
Firewalls

Network Security
Lecture 9

Eike Ritter Network Security - Lecture 9 1


Firewalls
• Idea: inspect incoming and outgoing packets and drop packets deemed to be harmful
• Firewalls operate at different levels:
– Packet filter: simple rules based on port and IP address
– Stateful filter: in addition, tracks the state of connections
– Application layer firewall: filters packets according to the application protocol


Packet filters
• State whether an incoming or outgoing packet from/to a given port and IP address is allowed
• Useful for blocking unwanted protocols
• Examples:
– Blocking illicit mail servers (e.g. for viruses)
– Ensuring that only approved services are visible from the outside (e.g. no web services visible from workstations)
• Rejected packets are normally silently dropped

• Easy to implement, but open to spoofing attacks


Stateful firewall
• Exploits the state transitions of TCP
– Only SYN packets need to be checked against the rules
– Construct a table of accepted connections and consult it for all other packets
• More efficient
• Reduces the risk of hijacking connections
• Problems:
– Several protocols use random, unpredictable ports
– Examples: FTP, Skype, videoconferencing
– Solution: use suitable dynamically created rules
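The following is an added example (not part of the lecture slides, and not iptables code) that models the stateful mechanism described above: only SYN packets are matched against the static rules, accepted connections go into a table, and every other packet is decided by that table. A plain packet filter is run alongside it on a constructed trace, so the last packet (a forged ACK to an allowed port with no preceding SYN) shows the spoofing gap that the stateful filter closes. Addresses, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

# Constructed rule set: new inbound connections are allowed only to these services.
ALLOWED_NEW = {("10.0.0.5", 22), ("10.0.0.5", 443)}

def stateless_filter(p: Packet) -> str:
    """Plain packet filter: every packet is judged on address/port alone.
    Replies are let through by also permitting packets *from* an allowed service."""
    return "ACCEPT" if (p.dst, p.dport) in ALLOWED_NEW or (p.src, p.sport) in ALLOWED_NEW else "DROP"

class StatefulFilter:
    def __init__(self, allowed_new):
        self.allowed_new = allowed_new
        self.conns = set()            # table of accepted connections (src, sport, dst, dport)

    def _known(self, p: Packet):
        """Return the table entry this packet belongs to (either direction), or None."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd if fwd in self.conns else (rev if rev in self.conns else None)

    def filter(self, p: Packet) -> str:
        key = self._known(p)
        if key is not None:           # belongs to an accepted connection: no rule lookup
            if p.fin:
                self.conns.discard(key)   # connection closing: forget it
            return "ACCEPT"
        if p.syn and not p.ack:       # only the connection-opening SYN is checked against rules
            if (p.dst, p.dport) in self.allowed_new:
                self.conns.add((p.src, p.sport, p.dst, p.dport))
                return "ACCEPT"
            return "DROP"
        return "DROP"                 # non-SYN packet with no matching connection: out of state

def run_trace():
    """Replay a constructed packet trace through both filters; returns (stateless, stateful) pairs."""
    fw = StatefulFilter(ALLOWED_NEW)
    trace = [
        Packet("198.51.100.7", 40000, "10.0.0.5", 443, syn=True),            # client opens HTTPS
        Packet("10.0.0.5", 443, "198.51.100.7", 40000, syn=True, ack=True),  # server reply
        Packet("198.51.100.7", 40000, "10.0.0.5", 443, ack=True),            # handshake completes
        Packet("198.51.100.7", 40001, "10.0.0.5", 23, syn=True),             # telnet: no rule
        Packet("203.0.113.9", 5555, "10.0.0.5", 443, ack=True),              # forged ACK, no SYN seen
    ]
    return [(stateless_filter(p), fw.filter(p)) for p in trace]
```

Only the forged ACK separates the two: the stateless filter accepts it because port 443 is allowed, while the stateful filter drops it because no accepted connection matches.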


Application layer firewall
• The content of each packet is inspected for conformance with the protocol or for undesirable content
• Resource intensive
• Mostly used for web applications, to protect against attacks on web services or to filter out unwanted traffic (e.g. illegal downloads)
• Detailed description of such attacks later in the module


Network Address Translation
• Translation of IP addresses by the router
• Packets appear to come from the router
• May need to modify port numbers as well
• Used frequently in home routers with only one public IP address
– Assign private IP addresses to the home network via DHCP
– Use NAT to give the home network access to the Internet

Network Address Translation
• Direct incoming connections from the public Internet to a host behind NAT are impossible
• Hence, services cannot be hosted on such hosts
• Easy way of achieving security, but problematic for services like Skype, videoconferencing etc.
• Way out: have rules on the router for port forwarding to a specific host
• Originally intended as a short-term measure, but now very popular and widely used despite violating the original design principle of the Internet


Iptables
• Program on Linux to view and manipulate firewall rules
• Implements a stateful firewall with network address translation
• Used in many routers, both for home and commercial use
• Has been extended over the years to include rules preventing many of the TCP/IP attacks presented earlier
