
Security Technologies

Firewalls
By: Engr. Carlo N. Romero, ECE, M.Eng’g. – ECE, CCTT, CCNA, ECT


Aims and Objectives
• Understand what a firewall is and why it is needed
• Advantages and disadvantages of a firewall
• Different types of firewall
• Authentication techniques used by firewalls
• Different configurations of firewalls
What is Security?
• "The quality or state of being secure: to be free from danger."
• A successful organization should have multiple layers of security in place:
◼ Physical security
◼ Personal security
◼ Operations security
◼ Communications security
◼ Network security
◼ Information security
Characteristics of Information
• The value of information comes from the characteristics it possesses:
◼ Availability
◼ Accuracy
◼ Authenticity
◼ Confidentiality
◼ Integrity
◼ Utility
◼ Possession
Physical Design
The physical design of an information security program is made up of two parts:
1. Security technologies
2. Physical security

The physical design process:
- selects specific technologies;
- identifies complete technical solutions based on those technologies (deployment, operations and maintenance elements);
- designs physical security measures to support the technical solution.
Firewalls
A software or hardware component that restricts network communication between two computers or networks.
In buildings, a firewall is a fireproof wall that restricts the spread of a fire. A network firewall likewise prevents threats from spreading from one network to another.
• Prevents specific types of information from moving between the outside world (untrusted networks) and the inside world (trusted networks).
• The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices.
Internet Firewalls
The Internet Protocol Stack
What Firewalls do
Protect the resources of an internal network:
- Restrict external access.
- Log network activity.
- Intrusion detection.
- Denial-of-service (DoS) mitigation.
- Act as an intermediary (proxy).
- Centralized security management:
• carefully administer one firewall to control the Internet traffic of many machines;
• internal machines can then be administered with less care (the classic perimeter assumption; see the disadvantages later).
Types of Firewalls (General)
• Firewall types can be categorized depending on:
◼ The function or methodology the firewall uses.
◼ Whether the communication is between a single node and the network, or between two or more networks.
◼ Whether the communication state is tracked at the firewall or not.
Types of Firewalls
2. With regard to the scope of the filtered communication, that is whether it is between a single node and the network or between two or more networks, there exist:

◼ Personal firewalls: a software application that normally filters traffic entering or leaving a single computer.
◼ Network firewalls: normally running on a dedicated network device or computer positioned on the boundary of two or more networks.
Firewall categorization methods
1. The function or methodology the firewall uses
Five processing modes that firewalls can be categorized by are:
1. packet filtering
2. application gateways
3. circuit gateways
4. MAC layer firewalls
5. hybrids
1. Packet filtering:

• Examines the header information of data packets that come into a network.
• A packet filtering firewall is installed on a TCP/IP based network and determines whether to drop a packet or forward it to the next network connection, based on the rules programmed into the firewall.
• Packet filtering firewalls scan network data packets looking for violations of the rules in the firewall's rule database.
• Filtering firewalls inspect packets at the network layer (and, for port-based rules, the transport layer header).
• If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to another.
Packet Filtering (cont)
• Filters packet by packet, deciding to Accept/Deny/Discard each packet based on configurable criteria: the filter rule set.
• Typically stateless: they do not keep a table of the connection state of the various traffic flows that pass through them.
• Not dynamic enough to be considered true firewalls on their own.
• Usually located at the boundary of a network.
• Their main strengths: speed and flexibility.
There are three subsets of packet filtering firewalls:
- static filtering
- dynamic filtering
- stateful inspection
Static filtering:
- requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied be written and installed in advance; the rule set does not change while the firewall runs.
- This type of filtering is common in network routers and gateways.
Dynamic filtering:
- allows the firewall to create rules in reaction to an event.
- This reaction could be positive, as in allowing an internal user to engage in a specific activity upon request, or negative, as in dropping all packets from a particular address.
Stateful inspection:
- keeps track of each network connection between internal and external systems using a state table.
- A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when.
- More complex than their constituent component firewalls.
- Nearly all modern firewalls on the market today are stateful.
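The following is an added example, not part of the original slides, that contrasts a state table with the stateless "allow anything with the ACK bit set" rule that was used for return traffic before stateful inspection. The hosts, ports and the packet sequence are constructed; the 10.0.0.0/8 inside prefix and the simplified TCP state machine (no sequence-number checks, no timeouts) are assumptions.

```python
"""Stateful inspection versus a stateless "ACK bit" rule for return traffic.

Added example, not from the slides. Hosts, ports and the packet sequence
are constructed; the state machine is a simplified model of a connection
tracking table (no sequence-number checks, no timeouts).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SITE_PREFIX = "10.0.0."   # assumed: addresses starting with this are inside


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}

    @property
    def inbound(self) -> bool:
        return not self.src.startswith(SITE_PREFIX)


Key = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


def key_for(s: Segment) -> Key:
    """Map a segment travelling in either direction onto one connection key."""
    if s.inbound:
        return (s.dst, s.dport, s.src, s.sport)
    return (s.src, s.sport, s.dst, s.dport)


def stateless_filter(s: Segment) -> str:
    """Pre-stateful practice: inside may start connections; from outside only
    segments with ACK set (presumed replies) are let in. The filter cannot
    tell a real reply from a crafted packet that merely has ACK set."""
    if not s.inbound:
        return "accept"
    return "accept" if "ACK" in s.flags else "deny"


class StatefulFilter:
    """Admits inbound traffic only for connections the inside opened."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}

    def process(self, s: Segment) -> str:
        key = key_for(s)
        state = self.table.get(key)
        if state is None:
            if not s.inbound and s.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"      # inside opened a connection
                return "accept"
            return "deny"                          # unsolicited, either direction
        if state == "SYN_SENT" and s.inbound and s.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
            return "accept"
        if state == "SYN_RECEIVED" and not s.inbound and "ACK" in s.flags:
            self.table[key] = "ESTABLISHED"
            return "accept"
        if state == "ESTABLISHED":
            if s.flags & {"FIN", "RST"}:
                del self.table[key]                # simplified: close on first FIN/RST
            return "accept"
        return "deny"                              # does not fit the handshake


def run(segments: List[Segment]) -> List[Tuple[str, str]]:
    """Feed the same segments to both filters; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(stateless_filter(s), stateful.process(s)) for s in segments]


def mk(src, sport, dst, dport, *flags) -> Segment:
    return Segment(src, sport, dst, dport, frozenset(flags))


# Constructed traffic: a normal outbound web connection, then two probes.
HANDSHAKE = [
    mk("10.0.0.5", 40000, "203.0.113.9", 80, "SYN"),
    mk("203.0.113.9", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    mk("10.0.0.5", 40000, "203.0.113.9", 80, "ACK"),
    mk("203.0.113.9", 80, "10.0.0.5", 40000, "ACK"),   # data from the server
]
# An outsider sets ACK on a packet to an inside port nobody talked to: the
# ACK-bit rule lets it through, the state table has no entry and drops it.
ACK_PROBE = mk("198.51.100.7", 1234, "10.0.0.5", 22, "ACK")
# A plain inbound SYN is refused by both.
INBOUND_SYN = mk("198.51.100.7", 1235, "10.0.0.5", 22, "SYN")

if __name__ == "__main__":
    traffic = HANDSHAKE + [ACK_PROBE, INBOUND_SYN]
    for s, verdict in zip(traffic, run(traffic)):
        print(sorted(s.flags), s.src, "->", s.dst, verdict)
```

The ACK probe is the point: a stateless filter that must let replies back in has nothing to go on but header bits an attacker controls, whereas the state table only admits what an inside host actually started. A real implementation also checks sequence/acknowledgement windows and ages entries out.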
Stateful Inspection Firewalls
Basic Weaknesses Associated with Packet Filters (stateless and stateful)
• They cannot prevent attacks that employ application-specific vulnerabilities or functions.
• The logging functionality present in packet filter firewalls is limited.
• Most packet filter firewalls do not support advanced user authentication schemes.
• Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Susceptible to security breaches caused by improper configuration.
Packet Filtering Summary
Advantages:
◼ One packet filter can protect an entire network
◼ Efficient (requires little CPU)
◼ Supported by most routers
Disadvantages:
◼ Difficult to configure correctly: the rule set must be considered in its entirety
◼ Difficult to test completely
◼ Performance penalty for complex rule sets; stateful packet filtering is much more expensive
◼ Enforces ACLs at layers 3 and 4 only, without knowing any application details
Packet Filtering Firewalls
• The original firewall
• Works at the network level of the OSI model
• Applies packet filters based on access rules matching:
– Source IP address
– Destination IP address
– Application or protocol
– Source port number
– Destination port number
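The following is an added example, not code from the original slides, of a static packet filter that matches exactly the header fields listed above (plus the arrival interface, for anti-spoofing) with an ordered, first-match rule set and a default deny. It also blocks the rlogin and NFS services named later in the deck, and shows why "the rule set must be considered in its entirety": one broad accept added at the top silently shadows the denies below it. The interface names, the 10.0.0.0/8 site prefix, the web host 10.0.0.80, the outside addresses and the rules are assumptions.

```python
"""Static packet filter: an ordered, first-match rule set with default deny.

Added example, not from the slides. The interface names, the 10.0.0.0/8
site prefix, the web host 10.0.0.80, the outside addresses and the rule
set are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    iface: Optional[str] = None     # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[range] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """Header-only match: the rule never looks past the layer 3/4 headers."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


SITE = "10.0.0.0/8"       # assumed internal prefix
WEB = "10.0.0.80/32"      # assumed web server inside the site

# Deny-before-accept ordering: anti-spoofing first, then the insecure services
# named in the slides (rlogin 513/tcp, NFS 2049), then what we actually allow.
GOOD_RULES = [
    Rule("deny", iface="ext", src=SITE),                           # inside source arriving from outside: spoofed
    Rule("deny", dst=SITE, proto="tcp", dport=range(513, 514)),    # rlogin
    Rule("deny", dst=SITE, proto="tcp", dport=range(2049, 2050)),  # NFS over TCP
    Rule("deny", dst=SITE, proto="udp", dport=range(2049, 2050)),  # NFS over UDP
    Rule("accept", iface="ext", dst=WEB, proto="tcp", dport=range(80, 81)),
    Rule("accept", iface="int", src=SITE),                         # anything outbound
]

# The same rules after one plausible mistake: a broad accept for the web host
# added at the top "to make the web server work". First-match evaluation means
# it shadows every deny below it for that host, so the set must be read whole.
BAD_RULES = [Rule("accept", iface="ext", dst=WEB, proto="tcp")] + GOOD_RULES

# Constructed test packets.
RLOGIN_TO_WEB = Packet("ext", "198.51.100.7", "10.0.0.80", "tcp", 40000, 513)
HTTP_TO_WEB = Packet("ext", "198.51.100.7", "10.0.0.80", "tcp", 40001, 80)
SPOOFED = Packet("ext", "10.0.0.5", "10.0.0.80", "tcp", 40002, 80)
SSH_TO_DESKTOP = Packet("ext", "198.51.100.7", "10.0.0.5", "tcp", 40003, 22)
OUTBOUND_SSH = Packet("int", "10.0.0.5", "203.0.113.9", "tcp", 40004, 22)

if __name__ == "__main__":
    for name, p in [("rlogin to web", RLOGIN_TO_WEB), ("http to web", HTTP_TO_WEB),
                    ("spoofed", SPOOFED), ("ssh to desktop", SSH_TO_DESKTOP),
                    ("outbound ssh", OUTBOUND_SSH)]:
        print(f"{name:15s} good={filter_packet(GOOD_RULES, p):6s} "
              f"bad={filter_packet(BAD_RULES, p)}")
```

Note that nothing in the rules can distinguish an HTTP request from any other bytes sent to port 80; that is the layer 3/4 limitation the application gateway section addresses.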
Packet Filtering Firewalls
2. Application gateways:

• Also known as a proxy server, since it runs special software that acts as a proxy for a service request.
• One common example of a proxy server is a firewall that blocks or filters requests for, and responses to requests for, web pages and services from the internal computers of an organization.
• The primary disadvantage of application-level firewalls is that they are designed for specific protocols and cannot easily be reconfigured to protect against attacks on other protocols.
• Application firewalls work at the application layer.
Application/Proxy Servers…cont
• Filter on application data as well as on IP/TCP/UDP header fields.
• The interaction is controlled at the application layer.
• A proxy server is an application that mediates traffic between two network segments.
• With the proxy acting as mediator, the source and destination systems never actually "connect": each side has a connection to the proxy only.
• Filtering hostile code: proxies can analyze the payload of a packet and decide whether it should be passed or dropped.
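The following is an added example, not code from the original slides, of the decisions an HTTP proxy can make that a packet filter cannot: it parses the request line and headers, enforces a method and host policy, rejects non-HTTP bytes tunnelled over port 80, and drops a response whose body looks like an executable. The allowed-host list, the blocked signatures and the sample requests and responses are constructed; a production proxy would use a complete HTTP parser and a real content scanner.

```python
"""Application-level (proxy) filtering of HTTP, contrasted with a port-only check.

Added example, not from the slides. The allowed-host list, the blocked
content signatures and the sample requests/responses are constructed.
"""
from typing import Dict, Tuple

ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}   # assumed policy
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Hostile-content signatures looked for at the start of response bodies:
# the DOS/PE executable header and the ELF header.
BLOCKED_MAGIC = (b"MZ", b"\x7fELF")


def packet_filter_view(dport: int) -> str:
    """All a layer-3/4 filter can decide: is the destination port 80?"""
    return "accept" if dport == 80 else "deny"


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request.

    Returns (method, target, version, headers). Raises ValueError for
    anything that is not well-formed HTTP; the proxy treats that as deny.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return parts[0].decode(), parts[1].decode(), parts[2].decode(), headers


def proxy_request_decision(raw: bytes) -> str:
    """Decide on a client request using application-layer content."""
    try:
        method, _target, _version, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return "deny: not HTTP"
    if method not in ALLOWED_METHODS:
        return f"deny: method {method}"
    host = headers.get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return f"deny: host {host or '<none>'}"
    return "accept"


def proxy_response_decision(body: bytes) -> str:
    """Drop responses whose payload starts like an executable."""
    for magic in BLOCKED_MAGIC:
        if body.startswith(magic):
            return "deny: executable payload"
    return "accept"


# Constructed samples. To a packet filter every one of these is just "port 80".
GOOD_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00"        # TLS record pushed through port 80
EXE_BODY = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
HTML_BODY = b"<html><body>hello</body></html>"

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQ), ("bad host", BAD_HOST),
                      ("bad method", BAD_METHOD), ("not http", NOT_HTTP)]:
        print(f"{name:10s} filter={packet_filter_view(80)} proxy={proxy_request_decision(req)}")
    print("exe body  ", proxy_response_decision(EXE_BODY))
    print("html body ", proxy_response_decision(HTML_BODY))
```

Every request here is accepted by the port-80 check; only the proxy, which understands the protocol, can reject three of the four. The flip side is the slides' disadvantage: this code is useless for any protocol other than HTTP.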
Application/Proxy Servers…cont
• No proxy, no Internet application: a service can only cross the gateway if a proxy exists for it.
• Typical proxies include:
• FTP
• SMTP, POP3
• Telnet
• DNS
• HTTP
Application/Proxy Servers…cont
Advantages:
• Extensive logging capability.
• Allow enforcement of user authentication.
• Less vulnerable to address spoofing attacks.

Disadvantages:
• Complex configuration.
• Limited support for new network applications and protocols.
• Speed!!
3. Circuit gateways:

• Operate at the transport layer.
• Connections are authorized based on addresses; they prevent direct connections between one network and another.
• They accomplish this by creating channels connecting specific systems on each side of the firewall and then allowing only authorized traffic over those channels.
Circuit gateways ..cont
• Relay two TCP connections, one on each side (often described as operating at the session layer).
• Impose security by limiting which such connections are allowed.
• Once a circuit is created, usually relay traffic without examining its contents.
• Monitor the handshake between the two sides to decide whether the traffic is legitimate.
• Typically used when internal users are trusted, by allowing general outbound connections.
• SOCKS is commonly used for this.
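The following is an added example, not code from the original slides, of the authorization step of a SOCKS5-style circuit gateway: the client's CONNECT request is parsed, the decision is made on source and destination addresses and port alone, and the reply is built; after that a real gateway only copies bytes between the two connections, which the model reflects by returning a circuit description rather than relaying anything. The message layout follows RFC 1928; the allow list, the inside prefix and the request bytes are constructed.

```python
"""Circuit-level gateway: authorising a SOCKS5 CONNECT on addresses alone.

Added example, not from the slides. The SOCKS5 message layout follows
RFC 1928; the allow list, the client prefix and the request bytes are
constructed for illustration.
"""
import ipaddress
import struct
from typing import Optional, Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCESS, REP_FAILURE, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0, 1, 2, 7

ALLOWED_CLIENTS = ipaddress.ip_network("10.0.0.0/8")     # assumed inside prefix
ALLOWED_DST = [                                          # assumed outbound policy
    (ipaddress.ip_network("203.0.113.0/24"), {80, 443}),
    (ipaddress.ip_network("198.51.100.25/32"), {25}),
]


def parse_connect(req: bytes) -> Tuple[int, str, int]:
    """Parse a SOCKS5 request: returns (command, destination host, port)."""
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return cmd, host, port


def reply(code: int) -> bytes:
    """SOCKS5 reply; the bound address is left zero, which is enough here."""
    return struct.pack("!BBBB4sH", SOCKS_VERSION, code, 0, ATYP_IPV4, b"\0\0\0\0", 0)


def authorize(client_ip: str, req: bytes) -> Tuple[bytes, Optional[Tuple[str, str, int]]]:
    """Return (reply bytes, circuit); circuit is None when the gateway refuses."""
    if ipaddress.ip_address(client_ip) not in ALLOWED_CLIENTS:
        return reply(REP_NOT_ALLOWED), None
    try:
        cmd, host, port = parse_connect(req)
    except (ValueError, struct.error, UnicodeDecodeError):
        return reply(REP_FAILURE), None
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED), None    # BIND / UDP ASSOCIATE not relayed
    try:
        dst = ipaddress.ip_address(host)
    except ValueError:
        # The decision is made on addresses; a hostname would have to be
        # resolved first, and this gateway refuses rather than guess.
        return reply(REP_NOT_ALLOWED), None
    for net, ports in ALLOWED_DST:
        if dst in net and port in ports:
            return reply(REP_SUCCESS), (client_ip, host, port)
    return reply(REP_NOT_ALLOWED), None


def connect_request(host: str, port: int) -> bytes:
    """Build the SOCKS5 CONNECT request a client sends for an IPv4 literal."""
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4)
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


if __name__ == "__main__":
    for client, host, port in [("10.0.0.5", "203.0.113.10", 443),
                               ("10.0.0.5", "203.0.113.10", 22),
                               ("192.0.2.9", "203.0.113.10", 443)]:
        rep, circuit = authorize(client, connect_request(host, port))
        print(client, "->", f"{host}:{port}", "reply code", rep[1], "circuit", circuit)
```

The two disadvantages the slides list are visible here: once `authorize` returns a circuit nothing inspects the bytes that follow, and the client has to speak SOCKS, so every application needs a SOCKS-aware build or wrapper.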
Circuit Level Firewalls Example
Disadvantages
Circuit gateways ..cont
• Individual packets are not filtered once the circuit is established.
• Access control mechanisms are needed, since logs cannot catch all abuses:
– a time limit on how long a relayed port will last;
– a list of permissible outside callers for the port.
• The other big problem is the need to provide new (gateway-aware) client programs.
• Code change issues include availability of application source code for various platforms, version control, distribution and more.
4. MAC layer firewalls:
• Designed to operate at the media access control layer.
• Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host; all other traffic is blocked.
5. Hybrid firewalls:
• Combine the elements of other types of firewalls, for example the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
• That means a hybrid firewall may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work together.
General Performance
Types of Firewalls
3. Finally, depending on whether the firewall keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:

◼ Stateful firewall
◼ Stateless firewall
Types of Firewalls ..cont
Stateful firewall

Keeps track of the state of network connections (such as TCP streams) traveling across it.

A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.
Types of Firewalls ..cont
Stateless firewall

Treats each network frame (packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.

The classic example of traffic that a stateless firewall handles badly is the File Transfer Protocol, because by design it opens additional data connections on random ports that the filter cannot predict.
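The following is an added example, not code from the original slides, showing the FTP problem concretely. In active-mode FTP the client sends "PORT h1,h2,h3,h4,p1,p2" on the control connection (21/tcp) and the server then connects back from 20/tcp to that client port. A stateless filter has to admit every unprivileged port from source port 20, which anyone can set, or break FTP; a stateful firewall with an FTP helper (netfilter's nf_conntrack_ftp is the well-known one) reads the PORT command and admits exactly that one connection, once. Addresses, ports and the command text are constructed.

```python
"""Why FTP defeats a stateless filter, and how a stateful FTP helper copes.

Added example, not from the slides. Addresses, ports and the control
channel lines are constructed; the helper is a simplified model of the
expectation ("pinhole") logic a connection-tracking FTP helper implements.
"""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: bytes) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h = [int(x) for x in m.groups()]
    if any(x > 255 for x in h):
        raise ValueError("PORT argument out of range")
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]


class FtpHelper:
    """Expectation table: (client ip, client port) -> server allowed to call back."""

    def __init__(self) -> None:
        self.expected: Dict[Tuple[str, int], str] = {}

    def on_control_line(self, client_ip: str, server_ip: str, line: bytes) -> bool:
        """Watch the control channel; returns True if a pinhole was registered."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Anti-bounce checks: the advertised address must be the client that
        # sent the command, and the port must be unprivileged.
        if ip != client_ip or port < 1024:
            return False
        self.expected[(ip, port)] = server_ip
        return True

    def admit_data_connection(self, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
        """Inbound SYN towards the inside: allowed only if a PORT command predicted it."""
        if sport != 20:
            return False
        server = self.expected.pop((dst_ip, dport), None)   # one-shot pinhole
        return server == src_ip


def stateless_decision(sport: int, dport: int) -> bool:
    """What a stateless filter that wants active FTP to work has to do: admit
    any unprivileged destination port as long as the source port is 20/tcp.
    Anyone can choose source port 20, so this is the hole the slides warn about."""
    return sport == 20 and dport >= 1024


def demo() -> Dict[str, bool]:
    """Constructed session: a legitimate callback, a bounce attempt, an attacker."""
    helper = FtpHelper()
    client, server, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    return {
        "pinhole_registered": helper.on_control_line(client, server, b"PORT 10,0,0,5,195,80\r\n"),
        "bounce_ignored": helper.on_control_line(client, server, b"PORT 10,0,0,6,195,80\r\n"),
        "server_callback": helper.admit_data_connection(server, 20, client, 50000),
        "second_use": helper.admit_data_connection(server, 20, client, 50000),
        "attacker_callback": helper.admit_data_connection(attacker, 20, client, 50001),
        "stateless_lets_attacker_in": stateless_decision(20, 50001),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Port 195,80 encodes 195*256+80 = 50000. The helper admits the one connection it was told to expect and nothing else; the stateless rule admits the attacker's probe to 50001 because it cannot know that no PORT command ever mentioned it.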
Network Address Translation (NAT)
- Began as a separate function; now NAT is part of nearly every firewall.
- Developed in response to two major issues in network engineering and security:
• First, network address translation is an effective tool for hiding the network addressing scheme present behind a firewall environment.
• Second, the depletion of the IPv4 address space has caused some organizations to use NAT for mapping non-routable (private) IP addresses to a smaller set of publicly routable addresses.
Network Address Translation ..cont
NAT goals
– Allow use of internal (private) IP addresses
– Hide internal network structure
– Disable direct Internet connections to inside hosts

NAT types
– Dynamic
• For connections from inside to outside
• There may be fewer outside addresses than internal addresses
– Static
• For connections from outside to specific servers inside
• One-to-one address mapping (fixed)
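The following is an added example, not code from the original slides, modelling both NAT types above on one device: dynamic (many-to-one, port-translating) NAT for outbound connections and a static one-to-one mapping for a server. It shows the three goals listed: inside hosts use private addresses, the outside sees only the public address, and an outside host cannot reach an inside host unless a mapping already exists (and, for dynamic mappings, unless it is the peer the inside host contacted). The public address 203.0.113.1, the mail server mapping and the translation port range starting at 40000 are assumptions.

```python
"""Dynamic (many-to-one, port-translating) and static (one-to-one) NAT.

Added example, not from the slides. The public address 203.0.113.1, the
static mapping for the mail server and the port range starting at 40000
are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]


class Nat:
    def __init__(self, public_ip: str, static: Dict[str, str]) -> None:
        self.public_ip = public_ip
        self.static_out = dict(static)                              # inside ip -> public ip
        self.static_in = {pub: ins for ins, pub in static.items()}  # public ip -> inside ip
        self.dyn_out: Dict[Endpoint, int] = {}                      # inside endpoint -> public port
        self.dyn_in: Dict[int, Tuple[Endpoint, Endpoint]] = {}      # public port -> (inside, remote)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite the source (address only for static, address+port for dynamic)."""
        if p.src in self.static_out:
            return replace(p, src=self.static_out[p.src])
        inside = (p.src, p.sport)
        if inside not in self.dyn_out:
            self.dyn_out[inside] = self.next_port
            self.dyn_in[self.next_port] = (inside, (p.dst, p.dport))
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.dyn_out[inside])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or drop (None) if nothing maps."""
        if p.dst in self.static_in:
            return replace(p, dst=self.static_in[p.dst])
        mapping = self.dyn_in.get(p.dport) if p.dst == self.public_ip else None
        if mapping is None:
            return None                  # no inside host ever talked out on this port
        inside, remote = mapping
        if (p.src, p.sport) != remote:
            return None                  # mapped port, but not the peer that was contacted
        return replace(p, dst=inside[0], dport=inside[1])


def demo() -> Dict[str, Optional[Packet]]:
    """Run a constructed set of flows through one NAT device."""
    nat = Nat("203.0.113.1", static={"10.0.0.25": "203.0.113.25"})    # assumed mail server
    out1 = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.9", 443))
    out2 = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.9", 443))  # same port, other host
    return {
        "out1": out1,
        "out2": out2,
        "reply1": nat.inbound(Packet("198.51.100.9", 443, out1.src, out1.sport)),
        "hijack": nat.inbound(Packet("192.0.2.7", 443, out1.src, out1.sport)),   # wrong peer
        "unsolicited": nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 22)),
        "to_mail": nat.inbound(Packet("198.51.100.9", 2525, "203.0.113.25", 25)),
        "from_mail": nat.outbound(Packet("10.0.0.25", 25, "198.51.100.9", 2525)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Two inside hosts using the same local port get distinct public ports, so the outside sees one address and learns nothing about the inside layout; the static entry is the only way in from outside, and it exposes exactly one server. Entries in a real NAT also time out, which this model omits.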
Network Address Translation ..cont
Firewall Configurations (Architectures)
• Packet Filtering Router
• Dual Homed Gateway
• Screened Host Gateway (bastion host)
• Screened Subnet Gateway or Demilitarized Zone (DMZ)
• Firewall Appliance
Packet Filtering Router
 A packet filtering router is a router configured to screen packets
between two networks. It routes traffic between the two networks
and uses packet filtering rules to permit or deny traffic.
Implementing security with a router is usually not that easy. Most
routers were designed to route traffic, not to provide firewall
functionality, so the command interface used for configuring rules
and filters is neither simple nor intuitive.
Dual Homed Gateway
This is a secure firewall design comprising an application gateway and a packet filtering router. It is called "dual homed" because the gateway has two network interfaces, one attached to the Internet, the other to the organization's network. Only applications with proxy services on the application gateway are able to operate through the firewall. Since IP forwarding is disabled on the host, IP packets must be directed to one of the proxy servers on the host, or be rejected. Some manufacturers build the packet filtering capability and the application proxies into one box, thereby simplifying the design (but removing the possibility of having an optional information server and modems attached to the screened subnet).
The disadvantages of the dual homed gateway are that it may be a performance bottleneck, and that it may be too secure for some sites (!), since it is not possible to let trusted applications bypass the firewall and communicate directly with peers on the Internet: they must have a proxy service in the firewall.
Dual Homed Gateway ..cont
• A dual-homed gateway typically sits behind the gateway (usually a router) to the untrusted network and most often is a host system with two network interfaces. Traffic forwarding on this system is disabled, thereby forcing all traffic between the two networks to pass through some kind of application gateway or proxy. Only gateways or proxies for the services that are considered essential are installed on the system. This particular architecture will usually require user authentication before access to the gateway/proxy is allowed. Each proxy is independent of all other proxies on the host system.
Screened Host Gateway (bastion host )
The screened host gateway is similar to the above, but more flexible and less secure,
since trusted traffic may pass directly from the Internet into the private network,
thereby bypassing the application gateway. In this design the application gateway
only needs a single network connection.

The IP router will normally be configured to pass Internet traffic to the application
gateway or to reject it. Traffic from the corporate network to the Internet will also
be rejected, unless it originates from the application gateway. The only exception to
these rules will be for trusted traffic that will be allowed straight through.
Screened Host Gateway ..cont
• The screened host, or bastion host, is typically located on the trusted network, protected from the untrusted network by a packet filtering router. All traffic coming in through the packet filtering router is directed to the screened host. Outbound traffic may or may not be directed to the screened host. This type of firewall is most often software based and runs on a general-purpose computer that is running a hardened version of the operating system. Security is usually implemented at the application level.
Screened Host Gateway ..cont
A bastion host is:
• a highly secure host system,
• potentially exposed to "hostile" elements,
• hence secured to withstand this,
• may support two or more network connections,
• may be trusted to enforce separation between its network connections,
• runs circuit-level or application-level gateways, or provides externally accessible services.
Screened Subnet Gateway
This configuration creates a small isolated network between the Internet and the corporate network, sometimes referred to as the demilitarised zone (DMZ). The advantages of this configuration are that multiple hosts and gateways can be stationed in the DMZ, thereby achieving a much greater throughput to the Internet than the other configurations, and that it is very secure, as two packet filtering routers protect the corporate network.
The IP router on the Internet side will only let through Internet traffic that is destined for a host in the DMZ (and vice versa). The IP router on the corporate network side will only let site traffic pass to a host in the DMZ (and vice versa). This system is as secure as the dual homed gateway, but it is also possible to allow trusted traffic to pass straight through the DMZ if required. This configuration is of course more expensive to implement!
Screened Subnet Gateway ..cont
• A screened subnet or DMZ is typically created between two packet filtering routers. When using this architecture, the firewall solution is housed on this screened subnet segment along with any other services available to the untrusted network. Conceptually, this architecture is similar to that of a screened host, except that an entire network rather than a single host is reachable from the outside.
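The following is an added example, not code from the original slides, that expresses the two routers' policies from the screened subnet description as zone-to-zone permit lists and checks the design's invariant mechanically: a flow reaches its destination only if every router on its path permits it, so we can enumerate whether any (zone, zone, port) combination lets traffic straight between the Internet and the corporate network. A deliberately misconfigured pair of policies shows the check catching a hole that neither router's rules reveal on their own. The zone prefixes, the permitted ports and the sample flows are assumptions.

```python
"""Checking the screened-subnet invariant across two packet-filtering routers.

Added example, not from the slides. Zone prefixes, permitted ports and
sample flows are assumptions; each router permits the listed
(source zone, destination zone, ports) entries and drops everything else.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

DMZ = ipaddress.ip_network("192.0.2.0/24")    # assumed screened subnet
CORP = ipaddress.ip_network("10.0.0.0/8")     # assumed corporate network
ZONES = ["internet", "dmz", "corp"]           # physical order: a router sits between each pair

Entry = Tuple[str, str, Optional[Set[int]]]   # (src zone, dst zone, ports; None = any port)

OUTER: List[Entry] = [                        # router on the Internet side
    ("internet", "dmz", {25, 80, 443}),
    ("dmz", "internet", None),
]
INNER: List[Entry] = [                        # router on the corporate side
    ("corp", "dmz", None),
    ("dmz", "corp", {25, 53}),                # DMZ mail relay and DNS may reach inside
]

# A plausible mistake: "let the admins RDP in from home" added to both routers.
OUTER_BAD = OUTER + [("internet", "corp", {3389})]
INNER_BAD = INNER + [("internet", "corp", {3389})]


def zone_of(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    return "corp" if a in CORP else "dmz" if a in DMZ else "internet"


def permits(policy: List[Entry], src_zone: str, dst_zone: str, dport: int) -> bool:
    return any(s == src_zone and d == dst_zone and (ports is None or dport in ports)
               for s, d, ports in policy)


def routers_on_path(src_zone: str, dst_zone: str,
                    outer: List[Entry] = OUTER, inner: List[Entry] = INNER) -> List[List[Entry]]:
    """Every router between the two zones, in the order a packet meets them."""
    chain: Dict[Tuple[str, str], List[Entry]] = {("internet", "dmz"): outer, ("dmz", "corp"): inner}
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    lo, hi = sorted((i, j))
    return [chain[(ZONES[k], ZONES[k + 1])] for k in range(lo, hi)]


def flow_allowed(src: str, dst: str, dport: int,
                 outer: List[Entry] = OUTER, inner: List[Entry] = INNER) -> bool:
    """A flow gets through only if every router on its path permits it."""
    zs, zd = zone_of(src), zone_of(dst)
    return all(permits(r, zs, zd, dport) for r in routers_on_path(zs, zd, outer, inner))


def direct_paths(outer: List[Entry] = OUTER, inner: List[Entry] = INNER) -> List[Tuple[str, str, int]]:
    """Exhaustively list (src zone, dst zone, port) triples that would carry
    traffic straight between the Internet and the corporate network.
    An empty list means the screened-subnet invariant holds."""
    found = []
    for zs, zd in (("internet", "corp"), ("corp", "internet")):
        for port in range(1, 65536):
            if all(permits(r, zs, zd, port) for r in routers_on_path(zs, zd, outer, inner)):
                found.append((zs, zd, port))
    return found


if __name__ == "__main__":
    print("internet -> dmz web  :", flow_allowed("198.51.100.7", "192.0.2.80", 80))
    print("internet -> corp web :", flow_allowed("198.51.100.7", "10.0.0.5", 80))
    print("dmz relay -> corp 25 :", flow_allowed("192.0.2.25", "10.0.0.9", 25))
    print("direct paths, good   :", direct_paths())
    print("direct paths, bad    :", direct_paths(OUTER_BAD, INNER_BAD))
```

Each router's rule list looks reasonable in isolation; only checking the path as a whole shows that the two RDP entries together turn the DMZ design back into a single perimeter for port 3389. That is the "trusted traffic straight through the DMZ" option from the previous slide, made explicit so it is a decision rather than an accident.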
Firewall Appliance
• A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network. This architecture resembles the packet filtering router and dual-homed gateway architectures in that all traffic must pass through the appliance. In most instances these appliances come pre-configured on their own box. They may also have other services built in, such as web servers and e-mail servers. Because they usually don't need the extensive configuration that other firewalls often require, they are touted as being much simpler and faster to use. Some manufacturers market them as "plug-and-play" firewall solutions.
Firewall Appliance ..cont
• For some networks, implementing more than one firewall solution may be a more effective option. For example, implement a packet filtering router at the entrance to the network for perimeter security and then configure an application gateway for a specific department or building. This type of solution would not only protect the trusted network from the outside, but would also protect a specific department or building from unauthorized users on the trusted network.
Network Configuration Examples
• Protected Private Network
• Semi-Militarised Zone
• Private LAN stays secure
Protected Private Network
• Allow all access from the private network to the Internet.
• Deny all access from the Internet to the private network.
Semi-Militarised Zone
Private LAN stays secure
Advantages of a Firewall
• Stop incoming calls to insecure services such as rlogin and NFS
• Control access to other services
• Control the spread of viruses
• Cost effective
• More secure than securing every system
Disadvantages of a Firewall
 Central point of attack
 Restrict legitimate use of the Internet
 Bottleneck for performance
 Does not protect the ‘back door’
 Cannot always protect against
smuggling
 Cannot prevent insider attacks
Firewalls have weaknesses
• Some security hackers boast there is not a single firewall that they cannot penetrate.
• They cannot keep out data carried inside applications, such as viruses within email messages.
• Although firewalls provide a high level of security between today's private networks and the outside world, we still need the assistance of other related security components in order to guarantee proper network security.
Firewalls categorized by development generation:

• First generation firewalls are static packet filtering firewalls.
• Second generation firewalls are application-level firewalls (proxy servers).
• Third generation firewalls are stateful inspection firewalls.
• Fourth generation firewalls are dynamic packet filtering firewalls, which allow only a particular packet with a particular source, destination and port address to enter.
• Fifth generation firewalls are kernel proxies.
Selecting the right firewall

The most important consideration is the extent to which the firewall design provides the desired protection; the second most important issue is cost.

1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. How easy is it to set up and configure the firewall?
Selecting Firewall Solution
In order to pick the best architecture and packet screening method for a firewall solution, the following questions should be considered:
• What does the firewall need to do?
• What additional services would be desirable?
• How will it fit in the existing network?
• How will it affect existing services and users?
Firewall Products Classification
• Hardware platform:
- Linux, Solaris, Windows, ... based systems
- Proprietary (Nokia box, Cisco PIX)
• Perimeter firewall: Checkpoint, PIX, Sun SPF
• Software: Checkpoint FireWall-1 (FW-1), NetGuard Guardian
• Stand-alone box (appliance): Satic Wall, WatchGuard FireBox, Netscreen
• Personal firewall:
◼ BlackICE
◼ ZoneAlarm