WQD7010 Network & Security: Dr. Saaidal Razalli Bin Azzuhri
Firewalls
Lecture 9: Learning Objectives
On completion of this session you should:
Understand why firewalls are necessary
Discuss the design goals of firewalls
Discuss what firewalls can do and cannot do
Be familiar with different types of firewalls
Describe the advantages and disadvantages of different
types of firewalls
Be familiar with various firewall configurations
Discuss what level of security each configuration offers
Outline
What is a firewall?
Firewall design goals
What firewalls can do
What firewalls can’t do
Types of firewalls
Firewall configurations
Introduction
Information systems have evolved from centralized data processing systems to internetworked, distributed data access with Internet connectivity
This growth has introduced persistent security concerns, because
it is not practical to equip each workstation and server with its own intrusion protection
a flawless OS and flawless application software cannot be guaranteed
networks usually consist of hundreds or thousands of systems running mixed versions of software
A firewall can add to the security scheme
erects an outer security wall
provides a single point where security and audit can be imposed
acts as the first line of defense
The Need for firewalls
Internet connectivity is no longer optional for organizations
Individual users within the organization want and need Internet access
While Internet access provides benefits to the organization, it enables
the outside world to reach and interact with local network assets
This creates a threat to the organization
While it is possible to equip each workstation and server on the premises network with strong
security features, this may not be sufficient and in some cases is not cost-effective
Firewall
An alternative, or at least complement, to host-based security services
Is inserted between the premises network and the Internet to establish a
controlled link and to erect an outer security wall or perimeter
The aim of this perimeter is to protect the premises network from Internet-
based attacks and to provide a single choke point where security and
auditing can be imposed
May be a single computer system or a set of two or more systems that
cooperate to perform the firewall function
Firewall: Design Goals
Firewalls are based on the following design goals:
all traffic in both directions must pass through the firewall
implemented by physically blocking all access to the local network except via the firewall
only authorized traffic, as defined by the local security policy, is allowed to pass
the firewall itself must be immune to penetration
this implies a trusted system with a hardened, secure operating system
Firewall Characteristics
Characteristics that a firewall access policy could use to filter
traffic:
IP Address and Protocol Values
• Controls access based on the source or destination addresses and port numbers,
direction of flow being inbound or outbound, and other network and transport layer
characteristics
Application Protocol
• Controls access on the basis of authorized application protocol data
User Identity
• Controls access based on the user’s identity, typically for inside users who identify
themselves using some form of secure authentication technology, such as IPSec
Network Activity
• Controls access based on considerations such as the time of the request or other activity patterns
Firewall expectations
A firewall
Table 12.1 is a simplified example of a ruleset for SMTP traffic. The goal is to allow inbound and outbound
e-mail traffic but to block all other traffic. The rules are applied top to bottom to each packet.
A. Inbound mail from an external source is allowed (destination port 25, the SMTP port on the receiving mail server).
E. This is an explicit statement of the default policy. All rulesets include this rule implicitly as the last rule.
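The rule-evaluation model described above (top-to-bottom, first match wins, explicit default deny), written out as an added example. This is not the lecture's Table 12.1: the rule names, the 10.0.0.0/8 premises prefix and the sample addresses are constructed for illustration. The ruleset meets the same goal (mail in and out, nothing else) and shows the ACK-flag test that a stateless filter needs in order to let replies through without letting outsiders open connections to high ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Added example: a first-match, top-to-bottom packet filter with an explicit
# default-deny rule. Ruleset, addresses and field names are constructed.

INTERNAL = "10.0.0.0/8"   # assumed premises network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag (clear on a connection-opening SYN)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "permit" or "deny"
    direction: Optional[str] = None
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    ack: Optional[bool] = None                # None = don't care

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields are wildcards."""
        if self.direction is not None and p.direction != self.direction:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


# Goal: allow inbound and outbound e-mail, block everything else.
# The ACK test on the two reply rules is the classic stateless trick: a packet
# from port 25 to a high port is only a reply if ACK is set; a SYN from port 25
# is an outsider trying to open a connection and falls through to the deny rule.
SMTP = (25, 25)
HIGH = (1024, 65535)
RULES = [
    Rule("inbound-mail",   "permit", "in",  src=ANY,      dst=INTERNAL, proto="tcp", dport=SMTP),
    Rule("inbound-reply",  "permit", "out", src=INTERNAL, dst=ANY,      proto="tcp", sport=SMTP, dport=HIGH, ack=True),
    Rule("outbound-mail",  "permit", "out", src=INTERNAL, dst=ANY,      proto="tcp", dport=SMTP),
    Rule("outbound-reply", "permit", "in",  src=ANY,      dst=INTERNAL, proto="tcp", sport=SMTP, dport=HIGH, ack=True),
    Rule("default",        "deny"),   # explicit statement of the default policy
]


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """Apply rules top to bottom; the first matching rule decides.
    If nothing matches, deny (the rule every ruleset has implicitly at the end)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-default"


if __name__ == "__main__":
    samples = [
        Packet("in", "198.51.100.7", "10.0.0.25", "tcp", 40000, 25),            # mail delivery
        Packet("in", "198.51.100.7", "10.0.0.25", "tcp", 25, 40001, ack=True),  # reply to our outbound mail
        Packet("in", "198.51.100.7", "10.0.0.25", "tcp", 25, 40001),            # SYN from port 25: denied
        Packet("in", "198.51.100.7", "10.0.0.80", "tcp", 40002, 80),            # web: not authorized
    ]
    for s in samples:
        print(s.direction, s.proto, f"{s.src}:{s.sport} -> {s.dst}:{s.dport}", evaluate(RULES, s))
```

Rule order matters: moving the deny rule above the permit rules would silently block all mail, which is the "improper configuration" weakness listed later in the lecture.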
Packet Filtering firewalls
Weaknesses
• Because packet filter firewalls do not examine upper-layer data, they
cannot prevent attacks that employ application-specific vulnerabilities or
functions
• Because of the limited information available to the firewall, the logging
functionality present in packet filter firewalls is limited
• Most packet filter firewalls do not support advanced user authentication
schemes
• Packet filter firewalls are generally vulnerable to attacks and exploits that
take advantage of problems within the TCP/IP specification and protocol
stack
• Due to the small number of variables used in access control decisions,
packet filter firewalls are susceptible to security breaches caused by
improper configurations
Strengths
• Its simplicity
• Transparent to users and very fast
Attacks and countermeasures
Source routing attacks
The source station specifies the route that a packet should take as it crosses the internet, in the hope that this will bypass security measures that do not analyze the source routing information.
Countermeasure: discard all packets that use this option.
Tiny fragment attacks
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.
Countermeasure: enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.
IP address spoofing attacks
The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.
Countermeasure: discard packets with an inside source address if the packet arrives on an external interface.
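The three countermeasures as a pre-ruleset sanity check, added here as an example (not code from the lecture). Interface names, the 10.0.0.0/8 internal prefix and the 20-byte threshold (a minimum TCP header) are assumptions. The last check goes slightly beyond the lecture: RFC 1858 also recommends dropping a TCP fragment with offset 1, which would overlap the flags of the first fragment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Added example: anti-spoofing, source-route and tiny-fragment checks.
# Interface names, internal prefix and threshold are assumptions.

INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SOURCE_ROUTE_OPTIONS = {"LSRR", "SSRR"}   # loose / strict source route options (RFC 791)
MIN_TRANSPORT_HEADER = 20                  # minimum TCP header length in bytes


@dataclass(frozen=True)
class IPPacket:
    iface: str               # "ext" (Internet side) or "int" (premises side)
    src: str
    dst: str
    proto: str               # "tcp", "udp", ...
    options: Tuple[str, ...] = ()
    frag_offset: int = 0     # in 8-byte units, as carried in the IP header
    more_fragments: bool = False
    payload_len: int = 0     # bytes following the IP header in this fragment


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def sanity_check(p: IPPacket) -> Tuple[str, str]:
    """Return ("drop", reason) or ("pass", "")."""
    # IP address spoofing: an inside source address can never legitimately
    # arrive on the external interface.
    if p.iface == "ext" and is_internal(p.src):
        return "drop", "inside source address on external interface"

    # Source routing: discard any packet carrying a source-route option.
    if SOURCE_ROUTE_OPTIONS & set(p.options):
        return "drop", "source-routed packet"

    if p.proto == "tcp":
        # Tiny fragment: the first fragment must carry the whole minimum
        # transport header, otherwise ports and flags land in a later fragment
        # that a stateless filter never inspects.
        if p.frag_offset == 0 and p.more_fragments and p.payload_len < MIN_TRANSPORT_HEADER:
            return "drop", "first fragment too small to hold transport header"
        # RFC 1858 addition: offset 1 (byte 8) would overwrite the TCP flags
        # of the first fragment on reassembly.
        if p.frag_offset == 1:
            return "drop", "fragment overlaps transport header"

    return "pass", ""


if __name__ == "__main__":
    for pkt in [
        IPPacket("ext", "10.1.2.3", "10.0.0.5", "tcp", payload_len=40),
        IPPacket("ext", "198.51.100.7", "10.0.0.5", "tcp", options=("LSRR",), payload_len=40),
        IPPacket("ext", "198.51.100.7", "10.0.0.5", "tcp", more_fragments=True, payload_len=8),
        IPPacket("ext", "198.51.100.7", "10.0.0.5", "tcp", more_fragments=True, payload_len=40),
    ]:
        print(pkt.src, "->", pkt.dst, sanity_check(pkt))
```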
Firewalls – Stateful Packet Filters
Traditional packet filters do not examine transport layer context
i.e. they cannot match return packets with the outgoing flow that caused them
Stateful packet filters address this need
They examine each IP packet in context
Keep track of client-server sessions
Check that each packet validly belongs to one
Hence they are better able to detect bogus packets that arrive out of context
Stateful Filtering
Table 12.2
Example Stateful Firewall
Connection State Table
A stateful inspection packet firewall tightens up the rules for TCP traffic by creating
a directory of outbound TCP connections, as shown in Table 12.2. There is an entry
for each currently established connection. The packet filter will now allow incoming
traffic to high-numbered ports only for those packets that fit the profile of one of the
entries in this directory.
Some stateful firewalls also keep track of TCP sequence numbers to prevent
attacks that depend on the sequence number, such as session hijacking.
Some even inspect limited amounts of application data for some well-known
protocols like FTP, IM and SIPS commands, in order to identify and track related
connections.
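A minimal connection state table for TCP, added here as an example (not from the lecture). Addresses, port numbers and the state names are constructed. It keeps the "directory of outbound connections" described above and shows the point the stateless ACK-flag rule cannot make: a crafted inbound packet with ACK set is permitted by the stateless rule but denied by the stateful one because no outbound connection matches it.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example: a stateful filter tracking TCP connections opened from inside.
# Addresses and ports are constructed.

@dataclass(frozen=True)
class Segment:
    direction: str      # "out" = from the premises network, "in" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


Key = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)


def stateless_reply_rule(s: Segment) -> str:
    """What a stateless filter has to do to let replies in: permit any inbound
    packet to a high port with ACK set. Anything crafted with ACK set gets through."""
    return "permit" if s.direction == "in" and s.ack and s.dport >= 1024 else "deny"


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # the directory of outbound connections

    @staticmethod
    def _key(s: Segment) -> Key:
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)   # normalise the return direction

    def process(self, s: Segment) -> Tuple[str, str]:
        key = self._key(s)
        state = self.table.get(key)

        if s.direction == "out":
            if s.syn and not s.ack:
                # New connection initiated from inside: record it. A real filter
                # would first consult the static ruleset before doing so.
                self.table[key] = "SYN_SENT"
                return "permit", "new outbound connection"
            if state is None:
                return "deny", "outbound packet for unknown connection"
            if s.rst:
                del self.table[key]
                return "permit", "connection reset"
            return "permit", f"outbound, state {state}"

        # Inbound: only permitted in the context of a connection we opened.
        if state is None:
            return "deny", "no matching outbound connection"
        if state == "SYN_SENT":
            if s.syn and s.ack:
                self.table[key] = "ESTABLISHED"
                return "permit", "handshake reply"
            return "deny", "unexpected flags while awaiting SYN/ACK"
        if s.rst:
            del self.table[key]
            return "permit", "connection reset"
        return "permit", f"inbound, state {state}"


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.process(Segment("out", "10.0.0.8", 40000, "203.0.113.10", 80, syn=True)))
    print(fw.process(Segment("in", "203.0.113.10", 80, "10.0.0.8", 40000, syn=True, ack=True)))
    print(fw.process(Segment("in", "203.0.113.10", 80, "10.0.0.8", 40000, ack=True)))
    bogus = Segment("in", "203.0.113.99", 80, "10.0.0.8", 40000, ack=True)
    print("stateless:", stateless_reply_rule(bogus), "stateful:", fw.process(bogus))
```

A production filter also ages entries out (timeouts for half-open and idle connections) and tracks sequence numbers, as the lecture notes; both are omitted here to keep the state machine readable.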
Firewall Gateways
Firewall runs a set of proxy programs
Proxies filter incoming and outgoing packets
All incoming traffic is directed to the firewall
All outgoing traffic appears to come from the firewall
Policy is embedded in the proxy programs
Two kinds of proxies
Application-level gateways/proxies
Tailored to a specific application protocol: HTTP, FTP, SMTP, etc.
Circuit-level gateways/proxies
Working at the TCP level, without interpreting the application protocol
Application Level Gateway
Also called an application proxy
Acts as a relay of application-level traffic
If the gateway does not implement the proxy code for a specific
application, the service is not supported and cannot be forwarded
across the firewall
The gateway can be configured to support only specific features
of an application that the network administrator considers
acceptable while denying all other features
Tend to be more secure than packet filters
Disadvantage:
The additional processing overhead on each connection
Firewalls - Application Level Gateway (or Proxy)
Application Level Gateway - Operation
A client on the internal network requests access to an
application (e.g. web access) on the external network
The request is forwarded to the proxy server (e.g., an HTTP proxy server)
The proxy determines whether the request is valid
checks against the security policies of the organization
Then sends a new request on behalf of the client to the
destination
no direct connection from internal to external network
the request appears to have originated from the application gateway/proxy
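The policy step of the operation above, written out as an added example for HTTP (not code from the lecture). The allowed methods, the host allowlist and the gateway name are constructed. The gateway parses the client's request, accepts only the features the administrator considers acceptable (here GET and HEAD to allow-listed hosts, so no uploads and no CONNECT tunnels) and then builds a fresh request to send on the client's behalf, so nothing the client sent reaches the destination verbatim.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Added example: the policy decision of an HTTP application-level gateway.
# Allowlists and the gateway's name are constructed.

ALLOWED_METHODS = {"GET", "HEAD"}                 # no POST uploads, no CONNECT tunnels
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
PASSTHROUGH_HEADERS = ("accept", "accept-language", "user-agent")
GATEWAY_NAME = "proxy.premises.example"           # hypothetical


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, target, version, headers, body).
    Raises ValueError on anything not shaped like a request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def relay(raw: bytes) -> Tuple[str, bytes]:
    """Decide on the client's request and, if permitted, build the request the
    gateway itself sends to the destination. Returns (verdict, payload): the
    outbound request bytes on permit, the reason on deny."""
    try:
        method, target, _version, headers, _body = parse_request(raw)
    except ValueError as e:
        return "deny", str(e).encode()

    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted".encode()

    url = urlsplit(target)   # proxy-style absolute URL, or origin form with a Host header
    host = url.hostname or headers.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return "deny", f"host {host!r} not permitted".encode()

    path = url.path or "/"
    if url.query:
        path += "?" + url.query

    # A fresh request rather than the client's bytes: only allow-listed headers
    # are copied, and the TCP connection to the server is the gateway's own.
    out = [f"{method} {path} HTTP/1.1", f"Host: {host}",
           f"Via: 1.1 {GATEWAY_NAME}", "Connection: close"]
    for name in PASSTHROUGH_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    return "permit", ("\r\n".join(out) + "\r\n\r\n").encode()


if __name__ == "__main__":
    # Constructed client requests, including one attempting a CONNECT tunnel.
    for req in [
        b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: demo\r\nCookie: secret=1\r\n\r\n",
        b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    ]:
        print(relay(req))
```

Because the gateway rebuilds the request, headers it was not told to pass (the Cookie header in the first sample) never leave the premises network, which is what makes the proxy rather than the client the apparent origin of every outbound connection.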