Firewalls concept in Network Security

V.Ramalinga Raju
Gokaraju Rangaraju Institute of Engineering & Technology
Bachupally, Hyderabad
ramalingarajuv@yahoo.com

Abstract

A firewall is hardware, software, or a Attackers are Leaking Information From

combination of both that is used to Internet To Private Network and Adding
prevent unauthorized programs or Content To Internet From Private
Internet users from accessing a private Network.
network and/or a single computer.

Firewall Is Like Gate man In a Person

House .When Gate Man Check Incoming
Persons He Has Any Doubt Same Way
Firewall Checks All Incoming and
Outgoing Packets .Any Unauthorized
Packets Discarded .Authorized Packets
Only Allowed.

The term "fire wall" originally meant,

and still means, a fireproof wall
intended to prevent the spread of fire
from one room or area of a building to
another. The Internet is a volatile and
unsafe environment when viewed from a
computer-security perspective, therefore
"firewall" is an excellent metaphor for
network security. 1.1 Solutions

1. Why Firewall came Into The Two Problems In Networks Can

be Solved using Two
Existence
Network So Many No of Users &
Computers.
Communication b/w Computers In The
Network Some problems Arise.
1.Leaking of Information Internet To
Private Network.
2.Adding of Information Private
Network To Internet.
1. Encryption
2. Firewall
 Encryption can’t solve all
problems the best is Firewall
Firewall Is Like Gate man In a
Person House .When Gate Man
Check Incoming Persons He Has
Any Doubt Same Way Firewall
Checks All Incoming and Outgoing
Packets.

1
2. Introduction To Firewall
Firewall helps protecting your computer
by preventing unauthorized users from
gaining access to your computer through
a network or internet.
The term "fire wall" originally meant,
and still means, a fireproof wall intended
to prevent the spread of fire from one
room or area of a building to another.
The Internet is a volatile and unsafe
environment when viewed from a
computer-security perspective, therefore
"firewall" is an excellent metaphor for
network security.
In computer networking, the term
firewall is not merely descriptive of a
general idea. It has come to mean some
very precise things.
2.1 What Is Firewall
A firewall is hardware, software, or a
combination of both that is used to
prevent unauthorized programs or
Internet users from accessing a private
network and/or a single computer
Firewall Is Like Gate man In a Person
House .When Gate Man Check
Incoming Persons He Has Any Doubt
Same Way Firewall Checks All
Incoming and Outgoing Packets .Any
Unauthorized Packets Discarded
.Authorized Packets Only Allowed.
A security system that acts as a
protective boundary between a network
and the outside world.
Isolates a computer or network from the
“outside” based on a defined set of rules
Inspects each individual "packet" of data
as it arrives at either side of the firewall
Maintains a state table.
Determine whether traffic should be
allowed to pass or be blocked.
Firewall b/w the Internet And Private
Network.
All Must pass Through Firewall.
All Incoming from Internet And
Outgoing from Private Network Must
pass Through Firewall.
2.2 Firewall Goals
1.All traffic from outside to inside and
vice-versa passes through the firewall.
2.Only authorized traffic, as defined by
local security policy, will be allowed to
pass.
3.The firewall itself is immune to
penetration
2.3 Firewall Rules
1.Allow – traffic that flows
automatically because it has been
deemed as “safe” (Ex. Meeting Maker,
Eudora, etc.
2
2.Block – traffic that is blocked because
it has been deemed dangerous to your
computer
3.Ask – asks the user whether or not the
traffic is allowed to pass through
2.4 Firewall Limitations
1.Viruses - not all firewalls offer
protection against computer viruses as
there are many ways to encode files and
transfer them over the Internet.
2. Attacks - firewalls can’t protect
against attacks that don’t go through the
firewall. For example, your firewall may
restrict access from the Internet, but may
not protect your equipment from dial in
access to your computer systems
3. Architecture - firewalls reflect the
overall level of security in the network.
An architecture that depends upon one
method of security or one security
mechanism has a single point of failure
and may open the organization to
intruders.
4. Configuration - a firewall can't tell
you if it has been incorrectly configured.
Only professionals have the experience
to minimize security risks.
5. Monitoring - firewalls can’t notify
you if someone has hacked into your
network. Many organizations need
additional security monitoring tools.
2.5 Need Of Firewall
what Happens if we don’t use firewall:
1.subnet system expose themselves to
inherently insecure services such as NFS
or NIS to probes and attacks from hosts
elsewhere on the network.
2. network security relies totally on host
security and all hosts must,in a sense,
cooperate to achieve a uniformly high
level of security
3. the larger the subnet, the less
manageable it is to maintain all hosts at
the same level of security
3. Firewall Types
Two types of firewalls
1. Hardware Firewall(Router
Firewall)
2. Software Firewall(windows
Firewall)
3.1 Hardware vs. Software Firewalls
Hardware Firewalls(Router firewall)
 Protect an entire network
 Implemented on the router
level
 Usually more expensive,
harder to configure
Software Firewalls(Windows firewall)
 Protect a single computer
 Usually less expensive,
easier to configure
 Implemented in single
System
3.2 Hardware Firewall or Router
Firewall
1.Hardware Firewall implemented In
Entire Network.
2.Hardware Firewall Cost is High.
Implementation Can Be Done At Router
Level.
3.In Hardware Firewall Include Internet
and Private Network.
4.Firewall b/w the Internet and Private
Network.
5.Authorized Request Must pass
Through Firewall. Un Authorized
3
Request don’t pass Through The 4 . Classification of Firewalls
Firewall.
Classification Is 3 Types

1. Packet filtering
2. Application gateways
3. Circuit gateways

4.1 Packet Filter Firewall

1.Work at the network level.

2.compared to a set of criteria before it is
forwarded.

3.3 Software Firewall or Windows

Firewall
1.Software Firewall Implemented In
Single System.
2.Software Firewall Is Low Cost.
3.Configure Is Very High.
4.Software Firewall Implemented In
AVG antivirus.
5.Software Firewall b/w The Single
System and Internet.

3.Simplest of components
4.Uses transport-layer information only
IP Source Address,
Destination Address
Protocol/Next Header (TCP, UDP,
ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH,
etc)
ICMP message type
5.Examples
DNS uses port 53

4
No incoming port 53 packets except
known trusted servers
Usage of Packet Filters
1.Filtering with incoming or outgoing
interfaces.
E.g., Ingress filtering of spoofed IP
addresses
Egress filtering
2.Permits or denies certain services.
Requires intimate knowledge of TCP
and UDP port utilization on a number of
operating systems
How to Configure a Packet Filter
1.Start with a security policy.
2.Specify allowable packets in terms of
logical expressions on packet fields.
3.Rewrite expressions in syntax
supported by your vendor.
4.General rules - least privilege.
All that is not expressly permitted is
prohibited.
If you do not need it, eliminate it.
Advantages and disadvantages of
traditional packet filters
Advantages
One screening router can protect entire
network.
Can be efficient if filtering rules are kept
simple.
Widely available. Almost any router,
even Linux boxes.
Disadvantages
Can possibly be penetrated.
Cannot enforce some policies. For
example, permit certain users.
Rules can get complicated and difficult
to test.
Security & Performance of Packet
Filters
1.IP address spoofing.
Fake source address to be trusted
Add filters on router to block
2.Tiny fragment attacks
Split TCP header info over several tiny
packets
Either discard or reassemble before
check
3.Degradation depends on number of
rules applied at any point.
4.Order rules so that most common
traffic is dealt with first.
5.Correctness is more important than
speed.
4.2 Application Gateway
1.work at the application layer.
2.Incoming or outgoing packets cannot
access services for which there is no
proxy .
3.filter application specific commands.
4.can also be used to log user activity
and logins.
5.Gateway sits between user on inside
and server on outside. Instead of talking
5
directly, user and server talk through  NTP (Network Time
proxy. Protocol)
 custom services
6.Allows more fine grained and generally not supported
sophisticated control than packet
filtering. For example, ftp server may 4.3 Circuit Gateway
not allow files greater than a set size.
7.A mail server is an example of an 1.work at the session layer.
application gateway. 2.monitor TCP handshaking between
Can’t deposit mail in recipient’s mail packets to determine whether a
server without passing through sender’s requested session is legitimate.
mail server . 3.Information passed to remote
Advantages and disadvantages of computer through a circuit level gateway
proxy gateways appears to have originated from the
gateway.
Advantages
Proxy can log all connections, activity in
connections.
Proxy can provide caching.
Proxy can do intelligent filtering based
on content.
Proxy can perform user-level
authentication.

Disadvantages
Not all services have proxied versions.
May need different proxy server for each
service.
Requires modification of client.
Performance.

Application-Level Filtering

Has full access to protocol

 user requests service from
proxy
 proxy validates request as
legal
 then actions request and
returns result to user
Need separate proxies for each service
 E.g., SMTP (E-Mail)
 NNTP (Net news)
 DNS (Domain Name
System)
4.two TCP connections
5.Imposes security by limiting which
such connections are allowed
6.Once created usually relays traffic
without examining contents
7.Typically used when trust internal
users by allowing general outbound
connections
8.SOCKS commonly used for this

6
Bastion Host
 Highly secure host system 5.1 Screened Host Firewall
 Potentially exposed to "hostile"
elements
 Hence is secured to withstand
this
 Disable all non-required
services; keep it simple
 Trusted to enforce trusted
separation between network
connections
 Runs circuit / application level
gateways
 Install/modify services
you want
 Or provides externally accessible
services

Advantages and disadvantages of

circuit gateways

Advantages
relatively inexpensive
hiding information about the private
network
Disadvantages
they do not filter individual packets
5 . Firewall Topology
3 Types of Topology in Firewall
1) Screened Host Firewall
2) Dual Homed Host Firewall
3) Screened Subnet Firewall
In this Type Of Topology one packet
Filter Firewall and one Bastion
Host(Application Gateway).
When Information Coming From
Internet To Private Network First pass
Through Screening Router(Packet
Filter).
Packet Filter applying Some Rules On
Each Ip Packet.
After Ip Packet Pass Through Bastion
Host They Can Check Authentication
Finally Pass Through Private Network.
One Drawback is Attackers In The
Internet can Easily access Private
Network Because Of No Bastion Host
Between Internet And Private Network
• Provides services from a host
attached to internal network
• Security provided by packet
filtering
– only certain operations
allowed (e.g. deliver
email)

7
 – outside connections can
only go to bastion host
• allow internal hosts to originate
connections over Internet
• if bastion host is compromised.
5.2 Dual Homed Host Firewall
Through Bastion Host and Enter Into
Private Network
• Built around dual-homed host
computer
• Disable ability to route between
networks
– packets from Internet are
not routed directly to the
internal network
– services provided by
proxy
– users log into dual-homed
host to access Internet
– user accounts present
security problems

Advantage
Security Is More Then Screened Host
Firewall
Two Bastion Host

5.3 Screened Subnet Firewall

In this Type Of Topology one packet

Filter Firewall and Two Bastion
Host(Application Gateway).
When Information Coming From
Internet To Private Network First pass
Through Screening Router(Packet
Filter).
Packet Filter applying Some Rules On
Each Ip Packet.
After Ip Packet Pass Through Bastion
Host They Can Check Authentication
Finally Pass Through Private Network.
Dual Homed Host Firewall Security is
More then Screened Host Firewall
Because Of They Compulsory Pass

8
 – does most of packet
filtering for firewall
– allows selected outbound
services from internal
network
– limit services between
bastion host and internal
network

Advantage
Security Is More.

In this Type Of Topology Two packet

Filter Firewall and one Bastion 6. Conclusion
Host(Application Gateway).
One Packet Filter Firewall Is Between
In conclusion inter net is the dangerous
Internet and Bastion Host. The packet
place..
Filter Firewall Is Known As Exterior
Without firewall not connected to
Router.
internet.
Second Packet Filter Firewall Is
Firewall protect private file from
Between Bastion Host and Private
outsiders.
Network. The Packet Filter Firewall Is
Hacker crackers and viruses and harm
Known As Interior Host.
full for personal data.
Security Is More Then Other Two
Firewall provide necessary security for
Topologies Because of Two Packet
such type of illegal access.
Filter Firewall .
Exterior router (access router)
– protects DMZ and
7. Future Scope
internal network from
Internet
Firewall technology has evolved
Interior router (choke router) significantly since the days of basic
packet filters and network address
– protects internal network
translation. We now have not just
from Internet and DMZ firewalls but “intrusion detection

9
devices”, which do far more complex
things to the traffic they see in an
attempt to prevent the network from
being attacked. So where are firewalls
going? The main problem with today’s
firewall technology is that it’s doing so
much work that as the capacity of the
average Internet connection grows, the
firewall becomes a bottleneck. This is
hardly surprising. Many of today’s
firewalls don’t just filter packets but also
do clever stuff like checking whether
incoming Java applets contain dangerous
code, or decoding email messages and
passing their attachments to an AV
package for analysis. The other problem
with doing loads of different functions
within a single firewall is that no one
product will manage to be the “best of
breed”. Generally, you find that a multi-
function device does all things
averagely, instead of doing any one
function brilliantly. This is addressed by
some firewall manufacturers, who
instead of doing advanced work such as
AV protection internally, pass the task to
an external system running a mainstream
application with a reputation for
excellence in its field. Strangely, though,
the current penchant for bundling
firewalls as all-in-one “appliances” goes
against this idea, and security can only
suffer as a consequence. Sharing the
load
So how do we address these issues of
bottlenecking and fitness for purpose? It
seems to us that the obvious way is to
move away from having a firewall
device, toward having an “edge
network” of smaller devices. Each of
these would perform their own particular
function under the supervision of a
“master” device, possibly the firewall
itself, but not necessarily relying on the
firewall for intercommunication.
Transmissions have to negotiate their
way through all relevant components of
this “edge network” before being
allowed into the corporate network.
Imagine an email arrives in the network.
The firewall checks that it’s destined for
the right server, on the right port, and
verifies that it’s passed the basic entry
criteria. It then passes it on to an email
decoder for the attachments to be
extracted. The email decoder knows that
before it can do anything with the
message, it needs to examine the
attachments for viruses, so it unbundles
them and passes them to an AV package.
The AV package verifies that the files
are clean, and notifies this fact to the
email decoder, which knows it can now
pass the original message on to the email
server for delivery. For each type of
incoming and outgoing traffic, a similar
type of workflow arrangement is
implemented, with each device in the
network knowing (a) how to do its own
job and (b) what to do with the results
should the test it’s performing pass or
fail. Learn from ERP
This kind of workflow implementation is
commonplace in corporate ERP systems.
Since network protection is no longer a
basic filtering exercise but a vast pile of
intricate logic with some nasty,
nondeterministic heuristics thrown in for
good measure, it’s not unreasonable to
think that ERP-style workflow
management might be a useful addition.
Because there’s a large amount of
processing to be done to analyse the
traffic, it’s also sensible to think that
there would be several separate
machines sharing the load and passing
messages between each other. Some
machines would be dedicated to one task
(e.g. AV processing) while others could
handle two or three lesser tasks. Taking
the concept to extremes, one can
imagine the “edge network” as
10
comprising a collection of general-
purpose machines that simply do the
jobs they’re asked to do by a central
scheduler. So far, we’ve mentioned the
concept of having (say) an AV machine
that does AV processing on request, and
an email decoder for extracting
attachments, with the data that needs
processing being passed in by external
devices. Imagine for a moment that we
simply have a cluster of general purpose
machines, with no specific purpose.
Instead of passing data in for processing,
the external device passes in both the
data and the code it wants to run on the
data. So one minute a machine is
receiving a message that says: “Here’s
some data to check for viruses and
here’s the code you need to use to do the
check” and the next it’s hearing: “Please
decode these emails and pull out the
attachments – here’s a lump of code you
can use to do it”.
8. References
[1]Allman, E., "Sendmail - An
Internetwork Mail Router", University of
California, Berkeley, Issued with the
BSD UNIX documentation
set, 1983.
[2]Postel, J., "Simple Mail Transfer
Protocol", RFC 821,
USC/InformationSciences Institute,
August 1982.
[3]Harrenstien,K., "NAME/FINGER",
RFC 742, SRI, December 1977.
[4]Internet Activities Board, "Ethics and
the Internet", RFC 1087,IAB, January
1989. Also appears in the
Communications of the ACM, Vol. 32,
No. 6, Pg. 710, June 1989.
[5]National Science Foundation, "NSF
Poses Code of Networking Ethics",
Communications of the ACM, Vol. 32,
No. 6, Pg. 688,June 1989. Also appears
in the minutes of the regular meeting of
the Division Advisory Panel for
Networking and Communications
Research and Infrastructure, Dave
Farber, Chair, November 29-30 1988.
[6]Massachusetts Institute of
Technology, "Teaching Students About
Responsible Use of Computers", MIT,
1985-1986. Also reprinted in the
Communications of the ACM, Vol. 32,
No. 6, Pg. 704,
Athena Project, MIT, June 1989.
[7]Computer Professionals for Social
Responsibility, "CPSR
Statement on the Computer Virus",
CPSR, Communications of the ACM,
Vol. 32, No. 6, Pg. 699, June 1989.
[8]Eisenberg, T., D. Gries, J. Hartmanis,
D. Holcomb, M. Lynn, and T. Santoro,
"The Computer Worm", Cornell
University,6 February 1989.
[9]Eichin, M., and J. Rochlis, "With
Microscope and Tweezers: An
Analysis of the Internet Virus of
November 1988", Massachusetts
Institute of Technology, February 1989.
[10]Seeley, D., "A Tour of the Worm",
Proceedings of 1989 Winter
USENIX Conference, Usenix
Association, San Diego, CA, February
1989.
[11]Spafford, E., "The Internet Worm
Program: An Analysis",
ComputerCommunication Review, Vol.
19, No. 1, ACM SIGCOM, January
11
1989.Also issued as Purdue CS
Technical Report CSD-TR-823, 28
November 1988.

[12]DCA DDN Defense

Communications System, "DDN
Security Bulletin 03", DDN Security
Coordination Center, 17 October 1989.

12