V.Ramalinga Raju
Gokaraju Rangaraju Institute of Engineering & Technology
Bachupally, Hyderabad
ramalingarajuv@yahoo.com
Abstract
2. Introduction To Firewall

A firewall helps protect your computer by preventing unauthorized users from gaining access to it through a network or the Internet.

The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security.

In computer networking, the term firewall is not merely descriptive of a general idea. It has come to mean some very precise things.

A firewall is like the gateman of a person's house: the gateman checks every incoming person and stops anyone he has any doubt about. In the same way, a firewall checks all incoming and outgoing packets; any unauthorized packet is discarded and only authorized packets are allowed.

A firewall is a security system that acts as a protective boundary between a network and the outside world. It:
• Isolates a computer or network from the "outside" based on a defined set of rules.
• Inspects each individual "packet" of data as it arrives at either side of the firewall.
• Maintains a state table.
• Determines whether traffic should be allowed to pass or be blocked.

The firewall sits between the Internet and the private network. All traffic must pass through the firewall: everything incoming from the Internet and everything outgoing from the private network must pass through the firewall.
2. Block – traffic that is blocked because it has been deemed dangerous to your computer.
3. Ask – asks the user whether or not the traffic is allowed to pass through.

2. Network security relies totally on host security, and all hosts must, in a sense, cooperate to achieve a uniformly high level of security.
3. The larger the subnet, the less manageable it is to maintain all hosts at the same level of security.
The request does not pass through the firewall.

4. Classification of Firewalls

Firewalls are classified into 3 types:
1. Packet filtering
2. Application gateways
3. Circuit gateways

4.1 Packet Filtering

3. Simplest of components.
4. Uses transport-layer information only:
   IP source address, destination address
   Protocol/Next Header (TCP, UDP, ICMP, etc.)
   TCP or UDP source & destination ports
   TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
   ICMP message type
5. Examples:
   DNS uses port 53.
   No incoming port 53 packets except from known trusted servers.

Security & Performance of Packet Filters

Advantages
• One screening router can protect an entire network.
• Can be efficient if filtering rules are kept simple.
• Widely available: almost any router, even Linux boxes.

Disadvantages
• Can possibly be penetrated.
• Cannot enforce some policies, for example permitting only certain users.
• Rules can get complicated and difficult to test.

4.2 Application Gateway

5. The gateway sits between the user on the inside and the server on the outside. Instead of talking directly, user and server talk through a proxy.
6. Allows more fine-grained and sophisticated control than packet filtering. For example, an FTP server may not allow files greater than a set size.
7. A mail server is an example of an application gateway: you can't deposit mail in the recipient's mail server without passing through the sender's mail server.

Advantages and disadvantages of proxy gateways

Advantages
• Proxy can log all connections and all activity in connections.
• Proxy can provide caching.
• Proxy can do intelligent filtering based on content.
• Proxy can perform user-level authentication.

Disadvantages
• Not all services have proxied versions.
• May need a different proxy server for each service.
• Requires modification of the client.
• Performance.
• NTP (Network Time Protocol) and custom services are generally not supported.

Application-Level Filtering

4.3 Circuit Gateway

1. Works at the session layer.
2. Monitors TCP handshaking between packets to determine whether a requested session is legitimate.
3. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.
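The header fields a packet filter inspects (source/destination address, protocol, ports, TCP flags, ICMP type), the paper's port-53 rule and the state table mentioned in the introduction, as an added worked example in Python (not code from the paper): a stateless screening-router rule set beside a stateful version, showing why the paper calls packet filters "possibly penetrable" and what the state table adds. The internal prefix, the trusted DNS server and all packets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Packet fields mirror the header values the paper lists for packet filters.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()  # TCP flags such as {"SYN", "ACK"}
    icmp_type: Optional[int] = None

INTERNAL = "198.51.100."            # constructed private-network prefix
TRUSTED_DNS = {"192.0.2.53"}        # constructed "known trusted servers"

def is_inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(INTERNAL)

def stateless_decision(pkt: Packet) -> str:
    """Screening-router rules: first match wins, default accept."""
    if is_inbound(pkt):
        # Paper's example: no incoming port 53 packets except trusted servers.
        if pkt.dport == 53 and pkt.src not in TRUSTED_DNS:
            return "DROP"
        # Outside may not open TCP connections: drop a bare SYN (no ACK).
        if pkt.proto == "TCP" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "DROP"
        if pkt.proto == "ICMP" and pkt.icmp_type == 8:   # echo request
            return "DROP"
    return "ACCEPT"

class StatefulFilter:
    """Same rules plus a state table: inbound TCP is accepted only when it
    belongs to a flow that an internal host originated."""
    def __init__(self) -> None:
        self.state: set = set()      # (inside_ip, inside_port, outside_ip, outside_port)

    def decision(self, pkt: Packet) -> str:
        verdict = stateless_decision(pkt)
        if is_inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if pkt.proto == "TCP" and key not in self.state:
                return "DROP"        # a stray ACK probe passes the stateless rules but fails here
            return verdict
        if verdict == "ACCEPT" and pkt.proto == "TCP":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict
```

A real filter would also age entries out of the state table and track the handshake flags, which this example omits.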
Bastion Host
• Highly secure host system.
• Potentially exposed to "hostile" elements; hence it is secured to withstand this.
• Disable all non-required services; keep it simple.
• Trusted to enforce trusted separation between network connections.
• Runs circuit / application level gateways (install or modify the services you want), or provides externally accessible services.

Advantages
• Relatively inexpensive.
• Hides information about the private network.

Disadvantages
• They do not filter individual packets.

5. Firewall Topology

There are 3 types of firewall topology:
1) Screened Host Firewall
2) Dual Homed Host Firewall
3) Screened Subnet Firewall

5.1 Screened Host Firewall

In this type of topology there is one packet-filter firewall and one bastion host (application gateway). Information coming from the Internet to the private network first passes through the screening router (packet filter), which applies some rules to each IP packet. The IP packet then passes through the bastion host, which can check authentication, and finally passes into the private network. One drawback is that attackers on the Internet can easily access the private network because there is no bastion host between the Internet and the private network.

• Provides services from a host attached to the internal network
• Security provided by packet filtering
  – only certain operations allowed (e.g. deliver email)
  – outside connections can only go to the bastion host
• allow internal hosts to originate connections over the Internet
• if the bastion host is compromised.

5.2 Dual Homed Host Firewall

... through the bastion host and enters the private network.
• Built around a dual-homed host computer
• Disable the ability to route between networks
  – packets from the Internet are not routed directly to the internal network
  – services provided by proxy
  – users log into the dual-homed host to access the Internet
  – user accounts present security problems

Advantage
Security is greater than with the screened host firewall.

5.3 Screened Subnet Firewall

Two bastion hosts.
  – does most of the packet filtering for the firewall
  – allows selected outbound services from the internal network
  – limits services between the bastion host and the internal network

Advantage
Security is greater still.
devices”, which do far more complex things to the traffic they see in an attempt to prevent the network from being attacked. So where are firewalls going? The main problem with today’s firewall technology is that it’s doing so much work that as the capacity of the average Internet connection grows, the firewall becomes a bottleneck. This is hardly surprising. Many of today’s firewalls don’t just filter packets but also do clever stuff like checking whether incoming Java applets contain dangerous code, or decoding email messages and passing their attachments to an AV package for analysis. The other problem with doing loads of different functions within a single firewall is that no one product will manage to be the “best of breed”. Generally, you find that a multi-function device does all things averagely, instead of doing any one function brilliantly. This is addressed by some firewall manufacturers, who instead of doing advanced work such as AV protection internally, pass the task to an external system running a mainstream application with a reputation for excellence in its field. Strangely, though, the current penchant for bundling firewalls as all-in-one “appliances” goes against this idea, and security can only suffer as a consequence.

Sharing the load

So how do we address these issues of bottlenecking and fitness for purpose? It seems to us that the obvious way is to move away from having a firewall device, toward having an “edge network” of smaller devices. Each of these would perform their own particular function under the supervision of a “master” device, possibly the firewall itself, but not necessarily relying on the firewall for intercommunication. Transmissions have to negotiate their way through all relevant components of this “edge network” before being allowed into the corporate network. Imagine an email arrives in the network. The firewall checks that it’s destined for the right server, on the right port, and verifies that it’s passed the basic entry criteria. It then passes it on to an email decoder for the attachments to be extracted. The email decoder knows that before it can do anything with the message, it needs to examine the attachments for viruses, so it unbundles them and passes them to an AV package. The AV package verifies that the files are clean, and notifies this fact to the email decoder, which knows it can now pass the original message on to the email server for delivery. For each type of incoming and outgoing traffic, a similar type of workflow arrangement is implemented, with each device in the network knowing (a) how to do its own job and (b) what to do with the results should the test it’s performing pass or fail.

Learn from ERP

This kind of workflow implementation is commonplace in corporate ERP systems. Since network protection is no longer a basic filtering exercise but a vast pile of intricate logic with some nasty, nondeterministic heuristics thrown in for good measure, it’s not unreasonable to think that ERP-style workflow management might be a useful addition. Because there’s a large amount of processing to be done to analyse the traffic, it’s also sensible to think that there would be several separate machines sharing the load and passing messages between each other. Some machines would be dedicated to one task (e.g. AV processing) while others could handle two or three lesser tasks. Taking the concept to extremes, one can imagine the “edge network” as comprising a collection of general-purpose machines that simply do the jobs they’re asked to do by a central scheduler. So far, we’ve mentioned the concept of having (say) an AV machine that does AV processing on request, and an email decoder for extracting attachments, with the data that needs processing being passed in by external devices. Imagine for a moment that we simply have a cluster of general purpose machines, with no specific purpose. Instead of passing data in for processing, the external device passes in both the data and the code it wants to run on the data. So one minute a machine is receiving a message that says: “Here’s some data to check for viruses and here’s the code you need to use to do the check” and the next it’s hearing: “Please decode these emails and pull out the attachments – here’s a lump of code you can use to do it”.