
HET105 Professional Skills Telecommunications

Engineering Faculty Swinburne University of Technology Technical Report

Network Security with Firewall.

Rina Eryssha Mohd Yazah ID: 6615848 Date of submission: 14th May 2009.

Executive Summary

The aim of this report is to provide a clear view of what firewall security is. Firewall security is one of the technologies made to help users secure a computer network system. It is an effective tool used for intrusion detection and provides protection against attacks on the computer system or network. The protection a firewall gives is critical, as attacks or intrusions can come from many different sources. Lately, there has been a tremendous increase in awareness of and research relating to firewall systems. This report will first define the firewall, recollect some of its historical background and discuss how and when firewalls can be utilized as security in the networking environment. The second part of the report will discuss the currently available firewall systems and review its future technologies.

Contents

1.0 Introduction
1.1 What is firewall?
1.2 History of firewall
1.3 How does the firewall work and when to use it?
1.4 Current firewall technologies
1.5 Future development
2.0 Conclusions
3.0 References
4.0 Appendixes

1.0 Introduction

1.1 What is Firewall?

Network security has become important as there has been a rapid increase in Internet usage over the past decade. It needs to be taken seriously, as the majority of users do not know, or have no basic understanding of, what they are at risk from. When you connect your private network to the Internet, you are physically connecting your network to well over 50,000 unknown networks and all of their users. While such connections open the door to many useful applications and provide great opportunities for information sharing, most private networks contain some information that should not be shared with outside users on the Internet. In addition, not all Internet users are involved in lawful activities (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch2.htm). According to figure 1,

Figure 1: Home Computer and Internet Use in the United States: August 2000, September 2001, <http://www.census.gov/prod/2001pubs/p23-207.pdf>.

A firewall is an important security component in a computer networking system. Ingham and Forrest (2002) defined a firewall as a machine or collection of machines between two networks that meets the following criteria:

i. The firewall is at the boundary between the two networks;
ii. All traffic between the two networks must pass through the firewall;
iii. The firewall has a mechanism to allow some traffic to pass while blocking other traffic. The rules describing what traffic is allowed enforce the firewall's policy.

Many experts have emphasized the importance of the firewall as a computer security system; for example, (source?) stressed the need for an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. A firewall is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria (Wikipedia, 2009). Firewalls are an important line of defense for any computer network; they are often the only defense against rogue users mounting attacks from within and outside the network. As long as a computer is connected to another computer, there are always security risks.

1.2 History of Firewall

The term "firewall" originally meant a wall to confine a fire or potential fire within a building (cf. firewall (construction)); in networking the term emerged in the late 1980s, when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors of firewalls for network security were the routers used in the late 1980s to separate networks from one another. The view of the Internet as a relatively small community of compatible users who valued openness for sharing and collaboration was ended by a number of major Internet security breaches which occurred in the late 1980s.

The growth of firewalls coincides with the increase in computer usage. Avolio (1999) asserted that interest in and knowledge about computer and network security is growing along with the need for it. This interest is, no doubt, due to the continued expansion of the Internet and the increase in the number of businesses that are migrating their sales and information channels to the Internet. The growth in the use of networked computers in business, especially for e-mail, has also fuelled this interest.
According to ___________, in the past most firewalls have been implemented as software solutions running under an operating system, which process or scan one particular protocol. The performance of such systems is adequate for speeds of up to 100 Mbit/s, but not for the rapid uptake of gigabit Ethernet: it has been stated that a single fast computer is not capable of filtering packets traversing gigabit Ethernet, as this consumes valuable CPU resources, and because of the sequential processing nature of software these solutions are too slow to keep pace (Ly and Bigdell, 2005).

1.3 How does the firewall work and when to use it?

Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. (Wikipedia is not a good source; find another source?) Uncomplicated Firewall (ufw) is a firewall that is designed to be easy to use. It uses a command line interface consisting of a small number of simple commands, and uses iptables for configuration (refer to diagram A in Appendix 1).

An Internet firewall has the following properties: it is a single point between two or more networks where all traffic must pass (choke point); traffic can be controlled by and may be authenticated through the device; and all traffic is logged (Cheswick, 1990).

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. (Curtin, 2001)

Firewalls are an excellent place to focus security decisions and to enforce a network security policy. They are able to efficiently log internetwork activity, and limit the exposure of an organization. Firewalls are a stopgap measure needed because many services are developed that operate either with poor security or no security at all (Shimomura and Markoff, 1996).

1.4 Current firewall technologies

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems. Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world, which helps prevent vandals from logging into machines on your network. Firewalls are also important since they can provide a single "choke point", where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, and how many attempts there were to break into it. (Curtin, 2001)

According to Avolio (1999), there are currently four types of firewall techniques, listed as follows:

1. Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Firewall technology in TCP/IP internetworks provides a mechanism to help enforce access policies on communication traffic entering or leaving networks. Usually an "inside" network domain is protected against an "outside" untrusted network, or parts of a network are protected against each other. A firewall is a security architecture placed on the data transmission path between networks, or on a bastion host placed in a demilitarized zone network between the inside and the outside. In current firewall practice, security policies are translated into simple lists of rules. Each rule explicitly or implicitly allows or denies data through the firewall based on some semantic interpretation of the data contents. Rules interact with each other, for example through their order. Different types of firewalls operate on different layers of abstraction of passed data: network layer (packet filtering), transport layer (circuit-level), and application layer (application-level) (Lyles and Schuba, 1996).

Types of firewall

How Does Firewall Management Work?

(Source: http://www.secureworks.com/research/articles/firewall-security, accessed 29 March)

A firewall management program can be configured in one of two basic ways:

- A default-deny policy. The firewall administrator lists the allowed network services, and everything else is denied.
- A default-allow policy. The firewall administrator lists network services which are not allowed, and everything else is accepted.

A default-deny approach to firewall security is by far the more secure, but due to the difficulty in configuring and managing a network in that fashion, many networks instead use the default-allow approach. Let's assume for the moment that your firewall management program utilizes a default-deny policy, and you only have certain services enabled that you want people to be able to use from the Internet. For example, you have a web server which you want the general public to be able to access. What happens next depends on what kind of firewall security you have.

Packet filtering firewall

This type of firewall has a list of firewall security rules which can block traffic based on IP protocol, IP address and/or port number. Under this firewall management program, all web traffic will be allowed, including web-based attacks. In this situation, you need to have intrusion prevention, in addition to firewall security, in order to differentiate between good web traffic (simple web requests from people browsing your website) and bad web traffic (people attacking your website). A packet filtering firewall has no way to tell the difference. An additional problem with packet filtering firewalls which are not stateful is that the firewall can't tell the difference between a legitimate return packet and a packet which pretends to be from an established connection, which means your firewall management system configuration will have to allow both kinds of packets into the network.

Stateful firewall
This is similar to a packet filtering firewall, but it is more intelligent about keeping track of active connections, so you can define firewall management rules such as "only allow packets into the network that are part of an already established outbound connection." You have solved the established connection issue described above, but you still can't tell the difference between "good" and "bad" web traffic. You need intrusion prevention to detect and block web attacks.
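To make the difference between the packet filtering firewall and the stateful firewall concrete, here is an added Python simulation (not from the report, and not the code of any firewall product) of a default-deny filter in front of a constructed 10.0.0.0/24 network whose public web server is at 10.0.0.80; all addresses, ports and rules are made up for the example.

```python
# Added example, not from the report: a default-deny packet filter, stateless vs stateful.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

INSIDE = "10.0.0."         # constructed private network prefix
WEB_SERVER = "10.0.0.80"   # constructed address of the public web server

class StatelessFilter:
    """Default-deny: a packet is admitted only if a listed rule matches.
    With no connection table, replies to outbound browsing can only be
    admitted by a broad rule, which also admits unsolicited packets."""
    def __init__(self):
        self.rules = [
            # anyone may reach the public web server on tcp/80
            lambda p: p.proto == "tcp" and p.dst == WEB_SERVER and p.dport == 80,
            # "return traffic" for outbound browsing: any tcp from source port 80;
            # a packet merely claiming to come from port 80 matches as well
            lambda p: p.proto == "tcp" and p.sport == 80 and p.dst.startswith(INSIDE),
        ]
    def inbound(self, p):
        return any(rule(p) for rule in self.rules)

class StatefulFilter(StatelessFilter):
    """Tracks connections seen leaving the network, so the broad 'from port 80'
    rule is dropped: only replies to recorded connections are admitted."""
    def __init__(self):
        super().__init__()
        self.rules = self.rules[:1]   # keep only the web-server rule
        self.established = set()      # (src, sport, dst, dport) of outbound flows
    def outbound(self, p):
        self.established.add((p.src, p.sport, p.dst, p.dport))
        return True                   # outbound traffic is assumed permitted
    def inbound(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.established:  # reversed 4-tuple
            return True
        return super().inbound(p)

def run_scenarios():
    """Inbound decisions (True = admitted) for a genuine reply, a packet posing as a reply but aimed at port 22, and a public web request."""
    browse = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 80)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, 40000)
    posing = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 22)
    webreq = Packet("198.51.100.7", WEB_SERVER, "tcp", 5555, 80)
    stateless, stateful = StatelessFilter(), StatefulFilter()
    stateful.outbound(browse)
    return {"stateless": [stateless.inbound(p) for p in (reply, posing, webreq)],
            "stateful": [stateful.inbound(p) for p in (reply, posing, webreq)]}
```

The stateless filter admits the "posing" packet because its broad return-traffic rule cannot tell a genuine reply from a packet that only looks like one, which is exactly the problem the stateful connection table removes; neither filter inspects the content of the admitted web request, so both still need intrusion prevention for that.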

Deep packet inspection firewall

An application firewall actually examines the data in the packet, and can therefore look at application layer attacks. This kind of firewall security is similar to intrusion prevention technology, and, therefore, may be able to provide some of the same functionality.

There are three caveats, however: first, for some vendors, the definition of "deep" extends to some particular depth in the packet and does not necessarily examine the entire packet. This can result in missing some kinds of attacks. Second, depending on the hardware, a firewall may not have adequate processing power to handle the deep packet inspection for your network. Be sure to ask questions about how much bandwidth it can handle while performing such inspection. And finally, embedded firewall management technology may not have the flexibility to handle all attacks.

Application-aware firewall
Similar to deep packet inspection, except that the firewall understands certain protocols and can parse them, so that signatures or rules can specifically address certain fields in the protocol. The flexibility of this approach to computer firewall protection is great and permits the signatures or rules to be both specific and comprehensive. There are no specific drawbacks to this approach to firewall security as generally it will yield improvements over a standard "deep packet inspection" approach. However, some actual attacks may be overlooked (false negatives) because the firewall security parsing routines are not robust enough to handle variations in real-world traffic.

Application proxy firewall

An application proxy acts as an intermediary for certain application traffic (such as HTTP, or web, traffic), checking it before passing it along. This type of firewall is similar to certain kinds of intrusion prevention. The implementation of a full application proxy is, however, quite difficult, and each proxy can only handle one protocol (e.g. web or incoming email). For an application proxy firewall to be effective as computer firewall protection, it has to be able to understand the protocol completely and to enforce blocking on violations of the protocol. Because implementations of the protocol being examined often do not follow the protocol correctly, or because implementers add their own extensions to a protocol, this can result in the proxy blocking valid traffic (false positives). Because of these kinds of problems, end users will often not enable these technologies.
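As an added example that is not from the report, the following Python code contrasts a deep-packet-inspection style substring match with an application-aware rule applied to the parsed HTTP request path, using a naive and a robust request parser; the policy (outside users may not reach /admin), the parsers and the sample requests are all constructed for illustration.

```python
# Added example, not from the report or any product: application-aware rules
# applied to parsed HTTP fields, with a naive and a robust request parser.
import re

BLOCKED_PREFIX = "/admin"   # constructed policy: outside users may not reach /admin

def parse_naive(raw: bytes):
    """Assumes CRLF line endings and exactly one space between tokens."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    return dict(zip(("method", "path", "version"), parts)) if len(parts) == 3 else None

def parse_robust(raw: bytes):
    """Also accepts bare LF endings and runs of blanks, which real clients do send."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    parts = re.split(r"[ \t]+", line.strip())
    return dict(zip(("method", "path", "version"), parts)) if len(parts) == 3 else None

def app_aware(raw: bytes, parser, fail_closed: bool) -> str:
    """The rule is applied to the parsed path field only."""
    req = parser(raw)
    if req is None:                       # parser could not make sense of the request
        return "BLOCK" if fail_closed else "ALLOW"
    return "BLOCK" if req["path"].startswith(BLOCKED_PREFIX) else "ALLOW"

def dpi(raw: bytes) -> str:
    """Plain deep-packet-inspection style: substring match anywhere in the packet."""
    return "BLOCK" if b"/admin" in raw else "ALLOW"

# constructed sample requests
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "admin": b"GET /admin/users HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "admin_lf": b"GET /admin/users HTTP/1.1\nHost: example.test\n\n",     # bare-LF variation
    "mention": b"POST /search HTTP/1.1\r\nHost: example.test\r\n\r\nq=/admin+docs",  # body only
}

def compare():
    """For each sample: (dpi, app-aware with naive parser, app-aware with robust parser)."""
    return {name: (dpi(raw), app_aware(raw, parse_naive, False), app_aware(raw, parse_robust, False))
            for name, raw in SAMPLES.items()}
```

The "admin_lf" row shows the false negative described above: the naive parser fails on bare-LF line endings, the rule never sees the path, and a fail-open design lets the request through, while the "mention" row shows the plain substring match blocking a harmless request (false positive) that the application-aware rule correctly allows.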

1.5 Future Development

2.0 Conclusions

A firewall is an important safety feature in a computer network system, especially for those linked directly to the Internet. It protects against threats from the outside, not only for large organizations but also for home users with full-time Internet connections, who are less likely to be well protected. Because of this we will likely see increased use of the distributed firewall architecture. The beginnings of a simple form of distributed firewall are already here, with personal firewalls being installed on individual machines. However, many organizations will require that these individual firewalls respond to configuration directives from a central policy server. This raises the vulnerability of the whole computer system to attack. The rise of email-based attacks is one example of this change. The future is likely to see further improvement of existing firewall systems to fight more sophisticated threats from outside.

3.0 References

Avolio, F. (1999). Firewalls and Internet Security, the Second Hundred (Internet) Years. The Internet Protocol Journal 2(2), June, 24-32. http://www.cisco.com/warp/public/759/ipj_2-2/ipj_2-2_fis1.html. Accessed 2009 March 20.

Chapman, D. B. and Zwicky, E. (1995). Building Internet Firewalls. O'Reilly and Associates, ISBN 1-56592-124-0.

Cheswick, B. (1990). The design of a secure Internet gateway. In USENIX 1990 Summer Conference. USENIX Association, Berkeley, CA. http://www.cheswick.com/ches/papers/gateway.ps. Accessed 2009 March 20.

Curtin, M. C. (2001). Firewalls FAQ, July 2001. http://www.interhack.net/pubs/fwfaq/. Accessed 2009 March 24.

Ingham, K. and Forrest, S. (2002). A History and Survey of Network Firewalls. The University of New Mexico Computer Science Department Technical Report 2002-37, p. 2. http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf. Accessed 2009 March 18.

Ly, S. and Bigdell, A. (2005). International Journal of Software Engineering & Knowledge Engineering, Vol. 15, Issue 2, pp. 363-371. Embedded Systems Research Group, Department of Electrical and Computer Engineering, University of Auckland, Auckland, New Zealand.

Shimomura, T. and Markoff, J. (1996). Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw, By the Man Who Did It. Warner Books, ISBN 0-7868-8913-6.

Lyles, J. B. and Schuba, C. L. (1996). A reference model for firewall technology and its implications for connection signaling. Tech. Rep. CSD-TR-94-061, Department of Computer Sciences, Purdue University, 1398 Computer Science Building, West Lafayette, IN 47907-1398. Reprinted in Proceedings Open Signaling Workshop, Columbia University, New York, NY, October 1996. https://www.cerias.purdue.edu/techreports-ssl/public/csd_94-061.pdf. Accessed 2002, Feb 20.

Wikipedia (2009). Firewall (networking). Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Firewall_(networking)#Types. Viewed 30th March 2009.

4.0 Appendix 1


Diagram 1: GUI (graphical user interface) for Uncomplicated Firewall (GUFW), a firewall system designed for Ubuntu (source: Super Ubuntu homepage, http://gufw.tuxfamily.org).

