Firewalls

A firewall is a network security device that monitors inbound and outbound network traffic and determines whether to allow or deny traffic based on security rules. Firewalls act as a barrier between internal and external networks like the Internet. The first firewalls were proxy firewalls that acted as a proxy for connections between networks. Later, stateful inspection firewalls were developed that examine the entire lifecycle of network connections and use context from previous connections to filter traffic. Modern next-generation firewalls provide additional features like intrusion prevention and advanced malware protection.

Uploaded by Min Min Zaw
Copyright © All Rights Reserved

Firewalls

What is a Firewall?
A firewall is a network security device that monitors inbound and outbound network
traffic and decides whether to permit or deny specific traffic based on a defined set of
security rules.

Firewalls have been a first line of defense in network security. They establish a barrier between
secured, controlled internal networks and untrusted outside networks, such as the Internet. A
firewall can be a hardware appliance or a software-based application.

Proxy firewall - initial way of securing an internal network

An early type of firewall, a proxy firewall serves as the entry and exit point from one
network to another for a specific application. Proxy servers can provide additional functionality
such as content caching and security by preventing direct connections from the external
network. However, this can also affect throughput and the range of applications they
can support.
Stateful inspection firewall
The other approach used in traditional networking is the stateful inspection firewall. This is
the baseline approach for protecting against attacks from the external world. A stateful inspection
firewall permits or denies traffic based on state, port, and protocol.
It monitors all activity from the opening of a connection until it is closed. Filtering
decisions are made based both on administrator-defined rules and on context,
which means using data from earlier connections and from packets belonging to the same
connection. The Cisco ASA is an example of a stateful inspection firewall.

Unified threat management (UTM) firewall

Many vendors sell UTM as a security appliance with extra features. A UTM
device typically combines the functions of a stateful inspection firewall with intrusion prevention
and antivirus. It may also include additional services and often cloud management. UTMs focus
on simplicity and ease of use.

Vendors that sell UTM appliances include Sophos, SonicWall and Fortinet.
Next-generation firewall (NGFW)

In the modern era, the NGFW is the current approach for safeguarding the internal network from the
Internet or the external world, since firewalls have grown beyond simple packet filtering and
stateful inspection. Most companies are deploying next-generation firewalls to block
modern threats such as advanced malware and application-layer attacks.

An NGFW provides features such as AVC (Application Visibility
and Control), IPS (Intrusion Prevention System) and AMP (Advanced Malware Protection),
with URL filtering as a necessary feature.

Vendors include Cisco, Palo Alto, Check Point, Fortinet, Forcepoint and others.


Firewalls History

• First generation - packet filters


The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC)
developed filter systems known as packet filter firewalls.

• Second generation - circuit level


From 1980-1990 two colleagues from AT&T Company developed the second generation of firewalls, known as circuit level
firewalls.

• Third generation - application layer


Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation
firewall, also known as proxy based firewalls.
Firewall Design Principles
• The firewall is inserted between the premises network and
the Internet
• Aims:
• Establish a controlled link
• Protect the premises network from Internet-based attacks
• Provide a single choke point

Firewall Characteristics
• Design goals:
• All traffic from inside to outside must pass through the firewall
(physically blocking all access to the local network except via the
firewall)
• Only authorized traffic (defined by the local security policy) will
be allowed to pass
• The firewall itself is immune to penetration (use of trusted system
with a secure operating system)

Firewall Characteristics
• Four general techniques:
• Service control
• Determines the types of Internet services that can be accessed, inbound
or outbound
• Direction control
• Determines the direction in which particular service requests are allowed
to flow
• User control
• Controls access to a service according to which user is attempting to
access it
• Behavior control
• Controls how particular services are used (e.g. filter e-mail)

Henric Johnson
Types of Firewalls

• Three common types of Firewalls:


• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways
• (Bastion host)

Firewalls – Packet Filters
Packet Filtering Firewall

• A packet filtering firewall is often called a network layer firewall because the filtering is primarily done at the network layer
(layer three) or the transport layer (layer four) of the OSI reference model.
Firewalls – Packet Filters
• Simplest of components
• Uses transport-layer information only
• IP Source Address, Destination Address
• Protocol/Next Header (TCP, UDP, ICMP, etc.)
• TCP or UDP source & destination ports
• TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
• ICMP message type
• Examples
• DNS uses port 53
• No incoming port 53 packets except known trusted servers
Packet Filtering Firewall

Packet filtering rules or filters can be configured to allow or deny traffic based on one or more of the following variables:

• Source IP address
• Destination IP address
• Protocol type (TCP/UDP)
• Source port
• Destination port
Usage of Packet Filters
• Filtering with incoming or outgoing interfaces
• E.g., Ingress filtering of spoofed IP addresses
• Egress filtering
• Permits or denies certain services
• Requires intimate knowledge of TCP and UDP port utilization on
a number of operating systems
Security & Performance of Packet Filters
• IP address spoofing
• Fake source address to be trusted
• Add filters on router to block
• Tiny fragment attacks
• Split TCP header info over several tiny packets
• Either discard or reassemble before check
• Degradation depends on number of rules applied at any
point
• Order rules so that most common traffic is dealt with first
• Correctness is more important than speed
Port Numbering
• TCP connection
• Server port is number less than 1024
• Client port is number between 1024 and 16383
• Permanent assignment
• Ports <1024 assigned permanently
• 20,21 for FTP 23 for Telnet
• 25 for server SMTP 80 for HTTP
• Variable use
• Ports >1024 must be available for client to make any connection
• This presents a limitation for stateless packet filtering
• If client wants to use port 2048, firewall must allow incoming traffic on this
port
• Better: stateful filtering knows outgoing requests
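As an added example (not part of the slides), a constructed Python model of a stateless packet filter: an ordered rule list is evaluated over the header fields listed above, first match wins, and everything else is denied. It includes the ingress anti-spoofing rule, the "port 53 only from trusted servers" rule, and the ephemeral-port limitation that motivates stateful filtering. The 10.0.0.0/8 address plan, the trusted DNS server and the sample packets are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless packet filter can see (constructed model)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    iface: str      # interface the packet arrived on: "outside" or "inside"
    ack: bool = False


INTERNAL = ip_network("10.0.0.0/8")             # constructed internal address plan
TRUSTED_DNS = {ip_address("198.51.100.53")}      # constructed trusted DNS server


def is_outside(p):
    return p.iface == "outside"


# Ordered rule list: first match wins, the most common traffic sits near the top,
# and a packet that matches no rule is denied.
RULES = [
    # Ingress anti-spoofing: an external packet must not carry an internal source.
    ("deny",  lambda p: is_outside(p) and ip_address(p.src) in INTERNAL),
    # Inbound port 53 only from known trusted DNS servers.
    ("allow", lambda p: is_outside(p) and p.dport == 53
                        and ip_address(p.src) in TRUSTED_DNS),
    ("deny",  lambda p: is_outside(p) and p.dport == 53),
    # Internal hosts may initiate anything outbound.
    ("allow", lambda p: p.iface == "inside" and ip_address(p.src) in INTERNAL),
    # The stateless limitation: replies come back to the client's ephemeral port
    # (>1024), so every such port must be held open for ACK-bearing TCP, and a
    # forged ACK to an idle port passes as well.
    ("allow", lambda p: is_outside(p) and p.proto == "tcp"
                        and p.dport > 1024 and p.ack),
]


def filter_packet(p: Packet) -> str:
    """Return "allow" or "deny" for one packet, default deny."""
    for action, matches in RULES:
        if matches(p):
            return action
    return "deny"
```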
Firewalls – Stateful Packet Filters
• Traditional packet filters do not examine higher layer
context
• i.e. matching return packets with outgoing flow
• Stateful packet filters address this need
• They examine each IP packet in context
• Keep track of client-server sessions
• Check each packet validly belongs to one
• Hence are better able to detect bogus packets out of
context
Stateful Filtering
Stateful Packet Inspection

• Stateful packet inspection uses the same fundamental packet screening technique that packet filtering does. In addition, it
examines the packet header information from the network layer of the OSI model to the application layer to verify that
the packet is part of a legitimate connection and the protocols are behaving as expected.
Stateful Packet Inspection Firewall

As packets pass through the firewall, packet header information is examined and fed into a dynamic state table where it is
stored. The packets are compared to pre-configured rules or filters and allow or deny decisions are made based on the
results of the comparison.

The data in the state table is then used to evaluate subsequent packets to verify that they are part of the same
connection.
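As an added example (not from the slides), a constructed Python model of the state table described above: a static rule set decides which new connections may be opened, the dynamic state table records them, and later packets are allowed only if they belong to a tracked connection. The address values and the "inside hosts may open TCP to web ports" policy are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    iface: str              # "inside" or "outside"
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    """Constructed model: a static policy admits NEW connections; a dynamic state
    table decides whether subsequent packets belong to one of them."""

    def __init__(self):
        self.state = {}     # (src, dst, proto, sport, dport) -> "SYN_SENT"/"ESTABLISHED"

    def new_connection_allowed(self, p: Packet) -> bool:
        # Constructed static policy: only inside hosts open connections, only TCP to web ports.
        return p.iface == "inside" and p.proto == "tcp" and p.dport in (80, 443)

    def process(self, p: Packet) -> str:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        entry = key if key in self.state else reverse if reverse in self.state else None
        if entry is not None:
            # Packet belongs to a tracked connection: allow it and advance the state.
            if p.fin or p.rst:
                del self.state[entry]                  # simplified teardown
            elif entry == reverse and p.syn and p.ack:
                self.state[entry] = "ESTABLISHED"      # server SYN/ACK completes the handshake
            return "allow"
        if p.syn and not p.ack and self.new_connection_allowed(p):
            self.state[key] = "SYN_SENT"               # client SYN opens a new entry
            return "allow"
        # Out of context: unsolicited ACK, SYN/ACK with no request, data after close.
        # A stateless filter holding ports >1024 open would pass these.
        return "deny"

    def tracked(self) -> int:
        return len(self.state)
```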
Stateful Packet Inspection Firewall

This method can make decisions based on one or more of the following:

• Source IP address
• Destination IP address
• Protocol type (TCP/UDP)
• Source port
• Destination port
• Connection state
Stateful Packet Inspection Firewall

[Diagram: trusted network, untrusted network, and a packet that is blocked or discarded by the firewall]

Stateful Packet Inspection
Strengths :

• Like packet filtering firewalls, have very little impact on network performance.

• More secure than basic packet filtering firewalls. Because stateful packet inspection digs deeper into the packet header
information to determine the connection state between endpoints.

• It usually has some logging capabilities. Logging can help identify and track the different types of traffic that pass through
the firewall.

Weaknesses

• Like packet filtering, stateful packet inspection does not break the client/server model and therefore allows a direct
connection to be made between the two endpoints

• Rules and filters in this packet screening method can become complex, hard to manage, prone to error and difficult to test.
Firewalls - Application Level Gateway (or Proxy)
Application Gateways/Proxies
Application-Level Filtering
• Has full access to protocol
• user requests service from proxy
• proxy validates request as legal
• then actions request and returns result to user
• Need separate proxies for each service
• E.g., SMTP (E-Mail)
• NNTP (Net news)
• DNS (Domain Name System)
• NTP (Network Time Protocol)
• custom services generally not supported
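As an added example (not part of the slides), a constructed Python model of an application-level gateway: one proxy per service, and the SMTP proxy has full access to the protocol, validates each request as legal (syntax and command order) before actioning it against the server, and returns the result. The simplified SMTP grammar, the stub backend and the responses are assumptions.

```python
import re

# Required order of the SMTP dialogue stages; QUIT is allowed at any point.
SMTP_STAGES = ["HELO", "MAIL", "RCPT", "DATA"]
SMTP_SYNTAX = {                                   # constructed, simplified grammar
    "HELO": re.compile(r"^HELO [A-Za-z0-9.-]+$"),
    "MAIL": re.compile(r"^MAIL FROM:<[^<>\s]*>$"),
    "RCPT": re.compile(r"^RCPT TO:<[^<>\s]+>$"),
    "DATA": re.compile(r"^DATA$"),
    "QUIT": re.compile(r"^QUIT$"),
}


class SmtpProxy:
    def __init__(self, backend):
        self.backend = backend   # callable standing in for the real mail server
        self.stage = -1          # index of the last accepted stage command

    def handle(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        pattern = SMTP_SYNTAX.get(verb)
        if pattern is None or not pattern.match(line):
            return "500 rejected by proxy: unknown or malformed command"
        if verb in SMTP_STAGES:
            idx = SMTP_STAGES.index(verb)
            if idx > self.stage + 1:             # e.g. DATA before any RCPT
                return "503 rejected by proxy: bad sequence of commands"
            self.stage = idx
        return self.backend(line)                # legal request: action it, return result


class ApplicationGateway:
    def __init__(self):
        # One proxy per supported service; a custom service has no proxy here.
        self.proxies = {"smtp": SmtpProxy(lambda cmd: f"250 OK ({cmd})")}

    def request(self, service: str, line: str) -> str:
        proxy = self.proxies.get(service)
        if proxy is None:
            return "service not supported: no proxy for " + service
        return proxy.handle(line)
```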
App-level Firewall Architecture

[Diagram: a Telnet daemon, an FTP daemon and an SMTP daemon sit on the network connection, each spawning its own Telnet proxy, FTP proxy or SMTP proxy]
Daemon spawns proxy when communication detected …
