Firewalls - PowerPoint PPT Presentation


1
Firewalls
The Arab Academy for Banking and Financial
Sciences
Security Technologies
  • Supervised By
  • Dr. Loai Tawalbeh
  • Done by
  • SHADI SAMARA
  • ALA AL_SAYYED

2
Aims and Objectives
  • Understand what a Firewall is and why it is
    needed
  • Advantages and Disadvantages of a Firewall
  • Different types of Firewall
  • Authentication techniques used by Firewalls
  • Different Configurations of Firewalls

3
What is Security?
  • The quality or state of being secure: to be free
    from danger
  • A successful organization should have multiple
    layers of security in place
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security

4
Characteristics of Information
  • The value of information comes from the
    characteristics it possesses
  • Availability
  • Accuracy
  • Authenticity
  • Confidentiality
  • Integrity
  • Utility
  • Possession

5
  • Physical Design
  • The physical design of an information security
    program is made up of two parts:
  • Security technologies
  • Physical security
  • The physical design process:
  • -Selects specific technologies.
  • -Identifies complete technical solutions based on
    these technologies (deployment, operations and
    maintenance elements).
  • -Designs physical security measures to support the
    technical solution.

6
  • Firewalls
  • A software or hardware component that restricts
    network communication between two computers or
    networks.
  • In buildings, a firewall is a fireproof wall
    that restricts the spread of a fire.
  • Network firewall prevents threats from spreading
    from one network to another
  • Prevent specific types of information from
    moving between the outside world (untrusted
    networks) and the inside world (trusted networks)
  • The firewall may be a separate computer system, a
    software service running on an existing router
    or server, or a separate network containing a
    number of supporting devices.

7
Internet Firewalls
8
The Internet Protocol Stack
9
What Firewalls do
  • Protects the resources of an internal network:
  • - Restrict external access.
  • - Log network activities.
  • - Intrusion detection
  • - DoS
  • - Act as intermediary
  • - Centralized security management
  • Carefully administer one firewall to control the
    Internet traffic of many machines.
  • Internal machines can be administered with less
    care.

10
Types of Firewalls (General)
  • Firewall types can be categorized depending on:
  • The function or methodology the firewall uses
  • Whether the communication is being done between a
    single node and the network, or between two or
    more networks.
  • Whether the communication state is being tracked
    at the firewall or not.

11
Types of Firewalls
  • 2. With regard to the scope of the filtered
    communications (whether they take place between a
    single node and the network, or between two or
    more networks), there exist:
  • Personal Firewalls, a software application which
    normally filters traffic entering or leaving a
    single computer.
  • Network firewalls, normally running on a
    dedicated network device or computer positioned
    on the boundary of two or more networks.

12
  • Firewall categorization methods
  • 1- The function or methodology the firewall uses
  • The five processing modes that firewalls can be
    categorized by are:
  • 1.  packet filtering
  • 2.  application gateways
  • 3.  circuit gateways
  • 4.  MAC layer firewalls
  • 5.  hybrids

13
  • 1- packet filtering
  • Examines the header information of data packets
    that come into a network.
  • A packet filtering firewall is installed on a
    TCP/IP-based network and determines whether to
    drop a packet or forward it to the next network
    connection based on the rules programmed in the
    firewall.
  • Packet filtering firewalls scan network data
    packets looking for violations of the rules in the
    firewall's rule database.
  • Filtering firewalls inspect packets at the
    network layer.
  • If the device finds a packet that matches a
    restriction, it stops the packet from traveling
    from one network to another.

14
Packet Filtering (cont)
  • Filters packet by packet, deciding to
    accept, deny or discard each packet based on
    configurable criteria (filter rule sets).
  • Typically stateless: they do not keep a table of
    the connection state of the various traffic that
    flows through them.
  • Not dynamic enough to be considered true
    firewalls.
  • Usually located at the boundary of a network.
  • Their main strengths are speed and
    flexibility.

15
  • There are three subsets of packet filtering
    firewalls:
  • -static filtering
  • -dynamic filtering
  • -stateful inspection
  • Static filtering
  • -requires that the filtering rules governing how
    the firewall decides which packets are allowed
    and which are denied are fixed in advance.
  • -This type of filtering is common in network
    routers and gateways.

16
  • Dynamic filtering
  • - allows the firewall to create rules to deal
    with events.
  • -This reaction could be positive, as in allowing
    an internal user to engage in a specific activity
    upon request, or negative, as in dropping all
    packets from a particular address.
  • Stateful inspection
  • -keeps track of each network connection
    between internal and external systems using a
    state table.
  • -A state table tracks the state and context
    of each packet in the conversation by recording
    which station sent what packet and when.
  • -More complex than their constituent
    component firewalls.
  • -Nearly all modern firewalls on the market
    today are stateful.

17
Stateful Inspection Firewalls
18
Basic Weaknesses Associated with Packet Filters /
Stateful
  • They cannot prevent attacks that employ
    application-specific vulnerabilities or
    functions.
  • Logging functionality present in packet filter
    firewalls is limited
  • Most packet filter firewalls do not support
    advanced user authentication schemes.
  • Vulnerable to attacks and exploits that take
    advantage of problems within the TCP/IP
    specification and protocol stack, such as network
    layer address spoofing.
  • Susceptible to security breaches caused by
    improper configurations.

19
Packet Filtering Summary
  • Advantages
  • One packet filter can protect an entire network
  • Efficient (requires little CPU)
  • Supported by most routers
  • Disadvantages
  • Difficult to configure correctly
  • Must consider rule set in its entirety
  • Difficult to test completely
  • Performance penalty for complex rulesets
  • Stateful packet filtering much more expensive
  • Enforces ACLs at layers 3 and 4, without knowing
    any application details

20
Packet Filtering Firewalls
  • The original firewall
  • Works at the network level of the OSI model
  • Applies packet filters based on access rules:
  • Source IP address
  • Destination IP address
  • Application or protocol
  • Source port number
  • Destination port number
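As an added example (not part of the original presentation), the following Python code implements a stateless packet filter of the kind described in slides 13 to 15 and 20: each rule matches on the arrival interface and the header fields listed above, and the first matching rule decides. The rule set also carries the anti-spoofing rule that slide 18 motivates (an external packet claiming an internal source address is dropped), and the last sample packet shows the limitation of being stateless: the reply to an outbound connection has no rule of its own and falls to the default deny. All addresses, interface names and rules are constructed for the example.

```python
"""Stateless packet filter driven by a first-match rule set (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "ext" (Internet) or "int" (inside)
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int = 0      # source port (0 for protocols without ports)
    dport: int = 0      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    iface: Optional[str] = None   # None means "any" for this and every field below
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR prefix, e.g. "192.0.2.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: Sequence[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule decides; if nothing matches, the default (deny) applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed addresses from the documentation ranges; the trusted side is 192.0.2.0/24.
INTERNAL = "192.0.2.0/24"

# The rule set is read top to bottom, so order matters: the anti-spoofing rule
# comes first so that no later "accept" can match a forged internal source.
RULES: List[Rule] = [
    Rule("deny", iface="ext", src=INTERNAL),                                  # anti-spoofing
    Rule("accept", iface="ext", proto="tcp", dst="192.0.2.80/32", dport=80),  # public web server
    Rule("accept", iface="ext", proto="tcp", dst="192.0.2.25/32", dport=25),  # mail server
    Rule("accept", iface="int", src=INTERNAL),                                # anything outbound
]

# Constructed sample traffic, with the decision a practitioner would expect.
SAMPLES: List[Packet] = [
    Packet("ext", "tcp", "192.0.2.9", "192.0.2.80", 3333, 80),       # forged internal source -> deny
    Packet("ext", "tcp", "198.51.100.5", "192.0.2.80", 51000, 80),   # web request -> accept
    Packet("ext", "tcp", "198.51.100.5", "192.0.2.80", 51001, 22),   # SSH to web server -> deny
    Packet("int", "tcp", "192.0.2.10", "198.51.100.5", 40000, 443),  # outbound HTTPS -> accept
    Packet("ext", "tcp", "198.51.100.5", "192.0.2.10", 443, 40000),  # reply to it -> deny (stateless)
]


def decisions(rules: Sequence[Rule] = RULES, packets: Sequence[Packet] = SAMPLES) -> List[str]:
    """Run every sample packet through the rule set and collect the verdicts."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, decisions()):
        print(f"{p.iface:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The last sample is the practical reason stateless rule sets end up with a broad "accept anything to high ports" rule, which is exactly the kind of hole stateful inspection removes.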

21
Packet Filtering Firewalls
22
  • 2- application gateways
  • An application gateway is also known as a proxy
    server, since it runs special software that acts
    as a proxy for a service request.
  • One common example of a proxy server is a firewall
    that blocks requests for, and responses to
    requests for, web pages and services from the
    internal computers of an organization.
  • The primary disadvantage of application level
    firewalls is that they are designed for
    specific protocols and cannot easily be
    reconfigured to protect against attacks in other
    protocols.
  • Application firewalls work at the application
    layer.

23
Application/Proxy Servers ..cont
  • Filters packets on application data as well as on
    IP/TCP/UDP fields.
  • The interaction is controlled at the application
    layer.
  • A proxy server is an application that mediates
    traffic between two network segments.
  • With the proxy acting as mediator, the source and
    destination systems never actually connect.
  • Filtering hostile code: proxies can analyze the
    payload of a packet of data and decide whether
    this packet should be passed or dropped.
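The following Python code is an added example (not part of the original presentation) of the application-level decision a proxy makes and a packet filter cannot: every sample request below arrives on TCP port 80, which is all a layer 3/4 filter sees, yet the proxy parses the HTTP request line and headers and passes or drops on method, Host header and well-formedness. The allowed hosts, the method list and the sample requests are constructed policy and data for the example.

```python
"""Application-level (proxy) filtering of an HTTP request head (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed policy for the example: which methods and destination hosts the proxy relays.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "updates.example.net"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]   # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of an HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")   # non-ASCII raises UnicodeDecodeError
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return Request(parts[0], parts[1], parts[2], headers)


def proxy_decision(raw: bytes) -> Tuple[str, str]:
    """Return ("pass" | "drop", reason) based on application data, not IP/TCP fields."""
    try:
        req = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "drop", f"unparseable request: {exc}"
    if req.version not in ("HTTP/1.0", "HTTP/1.1"):
        return "drop", "unsupported protocol version"
    if req.method not in ALLOWED_METHODS:
        return "drop", f"method {req.method} not permitted"
    host = req.headers.get("host")
    if host is None:
        return "drop", "missing Host header"
    if host.split(":")[0] not in ALLOWED_HOSTS:
        return "drop", f"host {host} not in allow list"
    return "pass", "policy satisfied"


# Constructed sample request heads; to a packet filter all five are "TCP to port 80".
SAMPLES: Dict[str, bytes] = {
    "allowed": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "badhost": b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n",
    "connect": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "nohost":  b"GET / HTTP/1.1\r\n\r\n",
    "garbage": b"\xff\xfe not an http request",
}


def classify_samples() -> Dict[str, str]:
    """Map each sample name to the proxy's verdict."""
    return {name: proxy_decision(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = proxy_decision(raw)
        print(f"{name:>8}: {verdict:<4} ({reason})")
```

Because the proxy terminates the client's connection and opens its own to the server, a request that fails parsing never reaches the destination at all, which is what "the source and destination systems never actually connect" means in practice.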

24
Application/Proxy Servers ..cont
25
Application/Proxy Servers ..cont
  • No proxy, no Internet application
  • Typical proxies include
  • FTP
  • SMTP, POP3
  • Telnet
  • DNS
  • HTTP

26
Application/Proxy Servers ..cont
  • Advantages
  • Extensive logging capability
  • Allow security enforcement of user
    authentication.
  • Less vulnerable to address spoofing attacks.
  • Disadvantages
  • Complex configuration.
  • Limited in terms of support for new network
    applications and protocols.
  • Speed!

27
  • 3- circuit gateways
  • Operate at the transport layer.
  • Connections are authorized based on addresses;
    they prevent direct connections between one
    network and another.
  • They accomplish this prevention by creating
    channels connecting specific systems on each side
    of the firewall and then allowing only authorized
    traffic.

28
circuit gateways ..cont
  • Relays two TCP connections (session layer)
  • Imposes security by limiting which such
    connections are allowed
  • Once created, usually relays traffic without
    examining contents
  • Monitors handshaking between packets to decide
    whether the traffic is legitimate
  • Typically used when internal users are trusted,
    by allowing general outbound connections
  • SOCKS is commonly used for this

29
Circuit Level Firewalls Example
30
circuit gateways ..cont
Disadvantages
  • Individual packets are not filtered.
  • Access control mechanisms are needed, since
    logs can't catch all the abuses.
  • Time limit on how long ports will last.
  • List of permissible outside calls to the port.
  • The other big problem is the need to provide new
    client programs.
  • Code change issues include availability of
    application source code for various platforms,
    version control, distribution and more.

31
  • 4- MAC layer firewalls
  • Designed to operate at the media access control
    layer.
  • Using this approach, the MAC addresses of specific
    host computers are linked to ACL entries that
    identify the specific types of packets that can
    be sent to each host, and all other traffic is
    blocked.

32
  • 5- Hybrid firewalls
  • Combine the elements of other types of
    firewalls, for example the elements of packet
    filtering and proxy services, or of packet
    filtering and circuit gateways.
  • That means a hybrid firewall may actually consist
    of two separate firewall devices, each a separate
    firewall system, but connected so that they work
    together.

33
General Performance
34
Types of Firewalls
  • 3. Finally, depending on whether the firewall
    keeps track of the state of network connections
    or treats each packet in isolation, two
    additional categories of firewalls exist:
  • Stateful firewall
  • Stateless firewall

35
Types of Firewalls ..cont
  • Stateful firewall
  • Keeps track of the state of network connections
    (such as TCP streams) traveling across it.
  • A stateful firewall is able to hold in memory
    significant attributes of each connection, from
    start to finish. These attributes, which are
    collectively known as the state of the
    connection, may include such details as the IP
    addresses and ports involved in the connection
    and the sequence numbers of the packets
    traversing the connection.

36
Types of Firewalls ..cont
  • Stateless firewall
  • Treats each network frame (Packet) in
    isolation. Such a firewall has no way of knowing
    if any given packet is part of an existing
    connection, is trying to establish a new
    connection, or is just a rogue packet.
  • The classic example is the File Transfer
    Protocol, because by design it opens new
    connections to random ports.
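As an added example (not part of the original presentation) covering both the state table of slide 16 and the stateful/stateless contrast of slides 35 and 36, the Python code below keeps a connection table keyed by the initiator's 4-tuple, lets inside hosts open connections, and accepts packets from the outside only when they belong to an existing entry. It also shows why FTP is the classic problem case: in active mode the server opens a new connection back to a port the client announced in a PORT command, so a packet-level state table alone would deny it. A small FTP helper reads that command on the control channel and pre-authorises exactly that one inbound connection. The TCP life cycle is simplified to the flags shown, and the client, server and port numbers are constructed for the trace.

```python
"""Stateful inspection: a connection state table plus an FTP helper (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # "int" = arrived from the trusted side, "ext" = from the untrusted side
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN
    payload: str = ""   # application data; only the FTP helper looks at it


# A connection is keyed from the initiator's point of view: (src, sport, dst, dport).
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    """Policy: inside may open connections; outside may only answer, or use a helper-approved port."""

    def __init__(self, ftp_helper: bool = True) -> None:
        self.state: Dict[Key, str] = {}   # the state table: connection -> state name
        self.expected: Set[Key] = set()   # inbound connections pre-authorised by a helper
        self.ftp_helper = ftp_helper

    @staticmethod
    def _parse_port_cmd(payload: str) -> Optional[Tuple[str, int]]:
        """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port), or None."""
        if not payload.startswith("PORT "):
            return None
        try:
            nums = [int(x) for x in payload[5:].strip().split(",")]
        except ValueError:
            return None
        if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
            return None
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

    def _advance(self, key: Key, flags: str) -> None:
        """Move an entry along a (simplified) TCP life cycle."""
        if flags == "SA" and self.state[key] == "SYN_SENT":
            self.state[key] = "ESTABLISHED"
        elif "F" in flags:
            self.state[key] = "CLOSING"

    def process(self, p: Packet) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)   # p comes from the connection's initiator
        rev: Key = (p.dst, p.dport, p.src, p.sport)   # p is a reply towards the initiator
        if fwd in self.state or rev in self.state:
            self._advance(fwd if fwd in self.state else rev, p.flags)
            # FTP helper: an inside client announcing its data port on the control channel
            if self.ftp_helper and p.iface == "int" and p.dport == 21:
                hint = self._parse_port_cmd(p.payload)
                if hint is not None:
                    self.expected.add((p.dst, 20, hint[0], hint[1]))   # server:20 -> client:port
            return "accept"
        if p.flags == "S" and (p.iface == "int" or fwd in self.expected):
            self.expected.discard(fwd)
            self.state[fwd] = "SYN_SENT"
            return "accept"
        return "deny"   # no state and no expectation: an unsolicited or rogue packet


def ftp_active_scenario(ftp_helper: bool) -> List[str]:
    """Constructed trace: inside client 192.0.2.10 uses FTP server 203.0.113.7 in active mode."""
    fw = StatefulFirewall(ftp_helper)
    client, server = "192.0.2.10", "203.0.113.7"
    trace = [
        Packet("int", client, 40001, server, 21, "S"),                  # control channel opens
        Packet("ext", server, 21, client, 40001, "SA"),                 # server answers
        Packet("int", client, 40001, server, 21, "A",
               "PORT 192,0,2,10,19,137"),                               # data port 19*256+137 = 5001
        Packet("ext", server, 20, client, 5001, "S"),                   # server opens the data channel
        Packet("int", client, 5001, server, 20, "SA"),                  # client answers on it
        Packet("ext", server, 20, client, 5002, "S"),                   # SYN to a port never announced
        Packet("ext", "198.51.100.9", 443, client, 40002, "SA"),        # reply with no matching state
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print("with FTP helper:   ", ftp_active_scenario(True))
    print("without FTP helper:", ftp_active_scenario(False))
```

Without the helper the data channel is denied (decisions 4 and 5), which is the behaviour slide 36 attributes to a firewall that does not understand the application; with it, only the single announced port is opened, and the unannounced port and the stray reply are still denied. A stateless filter has no table at all and would have to choose between denying FTP data transfers and permanently opening a range of high ports.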

37
Network Address Translation (NAT)
  • - NAT has existed for a relatively short period of
    time; now NAT is part of every firewall.
  • -Developed in response to two major issues in
    network engineering and security:
  • First, network address translation is an
    effective tool for hiding the network-addressing
    schema present behind a firewall environment.
  • Second, the depletion of the IP address space has
    caused some organizations to use NAT for mapping
    non-routable IP addresses to a smaller set of
    legal addresses.

38
Network Address Translation ..cont
  • NAT goals
  • Allow use of internal IP-addresses
  • Hide internal network structure
  • Disable direct internet connections
  • NAT-types
  • Dynamic
  • For connections from inside to outside
  • There may be fewer outside addresses than
    internal addresses
  • Static
  • For connections from outside to specific
    servers inside
  • One-to-one address mapping (fixed)
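As an added example (not part of the original presentation), the Python code below implements the two NAT types just listed: dynamic translation for inside-to-outside connections, where many internal hosts share one public address and the firewall allocates a distinct public port per connection, and static one-to-one mapping for a server that must be reachable from outside. The inbound path also shows the "hide internal network structure" goal in action: an outside packet that matches no mapping is dropped rather than forwarded. The private network, public addresses and port pool are constructed for the example.

```python
"""Dynamic (port-translating) and static NAT on a firewall's public address (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Inside hosts use private addresses; the outside world sees only the public ones."""

    def __init__(self, public_ip: str, static: Dict[str, str],
                 port_pool: Tuple[int, int] = (1024, 65535)) -> None:
        self.public_ip = public_ip
        self.static_out = dict(static)                          # internal ip -> public ip (one-to-one)
        self.static_in = {pub: priv for priv, pub in static.items()}
        self.dyn_out: Dict[Endpoint, Endpoint] = {}             # (private ip, port) -> (public ip, port)
        self.dyn_in: Dict[Endpoint, Endpoint] = {}              # the reverse of dyn_out
        self.next_port, self.last_port = port_pool

    def outbound(self, p: Pkt) -> Pkt:
        """Rewrite the source of a packet leaving the trusted network."""
        if p.src in self.static_out:                            # static: fixed address, port untouched
            return Pkt(self.static_out[p.src], p.sport, p.dst, p.dport)
        key = (p.src, p.sport)
        if key not in self.dyn_out:                             # dynamic: allocate a public port
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.dyn_out[key] = pub
            self.dyn_in[pub] = key
        pub_ip, pub_port = self.dyn_out[key]
        return Pkt(pub_ip, pub_port, p.dst, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Rewrite the destination of a packet arriving from outside; None means no mapping (drop)."""
        if p.dst in self.static_in:                             # static: servers reachable from outside
            return Pkt(p.src, p.sport, self.static_in[p.dst], p.dport)
        key = (p.dst, p.dport)
        if key in self.dyn_in:                                  # dynamic: only replies to live mappings
            priv_ip, priv_port = self.dyn_in[key]
            return Pkt(p.src, p.sport, priv_ip, priv_port)
        return None


def demo() -> List[Optional[Pkt]]:
    """Constructed traffic: two inside hosts share one public address; one server is statically mapped."""
    nat = Nat("198.51.100.1", static={"10.0.0.25": "198.51.100.25"})
    out_a = nat.outbound(Pkt("10.0.0.11", 5000, "203.0.113.80", 80))       # host A
    out_b = nat.outbound(Pkt("10.0.0.12", 5000, "203.0.113.80", 80))       # host B, same source port
    reply_b = nat.inbound(Pkt("203.0.113.80", 80, out_b.src, out_b.sport))  # answer to host B
    unsolicited = nat.inbound(Pkt("203.0.113.9", 4444, "198.51.100.1", 1026))   # no mapping -> dropped
    to_server = nat.inbound(Pkt("203.0.113.9", 52000, "198.51.100.25", 25))     # static mapping
    return [out_a, out_b, reply_b, unsolicited, to_server]


if __name__ == "__main__":
    for label, result in zip(["host A out", "host B out", "reply to B", "unsolicited", "to server"], demo()):
        print(f"{label:>11}: {result}")
```

Hosts A and B both use source port 5000, so the public port (1024 versus 1025) is the only thing that tells their replies apart; that per-connection table is why dynamic NAT is described as only suitable for connections from inside to outside.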

39
Network Address Translation ..cont
40
Firewall Configurations or (Architecture)
  • Packet Filtering Router
  • Dual Homed Gateway
  • Screened Host Gateway (bastion host )
  • Screened Subnet Gateway or Demilitarized Zone
    (DMZ)
  • Firewall Appliance

41
Packet Filtering Router
  • A packet filtering router is a router configured
    to screen packets between two networks. It routes
    traffic between the two networks and uses packet
    filtering rules to permit or deny traffic.
    Implementing security with a router is usually
    not that easy. Most routers were designed to
    route traffic, not to provide firewall
    functionality, so the command interface used for
    configuring rules and filters is neither simple
    nor intuitive.

42
Dual Homed Gateway
  • This is a secure firewall design comprising an
    application gateway and a packet filtering
    router. It is called dual homed because the
    gateway has two network interfaces, one attached
    to the Internet, the other to the organization's
    network. Only applications with proxy services on
    the application gateway are able to operate
    through the firewall. Since IP forwarding is
    disabled in the host, IP packets must be directed
    to one of the proxy servers on the host, or be
    rejected. Some manufacturers build the packet
    filtering capability and the application proxies
    into one box, thereby simplifying the design (but
    removing the possibility of having an optional
    info server and modems attached to the screened
    subnet).
  • The disadvantages of the dual homed gateway are
    that it may be a bottleneck to performance, and it
    may be too secure for some sites (!) since it is
    not possible to let trusted applications bypass
    the firewall and communicate directly with peers
    on the Internet. They must have a proxy service in
    the firewall.

43
Dual Homed Gateway ..cont
  • A dual-homed gateway typically sits behind the
    gateway (usually a router) to the untrusted
    network and most often is a host system with two
    network interfaces. Traffic forwarding on this
    system is disabled, thereby forcing all traffic
    between the two networks to pass through some
    kind of application gateway or proxy. Only
    gateways or proxies for the services that are
    considered essential are installed on the system.
    This particular architecture will usually require
    user authentication before access to the
    gateway/proxy is allowed. Each proxy is
    independent of all other proxies on the host
    system.

44
Screened Host Gateway (bastion host )
  • The screened host gateway is similar to the
    above, but more flexible and less secure, since
    trusted traffic may pass directly from the
    Internet into the private network, thereby
    bypassing the application gateway. In this design
    the application gateway only needs a single
    network connection.
  • The IP router will normally be configured to pass
    Internet traffic to the application gateway or to
    reject it. Traffic from the corporate network to
    the Internet will also be rejected, unless it
    originates from the application gateway. The only
    exception to these rules will be for trusted
    traffic that will be allowed straight through.

45
Screened Host Gateway ..cont
  • The screened host, or bastion host, is typically
    located on the trusted network, protected from
    the untrusted network by a packet filtering
    router. All traffic coming in through the packet
    filtering router is directed to the screened
    host. Outbound traffic may or may not be directed
    to the screened host. This type of firewall is
    most often software based and runs on a
    general-purpose computer that is running a secure
    version of the operating system. Security is
    usually implemented at the application level.

46
Screened Host Gateway ..cont
  • highly secure host system
  • potentially exposed to "hostile" elements
  • hence is secured to withstand this
  • may support 2 or more net connections
  • may be trusted to enforce trusted separation
    between network connections
  • runs circuit / application level gateways
  • or provides externally accessible services

47
Screened Subnet Gateway
  • This configuration creates a small isolated
    network between the Internet and the corporate
    network, which is sometimes referred to as the
    demilitarised zone (DMZ).
  • The advantages of this configuration are that
    multiple hosts and gateways can be stationed in
    the DMZ, thereby achieving a much greater
    throughput to the Internet than the other
    configurations, plus the configuration is very
    secure as two packet filtering routers are there
    to protect the corporate network.
  • The IP router on the Internet side will only let
    through Internet traffic that is destined for a
    host in the DMZ (and vice versa). The IP router on
    the corporate network side will only let site
    traffic pass to a host in the DMZ (and vice
    versa).
  • This system is as secure as the dual homed
    gateway, but it is also possible to allow trusted
    traffic to pass straight through the DMZ if
    required. This configuration is of course more
    expensive to implement!

48
Screened Subnet Gateway ..cont
  • A screened subnet or DMZ is typically created
    between two packet filtering routers. When using
    this architecture, the firewall solution is
    housed on this screened subnet segment along with
    any other services available to the untrusted
    network. Conceptually, this architecture is
    similar to that of a screened host, except that
    an entire network rather than a single host is
    reachable from the outside

49
Firewall Appliance
  • A firewall appliance typically sits behind the
    gateway (usually a router) to the untrusted
    network. This architecture resembles the packet
    filtering router and dual-homed Gateway
    architectures in that all traffic must pass
    through the appliance. In most instances these
    appliances come pre-configured on their own box.
    They may also have other services built in, such
    as Web servers and e-mail servers. Because they
    usually don't need the extensive configuration
    that other firewalls often require, they are
    touted as being much simpler and faster to use.
    Some manufacturers market them as "plug-and-play"
    firewall solutions

50
Firewall Appliance ..cont
  • For some networks, implementing more than one
    firewall solution may be a more effective option.
    For example, implement a packet filtering router
    at the entrance to the network for perimeter
    security and then configure an application
    gateway for a specific department or building.
    This type of solution would not only protect the
    trusted network from the outside, but would also
    protect a specific department or building from
    unauthorized users on the trusted network

51
Network Configuration Examples
  • Protected Private Network
  • Semi-Militarised Zone
  • Private LAN stays secure

52
Protected Private Network
  • Allow all access from the private network to the
    Internet.
  • Deny all access from the Internet to the private
    network.

53
Semi-Militarised Zone
54
Private LAN stays secure
55
Advantages of a Firewall
  • Stop incoming calls to insecure services such as
    rlogin and NFS
  • Control access to other services
  • Control the spread of viruses
  • Cost effective
  • More secure than securing every system

56
Disadvantages of a Firewall
  • Central point of attack
  • Restrict legitimate use of the Internet
  • Bottleneck for performance
  • Does not protect the back door
  • Cannot always protect against smuggling
  • Cannot prevent insider attacks

57
Firewalls have weaknesses
  • Some security hackers boast that there is not a
    single firewall that they cannot penetrate.
  • They cannot keep out data carried inside
    applications, such as viruses within email
    messages.
  • Although firewalls provide a high level of
    security in today's private networks to the
    outside world, we still need the assistance of
    other related security components in order to
    guarantee proper network security.

58
  • Firewalls categorized by development generation
  • First generation firewalls are static packet
    filtering firewalls.
  • Second generation firewalls are
    application-level firewalls or proxy services.
  • Third generation firewalls are stateful
    inspection firewalls.
  • Fourth generation firewalls are dynamic packet
    filtering firewalls, which allow only a particular
    packet with a particular source, destination, and
    port address to enter.
  • Fifth generation firewalls are kernel proxies.

59
  • Selecting the right firewall
  • The most important consideration is the extent to
    which the firewall design provides the desired
    protection.
  • What type of firewall technology offers the right
    balance between protection and cost for the needs
    of the organization?
  • How easy is it to set up and configure the
    firewall?
  • The second most important issue is cost.

60
Selecting Firewall Solution
  • In order to pick the best architecture and packet
    screening method for a firewall solution, the
    following questions should be considered
  • What does the firewall need to do?
  • What additional services would be desirable?
  • How will it fit in the existing network?
  • How will it affect existing services and users?

61
Firewall Products Classification
  • H/W Platform
  • -Linux, Solaris, Windows systems
  • -Proprietary (Nokia-Box, Cisco PIX)
  • Software
  • -Checkpoint FireWall-1 (FW-1)
  • -NetGuard Guardian
  • Perimeter Firewall
  • -Checkpoint
  • -PIX
  • -Sun SPF
  • Stand Alone Box (Appliance)
  • - Satic Wall
  • - Watch Guard FireBox
  • - Netscreen
  • Personal Firewall
  • BlackICE
  • Zone Alarm

62
References
  • Steven Bellovin, Security Problems in the TCP/IP
    Protocol Suite, Computer Communication Review,
    Vol. 19, No. 2, pp. 32-48, April 1989.
  • Matt Bishop, Introduction to Computer Security,
    Addison-Wesley, 2005.
  • William Cheswick, Steven Bellovin, and Aviel
    Rubin, Firewalls and Internet Security, 2nd
    edition, 2003.
  • Fyodor, The Art of Port Scanning,
    http://www.insecure.org/nmap/nmap_doc.html
  • Fyodor, NMAP man page,
    http://www.insecure.org/nmap/data/nmap_manpage.html

63
THANK YOU
THE END