Firewall: Seminar On

The document discusses firewalls, including: what a firewall is and its purpose of isolating private networks from public ones; the main types of firewalls and their modes of operation; where firewalls should be situated; what threats firewalls protect against; important design and implementation considerations; factors for evaluating firewall solutions; and examples of popular hardware and software firewalls.

Uploaded by

Sachin Goyal
Copyright
© Attribution Non-Commercial (BY-NC)

Seminar On

FIREWALL

JSS MAHAVIDYAPEETHA
JSS ACADEMY OF TECHNICAL EDUCATION
NOIDA

Department of Computer Science and Engineering

SUBMITTED BY:

SACHIN GOYAL
ROLL NO-0809110422
CONTENTS:

▪ What is a firewall?
▪ Types of firewall
▪ Modes of operation
▪ Where should a firewall be situated?
▪ What a firewall protects us from
▪ Design and implementation issues
▪ Evaluating a firewall solution
▪ Popular hardware and software firewalls
▪ Case study
▪ References

1. What is a Firewall?
A firewall is a system that implements and enforces an access control (or
security) policy between two networks; it usually guards an internal
private network from an external public one, isolating an intranet from
the Internet. Essentially a firewall connects two or more networks but
only allows specified forms of traffic to flow between them. The firewall
is a means by which a security policy can be enforced.
A security policy defines general security principles for a site. In
general, it will state what standards, guidelines and practices should be
adhered to. It need not go into specific detail, but may specify policies
such as “e-mail may only be delivered into the site to e-mail servers
maintained by authorised systems support staff”. The trick is choosing
the right policy for the right environment. Some degree of flexibility is
required such that a site’s users can continue to work and exchange
information with remote sites.

2. Types of Firewall
There have historically been two main types of firewall; application
layer and network layer:

1. Application layer firewalls implement a proxy server for each
service required. A proxy is a server that enables connections between a
client and server, such that the client talks to the proxy, and the proxy to
the server on behalf of the client. They prevent traffic from passing
directly between networks, and as the proxies are often implemented for
a specific protocol they are able to perform sophisticated logging and
auditing of the data passing through them.
A disadvantage of application layer firewalls is that a proxy must exist
for each protocol that you wish to pass through the firewall; if one does
not exist then that protocol cannot be used.
Some protocols, such as SMTP for e-mail, are natural proxies. Others,
such as FTP for file transfer, are not.
2. Network layer firewalls make decisions on whether to allow or
disallow individual Internet Protocol (IP) packets to pass between the
networks. IP is the protocol by which almost all data is routed around
the Internet. IP connections rely on a unique source and destination IP
address for the communicating hosts. TCP layer port numbers (the
“application layer endpoints”) are also readily available to a network
layer firewall. For example, port 25 is the agreed port number for SMTP
e-mail transfer. The firewall can make filtering decisions based on the IP
and port number values. This type of firewall can be very flexible.
However the added complexity increases the risk of security holes
through misconfiguration.
Modern firewall architectures tend to lie somewhere between these two
firewall types. "Stateful inspection" techniques allow network layer
firewalls to parse IP packets more fully (by looking inside the packet to
the embedded TCP layer data) and to keep track of individual
connections. In doing so they allow comprehensive logging and auditing
to occur. Additionally, many firewall solutions provide application
proxies for some protocols, while handling others through a packet
filtering system.
Some firewalls, such as Sunscreen EFS3 [SUNEFS3], can operate in a
stealth mode. In doing so they present no targetable IP address to
internal or external hosts. The firewall acts similarly to a layer 2 switch
– it does not route packets but can filter based on IP addresses and
interfaces.
TCP layer proxies also exist for relaying connections between an
internal and external network.
An example of such a proxy is SOCKS [NECSOCK], currently at
version 5 [RFC1928]. SOCKS can be used in situations where enabling
full access to a host inside your network is undesirable.
For example, in the case of the ICQ chat system, by acting as a “smart”
relay the external host will interact with the (secure) SOCKS gateway
and not the (relatively vulnerable) client host. This allows the client to
receive data without the need to open up permanent “holes” in the
firewall.
The very latest firewalls offer layer 4 (transport) and 5 (application)
filtering or switching abilities, e.g. the ability to switch data based on
Web browser cookie content. However, the principles of firewall
deployments described in this report remain the same. Protocols such as
FTP, HTTP (Web) and SMTP (e-mail) may be intercepted by a firewall
(e.g. Firewall-1) and “vectored” intelligently to a separate process (on a
separate server) for filtering. The Content Vectoring Protocol (CVP)
[CVP] is Check Point’s open protocol by which application layer
content can be passed to a server for processing; one typical use is e-
mail virus scanning by a cooperating product such as InterScan
VirusWall [ISVW].

3. Modes of operation
There are two very distinct and different modes for network firewalls to
operate in.

1. Default allow firewalls allow all traffic in and out of a site. Some
specified services may be blocked on the firewall, but all others can
freely pass through.

2. Default deny firewalls block all traffic in or out of a site (though
commonly they only block inbound, rather than outbound, traffic). Only
named services are allowed to pass through the firewall.
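The two modes above, together with the stateful inspection described in section 2, as an added example (not code from the seminar report): a small Python filter that tracks the TCP connections it admits and applies either a default-allow or a default-deny policy to new inbound connections. The hosts, ports and packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface it arrived on: "int" (inside) or "ext" (Internet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN (new connection), "SA" = SYN/ACK, "A" = ACK or data


class StatefulFirewall:
    """Network-layer filter that also tracks the TCP connections it admits.

    mode="allow": default allow; `services` are the ports blocked inbound.
    mode="deny":  default deny; `services` are the only ports admitted inbound.
    Default-deny sites commonly block only inbound traffic, so new outbound
    connections are admitted in both modes.
    """

    def __init__(self, mode, services):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.services = set(services)
        self.state = set()   # admitted connections, keyed independent of direction
        self.log = []        # (verdict, reason, packet) for auditing

    @staticmethod
    def _key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def _inbound_policy(self, p):
        if self.mode == "allow":
            return p.dport not in self.services
        return p.dport in self.services

    def filter(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and record the decision."""
        key = self._key(p)
        if key in self.state:
            verdict, why = "ACCEPT", "established connection"
        elif p.flags != "S":
            # A SYN/ACK or data packet with no tracked connection: a stray or
            # forged "reply" that a stateless filter would have let through.
            verdict, why = "DROP", "no matching connection state"
        elif p.iface == "int" or self._inbound_policy(p):
            self.state.add(key)
            verdict, why = "ACCEPT", "new connection permitted by policy"
        else:
            verdict, why = "DROP", "new inbound connection denied by policy"
        self.log.append((verdict, why, p))
        return verdict


def demo():
    """Run the same constructed traffic through both modes; return verdicts."""
    inside, mail = "10.0.0.5", "10.0.0.25"
    web, evil = "192.0.2.10", "198.51.100.7"
    deny = StatefulFirewall("deny", services={25})    # only SMTP admitted inbound
    allow = StatefulFirewall("allow", services={23})  # only telnet blocked inbound
    traffic = [
        Packet("ext", web, 4000, mail, 25, "S"),      # SMTP to the mail server
        Packet("ext", web, 4001, inside, 23, "S"),    # telnet to a workstation
        Packet("int", inside, 40000, web, 80, "S"),   # a user browses the web
        Packet("ext", web, 80, inside, 40000, "SA"),  # the server's reply
        Packet("ext", evil, 80, inside, 40001, "A"),  # forged reply, no state
        Packet("ext", web, 4002, inside, 8080, "S"),  # unlisted inbound service
    ]
    return {"deny": [deny.filter(p) for p in traffic],
            "allow": [allow.filter(p) for p in traffic]}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

Only the last packet, a new inbound connection to a service the policy does not name, is decided differently by the two modes; the forged reply is dropped by both because neither has state for it.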

4. Where should a Firewall be situated?


Most networks will have a single point of presence on the network
through which they connect to the Internet. For a campus site, that is
typically the router (backbone edge node or BEN) through which they
attach to JANET. For a department, it may be their link to the campus
network, though in many cases a department may be spread across many
buildings.
In the case where a router is used, it may be possible to run a firewall on
that router (e.g. on a Cisco router running IOS and a Firewall-1 module,
or within a Cisco router itself [CISCOR]). It may be possible to also run
an IDS on the router. If a router solution is not possible, or if the router
is unable to meet the processing and logging/management requirements
of a high-capacity firewall, then a separate dedicated system can be
used.

[Figure: A traditional DMZ topology]

5. What a firewall protects us from

▪ Remote login
▪ Application backdoors
▪ Operating system bugs
▪ Denial of service
▪ Email bombs
▪ Viruses
▪ Spam
▪ Trojans
▪ …

6. Design and implementation issues


When addressing secure network connectivity, administrators need
to consider the following:
▪ Security: Employees not only work from corporate offices, but also
from branch offices, home offices and the road. Providing remote
connectivity requires solutions that are secure, standards-based and
manageable.
▪ Management complexity: Many vendors offer dedicated product
solutions with little integration with other products and
infrastructure. Setting up wireless clients with centralised
authentication and policies can be a challenge unless there are
integrated solutions.
▪ Lowering cost: Secure networking can be expensive if there are
multiple products and technologies with separate licensing, support
contracts and training. For example, a secure VPN implementation
might require a separate certificate authority for PKI, a separate
authentication model, client-side software, and additional server
gateways and firewalls.

7. Evaluating a Firewall Solution


There are many yardsticks against which a firewall system can be
measured. We discuss these in this section, with the aim of generalising
the selection criteria for a firewall system, rather than discussing
specifics of individual systems. This will hopefully make the criteria
relevant for those considering a firewall deployment in the future.
7.1 Cost
When putting together a firewall system, it is worth remembering that
the cost involved does not end with the hardware and software
purchases; there may also be costs involved concerning the installation
of the system and the training of the firewall administrators.
Additionally, there are likely to be ongoing costs associated with
external support and internal administration of the firewall, as regular
policy reviews and security audits are recommended. There is little point
in operating a firewall that has not been recently updated with the latest
security fixes and patches (it is worth noting that even a market leader
such as Firewall-1 v4.0 has had five service packs released for it).
It is also prudent to investigate exactly which features are included as
standard with a firewall product, and which are only available at extra
cost, or even not at all.
The purchase cost will vary from nothing for the likes of Linux ipchains,
to tens of thousands of pounds for high-throughput silicon firewalls.
Educational discounts are available on some products, e.g. through
CHEST [CHEST], where ESOFT [ESOFT] resell Firewall-1. ECS
originally bought Firewall-1 from CenturyCom [CCOM], but then
discovered that CenturyCom had stopped their educational discount. We
thus renewed our maintenance and support contract through ESOFT.
However, consider what may happen if the ESOFT deal with CHEST is
discontinued – ongoing support costs may rise as a result.

7.2 Functionality
The functionality of a firewall solution is perhaps the most important
criterion for evaluation; does a chosen solution fully meet your current
and predicted requirements? You should have a growth plan for your
network. Will your firewall still work three years from now? You might
want to run the same software product but on different or upgraded
physical hardware (e.g. to meet rising bandwidth usage). The lifecycles
of network equipment for Internet connections are fairly short, so you
should make sure that the basic architecture that you put in place is
likely to be viable in the long term.
Note that every feature the firewall has that is not being used adds an
extra unnecessary risk, in that it can be targeted by a potential attacker.
This might be unused functionality on the operating system of a software
firewall (e.g. Windows NT or Solaris), or unused hardware, such as a
hard disk in a floppy-based firewall such as the GNAT Box.
General firewall references on the net that have already been mentioned
carry useful pointers to factors to consider. Two other good references
are “How to Pick an Internet Firewall” [FPICK] and the Great Circle
Associates site [GCA], originally set up by firewall guru Brent Chapman
of “Building Internet Firewalls” [CHAP] fame.
Factors and features to consider include:
▪ De-Militarised Zone
A DMZ, also known as a perimeter network, is a third network added
between the internal and external networks, or alternatively an extra
independent interface (or more) on your firewall host. Services that you
wish to be made available to external users may be located on the DMZ.
If these services are compromised by an attacker, they will not have
access to your internal network, because you will have another firewall,
or rules applicable across another interface, to protect your internal
network.
▪ Virtual Private Networking
Virtual Private Networks, or VPNs, are a low-cost alternative to
dedicated leased lines for connecting two or more sites. In essence, a
VPN works by creating encrypted virtual channels over a public
network, such as the Internet. Modern firewall solutions often include
support for creating VPNs, either built-in or as an associated product,
e.g. SecuRemote [SECU] for Firewall-1. Client software should be
available for mobile users, enabling them to securely connect to the
internal network from anywhere. There are several standards for VPN
product compatibility (e.g. IPsec, S/WAN), and it is worth investigating
if remote sites you wish to work with are running firewall products, and
if so which standards are supported by them. It may be advantageous to
have an integrated firewall and VPN solution, as a separate VPN
solution opens a second avenue of attack into your network. However,
public domain VPN technology can be used, as discussed later in this
report.
▪ Network Address Translation
A firewall may hide the IP addresses of machines on the internal
network, by keeping track of connections from a machine to the outside
and rewriting packets on the fly. NAT is invariably used where a site has
more hosts than available IP addresses, or where it wishes to
masquerade multiple hosts behind one IP address for administrative or
other reasons. NAT helps to protect machines on the internal network
from being discovered and targeted by attackers, but it also breaks the
end-to-end security model and transparency of the Internet; this is one
reason why IPv6 [V6F], with its much greater IP address space is an
attractive protocol. A department using NAT on a campus network
introduces a second level of network administration, which is both a cost
and a potential insecurity.
▪ Media
Does the firewall system under evaluation support the media interfaces
required, e.g. 10 or 100Mbit Ethernet, quad Ethernet cards, Gigabit
Ethernet, ATM or FDDI?
▪ Filtering
• If a firewall performs stateful inspection of packets (e.g. SMTP, FTP
or HTTP), or uses a proxy system, which protocols does it cover?
• Can it filter by time of day?
▪ Number of interfaces
It is worth checking that the system under evaluation supports the
number of network interfaces that are required; most firewalls should be
able to perform filtering between more than two networks, e.g. for a
“collapsed” DMZ configuration.

▪ Transparency
How transparent is the firewall to the end user, in both outgoing and
incoming directions?
Does the user need special software or configurations in order to
perform their tasks?
▪ Authentication
• Does it support standard passwords, S/Key, RADIUS, TACACS or
SecurID?
• The firewall typically does not take the place of the vendor’s
authentication server.
Rather, it forwards requests from the user to the authentication server,
and, depending on the authentication result, either allows or disallows
the connection.
▪ Content Control
Does the firewall have the ability to control the content of the data that
passes through it? For example, firewalls often have the ability to
provide access control and enforce policy for web browsing, and may
also scan for possibly malicious content such as Java applets, ActiveX
controls, or even viruses in e-mail attachments. Firewalls may
alternatively be able to redirect content to another server for processing
or filtering.
▪ Denial-of-service (DoS) attack detection
• This is a more recent development, and is typified by intrusion
detection systems (IDS) such as Check Point’s Real Secure [RSEC].
Which DoS attacks does a firewall support?
Or will you run a separate IDS?
• Can the IDS modify firewall rules on the fly to react to DoS or other
attacks?
• Can “dangerous” live connections be manually killed if detected?

▪ Reporting
Reports are one of the most important aspects of a firewall's
functionality; the firewall may be preventing someone attacking your
internal network, but does it provide you with enough information about
the attacks for investigation and maintenance? The following are some
points to be considered.
• How much detail of events do the reports give, and can the detail level
be tailored? Is it possible to change the level of detail by event type, so
that important events are recorded in detail but not obscured by huge
numbers of unimportant ones?
• Can the reports be securely logged to a remote machine, printer or
other device? If your firewall is compromised, the logs may be altered or
erased by the attacker to cover their tracks.
• Are comprehensive log analysis tools included as standard with the
firewall product, or is one available at extra cost? A good log analysis
program can save a lot of time in identifying and tracing attacks. Can the
logs be exported to plain text or an open format for processing by your
own scripts?
• What sort of intrusion detection capabilities does the firewall have, and
will it be able to alert you under specified conditions? For example, you
may wish to be alerted to an ongoing attack by visual and audible
signals, by pager or by phone, or even by email for less serious cases to
be investigated later. Can you silence individual alerts if necessary,
leaving the others active?
• How easy-to-read are the reports (no cryptic error messages or
warnings), and in what formats can they be generated? (e.g. plain text,
HTML...)
▪ User interface
• Where can the system be managed from? (console, internal, external,
dialup,…)
• Is it terminal-based, command line, a good GUI, or Web browser
based?
• Is there a remote configuration tool (if so, how secure is it?)
• Can you run a single console to manage multiple firewalls?
• What SNMP management is offered, if any?
• How secure is access to the user interface, and the system the interface
runs on? (It is worth noting that independent of the firewall itself, a
dedicated secure room may be warranted for the firewall management
point. Dedicated fibre optic cabling may also be desirable.)
• What is the level of ease of configuration (there is probably less risk of
introduction of security holes through mis-configuration on a simpler
system)
• The interface should allow an unsophisticated user to build a simple
configuration in line with policy, but also allow an expert user to fine-
tune the configuration as necessary.
• What log management system exists?
▪ Firewall security
• How secure is the firewall platform itself?
• Is it running on a hardened kernel and operating system?
▪ Firewall architecture
• Does it offer proxies for control of some applications, e.g. ICQ?
• Does it offer packet filtering for speed or where proxies aren’t needed?
• Are there hooks for third-party or add-on systems (authentication, VPN
etc)?
• Is there significant “freeware” support from a large user community?
• Is there standards adherence (e.g. Internet Key Exchange protocol,
IPsec...)?
• If the firewall is a software product, be sure that the hardware that you
plan on using is supported and sufficient. These criteria vary depending
on the firewall product.
• How many systems are in the architecture? This affects maintenance
time and cost and the importance of a centralised maintenance station.
▪ Platform architecture
• Can the hardware be upgraded while keeping the same firewall
software, in the event of faster processing or greater throughput being
required?
• Is the hardware proprietary or open?
• Would you run your firewall on NT, or should you demand a Unix
version? A Unix (e.g. Solaris) version may be more robust, but may cost
more.
• Is the existence of and support for the OS guaranteed for the
foreseeable future?
• Can security patches be applied to the OS independently of the firewall
package?
▪ Fault tolerance
• If the firewall goes down or is compromised, can a backup system take
over automatically?
▪ Performance
• Does it run in silicon or software? While a software version may be
slower, it may be more readily upgradable.
• What is the maximum packet forwarding rate?
• What is the VPN encryption overhead?
• What is the stateful inspection overhead?
• Can it handle large rule sets and host or protocol object lists?
• Can it load-balance on multiple firewall interfaces, or between
cooperative firewalls?
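The Network Address Translation factor in the list above, as an added example (not the report's own code): a Python model of the connection tracking and on-the-fly rewriting a masquerading firewall performs for outbound connections. The public and internal addresses are constructed, and the model assumes public ports are never reused.

```python
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Hide every internal host behind one public address (source NAT).

    Outbound packets get their source rewritten to (public_ip, fresh port) and
    the mapping is remembered; replies are rewritten back from the table.
    Inbound packets with no mapping are dropped, which is why an outside host
    cannot address an internal machine directly.
    """

    def __init__(self, public_ip, first_port=30000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # assumption: ports never reused
        self.by_public_port = {}   # public port -> (int_ip, int_port, remote_ip)
        self.by_flow = {}          # (int_ip, int_port, remote_ip) -> public port

    def outbound(self, p):
        """Rewrite an internal host's packet so it appears to come from us."""
        flow = (p.src, p.sport, p.dst)
        if flow not in self.by_flow:
            # Two internal hosts may use the same source port, so each flow
            # gets its own public port rather than reusing the internal one.
            port = next(self.ports)
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return replace(p, src=self.public_ip, sport=self.by_flow[flow])

    def inbound(self, p):
        """Translate a reply back to the internal host, or None to drop it."""
        if p.dst != self.public_ip:
            return None
        flow = self.by_public_port.get(p.dport)
        if flow is None or flow[2] != p.src:
            # Either nobody inside started this, or the reply comes from a
            # different host than the one the mapping was created for.
            return None
        int_ip, int_port, _ = flow
        return replace(p, dst=int_ip, dport=int_port)


def demo():
    """Constructed traffic: two hosts sharing a source port, a genuine reply,
    a reply from the wrong remote host and an unsolicited inbound packet."""
    nat = Masquerader("203.0.113.1")
    a = nat.outbound(Packet("10.0.0.5", 5000, "192.0.2.10", 80))
    b = nat.outbound(Packet("10.0.0.6", 5000, "192.0.2.10", 80))
    reply = nat.inbound(Packet("192.0.2.10", 80, "203.0.113.1", a.sport))
    spoofed = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", a.sport))
    unsolicited = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 4444))
    return {"a": a, "b": b, "reply": reply, "spoofed": spoofed,
            "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The remote server only ever sees 203.0.113.1, which is both the protective effect and the loss of end-to-end transparency the text describes.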
7.3 Training, Support and Documentation
▪ Documentation
• How comprehensive is the documentation? Some trial or beta versions
of firewalls come with manuals that are very similar to the full release
versions, so you can judge the quality well.
• Is the documentation printed, on the Web, or on CD?
• Are there easy-to-follow tutorials?
▪ Technical support
• Where is it based? In the UK?
• Availability
• What is the response time?
• What about support on the hardware platform and its OS, if separate?
• Is it 24-hour support, 7 days a week?
• Will support be on-site, or available by phone, fax, or e-mail?
• Is it from the vendor or an independent consultant or reseller? Beware
“box shifters” who don’t understand their product.
• Is support included in package, or extra? If extra, how much does it
cost?
• What is the upgrade and patch availability now? Future support will
likely be of the same quality.
7.4 Miscellaneous features
Other factors include:
• Has the firewall been subject to third party certification, e.g. by
ICSA.net [ICSA]?
• Are there good product reviews in reputable publications?
• Can you find reference sites that will vouch for the product’s reliability
and performance?
• What about the firewall author company's credentials?
• Number of years in business (overall, and on the security and firewall
side)
• Size of installed user base
• Can you obtain a demonstration version for evaluation for a suitable
period, e.g. 4-8 weeks?
• Make sure the firewall will integrate with your existing network
configuration.

8. Popular hardware & software firewalls


Software Firewall            Hardware Firewall
-----------------            -----------------
MS ISA Server                Cisco PIX
Norton Internet Security     FortiGuard
McAfee Internet Security     Cyberoam
ZoneAlarm                    Check Point
Kerio                        NetScreen
BlackICE                     NetD
Outpost                      WatchGuard

9. Case Study: Internal Firewall


In this case study we consider the use of internal firewalls for small
departmental LANs. These notes refer to installations undertaken at
Southampton.
A single firewall at the external connection to a campus network does
not prevent parts of that network from attack by users who have access
inside the firewall. This potential threat might include tens of thousands
of users. This is one of the reasons for internal firewalls, which also
provide additional layers of protection in the event of a security breach
of outer firewalls. As a general principle, internal firewalls can be more
restrictive than external ones. Internal firewalls provide a level of
defence between individual machines and the campus level, protecting
parts of the network, perhaps just a few offices.
The ultimate internal firewall is of course the machine itself - individual
machines should be configured with a view to security, only making
essential network services available and monitoring access. As well as
protecting the machine, this can also help reduce internal problems
by preventing machines being used as a staging post in attacks.
Techniques such as TCP wrappers support this approach by providing
access control when TCP services are requested.
Consider a small department with ten members of staff, wishing to
install workstations to provide access to a local server as well as campus
and Internet services. The local network is to carry confidential data. We
have investigated several installations of this type, categorised as
follows:
1. The server has two network adapters, one to the campus network and
one to the private network and acts as a router, configured defensively to
control access.
2. A machine is dedicated to being the firewall, as above but without
other services running.
3. The private LAN is connected via routers (e.g. a satellite site using
ISDN) which can be configured to control access.
Option (1) is inappropriate if a high degree of protection is required for
the server but in fact it is a common configuration, providing improved
security at the cost of an extra network card; arguably it should not be
described as a firewall. Indeed, sometimes external access to the server
is desirable, such as for a Web server. This is discussed in the following
section.
Options (1) and (2) are characteristic of internal firewalls in that they are
host-based solutions.
Internal firewalls are typically LAN-to-LAN and can therefore be
implemented on a PC with two network adapters, i.e. off-the-shelf
hardware which is familiar to systems administrators of small networks.
The LAN-to-LAN interconnectivity can also sometimes imply
performance requirements which exceed those of firewall solutions
designed for Internet connectivity to service providers using lower
bandwidth leased lines. While firewall performance is an issue with
larger departmental LANs, our 10-client scenario can readily be
supported by a PC-based solution.
In all three cases the configuration follows standard firewall practice for
‘screening routers’, controlling access by protocol types, Internet
Protocol (IP) addresses and port numbers.
Configurations can be far simpler than campus firewalls because there
are fewer services on the private network so external access to the
private network can be highly restricted. A typical starting point is to
give the private users full access to the campus but deny all access from
users on the campus side. Restricting outbound traffic might be a better
security policy but introduces an ongoing support task. The trade off
between security and support is discussed later.
In addition to protecting small departmental LANs, sometimes an
internal firewall is used to control access from a ‘public’ area such as a
seminar or meeting room. This requires a set of rules which permit only
certain traffic such as DNS traffic to specific nameservers, telnet and
FTP, HTTP (possibly just to campus hosts and a proxy), SMTP and
IMAP to specific mail servers, SSH and specific ICMP packets. Note
that if the private LAN has any form of external access (such as dial-up)
then this amounts to the same situation.
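The screening-router rule set for a public area, as an added example (not the report's own configuration): a Python model in which the case study's list of permitted services is expressed as first-match rules with a default-deny fallthrough, applied to connection-initiating packets only (reply traffic is assumed to be handled separately). The campus, nameserver, mail-server and proxy addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str    # "out": from the public-area LAN towards campus; "in": reverse
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # unused for ICMP
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dsts: tuple          # CIDR strings; an empty tuple matches any destination
    dports: tuple        # empty tuple matches any port
    action: str          # "ACCEPT" or "DROP"
    icmp_types: tuple = ()

    def matches(self, p):
        if (self.direction, self.proto) != (p.direction, p.proto):
            return False
        if self.dsts and not any(ip_address(p.dst) in ip_network(n) for n in self.dsts):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return not self.icmp_types or p.icmp_type in self.icmp_types


# Constructed addresses standing in for the campus network and its servers.
CAMPUS = ("192.0.2.0/24",)
NAMESERVERS = ("192.0.2.53/32", "192.0.2.54/32")
MAIL_SERVERS = ("192.0.2.25/32",)
WEB_PROXY = ("203.0.113.8/32",)

# The public-area rule set from the case study: only the named traffic
# may leave the room, and nothing may be initiated towards it.
PUBLIC_AREA_RULES = [
    Rule("out", "udp", NAMESERVERS, (53,), "ACCEPT"),           # DNS to named servers
    Rule("out", "tcp", (), (21, 23), "ACCEPT"),                 # FTP, telnet
    Rule("out", "tcp", CAMPUS + WEB_PROXY, (80,), "ACCEPT"),    # HTTP to campus or proxy
    Rule("out", "tcp", MAIL_SERVERS, (25, 143), "ACCEPT"),      # SMTP, IMAP
    Rule("out", "tcp", (), (22,), "ACCEPT"),                    # SSH
    Rule("out", "icmp", (), (), "ACCEPT", icmp_types=(8,)),     # echo request only
]


def screen(rules, p):
    """First matching rule decides; no match falls through to default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "DROP"


def demo():
    """Verdicts for constructed connection-initiating packets."""
    room = "10.9.0.17"
    traffic = [
        Packet("out", "udp", room, "192.0.2.53", 53),        # DNS to a listed nameserver
        Packet("out", "udp", room, "198.51.100.53", 53),     # DNS to an outside resolver
        Packet("out", "tcp", room, "198.51.100.80", 80),     # direct web, bypassing proxy
        Packet("out", "tcp", room, "203.0.113.8", 80),       # web via the proxy
        Packet("out", "tcp", room, "192.0.2.25", 143),       # IMAP to the mail server
        Packet("out", "tcp", room, "192.0.2.25", 110),       # POP3 is not in the policy
        Packet("out", "tcp", room, "198.51.100.22", 22),     # SSH anywhere
        Packet("out", "icmp", room, "192.0.2.1", icmp_type=8),   # ping
        Packet("out", "icmp", room, "192.0.2.1", icmp_type=13),  # timestamp request
        Packet("in", "tcp", "192.0.2.77", room, 22),         # campus host into the room
    ]
    return [screen(PUBLIC_AREA_RULES, p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```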
When a department is split across a site, internal firewalls could be
introduced between each part and the campus; however, the users on the
two private LANs will wish to function as if on a single private LAN.
This involves creation of a Virtual Private Network (VPN). While a
number of solutions exist off-the-shelf, the extra costs of configuration
and maintenance appear to be a deterrent to introducing internal
firewalls in this situation. An alternative is to run a private network link
(fibre or otherwise) between the remote locations.
References:
▪ www.cisco.com
▪ www.isaserver.org
▪ www.wikipedia.com
▪ www.cert.org
▪ www.google.com
▪ www.zonelabs.com
▪ www.symantec.com
