Firewall: Role of Firewalls in Web Security

Firewalls control access between networks by screening network traffic and blocking dangerous traffic through the use of gateways and filters. They act as an intermediate server between connections like SMTP and HTTP. Firewalls impose restrictions on incoming and outgoing packets and only allow authorized traffic to pass through checkpoints between private and public networks. However, firewalls have limitations such as not preventing modem dial-ins, enforcing password policies, or stopping internal users from accessing malicious websites.

Uploaded by Aryan Dua

Firewall

A firewall controls access between networks. It generally consists of gateways and filters, which vary from one firewall to another. Firewalls also screen network traffic and are able to block traffic that is dangerous. Firewalls act as an intermediate server (proxy) for connections such as SMTP and HTTP.

Role of firewalls in web security

1. Firewalls impose restrictions on incoming and outgoing packets to and from private networks. All traffic, whether incoming or outgoing, must pass through the firewall, and only authorized traffic is allowed through it. Firewalls thus create checkpoints between an internal private network and the public Internet.
2. Firewalls can create choke points based on IP source address and TCP port number. They can also serve as the platform for IPsec: using its tunnel-mode capability, the firewall can be used to implement VPNs.
3. Firewalls can also limit network exposure by hiding the internal network's systems and information from the public Internet.

Firewall Components

There are three primary components (or aspects) of firewall systems:

1) Packet filtering
2) Application gateways
3) Logging and detection of suspicious activity

The last item may range in capability, from creating log entries for excessive login attempts, to notifying operators via e-mail or pagers, to intrusion-detection systems that build user profiles and raise alarms when out-of-bounds behavior occurs.

Up until now, the term "firewall" has been used here somewhat loosely, since firewall systems can range greatly in how well they implement the above components. The most common type of firewall is simply a router that has the capability to filter TCP/IP packets based on information fields in each packet. Less common but more secure are systems that include packet filtering as well as logging and application gateways for telnet, ftp, or e-mail. These firewalls may actually be a collection of systems such as a router, an application gateway system, and a system for logging. Also found are firewall systems that simply block all traffic, thus completely cutting off network access except for those users with accounts on the firewall system. However, since packet filtering capability appears to be the common component in most firewall systems, the following paragraphs go into more detail on packet filtering than the other components.

1) Packet Filtering

The primary activity of a firewall is filtering packets that pass to and from the Internet
and the protected subnet. Filtering packets can limit or disable services such as NFS
or telnet, restrict access to and from specific systems or domains, and hide
information about subnets. A firewall could filter the following fields within packets:

- Packet type, such as IP, UDP, ICMP, or TCP;
- Source IP address, the system from which the packet originated;
- Destination IP address, the system for which the packet is destined;
- Destination TCP/UDP port, a number designating a service such as telnet, ftp, smtp, nfs, etc., located on the destination host; and
- Source TCP/UDP port, the port number of the service on the host originating the connection.

In almost all cases, packet filtering is done using a packet filtering router designed for filtering packets as they pass between the router's interfaces.

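The following is an added example, not code from the original document: a toy packet-filtering router that evaluates first-match rules over exactly the five header fields listed above (packet type, source and destination address, source and destination port), plus the interface the packet arrived on, so that a packet from outside claiming an internal source address can be rejected. The subnet, host addresses and rules are constructed for the illustration; the default policy is deny, and every denied packet is written to the router's log.

```python
"""Toy packet-filtering router with first-match rules on the five header fields
(packet type, source/destination address, source/destination port) plus the
arrival interface. Added illustration; addresses, subnets and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    sport: Optional[int] = None  # source port (TCP/UDP only)
    dport: Optional[int] = None  # destination port (TCP/UDP only)
    iface: str = "external"      # router interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    comment: str                 # why the rule exists; copied into the log
    proto: Optional[str] = None  # None means "any protocol"
    src: Optional[str] = None    # CIDR prefix, None means "any source"
    dst: Optional[str] = None    # CIDR prefix, None means "any destination"
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every field set on the rule must match; unset fields are wildcards."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; unmatched packets get the default action."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.log: List[str] = []  # the router's own record of denied packets

    def decide(self, p: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(p):
                action, why = rule.action, rule.comment
                break
        else:
            action, why = self.default, "default policy"
        if action == "deny":
            self.log.append(f"DENY {p.iface} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({why})")
        return action, why


# Constructed topology: internal subnet 10.0.0.0/8; a mail host at 10.0.0.25 and a
# telnet application gateway at 10.0.0.10 are the only services advertised outside.
INTERNAL = "10.0.0.0/8"
RULES = [
    # Anti-spoofing: an "internal" source address can never legitimately arrive from outside.
    Rule("deny", "spoofed internal source", src=INTERNAL, iface="external"),
    # Services the site never exposes, whatever the destination host.
    Rule("deny", "tftp", proto="udp", dport=69),
    Rule("deny", "portmapper", dport=111),
    Rule("deny", "nfs", dport=2049),
    # Only the mail host may receive SMTP; only the gateway may receive telnet.
    Rule("allow", "smtp to mail host", proto="tcp", dst="10.0.0.25/32", dport=25),
    Rule("allow", "telnet to application gateway", proto="tcp", dst="10.0.0.10/32", dport=23),
]


def build_filter() -> PacketFilter:
    return PacketFilter(RULES, default="deny")


if __name__ == "__main__":
    fw = build_filter()
    for pkt in (
        Packet("tcp", "198.51.100.7", "10.0.0.25", 40000, 25),  # allowed: SMTP to mail host
        Packet("tcp", "198.51.100.7", "10.0.0.42", 40001, 23),  # denied: telnet to a non-gateway host
        Packet("udp", "198.51.100.7", "10.0.0.42", 40002, 69),  # denied: tftp
        Packet("tcp", "10.0.0.5", "10.0.0.25", 40003, 25),      # denied: spoofed internal source
    ):
        print(fw.decide(pkt))
    print("\n".join(fw.log))
```

Rule order matters: the anti-spoofing rule sits first so that a forged internal source can never reach the later allow rules, and the allow rules name a single destination host each, which is what keeps the router's rule set small when an application gateway fronts the service.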
2) Application Gateways

After packet filtering and logging, application gateways function to provide a higher
level of security for applications such as telnet, ftp, or SMTP that are not blocked at
the firewall. An application gateway is typically located such that all application
traffic destined for hosts within the protected subnet must first be sent to the
application gateway (in other words, any application traffic that is not directed at the
application gateway gets rejected via packet filtering). After performing some action,
the application gateway may pass the traffic on to a host or may reject the traffic if it
is not authorized. Application gateways are also referred to as "proxy servers."

A site would use application gateways to provide a "guarded gate" through which
application traffic must first pass before being permitted access to specific systems.
As an example of an application gateway for telnet, a site might advertise only the
name of the telnet gateway to outside users and not the names of specific hosts. The
protocol for connecting to specific internal hosts would be as follows:

1. a user first telnets to the application gateway and enters the name of the desired
host;
2. the gateway perhaps checks the user's source IP address and accepts or rejects it
according to any access criteria in place;
3. the user may need to authenticate herself using an authentication token such as
a challenge-response device;
4. the gateway then creates a telnet connection to the desired host;
5. the user's system knows only that the telnet session is between the user's system
and the application gateway; and
6. the application gateway logs the connection, including the connection's
origination address, destination, time of day, and duration.

Application gateways, then, have a number of advantages over the default mode of
permitting application traffic directly to internal hosts:

- Information hiding, in which the names of internal systems need not necessarily be made known via DNS to outside systems, since the application gateway may be the only host whose name must be made known to outside systems;
- Robust authentication and logging, in which the application traffic can be pre-authenticated before it reaches internal hosts and can be logged more effectively than if logged with standard host logging;
- Cost-effectiveness, because third-party software or hardware for authentication or logging need be located only at the application gateway; and
- Less-complex filtering rules, in which the rules at the packet-filtering router will be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

A disadvantage of application gateways is that, in the case of client-server protocols such as telnet, two steps are required to connect inbound or outbound. This may prove somewhat tedious for users; however, it is a small price to pay for the increase in security.
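The six-step telnet gateway protocol above, written out as an added example that is not part of the original document: the policy core of an application gateway that checks the caller's source address, authenticates with a challenge-response token, validates the requested internal host name only after authentication (so unauthenticated callers learn nothing about the internal name space), opens the inbound leg itself, and logs origin, destination, time of day and duration. The allowed source range, internal host names, per-user token seeds and clock are constructed; the real TCP relay is stood in for by a caller-supplied `connector` callable, and the HMAC-SHA256 response is one concrete way to realise the challenge-response device the text mentions.

```python
"""Policy core of a telnet-style application gateway: source check, challenge-response
authentication, relay to the requested internal host, and a session log with origin,
destination, time and duration. Added illustration; hosts, secrets and clock are
constructed, and `connector` stands in for the real TCP relay."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


class GatewayError(Exception):
    """Raised when the gateway rejects a session; the reason is logged first."""


@dataclass
class SessionRecord:
    origin: str
    user: str
    destination: str
    start: float
    relay: object = None
    end: Optional[float] = None

    @property
    def duration(self) -> Optional[float]:
        return None if self.end is None else self.end - self.start


class TelnetGateway:
    def __init__(self, allowed_sources: Iterable[str], internal_hosts: Set[str],
                 user_secrets: Dict[str, bytes], connector: Callable[[str], object],
                 clock: Callable[[], float]):
        self.allowed_sources = [ipaddress.ip_network(n) for n in allowed_sources]
        self.internal_hosts = internal_hosts   # names never published to outside DNS
        self.user_secrets = user_secrets       # per-user seed held by the user's token
        self.connector = connector             # host name -> relay handle (socket in real life)
        self.clock = clock
        self.log: List[str] = []

    def challenge(self) -> str:
        return secrets.token_hex(16)

    @staticmethod
    def expected_response(secret: bytes, challenge: str) -> str:
        """What the challenge-response token computes: HMAC-SHA256 over the challenge."""
        return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()

    def _reject(self, origin: str, user: str, host: str, reason: str) -> None:
        self.log.append(f"REJECT origin={origin} user={user} dest={host} reason={reason}")
        raise GatewayError(reason)

    def open_session(self, origin: str, user: str, host: str,
                     challenge: str, response: str) -> SessionRecord:
        # Step 2: source-address access criteria.
        if not any(ipaddress.ip_address(origin) in net for net in self.allowed_sources):
            self._reject(origin, user, host, "source not permitted")
        # Step 3: challenge-response authentication, compared in constant time.
        secret = self.user_secrets.get(user)
        if secret is None or not hmac.compare_digest(self.expected_response(secret, challenge), response):
            self._reject(origin, user, host, "authentication failed")
        # Step 1's host name is validated only now, after authentication.
        if host not in self.internal_hosts:
            self._reject(origin, user, host, "unknown destination")
        # Step 4/5: the gateway opens the inbound leg; the client only ever talks to the gateway.
        rec = SessionRecord(origin, user, host, self.clock(), relay=self.connector(host))
        # Step 6: log origin, destination and start time; duration is added on close.
        self.log.append(f"OPEN origin={origin} user={user} dest={host} at={rec.start}")
        return rec

    def close_session(self, rec: SessionRecord) -> SessionRecord:
        rec.end = self.clock()
        self.log.append(f"CLOSE origin={rec.origin} dest={rec.destination} duration={rec.duration}")
        return rec


def demo() -> List[str]:
    """Constructed run: one accepted session, then one rejected for its source address."""
    ticks = iter([1000.0, 1030.5])
    gw = TelnetGateway(
        allowed_sources=["198.51.100.0/24"],
        internal_hosts={"db1.internal.example", "build.internal.example"},
        user_secrets={"alice": b"constructed-seed-for-alice"},
        connector=lambda host: f"relay->{host}",
        clock=lambda: next(ticks),
    )
    ch = gw.challenge()
    rec = gw.open_session("198.51.100.7", "alice", "db1.internal.example", ch,
                          gw.expected_response(b"constructed-seed-for-alice", ch))
    gw.close_session(rec)
    try:
        gw.open_session("203.0.113.9", "alice", "db1.internal.example", ch, "not-a-valid-response")
    except GatewayError:
        pass
    return gw.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Every rejection is logged with its reason before the error is raised, which is the logging half of the "robust authentication and logging" advantage; the challenge must be fresh per session, which is why `challenge()` draws it from `secrets` rather than reusing a fixed value.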

3) Logging and Detection of Suspicious Activity

Packet-filtering routers unfortunately suffer from a number of weaknesses. The filtering rules can be difficult to specify; usually no testing facility exists, so testing must be done manually; and the filtering rules can be very complex depending on the site's access requirements. No logging capability exists, so if a router's rules still let "dangerous" packets through, the packets may not be detected until a break-in has occurred. In addition, some packet filtering routers filter only on the destination address, not on the source address.

What type of traffic should be logged? In addition to standard logging that would
include statistics on packet types, frequency, and source/destination addresses, the
following types of activity should be captured:

- Connection information, including point of origin, destination, username, time of day, and duration;
- Attempts to use any "banned" protocols such as tftp, domain name service zone transfers, portmapper and rpc-based services, all of which would be indicative of probing or attempts to break in;
- Attempts to spoof internal systems, such as traffic from outside systems attempting to masquerade as internal systems; and
- Routing redirections that come from unauthorized sources (unknown routers).

Logs will have to be read frequently. If suspicious behavior is detected, a call to the site's administrator can often determine the source of the behavior and put an end to it; however, the firewall administrator also has the option of blocking traffic from the offending site.

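Reading logs "frequently" is the part that scales badly, so an added example (not code from the original document) of the detection side follows: a small analyser run over constructed firewall log lines that flags each class of activity listed above, namely banned protocols (tftp, DNS zone transfers over TCP, portmapper), outside traffic masquerading as an internal system, ICMP redirects from anything other than a known router, and, from the components section, a threshold on blocked login attempts that escalates to operator notification. The log format, addresses, internal subnet and router list are all constructed; a real deployment would map its own firewall's log fields onto `parse`.

```python
"""Detector for the suspicious-activity classes in the text, run over firewall log
lines. Added illustration; log format, addresses and thresholds are constructed."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed internal subnet
KNOWN_ROUTERS = {"198.51.100.1"}                      # only sources allowed to send ICMP redirects
BANNED = {                                            # (protocol, destination port) -> name
    ("udp", 69): "tftp",
    ("tcp", 111): "portmapper",
    ("udp", 111): "portmapper",
    # Zone transfers (AXFR) run over TCP/53; ordinary resolvers here only use UDP/53, so a
    # TCP/53 attempt from outside is treated as a probe. Sites that do allow TCP DNS must not
    # use this rule as-is.
    ("tcp", 53): "dns zone transfer",
}
LOGIN_PORTS = {21, 22, 23}                            # ftp, ssh, telnet
LOGIN_THRESHOLD = 5                                   # denied attempts from one source before paging


def parse(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value key=value ...' lines (constructed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def analyse(lines: Iterable[str]) -> List[str]:
    alerts: List[str] = []
    login_attempts: Counter = Counter()
    for line in lines:
        r = parse(line)
        proto, src, dst, iface = r["proto"], r["src"], r["dst"], r["iface"]
        dport = int(r["dport"]) if "dport" in r else None
        # Spoofing: an internal source address seen on the external interface.
        if iface == "external" and ipaddress.ip_address(src) in INTERNAL_NET:
            alerts.append(f"{r['ts']} spoof: {src} claims to be internal on the external interface")
        # Banned protocols: indicative of probing regardless of whether the router dropped them.
        if (proto, dport) in BANNED:
            alerts.append(f"{r['ts']} probe: {src} tried {BANNED[(proto, dport)]} on {dst}")
        # Routing redirection (ICMP type 5) from anything but a known router.
        if proto == "icmp" and r.get("type") == "5" and src not in KNOWN_ROUTERS:
            alerts.append(f"{r['ts']} redirect: ICMP redirect from unknown router {src}")
        # Excessive login attempts: escalate once the threshold is crossed, once per source.
        if dport in LOGIN_PORTS and r.get("action") == "deny":
            login_attempts[src] += 1
            if login_attempts[src] == LOGIN_THRESHOLD:
                alerts.append(f"{r['ts']} notify-operator: {LOGIN_THRESHOLD} blocked login attempts from {src}")
    return alerts


# Constructed sample log: one event of each class, plus five blocked telnet attempts.
SAMPLE_LOG = """\
2024-06-01T10:00:01 iface=external proto=udp src=203.0.113.9 dst=10.0.0.5 sport=5353 dport=69 action=deny
2024-06-01T10:00:02 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.5 sport=5354 dport=53 action=deny
2024-06-01T10:00:03 iface=external proto=tcp src=10.0.0.7 dst=10.0.0.25 sport=40000 dport=25 action=deny
2024-06-01T10:00:04 iface=external proto=icmp src=203.0.113.200 dst=10.0.0.1 type=5 action=deny
2024-06-01T10:00:05 iface=external proto=icmp src=198.51.100.1 dst=10.0.0.1 type=5 action=allow
2024-06-01T10:00:06 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.10 sport=40010 dport=23 action=deny
2024-06-01T10:00:07 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.10 sport=40011 dport=23 action=deny
2024-06-01T10:00:08 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.10 sport=40012 dport=23 action=deny
2024-06-01T10:00:09 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.10 sport=40013 dport=23 action=deny
2024-06-01T10:00:10 iface=external proto=tcp src=203.0.113.9 dst=10.0.0.10 sport=40014 dport=23 action=deny
2024-06-01T10:00:11 iface=external proto=tcp src=198.51.100.7 dst=10.0.0.25 sport=40020 dport=25 action=allow
""".splitlines()

if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE_LOG)))
```

The alert list is what the text's "notification of operators" would consume; note that the spoof and banned-protocol checks fire even when the router already denied the packet, because the point of the log is to notice probing before a rule gap lets the next attempt through.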
Firewall Limitations

A firewall is a crucial component of securing your network and is designed to address the issues of data integrity or traffic authentication (via stateful packet inspection) and confidentiality of your internal network (via NAT). Your network gains these benefits from a firewall by receiving all transmitted traffic through the firewall. The importance of including a firewall in your security strategy is apparent; however, firewalls do have the following limitations:

1. A firewall cannot prevent users or attackers with modems from dialing in to or out of the internal network, thus bypassing the firewall and its protection completely.
2. Firewalls cannot enforce your password policy or prevent misuse of passwords. Your password policy is crucial in this area because it outlines acceptable conduct and sets the ramifications of noncompliance.
3. Firewalls are ineffective against nontechnical security risks such as social engineering, as discussed in Chapter 1, "There Be Hackers Here."
4. Firewalls cannot stop internal users from accessing websites with malicious code, making user education critical.
5. Firewalls cannot protect you from poor decisions.
6. Firewalls cannot protect you when your security policy is too lax.
7. Another well-known threat, not covered by traditional firewalls, is unsolicited commercial email, better known as spam. Dealing with spam can seriously affect productivity, and because spam often contains viruses and phishing attempts, it is a direct security threat.
