Ilovepdf Merged

- The document discusses configuring a firewall, including what firewall software does like filtering incoming packets, firewall configuration options like controlling traffic by IP address, protocol, ports, and keywords, and why firewall security is important to prevent unauthorized access and abuse. - It provides instructions on configuring a simple firewall including creating access lists to permit or deny traffic, configuring inspection rules for protocols like TCP and UDP, and applying the access lists and rules to network interfaces. An example configuration is also given.

Uploaded by

jangalasiddu
Configuring Firewall

• What Firewall Software Does?

• Firewall Configuration

• Why Firewall Security?

• Configuring a Simple Firewall


What Firewall Software Does?
• A firewall is simply a program or hardware device that filters the information
coming through the Internet connection into your private network or computer
system.

• If an incoming packet of information is flagged by the filters, it is not allowed
through.

• With a firewall in place, the landscape is much different. A company will place
a firewall at every connection to the Internet.

• The firewall can implement security rules. For example, one of the security
rules inside the company might be:

• Out of the 500 computers inside this company, only one of them is permitted to
receive public FTP traffic. Allow FTP connections only to that one computer
and prevent them on all others.

• Firewalls use one or more of three methods to control traffic flowing in and
out of the network:

• Packet filtering

• Proxy service

• Stateful inspection
• A newer method that doesn't examine the contents of each packet but
instead compares certain key parts of the packet to a database of trusted
information
[Figure: Working of Firewall]
Firewall Software Configuration
• Firewalls are customizable. This means that you can add or remove filters
based on several conditions. Some of these are:

• IP addresses
• For example, if a certain IP address outside the company is reading too
many files from a server, the firewall can block all traffic to or from that IP
address

• Domain names
• A company might block all access to certain domain names, or allow access
only to specific domain names. Ex: www.howstuffworks.com
Some common protocols that you can set firewall filters for include:
• IP (Internet Protocol) - the main delivery system for information over the
Internet
• TCP (Transmission Control Protocol) - used to break apart and rebuild
information that travels over the Internet
• HTTP (Hyper Text Transfer Protocol) - used for Web pages
• FTP (File Transfer Protocol) - used to download and upload files
• UDP (User Datagram Protocol) - used for information that requires no
response, such as streaming audio and video
• ICMP (Internet Control Message Protocol) - used by a router to exchange
the information with other routers
• SMTP (Simple Mail Transport Protocol) - used to send text-based
information (e-mail)
• SNMP (Simple Network Management Protocol) - used to collect system
information from a remote computer
• Telnet - used to perform commands on a remote computer
• Ports
• For example, if a server machine is running a Web (HTTP) server and an
FTP server, the Web server would typically be available on port 80, and the
FTP server would be available on port 21.
• A company might block port 21 access on all machines but one inside the
company.

• Specific words and phrases

• The firewall will sniff (search through) each packet of information for an
exact match of the text listed in the filter.
• For example, you could instruct the firewall to block any packet with the
word "X-rated" in it. The key here is that it has to be an exact match.
• The "X-rated" filter would not catch "X rated" (no hyphen). But you can
include as many words, phrases and variations of them as you need. Some
operating systems come with a firewall built in.
Why Firewall Security?
• Access or abuse of unprotected computers
• Remote login
• Application backdoors
• SMTP session hijacking
• Operating system bugs
• Denial of service
• E-mail bombs
• Macros
• Viruses
• Spam
• Redirect bombs - Hackers can use ICMP to change (redirect) the path
information takes by sending it to a different router
• Source routing
Security against unauthorized access or abuse

• Proxy Servers and DMZ

• A function that is often combined with a firewall is a proxy server. The
proxy server is used to access Web pages by the other computers.

• Proxy servers can also make your Internet access work more efficiently. If
you access a page on a Web site, it is cached (stored) on the proxy server.

• DMZ is just an area that is outside the firewall.

• Setting up a DMZ is very easy. If you have multiple computers, you can
choose to simply place one of the computers between the Internet
connection and the firewall.
Configuring a Simple Firewall

• The Cisco 1800 integrated services routers support network traffic filtering
by means of access lists.
• The router also supports packet inspection and dynamic temporary access
lists by means of Context Based Access Control (CBAC).

• The use of inspection rules in CBAC allows the creation and use of
dynamic temporary access lists.
• These dynamic lists allow temporary openings in the configured access lists
at firewall interfaces.
• These openings are created when traffic for a specified user session exits
the internal network through the firewall.
1. Multiple networked devices—Desktops, laptop PCs, switches
2. Fast Ethernet LAN interface (the inside interface for NAT)
3. PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803 series integrated services router, respectively
4. Point at which NAT occurs
5. Protected network
6. Unprotected network
7. Fast Ethernet or ATM WAN interface (the outside interface for NAT)
• The firewall is applied to the outside WAN interface (FE0) on the Cisco
1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering
and inspecting all traffic entering the router on the Fast Ethernet WAN
interface FE1.
• Note that in this example, the network traffic originating from the corporate
network, network address 10.1.1.0, is considered safe traffic and is not
filtered
Configuration Tasks

• Configure Access Lists

• Configure Inspection Rules

• Apply Access Lists and Inspection Rules to Interfaces


Configure Access Lists
• Step 1
• access-list access-list-number {deny | permit} protocol

• Ex:
• Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any

• Creates an access list which prevents Internet-initiated traffic from reaching
the local (inside) network of the router, and which compares source and
destination ports.

• Step 2
• access-list access-list-number {deny | permit} protocol source source-wildcard
destination destination-wildcard

• Example:
• Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

• Creates an access list that allows network traffic to pass freely between the
corporate network and the local networks through the configured VPN tunnel.
Configure Inspection Rules
• Perform these steps to configure firewall inspection rules for all TCP and
UDP traffic, as well as specific application protocols as defined by the
security policy, beginning in global configuration mode

• Step 1 ip inspect name inspection-name protocol

• Defines an inspection rule for a particular protocol.

• Example:
• Router(config)# ip inspect name firewall tcp
• Router(config)#

• Step 2 ip inspect name inspection-name protocol

• Repeat this command for each inspection rule that you wish to use.

• Router(config)# ip inspect name firewall rtsp
• Router(config)# ip inspect name firewall ftp
• Router(config)#
Apply Access Lists and Inspection Rules to Interfaces
• Perform these steps to apply the ACLs and inspection rules to the network
interfaces, beginning in global configuration mode:

• Step 1 interface type number
• Enters interface configuration mode for the inside network interface on
your router.
• Example:
• Router(config)# interface vlan 1
• Router(config-if)#

• Step 2 ip inspect inspection-name { in | out }
• Assigns the set of firewall inspection rules to the inside interface on the
router.
• Example:
• Router(config-if)# ip inspect firewall in
• Router(config-if)#

• Step 3 exit
• Returns to global configuration mode.
• Example:
• Router(config-if)# exit
• Router(config)#

• Step 4 interface type number
• Enters interface configuration mode for the outside network interface on
your router.
• Example:
• Router(config)# interface fastethernet 0
• Router(config-if)#

• Step 5 ip access-group { access-list-number | access-list-name } { in | out }
• Example:
• Router(config-if)# ip access-group 103 in
• Router(config-if)#

• Step 6 exit
Configuration Example
• A telecommuter is granted secure access to a corporate network, using
IPSec tunnelling.

• Security to the home network is accomplished through firewall inspection.
The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow,
FTP, and SQLNet. There are no servers on the home network; therefore, no
traffic is allowed that is initiated from outside.

• IPSec tunnelling secures the connection from the Home LAN to the
corporate network.

• Like the Internet Firewall Policy, HTTP need not be specified because Java
blocking is not necessary. Specifying TCP inspection allows for single-
channel protocols such as Telnet and HTTP. UDP is specified for DNS.
• The following configuration example shows a portion of the configuration
file for the simple firewall scenario described in the preceding sections:
• ip inspect name firewall tcp
• ip inspect name firewall udp
• ip inspect name firewall rtsp
• ip inspect name firewall h323
• ip inspect name firewall netshow
• ip inspect name firewall ftp
• ip inspect name firewall sqlnet
• interface vlan 1 ! This is the internal home network
• ip inspect firewall in ! inspection examines outbound traffic
• no cdp enable
• interface fastethernet 0 ! FE0 is the outside or internet exposed interface
• ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound.
• ip nat outside
• no cdp enable
• ! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
• access-list 103 permit udp host 200.1.1.1 any eq isakmp
• access-list 103 permit udp host 200.1.1.1 eq isakmp any
• access-list 103 permit esp host 200.1.1.1 any
• access-list 103 permit icmp any any ! allow icmp for debugging but should be disabled due to security implications.
• access-list 103 deny ip any any ! prevents internet initiated traffic inbound.
• no cdp run
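
An added example, not part of the original slides or of Cisco's software: a small Python model of how access lists 103 and 105 above are evaluated top-down with the first match winning, including the wildcard mask and the implicit deny at the end of every ACL. The test packets and the outside address 198.51.100.10 are constructed, and the parser handles only the ACL forms that appear on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500}          # IOS keyword for UDP port 500 (IKE)

# ACL lines as on the slides (the inline comment is shortened).
ACL_103 = """
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any ! allow icmp for debugging
access-list 103 deny ip any any
"""
ACL_105 = "access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255"

@dataclass
class Rule:
    action: str
    proto: str
    src: int
    src_wild: int
    sport: Optional[int]
    dst: int
    dst_wild: int
    dport: Optional[int]

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A wildcard', then an optional 'eq PORT'."""
    first = tokens.pop(0)
    if first == "any":
        addr, wild = 0, 0xFFFFFFFF
    elif first == "host":
        addr, wild = _ip(tokens.pop(0)), 0
    else:
        addr, wild = _ip(first), _ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = int(name) if name.isdigit() else PORT_NAMES[name]
    return addr, wild, port

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()       # drop a trailing "! comment"
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, src_wild, sport = _take_endpoint(rest)
        dst, dst_wild, dport = _take_endpoint(rest)
        rules.append(Rule(action, proto, src, src_wild, sport, dst, dst_wild, dport))
    return rules

def _addr_match(ip, addr, wild):
    # A 1 bit in the wildcard means "ignore this bit" (the inverse of a netmask).
    return (_ip(ip) | wild) == (addr | wild)

def evaluate(rules, pkt):
    """Return (action, rule_number); rule 0 is the implicit deny ending every ACL."""
    for number, r in enumerate(rules, start=1):
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, r.src, r.src_wild)
                and _addr_match(pkt.dst, r.dst, r.dst_wild)):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, number
    return "deny", 0

WAN = "198.51.100.10"   # constructed stand-in for the router's outside address

def audit():
    acl = parse_acl(ACL_103)
    hardened = [r for r in acl if r.proto != "icmp"]   # debugging line removed
    vpn = parse_acl(ACL_105)
    ping = Packet("icmp", "203.0.113.5", WAN)
    return {
        "ike_from_peer": evaluate(acl, Packet("udp", "200.1.1.1", WAN, 500, 500)),
        "esp_from_peer": evaluate(acl, Packet("esp", "200.1.1.1", WAN)),
        "ike_from_other": evaluate(acl, Packet("udp", "203.0.113.5", WAN, 500, 500)),
        "telnet_from_other": evaluate(acl, Packet("tcp", "203.0.113.5", WAN, 40000, 23)),
        "ping_from_other": evaluate(acl, ping),
        "ping_after_hardening": evaluate(hardened, ping),
        "acl105_in_range": evaluate(vpn, Packet("tcp", "10.1.1.7", "192.168.3.4", 40000, 445)),
        "acl105_out_of_range": evaluate(vpn, Packet("tcp", "10.1.2.7", "192.168.3.4", 40000, 445)),
    }

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:22} -> {verdict}")
```

The `ping_from_other` result shows why the slide says the ICMP line should be disabled: it admits ICMP from any Internet host, not only from the IPSec peer.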
Information Security Management
CSE3502

Dr. Parimala M,
Associate Professor, SITE
Module – 1: Information Security Devices

• Identity and Access Management (IAM)
• Networks (Wired and Wireless) Devices
• Endpoints/Edge Devices
• Storage Devices
• Servers, Infrastructure Devices (e.g. Routers, Firewall Services)
• Computer Assets, Storage Networks
• Content management, IDS/IPS
Identifying Unauthorized Devices
• Asset management
– Most organizations today use some form of asset management.
– The challenge with rogue devices is that they are not part of the
management framework.
– The greater the number of unmanaged systems, the greater the risk to the
network.
Identify Assets
• On-access or real-time detection
• On-demand or scheduled detection
Asset Inventory Tool
• Automated asset inventory discovery tool - build a preliminary asset
inventory of systems connected to an organization’s public and private
network(s).

• Active tools – scan through network address ranges

• Passive tools, which identify hosts based on analyzing their traffic, should be
employed

• DHCP Server logging - utilize a system to improve the asset inventory and
help detect unknown systems through this DHCP information
• All equipment acquisitions should automatically update the inventory system

• Maintain an asset inventory of all systems connected to the network and the
network devices themselves

• The inventory should include every system that has an Internet Protocol (IP)
address on the network

• The asset inventory created must also include data on whether the device is a
portable and/or personal device

• Make sure that asset inventory database is properly protected and a copy stored
in a secure location.

• In addition to an inventory of hardware, organizations should develop an
inventory of information assets that identifies their critical information.
• A department and individual responsible for each information asset should
be identified, recorded, and tracked.
• Further to the asset inventory tool the organisation needs to:

– Deploy network level authentication via 802.1x to limit and control
which devices can be connected to the network.

– Deploy network access control (NAC) to monitor authorized systems
so if attacks occur, the impact can be remediated by moving the
untrusted system to a virtual local area network that has minimal
access.

– Create separate VLANs for BYOD (bring your own device) systems or
other untrusted devices.

– Utilize client certificates to validate and authenticate systems prior to
connecting to the private network.
• Mapping of asset attributes and owner-to-MAC address can be stored in a
free or commercial database management system.

• Use tools to pull information from network assets such as switches and
routers regarding the machines connected to the network.

• Effective organizations configure free or commercial network scanning
tools to perform network sweeps on a regular basis.

• Other asset identification tools passively listen on network interfaces
looking for devices to announce their presence by sending traffic.

• The asset inventory database and alerting system must be able to identify
the location, department, and other details of where authorized and
unauthorized devices are plugged into the network.
• To evaluate the implementation of Control 1 on a periodic basis, the
evaluation team
– will connect hardened test systems to at least 10 locations on the
network, including a selection of subnets associated with demilitarized
zones (DMZs), workstations, and servers. Two of the systems must be
included in the asset inventory database, while the other systems are
not.
– must verify that the systems generate an alert or e-mail notice regarding
the newly connected systems within 24 hours of the test machines
being connected to the network.
– must verify that the system provides details of the location of all the
test machines connected to the network.
– must verify that the system provides information about the asset owner.
– must verify that the test systems are automatically isolated from the
production network within one hour of initial notification and that an
e-mail or alert indicating the isolation has occurred.
– must verify that the connected test systems are isolated from production
systems.
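
An added example, not from the original slides: a Python sketch of the DHCP-logging approach described above, which compares leases against the asset inventory, reports owner and location for known devices, and raises one alert per unknown MAC with the 24-hour notification deadline used in the Control 1 evaluation. The log lines, inventory records, subnet-to-location map and log format are all constructed; adapt the regular expression to your DHCP server's output.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the slides). MAC -> inventory record.
INVENTORY = {
    "00:1b:44:11:3a:b7": {"owner": "a.rao", "department": "Finance", "portable": True},
    "3c:52:82:aa:01:9e": {"owner": "it-ops", "department": "IT", "portable": False},
}
# Assumed subnet-to-location map, so an alert can say where a device is plugged in.
LOCATIONS = {
    "10.1.1.0/24": "Workstations",
    "10.1.2.0/24": "Servers",
    "172.16.5.0/24": "DMZ",
}
# Constructed DHCP server log; only DHCPACK lines represent a granted lease.
DHCP_LOG = """\
2024-03-03T09:14:02 dhcpd: DHCPACK on 10.1.1.57 to 00:1B:44:11:3A:B7 (LAPTOP-17) via vlan10
2024-03-03T09:20:41 dhcpd: DHCPACK on 10.1.2.8 to 3c-52-82-aa-01-9e (FILESRV) via vlan20
2024-03-03T10:02:13 dhcpd: DHCPACK on 172.16.5.44 to 02:42:ac:00:00:01 via vlan50
2024-03-03T10:05:00 dhcpd: DHCPDISCOVER from 02:42:ac:00:00:01 via vlan50
2024-03-03T11:47:30 dhcpd: DHCPACK on 10.1.1.99 to 02:42:AC:00:00:01 (unknown-pc) via vlan10
2024-03-03T12:00:00 dhcpd: DHCPACK on 192.168.77.3 to 02:00:5e:10:00:aa (guest) via vlan99
"""

ACK_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:-]{17})"
    r"(?: \((?P<host>[^)]*)\))? via \S+$"
)

def normalise_mac(mac):
    """Inventory keys are lower-case and colon-separated; logs may not be."""
    return mac.lower().replace("-", ":")

def locate(ip):
    addr = ipaddress.ip_address(ip)
    for subnet, name in LOCATIONS.items():
        if addr in ipaddress.ip_network(subnet):
            return name
    return "unmapped subnet"

def scan(log_text, inventory):
    """Return (known, unknown) dictionaries keyed by normalised MAC address."""
    known, unknown = {}, {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if not m:
            continue                      # not a lease grant
        mac = normalise_mac(m["mac"])
        seen = datetime.fromisoformat(m["ts"])
        where = locate(m["ip"])
        if mac in inventory:
            known[mac] = {**inventory[mac], "ip": m["ip"], "location": where}
            continue
        rec = unknown.setdefault(
            mac, {"first_seen": seen, "locations": [], "hostnames": set()})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_ip"] = m["ip"]
        if where not in rec["locations"]:
            rec["locations"].append(where)   # a device that moves is worth noting
        if m["host"]:
            rec["hostnames"].add(m["host"])
    for rec in unknown.values():
        # The evaluation above expects an alert within 24 hours of connection.
        rec["alert_due"] = rec["first_seen"] + timedelta(hours=24)
    return known, unknown

if __name__ == "__main__":
    known, unknown = scan(DHCP_LOG, INVENTORY)
    for mac, rec in known.items():
        print(f"OK     {mac} owner={rec['owner']} location={rec['location']}")
    for mac, rec in unknown.items():
        print(f"ALERT  {mac} locations={rec['locations']} "
              f"first_seen={rec['first_seen']} alert_due={rec['alert_due']}")
```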
1.2. Testing the Traffic Filtering Devices
• Traffic filtering - to reduce security threats, organisations
use various devices, technologies and techniques.
• To improve the efficiency of filtering and increase the level of
security in its network, an institution/organisation
should apply the following recommendations:
– Define traffic-filtering rules
– Select a traffic-filtering technology
– Implement defined rules
– Maintain all the components of the solution
Packet-filtering functionality (stateless firewall)
• A packet filter enables the implementation of control of access to resources
by deciding whether a packet should be allowed to pass, based on the
information contained in the IP packet header.

• It does not analyse the content of the packet (unlike a content filter), nor does
it attempt to determine the sessions to which individual packets belong,
based on the information contained in the TCP or UDP header, and
therefore it does not make any further decisions in that regard. For this
reason, the process is also known as stateless packet inspection.

• As it is not tracking the information on the state of connections, it is
necessary to explicitly allow two-way traffic on the connection when
configuring a stateless firewall device. A packet filter is applied on the
router using an Access Control List (ACL).

• Stateless firewall devices analyse each packet individually and filter them
based on the information contained in Layers 3 and 4 of the OSI reference
model.
Packet Filters
Filtering Decision is made based on the following information:
• source IP address
• destination IP address
• protocol
• source port number
• destination port number
The advantages of applying packet filters:
• simple implementation
• supported by most routers, so there is no need to invest in new equipment and software
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit
networks.
The disadvantages of applying packet filters:
• vulnerability to IP spoofing attacks
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol
stack
• problems with filtering packets that are fragmented (causing interoperability problems and
non-functioning VPN connections)
• no support for the dynamic filtering of some services (dynamic negotiation about the ports
that will be used in communication – passive FTP).
Stateful packet inspection
• Improves the packet-filtering process by monitoring the state of each connection
established through a firewall device.

• The TCP protocol allows two-way communication, and TCP traffic is characterized by
three phases:
• establishing the connection - the device records each connection in the state table
• data transfer
– the device monitors the parameters in the header of the L3 packet and L4 segment and
makes a filtering decision depending on their values and the content of the state table.
– The state table contains all currently active connections. As a result, a potential
attacker trying to spoof a packet with a header indicating that the packet is a part of
an established connection can only be detected by the stateful inspection firewall
device, which verifies whether the connection is recorded in the state table.
• terminating the connection

• It also monitors the state of individual flows and matches different flows when they
logically correspond to each other.
• State table contains the following information:
– source IP address;
– destination IP address;
– source port number;
– destination port number;
– TCP sequence numbers;
– TCP flag values.

Advantages of applying stateful firewall devices:


– a higher level of protection compared to stateless firewall devices (greater efficiency
and more detailed traffic analysis)
– detection of IP spoofing and DoS attacks
– more log information compared to packet filters

Disadvantages of applying stateful firewall devices:


– no protection against application layer attacks
– performance degradation of the router on which they are deployed (this depends on
the size of the network and other services run on the router)
– not all of them provide support for UDP, GRE and IPSEC protocols, treating them
in the same way as stateless firewall devices
– no support for user authentication
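
An added example, not from the original slides: a Python model that runs one constructed TCP session through a stateless filter and through a state table holding the fields listed above (addresses, ports, sequence numbers, flags), showing which inbound segments each one lets through. Assumptions: the stateless rule admits return traffic by its ACK or RST flag, direction is inferred from the 10.1.1.0 inside network, the sequence window is 65535, and connection teardown is simplified.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.1.1."   # assumption: protected LAN (10.1.1.0 on the slides)
WINDOW = 65535              # assumption: window accepted by the sequence check

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    length: int = 0         # payload bytes

def seg(src, sport, dst, dport, flags, seq=0, length=0):
    return Segment(src, sport, dst, dport, frozenset(flags.split("+")), seq, length)

def outbound(s):
    # Simplification: a real device decides direction by ingress interface.
    return s.src.startswith(INSIDE_PREFIX)

def stateless_allows(s):
    """No memory: outbound is free, inbound must look like a reply (ACK or RST)."""
    return outbound(s) or bool({"ACK", "RST"} & s.flags)

class StatefulFirewall:
    def __init__(self):
        self.table = {}     # (inside ip, inside port, outside ip, outside port) -> entry

    def allows(self, s):
        if outbound(s):
            key = (s.src, s.sport, s.dst, s.dport)
            entry = self.table.get(key)
            if s.flags == {"SYN"}:                     # phase 1: record connection
                self.table[key] = {"state": "SYN_SENT", "next_seq": None,
                                   "fin_out": False}
            elif entry:
                if "RST" in s.flags:
                    del self.table[key]
                elif "FIN" in s.flags:
                    entry["fin_out"] = True
                elif entry["state"] == "SYN_RCVD" and "ACK" in s.flags:
                    entry["state"] = "ESTABLISHED"
            return True
        key = (s.dst, s.dport, s.src, s.sport)
        entry = self.table.get(key)
        if entry is None:                              # no recorded connection
            return False
        if entry["state"] == "SYN_SENT":
            if s.flags != {"SYN", "ACK"}:
                return False
            entry["state"], entry["next_seq"] = "SYN_RCVD", s.seq + 1
            return True
        if entry["state"] != "ESTABLISHED" or not ({"ACK", "RST"} & s.flags):
            return False
        if not entry["next_seq"] <= s.seq < entry["next_seq"] + WINDOW:
            return False                               # sequence number out of window
        entry["next_seq"] = max(entry["next_seq"], s.seq + s.length)
        if "RST" in s.flags or ("FIN" in s.flags and entry["fin_out"]):
            del self.table[key]                        # phase 3: connection terminated
        return True

def run_trace():
    """Return [(label, stateless verdict, stateful verdict)] for a constructed trace."""
    fw = StatefulFirewall()
    c, s = ("10.1.1.20", 40000), ("203.0.113.80", 80)
    trace = [
        ("client SYN", seg(*c, *s, "SYN", 1000)),
        ("server SYN+ACK", seg(*s, *c, "SYN+ACK", 5000)),
        ("client ACK", seg(*c, *s, "ACK", 1001)),
        ("server data", seg(*s, *c, "ACK", 5001, 100)),
        ("ACK with no recorded connection", seg("198.51.100.66", 80, *c, "ACK", 1)),
        ("ACK with sequence out of window", seg(*s, *c, "ACK", 900000)),
        ("unsolicited inbound SYN", seg("198.51.100.66", 4444, "10.1.1.20", 23, "SYN", 7)),
        ("client FIN", seg(*c, *s, "FIN+ACK", 1001)),
        ("server FIN", seg(*s, *c, "FIN+ACK", 5101)),
        ("ACK after connection closed", seg(*s, *c, "ACK", 5102)),
    ]
    return [(label, stateless_allows(p), fw.allows(p)) for label, p in trace]

if __name__ == "__main__":
    for label, stateless, stateful in run_trace():
        print(f"{label:34} stateless={stateless!s:5} stateful={stateful}")
```

The three rows where the verdicts differ are exactly the segments that claim to belong to a connection the state table does not hold.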
Deep Packet Inspection - DPI

• The improved version, called stateful protocol analysis and also
known as DPI, analyses data on the application layer.
• Includes:
– Application Firewall
– Application Proxy Gateways
– Proxy servers

• Unlike stateful firewall devices that filter traffic based on
the data on layers 3, 4 and 5 of the OSI reference model,
these devices also enable traffic filtering based on the
information on the application layer of the OSI reference
model (Layer 7).
Application Firewall (AF)
• AF devices perform a stateful protocol analysis of the
application layer.
• Support numerous common protocols, such as HTTP, SQL,
e-mail service (SMTP, POP3 and IMAP), VoIP and XML.
• Stateful protocol analysis relies on predefined profiles of
acceptable operating modes for the selected protocol.
• Problems may arise if there is a conflict between the operating
mode of a specific protocol, which is defined on the AF
device, and the way in which the protocol is implemented in the specific
version of the application or of the operating systems used in
the network.
Stateful Protocol Analysis

• determine whether an e-mail message contains a type of attachment that is
not allowed (e.g., exec files);
• determine whether instant messaging is used via an HTTP port;
• block the connection through which an unwanted command is executed
(e.g., an FTP put command on the FTP server);
• block access to a page with unwanted active content (e.g., Java);
• identify an irregular sequence of commands exchanged in the
communication between two hosts;
• enable the verification of individual commands and the minimum and
maximum length of appropriate command-line arguments,
e.g., number of characters used in username.
• The main disadvantage of the method of stateful protocol analysis is the intensive use of AF
devices.
Disadvantage of Application Firewall
• An AF device cannot detect attacks such as DoS
attacks caused by the repetition of a large
number of acceptable message sequences in
a short time interval.
• Due to the complexity of the analysis they
perform and the large number of concurrent
sessions they monitor, there is intensive use
of AF devices.
Application Proxy Gateway (APG)
• APG devices also perform an analysis of the traffic flow on the application layer.

• APG devices contain proxy agents or “intermediaries” in the communication
between two end hosts. In this way, they prevent direct communication between
them.

• Based on the filtering rules defined on the APG device, proxy agents decide
whether network traffic will be allowed or not.

• Traffic-filtering decisions can also be made based on the information contained in
the header of an application-layer message or even based on the content conveyed
by that message.

• Proxy agents can require user authentication.

• There are also APG devices with the capability of packet decryption, analysis and
re-encryption, before a packet is forwarded to the destination host.
APG devices Deficiencies
• APG devices require a significantly greater utilisation of resources, i.e., they require
more memory and greater utilization of processor time for analyzing and
interpreting each packet passing through the device.
• As a result, APG devices are not suitable for filtering real-time
applications.
• Another deficiency of these devices is the limitation in the number of
services that can be filtered through them.
• APG devices do not always support the filtering of new applications or
protocols.
• Due to their price, APG devices are commonly used for protecting data
centres or other networks containing publicly available servers that are of
high importance to an organisation.
• In order to reduce the load on APG devices and achieve greater efficiency,
modern networks more frequently use dedicated proxy servers.
Dedicated Proxy (DP) Server
• Dedicated Proxy (DP) servers also have a role as “intermediaries” in
the communication between two hosts, although their
traffic-filtering capabilities are significantly lower; they are
intended for the analysis of the operation of specific services and
protocols (e.g., HTTP or SMTP).
• Due to their limited traffic-filtering capabilities, DP devices are
deployed behind firewall devices in the network architecture.
• Their main function is to perform specialised filtering of a specific
type of traffic (based on a limited set of parameters) and carry out
the logging operation.
• The execution of these specific activities significantly reduces the
load on the firewall device itself, which is located in front of the DP
server.
• The most widely used devices of this type are Web Proxy servers.
Solutions Combining Traffic Filtering with Other Technologies
1. NAT (Network Address Translation)
• NAT is a technology that enables devices that use private IP
addresses to communicate with devices on the Internet.
• This technology translates private IP addresses, which can be
used by devices within a Local Area Network (LAN), into
publicly available Internet addresses.
• There are three types of NAT translations:
– Dynamic NAT - dynamically allocates the private address to
publicly available IP addresses
– Static NAT - each private address is translated into a
separate public IP address
– Port Address Translation (PAT) - each client on a LAN that
establishes a connection with a device on the Internet is
assigned a different port number of the public IP address
2. VPN (Virtual Private Network)
• VPN (Virtual Private Network) technology is used to increase the security
of data transfer through a network infrastructure that does not provide a
sufficient degree of data security.
• It enables the encryption and decryption of network traffic between
external networks and an internal, protected network.
• VPN functionality is available on firewall devices or implemented on VPN
servers that are placed behind firewall devices in the network architecture.
• The firewall device cannot perform an inspection, access control or logging of
the network traffic, and therefore cannot scan it for certain security threats.
• The VPN service requires the application of certain filtering rules of the firewall
device in order to enable its uninterrupted operation.
• Special attention should always be paid to making sure that the appropriate
protocols and the TCP/UDP services that are necessary for the functioning
of the chosen VPN solution are supported.
3. IDP (Intrusion Detection and Prevention)
• Network Intrusion Detection (ID)
– based on monitoring the operation of computer systems or networks
and analysing the processes they perform, which can point to certain
incidents.
• Network Intrusion Prevention (IP)
– process of detecting network intrusion events, but also includes the
process of preventing and blocking detected or potential network
incidents.
• Network Intrusion Detection and Prevention systems (IDP)
– based on identifying potential incidents
– logging information about them
– attempting to prevent them
– alerting the administrators responsible for security
– to identify problems concerning the adopted security policies
– to document existing security threats
– to discourage individuals from violating security rules
• IDP systems use various incident detection methods.
Primary Classes of Detection Methodology

1. Signature-based detection
• process of comparing the known forms in which the
threat has appeared in the network
• cannot identify new threats and complex forms of
communication
2. Anomaly-based detection
• based on the behaviour of users, hosts or applications
• detects even previously unknown threats
3. Detection based on stateful protocol analysis
• protocols are defined by the manufacturers of IDP
devices
[Figure: Intrusion Detection System]
Configuring Secure Content Management
Content Management
• Advent of Web 2.0 technologies and proliferation of file sharing
protocols, data sharing portals, media streaming, etc. by the users
expand the attack surface of an organization. They create enormous
opportunities for external threats to exploit weaknesses.
• Allowing inbound and outbound connections — as access given
to the employees to initiate or receive traffic — creates issues of
employee productivity. It also contributes to bandwidth issues, as
connection to public or media streaming sites consumes an
organization’s network bandwidth.
• While allowing legitimate traffic, organizations may not like their
employees to indulge in different forms of entertainment and
attractions available online, which can lead to security threats, data
leakage and productivity issues.
• Security has been evolving to address these challenges through a set
of practices and technical solutions under a category which can
broadly be classified as ‘Secure Content Management’ (SCM).
The Importance of Secure Content
Management
Unrestricted Access - The Risks include:
• Impacted employee productivity
– Prevent non-productive web surfing
– Preserves network bandwidth
• Liability Exposure
– Peer-to-peer networking
– File sharing
• Hacker Attacks and Privacy Violations
– Vulnerable to backdoor attacks
How Secure Content Management Works
• Securing content starts with controlling access to
certain Web sites based on predetermined criteria.
– At a basic level, user access to Internet content is
controlled using the URL address or the URL content
category (such as nudity or gambling).
– Basic content management solutions can also examine
the way the content is delivered, such as through Java
applets or ActiveX scripts, and determine access
permissions accordingly.
• More advanced content management solutions
also provide the ability to block applications such
as instant messaging and peer-to-peer services.
Site Blocking Versus Content Monitoring

Site Blocking
• list-based or URL-based filters to identify and block certain Web sites
• Some solutions rely on white lists that allow access to only those sites that
appear on the list.
• Ex: a retail store might create a white list containing only the company’s Web site,
shipping Web sites and supplier Web sites.
• Other solutions use black lists, which permit access to all sites except those on
the black list. The black list approach is preferable for businesses whose
employees need less restrictive Internet access. With a black list approach, the
database of Web sites is organized into categories, such as “violence” or “drugs,”
and network administrators can

Content Monitoring
• keyword-blocking approach compares the keyboard data to a user-defined
library of words and phrases.
• When a match to one of the blocked words or phrases is detected, the solution
filters or blocks the data, or in some cases even closes the application.
• The problem with this approach is that it can inadvertently block legitimate pages
based on the fact that they contain one or more targeted keywords.
• For example, a Web site about cancer research could be blocked because it
contains the word “breast.”
• More advanced content monitoring solutions not only examine the individual
Site Blocking
• Effectiveness and manageability of site blocking
depends on a number of factors:
– Database size
– Update frequency
– Category organization
• A general limitation of site blocking is that it
focuses exclusively on HTTP-based Web traffic.
• It does not block instant messaging, e-mail
attachments, peer-to-peer applications and other
applications that could contain security threats.
Solution Architecture
• CMS can be embedded on a network device
such as a proxy server, on firewall or on
dedicated server.
• The three deployment methods include:
– Client solutions
– Standalone solutions
– Integrated solutions
