Lecture 11 - Firewalls

DM 426
Computers and Information Security
Fall 2023/2024

Lecture # 11
Firewalls
Contents
1. The Need for Firewalls
2. Firewall Characteristics and Access Policy
3. Types of Firewalls
4. Firewall Positioning
Learning Objectives

• Explain the role of firewalls as part of a computer and network security strategy.
• List the key characteristics of firewalls.
• Discuss the various basing options for firewalls.
• Distinguish between firewalls and intrusion prevention systems.
• Define the concept of a unified threat management system.
The Need for Firewalls
❑ Notable developments in information systems in corporations, government agencies, and other organizations:
➢ Centralized data processing system
➢ Local area networks (LANs)
➢ Premises network, consisting of a number of LANs
➢ Enterprise-wide network
➢ Internet connectivity, which is no longer optional
❑ While Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets.
❑ This creates a threat to the organization.
❑ It is possible to equip each workstation and server on the premises network with strong security features, but this may not be sufficient and is not cost-effective.
❑ The firewall is inserted between the premises network and the Internet to establish a controlled link and to create an outer security wall or perimeter.
❑ The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed.
❑ The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks.
❑ The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
Firewall Characteristics
❑ Design goals of a firewall:
▪ All traffic from inside to outside, and vice versa, must pass through the firewall → achieved by physically blocking all access to the local network except via the firewall.
▪ Only authorized traffic, as defined by the local security policy, will be allowed to pass → achieved by using different types of firewalls.
▪ The firewall itself is immune to penetration → achieved by the use of a hardened system with a secured operating system.
Access Policy
❑ A critical component in the planning and implementation of a firewall is specifying a suitable access policy.
❑ This lists the types of traffic authorized to pass through the firewall, including address ranges, protocols, applications and content types.
❑ This policy should be developed from the organization’s information security risk assessment and policy.
Characteristics of Firewall Access Policy

❑ IP Address and Protocol Values: Controls access based on the source or destination
addresses and port numbers, direction of flow being inbound or outbound, and other
network and transport layer characteristics.
❑ Application Protocol: Controls access on the basis of authorized application protocol
data.
❑ User Identity: Controls access based on the user’s identity, typically for inside users
who identify themselves using some form of secure authentication technology, such as
IPSec.
❑ Network Activity: Controls access based on considerations such as the time of request.
What to expect from a firewall?
1. A firewall defines a single choke point that attempts to keep unauthorized users out of the protected network, prohibit potentially vulnerable services from entering or leaving the network, and provide protection from various kinds of IP spoofing and routing attacks.
2. A firewall provides a location for monitoring security-related events.
3. A firewall is a convenient platform for several Internet functions that are not security related.
4. A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
Limitations of Firewalls
❑ The firewall cannot protect against attacks that bypass the firewall.
❑ The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
❑ An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall.
❑ A laptop, PDA, or portable storage device may be used and infected outside the corporate network and then attached and used internally.
Types of Firewalls
❑ A firewall can monitor network traffic at a number of levels, from low-level network packets, either individually or as part of a flow, to all traffic within a transport connection, up to inspecting details of application protocols.
❑ The choice of which level is appropriate is determined by the desired firewall access policy.
❑ A firewall can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a negative filter, rejecting any packet that meets certain criteria.
❑ Depending on the type of firewall, it may examine one or more protocol headers in each packet, the payload of each packet, or the pattern generated by a sequence of packets.
Packet-Filtering Firewall
❑ A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet
and then forwards or discards the packet.
❑ The firewall is typically configured to filter packets going in both directions (from and
to the internal network). Filtering rules are based on information contained in a network
packet:
▪ Source IP address
▪ Destination IP address
▪ Source and destination transport-level address
▪ IP protocol field
▪ Interface
Packet-Filtering Firewall

❑ The packet filter is typically set up as a list of rules based on matches to fields in
the IP or TCP header.
❑ If there is a match to one of the rules, that rule is invoked to determine whether to
forward or discard the packet.
❑ If there is no match to any rule, then a default action is taken. Two default policies
are possible:
▪ Default = discard: That which is not expressly permitted is prohibited.
▪ Default = forward: That which is not expressly prohibited is permitted.
Packet-Filtering Firewall
❑ The default discard policy is more conservative.
❑ This is the policy likely to be preferred by businesses and government organizations.
❑ The default forward policy increases ease of use for end users but provides reduced security.
❑ This policy may be used by generally more open organizations, such as universities.
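The following is an added worked example, not code from the lecture: a small packet filter in Python that evaluates a rule list in order against the header fields listed above (source and destination address, transport-level port, IP protocol field, arriving interface) and falls back to a configurable default policy when nothing matches. The rule set, the internal network 192.168.1.0/24, the mail gateway 192.168.1.10 and the sample packets are all constructed for illustration. Running it under both default policies shows the difference the slide describes: the same unmatched packet is dropped under default = discard and passed under default = forward, while the explicit anti-spoofing rule drops a packet with an internal source address arriving on the external interface regardless of the default.

```python
"""Packet-filtering firewall simulation (constructed example, not the lecture's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    iface: str            # interface the packet arrived on: "ext" or "int"


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "discard"
    src: str = "0.0.0.0/0"        # CIDR; the default covers every source address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    iface: Optional[str] = None   # None matches any interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str):
        if default not in ("forward", "discard"):
            raise ValueError("default policy must be 'forward' or 'discard'")
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason); first matching rule wins, else the default policy."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.action, f"rule {i}"
        return self.default, "default"


# Constructed rule set for a site whose internal network is 192.168.1.0/24 (assumption).
RULES = [
    # Anti-spoofing: a packet claiming an internal source address must never arrive
    # on the external interface (the network-layer spoofing weakness noted in the slides).
    Rule("discard", src="192.168.1.0/24", iface="ext"),
    # Inbound mail is allowed only to the mail gateway (assumed 192.168.1.10), TCP port 25.
    Rule("forward", dst="192.168.1.10/32", proto="tcp", dport=25, iface="ext"),
    # Internal hosts may send traffic out.
    Rule("forward", src="192.168.1.0/24", iface="int"),
]

# Constructed sample packets; external addresses come from documentation ranges.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "inbound_mail": Packet("203.0.113.5", "192.168.1.10", "tcp", 40000, 25, "ext"),
    "spoofed_internal_src": Packet("192.168.1.7", "192.168.1.10", "tcp", 40000, 25, "ext"),
    "inbound_unmatched": Packet("203.0.113.5", "192.168.1.20", "tcp", 40001, 22, "ext"),
    "outbound_web": Packet("192.168.1.7", "203.0.113.5", "tcp", 50000, 443, "int"),
}


def decide_all(default: str) -> Dict[str, str]:
    """Run every sample packet through the filter under the given default policy."""
    fw = PacketFilter(RULES, default)
    return {name: fw.decide(p)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in ("discard", "forward"):
        print(f"default = {policy}:")
        for name, action in decide_all(policy).items():
            print(f"  {name:22s} -> {action}")
```

Only the packet that matches no rule changes outcome between the two runs; this is why the slide calls default = discard the conservative choice, since every service has to be expressly permitted before the filter will pass it.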
Packet-Filtering Firewall
❑ One advantage of a packet filtering firewall is its simplicity. Also, packet filters
typically are transparent to users and are very fast.
❑ Weaknesses:
▪ They cannot prevent attacks that employ application-specific vulnerabilities or functions.
▪ Because of the limited information available to the firewall, the logging functionality
present in packet filter firewalls is limited.
▪ Most packet filter firewalls do not support advanced user authentication schemes.
▪ Packet filter firewalls are generally vulnerable to attacks and exploits such as network layer
address spoofing.
▪ Finally, due to the small number of variables used in access control decisions, packet filter
firewalls are susceptible to security breaches caused by improper configurations.
Stateful Inspection Firewalls
❑ A stateful packet inspection firewall tightens up the rules for
TCP traffic by creating a directory of outbound TCP
connections.
❑ The packet filter will now allow incoming traffic to high-
numbered ports only for those packets that fit the profile of
one of the entries in this directory.
❑ A stateful packet inspection firewall reviews the same packet
information as a packet filtering firewall, but also records
information about TCP connections.
❑ Some stateful firewalls also keep track of TCP sequence
numbers to prevent attacks that depend on the sequence
number.
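An added example, not from the lecture, contrasting the two approaches described above in Python. A plain packet filter that wants replies to come back has to permit inbound TCP to high-numbered ports in general; the stateful inspector instead keeps a directory of outbound connections and admits an inbound packet only if it matches an entry. The example also implements the sequence-number check the last bullet mentions: a SYN-ACK is accepted only if it acknowledges the inside host's initial sequence number plus one. The hosts, ports, sequence numbers and the state machine (SYN_SENT, ESTABLISHED) are constructed assumptions for illustration.

```python
"""Stateful inspection vs. a static high-port rule (constructed example, not lecture code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int
    direction: str          # "out": inside -> outside, "in": outside -> inside


@dataclass
class ConnState:
    state: str              # "SYN_SENT" or "ESTABLISHED"
    client_isn: int         # initial sequence number chosen by the inside host


def static_high_port_filter(p: TcpPacket) -> str:
    """The stateless rule a plain packet filter needs so that replies to outbound
    connections can come back: permit any inbound TCP packet to a port above 1023."""
    if p.direction == "in" and p.dport > 1023:
        return "forward"
    return "discard"


class StatefulInspector:
    def __init__(self) -> None:
        # Directory of outbound TCP connections, keyed by (inside host, inside port,
        # outside host, outside port).
        self.table: Dict[Tuple[str, int, str, int], ConnState] = {}

    def active_connections(self) -> int:
        return len(self.table)

    def inspect(self, p: TcpPacket) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                # A new outbound connection attempt: record it and remember the ISN.
                self.table[key] = ConnState("SYN_SENT", p.seq)
                return "forward"
            if key not in self.table:
                return "discard"
            if "RST" in p.flags:
                del self.table[key]
            return "forward"
        # Inbound: admitted only when it matches an existing directory entry.
        key = (p.dst, p.dport, p.src, p.sport)
        conn = self.table.get(key)
        if conn is None:
            return "discard"
        if conn.state == "SYN_SENT":
            # The only acceptable reply is a SYN-ACK acknowledging ISN + 1.
            if p.flags == frozenset({"SYN", "ACK"}) and p.ack == conn.client_isn + 1:
                conn.state = "ESTABLISHED"
                return "forward"
            return "discard"
        if "RST" in p.flags:
            del self.table[key]
        return "forward"


def run_scenario() -> Tuple[Dict[str, str], StatefulInspector]:
    """Replay a constructed packet sequence and return each decision plus the inspector."""
    fw = StatefulInspector()
    inside, web, stranger = "192.168.1.7", "203.0.113.5", "198.51.100.9"
    results: Dict[str, str] = {}
    # 1. The inside host opens a connection to the web server with ISN 1000.
    syn = TcpPacket(inside, 40000, web, 80, frozenset({"SYN"}), 1000, 0, "out")
    results["outbound_syn"] = fw.inspect(syn)
    # 2. A SYN-ACK whose ack number does not equal ISN + 1 is rejected.
    bad = TcpPacket(web, 80, inside, 40000, frozenset({"SYN", "ACK"}), 5000, 9999, "in")
    results["syn_ack_wrong_ack"] = fw.inspect(bad)
    # 3. The genuine SYN-ACK (ack = 1001) is admitted; the entry becomes ESTABLISHED.
    good = TcpPacket(web, 80, inside, 40000, frozenset({"SYN", "ACK"}), 5000, 1001, "in")
    results["syn_ack"] = fw.inspect(good)
    # 4. Reply data on the established connection passes.
    data = TcpPacket(web, 80, inside, 40000, frozenset({"ACK"}), 5001, 1001, "in")
    results["reply_data"] = fw.inspect(data)
    # 5. An unsolicited inbound packet to a high port has no directory entry.
    unsolicited = TcpPacket(stranger, 80, inside, 40001, frozenset({"SYN", "ACK"}), 7, 7, "in")
    results["unsolicited_stateful"] = fw.inspect(unsolicited)
    results["unsolicited_static"] = static_high_port_filter(unsolicited)
    return results, fw


if __name__ == "__main__":
    decisions, inspector = run_scenario()
    for name, action in decisions.items():
        print(f"{name:22s} -> {action}")
    print("open connections:", inspector.active_connections())
```

The two decisions worth comparing are the last ones: the static rule forwards the unsolicited packet simply because its destination port is high-numbered, while the stateful inspector discards it because no inside host ever initiated that connection.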
Application-Level Gateway
❑ An application-level gateway, also called an application proxy, acts as a relay of application-level traffic.
❑ The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed.
❑ When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.
❑ If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
Application-Level Gateway
❑ Application-level gateways tend to be more secure than
packet filters.
❑ It is easy to log and audit all incoming traffic at the
application level.
❑ A prime disadvantage of this type of gateway is the
additional processing overhead on each connection.
Circuit-Level Gateway
❑ A circuit-level gateway can be a stand-alone system, or it can be a
specialized function performed by an application-level gateway for
certain applications.
❑ A circuit-level gateway does not permit an end-to-end TCP connection;
rather, the gateway sets up two TCP connections, one between itself
and a TCP user on an inner host and one between itself and a TCP user
on an outside host.
❑ The security function consists of determining which connections will
be allowed.
❑ A typical use of circuit-level gateways is a situation in which the
system administrator trusts the internal users.
❑ The protocol described here is designed to provide a framework for
client-server applications in both the TCP and UDP domains to
conveniently and securely use the services of a network firewall.
Firewall Positioning
❑ An external firewall is placed at the edge of a local or enterprise network, just inside
the boundary router that connects to the Internet or some wide area network (WAN).
❑ One or more internal firewalls protect the bulk of the enterprise network.
❑ Between these two types of firewalls are one or more networked devices in a region
referred to as a DMZ (demilitarized zone) network.
❑ Systems that are externally accessible but need some protections are usually located on
DMZ networks.
❑ Typically, the systems in the DMZ require or foster external connectivity, such as a
corporate Web site, an e-mail server, or a DNS (domain name system) server.
❑ The external firewall provides a measure of access control and protection for the DMZ
systems consistent with their need for external connectivity.
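An added example, not from the lecture, modelling the placement just described in Python: an external firewall between the Internet and the DMZ, and an internal firewall between the DMZ and the bulk of the enterprise network. A flow is forwarded only if every firewall on its path permits it, and each firewall is default-discard. The zone names, the services chosen for the DMZ (web, mail, DNS) and both permit lists are constructed assumptions; the point is to see that Internet traffic can reach only the DMZ services that need external connectivity, and that nothing initiated from the DMZ reaches the internal network under this policy.

```python
"""Two-firewall DMZ placement: Internet | external FW | DMZ | internal FW | internal network.
Constructed example, not the lecture's code; zones, services and rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz" or "internal"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Permit:
    """One permit entry; each firewall is default-discard, so only permits are listed."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (self.src_zone, self.dst_zone, self.proto, self.dport) == \
               (f.src_zone, f.dst_zone, f.proto, f.dport)


class ZoneFirewall:
    def __init__(self, name: str, permits: List[Permit]) -> None:
        self.name = name
        self.permits = permits

    def allows(self, f: Flow) -> bool:
        return any(p.matches(f) for p in self.permits)


# Which firewalls a flow crosses, in order, given the topology above.
PATH: Dict[Tuple[str, str], List[str]] = {
    ("internet", "dmz"): ["external"],
    ("dmz", "internet"): ["external"],
    ("internet", "internal"): ["external", "internal"],
    ("internal", "internet"): ["internal", "external"],
    ("dmz", "internal"): ["internal"],
    ("internal", "dmz"): ["internal"],
}


def build_firewalls() -> Dict[str, ZoneFirewall]:
    external = ZoneFirewall("external", [
        # Externally reachable DMZ services: web, mail and DNS (constructed policy).
        Permit("internet", "dmz", "tcp", 80),
        Permit("internet", "dmz", "tcp", 443),
        Permit("internet", "dmz", "tcp", 25),
        Permit("internet", "dmz", "udp", 53),
        # DMZ servers need outbound mail relay and DNS resolution.
        Permit("dmz", "internet", "tcp", 25),
        Permit("dmz", "internet", "udp", 53),
        # Internal users browsing out (the internal firewall checks these first).
        Permit("internal", "internet", "tcp", 80),
        Permit("internal", "internet", "tcp", 443),
    ])
    internal = ZoneFirewall("internal", [
        Permit("internal", "internet", "tcp", 80),
        Permit("internal", "internet", "tcp", 443),
        # Internal users reach the DMZ mail and web servers.
        Permit("internal", "dmz", "tcp", 25),
        Permit("internal", "dmz", "tcp", 443),
        # Nothing initiated from the DMZ toward the internal network is permitted.
    ])
    return {"external": external, "internal": internal}


def evaluate(flow: Flow, firewalls: Dict[str, ZoneFirewall]) -> Tuple[str, Optional[str]]:
    """Return ("forward", None) or ("discard", name of the firewall that dropped it)."""
    for name in PATH[(flow.src_zone, flow.dst_zone)]:
        if not firewalls[name].allows(flow):
            return "discard", name
    return "forward", None


def run_scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    fws = build_firewalls()
    flows = {  # constructed sample flows
        "internet_to_dmz_https": Flow("internet", "dmz", "tcp", 443),
        "internet_to_dmz_ssh": Flow("internet", "dmz", "tcp", 22),
        "internet_to_internal_https": Flow("internet", "internal", "tcp", 443),
        "dmz_to_internal_db": Flow("dmz", "internal", "tcp", 3306),
        "internal_to_internet_https": Flow("internal", "internet", "tcp", 443),
        "internal_to_dmz_smtp": Flow("internal", "dmz", "tcp", 25),
    }
    return {name: evaluate(f, fws) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (action, by) in run_scenario().items():
        print(f"{name:28s} -> {action}" + (f" (by {by} firewall)" if by else ""))
```

The result also names which firewall made the decision, which is what an operator checks when a flow is unexpectedly dropped: Internet-originated traffic toward the internal network never even reaches the internal firewall, and a DMZ server reaching inward is stopped at the internal firewall.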
