firewallnotes

Uploaded by Kashmeera R
FIREWALL is a security device or software that monitors and controls incoming
and outgoing network traffic based on predetermined security rules.

• Separates trusted and untrusted components of a network
1. Filtering Data
 Packet Filtering: Examines packets for specific attributes
(source/destination IP addresses, ports, protocols) and allows or blocks
them based on defined rules.
 Application Layer Filtering: Inspects traffic at a higher level, analyzing
the data payload and enforcing security policies based on the type of
application or service.
 Content Filtering: Blocks or allows data based on specific content (e.g.,
malware signatures or prohibited website categories).
2. Redirecting Traffic
 Traffic Forwarding: Redirects traffic to different ports or addresses based
on predefined rules, which can be useful for load balancing or routing.
 Proxy Services: Acts as an intermediary for requests from clients seeking
resources from other servers, often caching data and filtering content.
 NAT (Network Address Translation): Hides internal IP addresses by
translating them into a single public IP address for outgoing traffic. This
conserves public IPv4 address space and keeps the internal addressing plan
private, but it is not a filtering control in itself: what is admitted is still
decided by the firewall's policy, not by the translation.
3. Protecting Against Network Attacks
 Intrusion Prevention System (IPS): Monitors network traffic for
suspicious activity and can actively block or mitigate attacks in real time.
 DDoS Protection: Identifies and mitigates Distributed Denial of Service
attacks that aim to overwhelm a network with traffic.
 Stateful Inspection: Keeps track of active connections and makes
dynamic decisions based on the state of the connection, preventing
unauthorized access.
Additional Functions
 Logging and Monitoring: Records traffic data and security events,
providing valuable insights for analysis and compliance.
 VPN Support: Facilitates secure remote access by creating encrypted
tunnels for data transmission.
 User Authentication: Enforces access controls by requiring users to
authenticate before accessing network resources.
An Ideal Firewall
Firewall Requirements Explained Simply

1. All Traffic Passes Through the Firewall:
o All traffic between the trusted (internal) network and the untrusted
(external) network must pass through the firewall, and the same holds
between zones of different trust inside the network. If any path exists
around it, the firewall cannot monitor or control that traffic.
2. Authorized Traffic Only:
o The firewall should only allow traffic that meets specific security
rules set in the security policy. This means only approved data can
pass through, blocking anything that could be harmful or
unauthorized.
3. Hardened Firewall:
o The firewall itself must be secure and resistant to attacks. This
requires using a strong, protected operating system that minimizes
vulnerabilities, ensuring the firewall is tough against any hacking
attempts.
Firewall Actions Explained Simply
1. Accepted:
o If a piece of data is deemed safe and meets the security policy
rules, it is allowed to enter the protected network. This means the
firewall lets the traffic pass through.
2. Denied (Dropped):
o Traffic that does not meet the security rules is silently discarded. The
source receives no notification; from its point of view the connection
attempt simply times out.
3. Rejected:
o As with "denied" the traffic is discarded, but the firewall also sends an
error back to the source: an ICMP unreachable message (for example
port unreachable) or, for TCP, a RST segment. The sender learns at once
that something refused the traffic, although the message does not say
which rule it failed. Rejecting is friendlier to legitimate clients, which
fail fast; dropping gives a port scanner less information and costs the
firewall nothing.

Firewall policy
A firewall policy is a set of rules and configurations that define how a firewall
should behave and what traffic it should allow or block. These policies are crucial
for maintaining network security and ensuring that only authorized traffic is
permitted.
Firewall controls
Firewall controls are the specific mechanisms and rules that dictate how a
firewall manages and regulates the flow of traffic, based on the services and
protocols involved, the behaviour of the traffic, and the user behind it.
SERVICE CONTROL
• Determines which services on internal hosts are accessible from
outside
• Reject all other incoming services
• Outgoing service requests and corresponding responses may also
be controlled
• Filtering is based on the contents of IP packets and the type of
requests
• Example: Reject all HTTP requests unless directed to an official web
server
BEHAVIOUR CONTROL
• Controls how a permitted service may be used, to stop traffic that is:
• Infringing organizational policy
• Anti-social activity on the network
• A suspected attack
• Filtering action:
• May be applicable at the IP or TCP level
• May require further interpretation of messages at a higher
level
• Example: filtering spam email. This needs at least the sender's address
from the message headers, and may require scanning the message
contents.
USER CONTROL
• Discriminate between users
• Some users can access external services, others can’t
• Inhibit some users from gaining access to services

Egress and ingress

Ingress Filtering
 Definition: Refers to the filtering of incoming traffic to a network.
 Purpose: To prevent unauthorized access and malicious traffic from
entering the network.
Common Use Cases: Blocking unauthorized access attempts, preventing
malware from entering, and enforcing security policies.

Egress Filtering
 Definition: Refers to the filtering of outgoing traffic from a network.
 Purpose: To prevent sensitive data from leaving the network and to
control the types of traffic that can exit.
Common Use Cases: Preventing data leaks, stopping malware from
communicating with external servers, and controlling access to the internet.
Key Differences between ingress and egress
 Direction:
o Ingress: Deals with incoming traffic.
o Egress: Deals with outgoing traffic.
 Focus:
o Ingress Filtering: Aims to block unauthorized access and protect
the network from external threats.
o Egress Filtering: Aims to prevent unauthorized data transmission
and control outbound communication.
Types of filters
1. Stateless Filtering
 Definition: Stateless filtering evaluates each packet in isolation, without
considering the context of any previous packets.
 How It Works:
o Each packet is analyzed based solely on predefined rules regarding
source/destination IP addresses, ports, and protocols.
o The firewall makes decisions based on this static information
without maintaining any connection state.
 Advantages:
o Faster processing, since there is no connection table to consult or update.
o Simpler to implement and configure.
 Disadvantages:
o Less secure: to let replies in, rules must be written on header fields alone
(for example "allow inbound UDP from source port 53" or "allow inbound
TCP with the ACK bit set"), and anyone can craft packets carrying those
fields.
o Hence more exposed to spoofed packets and to ACK-based port scans,
which a header-only filter cannot tell apart from genuine replies.

2. Stateful Filtering
 Definition: Stateful filtering tracks active connections and makes
decisions based on the state of these connections.
 How It Works:
o The firewall maintains a state table that records details about
ongoing connections (e.g., TCP handshakes).
o It allows packets that are part of established connections while
applying rules to new connection requests.
 Advantages:
o More secure than stateless filtering, as it understands the context of a
packet: a packet is only accepted as a "reply" if the firewall has seen the
connection it belongs to.
o Better protection against attacks that rely on forged replies, such as
ACK scans and spoofed UDP "responses" to queries that were never sent.
 Disadvantages:
o More resource-intensive, as it requires maintaining connection state
information (and the state table itself can be a target for exhaustion).
o Slightly more complex to configure compared to stateless firewalls.

3. Application-Level Filtering (Deep Packet Inspection)
 Definition: Application-level filtering inspects the actual content of
packets at the application layer (Layer 7 of the OSI model).
 How It Works:
o The firewall analyzes data payloads of packets to understand the
type of application traffic (e.g., HTTP, FTP).
o It can apply rules based on the specific application, user identity, or
even the content being transmitted.
 Advantages:
o Provides a high level of security by blocking specific types of attacks
or unwanted content.
o Can enforce policies based on applications (e.g., blocking certain
websites or file types).
 Disadvantages:
o Slower than stateless or stateful filtering due to the additional
processing required.
o More complex to configure and manage because of the deeper
inspection capabilities.

Netfilter is a framework inside the Linux kernel that provides the hooks on which
packet filtering, NAT and connection tracking are built.
Key Concepts of Netfilter
1. Packet Traversal Hooks:
o As a packet moves through the kernel's IP stack (arriving, being routed,
or leaving), it passes a number of fixed points.
o The kernel defines these points as hooks. Code that registers on a hook
is invoked for every packet that reaches it.
2. Callback Functions:
o Developers can create kernel modules that register callback
functions with these hooks.
o When a packet reaches a particular hook, the associated callback
function is invoked.
3. Decision Making:
o Each callback returns a verdict for the packet:
 Accept (NF_ACCEPT): the packet continues through the stack to
the next hook and on to its destination.
 Drop (NF_DROP): the packet is discarded and goes no further, so
it never reaches its intended destination.
o Further verdicts (queue to user space, steal, repeat) exist and are listed
below.
How It Works in Practice

1. Hook Points:
o Netfilter defines five hook points:
 PREROUTING: just after a packet arrives, before the routing
decision; destination NAT is applied here so that routing sees the
translated address.
 INPUT: for packets destined for the local system.
 FORWARD: for packets being routed through the system.
 OUTPUT: for packets generated by the local system.
 POSTROUTING: after routing, just before the packet is sent out;
source NAT (masquerading) is applied here.
2. Packet Filtering:
o When a packet arrives at a hook, the corresponding callback
function checks its attributes (such as source/destination IP, ports,
and protocols).
o Based on the rules defined in the callback (which can include
custom logic), it decides whether to forward or drop the packet.
3. Integration with iptables:
o Netfilter provides the hooks; iptables is the user-space utility that loads
rule tables into the kernel modules registered on those hooks.
o Each built-in chain corresponds to one hook, and each rule in it names a
target such as ACCEPT, DROP or REJECT for the packets matching its
criteria.
Advantages of Netfilter
 Flexibility: Developers can create complex filtering rules and custom
processing logic by implementing their callback functions.
 Performance: As part of the kernel, Netfilter operates at a low level,
allowing efficient packet processing without significant overhead.
 Modular Design: Kernel modules can be loaded or unloaded as needed,
providing a lightweight solution for adding or modifying firewall
capabilities.

Netfilter: Verdict on Packets (Return Values)

• NF_ACCEPT: let the packet continue through the stack
• NF_DROP: discard the packet
• NF_QUEUE: hand the packet to a user-space program (via nfnetlink_queue),
which returns its own verdict; used to perform packet handling in user space
• NF_STOLEN: tell Netfilter to forget about this packet; the module takes over
its further processing (and must itself free or reinject it). Typically used for
stateful handling, e.g. the module holds packet fragments and analyses
them in a single context
• NF_REPEAT: ask Netfilter to call this hook function again for the packet

iptables Firewall in Linux

iptables is the tool used for configuring the Linux kernel's Netfilter framework,
allowing you to set up, manage, and maintain firewall rules on Linux systems.
It matches on network- and transport-layer headers (addresses, protocol, ports,
TCP flags) and, through extension modules, on connection state, packet owner
and other attributes, providing essential security for servers and networks.
Key Features of iptables
1. Packet Filtering:
o Allows or blocks packets based on rules defined by the user.
o Can filter based on source/destination IP addresses, ports, protocols,
and other attributes.
2. Connection Tracking:
o Supports stateful filtering, meaning it can keep track of active
connections and allow or block packets based on the connection
state (e.g., NEW, ESTABLISHED).
3. NAT (Network Address Translation):
o Facilitates the modification of packet headers to allow multiple
devices on a local network to share a single public IP address.
4. Logging:
o Can log packets for auditing and monitoring purposes, providing
insights into network activity.
5. Modular Design:
o Supports various modules for extended functionality, allowing for
customized packet processing.
Basic Structure
iptables operates with three main components:
1. Tables:
o filter: The default table for packet filtering.
o nat: Used for NAT operations.
o mangle: For specialized packet alterations.
o raw: For exemptions from connection tracking.
2. Chains:
o Each table has built-in chains, one per Netfilter hook it uses, where
rules are applied. In the filter table these are:
 INPUT: For incoming packets to the local system.
 OUTPUT: For outgoing packets from the local system.
 FORWARD: For packets being routed through the system.
o Users may also create their own chains and jump to them from rules.
3. Rules:
o Each chain contains rules that define actions (targets such as ACCEPT,
DROP, REJECT, LOG) to take on packets matching given attributes.
Tables and chains

Tables
iptables utilizes different tables, each serving a specific purpose. The most
commonly used tables are:
1. filter:
o Purpose: This is the default table used for packet filtering.
o Functionality: It contains chains that control the acceptance or
rejection of network traffic based on user-defined rules.
o Chains:
 INPUT: For packets destined for the local machine.
 OUTPUT: For packets originating from the local machine.
 FORWARD: For packets routed through the machine (not
destined for it).
2. nat:
o Purpose: Used for Network Address Translation (NAT).
o Functionality: This table allows you to alter the source or
destination addresses of packets, which is especially useful for
sharing a single IP address among multiple devices.
o Chains:
 PREROUTING: Alters packets before routing (destination NAT).
 POSTROUTING: Alters packets after routing (source NAT).
 OUTPUT: Alters locally generated packets before they are
sent out.
3. mangle:
o Purpose: Used for specialized packet alteration.
o Functionality: It allows modification of packet headers (e.g. TTL,
TOS/DSCP, packet marks), which can affect routing and quality of
service (QoS).
o Chains:
 PREROUTING: For packets before routing.
 POSTROUTING: For packets after routing.
 INPUT: For incoming packets.
 OUTPUT: For outgoing packets.
 FORWARD: For forwarded packets.
4. raw:
o Purpose: Used to configure exemptions from connection tracking.
o Functionality: Allows you to decide whether packets should be
tracked (the NOTRACK target); it is consulted before any other table.
o Chains:
 PREROUTING: For packets before they are processed by
connection tracking.
 OUTPUT: For locally generated packets.
Chains
Each table consists of chains that are lists of rules. Here’s how they work:
1. INPUT Chain:
o Handles incoming packets destined for the local system.
o Rules here determine whether incoming traffic is accepted or
rejected.
2. OUTPUT Chain:
o Manages outgoing packets generated by the local system.
o Rules here control what traffic can leave the system.
3. FORWARD Chain:
o Deals with packets that are being routed through the system but are
not destined for it.
o This chain is relevant in situations where the machine acts as a
router (it is only reached when IP forwarding is enabled).
4. PREROUTING Chain (in nat, mangle and raw tables):
o Alters packets as they arrive at the interface, before any routing
decisions are made.
5. POSTROUTING Chain (in nat and mangle tables):
o Alters packets just before they leave the interface, allowing for last-
minute changes.
Rule Processing Order
 Rules within each chain are processed in a top-down manner.
 When a packet matches a rule with a terminating target (ACCEPT, DROP,
REJECT, and in the nat table REDIRECT/DNAT/SNAT), that action is taken
and no further rules in the chain are evaluated.
 LOG is non-terminating: the packet is logged and then continues to the
next rule, so a LOG rule is normally placed directly before the DROP or
REJECT rule whose hits it is meant to record.
 If no rule matches, the chain's default policy (ACCEPT or DROP) applies.

Managing rules in a firewall

• In iptables, packets are compared against the rules of a chain sequentially
until a match is found
• Then the matching rule's target action is executed
• This linear matching does not scale with
• Traffic speed
• Number of rules
• Practical mitigations: put the most frequently matched rules (loopback,
ESTABLISHED) first, group many addresses into an ipset set matched by a
single rule, or use nftables, which matches sets and maps rather than
walking a list

Building a simple firewall

• Flush all existing firewall configurations (set the default policies to ACCEPT
first, so that flushing cannot lock you out of a remote host)
• Set the default policy of the INPUT, OUTPUT and FORWARD chains to DROP,
so that only explicitly allowed traffic passes
• Rule on the INPUT chain to allow TCP traffic to ports 22 (ssh) and 80 (http)
• Rule on the OUTPUT chain to allow all outgoing TCP traffic (so that replies
to the ssh/http connections can leave)
• Allow the use of the loopback interface in both directions
• Allow DNS queries (UDP to port 53) and their responses to pass through
Limitation of the simple firewall:
• The OUTPUT rule accepts every outgoing TCP packet, not only replies to
the allowed ssh/http connections, so any process on the host (including
malware or a reverse shell) can open TCP connections to the outside.
• The DNS rule accepts any inbound UDP packet with source port 53, not
only answers to queries this host sent. Header-only (stateless) rules cannot
tell a reply from a packet crafted to look like one; that is what the stateful
firewall below fixes.

Stateful Firewall
• A stateful firewall monitors incoming and outgoing packets over a period
of time
• Records aspects about connection state (such as IP address, port numbers,
sequence numbers)
• The state enables filtering decisions to be based on context of a packet
(not just headers)
• Tracking TCP Connections
• Stateful firewalls can monitor TCP handshake protocols between two
machines to identify if there is a connection established between
the two of them.
• Example: monitoring 3-way handshake protocol or 4-way
termination protocols
• Tracking UDP Connections
• UDP is connectionless, so there is no handshake to observe
• Stateful firewalls instead track the stream of packets between client
and server as a pseudo-connection; if no packets are exchanged for a
certain period of time (a timeout), the connection is considered to
be terminated
• Tracking ICMP Connections
• Not always possible: an ICMP error message is a single packet from
one side with no reply to pair it with
• If the ICMP message has a request and a response (echo request and
echo reply), tracking is possible by matching their identifier and
sequence fields
• Tracking Application connections
• Some firewalls may be able to track certain application protocols
such as HTTP, FTP, IRC etc.

Connection Tracking Framework in Linux:

• nf_conntrack is the connection tracking framework in the Linux kernel, built
on top of Netfilter
• Each packet, in either direction, is classified with a connection state that
rules can match with -m conntrack --ctstate:
• NEW: the packet starts a new connection (e.g. a TCP SYN) and is a valid
first packet of one
• ESTABLISHED: the connection has already been seen and the packet
belongs to it, in either direction; the first reply packet already counts
as ESTABLISHED
• RELATED: the packet starts a new connection that is related to an existing
one, e.g. FTP data traffic spawned by an FTP control connection, or an
ICMP error about an existing connection (FTP needs the nf_conntrack_ftp
helper to be loaded)
• INVALID: the packet does not follow the expected behaviour of any
connection (e.g. a TCP packet matching no known connection); such
packets are normally dropped

Example: Set up a Stateful Firewall

• Set up a firewall rule to only allow outgoing TCP packets if they belong
to an established TCP connection
• Only ssh and http connections are allowed in, and all outgoing TCP traffic
that is not part of an ongoing ssh or http connection is blocked
• The earlier "allow all outgoing TCP" rule is replaced with one that matches
on the connection state (-m conntrack --ctstate ESTABLISHED)
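The simple firewall from the earlier steps and its stateful replacement, written out as an added example; this is the editor's code, not the notes' own script. The ssh, http and DNS ports are the ones the notes name; the DROP default policies, the INVALID rule and the rate-limited LOG rule are assumptions. Both rule sets are emitted in iptables-restore format so they can be read, diffed and, as root, loaded atomically, and nothing touches the kernel unless apply_ruleset is called.

```shell
#!/bin/sh
# Added example (not from the original notes). Emits the two rule sets in
# iptables-restore format. Assumptions: the host runs sshd on 22/tcp and a
# web server on 80/tcp, resolves names over 53/udp, and everything else is
# to be dropped.

# Step 1 of the notes: flushing a table whose policy is DROP can lock you out
# of a remote box, so set the policies to ACCEPT, then flush, then load.
reset_to_accept() {
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
}

# The simple (stateless) firewall: decisions on header fields only.
simple_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# inbound ssh and http
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# ALL outgoing TCP: needed for the replies, but also lets any process connect out
-A OUTPUT -p tcp -j ACCEPT
# DNS: any packet with source port 53 gets in, not only answers to our queries
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
COMMIT
EOF
}

# Stateful replacement: outgoing TCP only when conntrack already knows the
# connection (one that came in through the ssh/http rules), and inbound UDP
# from port 53 only if it answers a query this host sent.
stateful_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# LOG is non-terminating: the packet is logged, then falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Does a rule set still carry an unconditional "allow all outgoing TCP" rule?
allows_any_outbound_tcp() {
    "$1" | grep -q -- '^-A OUTPUT -p tcp -j ACCEPT$'
}

# Load a rule set; iptables-restore replaces the filter table in one step,
# so there is no window with a half-loaded policy.
apply_ruleset() {   # apply_ruleset stateful_ruleset   (as root)
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: need root" >&2
        return 1
    fi
    reset_to_accept
    "$1" | iptables-restore
}

# Review without applying:  stateful_ruleset
# Apply (root):             apply_ruleset stateful_ruleset
```

Loading the stateful set from an existing ssh session is safe, because that session is already ESTABLISHED; loading it on a host that must initiate outbound TCP itself (package updates, for instance) is not, since only replies may leave, which is exactly the property the notes ask for.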

Application/Proxy Firewall and Web Proxy

• Inspects network traffic up to the application layer
• The typical implementation of an application firewall is an application
proxy: the client talks to the proxy, and the proxy makes the real request
on the client's behalf, so it sees (and can filter) the whole application
exchange
• Web proxy: to control what browsers can access
• To set up a web proxy in a network, all web traffic must be made to go
through the proxy server, either by:
• Configuring each host to send its web traffic to the proxy (in the
browser's network settings, or transparently with an iptables REDIRECT
rule), or
• Placing the web proxy on a network bridge or gateway that connects the
internal and external networks, so the traffic has no path around it
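Two added examples of the redirect described in the last two bullets, not taken from the notes: a per-host REDIRECT in the nat OUTPUT chain, and a gateway-side REDIRECT in nat PREROUTING with a REJECT rule behind it, plus a check that the exemption rule sits above the redirect. The proxy port 3128, the user name proxy and the interface names eth0/eth1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Two ways to force web traffic
# through a proxy with the iptables nat table, emitted in iptables-restore
# format. Assumed names: the proxy listens on TCP 3128 and runs as user
# "proxy"; on the gateway, eth1 faces the LAN and eth0 the outside.

# Variant 1, per host: the nat OUTPUT chain sees locally generated packets
# before routing, so the host's own port-80 connections are redirected to the
# local proxy. The proxy's own outbound connections must be exempted first,
# or they would be redirected back into the proxy in a loop.
host_redirect_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# Variant 2, on the gateway: nat PREROUTING sees packets arriving from the LAN
# before the routing decision, so REDIRECT turns a would-be forwarded port-80
# packet into one addressed to the gateway itself, where the proxy listens.
# The filter rules admit the redirected traffic and, belt and braces, reject
# any port-80 packet that still tries to be forwarded, with a TCP reset so the
# client fails fast instead of timing out. MASQUERADE is the NAT the notes
# describe for the proxy's own traffic leaving via eth0.
gateway_redirect_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp --dport 3128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Rules are matched top-down and REDIRECT is terminating, so the owner
# exemption must come before the REDIRECT line; verify that in a rule set.
exemption_precedes_redirect() {
    "$1" | awk '/uid-owner/ {e = NR} /REDIRECT/ {r = NR} END {exit !(e && r && e < r)}'
}

# Load a rule set (replaces the tables it lists); root only.
apply_rules() {   # apply_rules host_redirect_rules
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    "$1" | iptables-restore
}
```

Redirecting port 443 the same way only gets the proxy a TLS stream it cannot read; intercepting HTTPS needs the proxy to terminate TLS with a certificate the clients trust, which is the "SSL inspection" the NGFW section describes.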

EVADING FIREWALLS
1. SSH tunnelling to evade firewalls
SSH tunnelling redirects network traffic through an encrypted SSH
connection. It can be done in several ways, primarily through local and remote
port forwarding (and dynamic forwarding, below).
SSH tunnelling is effective for bypassing firewalls for the following reasons:
1. Encryption: the SSH connection is encrypted, so a firewall cannot inspect
the content of the packets. It only sees an SSH connection being made to
the outside server.
2. Port Whitelisting: many firewalls allow outgoing connections on standard
ports such as 22 (SSH) or 443 (HTTPS), so a tunnel to an SSH server
listening on such a port is set up without raising alarms.
3. Accessing Blocked Resources: by forwarding traffic through an SSH
server located outside the restrictive network, you can reach services that
the firewall normally blocks; the egress firewall only ever sees the tunnel.
Considerations and Risks
While SSH tunneling can be a useful tool, it’s important to consider the following:
 Security Policies: Bypassing firewalls may violate organizational security
policies and could lead to disciplinary actions.
 Monitoring: Some organizations monitor for unusual SSH usage, and
frequent or suspicious tunneling might raise flags.
 Potential for Misuse: Tunneling can also be used maliciously to exfiltrate
sensitive data, which is a risk that organizations need to mitigate.
2. Dynamic port forwarding
 SOCKS Proxy:
 When you set up dynamic port forwarding (ssh -D), the SSH client opens
a SOCKS proxy on a local port. Unlike local forwarding, which is fixed to
one destination, this proxy can forward a connection to any destination
the application asks for.
 SSH Tunnel:
 The SSH client establishes an encrypted tunnel to the SSH server, through
which all traffic routed via the SOCKS proxy passes. The server makes the
outbound connection to the requested destination on the client's behalf.
 Traffic Routing:
 Applications that support SOCKS proxies (browsers, curl, or any program
run through a SOCKS wrapper) are configured to send their traffic through
the local proxy and so reach external services as if they were connecting
from the SSH server's network. With SOCKS5 the application can hand the
hostname to the proxy, so that DNS resolution also happens at the server
end and the local network's DNS filtering sees nothing.
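The three forwarding modes discussed above as shell functions: an added example, not from the notes. user@outside.example.org, blocked.example.net and the ports are made-up values, and the SSH server is assumed to listen on 443. With DRY_RUN=1 (the default) each function prints the command it would run, so the script can be read and checked without an SSH server; set DRY_RUN=0 to actually open the tunnels.

```shell
#!/bin/sh
# Added example (not from the original notes): local, remote and dynamic SSH
# forwarding, plus a SOCKS5 client call. All host names, ports and the user
# are assumptions.

: "${DRY_RUN:=1}"

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# -N: no remote shell; -f: go to background after authentication.
# -p 443 because the page notes that firewalls usually whitelist outbound
# 22/443; the SSH server must actually listen there.
SSH_OPTS="-N -f -p 443"

# Local forwarding: connections to 127.0.0.1:LPORT on this machine are carried
# through the tunnel, and the SSH server connects to HOST:PORT on our behalf.
local_forward() {   # local_forward LPORT HOST PORT user@server
    run ssh $SSH_OPTS -L "127.0.0.1:$1:$2:$3" "$4"
}

# Remote forwarding: connections to RPORT on the SSH server (its loopback, unless
# GatewayPorts is enabled there) are carried back into this network to HOST:PORT.
# This is how an internal service gets exposed outside without any inbound rule.
remote_forward() {  # remote_forward RPORT HOST PORT user@server
    run ssh $SSH_OPTS -R "$1:$2:$3" "$4"
}

# Dynamic forwarding: a SOCKS proxy on 127.0.0.1:SPORT; each connection's
# destination is chosen by the client application at connect time.
dynamic_forward() { # dynamic_forward SPORT user@server
    run ssh $SSH_OPTS -D "127.0.0.1:$1" "$2"
}

# Client side of dynamic forwarding. socks5h (not socks5) makes curl send the
# hostname to the proxy, so the name is resolved by the SSH server rather than
# by the local resolver that the restrictive network controls.
fetch_via_socks() {  # fetch_via_socks SPORT URL
    run curl --silent --proxy "socks5h://127.0.0.1:$1" "$2"
}

# Demo (with DRY_RUN=1 this prints the four commands):
local_forward 8080 blocked.example.net 80 user@outside.example.org
remote_forward 2222 127.0.0.1 22 user@outside.example.org
dynamic_forward 1080 user@outside.example.org
fetch_via_socks 1080 http://blocked.example.net/
```

From the defender's side each of these looks like one long-lived outbound TCP session to a single host on an allowed port, which is why the notes list monitoring of unusual SSH usage as the counter-measure rather than a header-level rule.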
3. Using VPN
• Using a VPN, one can create a tunnel between a computer inside the
network and another one outside. IP packets can be sent through this tunnel.
Since the tunnel traffic is encrypted, the firewall cannot see what is inside
the tunnel and cannot filter it. This topic will be covered in detail in VPN.
Major Firewall Drawbacks / Vulnerabilities
• Insider attacks: traffic that never crosses the firewall is never filtered
• Anomalies in firewall configurations (shadowed, redundant or contradictory
rules) that let unintended traffic through
• Firewall policy not kept up to date, and firewall software or firmware
missing security patches
• Lack of deep packet inspection: header-only filters cannot see what an
allowed connection (including an encrypted tunnel) carries
• DDoS attacks: the firewall itself, or its connection-tracking table, can be
overwhelmed

Next Gen Firewalls

Key Features of Next-Generation Firewalls
1. Deep Packet Inspection (DPI):
o NGFWs analyze the entire packet, including the payload, to detect
and block threats based on content, rather than just header
information.
2. Application Awareness and Control:
o They can identify and control applications regardless of the port or
protocol being used, allowing organizations to enforce policies
based on application type (e.g., allowing Skype while blocking P2P
file sharing).
3. Integrated Intrusion Prevention System (IPS):
o NGFWs often include IPS capabilities, which monitor network traffic
for suspicious activities and actively block attacks in real-time.
4. User Identity Awareness:
o These firewalls can integrate with directory services (like Active
Directory) to enforce security policies based on user identity,
allowing more granular control.
5. Advanced Threat Protection:
o Many NGFWs include features like sandboxing, which allows
suspicious files to be executed in a safe environment to analyze
their behavior before being allowed into the network.
6. SSL Inspection:
o They can decrypt and inspect encrypted traffic (SSL/TLS) to detect
threats hidden within secure connections.
7. Automated Threat Intelligence:
o NGFWs often utilize threat intelligence feeds to stay updated on the
latest threats, improving their ability to detect and respond to
emerging risks.
8. VPN Support:
o They provide secure remote access solutions through Virtual Private
Network (VPN) support, allowing secure connections for remote
users.
9. Cloud Integration:
o Many NGFWs can integrate with cloud services and provide security
for cloud-based applications, helping to secure hybrid
environments.
Benefits of Next-Generation Firewalls
 Comprehensive Security: By combining multiple security functions,
NGFWs provide a more holistic approach to network security.
 Granular Control: Organizations can implement fine-tuned policies based
on applications, users, and other contextual factors.
 Improved Visibility: Enhanced monitoring capabilities give security
teams greater insight into network traffic and user behavior.
 Reduced Complexity: By integrating multiple security functions into a
single device, NGFWs can simplify security management and reduce the
need for multiple point solutions.
Considerations When Choosing an NGFW
1. Performance: Ensure that the NGFW can handle the throughput required
for your network without introducing latency.
2. Scalability: Consider whether the firewall can grow with your organization
and support increasing traffic and additional security features.
3. Ease of Management: Look for solutions that offer user-friendly
interfaces and centralized management capabilities for easier policy
enforcement and monitoring.
4. Integration: Check for compatibility with existing security tools and
infrastructure, as well as support for cloud services if needed.
5. Cost: Evaluate the total cost of ownership, including licensing,
maintenance, and any additional hardware requirements.
