Lect8


Information Security & Privacy
AlBaha University
Faculty of Computer Science and Information Technology
Department of Computer Science

Dr. Sonia ABDELKARIM

Network Security
Firewalls
Chapter 8

Introduction

• Functionality and design principles
• Firewall characteristics
• Security of the firewall itself
• Concept of a trusted system or secure operating system
Firewalls and Network
Defense
• Firewalls can be an effective means of protecting a local system or network from network-based security threats
• At the same time, a firewall still provides access to the outside world via WANs and the Internet
Information System Evolution
• Central mainframe with directly connected terminals
• LANs interconnecting PCs and a mainframe
• Networks consisting of several LANs, PCs, servers, and a mainframe or two
• Enterprise-wide network with multiple distributed networks, connected through a WAN
• Internet connectivity: all networks connected through the Internet, and possibly also by a private WAN
Firewall Design Principles
• Internet connectivity is no longer optional for most organizations
• It provides benefits, but also exposes the organization to threats
• Each workstation could be equipped with its own intrusion protection, but that is not practical at scale
• The alternative is a firewall, inserted between the premises network and the Internet to protect the network from Internet-based attacks
Firewalls
• Idea: separate the local network from the Internet
[Figure (not reproduced): trusted hosts and networks on the intranet side; a router and firewall in front of them; a DMZ (demilitarized zone) holding the publicly accessible servers and networks]
Firewall Characteristics
• All traffic in both directions (inside <-> outside) must pass through the firewall
• Only authorized traffic, as defined by the local security policy, is allowed to pass
• The firewall itself must be immune to penetration: it runs on a hardened (trusted) system and provides the perimeter defense
Castle and Moat Analogy
• More like the moat around a castle than a firewall
• Restricts access from the outside
• Restricts outbound connections, too (!!)
• Important: filter out undesirable activity from internal hosts!
Firewall Limitations
• Cannot protect from attacks that bypass it
• e.g. sneaker net (removable media), modems, trusted partner organizations, encrypted services it cannot inspect (e.g. SSL/SSH tunnels)
• Cannot protect against internal threats
• e.g. a disgruntled employee
• Cannot protect against the transfer of all virus-infected programs or files
• because of the huge range of operating systems and file types, scanning every file at the perimeter is impractical
Firewall Locations
in the Network
• Between the internal LAN and the external network
• At the gateways of sensitive sub-networks within the organizational LAN
• Payroll's network must be protected separately within the corporate network
• On end-user machines
• "Personal firewall"
• Microsoft's Internet Connection Firewall (ICF) came standard with Windows XP
Firewall Types
• Packet-filtering routers
• Application-level gateways
• Circuit-level gateways
Firewalls – Packet Filters
[Figure (not reproduced): OSI layers addressed by a packet filter]
Firewall Types:
Packet Filters
• Packet- or session-filtering router (filter)
• filters packets in both directions, based on IP addresses, IP protocol, ports and interface
• set up as a list of rules, based on matches to header fields
• if a rule matches, its action is applied
• otherwise a default action is taken
• default = discard: anything not expressly permitted is prohibited, OR
• default = forward: anything not expressly prohibited is permitted
• Advantages: simplicity and speed
• Weaknesses: cannot prevent attacks that exploit application-specific vulnerabilities; limited logging functionality; no support for advanced user authentication; vulnerable to network-layer address spoofing and to security breaches caused by improper configuration
Packet Filtering
• For each packet, the firewall decides whether to allow it to proceed
• The decision must be made on a per-packet basis
• Stateless: cannot examine the packet's context (the TCP connection or application to which it belongs, etc.)
• To decide, it uses the information available in the packet:
• IP source and destination addresses, ports
• Protocol identifier (TCP, UDP, ICMP, etc.)
• TCP flags (SYN, ACK, RST, PSH, FIN)
• ICMP message type
• Filtering rules are based on pattern matching against these fields
Packet Filtering Examples
[Table of example filtering rules not reproduced]
Stateless Filtering Is Not Enough
• In TCP, well-known ports (numbers below 1024) are reserved for servers
• 20, 21 for FTP, 23 for telnet, 25 for SMTP, 80 for HTTP...
• Clients use ephemeral ports from the high range (1024 to 65535)
• These must remain reachable so clients can receive responses
• What should a firewall do if it sees, say, an incoming packet to some client's port 5612?
• It must allow it: this could be a server's response in a previously established connection...
• ...OR it could be malicious traffic
• Can't tell the two apart without keeping state for each connection
Firewalls – Stateful Packet Filters
• examine each IP packet in context
• keep track of client-server sessions
• check that each packet validly belongs to one
• better able to detect bogus packets that are out of context
Example: Variable Port Use
[Figure (not reproduced): inbound SMTP and outbound SMTP exchanges]
Session Filtering
• The decision is still made separately for each packet, but in the context of a connection
• If it starts a new connection, check it against the security policy
• If it belongs to an existing connection, look the connection up in the table and update the table if necessary
• Only allow incoming traffic to a high-numbered port if there is an established connection to that port
• Connectionless protocols (UDP) and ICMP are harder to filter, since there is no handshake to anchor the state on
• Typical filter: deny everything that is not explicitly allowed
• Must be careful when filtering out service traffic such as ICMP (path MTU discovery and error reporting depend on it)
• Filters can be bypassed with IP tunneling
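The following Python program is an added worked example for the stateless-filtering and session-filtering slides above; it is not code from the lecture. It runs one constructed five-packet trace through a stateless filter of the kind described under Packet Filters (reply packets recognised only by source port 80 and the ACK bit) and through a session filter with a connection table, to show that the stateless filter must accept a forged packet aimed at a client's high port while the stateful one drops it. The addresses (10.0.0.5, 203.0.113.10, 198.51.100.7), the ports and the trace itself are assumptions made for the example.

```python
"""Stateless versus stateful (session) filtering on a constructed packet trace.

Added example for the two slides above; it is not code from the lecture.
Assumed topology: inside client 10.0.0.5, outside web server 203.0.113.10,
outside attacker 198.51.100.7 (documentation address ranges, chosen here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str              # "tcp" throughout this example
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

# Constructed trace: a normal web connection, then two unsolicited inbound packets.
TRAFFIC = [
    Packet("out", "tcp", CLIENT, 5612, SERVER, 80, SYN),        # client opens connection
    Packet("in",  "tcp", SERVER, 80, CLIENT, 5612, SYNACK),     # server's reply
    Packet("out", "tcp", CLIENT, 5612, SERVER, 80, ACK),        # handshake completes
    # attacker spoofs source port 80 and sets ACK so it looks like a server reply
    Packet("in",  "tcp", ATTACKER, 80, CLIENT, 5612, ACK),
    # attacker tries to open a connection to the client's high port directly
    Packet("in",  "tcp", ATTACKER, 4444, CLIENT, 5612, SYN),
]


def stateless_filter(p: Packet) -> str:
    """Per-packet decision with no memory of earlier packets.

    Policy: inside hosts may open web connections; packets from port 80 to a
    high port are let back in if the ACK bit is set (the 'established' trick).
    Default: anything not expressly permitted is prohibited.
    """
    if p.proto == "tcp" and p.direction == "out" and p.dport == 80:
        return "permit"
    if (p.proto == "tcp" and p.direction == "in" and p.sport == 80
            and p.dport > 1023 and "ACK" in p.flags):
        return "permit"   # cannot tell a real reply from a forged one
    return "deny"


class SessionFilter:
    """Keeps a connection table so each packet is judged in context."""

    def __init__(self) -> None:
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.table: set = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.table:
            if "RST" in p.flags:          # connection torn down; forget it
                self.table.discard(key)   # (FIN tracking and idle timeouts omitted)
            return "permit"
        # New flow: only inside-initiated TCP connections to port 80 are allowed,
        # and only if the packet is a genuine connection request (SYN alone).
        if (p.direction == "out" and p.proto == "tcp"
                and p.dport == 80 and p.flags == SYN):
            self.table.add(key)
            return "permit"
        return "deny"


def compare(traffic=TRAFFIC):
    """Run both filters over the trace; returns (stateless, stateful) decision lists."""
    stateful = SessionFilter()
    return ([stateless_filter(p) for p in traffic],
            [stateful.decide(p) for p in traffic])


if __name__ == "__main__":
    for p, a, b in zip(TRAFFIC, *compare()):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{sorted(p.flags)}  stateless={a:6} stateful={b}")
```

Running it shows the fourth packet (attacker, source port 80, ACK set) permitted by the stateless filter and denied by the session filter, which has no table entry for the pair (10.0.0.5:5612, 198.51.100.7:80); the fifth packet is denied by both, because a SYN from outside to a high port matches no permit rule in either policy. A real session filter also has to track FIN handshakes, apply idle timeouts and validate sequence numbers, which this example leaves out.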
Example: Connection State Table
[Figure (not reproduced): example connection state table]
Example: FTP (active mode)
(borrowed from Wenke Lee)
FTP server: port 21 = command channel, port 20 = data channel
FTP client: connects from a random port on an external host (5150 for commands, 5151 for data)
1. Client opens the command channel from port 5150 to the server's port 21 and tells the server its second port number (5151)
2. Server acknowledges
3. Server opens the data channel from its port 20 to the client's second port (5151)
4. Client acknowledges
FTP Packet Filter
The following filtering rules (Cisco IOS extended access-list syntax) allow a user to FTP from any IP address to the FTP server at 172.168.10.12:

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client (source port > 1023) to the FTP control (21) and data (20) ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets from ports 21 and 20 back to any IP address with TCP port > 1023
! (needed for active-mode FTP, where the server opens the data channel from port 20)
interface Ethernet 0
 ip access-group 100 in
 ip access-group 101 out
! Apply access list 100 to inbound traffic and access list 101 to outbound traffic on this interface
!
Anything not explicitly permitted by an access list is denied (every list ends with an implicit deny).
Note that these rules are stateless: any outside host can send packets from a high port to the server's port 20 or 21 whether or not an FTP session exists, and the server can send from those ports to any high port anywhere.
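As an added example (not code from the slides or from any vendor), the Python program below parses the four access-list lines above in the slide's Cisco-style syntax, applies list 100 to inbound and list 101 to outbound packets as the interface stanza does, and evaluates them against a constructed active-mode FTP exchange plus three extra packets that probe the edges of the policy. The client address 198.51.100.7, the outsider address 192.0.2.9, the ephemeral ports and the grammar subset handled (only the forms that appear on the slide) are assumptions; the implicit deny at the end of each list is the slide's "anything not explicitly permitted is denied".

```python
"""Parse the slide's Cisco-style access lists and evaluate them against a
constructed active-mode FTP exchange.

Added example; not code from the slides or from any vendor. It handles only the
ACL subset the slide uses ('access-list N permit|deny tcp SRC [gt|eq P] DST
[gt|eq P]' with SRC/DST = 'any' or 'host A.B.C.D'). The client address
198.51.100.7, the outsider 192.0.2.9 and the ephemeral ports are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """\
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
"""
INTERFACE_ACL = {"in": "100", "out": "101"}   # the slide's 'interface Ethernet 0' binding

LINE = re.compile(
    r"^access-list (\d+) (permit|deny) tcp "
    r"(any|host \S+)(?: (gt|eq) (\d+))? "
    r"(any|host \S+)(?: (gt|eq) (\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    src: str                    # "any" or a host address
    sport: Optional[tuple]      # ("gt", 1023), ("eq", 21) or None = any port
    dst: str
    dport: Optional[tuple]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in"/"out" relative to interface Ethernet 0
    src: str
    sport: int
    dst: str
    dport: int


def parse_acl(text: str) -> dict:
    """Return {acl_number: [Rule, ...]} in the order the lines appear."""
    acls: dict = {}
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()      # '!' introduces an IOS comment
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        num, action, src, sop, sp, dst, dop, dp = m.groups()
        acls.setdefault(num, []).append(Rule(
            action,
            src.replace("host ", ""), (sop, int(sp)) if sop else None,
            dst.replace("host ", ""), (dop, int(dp)) if dop else None,
        ))
    return acls


def _port_matches(cond: Optional[tuple], port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return port > value if op == "gt" else port == value


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def evaluate(rules: list, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for r in rules:
        if (_addr_matches(r.src, p.src) and _port_matches(r.sport, p.sport)
                and _addr_matches(r.dst, p.dst) and _port_matches(r.dport, p.dport)):
            return r.action
    return "deny"


def check(acls: dict, p: Packet) -> str:
    """Pick the list bound to the packet's direction on Ethernet 0 and evaluate it."""
    return evaluate(acls[INTERFACE_ACL[p.direction]], p)


SERVER, CLIENT, OUTSIDER = "172.168.10.12", "198.51.100.7", "192.0.2.9"

# Constructed active-mode FTP exchange (ports as in the slide's figure), followed
# by three packets that probe the edges of the policy.
EXCHANGE = [
    Packet("in",  CLIENT, 5150, SERVER, 21),     # 1. command channel opened
    Packet("out", SERVER, 21, CLIENT, 5150),     # 2. server acknowledges
    Packet("in",  CLIENT, 5150, SERVER, 21),     #    client sends PORT 5151
    Packet("out", SERVER, 20, CLIENT, 5151),     # 3. server opens data channel
    Packet("in",  CLIENT, 5151, SERVER, 20),     # 4. client acknowledges
    Packet("in",  OUTSIDER, 40000, SERVER, 22),  # SSH to the server: not listed -> deny
    Packet("in",  OUTSIDER, 1023, SERVER, 21),   # source port 1023 is not 'gt 1023' -> deny
    Packet("in",  OUTSIDER, 40000, SERVER, 20),  # port 20 with no session: stateless, so permitted
]


def ftp_decisions(text: str = ACL_TEXT, exchange=EXCHANGE) -> list:
    acls = parse_acl(text)
    return [check(acls, p) for p in exchange]


if __name__ == "__main__":
    for p, d in zip(EXCHANGE, ftp_decisions()):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {d}")
```

The five packets of the FTP exchange are all permitted, the SSH attempt and the packet from source port 1023 fall through to the implicit deny, and the last packet is permitted even though no FTP session exists: list 100 has no way to know whether the server ever sent anything to 192.0.2.9, which is exactly the gap the stateful filtering slides address.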
Thank You
