Why Do We Need Firewalls?


Why do we need Firewalls?
Internet connectivity is a must for most people and organizations
  especially for me
But convenient Internet connectivity is an invitation for intruders and hackers
  yet another example of the tradeoff between convenience and security
Question: What do we mean by a convenient Internet connection?
A firewall basically gives us an option to choose where to sit within the spectrum of this tradeoff

What is a Firewall?
An effective means of protecting a local network of systems from network-based security threats from the outer world, while providing (limited) access to the outside world (the Internet)

Firewall Basics
The firewall is inserted between the internal network and the Internet (a choke point)
Establishes a controlled link and protects the network from Internet-based attacks
  keeps unauthorized users away
  imposes restrictions on network services; only authorized traffic is allowed
Location for monitoring security-related events
  auditing and alarms can be implemented
Some firewalls support IPSec, so VPNs can be implemented firewall-to-firewall
Some firewalls support NAT (not so security related)
Open discussion: can't we put one firewall for each station within the local network? What are the pros and cons?

Firewall Characteristics - 1
Design goals:
  All traffic from inside to/from outside must pass through the firewall
  Only authorized traffic (defined by the local security policy) will be allowed to pass
  The firewall itself should be immune to penetration (use of a trusted system with a secure operating system)

Firewall Characteristics - 2
General techniques for access control
Service control
  Determines the types of Internet services that can be accessed
  Mostly using TCP/UDP port numbers
  Direction of traffic is important for the decision
    Some services are open for outbound, but not inbound (or vice versa)
User control
  Controls access to a service according to which user is attempting to access it
  Need to authenticate users. This is easy for internal users, but what can be done for external ones?
Behavior control
  Controls how particular services are used (e.g. filter e-mail for spam control)

Firewall Limitations
Cannot protect from attacks that bypass it
  typical example: dial-in, dial-out
Cannot protect against internal threats
  e.g. a fired sysadmin
Cannot protect against the transfer of all virus-infected programs or files
  because of heavy traffic and the huge range of O/S and file types

Types of Firewalls
Packet-filtering routers
Application-level gateways
Circuit-level gateways (not common, so skipped)

Packet-filtering Router
Foundation of any firewall system
Applies a set of rules to each incoming IP packet and then forwards or discards the packet (in both directions)
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  context is not checked
Two default policies (discard or forward)

Packet-filtering Router
Filtering rules are based on
  Source and destination IP addresses
  Source and destination ports (services) and transport protocols (TCP or UDP)
  Router's physical interface
Rules are listed and a match is searched for starting with the first rule
  Action is either forward or discard
  Generally the first matching rule is applied
  If no match, then the default policy is used
    Default is either discard or forward

Packet-filtering Router
Advantages:
  Simplicity
  High speed
  Transparency to users
Disadvantages:
  Difficulty of setting up packet filter rules
    configuration is error-prone
  A port is either open or closed; no application-layer flexibility
  IP address spoofing
    attacker uses an internal IP address and hopes that the packet penetrates into the system
    countermeasure: do not accept internal IPs on the external interface
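The packet-filtering behaviour described on the last three slides (header-field matching, first matching rule wins, a default policy when nothing matches, and the anti-spoofing countermeasure on the external interface) as a small simulation. This is an added example, not code from the slides; the address ranges (10.0.0.0/8 as the internal network, 192.0.2.25 as a mail relay) and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: 10.0.0.0/8 plays the internal network, 192.0.2.25 a mail relay.
INTERNAL_NET = "10.0.0.0/8"

@dataclass(frozen=True)
class Packet:
    iface: str   # router interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "forward" or "discard"
    iface: str = "*"            # "*" matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Header-field matching only: no connection context is consulted.
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Constructed rule set. Order matters: the anti-spoofing rule must come before
# any rule that forwards inbound traffic, or a spoofed packet could match first.
RULES = [
    Rule("discard", iface="ext", src=INTERNAL_NET),                            # anti-spoofing
    Rule("forward", iface="ext", dst="192.0.2.25/32", proto="tcp", dport=25),  # inbound SMTP
    Rule("forward", iface="int", src=INTERNAL_NET, proto="tcp", dport=80),     # outbound HTTP
    Rule("forward", iface="int", src=INTERNAL_NET, proto="tcp", dport=443),    # outbound HTTPS
]
```

Reversing the rule order lets a packet that arrives on the external interface with an internal source address reach the mail relay, which shows why first-match rule sets are error-prone to configure.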

Application-level Gateway
Application-level gateway (proxy server)
  Acts as a relay of application-level traffic
  The proxy obtains application-specific information from the user and relays it to the server
  Optionally authenticates the users
Only allowable applications can pass through
Feature-based processing is possible
Additional processing overhead on each connection

Bastion Host
A system identified by the firewall administrator as a critical strong point in the network security
Used in various firewall configurations (we'll see now)
The bastion host serves as a platform for an application-level gateway
  i.e. a proxy
Potentially exposed to "hostile" elements, hence is secured to withstand this
  Trusted system
  Carefully configured and maintained

Firewall Configurations
In addition to the use of a simple configuration of a single system (single packet-filtering router or single gateway), more complex configurations are possible
Screened host firewall system (dual-homed bastion host)
  Only packets from and to the bastion host are allowed to pass through the router
  The bastion host performs authentication and proxy functions

Dual-homed Bastion Host
Good security because of two reasons:
  This configuration implements both packet-level and application-level filtering
  An intruder must generally penetrate two separate systems in order to get to the internal network
This configuration also has the flexibility to provide direct Internet access to a public information server, e.g. a Web server
  by configuring the router

Screened-subnet Firewall System
More secure
Creates an isolated sub-network between routers
  Internet and private network have access to this subnet
  Traffic across the subnet is blocked
This subnet is called a DMZ (demilitarized zone)
Internal network is invisible to the Internet
[Diagram: outside packet-filtering router, then the DMZ, then inside packet-filtering router]

Host-Based Firewalls
Software module to secure individual hosts
  filters packet flows
Available as an add-on for many OSs
Often used on servers
Advantages:
  additional layer of protection to the organizational firewall
  tailored filter rules for specific host needs
  protection from both internal and external attacks

Personal Firewall
Controls traffic flow to/from a PC/workstation
  for both home and corporate use
Software module on the PC
  or in the home cable/ADSL router/gateway
Typically less complex than standalone firewalls
Primary role is to deny unauthorized access
  may also monitor/detect/block malware activity
