Module 5

The document discusses the importance and characteristics of firewalls in securing networks, detailing their evolution from centralized systems to enterprise-wide networks with internet connectivity. It outlines various types of firewalls, including packet filtering, bastion hosts, and host-based firewalls, along with their functionalities and limitations. Additionally, it highlights the need for a robust security policy and the role of firewalls in monitoring and managing network traffic.

Uploaded by Sri Vani
Copyright: © All Rights Reserved

Module 5

• Firewalls: The Need for Firewalls, Firewall Characteristics, Types of Firewalls, Firewall Basing, Firewall Location and Configuration (Chapter 22, Text 1) L1, L2

◆ A firewall forms a barrier through which the traffic going in each direction must pass. A firewall security policy dictates which traffic is authorized to pass in each direction.

◆ A firewall may be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer.
NEED FOR FIREWALL
Information systems in corporations, government agencies, and other organizations have undergone a steady evolution. The following are notable developments:
• Centralized data processing system, with a central mainframe supporting a
number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each
other and the mainframe
• Premises network, consisting of a number of LANs, interconnecting PCs,
servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed
premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into
the Internet and may or may not also be connected by a private WAN
FIREWALL CHARACTERISTICS
• Design goals for a firewall:
• All traffic from inside to outside, and vice versa, must pass through the
firewall. This is achieved by physically blocking all access to the local network
except via the firewall. Various configurations are possible, as explained later
in this chapter.

• Only authorized traffic, as defined by the local security policy, will be allowed
to pass. Various types of firewalls are used, which implement various types of
security policies, as explained later in this chapter.

• The firewall itself is immune to penetration. This implies the use of a hardened
system with a secured operating system. Trusted computer systems are
suitable for hosting a firewall and are often required in government applications.
Originally, firewalls focused primarily on service control, but they have since evolved to provide all four types of control:
• Service control: Determines the types of Internet services that can be accessed, inbound
or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port
number; may provide proxy software that receives and interprets each service request
before passing it on; or may host the server software itself, such as a Web or mail service.

• Direction control: Determines the direction in which particular service requests may be
initiated and allowed to flow through the firewall.

The following capabilities are within the scope of a firewall:

• A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network,
and provides protection from various kinds of IP spoofing and routing attacks. The use of
a single choke point simplifies security management because security capabilities are
consolidated on a single system or set of systems.

• A firewall provides a location for monitoring security-related events. Audits and alarms
can be implemented on the firewall system.

• A firewall is a convenient platform for several Internet functions that are not security
related. These include a network address translator, which maps local addresses to
Internet addresses, and a network management function that audits or logs Internet
usage.

• A firewall can serve as the platform for IPsec. Using the tunnel mode capability described
in Chapter 19, the firewall can be used to implement virtual private networks.
Firewalls have their limitations, including the following:

• The firewall cannot protect against attacks that bypass the firewall. Internal
systems may have dial-out capability to connect to an ISP. An internal LAN
may support a modem pool that provides dial-in capability for traveling
employees and telecommuters.
• The firewall may not protect fully against internal threats, such as a
disgruntled employee or an employee who unwittingly cooperates with an
external attacker.
• An improperly secured wireless LAN may be accessed from outside the
organization. An internal firewall that separates portions of an enterprise
network cannot guard against wireless communications between local
systems on different sides of the internal firewall.
• A laptop, PDA, or portable storage device may be used and infected outside
the corporate network, and then attached and used internally.
Types of Firewall

• A firewall may act as a packet filter.
• It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a negative filter, rejecting any packet that meets certain criteria.
• Depending on the type of firewall, it may examine one or more protocol headers in each packet, the payload of each packet, or the pattern generated by a sequence of packets.
Packet Filtering Firewall

• A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then
forwards or discards the packet (Figure).
• The firewall is typically configured to filter packets going in both directions (from and to the
internal network).
• Filtering rules are based on information contained in a network packet:
• Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g.,
192.168.1.2)
• Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port
number, which defines applications such as SNMP or TELNET
• IP protocol field: Defines the transport protocol
• Interface: For a firewall with three or more ports, which interface of the firewall the packet came
from or which interface of the firewall the packet is destined for.
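As an added worked example (not part of the slides or of the textbook they summarize), the following Python stateless packet filter applies an ordered rule list to packets described by exactly the five fields listed above: source address, destination address, transport-level ports, IP protocol field, and arrival interface. It goes a little beyond the list by showing the first-match, default-deny discipline and an anti-spoofing rule. All addresses, interface names, and rules are constructed for illustration.

```python
"""Added example: a minimal stateless packet filter.

Each Rule holds one value or range per header field the slides list; a field
left at its default matches anything. Rules are tried in order and the first
match decides; if nothing matches, the default verdict (DENY) applies.
All addresses and rules below are constructed, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # IP protocol field: "tcp", "udp", "icmp"
    sport: int   # source transport-level port (0 if the protocol has none)
    dport: int   # destination transport-level port
    iface: str   # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str
    iface: Optional[str] = None               # None matches any interface
    proto: Optional[str] = None               # None matches any protocol
    src: str = ANY                            # CIDR the source address must fall in
    dst: str = ANY                            # CIDR the destination address must fall in
    sport: Optional[Tuple[int, int]] = None   # inclusive source port range, None = any
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = DENY) -> str:
    """First matching rule wins; the default verdict applies when no rule matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed network layout for the example.
INTERNAL = "192.168.1.0/24"
MAIL_SERVER = "192.168.1.2/32"

RULES = [
    # Anti-spoofing: a packet arriving on the outside interface must not claim an internal source.
    Rule(DENY, iface="outside", src=INTERNAL),
    # Inbound SMTP is allowed only to the mail gateway.
    Rule(ALLOW, iface="outside", proto="tcp", dst=MAIL_SERVER, dport=(25, 25)),
    # Outbound web traffic from internal hosts.
    Rule(ALLOW, iface="inside", proto="tcp", src=INTERNAL, dport=(80, 80)),
    Rule(ALLOW, iface="inside", proto="tcp", src=INTERNAL, dport=(443, 443)),
    # Replies to that web traffic: a stateless filter has to admit them purely by port numbers.
    Rule(ALLOW, iface="outside", proto="tcp", dst=INTERNAL, sport=(80, 80), dport=(1024, 65535)),
    Rule(ALLOW, iface="outside", proto="tcp", dst=INTERNAL, sport=(443, 443), dport=(1024, 65535)),
]


def decide(p: Packet) -> str:
    """Apply the constructed rule set to one packet."""
    return filter_packet(RULES, p)


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.1.2", "tcp", 40000, 25, "outside"),  # spoofed source
        Packet("203.0.113.5", "192.168.1.2", "tcp", 40000, 25, "outside"),   # inbound SMTP
        Packet("203.0.113.5", "192.168.1.7", "tcp", 40000, 23, "outside"),   # inbound Telnet
        Packet("192.168.1.7", "203.0.113.5", "tcp", 51000, 443, "inside"),   # outbound HTTPS
    ]
    for pkt in samples:
        print(f"{pkt.iface:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}  {decide(pkt)}")
```

The two reply rules illustrate the coarseness of a purely stateless filter: any outside packet whose source port happens to be 80 or 443 and whose destination is a high internal port is admitted, whether or not an internal host ever opened that connection. Narrowing that exposure is what the higher-layer firewall types discussed later in the chapter are for.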
Firewall Basing
• Some additional firewall basing considerations:
• Bastion Host
• A bastion host is a system identified by the firewall administrator as a critical strong
point in the network’s security. Typically, the bastion host serves as a platform for an
application-level or circuit-level gateway.
• Common characteristics of a bastion host are as follows:
• The bastion host hardware platform executes a secure version of its operating system,
making it a hardened system.
• Only the services that the network administrator considers essential are installed on
the bastion host. These could include proxy applications for DNS, FTP, HTTP, and SMTP.
• The bastion host may require additional authentication before a user is allowed access
to the proxy services. In addition, each proxy service may require its own
authentication before granting user access.
• Each proxy is configured to support only a subset of the standard application’s command
set.
• Each proxy is configured to allow access only to specific host systems. This means that
the limited command/feature set may be applied only to a subset of systems on the
protected network.

• Each proxy maintains detailed audit information by logging all traffic, each connection,
and the duration of each connection. The audit log is an essential tool for discovering and
terminating intruder attacks.
• Each proxy module is a very small software package specifically designed for network
security. Because of its relative simplicity, it is easier to check such modules for security
flaws. For example, a typical UNIX mail application may contain over 20,000 lines of code,
while a mail proxy may contain fewer than 1000.
• Each proxy is independent of other proxies on the bastion host. If there
is a problem with the operation of any proxy, or if a future vulnerability
is discovered, it can be uninstalled without affecting the operation of the
other proxy applications. Also, if the user population requires support
for a new service, the network administrator can easily install the
required proxy on the bastion host.
• A proxy generally performs no disk access other than to read its initial
configuration file. Hence, the portions of the file system containing
executable code can be made read only. This makes it difficult for an
intruder to install Trojan horse sniffers or other dangerous files on the
bastion host.
• Each proxy runs as a nonprivileged user in a private and secured
directory on the bastion host.
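To make the bastion-host proxy properties concrete, here is an added Python example (written for these notes, not code from the slides or the textbook) of the policy core of a small application-level proxy for a simplified SMTP. It shows three of the characteristics listed above: the proxy accepts only a subset of the application's command set, it forwards only to specific protected hosts, and it logs every command, its verdict, and the duration of each connection for audit. The command subset, the host name, and the client address are constructed assumptions.

```python
"""Added example: command screening and audit logging for a bastion-host proxy.

The real proxy would sit between the client socket and the protected server;
this module contains only the decision logic so it can be run and tested offline.
Command subset, destination host, and addresses are constructed for illustration.
"""
import re
import time
from typing import Callable, List, Tuple

# Subset of the SMTP command set this proxy understands; anything else is refused.
ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "QUIT"}

# Only these protected-network hosts may be reached through the proxy (constructed name).
ALLOWED_DESTINATIONS = {"mail.example.internal"}

_RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^@>]+)@([^>]+)>$", re.IGNORECASE)

AuditEntry = Tuple[float, str, str, str]   # (timestamp, client address, command line, verdict)


def counting_clock(start: float = 100.0, step: float = 1.0) -> Callable[[], float]:
    """Deterministic clock for tests and demos: each call advances by `step` seconds."""
    ticks = [start]

    def clock() -> float:
        ticks[0] += step
        return ticks[0]
    return clock


class ProxySession:
    """One client connection through the proxy, with its own audit trail."""

    def __init__(self, client_addr: str, clock: Callable[[], float] = time.time):
        self.client_addr = client_addr
        self.clock = clock
        self.started = clock()
        self.audit: List[AuditEntry] = []

    def _log(self, line: str, verdict: str) -> None:
        self.audit.append((self.clock(), self.client_addr, line, verdict))

    def handle(self, line: str) -> Tuple[str, bool]:
        """Screen one command line from the client.

        Returns (reply to send back to the client, whether the line may be
        forwarded to the real server). An empty reply means "pass it through".
        """
        line = line.strip()
        cmd = line.split(None, 1)[0].upper() if line else ""
        if cmd not in ALLOWED_COMMANDS:
            self._log(line, "REJECT: command outside supported subset")
            return "502 5.5.1 Command not implemented", False
        if cmd == "RCPT":
            m = _RCPT_RE.match(line)
            if m is None or m.group(2).lower() not in ALLOWED_DESTINATIONS:
                self._log(line, "REJECT: destination host not permitted")
                return "550 5.7.1 Relaying denied", False
        self._log(line, "FORWARD")
        return "", True

    def close(self) -> float:
        """Record the end of the connection and return its duration in seconds."""
        duration = self.clock() - self.started
        self._log("<connection closed>", f"duration={duration:.0f}s")
        return duration


if __name__ == "__main__":
    # Constructed transcript from a single client.
    session = ProxySession("203.0.113.9", clock=counting_clock())
    for cmd_line in ["HELO client.example.net", "VRFY root",
                     "RCPT TO:<alice@mail.example.internal>", "RCPT TO:<bob@evil.example.net>"]:
        reply, forward = session.handle(cmd_line)
        print(f"{cmd_line!r:45} forward={forward} reply={reply!r}")
    session.close()
    for ts, client, line, verdict in session.audit:
        print(f"t={ts:.0f} {client} {line!r} -> {verdict}")
```

Because every verdict, including refusals, is written to the audit list before the reply goes out, the log records probing for unsupported commands (VRFY above) as well as legitimate traffic, which is the kind of evidence the slides describe as essential for discovering intruder activity.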
Host-Based Firewalls
• A host-based firewall is a software module used to secure an individual host. Such
modules are available in many operating systems or can be provided as an add-on
package. Like conventional stand-alone firewalls, host-resident firewalls filter and
restrict the flow of packets. A common location for such firewalls is a server.
• There are several advantages to the use of a server-based or workstation based
firewall:
• Filtering rules can be tailored to the host environment. Specific corporate security
policies for servers can be implemented, with different filters for servers used for
different applications.
• Protection is provided independent of topology. Thus both internal and external
attacks must pass through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an
additional layer of protection. A new type of server can be added to the network,
with its own firewall, without the necessity of altering the network firewall
configuration.
Personal Firewall

• A personal firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side.
• Personal firewall functionality can be used in the home environment and on corporate intranets.
• Typically, the personal firewall is a software module on the personal computer.
• The list of inbound services that can be selectively reenabled, with their port numbers,
includes the following:
• Personal file sharing (548, 427)
• Windows sharing (139)
• Personal Web sharing (80, 427)
• Remote login - SSH (22)
• FTP access (20-21, 1024-64535 from 20-21)
• Remote Apple events (3031)
• Printer sharing (631, 515)
• iChat Rendezvous (5297, 5298)
• iTunes Music Sharing (3869)
• CVS (2401)
Firewall Location and Configuration

[Figure: Example Firewall Configuration]

[Figure: A VPN Security Scenario]

[Figure: Example Distributed Firewall Configuration]
