Firewall

Firewalls serve as barriers that control traffic between networks based on a security policy, protecting internal networks from external threats. They can operate at various levels, including packet filtering, application-level gateways, and circuit-level gateways, each with distinct characteristics and limitations. Firewall configurations can range from simple setups to more complex screened subnet configurations, enhancing security by creating multiple layers of defense against intrusions.

Uploaded by sowjnaya samala

Firewalls

• A firewall forms a barrier through which the traffic going in each direction must pass.
• A firewall security policy dictates which traffic is authorized to pass in each direction.
• A firewall may be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer.


Firewall Design Principles

• The firewall is inserted between the premises network and the internet.
Aims:
• Establish a controlled link
• Protect the premises network from internet-based attacks
• Provide a single choke point
– Firewall characteristics
– Types of firewalls
– Firewall configurations

Firewall Characteristics

1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.


• [SMIT97] lists four general techniques that firewalls use to control access and enforce the site's security policy.
1. Service control: Determines the types of Internet services that can be accessed, inbound or outbound.
2. Direction control: Determines the direction in which service requests may be initiated and allowed to flow through the firewall.
3. User control: Controls access to a service according to which user is attempting to access it.
4. Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.


• The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
2. A firewall provides a location for monitoring security-related events.
3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IP Security.


• Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall.
2. The firewall does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus-infected programs or files.
• Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.

Types of Firewalls

• There are three common types of firewalls:
1. Packet filters
2. Application-level gateways
3. Circuit-level gateways

Packet-Filtering Router

• A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
• The router is typically configured to filter packets going in both directions (from and to the internal network).

Firewalls – Packet Filters

• Filtering rules are based on information contained in a network packet, such as:
– Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
– Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
– Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET.
– IP protocol field: Defines the transport protocol
– Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for
• If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken.
• Two default policies are possible:
– Default = discard: That which is not expressly permitted is prohibited.
– Default = forward: That which is not expressly prohibited is permitted.
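As an added example (not code from the slides), a minimal first-match packet filter in Python over the fields listed above, with the default policy passed in as a parameter so that both "default = discard" and "default = forward" can be exercised. The interface names ("ext"/"int"), the addresses and the three rules are constructed assumptions; the first rule uses the interface field to drop packets that arrive from outside carrying an internal source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # IP protocol field: "tcp" or "udp"
    sport: int    # source transport-level port
    dport: int    # destination transport-level port
    iface: str    # router interface the packet arrived on

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "0.0.0.0/0"       # source network in CIDR form; the default matches any
    dst: str = "0.0.0.0/0"       # destination network in CIDR form
    proto: Optional[str] = None  # None means any value
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))

def filter_packet(rules: list, p: Packet, default: str = "discard") -> str:
    """The first matching rule decides; with no match the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed rule set (assumption): interface "ext" faces the Internet, "int"
# faces the internal network 192.168.1.0/24, and 192.168.1.2 is the mail host.
INTERNAL = "192.168.1.0/24"
RULES = [
    # A packet arriving from outside with an internal source address is spoofed.
    Rule("discard", src=INTERNAL, iface="ext"),
    # Inbound SMTP (TCP port 25) is permitted only to the mail host.
    Rule("forward", dst="192.168.1.2/32", proto="tcp", dport=25, iface="ext"),
    # Any TCP session initiated from inside may leave.
    Rule("forward", src=INTERNAL, proto="tcp", iface="int"),
]
```

With the default set to "forward", the inbound Telnet packet in the test below is let through, which is exactly why the slide's "default = discard" policy is the safer choice.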
• The following are weaknesses of packet filter firewalls:
– Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
– Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited.
– Most packet filter firewalls do not support advanced user authentication schemes.
– Finally, due to the small number of variables used in access control decisions, packet filter firewalls are vulnerable to security breaches caused by improper configurations.


• Some of the attacks that can be made on packet-filtering routers and the appropriate countermeasures are the following:
– IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.
– Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option.
– Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.
• Typically, a packet filter will make a filtering decision on the first fragment of a packet. A tiny fragment attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.
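The tiny fragment countermeasure just described, as an added Python example that is not part of the slides: the filter rejects a first fragment that carries too little of the transport header, remembers the datagram, and discards its later fragments. The fragment representation (a dict with src, dst, id, offset, more, payload_len), the 16-byte minimum and the sample fragments are constructed assumptions.

```python
# Assumption: a first fragment must carry at least this many bytes of the
# transport header (the slide's "predefined minimum amount"); 16 is a constructed value.
MIN_FIRST_FRAGMENT_BYTES = 16

class FragmentFilter:
    """Stateful countermeasure to the tiny fragment attack. A fragment is a
    constructed dict: src, dst, id (IP identification), offset (in 8-byte
    units), more (More Fragments flag), payload_len (transport bytes carried)."""

    def __init__(self, min_bytes: int = MIN_FIRST_FRAGMENT_BYTES):
        self.min_bytes = min_bytes
        self.rejected = set()   # (src, dst, id) of datagrams whose first fragment failed

    def decide(self, frag: dict) -> str:
        key = (frag["src"], frag["dst"], frag["id"])
        if frag["offset"] == 0:
            # First fragment: it must hold enough of the transport header for the
            # filter to decide on it; an unfragmented datagram (more=False) is exempt.
            if frag["more"] and frag["payload_len"] < self.min_bytes:
                self.rejected.add(key)
                return "discard"
            return "forward"
        # Later fragment: discard it if this datagram's first fragment was rejected.
        if key in self.rejected:
            if not frag["more"]:
                self.rejected.discard(key)   # last fragment seen: forget the datagram
            return "discard"
        return "forward"

def run(filter_: FragmentFilter, frags: list) -> list:
    """Decision for each fragment, in arrival order."""
    return [filter_.decide(f) for f in frags]

# Constructed sample: a TCP segment split so that only its first 8 bytes (ports
# and sequence number) are in fragment 1; the flags byte a filter would inspect
# arrives only in fragment 2, at offset 1 (i.e. byte 8).
TINY = [
    {"src": "10.0.0.5", "dst": "192.168.1.2", "id": 7, "offset": 0, "more": True, "payload_len": 8},
    {"src": "10.0.0.5", "dst": "192.168.1.2", "id": 7, "offset": 1, "more": False, "payload_len": 32},
]
# Ordinary fragmentation: the first fragment carries the whole transport header.
NORMAL = [
    {"src": "10.0.0.5", "dst": "192.168.1.2", "id": 8, "offset": 0, "more": True, "payload_len": 1480},
    {"src": "10.0.0.5", "dst": "192.168.1.2", "id": 8, "offset": 185, "more": False, "payload_len": 20},
]
```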
Application-Level Gateway

• An application-level gateway, also called a proxy server, acts as a relay of application-level traffic (Figure 20.1b). The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed.
• When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.


Application-Level Gateway (or Proxy)

• Application-level gateways tend to be more secure than packet filters.
• The application-level gateway need only scrutinize a few allowable applications.
• It is easy to log and audit all incoming traffic at the application level.
• A prime disadvantage of this type of gateway is the additional processing overhead on each connection.
• In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

Circuit-Level Gateway

• A third type of firewall is the circuit-level gateway (Figure 20.1c). This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications.
• A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections,
– one between itself and a TCP user on an inner host and
– one between itself and a TCP user on an outside host.


Firewalls - Circuit Level Gateway

• Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.
• A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users.
• In this configuration, the gateway can sustain the processing overhead of examining incoming application data for forbidden functions but does not sustain that overhead on outgoing data.

Bastion Host

• A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security.
• Typically, the bastion host serves as a platform for an application-level or circuit-level gateway.
• Common characteristics of a bastion host include the following:
– The bastion host hardware platform executes a secure version of its operating system, making it a trusted system.
– The bastion host may require additional authentication before a user is allowed access to the proxy services.
– Each proxy service may require its own authentication before granting user access.
– Each proxy is configured to support only a subset of the standard application's command set.
– Each proxy module is a very small software package specifically designed for network security.
– Each proxy is independent of other proxies on the bastion host.
– A proxy generally performs no disk access other than to read its initial configuration file. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.
– Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.
– Each proxy is configured to allow access only to specific host systems.
– Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection.


Firewall Configurations

• In addition to the use of a simple configuration consisting of a single system, such as a single packet-filtering router or a single gateway, more complex configurations are possible and indeed more common.
• Figure 20.2 illustrates three common firewall configurations:
1. Screened host firewall, single-homed bastion
2. Screened host firewall, dual-homed bastion
3. Screened subnet firewall

1. In the screened host firewall, single-homed bastion configuration, the firewall consists of two systems: a packet-filtering router and a bastion host.
• Typically, the router is configured so that
A. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
B. For traffic from the internal network, only IP packets from the bastion host are allowed out.
• The bastion host performs authentication and proxy functions.
• This configuration has greater security than simply a packet-filtering router or an application-level gateway alone, for two reasons.
• First, this configuration implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy.
• Second, an intruder must generally penetrate two separate systems before the security of the

Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access.
– For example, the internal network may include a public information server, such as a Web server, for which a high level of security is not required. In that case, the router can be configured to allow direct traffic between the information server and the Internet.
• In the single-homed configuration just described, if the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.
2. The screened host firewall, dual-homed bastion configuration physically prevents such a security breach.
• The advantages of dual layers of security that were present in the previous configuration are present here as well.
• An information server or other hosts can be allowed direct communication with the router if this agrees with the security policy.

Firewall Configurations
3. The screened subnet firewall configuration of Figure 20.2c is the most secure of those we have considered.
• In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network.


Firewall Configurations
• This configuration creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability.
• This configuration offers several advantages:
– There are now three levels of defense to thwart intruders.
– The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
– Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the