Project Design 2012 Firewall & internet security

CONTENTS
TOPIC PAGE NO.

1. BLOCK DIAGRAM 2

2. NETWORK CONCEPTS 4

3. VARIOUS PROTOCOLS 7

4. IMPLEMENTATION OF NETWORK IN ORGANIZATION 8

5. FIREWALL 9

6. NETWORK SECURITY IMPLEMENTATION 12

7. JOURNALS 18

8. CONCLUSION 30

Dept of ECE 1
CUCEK 2012
Project Design 2012 Firewall & internet security

1. BLOCK DIAGRAM

Explanation

Private network

Network categorization based on the geographical size, its owner ship, the distance it covers and
its physical architecture, networks can be categorized by as:
1. Personal Area Network(PAN)
2. Local Area Network(LAN)
3. Metropolitan Area Network(MAN)
4. Wide Area Network(WAN)
PAN
A personal area network (PAN) is a computer network used for
communication among computer devices, including telephones and personal
digital assistants, in proximity to an individual's body. The devices may or
may not belong to the person in question. The reach of a PAN is typically a
few meters. PANs can be used for communication among the personal
devices themselves (intrapersonal communication), or for connecting to a
higher level network and the Internet (an uplink).

Fire wall
A firewall is a device or set of devices designed to permit or deny network transmissions based
upon a set of rules and is frequently used to protect networks from unauthorized access while
permitting legitimate communications to pass. With broad band internet becoming much more

Dept of ECE 2
CUCEK 2012
Project Design 2012 Firewall & internet security

popular and accessible to the masses, many users are becoming increasingly concerned about any
security issues that an 'always on' connection my present. As such many are looking for ways to
secure their system and files from the outside
There are basically two types of firewalls, these are hardware firewalls and software firewalls. A
hardware firewall is a physical device that is installed between the modem and computer or, in
the case of network of computers, it may be linked/incorporated into a broad band router being
used to share the internet connection can also act as a firewall device. A software firewall
however is a software application that is installed onto the computer system that you wish to
protect and this is usually the computer with the modem attached to it.

Figure 13: Firewall

Dept of ECE 3
CUCEK 2012
Project Design 2012 Firewall & internet security

2. NETWORK CONCEPTS

A network is nothing more than two or more computers connected to each other so that they can
exchange information, such as:
e mail messages or documents,

share resources, such as disk storage or printers

The connection may be via electrical cables that carry electrical signals or fiber-optic cables by
using impulses of light. Wireless network let computers communicate by using radio signals .

Figure 1 : basic network diagram

Need for a computer Network

If your company/business has more than one computer, chances are you could benefit from
networking them. A local area network (LAN) connects your company's computers, allowing

Dept of ECE 4
CUCEK 2012
Project Design 2012 Firewall & internet security

them to share and exchange a variety of information. While one computer can be useful on its
own, several networked computers can be much more useful.
Here are some of the ways a computer network can help you:
File sharing: Have you ever needed to access a file stored on another computer? A
network makes it easy for everyone to access the same file and prevents people from
accidentally creating different versions.
Printer sharing: If you use a computer, chances are you also use a printer. With a
network, several computers can share the same printer. Although you might need a more
expensive printer to handle the added workload, it's still cheaper to use a network printer
than to connect a separate printer to every computer in your office.
Communication and collaboration: It's hard for people to work together if no one knows
what anyone else is doing. A network allows employees to share files, view other
people's work, and exchange ideas more efficiently. In a larger office, you can use e-mail
and instant messaging tools to communicate quickly and to store messages for future
reference.
Organization: A variety of scheduling software is available that makes it possible to
arrange meetings without constantly checking everyone's schedules. This software
usually includes other helpful features, such as shared address books and to-do lists.
Remote access: Having your own network allows greater mobility while maintaining the
same level of productivity. With remote access in place, users are able to access the same
files, data, and messages even when they're not in the office. This access can even be
given to mobile handheld devices.
Data protection: You should know by now that it's vital to back up your computer data
regularly. A network makes it easier to back up all of your company's data on an offsite
server, a set of tapes, CDs, or other backup systems. Of course, another aspect of data
protection is data security.

Whenever you are connecting your network to internet, you should think of network security.
This includes firewall and Internet security suit.

Dept of ECE 5
CUCEK 2012
Project Design 2012 Firewall & internet security

Need for Network Security

Many network security threats today are spread over the Internet. The most common include:
Virus ,worms and Trojan horses
Spyware and adware
Zero day attacks , also called zero hour attacks
Hacker attacks
Denial of service attacks
Data Interception and theft
Identify theft

Network address translation (NAT)

In computer networking, network address translation (NAT) is the process of modifying IP
address information in IP packet headers while in transit across a traffic routing device. The
simplest type of NAT provides a one to one translation of IP addresses. RFC 2663 refers to this
type of NAT as basic NAT. It is often also referred to as one-to-one NAT. In this type of NAT
only the IP addresses, IP header checksum and any higher level checksums that include the IP
address need to be changed. The rest of the packet can be left untouched (at least for basic
TCP/UDP functionality, some higher level protocols may need further translation). Basic NAT s
can be used when there is a requirement to interconnect two IP networks with incompatible
addressing.
Network address translation has serious drawbacks on the quality of Internet connectivity and
requires careful attention to the details of its implementation. In particular all types of NAT break
the originally envisioned model of IP end-to-end connectivity across the Internet and NAPT
makes it difficult for systems behind a NAT to accept incoming communications. As a result,
NAT traversal methods have been devised to alleviate the issues encountered.

Protocols
In information technology, a protocol is the special set of rules that end points in a
telecommunication connection use when they communicate. Protocols specify interactions
between the communicating entities.
Protocols exist at several levels in a telecommunication connection. For example, there are
protocols for the data interchange at the hardware device level and protocols for data interchange
at the application program level. In the standard model known as Open Systems Interconnection
(OSI), there are one or more protocols at each layer in the telecommunication exchange that both

Dept of ECE 6
CUCEK 2012
Project Design 2012 Firewall & internet security

ends of the exchange must recognize and observe. Protocols are often described in an industry or
international standard.
The TCP/IP Internet protocols, a common example, consist of:
Transmission Control Protocol (TCP), which uses a set of rules to exchange messages
with other Internet points at the information packet level
Internet Protocol (IP), which uses a set of rules to send and receive messages at the
Internet address level
Additional protocols that include the Hypertext Transfer Protocol (HTTP) and File
Transfer Protocol (FTP), each with defined sets of rules to use with corresponding
programs elsewhere on the Internet

3. VARIOUS PROTOCOLS
Transmission Control Protocol
The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol
Suite. TCP is one of the two original components of the suite, complementing the Internet
Protocol (IP), and therefore the entire suite is commonly referred to as TCP/IP. TCP provides
reliable, ordered delivery of a stream of bytes from a program on one computer to another
program on another computer. TCP is the protocol that major Internet applications such as the
World Wide Web, email, remote administration and file transfer rely on. Other applications,
which do not require reliable data stream service, may use the User Datagram Protocol (UDP),
which provides a datagram service that emphasizes reduced latency over reliability.

Internet protocol
The Internet protocol suite is the set of communications protocols used for the Internet and other
similar networks. It is commonly known as TCP/IP from its most important protocols:
Transmission Control Protocol (TCP) and Internet Protocol (IP), which were the second
networking protocols defined in this standard. Modern IP networking represents a synthesis of
several developments that began to evolve in the 1960s and 1970s, namely the precursors of the
Internet and local area networks, which emerged during the 1980s, together with the advent of
the World Wide Web in the early 1990s.
The Internet protocol suite classifies its methods and protocols into four hierarchical abstraction
layers. From the lowest to the highest communication layer, these are the link layer, the internet
layer, the transport layer, and the application layer.[1][2] The layers define the operational scope

Dept of ECE 7
CUCEK 2012
Project Design 2012 Firewall & internet security

or reach of the protocols in each layer, reflected loosely in the layer names. Each layer has
functionality that solves a set of problems in its scope.
The link layer contains communication technologies for the local network to which the host is
connected directly by hardware components. The internet layer facilitates the interconnection of
local networks. As such, this layer establishes the Internet. Host-to-host communication tasks are
handled in the transport layer, which provides a general application-agnostic framework to
transmit data between hosts using protocols like the Transmission Control Protocol and the User
Datagram Protocol (UDP). Finally, the highest-level application layer contains all protocols that
are defined each specifically for the functioning of the vast array of data communications
services. This layer handles application-based interaction on a process-to-process level between
communicating Internet hosts.

Hypertext Transfer Protocol

The Hypertext Transfer Protocol (HTTP) is a networking protocol for distributed, collaborative,
hypermedia information systems. HTTP is the foundation of data communication for the World
Wide Web.

The standards development of HTTP has been coordinated by the Internet Engineering Task
Force (IETF) and the World Wide Web Consortium (W3C), culminating in the publication of a
series of Requests for Comments (RFC), most notably RFC 2616 (June 1999), which defines
HTTP/1.1, the version of HTTP in common use.
File Transfer Protocol
The File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one
host to another host over a TCP-based network, such as the Internet. FTP is built on a client-
server architecture and utilizes separate control and data connections between the client and
server. FTP users may authenticate themselves using a clear-text sign-in protocol but can connect
anonymously if the server is configured to allow it.
The first FTP client applications were interactive command-line tools, implementing standard
commands and syntax. Graphical user interface clients have since been developed for many of
the popular desktop operating.

Dept of ECE 8
CUCEK 2012
Project Design 2012 Firewall & internet security

4. IMPLEMENTATION OF A NETWORK IN AN ORGANIZATION

1. Network Structure of a company
A company consist of so many blocks and buildings such as Administrative block, Institution
block, Lab block and hostel block etc. To provide internet for each block there must be a network
such as LAN, LAN ranges up to 100 m. The network consists of Firewall, Switches, LAN
extender etc. WI-FI is also used for this purpose without any wired connections. To access
Internet more than a distance of 100m, LAN extender can be used

Figure 14: Structure of a company

5. FIREWALL
A firewall is a device or set of devices designed to permit or deny network transmissions based
upon a set of rules and is frequently used to protect networks from unauthorized access while
permitting legitimate communications to pass.
Configuration of FIREWALL

For configuring Firewall enter the user name and password. Click Login

Dept of ECE 9
CUCEK 2012
Project Design 2012 Firewall & internet security

Sonic Wall TZ 170

Click the SYSTEM option. From this we can access the IP address and Link status of the LAN,
WAN and optional WAN

To add the computer, enter the Name, Zone Assignment, Type and IP Address of the particular
Computer and click ok

Dept of ECE 10
CUCEK 2012
Project Design 2012 Firewall & internet security

To get internet, to the added computer it should be added to a group. Select the added PC from
left side and click the button. Click OK

Bind the IP address with MAC (Media Access Control) address to avoid the unauthorized access.
Enter the IP address and Interface as LAN then we gets the Mac address. Check Bind MAC
Address. Click ok

Dept of ECE 11
CUCEK 2012
Project Design 2012 Firewall & internet security

Figure showing the list of computers connected to this network is shown below. So by enabling
or disabling we can be secure about the connectivity.

We can even find the log view list as shown below

6. NETWORK SECURITY IMPLEMENTATION

Many network security threats today are spread over the internet. The most common include:
Virus, worms and Trojan horses
Spy ware and ad ware
Zero day attacks, also called Zero hour attacks

Dept of ECE 12
CUCEK 2012
Project Design 2012 Firewall & internet security

Hacker attacks
Denial of service attacks
Data interception and theft
Identify theft

Network security
In the field of networking, the area of network security[1] consists of the provisions and policies
adopted by the network administrator to prevent and monitor unauthorized access, misuse,
modification, or denial of the computer network and network-accessible resources. Network
security involves the authorization of access to data in a network, which is controlled by the
network administrator. Users choose or are assigned an ID and password or other authenticating
information that allows them access to information and programs within their authority. Network
security covers a variety of computer networks, both public and private, that are used in everyday
jobs conducting transactions and communications among businesses, government agencies and
individuals. Networks can be private, such as within a company, and others which might be open
to public access. Network security is involved in organizations, enterprises, and other types of
institutions. It does as its title explains: It secures the network, as well as protecting and
overseeing operations being done. The most common and simple way of protecting a network
resource is by assigning it a unique name and a corresponding password.
Benefits of Network security
With network security in place your company will experience many Business benefits. Your
company is protected against business disruption, which helps employees productive. Network
security helps your company meet mandatory regulatory compliance. Because network security
protects your customers data, it reduces the risk of legal action from data theft.
Ultimately, network security helps protect a businesss reputation, which is one of its most
important assets.

Dept of ECE 13
CUCEK 2012
Project Design 2012 Firewall & internet security

Figure 17: Internet users and Firewall security.

Figure 18: Firewall in an organizations WAN setup.

Inside the Firewall

Engineering the complexity out of enterprise-class network security, the Sonic Wall Unified
Threat Management (UTM) platform unifies multiple protection and productivity technologies
into a complete and easily managed solution.
The Sonic Wall combines a Packet Inspection firewall with comprehensive:
Anti-Virus protection
Anti-Spy ware protection
Intrusion Prevention
Virtual Private Networking (VPN)
Content Filtering and Application Control
Spam Blocking
Secure Wireless Networking
Centralized Management and Reporting

Antivirus security
A virus is executable code that infects or attaches itself to other executable code to reproduce
itself. Some malicious viruses erase files or lock up systems, while other viruses merely infect
files and can overwhelm the target host or network with bogus data. Antivirus or anti-virus

Dept of ECE 14
CUCEK 2012
Project Design 2012 Firewall & internet security

software is used to prevent, detect, and remove mal ware, including but not limited to computer
viruses, computer worm, Trojan horses, spy ware and ad ware. This page talks about the software
used for the prevention and removal of such threats, rather than computer implemented by
software methods.
A variety of strategies are typically employed. Signature-based detection involves searching for
known patterns of data within executable code. However, it is possible for a computer to be
infected with new mal ware for which no signature is yet known. To counter such so-called zero,
heuristics can be used. One type of heuristic approach, generic signatures, can identify new
viruses or variants of existing viruses by looking for known malicious code, or slight variations
of such code, in files. Some ant virus software can also predict what a file will do by running it in
a sandbox and analyzing what it does to see if it performs any malicious actions.
No matter how useful ant virus software can be, it can sometimes have drawbacks. Antivirus
software can impair a computer's performance. Inexperienced users may also have trouble
understanding the prompts and decisions that ant virus software presents them with. An incorrect
decision may lead to a security breach. If the ant virus software employs heuristic detection,
success depends on achieving the right balance between false positives and false negatives. False
positives can be as destructive as false negatives. Finally, antivirus software generally runs at the
highly trusted kernel level of the operating system, creating a potential avenue of attack. It can be
subdivided in to two. Server based and client based Antivirus.

Server based Anti virus

In server based antivirus the server provide security to its all clients that mean the it need only the
updating of server. Norton antivirus is one of most used server based antivirus.
Norton Anti Virus, developed and distributed by Symantec Corporation, provides mal ware
prevention and removal during a subscription period. It uses signatures and heuristics to identify
viruses. Other features include e-mail Spam filtering and phishing protection.
Symantec distributes the product as a download, a box copy, and as OEM software. Norton
Antivirus and Norton Internet Security, a related product, held a 61% US retail market share for
security suites as of the first half of 2007. Competitors, in terms of market share in this study,
include antivirus products from CA, Trend Micro, and Kaspersky Lab.
Norton Antivirus runs on Microsoft Windows and Mac OS X. Windows 7 support is in
development for versions 2006 through 2008. Version 2009 has Windows 7 supported update

Dept of ECE 15
CUCEK 2012
Project Design 2012 Firewall & internet security

already. Versions 2010, 2011, and 2012 all natively support Windows 7, without needing an
update. Version 12 is the only version fully compatible with Mac OS X Lion.
In the server based antivirus there is only common one updating is needed because , in the server
based the antivirus is initiated only in the server and their by the clients use its advantages .So if
we update the server the clients will get the benefit.

We have to log on to the Norton, by entering the User name and Password.

Dept of ECE 16
CUCEK 2012
Project Design 2012 Firewall & internet security

By log on to the Symantec antivirus software we can see the security statues of the server
network.

By clicking the monitor option we can see the security status of a particular machine.

Dept of ECE 17
CUCEK 2012
Project Design 2012 Firewall & internet security

7. JOURNALS

Firewalls and Internet Security, the Second Hundred (Internet) Years

by Frederic Avolio, Avolio Consulting

Interest and knowledge about computer and network security is growing along with the need for
it. This interest is, no doubt, due to the continued expansion of the Internet and the increase in the
number of businesses that are migrating their sales and information channels to the Internet. The
growth in the use of networked computers in business, especially for e-mail, has also fueled this
interest. Many people are also presented with the postmortems of security breaches in high-
profile companies in the nightly news and are given the impression that some bastion of defense
had failed to prevent some intrusion. One result of these influences is that that many people feel
that Internet security and Internet firewalls are synonymous. Although we should know that no

Dept of ECE 18
CUCEK 2012
Project Design 2012 Firewall & internet security

single mechanism or method will provide for the entire computer and network security needs of
an enterprise, many still put all their network security eggs in one firewall basket.

Computer networks may be vulnerable to many threats along many avenues of attack, including:

Social engineering, wherein someone tries to gain access through social means
(pretending to be a legitimate system user or administrator, tricking people into revealing
secrets, etc.)

War dialing, wherein someone uses computer software and a modem to search for
desktop computers equipped with modems that answer, providing a potential path into a
corporate network

Denial-of-service attacks, including all types of attacks intended to overwhelm a

computer or a network in such a way that legitimate users of the computer or network
cannot use it

Protocol-based attacks, which take advantage of known (or unknown) weaknesses in

network services

Host attacks, which attack vulnerabilities in particular computer operating systems or in

how the system is set up and administered

Password guessing

Eavesdropping of all sorts, including stealing e-mail messages, files, passwords, and other
information over a network connection by listening in on the connection.

Internet firewalls have been around for a hundred years-in Internet time. Firewalls can help
protect against some of these attacks, but certainly not all. Firewalls can be very effective at what
they do. The people who set up and use them must have the knowledge of how they work, and
also be aware of what they can and cannot protect. In this article, we examine the Internet
firewall, touch on its history, see how firewalls are used today, and discuss changes that are in
place for the next hundred years.

Internet History

Dept of ECE 19
CUCEK 2012
Project Design 2012 Firewall & internet security

In the beginning, there was no Internet. There were no networks. There was no e-mail, and
people relied on postal mail or the telephone to communicate. The very busy sent telegrams. Few
people used ugly names to refer to others whom they had never met. Of course, the Internet has
changed all this. The Internet, which started as the Advanced Research Projects Agency Network
(ARPANET), was a small, almost closed, community. It was a place, to borrow a line from the
theme to Cheers, "where everybody knows your name, and they're always glad you came."

On November 2, 1988, something happened that changed the Internet forever. Reporting this
incident, Peter Yee at the NASA Ames Research Center sent a note out to the TCP/IP Internet
mailing list that reported, "We are currently under attack from an Internet VIRUS! It has hit
Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames." Of course, this
report was the first documentation of what was to be later called The Morris Worm. The
researchers and contributors that had built the Internet, as well as the organizations that were
starting to use it, realized at that moment that the Internet was no longer a closed community of
trusted colleagues. In fact, it hadn't been for years. To their credit, the Internet community did not
overreact to this situation. Rather, they started sharing information on their practices to prevent
future disruptions.

(One of the results of this problem was a growth in the number of Internet mailing lists dedicated
to security and bug tracking. The firewalls list-subscribe with e-mail to the bugtraqs list- -are two
examples, as well as the CERT Coordination CenterOther famous, and general, attacks followed:

Bill Cheswick's "evening with Berferd" [4]

Clifford Stoll's run-in with German spies [7]

The massive password capture of the winter of 1994

The IP spoofing attack that Kevin Mitnick used against Tsutomu Shimomura [6]

The rash of denial-of-service attacks in January 1996, and the "Web site break-in of the
week."

All these viruses have made it into the popular press, and all have raised awareness of the need
for good computer and network security. As these, and other, events were unfolding, the firewall
was starting its rapid evolution. Although the development of firewall technology and products

Dept of ECE 20
CUCEK 2012
Project Design 2012 Firewall & internet security

may be seen as very fast, it sometimes seems that firewalls are just barely keeping up with the
new applications and services that spring up and immediately become a "requirement" for many
Internet users.

Firewall History

We are used to firewalls in other disciplines, and, in fact, the term did not originate with the
Internet. We have firewalls in housing, separating, for example, a garage from a house, or one
apartment from another. Firewalls are barriers to fire, meant to slow down its spread until the fire
department can put it out. The same is true for firewalls in automobiles, segregating the
passenger and engine compartments. Cheswick and Bellovin, in the definitive text on Internet
firewalls [4] , said an Internet firewall has the following properties: it is a single point between
two or more networks where all traffic must pass (choke point); traffic can be controlled by and
may be authenticated through the device, and all traffic is logged. In a talk, Bellovin later stated,
"Firewalls are barriers between 'us' and 'them' for arbitrary values of 'them.'" The first network
firewalls appeared in the late 1980s and were routers used to separate a network into smaller
LANs. In these scenarios and using Bellovin's definition, above "us" might be well, "us." And
"them" might be the English Department. Firewalls like this were put in place to limit problems
from one LAN spilling over and affecting the whole network. All this was done so that the
English Department could add any applications to its own network, and manage its network in
any way that the department wanted. The department was put behind a router so that problems
due to errors in network management, or noisy applications, did not spill over to trouble the
whole campus network. The first security firewalls were used in the early 1990s. They were IP
routers with filtering rules. The first security policy was something like the following: allow
anyone "in here" to access "out there." Also, keep anyone (or anything I don't like) "out there"
from getting "in here." These firewalls were effective, but limited. It was often very difficult to
get the filtering rules right, for example. In some cases, it was difficult to identify all the parts of
an application that needed to be restricted. In other cases, people would move around and the
rules would have to be changed.

The next security firewalls were more elaborate and more tunable. There were firewalls built on
so called bastion hosts. Probably the first commercial firewall of this type, using filters and
application gateways (proxies), was from Digital Equipment Corporation, and was based on the
DEC corporate firewall. Brian Reid and the engineering team at DEC's Network Systems Lab in
Palo Alto originally invented the DEC firewall. The first commercial firewall was configured for

Dept of ECE 21
CUCEK 2012
Project Design 2012 Firewall & internet security

and delivered to the first customer, a large East Coast-based chemical company, on June 13,
1991. During the next few months, Marcus Ranum at Digital invented security proxies and
rewrote much of the rest of the firewall code. The firewall product was produced and dubbed
DEC SEAL (for Secure External Access Link). The DEC SEAL was made up of an external
system, called Gatekeeper, the only system the Internet could talk to, a filtering gateway, called
Gate, and an internal Mailhub (see Figure 1).

In this same time frame, Cheswick and Bellovin at Bell Labs were experimenting with circuit
relay-based firewalls. Raptor Eagle came out about six months after DEC SEAL was first
delivered, followed by the ANS InterLock.

Figure 1: DEC SEAL-First Commercial Firewall

* On October 1, 1993, the Trusted Information Systems (TIS) Firewall Toolkit (FWTK) was
released in source code form to the Internet community. It provided the basis for TIS' commercial
firewall product, later named Gauntlet. At this writing, the FWTK is still in use by experimenters,
as well as government and industry, as a basis for their Internet security. In 1994, Check Point
followed with the Firewall-1 product, introducing "user friendliness" to the world of Internet
security. The firewalls before Firewall-1 required editing of ASCII files with ASCII editors.
Check Point introduced icons, colors, and a mouse-driven, X11 based configuration and
management interface, greatly simplifying fire-wall installation and administration.

Early firewall requirements were easy to support because they were limited to the Internet
services available at that time. The typical organization or business connecting to the Internet
needed secure access to remote terminal services (Telnet), file transfer (File Transfer Protocol
[FTP]), electronic mail (Simple Mail Transfer Protocol [SMTP]), and USENET News (the
Network News Transfer Protocol-NNTP). Today, we add to this list of "requirements" access to

Dept of ECE 22
CUCEK 2012
Project Design 2012 Firewall & internet security

the World Wide Web, live news broadcasts, weather information, stock quotes, music on demand,
audio and videoconferencing, telephony, database access, file sharing, and the list goes on.

What new vulnerabilities are there in these new "required" services that are daily added to some
sites? What are the risks? Too often, the answer is "we don't know."

Types of Firewalls

There are four types of Internet firewalls, or, to be more accurate, three types plus a hybrid. The
details of these different types are not discussed here because they are very well covered in the
literature. [1, 3, 4, 5]

Packet Filtering

One kind of firewall is a packet filtering firewall. Filtering firewalls screen packets based on
addresses and packet options. They operate at the IP packet level and make security decisions
(really, "to forward, or not to forward this packet, that is the question") based on the headers of
the packets.

The filtering firewall has three subtypes:

Static Filtering, the kind of filtering most routers implement-filter rules that must be
manually changed

Dynamic Filtering, in which an outside process changes the filtering rules dynamically,
based on router-observed events (for example, one might allow FTP packets in from the
outside, if someone on the inside requested an FTP session)

Stateful Inspection, a technology that is similar to dynamic filtering, with the addition of
more granular examination of data contained in the IP packet

Dynamic and stateful filtering firewalls keep a dynamic state table to make changes to the
filtering rules based on events.

Circuit Gateways

Dept of ECE 23
CUCEK 2012
Project Design 2012 Firewall & internet security

Circuit gateways operate at the network transport layer. Again, connections are authorized based
on addresses. Like filtering gateways, they (usually) cannot look at data traffic flowing between
one network and another, but they do prevent direct connections between one network and
another.

Application Gateways

Application gateways or proxy-based firewalls operate at the application level and can examine
information at the application data level. (We can think of this as the contents of the packets,
though strictly speaking proxies do not operate with packets.) They can make their decisions
based on application data, such as commands passed to FTP, or a URL passed to HTTP. It has
been said that application gateways "break the client/server model."

Hybrid firewalls, as the name implies, use elements of more than one type of firewall. Hybrid
firewalls are not new. The first commercial firewall, DEC SEAL, was a hybrid, using proxies on
a bastion host (a fortified machine, labeled "Gatekeeper" in Figure 1), and packet filtering on the
gateway machine ("Gate"). Hybrid systems are often created to quickly add new services to an
existing firewall. One might add a circuit gateway or packet filtering to an application gateway
firewall, because it requires new proxy code to be written for each new service provided. Or one
might add strong user authentication to a stateful packet filter by adding proxies for the service or
services.

No matter what the base technology, a firewall still basically acts as a controlled gateway
between two or more networks through which all traffic must pass. A firewall enforces a security
policy and it keeps an audit trail.

What a Firewall Can Do

Dept of ECE 24
CUCEK 2012
Project Design 2012 Firewall & internet security

A firewall intercepts and controls traffic between networks with differing levels of trust. It is part
of the network perimeter defense of an organization and should enforce a network security
policy. By Cheswick's and Bellovin's definition, it provides an audit trail. A firewall is a good
place to support strong user authentication as well as private or confidential communications
between firewalls. As pointed out by Chapman and Zwicky [2] , firewalls are an excellent place
to focus security decisions and to enforce a network security policy. They are able to efficiently
log internetwork activity, and limit the exposure of an organization.

The exposure to attack is called the "zone of risk." If an organization is connected to the Internet
without a firewall (Figure 2), every host on the private network can directly access any resource
on the Internet. Or to put it as a security officer might, every host on the Internet can attack every
host on the private network. Reducing the zone of risk is better. An internetwork firewall allows
us to limit the zone of risk. As we see in Figure 3, the zone of risk becomes the firewall system
itself. Now every host on the Internet can attack the firewall. With this situation, we take Mark
Twain's advice to "Put all your eggs in one basket and watch that basket."

Figure 2: Zone of Risk for an Unprotected Private Network

Figure 3: Zone of Risk with a Firewall

What a Firewall Cannot Do

Dept of ECE 25
CUCEK 2012
Project Design 2012 Firewall & internet security

Firewalls are terrible at reading people's minds or detecting packets of data with "bad intent."
They often cannot protect against an insider attack (though might log network activity, if an
insider uses the Internet gateway in his crime). Firewalls also cannot protect connections that do
not go through the firewall. In other words, if someone connects to the Internet through a desktop
modem and telephone, all bets are off. Firewalls provide little protection from previously
unknown attacks, and typically provide poor protection against computer viruses.

Firewalls Today: Additions

The first add-on to Internet firewalls was strong user authentication. If your security policy
allows access to the private network from an outside network, such as the Internet, some kind of
user authentication mechanism is required. User authentication simply means "to establish the
validity of a claimed identity." A username and password provides user authentication, but not
strong user authentication. On a nonprivate connection, such as an unencrypted connection over
the Internet, a username and password can be copied and replayed. Strong user authentication
uses cryptographic means, such as certificates, or uniquely keyed cryptographic calculators.
These certificates prevent "replay attacks" where, for example, a username and password are
captured and "replayed" to gain access. Because of where it sits on both the "trusted" and
"untrusted" networks and because of its function as a controlled gateway, a firewall is a logical
place to put this service.

The next add-on to Internet firewalls was firewall-to-firewall encryption, first introduced on the
ANS InterLock Firewall. Today, such an encrypted connection is known as a Virtual Private
Network, or VPN. It is "private" through the use of cryptography. It is "virtually" private because
the private communication flows over a public network the Internet, for example. Although
VPNs were available before firewalls via encrypting modems and routers, they came into
common use running on firewalls. Today, most people expect a firewall vendor to offer a VPN
option. Firewalls act as the endpoint for VPNs between the enterprise and mobile users or
telecommuters, keeping communication confidential from notebook PC, home desktop, or
remote office.

In the past two years, it has become popular for firewalls to also act as content screening devices.
Some additions to firewalls in this area include virus scanning, URL screening, and key word
scanners (also known in U.S. government circles as "guards"). If the security policy of your
organization mandates screening for computer viruses and it should it makes sense to put such

Dept of ECE 26
CUCEK 2012
Project Design 2012 Firewall & internet security

screening at a controlled entry point for computer files, such as the firewall. In fact, standards
exist for plugging antivirus software into the data flow of the firewall, to intercept and analyze
data files. Likewise, URL screening firewall controlled access to the World Wide Web-and
content screening of files and messages seem like logical additions to a firewall. After all, the
data is flowing through the fingers of the firewall system, so why not examine it and allow the
firewall to enforce the security policies of the organization? The downside to this scenario is
performance. Also virus scanning must ultimately be performed on each desktop because data
may come in to the desktops from paths other than through the firewall-for instance, the floppy.

Recently, some firewall and router vendors have been making the case for a relatively new
firewall add-on called "flow control" to deliver Quality of Service (QoS). QoS, for example, can
limit the amount of network bandwidth any one user can take up, or limit how much of the
network capacity can be used for specific services (such as FTP or the Web). Once again, because
the firewall is the gateway, it is the logical place to put a QoS arbitrating mechanism.

Firewalls Tomorrow

In 1997, The Meta Group, and others, predicted that firewalls would be the center of network and
internetwork security [7] . After all, firewalls were the first big security item, the first successful
Internet security product, and the most visible security device. They quickly became a "must
have" this is good and a "good enough" this is not good because firewalls alone are not sufficient.
Firewalls became synonymous with security, as mentioned above. The firewall console becoming
the network security console seemed natural at that time. But this scenario has not happened, nor
will it happen. The reason? The firewall is just another mechanism used to enforce a security
policy. This specific enforcement device will not be the policy management device.

As organizations broaden the base of measures and countermeasures used to implement a

comprehensive network and computer security policy, firewalls will need to communicate with
and interact with other devices. Intrusion detection devices running on or separate from the
firewall must be able to reconfigure the firewall to meet a new perceived threat (just as dynamic
filtering firewalls today "reconfigure" themselves to meet the needs of a user).

Firewalls will have to be able to communicate with network security control systems, reporting
conditions and events, allowing the control system to reconfigure sensors and response systems.
A firewall could signal an intrusion detection system to adjust its sensitivity, as the firewall is

Dept of ECE 27
CUCEK 2012
Project Design 2012 Firewall & internet security

about to allow an authenticated connection from outside the security perimeter. A central
monitoring station could watch all this, make changes, react to alarms and other notifications,
and make sure that all antivirus software and other content screening devices were functioning
and "up to rev." Some products have started down this path already. The Intrusion Detection
System (IDS) and firewall reconfiguration of network routers based on perceived threat is a
reality today. Also, firewall resident IDS and help-desk software enable another vendor's system
to expand from a prevention mechanism into detecting and responding. The evolution continues
and firewalls are changing rapidly to address the next 100 (Internet) years.

In June 1994, the author wrote [5] , "Firewalls are a stopgap measure needed because many
services are developed that operate either with poor security or no security at all." This statement
is erroneous. Firewalls are not a stopgap measure. Firewalls play an important part in a
multilevel, multilayer security strategy. Internet security firewalls will not go away, because the
problem firewalls address-access control and arbitration of connections in light of a network
security policy will not go away.

As use of the Internet and internetworked computers continues to grow, the use of Internet
firewalls will grow. They will no longer be the only security mechanism, but will cooperate with
others on the network. Firewalls will morphas they have from what we recognize today, just as
walls of brick and mortar were eventually replaced by barbed wire, motion sensors, and video
cameras and brick and mortar. But Internet firewalls will continue to be a required part of the
methods and mechanisms used to enforce a corporate security policy. References

1. Avolio, F. and Ranum, M., "A Network Perimeter with Secure External Access,"
Proceedings of the ISOC NDSS Symposium, 1996.

2. Chapman, D. B. and Zwicky, E., Building Internet Firewalls, ISBN 1-56592-124-0,

O'Reilly and Associates, 1995.

3. Cheswick, W. and Bellovin, S., Firewalls and Internet Security: Repelling the Wily
Hacker, ISBN 0201633574, Addison-Wesley, 1994.

4. Ranum, M. and Avolio, F., "A Toolkit and Methods for Internet Firewalls," Proceedings of
the summer USENIX conference, 1994.)

Dept of ECE 28
CUCEK 2012
Project Design 2012 Firewall & internet security

5. Shimomura, T. and Markoff, J., Takedown: The Pursuit and Capture of Kevin Mitnick,
America's Most Wanted Computer Outlaw-By the Man Who Did It, ISBN 0-7868-89136,
Warner Books, 1996.

6. Stoll, C., The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage,
ISBN 0671726889, Reprint edition, Pocket Books, 1995.

7. Meta Global Networking Strategies File 549, November 24, 1997.

FREDERICK M. AVOLIO is an independent security consultant. He has lectured and consulted

on Internet gateways and firewalls, security, cryptography, and electronic mail configuration for
both government and industry, working in the UNIX and TCP/IP communities since 1979. He is
a top-rated speaker and contributor to NetWorld+Interop, USENIX, SANS, TISC, and other
security-related forums. With Paul Vixie, Avolio wrote the book Sendmail: Theory and Practice,
published by Digital Press. He has an undergraduate degree in Computer Science from the
University of Dayton and a Master of Science from Indiana University.

Cameron calls for firewall

By Sam Lister and Geoff Meade

Published: 22/02/2012

David Cameron called for tough action to prevent Greek debt turmoil spreading as City
analysts warned that yesterdays 110billion bailout did not spell the end of the crisis
marathon.
The prime minister said Europe must focus on creating a firewall capable of preventing
contagion within the eurozone after a second massive rescue package for Greece was finally
delivered.
European ministers have cautiously welcomed the deal, but it has been dismissed by some
experts as undeliverable.

Security Manager's Journal: New firewalls should increase protection

Our manager's company is trying out the latest generation of firewalls, which offers some
exciting possibilities.

By Mathias Thurman

Dept of ECE 29
CUCEK 2012
Project Design 2012 Firewall & internet security

March 7, 2011 06:00 AM ET

Computerworld - This week, my company began deploying new firewalls. The old ones
have been in place for more than six years; the new ones will allow us to take advantage of
the next generation of features.

Today, application-based (Layer 7) firewalls provide far more flexibility than was available
before. The methods of inspecting traffic enable us to allow or deny traffic based on a
variety of factors. In addition, the firewall we chose, which is from Palo Alto Networks,
offers what has been termed unified threat management (UTM), so we can eliminate several
extra appliances and management consoles. UTM-type devices are not new, and in the past
I'd found that all the functionality they offered had a big impact on performance. That's still
a problem to some degree, but Palo Alto's system uses several chip sets for offloading and
parallel-processing some of the functionality. That seems to minimize the performance hit to
a satisfactory degree.

Trouble Ticket

At issue: Firewalls have gotten a lot more sophisticated since the company's were installed six
years ago.

Action plan: Try out a new firewall system at some smaller sites, then embark on a
companywide deployment if all goes well.

One thing about the new firewall technology that I like a lot is that it can be integrated with
Active Directory, allowing us to build application-specific firewall rules based on individual
needs. For example, if our remote-access policy didn't authorize the use of pcAnywhere but
someone had a legitimate business need for it, I could write a rule and enable the use of that
software, even by a single employee. At the same time, I could restrict that sort of remote
access based upon time of day.

Naturally, the firewall offers URL content filtering for restricting access to certain Web sites
and Web-based applications. But now we can do more than just block sites that traffic in
porn, crime, terrorism and gambling; we can also define the sorts of activities that are
permissible on some allowed sites. As things stand now, we give our employees access to
third-party chat applications such as Yahoo Messenger, Google Talk and even Skype. But the

Dept of ECE 30
CUCEK 2012
Project Design 2012 Firewall & internet security

firewall lets us prevent file transfers over such systems. That gives us a new way to
further protect our intellectual property by stopping the illicit dissemination of sensitive
documents. And again, if someone has a business need, I can make an exception.

Meanwhile -- and for me this just adds to the excitement -- we are directing the firewall logs
to our new security event management tool. I hope to combine the rules from the firewall
with rules from other application and server logs, as well as NetFlow traffic from our Cisco
infrastructure, to provide meaningful information related to potential incidents. For example,
if the firewall blocks a Port 80 connection to a malicious command-and-control server, we
can correlate that with other data to determine how the user introduced malware, the origin
of the infection and how many other resources were affected.

Not All at Once

For some of our smaller offices, we will also be enabling the intrusion-prevention feature
(although we won't block traffic until we're confident that the rules are properly tuned).
Other cool features include real-time detection and prevention of viruses and malware,
traditional VPN options, and quality-of-service rules that will allow us to prioritize various
types of traffic.

The initial rollout involves a half-dozen firewalls at some of our smaller sites. If we're happy
with our experience, we'll continue the deployment in stages to the remaining 40-plus
Internet points of presence that the company currently supports.

I am excited about this new technology and am hopeful for its success in our environment.
But just in case, we're not getting rid of the old firewalls just yet.

8. CONCLUSION

We have successfully implemented the project Design and implementation of Internet

security for an organisation using Firewall. It is recommended to have a firewall centrally and

Dept of ECE 31
CUCEK 2012
Project Design 2012 Firewall & internet security

a server based or client based antivirus is recommended for a network for its proper and smooth
running.

Dept of ECE 32
CUCEK 2012