Firewall

Uploaded by

mr.ali2033.am
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
24 views35 pages

Firewall

Uploaded by

mr.ali2033.am
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 35

Network Security Essentials, 6th Edition, by William Stallings
Chapter 12
Introduction

• we have seen the evolution of information systems
• now everyone wants to be on the Internet
• and to interconnect networks
• this brings persistent security concerns
• can't easily secure every system in the organisation
• typically use a firewall
• to provide perimeter defence
• as part of a comprehensive security strategy
Design goals

1. All traffic from inside to outside, and vice versa, must pass through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system.
Firewall techniques

• Service control: Determines the types of Internet services that can be accessed, inbound or outbound.
• Direction control: Determines the direction in which particular service
requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is
attempting to access it (typically applied to users inside the firewall).
• Behavior control: Controls how particular services are used. For
example, the firewall may filter e-mail to eliminate spam.
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
• only authorized traffic is allowed
• auditing and controlling access
• can implement alarms for abnormal behavior
• provides non-security-related functions, e.g. NAT and usage monitoring
• implement VPNs using IPSec
• must be immune to penetration
Firewall Limitations

• cannot protect from attacks bypassing it
• eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
• eg disgruntled or colluding employees
• cannot protect against transfer of all virus infected
programs or files
• because of huge range of O/S & file types
Firewall types

• Packet Filters
• Stateful Packet Filters
• Application-Level Gateway
• Circuit Level Gateway
Firewalls – Packet Filters

• It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or
• as a negative filter, rejecting any packet that meets certain criteria.
• Depending on the type of firewall, it may examine one or
more protocol headers in each packet, the payload of each
packet, or the pattern generated by a sequence of packets
Firewalls – Packet Filters

• Transparent to users
• simplest, fastest firewall component
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to
rules
• hence restrict access to services (ports)
• possible default policies:
• that which is not expressly permitted is prohibited (default deny)
• that which is not expressly prohibited is permitted (default permit)
Firewalls – Packet Filters

• A packet filtering firewall applies a set of rules to each incoming and outgoing IP
packet and then forwards or discards the packet
• The firewall is typically configured to filter packets going in both directions (from
and to the internal network).
• Filtering rules are based on information contained in a network packet:
• Source IP address
• Destination IP address
• Source and destination transport-level address (e.g., TCP or UDP) port
• IP protocol field
• Interface
• Default Policy
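An added example (not from the slides or the textbook) showing how a stateless packet filter applies exactly the fields listed above: rules are tried in order, the first match wins, and the default policy decides anything unmatched. Addresses, interface names and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    iface: str            # interface the packet arrived on: "ext" or "int" (assumed names)

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # any source unless narrowed
    dst: str = "0.0.0.0/0"         # any destination unless narrowed
    proto: Optional[str] = None    # IP protocol field
    dport: Optional[int] = None    # transport-level destination port
    iface: Optional[str] = None    # arriving interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))

def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default policy covers everything else."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed policy: internal net 192.0.2.0/24 with a mail server at 192.0.2.25.
# Only SMTP is reachable from outside; inside hosts may initiate anything.
RULES = [
    Rule("permit", dst="192.0.2.25/32", proto="tcp", dport=25, iface="ext"),
    Rule("permit", src="192.0.2.0/24", iface="int"),
]

def demo() -> List[str]:
    inbound_smtp = Packet("203.0.113.7", "192.0.2.25", "tcp", 40000, 25, "ext")
    inbound_ssh = Packet("203.0.113.7", "192.0.2.10", "tcp", 40001, 22, "ext")
    outbound_web = Packet("192.0.2.10", "198.51.100.5", "tcp", 50000, 443, "int")
    return [filter_packet(RULES, p) for p in (inbound_smtp, inbound_ssh, outbound_web)]
```

Switching `default` to `"permit"` turns the same rule set into the "not expressly prohibited is permitted" policy, which is why the default deserves to be listed as a filtering field.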
Firewalls – Packet Filters
Limitation

• do not examine upper-layer data
• cannot prevent attacks that employ application-specific vulnerabilities
• cannot block specific application commands
• limited information available to the firewall
• the logging functionality present in packet filter firewalls is limited.
• do not support advanced user authentication
• vulnerable to attacks and exploits such as network layer address
spoofing.
• susceptible to security breaches due to the small number of variables
used in decisions
Firewalls – Packet Filters
Attacks

• IP address spoofing
• fake source address to be trusted
• add filters on router to block
• source routing attacks
• attacker sets a route other than default
• block source routed packets
• tiny fragment attacks
• split header info over several tiny packets
• either discard or reassemble before check
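An added example (not from the slides) implementing the three countermeasures above as filter checks on a simplified packet description: the anti-spoofing rule, dropping source-routed packets, and the tiny-fragment rule from RFC 1858. The packet fields, interface names and internal prefix are assumptions for illustration, not a real packet parser.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed internal prefix
LSRR, SSRR = 131, 137                        # IPv4 loose / strict source route option codes
MIN_FIRST_FRAG_TRANSPORT = 16                # bytes of TCP header required in fragment 0 (RFC 1858 example)

@dataclass
class Packet:
    src: str
    iface: str                              # "ext" = arrived from outside, "int" = from inside
    proto: str = "tcp"
    ip_options: List[int] = field(default_factory=list)   # IP option type codes present
    frag_offset: int = 0                    # fragment offset in 8-byte units, as in the IP header
    transport_len: int = 20                 # bytes of transport header carried in this fragment

def check_packet(p: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for the three attacks covered above."""
    # 1. IP address spoofing: a packet from the outside claiming an internal source.
    if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
        return "drop:spoofed-source"
    # 2. Source routing: discard any packet carrying a source-route option.
    if any(opt in (LSRR, SSRR) for opt in p.ip_options):
        return "drop:source-routed"
    # 3. Tiny fragments: the first fragment must hold the whole header under
    #    inspection, and a fragment at offset 1 could only overwrite that header.
    if p.proto == "tcp":
        if p.frag_offset == 0 and p.transport_len < MIN_FIRST_FRAG_TRANSPORT:
            return "drop:tiny-first-fragment"
        if p.frag_offset == 1:
            return "drop:overlapping-fragment"
    return "accept"

def demo() -> List[str]:
    # Constructed sample packets, one per case.
    return [
        check_packet(Packet("192.0.2.10", "ext")),                       # spoofed
        check_packet(Packet("203.0.113.7", "ext", ip_options=[LSRR])),   # source routed
        check_packet(Packet("203.0.113.7", "ext", transport_len=8)),     # tiny fragment
        check_packet(Packet("203.0.113.7", "ext", frag_offset=1, transport_len=8)),
        check_packet(Packet("203.0.113.7", "ext")),                      # ordinary packet
        check_packet(Packet("192.0.2.10", "int")),                       # internal host, inside
    ]
```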
Firewalls – Stateful Packet Filters

• traditional packet filters do not examine higher layer context
• ie matching return packets with outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
• keep track of client-server sessions
• check each packet validly belongs to one
• hence are better able to detect bogus packets out of
context
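An added example (not from the slides) of the session tracking described above: outbound client connections create an entry in a connection table, and an inbound packet is accepted only when it matches the reverse of a tracked flow, so an unsolicited packet from outside is denied even if a stateless rule would have let it through. Addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    direction: str = "in"     # "out" = internal -> external, "in" = external -> internal

FlowKey = Tuple[str, int, str, int, str]

class StatefulFilter:
    def __init__(self) -> None:
        # connection table: 5-tuple of the outbound flow -> handshake state
        self.table: Dict[FlowKey, str] = {}

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            key: FlowKey = (p.src, p.sport, p.dst, p.dport, p.proto)
            if p.syn and not p.ack:
                self.table[key] = "SYN_SENT"          # client opens a new session
                return "accept"
            if key in self.table:
                if p.ack and self.table[key] == "SYN_ACK_SEEN":
                    self.table[key] = "ESTABLISHED"   # handshake completed
                return "accept"
            return "deny"                             # outbound data with no session
        # inbound: the packet must be the reverse of a tracked outbound flow
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        state = self.table.get(key)
        if state is None:
            return "deny"                             # unsolicited, out of context
        if state == "SYN_SENT" and p.syn and p.ack:
            self.table[key] = "SYN_ACK_SEEN"          # server's reply to our SYN
        return "accept"

def demo() -> List[str]:
    fw = StatefulFilter()
    client, server = "192.0.2.10", "198.51.100.5"    # constructed addresses
    return [
        fw.handle(Packet(client, 50000, server, 443, syn=True, direction="out")),
        fw.handle(Packet(server, 443, client, 50000, syn=True, ack=True)),
        fw.handle(Packet(client, 50000, server, 443, ack=True, direction="out")),
        fw.handle(Packet("203.0.113.9", 40000, client, 22, syn=True)),   # no session
    ]
```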
Firewalls - Application Level Gateway
(or Proxy)
• have application specific gateway / proxy
• has full access to protocol
• user requests service from the proxy (contacts the gateway using a TCP/IP application, such as Telnet or FTP)
• proxy validates the request as legal (by asking the user for the name of the remote host and obtaining the user's authentication information)
• then actions request and returns result to user (by
contacting the application on the remote host and
relaying the application data)
• can log / audit traffic at application level
• need separate proxies for each service
Firewalls - Application Level Gateway
(or Proxy)
• Advantages:
• It is more secure than packet filters
• It is easy to log and audit all incoming traffic at the
application level.
• Disadvantages:
• The additional processing overhead on each connection
• There are two spliced connections between the end
users, with the gateway at the splice point, and the
gateway must examine and forward all traffic in both
directions.
Firewalls - Circuit Level Gateway

• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created usually relays traffic without examining contents
• typically used when internal users are trusted, by allowing general outbound connections (e.g. the gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections)
• SOCKS is commonly used
Firewall Basing
• It is common to base a firewall on a stand-alone machine running
a common operating system, such as UNIX or Linux.
• Firewall functionality can also be implemented as a software
module in a router or LAN switch.
• additional firewall basing considerations:
• Bastion Host
• Host-Based Firewalls
• Personal Firewalls
Bastion Host
• Typically serves as an application-level or circuit-level gateway
• highly secure host system
• runs circuit / application level gateways
• or provides externally accessible services
• potentially exposed to "hostile" elements
• hence is secured to withstand this
• hardened O/S, essential services, extra auth
• Proxies are small, secure, independent
• may support 2 or more net connections
Host-based Firewalls
• A software module to secure an individual host
• Like conventional stand-alone firewalls, host-resident firewalls
filter and restrict the flow of packets
• A common location for such firewalls is a server
• Filtering rules can be tailored to the host environment
• Used in conjunction with stand-alone firewalls, the host-based
firewall provides an additional layer of protection
Personal Firewalls
• A personal firewall controls the traffic between a personal computer or
workstation on one side and the Internet or enterprise network on the
other side
• can be used in the home environment and on corporate intranets
• Typically, the personal firewall is a software module on the personal
computer
• In a home environment with multiple computers: firewall functionality
can also be housed in a router that connects all of the home computers to
a DSL, cable modem, or other Internet interface
• are much less complex than either server-based firewalls or stand-alone firewalls
• The primary role of the personal firewall is to deny unauthorized
remote access to the computer. The firewall can also monitor outgoing
activity in an attempt to detect and block worms and other malware.
Personal Firewalls: Example Personal Firewall Interface (figure)
Firewall Configurations
• Generally, a security administrator must decide on the location
and on the number of firewalls needed.
• Here, we look at some common options:
Summary

• have considered:
• Firewalls and their types
• Location of firewalls
• Firewalls configurations
