Isaaa Review 2

This document discusses firewall policies and provides guidance on developing effective policies. It describes how firewall policies should allow or block network traffic based on factors like IP addresses, protocols, applications, and content. The document also discusses different types of firewalls and technologies, and provides recommendations for developing strong policies, including policies for protocols like ICMP and considerations for IPv6 traffic. It emphasizes the importance of only allowing necessary network traffic and restricting it based on user identity, network activity, and other factors.

Uploaded by

Azisz Paudel

INFORMATION SECURITY ANALYSIS AND AUDIT

CSE 3501

REVIEW-2
“FIREWALL POLICY”

Submitted by:-
Yogesh Mahato (18BCE2471)
Hansraj Kumar Rouniyar (18BCE2472)
Sundaram Yadav (18BCE2476)
Ashish Paudel (18BCE2494)

Submitted to: - Prof. RAJARAJAN.G


VIDEO LINK: -
Part 1:- https://www.youtube.com/watch?v=qmer35U3cDQ
Part 2:- https://www.youtube.com/watch?v=GsHXAeEeB_0&feature=youtu.be
INTRODUCTION
PURPOSE AND SCOPE
FIREWALL RULES
TYPES OF FIREWALL
POLICIES
FUTURE WORK
CONCLUSION
REFERENCES
A firewall is hardware, software, or a combination of both, used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.

This document seeks to assist organizations in understanding the capabilities of firewall technologies and firewall policies. It provides practical guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls.
Allow – traffic that flows automatically because it has been deemed
Block – traffic that is blocked because it has been deemed dangerous to your computer
Ask – asks the user whether or not the traffic is allowed to pass through
Packet Filtering Firewall
Application-level Gateway
Circuit-level Gateway

Remote login
SMTP session hijacking
Operating system bugs
Spam
E-mail bombs
Source routing
1) Policies Based on IP Addresses and Protocols
2) Policies Based on Applications
3) Policies Based on User Identity
4) Policies Based on Network Activity
Firewall Technologies: Firewalling is often combined with other technologies, most notably routing, and many technologies often associated with firewalls are more accurately part of these other technologies.

Packet Filtering: The most basic feature of a firewall is the packet filter. Packet filtering capabilities are built into most operating systems and devices capable of routing; the most common example of a pure packet filtering device is a network router that employs access control lists.

Stateful Inspection: Stateful inspection improves on the functions of packet filters by tracking the state of connections and blocking packets that deviate from the expected state.

Application Firewalls: Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent.

Virtual Private Networking: VPNs are most often used to provide secure network communications across untrusted networks. For example, VPN technology is widely used to extend the protected network of a multi-site organization across the Internet, and sometimes to provide secure remote user access to internal organizational networks via the Internet.
• Network Layouts with Firewalls: The unprotected side of the firewall connects to the single path labeled “WAN,” and the protected side connects to three paths labeled “LAN1,” “LAN2,” and “LAN3.” The firewall acts as a router for traffic between the wide area network (WAN) path and the LAN paths. In the figure, one of the LAN paths also has a router; some organizations prefer to use multiple layers of routers due to legacy routing policies within the network.

• Firewalls Acting as Network Address Translators: Most firewalls can perform NAT, which is sometimes called port address translation (PAT) or network address and port translation (NAPT). Despite the popular misconception, NAT is not part of the security functionality of a firewall. The security benefit of NAT (preventing a host outside the firewall from initiating contact with a host behind NAT) can just as easily be achieved by a stateful firewall with less disruption to protocols that do not work as well behind NAT.

• Architecture with Multiple Layers of Firewalls: A typical situation that requires multiple layers of network firewalls is the presence of internal users with varying levels of trust. For example, an organization might want to protect its accounting databases from being accessed by users who are not part of the accounting department. This could be accomplished by placing one firewall at the edge of the network (to prevent general access to the network from the Internet) and another at the edge of the internal network that defines the boundary of the accounting department.
• A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types (e.g., active content) based on the organization’s information security policies.

• Policies Based on IP Addresses and Protocols: Firewall policies should only allow necessary IP protocols through. Examples of commonly used IP protocols, with their IP protocol numbers, are ICMP (1), TCP (6), and UDP (17). Other IP protocols, such as IPsec components Encapsulating Security Payload (ESP) (50) and Authentication Header (AH) (51) and routing protocols, may also need to pass through firewalls.

• These necessary protocols should be restricted whenever possible to the specific hosts and networks within the organization with a need to use them. By permitting only necessary protocols, all unnecessary IP protocols are denied by default.

• Firewall policies should only permit appropriate source and destination IP addresses to be used. Specific recommendations for IP addresses include: Traffic with invalid source or destination addresses should always be blocked, regardless of the firewall location. Examples of relatively common invalid IPv4 addresses are 127.0.0.0 to 127.255.255.255 (also known as the localhost addresses) and 0.0.0.0 (interpreted by some operating systems as a localhost or a broadcast address). These have no legitimate use on a network.

• Traffic with a private destination address for incoming traffic or source address for outgoing traffic (an “internal” address) should be blocked at the network perimeter. Perimeter devices can perform address translation services to permit internal hosts with private addresses to communicate through the perimeter, but private addresses should not be passed through the network perimeter.
• IPv6 is a new version of IP that is increasingly being deployed. Although IPv6’s internal format and address length differ from those of IPv4, many other features remain the same, and some of these are relevant to firewalls.

• Every organization, whether or not it allows IPv6 traffic to enter its internal network, needs a firewall that is capable of filtering this traffic. These firewalls should have the following capabilities:
  • The firewall should be able to use IPv6 addresses in all filtering rules that use IPv4 addresses.
  • The administrative interface should allow administrators to clone IPv4 rules to IPv6 addresses to make administration easier.
  • The firewall needs to be able to filter ICMPv6, as specified in RFC 4890, Recommendations for Filtering ICMPv6 Messages in Firewalls.
  • The firewall should be able to block IPv6-related protocols such as 6-to-4 and 4-to-6 tunneling, Teredo, and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) if they are not required.

• Many sites tunnel IPv6 packets in IPv4 packets. This is particularly common for sites experimenting with IPv6, because it is currently easier to obtain IPv6 transit from a tunnel broker through a v6-to-v4 tunnel than to get native IPv6 transit from an Internet service provider (ISP). A number of ways exist to do this, and standards for tunneling are still evolving. If the firewall is able to inspect the contents of IPv4 packets, it needs to know how to inspect traffic for any tunneling method used by the organization. A corollary to this is that if an organization is using a firewall to prohibit IPv6 coming into or going out of its network, that firewall needs to recognize and block all forms of v6-to-v4 tunneling.
• Application protocols can use TCP, UDP, or both, depending on the design of the protocol. An application server typically listens on one or more fixed TCP or UDP ports. Some applications use a single port, but many applications use multiple ports.

• For example, although SMTP uses TCP port 25 for sending mail, it uses TCP port 587 for mail submission. Similarly, FTP uses at least two ports, one of which can be unpredictable, and while most web servers use only TCP port 80, it is common to have web sites that also use additional ports such as TCP port 8080.

• Some applications use both TCP and UDP; for example, DNS lookups can occur on UDP port 53 or TCP port 53. Application clients typically use any of a wide range of ports.

• Attackers can use various ICMP types and codes to perform reconnaissance or manipulate the flow of network traffic. However, ICMP is needed for many useful things, such as getting reasonable performance across the Internet.

• Some firewall policies block all ICMP traffic, but this often leads to problems with diagnostics and performance. Other common policies allow all outgoing ICMP traffic, but limit incoming ICMP to those types and codes needed for Path Maximum Transmission Unit (PMTU) discovery (ICMP code 3) and destination reachability.

• ICMP is often used by low-level networking protocols to increase the speed and reliability of networking. Therefore, ICMP within an organization’s network generally should not be blocked by firewalls that are not at the perimeter of the network, unless security needs outweigh network operational needs. Similarly, if an organization has more than one network, ICMP that comes from or goes to other networks within the organization should not be blocked.
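The address, protocol, port and ICMP recommendations above, combined into one perimeter policy evaluator. This is an added example, not code from the slides or from NIST; the internal ranges, the exposed services and the permitted inbound ICMP types are assumed values chosen to illustrate the policy, and packets are constructed dicts seen on the WAN side of the perimeter.

```python
import ipaddress

# Assumed policy values (constructed for this example, not from the slides).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
ALLOWED_PROTOS = {1, 6, 17, 50, 51, 58}          # ICMP, TCP, UDP, ESP, AH, ICMPv6
# Inbound services this policy exposes: (IP protocol, destination port or None).
INBOUND_SERVICES = {(6, 25), (6, 587), (6, 80), (6, 443), (6, 53), (17, 53),
                    (50, None), (51, None)}       # IPsec ESP/AH to the VPN gateway
INBOUND_ICMP_TYPES = {0, 3}        # echo reply; destination unreachable (PMTU is code 4)
INBOUND_ICMPV6_TYPES = {1, 2, 129}  # dest unreachable, packet too big, echo reply (RFC 4890)


def is_invalid(addr):
    """Loopback (127/8, ::1) and unspecified (0.0.0.0, ::) have no legitimate use on the wire."""
    return addr.is_loopback or addr.is_unspecified


def is_private(addr):
    """RFC 1918 / ULA ranges; 'in' returns False across IP versions, so mixing is safe."""
    return any(addr in net for net in PRIVATE_NETS)


def evaluate(pkt, direction):
    """Return "allow" or "block" for one packet.

    pkt: dict with "src" and "dst" (IPv4 or IPv6 strings), "proto" (IP protocol
    number), optional "dport" (TCP/UDP) and "icmp_type". direction: "in" (WAN->LAN)
    or "out" (LAN->WAN, after NAT has rewritten the source address).
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if is_invalid(src) or is_invalid(dst):
        return "block"                       # always, regardless of firewall location
    # Private addresses must not cross the perimeter: private destination inbound,
    # private source outbound.
    if (direction == "in" and is_private(dst)) or (direction == "out" and is_private(src)):
        return "block"
    if pkt["proto"] not in ALLOWED_PROTOS:
        return "block"                       # unnecessary IP protocols denied by default
    if pkt["proto"] in (1, 58):              # ICMP / ICMPv6
        if direction == "out":
            return "allow"                   # all outgoing ICMP permitted
        wanted = INBOUND_ICMP_TYPES if pkt["proto"] == 1 else INBOUND_ICMPV6_TYPES
        return "allow" if pkt.get("icmp_type") in wanted else "block"
    if direction == "in":
        return "allow" if (pkt["proto"], pkt.get("dport")) in INBOUND_SERVICES else "block"
    return "allow"                           # outbound TCP/UDP/ESP/AH from public-side hosts
```

The same rules apply to IPv6 packets unchanged, which is the "use IPv6 addresses in all filtering rules" capability the slides ask for.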
• An organization needs to have a policy whether or not to allow IPsec VPNs that start or end inside its network perimeter.

• The ESP and AH protocols are used for IPsec VPNs, and a firewall that blocks these protocols will not allow IPsec VPNs to pass. While blocking ESP can hinder the use of encryption to protect sensitive data, it can also force users who would normally encrypt their data with ESP to allow it to be inspected, for example by a stateful inspection firewall or an application-proxy gateway.
• Most early firewall work involved simply blocking unwanted or suspicious traffic at the network boundary. Inbound application firewalls or application proxies take a different approach: they let traffic destined for a particular server into the network, but capture that traffic in a server that processes it like a port-based firewall.

• The application-based approach provides an additional layer of security for incoming traffic by validating some of the traffic before it reaches the desired server.

• The theory is that the inbound application firewall’s or proxy’s additional security layer can protect the server better than the server can protect itself, and can also remove malicious traffic before it reaches the server to help reduce server load.

• In some cases, an application firewall or proxy can remove traffic that the server might not be able to remove on its own because it has greater filtering capabilities. An application firewall or proxy also prevents the server from having direct access to the outside network.
• Traditional packet filtering does not see the identities of the users who are communicating in the traffic traversing the firewall, so firewall technologies without more advanced capabilities cannot have policies that allow or deny access based on those identities.

• However, many other firewall technologies can see these identities and therefore enact policies based on user authentication. One of the most common ways to enforce user identity policy at a firewall is by using a VPN. Both IPsec VPNs and SSL VPNs have many ways to authenticate users, such as with secrets that are provisioned on a user-by-user basis, with multi-factor authentication (e.g., time-based cryptographic tokens protected with PINs), or with digital certificates controlled by each user.
• Many firewalls allow the administrator to block established connections after a certain period of inactivity. For example, if a user on the outside of a firewall has logged into a file server but has not made any requests during the past 15 minutes, the policy might be to block any further traffic on that connection.

• Time-based policies are useful in thwarting attacks caused by a logged-in user walking away from a computer and someone else sitting down and using the established connections (and therefore the logged-in user’s credentials). However, these policies can also be bothersome for users who make connections but do not use them frequently.
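The inactivity policy just described, modelled as a stateful connection table that expires idle connections. This is an added example and not code from the slides; the 5-tuple flow keys and the 15-minute limit are constructed to match the slides' example, and timestamps are passed in explicitly so the behaviour can be reproduced without a clock.

```python
IDLE_LIMIT_SECONDS = 15 * 60   # the 15-minute example from the slides


class ConnectionTable:
    """Stateful table of established connections with an idle timeout.

    Flows are keyed by a constructed 5-tuple (proto, src, sport, dst, dport).
    A packet on a flow that has been idle longer than idle_limit is blocked and
    the flow entry is dropped, so a new connection (and a fresh login) is required.
    """

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS):
        self.idle_limit = idle_limit
        self.last_seen = {}   # flow 5-tuple -> timestamp of the last permitted packet

    def establish(self, flow, now):
        """Record a newly authenticated/established connection."""
        self.last_seen[flow] = now

    def check(self, flow, now):
        """Return "allow" for an active established flow, otherwise "block"."""
        seen = self.last_seen.get(flow)
        if seen is None:
            return "block"                        # no established state for this flow
        if now - seen > self.idle_limit:
            del self.last_seen[flow]              # idle too long: tear the state down
            return "block"
        self.last_seen[flow] = now                # activity refreshes the idle timer
        return "allow"

    def expire_idle(self, now):
        """Background sweep: drop every flow idle past the limit; return how many."""
        stale = [f for f, t in self.last_seen.items() if now - t > self.idle_limit]
        for f in stale:
            del self.last_seen[f]
        return len(stale)
```

Calling check() on a flow that has already expired returns "block" again, so a user who walked away must reconnect rather than silently resume the old session.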
• It is clear that some form of security for private networks connected to the Internet is essential.

• A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions.
