3-Identify Assets and Infrastructure Devices-11!01!2024

Firewall technologies provide protection for networks and control access between trusted and untrusted networks. The document discusses the evolution of firewalls from early packet filters to today's more advanced stateful firewalls. It describes how firewalls work by filtering network traffic based on pre-configured rules, and outlines common firewall types including packet filtering, stateful packet inspection, application gateways, and circuit-level gateways. The document also discusses the positive and negative effects of firewalls as well as their limitations.

Firewall Technologies

The Nature of Today’s Attackers

• Who are these “hackers” who are trying to break into your computer?
  Most people imagine someone at a keyboard late at night, guessing passwords to steal confidential data from a computer system.
  This type of attack does happen, but it makes up a very small portion of the total network attacks that occur.

• Today, worms and viruses initiate the vast majority of attacks.
  Worms and viruses generally find their targets randomly.
  As a result, even organizations with little or no confidential information need firewalls to protect their networks from these automated attackers.
What Is a Firewall?

• The term firewall has been around for quite some time and originally was used to define a barrier constructed to prevent the spread of fire from one part of a building or structure to another. Network firewalls provide a barrier between networks that prevents or denies unwanted or unauthorized traffic.

• Definition: A Network Firewall is a system or group of systems used to control access between two networks -- a trusted network and an untrusted network -- using pre-configured rules or filters.

 Device that provides secure connectivity between networks (internal/external; varying levels of trust)
 Used to implement and enforce a security policy for communication between networks
• Firewalls can be hardware based, software based, or both.
Firewalls History

• Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s.

• First generation - packet filters
  The first paper published on firewall technology was in 1988, when Jeff Mogul from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls.

• Second generation - circuit level
  From 1980-1990, two colleagues from AT&T developed the second generation of firewalls, known as circuit level firewalls.

• Third generation - application layer
  Publications by Gene Spafford of Purdue University and Bill Cheswick at AT&T Laboratories described a third generation firewall, also known as proxy based firewalls.

• Subsequent generations
  In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were developing their own fourth generation packet filter firewall system.
  In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.
  Cisco, one of the largest internet security companies in the world, released their PIX (Private Internet EXchange) product to the public in 1997.
What Firewalls Do (Positive Effects)

Positive Effects

• User authentication.
  Firewalls can be configured to require user authentication. This allows network administrators to control and track specific user activity.

• Auditing and logging.
  By configuring a firewall to log and audit activity, information may be kept and analyzed at a later date.

• Anti-Spoofing - Detecting when the source of the network traffic is being "spoofed", i.e., when an individual attempting to access a blocked service alters the source address in the message so that the traffic is allowed.

• Network Address Translation (NAT) - Changing the network addresses of devices on any side of the firewall to hide their true addresses from devices on other sides. There are two ways NAT is performed:
  – One-to-One - where each true address is translated to a unique translated address.
  – Many-to-One - where all true addresses are translated to a single address, usually that of the firewall.

• Virtual Private Networks
  VPNs are communications sessions traversing public networks that have been made virtually private through the use of encryption technology. VPN sessions are defined by creating a firewall rule that requires encryption for any session that meets specific criteria.
What Firewalls Do (Negative Effects)

• Negative Effects
  Although firewall solutions provide many benefits, negative effects may also be experienced.

  – Traffic bottlenecks. By forcing all network traffic to pass through the firewall, there is a greater chance that the network will become congested.
  – Single point of failure. In most configurations where firewalls are the only link between networks, if they are not configured correctly or are unavailable, no traffic will be allowed through.
  – Increased management responsibilities. A firewall often adds to network management responsibilities and makes network troubleshooting more complex.
What Firewalls Cannot Do

• The most common misconception about firewalls is that they guarantee security for your network.

• A firewall cannot and does not guarantee that your network is 100% secure.

• Firewalls cannot offer any protection against inside attacks. A high percentage of security incidents today come from inside the trusted network.

• In most implementations, firewalls cannot provide protection against viruses or malicious code. Since most firewalls do not inspect the payload or content of the packet, they are not aware of any threat that may be contained inside.

• Finally, no firewall can protect against inadequate or mismanaged policies.
How Firewalls Work

• There are two security design logic approaches network firewalls use to make access control decisions.
  – Everything not specifically permitted is denied.
  – Everything not specifically denied is permitted.

• The one most often recommended is everything not specifically permitted is denied.

• Basic TCP/IP Flow review

Types of Firewalls

• Firewall types can be categorized depending on:
  – The function or methodology the firewall uses
  – Whether the communication is being done between a single node and the network, or between two or more networks.
  – Whether the communication state is being tracked at the firewall or not.

 Packet Filtering / stateless packet inspection
 Stateful Packet Inspection
 Application Gateways/Proxies
 Adaptive Proxies
 Circuit Level Gateway
Packet-filtering functionality (stateless firewall)

• The first firewall devices, with only a packet filter, were also called stateless inspection firewalls. Unlike them, modern firewall devices provide far more possibilities for packet filtering.
• A packet filter enables the implementation of control of access to resources by deciding whether a packet should be allowed to pass, based on the information contained in the IP packet header.

Packet Filtering Firewall

[Figure: Packet Filtering Firewall. Trusted Network, Firewall (rule set), Untrusted Network; a packet that does not match is blocked or discarded.]

• A packet filtering firewall is often called a network layer firewall because the filtering is primarily done at the network layer (layer three) or the transport layer (layer four) of the OSI reference model.
Packet-filtering functionality (stateless firewall)

• The packet filter does not analyse the content of the packet (unlike a content filter), nor does it attempt to determine the sessions to which individual packets belong based on the information contained in the TCP or UDP header, and therefore it does not make any further decisions in that regard.

• For this reason, the process is also known as stateless packet inspection. Due to its manner of operation, which does not track the information on the state of connections, it is necessary to explicitly allow two-way traffic on the connection when configuring a stateless firewall device.
• Stateless firewall devices analyse each packet individually and filter them based on the information contained in layers 3 and 4 of the OSI reference model.

• A filtering decision is made based on the following information:
  Source IP address;
  Destination IP address;
  Protocol;
  Source port number;
  Destination port number.
  They are commonly implemented as part of the functionality on routers (ACL, firewall filters, etc.), but can also be implemented on servers.
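The default-deny logic from "How Firewalls Work" and the five header fields listed above, worked through as an added example that is not part of the original slides: a small stateless packet filter in Python. The addresses, ports and rule set are constructed for illustration, and the last case shows why a stateless filter needs an explicit reverse rule and what that rule costs.

```python
# Added example (not from the original slides): a minimal stateless packet
# filter. Each packet is judged on its own against an ordered rule set built
# from the five header fields on the slide; the first matching rule wins and
# anything not explicitly permitted is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src_net: str = "0.0.0.0/0"    # any source
    dst_net: str = "0.0.0.0/0"    # any destination
    proto: Optional[str] = None   # None matches any protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed policy: the trusted LAN 10.0.0.0/24 may open HTTP connections.
# With no connection state, the web server's replies (source port 80 back to
# the LAN) are dropped until a second, explicit reverse rule is added.
OUTBOUND_ONLY = [Rule("permit", src_net="10.0.0.0/24", proto="tcp", dst_port=80)]
TWO_WAY = OUTBOUND_ONLY + [Rule("permit", dst_net="10.0.0.0/24", proto="tcp", src_port=80)]

REQUEST = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80)  # LAN -> web server
REPLY = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 51000)    # web server -> LAN
PROBE = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 22)       # unrelated host, src port 80

if __name__ == "__main__":
    print(filter_packet(OUTBOUND_ONLY, REQUEST))  # permit
    print(filter_packet(OUTBOUND_ONLY, REPLY))    # deny: return traffic not allowed yet
    print(filter_packet(TWO_WAY, REPLY))          # permit
    # The price of the reverse rule: any packet from source port 80 toward the
    # LAN matches it, whatever the real destination service. A stateful
    # firewall avoids this by consulting its state table instead.
    print(filter_packet(TWO_WAY, PROBE))          # permit
```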
Stateful packet inspection
• It improves the packet filtering process by monitoring the state of each connection established through a firewall device. It is known that the TCP protocol allows two-way communication and that TCP traffic is characterised by three phases: establishing the connection, data transfer, and terminating the connection.
Stateful Packet Inspection
• Stateful packet inspection uses the same fundamental packet
screening technique that packet filtering does. In addition, it
examines the packet header information from the network
layer of the OSI model to the application layer to verify that
the packet is part of a legitimate connection and the protocols
are behaving as expected.
Stateful packet inspection
• In the connection establishment phase, stateful
packet inspection records each connection in the
state-table.
• In the data transfer phase, the device monitors
certain parameters in the header of the L3
packet and L4 segment and makes a filtering
decision depending on their values and the
content of the state-table.
Stateful packet inspection
• The state-table contains all currently active
connections. As a result, a potential attacker
trying to spoof a packet with a header
indicating that the packet is a part of an
established connection can only be detected by
the stateful inspection firewall device, which
verifies whether the connection is recorded in the
state-table.
Stateful packet inspection

• The state-table contains the following information:
  Source IP address;
  Destination IP address;
  Source port number;
  Destination port number;
  TCP sequence numbers;
  TCP flag values.

Stateful Packet Inspection Firewall

[Figure: Stateful Packet Inspection Firewall. Trusted Network, Firewall (state table), Untrusted Network; a packet with no matching connection is blocked or discarded.]

Stateful packet inspection

• The state of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags is monitored within the TCP header and a conclusion is reached about the state of a specific connection.
• The UDP protocol does not have a formal procedure for establishing and terminating a connection.

• However, devices with stateful inspection can monitor the state of individual flows and match different flows when they logically correspond to each other (e.g., a DNS response from an external server will only be allowed to pass if the corresponding DNS query from the internal source to that server has previously been recorded).
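The state-table mechanics described in the stateful inspection slides above (entries created in the establishment phase, TCP flag tracking, a spoofed "established" packet rejected because it has no entry, and UDP flows matched query-to-response), as an added example that is not part of the original slides. It is a deliberately simplified Python model: the trusted-side prefix and all addresses are constructed, sequence numbers are not tracked, and a single FIN or RST closes the entry.

```python
# Added example (not from the original slides): a simplified stateful
# inspection engine. A state-table entry is created only when the trusted side
# opens a connection; a return packet is permitted only if it matches an entry,
# so a packet whose header merely claims to belong to an established connection
# is dropped. TCP entries are removed on FIN or RST; for UDP, a DNS response is
# matched to the query that preceded it.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

TRUSTED_NET = "10.0.0."   # constructed: prefix of the internal (trusted) side

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                                                 # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = field(default_factory=frozenset)   # SYN, ACK, FIN, RST

Key = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, src_port, dst_port)

class StatefulFirewall:
    def __init__(self) -> None:
        self.state: Dict[Key, str] = {}   # keyed by the initiating direction

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.dst_ip, p.src_ip, p.proto, p.dst_port, p.src_port)

    def inspect(self, p: Packet) -> str:
        from_inside = p.src_ip.startswith(TRUSTED_NET)
        fwd, rev = self._key(p), self._reverse_key(p)
        if p.proto == "tcp":
            if from_inside and p.flags == {"SYN"}:
                self.state[fwd] = "SYN_SENT"         # establishment phase begins
                return "permit"
            entry = fwd if fwd in self.state else rev if rev in self.state else None
            if entry is None:
                return "deny"                        # no recorded connection
            if {"FIN", "RST"} & p.flags:
                del self.state[entry]                # termination phase
            elif entry == rev and p.flags == {"SYN", "ACK"}:
                self.state[entry] = "ESTABLISHED"   # handshake answered
            return "permit"                          # data transfer phase
        if p.proto == "udp":
            if from_inside:
                self.state[fwd] = "UDP_FLOW"         # e.g. the DNS query is recorded
                return "permit"
            if rev in self.state:                    # the corresponding response
                del self.state[rev]
                return "permit"
            return "deny"
        return "deny"
```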
Application Gateways/Proxies

• The proxy plays middleman in all connection attempts.

• The application gateway/proxy acts as an intermediary between the two endpoints. This packet screening method actually breaks the client/server model in that two connections are required: one from the source to the gateway/proxy and one from the gateway/proxy to the destination. Each endpoint can only communicate with the other by going through the gateway/proxy.

• This type of firewall operates at the application level of the OSI model. For source and destination endpoints to be able to communicate with each other, a proxy service must be implemented for each application protocol.

• The gateways/proxies are carefully designed to be reliable and secure because they are the only connection point between the two networks.
Application Gateways/Proxies Firewall

• When a client issues a request from the untrusted network, a connection is established with the application gateway/proxy. The proxy determines if the request is valid (by comparing it to any rules or filters) and then sends a new request on behalf of the client to the destination. By using this method, a direct connection is never made from the trusted network to the untrusted network and the request appears to have originated from the application gateway/proxy.

[Figure: Application Gateways/Proxies Firewall. Work Station, Application Gateway (Proxy service), Untrusted Network.]

• The response is sent back to the application gateway/proxy, which determines if it is valid and then sends it on to the client.

• By breaking the client/server model, this type of firewall can effectively hide the trusted network from the untrusted network.

• It is important to note that the application gateway/proxy actually builds a new request, only copying known acceptable commands before sending it on to the destination.

• Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see all aspects of the application layer, so it can look for more specific pieces of information.
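The "builds a new request, only copying known acceptable commands" behaviour above, as an added example that is not part of the original slides: a Python sketch of the request-rewriting step of an HTTP application proxy. The allowed methods, header names and destination hosts are a constructed policy; the client request is constructed too.

```python
# Added example (not from the original slides): how an application
# gateway/proxy rebuilds a request instead of forwarding the client's bytes.
# The proxy parses the client's HTTP request, checks it against its rules and
# then constructs a brand-new request containing only the commands and headers
# it knows to be acceptable; anything it does not recognise is never copied.
from typing import Dict, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD"}                    # constructed policy
ALLOWED_HEADERS = ("host", "user-agent", "accept")   # copied by name, in this order
ALLOWED_HOSTS = {"www.example.com"}                  # constructed destination list

def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into method, target, version and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="strict").split("\r\n")
    method, target, version = lines[0].split(" ")     # ValueError if malformed
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def proxy_rebuild(raw: bytes) -> Tuple[Optional[bytes], str]:
    """Return (new_request, reason); new_request is None when the proxy refuses."""
    try:
        method, target, version, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed request"
    if method not in ALLOWED_METHODS:
        return None, f"method {method} not permitted"
    if version != "HTTP/1.1" or not target.startswith("/"):
        return None, "unsupported request line"
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return None, f"destination {host!r} not permitted"
    # Build the outgoing request from scratch: a known-good request line, only
    # the headers on the allow-list, then the proxy's own connection policy.
    out = [f"{method} {target} HTTP/1.1"]
    out += [f"{name.title()}: {headers[name]}" for name in ALLOWED_HEADERS if name in headers]
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii"), "ok"
```

The same pattern applies in the reverse direction: the proxy parses the server's response and copies only the status line and headers it accepts before relaying it to the client.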
Application Gateways/Proxies

Strengths

• Application gateways/proxies do not allow a direct connection to be made between endpoints. They actually break the client/server model.

• Typically have the best content filtering capabilities. Since they have the ability to examine the payload of the packet, they are capable of making decisions based on content.

• Allow the network administrator to have more control over traffic passing through the firewall. They can permit or deny specific applications or specific features of an application.
Application Gateways/Proxies

Weaknesses

• The most significant weakness is the impact they can have on performance: this type of firewall requires more processing power and has the potential to become a bottleneck for the network.

• Typically require additional client configuration. Clients on the network may require specialized software or configuration changes to be able to connect to the application gateway/proxy.
Adaptive Proxies

• Also known as dynamic proxies.

• Developed as an enhanced form of application gateways/proxies, combining the merits of both application gateways/proxies and packet filtering.
Circuit-level Gateway

• Unlike a packet filtering firewall, a circuit-level gateway does not examine individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions.

• Once a session has been established, it leaves the port open to allow all other packets belonging to that session to pass. The port is closed when the session is terminated.

• Circuit-level gateways operate at the transport layer (layer 4) of the OSI model.
Types of Firewalls

2. With regard to the scope of filtered communications done between a single node and the network, or between two or more networks, there exist:

  – Personal Firewalls, a software application which normally filters traffic entering or leaving a single computer.
  – Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks.
Do you need a firewall?
– What would the firewall control?
• Access into the network
• Access out of the network
• Access between internal networks, departments, or
buildings
• Access for specific groups, users or addresses
• Access to specific resources or services
Do you need a firewall?

• What would it need to protect?
  – Specific machines or networks
  – Specific services
  – Information - private or public
  – Users

Do you need a firewall?
• What impact will a firewall have on your organization, network and users?
  – What resources will be required to implement and maintain a firewall solution?
  – Who will do the work? Are experienced technical personnel available for the job or will someone need to be hired from outside your organization?
  – Is hardware available that meets the requirements to support a firewall solution?
Do you need a firewall?
– Will existing services be able to function through a
firewall?
– What will the financial impact be on the organization?
(Financial impact should include initial implementation
costs, ongoing maintenance and upgrades, hardware and
software costs, and technical support costs, whether the
support is provided in-house or from an outside source.)
Security Policy

The success of any firewall solution's implementation is directly related to the existence of a well-thought-out and consistently implemented security policy.
Some of the topics a security policy may address are:

Administrative Issues

– User access - Which users will be allowed access to and from the network?
– Access to services - Which services will be allowed in and out of the network?
– Access to resources - Which resources will be available to users?
Security Policy
Administrative Issues

– User authentication - Will the organization require user authentication?
– Logging and auditing - Will the organization want to keep log and audit files?
– Policy violation consequences - What will be the consequences of policy violation?
– Responsibilities - Who will oversee and administer the security policy? Who has final authority on decisions?
Security Policy

Technical Issues

– Remote access - Will the organization allow remote access to the network?
– Physical security - How will physical security of machines, one of the most obvious security elements that is often overlooked, be achieved?
– Virus protection - How will the organization handle virus protection?
Implementations

• Software
– Devil-Linux
– Dotdefender
– ipfirewall
– PF
– Symantec …

• Hardware
– Cisco PIX
– DataPower
– SofaWare Technologies
