Lec 9

Network Firewalls

An Introduction

Outlines

● Introduction to Firewalls
● Firewall Types
● Firewall Deployment Options

The Need for Firewalls

[Diagram: Internal Network (LAN) connected through a router/gateway to the External Network (WAN/Internet).]

[Diagram: the same layout with Workstation A, Workstation B, a Database Server and an Application Server on the internal LAN.]

[Diagram: the same layout with Clients & Customers on the external network.]

The Need for Firewalls

• Nowadays, every organization's network is connected to the Internet. This connectivity comes with the risk of external network attacks that target the internal organization network.
• How do we control the way network traffic enters our network, so that bad traffic is eliminated at our network border?
• Examples of bad traffic are probing traffic, attempts to connect to internal services from unauthorized sources, and crafted network packets (e.g. a land attack).
• The solution to the above problem is implementing appropriate network access control policies.

Network Access Control Policy
• Any network security policy focuses on two main aspects:
– Preventing external threats.
– Controlling internal risks of abusing network resources.
• The process of creating a network access control policy consists of:
1. Identify all the assets that we are trying to protect.
2. Identify all the vulnerabilities and threats.
3. Evaluate measures and controls.
4. Communicate findings.
5. Write the security policy.
6. Implementation and enforcement.
7. Monitoring and review.

The Need for Firewalls

[Diagram: Workstation A, Workstation B, Database Server and Application Server on the internal network (LAN), connected through a router/gateway to the external network (WAN/Internet) where the Clients & Customers are.]

Network Access Control Policy Examples

1. The Application Server is accessible to all incoming traffic.
2. The Database Server is only accessible to internal network traffic.
3. The Database Server is only accessible to workstation B and the application server.
4. Workstations A and B are accessible via SSH.
5. All incoming RDP traffic is not allowed.
6. All outgoing traffic to facebook, twitter, instagram is not allowed.

Firewalls
• One method to implement and enforce a network access control policy is using firewalls.
• A firewall is an additional layer of security that controls the network traffic between two or more computer networks.
• A firewall is a preventive access control system.
• A firewall could be a hardware appliance (a dedicated computing unit tuned and customized to inspect and filter network traffic), or it could be a software tool deployed on a workstation or node in your network.
• A firewall is typically located at the point where the network connects to the Internet or other networks.
• The firewall is responsible for filtering traffic according to the security policy.

The Need for Firewalls

[Diagram: the same network with a Firewall placed between the internal network (LAN) and the router/gateway toward the external network (WAN/Internet) and the Clients & Customers.]

[Diagram: the same layout annotated with the port status enforced by the firewall: ports 80, 443, 22 open; ports 21, 23, 3389 closed.]

Firewall Characteristics

● All traffic from inside to outside (outbound traffic) and from outside to inside (inbound traffic) passes through the firewall.
● Only authorized traffic, as defined by the local security policy, will be allowed to pass.
● The firewall itself is immune to penetration (assumption).
● The firewall cannot protect against attacks that bypass the firewall (e.g. application-specific attacks).

Firewall Characteristics

● The firewall may not protect fully against internal threats.
● Firewall protection is limited to network traffic; therefore, organizations that allow BYOD are vulnerable.
● Firewall rules and configuration are crucial to the protection level provided by the firewall.
● An improperly configured firewall could result in a denial of service.
● Auditing and monitoring firewall behaviours and operations is an expensive process.

Firewalls Security Controls

Any firewall system performs one or more of the following security controls:
– Service control: determines the types of Internet/network services that can be accessed, inbound or outbound.
– Direction control: determines the direction in which particular service requests may be initiated and allowed.
– User control: controls access to a service according to which user is attempting to access it.
– Behavior control: controls how particular services are used.

Types of Firewalls

Firewall systems are categorized into three main categories, namely:

1. Packet Filtering Firewall
2. Stateful Inspection Firewall
3. Application Proxy Firewall

Packet Filtering Firewalls

• Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
• It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a negative filter, rejecting any packet that meets certain criteria.
• Typically configured to filter packets going in both directions (from and to the internal network).
• Filtering rules are based on information contained in a network packet.

Packet Filtering Firewalls

A packet filtering firewall uses the following information:
1. Source and destination IP address
2. Source and destination port number
3. Transport layer protocol (UDP, TCP)
4. Network interface
In general, the packet filtering firewall will either drop or pass the (incoming/outgoing) packet.

Packet Filtering Firewalls
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
• If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet.
• The rules are checked in sequential order from top to bottom and the first match is applied.
• If there is no match to any rule, then a default action is taken.
In your opinion, should the default action be pass (forward) or drop (discard), and why?

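As an added example (not part of the lecture slides), the six policy statements from the "Network Access Control Policy Examples" slide are written below as an ordered packet-filter rule list evaluated top to bottom with first-match semantics and a default drop, exactly the evaluation model described above. The addresses, the database port 5432, the placeholder address range standing in for the social-media sites, and the final "pass other outbound traffic" rule are all assumptions introduced here; a plain packet filter matches on IP addresses, so the hostname-based policy 6 has to be expressed as an address range.

```python
"""Ordered packet-filter rule set: first match wins, default drop."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses for the lecture's example LAN (assumed, not from the slides).
INTERNAL_NET = ip_network("10.0.0.0/24")
WORKSTATION_A = "10.0.0.11"
WORKSTATION_B = "10.0.0.12"
DB_SERVER = "10.0.0.20"                     # assumed to listen on TCP 5432
APP_SERVER = "10.0.0.30"
SOCIAL_MEDIA = ip_network("192.0.2.0/24")   # placeholder range for facebook/twitter/instagram
ANY = ip_network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    """A /32 network that matches exactly one host."""
    return ip_network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def direction(pkt: Packet) -> str:
    """Classify a packet relative to the LAN: 'in', 'out' or 'internal'."""
    src_in = ip_address(pkt.src) in INTERNAL_NET
    dst_in = ip_address(pkt.dst) in INTERNAL_NET
    if src_in and dst_in:
        return "internal"
    return "out" if src_in else "in"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "drop"
    direction: Optional[str] = None  # None matches any direction
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == direction(pkt))
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# The six policy statements, as an ordered list: checked top to bottom, first match applied.
RULES = [
    Rule("drop", direction="in", proto="tcp", dport=3389),                                # 5: no inbound RDP
    Rule("pass", direction="in", dst=host(APP_SERVER)),                                   # 1: app server open to all
    Rule("pass", src=host(WORKSTATION_B), dst=host(DB_SERVER), proto="tcp", dport=5432),  # 3: B may reach the DB
    Rule("pass", src=host(APP_SERVER), dst=host(DB_SERVER), proto="tcp", dport=5432),     # 3: app server may too
    Rule("drop", dst=host(DB_SERVER)),                                                    # 2+3: nobody else reaches the DB
    Rule("pass", dst=host(WORKSTATION_A), proto="tcp", dport=22),                         # 4: SSH to workstations
    Rule("pass", dst=host(WORKSTATION_B), proto="tcp", dport=22),
    Rule("drop", direction="out", dst=SOCIAL_MEDIA),                                      # 6: no outbound social media
    Rule("pass", direction="out"),                                                        # assumed: other outbound allowed
]


def filter_packet(rules, pkt: Packet, default: str = "drop"):
    """Return (action, index of the matching rule), or (default, None) when nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


if __name__ == "__main__":
    for p in (Packet("203.0.113.5", APP_SERVER, "tcp", 443),
              Packet("203.0.113.5", WORKSTATION_A, "tcp", 3389),
              Packet(WORKSTATION_A, DB_SERVER, "tcp", 5432),
              Packet("203.0.113.5", WORKSTATION_A, "udp", 53)):
        print(p, "->", filter_packet(RULES, p))
```

Rule order matters: the DB "drop everything else" rule is placed after the two DB "pass" rules, and the UDP packet at the end of the demo matches nothing and falls through to the default, which is where the question above about pass versus drop bites.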
Packet Filtering Firewalls

• A packet filtering firewall is simple to implement and has high performance (transparent to users and very fast).
• It cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Packet filtering firewalls are vulnerable to IP address spoofing, tiny fragment attacks, and source routing attacks.
• The logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions.

Stateful Inspection Firewalls

• A packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context.
• A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections.

Stateful Inspection Firewalls

• A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall but also records information about TCP connections.
• A stateful firewall also keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.

Stateful Inspection Firewalls
• Stateful inspection tracks connections by maintaining a state table.
• This allows knowing the state of a connection for each packet that gets processed.
• The connection tracking states used in building rules include the following:

State: Meaning
– NEW: This packet belongs to a session that is not an already known connection. Thus, it is considered to be a NEW connection.
– ESTABLISHED: Packets belong to a session that has seen traffic flowing in both directions.
– RELATED: This connection is related to another connection (in NEW or ESTABLISHED state).
– INVALID: A state that denotes an error.
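An added example (not from the slides) of how a stateful firewall builds its state table and assigns the NEW, ESTABLISHED, RELATED and INVALID states listed above. The TCP model is deliberately simplified: connections are keyed on the address/port 4-tuple, a bare SYN is the only way to open a connection, a reply packet from the other side makes the connection ESTABLISHED, and RST tears it down. The LAN prefix, the `expect()` hook standing in for an application helper that announces a related connection, and the policy "NEW only outbound, ESTABLISHED/RELATED pass, INVALID drop" are assumptions of this example; the sequence-number validation the slides mention is not modelled.

```python
"""Connection tracking for a stateful inspection firewall (simplified TCP model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # constructed LAN (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Connection:
    initiator: tuple       # (src, sport, dst, dport) of the packet that opened the connection
    seen_reply: bool = False


def outbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) in INTERNAL_NET and ip_address(pkt.dst) not in INTERNAL_NET


def conn_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share one table entry."""
    fwd = (src, sport, dst, dport)
    rev = (dst, dport, src, sport)
    return min(fwd, rev)


class ConnectionTracker:
    def __init__(self):
        self.table = {}        # conn_key -> Connection (the "directory of connections")
        self.expected = set()  # keys an application helper (e.g. for FTP) told us to expect

    def expect(self, src, sport, dst, dport):
        """Register a connection announced inside a tracked session; it will be RELATED."""
        self.expected.add(conn_key(src, sport, dst, dport))

    def classify(self, pkt: Packet) -> str:
        key = conn_key(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.table.get(key)
        if conn is None:
            if key in self.expected:
                return "RELATED"
            # Only a bare SYN may open a connection; a stray ACK with no state is an error.
            return "NEW" if pkt.flags == frozenset({"SYN"}) else "INVALID"
        this_dir = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if conn.seen_reply or this_dir != conn.initiator:
            return "ESTABLISHED"   # traffic has now been seen in both directions
        return "NEW"               # e.g. a retransmitted SYN before any reply arrived

    def decide(self, pkt: Packet):
        """Apply the policy and update the state table only for packets allowed through.
        A real tracker would also validate TCP sequence numbers against the window."""
        state = self.classify(pkt)
        if state == "INVALID" or (state == "NEW" and not outbound(pkt)):
            return state, "drop"   # unsolicited inbound SYNs never create state
        key = conn_key(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        this_dir = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.table.get(key)
        if conn is None:
            self.table[key] = Connection(initiator=this_dir)
            self.expected.discard(key)
        elif this_dir != conn.initiator:
            conn.seen_reply = True
        if "RST" in pkt.flags:     # reset tears the connection down; later packets are INVALID
            self.table.pop(key, None)
        return state, "pass"


if __name__ == "__main__":
    t = ConnectionTracker()
    print(t.decide(Packet("203.0.113.5", 40000, "10.0.0.11", 445, frozenset({"SYN"}))))
    print(t.decide(Packet("10.0.0.11", 51000, "198.51.100.7", 443, frozenset({"SYN"}))))
    print(t.decide(Packet("198.51.100.7", 443, "10.0.0.11", 51000, frozenset({"SYN", "ACK"}))))
```

The point the packet-filter comparison above makes shows up in the first two calls: the inbound SYN and the outbound SYN carry the same header fields a packet filter would look at, but only the outbound one creates an entry, and only packets that belong to that entry are later accepted from the outside.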
Application-Level Firewalls

• Also known as an application proxy or application-level gateway.
• Acts as an application-layer gateway between the protected network and the untrusted network.
• It does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
• Operates at the application layer and is able to examine traffic in detail; therefore, it is considered the most secure type of firewall.

Application-Level Firewalls

• It acts as a middleman between the protected assets and the external world.
• It is more complex and expensive to implement and operate (additional processing overhead on each connection).
• It is application specific, and the firewall needs to implement and understand the application protocol (e.g. HTTP, FTP, etc.).
• It can prevent application-specific attacks such as SQL injection, dictionary attacks, and XSS attacks.
• The most common application firewalls are web application firewalls.

Application-Level Firewalls
● Prevents a direct connection from a host on the untrusted network.
● The direct connection is broken into two connections, with the proxy mediating between the two hosts.
● The function of the proxy consists of protecting the internal network by hiding information and restricting access to user information and services.
● Performs deep packet inspection on all packets.
[Diagram: place a router behind the gateway to protect connections between the gateway and the internal hosts.]

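The two-connection proxy behaviour described in the application-level firewall slides above, as an added example that is not from the slides: the gateway terminates the outside connection, parses the HTTP request as the application protocol it understands, applies a positive application-layer policy, and only then builds a fresh request for the inner host over what would be its own second TCP connection; on the way back it hides information by stripping the inner server's identifying header. The second connection is represented by the `inner_connect` callable, `fake_inner_server` is a constructed stand-in for the protected application server, and the host name `app.example`, the allowed methods and the path pattern are assumptions of this example.

```python
"""Application-level gateway for HTTP: parse, check, rebuild, relay, scrub."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
PROTECTED_HOST = "app.example"                    # constructed name of the inner application server
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")    # positive allow-list for the request target
MAX_HEADERS = 32


def parse_request(raw: bytes):
    """Parse an HTTP/1.1 request head; raise ValueError on anything malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="strict").split("\r\n")
    method, target, version = lines[0].split(" ")   # ValueError unless exactly three parts
    if version != "HTTP/1.1":
        raise ValueError("unsupported version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    if len(headers) > MAX_HEADERS:
        raise ValueError("too many headers")
    return method, target, headers, body


def policy_check(method, target, headers):
    """Return None if the request is acceptable, else (status, reason) to reject it with."""
    if method not in ALLOWED_METHODS:
        return 405, "Method Not Allowed"
    if headers.get("host") != PROTECTED_HOST:
        return 403, "Forbidden"
    if not SAFE_PATH.match(target) or ".." in target:
        return 400, "Bad Request"
    return None


def http_response(status, reason, body=b"", extra=()):
    lines = [f"HTTP/1.1 {status} {reason}", f"Content-Length: {len(body)}", *extra]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


class ApplicationGateway:
    """Terminates the outside connection, inspects the request, then talks to the inner
    host over its own connection.  `inner_connect` stands in for that second TCP
    connection: it takes request bytes and returns the inner server's response bytes."""

    def __init__(self, inner_connect):
        self.inner_connect = inner_connect

    def handle(self, raw: bytes) -> bytes:
        try:
            method, target, headers, body = parse_request(raw)
        except (ValueError, UnicodeDecodeError):
            return http_response(400, "Bad Request")
        verdict = policy_check(method, target, headers)
        if verdict:
            return http_response(*verdict)
        # Rebuild the request from parsed fields: raw client bytes never reach the inner host.
        rebuilt = (f"{method} {target} HTTP/1.1\r\nHost: {PROTECTED_HOST}\r\n"
                   f"Content-Length: {len(body)}\r\n\r\n").encode() + body
        return self.scrub(self.inner_connect(rebuilt))

    @staticmethod
    def scrub(response: bytes) -> bytes:
        """Hide inner-host details: drop the Server header before replying outward."""
        head, sep, body = response.partition(b"\r\n\r\n")
        kept = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"server:")]
        return b"\r\n".join(kept) + sep + body


def fake_inner_server(request: bytes) -> bytes:
    """Constructed stand-in for the protected application server behind the gateway."""
    return http_response(200, "OK", b"hello", extra=("Server: InnerApp/1.0 (debug build)",))


if __name__ == "__main__":
    gw = ApplicationGateway(fake_inner_server)
    print(gw.handle(b"GET /api/items HTTP/1.1\r\nHost: app.example\r\n\r\n"))
    print(gw.handle(b"TRACE / HTTP/1.1\r\nHost: app.example\r\n\r\n"))
```

Because the gateway must understand HTTP to do this, the same code is useless for FTP or SMTP, which is the application-specific cost noted above; the benefit is that a malformed or disallowed request is answered by the gateway and never produces a connection to the inner host at all.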
Firewalls Deployment Options
Single-Homed Bastion System (SHBS)
• Consists of a packet-filtering router and a bastion host.
• The router connects the internal network to the external network.
• The bastion host is inside the internal network.
• Bastion host:
– Systems with strong defensive mechanisms.
– Serve as host computers for implementing the application gateway and deep packet inspection.
– Operated on a trusted operating system.
• Ingress packets go through the PF (packet-filtering) firewall and then the bastion host before reaching their destination.
• The PF firewall inspects each egress packet and blocks it if its source address is not the IP address of the bastion host.
• Issue: if the PF router is compromised, the attacker can modify the ACLs and bypass the bastion host.

Firewalls Deployment Options
Dual-Homed Bastion System (DHBS)
• Two zones in the internal network:
– Inner zone: hosts are unreachable from the external network.
– Outer zone: hosts may be reached from the Internet.
• Hosts in the inner zone are protected by both the bastion host and the PF router.
• Servers in the outer zone are protected by the PF router.
• Prevents access to the internal network even if the external PF router is compromised.

Firewalls Deployment Options
Demilitarized Zones (DMZ)
• Also known as screened subnet deployment / triple-homed firewall.
• An SHBS network paired with a second PF router for the internal network.
• The area between the two PF routers is called a screened subnet.
• Hides the internal network structure from external hosts.
In this deployment option the firewalls divide networks into three areas:
• Distrusted region (Internet): bounded by the outer firewall.
• Semi-trusted region (DMZ): bounded by the outer and inner firewalls.
• Trusted region: bounded by the inner firewall.

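An added example (not part of the slides) that models the three regions of the DMZ deployment above and the two PF routers that bound them. The address ranges, the application server and database addresses, the port numbers and the two rule functions are assumptions of this example; `is_allowed` works out which firewalls a flow crosses and, by treating a compromised router as one that passes everything (the ACL-rewriting issue raised on the SHBS slide), shows why the inner firewall still protects the trusted region when the outer router is compromised.

```python
"""Zone model of a screened-subnet (DMZ) deployment with an outer and an inner PF router."""
from ipaddress import ip_address, ip_network

# Constructed addressing for the three regions (assumed, not taken from the slides).
ZONES = {
    "trusted": ip_network("10.0.0.0/24"),     # inner LAN: workstations and database
    "dmz": ip_network("172.16.0.0/24"),       # screened subnet: public-facing application server
}
APP_SERVER = "172.16.0.30"
DB_SERVER = "10.0.0.20"
DB_PORT = 5432                                # assumed database port
ORDER = {"internet": 0, "dmz": 1, "trusted": 2}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"        # anything outside the two inside ranges is the distrusted region


def outer_firewall(src: str, dst: str, dport: int) -> bool:
    """Outer PF router: from the Internet only HTTP/HTTPS to the app server may enter."""
    if zone_of(src) == "internet":
        return zone_of(dst) == "dmz" and dst == APP_SERVER and dport in (80, 443)
    return True              # assumed: traffic leaving toward the Internet is allowed


def inner_firewall(src: str, dst: str, dport: int) -> bool:
    """Inner PF router: only the app server may reach the trusted region, and only the DB port."""
    if zone_of(dst) == "trusted":
        return zone_of(src) == "trusted" or (src == APP_SERVER and dst == DB_SERVER and dport == DB_PORT)
    return True              # assumed: trusted -> DMZ/Internet is allowed


FIREWALLS = {"outer": outer_firewall, "inner": inner_firewall}


def firewalls_on_path(src: str, dst: str):
    """Which PF routers a flow crosses on the line Internet | outer | DMZ | inner | trusted."""
    lo, hi = sorted((ORDER[zone_of(src)], ORDER[zone_of(dst)]))
    crossed = []
    if lo == 0 and hi >= 1:
        crossed.append("outer")
    if lo <= 1 and hi == 2:
        crossed.append("inner")
    return crossed


def is_allowed(src: str, dst: str, dport: int, compromised=frozenset()) -> bool:
    """A flow passes only if every firewall on its path permits it.  A compromised router
    (its ACLs rewritten, as the SHBS slide warns) is modelled as passing everything."""
    for name in firewalls_on_path(src, dst):
        if name not in compromised and not FIREWALLS[name](src, dst, dport):
            return False
    return True


if __name__ == "__main__":
    print(is_allowed("203.0.113.5", APP_SERVER, 443))                       # True: Internet -> DMZ web
    print(is_allowed("203.0.113.5", DB_SERVER, DB_PORT))                     # False: blocked twice
    print(is_allowed("203.0.113.5", DB_SERVER, DB_PORT, compromised={"outer"}))  # False: inner still holds
```

With the outer router compromised the DMZ is exposed (any port on the app server becomes reachable), but every flow into the trusted region still has to cross the inner router, which is the property the dual-homed and DMZ slides claim over the single-homed layout.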
The End
Questions??