
FIREWALLS

Firewall design principles

Internet connectivity is no longer an option for most organizations. However, while internet
access provides benefits to the organization, it also enables the outside world to reach and
interact with local network assets.

This creates a threat to the organization. While it is possible to equip each workstation
and server on the premises network with strong security features, such as intrusion protection,
this is not a practical approach. The alternative, increasingly accepted, is the firewall.

The firewall is inserted between the premises network and the internet to establish a
controlled link and to erect an outer security wall or perimeter.

The aim of this perimeter is to protect the premises network from internet based attacks
and to provide a single choke point where security and audit can be imposed.

The firewall can be a single computer system or a set of two or more systems that
cooperate to perform the firewall function.

Firewall characteristics:

All traffic from inside to outside, and vice versa, must pass through the firewall. This is
achieved by physically blocking all access to the local network except via the firewall.

Various configurations are possible. Only authorized traffic, as defined by the local
security policy, will be allowed to pass. Various types of firewalls are used, which implement
various types of security policies.

The firewall itself is immune to penetration. This implies the use of a trusted system with
a secure operating system.

Four techniques that firewalls use to control access and enforce the site’s security policy are
as follows:
1) Service control – determines the types of internet services that can be accessed, inbound
or outbound. The firewall may filter traffic on the basis of IP address and TCP port
number; may provide proxy software that receives and interprets each service request
before passing it on; or may host the server software itself, such as a web or mail service.
2) Direction control – determines the direction in which particular service request may be
initiated and allowed to flow through the firewall.
3) User control – controls access to a service according to which user is attempting to
access it.
4) Behavior control – controls how particular services are used.
Capabilities of firewall:

A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks.
A firewall provides a location for monitoring security related events. Audits and alarms
can be implemented on the firewall system.
A firewall is a convenient platform for several internet functions that are not security
related. A firewall can serve as the platform for IPsec.

Limitations of firewall

 The firewall cannot protect against attacks that bypass the firewall. For example, internal
systems may have dial-out capability to connect to an ISP, or an internal LAN may support a
modem pool that provides dial-in capability for traveling employees and telecommuters.
 The firewall does not protect against internal threats, such as a disgruntled employee or an
employee who unwittingly cooperates with an external attacker.
 The firewall cannot protect against the transfer of virus-infected programs or files. Because
of the variety of operating systems and applications supported inside the perimeter, it would
be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and
messages for viruses.

Types of firewalls

There are three common types of firewalls.


 Packet filters
 Application-level gateways
 Circuit-level gateways

Packet filtering router


 A packet filtering router applies a set of rules to each incoming IP packet and then forwards
or discards the packet.
 The router is typically configured to filter packets going in both directions.
 Filtering rules are based on the information contained in a network packet:
Source IP address – the IP address of the system that originated the IP packet.
Destination IP address – the IP address of the system the IP packet is trying to reach.
Source and destination transport-level address – the transport-level (e.g. TCP or UDP) port number.
IP protocol field – defines the transport protocol.
Interface – for a router with three or more ports, which interface of the router the packet
came from or which interface of the router the packet is destined for.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or
TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to
forward or discard the packet. If there is no match to any rule, then a default action is taken.

Two default policies are possible:

Default = discard: That which is not expressly permitted is prohibited.

Default = forward: That which is not expressly prohibited is permitted.

The default discard policy is the more conservative. Initially everything is blocked, and
services must be added on a case-by-case basis. This policy is more visible to users, who are
more likely to see the firewall as a hindrance. The default forward policy increases ease of use
for end users but provides reduced security.

Advantages of packet filter router


 Simple
 Transparent to users
 Very fast
Weaknesses of packet filter firewalls
 Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks
that employ application-specific vulnerabilities or functions.
 Because of the limited information available to the firewall, the logging functionality present
in packet filter firewalls is limited.
 They do not support advanced user authentication schemes.
 They are generally vulnerable to attacks that exploit problems in the TCP/IP specification,
such as network layer address spoofing.

Some of the attacks that can be made on packet filtering routers and the appropriate
countermeasures are the following:

 IP address spoofing – the intruder transmits packets from the outside with a source IP
address field containing the address of an internal host.
Countermeasure: discard any packet with an inside source address if the packet arrives on an
external interface.
 Source routing attacks – the source station specifies the route that a packet should take as it
crosses the internet, in the hope of routing the packet around security controls that do not
examine source routing information.
Countermeasure: discard all packets that use this option.
 Tiny fragment attacks – the intruder creates extremely small IP fragments and forces the TCP
header information into a separate fragment. The attacker hopes that only the first
fragment is examined and the remaining fragments are passed through.
Countermeasure: discard all packets where the protocol type is TCP and the IP fragment
offset is equal to 1. A fragment with offset 1 begins at byte 8 of the transport payload, so it can
only exist if the first fragment carried just 8 bytes, which is too small to hold the complete TCP
header; a legitimate first fragment is always larger.
