Firewalls

Firewalls act as a choke point between networks, imposing restrictions on network services to allow only authorized traffic. There are different types of firewalls including packet filtering firewalls, stateful inspection firewalls, and application gateways. Packet filtering firewalls apply rules to IP packets to determine whether to forward or discard them based on information like source/destination addresses and ports. Stateful inspection firewalls improve on this by tracking the state of network connections. Application gateways provide the most security by proxying and analyzing application data flows according to corporate policies.


Firewalls

Prepared by
Mr. S. Saravanan,
Asst. Prof, Amrita School of Computing,
Chennai
What is a Firewall?
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  • only authorized traffic is allowed
• Auditing and controlling access
  • can implement alarms for abnormal behavior
• Itself immune to penetration
• Provides perimeter defence
4 controls provided by firewall
Classification of Firewall

• Packet filtering
• Stateful inspection firewall
• Circuit gateways
• Application gateways
• A combination of the above is the dynamic packet filter
Firewalls – Packet Filters

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.

• Filtering rules are based on information contained in a network packet
  • IP Source Address, Destination Address
  • Source & destination ports
  • Interface: for a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for.
Usage of Packet Filters
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
• If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet.
• If there is no match to any rule, then a default action is taken.

Two default policies are possible:

• Default = discard
• Default = forward

The default = discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by businesses and government organizations. Further, visibility to users diminishes as rules are created.

• The default = forward policy increases ease of use for end users but provides reduced security; the security administrator must, in essence, react to each new security threat as it becomes known. This policy may be used by generally more open organizations, such as universities.
Weaknesses of packet filter firewall
• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
IMPORTANT
How to Configure a Packet Filter
• Start with a security policy
• Specify allowable packets in terms of logical expressions on packet fields
• Rewrite expressions in syntax supported by your vendor
Every ruleset is followed by an implicit rule reading like this.
Example 1:
Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.
Example 2:
Now suppose that we want to implement the policy “any inside host can send mail to the outside”.

This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside.
Example 3

• Thus, this rule set states that it allows IP packets where: the source IP address is one of a list of designated internal hosts and the destination TCP port number is 25. It also allows incoming packets with a source port number of 25 that include the ACK flag in the TCP segment.
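The three examples and the two default policies can be checked mechanically. The following Python model is an added example, not code from the slides: it evaluates an ordered rule set first-match, falls through to the implicit default rule, and encodes Examples 1 and 3 as rows. The addresses (gateway, inside prefix, SPIGOT) are constructed from the RFC 5737 documentation ranges; the slides give no concrete values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical addresses, constructed for this example (RFC 5737 documentation ranges).
GATEWAY = "192.0.2.10"      # our mail gateway, the only inside host that may receive SMTP
INSIDE_NET = "192.0.2."     # address prefix of our designated internal hosts
SPIGOT = "203.0.113.99"     # the outside site whose mail is to be blocked


@dataclass
class Packet:
    direction: str          # "in" (arriving from outside) or "out" (leaving for outside)
    src: str
    dst: str
    src_port: int
    dst_port: int
    ack: bool = False       # TCP ACK flag set? (absent on the first packet of a connection)


@dataclass
class Rule:
    """One row of a packet-filter rule set; None means 'any' for that field."""
    action: str                     # "permit" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None       # exact address, or a prefix ending in "."
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        def addr_ok(pattern: Optional[str], value: str) -> bool:
            if pattern is None:
                return True
            if pattern.endswith("."):
                return value.startswith(pattern)
            return value == pattern

        return (self.direction in (None, p.direction)
                and addr_ok(self.src, p.src)
                and addr_ok(self.dst, p.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                and self.ack in (None, p.ack))


def filter_packet(rules, p: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching rule); the index
    is None when no rule matched and the implicit default rule made the decision."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return default, None


# Examples 1 and 3 from the slides, written as one ordered rule set.
RULES = [
    Rule("deny", src=SPIGOT),                                      # Ex. 1: block SPIGOT first
    Rule("permit", direction="in", dst=GATEWAY, dst_port=25),      # Ex. 1: inbound SMTP only to gateway
    Rule("permit", direction="out", src=INSIDE_NET, dst_port=25),  # Ex. 3: inside hosts may send mail
    Rule("permit", direction="in", src_port=25, ack=True),         # Ex. 3: replies from port 25, ACK set
]

if __name__ == "__main__":
    samples = [
        Packet("in", SPIGOT, GATEWAY, 4000, 25),                          # mail from SPIGOT: rule 0 denies
        Packet("in", "198.51.100.7", GATEWAY, 4000, 25),                  # mail to gateway: rule 1 permits
        Packet("in", "198.51.100.7", "192.0.2.20", 4000, 25),             # mail to another inside host: default
        Packet("out", "192.0.2.20", "198.51.100.7", 4000, 25),            # inside host sends mail: rule 2
        Packet("in", "198.51.100.7", "192.0.2.20", 25, 4000, ack=True),   # reply from port 25: rule 3
        Packet("in", "198.51.100.7", "192.0.2.20", 25, 4000, ack=False),  # new connection from port 25: default
    ]
    for p in samples:
        print(p, "->", filter_packet(RULES, p))
```

The last sample is the point of the ACK check in Example 3: a packet that merely comes from source port 25 is not a reply to anything, and without the flag test the rule set would let it open a connection to any inside high port. Passing `default="permit"` shows the same rule set under the default = forward policy.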
Port Numbering
• You have opened a web browser on your laptop and are accessing google.co.in directly by giving its IP address(). When you access this website, packets will leave your laptop for the google.co.in server machine. What would be the source IP address, source port number, destination IP address and destination port number of the packet that leaves your laptop for the google.co.in server?
A simple packet filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users.
Firewalls – Stateful Packet Filters
• Traditional packet filters do not examine higher layer context
  • i.e. matching return packets with the outgoing flow
• A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in the table on the next slide. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
• It keeps track of the state of active connections and makes decisions based on the context of the entire communication session
• Because it can keep track of the state of active connections, the firewall's ability to make intelligent decisions based on the context of network traffic is enhanced
Stateful Filtering

A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections. Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.
SMTP (Simple Mail Transfer Protocol) is the standard protocol for transferring mail between hosts over TCP. The server listens on TCP port 25 for incoming connection requests. The user end of the connection is on a TCP port number above 1023. Suppose you wish to build a packet filter rule set allowing inbound and outbound SMTP traffic. You generate the following rule set.
Your host in this example has IP address 172.16.1.1. Someone tries to send email from a remote host with IP address 192.168.3.4. If successful, this generates an SMTP dialogue between the remote user and the SMTP server on your host consisting of SMTP commands and mail. Additionally, assume that a user on your host tries to send email to the SMTP server on the remote system. Four typical packets for this scenario are as shown:
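The SMTP scenario above, and the high-numbered-port weakness described under Port Numbering, can be run through a small connection directory. This Python model is an added example, not the slides' own table: it uses the two addresses from the scenario (172.16.1.1 and 192.168.3.4), constructs the two client ports (1234, 1357) and the four packets, and compares the stateless "source port 25 with ACK" rule against a stateful filter that only admits inbound high-port traffic belonging to a recorded connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUR_HOST = "172.16.1.1"     # addresses from the slide's scenario
REMOTE = "192.168.3.4"


@dataclass
class Pkt:
    direction: str  # "in" or "out"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# The four packets of the scenario. The high-numbered client ports (1234, 1357)
# are constructed here; the slide's own table is not reproduced.
SCENARIO = [
    Pkt("in", REMOTE, OUR_HOST, 1234, 25, syn=True),               # remote user opens SMTP to our host
    Pkt("out", OUR_HOST, REMOTE, 25, 1234, syn=True, ack=True),    # our server's SYN-ACK reply
    Pkt("out", OUR_HOST, REMOTE, 1357, 25, syn=True),              # our user opens SMTP to remote host
    Pkt("in", REMOTE, OUR_HOST, 25, 1357, syn=True, ack=True),     # remote server's SYN-ACK reply
]

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def stateless_reply_rule(p: Pkt) -> str:
    """The stateless rule the slides describe: inbound packets from source port 25
    to a high-numbered port are permitted as long as ACK is set."""
    if p.direction == "in" and p.sport == 25 and p.dport > 1023 and p.ack:
        return "permit"
    return "deny"


class StatefulFilter:
    """Directory of TCP connections seen through the firewall. A packet to a
    high-numbered port is permitted only when it belongs to a recorded connection."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # connection -> "syn_sent" or "established"

    def check(self, p: Pkt) -> str:
        key: Key = (p.src, p.sport, p.dst, p.dport)
        reverse: Key = (p.dst, p.dport, p.src, p.sport)
        for k in (key, reverse):
            if k in self.table:                 # part of a known connection
                if p.ack:
                    self.table[k] = "established"
                return "permit"
        # Not in the directory: only a fresh SYN to an SMTP server may open an entry.
        if p.syn and not p.ack and p.dport == 25:
            self.table[key] = "syn_sent"
            return "permit"
        return "deny"


def run_scenario() -> Dict[str, List[str]]:
    fw = StatefulFilter()
    verdicts = [fw.check(p) for p in SCENARIO]
    # An unsolicited inbound packet from port 25 to a high port, with ACK set:
    # the stateless rule lets it through, the stateful directory does not.
    rogue = Pkt("in", REMOTE, OUR_HOST, 25, 4444, ack=True)
    return {
        "scenario": verdicts,
        "rogue": [stateless_reply_rule(rogue), fw.check(rogue)],
    }


if __name__ == "__main__":
    print(run_scenario())
```

All four scenario packets pass both filters; the difference shows up on the fifth, unsolicited packet, which the directory has no entry for. A real stateful firewall also ages entries out and, as the Stateful Filtering slide notes, may track sequence numbers; both are omitted here.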
APPLICATION LEVEL GATEWAY OR APPLICATION PROXY
Proxies in networking are devices that have been given the authorization to access a server on behalf of a client in a network connection.

A proxy server or proxy firewall, for example, connects to a webpage or other service on behalf of an inside individual. Reverse proxies link external clients to corporate-hosted assets, such as linking remote users to an intranet webpage and an administrative file and email server through a business web portal.
• The data moving around within the network is controlled by a gateway proxy, which ensures security.
• To keep the system secure and free from attackers and malware, firewall proxy servers analyze, store, record, and manage requests originating from a user.
• Because the proxy firewall has its own IP address, the network system never connects directly to the internet. It's also known as an application firewall because it analyzes communications at the application level.
The proxy firewall serves as a bridge between a secure local network and the public internet. If internal network devices want to access the internet, they must first interact with the proxy gateway.

The proxy, in turn, transfers data from the local network to the internet, receives information from the database/web server, and delivers it back to the local network.

The proxy firewall protects the internal system from outside network invaders and prohibits direct connections between the local network and the internet.

The proxy firewall has its own IP (internet protocol) address so that the internal network never makes a direct connection with the outside internet. Since it monitors information at the application level, it is also known as an application firewall.
A user attempting to access an external site through a proxy firewall would do so through these steps:

Step 1: The user requests access to the internet through a protocol such as File Transfer Protocol (FTP) or Hypertext Transfer Protocol (HTTP).

Step 2: The user’s computer attempts to create a session between them and the server, sending a synchronize (SYN) message packet from their IP address to the server’s IP address.

Step 3: The proxy firewall intercepts the request, and if its policy allows, replies with a synchronize-acknowledge (SYN-ACK) message packet from the requested server’s IP.

Step 4: When the SYN-ACK packet is received by the user’s computer, it sends a final ACK packet to the server’s IP address. This ensures a connection to the proxy but not a valid Transmission Control Protocol (TCP) connection.

Step 5: The proxy completes the connection to the external server by sending a SYN packet from its IP address. When it receives the server’s SYN-ACK packet, it responds with an ACK packet. This ensures a valid TCP connection between the proxy and the user’s computer and between the proxy and the external server.

Step 6: Requests made through the client-to-proxy connection and then the proxy-to-server connection will be analyzed to ensure they are correct and comply with the corporate policy until either side terminates the connection.
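The six steps amount to two separate TCP connections with a policy check in between. The following Python program is an added example, not part of the slides: it runs a stand-in "external server", a proxy and a client on loopback, so that the proxy accepts the client's connection (Steps 2 to 4), opens its own connection to the server (Step 5) and relays only requests that satisfy a policy (Step 6). One assumption differs from Step 3 as described: the proxy here answers the client's handshake from its own listening address, which is how a transparent proxy's kernel normally behaves, rather than from the server's IP. The allowed-command list, the "250"/"550" replies and the request lines are constructed for the example.

```python
import socket
import threading
from typing import Dict, List

# Hypothetical corporate policy: only these SMTP commands may cross the proxy.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}


def origin_server(listener: socket.socket, results: Dict[str, List[str]]) -> None:
    """Stand-in for the external server: answers every command line with '250'."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        for line in f:
            results["server_saw"].append(line.decode().strip())
            f.write(b"250 " + line.strip() + b"\r\n")
            f.flush()


def proxy(listener: socket.socket, upstream_addr, results: Dict[str, List[str]]) -> None:
    """Steps 3-6: the client's handshake terminates here, the proxy opens its own
    connection to the server, and only policy-compliant requests are relayed."""
    client, _ = listener.accept()                          # client<->proxy TCP connection
    upstream = socket.create_connection(upstream_addr)     # proxy<->server TCP connection
    with client, upstream, client.makefile("rwb") as cf, upstream.makefile("rwb") as uf:
        for line in cf:
            words = line.split()
            cmd = words[0].decode(errors="replace").upper() if words else ""
            if cmd not in ALLOWED_COMMANDS:
                results["blocked"].append(cmd)
                cf.write(b"550 policy: command not allowed\r\n")   # answered by the proxy itself
                cf.flush()
                continue
            uf.write(line)
            uf.flush()
            cf.write(uf.readline())                        # relay the server's reply
            cf.flush()
            if cmd == "QUIT":
                break


def run_demo(requests: List[str]) -> Dict[str, List[str]]:
    """Drive a client through the proxy; everything runs on loopback with ephemeral ports."""
    results: Dict[str, List[str]] = {"server_saw": [], "blocked": [], "replies": []}
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    px = socket.socket(); px.bind(("127.0.0.1", 0)); px.listen(1)
    threads = [
        threading.Thread(target=origin_server, args=(srv, results)),
        threading.Thread(target=proxy, args=(px, srv.getsockname(), results)),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(px.getsockname()) as c, c.makefile("rwb") as f:
        for req in requests:                               # Steps 1-2: the client talks to "the server"
            f.write(req.encode() + b"\r\n")
            f.flush()
            results["replies"].append(f.readline().decode().strip())
    for t in threads:
        t.join()
    srv.close(); px.close()
    return results


if __name__ == "__main__":
    print(run_demo(["HELO client.example.test", "VRFY root", "MAIL FROM:<a@example.test>", "QUIT"]))
```

The server never sees the disallowed `VRFY` line: the proxy refuses it on the client-side connection and the record of the refusal is what an administrator would audit, which is the logging advantage the next slide claims for application-level gateways.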
Application proxy vs Packet filter

Application-level gateways tend to be more secure than packet filters.

Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.
Application Aware Firewall
The application aware firewall feature allows you to apply DPI processing (deep packet inspection, a form of network packet filtering that delves deeper into the actual payload or content of the packets) to firewall rules in a stateful firewall session.

The recommended use case is to restrict or limit the expected protocol on a port. For example, if you have opened a port for SMTP traffic, you can use the application aware firewall to ensure that the port is used only for SMTP. You can also open a port and then restrict the set of applications that can run on the port.
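The "port 25 must carry only SMTP" use case reduces to inspecting the first client payload of each session. This Python sketch is an added example, not a vendor's DPI engine: the protocol signatures, the port-to-application policy and the sample sessions are constructed for the example, and the session key is the same (src, sport, dst, dport) tuple a stateful filter would already hold.

```python
import re
from typing import Dict, Tuple

# Signatures for what the first client-to-server payload of a session looks like.
# Constructed for this example; a real DPI engine carries far richer signature sets.
SIGNATURES = {
    "smtp": re.compile(rb"^(EHLO |HELO |MAIL FROM:|RCPT TO:|STARTTLS|QUIT)", re.IGNORECASE),
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
}

# Hypothetical policy: the application each opened port is expected to carry.
EXPECTED_ON_PORT = {25: "smtp", 80: "http", 22: "ssh"}

Conn = Tuple[str, int, str, int]   # (src, sport, dst, dport), the stateful session key
Verdict = Tuple[str, str]          # ("accept" | "drop", reason)


def identify_application(payload: bytes) -> str:
    for name, sig in SIGNATURES.items():
        if sig.match(payload):
            return name
    return "unknown"


def application_aware_verdict(dst_port: int, first_payload: bytes,
                              policy: Dict[int, str] = EXPECTED_ON_PORT) -> Verdict:
    """The stateful rule has already admitted the session; DPI now checks that the
    first client payload is the protocol the port was opened for."""
    expected = policy.get(dst_port)
    if expected is None:
        return ("drop", "port not opened")
    seen = identify_application(first_payload)
    if seen == expected:
        return ("accept", seen)
    return ("drop", f"expected {expected}, saw {seen}")


class AppAwareFilter:
    """Applies the DPI check once per session and then reuses the verdict, so later
    packets of an accepted session are not re-inspected."""

    def __init__(self, policy: Dict[int, str] = EXPECTED_ON_PORT) -> None:
        self.policy = policy
        self.verdicts: Dict[Conn, Verdict] = {}

    def check(self, conn: Conn, payload: bytes) -> Verdict:
        if conn not in self.verdicts:
            self.verdicts[conn] = application_aware_verdict(conn[3], payload, self.policy)
        return self.verdicts[conn]


if __name__ == "__main__":
    fw = AppAwareFilter()
    smtp = ("192.0.2.7", 40001, "198.51.100.25", 25)    # constructed sample sessions
    bogus = ("192.0.2.7", 40002, "198.51.100.25", 25)
    print(fw.check(smtp, b"EHLO client.example.test\r\n"))
    print(fw.check(bogus, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
```

Inspecting only the first payload is a deliberate trade-off: it is cheap, but a session that switches protocols later (or one protocol tunnelled inside another, such as SMTP after STARTTLS) is outside what this check can see, which is why the slide pairs DPI with the stateful session rather than replacing it.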
iptables

It is a Linux user-space utility program that allows users or system administrators to define rules that control which network traffic is allowed or denied on their Linux system.
Chains: A chain is a set of rules. When a packet is received, iptables finds the appropriate table, then runs it through the chain of rules until it finds a match.

Tables: A table contains a number of built-in chains and may also contain user-defined chains.
Filter table

The Filter table is the most frequently used one. It acts as a bouncer, deciding who gets in and out of your network. It has the following default chains:

Input – the rules in this chain control the packets received by the server.
Output – this chain controls the packets for outbound traffic.
Forward – this set of rules controls the packets that are routed through the server.
Target: A target is what happens after a packet matches a rule's criteria. Non-terminating targets keep matching the packet against the rules in a chain even when the packet matches a rule.

With terminating targets, a packet is evaluated immediately and is not matched against another chain.

The terminating targets in Linux iptables are:

Accept – this rule accepts the packets to come through the iptables firewall.
Drop – the dropped packet is not matched against any further chain. When Linux iptables drops an incoming connection to your server, the person trying to connect does not receive an error. It appears as if they are trying to connect to a non-existing machine.
Return – this rule sends the packet back to the originating chain so you can match it against other rules.
Reject – the iptables firewall rejects a packet and sends an error to the connecting device.
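How a table, its built-in and user-defined chains, and terminating versus non-terminating targets fit together is easiest to see in a small evaluator. The following Python model is an added example and is not iptables itself: it implements the semantics the slide describes (first match within a chain, LOG as a non-terminating target, ACCEPT/DROP/REJECT ending evaluation, RETURN handing the packet back to the calling chain, and the chain policy deciding when nothing matched). The filter table it builds, including the `SSH-GUARD` user chain and the admin subnet, is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # e.g. {"in": "eth0", "proto": "tcp", "src": "10.0.0.5", "dport": 22}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # rule criteria, as a predicate over packet fields
    target: str                       # ACCEPT/DROP/REJECT/RETURN, LOG, or a user-defined chain
    comment: str = ""


@dataclass
class Table:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)   # default verdict of built-in chains

    def add_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = []
        if policy is not None:           # built-in chains have a policy, user chains do not
            self.policy[name] = policy

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)


def walk_chain(table: Table, chain: str, pkt: Packet, log: List[str]) -> Optional[str]:
    """Run the packet through one chain. Returns a terminating verdict, or None when
    the chain is exhausted or RETURN sends the packet back to the calling chain."""
    for rule in table.chains[chain]:
        if not rule.match(pkt):
            continue
        if rule.target == "LOG":          # non-terminating: record and keep matching
            log.append(f"{chain}: {rule.comment}")
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in TERMINATING:    # ACCEPT / DROP / REJECT end evaluation
            return rule.target
        verdict = walk_chain(table, rule.target, pkt, log)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
        # the user chain returned without a verdict: continue with the next rule here
    return None


def filter_packet(table: Table, chain: str, pkt: Packet, log: Optional[List[str]] = None) -> str:
    verdict = walk_chain(table, chain, pkt, log if log is not None else [])
    return verdict if verdict is not None else table.policy[chain]   # fall through to chain policy


def build_filter_table() -> Table:
    """Constructed filter table: default-deny INPUT, SSH only from an admin subnet."""
    t = Table()
    t.add_chain("INPUT", policy="DROP")
    t.add_chain("FORWARD", policy="DROP")
    t.add_chain("OUTPUT", policy="ACCEPT")
    t.add_chain("SSH-GUARD")     # user-defined chain
    t.append("SSH-GUARD", Rule(lambda p: str(p["src"]).startswith("10.0.0."), "ACCEPT", "admin subnet"))
    t.append("SSH-GUARD", Rule(lambda p: True, "LOG", "ssh attempt from outside admin subnet"))
    t.append("SSH-GUARD", Rule(lambda p: True, "RETURN"))
    t.append("INPUT", Rule(lambda p: p["in"] == "lo", "ACCEPT", "loopback"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "SSH-GUARD"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 25, "ACCEPT", "smtp"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 23, "REJECT", "telnet: tell the sender"))
    return t


if __name__ == "__main__":
    table = build_filter_table()
    log: List[str] = []
    outsider_ssh = {"in": "eth0", "proto": "tcp", "src": "203.0.113.5", "dport": 22}
    print(filter_packet(table, "INPUT", outsider_ssh, log), log)
```

An SSH packet from outside the admin subnet walks into `SSH-GUARD`, hits LOG (which records it but does not decide), reaches RETURN, comes back to INPUT, matches nothing further and ends at the INPUT policy of DROP; the sender gets silence, exactly as the Drop description says, whereas the telnet rule's REJECT would answer with an error.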
Firewalls Aren’t Perfect?
• Useless against attacks from the inside
  • Evildoer exists on the inside
  • Malicious code is executed on an internal machine
• Organizations with greater insider threat
  • Banks and Military
• Protection must exist at each layer
  • Assess risks of threats at every layer
• Cannot protect against transfer of all virus infected programs or files
  • because of the huge range of O/S & file types
