Firewalls and VPNs
1
Firewalls
• Prevent specific types of information from
moving between the outside world (untrusted
network) and the inside world (trusted network)
• May be separate computer system; a software
service running on existing router or server; or a
separate network containing supporting devices
• A Roadmap
– Firewall categorization
– Firewall configuration and management
2
Firewall Categorization
①Processing mode
②Development era
③Intended deployment structure
④Architectural implementation
3
Firewall Categorization (1):
Processing Modes
• Packet filtering
• Application gateways
• Circuit gateways
• MAC layer firewalls
• Hybrids
4
Firewall Processing Modes: Network Layers
Processing Mode          Network Layer (OSI)    Network Layer (TCP/IP)
Application gateways     7: Application         5: Application
                         6: Presentation
                         5: Session
Circuit gateways         4: Transport           4: Transport
Packet filtering         3: Network             3: Network
MAC address filtering    2: Data Link           2: Data Link
–                        1: Physical            1: Physical
Source: Adapted from Fig. 6-5 in the textbook
5
Packet Filtering (1)
• Packet filtering firewalls examine the header information of data packets
• Decisions are most often based on a combination of:
– Internet Protocol (IP) source and destination address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) destination port
• Simple firewall models enforce rules that prohibit packets from certain IP address ranges
6
Packet Filtering (2)
• Three subsets of packet filtering firewalls:
– Static filtering: requires manual configuration of firewall rules that determine which packets are allowed or denied
– Dynamic filtering: the firewall can react to an emergent event and update or create rules to deal with it
– Stateful inspection: the firewall tracks each network connection between internal and external systems using a state table
7
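The difference between static filtering and stateful inspection is easiest to see on concrete packets. The following is an added example, not code from the slides or the textbook: a static filter and a state-table filter applied to the same four constructed packets. The trusted network (10.0.0.0/8) and the outside addresses (RFC 5737 documentation ranges) are assumptions made for the illustration.

```python
"""Added example, not from the slides: a static packet filter and a
stateful-inspection filter side by side, on constructed packets.
The trusted network (10.0.0.0/8) and the outside addresses (RFC 5737
documentation ranges) are assumptions for the illustration."""
from dataclasses import dataclass
import ipaddress

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def inbound(pkt: Packet) -> bool:
    """A packet is inbound when it is addressed to the trusted network."""
    return ipaddress.ip_address(pkt.dst) in TRUSTED_NET


def static_filter(pkt: Packet) -> bool:
    """Static filtering: fixed rules and no memory of earlier packets.
    Replies to internal clients arrive on ephemeral ports, so the only way
    a static rule can let them in is to allow inbound TCP to every port
    >= 1024; that also admits unsolicited traffic to any internal service
    listening on a high port."""
    if not inbound(pkt):
        return True                      # trusted network is allowed out
    return pkt.proto == "tcp" and pkt.dport >= 1024


class StatefulFilter:
    """Stateful inspection: outbound connections are recorded in a state
    table, and an inbound packet is admitted only if it is the reply leg
    of a connection already in the table."""

    def __init__(self):
        self.table = set()               # entries: (src, sport, dst, dport, proto)

    def check(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return reply_of in self.table


def run_scenario() -> dict:
    """Run the same four packets through both filters.
    Returns {label: (static_decision, stateful_decision)}, True = allow."""
    fw = StatefulFilter()
    scenario = [
        ("client out", Packet("10.0.0.5", 51000, "203.0.113.10", 443)),
        ("server reply", Packet("203.0.113.10", 443, "10.0.0.5", 51000)),
        ("unsolicited high port", Packet("198.51.100.7", 4444, "10.0.0.5", 8080)),
        ("unsolicited ssh", Packet("198.51.100.7", 4445, "10.0.0.5", 22)),
    ]
    return {label: (static_filter(p), fw.check(p)) for label, p in scenario}


if __name__ == "__main__":
    for label, (static, stateful) in run_scenario().items():
        print(f"{label:24s} static={'allow' if static else 'deny':5s} "
              f"stateful={'allow' if stateful else 'deny'}")
```

The third packet is the point: a static filter that must admit replies on ephemeral ports also admits an unsolicited connection to an internal service on port 8080, while the stateful filter drops it because no outbound connection in the state table matches. A production state table additionally tracks TCP handshake state and expires idle entries; both are omitted here.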
IPv4 Packet Structure (Fig. 6-1)
8
TCP, UDP Segment Structures
TCP segment (32-bit rows): source port #, dest port #; sequence number; acknowledgement number; header length, unused bits, flags U A P R S F, receiver window size; checksum, urgent data pointer; options (variable length); application data (variable length)
UDP segment (32-bit rows): source port #, dest port #; length, checksum; application data (message)
Source: J.F. Kurose and K.W. Ross, Computer Networking: A Top-Down Approach, 7th ed., Addison-Wesley, 2013.
9
Packet Filtering Router (Fig. 6-4)
10
Sample Firewall Rules (Table 6-1)
11
Application Gateways
• Frequently installed on a dedicated computer;
also called proxy server
• Proxy server is often placed in unsecured area
of network (e.g., DMZ) ⇒ it faces higher
levels of risk from attackers
• We can place extra filtering routers behind the
proxy server to protect internal systems
12
Circuit Gateways
• Circuit gateway firewall: transport layer
• Does not usually look at data traffic flowing
between two networks; prevents direct
connections between one network and
another
• Mechanism: create tunnels connecting specific
processes/systems on each side of firewall;
only allow authorized traffic in tunnels
13
MAC Layer Firewalls
• Operates at data-link layer
• Considers specific host computer’s identity in
filtering decision
• Only outbound traffic originating from MAC
addresses of specific computers allowed
– Mechanism: link (MAC address, Ethernet port #),
administered via switches
14
Hybrid Firewalls
• Combine elements of multiple types of
firewalls (e.g., packet filtering and proxy
servers; packet filtering and circuit gateways)
• Alternately, may consist of two separate
firewall devices; separate firewall systems
connected to work together
15
Firewall Categorization (2): Development Era
• First generation: static packet filtering firewalls
• Second generation: application-level firewalls or
proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering
firewalls; allow only packets with particular
source, destination and port addresses to enter
• Fifth generation: kernel proxies; specialized form
working under operating system kernel
16
Firewall Categorization (3): Deployment Structure
• Most firewalls are appliances: stand-alone,
self-contained systems
• Commercial firewall systems: consist of firewall software running on a general-purpose computer
• Small office/home office (SOHO) or
residential firewalls connect users’ LANs or
specific computers to network devices
– Often, firewall software placed on user system
17
Sample Firewall Devices (Fig. 6-6)
18
Firewall Categorization (4): Architectural Implementation
• Firewall devices can be configured in a
number of network connection architectures
• Four common architectural implementations of
firewalls:
– Packet filtering routers
– Screened host firewalls
– Dual-homed firewalls
– Screened subnet firewalls
19
Packet Filtering Routers
• Most organizations with Internet connection
have a router connecting to Internet
• Routers can be configured to reject packets
that org. forbids entering its network
• Drawbacks: limited auditing, weak
authentication
20
Packet Filtering Router (Fig. 6-4)
21
Screened Host Firewalls
• Combines packet filtering router with stand-
alone firewall (e.g., application proxy server)
• Allows router to pre-screen packets to
minimize load on internal proxy
• Separate host is often referred to as bastion
host; can be rich target for external
attacks, needs to be secured carefully
22
Screened Host Firewall (Fig. 6-11)
23
Dual-Homed Host Firewalls
• Bastion host contains two network interface
cards (NICs): one connected to external
network, other connected to internal network
• Architecture typically uses network address
translation (NAT)
– Another barrier to intrusion from attackers
24
Non-Routable (Private) IP Address Ranges (RFC 1918)
Type     IP Address Range               CIDR Mask    IP Subnet Mask                  # Addresses
Class A  10.0.0.0 – 10.255.255.255      /8           255.0.0.0                       2^24 (> 16 M)
Class B  172.16.0.0 – 172.31.255.255    /12 or /16   255.240.0.0 or 255.255.0.0      2^20 (> 1 M) or 2^16 (> 65 K)
Class C  192.168.0.0 – 192.168.255.255  /16 or /24   255.255.0.0 or 255.255.255.0    2^16 (> 65 K) or 2^8 (256)
Source: Adapted from Table 6-4 in the textbook and RFC 1918
25
Dual-Homed Firewall (Fig. 6-12)
26
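Why NAT on a dual-homed host is "another barrier" becomes concrete once the translation table is written down. The following is an added example, not code from the slides or the textbook: a dual-homed host performing source NAT (port address translation) between an RFC 1918 inside network and a single public address. All addresses are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside), and the port allocation scheme is an assumption for the illustration.

```python
"""Added example, not from the slides: a dual-homed host performing
source NAT (port address translation) between an RFC 1918 inside
network and its single public address. All addresses are constructed
(RFC 1918 inside, RFC 5737 documentation ranges outside)."""
from dataclasses import dataclass, replace
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """The dual-homed host: the inside NIC sees private addresses, the
    outside NIC presents one public address. Mappings are keyed on the
    remote endpoint as well as the public port, so only the host that was
    contacted can send anything back through a mapping."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port      # assumed allocation: sequential ports
        self.out_map = {}   # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public port, remote_ip, remote_port) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the private source to public_ip:port."""
        if not is_rfc1918(pkt.src):
            raise ValueError(f"{pkt.src} is not an inside address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Internet -> inside: translate back only if a mapping exists for
        this public port *and* this remote endpoint; otherwise there is no
        inside destination and the packet is dropped (returns None)."""
        target = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


if __name__ == "__main__":
    gw = NatGateway("198.51.100.1")
    out = gw.outbound(Packet("192.168.1.20", 51515, "203.0.113.10", 80))
    print("on the wire:", out)
    print("reply:", gw.inbound(Packet("203.0.113.10", 80, "198.51.100.1", 40000)))
    print("unsolicited:", gw.inbound(Packet("198.51.100.77", 9999, "198.51.100.1", 40000)))
```

The barrier is structural rather than a policy decision: an outside host that was never contacted has no entry in the translation table, so its packet has no inside destination at all, even if it guesses the public port in use. Real NAT implementations also expire mappings and differ in how strictly they key on the remote endpoint, which is why some inbound traffic does get through "cone" NATs.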
Screened Subnet Firewalls (DMZ) (1)
• Dominant architecture used today
• Typically has ≥ 2 internal bastion hosts behind a packet filtering router, each host protecting the trusted network:
– Connections from the outside (untrusted network) are routed through an external filtering router
– Connections from the outside (untrusted network) are routed into and out of a routing firewall to a separate network segment: the demilitarized zone (DMZ)
– Connections into the trusted internal network are allowed only from the DMZ bastion host servers
27
Screened Subnet Firewalls (DMZ) (2)
• Screened subnet performs two functions:
– Protects DMZ systems and information from
outside threats
– Protects the internal networks by limiting how
external connections can gain access to internal
systems
• Another facet of DMZs: extranets
28
Screened Subnet Firewall (Fig. 6-13)
29
Selecting the Right Firewall
• When selecting firewall, consider a number of factors:
– Which is the best trade-off between protection, cost for
needs of organization?
– What’s included (and what’s not) in base price?
– How easy is configuration? Are staff technicians available
for this purpose?
– How well does the firewall adapt to the organization's growing network?
• Second most important issue: cost
30
Configuring and Managing Firewalls
• Each firewall device must have own set of
configuration rules regulating its actions
• Firewall policy configuration is usually
complex and difficult (“black art”)
• When security rules conflict with business
performance, security often loses!
• Linux firewall
31
Best Practices for Firewalls
• All traffic from the trusted network is allowed out
• Use MAC address filtering for Ethernet ports, authentication for wireless LANs
• Firewall device never directly accessed from the public network
• Allow Simple Mail Transfer Protocol (SMTP)
• Deny Internet Control Message Protocol (ICMP) (in practice, keep the ICMP "fragmentation needed" messages that path MTU discovery depends on)
• Telnet access to internal servers should be blocked
• If Web services are offered outside the firewall, block HTTP traffic from reaching internal networks
32
Firewall Rules
• Operate by examining data packets and
performing comparison with predetermined
logical rules
• Logic based on set of guidelines most
commonly referred to as firewall rules, rule
base, or firewall logic
• Most firewalls use packet header information to
determine whether specific packet should be
allowed or denied
33
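The best-practice list and the "firewall rules" description come together in a rule base evaluated top to bottom with an implicit final deny. The following is an added example, not code from the slides or the textbook: the best practices above written as first-match rules, an evaluator, and a check for rules shadowed by earlier ones (a common rule-base defect). The addresses (10.0.0.0/8 internal, 172.16.1.0/24 DMZ, 203.0.113.1 as the firewall's public address, and specific DMZ mail and web hosts) are assumptions for the illustration.

```python
"""Added example, not from the slides: a first-match rule base encoding
the best-practice rules, an evaluator with implicit final deny, and a
shadowed-rule check. All addresses are assumptions for the illustration
(10.0.0.0/8 internal, 172.16.1.0/24 DMZ, 203.0.113.1 firewall public)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("172.16.1.0/24")
FW_PUBLIC = ipaddress.ip_network("203.0.113.1/32")
MAIL_GW = ipaddress.ip_network("172.16.1.25/32")     # assumed SMTP gateway in DMZ
WEB_SRV = ipaddress.ip_network("172.16.1.80/32")     # assumed web server in DMZ


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]        # "tcp", "udp", "icmp" or None for any
    dport: Optional[int]        # None for any
    action: str                 # "allow" or "deny"
    note: str = ""

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match also matches self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


# Order matters: the first matching rule wins.
RULES = [
    Rule(ANY, FW_PUBLIC, None, None, "deny", "firewall never accessed from outside"),
    Rule(INTERNAL, ANY, None, None, "allow", "trusted network allowed out"),
    Rule(ANY, MAIL_GW, "tcp", 25, "allow", "SMTP, only to the mail gateway"),
    Rule(ANY, ANY, "icmp", None, "deny", "ICMP denied"),
    Rule(ANY, INTERNAL, "tcp", 23, "deny", "no Telnet to internal servers"),
    Rule(ANY, WEB_SRV, "tcp", 80, "allow", "public web server lives in the DMZ"),
    Rule(ANY, INTERNAL, "tcp", 80, "deny", "HTTP never reaches internal networks"),
]


def evaluate(rules, src: str, dst: str, proto: str, dport: Optional[int] = None):
    """First matching rule decides; nothing matched means implicit deny.
    Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, i
    return "deny", None


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


if __name__ == "__main__":
    for src, dst, proto, dport in [("10.0.0.5", "203.0.113.50", "tcp", 443),
                                   ("198.51.100.7", "172.16.1.25", "tcp", 25),
                                   ("198.51.100.7", "10.0.0.5", "tcp", 23),
                                   ("198.51.100.7", "203.0.113.1", "tcp", 22)]:
        print(src, "->", dst, proto, dport, evaluate(RULES, src, dst, proto, dport))
    print("shadowed rules:", shadowed(RULES))
```

The shadowing check is the one a reviewer of a rule base wants most: a broad "allow" placed above a narrow "deny" silently disables the deny, and nothing in normal operation reports it. The check here is conservative (it only flags a rule fully contained in one earlier rule), which is enough to catch the ordering mistakes that matter in practice.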
Example Network Config. (Fig. 6-14)
34
Firewall Rules (1) (Table 6-16)
35
Firewall Rules (2) (Table 6-17)
36
Virtual Private Networks (VPNs) (1)
• Private, secure network connection between
systems over insecure, public Internet
• Securely extends org.’s internal network
connections to remote locations beyond its
perimeter
37
Virtual Private Networks (VPNs) (2)
• A VPN must achieve three goals:
– Encapsulate incoming and outgoing data
– Encrypt incoming and outgoing data
– Authenticate the remote computer and, where required, the user
38
Transport Mode
• IP packet payload is encrypted; header information is not
• Lets a user establish a secure link directly with a remote host easily
• Two popular uses:
– End-to-end transport of encrypted data
– Remote worker connects to office network over
Internet by connecting to VPN server at perimeter
39
Transport Mode VPN (Fig. 6-18)
40
Tunnel Mode
• Organization sets up two perimeter tunnel servers as encryption points: all network traffic between them is encrypted in transit
• Main benefit of tunnel mode: intercepted packets reveal only the tunnel endpoints, nothing about the true source and destination
• Examples of tunnel mode VPNs:
– Pulse Secure appliance
– Microsoft Internet Application Gateway
41
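The contrast between the two modes is exactly what an on-path observer can read from the outer header. The following is an added example, not code from the slides, the textbook or any VPN product: packets are a constructed 8-byte header (source, destination) plus payload, and the cipher is a toy HMAC-SHA256 keystream with an HMAC tag standing in for the AEAD a real IPsec ESP implementation would use. The addresses (RFC 1918 inside, RFC 5737 documentation ranges for the tunnel servers) are assumptions for the illustration.

```python
"""Added example, not from the slides: what an on-path observer sees in
transport mode versus tunnel mode. Packets are a constructed 8-byte
header (src, dst) plus payload. The cipher is a TOY encrypt-then-MAC
built from HMAC-SHA256 (stand-in for a real AEAD such as AES-GCM in ESP);
do not reuse it outside this illustration."""
import hashlib
import hmac
import ipaddress
import os
import struct

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; reject tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def ip_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed packet format: 4-byte src, 4-byte dst, payload."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def parse(pkt: bytes):
    """Split a packet into (src, dst, payload)."""
    return (str(ipaddress.IPv4Address(pkt[:4])),
            str(ipaddress.IPv4Address(pkt[4:8])), pkt[8:])


def transport_encap(key: bytes, pkt: bytes) -> bytes:
    """Transport mode: payload encrypted, original header left in the clear."""
    src, dst, payload = parse(pkt)
    return ip_packet(src, dst, seal(key, payload))


def transport_decap(key: bytes, pkt: bytes) -> bytes:
    src, dst, sealed = parse(pkt)
    return ip_packet(src, dst, unseal(key, sealed))


def tunnel_encap(key: bytes, pkt: bytes, gw_out: str, gw_in: str) -> bytes:
    """Tunnel mode: the whole original packet, header included, is encrypted
    and wrapped in a new header addressed between the two tunnel servers."""
    return ip_packet(gw_out, gw_in, seal(key, pkt))


def tunnel_decap(key: bytes, pkt: bytes) -> bytes:
    _, _, sealed = parse(pkt)
    return unseal(key, sealed)


def observer_view(pkt: bytes):
    """What an interceptor without the key learns: the outer addresses."""
    src, dst, _ = parse(pkt)
    return src, dst


if __name__ == "__main__":
    key = os.urandom(32)
    orig = ip_packet("10.0.0.5", "10.1.0.9", b"GET /payroll HTTP/1.1")
    print("transport mode, observer sees:", observer_view(transport_encap(key, orig)))
    print("tunnel mode, observer sees:   ",
          observer_view(tunnel_encap(key, orig, "198.51.100.1", "203.0.113.1")))
```

In transport mode the observer still learns which internal hosts are talking (10.0.0.5 to 10.1.0.9) even though the payload is opaque; in tunnel mode the only addresses on the wire are the two tunnel servers. The integrity tag matters in both modes: without it an on-path attacker could flip ciphertext bits undetected, which a stream-cipher construction like this one would otherwise pass straight through to the inner packet.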
Tunnel Mode VPN (Fig. 6-19)
42
Example VPN: Pulse Secure
Source: Pulse Secure, LLC; https://www.pulsesecure.net/products/psa-series/ (PSA 5000)
– More VPN info: A. Marshall, Tech Radar, https://www.techradar.com/vpn/best-vpn, 16 May 2019.
43
Summary
• Firewall technology
– Four methods for categorization
– Firewall configuration and management
• Virtual Private Networks
– Two modes
44