36 Firewalls
Learning Objectives
- Outline the purpose of firewalls.
- Discuss the basic firewall components.
- Discuss firewall architecture and the various types of firewalls.
1. Introduction
Firewalls are computer security systems that protect your office or home PCs, or your network, from intruders, hackers and malicious code. Firewalls protect you from offensive software that may come to reside on your systems and from prying hackers. In a day and age when online security concerns are a top priority for computer users, firewalls provide the necessary safety and protection. Firewalls are software programs or hardware devices that filter the traffic that flows into your PC or your network through an Internet connection. They sift through the data flow and block whatever they deem harmful to your network or computer system (based on how, and for what, you have tuned the firewall). When connected to the Internet, even a standalone PC or a network of interconnected computers makes an easy target for malicious software and unscrupulous hackers. A firewall can offer the security that makes you less vulnerable, and also protects your data from being compromised or your computers from being taken hostage.
1.1 What do Firewalls Protect?
- Data
- Proprietary corporate information.
- Financial information
- Sensitive employee or customer data
- Resources
- Computing resources consist of any physical or virtual component of limited availability within a computer system. Each device connected to a computer system is a resource.
- Time resources: a resource that emits new versions on a configured interval. The interval can be arbitrarily long. This resource is built to satisfy "trigger this job at least once every interval", not "trigger this build at the tenth hour of every Sunday".
- Reputation: when an intruder uses an organization's network to attack other sites, this leads to a loss of confidence in the organization.
1.2 Who do Firewalls Guard Against?
- Internal Users
- Hackers
- Corporate Espionage
- Cyber Terrorists
2. Basic Firewall Components
2.1 Policy: building a secure strategy.
2.2 Advanced authentication (or "two-factor authentication"): requires an additional, separate factor or credential in order to complete the sign-in process. This second credential is usually delivered as a one-time PIN (OTP) received by something that the user physically possesses (e.g. an application or SMS message on a mobile device, a hardware token or a paper token).
2.3 Packet inspection: deep packet inspection and filtering enables advanced network management, user service and security functions, as well as Internet data mining, eavesdropping and Internet censorship.
2.4 Application gateway: an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy.
2.5 Common Internet threats: some of the common Internet threats are given below:
- Malware
- Computer Virus
- Rogue Security Software
- Trojan horse
- Malicious spyware
- Computer worm
- Botnet
- Spam
- Rootkit
- Phishing
- Denial of service attacks
Specific attacks that cause a server to crash, or that flood the server with traffic to disrupt or deny service.
- Intrusion threats
- Attacks on services/exploits
The backend server may not be hardened enough for adequate protection, but the firewall can block external attacks.
- Information threats
- “Viral” threats
- Defacement
3. How Vulnerable are Internet Services?
3.1 E-mail or smtp – Simple Mail Transfer Protocol
- TCP/IP based, port 25 (POP on port 110). In computing, the Post Office Protocol (POP) is an application-layer Internet standard protocol used by local email clients to retrieve email from a remote server over a TCP/IP connection.
- E-mail bombing (stalking): in Internet usage, an email bomb is a form of net abuse that consists of sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted, in a denial-of-service attack.
Anonymous harassment: workplace harassment is a serious problem that must not be taken lightly, even when the complainant does not know the source of the harassment and the harassing behaviour is anonymous.
Large amounts of e-mail sent to a single user address.
- Spamming
Messages sent to numerous different users from one host.
- Virus download mechanism
Code Red: "Code Red" and "Code Blue" are the two terms commonly used to refer to a cardiopulmonary arrest, but other kinds of emergencies (for instance bomb threats, terrorist activity, child abductions, or mass casualties) may be given "Code" designations as well. (In the context of this list, Code Red refers to the Internet worm of 2001, which spread between web servers and is the outbreak the Nimda entry below refers to.)
Nimda: Nimda is a malicious file-infecting computer worm. It spread rapidly, surpassing the economic damage caused by previous outbreaks such as Code Red.
Traffic on TCP/IP port 25 (POP on 110) is not always traceable and can be very insecure.
3.2 FTP – File Transfer Protocol
- TCP/IP based port 20/21:
- Risks include unencrypted authentication and data transfers. Usernames and passwords can be "sniffed". Data transfers are unencrypted, so data can be viewed in transit, often as part of default installations. Anonymous FTP is possible.
3.3 HTTP – Hypertext Transfer Protocol
TCP/IP based port 80
Risks include:
- Browsers can be used to run dangerous commands
- The protocol can be used between user agents and other protocols, e.g. SMTP, NNTP, FTP
- Difficult to secure
- Remote execution of commands (server side)
- Non-secure add-on applications:
- Java
- Cookies
- SOAP
3.4 HTTPS – Secure Hypertext Transfer Protocol
TCP/IP based port 443: TCP port 443 is the standard TCP port used by websites that use SSL. When you visit a site whose address starts with https, you are connecting to port 443.
Risks include: browsers can be used to run dangerous commands; remote execution of commands (server side); and HTTPS becomes a tunnel for any data, which can be used to subvert firewall/security controls.
3.5 DNS
The DNS service uses port number 53 for both TCP and UDP at the transport layer. One of the major risks is DNS cache poisoning: an attacker uses it to redirect valid connections to an unknown server, and this is called DNS spoofing. DNS is absolutely needed for network services.
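The cache poisoning risk above is countered on the resolver side by refusing to cache anything that does not match an outstanding query. The following is an added example, not code from the original notes: a toy resolver that randomizes the transaction ID and source port, checks that a reply's ID, port and question match a pending query, and discards records outside the bailiwick of the server that was asked. Messages are constructed Python objects rather than wire-format DNS, and all names and addresses are documentation or test values.

```python
"""Resolver-side defences against DNS cache poisoning / spoofing: randomized transaction ID
and source port, question matching, and a bailiwick check on returned records.
Added example, not from the original notes; messages are constructed Python objects rather
than wire-format DNS, and all names and addresses are documentation/test values."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def normalize(name: str) -> str:
    """Lower-case and ensure a trailing dot so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it (the server may speak for it)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


@dataclass
class Response:
    txid: int
    dport: int               # port the reply arrives on; must equal the query's source port
    qname: str
    answers: Dict[str, str]  # constructed: record name -> IPv4 address


@dataclass
class Resolver:
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[Tuple[int, int], Tuple[str, str]] = field(default_factory=dict)

    def send_query(self, qname: str, server_zone: str) -> Tuple[int, int]:
        """Record an outstanding query. Both the 16-bit ID and the source port are random,
        so a blind spoofer must guess roughly 2^32 combinations rather than 2^16."""
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65535 - 1024)
        self.pending[(txid, sport)] = (normalize(qname), normalize(server_zone))
        return txid, sport

    def receive(self, r: Response) -> str:
        """Validate a reply before anything from it enters the cache."""
        key = (r.txid, r.dport)
        if key not in self.pending:
            return "rejected: no outstanding query with this transaction ID and port"
        qname, zone = self.pending[key]
        if normalize(r.qname) != qname:
            return "rejected: question section does not match the query"
        del self.pending[key]
        accepted = 0
        for name, ip in r.answers.items():
            if in_bailiwick(name, zone):          # drop out-of-zone "extra" records
                self.cache[normalize(name)] = ip
                accepted += 1
        return f"accepted {accepted} record(s)"


if __name__ == "__main__":
    resolver = Resolver()
    txid, sport = resolver.send_query("www.example.com", "example.com")
    reply = Response(txid, sport, "www.example.com",
                     {"www.example.com": "192.0.2.10", "www.bank.test": "198.51.100.66"})
    print(resolver.receive(reply), resolver.cache)
```

The out-of-bailiwick record for `www.bank.test` is silently dropped even though the reply itself is genuine: a server asked about `example.com` has no authority to tell the resolver where another domain lives. Once an answer is accepted the pending entry is removed, so a late duplicate reply is rejected too.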
5. Firewall Architecture Overview
The configuration that works best for a particular organization depends on three factors:
The objectives of the network, the organization‘s ability to develop and implement the architectures, and the budget available for the function.
There are four common architectural implementations of firewalls. These implementations are
a) Packet Filtering routers,
b) Screened host firewalls,
c) Dual-homed firewalls,and
d) Screened subnet firewalls.
Packet Filtering Routers
An organization that uses an Internet connection should have a router as the interface at the perimeter between its internal networks and the external service provider. The router can be configured with an access control list (ACL) to reject packets that are not allowed into the network. This kind of firewall reduces the risk from external attack.
Screened host firewalls
This firewall combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server. This technique allows the router to pre-screen packets to minimize the network traffic and load on the internal proxy. The application proxy verifies the application layer protocol, such as HTTP, and provides the proxy services. This type of host is often termed a bastion host and should be very highly secured. Although the bastion host/application proxy actually contains only cached copies of the internal Web documents, it can still present a promising target, because compromise of the bastion host can disclose the configuration of the internal network. To its advantage, this configuration requires an external attack to compromise two separate systems before the attack can access internal data.
Dual-Homed Host Firewalls
When the dual-homed host firewall architectural approach is used, the bastion host contains two NICs (Network Interface Cards) rather than one, as in the bastion host configuration. One NIC is connected to the external network and one to the internal network, providing an additional layer of protection. With two NICs, all traffic must physically go through the firewall to move between the internal and external networks. NAT is a method of mapping real, valid, external IP addresses to special ranges of non-routable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.
Screened Subnet Firewalls
The most common firewall architecture is the screened subnet firewall. The architecture of a screened subnet firewall provides a DMZ. The DMZ uses a dedicated port on the firewall to link a single bastion host, or a screened subnet. The DMZ is commonly placed on the untrusted network side, where the servers provide the various services.
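The packet filtering router's ACL and the screened subnet's DMZ come together in the policy such a filter enforces. The following is an added example, not code from the original notes: a stateless packet filter with three zones (internal, DMZ, external) and an ordered, first-match, default-deny rule list of the kind a perimeter router carries. The address plan, zone names and rules are constructed for illustration.

```python
"""Stateless packet filter enforcing a screened-subnet (DMZ) policy.
Added example, not from the original notes; the address plan, zones and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption): one network per firewall leg. Anything that does
# not fall in a listed network is treated as the untrusted external side.
ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),   # TEST-NET-1 standing in for a public DMZ range
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Ordered like a router ACL: the first matching rule wins, and a packet that matches no rule
# is dropped (implicit deny). Internet hosts may only reach the DMZ web ports; the DMZ may
# only reach the one internal database port; internal hosts may originate traffic outward.
ACL: List[Rule] = [
    Rule("permit", "external", "dmz", "tcp", 80),
    Rule("permit", "external", "dmz", "tcp", 443),
    Rule("permit", "dmz", "internal", "tcp", 5432),
    Rule("permit", "internal", "dmz"),
    Rule("permit", "internal", "external", "tcp"),
    Rule("permit", "internal", "external", "udp", 53),
    Rule("deny", "external", "internal"),   # explicit, so the drop can be logged by name
]


def filter_packet(pkt: Packet, acl: List[Rule] = ACL) -> str:
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", "192.0.2.10", "tcp", 80),    # Internet -> DMZ web: permit
        Packet("203.0.113.9", "10.0.0.20", "tcp", 22),     # Internet -> internal SSH: deny
        Packet("192.0.2.10", "10.0.0.20", "tcp", 5432),    # DMZ web -> internal DB: permit
        Packet("192.0.2.10", "10.0.0.20", "tcp", 22),      # DMZ host -> internal SSH: deny
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}  {filter_packet(p)}")
```

The fourth sample shows why the DMZ earns its name: even if the bastion host in the DMZ is compromised, the only path it has into the internal network is the single database port, which is the "two separate systems" property described for the screened host architecture.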
6. Basic Firewall Components
Basic firewall components consist of:
- Software
- Hardware
- Purpose Built/Appliance based
Problems related to Firewalls
There are some problems related to the implementation and maintenance of a firewall, which are:
- Administrative limitations
- Access
- Monitoring
- Logging
- Management requirements
- Additional control points
- Additional non-secure applications required
- Software limitations
- Capacity
- Availability
- Hardware
6.1 Packet Filtering Firewalls
Products:
- First generation firewalls
- Typically routers
First Generation Firewall Technology
Most organizations with an Internet connection use a router as the interface at the perimeter between the organization's internal networks and the external service provider. Most of these routers can be configured to reject packets that the organization does not allow into the network. This is a simple but effective way to reduce the organization's risk from external attack. The drawbacks of this type of firewall include a lack of auditing and of strong authentication.
Application Level Firewalls:
Web Proxy Servers
A web proxy server is a computer placed between the user's computer and a website's server when data or a webpage is requested. There are two common reasons for using a web proxy:
- To speed up browsing by caching webpage data (a Web cache).
- To remain anonymous towards the website being visited, whereby the web proxy acts as a go-between for the user and the server.
Application Proxy Servers
Web Application Proxy provides organizations with the ability to provide selective access to applications running on servers inside the organization to end users located outside of the organization.
The process to make the application available externally is known as publishing.
Products
None that are strictly Proxy based
“Gateway Servers”
Second Generation Firewall Technology
In 1989-1990, AT&T Bell Labs developed the second generation firewall, calling it the circuit level gateway. It operates up to Layer 4 (the Transport Layer). This is achieved by retaining enough packets in a buffer until enough information is available to make a judgement about the connection's state. Thus it records all connections passing through it and determines whether a packet is part of an existing connection or a new one. This type of firewall is also known as stateful packet inspection.
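The connection table that the paragraph describes can be shown in a few dozen lines. The following is an added example, not code from the original notes: a stateful filter that tracks the TCP handshake per flow, lets reply packets in only when a matching flow exists, and tears the entry down on a reset. The inside address prefix, the state names and the packet trace are constructed.

```python
"""Second-generation (stateful) inspection: a connection table decides whether a TCP packet
belongs to a flow the inside already opened. Added example, not from the original notes; the
inside prefix and the packet trace are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_PREFIX = "10.0.0."   # constructed: the internal leg of the firewall (assumption)

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the packet that opened the flow


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST); "SA" is a SYN-ACK


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}   # flow -> SYN_SENT | SYN_RECV | ESTABLISHED

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def state(self, src: str, sport: int, dst: str, dport: int) -> Optional[str]:
        return self.table.get((src, sport, dst, dport))

    def inspect(self, p: TcpPacket) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                      # packet from the side that opened the flow
            if "R" in p.flags:
                del self.table[fwd]                # a reset tears the entry down immediately
            elif self.table[fwd] == "SYN_RECV" and "A" in p.flags:
                self.table[fwd] = "ESTABLISHED"    # third step of the handshake
            return "permit"
        if rev in self.table:                      # reply from the responder
            state = self.table[rev]
            if "R" in p.flags:
                del self.table[rev]
                return "permit"
            if state == "SYN_SENT" and p.flags == "SA":
                self.table[rev] = "SYN_RECV"
                return "permit"
            if state in ("SYN_RECV", "ESTABLISHED"):
                return "permit"
            return "deny"                          # e.g. data arriving before the SYN-ACK
        # No entry: only a SYN originating on the inside may create one, so an unsolicited
        # inbound SYN or a bare ACK with no flow behind it is dropped.
        if p.flags == "S" and self.is_inside(p.src) and not self.is_inside(p.dst):
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"

    def run(self, packets: List[TcpPacket]) -> List[str]:
        return [self.inspect(p) for p in packets]


if __name__ == "__main__":
    fw = StatefulFilter()
    trace = [                                       # constructed handshake plus two probes
        TcpPacket("10.0.0.5", 40000, "203.0.113.7", 80, "S"),
        TcpPacket("203.0.113.7", 80, "10.0.0.5", 40000, "SA"),
        TcpPacket("10.0.0.5", 40000, "203.0.113.7", 80, "A"),
        TcpPacket("203.0.113.7", 443, "10.0.0.5", 40001, "S"),   # unsolicited inbound SYN
        TcpPacket("203.0.113.7", 80, "10.0.0.5", 40002, "A"),    # bare ACK, no flow
    ]
    for pkt, verdict in zip(trace, fw.run(trace)):
        print(pkt.flags.ljust(2), pkt.src, "->", pkt.dst, verdict)
```

A stateless ACL that wants to admit replies to outbound connections has to permit every inbound segment with the ACK bit set, which is exactly what the last probe in the trace exploits; the connection table removes that hole because a packet is judged by the flow it belongs to, not by its own flag bits.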
Hybrid Firewalls
A hybrid firewall provides both packet filtering functions and application proxy functions. This type belongs to the third generation of firewalls. The key benefit is that it can understand certain application layer protocols (FTP, HTTP, DNS). This generation of firewall is very useful for detecting whether an unwanted protocol is trying to use the standard port of a known application (e.g. HTTP) to bypass the firewall. This firewall can also inspect whether a packet contains virus signatures. It hooks into socket calls automatically. Disadvantages are that it is quite slow and that rules can get complicated. It also cannot possibly support all applications at the application layer.
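The two checks the paragraph attributes to this generation, protocol verification on a well-known port and signature matching, look like this in practice. The following is an added example, not code from the original notes: the first segment of each flow to port 80 must parse as an HTTP/1.x request line, and the payload is then matched against a signature table. The signature table holds only the harmless EICAR anti-virus test string, the port-to-handler map is an assumption of this example, and the sample flows are constructed.

```python
"""Third-generation (hybrid) check at the application layer: traffic on port 80 must actually
be HTTP, and payloads are matched against known signatures. Added example, not from the
original notes; the signature table holds only the harmless EICAR test string, and the sample
payloads are constructed."""
import re
from typing import Dict, List, Tuple

# A well-formed HTTP/1.x request starts with "<METHOD> <target> HTTP/1.x\r\n".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")

# Signature table (constructed). The EICAR string is the industry-standard, harmless
# anti-virus test file, which is why it is safe to embed here.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Ports the proxy understands at the application layer (assumption: only HTTP in this example).
PROTOCOL_CHECKS = {80: HTTP_REQUEST_LINE, 8080: HTTP_REQUEST_LINE}


def classify(dport: int, payload: bytes) -> str:
    """Return 'permit' or a 'deny: <reason>' verdict for the first segment of a flow."""
    matcher = PROTOCOL_CHECKS.get(dport)
    if matcher is None:
        return "deny: no application-layer handler for this port"
    if not matcher.match(payload):
        return f"deny: non-HTTP traffic on port {dport}"
    for name, sig in SIGNATURES.items():
        if sig in payload:
            return f"deny: matched signature {name}"
    return "permit"


def filter_flows(flows: List[Tuple[int, bytes]]) -> List[str]:
    return [classify(port, payload) for port, payload in flows]


# Constructed sample flows: a normal request, an SSH banner sent to the web port to slip past a
# port-only filter, an upload carrying the test signature, and a port with no handler.
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.0\r\n"),
    (80, b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 68\r\n\r\n"
         + SIGNATURES["EICAR-Test-File"]),
    (25, b"EHLO mail.example.com\r\n"),
]

if __name__ == "__main__":
    for (port, payload), verdict in zip(SAMPLE_FLOWS, filter_flows(SAMPLE_FLOWS)):
        print(port, payload[:24], verdict)
```

The second flow is the case the paragraph is about: a stateless or stateful filter keyed on port 80 alone admits it, whereas a proxy that parses the request line does not. The last sentence of the paragraph also shows up here: any port without a handler is dropped, which is the cost of only supporting the protocols the proxy understands.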
Products
- Raptor Firewall by Symantec.
- Firewall by Checkpoint.
- Sidewinder Firewall by Secure Computing.
- Lucent Brick by Lucent.
6.2 Firewall Hardware Types
Three basic hardware options:
- Appliance based systems
They are purpose built and simply highly integrated.
- 3rd party servers
They are general-purpose systems and additionally support the channel with greater flexibility. Hybrid servers are purpose built for a limited product line. They are often closely integrated with software offerings and may have a separate support channel. Most of the components are highly integrated.
6.3 Network Firewall Architectures
Screening Router
Access lists provide security against attackers at the network layer. Routers are not aware of the application layer; this router only inspects network-level information, i.e. the packet at layer 3 of the OSI model.
Disadvantages:
- Does not provide a great deal of security
- Very fast
- Not commonly used alone for security
Simple Firewall: Simple Firewall is an easy-to-use program for Microsoft Windows devices to allow or block programs from connecting to the Internet.
Multi-Legged Firewall: this is used in small to large sized businesses where the security requirement is greater. It provides stronger security and creates a secure sandbox for semi-trusted services; flexible and secure.
Firewall Sandwich
These are layered firewall approaches for large enterprises with low risk tolerance. It separates the internal environments and reduces the most frequent computer crimes, since most attacks are internally based.
Advantages: layered security is considered the best approach; strong security controls coupled with audit, administrative reviews and an effective security response plan will provide a strong holistic defense.
Summary
- Outlined the purpose of firewalls.
- Discussed the basic firewall components.
- Discussed firewall architecture and the various types of firewalls.