Ch12 NetSec6e

This document discusses firewalls and their role in network security. Firewalls establish a controlled link between an organization's internal network and the internet to protect the internal network from external threats. They act as a single choke point where security controls can be enforced. Various firewall techniques like packet filtering, stateful inspection, application proxies, and circuit-level gateways are described along with their strengths and weaknesses. Bastion hosts are also introduced as critical systems used to host firewall services.

Network Security
Chapter 12: Firewalls
Quotations

The function of a strong position is to make the forces holding it practically unassailable.
— On War, Carl Von Clausewitz

On the day that you take up your command, block the frontier passes, destroy the official tallies, and stop the passage of all emissaries.
— The Art of War, Sun Tzu
2 4/17/2022
The Need for Firewalls
• Internet connectivity is no longer optional for organizations
• Individual users within the organization want and need Internet access
• While Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets
• This creates a threat to the organization
• While it is possible to equip each workstation and server on the premises network with strong security features, this may not be sufficient and in some cases is not cost-effective

• Firewall
  • An alternative, or at least complement, to host-based security services
  • Is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter
  • The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed
  • May be a single computer system or a set of two or more systems that cooperate to perform the firewall function
Firewall characteristics
• Design goals for a firewall:
  • All traffic from inside to outside, and vice versa, must pass through the firewall
  • Only authorized traffic, as defined by the local security policy, will be allowed to pass
  • The firewall itself is immune to penetration

• Techniques that firewalls use to control access and enforce the site's security policy:
  • Service control: determines the types of Internet services that can be accessed, inbound or outbound
  • Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall
  • User control: controls access to a service according to which user is attempting to access it
  • Behavior control: controls how particular services are used
Firewall expectations
A firewall:
• Defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks
• Provides a location for monitoring security-related events
• Is a convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPsec
Firewall limitations
A firewall:
• Cannot protect against attacks that bypass the firewall
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally
• May not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker
• Cannot guard against wireless communications between local systems on different sides of the internal firewall
Table 12.1 Packet-Filtering Example
Packet Filtering firewalls
Weaknesses
• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions
• Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited
• Most packet filter firewalls do not support advanced user authentication schemes
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack
• Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations

Strengths
• Simplicity
• Transparent to users and very fast
Attacks and countermeasures
• IP address spoofing
  • The intruder transmits packets from the outside with a source IP address field containing an address of an internal host
  • Countermeasure is to discard packets with an inside source address if the packet arrives on an external interface
• Source routing attacks
  • The source station specifies the route that a packet should take as it crosses the internet, in the hopes that this will bypass security measures that do not analyze the source routing information
  • Countermeasure is to discard all packets that use this option
• Tiny fragment attacks
  • The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment
  • Countermeasure is to enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header
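The following is an added example, not code from the slides or from any firewall product: a first-match packet filter in the spirit of Table 12.1 that applies the three countermeasures above (anti-spoofing on the external interface, discarding source-routed packets, and a minimum transport-header length for first fragments) before consulting the rule table. The site address block 10.0.0.0/8, the mail relay 10.0.0.25, the 16-byte first-fragment minimum, the rule set and all sample packets are constructed assumptions.

```python
# Added example (not from the slides): a first-match packet filter in the
# spirit of Table 12.1, with the three countermeasures applied before the
# rule table is consulted. Addresses, rules and sample traffic are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed site address block
MIN_FIRST_FRAG_L4 = 16                   # assumed policy: transport-header bytes a first fragment must carry


@dataclass
class Packet:
    iface: str                   # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None when the transport header is not in this fragment
    frag_offset: int = 0         # IP fragment offset; 0 marks the first (or only) fragment
    more_frags: bool = False     # IP "more fragments" flag
    l4_bytes: int = 0            # transport-layer bytes in this fragment (used only when fragmented)
    source_routed: bool = False  # IP source-route option present


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    iface: str           # "external", "internal" or "*"
    src: str             # CIDR or "*"
    dst: str             # CIDR or "*"
    proto: str           # "tcp", "udp", "icmp" or "*"
    dport: object = "*"  # port number or "*"


RULES = [  # constructed rule table, first match wins
    Rule("permit", "external", "*", "10.0.0.25/32", "tcp", 25),  # inbound SMTP to the mail relay
    Rule("permit", "internal", "10.0.0.0/8", "*", "tcp", 80),   # outbound HTTP
    Rule("permit", "internal", "10.0.0.0/8", "*", "tcp", 443),  # outbound HTTPS
    Rule("deny", "*", "*", "*", "*", "*"),                      # default: deny everything else
]


def countermeasure_reason(pkt):
    """Return a drop reason if one of the three countermeasures fires, else None."""
    # IP address spoofing: an inside source address must never arrive on the outside interface
    if pkt.iface == "external" and ip_address(pkt.src) in INTERNAL_NET:
        return "anti-spoofing: internal source address on external interface"
    # Source routing: discard every packet carrying the option
    if pkt.source_routed:
        return "source routing option present"
    # Tiny fragments: the first fragment must carry a minimum amount of the transport header
    if pkt.more_frags and pkt.frag_offset == 0 and pkt.l4_bytes < MIN_FIRST_FRAG_L4:
        return "tiny fragment: first fragment carries too little transport header"
    return None


def _net_match(cidr, addr):
    return cidr == "*" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    return (rule.iface in ("*", pkt.iface)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in ("*", pkt.dport))


def filter_packet(pkt, rules=RULES):
    """Return (action, reason): countermeasures first, then first-match rules."""
    reason = countermeasure_reason(pkt)
    if reason:
        return "deny", reason
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, f"matched rule {idx}"
    return "deny", "implicit deny"  # reached only if the table lacks a catch-all rule


SAMPLES = {  # constructed traffic; 203.0.113.0/24 is a documentation range
    "spoofed": Packet("external", "10.0.0.7", "10.0.0.25", "tcp", 25),
    "source_routed": Packet("external", "203.0.113.9", "10.0.0.25", "tcp", 25, source_routed=True),
    "tiny_fragment": Packet("external", "203.0.113.9", "10.0.0.25", "tcp", None, 0, True, 8),
    "inbound_smtp": Packet("external", "203.0.113.9", "10.0.0.25", "tcp", 25),
    "inbound_ssh": Packet("external", "203.0.113.9", "10.0.0.25", "tcp", 22),
    "outbound_https": Packet("internal", "10.0.0.7", "203.0.113.9", "tcp", 443),
}


def run_samples():
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_samples().items():
        print(f"{name:15} {action:6} {reason}")
```

Note that the spoofed packet would have been permitted by rule 0 on its addresses and port alone; the anti-spoofing check has to run on the ingress interface, before the rule table, to catch it.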
Table 12.2 Example Stateful Firewall Connection State Table [SCAR09b]
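As an added example, not part of the slides or of Table 12.2 itself, here is a minimal stateful inspection engine: it records each TCP connection an inside host opens to a permitted port and admits inbound segments only when they belong to a recorded connection. The site block 10.0.0.0/8, the permitted port set and the sample segments are constructed; a real table would also track sequence numbers and idle timeouts, which this sketch omits.

```python
# Added example (not from the slides): a minimal stateful inspection table
# in the spirit of Table 12.2. Addresses and the permitted port set are constructed.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site address block


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


class StatefulFirewall:
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table = {}  # (src, sport, dst, dport) as seen from the inside initiator -> state

    def inspect(self, seg):
        """Return (action, reason) and update the connection state table."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if key in self.table:  # original direction of a tracked connection
            self._advance(key, seg.flags)
            return "permit", f"tracked connection ({self.table.get(key, 'closed')})"
        if rev in self.table:  # reply direction of a tracked connection
            self._advance(rev, seg.flags)
            return "permit", f"reply to tracked connection ({self.table.get(rev, 'closed')})"
        inside_src = ipaddress.ip_address(seg.src) in INTERNAL_NET
        if seg.flags == {"SYN"} and inside_src and seg.dport in self.allowed:
            self.table[key] = "SYN_SENT"  # a new outbound connection is recorded
            return "permit", "new outbound connection"
        # Anything else (unsolicited inbound SYN, stray ACK, spoofed SYN/ACK) has no state
        return "deny", "no matching connection state"

    def _advance(self, key, flags):
        if "FIN" in flags or "RST" in flags:
            del self.table[key]  # simplified teardown: the first FIN or RST closes the entry
        elif {"SYN", "ACK"} <= flags and self.table[key] == "SYN_SENT":
            self.table[key] = "ESTABLISHED"


def demo():
    """Constructed exchange; returns the verdicts and the table left behind."""
    fw = StatefulFirewall(allowed_outbound_ports={80, 443})
    steps = [
        Segment("10.0.0.5", 49152, "203.0.113.10", 443, frozenset({"SYN"})),        # inside host opens HTTPS
        Segment("203.0.113.10", 443, "10.0.0.5", 49152, frozenset({"SYN", "ACK"})),  # server's reply
        Segment("203.0.113.66", 443, "10.0.0.5", 50000, frozenset({"ACK"})),         # stray inbound ACK
        Segment("203.0.113.66", 40000, "10.0.0.5", 22, frozenset({"SYN"})),          # unsolicited inbound SYN
        Segment("10.0.0.5", 49152, "203.0.113.10", 443, frozenset({"FIN", "ACK"})),  # inside host closes
    ]
    verdicts = [fw.inspect(s)[0] for s in steps]
    return verdicts, dict(fw.table)


if __name__ == "__main__":
    print(demo())
```

The third segment is the case that separates stateful from stateless filtering: a stateless rule that admits inbound segments merely because the ACK flag is set would pass it, whereas the table above denies it because no inside host ever opened that connection.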
Application Level Gateway
• Also called an application proxy
• Acts as a relay of application-level traffic
• If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall
• The gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features
• Tend to be more secure than packet filters
• Disadvantage: the additional processing overhead on each connection
Circuit-Level Gateway
• Also called circuit-level proxy
• Can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications
• Does not permit an end-to-end TCP connection
• The security function consists of determining which connections will be allowed
• Typical use is a situation in which the system administrator trusts the internal users
• Can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections
• Example of implementation is the SOCKS package
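The following is an added example, written for this page and not taken from the slides or from the SOCKS package: the admission decision a SOCKS5 circuit-level gateway makes, using the RFC 1928 message layouts for the client greeting, the CONNECT request and the server reply. The policy (outbound ports 80 and 443 only, no circuits back into 10.0.0.0/8) and the sample requests are constructed. On a successful reply a real gateway opens its own TCP connection to the destination and relays bytes, so the client never gets an end-to-end TCP connection; the relay itself is outside this sketch.

```python
# Added example (not from the slides or the SOCKS package): the admission
# decision of a SOCKS5 circuit-level gateway, using RFC 1928 message layouts.
# Policy values, addresses and client messages are constructed.
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def select_method(greeting, require_auth=False):
    """Greeting is VER NMETHODS METHODS...; reply with the method the gateway accepts."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    wanted = METHOD_USERPASS if require_auth else METHOD_NOAUTH  # trusted internal users: no auth
    chosen = wanted if wanted in greeting[2:] else METHOD_NONE
    return bytes([SOCKS_VER, chosen])


def parse_request(data):
    """Request is VER CMD RSV ATYP DST.ADDR DST.PORT; return (cmd, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed DST.PORT")
    return cmd, host, struct.unpack("!H", rest)[0]


def build_reply(rep):
    # Reply is VER REP RSV ATYP BND.ADDR BND.PORT; BND fields are 0.0.0.0:0 here
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


class CircuitPolicy:
    """Which outbound circuits the gateway will relay (constructed policy)."""

    def __init__(self, allowed_ports, protected_nets):
        self.allowed_ports = set(allowed_ports)
        self.protected_nets = [ipaddress.ip_network(n) for n in protected_nets]

    def permits(self, host, port):
        if port not in self.allowed_ports:
            return False, f"destination port {port} not permitted"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:  # domain name: the relay must resolve it and re-check the address
            return True, "domain destination accepted pending resolution"
        if any(addr in net for net in self.protected_nets):
            return False, "destination inside a protected network"
        return True, "permitted"


def handle_request(data, policy):
    """Return (reply_bytes, reason) for one client request."""
    cmd, host, port = parse_request(data)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED), "only CONNECT is relayed"
    ok, reason = policy.permits(host, port)
    return build_reply(REP_OK if ok else REP_RULESET), reason


def demo():
    """Constructed exchange: returns the greeting reply and the REP code of each request."""
    policy = CircuitPolicy(allowed_ports={80, 443}, protected_nets=["10.0.0.0/8"])
    greeting_reply = select_method(b"\x05\x01\x00")  # client offers "no authentication"
    requests = [
        b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb",       # CONNECT 203.0.113.10:443
        b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + b"\x01\xbb",           # CONNECT 10.0.0.5:443 (inside)
        b"\x05\x02\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x50",       # BIND: not supported
        b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x00\x50",   # CONNECT example.com:80
    ]
    return greeting_reply, [handle_request(r, policy)[0][1] for r in requests]


if __name__ == "__main__":
    print(demo())
```

The domain-name branch is the caveat to keep in mind: the gateway can only check the destination address after it resolves the name, so the protected-network test has to be repeated at that point rather than trusted from the parse.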
Bastion Host
• A system identified by the firewall administrator as a critical strong point in the network's security
• Typically serves as a platform for an application-level or circuit-level gateway
• Common characteristics:
  • Executes a secure version of its operating system, making it a hardened system
  • Only the services that the network administrator considers essential are installed
  • May require additional authentication before a user is allowed access to the proxy services
  • Each proxy is configured to support only a subset of the standard application's command set
  • Each proxy is configured to allow access only to specific host systems
  • Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection
  • Each proxy module is a very small software package specifically designed for network security
  • Each proxy is independent of other proxies on the bastion host
  • A proxy generally performs no disk access other than to read its initial configuration file
  • Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host
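The following is an added example, not code from the slides or from any proxy product, illustrating both the application-level gateway slide (supporting only the features the administrator considers acceptable) and the bastion host characteristics above (a command subset, access to specific hosts only, and an audit record of every command, connection and its duration). It models one proxied SMTP session: the permitted verb subset, the single permitted inside server 10.0.0.25, the client address and the deterministic clock are all constructed assumptions, and the proxy's handling of DATA is simplified to entering body mode as soon as the command is relayed.

```python
# Added example (not from the slides): the command-subset filter and audit
# record of an application-level proxy as it would run on a bastion host.
# The verb subset, the permitted server, the session script and the clock are constructed.
import time

ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed subset; VRFY/EXPN absent
ALLOWED_SERVERS = {"10.0.0.25"}  # the only inside host this proxy relays to (assumed)


class ProxySession:
    """One proxied client connection: filters commands and records audit entries."""

    def __init__(self, client, server, clock=time.monotonic):
        self.client, self.server, self.clock = client, server, clock
        self.started = clock()
        self.in_data = False  # after DATA, message body lines are relayed until the "." terminator
        self.audit = [{"event": "open", "client": client, "server": server}]

    def handle(self, line):
        """Return ("forward", line) to relay to the server, or ("reject", reply) to answer locally."""
        verb = line.split(maxsplit=1)[0].upper() if line.split() else ""
        if self.server not in ALLOWED_SERVERS:
            verdict, out = "reject", "554 relay to that host not permitted"
        elif self.in_data:  # message body: not a command, relay untouched until "."
            self.in_data = line.rstrip("\r\n") != "."
            verb, verdict, out = "<body>", "forward", line
        elif verb in ALLOWED_VERBS:
            self.in_data = verb == "DATA"
            verdict, out = "forward", line
        else:
            verdict, out = "reject", "502 command not implemented"
        # every line is logged, whether relayed or refused
        self.audit.append({"t": round(self.clock() - self.started, 3), "verb": verb, "verdict": verdict})
        return verdict, out

    def close(self):
        """Record the connection's duration and return it."""
        duration = round(self.clock() - self.started, 3)
        self.audit.append({"event": "close", "duration": duration})
        return duration


def demo():
    """Constructed session: returns the verdicts, the duration and the audit trail."""
    ticks = iter(range(100))

    def clock():  # deterministic clock: one second per call
        return float(next(ticks))

    session = ProxySession("203.0.113.9", "10.0.0.25", clock=clock)
    script = ["EHLO mail.example.test", "VRFY root", "MAIL FROM:<a@example.test>",
              "RCPT TO:<b@example.test>", "DATA", "Subject: hi", ".", "QUIT"]
    verdicts = [session.handle(line)[0] for line in script]
    duration = session.close()
    return verdicts, duration, session.audit


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The VRFY line is refused with a locally generated reply and never reaches the mail server, while the audit trail still records that it was attempted; that combination, a reduced command set plus a complete log, is what the bastion host characteristics above describe.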
Host-Based Firewall
• A software module used to secure an individual host
• Is available in many operating systems or can be provided as an add-on package
• Filters and restricts the flow of packets
• Common location is a server
• Advantages:
  • Filtering rules can be tailored to the host environment
  • Protection is provided independent of topology
  • Used in conjunction with stand-alone firewalls, provides an additional layer of protection
Personal Firewall
• Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side
• Can be used in the home environment and on corporate intranets
• Typically is a software module on the personal computer
• Can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Primary role is to deny unauthorized remote access to the computer
• Can also monitor outgoing activity in an attempt to detect and block worms and other malware
Figure 12.2 Example Personal Firewall Interface
Summary of Firewall Locations and Topologies
• Host-resident firewall
  • This category includes personal firewall software and firewall software on servers
  • Can be used alone or as part of an in-depth firewall deployment
• Screening router
  • A single router between internal and external networks with stateless or full packet filtering
  • This arrangement is typical for small office/home office (SOHO) applications
• Single bastion inline firewall
  • A single firewall device between an internal and external router
  • This is the typical firewall appliance configuration for small-to-medium sized organizations
• Single bastion T
  • Similar to single bastion inline but has a third network interface on the bastion to a DMZ where externally visible servers are placed
• Double bastion inline
  • DMZ is sandwiched between bastion firewalls
• Double bastion T
  • DMZ is on a separate network interface on the bastion
• Distributed firewall configuration
  • Used by some large businesses and government organizations
Summary
• The need for firewalls
• Firewall characteristics
• Types of firewalls
  • Packet filtering firewall
  • Stateful inspection firewalls
  • Application level gateway
  • Circuit level gateway
• Firewall basing
  • Bastion host
  • Host based firewalls
  • Personal firewall
• Firewall locations and configurations
  • DMZ networks
  • Virtual private networks
  • Distributed firewalls
  • Firewall location and topologies