
Firewall 1

This document provides an overview of firewalls as security mechanisms that control access between an organization's internal network and the external internet. It discusses various firewall mechanisms, security lapses, authentication methods, packet filtering, and the different types of firewalls, including packet filtering firewalls, dual home gateways, and screened host firewalls. Additionally, it addresses challenges such as complacency, encapsulated packets, and throughput issues, along with the use of proxies and NAT for enhanced security.

Uploaded by

sarfaraztabish

Firewalls

Introduction
This lecture discusses a security mechanism of the Internet, namely the firewall. In brief, a firewall is a
configuration of routers and networks placed between an organization's internal internet and its
connection to an external internet to provide security. In other words, a firewall is a mechanism that
provides limited access to machines, either from the outside world to the internal internet or from the
internal world to the outside world. By providing these security mechanisms we increase the processing
time before one can access a machine, so there is a trade-off between security and ease of use. A firewall
partitions an internet into two regions, referred to informally as the inside and the outside.

 ______________________        __        ____________________
|                      |      |  |      |                    |
|   Rest of Internet   |______|  |______|      Intranet      |
|______________________|      |__|      |____________________|
                            Firewall
        Outside                                Inside

Security Lapses

Vulnerable services - NFS: a user should not be allowed to export certain files to the outside
world, and someone from the outside world should likewise not be allowed to export our files.
Routing-based attacks: some kinds of ICMP messages should not be allowed to enter my
network, e.g. source routing and route-change (redirect) ICMPs.
Controlled access to our systems: e.g. the mail server and web pages should be accessible from
outside, but our individual PCs should not be accessible from the outside world.
Authentication: encryption can be used between hosts on different networks.
Enhanced privacy: some applications should be blocked, e.g. finger.
PING and SYN attacks: since these messages are sent very frequently, you won't be able to do
anything except reply to them. So I should not allow these messages to enter my network.

So whatever I provide for my security is called a firewall. It is a mechanism, not just a piece of
hardware or software.

Firewall Mechanisms
1. Network policy: here we take into consideration what services are allowed for outside and inside
users; the services that are allowed can have additional restrictions. E.g. I might be allowed to
download things from the net but not upload, i.e. outside users cannot download things from our
net. There may be exceptional cases which have to be handled separately, and if some new
application comes up, we choose an appropriate network policy for it.

Compiled by Sudeep Basu for CSE/IT Dept, SIT Page 1


2. Authentication mechanism: an application can be designed which asks for a password for
authentication.

3. Packet filtering: the router has information about particular packets which should not be
allowed through.

4. Application gateways, or proxy servers.

Certain Problems with Firewall

1. Complacency: there are many attacks on the firewall from internal users, and therefore its
limitations should be understood.

2. Encapsulated packets: an encapsulated packet is an IP packet within another IP packet. If we
ask the router to drop encapsulated packets, it will drop the multicast packets as well.

3. Throughput: in order to check which packets are allowed and which are not, we are doing
some processing, which is an overhead and thus affects throughput.

Authentication:

We can use the following mechanisms:

One-time passwords: a password is used only once and then it changes, but only the user and
the machine know the changing passwords.
Password aging: users are forced to change passwords at regular intervals.
Smart cards: swiped through a reader on the PC.
Biometrics: eyes or fingerprints are used.
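A worked illustration of the one-time password item above, added here and not part of the original notes: a hash-chain (Lamport/S-KEY style) scheme, which is one concrete way to get "used only once" and "only the user and the machine know" without the server ever storing the seed. The seed value and the chain length are constructed for the example.

```python
import hashlib

def hash_chain(seed: bytes, n: int) -> bytes:
    """Return H^n(seed): SHA-256 applied n times (n = 0 returns the seed itself)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class OneTimePasswordServer:
    """Firewall / terminal-server side: stores only the current chain head, never the seed.
    A candidate is accepted only if hashing it once yields the stored head."""
    def __init__(self, head: bytes, remaining: int):
        self.head = head            # H^n(seed) handed over at enrolment
        self.remaining = remaining  # passwords left before re-enrolment is needed

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0 or hashlib.sha256(candidate).digest() != self.head:
            return False            # wrong password, a replay, or the chain is used up
        self.head = candidate       # from now on a replay of this value hashes to the wrong head
        self.remaining -= 1
        return True

class OneTimePasswordClient:
    """User side: knows the seed and counts down; the i-th password sent is H^(n-i)(seed)."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n

    def next_password(self) -> bytes:
        self.n -= 1                 # each password is the preimage of the previous one
        return hash_chain(self.seed, self.n)

def enrol(seed: bytes, n: int):
    """Enrolment: the user picks a seed; the server receives only H^n(seed) and n."""
    return OneTimePasswordClient(seed, n), OneTimePasswordServer(hash_chain(seed, n), n)
```

Anyone who captures a password on the wire learns only a value whose preimage (the next password) is not derivable from it, which is why a replayed or sniffed password is rejected.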

Packet Filtering:

Terms associated:

Source IP address
Destination IP address
Source port #
Destination port #
protocol
interface

Many commercial routers offer a mechanism that augments normal routing and permits a
manager to further control packet processing. Informally called a packet filter, the mechanism
requires the manager to specify how the router should dispose of each datagram. For example,
the manager might choose to filter (i.e. block) all datagrams that come from a particular source
or those used by a particular application, while choosing to route other datagrams to their
destination.

The term packet filter arises because the filtering mechanism does not keep a record of
interactions or a history of previous datagrams. Instead, the filter considers each datagram
separately. When a datagram first arrives, the router passes it through the packet filter
before performing any other processing. If the filter rejects the datagram, the router drops it
immediately.

For example, normally I won't allow TFTP, openwin, RPC, rlogin or rsh packets to pass through
the router, whether from inside or outside; the router simply discards these packets. But I might put
some restrictions on telnet, ftp, http and smtp packets before they are allowed through the router,
so some processing has to be done before discarding or allowing these packets.

Because TCP/IP does not dictate a standard for packet filters, each router vendor is free to
choose the capabilities of their packet filter as well as the interface the manager uses to configure
the filter. Some routers permit a manager to configure separate filter actions for each interface,
while others have a single configuration for all interfaces. Usually, when specifying datagrams
that the filter should block, a manager can list any combination of source IP address, destination
IP address, protocol, source protocol port number, and destination protocol port number.
So these filtering rules can become tricky under complex network policies.

Since filtering rules are based on port numbers, there is a problem with RPC applications.
First, the number of well-known ports is large and growing. Thus a manager would need to
update such a list continually, because a simple error of omission could leave the firewall
vulnerable. Second, much of the traffic on an internet does not travel to or from a well-known
port. In addition to programmers who can choose port numbers for their private client-server
applications, services like Remote Procedure Call (RPC) assign ports dynamically. Third, listing
ports of well-known services leaves the firewall vulnerable to tunneling, a technique in which
one datagram is temporarily encapsulated in another for transfer across part of an internet.
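The stateless filter described in this section, written out as an added example (not code from the notes): rules match on the fields listed under "Terms associated" (addresses, protocol, ports, arriving interface), the first matching rule decides, and an unmatched datagram is dropped. The policy mirrors the examples above (TFTP, rlogin, rsh and RPC blocked, SMTP and HTTP admitted to one server, inside users free to go out); the 10.0.0.0/8 intranet and the 10.0.0.5 server are constructed addresses, and the interface check on the first rule is my addition.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """The fields a stateless filter looks at: addresses, ports, protocol, arrival interface."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    iface: str      # "outside" or "inside": the side the datagram arrived on

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # a None field matches anything
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; an unmatched datagram is denied. No history is kept:
    each datagram is judged on its own fields alone, which is what makes the filter stateless."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed policy: the intranet is 10.0.0.0/8 and the mail/web server is 10.0.0.5.
POLICY = [
    Rule("deny", iface="outside", src="10.0.0.0/8"),   # an inside address arriving from outside is forged
    Rule("deny", proto="udp", dport=69),                # TFTP, in both directions
    Rule("deny", proto="tcp", dport=513),               # rlogin
    Rule("deny", proto="tcp", dport=514),               # rsh
    Rule("deny", dport=111),                            # RPC portmapper (tcp and udp)
    Rule("permit", iface="outside", proto="tcp", dst="10.0.0.5/32", dport=25),  # SMTP to mail server
    Rule("permit", iface="outside", proto="tcp", dst="10.0.0.5/32", dport=80),  # HTTP to web server
    Rule("permit", iface="inside", src="10.0.0.0/8"),   # inside users may initiate anything outward
]
```

Because only the destination port is inspected, a reply to an inside user's outbound connection is admitted only if some permit rule happens to cover it; that gap is exactly the one the transparent proxy's "memory of earlier packets" later in the notes is meant to close.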

Relay Software (proxies):

I can run multiple proxies on the same machine. They may detect misuse by keeping logs. For
example, some machines give logins to Ph.D. students; in this case it's better to keep proxy
servers than to give logins on those machines. But the disadvantage is that there are two
connections for each process.

 __________                    __________
|          |       1.         |          |       2.
|   User   |__________________|  Proxy   |______________ Outside
|__________|                  |__________|

Various Firewall Considerations

1. Packet Filtering Firewall

This is the simplest design and is chosen when the network is small and users don't run
many intranet applications.

             __________
            |          |
Intranet ___|  Router  |___ Internet
            |__________|
                 |
               Filter

2. Dual home gateway

This gives the least amount of flexibility. Instead of a router, we have an application gateway.

           ______________
          | Application  |
Inside ___|    level     |___ Outside
          |   gateway    |
          |______________|
              (proxy)

3. Screened host Firewall

It is a combination of the above two schemes. Some applications are allowed through uninterrupted
while others have to be screened. For any reasonable-size network, a screened host firewall can get
overloaded.

           __________                                __________
          |          |                              |          |
Inside ___| Router 1 |______________________________| Router 2 |___ Outside
          |__________|              |               |__________|
                               _____|_____
                              |           |
                              |   Proxy   |
                              |___________|

The problem with this is that there is only one proxy, so it may get overloaded. Therefore,
to reduce the load, we can use multiple screened hosts, and this is what is normally used.

           __________                                __________
          |          |                              |          |
Inside ___| Router 1 |______________________________| Router 2 |___ Outside
          |__________|              |               |__________|
                               _____|_____
                              |           |
                              |  Proxy 1  |  Proxy 2 .......
                              |___________|

Modem pool
A user can dial in and reach only a terminal server, and has to give a password there. But TELNET and
FTP clients do not understand proxies. Therefore people came up with the transparent proxy, which means
that I keep some memory of whether this packet was allowed earlier or not, so I need not check it again
this time. The client does not know that somebody is checking its authentication.
So a transparent proxy is used only for checking the IP packets, whereas a proxy is used when many IP
addresses are not available.

Private IP (PIP address)

It is an extension of the transparent proxy. Here we also change the IP address (the source address) to
one of the allocated IP addresses and send the packet on. So the client does not know that the IP
address has been changed; only the proxy server knows. The machine that changes the IP address is the
network address translator (NAT). NAT also changes other things, like the CRC and the TCP header
checksum (which is calculated using the pseudo IP header). NAT can also change the port number.

e.g. port address translation

          ____________
X -------|            |
         |    NAT     |
Y -------|____________|

   (IP address, port #)
   X1, P1  ---->  G1, Pa
   X1, P2  ---->  G1, Pb
   Y,  P3  ---->  G1, Pc

I may not like to have a global IP address because then anybody can contact me in spite of these
security measures. So I work with a private IP. In that case there has to be a one-to-one mapping
between the private IP and the global IP.
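The port address translation table above and the checksum remark, worked out as an added example (not code from the notes): each private (IP, port) pair gets its own global port, the reverse mapping is what lets replies back in, and a packet from outside with no entry is simply dropped. The TCP checksum function shows why NAT has to recompute it: the pseudo header it covers contains the very addresses NAT rewrites. The private range, the global address 203.0.113.1 and the port counter starting at 40000 are constructed values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from itertools import count
from typing import Dict, Iterator, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port number), as in  X1, P1 ----> G1, Pa

@dataclass
class PortAddressTranslator:
    """Outbound: (private IP, port) -> (global IP, assigned port), one entry per pair.
    Inbound: a packet is passed on only if its destination port has an entry; an
    unsolicited packet from outside has none and is dropped."""
    global_ip: str                                    # G1
    _ports: Iterator[int] = field(default_factory=lambda: count(40000))
    _out: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    _in: Dict[int, Endpoint] = field(default_factory=dict)

    def translate_out(self, src: Endpoint) -> Endpoint:
        if src not in self._out:
            gport = next(self._ports)                 # Pa, Pb, Pc ...
            self._out[src] = (self.global_ip, gport)
            self._in[gport] = src                     # remembered so the reply can come back
        return self._out[src]

    def translate_in(self, dst_port: int) -> Optional[Endpoint]:
        return self._in.get(dst_port)                 # None means drop: nobody inside asked

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (Internet checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the pseudo IP header (src, dst, zero byte, protocol 6, TCP length)
    followed by the segment. Recomputing it over a segment that already carries the right
    checksum gives 0, which is how a receiver validates it."""
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + b"\x00\x06" + len(segment).to_bytes(2, "big"))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF
```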
