9.3 Types of Firewalls
Firewalls monitor network traffic at various levels, from examining individual low-level packets to
analyzing application protocol details. They enforce access policies by acting as:
• Positive filters: Allowing only packets that meet specific criteria.
• Negative filters: Rejecting packets that meet certain criteria.
Firewalls implement access policies by inspecting protocol headers, packet payloads, or patterns from a
sequence of packets. The main types of firewalls are described below:
1. Packet Filtering Firewall
A packet filtering firewall applies rules to each incoming and outgoing IP packet, deciding whether to
forward or discard the packet.
Key Filtering Criteria:
• Source IP Address: The IP address of the origin system (e.g., 192.178.1.1).
• Destination IP Address: The IP address of the target system (e.g., 192.168.1.2).
• Source/Destination Transport-Level Address: Port numbers (e.g., for SNMP or TELNET).
• IP Protocol Field: Specifies the transport protocol (e.g., TCP, UDP).
• Interface: Identifies which firewall port the packet came from or is headed to.
Rule Matching:
• Rules are applied to fields in the IP/TCP header.
• If a match is found, the rule determines the packet’s fate.
• If no match is found, a default action is taken.
Default Policies:
a) Default = Discard: Blocks everything unless expressly permitted.
o Provides higher security but is less user-friendly.
o Suitable for businesses and government organizations.
b) Default = Forward: Allows everything unless expressly prohibited.
o Easier for users but less secure.
o Commonly used by open institutions like universities.
Example Rule Set for Simple Mail Transfer Protocol (SMTP) Traffic (Simplified):
The goal is to allow email traffic (inbound and outbound) but block all other traffic.
Rule | Purpose                                                                | Example Configuration
1    | Allow inbound email from external sources (port 25 for SMTP incoming). | Source: External, Dest: 25
2    | Allow responses to inbound SMTP connections.                           | Source: 25, Dest: Internal
3    | Allow outbound email to external sources.                              | Source: Internal, Dest: 25
4    | Allow responses to outbound SMTP connections.                          | Source: 25, Dest: Internal
5    | Block all other traffic (default policy).                              | Implicitly applied.
Common Issues with Rule Sets:
a) Overly Broad Rules:
o Example: Rule 4 allows traffic to any port above 1023, which attackers could exploit to
target internal servers.
o Solution: Use specific source ports (e.g., for rules 1 and 3: Source Port > 1023; for rules 2
and 4: Source Port = 25).
b) Default Port Vulnerability:
o Attackers can misuse default ports like 25 to gain unauthorized access.
o Solution: Add an acknowledgment (ACK flag) field to rules, ensuring packets must have
the appropriate acknowledgment flag set (e.g., for rule 4).
Advantages of Packet Filtering Firewalls
a) Simplicity:
o Easy to configure and manage.
o Transparent to users, ensuring seamless operations.
b) Speed:
o Operates efficiently with minimal impact on network performance.
Weaknesses of Packet Filtering Firewalls
a) Limited Upper-Layer Analysis:
o Cannot inspect or block application-specific vulnerabilities or commands.
o Allows all functions of an approved application.
b) Restricted Logging Capability:
o Logs contain basic details like source address, destination address, and traffic type.
o Insufficient for detailed forensic analysis.
c) Lack of Advanced Authentication:
o Does not support advanced user authentication schemes.
d) Vulnerability to TCP/IP Exploits:
o Susceptible to network layer address spoofing and other TCP/IP stack issues.
o Cannot detect altered OSI Layer 3 addressing information.
e) Configuration Challenges:
o Risk of improper configurations that may inadvertently allow unauthorized traffic.
o Misconfigured firewalls can undermine an organization’s security policies.
Common Attacks on Packet Filtering Firewalls
a) IP Address Spoofing:
o Attack: Intruders send packets with a fake internal source IP address to bypass security
measures.
o Countermeasure: Discard packets with internal source addresses arriving at external
interfaces.
b) Source Routing Attacks:
o Attack: Packets are sent with a specific route to bypass security filters that ignore source
routing information.
o Countermeasure: Reject all packets that include source routing options.
c) Tiny Fragment Attacks:
o Attack: Uses IP fragmentation to split TCP header information across multiple small
fragments, bypassing filtering rules.
o Countermeasure:
▪ Enforce a rule that the first fragment of a packet must include a minimum
amount of the transport header.
▪ Track rejected fragments and discard all subsequent ones.
TCP Connection ACK Flag Rule Explanation
• Packet filtering firewalls use the ACK flag in TCP connections for enhanced security.
• How It Works:
o Once a TCP connection is established, the ACK flag acknowledges segments from the
other side.
o A rule is implemented to allow incoming packets with a source port of 25 (SMTP) only if
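The SMTP rule set with the refinements from "Common Issues with Rule Sets" (client source port above 1023 on rules 1 and 3, source port 25 plus the ACK flag on rules 2 and 4) as an added Python example; it is not code from the original notes. The internal network 192.168.1.0/24 and the rule encoding are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed assumption: the protected network behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False          # TCP ACK flag

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src_internal: Optional[bool]       # True = internal, False = external, None = any
    dst_internal: Optional[bool]
    sport_min: int = 0                 # source port range
    sport_max: int = 65535
    dport_min: int = 0                 # destination port range
    dport_max: int = 65535
    ack_required: bool = False         # only segments of an established connection

def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET

def matches(rule: Rule, p: Packet) -> bool:
    src_ok = rule.src_internal is None or is_internal(p.src) == rule.src_internal
    dst_ok = rule.dst_internal is None or is_internal(p.dst) == rule.dst_internal
    ports_ok = (rule.sport_min <= p.sport <= rule.sport_max
                and rule.dport_min <= p.dport <= rule.dport_max)
    return src_ok and dst_ok and ports_ok and (p.ack or not rule.ack_required)

# Rules 1 and 3: client port > 1023 to server port 25. Rules 2 and 4: replies from port 25
# to a client port > 1023, only with ACK set, so port 25 alone does not open a new connection.
SMTP_RULES = [
    Rule("permit", False, True, 1024, 65535, 25, 25),          # 1: inbound mail
    Rule("permit", True, False, 25, 25, 1024, 65535, True),    # 2: replies to inbound
    Rule("permit", True, False, 1024, 65535, 25, 25),          # 3: outbound mail
    Rule("permit", False, True, 25, 25, 1024, 65535, True),    # 4: replies to outbound
]

def filter_packet(p: Packet, rules=SMTP_RULES, default="deny") -> str:
    """First match wins; rule 5 is the default policy (default = discard)."""
    for r in rules:
        if matches(r, p):
            return r.action
    return default
```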
2. Stateful Inspection Firewalls
a. Definition and Purpose
• A stateful inspection firewall tracks the state of active connections and uses this context to
make filtering decisions.
• Unlike a traditional packet filter, it considers higher-layer context, such as the state of a TCP
connection, to enhance security.
b. Context in Network Traffic
• Many standardized applications running on TCP use a client/server model:
o Client: Initiates communication and generates data (e.g., sending an email).
o Server: Receives data and performs specific functions (e.g., storing email in
mailboxes).
Example: SMTP Protocol
• SMTP (Simple Mail Transfer Protocol) operates by creating a TCP connection:
o Server Port Number: Always 25 (well-known port for SMTP servers).
o Client Port Number: Randomly chosen between 1024 and 65535.
c. Traditional Packet Filter Limitation
• Traditional packet filters make decisions based only on individual packets, without
considering the full context of connections.
• Example:
o To allow TCP-based traffic, a traditional packet filter must permit inbound traffic on all
high-numbered ports (1024–65535).
o This creates vulnerabilities, as unauthorized users can exploit these open ports.
d. Stateful Packet Inspection Firewalls
• These firewalls enhance security by maintaining a directory of outbound TCP connections.
• Example:
o The directory contains an entry for every active TCP connection.
o Incoming traffic to high-numbered ports is allowed only if it matches an entry in this
directory.
Key Features of Stateful Inspection Firewalls
• Tracking Connection States:
o Monitors active TCP connections and allows packets only if they belong to a valid
connection.
• TCP Sequence Number Tracking:
o Keeps track of TCP sequence numbers to prevent attacks like session hijacking.
• Application Data Inspection (for some protocols):
o Inspects application-level data for protocols like FTP, IM, and SIPS to identify related
connections.
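The directory of outbound TCP connections described in d. and under Key Features, as an added Python example that is not code from the original notes: entries are created by an outbound SYN, inbound traffic to a high-numbered port is permitted only if it matches an entry, and teardown removes the entry. The internal network, the approved server ports and the simplified teardown handling are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the protected network behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False

class StatefulFilter:
    """Directory of outbound TCP connections, keyed from the inside as
    (internal addr, internal port, external addr, external port)."""

    def __init__(self, server_ports=(25, 80, 443)):
        self.server_ports = set(server_ports)   # services internal clients may reach
        self.directory = set()

    def process(self, p: TcpPacket) -> str:
        outbound = ipaddress.ip_address(p.src) in INTERNAL_NET
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        if outbound and p.syn and not p.ack:
            # New connection: internal client (port > 1023) to an approved server port
            if p.dport in self.server_ports and p.sport > 1023:
                self.directory.add(key)
                return "permit"
            return "deny"
        if key not in self.directory:
            # Unsolicited traffic, e.g. an inbound segment aimed at a high-numbered port,
            # is dropped even though a plain packet filter would have to allow it.
            return "deny"
        if p.rst or p.fin:
            # Simplification: the first FIN or RST on either side closes the entry.
            self.directory.discard(key)
        return "permit"

    def active(self) -> int:
        return len(self.directory)
```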
Advantages Over Traditional Packet Filters
• Better Security:
o Only allows packets that are part of legitimate connections, reducing the risk of
unauthorized access.
• Context Awareness:
o Adds intelligence by using connection states and sequence numbers to make
decisions.
• Application Support:
o Can handle some application-specific data, improving security for specific protocols.
3. Application-Level Gateway
a) Definition and Purpose
• An Application-Level Gateway (ALG), also called an application proxy, acts as a relay for
application-level traffic.
• It facilitates secure communication between a user and a remote host by acting as an
intermediary.
b) Functionality
i. Initial Connection:
o The user contacts the gateway using a TCP/IP application like Telnet or FTP.
o The gateway prompts the user for the name of the remote host to be accessed.
ii. Authentication:
o The user provides a valid user ID and authentication information.
o The gateway verifies these credentials.
iii. Relay Process:
o The gateway establishes a connection with the application on the remote host.
o It relays TCP segments containing the application data between the two endpoints.
iv. Proxy Code Dependency:
o The gateway supports only applications for which it implements the proxy code.
o If a specific application is not supported, its traffic cannot be forwarded across the
firewall.
v. Feature-Specific Configuration:
o The gateway can be configured to permit only specific features of an application
deemed acceptable by the network administrator.
o All other features are denied.
Security Features
• Higher Security Compared to Packet Filters:
o Unlike packet filters, which operate at the TCP and IP level, ALGs operate at the
application level, scrutinizing only a few allowable applications.
• Feature-Specific Control:
o Only approved features of an application are supported, enhancing security.
• Traffic Monitoring:
o Easy to log and audit all incoming traffic at the application level, providing detailed
records of activity.
Limitations
• Processing Overhead:
o Each connection involves two spliced connections:
▪ One between the user and the gateway.
▪ Another between the gateway and the remote host.
o The gateway examines and forwards all traffic in both directions, adding significant
processing overhead.
4. Circuit-Level Gateway
Definition
• A Circuit-Level Gateway (also known as a circuit-level proxy) can function as a stand-alone
system or as a specialized function within an application-level gateway for specific
applications.
• It does not allow end-to-end TCP connections.
Functionality
i. Connection Setup:
o The gateway establishes two TCP connections:
▪ One between itself and a TCP user on an inner host.
▪ Another between itself and a TCP user on an outside host.
ii. Relaying TCP Segments:
o Once connections are established, the gateway relays TCP segments between the two
connections without examining the contents.
iii. Security Function:
o The gateway's primary security function is to determine which connections are allowed.
Typical Use
• Trust in Internal Users:
o Circuit-level gateways are commonly used when the system administrator trusts internal users.
• Inbound vs. Outbound Data Handling:
o The gateway can be configured to:
▪ Support application-level or proxy service for inbound connections (scrutinizing incoming data
for forbidden functions).
▪ Support circuit-level functions for outbound connections, avoiding the processing overhead of
examining outgoing data.
Example of Implementation
• SOCKS Package:
o A notable implementation of a circuit-level gateway is the SOCKS package.
o Version 5 of SOCKS is specified in RFC 1928, which defines SOCKS as follows:
▪ A protocol designed to provide a framework for client-server applications in both the TCP and
UDP domains.
▪ Enables secure and convenient use of network firewall services.
▪ Acts as a conceptual shim layer between the application layer and the transport layer.
▪ Does not provide network-layer gateway services, such as forwarding of ICMP messages.
Overview
A Circuit-Level Gateway establishes two TCP connections to relay segments between an internal and
external host, offering a secure connection while minimizing content inspection. It is ideal in trusted
environments and efficiently handles outbound connections without examining data, making it less
resource-intensive for certain applications.
SOCKS Protocol Components and Workflow
1. Components of SOCKS
• SOCKS Server:
o Typically runs on a UNIX-based firewall but is also implemented on Windows systems.
• SOCKS Client Library:
o Operates on internal hosts that are protected by the firewall.
• SOCKS-ified Client Programs:
o Standard programs like FTP and TELNET are adapted to work with SOCKS.
o Implementation involves:
▪ Recompilation or relinking of TCP-based client applications.
▪ Alternatively, using dynamically loaded libraries for proper encapsulation
through the SOCKS library.
2. Workflow of SOCKS Protocol
i. Client Connection Request:
o A TCP-based client determines if the desired connection requires a firewall traversal.
o The client then opens a TCP connection to the SOCKS port on the SOCKS server (default:
TCP port 1080).
ii. Authentication Negotiation:
o Upon connection, the client negotiates with the SOCKS server to determine the
authentication method to be used.
o The client then authenticates using the chosen method.
iii. Relay Request:
o After authentication, the client sends a relay request to the SOCKS server.
o The server evaluates the request and:
▪ Establishes the connection to the desired destination, OR
▪ Denies the request.
iv. Handling UDP:
o UDP exchanges follow a similar process:
▪ A TCP connection is first opened for user authentication.
▪ UDP segments are sent and received as long as the TCP connection remains
active.
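Steps ii and iii of the workflow (method negotiation and the relay request the server accepts or denies) as an added Python example; it is not code from the original notes or from any SOCKS implementation. The message layouts follow RFC 1928; the set of permitted destination ports and the all-zero bound address in the reply are assumptions.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def select_method(greeting: bytes, server_methods=(USER_PASS,)) -> bytes:
    """Step ii: parse the client greeting VER|NMETHODS|METHODS, answer VER|METHOD."""
    ver, nmethods = greeting[0], greeting[1]
    if ver != SOCKS_VERSION or len(greeting) != 2 + nmethods:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:2 + nmethods])
    for m in server_methods:                 # server preference order
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])   # client must close the connection

def parse_request(req: bytes):
    """Step iii: parse VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT into (cmd, host, port)."""
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or rsv != 0:
        raise ValueError("malformed request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:                # one length byte, then the name
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", rest[:2])  # network byte order
    return cmd, host, port

def evaluate_request(req: bytes, allowed_ports=(25, 80, 443)) -> bytes:
    """Server policy decision; reply is VER|REP|RSV|ATYP|BND.ADDR|BND.PORT."""
    cmd, host, port = parse_request(req)
    # Assumption: only CONNECT is offered and only a few destination ports are permitted.
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif port not in allowed_ports:
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCEEDED
    # BND.ADDR/BND.PORT are zero here; a real relay reports the socket it bound.
    return bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)
```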
Overview
The SOCKS protocol enables secure client-server communication through a firewall by utilizing a
SOCKS server, a client library, and modified client programs. The protocol establishes a connection,
negotiates authentication, and handles both TCP and UDP traffic effectively. It ensures the
forwarding of packets while maintaining control over access through its structured workflow.