Firewalls Group members: Yariq Hasan, Thomas Holloway, Xuemei Li List of Contents Definition of Firewalls Packet Filtering Firewalls Stateful Packet Filtering Firewalls Application Level Gateways 1. Firewall Definition Objectives: 1. Define firewall - 2. List the limitations of firewalls. 3. Distinguish between perimeter-based firewall and host-based firewall. Firewall is a network security device that is either a software program or a hardware or a combination of both. Firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and an untrusted outside network, such as the internet. Firewalls are often categorized as either perimeter-based firewalls or host-based firewalls. Perimeter-based firewalls filter traffic between two or more networks. Host-based firewalls provide a layer of software on a host that controls network traffic in and out of that single machine. See figures 1a and 1b. Firewall imposes restrictions on network services as only authorized traffic is allowed. Firewalls cannot protect against what has been authorized, internal threats and cannot fix poor security policies. By connecting to the internet, a user is vulnerable to hackers, a firewall is the barrier between the user and the internet as all information entering or leaving the network passes through the firewall. Internet firewall PC Figure 1A: Host-based firewall Internet firewall PC Figure 1B: Network-based firewall GI questions: 1. Is firewall a software or a hardware? Could it be a combination of both? A fire wall is a combination of software and hardware, ideally using both together will provide the most security for devices. 2. What data does the firewall monitor? A firewall is used to monitor outgoing and incoming network traffic so all data coming in and out from the network the firewall is on. 3. John have 5 PCs at home and he wants to protect all of them, what type of firewall should be used? A proxy firewall would work best so each device can still do everything on their own but the traffic incoming and outgoing will still be monitored on each device. 4. John has a laptop and uses it in different locations such as work, hotels and home. What type of firewall should be used? Packet filtering should be used because it works best with one computer going outward and if it is part of the hardware it will be able to easily travel with the device everywhere it goes. 5. In home network environment where you have 3 PCs with Ethernet connection, iPads and iPhones. Which of the following is best option to place the firewall: access point, one of the PCs, router, switch? The router would be the best spot for the firewall because that is where it can see all outgoing traffic most efficiently as well as limit the incoming traffic to all devices at the same time. 6. In the lab, one of the computers has been infected by a malware, do you think firewall can protect other computers in the lab? It depends on where the firewall is placed, if the firewall is on each individual computer then yes it can, however if the firewall was on the router then no because the malware already got passed the router. 2. Packet Filtering Firewall Objectives: 1. Explain how packet filtering firewall works. 2. Write a packet filtering firewall rule. Packet filtering firewall is the most basic firewall which examines data (TCP/UDP/IP headers) inside a packet to determine if that packet should be allowed or blocked. This firewall examines source and destination IP addresses and ports, it also looks at connection status to verify whether the packet is the first of the network session or part of live session. Please see figures 2a, 2b, 2c for IP header details. To accept or deny a packet, Packet filtering firewall follows set of rules based on network administrators requirements. Based on network administrator’s set of rules, packet filtering either accepts or denies the packet. Since packet filtering firewall is stateless which means it does not remember the state of the connection for previous packets, so it will apply the same rules for every packet during a connection. Also note that packet filtering firewalls do not examine the payload. Version IHL DSCP ECN Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Address Destination IP Address Options (if IHL>5) Figure 2A: IPv4 Header Format Source Port Destination Port Sequence Number Acknowledgment Number Offset Reserved Code Data Window Checksum Urgent Pointer Options Padding Optional data Figure 2B: part of TCP Header information Source Port Destination Port Length Checksum Optional data Figure 2C: part of UDP Header information Packet filtering firewall Rule Examples: Suppose you want to allow mail traffic (SMTP, port 25) from/to our gateway (GW) machine, the firewall rule is as follows (note: The “*” means “any”): Conceptual questions: 1. What does packet filtering firewall examine in a packet? In the OSI model's network layer (Layer 3), packet-filtering firewalls work. Firewalls with packet filtering make processing choices depending on protocols, ports, or network addresses. As a result, the source and destination IP addresses as well as source and destination ports are used by the packet filtering firewall to filter IP packets. 2. What does stateless firewall mean? Stateless firewalls utilize the source, goal, and other data in a information parcel to decide in the event that the information postures a risk. Directors or producers must enter these parameters in understanding with rules they have already built up. Thus The stateless firewall convention will recognize dangers and after that confine or piece the information carrying them at whatever point a information bundle goes astray from what is regarded worthy. 3. Does a packet filter examine the payload of a packet? The packet payload isn't inspected by parcel channels. They do not examined the truths; instep, they base their choices on what they discover. In the event that a bundle has already passed, they don't review it. To identify whether a association endeavor is pernicious, discussion streams cannot be recreated. As a result, it is challenging to halt an assault based on a bundle fracture plot employing a parcel channel alone. 4. A company has perimeter-based firewall and they authorized port #80, because they want to tell the world about the company but the company administrator wasn’t aware that they were using old version of webserver which has a Buffer Overflow bug. Can the firewall protect a hacker from the internet to exploit this bug? A buffer overflow powerlessness is generally simple to misuse. A buffer flood helplessness exists on the off chance that a program erroneously designates memory for client input or peruses information into that memory region in an hazardous way. A hacker can take advantage of this shortcoming by essentially giving the application more input than the designated buffer can handle. A division blame or other programming botch is most likely to result from flooding a buffer with irregular or futile information. In any case, since of the way the stack is set up, a intelligent buffer flood misuse can finish much more, giving the assailant control over the system's execution and the capacity to execute pernicious code. Application questions: 1. Write a rule to allow inbound mail (SMTP, port25) but only to our email server with IP address 192.168.0.25. action ourhost port theirhost port comment allow 192.168.0.2 5 25 * 25 Inbounded mail 2. Write a rule to block all traffic from IP address ranges from 123.45.67.1 to 123.45.67.255. action ourhost port theirhost port comment deny * * 123.45.67.1 * Block all traffic 3. Write a rule that any inside host can visit all secure webservers (note: The port number for secure web server is 443). action ourhost port theirhost port comment allow * 433 * 433 All secure web server 3. Stateful Packet-Filtering Firewall Objectives: 1. Describe a stateful firewall. 2. Compare stateful and stateless firewalls. A stateful firewall keeps track of the state of the connection and remembers previous packets. When a packet arrives the firewall checks if it belongs to previous connections the it will be allowed immediately; or if it is a new connection then the firewall matches it with administrator set of rules and decide whether to allow or deny the packet then saves some of its details such as IP address and port numbers. Figure 3 shows an example of stateful firewall. Figure 3: Stateful firewall example 1. What are the IP addresses of the client and server? Client - 192.168.51.50 Server- 172.16.3.4 2. What are the source IP, source port, destination IP and destination port of the first packet? Source Port: 3264 Source IP: 192.168.51.50 Destination Port: 1525 Destination IP: 172.16.3.4 3. Who sent the first packet? Client or server? Did the packet pass? To establish the connection with a server the client needs to first send a packet to the server. And yes the packet has passed there for the server responses is to send a response packet letting the client know its listening. 4. What are the source IP, source port, destination IP and destination port of the second packet? Find the matching numbers between packet 1 and packet 2. Source Port: 1525 Source IP: 172.16.3.4 Destination Port: 3254 Destination IP: 192.168.51.50 5. What are the source IP, source port, destination IP and destination port of the third packet? Find the matching and mismatching numbers between packet 1 and packet 3. Source Port: 1525 Source IP: 172.16.3.4 Destination Port: 2049 Destination IP: 192.168.51.50 6. Why was the last packet blocked? How did the firewall make this decision? Did the firewall have to remember the first packet? Because the firewall saw that the Destination port was different from the client port number hence the firewall was able to see this and able to block the new response. 7. Explain why stateful firewall require more resources compared to stateless. Stateful firewalls are adept at spotting illegal activity or faked communications. Key characteristics of network connections are retained by the strong memory. For proper communication, these firewalls only need a small number of ports open. Stateful firewalls provide extensive logging features and effective attack defense. Stateful firewalls are sophisticated systems that rely future filter decisions on the whole of previous and present discoveries. Hence it really needs a lot of resources to be able to make sure that it maintains a strong communication and safety. 4. Application Level Gateway Objectives: 1. Explain the concepts of application level gateway, DMZ, Bastion Host, and Honey pots. 2. Compare application level firewall and packet filtering firewall. Application-level gateway or proxy is a type of firewall that is capable of performing filtering at the application layer. It performs filtering based on the type of service (i.e TELNET, FTP, SMTP, HTTP, etc.). Figure 5 shows an application-level gateway connecting a host with computers in an organization. User requests service from application-level gateway, the gateway validates the request according to the application level protocol, if the request is validated then the application gateway processes the request and returns the results to the user. Figure 5: Application-level gateway 1. Can ICMP traffic go through the application-level gateway depicted in Figure 5? ICMP (Web Control Message Convention) (Web Control Message Convention) On an IP organize, ICMP may be a convention that conveys message control and educational messages from removed frameworks or doors. For occasion, the program PING utilizes ICMP parcels to check whether a far off have at a particular IP address is reachable (or "seen") from the neighborhood have. 2. Can HTTPS traffic go through the application-level gateway depicted in Figure 5? If no, how can you make it go through the firewall. I believe it cant because HTTPS are secure webpages hence it being secure its already monitored and certified that of being a safe website hence it will not be able to bring any malicious attack to the application gateway level. 3. Discuss the advantages and disadvantages of application-level proxy compared with packet filtering firewall. The application layer firewall takes into consideration the nature of the applications being run (the type, timing of the network connection requests, the type and nature of the traffic generated) whereas the packet filtering firewall simply looks at the packets as they are transferred. - The application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a request. Bastion Host is a highly-secured system that is potentially exposed to hostile elements. It is secured to withstand attacks. Bastion Host may support two or more network connections and may be trusted to enforce separation between network connections. A bastion host runs circuit / application level gateways, or provides externally accessible services. What is DMZ (demilitarized zone): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. Honeypots are baiting systems designed to lure potential attackers away from critical systems. They can be connected to form a honey net. A h oneypot consists of data that appears to be a legitimate part of the critical system, but is actually isolated and monitored. Figures 6-A, 6-B, and 6-C show different configurations of firewall systems. DMZ Figure 6-A: Single-homed firewall system Figure 6-B: Dual-homed firewall system Figure 6-C: Screened-subnet firewall system 1. Figure 6-A shows the computers included in DMZ. Follow this example, and draw a circle in dash line in Figure 6-B and Figure 6-C that includes all computers in the DMZ. Per DMZ definition, the area highlighted has direct access to networks or through Bastion host. So they are in DMZ. 2. Which of the computers in Figure 6-B should install application-level gateway? Explain your answer. The bastion host should install an application-level gateway. It is a system identified by the firewall administrator as a critical strong point in the network’s security. It operates at the application level. Multiple application gateways can run on the same host, but each gateway is a separate server with its own processes. 3. Explain why Figure 6-C is more secure than Figure 6-B. It created an isolated subnet networks with below advantages: – Three levels of defense to thwart intruders – The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet). 4. What is the purpose of honeypots? Honeypots are used to capture information from unauthorized intruders that are tricked into accessing them because they appear to be a legitimate part of the network. 5. If we want to put Honey-pot in Figure 6-C, where should it be put? Honey-pot is a fake network. After each packet filter, we added a honey-pot to lure the intruder. 6. Explain why bastion host needs to be highly secured by system administrators compared to other computers in the private networks. A bastion host is a computer on a network specifically built to withstand attacks. It usually has a single application on it (like a proxy server) to minimize the threat of an attack. The Bastion hosts are used in cloud environments as a server to provide access to a private network from an external network such as the Internet. Since it is exposed to potential attack, a Bastion host must be protected against the chances of penetration and needs to be highly secured by system administrators.
