Uploaded by Yariq Hasan

newfirewall assignment

Firewalls
Group members: Yariq Hasan, Thomas Holloway, Xuemei Li
List of Contents
– Definition of Firewalls
– Packet Filtering Firewalls
– Stateful Packet Filtering Firewalls
– Application Level Gateways
1. Firewall Definition
Objectives:
1. Define firewall.
2. List the limitations of firewalls.
3. Distinguish between perimeter-based firewall and host-based firewall.
A firewall is a network security device that is either a software program, a hardware
appliance, or a combination of both. A firewall monitors and controls incoming and
outgoing network traffic based on predetermined security rules. A firewall typically
establishes a barrier between a trusted, secure internal network and an untrusted outside
network, such as the internet. Firewalls are often categorized as either perimeter-based
firewalls or host-based firewalls. Perimeter-based firewalls filter traffic between two or
more networks. Host-based firewalls provide a layer of software on a host that controls
network traffic in and out of that single machine. See figures 1a and 1b. A firewall
imposes restrictions on network services: only authorized traffic is allowed. Firewalls
cannot protect against traffic that has been authorized or against internal threats, and
they cannot fix poor security policies. A user who connects to the internet is exposed to
hackers; the firewall is the barrier between the user and the internet, since all
information entering or leaving the network passes through it.
Figure 1A: Host-based firewall (diagram: Internet – firewall – PC)
Figure 1B: Network-based firewall (diagram: Internet – firewall – PC)
GI questions:
1. Is a firewall software or hardware? Could it be a combination of both?
A firewall is a combination of software and hardware; ideally, using both together
will provide the most security for devices.
2. What data does the firewall monitor?
A firewall is used to monitor outgoing and incoming network traffic, so all data
coming in and out of the network the firewall is on.
3. John has 5 PCs at home and he wants to protect all of them. What type of firewall
should be used?
A proxy firewall would work best, so each device can still do everything on its
own while incoming and outgoing traffic is still monitored on each device.
4. John has a laptop and uses it in different locations such as work, hotels and home.
What type of firewall should be used?
Packet filtering should be used because it works best with one computer going
outward, and if it is part of the hardware it will be able to travel easily with the
device everywhere it goes.
5. In a home network environment where you have 3 PCs with Ethernet connections,
iPads and iPhones, which of the following is the best option to place the firewall: access
point, one of the PCs, router, switch?
The router would be the best spot for the firewall because that is where it can see
all outgoing traffic most efficiently, as well as limit the incoming traffic to all
devices at the same time.
6. In the lab, one of the computers has been infected by malware. Do you think a firewall
can protect the other computers in the lab?
It depends on where the firewall is placed: if the firewall is on each individual
computer then yes, it can; however, if the firewall is on the router then no,
because the malware has already got past the router.
2. Packet Filtering Firewall
Objectives:
1. Explain how packet filtering firewall works.
2. Write a packet filtering firewall rule.
A packet filtering firewall is the most basic firewall. It examines the header data
(TCP/UDP/IP headers) of a packet to determine whether that packet should be allowed or
blocked. This firewall examines source and destination IP addresses and ports; it also
looks at connection status to verify whether the packet is the first of a network session
or part of a live session. Please see figures 2a, 2b, 2c for IP header details.
To accept or deny a packet, a packet filtering firewall follows a set of rules based on the
network administrator's requirements. Based on the administrator's set of rules, the
packet filter either accepts or denies the packet. Since a packet filtering firewall is
stateless, meaning it does not remember the state of the connection for previous packets,
it applies the same rules to every packet during a connection. Also note that packet
filtering firewalls do not examine the payload.
Figure 2A: IPv4 Header Format (fields, one row per 32-bit word)
  Version | IHL | DSCP | ECN | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  Options (if IHL > 5)
Figure 2B: part of the TCP Header information
  Source Port | Destination Port
  Sequence Number
  Acknowledgment Number
  Data Offset | Reserved | Code | Window
  Checksum | Urgent Pointer
  Options | Padding
  Optional data
Figure 2C: part of the UDP Header information
  Source Port | Destination Port
  Length | Checksum
  Optional data
Packet filtering firewall rule examples:
Suppose you want to allow mail traffic (SMTP, port 25) from/to our gateway (GW)
machine; the firewall rule is as follows (note: "*" means "any"):
Conceptual questions:
1. What does a packet filtering firewall examine in a packet?
Packet-filtering firewalls work at the network layer (Layer 3) of the OSI model.
Firewalls with packet filtering make processing decisions depending on protocols,
ports, or network addresses. As a result, the source and destination IP addresses
as well as the source and destination ports are used by the packet filtering firewall
to filter IP packets.
2. What does stateless firewall mean?
Stateless firewalls use the source, destination, and other data in a data packet
to decide whether the data poses a risk. Administrators or manufacturers
must enter these parameters in accordance with rules they have already
established. Thus the stateless firewall will recognize threats and then
restrict or block the data carrying them whenever a data packet deviates from
what is considered acceptable.
3. Does a packet filter examine the payload of a packet?
The packet payload isn't inspected by packet filters. They do not examine the
facts; instead, they base their decisions on what they find. If a packet has
already passed, they don't review it. To identify whether a connection attempt
is malicious, conversation flows cannot be reconstructed. As a result, it is
difficult to stop an attack based on a packet fragmentation scheme using a packet
filter alone.
4. A company has a perimeter-based firewall and they authorized port 80 because they
want to tell the world about the company, but the company administrator wasn't aware
that they were using an old version of a web server which has a buffer overflow bug. Can
the firewall protect against a hacker from the internet exploiting this bug?
A buffer overflow vulnerability is generally simple to exploit. A buffer overflow
vulnerability exists if a program incorrectly allocates memory for user input or
reads data into that memory region in an unsafe way. A hacker can take advantage
of this weakness by simply giving the application more input than the allocated
buffer can handle. A segmentation fault or other program crash is the most likely
result of flooding a buffer with random or useless data. However, because of the way
the stack is set up, a carefully built buffer overflow exploit can accomplish much
more, giving the attacker control over the system's execution and the ability to
execute malicious code.
Application questions:
1. Write a rule to allow inbound mail (SMTP, port 25) but only to our email server with
IP address 192.168.0.25.
action | ourhost      | port | theirhost | port | comment
allow  | 192.168.0.25 | 25   | *         | 25   | Inbound mail
2. Write a rule to block all traffic from the IP address range 123.45.67.1 to
123.45.67.255.
action | ourhost | port | theirhost   | port | comment
deny   | *       | *    | 123.45.67.1 | *    | Block all traffic
3. Write a rule that any inside host can visit all secure web servers (note: the port
number for a secure web server is 443).
action | ourhost | port | theirhost | port | comment
allow  | *       | 433  | *         | 433  | All secure web servers
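The following is an added example, not part of the original assignment, showing how a stateless packet filter evaluates a rule table of the shape used above (action | ourhost | port | theirhost | port | comment, with "*" meaning "any"). It encodes the three application-question rules in a working form: the blocked range is written as the network 123.45.67.0/24, the mail rule leaves the remote port as "*" because a sending client's source port is ephemeral, and the secure-web rule uses destination port 443 as the question states. Rule order, default deny, and the fact that the filter neither remembers earlier packets nor reads the payload are the points the packet filtering section makes; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a stateless packet filter in the style of the rule table
# used above (action | ourhost | port | theirhost | port | comment).
# "*" means "any"; a host field may also be a single IP or a CIDR network.


@dataclass(frozen=True)
class Packet:
    """Header fields seen from the inside network's point of view."""
    ourhost: str
    ourport: int
    theirhost: str
    theirport: int
    payload: bytes = b""  # carried along only to show the filter never reads it


# Rules are evaluated top to bottom; the first match decides, so the deny for
# 123.45.67.1-255 is placed before the allows that could otherwise let it in.
RULES = [
    ("deny",  "*",            "*", "123.45.67.0/24", "*", "Block all traffic from 123.45.67.1-255"),
    ("allow", "192.168.0.25", 25,  "*",              "*", "Inbound mail to our SMTP server only"),
    ("allow", "*",            "*", "*",              443, "Any inside host to any secure web server"),
]


def host_matches(spec, ip):
    """'*' matches anything; otherwise the address must fall in the given host/network."""
    if spec == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "*" or spec == port


def rule_matches(rule, pkt):
    _, ourhost, ourport, theirhost, theirport, _ = rule
    return (host_matches(ourhost, pkt.ourhost)
            and port_matches(ourport, pkt.ourport)
            and host_matches(theirhost, pkt.theirhost)
            and port_matches(theirport, pkt.theirport))


def decide(pkt, rules=RULES):
    """Return (action, comment) for one packet. No memory of earlier packets and
    no look at the payload: the same rules are applied to every packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0], rule[5]
    return "deny", "default deny: no rule matched"


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.168.0.25", 25, "203.0.113.9", 51234),     # mail to our server
        Packet("192.168.0.25", 25, "123.45.67.200", 51234),   # mail, but from the blocked range
        Packet("10.0.0.7", 40000, "198.51.100.4", 443),       # inside host to HTTPS
        Packet("10.0.0.7", 40000, "198.51.100.4", 80),        # inside host to plain HTTP
        Packet("10.0.0.7", 40000, "198.51.100.4", 443, b"payload is never examined"),
    ]
    for p in samples:
        print(p.ourhost, p.ourport, p.theirhost, p.theirport, "->", decide(p))
```

Swapping the first two rules would let the blocked range reach the mail server, which is why a packet filter rule set must be read as an ordered list, not a set. The last sample shows that whatever the payload carries, the decision is identical.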
3. Stateful Packet-Filtering Firewall
Objectives:
1. Describe a stateful firewall.
2. Compare stateful and stateless firewalls.
A stateful firewall keeps track of the state of the connection and remembers previous
packets. When a packet arrives, the firewall checks whether it belongs to a previous
connection; if so, it is allowed immediately. If it is a new connection, the firewall
matches it against the administrator's set of rules and decides whether to allow or deny
the packet, then saves some of its details such as IP addresses and port numbers. Figure 3
shows an example of a stateful firewall.
Figure 3: Stateful firewall example
1. What are the IP addresses of the client and server?
Client - 192.168.51.50
Server - 172.16.3.4
2. What are the source IP, source port, destination IP and destination port of the
first packet?
Source Port: 3264
Source IP: 192.168.51.50
Destination Port: 1525
Destination IP: 172.16.3.4
3. Who sent the first packet? Client or server? Did the packet pass?
To establish the connection with a server, the client needs to first send a
packet to the server. And yes, the packet passed; therefore the server's
response is to send a response packet letting the client know it is listening.
4. What are the source IP, source port, destination IP and destination port of the second
packet? Find the matching numbers between packet 1 and packet 2.
Source Port: 1525
Source IP: 172.16.3.4
Destination Port: 3254
Destination IP: 192.168.51.50
5. What are the source IP, source port, destination IP and destination port of the third
packet? Find the matching and mismatching numbers between packet 1 and packet 3.
Source Port: 1525
Source IP: 172.16.3.4
Destination Port: 2049
Destination IP: 192.168.51.50
6. Why was the last packet blocked? How did the firewall make this decision? Did the
firewall have to remember the first packet?
Because the firewall saw that the destination port was different from the client's
port number; hence the firewall was able to see this and block the new
response.
7. Explain why a stateful firewall requires more resources compared to a stateless one.
Stateful firewalls are adept at spotting illegal activity or faked communications.
Key characteristics of network connections are retained in memory.
For proper communication, these firewalls only need a small number of ports
open. Stateful firewalls provide extensive logging features and effective attack
defense. Stateful firewalls are sophisticated systems that base future filter
decisions on the whole of previous and present discoveries. Hence it needs
a lot of resources to make sure that it maintains strong
communication and safety.
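As an added example (not part of the original assignment), the state table that the stateful firewall section and questions 3 to 6 describe can be written as a small simulator: a new connection is checked against the rules and, if allowed, its addresses and ports are saved; later packets in either direction of a saved connection pass without consulting the rules; a packet that matches no saved connection and no rule is dropped. The packet sequence is constructed and patterned on Figure 3 (client 192.168.51.50, server 172.16.3.4 port 1525); the reply port 3264 is chosen to match the first packet's source port, and the inside network and allowed server port are assumptions of the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example of a stateful packet filter: a state table remembers the
# 4-tuple of every connection that a rule allowed, and later packets of that
# connection (in either direction) are passed without consulting the rules.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, inside_net, allowed_server_ports):
        self.inside_net = ipaddress.ip_network(inside_net)
        # assumed rule set: inside hosts may open connections to these server ports
        self.allowed_server_ports = set(allowed_server_ports)
        # state table: saved IP addresses and port numbers of allowed connections
        self.state = set()

    def decide(self, p):
        forward = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if forward in self.state or reverse in self.state:
            return "allow", "belongs to a remembered connection"
        # not remembered: treat as a new connection and apply the rules
        if (ipaddress.ip_address(p.src_ip) in self.inside_net
                and p.dst_port in self.allowed_server_ports):
            self.state.add(forward)
            return "allow", "new connection matched a rule; state saved"
        return "deny", "no matching state and no rule allows a new connection"


# Constructed packet sequence patterned on Figure 3. The third packet comes from
# the same server but targets a client port that no saved connection uses.
FIGURE3_PACKETS = [
    Packet("192.168.51.50", 3264, "172.16.3.4", 1525),   # 1: client -> server
    Packet("172.16.3.4", 1525, "192.168.51.50", 3264),   # 2: server's reply
    Packet("172.16.3.4", 1525, "192.168.51.50", 2049),   # 3: server -> unknown port
]


def run_trace(packets=FIGURE3_PACKETS):
    """Feed the packets through a fresh firewall and return the decision list."""
    fw = StatefulFirewall("192.168.51.0/24", allowed_server_ports={1525})
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall("192.168.51.0/24", allowed_server_ports={1525})
    for n, p in enumerate(FIGURE3_PACKETS, 1):
        print(f"packet {n}: {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}", fw.decide(p))
```

The third packet is refused without any rule naming port 2049: the decision comes entirely from the absence of a state table entry, which is the memory of the first packet that a stateless filter does not have. That per-connection memory (and its lookup on every packet) is also the resource cost question 7 refers to.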
4. Application Level Gateway
Objectives:
1. Explain the concepts of application level gateway, DMZ, Bastion Host, and
Honey pots.
2. Compare application level firewall and packet filtering firewall.
An application-level gateway or proxy is a type of firewall that is capable of performing
filtering at the application layer. It performs filtering based on the type of service (e.g.
TELNET, FTP, SMTP, HTTP, etc.). Figure 5 shows an application-level gateway
connecting a host with computers in an organization. The user requests a service from
the application-level gateway; the gateway validates the request according to the
application-level protocol, and if the request is validated, the application gateway
processes the request and returns the results to the user.
Figure 5: Application-level gateway
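The validation step just described, as an added example that is not part of the original assignment: an application-level gateway for HTTP parses each request the way the HTTP protocol defines it and forwards only what passes. The allowed methods, hosts and versions are assumptions for the demo, and the sample requests are constructed. Because the gateway understands only HTTP text, input that is not HTTP (here the first bytes of a TLS ClientHello, which is what an HTTPS client sends) is refused at the application layer rather than forwarded.

```python
# Constructed example of the validation step of an application-level gateway for
# HTTP. The allow-lists below are assumptions for the demo.

MAX_HEADER_BYTES = 8192
ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # CONNECT, PUT, ... are refused
ALLOWED_HOSTS = {"www.example.com"}               # only this server may be reached
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def validate_http_request(raw: bytes):
    """Return (True, normalized request line) if the request may be forwarded,
    else (False, reason). Anything that is not well-formed HTTP is refused, so a
    TLS handshake or a non-HTTP protocol never passes this gateway."""
    if len(raw) > MAX_HEADER_BYTES:
        return False, "request headers too large"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "not an HTTP request (non-ASCII bytes)"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "incomplete request: no end of headers"
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if version not in ALLOWED_VERSIONS:
        return False, f"unsupported version {version}"
    if not target.startswith("/"):
        return False, "only origin-form request targets are accepted"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return False, f"malformed header line: {line!r}"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not permitted"
    return True, f"{method} {target} {version} -> {host}"


# Constructed sample inputs
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CONNECT_REQUEST = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
OTHER_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
# first bytes of a TLS ClientHello record: what an HTTPS client sends instead of HTTP text
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xf8\x01\x00\x00\xf4\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    for sample in (GOOD_REQUEST, CONNECT_REQUEST, OTHER_HOST, TLS_CLIENT_HELLO):
        print(sample[:24], "->", validate_http_request(sample))
```

A packet filter deciding on the same traffic would see only addresses and port 80 and could not tell these four inputs apart; the gateway's decision depends on the content of the request, which is the difference the comparison question below is about.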
1. Can ICMP traffic go through the application-level gateway depicted in Figure 5?
ICMP (Internet Control Message Protocol): On an IP network, ICMP is a protocol
that carries control messages and informational messages from remote systems or
gateways. For example, the program PING uses ICMP packets to check whether a
remote host at a particular IP address is reachable (or "seen") from the local
host.
2. Can HTTPS traffic go through the application-level gateway depicted in Figure 5? If
not, how can you make it go through the firewall?
I believe it can't because HTTPS are secure webpages; hence, it being secure,
it's already monitored and certified as being a safe website, hence it will
not be able to bring any malicious attack to the application gateway level.
3. Discuss the advantages and disadvantages of an application-level proxy compared
with a packet filtering firewall.
The application layer firewall takes into consideration the nature of the
applications being run (the type and timing of the network connection
requests, the type and nature of the traffic generated), whereas the
packet filtering firewall simply looks at the packets as they are
transferred. The application firewall is also known as a proxy server,
since it runs special software that acts as a proxy for a request.
A bastion host is a highly secured system that is potentially exposed to hostile elements.
It is secured to withstand attacks. A bastion host may support two or more network
connections and may be trusted to enforce separation between network connections. A
bastion host runs circuit-level or application-level gateways, or provides externally
accessible services.
What is a DMZ (demilitarized zone): a physical or logical subnetwork that contains and
exposes an organization's external-facing services to an untrusted network. The
purpose of a DMZ is to add an additional layer of security to an organization's local
area network (LAN); an external network node can access only what is exposed in the
DMZ, while the rest of the organization's network is firewalled.
Honeypots are baiting systems designed to lure potential attackers away from critical
systems. They can be connected to form a honeynet. A honeypot consists of data that
appears to be a legitimate part of the critical system, but is actually isolated and
monitored.
Figures 6-A, 6-B, and 6-C show different configurations of firewall systems.
Figure 6-A: Single-homed firewall system (DMZ marked in the figure)
Figure 6-B: Dual-homed firewall system
Figure 6-C: Screened-subnet firewall system
1. Figure 6-A shows the computers included in the DMZ. Following this example, draw
a dashed circle in Figure 6-B and Figure 6-C that includes all computers in the
DMZ.
Per the DMZ definition, the highlighted area has direct access to the networks, either
directly or through the bastion host, so those computers are in the DMZ.
2. Which of the computers in Figure 6-B should install an application-level gateway?
Explain your answer.
The bastion host should install an application-level gateway. It is a system
identified by the firewall administrator as a critical strong point in the network’s
security. It operates at the application level. Multiple application gateways can run
on the same host, but each gateway is a separate server with its own processes.
3. Explain why Figure 6-C is more secure than Figure 6-B.
It creates an isolated subnet network with the following advantages:
– Three levels of defense to thwart intruders.
– The outside router advertises only the existence of the screened subnet to
the Internet (the internal network is invisible to the Internet).
– The inside router advertises only the existence of the screened subnet to the
internal network (the systems on the inside network cannot construct direct
routes to the Internet).
4. What is the purpose of honeypots?
Honeypots are used to capture information from unauthorized intruders that are
tricked into accessing them because they appear to be a legitimate part of the
network.
5. If we want to put a honeypot in Figure 6-C, where should it be put?
A honeypot is a fake network. After each packet filter, we added a honeypot to lure
the intruder.
6. Explain why a bastion host needs to be highly secured by system administrators
compared to other computers in the private networks.
A bastion host is a computer on a network specifically built to withstand attacks.
It usually has a single application on it (like a proxy server) to minimize the threat
of an attack. Bastion hosts are used in cloud environments as a server to
provide access to a private network from an external network such as the Internet.
Since it is exposed to potential attack, a bastion host must be protected against
the chances of penetration and needs to be highly secured by system
administrators.