Understanding Firewalls
COSC541 Networks Final Paper
Instructor: Dr.Mort Anvari
Name: Jiang Long
Student ID: 123017
Date: Spring 2002
I hereby sincerely thank Dr.Mort Anvari for
his great work in teaching cosc541
Contents:
1. Introduction
2. What’s a network firewall
3. Why need a firewall
4. Weakness of firewalls
5. Several types of firewall techniques
6. Policy considerations
7. Making firewalls fit
8. Firewall Configurations
9. Conclusion
10. References
1. Introduction
With the rapid growth of the Internet, network security has become a central concern.
The Internet has made large amounts of information available to the average computer
user at home, in business and in education. For many people, having access to this
information is no longer just an advantage; it is essential. Yet connecting a private
network to the Internet can expose critical or confidential data to malicious attack from
anywhere in the world. Users who connect their computers to the Internet must be aware
of these dangers, their implications and how to protect their data and their critical
systems.
The most important tool for protecting a corporate network from Internet intrusions is a
firewall -- an intelligent device that controls traffic between two or more networks for
security purposes.
The term "fire wall" originally meant, and still means, a fireproof wall intended to
prevent the spread of fire from one room or area of a building to another. In a car a
firewall is the metal wall separating the engine and passenger compartments. The Internet
is a volatile and unsafe environment when viewed from a computer-security perspective,
therefore "firewall" is an excellent metaphor for network security.
In computer networking, the term firewall is not merely descriptive of a general idea. It
has come to mean some very precise things.
2. What’s a network firewall
Figure 2.1 Firewall
A network firewall is a system or group of systems that enforces an access control policy
between two networks. The actual means by which this is accomplished varies widely, but in
principle the firewall can be thought of as a pair of mechanisms: one that exists to
block traffic, and another that exists to permit traffic. Some firewalls place a greater
emphasis on blocking traffic, while others emphasize permitting traffic.
Generally, a network firewall system is designed to prevent unauthorized access to or
from a private network and can be implemented in hardware, in software, or in a
combination of both. Firewalls are frequently used to prevent unauthorized Internet users
from accessing private networks connected to the Internet, especially intranets.
3. Why need a firewall
The Internet, like any other society, is plagued with the kind of jerks who enjoy the
electronic equivalent of writing on other people's walls with spray-paint, tearing their
mailboxes off, or just sitting in the street blowing their car horns. Some people try to get
real work done over the Internet, and others have sensitive or proprietary data they must
protect. Usually, a firewall's purpose is to keep the jerks out of your network while still
letting you get your job done.
Some firewalls permit only email traffic through them, thereby protecting the network
against any attacks other than attacks against the email service. Other firewalls provide
less strict protections, and block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated interactive logins
from the "outside" world. This, more than anything, helps prevent vandals from logging
into machines on your network. More elaborate firewalls block traffic from the outside to
the inside, but permit users on the inside to communicate freely with the outside. The
firewall can protect you against any type of network-borne attack if you unplug it.
Firewalls are also important since they can provide a single "choke point" where security
and audit can be imposed. Unlike in a situation where a computer system is being
attacked by someone dialing in with a modem, the firewall can act as an effective "phone
tap" and tracing tool. Firewalls provide an important logging and auditing function; often
they provide summaries to the administrator about the kinds and amount of traffic that
passed through the firewall, how many attempts there were to break into it, and so on.
This is an important point: providing this "choke point" can serve the same purpose on
your network as a guarded gate does for your site's physical premises. That means that any
time you have a change in "zones" or levels of sensitivity, such a checkpoint is appropriate. A
company rarely has only an outside gate and no receptionist or security staff to check
badges on the way in. If there are layers of security at your site, it is reasonable to expect
layers of security on your network.
Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many
corporations use their firewall systems as a place to store public information about
corporate products and services, files to download, bug-fixes, and so forth. Several of
these systems have become important parts of the Internet service structure (e.g.
UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their
organizational sponsors.
4. Weakness of Firewalls
Firewalls are often regarded as the only line of defense needed to secure our information
systems. A firewall is a device that controls what gets into and what comes out of our network.
Unfortunately, a firewall also has its weaknesses if it is not installed properly and if we don't
implement an appropriate security policy.
Firewalls can't protect against attacks that don't go through the firewall.
Many corporations that connect to the Internet are very concerned about proprietary data
leaking out of the company through that route. Unfortunately for those concerned, a
magnetic tape can just as effectively be used to export data. Many organizations that are
terrified (at a management level) of Internet connections have no coherent policy about
how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel
door when you live in a wooden house, but there are a lot of organizations out there
buying expensive firewalls and neglecting the numerous other back-doors into their
network. For a firewall to work, it must be a part of a consistent overall organizational
security architecture. Firewall policies must be realistic and reflect the level of security in
the entire network. For example, a site with top secret or classified data doesn't need a
firewall at all: they shouldn't be hooking up to the Internet in the first place, or the
systems with the really secret data should be isolated from the rest of the corporate
network.
A firewall can't really protect you against traitors or idiots inside your network.
While an industrial spy might export information through your firewall, he's just as likely
to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far
more likely means for information to leak from your organization than a firewall!
Firewalls also cannot protect you against stupidity. Users who reveal sensitive
information over the telephone are good targets for social engineering; an attacker may
be able to break into your network by completely bypassing your firewall, if he can find a
"helpful" employee inside who can be fooled into giving access to a modem pool. Before
deciding this isn't a problem in your organization, ask yourself how much trouble a
contractor has getting logged into the network, or how much difficulty a user who forgot
his password has getting it reset. If the people on the help desk believe that every call is
internal, you have a problem.
Firewalls can't protect against tunneling over most application protocols to trojaned or
poorly written clients. There are no magic bullets, and a firewall is not an excuse to not
implement software controls on internal networks or to ignore host security on servers.
Tunneling "bad" things over HTTP, SMTP, and other protocols is quite simple and
trivially demonstrated. Security isn't "fire and forget".
Lastly, firewalls can't protect very well against things like viruses. There are too many
ways of encoding binary files for transfer over networks, and too many different
architectures and viruses to try to search for them all. In other words, a firewall cannot
replace security-consciousness on the part of your users. In general, a firewall cannot
protect against a data-driven attack: an attack in which something is mailed or copied to an
internal host where it is then executed. This form of attack has occurred in the past
against various versions of sendmail, ghostscript, and scripting mail user agents like
Outlook.
5. Several types of firewall techniques:
Packet Filtering:
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited
size, kept small for easy handling. When larger amounts of continuous data must be sent,
the data is broken up into numbered packets for transmission and reassembled at the receiving
end. All your file downloads, Web page retrievals, emails -- all these Internet
communications always occur in packets.
A packet is basically a series of digital numbers, which conveys these things:
• The data, acknowledgment, request or command from the originating system
• The source IP address and port
• The destination IP address and port
• Information about the protocol (set of rules) by which the packet is to be handled
• Error checking information
• Usually, some sort of information about the type and status of the data being sent
• Often, a few other things too, which don't matter for our purposes here.
In packet filtering, only the protocol and the address information of each packet is
examined. Its contents and context (its relation to other packets and to the intended
application) are ignored. The firewall pays no attention to applications on the host or
local network and it "knows" nothing about the sources of incoming data.
Filtering consists of examining incoming or outgoing packets and allowing or
disallowing their transmission or acceptance on the basis of a set of configurable rules,
called policies.
Packet filtering policies may be based upon any of the following:
• Allowing or disallowing packets on the basis of the source IP address
• Allowing or disallowing packets on the basis of their destination port
• Allowing or disallowing packets according to protocol
This is the original and most basic type of firewall.
Packet filtering alone is very effective as far as it goes, but it is not foolproof security. It
can potentially block all traffic, which in a sense is absolute security. But for any useful
networking to occur, it must of course allow some packets to pass. Its weaknesses are:
• Address information in a packet can potentially be falsified or "spoofed" by the
sender, and a filter that looks only at addresses has no way to tell.
• The data or requests contained in allowed packets may ultimately cause unwanted
things to happen, as where a hacker may exploit a known bug in a targeted Web
server program to make it do his bidding, or use an ill-gotten password to gain
control or access.
An advantage of packet filtering is its relative simplicity and ease of implementation.
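As an added example (not code from this paper), the following Python models a packet filter that decides on protocol, address and port alone and shows the spoofing weakness just listed: a policy that trusts internal source addresses regardless of where a packet arrived lets a forged packet through, while the same policy with an anti-spoofing rule on the outside interface drops it. The network 10.0.0.0/8, the interface names and the sample packets are constructed for the example.

```python
# Added example (not code from the paper): a stateless packet filter that
# decides on protocol and address information alone, plus the spoofing weakness.
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # source IP address as written in the header (may be forged)
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    iface: str    # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR network; None matches any source
    dport: Optional[int] = None  # destination port; None matches any port
    iface: Optional[str] = None  # arrival interface; None matches any

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


INTERNAL = "10.0.0.0/8"  # constructed: the private network behind the firewall

# Naive policy: trusts any packet whose source address is internal, wherever it
# arrived. The filter "knows nothing about the sources", so a forged internal
# address on the outside interface is enough to get through.
NAIVE_POLICY = [
    Rule("allow", proto="tcp", dport=25),   # mail may come in from anywhere
    Rule("allow", proto="tcp", dport=80),   # web may come in from anywhere
    Rule("allow", src=INTERNAL),            # "our own machines" may do anything
    Rule("deny"),                           # default deny
]

# Hardened policy: same intent, but an internal source address is only believed
# on the inside interface and is dropped outright when seen from outside.
HARDENED_POLICY = [
    Rule("deny", src=INTERNAL, iface="outside"),   # anti-spoofing rule
    Rule("allow", proto="tcp", dport=25),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", src=INTERNAL, iface="inside"),
    Rule("deny"),
]


def filter_packet(p: Packet, policy) -> str:
    """First matching rule wins; the trailing Rule("deny") supplies the default."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed packets: a mail delivery from outside, an inside host browsing out,
# and an outside packet forging an internal source to reach telnet (port 23).
MAIL_IN = Packet("tcp", "203.0.113.5", "10.0.0.2", 40000, 25, "outside")
WEB_OUT = Packet("tcp", "10.0.0.7", "198.51.100.9", 51000, 80, "inside")
SPOOFED = Packet("tcp", "10.0.0.9", "10.0.0.2", 40001, 23, "outside")

if __name__ == "__main__":
    for name, p in [("mail in", MAIL_IN), ("web out", WEB_OUT), ("spoofed", SPOOFED)]:
        print(f"{name:8s} naive={filter_packet(p, NAIVE_POLICY):5s} "
              f"hardened={filter_packet(p, HARDENED_POLICY)}")
```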
Application-level gateway:
In this approach, the firewall goes still further in its regulation of traffic.
The application-level gateway acts as a proxy for applications, performing all data
exchanges with the remote system on their behalf. This can render a computer behind the
firewall all but invisible to the remote system.
It can allow or disallow traffic according to very specific rules, for instance permitting
some commands to a server but not others, limiting file access to certain types, varying
rules according to authenticated users and so forth. This type of firewall may also
perform very detailed logging of traffic and monitoring of events on the host system, and
can often be instructed to sound alarms or notify an operator under defined conditions.
Application-level gateways are generally regarded as the most secure type of firewall.
They certainly have the most sophisticated capabilities.
A disadvantage is that setup may be very complex, requiring detailed attention to the
individual applications that use the gateway.
An application gateway is normally implemented on a separate computer on the network
whose primary function is to provide proxy service.
Circuit-level gateway:
This type of firewall has also been called a "stateful inspection" firewall or a "circuit
relay". It applies security mechanisms when a TCP or UDP connection is established.
Once the connection has been made, packets can flow between the hosts without further
checking.
This firewall approach validates connections before allowing data to be exchanged. What
this means is that the firewall doesn't simply allow or disallow packets but also
determines whether the connection between both ends is valid according to configurable
rules, then opens a session and permits traffic only from the allowed source and possibly
only for a limited period of time. Whether a connection is valid may, for example, be
based upon:
• destination IP address and/or port
• source IP address and/or port
• time of day
• protocol
• user
• password
Every session of data exchange is validated and monitored, and all traffic is disallowed
unless a session is open.
Circuit-level filtering takes control a step further than a packet filter. Among the
advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple
and exploitable UDP protocol, in which the source address is never validated as a
function of the protocol. IP spoofing can be rendered much more difficult.
A disadvantage is that circuit-level filtering operates at the transport layer and may
require substantial modification of the programming which normally provides transport
functions (e.g. Winsock).
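As an added example (not code from this paper), this Python gateway applies the connection rules above once, when a session is opened (source network, destination port, time of day), keeps a session table so that the reply direction passes without re-checking, refuses packets that belong to no open session, and closes a session after an idle period. The addresses, ports, business hours and idle timeout are constructed for the example.

```python
# Added example (not code from the paper): a circuit-level gateway that validates
# a connection once and then passes that session's packets in both directions.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP connection request (SYN) flag
    t: float = 0.0      # arrival time, seconds since midnight (constructed clock)


class CircuitGateway:
    def __init__(self, allowed_src, allowed_ports, idle_timeout, hours=(8 * 3600, 18 * 3600)):
        self.allowed_src = ipaddress.ip_network(allowed_src)  # who may open sessions
        self.allowed_ports = set(allowed_ports)               # services they may reach
        self.idle_timeout = idle_timeout                      # seconds of silence before a session closes
        self.hours = hours                                    # sessions may be opened only in this window
        self.sessions = {}  # (proto, src, sport, dst, dport) -> time of last packet

    def _valid_new_connection(self, p: Packet) -> bool:
        """The configurable rules, applied once when a connection is established."""
        return (ipaddress.ip_address(p.src) in self.allowed_src
                and p.dport in self.allowed_ports
                and self.hours[0] <= p.t % 86400 < self.hours[1])

    def handle(self, p: Packet) -> str:
        """Return "allow" or "deny" for one packet."""
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # An open session covers packets in both directions without re-checking.
        for key in (forward, reverse):
            last_seen = self.sessions.get(key)
            if last_seen is None:
                continue
            if p.t - last_seen <= self.idle_timeout:
                self.sessions[key] = p.t
                return "allow"
            del self.sessions[key]  # session went idle: it must be re-established
        # No session: only a connection request may open one, and only if it is valid.
        is_request = p.syn if p.proto == "tcp" else True
        if is_request and self._valid_new_connection(p):
            self.sessions[forward] = p.t
            return "allow"
        return "deny"


def demo():
    """Walk constructed packets through the gateway; returns the list of verdicts."""
    gw = CircuitGateway("10.0.0.0/8", [80, 443], idle_timeout=60)
    t0 = 9 * 3600  # 09:00, inside business hours
    packets = [
        Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 80, syn=True, t=t0),        # inside opens a session
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 50000, t=t0 + 1),              # reply passes
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 50001, t=t0 + 1),              # no session: dropped
        Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 80, t=t0 + 200),            # idle too long: dropped
        Packet("tcp", "10.0.0.5", 50002, "203.0.113.10", 23, syn=True, t=t0),        # port 23 not allowed
        Packet("tcp", "10.0.0.5", 50003, "203.0.113.10", 80, syn=True, t=2 * 3600),  # 02:00: outside hours
    ]
    return [gw.handle(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```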
Proxy server:
A proxy server is a program (possibly running on a separate proxy server computer) which accepts
information transfer requests on behalf of one or more other computers, and sends
appropriate responses to those requests.
A typical use of the proxy server is a caching proxy for web browsers, which is used by
Internet Service Providers (ISPs). This type of proxy server accepts requests for web
pages, gets a copy from the target computer, makes a temporary copy for itself, and then
sends the information back to the web browser that made the original request. The next
time anyone makes a request for this web page, it can use the temporary copy it made
earlier in order to save time and reduce the load on its Internet connection. This same
proxy server could also be used to block access to undesirable sites, or remove
undesirable information contained on a web page, such as an obnoxious JavaScript
program, a reference to an advertising site, or even a competitor's web site.
Many other types of proxy servers and services are also possible. Generally, a proxy
server intercepts all messages entering and leaving the network. The proxy server
effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is
considered a first line of defense in protecting private information.
As you can see, all firewalls regardless of type have one very important thing in common:
they receive, inspect and make decisions about all incoming data before it reaches other
parts of the system or network. That means they handle packets, and they are strategically
placed at the entry point to the system or network the firewall is intended to protect.
They usually regulate outgoing data as well. The types and capabilities of firewalls are
defined essentially by:
• where they reside in the network hierarchy (stack);
• how they analyze and how they regulate the flow of data (packets);
• and the additional security-related and utilitarian functions they may perform.
Some of those additional functions:
o Data may be encrypted/decrypted by the firewall for secure communication with a
distant network
o Scripting may allow the operator to program in any number of specialized
capabilities
o The firewall may facilitate communications between otherwise incompatible
networks.
6. Policy Considerations
Your organization's networked systems security policy should include:
• the risks you intend to manage with the firewall
• the services you intend to offer to untrusted networks from your protected
network. These could be offerings to the Internet or to other internal networks.
• the services you intend to request from untrusted networks via your protected
network. These could be requests to the Internet or to other internal networks.
• the objective that all incoming and outgoing network traffic must go through the
firewall (i.e., that no traffic which bypasses the firewall is permitted, for example,
by using modems), or conversely, that specific loopholes are permitted and under
what conditions (e.g., modems, tunnels, connections to ISPs)
In the offering and requesting of services, your policy should ensure that you only
allow network traffic
• that is determined to be safe and in your interests
• that minimizes the exposure of information about your protected network's
information infrastructure
7. Making firewalls fit
Firewalls are customizable. This means that you can add or remove filters based on
several conditions. Some of these are:
• IP addresses: Each machine on the Internet is assigned a unique address called an
IP address. IP addresses are 32-bit numbers, normally expressed as four "octets"
in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137.
For example, if a certain IP address outside the company is reading too many files
from a server, the firewall can block all traffic to or from that IP address.
• Domain names: Because it is hard to remember the string of numbers that make
up an IP address, and because IP addresses sometimes need to change, all servers
on the Internet also have human-readable names, called domain names. For
example, it is easier for most of us to remember www.howstuffworks.com than it
is to remember 216.27.61.137. A company might block all access to certain
domain names, or allow access only to specific domain names.
• Protocols: The protocol is the pre-defined way that someone who wants to use a
service talks with that service. The "someone" could be a person, but more often it
is a computer program like a Web browser. Protocols are often text, and simply
describe how the client and server will have their conversation. HTTP, for example,
is the Web's protocol. Some common protocols that you can set firewall filters for
include:
o IP (Internet Protocol) - the main delivery system for information over the
Internet
o TCP (Transmission Control Protocol) - used to break apart and rebuild
information that travels over the Internet
o HTTP (Hypertext Transfer Protocol) - used for Web pages
o FTP (File Transfer Protocol) - used to download and upload files
o UDP (User Datagram Protocol) - used for information that requires no
response, such as streaming audio and video
o ICMP (Internet Control Message Protocol) - used by a router to exchange
information with other routers
o SMTP (Simple Mail Transfer Protocol) - used to send text-based
information (e-mail)
o SNMP (Simple Network Management Protocol) - used to collect system
information from a remote computer
o Telnet - used to perform commands on a remote computer
A company might set up only one or two machines to handle a specific protocol
and ban that protocol on all other machines.
• Ports: Any server machine makes its services available to the Internet using
numbered ports, one for each service that is available on the server. For example,
if a server machine is running a Web (HTTP) server and an FTP server, the Web
server would typically be available on port 80, and the FTP server would be
available on port 21. A company might block port 21 access on all machines but
one inside the company.
• Specific words and phrases: This can be anything. The firewall will sniff (search
through) each packet of information for an exact match of the text listed in the
filter. For example, you could instruct the firewall to block any packet with the
word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated"
filter would not catch "X rated" (no hyphen). But you can include as many
words, phrases and variations of them as you need.
A software firewall, such as Zonealarm, can be installed on the computer in your home
that has an Internet connection. This computer is considered a gateway because it
provides the only point of access between your home network and the Internet.
With a hardware firewall, the firewall unit itself is normally the gateway. A good
example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub.
Computers in your home network connect to the router, which in turn is connected to
either a cable or DSL modem. You configure the router via a Web-based interface that
you reach through the browser on your computer. You can then set any filters or
additional information.
Hardware firewalls are incredibly secure and not very expensive. Home versions that
include a router, firewall and Ethernet hub for broadband connections can be found for
well under $100.
8. Firewall Configurations
Figure 8.1: A typical Dual Homed Gateway (no traffic directly between networks)
Dual Homed Gateway: In figure 8.1, an application layer firewall called a "dual homed
gateway" is represented. A dual homed gateway is a highly secured host that runs proxy
software. It has two network interfaces, one on each network, and blocks all traffic
passing through it.
Some firewalls are implemented without a screening router, by placing a system on both
the private network and the Internet, and disabling TCP/IP forwarding. Hosts on the
private network can communicate with the gateway, as can hosts on the Internet, but
direct traffic between the networks is blocked. A dual homed gateway is, by definition, a
bastion host. It is often the least expensive option for many sites and, if used mainly as an
application gateway, can be quite secure.
Figure 8.2: A typical Screened Host Gateway (bastion host on the private network)
Screened Host Gateway -- Possibly the most common firewall configuration is a
screened host gateway. This is implemented using a screening router and a bastion host.
Usually, the bastion host is on the private network, and the screening router is configured
such that the bastion host is the only system on the private network that is reachable from
the Internet. Often the screening router is configured to block traffic to the bastion host
on specific ports, permitting only a small number of services to communicate with it.
Figure 8.3: A typical Screened Subnet (bastion host on the screened network)
Screened Subnet -- In some firewall configurations, an isolated subnet is created,
situated between the Internet and the private network. Typically, this network is isolated
using screening routers, which may implement varying levels of filtering. Generally, a
screened subnet is configured such that both the Internet and the private network have
access to hosts on the screened subnet, but traffic across the screened subnet is blocked.
Some configurations of screened subnets will have a bastion host on the screened
network, either to support interactive terminal sessions or application level gateways.
9. Conclusion:
Firewalls are a very effective way to protect your system from most Internet security
threats and are a critical component of today's computer networks. Firewalls in networks
keep damage on one part of the network (e.g., eavesdropping, a worm program, file
damage) from spreading to the rest of the network. Without firewalls, network security
problems can rage out of control, dragging more and more systems down.
From the web site http://www.sygate.com/swat/free/default.php you can download free
firewall software such as Sygate Personal Firewall PRO and Sygate Office Network
for Windows 95/98/ME/NT/2000/XP.
10. References:
http://searchsecurity.techtarget.com/sDefinition
http://www.deatech.com/deatech/articles/FirewallWhyTo.html
http://search.win2000mag.net/security/query.html?qt=firewall&qp=keywords:%22security%22
http://www.guest.seas.gwu.edu/~reto/firewall/
http://www.vicomsoft.com/index.html?page=http://www.vicomsoft.com/knowledge/reference/firewalls1.html*track=internal
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212125,00.html