Design and Realization of the Packet Filter Firewall Based on Linux
Dr. Roger Gibbs, United States, Researcher
Published Date: 27-11-2017
Abstract
The Internet is a fun little playground and at the same time a hostile environment.
Like any other society, it is plagued with the kind of people who enjoy the electronic
equivalent of writing on other people's walls with spray paint, tearing off their
mailboxes, or just sitting in the street blowing their car horns. Some people get real
work done over the Internet, and some must protect sensitive or proprietary data.
Usually, a firewall's purpose is to keep intruders out of the network while letting
legitimate users get their work done.
Nowadays, information is one of the most important assets in almost every organization.
Once the internal network of such an organization is connected to the Internet, it
becomes a potential target for cyber attacks. In order to secure its systems and
information, each company or organization should conduct a self-hacking audit,
analyze the threats it finds and eliminate them before they turn into incidents.
A firewall is a system or group of systems that enforces an access control policy
between two or more networks. The means by which this control is accomplished
varies widely, but in principle, the firewall is a pair of mechanisms, one that blocks
traffic and one that permits traffic. Some firewalls emphasize blocking traffic, while
others emphasize permitting traffic. The most important thing to recognize about a
firewall is that it implements an access control policy.
In this thesis the major emphasis is on the design and development of firewall scripts
that deny or allow network traffic. These scripts are written using the command line
tool iptables. Among its features, the connection-tracking (conntrack) facility is
especially useful: a packet is accepted only if it belongs to a connection the kernel
has already seen, so it can be used to prevent most TCP hijacking attempts against
non-masqueraded clients that suffer from poor TCP sequence number randomization, and
UDP packet hijacking can be countered in the same way. Connection tracking checks
only that a packet fits a known flow, not who sent it, so it complements rather than
replaces authenticated, encrypted protocols.
Chapter 1
Introduction
Computer networks by their very nature are designed to allow the flow of
information. Network technology is such that, today, you can sit at a workstation in
Delhi, and have a process connected to a system in London, with files mounted from a
system in California, and be able to do work just as if all of the systems were in the
same room. Impeding the free flow of data is contrary to the basic functionality of the
network, but the free flow of information is contrary to the rules by which companies
and governments need to conduct business. Information and sensitive data must be
kept insulated from unauthorized access yet security must have a minimal impact on
the overall usage of the network.
The purpose of a firewall is to provide a point of defense and controlled, audited
access to services, both from within and to an organization's private network. This
requires a mechanism for selectively permitting or blocking traffic between the
Internet and the network being protected. Routers can control traffic at an IP level, by
selectively permitting or denying traffic based on source/destination address or port.
Hosts can control traffic at an application level, forcing traffic to move out of the
protocol layer for more detailed examination. To implement a firewall that relies on
routing and screening, one must permit at least a degree of direct IP-level traffic
between the Internet and the protected network.
1.1 Network Security
Network Security is a branch of Information Security which deals with systems that
operate primarily at the network level. This includes the management of network
devices such as Firewalls, VPNs, Proxies, NAC solutions, IDS/IPS, as well as the
management and protection of the network infrastructure.
1.2 Network Security approaches
Security approaches are basically of the following two types:
1.2.1 Proactive
Proactive approaches are measures taken to prevent a computer or network from
suffering various types of attack. Every modern organization realizes the value of
dedicating some resources to the prevention of the expensive damage that is likely to
occur if such preventive measures are not taken. Banks use thick steel and concrete
vaults with advanced electronic systems to prevent and detect break-ins. Some
organizations have started using Intrusion Detection and Response Systems (IDRSes)
to try to detect computer intrusions and then activate defensive measures when an
attack is detected.
1.2.2 Reactive
Reactive approaches are those procedures that organizations use once they discover
that some of their systems have been compromised by an intruder or attack program.
Reactive methods include disaster recovery plans, use of private investigation
services and loss recovery specialists, reinstallation of operating systems and
applications on compromised systems, or switching to alternate systems in other
locations [1].
1.3 Network security objectives
Security objectives fall into one or more of the following categories:
1.3.1 Access Controls
Access control is a system which enables an authority to control access to areas and
resources in a given physical facility or computer-based information system. A system
needs to be able to identify and authenticate users for access to data, applications and
hardware. In a large system there may be a complex structure determining which
users and applications have access to which objects.
1.3.2 Confidentiality
Confidentiality means preventing the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet
requires the credit card number to be transmitted from the buyer to the merchant and
from the merchant to a transaction processing network. Confidentiality is the
assurance that sensitive information remains private and is not visible to an
eavesdropper. Confidentiality is critical to total data security. Encrypting data
using digital certificates with Secure Sockets Layer (SSL, today TLS) or a virtual
private network (VPN) connection helps ensure confidentiality when transmitting data
across untrusted networks. The security policy should define how confidentiality is
provided for information within the network as well as when information leaves it.
1.3.3 Availability
Availability is the prevention of unauthorized withholding of information.
Information should be accessible and useable upon appropriate demand by an
authorized user. Denial of service attacks are a common form of attack.
1.3.4 Integrity
Integrity is the prevention of unauthorized writing or modification of information.
Integrity means that there is an external consistency in the system: everything is as
it is expected to be. Data integrity means that the data stored on a computer is the
same as the source documents and is protected from unauthorized changes or tampering.
Data integrity defends against the security risk of manipulation, in which someone
intercepts and changes information that he or she is not authorized to change. When
data entering the system come from a public network, security methods are needed to
perform the following tasks:
Protect the data from being sniffed and interpreted, typically by encrypting it.
Ensure that the transmission has not been altered (data integrity).
Prove that the transmission occurred (non-repudiation).
1.3.5 Non-repudiation
Non-repudiation is the prevention of either the sender or the receiver denying a
transmitted message. A system must be able to prove that certain messages were sent
and received. The use of digital certificates and public key cryptography to sign
transactions, messages, and documents supports non-repudiation. Both the sender and
the receiver agree that the exchange takes place. The digital signature on the data
provides the necessary proof.
1.3.6 Authentication
Authentication is the assurance or verification that the resource (human or machine)
at the other end of the session really is what it claims to be. Solid authentication
defends a system against the security risk of impersonation, in which a sender or
receiver uses a false identity to access a system. When a system is linked to a public
network like the Internet, user authentication takes on new dimensions. Consequently,
consider seriously the idea of using stronger authentication methods than traditional
user name and password logon procedures provide. Authenticated users might have
different types of permissions based on their authorization levels.
1.3.7 Authorization
Authorization is the assurance that the person or computer at the other end of the
session has permission to carry out the request. Authorization is the process of
determining who or what can access system resources or perform certain activities on
a system. Typically, authorization is performed in context of authentication.
1.3.8 Auditing security activities
Auditing is basically monitoring of security-relevant events to provide a log of both
successful and unsuccessful (denied) access. Successful access records tell who is
doing what on your systems. Unsuccessful (denied) access records tell either that
someone is attempting to break security or that someone is having difficulty accessing
system 2.
1.4 Need of Network Security
Computer security technology is still in its infancy. Technologies such as firewalls,
antivirus, and IDS have migrated from research labs into production networks, and
have become required mainstays both as essential defenses and as legally mandated
compliance systems. Computer security systems are complex devices that need to
meet a variety of conflicting goals: high performance, fault tolerance, easy
administration – and rigorous security processing. Some vendors have staked their
claim based on speed, others on cost, and still others on the defensive posture and
security of their products. Unfortunately, it is extremely difficult for the customer to
sort through marketing fluff and dubious benchmarks, to determine which products
actually work and which merely appear to work. Few customers are sufficiently
sophisticated or willing to take the time to do their own testing and most are forced to
rely on published results from trade magazines, recommendations from consultants, or
industry analysts. Sadly, few of the trade magazines or analysts have the
sophistication or time to perform adequate testing, either [3].
The network needs security against attackers and hackers. Network security has two
basic components. The first is information security, i.e. protecting information from
unauthorized access and loss. The second is computer security, i.e. protecting the
machines themselves from hackers and malicious software. Here network security does
not mean security in a single network only, but in any network or network of networks.
The need for network security therefore breaks down into two needs: the need for
information security and the need for computer security.
On the Internet or on any organization's network, a great deal of important
information is exchanged daily, and this information can be misused by attackers.
Information security is needed for the following reasons:
To protect secret information so that only its intended users on the network can see
or access it.
To protect information from unwanted editing, accidental or intentional, by
unauthorized users.
To protect information from loss and ensure it is delivered to its destination
properly.
To manage acknowledgement of messages received by any node, in order to protect
against denial by the sender in specific situations. For example, a customer orders
the purchase of a few shares of XYZ from a broker and denies having placed the order
two days later when the price falls.
To prevent a user from sending a message to another user in the name of a third
party. For example, user X, in his own interest, composes a message containing
favorable instructions and sends it to user Y in such a manner that Y accepts the
message as coming from Z, the manager of the organization.
To protect messages from unwanted delay on the transmission lines or route, so that
they reach the required destination in time when urgent.
To protect the network from packets wandering in it for an indefinitely long time,
increasing congestion on the line, when the destination machine fails to receive them
because of an internal fault.
The other part of network security is computer security. Computer security means
protecting a computer system from unwanted damage caused through the network. One of
the major causes of such damage is viruses and spyware, which can wipe all the
information from a hard disk or sometimes be destructive enough to cause hardware
problems too. Certainly the network must be protected from such damaging software.
The people who intentionally put such software on the network are called hackers. As
the computers on the network are part of it, protecting them from hackers is also a
part of network security. The needs of computer security against hackers are as
follows:
Systems must be protected from replicating and receiving viruses from infected files.
They need proper protection from viruses and worms.
They need protection from Trojan horses, which are dangerous enough for any
computer [4].
iptables is a packet filtering firewall used for blocking and allowing network traffic
on the basis of source address, destination address, port numbers, and protocols.
1.5 Packet Filtering using iptables
Packet filtering allows you to explicitly restrict or allow packets by machine, port,
or machine and port. For instance, you can block all packets destined for port 80
(WWW) on all machines on your LAN except machines X and Y.
Packet filtering is most commonly used as a first line of defense against attacks from
machines outside your LAN. Since most routing devices have built-in filtering
capabilities, packet filtering has become a common and inexpensive method of
security.
iptables is used to set up, maintain, and inspect the tables of IP packet filter rules
in the Linux kernel. Several different tables may be defined. Each table contains a
number of built-in chains and may also contain user-defined chains.
iptables is currently the default firewall tool shipped by Red Hat, CentOS, Ubuntu
and Fedora, having replaced ipchains long ago. (Newer kernels have since moved to
nftables; on recent distributions the iptables command is often a compatibility
front end that programs nftables underneath, so the rule syntax used here still
applies.)
iptables supports many kinds of match. To name a few, rules can match on source and
destination ports, source and destination hosts or address ranges, protocol, TCP
flags, connection-tracking state, the source MAC address (on incoming packets), the
local user or group ID that owns a socket (for locally generated packets only), and
a lot more. It is a packet filter, not a proxy: it does not understand URLs or other
application-layer content, which is the job of an application-level gateway.
Figure 1.1: Packet filtering process [5].
In figure 1.1 the firewall acts as an intermediary between the incoming and outgoing
traffic. Packets are accepted or dropped on the basis of the rules applied in the
INPUT, FORWARD, and OUTPUT chains.
The Linux kernel uses the iptables facility to filter packets, allowing some of them
to be received by or pass through the system while stopping others.
This facility is built into the Linux kernel and provides several built-in tables, or
rule lists. The three used most often are:
filter: the default table for handling network packets (accept or drop).
nat: used to alter packets that create a new connection, for Network Address
Translation (NAT).
mangle: used for specific types of packet alteration, such as changing TTL or marks.
(Two further tables exist, raw, which is consulted before connection tracking, and
security, used for SELinux marking, but this work uses only the three above.)
Each table has a group of built-in chains, which correspond to the points at which
the kernel hands the packet to iptables: INPUT for packets addressed to the local
system, OUTPUT for packets generated locally, and FORWARD for packets routed
through the system (the nat and mangle tables also have PREROUTING and
POSTROUTING chains).
Every network packet received by or sent from a Linux system is subject to at least
one table, and a packet may be checked against many rules within a chain before
emerging at its end. The structure and purpose of these rules may vary, but they
usually seek to identify a packet coming from or going to a particular IP address, or
set of addresses, when using a particular protocol and network service.
When a packet matches a rule, the rule's target, or action, is applied to it. Rules are
evaluated in order, so the first matching rule with a terminating target wins. If the
rule specifies an ACCEPT target, the packet stops traversing that chain and is allowed
to continue (it may still be examined by later tables and chains). If a rule specifies
a DROP target, the packet is silently discarded and nothing is sent back to the host
that sent it. If a rule specifies a QUEUE (or NFQUEUE) target, the packet is passed to
a user-space program for a verdict. If a rule specifies the optional REJECT target,
the packet is dropped but an error packet (by default an ICMP port-unreachable, or a
TCP RST with --reject-with tcp-reset) is sent to the packet's originator. DROP is
the usual choice on an Internet-facing interface, since it costs nothing to send and
reveals nothing; REJECT is friendlier to internal clients, which fail fast instead of
waiting for a timeout.
Every built-in chain has a default policy, which must be ACCEPT or DROP (REJECT and
QUEUE are extension targets and can only be used in rules). If none of the rules in
the chain apply to the packet, the packet is dealt with in accordance with the default
policy. User-defined chains have no policy; a packet that reaches the end of one
returns to the chain that called it [6].
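The chain traversal just described, applied as a complete stateful default-deny rule set. This is an added example and not a script from the thesis: the interface names (eth0 as the Internet side, eth1 as the LAN side), the LAN prefix 192.168.1.0/24, the exposed TCP ports and the FW-DROP log prefix are assumptions to adjust for a real site. It also carries the anti-spoofing rules that address the IP spoofing threat discussed in chapter 2. Without FW_APPLY=1 the script only prints the iptables commands it would run, so the rule set can be reviewed before it is loaded as root.

```sh
#!/bin/sh
# Stateful default-deny filter for a Linux router with one WAN and one LAN
# interface. Added example, not the thesis's own script. Interface names,
# LAN prefix and exposed ports below are assumptions; change them to fit
# your site. Run as root with FW_APPLY=1 to load the rules; otherwise the
# script only prints the iptables commands it would execute.

WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal prefix
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"      # TCP services reachable from the WAN

# ipt: run iptables for real only when FW_APPLY=1; otherwise print the command.
ipt() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # 1. Empty the filter table and set default-deny policies. Only built-in
    #    chains take a policy, and it must be ACCEPT or DROP.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 2. Loopback, then connection tracking. Replies to tracked connections are
    #    accepted first, so most traffic matches here; a packet that does not
    #    belong to any tracked flow (a hijack attempt, a stray ACK) is dropped.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 3. Anti-spoofing: private and loopback source addresses can never
    #    legitimately arrive on the WAN side, and LAN packets must carry a
    #    LAN source address.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
    ipt -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP

    # 4. New connections: a new TCP flow must start with a bare SYN (this
    #    discards SYN+FIN, XMAS and similar scan packets); only the listed
    #    ports are open from the WAN; the LAN may reach the router and the
    #    Internet.
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    for port in $ALLOW_TCP; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # 5. Log what falls through (rate limited so an attacker cannot flood the
    #    log), REJECT for LAN clients so they fail fast, and let the DROP
    #    policy silently discard everything else from the WAN.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
}

# rule_count: number of iptables commands the rule set generates, always
# computed in dry-run mode (a quick sanity check before applying).
rule_count() {
    ( FW_APPLY=0; build_rules ) | wc -l | tr -d ' '
}

build_rules
```

Order matters: the conntrack ACCEPT sits near the top so the common case costs one rule, the anti-spoofing DROPs precede any ACCEPT that matches on address, and the LOG rule comes last so it records only what the policy is about to drop. Note that `-F` flushes only the filter table; the nat and mangle tables are untouched.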
Chapter 2
Literature Survey
2.1 Security Threats
Without security measures and controls in place, data might be subjected to attack.
Some attacks are passive, meaning information is merely monitored; others are active,
meaning the information is altered with intent to corrupt or destroy the data or the
network itself. Networks and data are vulnerable to any of the following types of
attack if no security plan is in place.
Figure 2.1: Major threats in today's network [7].
2.1.1 Denial of Service (DoS) Attacks
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource unavailable to its intended users.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile
web servers such as banks, credit card payment gateways, and even root name servers.
One common method of attack involves saturating the target (victim) machine with
external communication requests, such that it cannot respond to legitimate traffic, or
responds so slowly as to be rendered effectively unavailable. In general terms, DoS
attacks are implemented by either forcing the targeted computer(s) to reset, consuming
their resources so that they can no longer provide the intended service, or
obstructing the communication media between the intended users and the victim so
that they can no longer communicate adequately.
2.1.2 Website Defacement
Website defacement is an attack on a website that changes the visual appearance of
the site. These are typically the work of system crackers, who break into a web server
and replace the hosted website with one of their own. Defacements have increased so
much that experts no longer keep records of defaced sites. The attacker probes web
services through a normal Internet connection and modifies the HTML or script code,
which changes the website.
Website defacement is the unauthorized substitution of a web page, or a part of it, by
a system cracker. This is a very common form of attack that seriously damages the
trust and the reputation of a website. Detecting web page defacements is one of the
main services a security monitoring system provides.
2.1.3 Viruses and Worms
Viruses and worms are computer programs that make computer systems stop working
properly. There is a subtle difference between a virus and a worm: both replicate
themselves, but a virus cannot travel across the network on its own; it needs an
infected file or program to attach itself to and a user to run it, whereas a worm
propagates by itself across the network without needing any infected file. Viruses
and worms are a real nuisance for all systems. Their ultimate aim is to make a good
working system malfunction, and sometimes worms also sniff and steal private
information and send it to their creator. In earlier days, viruses spread through
floppy diskettes. Nowadays they spread through the Internet, which is a broad
gateway for such malicious programs. They can spread quickly and affect all the
systems in an organization within minutes, causing millions of dollars of loss.
2.1.4 Data Sniffing and Spoofing
Sniffing is the passive capture of traffic; spoofing is an attack in which one person
or program successfully masquerades as another by falsifying data and thereby gains
an illegitimate advantage.
Sniffing
Sniffing means capturing all packets passing through the wire or, for wireless
networks, through the air. Initially this technique was used for fixing network
problems. Because it can watch network packets, it is now also used by hackers
for harvesting login IDs and passwords off the wire. tcpdump and Wireshark are
typical sniffing tools. The best way to defeat sniffing is encryption: if sensitive
information is encrypted before it is sent, a hacker cannot understand it without
the key to decrypt it. Typical services that are sniffed are TELNET, FTP and SMTP
(e-mail), whose packets are unencrypted.
Spoofing
The exact meaning of spoofing is deceiving others. It is actually fooling other
computer users to think that the source of their information is coming from a
legitimate user. There are several methods of spoofing. Some of them are as
follows:
IP Spoofing
It changes the source address of an IP packet so that it appears to come from a
legitimate source, when really it may be coming from a hacker. Thus the hacker
attacks the system and at the same time hides his IP address from the firewall.
The classic targets of IP spoofing are services that trust clients by source
address, such as the UNIX r-services and RPC services.
DNS Spoofing
This directs users to an incorrect location: in other words, it directs users to a
different website and collects personal information through web forms illegally.
DNS spoofing is a very dangerous threat, because DNS is what maps domain names to
their IP addresses. Suppose the domain name is www.dell.com and DNS resolves it to
an IP address that belongs to a hacker's site: the users will be directed to the
hacker's website. If the hacker makes his website look like Dell's, users may think
that the hacker's website is the real Dell website and may provide all their bank or
credit card information when trying to purchase something. Now the hacker can get
that information without any difficulty.
ARP Spoofing
Every host on a LAN maintains an ARP cache, a table mapping IP addresses to the MAC
addresses of the computers on the network, and frames are delivered to the
respective computer based on those mappings. If a host cannot find a MAC address in
its cache, it broadcasts an ARP request to all systems and waits for the destination
machine to reply with its MAC address, which it then adds to the table. This is the
stage where ARP spoofing can happen: a hacker's machine answers the broadcast (or
sends unsolicited replies) claiming that its MAC address belongs to the requested
IP, and the victim adds the hacker's MAC address to its table. As a result, traffic
meant for the legitimate machine, often the default gateway, is delivered to the
hacker, who can read, modify or forward it. Once the hacker is in that position, he
can do all sorts of things.
2.1.5 Unauthorized Access
Unauthorized access can be accomplished over any connection to a computer or
network using most services (TELNET, FTP, HTTP, e-mail, etc.). The attacker must
somehow compromise authentication (password, token, PIN, smart card) to gain
access. Once access is gained, malicious activity can occur, and unless internal
auditing and access control are implemented the access can go undetected for years.
2.1.6 Man-in-the-Middle Attack
A man-in-the-middle attack occurs when someone between you and the person with
whom you are communicating is actively monitoring, capturing, and controlling your
communication transparently. For example, the attacker can re-route a data exchange.
When computers are communicating at the lower network layers, they might not be
able to determine with whom they are exchanging data.
A man-in-the-middle attack is like someone assuming another identity in order to read
messages. The person on the other end might believe the exchange is genuine because
the attacker actively replies to keep the exchange going and gain more information.
2.1.7 Trojan Horse
Hackers can use these programs to gain control of their target machines and watch all
activity on them. For e-commerce businesses this is more dangerous than a virus or a
DoS attack. The threatening issues with Trojan horses are as follows:
They allow data integrity attacks.
They allow the attacker to gain control over the target machine and steal private
information stored on it, which violates the privacy policy.
They can record keystrokes and make them viewable to hackers. As a result, hackers
can easily get the victim's login IDs and passwords, which violates
confidentiality.
Hackers can take screenshots of targeted machines using Trojan horses.
Sometimes, if websites are not secured properly, third-party companies can collect
consumer information and pass it to other businesses. This is a serious threat to
customer privacy.
They can be installed very easily on the target machines simply by sending them as
an e-mail attachment.
2.1.8 Port-scanning and Probing
Port scanning and probing are techniques that identify vulnerable network ports:
Port scanning
A port scan is used to probe a network host for open ports. This is often used by
administrators to verify the security policies of their networks and by attackers to
identify running services on a host with a view to compromising it. To port scan a
host is to scan for listening ports on a single target host. To portsweep is to scan
multiple hosts for a specific listening port. Port scanning identifies vulnerable
network ports or services (i.e. TELNET, FTP, e-mail, Web, etc.); it works by probing
as many targets as possible and tracking the ones that respond.
Probing
Once vulnerable ports are identified, they can be probed with malicious intent
[8, 9].
2.2 Security Measures
Network security starts with authenticating any user. Once the user is authenticated,
the firewall enforces access policies such as which services the network users are
allowed to reach. Though effective at preventing unauthorized access, this component
fails to check potentially harmful content such as computer worms being transmitted
over the network. An Intrusion Detection System (IDS) or Intrusion Prevention System
(IPS) helps detect and prevent such malware.
2.2.1 Firewall
A firewall is a hardware or software solution to enforce security policies. In a physical
security analogy, a firewall is equivalent to a lock on a perimeter door or on the door
to a room inside the building: it admits only authorized users, such as those with a
key or access card. A firewall has a built-in filter that can disallow unauthorized or
potentially dangerous material from entering the system. It also logs attempted
intrusions.
2.2.2 Intrusion detection and prevention systems (IDPS)
Intrusion detection is the process of monitoring the events occurring in a computer
system or network and analyzing them for signs of possible incidents, which are
violations or imminent threats of violation of computer security policies. Intrusion
prevention is the process of performing intrusion detection and attempting to stop
detected possible incidents. Intrusion detection and prevention systems (IDPS) are
primarily focused on identifying possible incidents, logging information about them,
attempting to stop them, and reporting them to security administrators. In addition,
organizations use IDPS for other purposes, such as identifying problems with security
policies, documenting existing threats, and deterring individuals from violating
security policies. IDPS have become a necessary addition to the security infrastructure
of nearly every organization. IDPS typically record information related to observed
events, notify security administrators of important observed events, and produce
reports. Many IDPS can also respond to a detected threat by attempting to prevent it
from succeeding. They use several response techniques, which involve the IDPS
stopping the attack itself, changing the security environment (e.g., reconfiguring a
firewall), or changing the attack's content [10].
There are two main types of IDS: network-based and host-based.
Host based
A HIDS resides on a particular computer and provides protection for that specific
computer system. Host intrusion detection systems are installed locally on host
machines, making them a very versatile system compared to NIDS. A HIDS can be
installed on many different types of machine, namely servers, workstations
and notebook computers. The model shown in Figure 2.2 allows for remote
monitoring, remote storage of event logs and the ability to push agents to
new or existing hosts [11].
Figure 2.2: Host based Intrusion Detection System [12].
Network based
A network based IDS captures network traffic packets (TCP, UDP) and analyzes
their content against a set of rules or signatures to determine if a possible event
took place. A NIDS monitors packets on the network wire and attempts to
discover whether a hacker/cracker is attempting to break into a system (or cause a
denial of service). A typical example is a system that watches for a large
number of TCP connection requests (SYN) to many different ports on a target
machine, thus discovering whether someone is attempting a TCP port scan. A NIDS
may run either on the target machine, watching its own traffic, or on an
independent machine promiscuously watching all network traffic (hub, router, or a
switch mirror port). Because a NIDS is network based it does not deal only with
packets going to a specific host: all the machines in a network segment benefit from
its protection. Network-based IDS can also be installed on active network
elements, for example on routers. Typical network based IDS are Cisco
Secure IDS, Hogwash, Dragon, and eTrust IDS [13].
Figure 2.3: Network based Intrusion Detection System [12].
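The SYN-scan detection that the NIDS paragraph above describes (and that section 2.1.8 defines as port scanning), written as an added example over the firewall's own iptables LOG output. It is not code from the thesis or from any of the products named. The log lines are constructed to follow the kernel LOG target's key=value format; the FW-DROP: prefix and the addresses are assumptions. A source is reported when it has sent bare SYNs to at least a threshold number of distinct destination ports, counting each (source, port) pair once so retransmits do not inflate the score.

```sh
#!/bin/sh
# Port-scan detector over iptables LOG output. Added example, not code from the
# thesis. It counts, per source address, how many distinct destination ports
# received a bare SYN (SYN without ACK) and reports sources at or above a
# threshold. Input is read from stdin, e.g. grep 'FW-DROP:' /var/log/kern.log.

# detect_port_scans THRESHOLD: print "SRC COUNT" for every source that sent
# bare SYNs to at least THRESHOLD distinct TCP destination ports.
detect_port_scans() {
    threshold="${1:-10}"
    awk -v thr="$threshold" '
        {
            src = ""; dpt = ""; proto = ""; syn = 0; ack = 0
            # The LOG target emits key=value fields and bare TCP flag names.
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i == "SYN")    syn   = 1
                else if ($i == "ACK")    ack   = 1
            }
            # Only connection attempts count: TCP, SYN set, ACK clear.
            if (proto != "TCP" || !syn || ack || src == "" || dpt == "") next
            # Count each (source, port) pair once, so retransmits to the same
            # port do not inflate the score.
            if (!seen[src SUBSEP dpt]++) ports[src]++
        }
        END {
            for (s in ports)
                if (ports[s] >= thr) printf "%s %d\n", s, ports[s]
        }
    ' | sort
}

# sample_log: constructed log lines (not a real capture) in the kernel LOG
# target format, with the FW-DROP: prefix assumed from a firewall script.
sample_log() {
    i=0
    # A sweep of 12 ports on one host from 203.0.113.7.
    for p in 21 22 23 25 80 110 135 139 443 445 3389 8080; do
        i=$((i + 1))
        printf 'Nov 27 10:01:%02d gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=%s WINDOW=1024 RES=0x00 SYN URGP=0\n' "$i" "$p"
    done
    # A normal client: two attempts to SSH (a retransmit) and one to HTTPS.
    printf 'Nov 27 10:02:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0\n'
    printf 'Nov 27 10:02:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0\n'
    printf 'Nov 27 10:02:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0\n'
    # A SYN/ACK reply and a UDP packet: neither is a connection attempt.
    printf 'Nov 27 10:02:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.5 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=443 DPT=51001 WINDOW=65160 RES=0x00 ACK SYN URGP=0\n'
    printf 'Nov 27 10:02:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=72 TTL=60 ID=5 DF PROTO=UDP SPT=5353 DPT=53 LEN=52\n'
}

sample_log | detect_port_scans 10
```

With the constructed input and a threshold of 10, only 203.0.113.7 is reported; the client that retried SSH is not, because its two SYNs to port 22 count as one port. The script has no time window, so on a long log it will eventually flag any busy legitimate source; a production detector would bucket by time, as the NIDS products above do.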
2.2.3 Virus Protection
Antivirus (or anti-virus) software is used to prevent, detect, and remove malware,
including computer viruses, worms, and Trojan horses. Such programs may also
prevent and remove adware, spyware, and other forms of malware. A variety of
strategies are typically employed. Signature-based detection involves searching for
known malicious patterns in executable code. However, it is possible for a user to be
infected with new malware in which no signature exists yet. Some antivirus software
can also predict what a file will do if opened/run by emulating it in a sandbox and
analyzing what it does to see if it performs any malicious actions. If it does, this could
mean the file is malicious.
2.2.4 Encryption
Encryption is the process of converting plaintext into an encoded form called cipher
text. Decryption is the reverse, in other words, moving from the cipher text back to
plaintext. A cipher is a pair of algorithms which perform the encryption and the
reversing decryption. The detailed operation of a cipher is controlled both by the
algorithm and, in each instance, by a key. This is a secret parameter ideally known
only to the communicants. Keys are important, as ciphers without variable keys are
trivially breakable and therefore less than useful for most purposes. Encryption
protects data in transit or stored on disk: once data has been enciphered, it cannot
be read without the appropriate key, so the security of the data reduces to the
secrecy of the key.
2.2.5 Data and Information Backups
Data and information backups are a must for disaster recovery and business
continuity. They should include daily and periodic (weekly) backups, be stored
off-site at least 20 miles from the primary location, have 24x7 access, and be kept
for at least 30 days in a rotating stockpile.
They will mitigate the following attacks:
Used to respond to and replace information that is compromised by any of the
attacks mentioned above [8, 9].
A key element in the protection of a computer connected to the Internet is the
firewall. A firewall is like the door of our house; it sets a border between our private
space and public space and allows us to decide who may enter and who cannot. If our
house had no door, any person could enter and search it. The same is true of our
computer (the house) and firewall (the door). Without a firewall, anyone can enter the
computer and see the files stored there, which may contain sensitive information
and/or items such as access codes and user names.
2.3 Firewall
A firewall is a logical object (hardware and/or software) within a network
infrastructure which prevents communications forbidden by the security policy of an
organization from taking place, analogous to the function of firewalls in building
construction. Often a firewall is also referred to as a packet filter. The basic task of
a firewall is to control traffic between different zones of trust and/or
administrative authorities. Typical zones of trust include the Internet (a zone with no
trust) and an internal network (a zone with high trust). The ultimate goal is to
provide controlled connectivity between zones of differing trust levels through
the enforcement of a security policy and a connectivity model based on the least
privilege principle. Proper configuration of firewalls demands skill from the
administrator. It requires considerable understanding of network protocols and of
computer security. Small mistakes can render a firewall configuration worthless as a
security tool and, in extreme situations, create a false sense of security where no
security at all is left 14, 16.
Figure 2.4: Firewall System 14.
Figure 2.4 shows a firewall protecting the internal network from the external network by
accepting or denying traffic according to the rules specified in its rule list. A firewall is a
system that protects a computer or a computer network against intrusions coming
from a third-party network (generally the Internet). A firewall is a system that filters
data packets that are exchanged over the network. Therefore, it is a filtering gateway
that comprises at least the following network interfaces:
An interface for the network being protected (internal network)
An interface for the external network
2.3.1 There are a number of components that make up a firewall
The Internet access security policy of the organization. This states, at a high
level, what degree of security the organization expects when connecting to
the Internet. The security policy is independent of technology and techniques,
and should have a lifetime independent of the equipment used. An example of
statements from such a security policy might be: external users will not be
allowed to access the corporate network without a strong level of
authentication, any corporate information not in the public domain must be
transferred across the Internet in a confidential manner, and corporate users
will only be allowed to send electronic mail to the Internet - all other services
will be banned.
The mapping of the security policy onto technical designs and procedures that
are to be followed when connecting to the Internet. This information will be
updated as new technology is announced, and as system configurations change
etc. For example, regarding authentication, the technical design might specify
the use of one-time passwords. Technical designs are usually based on one of
two security policies, either:
Permit any service unless it is expressly denied, or
Deny any service unless it is expressly permitted.
The latter is clearly the more secure of the two.
The firewall system, which is the hardware and software which implements
the firewall. Typical firewall systems comprise an IP packet filtering router,
and a host computer (sometimes called a bastion host or application gateway)
running application filtering and authentication software 14.
2.3.2 Advantages of Firewalls
Firewalls have a number of advantages.
They can stop incoming requests to inherently insecure services, e.g. you can
disallow rlogin, or RPC services such as NFS.
They can control access to other services, e.g. bar callers from certain IP
addresses; filter the service operations (both incoming and outgoing), e.g. stop
FTP writes; and hide information, e.g. by only allowing access to certain
directories or systems.
They are more cost effective than securing each host on the corporate
network since there are often only one or a few firewall systems to
concentrate on.
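The following script is an added example, not a script from the thesis. It shows what the "deny any service unless it is expressly permitted" design from 2.3.1 looks like as an iptables rule set, and how the advantages listed in 2.3.2 fall out of it: rlogin and the RPC services (NFS, portmapper) are never opened so the DROP policy refuses them, a constructed "banned" source range is barred before any ACCEPT rule can match it, and only a named management host may reach SSH. The ESTABLISHED,RELATED rules rely on the connection-tracking feature the thesis introduction mentions. The wrapper function ipt, the DRY_RUN switch, the management host 192.0.2.10 and the banned range 198.51.100.0/24 are all assumptions of this example (the last two are documentation-only address blocks); by default the script only prints the commands so it can be reviewed on any machine, and applying it requires DRY_RUN=0 and root on a Linux host.

```shell
#!/bin/sh
# Added example (not from the thesis): a default-deny iptables rule set in the
# "deny any service unless it is expressly permitted" style of section 2.3.1.
#
# DRY_RUN=1 (the default) prints each iptables command instead of running it,
# so the rule set can be reviewed or tested anywhere; DRY_RUN=0 applies it and
# needs root on Linux.  The addresses below are constructed placeholders.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"          # assumed management host
BANNED_NET="${BANNED_NET:-198.51.100.0/24}"   # assumed barred source range

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Builds the whole rule set.  iptables uses first match, so the ban on
# $BANNED_NET is placed before the rules that accept HTTP/HTTPS from anywhere.
default_deny_ruleset() {
    # Start from an empty filter table.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT

    # Policy: anything not expressly permitted below is dropped.  rlogin
    # (513/tcp), portmapper (111) and NFS (2049) never appear in an ACCEPT
    # rule, so the policy refuses them without a rule each.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback traffic never leaves the host.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Connection tracking: accept replies to connections already permitted.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Bar callers from the banned range before any ACCEPT rule can match them.
    ipt -A INPUT -s "$BANNED_NET" -j DROP

    # Expressly permitted inbound services.
    ipt -A INPUT -p tcp -s "$MGMT_HOST" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Expressly permitted outbound services: DNS and web.
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Log, rate-limited, what the DROP policy is about to refuse.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP:"
}

# Prints the rule set for review regardless of DRY_RUN (runs in a subshell so
# the caller's DRY_RUN setting is untouched).
print_ruleset() {
    ( DRY_RUN=1; default_deny_ruleset )
}

print_ruleset
```

Reading the printed output top to bottom is the same exercise as reading the kernel's chain traversal: the first rule whose match fields fit the packet decides it, and a packet that reaches the end of the chain is handled by the policy. That is why the rule order in the script, not only the set of rules, is part of the security policy.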
2.3.3 Disadvantages of Firewalls
Firewalls are not the be all and end all of network security. They do have some
disadvantages, such as:
They are a central point for attack, and if an intruder breaks through the
firewall they may have unlimited access to the corporate network.
They may restrict legitimate users from accessing valuable services, for
example, corporate users may not be let out onto the Web, or when working
away from home a corporate user may not have full access to the
organization’s network.
They can be a bottleneck to throughput, since all connections must go via the
firewall system.
The biggest disadvantage of a firewall is that it gives no protection against the
inside attacker. Since most corporate computer crime is perpetrated by internal
users, a firewall offers little protection against this threat. E.g. an employee
may not be able to email sensitive data from the site, but they may be able to
copy it onto a floppy disc and post it 15.
2.3.4 Firewalls, Layers and Models
The operation of firewalls at the different layers of the two models is shown below:
Table 2.1: Firewalls Layers and Models 14.
ISO 7 Layer Model    Internet 5 Layer Model    Firewalls
Application (7)      Application (5)           Proxy Service
Transport (4)        TCP/UDP (4)               Packet Filtering Router /
Network (3)          IP/ICMP (3)               Packet Screening Router,
                                               Stateful Inspection
Link (2)             Link (2)                  None
Physical (1)         System Interface (1)
As table 2.1 shows, ISO uses a 7 layer model for Open Systems Interconnection, whereas the
Internet can be regarded as having a 5 layer model. Firewall systems are usually
placed at layers 3, 4 and 5 of the Internet model (3, 4 and 7 of the ISO model). Their
purpose is to control access to and from a protected network. A firewall can be placed
between any two networks, for example between a corporate business network and its
R&D network. In general, a firewall is placed between a high security domain and a
lower security domain. A firewall system operating at layers 3 and 4 is sometimes
called a packet filtering router or a screening router. Its purpose is to filter IP and
ICMP packets and TCP/UDP ports. The router will have several ports and be able to
route and filter the packets according to the filtering rules. Packet filters can also be
built in software and run on dual homed PCs, but whilst these can filter packets they
are not able to route them to different networks. A firewall at layer 5 Internet (7 ISO)
is sometimes called a bastion host, application gateway, proxy server or guardian
system. Its purpose is to filter the service provided by the application 14.
2.3.5 Types of Firewalls
Firewalls are classified into three basic types:
2.3.5.1 Stateless Packet Filtering
A firewall system operates on the principle of simple packet filtering, or stateless
packet filtering. It analyses the header of each data packet (datagram) exchanged