Design and Realization of the Packet Filter Firewall Based on Linux

Dr. Roger Gibbs, United States, Researcher
Published Date: 27-11-2017
Abstract

The Internet is a fun little playground and at the same time a hostile environment. Like any other society, it is plagued with the kind of people who enjoy the electronic equivalent of writing on other people's walls with spray paint, tearing off their mailboxes, or just sitting in the street blowing their car horns. Some people get real work done over the Internet, and some must protect sensitive or proprietary data. Usually, a firewall's purpose is to keep intruders out of the network while letting legitimate users get their work done.

Nowadays, information is one of the most important assets in almost all organizations. Once the internal network of such an organization is connected to the Internet, it becomes a potential target for cyber attacks. In order to secure its systems and information, each company or organization should conduct a self-hacking audit, analyze the threats and eliminate them before any problem arises. A firewall is a system or group of systems that enforces an access control policy between two or more networks. The means by which this control is accomplished varies widely, but in principle the firewall is a pair of mechanisms, one that blocks traffic and one that permits traffic. Some firewalls emphasize blocking traffic, while others emphasize permitting traffic. The most important thing to recognize about a firewall is that it implements an access control policy.

In this thesis work the major emphasis is on the design and development of firewall scripts to deny or allow network traffic. These scripts are written using the command line tool IPtables, which supports various features; its connection-tracking feature is particularly useful. It can be used to prevent most TCP hijackings of non-IP-masqueraded clients that suffer from poor TCP sequence number randomization. Similarly, it can be used to prevent UDP packet hijacking in the same way.
Chapter 1 Introduction

Computer networks by their very nature are designed to allow the flow of information. Network technology is such that, today, you can sit at a workstation in Delhi and have a process connected to a system in London, with files mounted from a system in California, and be able to work just as if all of the systems were in the same room. Impeding the free flow of data is contrary to the basic functionality of the network, but the free flow of information is contrary to the rules by which companies and governments need to conduct business. Information and sensitive data must be kept insulated from unauthorized access, yet security must have a minimal impact on the overall usage of the network.

The purpose of a firewall is to provide a point of defense and controlled, audited access to services, both from within and to an organization's private network. This requires a mechanism for selectively permitting or blocking traffic between the Internet and the network being protected. Routers can control traffic at the IP level, by selectively permitting or denying traffic based on source/destination address or port. Hosts can control traffic at the application level, forcing traffic to move out of the protocol layer for more detailed examination. To implement a firewall that relies on routing and screening, one must permit at least a degree of direct IP-level traffic between the Internet and the protected network.

1.1 Network Security

Network security is a branch of information security which deals with systems that operate primarily at the network level. This includes the management of network devices such as firewalls, VPNs, proxies, NAC solutions and IDS/IPS, as well as the management and protection of the network infrastructure.

1.2 Network Security Approaches

Security approaches are basically of the following two types.

1.2.1 Proactive

Proactive approaches are measures that are taken to prevent a computer or network from various types of attack.
Every modern organization realizes the value of dedicating some resources to the prevention of expensive damages that are likely to occur if such preventive measures are not taken. Banks use thick steel and concrete vaults with advanced electronic systems to prevent and detect break-ins. Some organizations have started using Intrusion Detection and Response Systems (IDRSes) to try to detect computer intrusions and then activate defensive measures when an attack is detected.

1.2.2 Reactive

Reactive approaches are those procedures that organizations use once they discover that some of their systems have been compromised by an intruder or attack program. Reactive methods include disaster recovery plans, use of private investigation services and loss recovery specialists, reinstallation of operating systems and applications on compromised systems, or switching to alternate systems in other locations [1].

1.3 Network Security Objectives

Security objectives fall into one or more of the following categories.

1.3.1 Access Controls

Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. A system needs to be able to identify and authenticate users for access to data, applications and hardware. In a large system there may be a complex structure determining which users and applications have access to which objects.

1.3.2 Confidentiality

Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. Confidentiality is the assurance that sensitive information remains private and is not visible to an eavesdropper. Confidentiality is critical to total data security.
Encrypting data using digital certificates and Secure Socket Layer (SSL) or a virtual private network (VPN) connection helps ensure confidentiality when transmitting data across untrusted networks. The security policy should specify how to provide confidentiality for information within the network as well as when information leaves the network.

1.3.3 Availability

Availability is the prevention of unauthorized withholding of information. Information should be accessible and usable upon appropriate demand by an authorized user. Denial of service attacks are a common form of attack on availability.

1.3.4 Integrity

Integrity is the prevention of unauthorized writing or modification of information. Integrity means that there is an external consistency in the system: everything is as it is expected to be. Data integrity means that the data stored on a computer is the same as the source documents; data is protected from unauthorized changes or tampering. Data integrity defends against the security risk of manipulation, in which someone intercepts and changes information that he or she is not authorized to change. When data entering the system comes from a public network, security methods are needed to perform the following tasks:

- Protect the data from being sniffed and interpreted, typically by encrypting it.
- Ensure that the transmission has not been altered (data integrity).
- Prove that the transmission occurred (non-repudiation).

1.3.5 Non-repudiation

Non-repudiation is the prevention of either the sender or the receiver denying a transmitted message. A system must be able to prove that certain messages were sent and received. The use of digital certificates and public key cryptography to sign transactions, messages and documents supports non-repudiation. Both the sender and the receiver agree that the exchange took place; the digital signature on the data provides the necessary proof.
1.3.6 Authentication

Authentication is the assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be. Solid authentication defends a system against the security risk of impersonation, in which a sender or receiver uses a false identity to access a system. When a system is linked to a public network like the Internet, user authentication takes on new dimensions. Consequently, the use of stronger authentication methods than traditional user name and password logon procedures should be considered seriously. Authenticated users might have different types of permissions based on their authorization levels.

1.3.7 Authorization

Authorization is the assurance that the person or computer at the other end of the session has permission to carry out the request. Authorization is the process of determining who or what can access system resources or perform certain activities on a system. Typically, authorization is performed in the context of authentication.

1.3.8 Auditing Security Activities

Auditing is basically the monitoring of security-relevant events to provide a log of both successful and unsuccessful (denied) access. Successful access records tell who is doing what on your systems. Unsuccessful (denied) access records tell either that someone is attempting to break security or that someone is having difficulty accessing the system [2].

1.4 Need for Network Security

Computer security technology is still in its infancy. Technologies such as firewalls, antivirus and IDS have migrated from research labs into production networks, and have become required mainstays both as essential defenses and as legally mandated compliance systems. Computer security systems are complex devices that need to meet a variety of conflicting goals: high performance, fault tolerance, easy administration, and rigorous security processing.
Some vendors have staked their claim on speed, others on cost, and still others on the defensive posture and security of their products. Unfortunately, it is extremely difficult for the customer to sort through marketing fluff and dubious benchmarks to determine which products actually work and which merely appear to work. Few customers are sufficiently sophisticated or willing to take the time to do their own testing, and most are forced to rely on published results from trade magazines, recommendations from consultants, or industry analysts. Sadly, few of the trade magazines or analysts have the sophistication or time to perform adequate testing either [3].

The network needs security against attackers and hackers. Network security includes two basic securities. The first is the security of data and information, i.e. protecting the information from unauthorized access and loss. The second is computer security, i.e. protecting data and thwarting hackers. Here network security means not only security in a single network but in any network or network of networks.

The need for network security thus breaks into two needs: the need for information security and the need for computer security. On the Internet or on any network of an organization, thousands of pieces of important information are exchanged daily. This information can be misused by attackers. Information security is needed for the following reasons:

- To protect secret information so that only the intended users on the net can see or access it.
- To protect the information from unwanted editing, accidental or intentional, by unauthorized users.
- To protect the information from loss and make sure it is delivered to its destination properly.
- To manage acknowledgement of messages received by any node, in order to protect against denial by the sender in specific situations. For example, a customer orders a few shares of XYZ from a broker and denies the order after two days as the rates go down.
- To restrict a user from sending a message to another user in the name of a third one. For example, a user X, for his own interest, makes a message containing some favorable instructions and sends it to user Y in such a manner that Y accepts the message as coming from Z, the manager of the organization.
- To protect the message from unwanted delay in the transmission lines/route, in order to deliver it to the required destination in time in case of urgency.
- To protect against data packets wandering in the network for an infinitely long time, increasing congestion on the line, in case the destination machine fails to capture them because of some internal fault.

Another part of network security is computer security. Computer security means protecting your computer system from unwanted damage caused via the network. One of the major reasons for such damage is viruses and spyware that can wipe all the information from your hard disk, or sometimes be destructive enough to cause hardware problems too. Certainly the network must be protected from such damaging software. The people who intentionally put such software on the network are called hackers. As the computers are part of the network, computer security against hackers is also a part of network security. The needs of computer security against hackers are as follows:

- It should be protected from replicating and capturing viruses from infected files.
- It needs proper protection from viruses and worms.
- There is a need for protection from Trojan horses, as they are dangerous enough for your computer [4].

IPtables is a packet filtering firewall used for blocking and allowing network traffic on the basis of source address, destination address, port numbers and protocols.
1.5 Packet Filtering using IPtables

Packet filtering allows you to explicitly restrict or allow packets by machine, port, or machine and port. For instance, you can restrict all packets destined for port 80 (WWW) on all machines on your LAN except machines X and Y. Packet filtering is most commonly used as a first line of defense against attacks from machines outside your LAN. Since most routing devices have built-in filtering capabilities, packet filtering has become a common and inexpensive method of security.

IPtables is used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Linux IPtables is currently the default firewall package that comes with RedHat, CentOS, Ubuntu and Fedora, after ipchains dominated them a long time ago. IPtables supports different types of filters. To name a few, IPtables can filter and apply firewall rules by user names, by group IDs and user profiles, by source and destination ports, by source and destination hosts, by URLs, by IP addresses, by packet ID flags, by protocols, and a lot more, including filtering by MAC address.

Figure 1.1: Packet filtering process [5].

In Figure 1.1 the firewall acts as an intermediary between the incoming and outgoing traffic. Packets are accepted or dropped on the basis of the rules applied in the INPUT, FORWARD and OUTPUT chains. The Linux kernel uses the IPtables facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built into the Linux kernel and has three built-in tables or rule lists, as follows:

- filter: the default table for handling network packets.
- nat: used to alter packets that create a new connection, and used for Network Address Translation (NAT).
- mangle: used for specific types of packet alteration.
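As an added example (not the thesis's own script), the following is a minimal firewall script of the kind the thesis describes, written for the iptables command line. It sets a default DROP policy on the INPUT and FORWARD chains of the filter table (the "deny unless expressly permitted" model), uses the connection-tracking match mentioned in the abstract so that only NEW connections to a short list of services are accepted from the Internet while replies to existing connections pass and INVALID packets are dropped early, and shows the ACCEPT, DROP, REJECT and LOG targets side by side in one chain. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24, the permitted ports and the log prefix are assumptions made for illustration. Without an argument the script only prints the commands it would run; `sh firewall.sh apply` executes them and needs root.

```shell
#!/bin/sh
# Added example, not the thesis's own script: a small stateful IPv4 filter
# in the "deny unless expressly permitted" style. Interface names, the LAN
# prefix, the exposed ports and the log prefix are assumptions.
# Without an argument the script only prints the iptables commands it
# would run (dry run); "sh firewall.sh apply" executes them (root needed).

MODE="${1:-dryrun}"
WAN_IF="${WAN_IF:-eth0}"                    # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                    # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed internal prefix
WAN_TCP_PORTS="${WAN_TCP_PORTS:-22 80 443}" # services reachable from the WAN

# run: execute the command in apply mode, otherwise print it.
run() {
    if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

firewall_rules() {
    # Start from an empty filter table (flush rules, delete user chains).
    run iptables -F
    run iptables -X

    # Default policies: a packet matching no rule in INPUT or FORWARD is
    # dropped; traffic the firewall itself originates is allowed out.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback is always accepted.
    run iptables -A INPUT -i lo -j ACCEPT

    # Connection tracking: packets belonging to a connection the kernel
    # already knows are accepted before any other check, and INVALID
    # packets (for example TCP segments that fit no tracked connection,
    # the kind a hijack attempt produces) are dropped early.
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Only NEW connections to the listed TCP services are accepted from the
    # Internet; the first matching rule decides and later rules are skipped.
    for port in $WAN_TCP_PORTS; do
        run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # The LAN may open new connections out to the Internet through the
    # firewall; the Internet may not initiate connections into the LAN.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else from the WAN is logged (rate limited, so a flood
    # cannot fill the log) and then dropped silently; unwanted packets
    # from the LAN get an ICMP error back (REJECT) so internal users see
    # a fast failure instead of a timeout.
    run iptables -A INPUT -i "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-DROP-IN: "
    run iptables -A INPUT -i "$WAN_IF" -j DROP
    run iptables -A INPUT -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
}

firewall_rules
```

Review the dry-run output before applying it on a remote machine: with a default DROP policy on INPUT, forgetting the ESTABLISHED,RELATED rule or the port of the session you are logged in through locks you out, which is the "small mistake" kind of failure the literature survey warns about.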
Each table has a group of built-in chains, which correspond to the actions performed on the packet by IPtables. Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.

Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator. Every chain has a default policy of ACCEPT, DROP, REJECT or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy [6].

Chapter 2 Literature Survey

2.1 Security Threats

Without security measures and controls in place, data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself. Networks and data are vulnerable to any of the following types of attack if no security plan is in place.

Figure 2.1: Major threats in today's network [7].
2.1.1 Denial of Service (DoS) Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

2.1.2 Website Defacement

Website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. Website defacement is increasing so tremendously that experts no longer keep records of defaced sites. The attacker probes web services through a normal Internet connection and modifies the HTML or Java code, which changes the website. Website defacement is the unauthorized substitution of a web page or a part of it by a system cracker. This is a very common form of attack that seriously damages the trust and the reputation of a website. Detecting web page defacements is one of the main services of a security monitoring system.

2.1.3 Viruses and Worms

Viruses and worms are computer programs that make computer systems not work properly. There is a subtle difference between a virus and a worm: both can replicate themselves, but they differ when traveling on the network. A virus can't travel on its own over the network, whereas a worm can travel on its own without anything else; it doesn't need any infected file to attach to. Viruses and worms are a really annoying problem for all systems. The ultimate aim of these viruses and worms is to make a good working system malfunction, and sometimes worms can sniff and steal private information and send it to their creator. In earlier days, viruses spread through floppy diskettes. Nowadays they spread through the Internet, which is a broad gateway for these malicious programs. They can spread quickly and affect all systems in an organization within a minute, creating millions of dollars of loss for the organization in a minute.

2.1.4 Data Sniffing and Spoofing

Data sniffing and spoofing attacks are those in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

- Sniffing: This means seeing all packets passed through wires, or sometimes through the air for wireless networks. Initially, this technique was used for fixing network problems. Because it can watch network packets, it is now also used by hackers for scanning login IDs and passwords over the wire. TCPdump and Wireshark are good examples of sniffing tools. The best way to avoid a sniffing attack is encryption. If sensitive information is encrypted before being sent over the wire, hackers can't really understand what it is; they need the key to decrypt the information. This way, information sent over the network can always be kept safe with encryption. Typical services that are sniffed are TELNET, FTP and SMTP (e-mail) packets, if unencrypted.
- Spoofing: The exact meaning of spoofing is deceiving others. It is actually fooling other computer users into thinking that the source of their information is a legitimate user. There are several methods of spoofing.
Some of them are as follows:

- IP Spoofing: This changes the source address of an IP packet to show that it is from a legitimate source, while really it might be coming from a hacker. Thus the hacker attacks the system and at the same time hides his IP address from the eyes of firewalls. The typical targets for IP spoofing are UNIX systems and RPC services.
- DNS Spoofing: This directs users to an incorrect location, in other words, directing the users to a different website and collecting personal information through web forms illegally. DNS spoofing is actually a very dangerous threat, because DNS is what manages domain names and resolves them to the equivalent IP addresses. Suppose the domain name is … and DNS computes an IP address that belongs to a hacker's site; the users will be directed to the hacker's website. If the hacker maintains his website to look like Dell's, then the users may think that the hacker's website is the real Dell website and may provide all their bank or credit card information when trying to purchase something. Now the hacker can get that information easily without any difficulty.
- ARP Spoofing: ARP actually maintains a table of the MAC addresses of all computers connected in a network. Any information that comes to ARP is delivered to the respective computer based on the mappings available in ARP's tables. Suppose ARP cannot find the MAC address for a message: it broadcasts a message to all systems to get a reply from the exact destination machine with its MAC address, and when it gets the destination machine's MAC address it updates its MAC table. This is the stage where ARP spoofing can happen. ARP spoofing actually happens when a hacker (the hacker's machine) sends a reply to ARP's broadcast message saying that the hacker's machine is the legitimate one. Then ARP gets the hacker's MAC address and adds it to its table. As a result, the hacker gains a seemingly legitimate connection to the network illegally. Once the hacker is connected to the network, he can do all sorts of things.

2.1.5 Unauthorized Access

Unauthorized access can be accomplished over any connection to a computer or network using most services (TELNET, FTP, HTTP, Web, e-mail, etc.). The hacker must somehow compromise authentication (password, token, PIN, smart card) to gain access. Once access is gained, malicious activity can occur; unless internal auditing and access control are implemented, the access can go undetected for years.

2.1.6 Man-in-the-Middle Attack

A man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, they might not be able to determine with whom they are exchanging data. Man-in-the-middle attacks are like someone assuming your identity in order to read your messages. The person on the other end might believe it is you, because the attacker might be actively replying to keep the exchange going and gain more information.

2.1.7 Trojan Horse

Hackers can use these programs to gain control of their target machines and watch all the activities. This is more dangerous than a virus or DoS for e-commerce businesses. The threatening issues with Trojan horses are as follows:

- It allows for data integrity attacks.
- It allows gaining control over the target machine and stealing private information available on the target system. This way it affects the privacy policy.
- It can store keystrokes and make them viewable to hackers. As a result, hackers can easily get the victim's login IDs and passwords. This way it affects confidentiality.
- Hackers can see screenshots of targeted machines using Trojan horses. Sometimes, if websites are not secured properly, some third-party companies can collect consumer information and pass it to other businesses. It is a serious threat to customer privacy.
- It can be installed very easily on the target machines simply by sending it as an e-mail attachment.

2.1.8 Port-scanning and Probing

Port-scanning and probing are techniques that identify vulnerable network ports:

- Port-scanning: A port scan is used to probe a network host for open ports. This is often used by administrators to verify the security policies of their networks, and by attackers to identify running services on a host with a view to compromising it. To port scan a host is to scan for listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. Port scanning is a technique that identifies vulnerable network ports or services (i.e. TELNET, FTP, e-mail, Web, etc.); it works by identifying as many targets as possible and tracking the ones that are receptive.
- Probing: Once vulnerable ports are identified, the port can be probed with malicious intent [8, 9].

2.2 Security Measures

Network security starts with authenticating any user. Once authenticated, a firewall enforces access policies such as what services are allowed to be accessed by the network users. Though effective in preventing unauthorized access, this component fails to check potentially harmful content such as computer worms being transmitted over the network. An Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) help detect and prevent such malware.

2.2.1 Firewall

A firewall is a hardware or software solution to enforce security policies. In a physical security analogy, a firewall is equivalent to a door lock on a perimeter door or on a door to a room inside a building: it permits only authorized users, such as those with a key or access card, to enter. A firewall has a built-in filter that can disallow unauthorized or potentially dangerous material from entering the system. It also logs attempted intrusions.
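Section 2.1.8 describes port scanning and section 2.2.1 notes that a firewall logs attempted intrusions. As an added example that is not part of the thesis, the script below applies the detection heuristic the literature survey attributes to a network IDS (many TCP connection requests from one source to many different ports) to the kind of kernel-log lines an iptables `-j LOG --log-prefix` rule writes for dropped packets. The log lines are constructed samples using the documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24); the prefix FW-DROP-IN, the threshold of five distinct ports and the function name scan_suspects are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thesis: flag sources whose dropped TCP SYN
# packets, as recorded by an iptables LOG rule, touched many distinct
# destination ports. Threshold and sample data are assumptions/constructed.

# sample_log: constructed kernel-log lines in the format the iptables LOG
# target produces; the addresses come from the documentation ranges.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:03 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40412 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40412 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40412 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40412 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40412 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=40412 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=40412 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=900 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:06 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=901 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:07 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=32 TOS=0x00 PREC=0x00 TTL=52 ID=8 PROTO=UDP SPT=5353 DPT=53 LEN=12
EOF
}

# scan_suspects THRESHOLD: read LOG lines on stdin and print
# "SRC distinct-port-count" for every source whose TCP SYN packets hit at
# least THRESHOLD distinct destination ports. Retries to the same port are
# counted once; non-SYN and non-TCP lines are ignored.
scan_suspects() {
    awk -v thr="${1:-5}" '
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !((src SUBSEP dpt) in seen)) {
                seen[src SUBSEP dpt] = 1
                ports[src]++
            }
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }'
}

# Stand-alone run over the constructed sample; on a real host pipe in
# "journalctl -k" or /var/log/kern.log instead.
sample_log | scan_suspects 5
```

Two caveats when using this on real logs: a LOG rule is normally rate limited with `-m limit`, so the counts are lower bounds and a fast scan can hide behind the limit; and a single source address may be a NAT gateway in front of many users, so a hit is a lead for investigation rather than proof of a scan. Adding a time window (for example, only counting lines from the last few minutes) keeps slow legitimate traffic from accumulating into a false positive.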
2.2.2 Intrusion Detection and Prevention Systems (IDPS)

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPS have become a necessary addition to the security infrastructure of nearly every organization. IDPS typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPS can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content [10].

There are two main types of IDS: network-based and host-based.

- Host based: A HIDS resides on a particular computer and provides protection for that specific computer system. Host intrusion detection systems are installed locally on host machines, making them a very versatile system compared to NIDS. HIDS can be installed on many different types of machines, namely servers, workstations and notebook computers. The model shown in Figure 2.2 allows for remote monitoring, remote storage of event logs and the ability to push agents to new or existing hosts [11].

Figure 2.2: Host based Intrusion Detection System [12].
- Network based: A network-based IDS captures network traffic packets (TCP, UDP) and analyzes the content against a set of rules or signatures to determine if a possible event took place. A NIDS monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine, watching its own traffic, or on an independent machine promiscuously watching all network traffic (hub, router). Because a NIDS is network based, it does not only deal with packets going to a specific host: all the machines in a network segment benefit from the protection of the NIDS. Network-based IDS can also be installed on active network elements, for example on routers. Typical network-based IDS are Cisco Secure IDS, Hogwash, Dragon and E-Trust IDS [13].

Figure 2.3: Network based Intrusion Detection System [12].

2.2.3 Virus Protection

Antivirus (or anti-virus) software is used to prevent, detect and remove malware, including computer viruses, worms and Trojan horses. Such programs may also prevent and remove adware, spyware and other forms of malware. A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. Some antivirus software can also predict what a file will do if opened/run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.

2.2.4 Encryption

Encryption is the process of converting plaintext into some code called ciphertext.
Decryption is the reverse, in other words, moving from the ciphertext back to plaintext. A cipher is a pair of algorithms which perform the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter ideally known only to the communicants. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Encryption protects data in transit or stored on disk. Through the act of enciphering and deciphering data with shared software keys, data cannot be accessed without the appropriate keys.

2.2.5 Data and Information Backups

Data and information backups are a must for disaster recovery and business continuity. They should include daily and periodic (weekly) backups, be stored off-site at least 20 miles away from the geographic location, have 24x7 access, and be kept for at least 30 days in a rotating stockpile. They mitigate the following attacks:

- Used to respond to and replace information that is compromised by all the mentioned attacks [8, 9].

A key element in the protection of a computer connected to the Internet is the firewall. A firewall is like the door of our house; it sets a border between our private space and public space and allows us to decide who may enter and who may not. If our house had no door, any person could enter and search it. The same is true of our computer (the house) and firewall (the door). Without a firewall, anyone can enter the computer and see the files stored there, which may contain sensitive information and/or items such as access codes and user names.

2.3 Firewall

A firewall is a logical object (hardware and/or software) within a network infrastructure which prevents communications forbidden by the security policy of an organization from taking place, analogous to the function of firewalls in building construction.
Often a firewall is also referred to as a packet filter. The basic task of a firewall is to control traffic between different zones of trust and/or administrative authorities. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the least privilege principle. Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall configuration worthless as a security tool and, in extreme situations, leave only a false sense of security where no security at all remains [14, 16].

Figure 2.4: Firewall System [14].

Figure 2.4 shows a firewall that protects the internal network from the external network by accepting or denying traffic according to the rules specified in its rule list. A firewall is a system that protects a computer or a computer network against intrusions coming from a third-party network (generally the Internet). A firewall is a system that filters data packets that are exchanged over the network. Therefore, it is a filtering gateway that comprises at least the following network interfaces:

- An interface for the network being protected (internal network)
- An interface for the external network

2.3.1 Components of a Firewall

There are a number of components that make up a firewall:

- The Internet access security policy of the organization. This states, at a high level, what degree of security the organization expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used. An example of statements from such a security policy might be: external users will not be allowed to access the corporate network without a strong level of authentication; any corporate information not in the public domain must be transferred across the Internet in a confidential manner; and corporate users will only be allowed to send electronic mail to the Internet, all other services being banned.
- The mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet. This information will be updated as new technology is announced, as system configurations change, etc. For example, regarding authentication, the technical design might specify the use of one-time passwords. Technical designs are usually based on one of two security policies, either:
  - Permit any service unless it is expressly denied, or
  - Deny any service unless it is expressly permitted.
  The latter is clearly the more secure of the two.
- The firewall system, which is the hardware and software which implements the firewall. Typical firewall systems comprise an IP packet filtering router, and a host computer (sometimes called a bastion host or application gateway) running application filtering and authentication software [14].

2.3.2 Advantages of Firewalls

Firewalls have a number of advantages:

- They can stop incoming requests to inherently insecure services, e.g. you can disallow rlogin, or RPC services such as NFS.
- They can control access to other services, e.g. bar callers from certain IP addresses; filter the service operations (both incoming and outgoing), e.g. stop FTP writes; hide information, e.g. by only allowing access to certain directories or systems.
- They are more cost effective than securing each host on the corporate network, since there are often only one or a few firewall systems to concentrate on.

2.3.3 Disadvantages of Firewalls

Firewalls are not the be all and end all of network security.
They do have some disadvantages, such as:

- They are a central point for attack, and if an intruder breaks through the firewall they may have unlimited access to the corporate network.
- They may restrict legitimate users from accessing valuable services; for example, corporate users may not be let out onto the Web, or when working away from home a corporate user may not have full access to the organization's network.
- They can be a bottleneck to throughput, since all connections must go via the firewall system.
- The biggest disadvantage of a firewall is that it gives no protection against the inside attacker. Since most corporate computer crime is perpetrated by internal users, a firewall offers little protection against this threat. For example, an employee may not be able to e-mail sensitive data from the site, but they may be able to copy it onto a floppy disc and post it [15].

2.3.4 Firewalls, Layers and Models

The working of firewalls in the different layers and models is shown below:

Table 2.1: Firewalls, Layers and Models [14].

ISO 7 Layer Model    Internet 5 Layer Model    Firewalls
Application (7)      Application (5)           Proxy Service
Transport (4)        TCP/UDP (4)               Packet Filtering Router / Packet Screening Router,
Network (3)          IP/ICMP (3)               Stateful Inspection
Link (2)             Link (2)                  None
Physical (1)         System Interface (1)      None

(The Firewalls entry is shared by layers 3 and 4, and likewise by layers 1 and 2.)

In table 2.1, ISO uses a 7 layer model for Open Systems Interconnection, whereas the Internet can be regarded as having a 5 layer model. Firewall systems are usually placed at layers 3, 4 and 5 of the Internet model (3, 4 and 7 of the ISO model). Their purpose is to control access to and from a protected network. A firewall can be placed between any two networks, for example between a corporate business network and its R&D network. In general, a firewall is placed between a high security domain and a lower security domain. A firewall system operating at layers 3 and 4 is sometimes called a packet filtering router or a screening router. Its purpose is to filter IP and ICMP packets and TCP/UDP ports. The router will have several ports and be able to route and filter the packets according to the filtering rules. Packet filters can also be built in software and run on dual homed PCs, but whilst these can filter packets they are not able to route them to different networks. A firewall at layer 5 of the Internet model (layer 7 of the ISO model) is sometimes called a bastion host, application gateway, proxy server or guardian system. Its purpose is to filter the service provided by the application [14].

2.3.5 Types of Firewalls

Firewalls are classified into three basic types:

Stateless Packet Filtering

A firewall system of this type operates on the principle of simple packet filtering, or stateless packet filtering. It analyses the header of each data packet (datagram) exchanged
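As an added example, not code from the thesis or from any iptables script it describes, the following Python program implements the stateless packet filter introduced above: an ordered rule list applied only to the IP, ICMP and TCP/UDP header fields that a layer 3 and 4 packet filtering router sees, under each of the two default policies of section 2.3.1. The internal zone 192.168.1.0/24, the web server 192.168.1.10, the external address 203.0.113.5 and the sample packets are constructed assumptions; rlogin (port 513) and NFS (port 2049) are the insecure services named in section 2.3.2, and telnet (port 23) is added here to show what a permit-unless-denied policy lets through.

```python
"""Stateless packet filter (added example, not the thesis's own code).

Each Packet carries only header fields; no connection state is kept, so every
datagram is judged on its own against an ordered rule list and a default policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    """The layer 3/4 header fields a stateless filter can inspect."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports (ICMP)
    sport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filtering rule; "any", 0.0.0.0/0 and None mean 'do not care'."""
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """Ordered rule list: the first matching rule decides, else the default policy."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


INTERNAL = "192.168.1.0/24"   # assumed internal (high-trust) zone
WEB_SERVER = "192.168.1.10"   # assumed host that outsiders may reach on 80/443


def build_default_deny() -> PacketFilter:
    """Deny any service unless it is expressly permitted (the more secure policy)."""
    return PacketFilter([
        Rule(ACCEPT, "tcp", dst=WEB_SERVER, dport=80),
        Rule(ACCEPT, "tcp", dst=WEB_SERVER, dport=443),
        Rule(ACCEPT, "icmp", dst=INTERNAL),
    ], default=DROP)


def build_default_permit() -> PacketFilter:
    """Permit any service unless it is expressly denied (only rlogin and NFS here)."""
    return PacketFilter([
        Rule(DROP, "tcp", dst=INTERNAL, dport=513),   # rlogin
        Rule(DROP, "tcp", dst=INTERNAL, dport=2049),  # NFS over TCP
        Rule(DROP, "udp", dst=INTERNAL, dport=2049),  # NFS over UDP
    ], default=ACCEPT)


# Constructed sample traffic arriving from the external (no-trust) zone.
SAMPLE_PACKETS = {
    "http_to_web":          Packet("203.0.113.5", WEB_SERVER, "tcp", dport=80, sport=40001),
    "rlogin_to_web":        Packet("203.0.113.5", WEB_SERVER, "tcp", dport=513, sport=40002),
    "nfs_to_fileserver":    Packet("203.0.113.5", "192.168.1.20", "udp", dport=2049, sport=40003),
    "telnet_to_fileserver": Packet("203.0.113.5", "192.168.1.20", "tcp", dport=23, sport=40004),
    "ping_to_web":          Packet("203.0.113.5", WEB_SERVER, "icmp"),
}


def run_sample(fw: PacketFilter) -> Dict[str, str]:
    """Verdict for every sample packet under the given filter."""
    return {name: fw.decide(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, fw in (("deny-unless-permitted", build_default_deny()),
                      ("permit-unless-denied", build_default_permit())):
        print(label)
        for name, verdict in run_sample(fw).items():
            print(f"  {name:22s} {verdict}")
```

Running the program prints both verdict tables. Under deny-unless-permitted only the HTTP request and the ping reach the internal zone; under permit-unless-denied the rlogin and NFS packets are still dropped, but the telnet packet is accepted simply because nobody wrote a rule for it, which is exactly why the thesis calls the deny-by-default policy the more secure of the two. Because the filter keeps no connection state, it also cannot tell an inbound reply from a new inbound connection attempt; supplying that distinction is what the Stateful Inspection entry of Table 2.1 adds on top of stateless filtering.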
