Firewalls in Virtual Private Network-A New Approach


ABSTRACT

The Internet is one of the most frequently used and essential tools in business. To
provide secured data transactions, business concerns traditionally owned a private
dedicated network. But a global company cannot establish and maintain a costly leased
network over large geographical areas. Hence there comes a need to connect the private
intranet with the Internet while providing enough privacy and security. This can be
enabled by means of Virtual Private Networks (VPN). Firewalls, encryption and
antivirus are the three different methods commonly used in Internet security. Among
them, firewalls follow a mechanism called “packet filtering” for securing a VPN. But
there are many pot holes which pave the way for unsafe network traffic, so firewalls
face a variety of problems in VPNs today. This paper contains a diagrammatic
analysis of a typical case; it provides a new approach, an algorithm and a solution
including a simulation program. A typical problem case is considered and examined,
and an innovative solution offering reliable security is provided.

CONTENTS

(Basics: 1 to 4; Firewall approach: 5 to 10)

1) Introduction
a) Internet security
b) Firewalls
2) Concepts of networking protocols and internet
3) How does firewall control hostile attackers
4) Virtual Private Networks
5) Problem Definition - Problems in firewalls
a) Consideration of the case
6) Solution Provided
a) Database model
7) Firewall Design
a) Flag attacher
b) Blocker
c) Encryptor
8) Conclusion
9) Bibliography
10) Appendix - Blocker simulation program

(Some of the basics regarding networks and firewalls are given in chapters 1-4.
The remaining chapters 5-10 contain the core of the paper.)

INTRODUCTION:

INTERNET SECURITY:

It is commonly said that as quantity increases, quality decreases. This is
true of the Internet. Since the Internet is a network of networks, a lot of problems
are faced nowadays. In day-to-day life we come across some people who stick bills or
write unwanted words on our house walls, or even damage our mail box. The same
can be seen on the Internet: some hostile attackers may intentionally or
unintentionally retrieve or damage our private data. In earlier days Internet
security was not considered a main factor. Nowadays, hackers have to be taken into
account when framing cyber crime laws.

FIREWALLS:

Firewalls, cryptography and antivirus (distinct from each other) are the three major
methods assigned to Internet security. A firewall denotes a system or group of
systems (hardware, software, or both) that protects our network/server from attack
by hostile users over the Internet. In other words, they are the devices that allow
users at a protected site to use Internet services in a relatively safe manner while
restricting incoming access by potential attackers.

There are two approaches to controlling a site’s Internet access:

• Permissive access: this permits everything except risky traffic.
• Restrictive access: this restricts everything except limited allowed traffic.

CONCEPTS OF NETWORK PROTOCOLS & PACKETS:

Generally a node (or system) in a network is called a host system. There may be servers
and routers in the same network. When a message is passed from a source host to a
destination host, it follows certain rules devised for communication to take place in
the network, called protocols. TCP/IP, FTP, IPX/SPX and SNA are some examples. Based
on these protocols, messages are converted into packets.

Fig.: Representation of a firewall protecting a network (www.abc.com, end users 1, 2, 3)
from a hacker while providing outbound access to the Internet.

These packets contain the address of the destination; they travel through the network,
locate the address and reach the destination. Whatever the data may be, everything is
converted into packets before traversing a network. Any packet on the Internet
contains protocol headers along with the data being sent. The common format of a
packet is as follows.

| Data link header | Internet header | Transport header | Application header | Data being sent |

Fig.: Format of a packet in the Internet protocol

The protocols use port numbers in the headers to indicate the behavior or
property of the packet. For example, TCP/IP uses a specific port number in the
Transport header to indicate which software or service (e.g. e-mail) is to handle the
packet when it is received, and puts the server host’s address in the Internet header.

How does a firewall control hostile attackers?

As far as firewalls are concerned, the familiar method used is packet filtering.

Packet filtering is based on a set of rules that identify the properties of individual
packets that are to be blocked or passed through. All access control decisions are based
on information available after analyzing the packets. By this method, if an
unauthenticated user (hacker) wishes to enter our protected area, the firewall detects
the packets lacking authentication and blocks them at the gateway itself. This
authentication information is given in a specific header of the packets, which varies
with the application. Sometimes, traffic from only a set of websites is allowed. In this
case, the firewall allows only those packets with the appropriate port number in the
header corresponding to those websites. Packet filtering follows the permissive access
type (explained at the beginning of the paper).

There is another mechanism called circuit filtering used in a few firewalls. In this
method, the firewall passes a connection from a client on one side of the firewall to a
server on the other. For example, if the firewall is set to allow Telnet connections,
then the circuit filter will accept connection requests to port 23, the Telnet port.
Circuit filtering follows restrictive access.

VIRTUAL PRIVATE NETWORK:

A company establishes a fast, secure and reliable intranet to maintain
transactions of information between its branches. An intranet can be used in the case
of local or regional markets. If the company establishes global markets, the cost of
laying leased private networks will be much higher. Hence, to avoid that, the Virtual
Private Network (VPN) is introduced. A VPN is a network that connects a public
network, namely the Internet, to a private intranet. In other words, many intranets are
connected via the Internet with privacy and security. Here, firewalls play an important
role in VPNs to provide security. It is high time to protect our intranet from the attack
of hackers in order to pursue a growing business.

PROBLEM DEFINITION:
- Problems in Firewalls:

It is known that packet filtering is commonly used in firewalls; there are some
problems with this method. Packets contain some information along with the data.
Usually firewalls analyze the behavior of these packets using the information provided
in the headers and act accordingly, i.e. either permit or block them. Password
authentication is commonly used to provide secured communication over the
Internet/VPN. But hackers use some of the ‘pot holes’ in the way packet filtering
supports password authentication.

A global company with numerous branches is assumed to have established a
VPN. It gives the employees at any of its branches access to the headquarters’ database
(server) by means of password authentication. A password-authenticated packet is coded
in such a way that, if the password information matches, the firewall allows a fixed
number of packets following the password packet. This method is followed to reduce the
size of the packets, instead of carrying the password in all the packets sent by the
particular user.

The hacker replaces some of the packets of an authenticated user with packets
containing unwanted information; the firewall checks only the first packet and, if the
password matches, allows all the following packets, including the unauthenticated
packets or traffic.

Until now, many firewall builders have concentrated on analyzing the behavior of
incoming packets, and hackers too keep finding ways to make packets that break the
restricted rules.

Consideration of the case:

There are two kinds of effect produced by a hacker’s arrival into our VPN.
Case-1: The hacker makes changes in our database, i.e. crashes our data.
Case-2: The hacker profits more by stealing our data instead of crashing it.
In this paper, case-2 is considered.

SOLUTION PROVIDED:
In this paper a new approach to the solution is presented for the case of problem
dealt with by us. Before going to the solution, analyzing and understanding the
problem is required.

One practical example of the case-2 problem is hacking the account
keeper’s password in a bank’s database; in this case, instead of crashing the password,
the hacker benefits more by knowing it. The same kind of problem is faced in the police
database of criminals.
DATABASE MODEL:

Fig.: A VPN of a company with a headquarters (database), various local branches
(intranets), mobile workers and a firewall, connected via the Internet.

Fig.: Headquarters database (embedded LANs). Shaded area: high priority data;
white area: low priority data.

The inner shaded circle of the network contains the highly confidential database that
can be handled only by higher officials who are given administrator rights, whereas the
outside of the circle contains low priority data that can be handled by other branches
via the Internet.

The high priority database is embedded within the low priority database because
there may be conditions under which some data or information based on the high
priority database should be passed to the white area network; i.e. the higher officials
sometimes adopt new policies in the inner circle and, according to those, certain data
in the white area network vary, which must be communicated to the branches/intranets
or mobile workers.

Any employee (mobile user) or branch can enter the headquarters’ network via the
Internet only by some authentication means. But, at the same time, that authenticated
user is not eligible to enter the shaded area. Suppose a hacker, or even a spy within
the company, enters the headquarters’ outer white area through the ‘pot holes’ in the
packet filtering of the firewalls. In our case, he is considered capable of entering the
inner database to steal data. Under these circumstances the firewalls cannot prevent
this stealing; at most, some firewalls can report that data has been taken by some
unauthenticated user. Anyhow, our data is taken and he can make use of it before we
know that it has been copied.

Fig.: High priority data being copied away from the secured network of the database.

Mostly the firewall builders spend their time on finding new secured methods of
analyzing the behavior of the various hacker-designed packets in our case of problem.
Here, we give a different approach to solving the problem. According to the case of
problem, the data should not become known to the hacker, which prevents him from
making use of it. So, even if he tries to enter our safe area, we can keep our data
unknown to him. That is, the data could become known to him only if the copied
packets get past our firewall.

So, why can’t the firewall be designed to prevent the high priority data from getting
out, instead of focusing on finding the packets sent by the hacker?

FIREWALL DESIGN:
All the high priority data kept inside the shaded area should be given a flag along
with the data. After conversion into packets, these data contain headers and data along
with the flag (see fig. below). The firewall is designed in such a way that it won’t
allow the packets with the flag, as it is much easier to find the flag-attached packets
than the hacker’s packets. So, even if the hacker enters the safe network, he cannot get
to know the data in that network. Hence, the problem of hacking our data (case-2) is
solved by our algorithm in the design of the firewall.

| Data link header | Internet header | Transport header | Application header | Data being sent |

Fig.: Ordinary packet

| Data link header | Internet header | Transport header | Application header | Data being sent | F |

Fig.: Flag attached packet


The flag attacher attaches the flag to the high priority data; the blocker identifies
those data and blocks the packets. This kind of design offers reliable security when
compared with the former. We have also given an additional provision called the
encrypting system.

Fig.: Flag attached packets getting blocked by the firewall (the blocker and the
encryptor sit inside the firewall, before the link to the Internet).

In future, even if the hacker were capable enough to get the flag attached
packets across the blocker in the firewall, there is another system called the encryptor,
which encrypts those packets of messages and gives wrong information to the hacker,
thus providing protection logically. Hence we could obtain a 99.99% secured network.

Flag Attacher:
When the file packets from the inner circle are transferred to the outer white area,
i.e. when they get copied to the outer area, a flag indicating their high priority is
attached. This flag attacher may be either software or hardware; but here the flag
attaching job is implemented only by means of a program and not by hardware, because
the database model is an embedded one (one within the other) and hence we cannot
separate them and have a hardware flag attacher.
Suppose an ordinary packet is 50 bytes, out of which 10 bytes are for headers
and the remaining 40 bytes for user data. Usually, not all 40 bytes of the user data
area will be used; it contains at least 2 unused null bytes. Our flag is going to
capture one of the unused null bytes. Then the flag byte is moved to the beginning of
the data area.
Ordinary packet:

| Headers | Data | Data | NULL | Data | NULL | Data |

Flag attached packet:

| Headers | FLAG | Data | Data | Data | NULL | Data |
|---10B---|-----------------40B-----------------|

The program neither affects the actual data in the packet nor performs any encryption.
Since it is a simple program, the cost and performance of the database will not change
drastically.
Blocker:
After the flag attached packets get mingled with the other packets in the outer area,
it is the job of the blocker to block the high priority packets that are copied by the
hacker. The blocker is a program located within the already existing firewall. The
blocker scans all the data going out of the firewall, identifies the flag attached data
packets alone and finally blocks them from being hacked out.
The simulation of the blocker in the firewall is shown in the appendix with a C
program, considering that transferring data is just copying data from one file to
another.
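Added example (not code from the paper): a C rendering of the flag attacher and blocker described in the two sections above, working on the 50-byte packet layout the paper assumes (10 header bytes, 40 data bytes, the tilde '~' as flag byte as in the appendix). The header bytes and the payloads are constructed placeholders; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define PKT_SIZE  50                     /* packet size assumed in the paper */
#define HDR_SIZE  10                     /* 10 header bytes, then 40 data bytes */
#define DATA_SIZE (PKT_SIZE - HDR_SIZE)
#define FLAG_BYTE '~'                    /* the tilde flag used in the appendix */

/* Build a constructed packet: placeholder header bytes (no real protocol
 * headers), the payload, and NULL bytes filling the rest of the data area. */
void make_packet(unsigned char pkt[PKT_SIZE], const char *payload)
{
    size_t n = strlen(payload);
    if (n > DATA_SIZE)
        n = DATA_SIZE;
    memset(pkt, 'H', HDR_SIZE);
    memset(pkt + HDR_SIZE, 0, DATA_SIZE);
    memcpy(pkt + HDR_SIZE, payload, n);
}

/* Flag attacher: capture the first unused NULL byte of the data area, shift
 * the data before it one byte to the right and put the flag at the start of
 * the data area. Returns 1 on success, 0 if no NULL byte is free (a case the
 * paper does not discuss: such a packet would leave unflagged). */
int attach_flag(unsigned char pkt[PKT_SIZE])
{
    unsigned char *data = pkt + HDR_SIZE;
    unsigned char *nul = memchr(data, 0, DATA_SIZE);   /* first unused byte */
    if (nul == NULL)
        return 0;
    memmove(data + 1, data, (size_t)(nul - data));     /* overwrites that NULL */
    data[0] = FLAG_BYTE;
    return 1;
}

/* Blocker: the only check applied to outbound packets. Returns 1 if the packet
 * may leave, 0 if it is dropped. Any packet whose data happens to begin with
 * '~' is dropped as well; the design has no separate type field. */
int blocker_pass(const unsigned char pkt[PKT_SIZE])
{
    return pkt[HDR_SIZE] != FLAG_BYTE;
}

/* Push n constructed payloads through the attacher (high priority ones only)
 * and then the blocker; returns how many packets the blocker let out. */
int count_passed(const char *const payloads[], const int high_priority[], int n)
{
    unsigned char pkt[PKT_SIZE];
    int passed = 0;
    for (int i = 0; i < n; i++) {
        make_packet(pkt, payloads[i]);
        if (high_priority[i])
            attach_flag(pkt);
        passed += blocker_pass(pkt);
    }
    return passed;
}
```

The blocker trusts whatever byte the attacher wrote: a high priority packet with no free NULL byte leaves unflagged, and a low priority packet that begins with '~' is dropped, which are limitations of the design as the paper describes it rather than of this example.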

Encryptor:
Encryption is commonly done while sending data over networks. Usually one of the
cryptographic algorithms, chosen depending on the data, is used for encrypting them.
A ‘crypto key’ is also generated, which is known to both sender and receiver. Unless
the key is known, the actual data cannot be retrieved.
Here, our encryptor is kept after the blocker (refer to the fig. in the firewall
design section). It changes the data of the packets coming out of the blocker. There is
no need to develop a common crypto key, as we are not going to use the data at all.
This encryptor is added to the firewall for additional security, as the blocker does
the major part. Only if the blocker fails does this get activated, acting loyally for us.

The most important thing to note is that the firewall keeps doing its actual
routine and doesn’t get diverted by the addition of the two components, blocker and
encryptor. These two components work only if highly secured data is being
transferred out. Hence the firewall’s performance is not affected.

CONCLUSION:
Thus, analyzing any problem from the same viewpoint may not bring a solution to it
but rather wastes our time. If we approach it from a slightly different viewpoint we
can solve it. That is what we have done in our analysis of the firewall problem. Even
if it may not bring a solution to all the problems faced by firewalls, it can solve at
least the problem dealt with in virtual private networks.

APPENDIX:

BLOCKER SIMULATION:

Two text files are taken into consideration.

1. Source.txt
2. Dest.txt

The source file contains both high priority and low priority data. The destination
file is an empty file. The input to the blocker is the output of the flag attacher. The
flag attacher attaches a flag ‘~’ (tilde symbol) at the beginning of a data string to
indicate that it should be blocked.

The program has 3 phases.

Phase-1: Getting values from the source file
Phase-2: Filtering
Phase-3: Copying the file

In phase-1 all the data strings from the source file are copied to an array. In phase-2
the flag attached strings are filtered out, and in phase-3 the remaining low priority
data are copied to the destination file.

Suppose the source file contains the following message.

“Account name is ~FIFA and the passwd is ~01krs” - Source.txt

After transferring this through the blocker the resultant file contains

“Account name is and the passwd is |” - Dest.txt

Here the secured data ‘FIFA’ and ‘01krs’ are prefixed with ~ and hence not transferred.

Thus, this simulation could be implemented in terms of network protocols.

The program is as follows.


///////////////////////////// BLOCKER SIMULATION /////////////////////////////
#include <stdio.h>

#define MAX 50   /* maximum length of the simulated message */

int main(void)
{
    FILE *fs, *fd;              /* file pointers for source and destination */
    int ch;                     /* fgetc() returns int so that EOF can be told apart from data */
    int i = 0;
    char ch1[MAX], ch2[MAX];    /* raw message and filtered message */

    fs = fopen("source.txt", "r");
    fd = fopen("dest.txt", "w");

    ////////// exiting if either file cannot be opened //////////
    if (fs == NULL) {
        puts("cannot open the file");
        return 1;
    }
    if (fd == NULL) {
        puts("cannot open the file");
        fclose(fs);
        return 1;
    }

    ////////// initializing both arrays ch1[], ch2[] //////////
    for (int j = 0; j < MAX; j++) {
        ch1[j] = '\n';
        ch2[j] = '\n';
    }

    ////////// PHASE-1: GETTING VALUES FROM SOURCE FILE //////////
    /* read until end of file or until the array is full */
    while (i < MAX && (ch = fgetc(fs)) != EOF) {
        ch1[i] = (char)ch;      /* moving each character into the ch1[] array */
        i++;
    }

    ////////// PHASE-2: FILTERING //////////
    int flag = 0;               /* 1 while inside a '~'-prefixed (high priority) string */
    int m = 0;
    for (int k = 0; k < i; k++) {
        /* the '~' starts a blocked string; the next space ends it */
        if (ch1[k] == '~')
            flag = 1;
        if (ch1[k] == ' ')
            flag = 0;
        if (flag == 0) {
            ch2[m] = ch1[k];
            m++;
        }
    }

    ////////// PHASE-3: COPYING FILE //////////
    for (i = 0; i < m; i++)
        fputc(ch2[i], fd);

    fclose(fs);
    fclose(fd);
    return 0;
}
