Report - Hardware Firewalls


Hardware Firewalls

By
Deepak Jacob
&
Pratheek Suresh

Mar Athanasius College of Engineering


Contents

Introduction
Data Security
Firewalls
Hardware Firewall
Basic Operation
Filtering Techniques
Pros & Cons
Life cycle
Hardware Firewall Solutions
Benefits of hardware firewalls
Implementation of hardware firewalls
FPGA
Hardware programming
VHDL
Pros and cons

Introduction
The Scope of the Problem

Just as police and fire fighting are among the essential services provided by
local governments, security has become a critical and necessary component of local
area networks, regardless of their size. With the proliferation of always-on
broadband Internet access, web commerce, wireless LANs, and network-enabled
business processes such as customer relationship management (CRM) and electronic
document handling, network vulnerability has increased, and with it the potential for
significant financial losses and serious damage to the business itself. The Computer
Security Institute's 2003 CSI/FBI Computer Crime and Security Survey (which covered
organizations ranging from large corporations and government agencies to small
businesses; eighteen percent of the respondents represented enterprises with fewer
than 99 employees) identifies Internet connections as the part of the network that
is most frequently attacked. Seventy-eight percent of the survey respondents
reported that Internet connections were their weakest points, up from 57% in 1999.
Though viruses were named as the source of the majority of the attacks, the two
most often cited causes of financial losses were theft of proprietary information
(total reported loss: $70 million; average loss: $2.7 million) and denial of service
(total loss: $65 million).

However, it is difficult for organizations to know the full extent of the damage.
Seventy-five percent of the survey takers acknowledged losses from Internet attacks,
but just 47% were able to quantify them. Financial losses are not the only
problem. Unauthorized use or misuse of networks can also undermine employee
morale and diminish the public's trust and confidence in the organization. If
information theft leads to criminal activity such as credit card fraud, there may also
be legal repercussions for the compromised organization. And in the case of
hospitals, public safety agencies, and other critical facilities, people's health and
well-being may also be at risk. The number of security incidents (one incident may
occur over time and involve multiple sites) reported to the Carnegie Mellon Software
Engineering Institute's CERT Coordination Centre (CERT/CC) has grown from
52,658 in all of 2001 to 76,404 in just the first two quarters of 2003. The CERT/CC
Overview of Incident and Vulnerability Trends (May 2003) lists the following as
key characteristics of today's security threats:
• Intruders are well prepared and organized, able to freely exchange information
and hacker-related tools.
• Internet attacks are relatively easy, low risk, and hard to trace; source code
isn't required to find vulnerabilities.
• Intruder tools and toolkits are more sophisticated and designed to support
large-scale attacks.
• As business infrastructures increasingly rely on the Internet, and the
complexity of protocols and applications keeps growing, many network
administrators lack the resources, time, and training to counter threats.
• Intruders are increasingly leveraging the availability of broadband
connections. Experiments conducted by various publications and security
organizations have shown that virtually all persistent Internet links are
periodically scanned for vulnerabilities, often beginning a few hours after the
connection is established.

All these statistics, trends, and observations point to one unavoidable fact: no
network that is connected to the Internet can afford to remain unprotected.

Nowadays data is stored and transported electronically, requiring equivalent
“electronic security” to protect its confidentiality, integrity and availability. Unlike
hardcopy, unprotected electronic data can be intercepted and interpreted, amended,
delayed or reproduced with no physical evidence of tampering. This is where the
importance of protecting our data from unexpected and unauthorized attack comes in.

Data can be protected in the following three ways.

Encryption - protection of data against unauthorized access. Protected data is
modified so as to be unintelligible to unauthorized recipients, the process being
fully reversible only by the intended recipient.

Authentication - protection of data against unauthorized tampering and verification
of the identity of the sender. Protected data has a content- and sender-dependent
signature appended, permitting the recipient to verify that the received message has
not been changed en route and is from the expected party.

Firewall - protection of private infrastructure from access by unauthorized parties.
Protection is applied where safe private networks meet publicly accessible networks,
providing a filter aimed at stopping unauthorized parties from gaining access while
permitting authorized users to make full use of the available services.

Here we focus on the need for firewalls and their application.

Firewalls
A firewall is a program or hardware device that filters the inbound information
arriving through the Internet connection into a private network or computer system.
If an incoming packet of information is flagged by the filters, it is not allowed
through.

Two types of firewalls:

Hardware firewall

Hardware firewalls, or gateway products that include firewalls, are
generally simpler to install and maintain than software-only solutions. This makes
them more suitable for small to midsize enterprises with limited security expertise
on site. Routers can also be equipped with firewalls. However, high-end enterprise
routers may not be ideal for this purpose. Not only are they more expensive and
management intensive than dedicated firewalls, gateways, and gateway routers, their
performance may suffer as a result of the additional firewall functionality. A
hardware firewall is used to stop incoming data that is not requested by your
computer.

Software firewalls

A software firewall is an application running on your system that controls network
traffic. The simplest firewall is one that limits inbound connections to specific ports
(e.g. a web server with only port 80 open). More complex firewalls also control
outbound connections, an important feature which can prevent a compromised system
from attempting to spread its compromise to other systems. Most software firewalls
allow the designation of a “trusted” zone to which less stringent rules are applied
than to systems on the internet. For example, Windows XP Service Pack 2 enables a
software firewall of medium functionality.

A software firewall keeps your computer from sending or receiving information
without your permission. Dedicated software security is usually a complex
application that requires a Linux- or UNIX-based server or a Microsoft Windows
Server. These applications are best suited for organizations that already have such
servers in their inventory, and also have the technical support required to configure
and maintain them.

FIGURE 2: Basic Firewall Operation
Hardware firewalls

Hardware firewalls, also known as Firewall Appliances or Internet Security
Appliances, are external devices that act as a guard post between your network (your
home or office) and external networks (the internet). They provide a strong protective
barrier between the outside world and your home or office network. They are very
effective at protecting against most forms of attack from the internet. They require
very little configuration and, once set up, very little maintenance except for
updating their firmware periodically.

In short, hardware firewalls are:

- Stateful (as they track TCP sessions)
- Configurable
- Fail-safe (idiot-proof)
- Capable of access lists, NAT, and port-forwarding/blocking

NAT and SPI

There is a significant difference in the level of security offered by Network
Address Translation (NAT) and Stateful Packet Inspection (SPI). NAT is an Internet
Engineering Task Force (IETF) standard that allows a network to present itself to the
Internet with one address. NAT converts the address of each LAN node into one
public IP address, and reverses the conversion in the other direction. It serves a
firewall function by hiding the IP addresses within the network, making it look from
the outside as if all data is emanating from one device.

SPI monitors every packet entering or leaving the network and applies a series
of firewall rules to decide whether to allow the packet to enter the network. It is
termed "stateful" because it examines the contents of the packet to determine the
state of the transaction, verifying that the destination computer has previously
requested the communication. In other words, the destination of an inbound packet
must match the source of a previous outbound request, or the packet is rejected. This
ensures that all communications are initiated by the recipient computer and are
taking place only with sources that are known and trusted from previous
interactions. SPI is capable of examining multiple layers of the protocol stack.
Besides being more rigorous in their packet inspections than NAT-only firewalls,
SPI firewalls also keep ports closed until a connection to a specific port is
requested. This provides an added layer of protection against port scanning,
prevents unauthorized access and thwarts DoS and other common attacks.

Some hardware firewall manufacturers are LinkSys, D-Link and Netgear.
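The NAT rewrite and the SPI rule just described (an inbound packet is admitted only if it answers a flow that a LAN host opened, and the opening closes again once the flow goes idle, which is also the "temporarily opens holes" point made under Pros) as an added Python simulation; this is example code written for this page, not code from the report or from any appliance vendor, and the addresses, ports and idle timeout are constructed values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatSpiGateway:
    """Simulated NAT + SPI gateway: only flows opened from the LAN are tracked."""
    def __init__(self, public_ip="203.0.113.5", timeout=300):
        self.public_ip = public_ip   # constructed address from the RFC 5737 documentation range
        self.timeout = timeout       # idle seconds before a tracked flow is forgotten
        self.next_port = 40000       # next public port handed out by NAT
        # connection table: (proto, public_port, remote_ip, remote_port) -> [lan_ip, lan_port, last_seen]
        self.flows = {}

    def _expire(self, now):
        """Drop idle entries so a port opened for one flow does not stay open forever."""
        for key in [k for k, v in self.flows.items() if now - v[2] > self.timeout]:
            del self.flows[key]

    def outbound(self, pkt, now):
        """LAN -> Internet: record (or refresh) the flow and rewrite the source to the public IP."""
        self._expire(now)
        for key, entry in self.flows.items():
            if (key[0] == pkt.proto and key[2:] == (pkt.dst_ip, pkt.dst_port)
                    and entry[:2] == [pkt.src_ip, pkt.src_port]):
                entry[2] = now                      # existing flow: refresh, reuse its port
                return replace(pkt, src_ip=self.public_ip, src_port=key[1])
        key = (pkt.proto, self.next_port, pkt.dst_ip, pkt.dst_port)
        self.next_port += 1
        self.flows[key] = [pkt.src_ip, pkt.src_port, now]
        return replace(pkt, src_ip=self.public_ip, src_port=key[1])

    def inbound(self, pkt, now):
        """Internet -> LAN: admit only a reply to a tracked flow; return None for a dropped packet."""
        self._expire(now)
        entry = self.flows.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None   # unsolicited: nobody inside asked for it (e.g. a port-scan probe)
        entry[2] = now
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

def demo():
    """Walk one web connection through the gateway; returns the four results for inspection."""
    gw = NatSpiGateway()
    out = gw.outbound(Packet("TCP", "192.168.1.10", 51000, "198.51.100.7", 80), now=0)
    reply = gw.inbound(Packet("TCP", "198.51.100.7", 80, out.src_ip, out.src_port), now=1)
    probe = gw.inbound(Packet("TCP", "198.51.100.9", 4444, gw.public_ip, out.src_port), now=2)
    late = gw.inbound(Packet("TCP", "198.51.100.7", 80, out.src_ip, out.src_port), now=500)
    return out, reply, probe, late   # reply is translated to the LAN host; probe and late are None
```

Note that an admitted reply is delivered straight to the internal host, which is exactly the "direct IP connection to internal hosts" limitation listed under Cons.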

Pros
• Low overhead/high throughput. Stateful inspection provides enhanced security
over the packet filtering model without notable performance degradation.
• Like the packet filter, it also works at the network and transport layers, so no
special client configuration or client software is required.
• Only temporarily opens holes in the network perimeter. Since the time a hole in
the perimeter is open is greatly reduced, many types of attacks that work against
static packet filters are more difficult or perhaps impossible to use against a dynamic
packet filter. Again, because there is very little work done beyond routing traffic,
the overhead is relatively low. Therefore, similar hardware platforms will often
produce higher throughput when using dynamic packet filtering techniques than
when using application gateways.
• Supports almost any service (back-channel services like File Transfer
Protocol (FTP) have to be handled as a special case). Since packet filters are
application-unaware, they can be set up to allow any type of IP traffic to pass through
the firewall.

Cons
• Allows direct IP connections to internal hosts by external clients. While dynamic
packet filtering does well in reducing the amount of exposure, external systems—
under the control of the firewall—still are able to make an IP connection with an
internal machine as the endpoint. The primary disadvantage of any packet filtering
gateway is that once access has been granted by the device to a host on the internal
network, the attacker has direct access to any exploitable weaknesses in either the
software or the configuration of that host. The ability to jump off to other internal
hosts from that point is restrained only by the security present on those hosts.
• Offers no user authentication (if supported, it is supported via an application
gateway).
• This type of firewall requires more administrative setup than packet filtering. (The
connection table has to be built to track individual packet flows. These flows are
then checked against preset policies to determine access or denial action to be
taken.)

Benefits of hardware firewalls.

Hardware firewalls are more expensive than personal firewalls, but considering you
only need one to protect an entire network, hardware firewalls are the most cost
effective method for internet security protection if you have more than one computer
to protect. Unlike software firewalls, which have to be reinstalled and reconfigured
after a computer crash or upgrade to a newer computer, a hardware firewall
continues protecting without any computer configuration necessary - no matter what
computers are on the network.

Realization of hardware firewalls.

We now discuss a different approach to realizing digital systems, called embedded
system design. It leverages the advanced capabilities of today's IC technology by
implementing many of the components of the system within a single chip, such as a
field programmable gate array (FPGA). Embedded security systems are required because
purely software defences are unable to cope with packet rates on high-speed
networks. Reconfigurable logic is well suited to the changing nature of the threat.
The design has been accomplished through hardware compilation on a platform
FPGA, a method appropriate to quickly matching changing threats.

An overview of the development steps.

FPGA or Field Programmable Gate Arrays

They are:
• semiconductor devices
• containing programmable logic components
• containing programmable interconnects

The programmable logic components can be programmed to duplicate the
functionality of basic logic gates such as AND, OR, XOR, NOT or more complex
combinational functions such as decoders or simple math functions.

They also include memory elements, which may be simple flip-flops or more
complete blocks of memories. A hierarchy of programmable interconnects allows
the logic blocks of an FPGA to be interconnected as needed by the system designer,
somewhat like a one-chip programmable breadboard. These logic blocks and
interconnects can be programmed after the manufacturing process by the
customer/designer (hence the term "field programmable") so that the FPGA can
perform whatever logical function is needed.

Why do we recommend FPGAs?

• presence of higher-level embedded functions (such as adders and multipliers)
• presence of embedded memories
• support for full or partial in-system reconfiguration
• capability of partial re-configuration

Technical reasons to use FPGAs in embedded system design…

They offer large logic capacity, exceeding several million equivalent logic gates, and
include dedicated memory resources. They include special hardware circuitry that is
often needed in digital systems, such as digital signal processing (DSP) blocks (with
multiply-and-accumulate functionality) and phase-locked loops (PLLs) (or delay-locked
loops (DLLs)) that support complex clocking schemes. They also support a
wide range of interconnection standards, such as double data rate (DDR SRAM)
memory, PCI and high-speed serial protocols.

In addition, FPGAs provide a significant benefit as “off-the-shelf” chips that are
programmed by the end user. This user-programmability avoids the long
manufacturing times and high non-recurring engineering (NRE) costs that would be
required if a custom IC were manufactured. Also, the FPGA can be reprogrammed
as many times as needed to make changes or fix errors.

So how do we program an FPGA…?

There are two main aspects to the software tools for embedded system design:
1) the creation of the system hardware, and
2) the development of software that runs on the processors included in the system.

FPGA manufacturers provide automated tools to facilitate both parts of this
design flow. For creating the hardware circuitry, the tools allow the user to build a
system by making use of pre-designed building blocks for processors, memory
controllers, digital signal processing circuits and various communication modules
(such as UARTs). The software allows easy instantiation of these sub-circuits and can
automatically interconnect them on the FPGA chip. Design of these components
seamlessly integrates with the tool set used to create the custom logic circuits, which
are also implemented in the FPGA. The Electronic Design Automation (EDA) tools
generate memory maps for the system, allowing the processor(s) to access the
system’s hardware resources. Application software development is supported with
the typical toolsets expected by software programmers, including compilers,
debuggers and operating system support.
The commonly used language for hardware design is VHDL (VHSIC Hardware
Description Language), which serves as a design-entry language for
field-programmable gate arrays and application-specific integrated circuits in the
electronic design automation of digital circuits.

Scope of FPGAs implemented using VHDL

• a shorter time to market
• ability to re-program in the field to fix bugs
• lower non-recurring engineering costs

Limitations

• generally slower than their application-specific integrated circuit (ASIC)
counterparts
• can't handle as complex a design
• draw more power

Recent trends

A recent trend has been to take the coarse-grained architectural approach a step
further by combining the logic blocks and interconnects of traditional FPGAs with
embedded microprocessors and related peripherals to form a complete "system on a
programmable chip".

What the future holds

An example of an interesting area for future research is the use of soft processors on
FPGAs to create multiprocessor systems. Although such systems are already in use,
further research may discover better ways of interconnecting soft processors to
achieve faster program execution, and improved techniques for implementing the
memory hierarchy to enable more efficient sharing of data. A more advanced topic is
the study of FPGA architecture features that best support multiprocessing with soft
processors without sacrificing chip area or speed performance for other types of
applications.
