NETWORK SECURITY:

Firewalls: Definition and types of firewalls, firewall configuration, Limitations of firewall

Introduction of Firewall:
A firewall is a network security device, either hardware- or software-based, which monitors
all incoming and outgoing traffic and, based on a defined set of security rules, accepts,
rejects or drops that specific traffic.
Accept : allow the traffic
Reject : block the traffic but reply with an unreachable error
Drop : block the traffic with no reply

A network's firewall builds a bridge between an internal network that is assumed to be
secure and trusted, and another network, usually an external (inter)network, such as the
Internet, that is not assumed to be secure and trusted.

A firewall establishes a barrier between secured internal networks and an outside untrusted
network, such as the Internet.

[Figure: firewall placed between the internal LAN and the external WAN]

Before firewalls, network security was performed by Access Control Lists (ACLs) residing
on routers. ACLs are rules that determine whether network access should be granted or
denied to specific IP addresses. But ACLs cannot determine the nature of the packet they
are blocking. Also, an ACL alone does not have the capacity to keep threats out of the
network. Hence, the firewall was introduced.

How Firewall Works:

> Firewall matches the network traffic against the rule set defined in its table. Once a
rule is matched, the associated action is applied to the network traffic. For example, rules
are defined as: any employee from the HR department cannot access the data from the code
server, and at the same time another rule is defined like: the system administrator can
access the data from both the HR and technical departments. Rules can be defined on the
firewall based on the necessity and security policies of the organization.
> From the perspective of a server, network traffic can be either outgoing or incoming.
Firewall maintains a distinct set of rules for both cases. Mostly the outgoing
traffic, originated from the server itself, is allowed to pass. Still, setting a rule on
outgoing traffic is always better in order to achieve more security and prevent
unwanted communication. Incoming traffic is treated differently.
> Most traffic which reaches the firewall is one of these three major Transport Layer
protocols: TCP, UDP or ICMP. All these types have a source address and destination
address. Also, TCP and UDP have port numbers. ICMP uses a type code instead of a port
number, which identifies the purpose of that packet.

Default policy: It is very difficult to explicitly cover every possible rule on the firewall. For
this reason, the firewall must always have a default policy. The default policy consists only of
an action (accept, reject or drop).


Suppose no rule is defined about SSH connections to the server on the firewall. Then it will
follow the default policy. If the default policy on the firewall is set to accept, then any
computer outside of your office can establish an SSH connection to the server. Therefore, setting
the default policy to drop (or reject) is always a good practice.

Generation of Firewall:

Firewalls can be categorized based on their generation.

1. First Generation - Packet Filtering Firewall : A packet filtering firewall is used to
control network access by monitoring outgoing and incoming packets and allowing them
to pass or stop based on source and destination IP address, protocols and ports. It
analyses traffic at the transport protocol layer (but mainly uses the first 3 layers).
Packet firewalls treat each packet in isolation. They have no ability to tell whether a
packet is part of an existing stream of traffic. They can only allow or deny packets
based on unique packet headers.

A packet filtering firewall maintains a filtering table which decides whether the packet will be
forwarded or discarded. From the given filtering table, the packets will be filtered according
to the following rules (* = any value):

Rule | Source IP     | Dest. IP      | Source Port | Dest. Port | Action
-----|---------------|---------------|-------------|------------|-------
1    | 192.168.21.0  | *             | *           | *          | deny
2    | *             | *             | *           | 23         | deny
3    | *             | 192.168.21.3  | *           | *          | deny
4    | *             | 192.168.21.0  | >1023       | *          | allow

Sample Packet Filter Firewall Rule

1. Incoming packets from network 192.168.21.0 are blocked.
2. Incoming packets destined for the internal TELNET server (port 23) are blocked.
3. Incoming packets destined for host 192.168.21.3 are blocked.
4. All well-known services to the network 192.168.21.0 are allowed.
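
The following Python program is an added example (not part of these notes) of the first-generation packet filter just described, and of the default policy advice given earlier: the four rules of the sample table are encoded as the numbered list explains them, a packet is checked against the rules in table order with the first match deciding, and a packet that matches no rule falls through to a default policy of drop. The Packet and Rule types, the /24 reading of "network 192.168.21.0", and the reading of rule 4 as "destination network 192.168.21.0 with source port above 1023" are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


# Constructed packet representation: only the header fields a stateless
# packet filter looks at (addresses and ports).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# One row of the filtering table. None in a field means "*" (any value).
# Ports are given as an inclusive (low, high) range.
@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow", "deny" (reject) or "drop"
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    src_ports: Optional[Tuple[int, int]] = None
    dst_ports: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.src_net is not None and ip_address(pkt.src_ip) not in self.src_net:
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in self.dst_net:
            return False
        if self.src_ports is not None and not (self.src_ports[0] <= pkt.src_port <= self.src_ports[1]):
            return False
        if self.dst_ports is not None and not (self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]):
            return False
        return True


# The sample table from the notes, read as its numbered list explains it
# (assumption: "network 192.168.21.0" means the /24 prefix).
SAMPLE_RULES: List[Rule] = [
    Rule("deny", src_net=ip_network("192.168.21.0/24")),                           # 1: packets from that network
    Rule("deny", dst_ports=(23, 23)),                                               # 2: packets to the TELNET server
    Rule("deny", dst_net=ip_network("192.168.21.3/32")),                            # 3: packets to host 192.168.21.3
    Rule("allow", dst_net=ip_network("192.168.21.0/24"), src_ports=(1024, 65535)),  # 4: well-known services to the network
]

# Default policy: applied only when no rule matches. Drop is the safe choice.
DEFAULT_POLICY = "drop"


def filter_packet(pkt: Packet, rules: List[Rule] = SAMPLE_RULES,
                  default: str = DEFAULT_POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number); rule_number is None when the default policy applied.

    Rules are evaluated in table order and the first match wins, so rule 3
    (deny host 192.168.21.3) takes precedence over rule 4 (allow the network).
    """
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default, None


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 is a documentation (TEST-NET-3) address.
    samples = [
        Packet("203.0.113.9", "192.168.21.7", 40000, 80),   # web request into the network -> allow (rule 4)
        Packet("192.168.21.9", "192.168.21.7", 40000, 80),  # claims to come from inside -> deny (rule 1)
        Packet("203.0.113.9", "192.168.21.7", 40000, 23),   # telnet -> deny (rule 2)
        Packet("203.0.113.9", "192.168.21.3", 40000, 80),   # protected host -> deny (rule 3, before rule 4)
        Packet("203.0.113.9", "192.168.21.7", 80, 443),     # low source port -> no match -> default policy
        Packet("203.0.113.9", "10.1.1.1", 40000, 80),       # other destination -> no match -> default policy
    ]
    for pkt in samples:
        action, rule_no = filter_packet(pkt)
        where = f"rule {rule_no}" if rule_no else "default policy"
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}: {action} ({where})")
```

Ordering matters: rule 3 has to sit above rule 4, or the host-specific deny would never be reached. And because the filter is stateless, nothing here can tell a genuine reply from a fresh unsolicited packet, which is the gap the stateful firewalls in the next generation address.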

2. Second Generation - Stateful Inspection Firewall : Stateful firewalls (performing
Stateful Packet Inspection) are able to determine the connection state of a packet, unlike
packet filtering firewalls, which makes them more efficient. It keeps track of the state of
network connections travelling across it, such as TCP streams. So the filtering decisions
would not only be based on defined rules, but also on the packet's history in the state table.

3. Third Generation - Application Layer Firewall : An application layer firewall can
inspect and filter the packets on any OSI layer, up to the application layer. It has the
ability to block specific content, and also to recognize when certain applications and protocols
(like HTTP, FTP) are being misused.
In other words, application layer firewalls are hosts that run proxy servers. A proxy
firewall prevents the direct connection between either side of the firewall; each packet
has to pass through the proxy. It can allow or block the traffic based on predefined rules.

4. Next Generation Firewalls (NGFW): Next Generation Firewalls are being deployed
these days to stop modern security breaches like advanced malware attacks and
application-layer attacks. An NGFW consists of Deep Packet Inspection, Application
Inspection, SSL/SSH inspection and many other functionalities to protect the network from
these modern threats.

Types of Firewall:
Firewalls are generally of two types: Host-based and Network-based.

1. Host-based Firewalls : A host-based firewall is installed on each network node and
controls each incoming and outgoing packet. It is a software application or suite of
applications that comes as a part of the operating system. Host-based firewalls are needed
because network firewalls cannot provide protection inside a trusted network. A host
firewall protects each host from attacks and unauthorized access.
2. Network-based Firewalls : Network firewalls function on the network level. In other words,
these firewalls filter all incoming and outgoing traffic across the network. It protects the
internal network by filtering the traffic using rules defined on the firewall. A network
firewall might have two or more network interface cards (NICs). A network-based
firewall is usually a dedicated system with proprietary software installed.

Firewall Software:
A few of the most popular firewall software products that organizations use to protect their
systems are mentioned below:

1) Comodo Firewall: Virtual Internet browsing, blocking unwanted pop-up ads, and
customizing DNS servers are the common features of this firewall. Virtual Kiosk is used to
block some procedures and programs by absconding and penetrating the network.

In this firewall, apart from following the long process for defining ports and other programs
to allow and block, any program can be allowed and blocked by just browsing for the
program and clicking on the desired output.

2) AVS Firewall: It is very simple to implement. It guards your system against nasty registry
amendments, pop-up windows, and unwanted advertisements. We can also modify the URLs
for ads anytime and can block them as well.

It also has the feature of Parental Control, which permits access to a precise
group of websites only. It is used in Windows 8, 7, Vista and XP.

3) Netdefender: Here we can easily outline the source and destination IP address, port
number and protocol that are permitted and not permitted in the system. We can allow or
block FTP from being deployed and restricted in any network.

It also has a port scanner, which can visualize which ports can be used for traffic flow.

4) PeerBlock : Instead of blocking an individual class of programs defined on the computer, it
blocks whole classes of IP addresses that fall into a particular category.

It deploys this feature by blocking both incoming and outgoing traffic by defining a set of IP
addresses that are barred. Therefore the network or computer using that set of IPs can't
access the network, and also the internal network can't send outgoing traffic to those
blocked programs.

5) Windows Firewall: The most frequent firewall used by Windows 7 users is this firewall.
It provisions the access and restriction of traffic and communication between networks, or a
network or a device, by analyzing IP address and port number. It by default permits all
outbound traffic but allows only that inbound traffic which is defined.

Types of firewall:
A firewall can be compared with a security guard standing at the entrance of a minister's
home. He keeps an eye on everyone and physically checks every person who wishes to enter
the house. He won't allow a person to enter if he/she is carrying a harmful object like a knife,
gun etc. Similarly, even if the person doesn't possess any banned object but appears
suspicious, the guard can still prevent that person's entry.

The firewall acts as a guard. It guards a corporate network, acting as a shield between the
inside network and the outside world. All the traffic in either direction must pass through the
firewall. It then decides whether the traffic is allowed to flow or not. The firewall can be
implemented as hardware or software, or a combination of both.

[Figure: public network (Internet, via modem) -> firewall -> secure private local area network;
legend: specified traffic allowed, restricted/unknown traffic discarded]

1. Packet Filters
It works in the network layer of the OSI Model. It applies a set of rules (based on the
contents of IP and transport header fields) on each packet and, based on the outcome,
decides to either forward or discard the packet.
For example, a rule could specify to block all incoming traffic from a certain IP address
or disallow all traffic that uses the UDP protocol. If there is no match with any predefined
rules, it will take the default action. The default action can be to "discard all packets" or to
"accept all packets".

Security threats to Packet Filters:

1. IP address Spoofing:
In this kind of attack, an intruder from the outside tries to send a packet towards
the internal corporate network with the source IP address set equal to one of the IP
addresses of internal users.
Prevention:
A firewall can defeat this attack if it discards all the packets that arrive at the
incoming side of the firewall with a source IP equal to one of the internal IPs.
2. Source Routing Attacks:
In this kind of attack, the attacker specifies the route to be taken by the packet with
a hope to fool the firewall.
Prevention:
A firewall can defeat this attack if it discards all the packets that use the option of
source routing, aka path addressing.
3. Tiny Fragment Attacks:
Many times, the size of the IP packet is greater than the maximum size allowed by
the underlying network such as Ethernet, Token Ring etc. In such cases, the packet
needs to be fragmented, so that it can be carried further. The attacker uses this
characteristic of the TCP/IP protocol. In this kind of attack, the attacker intentionally
creates fragments of the original packet and sends them to fool the firewall.
Prevention:
A firewall can defeat this attack if it discards all the packets which use the TCP
protocol and are fragmented. Dynamic Packet Filters allow incoming TCP packets
only if they are responses to outgoing TCP packets.
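
As an added example (not from these notes), the three prevention rules above are expressed as a single ingress check in Python that would run ahead of the normal rule table: it flags an internal source address seen on the outside interface, the presence of a source-route IP option, and a fragmented TCP packet. IPPacket, the interface names, the option names LSRR/SSRR, and the choice of 192.168.21.0/24 as the internal network are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


# Constructed view of the IP header fields these three checks need. In a real
# filter they would be parsed from the packet; here they are plain attributes.
@dataclass(frozen=True)
class IPPacket:
    iface: str                                 # "outside" (untrusted side) or "inside"
    src_ip: str
    dst_ip: str
    proto: str                                 # "tcp", "udp" or "icmp"
    more_fragments: bool = False               # IP header MF flag
    frag_offset: int = 0                       # fragment offset (0 for the first fragment)
    ip_options: FrozenSet[str] = frozenset()   # names of IP options carried, e.g. {"LSRR"}


# Assumption for the example: 192.168.21.0/24 is the protected internal network.
INTERNAL_NETS = [ip_network("192.168.21.0/24")]

# RFC 791 source-route options: Loose and Strict Source and Record Route.
SOURCE_ROUTE_OPTIONS = frozenset({"LSRR", "SSRR"})


def ingress_violations(pkt: IPPacket, internal_nets=INTERNAL_NETS) -> List[str]:
    """Return the prevention rules from the notes that the packet violates (empty list = clean)."""
    reasons: List[str] = []

    # 1. IP address spoofing: a packet on the outside interface must never claim an internal source.
    if pkt.iface == "outside" and any(ip_address(pkt.src_ip) in net for net in internal_nets):
        reasons.append("internal source address arriving on outside interface")

    # 2. Source routing: discard any packet carrying a source-route option.
    if pkt.ip_options & SOURCE_ROUTE_OPTIONS:
        reasons.append("source routing option present")

    # 3. Tiny fragments: discard fragmented TCP (first fragment with MF set, or any later fragment).
    if pkt.proto == "tcp" and (pkt.more_fragments or pkt.frag_offset > 0):
        reasons.append("fragmented TCP packet")

    return reasons


def ingress_decision(pkt: IPPacket) -> Tuple[str, List[str]]:
    """Drop if any check fails, otherwise hand the packet on to the normal rule table."""
    reasons = ingress_violations(pkt)
    return ("drop" if reasons else "pass"), reasons


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
    samples = [
        IPPacket("outside", "203.0.113.9", "192.168.21.7", "tcp"),                                   # normal: pass
        IPPacket("outside", "192.168.21.5", "192.168.21.7", "tcp"),                                  # spoofed internal source
        IPPacket("inside", "192.168.21.5", "203.0.113.9", "tcp"),                                    # same address, legitimate direction
        IPPacket("outside", "198.51.100.7", "192.168.21.7", "udp", ip_options=frozenset({"LSRR"})),  # source routed
        IPPacket("outside", "198.51.100.7", "192.168.21.7", "tcp", more_fragments=True),             # first TCP fragment
        IPPacket("outside", "198.51.100.7", "192.168.21.7", "udp", more_fragments=True),             # UDP fragment: rule is TCP-only
    ]
    for pkt in samples:
        print(pkt.iface, pkt.src_ip, "->", pkt.dst_ip, pkt.proto, ingress_decision(pkt))
```

The interface the packet arrived on is what makes the spoofing check work: the same internal address is legitimate on the inside interface and impossible on the outside one, so the check cannot be expressed with addresses alone.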

2. Application Gateways -
It is also known as a Proxy server. It works as follows:
Step-1: The user contacts the application gateway using a TCP/IP application such as
HTTP.
Step-2: The application gateway asks about the remote host with which the user
wants to establish a connection. It also asks for the user id and password that are
required to access the services of the application gateway.
Step-3: After verifying the authenticity of the user, the application gateway
accesses the remote host on behalf of the user to deliver the packets.

3. Stateful Inspection Firewalls -

It is also known as a 'Dynamic Packet Filter'. It keeps track of the state of active
connections and uses this information to decide which packets to allow through it, i.e., it
adapts itself to the current exchange of information, unlike the normal packet
filters/stateless packet filters, which have hardcoded routing rules.
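
An added example (not from these notes) of the dynamic packet filter described here, in the Second Generation section above and in the tiny-fragment prevention note (incoming TCP is allowed only as a response to outgoing TCP): a Python state table keyed by the connection's two address/port pairs, created by an outbound SYN, refreshed by each packet, removed on RST or after both sides have sent FIN, and expired after an idle timeout. TCPPacket, StatefulFilter and the constructed addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Key of the state table: (internal ip, internal port, external ip, external port).
# Both directions of one connection map to the same key.
ConnKey = Tuple[str, int, str, int]


# Constructed TCP packet view: the fields a stateful filter needs.
@dataclass(frozen=True)
class TCPPacket:
    direction: str                         # "out": leaving the protected network, "in": arriving from outside
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = frozenset()    # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class ConnState:
    last_seen: float
    fins: Set[str] = field(default_factory=set)   # directions that have already sent FIN


class StatefulFilter:
    """Dynamic packet filter: inbound TCP is allowed only as part of a connection opened from inside."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout
        self.table: Dict[ConnKey, ConnState] = {}

    @staticmethod
    def _key(pkt: TCPPacket) -> ConnKey:
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _expire(self, now: float) -> None:
        # Entries idle for longer than idle_timeout are forgotten, so a stale
        # connection cannot be used later to let an unrelated inbound packet through.
        stale = [k for k, st in self.table.items() if now - st.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt: TCPPacket, now: float) -> str:
        self._expire(now)
        key = self._key(pkt)
        state = self.table.get(key)

        if state is not None:
            # Packet belongs to a tracked connection: allowed in either direction.
            if "RST" in pkt.flags:
                del self.table[key]                 # abortive close: forget immediately
            elif "FIN" in pkt.flags:
                state.fins.add(pkt.direction)
                state.last_seen = now
                if len(state.fins) == 2:            # both sides have sent FIN: connection closed
                    del self.table[key]
            else:
                state.last_seen = now
            return "allow"

        if pkt.direction == "out" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # New connection initiated from inside: create the entry so replies can return.
            self.table[key] = ConnState(last_seen=now)
            return "allow"

        # Unsolicited inbound packet, or a packet for a connection never seen: dropped.
        return "drop"

    def tracked(self) -> int:
        return len(self.table)


def run_sample_session() -> List[str]:
    """Constructed exchange: one outbound HTTPS connection plus one unsolicited inbound SSH attempt."""
    fw = StatefulFilter(idle_timeout=60.0)
    client, server, stranger = "192.168.21.7", "203.0.113.9", "198.51.100.7"
    steps = [
        (0.0, TCPPacket("out", client, server, 40000, 443, frozenset({"SYN"}))),          # allow: new connection
        (0.1, TCPPacket("in", server, client, 443, 40000, frozenset({"SYN", "ACK"}))),    # allow: reply to it
        (0.2, TCPPacket("out", client, server, 40000, 443, frozenset({"ACK"}))),          # allow
        (1.0, TCPPacket("in", stranger, client, 5555, 22, frozenset({"SYN"}))),           # drop: not a response
        (1.5, TCPPacket("in", server, client, 443, 40001, frozenset({"ACK"}))),           # drop: unknown connection
        (2.0, TCPPacket("in", server, client, 443, 40000, frozenset({"FIN", "ACK"}))),    # allow: half close
        (2.1, TCPPacket("out", client, server, 40000, 443, frozenset({"FIN", "ACK"}))),   # allow: closed, entry removed
    ]
    return [fw.process(pkt, t) for t, pkt in steps]


if __name__ == "__main__":
    print(run_sample_session())
```

The teardown is simplified: the entry disappears when the second FIN is seen, so the ACK that answers it would be dropped, whereas real implementations keep a short closing state for it. The idle timeout is what keeps a long-forgotten entry from admitting an unrelated inbound packet later.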

4. Circuit-Level Gateways -
It works at the session layer of the OSI Model. It is the advanced variation
of the Application Gateway. It acts as a virtual connection between the remote host and the
internal users by creating a new connection between itself and the remote host. It also
changes the source IP address in the packet and puts its own address in place of the
source IP address of the packet from the end users. This way, the IP addresses of the
internal users are hidden and secured from the outside world.

Firewall Limitations:
A firewall is a crucial component of securing your network and is designed to address the
issues of data integrity or traffic authentication (via stateful packet inspection) and
confidentiality of your internal network (via NAT). Your network gains these benefits from a
firewall by receiving all transmitted traffic through the firewall. The importance of
including a firewall in your security strategy is apparent; however, firewalls do
have the following limitations:

> A firewall cannot prevent users or attackers with modems from dialing in to or out of
the internal network, thus bypassing the firewall and its protection completely.
> Firewalls cannot enforce your password policy or prevent misuse of passwords. Your
password policy is crucial in this area because it outlines acceptable conduct and sets
the ramifications of noncompliance.
> Firewalls are ineffective against nontechnical security risks such as social
engineering, making user education critical.
> Firewalls cannot stop internal users from accessing websites with malicious code.
> Firewalls cannot protect you from poor decisions.
> Firewalls cannot protect you when your security policy is too lax.

A firewall also cannot protect against:

> malicious insiders
> connections that circumvent it
> completely new threats
> some viruses
> an administrator who does not correctly set it up
