’Firewalls’

1
 Introduction
3

 Is hardware, software, or a combination of both

 used to prevent unauthorized programs or Internet

users from accessing a private network and/or a
single computer.
 Hardware vs. Software Firewalls
4

Hardware Firewalls
 Protect an entire network
 Implemented on the router level
 Usually more expensive, harder to configure

Software Firewalls
 Protect a single computer
 Usually less expensive, easier to configure
 How does a software firewall work?
5

 Inspects each individual “packet” of data as it arrives

at either side of the firewall

 Determines whether it should be allowed to pass

through or if it should be blocked
 Firewall Rules
6

 Allow – traffic that flows automatically because it

has been deemed

 Block – traffic that is blocked because it has been

deemed dangerous to your computer
 Policy Actions

 Packets flowing through a firewall can have one of three outcomes:

 Accepted: permitted through the firewall
 Dropped: not allowed through with no indication of failure
 Rejected: not allowed through, accompanied by an attempt to
inform the source that the packet was rejected
 Policies used by the firewall to handle packets are based on several
properties of the packets being inspected, including the protocol
used, such as:
 TCP or UDP

 the source and destination IP addresses

 the source and destination ports

 the application-level payload of the packet (e.g., whether it

contains a virus).
 Blacklists and White Lists

 Two fundamental approaches to creating firewall policies (or rulesets)

 Blacklist approach (default-allow)
 All packets are allowed through except those that fit the rules

defined specifically in a blacklist.

 Pros: flexible in ensuring that service to the internal network is not

disrupted by the firewall

 Cons: unexpected forms of malicious traffic could go through

 Whitelist approach (default-deny)

 Packets are dropped or rejected unless they are specifically

allowed by the firewall

 Pros: A safer approach to defining a firewall ruleset

 Cons: must consider all possible legitimate traffic in rulesets

 What Can a Firewall
Do?
7

 Focus for security decisions

 Stop hackers from accessing your computer

 Can enforce security policy

 Protects your personal information

 Limits your exposure

 Blocks “pop up” ads and certain cookies

 Can log Internet activity efficiently

 Determines which programs can access the Internet
 What Can't a Firewall
Do?
8

 Can't protect you against malicious insiders

 Can't protect against completely new threats

 Can't protect against viruses

 Types of
Firewalls
9

1. Packet Filtering Firewall

- packet filters (stateless) -If a packet matches the packet filter's set
of rules, the packet filter will drop or accept it.
- stateful filters - it maintains records of all connections passing
through it and can determine if a packet is either the start of a new
connection, a part of an existing connection, or is an invalid packet.
2. Application level Gateway - It works like a proxy it can
“understand” certain applications and protocols.
–It may inspect the contents of the traffic, blocking what it views as
inappropriate content (i.e. websites, viruses, vulnerabilities, ...)
3. Circuit level gateway
 Stateless Firewalls
 A stateless firewall doesn’t maintain any remembered
context (or “state”) with respect to the packets it is
processing. Instead, it treats each packet attempting to
travel through it in isolation without considering packets
that it has processed previously.
SYN
Seq = x
Port=80

SYN-ACK
Client Seq = y
Ack = x + 1

ACK
Seq = x + 1
Ack = y + 1

Trusted internal Server

network
Firewall

Allow outbound SYN packets, destination port=80

Allow inbound SYN-ACK packets, source port=80
 Stateful firewalls

 Stateful firewalls can tell when packets are part of

legitimate sessions originating within a trusted network.

 Stateful firewalls maintain tables containing information

on each active connection, including the IP addresses,
ports, and sequence numbers of packets.

 Using these tables, stateful firewalls can allow only

inbound TCP packets that are in response to a connection
initiated from within the internal network.
 Statefull Firewall Example
 Allow only requested TCP connections:
76.120.54.101

SYN
Seq = x Server
Port=80
128.34.78.55

SYN-ACK
Client Seq = y
Ack = x + 1

ACK
Seq = x + 1
Ack = y + 1
Trusted internal SYN-ACK
network (blocked) Seq = y
Attacker
Port=80

Allow outbound TCP sessions,

destination port=80
Firewall

Established TCP session:

(128.34.78.55, 76.120.54.101)
Firewall state table
 Application Firewall

Application firewall (AF) devices perform a stateful protocol

analysis of the application layer.
They support numerous common protocols, such as http, sql, e-mail
service (SMTP, POP3 and IMAP), voip and xml.
Stateful protocol analysis relies on predefined profiles of acceptable
operating modes for the selected protocol, enabling the
identification of potential deviations and irregularities in the
message flow of the protocol through the device.
Problems may arise if there is a conflict between the operating
mode of a specific protocol, which is defined on the AF device, and
the way in which the protocol is implemented in the specific version
of the application or of the operating systems used in the network.
 Application Firewall

The stateful protocol analysis can:

Determine whether an e-mail message contains a type of attachment that is not
allowed (e.g. Exec files);
Determine whether instant messaging is used via an HTTP port;
Block the connection through which an unwanted command is executed (e.g. An
FTP put command on the FTP server);
Block access to a page with unwanted active content (e.g., Java);
Identify an irregular sequence of commands exchanged in the communication
between two hosts (e.g., An unusually large number of repetitions of the same
command or the use of a command before using the command it depends on);
 Application Firewall

•Two types
- Network based (Web Application Firewall)
- Host based
 Web Application Firewall (WAF)

Web application firewalls are built to provide web applications

security by applying a set of rules to an HTTP conversation.
Because applications are online, they have to keep certain ports
open to the internet.
This means attackers can try specific website attacks against the
application and the associated database, such as cross-site scripting
(XSS) and SQL injection.
While proxy firewalls generally protect clients, WAFs protect
servers.
Another great feature of WAFs is that they detect distributed denial
of service (DDoS) attacks in their early stages, absorb the volume of
traffic and identify the source of the attack.
Web application firewall
 Application Proxy Gateway

Application Proxy Gateway (APG) devices also perform an analysis of the traffic flow
on the application layer.
Compared to AF devices, APG devices provide a higher level of security for
individual applications since they never allow a direct connection between two hosts,
and they can perform an inspection of the content of application-layer messages.
APG devices contain so-called proxy agents or “intermediaries” in the communication
between two end hosts.
Each successful connection between the end hosts consists of two connections – one
between the client and the proxy server and the other between the proxy server and the
destination device.
 Application Proxy Gateway

Based on the filtering rules defined on the APG device, proxy agents decide whether
network traffic will be allowed or not.
Traffic-filtering decisions can also be made based on the information contained in the
header of an application-layer message or even based on the content conveyed by that
message. In addition, proxy agents can require user authentication.
There are also APG devices with the capability of packet decryption, analysis and re-
encryption, before a packet is forwarded to the destination host.
Packets that cannot be decrypted are simply forwarded through the device.
Application Proxy Gateway
 APG ( DEFICIENCIES)

Require more memory and greater utilization of processor time for analyzing and
interpreting each packet passing through the device.
As a result, APG devices are not suitable for filtering applications that are more
demanding in terms of bandwidth or applications that are sensitive to time delays.
 18

Conclusion