Introduction
A firewall is a hardware device or a software program that prevents a home P/C network of PC’s connected to the net from intentional external intruders which may be in the form of a Trojan horse, a hacker, a mistaken program, etc. If not employed may result in the loss of confidentiality, service denial, or a complete loss of data, which of course none would like.
A firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.
Evolution of the Firewall
In today’s world, most businesses, regardless of size, believe that access to the Internet is Imperative if they are going to compete effectively. Even though the benefit of connecting to the Internet is considerable, so are the risks. When a business connects its private network to the Internet, it is not just providing its employees access to external information and Internet
Services; it is also providing external users with a means to access the company’s own private Information. Horror stories abound in the media regarding companies that have had proprietary
Information stolen, modified, or otherwise compromised by attackers who gained access via the
Internet. For this reason, any business that has ever contemplated connecting to the Internet has been forced to deal with the issue of network security.
In response to these risks, a whole industry has formed during the last several years to meet the needs of businesses wanting to take advantage of the benefits of being connected to the
Internet while still maintaining the confidentiality, integrity, and availability of their own private information and network resources. This industry revolves around firewall technology.
A firewall provides a single point of defense between two networks--it protects one network from the other. Usually, a firewall protects the company’s private network from the public or shared networks to which it is connected. A firewall can be as simple as a router that filters packets or as complex as a multi-computer, multi-router solution that combines packet filtering and application-level proxy services.
Firewall technology is a young but quickly maturing industry. The first generation of firewall architectures has been around almost as long as routers, first appearing around 1985 and coming out of Cisco’s IOS software division. These firewalls are called packet filter firewalls. However, the first paper describing the screening process used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital Equipment Corporation published his studies.
During the 1989-1990 timeframe, Dave Presotto and Howard Trickey of AT&T Bell Laboratories pioneered the second generation of firewall architectures with their research in circuit relays, which are also known as circuit level firewalls. They also implemented the first working model of the third generation of firewall architectures, known as application layer firewalls. However, they neither published any papers describing this architecture nor released a product based upon their work.
The firewall industry’s initial innovations resulted from Department of Defense research and funding projects. However, the demand from the public sector for Internet-based security solutions has new and old security companies researching new architectures to meet the ever expanding requirements for high-speed security solutions that are extensible, flexible, and
maintainable.
What is a Firewall?
A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one, which exists to block traffic, and the other, which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don’t have a good idea what kind of access you want to permit or deny, or you simply permit someone or some product to configure a firewall based on what they or it think it should do, then they are making policy for your organization as a whole.
The term “Firewall” originally means a wall meant to prevent a fire from spreading from one block to another of the same building. In this rapidly expanding world of the Internet the potential threat of misdemeanor has also increased if not at a faster rate than the actual progress of the net itself. So thus arises the need to protect your network from these.
Location
This firewall as described earlier can be a software program or a hardware device. Thus, the way to look at it as shown in the figures that follow. Basically a firewall has to be present at all the entry points of the network for which it is designed. It has to sit at the gateway points between the two networks i.e. a private network and a public one as an internet.Thus what happens as result is that a firewall is the first component that reads the incoming data and the last one that reads the outgoing data.
Computer with software firewall
Hardware firewall
What does a firewall do?
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering.
Who needs a firewall?
Anyone who is responsible for a private network that is connected to a public network needs firewall protection. Furthermore, anyone who connects so much as a single computer to the Internet via modem should have personal firewall software.
Why we need a firewall?
The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic
equivalent of writing on other people’s walls with spray paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall’s purpose is to keep the jerks out of your network while still letting you get your job done.
Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company’s policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you’re a large company, is not justifying the expense or effort, but convincing management that it’s safe to do so. A firewall provides not only real security--it often plays an important role as a security blanket for management.
Design & Working of firewall
Here we must go into a little detail regarding networking and the various layers it is made of and the different firewalls are hence placed in these layers according to the type of application and the level of protection required. The lowest layer at which the firewall can operate is the protocol layer. At this layer only routing of data can take place on the basis of the source address that is provided to the firewall. At this layer the firewall cannot determine the contents of the packets or judge them acc. to that. Firewalls that operate at the transport layer know a little more about a packet, and are able to grant or deny access depending on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access.
| 5 | Application |
| 4 | Transport Control Protocol,User Datagram Protocol |
| 3 | Internet Protocol |
| 2 | Data Link |
| 1 | Physical |
It would appear then, that firewalls functioning at a higher level in the stack must be superior in every respect. This is not necessarily the case. The lower in the stack the packet is intercepted, the more secure the firewall. If the intruder cannot get past level three, it is impossible to gain control of the operating system.
Some of the basic design decisions in a firewall
The first and most important decision reflects the policy of how your company or organization wants to operate the system: is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net.
what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (e.g.: how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied.
The third issue is financial. We can’t address this one here in anything but vague terms, but it’s
important to try to quantify any proposed solutions in terms of how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end.
Basic types of firewall
Basically there exists three types of firewalls at three different network layers progressively increased security one may say.
Packet Filtering Firewall
Circuit Level Firewall
Application Layer Firewall (Proxy Server)
Dynamic Packet Filtering
Packet Filtering Firewall
First let me tell you what a packet is. In the most general case when we send an email to someone it gets divided into small packets of data by means of IP and travels through to the destination through various routes that are available. When it reaches its destination these packets of data are reassembled and rearranged by a TCP. So here comes in the work of a packet filtering firewall that it checks for the rules and the criteria before these packets are allowed in the secured network. This process is also done during the process of sending the information.
Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol.
A packet filter firewall is a first-generation firewall technology that analyzes network traffic at the transport protocol layer. Each IP network packet is examined to see if it matches one of a set of rules defining what data flows are allowed. These rules identify whether communication is allowed based upon information contained within the internet and transport layer headers and the direction in which the packet is headed (internal to external network or vice-versa).
Working of Packet Filter Firewall
Packet filters typically enable you to manipulate (that is, permit or prohibit) the transfer of data
based on the following controls:
The physical network interface that the packet arrives on
The address the data is (supposedly) coming from (source IP address)
The address the data is going to (destination IP address)
The type of transport layer (TCP, UDP, ICMP)
The transport layer source port
The transport layer destination port
Packet filters generally do not understand the application layer protocols used in the communication packets. Instead, they work by applying a rule set that is maintained in the TCP/IP kernel. This rule set contains an associated action that will be applied to any packets matching the criteria mentioned above.
Because packet filters are implemented in the network layer, they generally do not understand how to process state information in the high-level protocols, such as FTP. The more sophisticated packet filters are able to detect IP, TCP, UDP, and ICMP. Using a packet filter that includes the TCP/UDP port filtering capability, you can permit certain types of connections to be made to specific computers while prohibiting other types of connections to those computers and
similar connections to other computers.
The complete network packet inspection adheres to the following general algorithm:
If no matching rule is found, then drop the network packet.
If a matching rule is found that permits the communication, then allow peer-to-peer
communication.
Because this type of firewall does not inspect the network packet’s application layer data and
does not track the state of connections, this solution is the least secure of the firewall technologies . It allows access through the firewall with a minimal amount of scrutiny. In other words, if the checks succeed, the network packet is allowed to be routed through the firewall as defined by the rules in the firewall’s routing table. However, because it does less processing than
the other technologies, it is the fastest firewall technology available and is often implemented in
hardware solutions, such as IP routers.
To summarize, firewalls based on the packet filtering technologies have the following
advantages:
Packet filters are generally faster than other firewall technologies because they perform fewer evaluations. Also, they can easily be implemented as hardware solutions.
A single rule can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
Packet filters do not require client computers to be specifically configured; the packet filters do all of the work.
In conjunction with network address translation, you can use packet filter firewalls to shield internal IP addresses from external users.
Firewalls based on the packet filtering technologies have the following disadvantages:
Packet filters do not understand application layer protocols. They cannot restrict access to Protocol subsets for even the most basic services, such as the PUT or GET commands in FTP. For this reason, they are less secure than application layer and circuit level firewalls.
Packet filters are stateless in that they do not keep information about a session or application-derived information.
Packet filters have very limited abilities to manipulate information within a packet.
Packet filters do not offer value-added features, such as HTTP object caching, URL Filtering, and authentication because they do not understand the protocols being used and cannot discern one from another.
Packet filters cannot restrict what information is passed from internal computers to services on the firewall server. Packet filters only restrict what information can go to it. Thus, intruders can potentially access the services on the firewall server.
Packet filters have little or no audit event generation and alerting mechanisms.
Because of the complexity of supporting most non-trivial network services, it can be difficult to test "accept" and "deny" rules.
Circuit Level Firewall
Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged.
What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may for examples be based upon:
destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password
Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, wherein the source address is never validated as a function of the protocol. IP spoofing can be rendered much more difficult.
Working of Circuit Level Firewall
When a connection is set up, the circuit level firewall typically stores the following information about the connection:
A unique session identifier for the connection, which is used for tracking purposes
The state of the connection: handshake, established, or closing
The sequencing information
The source IP address, which is the address from which the data is being delivered
The destination IP address, which is the address to which the data is being delivered
The physical network interface through with the packet arrives
The physical network interface through which the packet goes out
Circuit level firewalls have only limited understanding of the protocols used in the network
packets. They can only detect one transport layer protocol, TCP. Like packet filters, circuit level firewalls work by applying a rule set that is maintained in the TCP/IP kernel.
Circuit level firewalls allow access through the firewall with a minimal amount of scrutiny by building a limited form of
further security checks. This method is very fast and provides a limited amount of state checking.
Circuit level firewalls often readdress network packets so that outgoing traffic appears to have originated from the firewall rather than an internal host. As stated previously, this process of readdressing network packets is called network address translation, and because circuit level firewalls maintain information about each session, they can properly map external responses back to the appropriate internal host.
To summarize, circuit level firewalls have the following advantages:
Circuit level firewalls are generally faster than application layer firewalls because they perform fewer evaluations.
A circuit level firewall can help protect an entire network by prohibiting connections between specific Internet sources and internal computers.
In conjunction with network address translation, you can use circuit level firewalls to shield internal IP addresses from external users.
Circuit level firewalls have the following disadvantages:
Circuit level firewalls cannot restrict access to protocol subsets other than TCP.
Circuit level firewalls cannot perform strict security checks on a higher-level protocol should the need arise.
Circuit level firewalls have limited audit event generation abilities but can typically tie a network data packet to an application layer protocol by building limited forms of session state.
Circuit level firewalls do not offer value-added features, such as HTTP object caching, URL filtering, and authentication because they do not understand the protocols being used and cannot discern one from another.
It can be difficult to test "accept" and "deny" rules.
3) Application Layer Firewall (Proxy Server)
Proxy servers are machines which have had the normal system daemons (telnetd, ftpd, etc) replaced with special servers. These servers are called proxy servers as they normally only allow onward connections to be made. This enables you to run (for example) a proxy telnet server on your firewall host, and people can telnet in to your firewall from the outside, go through some authentication mechanism, and then gain access to the internal network (alternatively, proxy servers can be used for signals coming from the internal network and heading out.
Proxy servers are normally more secure than normal servers, and often have a wider variety of authentication mechanisms available, including ``one-shot'' password systems so that even if someone manages to discover what password you used, they will not be able to use it to gain access to your systems as the password instantly expires. As they do not actually give users access to the host machine, it becomes a lot more difficult for someone to install backdoors around your security system.
Proxy servers often have ways of restricting access further, so that only certain hosts can gain access to the servers, and often they can be set up so that you can limit which users can talk to which destination machine. Again, what facilities are available depends largely on what proxy software you choose.
The flow of communications between a real client and a network server when the communications pass through a proxy service.
A proxy client is part of a user application that talks to the real server on the external network on behalf of the real client. When a real client requests a service, the proxy server evaluates that request against the policy rules defined for that proxy and determines whether to approve it. If it approves the request, the proxy server forwards that request to the proxy client.
The proxy client then contacts the real server on behalf of the client (thus the term "proxy") and proceeds to relay requests from the proxy server to the real server and to relay responses from the real server to the proxy server. Likewise, the proxy server relays requests and responses between the proxy client and the real client.
Proxy services never allow direct connections, and they force all network packets to be examined and filtered for suitability. Instead of communicating directly with the real service, a user communicates to the proxy server (because the user’s default gateway is set to point to the proxy server on the firewall). The same is true from the perspective of the real service
communicating with a user. The proxies handle all communications between the user and a real service.
To summarize, proxy services have several key advantages:
Proxy services understand and enforce high-level protocols, such as HTTP and FTP.
Proxy services maintain information about the communications passing through the firewall server. They provide partial communication-derived sate information, full application-derived state information, and partial session information.
Proxy services can be used to deny access to certain network services, while permitting access to others.
Proxy services are also capable of processing and manipulating packet data.
Proxy services do not allow direct communications between external servers and internal computers, so the names of internal computers do not have to be made known to external computers.
In other words, proxy services shield internal IP addresses from the external world.
By providing transparency, proxies provide users with the appearance that they are communicating directly with external servers.
Proxy services can route internal services, as well as external-to-internal requests, elsewhere (for example, they can route services to an HTTP server on another computer).
Proxy services can provide value-added features, such as HTTP object caching, URL filtering, and user authentication.
Proxy services are good at generating audit records, allowing administrators to monitor
attempts to violate the firewall’s security policies.
Proxy services also have some disadvantages. These disadvantages include the following:
Proxy services require you to replace the native network stack on the firewall server.
Application level firewalls cannot provide proxies for UDP, RPC, and other services from common protocol families.
Proxy services often require modifications to clients or client procedures, thus adding a task to the configuration process.
Because the proxy servers listen on the same port as network servers, you cannot run network servers on the firewall server.
Proxy services introduce performance delays. Inbound data has to be processed twice, by
the application and by its proxy (for example, the Internet e-mail application talks to the proxy e-mail agent, which in-turn talks to a LAN e-mail application).
4) Dynamic Packet Filtering
A dynamic packet filter firewall is a fourth-generation firewall technology that allows modification of the security rule base on the fly. This type of technology is most useful for providing limited support for the UDP transport protocol. The UDP transport protocol is typically used for limited information requests and queries in application layer protocol
exchanges.
Dynamic packet filter firewalls have the same advantages and disadvantages associated
with first-generation packet filter firewalls with one notable exception: the advantage of not allowing unsolicited UDP packets onto your internal network. As long as a UDP request packet originated on your internal network and is delivered to an untrusted host, the firewall server allows what appears to be a response packet to be delivered to the originating host. The response packet that is allowed back must contain a destination address that matches the original source
address, a transport layer destination port that matches the original source port, and the same
transport layer protocol type.
This feature is useful for allowing application layer protocols, such as the Domain Name System (DNS), to operate across your security perimeter. An internal DNS server must originate requests to other DNS servers running on the Internet to retrieve address information for unknown hosts. DNS servers may make these requests using a TCP connection or UDP virtual connection.
A dynamic packet filter firewall may also be used to provide support for a limited subset of the ICMP transport protocol. ICMP is often used to test network connectivity by sending a pair of network packets between two cooperating hosts. Because the firewall server can allow a response to cross the firewall at the request of an internal host, the internal host is able to deduce that a host exists on an untrusted network.
Critical resources in a firewall
It’s important to understand the critical resources of your firewall architecture, so when you do
capacity planning, performance optimizations, etc., you know exactly what you need to do, and how much you need to do it in order to get the desired result.
What exactly the firewall’s critical resources are tends to vary from site to site, depending on the
sort of traffic that loads the system. Some people think they’ll automatically be able to increase the data throughput of their firewall by putting in a box with a faster CPU, or another CPU, when this isn’t necessarily the case. Potentially, this could be a large waste of money that doesn’t doanything to solve the problem at hand or provide the expected scalability.
On busy systems, memory is extremely important. You have to have enough RAM to support every instance of every program necessary to service the load placed on that machine. Otherwise, the swapping will start and the productivity will stop. Light swapping isn’t usually much of a problem, but if a system’s swap space begins to get busy, then it’s usually time for more RAM. A system that’s heavily swapping is often relatively easy to push over the edge in a denial-ofservice attack, or simply fall behind in processing the load placed on it. This is where long email delays start.
Service Critical Resource
Email Disk I/O
Netnews Disk I/O
Web Host OS Socket
IP Routing Host OS Socket
Web Cache Host OS Socket
Future scope
Many administrators mistakenly assume that once their firewall is online and shown to be effective, their security problem is gone. That’s simply not the case. For example, let’s say the only thing you allow through your firewall is e-mail. An employee gets a message from a branch office asking him to email a CAD file to them. So the employee looks at the From address, verifies that its correct, clicks reply, attaches the file and unknowingly sends the CAD file to the hackers that forged the email request because the Reply to address isn’t the same as the From Address. Your firewall cant realistically do anything about this type of exploitations because many typical users have different From and Reply-to addresses for very valid reasons, like they send mail from multiple email addresses but only want to receive mail at one.
There is another serious threat to the security of your network: hidden border crossing. Modems provide the ability for any user on your network to dial out to their own Internet service provider and completely circumvent your firewall. Modems are cheap and they come in most computers sold these days. All modern client operating systems come with the software requited for setting up modems to connect to a dial-up Internet service provider. And it’s a good bet that most your computer-savvy employees have their own dialup networking accounts they could use from work.
Most users don’t understand that all IP connections are a security risk. Modem PPP connections to the Internet are bi-directional just like leased lines. And there is a good chance that their client has file sharing turned on, so their computer can be exploited directly from the Internet!!!
Research area
A firewall cannot prevent individual users with modems from dialling into or out of the network, bypassing the firewall altogether. Employee misconduct or carelessness cannot be controlled by firewalls. Policies involving the use and misuse of passwords and user accounts must be strictly enforced. These are management issues that should be raised during the planning of any security policy but that cannot be solved with firewalls alone. The arrest of the Phonemasters cracker ring brought these security issues to light. Although they were accused of breaking into information systems run by AT&T Corp.,
British Telecommunications Inc., GTE Corp., MCI WorldCom,
either of these techniques.
