Tech 101: Understanding Firewalls


In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

Transcript of Tech 101: Understanding Firewalls

Page 1: Tech 101: Understanding Firewalls

“Firewall”

Page 2: Tech 101: Understanding Firewalls

Outline

1. Introduction to Firewall
2. Why firewalls are needed?
3. Types of Firewall
4. Hardware vs. Software firewalls
5. What it protects you from?
6. Making Firewall Fit
7. Appropriate Use Of Firewall
8. Personal Firewall
9. Firewall Security Policy characteristics
10. Issues and problems with firewalls
11. Conclusion

Page 3: Tech 101: Understanding Firewalls

Introduction

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Page 4: Tech 101: Understanding Firewalls

What is a Firewall?

Page 5: Tech 101: Understanding Firewalls
Page 6: Tech 101: Understanding Firewalls

Why Firewalls are Needed

– Prevent attacks from untrusted networks
– Protect data integrity of critical information
– Preserve customer and partner confidence

Page 7: Tech 101: Understanding Firewalls

There are three common types of firewalls

– Packet-Filtering Router
– Application Level Gateway
– Circuit Level Gateway

Page 8: Tech 101: Understanding Firewalls

Packet Filtering Router

– Packets examined at the network layer
– Useful “first line” of defense - commonly deployed on routers
– Simple accept or reject decision model
– No awareness of higher protocol layers

Figure: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) of the two end hosts and of the packet-filtering router, which only works up to the Network layer

Page 9: Tech 101: Understanding Firewalls

Firewall – Packet Filtering

– Set of rules that either allow or disallow traffic to flow through the firewall
– Can filter based on any information in the Packet Header:
  – IP Source Address
  – IP destination address
  – Protocol
  – Source Port
  – Destination Port
  – Message type
  – Interface the packets arrive on and leave
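The rule evaluation described on this slide, as an added example that is not code from the slides: a small stateless packet filter in Python that matches on the header fields listed above, checks the rules top-down with the first match deciding, and rejects anything that matches no rule (default deny). The addresses, the interface names `ext` and `int`, and the rule set are constructed for illustration.

```python
"""Stateless packet-filter rule evaluation (added example; not code from the slides).

Rules match on IP source and destination address, protocol, source and
destination port, ICMP message type, and the interface the packet arrives on.
All addresses, interface names and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None      # None for ICMP
    dport: Optional[int] = None
    msg_type: Optional[int] = None   # ICMP type, e.g. 8 = echo request
    in_iface: str = "ext"            # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "reject"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None means "any" for this field
    sport: Optional[int] = None
    dport: Optional[int] = None
    msg_type: Optional[int] = None
    in_iface: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # Every remaining field is a wildcard when the rule leaves it unset.
        for want, have in ((self.proto, pkt.proto), (self.sport, pkt.sport),
                           (self.dport, pkt.dport), (self.msg_type, pkt.msg_type),
                           (self.in_iface, pkt.in_iface)):
            if want is not None and want != have:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is rejected (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "reject"


# Constructed rule set for a router with an "ext" (Internet) and an "int" (LAN) interface.
INTERNAL_NET = "10.0.0.0/8"
WEB_SERVER = "192.0.2.10/32"
RULES = [
    # Anti-spoofing: an internal source address must never arrive on the external interface.
    Rule("reject", src=INTERNAL_NET, in_iface="ext", comment="spoofed internal source"),
    # Published services on the web server.
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=80, in_iface="ext"),
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=443, in_iface="ext"),
    # Outside hosts may ping the web server (echo request) but send no other ICMP type.
    Rule("accept", dst=WEB_SERVER, proto="icmp", msg_type=8, in_iface="ext"),
    # Internal hosts may initiate anything outbound.
    Rule("accept", src=INTERNAL_NET, in_iface="int"),
]
```

Because the filter has no memory of connections, it cannot tell whether an inbound packet is a reply to something an internal host started; the rule set above therefore only opens the ports it explicitly publishes.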

Page 10: Tech 101: Understanding Firewalls

Figure: Packet Filtering router

Page 11: Tech 101: Understanding Firewalls

Advantages

– Application independent - only examines the packet at the network layer
– High performance - simple rules that require little processing and decision making beyond what is normally done for routing decisions
– Scalable - low overhead of filtering means that large amounts of traffic can be handled
– Transparent - users don’t need to provide additional passwords or use special commands to initiate connections

Page 12: Tech 101: Understanding Firewalls

Disadvantages

– Examines and filters only at the network layer - no application level awareness or state context is maintained
– Security is weak - the state of a given connection is not maintained, making it easier to exploit networking protocols and applications

Page 13: Tech 101: Understanding Firewalls

Application Gateway or Proxy

Figure: OSI layer stacks of the two end hosts and of the application gateway, which processes traffic all the way up to the Applications layer

– Packets examined at the application layer
– Application/Content filtering possible - prevent FTP “put” commands, for example
– Modest performance
– Scalability limited

Page 14: Tech 101: Understanding Firewalls

Firewalls - Application Level Gateway (or Proxy)

Page 15: Tech 101: Understanding Firewalls

Application Level Gateway

Advantages

– Provide good security - connections are terminated and re-initiated, ensuring that all data payloads are inspected at the application layer
– Full application layer awareness - inspecting the data payload at the application layer provides for thorough translation of the contents of the payload

Page 16: Tech 101: Understanding Firewalls

Disadvantages

– Screens a limited number of applications - requires a separate proxy for each new service (slow to respond to new and emerging protocols) - proxy must be compiled for each platform supported
– Connectivity and transparency are broken
– Poor performance - many data copies & context switches must occur for the packet to be processed

Page 17: Tech 101: Understanding Firewalls

Circuit Level Gateway

Figure: OSI layer stacks of the two end hosts and of the gateway; an INSPECT Engine with Dynamic State Tables sits between the Data Link and Network layers of the gateway

– It is also known as stateful inspection
– Packets inspected between data link layer and network layer in the OS kernel
– State tables are created to maintain connection context
– Invented by Check Point
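To show what a state table buys over the stateless packet filter of the earlier slides, an added example that is not code from the slides or from Check Point: a minimal stateful inspector in Python keeps a table keyed by the connection 4-tuple, admits inbound packets only when they belong to a connection opened from the trusted side, and expires idle entries. It is run side by side with a stateless rule set that has to accept any inbound packet carrying the ACK flag in order to let replies through. The packet sequence, addresses, state names and the 60 s idle timeout are constructed for the example; FIN handling (TIME_WAIT) is left to the idle timeout for brevity.

```python
"""Stateful inspection with a dynamic state table (added example; not code from
the slides or from Check Point). Compares a stateless 'accept inbound if ACK
set' rule with a connection-tracking engine. All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str          # "out" = trusted -> untrusted, "in" = untrusted -> trusted


# State-table key, always ordered (inside ip, inside port, outside ip, outside port)
ConnKey = Tuple[str, int, str, int]


def _conn_key(p: Pkt) -> ConnKey:
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


class StatelessFilter:
    """No memory: outbound TCP is allowed; inbound TCP is allowed only if ACK is set."""

    def decide(self, p: Pkt, now: float) -> str:
        if p.direction == "out":
            return "accept"
        return "accept" if "ACK" in p.flags else "reject"


class StatefulInspector:
    """Tracks connections in a state table; inbound traffic needs a matching entry."""

    def __init__(self, idle_timeout: float = 60.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[ConnKey, dict] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, p: Pkt, now: float) -> str:
        self._expire(now)
        key = _conn_key(p)
        entry = self.table.get(key)
        if p.direction == "out":
            if entry is None:
                # Only a bare SYN from the inside may create state; anything else is stray.
                if p.flags == frozenset({"SYN"}):
                    self.table[key] = {"state": "SYN_SENT", "last_seen": now}
                    return "accept"
                return "reject"
        else:
            # Inbound packets must belong to a connection the inside opened.
            if entry is None:
                return "reject"
            if entry["state"] == "SYN_SENT":
                if p.flags == frozenset({"SYN", "ACK"}):
                    entry["state"] = "ESTABLISHED"
                elif "RST" not in p.flags:
                    return "reject"   # half-open: only SYN/ACK or RST is expected here
        entry["last_seen"] = now
        if "RST" in p.flags:
            del self.table[key]       # a reset tears the connection down immediately
        return "accept"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed packet sequence; returns (stateless, stateful) decisions per packet."""
    inside, server, probe = "10.0.0.5", "203.0.113.9", "198.51.100.77"
    seq = [
        (0.0, Pkt(inside, server, 40000, 443, frozenset({"SYN"}), "out")),          # client opens
        (0.1, Pkt(server, inside, 443, 40000, frozenset({"SYN", "ACK"}), "in")),    # server replies
        (0.2, Pkt(inside, server, 40000, 443, frozenset({"ACK"}), "out")),          # handshake done
        (1.0, Pkt(probe, inside, 1234, 22, frozenset({"ACK"}), "in")),              # unsolicited ACK
        (5.0, Pkt(server, inside, 443, 40000, frozenset({"ACK"}), "in")),           # data, tracked conn
        (200.0, Pkt(server, inside, 443, 40000, frozenset({"ACK"}), "in")),         # after idle timeout
    ]
    stateless, stateful = StatelessFilter(), StatefulInspector(idle_timeout=60.0)
    return [(stateless.decide(p, t), stateful.decide(p, t)) for t, p in seq]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The fourth packet is the point of the slide: the stateless rule admits it because it carries ACK, while the stateful engine rejects it because no inside host ever opened that connection. The last packet shows the other side of keeping state: entries must be expired, otherwise the table grows without bound.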

Page 18: Tech 101: Understanding Firewalls

Firewalls - Circuit Level Gateway

Page 19: Tech 101: Understanding Firewalls

Hardware vs. Software Firewalls

Hardware Firewalls
– Protect an entire network
– Implemented on the router level
– Usually more expensive, harder to configure

Software Firewalls
– Protect a single computer
– Usually less expensive, easier to configure

Page 20: Tech 101: Understanding Firewalls

What it Protects you from

– Application backdoors
– SMTP session hijacking
– Operating system bugs
– Denial of service
– Remote Login
– E-mail bombs
– Macros
– Viruses
– Spam

Page 21: Tech 101: Understanding Firewalls

Making Firewall Fit

Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:

– IP addresses
– Domain names
– Protocols
– Ports

Page 22: Tech 101: Understanding Firewalls

Appropriate use of firewall

Firewalls are applicable when:
– There are two networks that have a distinct trust factor (friend/foe).
– The network topology is designed to flow all traffic through a single interface which connects to the firewall (i.e. the protected networks’ connection must terminate behind the firewall).
– There is a need for an extra layer of protection for certain applications.

Page 23: Tech 101: Understanding Firewalls

What a personal firewall can do?

– Stop hackers from accessing your computer
– Protects your personal information
– Blocks “pop up” ads and certain cookies
– Determines which programs can access the Internet

Page 24: Tech 101: Understanding Firewalls

What a personal firewall cannot do?

– Cannot prevent e-mail viruses
  – Only an antivirus product with updated definitions can prevent e-mail viruses
– After setting it initially, you can forget about it
  – The firewall will require periodic updates to the rulesets and the software itself

Page 25: Tech 101: Understanding Firewalls

Windows XP Firewall

– Currently *not* enabled by default
– Enable under Start -> Settings -> Control Panel
– Select Local Area Connection
– Select the Properties button
– Click the “Advanced” tab

Page 26: Tech 101: Understanding Firewalls

Windows XP firewall

Page 27: Tech 101: Understanding Firewalls

Firewall Security Policy characteristics

– Defines network use and responsibilities for:
  – Users
  – Management
  – Network administrators
– Identifies who is allowed use of network resources
– Defines who is authorized to grant/deny access
– Defines auditing requirements
– Defines recovery plan

Page 28: Tech 101: Understanding Firewalls

Issues and problems with firewalls

– Restricted access to desirable services
– Large potential for back doors
– Little protection for insider attack and other issues.

Page 29: Tech 101: Understanding Firewalls

Conclusions

Nowadays firewalls come with built-in virus scanning facilities; the disadvantage is that they cannot scan attached applications or files, so computer systems are still vulnerable to the viruses that come with them. New inventions need to overcome this problem.

Page 30: Tech 101: Understanding Firewalls

Thank You!