Web Systems Lecture 8 - Firewalls

This lecture is divided into hyperlinked sections

Introduction - The Need for Security
What is a Firewall?
Internet Firewalls
What an Internet Firewall cannot do
Firewall Design
Firewall Techniques
Packet Filtering
Application Gateway
Circuit-level Gateway
Other Security Techniques
Who are we protecting against?
Conclusion
Resources
Terminology


Introduction - The Need for Security

Today's computer and communication systems are interconnected by the Internet. Information may be moved around the globe with ease. Huge amounts of public and private information are held on computer systems that are connected to the Internet.

The public information is held on public FTP servers and web servers around the world and is freely available for access. The private information must be held securely so that only those with the authority to view or amend such information are given the permission to do so.

Apart from the private information, the operating systems and software needed to run the world's computers must also be restricted to those administrators and system programmers who need access to the system files.

Without some form of security, the data held on computers and the system files that run the systems themselves are vulnerable to being read, modified or corrupted. It can be said that the data has been compromised.

All computer systems are vulnerable to entry by unauthorised users, whether it is from within the company or from somebody external to the company accessing the system via the Internet. Regardless of the whereabouts of the unwanted intruder, all computer systems should have some form of protection.

Common security measures include data encryption and passwords. Encryption is the transformation of data into a form that is unintelligible without the key needed to decipher it. A password is a secret word or phrase that gives a user access to a particular program or system. A further technique for protecting networked systems is the firewall.


What is a Firewall?

A firewall is a system that has been designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

The firewall determines which inside services may be accessed from the outside, which outsiders are permitted access to those inside services, and which outside services may be accessed by insiders. For a firewall to be effective, all traffic to and from the Internet must pass through the firewall, where it can be inspected. The firewall must permit only authorized traffic to pass, and the firewall itself must resist penetration, since a compromised firewall protects nothing behind it.


Internet Firewalls

Internet firewalls allow the network administrator to define a centralized "choke point" that keeps unauthorized users such as hackers, crackers, vandals, and spies out of the protected network; prohibits potentially vulnerable services from entering or leaving the protected network; and provides protection from various types of routing attacks. An Internet firewall simplifies security management, since network security is consolidated on the firewall systems rather than being distributed to every host in the entire private network.

An Internet firewall also gives an organisation a single, well-defined point at which to offer services to outside customers. Public World Wide Web and FTP servers belong at that perimeter, on a bastion host or screened subnet that the firewall keeps separate from the internal network. The firewall is then configured to allow Internet access to those servers while prohibiting external access to the other systems on the protected network.


What an Internet Firewall cannot do

An Internet firewall cannot protect against attacks that do not go through the firewall. For example, if unrestricted dial-out is permitted from inside the protected network, internal users can make a direct SLIP or PPP connection to the Internet.

Firewalls do not prohibit traitors or corporate spies from copying sensitive data onto floppy disks or PCMCIA cards and removing them from a building. Firewalls do not protect against attacks where a hacker possesses a valid login/password pair obtained from a naive user or by other means, because to the firewall such a session looks exactly like authorized traffic.

Internet firewalls cannot protect against the transfer of virus-infected software or files. Since there are so many different viruses, operating systems, and ways of encoding and compressing binary files, an Internet firewall cannot be expected to accurately scan each and every file for potential viruses.

Internet firewalls cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack. For example, a data-driven attack could cause a host to modify security-related files, making it easier for an intruder to gain access to the system. This type of file may be introduced to the computer system by email.


Firewall Design

There are two completely opposing approaches to firewall design.

Everything not specifically permitted is denied.

This stance assumes that a firewall should block all traffic, and that each desired service or application should be implemented on a case-by-case basis. This is the recommended approach. It creates a very secure environment, since only carefully selected services are supported. The disadvantage is that it places security ahead of ease of use, limiting the number of options available to the user community.

Everything not specifically denied is permitted.

This stance assumes that a firewall should forward all traffic, and that each potentially harmful service should be shut off on a case-by-case basis. This approach creates a more flexible environment, with more services available to the user community. The disadvantage is that it puts ease of use ahead of security: every service nobody has thought to block is exposed by default, and keeping the deny list complete becomes harder as the protected network and the number of services on it grow.


Firewall Techniques

There are several types of firewall techniques available:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but rule sets are difficult to write correctly, and a simple filter is stateless: it judges each packet on its own, without knowing whether it belongs to an established connection. It is also susceptible to IP spoofing unless the rules check the interface a packet arrives on against its claimed source address.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP connection (or, for UDP, a session) is set up. Once the connection has been approved, packets flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.


Packet Filtering

A packet is a piece of a message that is transmitted over a packet-switching network. One of the key features of a packet (datagram) is that it contains the destination address and the source address in addition to the data.

A packet-filtering router makes a permit/deny decision for each packet that it receives. The router examines each datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on the packet header information that is made available to the IP forwarding process. This information consists of the IP source address, the IP destination address, the encapsulated protocol (TCP, UDP, ICMP, or IP Tunnel), the TCP/UDP source port, the TCP/UDP destination port, the ICMP message type, the incoming interface of the packet, and the outgoing interface of the packet.

If a match is found and the rule permits the packet, the packet is forwarded according to the information in the routing table. If a match is found and the rule denies the packet, the packet is discarded. If there is no matching rule, a user-configurable default parameter determines whether the packet is forwarded or discarded.

The packet-filtering rules allow a router to permit or deny traffic based on a specific service, since most service listeners reside on well-known TCP/UDP port numbers. For example, a Telnet server listens for remote connections on TCP port 23 and an SMTP server listens for incoming connections on TCP port 25. To block all incoming Telnet connections, the router simply discards all packets that contain a TCP destination port value equal to 23. To restrict incoming Telnet connections to a limited number of internal hosts, the router must deny all packets that contain a TCP destination port value equal to 23 and that do not contain the destination IP address of one of the permitted hosts. Because a stateless filter sees each direction separately, permitting an outbound Telnet session also requires permitting the replies (TCP source port 23, ACK bit set) back in; a stateful firewall tracks the connection and admits the replies automatically.

Some typical filtering rules include:

     Permit incoming Telnet sessions only to a specific list of internal hosts
     Permit incoming FTP sessions only to specific internal hosts
     Permit all outbound Telnet sessions
     Permit all outbound FTP sessions
     Deny all incoming traffic from specific external networks
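The following is an added example, not code from the lecture: a small stateless packet-filter simulator that implements the typical rules listed above together with an anti-spoofing rule, and that takes the default stance from the Firewall Design section as a parameter so the two stances can be compared on the same packets. The protected network 10.1.0.0/16, the interface names "ext" and "int", the host addresses and the sample packets are all constructed for the illustration.

```python
# Added example (not from the lecture): a stateless packet-filter simulator.
# Rules are evaluated in order, first match wins, and unmatched packets fall
# through to a configurable default stance ("deny" or "permit").
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a filtering router sees (constructed sample data)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]  # None for ICMP
    dport: Optional[int]
    in_if: str            # arrival interface: "ext" (Internet) or "int" (inside)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    in_if: Optional[str] = None  # None matches any arrival interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.in_if in (None, p.in_if))


def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; unmatched packets get the default stance."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


INTERNAL = "10.1.0.0/16"   # hypothetical protected network
RULES = [
    # Anti-spoofing: an internal source address never legitimately arrives
    # on the outside interface, so drop it before any permit rule can match.
    Rule("deny", src=INTERNAL, in_if="ext"),
    # Deny all incoming traffic from a specific external network.
    Rule("deny", src="192.0.2.0/24", in_if="ext"),
    # Incoming Telnet and FTP only to designated internal hosts.
    Rule("permit", dst="10.1.1.10/32", proto="tcp", dport=23, in_if="ext"),
    Rule("permit", dst="10.1.1.20/32", proto="tcp", dport=21, in_if="ext"),
    # All outbound Telnet and FTP from internal hosts.
    Rule("permit", src=INTERNAL, proto="tcp", dport=23, in_if="int"),
    Rule("permit", src=INTERNAL, proto="tcp", dport=21, in_if="int"),
]

# Constructed sample packets (addresses from the documentation ranges).
SAMPLES = {
    "telnet_to_listed_host": Packet("203.0.113.5", "10.1.1.10", "tcp", 40001, 23, "ext"),
    "telnet_to_other_host":  Packet("203.0.113.5", "10.1.1.11", "tcp", 40002, 23, "ext"),
    "spoofed_internal_src":  Packet("10.1.1.5", "10.1.1.10", "tcp", 40003, 23, "ext"),
    "from_blocked_network":  Packet("192.0.2.9", "10.1.1.10", "tcp", 40004, 23, "ext"),
    "outbound_ftp":          Packet("10.1.2.3", "198.51.100.7", "tcp", 50001, 21, "int"),
    "inbound_smtp":          Packet("203.0.113.5", "10.1.1.10", "tcp", 40005, 25, "ext"),
}


def evaluate(default: str) -> Dict[str, str]:
    """Verdict for every sample packet under the given default stance."""
    return {name: filter_packet(RULES, p, default) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for stance in ("deny", "permit"):
        print(f"default {stance}:")
        for name, verdict in evaluate(stance).items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the point of the two stances: the same rule set blocks the unlisted Telnet host and the inbound SMTP connection under "everything not permitted is denied", but lets both through under "everything not denied is permitted", because nobody wrote a rule for them. The spoofed packet and the blocked network are rejected under either stance only because their deny rules come first; moving the anti-spoofing rule below the Telnet permit would let the spoofed packet in. The simulator is stateless and does not model return traffic, which a real rule set must also permit.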


Application gateway

An application-level gateway allows the network administrator to implement a much stricter security policy than with a packet-filtering router. Rather than relying on a generic packet-filtering tool to manage the flow of Internet services through the firewall, special-purpose code (a proxy service) is installed on the gateway for each desired application. If the network administrator does not install the proxy code for a particular application, the service is not supported and cannot be forwarded across the firewall. Also, the proxy code can be configured to support only those specific features of an application that the network administrator considers acceptable while denying all other features.

This enhanced security comes with an increased cost in terms of purchasing the gateway hardware platform, the proxy service applications, the time and knowledge required to configure the gateway, a decrease in the level of service that may be provided to users, and a lack of transparency resulting in a less user-friendly system. As always, the network administrator is required to balance the organization's need for security with the user community's demand for ease of use.
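As an added example (not from the lecture, and not any vendor's gateway code), the sketch below shows the two properties of an application-level gateway described above: a service crosses the gateway only if proxy code for it is installed, and the proxy understands the protocol well enough to permit some features and refuse others. It uses FTP because its control channel is a simple line protocol. The read-only site policy, the 510-byte line cap and the client session are constructed for the illustration.

```python
# Added example (not from the lecture): an application-level gateway that
# installs one proxy per service and enforces a feature-level policy in it.
from typing import Callable, Dict, List, Tuple

Verdict = Tuple[bool, str]   # (forward to server?, reply sent to client if refused)

# Hypothetical site policy: outbound FTP may read, never write, never run SITE commands.
FTP_PERMITTED = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}
FTP_MAX_LINE = 510           # RFC 959 caps a command line at 512 bytes including CRLF


def ftp_proxy(command_line: str) -> Verdict:
    """Parse one FTP control-channel line and decide whether to forward it."""
    line = command_line.rstrip("\r\n")
    if len(line) > FTP_MAX_LINE:
        return False, "500 Line too long"        # blunts overlong-input attacks on the server
    if not line or any(ord(c) < 32 or ord(c) > 126 for c in line):
        return False, "500 Malformed command"    # only printable ASCII reaches the server
    verb, _, args = line.partition(" ")
    verb = verb.upper()
    if verb not in FTP_PERMITTED:
        return False, "502 Command not permitted by gateway policy"
    if verb == "PASV" and args:
        return False, "501 PASV takes no argument"
    return True, ""


# Only services with proxy code installed can cross the gateway.
PROXIES: Dict[str, Callable[[str], Verdict]] = {"ftp": ftp_proxy}


def gateway(service: str, lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Run each client line through the service's proxy; refuse unknown services."""
    proxy = PROXIES.get(service)
    if proxy is None:
        return [(line, False, "service not supported: no proxy installed") for line in lines]
    return [(line, *proxy(line)) for line in lines]


def forwarded_verbs(service: str, lines: List[str]) -> List[str]:
    """The command verbs the gateway actually passed on to the outside server."""
    return [line.split()[0].upper() for line, ok, _ in gateway(service, lines) if ok]


# Constructed client session (not captured traffic).
SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "CWD pub\r\n",
    "RETR README\r\n",
    "STOR payload.exe\r\n",     # upload: refused by policy
    "DELE README\r\n",          # delete: refused by policy
    "SITE EXEC ls\r\n",         # server-side command execution: refused by policy
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, ok, reply in gateway("ftp", SESSION):
        print(f"{line.rstrip():28s} {'forward' if ok else 'refuse: ' + reply}")
    print("smtp:", gateway("smtp", ["HELO mail.example.org\r\n"])[0][2])
```

A packet filter could only decide whether TCP port 21 is reachable; the proxy decides per command, which is the "specific features of an application" the text refers to. The cost is visible too: this code knows FTP and nothing else, so each further service needs its own proxy written and maintained.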


Circuit-level gateway

A circuit-level gateway is a specialized function that can be performed by an application-level gateway. A circuit-level gateway simply relays TCP connections without performing any additional packet processing or filtering.

An example of use is passing a Telnet connection through a circuit-level gateway. The circuit-level gateway simply relays the Telnet connection through the firewall but does no additional examination, filtering, or management of the Telnet protocol. The circuit-level gateway acts like a wire, copying bytes back and forth between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it conceals information about the protected network.

Circuit-level gateways are often used for outgoing connections where the system administrator trusts the internal users. Their chief advantage is that a bastion host can be configured as a hybrid gateway supporting application-level or proxy services for inbound connections and circuit-level functions for outbound connections. This makes the firewall system easier to use for internal users who want direct access to Internet services, while still providing the firewall functions needed to protect the organization from external attack.
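The relay below is an added example, not the lecture's or any product's code, of the "wire" behaviour described above: it accepts an inside connection, opens its own connection to the destination, and copies bytes in both directions without looking at them. Everything runs on 127.0.0.1 with a stand-in server that records who connected, so the demonstration is offline; the server, the message and the port handling are constructed for the illustration, and real circuit-level gateways add a client handshake (SOCKS, for example) that this sketch omits.

```python
# Added example (not from the lecture): a circuit-level relay on localhost.
import socket
import threading
from typing import Dict, List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the half-close along."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)      # no parsing, no filtering: just a wire
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_circuit(listener: socket.socket, target: Tuple[str, int]) -> None:
    """Accept one inside client and splice it to a fresh outbound connection.

    The outbound connection is the gateway's own, so the target sees the
    gateway's address and port, never the inside client's."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def _toy_server(listener: socket.socket, peers: List[Tuple[str, int]]) -> None:
    """Stand-in for the outside service: record the peer, echo in upper case."""
    conn, peer = listener.accept()
    peers.append(peer)
    conn.sendall(conn.recv(4096).upper())
    conn.close()


def _listen_local() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # ephemeral port so the demo never collides
    s.listen(1)
    return s


def demo() -> Dict[str, object]:
    """Send one message through the relay; report what the server saw."""
    server_l, relay_l = _listen_local(), _listen_local()
    peers: List[Tuple[str, int]] = []
    threading.Thread(target=_toy_server, args=(server_l, peers), daemon=True).start()
    threading.Thread(target=serve_circuit,
                     args=(relay_l, server_l.getsockname()), daemon=True).start()

    client = socket.create_connection(relay_l.getsockname())
    client_port = client.getsockname()[1]
    client.sendall(b"hello through the circuit\n")
    client.shutdown(socket.SHUT_WR)          # tell the relay we are done sending
    reply = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    server_l.close()
    relay_l.close()
    return {
        "reply": reply,
        # The server's peer port is the relay's outbound port, not the client's.
        "client_visible_to_server": peers[0][1] == client_port,
    }


if __name__ == "__main__":
    print(demo())
```

Because the relay never interprets the bytes, it cannot refuse a STOR inside an FTP session the way the application gateway can; it only decides whether the circuit is set up at all. That is why the text reserves it for outbound connections from trusted users, paired with application-level proxies for inbound traffic on the same bastion host.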


Other Security Techniques

The network administrator should deploy anti-viral software at each desktop to protect individual systems against the introduction of a virus from floppy disks or any other source.


Who are we protecting against?

It is difficult to describe a typical hacker attack because intruders have different levels of technical expertise and many different motivations. Some hackers are intrigued by the challenge, some are curious about computers and use methods and tools that were created by others (script kiddies), others just want to make life more difficult for others, and still others are out to steal sensitive data for profit.


Conclusion

Because there are many people who for a variety of reasons would wish to break into a computer system, it is necessary to build some sort of security into the network. A firewall is considered a first line of defense in protecting private information.

A firewall should be placed at the entry and exit points for data within an organisation.

Several methods of protecting a system exist. Packet filtering examines the headers of packets as they arrive at the firewall. An application gateway runs a piece of code on the gateway that is specific to each application to be allowed through, e.g. FTP, SMTP or Telnet; without that code running on the gateway, the service is not supported and cannot cross it.

A Circuit Level Gateway passes messages across, but does not reveal information concerning the system that it is protecting. This is useful at the exit points of a computer network.

For greater security, stored data can be encrypted. The software that runs the system is harder to protect this way, because it must be decrypted at run time and is therefore exposed while it runs.

Whatever firewall is designed, it must be remembered that a good security policy is required across the company, perhaps with staff training sessions to keep them from making very simple mistakes that can cost a company dearly.


Resources

Cisco Systems Firewall Resources
http://webopedia.internet.com/TERM/f/firewall.html



Terminology

Back door
A security hole in a compromised system that allows continued access to the system by an intruder even if the original attack is discovered.

Bastion host
A designated Internet firewall system specifically armored and protected against attacks.

Circuit-level gateway
A specialized function that relays TCP connections without performing any additional packet processing or filtering.

Internet firewall
A system or group of systems that enforces an access control policy between an organization's network and the Internet.

Packet filtering
A feature that allows a router to make a permit/deny decision for each packet based on the packet header information that is made available to the IP forwarding process.

Proxy service
Special-purpose, application-level code installed on an Internet firewall gateway. The proxy service allows the network administrator to permit or deny specific applications or specific features of an application.

Trojan horse
A program that appears legitimate or useful but carries hidden malicious functionality. A common example is a packet sniffer disguised as normal software: it hides its sniffing activity while collecting account names and passwords for Internet services, allowing a hacker to gain unauthorized access to other machines.
 



(c) MM Clements 2001