Understanding Firewalls

COSC541 Networks Final Paper

Instructor: Dr.Mort Anvari

Name: Jiang Long

Student ID: 123017

Date: Spring 2002

I hereby sincerely thank Dr.Mort Anvari for

his great work in teaching cosc541

Content:

1. Introduction

2. What’s a network firewall

3. Why need a firewall

4. Weakness of firewalls

5. Several types of firewall techniques

6. Policy considerations

7. Making firewalls fit

8. Firewall Configurations

9. Conclusion

10. References

1. Introduction

With the rapid growth of the Internet, network security has become a central concern for anyone who connects a computer to it.

The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage, it is essential. Yet connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. Users who connect their computers to the Internet must be aware of these dangers, their implications and how to protect their data and their critical systems.

The most important tool for protecting a corporate network from Internet intrusions is a firewall -- an intelligent device that controls traffic between two or more networks for security purposes.

The term "fire wall" originally meant, and still means, a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. In a car a firewall is the metal wall separating the engine and passenger compartments. The Internet is a volatile and unsafe environment when viewed from a computer-security perspective, therefore "firewall" is an excellent metaphor for network security.

In computer networking, the term firewall is not merely descriptive of a general idea. It has come to mean some very precise things.

2. What’s a network firewall

Figure 2.1 Firewall

A network firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

Generally, a network firewall system is designed to prevent unauthorized access to or from a private network and can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.

3. Why need a firewall

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spray-paint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the ``outside'' world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. (A firewall can protect you against every type of network-borne attack only if you unplug it; any firewall that is actually in use must let some traffic through, and that permitted traffic is where the remaining risk lies.)

Firewalls are also important since they can provide a single ``choke point'' where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

This is an important point: providing this ``choke point'' can serve the same purpose on your network as a guarded gate can for your site's physical premises. That means anytime you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.

Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g.: UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors.

4. Weakness of Firewalls

Firewalls are often regarded as the only line of defense needed to secure our information systems. A firewall is a device that controls what gets into and comes out of our network. Unfortunately, a firewall also has weaknesses, especially if it is not installed properly or if no appropriate security policy is implemented alongside it.

Firewalls can't protect against attacks that don't go through the firewall.

Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

A firewall can't really protect you against traitors or idiots inside your network.

While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem.

Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't ``fire and forget''.

Lastly, firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack: an attack in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail, ghostscript, and scripting mail user agents like Outlook.

5. Several types of firewall techniques:

Packet Filtering:

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.

A packet is basically a series of numbers which conveys these things:

  • The data, acknowledgment, request or command from the originating system
  • The source IP address and port
  • The destination IP address and port
  • Information about the protocol (set of rules) by which the packet is to be handled
  • Error checking information
  • Usually, some sort of information about the type and status of the data being sent
  • Often, a few other things too - which don't matter for our purposes here.

In packet filtering, only the protocol and the address information in each packet's headers is examined. The packet's contents and its context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to the applications on the host or local network, and it "knows" nothing about the source of incoming data beyond the address written in the header, which the sender controls.

Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.

Packet filtering policies may be based upon any of the following:

  • Allowing or disallowing packets on the basis of the source IP address
  • Allowing or disallowing packets on the basis of their destination port
  • Allowing or disallowing packets according to protocol

This is the original and most basic type of firewall.

Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:

  • Address information in a packet can potentially be falsified or "spoofed" by the sender
  • The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.

An advantage of packet filtering is its relative simplicity and ease of implementation.
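To make the rule model above concrete, here is an added example (not code from the original paper) of a minimal stateless packet filter: rules are matched top to bottom on protocol, source and destination network, and destination port, with an implicit default deny. The address ranges, rule set, and all names are assumptions made for illustration. The constructed packets at the end show the two weaknesses just listed: a packet that spoofs an internal source address is caught only because an explicit anti-spoofing rule exists, and a packet to the permitted web port is allowed even though its payload is hostile, because a packet filter never looks at the payload.

```python
"""Added example: a minimal stateless packet filter, first-match, default deny.
Addresses, rules and names are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address (as claimed by the sender)
    sport: int            # source port (0 for protocols without ports)
    dst: str              # destination IP address
    dport: int            # destination port
    payload: bytes = b""  # never inspected by a packet filter


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # protocol to match, or "any"
    src: str = "0.0.0.0/0"        # CIDR network the source address must fall in
    dst: str = "0.0.0.0/0"        # CIDR network the destination address must fall in
    dport: Optional[int] = None   # destination port, or None for any port

    def matches(self, p: Packet) -> bool:
        """True when every field of the rule agrees with the packet header."""
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


INTERNAL = "10.0.0.0/8"   # assumed private address range behind the firewall

# Ruleset applied to packets arriving on the Internet-facing interface.
EXTERNAL_RULES: List[Rule] = [
    # Anti-spoofing: a packet from the Internet must not claim an internal source.
    Rule("deny", src=INTERNAL),
    # The public web server and mail relay are the only services offered outside.
    Rule("allow", proto="tcp", dst="10.1.1.80/32", dport=80),
    Rule("allow", proto="tcp", dst="10.1.1.25/32", dport=25),
    # Everything else (telnet, rlogin, NetBIOS, ...) falls through to the default deny.
]


def filter_packet(p: Packet, rules: List[Rule] = EXTERNAL_RULES) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> List[str]:
    """Constructed packets: a normal web request, a telnet attempt, a packet
    spoofing an inside address, and an allowed packet carrying a hostile payload."""
    packets = [
        Packet("tcp", "198.51.100.7", 40000, "10.1.1.80", 80),
        Packet("tcp", "198.51.100.7", 40001, "10.1.1.80", 23),
        Packet("tcp", "10.0.0.5", 40002, "10.1.1.80", 80),
        Packet("tcp", "198.51.100.7", 40003, "10.1.1.80", 80,
               b"GET /cgi-bin/vulnerable.cgi?cmd=%2Fbin%2Fsh HTTP/1.0"),  # constructed
    ]
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth packet is the point: the filter returns "allow" for it exactly as it does for the first, so whatever the web server does with that request is entirely a matter of host security, not of the firewall.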

Application-level gateway:

In this approach, the firewall goes still further in its regulation of traffic.

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall all but invisible to the remote system.

It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.

Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.

A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.

An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.
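The following is an added example, not code from the original paper, of the decision logic such a gateway applies to one protocol (HTTP): it parses each request line, permits some commands to a server but not others, limits the file types a user may fetch, varies the rules per authenticated user, logs every decision, and notifies an operator after repeated refusals. The user names, policies, alert threshold and class names are assumptions made for illustration; a real gateway would also relay the accepted request to the server on the client's behalf.

```python
"""Added example: application-level gateway decision logic for HTTP requests.
User names, policies, thresholds and class names are assumptions."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Only well-formed HTTP/1.0 or HTTP/1.1 request lines are understood. Anything
# else cannot be proxied and is refused, so other protocols cannot ride through.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>/\S*) HTTP/1\.[01]$")


@dataclass(frozen=True)
class UserPolicy:
    methods: Set[str]      # HTTP commands this user may issue
    extensions: Set[str]   # file types this user may fetch; empty set means any


# Constructed per-user policies (in practice tied to the authenticated user).
POLICIES: Dict[str, UserPolicy] = {
    "guest":    UserPolicy({"GET"}, {".html", ".txt"}),
    "engineer": UserPolicy({"GET", "POST"}, set()),
    "admin":    UserPolicy({"GET", "POST", "PUT", "DELETE"}, set()),
}

ALERT_AFTER = 3   # consecutive refusals for one user before the operator is notified


class ApplicationGateway:
    def __init__(self) -> None:
        self.log: List[str] = []       # one line per decision
        self.alerts: List[str] = []    # operator notifications
        self._refusals: Dict[str, int] = {}

    def decide(self, user: str, request_line: str) -> str:
        """Return "allow" or "deny" for one request from an authenticated user."""
        m = REQUEST_LINE.match(request_line)
        if m is None:
            return self._deny(user, request_line, "not a well-formed HTTP request")
        method, path = m["method"], m["path"]
        policy = POLICIES.get(user)
        if policy is None:
            return self._deny(user, request_line, "unknown user")
        if method not in policy.methods:
            return self._deny(user, request_line, f"{method} not permitted for {user}")
        if ".." in path.split("/"):
            return self._deny(user, request_line, "path traversal attempt")
        # File-type check on the path alone; a query string does not change the type.
        ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if policy.extensions and ext not in policy.extensions:
            return self._deny(user, request_line, f"file type {ext or '(none)'} not permitted")
        self._refusals[user] = 0
        self.log.append(f"ALLOW user={user} {method} {path}")
        return "allow"

    def _deny(self, user: str, request_line: str, reason: str) -> str:
        self.log.append(f"DENY  user={user} {request_line!r}: {reason}")
        count = self._refusals.get(user, 0) + 1
        self._refusals[user] = count
        if count == ALERT_AFTER:
            self.alerts.append(f"user {user}: {count} consecutive refused requests")
        return "deny"


if __name__ == "__main__":
    gw = ApplicationGateway()
    for user, line in [("guest", "GET /index.html HTTP/1.0"),
                       ("guest", "GET /tools/setup.exe HTTP/1.0"),
                       ("admin", "DELETE /old.html HTTP/1.1")]:
        print(user, gw.decide(user, line))
    print("\n".join(gw.log))
```

Note how much more the gateway has to know than a packet filter does: it must parse the protocol, and so must be written (and kept correct) separately for every application it fronts, which is the complexity cost mentioned above.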

Circuit-level gateway:

This type of firewall has also been called a "Circuit Relay", and the label "Stateful Inspection" firewall is sometimes applied to it as well, although stateful packet inspection is usually treated as a distinct technique that adds connection tracking to packet filtering. It applies security mechanisms when a TCP connection is established (UDP has no connections, so the gateway treats an address-and-port pair that has exchanged packets as a pseudo-connection). Once the connection has been accepted, packets belonging to it can flow between the hosts without further checking.

This firewall approach validates connections before allowing data to be exchanged. What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may, for example, be based upon:

  • destination IP address and/or port
  • source IP address and/or port
  • time of day
  • protocol
  • user
  • password

Every session of data exchange is validated and monitored and all traffic is disallowed unless a session is open.

Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, in which the source address is never validated as a function of the protocol: because the relay only passes a UDP reply to an inside host that has already sent a request to that source, unsolicited datagrams with forged source addresses are dropped. IP spoofing can thereby be rendered much more difficult.

A disadvantage is that Circuit Level Filtering operates at the Transport Layer and may require substantial modification of the programming which normally provides transport functions (e.g. Winsock).
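As an added example (not code from the original paper) of the session-validation model described in this section, including the UDP point above, here is a small circuit-level gateway: a new circuit is checked against policy once, at setup, and afterwards packets are relayed in either direction only while a session for that address/port pair is open; unsolicited packets, TCP data without a preceding SYN, and packets for sessions idle past a timeout are all dropped. The protected address range, the idle timeout, the list of services outsiders may reach, and all names are assumptions made for illustration.

```python
"""Added example: a circuit-level gateway that validates each connection once,
at setup, then relays packets only while a session for that circuit is open.
Address ranges, timeout, inbound service list and names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed protected network
SESSION_IDLE_TIMEOUT = 300.0                  # seconds before an idle circuit is closed

Key = Tuple[str, str, int, str, int]          # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP connection-setup flag; meaningless for UDP


class CircuitGateway:
    def __init__(self, inbound_services: Tuple[int, ...] = (80,)) -> None:
        self.inbound_services = set(inbound_services)   # ports outsiders may connect to
        self.sessions: Dict[Key, float] = {}            # open circuits -> last activity time
        self.log: List[str] = []

    @staticmethod
    def _forward_key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _setup_permitted(self, p: Packet) -> bool:
        """Policy consulted only when a new circuit is requested."""
        src_inside = ipaddress.ip_address(p.src) in INSIDE
        dst_inside = ipaddress.ip_address(p.dst) in INSIDE
        if src_inside and not dst_inside:
            return True                              # inside users may go out freely
        if dst_inside and not src_inside:
            return p.dport in self.inbound_services  # outsiders reach listed services only
        return False                                 # inside-inside or outside-outside

    def _expire(self, now: float) -> None:
        for key, last in list(self.sessions.items()):
            if now - last > SESSION_IDLE_TIMEOUT:
                del self.sessions[key]
                self.log.append(f"{now:.0f} close (idle) {key}")

    def handle(self, p: Packet, now: float) -> str:
        """Return "forward" or "drop" for one packet seen at time `now`."""
        self._expire(now)
        for key in (self._forward_key(p), self._reverse_key(p)):
            if key in self.sessions:          # belongs to an open circuit: relay unchecked
                self.sessions[key] = now
                return "forward"
        key = self._forward_key(p)
        if p.proto == "tcp" and not p.syn:    # TCP data with no circuit: unsolicited
            self.log.append(f"{now:.0f} drop stray {key}")
            return "drop"
        if self._setup_permitted(p):          # UDP opens a pseudo-circuit on its first packet
            self.sessions[key] = now
            self.log.append(f"{now:.0f} open {key}")
            return "forward"
        self.log.append(f"{now:.0f} refuse {key}")
        return "drop"


if __name__ == "__main__":
    gw = CircuitGateway()
    print(gw.handle(Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53), 10.0))   # request out
    print(gw.handle(Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353), 11.0))   # reply back
    print(gw.handle(Packet("udp", "203.0.113.99", 53, "10.0.0.5", 5353), 12.0))   # forged reply
    print("\n".join(gw.log))
```

The forged UDP "reply" in the last call is dropped not because the gateway can verify the source address (it cannot) but because no inside host ever opened a circuit to that address; that is the whole mechanism by which a circuit relay compensates for UDP's lack of source validation.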

Proxy server:

A program (possibly running on a separate proxy server computer) which accepts information transfer requests on behalf of one or more other computers, and sends appropriate responses to those requests.

A typical use of the proxy server is a caching proxy for web browsers which is used by Internet Service Providers (ISPs). This type of proxy server accepts requests for web pages, gets a copy from the target computer, makes a temporary copy for itself, and then sends the information back to the web browser that made the original request. The next time anyone makes a request for this web page, it can use the temporary copy it made earlier in order to save time and reduce the load on its Internet connection. This same proxy server could also be used to block access to undesirable sites, or remove undesirable information contained on a web page, such as an obnoxious JavaScript program, a reference to an advertising site, or even a competitor's web site.

Many other types of proxy servers and services are also possible. Generally, a Proxy server intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information.

As you can see, all firewalls regardless of type have one very important thing in common: they receive, inspect and make decisions about all incoming data before it reaches other parts of the system or network. That means they handle packets and they are strategically placed at the entry point to the system or network the firewall is intended to protect. They usually regulate outgoing data as well. The types and capabilities of firewalls are defined essentially by:

  • Where they reside in the network hierarchy (stack);
  • How they analyze and how they regulate the flow of data (packets);
  • And additional security-related and utilitarian functions they may perform. Some of those additional functions:
      ◦ Data may be encrypted/decrypted by the firewall for secure communication with a distant network
      ◦ Scripting may allow the operator to program-in any number of specialized capabilities
      ◦ The firewall may facilitate communications between otherwise incompatible networks.

6. Policy Considerations

Your organization's networked systems security policy should include:

  • the risks you intend to manage with the firewall
  • the services you intend to offer to untrusted networks from your protected network. These could be offerings to the Internet or to other internal networks.
  • the services you intend to request from untrusted networks via your protected network. These could be requests to the Internet or to other internal networks.
  • the objective that all incoming and outgoing network traffic must go through the firewall (i.e., that no traffic which bypasses the firewall is permitted, for example, by using modems) — or conversely, that specific loopholes are permitted and under what conditions (e.g., modems, tunnels, connections to ISPs)

In the offering and requesting of services, your policy should ensure that you only allow network traffic