Web Technologies, Assignment 2

FIREWALLS

To

Dr. Ahmed Elfatatry

Web Technologies Assignment 2

First Term 2011-2012

By

Yasser M MGharib

FIREWALL

Contents

  1. Introduction ... 3
  2. Definition ... 5
  3. Firewall Types ... 5
     3.1 Hardware Firewalls ... 5
     3.2 Software Firewalls ... 5
  4. Firewall Techniques ... 6
     4.1 Packet Filtering ... 7
     4.2 Circuit Relay ... 8
     4.3 Application Gateway ... 9
  5. Conclusion ... 10
  6. References ... 11
  Appendix: Firewall Products ... 11
     A.1 Packet Filtering & Stateful Inspection Firewalls ... 11
     A.2 Application Firewalls ... 11
     A.3 Multifunction Firewalls ... 13
     A.4 Other Types Of Firewalls ... 15

1. Introduction (1)

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

  • Remote login - The ability for someone to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
  • Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.
  • SMTP session hijacking - Simple Mail Transport Protocol (SMTP) is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.
  • Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
  • Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
  • E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
  • Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
  • Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
  • Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
  • Redirect bombs - Hackers can use the Internet Control Message Protocol (ICMP) to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
  • Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network.

To detect and stop these threats we use a firewall. The rest of this report asks what a firewall is, what types of firewall exist, where each type is located, and the advantages and disadvantages of each type.

2. Definition

A firewall is simply a software or hardware device that handles or mediates traffic flow between one network and others, performing security checks on that traffic in accordance with a predetermined security policy. If traffic fails to match the security policy, then it is not allowed through the firewall. The security policy is usually enforced by a firewall rule set, against which traffic is checked. (1)

A firewall checks for specified content, or for malformed or abnormal traffic, at some layer of the protocol hierarchy, or performs checks that help determine that the traffic comes from the claimed source. (1)

The purpose of the firewall is to protect entities in one network from threats originating in another network.(2)

3. Firewall Types (4)

Firewalls can be either hardware or software.

3.1 Hardware Firewalls

Hardware firewalls can be purchased as a stand-alone product but more recently hardware firewalls are typically found in broadband routers, and should be considered an important part of the system and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network.

3.2 Software Firewalls

For individual home users, the most popular firewall choice is a software firewall. Software firewalls are installed on the computer (like any software) and can be customized, allowing you some control over their function and protection features. A software firewall will protect the computer from outside attempts to control or gain access to it, and, depending on the choice of software firewall

Advantages of a software firewall (3)

  • Free of charge or low-priced to install
  • Easy to install
  • Professional skills not required for configuration
  • Levels of access can be set

Advantages of a hardware firewall (3)

  • Centralized management achievable
  • Secure
  • Speedy
  • Less interference; can be maintained without affecting other regions of the network, and does not slow applications down

Disadvantages of a software firewall (3)

  • Might make applications slow
  • Might be heavy on computer system resources
  • Can be hard to remove
  • Every host needs to be updated regularly
  • No centralized administration

Disadvantages of a hardware firewall (3)

  • Costly to buy
  • Specialist knowledge may be necessary to install and configure
  • Takes up substantial space
  • Difficult to upgrade

4. Firewall Techniques

  • The most basic type of firewall performs Packet Filtering.
  • A second type of firewall, which provides additional security, is called a Circuit Relay.
  • Another and still more involved approach is the Application Level Gateway.

[Figure: network diagram (nwdiag2), image not reproduced]

4.1 Packet Filtering (6)

All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets.

A packet is basically a series of digital numbers, which conveys these things:

  • The data, acknowledgment, request or command from the originating system
  • The source IP address and port
  • The destination IP address and port
  • Information about the protocol (set of rules) by which the packet is to be handled
  • Error checking information
  • Usually, some sort of information about the type and status of the data being sent
  • Often, a few other things too.

In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.

Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.

Packet filtering policies may be based upon any of the following:

  • Allowing or disallowing packets on the basis of the source IP address
  • Allowing or disallowing packets on the basis of their destination port
  • Allowing or disallowing packets according to protocol.

This is the original and most basic type of firewall.

Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:

  • Address information in a packet can potentially be falsified or "spoofed" by the sender
  • The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.

The advantage of packet filtering is its relative simplicity and ease of implementation.

The disadvantage of packet-filtering firewalls is that ACLs are static, and packet filtering has no visibility into the data portion of the IP packet. (7)
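The following is an added example, not part of the report: a minimal stateless packet filter that decides only on the header fields listed above (interface, protocol, addresses, destination port), with first-match rules and a default deny. The addresses, interface names and rule set are constructed; the first rule is the ingress anti-spoofing check a defender adds against the "spoofed source address" weakness, and the payload field exists only to show that the filter never reads it.

```python
# Added example, not from the report: a stateless packet filter.
# Rules match only on header fields; the payload is carried but never inspected.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("192.168.1.0/24")   # constructed example network


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""  # present in every packet, ignored by this filter


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"         # source network in CIDR notation
    dst: str = "0.0.0.0/0"         # destination network in CIDR notation
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Ordered policy: the first matching rule wins; no match means default deny.
POLICY = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside address.
    Rule("deny", iface="ext", src=str(INTERNAL_NET)),
    # Only web traffic to one internal server is accepted from outside.
    Rule("allow", iface="ext", proto="tcp", dst="192.168.1.10/32", dport=80),
    # Internal hosts may send anything outward.
    Rule("allow", iface="int", src=str(INTERNAL_NET)),
]


def filter_packet(p: Packet, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for one packet using first-match semantics."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Because the decision never touches `payload`, an allowed web packet passes whatever it carries, which is exactly the limitation the section describes.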

4.2 Circuit Relay (6)

Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged.

What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may, for example, be based upon:

  • destination IP address and/or port
  • source IP address and/or port
  • time of day
  • protocol
  • user
  • password

Every session of data exchange is validated and monitored and all traffic is disallowed unless a session is open.

Circuit Level Filtering takes control a step further than a Packet Filter.

An advantage of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, in which the source address is never validated as a function of the protocol. IP spoofing can be rendered much more difficult.

The disadvantage is that circuit-level filtering operates at the transport layer and may require substantial modification of the programming which normally provides transport functions (e.g. Winsock).
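The following is an added example, not part of the report, of the session logic described in this section: a circuit-level gateway that validates a connection request against configurable rules (source network, destination address and port, user, time of day), opens a session with a lifetime, and relays data only while a matching, unexpired session exists. The rule fields, addresses, users and timestamps are constructed; the hour of day is derived from a Unix timestamp in UTC.

```python
# Added example, not from the report: a circuit-level gateway session table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

SessionKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class ConnectRule:
    src_net: str                  # who may open the circuit, in CIDR notation
    dst: str
    dport: int
    allowed_users: FrozenSet[str] # authenticated users permitted on this circuit
    hours: range                  # permitted hours of day (UTC)
    lifetime_s: int               # how long an opened session stays valid


class CircuitGateway:
    def __init__(self, rules: List[ConnectRule]):
        self.rules = rules
        self.sessions: Dict[SessionKey, float] = {}   # circuit -> expiry timestamp

    def request_connection(self, src, sport, dst, dport, user, now) -> bool:
        """Validate the request; on success open a session and return True."""
        hour = int(now // 3600) % 24   # hour of day from a Unix timestamp (UTC)
        for r in self.rules:
            if ((r.dst, r.dport) == (dst, dport)
                    and ip_address(src) in ip_network(r.src_net)
                    and user in r.allowed_users
                    and hour in r.hours):
                self.sessions[(src, sport, dst, dport)] = now + r.lifetime_s
                return True
        return False   # no rule validated the connection: nothing is opened

    def relay(self, src, sport, dst, dport, now) -> bool:
        """Data passes only while an open, unexpired session exists for this circuit."""
        key = (src, sport, dst, dport)
        expiry = self.sessions.get(key)
        if expiry is None:
            return False               # no validated session: traffic is disallowed
        if now >= expiry:
            del self.sessions[key]     # lifetime elapsed: close the circuit
            return False
        return True
```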

4.3 Application Gateway (6)

In this approach, the firewall goes still further in its regulation of traffic.

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall all but invisible to the remote system.

It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.

Advantage: Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.

The disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.

An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.
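The following is an added example, not part of the report, of the command-inspection part of an application-level gateway for an FTP-style control channel. It shows the three behaviours this section lists: permitting some commands to a server but not others, limiting file access to certain types, varying the rules per authenticated user, with detailed logging and an alarm once a user has had a configurable number of commands refused. The users, command sets, file types and threshold are constructed.

```python
# Added example, not from the report: application-gateway command inspection.
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class UserPolicy:
    commands: FrozenSet[str]                        # commands the proxy will forward
    retr_extensions: FrozenSet[str] = frozenset()   # file types allowed for RETR


@dataclass
class AppGateway:
    policies: Dict[str, UserPolicy]      # authenticated user -> policy
    alarm_after: int = 3                 # refused commands before an alarm is raised
    log: List[str] = field(default_factory=list)
    denied: Counter = field(default_factory=Counter)

    def inspect(self, user: str, line: str) -> Tuple[str, str]:
        """Return ('forward' | 'deny' | 'alarm', reason) for one control-channel line."""
        parts = line.strip().split(maxsplit=1)
        cmd = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        policy = self.policies.get(user)
        verdict, reason = "deny", "unknown user"
        if policy is not None:
            if cmd not in policy.commands:
                reason = f"command {cmd or '<empty>'} not permitted for this user"
            elif cmd == "RETR" and arg.rsplit(".", 1)[-1].lower() not in policy.retr_extensions:
                reason = f"file type not permitted: {arg}"
            else:
                verdict, reason = "forward", "matches policy"
        if verdict == "deny":
            self.denied[user] += 1
            if self.denied[user] >= self.alarm_after:
                verdict = "alarm"   # still refused, and the operator is notified
        # Detailed per-command log, as the section says this type of firewall keeps.
        self.log.append(f"user={user} cmd={cmd} arg={arg!r} verdict={verdict} reason={reason}")
        return verdict, reason
```

Only lines judged `forward` would be relayed to the real server; `deny` and `alarm` lines are answered by the gateway itself, so the protected host never sees them.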

5. Conclusion

All firewalls regardless of type have one very important thing in common: they receive, inspect and make decisions about all incoming data before it reaches other parts of the system or network. That means they handle packets and they are strategically placed at the entry point to the system or network the firewall is intended to protect. They usually regulate outgoing data as well. The types and capabilities of firewalls are defined essentially by:

  • where they reside in the network hierarchy (stack);
  • how they analyze and how they regulate the flow of data (packets);
  • and additional security-related and utilitarian functions they may perform. Some of those additional functions:
      • data may be encrypted/decrypted by the firewall for secure communication with a distant network;
      • scripting may allow the operator to program in any number of specialized capabilities;
      • the firewall may facilitate communications between otherwise incompatible networks.

6. References

  1. iac.dtic.mil/iatac/download/firewalls.pdf

Appendix: Firewall Products (5)

For more details see (iac.dtic.mil/iatac/download/firewalls.pdf)

A.1 Packet Filtering & Stateful Inspection Firewalls

  • Deerfield.com VisNetic Firewall for Servers
  • eSoft InstaGate Firewall
  • GCIS Firewall Sentinel™ and Proxy Sentinel™
  • Intertex SurfinBird IX FW Series
  • IPFIREWALL (IPFW)
  • Mac® OS X Server ipfw and Application Firewalls
  • Netfilter
  • NetSib NetworkShield Firewall
  • NuFirewall
  • Packet Filter
  • Qbik WinGate Proxy Server
  • ReaSoft Network Firewall
  • Soft in Engines Bandwidth Management and Firewall
  • Sphinx Software Windows Firewall Control Plus Server Edition
  • TRENDnet -Port Gigabit Firewall Router
  • Windows Firewall
  • Untangle Firewall

A.2 Application Firewalls

  • Alcatel-Lucent OmniAccess Web Services Gateway
  • Alt-N SecurityGateway for Exchange/SMTP Servers
  • Anchiva Secure Web Gateway A Series and Web Application Firewall S Series
  • Applicure dotDefender
  • Armorlogic Profense
  • art of defence hyperguard
  • Axway MailGate
  • BalaBit IT Security Zorp
  • Barracuda® Spam & Virus Firewall
  • Barracuda® Web Application Firewalls
  • Bee Ware i-Suite
  • BugSec WebSniper
  • Cisco® ACE Web Application Firewall
  • Cisco® ACE XML Gateways
  • Cisco® IOS Firewall
  • Cisco® IronPort® Email Security Appliances
  • Citrix® NetScaler® Application Firewall™
  • CloudShield DNS Defender
  • Deny All rWeb
  • Deny All rFTP
  • Deny All sProxy
  • DigiPortal ChoiceMail Enterprise and ChoiceMail Small Business
  • eEye SecureIIS
  • Excelerate SpamGate
  • F® BIG-IP® Application Security Manager
  • Fortinet® FortiWeb™ Web Application and XML Firewalls
  • Forum Sentry XML Gateway
  • GreenSQL Express, Light, Pro, and Database Firewall
  • Horizon Network Security™ SPAM Cracker™
  • IBM® WebSphere® DataPower XML Security Gateway XS
  • Igaware Web Filtering Appliance
  • IMGate Mail Firewall
  • Imperva SecureSphere Database Firewall
  • Imperva SecureSphere File Firewall
  • Imperva SecureSphere Web Application Firewall
  • Intel® SOA Expressway Service Gateway
  • Korsmeyer Extensible Messaging Platform
  • Layer SecureSpan™ XML Firewall
  • ModSecurity
  • MONITORAPP DB INSIGHT SG™
  • MONITORAPP Web INSIGHT SG™
  • Netop NetFilter
  • Oracle® Database Firewall
  • Phantom Technologies iBoss Enterprise Web Filter
  • Phantom Technologies iBoss Home Internet Parental Control
  • Phantom Technologies iBoss Pro Internet Content iFilter
  • PrismTech Xtradyne I-DBC IIOP Firewall
  • PrismTech Xtradyne WS-DBC
  • Privacyware ThreatSentry
  • Proofpoint Email Firewall™
  • Qualys® IronBee™
  • Radware AppWall®
  • RedCondor Message Assurance Gateways
  • Retell Sense Voice Firewall
  • SafeNet® eSafe Mail Security Gateway
  • SafeNet® eSafe Web Security Gateway
  • seaan.net MXtruder
  • SPAMINA Email Service Firewall and Email Service Firewall for MSP/ISPs
  • SpamTitan
  • SpamWall Antispam Firewall
  • Trustwave WebDefend®
  • Vicomsoft InterGate Policy Manager
  • webScurity webApp.secure™

A.3 Multifunction Firewalls

  • Aker Firewall
  • Alcatel-Lucent VPN Firewall Brick™
  • Arkoon Security FAST Network Processor Appliances
  • Astaro™ Security Gateways
  • Barracuda® NG Firewall
  • BluegrassNet Voice SP Firewall/SIP Proxy
  • Check Point Power-™ Appliances
  • Check Point IP Appliances
  • Check Point Safe@Office UTM Appliances
  • Check Point Series Appliance
  • Check Point UTM-™ Appliances
  • Cisco ASA Series Adaptive Security Appliances
  • Cyberoam® UTM Appliances
  • Clavister® Enterprise Security Gateway Series
  • D-Link NetDefend Firewall/VPN UTM Appliances
  • EdenWall Security Appliances
  • EGG Network Security Appliance
  • Endian UTM Software, Hardware, and Virtual Appliances
  • Entensys UserGate Proxy & Firewall
  • Fortinet® FortiGate® Appliances
  • GajShield Unified Performance & Threat Management Appliances
  • GeNUGate Two-Tier Firewall
  • GeNUScreen Firewall & VPN Appliance
  • Gibraltar Security Gateways
  • Global Technology Associates Firewall/VPN Appliances
  • Global Technology Associates GB-Ware
  • HC SecPath and SecBlade
  • Halon SX Series Firewalls
  • Hitec Fyrewall
  • HP ProCurve Threat Management Services (TMS) zl Module
  • Huawei Quidway Eudemon Firewall Series
  • IBM Security Server Protection and Virtual Server Protection for VMware
  • Ideco Gateway
  • Igaware Network Protector
  • Ingate Firewall®
  • InJoy Firewall™ Professional and Enterprise
  • iPolicy Intrusion Prevention Firewalls
  • IPCop
  • Juniper Networks ISG Series Integrated Security Gateways
  • Juniper Networks NetScreen
  • Juniper Networks SRX Services Gateways
  • Juniper Networks SSG Series Appliances
  • Kerio® Control
  • McAfee Firewall Enterprise
  • Microsoft Forefront Threat Management Gateway
  • Microsoft® Internet Security and Acceleration Server
  • mnwall
  • NETASQ U-Series and NG-Series Appliances
  • NetCop
  • NETGEAR® ProSafe Wired and Wireless VPN Firewalls
  • NETGEAR® ProSecure® Unified Threat Management (UTM) Gateway Security Appliances
  • NetSentron® NS Lite and NS Pro
  • Novell BorderManager®
  • OSecurity SifoWorks™ Firewall/IPsec VPN Appliances
  • Paisley Systems Frontdoor Firewall Appliance
  • Palo Alto Networks Enterprise Firewalls
  • Panda GateDefender Integra SB
  • pfSense
  • PLANET Security Gateways
  • Schweitzer Engineering Laboratories SEL- Ethernet Security Gateway
  • SECUI.com eXshield and NXG Firewalls
  • SECUI.com eXshield and NXG UTM Appliances
  • Secure Crossing Zenwall-
  • SecureLogix® ETM® System with TeleWall and Voice Firewall
  • Securepoint Firewall UTM Gateways
  • SmoothWall® Advanced Firewall and SmoothWall UTM
  • SmoothWall® Express
  • SOHOware BroadScan™ UTM Internet Security Appliance
  • SonicWALL® NSA and TZ Series Network Security Appliances
  • StoneSoft StoneGate™ Firewall/VPN Appliances and Virtual Firewall/VPN Appliances
  • TeamF SecureFrst Security Gateway Solution
  • Trlokom OmniVPN and Katana Gateway
  • Tutus Färist Firewall
  • Ubiq-Freedom
  • Untangle Server with Lite, Standard, or Premium Package
  • Vordel® Gateway
  • Vyatta Core
  • WatchGuard® Extensible Threat Management Series
  • XRoads EdgeWAN Cloud Firewall Appliances
  • Zentyal Gateway
  • Zentyal UTM
  • ZyXEL ZyWALL Unified Security Gateways and Internet Security Appliances

A.4 Other Types Of Firewalls

  • EdenWall Virtual Security Appliance

Page 1 of 15 Yasser Gharib