· web view4. a company has network based firewall and they authorized port #80, because they want...

Post on 16-Jan-2020


TRANSCRIPT

Page 1:

Objectives:

1. Describe a firewall.

2. Limitations of a firewall.

3. Distinguish between a network-based firewall and a host-based firewall.

Firewalls

A firewall is a network security device that may be a software program, a hardware appliance, or a combination of both. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules. It typically establishes a barrier between a trusted, secure internal network and an untrusted outside network such as the internet. Firewalls are often categorized as either network-based firewalls or host-based firewalls. Network-based firewalls filter traffic between two or more networks. Host-based firewalls provide a layer of software on a host that controls network traffic in and out of that single machine. See figures 1a and 1b. A firewall imposes restrictions on network services: only authorized traffic is allowed. Firewalls cannot protect against traffic that has been authorized or against internal threats, and they cannot fix poor security policies. By connecting to the internet a user becomes exposed to hackers; the firewall is the barrier between the user and the internet, since all information entering or leaving the network passes through it.

Figure 1A: Host-based firewall (diagram: Internet, firewall, PC)

Figure 1B: Network-based firewall (diagram: Internet, firewall, PC)

GI questions:

1. Is a firewall software or hardware? Could it be a combination of both?

2. What data does the firewall monitor?

3. John has 5 PCs at home and he wants to protect all of them. What type of firewall should be used?

Page 2:

4. John has a laptop and uses it in different locations such as work, hotels and home. What type of firewall should be used?

5. In a home network environment with 3 PCs, iPads, iPhones and a router, which of the following is the best place to install a firewall to protect the network: the access point, a PC, the router, or the switch?

6. In the lab, one of the computers has been infected by malware that an employee brought in on his infected USB drive. Do you think the firewall can protect the PCs?

Page 3:

Objectives:

1. Explain how a packet filtering firewall works.

2. Write a packet filtering firewall rule.

Packet filtering firewall: A network firewall that looks at network addresses, ports, and other parts of the TCP/UDP/IP headers of a packet to determine whether that packet should be allowed or blocked.

This firewall examines source and destination IP addresses and ports; it also looks at connection status to verify whether the packet is the first of a network session or part of a live session. Please see figures 2a, 2b and 2c for IP header details.

To accept or deny a packet, a packet filtering firewall follows a set of rules based on the network administrator's requirements.

Based on the network administrator's set of rules, the packet filter either accepts or denies each packet. A packet filtering firewall is stateless: it does not remember the state of the connection from previous packets, so it applies the same rules to every packet of a connection. Note also that packet filtering firewalls do not examine the payload.

Figure 2A: IPv4 Header Format (fields listed row by row, 32 bits per row)

Version | IHL | DSCP | ECN | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options (if IHL > 5)

Figure 2B: part of TCP Header information (fields listed row by row)

Source Port | Destination Port
Sequence Number
Acknowledgment Number
Data Offset | Reserved | Code | Window
Checksum | Urgent Pointer
Options | Padding
Optional data

Figure 2C: part of UDP Header information (fields listed row by row)

Source Port | Destination Port
Length | Checksum
Optional data

Packet filtering firewall Rule Examples:

Page 4:

Suppose you want to allow mail traffic (SMTP, port 25) from/to our gateway (GW) machine; the firewall rule is as follows (note: the "*" means "any"):

Conceptual questions:

1. What does packet filtering firewall examine in a packet?

2. What does stateless firewall mean?

3. Does packet filter examine the payload of a packet?

4. A company has a network-based firewall and has authorized port #80 because they want to tell the world about the company's activity, but the company administrator wasn't aware that they were using an old version of the web server which has a buffer overflow bug. Can the firewall prevent a hacker on the internet from exploiting this bug?

Application questions:

1. Write a rule to allow inbound mail (SMTP, port 25) but only to our email server with IP address 192.168.0.25.

2. Write a rule to block all traffic from site TIMEWASTE.

3. Write a rule so that any inside host can visit all secure web servers (note: the port number for a secure web server is 443).

Objectives:

1. Explain how a stateful firewall makes the decision on whether to allow a packet to go through.

Page 5:

2. Compare stateful and stateless firewalls.

A stateful firewall: This firewall keeps track of the state of each connection and remembers previous packets. When a packet arrives, the firewall checks whether it belongs to an existing connection; if so, it is allowed immediately. If it is a new connection, the firewall matches it against the administrator's set of rules, decides whether to allow or deny the packet, and then saves some of its details, such as IP addresses and port numbers. Figure 3 shows an example of a stateful firewall.

Figure 3: Stateful firewall example
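The following is an added example written for this page, not code from the worksheet: it simulates the packet filtering firewall described on page 3 (first matching rule wins, default deny, no memory between packets) and the stateful firewall described above (a connection table keyed on the packet's IP addresses and ports), and runs the same three packets through both. The gateway address, the remote mail server, the source port and the rule set are all constructed for illustration; the addresses come from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24.

```python
# Added example (editor's illustration, not part of the worksheet): the same
# three packets judged first by a stateless packet filter and then by a
# stateful firewall. IP addresses, ports and rules are constructed here;
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
from dataclasses import dataclass

ANY = "*"  # the worksheet's "*" meaning "any"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the internet) or "out" (leaving our network)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_ip: str
    src_port: object  # int or ANY
    dst_ip: str
    dst_port: object  # int or ANY
    action: str       # "allow" or "deny"


def _match(field, pattern):
    return pattern == ANY or field == pattern


def rule_matches(rule, pkt):
    """True when every header field the rule names agrees with the packet."""
    pairs = ((pkt.direction, rule.direction), (pkt.proto, rule.proto),
             (pkt.src_ip, rule.src_ip), (pkt.src_port, rule.src_port),
             (pkt.dst_ip, rule.dst_ip), (pkt.dst_port, rule.dst_port))
    return all(_match(f, p) for f, p in pairs)


def stateless_decide(rules, pkt):
    """Stateless filter: first matching rule wins, default deny, and each
    packet is judged on its own headers with no memory of earlier packets."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful filter: remembers the 5-tuple of every session it allowed, so
    later packets of that session (in either direction) pass without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()

    def decide(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table or reverse in self.table:
            return "allow"                          # part of a live session
        action = stateless_decide(self.rules, pkt)  # new session: consult rules
        if action == "allow":
            self.table.add(key)                     # remember IPs and ports
        return action


GW = "192.0.2.25"          # assumed address of our gateway (GW) machine
MAIL_PEER = "203.0.113.7"  # assumed remote mail server
EPHEMERAL = 40001          # source port GW picked for this SMTP session

# A stateless filter needs a second, broad rule to let SMTP replies back in,
# and that rule also admits any unsolicited packet sent from port 25 to GW.
STATELESS_RULES = [
    Rule("out", "tcp", GW, ANY, ANY, 25, "allow"),
    Rule("in", "tcp", ANY, 25, GW, ANY, "allow"),
]
# The stateful firewall only needs the outbound rule.
STATEFUL_RULES = STATELESS_RULES[:1]

# Constructed packets: the session opener, the server's reply, and an
# unsolicited inbound packet from the same server to a different GW port.
PACKETS = {
    "p1_gw_to_peer":  Packet("out", "tcp", GW, EPHEMERAL, MAIL_PEER, 25),
    "p2_reply":       Packet("in", "tcp", MAIL_PEER, 25, GW, EPHEMERAL),
    "p3_unsolicited": Packet("in", "tcp", MAIL_PEER, 25, GW, 5555),
}


def run_demo():
    """Return each firewall's verdict per packet, in arrival order."""
    stateless = {n: stateless_decide(STATELESS_RULES, p) for n, p in PACKETS.items()}
    fw = StatefulFirewall(STATEFUL_RULES)
    stateful = {n: fw.decide(p) for n, p in PACKETS.items()}
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for fw_kind, verdicts in run_demo().items():
        print(fw_kind, verdicts)
```

Running it shows the trade-off the two pages describe: the stateless filter can only admit the reply by carrying a broad inbound rule, and that rule also lets the unsolicited third packet through, whereas the stateful firewall admits the reply because it remembered the first packet's addresses and ports, and blocks the third packet because its port pair matches neither the table nor a rule. The price is the connection table itself, which must be stored and searched for every packet.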

1. What are the IP addresses of the client and server?

2. What are the source IP, source port, destination IP and destination port of the first packet?

3. Who sent the first packet? Client or server? Did the packet pass?

Page 6:

4. What are the source IP, source port, destination IP and destination port of the second packet? Find the matching numbers between packet 1 and packet 2.

5. What are the source IP, source port, destination IP and destination port of the third packet? Find the matching and mismatching numbers between packet 1 and packet 3.

6. Why was the last packet blocked? How did the firewall make this decision? Did the firewall have to remember the first packet?

7. Explain why a stateful firewall requires more resources than a stateless one.

Page 7:

Objectives:

1. Explain the concepts of application-level gateway, DMZ, bastion host, and honeypots.

2. Compare application level firewall and packet filtering firewall

An application-level gateway, or proxy, is a type of firewall that is capable of performing filtering at the application layer. It performs filtering based on the type of service (e.g. TELNET, FTP, SMTP, HTTP). Figure 5 shows an application-level gateway connecting a host with computers in an organization. The user requests a service from the application-level gateway; the gateway validates the request according to the application-level protocol, and if the request is valid the gateway processes it and returns the results to the user.

Figure 5: Application-level gateway
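To make the validation step concrete, here is an added example written for this page (not code from the worksheet): a minimal check an HTTP application-level gateway could run on each incoming request before processing it. The permitted methods, the list of internal hosts the gateway serves, and the sample requests are all assumed or constructed for illustration. Unlike the packet filter on page 3, which only sees port 80 in the TCP header, this gateway parses the request line and headers and refuses anything that is not well-formed HTTP within its policy.

```python
# Added example (editor's illustration, not part of the worksheet): how an
# application-level gateway validates a request against the application
# protocol before acting on it. The protocol here is HTTP; the permitted
# methods and the internal hosts the gateway serves are assumed values.

ALLOWED_METHODS = {"GET", "HEAD"}          # assumed policy
ALLOWED_HOSTS = {"www.example.org"}        # assumed internal web server(s)


def validate_http_request(raw: bytes):
    """Return (verdict, reason). The request is forwarded only if it parses as
    HTTP/1.x and every checked field is within policy; bytes the gateway cannot
    interpret as HTTP are rejected instead of being passed through blindly."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("reject", "not an ASCII HTTP request")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return ("reject", "incomplete header block")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ("reject", "malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return ("reject", f"method {method} not permitted")
    if not target.startswith("/"):
        return ("reject", "request target must be an absolute path")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return ("reject", "malformed header line")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return ("reject", f"host {host!r} not served by this gateway")
    if body:
        return ("reject", "body not allowed with GET/HEAD")
    return ("forward", f"{method} {target} to {host}")


# Constructed sample requests as the gateway would receive them.
SAMPLE_REQUESTS = {
    "plain_get":  b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "post":       b"POST /upload HTTP/1.1\r\nHost: www.example.org\r\n"
                  b"Content-Length: 2\r\n\r\nhi",
    "wrong_host": b"GET / HTTP/1.1\r\nHost: intranet.internal\r\n\r\n",
    # Bytes shaped like the start of a TLS record: not HTTP, so an HTTP-only
    # gateway has nothing it can validate and does not forward them.
    "not_http":   b"\x16\x03\x01\x00\xa5\x01\x00\x00",
}


def run_demo():
    """Verdict and reason per sample request."""
    return {name: validate_http_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:<11} {verdict:<8} {reason}")
```

The design point is that the gateway decides per application protocol, one protocol per proxy: it understands HTTP request lines and headers and can enforce policy on them, but traffic it cannot parse as that protocol (the TLS-shaped sample, or any non-HTTP protocol) is simply not something it can validate, which is why a proxy firewall needs a separate gateway, or a different mechanism, for each service it is meant to pass.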

1. Can ICMP traffic go through the application-level gateway depicted in Figure 5?

2. Can HTTPS traffic go through the application-level gateway depicted in Figure 5? If not, how can you make it go through the firewall?

3. Discuss the advantages and disadvantages of application-level proxy compared with packet filtering firewall.

A bastion host is a highly secured system that is potentially exposed to hostile elements and is hardened to withstand attacks. A bastion host may support two or more network connections and may be trusted to enforce separation between those connections. It runs circuit-level or application-level gateways, or provides externally accessible services.

DMZ (demilitarized zone): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.

Page 8:

Honeypots are baiting systems designed to lure potential attackers away from critical systems. They can be connected to form a honey net. A honeypot consists of data that appears to be a legitimate part of the critical system, but is actually isolated and monitored.

Figures 6-A, 6-B, and 6-C show different configurations of firewall systems.

Figure 6-A: Single-homed firewall system

Figure 6-B: Dual-homed firewall system

Figure 6-C: Screened-subnet firewall system


Page 9:

1. Figure 6-A shows the computers included in the DMZ. Following this example, draw a dashed-line circle in Figure 6-B and Figure 6-C that includes all computers in the DMZ.

2. On which of the computers in Figure 6-B should the application-level gateway be installed? Explain your answer.

3. Explain why Figure 6-C is more secure than Figure 6-B.

4. What is the purpose of honeypots?

5. If we want to put a honeypot in Figure 6-C, where should it be placed?

6. Explain why a bastion host needs to be secured more thoroughly by system administrators than the other computers in the private network.