Network firewall

From Computing and Software Wiki

(Difference between revisions)
Jump to: navigation, search
(Screening Router)
(Dual-Hoed Host)
Line 151: Line 151:
====Dual-Hoed Host====
====Dual-Hoed Host====
 +
A dual-host host architecture is built around the dual-homed host computer -- a computer that has at lease two network interfaces. Such a hos could act as a router between the networks interfaces are attached to, as it shows in Figure 5.
 +
====Multiple-Purpose Boxes====
====Multiple-Purpose Boxes====

Revision as of 21:00, 11 April 2009

Network Firewall is now considered as a first line of defense in the form of a barrier against outside attacks, which is installed on computers connect to internet. In general, Firewall prevents the dangers of Internet from spreading to your internal network. It more like a moat of a medieval castle that a firewall in a modern building. It serves multiple purposes [1:21]:
Figure 1 - A simple firewall diagram
  • It restricts people to entering at a carefully controlled point.
  • It prevents attackers from getting close to your other defenses.
  • It restricts people to leaving at a carefully controlled point.[1:21]

In practice,a firewall is a collection of hosts, routers, and other hardware that designed to prevent unauthorized electronic access between two parts of a network. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.[3]

Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.[3]

Contents

Why Firewall

The Internet is marvelous technological advance that provides access to information, and the ability to publish information, in revolutionary ways. But it's also a major danger that provides the ability to pollute and destroy information in revolutionary ways. For this reason, no matter what kind of information you put on Internet, you may always try to protect:

  • Your Data?
    • Secrecy: accessibility for a certain group of people
    • Integrity: no data change by others
    • Availability: always able to use it by you or by a group of people who have the permit.
  • Your Resources? Your computer cycle and storage space.
  • Your Reputation? No one should appear on the Internet with your identity. [1:7]

if you answer YES to any of above, then Network Firewall is the solution you needed.

What is Firewall

As figure 1 shows, a Firewall is a box/device between two connected networks, it has the following definitions:

  • A Firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.[3]
  • A Firewall is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.[3]
  • A Firewall is a device that divide a network into parts, when some parts have distinct security needs.[1:23]
  • A Firewall is a separator, a restricter, an analyzer.[1:22]

Benefits of Firewall

Generally, Firewalls are configured to protect against unauthenticated interactive logins for the outside world, most of the time, it acts like a choke point. All traffic in and out must pass through this single, narrow choke point, which provided a very easy mechanism to monitor, trace, and control information flow. Hence, Firewall is an efficient network security tool to block Intrusion, Denial of service, and Information theft. The following are the primary benefits of using a firewall:

  • Protection from vulnerable service that are running on the server that may increase its vulnerability to attack
  • Controlled access to site systems
  • Concentrated Security
  • Enhanced privacy
  • Logging and statistics on network use, misuse
  • Policy enforcement
  • VPN
  • DMZ

[2:12]

Limitations of Firewall

In general, a Network Firewall has the following limitations:

  • Network Firewall cannot protect against attacks that don't go through the Firewall.
    • example: a dial-up modem connection that allow users to dial-in to access the internal systems behind the firewall. The firewall has absolutely no way of preventing an intruder from getting in through such a modem.
  • Network Firewall cannot protect against malicious insiders.
    • Internal users may be blocked from sending information out by Firewall block service, but they can still download, copy the data onto disks or flash drives.
  • Network Firewall cannot protect against viruses.
    • Detecting a virus in a random packet of data passing through a Firewall is very difficult, as it requires:
      1. recognizing that the packet is part of a program
      2. Determine what the program should look like and its behavior.
      3. Determine that a change in the program is a threats to system
  • Network Firewall cannot protect against completely new threats.
    • Firewall is designed to protect against known threats. People continuously discover new ways to attack, using previously trustworthy services, or using attacks that simply has not occurred to anyone before.
  • Network Firewall cannot set itself up correctly.
    • Every Firewall need some amount of configuration, as every site/private network is different, so it is impossible to use a universal firewall which will set itself up automatically. Correct configuration is absolutely essential.

[1:24]

Firewall Types

There are three types of Firewalls, as:

  • Simple packet filtering: IP or filtering firewalls -- Block all but selected network traffic
  • Application-layer firewall: Proxy server -- act as intermediary to make requested network connections for the user
  • Stateful multilayer-inspection firewalls -- extract the relevant communication and application state information and analyze all packet communication layers.

Simple packet filtering: IP packet filtering Firewall

An IP filtering firewall works at the simple IP packet level. It is designed to control the flow of data packets based on their header information, which can be:
Figure 2 - Typical Ipv4 Packet Header
  • IP source address
  • IP destination address
  • Protocol (TCP, UDP, ICMP)
  • TCP or UDP source port
  • TCP or UDP destination port
  • ICMP message type
  • Packet size[1:105]
Figure 3 - Using a screening router to do packet filtering

A traditional firewall, like a simple router, is generally make their decision based on the source, destination addresses, and port in individual IP packets. Modern simple packet-filtering firewalls have become increasingly sophisticated and maintain internal information about the state of connections passing through them, the contents of some of the data steam, and so on. For instance, modern routers can also look past the packet headers at data further on in the packet, this will allows firewall to filter packet based on more detailed information, like the name of the web page that someone is requesting and if the packet is valid (means if the packet size is the same as it claims to be and legal), which helps catch a number of denial of service attacks based on malformed packets. In addition, modern firewalls know things about the packet that are not reflected in the packet itself, such as:

  • The interface the packet arrives on
  • The interface the packet will go out on

And finally, a IP packet filtering firewall will keeps track of packets that it has seen knows some useful historical fact, such as:

  • Whether this packet appears to be a response to another packet, which means its source was the destination of a recent packet and it destination is the source of that other packet.
  • How many other packet have recently been seen to or from the same host.
  • Whether this packet is identical to a recently seen packet
  • If this packet is part of a larger packet that has been seen broken into parts (fragmented).

Base on these information, firewall filtering rules (packets routing conditions) can be applied, for example, a screened router may have rules like:

  • Block all incoming connections from systems outside the internal network, except for incoming SMTP connections
  • Block all connections to or from certain system you distrust
  • Allow mail and FTP services, but bock dangerous service like TFTP, RPC, etc.[1:106]

(see [Linux/Unix Command: iptables] for detail iptable example)

Once the IP packet filtering firewall completed the packet audit, it may perform one of the following action:

  • Send packet to its intend destination.
  • Drop packet.
  • Reject the packet.
  • Log information about the packet.
  • Notify somebody about the packet immediately. [1:107]

and more sophisticated firewalls might also be able to do one or more of these things:

  • Modify the packet
  • Send the packet to a different destination, for instance, re-direct the packet to a Proxy server.
  • Modify the filtering rule accordingly. [1:107]

Advantages of IP packet filtering firewall

Simple IP packet filtering firewall tends to be very fast and very transparent to users. [2:51] It has a number of advantages:

  • One screening router can help protect an entire network
  • Simple packet filtering is extremely efficient -- only need to pay attention to a few packet headers, and contents only if needed.
  • Widely available in many hardware and software routing products. [1:108}

Disadvantage of IP packet filtering firewall

Although IP packet filtering firewall provides many advantages, there are some disadvantage to using packet filtering firewall as well.

  • Current filtering tools are not perfect.
    • Filtering rules are hard to configure.
    • Once configures, filtering rules are tend to be hard to test.
    • bugs.
  • Performance of the screening router is reduced.
  • Some policies cannot be implemented/enforced by IP packet filtering firewall. [1:109]

Application Firewalls: proxy servers

Figure 4 - Using proxy service with a dual-homed host

In general, a Proxy is something or someone who does something on somebody else's behalf. For instance, you may give somebody the authority to vote for you in an election.[1:110] It is called application-level firewall is because the proxies provide replacement connections and act as gateways to service. In addition, proxies are usually called connection bridges, since an virtual "air gap" is exists in the firewall between inside and outside, and proxy server is the only way to exchange information. As figure 4 shows, a "Dual-Homed Host" is act as a proxy server, proxy clients make request directly to this proxy server rather than the real service provider. It is the proxy server's duty to decide whether or not to forward the clients' service request to the real server, and it is also the proxy server's duty to decide whether or not to release the response to the service requesting clients. Most proxy systems are used to control and optimize outbound connections; they are normally controlled by a site administrator. It is also possible to use proxy servers to control and optimize inbound connections. For instance, to balance connections among multiple servers or to apply extra security. This is sometimes called reverse proxying.

Advantage of using Proxy Server

Compare to simple IP packet filtering firewall, using Proxy Server has the following advantages:

  • Proxy server can be good at logging -- as proxy server understand the application protocols.
  • Proxy server can provide caching -- keeping local copy of frequently requested data.
  • Proxy server can do intelligent filtering -- by looking at specific connection, filtering criteria can on applies to that connection.
  • Proxy server can perform user level authentication -- as it is the Proxies duty to validate the user
  • Proxy server automatically provide protection for weak or fault IP implementation -- as Proxies sit between a clients and the Internet, it generates completely new IP packet for the client. [1:113]

Disadvantage of using Proxy Server

There are also some disadvantages to use a Proxy Server:

  • Proxy Server lag behind Non-proxy Server -- as new Internet service does have a matched Proxy.
  • Proxy services may require different proxy server for each service -- as you may need a different proxy server for each protocol due to the proxy server may need to understand the protocol in order to determine what to allow and dis-allow.
  • Proxy server usually require modification to clients, applications, or procedures to suit a specific Internet service. [1:114]

Stateful multilayer-inspection Firewalls

Firewall Architectures

There are many Firewall Architectures exist within different Computer Networks, but three basic ones are:

  • Single-Box
  • Screened host
  • Screened subnet

This section will expose those architectures' structure and their appropriate uses.

Single-Box

Single-Box firewall architecture is the simplest one as it only has a single object acts as firewall. Compare to other firewall architectures, it has the following advantages:

  • A single place you can concentrate on and be sure that you have correctly configured.
  • Cheaper
  • Easier to understand and explain to management
  • Easier to get from an external vendor
  • Configured once then forget about

In practice, Screening Router, Dual-Homed Host, and Multiple-Purpose Boxes are considered to be Single-Box Firewalls.

Screening Router

As illustrated in Figure 3, it is possible to use a screening router to do IP packet filtering and act like a firewall. Screening routers are most useful for internal firewalls and for networks that are dedicated to providing services to the Internet. The appropriate uses are:

  • The network being protected already has a high level of host security.
  • The number of protocols being used is limited, and he protocols themselves is straightforward.
  • You require maximum performance and redundancy.[1:122]

Dual-Hoed Host

A dual-host host architecture is built around the dual-homed host computer -- a computer that has at lease two network interfaces. Such a hos could act as a router between the networks interfaces are attached to, as it shows in Figure 5.

Multiple-Purpose Boxes

Screened host

Screened subnet

Firewall Software

References

  1. Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman;Building internet Firewalls, Second Edition; Published by O'Reilly & Associates, Inc. @2000; ISBN:1-56592-871-7, McMaster Thode Library: TK 5105.59.Z85 2000
  2. John R. Vacca, Scott R. Ellis; Firewalls, Jumpstart for Network and Systems Administrators; Elsevier digital press @2005; ISBN: 1-55558-297-4, McMaster Thode Library: TK 5105.59.V32 2005
  3. Firewall, Wikipedia, Accessed on April 3rd 2009 21:35.
  4. IPv4 Packet Header, Engineering, University of Aberdeen, Accessed on April 10th 2009 21:10
  5. Multi-Layer Inspection, StoneSoft, Stonesoft.com

See also

External links

  1. Firewalls and Internet Security by Frederic Avolio, Avolio Consulting, Cisco Systems.
  2. History of Firewall Technologies A text file by Rik Farrow and Richard Power, Spirit.com
  3. Linux/Unix Command: iptables,by Juergen Haas, about.com
  4. Firewall Q & A, vicomsoft, vicomsoft.com
  5. Understanding Windows Firewall, Windows Firewall, Microsoft.com
  6. Firewall Test, HackerWatch.org
  7. How To Set Up A Debian Linux Firewall, aboutdebian.com

Time-stamped Signature

Fulx 21:16, 10 April 2009 (EDT)

Personal tools