Firewall fundas
Networking :: Security :: Firewall
Page 1 of 1
Firewall fundas
by sinchuz Fri Jan 04, 2008 9:46 pm
What's a firewall?
A firewall is a component or set of components located at a network, that protects the resources of a private network from users of other networks.A firewall's function within a network is similar to firewalls with fire door in building construction. In former case, it is used to prevent network intrusion to the private network. In latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.In general we can say firewall as a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s. In 1988 an employee at the NASA in California sent a memo by email to his colleagues that read,
The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.
First generation - packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.
Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).
Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.A packet filter looks at each packet entering the network and, based on its policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a basic firewall that works in this way.
Second generation - "stateful" filters
From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.
Second Generation firewalls do not simply examine the contents of each packet on an individual basis without regard to their placement within the packet series as their predecessors had done, rather they compare some key parts of the trusted database packets. This technology is generally referred to as a 'stateful firewall' as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection or part of an existing connection. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.
This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.
Third generation - application layer
Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.
The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way.
Subsequent developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
Types
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.
Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules; or default rules may apply. The term packet filter originated in the context of BSD operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.
Stateless firewalls have packet-filtering capabilities, but cannot make more complex decisions on what stage communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).
Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans.The XML firewall exemplifies a more recent kind of application-layer firewall.
Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.
Introduction
There are many variations of firewalls. Each has a slightly different application. When looking to install a firewall, it is not a simple answer to give when asked which one to select. Does your needs assessment determine why you need a firewall? Take a look below to determine the type of firewall that will meet your need. After you determine the type of firewall you need, the hardest step will be selecting a vendor.
Free Firewall
Many software and desktop firewalls are free. Many of these firewalls are Linux or BSD based and can be quickly set up to protect a small to medium size company quickly.
Desktop Firewall
Any software installed on an operating system to protect a single computer, like the one included with Windows XP, is called a desktop or personal firewall. This type of firewall is designed to protect a single desktop computer. This is a great protection mechanism if the network firewall is compromised.
Software Firewall
This type of firewall is a software package installed on a server operating system which turns the server into a full fledged firewall. Many people do not consider this the most secure type of firewall as you have the inherit security issues of the underlying operating system. This type of firewall is often used as an application firewall. This means the firewall is optimized to protect applications such as web application and email servers. Software firewalls have complex filters to inspect the content of the network traffic to insure that type of traffic is properly formatted.
Hardware Firewall
A hardware firewall is a dedicated hardware device with a proprietary operating system or a stripped down operating system core. These firewalls include network routers with additional firewall capabilities. These firewalls are designed to handle large amounts of network traffic. Hardware firewalls are often placed on the perimeter of the network to filter the internet noise and only allow pre-determined traffic into the network. Sometimes hardware firewalls are used in conjunction with software firewalls so the hardware firewall filters out the traffic and the software firewall inspects the network traffic. When hardware firewalls are bombarded with bogus network traffic they drop the unwanted traffic only letting in the right traffic. This not only protects the software firewall but allows the software firewall only has to inspect proper network traffic thus the combination optimizes the network throughput.
Host
A computer system attached to a network.
Bastion host
A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles.
Marcus Ranum, who is generally held responsible for the popularity of this term in the firewalls professional community, says, "Bastions...overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers."
Dual-homed host
A general-purpose computer system that has at least two network interfaces (or homes)
Packet
The fundamental unit of communication on the Internet.
Packet filtering
The action a device takes to selectively control the flow of data to and from a network. It filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa. To accomplish packet filtering, you set up a set of rules that specify what types of packets (e.g., those to or from a particular IP address or port) are to be allowed and what types are to be blocked. Packet filtering may occur in a router, in a bridge, or on an individual host. It is sometimes known as screening.
Some networking literature (in particular, the BSD UNIX release from Berkeley) uses the term "packet filtering" to refer to something else entirely (selecting certain packets off a network for analysis, as is done by the etherfind or tcpdump programs).
Perimeter network
A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone (named after the zone separating North and South Korea).
Proxy server
A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.
The next few sections briefly describe packet filtering and proxy services, two major approaches used to build firewalls today.
Is proxy server a firewall?
A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and performs some action on your behalf. A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users’ Web browsers, get the Web pages from the Internet, and return them to the user’s browser. Many times, a proxy server also performs authentication to see who is requesting the Web pages and also logs the pages that are requested and the user they are from.
What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from real/global/public Internet addresses to inside/local/private addresses. These private addresses are usually RFC1918 IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
NAT provides some security for your network as you do not have a real Internet IP address and your network, usually, cannot be accessed from the Internet without some outbound connection first being created from your private/inside network.
However, you still need a firewall to protect your network as NAT only hides your network but doesn’t really stop any packets from entering your network.
A firewall is a component or set of components located at a network, that protects the resources of a private network from users of other networks.A firewall's function within a network is similar to firewalls with fire door in building construction. In former case, it is used to prevent network intrusion to the private network. In latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.In general we can say firewall as a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The original idea was formed in response to a number of major internet security breaches, which occurred in the late 1980s. In 1988 an employee at the NASA in California sent a memo by email to his colleagues that read,
The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.
First generation - packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.
Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).
Because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.A packet filter looks at each packet entering the network and, based on its policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a basic firewall that works in this way.
Second generation - "stateful" filters
From 1980-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the second generation of firewalls, calling them circuit level firewalls.
Second Generation firewalls do not simply examine the contents of each packet on an individual basis without regard to their placement within the packet series as their predecessors had done, rather they compare some key parts of the trusted database packets. This technology is generally referred to as a 'stateful firewall' as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection or part of an existing connection. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.
This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.
Third generation - application layer
Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories, and Marcus Ranum described a third generation firewall known as an application layer firewall, also known as a proxy-based firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product. The product was released by DEC who named it the SEAL product. DEC’s first major sale was on June 13, 1991 to a chemical company based on the East Coast of the USA.
The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in a known harmful way.
Subsequent developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
Types
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.
Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules; or default rules may apply. The term packet filter originated in the context of BSD operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed up packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.
Stateless firewalls have packet-filtering capabilities, but cannot make more complex decisions on what stage communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).
Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans.The XML firewall exemplifies a more recent kind of application-layer firewall.
Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.
Introduction
There are many variations of firewalls. Each has a slightly different application. When looking to install a firewall, it is not a simple answer to give when asked which one to select. Does your needs assessment determine why you need a firewall? Take a look below to determine the type of firewall that will meet your need. After you determine the type of firewall you need, the hardest step will be selecting a vendor.
Free Firewall
Many software and desktop firewalls are free. Many of these firewalls are Linux or BSD based and can be quickly set up to protect a small to medium size company quickly.
Desktop Firewall
Any software installed on an operating system to protect a single computer, like the one included with Windows XP, is called a desktop or personal firewall. This type of firewall is designed to protect a single desktop computer. This is a great protection mechanism if the network firewall is compromised.
Software Firewall
This type of firewall is a software package installed on a server operating system which turns the server into a full fledged firewall. Many people do not consider this the most secure type of firewall as you have the inherit security issues of the underlying operating system. This type of firewall is often used as an application firewall. This means the firewall is optimized to protect applications such as web application and email servers. Software firewalls have complex filters to inspect the content of the network traffic to insure that type of traffic is properly formatted.
Hardware Firewall
A hardware firewall is a dedicated hardware device with a proprietary operating system or a stripped down operating system core. These firewalls include network routers with additional firewall capabilities. These firewalls are designed to handle large amounts of network traffic. Hardware firewalls are often placed on the perimeter of the network to filter the internet noise and only allow pre-determined traffic into the network. Sometimes hardware firewalls are used in conjunction with software firewalls so the hardware firewall filters out the traffic and the software firewall inspects the network traffic. When hardware firewalls are bombarded with bogus network traffic they drop the unwanted traffic only letting in the right traffic. This not only protects the software firewall but allows the software firewall only has to inspect proper network traffic thus the combination optimizes the network throughput.
Host
A computer system attached to a network.
Bastion host
A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles.
Marcus Ranum, who is generally held responsible for the popularity of this term in the firewalls professional community, says, "Bastions...overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers."
Dual-homed host
A general-purpose computer system that has at least two network interfaces (or homes)
Packet
The fundamental unit of communication on the Internet.
Packet filtering
The action a device takes to selectively control the flow of data to and from a network. It filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa. To accomplish packet filtering, you set up a set of rules that specify what types of packets (e.g., those to or from a particular IP address or port) are to be allowed and what types are to be blocked. Packet filtering may occur in a router, in a bridge, or on an individual host. It is sometimes known as screening.
Some networking literature (in particular, the BSD UNIX release from Berkeley) uses the term "packet filtering" to refer to something else entirely (selecting certain packets off a network for analysis, as is done by the etherfind or tcpdump programs).
Perimeter network
A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone (named after the zone separating North and South Korea).
Proxy server
A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.
The next few sections briefly describe packet filtering and proxy services, two major approaches used to build firewalls today.
Is proxy server a firewall?
A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and performs some action on your behalf. A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users’ Web browsers, get the Web pages from the Internet, and return them to the user’s browser. Many times, a proxy server also performs authentication to see who is requesting the Web pages and also logs the pages that are requested and the user they are from.
What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from real/global/public Internet addresses to inside/local/private addresses. These private addresses are usually RFC1918 IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
NAT provides some security for your network as you do not have a real Internet IP address and your network, usually, cannot be accessed from the Internet without some outbound connection first being created from your private/inside network.
However, you still need a firewall to protect your network as NAT only hides your network but doesn’t really stop any packets from entering your network.
sinchuz- Number of posts : 5
Registration date : 2007-12-21
Networking :: Security :: Firewall
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|