Chapter 5 Firewall Planning and Design



After reading this chapter and completing the exercises, you will be able to:

Identify common misconceptions about firewalls

Explain why a firewall is dependent on an effective security policy

Describe what a firewall does

Describe the types of firewall protection

Identify the limitations of firewalls

Evaluate and recommend suitable hardware and software for a firewall application

Misconceptions about Firewalls

Some business managers who have heard of a firewall in relation to Internet security have the notion that it is designed to prevent all hackers, viruses, and would-be intruders from entering a computer or computer network. Their notion is not true, however, because firewalls are designed to enable authorized traffic to pass through and block unauthorized traffic.

It is often thought that once a firewall is deployed, you only need to let it operate on its own. The fact is that firewalls are not perfect and work best when they are part of a multi-pronged approach to network security known as Defense in Depth (DiD).

Firewalls Explained

In general, a firewall is anything, whether hardware or software (or a combination of hardware and software), that can filter the transmission of packets of digital information as they attempt to pass through a boundary of a network. Firewalls perform two basic security functions:

Packet filtering: First and foremost, a firewall must be able to determine whether to allow or deny the passage of packets of digital information, based on established security policy rules.

Application proxy: In some cases, a firewall may provide network services to users while shielding individual host computers. This is done by breaking the IP flow (which is the traffic into and out of the network) between the network being protected and the network outside.

Firewall Security Features


Logging unauthorized access

Providing a

Shielding hosts inside the network

Caching data

Filtering content

Firewall User Protection

For a single home user who regularly surfs the Web and uses e-mail and instant messaging, a firewall’s primary job is to keep viruses from infecting files and prevent Trojan horses from entering the system and installing hidden openings called back doors, which can be used for access at a later time.

Quick Quiz


True or False: An effective security policy should state how the company would respond to breaches of security.




A(n) _____ that tells employees what constitutes acceptable use of company resources should be part of an effective security policy.




Firewalls are designed to enable authorized traffic to pass through and _____ unauthorized traffic.

Answer: block


Firewalls work best when they are part of a multi-pronged approach to network security called _____.

Answer: Defense in Depth (DiD)

Firewall Network Perimeter Security

A firewall is often said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

If you have an extranet, an extended network that combines two or more LANs, the location of the “perimeter” becomes unclear. If you maintain a VPN with a supplier or business partner, the VPN should have its own perimeter firewall because your network boundary technically extends to the end of the VPN.

Note that locating the firewall at the perimeter has one obvious benefit: it enables you to set up a checkpoint where you can block “bad things” like viruses and infected e-mail messages before they get inside.

Another benefit is that a firewall enables you to log passing traffic, protecting the whole network at the same time. If an attack does occur, having a security subnet at the perimeter can minimize the damage.


A firewall can contain many components, including:

Packet filter

Proxy server

Authentication system

Software that performs Network Address Translation (NAT)

Many firewalls make use of a bastion host, a machine that has no unnecessary services. A network that needs to connect to the Internet might have a bastion host and a service network. Together they are the only part of the organization exposed to the Internet.


Security Tasks

A firewall that does packet filtering addresses the tendency of hackers to open an attack by scanning for network addresses and open ports. (A port is a virtual gateway on a computer through which a particular type of data is allowed to pass. Each port is assigned a number between 0 and 65,535.) Initially, a hacker uses special software to scan a series of addresses, attempting to connect to a computer on each. If any computer answers, it gives the hacker a target. Any gateway or router acting as a packet filter on your network or in your firewall should be configured to reject connection requests from computers that are not on your network.

Note that a port number combined with a computer’s IP address constitutes a network connection called a socket. Port scanning is commonly used by hackers to identify sockets that respond to connection requests. Sockets that respond can be targeted to see if they have been left open or if they have security vulnerabilities that can be exploited. Some examples of services and the ports they use:

Simple Mail Transport Protocol (SMTP) listens on port 25

Post Office Protocol, version 3 (POP3) listens for incoming mail on port 110

Hypertext Transport Protocol (HTTP) Web services use port 80

Restricting Access from Outside the Network

The most obvious goal of a firewall is to regulate which packets of information can enter the network. To do so, a firewall examines each packet to determine whether it meets the necessary “authorized” criteria. The criteria might be protocols or IP addresses on an “approved” list. Anything not on the list is excluded.

Restricting Unauthorized Access from Inside the Network

In some ways, it is relatively easy to protect a network from the Internet but more difficult to protect it from an inside attack. You should be aware of the following possibilities:

Staff who bring floppy disks that are virus-infected

Staff who access their office computers from home using remote access software that bypasses the perimeter firewall

Social engineering

Poorly trained firewall administrators

Employees who receive e-mail messages with executable attachments


Limiting Access to External Hosts

Firewalls can selectively permit traffic to go from inside the network to the Internet or other networks to provide more precise control of how employees inside the network use external resources. In other words, the firewall can act as a proxy server that makes high-level application connections on behalf of internal hosts and other machines. A single firewall product can provide both outbound packet filtering and outbound proxy services.

Protecting Critical Resources

Attacks on critical resources are becoming all too common. Worms are one type of attack. They “worm” their way into a computer in an e-mail attachment or a downloaded file, where they then replicate themselves. They are only slightly different from viruses, which also worm their way into a computer but then do much more destructive behavior than just replication. Trojan horses are similar to viruses; they contain malicious code that is hidden inside supposedly harmless programs. Distributed Denial of Service (DDoS) attacks are just as harmful. They are caused when a hacker floods a server with requests, shutting down the server and making Web sites and networks that depend on that server unreachable.

Protecting Against Hacking

Hacking, in general, is the practice of infiltrating computers or networks to steal data, cause harm, or simply claim credit for getting inside. The impacts of this type of attack include:

Loss of data

Loss of time

Loss of staff resources

Loss of confidentiality

Quick Quiz


A secure mini-network created by combining firewalls with routers and positioned between the internal network and the outside world is called a(n) ______.

Answer: demilitarized zone (DMZ)


A(n) ______ is a virtual gateway on a computer through which a particular type of data is allowed to pass.

Answer: port


The firewall can act as a ______, which is software that makes high-level application connections on behalf of internal hosts and other machines.

Answer: proxy server


______ attacks are caused when a hacker floods a server with requests, shutting down the server and making Web sites and networks that depend on that server unreachable.

Answer: Distributed Denial of Service (DDoS)


The process of logging in to a server with a username and a password to access protected information is called


Providing Centralization

A firewall centralizes security for the organization it protects. It simplifies the security-related activities of the administrator, who typically has many other responsibilities. Having a firewall on the perimeter gives the administrator a single location from which to configure security policies and monitor arriving and departing


Enabling Documentation

Every firewall should be configured to provide information to the network administrator in the form of log files. These log files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses, unsuccessful connection attempts, and the like.

Providing for Authentication

Authentication is the process of logging in to a server with a username and a password before being allowed access to protected information. Only users who have registered their username and password are recognized by the server and allowed to enter. The authentication process can also be performed at the firewall and make use of encryption to protect the usernames and passwords transmitted from client to server (or client to firewall).

Contributing to a VPN

A firewall is an ideal endpoint for a VPN, which connects two companies’ networks over the Internet. A VPN is one of the safest ways to exchange information online.

Types of Firewall Protection

Some examples of firewall functions and the corresponding layers at which they operate include:

Layer Number    OSI Reference Model Layer    Firewall Technology
7               Application                  Application-level gateway
5               Session                      SOCKS proxy server
3               Network                      Packet filtering
2               Data Link                    MAC layer firewall

Packet filters are an effective element in any perimeter security setup. In addition, they have the advantage of not taking up bandwidth, or the capacity of network cables to convey information, the way proxy servers do.

A packet, which is sometimes called a datagram, contains two types of information: the header and the data. Packet filters use packet headers to decide whether to block the packet or allow it to pass through a firewall. Note that your job as a system administrator would be to configure the firewall to deny all packets that arrive from outside but contain a source IP address that seems to be coming from within the network.

Stateless Packet-Filtering Firewalls

Stateless inspection, also called stateless packet filtering, is firewall packet inspection that ignores the state of the connection between the internal computer and the external computer. A firewall that conducts stateless packet filtering simply blocks or allows a packet based on the information in the header.

Stateful Packet-Filtering Firewalls

Stateful inspection, also called stateful packet filtering, is an examination of the data contained in a packet as well as the state of the connection between internal and external computers. This information, known as the state table, is kept in a memory location called the cache. Stateful inspection is superior to stateless inspection because it uses the connection state to make decisions on whether to allow the traffic.

Filtering Rules

Some of the most general packet-filtering rules include:

Any outbound packet must have a source address that is in your internal network.

Any outbound packet must not have a destination address that is in your internal network.

Any inbound packet must not have a source address that is in your internal network.

Any inbound packet must have a destination address that is in your internal network.

Any packet that enters or leaves your network must have a source or destination address that falls within the range of addresses in your network.
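The address rules above, together with the earlier note about denying outside packets that carry an internal source address, can be expressed as a small stateless filter. This is an added illustration, not part of the chapter; the internal network range and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: the protected internal network (not stated in the chapter).
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address from the packet header
    dst: str        # destination IP address from the packet header
    direction: str  # "in" = arriving from outside, "out" = leaving the network


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> str:
    """Apply the general packet-filtering rules to one packet header.

    Only header fields are consulted (no connection state), which is what makes
    this stateless packet filtering. Returns "allow" or "deny".
    """
    src_in, dst_in = is_internal(pkt.src), is_internal(pkt.dst)
    if pkt.direction == "out":
        if not src_in:
            return "deny"   # outbound source must be one of our addresses
        if dst_in:
            return "deny"   # outbound destination must not be internal
        return "allow"
    if pkt.direction == "in":
        if src_in:
            return "deny"   # outside packet claiming an internal source (spoofing)
        if not dst_in:
            return "deny"   # not addressed to our network: do not forward it
        return "allow"
    return "deny"           # unknown direction: fail closed


# Constructed sample traffic (not from the chapter).
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "out"),   # normal outbound request
    Packet("10.1.2.3", "10.1.2.4", "out"),        # internal destination leaving: deny
    Packet("203.0.113.10", "10.1.2.3", "in"),     # normal inbound packet
    Packet("10.1.2.3", "10.1.2.4", "in"),         # spoofed internal source from outside: deny
    Packet("198.51.100.7", "192.0.2.9", "in"),    # transit traffic not for our network: deny
]


def filter_all(packets=SAMPLE):
    """Return the verdict for each packet in order."""
    return [stateless_filter(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, filter_all()):
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {verdict}")
```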

Filter rules can restrict the transmission of packets. These rules include the use of the following:

Internet Control Message Protocol (ICMP)

User Datagram Protocol (UDP)

TCP filtering

IP filtering

PAT and NAT

Each computer on the network is assigned an IP address. If that address is static, it is relatively easy for a hacker to find it and gain access to the computer more than once. With a static, reliable IP address, a hacker can use a computer as a staging area for launching long, sustained attacks.

Port Address Translation (PAT) and Network Address Translation (NAT) are addressing methods that make internal network addresses invisible to outside computers. PAT and NAT hide the TCP/IP information of hosts in the network being protected to prevent attackers from getting the address of an actual host on your internal network.

PAT and NAT function as a network-level proxy; the proxy acts as a single host that makes requests on behalf of all hosts on the network. NAT hides the identity of hosts from anyone outside the network by converting the IP address of internal hosts to the IP address of the firewall. To someone on the Internet or outside network, it seems like all information is coming from a single computer.
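The translation just described can be shown as a table kept by the firewall: outbound packets leave with the firewall’s address and a translated port, replies are mapped back by that port, and anything not matching a mapping never reaches an internal host. This is an added example, not the chapter’s own material; the firewall address, hosts and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: the firewall's single outside (public) address.
FIREWALL_PUBLIC_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortAddressTranslator:
    """Port Address Translation: many internal hosts share one outside address.

    Each internal (ip, port) socket is given its own outside port, so the
    outside world sees only FIREWALL_PUBLIC_IP. Inbound packets are forwarded
    only if they target a port we handed out; everything else is dropped, which
    is why real internal addresses stay hidden.
    """

    def __init__(self, public_ip: str = FIREWALL_PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (internal ip, internal port) -> translated outside port
        self.in_map = {}    # translated outside port -> (internal ip, internal port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the firewall."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            tport = self.next_port          # allocate a fresh outside port
            self.next_port += 1
            self.out_map[key] = tport
            self.in_map[tport] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the firewall back to the internal host, or drop it."""
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None                     # no mapping: unsolicited, dropped
        host, port = self.in_map[pkt.dport]
        return Packet(pkt.src, pkt.sport, host, port)


def demo():
    """Two internal hosts using the same source port, one reply, one unsolicited packet."""
    pat = PortAddressTranslator()
    a = pat.outbound(Packet("10.0.0.5", 50000, "198.51.100.7", 80))
    b = pat.outbound(Packet("10.0.0.6", 50000, "198.51.100.7", 80))
    reply_a = pat.inbound(Packet("198.51.100.7", 80, FIREWALL_PUBLIC_IP, a.sport))
    unsolicited = pat.inbound(Packet("198.51.100.7", 80, FIREWALL_PUBLIC_IP, 9999))
    return a, b, reply_a, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```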

Application Layer Gateways

Another type of firewall protection is the application layer gateway, also known as a proxy server. This type of gateway works at the Application layer, the top layer of the OSI model of network communications.

An overview of firewalls and what they do would not be complete without mentioning the following security features:

IP address mapping

Filtering content

URL filtering

Quick Quiz


______ packet filtering examines the data contained in a packet and keeps a memory of the state of the connection between client and server in disk cache.




The protocol used by utilities like Ping and Traceroute to report any errors that occurred in the transmission is

Answer: Internet Control Message Protocol (ICMP)


True or False: A NAT functions as a network-level proxy; it acts as a single host that makes requests on behalf of all the internal hosts on the network.

Answer: True


The security technique used to block a site’s Domain Name System (DNS) name is called


Answer: URL filtering

Firewall Categories

Firewalls can be categorized by processing mode, generation, or structure. Firewalls categorized by level of technology are identified by generation, with the later generations being more complex and more recently developed. Firewalls categorized by intended structure are typically divided into categories including residential- or commercial-grade, hardware-based, or appliance-based devices.

Processing Mode

The processing modes are: packet filtering, application gateways, circuit gateways, MAC layer firewalls, and hybrids.

Packet-Filtering Firewalls

Packet-filtering firewalls examine the header information of data packets that come into a network. The restrictions most commonly implemented are based on a combination of:

Internet Protocol (IP) source and destination address

Direction (inbound or outbound)

Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Simple firewall models examine one aspect of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.

They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators. There are three subsets of packet-filtering firewalls:

Static filtering

Dynamic filtering

Stateful inspection

Static filtering requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed.

Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with the event.

While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall.


Stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent which packet and when.

Whereas simple packet-filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can block incoming packets that are not responses to internal requests.

The primary disadvantage of this type of firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack.
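The state-table behaviour described here and in the earlier Stateful Packet-Filtering Firewalls section, as an added example (not from the chapter): outbound requests create entries recording who sent what and when, unsolicited inbound packets are denied, and a size limit plus idle timeout bound the table so that the processing and memory cost named above cannot grow without limit. Addresses, ports and timestamps are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = internal -> external, "in" = external -> internal


class StatefulFilter:
    """Stateful packet filter backed by a bounded state table."""

    def __init__(self, max_entries: int = 1000, ttl: int = 60):
        # key (src, sport, dst, dport) of the internal request -> time last seen
        self.table = OrderedDict()
        self.max_entries = max_entries   # cap on tracked connections
        self.ttl = ttl                   # seconds an idle entry survives

    def _expire(self, now: int) -> None:
        """Drop entries idle longer than ttl so the table cannot fill with stale state."""
        for key, seen in list(self.table.items()):
            if now - seen > self.ttl:
                del self.table[key]

    def inspect(self, pkt: Packet, now: int) -> str:
        self._expire(now)
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table and len(self.table) >= self.max_entries:
                return "deny"            # table full: refuse new state instead of exhausting memory
            self.table[key] = now        # create or refresh the connection's state
            self.table.move_to_end(key)
            return "allow"
        if pkt.direction == "in":
            # A reply reverses the addresses and ports of the internal request.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                self.table[key] = now
                return "allow"
            return "deny"                # not a response to any internal request
        return "deny"


def demo():
    """Request, matching reply, unsolicited inbound packet, and a reply after expiry."""
    fw = StatefulFilter(max_entries=2, ttl=30)
    return [
        fw.inspect(Packet("10.0.0.5", 40000, "203.0.113.10", 80, "out"), now=0),
        fw.inspect(Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in"), now=1),
        fw.inspect(Packet("198.51.100.7", 80, "10.0.0.5", 40000, "in"), now=2),
        fw.inspect(Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in"), now=100),
    ]


if __name__ == "__main__":
    print(demo())
```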

Application Gateways

The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router.

The application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.

Since the proxy server is often placed in an unsecured area of the network or in the DMZ, it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks.

Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system and thereby further protecting internal systems.

Circuit Gateways

The circuit gateway firewall operates at the transport layer. Connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another.

They accomplish this by creating tunnels that connect specific processes or systems on each side of the firewall and then allowing only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.

MAC Layer Firewalls

While not as well known or widely referenced as the firewall approaches above, MAC layer firewalls are designed to operate at the media access control layer of the OSI network model. This gives these firewalls the ability to consider the specific host computer’s identity in its filtering decisions.

Using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.

Hybrid Firewalls

Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

Alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.

Firewalls Categorized by Generation

First-generation firewalls are static packet-filtering firewalls; that is, they are simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s networks.

Second-generation firewalls are application-level firewalls or proxy servers; that is, they are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

Third-generation firewalls are stateful inspection firewalls, which monitor network connections between internal and external systems using state tables.

Fourth-generation firewalls are dynamic packet-filtering firewalls and allow only a particular packet with a particular source, destination, and port address to enter.

Fifth-generation firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.

Firewall Structures

Firewall appliances are stand-alone, self-contained systems that frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of their being compromised.

A commercial-grade firewall system consists of firewall application software running on a general-purpose computer. Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware that has been configured to the specifications that yield optimum performance for the firewall software.

SOHO and residential-grade firewall devices, also known as broadband gateways or DSL/cable modem routers, connect the user’s local area network or a specific computer system to the Internetworking device. The SOHO firewall serves first as a stateful firewall to enable inside-outside access, and it can be configured to allow limited TCP/IP port forwarding and screened subnet capabilities.

Residential-grade firewall software is installed directly on the user’s system. Some of these applications combine firewall services with other protections such as antivirus or intrusion detection. There are limits to the level of configurability and protection that software firewalls can provide.

Software vs. Hardware: The SOHO Firewall Debate

So which type of firewall should the residential user implement? Where would you rather defend against a hacker?

With the software option, the hacker is inside your computer, battling with a piece of software that may not have been correctly installed, configured, patched, upgraded, or designed. If the software happens to have a known vulnerability, the hacker could bypass it and then have unrestricted access to your system.

With the hardware device, even if the hacker manages to crash the firewall system, your computer and information are still safely behind the now disabled connection, which is assigned a nonroutable IP address, making it virtually impossible to reach from the outside.

Firewall Architectures

Each of the firewall devices noted earlier can be configured in a number of network connection architectures. The firewall configuration that works best for a particular organization depends on three factors: the objectives of the network, the organization’s ability to develop and implement the architectures, and the budget available for the function.

Although literally hundreds of variations exist, there are four common architectural implementations of firewalls:

Packet-filtering routers

Screened host firewalls

Dual-homed host firewalls

Screened subnet firewalls

Packet-Filtering Routers

Most organizations with an Internet connection have a router as the interface to the Internet at the perimeter between the organization’s internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not allow into the network.

The drawbacks to this type of system include a lack of auditing and strong authentication and the fact that the complexity of the access control lists used to filter the packets can grow and degrade network performance.

Screened Host Firewalls

This architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.

The application proxy examines an application layer protocol and performs the proxy services. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be thoroughly secured.

Dual-Homed Host Firewalls

With this approach, the bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs, all traffic must go through the firewall in order to move between the internal and external networks.

Implementation of this architecture often makes use of NAT. NAT is a method of mapping assigned IP addresses to special ranges of nonroutable internal IP addresses, thereby creating yet another barrier to intrusion from external attacks.

Screened Subnet Firewalls (with DMZ)

The dominant architecture used today, the screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.

A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network:

Connections from the outside or untrusted network are routed through an external filtering router.

Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.

Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

The screened subnet is an entire network segment that performs two functions:

It protects the DMZ systems and information from outside threats by providing a network of intermediate

It protects the internal networks by limiting how external connections can gain access to internal systems.

DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
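The three connection rules of the screened subnet, written as a zone-based policy and checked against sample flows. This is an added example rather than the chapter’s own material; the zone address ranges, the bastion hosts and the published DMZ services are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network plan (assumptions, not from the chapter).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),     # trusted network
    "dmz": ip_network("192.0.2.0/24"),        # screened subnet
}
BASTION_HOSTS = {"192.0.2.10", "192.0.2.25"}  # DMZ servers allowed to reach inside
DMZ_SERVICES = {                               # (host, port) pairs published to the outside
    ("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Classify an address as internal, dmz, or outside (anything else)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def screened_subnet_policy(flow: Flow) -> str:
    """Decide a new connection under the screened-subnet rules above."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "outside" and d == "dmz":
        # Untrusted traffic is routed into the DMZ, but only to published services.
        return "allow" if (flow.dst, flow.dport) in DMZ_SERVICES else "deny"
    if s == "outside" and d == "internal":
        return "deny"    # no direct path from the untrusted network to the trusted one
    if s == "dmz" and d == "internal":
        # Into the trusted network only from the DMZ bastion hosts.
        return "allow" if flow.src in BASTION_HOSTS else "deny"
    if s == "internal":
        return "allow"   # internal hosts may initiate outward (replies tracked statefully)
    return "deny"        # anything unlisted (e.g. DMZ host initiating outward) fails closed


# Constructed sample flows (not from the chapter).
SAMPLE = [
    Flow("198.51.100.7", "192.0.2.10", 443),   # outside -> DMZ web server: allow
    Flow("198.51.100.7", "192.0.2.10", 22),    # outside -> unpublished DMZ port: deny
    Flow("198.51.100.7", "10.0.0.5", 445),     # outside -> internal host directly: deny
    Flow("192.0.2.10", "10.0.0.20", 3306),     # bastion host -> internal database: allow
    Flow("192.0.2.77", "10.0.0.20", 3306),     # non-bastion DMZ host -> internal: deny
    Flow("10.0.0.5", "198.51.100.7", 80),      # internal -> outside: allow
]


def evaluate(flows=SAMPLE):
    """Return the verdict for each flow in order."""
    return [screened_subnet_policy(f) for f in flows]


if __name__ == "__main__":
    for f, verdict in zip(SAMPLE, evaluate()):
        print(f"{zone_of(f.src):8} {f.src:>14} -> {f.dst:<12}:{f.dport:<5} {verdict}")
```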

Limitations of Firewalls

Firewalls should not be the only form of protection for a network.

They should be part of an overall security plan and should be used in conjunction with other forms of protection, including ID cards, passwords, and employee rules of conduct.

