Firewall: Packet Filtering

CS265 Project Report

Prof: Dr. Mark Stamp

By: Deepali Holankar

SJSU Spring 2003

Date submitted: April 14, 2003.

CS265 Security Engineering

















Index

Introduction

Major Types of Network Attacks

Firewalls

Basic Firewall Operation

Professional Firewalls Have Their Own IP Layer

Firewall Types

Packet Filtering Firewall

Filtering features available in different operating systems

Circuit level Gateway

Application level Gateway

Stateful Multilayer Inspection Firewall

Conclusion
























Introduction

In this age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, there is indeed no time at which security does not matter. The explosive growth in computer systems and their interconnections via networks has increased the dependency of both organizations and individuals on the information stored and communicated using these systems. This has led to a heightened awareness of the need to protect data and resources from disclosure, to guarantee the authenticity of data and to protect systems from network-based attacks.

Major Types of Network Attacks

TCP SYN flooding and IP spoofing attacks

Smurfing

Distributed Denial of Service attacks (DDoS)

Mail spam

DNS spoofing (malicious cache poisoning)

Firewalls

Major networking security technologies include one or more of the following techniques: encryption, firewalls, and virtual private networks.

The scope of this paper is limited to one security technology for the networked world: firewalls.

A computer firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It may be a hardware device or a software program running on a secure host computer. In either case, a network firewall has at least two network interfaces, one for the network it is intended to protect and one for the network it is exposed to. It sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest computer firewalls were simple routers.

An Internet firewall examines all traffic routed between your network and the Internet to see if it meets certain criteria. If it does, the traffic is routed between the networks; otherwise it is stopped. A network firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and to trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers; this is known as address filtering. Firewalls can also filter specific types of network traffic; this is known as protocol filtering because the decision to forward or reject traffic depends on the protocol used, for example HTTP, FTP or telnet. Firewalls can also filter traffic by packet attribute or state.




There are two access-denial methodologies used by computer firewalls. A firewall may allow all traffic through unless it meets certain criteria (default allow), or it may deny all traffic unless it meets certain criteria (default deny). Default deny is the safer posture, since anything the administrator forgot to consider is blocked rather than let through. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through. How a firewall determines what traffic to let through depends on which network layer it operates at. A discussion of network layers and architecture follows.

Basic Firewall Operation

How does a network firewall interact with the OSI and TCP/IP network models?

Network firewalls operate at different layers and use different criteria to restrict traffic. The lowest layer at which a conventional firewall works is layer three (link-layer filtering on MAC addresses exists but is outside the scope of this paper). In the OSI model this is the network layer; in TCP/IP it is the Internet Protocol layer. This layer is concerned with routing packets to their destination. At this layer a firewall can determine whether a packet is from a trusted source, but cannot be concerned with what it contains or what other packets it is associated with. Firewalls that operate at the transport layer know a little more about a packet, and are able to grant or deny access depending on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access. It would appear, then, that firewalls functioning at a higher level in the stack must be superior in every respect. This is not necessarily the case, however. The lower in the stack the packet is intercepted, the less of the firewall host is exposed to it: if an intruder cannot get past layer three, the host's transport and application code, where most exploitable software lives, is never reached, and gaining control of the operating system becomes far harder.

Professional Firewalls Have Their Own IP Layer

Professional firewall products catch each network packet before the operating system does; thus there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer and then "open the doors" from the inside. According to Byte Magazine, traditional firewall technology is susceptible to misconfiguration on non-hardened operating systems. More recently, however, "...firewalls have moved down the protocol stack so far that the OS doesn't have to do much more than act as a bootstrap loader, file system and GUI". The author goes on to state that newer firewall code bypasses the operating system's IP layer altogether, never permitting "potentially hostile traffic to make its way up the protocol stack to applications running on the system".


Firewall Types

Firewalls fall into four broad categories:

Packet filters

Circuit level gateways

Application level gateways

Stateful multilayer inspection firewalls

Packet Filtering Firewall

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router firewall. A router is a device that receives packets from one network and forwards them to another.


In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall looks only at packet headers, however: it keeps no record of which packets belong together and cannot support sophisticated rule-based models, so, for example, replies to outbound connections can only be admitted by opening whole port ranges inbound. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
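As an added example (not code from the report), the following Python models the packet filter just described: a stateless, first-match rule list evaluated over header fields only, with an implicit default deny. The rule syntax, the Packet structure, the address ranges and the sample packets are assumptions chosen here. The constructed ruleset also shows the anti-spoofing rule a border filter needs and the blind opening of inbound high ports that a stateless filter requires to let replies through.

```python
"""Stateless packet filter: first-match evaluation of header-only rules.

Added illustration, not code from the report. The rule syntax, the Packet
fields and the sample addresses are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only what a packet filter can see: direction plus IP/transport headers."""
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 when the protocol has no ports (icmp)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One line of the assumed syntax:
    <permit|deny> <in|out|any> <tcp|udp|icmp|any> <src cidr|any> <dst cidr|any> <port|lo-hi|any>
    """
    action: str
    direction: str
    proto: str
    src: Any                   # ipaddress network, or None for "any"
    dst: Any
    dports: Tuple[int, int]    # inclusive destination port range; (0, 65535) = any
    text: str                  # original line, kept for logging

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        lo, hi = self.dports
        return lo <= p.dport <= hi


def parse_ports(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return (lo_i, hi_i)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields: {raw!r}")
        action, direction, proto, src, dst, ports = fields
        if (action not in ("permit", "deny") or direction not in ("in", "out", "any")
                or proto not in ("tcp", "udp", "icmp", "any")):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, direction, proto,
                          None if src == "any" else ip_network(src, strict=False),
                          None if dst == "any" else ip_network(dst, strict=False),
                          parse_ports(ports), line))
    return rules


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to the default.
    The default chosen here is deny, the safer of the two postures the text names."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return (r.action, i)
    return ("deny", None)


def filter_packets(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, Optional[int]]]:
    return [evaluate(rules, p) for p in packets]


# Constructed ruleset for a LAN 192.168.1.0/24 with a web server at 192.168.1.10.
RULESET_TEXT = """
# Anti-spoofing: a packet arriving from outside must not claim an internal source
deny   in  any 192.168.1.0/24 any            any
# Public web server reachable from anywhere
permit in  tcp any            192.168.1.10   80
permit in  tcp any            192.168.1.10   443
# A stateless filter cannot tell replies from new connections, so inbound
# traffic to client ports has to be opened blindly: the classic weakness
permit in  tcp any            192.168.1.0/24 1024-65535
# Internal hosts may browse and resolve names
permit out tcp 192.168.1.0/24 any            80
permit out tcp 192.168.1.0/24 any            443
permit out udp 192.168.1.0/24 any            53
"""
RULES = parse_rules(RULESET_TEXT)

# Constructed packets exercising each branch of the ruleset (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("in",  "tcp", "203.0.113.5",  "192.168.1.10", 40000, 80),    # web: permit (rule 1)
    Packet("in",  "tcp", "203.0.113.5",  "192.168.1.10", 40001, 23),    # telnet: default deny
    Packet("in",  "tcp", "192.168.1.7",  "192.168.1.10", 40002, 80),    # spoofed source: deny (rule 0)
    Packet("in",  "tcp", "203.0.113.5",  "192.168.1.20", 80,    51000), # unsolicited, yet permitted (rule 3)
    Packet("out", "udp", "192.168.1.20", "198.51.100.1", 53000, 53),    # DNS: permit (rule 6)
    Packet("out", "tcp", "192.168.1.20", "203.0.113.9",  53001, 25),    # SMTP: default deny
]

if __name__ == "__main__":
    for p, (verdict, idx) in zip(SAMPLE_PACKETS, filter_packets(RULES, SAMPLE_PACKETS)):
        why = RULES[idx].text if idx is not None else "default policy"
        print(f"{verdict:6} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({why})")
```

The fourth sample packet is the point of the exercise: a segment from port 80 to a client port that no internal host ever asked for is accepted, because rule 3 has to exist for legitimate replies to get back in. Only a filter that remembers sessions can close that hole.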









The TCP protocol ensures reliable connection-oriented transmission of packets between client and server.

The flow of the TCP server program (the HTTP proxy built for this project) can be described in the following steps:

The TCP server opens port 8080 and listens for client requests.

The TCP client opens a socket and requests a connection to the server.

The TCP server accepts the request (the accept system call).

The TCP client sends an HTTP/1.1 GET request.

The TCP server sends back the response if the client and web server addresses are permitted by the firewall rules.

Otherwise the TCP server sends an HTTP/1.1 403 Forbidden response.


Simple TCP Event Diagram

(Figure: Web Browser (TCP Client) <--> HTTP Proxy (TCP Server, firewall rules) <--> Web server. Steps shown: listen at port; request connection; accept connection; send HTTP GET request; send response or Forbidden message; close connections. Proxy verdicts: Permit, or Deny with 403.)












A similar event diagram applies between the HTTP proxy and the web server.

The proxy validates the server and client addresses and ports and checks whether they are denied by the firewall rules.

The firewall rules are described in text format as follows:

<hostname | ip address> <direction: in | out> <action: permit | deny>

For example:

www.yahoo.com out deny
www.google.com out permit
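The rule check the proxy performs, as an added example that is not the project's code. It parses rules in the text format above, extracts the host from an HTTP request the way a proxy receives it (absolute URI on the request line, or the Host header), and returns the 403 response on a deny. The request parsing, the static name table that stands in for DNS so the example runs offline, the sample hosts other than www.yahoo.com, and the default-permit policy (the report's proxy only asks whether a host is denied) are assumptions. The name table exists so that putting the denied host's IP address in the URL does not bypass a hostname rule.

```python
"""Rule check for an HTTP proxy using the report's rule format:
    <hostname | ip address> <in | out> <permit | deny>
Added illustration, not the report's code. Request parsing, the static
name table, the sample hosts and the default policy are assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Rule = Tuple[str, str, str]   # (target, direction, action)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # comments are an addition to the format
        if not line:
            continue
        target, direction, action = line.lower().split()
        if direction not in ("in", "out") or action not in ("permit", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append((target, direction, action))
    return rules


def parse_request(raw: bytes) -> Tuple[str, str]:
    """Return (method, host) from an HTTP/1.x request as a proxy sees it.
    Proxy clients put an absolute URI on the request line; fall back to Host otherwise."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = urlsplit(target).hostname or ""
    if not host:
        for h in lines[1:]:
            name, _, value = h.partition(":")
            if name.strip().lower() == "host":
                host = urlsplit("//" + value.strip()).hostname or ""   # strips any :port
                break
    if not host:
        raise ValueError("request carries no host")
    return method, host.lower()


def names_for(host: str, resolver: Dict[str, str]) -> Set[str]:
    """Every identifier the host is known by: the name, its address, and any
    other name mapping to that address, so an IP in the URL cannot slip past a name rule."""
    addr = resolver.get(host, host)
    keys = {host, addr}
    keys.update(n for n, a in resolver.items() if a == addr)
    return keys


def decide(host: str, direction: str, rules: List[Rule], resolver: Dict[str, str],
           default: str = "permit") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. The report's proxy only checks for a deny, which
    amounts to a default of permit; default deny would be the safer choice."""
    keys = names_for(host, resolver)
    for rule in rules:
        target, rdir, action = rule
        if rdir == direction and target in keys:
            return action, rule
    return default, None


def forbidden_response() -> bytes:
    body = b"<html><body><h1>403 Forbidden</h1>Blocked by proxy rules.</body></html>"
    return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n" + body)


def proxy_check(raw: bytes, rules: List[Rule], resolver: Dict[str, str]) -> Tuple[str, Optional[bytes]]:
    """Verdict for an outbound browser request, plus the response to send back on a deny."""
    _method, host = parse_request(raw)
    verdict, _rule = decide(host, "out", rules, resolver)
    return verdict, (forbidden_response() if verdict == "deny" else None)


# Constructed rule file in the report's format.
RULE_TEXT = """
www.yahoo.com   out deny
www.example.com out permit
203.0.113.7     out deny      # a rule on an address rather than a name
"""
RULES = parse_rules(RULE_TEXT)

# Constructed stand-in for DNS (documentation address ranges), so the example runs offline.
RESOLVER = {"www.yahoo.com": "203.0.113.5", "www.example.com": "198.51.100.3",
            "mirror.example.net": "203.0.113.7"}

if __name__ == "__main__":
    for req in [b"GET http://www.yahoo.com/ HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n",
                b"GET http://203.0.113.5/ HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n",
                b"GET http://mirror.example.net/ HTTP/1.1\r\n\r\n"]:
        print(req.split(b"\r\n")[0].decode(), "->", proxy_check(req, RULES, RESOLVER)[0])
```

Two of the four sample requests are the interesting ones: the second names the denied host by its address, and the fourth names a host that resolves to a denied address; both are caught only because the check compares every identifier of the host rather than the literal string in the rule.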


















(Figure: the two rule directions, IN and OUT.)





Filtering features available in different operating systems:

Linux: iptables (the successor to ipchains, which it replaced in the 2.4 kernel).
http://www.linuxguruz.org/iptables/howto/maniptables.html (man page of iptables)

Windows: ISAPI (Internet Server Application Programming Interface), the filter and extension interface of the IIS web server, which lets a filter DLL inspect and reject HTTP requests; it is an application-level hook rather than a packet filter.

Circuit level Gateway

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor the TCP handshake between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.






Application level Gateway

Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET. This cannot be accomplished with either packet filtering firewalls or circuit level gateways, neither of which knows anything about the application level information. Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance, because every connection is terminated at the proxy and re-originated, with the extra copying and context switches that implies. They are not transparent to end users and require manual configuration of each client computer.

Stateful Multilayer Inspection Firewall

Stateful multilayer inspection firewalls combine aspects of the other three types of firewall. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application-specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive, however, and due to their complexity are potentially less secure than simpler types of firewall if not administered by highly competent personnel.
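The handshake monitoring described for circuit level gateways and the session tracking of stateful inspection, as an added example that is not the report's code: a connection tracker that admits a TCP segment only if it fits the state of the session it belongs to, rejects unsolicited inbound segments that a stateless filter would have to let through, and caps half-open connections per source, which is the SYN-flood pattern listed under network attacks. The Segment representation, the state names, the listening-service table, the limit and the trace are assumptions made here.

```python
"""Connection tracker for a stateful TCP filter (added example, not the report's code).
Segment fields, state names, the listening table and the half-open limit are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = sent by a protected host, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters: "S", "SA", "A", "F" or "R" (payload not modelled)


class ConnTracker:
    """Session table keyed by 4-tuple; a segment passes only if it fits its session's state."""

    def __init__(self, listening: Set[Tuple[str, int]], half_open_limit: int = 3):
        self.listening = listening                 # (internal ip, port) services exposed inbound
        self.half_open_limit = half_open_limit
        self.table: Dict[Tuple[str, int, str, int], str] = {}
        self.flood_suspects: Set[str] = set()

    @staticmethod
    def key(s: Segment) -> Tuple[str, int, str, int]:
        """Orient the 4-tuple as (internal ip, port, external ip, port) for both directions."""
        return (s.src, s.sport, s.dst, s.dport) if s.direction == "out" else (s.dst, s.dport, s.src, s.sport)

    def half_open_from(self, external_ip: str) -> int:
        return sum(1 for (_, _, ext, _), st in self.table.items() if ext == external_ip and st == "SYN_RECV")

    def process(self, s: Segment) -> Tuple[str, str]:
        k = self.key(s)
        state = self.table.get(k)
        if state is None:                          # no session yet: only a SYN may create one
            if s.flags != "S":
                return ("deny", "no-state")        # unsolicited ACK/data: a stateless filter lets this in
            if s.direction == "out":
                self.table[k] = "SYN_SENT"
                return ("permit", "SYN_SENT")
            if (s.dst, s.dport) not in self.listening:
                return ("deny", "not-listening")
            if self.half_open_from(s.src) >= self.half_open_limit:
                self.flood_suspects.add(s.src)     # many unfinished handshakes from one source
                return ("deny", "half-open-limit")
            self.table[k] = "SYN_RECV"
            return ("permit", "SYN_RECV")
        if s.flags == "R":                         # a reset ends the session from either side
            del self.table[k]
            return ("permit", "RESET")
        if state == "SYN_SENT":                    # waiting for the remote server's SYN/ACK
            if s.direction == "in" and s.flags == "SA":
                self.table[k] = "ESTABLISHED"
                return ("permit", "ESTABLISHED")
            return ("deny", "bad-handshake")
        if state == "SYN_RECV":                    # our server's SYN/ACK goes out, client's ACK comes in
            if s.direction == "out" and s.flags == "SA":
                return ("permit", "SYN_RECV")
            if s.direction == "in" and s.flags == "A":
                self.table[k] = "ESTABLISHED"
                return ("permit", "ESTABLISHED")
            return ("deny", "bad-handshake")
        if state == "ESTABLISHED":
            if s.flags == "F":
                self.table[k] = "CLOSING"
                return ("permit", "CLOSING")
            return ("deny", "syn-in-established") if "S" in s.flags else ("permit", "ESTABLISHED")
        if s.flags == "A":                         # CLOSING: the final ACK retires the session
            del self.table[k]
            return ("permit", "CLOSED")
        return ("permit", "CLOSING")


def simulate(segments: List[Segment], listening: Set[Tuple[str, int]],
             half_open_limit: int = 3) -> List[Tuple[str, str]]:
    tracker = ConnTracker(listening, half_open_limit)
    return [tracker.process(s) for s in segments]


# Constructed trace: an outbound session, an unsolicited inbound probe, and a SYN burst at the web server.
LISTENING = {("192.168.1.10", 80)}
TRACE = [
    Segment("out", "192.168.1.20", 51000, "203.0.113.9", 80, "S"),    # client opens a session
    Segment("in", "203.0.113.9", 80, "192.168.1.20", 51000, "SA"),    # server answers
    Segment("in", "203.0.113.9", 80, "192.168.1.20", 51000, "A"),     # data flows
    Segment("in", "203.0.113.9", 80, "192.168.1.20", 51001, "A"),     # no such session: dropped
    Segment("in", "198.51.100.4", 40000, "192.168.1.10", 80, "S"),    # inbound to the exposed web server
    Segment("in", "198.51.100.4", 40001, "192.168.1.10", 80, "S"),
    Segment("in", "198.51.100.4", 40002, "192.168.1.10", 80, "S"),
    Segment("in", "198.51.100.4", 40003, "192.168.1.10", 80, "S"),    # fourth half-open: dropped
    Segment("in", "198.51.100.4", 40004, "192.168.1.10", 23, "S"),    # telnet is not exposed
]

if __name__ == "__main__":
    for seg, (verdict, note) in zip(TRACE, simulate(TRACE, LISTENING)):
        print(f"{verdict:6} {seg.direction:3} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} [{seg.flags}] {note}")
```

Compared with the stateless filter, no inbound port range has to be opened for replies: the SYN_SENT entry created by the client's own SYN is what admits the server's SYN/ACK and the data that follows. The half-open cap is deliberately crude; a real implementation would also time entries out, since a flooder's unanswered SYNs otherwise stay in the table forever.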

The firewall is an integral part of any security program, but it is not a security program in and of itself. Security involves data integrity (has it been modified?), service or application integrity, data confidentiality and authentication. Firewall security only addresses the issues of data integrity, confidentiality and authentication of data that is behind the firewall. Any data that transits outside the firewall is subject to factors outside the control of the firewall. It is therefore necessary for an organization to have a well-planned and strictly implemented security program that includes, but is not limited to, firewall protection.

Conclusion

The paper reinforces the principle that security technology alone will not solve all security problems. Responsible management of information is essential. One of Courtney's laws sums it up: "There are management solutions to technical problems, but no technical solutions to management problems".



