CSCE 201 Windows XP Firewalls Fall 2010

CSCE 201 Windows XP Firewalls Fall 2010. Reading Windows XP help and Support: search on “Firewall” Tony Bradley, CISSP-ISSAP, Windows XP SP2 Firewall,

Reading

Windows XP help and Support: search on “Firewall”

Tony Bradley, CISSP-ISSAP, Windows XP SP2 Firewall, Is It Sufficient To Replace 3rd-party Personal Firewalls?, About.com

CSCE 201 - Farkas 2

Traffic Control – Firewall

Brick wall placed between apartments to prevent the spread of fire from one apartment to the next

Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it

Firewall

Hardware device or a software application and generally is placed at the perimeter of the network

[Figure: diagram labeled Private Network, Firewall, External Network]

Firewall Objectives

Act as the gatekeeper for all incoming and outgoing traffic

[Figure: diagram labeled Private Network, External Network, Proprietary data, External attacks]

Firewall Rules

Restrict access to certain IP addresses or domain names

Block certain types of traffic by blocking the TCP/IP ports they use

Four basic approaches:
– packet-filtering
– circuit-level gateway
– proxy server
– application gateway

Packet Filter

Intercepts all traffic to and from the network

Evaluates it against the firewall rules

Rules use: source IP address, source port, destination IP address and destination port

Circuit-level Gateway

Blocks all incoming traffic to any host but itself

Internally: the client machines establish a connection with the circuit-level gateway

Outside world: all communication from your internal network seems to originate from the circuit-level gateway

Proxy Server

Boosts the performance of the network

Hides the internal network topology (all communications appear to originate from the proxy server itself)

Caches pages that have been requested to improve speed

Filters traffic based on traffic info, ports and content

Application Gateways: application specific proxy server

Comparing Firewalls

Filtering capability:
– Packet filters: packet header information only
– Application gateways: packet header and data content, application specific info

Speed of detection
– Packet filters: generally fast and uses limited resources
– Application gateways: slower and uses more resources

Use of traffic history
– Packet filters: generally stateless (New systems: stateful packet filters)
– Application gateways: generally stateful

Home Users

Home routers:
– Come with built-in firewall
– Generally simple packet filters

Can block all incoming connections on all ports if desired

Open connections as needed

Examples:
– Publish a web page from your computer: allow incoming traffic on Port 80
– Download files from outside using FTP: allow incoming connections on Port 21
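
Added example (not part of the original slides): a small Python model of the packet filter described earlier, matching on source IP, source port, destination IP and destination port, with a stateful variant to illustrate the stateless/stateful comparison. The home network addresses, rule sets and all names in the code are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    src_net: str = "0.0.0.0/0"
    src_port: Optional[int] = None   # None matches any port
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, p):
        return (ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))

def stateless_filter(rules, packet):
    """Header fields only: first matching rule wins, default is block."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "block"

class StatefulFilter:
    """Same rules plus a table of connections opened from the inside."""
    def __init__(self, rules, inside_net):
        self.rules, self.inside = rules, ip_network(inside_net)
        self.connections = set()
    def check(self, p):
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "allow"           # reply to traffic we saw leave
        action = stateless_filter(self.rules, p)
        if action == "allow" and ip_address(p.src_ip) in self.inside:
            self.connections.add(tuple(p))
        return action

# Constructed home network (assumption): 192.168.1.0/24, web page on .10
INSIDE = "192.168.1.0/24"
RULES = [Rule("allow", src_net=INSIDE),                          # outbound
         Rule("allow", dst_net="192.168.1.10/32", dst_port=80)]  # port 80 in
LOOSE = RULES + [Rule("allow", src_port=443, dst_net=INSIDE)]    # "let replies in"
OUT = Packet("192.168.1.20", 50000, "203.0.113.5", 443)
REPLY = Packet("203.0.113.5", 443, "192.168.1.20", 50000)
PROBE = Packet("203.0.113.9", 443, "192.168.1.20", 50000)        # unsolicited
WEB = Packet("198.51.100.7", 40000, "192.168.1.10", 80)
```

With RULES alone the stateless filter blocks REPLY; the LOOSE rule set lets REPLY in but also admits the unsolicited PROBE, because a header-only rule cannot tell them apart. StatefulFilter allows REPLY only after OUT has been seen and still blocks PROBE.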

Windows Firewalls

In Microsoft Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default

You can install and run any firewall that you choose

If you choose to install and run another firewall, turn off Windows Firewall

Functionality

Help block computer viruses and worms from reaching your computer

Ask for your permission to block or unblock certain connection requests

Allow you to create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer

Not Supported

Detect or disable computer viruses and worms if they are already on your computer

Stop you from opening e-mail with dangerous attachments

Block spam or unsolicited e-mail from appearing in your inbox

To turn Windows Firewall on or off

Must be logged on as an administrator

To open Windows Firewall: click Start, click Control Panel, click Network and Internet Connections, and then click Windows Firewall

On the General tab, click one of the following:
– On (recommended)
– Exceptions tab
– Off (not recommended)

Firewall Settings

Exception Tab: when the firewall is turned on, some features of some types of programs are blocked
– Unblock features: list the program on the Exceptions tab in Windows Firewall

Advanced Options:
– Set Windows Firewall settings for individual connections
– Advanced tab, and then, under Network Connection Settings, click Settings

Risk of Exceptions

Exceptions make your computer more vulnerable

Intruders often use software that scans the Internet looking for computers with unprotected connections

Best Practices:
– Only allow an exception when you really need it
– Never allow an exception for a program that you don't recognize
– Remove an exception when you no longer need it

Add an Exception

Open Windows Firewall.

On the Exceptions tab, under Programs and Services, select the check box for the program or service that you want to allow, and then click OK.

If the program (or service) that you want to allow is not listed:
– Click Add Program.
– In the Add a Program dialog box, click the program that you want to add, and then click OK. The program will appear, selected, on the Exceptions tab, under Programs and Services.

Click OK.

Open a Port

Each port has a number. Many programs and services have predefined port numbers they use

Open Windows Firewall.

On the Exceptions tab, choose one of the following options:
– To open a port for a program or service, select the check box for the program or service
– To close a port for a program or service, clear the check box for the program or service

Exception vs. Opening Port

Adding an exception is preferable to opening a port
– It is easier to do
– You do not need to know which port number to use
– Adding an exception helps provide security, because the firewall is only open while the program is waiting to receive the connection

When to Block a Program?

Firewall is turned on: when a program on your computer attempts to accept connections from the Internet or a network, the firewall blocks the program from doing this and displays a message giving you the option to unblock the program

Options:
– Keep Blocking
– Unblock
– Ask Me Later

Firewall Settings

Apply to every user who logs on to the computer

The message might be hidden behind the program: minimize or close the program

Messages can be disabled by using Windows Firewall: Exceptions tab, clear the Display a notification when Windows Firewall blocks a program check box (not recommended)

If Don't allow exceptions is selected on the General tab, you will not receive this message

3rd party firewalls

From: Tony Bradley, CISSP-ISSAP, Windows XP SP2 Firewall, Is It Sufficient To Replace 3rd-party Personal Firewalls?

Windows Firewall is much better than its Internet Connection Firewall (ICF) predecessor

Still no match for a 3rd-party personal firewall solution

Shortcomings of Windows Firewall

Windows: does not monitor or block outbound traffic

3rd party: monitors which programs attempt to initiate outbound communications and either alerts the user or blocks the traffic when suspicious activity occurs

Windows: relies on APIs which can be disabled

3rd party: Cannot be disabled without uninstalling

Windows or 3rd party?

Use Windows and 3rd party firewalls together?
– No
– Complicates setting and may create additional vulnerabilities

Is SP2 of Windows sufficient?
– For most home users: yes
– For advanced home users: may not be enough

Top 3rd Party Firewalls

Ranging in price between FREE and $50 on average
– ZoneAlarm Pro 5
– PC-Cillin 2004 Internet Security
– Norton Personal Firewall 2005
– McAfee Personal Firewall 6.0 2005

Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security totally relies on host security and all hosts must communicate to achieve high level of security – almost impossible

Firewall Advantages

Protection for vulnerable services

Controlled access to site systems

Concentrated security

Enhanced Privacy

Logging and statistics on network use, misuse

Policy enforcement

Firewall Disadvantages

Restricted access to desirable services

Large potential for back doors

No protection from insider attacks

No protection against data-driven attacks

Cannot protect against newly discovered attacks – policy/situation dependent

Large learning curve

Firewall Evaluation

Level of protection on the private network?
– Prevented attacks
– Missed attacks
– Amount of damage to the network

How well the firewall is protected?
– Possibility of compromise
– Detection of the compromise
– Effect of compromise on the protected network

Ease of use

Efficiency, scalability, redundancy

Expense