Firewall and Internet Access

Page 1: Firewall and Internet Access

• A mechanism that (1) controls Internet access and (2) handles the problem of screening a particular network or organization from unwanted communication.

• It helps in preventing outsiders from: (1) obtaining information, (2) changing information, (3) disrupting communication on an organization's internet.

Page 2: Firewall Construction

• An organization's internet can have multiple external connections.

• It must form a security perimeter by installing a firewall at each external connection.

• All firewalls must be configured to use exactly the same access restrictions for the perimeter to be effective.

Page 3: Firewall Implementation and Packet Filters

• A firewall simply blocks all unauthorized communication between computers in an organization and computers outside the organization.

• The implementation depends on the network technology, the capacity of the connection, the traffic load, and the organization's policies.

• No single solution works for all organizations.

• Firewall systems are designed to be configured.

• The mechanism, called a packet filter, requires the manager to specify how the router should dispose of each datagram.

• Router vendors are free to choose the capabilities of their packet filter and the interface used to configure it.

Page 4: Example

• Block incoming datagrams destined for:

  • FTP (TCP port 21)

  • TELNET (TCP port 23)

  • TFTP (UDP port 69)

• Block outgoing datagrams:

  • Originating from any host with an address like 128.5.0.0 and destined for a mail server (TCP port 25)

Page 5: Three reasons why a packet filter is not an effective firewall

• (1) The number of well-known ports is large and growing rapidly; the manager is required to update the list frequently.

• (2) Much of the traffic does not travel to or from a well-known port. E.g. RPC assigns a port number dynamically.

• (3) Tunneling can circumvent security if a host or a router on the inside agrees to accept encapsulated datagrams from an outsider.

Page 6: How can a firewall use a packet filter effectively?

• Instead of specifying the datagrams that should be filtered, a firewall should be configured to block all datagrams except those destined for specific networks, hosts, and protocol ports for which external communication has been approved.

• Many packet filters allow a manager to specify a set of datagrams to admit instead of a set of datagrams to block.
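The contrast between pages 4 and 6, as an added example that is not part of the original slides: a stateless packet filter evaluated once with the block-list rules from the Page 4 example and once with a default-deny allow list. The addresses, the /16 prefix for the 128.5.0.0 network, and the set of approved servers are constructed assumptions; the point shown is that a service on a dynamically assigned port (reason 2 on Page 5) passes the block list but not the allow list.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Datagram(NamedTuple):
    direction: str   # "in" = arriving from outside, "out" = leaving the organization
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Block-list policy from the Page 4 example: everything passes unless a rule matches.
# Fields: (direction, protocol, source network or None for any, destination port)
BLOCK_RULES = [
    ("in",  "tcp", None,           21),   # FTP
    ("in",  "tcp", None,           23),   # TELNET
    ("in",  "udp", None,           69),   # TFTP
    ("out", "tcp", "128.5.0.0/16", 25),   # mail from the 128.5.0.0 network (prefix length assumed)
]

def block_list_filter(d: Datagram) -> bool:
    """Admit unless a block rule matches."""
    for direction, proto, src_net, dport in BLOCK_RULES:
        if (d.direction, d.proto, d.dport) != (direction, proto, dport):
            continue
        if src_net is None or ip_address(d.src) in ip_network(src_net):
            return False
    return True

# Allow-list policy (Page 6): deny everything except approved network/host/port combinations.
# Addresses are constructed for the example; 128.5.0.0/16 stands for the organization.
ALLOW_RULES = [
    ("in",  "tcp", "0.0.0.0/0",    "128.5.1.10/32", 80),   # public web server (assumed)
    ("in",  "tcp", "0.0.0.0/0",    "128.5.1.20/32", 25),   # organization's mail server (assumed)
    ("out", "tcp", "128.5.0.0/16", "0.0.0.0/0",     80),   # inside clients may contact web servers
]

def allow_list_filter(d: Datagram) -> bool:
    """Admit only if an allow rule matches; anything else is dropped."""
    for direction, proto, src_net, dst_net, dport in ALLOW_RULES:
        if ((d.direction, d.proto, d.dport) == (direction, proto, dport)
                and ip_address(d.src) in ip_network(src_net)
                and ip_address(d.dst) in ip_network(dst_net)):
            return True
    return False

def compare(d: Datagram) -> tuple:
    """(block-list verdict, allow-list verdict) for one datagram; True means admitted."""
    return block_list_filter(d), allow_list_filter(d)
```

Note that a reply to an inside client's outgoing web request is admitted by the block list but dropped by the allow list, because the client's ephemeral destination port is not approved; that is the problem Page 7 describes.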

Page 7: Stateful Firewalls

• A firewall prevents an arbitrary computer inside the firewall from becoming a client that accesses a service outside the firewall.

• When a client program begins execution, it requests the operating system to select a protocol port number that is neither among the well-known ports nor currently in use on the client's computer.

• The firewall will not block such datagrams as they leave. When the server generates a response, it reverses the protocol ports: the client's port becomes the destination port and the server's port becomes the source port. When the datagram carrying the response reaches the firewall, however, it will be blocked because the destination port is not approved.

• The solution to this problem lies in the stateful firewall.

Page 8: Stateful Firewalls (cont.)

• The firewall watches outgoing connections and adapts the filter rules to accommodate reply packets.

• E.g. a client with source IP address I1 and TCP port P1 connects to a web server with IP address I2 at port P2 = 80. The outgoing SYN segment that initiates the connection passes through the firewall, which records the tuple (I1, P1, I2, P2).

• When the server returns SYN + ACK, the firewall matches the two endpoints against the stored tuple and admits the incoming segment.

Page 9: How should state be managed in a stateful firewall?

• Two broad approaches:

• 1. Soft state: the firewall sets a timer that removes inactive state information after a timeout period.

• 2. Connection monitoring: the firewall watches packets on the flow and removes the state information when the flow terminates (i.e. the connection is closed).

• Note: soft state is usually a backup to handle cases such as a UDP flow, which has no explicit termination.
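The tuple tracking of Page 8 together with both state-management approaches of Page 9, as an added example rather than code from the original slides: outgoing flows record (I1, P1, I2, P2), replies are matched with the ports reversed, connection monitoring drops TCP entries on FIN or RST, and a soft-state timer expires idle entries so UDP flows do not linger. The timeout value, the one-sided FIN handling, and the addresses used in the usage are constructed assumptions.

```python
from typing import Dict, FrozenSet, NamedTuple, Tuple

class Segment(NamedTuple):
    direction: str                 # "out" = leaving the organization, "in" = arriving from outside
    proto: str                     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}

Key = Tuple[str, int, str, int]    # (I1, P1, I2, P2) as recorded on the outgoing SYN

class StatefulFirewall:
    """Default-deny inbound; inside hosts may open flows outward and replies are admitted
    only while a matching tuple is held. Simplification (assumed): a flow leaves the table
    on the first FIN or RST seen from outside, not after the full two-sided TCP close."""

    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout    # soft-state timeout in seconds (assumed value)
        self.table: Dict[Key, float] = {}   # tuple -> time of the last matching packet

    def _expire(self, now: float) -> None:
        # Soft state: a timer removes entries that have been idle longer than the timeout.
        for key, last in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[key]

    def tracked(self) -> int:
        return len(self.table)

    def process(self, s: Segment, now: float) -> bool:
        """Return True if the segment is admitted."""
        self._expire(now)
        if s.direction == "out":
            key: Key = (s.src, s.sport, s.dst, s.dport)
            # A new flow starts with a TCP SYN or any UDP datagram; later packets refresh the timer.
            if s.proto == "udp" or "SYN" in s.flags or key in self.table:
                self.table[key] = now
            if "RST" in s.flags:
                self.table.pop(key, None)        # connection monitoring: aborted by the inside host
            return True
        # A reply carries the ports reversed, so match (dst, dport, src, sport) against the table.
        key = (s.dst, s.dport, s.src, s.sport)
        if key not in self.table:
            return False                          # unsolicited inbound packet: blocked
        self.table[key] = now
        if s.flags & {"FIN", "RST"}:
            del self.table[key]                   # connection monitoring: flow terminated
        return True
```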

Page 10: Monitoring and Logging

• Monitoring is one of the most important aspects of firewall design.

• Unless a firewall reports incidents, a manager may be unaware of problems.

• Monitoring is of two types: active and passive.

• (1) Active monitoring: a firewall notifies a manager whenever an incident occurs.

• Advantage: speed. A manager finds out about a potential problem immediately.

• Disadvantage: too much information. A manager cannot comprehend it all.

Page 11: Monitoring and Logging (cont.)

• (2) Passive monitoring: a firewall logs a record of each incident in a file on disk.

• It usually records information about normal traffic as well as the datagrams that are filtered.

• A manager can access the log at any time.

• Advantage: a record of events. A manager can consult the log to observe trends and, when a security problem occurs, review the history of events that led to the problem.

• A manager can analyze the log periodically to determine whether attempts to access the organization increase or decrease over time.