Firewalls: In this section we will take a look at the three basic types of firewalls - packet filters, proxy firewalls and stateful inspection firewalls - and at the pros and cons of each.
Packet filters: These are basically screening routers that control the flow of data in and out of a network by looking only at information in the packet headers:
- Source address
- Destination address
- Protocol used for transferring the data and, for TCP and UDP, the source and destination port numbers (this is how a rule can name a service such as HTTP or Telnet)
The firewall is programmed to allow or deny traffic based on the protocol and the source and destination addresses. Rules are evaluated in order and the first one that matches decides, which is why the last rule is a catch-all. A policy could look something like this:
| Source Interface | Source Address | Destination Interface | Destination Address | Protocol | Action | Comments |
| External | 10.1.1.0/24 | Internal | ANY | ANY | DROP | Anti-spoofing rule |
| External | ANY | Internal | 10.1.1.11 | HTTP | ACCEPT | Inbound HTTP to web server |
| Internal | 10.1.1.11 | External | ANY | HTTP | ACCEPT | Outbound HTTP (web server replies) |
| Internal | 10.1.1.0/24 | External | ANY | Telnet | ACCEPT | Outbound Telnet |
| External | ANY | Internal | ANY | ANY | DROP | Drop all not explicitly allowed |
Packet filters are efficient and cost effective, since a single screening router can protect an entire network by acting as a choke point. They are effective against certain attacks such as simple IP spoofing: a rule that drops all traffic arriving on the external interface with a source address from the internal network (the anti-spoofing rule above) defeats an outside attacker forging internal addresses. Another advantage is availability, since most routers come with basic packet filtering capability.
However, their filtering is limited to what the network and transport layer headers provide: addresses, protocol and port numbers. They cannot inspect the data within the packet, so a packet carrying malicious data to a permitted port passes straight through. Another disadvantage is that partial filtering is not possible: you cannot write a rule that allows only a specific user to connect to the FTP server, or that permits only specific files to be transferred. Because the filter keeps no state, replies to permitted outbound connections must themselves be allowed by explicit rules, which tends to force broad rules. Finally, an incorrectly configured packet filter silently opens security holes in the network.
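To make the first-match semantics concrete, here is the policy table above encoded as a stateless packet filter. This is an added example in Python, not code from the original page; the Packet/Rule structures, the 203.0.113.0/24 "outside" addresses and the sample packets are all constructed for the demonstration. It also shows the caveat from the previous paragraph: because nothing remembers the outbound Telnet connection, the server's reply has no rule to match and is dropped by the catch-all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet arrived on
    out_iface: str           # interface the routing lookup chose for it
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    in_iface: str            # "external", "internal" or "any"
    src: str                 # CIDR or "any"
    out_iface: str
    dst: str                 # CIDR or "any"
    service: str             # "http", "telnet" or "any"
    action: str              # "accept" or "drop"
    comment: str


# Service names resolve to a transport protocol and its well-known port.
SERVICES = {"http": ("tcp", 80), "telnet": ("tcp", 23)}

# The policy table from the text, in the order the rules are evaluated.
POLICY: List[Rule] = [
    Rule("external", "10.1.1.0/24", "internal", "any", "any", "drop", "anti-spoofing"),
    Rule("external", "any", "internal", "10.1.1.11/32", "http", "accept", "inbound HTTP to web server"),
    Rule("internal", "10.1.1.11/32", "external", "any", "http", "accept", "outbound HTTP"),
    Rule("internal", "10.1.1.0/24", "external", "any", "telnet", "accept", "outbound telnet"),
    Rule("any", "any", "any", "any", "any", "drop", "drop all not explicitly allowed"),
]


def _iface_match(rule_iface: str, pkt_iface: str) -> bool:
    return rule_iface == "any" or rule_iface == pkt_iface


def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _service_match(service: str, pkt: Packet) -> bool:
    if service == "any":
        return True
    proto, port = SERVICES[service]
    # A stateless filter has no notion of "reply", so a service rule can only
    # match the well-known port at either end of the connection.
    return pkt.proto == proto and port in (pkt.sport, pkt.dport)


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, the way a screening router's access list works.
    Returns (action, comment of the rule that decided)."""
    for rule in policy:
        if (_iface_match(rule.in_iface, pkt.in_iface)
                and _iface_match(rule.out_iface, pkt.out_iface)
                and _addr_match(rule.src, pkt.src)
                and _addr_match(rule.dst, pkt.dst)
                and _service_match(rule.service, pkt)):
            return rule.action, rule.comment
    return "drop", "implicit default"


if __name__ == "__main__":
    # Constructed packets; 203.0.113.0/24 is a documentation range standing in for "outside".
    samples = {
        "spoofed SYN from outside": Packet("external", "internal", "10.1.1.5", "10.1.1.11", "tcp", 40000, 80),
        "inbound HTTP to web server": Packet("external", "internal", "203.0.113.7", "10.1.1.11", "tcp", 51000, 80),
        "web server reply": Packet("internal", "external", "10.1.1.11", "203.0.113.7", "tcp", 80, 51000),
        "inbound HTTP to other host": Packet("external", "internal", "203.0.113.7", "10.1.1.20", "tcp", 51000, 80),
        "outbound telnet": Packet("internal", "external", "10.1.1.20", "203.0.113.9", "tcp", 40001, 23),
        "telnet reply from outside": Packet("external", "internal", "203.0.113.9", "10.1.1.20", "tcp", 23, 40001),
    }
    for name, pkt in samples.items():
        action, why = evaluate(POLICY, pkt)
        print(f"{name:28s} -> {action:6s} ({why})")
```

The last sample is the practical lesson: the table permits outbound Telnet but nothing admits the server's reply, so on a stateless filter you would have to add a rule such as "External, ANY, Internal, 10.1.1.0/24, source port 23, ACCEPT", and that rule lets in anything an attacker chooses to send from port 23.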
Proxy Firewalls: These firewalls work as transfer agents between the internal host and the external server. The idea is to protect the internal host from ever being directly exposed to the outside world. The proxy accepts a connection request from the internal host and, if policy allows it, opens a second, separate connection to the external server using its own IP address as the source. It maintains a table relating each internal connection to the corresponding outbound connection, so that when a response arrives from the external server it can be relayed to the appropriate internal host. The external server therefore only ever sees the proxy's address, never the internal host's.
There are two types of proxy firewalls: circuit-level proxies and application-level proxies.
Circuit-level proxies: A circuit-level proxy creates a circuit (connection) between the internal host and the outside server by acting as an agent, without interpreting the application-level information. It is more like a packet filter with the ability to hide the client. The advantage of circuit-level proxies is that they can be used with a large number of protocols, since they do not have to understand the application protocol. The disadvantage is that once a connection is established, any data, malicious or not, can be sent through it unexamined.
Application-level proxies: Also known as an Application Gateway or Application Firewall, it performs all the basic functions of the circuit-level proxy with better traffic monitoring. The application gateway understands the higher layers of the TCP/IP stack up to the application layer. The features of an application-level proxy can be summarized as follows:
- It does not allow a direct connection between an internal host and an external server under any circumstances.
- It can understand and interpret the commands in the payload portion of the packets, which even stateful inspection firewalls are not able to do.
- It provides a robust authentication and logging mechanism.
Although considered the most secure and advanced type of firewall, they still have some limitations:
- You may need a different proxy for each protocol.
- Certain protocols may not be supported at all.
- A large amount of information from a large number of packets has to be analyzed, which can lead to high processing time and overhead.
In general proxy firewalls provide reliable security with good logging mechanisms. They however suffer from the following disadvantages:
- Not all applications are designed to use a proxy
- The proxy setup can be complicated
- They usually require modified clients and/or modified procedures
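The difference between the two proxy types comes down to what the proxy does with the bytes before it opens the second connection. The following is an added example in Python, not code from the original page: a single-request proxy on loopback with two interchangeable policy hooks, a circuit-level one that relays whatever it receives and an application-level one that parses the HTTP request line and allows only GET and HEAD. The fake upstream server, the loopback addresses and the sample requests are constructed for the demonstration; it also records the address the upstream server sees, which is the proxy's outbound socket rather than the client's.

```python
import socket
import threading
from typing import Callable, Dict, Tuple

Check = Callable[[bytes], bool]


def circuit_level_check(first_bytes: bytes) -> bool:
    """Circuit-level proxy: relays the connection as-is and never interprets
    the payload, so any bytes the client sends go through."""
    return True


ALLOWED_METHODS = ("GET", "HEAD")


def application_level_check(first_bytes: bytes) -> bool:
    """Application-level (HTTP) proxy: understands the request line and lets
    only well-formed GET/HEAD requests for an absolute path through."""
    try:
        request_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False
    return (method in ALLOWED_METHODS
            and target.startswith("/")
            and version in ("HTTP/1.0", "HTTP/1.1"))


def listen_loopback() -> socket.socket:
    """Constructed helper: listening TCP socket on 127.0.0.1, ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(2)
    return s


def proxy_one_request(listener: socket.socket, upstream_addr: Tuple[str, int],
                      check: Check, record: Dict[str, object]) -> None:
    """Accept one client, apply the policy hook to its first read and, only if
    it passes, open a *separate* connection to the upstream server from the
    proxy's own address and relay the reply. The client never reaches upstream."""
    try:
        client, _ = listener.accept()
    except socket.timeout:
        return
    with client:
        client.settimeout(2)
        request = client.recv(4096)
        if not check(request):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        with socket.create_connection(upstream_addr, timeout=2) as upstream:
            record["proxy_outbound"] = upstream.getsockname()
            upstream.sendall(request)
            client.sendall(upstream.recv(4096))


def upstream_once(listener: socket.socket, record: Dict[str, object]) -> None:
    """Constructed origin server: notes who connected and echoes the request in a 200."""
    try:
        conn, peer = listener.accept()
    except socket.timeout:
        return
    record["upstream_peer"] = peer
    with conn:
        conn.settimeout(2)
        body = conn.recv(4096)
        conn.sendall(b"HTTP/1.1 200 OK\r\n\r\n" + body)


def send_through_proxy(check: Check, request: bytes) -> Tuple[bytes, Dict[str, object]]:
    """Wire up upstream and proxy on loopback, send `request` as the internal
    client and return (response, record) where record holds the client's own
    address, the proxy's outbound address and the peer the upstream saw."""
    upstream_l, proxy_l = listen_loopback(), listen_loopback()
    record: Dict[str, object] = {}
    threads = [
        threading.Thread(target=upstream_once, args=(upstream_l, record), daemon=True),
        threading.Thread(target=proxy_one_request,
                         args=(proxy_l, upstream_l.getsockname(), check, record), daemon=True),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_l.getsockname(), timeout=2) as client:
        record["client"] = client.getsockname()
        client.sendall(request)
        response = client.recv(4096)
    for t in threads:
        t.join(3)
    upstream_l.close()
    proxy_l.close()
    return response, record


if __name__ == "__main__":
    for check in (circuit_level_check, application_level_check):
        resp, rec = send_through_proxy(check, b"DELETE /index.html HTTP/1.1\r\n\r\n")
        print(check.__name__, resp.split(b"\r\n")[0],
              "| client:", rec["client"], "| upstream saw:", rec.get("upstream_peer"))
```

Run stand-alone, the circuit-level hook passes the DELETE through and the upstream sees the proxy's outbound port, while the application-level hook answers 403 and the upstream is never contacted. The point the text makes about "one proxy per protocol" is visible here too: application_level_check is HTTP-specific and would have to be rewritten for FTP or SMTP, whereas circuit_level_check works for anything.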
Stateful Inspection Firewalls: Traffic decisions are made not only by looking at the packet headers but also by correlating incoming traffic with the earlier outgoing requests, with the help of a dynamic state table. The state table keeps a record of past communications, such as a request for a particular file made by an internal host, together with the source and destination addresses, port numbers and so on. This record is called a state. When the external server responds with the file, the firewall looks the packet up in the state table to decide whether such a request had been made; if it had, the packet is allowed in, otherwise it is discarded. Of course this is subject to all the other security criteria being met.
For example, the policy can simply be that outgoing connections are permitted while incoming traffic is dropped unless it belongs to a connection an internal host specifically requested. Unsolicited inbound probes such as port scans are then dropped at the firewall without needing a rule for each port.
Disadvantages:
- No application level security is provided.
- Full connection tracking is only possible for connection-oriented protocols such as TCP; for connectionless protocols such as UDP and ICMP the firewall can only keep a timer-based pseudo-state keyed on addresses and ports.
- Stateful inspection firewalls do not look at packets as closely as an application gateway does, and they do not verify that the payload actually conforms to the protocol the port implies.
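The state table and the lookup described above, as an added example in Python that is not code from the original page. It tracks TCP through SYN_SENT, ESTABLISHED and CLOSING and, going slightly beyond the text, shows the UDP pseudo-state from the second disadvantage: a UDP "reply" is admitted only while a timer started by the outbound datagram is still running. The 10.1.1.0/24 internal network, the 203.0.113.0/24 outside addresses, the timeouts and the packet sequence are all constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags present: SYN, ACK, FIN, RST


FlowKey = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport) as first seen


@dataclass
class Entry:
    status: str       # "SYN_SENT", "ESTABLISHED", "CLOSING" or "UDP" (pseudo-state)
    expires: float    # clock value after which the entry is garbage


# Constructed timeouts, in seconds of the caller-supplied clock.
TIMEOUTS = {"SYN_SENT": 60.0, "ESTABLISHED": 3600.0, "CLOSING": 10.0, "UDP": 30.0}


class StatefulFirewall:
    """Policy: hosts on the internal network may open connections outward;
    inbound packets are accepted only if the state table already holds the
    flow they belong to."""

    def __init__(self, internal_cidr: str) -> None:
        self.internal = ip_network(internal_cidr)
        self.table: Dict[FlowKey, Entry] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _expire(self, now: float) -> None:
        self.table = {k: e for k, e in self.table.items() if e.expires > now}

    def _touch(self, key: FlowKey, status: str, now: float) -> None:
        self.table[key] = Entry(status, now + TIMEOUTS[status])

    def filter(self, p: Packet, now: float) -> str:
        """Return "accept" or "drop" for packet p seen at clock value now."""
        self._expire(now)
        if ip_address(p.src) in self.internal:
            return self._outbound(p, now)
        return self._inbound(p, now)

    def _outbound(self, p: Packet, now: float) -> str:
        key = self._key(p)
        if p.proto == "udp":
            self._touch(key, "UDP", now)              # start/refresh the pseudo-state timer
        elif "RST" in p.flags:
            self.table.pop(key, None)                 # abort: forget the flow at once
        elif "FIN" in p.flags:
            self._touch(key, "CLOSING", now)          # let the close handshake finish
        elif "SYN" in p.flags and "ACK" not in p.flags:
            self._touch(key, "SYN_SENT", now)         # new connection attempt
        elif key in self.table:
            status = self.table[key].status
            if status == "SYN_SENT" and "ACK" in p.flags:
                status = "ESTABLISHED"                # third packet of the handshake
            self._touch(key, status, now)
        else:
            return "drop"   # TCP that is neither a SYN nor part of a tracked flow
        return "accept"

    def _inbound(self, p: Packet, now: float) -> str:
        key = self._reverse(p)
        entry = self.table.get(key)
        if entry is None:
            return "drop"   # unsolicited: port scans, SYN floods, replies to nothing
        if p.proto == "udp":
            self._touch(key, "UDP", now)
        elif "RST" in p.flags:
            self.table.pop(key, None)
        elif "FIN" in p.flags:
            self._touch(key, "CLOSING", now)
        elif "SYN" in p.flags and "ACK" not in p.flags:
            return "drop"   # a bare SYN can never be a reply, even on a tracked port pair
        else:
            self._touch(key, entry.status, now)       # SYN/ACK, ACK or data on a known flow
        return "accept"


if __name__ == "__main__":
    fw = StatefulFirewall("10.1.1.0/24")
    S = frozenset
    trace = [
        ("outbound telnet SYN", Packet("10.1.1.20", "203.0.113.9", "tcp", 40001, 23, S({"SYN"})), 0.0),
        ("server SYN/ACK", Packet("203.0.113.9", "10.1.1.20", "tcp", 23, 40001, S({"SYN", "ACK"})), 0.1),
        ("client ACK", Packet("10.1.1.20", "203.0.113.9", "tcp", 40001, 23, S({"ACK"})), 0.2),
        ("port scan SYN to 22", Packet("203.0.113.9", "10.1.1.20", "tcp", 50000, 22, S({"SYN"})), 0.3),
        ("DNS query out", Packet("10.1.1.20", "203.0.113.53", "udp", 53001, 53), 2000.0),
        ("DNS reply in time", Packet("203.0.113.53", "10.1.1.20", "udp", 53, 53001), 2010.0),
        ("late DNS 'reply'", Packet("203.0.113.53", "10.1.1.20", "udp", 53, 53001), 2100.0),
    ]
    for name, pkt, t in trace:
        print(f"t={t:7.1f} {name:22s} -> {fw.filter(pkt, t)}")
```

The lookup on the reversed tuple is the whole trick: the firewall needs no inbound rule for port 23 or port 53, yet the reply to each outbound request gets in and a scan of the same host from the same source does not. The timer-based UDP entry is also why the text's caveat matters: between the query and the timeout, anything sent from 203.0.113.53:53 to 10.1.1.20:53001 is accepted, whether or not it is a genuine answer.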