Firewalls and its types
1 Answer

Firewalls (Protects internal network from the external network)

  • A firewall is software running on a dedicated host computer on which no other application is run, to prevent someone from changing the firewall rules by exploiting the vulnerabilities of other applications that may be run on the host.

  • A firewall is as good as its configuration, depending on the needs of the admin.

  • Allowable or non-allowable traffic is typically identified by source/destination IP/network addresses and ports.

  • Filtering: Egress filtering (filter outgoing traffic); Ingress filtering (filter incoming traffic)

Typical Firewall designs:

  • Default-deny approach (white-list): Have a list of allowable traffic and block the rest.

  • Default-allow approach (black-list): Have a list of non-allowable traffic and allow the rest.

A good design needs to have a hybrid of these two approaches.

There are two types of firewall:

  • Packet filter
  • Application Gateway

1] Packet filter:-


A packet filter firewall is a stateless firewall that looks at only the packet headers to decide whether or not to drop a packet.

Stateless means it does not keep track of the decisions taken on any packet. The decision taken on a packet is independent of the decisions taken on the preceding packets.

The code for packet filters will become lengthy as we want to block traffic belonging to specific networks, IP addresses and transport layer protocols.

Thus, efficient filtering algorithms are needed.

  • The packet filter firewall applies a set of rules to each and every packet and, based on the rules, decides whether to accept or reject the packet.
  • It receives each packet and checks it against the rules.
  • Suppose the rule is to block all the packets coming from a port other than 80, then the firewall will block all the packets entering the internal system.


Attacks Detected by Packet Filters

IP Spoofing Attacks:

Have the packet filter configured not to let in packets having a source address that corresponds to the internal network. For example, the attacker has spoofed the source IP address to be the IP address of a machine belonging to the network being protected by the firewall.

Source routing attacks: The source specifies the route that a packet should take in order to bypass security measures. The filter should discard all source-routed packets.

Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into fewer separate fragments, to circumvent filtering rules that need full header information. The filter can enforce a minimum fragment size that includes the full header.

2] Application gateway:-


  • An application gateway firewall is also called a 'proxy server'.
  • The internal user first makes a request to the application gateway, such as HTTP, FTP, telnet, etc.
  • The application gateway will track the IP address of the user and provide access to the remote host on behalf of the user.
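
The stateless packet-filter checks described in the answer above (spoofed internal source address, source-routed packets, tiny fragments, then a default-deny port allow-list), as an added example that is not part of the original answer. The protected network `192.168.10.0/24`, the port allow-list and the `build` helper that constructs sample packets are assumptions made for illustration.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed protected network
ALLOWED_TCP_DPORTS = {80}       # assumed allow-list; everything else is denied
SOURCE_ROUTE_OPTS = {131, 137}  # IPv4 option types: LSRR, SSRR
MIN_TCP_HEADER = 20             # bytes needed to see ports and flags

def has_source_route(options: bytes) -> bool:
    """Walk the IPv4 options area looking for a source-route option."""
    i = 0
    while i < len(options) and options[i] != 0:      # 0 = End of Option List
        if options[i] == 1:                          # 1 = No-Operation, one byte
            i += 1
        elif options[i] in SOURCE_ROUTE_OPTS:
            return True
        elif i + 1 >= len(options) or options[i + 1] < 2:
            break                                    # malformed length, stop
        else:
            i += options[i + 1]
    return False

def filter_inbound(packet: bytes) -> str:
    """Stateless verdict for one packet arriving on the external interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DROP malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "DROP malformed"
    frag = struct.unpack("!H", packet[6:8])[0]
    offset, payload = frag & 0x1FFF, packet[ihl:]
    if ipaddress.ip_address(packet[12:16]) in INTERNAL_NET:
        return "DROP spoofed-source"     # internal address seen on the outside
    if has_source_route(packet[20:ihl]):
        return "DROP source-route"
    if packet[9] == 6:                   # TCP
        if offset == 1 or (offset == 0 and len(payload) < MIN_TCP_HEADER):
            return "DROP tiny-fragment"  # full TCP header not in first fragment
        if offset == 0 and struct.unpack("!H", payload[2:4])[0] in ALLOWED_TCP_DPORTS:
            return "ACCEPT"
    return "DROP default-deny"           # also drops later fragments (no ports visible)

def build(src, dport, options=b"", mf=False, offset=0, tcp_len=20):
    """Constructed sample packet; checksums left at zero, destination is made up."""
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)[:tcp_len]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0,
                      (0x2000 if mf else 0) | offset, 64, 6, 0,
                      ipaddress.ip_address(src).packed, bytes([192, 168, 10, 5]))
    return hdr + options + tcp
```

Each verdict depends only on the bytes of the packet in hand, which is what makes the filter stateless; the order of the checks means a spoofed or source-routed packet is dropped even when its destination port is on the allow-list.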