Computer Networks (CS425)

Instructor: Dr. Dheeraj Sanghi

Prev | Next | Index 

Firewalls

Introduction

This lecture discusses about security mechanisms in the Internet namely Firewall . In brief, It's a configuration of routers and networks placed between an organization's internal internet and a connection to an external internet to provide security. In other words, Firewall is a mechanism to provide limited access to machines either from the outside world to internal internet or from internal world to outside world. By, providing these security mechanisms, we are increasing the processing time before one can access a machine. So, there is a trade-off between security and ease of use. A firewall partitions an internet into two regions, referred to informally as the inside and outside.

                                                                                   __
                                                                                   |   | _________  Firewall
                  ______________________                     |   |             ____________________
                 |                                           |                     |   |             |                                      |
                 |                                           |                     |   |             |                                      |
                 |      Rest of Internet          |________     |   |_____   |      Intranet                   |
                 |                                           |                    |   |             |                                       |
                 |_____________________ |                    |   |             |___________________| 
                                                                                  |_|
                            Outside                                                                        Inside
 

Security Lapses

    So. whatever I provide for my security is called Firewall. It is a mechanism and not just a hardware or software.
 

Firewall Mechanisms

1. Network Policy : Here, we take into consideration, what services are allowed for outside and inside users and the services which are allowed can have additional restrictions. e.g.. I might be allowed to download things from the net but not upload i.e.. some outside users cannot download the things from our net. Some exceptional cases might be there which have to be handled separately. And if some new application comes up then , we choose an appropriate network policy.

2. Authentication mechanism  : An application can be designed which ask for a password for authentication.

3. Packet Filtering : Router have information about some particular packets which should not be allowed.

4. Application gateways : or proxy servers.
 

Certain Problems with Firewall

1. Complacency : There are lots of attacks on the firewall from internal users and therefore, it's limitations should be understood.

2. Encapsulated packets : An encapsulated packet is an IP packet within another IP packet. If we ask the router to drop encapsulated packets then, it will drop the multicast packets also.

3. Throughput :So, in order to check which packets are allowed and which are not, we are doing some processing which can be an overhead and thus affects throughput.
 

Authentication:

We can use the following mechanisms:

 

Packet Filtering :

Terms associated:

      Many commercial routers offer a mechanism that augments normal routing and permits a manager to further control packet processing. Informally called a packet filter, the mechanism requires the manager to specify how the router should dispose of each datagram. For example, the manager might choose to filter (i.e.. block) all datagrams that come from a particular source or those used by a particular application, while choosing to route other datagrams to their destination.

     The term packet filter arises because the filtering mechanism does not keep a record of interaction or a history of previous datagrams. Instead, the filter considers each datagrams separately. When a datagram first arrives, the router passes the datagram through its packet filter before performing any other processing. If the filter rejects the datagram, the router drops it immediately.

    For example, normally I won't allow TFTP, openwin, RPC, rlogin, rsh packets to pass through the router whether from inside or outside and router just discard these packets. But I might put some restrictions on telnet, ftp, http, and smtp packets in order to pass through the router and therefore some processing is to be done before discarding or allowing these packets.

    Because TCP/IP does not dictate a standard for packet filters, each router vendor is free to choose the capabilities of their packet filter as well as the interface the manager uses to configure the filter. Some routers permit a manager  to configure separate filter actions for each interface, while others have a single configuration for all interfaces. Usually, when specifying datagrams that the filter should block, a manager can list any combination of source IP address, destination IP address, protocol, source protocol port number, and destination protocol port number.
    So, these filtering rules may become more tricky with complex network policies.
 
    Since, Filtering rules are based on port numbers, there is a problem with RPC applications. First, the number of well-known ports is large and growing. Thus, a manager would need to update such a list continually because a simple error of  omission could leave the firewall vulnerable. Second, much of the traffic on an internet does not travel to or from a well-known port. In addition to programmers who can choose port numbers for their private client-server applications, services like Remote Procedure Call (RPC) assigns port dynamically. Third, listing ports of well-known services leaves the firewall vulnerable to tunneling, a technique in which one datagram is temporarily encapsulated in another for transfer across part of an internet.

 

Relay Software (proxies) :

I can run multiple proxy on same machine. They may detect misuse by keeping loops. For example, some machine give login to Ph.D.. students. So, in this case it's better to keep proxy servers than to give login on those machines. But the disadvantage with this is that there are two connections for each process.

                _________                                __________
                |                 |                               |                  |
                |    User     |_______________|  Proxy       |___________    Outside
                | ________|              1.             |_________ |            2.
 
 

Various Firewall Considerations

1. Packet Filtering Firewall
This is the simplest design and it is considered when the network is small and user don't run many Intranet applications.
                                                    __________
                                                    |                    |
                Intranet  __________|   Router      |__________   Internet
                                                    |________ _ |
                                                               |
                                                               |
                                                            Filter

2. Dual home gateway
This gives least amount of flexibility. Instead of router, we have application gateways.
                                                     ______________
                                                     | Application      |
                   Inside   ________ _ |       level            |___________   Outside
                                                     |      gateway      |
                                                     |____________  |
                                                            proxy
 
3. Sreened host Firewall
It's the combination of the above two schemes. Some applications are allowed uninterrupted while some have to be screened. For any reasonable size network, Screened host firewall can get loaded.

                                      _________                                                ___________
                                     |                  |                                               |                    |
       Inside  _________| Router 1  |_______________________ | Router 2     |______  Outside
                                     |_________|                    |                         |__________ |
                                                                    ____|______
                                                                    |                    |
                                                                    |    Proxy      |
                                                                    |__________|

The problem with this is that there is only one proxy and thus, it may get overloaded. Therefore, to reduce load, we can use multiple screened host firewalls. And this is what normally used.

                             _________                                                                __________
                            |                  |                                                              |                    |
     Inside  _____ | Router 1  |______________________________  | Router 2     |_____Outside
                            |_________|             |                                               |__________ |
                                                     ____|____
                                                    |                 |
                                                    | Proxy 1   |      Proxy2   .......
                                                    |________ |
 
 

Modem pool

User can dial and open only a terminal server but he has to give a password. But TELNET and FTP client does not understand proxy. Therefore, people come out with Transparent proxy which means that I have some memory which keeps track of whether this packet was allowed earlier or not and therefore, I need not check this time. Client does not know that there is somebody who is checking my authentication.
So, transparent proxy is used only for checking the IP packets whereas proxy is used when many IP addresses are not available.

Private IP (PIP address)
It is an extension of transparent proxy. Here we also change the IP address (source address) to one of the allocated IP address and send it. So, the client does not know that the IP address has been changed, only the proxy server knows it. The machine that changes the IP address is Network address translator (NAT) . NAT also changes other things like CRC, TCP header checksum  ( this is calculated using pseudo IP header). NAT can also change the port number.

    e.g..   Port address translation

                                                                     ____________ 
                                               X  -------|                       |
                                                                    |      NAT         |
                                               Y  -------|___________ |

                    X1 , P1   ---->     G1 , Pa   (IP address, port #)
                    X1 , P2   ---->     G1 , Pb
                     Y  , P3    ---->     G1, Pc

I may not like to have global IP address because then, anybody can contact me inspite of these security measures. So, I work with Private IP. In that case, there has to be a one-to-one mapping between private IP and global IP.



back to top
PrevNext | Index