What is a Firewall?

A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.
Hardware vs. Software Firewalls
Hardware Firewalls
Protect an entire network
Implemented on the gateway/router level
Usually more expensive, harder to configure
Software Firewalls
Protect a single computer
Usually less expensive, easier to configure
How Does a Software Firewall Work?
It inspects each individual packet of data as it arrives at either side of the firewall, inbound to or outbound from your computer, and determines whether the packet should be allowed to pass through or be blocked.

Firewall Rules
Allow: the traffic passes automatically because it has been deemed safe (e.g. Yahoo, Eudora, etc.).
Block: the traffic is blocked because it has been deemed dangerous to your computer.
Ask: the user is asked whether or not the traffic is allowed to pass through.

What Can a Personal Firewall Do?
Stops hackers from accessing your computer.
Protects your personal information.
Blocks pop-up ads and certain cookies.
Determines which programs can access the Internet.
What Can a Personal Firewall Not Do?
It cannot prevent e-mail viruses: only an antivirus product with updated definitions can prevent e-mail viruses.
After setting it up initially, you cannot forget about it: the firewall will require periodic updates to the rulesets and the software itself.
Examples of Personal Firewall Software
ZoneAlarm <www.zonelabs.com>
BlackICE Defender <http://blackice.iss.net>
Tiny Personal Firewall <www.tinysoftware.com>
Norton Personal Firewall <www.symantec.com>
Examples of Network Firewalls
Cisco PIX
Check Point
SonicWall
NetScreen
Limitations of a Firewall
The firewall cannot protect against attacks that bypass the firewall.
The firewall does not protect against internal threats.
The firewall cannot protect against the transfer of virus-infected programs or files.
Types of Firewall Techniques
Packet Filters
Packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).
A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.
A packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
When a packet originates from the sender and passes through a firewall, the device checks for matches to any of the packet-filtering rules configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port-number basis (GSS). For example, if a rule exists in the firewall to block telnet access, then the firewall will block traffic to TCP port 23.
[7]

Disadvantage:
The defined restriction is based solely on the outside host's port number, which we have no way of controlling. An attacker can therefore reach any internal machine and port by originating the connection from port 25 on the outside machine.

Proxy Firewalls
The firewall runs a set of proxy programs.
Proxies filter incoming and outgoing packets.
All incoming traffic is directed to the firewall.
All outgoing traffic appears to come from the firewall.
Policy is embedded in the proxy programs.
Two kinds of proxies:
Application-level gateways/proxies, tailored to HTTP, FTP, SMTP, etc.
Circuit-level gateways/proxies, working at the TCP level.

Firewalls - Application Level Gateway (or proxy server)

Has full access to the protocol:
o the user requests a service from the proxy
o the proxy validates the request as legal, then actions the request and returns the result to the user
An application-level gateway, also called a proxy server, acts as a relay of application-level traffic. The application-level gateway is service specific: a separate proxy is needed for each service (SMTP, Telnet, etc.).

Circuit Level Gateway

It does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections. Once the TCP connections are established, the gateway relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed; once a connection is created, the gateway usually relays its traffic without examining the contents.
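The two gateway types above, shown side by side as an added Python example (not code from the original notes): a circuit-level gateway that decides at connection setup and then relays segments without examining them, beside an application-level SMTP proxy that understands the protocol and validates each command before forwarding it. The "TCP connections" are plain lists so nothing opens a socket; the hosts, ports, the SMTP subset accepted by the proxy and the sample client session are all constructed for this example.

```python
"""Circuit-level vs application-level gateway, simulated in memory.

Added example: the two TCP connections a gateway sets up are represented by
Python lists, so nothing here opens a socket.  Hosts, ports and the SMTP
subset below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CircuitLevelGateway:
    """Decides once, at setup, whether the circuit is allowed; afterwards it
    copies segments from one connection to the other without looking inside."""
    allowed_dst_ports: frozenset = frozenset({25, 80, 443})
    relayed: list = field(default_factory=list)   # segments passed to the server
    log: list = field(default_factory=list)

    def connect(self, client_host: str, dst_host: str, dst_port: int) -> bool:
        allowed = dst_port in self.allowed_dst_ports
        self.log.append(f"circuit {client_host} -> {dst_host}:{dst_port}: "
                        f"{'allowed' if allowed else 'denied'}")
        return allowed

    def relay(self, segment: str) -> str:
        self.relayed.append(segment)   # contents are not examined
        return segment


# Application-level proxy for a subset of SMTP: because it understands the
# protocol it can check that each request is legal before relaying it.
_ADDR = r"<[^<>@\s]+@[^<>@\s]+>"
SMTP_GRAMMAR = {
    "HELO": re.compile(r"^HELO [A-Za-z0-9.-]+$", re.IGNORECASE),
    "MAIL": re.compile(rf"^MAIL FROM:{_ADDR}$", re.IGNORECASE),
    "RCPT": re.compile(rf"^RCPT TO:{_ADDR}$", re.IGNORECASE),
    "DATA": re.compile(r"^DATA$", re.IGNORECASE),
    "QUIT": re.compile(r"^QUIT$", re.IGNORECASE),
}
REPLY = {"HELO": "250 OK", "MAIL": "250 OK", "RCPT": "250 OK",
         "DATA": "354 start mail input", "QUIT": "221 closing"}


@dataclass
class SmtpApplicationGateway:
    forwarded: list = field(default_factory=list)  # commands relayed to the server
    log: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Validate one client command and return the proxy's response."""
        verb = line.split(" ", 1)[0].upper()
        pattern = SMTP_GRAMMAR.get(verb)
        if pattern is None:
            self.log.append(f"rejected unknown command {line!r}")
            return "500 command not recognised"
        if not pattern.match(line):
            self.log.append(f"rejected malformed command {line!r}")
            return "501 syntax error in parameters"
        self.forwarded.append(line)          # legal: relay it to the real server
        return REPLY[verb]


# Constructed client session: two of the six commands are not legal.
SAMPLE_COMMANDS = [
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "VRFY root",                      # verb the proxy does not allow
    "RCPT TO:<bob@example.org>",
    "RCPT TO: bob@example.org",       # malformed: address not in angle brackets
    "QUIT",
]


def run_session(commands, dst_port=25):
    """Push the same commands through both gateways and return what each one
    let through: (circuit_relayed, app_forwarded, app_responses)."""
    circuit = CircuitLevelGateway()
    if circuit.connect("10.0.0.5", "203.0.113.10", dst_port):
        for cmd in commands:
            circuit.relay(cmd)
    app = SmtpApplicationGateway()
    responses = [app.handle(cmd) for cmd in commands]
    return circuit.relayed, app.forwarded, responses


if __name__ == "__main__":
    relayed, forwarded, responses = run_session(SAMPLE_COMMANDS)
    print("circuit gateway relayed", len(relayed), "commands unexamined")
    print("application gateway forwarded:", forwarded)
    print("application gateway replies:", responses)
```

The circuit gateway relays all six commands because its only control point is the connection decision, while the application gateway forwards four and answers the unknown and malformed commands itself; that is the trade-off the notes describe, one generic relay per TCP circuit against one protocol-aware proxy per service.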
Stateful Packet Inspection Firewall
This technology is generally referred to as stateful packet inspection because the firewall maintains records of all connections passing through it and is able to determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria that trigger specific rules.
This type of firewall can be exploited by certain denial-of-service attacks that fill the connection table with illegitimate connections.
Combines the speed and flexibility of packet filters with the application-level security of application proxies.
Maintains a record of pending connections.
Can look into the data of certain packet types.
Can reject incorrectly formatted commands or requests.
Can only look for specific strings within the data portion of a packet.
[Figure: SPI Algorithm flowchart. A packet arrives on a firewall interface and passes through three decisions: is the packet part of an existing flow?; after examination against the ruleset, is the packet permitted by the ruleset?; after examination of its contents for specific content, are the packet contents permitted by policy? A "No" answer leads to dropping or rejecting the packet and logging; reaching the end leads to forwarding the packet toward its final destination, updating the session table and logging.]
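The packet-filter weakness described under "Disadvantage" above and the stateful inspection logic of this section, shown together as an added Python example (not code from the original notes): a stateless filter that admits any inbound packet with source port 25, beside a stateful firewall that keeps a bounded session table, classifies each packet as part of an existing flow, a new connection or invalid, and looks for specific strings in payloads, logging every decision. The hosts, ports, rule objects, forbidden string and session cap are constructed assumptions of this example.

```python
"""Stateless packet filter vs stateful packet inspection (SPI), simulated.

Added example, not from the original notes.  Hosts and ports are constructed:
10.0.0.0/8 plays the inside network, 203.0.113.0/24 the outside.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # set on the first segment of a TCP connection
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # None matches anything
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)


def first_match(rules, p: Packet) -> str:
    """Stateless filter: first matching rule wins, no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# The rule from the "Disadvantage" passage: inbound packets are admitted
# purely because their source port is 25, a value the outside host controls.
STATELESS_INBOUND = [Rule("allow", sport=25)]

# Stateful policy for *new* connections: the inside host may open connections
# to outside port 25; everything else must belong to an existing session.
NEW_CONNECTION_POLICY = [Rule("allow", src="10.0.0.5", dport=25)]


class StatefulFirewall:
    """Follows the SPI flowchart: existing flow? -> ruleset check for new
    flows -> content check -> forward (updating the session table) or drop."""

    def __init__(self, policy, max_sessions=1000, forbidden=(b"/etc/passwd",)):
        self.policy = policy
        self.max_sessions = max_sessions   # a bounded table limits DoS damage
        self.forbidden = forbidden         # specific strings sought in payloads
        self.sessions = set()              # 4-tuples of allowed connections
        self.log = []

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def _existing(self, p):
        return (self._key(p) in self.sessions
                or (p.dst, p.dport, p.src, p.sport) in self.sessions)

    def _content_ok(self, p):
        return not any(s in p.payload for s in self.forbidden)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if self._existing(p):
            verdict = "forward" if self._content_ok(p) else "drop"
            self.log.append(f"existing flow {key}: {verdict}")
        elif not p.syn:
            verdict = "drop"
            self.log.append(f"invalid packet (no session, not SYN) {key}: drop")
        elif first_match(self.policy, p) != "allow":
            verdict = "drop"
            self.log.append(f"new flow {key} denied by policy: drop")
        elif len(self.sessions) >= self.max_sessions:
            verdict = "drop"
            self.log.append(f"session table full, new flow {key}: drop")
        else:
            verdict = "forward"
            self.sessions.add(key)
            self.log.append(f"new flow {key} allowed: forward")
        return verdict


OUTBOUND_SYN = Packet("10.0.0.5", 40000, "203.0.113.10", 25, syn=True)
REPLY = Packet("203.0.113.10", 25, "10.0.0.5", 40000, payload=b"220 mail ready")
# An outside host that merely chose source port 25 to reach an inside port.
SPOOFED = Packet("203.0.113.66", 25, "10.0.0.5", 22, syn=True)
PROBE = Packet("10.0.0.5", 40000, "203.0.113.10", 25, payload=b"get /etc/passwd")


def run_scenario():
    """Return the verdicts of both filters on the constructed packets."""
    fw = StatefulFirewall(NEW_CONNECTION_POLICY, max_sessions=2)
    verdicts = {
        "stateless_spoofed": first_match(STATELESS_INBOUND, SPOOFED),
        "stateful_outbound": fw.handle(OUTBOUND_SYN),
        "stateful_reply": fw.handle(REPLY),
        "stateful_spoofed": fw.handle(SPOOFED),
        "content_blocked": fw.handle(PROBE),
    }
    # Table exhaustion: with max_sessions=2 the third legitimate flow is refused.
    fw.handle(Packet("10.0.0.5", 40001, "203.0.113.10", 25, syn=True))
    verdicts["table_full"] = fw.handle(Packet("10.0.0.5", 40002, "203.0.113.10", 25, syn=True))
    return verdicts, fw.log
```

run_scenario() shows the stateless filter forwarding the outside packet that merely claims source port 25, while the stateful firewall drops it because no inside host opened that session and the new-connection policy does not admit it. The deliberately small session cap shows the other half of the section: the connection table is the resource a flooding attack exhausts, so the cap and the "session table full" log line are what a defender would tune and alert on.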




Stations
All components that can connect into a wireless medium in a network are referred to as
stations.
All stations are equipped with wireless network interface controllers (WNICs).
Wireless stations fall into one of two categories: access points, and clients.
Access points (APs), normally routers, are base stations for the wireless network. They
transmit and receive radio frequencies for wireless enabled devices to communicate
with.
Wireless clients can be mobile devices such as laptops, personal digital assistants, IP phones and other smartphones, or fixed devices such as desktops and workstations that are equipped with a wireless network interface.

Basic service set
The basic service set (BSS) is a set of all stations that can communicate with each
other.
There are two types of BSS: Independent BSS (also referred to as IBSS), and
infrastructure BSS.
Every BSS has an identification (ID) called the BSSID, which is the MAC address of the
access point servicing the BSS.
An independent BSS (IBSS) is an ad-hoc network that contains no access points, which means its stations cannot connect to any other basic service set.
An infrastructure BSS can communicate with stations not in the same basic service set by communicating through access points.

Extended service set
An extended service set (ESS) is a set of connected BSSs. Access points in an ESS
are connected by a distribution system. Each ESS has an ID called the SSID which is a
32-byte (maximum) character string.
Distribution system
A distribution system (DS) connects access points in an extended service set. The
concept of a DS can be used to increase network coverage through roaming between
cells.
A DS can be wired or wireless. Current wireless distribution systems are mostly based on WDS or mesh protocols, though other systems are in use.

Wireless distribution system
A Wireless Distribution System is a system that enables the wireless interconnection of
access points in an IEEE 802.11 network. It allows a wireless network to be expanded
using multiple access points without the need for a wired backbone to link them, as is
traditionally required. The notable advantage of WDS over other solutions is that it
preserves the MAC addresses of client packets across links between access points.
[5]

An access point can be either a main, relay or remote base station. A main base station
is typically connected to the wired Ethernet. A relay base station relays data between
remote base stations, wireless clients or other relay stations to either a main or another
relay base station. A remote base station accepts connections from wireless clients and
passes them to relay or main stations. Connections between "clients" are made using
MAC addresses rather than by specifying IP assignments.
All base stations in a Wireless Distribution System must be configured to use the same
radio channel, and share WEP keys or WPA keys if they are used. They can be
configured to different service set identifiers. WDS also requires that every base station
be configured to forward to others in the system.
WDS may also be referred to as repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). Note, however, that throughput in this method is halved for all clients connected wirelessly.
When it is difficult to connect all of the access points in a network by wires, it is also
possible to put up access points as repeaters.
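The WDS requirements listed above (one radio channel for all base stations, shared WEP/WPA keys where security is used, SSIDs that may differ but are at most 32 bytes, the AP's MAC address as BSSID, forwarding configured to other stations, and a main station on the wired network) as a consistency check over a set of base-station records. This is an added Python example, not code from the original notes; the record layout and the station data are constructed for illustration and are not any vendor's configuration format.

```python
"""Consistency check for a Wireless Distribution System (WDS).

Added example, not part of the original notes.  The record layout and the
station data are constructed; they do not follow any vendor's format.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class BaseStation:
    name: str
    role: str            # "main", "relay" or "remote"
    mac: str             # the AP's MAC address, i.e. its BSSID
    channel: int
    ssid: str
    security: str        # "open", "WEP" or "WPA"
    key: str             # shared key; "" when open
    forward_to: tuple    # names of the stations this AP forwards to


def check_wds(stations):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    names = {s.name for s in stations}
    if not any(s.role == "main" for s in stations):
        problems.append("no main base station connected to the wired network")
    channels = sorted({s.channel for s in stations})
    if len(channels) > 1:
        problems.append(f"stations use different radio channels: {channels}")
    if len({(s.security, s.key) for s in stations}) > 1:
        problems.append("stations do not share one security mode and key")
    for s in stations:
        if not MAC_RE.match(s.mac):
            problems.append(f"{s.name}: BSSID {s.mac!r} is not a MAC address")
        if len(s.ssid.encode("utf-8")) > 32:
            problems.append(f"{s.name}: SSID exceeds 32 bytes")
        if s.security != "open" and not s.key:
            problems.append(f"{s.name}: {s.security} enabled but no key set")
        targets = set(s.forward_to)
        if not targets - {s.name}:
            problems.append(f"{s.name}: forwards to no other station")
        for t in sorted(targets - names):
            problems.append(f"{s.name}: forwards to unknown station {t!r}")
    return problems


# Constructed configurations: GOOD satisfies every rule, BAD breaks several.
GOOD = [
    BaseStation("main-1", "main", "00:11:22:33:44:01", 6, "campus", "WPA", "k3y", ("relay-1",)),
    BaseStation("relay-1", "relay", "00:11:22:33:44:02", 6, "campus", "WPA", "k3y", ("main-1", "remote-1")),
    BaseStation("remote-1", "remote", "00:11:22:33:44:03", 6, "campus-east", "WPA", "k3y", ("relay-1",)),
]
BAD = [
    BaseStation("main-1", "main", "00:11:22:33:44:01", 6, "campus", "WPA", "k3y", ("relay-1",)),
    BaseStation("relay-1", "relay", "00:11:22:33:44:02", 11, "campus", "WPA", "k3y", ("main-1",)),
    BaseStation("remote-1", "remote", "0011.2233.4403", 6, "campus", "WPA", "", ("relay-1", "relay-2")),
]

if __name__ == "__main__":
    print("GOOD:", check_wds(GOOD) or "consistent")
    for problem in check_wds(BAD):
        print("BAD:", problem)
```

GOOD passes with differing SSIDs on the main and remote stations, which the notes allow; BAD reports the channel mismatch, the key that one station lacks (which also breaks the shared-key rule), a BSSID that is not a MAC address, and a forwarding target that does not exist in the system.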
