A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.

Hardware vs. software firewalls

Hardware firewalls:
- Protect an entire network.
- Implemented at the gateway/router level.
- Usually more expensive and harder to configure.

Software firewalls:
- Protect a single computer.
- Usually less expensive and easier to configure.

How does a software firewall work?

It inspects each individual packet of data as it arrives at either side of the firewall, inbound to or outbound from your computer, and determines whether the packet should be allowed to pass through or should be blocked.
Firewall rules

- Allow: traffic that is allowed to flow automatically because it has been deemed safe (e.g. traffic from Yahoo, Eudora, etc.).
- Block: traffic that is blocked because it has been deemed dangerous to your computer.
- Ask: the firewall asks the user whether or not the traffic is allowed to pass through.
What a personal firewall can do

- Stops hackers from accessing your computer.
- Protects your personal information.
- Blocks pop-up ads and certain cookies.
- Determines which programs can access the Internet.

What a personal firewall cannot do

- It cannot prevent e-mail viruses; only an antivirus product with updated definitions can prevent e-mail viruses.
- After setting it up initially, you cannot forget about it: the firewall will require periodic updates to the rulesets and to the software itself.

Examples of personal firewall software

- ZoneAlarm <www.zonelabs.com>
- BlackICE Defender <http://blackice.iss.net>
- Tiny Personal Firewall <www.tinysoftware.com>
- Norton Personal Firewall <www.symantec.com>

Examples of network firewalls

- Cisco PIX
- Check Point
- SonicWall
- NetScreen

Limitations of a firewall

- The firewall cannot protect against attacks that bypass the firewall.
- The firewall does not protect against internal threats.
- The firewall cannot protect against the transfer of virus-infected programs or files.

Types of firewall techniques

Packet filters

Packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself, most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number.

A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet-filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis (GSS).

For example, if a rule exists in the firewall to block Telnet access, then the firewall will block traffic to TCP port number 23, the Telnet port. [7]

Disadvantage: the restriction we defined is based solely on the outside host's port number, which we have no way of controlling. An attacker can therefore reach any internal machine and port by originating the connection from port 25 on the outside machine.
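The stateless filtering just described, as an added example that is not from the original notes: a small packet filter in Python that matches each packet against an ordered rule list using only header fields, with no memory of earlier packets. The addresses and the rule set are constructed; the third rule models the weakness the notes describe, permitting inbound traffic purely because it comes from port 25 on the outside host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a stateless filter looks at."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    sport: Optional[int] = None      # None matches any source port
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matching no rule gets the default action.
    Nothing about earlier packets is consulted: this is the whole decision."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"              # constructed internal address range
MAIL_SERVER = "10.0.0.25/32"         # constructed internal mail server
OUTSIDE = "198.51.100.7"             # constructed external host

# Constructed rule set: block Telnet into the internal network, let the mail
# server be reached on port 25, and let replies from outside mail servers in.
# The last rule is the weak one: it trusts a source port the outside host picks.
RULES = [
    Rule("deny", dst=INTERNAL, proto="tcp", dport=23),
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25),
    Rule("allow", dst=INTERNAL, proto="tcp", sport=25),
]


def telnet_inbound() -> str:
    return filter_packet(RULES, Packet(OUTSIDE, "10.0.0.5", "tcp", 40000, 23))


def smtp_to_mail_server() -> str:
    return filter_packet(RULES, Packet(OUTSIDE, "10.0.0.25", "tcp", 40000, 25))


def source_port_25_to_ssh() -> str:
    # Same outside host, now sending from port 25 to an internal SSH port.
    # The filter cannot tell this from a legitimate SMTP reply.
    return filter_packet(RULES, Packet(OUTSIDE, "10.0.0.5", "tcp", 25, 22))


def unmatched_udp() -> str:
    return filter_packet(RULES, Packet(OUTSIDE, "10.0.0.5", "udp", 5000, 53))
```

Because the filter only sees header fields, the last call is indistinguishable from a legitimate SMTP reply and is allowed; the stateful inspection the notes cover later is what closes this gap, by requiring that an inbound packet belong to a connection the inside opened.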
Proxy firewalls

The firewall runs a set of proxy programs, and the proxies filter incoming and outgoing packets. All incoming traffic is directed to the firewall, and all outgoing traffic appears to come from the firewall; the policy is embedded in the proxy programs. There are two kinds of proxies:
- Application-level gateways/proxies, tailored to HTTP, FTP, SMTP, etc.
- Circuit-level gateways/proxies, working at the TCP level.

Application-level gateway

An application-level gateway, also called a proxy server, acts as a relay of application-level traffic and has full access to the protocol: the user requests a service from the proxy, the proxy validates the request as legal, then actions the request and returns the result to the user. The application-level gateway is service specific, so a separate proxy is needed for each service (SMTP, Telnet, etc.).

Circuit-level gateway

A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections. Once the TCP connections are established, the gateway relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed; once a connection is created, the gateway usually relays traffic without examining its contents.

Stateful packet inspection firewall

This technology is generally referred to as stateful packet inspection because it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria that trigger specific rules. This type of firewall can be exploited by certain denial-of-service attacks, which fill the connection tables with illegitimate connections.

Properties of stateful packet inspection:
- Speed and flexibility of packet filters.
- Application-level security of application proxies.
- Maintains a record of pending communications.
- Can look into the data of certain packet types.
- Can reject incorrectly formatted commands or requests.
- Can only look for specific strings within the data portion of a packet.

SPI algorithm (the steps recoverable from the flowchart):
1. Packet arrives on a firewall interface.
2. Is the packet part of an existing flow? If yes, forward the packet toward its final destination, update the session table, and log.
3. If not, examine the packet against the ruleset. Is the packet permitted by the ruleset? If no, drop or reject the packet and log.
4. If yes, examine the contents of the packet for specific content. Are the packet contents permitted by policy? If no, drop or reject the packet and log; if yes, forward the packet toward its final destination, update the session table, and log.
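The two-connection relay described above, as an added example that is not from the original notes: a tiny circuit-level gateway in Python. It accepts the client's TCP connection, decides from a constructed allow-list of destinations whether the circuit may exist, and if so opens a second TCP connection and copies bytes in both directions without examining them. The echo service, addresses and policy are assumed for the demonstration, and everything runs on loopback so it can be executed offline.

```python
import socket
import threading
from typing import Set, Tuple

Dest = Tuple[str, int]


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes; the payload is never inspected."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass end-of-stream on to the other side
        except OSError:
            pass


class CircuitGateway:
    """Listens on a loopback port; each accepted client gets its own second TCP
    connection to `dest` if policy allows the circuit, otherwise it is closed."""

    def __init__(self, dest: Dest, allowed: Set[Dest]) -> None:
        self.dest = dest
        self.allowed = allowed          # constructed policy: permitted (host, port) pairs
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                  # listener closed
            threading.Thread(target=self._serve, args=(client,), daemon=True).start()

    def _serve(self, client: socket.socket) -> None:
        # The security function: decide which connections may exist at all.
        if self.dest not in self.allowed:
            client.close()
            return
        server = socket.create_connection(self.dest)   # the second TCP connection
        back = threading.Thread(target=_relay, args=(server, client), daemon=True)
        back.start()
        _relay(client, server)
        back.join()
        client.close()
        server.close()

    def close(self) -> None:
        self.listener.close()


def start_echo_server() -> Dest:
    """Constructed stand-in for the protected service: echoes one request, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(conn.recv(4096))
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def through_gateway(payload: bytes, allow: bool) -> bytes:
    """Send payload through a gateway whose policy does or does not permit the
    circuit; returns the echo when allowed and nothing when refused."""
    dest = start_echo_server()
    gw = CircuitGateway(dest, allowed={dest} if allow else set())
    received = b""
    try:
        with socket.create_connection(("127.0.0.1", gw.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
    except OSError:
        pass                            # a refused circuit may surface as a reset
    finally:
        gw.close()
    return received
```

The client never holds a socket to the echo service: its only peer is the gateway, which is why a circuit-level gateway can enforce "which connections" without understanding "what is said" on them.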
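The session-table logic described above, as an added example that is not from the original notes: a minimal stateful packet inspection engine in Python. It keeps a table of connections so each packet is classified as the start of a new connection, part of an existing connection, or invalid, and it shows the usual answer to the connection-table-filling problem the notes mention: a bounded table whose half-open entries time out quickly. Addresses, ports, the allowed-port policy and the traffic sample are constructed; TCP is reduced to SYN/ACK flags, and the content-inspection step of the SPI flow is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # constructed internal address range
TABLE_MAX = 3                         # deliberately tiny so the cap is visible
HALF_OPEN_TIMEOUT = 5.0               # seconds an unanswered SYN entry may live
IDLE_TIMEOUT = 60.0                   # seconds an idle established entry may live


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


FlowKey = Tuple[str, str, int, int]   # (src, dst, sport, dport) of the opening packet


class StatefulFirewall:
    """Session table keyed by the 4-tuple of the packet that opened the connection.
    Policy (constructed): only internal hosts may open connections, to listed ports."""

    def __init__(self, allowed_outbound_ports: Set[int]) -> None:
        self.allowed_outbound_ports = allowed_outbound_ports
        self.sessions: Dict[FlowKey, Tuple[str, float]] = {}   # key -> (state, last_seen)

    def _expire(self, now: float) -> None:
        """Age out entries; half-open ones go quickly so a SYN flood cannot pin the table."""
        for key, (state, last) in list(self.sessions.items()):
            limit = HALF_OPEN_TIMEOUT if state == "half_open" else IDLE_TIMEOUT
            if now - last > limit:
                del self.sessions[key]

    def _lookup(self, p: Packet) -> Optional[FlowKey]:
        """Match the packet in either direction of a recorded connection."""
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.sessions:
            return fwd
        if rev in self.sessions:
            return rev
        return None

    def inspect(self, p: Packet, now: float) -> str:
        self._expire(now)
        key = self._lookup(p)
        if key is not None:
            # Part of an existing connection: refresh it and forward.
            state, _ = self.sessions[key]
            if p.ack:
                state = "established"
            self.sessions[key] = (state, now)
            return "forward:existing"
        if not p.syn or p.ack:
            # Mid-stream packet with no session: invalid, whatever ports it carries.
            return "drop:invalid"
        # Start of a new connection: apply the static rules.
        if ip_address(p.src) not in INTERNAL or p.dport not in self.allowed_outbound_ports:
            return "drop:policy"
        if len(self.sessions) >= TABLE_MAX:
            return "drop:table_full"
        self.sessions[(p.src, p.dst, p.sport, p.dport)] = ("half_open", now)
        return "forward:new"

    def table_size(self) -> int:
        return len(self.sessions)


def demo() -> Dict[str, object]:
    """Constructed traffic: a legitimate outbound SMTP session, the stateless filter's
    weak case (outside host sending from port 25), and a burst of unanswered SYNs."""
    fw = StatefulFirewall(allowed_outbound_ports={25, 443})
    out: Dict[str, object] = {}
    out["syn_out"] = fw.inspect(Packet("10.0.0.5", "198.51.100.7", 40000, 25, syn=True), now=0.0)
    out["synack_in"] = fw.inspect(Packet("198.51.100.7", "10.0.0.5", 25, 40000, syn=True, ack=True), now=0.1)
    out["data_in"] = fw.inspect(Packet("198.51.100.7", "10.0.0.5", 25, 40000, ack=True), now=1.0)
    out["sport25_probe"] = fw.inspect(Packet("198.51.100.7", "10.0.0.9", 25, 22, ack=True), now=1.5)
    out["sport25_syn"] = fw.inspect(Packet("198.51.100.7", "10.0.0.9", 25, 22, syn=True), now=1.6)
    for i in range(5):   # five SYNs from one internal host that never complete
        out[f"flood{i}"] = fw.inspect(Packet("10.0.0.66", "203.0.113.1", 50000 + i, 443, syn=True), now=2.0)
    out["size_during_flood"] = fw.table_size()
    out["after_timeout"] = fw.inspect(Packet("10.0.0.5", "198.51.100.7", 40000, 25, ack=True), now=10.0)
    out["size_after_timeout"] = fw.table_size()
    return out
```

The two port-25 packets from the outside host are rejected for different reasons: the bare ACK matches no session and is invalid, and the SYN is refused by policy because the outside may not open connections inward. The SYN burst shows the table-filling risk and the mitigation together: once the cap is reached new half-open entries are refused, and at the later timestamp they have aged out while the established SMTP session is still forwarded.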
Stations

All components that can connect into a wireless medium in a network are referred to as stations. All stations are equipped with wireless network interface controllers (WNICs). Wireless stations fall into one of two categories: access points and clients. Access points (APs), normally routers, are base stations for the wireless network; they transmit and receive radio frequencies for wireless-enabled devices to communicate with. Wireless clients can be mobile devices such as laptops, personal digital assistants, IP phones and other smartphones, or fixed devices such as desktops and workstations that are equipped with a wireless network interface.

Basic service set

The basic service set (BSS) is a set of all stations that can communicate with each other. There are two types of BSS: the independent BSS (also referred to as IBSS) and the infrastructure BSS. Every BSS has an identification (ID) called the BSSID, which is the MAC address of the access point servicing the BSS. An independent BSS (IBSS) is an ad-hoc network that contains no access points, which means it cannot connect to any other basic service set. An infrastructure BSS can communicate with stations not in the same basic service set by communicating through access points.

Extended service set

An extended service set (ESS) is a set of connected BSSs. Access points in an ESS are connected by a distribution system. Each ESS has an ID called the SSID, which is a character string of at most 32 bytes.

Distribution system

A distribution system (DS) connects access points in an extended service set. The concept of a DS can be used to increase network coverage through roaming between cells. A DS can be wired or wireless. Current wireless distribution systems are mostly based on WDS or mesh protocols, though other systems are in use.

Wireless distribution system

A wireless distribution system (WDS) is a system that enables the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them, as is traditionally required. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client packets across links between access points. [5]

An access point can be either a main, relay or remote base station. A main base station is typically connected to the wired Ethernet. A relay base station relays data between remote base stations, wireless clients or other relay stations and either a main or another relay base station. A remote base station accepts connections from wireless clients and passes them to relay or main stations. Connections between "clients" are made using MAC addresses rather than by specifying IP assignments. All base stations in a wireless distribution system must be configured to use the same radio channel, and to share WEP keys or WPA keys if they are used. They can be configured with different service set identifiers. WDS also requires that every base station be configured to forward to the others in the system. WDS may also be referred to as repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). It should be noted, however, that throughput in this method is halved for all clients connected wirelessly. When it is difficult to connect all of the access points in a network by wires, it is also possible to put up access points as repeaters.
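An added example, not from the original notes, that turns the constraints above into a configuration check: SSIDs are validated against the 32-byte limit (bytes, not characters, so non-ASCII names can exceed it), and a WDS layout is checked for a shared radio channel, a shared WEP/WPA key, the presence of a main base station, and forwarding links that let every base station reach the wired network. The BSSIDs, SSIDs, keys and layouts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SSID_MAX_BYTES = 32


def ssid_errors(ssid: str) -> List[str]:
    """The SSID limit is 32 bytes, not 32 characters, so non-ASCII names can exceed it."""
    raw = ssid.encode("utf-8")
    errs: List[str] = []
    if not raw:
        errs.append("SSID is empty")
    elif len(raw) > SSID_MAX_BYTES:
        errs.append(f"SSID is {len(raw)} bytes, limit is {SSID_MAX_BYTES}")
    return errs


@dataclass
class AccessPoint:
    bssid: str                      # MAC address of the AP radio; identifies its BSS
    ssid: str
    role: str                       # "main", "relay" or "remote"
    channel: int
    key: Optional[str]              # shared WEP/WPA key, None if the network is open
    wds_peers: List[str] = field(default_factory=list)   # BSSIDs this AP forwards to


def wds_errors(aps: List[AccessPoint]) -> List[str]:
    """Check the WDS rules from the notes: one radio channel, one shared key, a main
    base station, and every base station forwarding to others. SSIDs may differ."""
    errs: List[str] = []
    if not aps:
        return ["no access points"]
    for ap in aps:
        errs += [f"{ap.bssid}: {e}" for e in ssid_errors(ap.ssid)]
    channels = {ap.channel for ap in aps}
    if len(channels) > 1:
        errs.append(f"WDS base stations on different channels: {sorted(channels)}")
    if len({ap.key for ap in aps}) > 1:
        errs.append("WDS base stations do not share the same WEP/WPA key")
    if not any(ap.role == "main" for ap in aps):
        errs.append("no main base station connected to the wired network")
    known = {ap.bssid for ap in aps}
    for ap in aps:
        if not ap.wds_peers:
            errs.append(f"{ap.bssid}: does not forward to any other base station")
        for peer in ap.wds_peers:
            if peer not in known:
                errs.append(f"{ap.bssid}: forwards to unknown BSSID {peer}")
    return errs


def unreachable_from_main(aps: List[AccessPoint]) -> List[str]:
    """BSSIDs that cannot reach a main base station over the forwarding links
    (links are treated as bidirectional)."""
    adj = {ap.bssid: set(ap.wds_peers) for ap in aps}
    for ap in aps:
        for peer in ap.wds_peers:
            if peer in adj:
                adj[peer].add(ap.bssid)
    seen = {ap.bssid for ap in aps if ap.role == "main"}
    frontier = list(seen)
    while frontier:
        cur = frontier.pop()
        for nxt in adj.get(cur, set()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return sorted(b for b in adj if b not in seen)


# Constructed layouts; the MAC addresses, SSIDs and keys are made up.
GOOD_WDS = [
    AccessPoint("00:11:22:33:44:01", "campus", "main", 6, "wpa-key", ["00:11:22:33:44:02"]),
    AccessPoint("00:11:22:33:44:02", "campus", "relay", 6, "wpa-key",
                ["00:11:22:33:44:01", "00:11:22:33:44:03"]),
    AccessPoint("00:11:22:33:44:03", "campus-east", "remote", 6, "wpa-key", ["00:11:22:33:44:02"]),
]
BAD_WDS = [
    AccessPoint("00:11:22:33:44:01", "campus", "main", 6, "wpa-key", ["00:11:22:33:44:02"]),
    AccessPoint("00:11:22:33:44:02", "campus", "relay", 11, "other-key", []),
    AccessPoint("00:11:22:33:44:03", "x" * 33, "remote", 6, "wpa-key", ["00:11:22:33:44:04"]),
]
```

The bad layout trips five checks (an over-long SSID, a second channel, a second key, a relay that forwards nowhere, and a remote that forwards to a BSSID that does not exist), and the reachability pass reports that the remote station has no path to the wired network.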