
FIREWALL

INTRODUCTION:

The Internet is a network of computer networks, built up from the interconnection of networks around
the globe. Interconnection is a good thing; it allows the free exchange of information via the Web,
e-mail and file transfer. But it also carries a price, namely the risk that your Internet connection may be
used by "hackers" (or, as some would rather call them, "crackers") to gain unauthorised access to your
local network.

A firewall is a system that implements and enforces an access control (or security) policy between two
networks; it usually guards an internal private network from an external public one, isolating an intranet
from the Internet. Essentially a firewall connects two or more networks but only allows specified forms of
traffic to flow between them. The firewall is a means by which a security policy can be enforced. A
security policy defines general security principles for a site. In general, it will state what standards,
guidelines and practices should be adhered to. It need not go into specific detail, but may specify policies
such as "e-mail may only be delivered into the site to e-mail servers maintained by authorised systems
support staff". The trick is choosing the right policy for the right environment. Some degree of flexibility
is required so that a site's users can continue to work and exchange information with remote sites.

WHY DO WE NEED FIREWALL?

The many benefits of Internet connectivity come with risks. Every business connected to the
Internet needs a firewall security solution in place that lets employees reach the Internet, e-mail
and FTP services while limiting the risk of unauthorised access to the network.
The amount of information collected, stored and made available on servers, together with the
volume and variety of business activity conducted on-line, leaves sensitive corporate information
vulnerable to theft or corruption from both internal and external sources.

DEFENSE FROM EXTERNAL RISKS

Today's Internet security threats range from curious prowlers to well-organised, technically
knowledgeable intruders who could gain access to your site's private information or interfere with
your (or your clients') use of your own systems. The number and sophistication of these threats
grow each year, just like the Internet itself.

DEFENSE FROM INTERNAL RISKS

To prevent employees, temporary workers, consultants and others with legitimate access to the
network from reaching data they are not authorised to see, a firewall can also be set up to
regulate access to particular servers within the organisation's network. For example, a firewall can
be placed in front of a server holding sensitive legal, financial or human resources information,
providing a point at which those wanting to reach data on that server can be authenticated.

IMPACT OF AN ATTACK
There are three areas of impact:

FINANCIAL LOSS
This may be via lost income, or possibly from fines or compensation imposed by a court.

LOSS OF REPUTATION
If embarrassing material is revealed, or perhaps a forged e-mail is sent in the site's name.

DENIAL OF ACCESS TO A RESOURCE
If a key piece of network or server equipment has been rendered unusable.

In each case, assessing the exact cost is very difficult. We live in an Internet-driven academic
environment where resources need to be accessed 24 hours a day, seven days a week.

SITUATING FIREWALLS
The ideal location for a firewall is exactly where the internal network meets the outside world, so
that it is the only path into the network that needs protection from unauthorised traffic. These days
firewalls are placed inside networks as well, to provide security against internal users. There are
many good reasons to erect internal firewalls in large companies. In such companies most employees
should not be able to reach private information: the financial systems, for example, must be accessible
to the developers and support staff who run them, but not to the general population of users. Even
authorised users should pass through a firewall; otherwise, if their home machines are compromised,
the company may find itself unable to protect that information at all.

The figure above shows a firewall placed between the internal and external networks.

PACKETS IN IP NETWORKS
In IP networks, data is transmitted using packets. This means that the data stream (e-mail, web
page or anything else) is broken up into pieces, and those pieces are passed between machines.
Different tasks employ different protocols and different packets, a short overview of which
follows.

1: IP

The acronym 'IP' stands for 'Internet Protocol' (the word 'Internet' in the name is used in a sense
different from 'Internet' as the name of the global network: it is about communication across
connected networks). IP is responsible for transmitting the packets mentioned above. The IP layer
attempts to deliver each packet of the data stream to its destination. It is very important to note
that it only attempts delivery; there is no guarantee: if a packet cannot be delivered for some reason
(e.g. because of network congestion), it is simply discarded, and the code implementing IP will not
retransmit it. IP does not keep track of the delivery of each packet of a stream, and it does not even
ensure that packets are received in the order they were sent; all of that is the responsibility of upper
layers such as TCP (strictly, IP knows nothing about data streams: it deals with individual packets,
not streams). This property of IP is usually described as 'packet-switched', 'datagram-based' or
'unreliable'.

IP only knows the minimal information required to carry out the task described in the previous
paragraph. Therefore, its packets are quite simple. The most important data stored in them are as
follows:

Header

Source address

Destination address

These addresses identify the source and destination hosts belonging to the packet (or, to be more
exact, the logical interfaces of those hosts -- each host may have more than one interface, and
several addresses may be assigned to the same physical interface (this is called aliasing)). For
packet filtering firewalls (such as the one provided by TCP/IP v4.1+), these addresses are among
the most important information.

Protocol identifier

As mentioned above, different kinds of traffic use different protocols. The protocol identifier
found in the header of IP packets defines the upper-layer protocol that is to receive the
information carried in the data part of the packet.
Fragmentation information

During its journey the packet passes through several network segments. Each segment may impose a
different limit on the maximum size of packet that can be transmitted (the limit is determined by the
link technology: Token Ring, Ethernet and ATM networks each have their own maximum frame size). If
a device at the boundary of two segments cannot forward a packet in one piece, because it would be
oversized on the segment ahead, it must break it into smaller fragments. As fragments have to be
reassembled at the destination before they can be handed to the higher-level protocol, the IP header
must carry whatever information is needed to do so (an identification field, the fragment offset and
the 'more fragments' flag).
Several kinds of attack (e.g. the 'tiny fragment attack' and the 'overlapping fragment attack') use
fragmented packets, so the simplest policy is to discard fragments altogether. This also discards
legitimate traffic that had to be fragmented, so the trade-off is discussed further under HANDLING
IP FRAGMENTS.

TTL (Time To Live)

The TTL field holds a counter whose value is decremented each time the packet passes a router.
When its value reaches zero, the packet is discarded, and the router sends an ICMP message
(Time Exceeded) letting the source of the packet know of its fate. This mechanism is required so
that no packet can circulate forever if a routing loop or other network failure occurs.

Data

The data payload of an IP packet contains the packet of a higher-layer protocol, together with its own
header and data.

2: ICMP

ICMP is short for 'Internet Control Message Protocol' (and is not related to spotting members of
the parliament in any way ;-). Like the packets of all other higher-layer protocols, ICMP packets
are transmitted in the data section of IP packets. They carry information related to the low-level
operation and behaviour of the network (such as error notifications), and also serve diagnostic
purposes.

ICMP messages

ICMP messages are characterised by their type and code, the code being what differentiates
messages of the same type.

Echo and Echo Reply

Everyone has already met these messages: the ping utility relies on them, among others. The
Echo message (type = 8) asks the destination to send an Echo Reply (type = 0) back to the source
address found in the IP header. Since they may be used to discover the basic structure of a
network ('Which IP addresses belong to hosts that are up and running?'), it may be desirable to
have the firewall discard Echo messages arriving from the Internet and Echo Reply messages
heading towards it. Traffic in the opposite direction (outgoing Echo, incoming Echo Reply) poses
little risk and may be allowed, although an unsolicited incoming Echo Reply carries an arbitrary
payload, so a stateful filter that only admits replies to requests it has seen leave is preferable.

Destination Unreachable

These messages (type = 3) may be sent to the source of the original IP packet by any element of
the transmission chain, telling it that delivery of the packet failed. The cause of failure is
indicated by the code field (e.g. code 0 means the network, 1 the host and 3 the port is
unreachable). It's best to allow these messages in the inward direction, otherwise applications
may stall for long periods until a timeout tells them the connection cannot be established.
However, it's advisable to discard them in the outward direction, as tools designed to map the
services and hosts of a network (port scanners) also rely on ICMP messages to determine which
machines and services are absent (they can also deduce that from timeouts, but that slows them
down considerably, reducing their efficiency and threat potential). The only exception to that rule
is code 4, 'Fragmentation Needed and DF Set', which is used by the algorithm that determines the
largest packet size that can traverse the path without fragmentation (the Path MTU, or PMTU)
and also by IPsec VPNs. Blocking it makes connections that need a smaller MTU hang, so it's
recommended that code 4 be allowed in both directions.

Source Quench

Source Quench messages (type = 4) ask their recipient to reduce its rate of transmission (for
example to lessen network congestion or ease an overloaded host). They may be allowed in both
directions, but incoming ones are best logged, as they may be used for denial-of-service attacks: a
host bombarded with such messages may reduce its transmission rate to the point where it
becomes practically unusable. (Source Quench has since been deprecated by RFC 6633 and modern
hosts ignore it, so discarding it altogether is also reasonable today.)

Redirect

The Redirect message is of type 5. It may be sent by a router to the source of an IP packet, telling
it that the packet could have been forwarded on a more direct route. Its purpose is to have the
host update its routing table based on information found in the message. As a consequence, it
may also be used to attack a host, directing its traffic somewhere the attacker can observe it or
manipulate it in some other way. Redirects are only meaningful on the local network and should
never pass through routers, so any redirect arriving from the Internet should be discarded.

Time Exceeded

Time Exceeded messages (type = 11) may be sent for either of two reasons. One is that the TTL
field (see the discussion of IP packets) reached zero and the router discarded the packet in
question (code = 0). The other is that reassembly of a fragmented packet failed because some
fragments did not arrive within a reasonable time (code = 1). Incoming packets may be allowed
regardless of code, as may outgoing packets with code 1. Outgoing packets with code 0, however,
should be discarded: they are what the traceroute utility uses to determine the list of devices on
the path between two hosts, and hence to map the internal structure of the protected network.

Parameter Problem

These messages (type = 12) are sent whenever a host processing an IP packet discards it because
it found a problem in one of the header fields. In a direct way it can cause no harm, and IBM
recommends passing it in both directions (however, it could be used as an alternative to ping, by
deliberately sending malformed packets to a host and watching for the reply).

Time Stamp and Time Stamp Reply

The Time Stamp message (type = 13) asks its destination host for the number of milliseconds
elapsed since midnight UTC; the answer is returned in a Time Stamp Reply message (type = 14).
Legitimate use is very unlikely, but it may be used as an alternative to ping to discover the
structure of a network, so incoming Time Stamp requests and outgoing Time Stamp Replies are
best discarded.

Information Request and Information Reply

Hosts booting from the network may use these messages to discover which IP network they are
on (the query is type 15, the answer type 16). Their use is no longer recommended (see RFC
1122); they have been superseded by RARP, BOOTP and DHCP. Even when used legitimately they
should only appear on LANs, so there is no reason to let them pass a firewall in either direction.

Address Mask Request and Address Mask Reply

The Address Mask Request (type = 17) may be used to query an interface about the netmask it
uses; the reply message is of type 18. As they may be used to determine the topology of the
network, it's advisable to drop incoming requests and outgoing replies. Certain network
management tools rely on these messages.

Router Advertisement and Router Solicitation

Router Solicitation (type = 10) and Advertisement (type = 9) messages are used on local area
networks. There's no reason to allow them at the firewall.

Domain Name Request and Domain Name Reply

As of the year 1999, and according to RFC 1788, this pair of messages is experimental. Requests
have a type of 37, replies 38. Being experimental, they should not appear in normal every-day
traffic, so may be discarded without risking anything.

Traceroute

This (reply) message (with type 30) is the basis for a new, more modern implementation of the
traceroute tool. It is experimental, and relies on a new IP option. Incoming messages may be
allowed to pass, outgoing ones should be discarded.
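To make the directional rules above concrete, here is an added example (written for this page, not code from the original document or from any firewall product) that parses a raw ICMP message, verifies its RFC 1071 checksum, and applies this section's recommendations as a function of message type, code and direction. Everything it needs is built inline: the sample messages are constructed by a small builder, and the 'allow-log' verdict for inbound Source Quench is my own label for "pass it, but log it".

```python
import struct

INBOUND = "in"    # arriving from the Internet at the protected network
OUTBOUND = "out"  # leaving the protected network for the Internet


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a well-formed ICMP message (used only to make sample input)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest


def parse_icmp(data: bytes):
    """Return (type, code) of an ICMP message, or None if it is malformed."""
    if len(data) < 8:                 # every ICMP message has >= 8 header bytes
        return None
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    if icmp_checksum(data) != 0:      # a valid message sums to zero with its checksum
        return None
    return icmp_type, code


# Request types that are safe outbound only, mapped to the reply type
# that is safe inbound only: Echo, Time Stamp, Address Mask.
REQUEST_TO_REPLY = {8: 0, 13: 14, 17: 18}


def icmp_verdict(direction: str, icmp_type: int, code: int) -> str:
    """Encode the per-message recommendations of the ICMP section.
    Returns 'allow', 'drop' or 'allow-log'."""
    if icmp_type in REQUEST_TO_REPLY:            # requests: outbound only
        return "allow" if direction == OUTBOUND else "drop"
    if icmp_type in REQUEST_TO_REPLY.values():   # replies: inbound only
        return "allow" if direction == INBOUND else "drop"
    if icmp_type == 3:                           # Destination Unreachable
        # inbound: let applications fail fast; outbound: only PMTU discovery (code 4)
        return "allow" if direction == INBOUND or code == 4 else "drop"
    if icmp_type == 4:                           # Source Quench: pass, log inbound
        return "allow-log" if direction == INBOUND else "allow"
    if icmp_type == 11:                          # Time Exceeded
        # outbound TTL-expired (code 0) would let traceroute map the inside
        return "drop" if direction == OUTBOUND and code == 0 else "allow"
    if icmp_type == 12:                          # Parameter Problem
        return "allow"
    if icmp_type == 30:                          # Traceroute (experimental)
        return "allow" if direction == INBOUND else "drop"
    # Redirect (5), Router Advertisement/Solicitation (9/10), Information
    # Request/Reply (15/16), Domain Name (37/38) and anything unknown are
    # LAN-only or experimental and are never forwarded through the firewall.
    return "drop"


def filter_icmp(direction: str, data: bytes) -> str:
    """Parse a raw ICMP message and apply the policy; malformed ones are dropped."""
    parsed = parse_icmp(data)
    if parsed is None:
        return "drop"
    return icmp_verdict(direction, *parsed)


if __name__ == "__main__":
    cases = [(INBOUND, build_icmp(8, 0)), (OUTBOUND, build_icmp(8, 0)),
             (OUTBOUND, build_icmp(3, 3)), (OUTBOUND, build_icmp(3, 4)),
             (OUTBOUND, build_icmp(11, 0)), (INBOUND, build_icmp(5, 1))]
    for direction, message in cases:
        print(direction, parse_icmp(message), filter_icmp(direction, message))
```

The checksum test matters in practice: a filter that classifies on the type byte alone can be fed messages whose checksum is wrong, which the end host would discard but the filter would happily log or act on.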

UDP

UDP (User Datagram Protocol) resembles IP in that it, too, is unreliable, packet-switched and
datagram-oriented. However, it operates at a higher layer (the transport layer). It is used by fewer
applications than TCP, typically to transfer small amounts of data; examples include DNS queries
and replies, SNMP messages and TFTP file transfers. In those cases it makes sense to use an
unreliable protocol: as no connection is established, the packets that would be needed to set up
and tear down a connection are not needed, so efficiency is higher than it would be with TCP.

In the transport layer, all data flows are identified by a 4-tuple: <source address;destination
address;source port;destination port>. Addresses are IP addresses, and needless to say,
they come from the IP layer; therefore, the header of a UDP (or TCP) packet does not contain all
the data of the 4-tuple, only port numbers.

Programs responsible for specific services listen on pre-determined ports. Technically there is
nothing to stop you from picking your own port numbers; however, most services have 'default'
(well-known) ports. In the case of UDP a typical service session goes like this:

The client formulates a request, puts it in a UDP packet, and sends it to the address and port where
the server process is known to be listening.

The server receives the request, composes the reply, and returns it to the address and port the
request came from.

Since, by simply examining the header of a UDP packet, it is impossible to tell whether the packet
contains a request or a reply, or whether it is the first in a series of packets that make up an
exchange or one in the middle (remember: in UDP there is no connection between the
communicating parties, only an exchange of packets), defending UDP-based applications (and
servers) is difficult: all a stateless filter can rely on is the 4-tuple found in the headers.

TCP

TCP (Transmission Control Protocol) resembles UDP in that it also operates at the transport layer,
so a data flow is identified by the <source address;destination address;source
port;destination port> 4-tuple (TCP and UDP port numbers are assigned and used independently).
However, there is a substantial difference: the header of a TCP packet contains the information that
makes TCP a stream-based, reliable protocol. This means that the application does not have to break
the data stream into packets (and reassemble them on the other side), and that retransmission of
lost packets and re-ordering of packets arriving out of order do not burden the application
programmer: the code implementing TCP takes care of all that.

TCP connections are built up in three steps (ignoring details that are not relevant to the OS/2
packet filter):

1: The TCP code on the host of the process initiating the connection (usually the client, but see
active-mode FTP, where the server opens the data connection) sends a TCP packet to the other
party with the SYN bit set in its header.

2: The other party replies with a packet whose header has both the SYN and ACK bits set.

3: All further packets have the ACK bit set and SYN cleared.

It is important to note that ACK is set in every packet but the very first. Since the packet filter
makes it possible to test that flag, it is easy to prevent incoming connections by only allowing
incoming packets that have the ACK flag set. This cannot be done for UDP packets, as they carry
no connection-related information. Note that the ACK test only blocks connection establishment:
an attacker can still send packets with ACK set to internal hosts and learn from the RST responses
which ports the filter lets through (the 'ACK scan'), which is one reason stateful filtering (see
DYNAMIC PACKET FILTERING) is preferable.

FIREWALL TYPES:

There have historically been two main types of firewall: network layer and application layer.

NETWORK LAYER FIREWALLS (PACKET FILTER)

The packet filter contained in 32-bit TCP/IP stacks performs filtering using a rule base. The first
matching rule of the rule set determines the fate of the packet, so the order of rules is of crucial
importance. The last rule of any rule set is an implicit 'deny all', which means that packets
matching no rule are discarded.

Rules are made up of several comparisons (address range, protocol, port etc.). A packet has to
satisfy all of those comparisons for the rule to match (in other words, a logical AND of the results
of the individual comparisons determines whether the rule matches a packet or not).

PACKET FILTERING RULES:

Filtering most TCP applications is relatively easy. Typically we have a client that uses a port
above 1023 and wants to connect to a server running on a specific port (the server may use a port
either below or above 1023). If you want to provide access to the service, you will need four rules:

Let the incoming request enter the firewall

Let the request leave the firewall

Let the reply enter the firewall

Let the reply leave the firewall

The same kind of rule set is needed regardless of whether you want to give the public access to a
service you run, or want hosts on your protected network to be able to use an outside service.

EXAMPLE SHOWING A PACKET FILTERING PROCESS:

Let us consider the following situation: a client (or requestor) wishes to communicate through a
firewall with another host that is running a service the client wishes to access (e.g. Telnet, HTTP).
The client will send packets from a so-called "high" port; high ports are in the range 1024-65535.
These packets need to indicate the service they are destined for, so that the destination host can
handle them appropriately. Common services use "well-known" ports: HTTP uses port 80, for
example, and Telnet uses port 23. Thus, for communication to occur, the firewall needs to allow
packets from the client with a high source port and a destination port of 80 in the case of HTTP,
or 23 in the case of Telnet.

Figure showing the client connecting to the server's HTTP port.

The rules, or rather the procedure applied between client and server, can easily be represented in
tabular form, and that representation gives a simple, easy way to understand the packet filtering
process.

Action  Src IP  Src Port  Dst IP  Dst Port  Flag  Comment
Allow   *       1025      *       80        -     HTTP connection
Allow   *       80        *       *         ACK   reply
Allow   *       80        *       1025      -     data

SOME TABLES
1: SHOWING A DEFAULT VALUE

Action  Src IP  Src Port  Dst IP  Dst Port  Flag  Comment
Block   *       *         *       *         *     Default

In this case everything that is not expressly permitted is prohibited.

2: BLOCKING A PARTICULAR HOST:

Action  Src IP  Src Port  Dst IP  Dst Port  Flag  Comment
Block   ABC     *         *       *         *     Harmful host

Here a particular host (ABC) is being blocked. The procedure is simple and straightforward.

Action  Src IP  Src Port  Dst IP  Dst Port  Flag  Comment
Allow   *       *         *       25        -     SMTP
Allow   *       25        *       *         ACK   reply

Here the first entry in the table lets a simple SMTP request from a client reach the mail server on
port 25; the second lets the server's reply, which carries the ACK flag, pass back.
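The following added example (not from the original document or from any packet-filter product) implements the packet filter described above: a rule is a set of comparisons ANDed together, the first matching rule decides, and a packet matching no rule is blocked. It encodes the HTTP rule table for a hypothetical 10.20.20.0/24 site (the two firewall interfaces of the four-rule form are collapsed into an in/out direction field), the block rule for a harmful host, and the ACK-flag test from the TCP section. The sample packets and the addresses 203.0.113.10 and 198.51.100.7 are constructed for the example. The last two cases show what a practitioner should notice: rule order changes the verdict, and a static filter passes any packet that claims source port 80 and carries ACK, even a probe of an internal high port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the Internet) or "out" (towards it)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags; always False for UDP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    direction: str = "*"
    proto: str = "*"
    src: str = "*"        # CIDR block, single address or "*"
    sport: str = "*"      # port number, "high" (1024-65535) or "*"
    dst: str = "*"
    dport: str = "*"
    flag: str = "*"       # "ack": packet must carry ACK; "*": don't care
    comment: str = ""


def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _match_port(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern == "high":
        return 1024 <= port <= 65535
    return int(pattern) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Every comparison must hold: the results are ANDed together.
    return (rule.direction in ("*", pkt.direction)
            and rule.proto in ("*", pkt.proto)
            and _match_addr(rule.src, pkt.src)
            and _match_port(rule.sport, pkt.sport)
            and _match_addr(rule.dst, pkt.dst)
            and _match_port(rule.dport, pkt.dport)
            and (rule.flag == "*" or (rule.flag == "ack" and pkt.ack)))


def filter_packet(rules, pkt: Packet):
    """First matching rule decides; a packet matching no rule is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return "block", "implicit deny"


# Hypothetical site: clients on 10.20.20.0/24, one hostile host to shut out.
INTERNAL = "10.20.20.0/24"
RULES = [
    Rule("block", src="198.51.100.7", comment="harmful host"),
    Rule("allow", "out", "tcp", INTERNAL, "high", "*", "80", comment="HTTP request"),
    Rule("allow", "in", "tcp", "*", "80", INTERNAL, "high", "ack", comment="HTTP reply"),
]

if __name__ == "__main__":
    samples = {
        "client SYN to web server": Packet("out", "tcp", "10.20.20.5", 1025, "203.0.113.10", 80, syn=True),
        "server SYN/ACK back":      Packet("in", "tcp", "203.0.113.10", 80, "10.20.20.5", 1025, syn=True, ack=True),
        "outside SYN to port 1025": Packet("in", "tcp", "203.0.113.10", 4444, "10.20.20.5", 1025, syn=True),
        "ACK scan from sport 80":   Packet("in", "tcp", "203.0.113.10", 80, "10.20.20.5", 3389, ack=True),
        "reply from harmful host":  Packet("in", "tcp", "198.51.100.7", 80, "10.20.20.5", 1025, ack=True),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} -> {filter_packet(RULES, pkt)}")
    # Rule order matters: with the block rule moved last, the harmful host's
    # packets match the HTTP-reply rule first and get through.
    print("block rule last           ->",
          filter_packet(RULES[1:] + RULES[:1], samples["reply from harmful host"]))
```

The "ACK scan" case is the weakness the next section is about: nothing in a static rule set ties the reply rule to a request that actually went out.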

STATIC PACKET FILTERING

The earlier versions of BorderManager relied on static packet filters, and the previous example is,
in effect, describing static packet filtering. In this approach the firewall does not keep track of the
"state" of the traffic passing through it. Thus the firewall cannot determine whether an incoming
packet is actually the first packet of an externally initiated session or a response to a session
initiated by an internal client. For responses to get through the firewall, a response filter exception
must be permanently enabled; in the HTTP example above this means that the high ports of the
internal host(s) remain continually open to any packet claiming to come from port 80.
Obviously, the level of protection such filters provide is limited. Firewalls that implement network
address translation (NAT) go some way towards offsetting the weakness of these filters in the
specific case where the client makes its requests via a "dynamic" NAT interface: externally
initiated traffic that tries to use the open high ports fails because the dynamic NAT table contains
no entry for it, so the packet is dropped. It is not the intention of this AppNote to discuss NAT in
any detail; interested readers should consult the documentation on the Novell web site.

DYNAMIC PACKET FILTERING

Also known as "stateful" packet filtering, this approach provides a higher level of security than
static packet filtering. Here the firewall keeps track of the outgoing packets it allows to pass and
lets only the corresponding reply packets return. A single outgoing stateful filter automatically
creates a temporary (time-limited) inbound filter exception for the connection. This temporary
exception only admits packets from the host and port to which the outbound packet was sent.
Thus internal clients can access remote services without leaving permanent incoming channels
open. Using the HTTP example from the previous section, only a single filter exception is required
for a client wishing to communicate with an external web server: the stateful filter exception would
have a high source port and a destination port of 80. More processing is involved in maintaining the
state table, so stateful packet filtering is somewhat slower than static packet filtering.
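As an added example (not code from the original document or from BorderManager), the following connection tracker is the simplest form of the dynamic filter described above: a single outbound policy creates a time-limited table entry keyed on the 4-tuple, and an inbound packet is admitted only if its reversed tuple has a live entry. The policy function, the timeout, the addresses and the sample trace are constructed for the example. Note that the ACK-carrying probe from source port 80 that a static filter lets through is dropped here, and that an idle entry disappears once the timeout passes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out": leaving the protected network, "in": arriving
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Dynamic packet filter: one outbound policy; replies admitted by state."""

    def __init__(self, outbound_allowed, timeout=60):
        self.outbound_allowed = outbound_allowed  # predicate deciding outbound packets
        self.timeout = timeout                    # seconds an idle entry survives
        self.table = {}   # (proto, int_ip, int_port, ext_ip, ext_port) -> expiry time

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if t > now}

    def process(self, pkt: Pkt, now: float) -> str:
        self._expire(now)
        if pkt.direction == "out":
            if not self.outbound_allowed(pkt):
                return "drop"
            # Allowed outbound packet: create or refresh the temporary inbound
            # exception for exactly this host/port pair.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.table[key] = now + self.timeout
            return "allow"
        # Inbound: only packets whose reversed 4-tuple has a live entry pass.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "drop"
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "drop"          # a bare SYN is a new connection, never a reply
        self.table[key] = now + self.timeout
        return "allow"


def site_policy(pkt: Pkt) -> bool:
    """Hypothetical outbound policy: web from high ports, and DNS queries."""
    return ((pkt.proto == "tcp" and pkt.dport == 80 and pkt.sport >= 1024)
            or (pkt.proto == "udp" and pkt.dport == 53))


if __name__ == "__main__":
    fw = StatefulFilter(site_policy, timeout=60)
    trace = [
        (0, Pkt("out", "tcp", "10.20.20.5", 1025, "203.0.113.10", 80, syn=True)),
        (1, Pkt("in", "tcp", "203.0.113.10", 80, "10.20.20.5", 1025, syn=True, ack=True)),
        (1, Pkt("in", "tcp", "203.0.113.10", 80, "10.20.20.5", 3389, ack=True)),   # ACK scan
        (2, Pkt("out", "udp", "10.20.20.5", 40000, "203.0.113.53", 53)),
        (3, Pkt("in", "udp", "203.0.113.53", 53, "10.20.20.5", 40000)),
        (4, Pkt("out", "tcp", "10.20.20.5", 1026, "203.0.113.10", 22, syn=True)),   # not in policy
        (200, Pkt("in", "udp", "203.0.113.53", 53, "10.20.20.5", 40000)),            # entry expired
    ]
    for now, pkt in trace:
        print(f"t={now:3d} {pkt.direction:3s} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} : {fw.process(pkt, now)}")
```

Real implementations key TCP entries on the SYN and SYN/ACK exchange and keep separate, shorter timeouts for UDP; the point here is only that the inbound decision is made by the table, not by a permanent rule.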

The figure shows a firewall blocking the same data from entering the network a second time. This
may not look like a filter in the conventional sense, since no explicit block rule for the unwanted
data is configured; the data is simply refused for lack of a matching state entry.

HANDLING IP FRAGMENTS

The existence of IP fragmentation makes life difficult for packet filters. Except for the first one,
fragments do not contain port numbers, so there is little information on which to base a filtering
decision. The proper response depends on the goals you have chosen for your firewall.

If the main threat is penetration attempts from outside, fragments can be passed without further
ado. The initial fragment will carry the port number information and can be processed
appropriately; if it is rejected, the packet is incomplete and the remaining fragments will
eventually be discarded by the destination host when its reassembly timer expires.

If, however, information leakage is a significant concern, fragments must be discarded. Nothing
prevents someone intent on exporting data from building bogus non-initial fragments and
converting them back into proper packets on some outside machine.
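The following added example (not from the original document) parses the fragmentation fields of an IPv4 header and implements the two policies just described, plus the two checks from RFC 1858 for the attacks mentioned under IP: an initial fragment too short to hold the transport header is dropped, and a TCP fragment at byte offset 8 (which would overwrite the flags of the first fragment on reassembly) is dropped. The packets are built by a small helper for sample input; the addresses are constructed, the IP checksum is left at zero because the example does not verify it, and the 20-byte TCP / 8-byte UDP minimum is my choice of what counts as a complete transport header.

```python
import struct
from ipaddress import IPv4Address

IP_DF, IP_MF, IP_OFFSET_MASK = 0x4000, 0x2000, 0x1FFF
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               flags: int = 0, offset: int = 0, ident: int = 1) -> bytes:
    """Make a 20-byte IPv4 header plus payload for sample input (checksum left 0)."""
    frag = flags | (offset & IP_OFFSET_MASK)      # offset counted in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(data: bytes):
    """Extract the header fields a packet filter needs; None if malformed."""
    if len(data) < 20:
        return None
    vihl, _, total, ident, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total < ihl or len(data) < total:
        return None
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "proto": proto, "ttl": ttl, "ident": ident,
        "df": bool(frag & IP_DF), "mf": bool(frag & IP_MF),
        "offset": (frag & IP_OFFSET_MASK) * 8,        # byte offset within the datagram
        "payload": data[ihl:total],
    }


def fragment_verdict(hdr: dict, leak_concern: bool):
    """Apply the fragment policy from the text. Returns (verdict, reason);
    'filter' means hand the packet on to the normal port-based rules."""
    if not hdr["mf"] and hdr["offset"] == 0:
        return "filter", "unfragmented packet"
    if hdr["offset"] == 0:
        # Initial fragment: it must carry the whole transport header, or the
        # ports/flags are pushed into a later fragment (tiny fragment attack).
        need = 20 if hdr["proto"] == PROTO_TCP else 8
        if hdr["proto"] in (PROTO_TCP, PROTO_UDP) and len(hdr["payload"]) < need:
            return "drop", "tiny initial fragment"
        return "filter", "initial fragment with transport header"
    if hdr["proto"] == PROTO_TCP and hdr["offset"] == 8:
        # A fragment at offset 8 overlaps the TCP flags of the first one on
        # reassembly (overlapping fragment attack, RFC 1858).
        return "drop", "overlapping fragment at offset 8"
    if leak_concern:
        return "drop", "non-initial fragment (leakage policy)"
    return "allow", "non-initial fragment (penetration-only policy)"


if __name__ == "__main__":
    samples = [
        ("whole packet",   build_ipv4("203.0.113.10", "10.20.20.5", PROTO_TCP, b"\x00" * 40)),
        ("tiny first",     build_ipv4("203.0.113.10", "10.20.20.5", PROTO_TCP, b"\x00" * 8, flags=IP_MF)),
        ("good first",     build_ipv4("203.0.113.10", "10.20.20.5", PROTO_TCP, b"\x00" * 24, flags=IP_MF)),
        ("offset 8",       build_ipv4("203.0.113.10", "10.20.20.5", PROTO_TCP, b"\x00" * 16, flags=IP_MF, offset=1)),
        ("last fragment",  build_ipv4("203.0.113.10", "10.20.20.5", PROTO_TCP, b"\x00" * 16, offset=3)),
    ]
    for name, raw in samples:
        hdr = parse_ipv4(raw)
        print(f"{name:14s} offset={hdr['offset']:3d} mf={hdr['mf']!s:5s} "
              f"penetration={fragment_verdict(hdr, False)} leakage={fragment_verdict(hdr, True)}")
```

A filter that reassembles fragments itself before applying rules sidesteps all of this, at the cost of holding state for partial datagrams; the checks above are what a stateless filter can do on its own.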

PACKET FILTERING PERFORMANCE:

We pay a performance penalty for packet filtering. Routers are generally optimised to shuffle
packets quickly; packet filters take time and can defeat that optimisation. Routers connected to the
Internet at typical line speeds generally have CPU time to spare to check a few tables, but this may
become a bigger problem as faster links arrive.

Although the biggest performance hit may come from doing any filtering at all, the total
degradation depends on the number of rules applied at any point. It is better to have one rule
specifying a network than several rules enumerating different hosts on that network. Choosing that
optimisation requires that all those hosts accept the same restriction; whether that is feasible
depends on the configuration of the various gateway hosts. We may also be able to speed things up
by ordering the rules so that the most common types of traffic are processed first, taking care that
the reordering does not change which rule matches first, since the first match decides.

APPLICATION GATEWAY

The proxy server (Application Level Firewall) actually stops the information and inspects it
before letting it access the internal network. In this case, there is no direct connection between the
internal network and the “outside” world. A proxy server does not look at the information on a
network level. It does things differently because most users need to authenticate to the proxy in
order to be able to pass information. When a client on the network makes a request to the Internet,
the proxy receives that request. The originating IP address, of the request, is changed to the same
IP address as that of the proxy server. It then forwards this request to the intended destination or
Internet site. Any response that is received gets sent to the proxy server which in turn forwards the
response to the client on the network. This is a major boost in security for the network because
there is no direct route to the network machines. All communication must be made with the proxy
server, who will then
inspect and forward all the information to the proper host. Proxy servers are setup with one of two
different types of architectures. The first one is referred to as a single-homed host. There is only
one network card in the proxy server in this type of architecture. It is then the responsibility of the
Internet router to forward requests to the proxy server and block all other information to the
network. The second type of architecture, a dual-homed or multi-homed host, contains two
network cards which alone can not route information. The combination of the two network cards
and the proxy server allow information from the internal network to communicate with the
Internet and vice versa. Requests that come from the internal network are sent to one network
card. The information that comes from the Internet is sent to the other
network card. Since there is no routing setup between the network cards, neither connection has a
direct route to each other. The proxy server decides what to send and where to send it at this time.
The added bonus that the proxy server provides for a firewall is connection logging when the
information passes through the firewall they alone do not do their own logging. The connections
first access the proxy which logs everything that is going to and from the Internet. The
connections from the “outside” world are logged because they need to be authenticated before
being granted entrance. The internal traffic is also logged to insure that staff are completing their

16
job duties. It can alleviate people slowing down the speed of the network by visiting “useless”
sites. This is accomplished by tracking which sites they have been to and verbally tell them to
stop or restricting their access. A proxy server also provides convenience to the network. A major
role of a proxy server is that it caches Internet web sites just like a web browser caches HTML
pages and images. It can speed up the network in two ways. The first way is traffic is reduced on
the internal network’s Internet connection because users have the opportunity to utilize the cached
copy of a web site instead of direct Internet connections. The next time someone else visits the
web site the proxy server does not need to use the Internet connection because the information is
already available on the internal network. It also saves the time it takes the information to reach
your machine because the Internet site A financial benefit of a proxy server is that it provides
Internet access to many clients under one account. The machines on the internal network do not
have any direct
connection to the Internet so they only need to maintain one Internet IP address which
makes DNS configuration easier to manage. A proxy server uses something called Network
Address Translation (NAT). This is how users on the internal network can be hidden from the
outside. NAT works as follows: when a machine behind the firewall attempts a connection
somewhere, the proxy receives the request. The proxy then changes the source address of the
packet to its own address; the destination is kept the same and the request is sent on. When a
response comes back, the translation is reversed: the source address of the response is kept the
same and the destination address is changed to that of the internal machine that made the request.
This is how the internal machines are hidden from the outside.

NAT also helps organizations with growth planning for their network. Multiple users and IP
addresses can be hidden behind one single IP address, or a few addresses, using NAT. A packet
level firewall does not use this setup. If we had a network using a packet filter with 100 users,
we would need at least 100 IP addresses: every machine on the network would have its own public
IP address. This becomes costly for a company of only 100 people, and it is also an inconvenience
for the system administrators. If you are leasing these 100 IP addresses from an ISP and they
decide to renumber your network, you now have to change 100 machines. If you decide to grow your
network, you will need to purchase additional IP addresses, which could put you on a different
network as well.

The proxy server alleviates all of these concerns. Continuing with our example of the 100-user
network, we need a minimum of only one public IP address. The internal addresses are not used on
the Internet; they are reserved for internal networks. We can set up our network as the 10.20.20.*
network, which gives us at least 253 IP addresses for the internal network, and we can assign
whatever addresses we like. All the users who contact the Internet from this network are hidden
behind the single IP address of the proxy server. We no longer have concerns about renumbering:
if our site is renumbered for some reason, it affects only one IP address, that of the proxy server
itself. The other machines on the internal network keep the same IP addresses as before. If the
network continues to grow, we can still use one public IP address and renumber the internal
machines onto a larger network; we can have as much as one entire class A network behind one
public IP address. Another useful ability of a firewall is separating your networks: you do not
have to put all of your internal machines on the same network behind the firewall.

An application level gateway represents the opposite extreme in firewall design. Rather than using
a general purpose mechanism to allow different kinds of traffic to flow, special purpose code can
be used for each desired application. Although this seems wasteful, it is likely to be far more
secure than any of the alternatives. One need not worry about interaction among different sets of
filter rules, nor about holes in thousands of hosts offering nominally secure services to the
outside. Only the chosen few programs need be scrutinized. Application gateways have another
advantage that in some environments is quite critical: it is easy to log and control all incoming
and outgoing traffic.
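The address rewriting described above, as an added example that is not code from the report: a small port-translating NAT table in Python. The public address 203.0.113.5, the 10.20.20.* internal network and the port numbers are assumed sample values.

```python
# Added example, not code from the report: a minimal port-translating NAT
# table of the kind the proxy in the text keeps. The public address, the
# 10.20.20.* internal network and all ports are constructed sample values.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"      # the firewall's single public address (constructed)
INTERNAL_PREFIX = "10.20.20."  # the private network from the text


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.out = {}   # (int_ip, int_port, dst_ip, dst_port) -> public port
        self.back = {}  # public port -> (int_ip, int_port, dst_ip, dst_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the internal network."""
        if not pkt.src_ip.startswith(INTERNAL_PREFIX):
            raise ValueError("source is not on the internal network")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:            # first packet of this flow: allocate a port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        # destination is kept, source becomes the firewall's own address
        return Packet(PUBLIC_IP, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reverse the translation for a reply; return None for anything unsolicited."""
        flow = self.back.get(pkt.dst_port)
        if pkt.dst_ip != PUBLIC_IP or flow is None:
            return None
        int_ip, int_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                     # reply from a host we never talked to: drop
        # source is kept, destination becomes the internal requesting machine
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
```

Unsolicited inbound packets, including replies from a host the internal machine never contacted, have no table entry and are dropped, which is the hiding effect the text describes.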

PROCESS

A user at A sends an HTTP request. It is not sent to the final destination but to the application
layer gateway; this results from the configuration at the client. The gateway checks whether the
transaction is authorized. Encryption may be performed. Then the HTTP request is issued again
from the gateway to B as though it originated from A. A response comes back from B, probably in
the form of a MIME header and data. The gateway may also check the data, possibly decrypt it, or
reject it. If it accepts the data and passes it on, it is sent to A as though coming from B.
Application layer gateways can be made for all application level protocols.

TYPES OF PROXY SERVERS:

APPLICATION PROXIES

SOCKS PROXIES

APPLICATION PROXY
The best example would be a person telnetting to another computer and then telnetting from there to
the outside world. With an application proxy server, the process is automated. As we telnet to the
outside world, the client sends us to the proxy first. The proxy then connects to the server we
requested (the outside world) and returns the data to us. Because proxy servers handle all the
communications, they can log everything they (we) do. For HTTP (web) proxies this includes every
URL we see; for FTP proxies it includes every file we download. They can even filter out
"inappropriate" words from the sites we visit or scan for viruses. Application proxy servers can
authenticate users: before a connection to the outside is made, the server can ask the user to log
in first. To a web user this would make every site look as if it required a login.
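The PROCESS steps and the logging and login behaviour described above, as an added Python example that is not the report's own code: a gateway that authenticates the user, enforces a site policy, logs the URL and re-issues the request as the gateway itself. The user table, the allowed host www.example.com and the name "gateway" in the Via header are assumptions.

```python
# Added example, not the report's code: the request path of an application
# level HTTP gateway as described above. The user table, the allowed site
# and the gateway name are constructed sample values.
import base64
from urllib.parse import urlsplit

USERS = {"alice": "s3cret"}            # constructed; a real gateway uses a directory
ALLOWED_HOSTS = {"www.example.com"}    # outbound policy: only these sites may be reached
LOG = []                               # every URL seen, as the text describes


def _authenticated(headers):
    """Return the user name if Proxy-Authorization carries valid Basic credentials."""
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
    except ValueError:
        return None
    return user if USERS.get(user) == pw else None


def gateway(raw: bytes):
    """Handle one client request; return (status, request to re-issue to B or None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, url, version = lines[0].split(" ", 2)
    except ValueError:
        return 400, None
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    user = _authenticated(headers)
    if user is None:                       # every site looks like it requires a login
        return 407, None
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in ALLOWED_HOSTS:
        return 403, None                   # transaction not authorized by policy
    LOG.append(f"{user} {method} {url}")
    # Re-issue the request from the gateway itself: origin-form path, the
    # client's proxy credentials stripped, and a Via header naming the gateway.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    fwd = [f"{method} {path} {version}", f"Host: {parts.netloc}"]
    fwd += [f"{k}: {v}" for k, v in headers.items()
            if k not in ("proxy-authorization", "proxy-connection", "host")]
    fwd.append("Via: 1.1 gateway")
    return 200, ("\r\n".join(fwd) + "\r\n\r\n").encode("latin-1") + body
```

The response path (inspecting B's reply before handing it to A) would sit behind the same policy object; it is left out here to keep the request path readable.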

SOCKS PROXY
A SOCKS server is like an old switchboard. It cross-wires our connection through the system to an
outside connection. Most SOCKS servers only work with TCP connections, and like filtering firewalls
they do not provide user authentication. They can, however, record where each user connected to.
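The switchboard behaviour above, as an added example rather than the report's code: the request-handling half of a SOCKS4 server in Python, which records where each user connected and applies a constructed port policy before the connection is cross-wired.

```python
# Added example, not the report's code: the request-handling half of a SOCKS4
# "switchboard". It checks the fixed 8-byte header, records where each user
# connected, applies an outbound port policy and builds the 8-byte reply.
# The policy and the sample requests in the test are constructed.
import socket
import struct

ALLOWED_PORTS = {80, 443}   # constructed policy: only web traffic is cross-wired
CONNECTIONS = []            # audit trail of (user, dst_ip, dst_port), allowed or not


def parse_socks4(data: bytes):
    """Return (dst_ip, dst_port, user) from a SOCKS4 CONNECT request or raise ValueError."""
    if len(data) < 9 or data[0] != 4:          # VN must be 4
        raise ValueError("not a SOCKS4 request")
    cmd, port, ip_raw = struct.unpack("!BH4s", data[1:8])
    if cmd != 1:                               # CD 1 = CONNECT; 2 = BIND not supported here
        raise ValueError("unsupported command")
    end = data.find(b"\x00", 8)                # USERID is NUL-terminated
    if end < 0:
        raise ValueError("user id not terminated")
    return socket.inet_ntoa(ip_raw), port, data[8:end].decode("ascii", "replace")


def socks4_reply(granted: bool, ip: str, port: int) -> bytes:
    # VN is 0 in replies; CD 90 = request granted, 91 = rejected or failed
    return struct.pack("!BBH4s", 0, 90 if granted else 91, port, socket.inet_aton(ip))


def handle(data: bytes):
    """Decide whether to relay; return (reply bytes, (ip, port) to connect to or None)."""
    try:
        ip, port, user = parse_socks4(data)
    except ValueError:
        return socks4_reply(False, "0.0.0.0", 0), None
    CONNECTIONS.append((user, ip, port))       # the switchboard logs every attempt
    if port not in ALLOWED_PORTS:
        return socks4_reply(False, ip, port), None
    return socks4_reply(True, ip, port), (ip, port)
```

The USERID field is supplied by the client and is not verified, which is exactly the "no user authentication" limitation the text notes; it is useful for the log, not for access decisions.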

ADVANTAGES (PROXY SERVER):

By not permitting application traffic directly to internal hosts:

– Information hiding: names of internal systems are not known to outside systems

– Can limit capabilities within an application

– Robust authentication and logging: application traffic can be pre-authenticated before reaching
the host and can be logged

– Cost effective: third-party software and hardware for authentication and logging are needed only
on the gateway

– Less-complex filtering rules for packet filtering routers: need to check only the destination

– More secure

DISADVANTAGES

The proxy server is, above all, a security device. Using it to increase Internet access with
limited IP addresses has many drawbacks. A proxy server will allow greater access from inside the
protected network to the outside, but will keep the inside completely inaccessible from the
outside. This means no servers, talk or archive connections, or direct mail delivery to the inside
computers. These drawbacks might seem slight, but think of it this way: you have left a report
you are working on on your computer inside a firewall-protected network. You are at home and
decide that you would like to go over it. You cannot: you cannot reach your computer because it
is behind the firewall. You try to log into the firewall first, but since everyone has proxy
server access, no one has set up an account for you on it.
Your daughter goes to college. You want to e-mail her; you have some private things to talk
about, and would rather have your mail sent directly to your machine. You trust your systems
administrator completely, but still, this is private mail. The inability to use UDP packets is a
big drawback of proxy servers. I imagine UDP capabilities will be coming shortly. FTP causes
another problem with a proxy server. When getting a file or doing an ls, the FTP server opens a
socket back to the client machine and sends the information through it. A proxy server will not
allow this, so FTP does not work well. And proxy servers run slowly: because of the greater
overhead, almost any other means of getting this access will be faster.
Basically, if you have the IP addresses and you are not worried about security, do not use a
firewall and/or proxy servers. If you do not have the IP addresses but are also not worried about
security, you might also want to look into using an IP emulator, like Term, Slirp or TIA. Term is
available from

CIRCUIT LEVEL GATEWAY

Circuit level gateways relay TCP connections. The caller connects to a TCP port on the gateway,
which connects to some destination on the other side of the gateway. During the call the gateway’s
relay program copies the bytes back and forth: the gateway acts as a wire. In some cases the
connection is made automatically. For example, we have a host outside our gateway that needs to
use an internal printer. We’ve told that host to connect to the print service on the gateway. Our
gateway is configured to relay that particular connection to the printer port on an internal
machine. We use an access control mechanism to ensure that only that one external host can connect
to the gateway’s printer service. We are also confident that this particular connection will not
provide a useful entry hole. It is almost the same as the application gateway, the application
gateway being the more application-specific of the two.

METHODS OF ATTACK

It is important to understand the nature of potential attacks on computer security. We'll briefly
describe the most important types of attacks so that you can better understand precisely what a
firewall will protect you against.

UNAUTHORIZED ACCESS

This simply means that people who shouldn't use your computer services are able to connect and
use them. For example, people outside the company might try to connect to a private server.
There are various ways to avoid this attack, all based on carefully specifying who can gain access
through these services: we can prevent network access to all except the intended users.

EXPLOITATION OF KNOWN WEAKNESSES IN PROGRAMS

Some programs and network services were not originally designed with strong security in mind
and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an
example. The best way to protect against this type of attack is to disable any vulnerable services
or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the
software.

DENIAL OF SERVICE

Denial of service attacks cause the service or program to cease functioning or prevent others from
making use of the service or program. These may be performed at the network layer by sending
carefully crafted and malicious datagrams that cause network connections to fail. They may also
be performed at the application layer, where carefully crafted application commands are given to
a program that cause it to become extremely busy or stop functioning.

Preventing suspicious network traffic from reaching your hosts and preventing suspicious
program commands and requests are the best ways of minimizing the risk of a denial of service
attack. It's useful to know the details of the attack method, so you should educate yourself about
each new attack as it gets publicized.

SPOOFING

This type of attack causes a host or application to mimic the actions of another. Typically the
attacker pretends to be an innocent host by forging IP addresses in network packets.

To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent
datagram routing with invalid source addresses. Introduce unpredictability into connection
control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.
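One way to implement the "prevent datagram routing with invalid source addresses" advice, as an added Python example that is not from the report: an ingress/egress source-address check with the 10.20.20.0/24 network from the text as the internal network. The reserved address blocks and the sample datagrams are constructed.

```python
# Added example, not from the report: an anti-spoofing source-address check
# of the kind a firewall applies on each interface. The internal network is
# the 10.20.20.* network from the text; the datagrams at the bottom are constructed.
import ipaddress

INTERNAL = ipaddress.ip_network("10.20.20.0/24")
# Address blocks that can never be a legitimate source on the outside interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def source_is_valid(iface: str, src: str) -> bool:
    """Return False when a datagram's source address cannot legitimately
    arrive on iface ("external" or "internal") and should be dropped."""
    addr = ipaddress.ip_address(src)
    if iface == "internal":
        # egress check: only our own addresses may leave the inside
        return addr in INTERNAL
    # ingress check: nothing claiming an internal or reserved source comes in
    return addr not in INTERNAL and not any(addr in net for net in BOGONS)


def audit(datagrams):
    """Apply the check to (iface, src, dst) tuples; return log lines for drops."""
    drops = []
    for iface, src, dst in datagrams:
        if not source_is_valid(iface, src):
            drops.append(f"DROP {iface} src={src} dst={dst} (spoofed source)")
    return drops


# constructed traffic: a genuine reply, an outside packet claiming an internal
# source, a normal outbound packet, and an inside host using a forged outside source
SAMPLE = [
    ("external", "198.51.100.9", "203.0.113.5"),
    ("external", "10.20.20.7", "10.20.20.1"),
    ("internal", "10.20.20.7", "198.51.100.9"),
    ("internal", "198.51.100.9", "10.20.20.1"),
]
```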

FUTURE FIREWALLS AND IPv6

There are a number of challenges facing firewall designers either now or in the near future.
These include:

1. Speed of operation. As networks run faster, the processing requirements grow. This may imply
firewalls running in silicon, not software.

2. More application layer processing. Rather than IP-layer filtering, more application layer
filtering will be required, beyond the current HTTP, FTP and SMTP. Firewalls will need to
understand and handle new protocols that may have special requirements, e.g. new multimedia
streaming applications.

3. Co-operative firewalls. As performance issues become more important, it is likely that we will
see co-operating firewall “farms” deployed. Firewalls may share the “proxying” load for
applications where such an approach is required, or where stateful handling of communications is
beneficial (e.g. application layer virus scanning).

4. The always-on Internet. More Internet devices will become “always-on”, be they mobile IP-based
devices or devices in the home. Staff and students on campus will wish to communicate securely
but freely with these devices.

Firewall technology is improving rapidly, but at the same time the goalposts are moving…

IPv6
The next generation Internet Protocol, IPv6 [V6F], is primarily aimed at offering a bigger address
space to enable new IP-based applications, such as IP-based cellular phone devices. IPv6 offers
128-bit addresses instead of IPv4’s 32-bit addresses. The onset of pervasive computing, bringing
new innovative IP devices both at work and in the home, will demand the address space that IPv6
offers. The use of Network Address Translation (NAT) is a stopgap measure that offers sites with
more hosts than IP addresses a way to get connected, but NAT won’t scale beyond the immediate
future. IPv6 will make backbone IP routing more efficient through hierarchical aggregated
addressing principles. It will make IP device management simpler through advanced
auto-configuration options. IPv6 is in experimental use today on the majority of the major
academic networks in the world (e.g. Internet 2, Renater, DFN, WIDE, ACOnet, SURFnet), and has
support in products from the major router and OS vendors, including Cisco (IOS), Microsoft
(Windows 2000) and
While production use of IPv6 may be a few years away, it is prudent to start preparing now by
running test networks and developing trial applications. IPv6 is a technology that will be used in
production networks in the near future; firewall manufacturers have as yet been slow to react to
the recent acceleration in IPv6 support from the router and OS developers.

CONCLUSION
The firewall is an integral part of any security program, but it is not a security program in and of
itself. Security involves data integrity (has it been modified?), service or application integrity (is
the service available, and is it performing to spec?), data confidentiality (has anyone seen it?) and
authentication (are they really who they say they are?). Firewalls only address the issues of data
integrity, confidentiality and authentication of data that is behind the firewall. Any data that
transits outside the firewall is subject to factors out of the control of the firewall. It is therefore
necessary for an organization to have a well planned and strictly implemented security program
that includes but is not limited to firewall protection.

Seminar report
on

Bluetooth

Guided by
Prof. Arpit Patel

Submitted by
Dishank Shah (120460116045)
5th I.T.

UNIVERSAL COLLEGE OF ENGINEERING & TECH.

UNIVERSAL COLLEGE OF ENGINEERING & TECH.

CERTIFICATE

This is to certify that SHAH DISHANK, studying in Sem V of B.E. Information Technology with
Roll No. 45, has completed his seminar on the following topic successfully.

Topic Name : FIREWALL

Staff In-charge                        Head of Dept.

Date : ___________

UNIVERSAL COLLEGE OF ENGINEERING & TECH.

ACKNOWLEDGEMENT
I hereby take the opportunity to express my gratitude towards all faculty members and our
seniors who have guided and directed me at every moment to fulfill my task and produce this work
in front of you. I sincerely thank Mr. Pratik Patel (H.O.D. of Information Technology) for his
wholehearted support and the cooperation of Mr. Arpit Patel in producing the subject matter. I
hope you will undoubtedly find the matter interesting and informative as well.

I hereby take this opportunity to thank everyone who has directly or indirectly helped me in
preparing my seminar on FIREWALL.

At last, thanks to all readers for their keen interest in my work.

Mr. Shah Dishank J. (Roll No. 45)

(5th Sem Information Technology)

Today's Internet security threats range from curious prowlers to well-organized, technically
knowledgeable intruders who could gain access to your site's private information or interfere with
your (or your clients') use of your own systems. The number and sophistication of these threats
grow each year, just like the Internet itself.
