
Information Security

Lecture 09A
Firewalls
Taseer Suleman
taseersuleman@lgu.edu.pk
Outline
 Firewall
 Types of Firewalls
 Simple Packet Filter
Firewalls: Motivation

 Due to the Internet, any computer can be connected to any
other computer in the world, a great advantage to
individuals and corporations alike.
 The protection of a corporate network therefore becomes a
challenge. At a broad level, there are two kinds of
attacks (Fig. Next Slide):
 Leakage of critical information from the corporate network
to competitors, a great setback
 Malicious attacks (viruses, worms, etc.) on the corporate
network from outsiders to create havoc
Firewalls: Motivation
Firewall

 A firewall is a device used to secure the connection between
one computer or network and another computer or network.
It can be implemented in software, in hardware, or in a
combination of both.
 A firewall is installed between the internal network of an
organization and the rest of the Internet (Fig. Next Slide)
 All traffic between the network and the Internet, in either
direction, must pass through the firewall
 The firewall decides whether the traffic is allowed to flow or
must be stopped from proceeding further
Firewall
Firewall: Hardware
Types of Firewall

 Simple Packet Filters
 Stateful Packet Filtering
 Application Layer Proxies
Simple Packet Filters
Simple Packet Filter Firewall

 As the name suggests, a packet filter firewall screens every
packet passing through the firewall. The packet filter
applies a set of rules to each packet and, based on the
outcome, decides either to forward or to discard the packet. It
is also called a screening router or screening filter
 A firewall can be used as a packet filter
Simple Packet Filter Firewall

 A packet-filter firewall is simply a router that uses a
filtering table to decide which packets must be
discarded (not forwarded). The filtering rules are based
on a number of fields at the network or transport level
 It can forward or block packets based on the
information in the network layer: source and
destination IP addresses
 It can forward or block packets based on the
information in the transport layer: source and
destination port addresses and type of protocol (TCP
or UDP)
Configuration of a Packet Filter Firewall
 Packet filters usually permit or deny network traffic
based on:
 Source and destination IP addresses
 Protocols, such as TCP, UDP, or ICMP
 Source and destination ports and ICMP types and codes
 Flags in the TCP header, such as whether the packet is a
connect request
 Direction (inbound or outbound)
 Which physical interface the packet is traversing
Configuration of a Packet Filter Firewall
 The rules specified in the packet filter work as follows:
 A: Incoming packets from network 131.34.0.0 are blocked (security
precaution). Note that the * (asterisk) means “any”
 B: Incoming packets destined for any internal TELNET server (port
23) are blocked.
 C: Incoming packets destined for internal host 194.78.20.8 are
blocked. The organization wants this host for internal use only
 D: Outgoing packets from/to an HTTP server (port 80) are blocked.
The organization does not want employees to browse the Internet
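As an added example (not from the lecture), rules A-D above expressed as a first-match packet filter; the slide gives no subnet mask for 131.34.0.0, so /16 is assumed, and the `Packet` type and sample addresses are constructed for illustration:

```python
# Added example: a minimal first-match packet-filter rule table implementing
# rules A-D from the slide. "*" means "any", as on the slide.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    direction: str            # "in" (from the Internet) or "out" (to the Internet)
    src_ip: str
    dst_ip: str
    proto: str                # "TCP", "UDP" or "ICMP"
    src_port: Optional[int]   # None for ICMP
    dst_port: Optional[int]

# Each rule: (direction, src_net, dst_net, proto, src_port, dst_port, action)
RULES = [
    # A: block incoming packets from network 131.34.0.0 (mask not on the slide; /16 assumed)
    ("in",  "131.34.0.0/16", "*",           "*",   "*", "*", "deny"),
    # B: block incoming packets destined for any internal TELNET server (port 23)
    ("in",  "*",             "*",           "TCP", "*", 23,  "deny"),
    # C: block incoming packets destined for internal host 194.78.20.8
    ("in",  "*",             "194.78.20.8", "*",   "*", "*", "deny"),
    # D: block outgoing packets from/to an HTTP server (port 80), either direction of the port
    ("out", "*",             "*",           "TCP", 80,  "*", "deny"),
    ("out", "*",             "*",           "TCP", "*", 80,  "deny"),
    # default: anything not matched above is forwarded
    ("*",   "*",             "*",           "*",   "*", "*", "permit"),
]

def _match_net(pattern, ip):
    """Address pattern: '*' or a network/host in CIDR notation."""
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _match(pattern, value):
    """Scalar pattern: '*' or an exact value (a port pattern never matches a missing port)."""
    return pattern == "*" or pattern == value

def filter_packet(pkt):
    """Return the action of the first rule that matches (first-match semantics)."""
    for direction, src, dst, proto, sport, dport, action in RULES:
        if (_match(direction, pkt.direction) and _match_net(src, pkt.src_ip)
                and _match_net(dst, pkt.dst_ip) and _match(proto, pkt.proto)
                and _match(sport, pkt.src_port) and _match(dport, pkt.dst_port)):
            return action
    return "deny"   # unreachable with the default rule above, but safe if it is removed
```

Rule order matters: because evaluation stops at the first match, the permit-all default must stay last, which is one of the ways "easy to make mistakes when creating rules" shows up in practice.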
Packet Filter Firewall: Advantages & Disadvantages
 Advantages:
 Fast, simple, transparent

 Disadvantages:
 Cannot prevent attacks on specific application
weaknesses
 Limited logging capabilities
 Typically no support for user authentication
 Easy to make mistakes when creating rules
Packet Filter Firewall: Vulnerabilities
 Packet filter firewalls are vulnerable to the following
attacks:
 IP spoofing
 Source address routing
 Tiny fragment attacks
Packet Filter Firewall: IP Spoofing
 An intruder outside the network sends packets to the internal
corporate network using one of the internal IP addresses
as the source address. The attacker hopes that the use of a
spoofed address will allow penetration of systems that
employ simple source-address security, in which packets from
specific trusted internal hosts are accepted

 Countermeasure?
 Discard all incoming packets (arriving from the outside) whose source address equals
one of the internal addresses
Packet Filter Firewall: Source Address Routing
 Source routing has two variations:
 Loose: The attacker specifies a list of IP addresses
through which a packet must travel. However, the
packet may also travel through additional routers
that interconnect the IP addresses specified in the list
 Strict: The IP addresses in the list specified by the
attacker are the only IP addresses through which the
packet is allowed to travel
Packet Filter Firewall: Source Address Routing
 Loose Source Record Route
 An intruder specifies the route the packet should take as it
crosses the Internet, in the hope that this will bypass security
measures that do not analyze source routing information

 Normal traffic flow from the attacker to the server goes via "router
a", "router b", "router c", the firewall and finally to the victim; this is
the standard scenario for routing traffic over the Internet
Packet Filter Firewall: Source Address Routing
 Strict Source Record Route
 By exploiting source routing, the route could be made to go via "router a",
"router b", "trusted host", the firewall and finally to the
victim, using the source IP of the trusted host

 Countermeasure?
The countermeasure is to discard all packets that use this option

 If the external trusted host is allowed through the firewall ruleset
based on source IP address, the attacker could bounce off this
host in order to gain access to the internal network. This attack
works because the trusted host retransmits the packet using its own IP
address as the source address.
Packet Filter Firewall: Tiny Fragment Attacks
 Fragmentation of packets is required when an IP packet is
greater than the maximum frame size of the network (called
the Maximum Transmission Unit or MTU)
 The tiny fragment attack is staged by sending an IP packet
whose first fragment is so small that it contains only the source
and destination port information for TCP, not the TCP
flags. These are sent in the next fragment
 Therefore, if the access list is based on TCP flags such as
SYN=0 or 1 or ACK=1 or 0, it cannot test the first fragment
 If the first fragment passes, most network devices do not check
the remaining fragments
 An intruder can exploit this feature of the TCP/IP protocol
suite to intentionally create tiny fragments, in the hope that
only the first fragment is examined and not the remaining
fragments
 Countermeasure?
 Discard all packets where the upper layer protocol type
is TCP and the packet is fragmented
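As an added example (not from the lecture), the three countermeasures from the IP spoofing, source address routing and tiny fragment slides applied as ingress checks on the firewall's Internet-facing interface; the internal address range, the simplified `Packet` model and the sample packets are constructed assumptions:

```python
# Added example: ingress checks implementing the three countermeasures the
# slides give, evaluated on constructed packets arriving from the Internet.
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Assumed internal address range of the organisation (not from the slides).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class Packet:
    src_ip: str
    proto: str                        # "TCP", "UDP" or "ICMP"
    options: List[str] = field(default_factory=list)  # IP options present, e.g. ["LSRR"]
    more_fragments: bool = False      # MF bit of the IP header
    frag_offset: int = 0              # fragment offset field (8-byte units)
    transport_len: int = 20           # bytes of transport header carried in this fragment

def tcp_flags_visible(pkt):
    """The TCP flags live in byte 13 of the TCP header, so only a first
    fragment carrying at least 14 transport bytes can be matched on SYN/ACK."""
    return pkt.frag_offset == 0 and pkt.transport_len >= 14

def ingress_check(pkt):
    """Return "permit", or "deny: <reason>" naming the first check that fails."""
    # 1. IP spoofing: a packet arriving from the Internet must never carry an
    #    internal source address (such addresses only originate inside).
    if any(ipaddress.ip_address(pkt.src_ip) in net for net in INTERNAL_NETS):
        return "deny: internal source address on external interface"
    # 2. Source address routing: discard anything carrying the loose (LSRR)
    #    or strict (SSRR) source-route option, as the slide prescribes.
    if "LSRR" in pkt.options or "SSRR" in pkt.options:
        return "deny: source-route option present"
    # 3. Tiny fragments: the slide's countermeasure drops every fragmented TCP
    #    packet, because a flag-based rule cannot evaluate a first fragment
    #    that is too short to hold the flags (see tcp_flags_visible).
    if pkt.proto == "TCP" and (pkt.more_fragments or pkt.frag_offset > 0):
        return "deny: fragmented TCP"
    return "permit"
```

Note that check 3 also drops legitimately fragmented TCP traffic, which is the trade-off the slide's blanket rule accepts in exchange for never having to reason about an incomplete TCP header.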
