Prof. J. Liefert Book Notes CSC-116 FALL 2019

Test #2: Chapters 5, 6, 7, and 8

Chapter 6 - Firewalls

1. Firewalls
A firewall prevents specific types of information from moving between the outside world, known
as the untrusted network (the Internet), and the inside world, known as the trusted network
(the intranet).

Firewall Categorization Methods


Processing mode
Packet filtering
Examine header information of data packets
Functions at the IP level, network layer 3
Filters on destination address, source address, packet type
Address restrictions
Rules designed to prohibit packets with certain addresses or
partial addresses from passing through the device
Static filtering
It requires that the filtering rules governing how the firewall
decides which packets are allowed and which are denied are
developed and installed in advance
Dynamic filtering
It allows the firewall to react to an emergency event and
update or create rules to deal with the event
Stateful inspection
Keeps track of each network connection between internal
and external systems by using a state table. It can block
incoming packets that are not responses to internal requests
Application gateways, application firewall, proxy server
It acts as a proxy for a service request, like a middleman,
so that requests never reach the actual machine directly. It adds
an extra layer of security protection
Circuit gateways
It prevents direct connections between 2 networks. It creates
tunnels connecting specific traffic processes or systems on each side
of the firewall, and then only allows authorized traffic in the tunnel
Operates at the transport layer 4
MAC layer
It checks the specific host computer’s identity via the MAC address
and can use these addresses in the ACL rules
Operates at the data link or media access control layer 2
Hybrids
Simply combines the elements of other types of firewalls
Development era generation
First generation
Static packet filtering, simple, inspect packet header
Second generation
Application-level, provide intermediate services to requestors
Third generation
Stateful inspection, monitor network connections between internal
and external systems using state tables
Fourth generation
Dynamic packet filtering, only allow particular packets
Fifth generation
Kernel proxy, evaluates packets at multiple layers of the protocol
stack by checking security in the kernel as data is passed up and
down the stack
Structure
Commercial-grade appliances
Stand-alone, self-contained combinations of computing hardware
and software
Commercial-grade systems
Application software that is configured for the requirements of the
firewall application and running on a general-purpose computer
Small office / home office (SOHO) residential-grade appliances
Broadband gateways or DSL / cable modem routers
Stateful firewalls that enable inside-to-outside access
Can be configured to allow limited TCP / IP port forwarding and /
or screened subnet capabilities
Packet filtering, plus wireless access points (WAPs) and LAN switches
Network address translation (NAT) capable
Residential-grade software
These are the Zone Alarm types of software based firewalls
Software vs. hardware: the SOHO firewall debate
The author of the book believes a hardware-based NAT solution is better
than a software-based solution
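
Added example (my code, not the textbook's or these notes'): a minimal stateful inspection engine built around the state table described above. It records every connection an inside host opens and admits an inbound packet only if it is the reverse direction of a recorded connection, so an unsolicited packet is refused even when it is aimed at a high port. Addresses are constructed: 10.10.10.0/24 is taken as the trusted network, as in the chapter's rule tables, and the outside hosts are RFC 5737 documentation addresses.

```python
# Added example, not from the textbook or these notes: stateful inspection
# with a state table. Addresses are constructed (trusted net 10.10.10.0/24,
# outside hosts from the RFC 5737 documentation ranges).
from dataclasses import dataclass
from typing import List

TRUSTED_PREFIX = "10.10.10."   # assumed trusted network prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr: str) -> bool:
    return addr.startswith(TRUSTED_PREFIX)


class StatefulFilter:
    """Allows outbound connections, records them, and admits inbound packets
    only when they travel the reverse direction of a recorded connection."""

    def __init__(self) -> None:
        # the state table: one 5-tuple per connection opened from inside
        self.state = set()

    def decide(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):
            # outbound: remember the connection so its replies can come back
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        if not is_internal(p.src) and is_internal(p.dst):
            # inbound: only a response to an internal request gets through,
            # no matter which port it is aimed at
            reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "allow" if reverse in self.state else "deny"
        # traffic that does not cross the trust boundary is not decided here
        return "deny"

    def close(self, p: Packet) -> None:
        # drop the entry once the internal side tears the connection down,
        # so a later packet reusing the same ports is treated as new
        self.state.discard((p.proto, p.src, p.sport, p.dst, p.dport))


def demo() -> List[str]:
    fw = StatefulFilter()
    request = Packet("10.10.10.20", 51000, "198.51.100.7", 443)
    reply = Packet("198.51.100.7", 443, "10.10.10.20", 51000)
    # unsolicited inbound packet to the same high port from a different host
    intruder = Packet("203.0.113.9", 443, "10.10.10.20", 51000)
    results = [fw.decide(request), fw.decide(reply), fw.decide(intruder)]
    fw.close(request)
    results.append(fw.decide(reply))   # stale reply after the connection closed
    return results
```

Running demo() gives allow, allow, deny, deny: the request is recorded, its reply is matched against the table, the unsolicited packet to the same port is refused, and once the connection is closed even a genuine-looking reply is refused. A static filter cannot make the third distinction; it has to approximate "responses to internal requests" with a port-range rule.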

Firewall Architectures
3 factors
1. the objectives of the network
2. the organization’s ability to develop and implement the architectures
3. the budget available for the function
4 common architectural implementations
Packet filtering routers
Normally a router between the organization’s internal network and
the external network provider
Rejects packets that the organization does not want
Screened host firewalls
Bastion host or sacrificial host
A separate machine dedicated as the firewall
Better security because a break-in requires getting through 2 machines

Dual-homed firewalls
The host contains 2 Network Interface Card (NIC) interfaces
One is connected to the internal network and one to the external
network
Uses NAT most of the time
Translation between many different protocols
Ethernet
Token Ring
Fiber Distributed Data Interface (FDDI)
Asynchronous Transfer Mode (ATM)
Screened subnet firewalls (with DMZ)
A filtering router protects the DMZ, which contains the proxy servers;
a second filtering router behind them protects the trusted network.
This way the DMZ becomes one level of protection and the proxy
servers serve as another
SOCKS Servers
SOCKS is the protocol for handling TCP traffic through a proxy
server
It is a proprietary circuit-level proxy server that places special
SOCKS client-side agents on each workstation
This places the filtering device on the workstation instead of having
a single point of defense and single point of failure
Selecting the right firewall
Factors and questions to consider
1. What type of firewall technology offers the right balance between
protection and cost for the needs of the organization?
2. What features are included in the base price? What features are
available at extra cost? Are all costs factors known?
3. How easy is it to set up and configure the firewall? How accessible are
the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target
organization?
Cost is the second most important issue
Configuring and managing firewalls
Each device should have its own set of rules that regulate its actions
Best practices for firewalls
All traffic from trusted network is allowed out
Firewall is never directly accessible from the public network for configuration and
management purposes
Simple Mail Transfer Protocol (SMTP) data is allowed through
All Internet Control Message Protocol (ICMP) data is denied (ping)
Telnet access to the internal network from the public network is denied
HTTP traffic should use some form of proxy or DMZ architecture

Firewall rules
SA SP DA DP Action
(SA = source address, SP = source port, DA = destination address, DP = destination port)
Rule set 1
Any Any 10.10.10.0 >1023 Allow

Any packet headed for the internal network with port 1024 or greater can
come in. Responses to internal requests are allowed
Rule set 2
Any Any 10.10.10.1 Any Deny
Any Any 10.10.10.2 Any Deny
10.10.10.1 Any Any Any Deny
10.10.10.2 Any Any Any Deny
Stops all traffic to the firewall from internal or external networks. This
means you must sit at the console to access the firewall itself. The firewall
device itself is never accessible directly from the public network
Rule set 3
10.10.10.0 Any Any Any Allow
All traffic from the trusted network is allowed out
Rule set 4
Any Any 10.10.10.6 25 Allow
All Simple Mail Transfer Protocol (SMTP) packets are allowed in but are
routed to a well-configured SMTP gateway at 10.10.10.6
Rule set 5
10.10.10.0 Any Any 7 Allow
Any Any 10.10.10.0 7 Deny
All Internet Control Message Protocol (ICMP) data is denied; these are
ping requests
Rule set 6
10.10.10.0 Any 10.10.10.0 23 Allow
Any Any 10.10.10.0 23 Deny
Telnet access to all internal servers from the public network should be blocked.
Note: Telnet is sometimes allowed from the internal network for OA&M
Rule set 7a
Any Any 10.10.10.4 80 Allow
Allows all HTTP traffic to get to the Web server 10.10.10.4
Rule set 7b
Any Any 10.10.10.5 80 Allow
Allows all HTTP traffic to go to the proxy server
Rule set 7c
10.10.10.5 80 192.168.2.4 80 Allow
Allows all HTTP traffic to go from the proxy server to the internal Web
server
Rule set 8
Any Any Any Any Deny
The cleanup rule. Deny everything that does not fit one of the rules above
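
Added example (my code, not the textbook's or these notes'): the rule sets above loaded into a first-match packet filter, so each rule's effect can be checked against sample packets. Rule set 5 is kept with port 7 exactly as the notes give it; in real firewall grammars ICMP is matched by protocol, since ICMP has no port numbers. The address 10.10.10.0 is read as the whole /24, which is how the table uses it. Outside host addresses in the samples are constructed from the RFC 5737 documentation ranges.

```python
# Added example, not from the textbook or these notes: the chapter's rule sets
# as a first-match packet filter. Rule set 5 keeps port 7 as written in the
# notes (real filters match ICMP by protocol; ICMP has no ports).
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(pattern: str, addr: str) -> bool:
    # "Any" matches all; an address ending in .0 is read as the whole /24,
    # which is how the table uses 10.10.10.0 for the trusted network
    if pattern == "Any":
        return True
    if pattern.endswith(".0"):
        return addr.startswith(pattern[:-1])
    return addr == pattern


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "Any":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


# (SA, SP, DA, DP, Action), in the order the notes list the rule sets
RULES = [
    ("Any", "Any", "10.10.10.0", ">1023", "Allow"),     # 1: high-port replies in
    ("Any", "Any", "10.10.10.1", "Any", "Deny"),         # 2: nothing to or from
    ("Any", "Any", "10.10.10.2", "Any", "Deny"),         #    the firewall's own
    ("10.10.10.1", "Any", "Any", "Any", "Deny"),         #    addresses
    ("10.10.10.2", "Any", "Any", "Any", "Deny"),
    ("10.10.10.0", "Any", "Any", "Any", "Allow"),        # 3: trusted net out
    ("Any", "Any", "10.10.10.6", "25", "Allow"),         # 4: SMTP gateway
    ("10.10.10.0", "Any", "Any", "7", "Allow"),          # 5: as written in the
    ("Any", "Any", "10.10.10.0", "7", "Deny"),           #    notes (port 7)
    ("10.10.10.0", "Any", "10.10.10.0", "23", "Allow"),  # 6: Telnet
    ("Any", "Any", "10.10.10.0", "23", "Deny"),
    ("Any", "Any", "10.10.10.4", "80", "Allow"),         # 7a: web server
    ("Any", "Any", "10.10.10.5", "80", "Allow"),         # 7b: proxy
    ("10.10.10.5", "80", "192.168.2.4", "80", "Allow"),  # 7c: proxy -> internal web
    ("Any", "Any", "Any", "Any", "Deny"),                # 8: cleanup, must stay last
]


def decide(p: Packet) -> Tuple[str, int]:
    """Return (action, 1-based number of the first rule that matched)."""
    for i, (sa, sp, da, dp, action) in enumerate(RULES, start=1):
        if (_addr_match(sa, p.src) and _port_match(sp, p.sport)
                and _addr_match(da, p.dst) and _port_match(dp, p.dport)):
            return action, i
    raise RuntimeError("unreachable: the cleanup rule matches everything")


OUTSIDE = "203.0.113.9"   # constructed external host

SAMPLE = {
    "http_to_web_server": Packet(OUTSIDE, 40000, "10.10.10.4", 80),
    "smtp_to_gateway": Packet(OUTSIDE, 40000, "10.10.10.6", 25),
    "telnet_from_public": Packet(OUTSIDE, 40000, "10.10.10.20", 23),
    "inside_to_https": Packet("10.10.10.20", 50000, "198.51.100.7", 443),
    "ssh_to_firewall": Packet(OUTSIDE, 40000, "10.10.10.1", 22),
    "smb_to_host": Packet(OUTSIDE, 40000, "10.10.10.20", 445),
    # rule 1 admits anything bound for a high port: that is its intent for
    # replies (3389 below), but it also reaches the firewall's own address
    # (8080) before rule 2 is ever consulted, so order decides the outcome
    "high_port_to_host": Packet(OUTSIDE, 40000, "10.10.10.20", 3389),
    "high_port_to_firewall": Packet(OUTSIDE, 40000, "10.10.10.1", 8080),
    # rule 7c is shadowed: rule 3 already allows everything from 10.10.10.0
    "proxy_to_internal_web": Packet("10.10.10.5", 80, "192.168.2.4", 80),
}


def evaluate() -> dict:
    return {name: decide(p) for name, p in SAMPLE.items()}
```

Two things the run makes visible that the prose does not: with first-match evaluation, the position of a rule matters as much as its content (the high-port packet addressed to the firewall is allowed by rule set 1 before rule set 2 can deny it, and rule set 7c is never reached because rule set 3 allows the proxy's traffic first), and the cleanup rule only does its job if it is the final entry. Reviewing a rule base for shadowed and out-of-order rules is part of "each device should have its own set of rules".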

Content filters
It is a software filter, technically not a firewall, that allows administrators to
restrict access to content from within a network
Also known as reverse firewalls because their primary focus is to restrict internal
access to external material

2. Protecting Remote Connections

Dial-Up
This is networking that uses a regular phone line
War dialer
It is an automatic phone dialing program that dials every phone number
within a range such as 732.566.1000 to 732.566.5000. It checks for a
modem to answer and, when one does, it makes a note of it
RADIUS and TACACS
These are systems that authenticate the credentials of users who are trying to
access an organization’s network via a dial-up connection

Remote Authentication Dial-In User Service (RADIUS)


Uses a central RADIUS server for central management
Terminal Access Controller Access Control System (TACACS)
Uses a client / server configuration but contains a central database

Securing authentication with Kerberos


It uses symmetric key encryption to validate an individual user to various network
resources. Private keys are stored in the Kerberos database and the user’s
encrypted password is just sent to the server
It has 3 main systems
Authentication Server (AS)
Key Distribution Center (KDC)
Ticket Granting Service (TGS)
Ticket
It is an identification card for a particular client that verifies
to the server that the client is requesting services and that
the client is a valid member of the Kerberos system and
therefore authorized to receive services
4 basic principles
• KDC knows all secret keys of all clients and servers
• KDC initially exchanges information with the client and server by using
these keys
• Kerberos authenticates a client to a requested service on a server
through TGS and by issuing temporary session keys for
communications between the client and KDC, the server and KDC, and
the client and server
• Communications then take place between the client and server using
these temporary session keys
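
Added example (my code, not the textbook's or these notes'): the three Kerberos exchanges (client to AS, client to TGS, client to server) carried out with symmetric keys, one step for each of the four principles. seal and open_sealed are a toy authenticated cipher (SHA-256 keystream plus an HMAC tag) standing in for the real symmetric cipher Kerberos uses; the principal names "alice" and "fileserver", the keys and the ticket lifetime are constructed values.

```python
# Added example, not from the textbook or these notes: a toy Kerberos flow.
# seal/open_sealed is a stand-in cipher for demonstration, not a real one.
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 600  # seconds; an assumed value, not from the notes

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a dict: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

class KDC:
    # knows every client's and server's secret key (principle 1) and hosts
    # both the Authentication Server (AS) and the Ticket Granting Service
    def __init__(self, keys: dict) -> None:
        self.keys = keys               # principal name -> long-term secret key
        self.tgs_key = os.urandom(32)  # the TGS's own secret key

    def authentication_server(self, client: str):
        # AS reply: a TGS session key the client can read only with its own key,
        # plus a ticket-granting ticket (TGT) only the TGS can open (principle 2)
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(),
                                  "exp": time.time() + TICKET_LIFETIME})
        return seal(self.keys[client], {"tgs_session": session.hex()}), tgt

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS checks the TGT and the authenticator, then issues a service ticket
        # under the server's key and a client-server session key (principle 3)
        t = open_sealed(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("expired TGT")
        if open_sealed(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(),
                                           "exp": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"svc_session": svc_session.hex()}), ticket

def client_obtain_ticket(kdc: KDC, client: str, client_key: bytes, service: str):
    reply, tgt = kdc.authentication_server(client)
    tgs_session = bytes.fromhex(open_sealed(client_key, reply)["tgs_session"])
    authenticator = seal(tgs_session, {"client": client, "ts": time.time()})
    reply2, ticket = kdc.ticket_granting_service(tgt, authenticator, service)
    svc_session = bytes.fromhex(open_sealed(tgs_session, reply2)["svc_session"])
    return svc_session, ticket

def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    # the server never contacts the KDC: the ticket is trusted because only the
    # KDC knows the server's key, and the authenticator proves the client holds
    # the session key carried inside that ticket (principle 4)
    t = open_sealed(server_key, ticket)
    auth = open_sealed(bytes.fromhex(t["key"]), authenticator)
    return auth["client"] == t["client"] and t["exp"] > time.time()

def _raises(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False

def demo() -> dict:
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}  # constructed
    kdc = KDC(keys)
    svc_session, ticket = client_obtain_ticket(kdc, "alice", keys["alice"], "fileserver")
    authenticator = seal(svc_session, {"client": "alice", "ts": time.time()})
    tampered = ticket[:20] + bytes([ticket[20] ^ 0x01]) + ticket[21:]
    return {
        "accepted": server_accept(keys["fileserver"], ticket, authenticator),
        # a client holding the wrong key cannot even read the AS reply
        "wrong_key_rejected": _raises(
            lambda: client_obtain_ticket(kdc, "alice", os.urandom(32), "fileserver")),
        # a ticket altered in transit fails the server's integrity check
        "tampered_ticket_rejected": _raises(
            lambda: server_accept(keys["fileserver"], tampered, authenticator)),
    }
```

The point to take from the run is where each key lives: the client's long-term key is used exactly once, to open the AS reply, and everything after that rides on short-lived session keys; the server never sees the client's key and never talks to the KDC, which is why the ticket carries an expiry and why its integrity has to be protected.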

Sesame
It is the same as Kerberos except that the user receives a token
The token is presented to gain access to the systems via a Privilege Attribute
Certificate (PAC)

3. Virtual Private Networks (VPNs)


It is a private and secure network connection between systems that uses the data
communication capability of an unsecured public network
Trusted VPN

Uses leased circuits from a service provider and conducts packet switching over
these circuits. You must trust the service provider
Secure VPN
Uses security protocols and encrypts traffic transmitted across unsecured public
networks like the Internet
Hybrid VPN
Combines the two above
Encapsulation
One packet is put in the frames of another during transmission
Encryption
Keeps contents private while transmitting over public network
Authentication
Must check that the user is really who they claim to be
Transport mode
The data part of the IP packet is encrypted but not the header
2 main uses
End-to-end transport of encrypted data
Remote access worker gets on to company network and is allowed to work
as if they were part of the LAN at work
Tunnel mode
The entire packet is encrypted between the 2 tunnel servers, which send the
packet over the unsecured part of the network. The tunnel servers are not the
final destination, so if the packet is captured the true destination is never revealed
