FIREWALL

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. The firewall itself must be immune to penetration.
It is a device or set of devices configured to permit or deny network transmissions based on a set of rules and other criteria. It can also hide internal addresses from Internet hackers; this is called NAT (network address translation). Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, and they can also raise alarms on abnormal behaviour. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.

Limitations of FIREWALL
Cannot protect from attacks that bypass it
Cannot protect against internal threats, e.g. a disgruntled employee
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types

Packet Filter Firewall

Filters individual packets based (only) on information contained in the packet header itself, commonly using a combination of the packet's source and destination address, its protocol and, for TCP and UDP traffic, the port number. Packet filtering firewalls are configured with rules: when a packet originates from the sender and passes through the firewall, the device checks it against the packet filtering rules configured in the firewall and accepts, drops or rejects the packet accordingly. This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"), and it does not inspect the content (payload) of the packet.

Attacks On Packet Filter Firewall

IP address spoofing - Fake the source address to be a trusted one.
Countermeasure: Discard packets with an inside source address arriving on an external interface.

Source routing attacks - Source routing is a method that can be used to specify the route that a packet should take through the network. In source routing the path through the network is set by the source (or a device) that tells the network the desired path. It is assumed that the source of the packet knows the layout of the network and can specify the best path for the packet. Source routing can be abused by an attacker to get data to a machine that would not normally be reachable.
Countermeasure: Block source-routed packets.

Tiny fragment attacks - Split the header information over several tiny packets to circumvent rules that depend on TCP header information.
Countermeasure: Either discard tiny fragments or reassemble the packet before checking it.
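As an added illustration (not from the slides), the following Python model of a stateless packet filter applies the three countermeasures above: it drops packets whose source claims an inside address (the constructed 192.168.1.0/24) but that arrive on the external interface, drops source-routed packets, and holds fragments until the whole header is visible before applying the port rules. The Packet fields, interface names and allow list are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.168.1.0/24")                # constructed: the protected internal range
ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 25)}     # constructed: permitted (protocol, port)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None     # None when fragmentation cut the port field off
    iface: str = "ext"              # "ext" = external interface, "int" = internal
    source_routed: bool = False     # IP source-route option present
    frag_id: Optional[int] = None   # IP identification, set only on fragments
    last: bool = True               # False while more fragments of this id follow


class PacketFilter:
    """Stateless filter: each decision uses only header fields plus fragment reassembly."""

    def __init__(self):
        self.pending = {}           # frag_id -> header fields gathered so far

    def filter(self, pkt: Packet) -> str:
        # Countermeasure 1: an inside source address cannot legitimately arrive from outside.
        if pkt.iface == "ext" and ip_address(pkt.src) in INSIDE:
            return "DROP anti-spoofing"
        # Countermeasure 2: never honour a sender-chosen path.
        if pkt.source_routed:
            return "DROP source-routed"
        # Countermeasure 3: judge fragments only once the whole header is visible.
        if pkt.frag_id is not None:
            return self._reassemble(pkt)
        return self._check_rules(pkt)

    def _reassemble(self, pkt: Packet) -> str:
        part = self.pending.setdefault(
            pkt.frag_id, Packet(pkt.src, pkt.dst, pkt.proto, iface=pkt.iface))
        if pkt.dport is not None:   # this fragment carried the port field
            part.dport = pkt.dport
        if not pkt.last:
            return "HOLD fragment"
        return self._check_rules(self.pending.pop(pkt.frag_id))

    def _check_rules(self, pkt: Packet) -> str:
        return "ACCEPT" if (pkt.proto, pkt.dport) in ALLOW else "DROP no rule"
```

A filter that judged the first tiny fragment on its own would see no port and could let the reassembled packet reach a port no rule permits; deferring the decision until the port field arrives closes that gap.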

Stateful Packet Firewall

E.g. permit an HTTP data connection from outside the firewall to inside, provided the corresponding control connection from inside to outside is still open between the same machines and on the expected ports.

Pure packet filters are stateless: they have no memory of previous packets, which makes them vulnerable to spoofing attacks. A stateful firewall is a firewall that keeps track of the state of the network connections (such as TCP streams or UDP exchanges) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state are allowed by the firewall; others are rejected as packets out of context. It examines each IP packet in context: it keeps track of client-server sessions, checks that each packet validly belongs to one, and is therefore better able to detect bogus packets that are out of context.
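The session tracking described above, as an added Python example that is not part of the slides: the firewall records connections opened from inside, passes only packets that belong to a recorded session, and, following the data/control pattern of the example above (the pattern FTP uses), admits an inbound data connection only while the same two hosts still have a control connection open from inside to outside. Port numbers, interface names and the flag encoding are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"      # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN
    iface: str = "ext"    # "ext" = arrived from the Internet, "int" = from the LAN


CONTROL_PORT = 21         # constructed: server port of the control connection


class StatefulFirewall:
    """Keeps a table of client-server sessions and passes only packets that belong to one."""

    def __init__(self):
        self.sessions = {}  # (src, sport, dst, dport) as sent by the initiator -> state

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Internal users may open new connections; the session is recorded.
        if p.iface == "int" and p.flags == "S":
            self.sessions[key] = "SYN_SENT"
            return "ACCEPT new"
        # Either direction of a recorded session is permitted and advances its state.
        for k in (key, rev):
            if k in self.sessions:
                if p.flags == "SA":
                    self.sessions[k] = "ESTABLISHED"
                elif p.flags == "F":      # simplified: one FIN closes the session
                    del self.sessions[k]
                return "ACCEPT session"
        # An inbound data connection is related traffic only while the same pair of
        # hosts still has a control connection open from inside to outside.
        if p.iface == "ext" and p.flags == "S" and self._control_open(p.dst, p.src):
            self.sessions[key] = "SYN_RECV"
            return "ACCEPT related"
        # Everything else is a packet out of context (including stray ACKs or SYN/ACKs).
        return "DROP out of context"

    def _control_open(self, inside: str, outside: str) -> bool:
        return any(s == inside and d == outside and dp == CONTROL_PORT
                   for (s, _sp, d, dp) in self.sessions)
```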

Application Level Gateway

An application level gateway (ALG or proxy) operates at the application layer of the OSI model and actively inspects the contents of the packets that pass through the gateway. It acts as an intermediate system between the Internet and the application server, and it understands and has full access to the relevant application protocol (e.g. FTP, SMTP). To the outside world the gateway appears to be the end-point application server, but in reality it interprets each incoming request, translates it into the application server's own internal commands and builds a new request from scratch, in order to discard and prevent any malicious or malformed content from getting through. The gateway then sends the new request to the actual application server and processes the server's reply in the same fashion, thereby preventing any direct connection between a trusted server or client and an untrusted host. The ALG also returns the result to the outside host.

An ALG recognizes application-specific commands and provides granular security controls over them.
It performs deep packet inspection of all the packets it handles over a given network, since it understands the protocol used by the specific applications that it supports.
Note that a separate ALG must be installed for each application-level service/protocol.
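As an added example (not from the slides), a fragment of an SMTP-aware gateway in Python: it parses each client command line, accepts only the commands it understands with well-formed arguments, and builds the forwarded command from the parsed fields rather than relaying the client's bytes, which is what "builds a new request from scratch" means in practice. The command whitelist and the accepted address syntax are constructed assumptions.

```python
import re
from typing import Optional

# Constructed policy: the commands this gateway understands and the argument
# syntax it accepts for each.  Anything else is never forwarded.
ALLOWED = {
    "HELO": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
    "MAIL": re.compile(r"^FROM:<([^<>\s@]+@[A-Za-z0-9.-]+)>$", re.I),
    "RCPT": re.compile(r"^TO:<([^<>\s@]+@[A-Za-z0-9.-]+)>$", re.I),
    "DATA": re.compile(r"^$"),
    "QUIT": re.compile(r"^$"),
}
MAX_LINE = 512   # RFC 5321 limit for a command line, CRLF included


def rebuild_command(raw: bytes) -> Optional[bytes]:
    """Parse one client command line; return a freshly built line, or None to reject it."""
    if len(raw) > MAX_LINE or not raw.endswith(b"\r\n"):
        return None
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    arg = arg.strip()
    pattern = ALLOWED.get(verb)
    if pattern is None:              # unknown or disallowed command
        return None
    m = pattern.match(arg)
    if m is None:                    # argument does not match the expected grammar
        return None
    # Build the forwarded command from parsed fields only; client bytes are never relayed.
    if verb == "MAIL":
        return f"MAIL FROM:<{m.group(1)}>\r\n".encode("ascii")
    if verb == "RCPT":
        return f"RCPT TO:<{m.group(1)}>\r\n".encode("ascii")
    if verb == "HELO":
        return f"HELO {arg}\r\n".encode("ascii")
    return f"{verb}\r\n".encode("ascii")
```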

Circuit-Level Gateway

Typically this firewall type trusts internal users by allowing outbound connections. It monitors the TCP handshake between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway itself; this is useful for hiding information about protected internal networks. The gateway relays between two TCP connections, one with the inside host and one with the outside host.

On the other hand, circuit-level gateways do not filter individual packets and, once a session is created, usually transmit traffic without examining its contents. A major advantage of this method is that non-requested data from outside the firewall is not allowed in.

DMZ

A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services (for example, those of a company that hosts a Web site or sells its products or services over the Internet) to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has direct access to equipment in the DMZ, rather than to any other part of the network.