Web Technologies, Assignment 2

FIREWALLS
To

Dr. Ahmed Elfatatry

Web Technologies Assignment 2 First Term 2011-2012

By Yasser M M Gharib

Page 1 of 15

Yasser Gharib

Web Technologies, Assignment 2

FIREWALL
Contents 1. Introduction 2. Definition 3. FIREWALL TYPES
a. b.

3 5 5 5 5 6 7 8 9 10 11 11 11 11 13 15

Hardware Firewalls Software Firewalls

4. Firewall Techniques
a. b. c.

Packet Filtering Circuit Relay Application Gateway

5. Conclusion 6. References 7. Appendix Firewall Products

a. b. c. d.

Packet Filtering & Stateful Inspection Firewalls Application Firewalls Multifunction Firewalls Other Types Of Firewalls

Page 2 of 15

Yasser Gharib

Web Technologies, Assignment 2 1. Introduction(1)

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

Remote login Ability to someone to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program. SMTP session hijacking Simple Mail Transport Protocol (SMTP) is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.

Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.

Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Page 3 of 15

Yasser Gharib

Web Technologies, Assignment 2

Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.

Redirect bombs - Hackers can use the Internet Control Message Protocol (ICMP) to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network.

To determine and stop these threats we use firewall, So What is Firewall and its type, location of this type, advantage and disadvantage of each type.

Page 4 of 15

Yasser Gharib

Web Technologies, Assignment 2 2-Definition

Firewall is simply a software or hardware device that handles or mediates traffic flow between one network and others, performing security checks on that traffic in accordance with a predetermined security policy. If traffic fails to match the security policy, then it is not allowed through the firewall. The security policy is usually enforced by a firewall rule set, against which traffic is checked.(1)
Firewall checks for specified content, malformed or abnormal traffic at some layer of the protocol hierarchy or checks that help determine that the traffic comes from the claimed source.
(1)

The purpose of the firewall is to protect entities in one network from threats originating in another network.(2)

3-FIREWALL TYPES (4)

Firewalls can be either hardware or software. a. Hardware Firewalls Hardware firewalls can be purchased as a stand-alone product but more recently hardware firewalls are typically found in broadband routers, and should be considered an important part of the system and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network.
b.

Software Firewalls For individual home users, the most popular firewall choice is a software firewall. Software firewalls are installed on computer (like any software) and can customize; allowing you some control over its function and protection features. A software firewall will protect computer from outside attempts to control or gain access computer, and, depending on choice of software firewall Advantages of a software firewall(3)
Page 5 of 15

Yasser Gharib

Web Technologies, Assignment 2

Free of charge or low-priced to install Easy to install Professional skills not required for configuration Levels of admission can be locate

Advantages of a hardware firewall(3)

Centralized management achievable Secure Speedy Fewer interference; can be maintained with no affecting other regions of network and does not make the applications to be time-consuming.

Disadvantages of a software firewall(3)

Might make the applications slow Might be intense on computer system resources Can be hard to eliminate Every host wants to be updated repeatedly No centralized administration

Disadvantages of a hardware firewall(3)

Costly to buy Specialist knowledge may be necessary to install and configure Takes up substantial space Difficult to upgrade

4. Firewall Techniques:

The most basic type firewall performs Packet Filtering. A second type of firewall, which provides additional security, is called a Circuit Relay.

Another and still more involved approach is the Application Level Gateway.

Page 6 of 15

Yasser Gharib

Web Technologies, Assignment 2

a. Packet Filtering(6)
All Internet traffic travels in the form of packets. A packet is a quantity of data of limited size, kept small for easy handling. When larger amounts of continuous data must be sent, it is broken up into numbered packets for transmission and reassembled at the receiving end. All your file downloads, Web page retrievals, emails -- all these Internet communications always occur in packets. A packet is a series of digital numbers basically, which conveys these things:

The data, acknowledgment, request or command from the originating system

The source IP address and port The destination IP address and port Information about the protocol (set of rules) by which the packet is to be handled

Error checking information Usually, some sort of information about the type and status of the data being sent

Page 7 of 15

Yasser Gharib

Web Technologies, Assignment 2

Often, a few other things too.

In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data. Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies. Packet filtering policies may be based upon any of the following:

Allowing or disallowing packets on the basis of the source IP address Allowing or disallowing packets on the basis of their destination port Allowing or disallowing packets according to protocol.

This is the original and most basic type of firewall. Packet filtering alone is very effective as far as it goes but it is not foolproof security. It can potentially block all traffic, which in a sense is absolute security. But for any useful networking to occur, it must of course allow some packets to pass. Its weaknesses are:

Address information in a packet can potentially be falsified or "spoofed" by the sender

The data or requests contained in allowed packets may ultimately cause unwanted things to happen, as where a hacker may exploit a known bug in a targeted Web server program to make it do his bidding, or use an ill-gotten password to gain control or access.

Advantage of packet filtering is its relative simplicity and ease of implementation. Disadvantage: The challenge with packet-filtering firewalls is that ACLs are static, and packet filtering has no visibility into the data portion of the IP packet.(7)
Page 8 of 15

Yasser Gharib

Web Technologies, Assignment 2 b. Circuit Relay(6)

Also called a "Circuit Level Gateway," this is a firewall approach that validates connections before allowing data to be exchanged. What this means is that the firewall doesn't simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may for examples be based upon:

destination IP address and/or port source IP address and/or port time of day protocol user password

Every session of data exchange is validated and monitored and all traffic is disallowed unless a session is open. Circuit Level Filtering takes control a step further than a Packet Filter. Advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, wherein the source address is never validated as a function of the protocol. IP spoofing can be rendered much more difficult. Disadvantage is that Circuit Level Filtering operates at the Transport Layer and may require substantial modification of the programming which normally provides transport functions (e.g. Winsock).

c. Application Gateway(6)
In this approach, the firewall goes still further in its regulation of traffic.

Page 9 of 15

Yasser Gharib

Web Technologies, Assignment 2

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system in their behalf. This can render a computer behind the firewall all but invisible to the remote system. It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions. Advantage: Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. Disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway. An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.

5. Conclusion:
All firewalls regardless of type have one very important thing in common: they receive, inspect and make decisions about all incoming data before it reaches other parts of the system or network. That means they handle packets and they are strategically placed at the entry point to the system or network the firewall is intended to protect. They usually regulate outgoing data as well. The types and capabilities of firewalls are defined essentially by:

Where they reside in the network hierarchy (stack); how they analyze and how they regulate the flow of data (packets); and additional security-related and utilitarian functions they may perform. Some of those additional functions:
o

data

may

be

encrypted/decrypted

by

the

firewall

for

secure

communication with a distant network

Page 10 of 15

Yasser Gharib

Web Technologies, Assignment 2

o

Scripting may allow the operator to program-in any number of specialized capabilities

The

firewall

may

facilitate

communications

between

otherwise

incompatible networks. 6- Reference:

1. http://computer.howstuffworks.com/firewall3.htm 2. http://www.cpni.gov.uk/Documents/Publications/2005/2005007_TN1004_Understanding_fire walls.pdf 3. http://forums.techarena.in/networking-security/1376397.htm 4. http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp 5. iac.dtic.mil/iatac/download/firewalls.pdf 6. http://www.pc-help.org/www.nwinternet.com/pchelp/security/firewalls.htm 7. http://www.networkworld.com/subnets/cisco/060109-ch1-cisco-secure-firewalls.html 8.

Appendix Firewall Products(5)

For more details see (iac.dtic.mil/iatac/download/firewalls.pdf)
a. Packet Filtering & Stateful Inspection Firewalls Deerfield.com VisNetic Firewall for Servers eSoft InstaGate Firewall GCIS Firewall Sentinel and Proxy Sentinel Intertex SurfinBird IX FW Series IPFIREWALL (IPFW) Mac OS X Server ipfw and Application Firewalls Netfilter NetSib NetworkShield Firewall NuFirewall Packet Filter Qbik WinGate Proxy Server ReaSoft Network Firewall Soft in Engines Bandwidth Management and Firewall Sphinx Software Windows Firewall Control Plus Server Edition TRENDnet -Port Gigabit Firewall Router Windows Firewall Untangle Firewall b. Application Firewalls Alcatel-Lucent OmniAccess Web Services Gateway

Page 11 of 15

Yasser Gharib

Web Technologies, Assignment 2

Alt-N SecurityGateway for Exchange/SMTP Servers Anchiva Secure Web Gateway A Series and Web Application Firewall S Series Applicure dotDefender Armorlogic Profense art of defence hyperguard Axway MailGate BalaBit IT Security Zorp Barracuda Spam & Virus Firewall Barracuda Web Application Firewalls Bee Ware i-Suite BugSec WebSniper Cisco ACE Web Application Firewall Cisco ACE XML Gateways Cisco IOS Firewall Cisco IronPort Email Security Appliances Citrix NetScaler Application Firewall CloudShield DNS Defender Deny All rWeb Deny All rFTP Deny All sProxy DigiPortal ChoiceMail Enterprise and ChoiceMail Small Business eEye SecureIIS Excelerate SpamGate F BIG-IP Application Security Manager Fortinet FortiWeb Web Application and XML Firewalls Forum Sentry XML Gateway GreenSQL Express, Light, Pro, and Database Firewall Horizon Network Security SPAM Cracker IBM WebSphere DataPower XML Security Gateway XS Igaware Web Filtering Appliance IMGate Mail Firewall Imperva SecureSphere Database Firewall Imperva SecureSphere File Firewall Imperva SecureSphere Web Application Firewall Intel SOA Expressway Service Gateway Korsmeyer Extensible Messaging Platform Layer SecureSpan XML Firewall ModSecurity MONITORAPP DB INSIGHT SG.

Page 12 of 15

Yasser Gharib

Web Technologies, Assignment 2

MONITORAPP Web INSIGHT SG Netop NetFilter Oracle Database Firewall Phantom Technologies iBoss Enterprise Web Filter Phantom Technologies iBoss Home Internet Parental Control Phantom Technologies iBoss Pro Internet Content iFilter PrismTech Xtradyne I-DBC IIOP Firewall PrismTech Xtradyne WS-DBC Privacyware ThreatSentry Proofpoint Email Firewall Qualys IronBee Radware AppWall RedCondor Message Assurance Gateways Retell Sense Voice Firewall SafeNet eSafe Mail Security Gateway SafeNet eSafe Web Security Gateway seaan.net MXtruder SPAMINA Email Service Firewall and Email Service Firewall for MSP/ISPs SpamTitan SpamWall Antispam Firewall Trustwave WebDefend Vicomsoft InterGate Policy Manager webScurity WebApp.secure c. Multifunction Firewalls Aker Firewall Alcatel-Lucent VPN Firewall Brick Arkoon Security FAST Network Processor Appliances Astaro Security Gateways Barracuda NG Firewall BluegrassNet Voice SP Firewall/SIP Proxy Check Point Power- Appliances Check Point IP Appliances Check Point Safe@Office UTM Appliances Check Point Series Appliance Check Point UTM- Appliances Cisco ASA Series Adaptive Security Appliances Cyberoam UTM Appliances Clavister Enterprise Security Gateway Series D-Link NetDefend Firewall/VPN UTM Appliances

Page 13 of 15

Yasser Gharib

Web Technologies, Assignment 2

EdenWall Security Appliances EGG Network Security Appliance Endian UTM Software, Hardware, and Virtual Appliances . Entensys UserGate Proxy & Firewall Fortinet FortiGate Appliances GajShield Unified Performance & Threat Management Appliances GeNUGate Two-Tier Firewall GeNUScreen Firewall & VPN Appliance Gibraltar Security Gateways Global Technology Associates Firewall/VPN Appliances Global Technology Associates GB-Ware HC SecPath and SecBlade Halon SX Series Firewalls Hitec Fyrewall HP ProCurve Threat Management Services (TMS) zl Module Huawei Quidway Eudemon Firewall Series IBM Security Server Protection and Virtual Server Protection for VMware Ideco Gateway Igaware Network Protector Ingate Firewall InJoy Firewall Professional and Enterprise iPolicy Intrusion Prevention Firewalls IPCop Juniper Networks ISG Series Integrated Security Gateways. Juniper Networks NetScreen Juniper Networks SRX Services Gateways Juniper Networks SSG Series Appliances Kerio Control McAfee Firewall Enterprise Microsoft Forefront Threat Management Gateway Microsoft Internet Security and Acceleration Server mnwall NETASQ U-Series and NG-Series Appliances NetCop NETGEAR ProSafe Wired and Wireless VPN Firewalls NETGEAR ProSecure Unified Threat Management (UTM) Gateway Security Appliances NetSentron NS Lite and NS Pro Novell BorderManager

Page 14 of 15

Yasser Gharib

Web Technologies, Assignment 2

OSecurity SifoWorks Firewall/IPsec VPN Appliances Paisley Systems Frontdoor Firewall Appliance Palo Alto Networks Enterprise Firewalls Panda GateDefender Integra SB pfSense PLANET Security Gateways Schweitzer Engineering Laboratories SEL- Ethernet Security Gateway SECUI.com eXshield and NXG Firewalls SECUI.com eXshield and NXG UTM Appliances Secure Crossing ZenwallSecureLogix ETM System with TeleWall and Voice Firewall Securepoint Firewall UTM Gateways SmoothWall Advanced Firewall and SmoothWall UTM SmoothWall Express SOHOware BroadScan UTM Internet Security Appliance SonicWALL NSA and TZ Series Network Security Appliances StoneSoft StoneGate Firewall/VPN Appliances and Virtual Firewall/VPN Appliances TeamF SecureFrst Security Gateway Solution Trlokom OmniVPN and Katana Gateway Tutus Frist Firewall Ubiq-Freedom Untangle Server with Lite, Standard, or Premium Package Vordel Gateway Vyatta Core WatchGuard Extensible Threat Management Series XRoads EdgeWAN Cloud Firewall Appliances Zentyal Gateway Zentyal UTM ZyXEL ZyWALL Unified Security Gateways and Internet Security Appliances d. Other Types Of Firewalls EdenWall Virtual Security Appliance

Page 15 of 15

Yasser Gharib