A firewall is basically something that protects a private network
from the Internet. The name is borrowed from the firewall in a
vehicle, a barrier of fire-resistant material that protects the
vehicle in case of fire.
A firewall is best described as a packet filter, implemented in
software, in hardware, or in both, that allows only selected packets
to pass from the Internet into your private internal network.
A firewall is a system or a group of systems which guards a
trusted network (the internal private network) from an untrusted
network (the Internet). To understand how a firewall works, we first
need to understand how data is actually transferred on the
Internet.
NOTE: The following is a very weird, short and
incomplete description of the TCP/IP protocol. I have just given a
general idea of the whole data transmission process so that everyone
can understand firewalls.
The TCP/IP suite is responsible for the successful transfer of
data across a network, both the Internet and an intranet. The TCP/IP
suite is a collection of protocols which are inter-related and
interdependent and act as a set of rules according to which data is
transferred across the network. A protocol can be defined as a
language or a standard which is followed while data is being
transferred. Let's go through a brief explanation of how data is
transferred across a network by the various components of the
TCP/IP suite.
The whole process of data transmission begins when a user
starts up an Internet application like an email client or an FTP
client. The user types an email in his client and in this way
provides data to be transferred. The email client is said to be a
part of the application layer of the TCP/IP stack. This application
layer (the email client) hands the data (the email itself) to the
Transmission Control Protocol or TCP, which constitutes the Transfer
Layer of TCP/IP. TCP breaks the data, i.e. the email, into smaller
chunks called packets and hands them over to the Internet Protocol
or IP, which forms the network layer. IP adds information to each
packet so that it is known for which computer the packet is meant,
which port or application it is going to, and where it came from. An
IP datagram contains:
1. A header which contains the Source and Destination IP,
Time to live info and also the protocol used. There is also a header
checksum present.
2. Remaining part contains the data to be transferred.
You do not need to understand all this in detail; just
remember that TCP breaks data into smaller packets and IP adds the
source and destination IPs to the packets. When the data reaches
the other server, IP hands the packets back to TCP, which
reassembles them. Port numbers are also used to ensure that the
packets reach the application they are meant for. So, basically we
can conclude that a successful transmission of data across a network
relies on the source and destination IPs and also the ports.
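To make the header fields named above concrete, here is an added example (not part of the original text) that builds a minimal IPv4 datagram, then parses back the source and destination IP, time to live, protocol and header checksum, and reads the TCP port numbers that follow the header. The addresses, ports and the 16-byte TCP stub are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the original text): build and parse a minimal
# IPv4 datagram so the header fields the text names can be seen in
# real bytes. Addresses and ports are constructed sample values.


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791).
    Computed over a header whose checksum field is already filled in,
    the result is 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Assemble a 20-byte IPv4 header (no options) followed by the payload."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, total_len, 0x1234, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    checksum = ipv4_checksum(header)         # computed with the field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields a packet filter looks at, plus TCP/UDP ports."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    info = {
        "version": ver_ihl >> 4,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,                   # 6 = TCP, 17 = UDP
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "sport": None,
        "dport": None,
    }
    # Both TCP and UDP begin with 16-bit source and destination ports.
    if proto in (6, 17) and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


if __name__ == "__main__":
    tcp_stub = struct.pack("!HH", 40000, 25) + b"\x00" * 16   # constructed TCP header
    pkt = build_ipv4_packet("10.0.0.5", "198.51.100.7", 64, 6, tcp_stub)
    print(parse_ipv4(pkt))
    # A TTL byte corrupted in transit: the header checksum no longer verifies.
    damaged = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    print(parse_ipv4(damaged)["checksum_ok"])
```

The checksum only detects accidental corruption; it is not an integrity protection, since anyone who rewrites the header can recompute it, which is exactly why a later section's point about source-address spoofing holds.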
A firewall too relies on the source and destination IP and
also the ports to control the packet transfer between the untrusted
network and the trusted network. Firewalls can be classified into 3
types:
1. Packet Filter Firewalls
2. Application proxy Firewalls
3. Packet Inspection Firewalls
Packet Filter Firewalls
They are the earliest and the most criticized firewalls,
and nowadays they are not easily found. They are usually hardware
based, i.e. router based (a router is a device which connects two
networks together). Whenever a packet filter firewall receives a
packet, it compares the header information, i.e. the source and
destination IP addresses and the port number, with a table of
predefined access control rules. If the header information matches,
the packet is allowed to pass; otherwise the packet is dropped. They
are not popular because they allow direct contact between the
untrusted system and the trusted private system.
To understand such firewalls, let's take the example of the
secretary who sits in your office. This kind of secretary allows
only those people who have an appointment to pass, but if you
convince her that her boss wants to meet you, she will let you
through.
Such firewalls can be fooled by techniques like IP spoofing,
in which the source IP of a packet is changed so that the firewall
thinks the packet has come from a trusted system, one of those on
the list of systems allowed through the firewall.
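The following is an added example, not code from the original text, of the access control table a packet filter consults. It decides from header fields alone (first matching rule wins, default deny), shows why a packet carrying a trusted source address passes that check, and adds the ingress check a defender uses against it: a packet that arrives on the external interface cannot legitimately carry an internal source address. The networks, rules and packets are constructed samples; the trusted network is assumed to be 10.0.0.0/8.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not from the original text): a packet filter's access
# control table checked against header fields only, plus the ingress
# check that defends against the source spoofing the text describes.
# Networks, rules and packets are constructed samples.


@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    dst: str            # destination IP
    dport: int          # destination port
    protocol: str       # "tcp" or "udp"
    iface: str          # interface the packet arrived on: "external" or "internal"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str                        # source network in CIDR notation
    dst: str                        # destination network in CIDR notation
    dport: Optional[int] = None     # None matches any port
    protocol: Optional[str] = None  # None matches any protocol


TRUSTED_NET = ip_network("10.0.0.0/8")   # assumed internal network

# First matching rule wins; the final rule makes the default "deny".
RULES = [
    Rule("allow", "203.0.113.0/24", "10.0.0.0/8", 25, "tcp"),  # partner relay -> internal mail
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0"),                  # trusted hosts may reach anything
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.protocol is None or rule.protocol == pkt.protocol))


def header_filter(pkt: Packet, rules=RULES) -> str:
    """Classic packet filter: decide from the header fields alone."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def ingress_filter(pkt: Packet, rules=RULES) -> str:
    """Same table, but first reject packets that arrive from outside while
    claiming an inside source address. That combination can never be
    genuine, so it is the cheapest defence against source spoofing."""
    if pkt.iface == "external" and ip_address(pkt.src) in TRUSTED_NET:
        return "deny"
    return header_filter(pkt, rules)


if __name__ == "__main__":
    legit = Packet("203.0.113.10", "10.0.0.20", 25, "tcp", "external")
    outsider = Packet("198.51.100.7", "10.0.0.20", 22, "tcp", "external")
    spoofed = Packet("10.0.0.9", "10.0.0.20", 22, "tcp", "external")
    for p in (legit, outsider, spoofed):
        print(p.src, "->", p.dst, p.dport, header_filter(p), ingress_filter(p))
```

The spoofed packet is accepted by header_filter because its forged source falls in the second rule, and rejected by ingress_filter because the interface it arrived on contradicts the address it claims; rules that consult the arrival interface, not just the header, are what turn a filter table into a usable control.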
Application proxy Firewalls
The shortcomings of packet filter firewalls were addressed
by a new type of firewall developed by DARPA. It was widely believed
that the earlier type of firewall was not secure enough, as it
allowed untrusted systems to have a direct connection with trusted
systems. This problem was solved by using proxy servers as
firewalls. A proxy server which is used as a firewall is called an
application proxy server.
This kind of proxy firewall examines what application or
service (running on a port) a packet is meant for. Only if that
particular service is available is the packet allowed through; if
the service is unavailable, the packet is discarded by the firewall.
Once this check is done, the firewall extracts the data and delivers
it to the appropriate service itself. There is no direct connection
between the untrusted systems and the trusted systems, as the
original packet sent by the untrusted system is dropped by the
firewall, which personally delivers the data.
Let's again take the example of a secretary. Such a
secretary would accept a gift or other delivery for you only if you
are available in the office, and would not let the visitor deliver
it but would hand it to you personally. Although they are somewhat
slower, such firewalls are much more secure as they do not allow
direct contact between an untrusted network and a trusted network.
Packet Inspection Firewalls
They can also be seen as an extension of the Packet Filter
Firewall. Such a firewall not only verifies the source and
destination IPs and ports, it also verifies the content of the data
before passing it through. There are two ways in which this kind of
firewall verifies the data to be passed:
1. State
2. Session
In the case of state inspection, an incoming packet is allowed
to pass through only if there is a matching outbound request for
it. This means that the incoming packet is allowed through only if
the trusted server had requested it or had sent an invitation for it.
In the case of session filtering, the data of the incoming packet is
not verified; instead the network activity is traced, and once a
trusted system ends a session, no further packets from that system
pertaining to that session are allowed to pass through. This
protects against IP spoofing to a certain extent. Such firewalls can
also be configured beforehand to act according to predefined rules
when attacked, for example to disconnect from the Internet in case
of an attack.
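Both checks described above come down to a state table keyed by the connection's addresses and ports. The added example below (not code from the original text) models that table: an outbound SYN from a trusted host creates an entry, inbound packets are allowed only when a matching entry exists, and when the trusted host closes the session the entry is removed so later packets for it are dropped. Addresses, ports and the packet sequence are constructed samples; the trusted network is assumed to be 10.0.0.0/8.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet

# Added example (not from the original text): a connection state table
# implementing the "state" check (inbound needs a matching outbound
# request) and the "session" check (nothing more is accepted once the
# trusted side has ended the session). Constructed sample traffic.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # TCP flag names, e.g. {"SYN"}, {"FIN"}, {"RST"}


class StatefulFirewall:
    def __init__(self, trusted_net: str):
        self.trusted = ip_network(trusted_net)
        # open sessions, keyed (inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def handle(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in self.trusted:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags:
            self.table.add(key)          # the trusted side "sent an invitation"
        elif pkt.flags & {"FIN", "RST"}:
            self.table.discard(key)      # the trusted side ended the session
        return "ALLOW"                   # traffic originating inside is permitted

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse direction
        if key not in self.table:
            return "DROP"                # no matching outbound request
        if pkt.flags & {"FIN", "RST"}:
            self.table.discard(key)      # remote side closed; nothing more expected
        return "ALLOW"


def demo() -> list:
    """Run a short constructed exchange and return the firewall's decisions."""
    fw = StatefulFirewall("10.0.0.0/8")
    inside, outside = "10.0.0.5", "198.51.100.7"
    sequence = [
        Packet(outside, 80, inside, 40000, frozenset({"SYN", "ACK"})),  # unsolicited
        Packet(inside, 40000, outside, 80, frozenset({"SYN"})),         # request from inside
        Packet(outside, 80, inside, 40000, frozenset({"SYN", "ACK"})),  # matching reply
        Packet(outside, 80, inside, 40000, frozenset({"ACK"})),         # data for the session
        Packet(inside, 40000, outside, 80, frozenset({"FIN", "ACK"})),  # inside ends session
        Packet(outside, 80, inside, 40000, frozenset({"ACK"})),         # arrives after close
    ]
    return [fw.handle(p) for p in sequence]


if __name__ == "__main__":
    print(demo())   # ['DROP', 'ALLOW', 'ALLOW', 'ALLOW', 'ALLOW', 'DROP']
```

The model is deliberately simplified: a production stateful firewall tracks the full TCP handshake and both sides' FIN segments, ages entries out on a timer, and holds per-direction sequence-number windows, which is what lets it reject a packet whose source address alone would have satisfied a packet filter.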
You will come across many firewalls on various systems;
basically a firewall can be set up in two ways:
1. Dual-homed gateway
2. Demilitarized zone (DMZ)
In a dual-homed gateway firewall there is a single firewall
with two connections, one to the trusted network and the other to
the untrusted network. In the case of a Demilitarized Zone or DMZ
there are two firewalls, each with two connections, but there is a
slight difference in the case of a DMZ setup.
In the case of a DMZ setup, there are two firewalls, the
first having two connections, one leading to the untrusted network
and the other leading to the host systems like the email server or
the FTP server etc.
These host systems can be accessed from the untrusted
network. They are connected to the internal private trusted systems
through another firewall, so there is no direct contact between the
untrusted network and the trusted internal network. The area between
the two firewalls is termed the demilitarized zone.
In the case of a Dual Homed Gateway the untrusted network
is connected to the host systems (email and FTP servers etc) through
a firewall and these host systems are connected to the internal
private network. There is no second firewall between the host
systems and the internal private trusted network. The basic
structure of the DMZ setup declares it to be a more secure system as
even if an attacker gets through the first firewall, he just reaches
the host systems, while the internal network is protected by another
firewall.
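The difference between the two layouts can be checked mechanically. The added example below (not from the original text) models each layout as zones joined by links that are either unfiltered or pass through a firewall with a per-direction port policy, then asks what a given zone can reach. The policies are assumptions for illustration: the first firewall admits only the mail and FTP ports (25 and 21) from the Internet to the host systems, and the DMZ's second firewall admits only port 25 from the host systems into the internal network.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple, Union

# Added example (not from the original text): the dual-homed gateway and
# DMZ layouts as zone graphs, so the claim that a compromised host system
# gives direct internal access only in the dual-homed layout can be
# checked. Firewall policies below are assumptions for illustration.

Ports = Union[str, Set[int]]            # "any" or an explicit set of ports
Policy = Dict[Tuple[str, str], Ports]   # (from_zone, to_zone) -> permitted ports
Link = Tuple[str, Optional[str]]        # (neighbour zone, firewall name or None)

# First firewall, shared by both layouts: the Internet may reach only the
# FTP and mail services on the host systems; the hosts may talk outward.
FW1: Policy = {("internet", "hosts"): {21, 25}, ("hosts", "internet"): "any"}
# Second firewall, DMZ layout only: host systems reach the internal
# network on the mail port alone (assumed).
FW2: Policy = {("hosts", "internal"): {25}, ("internal", "hosts"): "any"}

FIREWALLS: Dict[str, Policy] = {"fw1": FW1, "fw2": FW2}

DUAL_HOMED: Dict[str, List[Link]] = {
    "internet": [("hosts", "fw1")],
    "hosts": [("internet", "fw1"), ("internal", None)],   # no second firewall
    "internal": [("hosts", None)],
}
DMZ: Dict[str, List[Link]] = {
    "internet": [("hosts", "fw1")],
    "hosts": [("internet", "fw1"), ("internal", "fw2")],
    "internal": [("hosts", "fw2")],
}


def link_permits(fw: Optional[str], src: str, dst: str, port: int) -> bool:
    """An unfiltered link passes everything; a firewall consults its policy."""
    if fw is None:
        return True
    allowed = FIREWALLS[fw].get((src, dst), set())
    return allowed == "any" or port in allowed


def can_reach(topology: Dict[str, List[Link]], start: str, target: str, port: int) -> bool:
    """Breadth-first search over zones, following only permitted links."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            return True
        for nxt, fw in topology[zone]:
            if nxt not in seen and link_permits(fw, zone, nxt, port):
                seen.add(nxt)
                queue.append(nxt)
    return False


if __name__ == "__main__":
    for name, topo in (("dual-homed", DUAL_HOMED), ("DMZ", DMZ)):
        print(name,
              "internet->hosts:25", can_reach(topo, "internet", "hosts", 25),
              "internet->internal:22", can_reach(topo, "internet", "internal", 22),
              "hosts->internal:22", can_reach(topo, "hosts", "internal", 22))
```

Starting the search from the "hosts" zone stands for the case the text raises, an attacker who has got through the first firewall onto the host systems: in the dual-homed layout every internal port is reachable from there, in the DMZ layout only what the second firewall's policy permits.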
Do Firewalls provide enough Security for my Network?
The answer is a simple no. No firewall is enough to satisfy
all your security concerns. Yes, it does protect the trusted systems
from the untrusted ones, but that is definitely not enough for all
your security needs. We need to protect our systems to secure the
company data. The most common methods used to break into networks
are brute force password cracking and social engineering, and a
firewall in no way prevents such occurrences.
There are other ways in which attackers can steal or
destroy company data. Phone tapping and the use of spy gadgets have
become a common occurrence. Although it protects the network to a
large extent, a firewall is still not able to protect the company
data from viruses and Trojans. Some firewalls do scan everything
being downloaded, but with the rate at which new HTML, Java and
other viruses are cropping up, it is becoming very difficult for
firewalls to detect all of them. Firewalls also provide no physical
protection to the network, and no protection from fire, tornados
etc. Yet another shortcoming is that if an attacker is able to break
into a trusted system which is granted access by the firewall, then
he can easily gain access to the data on your network, as the
firewall will think he is actually the trusted party.
Credits
Written by Ankit Fadia ankit@bol.net.in
version 1.0
http://www.crosswinds.net/~hackingtruths