Monday, May 29, 2006

Internet Firewalls for Trusted Systems

Many organizations have connected, or want to connect, their private LANs to the Internet so that their users can have convenient access to Internet services. Since the Internet as a whole is not trustworthy, their private systems are vulnerable to misuse and attack. A firewall is a safeguard one can use to control access between a trusted network and a less trusted one.

A firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks. Basically, a firewall, working closely with a router program, filters all network packets to determine whether to forward them toward their destination. A firewall is often installed away from the rest of the network so that no incoming request can get directly at private network resources.

As with any safeguard, firewalls involve a trade-off between convenience and security. For convenience, firewalls are typically configured to be transparent to internal network users; on the other hand, they are configured to be non-transparent for outside network users coming through the firewall. This generally provides the highest level of security without placing an undue burden on internal users. Firewalls provide several types of protection, some of which are as under:
• They can block unwanted traffic.
• They can direct incoming traffic to more trustworthy internal systems.
• They hide vulnerable systems, which can’t easily be secured from the Internet.
• They can log traffic to and from the private network.
• They can hide information like system names, network topology, network device types, and internal user IDs from the Internet.
• They can provide more robust authentication than standard applications might be able to do.

Role of Firewalls
The firewall imposes restrictions on packets entering or leaving the private network. All traffic from inside to outside, and vice versa, must pass through the firewall, but only authorised traffic will be allowed to pass. Packets are not allowed through unless they conform to a filtering specification, or unless there is negotiation involving some sort of authentication. The firewall itself must be immune to penetration.

Firewalls create checkpoints (or choke points) between internal private network and the Internet. Once the choke points have been clearly established, firewall can monitor, filter and verify all inbound and outbound traffic.

A firewall may filter on the basis of IP source and destination addresses and TCP port number. Firewalls may block packets from the Internet that claim a source address of a system on the intranet, or they may require the use of an access negotiation and encapsulation protocol like SOCKS to gain access to the intranet. SOCKS is a security protocol used to communicate through a firewall or proxy server.

The firewall also enforces logging, and provides alarm capabilities as well. By placing logging services at firewalls, security administrators can monitor all access to and from the Internet. Good logging strategies are one of the most effective tools for proper network security.

Firewalls may block TELNET or RLOGIN connections from the Internet to the intranet. They also block SMTP and FTP connections to the Internet from internal systems not authorised to send e-mail or to move files. The firewall provides protection from various kinds of IP spoofing and routing attacks.

The firewall certainly has some negative aspects as well. For example, it cannot protect against internal threats such as an employee who cooperates with an external attacker; it is also unable to protect against the transfer of virus-infected programs or files, because it is impossible for it to scan all incoming files, e-mail and messages for viruses. However, since a firewall acts as a protocol endpoint, it may use an implementation methodology designed to minimize the likelihood of bugs.

Firewall-Related Terminology
To understand the concept of firewall, some familiarity with the basic terminology is required. It is useful to understand the following important terms commonly applicable to firewall technologies.

1. Bastion Host
A bastion host is a publicly accessible device that is critical to the network’s security and has a direct connection to a public network such as the Internet. The bastion host serves as a platform for any one of the four types of firewalls: packet filter, circuit-level gateway, application-level gateway and hybrid or complex gateways. Bastion hosts must check all incoming and outgoing traffic and enforce the rules specified in the security policy. They must be prepared for attacks from external and possibly internal sources. They should be built with the least amount of hardware and software, so that a potential hacker has less opportunity to overcome the firewall.

Bastion hosts are armed with logging and alarm features to prevent attacks. The bastion host’s role falls into the following common types:
• Single-homed bastion host: This is a device with only one network interface, normally used for an application-level gateway. The external router is configured to send all incoming data to the bastion host, and all internal clients are configured to send all outgoing data to the host. Accordingly, the host will test the data according to security guidelines.
• Dual-homed bastion host: This is a firewall device with at least two network interfaces. Dual-homed bastion hosts serve as application-level gateways, as packet filters and circuit-level gateways as well. The advantage of using such hosts is that they create a complete break between the external network and the internal network. This break forces all incoming and outgoing traffic to pass through the host. The dual-homed bastion host will prevent a security break-in when a hacker tries to access internal devices.
• Multi-homed bastion host: Single-purpose or internal bastion hosts can be classified as either single-homed or multi-homed bastion hosts. The latter are used to allow the user to enforce strict security mechanisms. When the security policy requires all inbound and outbound traffic to be sent through a proxy server, a new proxy server should be created for the new streaming application. On the new proxy server, it is necessary to implement strict security mechanisms such as authentication. When multi-homed bastion hosts are used as internal bastion hosts, they must reside inside the organisation’s internal network, normally as application gateways that receive all incoming traffic from external bastion hosts. They provide an additional level of security in case the external firewall devices are compromised. All the internal network devices are configured to communicate only with the internal bastion host.
• A tri-homed firewall: It connects three network segments with different network addresses. This firewall may offer some security advantages over firewalls with two interfaces. An attacker on the unprotected Internet may compromise hosts on the DMZ (De-militarised Zone) but still not reach any hosts on the protected internal network.

2. Proxy Server
Proxy servers are used to communicate with external servers on behalf of internal clients. A proxy service is set up and torn down in response to a client request, rather than existing on a static basis. The term proxy server typically refers to an application-level gateway, although a circuit-level gateway is also a form of proxy server. The gateway can be configured to support an application-level proxy on inbound connections and a circuit-level proxy on outbound connections. Application proxies forward packets only when a connection has been established using some known protocol. When the connection closes, a firewall using application proxies rejects individual packets, even if they contain port numbers allowed by a rule set.

In contrast, circuit proxies always forward packets containing a given port number if that port number is permitted by the rule set. Thus, the key difference between application and circuit proxies is that the latter are static and will always set up a connection if the rule set allows it. Each proxy is configured to allow access only to specific host systems.

The audit log is an essential tool for detecting and terminating intruder attacks. Therefore, each proxy maintains detailed audit information by logging all traffic, each connection and the duration of each connection.

Since a proxy module is a relatively small software package specifically designed for network security, it is easier to check such modules for security flaws. Each proxy is independent of other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it is easy to replace the proxy without affecting the operation of the other proxies’ applications. If support for a new service is required, the network administrator can easily install the required proxy on the bastion host. A proxy generally performs no disk access other than to read its initial configuration file. This makes it difficult for an intruder to install Trojan horses, sniffers or other dangerous files on the bastion host.

3. SOCKS
The SOCKS protocol version 4 provides for unsecured firewall traversal for TCP-based client/server applications, including HTTP (Hypertext Transfer Protocol), TELNET (Telnet is a protocol for remote computing on the Internet. It allows a computer to act as a remote terminal on another machine, anywhere on the Internet) and FTP (File Transfer Protocol). The new protocol extends the SOCKS version 4 model to include UDP (User Datagram Protocol), and allows the framework to include provision for generalised strong authentication schemes, and extends the addressing scheme to encompass domain name and IPv6 addresses. The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications so that they can use the appropriate encapsulation routines in the SOCKS library.

When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located at TCP port 1080. If the connection request succeeds, the client enters negotiation for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it. In fact, SOCKS defines how to establish authenticated connections, but currently it does not provide a clear-cut solution to the problem of encrypting the data traffic. Since the Internet at large is considered a hostile medium, encryption by using ESP (Encapsulating Security Payload, the IPsec protocol that provides encryption and can also provide an authentication service) is also assumed in this scenario.
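The negotiation described above, as an added example that is not part of the original post: the SOCKS version 5 method selection, CONNECT request and reply messages (RFC 1928 byte layout), encoded and decoded for both the client and the server side. The server applies a constructed allowed-destination list, and the host names, addresses and ports are sample values.

```python
import ipaddress
import struct

SOCKS_VER = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02

# Constructed policy: the relay may only open connections to these destinations
# ("each proxy is configured to allow access only to specific host systems").
ALLOWED = {("www.example.com", 80), ("192.0.2.10", 443)}


def client_greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def server_select_method(greeting, preferred=(USER_PASS, NO_AUTH)):
    """Server -> client: VER, METHOD. Picks the strongest method both sides support."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    for method in preferred:
        if method in offered:
            return bytes([SOCKS_VER, method])
    return bytes([SOCKS_VER, NO_ACCEPTABLE])  # 0xFF: client must close the connection


def encode_addr(host, port):
    """ATYP + DST.ADDR + DST.PORT for IPv4, IPv6 or a domain name (the v5 extensions)."""
    try:
        ip = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return body + struct.pack("!H", port)


def decode_addr(buf):
    """Return (host, port, bytes_consumed); rejects unknown address types."""
    atyp = buf[0]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(bytes(buf[1:5]))), 5
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(bytes(buf[1:17]))), 17
    elif atyp == ATYP_DOMAIN:
        n = buf[1]
        host, off = bytes(buf[2:2 + n]).decode("idna"), 2 + n
    else:
        raise ValueError("unknown ATYP")
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


def client_connect_request(host, port):
    """Client -> server relay request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + encode_addr(host, port)


def server_handle_request(req):
    """Evaluate the relay request; return (REP code, reply bytes)."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0x00 or req[1] != CMD_CONNECT:
        raise ValueError("unsupported or malformed request")
    host, port, used = decode_addr(req[3:])
    if used != len(req) - 3:
        raise ValueError("trailing bytes in request")
    rep = REP_SUCCESS if (host, port) in ALLOWED else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT would be the relay's own socket; a placeholder is used here.
    return rep, bytes([SOCKS_VER, rep, 0x00]) + encode_addr("0.0.0.0", 0)
```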

4. Choke Point
The most important aspect of firewall placement is to create choke points. A choke point is the point at which the public Internet can access the internal network. The most comprehensive and extensive monitoring tools should be configured on the choke points. Proper implementation requires that all traffic be funnelled through these choke points. Because all traffic then flows through the firewalls, security administrators should, as a firewall strategy, create choke points to limit external access to their networks. Once these choke points have been clearly established, the firewall devices can monitor, filter and verify all inbound and outbound traffic.

Since a choke point is installed at the firewall, a prospective hacker must pass through the choke point. If the most comprehensive logging devices are installed in the firewall itself, all hacker activities can be captured. Hence, the logs reveal exactly what a hacker is doing.

5. De-militarised Zone (DMZ)
The DMZ is an expression that originates from the Korean War. It meant a strip of land forcibly kept clear of enemy soldiers. In terms of a firewall, the DMZ is a network that lies between an internal private network and the external public network. DMZ networks are sometimes called perimeter networks. A DMZ is used as an additional buffer to further separate the public network from the internal network.

6. VPN
Some firewalls are now providing VPN services. VPNs are appropriate for any organisation requiring secure external access to internal resources. All VPNs are tunneling protocols in the sense that their information packets or payloads are encapsulated or tunneled into the network packets. All data transmitted over a VPN is usually encrypted because an opponent with access to the Internet could eavesdrop on the data as it travels over the public network.

The VPN encapsulates all the encrypted data within an IP packet. Authentication, message integrity and encryption are very important fundamentals for implementing a VPN. Without such authentication procedures, a hacker could impersonate anyone and then gain access to the network. Message integrity is required because the packets can be altered as they travel through the Internet. Without encryption, the information may become truly public.

Several methods exist to implement a VPN. Windows NT or later versions support a standard RSA (a public key cryptographic algorithm named after its inventors Rivest, Shamir and Adleman; it is used for encryption and digital signatures, was developed in 1977 and is today the most commonly used encryption and authentication algorithm) connection through a VPN. Specialised firewalls or routers can be configured to establish a VPN over the Internet. New protocols such as IPsec are expected to standardise on a specific VPN solution. Several VPN protocols exist, but the Point-to-Point Tunnelling Protocol (PPTP) and IPsec are the most popular.

Types of Firewalls
A firewall constitutes a network configuration, usually both hardware and software, that forms a fortress between networked computers within an organization and those outside the organization. It is commonly used to protect information such as a network's e-mail and data files within a physical building or organization site. Firewalls act as an intermediate server in handling SMTP and HTTP connections in either direction. Firewalls also require the use of an access negotiation and encapsulation protocol such as SOCKS to gain access to the Internet, the intranet, or both. Many firewalls support tri-homing, allowing use of a DMZ network. It is possible for a firewall to accommodate more than three interfaces, each attached to a different network segment. Firewalls can be classified into four main categories: packet filters, circuit-level gateways, application-level gateways and hybrid or complex gateways.

1. Packet Filtering Firewalls
Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on source address, destination address and port. They offer minimum security but at a very low cost, and can be an appropriate choice for a low risk environment. They are fast, flexible, and transparent. Filtering rules are not often easily maintained on a router, but there are tools available to simplify the tasks of creating and maintaining the rules.

The type of router used in a packet-filtering firewall is known as a screening router. The screening router is configured to filter packets entering or leaving the internal network. The routers can easily compare each IP address to a filter or a series of filters.

Packet filters typically set up a list of rules that are read sequentially, line by line. Filtering rules can be applied based on source and destination IP addresses or network addresses. A packet filter provides two actions, forward and discard. With the forward action, the packet is routed as normal if all conditions within the rule are met. The discard action blocks all packets for which the conditions in the rule are not met. Thus, a packet filter is a device that inspects each packet for predefined content. Although it does not provide an error-correcting ability, it is almost always the first line of defence.

Since a packet filter can restrict all inbound traffic to a specific host, this restriction may prevent a hacker from being able to contact any other host within the internal network. However, the significant weakness with packet filters is that they cannot discriminate between good and bad packets. Even if a packet passes all the rules and is routed to the destination, packet filters cannot tell whether the routed packet contains good or malicious data. Another weakness of packet filters is their susceptibility to spoofing. In IP spoofing, an attacker sends packets with an incorrect source address. When this happens, replies will be sent to the apparent source address, not to the attacker. This might seem to be a problem.

Filtering gateways do have inherent risks including:
• The source and destination addresses and ports contained in the IP packet header are the only information that is available to the router in making the decision whether or not to permit traffic access to an internal network.
• They don’t protect against IP or DNS address spoofing.
• An attacker will have a direct access to any host on the internal network once access has been granted by the firewall.
• Strong user authentication isn’t supported with some packet filtering gateways.
• They provide little or no useful logging.
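As an added illustration (not code from the original post) of the rule processing described in this section: a small packet filter that reads its rules sequentially, takes the action of the first matching rule, discards anything that matches no rule, and includes the ingress anti-spoofing rule mentioned earlier (dropping packets from the Internet that claim an internal source address). The 10.0.0.0/8 intranet, the mail relay at 10.1.1.25 and the sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: the intranet uses 10.0.0.0/8.
INTERNAL_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router can see (constructed sample data)."""
    iface: str    # "ext" = arrived from the Internet, "int" = arrived from the LAN
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "discard"
    iface: Optional[str] = None   # None matches any value
    src: Optional[str] = None     # CIDR network, or None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every non-None field must match; only header fields are consulted."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Rules are read line by line; the first match decides. No match means discard.
RULES = [
    # Anti-spoofing: a packet from the Internet must not claim an intranet source.
    Rule("discard", iface="ext", src=INTERNAL_NET),
    # Inbound SMTP is allowed only to the mail relay on the bastion host.
    Rule("forward", iface="ext", dst="10.1.1.25/32", proto="tcp", dport=25),
    # Block TELNET and RLOGIN from the Internet to any internal host.
    Rule("discard", iface="ext", proto="tcp", dport=23),
    Rule("discard", iface="ext", proto="tcp", dport=513),
    # Internal hosts may open HTTP connections to the outside.
    Rule("forward", iface="int", src=INTERNAL_NET, proto="tcp", dport=80),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, rule number); rule number 0 means the default discard."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(p):
            return rule.action, n
    return "discard", 0


def log_line(p: Packet, decision) -> str:
    """The kind of entry a firewall with useful logging would record."""
    action, n = decision
    return f"{action.upper():7} rule={n} {p.iface} {p.src} -> {p.dst} {p.proto}/{p.dport}"


if __name__ == "__main__":
    for pkt in (Packet("ext", "10.2.3.4", "10.1.1.25", "tcp", 25),
                Packet("ext", "198.51.100.7", "10.1.1.25", "tcp", 25),
                Packet("ext", "198.51.100.7", "10.1.1.30", "tcp", 23)):
        print(log_line(pkt, filter_packet(pkt)))
```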

2. Circuit-Level Gateways
The circuit-level gateway represents a proxy server that statically defines what traffic will be forwarded. Circuit proxies always forward packets containing a given port number if that port number is permitted by the rule set. A circuit-level gateway operates at the network level of the OSI model. This gateway acts as an IP address translator between the Internet and the internal system. The main advantage of a proxy server is its ability to provide Network Address Translation (NAT). NAT hides the internal IP address from the Internet. NAT is the primary advantage of circuit-level gateways and provides security administrators with great flexibility when developing an address scheme internally.

Circuit-level gateways are based on the same principles as packet filter firewalls. When the internal system sends out a series of packets, these packets appear at the circuit-level gateway where they are checked against the predetermined rules set. If the packets do not violate any rules, the gateway sends out the same packets on behalf of the internal system. The packets that appear on the Internet originate from the IP address of the gateway’s external port, which is also the address that receives any replies. This process efficiently shields all internal information from the Internet.

3. Application Gateways
An application gateway uses server programs (called proxies) that run on the firewall. These proxies take external requests, examine them, and forward legitimate requests to the internal host that provides the appropriate service. Application gateways can support functions such as user authentication and logging.
The application-level gateway represents a proxy server, performing at the TCP/IP application level, that is set up and torn down in response to a client request, rather than existing on a static basis. Application proxies forward packets only when a connection has been established using some known protocol. When the connection closes, a firewall using application proxies rejects individual packets, even if the packets contain port numbers allowed by a rule set.

The application gateway analyses the entire message instead of individual packets when sending or receiving data. When an inside host initiates a TCP/IP connection, the application gateway receives the request and checks it against a set of rules or filters. The application gateway (or proxy server) will then initiate a TCP/IP connection with the remote server. The server will generate TCP/IP responses based on the request from the proxy server. The responses will be sent to the proxy server (application gateway) where the responses are again checked against the proxy server’s filters. If the remote server’s response is permitted, the proxy server will then forward the response to the inside host.

Application gateways (proxy servers) are used as intermediate devices when routing SMTP traffic to and from the internal network and the Internet. The main advantage of a proxy server is its ability to provide NAT for shielding the internal network from the Internet.

Since an application gateway is considered as the most secure type of firewall, this configuration provides a number of advantages to the medium-high risk site:
• The firewall can be configured as the only host address that is visible to the outside network, requiring all connections to and from the internal network to go through the firewall.
• The use of proxies for different services prevents direct access to services on the internal network, protecting the enterprise against insecure or misconfigured internal hosts.
• Strong user authentication can be enforced with application gateways.
• Proxies can provide detailed logging at the application level.

4. Hybrid or Complex Gateways
Hybrid gateways combine the above types of firewalls and implement them in series rather than in parallel. If they are connected in series, then the overall security is enhanced; on the other hand, if they are connected in parallel, then the network security perimeter will be only as secure as the least secure of all methods used. In medium to high-risk environments, a hybrid gateway may be the ideal firewall implementation.

Limitations of Firewalls
Firewalls have some limitations as well. Some of them are discussed as under:
1. Firewalls offer excellent protection against network threats, but they aren't a complete security solution. Certain threats are outside the control of the firewall. Other ways to protect against these threats can be figured out by incorporating physical security, host security, and user education into the overall security plan.
2. A firewall might keep a system user from being able to send proprietary information out of an organization over a network connection. But that same user could copy the data onto disk, tape, or paper and carry it out.
3. If the attacker is already inside the firewall, a firewall can do virtually nothing. Inside users can steal data, damage hardware and software, and subtly modify programs without ever coming near the firewall. Insider threats require internal security measures, such as host security and user education.
4. A firewall can effectively control the traffic that passes through it. However, there is nothing a firewall can do about traffic that doesn't pass through it. Sometimes, technically expert users or system administrators set up their own "back doors" into the network (such as a dial-up modem connection), either temporarily or permanently, because they chafe at the restrictions that the firewall places upon them and their systems.
5. A firewall is designed to protect against known threats. A well-designed one may also protect against new threats. However, no firewall can automatically defend against every new threat that arises. Periodically people discover new ways to attack, using previously trustworthy services, or using attacks that simply hadn't occurred to anyone before. A firewall can't protect against viruses.
6. Detecting a virus in a random packet of data passing through a firewall is very difficult; it requires:
• Recognizing that the packet is part of a program
• Determining what the program should look like
• Determining that the change is because of a virus

Conclusion
No doubt, firewalls have become an important part of a security mechanism today; still, it is equally essential to have a reliable, up-to-date anti-virus program on computers.