firewall doc

Upload: ravi-chowdary

Post on 06-Apr-2018


  • 8/2/2019 Firewall Doc

    1/23

    ABSTRACT

    The primary method for protecting networks today is to use a firewall: a boundary separating the protected network from the untrusted Internet. However, these firewalls offer no protection from internal attacks, scale poorly due to limited firewall processing capacity, and do not support mobile computing. Distributing a firewall to each network host avoids many of these problems, but weakens the security guarantees of the network since it places the firewall under the control of the host OS. Leveraging the increasing capability of embedded VLSI, including network-specific processors, we propose a Network Interface Card (NIC) based distributed firewall. Supporting the same (and more) functions as a centralized firewall, NIC-based firewalls provide significant benefits including: scalability, easier client customization, sharing application/OS state to enable application-level filtering, and the ability to block misbehaving hosts at the source, the host itself. We describe the architecture of a Network Interface Card-based distributed firewall and our implementation, which uses an i960-based NIC and IPsec for management and policy distribution. The firewall currently supports basic packet filtering and some application policies as well as secure policy distribution.

  • 8/2/2019 Firewall Doc

    2/23

    CHAPTER - 1

    INTRODUCTION

    Information systems in corporations, government agencies and other organizations have undergone a steady evolution:

    Centralized data processing systems, with a central mainframe supporting a number of directly connected terminals.

    Local Area Networks (LANs) interconnecting PCs and terminals to each other and the mainframe.

    Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two.

    Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN).

    Interconnectivity is no longer an option for most organizations. The information and services available are essential to the organizations. Moreover, individual users within the organization want and need Internet access, and if this is not provided via LAN, they will use dial-up capability from their PC to an Internet service provider (ISP). However, while Internet access provides benefits to the organization, it enables the outside world to reach and interact with local network assets. This creates a threat to the organization. While it is possible to equip each workstation and server in the premises network with strong security features, such as intrusion protection, this is not a practical approach. Consider a network with hundreds or even thousands of systems, running a mix of various versions of UNIX, plus Windows. When a security flaw is discovered, each potentially affected system must be upgraded to fix this flaw. The alternative, increasingly accepted, is the firewall. The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and audit can be imposed. The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.

    If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

    Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. As you read through this article, you will learn more about firewalls, how they work and what kinds of threats they can protect you from.


    CHAPTER - 2

    HOW FIREWALL WORKS

    2.1 What are Firewalls?

    A Firewall is basically a protective device. When one connects to the Internet, there are three things that are put at risk:

    Local Data
        o Secrecy
        o Integrity
        o Availability to Self

    Computer Resources

    One's Reputation

    Firewalls are essentially designed to protect against attacks that hamper local resources including data, not the communication over the Internet. They act as a barrier between the internal network and the Internet so as to screen through only the information that is considered safe by the Network Administrator.

    In theory, a Firewall serves multiple purposes:

    It restricts entering into the Network at carefully controlled points

    It prevents attacks from getting close to interior defenses

    It restricts leaving the Network at carefully controlled points

    Logically, a Firewall is a separator, a restrictor and an analyzer.

    2.2 Where are Firewalls needed and Why?

    Firewalls are one of the most indispensable components of the System for Security Conscious Users, Networks offering Services to a group of users or the World Wide Web, Corporations involved in e-commerce, as well as Educational Institutions.

    This is because any machine connected to the Internet is subject to several attacks. Some of them can be enumerated as:

    Intrusion: Penetrating into the Local System to utilize resources while pretending to be a legitimate user. This is the most common attack on a machine connected to the Internet.

    Denial of Service: This class of attacks is aimed purely at disrupting the services offered by the machine so that the users of the service are unable to use it at all.

    Information Theft: This type of attack deals with compromising the Secrecy of Data by simply acquiring a copy of the information serviced by a computer, with the only difference that the information is handed over into the wrong hands.

    Firewalls are primarily needed to prevent, or at least rarefy, the occurrence of such attacks. Besides, if and when they do occur, the firewall is meant to help in tracing down the origin of the crime.

    2.3 What Can a Firewall Do?

    Firewalls can do a lot for your site's security. In fact, some advantages of using firewalls extend even beyond security, as described below.

    2.3.1 A firewall is a focus for security decisions:

    Think of a firewall as a choke point. All traffic in and out must pass through this single, narrow checkpoint. A firewall gives you an enormous amount of leverage for network security because it lets you concentrate your security measures on this checkpoint: the point where your network connects to the Internet.

    Focusing your security in this way is far more efficient than spreading security decisions and technologies around, trying to cover all the bases in a piecemeal fashion. Although firewalls can cost tens of thousands of dollars to implement, most sites find that concentrating the most effective security hardware and software at the firewall is less expensive and more effective than other security measures - and certainly less expensive than having inadequate security.

    2.3.2 A firewall can enforce security policy:

    Many of the services that people want from the Internet are inherently insecure. The firewall is the traffic cop for these services. It enforces the site's security policy, allowing only "approved" services to pass through, and those only within the rules set up for them.

    For example, one site's management may decide that certain services such as Sun's Network File System (NFS) and Network Information Services (formerly known as Yellow Pages) (NIS/YP) are simply too risky to be used across the firewall. It doesn't matter what system tries to run them or what user wants them. The firewall will keep potentially dangerous services strictly inside the firewall. (There, they can still be used for insiders to attack each other, but that's outside of the firewall's control.) Another site might decide that only one internal system can communicate with the outside world. Still another site might decide to allow access from all systems of a certain type, or belonging to a certain group; the variations in site security policies are endless.

    A firewall may be called upon to help enforce more complicated policies. For example, perhaps only certain systems within the firewall are allowed to transfer files to and from the Internet; by using other mechanisms to control which users have access to those systems, you can control which users have these capabilities. Depending on the technologies you choose to implement your firewall, a firewall may have a greater or lesser ability to enforce such policies.

    2.3.3 A firewall can log Internet activity efficiently:

    Because all traffic passes through the firewall, the firewall provides a good place to collect information about system and network use - and misuse. As a single point of access, the firewall can record what occurs between the protected network and the external network.

    2.3.4 A firewall limits your exposure:

    Although this point is most relevant to the use of internal firewalls, it's worth mentioning here. Sometimes, a firewall will be used to keep one section of your site's network separate from another section. By doing this, you keep problems that impact one section from spreading through the entire network. In some cases, you'll do this because one section of your network may be more trusted than another; in other cases, because one section is more sensitive than another. Whatever the reason, the existence of the firewall limits the damage that a network security problem can do to the overall network.

    2.4 What Can't a Firewall Do?

    Firewalls offer excellent protection against network threats, but they aren't a complete security solution. Certain threats are outside the control of the firewall. You need to figure out other ways to protect against these threats by incorporating physical security, host security, and user education into your overall security plan. Some of the weaknesses of firewalls are discussed below.

    2.4.1 A firewall can't protect you against malicious insiders:

    A firewall might keep a system user from being able to send proprietary information out of an organization over a network connection; so would simply not having a network connection. But that same user could copy the data onto disk, tape, or paper and carry it out of the building in his or her briefcase.


    If the attacker is already inside the firewall - if the fox is inside the henhouse - a firewall can do virtually nothing for you. Inside users can steal data, damage hardware and software, and subtly modify programs without ever coming near the firewall. Insider threats require internal security measures, such as host security and user education. Such topics are beyond the scope of this book.

    2.4.2 A firewall can't protect you against connections that don't go through it:

    A firewall can effectively control the traffic that passes through it; however, there is nothing a firewall can do about traffic that doesn't pass through it. For example, what if the site allows dial-in access to internal systems behind the firewall? The firewall has absolutely no way of preventing an intruder from getting in through such a modem.

    Sometimes, technically expert users or system administrators set up their own "back doors" into the network (such as a dial-up modem connection), either temporarily or permanently, because they chafe at the restrictions that the firewall places upon them and their systems. The firewall can do nothing about this. It's really a people-management problem, not a technical problem.

    2.4.3 A firewall can't protect against completely new threats

    A firewall is designed to protect against known threats. A well-designed one may also protect against new threats. (For example, by denying any but a few trusted services, a firewall will prevent people from setting up new and insecure services.) However, no firewall can automatically defend against every new threat that arises. Periodically people discover new ways to attack, using previously trustworthy services, or using attacks that simply hadn't occurred to anyone before. You can't set up a firewall once and expect it to protect you forever.

    2.4.4 A firewall can't protect against viruses

    Firewalls can't keep PC and Macintosh viruses out of a network. Although many firewalls scan all incoming traffic to determine whether it is allowed to pass through to the internal network, the scanning is mostly for source and destination addresses and port numbers, not for the details of the data. Even with sophisticated packet filtering or proxying software, virus protection in a firewall is not very practical. There are simply too many types of viruses and too many ways a virus can hide within data.


    Detecting a virus in a random packet of data passing through a firewall is very difficult; it requires:

    Recognizing that the packet is part of a program

    Determining what the program should look like

    Determining that the change is because of a virus

    Even the first of these is a challenge. Most firewalls are protecting machines of multiple types with different executable formats. A program may be a compiled executable or a script (e.g., a UNIX shell script, or a HyperCard stack), and many machines support multiple compiled executable types. Furthermore, most programs are packaged for transport, and are often compressed as well. Packages being transferred via email or Usenet news will also have been encoded into ASCII in different ways.

    For all of these reasons, users may end up bringing viruses behind the firewall, no matter how secure that firewall is. Even if you could do a perfect job of blocking viruses at the firewall, however, you still haven't addressed the virus problem. You've done nothing about the far more common sources of viruses: software downloaded from dial-up bulletin-board systems, software brought in on floppies from home or other sites, and even software that comes pre-infected from manufacturers are all more common sources than virus-infected software on the Internet. Whatever you do to address those threats will also address the problem of software transferred through the firewall.

    The most practical way to address the virus problem is through host-based virus protection software, and user education concerning the dangers of viruses and precautions to take against them.


    CHAPTER - 3

    TYPES OF FIREWALLS

    There are basically three types of firewall: packet filters, application-level gateways, and circuit-level gateways, as shown in the following figure.

    3.1 Packet Filtering Firewall:

    A packet filtering firewall applies a set of rules to each IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal networks). Filtering rules are based on information contained in a network packet:

    Source IP address: The IP address of the system that originated the IP packet.

    Destination IP address: The IP address of the system the IP packet is trying to reach.

    Source and destination transport-level address: The transport-level (e.g. TCP or UDP) port number, which defines applications such as SNMP or TELNET.

    IP protocol field: Defines the transport protocol.

    Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.

    Because very little data is analyzed and logged, filtering firewalls take less CPU and create less latency in your network. Filtering firewalls do not provide for password controls. Users can't identify themselves. The only identity a user has is the IP number assigned to their workstation.

    [Figure: packet filtering firewall placed between the Internet and the private network]


    3.2 Application level Gateway:

    An application-level gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.

    Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.

    Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

    A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

    [Figure: application-level gateway relaying TELNET, FTP and SMTP between an inside connection and an outside connection]


    3.3 Circuit level gateway:

    A third type of firewall is the circuit-level gateway. This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. A circuit-level gateway does not permit end-to-end TCP connections; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

    Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

    A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.

    In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outbound data.

    One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

    [Figure: circuit-level gateway relaying an outside connection to an inside connection, with traffic shown in and out on each side]


    3.4 Typical Architectures for Firewall Implementation:

    3.4.1 Single-Box Architecture

    These are the simplest firewall architectures and have a single object that acts as a firewall. The only advantage they have to offer is that they're easy to implement, test and maintain.

    They do not offer defense in depth and hence are not very secure. All the security is concentrated at a single point. If that fails, the entire security framework collapses.

    Screening Routers and Dual-Homed Hosts are classic examples of Single-Box Architectures. These are low-cost implementations of firewalls on a network.

    The most appropriate places to set up such architectures are:

    When the network to be protected is small

    When no services are being provided to the Internet


    3.4.2 Screened Host Architecture

    Such an architecture comprises a router configured to permit or deny traffic based on a set of permission rules installed by the administrator, and a host on a network behind the screening router. The degree to which a screened host may be accessed depends on the screening rules in the router. The screened host is connected to the internal network using a separate router. The primary security is provided by packet filtering.

    The most appropriate places to set up such architectures are:

    There are few connections to and from the Internet

    The network being protected has a high level of host security

    3.4.3 Screened Subnet Architecture

    This architecture comprises a subnet behind a screening router. This adds an extra layer of security to the Screened Host architecture that provides defense in depth. Breaking into the host doesn't make the internal hosts completely vulnerable. The degree to which the subnet may be accessed depends on the screening rules in the router.


    The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through.

    This and multiple variants of this architecture are suitable for most uses.


    CHAPTER - 4

    MAKING THE FIREWALL FIT

    Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:

    IP address: Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137.

    Domain names: Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.

    Protocols: The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. HTTP, for example, is the Web's protocol. Some common protocols that you can set firewall filters for include:

    IP (Internet Protocol) - the main delivery system for information over the Internet

    TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet

    HTTP (Hyper Text Transfer Protocol) - used for Web pages

    FTP (File Transfer Protocol) - used to download and upload files

    UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video

    ICMP (Internet Control Message Protocol) - used by a router to exchange information with other routers

    SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)

    SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer

    Telnet - used to perform commands on a remote computer


    A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.

    Ports: Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

    Specific words and phrases: This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match.

    Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

    With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information.

    Hardware firewalls are incredibly secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under $100.

    4.2 What It Protects You From

    There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

    Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.

    Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor or hidden access that provides some level of control of the program.


    SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.

    Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.

    Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

    E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

    Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.

    Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

    Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.

    Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

    Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.


    Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.

    4.3 Security Strategies implemented using Firewalls:

    After satisfying the hardware requirements for the firewall desired, some configurations need to be put into place to make the firewall do its work. A firewall is able to screen out communication based on the policy defined by the Network Administrator. There are two basic approaches/stances that can be taken depending on the needs of the network.

    Default Deny

    Prohibit all communication that is not expressly permitted. This kind of stance makes sense from a security point of view and is an obvious choice for administrators. However, the implications of such a strategy are not very helpful to the users of the network.

    Default Permit

    Permit all communication that is not explicitly prohibited. This stance is more appealing to users but is extremely risky, and takes into consideration only things that the Network Administrator can predict beforehand to be capable of compromising the security of the network.

    Besides these, there are several simple strategies that can be employed to enhance the security of the network using Firewalls:

    Least Privilege

    This involves designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach.

    Defense in Depth

    It is a security approach whereby each system on the network is secured to the greatest possible degree. This approach is usually used in conjunction with firewalls.
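    As an added example (not code from the original document or from any firewall product it names), the following Python program models the packet filter of section 3.1 and the two default stances of section 4.3: each rule matches on source and destination address, IP protocol, destination port and arrival interface, the first matching rule wins, and the default policy decides any packet the rules do not mention. The rule set, the interface names "ext"/"int" and the RFC 5737 documentation addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# All addresses below are constructed for this example (RFC 5737 documentation
# ranges); they are not taken from the original document.
INTERNAL_NET = "192.0.2.0/24"


@dataclass
class Packet:
    """The header fields a packet filter inspects (section 3.1)."""
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # IP protocol field: "tcp", "udp" or "icmp"
    dport: Optional[int]      # destination port, None for protocols without ports
    iface: str                # interface the packet arrived on: "ext" or "int"


@dataclass
class Rule:
    """One filtering rule; a None field matches anything."""
    action: str                    # "accept" or "drop"
    src: str = "0.0.0.0/0"         # source network in CIDR notation
    dst: str = "0.0.0.0/0"         # destination network in CIDR notation
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the default stance decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set for a small site with one web server and one mail relay.
RULES = [
    # Anti-spoofing: a packet claiming an internal source address cannot
    # legitimately arrive on the external interface, so drop it first.
    Rule("drop", src=INTERNAL_NET, iface="ext"),
    # Only the web server (TCP/80) and the mail relay (TCP/25) are reachable
    # from the outside.
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80, iface="ext"),
    Rule("accept", dst="192.0.2.25/32", proto="tcp", dport=25, iface="ext"),
]


def verdicts(p: Packet) -> dict:
    """Evaluate the same packet under both stances from section 4.3."""
    return {
        "default_deny": filter_packet(RULES, p, "drop"),
        "default_permit": filter_packet(RULES, p, "accept"),
    }


# Constructed sample packets arriving on the external interface.
WEB_REQUEST = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, "ext")
UDP_TO_WEB = Packet("203.0.113.7", "192.0.2.10", "udp", 80, "ext")
TELNET_TO_WEB = Packet("203.0.113.7", "192.0.2.10", "tcp", 23, "ext")
SPOOFED_INTERNAL = Packet("192.0.2.50", "192.0.2.10", "tcp", 80, "ext")

if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("udp to web", UDP_TO_WEB),
                      ("telnet to web", TELNET_TO_WEB),
                      ("spoofed internal source", SPOOFED_INTERNAL)]:
        print(f"{name:24s} {verdicts(pkt)}")
```

    Under default deny, the UDP datagram to port 80 and the Telnet attempt are dropped because no rule mentions them; under default permit the same two packets pass, which is the risk the text attributes to that stance. The packet with a spoofed internal source is dropped under both stances because the anti-spoofing rule is matched first, which is why rule order matters in a first-match filter.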


    CHAPTER - 5

    TESTING A FIREWALL CONFIGURATION

    After you've designed an appropriate firewall configuration, it's important tovalidate that it does in fact do what you want it to do. One way to do this is touse a test host outside your network to attempt to pierce your firewall: this canbe quite clumsy and slow, though, and is limited to testing only those addressesthat you can actually use.

    A faster and easier method is available with the Linux firewall implementation. It allows you to manually generate tests and run them through the firewall configuration just as if you were testing with actual datagrams. All varieties of the Linux kernel firewall software, ipfwadm, ipchains, and iptables, provide support for this style of testing. The implementation involves use of the relevant check command.

    The general test procedure is as follows:

    1. Design and configure your firewall using ipfwadm, ipchains, or iptables.

    2. Design a series of tests that will determine whether your firewall is actually working as you intend. For these tests you may use any source or destination address, so choose some address combinations that should be accepted and some others that should be dropped. If you're allowing or disallowing only certain ranges of addresses, it is a good idea to test addresses on either side of the boundary of the range -- one address just inside the boundary and one address just outside the boundary. This will help ensure that you have the correct boundaries configured, because it is sometimes easy to specify netmasks incorrectly in your configuration. If you're filtering by protocol and port number, your tests should also check all important combinations of these parameters. For example, if you intend to accept only TCP under certain circumstances, check that UDP datagrams are dropped.

    3. Develop ipfwadm, ipchains, or iptables rules to implement each test. It is probably worthwhile to write all the rules into a script so you can test and re-test easily as you correct mistakes or change your design. Tests use almost the same syntax as rule specifications, but the arguments take on slightly differing meanings. For example, the source address argument in a rule specification specifies the source address that datagrams matching this rule should have. The source address argument in test syntax, in contrast, specifies the source address of the test datagram that will be generated. For ipfwadm, you must use the -c option to specify that this command is a test, while for ipchains and iptables, you must use the -C option. In all cases you must always specify the source address, destination address, protocol, and interface to be used for the test. Other arguments, such as port numbers or TOS bit settings, are optional.

    4. Execute each test command and note the output. The output of each test will be a single word indicating the final target of the datagram after running it through the firewall configuration -- that is, where the processing ended. For ipchains and iptables, user-specified chains will be tested in addition to the built-in ones.

    5. Compare the output of each test against the desired result. If there are any discrepancies, you will need to analyse your ruleset to determine where you've made the error. If you've written your test commands into a script file, you can easily rerun the test after correcting any errors in your firewall configuration. It's a good practice to flush your rulesets completely and rebuild them from scratch, rather than to make changes dynamically. This helps ensure that the active configuration you are testing actually reflects the set of commands in your configuration script.

    Let's take a quick look at what a manual test transcript would look like for our naïve example with ipchains. You will remember that our local network in the example was 172.16.1.0 with a netmask of 255.255.255.0, and we were to allow TCP connections out to web servers on the net. Nothing else was to pass our forward chain. Start with a transmission that we know should work, a connection from a local host to a web server outside:

    # ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0

    accepted

    Note which arguments had to be supplied and the way they've been used to describe a datagram. The output of the command indicates that the datagram was accepted for forwarding, which is what we hoped for.

    Now try another test, this time with a source address that doesn't belong to our network. This one should be denied:

    # ipchains -C forward -p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0

    denied
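    The test procedure above and the naïve ipchains transcript, together with the default-deny versus default-permit stances from the previous chapter, can be modelled offline. The following is an added example, not code from the original document and not ipchains itself: a small Python packet-filter simulator that reads test datagrams written in the same argument syntax as the `ipchains -C` commands on the page, applies a rule chain with first-match-wins semantics and a default policy, and runs a scripted test list so discrepancies are reported rather than read off by eye. The FORWARD chain, the extra boundary/protocol/port/interface test cases and the words "accepted"/"denied" are constructed to mirror the example; a real ipchains rule set would be tested with the real command.

```python
"""Offline model of ipchains -C style firewall testing (constructed example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None in an optional field means 'any'."""
    target: str                      # "accepted" or "denied"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None


@dataclass(frozen=True)
class Datagram:
    """The test datagram a -C command describes."""
    proto: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]
    iface: str


def parse_check_args(args: str) -> Datagram:
    """Parse '-p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0'.
    Source, destination, protocol and interface are mandatory, as in the
    text; the port after an address is optional."""
    toks = shlex.split(args)
    fields = {}
    i = 0
    while i < len(toks):
        flag = toks[i]
        if flag in ("-s", "-d"):
            addr = ipaddress.ip_address(toks[i + 1])
            port = None
            i += 2
            if i < len(toks) and toks[i].isdigit():   # optional port token
                port = int(toks[i])
                i += 1
            fields["src" if flag == "-s" else "dst"] = addr
            fields["sport" if flag == "-s" else "dport"] = port
        elif flag in ("-p", "-i"):
            fields["proto" if flag == "-p" else "iface"] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported argument {flag}")
    for required in ("src", "dst", "proto", "iface"):
        if required not in fields:
            raise ValueError(f"missing mandatory argument for {required}")
    return Datagram(**fields)


def matches(rule: Rule, dg: Datagram) -> bool:
    return ((rule.proto is None or rule.proto == dg.proto)
            and dg.src in rule.src
            and dg.dst in rule.dst
            and (rule.dport is None or rule.dport == dg.dport)
            and (rule.iface is None or rule.iface == dg.iface))


def check(chain: List[Rule], default_policy: str, args: str) -> str:
    """Model of `ipchains -C <chain> <args>`: the first matching rule decides,
    otherwise the chain's default policy (the stance) does."""
    dg = parse_check_args(args)
    for rule in chain:
        if matches(rule, dg):
            return rule.target
    return default_policy


# The naive example from the text: local net 172.16.1.0/24; only outbound TCP
# to web servers (port 80) on eth0 may pass the forward chain.
FORWARD: List[Rule] = [
    Rule("accepted", ipaddress.ip_network("172.16.1.0/24"),
         ipaddress.ip_network("0.0.0.0/0"), proto="tcp", dport=80, iface="eth0"),
]

# Test script (steps 2 and 3): one line per datagram with its expected result,
# including addresses on both sides of the netmask boundary, a UDP datagram,
# a wrong port and a wrong interface (constructed cases).
TESTS: List[Tuple[str, str]] = [
    ("-p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0",   "accepted"),  # page's first test
    ("-p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0",   "denied"),    # page's second test
    ("-p tcp -s 172.16.1.255 1025 -d 44.136.8.2 80 -i eth0", "accepted"),  # just inside the /24
    ("-p tcp -s 172.16.0.255 1025 -d 44.136.8.2 80 -i eth0", "denied"),    # just below the /24
    ("-p udp -s 172.16.1.10 1025 -d 44.136.8.2 80 -i eth0",  "denied"),    # UDP must be dropped
    ("-p tcp -s 172.16.1.10 1025 -d 44.136.8.2 443 -i eth0", "denied"),    # not a web port
    ("-p tcp -s 172.16.1.10 1025 -d 44.136.8.2 80 -i eth1",  "denied"),    # wrong interface
]


def run_tests(chain: List[Rule], default_policy: str,
              tests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Steps 4 and 5: run every test and return (args, got, expected) for each
    discrepancy; an empty list means the chain behaves as intended."""
    return [(args, got, expected) for args, expected in tests
            if (got := check(chain, default_policy, args)) != expected]


if __name__ == "__main__":
    print("default deny  :", run_tests(FORWARD, "denied", TESTS) or "all tests passed")
    # The same chain under a default-permit stance: everything the single rule
    # does not name now passes, which is why the text calls that stance risky.
    for failure in run_tests(FORWARD, "accepted", TESTS):
        print("default permit:", failure)
```

    Under the default-deny stance every test passes; switching the same chain to default permit fails five of the seven cases, because the foreign source address, the address just below the boundary, UDP, port 443 and eth1 are no longer caught by anything the administrator wrote down in advance.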


    CHAPTER- 6

    CONCLUSION

    To conclude, firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet.

    The following capabilities are within the scope of a firewall:

    1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

    2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.

    3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits and logs Internet usage.

    4. A firewall can serve as the platform for IPsec.

    However, firewalls have their own limitations:

    1. A firewall cannot protect against attacks that bypass the firewall.

    2. The firewall does not protect against internal threats such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.

    3. The firewall cannot protect against the transfer of virus-infected programs or files.
