IT Department Forum, Doha Independent Secondary School for Boys
 Firewalls Part (3)

ghostpc
Post subject: Firewalls Part (3)   Tuesday, November 25, 2008, 7:45 pm



Conceptual Firewall Types:

Most people think of "a firewall" as a single box. Actually, it can be a whole group of systems working to defend your network. But we'll concentrate on the "single box" concept.

There are still multiple types of "single-box" firewalls:
1. proxy firewall
2. NAT firewall
3. transparent firewall

Generally speaking, though, all single-box firewalls have a separate "outside" and "inside" physical network interface. Some may have more than one of each.

1. Proxy firewall:

A proxy firewall runs special software written to allow specific programs to function. For example, an HTTP proxy is written to specifically allow HTTP access, and only HTTP access, through it.
It also requires special action to be taken at the user level. For example, in Netscape, you have to specifically edit the Properties dialog, go into "Advanced", then "Proxies", and make the appropriate entries there.

Advantages:

• The proxy is usually highly aware of the data format it handles, and can look for many "naughty" things, and protect you from them.

• You are guaranteed to allow only the specific protocols you wish to support.

Disadvantages:

• For any new protocol that you want to allow, you need a proxy that is specifically aware of that protocol.

• If an existing protocol is extended, you will probably need updated proxy software.

2. NAT firewall, AKA "Masquerading":

"NAT" stands for Network Address Translation. The idea is that you have a special range of addresses for your internal machines that is not normally reachable via the internet. The firewall will translate those addresses into a different, globally reachable IP address if the internal machine wants to make an outbound connection. This global address may be the firewall's own IP address, or it may be a "virtual" address that does not have a physical machine behind it at all.

Usually, home firewalls will use their own IP address, since there is only one IP address available for use. Business firewalls, on the other hand, should normally use a virtual address. This way, the address of the actual firewall is not shown to third parties out on the net.

A NAT firewall may have filters to only allow outbound packets on certain ports, or it may simply choose to allow all outbound connections.

Advantages:

• Requires no special configuration on the client side, except for normal routing configuration. Clients just have to know their default gateway, and that's about it.

The disadvantages of this sort of mechanism are:

There is no additional security beyond "allow this type of traffic". Once an internal client connects via an allowed protocol, anything can happen within the bounds of that protocol.

There is no way to allow for special protocols that require a return connection to be made.

If you wish to restrict certain types of protocols, you can only limit access to certain ports. On the one hand, this is too restrictive, because internal folks may not be able to access web servers on non-standard ports. And at the same time, this is too permissive, because there may be a disallowed service running on a non-standard port on the outside, and your internal folks will be able to access it in this case.

3. Transparent firewall:

A "transparent" firewall is an amalgam of a proxy firewall and a NAT firewall. An internal machine only has to know where to send packets to reach the outside, similar to a NAT firewall. However, the firewall may "transparently" invoke proxy-like mechanisms on certain traffic, for security purposes, rather than just blindly forwarding it through. The internal machines may or may not have a private IP address range.

Advantages:

No special configuration on the client side, just like a NAT firewall.
Allows for finer control and protection for well-known services.

Disadvantages:

Shares most of the disadvantages of a NAT firewall. If a particular application protocol is being used on a non-standard port, you will lose all "special" protections. Depending on your allow rules, it may not even happen at all.

Types of Firewalls:

There are two types of firewalls.
1. Filtering Firewalls - that block selected network packets.
2. Proxy Servers (sometimes called firewalls) - that make network connections for you.

Packet Filtering Firewalls:

Packet Filtering is the type of firewall built into the Linux kernel.
A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet.
Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router. Because of this you need a deep understanding of IP packet structure to work with one.

Because very little data is analyzed and logged, filtering firewalls take less CPU and create less latency in your network.

Filtering firewalls do not provide for password controls. Users cannot identify themselves. The only identity a user has is the IP number assigned to their workstation. This can be a problem if you are going to use DHCP (dynamic IP assignment). Because rules are based on IP numbers, you will have to adjust the rules as new IP numbers are assigned. I don't know how to automate this process.

Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet. With most proxy servers this is not true.

Proxy Servers:

Proxies are mostly used to control, or monitor, outbound traffic. Some application proxies cache the requested data. This lowers bandwidth requirements and decreases the access time to the same data for the next user. It also gives unquestionable evidence of what was transferred.

There are two types of proxy servers :

1. Application Proxies - that do the work for you.
2. SOCKS Proxies - that cross wire ports.

Application Proxy:

The best example is a person telnetting to another computer and then telnetting from there to the outside world. With an application proxy server the process is automated. As you telnet to the outside world, the client sends you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you.

Because proxy servers are handling all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL you see. For FTP proxies this includes every file you download. They can even filter out "inappropriate" words from the sites you visit or scan for viruses.

Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to login first. To a web user this would make every site look like it required a login.

SOCKS Proxy:

A SOCKS server is a lot like an old switchboard. It simply cross-wires your connection through the system to another outside connection.
Most SOCKS servers only work with TCP type connections. And like filtering firewalls, they don't provide for user authentication. They can, however, record where each user connected.

Firewall Features:

Depending on the features that a firewall supports, traffic is allowed or blocked using a variety of techniques. These techniques offer different degrees of protection based on the capabilities of the firewall. The following firewall features are listed in increasing order of complexity:

1. Network adapter input filters
2. Static packet filters
3. Network address translation (NAT)
4. Stateful inspection
5. Circuit-level inspection
6. Application layer filtering

In general, firewalls that provide complex features will also support simpler features. However, you should read vendor information carefully when choosing a firewall because there can be subtle differences between the implied and the actual capability of a firewall. Selection of a firewall typically involves inquiring about the features as well as testing to ensure that the product can indeed perform according to specifications.

1. Network Adapter Input Filters:

Network adapter input filtering examines source or destination addresses and other information in the incoming packet and either blocks the packet or allows it through. It applies only to incoming traffic and cannot control outgoing traffic. It matches IP addresses and port numbers for UDP and TCP, as well as the protocol of the traffic, TCP, UDP, and generic routing encapsulation (GRE). Network adapter input filtering allows a quick and efficient denial of standard incoming packets that meet the rule criteria configured in the firewall. However, it can easily be evaded, as it only matches headers of the IP traffic and works on the basic assumption that the traffic being filtered follows IP standards and is not crafted to evade the filtering.

2. Static Packet Filters:

Static packet filters are similar to network adapter input filters in the sense that they simply match IP headers to determine whether or not to allow the traffic to pass through the interface. However, static packet filters allow control over inbound as well as outbound communications to an interface. In addition, static packet filters typically allow an additional function over the network adapter filtering, which is to check if the Acknowledged (ACK) bit is set on the IP header. The ACK bit gives information on whether the packet is a new request or a return request from an original request. It does not verify that the packet was originally sent by the interface receiving it; it merely checks if the traffic coming into the interface appears to be return traffic based on the conventions of the IP headers.

This technique only applies to the TCP protocol and not the UDP protocol. Like network adapter input filtering, static packet filtering is very fast but its capabilities are limited and it can be evaded by specifically crafted traffic.

3. Network Address Translation:

In the worldwide IP address range, certain address ranges are designated as private addresses. These address ranges are intended to be used in your organization and have no meaning in the Internet. Traffic destined for any of these IP addresses cannot be routed through the Internet, so assigning a private address to your internal devices gives them some protection against intrusion. However these internal devices often need to access the Internet themselves and so Network Address Translation (NAT) converts the private address into an Internet address.

Although NAT is not strictly a firewall technology, concealing the real IP address of a server prevents attackers from gaining valuable information about the server.

4. Stateful Inspection:

In stateful inspection, all outgoing traffic is logged in a state table. When the connection traffic returns to the interface, the state table is checked to ensure that the traffic originated from this interface. Stateful inspection is slightly slower than static packet filtering. However, it ensures that traffic is only allowed to pass if it matches the outgoing traffic requests. The state table contains items such as destination IP address, source IP address, port being called, and originating host.

Certain firewalls may store more information (such as IP fragments sent and received) in the state table while others store less. The firewall can verify that the traffic is processed when all or just some of the fragmented information returns. Different vendors' firewalls implement the stateful inspection feature differently so you must read the firewall documentation carefully. The stateful inspection feature typically assists in mitigating the risk posed by network reconnaissance and IP spoofing.

5. Circuit-level Inspection:

With circuit-level filtering it is possible to inspect sessions, as opposed to connections or packets. A session may include multiple connections. Like dynamic packet filtering, sessions are established only in response to a user request. Circuit-level filtering provides built-in support for protocols with secondary connections, such as FTP and streaming media. It typically assists in mitigating the risk posed by network reconnaissance, DoS, and IP spoofing attacks.



6. Application Layer Filtering:

The most sophisticated level of firewall traffic inspection is application-level filtering. Good application filters allow you to analyze a data stream for a particular application and provide application-specific processing. This processing includes inspecting, screening or blocking, redirecting, and modifying the data as it passes through the firewall. This mechanism is used to protect against things like unsafe SMTP commands or attacks against internal Domain Name System (DNS). Typically, third-party tools for content screening such as virus detection, lexical analysis, and site categorization can be added to your firewall.
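An added example (not part of ghostpc's post) of the "masquerading" NAT described in the sections on NAT firewalls and Network Address Translation: outbound packets are rewritten to the firewall's single public address and a fresh port, the mapping is remembered, and replies are mapped back, while an inbound packet that matches no mapping has nowhere to go and is dropped. All addresses are constructed from the RFC 5737 documentation ranges, and the `Masquerade` class and its port-allocation scheme are this example's own simplification, not any product's implementation.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the addressing fields NAT rewrites."""
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Simplified source NAT: outbound flows get the public address plus a
    fresh port, the mapping is kept, and replies are translated back.
    Inbound packets that match no mapping are dropped (returned as None)."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.ports = count(first_port)      # next unused public port
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.out:             # first packet of this flow
            port = next(self.ports)
            self.out[key] = port
            self.back[port] = key
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip or pkt.dport not in self.back:
            return None                     # unsolicited: no internal target
        src, sport = self.back[pkt.dport]
        return replace(pkt, dst=src, dport=sport)


def demo() -> dict:
    """Two private hosts (constructed 10.0.0.x) share one public address; the
    server's reply to the first flow is mapped back, a probe to port 22 is not."""
    nat = Masquerade("198.51.100.1")
    a = nat.outbound(Packet("10.0.0.2", 40001, "203.0.113.80", 80))
    b = nat.outbound(Packet("10.0.0.3", 40001, "203.0.113.80", 80))
    reply = nat.inbound(Packet("203.0.113.80", 80, "198.51.100.1", a.sport))
    probe = nat.inbound(Packet("203.0.113.66", 31337, "198.51.100.1", 22))
    return {"a": a, "b": b, "reply": reply, "probe": probe}
```

Note that both private hosts use the same source port 40001; the mapping is keyed on address and port together, so they still get distinct public ports.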
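An added example (not from the original post) contrasting the post's Static Packet Filters and Stateful Inspection sections: a static filter admits any inbound packet whose ACK bit makes it look like return traffic, whereas a stateful filter keeps a table of outbound flows and admits only genuine replies. The `Packet` class, the four-tuple state table and the three constructed packets (documentation-range addresses) are this example's own simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet summary: the header fields the two filters read."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool       # TCP ACK flag set?
    inbound: bool   # arriving on the outside interface?


def static_filter(pkt: Packet) -> bool:
    """Static packet filter: inbound traffic is admitted when the ACK bit makes
    it look like a reply. Nothing about earlier packets is remembered."""
    return (not pkt.inbound) or pkt.ack


class StatefulFilter:
    """Stateful inspection: outbound flows go into a state table and an
    inbound packet is admitted only if it answers a recorded flow."""

    def __init__(self) -> None:
        self.table: set = set()

    def __call__(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # a reply swaps the source and destination of the original request
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic: a client request, the server's genuine reply, and a
# packet from an unrelated host that merely carries the ACK flag.
TRAFFIC = [
    Packet("10.0.0.2", 40001, "203.0.113.80", 443, ack=False, inbound=False),
    Packet("203.0.113.80", 443, "10.0.0.2", 40001, ack=True, inbound=True),
    Packet("203.0.113.66", 31337, "10.0.0.2", 22, ack=True, inbound=True),
]


def static_verdicts() -> list:
    return [static_filter(p) for p in TRAFFIC]


def stateful_verdicts() -> list:
    filt = StatefulFilter()     # fresh state table for each run
    return [filt(p) for p in TRAFFIC]
```

The third packet passes the static filter but not the stateful one, which is the evasion the post says static filtering is open to and stateful inspection mitigates.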
M.ALS3OD
Post subject: Re: Firewalls Part (3)   Saturday, September 19, 2009, 7:24 pm

Thanks for the effort.
