
Pangasinan State University
Bayambang Campus
Bayambang, Pangasinan
S.Y. 2012-2013

A WRITTEN REPORT IN NETWORK MANAGEMENT:

FIREWALL
Submitted by: Eligio Czar P. Pacis VII Ruby Ann C. Sernadilla
Group II
Submitted to: Rommel B. Ferrer, MIT
Instructor

In this report:
Understanding What a Firewall Does
History of Firewall
Importance of Firewall
How a Firewall works
Type of Firewall
Types of Firewall Techniques
Firewall Configuration
Best Firewall Software for 2011: Pros and Cons

Introduction
In the cyber age, threats to computer networks are beyond dispute. Any corporation would prioritize the safety of its networked resources, the availability of its IT infrastructure, and the confidentiality, integrity and availability of the information it stores and/or transmits. Threats come in various forms: malicious attacks, viruses, Trojan horses, spam, malware, masquerading, eavesdropping, theft, deletion, corruption, etc. Researchers and developers work around the clock to combat security risks. Firewalls are essential components in improving network security. Anti-virus developers always recommend the use of a separate firewall. Leading security companies such as Kaspersky, Symantec, Norton and McAfee, as well as internetworking device manufacturers such as Cisco, develop firewall solutions for this purpose. A firewall reduces the risks that come from other networks, which may have fatal consequences if an attack succeeds. Firewalls restrict unwanted traffic or packets from entering an enterprise network, enhancing security. They can be fitted to purpose and work according to policies set by the administrator or security specialist. Incorporating a firewall into a network structure is likely to increase processing and may even create bottlenecks.

Defining a Firewall
A firewall is a piece of software or hardware that filters all network traffic between your computer, home network, or company network and the Internet.

A firewall is a device or set of devices that permits or denies network communications, both inbound and outbound, typically between clients (desktops, laptops) and servers (web servers, databases, file servers). Permissions are based on a set of rules (a ruleset) and are used to protect networks from unauthorized access while allowing legitimate communications to pass through.

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control which outside resources its own users have access to.

Before the term firewall was used for a component of a computer network, it described a wall that was designed to contain a fire. A brick and mortar firewall is designed to contain a fire in one part of a building and thus prevent it from spreading to another part of the building. Any fire that may erupt inside a building stops at the firewall and won't spread to other parts of the building. A firewall in a computer network performs a role that is very similar to that of a firewall in a building. Just as a firewall made out of concrete protects one part of a building, a firewall in a network ensures that if something bad happens on one side of the firewall, computers on the other side won't be affected. Unlike a building firewall, which protects against a very specific threat (fire), a network firewall has to protect against many different kinds of threats.

History of Firewall
The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment. Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s:

Clifford Stoll's discovery of German spies tampering with his system.
Bill Cheswick's "Evening with Berferd" 1992 in which he set up a simple electronic to observe an attacker.
In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."

The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.

Firewall as a Component of a Network


The basic components of a network, which act as the front-line gatekeepers, are the router, the firewall, and the switch. Figure 15.1 shows these core components.

Figure 15.1 Network components: router, firewall, and switch

What Firewalls Do
So what exactly does a firewall do? As network traffic passes through the firewall, the firewall decides which traffic to forward and which traffic not to forward, based on rules that you have defined. All firewalls screen traffic that comes into your network, but a good firewall should also screen outgoing traffic.

Normally a firewall is installed where your internal network connects to the Internet. Although larger organizations may also place firewalls between different parts of their own network that require different levels of security, most firewalls screen traffic passing between an internal network and the Internet. This internal network may be a single computer or it may contain thousands of computers. The following list includes the most common features of firewalls:

Block incoming network traffic based on source or destination: Blocking unwanted incoming traffic is the most common feature of a firewall.
Block outgoing network traffic based on source or destination: Many firewalls can also screen network traffic from your internal network to the Internet. For example, you may want to prevent employees from accessing inappropriate Web sites.
Block network traffic based on content: More advanced firewalls can screen network traffic for unacceptable content. For example, a firewall that is integrated with a virus scanner can prevent files that contain viruses from entering your network. Other firewalls integrate with e-mail services to screen out unacceptable e-mail.
Make internal resources available: Although the primary purpose of a firewall is to prevent unwanted network traffic from passing through it, you can also configure many firewalls to allow selective access to internal resources, such as a public Web server, while still preventing other access from the Internet to your internal network.
Allow connections to internal network: A common method for employees to connect to a network is using virtual private networks (VPNs). VPNs allow secure connections from the Internet to a corporate network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network. VPNs are also used to connect branch offices to each other. Some firewalls include VPN functionality and make it easy to establish such connections.
Report on network traffic and firewall activities: When screening network traffic to and from the Internet, it's also important to know what your firewall is doing, who tried to break into your network, and who tried to access inappropriate material on the Internet. Most firewalls include a reporting mechanism of some kind or another.

Figure 2.0 Graphical comparison of a network with and without a firewall

Firewall Considerations
A firewall should exist anywhere you interact with an untrusted network, especially the Internet. It is also recommended that you separate your Web servers from downstream application and database servers with an internal firewall. After the router, with its broad filters and gatekeepers, the firewall is the next point of attack. In many (if not most) cases, you do not have administrative access to the upstream router. Many of the filters and ACLs that apply to the router can also be implemented at the firewall. The configuration categories for the firewall include:

Patches and updates
Filters
Auditing and logging
Perimeter networks
Intrusion detection

Patches and Updates
Subscribe to alert services provided by the manufacturer of your firewall and operating system to stay current with both security issues and service patches.

Filters
Filtering published ports on a firewall can be an effective and efficient method of blocking malicious packets and payloads. Filters range from simple packet filters that restrict traffic at the network layer based on source and destination IP addresses and port numbers, to complex application filters that inspect application-specific payloads. A defense in depth approach that uses layered filters is a very effective way to block attacks. There are six common types of firewall filters:

Packet filters: These can filter packets based on protocol, source or destination port number and source or destination address, or computer name. IP packet filters are static, and communication through a specific port is either allowed or blocked. Blocked packets are usually logged, and a secure packet filter denies by default. At the network layer, the payload is unknown and might be dangerous. More intelligent types of filtering must be configured to inspect the payload and make decisions based on access control rules.

Circuit-level filters: These inspect sessions rather than payload data. An inbound or outbound client makes a request directly against the firewall/gateway, and in turn the gateway initiates a connection to the server and acts as a broker between the two connections. With knowledge of application connection rules, circuit level filters ensure valid interactions. They do not inspect the actual payload, but they do count frames to ensure packet integrity and prevent session hijacking and replaying.

Application filters: Smart application filters can analyze a data stream for an application and provide application-specific processing, including inspecting, screening or blocking, redirecting, and even modifying the data as it passes through the firewall. Application filters protect against attacks such as the following:
Unsafe SMTP commands
Attacks against internal DNS servers
HTTP-based attacks (for example, Code Red and Nimda, which use application-specific knowledge)
For example, an application filter can block an HTTP DELETE, but allow an HTTP GET. The capabilities of content screening, including virus detection, lexical analysis, and site categorization, make application filters very effective in Web scenarios both as security measures and in enforcement of business rules.

Stateful inspection: Application filters are limited to knowledge of the payload of a packet and therefore make filtering decisions based only on the payload. Stateful inspection uses both the payload and its context to determine filtering rules. Using the payload and the packet contents allows stateful inspection rules to ensure session and communication integrity. The inspection of packets, their payload, and sequence limits the scalability of stateful inspection.

Custom application filters: These filters ensure the integrity of application server/client communication.

When you use filters at multiple levels of the network stack, it helps make your environment more secure. For example, a packet filter can be used to block IP traffic destined for any port other than port 80, and an application filter might further restrict traffic based on the nature of the HTTP verb. For example, it might block HTTP DELETE verbs.

Logging and Auditing
Logging all incoming and outgoing requests regardless of firewall rules allows you to detect intrusion attempts or, even worse, successful attacks that were previously undetected. Historically, network administrators sometimes had to analyze audit logs to determine how an attack succeeded. In those cases, administrators were able to apply solutions to the vulnerabilities, learn how they were compromised, and discover other vulnerabilities that existed. Apply the following policies for logging and log auditing.
Log all traffic that passes through the firewall.
Maintain healthy log cycling that allows quick data analysis. The more data you have, the larger the log file size.
Make sure the firewall clock is synchronized with the other network hardware.

Perimeter Networks
A firewall should exist anywhere your servers interact with an untrusted network. If your Web servers connect to a back-end network, such as a bank of database servers or corporate network, a screen should exist to isolate the two networks. While the Web zone has the greatest degree of exposure, a compromise in the Web zone should not result in the compromise of downstream networks. By default, the perimeter network should block all outbound connections except those that are expected.

Advantages of a Perimeter Network
The perimeter network provides the following advantages:
Hosts are not directly exposed to untrusted networks.
Exposed or published services are the only point of external attack.
Security rules can be enforced for access between networks.

Disadvantages of a Perimeter Network
The disadvantages of a perimeter network include:
Network complexity
IP address allocation and management
Requirement that the application architecture accommodate the perimeter network design
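
The layered filtering described under Filters and the logging policy under Logging and Auditing, as an added example that is not part of the original report: a deny-by-default packet filter that admits only TCP port 80 to a published web server, followed by an application filter that blocks the HTTP DELETE verb, with every decision logged. The addresses, the rule set and the Packet type are constructed for illustration, and each Packet stands for the first data segment of a connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Assumption: one Packet stands for the first data segment of a connection.
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Constructed rule set: (action, protocol, destination network, destination port).
# 203.0.113.10 is a documentation address standing in for a published web server.
RULES = [("allow", "tcp", ipaddress.ip_network("203.0.113.10/32"), 80)]
BLOCKED_VERBS = {"DELETE"}  # the verb the text uses as its example


def packet_filter(pkt):
    """Network-layer check: first matching rule wins, no match means deny."""
    for number, (action, proto, net, port) in enumerate(RULES, start=1):
        if pkt.proto == proto and pkt.dport == port and ipaddress.ip_address(pkt.dst) in net:
            return action, f"rule {number}"
    return "deny", "default deny"


def application_filter(pkt):
    """Application-layer check: parse the HTTP request line and screen the verb."""
    request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny", "malformed request line"
    if parts[0].upper() in BLOCKED_VERBS:
        return "deny", f"verb {parts[0]} blocked"
    return "allow", f"verb {parts[0]} permitted"


def evaluate(pkt, log):
    """Run both layers in order and log the decision whether it passes or not."""
    layer = "packet"
    action, reason = packet_filter(pkt)
    if action == "allow":
        layer = "application"
        action, reason = application_filter(pkt)
    log.append(f"{action.upper()} layer={layer} {pkt.src} -> "
               f"{pkt.dst}:{pkt.dport}/{pkt.proto} ({reason})")
    return action


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"DELETE /index.html HTTP/1.1\r\n\r\n"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),
    ]
    audit_log = []
    for p in sample:
        evaluate(p, audit_log)
    print("\n".join(audit_log))
```
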

A firewall that fits


Clothing salespeople want us to believe that there is a size that fits all. As a smart consumer and a fashionable dresser, you know that there is no such thing as one size that fits all. Similarly, there is also no size of firewall that works well for every organization. Firewalls usually fall into one of the categories in the following list. The type of firewall that you install depends on your exact requirements for protection and management.

Personal firewall: A personal firewall is most often installed as a piece of software on a single computer and protects just that computer. Personal firewalls also come as separate hardware components, or they may be built into other network devices, but they all protect a single computer or a very small number of computers. Personal firewalls also normally have very limited reporting and management features.
Departmental or small organization firewall: These firewalls are designed to protect all the computers in an office of limited size that is in a single location. Firewalls in this category have the capacity to screen network traffic for a limited number of computers, and the reporting and management capabilities are adequate for this function.
Enterprise firewall: Enterprise firewalls are appropriate for larger organizations, including organizations with thousands of users that are geographically dispersed. The reporting capabilities include consolidated reports for multiple firewalls; the management tools enable you to configure multiple firewalls in a single step.

Types of Firewalls
There are three basic types of firewalls, and we'll consider each of them.

Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.

Figure 5: A sample application gateway

These are also typically the slowest, because more processes need to be started in order to have a request serviced. Figure 5 shows an application gateway.

Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins. Figure 6 shows a packet filtering gateway.

Because we're working at a lower level, supporting new applications either comes automatically, or is a simple matter of allowing a specific packet type to pass through the gateway. (Not that the possibility of something automatically makes it a good idea; opening things up this way might very well compromise your level of security below what your policy allows.) There are problems with this method, though. Remember, TCP/IP has absolutely no means of guaranteeing that the source address is really what it claims to be. As a result, we have to use layers of packet filters in order to localize the traffic. We can't get all the way down to the actual host, but with two layers of packet filters, we can differentiate between a packet that came from the Internet and one that came from our internal network. We can identify which network the packet came from with certainty, but we can't get more specific than that.

Figure 6: A sample packet filtering gateway

Hybrid Systems
In an attempt to marry the security of the application layer gateways with the flexibility and speed of packet filtering, some vendors have created systems that use the principles of both.

In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed. Other possibilities include using both packet filtering and application layer proxies. The benefits here include providing a measure of protection for your machines that provide services to the Internet (such as a public web server), as well as providing the security of an application layer gateway to the internal network. Additionally, using this method, an attacker, in order to get to services on the internal network, will have to break through the access router, the bastion host, and the choke router.
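
The two checks described above, as an added example that is not part of the original report: a gateway that rejects packets whose source address is on the wrong side for the interface they arrived on, then passes only packets that belong to a conversation approved when it was opened. The 10.0.0.0/8 internal range, the outbound_web_only policy and the HybridGateway class are assumptions made for illustration.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def outbound_web_only(iface, src, dst, dport):
    """Hypothetical approval policy: internal clients may open web connections."""
    return iface == "internal" and dport in (80, 443)


class HybridGateway:
    def __init__(self, approve):
        self.approve = approve   # stands in for the application-layer approval step
        self.sessions = set()    # conversations that were approved and are still open

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent key, so replies match the session they belong to.
        return frozenset({(src, sport), (dst, dport)})

    @staticmethod
    def wrong_side(iface, src):
        # The source field can be forged, the arrival interface cannot:
        # internal addresses must arrive on "internal", all others on "external".
        inside = ipaddress.ip_address(src) in INTERNAL_NET
        return inside != (iface == "internal")

    def handle(self, iface, src, sport, dst, dport, syn=False, fin=False):
        if self.wrong_side(iface, src):
            return "drop: source address not valid on this interface"
        key = self._key(src, sport, dst, dport)
        if key in self.sessions:
            if fin:  # simplified teardown: one FIN closes the session
                self.sessions.discard(key)
            return "pass: established"
        if syn and self.approve(iface, src, dst, dport):
            self.sessions.add(key)
            return "pass: new connection approved"
        return "drop: not part of an approved conversation"


def demo():
    """Run constructed traffic through the gateway and return each verdict."""
    gw = HybridGateway(outbound_web_only)
    client, server = ("10.1.2.3", 40000), ("198.51.100.5", 443)
    return [
        gw.handle("internal", *client, *server, syn=True),           # approved at setup
        gw.handle("external", *server, *client),                     # reply in session
        gw.handle("external", "198.51.100.9", 443, *client),         # unsolicited
        gw.handle("external", "10.9.9.9", 1234, *client, syn=True),  # forged source
        gw.handle("internal", *client, *server, fin=True),           # session closes
        gw.handle("external", *server, *client),                     # late packet
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
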

Top 10 Best Firewall Software: Pros and Cons


1. ZoneAlarm PRO Firewall
Pros: Protect yourself with the best multi-layered firewall technology around. Simple to install (step-by-step installation wizard gets you up and running in minutes). Easy to use (comes with default security settings for "out-of-the-box" protection).
Cons: Can be a little bit confusing for the beginner if the right options are not chosen during installation.

2. Panda Global Protection 2012
Pros: Designed for home and small office settings, this suite (identity protection, anti-spam filter, etc) provides a reliable solution to intrusion prevention and a personal firewall for individual PCs.
Cons: In testing, Panda detected only up to 92% of threats; however, it scored best against rogue programs (adware, trojan, etc) with 100 percent detection.

3. F-Secure Internet Security
Pros: The advanced firewall provides a complete and easy-to-use protection against Internet threats. Ensures good protection against all new external attacks. Clean user interface. Phone support available. Enhanced anti-spam tool. Helps you stay free from spam email.
Cons: Parental control and phishing protection are weak. There is room for improvement here. Supports Firefox and Internet Explorer only.

4. ESET Smart Security 5
Pros: Protects you from viruses, worms, spyware, and all Internet threats; also blocks spam and includes a personal firewall. The best way to constantly monitor and defend your PC from internet attacks.
Cons: Anti-spam protection could be better, as compared to suites from other security product vendors.

5. Norman Personal Firewall
Pros: The program starts operating as soon as it is installed. It defends your computer or laptop against most intrusion techniques used by intruders.
Cons: Does not report Web-based exploits. Unable to detect all leak tests. Parental control module is not so good. The program may not be best for beginners.

6. Net Firewall 2012
Pros: An effective solution for protecting your system or local network from external and internal threats and malicious acts without limiting network capabilities. Only the data permitted by the security policy in use are passed along.
Cons: As in the previous versions, online documentation is weak. Links broken.

7. Rising Firewall 2011
Pros: Designed to protect your computer from online attacks, Rising firewall alerts you to all events without the hassle of being prompted to monitor your PC's traffic. It starts running in the background and provides an additional layer of security.
Cons: Configuring the options may take a while. Can be slightly difficult for those who do not know what to do. Administrative privileges required.

8. Outpost Firewall Pro
Pros: Designed specifically to monitor incoming and outgoing packets, Outpost 7.0 offers an automatic update function and stops malicious software. The version is available in both paid and freeware versions.
Cons: Web-based protection not as powerful as that of the full Norton suite. May erroneously identify very obscure utilities as risky.

9. Online Armor Premium
Pros: You can select a policy that will be applied when the program starts without your interaction. You can also start the application manually at any time.
Cons: The basic features should be more than adequate for personal computers. Keylogger protection is ineffective.

10. BitDefender
Pros: BitDefender Internet Security 2012 allows you to keep your Facebook social life safe from online threats. Each action is recorded. Works silently in the background.
Cons: Installation may take about 40 minutes. Upper toolbar issues.

Conclusion:
With a good firewall, you eliminate some of the risks of having a computer on the Internet and hopefully keep out malicious people. Firewalls constantly have to be tweaked or fine-tuned to keep out the latest tricks and traps set by hackers.

