08-10-2016, 04:26 PM
1458491981-project.pptx (Size: 713.61 KB / Downloads: 7)
Distributed Firewalls
A central management node sets the security policy enforced by individual hosts
Combination of high-level policy specification with file distribution mechanism
Advantages:
Lack of central point of failure
Ability to protect machines outside topologically isolated space
Great for laptops
Disadvantage:
Harder to allow in certain services, whereas it’s easy to block
Distributed Firewalls Drawback
Allowing in certain services works if and only if you’re sure the address can’t be spoofed
Requires anti-spoofing protection
Must maintain ability to roam safely
Solution: IPsec
A machine is trusted if and only if it can perform proper cryptographic authentication
Firewalls – Packet Filters
Simplest of components
Uses network- and transport-layer header information only (no payload inspection)
IP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message type
Examples
DNS uses port 53
No incoming port 53 packets except known trusted servers
Firewalls – Application-Level Filtering (Proxies)
Has full access to protocol
user requests service from proxy
proxy validates request as legal
then performs the request and returns the result to the user
Need separate proxies for each service
E.g., SMTP (E-Mail)
NNTP (Net news)
DNS (Domain Name System)
NTP (Network Time Protocol)
custom services generally not supported
Firewalls - Circuit Level Gateway
Relays two TCP connections
Imposes security by limiting which such connections are allowed
Once created usually relays traffic without examining contents
Typically used when internal users are trusted: general outbound connections are allowed, inbound ones are not
SOCKS commonly used for this
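The check a circuit-level gateway makes before relaying a connection, as an added example that is not part of the original slides. It parses a SOCKS5 CONNECT request in the RFC 1928 wire format and answers with an RFC 1928 reply code; the allowed-port set and the internal prefix are assumed policy values, and the rest of the gateway (the actual relaying of the two TCP connections) is not shown.

```python
# Added example (not from the original slides): the policy check a circuit-level
# gateway makes when a client asks it to relay a TCP connection, using the
# SOCKS5 CONNECT request format of RFC 1928. Policy values below are assumed.
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# RFC 1928 reply codes used here
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08

# Assumed policy: trusted insiders may open outbound circuits to these ports
# only, and never back into the internal network through the gateway.
ALLOWED_PORTS = {22, 80, 443}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


class UnsupportedAddress(ValueError):
    pass


def build_connect(dst: str, port: int) -> bytes:
    """Client side: encode a CONNECT request for an IP literal or a domain name."""
    try:
        addr = ipaddress.ip_address(dst)
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    except ValueError:
        name = dst.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(req: bytes):
    """Gateway side: return (cmd, atyp, dst, port); raise ValueError if malformed."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        dst, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise UnsupportedAddress("unsupported address type")
    if len(rest) != 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", rest)
    return cmd, atyp, dst, port


def gateway_decision(req: bytes) -> int:
    """Reply code the gateway sends; the circuit is relayed only on REP_SUCCEEDED."""
    try:
        cmd, atyp, dst, port = parse_connect(req)
    except UnsupportedAddress:
        return REP_ATYP_UNSUPPORTED
    except ValueError:
        return REP_GENERAL_FAILURE
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED          # BIND / UDP ASSOCIATE not offered
    if port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED              # "connection not allowed by ruleset"
    if atyp != ATYP_DOMAIN and ipaddress.ip_address(dst) in INTERNAL:
        return REP_NOT_ALLOWED              # no circuits back into the LAN
    return REP_SUCCEEDED
```

The decision is taken once, at circuit setup; after a 0x00 reply the gateway relays bytes in both directions without looking at them, which is exactly the limitation noted above. A domain-name destination is only checked by port here: a real gateway resolves the name and then applies the same internal-prefix check to the resulting address, otherwise a name that resolves to 10.x.x.x bypasses the rule.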
Uses of packet filtering
During network communication a node transmits a packet that is matched against predefined rules and policies; once matched, the packet is either accepted or denied. A packet filter checks the source and destination IP addresses, the transport protocol (TCP, UDP, ICMP), and the source and destination port numbers, because the same host may be running many different applications and the ports are what tell them apart. Matching an allow rule does not make a packet trustworthy; it only means it is a packet the policy chose to admit.
Some packet filters are stateless and keep no memory of earlier packets. Others remember previously seen flows (source and destination addresses and ports) and decide later packets in that context.
Packet filtering is usually an effective first line of defense against attacks from computers outside a local area network (LAN). As most routing devices have integrated filtering capabilities, packet filtering is considered a standard and cost-effective means of security.
Usage of Packet Filters
Filtering with incoming or outgoing interfaces
E.g., Ingress filtering of spoofed IP addresses
Egress filtering
Permits or denies certain services
Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
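Ingress and egress filtering as listed above, written out as an added example (not from the original slides). The decision keys on the interface a packet arrived on or is leaving through, which is what a plain address/port rule cannot express; interface names and the site's address prefixes are assumed.

```python
# Added example (not from the original slides): interface-aware anti-spoofing
# filtering. Interface names and prefixes are assumed for illustration.
import ipaddress

EXTERNAL_IFACE = "eth0"   # assumed Internet-facing interface
INTERNAL_IFACE = "eth1"   # assumed LAN-facing interface

# Assumed site addressing: prefixes that legitimately originate inside the LAN.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]
# Source addresses that never legitimately arrive from the Internet
# (private ranges, loopback, link-local, multicast).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)


def ingress_filter(iface: str, src: str) -> str:
    """Verdict for a packet arriving on `iface`: traffic from the Internet may
    not claim an internal or bogon source address (classic anti-spoofing)."""
    addr = ipaddress.ip_address(src)
    if iface == EXTERNAL_IFACE and (
        _in_any(addr, INTERNAL_PREFIXES) or _in_any(addr, BOGON_PREFIXES)
    ):
        return "DROP"      # an inside address arriving from outside is spoofed
    return "ACCEPT"


def egress_filter(iface: str, src: str) -> str:
    """Verdict for a packet leaving through the Internet-facing interface: only
    packets sourced from our own prefixes may leave, so a compromised inside
    host cannot emit spoofed-source floods (the BCP 38 / RFC 2827 practice)."""
    addr = ipaddress.ip_address(src)
    if iface == EXTERNAL_IFACE and not _in_any(addr, INTERNAL_PREFIXES):
        return "DROP"      # source is not ours: spoofed or misrouted
    return "ACCEPT"
```

The same source address is legitimate on one interface and spoofed on the other, which is why these rules are tied to interfaces rather than to addresses alone.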
Firewalls – Stateful Packet Filters
Traditional packet filters do not examine higher-layer context
i.e., matching return packets with the outgoing flow that caused them
Stateful packet filters address this need
They examine each IP packet in context
Keep track of client-server sessions
Check that each packet validly belongs to one
Hence are better able to detect bogus packets that arrive out of context
Stateful Filtering
TYPES OF PACKET FILTERING
A packet-filtering firewall lets through only those packets which your firewall policy allows. Each packet passing through is inspected, and the firewall then decides whether to pass it or not. Packet filtering can be divided into two kinds:
Stateless packet filtering.
Stateful packet filtering.
Data travels through the Internet in the form of packets. Each packet has a header that provides information about the packet, its source, its destination, and so on. A packet-filtering firewall inspects these headers to allow or deny the packet. The information may or may not be remembered by the firewall.
Stateless Packet Filtering
If the firewall does not remember anything about the packets it has already passed, the filtering is called stateless packet filtering. Such firewalls are not very smart and can be fooled comparatively easily, because each allow/deny decision is made packet by packet with no relation to previously allowed or denied packets: a segment that merely looks like a reply (for example a TCP packet with ACK set) is admitted whether or not anyone inside asked for it. This is especially dangerous for UDP, which has no handshake or flags at all, so a stateless filter that wants to let replies in has to open the port to any sender.
Stateful Packet Filtering
If the firewall remembers information about previously passed packets, that type of filtering is stateful packet filtering. These can be termed smart firewalls. This type of filtering is also known as dynamic packet filtering.
Advantage and disadvantage of packet filtering
Advantage:
The biggest advantage of packet-filtering firewalls is low cost and low resource usage; they are best suited to smaller networks.
Disadvantage:
Packet-filtering firewalls work only on the network and transport layers (packet headers, not application data), and they do not support complex, application-aware rule models.
How packet filtering works
As packet filters work with individual packets, a decision is needed for each and every packet: whether that packet may pass or should undergo some other action. Packet filters can work with both incoming and outgoing packets, and the basic decision-making procedure is the same. The basic steps of packet filtering are the following.
The filter system inspects the packet. It usually checks the following information in the packet header:
source/destination IP addresses,
IP options,
TOS/TTL fields,
source/destination port numbers,
TCP flags,
data part of packet,
and others.
Stateful packet filters can also check the state of the given packet relative to the known connections (whether it belongs to an already seen connection, is a new packet, or is related to an already established connection, like an ICMP control packet), or other stateful information (whether the packet fits in the TCP window of the connection). This information provides the basis for the decision. Of course, the firewall can also check whether the packet's checksum is correct and the packet in general is well-formed.
After inspecting the packet and collecting stateful information, the packet filter evaluates the policy for the given packet. The policy and the representation of the policy might be different between various implementations, but usually Access Control Lists (ACL) are used. ACLs are checked from the top of the list to the bottom. The list entries are usually called rules and these rules are evaluated after one another.
A rule usually contains a match and a verdict part. The match part is evaluated based on the information gathered from the packet before the policy check. If a packet matches the rule the rule's verdict is taken for that packet. The various implementations differ in how they run through the list. One stops evaluating at the first match, while others might take the last match's verdict.
After evaluating the ACL the packet filter can work with that packet according to the verdict. Usually, every ACL has a default verdict which controls what should happen with the packet if no match occurs. Based on the main security rule a default deny or default drop approach is a good choice, but as usual it depends on the implementation and on the administrator.
There are numerous verdicts, but usually all implementations support the following basic verdicts. The meaning of the verdicts, though, might differ slightly.
Accept,
allowing the packet to pass.
Deny/Drop,
denying the packet silently, meaning that no error packet is sent back to the sender.
Reject,
denying the packet with sending back some kind of error packet (ICMP error message or TCP reset packet depending on the situation).
To understand, successfully deploy and easily troubleshoot any packet filter firewall you have to understand how the specific implementation handles the packets and how it evaluates its policy. It is also necessary to learn how the policy is represented and how the configuration is constructed. Knowing the deeper details of implementation helps in configuration.
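The steps above, and the stateless-versus-stateful distinction from the earlier section, carried through as one added example that is not part of the original text: header fields are matched against an ACL walked top to bottom (first match by default, last match as an option), an unmatched packet gets the default verdict, REJECT answers with a TCP reset or an ICMP error depending on the protocol, and a connection table lets replies to accepted flows through while dropping out-of-context segments. The LAN prefix, the trusted resolver address and the rules are constructed for illustration; the table has no timeouts and no TCP window check, which real filters do have.

```python
# Added example (not from the original text): a minimal stateful packet filter
# following the steps described above. Addresses, ports and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # TCP flags present, e.g. {"SYN"}


@dataclass
class Rule:
    verdict: str
    proto: Optional[str] = None        # None means "any"
    src: Optional[str] = None          # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[frozenset] = None  # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.flags is not None and not self.flags <= p.flags:
            return False
        return True


def evaluate_acl(rules, p: Packet, default=DROP, last_match=False) -> str:
    """Walk the ACL top to bottom; stop at the first match unless the
    implementation takes the last match. No match -> the default verdict."""
    verdict = None
    for r in rules:
        if r.matches(p):
            verdict = r.verdict
            if not last_match:
                break
    return default if verdict is None else verdict


def reject_response(p: Packet) -> str:
    """The error packet REJECT sends back, chosen by protocol."""
    return "tcp-rst" if p.proto == "tcp" else "icmp-port-unreachable"


class StatefulFilter:
    """The ACL decides only packets that open a new flow; replies belonging to
    a flow already accepted pass on the connection table."""

    def __init__(self, rules, default=DROP):
        self.rules, self.default = rules, default
        self.table = set()   # accepted 5-tuples; real filters also time entries out

    def decide(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return ACCEPT    # reply to a flow we let through (ESTABLISHED)
        if p.proto == "tcp" and "SYN" not in p.flags:
            return DROP      # neither a known reply nor a connection attempt: out of context
        verdict = evaluate_acl(self.rules, p, self.default)
        if verdict == ACCEPT:
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def stateless_decide(rules, p: Packet, default=DROP) -> str:
    """A stateless filter judges every packet on its own; to let replies in it
    needs a rule such as 'TCP with ACK set', which also admits unsolicited ACKs."""
    return evaluate_acl(rules, p, default)


# Constructed policy for a site whose LAN is 192.168.1.0/24: insiders may open
# anything outward; from outside only the assumed trusted resolver may reach
# port 53 (the slide's "no incoming port 53 packets except known trusted
# servers"); inbound telnet is rejected with an explicit error.
LAN = "192.168.1.0/24"
TRUSTED_DNS = "203.0.113.53/32"
POLICY = [
    Rule(ACCEPT, src=LAN),
    Rule(ACCEPT, proto="udp", src=TRUSTED_DNS, dport=53),
    Rule(REJECT, proto="tcp", dport=23),
]
# The same policy made stateless with the classic "ACK means it is a reply" rule.
STATELESS_POLICY = POLICY + [Rule(ACCEPT, proto="tcp", flags=frozenset({"ACK"}))]
```

Running the same unsolicited ACK segment through `StatefulFilter(POLICY)` and through `stateless_decide(STATELESS_POLICY, ...)` shows the difference the text describes: the stateful filter drops it because no inside host opened that flow, the stateless one accepts it because the ACK bit is all it can see. Note how the verdict for the first packet of a flow comes from the ACL and the verdict for every later packet comes from the table, so the ACL order (first match versus last match) matters only at flow setup.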