This material was developed with funding from the National Science Foundation. This work is licensed under a Creative Commons Attribution 4.0 International License.
Firewalls
What is a Firewall?
A firewall is a device or program that protects the boundary between two networks, such as an internal private network and the Internet. It guards an organization's resources from attacks and prevents untrusted parties from accessing organization resources or tampering with internal information and resources. Firewalls review requests from outside parties and inspect data going into or out of the protected host or network. Firewalls use rules as part of the inspection process.
[Diagram: firewall between a trusted network and an untrusted network; a three-way handshake that follows the rules is allowed through, a rule violation is blocked]
Host-based: Firewalls can be installed on just about any device (smartphones, tablets, laptops, workstations and servers). Host-based firewalls are applications or programs installed on a device.
Network-based: A network firewall protects an entire network from attacks coming from users outside the trusted network.
A well-designed environment uses both types of firewalls, since traffic that makes it through the network firewall can still be stopped by the host-based firewall.
Types of Protection
[Diagram: firewall rules let legitimate traffic through and block non-legitimate traffic]
Host-based firewalls can be built into the operating system to protect that device, or they can be web-based and configured to protect applications and application data. One of the greatest challenges in managing host-based firewalls is ensuring that patches and updates are applied regularly to keep the host protected. Never disable these firewalls without formal permission! Host-based firewalls automatically generate rules based on the applications and services installed on the device. They can also be centrally controlled and configured by the information security team. Host-based firewalls provide protection within the organization.
[Diagram: a host-based firewall generates its rule list from the installed applications and services (such as SSH and FTP): Allow FTP traffic; Allow Dropbox; Allow file and print sharing; Allow Office 365; Deny all others]
Network firewalls provide external or perimeter protection for the organization. Network firewalls are stand-alone appliances or are integrated into network devices like routers. Network firewalls can screen all ingress (inbound) and egress (outbound) traffic. Network firewalls also use rules and/or lists of trusted URLs to monitor and control traffic. These lists can be purchased from vendors. Most modern firewalls can track established sessions to determine legitimate connections. These firewalls are known as active state firewalls.
Network Firewall
[Diagram: a network firewall at the perimeter applies access rules, an approved URL list and an unapproved URL list to traffic passing in either direction]
Network-based firewalls are usually dedicated appliances or systems with their own CPU, memory and software. These systems can monitor, log, and filter traffic. They can have two or more network interface cards (NICs). All inbound and outbound traffic must be approved to pass through the firewall. Network firewalls must have high processing power so that they will not impact network performance.
Technical Methodology
Over the years, firewalls have evolved and become much more powerful as the threats have become more sophisticated. Early firewalls were based on simple access control lists that filtered packets from known villains or from unknown and untrusted sources. These firewalls are called Stateless or Packet-Filtering firewalls. Stateless refers to the fact that they decide based on rules rather than on authorized connections.
Stateful Firewalls inspect traffic leaving the network and monitor the establishment of a stateful connection. Traffic associated with the established (stateful) connection is then permitted.
Advanced firewalls address the issue of preventing outside untrusted users from directly accessing sensitive and high value resources inside the organization. A Proxy Firewall takes requests from outside the private network and relays (or proxies) the message to the inside resource.
The most advanced type of firewall is known as a Deep Packet Inspection Firewall. These firewalls examine the data within each packet.
Learn which firewall works best for a particular scenario: Stateless Packet-Filtering, Stateful Packet Inspection, Deep Packet Inspection, Firewall Choices.
Stateless Packet-Filtering Firewall 1
A packet-filtering firewall is the simplest type of firewall. These firewalls examine each packet entering or leaving the protected network. The firewall captures each packet and then examines the basic addressing information (IP addresses and/or TCP/UDP port). The packet is forwarded or dropped based on the inspection rule. The last rule is either a Permit all or a Deny all. Packets are compared starting with the first rule. If there is a match, the packet is permitted or dropped according to that rule. If the packet does not match the first rule, it is compared to the next rule in the list. If the packet does not match any rule, it is dropped or forwarded based on the last rule.
[Diagram: packet-filtering firewall between the 106.23.0.0, 190.100.100.0 and 190.200.20.0 networks; a packet entering the network is matched against the rule list (entries showing source ANY or HOST with addresses such as IP=190.100.100.90, IP=160.23.23.90 and IP=190.200.20.93) and forwarded to destination host 190.200.20.45:80]
Stateless Packet-Filtering 2
A packet-filtering firewall inspects the IP and TCP headers of each packet. The packets can be filtered by IP addresses and TCP/UDP ports.
[Diagram: IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding, Data]
Building Firewall Rules
Action: All rules require an action; the action is either PERMIT or DENY.
Protocol: The specific network protocol being used to communicate between the source and destination devices (the type of traffic, such as UDP or TCP). The protocol can be IP, TCP, UDP, or ANY (which means all protocols).
Source IP address: The source IP address of the packet. It can be a single host address, a range of IP addresses, an entire subnet or network, or ANY (which means all addresses). Example forms: HOST 50.5.5.32, RANGE 190.100.50.16-31, NETWORK 50.5.5.0/24.
Destination IP address: The destination IP address of the packet. It can be a single host address, a range of IP addresses, a subnet or network, or ANY (which means all addresses). Example: HOST 190.100.50.64.
Source Port: The source port number is either a TCP or UDP port ranging from 1-65386 or ANY (which means all port numbers).
Destination Port: The destination port number is either a TCP or UDP port ranging from 1-65386 or ANY (which means all port numbers). The source and destination ports identify the session (TCP 80 for a web server, UDP 69 for tftp, TCP 23 for telnet).
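The first-match evaluation described above, as an added example that is not part of the original module: rules use the page's address forms (ANY, HOST, RANGE over the last octet, NETWORK with a prefix) and the list ends with a DENY-all default. The rule set and packets are constructed for illustration.

```python
import ipaddress

def addr_matches(spec, ip):
    """Match an address spec (ANY, HOST a.b.c.d, RANGE a.b.c.d-e, NETWORK a.b.c.d/n)."""
    kind, _, value = spec.partition(" ")
    if kind == "ANY":
        return True
    if kind == "HOST":
        return ip == value
    if kind == "NETWORK":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    if kind == "RANGE":                      # last-octet range, e.g. 190.100.50.16-31
        base, _, last = value.rpartition("-")
        prefix, _, first = base.rpartition(".")
        ip_prefix, _, ip_last = ip.rpartition(".")
        return ip_prefix == prefix and int(first) <= int(ip_last) <= int(last)
    raise ValueError("unknown address spec: " + spec)

def port_matches(spec, port):
    return spec == "ANY" or int(spec) == port

def proto_matches(spec, proto):
    return spec in ("ANY", "IP", proto)     # IP matches any transport protocol

def evaluate(rules, packet):
    """Compare the packet against each rule in order; the first match decides."""
    proto, src, sport, dst, dport = packet
    for action, p, s, sp, d, dp in rules:
        if (proto_matches(p, proto) and addr_matches(s, src) and port_matches(sp, sport)
                and addr_matches(d, dst) and port_matches(dp, dport)):
            return action
    raise ValueError("rule list must end with a PERMIT-all or DENY-all rule")

# Constructed rule list: (action, protocol, source, source port, destination, destination port).
# Order matters: the telnet DENY for 50.5.5.32 must precede the broader NETWORK PERMIT.
RULES = [
    ("DENY",   "TCP", "HOST 50.5.5.32",         "ANY", "ANY",                "23"),
    ("PERMIT", "TCP", "RANGE 190.100.50.16-31", "ANY", "HOST 190.100.50.64", "80"),
    ("PERMIT", "TCP", "NETWORK 50.5.5.0/24",    "ANY", "HOST 190.100.50.64", "80"),
    ("DENY",   "ANY", "ANY",                    "ANY", "ANY",                "ANY"),  # default
]

def check(packet):
    return evaluate(RULES, packet)   # packet = (protocol, src ip, src port, dst ip, dst port)
```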
Stateful Firewall 1
Stateful means that a device keeps track of another device's connection, either temporarily or over a long period of time. The TCP three-way handshake is an example of a stateful connection. When using TCP, the requester sends a SYN request. The receiver records the sender's information and acknowledges the request. Finally, the original sender acknowledges the three-way handshake. With a stateless connection, no information is retained by either the sender or the receiver.
A TCP connection-oriented session is a stateful connection because both systems maintain information about the session during its life.
[Diagram: TCP three-way handshake between Host1 and a server, with state changes to SYN-SENT, SYN-RECEIVED and ESTABLISHED]
Stateful Packet Inspection 1
[Diagram: stateful tracking table with columns Packet, Device, Source IP Address, Destination IP Address, Protocol, Source Port, Destination Port and Firewall Check (New, check mark, or X); trusted hosts Host1 (10.10.1.1) and Host2 (10.10.1.2) on the inside, servers 90.5.5.64 and 90.5.5.32 on the untrusted Internet]
Click on each packet number:
Packet 1: Host2 requests an outside destination. The request originates from the trusted inside network and is allowed. The firewall inspector records the new information in the stateful tracking table.
Packet 2: Host1 requests an outside destination. The request originates from the trusted inside network and is allowed. The firewall inspector records the new information in the stateful tracking table.
Packet 3: The destination server on the untrusted Internet responds, and the inspector checks the stateful table. The addresses and port numbers match the new request from Host1. The packet is recorded and allowed.
Packet 4: Host1 responds to the server's acknowledgement and SYN request. The firewall inspector traces the server's acknowledgement, records the numbers and allows the packet.
Packet 5: A packet from a potential hacker enters the firewall on the untrusted port. The inspector is unable to match it to a tracked stateful connection and drops the packet.
Packet 6: The server sends the requested web page content to Host1. The firewall inspector traces the stateful connection, records the new numbers and allows the packet.
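The six-packet walkthrough above, replayed against a minimal stateful inspector. This is an added example, not code from the module: it applies the page's policy that new sessions may only start from the trusted side and that inbound packets pass only when they match a tracked session. Addresses follow the diagram; ports and flags are constructed.

```python
TRUSTED_NET = "10.10.1."   # constructed: Host1 (10.10.1.1) and Host2 (10.10.1.2) live here

class StatefulInspector:
    """Tracks sessions keyed (proto, inside_ip, inside_port, outside_ip, outside_port)."""

    def __init__(self):
        self.table = {}

    def inspect(self, packet):
        proto, src, sport, dst, dport, flags = packet
        if src.startswith(TRUSTED_NET):                 # outbound: may open a session
            key = (proto, src, sport, dst, dport)
            state = self.table.get(key)
            if state is None:
                if flags != {"SYN"}:
                    return "DROP"                       # a new session starts with a plain SYN
                self.table[key] = "SYN-SENT"
                return "ALLOW new"
            if state == "SYN-RECEIVED" and "ACK" in flags:
                self.table[key] = "ESTABLISHED"         # handshake completed
            return "ALLOW"
        key = (proto, dst, dport, src, sport)           # inbound: look up the reversed tuple
        state = self.table.get(key)
        if state is None:
            return "DROP"                               # nothing tracked, like packet 5
        if state == "SYN-SENT" and flags == {"SYN", "ACK"}:
            self.table[key] = "SYN-RECEIVED"
        return "ALLOW"

# Constructed replay of the page's six packets: (proto, src, sport, dst, dport, flags).
PAGE_PACKETS = [
    ("TCP", "10.10.1.2", 5000, "90.5.5.32", 80, {"SYN"}),          # 1 Host2 opens a session
    ("TCP", "10.10.1.1", 4000, "90.5.5.64", 80, {"SYN"}),          # 2 Host1 opens a session
    ("TCP", "90.5.5.64", 80, "10.10.1.1", 4000, {"SYN", "ACK"}),   # 3 server answers Host1
    ("TCP", "10.10.1.1", 4000, "90.5.5.64", 80, {"ACK"}),          # 4 Host1 completes handshake
    ("TCP", "90.5.5.96", 15000, "10.10.1.1", 8000, {"SYN"}),       # 5 unsolicited inbound packet
    ("TCP", "90.5.5.64", 80, "10.10.1.1", 4000, {"ACK"}),          # 6 server sends page content
]

def run_page_scenario():
    """Return the per-packet decisions and Host1's final session state."""
    fw = StatefulInspector()
    decisions = [fw.inspect(p) for p in PAGE_PACKETS]
    return decisions, fw.table[("TCP", "10.10.1.1", 4000, "90.5.5.64", 80)]
```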
Application Proxy Firewall
[Diagram: an untrusted device sends Request XYZ to the proxy firewall, which relays it to the protected device]
A proxy firewall acts as an intermediary. It intercepts Internet requests for protected destination devices in the private network. The traffic is inspected for unusual content or requests. If the request is deemed legitimate, the proxy server generates the request itself. The request is acknowledged, and the proxy server relays the results to the device that originated the request. The proxy server eliminates direct access to the protected device.
Deep Packet Inspection 1
A deep packet inspection (DPI) firewall is the most sophisticated type of firewall. DPI firewalls examine and filter network traffic by inspecting the actual data within the packets being transmitted (most firewalls only examine the header data). Deep packet inspection firewalls can inspect the header data, but they also look deeper into the packet data.
[Diagram: DPI firewall in front of host 10.10.1.1 checking for viruses and malware, reconnaissance, unauthorized VPN tunnels, protocol non-compliance, and spam/spoofing]
Deep Packet Inspection 2
DPI firewalls look for: protocol non-compliance; sources and signatures of viruses and malware; sources and signatures of spam; spoofing, reconnaissance and scanning threats; intrusion attempts; incorrect time sequencing; unauthorized VPN tunnels; and many other potential threats. DPI firewalls queue streams of data to make these inspections and perform the necessary analysis.
DPI firewalls can dramatically impact the organization's communication bandwidth.
Stateful Packet Inspection 2
All new connections are only allowed if originating from the trusted network.
Firewall Choices
Match each scenario to the firewall that works best.
Scenarios: Detail Logging; Filters by Inspecting Data; Stopping Internal Attacks; Customized Filtering Options; Provides Perimeter Protection; Speedy, Flexibility, Simplicity.
Firewall types: Deep Packet Inspection Firewall; Personal Host Firewall; Packet Filtering or Stateful Inspection Firewall; Network Firewall; Stateful Inspection Firewall; Application Proxy Firewall.