
Intro to Firewalls

Outline
What is a Port?
What is a firewall?
Who needs a firewall?
What are the OSI and TCP/IP
Network models?
What different types of firewalls are
there?
What are pros and cons of a firewall?
What is iptables?

What is a Port
When referring to a computer or device, a hardware
port resembles a plug-in or connection commonly
found on the back of a computer. Hardware ports
allow computers to have access to external
devices such as computer printers. Below is a
short listing of the different types of computer
ports you may find on a computer.
Old Keyboard Port
Firewire port
LPT Port (Printer Port)
PS/2 Port (Keyboard Port / Mouse Port)
Serial Port
USB Port

What is a Port
When referring to a network or to the Internet, a software
port is a numbered endpoint through which information is
sent and received. A commonly used and accessed port is
port 80, which is the HTTP port. A listing of commonly known
and used ports can be found below.
Users running Microsoft Windows can use the netstat
command to view currently active connections, including
the ports currently in use.
Users who wish to block ports on their computer or
network can use a software or hardware firewall. If you
are unable to get access to a particular port, it is likely
that a firewall is already present on the network or that
the administrators have configured other network settings
that block it.

What is a Port

Port   Protocol   Description
0      TCP        Reserved
1      TCP        TCP Port Service Multiplexer
5      TCP        Remote Job Entry
7      TCP, UDP   ECHO
9      TCP, UDP   Discard
13     TCP, UDP   Daytime - RFC 867
17     TCP, UDP   Quote of the Day

What is a Port

(last updated 21 September 2005)

The port numbers are divided into three ranges: the Well Known
Ports, the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through
65535.

Source: Internet Assigned Numbers Authority (IANA)
http://www.iana.org/assignments/port-numbers

What is a Port

(last updated 6 March 2006)

PLEASE NOTE THE FOLLOWING:

1. UNASSIGNED PORT NUMBERS SHOULD NOT BE USED. THE IANA
WILL ASSIGN THE NUMBER FOR THE PORT AFTER YOUR
APPLICATION HAS BEEN APPROVED.

2. ASSIGNMENT OF A PORT NUMBER DOES NOT IN ANY WAY IMPLY
AN ENDORSEMENT OF AN APPLICATION OR PRODUCT, AND THE
FACT THAT NETWORK TRAFFIC IS FLOWING TO OR FROM A
REGISTERED PORT DOES NOT MEAN THAT IT IS "GOOD" TRAFFIC.
FIREWALL AND SYSTEM ADMINISTRATORS SHOULD CHOOSE HOW
TO CONFIGURE THEIR SYSTEMS BASED ON THEIR KNOWLEDGE OF
THE TRAFFIC IN QUESTION, NOT WHETHER THERE IS A PORT
NUMBER REGISTERED OR NOT.

Source: Internet Assigned Numbers Authority (IANA)
http://www.iana.org/assignments/port-numbers

WELL KNOWN PORT NUMBERS

(last updated 21 September 2005)

The Well Known Ports are assigned by the IANA and on most systems can
only be used by system (or root) processes or by programs executed by
privileged users.

Ports are used in the TCP [RFC793] to name the ends of logical
connections which carry long term conversations. For the purpose of
providing services to unknown callers, a service contact port is defined. This
list specifies the port used by the server process as its contact port. The
contact port is sometimes called the "well-known port".

To the extent possible, these same port assignments are used with the UDP
[RFC768]. The range for assigned ports managed by the IANA is 0-1023.

Source: Internet Assigned Numbers Authority (IANA)
http://www.iana.org/assignments/port-numbers

Port Assignments

Keyword    Decimal   Description
ftp-data   20/tcp    File Transfer [Default]
           26/tcp    Unassigned
smtp       25/udp    Simple Mail Transfer

References

What is a firewall?
Protects networked computers from
intentional hostile intrusion.
Junction point between two networks: a
private and a public network.
The earliest firewalls were simple routers.
The term comes from the concept of firewalls
and fire doors in buildings. They limit damage
that could spread from one subnet to
another.

What is a firewall? Reading Slide

A firewall examines all traffic routed between the two networks to
see if it meets certain criteria. If it does, it is routed between the
networks, otherwise it is stopped. A firewall filters both inbound
and outbound traffic. It can also manage public access to private
networked resources such as host applications. It can be used to
log all attempts to enter the private network and trigger alarms
when hostile or unauthorized entry is attempted. Firewalls can
filter packets based on their source and destination addresses
and port numbers. This is known as address filtering. Firewalls
can also filter specific types of network traffic. This is also known
as protocol filtering because the decision to forward or reject
traffic is dependent upon the protocol used, for example HTTP,
FTP or telnet. Firewalls can also filter traffic by packet attribute or
state.

Hardware Firewall

Software Firewall

A Firewall
Can filter traffic based on their source
and destination addresses, port
numbers, protocol used, and packet
state.
Cannot prevent individual users with
modems from dialing in and out of the
network.
Cannot protect against social
engineering and dumpster diving.

A Firewall, Reading Slide


A firewall cannot prevent individual users with
modems from dialing into or out of the network,
bypassing the firewall altogether. Employee
misconduct or carelessness cannot be
controlled by firewalls. Policies involving the
use and misuse of passwords and user
accounts must be strictly enforced. These are
management issues that should be raised
during the planning of any security policy but
that cannot be solved with firewalls alone.

Who needs a firewall?


Anyone who is responsible for a
private network that is connected to a
public network.
Anyone who connects so much as a
single computer to the internet via
modem.

Who needs a firewall? Reading Slide

Anyone who is responsible for a private network that
is connected to a public network needs firewall
protection. Furthermore, anyone who connects so
much as a single computer to the Internet via modem
should have personal firewall software. Many dial-up
Internet users believe that anonymity will protect
them. They feel that no malicious intruder would be
motivated to break into their computer. Dial-up users
who have been victims of malicious attacks and who
have lost entire days of work, perhaps having to
reinstall their operating system, know that this is not
true. Irresponsible pranksters can use automated
robots to scan random IP addresses and attack
whenever the opportunity presents itself.

Basic Firewall Operation

Basic Firewall Operation


There are two access denial methodologies used by firewalls. A firewall
may allow all traffic through unless it meets certain criteria, or it may deny
all traffic unless it meets certain criteria. The type of criteria used to
determine whether traffic should be allowed through varies from one type
of firewall to another. Firewalls may be concerned with the type of traffic,
or with source or destination addresses and ports. They may also use
complex rule bases that analyze the application data to determine if the
traffic should be allowed through. How a firewall determines what traffic to
let through depends on which network layer it operates at.

The OSI and TCP/IP Models

Professional Firewall Model

Professional Firewall Model


It would appear then, that firewalls functioning at a
higher level in the stack must be superior in every
respect. This is not necessarily the case. The lower in
the stack the packet is intercepted, the more secure the
firewall. If the intruder cannot get past level three, it is
impossible to gain control of the operating system.
Professional firewall products catch each network
packet before the operating system does, thus, there is
no direct path from the Internet to the operating
system's TCP/IP stack. It is therefore very difficult for
an intruder to gain control of the firewall host computer
then "open the doors" from the inside.

Types of Firewalls
Packet Filter
Circuit Level Gateways
Application Level Gateways
Stateful Multilayer Inspection

Packet Filtering Firewall

Packet Filtering Firewall


Packet filtering firewalls work at the network level of the OSI model, or the IP
layer of TCP/IP. They are usually part of a router. A router is a device that
receives packets from one network and forwards them to another network.
In a packet filtering firewall each packet is compared to a set of criteria
before it is forwarded. Depending on the packet and the criteria, the firewall
can drop the packet, forward it or send a message to the originator. Rules
can include source and destination IP address, source and destination port
number and protocol used. The advantage of packet filtering firewalls is
their low cost and low impact on network performance. Most routers support
packet filtering. Even if other firewalls are used, implementing packet
filtering at the router level affords an initial degree of security at a low
network layer. This type of firewall only works at the network layer however
and does not support sophisticated rule based models. Network Address
Translation (NAT) routers offer the advantages of packet filtering firewalls
but can also hide the IP addresses of computers behind the firewall, and
offer a level of circuit-based filtering.
Difficult to maintain; don't examine the payload.

Packet Filtering Firewall

Circuit Level Gateway

Application Level Gateway

Application Level Gateway


Application level gateways, also called proxies, are similar to circuit-level
gateways except that they are application specific. They can filter
packets at the application layer of the OSI model. Incoming or
outgoing packets cannot access services for which there is no proxy.
In plain terms, an application level gateway that is configured to be a
web proxy will not allow any FTP, gopher, telnet or other traffic through.
Because they examine packets at the application layer, they can filter
application specific commands such as HTTP POST and GET. This
cannot be accomplished with either packet filtering firewalls or circuit
level gateways, neither of which knows anything about the application level
information. Application level gateways can also be used to log user
activity and logins. They offer a high level of security, but have a
significant impact on network performance. This is because of context
switches that slow down network access dramatically. They are not
transparent to end users and require manual configuration of each
client computer.

Application Layer Gateways

Stateful Multilayer Inspection

Stateful Multilayer Inspection


Stateful multilayer inspection firewalls combine the aspects of the other
three types of firewalls. They filter packets at the network layer,
determine whether session packets are legitimate and evaluate contents
of packets at the application layer. They allow direct connection between
client and host, alleviating the problem caused by the lack of
transparency of application level gateways. They rely on algorithms to
recognize and process application layer data instead of running
application specific proxies. Stateful multilayer inspection firewalls offer
a high level of security, good performance and transparency to end
users. They are expensive however, and due to their complexity are
potentially less secure than simpler types of firewalls if not administered
by highly competent personnel.
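The decision logic from the Basic Firewall Operation, Packet Filtering and Stateful Multilayer Inspection slides, as an added Python model (not code from the slides): rules over address, port and protocol, a deny-by-default or allow-by-default policy, and a state table that lets replies to already-allowed connections back in. All addresses and packets below are constructed.

```python
"""Model of the filtering decisions the slides describe: a rule list over
address, port and protocol, a default policy (allow-all or deny-all), and an
optional state table that recognises replies to connections already allowed.
Added illustration only; packets and addresses below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str  # ACCEPT (forward), DROP (discard) or REJECT (tell the sender)
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("any", p.proto))
                and (self.src in ("any", p.src))
                and (self.dst in ("any", p.dst))
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, default: str, rules: List[Rule], stateful: bool) -> None:
        self.default = default      # the access denial methodology: ACCEPT or DROP
        self.rules = rules
        self.stateful = stateful
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        # Stateful inspection: a reply to an allowed connection is ESTABLISHED,
        # so it passes without a rule of its own (no rule ever names the
        # client's ephemeral port, so a stateless filter would drop it).
        if self.stateful and (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ACCEPT"
        # Packet filtering: the first matching rule decides; otherwise the default.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "ACCEPT":
                    self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return self.default
```

With the same single rule (allow TCP to port 80), the deny-by-default filter passes the web reply only when it is stateful; the allow-by-default filter lets everything through except what a rule names.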

Stateful inspection technologies

Implementing your firewall


Choose the access denial
methodology.
Determine inbound access policy.
Determine outbound access policy.
Determine if dial-in or dial-out access
is required. (VPN)
Decide whether to buy a complete
firewall product or implement one
yourself.

Access denial methodology

Deny access by default

Inbound Access Policy


May be simple NO ACCESS
NAT (Network Address Translation)
NAT + protocol filtering
Complex stateful multilayer inspection

Outbound Access Policy


Open Access
Per User outbound policy (Proxy)

Other Considerations
Dial-in/out
Buy a solution

Hardware -- PIX, Sonicwall, WatchGuard


Software -- CheckPoint, ISA, Border
Manager

Build a solution

Linux -- IPTables
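The checklist above (access denial methodology, inbound policy, outbound policy) carried through for the "Linux -- IPTables" build option, as an added example that is not part of the slides: a small Python function that emits an iptables-restore ruleset for the chosen policy. The interface names lan0/eth0, the port list and the proxy address are assumed placeholders.

```python
"""Turn the "Implementing your firewall" decisions into an iptables-restore
ruleset: deny by default, an explicit inbound policy, an outbound policy
(open, or per-user via a proxy host) and NAT for the private network.
Added example, not from the slides; interface names "lan0"/"eth0", the port
list and the proxy address are constructed placeholders."""
from typing import Dict, Iterable


def build_ruleset(inbound_tcp: Iterable[int], outbound_open: bool,
                  proxy_host: str = "", lan: str = "lan0", wan: str = "eth0") -> str:
    """Return iptables-restore text for the chosen policy."""
    lines = [
        "*filter",
        # Step 1: access denial methodology - deny by default on every chain.
        # OUTPUT is the firewall host's own traffic and is left open here.
        ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # Stateful inspection: replies to connections already allowed may return.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    # Step 2: inbound access policy - an empty list is the slides' NO ACCESS;
    # otherwise only the listed services may receive NEW connections.
    for port in sorted(set(inbound_tcp)):
        lines.append("-A INPUT -p tcp --dport %d -m conntrack --ctstate NEW -j ACCEPT" % port)
    # Step 3: outbound access policy - open for the whole LAN, or only the proxy
    # host may reach the public side so that per-user rules live on the proxy.
    if outbound_open:
        lines.append("-A FORWARD -i %s -o %s -j ACCEPT" % (lan, wan))
    else:
        lines.append("-A FORWARD -i %s -o %s -s %s -j ACCEPT" % (lan, wan, proxy_host))
    # Log what is about to hit the default DROP (the slides' "log all attempts").
    lines.append('-A INPUT -j LOG --log-prefix "FW-IN-DROP: " --log-level 4')
    lines.append("COMMIT")
    # NAT hides the private addresses behind the firewall's public interface.
    lines += ["*nat", ":POSTROUTING ACCEPT [0:0]",
              "-A POSTROUTING -o %s -j MASQUERADE" % wan, "COMMIT"]
    return "\n".join(lines) + "\n"


def chain_policies(ruleset: str) -> Dict[str, str]:
    """Read back the default policy of each chain from its ':NAME POLICY' line,
    a quick check that nothing is accidentally allow-by-default."""
    return {ln.split()[0][1:]: ln.split()[1]
            for ln in ruleset.splitlines() if ln.startswith(":")}
```

Review the text before loading it with `iptables-restore`; `iptables-restore --test` parses the file without applying it.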
