2.  A firewall forms a barrier through which the traffic going in each direction
must pass. A firewall security policy dictates which traffic is authorized to
pass in each direction.
 Firewall is an effective means of protecting a local system or network of
systems from network based security threats while at the same time
affording access to outside world via WAN or Internet.

3. ◦ All traffic from inside to outside and vice versa, must pass
through the firewall (physically blocking all access to the
local network except via the firewall).
◦ Only authorized traffic (defined by the local security policy)
will be allowed to pass.

4.  Service control
◦ Determines the types of Internet services that can be accessed,
inbound or outbound.
 Direction control
◦ Determines the direction in which particular service requests
are allowed to flow through the firewall.
 User control
◦ Controls access to a service according to which user is
attempting to access it.
 Behavior control
◦ Controls how particular services are used (e.g. filter e-mail).

5.  cannot protect against attacks bypassing it.
◦ eg sneaker net, utility modems.
 cannot protect against internal threats.
◦ eg disgruntled employee
 cannot protect against transfer of all virus
infected programs or files.
◦ because of huge range of O/S & file types

7.  What Is Firewall?
 Name The Techniques Involved In Firewall?
 Explain any two techniques?
 Any Two Limitations Of Firewall?

8.  Three common types of Firewalls:
◦ Packet-filtering routers
◦ Application-level gateways
◦ Circuit-level gateways
◦ Bastion host

10. ◦ Applies a set of rules to each incoming IP packet
and then forwards or discards the packet.
◦ Filter packets going in both directions.
◦ The packet filter is typically set up as a list of rules
based on matches to fields in the IP or TCP header.
◦ Two default policies (discard or forward).

13.  Advantages:
◦ Simplicity
◦ Transparency to users
◦ High speed
 Disadvantages:
◦ Difficulty of setting up packet filter rules
◦ Lack of Authentication

14.  Possible attacks and appropriate countermeasures
◦ IP address spoofing
◦ Source routing attacks
◦ Tiny fragment attacks

15.  examine each IP packet in context
– keeps tracks of client-server sessions
– checks each packet validly belongs to one
 better able to detect bogus packets out of context

18.  Application-level Gateway
◦ Also called proxy server.
◦ Acts as a relay of application-level traffic.
 Advantages:
◦ Higher security than packet filters.
◦ Easy to log and audit all incoming traffic.
 Disadvantages:
◦ Additional processing overhead on each
connection (gateway as splice point).

20.  Circuit-level Gateway
◦ Stand-alone system or
◦ Specialized function performed by an The
gateway typically Application-level Gateway
◦ Sets up two TCP connections
◦ relays TCP segments from one connection to
the other without examining the contents

22. ◦ A system identified by the firewall
administrator as a critical strong point in the
network´s security.
◦ The bastion host serves as a platform for an
application-level or circuit-level gateway.

23. What are the types of firewall?

24.  What is packet filter?
 Name the possible attacks involved in packet
filter?
 What is Application level gateway?
 what is circiut level gateway?
 Difference between application and circiut level
gateway?

25.  In addition to the use of simple configuration of a
single system (single packet filtering router or single
gateway), more complex configurations are possible.

26.  Screened host firewall system (single-homed bastion
host)
 Screened host firewall syste (dual-homed bastion host)
 Screened-subnet firewall system

28. Screened host firewall, single-homed bastion
configuration
 Firewall consists of two systems:
◦ A packet-filtering router.
◦ A bastion host.
 Configuration for the packet-filtering router:
◦ Only packets from and to the bastion host are
allowed to pass through the router.
 The bastion host performs authentication and proxy
functions.

30. Screened host firewall, dual-homed
bastion configuration
◦ The packet-filtering router is not completely
compromised.
◦ Traffic between the Internet and other hosts
on the private network has to flow through
the bastion host.

32.  Screened subnet firewall configuration
◦ Most secure configuration of the three.
◦ Two packet-filtering routers are used.
◦ Creation of an isolated sub-network.

33.  Advantages:
◦ Three levels of defense to thwart intruders.
◦ The outside router advertises only the existence
of the screened subnet to the Internet (internal
network is invisible to the Internet).
◦ The inside router advertises only the existence
of the screened sub-net to the internal network (
the systems on the inside cannot construct direct
routes to the internet.

34. • given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed

36. • information security is increasingly important
• have varying degrees of sensitivity of information
– cf military info classifications: confidential, secret
etc
• subjects (people or programs) have varying
rights of access to objects (information)
• want to consider ways of increasing confidence
in systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification