Firewall and It's Types

1. FIREWALLS
E-Commerce
BBA 6th Semester,
Prime College
Hem Sagar Pokhrel
Faculty Member, Computer Science & IT department
Prime College, Kathmandu
geeksagar@prime.edu.np
9843410129

2. Firewall Design Principles
The firewall is inserted between the premises
network and the Internet
Aims:
 Establish a controlled link
 Protect the premises network from Internet-based
attacks
2

3. Firewall Characteristics
• Design goals:
• All traffic from inside to outside must pass through
the firewall (physically blocking all access to the
local network except via the firewall)
• Only authorized traffic (defined by the local
security police) will be allowed to pass.
• The firewall itself is immune to penetration (use of
trusted system with a secure operating system)
3

4. Firewall Characteristics
 Four general techniques:
1. Service control
 Determines the types of Internet services that can be
accessed, inbound or outbound
2. Direction control
 Determines the direction in which particular service requests
are allowed to flow
4

5. Firewall Characteristics
3. User control
 Controls access to a service according to which user
is attempting to access it
4. Behavior control
 Controls how particular services are used (e.g. filter
e-mail)
5

6. Types of Firewalls
Three common types of Firewalls:
1. Packet-filtering routers
2. Application-level gateways
3. Circuit-level gateways
 (Bastion host)
6

7. Types of Firewalls
Packet-filtering Router
Applies a set of rules to each incoming IP packet
and then forwards or discards the packet
Filter packets going in both directions
The packet filter is typically set up as a list of
rules based on matches to fields in the IP or TCP
header
Two default policies (discard or forward)
7

8. Types of Firewalls
 Packet-filtering Router
8

9. Types of Firewalls
Advantages:
 Simplicity
 Transparency to users
 High speed
Disadvantages:
 Difficulty of setting up packet filter rules
 Lack of Authentication
9

10. Types of Firewalls
Possible attacks and appropriate countermeasures
 IP address spoofing
 Source routing attacks
 Tiny fragment attacks
10

11. Types of Firewalls
Application-level Gateway
 Also known as application proxy or application-level proxy, an
application gateway is an application program that runs on a
firewall system between two networks.
 When a client program establishes a connection to
a destination service, it connects to an application gateway,
or proxy.
 The client then negotiates with the proxy server in order to
communicate with the destination service.
11

12. Application-level Gateway
 In effect, the proxy establishes the connection with the
destination behind the firewall and acts on behalf of the client,
hiding and protecting individual computers on the network
behind the firewall.
 This creates two connections: one between the client and the
proxy server and one between the proxy server and the
destination.
 Once connected, the proxy makes all packet-forwarding
decisions.
 Since all communication is conducted through the proxy server,
computers behind the firewall are protected.
12

13. Types of Firewalls
Application-level Gateway
13

14. Application-level Gateway
Advantages:
 Higher security than packet filters
 Only need to scrutinize a few allowable applications
 Easy to log and audit all incoming traffic
Disadvantages:
 Additional processing overhead on each connection
(gateway as splice point)
14

15. Types of Firewalls
Circuit-level Gateway
Stand-alone system or
Specialized function performed by an Application-level
Gateway
Sets up two TCP connections
The gateway typically relays TCP segments from one
connection to the other without examining the contents
15

16. Circuit-level Gateway
 The security function consists of determining which connections will be
allowed
 Typically use is a situation in which the system administrator trusts the
internal users
 Circuit-level gateways work at the session layer of the OSI model, or as a
"shim-layer" between the application layer and the transport layer of
the TCP/IP stack.
 They monitor TCP handshaking between packets to determine whether a
requested session is legitimate.
 Information passed to a remote computer through a circuit-level gateway
appears to have originated from the gateway.
16

17. Circuit-level Gateway
 Firewall technology supervises TCP handshaking among packets to
confirm a session is genuine.
 Firewall traffic is clean based on particular session rules and may
be controlled to acknowledged computers only.
 But circuit-level firewalls do not clean entity packets. This is useful
for hiding information about protected networks.
 Circuit-level gateways are relatively inexpensive and have the
advantage of hiding information about the private network they
protect. On the other hand, they do not filter individual packets
17

18. Types of Firewalls
Circuit-level Gateway
18

19. Types of Firewalls
Bastion Host
A system identified by the firewall administrator as a
critical strong point in the network´s security
The bastion host serves as a platform for an application-
level or circuit-level gateway
19