A firewall is any device used to prevent outsiders from gaining access to your network. This device is usually a combination of software and hardware. Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses.
 

12. 1 Types of Firewalls

• Network-level Firewall
  
  
• the most common type
  
  
• usually router based
  
  
• uses a technique called packet filtering
  
  
the source address of each incoming connection is examined. After each IP source address has been identified, whatever rules the architect has instituted will be enforced. For example, the router may reject any packets forwarded from microsoft.com. These packets never reach the internal server or the network beneath it.


• advantages and disadvantages
  
  
• router-based firewalls are fast
• packets sent from forged source addresses can gain at least some level of access to your server
• In fairness, many packet-filtering techniques can be employed with router-based firewalls that shore up this weakness. One can now even apply rules related to state information within packets, using indexes such as time, protocol, ports, and so forth.
• Another problem is that a number of RPC (Remote Procedure Call) services are very difficult to filter effectively because the associated servers listen at ports that are assigned randomly at system startup.

 
• packet filtering tools
  
  
• TCP_Wrappers
• NetGate (commercial)
• Internet Packet Filter: allows Unix workstation routers to apply packet filtering.

• application-proxy firewalls/application gateways
  
  
Application gateways are software-based. When a remote user from the void contacts a network running an application gateway, the gateway blocks the remote connection. Instead of passing the connection along, the gateway examines various fields in the request. If these meet a set of predefined rules, the gateway creates a bridge between the remote host and the internal host. Bridge refers to a patch between two protocols. For example, in a typical application gateway scheme, IP packets are not forwarded to the internal network. Instead, a type of translation occurs, with the gateway as the conduit and interpreter. This is sometimes referred to as the man-in-the-middle configuration.

• advantages
  
  
• lack of IP forwarding
• more controls can be placed on the patched connection
• very sophisticated logging facilities are offered
  
  
• disadvantages
  
  
• slow
• a proxy application must be created for each networked service
• non-transparent to the users
  
  
• Circuit Gateway: SOCKS (SOCKetS)

  SOCKS is a proxy protocol for client/server environments. SOCKS includes two primary components:

  the SOCKS server
  SOCKS client library
  The SOCKS server implementation is at the application layer and the SOCKS client library is between the client's application and transport layers.
  • What is a Proxy

    A proxy server makes a connection to the application server for the client. The proxy server relays data between the client and the applications server. From the application server's perspective, the proxy server is the client.

    When a client wants to make a connection to an application server, the client connects to the proxy server. The application server's address and port number are passed to the proxy server via a proxy protocol. The proxy server then connects to the application server.

    Once the connection to the application server is established, the proxy server relays data between the client and the applications server.

    Currently, there are two versions of the SOCKS protocol, version 4 and version 5.

  • Typical use

    Because of its simplicity, SOCKS has been widely used as a circuit-level firewall. Because the SOCKS server appears as the client to the application server, the clients are hidden. The SOCKS server provides a single point of access for external traffic.

  • SOCKS Model
    • SOCKS V4: connection request, proxy circuit setup, and application data relay
    • SOCKS V5 connection request, authentication, proxy circuit setup, and application data relay

  • advantages
    
    
  • lack of IP forwarding
  • Easy deployment of authentication/encryption methods
  • Flexible network traffic screening and filtering
    
  • disadvantages
    
    
  • slow
  • a socksified client must be created for each networked service
  • non-transparent to the users
    
    

• Hybrid Gateways

  Combination of multiple types of firewalls

  
  

12.2 Firewalls Generally

One of the main ideas behind a firewall is that your network will remain theoretically invisible (or at least unreachable) to anyone not authorized to connect. This process works through the exclusionary schemes that one can apply using a firewall.

Theoretically, a firewall is the most stringent security measure you can implement. Nevertheless, issues regarding this stringent security environment remain.
 

• Security with a firewall can be configured so stringently that it can actually impair the process of networking.
• A breach in a firewall can cause your internal network to be easily compromised.
• No firewall can effectively prevent attacks from the inside.
• Firewalls can often be misconfigured.

* sacrificial hosts: Web servers or decoys. Decoys are traps, places where an inexperienced cracker's activities are captured and logged.

12.3 TIS FWTK (Trusted Information Systems FireWall Tool Kit)
 

TIS FWTK, early versions of which are free for noncommercial use, contains many separate components. The majority of these components are proxy applications. It includes proxies for the following services:

• Telnet
• FTP
• rlogin
• sendmail
• HTTP
• The X Window system


It also includes authentication-related components: authentication server and clients, some library routines.

 
Supported Configurations
 
• dual-homed gateway
  
  
• the toolkit is installed on a host (bastion host) with two network interfaces
• no router is needed: outside----B----protected
• the bastion host works as the firewall
• Routing functionality on the host is disabled so that no traffic is transferred directly between the outside network and the protected network behind the bastion host.
  
  
• screened host gateway
  
  
• relies on a router with some form of packet filtering capability to block off some access
• one router is used: outside----R----B+protected
• network traffic is permitted only to the bastion host (?), which may or may not have two network interfaces
• this is more flexible, since this offers the opportunity to selectively permit traffic through the screening router for trustworthy applications, or between mutually trusted networks
• the disadvantage is that there are now two security critical components: the bastion host and the router
  
  
• screened subnet gateway
  
  
• a small isolated network is placed between the outside network and the protected network
• two screening routers are used: outside----R----isolated(B+)----R----protected
• the isolated network is often called demilitarized zone, which might have multiple hosts
• routes to the internal network can be hidden


Setup
 

• compile and install
• update /etc/inetd.conf and /etc/rc2.d/* so that the following services are disabled:
gated, cgd, mountd, named, nfsd, nfsiod, pcnfsd, portmap, printer, rstatd, rwhod, sendmail, tftpd, timed, xntpd, ...
• disable IP forwarding
• netacl: a kind of TCP wrapper for network access control
  
  
• configuring gateways
  
  
• telnet proxy (tn-gw)
• /etc/inetd.conf
telnet   stream  tcp  nowait root /usr/local/fwtk/tn-gw tn-gw
telnet-a stream  tcp  nowait root /usr/local/fwtk/netacl in.telnetd
• /etc/services
telnet   23/tcp
telnet-a 2023/tcp  # 2023 can be any unused port
• /usr/local/fwtk/netperm-table
tn-gw: hosts 204.191.3.* *.sookmyung.ac.kr
tn-gw: deny-hosts 204.191.3.111


• proxies for ftp, rlogin, http, sendmail, plug (generic TCP server proxy)


telnet connection example
 

outside> telnet bastion-host
Trying 192.33.112.117 ...
Connected to bastion-host.
Escape character is '^]'.
bastion-host telnet proxy (Version V1.0) ready:
tn-gw-> help
Valid commands are:
    connect hostname [port]
    x-gw [display]
    help/?
    quit/exit
tn-gw-> connect hilo

HP-UX hilo A.09.01 A 9000/710 (ttys1)

login: