FirewallsSlide 2Network layer firewallsSlide 4Stateless FirewallsSlide 6Slide 7Slide 8Stateful FirewallsSlide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Network Address TranslationNat FlavorsNATPFirewall SummaryFirewallsFirewallsNetwork layer firewall works as a packet filterDecides what packets will pass the firewallaccording to rulesdefined by the administratorFiltering rules can act on the basis of:source addressdestination addressportshigher-level network protocols the packet containsNetwork layer firewalls tend to operate very fast, and transparently to users.Network layer firewallsGenerally fall into two sub-categoriesStatefulHold some information on the state of connections as part of their rules for example: established or not, initiation, handshaking, data or breaking down the connectiononly hosts inside the firewall can establish connections on a certain portNon-stateful (stateless)Have packet-filtering capabilitiesCannot make more complex decisions on what stage communications between hosts have reachedoffer less security.Somewhat resemble a router in their ability to filter packetsFirewallsSoftwareExtra software on the hostAny normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server HardwareAn external computer with special softwareCombination of BothStateless FirewallsStateless FirewallsA firewall that treats each network frame (or packet) in isolationIt has no way of knowing if any given packet ispart of an existing connection, trying to establish a new connectionjust a rogue packet.Typical behavior of firewalls before the advent of stateful firewalls Modern firewalls are connection-aware (or state-aware)Allows network administrators finer-grained control of network traffic.Stateless FirewallsProblem:The classic example is the File Transfer ProtocolBy design it opens new connections to random portsSuppose you are the firewall of company X, protecting the company from unauthorized traffic from the Internet You notice a TCP packet coming from some host across the globe, destined for a machine of your internal network, TCP port number 4970. This port number does not correspond to any well-known service that your protected network is supposed to provide (like Web, FTP or SSH),you discard the packet. you just broke a legitimate FTP connection!.Stateless FirewallsFTP, among other protocolsNeeds to be able to open connections to arbitrary high ports to function properly. Since the firewall has no way of knowing that the packet destined to the protected network, to some host's port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problemmaintaining a table of open connectionsintelligently associating new connection requests with existing, legitimate connections.Stateful FirewallsStateful FirewallsA firewall that keeps track of the state of network connections traveling across itsuch as TCP streamsPerforms stateful packet inspection or stateful inspectionProgrammed to distinguish legitimate packets for different types of connectionsOnly packets which match a known connection state will be allowed by the firewallOthers will be rejected.Stateful FirewallsEarly attempts at producing firewalls operated at the application level of the seven-layer OSI modelRequired too much CPU power Packet filters operate at the network layer (layer-3)Function more efficiently because they only look at the header part of a packetHowever, pure packet filters Have no concept of state Subject to spoofing attacks and other exploitsStateful FirewallsHow It WorksHolds in memory significant attributes of each connectionfrom start to finishThese attributes, collectively known as the state of the connection, may include such details as:The IP addresses and ports involved in the connectionThe sequence numbers of the packets traversing the connectionThe most CPU intensive checking is performed at the time of setup of the connectionAll packets after that (for that session) are processed rapidly because it is simple and fast to determine whether it belongs to an existing, pre-screened sessionOnce the session has ended, its entry in the state-table is discarded.Stateful FirewallsHow It WorksDepends on the three-way handshake of the TCP protocolWhen a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the serverthe service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. The firewall built-in to Windows XP will, for instancepass all outgoing packets throughwill only allow incoming packets if they are part of an ESTABLISHED connectionensuring that hackers cannot start unsolicited connections with the protected machineStateful FirewallsHow it Works (cont)In order to prevent the state table from filling upSessions will time out if no traffic has passed for a certain period These stale connections are removed from the state table Many applications therefore send keepalive messages periodicallyKeeps a firewall from dropping the connection during periods of no user-activitySome firewalls can be instructed to send these messages for applicationsIt is worth noting that the most common Denial of Service attack on the internet these days is the SYN floodA malicious user intentionally sends large amounts of SYN packets to the server in order to overflow its state tableBlocks the server from accepting other connectionsStateful FirewallsHow it Works (cont)Many stateful firewalls are able to track the state of connections in connectionless protocols, like UDPSuch connections usually enter the ESTABLISHED state immediately after the first packet is seen by the firewallSessions in connectionless protocols can only end by time-outBy