
Firewall basics Lessons

This course provides a basic introduction to firewalls for students who lack a networking background. It is designed to help students understand what a firewall is, and why they might want or need one. The course also includes a basic introduction to the Internet protocol suite known as TCP/IP (Transmission Control Protocol/Internet Protocol) to establish key basic concepts and vocabulary for students. The lessons examine how firewalls work and the technologies behind them, define basic Internet security policies, and explore common firewall configurations and uses. It also includes a lesson on assessing firewall needs and on finding the right firewall to meet those needs. The course concludes with a review of common security hacks, and explains how much protection a firewall can really offer against hackers.

1. What a firewall can do for you: In this lesson, you'll learn the three basic principles about firewalls: what a firewall is, why you need one, and how to get one.

2. TCP/IP primer: In this lesson, you'll learn about TCP/IP and how firewalls work with it to keep your network secure. TCP/IP is essential to your understanding of how firewalls and related technologies work.

3. Inside a firewall: In this lesson, you'll learn how a firewall works, and find out which features and functions are typically found in most firewalls.

4. Firewall technologies: In this lesson, you'll learn about different kinds of firewalls. The discussion of each firewall type will include an overview of its functionality, requirements, and its pros and cons.

5. Security policies: In this lesson, you'll learn how to define the business rules that should govern how your firewall manages traffic into and out of your network.

6. Common firewall configurations: In this lesson, you'll learn how common firewall configurations meet common security needs and policies, as well as how to test and evaluate firewall effectiveness.

7. Your ideal firewall: In this lesson, you'll learn how to narrow your firewall needs, understand your options, and understand how much you can expect to pay for your firewalls.

8. Planning for attacks: In this lesson, you'll learn about common firewall security attacks and how you can prevent them. You'll briefly cover best security practices as well.

What a firewall can do for you

What's a firewall?

In this lesson, you'll learn the three basic principles about firewalls: what a firewall is, why you need one, and how to get one. When you create a link to the internet, a firewall sits between the private, or internal, side of the connection and the public, or outside, side of that same connection. The private side may be a single system or one or more networks, as shown in Figure 1-1. Simply put, a firewall's primary job is to examine inbound traffic -- that is, traffic coming from the public side of the link destined for the private side -- and decide whether it is permitted before allowing it to pass through to the private side of the link.

Figure 1-1: A firewall.

Firewalls can be intimidating, and inevitably rope in numerous technical topics. You'll need to understand a little bit about networks and internet communications to understand how firewalls work, so this course gives you a gentle introduction to those topics. The course Message Board is your classroom and is the place you should go when you have a question about what's covered in this course, or about other firewall-related issues. Remember that your instructor and classmates are in this learning endeavor with you, so don't be afraid to speak up (virtually of course).

©2003 - 2006, Powered, Inc.

To appreciate a firewall, you must recognize that you have a system or systems, each of which contains information that's worth protecting. This course is designed to help you cultivate that appreciation and understand exactly how a firewall works to protect crucial information. This course isn't designed to teach you how to implement a particular firewall software or technology, but instead is a more concept-oriented course that will help you understand what firewalls are designed to do and how they work. If you're interested in setting up a firewall, the principles and concepts covered in this course will help you select the right firewall and understand its documentation so you can get your firewall up and running.

Like the physical barriers it's named after, no internet firewall is perfect, nor can it always defeat or deflect all malign traffic.

Common firewall forms

This lesson discusses what a firewall is and explains the functions it performs between a private system or network and the public internet. The idea is to help you appreciate the role that a firewall plays in averting or deflecting potential sources of damage or harm, and how this concept applies to managing an internet connection in particular. Firewalls come in two primary forms:

Software-only firewalls: In this form, a firewall is a program that runs on a computer attached to the internet (and possibly also to an internal, private network). The firewall software intercepts all incoming traffic and inspects it before allowing it to reach the computer or the internal network. Firewalls can inspect outgoing traffic as well, but more about that later.

Hardware firewalls: In this form, a firewall is a device attached to the internet on one side and to an internal, private network on the other, as shown in Figure 1-2. In some cases the device includes other functions besides the firewall, such as a cable modem or DSL (Digital Subscriber Line) interface; such devices are often called internet appliances because they provide everything needed to attach one or more computers safely to the internet in a single box. A dedicated box that runs firewall software, and perhaps other security-related software, may also be purchased from a vendor or supplied by a communications provider (such as the telephone or cable company); in that case it is called a security appliance.

It's important to understand that firewall devices include both hardware and software, but you manage the two together as a single unit. It's also important to recognize that, for the same level of functionality, a firewall device generally costs more than a software-only firewall, if only because of the extra hardware involved. That said, both D-Link and Linksys offer internet appliances (which include firewall capabilities) for under $100.

Figure 1-2: A firewall device sits between the public side of an internet link and one or more computers on the private side.

Because firewalls represent the most obvious point of attack for those with less than honest intentions, most security experts recommend that you dedicate a computer or some other device (such as an internet appliance) for use as a firewall and for other related security functions. This explains the popularity of internet or security appliances -- they're normally cheaper than buying a computer and software for exclusive firewall use. Also, in many cases, internet or security appliances come preconfigured and ready to install and use, and require little or no expertise to put them to work. By contrast, installing and configuring software-only firewalls can involve some work, and requires at least some knowledge about security in general, and the firewall in use in particular.

Why do you need a firewall?

The short answer to the question "Why do you need a firewall?" is pretty simple: Because it helps to protect your system or network from attack (usually from the internet). The longer answer takes a little explaining, starting with what it is you need to protect, and the type and nature of the threats against which a firewall can provide protection.

Since the release of Windows XP Service Pack 2 (SP2) in 2004, the most recent Windows desktop software includes a built-in firewall (called Windows Firewall) that sets itself up pretty much automatically. It's an adequate firewall and may be just the thing for home or small office users with just one or two PCs to protect. You'll find out more about the Windows Firewall in Lesson 6.

What's there to protect?

Internet and other attacks come in many forms, and can threaten your computer (or network) in different ways. In general, you want to protect the following aspects or capabilities of your computer (and, if you have an internal private network, of every computer and other device attached to that network):

System integrity: Some attacks are purely destructive, and may seek to obliterate the entire contents of any systems they encounter, rendering them inoperable. This means a total loss of system integrity. Other attacks on system integrity are more subtle, and may seek to take control of your systems. This also compromises their integrity, but in less obvious ways.

System contents: Some attacks aim to delete critical files, steal sensitive information, or change configuration files to allow outsiders to control your systems (or strip you of such control). All such attacks involve unauthorized access to system contents.

System behavior: Some attacks install software on your system (or systems) to provide easy access for an attacker, or to engage in attacks against other systems. This latter kind of attack turns systems into zombies, which means your computers may be used to attack other systems and networks while somebody else lurks in the background directing that activity. Other such attacks are less overtly destructive and simply install unwanted monitoring, reporting, remote control, or advertisement display software on your system instead (a common symptom of adware and spyware; more on these topics later).

System access: Some attacks simply seek to make your system (or network) unavailable to authorized users. These are called DoS (denial of service) attacks because they block legitimate users from access to services or resources on your system(s) or network.

When installing a firewall, make sure its capabilities are up-to-date. New attacks appear all the time, and old software often can't handle new threats. This applies equally to software-only and hardware firewalls. Visit the vendor's website to look for patches and fixes to keep your firewall current.

How firewalls protect you

Once a firewall is in place, it can provide several types of protection (the how and why of these will follow later in the course):

Block unused or unwanted access requests: On the internet, requests for access come in specific forms that relate to particular services, such as web, email, file transfer, and so on. You can configure your firewall to block access requests you don't want to support or that pose a security risk. In general, it's considered wise to block all requests for services you don't plan to offer anyway, because every reachable service is an avenue for attack.

Block incoming traffic from known points of attack: Certain names or addresses from which traffic originates may be strongly associated with prior attacks or bad behavior. You can instruct your firewall to ignore traffic that originates from such sources.

Limit or block outgoing traffic: You can prohibit some services that inside users might want to access (such as instant messaging or streaming media) or judge other services too vulnerable to attack to be used at all (such as file transfer). Many firewalls can keep such traffic from leaving your network. This prevents connections that could become subject to attack from being opened in the first place. Likewise, you might block addresses for inappropriate websites so that users can't access explicit or questionable materials through the firewall.

You learn more about setting the business rules that define what traffic your firewall keeps in and out in Lesson 5. The built-in Windows Firewall included with Windows XP SP2 does not offer much by way of limiting or blocking outgoing traffic, although it does a pretty good job on inbound traffic. Many experts believe this lack of capability means that other firewalls that do support such screening offer better protection and security.

The most important reason for using a firewall, and the best explanation for why you would need one, remains your need to protect your system or network against unwanted penetration, access, or compromise. There are no perfect firewalls, and therefore, no perfect protection against attacks. However, it's relatively easy to deploy reasonable protection that keeps all but the most knowledgeable and dedicated attackers from breaching your defenses. The principle at work here is like a burglar alarm: Although it can't keep all burglars away, if it keeps most of them away at a reasonable cost, it's probably good enough for your needs.
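The three kinds of protection listed above can be written down as an ordered rule list that a simple packet filter evaluates. The Python program below is an added example written for this page, not code from the course: the rules, the addresses (taken from the RFC 5737 documentation ranges) and the sample packets are all constructed, and the service names map to the well-known TCP ports for web, email and file transfer. Evaluation is first match wins, and anything that matches no rule is denied, which is the "block all requests for services you don't plan to offer" default the lesson recommends.

```python
"""Stateless first-match packet filter: an added example for this lesson,
not code from the course.  Addresses come from the RFC 5737 documentation
ranges, the rules and sample packets are constructed, and the service
names map to the well-known TCP ports."""
from dataclasses import dataclass
from typing import List, Optional

SERVICE_PORTS = {"web": 80, "email": 25, "file transfer": 21}


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (public -> private) or "outbound" (private -> public)
    src: str         # source IPv4 address, dotted decimal
    dst: str         # destination IPv4 address
    dport: int       # destination TCP port, which identifies the service requested


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "inbound", "outbound" or "any"
    src: Optional[str] = None    # None matches any source address
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins.  Traffic that matches nothing is denied,
    so any service not explicitly offered is blocked by default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Policy for a site that offers only a web server to the outside world.
POLICY = [
    Rule("deny", "inbound", src="203.0.113.9"),                      # known point of attack (constructed)
    Rule("allow", "inbound", dport=SERVICE_PORTS["web"]),             # the one service we offer
    Rule("deny", "outbound", dport=SERVICE_PORTS["file transfer"]),  # judged too risky for inside users
    Rule("allow", "outbound"),                                        # everything else may leave
]

# Constructed sample traffic: 192.0.2.10 is the inside web server.
SAMPLE = [
    Packet("inbound", "198.51.100.4", "192.0.2.10", 80),    # web request
    Packet("inbound", "198.51.100.4", "192.0.2.10", 21),    # FTP request for a service we do not offer
    Packet("inbound", "203.0.113.9", "192.0.2.10", 80),     # web request from the bad source
    Packet("outbound", "192.0.2.10", "198.51.100.4", 21),   # inside host trying FTP out
    Packet("outbound", "192.0.2.10", "198.51.100.4", 25),   # inside host sending mail
]


def apply_policy(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [decide(rules, p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, apply_policy(POLICY, SAMPLE)):
        print(f"{p.direction:8} {p.src:>13} -> {p.dst}:{p.dport:<3} {verdict}")
```

Rule order matters: the "known bad source" rule must come before the "allow web" rule, or a web request from that source is let through. The third rule is the outbound screening the lesson says the Windows XP SP2 firewall lacked; remove it and the outbound file transfer is allowed. A real firewall also tracks connection state so that replies to permitted outbound connections are let back in, which this stateless example does not model.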

How do you obtain a firewall?

There are many potential sources for internet firewalls, be they hardware firewalls or software firewalls, appliances, or otherwise. Because there's hardware involved, you won't find hardware firewalls or appliances that are actually given away at no cost to their users -- although cable or DSL users may be loaned or leased such gear that becomes part of your monthly service costs. Lots of software-only firewalls are available at no cost, however, so it's possible to protect a single computer connected to the internet for free. There's a category of firewall software called a personal firewall that generally applies to use in SOHO (small office, home office) or strictly personal networks. Firewalls in this category include the following:

Built-in: Comes as part of the operating system, and involves no extra costs.

Freeware: You don't pay anything; it's free.

Shareware: You don't pay anything upfront, but you normally must provide modest compensation to the firewall's creator if you continue to use the software beyond a specified trial period.

Commercial: You purchase the software before you can use it.

Online firewall guide

For an excellent compendium of personal firewall products, visit the Home PC Firewall Guide. This is an excellent source of information about personal firewalls, as well as about related products, tools, and technologies.

You have a few options for obtaining a firewall for personal use in a home office environment (to protect key business systems when you or your staff are working from home):

If any of your PCs are running Windows XP Service Pack 2 (SP2) or a newer version, the built-in Windows Firewall software is included as part of the operating system. Although it doesn't offer outbound traffic inspection and screening -- as most other software-only firewalls do -- it does an adequate job of protecting single systems and small networks.

Visit a freeware or shareware download web page (such as the collection of Windows firewall shareware and freeware at tucows.com) and download a software-only firewall package. Read your PC's documentation carefully: sometimes installing freeware can void your warranty.

If you have a cable or DSL connection to the internet, it may have come with firewall software, or possibly a modem or appliance with a hardware firewall built in (contact your service provider for more information).

Purchase a shrink-wrapped software or hardware firewall product at a store, or pay to download a commercial software-only firewall from the internet (the list of firewall software at CNET is a good place to start).

Any company or individual connected to the internet should use a firewall to protect the connection and any system(s) from unauthorized access and potential harm.

When you install a firewall to protect a network, you can still decide between software and hardware firewalls, and the same basic principles apply. But because you have a network -- and presumably, multiple systems -- to protect, there are more technical issues to address before you get your firewall set up and running.

Moving on

In this lesson, you learned that a firewall is designed to sit between the public and private sides of an internet connection and block or deflect unwanted incoming traffic (and often, outgoing traffic as well). Before you move on, do the assignment and quiz. Also, visit the Message Board to find out what other students are up to and to touch base with your instructor. In Lesson 2, you'll learn more about the protocols and services that make the internet work (and firewalls necessary) in a primer on the internet protocol suite known as TCP/IP (Transmission Control Protocol/Internet Protocol).


Assignment #1

Visit one or more of the following websites, and search on the term firewall. Read through the resulting materials to get a sense of how you might use these resources for future learning and research.

The CMP TechWeb Encyclopedia
Internet.com's Webopedia
Alliance Data's Firewall Tutorial
Marcus Ranum's and Matt Curtin's Internet Firewalls FAQ

Now, visit your favorite search engine and look for introductory information about firewalls. (Hint: Using search strings like firewall tutorial, firewall overview, or firewall introduction will work much better than just firewall.) Bookmark or add those websites that you find most interesting and informative to your favorites list.

Quiz: #1

Question 1: True or False: A firewall's primary job is to examine inbound traffic to make sure it's okay before permitting that traffic to pass through to the private side of the link.
A) True
B) False

Question 2: Which of the following forms do internet firewalls take? (Check all that apply.)
A) Network appliances
B) Software-only implementations
C) Hardware implementations
D) Remote access services

Question 3: Which of the following aspects or capabilities of your network should you seek to protect from internet attack? (Check all that apply.)
A) System integrity
B) Hardware
C) System access
D) System contents
E) System behavior

Question 4: True or False: All firewalls work only on inbound traffic; they do not limit or block outgoing traffic.
A) True
B) False

TCP/IP primer


What's TCP/IP and how does it relate to firewalls?

This lesson focuses on TCP/IP (Transmission Control Protocol/Internet Protocol), the collection of networking protocols and related services that make the internet work and that make firewalls and related technologies necessary for maintaining proper security. TCP/IP is essential to your understanding of how firewalls and related technologies work. The lesson explains the fundamental concepts of protocols and services, describes the collection of protocols and services known as TCP/IP, and explains what it is about them that makes firewalls and related technologies not just useful, but downright necessary for anyone who connects to the internet.
Of protocols and services

TCP/IP can be described somewhat loosely as a collection of networking protocols and services that make the internet run. This is all well and good, but it's important to understand the two terms used in the preceding sentence fully -- namely, protocols and services -- to appreciate what this means. Read on for those essential details.

A protocol is a collection of rules governing the sequence and formats of messages that can pass from a sender to a receiver (or from a sender to multiple receivers). The senders and receivers are computers on the internet and the messages are data. Thus, a protocol defines what kinds of communications can occur between a sender and a receiver, in what order those messages should or must occur, and the format for such messages. A group of related protocols is often called a protocol suite, to signify their interdependencies and interrelationships. Such a group of protocols can also be called a protocol stack, to identify the layered set of software components that actually implement those protocols for some particular device or computer system. In most cases these days, protocol stacks are built into the operating system -- as is the case for all modern versions of Windows, for example.

The concept of a service, on the other hand, defines what a protocol can do. Thus, a file transfer protocol (such as FTP) supports a file transfer service, which means it enables a sender to transmit a file to a receiver, to navigate local and remote file systems, to delete local and remote files, and so forth. This means the file transfer service really works much like a two-sided file system, where local files can be copied to another location on a network (or vice versa), and where you can move around in a local and a remote file system to list directories, manage files, make copies, and so on.

TCP/IP standards

TCP/IP protocols are specified in formal documents known as RFCs (Requests for Comments). Despite the tentative-sounding name, the RFCs on the standards track are the authoritative definitions of existing (and proposed) TCP/IP protocols and services; other RFCs are informational or experimental. You can review the complete collection of RFCs online at the IETF (Internet Engineering Task Force) web site, including RFC 3000, "Internet Official Protocol Standards."

TCP/IP elements

TCP/IP is a large, complex protocol suite that's been widely used since the early 1980s. Consequently, TCP/IP embraces hundreds of protocols and services, for everything from address management to zone information transfers, and many points in between. It's not important to understand these details at the moment, only to recognize that TCP/IP supports nearly any kind of network activity you can think of -- from email, to web access, to file transfer, network addressing, and so on -- and many kinds of network activities you might not think of.

TCP/IP takes its name from two protocols that represent two of its most important components:

TCP stands for Transmission Control Protocol, which provides a reliable and robust way to move information from a sender to a receiver. TCP can take big chunks of data, break them into small chunks for transmission over the network, keep track of individual chunks as they arrive on the receiving end, and make sure all chunks get delivered and reassembled in the proper sequence -- or report to the application that the data transfer could not be completed. TCP supports many higher-level internet services, including email, file transfer, and web page access.

IP stands for Internet Protocol, which provides a way to address and route data packets from a sender to a receiver. IP is a fundamental component of TCP/IP, because virtually all internet communications use IP to move and direct data.

Although there are hundreds of protocols and services within the TCP/IP protocol suite, these two protocols are so important that they give the whole suite its name.

TCP/IP and firewalls

TCP/IP was designed and implemented in a laboratory setting, where none of its original designers had any idea of the global scope, reach, and importance these protocols and services would one day assume. Put politely, TCP/IP implements an optimistic security model: it trusts the good will of users and assumes they won't actively seek ways to bypass or defeat it. There's not much built-in security in TCP/IP's basic building blocks; nothing in IP, for example, verifies that a packet's source address is genuine. In days of yore, when TCP/IP was the province of a small, clannish group of highly trained researchers, this model made sense. Now that TCP/IP is accessible to anyone and everyone, more aggressive ways to impose security have become important. Because TCP/IP's fundamental design remains unchanged, protective elements, such as firewalls, must be inserted between safe private systems or networks and unsafe public systems and networks.


Inside the TCP/IP stack

The term TCP/IP stack refers to the collection of software components and elements that implement TCP/IP protocols and services on some particular computer. In this context, it's essential to understand that TCP/IP protocols (and related services) fall into various layers. Lower layers provide support for upper layers, so that protocols and services at lower layers are essential to the functioning of protocols and services at higher layers.

In a completely abstract way, this explains how TCP/IP got its name: the TCP and IP protocols (and related services) support many, if not most, of the important higher-layer protocols (and related services) that users really care about. In most cases, therefore, using TCP/IP means operating a number of interlinking and interdependent software components that correspond loosely to the actual protocols and services in use, and also incorporate software drivers that permit the computer to communicate with one or more network interfaces as needed. It helps a bit further if you understand the layers into which the TCP/IP protocol suite is divided, and the roles that each of these layers plays. This division into layers corresponds to a formal model for TCP/IP known as the DARPA (Defense Advanced Research Projects Agency) model or, more directly, as the TCP/IP networking model, which is shown in Figure 2-1.

DARPA

DARPA is the arm of the U.S. Department of Defense that funded the initial research and development work that produced TCP/IP.

IPv4 and IPv6

The current version of IP is IPv4, and it reflects the optimistic security model just mentioned. A newer version, IPv6, was still being refined and only occasionally used when this course was written; the course expected it to be widely deployed sometime between 2010 and 2015. IPv6 was designed with security features (IPsec) as part of the suite, but that does not remove the need for a firewall: an IPv6 host is just as reachable from the public side of the link as an IPv4 host, and its inbound traffic still has to be screened.

Figure 2-1: The TCP/IP Networking Model.

The TCP/IP Networking Model defines a layered collection of protocols and services that together support all of TCP/IP's capabilities. Higher-level layers depend on lower layers to work. The four layers of the TCP/IP networking model are:

TCP/IP Network Access layer: Sometimes also known as the Network Interface layer, it's the layer where networking hardware, interface cards, and communications technologies, such as Ethernet or Token Ring, come into play. It's also the layer at which specific connection-management or WAN (wide area network) protocols come into play. Essentially, this is the layer at which cables, interfaces, and low-level connections to computers operate.

TCP/IP Internet layer: This layer handles addressing and routing between computers on the internet, permits multiple networks to interconnect, and provides naming and addressing schemes that make the vast public internet possible. Essentially, this is the layer at which the networking concepts of here (the origination point for communication) and there (the destination) are established, and the mechanisms to get from here to there (routing) are handled.

TCP/IP Transport layer: Also known as the Host-to-Host layer, this layer handles the mechanics involved in moving data from one computer to another. This means taking large chunks of data of arbitrary size, breaking them into smaller chunks suitable for network transmission, and managing delivery from sender to receiver of those chunks. Reliability and robustness come into play at this layer for TCP: delivery is tracked, failed transmissions are retried, and received chunks are reassembled into their original order before being handed up to the application. Essentially, this layer handles how data moves from sender to receiver.

TCP/IP Application layer: Also known as the Process layer, this is where the protocol stack interfaces with applications or processes on a host machine. Thus, user interfaces and service capabilities are defined here. Recognizable TCP/IP services, such as email, web access, file transfer, terminal emulation, and so on, operate at this layer. Basically, this layer defines the kinds of functions and behaviors that TCP/IP makes available to users.

Table 2-1 lists common TCP/IP protocols associated with these layers.

Layer           Name                               Acronym  Explanation
Network Access  Point-to-Point Protocol            PPP      Newer serial line connection protocol (used in most modern operating systems and devices).
                Serial Line Internet Protocol      SLIP     Old-fashioned serial line connection protocol (used primarily in older Unix implementations).
                X.25                               X.25     ITU (International Telecommunication Union) WAN protocol widely used for low- and medium-bandwidth telephony-based networking outside the US.
Internet        Address Resolution Protocol        ARP      Converts numeric IP addresses to hardware addresses on a specific network segment.
                Border Gateway Protocol            BGP      Newer, exterior routing protocol used to interconnect multiple routing domains or Internet backbones.
                Internet Control Message Protocol  ICMP     Carries error and diagnostic messages for IP (destination unreachable, echo request/reply, and so on).
                Internet Protocol                  IP       Routes packets from sender to receiver.
                Open Shortest Path First           OSPF     Newer, interior routing protocol used inside large private networks or routing domains.
                Packet Internet Groper             PING     Utility built on ICMP echo request/reply that checks access to and performance in reaching specific network locations.
                Routing Information Protocol       RIP      Old-fashioned, basic IP routing protocol.
Transport       Transmission Control Protocol      TCP      Reliable, connection-oriented transport protocol.
                User Datagram Protocol             UDP      Unreliable, connectionless transport protocol.
Application     File Transfer Protocol             FTP      Remote file access and transfer services.
                HyperText Transfer Protocol        HTTP     Supports Web access.
                Network News Transport Protocol    NNTP     Supports Internet newsgroup access.
                Simple Mail Transfer Protocol      SMTP     Supports e-mail delivery from sender to receiver.

Table 2-1: Protocols associated with TCP/IP Networking Model layers.

Basic firewalls operate primarily at the Internet and Transport layers; more advanced firewalls cover these layers but can operate at the Application layer as well. The importance of these statements will be explained in Lesson 3 in detail, and covered in passing throughout the rest of this course.

IP addresses

One of the most important functions of the Internet layer in the TCP/IP Networking Model relates to addressing. In general, IP addresses allow every system on the internet to be completely and uniquely identified. Although the implementation of IP in the current version of TCP/IP (IPv4) is ingenious in design and broad in scope, there's a finite limit to the number of unique addresses available, and given the increasing number of connections to the internet, we're quickly reaching that limit. Some of the impetus for the upcoming IPv6 is to increase the size of the IP address space -- the total number of unique locations that the IP protocol can identify.

IP actually uses a three-part addressing scheme, as follows:

Symbolic names: Consist of so-called internet domain names that take the form www.microsoft.com or ftp.hp.com. To be valid, any domain name must correspond to at least one unique numeric IP address. Domain names point to numeric IP addresses, mediated by the TCP/IP application service known as the DNS (Domain Name System), which translates from the symbolic to the numeric form. Humans are good with symbolic names (and not so good with numeric addresses), which is why symbolic names are part of the IP addressing scheme.

Logical numeric (IP) address: For IPv4, this consists of a set of four numbers, separated by dots, as in 10.6.120.78. Each of the four numbers must be less than 256 in decimal value (0 through 255), since each represents an eight-bit number. A numeric IP address is often expressed in what's called dotted decimal notation -- meaning four decimal numbers, separated by dots or periods. IP uses this kind of address to uniquely identify all hosts and interfaces on the internet. Most people call eight-bit numbers bytes, but TCP/IP experts like to call them octets, which means the same thing.

Physical numeric (MAC) address: Network interfaces (such as the network card that attaches your computer to a local area network) are encoded with a six-byte numeric address as part of the manufacturing process. This is known as a MAC (Media Access Control) layer address, of which the first three bytes identify the manufacturer and the second three bytes represent a unique counter value. This is designed so that no two physical interfaces ever ship with the same physical address. Note, however, that most operating systems let the MAC address be changed in software, so it can be spoofed; a firewall should not treat it as proof of a device's identity. The ARP protocol exists to translate from numeric IP addresses to MAC addresses, whereas the RARP (Reverse ARP) protocol goes the other way. This address operates at the Network Access layer because it identifies specific hardware components attached to a network.

Remember that IP addresses are linked to domain names for human use and to MAC addresses to identify specific network components, and you've captured the essence of this addressing scheme. The rest of this course focuses entirely on numeric IP addresses.

IP packets

As you know, each protocol defines a set of rules for information exchange, as well as a set of formats for messages to take. In many ways, rules for IP packets define the overall shape of TCP/IP communications, because most messages ultimately occupy IP packets while moving from sender to receiver. That's why understanding the basic IP packet layout and initial fields (called header fields in TCP/IP lingo) will help you understand how TCP/IP behaves in general, and much of how firewalls operate in particular.

IP packet layout


Figure 2-2 shows a map of an IP header, which contains the following named fields whose lengths are denoted by their sizes in that diagram.


Figure 2-2: A map of the IP header.

Each of these fields is described briefly in the following list of field names:

Version: Identifies the version of IP in use. The most widely used version today is IPv4, which shows up as a 4 in this field. IPv6 (which would show up as a 6 here) is the newest version, but follows a different layout altogether.

Header length: Specifies the length of the IP header in bytes, divided by 4 (because all IP headers must take lengths divisible by 4, this shortens the number of possible header lengths used).

ToS (Type of Service): Consists of two subfields. The first three bits define precedence. Routers can use this value to prioritize through traffic. The actual ToS value occurs in the next 4 bits and specifies general routing characteristics. See RFC 1349 for complete details on the different kinds of TCP/IP services.

Total length: Specifies the actual length of the IP header, plus any valid data in the data portion of the packet (called the payload), not including any padding (extra unused bytes added to meet minimum length requirements).

Identification: A unique packet identifier that can be used to reassemble fragments if an IP packet must be broken into smaller pieces (a process called fragmentation) en route from sender to receiver.

Flags: A three-bit number used to control or describe packet fragmentation. Bit 1 is always set to 0. If bit 2 is set to 0, the packet may be fragmented; if set to 1, it may not be fragmented. If bit 3 is set to 0, it identifies the last fragment in the series; if set to 1, additional fragments are forthcoming.

Fragment offset: If an IP packet must traverse a network segment that can't carry a packet as large as the original packet as sent, it has to be chopped into smaller chunks, called fragments. The fragment offset value helps the IP software reassemble all fragments upon receipt. Some clever network attacks use illegal or invalid offset values to confuse IP software (this actually crashed various versions of Windows 9x until Microsoft released a fix); many firewalls track such values, do the math, and deny packets with illegal or invalid values.

TTL (Time to Live): Denotes the remaining lifetime of an IP packet, counting hops through routers. Typical starting values are 32, 64, and 128; this value is decremented by 1 each time the packet passes through a router. This field is designed to make sure that IP packets will die after a certain time in transit, rather than allowing them to travel forever on the internet.

Protocol: Identifies what kind of protocol occurs in the payload of the IP packet. Firewalls pay close attention to this value because they can use it to decide which packets to allow through to the internet, or to specifically block packets of a particular protocol type.

Header checksum: Provides an error detection mechanism for the header contents. The sender performs a specific calculation on the numeric value of the entire header and writes the result into this field before sending; the receiver repeats the calculation and compares it to the value as written, so even the slightest error can be detected. Used as a quality control mechanism.

Source address: Contains the IP address of the packet's (putative) sender. Firewalls can use this information in several ways to block traffic.

Destination address: Contains the IP address of the packet's intended recipient (or recipients, in the case of multicast or broadcast addresses).

Options: Any of a variety of settings that can provide various types of additional IP routing data or controls. Seldom used except when testing and debugging.
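To see how a firewall actually reads the fields just listed, here is an added example (not part of the course) that parses a constructed 20-byte IPv4 header with Python's struct module, verifies the header checksum the way a receiver does, and applies the sanity checks described above: the reserved flag bit, the header and total lengths, and a fragment offset that would place data beyond the 65,535-byte datagram limit. The packet bytes, field names and helper functions are the example's own; the addresses come from documentation ranges.

```python
"""Parse an IPv4 header and apply the sanity checks a packet filter runs on it.

Added example for this lesson, not code from the course. The packet bytes are
constructed here; 192.0.2.x and 198.51.100.x are documentation addresses.
"""
import struct
import ipaddress

# Fixed 20-byte part of the IPv4 header (RFC 791), network byte order.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
MAX_DATAGRAM = 65535                                   # largest total length IP can express
FLAG_RESERVED, FLAG_DF, FLAG_MF = 0b100, 0b010, 0b001  # bits 1-3 of the Flags field


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                 # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol=6, ttl=64, ident=0x1C46,
                      flags=FLAG_DF, frag_offset=0, tos=0) -> bytes:
    """Construct a header with a correct checksum (sender side; used to make test packets)."""
    ver_ihl = (4 << 4) | 5                             # version 4, header length 5 x 4 = 20 bytes
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = IPV4_HEADER.pack(ver_ihl, tos, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Split the header into the named fields from Figure 2-2 and verify its checksum."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("packet shorter than a minimum IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = IPV4_HEADER.unpack_from(packet)
    ihl = ver_ihl & 0x0F
    header_length = ihl * 4
    checksum_ok = False
    if ihl >= 5 and header_length <= len(packet):
        hdr = bytearray(packet[:header_length])
        hdr[10:12] = b"\x00\x00"                       # receiver recomputes with this field zeroed
        checksum_ok = ones_complement_checksum(bytes(hdr)) == checksum
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "header_length": header_length,
        "precedence": tos >> 5,                        # first three ToS bits
        "tos": (tos >> 1) & 0x0F,                      # next four bits (RFC 1349)
        "total_length": total_length,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,        # in units of 8 bytes
        "ttl": ttl,
        "protocol": protocol,                          # 1 = ICMP, 6 = TCP, 17 = UDP
        "header_checksum": checksum,
        "checksum_ok": checksum_ok,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": bytes(packet[20:header_length]),
    }


def header_problems(fields: dict, wire_length: int) -> list:
    """'Do the math' on the header; any entry here is grounds for a firewall to drop the packet."""
    problems = []
    if fields["version"] != 4:
        problems.append("version is not 4")
    if fields["ihl"] < 5:
        problems.append("header length below the 20-byte minimum")
    if fields["flags"] & FLAG_RESERVED:
        problems.append("reserved flag bit is set")
    if fields["total_length"] < fields["header_length"]:
        problems.append("total length smaller than header length")
    if fields["total_length"] > wire_length:
        problems.append("total length exceeds bytes actually received")
    payload = fields["total_length"] - fields["header_length"]
    if fields["fragment_offset"] * 8 + payload > MAX_DATAGRAM:
        problems.append("fragment offset places data beyond the 65,535-byte datagram limit")
    if not fields["checksum_ok"]:
        problems.append("header checksum mismatch")
    return problems


def inspect(packet: bytes):
    """Return (parsed fields, list of problems) for one packet."""
    fields = parse_ipv4_header(packet)
    return fields, header_problems(fields, len(packet))


if __name__ == "__main__":
    good = build_ipv4_header("192.0.2.10", "198.51.100.7", payload_len=20) + bytes(20)
    bad = build_ipv4_header("192.0.2.10", "198.51.100.7", 20, flags=FLAG_MF, frag_offset=8191) + bytes(20)
    for name, pkt in (("well-formed", good), ("bad offset", bad)):
        fields, problems = inspect(pkt)
        print(name, fields["src"], "->", fields["dst"], "proto", fields["protocol"], problems or "ok")
```

The offset check is the arithmetic the text refers to: a fragment's offset is counted in 8-byte units, so the largest legal offset (8191) plus more than 7 bytes of payload already overruns the maximum datagram size, and a filter that keeps that sum in mind can reject the packet without ever attempting reassembly.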

The important takeaway from this review of IP header elements is that a firewall can inspect key header fields quickly, and block or allow transit of IP packets accordingly. The same kind of controls are also possible in Application layer packet headers, as you'll learn in the following section.

Application layer protocols

If you examined the contents of traffic moving across the internet, you'd find a collection of TCP and UDP packets used to transport all kinds of data from senders to receivers inside the IP packets that make up most such traffic. In a continuing chain of packets within packets, known as encapsulation, you'd find higher-layer application protocols related to services such as email, file transfer, remote file system access, network news, web access, and so forth, within those TCP and UDP packets. Without going into too much detail, let's just say that at the Transport layer (that is, within the TCP and UDP header fields) and at the Application layer (that is, within the headers for whichever of the hundreds of TCP/IP application protocols happens to be in use), firewalls can glean and act on all kinds of useful information. But it's also important to understand that the more headers a firewall must read, and the more kinds of information it must act on, the less quickly it works. Packets move across the internet at a furious rate; reading more deeply into packets takes more time and requires more complex software. Thus, there's a tradeoff between handling things quickly and reading deeply into packets. This explains why firewalls are more important at the edges of the internet infrastructure, where traffic rates are lower and there's more time to inspect such traffic (and where there are also more individual systems and networks that organizations or individuals need to protect). On the internet backbone, traffic rates may be tens of thousands to millions of times greater than at the edges. At extreme traffic levels, highly specialized IP routers act on IP header contents, but they don't have time to dig deeper into packet structures as they race through them. What kinds of information do firewalls look for at the Transport and Application layers?

Again, without digging too deeply into packet layouts -- and remember, each Application layer protocol has its own unique packet formats and layouts, much like the IP header map you saw in Figure 2-2 -- Table 2-2 summarizes the kinds of information that firewalls use to block or allow traffic to pass through a network link. Remember also that the deeper a firewall digs into TCP/IP packet structure, and the more complex the logic it uses to block or allow traffic through, the more it slows down.

Transport Layer

  Source Port: Identifies the application or process that sent the packet using UDP or TCP transports. Because they are of particular interest to firewalls, we cover port numbers in their own section next.

  Destination Port: Identifies the application or process to which the packet is sent, both for UDP and TCP transports. When attempts to access unwanted or unused port addresses occur, firewalls can block traffic based on destination port numbers as well.

  TCP Sequence number: A number that identifies each individual TCP packet, called a segment. This information is used to reassemble incoming packets at the receiving end, but can also be manipulated in an attack.

  TCP Data Offset: As with fragmented IP packets, firewalls can sometimes examine values supplied for TCP packets, to make sure the numbers add up properly and no deliberate attempts to confuse the IP software are underway.

  TCP Flags: To establish a working connection, TCP goes through a deliberate initial sequence of packet exchanges between sender and receiver. Numerous clever attacks start the sequence, then leave it hanging, or simply flood a recipient with initial packets. Most Internet boundary devices, including routers and firewalls, look for and deny incoming packets that meet related attack profiles.

Application Layer

  Message type: Within most application protocols, packets are labeled as one type or another. Some firewalls look for patterns of incoming message types to identify and block potential attacks.

  Source domain name: Many Application Layer protocols provide domain name data. This can be compared to the originating IP address for a packet in a maneuver called a reverse DNS lookup (which instead of translating a domain name to an IP address, translates an IP address into a domain name) to make sure both sides agree. A common attack signature is known as spoofing, which occurs when a false source address or domain name is supplied. Thus, firewalls often perform such checks on incoming traffic.

  Command content: Many TCP/IP application protocols use a sequence of request/reply messages to do their jobs. Some firewalls read the syntax of specific incoming application commands, and can allow or deny them based on the potential impact of the requests being made. This is as deep into TCP/IP packet structure as even the most sophisticated firewalls available today ever go.

Table 2-2: Key Packet Contents of Interest to Firewalls at Transport and Application Layers.

Learn more

TCP/IP is a huge and fascinating topic, and a must-know subject for internet and networking technical professionals. The college textbook entitled Guide to TCP/IP, 2nd Edition (Course Technology, 2004, ISBN: 061921242X) is a useful reference for those interested in learning more about TCP/IP.

Even when you take a high-level look at TCP/IP, it can be complex and more than a little intimidating. Remember that a TCP/IP expert is teaching your course, so be sure to visit the Message Board and ask any questions you might have about the material covered in this lesson.

TCP and UDP port numbers

Port numbers are provided for senders and receivers of UDP and TCP packets, and define the sending and receiving application or process where the traffic originated (the sender) and where it is destined to arrive (the receiver). Port numbers are 16-bit integers that span values from 0 to 65,535. They fall into three ranges, as follows:

Well-known Port Numbers (0 to 1,023): Assigned to various TCP/IP core services. These numbers typically identify specific well-known services, such as FTP (ports 20 and 21), telnet (port 23), SMTP (port 25), and so on.

Registered Port Numbers (1,024 to 49,151): Associated with specific industry applications or processes. For instance, port 1433 for both TCP and UDP is associated with Microsoft's SQL (Structured Query Language) Server database services. Even so, some TCP/IP implementations use port numbers 1,024 to 5,000 as dynamic port numbers, even though those ports may also be registered by existing industry applications (see the next item for an explanation of dynamic port numbers).

Dynamic Port Numbers (49,152 to 65,535): Used strictly to establish temporary connections between a sender and a receiver, and then discarded for reuse when that connection is terminated.

To review a complete list of assigned port numbers and an expanded discussion of the three types of port numbers just covered, please visit the IANA (Internet Assigned Numbers Authority) Port Numbers website.

Summing up the firewall's job

The two-word phrase packet inspection describes a firewall's job as tersely as possible. As you've seen throughout this lesson, this activity covers many types of inspection that range from the IP packet level, to the UDP and TCP transport level, all the way into the headers (and sometimes even the payloads) of Application layer packets. Basically, firewalls examine this data to look for illegal, unwanted, or potentially dangerous patterns, and attempt to block all traffic that might indicate an attack is underway, or may be about to start.

Moving on

That's it for TCP/IP basics. In this lesson, you learned that for a firewall to do its job, it needs to examine the contents of the traffic that seeks to pass through it. This means examining packet headers at one or more levels, starting at the Internet layer where IP headers are checked. Most firewalls also inspect traffic at the Transport layer, where they look at TCP and UDP packets for port numbers; for TCP packets, they may also inspect and act on other field values. The most sophisticated firewalls even perform checks at the Application layer, where they can act on field values from Application layer packet header data (and sometimes even act on payload data as well). Before you move on, do the assignment and quiz. Also, visit the Message Board to find out what other students are up to and to touch base with your instructor. In Lesson 3, you'll learn about the inner workings of a firewall and the kinds of services a firewall most commonly performs.

Assignment #1

Visit at least one of the following websites, and follow the related instructions. Read through the materials referenced to get a sense of how you might use these resources for future learning and research, or to answer specific questions about TCP/IP.

IANA (Internet Assigned Numbers Authority) maintains the official list of assigned TCP and UDP port numbers. Visit and read the initial sections of the document entitled Port Numbers. You'll find this an invaluable reference any time you need information about TCP or UDP port numbers in the future.

Ohio State operates an indexed website for Internet RFCs. Use it to look up RFCs 1918, 3000, and 959. Which RFC governs private IP addressing? Which governs FTP? Which describes current standard protocols and BCPs (best current practices)?

Use Google to locate the 3Com article titled "Understanding IP Addressing" (Hint: Type the title exactly as shown inside quotation marks in the search window). If you use the same search string, what does the TechWeb Encyclopedia say? What does this tell you?

Now, visit your favorite search engine and look for introductory information about TCP/IP. (Hint: Search strings like "TCP/IP tutorial", "TCP/IP overview", or "TCP/IP introduction" work much better than just "TCP/IP".)

Quiz: #1

Question 1: What does TCP/IP stand for?
A) Transport Communication Protocol/Interwork Protocol
B) Transmission Control Protocol/Internet Protocol
C) Transport Control Protocol/Internal Protocol
D) Transmission Communication Protocol/Interaction Protocol

Question 2: True or False: TCP/IP is a protocol suite, but not a protocol stack.
A) True
B) False

Question 3: Which of the following layers are named in the TCP/IP Networking Model? (Check all that apply.)
A) Network Access Layer
B) Data Link Layer
C) Internet Layer
D) Application Layer
E) Transport Layer

Question 4: Which of the following protocols are associated with the Transport layer? (Check all that apply.)
A) TCP
B) RIP
C) ARP
D) SMTP
E) UDP

Question 5: Which of the following IP header fields is a firewall most likely to inspect and act upon? (Check all that apply.)
A) Version
B) Fragment offset
C) Protocol
D) Options
E) Header checksum
F) Source address

Question 6: Which one of the following ranges of port numbers corresponds to the well-known port numbers?
A) 0 to 1,023
B) 1,024 to 2,048
C) 2,049 to 65,534
D) More than 65,535

How a firewall works

Inside a firewall

In this lesson, you'll learn how a firewall works, and find out which features and functions are typically found in most firewalls. This lesson focuses on the inner workings of a firewall. It explains how firewalls block unwanted traffic, while allowing other traffic through based on defining various filters or rules to apply to that traffic. It also covers typical services and functions found in most firewalls above and beyond traffic inspection and filtering, including items such as network address translation, application proxies, logging and monitoring services, plus content filtering and encryption services.

The basics of firewall operation are incredibly simple to describe: examine traffic and apply relevant rules or filters to allow or deny its transit. However, firewalls operate differently at the various layers of the TCP/IP (Transmission Control Protocol/Internet Protocol) Networking Model, and include other functions as well. In this lesson, you'll have a chance to learn more about the relevant details involved.

Inspection leads to action

Let's jump back to the original description of a firewall: It sits between the internet (or some other public network) and a system or network that's under private control. To be more specific, what happens when traffic passes through a firewall is:

1. The firewall inspects that traffic, and looks into various packet headers -- IP, TCP, or UDP (User Datagram Protocol) -- and perhaps even Application layer data on a per-packet basis.

2. As it looks at specific header fields or other packet content, it compares what it finds to existing filters or rules you define as part of your firewall setup, or that come predefined as built-in default settings.

3. If a related exclusionary rule or filter applies, the firewall blocks the traffic. Sometimes, if a related inclusionary rule or filter applies, the firewall allows the traffic through.

Filters and rules

When configuring a firewall to do its job, a filter defines some specific pattern for which a firewall seeks a match. An exclusionary filter blocks traffic if a match occurs; an inclusionary filter allows traffic if a match occurs. To a large extent, filters and rules are two different ways of stating the same kind of information. But whereas a filter might be stated as follows when configuring a firewall:

Block port 80

An equivalent rule to block port 80 might be stated as

If port=80 then deny

The difference is an action specified for some specific value, versus some kind of conditional statement of the form "if pattern matches x, then take action y."


For many firewalls, filters or rules are set up to work together to define a general rule that establishes a basic filtering posture, and then exceptions to that rule are stated to handle special cases. A pessimistic filter configuration might read something like this:

Block port all
Allow port 21, 22, 25, 80, 49,152-65,535

The first filter explicitly blocks all port addresses by default, and the second then allows use of well-known ports for FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), and web services, plus the range of addresses reserved for temporary port use. By contrast, an optimistic filter configuration might read something like this:

Allow port all
Deny port 23, 135-139

This set of filters allows all traffic through by default, and blocks only Telnet and NetBIOS-related services. In reality, it's not a very effective security barrier because many other kinds of well-known attacks might still get through.
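The following Python, added here and not part of the course, reads filter text in the form the lesson uses (with the thousands separators removed so that a comma always separates list items and a dash always marks a range), applies the "posture first, exceptions after" semantics, and also classifies ports into the three IANA ranges covered earlier in this lesson. It shows concretely why the optimistic configuration is the weaker barrier: a request to port 1433 (the SQL Server port from the port-number section) is dropped by the pessimistic posture and passes straight through the optimistic one. Class and function names are the example's own.

```python
"""Evaluate the 'general posture plus exceptions' port filters from this lesson.

Added example, not the course's own code. The filter text follows the lesson's
"Block port all / Allow port ..." wording with thousands separators removed, so a
comma always separates list items and a dash always marks a range.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = Optional[List[Tuple[int, int]]]   # None stands for "all"

# The two configurations quoted in the lesson (49,152-65,535 written as 49152-65535).
PESSIMISTIC = """
Block port all
Allow port 21,22,25,80,49152-65535
"""
OPTIMISTIC = """
Allow port all
Deny port 23,135-139
"""


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    ports: PortRanges    # None = every port
    text: str            # original filter line, kept for explanations

    def matches(self, port: int) -> bool:
        return self.ports is None or any(lo <= port <= hi for lo, hi in self.ports)


def parse_ports(spec: str) -> PortRanges:
    """'all' -> None; '21,22,49152-65535' -> [(21, 21), (22, 22), (49152, 65535)]."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item.strip()}")
        ranges.append((lo, hi))
    return ranges


def parse_rule(line: str) -> Rule:
    """Accept 'Allow|Block|Deny port <spec>'; Block and Deny are synonyms, as in the lesson."""
    m = re.fullmatch(r"(allow|block|deny)\s+port\s+(.+)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised filter: {line!r}")
    action = "allow" if m.group(1).lower() == "allow" else "deny"
    return Rule(action, parse_ports(m.group(2)), line.strip())


def port_class(port: int) -> str:
    """Classify by the three IANA ranges described in the lesson."""
    if not 0 <= port <= 65535:
        raise ValueError("ports are 16-bit integers")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


class PortFilter:
    """The first line states the posture; later lines are exceptions, so the last match wins."""

    def __init__(self, config: str):
        self.rules = [parse_rule(line) for line in config.splitlines() if line.strip()]

    def decide(self, port: int) -> str:
        verdict = "deny"                       # nothing matched at all: drop, as a firewall would
        for rule in self.rules:
            if rule.matches(port):
                verdict = rule.action
        return verdict

    def explain(self, port: int) -> str:
        hits = [r.text for r in self.rules if r.matches(port)]
        decided_by = hits[-1] if hits else "no rule"
        return f"port {port} ({port_class(port)}): {self.decide(port)} via '{decided_by}'"


if __name__ == "__main__":
    for name, cfg in (("pessimistic", PESSIMISTIC), ("optimistic", OPTIMISTIC)):
        f = PortFilter(cfg)
        print(name)
        for port in (80, 23, 137, 1433, 50000):
            print("  " + f.explain(port))
```

Running it prints each port with the rule that decided it; the pessimistic list denies 1433 because only the posture line matches, while the optimistic list allows it for the same reason.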

When configuring a firewall, it's important to understand which services you want to allow through (and thus, which well-known port addresses should be allowed). It's also important to decide which of the registered port numbers should be permitted. However, for most personal firewalls, these configuration settings are already defined (often in a pessimistic mode) so you can simply state exceptions for things you want or need. This is very much the case for the built-in Windows Firewall that's installed and enabled by default in Windows XP SP2 -- except if you install and use a different firewall that knows how to tell the Windows Security Center controls to turn the Windows Firewall off. Although it's not detrimental to a system to run two firewalls at the same time, it adds no additional protection and may slow network traffic down somewhat, so neither Microsoft nor third-party firewall vendors recommend that you leave Windows Firewall on if you decide to install some other firewall on your PC.

What to expect from your firewall

In most cases, personal firewalls (and the same goes for higher-level firewalls) arrive with a default configuration that's been designed to offer outbound access to common web services, such as file transfer, email, web access, and so on, but to block most other forms of outbound traffic. Likewise, the default configuration typically blocks inbound traffic seeking services wholesale, and requires you to make exceptions in cases where this blocks access to items you need to see or use. Unless you operate a service on your system or network, this posture works for most cases.


Figure 3-1 shows a typical display of firewall filters (or rules, if you prefer to see them that way) from the popular ZoneAlarm Pro personal firewall software. For any given program or service (which shows up in the left-hand column under the Program heading in the tabular data window), the Allow Connect checkbox settings control how the client (second column from the left) and server (third column from the left) sides of those programs may behave.



Figure 3-1: The ZoneAlarm default filter settings.

For each such program, the top row governs purely local behavior (which controls whether the traffic is allowed to traverse the private side of the internet link); the bottom row governs whether the traffic is allowed to enter the private side of the network or system from the internet side. The following marks describe related behavior:

Green checkmark: Indicates that the protocol can proceed as described by the row, column combination.

Red X: Indicates that the traffic is blocked.

Black question mark: Indicates that the user has not stated an explicit preference on this combination, so the program follows the defaults (usually, this means blocking the traffic).

In Figure 3-1, read the data for Internet Explorer as follows: Internet Explorer is allowed to access web services locally (Allow Connect, Local has a green checkmark) and on the internet. Server requests can also be handled locally (a green checkmark in Allow Server, Local), but are denied from the internet (a red X in Allow Server, Internet).

Not all firewalls use such elegant visual displays to manage their behavior, but all have ways to state equivalent filter or rule specifications. When it comes to understanding exactly what your firewall does while it's running, you must understand which rules or filters have been defined, so you'll know how they'll be applied. For the set of filters described for Internet Explorer in ZoneAlarm Pro in the preceding lesson page, this translates into the following set of text filters:

Allow Internet Explorer local client access
Allow Internet Explorer Internet client access
Allow Internet Explorer local server access
Deny Internet Explorer Internet server access

In plain English, this set of filters means that end users can access local or internet web servers and that local server traffic will be accepted. However, anybody who tries to access a web server on the private side of the firewall from the internet will have all requests for such access blocked. From the outside user's perspective, this produces an error message that says the requested web server is unavailable or that it can't be found.

In some cases, firewall rules or filters may be too restrictive. When this happens, certain services won't work. If you don't notice yourself, you'll probably hear from other network users pretty soon after overly restrictive controls are put in place. Other rules or filters may apply at various levels, including outright allow or deny controls on protocols, services, and source addresses in IP headers, on port numbers in TCP or UDP headers (along with other TCP controls), and even on various Application layer header values or based on antispoofing checks.

Packet filtering




When traffic is not allowed through a firewall -- and remember this applies equally to outbound traffic from the inside, or to inbound traffic from the outside -- that traffic is discarded. Before senders can take additional action (or even know something isn't working), they must wait for timeouts to expire, for acknowledgements to fail to arrive, or for other passive indications to emerge that requests for service or access are not working. This behavior is deliberate, because it provides little or no information to rejected senders (the best strategy when dealing with attackers) and because it requires no additional action from the firewall (the fastest response to unwanted traffic is to ignore that traffic completely, because it takes no added processing power to do so). In the following sections, you'll learn more about other functions that firewalls typically provide, above and beyond handling inbound or outbound network traffic. In most such cases, these functions are designed to extend a firewall's abilities to "get between" the private and public sides of an internet connection, and to observe or obscure what's happening on the private side.

Network address translation

IP addresses are divided into five different classes: A, B, C, D, and E. Certain ranges of addresses in Classes A, B, and C are reserved for private use, and not coincidentally, are called private IP addresses. This means anybody can use these addresses inside their networks, but that nobody can use these addresses on the public internet (otherwise, duplicate addresses would occur, and IP addressing rules don't allow them to occur). By comparison, public IP addresses make up the rest of the A, B, and C class addresses. They're unique addresses that can't be duplicated on the public internet. Private IP addresses cannot appear as either source or destination addresses in IP packets on the public internet (because they cannot be resolved to a single, unique public internet host or interface). Class D and E IP addresses are reserved for other uses, such as broadcast communications on the internet or experimental use. NAT (Network Address Translation) is a service that some firewalls provide. Basically, it removes the inside IP addresses from outgoing internet traffic, and replaces them with the firewall's own public IP address (or some number of such public IP addresses that the firewall manages). This hides the addressing details for the private side of the network. It's a useful technique even when the private side uses public IP addresses, but it's absolutely necessary when the private side uses private IP addresses (because they aren't allowed in packets that transit the public internet).



Because private IP addresses are free, and public IP addresses cost money, many SOHO (small office, home office) and home network users prefer to use private IP addresses on their internal networks. However, because attackers cannot spoof private IP addresses in incoming packets, this affords extra protection against attacks on the internal network as well (packets that claim to originate on the private side cannot show up on the public side, because those addresses are not allowed in public IP communications).
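As an added illustration (not the course's own code) of what a NAT service on a firewall does, this Python keeps a translation table for a single public address: outbound packets from the private side leave with the firewall's address and a port from the dynamic range, replies are mapped back to the inside host that asked for them, and anything arriving from the public side with a private source address, or with no matching table entry, is dropped silently in the way the Packet filtering section describes. The Packet class, the per-flow table layout and the addresses (192.168.1.x inside, 203.0.113.1 for the firewall, 198.51.100.7 for an outside server) are assumptions of the example.

```python
"""A minimal NAT table for a firewall with one public address, plus the private-source check.

Added example, not the course's own code. Addresses are constructed: 192.168.1.x is a
private (RFC 1918) inside network, 203.0.113.1 the firewall's public address and
198.51.100.7 an outside server (both from documentation ranges).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# The private ranges carved out of classes A, B and C (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


FlowKey = Tuple[str, int, str, int, str]   # inside src, sport, outside dst, dport, proto


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port                    # translated ports come from the dynamic range
        self.by_flow: Dict[FlowKey, int] = {}          # inside flow -> public port
        self.by_port: Dict[int, FlowKey] = {}          # public port  -> inside flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside source address/port to the firewall's own public address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.by_flow:
            if self.next_port > 65535:
                raise RuntimeError("translation table exhausted")
            self.by_flow[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.by_flow[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply; return None when the packet should be dropped."""
        if is_private(pkt.src):
            return None                                # private source on the public side: spoofed
        if pkt.dst != self.public_ip:
            return None                                # not addressed to this firewall
        flow = self.by_port.get(pkt.dport)
        if flow is None:
            return None                                # unsolicited: no inside host asked for this
        in_src, in_sport, peer, peer_port, proto = flow
        if (pkt.src, pkt.sport, pkt.proto) != (peer, peer_port, proto):
            return None                                # reply claims a mapping it did not create
        return replace(pkt, dst=in_src, dport=in_sport)


if __name__ == "__main__":
    nat = NatFirewall("203.0.113.1")
    request = Packet("192.168.1.10", 40001, "198.51.100.7", 80)
    on_the_wire = nat.outbound(request)
    print("outbound:", request, "->", on_the_wire)
    reply = Packet("198.51.100.7", 80, "203.0.113.1", on_the_wire.sport)
    print("reply   :", reply, "->", nat.inbound(reply))
    print("spoofed :", nat.inbound(Packet("192.168.1.99", 80, "203.0.113.1", on_the_wire.sport)))
```

Because the table is keyed on the full inside flow, two inside hosts talking to the same server get different public ports and each reply finds its way back to exactly one of them, which is how a single public address serves a whole private network.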

When pondering the use of private IP addresses on the private side of your internet connection, you'll need them only if you have two or more computers (and hence, a network) on that side.

Application proxies

An application proxy is also sometimes called a proxy server, because the application proxy acts on behalf of an inside, private client in making a connection to an outside, public application service. Here again, the principle of "getting in between" is what governs the firewall's behavior as it works as an application proxy. Instead of permitting a client to connect directly to an outside, public server of some kind on the internet, an application proxy service forces that client to connect to itself. Then, the proxy service establishes a connection between itself and the outside, public server to complete the application service connection on the client's behalf. All traffic that travels through the application proxy (and the firewall on which such software typically runs) can be inspected, because the proxy interrupts the flow of data between the client and the application server. Here again, this kind of service is essential when clients with private IP addresses seek to access outside, public application services. But even for clients with public IP addresses, by replacing their actual addresses with its own address (or an address under its control) the application proxy prevents internal IP addresses from becoming public knowledge. Application proxies must be defined on a per-application basis. Given the ferocious pace at which new TCP/IP Application layer protocols are introduced, this helps explain why some clients may be frustrated when they seek to access application services for which no proxy is defined. In some cases, it may be necessary to "punch a hole" through the firewall, which means setting up an allow rule or filter that simply allows all traffic related to that application to pass through the firewall unchecked. However, the potential for attack or harm for such blanket exceptions varies from application to application.




Most firewall software (from personal to enterprise level) is updated regularly to add new proxy services as new applications become popular. By keeping your software up to date, you can avoid most requests or requirements to bypass proxy services. For internet appliances and other dedicated firewall devices, updates are often delivered automatically, and require no effort on your part to stay current.

If you decide to allow certain TCP/IP applications to bypass proxy services, be sure that you understand (and can deal with) the potential consequences of bypassing security controls.

Logging and monitoring

As they do their jobs, firewalls routinely block all kinds of traffic. As mentioned earlier, when such traffic is blocked, it produces no discernable effect and requires no additional activity on the firewall's part. Under such circumstances, it's reasonable to ask: "How can I find out what my firewall is doing, and what kinds of traffic it's blocking?"



In fact, this information can be important, particularly if you start to detect signs that an attack may be underway. This also helps explain why most firewalls log their activity, and why they include built-in monitoring and reporting functions that notice when strange (or bad) things happen, and can proactively tell you what appears to be happening.

Nearly all firewalls ro