Fire Walls

Fire Walls

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls.

A firewall is-a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet.

It is designed to forward some packets and filter (not forward) others.

Figure shows a firewall

For example, a firewall may filter all incoming packets destined for a specific host or a specific server such as HTIP.

A firewall can be used to deny access to a specific host or a specific service in the organization.

A firewall is usually classified as a packet-filter firewall or a proxy-based firewall.

Packet-Filter Firewall

A firewall can be used as a packet filter.

It can forward or block packets based on the information in the network layer and transport layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or IP).

A packet-filter firewall is a router that uses a filtering table to decide which packet must be discarded (not forwarded).

Proxy Firewall

The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP).

However, sometimes we need to filter a message based on the information available in the message itself (at the application layer).

As an example, assume that an organization wants to implement the following policies regarding its Web pages: Only those Internet users who have previously established business relations with the company can have access; access to other users must be blocked.

In this case, a packet-filter firewall is not feasible because it cannot distinguish between different packets arriving at TCP port 80 (HTTP). Testing must be done at the application level (using URLs).

One solution is to install a proxy computer (sometimes called an application gateway), which stands between the customer computer and the corporation computer.

When the user client process sends a message, the proxy firewall runs a server process to receive the request.

The server opens the packet at the application level and finds out if the request is legitimate.

If it is, the server acts as a client process and sends the message to the real server in the corporation.

If it is not, the message is dropped and an error message is sent to the external user. In this way, the requests of the external users are filtered based on the contents at the application layer.

Figure shows a proxy firewall implementation.

Whenever proxy firewalls receive data packets from the external world it activated itself and process all HTTP packets (in case of HTTP proxy server) by sending them to HTTP proxy.

Now proxy server check the whole packet minutely and send it to the proxy firewall, if contain errors.