K-12 School Computer Networking/Chapter 12

What's a Firewall?
A firewall isolates your computer from the Internet using a "wall of code" that inspects each individual "packet" of data as it arrives at either side of the firewall (inbound to or outbound from your computer) to determine whether it should be allowed to pass or be blocked But today, firewalls need to be added where needed — which is pretty much everywhere.

A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.

A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security  criteria.

There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

How does a Firewall Work?
All internet communication is accomplished by the exchange of individual "packets" of data. Each packet is transmitted from the source machine toward its destination machine. Packets are the units of information that flow across the Internet.

When two computers connect they are sending individual packets of data back and forth such as “acknowledgement packets” to let the sending computer know the data (packet) was received.

In order for a packet to properly reach its destination whether it's another computer five or on the other side of the world every Internet packet must contain an IP address (destination address) and port number so that the receiving computer knows who sent the packet.

In other words, any Internet packet traveling the Internet contains its complete source and destination addresses. An IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine.

What does this mean ?
Since a firewall inspects each and every packet of data as it arrives at your computer the firewall has total the power to stop anything from entering into your computer from the Internet.

A TCP/IP port is only "open" on your computer if the first arriving data packet which is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

In other words, if an unwanted visitor goes to access a computer via the internet and the firewall does not recognize that visitor it basically slams the port (door) shut on the unwanted guest and all other that try to enter.

If you were running a web server and needed to allow remote machines to connect to your machine on port 80 the firewall could inspect every arriving packet and only permit connection initiation on your port 80. Connections to any other ports would be denied.

Or suppose that you wish to allow your home and office computers to share their files without any danger of unauthorized intrusion a firewall make this possible. You would instruct the firewall running on your office computer to permit connections sharing ports 125-129 only from the IP address of your home computer. The firewall running on your home machine would be instructed to permit connections on ports 125-129 only from your office machine's IP address. Either machine can "see the other's ports, but others on the Internet can access these machines.

Firewalls are like security guards at the entrance of a building (Internet etc.) who check ID cards of individuals, allowing access to various parts of the facility only to those with the proper credentials. Access to these various parts of the facility is dependent upon the authorization privileges of the security level of the identification shown.

Also the more security guards (firewalls) a company has posted around its property the better chance it has of stopping unwelcome guests.

The first generation of security guards (firewalls) was simple, but as technology advanced it has becomes easier to produce fake identification cards etc. to get passed the guards (firewall). This is why security guards (firewalls) are constantly being trained and tested (upgraded) in order to be properly prepared to stop the next generation of impending threats (illegal entry).

Testing a firewall
A firewall test is a type of penetration test. A firewall test (penetration test) uses different techniques to try to bypass the security guards (firewalls) using the same techniques that firewall intruders would use in order to find any weaknesses in its security system and then upgrade them accordingly to make them more secure (training the security guards) to keep up with the advancement of technology.

A firewall that passes a firewall test will show that the Company can withstand a real attack thus showing the level of security it provides and controls, but should the security test fail it can show the weakness of a Company’s security infrastructure.

Penetration testing procedures of a firewall must be carefully performed or things can go drastically wrong such as an incident where a site was brought down because of careless testing procedures. This resulted in computer down time and significant financial loss to the company.

Effective firewall testing is like unleashing a barrage of attacks on the firewall (security guards) and then determine whether or not the security guards prevented the area (computer) from being penetrated.

To properly test a firewall involves as much planning as the actual testing itself.

Firewall testing if not done properly, can backfire and cause disruption within a Company.

The main reason for testing a firewall is to determine, the firewall's ability to prevent the kind of attacks that intruders are most likely to perpetrate.

Management Approval
Firewall testing that occurs without management approval or involvement is likely to end in catastrophe. A person trying to penetrate a firewall using a password cracking tool or hacking into the system during a firewall test without management approval can face multiple felony charges shows the importance of having written management approval prior to proceeding with testing a firewall.

Network Disruption
Firewall testing can disrupt network operations. Scripts used in firewall testing can overload a network and tie up machines. Rules concerning tolerable levels of disruption should be set before any testing firewall testing begins.

Safeguarding Results
The results of a firewall test if not adequately protected could end up in the hands of a disgruntled employee or could even be posted on the Internet or used by political organizations.

Designating which employees and consultants will be allowed to possess copies of the firewall testing results ensures that safeguarding the results exists.

Testing procedures
Detailed procedures that everyone firewall (security guard) can follow is important in every area of information security. These procedures help ensure that each step of firewall testing is performed correctly.

Who should perform the firewall test?
Many people choose the vendor who sold and installed the firewall in the first place. This can turn out to be one of the worst choices. The tests that firewall vendors perform are often not very complete. Many firewall developers are not good firewall testers. Vendors of firewall products are not aware of the vulnerabilities in their own products.

Choosing someone who installed the firewall to be tested is not a good idea. Another tempting possibility is to hire a network attacker (hacker). After all, who knows best about defeating a firewall? This solution however, puts an organization in the hands of the hacker.

Allowing someone to perform firewall testing allows that person to attack the firewall which requires a great amount of trust and therefore must be honest and trustworthy.

Which firewall software is best?
Reviewers have not done the best job with reviewing firewall software, because several companies have merged or gone out of business, and because firewalls software are frequently updated. The major U.S. computer magazines and consumer magazines, such as PC Magazine and Consumer Reports, have provided only minimal coverage of firewall software in the past couple of years.

Matousec.com completed tests on 42 firewall software. Matousec is highly respected by professionals who understand the complex operation of firewalls and how to test their efficacy. Matousec does not evaluate usage considerations, just effectiveness.

Two veteran computer journalists, Scot Finnie and Scott May, have been independently conducting searches for the best firewall program. Finnie has narrowed the competition to two firewall software programs.

May conducts his testing also using a leak test. A "leak test" is a program that tries to connect to an outside server from a computer to give a hijacker access. Reviewers also try to disable the firewall software, as some leak test  programs try to do.

While features and ease of use are important, technical performance is the most important buying consideration for firewall software.

ZoneAlarm Pro 6.5 was the highest rated program in 2006, but ZoneAlarm Pro 7.0 produced very good results in the Matousec leak tests, where it ranked sixth of 42 programs. ZoneAlarm Pro also includes anti-spyware software. ZoneAlarm Pro is not compatible with Vista, but the free version is. Users also report conflicts with other security software, and some complain that ZoneAlarm slows down their computers.

Scot Finnie tested the free version of ZoneAlarm 7.0, the firewall software program only passed only 5 of 16, the free version performed very poorly in Matousec's tests (though the paid version performed quite well).

The firewall software that comes with Windows XP Service Pack 2 produced the worst results of the 42 firewalls tested by Matousec (Vista's firewall was not tested).

Many firewalls provide no leak protection, and some well known products provide very poor protection against leak tests. Those include the firewalls in Norton Internet Security 2008, McAfee Internet Security Suite 2006 and 2008 and the free ZoneAlarm firewall.

The commercial and free versions of ZoneAlarm were reviewer favorites. However, failing test results and other issues are now causing reviewers to look for better alternatives. Even though it's free, reviewers chose Comodo Firewall Pro Version 3.0 as the best all-around firewall software program.

Two other programs, Online Armor Personal Firewall 2.1 (free, but not compatible with Vista) and Outpost Firewall Pro 2008 6.0 (commercial version), were attack-proof in the most respected tests conducted by Matousec.com.

Comodo Firewall Pro v3.0 (free) and Jetico Personal Firewall 2.0 were the only two other programs to produce excellent test results.

Software vs Hardware Firewalls
Software firewalls work differently than hardware firewalls, but the two can be used together to create a powerful level of security. Hardware firewalls are devices that sit between the Internet and your computer. If you own a router (wired or wireless), for example, it probably includes a hardware firewall. A main advantage of hardware firewalls is that they use no system resources, because they work independently from your computer. They can also protect multiple computers on a network at once. They can be more difficult to customize, especially for beginners, but hardware firewalls are usually effective even without configuration. Since a router has its own IP address, potential hackers can't see your computer -- they can only see the router.

Software firewalls provide some of the best protection against viruses, worms, Trojans etc. One disadvantage of software firewalls is that they can slow down system performance, especially if you have an older computer. Software firewalls monitor both incoming and outgoing traffic. A flaw of a software firewall is that it doesn't totally hide your IP address from the outside world. It closes unused ports and monitors traffic to and from open ports.

Hacking Firewalls
Denial of Service - probably the most commonly used hacking procedure targeting large companies over the net, also being nearly impossible to counter. Almost all big www companies have experienced these kinds of DoS attacks. The hacker sends a request to the server to connect to it. The server acknowledges the request and tries to establish a session, but it cannot find the system that made the request, by inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

Remote Login - Most operating systems have a remote login procedure. Finding a backdoor to this protocol, a hacker or virus is able to take full control of your computer, infecting it, deleting files and basically running your computer from a remote distance. One of these programs is called “Back Orifice”.

SMTP (Simple Mail Transfer Protocol) session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.

What is SMTP? Reference http://www.washington.edu/computing/email/smtp.html

Simple Mail Transport Protocol (SMTP) is the network protocol used to send email across the Internet. When you send email, its first stop is a server running SMTP.

Viruses - A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data or even changing the power output of you mother-board which will eventually burn it.

Macros - Macros are programs that repeat the same procedure over and over again, following a script that is set first. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your PC.

These are just a few of the most commonly used methods of breaking into your PC. Most of them can be stopped by a perfectly-configured firewall and a good anti-virus program (although some firewalls have built-in anti-viruses, it’s best if you install an additional reliable one too).

What some people don’t seem to understand is that you didn’t have to offend or bother someone to get hacked. Viruses and other malicious programs choose their targets randomly. The combination of good firewalls and anti-virus programs is the only way to feel safe.

Additional references
Cheswick, William R., Bellovin, Steven M., and Rubin, Aviel D.                                                                         Firewalls and Internet Security: Repelling the Wily Hacker  2nd Edition Publisher Addison-Wesley Professional. Published:2003                                                                                                                                                                             ISBN: 020163466X

Welch-Abernathy, Dameon D.                                                                                             Title:Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide Publisher: Addison-Wesley Professional. Published:2004                                                                                 ISBN:0321180615

Shinder, Thomas W                                                                                              Title:The Best Damn Firewall Book Period                                                                                         Publisher:Syngress                                                                              Published:2003                                                                                  ISBN:1931836906

QUESTIONS
1. A Firewall does the following?

A. Keeps your house from burning down if your computer over heats. B. Speeds up the transfer of data between two hard drives. C. Isolates your computer from the Internet using a “wall of code”. D. Saves money on the heating bills.

2. All Internet Communication is accomplished by?

A. The exchange of individual “packets of data”. B. Dialing the correct phone number. C. Resetting your wireless router. D. Sending an email to the recipient.

3. Who is the best choice for performing a Firewall Test?

A. The vendor who sold you the Firewall software B. Someone who is Honest and Trustworthy C. Computer Hacker D. Person who installed the Firewall

4. Who publicly released the program Back Orifice on August 3, 1998?

A. Blue Oyster Cult B. Microsoft Corporation C. Norton Utilities D. Cult of the Dead Cow

5. When choosing a Firewall be sure to check the system requirements and choose the correct version for your operating system.

A. True B. False

6. A Firewall test is a type of penetration test.

A. True B. False

7. Scripts used in Firewall testing can overload a network and tie up machines.

A. True B. False

8. Proxy Server is not a type of Firewall technique.

A. True B. False

Answers: 1:C, 2:A, 3:B, 4:D, 5:A, 6:A, 7:A and 8:B.