What are firewalls?
Network access control system that verifies all the packets flowing through it
What are the main functions of firewall?
IP packet filtering
Network address translation (NAT)
What is the relationship between security policies and firewall rules?
A firewall is a stupid bouncer at the door, it just applied rules, therefore, bad rules means no protection
How are firewalls classified?
They are classified based on their packets inspection capability
What are the different firewall types?
Network layer firewalls, and application layer firewalls
What is packet filtering ?
Packet filters are a type of firewall technology used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on predetermined security rules. These rules are typically based on the packet’s source and destination IP addresses, ports, and the protocol being used. Packet filtering can be implemented on routers, switches, or dedicated firewall devices.
What are the packet filtering rules and what are their components
Rules for packet filtering are typically written using Access Control Lists (ACLs). These lists contain a series of statements or rules that define the criteria for allowing or blocking network traffic.
Components of a Packet Filtering Rule
1. Source IP Address: Specifies the IP address of the origin of the packet. This can be a single IP address, a range of addresses, or a subnet. 2. Destination IP Address: Specifies the IP address of the destination of the packet. Similar to the source IP, it can be a single address, range, or subnet. 3. Source Port: Specifies the port number from which the packet is sent. This is relevant for TCP and UDP protocols. 4. Destination Port: Specifies the port number to which the packet is destined. This helps in filtering traffic based on services (e.g., HTTP, FTP). 5. Protocol: Specifies the protocol type, such as TCP, UDP, or ICMP. 6. Action: Defines what action to take if the packet matches the rule. Common actions are “allow” (permit) or “deny” (block).
How is the command for the iptables Syntax packet filtering made
On Linux systems using iptables, rules are defined differently:
iptables -A INPUT -p tcp –dport 80 -s 0.0.0.0/0 -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -j DROP
• -A INPUT appends the rule to the INPUT chain. • -p tcp specifies the protocol (TCP). • --dport 80 specifies the destination port (80). • -s 0.0.0.0/0 specifies any source IP address. • -d 192.168.1.0/24 specifies the destination subnet. • -j ACCEPT allows matching packets. • -j DROP drops all other packets.
What are state full packet filters?
Stateful packet filtering, also known as stateful inspection or dynamic packet filtering, is a more advanced method of network traffic management compared to traditional stateless packet filtering. It tracks the state of active connections and makes decisions based on the context of the traffic, rather than just the individual packets.
What are the functionalities of a state full package filter?
Include network packet filters, plus:
- keep track of the TCP state machine
- We can track connections without adding a response rule
- make deny rule safer
See the picture 7 in the Comp Sec album.
Define rules to allow access to internet statically
See the picture 7S in the Comp Sec album
See the picture 7 in the Comp Sec album
Create a rule to allow incoming connection to the WS on port 80 dynamically
See the picture 8S in the Comp Sec album
How Stateful Packet Filtering Works?
- Initial Connection Setup: When a new connection attempt is made, the firewall inspects the initial packets (e.g., TCP SYN packet) and checks it against its security rules.
- State Table Entry: If the initial packet is allowed, an entry is created in the state table. This entry contains information about the connection, including IP addresses, port numbers, and the state of the connection.
- Subsequent Packets: For subsequent packets in the same connection, the firewall refers to the state table to determine if they are part of an established connection. If they match an entry in the state table, they are allowed through.
- Connection Termination: When a connection is terminated (e.g., TCP FIN packet), the firewall removes the corresponding entry from the state table.
- Timeouts and Cleanup: To handle connections that are not properly terminated, stateful firewalls often include timeout mechanisms to remove stale entries from the state table.
What are the disadvantages of a dynamic packet filter?
Performance bounded on a per-connection basis, not on a per-packet basis.
● The number of simultaneous connections are just as important as packets per second.
What is session handling?
A session is an atomic, transport-layer
exchange of application data between 2 hosts.
What are the main protocols responsible for session handling
Main transport protocols:
● TCP (Transmission Control Protocol) ○ session =~ TCP connection
● UDP (User Datagram Protocol)
○ session = this concept does not exist
What is a NAT session handling using TCP
Key Concepts
- State Table: The stateful firewall maintains a state table that keeps track of all active connections, including the source and destination IP addresses and port numbers, the connection state (e.g., established, initiating), and the NAT mappings.
- NAT Table: This table maps private IP addresses and port numbers to public IP addresses and port numbers. The mapping ensures that return traffic can be correctly directed back to the originating internal host.
How does a NAR session initialization occurs using TCP?
- Initial TCP Connection Setup• Outgoing Request: When a device on the internal network initiates a TCP connection (e.g., to a web server), it sends a TCP SYN packet to the destination IP address and port.
• State and NAT Table Update:
• The stateful firewall records the connection details in the state table, marking the connection as initiating.
• The firewall also creates a NAT entry, mapping the internal IP address and port to an external IP address and port (if using Port Address Translation, or PAT). - Forwarding the SYN Packet• The firewall modifies the source IP address and port of the outgoing packet to the assigned public IP address and port.
• The modified packet is then forwarded to the external server. - Receiving the SYN-ACK Response• Incoming Response: The external server responds with a SYN-ACK packet, addressing it to the public IP address and port assigned by the firewall.
• State and NAT Table Lookup:
• The firewall receives the SYN-ACK packet and checks the NAT table to find the corresponding internal IP address and port.
• It also verifies the connection state in the state table to ensure the SYN-ACK is part of an ongoing connection. - Forwarding the SYN-ACK Packet• The firewall modifies the destination IP address and port of the incoming SYN-ACK packet to the internal device’s IP address and port.
• The modified packet is then forwarded to the internal device.
How does a NAT initialization occurs using UDP
- Creating NAT Entries: When a UDP packet from an internal host (e.g., 192.168.1.2:12345) is sent to an external server (e.g., 8.8.8.8:53 for DNS), the NAT device creates a mapping entry. This entry typically includes:
• Internal IP and port (192.168.1.2:12345)
• External IP and port (8.8.8.8:53)
• Translated IP and port (e.g., 203.0.113.5:54321) - Maintaining State: The firewall maintains a state table entry for the UDP “session.” This entry records the source and destination addresses and ports and the translation details.
- Timeout Mechanism: Since UDP does not have built-in mechanisms to indicate the end of a session, stateful firewalls use timeout values to manage UDP state entries. If no packets are seen for a certain period, the session is considered inactive, and the state table entry is removed.
• Default UDP timeout values vary by device but are typically shorter than TCP timeouts (e.g., 30 seconds to a few minutes). - Handling Response Packets: When a response packet arrives from the external server (e.g., 8.8.8.8:53 to 203.0.113.5:54321), the firewall checks the state table. If a matching entry exists, it translates the destination address and port back to the internal address and port (e.g., 192.168.1.2:12345) and forwards the packet to the internal host.
