Computer Networking – Firewalls

Course material is attached for your convenience and as well as questions.

The below are simply in reference to the Questions material.

Thank you,

Lesson 1: TCP/IP Model and Internet Services

Lesson 2: Introduction to Firewalls

Lesson 3: Packet Filtering

Lesson 4: Proxying Firewalls

Lesson 5: Firewall Architecture

Consider a firewall that protects the network shown in the figure below.

2.1 Explain the meaning of each field of the following packet filtering rule. (13 points)

Firewall rule

Packet direction

Source address

Dest address

Packet type

Source port

Dest port

ACK

action

Incoming

ext

132.28.

TCP

deny

2.2 If a packet is permitted by the following packet filtering rule, that is, the packet matches the rule:

Firewall rule

Packet direction

Source address

Dest address

Packet type

Source port

Dest port

ACK

action

Outgoing

int

ext

TCP

permit

2.2.1: Who is the sender program (of the packet) and where is the sender (inside the firewall or outside the firewall)? (7 points)

2.2.2: Who is the receiver program (of the packet) and where is the receiver (inside the firewall or outside the firewall)? (7 points)

2.2.3: What are the IP address and port number of the receiver program? (7 points)

2.2.4: Could computer 168.3.144.1 be the machine on which the receiver program is running? Why? (8 points

2.2.5: Could this packet be the second sub-step packet (or signal) of the 3-way handshake process of the TCP session (or connection)? Why? (8 points)

2.2.6: Could this packet be the third sub-step packet (or signal) of the 3-way handshake process of the TCP session (or connection)? Why? (8 points)

2.2.7: After the receiver program receives this packet, if the receiver wants to send a packet back to the sender, the above rule (rule D) does not authorize this packet to go through the firewall.

10.

2.2.7.1: Why rule D does not authorize this packet to go through the firewall? (8 points)

11.

2.2.7.2: A TCP connection has 3 steps (or phases): establish the connection, messages back and forth, terminate the connection. Is this packet part of Step 1, Step 2, or Step 3? (8 points)

12.

2.2.7.3: Give a rule which authorizes this new packet to go through the firewall. (8 points)

13.

2.2.7.4: Give a rule which can block this new packet from going through the firewall. (8 points)

Published on IST 554 (https://online.ist.psu.edu/ist554)

Topic 3: Firewalls

The Internet is revolutionary in its ability to publish information and to provide access to information.
However, like any other society, the Internet is plagued with bad guys who enjoy the electronic
equivalent of spying on other people, stealing their valuables, destroying their property, or simply
disturbing the peace. This poses a great danger to those who try to get real work done over the
Internet or who have sensitive or proprietary data and resources on the Internet to protect.

Connecting a network to the Internet, while maintaining a certain degree of security, has become a
major task for many corporations. It is therefore natural to think about how to develop a system that
can act as a protective boundary between a private network and the outside world. Like a guard in
front of a securely controlled building, a firewall is a security system that restricts access between
the outside (i.e., the Internet) and the inside (your private network).

Many corporations now have security policies and practices to protect their networks. A firewall is a
very important component of those policies and practices. The existence of a firewall has been
proven to greatly reduce the chances of internal systems and networks getting penetrated and
compromised.

Topic objectives:

Explain the TCP/IP model and common Internet services.
Define a firewall and describe its capabilities.
Define packet filtering technology, describe how the technology works, and identify the
capabilities of the technology when building a firewall.
Define stateful packet filtering technology and describe how the technology works.
Define proxying firewall technology, describe how proxy servers and clients work and their
capabilities when building a firewall.
Describe different firewall architectures.

Contact Webmaster

Page 1 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Each lesson under topic 3 will have its own lecture slides.

Lesson 1: TCP/IP Model and Internet Services
The Internet is the world’s largest computer network. This lesson describes how different computer
systems communicate via TCP/IP and how different services such as Web service, e-mail service,
etc., are provided on the Internet. It further describes several common Internet services as well as
major security implications of each of these services.

Lesson objectives:

Define TCP/IP and explain how TCP/IP works.
Describe TCP ports.
Explain how Internet services work and communicate.
Discuss common types of Internet services and security implications for distinct services.

Transport Control Protocol/Internet Protocol (TCP/IP)
The Internet is made up of a wide variety of computers, from supercomputers to personal
computers. Each of these computers on the Internet has every imaginable type of software and
applications running. How do all of these computers understand each other and work together?

When computers communicate, there are sets of rules to govern the communications so that each
computer understands how to act and how to interpret the actions of others. In data
communications, these sets of rules are called protocols. Transport Control Protocol/Internet Protocol
(TCP/IP) is the basic communication protocol that each computer uses to talk with others for data
transmission. Anything that can speak TCP/IP can play on the Internet.

When transferring information across a network, TCP breaks the information into small pieces, called
packets, each of which are transmitted separately. While data can be lost in the course of
transmission, TCP is capable of guaranteeing the correct delivery of these data packets. TCP is able
to detect errors or lost data and to trigger retransmission until the data is correctly and completely
received.

IP is responsible for carrying TCP packets from one computer to another computer based on a four
byte destination address called the IP address. Each computer, or host, is uniquely identified by a
specific IP address on the Internet. The IP address ensures that each packet gets to the right
destination.

TCP/IP uses the client-server model to communicate. In this model, a computer (client) sends a
request and is provided with a service (i.e., sending a Web page) by another computer (server) in
the network. When a client requests a service from a server, a TCP connection is built with the
server.

A TCP connection consists of three actions:

connection establishment
data exchange
connection termination

When all three actions occur, creating a complete process of connection, this is called a session.

Contact Webmaster
© Copyright 2013 College of IST

Page 2 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

TCP addtitionally includes rules for formatting messages, establishing and terminating connections
between two hosts, sequencing, flow control, and error correction.

Example

When a user wants to get a Telnet service, he/she interacts with a Telnet client process running on
his/her computer, which initiates a connection with a Telnet server. When the server receives the
connection request, it sends back its response. The client reads the response and reports back to the
user. Thus, the bidirectional connection is built and can be used for sending and receiving data.

Internet Services
Internet services usually refer to those higher-layer applications and processes designed for end-
users that reside in the end-communicating system.

Such applications include:

electronic mail using Simple Mail Transfer Protocol (SMTP);
World Wide Web using Hyper Text Transfer Protocol (HTTP);
file transfer service using File Transfer Protocol (FTP); and
Telnet service using TELNET protocol.

In TCP/IP, in addition to the data sent by a host process, a port number is used to distinguish among
various applications (services) running. In other words, the port is the means for identifying a specific
service program on a computer in a network.

Example
Port 80 is the standard port used by HTTP to send and retrieve Web pages. Most application level
protocols are associated with one or more port numbers in TCP/IP.

Port numbers are specified by a 16-bit number and are numbered from 0 to 65535. By convention,
port numbers within the range of 0-1023 are assigned to the well-known applications mostly on the
server side and are called well-known ports. Ports within the range of 1024-65535 are usually called
dynamic ports (i.e., open dynamically when you attempt to connect to a server port) and can be
used by any client or server.

During a TCP/IP session, on the server side, a server application would “listen” on a port for users’
connections to request some “well-known services,” e.g., HTTP (TCP port 80), Telnet (TCP port 21),
DNS (UDP and sometimes TCP port 53). On the client side, a client application needs to “open” a
dynamic port in order to connect to a server application. This is done by choosing a port above 1023
on the client machine that is not currently in use by another application and using it as the “sender”
in the new connection.

In a TCP connection, both sides need to be identified by IP addresses and port numbers. Therefore,
an end-to-end communication between two applications can be uniquely identified on the Internet by
the four-tuple: source port, source address, destination port, and destination address.

** Note that when two applications run on the same host, the source address is the same as the
destination address, but the source port is different from the destination port to distinguish these

Contact Webmaster
© Copyright 2013 College of IST

Page 3 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

two applications.**

Applications open ports and communicate to each other via these port numbers. TCP allows clients
to run concurrent applications using different port numbers. For example, a Telnet server with IP
address 1.2.3.4 listens for requests on port number 23. If two client programs running on the host
with IP address 5.6.7.8 send a request to the Telnet server, the server needs to distinguish between
the two conversations. This is achieved by the clients randomly picking two port numbers above
1023, say 1024 and 1025. The client connection is defined as the IP address plus the port number.
Ultimately, the conversations with the Telnet server from two client programs would be Telnet server
1.2.3.4 TCP 23 with 5.6.7.8 TCP 1024, and 1.2.3.4 TCP 23 with 5.6.7.8 TCP 1025. This is how TCP
multiplexes different connections.

Port Connection Example

Here is what happens in a basic connection when a server application on host 1.2.3.4 listens at port
80 (HTTP) for new connections, and client 5.6.7.8 wants to surf to 1.2.3.4, port 80.

First, the client browser issues a connect call. The connect call goes to find an unused dynamic port,
usually somewhere above 1023, in this example, 1029. The local port number is necessary so that
when the replies come back later from the server, the client host will know to which client
application to pass the reply. The client host does this by remembering what application uses which
local port number. The first packet is then sent from local IP 5.6.7.8, port 1029, to 1.2.3.4, port 80.
The server responds with a packet from 1.2.3.4, port 80, to 5.6.7.8, port 1029. Thus a connection is
built between 5.6.7.8 1029 and 1.2.3.4 80.

Table 2.1 lists some basic TCP applications and their corresponding port numbers.

Table 2.1

TCP Application Port Number

FTP 20 (Data), 21 (Control, or Program)

Telnet 23

SMTP 25

HTTP 80

UDP Application Port Number

DNS 53

Bootp 67/ 68

TFTP 69

NTP 123

SNMP 161

Contact Webmaster
© Copyright 2013 College of IST

Page 4 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Common Internet Services
Many types of services are available on the Internet, and there would be little reason to be
connected to the Internet without all of those services. However, every network service out there
carries the threat of potential security problems. Most network attacks take place via these Internet
services.

We will now discuss six basic services through which most users are able to access most Internet
resources.

Electronic Mail (SMTP)

Electronic mail is one of the most basic network services. Most systems on the Internet use Simple
Mail Transfer Protocol (SMTP) to send messages from a mail client to a mail server and from one
server to another server. The messages can be retrieved from a server with an e-mail client on each
user’s machine. With this service, mail can be delivered to individual users, and distributed to many
users (mailing lists) on different machines. Mail can include simple text messages, file attachments,
images, video/audio files, or Web site links.

SMTP is an Internet standard for sending and receiving e-mail between computers. SMTP server uses
port 25 to communicate. SMTP protocol is not usually a security problem, but the SMTP server can
be.

!WARNING!

Common assaults associated with e-mail service are spamming or unsolicited mails. An e-mail can
appear to be from a legitimate source (e.g., your bank) and ask you to provide sensitive information
(e.g., your account information). A system that is open to receive e-mails is vulnerable for DoS
attack. Additionally, electronic mails can contain malicious programs, such as a Trojan horses or
computer viruses.

Remote Terminal Access (Telnet)

Remote Terminal Access provides users with the capability to use a remote system over the Internet
as if it were a directly connected terminal. Telnet is the Internet standard that offers such an
effective access mechanism for a user to remotely connect to a system. To use Telnet, the user
types in the name of the command followed by the name of the computer to which he or she wishes
to connect. At the prompt, the user then simply logs in as if logging into a local system. Telnet uses
port 23 to communicate.

!WARNING!

Though Telnet requires users to authenticate before accessing the remote system, it sends
all of its information unencrypted. This poses a greater security risk than simply dialing into
the computer because Telnet session packets are vulnerable to attacks using packet sniffers
during their journey to the destination. It is possible to program a computer to listen to and
record every packet transmitted. Special programs can capture the first hundred characters
(or more) sent in both directions on a Telnet connection and thereby capture the username
and password.
A second danger of Telnet is that an attacker can hijack a Telnet session that is in progress.
For instance, after the user logs in using his/her password, the attacker can seize control of
the session and type whatever commands he or she wishes. The use of encryption can
eliminate the possibility of Telnet hijacking.

Contact Webmaster
© Copyright 2013 College of IST

Page 5 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Related Links
Hijack [1] – An example of how an attacker can hijack a telnet session

File Transfer Protocol (FTP)

File Transfer Protocol (FTP) is the Internet standard protocol used to transfer files between systems.
It allows users to bring files in to their system, rather than waiting for a file to be sent as an
electronic mail, for example. To use FTP to contact a remote machine, the remote computer requires
that the user log in with username and password; FTP logins are usually recorded on the remote
machine. FTP uses port 21 and 20 (for data) to communicate.

FTP can be set up for anonymous access, which allows people on the network who do not have an
account on a specific machine to deposit or retrieve files from a special directory. Many institutions
use anonymous FTP as a low-cost method to distribute software and general information to the
public.

!WARNING!

As with the Telnet command, the passwords typed to FTP are transmitted unencrypted over
the network. Therefore, some sites may wish to disable the FTP service, or modify it to use
alternative authentication protocols.
Another problem associated with FTP is that files that are brought in to a computer may
contain undesirable programs and data. For example, users may bring in games and pirated
software which can occupy huge amounts of CPU time and disk space. Users may even bring
in Trojan horse software. By the same token, if outside users are allowed to use FTP to
transfer files from your site, these files should be placed in a separate, public area of the
system to ensure that users cannot gain access to other areas or files that should be
protected or private.

World Wide Web Access (HTTP)

The World Wide Web is a collection of Internet resources in the form of electronic documents, called
Web pages, which can be viewed on the computer through a Web browser, such as Netscape
Navigator, Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari. Providing information on the
World Wide Web involves two parts: writing the World Wide Web pages, and storing them on a World
Wide Web server connected to the Internet that distributes the Web pages upon request.

Web pages include files that are in different formats such as text, graphics, audio, video, etc., and
hypertext links to other documents or information systems. Users can navigate from one document
to another on the Internet regardless of where the documents are located. The most common format
for creating Web pages is HyperText Markup Language (HTML), which is a standardized page
description language.

HyperText Transfer Protocol (HTTP) is the primary application protocol that underlies the World Wide
Web to provide users access to the Web pages that make up the Web. HTTP uses port 80 to
communicate.

!WARNING!

The WWW provides a powerful medium of communication; however, it is hard to secure. There are
security risks that affect Web servers, the local area networks that host Web sites, and even
innocent users of Web browsers. Installing a Web server opens a window through which the entire
Internet can peek into the local network. It is also possible that users could transfer and execute
malicious programs (e.g., malicious applets) from a Web browser.

Contact Webmaster
© Copyright 2013 College of IST

Page 6 of 34

http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Hostname/Address Lookup (DNS)

Hosts are identified using IP addresses. In the real world, each host in a network is typically assigned
a unique name because IP addresses are not user-friendly. Hostname/address lookup provides a
naming service to map user-friendly host names to IP addresses. The Internet has a particular
naming system called the domain name system (DNS). Most Internet services rely on DNS to work. If
DNS fails, Web sites cannot be located and e-mails cannot be delivered. It is an essential Internet
application, but users generally only indirectly interact with it. DNS works on port 53.

!WARNING!

DNS servers that don’t have security systems built in are vulnerable to spoofing attacks. For
instance, a DNS server could accept and use incorrect information from an unauthorized host. Such
spoofing attacks can mislead users to wrong Web sites or redirect e-mail to non-authorized mail
servers.

Related Links
Librenix [2] – An article that illustrates the nature of DNS attacks, and proposes security measures to
counter such attacks

DNS Documentation [3] – This site collects a variety of DNS documentation, which addresses several
DNS security scenarios.

Bitpipe [4] – A short summary on DNS attacks, in addition to a listing of attacks and associated
software products.

Simple Network Management Protocol (SNMP)

SNMP is a protocol to centrally manage network equipment such as routers, hosts, etc. SNMP can
configure or control certain functions of network equipment, request information from network
equipment, or report the status of network equipment, such as when a connection is down.

!WARNING!

The major risk with SNMP is the takeover or control of network equipment. An attacker may
reconfigure network equipment for malicious purposes. For example, an attacker can change
routings defined in a router and steal important information.

Lesson Wrap-Up
TCP and IP are two of the most important communication protocols for linking different computer
systems together over the Internet. In this lesson, we discussed how the Internet services are
provided in a client-server model via TCP/IP, as well as reviewed six basic services available on the
Internet. We have learned that every network service carries potential security problems; therefore,
it is essential to protect the services you are going to use or provide over the network.

Now that you have completed this lesson, you should be able to:

Define TCP/IP and explain how TCP/IP works.
Describe TCP ports.
Explain how Internet services work and communicate.
Discuss common types of Internet services and their security implications.

Contact Webmaster
© Copyright 2013 College of IST

Page 7 of 34

http://librenix.com/?inode=4569

http://www.l0t3k.org/security/docs/dns/

http://www.bitpipe.com/tlist/Denial-of-Service-Attacks.html

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Lesson 2: Introduction to Firewalls
In the past, many organizations opted for a network physically isolated from the outside world to
avoid the problems of network-borne attacks. This way, no one from the outside could attack the
computers without first entering the physical premises. The growth of the Internet, however, has
made physical isolation almost impossible. Employees in an organization need access to the World
Wide Web, send and receive e-mail, and use remote login to contact a network located in a different
area. To offer such services, the Internet has to be accessible within an organization.

A firewall gives organizations a way to create a middle ground between internal networks and
external networks, such as the Internet. It provides controlled access between the inside and the
outside as it retains some level of isolation. Firewalls are the most basic defense systems in an
overall organizational security plan. This lesson introduces Internet firewalls and summarizes what
they can and cannot do for a site’s overall security.

Lesson objectives:

Define a firewall and discuss its capabilities.
Describe three basic firewall technologies.
Discuss the benefits and limitations of a firewall.

What is a Firewall?
Similar to a firewall in building construction that is used to prevent a fire from spreading, a firewall in
computer networking protects the internal network against the dangers of external connections. It is
generally defined as a type of mechanism that implements access control between two or more
networks.

Firewalls are a very effective type of network security solution and are frequently used to prevent
unauthorized Internet users from accessing private networks connected to the Internet. All traffic
entering or leaving the private network must pass through the firewall, which examines each
message and blocks those that do not meet the specified security criteria.

A firewall is usually a special computer running appropriate security software. A router, a host
computer, or some combination of routers and computers can work as a firewall with the appropriate
software installed.

A firewall is most often installed at the point where the internal network connects to an external
network, for example, the Internet. It is a separator between an organization’s internal network and
external network and provides a simple way to control the traffic passing between the two networks.

Firewall Capabilities
A firewall is a main gate that the outside world enters to access the internal site. Based on the need
of the organization, a firewall can be configured to work in different ways.

Example
A firewall can be configured to permit only e-mail traffic to pass through it and thus protect the

Contact Webmaster
© Copyright 2013 College of IST

Page 8 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

internal network against all attacks except for those that are specific to the e-mail service. A firewall
can also be configured to block only inbound traffic while permitting users on the inside to
communicate freely with the outside. Or to be less strict, the firewall can be set to block services
that are known to be problematic.

Although the areas in which a firewall is designed to focus vary from organization to organization,
generally the firewall serves the following three main functions:

keeps outsiders from breaking in;
keeps insiders from exposing valuable data or services; and
enables secure communications between two networks, thus each individual host can
communicate as it would normally do without worrying about security methods, such as
encryption/decryption and key negotiation.

Scenario
Volume II of the Riptech Internet Security Threat Report was published by Riptech, Inc. in July 2002.
Riptech’s aim was to devise a set of quantitative security measures that could categorize a variety of
Internet-based security threats targeted at hundreds of organizations from January 1 through June
30, 2002. Due to the large number and wide variety of the organizations studied, the trends and
other findings in this report provided a good overall indicator of threats faced by the entire Internet
community.

A few highlights:

Overall attack activity for this six-month period was 28% higher than for the six-month period
just prior. On average, companies experienced 32 attacks per company per week (up from 25
attacks).
Attack severity ranged from Informational (scans against vulnerable services, connection
attempts refused by firewall) through Warning (attack succeeds in bypassing the firewall, yet
target system uncompromised) through Critical (attack demonstrated an exploit or other
vulnerability, countermeasures required) through Emergency (a security breach has
occurred, recovery measures are now required).
23% of the companies studied suffered at least one severe (Critical or Emergency) attack
during these six months.
More than 99% of all attacks detected by Riptech were non-severe (Informational or
Warning).
Highly aggressive attacks (persistent, determined) were 26 times more likely to result in a
severe attack than moderately aggressive attacks.
Attack activity continues to be a 24/7 phenomenon, but is higher on weekdays than
weekends.

Please see the complete Riptech Internet Security Threat Report [5] for details and additional
findings of interest.

Firewall Technologies
Firewall operations are based on the three technologies: packet filtering, proxying, and stateful
packet filtering.

Contact Webmaster
© Copyright 2013 College of IST

Page 9 of 34

http://www.securitystats.com/reports/Riptech-Internet_Security_Threat_Report_vII.20020708

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Packet Filtering

Packet filtering determines whether a packet should be accepted or rejected purely based upon
some basic information in the packet’s header (e.g., source IP, destination IP, in or out interface,
protocol type, port number).

If the header’s information matches the rule set defined in the firewall, the packet is allowed to pass;
otherwise the packet is denied.

!WARNING!

Packet filtering does not have detailed knowledge about what a packet is actually talking to or where
it is actually coming from; therefore, it is susceptible to an IP or a port spoofing attack because the
decision to block is based on the IP and port. However, packet filtering tends to be faster than other
firewall technologies and is very transparent to users.

Proxying

Proxying handles all the communications between users and Internet services and performs logging
and access control. It takes users’ requests for Internet services (i.e., FTP and Telnet) and forwards
them to the actual services or drops them as directed by the site’s security policy. Instead of talking
to each other directly, users and services each talk to the server offering proxying–the proxy server.

Proxy servers permit no direct traffic between networks, thus effectively hiding true network
addresses and better protecting the internal network. They are able to provide more detailed audit
reports and tend to enforce more conservative security models than packet filtering.

Stateful Packet Filtering

Stateful packet filtering attempts to track the state of each network connection and makes the
forwarding decision on both the packet content and the connection state when filtering packets.
When the first packet of a connection is inspected and permitted, the firewall adds an entry to a
state table. A subsequent packet is allowed to pass through the firewall when the packet matches an
established connection which has satisfied the implemented rules on the firewall. This means that
only the initial connection needs to be specified; the return packets are authorized because there is
a state associated with them (the connection has already been authorized).

The capabilities of stateful packet filtering are a cross between the functions of packet filtering and
proxying.

Each technology has its merits and flaws, and each performs best under different circumstances.
Generally speaking, the lower the level at which the firewall works, the less examination it performs.
Lower-level firewalls are faster, but are easier for an attacker to fool into doing the wrong thing.
Packet filtering works at the network layer. It is also faster but does less inspection. Application layer
proxying offers more security but runs relatively slower. In practice, the majority of firewalls use a
combination of functions. We will discuss these technologies in detail later.

Firewall Benefits and Limitations

Firewall Benefits

A firewall:

functions as a checkpoint.
All traffic in and out must pass through this single checkpoint. A firewall is like a
guarded gate that protects the physical premises, examining all traffic on the internal

Contact Webmaster
© Copyright 2013 College of IST

Page 10 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

network. It is simple, efficient, and economically inexpensive to implement.

separates the site’s network from other networks, or one section of the internal network from
another section.

A firewall limits the exposure of the protected parts of the network and helps to
contain security problems.

helps to enforce unified security policies for an organization, allowing only “approved” traffic
to pass through.

A firewall can limit Telnet requests to internal use and block external Telnet
applications.

performs important logging and auditing functions.
A firewall summarizes and logs the type and amount of traffic that passes through it
and how many attempts were made to break into it. Firewall logs are critical and can
be analyzed to trace daily activities.

Firewall Limitations

A firewall:

is not the solution for every security problem.
A firewall provides effective protection against network threats; however, certain
threats are beyond the control of the firewall.

cannot protect against malicious inside attacks.
A firewall cannot stop an insider from copying the company’s proprietary data onto a
magnetic tape, compact disc, or USB flash drive and using it maliciously.

cannot handle attacks using connections that bypass it.
A firewall cannot prevent hackers from accessing internal systems via such a modem
connection if a dial-up modem connection is allowed in a network. Also, if any internal
system is allowed to connect to any external system, then the firewall will provide no
protection from external attack via this connection.

cannot handle bogus connections, i.e., IP spoofing.
Attackers can spoof an authorized IP address and send out traffics that are
considered valid by a firewall that uses source and destination addresses and port
numbers to determine whether incoming traffic is allowed to pass through to the
internal network.

cannot protect well against attacks such as Trojan horses, viruses or malicious software.
A firewall is not the best mechanism to protect against data-driven attacks in which
something is mailed or copied to an internal host where it is then executed. This is
because firewalls cannot scan the details of all incoming data traffic. A more effective
anti-virus solution is to make sure every vulnerable host has virus scanning software
that runs each time the machine is rebooted.

cannot adequately handle attacks exploiting the inherent vulnerability of Internet protocols.
For instance, if a site allows e-mail service, a firewall cannot block e-mail traffic,
which can lead to a denial-of-service attack.

Related Links
Securing your site [6] – This is a collection of links to white papers discussing strategies for keeping
your site secure, including many links specifically about firewalls.

Contact Webmaster
© Copyright 2013 College of IST

Page 11 of 34

http://www.windowsecurity.com/whitepaper/firewalls_and_VPN/Keeping_Your_Site_Comfortably_Secure/Keeping_Your_Site_Comfortably_Secure__Introduction_to_Firewalls.html

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Lesson Wrap-Up
A firewall protects the local area network of an organization from outside attack. It limits the amount
of damage by preventing a hostile attacker who has gained control of an outside network from
stepping inside. For Internet-enabled businesses, firewalls are considered to greatly enhance the
level of security when interacting with the Internet.

Firewall technologies available in today’s products include packet filtering, proxy server, and stateful
packet filtering. Each of these technologies implies a certain range of possible choices for deploying
firewall architectures. In the next two lessons, we will explore these technologies in more detail.

Now that you have completed this lesson, you should be able to:
Define a firewall and discuss its capabilities.
Describe three basic firewall technologies.
Discuss the benefits and limitations of a firewall.

Lesson 3: Packet Filtering
There are different technologies to use when implementing firewall systems. The packet filtering
firewall is the most common and easiest to employ for small, uncomplicated networks. Basically, a
packet filtering router is installed at the point where the internal network connects to the Internet
and the packet filtering rules are configured in the router to block or filter traffic to and from the
internal network.

This lesson describes the concept and techniques involved in building and configuring a packet
filtering firewall. It also discusses an advanced packet filtering technology–stateful packet filtering,
and the advantages and disadvantages of packet filtering.

Lesson objectives:

Define packet filtering.
Define TCP/IP header, TCP 3-way handshake, and UDP.
Discuss how to configure a packet filtering firewall.
Describe stateful packet filtering.
Identify the advantages and disadvantages of packet filtering.

What is Packet Filtering?
Packet filtering is a firewall technology that selectively routes packets between internal and external
hosts. Based on the criteria defined in a security policy, packet filtering determines if incoming and
outgoing packets should be allowed to pass through the firewall or should be dropped.

Figure 3.1: A Packet Filtering Firewall Using a Screening Router

Contact Webmaster
© Copyright 2013 College of IST

Page 12 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

The most basic setup of packet filtering uses filtering rules on a machine that contains two network
interface cards and can be used as a router. As shown in Figure 3.1, the firewall is the router that
uses packet filtering to filter incoming and outgoing packets passing between the Internet and the
internal network. Such a router is known as a screening router.

The packet filtering firewall operates strictly on the network layer and uses rules to determine which
packets are forwarded from one interface to another. It accepts or blocks data transfer based on the
information at the header of each packet including the source address of the packet, the destination
address of the packet, the protocol type of the packet (TCP, UDP, ICMP, etc.), the source port of the
packet, the destination port of the packet and flags set on the packet (e.g., ACK). Packet filtering
controls the flow of packets by looking at the information and determining whether they match the
rule set.

The TCP and IP Header

Figure 3.2: The TCP and IP header

To better understand how the packet filtering rule set works, let’s take a look at the TCP and IP
header of a packet.

As shown in Figure 3.2, an IP header in a packet contains the following main information:

Protocol (8 bits, whether the packet is TCP, UDP, or ICMP packet)
Source IP address (32 bits) (e.g., 192.123.121.2)
Destination IP address (32 bits)

A TCP header contains the following main information:

Source Port (16 bits)
Destination Port
ACK flag (1 bit)
SYN flag

Generally, an IP address indicates a host, and a TCP port indicates a service (application) running on
the host. ACK and SYN are used when establishing a connection between two applications.

Contact Webmaster
© Copyright 2013 College of IST

Page 13 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

TCP 3-Way Handshake
TCP is the protocol most commonly used for services on the Internet. For example, Telnet, FTP,
SMTP, and HTTP are all TCP-based services. TCP provides a reliable, bidirectional connection
between two endpoints. Each endpoint is identified by a pair (IP address, port). Once a connection is
established, a server can reply to a client over the same connection.

TCP uses a 3-way handshake to initiate a connection. When opening a new connection, three
segments are exchanged and the TCP 3-way handshake proceeds as follows:

Figure 3.3: TCP 3-Way Handshake

Example
If a client program A (IP 5.6.7.8) wants to open a connection with a server program B (IP 1.2.3.4) for
Web service (on port 80), program A begins the connection attempt by dynamically opening a port,
for example, 1078, and sends the request:

5.6.7.8: 1078 -> 1.2.3.4: 80 SYN=1

Program B receives the packet and understands that a client wants to form a new connection.

A response is sent:

1.2.3.4: 80 -> 5.6.7.8:1078 SYN=1 ACK=1

The client program A receives the response, and informs that the response is received:

5.6.7.8: 1049 -> 1.2.3.4: 80 ACK=1

Here, the connection is opened and real data will begin transferral. Note that the first packet in each
direction has the SYN flag set, and all subsequent packets following the first packet from a client
have the ACK flag set.

Flag ACK: “Acknowledges” the receipt of a previous packet.

Flag SYN: Initiates a new TCP connection.

A packet containing only the SYN flag is the first part of the 3-way handshake of TCP connection
initiation. The purpose is to verify that both hosts A and B have a working connection. If the client
sends out the initial SYN without receiving a SYN+ACK within a few seconds, it will resend the SYN. If
the server sends out the SYN+ACK without receiving an ACK in a few seconds, it will resend the
SYN+ACK packet.

If someone attempts to open a TCP connection from the outside, the very first packet that is sent will
not have the ACK flag setl; however, every other packet in the connection, regardless of which
direction it is going, will have the ACK flag set. If the very first packet is blocked, the whole TCP
connection is blocked. Without certain information in the headers of the first packet–in particular,
the TCP sequence numbers–the connection will never be established. Therefore, if the goal is to
block a TCP connection, it is sufficient to simply block the very first packet which can be identified by
the ACK flag.

Contact Webmaster
© Copyright 2013 College of IST

Page 14 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

User Datagram Protocol (UDP)
User Datagram Protocol (UDP) on top of IP offers only a minimal transport service. It does not
conduct any end-to-end reliability checking or resending of packets. It is mainly used for providing
services that do not require reliable packet delivery, or communications services (e.g., broadcasting
messages over a network) not available from TCP. UDP is described as a connectionless service (as
opposed to TCP).

UDP packets are similar to TCP packets in structure. A UDP header contains UDP source and
destination port numbers, just like TCP source and destination port numbers. However, a UDP packet
DOES NOT contain anything resembling an ACK flag. The ACK flag is how the TCP mechanism
ensures its reliable delivery of data. UDP makes no such guarantees; therefore, there is no way for a
packet filtering router to determine, simply by examining the header of an incoming UDP packet,
whether that packet is a first packet from an external client to an internal server, or a response from
an external server back to an internal client. Thus all packets must be blocked if the goal is to block
a UDP session.

Configuring a Packet Filtering Firewall
The fundamental function of a firewall is to restrict the flow of information between two networks. To
set up a firewall using packet filtering technology, it is necessary to define the types of data to pass
or block. This is called defining the firewall’s policy. After a policy is defined, then the actual packet
filtering rule set must be created on the firewall that reflects this policy.

Example
Packet filtering implementations can enforce a policy that allows internal clients to connect to
external servers, but prevents external clients from connecting to internal servers.

The packet filtering rule is set by allowing the first TCP packets (those without the ACK flag set) to go
outbound, but not inbound. The start connection packets would be allowed out from internal clients
to external servers, but would not be allowed in from external clients to internal servers. Attackers
cannot subvert this approach simply by turning on the ACK flag in their first packets to build
connections because the absence of the ACK flag is what identifies these packets as start of
connection packets to request services.

Let’s examine two examples of packet filtering policies to learn how to develop an effective filtering
rule set.

Effective Packet Filtering: Example 1
As shown in Figure 3.4, a security policy is defined by the following rules:

1. No incoming Telnet service should be processed.
2. Outgoing Telnet requests are permitted.
3. UDP packets are not allowed.
4. Computer 132.28.6.4 is restricted from Telnet.

Contact Webmaster
© Copyright 2013 College of IST

Page 15 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Figure 3.4: Example of Packet Filtering Firewall

A firewall using packet filtering can be programmed with the following rules:

For each packet, the packet filtering firewall looks at the rules in order. It starts at the top until it
finds a rule that matches the packet, and then it takes the action specified.

Rule A: denies any incoming TCP packets that attempt to open a connection (ACK=0) with an
internal server listening on port 23 (Telnet server). In short, Rule A denies any inbound Telnet
connections as required by Rule 1 in the security policy. Consequently, the firewall drops those
packets attempting to come into the internal network for Telnet service.

Rule B: denies any outgoing Telnet packets from internal client 132.28.6.4 to external Telnet server.
Therefore, host 132.28.6.4 cannot request Telnet service from a system outside the firewall as

Contact Webmaster
© Copyright 2013 College of IST

Page 16 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

required by Rule 3.

Rule C: denies any incoming packets from external Telnet servers (port 23) to internal host
132.28.6.4. Note, that if rule B is enforced, Rule C is not useful. Rule C is redundant because
132.28.6.4 will not be able to establish a connection with an outside Telnet server, according to Rule
B. So we can remove Rule C from the firewall configuration.

Rule 2: is implemented by Rules D and E combined.

Rule D: allows any outbound Telnet connections.

Rule E: allows any incoming Telnet packets from external Telnet servers to internal clients. Because
of this, internal clients are permitted to send a request to the outside for Telnet service and the
response from external servers will pass through the firewall.

**Note that we must have a priority order for Rule B, Rule D and Rule E because they are not
consistent. Rule B needs to be placed before Rule D and E in this case. So if host 132.28.6.4 sends
out a Telnet request, the packet will pass Rule A, but will be denied by Rule B. However, if another
internal host 5.6.7.8 sends out a Telnet request, it will not match Rule A, B, and C, but it will pass
Rule D. When the external server responds to the Telnet request from client 5.6.7.8, the response
packets will pass Rule E. If we put Rules D and E before B and C, Telnet packets from 132.28.6.4 will
pass Rule D, and therefore are allowed to go out through the firewall which will disobey Rule 3.**

Rule F: denies any incoming UDP packets.

Effective Packet Filtering: Example 2
When the security policy restricts connections to e-mail only, a firewall can be programmed as
follows:

Firewall
Rule

Source
Address

Dest.
Address

Source
Port

Dest.
Port

Protocol ACK Action

A External Internal * 25 TCP * Permit

B Internal External 25 * TCP 1 Permit

C Internal External * 25 TCP * Permit

D External Internal 25 * TCP 1 Permit

E * * * * * * Deny

Rule A: permits any incoming packets from an external client to an internal SMTP server.

Rule B: permits any response packets from an internal SMTP server to an external client. The ACK
flag is set (ACK=1) to ensure the outbound traffic is part of an existing connection. This ensures that
the outbound traffic cannot be the first packet attempting to open a connection with the external
machines. Therefore, an internal user cannot spoof a packet from port 25 and send out requests for
services other than e-mail.

Rule C: permits any outgoing packets from an internal client to an external SMTP server.

Rule D: permits any response packets from an external SMTP server to an internal client.

Rule E: denies any packets. Therefore, if an internal user wants a Telnet service from the Internet,

Contact Webmaster
© Copyright 2013 College of IST

Page 17 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

the firewall examines all these rules in sequence and drops the packet according to Rule E.

In summary, Rule A allows any external client to communicate with an internal SMTP server for e-
mail service and Rule B allows responses from the internal SMTP server to pass through to the
external client. Rules A and B are paired to allow communications between external clients and
internal servers. Similarly, Rule C allows any internal client to communicate with an external SMTP
server for e-mail service, and Rule D allows responses from an external SMTP server to pass through
to the internal client. Rules C and D are paired to allow communications between an external client
and an internal server.

Let’s now consider some sample packets to see how the firewall works in this example. As shown in
Figure 3.5, let’s say that the host IP address is 1.2.3.4, in which an SMTP server runs on port 25 and
an Oracle database server runs on port 1080 (there are some services using ports above 1023 for
servers). A remote host with IP address 5.6.7.8 tries to send an e-mail from port 1234 to your SMTP
server.

Figure 3.5: Example of Packet Filtering for Inbound and Outbound SMTP Service

Here are the sample packets, filtered by the packet filtering firewall:

Packet Source
Address

Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action

1 5.6.7.8 1.2.3.4 1234 25 TCP 0 Permit
(A)

2 1.2.3.4 5.6.7.8 25 1234 TCP 1 Permit
(B)

As we can see from the above table, the packet filtering rules permit your incoming e-mail. Rule A
permits incoming packets from the sender’s SMTP client to your SMTP server as represented in
Packet 1. Rule B permits the responses from your server back to the sender’s client as represented
in Packet 2.

What about outgoing e-mail? Let’s say an SMTP client with IP 11.2.3.4 wants to send out an e-mail.

Contact Webmaster
© Copyright 2013 College of IST

Page 18 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

The client uses port 1356.

Packet Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action

3 11.2.3.4 15.6.7.8 1356 25 TCP 0 Permit
(C)

4 15.6.7.8 11.2.3.4 25 1356 TCP 1 Permit
(D)

Again, the packet filtering rules permit your outgoing e-mail. Rule C permits outgoing packets from
your SMTP client to an outside SMTP server (Packet 3), and rule D permits responses from the server
back to your client (Packet 4).

What if the external client tries to open a connection from a port 5550 on his end to your Oracle
database server on port 1080?

Packet Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action

5 5.6.7.8 1.2.3.4 5550 1080 TCP 0 Deny (E)

We can see that Packet 5 ends up being denied by the last rule.

Now, let’s say a smart attacker controls this remote client, uses port 25 by spoofing as the client port
on his end, and then attempts to open a connection to your Oracle server.

Packet Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action

6 5.6.7.8 1.2.3.4 25 1080 TCP 0 Deny (E)

This connection won’t succeed as Packet 6 will end up being denied by the last rule, too. Note,
however, that Packet 6 will pass Rule D if we don’t set the ACK flag (ACK=1) in Rule D.

1. When we design the packet filtering rule set, we need to consider several factors. Because
someone who is in control of the source machine can run any client or server he or she
chooses to on a “source port” that the firewall allows through, the local port numbers should
be restricted as much as possible. Rule A allows only inbound connections to the SMTP server
on port 25. It doesn’t matter whether the program that sends the incoming request is a
genuine SMTP client or not. The concern is to limit inbound connections to only ports running
trustworthy servers, and to be sure internal servers are genuinely trustworthy.

Firewall
Rule
Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
A External Internal * 25 TCP * Permit
B Internal External 25 * TCP 1 Permit
C Internal External * 25 TCP * Permit
Contact Webmaster
© Copyright 2013 College of IST

Page 19 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)
Firewall
Rule
Source
Address
Dest.
Address
Source
Port
Dest.
Port
Protocol ACK Action
D External Internal 25 * TCP 1 Permit
E * * * * * * Deny

2. Because many clients use random ports above 1023 to communicate, inbound packets for
ports above 1023 will frequently need to be accepted. Because there are also some services
using ports above 1023 for servers, accepted inbound packets might include those from ports
that might have untrustworthy servers on them. In TCP, inbound packets can be accepted
without accepting inbound connections by requiring the ACK flag to be set.

In this example, Rule B applies to outgoing connections from the site, while Rule D controls incoming
connections to the private network. Rule D is more important because private networks generally
want to have more control on incoming connections than outgoing connections. Additionally,
because Rule D cannot specify an exact destination port because the client uses a random port
above 1023, it is safer to have the ACK flag set. Thus, Rule D accepts incoming packets from SMTP
servers as specified by port 25, only if the packets are part of a connection started from the inside
(your client to a remote server).

3. Because the attacker can spoof a port number (port 25 in this case), Rules C and D enable
the attacker to talk to any port inside the protected network. A better idea is to change “*” to
“> 1023”, which means that the host outside can only communicate with the host inside on
ports greater than 1023, so the well-known service offered by the internal network (ports
below 1023) will be better protected.

Question: If in Rule D, what will happen if ACK is set as “*”?

Both Examples 1 and 2 are samples of static packet filtering, where the firewall does not
“remember” any outgoing packet it has seen. We will now discuss stateful packet filtering, where the
firewall “remembers” the packets passing through.

To better understand this example, we have provided an animation which will make the information
from the preceding screens much clearer and easier to follow.

Stateful Packet Filtering
Stateful packet filtering limits information coming into a network based, not only on the packet
header content, such as the destination and source address, but also on the packet data content and
connection state. This technology maintains a complete session state table and provides more
security checks. Each time a TCP or UDP session is established for inbound or outbound connection,
the stateful packet filtering intercepts incoming packets from one interface and builds relevant
information, such as TCP sequence numbers, or connection start time, in a session state table. It
collects information from every packet passing through and updates the session state table until it
has enough information about each connection. Packets are inspected according to the table to
determine the “state” of the connection of a packet. Those considered to be a part of a valid,
established session are forwarded on to the other interface of the proxy server without further
inspection.

Contact Webmaster
© Copyright 2013 College of IST

Page 20 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

The session state table holds entries for each individual communication session. It normally contains
the source and destination addresses, port numbers, TCP sequencing information, and addition flags
for each TCP or UDC session associated with that particular connection. The firewall uses these
tables to keep track of the connections that go through the firewall. All inbound and outbound
packets are compared against the table.

Stateful packet filtering operates at a higher performance level than static packet filtering.
Information for every connection or connectionless (e.g., UDP) transaction is recorded in a session
table and serves as a reference to determine if packets belong to an existing connection or come
from an unauthorized source.

Example 1
Assume there are three outgoing UDP packets; if the firewall can remember the packet, the firewall
can pass only the incoming UDP packets that:

have been directed to the hosts and ports that sent the outbound packets; and
are from the hosts and ports that the outbound packets were sent to.

Example 2
Stateful packet filtering can be configured to drop packets if the packets belong to a connection that
has lasted too long, for example, three hours. Stateful packet filtering can maintain statistics
information such as the duration of the session. The filtering rule can be set to drop packets if they
are part of a connection that has lasted longer than a specified time period.

The biggest difference between static packet filtering and stateful packet filtering is that static
packet filtering examines only the header of a packet and allows packets to pass if the information in
their headers meets the filtering rule sets. Every packet is handled on an individual basis. Previously
forwarded packets belonging to a connection have no bearing on the filter’s decision to forward or
drop a new packet. Stateful packet filtering examines not just the header information but also the
contents of the packet and passes only those packets which meet the filtering rule sets and are part
of a valid, established connection.

Advantages and Disadvantages of Packet Filtering

Advantages

Packet filtering firewalls are available in many hardware and software routing products. They are
popular because they tend to be inexpensive, fast, relatively easy to configure and maintain, and are
most often free to use. Most companies already have a router on which they can easily set up a rule
set. Packet filtering firewalls run faster because the examination of the packet is done on the
network layer.

Another advantage of packet filtering is that one strategically placed packet filtering router can help
protect an entire network. It performs both traffic filtering and routing and is very good for traffic
management.

Compared with proxying firewalls (which will be discussed in the next lesson), packet filtering
doesn’t require any custom software or configuration of client machines, nor does it require any
special training or procedures for users. It is transparent to the user, meaning packet filtering can be

Contact Webmaster
© Copyright 2013 College of IST

Page 21 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

done without the cooperation and often without the knowledge of users.

Disadvantages

Packet filtering is simple and efficient, but not very powerful. In other words, as long as the rule set
is passed, a connection is made directly from outside the firewall to inside the firewall, which results
in reduced security. For example, an attack on the SMTP service would pass through the firewall
without a problem if packet filtering were set to allow incoming e-mail from the Internet. Because of
this, it cannot hide information on internal networks (e.g., the IP addresses of internal clients can be
revealed).

Packet filtering rules tend to be hard to configure and maintain. There are usually several hundred
rules (e.g., 600-1000 rules) to be set in packet filtering router. Creating a rule set that correctly
reflects the security needs of a protected site, and managing it can be very difficult. Packet filtering
rules are also often difficult to test thoroughly, which may leave a site open to vulnerabilities. When
the security needs of a protected site become more complicated and stringent, the packet filtering
rules also become more complicated and may become unmanageable.

Additionally, some security policies are difficult to enforce by packet filtering because it works on the
network layer. For example, security policies based on user identities (e.g., allow Tom, but not Jason,
to use FTP); and security policies based on protocols (e.g., allow some files to be downloaded via
FTP, but not others).

Lastly, a packet filtering firewall has little or no logging capability. It may not be easy to determine
whether the router has been compromised or is under attack.

Stateful packet filtering provides enhanced security over static packet filtering. For example, static
packet filtering is limited for security policies based on connection context (e.g., how long a
connection lasts), while stateful packet filtering has the capabilities to address this. Also, static
packet filtering is vulnerable to IP spoofing attacks, unless it has been specifically configured to
prevent this.

Lesson Wrap-Up
Packet filtering is the simplest type of firewall and almost the easiest to employ for small,
uncomplicated sites. With a packet filtering firewall, direct connections are allowed from the external
network to hosts on the internal network. Thus, a number of disadvantages are introduced. Stateful
packet filtering adds more security, but does not necessarily address all of the problems of static
packet filtering. It is, nonetheless, more desirable in practice.

In our next lesson, we will take a closer look at another firewall technology–the proxying
firewall–and see how it works.

Now that you have completed this lesson, you should be able to:
Define packet filtering.
Define TCP/IP header, TCP 3-way handshake, and UDP.
Discuss how to configure a packet filtering firewall.
Describe stateful packet filtering.
Identify the advantages and disadvantages of packet filtering.

Lesson 4: Proxying Firewalls
Contact Webmaster

Page 22 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

A packet filtering firewall allows a connection directly from the outside to the inside. It is not very
secure when there is free access to the Internet from every host at a network. One solution is to
provide a single host with Internet access and then allow all other users to communicate with this
host, rather than directly linking to the outside. A proxy is a software agent that acts on behalf of the
user(s). The fundamental difference between a packet filtering firewall and proxy firewall lies in the
fact that proxy firewalls do not route and can keep the internal and external systems separate. All
information directed through machines inside the firewall comes from the firewall host.

Lesson objectives:

Describe a proxy firewall.
Describe how a proxy firewall works.
Discuss two different types of proxy servers.
Describe the commercial proxy firewall package: SOCKS.
Identify the advantages and disadvantages of a proxy firewall.

What is a Proxy Firewall?
Before a typical proxy server accepts a connection from a user, it first determines if the requested
connection between a computer on the internal network and one on the outside is permitted. If the
connection is authorized, it then completes the connection on behalf of the requesting software and
sets up the necessary communication links between the two computers.

Proxy firewall technology runs a special proxy server program on a firewall host to deal with external
servers on behalf of internal clients or vice versa. It provides a single host with secured and
controlled Internet access, while giving users the illusion that the interactions are directly linked to
the machines on the Internet with which they want to communicate.

Figure 4.1 shows a proxy firewall that sits between a user (client) on the internal network and a
service (server) on the external network (i.e., the Internet). The proxy server program handles all the
communication between the user and the server on the Internet. It takes users’ requests for Internet
services (e.g., FTP and Telnet) and, if allowed by the site’s security policy, forwards them to the real
servers that offer the services and relays answers back to users. Both the server and the client talk
to the proxy. The existence of the proxy server is transparent. It is as if the client is dealing directly
with the real server and the real server is dealing directly with a client on the proxy host.

Page 23 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Figure 4.1: A Proxy Firewall Protecting a

Client

A Proxy Firewall Protecting a Server
In contrast, a proxy firewall, as shown in Figure 4.2, can also sit between a server on the internal
network and a client out on the external network (i.e., the Internet) and handle the communications
between the internal server and the external client.

Figure 4.2: A Proxy Firewall Protecting a

Real Server

A proxy firewall program generally runs either on a dual-homed host with one interface on the
internal network and one on the external network, or some bastion host that has access to the
Internet and is accessible from internal machines.

A dual-homed host is a computer system with two network interfaces. The IP forwarding
capability of the dual-homed host is disabled so that the host can no longer route packets
between the two connected networks.
A bastion host is a gateway between an inside network and an outside network. A bastion
host needs to have strong security to resist attacks aimed at the internal network because it
is installed on a network in such a way that it is exposed to the Internet and is a main point of
contact for users of the internal network.

A proxy firewall is simple, yet very secure. A proxy firewall has the following features:

The proxy server works on the clients’ behalf.
The proxy server is the real server, in the client’s eyes. From the standpoint of the servers,
the proxy server is the real client (illusion).
The IP address of the internal client is hidden.
The proxy server is a piece of software.
The existence of the proxy server is transparent to both the client and the server.

Page 24 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

How a Proxy Firewall Works
A proxy service involves a proxy server, a client, and a real server. When a client sends a request to
a proxy server, the client is a proxy client. When the proxy server forwards the request to the real
server, the proxy server becomes a proxy client. A proxy server running on the firewall can protect
either a client on the internal network or a real server on the internal network.

Figure 4.3:

Example
Client

Let us take a closer look at the proxy firewall that protects a client, as shown in Figure 4.1, and
imagine that the internal host sends a request for Telnet service directly to the proxy server rather
than to the “real” server on the Internet.

The proxy server evaluates the request from the proxy client and decides what to approve and what
to deny.

If a request is approved, the proxy server contacts the real server on behalf of the client and
proceeds to relay requests from the proxy client to the real server and responses from the real
server to the proxy client.

Page 25 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

A similar process happens for the proxy firewall that protects a real server as shown in Figure 4.2.
When a host (proxy client) on the Internet sends a request for Telnet, the proxy server receives the
request first.

Rather than passing the request directly to the “real” server on the internal network, the proxy
server evaluates the request from the proxy client, and decides what to approve or deny.

In both situations, proper configuration of the proxy client needs to be performed so that requests
for services to the proxy server may be sent. There are generally two approaches to this
configuration:

Custom Client Software: The proxy client is a special version of a normal client program. When a
user makes a request (e.g., for Telnet), the special client program knows how to contact the proxy
server instead of the real server and tells the proxy server with what real server to connect.

Custom User Procedures: The user uses a standard client program to talk to the proxy server and
tells it to connect to the real server, instead of connecting to the real server directly.

Sample Proxy Firewall Solutions
Figure 4.4 shows an example of a Telnet proxy server. In this example, the proxy server is used to
protect two Telnet servers in the internal network.

Figure 4.4: A Telnet Proxy Server

Case 1

Page 26 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

When the user does Telnet, he knows that the proxy server is ts.bear.com. He takes the Telnet
request, though the real server he wants to connect to is ts1.bear.com. The user types “Telnet
ts.bear.com,” and the proxy server gets the Telnet request, but how does it know which is the real
server with which to connect?

Solution: Custom modified procedure

The user Telnets to ts.bear.com. At the user name prompt, the user specifies the name he/she wants
to use and also specifies the name of the real server he wants to Telnet to, in this case,
ts1.bear.com.

Case 2
The user knows the real Telnet server and types in “Telnet ts1.bear.com,” however, only ts.bear.com
can accept Telnet requests.

Solution Custom client software

The proxy client software running on the user’s machine must know to contact the proxy server (i.e.,
ts.bear.com) instead of the real server when the user makes this request. The software will tell the
proxy server with which server to connect.

Case 3
HTTP proxy server (proxy server handling HTTP request): A user requests HTTP service. The proxy
server should forward the HTTP request to the real server on the Internet.

Solution: Custom modified procedure by configuring the browser on the client. For example, a
Netscape browser supports configuration requesting that it talks to the proxy server and tells the
proxy server to connect to the real server.

When a proxy server contacts a real server for services on behalf of a client, how the real server
works with proxy server differs from service to service. For some services, the real servers can
communicate with proxy servers easily by making configuration changes to the original server
program. However, for most services, proxying requires appropriate server software on the real
server side.

Proxy Server Types
The two types of proxy servers are application layer proxy servers and transport layer proxy servers.

Application Layer Proxy Server

An application layer proxy server provides proxy service for only one particular Internet service;
therefore, many proxy servers may be needed to run on a firewall host. A proxy firewall that
operates on the application layer knows about the particular application it is providing proxy services
for and understands and interprets the commands in the application protocol. Additionally, it
receives data from one interface, inspects it according to its defined rule set, and then passes the
data to the other interface.

In general, application layer proxy uses modified procedures. In order to make a proxy connection to
the real server, the real server location must be known. An application layer proxy can retreive that
information in the application protocol either by using design features or by reinterpreting user-

Page 27 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

supplied data.

Transport Layer Proxy Server

A transport layer proxy server provides proxy service for all Internet services. It works at the TCP
layer, knows the context of TCP connections, and uses such connection context to protect. It allows
the client to communicate with the server without interpreting the application protocol.

Transport layer proxy generally uses modified clients. It cannot interpret the application protocol and
information about the real server needs to be supplied to it through other means (e.g., using a
modified client that gives the server the destination address).

The advantage of a transport layer proxy is that it provides service for a wide variety of different
protocols. However, it provides very little control over what happens through the proxy. Like a
packet filter, it controls connections based on their source and destination and cannot easily
determine whether the commands going through it are safe or even in the expected protocol, and
servers set up at the port numbers assigned to other servers easily fool it.

SOCKS Proxy System
The SOCKS package is a very good commercial proxy system. It is an example of a proxy server that
requires custom clients. It is now freely available and has become an official Internet standard.
SOCKS is extremely generic in the way it supports a new client.

The SOCKS package includes the following components:

The SOCKS server that runs on a UNIX system
The SOCKS client library for UNIX machines
The SOCKS-modified versions of several standard UNIX client programs such as FTP and
Telnet

Many Internet client programs have already had SOCKS support built into them. Moreover, it can be
converted to a client program easily by recompiling the program with the SOCKS client library so
that it talks to the SOCKS server rather than talking directly to the real server.

Figure 4.5: Using SOCKS for Proxying

As shown in Figure 4.5, the client machine should have SOCKS-modified clients running which are
able to tell the SOCKS server what services to contact. When the client sends out the request, SOCKS
intercepts TCP packets as they start opening a connection and proxies them through the SOCKS
server. SOCKS must be started before the TCP sessions are started to be proxied. SOCKS proxies all
TCP/IP sessions, except those that should go directly to the specified host. The SOCKS server can be
configured to bypass TCP packets based on port and destination addresses. SOCKS does log
connection requests on the server, provides access control by source, destination host, and protocol,
and allows configurable responses to access denials.

Advantage

SOCKS is very popular. Because SOCKS is widely used, server implementations and SOCKS-modified
clients (i.e., versions of programs like FTP and Telnet that have already been converted to use
SOCKS) are commonly available and help is easily accessible.

Disadvantage

Page 28 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

SOCKS works only for TCP-based clients; it does not work for UDP-based clients.

Related Links
Blue Coat [7]- The source for SOCKS technology

Stay Invisible’s Anonymity Test [8]

Proxy Blind [9]- A proxy forum for free public SOCKS servers lists

Advantages and Disadvantages of Proxying

Advantages

Proxy firewalls provide better access control. They allow users to access Internet services from their
own systems without allowing packets to pass directly between the user’s system and the Internet.
Unlike packet filtering, a connection is never made from the outside to the inside because proxy
firewalls do not route. A proxy firewall forces the connection to the Internet to go through the proxy
host and truly keeps the internal and external systems separate. Thus internal IP addresses, protocol
information, and the topology of the network are shielded from the outside world.

Proxy firewalls allow all interaction to take place behind the scenes and give users the illusion that
they are interacting directly with the Internet services that they want to access.

In addition, proxy firewalls can selectively log users’ activities based on needs. Logs are performed
more effectively. For example, instead of logging all data transferred, an FTP proxy server logs only
the commands issued and the server responses received; this results in a much smaller, cleaner, and
more useful log. In addition, proxy firewalls allow configurable responses such as letting users know
why their outgoing access attempts are denied and notifying an administrator of incoming access
attempts.

Application proxy servers, when properly configured, are considered the most intelligent firewalls
available. Application proxies operate at the application layer of the OSI model. Application layer
information can be audited as it passes in and out of the network. This allows proxies to make much
more intelligent decisions about what traffic is allowed to pass.

Disadvantages

A proxy firewall provides strong security from a security standpoint. Proxy software can easily be
found for common services like FTP and Telnet, however it may not be available for all services, or
may be hard to find for newer or less widely used services. As new applications are released, new
proxies need to be written. There is often a lag between the introduction of a service and the
availability of proxy servers for it. A different proxy server may be needed for each protocol because
the proxy server has to understand the protocol in order to determine what to allow and disallow.

Proxy services do not protect from all protocol weaknesses. For example, HTTP is designed to
operate effectively with proxy servers, but it is also designed to be readily extensible by accepting
data that’s going to be executed. It is impossible for a proxy server to provide protection from this
data because it cannot understand the data being passed to determine whether it is dangerous.

Bottlenecking at the proxy server can become a single point of failure for network services. In
addition, application layer proxy firewalls inspect all traffic on the application layer and, therefore,
are significantly slower than the packet filtering alternatives at the network layer.

Page 29 of 34

http://bluecoat.com/

http://www.stayinvisible.com/

http://www.proxyblind.org/proxyblind-forum/

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Lesson Wrap-Up
Proxy firewalls are attractive to many organizations, especially application layer proxies, because
they have full visibility at the application layer and can look for far more specific pieces of
information than a packet filter can. For instance, they can tell the difference between a piece of e-
mail containing text and a piece of e-mail containing a Microsoft Word document or the difference
between a Web page using Java and a Web page not using Java. Rules can be made significantly
more specific, as they can be designed around anything the firewall can see at the application level.

A proxy firewall is one type of software solution when implementing a firewall service. Proxy firewall
technology can be used with any of the firewall architectures described in a later lesson.

Now that you have completed this lesson, you should be able to:

Describe a proxy firewall.
Describe how a proxy firewall works.
Discuss two different types of proxy server.
Describe the commercial proxy firewall package: SOCKS.
Identify the advantages and disadvantages of a proxy firewall.

Lesson 5: Firewall Architecture
Firewalls are part of an organization’s mission-critical infrastructure and need to be designed
accordingly. There are many different ways to design and build firewalls to protect the system.
Firewall architectures are difficult and expensive to change after deployment, so it is important to
choose an appropriate firewall architecture that will be able to effectively enforce the organization’s
security policies.

When creating a firewall system, deciding its basic architecture in terms of firewall hardware and
software, network connectivity, and distribution of functions among the components is imperative.
This lesson describes three common ways to blend various firewall components together to create
an effective, scalable, and manageable firewall system.

After reading this lesson, you should be able to:

Describe dual-homed host firewall architecture.
Describe screened host firewall architecture.
Describe screened subnet firewall architecture.

Dual-Homed Host Firewall Architecture
In the dual-homed host firewall architecture, as shown in Figure 5.1, the firewall is built on a dual-
homed host computer. The dual-home host computer has at least two network interface cards (NIC)
and is dedicated as the dividing line between the internal network and the external network (i.e., the
Internet). The dual-homed host firewall works by running either an application-layer or a transport-
layer proxy.

When a dual-homed host functions as a firewall, its routing capability is disabled so that IP packets
from the external network are not directly routed to the internal network. Both systems inside the
firewall and outside the firewall (on the Internet) communicate with the dual-homed host, but these
systems cannot communicate directly with each other.

Page 30 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Figure 5.1: Dual-Homed Host Architecture

An example of a dual-homed host firewall would be to provide proxy services for TELNET and FTP,
and let the firewall provide centralized e-mail service, meaning the firewall would accept all mail and
then forward it to internal systems. Because the firewall runs on a host computer, it can house
software to require users to authenticate before accepting any requests from users. The firewall can
also log access and log attempts or probes to the system that might indicate intruder activity.

A dual-homed host provides a very high level of control. It is a complete block to IP traffic between
the Internet and protected network. Service and access is provided by proxy servers on the firewall.
Any packet on the internal network that has an external source indicates a certain level of security
breach if there is no packet to be allowed to pass between external and internal networks.

!WARNING!

A dual-homed host firewall has inadequate security protection because, like a screening router, it
has only one point of access. Because of this, a network is very vulnerable to attacks from intruders.
The use of any vulnerable services or techniques on the dual-homed host used for firewall could lead
to break-ins. If the host is compromised, an intruder could potentially subvert the firewall and
perform some activity such as re-enabling IP routing. Therefore, the dual-homed host must be built
very securely and essential services should not be put on this host. This form of architecture is useful
for situations where there is moderate traffic to the Internet, where traffic to the Internet is not
critical to a business, where services are not being provided to users from the Internet, and the
network that the firewall protects does not contain data of great value.

The inflexibility of the dual-homed host could be a disadvantage to some sites. Because all services
are blocked, except those for which proxies exist, access to other services cannot be opened;
systems that require this access would need to be placed on the Internet side of the architecture. In
this case, a router could be used at the connection to the Internet to create a subnet between the
dual-homed host and the router, and the systems that require extra services could be located there.
This type of architecture is called screened subnet firewalling which will be described later in this
lesson.

Screened Host Firewall

Page 31 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

In this form of firewall architecture, as shown in Figure 5.2, the firewall has two parts: the screening
router (part I), which only performs packet filtering and the bastion host (part II), which functions as
a proxy.

The primary security in this architecture is provided by packet filtering on the screening router. The
screening router can be configured to accept only internal packets from the bastion host and pass all
incoming packets to the bastion host. Thus, it forces the connections via the bastion host and
prevents users from going around proxy servers to make direct connections between the internal
network and the Internet.

The screened host architecture provides services from a bastion host that rests on the internal
network. The bastion host is a highly defended and secured computer that resists attack and
protects an internal network from outside intrusion due to its exposure to the Internet. The bastion
host is the only system on the internal network for which hosts on the Internet can open connections
(for example, to deliver incoming e-mail). Even then, only certain types of connections are allowed.
Any external network will have to connect to the bastion host in order to connect to the internal
network. It is for this reason that a bastion host needs to maintain a high level of security.

Figure 5.2. Screened Host Architecture

The screened host architecture provides better security compared with the dual-homed host
architecture because of packet filtering via the screening router and proxy service from the bastion
host. However, there is a disadvantage associated with this architecture: the bastion host could be a
single point of failure. The bastion host is generally difficult to break through because it has no user
accounts and no other services; however, if it is broken through, or it is bypassed by the attacker,
the entire internal network is vulnerable to the security breach. The screened host architecture is
ideal when few connections are coming from the Internet and when the network being protected has
a relatively high level of host security.

Screened Subnet Firewall
This type of firewall can tolerate penetration of the bastion hosts. Compared with the previously
discussed two architectures, it offers an extra layer of security by adding a peripheral network that
further isolates the internal network form the Internet.

Figure 5.3 shows one possible way to set up the screened subnet firewall architecture. In this
example, there is one screening router and one dual-homed host, each connected to the peripheral
network. The screening router performs packet filtering and is placed between the peripheral
network and the external network (i.e., the Internet). The dual-homed host sits between the
peripheral network and the internal network. To break into the internal network with this type of
architecture, an attacker would have to get past both the screening router and the dual-homed host.

Figure 5.3. Screened Subnet Architecture

The peripheral network is an additional network between the external network and the protected
internal network. If an attacker successfully breaks into the outer reaches of the firewall, the
peripheral network offers another layer of protection between the attacker and internal systems.

The bastion hosts attached to the peripheral network are the main points of contact for incoming
connections from the outside network. All the traffic on the peripheral network should be either to or
from the bastion host, or to or from the Internet. With a peripheral network, if an intruder breaks into
a bastion host on the peripheral network, the intruder will be able to snoop only traffic on that
peripheral network. To reach the internal network, the intruder would still have to get past the dual-
homed host.

Page 32 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

**Note: All the bastion hosts should be cleaned to minimum functionality. **

Moreover, one bastion host may handle one service that is important to internal users, and another
host may handle the services that you provide to the Internet.

Example
One bastion host can deliver incoming e-mail (SMTP) sessions to the internal network, another
bastion host can work as the site’s anonymous FTP server for incoming FTP connections, another can
act as DNS server for incoming domain name service queries about the site, and another one can act
as Web Server for incoming Web service requests, etc.

The internal network can have a bastion host for e-mail forwarding. Because bastion machines open
connections with the Internet, they are the most vulnerable machines on the network. By isolating
the bastion host on a peripheral network, the impact of a break-in on the bastion host is reduced.

The exterior screening router protects both the peripheral network and the internal network from the
Internet. Generally the packet filtering rules on the exterior screening router allow almost anything
outbound from the peripheral network, but prohibit direct communications between internal hosts
and the Internet. The packet filtering rules are mainly used to protect the bastion hosts and the dual-
homed host on the peripheral network.

The dual-homed host has proxy service running and protects the internal network from both the
Internet and the peripheral network. While bastion hosts handle incoming connections from the
outside, the dual-homed host handles outbound connections from internal clients to the servers on
the Internet. When the internal host has a service request, the dual-homed host takes the request
and forwards it to the screening router if the request meets the security policy rules.

In addition, the services between the bastion host and the internal network should be limited to just
those that are actually needed, such as SMTP (so the bastion host can forward incoming mail), DNS
(so the bastion host can answer questions from internal machines), and so on. This reduces the
number of services on internal hosts that can be attacked from the bastion host should it be
compromised. The services should be further limited, to the maximum possible extent, by allowing
them only to or from particular internal hosts; for example, SMTP might be limited only to
connections between the bastion host and the internal mail server or servers. In general, all internal
hosts and services that can be contacted by the bastion host are under potential risk because they
are what the attacker goes after if the attacker manages to break into the bastion host.

Lesson Wrap-Up
The firewall architecture is the combination of the particular hardware and operating system on
which the desired firewall technologies execute. We have shown three common firewall architectures
in this lesson. In reality, a lot of variation and flexibility exists for how you can set up and combine
firewall technologies to build the architecture that best suits your corporation’s security policies and
budget.

Now that you have completed this lesson, you should be able to:
Describe dual-homed host firewall architecture.
Describe screened host firewall architecture.
Describe screened subnet firewall architecture.

Page 33 of 34

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Published on IST 554 (https://online.ist.psu.edu/ist554)

Wrap-Up: Firewalls
A firewall is considered a first line of defense in protecting a private network. A firewall is the most
effective way to connect a network to the Internet and still protect that network. The important thing
about a firewall is that it implements an access control policy. Those responsible for employing
firewall architecture should have a good idea of what kind of access to allow or deny in order to
design a firewall that really fits the needs of the organization.

When building a firewall, it is best to choose the basic architecture (i.e., the number of hosts, the
method in which they are connected, the tasks that each performs) and then select the appropriate
firewall technologies to be implemented in these hosts. The most basic firewall technologies are
packet filtering, proxying, and stateful packet filtering. These functions can be used separately or
jointly and can be implemented on the same or different firewall hosts.

Firewalling offers significant benefits, but cannot solve every security problem. To combat the
sophistication of attacks today, we need well-rounded security architecture with a combination of
various security components. In the following topics, we will discuss more security solutions.

Now that you have completed this topic, you should be able to:

Source URL: https://online.ist.psu.edu/ist554/topicfirewalls

Links:
[1] http://staff.washington.edu/dittrich/talks/qsm-sec/script.html
[2] http://librenix.com/?inode=4569
[3] http://www.l0t3k.org/security/docs/dns/
[4] http://www.bitpipe.com/tlist/Denial-of-Service-Attacks.html
[5] http://www.securitystats.com/reports/Riptech-Internet_Security_Threat_Report_vII.20020708
[6] http://www.windowsecurity.com/whitepaper/firewalls_and_VPN/Keeping_Your_Site_Comfortably_S
ecure/Keeping_Your_Site_Comfortably_Secure__Introduction_to_Firewalls.html
[7] http://bluecoat.com/
[8] http://www.stayinvisible.com/
[9] http://www.proxyblind.org/proxyblind-forum/

Page 34 of 34

https://online.ist.psu.edu/ist554/topicfirewalls

http://www.tcpdf.org

mailto:onlinelearning@ist.psu.edu

http://ist.psu.edu

Turn in your highest-quality paper
Get a qualified writer to help you with

“ Computer Networking – Firewalls ”

Get high-quality paper

NEW! AI matching with writer

Still stressed with your coursework?

Get quality coursework help from an expert!

Order now