Java-Firewall Project by QUAKE5

Authors:

  Galip Gülsen
  Yavuz Öztürk
  Görkem Ates
  Suphi Çeviker
  Ridvan Çiçek

Group:

Problem Definition: What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: One which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy.

Why are firewalls needed?

A firewall's purpose is to keep the jerks out of your network while still letting you get your job done. Many traditional-style corporations and data centers have computing security policies and practices that must be adhered to. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security - it often plays an important role as a security blanket for management.

Lastly, a firewall can act as your corporate "ambassador" to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth.

What can a firewall protect against?

Some firewalls permit only Email traffic through them, thereby protecting the network against any attacks other than attacks against the Email service. Other firewalls provide less strict protections, and block services that are known to be problems. Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amounts of traffic passed through them, how many attempts there were to break into them, etc.

What can a firewall NOT protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Many organizations that are terrified of Internet connections have no coherent policy about how dial-in access via modems should be protected. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic, and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are a far more likely means for information to leak from your organization than a firewall! Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a "helpful" employee inside who can be fooled into giving access to a modem pool.

What are some of the basic design decisions in a firewall?

There are a number of basic design issues that should be addressed by the lucky person who has been tasked with the responsibility of designing, specifying, and implementing or overseeing the installation of a firewall.

The first and most important reflects the policy of how your company or organization wants to operate the system: is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is it in place to provide a metered and audited method of "queuing" access in a non-threatening manner?

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.

The decision to make is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, ftp, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are pluses and minuses to both approaches, with the proxy machine providing a greater level of audit and potentially security in return for increased cost in configuration and a decrease in the level of service that may be provided.

What are the basic types of firewalls?

Conceptually, there are two types of firewalls:

  1. Network Level
  2. Application Level

Network level firewalls generally make their decisions based on the source and destination addresses and ports in individual IP packets. A simple router is the "traditional" network level firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network level firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many network level firewalls is that they route traffic directly through them, so to use one you usually need to have a validly assigned IP address block. Network level firewalls tend to be very fast and tend to be very transparent to users.

Example Network level firewall: In this example, a network level firewall called a "screened host firewall" is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network level. The single host is a bastion host; a highly-defended and secured strong-point that can resist attacks.

Example Network level firewall: In this example, a network level firewall called a "screened subnet firewall" is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at a network level. It is similar to a screened host, except that it is, effectively, a network of screened hosts.

Application level firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application level firewalls can be used as network address translators, since traffic goes in one "side" and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way may in some cases impact performance and may make the firewall less transparent. Early application level firewalls, such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application level firewalls are often fully transparent. Application level firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network level firewalls.

Example Application level firewall: In this example, an application level firewall called a "dual homed gateway" is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.

What are the critical resources in a firewall?

It's important to understand the critical resources of your firewall architecture, so when you do capacity planning, performance optimizations, etc., you know exactly what you need to do, and how much you need to do it in order to get the desired result.

What exactly the firewall's critical resources are tends to vary from site to site, depending on the sort of traffic that loads the system. Some people think they'll automatically be able to increase the data throughput of their firewall by putting in a box with a faster CPU, or another CPU, when this isn't necessarily the case. Potentially, this could be a large waste of money that doesn't do anything to solve the problem at hand or provide the expected scalability.

On busy systems, memory is extremely important. You have to have enough RAM to support every instance of every program necessary to service the load placed on that machine. Otherwise, the swapping will start, and the productivity will stop. Light swapping isn't usually much of a problem, but if a system's swap space begins to get busy, then it's usually time for more RAM. A system that's heavily swapping is often relatively easy to push over the edge in a denial-of-service attack, or simply fall behind in processing the load placed on it. This is where long email delays start.

Beyond the system's requirement for memory, it's useful to understand that different services use different system resources. So the configuration that you have for your system should be indicative of the kind of load you plan to service. A 700 MHz processor isn't going to do you much good if all you're doing is netnews and mail, and are trying to do it on an IDE disk with an ISA controller.

Critical Resources for Firewall Services:

  Service      Critical Resource
  -----------  ------------------------------------------
  Email        Disk I/O
  NetNews      Disk I/O
  Web          Host OS Socket Performance
  IP Routing   Host OS Socket Performance
  Web Cache    Host OS Socket Performance, Disk I/O

What are some common attacks, and how can we protect the system against them?

Each site is a little different from every other in terms of what attacks are likely to be used against it. Some recurring themes do arise, though.

SMTP Session Hijacking

This is where a spammer will take many thousands of copies of a message and send it to a huge list of email addresses. Because these lists are often so bad, and in order to increase the speed of operation for the spammer, many have resorted to simply sending all of their mail to an SMTP server that will take care of actually delivering the mail.

Of course, all of the bounces, spam complaints, hate mail, and bad PR come to the site that was used as a relay. There is a very real cost associated with this, mostly in paying people to clean up the mess afterward.

Exploiting Bugs in Applications

Various versions of web servers, mail servers, and other Internet service software contain bugs that allow remote (Internet) users to do things ranging from gaining control of the machine to making that application crash, and just about everything in between.

The exposure to this risk can be reduced by running only necessary services, keeping up to date on patches, and using products that have been around a while.

Bugs in Operating Systems

Again, these are typically initiated by users remotely. Operating systems that are relatively new to IP networking tend to be more problematic, as more mature operating systems have had time to find and eliminate their bugs. An attacker can often make the target equipment continuously reboot, crash, lose the ability to talk to the network, or replace files on the machine.

Here, running as few operating system services as possible can help. Also, having a packet filter in front of the operating system can reduce the exposure to a large number of these types of attacks.

And, of course, choosing a stable operating system will help here as well.

What is a DMZ?

"DMZ" is an abbreviation for "demilitarized zone". A DMZ can be created by putting access control lists on your access router. This minimizes the exposure of hosts on your external LAN by allowing only recognized and managed services on those hosts to be accessible by hosts on the Internet. For example, a web server running on NT might be vulnerable to a number of denial-of-service attacks against such services as NetBIOS and SMB. These services are not required for the operation of a web server, so blocking TCP connections to ports 135 and 139 on that host will reduce the exposure to a denial-of-service attack. In fact, if you block everything but HTTP traffic to that host, an attacker will only have one service to attack.

Firewall Architecture

There are lots of ways to structure your network to protect your systems using a firewall. If you have dedicated connections to the Internet through a router, you could plug the router directly into your firewall system. Or, you could go through a hub to provide full-access servers outside your firewall. You could set up some hard filtering rules in the router.

                  ________           __________
   _/\__/\_      | Router |         |          |          _______________
  |        |     |   No   |  (DMZ)  | Firewall |  (LAN)  |               |
 / Internet \----|Filters |--(HUB)--|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |________|    |    |__________|         |_______________|
   \/ \/ \/                    |
                           (Outside)
                           (Server)

You may be using a dialup service like an ISDN line. In this case you might use a third network card to provide a filtered DMZ. This gives you full control over your Internet services and still separates them from your regular network.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|         |_______________|
   \/ \/ \/           |
                    (DMZ)
                    (HUB)

If you are not providing Internet services yourself but you do want to monitor where your users are going, you will want to use a proxy server. This can be integrated with the firewall.

                   __________
    _/\__/\_      | Proxy /  |          _______________
   |        |     | Firewall |  (LAN)  |               |
  / Internet \----|  System  |--(HUB)--| Workstation/s |
  \_  _  _  _/    |__________|         |_______________|
    \/ \/ \/

You can put the proxy server on your LAN as well. In this case the firewall should have rules to only allow the proxy server to connect to the Internet for the services it is providing. This way the users can get to the Internet only through the proxy.

                  __________
   _/\__/\_      |          |          _______________
  |        |     | Firewall |  (LAN)  |               |
 / Internet \----|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/    |__________|    |    |_______________|
   \/ \/ \/                      |     ______________
                                 |    |              |
                                 +----| Proxy Server |
                                      |______________|
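The address-and-port decisions of a network level firewall, the DMZ access list that leaves only HTTP open to a web server while ports 135 and 139 stay closed, and the rule that lets only the proxy server reach the Internet, written out as one first-match screening rule set. This is an added example in Python, not code from the QUAKE5 project or from the original text; the addresses, networks and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed topology (example values, not the project's): the Internet,
# a DMZ holding one web server, and a LAN whose only permitted path to the
# Internet is the proxy server.
INTERNET = ip_network("0.0.0.0/0")
DMZ_WEB = ip_network("192.0.2.10/32")   # web server in the DMZ
LAN = ip_network("10.0.0.0/24")
PROXY = ip_network("10.0.0.5/32")       # proxy server on the LAN
ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: range        # destination ports the rule covers

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and p.dport in self.dports)


# Screening rules, evaluated top to bottom: the first match wins and anything
# unmatched is denied (deny all services except those explicitly permitted).
RULES = [
    # DMZ: the Internet may reach the web server on HTTP only. Ports 135 and
    # 139 (NetBIOS/SMB) have no permit rule, so they fall through to the deny.
    Rule("permit", "tcp", INTERNET, DMZ_WEB, range(80, 81)),
    # LAN: only the proxy may open HTTP/HTTPS connections to the Internet.
    # These permits must precede the LAN deny below, or they never match.
    Rule("permit", "tcp", PROXY, INTERNET, range(80, 81)),
    Rule("permit", "tcp", PROXY, INTERNET, range(443, 444)),
    Rule("deny", "any", LAN, INTERNET, ANY_PORT),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return 'permit' or 'deny' for one packet (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Swapping the LAN deny above the proxy permits silently cuts the proxy off, which is why rule order is part of the policy and worth a test of its own.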


If you are going to run a service like YAHOO or maybe SlashDot, you may want to build your system using redundant routers and firewalls. By using round-robin DNS techniques or load-balancing application servers, you can create a 100% uptime service.

   _/\__/\_                                     _/\__/\_
  |        |                                   |        |
 /  ISP #1  \______                 (WAN)_____/ Partners \
 \_  _  _  _/      |                (HUB)     \_  _  _  _/
   \/ \/ \/        |               ___|____     \/ \/ \/
                 __|___           |_______ |
   _/\__/\_     |_____ |         |        ||          ______
  |        |   |      ||  (DMZ)  |Firewall||  (LAN)  |      |
 /  ISP #2  \--|Router||--(HUB)--| System ||--(HUB)--| WS/s |
 \_  _  _  _/  |______|     |    |________|     |    |______|
   \/ \/ \/                 |         |         |     ______
                        (Outside)  (Shared)     |    |      |
                        (Server)   (Server)     +----|Proxy |
                                                     |______|

Copyright 1999 "The Quake5 Group"