We know a packet filtering firewall simply looks at the packet headers as they come into the firewall and makes a decision whether to accept or drop that packet. We're mainly looking at things like IP addresses (source and destination), port numbers and protocol numbers. Another thing we may look at is the interface: the firewall may have multiple interfaces, so we can look at what direction the packet comes from. And we make a decision, accept or not, according to the rules that are implemented in the firewall.

But we got to a point where the firewall with simple packet filtering is quite... It performs very well. It's very simple: we just write some rules, and from an implementation perspective, routers are normally designed to look at that information already anyway. What a router does is look at the destination address of a packet to determine where to send it. A firewall does that as well: it looks at the destination address, as well as other addresses, to determine what to do with it. So a router and a firewall are a good match, because routers are designed for doing this packet classification. And it turns out that packet filtering firewalls can be implemented very fast. That is, for every packet that comes in, it doesn't take long to process it and make a decision. That's very important if we have a firewall for, let's say, an organization that is handling millions of packets per second coming through it; we don't want to slow those packets down. So packet filtering firewalls are very fast. When a user's packet is accepted, the user has no idea that it's passing through the firewall. Of course, if the packet is blocked they'll know, but if it's accepted it's transparent to the users. We'll see some other alternatives which may not be transparent to users.
The problems, and we started to see them: we need to create rules to cover both directions, and it starts to get complex to handle some special cases with protocols, to block the acknowledgments or to allow the acknowledgments and so on. So it becomes complex to handle policies that require complex rules. Packet filtering firewalls generally don't look at the content of the packets, the data. They don't make a decision based upon the data, just the header fields. One reason for doing that is that it keeps it very simple and very fast, but it means you can't block things based upon the data. If someone can take advantage of some bugs in the protocols that the packet filter is looking at, then they may be able to compromise the firewall. As with all firewalls, if you set up the firewall rules wrong, then it may lead to security breaches. That's a big issue in designing a firewall: you want to make it as easy as possible for the administrator to set the rules to implement the policy. The more complex the rules, the more likely a mistake, and the more mistakes, the more likely a security breach. So making things simple is an important thing for firewalls.

And that led to stateful packet inspection. That is, not just use the packet filtering firewall, but when a rule accepts a packet, maintain a second table that keeps track of what's been accepted, and all subsequent packets related to that connection are also accepted. We went through stateful packet inspection, usually with an example. It's really an extension of normal packet filtering firewalls; it's not a replacement, it extends normal packet filtering. We'll see some more examples of that in a moment. One of the issues with stateful packet inspection is that, again, for every connection that is accepted by the firewall, there's an extra entry in the SPI table.
And again, when you have millions of entries that need to be maintained in a network that has many connections, that introduces some extra overhead for storing and maintaining that state information. But most firewalls today will make use of stateful packet inspection.

So let's have a look at some examples. You've seen them in the quiz, those that have attempted it. I'll give you two examples. So grab one of these. It's just based upon... well, it's two of the quiz questions. They're very similar. Just take one. There's question one on the front, question two on the back, so just make sure you're on the right one.

We have a network, our simple internet, which identifies four specific subnets and a general internet. That is, I assume there are many subnets, but in the picture, for simplicity, I only show those four. On each subnet there are many hosts, but again, for simplicity, I only draw two per subnet, and we'll refer to those specific ones in the tables. In these two questions we're given a packet and we need to make a decision, accept or not. We want to look at the tables and determine what accepts it and what doesn't. Some other questions you would have seen are where you need to write the rules to achieve some aim, let's say block someone accessing the web server on computer five: write the rule, or fill in the rule entries. These questions are the other ones, where you just determine whether it's accepted or not. In this case there are two routers shown, A and B. We are given the firewall rules as well as the stateful packet inspection table, and we're also given a packet, and we need to determine what happens. So question one, let's have a look at it. What are we given? We're given the firewall table. This specifies a set of rules, five rules in this case.
These already exist, indicating the source address, destination, transport protocol and the action to take if a packet matches those conditions, and the default policy is drop in this case. So if a packet doesn't match those conditions, we'll need to drop that packet. We're also given the stateful packet inspection table, the SPI table. You have that on your printout, and the packet as well. So there are two tables stored in the firewall. This assumes the administrator has set up those first five rules. Some packets have flowed through the firewall, and as a result these eight entries in the SPI table have been automatically added. Note that the stateful packet inspection table is maintained by the firewall, not by the administrator, not by the human user.

Now we receive a new packet at the firewall, and it's drawn here. We're just given the headers. It's an IP packet. Inside that is a TCP packet with some data, and the address fields: the source IP address 1.1.1.2 and destination IP address 3.3.3.5, so the two computers in our network, and the port numbers, coming from port 23 going to port 44981. What does the firewall do when it gets this packet? It checks the packet addresses against the SPI table, and we go row by row. We check the SPI table first because what we first do is check: does this packet belong to any previously accepted connections? When I say a connection, I mean, especially with TCP, we set up a connection, the SYN, SYN-ACK, the three-way handshake to set up a TCP connection, and then we have an exchange of packets that belong to that connection. So the SPI table keeps track of the connections which have been set up in the past, and we should accept all packets which belong to any previously accepted connections. So what we do is check row by row: does it match any of those rows in the SPI table? Yes, no? Any other choices? Does it match row one? We just simply need to check. OK, a quick check for us.
The addresses must contain 1.1.1.2 and 3.3.3.5. So row one obviously doesn't, because it's 2.2.2.4 and 3.3.3.6; it doesn't match that. This one doesn't match; we need the exact IP addresses. No, we don't have 2.2.2.4. What about this one, row four? Do the IP addresses match? Yes, the IP addresses match. Do the port numbers match? Why don't they? I'm looking at the wrong one. OK, this one, obviously, why don't they? Because it's a different number. OK, so first, rule four, or entry four. Note that even though this packet has a source address of 1.1.1.2 and a destination address of 3.3.3.5, what we store in the SPI table, when I say source and destination, any packet which has that combination of source and destination, or the reverse, will be accepted. So this one matches in terms of IP addresses, because for simplicity in the SPI table we just keep track of the first packet in the connection. Let's say the connection was from 3.3.3.5 to 1.1.1.2. We should also allow response packets; we don't explicitly state that in the SPI table. So anything that comes from 1.1.1.2 and is going to 3.3.3.5 should also be accepted, ignoring the port numbers so far. When you check the source and destination address of the packet against the entry in the SPI table, check them in both orderings, not just the one that's noted there. That is, here we have source 1.1.1.2, destination 3.3.3.5, so these entries are OK. That packet matches these two conditions, because any packet that's from 3.3.3.5 to 1.1.1.2, or from 1.1.1.2 to 3.3.3.5, matches the IP addresses. But of course I think everyone's already noticed that the port number here is wrong. In this case 4723 does not match our port number. The destination port is OK, but the source port's not, and we need all four conditions to match for the rule to match. So again, entry four doesn't match. What about five? Right, check five: 3.3.3.5.
Source IP 3.3.3.5, source port 44981. So the entry says anything coming from 3.3.3.5 port 44981, going to this combination, should be accepted, and anything in the reverse should also be accepted: anything from 1.1.1.2 port 23 going to 3.3.3.5 port 44981 should be accepted. Is that what we have in the packet? Yes, in this case. So this packet would be accepted by the fifth row in the SPI table, 3.3.3.5 port 44981. It's the same application, and these would match. So the packet would be accepted in this case. If we find a match in the SPI table, then that's an automatic accept. We don't check the subsequent rules; we've got an accept, we take that action and the packet goes through. So just be careful to consider the combination of addresses in both orders for the SPI table. That's not the case for the firewall rules, just for the SPI table.

Try question two then, given on the other side of the page, a slight variant of that. Again, given some rules, given the SPI table and a packet, check what happens. The packet arrives at the firewall; check the stateful packet inspection table first. We need a combination of IP addresses of 2.2.2.3 and 4.4.4.7. So quickly we can rule out this entry: no, no. This one, the port number here is wrong. This one, still the port number is wrong; we're looking for 44981. Yes or no? Yes or no? No. This packet is coming from 4.4.4.7 port 44981. This rule 6 says coming from 2.2.2.3 port 44981. So a bit of a trick there: the source IP and port must stay together. So no, 6 doesn't match. If the ports were swapped here it would be a match, but in this case it's not. Similarly this one will not match, nor will the last one. So none of the entries in the SPI table match. What do we do? Now we go back to our original firewall rules. We go row by row checking, and now we do it in order. So the source IP must be 4.4.4.7, or some condition that 4.4.4.7 matches.
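The lookup procedure the two quiz walkthroughs follow, written out in Python as an added example (this is not the lecturer's code, and the tables are not the quiz's tables): the SPI table is checked first, each entry matched in both directions with every IP kept paired with its own port; then the firewall rules are checked in order, directionally, with a default drop; and an accept by a rule records the new connection in the SPI table so the response is accepted automatically. All addresses, ports and table contents below are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (addresses, ports, protocol)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """One administrator-written firewall rule. None means 'any' for a port or protocol."""
    src_net: str             # CIDR prefix, e.g. "4.4.4.0/24" for "network 4.4.4"
    src_port: Optional[int]
    dst_net: str
    dst_port: Optional[int]
    proto: Optional[str]
    action: str              # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    """One SPI-table entry: the first packet of an accepted connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def spi_entry_matches(entry: Flow, pkt: Packet) -> bool:
    """An SPI entry stores only the first packet's direction, so a packet
    matches in the stored direction OR the reverse direction. Each IP stays
    paired with its own port: a swapped IP/port pairing is not a match."""
    if entry.proto != pkt.proto:
        return False
    pkt_pairs = ((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
    stored = ((entry.src_ip, entry.src_port), (entry.dst_ip, entry.dst_port))
    return pkt_pairs == stored or pkt_pairs == stored[::-1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Firewall rules are directional: source conditions are checked against the
    packet's source, destination conditions against its destination, and all
    conditions must hold."""
    return (
        ip_address(pkt.src_ip) in ip_network(rule.src_net)
        and ip_address(pkt.dst_ip) in ip_network(rule.dst_net)
        and (rule.src_port is None or rule.src_port == pkt.src_port)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and (rule.proto is None or rule.proto == pkt.proto)
    )


def filter_packet(pkt: Packet, rules: List[Rule], spi_table: List[Flow],
                  default: str = "drop") -> Tuple[str, str]:
    """Return (action, reason). Step 1: SPI table row by row; a hit is an
    automatic accept and nothing else is checked. Step 2: rules in order; the
    first match decides, and an accept records the new connection in the SPI
    table. Step 3: the default policy."""
    for i, entry in enumerate(spi_table, start=1):
        if spi_entry_matches(entry, pkt):
            return "accept", f"SPI entry {i}"
    for i, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            if rule.action == "accept":
                spi_table.append(Flow(pkt.src_ip, pkt.src_port,
                                      pkt.dst_ip, pkt.dst_port, pkt.proto))
            return rule.action, f"rule {i}"
    return default, "default policy"


# Constructed tables for illustration only (not the quiz's actual tables).
RULES = [
    Rule("2.2.2.0/24", None, "0.0.0.0/0", None, None, "drop"),
    Rule("4.4.4.0/24", None, "2.2.2.3/32", 80, "tcp", "accept"),
]
SPI_TABLE = [
    Flow("3.3.3.5", 4723, "1.1.1.2", 23, "tcp"),    # same hosts, different source port
    Flow("3.3.3.5", 44981, "1.1.1.2", 23, "tcp"),   # telnet session opened from 3.3.3.5
    Flow("2.2.2.3", 44981, "4.4.4.7", 80, "tcp"),   # IP/port pairing the other way round
]


def demo() -> List[Tuple[str, str]]:
    """Walk the lecture's two situations against the constructed tables."""
    spi = list(SPI_TABLE)
    results = []
    # Reply from the telnet server: matches entry 2 in the reverse direction.
    results.append(filter_packet(Packet("1.1.1.2", 23, "3.3.3.5", 44981, "tcp"), RULES, spi))
    # New web request: entry 3 has the pairing swapped, so no SPI hit; rule 2
    # accepts it and a fourth SPI entry is added for the connection.
    results.append(filter_packet(Packet("4.4.4.7", 44981, "2.2.2.3", 80, "tcp"), RULES, spi))
    # The web server's response: rule 1 would drop it, but the SPI table is
    # checked first and the new entry 4 accepts it in the reverse direction.
    results.append(filter_packet(Packet("2.2.2.3", 80, "4.4.4.7", 44981, "tcp"), RULES, spi))
    # Unrelated inbound packet: no SPI entry, no rule, so the default policy applies.
    results.append(filter_packet(Packet("9.9.9.9", 5555, "1.1.1.2", 22, "tcp"), RULES, spi))
    return results
```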
Rule 1: which rule matches, if any? Rule 1 does not. Rule 2 does not. Rules 3 and 4 do not match, because they say from network 2, whereas the source address is computer 4.4.4.7 on network 4. Rule 5: someone on network 4.4.4, yes, 4.4.4.7 is on that subnet; from any source port, yes, we've got any source port; going to 2.2.2.3, yes, we're going to the web server on 2.2.2.3; TCP is the protocol, so yes. So our five conditions match, therefore we take the action, accept. All our conditions match, so we take the action of accepting this packet. And then what happens? We accept according to rule 5, and then the firewall would write to the SPI table, because again we've accepted a new connection in this case. So we'd get another entry in the SPI table saying source 4.4.4.7, destination IP 2.2.2.3, and the port numbers would be there, such that the response packet that comes will be automatically accepted by the SPI table. That's not in the question; that's what would happen. The direction of the addresses in the packet must be exact matches in the firewall rules, so we specified the direction in the firewall rules, but in the SPI table we allow any direction.

In your quiz you've got some questions like this one. There's another type of question where you fill in the firewall rules: you're given the policy, like stop someone from accessing the web server on this computer, or allow everyone to access the secure shell server, and given that policy you need to write the rule, so you only need to fill in the entries. Any questions on packet filtering firewalls and stateful packet inspection? You should be able to get 8 out of 8 for the quiz, given that I know there are bugs in the quiz, so I'll go manually check them this evening.

So let's look, very quickly, at some alternative types of firewalls, and then we'll look at the locations, and we'll finish today with one or two final examples. What do these pictures represent here? We can think from a protocol stack perspective. A packet comes in; this is the firewall, and usually in the examples we're considering we have interfaces in two different directions. We think of a packet coming in, and we're mainly inspecting the packet at the transport level, including the IP header. So that's what we inspect: the headers of the IP packet and the transport layer packet. Nothing is modified by the firewall; a packet, if it's accepted, passes through as is, and that's why we say it's transparent to the users, because the fields in the header and the data, nothing is modified. It's similar for stateful packet inspection, but in addition the firewall has some database, the SPI table, that stores some state information about what's been previously accepted.

What else have we missed? Just going back and forth. Examples of firewalls: firewalls can be implemented in software, or you may get a dedicated hardware device. For example, you can install software on your computer which acts as a firewall, or you can go out and buy a device whose dedicated role is to act as a firewall, so maybe the hardware of the device is tailored to be fast for firewall purposes. This just lists the names of some software firewalls. If we have time today I'll show you an example using iptables in Linux, which is a common firewall software. You've already used it, though not for a firewall: you've used iptables to change an IP address to a fake IP address in your NTP denial of service attack. We'll also use it for a firewall, which is its main purpose. Other operating systems have other firewalls, usually built in, that come with the operating system, or you can get standalone software outside of the operating system. And there are what we call firewall appliances, basically a box that you buy that comes with the hardware and software to operate as a firewall, and here are the names of some of them.

Let's look at two other approaches, and they're both proxies or gateways: an application proxy, sometimes called an application level gateway, and a circuit level gateway. They have some similarities: both of them act as a proxy. What's a proxy in terms of networking? A proxy is a device that will accept a connection from one end point and create a new connection to the intended destination, acting on behalf of one end point to communicate with the other end point. An example that you may have heard of is a web proxy, a proxy for a web server. An application proxy, when it's used as a firewall, acts as a relay for the application level traffic. Before going through the general concepts, let me give an example for a web browser and a web server. Normally when we have our web browser, our application is web browsing, we have a web server, and they communicate using what protocol? HTTP. That's the application level protocol: send an HTTP request and send back a reply, the simple mode of web browsing, request and response. An application proxy, with respect to web browsing, will act as an intermediate device between the browser and server, receiving the request from the browser, potentially modifying it or checking the content in the request, forwarding it on to the server, and similarly for the response coming back. So that's the normal mode. If we introduce a proxy we have a third device: we still have our browser, the proxy and the web server. The browser sends a request, and normally it would be configured so that the browser, or some entity in the network before the proxy, would send that request to the proxy, even if you're trying to access the web server of, say, Facebook. That can be configured inside the browser itself, or maybe there's a device in the network, near the computer of the browser, that intercepts the request and forwards it to the proxy. For example, in the HTTP request, the source IP address would be that of the computer of the browser and the destination IP address would be that of the computer of the web server. In the normal mode, when in your web browser you want to visit the website of, say, Facebook, then the source IP address will be that of your computer and the destination IP address will be that of the web server. So normally you would send the packet to the web server, but when we use a proxy as a firewall, somehow we must get that packet to go instead to the proxy server, and there are two ways to do that. You can actually configure the browser; you can find settings in the browser where you can specify a proxy, which means when someone types in facebook.com, instead of your browser sending that request to the Facebook web server, it's redirected to the proxy server. So you'd specify a proxy server in the browser. I have an example; let's bring out the web browser. For example, in Firefox, I think if you go to the preferences and under advanced preferences there's network settings, connection configuration: configure how Firefox connects to the internet. No proxy is the default, don't use a proxy, and there are some other settings, for example auto-detect proxy settings from the network; there are ways that your browser can learn about a proxy from other devices on the network. Use system proxy settings adjusts for the entire operating system. Manual means you specify the address of the proxy; we'd say here whatever the address is, if we knew it.

So what is a proxy? We're getting to that. The proxy will receive the request and, as a firewall, inspect it, make a decision whether to accept it or not, and then, if it is accepted, forward it on to the real web server. It's this intermediate device whose security role is to check the request, check that it's allowed, for example whether you're allowed to send a request to Facebook, or whether you're allowed to send a request with a particular type of fields. And similarly, when the response comes back, the proxy will check the response coming back; it can check both the request and response. So first, in the browser we can specify to use a proxy; there are different types of proxies.
Alternatively, there may be a device in the network, say a switch or router here, that will redirect your traffic to the proxy. I think SIT uses that in some cases: where you open your web browser and try to visit Facebook, the network redirects you to the local SIT login. Although it's not used as a proxy, it's a similar redirection; it sends you not to the Facebook web server but to the SIT login web server. That can be used here to redirect the request to the proxy.

So what happens? Your request, the HTTP request, is sent to the proxy. The proxy in this case is the firewall, so it can check the request and, according to some rules or the setup of the proxy, it can decide whether to accept or reject the request. It may have a list of websites that you're not allowed to access, or vice versa, only some that you're allowed to access. The point, compared to a packet filtering firewall, is that the proxy is dedicated to web browsing, and it can check the content of the HTTP request message because it will understand that content. A packet filtering firewall simply checks the transport layer header and the IP header; it doesn't check the content of the transport data packet. If it's accepted, if the proxy or the firewall accepts it, the proxy sends the request on to the server. If it's not, then it doesn't get sent. The server receives a request for a web page. Who does the server reply to? Right, the server knows who to reply to based upon the source address of this packet, which will be that of the proxy. The source is that of the proxy, so the server will reply to the proxy. What the proxy will do is keep track of, again, some state information, so that when it gets the response it will send the response back to the correct browser. So the IP source address will be that of the proxy in this case. When the server gets it, it sends the response to the proxy, and again the proxy can check the content of the response and determine whether the response should be allowed through. It can check whether there are viruses inside there, or whatever it can be set up to monitor, and if it is accepted then the proxy forwards that back to the correct web browser. So the proxy acts as a web server, in that it receives a request and sends a response to the original browser, and it also acts as a client for web browsing, that is, it acts as a web browser that sends a request and receives a response. The proxy typically acts as both entities in the client-server communication. It's special software that can receive a request, then check it and then send the request on to the real server, and similarly with the response.

The advantage of using a proxy is that it can check the content, the application specific content. It will understand the structure of HTTP requests and responses and it will have some software to check what's in those, so you'd specify rules specific to web browsing. The disadvantage is that usually each proxy is only per application. This is a web browsing proxy; it doesn't do anything for, say, secure shell connections or FTP connections or email connections. You'd need a separate proxy if you want to monitor or control those other applications. So a proxy is usually per application. If you want to cover all applications you need multiple proxies; they could be running on the same computer, but multiple different pieces of software to do this, and it becomes quite complex to cover every type of application that someone may use. A packet filtering firewall doesn't care about the application; it just looks at the IP header and the transport protocol, so it covers all applications. Those are some of the trade-offs. Our packet filtering firewall will work for every application; it doesn't matter whether it's HTTP, secure shell, FTP or anything else, it doesn't check that information, it just checks the transport layer ports and the IP addresses. Our proxy will usually be specific to an application.

We will not say too much more about proxies; they are used in a number of cases. Maybe the one thing that is also a disadvantage is that, even if our request and response are accepted, it may not be transparent to the user. That is, the user may notice that something has changed, in particular from the server's perspective: even though the original request comes from the browser, the server thinks it comes from the proxy. So something has changed by introducing the proxy, and that can have an effect on the operation of those applications. In some cases the proxy needs to be complex in the way that it keeps track of which response from the server must go to which particular browser. Say we have a proxy for SIT: there are hundreds if not thousands of web browsers inside SIT accessing many web servers, let's say accessing Facebook, and all the responses coming from Facebook all go into our proxy server, which then must determine which response is forwarded to which browser. It does that usually by using special port numbers to keep track of where the response should go to. That adds some complexity to the proxy, and it may slow down the communication, since it takes some time for the proxy to process and determine where to send it to. So there's a potential performance bottleneck in that case, and also if your proxy fails as it gets overloaded, then again everything fails. The packet filtering mode is generally faster because it just looks at the headers of the packets, and the headers of the packets are almost always in the same positions when the device receives them, so you can even create hardware to look at those headers, which is very, very fast. Whereas with the proxy you usually need to look at a lot of information in every packet to make a decision, and that's usually done in software and is much slower, which is mainly important when you have thousands of parallel connections going through that proxy or firewall.

You've probably heard that countries may have a firewall. What's the name of the firewall in China? The Great Firewall of China. OK, there's the idea that in China they basically have filtering of traffic from people inside China going out. It's not just one device that does it; when we talk about a firewall it's a set of devices which do things like we're talking about here: as a request comes from your browser going to some external website, there's some device that intercepts that and checks whether it should be allowed or not. And of course, to allow millions of requests coming through per second you need a lot of resources in your proxy, or in general in your firewall, to handle that. It could slow down internet access.

What was the other one? That was the application proxy; that's per application. You would have your proxy server, and you may install special software to act as a web proxy and another special piece of software to act as, say, an FTP proxy for file downloads, and others. So it's per application and there's extra overhead for dealing with that. It can be more secure than packet filters because you can check more content; you're not just limited to making decisions on the addresses, you can make decisions based upon the content.

A circuit level proxy, or circuit level gateway, is very similar to application level, but it's usually per transport connection as opposed to per application. Let's see if we can draw that. It's specific to TCP, usually. With our application proxy we needed a separate one for every type of application; with a circuit level proxy it's not per application, it's just for TCP connections. I'll just write circuit here, so this is the actual firewall. Similar concept: we intercept the packets, but we don't intercept HTTP requests, we intercept the packets belonging to a TCP connection, for example the SYN and SYN-ACK. When the client sends a SYN request to the server, it's intercepted by the circuit firewall, so effectively they create a TCP connection between the client and the circuit level proxy using the SYN which is intercepted. The circuit level proxy forwards that SYN on to the real server if it's accepted, and will establish a separate connection there. The end result is that the client creates a TCP connection to the firewall and the firewall creates a separate TCP connection to the server to transfer the data. It doesn't matter what data: web browsing data, email, secure shell. It's specific to TCP only. And again, similar to the application proxy, the circuit proxy can intercept and make decisions about what to allow and what not to, but it may not be looking at the content in as much detail as an application level proxy. So it's intended to work for multiple applications, but that may be a limiting feature, in that it may not be able to look at the content of all applications. This one we don't see as commonly as the others, but it's used in some special cases. I think the main point to be aware of is that a proxy intercepts the messages from the client to the server, and as it intercepts them it can check the content, as opposed to our packet filtering firewall, which will just check the headers, the sources and destinations. But checking the content takes more effort, so it can reduce the performance of the network, but it can be potentially more secure and make better informed decisions.

To finish, let's look at a couple of examples of where to put a firewall. In all these cases, where should the firewall be? Of course we could locate firewalls on the hosts, so every PC, every laptop has firewall software running on it. We could do that, on the end user computers, on the office computers, on all of our servers, a firewall installation. But that becomes unmanageable once we have a reasonable number of users, because it's hard to maintain the firewall installation on every separate computer. So when we have a large number of users, rather than locating a firewall on every end device, maybe just have one firewall on an intermediate device. Often that intermediate device is a router, or plays a similar role as a router.
So that's more common when we have larger networks: to have one device. We don't necessarily have firewalls on the end user devices; the firewall is located on some network device that is the connection between inside and outside, the internal to the external network. It's common to take the internal network and break it into two zones, usually. Our internal network will usually have two types of computers inside. For SIT we have all the computers for the users, like the lab computers, the lecture room PCs, the laptops and so on. These are all the end users' computers, and normally people from outside should not be able to initiate connections to those computers. Someone out on the internet should not be able to connect and log into the PC here in the lecture room. This PC in the lecture room may want to access websites out on the internet, initiate connections out, but connections should not be allowed to be initiated in to this PC. That's the typical operation. But also inside our organization we may have some servers that we do want to make publicly available: we have a web server, an email server, that we want people outside to be able to access. So we have two types of computers, and we separate them into the ones that we want to allow the people outside to access, say the public facing servers, and then the other computers, like our lab, office and lecture room computers, which are internal only. We may even have some internal-only servers, just for internal users, not for external users. So a common way to use a firewall is to locate those public facing servers in a demilitarized zone, a DMZ. We separate our internal network into two zones, and here are two different implementations of that.

Let's look at the top one first. In this picture, the top picture, this red box is a router that connects the internal network to the rest of the world, so that connection here is going to outside, external; this is all internal. This green block here is the firewall. It could be on the router, but normally, in this case, it's a separate device. The DMZ hosts the public facing servers, including a web server, maybe an email server or other servers that we would like to allow people outside to access. They are internal computers, but we want to allow others to initiate connections to them. And then we have all of our other computers, like our office computers, lecture room computers, lab computers, which we say are internal; here it's called the intranet, our internal network, and we don't want to allow people outside to make direct connections to them. So this is the example of the DMZ, the zone which is sort of in between internal and external. The firewall should be set up with rules such that anything coming from outside not going to the DMZ should be blocked, should not be accepted. If anything comes from outside, it gets to the firewall; if the destination is not someone in the DMZ, like the website, it should not be allowed in. It should only allow something in if it's going to the web servers, email servers that we allow the public to access. That makes the firewall very simple: block outside users getting in. And again we come back to wanting to make the firewall as simple as possible to set up so that we don't make mistakes. We should also have rules to, for example, allow the internal users to access out, assuming we want to allow our internal users to access external services, so we'd have rules for that. And let's say here we only have a web server; that's the only server we want. Then again the firewall would be configured not just based upon IP address but also port number: anything coming from outside not going to port 80 (a web server uses port 80), anything that's not going to port 80, drop. So it's very easy to write a rule to do that, and that makes it very simple and very unlikely that you'll make a mistake.

An alternative implementation is to use two firewalls. So there are two separate firewalls here. The DMZ again is the public facing servers, our website, say, for SIT, the email server for SIT; we want to allow people outside to access them. This first firewall would be set up so that for something coming from outside that reaches this firewall, if the destination is the SIT website, allow it in; if it's not one of our public facing servers, block it. What's the advantage of two firewalls here? It goes to the first one. With one, well, it may be easier. What's the disadvantage? We need two different devices, or two devices, to maintain; it costs more to set them up. So we'd prefer to have just one firewall, so why would we use two firewalls in this case? More secure. How is it more secure? You can get a filter wrong and it still should be blocked by the second one. OK, so it can be more, in theory the first one can be just as secure, but this one is probably easier to set up and less likely to make mistakes in that case. So this second firewall, close to the internet here, anything that's coming from outside, that is coming in on this interface here, should be blocked. There's no response to a connection. When I say anything coming in, I mean the connections initiated from outside, for example our TCP SYN packet. Anything that arrives in here that is not related to a connection that was established from an internal computer should be blocked, because there's no reason for someone out here to access anyone on the internet, and there's no reason for the website to initiate a connection to someone on the internet. So this firewall can be set up very easily: anything coming in that's initiated from outside, block it. Block or drop? Correct, they mean the same thing. Similarly for the first firewall: anything coming in that is not destined to our public servers, drop it. And if you make a mistake on the first one, maybe you do allow something in going to a port, to an IP address which is not here but is someone internal; if you do make a mistake on the first firewall, you add the wrong rule, then the second firewall should still block it. But the second, right, if you misconfigure both of them then you get fired from your job. But the chance of doing it on the second one is very hard, because everything that's initiated from outside, drop everything. There's no need to accept anything that's initiated from outside, and that could be set as a default policy, so there's no way for something to get past that. Whereas in the first firewall we need to add some rules to allow people to access our web server, our email server, and maybe we do that based upon IP address; maybe we enter in the wrong IP address. If we're using the first firewall implementation at the top, if we set a rule thinking we're allowing access to the website but in fact it allows someone to access someone on the internet, then that can be a potential compromise of security. In the second case the second firewall would block that. So it's all about reducing the impact of errors. The firewall examples we went through had like five rows in the firewall table and the SPI table. I'm sure you'll all get them correct, you will not make a mistake, but real firewalls maybe have hundreds of rules in the firewall table, and that becomes quite hard for the human to manage and make sure they don't make a mistake.

This is just another picture of the second case, just with a few more details of the network devices, but again two firewalls, external firewall, internal firewall, and the DMZ. We may have internal servers that only people on the inside can access, but our web server, email server, DNS server should be accessible to people out on the internet; the external firewall will control that. So it's just the same as the previous slide, the second picture. Firewalls control traffic into and out of a network or a computer, if we have a firewall on an individual computer. They can control based upon servers or services, what website or what server you're accessing; the direction of traffic, that's coming in or out; you can control based upon users; we
haven't seen any examples of that but you could filter based upon which user is sending the traffic and behavior like application proxies look at the content we've spent some time on packet filtering firewalls where we write rules to accept or reject packets based upon the headers and we extended that with stateful packet inspection which keeps track of pass connections to make it a little bit easier for the firewall administrator and today we've mentioned proxy firewalls which act as a a relay server the client connects to the proxy the proxy connects to the real server and that allows the proxy to inspect the traffic in more detail it's all about making it as simple as possible so that we don't have errors when we set up firewalls because if we make errors it may allow someone to compromise the network there are issues that if we set up a firewall let's say to block everything but web browsing we don't allow secure shell we don't allow email so we just allow web browsing then there's still ways for people to use web browsing and HTTP to tunnel to carry traffic from those other applications so there are ways to bypass security policies which try to block some applications by sending that application data via accepted applications tunneling we may see examples of tunnels in a later topic when we look at VPNs virtual private networks and of course firewalls can be bypassed if people use other devices that connect to a network that doesn't go via our firewall if you're inside SIT you can bypass the SIT firewall by using your 3G connection and that can be a security concern for the organization or you can bring in a laptop or a USB device which contains a virus and the firewall cannot protect the network against that so you need other methods to do that deep packet inspection is really about we said with packet filtering firewalls we just look at the headers more advanced firewalls will look not just at the headers but the content and so we inspect the packet in 
detail it's referred to as deep packet inspection and it allows very fine tuned control of what comes in and out but it may have a significant impact on performance so there's a lot of work on how to do that efficiently any questions on firewalls we have one more example to go through
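The two-firewall DMZ design discussed above, as an added simulation that is not part of the lecture: the outer firewall admits only traffic for the public servers on port 80 (plus replies to connections an inside host opened, the SPI table), while the inner firewall's default policy drops every externally initiated connection, so a wrong IP address in an outer-firewall rule is still caught. All addresses, ports and rule tables are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port
    syn: bool   # True for a TCP SYN, i.e. a connection initiated by src


# Constructed addresses for the lecture's topology (not real hosts).
DMZ_WEB = "203.0.113.10"   # public-facing web server in the DMZ
OFFICE_PC = "10.0.0.25"    # an intranet computer that must stay unreachable
DMZ_NET = "203.0.113."     # DMZ prefix; other inbound destinations are intranet


def external_fw(p, public_servers, spi):
    """Outer firewall: accept inbound traffic only if it is for a public
    server on port 80 (rules the admin has to write, and can get wrong),
    or if it is a reply to a connection an inside host opened (SPI table,
    keyed as (inside host, outside host))."""
    return (p.dst in public_servers and p.dport == 80) or (p.dst, p.src) in spi


def internal_fw(p, spi):
    """Inner firewall: default policy drops every connection initiated from
    outside; only replies to internally opened connections get through."""
    return (not p.syn) and (p.dst, p.src) in spi


def inbound(p, public_servers, spi):
    """Walk an inbound packet through the topology: the DMZ sits behind
    the outer firewall only, the intranet behind both firewalls."""
    if not external_fw(p, public_servers, spi):
        return "dropped by external firewall"
    if p.dst.startswith(DMZ_NET):
        return "accepted (DMZ)"
    if not internal_fw(p, spi):
        return "dropped by internal firewall"
    return "accepted (intranet)"


if __name__ == "__main__":
    outsider = "198.51.100.7"
    # Correct outer rule: only the DMZ web server is public.
    print(inbound(Packet(outsider, DMZ_WEB, 80, True), {DMZ_WEB}, set()))
    # Admin typo: the office PC was entered as a public server by mistake.
    wrong = {DMZ_WEB, OFFICE_PC}
    print(inbound(Packet(outsider, OFFICE_PC, 80, True), wrong, set()))
```

Running the block shows the typo case reaching the intranet boundary and being stopped there, which is the "reducing the impact of errors" point from the lecture.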