 So a firewall is something that we'll use to protect a computer or a network, protect it from traffic, data coming in that could be malicious. So we're going to look at different types of characteristics of firewalls, different types of firewalls and some general design concepts of where to locate a firewall. So now we're looking at internet connectivity. So every organization has some internet connection. An organization, even at home you have an internet connection, however it creates a threat. Because having an internet connection means people who are not in your organization have a means for accessing your computer systems. And we're about trying to protect our computer systems. So providing internet connectivity is essential, but it also leads to a new threat on our organization or on our computer systems. So firewalls are one way to try and protect the organization's network, local area networks usually. So provide some protection. And in large organizations the idea is that we can have a firewall that will protect or provide some protection for all of the computers inside the network. Now it's slightly different from your home firewall, maybe on Windows at home on your computer you run a firewall on that computer. That firewall protects that one computer, but in many larger networks we can use a single firewall which provides protection of all of the computers inside the network. And we'll see how we can set that up. Protection in terms of we're going to control the data that can come in and out of a network. So we'll separate the networks into what we say inside and outside or trusted and untrusted. So this diagram for example we have a firewall of some component, we'll explain what it does. But a firewall the concept is that we have external networks e.g. the larger internet and some organization has their internal network. So SIT for example our network here for SIT is the internal one which we want to protect. 
We use a firewall to try to protect the SIT network from external users from everyone else on the internet. So we can talk about inside and outside with respect to the firewall. So in terms of your home maybe you have a home ADSL router, ADSL modem which has a firewall on it. This is your network inside your home with your computer or laptop and this is the rest of the internet. So the firewall is trying to provide some protection for this internal network. So it's inserted between the organization's network and the rest of the internet. And it should be inserted in such a way that we can use the firewall to control what goes in to the internal network and what goes out of the internal network. So it's a perimeter defense. It's defending against attacks around the edge of the network, the perimeter of the network. It acts as a point where we can control the security mechanisms used inside the network by directing all of the data into our network through the firewall. Then we can control in terms of setting up the firewall what can come in and what can go out of our network. And we can use it not just for controlling what goes in and out but keeping track of things, auditing, keeping track of what users are doing in terms of communications between inside and outside. So it's trying to protect the internal systems from outside attackers. So if we have some database storing our financial information on the internal network, we need network connectivity to allow efficient operation in the organization. But we want to protect and make sure attackers outside cannot get access to that information. Well, how do we do that? We provide some authentication on the database server, some access control. So these are the schemes we've gone through earlier. But we can also provide a firewall as another means of protection to stop any data packets that try to come to the database server that are not allowed to come in. So we don't just use one security mechanism. 
We layer different security mechanisms upon each other. Authentication, logins, access control to control who can access what data. And now network access control or a firewall to control who can access the network. And in fact firewalls are sometimes referred to as means for access control. It's not access control for a file on a computer but access control to a network. Control who can access the network. So what should a firewall do? We'd like to control what can come into our network and also what can go out. We need to make sure all the data goes through the firewall. So all traffic is just the data that we send across our network. All traffic from inside to outside must pass through the firewall. Why didn't I say it? And I think also the other way. I should have said from inside to outside or outside to in. So all traffic must go through the firewall. That's our goal when we design the firewall. If we're going to use this device and we'll see it can be some computing device to control what goes in and out. Then we must make sure that all of the traffic goes through that device. If our traffic can bypass the device then it can bypass the security mechanism of our network. So an example. Let's say for the SIT network. Let's say all of the data that my computer sends while it's on the wireless LAN. So my computer which is part of the SIT network sends out and also comes into my computer. All should go through the SIT firewall. Some device in the computer center on the second floor. But what if I use my 3G modem? My mobile phone to get internet access. So from my office I connect my laptop into my mobile phone and I get internet access through AIS. Some telecom company. Bypassing SIT's internal network. But still my computer which is on the SIT network has internet access. So there's a problem with firewalls. In that case the data going into the SIT network, into my computer and out is bypassing the firewall. So that's a common problem with firewalls. 
We somehow must make sure all the data goes through the firewall. We'll talk about that a little bit later as well. And we control the traffic. So we don't say nothing can go through or everything can go through. We set some rules to say according to the policy of the organization what can go through the firewall. So only allowed authorized traffic as defined by some policy. The person who runs the network creates a policy, sets it up in the firewall to allow authorized traffic to pass. So we'll talk about how we can do that. A firewall is a security mechanism. If the firewall itself becomes under attack and then therefore the attacker can take control of the firewall then they can defeat the security mechanism and for example change the firewall such that it will allow their traffic. So we need a firewall that it itself is very secure. Because if someone could say log in to the computer running the firewall and make changes to the configuration of the firewall then they could make changes to allow their traffic to go through and therefore defeating the purpose of the firewall. So the firewall itself must be immune to penetration. So how do we control traffic coming in and out? Here we're going to use your knowledge of how the internet works, the internet protocol and other protocols. There are four general techniques. Service control is really looking at the packets and what servers are going to. So when we send packets in the internet we use the internet protocol. And inside an IP packet we use usually a transport protocol like TCP or UDP. And the common thing about them is that we have IP addresses, source and destination IP addresses in the IP packet and port numbers in the transport layer packets. And port numbers identify usually applications. The port number 80 indicates that this packet is going to or from a web server. So the application is web browsing. Port number 25 is used for email servers. 
So a packet that contains port 25 as either source or destination indicates that this packet is related to email. And IP addresses identify particular computers usually. So the SIT database server for all the financial information that has a particular IP address. So based upon the addresses and the port numbers we can control what should be allowed in and out of the network. So control what services can be accessed. For example, for SIT everyone can access websites out on the general internet but no one can access any other type of service. That is you cannot access email servers. You cannot access secure shell servers, game servers which run on different ports. So that may be one policy. So internal users can access websites out on the internet but no other type of services. So if that's the policy then we'd set up the firewall to filter all packets that go to destination ports which are not port 80. Port 80 for web servers. If it's not port 80 do not allow to go out. Block the data. So the idea is to look at the IP packet. In particular the address and the port numbers to determine what do we do with this data. Do we let it go out? Do we let it come in? According to some policy. We'll show you again shortly the structure of the IP address to remind you. Direction control. Is it coming in to our internal organization or is it going out to the broader internet? Depending upon the direction we may do different things. For example, allow all SIT internal users to access websites out on the internet but don't allow any external users to try to connect to web servers inside SIT. So that may be one policy. So depending upon the direction we can do different things. User control. Depending upon who the user is. Have different policies. So all students cannot access anything on the internet. All faculty can access whatever they like on the internet as an example. So that would be the idea. So we'd have a policy that say students can access websites but nothing else. 
Faculty can access websites, email servers, secure shell servers. So depending upon the user we have different policies and our firewall should be able to implement that and stop the students from accessing the services they cannot. And the last one, behavior control. Look at really the content of the data that's being sent out and control what is allowed to go out. And a common example is that you send an email out. You're allowed to send emails through the firewall but the firewall even checks the content of the message. For example, does some spam filtering. If the firewall and the associated spam software thinks that the email contains a virus or spam, then it blocks it. So that's another form of controlling what can come in and out of the network. Based upon the addresses and port numbers, the direction, who's using or who's sending the traffic and the content of the traffic. So a firewall should be capable of what it says here define a single choke point. That is a single point where all the traffic goes through. Like my example, if I use my 3G, my phone for internet access then the traffic can go via the Wi-Fi network, through the SIT Wi-Fi to the SIT firewall, or go via my 3G connection to some other ISP bypassing the firewall. That's not good and we'll see that's the limitation of firewalls. If we've got a means for bypassing it then the firewall is ineffective. So we need some other means for bypassing that. How can we do that? Well again, maybe that requires some non-technical means. That is tell all the users of your organization that we have a firewall for a reason. You should use the internal systems for access. Don't use your mobile phone for internet access for your laptop. Especially if there's important information on your laptop. So within the organization, if you're an employee of a company use the internal network. 
Don't use external mechanisms because if you use those external 3G modems for example then you can bypass the firewall and allow attackers to get access to the network. So we need firewalls to make sure the traffic goes through the firewall. We need to set up the network so the traffic goes through the firewall. If not then we have some limitations. A firewall not just controls what goes into the network but can also monitor what's happening. So it's not just about blocking things going in and out but also monitoring for example how many packets are coming in. Maybe in the case of a denial of service attack. Maybe the number of ICMP packets coming into SIT per second is increasing. So by monitoring what's happening we may be able to take some action and maybe inform the internet service provider beforehand to stop the traffic. So firewall is not just controlling traffic but monitoring what's happening to use it for other purposes. Monitoring for example who's accessing the SIT network at different times to then use it for intrusion detection profiles to build up statistics of typical patterns that were used in the previous topic of trying to detect intruders. Because firewalls are usually set up that all of the traffic comes in via the firewall and goes out via the firewall it can also be used for other functions, sometimes other non-security functions. Accounting services or keeping track of who's sending what. So let's say the computer sender wants to keep track of how much data or how much traffic students generate coming from internal out to the internet and maybe even control that and say that students have some quota that they cannot send data above a certain amount per day through the network or a download quota. So to monitor how much is being downloaded by particular people inside the network is something that the firewall can do. We're not trying to explain this one too much but it can be used for other security purposes. 
A virtual private network is a common thing that allows external users to connect to an internal network but using some form of encryption across the internet so others cannot intercept. So providing a private network from someone say in their home to the internal organisation's network, the virtual private network, and a firewall often serves as a good place to put the endpoint of a virtual private network. We'll return to VPNs maybe in the last topic of this course. What can firewalls not do? They can't protect against someone that bypasses the firewall. So again if you use your other means of internet access then you can bypass the firewall. They cannot protect always against internal threats. So usually the firewalls are set up to be more lenient towards internal users. Not always but they allow internal, give some trust to internal users. But if there's a threat from an internal user then firewalls are sometimes not so effective at blocking those threats. And of course a firewall cannot block me as an internal user doing something malicious on an internal server in SIT. That is communications internally don't go through the firewall and therefore the firewall cannot control that. Okay this one is related to the first one. If you can use technologies to bypass the firewall then again the firewall is not effective. So if you use, say you set up your own wireless LAN access point in your office just for your convenience but someone else accesses it. So I set up an access point in my office; all of these access points direct their traffic to the SIT firewall. But if I set one up in my office then effectively anyone who accesses that access point, maybe if it's not secured correctly, has access to the internal network. So again there are means for bypassing the firewall. If they are used then the firewall is ineffective. And that's I think the last one is related as well. 
Even USB drives if a firewall is there to protect against malicious software coming in still it doesn't stop someone from bringing their USB drive plugging it into their computer and then becoming infected that way. So it only protects against traffic that goes through it. So how do you avoid these limitations? Any ideas? A firewall cannot stop this but what can an organisation do to stop someone using their USB drive to copy files from their home? They plug it into their internal computer and that infects their internal computer and then starts performing malicious things on all the databases inside SIT. How do you stop that? Sorry? Set a policy. Set a policy. What policy? Don't use USB. Okay? Yes, so often you need non-technical ways to control that. So inform the users about, so educate the users about what are the dangers of using a USB. Now say to all the students don't use a USB inside SIT I think it's not going to work. Okay? Even with all the staff. Even if we had a policy that said you cannot use a USB I'm sure people will bring in a USB and plug it in. So if we want even more security, what can we do? Okay, so on those computers that the people plug their USBs into have some access control, some firewall on them. Anti-virus to stop viruses is the main one in that case. So perform some monitoring locally. So that would be better. But very inconvenient because now you need to set that anti-virus up on every computer in the network. Make sure it's up to date on every computer in the network. Any other ideas? Stop. In highly secure computers they just fill up the USB ports with some... some... glue type material and then no one can plug a USB in there. Okay? So in military networks and so on or on computers they actually physically stop people from using those devices. Okay? So even if I try and bring my USB in I can't plug it in. Now again that's assuming that the computer that the user has access to is controlled by the organization. Okay? 
So you need to have different levels depending upon what your security requirements are. But firewalls will not help in those cases. So let's look at how firewalls work and the different types. And we'll go through four different types. Packet filtering, the simplest and the concepts of most of them are built upon packet filtering. Essentially packets come in to the network or going out to the internet and we filter which ones can come in and out based upon the characteristics of those packets, based on the headers of the packet. So we'll look at that. Then we'll look at sort of an extension of that is to keeping some record of what's happened in the past. Some states, some state of what packets have been accepted or rejected in the past to make decisions. So we'll look at that. And we'll look at two forms of proxies. In all of these cases we'll see normally a firewall for a large organization is implemented on a router. That is on a device which packets normally pass through. So a router is a device that connects multiple networks together. So normally without a firewall we need a router to connect our internal network to the external internet. So we'd normally have a router here. So it makes sense to and all the packets pass through that router. So it makes sense to put the firewall on that router because it's just a simple extension in terms of software. A firewall may be software running on an existing piece of hardware. So a router, if we have a router that we buy through our network most routers will include some firewall capability, some software to control what comes in and out. It may be a dedicated device which is built mainly as a firewall or it can be just some software you install on a general purpose computer. For a network we usually implement it on a router or a device at least that the traffic normally goes through. On your home you may implement the firewall on your computer on the end host but that only protects one computer. 
So if you have your firewall installed on your Windows computer it's a common thing for home networks but it's only for that one computer. If it's installed on your PC it's not going to help your laptop. You need to install a firewall on the laptop. So in networks usually it's implemented on a router so we don't have to depend upon a firewall on every single computer just one for the entire network. Because all the data is going through this router it may do other things, not just be a firewall. We have to do many other things. We've mentioned a virtual private network. Some of you probably know about network address translation so it's a good location to do that. And accounting, keeping track of who's sending what and if there's some charge involved maybe not to the end users but eventually to some department. So a large organization that whoever uses the internet the most to pay per year for that amount then that's a good place to count. So let's look at packet filtering. We have some security policy that the organization wants to apply what can come in and out. So we implement that policy by a set of rules. And the rules define what packets can go through the firewall. Assuming a firewall is a router connecting internal and external the rules define what can go through it. That is what can pass and what cannot. So packet filtering firewall looks at every packet that comes into it and checks that packet against some predefined rules. And if the rules match it takes some action. For example the rule may say if this packet is destined to the internal network and destined to a web server on the internal network then don't allow it through, block that packet. So that would be the rule as a packet comes in the firewall compares the packet against that rule and if it matches that packet is blocked that is it's not sent in, it's deleted. So we take some action based upon the matching rule. So we define a set of rules. 
Depending upon our policy what we require we define a set of rules and then for the case that we don't have rules we have some default actions. So all packets to this web server blocked all packets to from this student user are blocked and then for all other packets by default we take some action. And the actions are usually accept or drop. We accept the packet to go through or we drop the packet we don't allow to go through sometimes called accept, allow or forward that's positive and drop, reject or discard or block is the other one. In terms of default policies we've got two options. We have a set of rules and then anything that doesn't match those rules by default we accept, that's one default policy the other is anything that doesn't match the rules by default we drop. And dropping is the recommended approach for security. The idea is that someone who sets up the firewall the administrator must create the rules. So they program in the rules according to what they want to achieve and then they turn on the firewall and the packets can start coming in. The idea is that if they create rules wrongly that is they don't create rules to capture all the things that they want then the packets will be dropped if we use a default policy of drop and therefore those packets will not be allowed into the network. The problem with that is that it will be inconvenient for users who think those packets should come in. So let's say I create some rules that say all packets from... I try to set up the rule saying all packets from students cannot go out to the internet so students cannot communicate with the outside internet. So I create a rule but if I configure it wrongly and I set it up such that all packets from anyone cannot go out to the internet. So I make a mistake in the configuration actually I've got this backwards in that case it's going to be secure but inconvenient. If we... We'll come back to that one. I'll think of a better example in a moment. 
We'll come back to the default policies with an example in a moment. Let's look at some details. How do we check packets? Here's an IP packet header. Just to remind people I think many of you have seen this before if you can't remember the structure that's okay but an IP packet, every packet that comes into or out of our network has this structure and these are the header fields, this is the data. So the important parts normally are the source and destination IP address. The packet header has the address of which computer sent this and which computer is it going to. So we can use those fields as the packet comes into the firewall to make a decision. Is this packet going to the web server inside SIT? Is it going to the database server? Is it going to Facebook outside? And the firewall can be configured based upon the IP addresses to take different actions. Any packet that is destined to the IP address for Facebook is blocked, for example. So configure the firewall to block all packets to the Facebook web server. To do that, you'd need to know the IP address of the Facebook web server and configure that in the firewall. As a packet comes in, the firewall, it checks the destination address. Does the destination IP address match the Facebook IP address? If so, drop this packet. If not, let it go through. So we can filter based upon IP addresses. We can use that for identifying users sometimes. How do we distinguish between students and faculty or students and staff? We can do it with the IP address. That is, my computer in my office has an IP address assigned by the DHCP server inside SIT. So my computer has an IP address. And all the office computers of the faculty members have IP addresses. It's set up such that those IP addresses are within some range, within some subnet for the faculty members. Whereas when you log into the SIT network using Wi-Fi, you get an IP address from a different range. 
And that's one way that the firewall can distinguish between students and faculty. Now, when a packet goes to the firewall, the firewall looks, is the source address in the range that is assigned for students or is the source address in the range assigned for faculty members and then apply different actions depending upon the source address? So that's one trivial way for distinguishing between types of users based upon source addresses. What else do we use in the IP header? So mainly the source and destination address are useful for a firewall. The protocol number is also useful. The protocol field in an IP header tells us what transport protocol is used. It has a number 6 if TCP is used, 17 if UDP is used, 1 if ICMP is used, and the other numbers for other less common transport protocols. So now if we want to distinguish between the transport protocol being used, we can do so. Because some applications, many use TCP, some use UDP, other transport protocols are not so common. So the firewall could be configured to take actions depending upon the transport protocol, and we can know that from this field. So this is the IP header and IP packet, the header and the data. The data contains a transport layer packet. For example a TCP segment or a UDP segment. So let's look at the TCP header. This is a TCP header and the two values which are commonly used in the TCP header are the source and destination port. So this is all included inside the IP data. So again, based upon the port numbers our firewall can inspect and compare against a set of rules to determine what action to take. So if the firewall is configured to block access to web servers outside, then the firewall would have a rule. All packets with a destination port of 80 going external are blocked. So when a packet comes into the firewall it looks in the TCP header, destination port. If it's 80, it matches that rule and this packet will not be sent out. If it's not 80, then it can be sent out. 
What else can we use in the TCP or the TCP header? The port numbers are used because they indicate applications usually. In more complex, we'll see in stateful packet inspection firewalls the flags indicate the type of segment. Is this a TCP SYN segment? Is it a TCP ACK segment? And those flags can be used to determine what is allowed in and out. So the flags determine the type of segment and they are also used sometimes. This is UDP. The UDP header also has a source and destination port so we can use that in the same way with TCP. UDP is used a lot for gaming applications, multimedia applications like video streaming, voice calls. So we can apply the same on the ports because most game servers, streaming applications use common port numbers. So if we know the port number we can block or allow based upon what we want to achieve. So that was just a reminder of the packet structures which is summarized here. So what can we use in the rules? IP addresses. They identify computers or networks. Port numbers. They identify servers usually. Applications in general. So port 80 means a web server. Port 25 email and then many others. Protocol number identifies the transport protocol. TCP or UDP or something else. The other thing which is not inside the packet but from the firewall it has many interfaces. At least two usually. One cable plugged into the internal network and one plugged into the external network. So based upon which interface the packet came from we know the direction. So we can use the interface to determine where the immediate source or destination. In some cases you can use... So transport layer headers, some fields are used. In some cases like the SYN and the ACK flags are used. Sometimes Ethernet fields can be used. The MAC address. So you can filter based upon MAC address. So other fields are also used but these ones are common. So we can create rules using this information. What are the rules? Well a set of conditions. 
If these conditions match take some action. That's what a rule is. And the conditions are the packet information and the direction usually. If the source address equals this and the destination port equals this then take this action. We can use wildcards, the concept of if the source address equals any of these values. So not just a single value. And the actions are typically accept or drop. So if this condition is true then accept this packet to go through. If not, drop the packet. Do not allow it to go through. And often we can think of the rules being processed in order. So we come up with a table, a set of rules. A packet comes into the firewall. The rules are in some table stored in the configuration of the firewall. The packet comes in. The firewall checks the packet information against the first rule. If it doesn't match check it against the second rule. And the third rule. And keep going until you've checked against all rules. And that's when the default action comes into play. If it doesn't match any of the rules take some default action. Let's have an example. Any questions about these concepts so far? Many of you may have used or maybe seen firewalls on your own computer. Even on your maybe home ADSL router. So you may have had some experience with these concepts. An example which I don't think you have in front of you but that's okay. You'll follow along. Here's an example network. Let's just explain it first. Don't worry about copying it down. Just follow the simple example. There are different networks. So this is an example internet. There's different networks and I've given them IP addresses. 1.1.1.0 represents this network. And there are two hosts on it. Or assume there are many hosts but we'll just focus on these two. So there's 1.1.1.11 1.1.1.12 are the IP addresses of these two hosts. And there may be others. And this is a router. Router A that connects this network to this network. 1.1.0.0 slash 16. And some other hosts. And so we have what? 
Six subnets. And assume there are many hosts on each but I've only just drawn some of the hosts. So our example network. And for this example let's say this is our internal network. We want to protect this network against the rest of the world. So this router we set up a firewall to run on this router. And we want to configure this firewall such that we can meet some or implement some policies. So we have some policy what we want to achieve. Therefore we implement some rules on the router to try and control the traffic coming in to our network and maybe even control what goes out. So we'll just go through two simple examples of implementing some rules. There's a secure shell server running on computer 11. This one. 1.1.1.11. There's a server running on there and the server is a secure shell server SSH. Meaning someone can log into it in the same way that you can secure shell into ICT server. We want to block external users from accessing that secure shell server. How do you do that? Define the rule that we'd implement on the firewall to block external users from connecting to the secure shell server. Write down or tell me the rule that you need to apply. What should my firewall do when it checks the packets that come in or go out to make sure that external users cannot access the secure shell server here? You want to have a design or a rule? Think about one. What will you do? How will you block access to a secure shell server? It's a very good question. I want a better answer. I type the setting as the rule that... Okay, you're on the right track. Port number. The first hit, block to a secure shell server. So how do we identify to a secure shell server? What identifies a secure shell server? Well, servers are usually identified by port numbers. Anyone know the port number for secure shell? It's 22. So you don't have to remember that. 
You can look it up usually in some database or list of port numbers, but you would need to find out that if you set up this firewall and you want to implement this policy, then we'd need to know secure shell servers use port 22. Web servers port 80. Different servers, different ports. Secure shell servers 22. So we need to do something with a port number 22. What? So we know the port's 22. So what condition do we create? If packet information equals this, this and this, then block the packet. What are those conditions? What conditions? So think of a simple if statement. And what information can you use to make use of this information? IP addresses, port numbers, protocol numbers. So you don't necessarily need all of it, but you can make use of that information and create some conditions. If source IP address equals this and port number equals this, and then there'll be an action, say drop in this case, what conditions are you going to create here? If port number equals 22, let's consider that. Okay, and before you go on to end, if port number, in fact we have two port numbers, source and destination. Which one do you want? If destination port number equals 22, okay, and now continue, and destination IP address equals this one, 1.1.1.11. Okay? So from this router, if a packet comes into it, and we haven't said anything about direction yet, but this directional, this one, if the destination port is 22, that means this packet is to a secure shell server, because secure shell servers use port 22. So if the destination port is 22, and the destination IP address is this computer, then block the packet. Then the action is drop, or block the packet. So let's say computer 99 tries to connect to the secure shell server, and note the secure shell, like many applications, uses TCP. So before you send data, send a TCP SYN segment to the secure shell server. The destination port will be 22.
When this creates a packet, it needs to send to a secure shell server destination port 22. So, and the destination IP will be the IP of this server. So when that packet gets to router A, which runs the firewall, it will check that packet against the firewall rules. And what rule do we have? Ignore forward for a moment, but I've summarized the rule. If the destination IP address is 1.1.1.11, secure shell we know uses TCP, so we could also say the protocol is TCP. It may not be necessary, it could be any protocol, but secure shell only uses TCP. The transport protocol is TCP, and the destination port is 22, then the action is drop the packet. So this is the configuration of the firewall rule. Packet comes from computer 99. Source address, 99. Destination, computer 11. So it matches here. Source port was created by this computer, maybe 32,152. It's random. Destination port 22. Packet's here, matches here. TCP is used, so this condition matches. The three conditions match, so the packet information matches these three conditions, therefore the action is taken to drop this packet. That is, the router doesn't send it on, it deletes it. Therefore the packet doesn't get to the secure shell server, and therefore the secure shell server does not respond. It doesn't know anything about the packet. Hence this one cannot set up a connection to the secure shell server. So that's a simple example of using the packet information to block access to a particular server in this case. We could have blocked, so let's look at the rules here, the conditions. This is one rule, the conditions. Forget forward. Forward is just meaning this is a router when we only want to apply it on the packets that go through the router. Destination is computer 11, protocol TCP, and destination port 22, secure shell port. Where there's no other conditions, it means they can be any value. So I didn't list the source IP address here. So when I don't list the condition, it means that can take any value. 
So if the source address is 99, these conditions match, and this rule matches. If the source address is 47, this rule also matches, and therefore will be dropped. Now the question, what if we change the destination to not just a host IP address but a network address? We can do so. The addresses don't have to be individual hosts. The destination could be 1.1.1.0 slash 24. Meaning if the packet comes into the firewall, destination of anyone on this network, then drop. So we can generalize, rather than rules for specific hosts, we can use a network address for a rule for a specific network. In fact, you can use wildcards. More general, so think of the concept of a star, meaning any value in some range, or ranges you can use. Of course, if we use the network address here at the destination, it wouldn't implement our policy. Our policy is block access to this one, but we may want to allow access to 12. So it depends on the policy. Another one. Block access to web servers on network 3.3.3.0, this one over here, for computer 12. So computer 12 can't access web servers on anyone on this network, including 35 and 36. Just think about the rule for that. So that's our policy. That's what we want to implement. How do you implement that as a set of conditions? Think about the addresses, ports, protocols, any idea? You want to block access for computer 12. Maybe it's a student's computer inside SIT, and network 3 is the Facebook network, and we want to stop this student from accessing Facebook. How do we do it? So in this router, we have a rule. The conditions are, what's the first condition? Destination IP address equals 3.3.3.0. That is, the destination is this entire network, meaning anyone on this network. Destination is that. And destination port is 80, web servers, and protocol is TCP, web browsing uses TCP. If we didn't specify the protocol, it would still work, but protocol is TCP.
So destination IP is this network, destination port is 80, protocol is TCP, and source IP is computer 12's address. We're only blocking for this computer. We want to allow 11 to access Facebook, but not computer 12. If the source is computer 12, and the destination is anyone on this network, the protocol is TCP because web browsing uses TCP, and the destination is port 80, because web servers use port 80, then take the action of dropping the packet. User opens up their web browser on computer 12. They type in the domain, or make it simple, the IP address 3.3.3.35 on their web browser. So their web browser creates a TCP SYN packet. It sends it destination 3.3.3.35, and when the web browser creates a packet, it sets the destination port to be a web server. Destination port 80. Sends it. It goes to the firewall. The firewall checks the packet. The destination is 3.3.3.35, which is on the network 3.3.3.0, so it matches the destination address, because that network address matches any IP inside that network. Destination port is 80, because there was a web browser sending to a web server. And web browsers use TCP as a transport protocol, so the protocol matches, and it's coming from computer 12, so the source address matches. These four conditions are true, therefore the action is taken to drop this packet. It doesn't go out, and therefore it doesn't get to the website, and no response comes back, and therefore the user cannot access the website. So quite simple. We just use those addresses, ports, protocols in some cases, and create some conditions to implement our policy and take some action. In these cases the action was drop. We can also say the action is allow. We build up a set of rules. I'll make these slides available on the internet, and I think most of you have them for your lab. If you are taking the lab, they're in the lab manual, but I'll put them on the website today. So we can think of, we build up a set of rules.
We've gone through two, so we had two different policies, we implemented them each by separate rules. So the firewall really has a set of rules programmed into it, say a table of rules. Don't worry about forward, not important in this case. So we can summarize those rules in this table. Just another way to view the information. Rule number one was if the destination, and here we capture the destination IP and port. This is just a way to write it down. It doesn't, different software firewalls will implement this differently, but just a way to present it, saying if the destination IP is 1.1.1.11 port 22, the colon here separates the IP from the port number. If the destination is the secure shell server on 11, and the protocol is TCP, source is any value, then drop. That was our first rule. Our second one, block access to the web servers. If it came from source IP, computer 12, any port number, so the port number used by the web browser, we don't care what the value is. And the destination was someone on network 3.3.3.0, and it was destined to port 80, a web server, protocol TCP, drop. And the default rule in this case, the default action, any other values, accept. So this is the default policy of accepting, meaning, so we program information like this into the firewall. As a packet comes in, think the packet is checked against the rules one by one. If a packet matches a rule, the action is taken, and the subsequent rules are not applied. So if a packet matches rule one, the packet's dropped, done. If a packet comes in, and it doesn't match the conditions in rule one, then it's checked against rule two. If it doesn't match that, it's checked against this last rule, which it will match. It's the default because it will match any value, and it will be accepted. So we process the rules one by one in order on the table, and if there's a match, take the action and go no further in the table. If there's no match, just keep going to the next rule.
And the default policy will be the last rule. So here's a firewall table, or an example of a config of a firewall. Is it the same as a routing table? No. Even though the firewall may be on a router, a router and old computers will have a routing table. The routing table tells you where to send the packet. I receive a packet, I look at the destination address, and my routing table tells me to send it out to this direction. This is different, and they're separate. So it's doing similar things. It's inspecting the packet that comes in. The packet comes in, we compare the packet against this information, but this isn't telling us where to send, it's telling us whether to send it or not to drop or accept. But I think you notice that similar functionality, packet comes in, compare the packet against some table of information, take some action. That's why it makes sense to have a firewall on a router, because they already do that process of packet comes in, compare against table. In terms of implementation, it's not much harder. Any other questions about this? Yes. Yes, so this is an example of the default policy of accept. Which is not recommended. Let's try and come back to why it's not recommended. Let's say I make a mistake in the configuration, so someone needs to set up these rules and program them into the firewall. Here there's just two rules, but imagine there are 100,000 rules. You need to program them in and not make a mistake. Let's say I made a mistake and I didn't type 22 here. At the port I type 23. It's just a typo when I entered in the value. I was intending that I'd block access to the secure shell server, but I made it to 23, which is something else, Telnet, I think. What's the result in terms of security? A rule, if this is 23 here, a packet comes in destined to the secure shell server, destined to computer 11, port 22. But if this value is 23, then the packet wouldn't, would not match the first rule. It would not match the second rule. 
It would match the last rule, default, and that packet would be accepted. So a simple typo in my setup of the firewall means this packet, which we should have blocked, has been accepted. And that's the problem with the default policy of accept. If you make mistakes, you let everything in. Now, if you did the sort of the inverse and the default policy was drop, then we'd have to set it up such that we allow specific packets in. For example, we could add a rule to accept packets destined to the secure shell server on computer 12. So accept explicit packets that we want to meet our policy, everything else we drop. The result is if we make a mistake in the rules, the packet will be dropped. It won't be allowed in. And that's more secure than saying, let it in. So it's inconvenient for the users because some users may be blocked from accessing things, but it's more secure for the network. So that's why this example of using default accept is not recommended. You should use default drop and create rules to allow things explicitly. So you can implement the policies in different ways. We've just given one implementation. Any other questions about this concept? Let's go back to our slides. So this is the basics of packet filtering firewalls. We set up some rules, packets come in, and we filter packets based upon those rules. Do we allow them or not? And they can be very fast because that is the firewall, as the packet comes in, the firewall, if it's on a router, it doesn't take much time to check this information. This information is already checked for routing and for other purposes. So in terms of slowing down the packets that come through the firewall, it doesn't slow things down much. And in fact, a lot of these operations of comparing IP addresses, a packet comes in, compared to these rules, can be done in hardware even. And if you implement it in hardware, it can be very, very fast. It can come through in a process very quickly. 
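The rule table, the first-match processing order and the default-policy typo from the discussion above, worked through as an added example. This is not code from the lecture slides or from iptables; it is a toy stateless filter written for this page. Addresses follow the lecture's constructed example network (1.1.1.11 and 1.1.1.12 inside, web servers on 3.3.3.0/24); the external "computer 99" is given the assumed address 2.2.2.99, and the source ports are made up.

```python
"""Toy stateless packet filter: ordered rules, first match wins, default policy last."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from ipaddress import ip_address, ip_network

ACCEPT = "ACCEPT"
DROP = "DROP"


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    sport: int   # source port, chosen by the client (effectively random)
    dst: str     # destination IP address
    dport: int   # destination port, identifies the server (22 = SSH, 80 = HTTP)
    proto: str   # transport protocol, "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str
    src: Optional[str] = None     # host address or CIDR network; None means "any"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every listed condition must hold; a condition left out is a wildcard."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def decide(rules: List[Rule], default: str, pkt: Packet) -> str:
    """Check the packet against the rules in table order; the first match decides.

    If no rule matches, the default policy (the implicit last rule) applies.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The lecture's two policies as written on the slide, with default ACCEPT.
LECTURE_RULES = [
    Rule(DROP, dst="1.1.1.11", proto="tcp", dport=22),                     # rule 1: no SSH to computer 11
    Rule(DROP, src="1.1.1.12", dst="3.3.3.0/24", proto="tcp", dport=80),   # rule 2: computer 12 gets no web on 3.3.3.0/24
]

# Constructed sample packets (2.2.2.99 is an assumed address for the external "computer 99").
SSH_TO_11 = Packet("2.2.2.99", 32152, "1.1.1.11", 22, "tcp")
SSH_TO_12 = Packet("2.2.2.99", 32152, "1.1.1.12", 22, "tcp")
WEB_FROM_12 = Packet("1.1.1.12", 40000, "3.3.3.35", 80, "tcp")
WEB_FROM_11 = Packet("1.1.1.11", 40001, "3.3.3.35", 80, "tcp")


def typo_comparison() -> Dict[str, str]:
    """The lecture's mistake: port 22 mistyped as 23 (Telnet) in the one rule about SSH."""
    mistyped_block = [Rule(DROP, dst="1.1.1.11", proto="tcp", dport=23)]    # meant to block SSH to 11
    mistyped_allow = [Rule(ACCEPT, dst="1.1.1.12", proto="tcp", dport=23)]  # meant to allow SSH to 12
    return {
        # Default ACCEPT: the SSH packet we meant to block misses the rule and falls through to accept.
        "default_accept": decide(mistyped_block, ACCEPT, SSH_TO_11),
        # Default DROP: the SSH packet we meant to allow misses the rule and is dropped. Users notice,
        # but nothing gets in that the policy did not intend; the mistake fails closed.
        "default_drop": decide(mistyped_allow, DROP, SSH_TO_12),
    }


if __name__ == "__main__":
    for name, pkt in [("ssh->11", SSH_TO_11), ("ssh->12", SSH_TO_12),
                      ("web 12->35", WEB_FROM_12), ("web 11->35", WEB_FROM_11)]:
        print(f"{name:12s} {decide(LECTURE_RULES, ACCEPT, pkt)}")
    print("typo with default accept:", typo_comparison()["default_accept"])
    print("typo with default drop:  ", typo_comparison()["default_drop"])
```

Leaving `src` out of rule 1 is exactly the "unlisted condition means any value" point: a SYN from 2.2.2.99 and one from any other outside host both hit it. The protocol condition also matters the way the lecture says it does, so a UDP datagram to 1.1.1.11 port 22 does not match rule 1 and falls through to the default.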
So performance-wise, they're quite good. We'll go straight to the issues, we'll come back to the implementation. So that's simple. We just deal with a few characteristics of the packets, addresses, ports, protocol numbers. Very fast because the idea that the firewall needs to look at every packet only looks at the header fields. And those header fields are always in the same place. So you can actually create hardware that will do that processing for you. So it comes into the firewall, it quickly checks, blocks, it drops it, otherwise allows it. So there's a very small delay of the packet if it's allowed. Whereas some firewalls, they have to spend time looking at the packet before they decide to accept or not. And that can slow down the network. So they're very fast. Transparent to users means that from the end user's perspective, they don't know that the firewall is doing anything. Unless it's blocked, of course. If it's blocked, then they'll find out that it's doing something. But in the case that it was accepted, which one? The case that computer 11 accesses someone out here, the packets go through the firewall. If they're accepted, the computer 11 knows nothing. There's no change of the packets. From what's sent and what's received, the packets are not modified. We'll see other firewalls may change things. And therefore the users may notice. And that may cause problems with some applications and the performance of some applications. So it's good in terms of nothing changes in the packets. They're either dropped or not. What's the problems? They mainly look at the packet header information. To a web server, to a secure shell server. But they don't look at the content of the packets. So if there's some vulnerabilities in some application that someone can take advantage of, that depends upon the contents of the packets, the packet filtering firewall normally will not check the contents of the packets and will not be able to block them. 
They normally are not so useful for logging what's happening. They can log how many packets come in of particular types, but they cannot log detailed information and they usually are not used for logging which users are accessing things and so on. So they don't allow blocking and allowing traffic from particular users except based upon IP address. So they can block based upon IP address but based upon whether you've logged into the SIT login system for internet access, this firewall has no knowledge of that information and cannot take different actions based upon whether you're logged in or not. So you know when you log into SIT internet you supply your username and password but your IP address may be different. Today you're using your mobile phone, tomorrow you're using a laptop, you may get a different IP address. So in that case, the firewall may not be able to filter based upon individual users but we'll see later other firewalls can check who you are logged in as and therefore take actions depending on who you're logged in as. These don't support it. Some bugs or some problems of implementations of TCP meant that the firewalls could be attacked or could be bypassed but we will not go into that detail. If you don't configure them correctly, that means packets may pass. So that's the recommendation of using that default drop. Even then if you make mistakes in the configuration something bad may happen and it's not simple when you have thousands of rules there to make sure they're all correct and meet your policy. Where do you find packet filtering firewalls? Everywhere. They're in operating systems, most operating systems have them inbuilt. So Linux has iptables, Mac and BSD use something based on PF. Windows has its own firewall. They do packet filtering. You can install standalone software that also does packet filtering. I think you've used some of the different firewall applications and you can buy devices.
So this is more about on computers or you install a general purpose operating system on a router, but routers and specific devices as firewalls are available. So your home router has a firewall. You can buy dedicated hardware. So different companies sell a box which is a firewall. Or you can download or you can get software and install it on some hardware for the specific purpose of acting as a firewall. There are many different implementations. Let's just mention this concept. We'll cover it next lecture. The concept of stateful packet inspection. A packet filtering firewall looks at a packet, compares against the rules, accept or not. Then the next packet comes in. It looks and compares and accepts or not. It doesn't take a record of what happened in the past. So for this next packet that comes in, its decision to accept or not doesn't depend upon the previous packets. That makes it very simple. So it's based upon individual packets, not on past packets. So we say it's stateless. There's no state information recorded about what happened in the past. And that makes the implementation very easy. But it makes setting up rules to do some of the things that we want very complex. Because many applications create a connection. The idea is that if you allow the connection to be created then you should allow all subsequent packets of that connection. So if your firewall allows you to connect to a web server, all the packets sent between your browser and server as a part of that connection should also be allowed. And we shouldn't have to check them against the firewall. And that's what stateful packet inspection allows, is that once something's accepted, once a packet is accepted, the firewall may store some information saying, this packet is accepted, these two computers are communicating, they've been allowed to communicate. Any subsequent packet belonging to their connection is also automatically accepted. So store some state about past behaviour.
And we get stateful packet inspection. Inspecting packets based upon some past state, what's happened in the past. And we'll see that these are very common extensions of our normal packet filtering firewall. Most firewalls today include this feature. They introduce more overhead, more storage space, and sometimes that can be a problem if there are many connections. So we'll look at that on Thursday and then look quickly at two other types of firewalls. And we'll use, as some demos, iptables as an example of setting up some rules for some simple tasks of a firewall. So these slides are on the website and there's some instructions on iptables. This one I'll put on the website. But those that are doing the lab, I think have a copy of this already in their lab manual. Let's continue on Thursday.
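The stateless-versus-stateful point at the end of the lecture, as an added example written for this page (not the lecture's code and not how iptables implements connection tracking). The policy it assumes is a common one that a stateless filter struggles with: hosts inside 1.1.1.0/24 may open TCP connections outward, and only the replies to those connections may come back in. The addresses and ports below are constructed sample values; `max_connections` is an assumed cap standing in for the storage overhead the lecture mentions.

```python
"""Toy stateful packet inspection: remember accepted connections, accept their replies."""
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

ACCEPT = "ACCEPT"
DROP = "DROP"
INTERNAL = ip_network("1.1.1.0/24")  # the lecture's protected network

# (src_ip, src_port, dst_ip, dst_port, tcp_flags) -- constructed packet shape for this example
Pkt = Tuple[str, int, str, int, str]


def stateless_reply_rule(pkt: Pkt) -> str:
    """What a stateless filter has to do to let web replies back in.

    Without memory of past packets, the only way to admit replies from web servers is a
    rule like "accept TCP from outside with source port 80". That rule cannot tell a reply
    from an unsolicited packet that merely uses source port 80, so both are accepted.
    """
    src, sport, dst, dport, flags = pkt
    if ip_address(src) not in INTERNAL and ip_address(dst) in INTERNAL and sport == 80:
        return ACCEPT
    return DROP


class StatefulFilter:
    """Keeps a table of connections that were allowed when they were first opened."""

    def __init__(self, max_connections: int = 1000) -> None:
        # One entry per accepted connection: (client_ip, client_port, server_ip, server_port).
        self.connections: Set[Tuple[str, int, str, int]] = set()
        self.max_connections = max_connections  # assumed cap: the state table costs memory

    def decide(self, pkt: Pkt) -> str:
        src, sport, dst, dport, flags = pkt
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)

        # Continuation or reply of a connection we already accepted: no rule lookup needed.
        if forward in self.connections or reverse in self.connections:
            return ACCEPT

        # A new connection attempt is the TCP SYN. Apply the rule to it, and only to it.
        if flags == "SYN" and ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            if len(self.connections) >= self.max_connections:
                return DROP  # table full: the overhead the lecture warns about
            self.connections.add(forward)
            return ACCEPT

        # Everything else: an unsolicited inbound SYN, or a non-SYN packet of a connection
        # the firewall never saw opened.
        return DROP


if __name__ == "__main__":
    fw = StatefulFilter()
    browse = ("1.1.1.11", 40001, "3.3.3.35", 80, "SYN")
    reply = ("3.3.3.35", 80, "1.1.1.11", 40001, "SYN-ACK")
    unsolicited = ("3.3.3.35", 80, "1.1.1.11", 40002, "SYN")
    for p in (browse, reply, unsolicited):
        print(f"stateful {fw.decide(p):6s}  stateless {stateless_reply_rule(p):6s}  {p}")
```

The contrast is in the third packet: it arrives from the outside with source port 80, so the stateless rule must accept it, while the stateful filter drops it because no inside host opened that connection. The cost is the `connections` set, which grows with every accepted connection; that is the storage and overhead trade-off the lecture flags for Thursday.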