 firewalls. What's a firewall? I'm sure you've heard of it. You may even use one. What do you use them for? Has anyone used one on their computer? Yes. No. Anyone used a computer before? You're trying to think whether the answer is yes or no. And use antivirus maybe? Some people may have used antivirus. Yeah? Well you can block different things whether it's the teacher or blocking other students. Sometimes antivirus software comes with some firewall features and you may have noticed sometimes you try to access a website or a piece of software is installed and you may get a warning or a message saying your computer is trying to access the internet. Do you want to allow or block it? Sometimes messages pop up saying do you want to accept this traffic in or out of your computer? And that's the firewall functionality of that software taking effect. The general role of a firewall is to control traffic, control packets coming into or out of a computer or a computer network for security purposes to control what can happen on a computer or on a particular network. We'll look at the general concepts of firewalls and go through some examples of how we could set one up to control what goes in and out of a network. Firewall is a form of access control. We want to control who can access our resources. If a firewall is for a particular computer we want to control who can access my computer. Who on another computer can access my computer from a network. So say on my laptop I may have some servers running, a web server, I have my own network connection. Other computers can potentially log into my laptop but I don't want other people to log into my laptop. I don't want them to access my website or I don't want them to get remote access to my computer. One role of a firewall would be to control and block others from accessing my laptop via a network. More useful in larger organizations is that let's say for SIT we have all our internal computers. 
Let's say all the office computers, the staff computers, even the lab computers inside SIT, they belong to SIT. We don't want people outside of SIT to access those computers. We don't want them to access our database servers, the lab computers. Even though those computers have network connections, network access, we don't want outsiders to be able to log into my lab computer and do things. So a firewall may be used to control who can access from outside of our network in and we may even use it the other way. I don't want students in my lab to access Facebook. I want the students to be doing work so I could use a firewall to control what those inside the network can access in the outside. So the firewall will control what comes in and what goes out, either into a computer or into an entire network. So what are some characteristics of a firewall? Well the needs for firewalls, well let's see. We know with most organizations the internet is a key resource. Most organizations need network access to achieve their goals. But of course having internet connectivity for an organization creates a threat because those malicious users outside may be able to try and access our resources when they shouldn't be able to or they may be able to try and do a denial of service attack or install viruses on our computers and then do further damage. And a lot of that, those potential attacks come from outside. So a firewall can be a useful means for protecting a local area network or an internal network we generally say. In the picture we say in the cloud on the left the internal network, let's say the network inside SIT and the cloud on the right is the rest of the world, the internet. We want to have a device, hardware or software that controls what comes into the internal network and sometimes controls what goes out from the internal out to the external and that's the role of the firewall. 
We'll see that we can implement that on different network devices like a router or dedicated hardware and usually using some specialized software to control what comes in and out. So in large organizations usually a firewall is a separate device that runs some software which controls what comes in and out of the network. In a smaller organization or even in your home the firewall may be some software running on your computer. So on my laptop I may run a firewall which controls what goes in and out. The idea of having one for the entire organization is it's much simpler to control and configure. Let's say for SIT we have one device that controls what comes in and out as opposed to having a firewall software installed on every computer inside SIT. That would be much harder to manage to keep that software up to date to get it configured. So what we commonly do for large organizations is have a single device maybe multiple firewalls that control the entire network. So the firewall is commonly inserted between the internal network and the external network. So on some network device that connects internal to outside. Where would we put it in a network? What's a good location for a firewall? What network device could we put it on? If we think a firewall is a piece of software and we want to run it on an existing network device what's a good place to put it? At the front but give me an example of a device. Well start simple maybe for your home network where you have five or six computers at home where would you run the firewall at home? Where? Where would you run your firewall if you want to run a firewall for your home network again? Computer all right so if you want to run it on your computer let's say at home you have what three or four phones two laptops a desktop you have six or seven computers. If you want to run the firewall on the computer at home you need to run the firewall software on every computer to protect them all. 
You need firewall software on your tablet, on your phone, on your laptop and on the desktop. That's possible but as soon as the number of computers grows that becomes quite inconvenient. So not a good solution as the network gets larger. So what's an alternative? Run the firewall functionality on the router that connects your home network to outside. You have a Wi-Fi router or an ADSL or cable modem which is actually a router. That can have firewall software on it that controls what comes in and out and therefore controls and protects all devices inside, not just the single device. In an organization like SIT we have a router that connects our campus out to, actually we have from Bunker D out to Runxit, we could have a firewall there or where we connect to our external internet service provider. So we connect to the internet via an ISP; that device where the ISP's cable comes into, we could run the firewall on there. So that's more common to protect the entire network: have it on a router as opposed to on the individual computers. What do we want to protect? What do we want to stop with the firewall? What do you want to protect? The data in your computer, so you have some files on your computer, you don't want someone to remotely log into your computer and copy the files off. Yes? What are the things that you may want to do? Malware, malicious software. If someone sends you a packet or an email or some message which contains a virus maybe the firewall can have some control that says okay don't allow this message in because if this message comes in malicious software may be installed on one of your internal computers. So protect from malware, protect people accessing your computers, protect people inside or stop people inside from doing things that they shouldn't be doing outside the network and the example stop all students from accessing Facebook. 
So that could be implemented in a firewall, so this is not just controlling external to internal but preventing internal users from doing some things, so maybe in both directions. So we say it's a perimeter defense that protects the network from the outside; it doesn't protect individual computers directly, it protects the entire network. For this to work, for our firewall to be effective, we have a few goals in setting up the firewall and the network. First we must ensure that all the traffic into our network passes through the firewall. Simple example: let's say we consider a network for an organization like SIT. Here's our network and we have a gateway or router; this router connects to our internet service provider, our internet service provider which then connects out to the broader internet. So this is the rest of the world over here. So in this scenario maybe the obvious location for the firewall is on that router. What we would do is set the router up to act also as a firewall and as a firewall it can control what comes in and what goes out. So install the firewall on this router and that will control what's coming out of SIT and what's coming into the SIT network. Now the problem arises in that sometimes organizations have more than one connection to the outside world. We may have a second router that connects to another ISP, maybe our backup internet connection or a parallel one. So the idea here is the internal network has multiple connections to the outside world. Well our firewall must be implemented on all of those entry points, on all of those routers. If we implement the firewall just on this router but then we start sending traffic out of this link and it starts coming into this link then the firewall cannot control that traffic and the result may be that the malware comes in via ISP2 into our network. 
So we need a firewall on every entry or exit point to our internal network FW for firewall and that can be quite complex for large organizations because they have more than just two, they may have multiple points of entry. The next thing is that we must have some rules or some policies that specify what can come in and what can come out. Can someone suggest some policies for SIT? What's a suggested policy for SIT for what should come in and what should go out? Say when you're accessing the internet what should you be able to do and what should you not be able to do? Maybe we'd like to block students or people from playing games, online games for example. So what the firewall may do is be configured so the policy may be students are not allowed to play online games. It may be more specific and list what type of games but that's the aim so then we need to implement that policy in the firewall. So we must specify some policy what are our aims and then we must implement that policy such that we only allow authorized traffic through the firewall and with respect to games maybe we identify the IP addresses of the game servers and then we set up the firewall such that any packet that's going to one of those IP addresses is blocked is not allowed out. As a result your computer inside cannot access the game servers outside effectively stopping you from playing those games. We'll look at some other ways later. So we need to have some policies that will define what we want to achieve and an important thing is that the firewall cannot be compromised. The firewall is a security device it controls what goes in what goes out if some attacker can compromise the firewall then they can control what goes in and what goes out and maybe they can set up the firewall to allow them to get into the network. So it's important for the firewall to be protected from penetration and we'll look at some techniques toward the end of the slides. So how do we implement different policies? 
If the policy is stop students from playing games how can we implement that with a firewall? Well there are general techniques, four general approaches, service control, direction control, user control and behavior control. The example was here we'll make them a bit clearer. Well first direction control is easy. We make decisions depending upon where the packets are coming from. If it's coming from outside and going in we may have different rules than if it's coming from inside and going out. So if we want to block students from playing games then we'd set a policy that is implemented using the direction from going internal to out maybe block the packets going out. But if we want to stop malware from coming in to SIT then the direction of interest is coming in. We want to stop maybe packets or emails coming in containing a virus. So we consider the direction so we may have different rules depending upon the direction. Service control, service here really refers to servers, network servers and we commonly use addresses to identify different services. So based upon IP address or even port number we can control and filter packets depending upon our policy. So here the example of the games. I know the IP address of the most popular game service so I set up a rule that says if any packet is going to one of those IP addresses it is not allowed out so that's based upon service control. Or I don't want people to access external secure shell servers. I have a number of secure shell servers inside so I could use port numbers to identify that it's a secure shell server. We'll see examples of those. User control depending upon which user is generating those packets. I don't want to allow students to play games but I want to set up the firewall that allows faculty members to play games. So we could have specific rules that try to identify the users. So the packets which come to the firewall, the firewall needs to make a decision. Do I allow this packet out or not? 
Then that firewall can look at not just the addresses, the direction but also who's the user that generated that packet and make different decisions. And the other thing that the firewall may do is look at the content of the data. For example an email comes into our internal network via the firewall. The firewall looks at that email. It's destined to Steve at SIT but before it gets to my email inbox the firewall looks at it and does a scan for spam messages or viruses and if it detects them either blocks that email or removes it from the email before it's forwarded on to me. So that's based upon the behavior or the content we may make decisions. What are firewalls capable of? What capabilities do we need? We need to have a single point where all our traffic goes via. That's like this case. Here we have two firewalls but we must make sure all of our traffic passes through the firewall. As soon as the internal users have a way to access the external networks that bypasses the firewall, our security fails. We must ensure all traffic goes via the firewall or the firewalls if we have multiple. Firewalls not just control what comes in and what goes out but they can monitor different things. They can keep track and keep a log of the emails which have been received with viruses or with spam. They can keep track of how many packets come into a particular user or which student is accessing or downloading the most. So the firewall, because all the traffic goes through there, is a good location to do other recording like recording the amount of traffic going in, recording the websites that students have accessed and recording other information that can be used not just for security purposes. So an example may be that for SIT we set up a system so that students have a quota for their internet access. They can only download 10 megabytes per day. So such a policy could be implemented using the firewall. 
The firewall would keep track of how many megabytes you've downloaded today. Once it reaches the upper limit the firewall starts blocking your traffic so you can't download anymore. Maybe this will come up in later topics when we talk about virtual private networks but it turns out a firewall is also a good location to act as a virtual private network endpoint. But that will become clearer when we spend some details of what is a virtual private network. What are the limitations of using firewalls? They cannot protect if someone bypasses the firewall. And there are different ways to bypass the firewall. For example, if the firewall is configured to allow all of the traffic from faculty members to go out then any attack or any malicious activity from a faculty member going out cannot be protected by that firewall. The firewall does not protect against internal threats. That is we have some computers inside. If one of these computers tries to attack another computer the firewall has no role in controlling that. The firewall is only controlling the data that's going out and coming in. It's not controlling anything that's happening internally only. So this may be a student trying to access Steve's laptop. The firewall of our network firewall has no control over what happens there. So that's the limitation of firewalls. It's only for internal to external or vice versa. It's not for internal only traffic. Then there may be other means for data to get in that effectively bypasses the firewall. And a couple of them listed here a very common one mobile phones. I use my mobile phone. I'm inside SIT but I use my mobile phone to access the internet. If I'm using the Wi-Fi of SIT then the data will go through the firewall but if I use my telecom company my mobile phone provider then the data goes via the wireless link to the AIS or whoever I'm subscribed to. 
So if I'm using a mobile device, 3G, 4G, then that data and the access to the internet is not flowing through the firewall and therefore the firewall cannot control that. And that's a big problem for organizations because nowadays many people use their phones for their work purposes. It's hard for the organization to control what's coming in and out. So maybe policies on the use of mobile phones are necessary to cover that. And the last one is especially regarding malicious software. How do you get malicious software into our network? If the firewalls block the malicious software coming in there's still the opportunity someone brings in a USB disk from home which is infected with malicious software. They bring it in from home and they plug it into the lecture room computer and now that malicious software is loaded onto the internal computer, effectively bypassing the firewall. So laptops, phones, portable devices which can be brought from outside in still allow malicious software to come into the internal network. And other network devices like personal wireless LAN devices or mobile phone connections allow people to access outside and also from outside in. So there are some limitations of firewalls. There are different types of firewalls and we're going to spend a lot of time on the first type called packet filtering and we'll get to some examples to illustrate them. But packet filtering, the simple concept is that we look at the packet headers as the packets come into the firewall and make a decision whether to allow this packet in or not. So we'll look at some examples to illustrate packet filtering firewalls. First let's remind ourselves about packet headers and in particular the common ones we'll see. This is a picture of the packet headers. The top one is for TCP and the bottom one is for IP. I think you have a printout somewhere in your handouts. Let's look at them. This is an example for a TCP packet and the bottom one we'll see in a moment is for IP. 
So what a packet filtering firewall will do, packets come into the firewall. The firewall will be configured to make a decision whether to allow that packet or not. So there's two outcomes normally. In the simplest case we allow it or we reject it. So we accept or block the packet. If we allow it it means the packet keeps going to the normal destination. If we reject the packet the packet is discarded and it will not get to the normal destination. So that's what the firewall will do with the packet filtering firewall. The question then is how does the firewall make this decision to allow or reject the packet? And what a packet filtering firewall does is looks at the fields in the headers in that packet to make a decision. And which fields are of importance for the TCP packet? What fields tell us something about what's happening in terms of communications? Can you find this page? Yes, someone else has found it. Which fields are useful for identifying what's being communicated between users in these TCP and IP headers? Again, the data may be one that's useful. The data, so we have the header at the top, the 20 bytes of default header for TCP, maybe some optional fields and then the data. So the structure is that we have a set of header fields. The first 20 bytes are mandatory. They're always there. Source port, destination port, sequence numbers and so on. And then some data. So the data may be useful for determining whether this packet can come in or not. The problem with looking at the data is that many different applications will have many different formats of data and it's very hard to detect what's acceptable and what's not. It's also very time consuming. So focus on the header fields. Which ones tell us something about who's communicating or what applications are being used? Look at both TCP and IP. Which fields tell us who's communicating and what applications are being used? What tells us who's communicating? Who, source and destination what? 
Who's communicating? Again, source and destination IP address tells us who's communicating. When I say who, think of which computers are communicating. So we'll go down to IP. The source IP address is a field of interest and so is the destination IP address. This really tells us who is sending and who is receiving because IP addresses in theory identify computers in the internet. So if we look at the source IP address that tells us something about which computer in the internet sent this and the destination tells us who is going to receive it. So we can use the IP addresses to identify who is communicating. So those two fields are of importance. For example, my laptop has a fixed IP address. Every time I connect to the SIT network I get that IP address. So if the firewall is configured to allow Steve to play games but blocks students from playing games, then what the firewall can do is look and see if the packet is coming from my source IP address. If it is, let it go through. If it's not, then don't let it go through. So we can use the IP addresses to try and identify people or users in that network. What else? Let's focus on TCP. What identifies applications in the TCP header? By applications, let's say I was accessing a website, a web server. How would we know from the packet that I was accessing a web server? What identifies web servers? Again, what identifies that I'm from just from the TCP header, what tells us that I'm accessing a website? The port number. If I'm sending a packet to a web server, what will the destination port be? 80. Web servers use port number 80. Therefore, if I send a packet to a web server, the destination port should be 80. If I'm sending a packet to a secure shell server, what will the port number be? Can anyone remember secure shell? Not 44, 22. We may not remember them all, but over time we'll start to remember different application servers use different port numbers. Web servers use port 80. Secure web servers, 443. 
Secure shell, 22. Email, 25. So they're quite well defined. So the port numbers are useful for telling us what applications are being used, the source and destination, what application is being used. That can tell us something about that. The other one which is of interest and maybe less so is the protocol number, which tells us the transport protocol being used. Some examples, the protocol number, 6 means TCP, 17 means UDP, and there are others. But we'll commonly distinguish. We want to take different actions depending whether it's TCP or UDP. So the protocol number will tell us that. With port numbers, source and destination, web server uses port 80 or a secure web server. I'll just list some of them, 443. Secure shell, 22. Email servers, 25, but they also use some others as well. And other applications have well defined port numbers. So the idea for our packet filtering firewall is it will look at these five fields in particular. And it will look at the values and when we set up our firewall we'll configure some rules to say whether packets with those matching values should be accepted or not. So let's look at an example for a simple network to finish for today. Here's a simple network. And we'll start with the simplest case where we want to have a firewall on an individual computer just to explain the picture. And you have these in your handouts. This is just my simplified internet and the way to read it. We have a number of subnets, 1.1.1.0. Here's one subnet and here's a second subnet and there's some others. And the squares are some computers on those subnets. And the circles are the routers connecting subnets. So we have router RA, RB, C, D and E. And we have computer 1.1.1.11, 1.1.1.12 on the first subnet and so on. So our simple internet for the very first case, let's assume that the firewall is running on a computer not on a router. Like your home setup you have a firewall on every computer. 
So for a simple case to illustrate a rule let's say that the firewall is running on computer 12. Computer 12 is my laptop. It's running some firewall software. So there's my firewall in the network. That's my computer. My aim, my aim just to illustrate a rule. I want to stop, so I am computer 12 and I'm actually running the firewall on my computer. We're not running it on the router just yet. I want to stop computer 35, this one up the top here, from pinging me, from sending me a ping request. Ping is an application and protocol where we send a request from a source to a destination computer and that computer responds. The protocol used, the transport protocol used by ping is ICMP. So to configure my firewall I write a rule and the rule states, if we focus on those five packet fields, what values those packet fields should match such that the firewall will take some action for the incoming packet, and it specifies what action to take. So let's first write the rule and the conditions. So there were five fields of interest, source IP, destination IP and we had the source and destination port and the protocol number. So I want to create a rule where it specifies these five values such that if computer 35 tries to ping computer 12 the packet that comes in will match the rule and then we'll take the action to block that packet. Think of the request, the ping request coming from 35 into computer 12. What would the source IP be? If computer 35 pings computer 12 what's the source IP address? Fill it in. What do we get? Source IP, computer 35 pinging computer 11. Who's the source? Computer 35 is the source, 3.3.3.35 is the source. So the source IP field would be set to 3.3.3.35. We're creating a set of conditions and if these conditions match our packet we'll take some action, and the destination. Well it's our computer which we know, 1.1.1.12. Now let's go to the protocol number. What protocol number does ping use? What transport protocol does ping use? 
ICMP and that's a special case. ICMP is protocol number one. TCP is six, UDP is 17, ICMP is one. And another special case about ICMP: there are no protocol, no port numbers used. We don't care about port numbers. So I'll say we don't care here. It could be any value and for any value what character can I use? Sometimes we use star to mean any value. I don't care what the port numbers are. If the packet is coming from 3.3.3.35 and it's going to 1.1.1.12 and it's using protocol number one, ICMP, then we want to take some action. So the packet, if computer 35 tries to ping, will come in, it will get here. The firewall looks at that packet and it checks if the header fields match these five values. It matches the source 35, it matches the destination, computer 12. We don't care about the port numbers, it matches anything, and the protocol, if we're using ping it's an ICMP request, a ping request. So it matches the protocol number. So the firewall takes some action and the action we can specify I'll say drop. Drop or block or reject. The action is don't allow this packet to come in. So what I'm trying to arrive at is that when we configure a firewall, so the firewall is running in my laptop, I need to set it up and when I set it up I think about my policy, my aim. Okay, I want to stop computer 35 from pinging me. So when I set up the firewall the common way is I set a set of conditions. The conditions containing these five protocol fields. I want to set the source IP, destination, port numbers and protocol number and I set an action when I set up the firewall so that when computer 35 does ping me it sends the ICMP request into my computer, the firewall looks at the packet. When it looks at the packet it compares the values in the packet header against my conditions. If they match then the action is taken on that packet and that packet is dropped and if the packet's dropped then it's not processed and there will be no response coming back. Effectively ping doesn't work. 
If it doesn't match these conditions then some action is also taken. Usually there's some default action like accept the packet. So in this case if computer 35 tries to ping computer 12 that request packet will be dropped. If computer 36 tries to ping 12 what's the action? The default action will take place. If computer 36 tries to ping 12 the source IP address would be 3.3.3.36; it doesn't match this field. It doesn't match this condition, therefore this entire what we call rule does not match. So we don't drop it, we'll take some default action which would also be specified. So another part of our firewall setup would be, say, the default action, let's say it is accept. We either accept packets or drop them. If computer 35 pings computer 12 this rule says drop that packet. If computer 36 pings computer 12 this rule does not match, the conditions do not match, therefore we take the default action of accepting the packet. Achieving our aim of stopping computer 35 from pinging me but still allowing others to ping me. So what we're going to do with some examples is to go through some other aims, some other policies, and define a set of rules using these five fields and specifying the action, and those fields and that action set up in our firewall, and we build up a set of rules which are used to configure the firewall. We're out of time for today so what we'll do next lecture tomorrow is go through some other examples and write some more rules using this format and build up more complex firewalls.
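As an added illustration (not part of the lecture or its handouts), the five-field rule and default-action behaviour described above, written as a small Python packet filter. It assumes a first-match rule ordering and, as a hypothetical extension of the lecture's rule format, also accepts a CIDR subnet such as "3.3.3.0/24" in the IP fields; the sample packets are constructed, not captured traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "*"  # the lecture's "don't care" value for a field

# IP header protocol numbers, as given in the lecture
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    """The five header fields a packet-filtering firewall inspects."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None  # ICMP carries no port numbers
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One firewall rule: five match conditions plus an action."""
    src_ip: str       # exact address, CIDR subnet (hypothetical extension), or "*"
    dst_ip: str
    src_port: object  # port number or "*"
    dst_port: object
    proto: object     # protocol number or "*"
    action: str       # "accept" or "drop"
    name: str = ""


def _ip_matches(cond: str, value: str) -> bool:
    """Match an IP field against "*", a CIDR subnet, or an exact address."""
    if cond == ANY:
        return True
    if "/" in cond:
        return ip_address(value) in ip_network(cond, strict=False)
    return ip_address(cond) == ip_address(value)


def _field_matches(cond, value) -> bool:
    """Ports and protocol: "*" matches anything, otherwise exact equality."""
    return cond == ANY or cond == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All five conditions must hold; one mismatch and the whole rule fails."""
    return (_ip_matches(rule.src_ip, pkt.src_ip)
            and _ip_matches(rule.dst_ip, pkt.dst_ip)
            and _field_matches(rule.proto, pkt.proto)
            and _field_matches(rule.src_port, pkt.src_port)
            and _field_matches(rule.dst_port, pkt.dst_port))


def decide(rules: List[Rule], default: str, pkt: Packet) -> Tuple[str, str]:
    """Return (action, name of the rule that decided it).

    Rules are checked in order and the first match wins (assumed ordering);
    a packet that matches no rule gets the configured default action.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# The lecture's rule: stop computer 3.3.3.35 from pinging computer 1.1.1.12.
LECTURE_RULES = [
    Rule("3.3.3.35", "1.1.1.12", ANY, ANY, ICMP, "drop", name="no-ping-from-35"),
]
DEFAULT_ACTION = "accept"


def example() -> dict:
    """Run constructed sample packets through the lecture's rule set."""
    traffic = {
        "ping from 35": Packet("3.3.3.35", "1.1.1.12", ICMP),
        "ping from 36": Packet("3.3.3.36", "1.1.1.12", ICMP),
        # same source host, but TCP to port 22: the ICMP rule does not match
        "ssh from 35": Packet("3.3.3.35", "1.1.1.12", TCP, src_port=50000, dst_port=22),
    }
    return {label: decide(LECTURE_RULES, DEFAULT_ACTION, p) for label, p in traffic.items()}


if __name__ == "__main__":
    for label, (action, rule) in example().items():
        print(f"{label:13s} -> {action:6s} (rule: {rule})")
```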