So we'll use a firewall as a means for controlling who can access a network. Now we're going to move into a practical aspect of security. We have a computer network, an IP-based network. We want to control who can access that network: who can send data into the network, and also, in the opposite direction, who can send data out. So let's explain how firewalls work.

Think of an organization, a small one like your home with your own network, or a large one like SIT or a large company. In terms of their network access, they want to control the data going in and out of the network. Why? To stop people accessing services available on their network. For example, SIT has a database storing all the student information, including your grades, your financial information and your contact information. We don't want anyone in the world to access that: (a) we don't want them to read the information, and (b) we don't want them to modify the information. So how can we control access? In different ways. Make sure it's password protected, that is, make sure that to access the database you need a password. Make sure there are some permissions on the database so that even with a password you can only do certain things with it. And the next thing is to make sure that anyone on the internet has limited network access into the SIT network that stores the database. That's what we're going to focus on now: the third approach, using a firewall to control communications between different networks. All organizations need some internet connectivity; we can't avoid it. But the problem is that it means potential security holes are present in our computer system, and threats arise: people may try to hack in or break into the SIT network. So how do we stop that?
We use a firewall. A firewall is a device, either dedicated hardware or just some software running on some other computer device, but some device that controls the data going into a network and going out of a network. In the picture here we can separate the networks into internal and external. The internal network is the network that we want to protect, so we want to stop others in the external network from accessing resources in the internal network. If the internal network is the SIT network, where we have the database server for all the student information, all the salary information and grades and so on, we'd like to stop external users from accessing that, and that's one thing we can use the firewall for. For this to work, we need to have our firewall device in a location where all of the data between the networks passes via it. So with our internal LAN, for SIT for example, and our external internet access, there's data that goes between the two networks, and the firewall should be in a location where all the data between these networks passes through it. The firewall will then be used to control what data may go through and what is blocked, with the intention that, for example, if someone on the internet tries to access the SIT database, the firewall should block that access, so they cannot access it and cannot read your grades and student information. Another goal: someone in SIT tries to access the Facebook web server, and the firewall may be configured to block that access, because we don't want students to be accessing Facebook during class, for example. So we can use the firewall to control what external users can access inside our network and what internal users can access out on the internet.
So we're going to look at how we can use the firewall to do that. There's an internal and an external network, and the firewall is trying to protect the internal network. Let's have a look at some of the details of what we need this firewall to do. Between our internal and external networks, or the inside and the outside, we need to make sure that all of the traffic, that is all of the data between those, passes via the firewall. This slide, I think, should say all traffic from inside to outside and from outside to inside, both directions. So in both directions, any packet sent should pass through the firewall, and if we can ensure that, then we can configure the firewall to control what is allowed in and what's not. I would like to have a firewall on the door for this room, so that all students who are going to talk in here and annoy me are not allowed in, but that's too expensive for me to implement, so maybe we'll just give you a penalty in the quiz, which may be easier for me to implement. We need to make sure that all the packets between the two networks go via the firewall, and we'll give an example shortly of what happens if that's not the case. Then the firewall will control what's authorized in and what's authorized to go out. There will be a policy that the organization sets that says, for example, only let in packets that are going to the internal web server and no other packets, or only let students access these websites but no other websites. Those are the requirements, or the policy, of the organization. Then the firewall must implement that policy by controlling what can come in and what is blocked, what cannot come in, and we'll look at how we do that. That's what this topic will look at. The firewall is a security mechanism; it controls access to the network. If the firewall doesn't work, then that limits the security of our network.
So the firewall itself must not be easy to attack. If someone can compromise the firewall, then that can allow them to compromise the internal computers on the network and defeat the firewall mechanisms. So when we build a firewall we must make sure that it's not easy for others to compromise that firewall; it cannot be penetrated easily.

So how do we control the traffic? The second point is that only authorized traffic is allowed by the firewall. There are four different techniques: we control based upon service, direction of the traffic, the users that are communicating, and the behavior of those communications. We will see examples of service control in detail today, and the others a little bit.

Service control is controlling what services people can access inside a network. Think of servers inside our SIT network: we have a database server, we have different email servers, different web servers. We want to control what others on the internet can access with respect to our internal servers. They should be able to access the public web server, but they shouldn't be able to access the finance server. Or we may want to allow some people to access a selection of the web servers. So we control which services can be accessed inside, and also outside. To do that, we will need to look at how the Internet Protocol works, and in particular that IP packets, IP datagrams, have addresses and that TCP and UDP use port numbers. So we'll look at how we can use addresses and port numbers to control what goes in and out; we'll see some detailed examples of that today.

The other form of control is direction control. You may want to do things depending upon the direction of traffic. That is, I want to set up the firewall such that people from outside can access nothing, no web servers internal to SIT, but people inside SIT can access all web servers out on the internet. So depending upon the direction, outside to in or inside to out, we may have different requirements. So that's direction control.

User control: I may want to set it up differently for different users. All students in SIT are blocked from accessing Facebook, for example. Or one particular user, Dr. Tanarak, is allowed to access any website he likes, and all other faculty members can only access some selection of websites. So based upon the user we control what can come in and out of the network: all students cannot access Facebook, so we need to set up some mechanism to identify students and then block them when they're trying to access Facebook. So, different policies for different users; we'd like a firewall to support that.

And behavior control: depending upon the content that's being sent out to the internet and in from the internet, we may control the traffic in a different way. An example is that you're sending an email from inside SIT out to someone on the internet. That email goes to the firewall, and the firewall checks the contents of the email, and if it detects that this is a spam email, that you're trying to spam people, then it may block that email. Or a virus: it may try and stop it so it doesn't spread out to others. So this is filtering based upon the content of the messages.

We can look at who or what services we're trying to access, the direction of communications, which users are trying to communicate and what they're trying to do, in particular looking at the content of the messages, and try to set up a set of rules that will control the traffic that can go in and out of our network. Let's go to an example. Or, no, let's keep going and then we'll get to an example and spend some time on it.

So generally we're talking about firewalls and what they should do. A firewall should define a single choke point. What's a choke point, anyone? What's a choke point?
Well, think of it as a single point where everything goes by; everything is directed into that single location. For a network, that's our firewall, and we need to ensure that everything goes via that firewall. Let's see an example. We have some networks: the SIT Wi-Fi network with some access points that people can access, and the SIT wired LAN, the Ethernet LAN that connects the offices and labs, and then we have the rest of the world, the internet. What we would like is to make sure that all of the data between at least the Wi-Fi network and the internet goes via our firewall. So let's draw our firewall here, some device which is set up such that all of the data being sent from someone on the SIT Wi-Fi out to the internet goes via that firewall. Similarly, all of the data being sent from people in the labs and offices via the wired LAN, the Ethernet LAN, is sent via that firewall out to the internet, so that the firewall is in a position to filter what goes out and what comes in. In this example, external is the internet and internal is the Wi-Fi and the Ethernet LAN. We need to make sure that all of the data is concentrated at that one location, the firewall.

Because all of the data going in and out of SIT, or the organisation's network, goes through the firewall, it makes sense for that firewall to have other capabilities, to do things that are not necessarily security related; some are, some are not. One is to monitor things that are happening. Whenever you on the Wi-Fi or wired network access internet services, your data is going through the firewall, so the firewall can now monitor things that are happening in the network, like how much data you're sending out to the internet or how much you're downloading, and if the firewall administrator finds that some students are downloading 10 gigabytes per day, then take some action. So, monitoring what's happening.
Maybe someone out on the internet is trying to perform an attack on SIT, a denial of service attack, sending many packets in to SIT. The firewall, as it monitors the packets coming in, can detect that someone's trying to attack SIT, and then we can do something about it. So by monitoring what's happening we may use that for supporting the network security and operation.

Other features, which are again not security related, that the firewall may provide: similar to what we just said, it may count the packets, count the downloads by different users inside the internal network, either to stop them from downloading in the future or, if it's an organisation, to charge particular departments. So if instead of Wi-Fi and Ethernet this is one department of the company and this is a different department, then the firewall is a good location to count how much each department downloads, and then charge each department based upon the fraction of the internet costs that they must pay each year. So some form of accounting is another capability that a firewall may implement.

Virtual private networks, VPNs. Although we haven't covered it yet, and we may get to it at the end of the semester, a virtual private network can allow someone out on the internet, at their home, to access internal network services. So for someone who's working at home, a VPN allows them to effectively log in to the internal network, giving them services as if they were sitting inside the internal network. That's what a VPN may do: someone at home can connect to the internal network and it's as if they're sitting inside the internal network in terms of the services they can access, so they can access all the databases that are internal, which normally an external internet user cannot. That's what a virtual private network can do, and it makes sense for firewalls to provide such a service, to allow someone to create a virtual private network between their home and, say, the organization's network via the firewall. So firewalls are usually located in positions in the network such that they are not just a firewall, but other services are provided as well.

Firewalls have some limitations. They can't protect against someone bypassing the firewall. So one of our users on the wired LAN, in my office for example, is my office computer. When I access the internet, all my data goes via the firewall, because it's on the wired LAN. But on my office computer I plug in, or connect to, my mobile phone and use my internet access via my mobile phone to my telecom provider, AIS or whoever. So now I've connected to the internet from my internal computer, but my data is no longer passing through the firewall. The firewall cannot do anything about this; there's no way now to control the traffic that is going out to the internet by this other connection. So this bypasses the firewall and presents a security risk for the organization, because now we can't control what's being sent in and out. So there are mechanisms that can bypass the firewall, and of course the firewall can do nothing about it. The firewall may be set up such that it still doesn't protect against all types of threats and attacks on the internal network. Related to the one we just talked about, similar to me accessing via the mobile phone: if there's an insecure wireless LAN access point, then some external user, someone here on the internet who's considered an external user, may get access via the Wi-Fi network by some access point here. Therefore this external user, who should have been blocked from accessing the internal network, may get access to the internal network if we have some Wi-Fi access point that is insecure.
So the firewall can do nothing about that; we need other measures to stop that. Similarly, people bringing in devices cannot be prevented by the firewall; we need other policies in an organization, or other technical measures, to stop that.

So let's look at different types of firewalls and go through an example for one. Packet filtering firewalls we'll go through first. Essentially they have some rules to say which packets are allowed to come through the firewall and which should be blocked. So we configure the firewall to implement a set of rules, and as packets come in the firewall checks: is this one allowed or not? We can extend that with stateful packet inspection; we'll see that adds the ability to record what happened in the past, and that improves things. And then we'll look at two different types of firewalls called proxies, which create intermediate connections between external and internal users.

Normally a firewall, and maybe this is not normal for you, but normally in organizations firewalls are implemented on routers. Who has a firewall? Who has used a firewall before on their own computer? Don't be shy; if you use Windows, I suspect you've used a firewall. Anyone? All right, who has not used a firewall? Who has never installed a firewall on their computer? That's more like it.
Well, some people. Okay, on home computers usually a firewall is recommended, either on the computer itself or, if you've got cable or ADSL internet access, the firewall feature may be provided on that ADSL router or modem. But I think many of you may have already downloaded and installed a firewall, and sometimes it comes with other software; maybe it's part of the antivirus. So usually that's on the end computer. But in organizations the firewall is normally done on a router, and that firewall is there to protect the entire internal network. So instead of installing a firewall on every computer inside SIT to control what goes into each computer, we have a firewall on a router that connects SIT to the outside, which controls what can come in and what can go out. So normally, and we'll assume this in our examples, firewalls are implemented on a router. Why a router? Because when we connect an internal network to an external network on the internet, what device normally does that? A router. So it's typically a router that connects internal to external; therefore a firewall is usually just an addition to an existing router. It may be its own dedicated device, and as we said before it may do things other than what a firewall needs to do, so some non-security features may be implemented in practice.

So let's look at what a packet filtering firewall is. We start with a security policy. The policy is what the organization requires. The policy may be that no student can access any service out on the internet except for web servers, or that no student can access the Facebook web server on the internet. So we have some policy which is set by the organization, and then we implement that policy using a set of rules. The rules define which packets can go through the firewall. We'll define a set of rules that say which packets from the internet can come through this firewall into the internal networks, and similarly which packets from the internal networks can come through the firewall to the outside, the external network. So the rules define the packets that can go through the firewall.

Then some rules need to be configured, and as packets arrive at the firewall it inspects each packet and compares it against the rules which are already configured, and if any rules match it takes some action. The actions we'll consider are accept or drop. Accepting a packet means it can go on to the destination; drop means it cannot go on, we'll delete it and not send it. Some other names you'll see are accept, allow and forward, or drop, reject, discard and block: different names for the actions that may be taken. So the firewall is configured by a set of rules that state some conditions under which the packets should be accepted or dropped. If the packet matches those conditions, the action is taken. What are the conditions? Well, in a simple packet filtering firewall the conditions come from the packet information, and because we're dealing with the internet, that comes from the IP packet header and other packet headers like TCP and UDP.

Let me just remind you of some aspects of the Internet Protocol, in particular the IP packet header. This is a diagram of an IP datagram. We have a header and the data. Everything we send in our network has this structure. The header is normally 20 bytes, with some optional fields that we'll ignore, and then some data. The header has different fields, and everyone's seen this before; I've taught you all this in ITS 323. The two main fields our firewall is concerned with are the source IP address and the destination IP address. So the packet header contains who sent this packet, who created it and is the original source, and who is going to consume the packet, who's the final destination.
That's the source and destination IP address: who it came from and who it is going to. So the firewall can use this information and a set of rules to say, for example, let's allow packets from this source, or drop packets to this destination. Those are the two fields we'll use. One other commonly used field in the IP header is the protocol field. The protocol field indicates what type of data is inside this IP datagram; really, it indicates the transport layer being used. In IP there are multiple transport protocols that can be used. The common ones are TCP and UDP; we'll also see ICMP, but there are others as well. The value of the protocol field in the header indicates what transport protocol is being used, that is, what's inside the data here. If this is TCP data, then the protocol field will indicate TCP by giving the number for TCP, number 6; UDP is a different number. So again, if we want to filter, only allowing TCP and UDP packets in and out of our network, we can check by the protocol field. Or, since everyone's an expert with ping, block all ping packets: ping uses ICMP, which has protocol number 1, so we can check at the firewall and block all packets which have a protocol number that indicates ICMP, to block ping.

So packet filtering firewalls mainly use the source and destination IP and the protocol field of the IP header, and then, depending upon the transport protocol, the header fields of the transport protocol. Here's TCP, for example; this is the header for TCP, with the data and the header. The two things which are most important in this case are the source port and the destination port. The port numbers identify applications. What's the port number when you're accessing Facebook? What port number is the server using? The web server? Again, 80: port number 80 for a web server.
So by default all web servers use port 80. Therefore, if we want to block web access, we can look at the port numbers used in the TCP header. If the destination is port 80, then we know that this packet is going to a web server, and we can control, depending upon our policy, whether we allow it or not. Similarly for source ports. Most common servers use well-known port numbers: port 80 for web servers, port 22 for secure shell servers, and many others. So these port numbers are commonly used. Sometimes other features of TCP are used; we'll come back to them when we need them. UDP has a much simpler header, but also has a source and destination port, so it's the same concept.

So the five main fields that we look at in a firewall are source IP address, destination IP address, source port, destination port and protocol: the port numbers, the IP addresses and the protocol field, which indicates the transport protocol. What the firewall is configured to do is create a set of rules that will implement a policy to block or allow particular applications or users using those five fields.

Let's go straight to an example. Here's an example network. We have six subnets in this simple internet. 1.1.1.0 is this subnet, and it has some hosts on it, .11 and .12, that is 1.1.1.11 and 1.1.1.12. There's a router that connects that subnet to another subnet, and these other subnets we'll assume have many hosts, but I've just drawn one or two for some of them. So this is our example network that we'll use to configure a firewall. In this example we're going to set up a firewall on router RA. A router connects two subnets together, so our firewall is going to operate on RA, the purple router, and the internal network is this subnet, 1.1.1.0, and the external network is the rest. So from the perspective of this subnet, this is internal and everyone else is external. When we configure the firewall for this subnet, we want to control what can come in and what can go out.
So let's say we want to set up our internal network so that no one else, no one outside of our network, can access the secure shell server on computer 11, this green one here. So we need to configure the firewall so that no one outside, the ones that we see plus anyone else that may arrive outside of our internal network, can access the secure shell server on the computer with IP address 1.1.1.11. Create your firewall; there's your first task. Let's see some solutions, and we'll find someone to come up and write down the solution on the board. We'll use a random number generator to choose someone to do it, but my random number generator is not so good; sometimes it just chooses the people who are asleep or who don't have an answer. Try and think of what rules you could create on the firewall so that no one outside can access computer 11, in particular the secure shell server on computer 11. The rules will check those five characteristics of the packets. The five features are: source IP address, where did the packet come from; destination IP, who is it going to; protocol number, what transport protocol is being used (and I'll give you a hint, secure shell uses TCP); source port; and destination port. Using those five values, create some conditions that would detect the packet that's going to the secure shell server on computer 11. So the firewall is set with some rule that says if the packet matches these conditions, we'll block or allow that packet. What are the conditions? Design them. You're a candidate for giving the demonstration. Anyone can design these conditions. Okay, here's another candidate here. Okay, you just volunteered. Okay, two candidates for a demonstration. Try and think of the answers; this is not in the lecture notes, this is a different one that I haven't given you, so you have to think a little bit. Here's a network.
We want to stop others from accessing computer 11, in particular the secure shell server on computer 11. What are the conditions on the packets? Of those five features, source IP, destination IP, protocol number, source port and destination port, what values should they take to match packets going to the secure shell server on computer 11? Anyone? Anyone have an idea of the conditions? Something, something... Okay, that's a good start. Okay, something, something, TCP. Why did you say TCP? Secure shell is an application layer protocol. Okay, you've used it; you've used it to log in to other computers, SSH. It's an application layer protocol to connect you to other computers. It uses the transport layer protocol called TCP. There's no TCP flag that says it's SSH; something else tells us that it's SSH. What tells us? And again, to keep it simple, you've got it in your lecture notes: given these five values, there are two addresses, source IP address and destination IP address, source port number, destination port number and protocol number, five different values. Create a set of conditions that would match packets going to that secure shell server. So we've mentioned TCP: the protocol number should indicate that we're dealing with TCP. What else? The destination IP address in the packet should be that of the server here, 1.1.1.11. Look, the title here is the policy; that's our requirement. Your organization's requirement is to stop anyone outside from accessing the secure shell server on computer 1.1.1.11. To implement that, we need to have some rule on the firewall that will block those packets so that they cannot access the secure shell server. So far we've got: the transport protocol should be TCP, and the destination address should be 1.1.1.11. That would match anything going to 1.1.1.11. What else? What about secure shell?
Secure shell is an application, yes. It has a port number, yes. Anyone want to guess? Someone knows the port number for secure shell: 22. Web servers use port 80, secure shell servers use port 22, email servers port 25, secure web browsing port 443. So many different servers have their own port number assigned. So if someone, some of these red ones outside, sends a packet to this server, and they're trying to access the secure shell server here, then the destination IP address of that packet will be that of this computer, 1.1.1.11. That's the destination IP. The destination port number will be 22, because to contact a server, the port number of that server is used as the destination. If you're contacting a web server the destination port will be 80; contacting a secure shell server, it's port 22. Destination IP 1.1.1.11, destination port 22, transport protocol TCP. If a packet arrives at the firewall and matches those conditions, we should drop the packet, or block it, and we can write those conditions down. Ignore the word "forward" there for the moment. The firewall should be configured so that if the destination IP is 1.1.1.11, the transport protocol is TCP (why TCP? because secure shell only uses TCP) and the destination port is 22 (why? because a secure shell server uses port 22), then the action the firewall should take is to drop that packet. If a packet arrives at the firewall with this destination, this protocol and this destination port, then drop it: do not send it on, just delete it.
Do not send it at all. So this is a rule, and this needs to be configured in the firewall to implement our policy.

Let's come back to the concepts, and we'll return to the example in a moment. A packet filtering firewall has a set of rules. The rules define which packets can go through the firewall: packets which are accepted go through, and dropped packets cannot go through. Once we have a set of rules, when a packet arrives the firewall compares the packet against the rules; if the rules match, it takes the action for those rules, where the actions are either accept or drop. So what are the conditions for these rules? Well, so far we've seen that we've got five different conditions, five things to check for: the two IP addresses, source and destination; the two port numbers, source and destination; and the protocol number, the transport protocol being used. Those are the five common conditions. We'll see some others later that we can use, but let's start with these five. So the rules use these conditions, that is, source IP equals this value, destination port equals this value; that's the condition. The rules are conditions defined using this packet information, and the action is usually accept or drop. That makes up a rule, and in the example we just saw one rule for our firewall. So the desired behavior: block secure shell access. The rule to implement that is shown here: destination IP, protocol number, destination port, and the action, drop. So three conditions, and drop is the action to take. Questions? Your tasks in quizzes and in homeworks will be to create some rules to implement some policy. Keeping it simple, look at the IP addresses, the port numbers and the protocol, or rather the transport protocol. Now, for this one you needed to know that secure shell servers use port 22. So now you know: web browsing port 80, secure shell port 22. There are others you may need to learn over time.

Now what happens when computer 47 tries to access the secure shell server on computer 11? Computer 47 wants to log in to the secure shell server here, so it creates a packet. What does the packet look like? Let's draw it. If we look at our headers, our packet is going to be an IP datagram with header values, and inside that, because it's secure shell, it would be a TCP datagram containing the TCP header fields. Sorry, this is IP, this is TCP. I'm going to draw the packet like this. There's some data, there's an IP header, but I'll also draw a TCP header and just list the fields which are relevant for us instead of listing them all. The example is: computer 47 wants to access the secure shell server on computer 11, so it creates a packet. Let's draw the packet it creates. It's going to have an IP header and a TCP header, and from our perspective the rest is the secure shell message, the secure shell data, whatever that is. We're not going to look at the data; we're going to look just at the headers, and just at those five fields. So we have a source IP address and a destination IP address in the IP header, and a protocol number. There are other fields, but these are the ones that are of interest to us. What are the values?
The source IP is the IP of the computer that creates it, computer 4.4.4.47, and it's trying to contact 1.1.1.11. So that's the source and destination: 47, and your destination is 1.1.1.11. So this is the packet created by the sending node 4.4.4.47. The protocol number identifies the transport protocol, which is TCP. You don't need to remember it at this stage, but that's actually the number six. In the same way that port numbers map to particular servers, protocol numbers map to particular transport protocols. So those are three values in the IP header. In addition, the TCP header has the source port and the destination port. This is the packet coming from the secure shell client on 4.4.4.47 going to the secure shell server on 1.1.1.11, so the destination port is the port of the server for secure shell, which we've already said is port number 22, meaning secure shell. What's the source port? Sorry, not 22. The source port is usually dynamically assigned by the operating system, so we don't know. Let's just give it a random value. Okay, it's usually within some range, but it's not fixed, it's not predictable. I've just made up a random value, which is typical of the typical range. So we would not know that in advance. This is the packet created by the source computer, this external computer that wants to access our internal secure shell server: three fields for the IP header, two fields for the TCP header.
There are other fields, there's data, but those are the five values that we care about with respect to our firewall. The packet is sent through the internet. We don't care about how it gets there, but the routing means that this one creates it, sends it to router E, which would send it to router C, and eventually that packet gets to router A. Okay, because the destination is this computer, it gets to the router on that subnet, and that router, when it receives the packet, is running a firewall. So when the router receives the packet it passes it to the firewall software, and the firewall software checks that packet against these conditions. Okay, so these conditions are a rule configured in the firewall already; compare these with the packet. This packet is received: source IP, destination IP 1.1.1.11, protocol TCP, destination port 22, and now compare it to the rule.

Yep? Yes, the source uses a different port. With client server applications, usually servers have a well-known, fixed port number, whereas clients usually get some random port number assigned by the operating system. Why? Because it's the client that initiates communications to the server, so the client must know the server's port number to contact it, so we use some fixed port number. So if I'm using secure shell, I know it will be 22. But to get a response back, the server learns the source port when it receives the request. Okay, so the server doesn't need to know this value in advance because it learns it when it receives the first packet, so source ports are normally some dynamically assigned value. I just made up a random value here. The next packet, or the next time they connect, it may be a different source port. Okay. Yep? What if we use a VPN?
We're not... okay. We may see that when we talk about ways to bypass firewalls. There are ways to bypass, and a VPN may assist in that case, but not yet. This is the packet sent. It arrives at the firewall; compare the packet details with the firewall rule, compare that with this rule here, these conditions. Forget about forward for the moment. The rule is: if the packet has this destination of 1.1.1.11, and if the protocol is TCP, and if the destination port is 22, then drop this packet. And if you compare these three conditions for that packet, it matches, and therefore the packet that came from 47 through E and C and arrived at the firewall router A is compared with the rule. It matches, therefore the action taken for that packet is to drop it. Drop means delete it, do not send. Therefore the packet will not arrive at computer 11, and therefore there will be no response. So we've blocked access to the secure shell server on computer 11. Any questions? Everyone can create the next rule for the next task. We didn't get any demos; that was disappointing. We've still got some candidates. Any questions about this, or about your assignment for your other course? I'll answer anything, just as long as it's a question. Okay, note that in the rule, for the source IP, we don't care about the value.
I didn't list the source IP here, and I didn't list the source port in the rule, meaning it doesn't matter what value that is; as long as these three match, destination IP, protocol, destination port, then that packet matches. The values I didn't list can be any value, and they are: 4.4.4.47 was the source IP. If computer 36 sent the packet, it would have the same destination IP and port and the same protocol, and therefore would be blocked. It doesn't matter which of these red computers sent that packet; if they're all going to the secure shell server on computer 11, these three values would all match and that packet would be dropped.

So now design the next rule. Computer 12 is for some user inside the network, so this is an internal computer. We want to stop them from accessing web servers on this network. Try and design the rule, the set of conditions for the firewall to achieve that policy. Try and write down what the conditions are here in terms of source IP, destination IP, source port, destination port and protocol, so that computer 12 cannot access any web servers on network 3.3.3.0. And we have a volunteer. Welcome, come to the front. You can show people how to design this firewall. Come on, I'll let you write on the board in case you make a mistake and you can remove it, and I'll get you started. So we're dealing with five fields, five conditions that we can deal with, so what we need to do is write the conditions for these five values. Some may have a value, some we don't care about, such that this firewall router A will block access to the web servers on this network 3. So come up and write the values that the source IP, destination IP, source and destination port and the protocol number should be in this rule, and some of your friends can help you, or if they're not real friends, I'll laugh at you. So think about who's sending and who the destinations are. Source IP. Let's do it. Let's do it easily. Let's just go through from top to bottom. What's the source IP?
So, block access to the web servers on this network from computer 12, which has IP 1.1.1.12. So from computer 12, therefore the source IP must be that of computer 12. Destination IP? She's on the right track. I think she knows what she's doing. That's all right. This one's a bit of a trick, or it's a bit different from before, and the hint is that we don't have to use the address of a particular host, so we can use this network address. Okay, good. That is, the destination doesn't have to be the address of a computer; it can be the address of a network, and the network address is 3.3.3.0, which means everyone on that network. So the destination IP is 3.3.3.0. Source port: what value should it be? Anyone want to help? What value should the source port be? Dynamically generated, meaning what value are you going to put in the firewall? You're setting up the firewall. All right, you set up 4712, but then it uses a different source port. It won't match. A random number again? It won't match. Don't use it. Don't set a value, any value. What character do you use for any value? Star, a wildcard, for example star. All right. Yeah, that just means any value. I think in programming and in different computer systems a star has the meaning of a wildcard. It means we don't care about the source port. It doesn't matter what value it is; they will all match. So conceptually we think of a wildcard or star. Okay. Destination port? No, what's the destination port? 80, because of web servers. So destination port 80. And the last one, protocol: which transport protocol, the name of the transport protocol? It's still TCP. We know web browsing uses TCP; HTTP uses TCP. 6, that's great, or you could just answer TCP. Because you remembered 6 means... it's just the number for TCP. Okay, it has a number. Good.
So, very easy to create the rules so far, just using these five conditions, and if we don't care about the value, right, here's just one way to write it down: star means a wildcard, any value. A packet is sent by computer 12 to the computer 36 web server. The source will be computer 12's; the destination will be 3.3.3.36, which matches this destination IP. Really we should give the netmask, because this is a network address. Again, think of it as a wildcard; it means any value in the range 3.3.3.1, 3.3.3.2, ... 3.3.3.36, 3.3.3.35 and so on. Source port: if my application chooses port number 47215, well, the firewall rule matches that, because the firewall rule says any value of source port, I don't care, send it. Sending it to the web server, the web server port 80, destination port 80, and web browsing uses TCP as the protocol. Our packet will get to the firewall, the firewall will compare the packet details with this rule, it will match, and therefore the action... so these are the conditions; the action should be drop. Don't send it out, and therefore we can't contact the web server. So our rule in this case is the conditions which were listed on the board. So far we're keeping it very simple and just dealing with these five fields, and depending upon our policy, so far we've created two rules. But then we may want to do something else and make more rules, so we build up a set of rules and put them in a table for the firewall. So when we configure the firewall, think of it as a table of rules. Here
I've summarized them. Our first rule was: from any source, if the destination has IP 1.1.1.11 and the port number is 22 (so this notation is IP, port number), and if the protocol is TCP, then the action to take is to drop that packet. Our second rule we just created: if the source is computer 12, any port number (source port any value), destination is this network, port 80, protocol TCP, action drop. And the third rule is what we call our default action or default policy. It says if there's a packet at the firewall that does not match rule one and it does not match rule two, then it will match this last one, which means any value of source, any destination, any protocol: accept. Okay, so this is just to say, for all other packets, let's accept them. Block these packets, drop these packets, accept everything else. So you can think of the rules being applied in order on the packets, and when we set up a firewall we must create a table like this, or conceptually like that. Different software uses different notation. So what I want you to be able to do is, given some policy, design some rules. So far we'll keep it simple and just use these five values, but it can be more complex. We can start to use the interface that the packet arrived on, whether it's a TCP SYN or a TCP ACK, the MAC address, and then eventually start to use the contents, if it's a HTTP request versus a HTTP response, and tailor our rules to meet some very specific policies. But for us, I think so far these five are the main ones.

Any questions to finish today? This is a new topic that is more practical than some of the theory we've covered so far, but quite important because you use them on a regular basis, and we'll give you a chance to do some hands-on things. We will finish with some of the other types of firewalls and the differences on Thursday, and then you'll get a chance to play around with firewalls, design some firewalls, just design some rules. So let's stop there and continue on Thursday.
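As an added example (not part of the lecture), here is the three-rule table above written as a small Python packet filter that compares the five header fields in rule order, first match wins. The /24 netmask on network 3, the sample source ports and the "drop if nothing matches" fallback are assumptions made for the example.

```python
# Added example, not from the lecture: a minimal packet filter applying the
# lecture's three-rule table (first match wins) to the five header fields.
import ipaddress

ANY = "*"  # the wildcard ("star") from the lecture: matches any value

# Rule table from the lecture: (src_ip, src_port, dst_ip, dst_port, proto, action).
# A dst of "3.3.3.0/24" is the network address covering every host on network 3;
# the /24 netmask is an assumption (the lecture only says "we should give the netmask").
RULES = [
    (ANY,        ANY, "1.1.1.11",   22,  "tcp", "drop"),    # rule 1: block SSH to computer 11
    ("1.1.1.12", ANY, "3.3.3.0/24", 80,  "tcp", "drop"),    # rule 2: block computer 12's web access to network 3
    (ANY,        ANY, ANY,          ANY, ANY,   "accept"),  # rule 3: default policy, accept everything else
]

def field_matches(cond, value):
    """A port or protocol condition matches if it is the wildcard or equals the packet's value."""
    return cond == ANY or cond == value

def ip_matches(cond, addr):
    """An IP condition may be a single host or a whole network in CIDR form."""
    if cond == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cond, strict=False)

def filter_packet(pkt, rules=RULES):
    """Compare the packet's five fields against the rules in order; return (action, rule number)."""
    for n, (src, sport, dst, dport, proto, action) in enumerate(rules, start=1):
        if (ip_matches(src, pkt["src_ip"]) and field_matches(sport, pkt["src_port"])
                and ip_matches(dst, pkt["dst_ip"]) and field_matches(dport, pkt["dst_port"])
                and field_matches(proto, pkt["proto"])):
            return action, n
    return "drop", None  # assumption: a table with no matching rule drops the packet

if __name__ == "__main__":
    # Constructed packets following the lecture's examples (source ports are made up)
    samples = [
        {"src_ip": "4.4.4.47", "src_port": 51034, "dst_ip": "1.1.1.11", "dst_port": 22, "proto": "tcp"},
        {"src_ip": "1.1.1.12", "src_port": 47215, "dst_ip": "3.3.3.36", "dst_port": 80, "proto": "tcp"},
        {"src_ip": "1.1.1.12", "src_port": 47215, "dst_ip": "3.3.3.36", "dst_port": 22, "proto": "tcp"},
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```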