We introduced packet filtering firewalls on Tuesday. They are very simple: they look at the packets that pass through the firewall, in particular the headers. If you browse through your lecture notes you won't find this part there; it was in the extra notes just for this week. A packet filtering firewall, as packets come to it, looks at the IP addresses of the source and destination (who sent it and who they are sending it to), the port numbers, which identify applications (which client application is sending to which server application), and the protocol number, which identifies the transport protocol being used (TCP, UDP and others). It uses that information to determine whether we should allow this packet or not: accept or drop. There may be other information used as well, as we'll see; we could potentially use information about which interface the packet arrives on, or other packet header fields. So it's looking at the packet headers to determine which packets to accept, and the packet filtering firewall is made up of a set of rules that the administrator of the network creates. The rules are really conditions based on this packet information, where we can have wildcards or ranges, and when a packet arrives the firewall compares the packet information against the rules; if it matches, it takes some action. That's what we got to on Tuesday.

Let's go through some examples to demonstrate those concepts. Here's our simple network. Let's take an example where we have a firewall in the middle, running on a router that connects an internal network and an external network. The internal network has many computers; one of them is computer one, with IP address 1.1.1.1. On the outside network there are also many computers.
I'll just draw one of them, computer two. Here's your task. For the first case, let's say our firewall has a default policy to accept everything. Let's write down the default policy: by default, that is if no rules match, we will accept the packet. So it's a rather open firewall. We want to accept everything but block some things. For example, let's say you want to block computer two from accessing the web server on computer one. Create the rule. What are you going to do? This is going to be your task in the online quiz, and some of you will have the task in the labs as well: block computer two from accessing the web server on computer one. How?

A firewall, yes, but what's the rule for the firewall? Filter the IP and protocol? What IP? Let's create the rule here. Think of the firewall table as containing a set of rules, a set of rows, where we look at the source, the destination and the transport protocol being used, and if our packet matches a rule we take some action. So we need to specify the rule to block computer two from accessing computer one. What's the source IP address? This network is an internal network; this is outside. Computer one is our web server. We want to allow everyone to access it except computer two; we don't like them, we think they're malicious, so we want to set up the firewall so that they cannot access the web server. The source IP would be that of computer two, so the rule should say that the source IP is 2.2.2.2. In fact, I've just listed the column as "source" here.
Remember, there are two things that identify the source: the source IP identifies the source computer, and the source port number identifies the source application. So we'll list both of them under this source column, and the way I'll do that is to write the IP address followed by a colon followed by the port number. We'll come back to the port number. Destination address: we want to stop two from accessing the web server on one, so the source address must match that of computer two and the destination must match that of computer one. What protocol? TCP is the transport protocol, because we said to stop access to the web server. What protocol do we use for web browsing? HTTP, but we're looking at the transport protocol, not the application protocol. HTTP uses TCP, so the protocol must be TCP. But we're still missing some things: the source port number and the destination port number. The easy one first: the destination port should be 80. Again, stop computer two from accessing the web server on computer one; the destination port will be that of the web server, which is 80. Source port: what port number does the web browser on computer two use? Anyone with a computer, open your browser and find the port number it uses. Open your browser, connect to a website, and type netstat in your terminal. netstat, N-E-T-S-T-A-T, network statistics. To make it easier to see, use netstat -t. You'll see a list of values; scroll up and look at the local address, your address, 10.10.10.102. Read out those five-digit port numbers: 58444, 58441, these are the port numbers of his web browser; 58438, 58424. Any structure?
No, so the browser doesn't use a fixed port number. The web server uses port 80; we know that. But for a browser, when you start the browser and it tries to connect, the operating system assigns a port number from some range. It's not random, but it's assigned dynamically. So when the user on computer two opens their browser, it will get a port number and try to connect to our web server with destination port 80. But we need to configure the firewall rule before they connect, so we won't know the port number used by computer two in advance. There's no way to know that, because today it uses 50481 and tomorrow it uses a different number. So for the source port number, what will we use here? Any value: star. So in the firewall rule, when we configure it, we say: if it comes from computer two from any port, going to computer one specifically to port 80, and using TCP, then we'll take some action. We don't specify a specific port number; we say any value, which I'll write as a star, meaning anything matches. It's just a range: all possible port numbers. If the packet matches those conditions, what do we do with that packet? We take the action of dropping it. Easy.

The user on computer two opens their web browser; it gets some port number, 50481, and they send a packet to destination port 80 on computer one. It gets to the firewall. The firewall looks at the packet information, compares it against this preconfigured rule and sees that it matches, and therefore the firewall drops that packet, not allowing it to go to computer one. To go through it again: computer two wants to connect to the web server, the web browser starts and gets a port number, similar to his laptop, assigned by the operating system to the browser, and sends a packet across the network to the firewall. The source port is 50481, the source IP is 2.2.2.2, it's sending to 1.1.1.1, destination port 80, using TCP as the protocol.
Therefore the packet information matches this rule and the firewall drops that packet, deletes it. It doesn't send it through to the destination, achieving our aim that computer two cannot access the web server. Any questions on that? That is the simplest of firewall rules you'll see.

Let's create a new one then, a different scenario. Let's go back to our start and try it with a different default policy and a different aim. In that first example we said the default policy was accept: if a packet did not match the rules we would allow it through. Let's try the opposite. Default policy is drop, which is more secure and is what's recommended. Meaning: let's set up this firewall to drop everything; no one can communicate via the firewall unless we add a rule to allow them. And a different aim: we want to drop everything, that is block everything in the network, but let's say we want to allow the person on computer one to access the web server on computer two. Block everything, no internet access at all, except computer one can access the web server on computer two. Try to set up the rule. If computer one tries to access the server on computer two, think about the packet. What would the source IP be? What would the destination be? Protocol: we're still using web browsing, HTTP, and the transport protocol is TCP, so that's easy. So just write the rule to, sorry, not to stop, what did I say, to allow computer one to access the server on computer two. We want to stop everything except computer one accessing the server. What are you going to do? You go get a job next year, or maybe in summer training in the next month or so, you go work at a company and they ask you to set up their firewall. If you don't set it up correctly and someone attacks their network, they fire you.
What are you going to do to set up this firewall? Quit the job? Nice life you're going to have, just quit the job, give up. Think of the source: who's the source? We want to allow computer one to access the web server on computer two. Source, okay, 1.1.1.1, good. This is what we want to allow to happen: we want one to be able to communicate with the web server on two, so web browsing, very simple. So yes, source IP, and the source port number is the port number of your web browser. How about a different challenge? This is you in the lab, or in SIT, and you have control over the firewall. SIT set it up to block all your internet access, but now you want to access your favourite website, so what do you do to allow yourself on computer one to have access? What port number is your web browser using? What's this, sign language? What sign? Star, okay. Star, meaning the port number of your browser may be any value; the administrator of the firewall doesn't know what it will be in advance, so we set it to any value. Destination: two, this is easy. Destination port 80. Protocol TCP. Action: accept. If a packet arrives at the firewall and it's from computer one, any port number, any application, and it's going to computer two, specifically to the web server on computer two, using TCP, then let's let it through. Let's accept that packet, meaning it can go through the firewall to destination two. Default: if a packet doesn't match that, drop. Easy.

What's the problem? We need to allow the response to go back. We need a second rule for the response to come back. So it's not as easy as the first case, because this rule allows my request to go to computer two, but of course web browsing is not much fun if you don't receive a response. Computer two sends back some response, with source computer two. Does it match the first rule? No; the response doesn't match the first rule.
There are no other rules, therefore the action to take for the packet is the default: drop that packet. So although we allow the request to go out, we don't allow the response to come back, so we need to add a new rule to allow that. In fact it's not just the HTTP request and response; it's the TCP connection setup. I have a picture somewhere, just a quick reminder of how web browsing works. Computer one wants to connect to the server on computer two. They want to send a request, but we don't immediately send the request; we first set up a TCP connection. Computer one sends a TCP SYN segment to computer two, computer two responds with a SYN-ACK, and then computer one responds with the final ACK. This is the three-way handshake that sets up the TCP connection. Once that connection is established they can transfer data, and the data is computer one sending an HTTP request saying "I want this web page" and hopefully computer two sending back a reply saying "here is the web page". There may be some further ACKs that come as well. But remember we actually set up a connection first. So to allow our web browsing we actually allowed that first SYN packet out, but we need a new rule to allow the response to come back. So we'll add that second rule now to allow the response. What's the second rule? The response is coming from computer two. Port number: it's coming from the web server; if I send a request to a web server the response is going to come from that web server, from port 80. Destination: it should be coming to computer one. Destination port: we don't know, star. Remember this is to cover the response from the server to the client, and we don't know the client's, the browser's, port number. Still using TCP, and we need to accept that.
So we need to be careful: we need to allow the request, the packet, out, and of course most applications are request-response based, so we need to allow the response back. Anything that comes from the web server on computer two going to computer one will be accepted, anything going from computer one to the web server on computer two will be accepted, and everything else will be dropped, blocked. That should allow all of those packets through the firewall: the first SYN packet coming from computer one to the web server on computer two; the SYN-ACK coming from the web server on two going to computer one will be accepted, and so will the ACK, the request and the final HTTP response, because they all have those same addresses. Anything hard so far? No. So a small extension to allow the response.

What's the problem? You've just failed: you configure your firewall and the company fires you because someone hacks into your network. What have you done? You've opened up a hole somewhere. It's not an easy one to take advantage of, but it's possible. Someone sends to two or one. These are the rules: everything will be dropped except packets that meet these conditions. So what have we done wrong, or what can we allow? There can be a response without a request. There can be a packet from who? Let's say now the user on computer two is some malicious user; they want to get a packet through your firewall. How do they do it? Well, if their application uses port number 80, this second rule will allow the packet through. The firewall should only allow web browsing from one to two; it shouldn't allow computer two to send arbitrary packets to computer one, but it can, because what the user on computer two does is create their application that uses port 80 and send a packet to computer one, and that will be accepted by the second rule. So if the user on computer two can create an application that uses port 80 they can get their packet through the firewall, defeating our original intentions. That assumes the user can use port 80. Can you use port 80 on your computer? Those with computers open, do you know how to use port 80? How about this: you can do anything you like on your computer. If you've got control of the computer you can program it to send with whatever address you like. Remember this is a packet that is created at computer two and sent out: the source IP will be 2.2.2.2 and the source port whatever computer two wants it to be, because it's under the control of computer two. So yes, we can send a packet with source port 80, either by creating an application that uses that port or by using a fake port address; it's not hard to use fake addresses. So we opened a hole, with the unintended consequence that computer two is now allowed to send packets into the network even if it doesn't get a request from the web browser.

How do you close that hole so you can keep your job? How are you going to close the hole before your boss finds out about it? Delete the rule? But then you block web access and your boss will certainly notice that. We needed this second rule to allow the web server to send a response back. Computer one is the boss's computer; you need to set it up so he can access the website. If you delete the second rule he will never get a response and he'll fire you in five minutes. But you've got a bit more time now, because he doesn't know there's a hole in the firewall, so how are you going to fix it? Any ideas? Sorry, use authentication? Well, no, let's say all we have available is looking at the packets. Set the destination port? Okay, but what are you going to set it to? Set the destination port here to what value? Remember this is the configuration of this firewall, some device on the network, and the port number is chosen by this computer. When the boss starts his browser it gets a port number; he starts it tomorrow, he gets a different port number. Which one are you going to set it to? It's going to take many possible values, that's why we use star, any value. But maybe you're on the right track; there are different ways. Set the port again, force his browser to use the same port? I don't think it will work very well, because usually when you open multiple tabs a browser may use multiple ports. Okay, yep. We need some other condition that says: only accept this packet if it is a response to a previous packet. That was the intention of this second rule, to say that if we send a packet out, this is to accept the response coming back; it shouldn't match if it's the original packet, the first packet. So that's the idea, and we'll go straight to that: if we can keep track of what's happened in the past, then we can effectively add more conditions to this rule to say, if we sent a request out then we should allow the response to come back. That makes sense, because I think most applications need that. So keep track of what's happened, so that we don't allow any packet at all to match this condition. There are actually two ways. One is, if you look at the TCP connection setup, we could use those values: the first packet is a TCP SYN segment, the packet coming back is a SYN-ACK, so that second rule should only match a SYN-ACK, or packets that we can identify as responses to previous ones. So somehow we need to identify a response and attach that condition to rule two. It gets a bit harder than we originally thought of allowing web browsing.

Let's go to the easy way to do it. We add a new feature to the firewall, what's called stateful packet inspection, and it will simplify our task and make your job much easier when you set up the firewall. So far our firewall is what we call stateless, in that it doesn't keep track of what happened to packets in the past, but that doesn't work so well, especially when we have connections. So we'll introduce this new piece of information to keep track of past packets, especially past packets that have been accepted. Let's use our example to explain how SPI, stateful packet inspection, works. The idea is that if we allow this first packet out from computer one to the web server on computer two, then we should allow all of these other packets through the firewall; we should automatically allow them, and that's what stateful packet inspection allows us to do. It keeps track: if we accept the first one according to the firewall rule, then all of the others which are related to that one, let's accept them as well.

Let's see how it works. Let's return to just our first rule, which was: the source is 1.1.1.1, any port, going to computer two, port 80, protocol TCP, accept. Our default policy, same as before, is drop. Before, we added the second rule, but we saw it allowed packets in; it gave us a hole. So let's not add this second rule and use just the first one, but now let's introduce another table of information called our stateful packet inspection table, the SPI table, where we'll keep track of packets allowed. We'll keep track in this SPI table of the original source, original destination and protocol, and we'll add another column, state. So this is a second table that we store in the firewall: we have our rules, but we have this other information stored as well, and let's see how we use it.

Computer one tries to establish the connection. I'm going to flick through, but computer one in this case establishes the connection again. Its IP is 1.1.1.1 and the IP of computer two is 2.2.2.2; in this example computer two is a web server running on port 80. What port number is our client running on? When we start our client it gets assigned one; let's give it 40163, just a random port number in some range. So the first thing that happens when computer one tries to contact the web server is that it sends this TCP SYN segment, where the source address is 1.1.1.1 and port 40163 (just a random one I've chosen), the destination IP is 2.2.2.2, destination port 80, protocol TCP. That's the packet information. This SYN segment goes from computer one and gets to the firewall. Is it accepted or not? Go back to our firewall: does that packet get accepted, yes or no? The first packet in our web browsing from computer one to the server on computer two, is it accepted? Yes, because it's from computer one to computer two, port 40163 going to the server; this rule matches the packet and therefore we accept that packet. So that's the normal behaviour of our firewall: compare our packet against our rules, we accept it, we allow it to go through to computer two. But also, because we accepted it, we add an entry to this SPI table; we keep track of the packets we've accepted. So let's add an entry that keeps track of that information. To remind us: a packet from computer one with source port 40163 was allowed to go through to computer two with destination port 80; that's the SYN packet, the first one. So let's record those addresses and write them down here: from 1.1.1.1, port 40163, destination 2.2.2.2, port 80, protocol TCP, since we're still using TCP. That was the packet accepted; it has these values in the addresses, and we record this information along with what this packet is related to, and that's what this state is. This is related to setting up the connection. I won't write it here because we'll run out of space and I'll change it quite shortly, but the state at this stage is that we're trying to set up the connection; this one packet was to set up the TCP connection, so we record this in the table.

Now the second packet comes back. The SYN was accepted through the firewall and got to computer two, and computer two, the web server, sends back this SYN-ACK: source IP is computer two, source port is 80, destination computer one, destination port 40163, still using TCP. It gets to the firewall, and now what the firewall does, before it looks in the firewall rule table, is compare the packet to the values in the SPI table. We've recorded these values in the table; the packet that came back was from 2.2.2.2 port 80 and it was destined to 1.1.1.1 port 40163, and because the values match its SPI, stateful packet inspection, table, the firewall automatically accepts it. Now note that they don't match source-to-source and destination-to-destination; it's the opposite, because it's the response, those values are swapped. That is, the source was 2.2.2.2 port 80 and the destination was computer one, but it is still considered a match with respect to stateful packet inspection, because the response packet belongs to the connection identified by these values. So that packet is automatically accepted. The idea is that once we allow a connection using our firewall rules, all subsequent packets related to that connection are also allowed: our responses are allowed, the SYN-ACK, the ACK and so on are allowed, without having specific rules in the firewall.

What does the state do? The state is used to indicate what part of the TCP connection setup we are in. For the first packet we were setting it up; eventually it would become established, and it would store a value saying the connection is established. TCP connections go through different states, but the one where we've set up the connection and can send data is called established. Once we have this entry in the SPI table, any packet that matches these conditions is accepted automatically; we don't check the rules. If it doesn't match these conditions we go back to checking the rules, and if it doesn't match any of them we go to the default policy of dropping. This greatly
simplifies our firewall rules we just need our original one rule we don't need to deal with the response spi automatically does that for us so actually we now have two tables of information the rules and the connections questions on stateful packet inspection so you can impress your boss when you go get that job so think of it as an extension of the basic firewall the basic firewall we just have the rules but with stateful packet inspection we can simplify the rules by keeping track of the connections that we've already allowed note that a connection in the internet is uniquely identified by these five values when your browser talks to a web server then there should be in the internet no other browser using the same source ip and the same port number talking to the same web server those addresses identify that unique connection in the internet therefore if we ever see a packet that matches these either the source matches this and the destination this or the opposite way if it's coming from two and going to one then we can accept it because we accepted it from here so in practice stateful packet inspection is commonly used one way to think of it is now we have two tables a packet arrives at the firewall first check in the spi table doesn't match if so except if not let's go to our rules in the firewall and take the action if it matches if it doesn't match take our default action drop so you can think there's sort of three steps spi table first the rules otherwise the default action any questions all easy quiet means easy correct let's go back to our lecture notes then and see what we've missed so we said just going back that we've got packet filtering firewalls this basic concept of look at the packet header information we can extend that with stateful packet inspection there are some other type of firewalls called proxies but we're not going to introduce them okay we're going to keep it simple and stay with the basic ones but they're still important but we'll just 
stick with packet filtering firewalls so that you can be experts on that we saw that the most common information that's used to filter packets is IP address port number protocol number but you can use other information you can use what interface did it come in on the firewall you can use MAC addresses you can use TCP flags is it a sin segment is it a sin act so you can use other information but these are the five common ones which are important rules are processed in order in our firewall so always think of them as a packet comes in compare against the first rule if it matches take the action and you're done if it doesn't match move to the second rule and keep going and there's usually some either some rule down the bottom that captures everything or just a default rule default action to take where do you find firewalls in software most operating systems have inbuilt firewall software we'll use IP tables so you'll get some experience with IP tables in Linux for firewall setup you can install your own software so you can download some software to install firewall on your computer but that's more so well that's for say firewalls on the end computer but in large networks usually the firewalls are installed on network devices with the aim of protecting the entire network rather than having to have a firewall on every computer so most routers most large routers when you buy them may include some firewall capabilities or you can buy dedicated hardware that acts as a firewall if you need to have a fast processing speed packet filtering firewalls are quite simple we just set up the rules transparent to users meaning the firewall doesn't modify anything it either blocks or accepts the simplest terms it doesn't change anything so the user right if it's blocked the users will know but if it's accepted the users won't know the other types of firewalls that we go through using proxies may change the data as it passes through the firewall so it's not transparent it may modify 
the data. They're very fast because the functionality is not much different from a typical network device like a switch or a router, so they can process packets very quickly and they don't delay packets much. Some attacks, some malicious software for example, firewalls cannot prevent; simple packet filtering firewalls cannot prevent them. If they're just looking at the header fields, they don't look at the data. If this packet contains a virus or spam, our simple packet filtering firewalls won't detect that; they're just looking at who's sent it, who it's coming to, and a few other things.

How do we use our packet filtering firewall to allow one user to access a website but stop other users from accessing the same website? How can we do that? Allow me to access a website but stop all the students from accessing the website from SIT. How could we set that up? From my office computer in SIT I need to be able to access some website, Facebook, but no students in SIT can access Facebook. What would we do at the SIT firewall? Okay, we need some way to identify the user, but packet filtering firewalls generally don't consider that. Okay, yes, you're right, we could do that. What's a simpler way, maybe not as good? IP address. Configure the firewall: if it knows my office computer's IP address, say everything from Steve's computer with this IP address, let it go; from all other IP addresses, block it. Okay, so in simple firewalls we can use IP addresses, but more advanced features... today I'm using one IP address, but on my laptop I have a different IP address, so how do I allow that? That's when we need some more advanced way to identify the user. Simple packet filtering firewalls don't do that normally; we need more advanced features.

As with any firewall, if you set it up wrong you could have a compromise in the security of your network. If you add the wrong rules, if you make a typo when adding those rules, then maybe something is allowed in that shouldn't be.

Stateful packet inspection: keep track of the connections, accept everything relating to those connections that have already been accepted. The problem with stateful packet inspection is that we need to keep track of many connections sometimes. Let's show an example. It's hard to see. Here's one computer and we'll look at the firewall. I have to zoom out a bit; we're not going to explain all of it, but you'll see these are rules in a firewall. So if you look at a particular line, you see this firewall says: accept packets which are using TCP, coming from this source address, and this is a special value meaning any source, all zeros, coming from anywhere, so think of a star, going to computer 192.168.122.10, so that's the destination IP address, and destination port, dpt, the destination port is 80. So this is saying this firewall is set up to say anyone who contacts the web server on this computer .10, the packet will be accepted. Okay, and there are some other rules to allow access to secure shell servers, 22, email servers, 25, secure web browsing, HTTPS, port 443. Okay, so just an example of some rules in this software, or this firewall. Stateful packet inspection is enabled using this special rule to say record the established connections. So remember there are two tables: the list of rules, and another SPI table that keeps track of all the connections. That's stored separately. It's hard to see because it's quite large, but we'll try. The software keeps track of connections, called nf_conntrack, connection tracker. Again it's wrapped across lines, but let's just highlight some values. So every line is one connection that this firewall is tracking at this point in time, and we see some values: that this connection is established, that's the state; the source is computer 192.168.122.11; destination, 150 address; source port 80; destination port 53968. So this is the SPI table. Any packet that comes into the firewall that matches those values, where the source and destination can be in either order, will be automatically accepted. That's the idea here. And there are many different values if we scroll through. Okay, so just an example that we keep track of many connections over a period of time. The state of those connections may change. The idea is that if there's no packet sent along those connections for some period of time, delete it from this table, so a timeout value. So we have two tables: the firewall rules that you, the administrator, create, someone has to set this up; and the SPI table, or the list of connections, that is automatically created by the firewall. You don't have to manage that.

Ad blockers. Ad blocker software, what do they do? They do filtering, yes. So, yeah, they use similar concepts, filtering based on... they look at addresses and domains, I think, but they also look at content, more than a packet filtering firewall. In this firewall we don't really look at content, whether the web page contains this text or not. Ad blockers will look at content. Any other questions on firewalls? We're going to stop there on firewalls. We will not go through the proxies; there's only a few slides on the proxies.

Firewall locations. Where do you put them? Well, in practice, in large organizations you don't put them on the end user computers, or they may be on the end user computers, but the firewalls are usually located on network devices, routers and switches, or special network devices, so that they cover all traffic for the network and we don't need to set up a firewall on every computer in the organization; we can do it in one central location. It's common to separate the internal network into zones, two zones: the internal network for all the workers, or the computers, and the internal network that has servers which should be accessed from outside, like web servers, email servers. So we can think inside SIT there's a SIT web server which is inside our network, but people from outside should be able to access it, but then there's my computer which is inside the network; people from outside should not be able to access it. So we separate them out, and the concept, or the terminology you may hear, is that we put those public facing servers, the ones that people from outside need to access, in a demilitarized zone, a DMZ, some part of the network which is separated from the rest of the internal network. For example, this is our internal network, office computers and so on; no one from outside needs to be able to access them. So here's outside: the router is this red one, out here is the rest of the internet. No one outside should be able to access our internal network, but in this DMZ is our web server for SIT, our email server, and again they are part of our internal network but they need to be able to be accessed by people from outside. So we actually separate them into two zones. This zone which is separate from internal and external is the DMZ, and this green box is the firewall. It should be set up to say if someone sends in to one of our servers, send it into that zone; if someone sends in to something that's not a server, block it. So it's easy to set that up. And if you want to be extra secure you can use two firewalls. If someone sends in, the first firewall will direct it into the DMZ. Nothing will go from the first firewall to the second firewall to the internal network unless it's a response to what came out. And having two firewalls adds extra security, because if there's an attack on one of them and it's compromised, or it's misconfigured, someone sets it up wrong, then we have the second one as a backup. So if there's an attack on the first firewall and an attacker can get their packets through it, then the second one, if it's configured correctly, will block those packets to the internal network. Then similarly, if there's a misconfiguration in the second one, the first one should block and not allow anything through. Let's stop on firewalls. Just a quick
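The two tables the lecture walks through, the administrator's rule list and the connection table that nf_conntrack keeps, as an added Python simulation (not the lecture's firewall software or its real listing): a packet that belongs to an already tracked connection is accepted in either direction without consulting the rules, otherwise the first matching rule decides, and idle entries time out. The server address 192.168.122.10 and the ports 80, 22, 25 and 443 come from the listing above; the client address 150.0.0.5, the denied host 10.9.9.9 and the 60-second timeout are constructed.

```python
from collections import namedtuple

# a packet header as the filter sees it: transport protocol, source/destination IP and port
Packet = namedtuple("Packet", "proto src sport dst dport")
# a rule: action plus match conditions; None means any (the all-zeros wildcard in the lecture's listing)
Rule = namedtuple("Rule", "action proto src dst dport", defaults=(None, None, None, None))
def matches(rule, p):
    """True when every condition the rule sets agrees with the packet header."""
    wanted = ((rule.proto, p.proto), (rule.src, p.src), (rule.dst, p.dst), (rule.dport, p.dport))
    return all(want is None or want == have for want, have in wanted)

class StatefulFilter:
    def __init__(self, rules, default="DROP", timeout=60):
        self.rules, self.default, self.timeout = rules, default, timeout
        self.conntrack = {}   # the second table: tracked connection -> time of its last packet

    @staticmethod
    def key(p):
        # endpoints kept as an unordered pair, so the reply in the other direction matches too
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p, now):
        # connections idle longer than the timeout are deleted from the table
        self.conntrack = {k: t for k, t in self.conntrack.items() if now - t < self.timeout}
        k = self.key(p)
        if k in self.conntrack:               # established: accepted without consulting the rules
            self.conntrack[k] = now
            return "ACCEPT"
        for r in self.rules:                  # otherwise the first matching rule decides
            if matches(r, p):
                if r.action == "ACCEPT":
                    self.conntrack[k] = now   # an accepted connection is tracked from now on
                return r.action
        return self.default

WEB = "192.168.122.10"   # the server in the lecture's rule listing; other addresses are constructed
RULES = [Rule("DROP", src="10.9.9.9", dst=WEB, dport=80),     # one host denied the web server
         Rule("ACCEPT", proto="tcp", dst=WEB, dport=80),       # web, ssh, email, HTTPS for anyone else
         Rule("ACCEPT", proto="tcp", dst=WEB, dport=22),
         Rule("ACCEPT", proto="tcp", dst=WEB, dport=25),
         Rule("ACCEPT", proto="tcp", dst=WEB, dport=443)]

def demo():
    fw = StatefulFilter(RULES)
    request = Packet("tcp", "150.0.0.5", 53968, WEB, 80)
    reply = Packet("tcp", WEB, 80, "150.0.0.5", 53968)
    return (fw.filter(request, now=0),      # matches the port-80 rule: ACCEPT, connection recorded
            fw.filter(reply, now=1),        # found in the table: ACCEPT although no rule covers it
            fw.filter(reply, now=100),      # entry timed out and no rule fits a packet leaving WEB: DROP
            fw.filter(Packet("tcp", "10.9.9.9", 40000, WEB, 80), now=0))  # first rule wins: DROP
```

Note that the reply direction is never listed in RULES: it only gets through while the connection table remembers the accepted request, which is exactly why the table needs a timeout.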
