 So we've looked at malicious software, we've classified different types of malicious software and the previous topic we looked at denial of service attacks. Now we'll look at one form of protection, protection for a computer or more commonly a protection for an entire network of computers and that is firewalls. So we'll look at what firewalls can do for us in providing IT security and classify some different types of firewalls and give some simple examples of how we could set up a firewall to achieve some aim. What is a firewall? Everyone may have heard, I think, of a firewall. Has anyone used a firewall? Yes? What? Where did you use it? Sorry? What software did you use or what system did you use for a firewall? Windows has something built in as a firewall, okay? So in the last maybe five years ago you could download many different free software, zone alarm and many different pieces of software you install on your computer that does many things. One of them is act as a firewall. Nowadays some operating systems will have a firewall built in. What does it do for you? It protects you from what? It protects you from malicious things, people, malicious attackers, okay? But how? What do you think it does? How does it protect you? Antivirus I think we know is something that will scan files and check if there's a virus in there. That's how antivirus software works. What does firewall software do? It acts like a wall to stop fire, yeah? So it checks, right, it checks the packets coming into your computer or going out and looks at those packets, things like the addresses of those packets, the protocols being used and tries to make a decision whether that should be allowed in or not or allowed out or not, okay? So we'll see it can be more advanced than that, but we'll spend some time looking at a firewall that would monitor the traffic coming in and out of your network or computer. 
So a firewall is a piece of software or a device that will control the flow of packets between different points with the intention of trying to stop the packets that can cause harm. That is, if the firewall thinks some packets are going to do something bad on your computer, then the firewall will try and stop them before they get to the location where they can do something bad to the software or other computers. The picture here tries to capture the fact that with a firewall, we really separate between two sides: the internal system that we're trying to protect and the rest, the external network or users. Now, a firewall, we'll mention, can be either per computer or per network usually. That is, you can run a firewall on your computer with the aim of protecting your computer only, or you can run a firewall on some other device with the aim of protecting a bunch of computers in a network, which is more common nowadays. So generally, we can think of a firewall as some device or piece of software that's trying to protect an internal network, and protecting may mean that as packets come into the internal network from the external network, the firewall will check them and see, is this packet allowed or not? If not, don't let it in. We say we'll drop the packet. If it is, let it in. And similar can happen from internal computers sending to the external network. As we send packets out through the firewall, the firewall will look at the packet and, based upon some rules, check, is this packet allowed to go out? And if so, let it go through the firewall; if not, drop it. With the intention, for example, that we have a computer in our internal network and we don't want anyone outside to be able to access that internal computer. Maybe it's just for internal use only. So the firewall could be configured such that if someone sends a packet from the external network which is destined to that special internal computer, the firewall could block that packet. Don't let it in. 
And it may do more advanced things like check the content of the messages coming in. So we'll see some examples of that as we go through. What do we say here? Internet connectivity is essential for organizations. I think we can agree that, again, for an organization, we need internet connectivity. To keep our network secure, we can't just disable the internet. So, from an organization's perspective, we need to allow the users on our internal network to access the internet, to do their job, to do what they need to do. But we need to make sure that our network remains secure. So allowing internet connectivity creates a threat, because malicious users can try to upload malicious software or obtain confidential information, for example. So a firewall is one way of trying to protect entire networks, usually local area networks. And unlike what you may do at home where you have a firewall on your computer, in many cases a firewall will be applied for an entire network. So I could install a firewall on my laptop and set it up to try and protect my laptop. And then we install a firewall on this desktop PC and set that up to try and protect it. But what would be better from an organization's perspective is to have one firewall that covers the entire network, that is, all our computers internally. And that's a more common configuration, especially for large networks. So the idea is that, say, for an organization which has many computers internally, to try and make them more secure, we have a single firewall for the entire network which will try and control the traffic coming in and out of our network. So the firewall will be inserted at a location in the network where the traffic needs to go to the external network. For example, within SIT, we have a gateway that connects us to the Runxit campus. And that's our primary connection to the Internet. 
For our internal campus, to connect to the Internet, we actually connect to Runxit, which then connects out to the Internet. So we have one device that has a link going to the Runxit campus. So that device is a good point to locate a firewall because all of the data coming out of our campus goes via that device. And all of the data coming into our campus goes via that device. So if we run a firewall on that device, it can check the data coming out and in and check whether it should be allowed or not. So the firewall is usually inserted in our network at the edge of the network to some external network. So it acts as a perimeter defense. That is, it's protecting the outside of our network. If we can think we have a fence around our network to protect the internal network, the firewall is a perimeter defense. The idea is that all the data from outside coming in goes via the firewall, so the firewall can check it, and similar in the opposite direction. So we say it's a single choke point. Everything goes via that device. And that means that we can implement security policies there, what can come in and out. And also, auditing is something that's common with firewalls, which is really counting. Auditing is counting and checking that what we're doing is correct. We'll give some examples of them in the next few slides. Yes, sometimes if your traffic wants to go outside, it needs to be checked by the firewall. So normally a firewall, we think we want to protect our internal network from the external users, but sometimes we'd like to also control what the internal users can do. For example, we could set the firewall so that the internal users cannot access Facebook. So that's also a mechanism that a firewall can be used for. That's blocking or controlling the traffic going out. So it's not just about protecting the internal users from external threats. Well, that's a main security aim. So we need some device which will control what comes in and out. 
Some of the things that we aim to achieve when we design a firewall or use a firewall, we want to make sure that all the traffic between the inside and outside goes through the firewall. And that's an important point. If we're using a firewall for a security mechanism and we set up the firewall here, but then we allow from our internal network a second connection to the internet, which bypasses the firewall, then it allows some traffic to bypass the security mechanism. So we want to force all traffic from internal to external and the other direction as well, should be all forced to go through the firewall so the firewall can check that traffic. We shouldn't allow other connections to bypass the firewall. And that's difficult in some cases. In many cases, it's possible to bypass the firewall. And we'll give a few examples shortly. So there are goal, everything goes via the firewall. And we have a security policy, say for our organization. Our policy may state what we should allow in and out or what we should block. And the firewall should be set up so that only the authorized traffic as defined by that policy will be allowed. So the policy may say internal users cannot access Facebook. And the policy may also say no one outside can access this particular server inside. The firewall needs to be set up to implement that policy. The firewall is an important part of the security of the network and therefore should be immune to penetration. That is, if the firewall is compromised, then the whole security of the network can be compromised. If, for example, some external user manages to install some malicious software on the firewall, then they can set up the firewall so that they can bypass it. So the firewall must be strong and be difficult to compromise. And we'll talk about towards the end of this topic some different setups to make it stronger. So everything should go through the firewall. The firewall will allow traffic which is authorized to pass. 
What's not authorized should be blocked. And the firewall should be difficult to compromise. How do we control what goes in and out or what is allowed to pass? There are four different ways. We talk about service control, direction control, user control and behavior control. Service control is really looking at the network packet information. So looking at IP addresses, which usually identify computers, looking at port numbers, which identify applications, and making a decision based upon that information whether this packet should be allowed in or not. So we'll have some sort of filter that says if the packet matches this destination address and this destination port, block that packet. Okay, so we'll define some rules that will do that. So looking at the packet addressing information. By service it usually refers to the application service. Is it accessing a web server, a secure shell server? Direction control is about the direction: is it coming into our LAN, our internal network, or is it going out? So we can make different decisions depending upon the direction. User control will make decisions based upon who the traffic belongs to. So if we send a packet out, if it's a faculty member's packet and it's going to Facebook, it can be allowed. If it's a student's packet and it's going to Facebook, it can be dropped or blocked. That's an example of user control. We control the traffic based upon who is the user. Now of course for that to work, we need some way to identify the users. Behavior control is looking at the content of the messages going in and out and making decisions based upon that content. So for example, a message comes into the firewall from external and it's an email message. The firewall looks at it, recognizes it's an email message, looks at the content of that email and recognizes that email is spam and therefore drops it because it doesn't want spam to come into the network. So that's looking at the detail of the content to make a decision. 
Do we allow it or not? So in summary, service control, look at the addresses in the packets. Direction control, which direction is it going in? User control, try to identify who is the user of this data that's coming in or out of our network and behavior control, look at the content and make a better informed decision whether this content should be allowed or not. We will mainly, I'll give a number of examples about service and direction control and a few about the others. Before we get to some examples and some, the capabilities, what we would like of a firewall. You should define a single choke point. By choke point, it means there's this point where everything goes via. So all the data coming out of our network and coming into our network should go via that single point in the network. It allows a location for monitoring things that may be security events. So it's a good point by the firewall that monitors all the packets coming in and out of our network has the ability to keep track of events that maybe they were potential attacks. So maybe the firewall recognizes there are many packets coming in which it's blocking. So that may indicate that maybe someone's doing some attack on our network and that can be useful for other purposes. A firewall is a good place to do things which are not security related. Because all the traffic is going through the firewall. The firewall is then a good place to do things like count how much traffic is going through it, say per user. That is for every student, if we can identify each packet and which student it belongs to, we can say, okay, today this student transferred or downloaded 10 gigabytes. And we can do things like add quotas or give warnings to students, you've downloaded too much today, please stop it. Or even have controls on, okay, this student is downloading too much, start to drop their packets. So that's not a security function, that's another feature. 
But it makes sense to implement that on the firewall because it's very similar to what the firewall needs to do. The VPN endpoint we will not talk about here. We have a topic towards the end of the semester which we'll talk about a virtual private network. And you'll see that the location of a virtual private network server usually can be the same location as a firewall. If we use a firewall, we don't solve all security problems. So there are some limitations. We can't stop someone bypassing the firewall. Well, sorry, we cannot control the traffic that bypasses the firewall. So if there is some way to bypass the firewall, maybe there's another link from our internal network out to the internet. And an obvious one is that someone has their mobile phone on the internal network and they plug it into their PC and they use their mobile phone and their internet connection, their 3G connection to get internet access. That's not going to go through the organization's firewall. It's going through the user's mobile phone companies network. So that bypasses the firewall. We have no way to control that traffic. And that's a limitation of firewalls. They only work when the traffic passes through them. How do we stop that? Let's say SIT, we have our firewall and it's set up so that all the fixed computers and the LANs, all the traffic goes via that one firewall and it controls what goes in and out. But then I come along and I use my phone for my internet connection. How can we stop that from happening? We could find some device that jams all mobile phones so that you cannot use the mobile phone. Okay, that may be illegal in some places. There's no easy way to stop someone using their own device for an internet connection nowadays. So the main way to do it is via user education and policies. That is, if you're an employee of SIT, you're not allowed to use your phone for an internet connection while you're inside. 
Or you're not allowed to connect your phone to your internal PC for internet access. So there's no technical way or it's very hard to stop it in a technical manner. You need to use policies or rules inside the organization. So the limitations, we can't protect our network when people bypass the firewall. We may not be able to protect our network against internal threats. The firewall is really controlling the traffic going from internal to external or external to internal. But what if there's someone malicious inside and they're doing an attack on some other computer inside? Then that traffic will not go through the firewall and the firewall will have no way to provide any protection. Wireless networks, similar to the first point, wireless networks are a problem. That is, if we have our wireless network, our Wi-Fi access, then again, when I use my laptop, it goes via the wireless LAN and then via the internal network and out through the firewall. So that's okay. But some wireless networks when they're set up are not set up very securely. And what that can do is allow someone who's really an external user access to the internal network and bypassing the firewall. So wireless LAN and other wireless technologies, if they're not set up securely, mean that someone can bypass the firewall. And other things, not just network connectivity, but for example, someone can bring in a USB drive, plug it into their work computer and if that USB drive has a virus on it, now that virus is on the work computer. There's no way for the firewall to stop that. Okay, so it's, again, this is a policy or a rule-based, you need policies to try and get people not to do that if you want highly secure networks. Some organizations will make it such that you cannot plug in the USB drive. So how do you do that? You get some glue or some material and you stick it in the USB drive so that they cannot insert their USB stick. And some organizations will do that. 
So you physically cannot insert the USB drive into a work computer. But of course, as you know, that can be very inconvenient. So that would only be needed in very secure installations. So there are limitations of firewalls. We'll look at, we'll go through, I think, three or four types of firewalls, but today we'll focus on the first one and give a few more examples of the first one and maybe tomorrow look at the other types. So we talk about packet filtering firewalls and we'll spend some time on them. They are firewalls that really just look at the packet headers. The source addresses, the destination addresses and some other information and make a decision whether to allow this packet in or out based upon the headers. So it's a filter in that some are accepted through and some are dropped. Related to that, we'll see stateful packet inspection. So they sort of go together, packet filtering and SPI. So we'll explain SPI after packet filtering firewalls and then we'll look at two proxy type firewalls, application proxies and circuit level proxies which use a slightly different approach to control the traffic. In all cases, the firewall is normally implemented on a router for an internal network's control. That is for your home computer or maybe even inside the office, you may have a firewall running on your computer. But the problem with that is that if we want to cover an entire organization, every computer in the organization must have the firewall software running and set up correctly. That's very hard to manage. Therefore, you have one firewall which controls all the traffic coming in and out of the network and therefore you don't need the firewall on individual computers. So one for the entire network as opposed to one for every computer. And the location to implement that is usually on a router because a router is the device that connects the internal network to outside. 
A router normally forwards traffic from one location to another and it's a good location for the firewall, and routers may do other things. We've mentioned they may act as a VPN, a virtual private network endpoint, or do accounting. Like I said, count how many packets are coming in and maybe even charge the people who are using the bandwidth the most. If it's a large organization then, say, the engineering department is using 90% of the internet connection and therefore they need to pay according to that. And other network related things may be implemented on the same device as the firewall, but we'll focus just on the control of the traffic, which is the role of the firewall. So again, who has a firewall? Who has used a firewall? Maybe on your computer. Who has used one on a network device? Like your home ADSL router or home Wi-Fi router. Usually they have inbuilt firewalls as well. It may or may not be enabled, but the home router, if you have ADSL, for example, or even Wi-Fi routers, they connect from your internal network using Wi-Fi or a LAN to some external network. And often they will come with firewall capabilities where you can set up some rules to control what comes in and out. So you probably have used a firewall even in your home, even if you haven't noticed or realized that. Let's talk about a packet filtering firewall and then give some more concrete examples. So we wanna control what comes in and out of our network. And we're gonna do that at the router, and on the router we will install either some firewall software or even some dedicated hardware. And we assume we have some security policy. Say for our organization, we have some things that we want to achieve in terms of security, e.g. students cannot access Facebook. No one outside can access Steve's laptop, which is internal. So there'll be some policy that we define and that would be implemented by a set of rules. So we talk about rules that will implement some policy. 
And in a packet filtering firewall, the rules define which packets can pass through the firewall. So really there's two choices for a packet that comes into the firewall: allow that packet through, or block or drop that packet. Block or drop means the same thing. So what we will do in a packet filtering firewall is define a set of rules which we aim to implement our policy, and those rules will look at the packets and make a decision. Allow or block, or accept or drop, is other notation. And the decision is made upon the packet header information. So I'll show you the packet headers; the packet headers that we may be aware of primarily include the IP headers and the transport layer headers like TCP and UDP. The decision can also be made upon the direction, which direction it's going. So what we do to configure the firewall is we add some rules to that firewall that say packets that match these conditions can be allowed through, and packets that match these other conditions should be dropped, not allowed through. We would talk about default policies. So instead of defining rules for every possible combination of packets, we'll start with some defaults. And there are two possible defaults: accept everything or drop everything. The other words for accept, we'll see that comes up in different software or different explanations. Accept can be allow or even forward. For a router, we usually talk about forwarding the packet through. And drop is also referred to as reject, discard or even block, okay, they mean the same thing. So there are two policies that we can use when setting up a firewall for the default, accept everything or drop everything. And once we have a policy, then we add rules to meet what were our aims of the organizational security. For example, accept everything means that if we don't add a rule, every packet will be allowed through. 
And then we may add a rule that says that it will cause the Facebook, the messages to Facebook to be dropped. So we start with accept everything, add rules to drop specific things. The other way is to drop everything. We start saying anything that comes to the firewall is dropped. Now we add rules to allow specific things through. With either we can usually achieve the same objective, that is we can achieve the same overall security policy, but it's usually recommended to start with drop everything. Why? That is, you have the task of setting up a firewall for your network. And the way that you do that, you add rules to that firewall, you state some rules. Anything that's going to the Facebook web server should be dropped. Anything coming, going to this other web server can be accepted and so on. So you add rules and I'll show you some examples of rules. But for those things that you don't define, you need a default policy. And the two options are either accept everything else or drop everything else. Drop everything else is recommended. Why? More secure. In this class that's no longer a reasonable answer because everything's about security. Everything, how is it more secure? Right, I think you're on the right track. In theory, we could do either. That is, if I have to accept everything, then I write my rules to drop the things I shouldn't allow, okay? Or I could start with drop everything and write some rules for the things that I should allow. In theory, they're both the same. But in practice, if I make a mistake, in the first case, if the default policy is accept and I make a mistake, it means I may allow something in that shouldn't. So I make a mistake and forget to add a rule to drop something. Or I miss, I type it in wrongly and it doesn't work. Then if I make a mistake, if the default policy is accept, then it gives a potential for something malicious to be accepted. But with the default policy of drop, if I make a mistake, then what's gonna happen? 
The packet will be dropped. And therefore, yes, it is more secure because the packets will be dropped. And what's the trade-off? What's the negative of using default drops? The right thing cannot come through and that means the users will be inconvenienced, okay? Let's say I set up my firewall and the default policy is drop. I add some rules and I want to allow my users to access Google, okay? Or internal users should be able to access Google website. I want to allow them but I forget to add the rule to allow them. I'm busy so I forget to add the rule. What's gonna happen is that when someone tries to access the Google website, the firewall will drop their packets. It'll block them from accessing Google. So that's not a security threat but it's an inconvenience for the users so the users are gonna call me up and tell me, please fix the firewall, okay? So the recommended approach is drop everything, add specific rules to allow the things that you want. But we'll see examples of both. What have we got? So what a packet filtering firewall does is we create rules to decide what should be accepted or dropped and the things that we look at are the packet headers and the information that we make a decision based upon includes the IP address of the source or destination, the port numbers used in the transport protocols because port numbers usually identify applications in use. If we see that the destination port number is 80 then that indicates that this is web browsing. It's going to a web server because all web servers by default use port 80. If it's going to port 25, then this indicates this packet is part of an email application because we know that email servers use port 25 and so on. So the port number indicates what application is in use and we can make decisions based upon different applications. Protocol number tells us whether it's TCP or UDP or some other transport protocol. So we can decide allow TCP in, don't allow UDP, for example. 
The other thing is about direction, and where the packet came from. So we'll see that the interface for a firewall in more complex networks can be used. That is, where did it come from coming into the firewall? So what we'll do when we create firewall rules is we'll use this information to create a rule which is really a set of conditions. If the conditions match then we'll take some action. So the rules are a set of conditions using the packet information as well as the direction, coming in or going out. We can use things like wildcards to make it simpler. That is, if packets match these conditions, so we can use some syntax to make it easier to match multiple conditions, multiple values. If the packet matches the conditions that we define then we take some action, and the action is typically accept or drop. Allow it through or don't allow it through. And we'll write a set of rules, and the firewall, once we write those rules, will process them in order. So let's see some examples of packet filtering firewalls and write some rules. For the examples I'm gonna show, grab one of these and pass along, you only need one. I forgot to include this in the latest set of the handouts. It's just the pictures of the networks that I'll use in the example so you can keep note of that. Okay, there should be plenty of copies. Just need one, it's just so that you can draw on that rather than in your handouts. But there, that's fine, thanks. I'll explain that picture in a moment but before we do that, while we have it here, we're going to make some rules that will look at packets and in particular the packet headers and make a decision based upon the header values. And just to remind us of the structure of the common packets that are used in the internet, this is the structure of an IP datagram or an IP packet. So when we're using the internet, we think everything follows this structure. All of our packets are IP packets. 
And the things of importance there, so the fields: what's important in this packet header with respect to the firewall? So this is what's in every IP packet. The version of IP we're using, the header length, the total length of the packet, the protocol number, checksum and other things. With respect to the firewall, the three fields really of interest are the source address, the destination address and the protocol number. They're the main things that we'll use in a packet filtering firewall. The source address, the destination address. You don't need to remember the header structure but be aware that those three things are in the IP header. So as the packet comes to our firewall, the firewall will check the values of those three. The protocol number tells us what transport protocol is being used. If the number is six, it means that the transport protocol is TCP. And if the number is 17, it's UDP. If it's number one, it's ICMP, and there are others. Okay, so the protocol number tells us really, what's the data inside this IP packet? And that can be useful because we can have rules that will try and distinguish based upon the transport protocol. And of course, the IP addresses are important. The source address tells us who sent this on the internet and the destination is who it is going to. So for example, if we're trying to control traffic coming from outside in and into a particular computer, let's say into Steve's laptop, then the firewall will be configured, since the firewall administrator must know the IP address of my laptop, to say, if the destination address matches Steve's laptop IP address, then take some action. Okay, so we'll use the IP address to identify computers. And in fact, we can identify not just computers but entire subnets, entire networks. So we can use a range of IP addresses. So those three are important in the IP header. And in the TCP header, this is an example of the TCP packet header. 
What's important? What addressing information is in the TCP header? The port numbers are important. The rest is not so important from the firewall's perspective. The source port and the destination port identify the applications communicating. And one of them will usually identify a server. And most servers use well-known port numbers, fixed port numbers. So if I see, say, the destination port is port 80, then the firewall knows or can make a reasonable assumption that this packet is going to a web server. If we see that the source port is port 22, what can we assume? If a source port is 22, it means this packet is coming from a secure shell server. Okay, so if we know the mappings of port numbers to different servers, and the firewall will know that, we can create rules that differ amongst the different applications. So there are really five values there that we use. Protocol number, source IP, destination IP, source port, destination port: five values. There are a couple of other things we may use, like the direction of the packet, but those five are the ones from the protocol headers. Note that if we're using UDP, that UDP header also contains a source and destination port. Now let's look at our example network and consider some different cases, create some rules. Let me just explain what you see there. It's just a simple network, a simple internet that we can use for creating some example rules. The squares are hosts, computers on the internet. The circles are routers, and the routers and hosts are on particular subnets. So the way to read this, say this bottom left subnet here, the network address is 1.1.2.0 slash 24, which means the first three numbers here, one, one, two, identify this entire subnet, and the last number will identify a computer in the subnet. So this host, this computer here, the IP address is 1.1.2.23. This is 1.1.2.24. 
And note the router, which connects this subnet to this other subnet, also has an IP address, 1.1.2.1, so that's the way to read this. I've just condensed them to save space. So router B has interfaces to two subnets. What's the second IP address of router B? I just gave you one. What is the second IP address of router B? Right, this subnet is /16, meaning of the four decimal portions, the first two are the network portion, 1.1, and then the second two are for the specific device. So router B is 1.1.4.2 here, and on this other interface, since a router has two interfaces and connects to two different subnets, it's 1.1.2.1. And you can follow through for the rest. So we'll use this to create some simple rules for a packet filtering firewall. Let's start simple. Let's say our firewall, just as a special case, is running on computer 12. So this will start with a case where the firewall runs per computer, not on the router. So our firewall is here, on computer 12. This is the not so common case. Maybe it's common for your home computer, but not for an organization, but let's just consider it. Let's say on your computer, you want to set up your firewall such that you cannot ping anyone on the internet. Okay, so the policy, the security policy, is to say, I am not allowed to ping anyone on the internet. What can we do? We need to create a rule for our firewall that will block ping from working. And let's assume, to get started, I'll just make some space, let's assume that the default policy is accept. We'll go through maybe three examples for this network, so you have some space for each example. We're going to start with a default policy of accept. That is, my firewall will accept everything. So I need to add rules that will implement my security policy. And my aim in this first example is to stop ping from working. Computer 12 cannot ping anyone. How do I do that? What rules would I add? Drop is the action to take, correct?
What are the conditions that need to be met such that it will block ping? Think about those five header fields: source IP, destination IP, protocol number, source port, destination port. What values should they be? And just to be complete, let's list them all: source IP, destination IP, protocol number, source port and destination port. We'll fit it in. So think of those five header fields, and we will create a rule that will check those five values, and if the packet matches those five values, we'll take some action. And we already know that the action that we'll take is to drop. But let's focus on those five conditions. So if we want to drop ping, we need to know that ping uses what protocol? Ping uses what protocol? ICMP, okay? And ICMP is actually considered a transport protocol from this perspective. So inside an IP packet, ICMP is carried directly in that IP packet, and it has a protocol number of one. So the protocol number for ICMP is one. So we'd set the packet must have protocol number one, which really means ICMP. And we'd need to know that ping, the application, sends ICMP packets. What about the source address? What should it be? Zero, maybe. Think about those other four values. What should they be? There are different ways to do it. Well, let's not do the source address yet. Let's look at the port numbers then. What should the port numbers be? Hint: ICMP doesn't use port numbers. Okay, with ICMP, it's just ICMP. Port numbers are not used by ICMP. It's a special protocol; we don't ping a web server, we don't ping a secure shell server, we ping an actual computer. Port numbers are not relevant here. So when we don't care what the port number is, what will we use? I don't care whether it's port number 10 or 50, I don't care. From the firewall's perspective, I'm not going to look at that value. I don't care about the value. What could we use as some notation there?
Any value, or maybe in more computer science terms, for any value we often use a star, a wildcard. The way to implement that may differ, but I'll write it as star, meaning the source port matches any value, I don't care. We'll give a specific notation later. Similarly the destination port: I don't care what it is. So just in my example, I'll say that star means any value. Destination IP, what should it be? I want to stop my computer pinging anyone. What should the destination IP be? Star again, okay? I don't care whether the destination is 3.3.3.36 or anything else on the internet, so we can set it to star in that case. And the source IP, what about the source IP address? 1.1.1.12, we could set it to be us. In this example, the firewall is on computer 12. We're saying, stop ping from working. And the way to stop ping from working would be to stop our computer from sending ping, or ICMP, messages out. Because ping, like many protocols, is request-response. If we cannot send the request out, there will never be a response that comes back. So what we could do is say that if the source address is 1.1.1.12 and the protocol is protocol number one, then take some action that drops this packet. It's not sent out. When we say drop, from the computer's perspective, it's not sent on the network, it's deleted from memory. But in fact, we don't even need to specify the IP address here. Because the only source address I have at this stage is 1.1.1.12, it could also be just set to star. And if for some reason my computer had two IP addresses, which it can, I can have a second interface, if I set it to star it will still work. That is, from my computer's perspective, I don't care about the IP address of the sender or the destination or the port numbers. All I care about is: if this packet is an ICMP packet, drop it.
And the last thing in our firewall rule, so what we're doing is writing the rule, I can't fit them all on one line, but then we have some action. We have a set of conditions and the action in this case is drop. So think of this as one rule for our firewall. We specify that rule using those five conditions and one action. So I'm just trying to introduce the approach for creating a rule and some of the syntax that we use in our examples. Any questions before we look at a bigger or more realistic example? Okay, ask your friends online and see if they have any questions. Let's see another example. Of course, we could extend that. Let's say, for some reason, I didn't want my computer to ping computer 36 out here. What do we do? I want to allow my computer to ping everyone except 36, so we'd set the destination IP address to 3.3.3.36. So we can block to specific destinations or block to specific networks. I don't want my computer to ping anyone on this network 3.3.3.0. The destination IP doesn't have to be a computer. It can be an entire subnet or even a range of subnets. Okay, so it could be, if the destination is 3.3.3.0, or 3.3.3.anything, block it. So we can have more advanced rules. Let's move to an example which is more common in organizations, where the firewall is not on the host, it's on a router. Let's say our firewall is on router RA in this case. This is my firewall. This router is trying to protect our internal network, and in this example, the internal network is this 1.1.1.0 network. So from the perspective of my organization and my firewall, this is internal. Everything else is external. And these two computers are internal. They're part of my organization. Everything else is outside. And let's continue with some simple examples. Try and write a rule that will block access to the secure shell server on computer 11. Okay, let's say on computer 11 inside, I have a secure shell server. And as a reminder, secure shell uses port 22.
Write a rule that stops everyone outside from accessing my secure shell server on computer 11. And to keep it simple, we'll also use a default policy of accept. It's not the recommended approach, but it makes this one a simple example. One rule to block access to the secure shell server on 11, and think about those five fields again, what values they should take. So think of the conditions that need to be met for my firewall to take some action. And the firewall is on router RA in this case. Packets either come into the firewall or go out of the firewall, into our network or out of our network. Block outside people from accessing the secure shell server on computer 11. Maybe it's a secure shell server running there only for internal users to use. Someone from outside is not allowed to use it. Try and fill in those conditions. Does everyone have an answer? She does, okay. Try and fill in the values, make an attempt. This is your job as the firewall administrator, to add the conditions. Source star, why? We want to block everyone outside, so we don't care who the source is. Now, note that the firewall doesn't control internal to internal communications. If computer 12 tries to connect to computer 11, that traffic in most cases will not go through the firewall. The firewall only controls traffic going out of the network and coming in. Internal to internal communication usually bypasses the firewall. So we don't have to worry about allowing computer 12 to access computer 11. So yes, the source is anyone. Destination IP, we want to block access to that computer 11, so we should be specific there: 1.1.1.11. That's the computer that's running the server. Protocol, not 22. This is the protocol number. That indicates the transport protocol. Previously we had ICMP. What are the other two transport protocols? SSH uses TCP, and the number is six.
So the packet actually contains a number, but the meaning of the number six is it's a TCP packet. Source port: the way that most client server applications work is that the server uses a fixed well-known port number, like port 22 for our secure shell server. The clients, let's say running on computer 35, their port numbers we won't know, they're dynamic. It could be 50,123 or 49,685, we don't know. So it can be any source port. Destination port, that's the important one, because 22 is the port number used by secure shell servers. And the action to take if those conditions are met: the default is to accept everything, so the action here should be drop. So that's another rule that we would add to the firewall, with the intention that others outside cannot access our internal secure shell server on computer 11. This example was just using some common notation, but sometimes the names and the notation change. That is, for the action I'm using drop; it could be block, reject, discard. Different software or different implementations of firewalls may use different terminology. So let's just do a quick check whether it will work. Computer 35 out here tries to connect into the secure shell server on computer 11. So what it does is it creates a packet and it's going to send it via router D and eventually get to router A. The packet's source address will be that of 35. The destination will be that of computer 11. So the first two conditions will match. That is, the source is anything, and 35 is anything. The destination will be computer 11. Our rule matches that. The protocol used is TCP when we use secure shell. The source port it'll choose, let's say randomly, 50,526, and the destination port, if it's contacting a secure shell server, should be 22. So those values will match those conditions. Let's just write them, just to be clear.
The packet that is created, say by 35: if we looked at the header of that packet, the source IP will be 3.3.3.35 and, if we're sending to computer 11, the destination IP will be 1.1.1.11. The protocol number, we're using TCP, so it'll be six. The source port in the TCP header would be chosen by the operating system of computer 35, I'll just choose some random number, and the destination port, because we're contacting a secure shell server, should be 22. Those five values are in the IP header and TCP header, which are created by computer 35 and sent through the internet to router D, to our router here, and then up to router A. So the packet arrives at router A and router A checks the packet header fields against its rule for the firewall: source IP matches, it's any value; destination IP matches; protocol matches; source port matches, that is, the rule says any value and this is a value, so any value; and the destination port matches. So we say that the packet matches the rule, therefore the action is taken for that packet: that packet is dropped. So the firewall would drop that packet. The result: computer 35 sent the packet, it got to router A, the router dropped it, the firewall specifically dropped it, and of course therefore it's not going to get to computer 11, and we've achieved our goal, no one can connect to computer 11. Of course, remember that all of our applications are usually client server applications; there's one client that initiates the communications. So in this case, computer 35 initiated the communications by sending a packet to computer 11. The packet doesn't get there, it gets dropped. What happens next? There's not going to be a response, because 11 didn't get it, it will not reply. What will computer 35 do? Maybe later, eventually, it will time out. It's expecting a response.
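The five-condition rules built above and the matching check on router RA, as an added example that is not part of the lecture: a small Python packet filter where a rule is the five conditions plus an action, star is the wildcard, an IP condition can be a host or a subnet written in CIDR form (the lecture's 3.3.3.0 network is written here as "3.3.3.0/24", an assumed mask), and the first matching rule decides, otherwise the default policy applies. The Packet and Rule names are this example's own.

```python
# Added example (not the lecture's code): a toy five-condition packet filter.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers named in the lecture
ANY = "*"                   # wildcard notation used on the slides

@dataclass(frozen=True)
class Packet:
    """The five header values the firewall inspects; ICMP has no ports."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    """Five conditions plus an action. IP conditions may be a host, a subnet
    in CIDR form such as "3.3.3.0/24", or "*"; the others are a value or "*"."""
    src_ip: str
    dst_ip: str
    proto: Union[int, str]
    src_port: Union[int, str]
    dst_port: Union[int, str]
    action: str             # "drop" or "accept"

def ip_matches(cond: str, addr: str) -> bool:
    """A host or subnet condition matches if the address lies in that network."""
    if cond == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cond, strict=False)

def value_matches(cond, value) -> bool:
    return cond == ANY or cond == value

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_matches(rule.src_ip, pkt.src_ip)
            and ip_matches(rule.dst_ip, pkt.dst_ip)
            and value_matches(rule.proto, pkt.proto)
            and value_matches(rule.src_port, pkt.src_port)
            and value_matches(rule.dst_port, pkt.dst_port))

def filter_packet(rules, pkt: Packet, default: str = "accept") -> str:
    """Walk the rules in order: the first match decides, else the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# The lecture's rules, each used with a default policy of accept.
HOST12_RULES = [Rule(ANY, ANY, ICMP, ANY, ANY, "drop")]                  # 12 cannot ping anyone
HOST12_SUBNET_RULES = [Rule(ANY, "3.3.3.0/24", ICMP, ANY, ANY, "drop")]  # no ping into 3.3.3.0
ROUTER_A_RULES = [Rule(ANY, "1.1.1.11", TCP, ANY, 22, "drop")]           # no outside SSH to 11
```

Checking the lecture's packet from 3.3.3.35 to 1.1.1.11, TCP, destination port 22 against ROUTER_A_RULES returns "drop", while the same packet sent to port 80 matches no rule and falls through to the default accept.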
Normally when we send a packet to someone, we'd expect the response to come back, but it's not going to get a response, so maybe it would time out and try again. But again it's never going to get a response, because the firewall will drop it, and eventually it will realize and give up. So there's no way for computer 35 to contact computer 11. We only need to create a rule that, in this case, drops the first packet in the connection. That is, we don't have to create a rule to stop 11 sending responses back to 35, because we know in most protocols there's a request and a response. There's two-way communication, but in our firewall we normally only need to create a rule that drops that very first packet in a connection, because if the first packet doesn't get through, then there'll be no second packet. It gets a little bit more complicated if we want to accept packets. How long have we got? Not long. Any questions on firewall rules so far? Then we'll give you one homework question, and we may have a look at it tomorrow. Stop our internal computer 12 from accessing the web servers on network 3.3.3.0. Again, I don't want the person using computer 12 to access any website on the subnet 3.3.3.0. Maybe on 35, 36, there may be other computers here; I've only drawn two. I don't want computer 12 to access the websites on the network 3.3.3.0. Create that rule. Write it up and we'll have a look at the answer tomorrow.