Firewalls torn Apart By Ankit Fadia ankit@bol.net.in
_____________________________________________________________________________ 

A firewall is basically something that protects the network from the Internet. 
It is derived from the concept of 
firewalls used in vehicles which is a barrier made of fire resistant material 
protecting the vehicle in case of 
fire. Anyway a firewall is best described as a software or hardware or both 
Hardware and Software packet 
filter that allows only selected packets to pass through from the Internet to 
your private internal network. 
A firewall is a system or a group of systems which guard a trusted network( The 
Internal Private Network 
from the untrusted network (the Internet.) To understand how a firewall works, 
firstly we need to understand 
how exactly data is transferred on the Internet. 

NOTE: The following is a very weird, short and incomplete description of the 
TCP\IP protocol, I have just 
given a general idea of the whole data transmission process so that everyone can 
understand firewalls. 

The TCP\IP suite is responsible for successful transfer of data across a network 
both the Internet and the 
Intranet. The TCP\IP suite is a collection of protocols which are inter-related 
and interdependent and act as a 
set of rules according to which data is transferred across the network. A protocol 
can be defined as a language 
or a standard which is followed while transfer of data takes place. Lets go 
through a brief explanation of how 
data is transferred across a network following the various components of the 
TCP\IP suite. 
The whole process of data transmission begins when a user starts up an Internet 
application like the email 
client or a FTP client. The user types an email in his client and in this way 
provides data to be 
transferred. The email client is said to be a part of the application layer of 
the TCP\IP stack. Now this 
application layer (email client) provides data (the email itself) which has to be 
transferred to the Transmission 
control protocol or TCP which constitutes the Transfer Layer of TCP\IP. TCP breaks 
down the data i.e. the 
email into smaller chunks called packets and hands over the responsibility to the 
Internet Protocol or IP 
which forms the invisible network layer. This Internet Protocol adds some various 
info to each packet to 
ensure that the packet knows for which computer it is meant for and which port 
or application it is going to 
meet and from where it has come. An IP datagram contains: 

1. A header which contains the Source and Destination IP, Time to live info and 
also the protocol 
used. There is also a header checksum present. 
2. Remaining part contains the data to be transferred. 

You do not need to understand all this in detail but just remember that TCP 
breaks data into smaller packets 
and IP adds the source and destination IP's to the packets. When the data reaches 
the other server IP hands 
the packets to TCP again which re assembles the packets. Port numbers are also 
used to ensure that the 
packets know to which application it need to go to. So, basically we can conclude 
that a successful 
transmission of data across a network relies on the source and destination IP 
and also the ports. 

A firewall too relies on the source and destination IP and also the ports to 
control the packet transfer between 
the untrusted network and the trusted network. Firewalls can be classified into 3 
types: 

1. Packet Filter Firewalls 
2. Application proxy Firewalls 
3. Packet Inspection Firewalls 

Packet Filter Firewalls 

They are the earliest and the most criticized firewalls, which nowadays are not 
easily found. They are usually 
Hardware based i.e. Router Based (a router is a piece of device which connects two 
networks together.) 
Whenever a Packet Filter Firewall receives a packet for permission to pass 
through, it compares the header 
information i.e. the source and destination IP address, and port number with a 
table of predefined access 
control rules If the header information matches, then the packet is allowed to 
pass else the packet is 
dropped or terminated. They are not popular due to the fact that they allow 
direct contact between the 
untrusted system and the trusted private system. 
To understand such firewalls lets take the example of the secretary that sits in 
your office. This kind of 
secretary allows only those people who have an appointment to pass but if you 
convince her that her boss 
wants to meet her then she would allow you to pass. 
Such Firewalls can be fooled by using techniques like IP Spoofing in which we 
can change the source 
IP such that the firewall thinks that the packet has come from a trusted system 
which is among the list of 
systems which have access through the firewall. 

Application proxy Firewalls 

The shortcomings of the packet filter firewalls are addressed by the new type of 
firewalls developed by 
the DARPA. It was widely believed that the earlier type of firewalls were not 
secure enough as they allowed 
the untrusted systems to have a direct connection with the trusted systems. This 
problem was solved with 
the use of Proxy servers as firewalls. A proxy server which is used as a 
firewall are called application proxy 
servers. 
This kind of a proxy firewall examines what application or service (running on 
ports) a packet is meant for 
and if that particular service is available only then is the packet allowed to 
pass through and if the service is 
unavailable then the packet is discarded or dropped by the firewall. Once this 
is done, the firewall extracts 
the data and delivers it to the appropriate service. There is not direct 
connection between the untrusted 
systems with the trusted systems as the original data sent by the untrusted 
system is dropped by the firewall 
and it personally delivers the data. 

Let's again take the example of a secretary. Such a secretary would take a gift 
or something else for you 
only if you are available in the office and it would not allow the visitor to 
deliver the thing but would personally 
deliver it to you. Although they are somewhat slower, they are much more 
secure as they do not allow 
a direct contact between an untrusted network and a trusted network. 

Packet Inspection Firewalls 

It can be also known as an extension of the Packet Filter Firewall. It not only 
verifies the source and 
destination IP's and ports, it also takes into consideration or verifies that 
content of the data before passing it 
through. There are two ways in which this kind of a firewall verifies the data to 
be passed: 
State and Session. 
In case of state inspection, an incoming packet is allowed to pass through only 
if there is a matching 
outward bound request for this packet. This means that the incoming packet is 
allowed to pass through only 
if the trusted server had requested for it or had sent an invitation for it. 
In case of session filtering, the data of the incoming is not verified, but 
instead the network activity is traced 
and once a trusted system ends the session, no further packets from that system 
pertaining to that session 
are allowed to pass through. This protects against IP spoofing to a certain 
extend. 
Such firewalls can also be configured beforehand to act according to pre defined 
rules when it is attacked. It 
can also be configured to disconnect from the Internet in case of an attack. 

All along you will come across many Firewalls on various systems, basically a 
firewall can be established 
or setup in two ways: 

1. Dual-homed gateway 
2. Demilitarized zone (DMZ) 

In a dual homed gateway firewall, there is a single firewall with 2 connections, 
one for the trusted network 
and the other for the untrusted network. 
In the case of a Demilitarized Firewall or a DMZ there are two firewalls, each 
with two connections, but there 
is a slight difference in the case of a DMZ setup. 
In the case of a DMZ setup, there are two firewalls, the first having two 
connections, one leading to the 
untrusted network and the other leading to the host systems like the email 
server or the FTP server etc. 
These host systems can be accessed from the untrusted network. These host systems 
are connected with the 
internal private trusted systems through another firewall. Thus there is no 
direct contact between the 
untrusted network and the trusted internal network. The area or region between 
the two firewalls is termed as 
the demilitarized zone. 
In the case of a Dual Homed Gateway the untrusted network is connected to the 
host systems (email 
and FTP servers etc) through a firewall and these host systems are connected to 
the internal private 
network. There is no second firewall between the host systems and the internal 
private trusted network. 
The basic structure of the DMZ setup declares it to be a more secure system as 
even if an attacker gets 
through the first firewall, he just reaches the host systems, while the internal 
network is protected by another 
firewall. 

Do Firewalls provide enough Security for my Network? 

The answer is a simple no. There is no such thing that a firewall is enough to 
fulfill or satisfy all your 
security concerns. Yes it does protect the trusted systems from the untrusted 
ones, but they are definitely 
not enough for all your security needs. We need to protect our systems to secure 
the company data. The 
most common methods used to break into networks are brute force password 
cracking and social 
engineering. A firewall in no way can prevent such occurrences. 

There are other ways in which attackers can steal or destroy company data. Phone 
Tapping and the use of 
spy gadgets has become a common occurance.Although providing safety to the 
network to a large extend, a 
firewall is still not able to protect the company data from Viruses and Trojans, 
although some firewalls do 
provide for scanning everything being downloaded, the rate at which new HTML, 
Java and other viruses are 
propping up, it is becoming very difficult for firewalls to detect all 
viruses. Anyway firewalls provide no 
physical protection to the networks. It also provides no protection from fire, 
tornados etc.Yet another 
shortcoming is the fact that if the attacker is able to break into a trusted 
system which is provided access by 
the firewall, then he can easily gain access to the data at your network, as the 
firewall will think that he is 
actually the trusted party. 

Ankit Fadia 
ankit@bol.net.in 

http://www.crosswinds.net/~hackingtruths 

To receive more tutorials on Hacking, Cracking (Assembly), Perl, C++ and 
Viruses/Trojans and 
more join my mailing list: 

Send an email to programmingforhackers-subscribe@egroups.com to join it. 


Visit my Site to view all tutorials written by me at: 
http://www.crosswinds.net/~hackingtruths