MUHAMMAD ALI

JINNAH UNIVERSITY
KARACHI PAKISTAN

INTRODUCTION TO I.T
AHMER UMER
GROUP MEMBERS:
ABDUL MATEEN

JUNAID ALVI

MUHAMMAD ADIL

FAIZAN

(GROUP LEADER) WAJAHAT ALI

Project Title:

The Various Modes of Firewall Protection for a

Computer or a Network
Date of Submission:
1 Abstract:

The Various Modes of Firewall Protection

for a Computer or a Network
Firewall is the way for protecting a personal computer or the network of computers from the
malicious attacks as are tried over such systems by public internet. In the report I will be
presenting you I will mention the meaning and understanding of the firewall as to what firewall
is and how it works for protecting a system or a network of systems from invading malicious
software. For a succinct prologue to the firewall, it actually is a set of related programs, located
at a network gateway server that protects the resources of a private network from users from
other networks.

In addition to the meaning and the working of the firewall my report will consists the issues as
encountered by the firewall. By bringing the issues in to the lime light the various modes of the
firewall protect as utilized will be discussed in my report regarding the topic “the various modes
of firewall protection for a computer or a network”. These modes are actually the solutions and
applications as put forward by the grid community for the better working of the firewall and
keeping the given system or the network of the systems safe from the attackers.
Table Contents
Abstract ............................................................................................................................. 1

Introduction ............................................................................................................... 1.1

History of firewall ................................................................................................................. 1.5

Definitions ............................................................................................................................ 2

Firewall ..............................................................................................................2.1(a)

Different types of firewall ............................................................... 2.1(b)

Classification of firewalls .................................................................................................... 2.1.1

Firewall (global definition) ..................................................................................................... 2.2

Network Address translators .............................................................................................. 2.3

Application level gateways ................................................................................................... 2.4

VPN gateways ...................................................................................................................... 2.5

Classifications of Firewall Issues .................................................................... 3

Issues caused by the application having difficulties to be aware of network needs ........... 3.1

Software and port numbers ............................................................................................. 3.1.1

Hardware ................................................................................................................... 3.1.2

Network ................................................................................................................ 3.1.3

Security Policy .................................................................................................... 3.1.4

Issues caused by the network being unable to be aware of the application ........................ 3.2

Applications that use only well–known TCP/UDP ports ................................................ 3.2.1

Detectable dynamic data transfer ports .......................................................................... 3.2.2

Obscured dynamic data transfer ports ............................................................................ 3.2.3

Arbitrarily dynamic data transfer ports ............................................................................ 3.2.4

High throughput data pipes with nonstandard traffic patterns ...................................... 3.2.5

Future Directions ..................................................................................................... 4

Benefits of Using Firewalls .........................................................................4.1

Disadvantages of Using Firewalls .......................................................................... 4.2

Conclusion ....................................................................................................................... 5
1.1 Introduction of a Firewall

A firewall is designed to help protect your computer from attack by malicious users or by
malicious software such as viruses that use unsolicited incoming network traffic to attack your
computer. Before you disable your firewall, you must disconnect your computer from all
networks, including the Internet.

A firewall is a system that is designed to prevent unauthorized access to or from a private

network. You can implement firewalls in hardware, software, or both. Firewalls are frequently
used to prevent unauthorized Internet users from accessing private networks that are connected
to the Internet.

Communication relationships between external and internal computer systems often requiring
special configurations at firewall systems. These
configurations include:

• allowing access for communication sessions (ports)

• allowing access to single systems or whole sub networks

1.5 History of firewall

The earliest firewalls were based on routers. Routers are very flexible directors of network
traffic, and adding commands which permitted filtering out packets based on information in the
packets' headers seemed a natural direction. Cisco had added the filtering capability to their
routers very early on. Ben Segal, of CERN, writes of buying Cisco routers for this very purpose
in 1987, (http://wwwcn.cern.ch/pdp/ns/ben/TCPHIST.html).

Routers function by examining the destination address of every packet received, and forwarding
each packet to the next hop toward its destination. Routers can do more than merely a
forwarding, and this is where packet filtering comes in. When packet filtering rules, called
access control lists in Cisco routers, are applied to a network interface, the headers are copied
into the memory accessible to the routers' CPU and checked against the access control list rules.
If the packet is permitted, it is routed on to the next hop. If the packet is denied by the rules, the
packet is dropped, and an ICMP message may be sent back to the sending system so more
packets will not be sent. Routers have serious limitations when used for packet filtering. The
router's CPU handles the filtering operation instead of dedicated hardware, which means the
filtering operation is much slower than simply routing packets. Early routers whould lose as
much as 75% of their peak performance when an access control list containing a single rule was
applied. Cisco's current documentation states that adding an access control list results
in a 30% hit on performance on packets using that interface.

Routers manifest another problem based on their very design. Routers maintain state
information, used to make decisions about how to deal with packets, in the form of routing
tables. The router deals with each packet that arrives as if the packet was unique, not part of a
stream, or flow, of packets as is generally the case. Filtering decisions are also made as if each
packet which arrived was unique, and no other similar packets had ever or would ever arrive
with similar headers.

The way routers deal with packets affects their security capabilities in several ways. Router
performance is reduced because the same filtering decision must be made over and over again.
Logging information is less detailed, because there is no notion of a transaction, for example, a
telnet session or transfer of Web files. Instead, a count of packets between a source and
destination can be recorded, an operation which adds another performance hit (30% according to
Cisco documentation). Finally, there is no memory of past events, which could be used to
influence how future events, the arrival of other packets, will be dealt with.

>Another Approach

System vendors took a different approach to TCP/IP security. IBM and DEC, for example,
designed application gateways to control traffic entering of leaving their networks. You can
imagine how natural this was for an organization whose stock in trade was operating systems and
supporting software. An application gateway, once called a proxy server, acts as a server to the
client, and a client for the remote server. To do this, the programmers writing the application
gateway had to implement the application protocol within their code.

For example, an FTP client communicates with an FTP server using simple, English, commands,
such as USER or PASS. The server communicates back to the client by sending three digit result
codes, for example, 200, indicating a successful operation. Programmers wrote application
gateways so they would recognize the client's commands and the server's result codes, the
application protocol, and behave appropriately. This approach has both pluses and minuses.

On the plus side, application gateways have very fine grained control over what a client, working
on behalf of a user, can do. DEC's early, in-house firewall permitted internal users to fetch files
from the Internet unfettered. But when a user attempted to send a file, transmission speed was
limited to 9600 bits-per-second, the same speed of modems of the day. The configuration file for
an application gateway could also be designed to have fine-grained control over the users who
had access, which applications they could use, and when the applications could be used.

Application gateways are excellent for logging, as they recognize the activities of the user, and
can log commands, filenames, number of bytes transferred in or out. Unlike the router, which
recognizes patterns in headers, application gateways understand the application protocols, and
can easily capture detailed information.

Application gateways are programs, running outside of the operating system, which is both
positive and negative. The operating system provides security, preventing the application
gateway from affecting other programs or accessing other parts of the system. Application
gateways open a new network connection to the remote server, so to an external viewer, it
appears that a single system represents all clients. No internal source addresses are seen, as the
firewall system appears as the source for all client requests.
There are two downsides to application gateways. First, because they are programs, each
involves the overhead of starting and running an independent program. Network data must be
copied from the operating system memory to the program memory, then back again. Firewall
vendors can deal with the first problem by prestarting copies of the application gateway, much
the way multi-threaded Web servers function. Copying data between the operating system and
program memory cannot be dealt with as easily, outside using a high performance operating
system, or rewriting those portions of the operating system which deal with TCP/IP. Some
vendors have replaced the TCP/IP code used by NT 4.0 with optimized versions to improve the
performance of their solutions.

The other problem with application gateways can be considered a plus. Each application
gateway firewall product comes with a limited selection of applications supported (see
http://www.gocsi.com/firewall.htm for a matrix of firewall products). As long as the product
you have chosen supports the applications you require, there is no problem. But if you need
other applications, getting these through the firewall becomes problematical.

Many application gateway firewalls provide a configurable "application gateway", sometimes

called a "plug gateway". These are not application gateways at all, but really circuit relays,
programs which provide access control based on header information, but no fine-grained
application protocol control or logging. The SOCKS program is a circuit relay, and SOCKS or
SOCKS-like programs are common in firewall products.

The plus side of a limited list of application gateways is that it is difficult to support dangerous
protocols with the firewall. No application gateway vendor wastes time developing application
gateways for dangerous protocols. You cannot accidentily enable a dangerous protocol, or be
forced into enabling one because of user or management pressure. It is simply impossible to
enable an application gateway which does not exist.

Some of the firewall products on the market today are descendants of the internal firewalls used
by system vendors. The firewall developed by IBM's Watson Research labs was licensed to
ANS and Livermore Labs. Raptor's firewall was licensed from Dupont (who had developed it
for internal use). DEC sold their early designs as a consulting service. And several employees
left DEC and went to Trusted Information Systems where they designed new application
gateway designs based on what they had learned at DEC.

>The Middle Road

The firewall vendor with the greatest market share today, Check Point Technologies, based their
firewall on different approach. A pair of Israeli programmers developed a technique for packet
filtering which overcomes many of the weaknesses inherent in using routers. They called their
technique stateful inspection, and based the first version of it on a feature of Sun UNIX systems
which permitted adding new modules to the operating system.

The stateful inspection module gets loaded into the operating system at a point in the IP stack
where it can preview packets before they reach the Internet layer where routing takes place. At
this point, the product resembles packet filtering, but this is where one big difference comes in.
Instead of examining each packet independently of previous traffic, stateful inspection keeps
track of past history. The rule base is used when the first packet representing a new transaction
is received, and the decision, to permit or deny the packet, is stored as state information.
Subsequent packets can then be permitted or denied based upon the state, instead of the
rule-based decision making process.

Check Point added another twist by permitting rules to examine the data within packets, peeking
at the application protocol. The best example of this is FTP, which in active mode requires a
connection back from the server to the client. Permitting these server to client connections opens
gaping holes in the router-based packet filters. But this technology can generated new state
based on the contents of packets, for example, a request from a client to a server to open an FTP
data connection. In other words, the state for each transaction can change dynamically, affecting
this transaction's or other transactions' state.

Stateful inspection added increased performance, security, and flexibility to packet filtering, and
stateful inspection forms its own category of firewall technologies. Stateful inspection still
shares some of the problems of packet filtering, though. For example, logging is based on
changes to the state information, and detailed logging, such as filenames or the volume of date
exchanged, is not included in stateful inspection logfiles. Stateful inspection does not perform
address translation by default, although this capability has been added to both routers and
stateful inspection firewalls.

Also like packet filters, stateful inspection firewalls can be fooled into permitting protocol
tunneling. This penetration technique requires cooperation, either intentional or subverted, from
an internal user to exchange data through the firewall by using a permitted protocol to transmit
another, not permitted, protocol. While this technique is not impossible using an application
gateway, an application gateway will at least log the volume of data exchanged, which could
point to abuse of the protocol, for example, using the DNS port to transfer file data.

Stateful inspection firewalls offer great flexibility. Most of these firewalls come with a long list
of applications which can easily be supported. Again, this is both positive and negative, as
dangerous protocols, those which have weak or non-existent authentication, are trivial to enable.
This flexibility means the correct configuration of a stateful inspection firewall is critical, and
misconfiguration can open a network to attack.

Check Point Technology was also a market leader in configuration when it first appeared.
Firewall products of the day (early nineties) had abysmal configuration interfaces, involving
entering long and arcane command sequences (routers) or editing multiple configuration files
using a UNIX-style editor. Check Point's approach was to provide a point-and-click
configuration interface, an application program based originally on Sun's Openview, and later
ported to Motif and Windows. This application program communicates with the operating
system module
to modify the rules base and control operation. Other application programs handle logging and
user authentication.
Choosing Firewalls

Using routers as firewalls has become rare today. Routers can still function as part of internal
security, for example, by permitting limited access between different portions of a wide
Area network. But weak performance and logging of routers makes them generally undesirable
for Internet or Intranet firewalls.

The decision between application gateways and stateful inspection firewalls must be based on
policy and requirements. Application gateways provide better control and logging, while stateful
inspection provides an edge in performance and much greater flexibility at the risk of
misconfiguration. You must provide your own risk analysis and policy review, and decide which
approach is best for you.

Resources:

http://www.gosci.com/firewall.htm -- the CSI firewall matrix,

with the latest firewall vendor survey and pointers to each
vendors' own Web sites.

http://www.greatcircle.com/ -- home of the Firewalls mailing

list, and another list of firewall vendors

2 Definitions

The goal is to provide an overview of the types of devices and software components that are used
to protect grid applications and infrastructures from malicious attacks from the Internet.

2.1(b) Firewall

A firewall is a logical object (hardware and/or software) within a network infrastructure which
prevents communications forbidden by the security policy of an organization from taking place,
analogous to the function of firewalls in building construction. Often a firewall is also referred to
as a packet filter.

The basic task of a firewall is to control traffic between different zones of trust and/or
administrative authorities. Typical zones of trust include the Internet (a zone with no trust) and
an internal network (a zone with high trust). The ultimate goal is to provide controlled
connectivity between zones of differing trust levels through the enforcement of a security policy
and a connectivity model based on the least privilege principle.

Proper configuration of firewalls demands skill from the administrator. It requires considerable
understanding of network protocols and of computer security. Small mistakes can lead to a
firewall configuration worthless as a security tool and, in extreme situations, fake security where
no security at all is left.

2.1(b) Different Types of Firewalls

Different firewalls use different techniques. Most firewalls use two or more of the following
techniques:

• Packet filters: A packet filter looks at each packet

that enters or leaves the network and accepts or rejects the
packet based on user-defined rules. Packet filtering is fairly
effective and transparent, but it is difficult to configure. In
addition, it is susceptible to IP spoofing.
• Application gateway: An application gateway
applies security mechanisms to specific programs, such as
FTP and Telnet. This technique is very effective, but can
cause performance degradation.
• Circuit-layer gateway: This technique applies
security mechanisms when a Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP)
connection is established. After the connection has been
established, packets can flow between the hosts without
further checking.
•
• Proxy server: A proxy server intercepts all
messages that enter and leave the network. The proxy
server effectively hides the true network addresses.
• Application proxies: Application proxies have
access to the whole range of information in the network
stack. This permits the proxies to make decisions based on
basic authorization (the source, the destination, and the
protocol), and also to filter offensive or disallowed
commands in the data stream. Application proxies are
"stateful," meaning that they keep the "state" of
connections inherently. The Internet Connection Firewall
feature that is included in Windows XP is a "stateful"
firewall, as well as Windows Firewall. Windows Firewall
is included in Windows XP Service Pack 2 (SP2).

For additional information about the Windows XP Internet Connection Firewall feature, click the
article number below to view the article in the Microsoft Knowledge Base:
320855 (http://support.microsoft.com/kb/320855/EN-US/ ) Description of the Windows XP
Internet Connection Firewall
2.1.1 Classification of firewalls
There are three basic criteria to categorize firewalls:
1. Whether the communication occurs between a single host and a network, or between two
or more networks;
2. Whether the communication is intercepted at the network layer or at the application layer;
3. Whether the communication status is tracked at the firewall or not.

With regard to the position of a firewall in the network layout there are:
• host firewalls, i.e. software applications which filter traffic entering or leaving a single
Computer;
• network firewalls, i.e. software normally running on a dedicated network device or
Computer positioned on the boundary between two or more networks or DMZs
(Demilitarized zones). Such a firewall filters all traffic entering or leaving the connected
Networks. The latter definition corresponds to the conventional, traditional meaning of "firewall"
in Networking. Additionally, firewalls may be located between administrative domains of an
Organization (e.g. between production, research, administration and finance departments).
In reference to the software layer where the traffic is intercepted, three main types of firewalls
Exist:
• network layer firewalls
• application layer firewalls
• application firewalls
The network-layer and application-layer types of firewalls may partially overlap. Indeed there
are examples of single systems that implement both of them together.

Application firewalls are sometimes used in wide area networks (WAN) to govern the access to
the system software. An extended description would place them at a lower level than application
layer firewalls, actually at the operating system layer, and thus they could otherwise be called
operating system firewalls. Lastly, depending on whether the firewalls track communication
status, two categories of firewalls exist:
• stateful firewalls
• stateless firewalls

2.1.1.1 Network layer firewalls

Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-
packet filters, denying packets to pass through the firewall unless they match one positive
filtering rule. The firewall administrator defines the rules or default built-in rules are applied (as
in some inflexible firewall systems). A more permissive setup could allow packets to pass the
filter as long as they do not match one "negative rule" or "deny rule". Today network firewalls
are included into most computer operating systems and network appliances.

2.1.1.2 Application-layer firewalls

Application-layer firewalls work at the application level of the TCP/IP stack and intercept all
packets traveling to or from an application (HTTP traffic, telnet traffic, ftp traffic, etc.). They
block packets, which do not conform to the application’s network protocol, usually dropping
them without acknowledgement to the sender. In principle, application-layer firewalls can stop
all unwanted incoming traffic from reaching protected machines. By inspecting all packets for
improper content, these firewalls can even prevent the spread of viruses. In practice, however,
this task becomes so complex and so difficult to attempt (given the variety of applications and
the diversity of content each of them may allow in its packet traffic) that comprehensive firewall
design does not generally attempt this approach. The XML Firewall exemplifies a recent kind of
application-layer firewall.

2.1.1.3 Application firewalls

The term application firewalls is often used to describe security tools that control access to
special services that run on an operating system. They are composed of software components
securing the local system by checking which external (remote) hosts may access the services
running on this node. Often these firewalls are called operating system firewalls.
A well-known implementation of application firewalls is TCP wrapper.

2.1.1.4 Stateful/stateless firewalls

Modern network-layer firewalls can filter traffic based on many packet attributes like source IP,
source port, destination IP or port, destination service like WWW or FTP. They can filter based
on protocols, TTL values, net block of originator, domain name of the source, and many other
attributes. Having the ability to look into the packets in more detail, allows monitoring the status
of the transmission (based on TCP options or simulated status for stateless protocols) and
implementing more complex filtering rules. A stateful firewall usually allows incoming TCP
packets only when they belong to a connection started by a host in the protected network.
Connection requests coming from untrusted networks are rejected. In contrast to this behavior a
stateless firewall does not monitor the status of connections. Every packet has to be checked and
mapped to a rule that either allows or denies it.

2.2 Firewall (global definition)

In a broader sense a firewall is the implementation of an institution’s security policy concerning

traffic exchange between different security domains. It is not only a black box or a single
hardware component. It can be much more. It is the set of all rules to be enforced for secure
communication. It is the way to check the compliance with these rules and it is the whole
collection of software and hardware used to implement this mission.

2.3 Network Address translators

Network Address Translation (NAT) [RFC 1631] provides a way to map IP addresses from one
IP network to another IP network allowing transparent routing between client and server hosts in
distinct networks. Transparent in this context describes the possibility of mapping IP addresses
without explicit interaction or knowledge of the user. In this sense NAT is transparent to the
user.In the simplest case, a user behind a NAT initiating a single simple message, this translation
within the IP header does not lead to any problems within the transaction. But often IP addresses
are overloaded with security issues, e.g. access rights, user authentication and last but not least
authorization. In this scenario NAT may become a problem, especially as often configured, when
mapping is done dynamically. NAT in general is not a security mechanism, but nevertheless
introduced additional barriers against intruders. It hides the internal network to external hackers.
NAT is often applied to connect private networks, using private address spaces, to the external
Internet with officially registered addresses. Using this technique it is possible to temporarily
solve the current shortage of official IP addresses by recycling them for different hosts until new
IP addresses (IPv6) become available and commonly deployed. Address translation is normally
done at the borders of private domains; this particular modus operandi makes this technique
appealing also for security reason. The main advantage of NAT is that it can be enabled without
any changes to routers or hosts. Unfortunately NAT cannot be used in conjunction with all
existing applications since some services encode IP addresses in the packet payload. In these
cases NAT must co-exist with application level gateways (ALGs, see below).
Allowing transparent routing, NAT devices modify host addresses in the packets on the fly and
maintain state information of communication flows. Packets belonging to the same
communication stream have to be translated in the same manner, i.e. to the same IP address.
Port Address Translation (PAT) or Network Address Port Translation (NAPT) [RFC 2663]
enhances this technique. Here different hosts are mapped to the same IP address, using port
information (source and destination port) to differentiate between different streams of
communication (e.g. TCP and UDP port numbers, ICMP query identifiers). Many internal
private IP addresses can be translated to one single official external IP address. Often NAT and
PAT are used as a security mechanism. Internal hosts are allowed to setup communication paths
to external hosts, but connections from external hosts to internal hosts can be setup only if a
translation is currently active (i.e. an internal host has already setup a connection). Here NAT is
done dynamically, making it harder for an attacker to target any specific host in the NAT
domain. NAT routers may be used in conjunction with firewalls to filter unwanted traffic. Often
the firewall itself offers the NAT functionality. Problems arise with end-to-end IPsec, because
this protocol does not allow the presence of NAT devices in the communication path. IPsec
encodes the source and destination addresses of the end-to-end communication. If NAT changes
one of these addresses the IPsec module will detect
it and the communication will fail. A possible solution is to use NAT devices as end-points of the
IPsec tunnel. “NAT devices, when combined with ALGs, can ensure that the datagrams injected
into Internet have no private addresses in headers or payload. Applications that do not meet these
requirements may be dropped using firewall filters. For this reason, it is not uncommon to find
NAT, ALG and firewall functions co-exist to provide security at the borders of a private
network. NAT gateways can be used as tunnel end points to provide secure VPN transport of
packet data across an external network domain. (RFC 2663)”

2.4 Application level gateways

Not all applications lend themselves easily to translation by NAT devices, especially those
applications that encode IP addresses and port numbers in the payload. In these cases,
Application Level Gateways (ALGs) play a very important role. ALGs are application-specific
translation agents that transparently allow an application running on a host in one address realm
to connect to its counterpart running on a host in a different realm. ALGs may interact with NAT
to set up state, use NAT state information, modify application specific payload and perform
whatever else is necessary to get the application running across disparate address realms.
ALGs may not always utilize NAT state information. They may glean application payloads and
simply notify NAT to add additional state information in some cases. ALGs are similar to
proxies, in that both ALGs and proxies facilitate application specific communication between
clients and servers. Proxies use a special protocol to communicate with proxy clients and relay
client data to servers and vice versa. Unlike proxies, ALGs do not use a special protocol to
communicate with application clients and do not require changes to application clients.
In the context of firewalls application level gateways are used to open up pinholes into the
firewall. Both kinds of usage introduce some major problems into the organizations security
policy. First of all by rewriting payload, the message content will be changed which breaks
message authentication. The receiver cannot check anymore if the real message (data) part has
been modified by a third party. Additionally they force firewall vendors to support a bunch of
application protocol stacks on their firewalls, which is expensive, time consuming (processing
and throughput) and increases exposure to implementation errors. Nevertheless there are grid
scenarios, in which ALG cannot be avoided to establish the required communication paths of
particularly projects.

2.5 VPN gateways

A Virtual Private Network (VPN) gateway can be considered as the "employee entrance" into a
corporate network, whereas a firewall could be considered as the "public entrance". A corporate
network is typically classified as a private network, created to support the business of an
Enterprise, SMB, or any other organization with a need to protect its networked resources from
public access. A VPN gateway uses credentials issued by the Corporate Network Administrator
to create a security association between the corporate VPN gateway and a remote VPN site.
Remote sites can either be individual PC clients or other VPN gateways. A remote VPN gateway
allows the corporate network to be securely extended into a branch office via an insecure
network. This setup is called a site-to-site VPN. A PC VPN client allows an individual employee
to access the corporate network from the Internet when at home or traveling. Protocols, such as
IPsec, L2TP, PP2P and SOCKS ensure authenticated and encrypted communication between
VPN sites by creating a tunnel. On such connections, packets are constructed in a specific VPN
protocol format and are encapsulated within some other base or carrier protocol, then transmitted
between VPN client and server, and finally de-encapsulated on the receiving side. The base
protocol for Internet is IP. Other cases, which typically rely on point-to-point connections, may
use layer 2 protocols.
Most VPN gateways offer functionalities similar to firewalls; packet filtering and packet
inspection are examples. It is therefore important to consider these types of devices within the
scope of this document.

3 Classification of Firewall Issues

Given that:
 • Presented several kinds of grid applications, showing the issues arising when
firewalls are located within the communication path.
• Its describes the issues of each specific application in a more structured way,
defining the following classes of problems:

o Software
o Hardware
o Network
o Security policy

It will recognize two categories of firewall issues and further subdivide them
accordingly. Issues are either caused by:

1. The fact that the application is unaware of the network.

2. The fact that the network is unaware of the application.

The classification is made based on the assumption that both the network and the application
may not be aware of each other in terms of requirements. Typically, the application assumes
network transparency. However, the application also expects secure and reliability operation and
therefore expects to be protected against malicious intends. Both expectations require some
understanding between the application and the network. We therefore approach the classification
from the above listed observations. At this point we do not seek solutions for these issues, we
sometimes only hint towards them. Presenting existing and new solutions will be covered in (a)
separate document(s).

3.1 Issues caused by the application having difficulties to be aware of network

needs

This is an issue were applications try to adapt towards the needs of the network. This paragraph
tries to map each firewall issue and one of the following four categories: software, hardware,
network, security policy.

3.1.1 Software and port numbers

Port numbers and number of ports are unknown until the application starts. The consequence is
that firewall administrators need to create big holes (up to 10.000 ports) if the application is not
capable of determining the amount of ports to be used and/or the port numbers are unknown.
Trying to push all traffic though a single hole (e.g. HTTP port 80) causes referral problems. In
general, only specific, predetermined applications that use a low number of very well-defined
ports (or “well-known ports”) can be supported adequately.

3.1.2 Hardware
Applications that want to be aware of the underlying network have difficulties with:
 • Understanding the number and kind of firewalls located within the routing path.
• Pushing high performance data streams across long connections that need enough buffer
space and switching capacity. If applications were aware of buffer sizes and delays, they

could adjust their transmission rates more effectively to avoid packet drops in any kind of
forwarding device, including firewalls.
• Opening multiple high performance channels (wavelengths) over a single fiber. There are
no
firewalls that are able to deal with multiple wavelengths on a single fiber. If these wavelengths
have been divided into individual fibers by DWDM equipment, firewalls are not able to deal
with 16, 32 or 64 links of 10 Gb/s each currently. Current firewalls can deal with up to 5 Gb/s
links, and, if they act as packet filters only, may handle multiple 10 Gb/s links, but they are not
able to deal with several hundred Gb/s coming in through multiple 10 Gb/s interfaces. Though
load balancing firewalls are available since some time, these cannot handle such high
communication streams.

3.1.3 Network

Applications are typically unaware of their position within the network. This may cause issues
like:
• Certain grid applications cannot be placed inside the DMZ. This, as the data contained
within
such application may be too sensitive to allow it to be compromised and therefore can only be
placed within the enterprise network. The application will need to be changed such that it
temporally publishes relevant pieces of the information from its location on the enterprise side
of the firewall to a server reachable via the DMZ.
• Grid applications are more and more developed using a SOA. Such architecture is
inherently
distributed. If a workflow orchestrates components located at various places, the interfaces
may need to cross multiple firewalls and DMZs, each with their own security and firewall
policies. The more a workflow is allowed to be flexible, the more security policy issues are
likely.
• Applications are built independently of their network addresses, but rather have things
like
URLs to identify them. Applications with a need for special network resources, that bypass
the regular Internet, must somehow indicate this. Therefore, firewalls involved in bypass
connections also may need to perform elaborate routing functions,

3.1.4 Security Policy

In terms of security the application may need to communicate certain needs to the network. This
causes typically issues like:
• Firewalls may not have enough information to authorize complex grid applications.
• Firewalls must not only protect against attacks from the public network, but also prevent
the
public network from being abused where the application does not provide enough information
to distinguish between “good” and “bad”.
• Applications need to trust each other and firewalls may not be able to extend the security
context between two applications.
• Applications cannot provide firewalls with enough information so that firewalls may
therefore
not be aware if a host connecting is actually trusted.

3.2 Issues caused by the network being unable to be aware of the application

These issues are cause by problems where the network tries to adapt towards the need of an
application. This is the traditional approach where the application expects the network to be
transparent and the issue is therefore the network.
One may subdivide these issues into 5 kinds, with an increasing amount of difficulty to be
resolved:

3.2.1 Applications that use only well–known TCP/UDP ports

These specific ports could be easily opened within a firewall and they should not represent any
problem for a firewall administrator. Nevertheless, each of these applications has to be examined
in detail, to verify whether the communication protocol complies with the security policy of the
local organization. For example, ssh should be no problem, because users will always be
authenticated and authorized by the local ssh server. The same would be true for telnet, but
telnet uses an unencrypted authentication scheme, sending use rids and passwords in clear text
over the communication path. If a telnet session is recorded by an unauthorized person (hacker),
he has now gained access to sensitive information that may afterwards be used to get
unauthorized access to resources that shouldn’t be publicly available. So each grid application,
although using only single and fixed ports, has to be checked for compliance with the
organizational security policies.
Some applications extend the use of single well-known ports by tunneling messages through
them e.g. port 80 (http). These implementations have been developed to circumvent institutional
security policies exploiting the fact most organizations allow the use of the http protocol. Though
this method would allow any kind of firewall traversal, it has been shown that, as a general
concept, would also allow hackers and especially viruses to overcome firewall barriers. Firewall
developers have taken application tunneling into account and have developed countermeasures
against these bad-practices. They have implemented software that is familiar with a set of
standard protocols, e.g. http, making a trivial port tunneling to be recognized and stopped. This
remedy does not completely solve the problem, because the tunneling application can be
programmed to behave like a standard protocol stream, but it helps in recognizing most of the
trivial tunnel-attacks from the outside. Taking into account these considerations, application
programmers should avoid making use of these kinds of tunneling techniques.

3.2.2 Detectable dynamic data transfer ports

Applications that use a single well-known port for a control channel and a set of dynamic ports
for
the data transfer. The control channel (typically in clear-text) is used to synchronize the
communication behavior between client and server applications, e.g. to exchange information
about the dynamic ports that will be allocated for file transfers (data stream of an ftp session).
The control streams can be constantly monitored by special firewall plug-ins that extracts the set
of ports dynamically allocated for the data streams. These ports are then automatically opened in
the firewall. Such a mechanism has been already developed for the FTP, H.323 and SIP
protocols.

3.2.3 Obscured dynamic data transfer ports

Applications similar to those described in bullet 2, but where the information exchanged in the
control channel is not sufficient to determine the set of dynamic ports that will be used for data
transfer. This may happen because the control channel is encrypted (thus the firewall plug-in
cannot access its content) or because the set of dynamic ports is generated internally by the
application after the control channel has been closed (e.g. GridFTP 3rd party transfer). In both
cases the applications require a complete range of ephemeral ports to be permanently allowed
for traversing through the firewall. Most likely, firewall administrators do not like such a
configuration.

3.2.4 Arbitrarily dynamic data transfer ports

Applications that change on-the-fly the total amount of dynamic ports they use. These
applications may start a data transfer using one ephemeral port or a set of ephemeral ports, then
they may add or remove sockets arbitrarily at any time (i.e. GridFTP 3rd party transfer).
The difficulty in determining the complete communication setup at starting time implies that a
complete range of ephemeral ports need to be permanently allowed for traversing through the
firewall. Most likely, firewall administrators do not like such a configuration.

3.2.5 High throughput data pipes with non standard traffic patterns

Applications that require high throughput data pipes. These data streams often have special
SLAs (Service Level Agreements) that make them unsuitable to share communication links with
normal traffic. These SLAs could result in unfair behavior of the streams, leading to reduced
throughput for normal traffic. In some cases normal traffic could drop to zero because of the
excessive use of these grid applications. As a solution it should be feasible to route the special
traffic on dedicated connections, bypassing the normal institutional firewall, while yet ensuring
full compliance with the security policies (high throughput traffic has to be secured in a different
manner).

4 Future directions

Firewalls aim at securing and controlling the traffic flowing in and out of an organizational
domain. The importance of their role in the enforcement of security policies is not under
discussion. On the other hand, free research and information exchange between organizational
entities is required as well. Application programmers did not deal with firewalls in the past.
Applications were often developed, debugged and validated in a local environment without
interaction with firewalls. After successful implementation they have been thought to be
deployed in a more global environment, often extending over different organizational entities. In
this way applications and firewalls came to interact with each other, establishing a relationship
not always easy and flawless. The examples gathered in this document have the purpose to give
programmers useful insights for developing firewall-aware applications, increasing their
awareness of the distributed nature of resources of a grid environment. Another line of
investigation should pave the way for firewall developers to produce new kinds of firewalls,
which can cope with new types of applications and network infrastructures. Constantly growing
bandwidth demands require reconsideration of the underlying technologies. Firewalls cannot be
faster than network interfaces since they are based on these interfaces; there will always be a
delay in implementing faster firewalls. New concepts have to be developed: for example instead
of inspecting single packets streams could be checked. This is already offered by current
firewalls through the port concept. Many connections will be allowed without checking their
actual content. The connections will be allowed because another entity, the destination system,
already verified the authorization credentials. Firewall vendors should also get involved in
accomplishing strategic and long-term objectives, as the definition of a standardized
authentication/authorization mechanism to be implemented in their systems. Such a protocol
would allow grid-enabled firewalls to become a reality.

4.1Benefits Of Using Firewalls

Firewalls are filters that filter any information passing from and into your computer when you
are surfing the Internet. It is up to you to set a filtration level where you can say what
information gets in and what gets out. Many people believe that the firewalls are the first level of
security and they are not far from the truth. There are many benefits of using firewalls.

If you are using a computer at home or office, it is important to have a firewall. The thing is that
most large organizations have very complex firewalls which are relatively impenetrable. These
firewalls prevent employees from sending out sensitive company data through emails. They also
prevent employees from accessing sites which could be harmful to the organization's network or
stop the employees from being productive. In addition, firewalls prevent other computers from
accessing the company's network.

The benefits of using a firewall are immense for an organization and that is why it is in such
great demand. There are many different levels of configuration possible with firewalls and any
organization using them would require trained IT employees to oversee and maintain them.

When we talk about computers at home, the firewall used is not as complex as that used in an
organization. Here the firewall just has to protect your home PC and network from malicious
software like viruses and spyware. A firewall on your home computer does not allow traffic to
enter or go out other than what has been programmed. So, if a program entering your computer is
infected with virus and does not conform to the preset criteria stipulated on your firewall, it will
block it.

4.2Disadvantages Of Using Firewalls

Firewalls evolve due to cracker's ability to circumvent them increases.

"Always on" connections created by Cable and DSL connections create major problems for
firewalls. This can be compared to leaving you car running with the keys in it and the doors
unlocked which a thief may interpret as an invitation to "Please steal me".
Firewalls cannot protect you from internal sabotage within a network or from allowing other
users access to your PC.
Firewalls cannot edit indecent material like pornography, violence, drugs and bad language. This
would require you to adjust your browser security options or purchase special software to
monitor your children's Internet activity. Firewalls offer weak defense from viruses so antiviral
software and an IDS (intrusion detection system) which protects against Trojans and port scans
should also complement your firewall in the layering defense. Some firewalls claim full firewall
capability when it's not the case. Not all firewalls are created equally or offer the same protection
so it's up to the user to do their homework. Cost varies. There are some great free firewalls
available to the PC User but there are also a few highly recommended products, which can only
be purchased. The difference may be just the amount of support or features that a User can get
from a free product as opposed to a paid one and how much support that user thinks he or she
will require. A firewall protection is limited once you have an allowable connection open. This is
where another program should be in place to catch Trojan horse viruses trying to enter your
computer as unassuming normal traffic. There have been claims made by IDS (Intrusion
Detection System) companies where Trojan's were detected such as the RuX FireCracker v 2.0
which disabled certain Firewalls programs thus leaving the PC vulnerable to malicious actions.

5 Conclusion

In conclusion, the Internet has become a dangerous place. Thirteen-year-old kids on dial-up
accounts can crash a site supported by two T-1 connections by using hundreds of zombies (PCs
hacked and uploaded with a Trojan) to flood with UDP and ICMP traffic. This is simply a
malicious attack meant to consume all of the bandwidth of a connection to the Internet. Yahoo
was recently crashed by what is called a 'smurf' attack. In this attack, ping requests are sent to
several Internet broadcast addresses with a spoofed return address aimed at the victim (yahoo in
this case). The resulting storm of packets consumes all bandwidth and disconnects or makes the
site unusable for normal traffic. Hackers attack networks to destroy and/or steal information.
They attack PCs so they can use them in zombie attacks, to hide their identity when trying to
gain illegal entry to secured networks, or for nothing more than malicious purposes. While on the
internet my firewall typically gets 1 to 3 hits an hour, primarily port scanners looking for a
specific Trojan or a vulnerability to exploit. No one should be on the Internet without a firewall.
All networks are protected by firewalls. However, it is always a trade-off. The whole point of the
Internet is communication and exchange of information. The question is how much do we
restrict access without losing all the advantages of speed and openness.