Operational Security
May 2026
Firewalls
Firewalls are typically used to isolate an organisation’s internal network from the larger internet, allowing some packets to pass whilst blocking others.
- Firewalls can prevent many types of denial of service attack, for example by blocking specific packet types (SYN floods)
- Firewalls can prevent unauthorised access to internal data
- Firewalls can prevent external access to an internal network without authorization
There are three types of firewall:
- stateless packet filters
- stateful packet filters
- application gateways
Stateless Packet Filtering
As the name suggests, a stateless filter decides packet by packet whether to forward or drop, using only the information carried in that packet itself (addresses, ports, protocol, flags).
These can be used to block individual ports in a particular direction, block TCP segments with ACK=0 (i.e. connection attempts), etc.
An access control list (ACL) is a table of rules applied from top to bottom to each incoming packet; the first matching rule decides, so entries are usually written as action/condition pairs.
Stateful Packet Filtering
Stateless packet filters don’t block DoS attacks effectively: for example, they can still let bogus TCP packets through (an ACK with no corresponding connection looks valid to a filter that only inspects flags).
Stateful packet filters track the status of every TCP connection.
- connection setup (SYN) and teardown (FIN) are tracked, and incoming and outgoing packets are checked to be valid within an existing session
- inactive connections can be timed out at the firewall level, which no longer admits packets for that session
The ACL also stores whether or not the connection state needs to be checked.
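An added example (not from these notes) of the stateful filter described above: a top-down ACL of action/condition pairs, a per-rule flag saying whether connection state must be checked, tracking of SYN setup and FIN teardown, and an idle timeout after which the session is no longer admitted. The packet field names, the Rule fields and the 300 s timeout are this example's own assumptions.

```python
# Minimal stateful packet filter modelled on the notes above (added example).
# Packets are plain dicts; the field names and the Rule layout are assumptions.
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 300  # seconds of inactivity before a tracked session is forgotten

@dataclass
class Rule:
    direction: str            # "in" or "out"
    proto: str                # "tcp" or "udp"
    dport: Optional[int]      # destination port, or None for any port
    action: str               # "allow" or "deny"
    check_state: bool = False # allow only if the packet belongs to a tracked session

class StatefulFilter:
    def __init__(self, acl):
        self.acl = acl
        self.sessions = {}  # connection key -> timestamp of last packet seen

    def _key(self, pkt):
        # Both directions of one connection must map to the same key
        a = (pkt["src"], pkt["sport"]); b = (pkt["dst"], pkt["dport"])
        return tuple(sorted([a, b]))

    def _expire(self, now):
        # Inactive sessions time out; later packets for them are no longer admitted
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= IDLE_TIMEOUT}

    def filter(self, pkt, now):
        """Return 'allow' or 'drop' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        key = self._key(pkt)
        for rule in self.acl:  # rules are applied top to bottom; first match wins
            if rule.direction != pkt["dir"] or rule.proto != pkt["proto"]:
                continue
            if rule.dport is not None and rule.dport != pkt["dport"]:
                continue
            if rule.action == "deny":
                return "drop"
            if rule.check_state and key not in self.sessions:
                return "drop"  # e.g. a bare ACK or unsolicited SYN with no session: bogus
            if pkt["proto"] == "tcp" and pkt.get("flags") == "SYN":
                self.sessions[key] = now  # connection setup: start tracking
            elif key in self.sessions:
                self.sessions[key] = now  # refresh the activity timestamp
                if pkt.get("flags") == "FIN":
                    del self.sessions[key]  # teardown: stop tracking this session
            return "allow"
        return "drop"  # no rule matched: default deny at the end of the ACL
```

The constructed policy below allows outbound TCP freely, admits inbound TCP only for tracked sessions, and denies inbound UDP/53.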
Application Gateways
Application gateways can filter packets based on application-layer data alongside the IP/TCP/UDP header fields.
Limitations of Firewalls
- IP spoofing means routers can’t know for sure whether data really comes from the claimed source
- Client software must know how to contact the gateway
- Filters often use all-or-nothing policies for UDP
- Some gateways may require specialised software or configuration, such as setting a proxy in a web browser
Intrusion Detection Systems
- IDSs can run DPI (deep packet inspection) which allows the system to inspect packet content
- An IDS can also examine correlations among multiple packets and so detect port scanning, network mapping and DoS attacks
- there are generally multiple IDSs from a client’s PC to a web server implemented both by their ISP, other ISPs and the web server’s operator