Firewall Rules

Transcript Firewall Rules

Firewalls
•Check incoming and outgoing TCP/IP messages
•Try to identify abnormal traffic, at least roughly
Regulate Inbound and Outbound connections
- Make your machine “invisible” (unsolicited inbound probes get no reply)
- Alert you to suspicious behavior
Adjust Security Settings
- Generic “sliding bar” (low/medium/high presets)
- Precise rule definition
Keep Logs
- Useful for forensics after an attack
- Less important for the home user
Firewall Functions
Basic Functions:
Packet filtering - check network packet headers before admitting traffic
Network Address Translation (NAT) - translate between internal (private) and external (public) IP addresses, so internal hosts are not directly addressable from outside
Application Proxy - inspect application-specific header information (e.g. HTTP) rather than just the TCP/IP headers
Data Logging
Firewall Rules
•Packet filtering is performed based on a set of rules
•Rules can be pre-defined or user-defined
Default Strategy
Allow-All - Allows all network packets except those explicitly
denied by rules
Deny-All - Denies all network packets except those explicitly
allowed by rules
•Deny-All is safer but more annoying: legitimate traffic is blocked until a rule allows it
•Allow-All may be the shipped default, so check which strategy is in force
Firewall Rule Structure
Rules are defined based on information that the firewall has access to
1. TCP/IP header information
- source address, destination address, port number, etc.
2. User Information - filtering may be different for each user or group
3. Content - inferred from the application protocol (e.g. video over HTTP)
4. Time - some activity may not be allowed at certain times
e.g. video downloads during the day
Example Firewall Rules
•Assume Deny-All (anything not matched by a rule is denied)
Port/Content          Users              Time     Action
Port 80/except video  All                Always   Allow
Port 80/video         Trainers           Day      Allow
•Assume Allow-All (anything not matched by a rule is allowed)
Port/Content          Users              Time     Action
All ports, except 80  All                Always   Deny
Port 80/video         All, not Trainers  Always   Deny
Port 80/video         Trainers           Night    Deny
•Both tables express the same policy: only web traffic on port 80 is permitted, and video over port 80 is permitted only to Trainers during the day. Under Deny-All the rules list what is allowed; under Allow-All they list what is denied.
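The following is an added example, not part of the original slides: a toy first-match packet filter that encodes the rule structure above (port/content, user, time, action) and evaluates the two example tables under their respective default strategies. The `Match`, `Rule` and `Packet` names and the sample packets are constructed for this illustration; the user field is simplified to a group name such as "Trainers". The last two functions show the two mistakes discussed later: leaving a Deny rule out under Allow-All, and leaving an Allow rule out under Deny-All.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example built on the slide's rule structure; not code from any
# real firewall product. Rule tables reproduce the slide example,
# sample packets are constructed.

ALLOW, DENY = "Allow", "Deny"


class Match:
    """Field matcher. values=None is a wildcard (All / Always / any port);
    negate=True turns a value set into "everything except" that set."""

    def __init__(self, values: Optional[Iterable] = None, negate: bool = False):
        self.values = None if values is None else frozenset(values)
        self.negate = negate

    def __call__(self, value) -> bool:
        if self.values is None:
            return True
        return (value in self.values) != self.negate


ANY = Match()


@dataclass(frozen=True)
class Packet:
    dst_port: int   # from the TCP/IP header
    group: str      # user group of the sender (simplification, e.g. "Trainers")
    content: str    # classification derived from the application protocol
    time: str       # "Day" or "Night"


@dataclass(frozen=True)
class Rule:
    port: Match
    content: Match
    users: Match
    time: Match
    action: str

    def matches(self, p: Packet) -> bool:
        return (self.port(p.dst_port) and self.content(p.content)
                and self.users(p.group) and self.time(p.time))


def decide(rules: List[Rule], default: str, p: Packet) -> str:
    """First matching rule wins; otherwise the default strategy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Slide table 1: Deny-All default, rules list only what is allowed.
DENY_ALL_RULES = [
    Rule(Match({80}), Match({"video"}, negate=True), ANY, ANY, ALLOW),
    Rule(Match({80}), Match({"video"}), Match({"Trainers"}), Match({"Day"}), ALLOW),
]

# Slide table 2: Allow-All default, rules list only what is denied.
ALLOW_ALL_RULES = [
    Rule(Match({80}, negate=True), ANY, ANY, ANY, DENY),
    Rule(Match({80}), Match({"video"}), Match({"Trainers"}, negate=True), ANY, DENY),
    Rule(Match({80}), Match({"video"}), Match({"Trainers"}), Match({"Night"}), DENY),
]

# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    Packet(80, "Staff", "html", "Day"),        # ordinary web page
    Packet(80, "Trainers", "video", "Day"),    # trainer watching video by day
    Packet(80, "Trainers", "video", "Night"),  # same trainer at night
    Packet(80, "Staff", "video", "Day"),       # non-trainer video
    Packet(22, "Trainers", "ssh", "Day"),      # SSH, not port 80
]


def decisions(rules: List[Rule], default: str) -> List[str]:
    return [decide(rules, default, p) for p in SAMPLE_PACKETS]


def policies_agree() -> bool:
    """Both tables describe one policy, so every packet gets the same verdict."""
    return decisions(DENY_ALL_RULES, DENY) == decisions(ALLOW_ALL_RULES, ALLOW)


def forgot_deny_example() -> str:
    """Allow-All with the 'All, not Trainers' Deny rule left out:
    non-trainer video slips through silently."""
    incomplete = [ALLOW_ALL_RULES[0], ALLOW_ALL_RULES[2]]
    return decide(incomplete, ALLOW, Packet(80, "Staff", "video", "Day"))


def forgot_allow_example() -> str:
    """Deny-All with the trainer Allow rule left out: a good packet is
    stopped, which is annoying but fails safe."""
    return decide([DENY_ALL_RULES[0]], DENY, Packet(80, "Trainers", "video", "Day"))


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, decisions(DENY_ALL_RULES, DENY)):
        print(p, "->", verdict)
    print("tables agree:", policies_agree())
    print("Allow-All missing a Deny:", forgot_deny_example())
    print("Deny-All missing an Allow:", forgot_allow_example())
```

Running the script prints the verdict for each sample packet (Allow, Allow, Deny, Deny, Deny), confirms both tables agree, and shows the asymmetry of the two mistakes: the forgotten Deny under Allow-All opens a hole, while the forgotten Allow under Deny-All only blocks a legitimate request.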
Weaknesses of Firewalls
•A packet filter only looks at header information, not the packet payload
- Cannot see malicious code in the content
•Access control is not precise
- Closes off entire ports/applications/addresses rather than individual requests
•Mistakes can be made in defining rules
- Assume Allow-All and forget to Deny
•Good packets may be stopped
- Assume Deny-All and forget to Allow
- Many cryptic warnings may appear
- Need to understand rules to interpret warnings