packet filtering

Upload: vijit13

Post on 02-Mar-2016


Packet Filtering Firewall

Stateful Multilayer Inspection Firewall

Project Guide: Dr. Brig. S.P. Ghrera

Team Members:
- Ankita Aggarwal 101297
- Vijit Singhal 101302
- Pranjali Jaggi 101284
- Ampin Gupta 101337

Table of Contents
- Objective
- Problem Statement
- Introduction
- Project Plan
- Model Used
- Work Plan
- Input/Output
- Implementation
- Source Code and Output
- References

Project Definition

Objective

Semester 7: Part-1 (Packet Filtering Firewall)
- Learning to filter packets.
- Creating a packet filter firewall.
- Writing packet filtering rules.
- Testing and debugging.

Problem Statement

To control incoming and outgoing network traffic by analyzing the data packets and determining, from a predetermined rule set, whether each packet should be allowed through.

Introduction

What is Packet Filtering?

Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. The data flows in the form of packets.

A packet filtering firewall allows only those packets to pass that are permitted by your firewall policy. Each packet passing through is inspected, and the firewall then decides whether to pass it. Packet filtering can be divided into two kinds:
- Stateless packet filtering.
- Stateful packet filtering.

Stateless Packet Filtering

If the firewall does not remember information about the packets that have already passed, the filtering is called stateless packet filtering. Firewalls of this type are not smart enough and can be fooled very easily by attackers. They are especially weak for UDP traffic, because allow/deny decisions are taken on a packet-by-packet basis and are not related to previously allowed or denied packets.

Stateful Packet Filtering

If the firewall remembers information about previously passed packets, the filtering is stateful packet filtering. These can be termed smart firewalls. This type of filtering is also known as dynamic packet filtering.

Functions of a Packet Filtering Firewall
- Control: Allow only those packets that you are interested in to pass through.
- Security: Reject packets from malicious outsiders.
- Watchfulness: Log packets to/from the outside world.

Advantages of Packet Filtering

Because not a lot of data is analyzed or logged, packet filters use very little CPU and add little latency to a network. They tend to be more transparent, in that the rules are configured by the network administrator for the whole network, so the individual user doesn't have to face the rather complicated task of writing firewall rule sets.

It is cost effective to simply configure routers that are already part of the network to do additional duty as firewalls.

1. One of the key advantages of packet filtering is that a single, strategically placed packet filtering router can help protect an entire network. If there is only one router that connects your site to the Internet, you gain tremendous leverage on network security, regardless of the size of your site, by doing packet filtering on that router.

2. Unlike proxying, packet filtering doesn't require any custom software or configuration of client machines, nor does it require any special training or procedures for users. When a packet filtering router decides to let a packet through, the router is indistinguishable from a normal router. Ideally, users won't even realize it's there, unless they try to do something that is prohibited (presumably because it is a security problem) by the packet filtering router's filtering policy. This "transparency" means that packet filtering can be done without the cooperation, and often without the knowledge, of users. The point is not that you can do this subversively, behind your users' backs (while actions like that are sometimes necessary, depending on the circumstances, they can be highly political). The point is that you can do packet filtering without their having to learn anything new to make it work, and without your having to depend on them to do (or not do) anything to make it work.

3. Packet filtering capabilities are available in many hardware and software routing products, both commercial and freely available over the Internet. Most sites already have packet filtering capabilities available in the routers they use.

Disadvantages of Packet Filtering

Packet filtering firewalls work only at the network layer, and these firewalls do not support complex rule-based models.

1. Despite the widespread availability of packet filtering in various hardware and software packages, packet filtering is still not a perfect tool. The packet filtering capabilities of many of these products share, to a greater or lesser degree, common limitations:
   - The packet filtering rules tend to be hard to configure. Although there is a range of difficulty, it mostly runs from slightly mind-twisting to brain-numbingly impossible.
   - Once configured, the packet filtering rules tend to be hard to test.
   - The packet filtering capabilities of many of the products are incomplete, making implementation of certain types of highly desirable filters difficult or impossible.
   - Like anything else, packet filtering packages may have bugs in them; these bugs are more likely than proxying bugs to result in security problems. Usually, a proxy that fails simply stops passing data, while a failed packet filtering implementation may allow packets it should have denied.

2. Even with perfect packet filtering implementations, you will find that some protocols just aren't well suited to security via packet filtering.

3. The information that a packet filtering router has available to it doesn't allow you to specify some rules you might like to have.

Different types of filtering mechanisms

Packet filters work at the network level. Each packet is compared to a set of criteria before it is forwarded.
Advantages: low cost, low impact on network performance.
Disadvantages: does not support sophisticated rule-based models.

Circuit level gateways work at the session layer. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway.
Advantages: relatively inexpensive; hides information about the private network.
Disadvantages: they do not filter individual packets.

Application level gateways work at the application layer. Incoming or outgoing packets cannot access services for which there is no proxy. They filter application-specific commands and can also be used to log user activity and logins.
Advantages: a high level of security.
Disadvantages: significant impact on network performance; not transparent to end users; require manual configuration of each client computer.

Stateful multilayer inspection firewalls work at the application, session and network layers. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways, and can also be used to log user activity and logins. They rely on algorithms to recognize and process application layer data instead of running application-specific proxies.
Advantages: a high level of security, good performance, transparency to end users.
Disadvantages: they are expensive and complex.

Project Design

Model used: Incremental Model

Work Plan (Gantt chart, July 2013 to May 2014, marking completed and remaining tasks):
- Implementing Rules
- Circuit and Application level Gateway Implementation
- Build Packet Filter Firewall
- Stateful Multilayer Inspection Firewall

Input/Output

Input: Packets coming from the network.

Output: List of blocked packets with their IP addresses and port numbers.

Implementation

Implementation Aspects

Hardware requirements: Packet filters require few hardware resources. The firewall works efficiently on:
- Processor: 1 GHz
- RAM: 512 MB
- OS: Windows

Software versions used: Microsoft Visual C++ 2006 edition.

How packet filtering works

How packet filtering rules are specified: The rules are specified as a table of conditions and actions that are applied in a certain order until a decision to route or drop the packet is reached.

Use Case Diagram:

Filter Hook Driver: A filter-hook driver is a kernel-mode driver that is used to filter network packets. Filter-hook drivers extend the functionality of the system-supplied Internet Protocol (IP) filter driver.

In the filter-hook driver, we implement a callback function and then register this callback with the IP filter driver. After the filter-hook driver is registered, the IP filter driver assigns the file object for the filter-hook driver.

Implementation of the filter-hook driver:
1. Create a filter-hook driver; for this, a kernel-mode driver must be created.
2. Get a pointer to the IP filter driver.
3. Send a specific IRP. The data passed in this message includes a pointer to the filter function.
4. Filter packets.
5. Once filtering is finished, de-register the filter function.

Working of the filter:

The filter is implemented by a function named cbFilterFunction, whose return type is PF_FORWARD_ACTION. This function takes several parameters:
- Packet header
- Packet length
- Packet interface index
- RecvLink
- NextHop

The callback function is called for each packet received or sent, and returns one of three actions:
- PF_FORWARD
- PF_PASS
- PF_DROP

The firewall works in the following steps:
1. Extract the packet header.
2. Check the associated protocol.
3. Compare with the rules.
4. If the protocol is the same, check the source and destination addresses.
5. If the protocol is TCP, check the port.
6. Drop or pass the packet.

A variable countrule is defined to hold the number of rules, and filterlist is initialized to the first rule. The packet header is extracted and assigned to ipp. Next the protocol is checked: if the protocol number is 6, the packet is TCP. We accept all packets if the connection is already established; also, if the SYN bit is not set, we pass the packet using return PF_FORWARD. Otherwise the packet is compared against the rules in the list until no member remains, i.e. while the condition while(aux != NULL) holds. Now check whether the protocol is the same; if so, look at the source and destination address, incrementing countrule each time. Then, if the protocol is TCP, check the port.

Now the decision whether to drop or pass the packet is taken according to the following statements:

    if (aux->ipf.drop) return PF_DROP;   // drop the packet
    else return PF_FORWARD;              // forward the packet

The same procedure is applied to UDP packets. For other packets we look no further, and the decision has been made. After this, countrule is incremented, and we accept all packets which are not registered.
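A user-space model of the decision walk described here and of the rule table described under "How packet filtering works", written as an added example (not the project's driver code): Rule, Packet, filter_packet and the sample rule set are hypothetical, and a clear SYN bit stands in for the page's "connection already established" test.

```c
#include <stddef.h>
#include <stdint.h>

/* Return actions modelled on the filter-hook results named on the page. */
enum { PF_FORWARD = 0, PF_PASS = 1, PF_DROP = 2 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* Hypothetical rule record; 0 in an address or port field means "any". */
typedef struct {
    uint8_t  proto;
    uint32_t src, dst;   /* IPv4 addresses, host byte order */
    uint16_t port;       /* destination port, checked for TCP/UDP only */
    int      drop;       /* 1 = PF_DROP on match, 0 = PF_FORWARD on match */
} Rule;

/* The header fields the callback reads; syn mirrors the TCP SYN flag. */
typedef struct { uint8_t proto; uint32_t src, dst; uint16_t dport; int syn; } Packet;

/* First-match walk over the rule list in the order the page describes:
 * TCP without SYN is forwarded as "already established", otherwise protocol,
 * then addresses, then port are compared; unmatched packets are forwarded. */
int filter_packet(const Packet *p, const Rule *rules, size_t nrules) {
    if (p->proto == PROTO_TCP && !p->syn)
        return PF_FORWARD;
    for (size_t i = 0; i < nrules; i++) {
        const Rule *r = &rules[i];
        if (r->proto != p->proto) continue;
        if (r->src && r->src != p->src) continue;
        if (r->dst && r->dst != p->dst) continue;
        if ((p->proto == PROTO_TCP || p->proto == PROTO_UDP) &&
            r->port && r->port != p->dport) continue;
        return r->drop ? PF_DROP : PF_FORWARD;
    }
    return PF_FORWARD;   /* "we accept all the packets which are not registered" */
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((c) << 8) | (d))

/* Constructed sample rules: drop telnet (23/tcp) from 10.0.0.5, drop all UDP. */
static const Rule demo_rules[] = {
    { PROTO_TCP, IP4(10, 0, 0, 5), 0, 23, 1 },
    { PROTO_UDP, 0, 0, 0, 1 },
};
#define NRULES (sizeof demo_rules / sizeof demo_rules[0])
/* Constructed packets exercising each path of the decision. */
int demo_telnet_syn(void) { Packet p = { PROTO_TCP, IP4(10,0,0,5), IP4(10,0,0,1), 23, 1 }; return filter_packet(&p, demo_rules, NRULES); }
int demo_http_syn(void)   { Packet p = { PROTO_TCP, IP4(10,0,0,5), IP4(10,0,0,1), 80, 1 }; return filter_packet(&p, demo_rules, NRULES); }
int demo_dns_udp(void)    { Packet p = { PROTO_UDP, IP4(10,0,0,9), IP4(10,0,0,1), 53, 0 }; return filter_packet(&p, demo_rules, NRULES); }
/* SYN clear from the blocked host: forwarded before any rule is consulted, the stateless gap the Introduction describes. */
int demo_telnet_nosyn(void) { Packet p = { PROTO_TCP, IP4(10,0,0,5), IP4(10,0,0,1), 23, 0 }; return filter_packet(&p, demo_rules, NRULES); }
```

The last case is why the page's stateful variant keeps a record of passed packets: a rule on port 23 only ever sees the SYN segment.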

Output

A file containing all defined rules is created using the ADD RULE function, and the list of specified rules can be seen using VIEW REGISTERED RULES.

Using the PORT SCANNER function, all open ports associated with an IP address can be identified.

Future Work

Semester 8: Part-2 (Circuit and Application Level Gateway Firewall)
- Creating a circuit level gateway filtering firewall.
- Creating an application level gateway filtering firewall.
- Integration and test run.
- Real-time evaluation of the Stateful Multilayer Inspection Firewall.
