Design and implementation of firewall in college
Typology: Study Guides, Projects, Research
other datagrams to their destination. When a datagram first arrives, the router passes it through its packet filter before performing any other processing; if the filter rejects the datagram, the router drops it immediately. The filter can be configured in two modes. In the first mode, the default action is to route the datagram, and the IP combinations in the laws define the datagrams that are to be blocked. The other configuration is the reverse: the default action is to block the datagram, and only datagrams that abide by the filter laws are routed. The first mode does not make for an effective firewall, for three reasons.
Content filtering is the technique whereby content is blocked or allowed based on analysis of the content itself, rather than its source or other criteria. It is most widely used on the internet to filter email and web access. Content filtering is commonly used by organizations such as offices and schools to prevent computer users from viewing inappropriate web sites or content, or as a pre-emptive security measure to prevent access to known malware hosts. Filtering rules are typically set by a central IT department and may be implemented via software on individual computers or at a central point on the network such as the proxy server or internet router. Depending on the sophistication of the system used, it may be possible for different computer users to have different levels of internet access. We implemented content-based filtering by allowing the router to peep into the data section of the received packet before routing it. A set of restricted words is specified, each of which is representative of prohibited content in a message. The router looks for these words in the datagram and blocks the datagram if one is found. Note that content-based filtering takes place after the datagram has passed packet-level filtering.
This is a simple record that holds the information associated with a specific law. The law contains the source and destination IP addresses that are to be matched against; port numbers further supplement the information contained in the law.

Field        Description
Source IP    Source IP address that will match the law
Dest IP      Destination IP address that will match the law
Source Port  Source port that will match the law
Dest Port    Destination port that will match the law
Src Mask     A flag indicating whether the Source IP in the law is a network mask
Dest. Mask   A flag indicating whether the Dest IP in the law is a network mask
Action       Accept (Route and Notify), Deny (Drop), Reject (Drop and Notify)
Protocol     Protocol which will match: TCP, UDP
Table 1: Structure of law
6.2.1 A trivial data structure: Array
Attribute                Description
unsigned int ip_hl:4     Number of 32-bit words forming the header, usually five
unsigned int ip_v:4      Always set to the value 4 in the current version of IP
uint8_t ip_tos           Usually set to 0, but may indicate particular Quality of Service needs from the network. This helps the router in taking the right routing decisions.
uint16_t ip_len          Total length; it includes the IP header and everything that comes after it
uint16_t ip_id           The source and the ID field together identify the fragments of a unique packet, so each fragmented packet has a different ID
uint16_t ip_off          A 13-bit field that represents where in the packet the current fragment starts
uint8_t ip_ttl           Specifies the number of hops within which the packet should be delivered or else destroyed
uint8_t ip_p             Specifies the module to which we should hand over the packet: UDP (17) or TCP (6)
uint16_t ip_sum          The header checksum. Every time anything in the header changes it needs to be recalculated, or the packet will be discarded by the next router
struct in_addr ip_src    Source IP address
struct in_addr ip_dst    Destination IP address
Table 2: struct ip

TCP segments are sent as internet datagrams. A TCP header follows the internet header, supplying information specific to the TCP protocol. This division allows for the existence of host-level protocols other than TCP. In our implementation, we have used the struct tcphdr structure as a header for the segment following the TCP protocol. TCP segment header tcphdr is a struct (structure) in the C programming language. The tcphdr struct is used as a template to form a TCP header in a raw socket. The structure can be found in the default include files of most Unix distributions. It is most commonly located in the netinet/tcp.h header file. The tcphdr struct is unique in that it was written in two different formats, a BSD format and a Linux format. We have used the BSD format, so we add #define __USE_BSD and #define __FAVOR_BSD at the very top of our definitions.
Attribute          Description
u_short th_sport   The source port number
u_short th_dport   The destination port number
tcp_seq th_seq     The sequence number is used to enumerate the TCP segments. The data in a TCP connection can be contained in any number of segments (single TCP datagrams), which will be put in order and acknowledged.
tcp_seq th_ack     Every packet that is sent and is a valid part of a connection is acknowledged with an empty TCP segment with the ACK flag set
u_int th_x2:4      Variable in 4-byte blocks. The x2 variable is deprecated; it should be set to all binary zeros
th_off:4           The segment offset specifies the length of the TCP header in 32-bit / 4-byte blocks
u_char th_flags    This field consists of six binary flags: URG, ACK, PUSH, RST, SYN, FIN
u_short th_win     The TCP window: the number of bytes that can be sent before the data should be acknowledged with an ACK before sending more segments
u_short th_sum     The checksum of the pseudo header, TCP header and payload
u_short th_urp     Urgent pointer. Only used if the urgent flag is set, else zero
Table 3: struct tcphdr

In our implementation, we have used the struct udphdr structure as a header for the segment following the UDP protocol. UDP segment header udphdr is a struct (structure) in the C programming language. The udphdr struct is used as a template to form a UDP header in a raw socket. The structure can be found in the default include files of most Unix distributions. It is most commonly located in the netinet/udp.h header file.

Attribute          Description
u_short uh_sport   The source port number
u_short uh_dport   The destination port number
short uh_ulen      The UDP length
u_short uh_sum     Checksum
Table 4: struct udphdr
Consider the following set of laws specified to the router.

Source        Port   Destination   Port   Action   Src mask flag   Dst mask flag   Protocol
172.24.32.14  5000   172.24.32.15  5001   0        0               0               6
172.24.0.0    5010   172.24.32.16  5011   2        1               0               17
172.24.12.1   5000   172.24.0.0    5001   0        0               1               6

Restricted words: terrorist, bomb, suicide

Consider a TCP packet originating from the machine having IP address 172.24.32.14:5000 and destined to the machine 172.24.32.15:5001. The datagram is first routed to the firewall. At the router (which is running the firewall), the firewall extracts the required fields from the packet header. It then traverses the Law Tree according to the source IP. On traversal, we get a match at law 1. The action demanded by the law is to accept the packet; hence the packet is forwarded to the destination and a message is sent to the source informing it that the datagram has been routed to the destination.

Now consider a UDP packet originating from the machine having IP address 172.24.32.14:5010 and destined to the machine 172.24.32.16:5011. At the router, a similar procedure is followed, with the exception that the src mask flag is set in the matching law. This means that while traversing the Law Tree an internal node is matched which contains a non-empty list of laws applying to all the addresses in the sub-tree rooted at this node. Hence, in this case the law applies to the datagram and the desired action is taken: the action field is set to 2, which implies that the packet is to be dropped and the source informed.

Now consider a TCP packet containing the word "terrorist", originating from the machine having IP address 172.24.12.1:5000 and destined to the machine 172.24.32.15:5001. Following the above guidelines, the packet is accepted by the router after packet-level filtering. The packet is then passed through the content-based filter, where it is dropped because it matches the restricted word "terrorist".
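The following C program, added here as an illustration and not the project's own code, encodes the three laws and the restricted words above and applies the two filters in the order the text describes: the packet-level filter first, with the default-block configuration, and the content filter only on datagrams that were accepted. It assumes the action coding 0 = Accept, 1 = Deny, 2 = Reject, and treats a law whose mask flag is set as a /16 network (mask 255.255.0.0), which is what the 172.24.0.0 entries imply.

```c
#include <arpa/inet.h>   /* inet_addr(), ntohl() */
#include <stdint.h>
#include <string.h>

/* Assumed action coding; the report's example uses 0 = accept, 2 = reject. */
enum action { ACCEPT = 0, DENY = 1, REJECT = 2 };

struct law {                                  /* one row of Table 1 */
    const char *src_ip, *dst_ip; uint16_t src_port, dst_port;
    int src_mask, dst_mask;                   /* 1 = address denotes a network */
    enum action action; uint8_t proto;        /* 6 = TCP, 17 = UDP */
};
struct pkt {                                  /* fields extracted from a datagram */
    const char *src_ip, *dst_ip; uint16_t src_port, dst_port;
    uint8_t proto; const char *payload;
};
/* The three laws and the restricted words from the example above. */
static const struct law laws[] = {
    {"172.24.32.14", "172.24.32.15", 5000, 5001, 0, 0, ACCEPT, 6},
    {"172.24.0.0",   "172.24.32.16", 5010, 5011, 1, 0, REJECT, 17},
    {"172.24.12.1",  "172.24.0.0",   5000, 5001, 0, 1, ACCEPT, 6},
};
static const char *restricted[] = {"terrorist", "bomb", "suicide"};
#define NET_MASK 0xFFFF0000u                  /* assumption: a network law covers a /16 */

static int addr_match(const char *law_ip, int is_net, const char *pkt_ip)
{
    uint32_t a = ntohl(inet_addr(law_ip)), b = ntohl(inet_addr(pkt_ip));
    return is_net ? (a & NET_MASK) == (b & NET_MASK) : a == b;
}
/* Packet-level filter: first matching law decides; no match means block (second mode). */
enum action packet_filter(const struct pkt *p)
{
    for (size_t i = 0; i < sizeof laws / sizeof laws[0]; i++) {
        const struct law *l = &laws[i];
        if (l->proto == p->proto && l->src_port == p->src_port && l->dst_port == p->dst_port
            && addr_match(l->src_ip, l->src_mask, p->src_ip)
            && addr_match(l->dst_ip, l->dst_mask, p->dst_ip))
            return l->action;
    }
    return DENY;
}
/* Content filter: only accepted datagrams are inspected; a restricted word drops them. */
enum action filter(const struct pkt *p)
{
    enum action a = packet_filter(p);
    if (a != ACCEPT) return a;
    for (size_t i = 0; i < sizeof restricted / sizeof restricted[0]; i++)
        if (strstr(p->payload, restricted[i])) return DENY;
    return ACCEPT;
}
```

Running the three packets of the worked example through filter() reproduces the outcomes given in the text; a packet from an address no law covers falls through to the default block.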