Firewall Implementation, Study Guides, Projects, Research of Network security

Design and implementation of firewall in college

Typology: Study Guides, Projects, Research

2019/2020

Uploaded on 01/23/2020

dhamodaran-n

Firewall Implementation
By
Akshal Jasmine Y., Deno Shalu D., Dhamodaran N., Minisha
P.M., Reshma R.S., SAMUEL RAJ R.
under the guidance of
Dr. Pon. Partheeban
Department of Computer Science and Engineering
Stella Mary’s College of Engineering, Aruthenganvilai.

Contents

  • 1 Objective
  • 2 Motivation
  • 3 Introduction and Overview
  • 4 Packet Level Filters
  • 5 Content Based Filtering
  • 6 Implementation Details
  • 6.1 Law
  • 6.2 Organization of laws
  • 6.2.1 A trivial data structure: Array
  • 6.2.2 Our data structure: LawTree
  • 6.2.3 Advantages of our data structure:
  • 6.3 Headers
  • 6.4 A Working Example
  • 7 Conclusion and Future Work
  • 8 Acknowledgements

other datagrams to their destination. When a datagram first arrives, the router passes it through its packet filter before performing any other processing; if the filter rejects the datagram, the router drops it immediately. The filter can be configured in two modes. In the first mode, the default action is to route the datagram, while the IP combinations in the laws define the datagrams that are to be blocked. The second mode is the reverse: the default action is to block the datagram, and only datagrams that abide by the filter laws are routed. The first mode does not work for an effective firewall, for three reasons.

  • The number of well-known ports is large and growing. Thus, a manager would need to update such a list of laws continuously, because a simple error of omission can leave the firewall vulnerable to attacks.
  • Much of the traffic on the internet does not travel to or from a well-known port. In addition, programmers can choose port numbers for their private client-server applications, and services like RPC assign port numbers dynamically.
  • Listing ports of well-known services leaves the firewall vulnerable to tunneling, a technique in which one datagram is temporarily encapsulated in another for transfer across part of an internet. Tunneling is used to circumvent security by arranging for a host or router on the inside to accept encapsulated datagrams from an outsider, remove one layer of encapsulation, and forward the datagram on to the service that would otherwise be restricted by the firewall.

It is because of these reasons that we have configured our filter mechanism to operate in the second mode, which blocks all datagrams by default except those destined for specific networks, hosts and protocol ports for which external communication has been approved by the laws.

5 Content Based Filtering

Content filtering is the technique whereby content is blocked or allowed based on analysis of the content itself, rather than its source or other criteria. It is most widely used on the internet to filter email and web access. Content filtering is commonly used by organizations such as offices and schools to prevent computer users from viewing inappropriate web sites or content, or as a pre-emptive security measure to prevent access to known malware hosts. Filtering rules are typically set by a central IT department and may be implemented via software on individual computers or at a central point on the network such as the proxy server or internet router. Depending on the sophistication of the system used, it may be possible for different computer users to have different levels of internet access. We implemented content-based filtering by allowing the router to peep into the data section of the packet received before routing it. A set of restricted words is specified, each of which is representative of the prohibited content in a message. The router looks for these words in the datagram and blocks the datagram if one is found. Note that content-based filtering takes place after the datagram has passed the packet level filtering.

6 Implementation Details

6.1 Law

This is a simple record that holds the information associated with a specific law. The law contains the IP addresses of the source and destination that are to be matched against. Port numbers further supplement the information contained in the law.

  • Source IP - Source IP address that will match the law
  • Dest IP - Destination IP address that will match the law
  • Source Port - Source port that will match the law
  • Dest Port - Destination port that will match the law
  • Src Mask - A flag indicating whether the Source IP in the law is a network mask
  • Dest Mask - A flag indicating whether the Dest IP in the law is a network mask
  • Action - Accept (route and notify), Deny (drop), Reject (drop and notify)
  • Protocol - Protocol which will match: TCP, UDP

Table 1: Structure of law

6.2 Organization of laws

6.2.1 A trivial data structure: Array

  • In a conventional packet filtering firewall, the laws are stored in an array.
  • Each time a packet is processed, the array has to be scanned top to bottom, regardless of the laws it contains.
  • At large, busy Internet junctions, this may cause packet losses, which will require upgrading the processor.

6.2.2 Our data structure: Law Tree

  • A Law Tree is a binary tree organization of laws where each internal node (Tree Node) represents a prefix of an IP address. Each Tree Node extends the prefix of its parent by appending a “0” or “1” depending upon whether it is the left or right child of its parent respectively.
  • Each law is encapsulated in a Law Node and sits in the law tree indexed by its source IP address field.
  • The choice to sort by source IP was made based on the fact that popular firewalls filter packets by source rather than by destination addresses.
  • A law consisting of an IP address and mask is inserted at the position reached by walking down the tree using the significant bits of the IP address. Each node contains a linked list of laws having the prefix associated with the node as their source IP address, because more than one law may exist for a single source address (for example, for different network interfaces, destination addresses, and other options).
  • The flags src mask and dst mask are used to decide whether the source address and the destination address present in the law represent IP addresses of host machines or the subnet masks of the source and destination networks respectively. When these flags are set, the law is encapsulated as a Law Node into the list of the Tree Node whose prefix represents the corresponding mask.

6.3 Headers

  • unsigned int ip_hl:4 - Number of 32-bit words forming the header, usually five.
  • unsigned int ip_v:4 - Always set to the value 4 in the current version of IP.
  • uint8_t ip_tos - Usually set to 0, but may indicate particular Quality of Service needs from the network. This helps the router in taking the right routing decisions.
  • uint16_t ip_len - It includes the IP header and everything that comes after it.
  • uint16_t ip_id - The source and ID fields together represent the fragments of a unique packet, so each fragment will have a different ID.
  • uint16_t ip_off - A 13-bit field that represents where in the packet the current fragment starts.
  • uint8_t ip_ttl - Specifies the number of hops within which the packet should be delivered, or else destroyed.
  • uint8_t ip_p - Specifies the module to which we should hand over the packet: UDP (17) or TCP (6).
  • uint16_t ip_sum - The header checksum. Every time anything in the header changes, it needs to be recalculated, or the packet will be discarded by the next router.
  • struct in_addr ip_src - Source IP address
  • struct in_addr ip_dst - Destination IP address

Table 2: struct ip

TCP segments are sent as internet datagrams. A TCP header follows the internet header, supplying information specific to the TCP protocol. This division allows for the existence of host level protocols other than TCP. In our implementation, we have used the struct tcphdr structure as a header for the segment following the TCP protocol. TCP segment header: tcphdr is a struct (structure) in the C programming language. The tcphdr struct is used as a template to form a TCP header in a raw socket. The structure can be found in the default include files of most Unix distributions. It is most commonly located in the netinet/tcp.h header file. The tcphdr struct is unique in that it was written in two different formats, a BSD format and a Linux format. We have used the BSD format, so we add #define __USE_BSD and #define __FAVOR_BSD at the very top of our definitions.

  • u_short th_sport - the source port number
  • u_short th_dport - the destination port number
  • tcp_seq th_seq - The sequence number is used to enumerate the TCP segments. The data in a TCP connection can be contained in any number of segments (single TCP datagrams), which will be put in order and acknowledged.
  • tcp_seq th_ack - Every packet that is sent and is a valid part of a connection is acknowledged with an empty TCP segment with the ACK flag set.
  • u_int th_x2:4 - Variable in 4-byte blocks. The x2 variable is deprecated; it should be set to all binary zeros.
  • th_off:4 - The segment offset specifies the length of the TCP header in 32-bit/4-byte blocks.
  • u_char th_flags - This field consists of six binary flags: URG, ACK, PUSH, RST, SYN, FIN.
  • u_short th_win - The TCP window: the number of bytes that can be sent before the data should be acknowledged with an ACK before sending more segments.
  • u_short th_sum - The checksum of the pseudo header, TCP header and payload.
  • u_short th_urp - Urgent pointer. Only used if the urgent flag is set, else zero.

Table 3: struct tcphdr

In our implementation, we have used the struct udphdr structure as a header for the segment following the UDP protocol. UDP segment header: udphdr is a struct (structure) in the C programming language. The udphdr struct is used as a template to form a UDP header in a raw socket. The structure can be found in the default include files of most Unix distributions. It is most commonly located in the netinet/udp.h header file.

  • u_short uh_sport - the source port number
  • u_short uh_dport - the destination port number
  • short uh_ulen - the UDP length
  • u_short uh_sum - checksum

Table 4: struct udphdr
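The extraction step described above, as an added example that is not part of the report: the fields the packet filter matches are read out of a raw IPv4 datagram through struct ip, struct tcphdr and struct udphdr (the structures of Tables 2 to 4), with the length and fragment checks a filter needs before it trusts any header field. struct fields, extract_fields and build_tcp_datagram are names chosen here, the sample datagram is constructed, and _DEFAULT_SOURCE is used as the current glibc switch for these BSD-style structures (the role the report's __USE_BSD played).

```c
/* Added example, not the project's code: reading the filter fields of a raw IPv4
 * datagram through struct ip, struct tcphdr and struct udphdr (Tables 2 to 4),
 * with the bounds checks a filter needs before it trusts any header field.
 * _DEFAULT_SOURCE is the current glibc switch that exposes these BSD-style
 * structures (the report's __USE_BSD); the sample datagram is constructed. */
#define _DEFAULT_SOURCE
#define __FAVOR_BSD
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fields {                 /* what the packet filter matches against the laws */
    uint32_t src, dst;          /* host byte order */
    uint16_t sport, dport;
    int proto;
    size_t data_off, data_len;  /* data section handed to the content filter */
};

/* Returns 0 and fills f, or -1 for a malformed, fragmented or non-TCP/UDP
 * datagram; under the default-block mode those are dropped. Headers are copied
 * out of the buffer because it need not be suitably aligned. */
int extract_fields(const unsigned char *buf, size_t len, struct fields *f) {
    struct ip iph;
    if (len < sizeof iph) return -1;
    memcpy(&iph, buf, sizeof iph);
    size_t ihl = (size_t)iph.ip_hl * 4, total = ntohs(iph.ip_len);
    if (iph.ip_v != 4 || ihl < sizeof iph || ihl > len) return -1;
    if (total < ihl || total > len) return -1;            /* ip_len must fit the buffer */
    /* Fragments are not filtered here: a non-first fragment carries no ports and
     * a first fragment carries incomplete data for the content filter. */
    if (ntohs(iph.ip_off) & (IP_OFFMASK | IP_MF)) return -1;
    f->src = ntohl(iph.ip_src.s_addr);
    f->dst = ntohl(iph.ip_dst.s_addr);
    f->proto = iph.ip_p;
    if (iph.ip_p == IPPROTO_TCP) {
        struct tcphdr th;
        if (total - ihl < sizeof th) return -1;
        memcpy(&th, buf + ihl, sizeof th);
        size_t thl = (size_t)th.th_off * 4;               /* th_off counts 4-byte blocks */
        if (thl < sizeof th || thl > total - ihl) return -1;
        f->sport = ntohs(th.th_sport); f->dport = ntohs(th.th_dport);
        f->data_off = ihl + thl;
    } else if (iph.ip_p == IPPROTO_UDP) {
        struct udphdr uh;
        if (total - ihl < sizeof uh) return -1;
        memcpy(&uh, buf + ihl, sizeof uh);
        size_t ulen = ntohs(uh.uh_ulen);                  /* uh_ulen covers header + data */
        if (ulen < sizeof uh || ulen > total - ihl) return -1;
        f->sport = ntohs(uh.uh_sport); f->dport = ntohs(uh.uh_dport);
        f->data_off = ihl + sizeof uh;
    } else return -1;
    f->data_len = total - f->data_off;
    return 0;
}

/* Constructed sample: IPv4/TCP datagram 172.24.32.14:5000 -> 172.24.32.15:5001
 * carrying `payload`; checksums are left zero since the filter does not verify them. */
size_t build_tcp_datagram(unsigned char *out, const char *payload) {
    size_t plen = strlen(payload), total = 40 + plen;
    unsigned char iph[20] = { 0x45, 0, (unsigned char)(total >> 8), (unsigned char)total,
        0, 1, 0, 0, 64, IPPROTO_TCP, 0, 0, 172, 24, 32, 14, 172, 24, 32, 15 };
    unsigned char tcp[20] = { 5000 >> 8, 5000 & 0xFF, 5001 >> 8, 5001 & 0xFF,
        0, 0, 0, 1, 0, 0, 0, 0, 0x50, TH_PUSH | TH_ACK, 0xFF, 0xFF, 0, 0, 0, 0 };
    memcpy(out, iph, 20); memcpy(out + 20, tcp, 20); memcpy(out + 40, payload, plen);
    return total;
}

int main(void) {
    unsigned char buf[128];
    struct fields f;
    size_t n = build_tcp_datagram(buf, "hello");
    if (extract_fields(buf, n, &f) == 0)
        printf("%08x:%u -> %08x:%u proto %d data %zu bytes at offset %zu\n",
               f.src, f.sport, f.dst, f.dport, f.proto, f.data_len, f.data_off);
    return 0;
}
```

A datagram whose ip_len or th_off points outside the received buffer, or that is a fragment, is rejected before any field is read, so the default-block behaviour of the second filter mode also covers malformed input rather than letting a bad length read past the packet.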

6.4 A Working Example

Consider the following set of laws specified to the router.

  Source        Port   Destination    Port   Action   Src mask flag   Dst mask flag   Protocol
  172.24.32.14  5000   172.24.32.15   5001   0        0               0               6
  172.24.0.0    5010   172.24.32.16   5011   2        1               0               17
  172.24.12.1   5000   172.24.0.0     5001   0        0               1               6

Restricted words: terrorist, bomb, suicide

Consider a TCP packet originating from the machine having IP address 172.24.32.14:5000 and destined for the machine 172.24.32.15:5001. The datagram is first routed to the firewall. At the router (which is running the firewall), the firewall extracts the required fields from the packet header. It then traverses the Law Tree according to the source IP. On traversal, we get a match at law 1. The action demanded by the law is to accept the packet; hence, the packet is forwarded to the destination and a message is sent to the source informing it that the datagram has been routed to the destination.

Now consider a UDP packet originating from the machine having IP address 172.24.32.14:5010 and destined for the machine 172.24.32.16:5011. At the router, a similar procedure to the one above is followed, with the exception that the src mask flag is set. This means that while traversing the Law Tree an internal node is matched which contains a non-empty list of laws that apply to all the addresses in the sub-tree rooted at this node. Hence, in this case the datagram is matched by law 2 and the desired action needs to be taken. The action field is set to 2, which implies that the packet is to be dropped and the source informed.

Now consider a TCP packet containing the word “terrorist” and originating from the machine having IP address 172.24.12.1:5000 destined for the machine 172.24.32.15:5001. Following the above guidelines, the packet is accepted by the router after packet-level filtering. The packet is then filtered by the content-based filter, which drops it as it matches the restricted word “terrorist”.
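The Law Tree of Section 6.2, the default block of the second filter mode and the content filter of Section 5, run over the three laws and the three packets of this working example, as an added example that is not the project's code. The numeric action codes (0 accept, 1 deny, 2 reject, following the order of Table 1), a /16 prefix for the masked 172.24.0.0 entries, exact port matching and the rule that the deepest matching Tree Node decides are assumptions made for this example; all function and type names are chosen here.

```c
/* Added example, not the project's code: the Law Tree of Section 6.2 with a law
 * list per Tree Node, the law match with the default block of the second filter
 * mode, and the content filter of Section 5, run over the laws of Section 6.4.
 * Assumed here: action codes 0/1/2 in the order of Table 1, a /16 prefix for the
 * masked 172.24.0.0 entries, exact port matching, deepest matching node wins. */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum action { ACCEPT = 0, DENY = 1, REJECT = 2 }; enum { PROTO_TCP = 6, PROTO_UDP = 17 };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct law {                   /* one record of Table 1 */
    uint32_t src, dst;         /* host byte order */
    int src_bits, dst_bits;    /* prefix length: 32 = host address, <32 = mask flag set */
    uint16_t sport, dport;
    int proto, action;
    struct law *next;          /* Law Node list of one Tree Node */
};
struct packet { uint32_t src, dst; uint16_t sport, dport; int proto;
                const unsigned char *data; size_t len; };
struct tnode { struct tnode *child[2]; struct law *laws; };   /* Tree Node */

/* Follow the first `bits` bits of addr from the root (0 = left, 1 = right), creating nodes. */
static struct tnode *tree_walk(struct tnode *root, uint32_t addr, int bits) {
    struct tnode *n = root;
    for (int i = 0; i < bits; i++) {
        int b = (addr >> (31 - i)) & 1;
        if (!n->child[b]) n->child[b] = calloc(1, sizeof *n);
        n = n->child[b];
    }
    return n;
}

/* A law is indexed by its source address prefix. */
static void law_insert(struct tnode *root, struct law *l) {
    struct tnode *n = tree_walk(root, l->src, l->src_bits);
    l->next = n->laws;
    n->laws = l;
}

static int in_prefix(uint32_t addr, uint32_t net, int bits) {
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (addr & mask) == (net & mask);
}

static const struct law *law_match(const struct law *l, const struct packet *p) {
    for (; l; l = l->next)
        if (l->proto == p->proto && l->sport == p->sport && l->dport == p->dport &&
            in_prefix(p->src, l->src, l->src_bits) && in_prefix(p->dst, l->dst, l->dst_bits))
            return l;
    return NULL;
}

/* Packet-level filter: walk down along the source address and test the law list
 * of every node passed, so a masked law at an internal node covers its whole
 * subtree. No match means the second mode's default: the datagram is blocked. */
int packet_filter(const struct tnode *root, const struct packet *p) {
    const struct tnode *n = root;
    int verdict = DENY;
    for (int i = 0; n; i++) {
        const struct law *l = law_match(n->laws, p);
        if (l) verdict = l->action;             /* deeper (more specific) match wins */
        if (i == 32) break;
        n = n->child[(p->src >> (31 - i)) & 1];
    }
    return verdict;
}

/* Content filter: case-insensitive search of the data section for a restricted
 * word (given in lower case). NUL bytes become spaces so that strstr sees the
 * whole payload instead of stopping at the first NUL. */
int content_filter(const unsigned char *data, size_t len, const char *const *words, int n) {
    char *low = malloc(len + 1);
    for (size_t i = 0; i < len; i++) low[i] = data[i] ? (char)tolower(data[i]) : ' ';
    low[len] = '\0';
    int hit = 0;
    for (int w = 0; w < n && !hit; w++) hit = strstr(low, words[w]) != NULL;
    free(low);
    return hit ? DENY : ACCEPT;
}
static const char *const restricted[] = { "terrorist", "bomb", "suicide" };

/* The order of the report: content filtering only after packet-level acceptance. */
int firewall(const struct tnode *root, const struct packet *p) {
    int v = packet_filter(root, p);
    return v == ACCEPT ? content_filter(p->data, p->len, restricted, 3) : v;
}

/* The three laws of Section 6.4 (a set mask flag taken as /16); build the tree once. */
struct tnode *build_example_tree(void) {
    static struct law laws[3] = {
        { IP4(172,24,32,14), IP4(172,24,32,15), 32, 32, 5000, 5001, PROTO_TCP, ACCEPT, NULL },
        { IP4(172,24,0,0),   IP4(172,24,32,16), 16, 32, 5010, 5011, PROTO_UDP, REJECT, NULL },
        { IP4(172,24,12,1),  IP4(172,24,0,0),   32, 16, 5000, 5001, PROTO_TCP, ACCEPT, NULL },
    };
    struct tnode *root = calloc(1, sizeof *root);
    for (int i = 0; i < 3; i++) law_insert(root, &laws[i]);
    return root;
}
```

With the tree from build_example_tree, the first packet of the example passes both filters, the second hits law 2 at the 172.24.0.0/16 node and is rejected, and the third is accepted by the packet filter but dropped by the content filter; a packet from a source with no law at all, say 10.0.0.1, walks off the tree at the root and gets the default block.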