Functional Relationship Network Architecture

A computer network, is referred to as a network, it is a harvest of computers and instruments interconnected via communication channels that enables communications among users and permits users to allocated resources. Networks may be classified according to a wide range of characteristics. A computer network permits sharing of resources and knowledge among interconnected devices.

Fig1:Block diagram of computer network

Connection method

Computer networks can be classified according to the hardware and software engineering that is accustomed to interconnect the individual devices in the network, such as optical fiber, Ethernet, wireless LAN.

Functional relationship (network architecture)

Computer networks may be classified according to the functional relationships which exist among the elements of the network, e.g., active networking, client-server and peer-to-peer architecture.

Network topology

Computer networks may be classified according to the network topology upon which the network is grounded, such as bus network, star network, ring network, mesh network. Network topology is the coordination by which tools in the network are organized in their rational family members to one another, independent of physical arrangement. Even if networked computers are physically placed in a linear arrangement and are joined combined to a hub, the network has a star topology, alternatively a bus topology. In this regard the visual and operational aspects of a network are distinct. Networks may be classified grounded on the process of knowledge adapted to carry the data; these include digital and analog networks.

Fig2. Mesh topology

Fig3. Star Topology

Fig4. Ring topology

What is a firewall?

Fig5. firewall

A firewall is a component of a computer system or network that is arranged to avoid unauthorized access where letting agent communications. It is a implement or set of tools that is configured to sanction or turn down network transmissions grounded upon a set of administers and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of two. Firewalls are commonly adapted to prevent unauthorized Internet users from accessing private networks joined combined to the Internet, especially intranets. All messages entering or withdrawing the intranet surpass through the firewall, which inspects each outcome and prevents those that do not find the specified protection criteria.

There are several types of firewall techniques:

Packet filter: Packet filtering checks each packet that is passing through the network and accepts or refuses it based on particular IP addresses that is user defined. Although difficult to configure, it is effective and mostly transparent to its users. It is vulnerable to Internet Protocol spoofing.

Fig6. Packet filters

This type of packet filtering pays no heed to if a packet is part of an older stream of traffic (i.e. it stores no information on connection “state”). Instead, it filters each packet based only on information contained in the packet itself .

TCP and UDP protocols consists most communication over the net, and because TCP and UDP traffic by convention uses well known ports for some types of traffic, a “stateless” packet filter can differentiate between, and hence control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), untill the machines on each side of the packet filter are both using the same non-standard ports.

Packet filtering firewalls work mainly on the initial three layers of the OSI reference model, which means most of the work is done in between the network and physical layers, with a little bit of peeking into the transport layer to find out source and destination port numbers. When a packet originates from the sender and filters through a firewall, the device finds matches to any of the packet filtering rules that are configured in the firewall and removes or rejects the packet accordingly. When the packet goes through the firewall, it checks the packet on a protocol/port number basis (GSS).

Application gateway: Applies security mechanisms to some applications, such as FTP server. This is effective, but can degrade the performance

Fig7.OSI reference model

The benefit of application layer filtering is that it can “understand” applications and protocols and it can also detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being used in any harmful way.

An application firewall more secure and reliable as compared to packet filter firewalls as it works on all 7 layers of the OSI reference model, from the application to the physical layer. This is similar to a packet filter firewall but here it also filters information on the basis of content.

In 2009/2010 the focus of the best comprehensive firewall security vendors turned to expanding the list of applications such firewalls are aware of now covering hundreds and in some cases thousands of applications which can be identified automatically. Many of these applications can not only be blocked or allowed but copied by the more advanced firewall products to allow only certain functionally enabling network security administrations to give users functionality without enabling unnecessary vulnerabilities. As a consequence these advanced versions of the “Second Generation” firewalls are being referred to as “Next Generation” and bypass the “Third Generation” firewall. It is expected that due to malicious communications this trend will have to continue to enable organizations to be truly secure.

Third generation: “stateful” filters

Fig8. Stateful filter

Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections going through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of defined rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.

This type of firewall can actually be exploited by certain Denial-of-service attacks which can fill the connections with illegitimate connections.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been done, packets can go between the hosts without checking further.

Stateful filters

Fig8. Stateful filter

Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each packet within the packet series. This technology is referred to as a stateful packet inspection as it maintains records of all connections going through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.

This type of firewall can actually be abused by some Denial-of-service attacks which can fill the connection tables with false connections.

Proxy servers

Checks all messages entering and leaving the network. The proxy server hides the right network addresses.

Fig9.Proxy server

In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, asking for some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server processes the request according to its filtering rules. For example, it may filter traffic by IP address. If the request is passed by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may alter the client’s request or the server’s response, and sometimes it may pass the request without contacting the specified server. In this case, it ‘caches’ responses from the remote server, and sends back subsequent requests for the same content directly.

Types of proxy

Forward proxies

Fig10.Forward proxies

A forward proxy taking requests from an internal network and forwarding them to the Internet.

Forward proxies are proxies where the client server names the target server to connect to. Forward proxies are able to get from a wide range of sources.

The terms “forward proxy” and “forwarding proxy” are a general description of behavior (forwarding traffic) and hence ambiguous. Except for Reverse proxy, the types of proxies described on this article are more specialized sub-types of the general forward proxy concepts.

Open proxies

Fig11.Open proxies

An open proxy forwarding requests from and to anywhere on the Internet.

An open proxy is a forward proxy server that is accessible by any Internet user. Gordon Lyon estimates there are “hundreds of thousands” of open proxies on the Internet. An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services.

Reverse proxies

Fig12.Reverse proxies

A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.

A reverse proxy is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more origin servers which handle the request. The response is returned as if it came directly from the proxy server.

Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the web servers goes through the proxy server. The use of “reverse” originates in its counterpart “forward proxy” since the reverse proxy sits closer to the web server and serves only a restricted set of websites.

There are several reasons for installing reverse proxy servers:

Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. See Secure Sockets Layer. Furthermore, a host can provide a single “SSL proxy” to provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.

Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).

Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.

Compression: the proxy server can optimize and compress the content to speed up the load time.

Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly “spoon feeding” it to the client. This especially benefits dynamically generated pages.

Security: the proxy server is an additional layer of defense and can protect against some OS and Web Server specific attacks. However, it does not provide any protection to attacks against the web application or service itself, which is generally considered the larger threat.

Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

VPN

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization’s network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization.

It encapsulates data transfers between two or more networked devices which are not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.

Fig13 VPN

Vulnerabilities:-

Unauthorized access:

This simply means that people who shouldn’t use your computer services are able to connect and use them. For example, people outside your company might try to connect to your company accounting machine or to your network file server. There are various ways to avoid this attack by carefully specifying who can gain access through these services. You can prevent network access to all except the intended users.

Exploitation of known weaknesses:

Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example. The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the software.

Denial of service: Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagram’s that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It’s useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

Spoofing: This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by following IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. To protect against this type of attack, verify the authenticity of datagram’s and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

Eavesdropping: This is the simplest type of attack. A host is configured to “listen” to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack

Here are a few examples of firewalls :-

Untangle

Fortiguard

Netnanny

Websense

ClearOS

These firewalls can be affected by the above vulnerabilities.

One way how a firewall/web filter can be bypassed is by using VPN.

As studied above we can VPN to some external network and use that network.

So we can bypass the firewall by doing VPN to a remote network and using its default gateway.

Below are the precise steps how to setup a VPN server, Client, AD and LB configurations.

Complete VPN Configuration

Below is the complete procedure on how to setup VPN server and client side

Note:- Windows XP and Windows 7 both have the capability to act as VPN servers

VPN Server Configuration

Open Network connections and follow the below :-

Click next on the welcome page

Select the options highlighted in the below snags :-

Once you have followed the steps above you are done with the server side configuration.

VPN Client Configuration

Below snags show the client side configuration

Once the above steps are followed the client side is also setup

The work is still not over

Port Forward

Port needs to be forwarded from the modem/LB etc

Follow the instructions below to get it rolling :-

Dial in Rights on AD

The final step is to give the user permissions to VPN

First RDP to the AD

Login

Open Active Directory

Find the user and go in properties

Follow the snag it once the above is done :-

The best firewall:-

According to the first hand experience we found Untangle to be the best firewall as it is free and has a host of functions too.

Below is a screenshot of the untangle dashboard:-

Fig14. Untangle dashboard

Conclusion:-

Our aim was to explain what a firewall is and expose a few vulnerabilities in it. We have studied how a firewall works, it’s architecture, types of firewalls and vulnerabilities. We have thus compared the firewalls on various parameters and have concluded that Untangle is the best firewall with reference to the features and cost of it.