

Showing posts with label Network layer.

Tuesday, October 1, 2013

How can firewalls secure a network?

Firewalls are implemented in software, in hardware, or as a combination of the two, but they all have the same purpose: controlling the traffic that enters and leaves a network.
This article discusses how firewalls secure a network.
The control is exercised by analysing the data packets.
- After analysis, the firewall decides whether to let a packet pass or to drop it.
- The decision is taken according to a set of rules.
- With this rule set the firewall establishes a barrier between the external network, which is not considered secure or trusted, and the internal network, which is treated as trusted (a working assumption; hosts inside the barrier still need their own protection).
- Most personal computer operating systems come with a built-in software firewall that protects the host against threats from external networks.
- Firewall components may also be installed on intermediate routers in the network.
- Some firewalls are also designed to perform routing.

There are different types of firewalls, and they function differently. The classification is based on the layer at which the firewall inspects the communication, i.e. the network layer or the application layer.

Packet filters (network layer): 
- Firewalls that work at the network layer are usually called packet filters. 
- A packet filter operates low in the TCP/IP protocol stack and does not let a packet through unless it satisfies the rules; these rules are defined by the firewall administrator. 
- Packet filters can be further divided into stateless firewalls and stateful firewalls.
- Stateless firewalls use less memory and are faster for simple filtering, so each packet is processed quickly. 
- They are suited to filtering stateless network protocols, i.e. protocols that have no notion of a session. 
- They cannot make more complex decisions based on the state of the communication: each packet is judged on its own header fields. A stateless rule that recognises return traffic only by the ACK flag can be satisfied by any crafted packet with that flag set, which is the main reason stateful filters are preferred. 
- Stateful firewalls maintain the context of the active sessions. 
- This state information speeds up packet processing: a packet belonging to an already accepted connection is passed without being run through the full ruleset again. 
- A connection is identified by properties such as the IP addresses, the TCP or UDP ports, and so on. 
- If a packet matches an existing connection it is allowed to pass; if not, it is evaluated against the rules, and a new connection entry is created when it is accepted. 
- Today's firewalls can filter packets on attributes such as source and destination IP address, protocol, the originator's netblock, TTL values and so on.

Application layer firewalls: 
- Firewalls of this type work at the application level of the TCP/IP stack. 
- All packets travelling to or from an application are intercepted by this firewall, and packets that do not belong to an allowed application are blocked. 
- The packets are inspected for malicious content, which helps prevent the spread of trojans and worms. 
- This deeper inspection adds latency to packet forwarding. 
- A firewall of this kind also determines whether a given process may accept a connection. 
- It does so by hooking into the socket calls and filtering connections there; application layer firewalls working this way are called socket filters.
- They work much like packet filters, except that the rules are applied per process rather than per connection. 
- For a process that has no rule yet, the rule is typically defined by prompting the user when it first attempts a connection. 
- These firewalls are normally deployed in combination with packet filters.




Saturday, August 31, 2013

What is the difference between leaky bucket algorithm and token bucket algorithm?

- Telecommunications networks and packet-switched computer networks use the leaky bucket algorithm to check data transmissions, in the form of packets, against defined limits. 

About Leaky Bucket Algorithm
- The algorithm determines whether data transmissions conform to the limits defined for bandwidth and burstiness. 
- Leaky bucket counters use the same algorithm to detect whether the peak or average rate of random events or processes exceeds predefined limits. 
- We use the analogy of a bucket to explain the algorithm.
- Consider a bucket with a hole in its bottom through which water leaks away. 
- The rate of leakage is constant as long as the bucket is not empty. 
- Water can be added intermittently, i.e. in short bursts. 
- But if a large amount of water is added in one go, it exceeds the bucket's capacity and the bucket overflows. 
- The algorithm therefore determines whether adding a given amount of water stays within the average rate or exceeds it. 
- The leak rate sets the average rate at which water can be added, and the depth of the bucket sets how much can be added in a single burst. 
- Asynchronous transfer mode (ATM) networks use the generic cell rate algorithm, which is a version of the leaky bucket algorithm. 
- At user-network interfaces it is used for usage/network parameter control. 
- It is also used at network-network and inter-network interfaces to protect networks from overwhelming traffic levels on the connections passing through them. 
- A network interface card on an ATM network can shape its transmissions using the generic cell rate algorithm or an equivalent of it.
- The leaky bucket algorithm can be implemented in two different ways, both of which appear in the literature. 
- It therefore looks as if two distinct algorithms go by the name leaky bucket algorithm.

About Token Bucket Algorithm

- The token bucket algorithm adds a token to the bucket every 1/r seconds. 
- The bucket holds at most b tokens. 
- Any token arriving when the bucket is full is discarded. 
- When a packet of n bytes arrives from the network layer, n tokens are removed from the bucket and the packet is sent into the network. 
- If fewer than n tokens are available, the packet is treated as non-conformant (it may be dropped, queued until enough tokens accumulate, or marked). 
- In the leaky bucket version used as a meter, a bucket of fixed capacity is associated with a virtual user and leaks at a fixed rate. 
- No leakage occurs when the bucket is empty. 
- Each conformant packet adds an amount of water to the bucket. 
- If adding that amount would make the bucket exceed its capacity, no water is added and the packet is non-conformant. 
- So one algorithm constantly adds to the bucket and removes from it for conforming packets, while the other constantly removes from the bucket and adds to it for conforming packets. 
- The two algorithms are mirror images of each other and equally effective: they classify exactly the same packets as conforming or non-conforming. 
- The leaky bucket algorithm is often used as a meter. 
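The two meters side by side, as an added example (this is not code from the original post): a token bucket and a leaky bucket are run over the same constructed packet trace with the same rate r (bytes per second) and burst b (bytes), and the two verdict lists come out identical. The class names, the trace and the parameter values are assumptions made for the example; time is passed in explicitly so the run is deterministic.

```python
"""Token bucket and leaky-bucket meter over one constructed trace.
Added example, not from the original post.  r is in bytes/second, b in bytes."""


class TokenBucket:
    """Tokens accrue at rate r up to b; a packet of n bytes consumes n tokens."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = burst        # the bucket starts full
        self.last = 0.0

    def conforms(self, now: float, size: int) -> bool:
        # Credit tokens for the elapsed time, capped at the bucket size b.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False               # non-conformant: nothing is removed


class LeakyBucketMeter:
    """Mirror image: water leaks at rate r; a conforming packet of n bytes adds n."""

    def __init__(self, rate: float, depth: float) -> None:
        self.rate, self.depth = rate, depth
        self.level = 0.0           # the bucket starts empty
        self.last = 0.0

    def conforms(self, now: float, size: int) -> bool:
        # Leak for the elapsed time; an empty bucket stays at zero.
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + size <= self.depth:
            self.level += size
            return True
        return False               # would overflow: nothing is added


# Constructed trace: (arrival time in seconds, packet size in bytes).
# Three back-to-back 400-byte packets exceed a 1000-byte burst; later packets
# are judged against what the bucket has recovered in the meantime.
TRACE = [(0.0, 400), (0.0, 400), (0.0, 400), (0.5, 600),
         (1.0, 100), (1.0, 900), (3.0, 1000)]


def classify(meter, trace=TRACE):
    """Return one conforming/non-conforming verdict per packet in the trace."""
    return [meter.conforms(t, n) for t, n in trace]


if __name__ == "__main__":
    print("token bucket :", classify(TokenBucket(rate=1000, burst=1000)))
    print("leaky bucket :", classify(LeakyBucketMeter(rate=1000, depth=1000)))
```

With r = 1000 B/s and b = 1000 B both meters reject the third packet of the initial burst and the 900-byte packet at t = 1.0, and accept everything else; any trace you substitute gives the same agreement, which is the equivalence the post describes.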


Wednesday, July 17, 2013

What are network layer design issues?

- The network layer, i.e. the third layer of the OSI model, is responsible for moving individual pieces of data between hosts across the network. 
- This exchange takes place only between end devices that have been identified by addresses. 
For accomplishing this task, 4 processes are used by the network layer and these are:
Ø  Addressing
Ø  Encapsulation
Ø  Routing
Ø  Decapsulation
In this article we focus up on the design issues of the network layer. 

- To accomplish this, the network layer also needs to know the topology of the communication subnet and select appropriate routes through it. 
- It must also choose routes that do not overload some routers and communication lines while leaving others idle.

Below mentioned are some of the major issues with the network layer design:
  1. Services provided to the layer 4 i.e., the transport layer.
  2. Implementation of the services that are connection oriented.
  3. Store – and  - forward packet switching
  4. Implementation of the services that are not connection oriented.
  5. Comparison of the data-gram sub-nets and the virtual circuits.
- The sending host transmits the packet to the nearest router, either over a point-to-point carrier link or over a LAN. 
- The router stores the packet until it has arrived completely so that the checksum can be verified. 
- Once verified, the packet is forwarded to the next router along the path. 
- This continues until the packet reaches its destination. 
- This mechanism is called store-and-forward packet switching.

The services that are provided to the transport layer are designed based up on the following goals:
  1. They should be independent of the router technology.
  2. Shielding from the type, number and topology of the routers must be provided to the transport layer.
  3. The network addresses that are provided to the transport layer must exhibit a uniform numbering plan irrespective of whether it’s a LAN or a WAN.
Depending on the type of service offered, two different organizations are possible.

Offered service is Connection-less: 
- The packets are individually introduced in to the sub-net and the routing of the packets is done independently of each other. 
- It does not require any advance set up. 
- The sub-net is referred to as the data gram sub-net and the packets are called data-grams.

Offered service is connection-oriented: 
- In this case a route between the source and the destination must be established before packet transmission begins. 
- The connection is called a virtual circuit and the subnet a "virtual circuit subnet", or simply a VC subnet.

- The basic idea behind virtual circuits is to avoid choosing a new route for every packet. 
- When a connection is established, a route from source to destination is selected. 
- This selection is part of the connection setup. 
- The route is stored in tables managed by the routers and used by all traffic that follows on that connection. 
- When the connection is released, the virtual circuit is terminated and its table entries are removed. 
- With connection-oriented service each packet carries an identifier that tells the routers which virtual circuit it belongs to.

- A datagram subnet requires no circuit setup, whereas a VC subnet does. 
- Routers in a datagram subnet hold no per-connection state, whereas in a VC subnet every router on the path needs a table entry for each VC. 


Tuesday, July 16, 2013

What are the characteristics of network layer?

- The network layer is the third layer of the OSI model. 
- Its duty is to forward and route packets via intermediate routers. 
- It provides the functional and procedural means for transferring variable-length data sequences from a source host to a destination host across one or more networks. 
- During the transfer it is also responsible for maintaining the quality of service. 

There are many other functions of this layer such as:

Ø Connection-less communication: In IP, a datagram can be sent from one host to another without the receiving host having to acknowledge it. Connection-oriented protocols are used at higher layers of the OSI model.

Ø  Host addressing: Every host in the network is assigned a unique address that determines its location. The addresses are assigned hierarchically and are known as IP (Internet Protocol) addresses.

Ø  Message forwarding: Networks are often divided into a number of sub-networks, which are then connected to other networks to allow wide-area communication. Specialized hosts called routers or gateways forward packets from one network to another.

Characteristics of Network Layer

Encapsulation:
- One of the characteristics of the network layer is encapsulation. 
- The network layer must provide encapsulation. 
- Devices must be identified by addresses, and the network layer PDUs must carry those addresses. 
- During encapsulation, the layer 4 PDU is handed down to layer 3. 
- A layer 3 header is added to it to create the layer 3 PDU. 
- At the network layer this PDU is called a packet. 
- When the packet is created, the address of the receiving host is placed in the header; this is the destination address. 
- The address of the sending host is stored in the header as well; this is the source address. 
- Once encapsulation is complete, layer 3 passes the packet to the data link layer, which prepares it for transmission over the communication medium.

Routing: 
- This characteristic covers the services the network layer provides for directing packets to their destination addresses. 
- The source and destination hosts need not be connected to the same network.
- In fact, a packet may have to cross a number of networks before reaching its destination. 
- On this journey the packet must be guided towards the proper address, and this is where routers come into play. 
- They select the paths that guide packets to their destination; this is called routing. 
- While being routed, a packet may traverse a number of devices.
- Each leg of the route, from one device to the next, is called a "hop". 
- The packet's payload stays intact until it reaches the destination host; only header fields such as the TTL are updated at each hop.


De-capsulation: 
- When the packet arrives at the destination address, it is handed to layer 3 for processing. 
- The host examines the destination address to verify whether the packet is meant for it. 
- If the address matches, decapsulation is carried out at the network layer. 
- The network layer then passes the layer 4 PDU up to the transport layer for further processing. 
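Encapsulation, one forwarding hop and decapsulation in working code, as an added example (not code from the original post): a minimal IPv4 header is built around a layer 4 PDU together with its checksum, a router decrements the TTL and recomputes the checksum while leaving the payload untouched, and the destination host accepts the packet only if the header checksum verifies and the destination address is its own. The function names, the sample addresses and the payload are assumptions of the example.

```python
"""IPv4 encapsulation, one router hop and decapsulation.
Added example, not code from the original post.  Addresses and payload are
constructed for the demonstration."""
import ipaddress
import struct
from typing import Optional, Tuple

IPV4_HDR = "!BBHHHBBH4s4s"    # 20-byte fixed header, network byte order, no options


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src: str, dst: str, proto: int, l4_pdu: bytes,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Layer 3 encapsulation: prepend a header carrying the source and
    destination addresses to the layer 4 PDU; the result is the packet."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(l4_pdu), ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill the checksum field
    return hdr + l4_pdu


def forward_hop(packet: bytes) -> Optional[bytes]:
    """What a router does per hop: decrement the TTL, recompute the header
    checksum, leave the payload untouched.  None means the TTL expired and the
    packet is dropped."""
    hdr = bytearray(packet[:20])
    if hdr[8] <= 1:
        return None
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def decapsulate(packet: bytes, my_addr: str) -> Optional[Tuple[str, int, bytes]]:
    """Destination host: verify the header, check that the packet is addressed
    to us, strip the header and return (source address, protocol, layer 4 PDU).
    None means the packet is malformed, corrupted or not for this host."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None
    if checksum(packet[:ihl]) != 0:        # a valid header sums to zero including its checksum
        return None
    if ipaddress.IPv4Address(dst) != ipaddress.IPv4Address(my_addr):
        return None                        # not ours: a host drops it, a router would forward it
    return str(ipaddress.IPv4Address(src)), proto, packet[ihl:total_len]


if __name__ == "__main__":
    pkt = encapsulate("10.0.0.1", "10.0.0.2", 17, b"hello")   # 17 = UDP
    hop = forward_hop(pkt)
    print(pkt.hex())
    print(decapsulate(hop, "10.0.0.2"))
```

A packet whose header is corrupted in transit, or that is not addressed to the host, is rejected by decapsulate() before any payload reaches layer 4; the hop function shows that only the TTL and checksum change between routers while the payload bytes are carried through unchanged.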


Wednesday, July 10, 2013

Explain the concept of piggybacking?

- Piggybacking is a well-known technique used in data transmission between two stations that exchange frames in both directions; it is classically described at the data link layer of the OSI model. 
- It is useful when most frames travelling from the receiver back to the emitter can carry data as well. 
- It attaches to an outgoing data frame the confirmation that the receiver owes for a data frame it has successfully received. 
- This confirmation is called the ACK, or acknowledgement. 
- In practice, the ACK is piggybacked on a data frame rather than being sent separately in a frame of its own. 

Principle behind Piggybacking
- Piggybacking should not be confused with the sliding window protocols that are also used in the OSI model; it is an optimization those protocols can use. 
- In piggybacking, an additional field for the ACK is incorporated into the data frame itself. 
- The only difference from a frame without piggybacking is this extra acknowledgement field.
- Whenever data has to be sent from one party to the other, it is sent along with the ACK field. 

Piggybacked data transfer is governed by the following three rules:
Ø  If party A has both data and an acknowledgement to send, it includes both in the same frame.
Ø  If party A has only an acknowledgement to send, it uses a separate frame, i.e. a bare ACK frame.
Ø  If party A has only data to send, the ACK field is still included in the data frame and transmitted with it; it repeats the last acknowledgement, and this duplicate ACK is simply ignored by the receiving party B.

- The advantage of this technique is improved efficiency: fewer frames are sent, so less bandwidth is spent on frame headers. 
- The disadvantage is that acknowledgements can be delayed indefinitely if the receiving party has no data to send. 
- Starting a receiver timeout, by means of a counter, at the moment a party receives a data frame solves this problem to a great extent. 
- If the timeout expires and there is still no data to send, the receiver sends a bare ACK control frame. 
- The sender also runs a counter called the emitter timeout; if it expires without a confirmation from the receiver, the sender assumes the data frame was lost on the way and retransmits it.
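The three rules and the receiver timeout in a small simulation, as an added example (not code from the original post): two stations exchange frames over a lossless channel, every data frame carries the ACK field, and a bare ACK frame is sent only after a station has waited ACK_TIMEOUT ticks for data of its own. The emitter timeout and retransmission are left out, since the channel never loses anything. Station names, sequence numbering and the traffic are assumptions made for the example.

```python
"""Piggybacked acknowledgements between two stations.
Added example, not from the original post.  Lossless channel, so no
retransmission; the traffic is constructed for the demonstration."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frame:
    kind: str            # "DATA" or "ACK"
    seq: Optional[int]   # sequence number of carried data, None for a bare ACK
    ack: int             # last in-order seq received from the peer (-1 = none yet)
    data: bytes = b""


class Station:
    ACK_TIMEOUT = 2      # receiver timeout (in ticks) before a bare ACK is sent

    def __init__(self, name: str, outgoing: List[bytes]) -> None:
        self.name = name
        self.outgoing = deque(outgoing)
        self.next_seq = 0
        self.peer_acked = -1      # highest of our seqs the peer has acknowledged
        self.expected = 0         # next seq we expect from the peer
        self.ack_pending = False  # do we owe the peer an acknowledgement?
        self.ack_wait = 0
        self.received: List[bytes] = []

    def receive(self, f: Frame) -> None:
        if f.seq is not None and f.seq == self.expected:
            self.received.append(f.data)
            self.expected += 1
            self.ack_pending = True
            self.ack_wait = 0
        if f.ack > self.peer_acked:   # a repeated (piggybacked) ack is simply ignored
            self.peer_acked = f.ack

    def send(self) -> Optional[Frame]:
        last_ack = self.expected - 1
        if self.outgoing:             # rules 1 and 3: data goes out with the ACK field filled in
            f = Frame("DATA", self.next_seq, last_ack, self.outgoing.popleft())
            self.next_seq += 1
            self.ack_pending = False
            return f
        if self.ack_pending:          # rule 2: no data; wait, then send a bare ACK
            self.ack_wait += 1
            if self.ack_wait >= self.ACK_TIMEOUT:
                self.ack_pending = False
                return Frame("ACK", None, last_ack)
        return None


def run(a_data: List[bytes], b_data: List[bytes],
        ticks: int = 6) -> List[Tuple[int, str, str, Optional[int], int]]:
    """Simulate and return a log of (tick, sender, kind, seq, ack) for every frame sent."""
    a, b = Station("A", a_data), Station("B", b_data)
    log = []
    for t in range(1, ticks + 1):
        for tx, rx in ((a, b), (b, a)):
            f = tx.send()
            if f is not None:
                log.append((t, tx.name, f.kind, f.seq, f.ack))
                rx.receive(f)         # lossless channel: delivered at once
    return log


if __name__ == "__main__":
    for entry in run([b"a1", b"a2", b"a3"], [b"b1"]):
        print(entry)
```

With A holding three frames of data and B only one, B's acknowledgement of a1 rides on its own data frame (rule 1), A's later frames repeat ack 0 and B ignores the duplicates (rule 3), and only the final acknowledgement needs a bare ACK frame after the timeout (rule 2): five frames on the wire instead of the eight a separate ACK per data frame would cost.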

- The term piggybacking is also used for Internet access.
- There it refers to establishing a wireless Internet connection through another subscriber's wireless access service without that subscriber's explicit permission. 
- This practice is the subject of ethical and legal controversy, and it is treated differently by jurisdictions around the world. 
- In some places it is regulated or outright illegal, while in others it is allowed.  
- Customers of a business that provides hotspot service, such as a cafe or hotel, are not considered to be piggybacking, though non-customers who are merely in range may be. Many such locations provide the service for a fee. 


Thursday, January 5, 2012

What are different aspects of network testing?

A network is an interconnected collection of computers and hardware components linked by communication channels that share data and resources. Computers are said to be interconnected if they can share data and information. They are said to be autonomous because no computer can start, stop or control another.

NEED OF NETWORK
- A network is needed for resource sharing: all programs, data and peripherals can be made available to anyone on the network regardless of the physical location of the resource or the user.
- It provides reliability: a file can have copies on two or three different machines, so if one is unavailable the other copies can be used.
- It also affects cost: personal computers have a far better price/performance ratio than large central machines.
- Using a network, managers working far apart can prepare a financial report for the company together.
- Changes made at one end are visible at the other, which speeds up cooperation.

Networks also have disadvantages.
- A network makes systems more sophisticated and complex to run.
- This adds to costs, and specialist staff may be needed to run the network.
- If software and files are held centrally, it may be impossible to do any work when the central server fails.
- If a network is badly managed, services can become unusable and productivity falls.
- File security becomes more important, especially when connected to a WAN, e.g. protection from viruses.

Network testing is done with various tools that help test switches, routers, servers and other network components. It aims to determine the strength and integrity of the network.


- Network testing methodology covers both networking equipment and live networks.
- Network testing requires the network to adhere to networking standards.
- Whether testers are checking the network for interoperability, scalability, performance or protocol conformance, they rely on network testing for in-depth and unbiased results.

Speed testing is another aspect of network testing.
- A speed test can verify whether the Internet service provider is delivering the connection speed it promised.
- Network equipment today faces validation challenges.
- There is a pressing need to improve the quality and performance of the core product.
- As network complexity keeps increasing, network testing becomes more intricate and time consuming.

There are certain problems that arise while performing the network test. They have been listed below:


- The complex combination of software, firmware and hardware components makes it very difficult to test a device as a single integrated system; such cases often require manual intervention.
- The streamlining of remote manufacturing processes makes the testing process more complicated and makes it harder to meet market requirements on time.
- Network testing across a wide variety of scripts, test equipment and network protocols requires complex configuration and long setup.

Whether the network under test is a WAN (wide area network), LAN (local area network), VPN (virtual private network), a data centre product or another networking device, network testing overcomes its validation challenges while increasing test automation coverage and greatly reducing testing overhead, cost and time.

Automated network testing setups are available today. They significantly reduce test duration, improve coverage and optimize test operations. Such setups offer complete automation and configuration of the test before it runs. The test cases created conform to standards and provide maximum flexibility and reusability.


Friday, July 31, 2009

Quick Tech Tip: Overview Of The Network Layer

The network layer provides services to the transport layer through virtual circuits or datagrams. In both cases, its main job is routing packets from the source to the destination. In virtual circuit subnets, a routing decision is made when the virtual circuit is set up. In datagram subnets, it is made on every packet.
Many routing algorithms are used in computer networks. Static algorithms include shortest path routing, flooding, and flow-based routing. Dynamic algorithms include distance vector routing and link state routing. Most actual networks use one of these. Other important routing techniques are hierarchical routing, routing for mobile hosts, broadcast routing, and multicast routing.
Subnets can become congested, increasing the delay and lowering the throughput for packets. Techniques for preventing congestion include traffic shaping, flow specifications and bandwidth reservation. If congestion does occur, it must be dealt with: choke packets can be sent back, load can be shed, and other methods applied.
Networks differ in various ways, so problems can occur when multiple networks are connected together. Sometimes the problems can be finessed by tunnelling a packet through a hostile network, but if the source and destination networks are different, this approach fails. Fragmentation may be needed when networks have different maximum packet sizes.
The Internet has a rich variety of protocols related to the network layer: the data protocol IP, the control protocols ICMP, ARP and RARP, and the routing protocols OSPF and BGP. The Internet is running out of IPv4 addresses, so a new version of IP, IPv6, has been developed.
Unlike the datagram-based Internet, ATM networks use virtual circuits internally. A circuit must be set up before data can be transferred and torn down after transmission is complete. Quality of service and congestion control are major issues in ATM networks.


Friday, July 24, 2009

Introduction to Firewalls

A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in hardware, in software, or as a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from reaching private networks connected to the Internet. All data entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Firewalls can greatly enhance the security of a host or a network. They can be used to do one or more of the following things:
* To protect and insulate the applications, services and machines of your internal network from unwanted traffic coming in from the public Internet.
* To limit or disable access from hosts of the internal network to services of the public Internet.
* To support network address translation (NAT), which allows your internal network to use private IP addresses and share a single connection to the public Internet (either with a single IP address or by a shared pool of automatically assigned public addresses).


FIREWALL CONCEPTS
There are two basic ways to build a firewall ruleset: "inclusive" or "exclusive". An exclusive firewall allows all traffic through except the traffic matching the ruleset. An inclusive firewall allows through only the traffic matching the ruleset and blocks everything else. The inclusive approach offers much better control of outgoing traffic, making it a better choice for systems that offer services to the public Internet. It also controls which traffic originating from the public Internet can reach your private network. All traffic that does not match the rules is blocked and logged by design.
Inclusive (default-deny) firewalls are generally safer than exclusive firewalls because they significantly reduce the risk of letting unwanted traffic through: a service nobody remembered to list is blocked rather than exposed.

HOW FIREWALLS WORK?
A firewall, working closely with a router program, examines each network packet to determine whether to forward it towards its destination. A firewall often includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed on a specially designated computer separate from the rest of the network so that no incoming request can reach private network resources directly.
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
* Packet filtering - Packets are checked against a set of filters. Packets that pass the filters are sent on to the requesting system; all others are discarded.
* Proxy service - Information from the Internet is retrieved by the firewall and then passed to the requesting system, and vice versa; the internal host never talks to the outside directly.
* Stateful inspection - Key parts of each packet are compared with a table of trusted connections. Information travelling from inside the firewall to the outside is monitored for its defining characteristics (addresses, ports, connection state), and incoming packets are compared with them. If there is a reasonable match, the packet is allowed through; otherwise it is discarded.
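Both ruleset styles and stateful inspection in one small filter simulator, as an added example that is not code from this post or from the 2013 post "How can firewalls secure a network?" above, which it also illustrates. An inclusive (default-deny) ruleset for a stateless filter has to recognise return traffic by the TCP ACK flag alone, so a forged ACK segment aimed at an unlisted internal service slips through; the stateful variant admits inbound packets only for connections it saw opened from inside, and the exclusive (default-accept) ruleset lets unsolicited UDP in because nothing lists it. The class names, the 10.0.0.0/24 "inside" network, the rules and the packet trace are all constructed for the example.

```python
"""Inclusive vs exclusive rulesets, stateless vs stateful filtering.
Added example, not from the original posts.  Addresses, rules and packets
are constructed for the demonstration; hosts in 10.0.0.0/24 are "inside"."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (towards the protected network) or "out"
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ack: Optional[bool] = None     # match on the TCP ACK flag; None = don't care
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport)
                and (self.ack is None or p.ack == self.ack))


class StatelessFilter:
    """First matching rule wins; the default action applies when no rule matches."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        self.rules, self.default = rules, default
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        self.log.append(f"{self.default} by default: {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return self.default


class StatefulFilter(StatelessFilter):
    """Remembers connections opened from inside and admits their return traffic
    without consulting the rules; everything else goes through the ruleset."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        super().__init__(rules, default)
        self.conns = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "accept"                      # reply to a tracked connection: fast path
        verdict = super().decide(p)
        if verdict == "accept" and p.direction == "out" and (p.proto != "tcp" or p.syn):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))   # new outbound connection
        return verdict


INSIDE = "10.0.0.0/24"
# Inclusive (default deny) ruleset for a stateless filter: return traffic can only
# be recognised by the ACK flag, which any forged packet can set.
INCLUSIVE_STATELESS = [
    Rule("out", "tcp"),
    Rule("in", "tcp", INSIDE, ack=True),          # the "established" heuristic
    Rule("in", "tcp", INSIDE, dport=443),         # public web service
]
# The stateful filter needs no ACK heuristic: replies come from the connection table.
INCLUSIVE_STATEFUL = [Rule("out", "tcp"), Rule("in", "tcp", INSIDE, dport=443)]
# Exclusive (default accept) ruleset: blocks only what it lists.
EXCLUSIVE = [Rule("in", "tcp", INSIDE, dport=22, action="drop")]

TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, syn=True),            # inside opens HTTPS
    Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True),   # the reply
    Packet("in", "tcp", "198.51.100.9", 12345, "10.0.0.5", 22, ack=True),             # forged ACK to SSH
    Packet("in", "tcp", "198.51.100.9", 5555, "10.0.0.80", 443, syn=True),            # client to web server
    Packet("in", "udp", "198.51.100.9", 53, "10.0.0.5", 5353),                        # unsolicited UDP
    Packet("in", "tcp", "198.51.100.9", 5555, "10.0.0.80", 22, syn=True),             # SSH probe
]


def run_trace(fw: StatelessFilter, trace: List[Packet] = TRACE) -> List[str]:
    """Return the verdict for each packet of the trace, in order."""
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for name, fw in (("stateless inclusive", StatelessFilter(INCLUSIVE_STATELESS, "drop")),
                     ("stateful inclusive", StatefulFilter(INCLUSIVE_STATEFUL, "drop")),
                     ("exclusive", StatelessFilter(EXCLUSIVE, "accept"))):
        print(f"{name:20s}", run_trace(fw))
```

Only the stateful filter drops the third packet: it has no entry for a connection between 10.0.0.5:22 and 198.51.100.9:12345, and no rule admits port 22. The exclusive ruleset accepts the unsolicited UDP packet simply because no rule mentions it, which is the exposure the post warns about.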


Introduction to Packet Fragmentation

Each network imposes some maximum size on its packets. Network designers are not free to choose any maximum they wish; it is constrained by the hardware, the operating system, the protocols, compliance with some (inter)national standard, the desire to keep error-induced retransmissions to an acceptable level, and the desire to prevent one packet from occupying the channel for too long.
Packets larger than the allowable MTU (maximum transmission unit) must be divided into multiple smaller packets, or fragments, to traverse the network.
If a packet about to be sent (for example over an Ethernet link) is bigger than the link's MTU, the router about to send it fragments the packet, i.e. splits it into smaller pieces (fragments) that are each small enough to be transmitted over the link. When the fragments arrive at their destination, that computer reassembles them to recover the original message, assuming none of the fragments are lost in transit.

How can fragmentation be avoided?
If the "don't fragment" (DF) flag is set in an IPv4 packet and a router needs to send it over a link for which it is too large, the router does not send the packet at all. Instead it sends an ICMP error message (Destination Unreachable, Fragmentation Needed) back to the sender, reporting the MTU of the link. The sender can respond by sending smaller packets. This is known as "path MTU discovery". If those ICMP messages are filtered somewhere along the path, the sender never learns the smaller MTU and its large DF packets silently disappear (a "PMTU black hole").

Strategies for recombining fragments:
- Transparent fragmentation: When an oversized packet arrives at a gateway, the gateway breaks it into smaller fragments, each addressed to the same exit gateway, where the pieces are recombined. The passage through the small-packet network is thus transparent to the networks on either side.
Benefits: Packets stay large on the higher-capacity links, and subsequent networks never see the fragments.
Drawbacks: Packets may be fragmented and reassembled repeatedly, gateways are more complex, and the performance gain is bounded because the usable size is limited to the MTU of the first hop. The IP layer at the destination may still have to reassemble if the last link had a smaller MTU than the first. Use only on links with unusually small MTUs.

Transparent and Non Transparent Fragmentation

- Non-transparent fragmentation: Intermediate gateways do not recombine fragmented packets. Once a packet is fragmented, each fragment is treated as an independent packet and may leave the network through a different exit gateway. Recombination happens only at the destination host.
Benefits: Multiple exit gateways can be used, so higher performance can be achieved.
Drawbacks: Overhead increases, since every fragment carries a full header. It also requires every host to be able to do reassembly.


Thursday, July 16, 2009

Quick Tech Tip: Concatenated Virtual Circuits

Two styles of internetworking are common:

* a connection-oriented concatenation of virtual circuit subnets,
* a datagram internet style.

In the concatenated virtual circuit model, a connection to a host in a distant network is set up in a way similar to the way connections are normally established. The virtual circuit consists of concatenated virtual circuits between the routers or gateways along the way from the source node to the destination node. Each gateway maintains tables telling which virtual circuits pass through it, where they are to be routed, and what the new virtual circuit number is. This process continues until the destination host has been reached.

Concatenated Virtual Circuits

Once data packets begin flowing along the path, each gateway relays incoming packets, converting between packet formats and virtual circuit numbers as needed. All data packets must therefore traverse the same sequence of gateways, and thus arrive in order.
This scheme works best when all the networks have roughly the same properties.
Concatenated virtual circuits are also common in the transport layer. In particular, it is possible to build a bit pipe using OSI, which terminates in a gateway, and have a TCP connection go from the gateway to the next gateway. In this manner, an end-to-end virtual circuit can be built spanning different networks and protocols.
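The per-gateway tables described above, and the VC subnet of the post "What are network layer design issues?" earlier on this page, in working code as an added example (not code from either post): connection setup installs one table entry per gateway along the chosen route, each entry mapping (incoming link, incoming VC number) to (outgoing link, new VC number); data packets then carry only the VC number, which is rewritten at every hop, and releasing the connection removes the entries so the number stops being forwarded. The topology, the gateway names and the rule that the upstream node allocates the VC number on each link are assumptions made for the example.

```python
"""Virtual-circuit forwarding with per-gateway label tables.
Added example, not from the original posts.  Links are identified by the
neighbour's name; the upstream node allocates VC numbers on its outgoing link."""
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]          # (link the packet arrived on, VC number it carries)


class Gateway:
    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[Key, Tuple[str, int]] = {}   # (in_link, in_vc) -> (out_link, out_vc)
        self.next_vc: Dict[str, int] = {}             # next unused VC number per outgoing link

    def allocate(self, link: str) -> int:
        vc = self.next_vc.get(link, 0)
        self.next_vc[link] = vc + 1
        return vc

    def install(self, in_link: str, in_vc: int, out_link: str) -> int:
        """Connection setup at this hop: pick a fresh number on the next link."""
        out_vc = self.allocate(out_link)
        self.table[(in_link, in_vc)] = (out_link, out_vc)
        return out_vc

    def forward(self, in_link: str, in_vc: int) -> Optional[Tuple[str, int]]:
        return self.table.get((in_link, in_vc))   # None: unknown circuit, packet dropped


class VCNetwork:
    def __init__(self) -> None:
        self.nodes: Dict[str, Gateway] = {}

    def gw(self, name: str) -> Gateway:
        return self.nodes.setdefault(name, Gateway(name))

    def setup(self, route: List[str]) -> Tuple[int, List[int]]:
        """Set up a circuit along [src, g1, ..., gn, dst].  Returns the VC number the
        source must use and the number carried on every link of the path."""
        vc = self.gw(route[0]).allocate(route[1])
        labels = [vc]
        for prev, here, nxt in zip(route, route[1:], route[2:]):
            vc = self.gw(here).install(prev, vc, nxt)
            labels.append(vc)
        self.gw(route[-1]).table[(route[-2], vc)] = ("LOCAL", vc)   # deliver at the destination
        return labels[0], labels

    def send(self, src: str, first_hop: str, vc: int) -> Optional[Tuple[str, List[Tuple[str, int, int]]]]:
        """Relay one data packet hop by hop.  Returns (destination, [(node, vc_in, vc_out), ...])
        or None if some gateway has no entry for the circuit."""
        prev, here, trace = src, first_hop, []
        while True:
            entry = self.gw(here).forward(prev, vc)
            if entry is None:
                return None
            out_link, out_vc = entry
            trace.append((here, vc, out_vc))
            if out_link == "LOCAL":
                return here, trace
            prev, here, vc = here, out_link, out_vc

    def release(self, src: str, first_hop: str, vc: int) -> None:
        """Tear the circuit down: remove its entry from every gateway on the path."""
        prev, here = src, first_hop
        while True:
            entry = self.gw(here).table.pop((prev, vc), None)
            if entry is None or entry[0] == "LOCAL":
                return
            prev, here, vc = here, entry[0], entry[1]


if __name__ == "__main__":
    net = VCNetwork()
    vc1, labels1 = net.setup(["H1", "G1", "G2", "G3", "H2"])
    vc2, labels2 = net.setup(["H3", "G1", "G2", "H2"])      # shares the G1-G2 link
    print("circuit 1 labels per link:", labels1)
    print("circuit 2 labels per link:", labels2)
    print(net.send("H1", "G1", vc1))
    print(net.send("H3", "G1", vc2))
    net.release("H1", "G1", vc1)
    print("after release:", net.send("H1", "G1", vc1))
```

Two circuits sharing the G1-G2 link get different numbers there (0 and 1) even though both start as VC 0 on their first link, which is why the number is rewritten per hop rather than chosen end to end; a packet carrying a number no gateway has an entry for is dropped, and after release the old number is dropped too while the other circuit keeps working.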

