To add to the confusion, sometimes a single hardware system is called a

firewall, while other times a complex collection of multiple routers and servers

implement the firewall function. But we need to be concerned only with the

policies enforced by the firewall, and what the effect is on the data traffic.



15.2 What Does a Firewall Do?

Firewalls can affect any type of network traffic, depending on their

configuration. The areas we are especially concerned with are the following:

1. The loading of Java applets from a server to a client

2. Network accesses by Java applets to a server

Firewalls may be present at the client network, the server network, or both. In

order to understand the implications, we must understand the basic functions

provided by a firewall.

Current literature on firewalls is filled with buzzwords used by specialists to

describe the different software techniques that can be used to create

firewalls. Techniques include packet filtering, application gateways, proxy

servers, dynamic filters, bastion hosts, demilitarized zones, and dual-homed

gateways. For the purpose of this book, we can ignore the details of the

software technologies, and simply concentrate on what a firewall does with

data packets flowing through it.

There are several other firewalls functions that have no real effect on Java

security; for example, logging, reporting and management functions are

available, and these may themselves be written in Java. As an example, the

IBM Firewall has a graphical user interface developed in Java.

The basic security functions of any firewall are to examine data packets sent

through the firewall, and to accept, reject or modify the packets according to

the security policy requirements. Most of today’s firewalls work with TCP/IP

data only, so it is worth seeing what is inside a TCP/IP data packet, in order to

understand the firewall’s actions.



15.2.1 Inside a TCP/IP Packet

All network traffic exchange is performed by sending blocks of data between

two connected systems. The blocks of data are encapsulated within a data

packet by adding header fields to control what happens to the data block en

route and when it reaches its final destination. Network architectures are

constructed of layers of function, each built on the services of the layer

beneath it. The most thorough layered architecture is the open systems



558



Java 2 Network Security



interconnection (OSI) model, whereas other architectures, such as TCP/IP,

use broader layer definitions. On the wire, these layers are translated into a

series of headers placed before the data being sent, as shown in the following

diagram:



OSI Model



TCP/IP Model



Application

Presentation



Application



Session

Transport



Transport



Network



Internet



Data Link



Network Interface

Physical



Physical



Header



Payload



Figure 279. Mapping the Layered Network Model to Packet Headers



The first part of the header, the Data Link/Physical header, is determined by

the type of network. Ethernet, token-ring, serial lines, FDDI, and so on, each

have their own headers, containing synchronization, start-of-packet

identifiers, access control, and physical addresses1 as required by the

network type. There may be fields to distinguish Internet Protocol (IP) packets

from other types of packets, such as NetBIOS or SNA. We need to consider

only IP packets here.

The next part of the header of IP packets is the standard IP header, which

specifies the originator (source) address and the intended recipient

(destination) address, together with fields to control how the packet is

1

Network devices require an adapter to physically attach to the LAN. This adapter must provide both physical and logical

capabilities for the device. The adapter contains a unique 48-bit address, assigned to it during the manufacturing process,

called Media Access Control (MAC). All the MAC addresses are assigned by the IEEE 802 committee. The IEEE

provides the vendor building adapters with a range of MAC addresses to use for assigning adapters their unique 48-bit

address so that no two adapters should ever have a duplicate address. Ethernet and token-ring require the MAC address

for both the origin and the destination adapters when communicating over a LAN. Besides the IP address, the MAC

address also must be known when sending data to a LAN-attached device.



Java and Firewalls – In and Out of the Net



559



forwarded through the Internet. There are two main types of IP headers: the

common IP V4 standard, and the new IPv6 standard, which is intended to

replace IPv4.

This is followed by the transport layer header, which controls what happens to

the packet when it reaches its destination. Almost all the user-level protocols

commonly referred to as TCP/IP use either a Transmission Control Protocol

(TCP) or a User Datagram Protocol (UDP) header at the transport layer.

Finally, application protocol headers and data are contained in the payload

portion of the packet, and are passed from the sending process to the

receiving process.

Each of these packet headers contain a number of data fields, which may be

examined by a firewall and used to decide whether to accept or reject the

data packet.

For current purposes, the most important data fields are:

• Source IP address – a 32-bit address (IPv4) or a 128-bit address (IPv6)

• Destination IP address – a 32-bit address (IPv4) or a 128-bit address

(IPv6)

• Source port number – a 16-bit value

• Destination port number – a 16-bit value

The source and destination IP addresses identify the machines at each end

of the connection, and are used by intermediate machines to route the packet

through the network. Strictly speaking, an IP address identifies a physical or

logical network interface on the machine, which allows a single machine to

have several IP addresses.

The source and destination port numbers are used by the TCP/IP networking

software at each end, to send the packets to the appropriate program running

on the machines. Standard port numbers are defined for the common network

services; for example, by default, an FTP server expects to receive TCP

requests addressed to port 21, and an HTTP Web server expects to receive

TCP requests to port 80.

However, non-standard ports may be used. It is quite possible to put a Web

server on port 21, and access it with a URL of http://server :21/. Because of

this possibility, some firewall systems will examine the inside details of the

protocol data, not just headers, to ensure that only valid data can flow

through.



560



Java 2 Network Security



As an elementary security precaution, port numbers less than 1024 are

privileged ports. On some systems, such as UNIX, programs are prevented

from listening to these ports, unless they have the appropriate privileges. On

less secure operating systems, a program can listen on any port, although it

may require extra code to be written. HTTP Web servers, in particular, are

often run on non-standard ports such as 8000 or 8080 to avoid using the

privileged standard port 80.

The non-privileged ports of 1024 and above can be used by any program;

when a connection is created, a free port number will be allocated to the

program. For example, a Web browser opening a connection to a Web server

might be allocated port 1044 to communicate with server port 80. But what

happens, you may ask, if a Web browser from another client also gets

allocated port 1044? The two connections are distinguished by looking at all

four values (source IP address, source port, destination IP address,

destination port), as this group of values is guaranteed to be unique by the

TCP standards.



15.2.2 How Can Programs Communicate through a Firewall?

Simple packet-filtering firewalls use the source and destination IP addresses

and ports to determine whether packets may pass through the firewall.

Packets going to a Web server on destination port 80, and the replies on

source port 80, may be permitted, while packets to other port numbers might

be rejected by the firewall. This may be allowed in one direction only and it

may be further restricted by only allowing packets to and from a particular

group of Web servers, as shown in the following figure:



Request for

HTTP Session

(tcp/80)



STOP



Firewall

GO

Request for

HTTP Session

(tcp/80)



Internet

Responses

Requests



Figure 280. Asymmetric Firewall Behavior



Java and Firewalls – In and Out of the Net



561



There may be more than one firewall through which data needs to pass.

Users in a corporate network will often have a firewall between them and the

Internet in order to protect the entire corporate network. And at the other end

of the connection, the remote server will often have a firewall to protect it and

its networks.

These firewalls may enforce different rules on what types of data are allowed

to flow through, which can have consequences for Java (or any other)

programs. It is not uncommon to find Java-enabled Web pages that work over

a home Internet connection simply fail to run on a corporate network.

There are two problem areas:

1. Can the Java program be downloaded from a remote server?

2. Can the Java program create the network connections that it requires?

The HTTP protocol is normally used for downloading. In order to understand

the restrictions that firewalls put on HTTP, especially with regard to proxy

servers and SOCKS servers (discussed in 15.4, “Proxy Servers and SOCKS

Gateways” on page 570), we will describe this protocol in detail in the next

section.



15.3 Detailed Example of TCP/IP Protocol

Let us consider the simple case of a browser requesting a Web page using

HTTP. There are two steps to this:

1. First the browser must translate a host name (for example, www.ibm.com)

into its IP address (204.146.17.33 in this case). The normal way to do this

in the Internet is to use the Domain Name System (DNS).

2. In the second step, the browser sends the HTTP request and receives a

page of HTML in response.



15.3.1 DNS Flow (UDP Example)

DNS uses the UDP protocol at the transport layer, sending application data to

the DNS (udp/53) port of a name server. The packet header for UDP is shown

in the following figure:



562



Java 2 Network Security



0

1

2

3

01234567890123456789012345678901

IP



VERS=4



HLEN



Type of

Service



Total Length



Identification



20

bytes



Time to Live



Fragment Offset



Flags



Protocol



Header Checksum



Source IP Address

Destination IP Address

IP Options (if any)



UDP



...Padding (if needed)



Source Port

Length



8

bytes



Destination Port

Checksum



Data Bytes (packet payload)



Figure 281. IPv4 and UDP Headers



If the newer IPv6 is used, the header is simpler, but with 128-bit addresses,

instead of 32-bit.

The actual DNS request is a simple request and response sequence (see

Figure 282 on page 563 and Figure 283 on page 564).



Packet 1, length 57 bytes

Client

(Browser)



IP



Source address 10.1.1.1 (client)

Destination address 10.1.1.5 (server)



UDP



Source port 1048 (dynamically assigned)

Destination port 53 (DNS well-known port)



Data



Server

(DNS Server)



DNS question:

www.ibm.com, type=A, class=IN



Figure 282. Client Requests Name Resolution



Java and Firewalls – In and Out of the Net



563



Packet 2, length 73 bytes

Client

(Browser)



IP



Source address 10.1.1.5

Destination address 10.1.1.1



UDP



Server

(DNS Server)



Source port 53

Destination port 1048



Data



DNS question:

www.ibm.com, type=A, class=IN

DNS answers:

www.ibm.com internet

address 204.146.17.33



Figure 283. DNS Name Resolution Response



15.3.2 HTTP Flow (TCP Example)

Now the client can request the URL of http://www.ibm.com/example1.html

because it knows that the real IP address of www.ibm.com is 204.146.17.33.

Requests such as this use TCP at the transport layer to carry the HTTP

application data. HTTP is a very simple protocol, where the client requests a

particular item of data from the server, and the server returns the item,

preceded by a short descriptive header.

TCP headers are similar to UDP but have more control fields to provide a

guaranteed2 delivery service:



2

In this context, guaranteed means that the data will be delivered, or an error will be eventually returned. With UDP, in

comparison, data may be discarded without warning.



564



Java 2 Network Security



0

1

2

3

01234567890123456789012345678901

IP



VERS=4



Type of

Service



HLEN



Total Length



Identification



20

bytes



Time to Live



Fragment Offset



Flags



Protocol



Header Checksum



Source IP Address

Destination IP Address

IP Options (if any)



TCP



...Padding (if needed)



Source Port



Destination Port

Sequence Number

Acknowledgment Number



20

bytes



U



A



P



R



S



F



Data

Reserved R C S S Y I

Offset

G K H T N N

Checksum



Urgent Pointer



TCP Options (if any)



...Padding (if needed)



Data Bytes (packet payload)



Figure 284. IPv4 and TCP Packet Headers



TCP using IPv6 is similar, with an IPv6 header followed by a TCP header.

The following data packets are sent:

• Packets 1, 2 and 3 establish the TCP connection. The opening connection

sequence is sometimes called the three-way handshake.



Java and Firewalls – In and Out of the Net



565



Client

(Browser)



Packet 1, length 44 bytes

IP

TCP



Data



Source address 10.1.1.1 (client)

Destination address 204.146.17.33 (server)



Server

(Web Server)



Source port 1044 (dynamically assigned)

Destination port 80 (HTTP well-known port)

Flags: SYN

Options: Set maximum segment size to

1452 bytes

(None)



Figure 285. (Part 1 of 3). TCP Handshake



Client

(Browser)



Packet 2, length 44 bytes

IP

TCP



Data



Source address 204.146.17.33 (server)

Destination address 10.1.1.1 (client)



Server

(Web Server)



Source port 80

Destination port 1044

Flags: SYN+ACK

Options: Set maximum segment size to 1452

bytes

(None)



Figure 286. (Part 2 of 3). TCP Handshake



Client

(Browser)



Packet 3, length 40 bytes

IP

TCP



Data



Source address 10.1.1.1 (client)

Destination address 204.146.17.33 (server)

Source port 1044

Destination port 80

Flags: ACK

(None)



Figure 287. (Part 3 of 3). TCP Handshake



566



Java 2 Network Security



Server

(Web Server)



• Packet 4 contains the HTTP request from the browser; you can see the

GET request itself, together with other data being passed to the server.



Client

(Browser)



Packet 4, length 299 bytes

IP

TCP



Data



Source address 10.1.1.1 (client)

Destination address 204.146.17.33 (server)



Server

(Web Server)



Source port 1044

Destination port 80

Flags: PUSH+ACK

GET /example1.html HTTP/1.0

Connection: Keep-Alive

User-Agent: Mozilla/v3.01 (X11;I;AIX1)

Host: www.ibm.com

Accept: image/gif, image/x-xbitmap,

image/jpeg, image/pipeg, */*





Figure 288. HTTP Request from the Browser



• Packet 5 contains the reply from the server, with the page data preceded

by page information. You can see this information by selecting Page

Source and Page Info from the View menu of a Web browser. Larger

replies would need to be sent in more than one packet, and the client

would periodically send TCP acknowledgment packets back to the server.

But only a single item of data is returned, so that the page data, images,

applets and other components are returned separately. Using JAR files,

several items can now be sent in a single TCP connection, which is more

efficient.



Java and Firewalls – In and Out of the Net



567



Client

(Browser)



Packet 5, length 388 bytes

IP

TCP



Data



Source address 204.146.17.33 (server)

Destination address 10.1.1.1 (client)



Server

(Web Server)



Source port 80

Destination port 1044

Flags: PUSH+ACK

HTTP/1.1 200 Document follows

Server: IBM-ICS/4/2/1

Date: Mon, 22 Sep 1997 12:45:27 GMT

Connection: Keep-Alive

Accept-Ranges: bytes

Content-Type: text/html

Content-Length: 116

Last-Modified: Wed, 10 Jul 1996 14:59:23 GMT

Example 1 - HTML only