GATE CSE 2011 | Question: 2

Question

A layer-$4$ firewall (a device that can look at all protocol headers up to the transport layer) CANNOT

• A. block entire $\text{HTTP}$ traffic during $9:00PM$ and $5:00AM$
• B. block all $\text{ICMP}$ traffic
• C. stop incoming traffic from specific $\text{IP}$ address but allow outgoing traffic to the same IP address
• D. block $\text{TCP}$ traffic from a specific user on a multi-user system during $9:00PM$ to $5:00AM$

Comments

transport layer has port number and port number of http is 80 and thus firewall can block http traffic

---

Q.11

http://clweb.csa.iisc.ernet.in/rahulsharma/gate2011key.html

---

Question here is asking for can not . Option D is not possible by firewall

Answer 1

Answer is (D).

(A) It is POSSIBLE to block "entire" HTTP traffic by blocking all the traffic on port number $80$ Since here we DON'T need to check anything that is application layer specific. We only need to block port no $80$ for required time span.

(B) & (C) are fairly possible to achieve.

(D) However (D) is not possible to achieve although the service uses TCP at transport layer. But see the question. We dont need to block entire TCP traffic so we cant block any specific PORT number. Also it is given that IT IS MULTI- USER System and so many user may be using same port for communication.Therefore blocking that port would block all the users  WHILE we want a specific user. So how to do that. To do so we need Application layer specific information of the user like user_id type of things which cant be checked as it is $4$-layer firewall. So it is not possible to allow other users and block some specific at the same time using
a $4$-layer firewall  (unless they all be using different port numbers which we actually cant predict).

Comments

@Chhotu Can we block specific user through MAC address instead of IP as u said

"specific user on a multi-user system". means multiple users are sharing same IP.

---

I got it. why MAC is not used -

https://security.stackexchange.com/questions/153597/mac-filtering-the-internet-traffic

---

@chootu i think you are missing one point that here multiuser forms one network or part of a network and every multiuser will have the same public ip because the default gateway of all users are same so when any one user tries to communicate with anyone outside the network he will see the public ip of router(in router we have NAT which takes cares for it ) not private ip so now tell if he wants to block a particular user from that network how he will do ,as all users have the same public ip ,that i think we need a firewall of layer 5 but here it is layer 4 type .if there is something that is needed for correction please tell.

Answer 2

Since it Layer-4 firewall so it includes the following layer ::

Physical layer,Data Link layer,Network layer as well s Transport layer.

So all functionalities of above layer can be prevented by Layer-4 protocol except last one which is associated with the application layer.

Comments

So which is the correct answer ?

---

I think HTTP belong from layer 5 show anw may be option A.

Answer 3

A is wrong
Because we're asked if we can block "entire" HTTP traffic. This is doable by a L4 firewall by disabling port no. 80.

B is wrong
ICMP is a NL protocol, which comes under TL, so we're good.

C is wrong
IP addresses are the characteristics of NL, which comes under TL.

D is right
Because we're asked to manipulate a specific user. We can't do that with a firewall that can see upto TL.

 

---

If option A said, block HTTP traffic from a specific user, then A and D would both be right. Intuitively, you can think of it like, blocking entire stuff requires a strong hammer, but blocking a specific thing out of it requires greater sophistication.