10 Firewalls
10.1 Overview
• Network defences – a cascade of security zones
• Secure routers, packet filtering firewalls, application gateways (proxies)
• Firewall functions
10.2 Technologies
• Example firewall – Linux Netfilter
• Packet filtering – filter rules
• Application gateway
• Proxy services
• Stateful inspection technology
• Network address translation (NAT)
• Port address translation (PAT)
10.3 Management
• Remote Administration
• Examples: Checkpoint FireWall-1 and Linux IPCop
• Monitoring and Logging
Learning Objectives
Internet Security (IntSec)
10.1 Overview
Castle Defences: A Cascade of Security Zones
Figure: castle defences as a cascade of security zones. Keep: the last building in the castle to fall. Inner Perimeter: stronghold with higher walls, creating a containment area between the Inner and Outer Perimeters. Moat / Main Gate: outer perimeter controlling castle access.
Network Defences: A Cascade of Security Zones
Figure: network defences as a cascade of security zones. Outer Perimeter: Internet, firewall, De-Militarized Zone (DMZ). Inner Perimeter: Internal Network (Intranet). Stronghold / Keep: mission critical systems.
1. Internet (insecure zone): This zone is insecure for all practical purposes. It offers no
means of protecting a network from the others; the only security in this zone
comes from the machine itself.
2. Demilitarized Zone (DMZ): This zone is separated from the Internet by the first part of a
firewall (typically a filtering firewall). It usually hosts those servers which are accessed
frequently from the Internet (e.g. the company web server, a DNS server with the address
mapping of the public addresses, a mail server).
3. Intranet (secure zone, trusted zone): This zone is separated from the DMZ by the second
part of the firewall (typically a proxy server, i.e. an application-level firewall), which
processes requests for connections from the internal network to the outside.
There may be further, specifically secured zones within the Intranet, which are protected
against attacks from hosts on the Intranet. These zones contain mission critical
systems or organizations with high security requirements (e.g. the police department
within a government organization).
Example: HSR
Firewalls can control traffic at various OSI layers
Figure: protocol stacks of two end systems with a firewall in between; checks may be applied at any layer up to the Application layer.
Some firewalls check packets one by one only. Stateful inspection firewalls look at
packet flows, trying to assign a state to the connections.
Most modern firewalls are hybrid products that cannot easily be classified into these
groups.
Firewall Functions
Filtering, Inspection, Detection, Logging, Alerting
Figure: firewall functions; an IDS component provides detection and logging.
ITA, 4.02.2007, 10-Firewalls.ppt 8
Internet Security (IntSec)
10.2 Technologies
Example Firewall - Linux Netfilter
Figure: packet paths through a Netfilter firewall host with interfaces eth0 and eth1. A packet that arrives on one interface and is routed out of the other traverses the FORWARD chain; a packet addressed to a local process traverses the INPUT chain; a packet generated by a local process traverses the OUTPUT chain before being routed out.
http://www.netfilter.org
Filter Rules – Default Policy
http://www.netfilter.org
Packet Filtering
Screening Router, Deep Packet Inspection
Figure: a packet filter sitting between two protocol stacks, deciding on inbound packets at the network and transport layers. Filter criteria: source/destination addresses (e.g. 160.85.128.1, 152.96.129.3), IP protocol number (1 ICMP, 6 TCP, 17 UDP, 50 ESP, ...), port (53 DNS, 80 HTTP, 23 Telnet, ...) and TCP flags (SYN, ACK, FIN).
Packet-filtering firewalls use a special rule set to filter IP, TCP, ICMP, and other packets
that pass through the network interface. Arriving and outgoing packets are filtered by the
protocol type, source address, destination address, and port information contained in each packet.
A filtering gateway doesn't require a powerful machine to run on; an old 486 box
and a specialized one-floppy Linux mini-distribution should do the trick.
Packet Filtering
Examples
There are various strategies for implementing packet filters. The following two are
rather general:
• Build rules from most to least specific.
Most packet filters process their rule sets from top to bottom and stop processing once
a match is made.
• Place the most active rules near the top of the rule set.
Screening packets is a processor-intensive operation. Hence, placing the popular rules
first saves the processor from going through all rules for every packet.
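The two ordering strategies above are easiest to see on a small first-match rule evaluator. The following is an added example written for this page, not code from the slides or from any firewall product: addresses come from documentation ranges (a constructed DMZ 192.0.2.0/24, intranet 10.0.0.0/8, Internet clients in 203.0.113.0/24), and the rule and packet model is deliberately reduced to the fields the slide names (addresses, protocol, destination port, SYN flag). It shows that a general DROP placed above the specific ACCEPT rules shadows them, that the default policy decides when no rule matches, and that swapping two non-overlapping ACCEPT rules changes only the number of rules examined per packet, not the decision.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed first-match packet filter (not the slides' or any product's code).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    syn: bool = False          # TCP connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    syn: Optional[bool] = None     # None ignores the SYN flag

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn is not None and self.syn != pkt.syn:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> Tuple[str, int]:
    """Top-to-bottom, first match wins; the default policy applies when nothing matches.
    Returns (action, number of rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, examined
    return default, len(rules)


def total_examined(rules: List[Rule], traffic: List[Packet]) -> int:
    """Cost measure: how many rule comparisons a traffic sample causes."""
    return sum(evaluate(rules, pkt)[1] for pkt in traffic)


# Constructed topology: DMZ 192.0.2.0/24 with a web server (.10) and a DNS server (.53),
# intranet 10.0.0.0/8, Internet clients in 203.0.113.0/24.
ALLOW_DMZ_WEB = Rule("ACCEPT", dst="192.0.2.10/32", proto="tcp", dport=80)
ALLOW_DMZ_DNS = Rule("ACCEPT", dst="192.0.2.53/32", proto="udp", dport=53)
DENY_DMZ_REST = Rule("DROP", dst="192.0.2.0/24")
DENY_NEW_INTRANET = Rule("DROP", dst="10.0.0.0/8", proto="tcp", syn=True)

# Specific rules first, then the general DMZ deny.
GOOD_ORDER = [ALLOW_DMZ_WEB, ALLOW_DMZ_DNS, DENY_DMZ_REST, DENY_NEW_INTRANET]
# Same rules, general deny first: it shadows both ACCEPT rules and the web server goes dark.
BAD_ORDER = [DENY_DMZ_REST, ALLOW_DMZ_WEB, ALLOW_DMZ_DNS, DENY_NEW_INTRANET]
# Swapping two non-overlapping ACCEPT rules changes no decision, only the cost.
DNS_FIRST = [ALLOW_DMZ_DNS, ALLOW_DMZ_WEB, DENY_DMZ_REST, DENY_NEW_INTRANET]

# Constructed sample packets.
WEB_SYN = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, syn=True)
DNS_QUERY = Packet("203.0.113.5", "192.0.2.53", "udp", 53)
SSH_TO_DMZ = Packet("203.0.113.5", "192.0.2.10", "tcp", 22, syn=True)
PING_INTRANET = Packet("203.0.113.5", "10.1.2.3", "icmp")

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, evaluate(rules, WEB_SYN), evaluate(rules, SSH_TO_DMZ),
              evaluate(rules, PING_INTRANET))
    sample = [WEB_SYN] * 3 + [DNS_QUERY]
    print("rules examined, web-heavy traffic:", total_examined(GOOD_ORDER, sample),
          "vs", total_examined(DNS_FIRST, sample))
```

The PING_INTRANET packet matches no rule at all and is decided by the default policy alone, which is why a deny-by-default policy (the "not explicitly permitted is denied" stance of the management section) matters more than any single rule.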
Application Gateway
Application Firewall, Proxy
Figure: an application gateway sitting between two protocol stacks, deciding on inbound traffic at all layers. In addition to the packet-filter criteria (addresses such as 160.85.128.1 and 152.96.129.3, protocol numbers 1 ICMP, 6 TCP, 17 UDP, 50 ESP, ..., ports 53 DNS, 80 HTTP, 23 Telnet, ..., flags SYN, ACK, FIN) it inspects application content such as HTTP, SOAP/XML and SQL.
Application Gateway has become synonymous with terms such as bastion host, proxy
gateway, and proxy server. An application gateway makes access decisions based on
packet information at all seven layers of the OSI model. An application gateway may also
be configured with the ability to remove objectionable content, such as ActiveX or Java
scripts from web pages.
Some proxies are not “seen” by the end systems and are therefore called “transparent
proxies” (as opposed to “visible proxies”).
The proxy must “understand” each service. Proxies for newer services are usually hard
to find.
Proxy Services
• Circuit-level gateway
  • establishes a TCP connection according to defined rules
    (a security policy)
  • No content filtering can be defined. No user authentication.
• Application-level gateway
  • establishes TCP connections with an application-level gateway
    in place.
  • administrator can control access for selected applications/network
    services (e.g. HTTP, SOAP/XML, etc.).
  • can filter content and can provide user authentication.
Application gateway or proxy firewalls usually contain additional security support
software such as a VPN server, strong authentication services (tokens, smart cards), or virus
scan engines. Proxy firewalls, also known as “proxy services”, work between external
and internal networks and provide replacement connections instead of direct connections
with remote services. Proxies try to act more or less transparently. Proxy firewalls require
powerful machines. It is possible to divide this category into two groups:
• A circuit-level gateway is a proxy service that establishes a TCP connection (or
crosswires TCP ports) between internal and external networks according to defined rules
(a security policy). No content filtering can be defined. The freely available SOCKS (a
standard, generic networking proxy protocol -- see Resources for more information) proxy
server is a typical example of this approach. Circuit-level gateways don't provide user
authentication.
• An application-level gateway is a proxy service that establishes TCP connections
between internal and external networks; with an application-level gateway in place, an
administrator can control access for selected applications/network services (e.g., HTTP,
FTP, NNTP). Application-level gateways can filter content, while packet-filter and circuit-
level gateways are unable to determine transmission content. Some application proxies
can cache requested data to save bandwidth. Application-level gateways can provide
user authentication and implement an access rights policy.
Proxy Service Example
Figure: proxy service example; the proxy sits between the Intranet and the Internet and connects to Server X on behalf of internal clients.
Stateful Inspection Technology
Stateful inspection is an advanced firewall architecture that was invented by Check Point
Software Technologies in the early 1990s. Also known as dynamic packet filtering, it has
replaced static packet filtering as the industry standard firewall solution for networks.
Stateful inspection provides enhanced security by keeping track of communications
packets over a period of time. Both incoming and outgoing packets are examined.
Outgoing packets that request specific types of incoming packets are tracked; only those
incoming packets constituting a proper response are allowed through the firewall. In
contrast to static packet filtering, in which only the headers of packets are checked,
stateful inspection analyzes packets up to the Application layer.
In a firewall that uses stateful inspection, the network administrator can set the
parameters to meet specific needs. In a typical network connected to the Internet, ports
are normally closed unless an incoming packet requests connection to a specific port,
and then only that port is opened to the packet. This prevents port scanning, a well-known
technique used by hackers to gain entry to networks and individual computers connected
to the Internet.
[http://searchnetworking.techtarget.com]
Stateful Inspection I
Figure: the inspection engine (a virtual machine) evaluates each packet against the “connections” and “pending” tables and decides ACCEPT or DROP/REJECT.
Sources:
Thomas Lopatic, John McDonald, TÜV data protect GmbH,
tl@dataprotect.com, jm@dataprotect.com
Dug Song, CITI at the University of Michigan, dugsong@umich.edu
“A Stateful Inspection of Firewall-1”, Black Hat Briefings, 2000.
Stateful Inspection II
Figure: an internal client (port C) sends UDP to an external server; UDP replies from the server are accepted back to port C.
• UDP “connections”
  • from a client, port C
  • to a server, port S + wildcard port
  • tracked as <s-address, s-port, d-address, d-port, protocol>
Stateful Inspection III
Figure: FTP data connections between FTP client 192.168.0.2 and FTP server 172.16.0.2 through a stateful firewall.
Active mode: on the control connection (client port > 1023 to server port 21) the client sends “PORT 192,168,0,2,4,36”; the server then opens the data connection from port 20 to client port 1060 (4*256+36).
Passive mode: the client sends “PASV”; the server answers “227 ... (172,16,0,2,4,36)” and the client opens the data connection from a port > 1023 to server port 1060.
Stateful Inspection with Linux Netfilter
Examples
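The “connections” and “pending” tables of the three Stateful Inspection slides, and the FTP data-connection problem of the last one, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the slides, from Netfilter or from FireWall-1. It assumes a single internal network (192.168.0.0/24, as on the FTP slide), tracks connections by their 5-tuple in the direction they were opened, accepts only replies to tracked connections or new connections opened from inside, and adds an FTP helper that reads PORT commands and 227 replies on a port-21 control connection to register the announced data connection as “pending” (source port 0 meaning “any port”, as the slide's wildcard). The UDP case is kept strict: replies must come back from the server port that was contacted.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

# Constructed stateful inspection engine (not the slides' or any product's code).


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False
    ack: bool = False
    payload: str = ""     # only the FTP helper looks at this

Tuple5 = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_endpoint(match) -> Tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into (address, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class ConnTracker:
    def __init__(self, internal_nets):
        self.internal = [ip_network(n) for n in internal_nets]
        # "connections": 5-tuples in the direction the connection was opened
        self.connections: Set[Tuple5] = set()
        # "pending": expected connections; source port 0 means "any port"
        self.pending: Set[Tuple5] = set()

    def _is_internal(self, ip: str) -> bool:
        return any(ip_address(ip) in net for net in self.internal)

    def _pop_pending(self, pkt: Pkt) -> bool:
        """Consume a matching pending entry, if any."""
        for exp in list(self.pending):
            src, sport, dst, dport, proto = exp
            if (src, dst, dport, proto) == (pkt.src, pkt.dst, pkt.dport, pkt.proto) \
                    and sport in (0, pkt.sport):
                self.pending.discard(exp)
                return True
        return False

    def _ftp_helper(self, pkt: Pkt) -> None:
        """Inspect FTP control traffic (port 21) and register expected data connections."""
        if pkt.proto != "tcp" or 21 not in (pkt.sport, pkt.dport):
            return
        m = PORT_RE.match(pkt.payload)
        if m and pkt.dport == 21:
            # Active mode: the server (pkt.dst) will connect to the announced client port.
            addr, port = ftp_endpoint(m)
            self.pending.add((pkt.dst, 0, addr, port, "tcp"))
        m = PASV_RE.match(pkt.payload)
        if m and pkt.sport == 21:
            # Passive mode: the client (pkt.dst) will connect to the announced server port.
            addr, port = ftp_endpoint(m)
            self.pending.add((pkt.dst, 0, addr, port, "tcp"))

    def handle(self, pkt: Pkt) -> str:
        key: Tuple5 = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse: Tuple5 = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # 1. Part of a tracked connection (either direction): accept, and let the
        #    FTP helper learn about announced data connections.
        if key in self.connections or reverse in self.connections:
            self._ftp_helper(pkt)
            return "ACCEPT"
        # 2. An expected connection (e.g. FTP data): promote it to a tracked one.
        if self._pop_pending(pkt):
            self.connections.add(key)
            return "ACCEPT"
        # 3. New connections only from inside to outside; for TCP only a pure SYN
        #    may open one, so a stray ACK or an inbound SYN is dropped.
        if self._is_internal(pkt.src) and not self._is_internal(pkt.dst):
            if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                return "DROP"
            self.connections.add(key)
            return "ACCEPT"
        return "DROP"
```

Without the helper, step 3 would drop the server's inbound SYN from port 20 in active mode; with it, that single connection is accepted only after the client announced it, and only to the announced port. A production engine also needs timeouts and TCP state transitions (FIN, RST) to expire entries, which this model leaves out.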
Network Address Translation (NAT)
• NAT goals
  • Allow use of internal [private] IP addresses
  • Hide internal network structure
  • Disable direct [inbound] Internet connections
• NAT types
  • Dynamic
    For connections from inside to outside
    There may be fewer outside addresses than internal addresses
  • Static
    For connections from outside to specific servers inside
    One-to-one address mapping (fixed)
Network Address Translation (NAT)
Figure: NAT rewriting the source address (SA) of packets from internal host 10.0.0.4 to a public address, so that the internal address is not visible outside.
Port Address Translation (PAT)
Figure: PAT with internal host 10.0.0.4 sharing the single public address.
PAT is used when several privately addressed workstations share a single public
address. PAT uses the TCP and UDP port numbers to map multiple private addresses to
the single public address. For normal applications such as web browsing and FTP
transfers, PAT can be configured by just enabling the feature.
When accesses are originated from the private addressed LAN, a mapping is established
between the source port number and the source private address. When the response is
received on the public addressed WAN port, the destination port is mapped back to the
private address.
Static PAT port mappings or the PAT default address need to be configured when an
application will initiate a TCP or UDP connection from the public network. If a publicly
accessible server resides on a privately addressed LAN, static ports can be defined for
the applications it is running. For example, TCP port 80 for a web server and TCP
port 21 for an FTP server can be statically assigned. The PAT default address can be used
with, or instead of, static port assignments, and is set to the private address of a
workstation on the local LAN. If an incoming IP data packet is received on a WAN port
and there is no existing dynamic or static port mapping, the packet will be translated
using the PAT default address.
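The dynamic mapping, static port assignment and PAT default address described above can be modelled as one translation table. The following is an added example written for this page, not code from the slides or from any router or firewall product. It assumes a single public address (a constructed 198.51.100.1), inside hosts in 10.0.0.0/8 (10.0.0.4 is the slide's example host), and that the translator sees the packet fields only; it allocates public ports dynamically for outbound flows starting at a constructed base port, maps replies back by the public port, serves static mappings for inside servers, and falls back to the default address when configured.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed PAT (NAT overload) table (not the slides' or any product's code).

Endpoint = Tuple[str, int]               # (address, port)
Flow = Tuple[str, str, int, str, int]    # (proto, src, sport, dst, dport)


@dataclass
class PatTable:
    public_ip: str
    default_address: Optional[str] = None   # PAT default address, or None: drop unmatched inbound
    next_port: int = 10000                  # constructed base for dynamically allocated public ports
    # (proto, public port) -> inside endpoint, configured by the administrator
    static: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # (proto, inside ip, inside port) -> public port, learned from outbound traffic
    dynamic: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, public port) -> inside endpoint, the reverse of `dynamic`
    reverse: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def add_static(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static PAT: a fixed public port for a server on the private LAN."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def _allocate(self, proto: str) -> int:
        """Hand out the next public port that is neither in use nor statically assigned."""
        port = self.next_port
        while (proto, port) in self.reverse or (proto, port) in self.static:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Packet leaving the private LAN: rewrite the source to public_ip:mapped port."""
        key = (proto, src_ip, src_port)
        if key not in self.dynamic:
            pub = self._allocate(proto)
            self.dynamic[key] = pub
            self.reverse[(proto, pub)] = (src_ip, src_port)
        return (proto, self.public_ip, self.dynamic[key], dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Packet arriving on the WAN port: rewrite the destination to the inside host,
        or return None when it must be dropped."""
        if dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((proto, dst_port)) or self.static.get((proto, dst_port))
        if inside is None:
            if self.default_address is None:
                return None
            # No dynamic or static mapping: translate to the PAT default address.
            inside = (self.default_address, dst_port)
        return (proto, src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    pat = PatTable("198.51.100.1", default_address="10.0.0.4")
    pat.add_static("tcp", 80, "10.0.0.10", 80)
    print(pat.outbound("tcp", "10.0.0.4", 5000, "203.0.113.80", 80))
    print(pat.inbound("tcp", "203.0.113.9", 40000, "198.51.100.1", 80))
    print(pat.inbound("tcp", "203.0.113.9", 40000, "198.51.100.1", 22))
```

Two hosts using the same private source port get distinct public ports, which is what lets the reply be mapped back unambiguously. Note what the default address does in the last call: every inbound packet that matches no mapping reaches that workstation on whatever port was addressed, so the workstation is effectively exposed to the Internet and needs its own host-level filtering; leaving default_address unset makes the translator drop such packets instead.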
NAT with Linux Netfilter
Figure: Netfilter NAT chains on a firewall host with interfaces eth0 and eth1 (table nat, selected with -t nat). Destination NAT (DstNAT) is applied in the PREROUTING chain before the routing decision, and in the OUTPUT chain for packets generated by a local process; source NAT (SrcNAT) is applied in the POSTROUTING chain after routing, just before the packet leaves. Packets for a local process still traverse INPUT, forwarded packets traverse FORWARD.
http://www.netfilter.org
NAT with Linux Netfilter
Examples
http://www.netfilter.org
Internet Security (IntSec)
10.3 Management
Administration Example 1: Checkpoint FireWall-1
Figure: FireWall-1 rule editor; authorization is defined based on multiple criteria.
A firewall’s number one job is to provide access control. By default, FireWall-1 operates
under the strictest security policy: “That which is not explicitly permitted is denied.” From
this starting point, security managers add rules to allow access as appropriate.
Defining these rules is easy and intuitive with FireWall-1. A broad range of applications
and services are supported out of the box, and defining additional network resources
(e.g., protocols, services, users, groups, servers, etc.) is easy. These network resources
are then used as the basis of security policy rules.
http://www.checkpoint.com/products/firewall-1/index.html
Administration Example 2: Linux IPCop
http://www.ipcop.org
Monitoring and Logging