
Firewalls

6/27/2014 1
What is a Firewall?
A firewall:
Acts as a security gateway between two networks, usually between a trusted and an untrusted network
Tracks and controls network communications
Decides whether to pass or reject

[Figure: the corporate network gateway sits between the corporate site and the Internet]
Firewall
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behavior
Itself immune to penetration
Firewall Gateways
Firewall runs set of proxy programs
Proxies filter incoming, outgoing packets
All incoming traffic directed to firewall
All outgoing traffic appears to come from firewall
Policy embedded in proxy programs
Two kinds of proxies
Application-level gateways/proxies
Tailored to http, ftp, smtp, etc.
Circuit-level gateways/proxies
Working at the network level
Why Are Firewalls Needed?
Prevent attacks from untrusted networks
Protect confidential information
Protect the data integrity of critical information
Evolution of Firewalls
[Figure: stages of evolution, from packet filter to stateful inspection to application proxy]
Packet Filter
Packets examined at the network layer
Commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
[Figure: OSI layer stacks on either side of the firewall; the packet filter operates at the network layer]
Application Gateway or Proxy
Packets examined at the application layer
Application/content filtering possible, e.g. preventing FTP put commands
Modest performance
Limited scalability
[Figure: OSI layer stacks on either side of the firewall; the application gateway operates at the application layer]
Stateful Inspection
Packets are inspected between the data link layer and the network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
[Figure: OSI layer stacks on either side of the firewall; the INSPECT engine sits between the data link and network layers and maintains dynamic state tables]
Classification of Firewalls
Packet filtering
Circuit gateways
Application gateways
A combination of the above is a dynamic packet filter
Firewalls: Packet Filters
Simplest type
Uses transport-layer information only
IP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message type
Packet Filtering Gateways
Make decisions based on the header of a packet
The header contains source and destination addresses and port numbers; port numbers can be used to infer the type of packet
80 -> Web, 22 -> SSH
E.g., allow Web, but not SSH
Ignore the payload of the packet
Can drop spoofed traffic
XY's firewall could drop all packets originating from XY whose source address is not of the form 129.97.a.b, and any traffic originating from outside of XY whose source address is of the form 129.97.a.b
Usage of Packet Filters
Filtering on incoming or outgoing interfaces
E.g., ingress filtering controls inbound traffic, egress filtering controls outgoing traffic
Permits or denies certain services
Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
Types of Packet Filtering
1. Stateless Packet Filters
A router configured to pass or reject packets based on information in the header of each individual packet
2. Stateful Packet Filters
Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
Stateless Packet Filters
A border router configured to pass or reject packets based on information in the header of each individual packet
Can be configured to pass/reject based on any field, but usually done based on:
protocol type
IP address
TCP/UDP port
Fragment number
Source routing information
Protocol Filtering
Filtering based on the IP protocol field allows rejecting entire protocol suites:
UDP
TCP
ICMP
IGMP
This is almost too general, so it is seldom used: suppose you block UDP; then no TCP-based application will be able to convert host/domain names to IP addresses (DNS is based on UDP).
IP Address Filtering
Pass/reject packets based on membership in a set of acceptable IP addresses
Usually not used to block specific hosts
Usually used to block source routed packets (a big security hole)
If a hacker knows an address that the filter will pass, then they can easily forge a packet that will pass through the filter
Port Filtering
Accept or reject packet based on port number
Most commonly used filtering method
Pass all but those specified
Reject all but those specified
Important ports/protocols to block:
telnet
NetBIOS
POP
NFS
X Windows
Windows Terminal Services
Source Routed Filtering
Source routed packets should never be allowed into your network
Source routing allows you to specify the path a packet will take through your network
Strict Source Routing: specifies the exact path to be taken
Loose Source Routing: indicates one or more hosts the packet must go through
A hacker can plug in their own address and force packets to travel through a machine that they can sniff
Loose Source Routing
A packet is given a list of hops to be taken
Each packet carries the same source address; the destination is whatever the next IP in the hop path is, and the hop path is in the IP Option field.
IP Option field layout:
Type (1 byte) | Length (1 byte) | Offset (1 byte) | IP 1 (4 bytes) | IP 2 (4 bytes)
Type: 131 is the type for Loose Source Routing
Length: total length of the option
Offset: byte offset to the next IP to hop to
Fragmentation Filtering
Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes
Security considerations
The TCP or UDP port number is provided only at the beginning of a packet; it appears only in fragments numbered 0
Fragments numbered 1 or higher will be passed through the filter
If a hacker modifies an IP header to start all fragment numbers of a packet at 1 or higher, all fragments will go through the filter
Filtering by Fragmentation Flags
Configure the firewall/packet filter to drop all fragmented packets, or
Have the firewall reassemble fragmented packets and allow only complete packets to pass through
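The two header checks from the source-routing and fragmentation slides, implemented over a raw IPv4 header as an added example (not code from the slides): the option walk detects the type-131 loose source route option (and strict source route, type 137 per RFC 791), and the fragment policy drops non-initial fragments and first fragments too small to carry the transport header. The 20-byte threshold, the helper names and the documentation-range addresses are assumptions for this example.

```python
import struct

LSRR, SSRR = 131, 137        # IP option types: loose (from the slides) and strict (RFC 791)
MIN_FIRST_FRAGMENT = 20      # assumed threshold: a first fragment must carry a full TCP header

def parse_ipv4(raw: bytes) -> dict:
    """Decode the header fields a packet filter needs, including the option list."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    options, pos = [], 20
    while pos < ihl:                 # walk the variable-length option list
        kind = raw[pos]
        if kind == 0:                # End of Option List
            break
        if kind == 1:                # No-Operation: a single byte
            pos += 1
            continue
        options.append(kind)
        pos += raw[pos + 1]          # length byte covers type, length and data
    return {"proto": proto,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,      # in 8-byte units
            "payload_len": total_len - ihl,
            "options": options}

def fragment_policy(raw: bytes) -> str:
    """Return 'pass' or a drop reason, applying the slides' strict policies."""
    hdr = parse_ipv4(raw)
    if LSRR in hdr["options"] or SSRR in hdr["options"]:
        return "drop: source-routed packet"
    if hdr["frag_offset"] > 0:
        return "drop: non-initial fragment (carries no port numbers)"
    if (hdr["more_fragments"] and hdr["proto"] in (6, 17)
            and hdr["payload_len"] < MIN_FIRST_FRAGMENT):
        return "drop: tiny first fragment (transport header split across fragments)"
    return "pass"

def build_ipv4(flags_frag: int, payload_len: int, options: bytes = b"", proto: int = 6) -> bytes:
    """Construct a test packet; addresses are constructed documentation-range values."""
    options += b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len, 1, flags_frag,
                      64, proto, 0, bytes([198, 51, 100, 5]), bytes([192, 0, 2, 10]))
    return hdr + options + b"\x00" * payload_len
```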
Problems with Stateless Filters
The effectiveness of stateless filters is limited because:
They cannot check the payload of the packets; service-related filtering can only be done by application-level proxies
They do not retain the state of the connections
Stateful Packet Filtering
Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
Create an in-memory state table holding the state of all network- and session-layer connections
Allows only packets that result from connections that have already been established
More sophisticated and secure
Has a rule base and a state table
Newer firewalls all provide stateful packet filtering; some also provide higher-level protocol proxying
Stateful Packet Filters
Traditional packet filters do not examine higher-layer context, i.e. matching return packets with the outgoing flow
Stateful packet filters address this need
They examine each IP packet in context
Keep track of client-server sessions
Check that each packet validly belongs to one
Hence they are better able to detect bogus packets that are out of context
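A minimal stateful filter with a rule base (inside hosts may open sessions) and a state table, as an added example not taken from the slides: a return packet is admitted only if it matches a recorded session, so an ACK-flagged packet from outside that belongs to no session is dropped, unlike with a stateless ACK rule. The inside network, the state names and the simplified single-FIN teardown are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # constructed internal network

@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

class StatefulFilter:
    """Keeps a state table of client-server sessions and admits only packets that belong to one."""

    def __init__(self):
        self.table = {}   # (client, client_port, server, server_port) -> state

    def process(self, pkt: TcpPacket) -> str:
        outbound = ip_address(pkt.src) in INSIDE
        if outbound and pkt.syn and not pkt.ack:
            # Rule base: inside hosts may open new sessions; record the new context.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
            return "permit"
        # Everything else must match an existing session, keyed from the client's side.
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        state = self.table.get(key)
        if state is None:
            return "drop"     # no context: unsolicited SYN or a forged ACK from outside
        if not outbound and pkt.syn and pkt.ack and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        elif pkt.fin:
            del self.table[key]   # simplified teardown: the first FIN closes the session
        return "permit"
```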
Packet-Filtering Example: Filtering Rules
Service-Dependent Filtering
Permit incoming Telnet sessions only to a specific list of internal hosts
Permit incoming FTP sessions only to specific internal hosts
Permit all outbound Telnet sessions
Permit all outbound FTP sessions
Deny all incoming traffic from specific external networks
Service-Independent Filtering
Source IP Address Spoofing Attacks
Source Routing Attacks
Tiny Fragment Attacks
Other common Firewall Services
Encrypted Authentication
Allows users on the external network to authenticate to the firewall to gain access to the private network
Virtual Private Networking
Establishes a secure connection between two private networks over a public network
This allows the use of the Internet as a connection medium rather than an expensive leased line
Additional Services Provided
Virus Scanning
Searches incoming data streams for virus signatures so they may be blocked
Done by subscription to stay current (McAfee / Norton)
Content Filtering
Allows the blocking of internal users from certain types of content.
How to Configure a Packet Filter
Start with a security policy
Specify allowable packets in terms of logical expressions on packet fields
Rewrite the expressions in the syntax supported by your vendor
General rules: least privilege
All that is not expressly permitted is prohibited
If you do not need it, eliminate it
Every ruleset is followed by an implicit rule reading like this.
Example 1:
Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.

Solution 1:

Example 2:
Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Solution 2:
This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough.
The ACK signifies that the packet is part of an ongoing conversation
Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts
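A stateless rule evaluator that encodes Example 1, Example 2 with its ACK rule, and the implicit final deny from the configuration slides, as an added example rather than the slides' own solution tables; the gateway address, the inside prefix and the SPIGOT prefix are constructed documentation-range values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    src: str = "0.0.0.0/0"  # CIDR prefix; 0.0.0.0/0 stands for "*"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None   # None means "don't care"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in (None, pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.ack in (None, pkt.ack))

def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule wins; the implicit final rule denies everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed addresses: our gateway, our inside network and the blocked site SPIGOT.
GATEWAY, INSIDE, SPIGOT = "192.0.2.25/32", "192.0.2.0/24", "198.51.100.0/24"

# Example 1: inbound mail only to the gateway machine, and nothing at all from SPIGOT.
EXAMPLE1 = [Rule("deny", src=SPIGOT),
            Rule("permit", dst=GATEWAY, proto="tcp", dport=25)]

# Example 2: any inside host may send mail out; only ACK-bearing replies may come back,
# so an outsider cannot open a connection to an inside host from source port 25.
EXAMPLE2 = [Rule("permit", src=INSIDE, proto="tcp", dport=25),
            Rule("permit", dst=INSIDE, proto="tcp", sport=25, ack=True)]
```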
Hacking Through Packet Filters
TCP can only be filtered in the 0th fragment; by setting the fragment number to 1 the packet will usually pass through the packet filter
Older packet filters only filter ports below 1024
HTTP used higher-numbered ports for passing data back to web browsers
Many new applications use ports above 1024 for normal communication
Public services must be forwarded
Services like the updating of web pages via Netscape Composer must be controlled to limit public access
Best Practices
Use a proxy: it physically breaks the network path
Use stateful packet filters: they can't be bypassed like stateless filters
Disable all ports by default: enable only what is absolutely needed
Secure the base operating system
Apply all patches provided by the vendor
Check the vendor web site frequently
Always use a hardened protocol stack
Security & Performance of Packet Filters
IP address spoofing
Fake source address to be trusted
Add filters on the router to block it
Tiny fragment attacks
Split TCP header info over several tiny packets
Either discard or reassemble before checking
Degradation depends on the number of rules applied at any point
Order rules so that the most common traffic is dealt with first
Correctness is more important than speed
Application-Level Filtering
Has full access to the protocol
User requests a service from the proxy
Proxy validates the request as legal
Then acts on the request and returns the result to the user
Need separate proxies for each service
E.g., SMTP (E-Mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol)
Custom services generally not supported
Firewalls - Application Level Gateway (Proxy)
App-level Firewall Architecture
Daemon spawns proxy when communication detected
[Figure: the Telnet, SMTP and FTP daemons each spawn a matching proxy for a detected network connection]
Network Address Translation (NAT)
Converts a network's illegal IP addresses to legal or public IP addresses
Hides the true addresses of individual hosts, protecting them from attack
Allows more devices to be connected to the network
[Figure: corporate LAN using internal IP addresses 192.172.1.1-192.172.1.254 behind the public IP address 219.22.165.1 toward the Internet]
Address Translation: Hiding
[Figure: inside hosts 10.0.0.2 and 10.0.0.3 sit behind the PAT global address 172.30.0.50; packets toward destination 192.168.0.15 carry source 172.30.0.50, and packets toward 10.0.0.2 and 10.0.0.3 are likewise shown with source 172.30.0.50]
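Port Address Translation as shown in the diagram, written here as an added example (not the slides' own material): two inside hosts using the same local port are hidden behind the single global address 172.30.0.50 and distinguished only by the global port, and inbound packets that match no mapping are dropped. The port range, the class names and the treatment of unmapped traffic are assumptions.

```python
from dataclasses import dataclass, replace

GLOBAL_IP = "172.30.0.50"          # the PAT global address from the diagram

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Pat:
    """Port Address Translation: many inside hosts hide behind one global address."""

    def __init__(self, first_port: int = 10000):
        self.next_port = first_port   # assumed start of the global port pool
        self.out = {}    # (inside_ip, inside_port) -> global_port
        self.back = {}   # global_port -> (inside_ip, inside_port)

    def outbound(self, p: Pkt) -> Pkt:
        """Rewrite the source of a packet leaving the LAN; allocate a mapping on first use."""
        key = (p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(p, src=GLOBAL_IP, sport=self.out[key])

    def inbound(self, p: Pkt):
        """Translate a reply back to the inside host; return None (drop) if no mapping exists."""
        if p.dst != GLOBAL_IP or p.dport not in self.back:
            return None   # unsolicited traffic, or traffic addressed straight at an inside host
        inside_ip, inside_port = self.back[p.dport]
        return replace(p, dst=inside_ip, dport=inside_port)
```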
Firewalls - Circuit Level Gateway
A virtual "circuit" exists between the internal client and the proxy server
Different clients inside the network are all mapped to the public IP address (of the firewall)
Internet requests go through this circuit to the proxy server
The proxy server delivers those requests to the Internet after changing the IP address.
Circuit-level firewalls hide the network itself from the outside, making IP spoofing tedious
Operates at the network layer; relays traffic without examining contents
Firewall Deployment
Corporate Network Gateway
Protects the internal network from attack
Most common deployment point
[Figure: the corporate network gateway sits between the Internet and the corporate site, with public servers in a demilitarized zone (DMZ) and a Human Resources network inside]
Firewall Deployment
Internal Segment Gateway
Protects sensitive segments (Finance, HR, Product Development)
Provides a second layer of defense
Ensures protection against internal attacks and misuse
[Figure: an internal segment gateway in front of the Human Resources network, behind the corporate network gateway]
Firewall Deployment
Server-Based Firewall
Protects individual application servers
Protects files
[Figure: a server-based firewall in front of an SAP server, alongside the corporate network gateway, the internal segment gateway and the DMZ public servers]
Firewall Deployment
Hardware appliance based firewall
Single platform, software pre-installed
Can be used to support small organizations or branch offices with little IT support
Software-based firewall
Flexible platform deployment options
Can scale as the organization grows
Firewall Architectures
Dual-Homed Host
Screened Host
Screened Subnet Host
Dual-Homed Host Architecture
A dual-homed host is a computer that has separate network connections to two networks
It can act as a router between the two networks, but the routing function is disabled when dual-homed hosts are used in firewall architectures
Has the ability to see traffic on both networks
Systems inside the internal network can communicate with the dual-homed host via one network interface, and systems on the Internet via the other
Such hosts are often referred to as Bastion Hosts in the firewall literature
The trusted network is vulnerable if the bastion host is compromised
Screened Host Architecture
Security is provided by packet filtering, and a bastion host sits on the internal network
The bastion host is the only host accessible from the Internet
Connections to the Internet may be routed through the bastion host; in some cases they are allowed directly through the screening router, depending on the network security policy
The trusted network is vulnerable if the bastion host is compromised
Screened Subnet Host Architecture
Isolates the bastion host on a perimeter network
The simplest way to provide a perimeter network is to add an additional screening router to the screened host architecture
The bastion host is then located on the perimeter network between the two screening routers.
Free Firewall Software Packages
IP Chains & IP Tables: come with most Linux distributions
SELinux (Security Enabled Linux, NSA): comes with some Linux distributions (Fedora, RedHat)
IPCop: specialized Linux distribution
Home & Personal Routers
Provide configurable packet filtering and NAT/DHCP
Linksys: single-board RISC-based Linux computer
D-Link
Enterprise Firewalls
Check Point FireWall-1
Cisco PIX (product family)
MS Internet Security & Acceleration Server
GAI Gauntlet
Firewalls Aren't Perfect
Useless against attacks from the inside
An evildoer exists on the inside
Malicious code is executed on an internal machine
Organizations with greater insider threat: banks and military
Protection must exist at each layer
Assess the risks of threats at every layer
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of OSes and file types
