
Introduction to Firewalls

Firewall topics
Why firewall?
What is a firewall?
What is the perfect firewall?
What types of firewall are there?
How do I defeat these firewalls?
How should I deploy firewalls?
What is good firewall architecture?
Firewall trends.
What are the risks?
Theft or disclosure of internal data
Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Wasted employee time
Bad publicity, public embarrassment, and lawsuits
What needs to be secured?
Crown jewels: patent work, source
code, market analysis; information
assets
Any way into your network
Any way out of your network
Information about your network
Why do I need a firewall?
Peer pressure.
One firewall is simpler to administer
than many hosts.
It's easier to be security conscientious
with a firewall.
Overview of Firewalls
As the name implies, a firewall acts as a
security guard controlling access between an
internal, protected network and an external,
untrusted network
A firewall may be implemented as a
standalone hardware device or in the form of
a software on a client computer or a proxy
server
The two types of firewall are generally known as
the hardware firewall and the software firewall
Firewalls in Practice
A computer may be protected by both a
hardware and a software firewall
Mode of Operation
A firewall that stands in between two
networks will inspect a packet that is
ready to pass between the networks
and allow or block the packet based on
the rules set for the firewall to operate
The security continuum
Ease of use vs. degree of security
Cheap, secure, feature-packed, easy to
administer? Choose three.
Default deny or default accept
Easy to use <--------------> Secure
Policy for the firewall
Who gets to do what via the Internet?
What Internet usage is not allowed?
Who makes sure the policy works and is
being complied with?
When can changes be made to
policy/rules?
What will be done with the logs?
Will we cooperate with law enforcement?
What firewall matters more than
which firewall you use.
Internal security policy should show
what systems need to be guarded.
How you deploy your firewall
determines what the firewall protects.
The kind of firewall is how much
insurance you're buying.
How to defeat firewalls
Take over the firewall.
Get packets through the firewall.
Get the information without going
through the firewall.
A partial list of back doors.
personal modems
vendor modems
partner networks
home networks
loose-cannon experts
employee hacking
reusable passwords
viruses
helpful employees
off-site backup & hosting

Even perfect firewalls can't fix:
Tunneled traffic.
Holes, e.g. telnet, opened in the
firewall.
WWW browser attacks / malicious
Internet servers.
Priorities in hacking through a
firewall
Collect information.
Look for weaknesses behind the
firewall.
Try to get packets through the firewall.
Attack the firewall itself.
Subvert connections through the
firewall.
Information often leaked through
firewalls
DNS host information
network configuration
e-mail header information
intranet web pages on the Internet
Ground-floor windows
mail servers
web Servers
old buggy daemons
account theft
vulnerable web browsers
Attacking the firewall
Does this firewall pass packets when
it's crashed?
Is any software running on the firewall?
A fieldtrip through an IP packet
Important fields are:
source, destination, ports, TCP status
[Figure: IP header (TOS, SRC, DEST, options) followed by the TCP header (SPORT, DPORT, SEQ#, ACK#, flags ACK/URG/SYN) and then DATA]
Firewall Functionality
Main functions of a firewall are
a. Access Control
b. Address/Port Translation
c. Logging
d. Authentication, caching, etc.
Functionality
Access Control
A firewall filters incoming as well as outgoing packets. A
firewall is said to be configured with a ruleset based on
which it decides which packets are to be allowed and which
are to be dropped.

Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide them
from the outside world
Also known as IP masquerading
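The masquerading described above, as an added example that is not part of the original deck: a port-based NAT table in Python. The public address 203.0.113.10, the private hosts and the 40000+ port range are constructed values; the point it shows is that two internal hosts using the same private source port still get distinct public ports, that replies are mapped back by public port alone, and that an unsolicited inbound packet with no table entry has nowhere to go and is dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Port-based NAT: every internal host appears to the outside as the box's single
    public IP, distinguished only by the public port the NAT box hands out."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}    # (private ip, private port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}     # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:                      # first packet of a flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None                                  # no internal host asked for this: dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

PUBLIC_IP = "203.0.113.10"   # constructed: the NAT box's one public address

def demo() -> dict:
    """Constructed traffic: two private hosts talk to one web server, then a probe arrives."""
    nat = Masquerader(PUBLIC_IP)
    # both hosts happen to pick private source port 51000
    a_out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    b_out = nat.outbound(Packet("192.168.1.21", 51000, "198.51.100.5", 80))
    # replies are addressed to the public IP and the allocated ports
    a_reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, a_out.src_port))
    b_reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, b_out.src_port))
    # an unsolicited inbound packet to port 22 has no mapping
    probe = nat.inbound(Packet("198.51.100.77", 4444, PUBLIC_IP, 22))
    return {"a_out": a_out, "b_out": b_out, "a_reply": a_reply, "b_reply": b_reply, "probe": probe}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8s} {pkt}")
```

The table is keyed on the public port only, which is why the private hosts are invisible from outside: an external party sees one address and a set of ephemeral ports, and anything it sends to a port that was never allocated is discarded at the box.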
Functionality
Logging
In a sound architecture, all traffic encounters at least one firewall
The firewall logs all anomalous packets or flows for later
study
These are useful for studying attempts at intrusion

Authentication, Caching
Some firewalls perform authentication of external machines
attempting to establish a connection with an internal machine.
A special firewall called a web proxy authenticates internal
users attempting to access an external service. Such a firewall
is also used to cache frequently requested web pages.
Additional Firewall Features
Data encryption
Hiding presence
Reporting/logging
e-mail virus protection
Pop-up ad blocking
Cookie digestion
Spyware protection, etc.

Viruses and Firewalls
In general, firewalls cannot protect against
viruses
Anti-virus software is needed for that purpose
However, many security suites such as those
offered by McAfee and Norton offer
complete protection
Some software firewalls such as Zone Alarm
Pro may contain limited virus protection
features
A Rule of Thumb
Use the best firewall and virus
protection although each may originate
from a different company
Types of firewall
Packet filters
Proxy gateways
Network Address Translation (NAT)
Intrusion Detection
Logging
Packet filters
How Packet filters work
Read the header and filter by whether
fields match specific rules.
SYN flags allow the router to tell if a
connection is new or ongoing.
Packet filters come in dumb, standard,
specialized, and stateful models
Standard packet filter
allows connections as long as the ports are
OK
denies new inbound connections, using the
SYN flag
Examples: Cisco & other routers,
Karlbridge, Unix hosts, steelhead.
Packet filter weaknesses
It's easy to botch the rules.
Good logging is hard.
Stealth scanning works well.
Packet fragments, IP options, and source
routing work by default.
Routers usually can't do authentication of
end points.
Stateful packet filters
SPFs track the last few minutes of network
activity. If a packet doesn't fit in, they drop
it.
Stronger inspection engines can search for
information inside the packets data.
SPFs have to collect and assemble packets
in order to have enough data.
Examples: Firewall One, ON Technologies,
SeattleLabs, ipfilter
Firewall Layer of Operation
Network Layer
Application Layer
Network Layer
Makes decision based on the source,
destination addresses, and ports in
individual IP packets.
Based on routers
Has the ability to perform static and
dynamic packet filtering and stateful
inspection.
Static & Dynamic Filtering
Static Packet Filtering looks at minimal
information in the packets to allow or
block traffic between specific service
ports
Offers little protection.
Dynamic Packet Filtering maintains a
connection table in order to monitor
requests and replies.
Stateful Inspection
Compares certain key parts of the
packet to a database of trusted
information. Incoming information is
compared to outgoing information
characteristics. Information is allowed
through only if the comparison yields a
reasonable match.
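The difference between the standard packet filter (SYN flag only, ports OK, default deny) and a stateful filter that keeps a connection table, as an added example that is not code from the original deck. It serves both the "Packet filters" slides above and the Static/Dynamic/Stateful Inspection slides. The LAN range, the web server address, the rule set and the five sample packets are all constructed; the "allow inbound if ACK is set" rule is the classic static-filter approximation of "ongoing connection", and the example shows why that approximation is the weakness the deck calls stealth scanning: a bare ACK to port 22 passes the static filter but has no entry in the stateful filter's table and is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" = arriving from the untrusted side, "out" = leaving the LAN
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. frozenset({"SYN", "ACK"})

    def opens_connection(self) -> bool:
        # a bare SYN is the only packet that legitimately starts a TCP connection
        return "SYN" in self.flags and "ACK" not in self.flags

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ack_only: bool = False           # static filters approximate "ongoing" by requiring ACK

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack_only and "ACK" not in p.flags:
            return False
        return True

def static_filter(rules: List[Rule], p: Packet) -> str:
    """Standard packet filter: first matching rule wins; no match means default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]

class StatefulFilter:
    """Only connection-opening packets consult the ruleset. Every other packet must belong
    to a connection already in the table, whichever direction it travels, or it is dropped."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[ConnKey] = set()

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)   # both directions of one connection share an entry

    def decide(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.table:
            return "allow"
        if not p.opens_connection():
            return "deny"                     # stray ACK/FIN/RST with no state
        verdict = static_filter(self.rules, p)
        if verdict == "allow":
            self.table.add(key)
        return verdict

LAN = "192.168.1.0/24"                        # constructed protected network
RULES = [
    Rule("allow", direction="out", src=LAN),                          # anything the LAN initiates
    Rule("allow", direction="in", dst="192.168.1.10/32", dport=80),   # the one public web server
    Rule("allow", direction="in", ack_only=True),                     # replies to LAN connections (static approximation)
]

# Constructed traffic: a LAN client's HTTPS session, its reply, and three inbound packets.
TRAFFIC = [
    ("lan client opens 443",   Packet("out", "192.168.1.20", "198.51.100.5", 51000, 443, frozenset({"SYN"}))),
    ("server replies SYN/ACK", Packet("in", "198.51.100.5", "192.168.1.20", 443, 51000, frozenset({"SYN", "ACK"}))),
    ("ack probe to port 22",   Packet("in", "198.51.100.77", "192.168.1.20", 4444, 22, frozenset({"ACK"}))),
    ("syn to port 22",         Packet("in", "198.51.100.77", "192.168.1.20", 4444, 22, frozenset({"SYN"}))),
    ("syn to web server 80",   Packet("in", "198.51.100.77", "192.168.1.10", 4445, 80, frozenset({"SYN"}))),
]

def compare(traffic=TRAFFIC) -> Dict[str, Tuple[str, str]]:
    """Return {label: (static verdict, stateful verdict)} for each packet, in order."""
    spf = StatefulFilter(RULES)
    return {label: (static_filter(RULES, p), spf.decide(p)) for label, p in traffic}

if __name__ == "__main__":
    for label, (static_v, stateful_v) in compare().items():
        print(f"{label:24s} static={static_v:5s} stateful={stateful_v}")
```

Both filters default to deny, so the inbound SYN to port 22 is refused either way; the verdicts only diverge on the packet that claims to be part of an ongoing connection. A real stateful engine also ages entries out and tracks UDP and ICMP pseudo-connections, which this table omits.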
Application Layer
They are generally hosts running proxy
servers which perform logging and
auditing of traffic through the network.
Logging and access control are done
through software components.
Proxy Services
Application that mediates traffic
between a protected network and the
internet.
Able to understand the application
protocol being utilized and implement
protocol specific security.
Application protocols include: FTP,
HTTP, Telnet etc.
Port Scans
When hackers remotely probe your
computers to see what software and
services they run.
Port scans are common but with a
properly configured and maintained
firewall you can restrict access.
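Restricting access is half of the answer; the other half is noticing the scan in the firewall's own logs (the Logging function described earlier). The following detector is an added example, not code from the original deck: it parses constructed DENY records in a made-up log format, keeps a 60-second sliding window per source, and flags any source that touched ten or more distinct destination ports inside one window. The sample log mixes a fast scanner, a misconfigured client hammering a single port, and a slow prober spread over two hours, so it also shows the window-length trade-off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log format (not any real firewall's):
#   "<iso-timestamp> DENY in tcp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<dir>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def detect_scans(lines: List[str], window_s: int = 60, min_ports: int = 10) -> Dict[str, int]:
    """Flag sources that hit >= min_ports distinct destination ports within any
    window_s-second sliding window. Returns {src_ip: most distinct ports seen in one window}."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in sorted(lines):          # ISO-8601 timestamps sort lexically in time order
        m = LOG_RE.match(line)
        if not m:
            continue                    # ALLOW records and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        src, dport = m["src"], int(m["dport"])
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                 # drop entries that fell out of the window
        distinct = len({p for _, p in q})
        if distinct >= min_ports:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

def _line(ts: datetime, src: str, dport: int) -> str:
    """Build one constructed DENY record aimed at a LAN host."""
    return f"{ts.isoformat()} DENY in tcp {src}:40000 -> 192.168.1.20:{dport}"

T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_LOG: List[str] = (
    # a scanner: 12 different ports in 12 seconds
    [_line(T0 + timedelta(seconds=i), "198.51.100.77", 20 + i) for i in range(12)]
    # a misconfigured client: 15 denied hits, all on port 445
    + [_line(T0 + timedelta(seconds=i), "198.51.100.8", 445) for i in range(15)]
    # a slow prober: 12 ports, one every ten minutes
    + [_line(T0 + timedelta(minutes=10 * i), "198.51.100.9", 20 + i) for i in range(12)]
    # an allowed reply that the regex must not count
    + ["2024-03-01T10:00:05 ALLOW in tcp 198.51.100.5:443 -> 192.168.1.20:51000"]
)

if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60 s")
```

With the default 60-second window only the fast scanner is reported; widening the window to two hours also catches the slow prober, at the cost of holding more state per source. Counting distinct ports rather than raw hits is what keeps the single-port client out of the alert list.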
DMZ
Demilitarized zone
Neither part of the internal network nor
part of the Internet
Never offer attackers more to work with
than is absolutely necessary
Firewall Scenario
Microsoft Internet Security and
Acceleration (ISA) Server as a Dedicated
Server
Network Configuration
Single Computer
Small Office Network
Less than 250 Clients
IP Network Protocol
Demand Dial Connectivity
Larger Organization
Array of ISA Servers
Internet
ISA Server
Local Area Network
Software Firewalls
Firewall for Windows
Zone Alarm
Winroute
Trojan Trap - Trojan Horse
Firewall for Linux
Iptables
Firewall for Mac
Netbarrier
Software Firewall
Implementation
Implementing a Firewall
An Example
Using Winroute as a software router for
a small LAN.
Using Trojan Trap as protection against
active code attack.
Software installation.
Firewall configuration.
Test and scan.

Firewall software comparison
Winroute
Routing using NAT (Network Address
Translation)
Packet filtering
Port mapping
Anti-spoofing
VPN support
DNS, DHCP
Remote administration
Configuration and Rule Sets

Setup Winroute for LAN
Winroute-PC should at least have 2
NICs
Check that all IP addresses are pingable
Validate NAT on the Winroute-PC
Deactivate NAT on the NIC connected
to internal LAN
Setup Winroute for LAN
No gateway configured on your local
interface of the Winroute-PC
Configure forwarding options
On each internal PC configure the
default gateway
On each internal PC configure the DNS
server

Scan and Test
http://scan.sygatetech.com/
http://www.csnc.ch/onlinetests/
http://grc.com/
http://hackerwhacker.com/


Trojan Trap
Resource protection: restricts access to
system resources by unknown
applications
Application control
Content filtering
IP ports monitoring

Hardware Firewall
What is it?
What it does.
An example.
Firewall use.
What it protects you from.

Hardware Firewall (Cont.)
What is it?
It is just a software firewall running on a
dedicated piece of hardware or specialized
device.
Basically, it is a barrier to keep destructive
forces away from your property.
You can use a firewall to protect your home
network and family from offensive Web
sites and potential hackers.


Hardware Firewall (Cont.)
What it does!
It is a hardware device that filters the
information coming through the Internet
connection into your private network or
computer system.
If an incoming packet of information is flagged by
the filters, it is not allowed through.

Hardware Firewall (Cont.)
An example!
Hardware Firewall (Cont.)
Firewalls use:
Firewalls use one or more of three
methods to control traffic flowing in
and out of the network:
Packet filtering
Proxy service
Stateful inspection
Hardware Firewall (Cont.)
Packet filtering - Packets are analyzed against a set of
filters.
Proxy service - Information from the Internet is
retrieved by the firewall and then sent to the requesting
system and vice versa.
Stateful inspection - It compares certain key parts
of the packet to a database of trusted information.
Information traveling from inside to the outside is
monitored for specific defining characteristics, then
incoming information is compared to these
characteristics.

Hardware Firewall (Cont.)
What it protects you from:
Remote logins
Application backdoors
SMTP session hijacking
E-mail Addresses
Spam
Denial of service
E-mail bombs
E-mail sent 1000s of times till mailbox is full
Macros
Viruses

Software Firewall
What is it?
Also called Application Level Firewalls
It is a firewall that operates at the Application
Layer of the OSI model
They filter packets at the network layer
It operates between the Data Link Layer and
the Network Layer
It monitors the communication type (TCP,
UDP, ICMP, etc.) as well as the origin of
the packet, the destination port of the packet, and the
application (program) the packet is coming
from or headed to.




Software Firewall (Cont.)
How does a software firewall work?
Software Firewall (Cont.)
Benefits of using application firewalls:
allow direct connection between client and host
ability to report to intrusion detection software
equipped with a certain level of logic
Make intelligent decisions
configured to check for a known vulnerability
large amount of logging

Software Firewall (Cont.)
Benefits of application firewalls (Cont.)
easier to track when a potential vulnerability happens
protect against new vulnerabilities before they are found
and exploited
ability to "understand" application-specific information
structure
Incoming or outgoing packets cannot access services for
which there is no proxy

Software Firewall (Cont.)
Disadvantages of application firewalls:
slow down network access dramatically
more susceptible to distributed denial of service (DDoS)
attacks.
not transparent to end users
require manual configuration of each client computer

Top Picks Personal Firewalls
Norton Personal Firewall
ZoneAlarm Free/Plus/Pro
Conclusion
Web References
www.firewall.com
www.firewall-net.com
www.firewallguide.com
www.msdn.microsoft.com
www.winroute.com
www.tinysoftware.com
www.sunsite.unc.edu
Benefits of Firewall-Summary
Prevent intrusion
Choke point for security audit
Reduce attacks by hackers
Hide network behind a single IP
address
Part of total network security policy
References
http:// www.howstuffworks.com
http://www.microsoft.com
http://www.securityfocus.com
http://grace.com/us-firewalls.htm
http://www.kerio.com/us/supp_kpf_manual.html
http://www.broadbandreports.com/faq/security/2.5.1.
http://www.firewall-software.com

Port Numbers

The Well Known Ports are those from 0
through 1023.
The Registered Ports are those from 1024
through 49151.
The Dynamic and/or Private Ports are those
from 49152 through 65535.
http://www.iana.org/assignments/port-numbers
ftp://ftp.isi.edu/in-notes/rfc1700.txt
Well-known TCP / UDP ports
TCP Port Number   Description
20                FTP (Data Channel)
21                FTP (Control Channel)
23                Telnet
80                HyperText Transfer Protocol (HTTP), used for the World Wide Web
139               NetBIOS session service

UDP Port Number   Description
53                Domain Name System (DNS) Name Queries
69                Trivial File Transfer Protocol (TFTP)
137               NetBIOS name service
138               NetBIOS datagram service
161               Simple Network Management Protocol (SNMP)

References
http://www.tlc.discovery.com/convergence/hackers/hackers.html
http://www.tuxedo.org/~esr/faqs/hacker-howto.html
http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/
http://www.infosecuritymag.com/articles/march01/features4_battle_plans.shtml
http://www.nmrc.org/faqs/www/wsec09.html
http://www.microsoft.com/ (Tim Rains, Technical Lead, Networking Team)
Q310099, "Description of the Portqry.exe Command-Line Utility"

Hardware Firewalls
Some Hardware Firewall Features*
Offers IP security and internet key
exchange network encryption.
Integrated firewall functions.
Network address translation.
Encrypted SNMP management traffic

Some Hardware Firewall
Manufacturers
DLink
Linksys
CISCO
Some Software Firewall Features
Network access control
Trusted zones, Internet zones and Blocked
zones
Program access control
Program access to the Internet
Privacy control
Some Software Firewalls
Zone Alarm
Microsoft Windows Firewall
McAfee Security Suite
Norton Security Suite
Layer of Operation
