-
Firewalls
CS461/ECE422 Spring 2012
-
Reading Material
Text chapter 9 Firewalls and Internet Security: Repelling the
Wily Hacker, Cheswick, Bellovin, and Rubin.
-
Firewall Goal
Insert a"er the fact security by wrapping or interposing a
filter on network traffic
Inside Outside
-
Firewall Requirements
All traffic between network secTon A and network secTon B (and
visa versa) must pass through the firewall (or a consistently
controlled set of firewalls)
Only authorized traffic (as specified by the security policy) is
allowed to pass
The firewall itself is immune to penetraTon
-
Typical corporate network
Web Server
Mail forwarding
Mail server DNS (internal)
DNS (DMZ)
Internet
File Server
User machines User machines User machines
Web Server
Demilitarized Zone (DMZ)
Intranet Firewall
Firewall
-
Packet Filter Firewall
Operates at Layer 3 in router or HW firewall Has access to the
Layer 3 header and Layer 4 header Can block traffic based on source
and desTnaTon address, ports, and protocol
Does not reconstruct Layer 4 payload, so cannot do reliable
analysis of layer 4 or higher content
-
Rule Scenario
-
Example Packet Filter Rules
Rules a^ached to outside interface
Rules a^ached to inside interface
Ac#on Source Addr
Src port
Dest Addr Dest Port
Protocol Comment
Block Outside host * * * * Dont trust
Allow * * Our Mail Server
25 Tcp Allow mail traffic
Ac#on Source Addr
Source Port
Dest Addr Dest Port Protocol Comment
Block * * Outside host
* * Dont trust
Allow Our Mail Server
25 * * Tcp Allow Mail traffic
-
Same Rules in iptables Rules in the filter table -A FORWARD p ip
-s outside_host j REJECT
-A FORWARD p ip d outside_host j REJECT -A FORWARD i outside p
tcp d our_mail_server m tcp --dport 25 j ACCEPT -A FORWARD i inside
p tcp s our_mail_server m tcp --sport 25 j ACCEPT -A FORWARD j
REJECT
-
More Example Pack Filter Rules
Rules a^ached to inside interface
Rules a^ached to outside interface
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow * * * 25 TCP Allow traffic to all mail servers
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow * 25 * * TCP Allow return traffic from all mail
servers
-
A Be^er Example
Rules a^ached to inside interface
Rules a^ached to outside interface
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow Inside networks
* * 25 TCP Allow traffic to all mail servers
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow * 25 Inside networks
* TCP ACK Allow return traffic from all mail servers
-
FTP Example Rules a^ached to inside interface
Rules a^ached to outside interface
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow Inside networks
* * 21 TCP Allow Control channel traffic out
Allow Inside networks
> 1024 * * TCP ACK Allow data traffic back
Ac#on Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow * 21 Inside networks
* TCP ACK Allow return traffic for FTP control channel
Allow * * Inside networks
>1024 TCP IniTate data traffic
-
Stateful InspecTon Firewall Evolved as packet filters aimed for
proxy funcTonality In addiTon to Layer 3 reassembly, it can
reconstruct layer 4 traffic Some applicaTon layer analysis exists,
e.g., for HTTP, FTP, H.323
Called context-based access control (CBAC) on IOS Configured by
fixup command on PIX
Some of this analysis is necessary to enable address translaTon
and dynamic access for negoTated data channels
ReconstrucTon and analysis can be expensive. Must be configured
on specified traffic streams At a minimum the user must tell the
Firewall what kind of traffic to
expect on a port Degree of reconstrucTon varies per plaform,
e.g. IOS does not do IP
reassembly
-
Circuit Firewall
Actually creates two separate TCP connecTons Completely
reconstructs TCP connecTons SOCKS is an example implementaTon
-
Example Stateful Rules
Rules a^ached to outside interface
Rules a^ached to inside interface
Ac#on Source Addr
Src port
Dest Addr Dest Port
Protocol Comment
Block Outside host * * * * Dont trust
Allow * * Our Mail Server
25 Tcp Allow mail traffic
Ac#on Source Addr
Source Port
Dest Addr Dest Port Protocol Comment
Block * * Outside host
* * Dont trust
-
Same Rules in iptables Rules in the filter table -A FORWARD p ip
-s outside_host j REJECT
-A FORWARD p ip d outside_host j REJECT -A FORWARD m state
--state ESTABLISHED, RELATED j ACCEPT -A FORWARD i outside m state
state NEW p tcp d our_mail_server m tcp --dport 25 j ACCEPT -A
FORWARD j REJECT
-
ApplicaTon Proxy Firewall
Firewall sogware runs in applicaTon space on the firewall
The traffic source must be aware of the proxy and add an
addiTonal header Now transparent proxy support is available
(TPROXY)
Leverage basic network stack funcTonality to saniTze applicaTon
level traffic Block java or acTve X Filter out bad URLs Ensure well
formed protocols or block suspect aspects of protocol
-
Traffic reconstrucTon
X Y
FTP: X to YGET /etc/passwd
GET command causes firewall to dynamically
open data channel initiate from Y to X
Might have filter for files to block, like /etc/passwd
-
Ingress and Egress Filtering Ingress filtering
Filter out packets from invalid addresses before entering your
network Egress filtering
Filter out packets from invalid addresses before leaving your
network
Inside Outside
Owns network X
Egress FilteringBlock outgoing traffic not sourced from network
X
Ingress FilteringBlock incoming traffic from
one of the set of invalid networks
-
Denial of Service
Example a9acks Smurf A9ack TCP SYN A9ack Teardrop
DoS general exploits resource limita#ons Denial by ConsumpTon
Denial by DisrupTon Denial by ReservaTon
-
Teardrop A^ack
Send series of fragments that don't fit together Poor stack
implementaTons would crash Early windows stacks
Offset 0, len 60
Offset 30, len 90
Offset 41, len 173
-
Address TranslaTon TradiTonal NAT RFC 3022 Reference RFC Map
real address to alias address
Real address associated with physical device, generally an
unroutable address
Alias address generally a routeable associated with the
translaTon device
Originally moTvated by limited access to publicly routable IP
addresses Folks didnt want to pay for addresses and/or hassle with
gemng
official addresses Later folks said this also added security
By hiding structure of internal network Obscuring access to
internal machines
Adds complexity to firewall technology Must dig around in data
stream to rewrite references to IP addresses
and ports Limits how quickly new protocols can be firewalled
-
Address Hiding (NAPT)
Many to few dynamic mapping Packets from a large pool of private
addresses are mapped to a small pool of public addresses at
runTme
Port remapping makes this sharing more scalable Two real
addresses can be rewri^en to the same alias address
Rewrite the source port to differenTate the streams Traffic must
be iniTated from the real side Called masquerading in iptables if
the interface IP is used for the alias address
-
NAT example
EnforcingDevice192.168.1.0/24
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from inside to DMZ192.168.1.5 to 128.274.1.5
inside
DMZ
outside
Src=192.168.1.100Dst=microsoft.com
Src=128.274.1.1Dst=microsoft.com
-
StaTc Mapping
One-to-one fixed mapping One real address is mapped to one alias
address at configuraTon Tme Traffic can be iniTated from either
side
Used to staTcally map out small set of servers from a network
that is otherwise hidden
StaTc port remapping is also available
-
NAT example
EnforcingDevice192.168.1.0/24
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from DMZ to Internet10.10.10.5 to 128.274.1.5
inside
DMZ
outside
Src=XDst=10.10.10.5
Src=XDst=128.274.1.5
-
Deployment Hardware Firewall Buy firewall from vendor
They provide sogware and hardware Depending on cost, may include
hardware accelerators
Sogware Firewall on hardened basTon server Buy sogware from
vendor or use open source Harden server to reduce a^ack surface
Host-based firewall AddiTonal layer of defense for applicaTon
server
Personal firewall Protect desktops/laptops from undesired
probing
-
DMZ Network
Web Server
Mail forwarding
Mail server DNS (internal)
DNS (DMZ)
Internet
File Server
User machines User machines User machines
Web Server
Demilitarized Zone (DMZ)
Intranet Firewall
Firewall
-
VPN Network
-
Distributed Firewalls
-
Intrusion PrevenTon
Discussed in the Intrusion DetecTon lecture Enables more dynamic
rules and access rules that rely on more communicaTon details Can
download new signatures or adapt anomaly rules on a daily basis
-
Unified Threat Management (UTM)
Firewalls at the border provide a nice point for analysis Might
as well perform other analysis as long as flows have been
tracked
Deploy one box instead of N boxes AddiTonal acTons could be
Virus scanning URL filtering IDS/IPS/anomaly detecTon Spam
filtering
-
Limits to firewalls Cannot analyze encrypted traffic
Beyond header informaTon Everything is driven through port
80
Relies on port as indicator of service Newer firewalls
dynamically analyze traffic to determine protocol
Cannot react to new a^acks on protocols that must be allowed IPS
can help
Tracking IP addresses instead of people Costs too much to manage
firewalls
-
Summary
Different types of firewalls for different needs Packet
filtering/stateful/applicaTon Network/Host/personal
Firewalls have been a stalwart element of network security for
decades Not the end all soluTon But sTll beneficial
