Firewalls 05/10/22 1

Firewalls and Packet Filters


Page 1: Firewalls and Packet Filters

Firewalls

04/28/23 1

Page 2: Firewalls and Packet Filters

What is a Firewall?

• A firewall:
  – Acts as a security gateway between two networks
    • Usually between trusted and untrusted networks
  – Tracks and controls network communications
    • Decides whether to pass or reject

[Figure: the firewall as Corporate Network Gateway between the Internet and the Corporate Site]

Page 3: Firewalls and Packet Filters

Firewall

• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  – only authorized traffic is allowed
• Auditing and controlling access
  – can implement alarms for abnormal behavior
• Itself immune to penetration

Page 4: Firewalls and Packet Filters

Firewall Gateways

• Firewall runs a set of proxy programs
  – Proxies filter incoming and outgoing packets
  – All incoming traffic is directed to the firewall
  – All outgoing traffic appears to come from the firewall
• Policy embedded in proxy programs
• Two kinds of proxies
  – Application-level gateways/proxies
    • Tailored to HTTP, FTP, SMTP, etc.
  – Circuit-level gateways/proxies
    • Working at the network level

Page 5: Firewalls and Packet Filters

Why Are Firewalls Needed?

• Prevent attacks from untrusted networks
• Protect confidential information
• Protect the data integrity of critical information

Page 6: Firewalls and Packet Filters

Evolution of Firewalls

[Figure: Stage of Evolution – Packet Filter, Stateful Inspection, Application Proxy]

Page 7: Firewalls and Packet Filters

Packet Filter

• Packets examined at the network layer
• Commonly deployed on routers
• Simple accept or reject decision model
• No awareness of higher protocol layers

[Figure: OSI stacks of the two end hosts and the packet filter; the filter handles only the Network layer (plus Data Link and Physical)]

Page 8: Firewalls and Packet Filters

Application Gateway or Proxy

• Packets examined at the application layer
• Application/content filtering possible – prevent FTP "put" commands, for example
• Modest performance
• Limited scalability

[Figure: OSI stacks of the two end hosts and the gateway; the gateway processes traffic through all layers up to the Application layer]

Page 9: Firewalls and Packet Filters

Stateful Inspection

• Packets inspected between the data link layer and the network layer in the OS kernel
• State tables are created to maintain connection context
• Invented by Check Point

[Figure: OSI stacks of the two end hosts and the firewall; the INSPECT Engine with its Dynamic State Tables sits between the Data Link and Network layers]

Page 10: Firewalls and Packet Filters

Classification of Firewall

• Packet filtering
• Circuit gateways
• Application gateways
• A combination of the above is a dynamic packet filter

Page 11: Firewalls and Packet Filters

Firewalls – Packet Filters


Page 12: Firewalls and Packet Filters

Firewalls – Packet Filters

• Simplest type
• Uses transport-layer information only
  – IP source address, destination address
  – Protocol/Next Header (TCP, UDP, ICMP, etc.)
  – TCP or UDP source & destination ports
  – TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  – ICMP message type

Page 13: Firewalls and Packet Filters

Packet Filtering Gateways

• Make the decision based on the header of a packet
  – The header contains source and destination addresses and port numbers; port numbers can be used to infer the type of packet
    • 80 -> Web, 22 -> SSH
    • E.g., allow Web, but not SSH
• Ignore the payload of the packet
• Can drop spoofed traffic
  – XY's firewall could drop all packets originating from XY whose source address is not of the form 129.97.a.b
  – It could also drop any traffic originating from outside of XY whose source address is of the form 129.97.a.b

Page 14: Firewalls and Packet Filters

Usage of Packet Filters

• Filtering on incoming or outgoing interfaces
  – E.g., ingress filtering controls inbound traffic
  – Egress filtering controls outgoing traffic
• Permits or denies certain services
  – Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

Page 15: Firewalls and Packet Filters

Types of Packet Filtering

1. Stateless Packet Filters
   • A router configured to pass or reject packets based on information in the header of each individual packet
2. Stateful Packet Filters
   • Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets

Page 16: Firewalls and Packet Filters

Stateless Packet Filters

• A border router configured to pass or reject packets based on information in the header of each individual packet
  – Can be configured to pass/reject based on any field, but usually done based on:
    – protocol type
    – IP address
    – TCP/UDP port
    – Fragment number
    – Source routing information

Page 17: Firewalls and Packet Filters

Protocol Filtering

• Filtering based on the IP protocol field allows rejecting entire protocol suites
  – UDP
  – TCP
  – ICMP
  – IGMP
• This is almost too general
  – e.g., suppose you block UDP; then any TCP-based application won't be able to convert host/domain names to IP addresses (DNS is based on UDP)
• So it is seldom used.

Page 18: Firewalls and Packet Filters

IP Address Filtering

• Pass/reject packets based on membership in a set of acceptable IP addresses
• Usually not used to block specific hosts
• Usually block source routed packets
  – big security hole
• If a hacker knows an address that the filter will pass, then they can easily forge a packet that will pass through the filter

Page 19: Firewalls and Packet Filters

Port Filtering

• Accept or reject packets based on port number
• Most commonly used filtering method
• Pass all but those specified
• Reject all but those specified
• Important ports/protocols to block:
  – telnet
  – NetBIOS
  – POP
  – NFS
  – X Windows
  – Windows Terminal Services

Page 20: Firewalls and Packet Filters

Source Routed Filtering

• Source routed packets should never be allowed into your network
• Source routing
  – Allows you to specify the path a packet will take through your network
• Strict Source Routing
  – Specifies the exact path to be taken
• Loose Source Routing
  – Indicates one or more hosts the packet must go through
  – A hacker can plug in their own address and force packets to travel through a machine that they can sniff

Page 21: Firewalls and Packet Filters

Loose Source Routing

• A packet is given a list of hops to be taken
• Each packet carries the same source address; the destination is whatever the next IP in the hop path is; the hop path is in the IP Option field.
• 131 is the type for Loose Source Routing
• Length – total length of the option
• Offset – byte offset to the next IP to hop to

IP Option field:

  Type (1 byte) | Length (1 byte) | Offset (1 byte) | IP 1 (4 bytes) | IP 2 (4 bytes) | ...
  131           |                 |                 |                |                |

Page 22: Firewalls and Packet Filters

Fragmentation Filtering

• Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes
• Security considerations
  – The TCP or UDP port number is provided only at the beginning of a packet; it appears only in fragments numbered 0
  – Fragments numbered 1 or higher will be passed through the filter
  – If a hacker modifies an IP header to start all fragment numbers of a packet at 1 or higher, all fragments will go through the filter
• Filtering by Fragmentation Flags
  – Configure the firewall/packet filter to drop all fragmented packets, or
  – Have the firewall reassemble fragmented packets and allow only complete packets to pass through
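The two header-level checks from the Loose Source Routing and Fragmentation Filtering slides, as an added Python example (not part of the slides): it parses a raw IPv4 header, drops packets carrying a source-route option (type 131 as given above, plus type 137 for strict source routing per RFC 791) and drops fragments whose offset is non-zero or whose first fragment is too small to hold the TCP header. The packet bytes are constructed inline; the addresses are documentation-range placeholders.

```python
import struct

# Added example, not from the slides: stateless header checks for source
# routing options and fragments on a raw IPv4 packet.
LSRR, SSRR = 131, 137       # Loose (slide) and Strict (RFC 791) Source Route
TCP = 6
MIN_TCP_HEADER = 20         # bytes a first fragment must carry to expose ports/flags


def inspect_ipv4(pkt: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one IPv4 packet."""
    if len(pkt) < 20:
        return "drop: truncated header"
    ver_ihl, _, _, _, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return "drop: malformed header"
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8   # offset field counts 8-byte units
    # Walk the options area (bytes 20..ihl) looking for a source route.
    opts, i = pkt[20:ihl], 0
    while i < len(opts) and opts[i] != 0:     # 0 = End of Option List
        kind = opts[i]
        if kind == 1:                          # 1 = No Operation, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return "drop: malformed option"
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            # Layout from the slide: type, length, offset, then 4-byte hops.
            hops = [".".join(map(str, opts[j:j + 4])) for j in range(i + 3, i + length, 4)]
            return f"drop: source routing option {kind} via {hops}"
        i += length
    # Only fragment 0 carries the transport header, so later fragments and
    # a first fragment too short to hold it cannot be port-filtered.
    if frag_offset > 0:
        return "drop: non-first fragment (ports not visible)"
    if more_fragments and proto == TCP and len(pkt) - ihl < MIN_TCP_HEADER:
        return "drop: tiny first fragment splits TCP header"
    return "accept"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"", flags_frag: int = 0) -> bytes:
    """Build a minimal IPv4 header (checksum left zero) for the constructed samples."""
    options += b"\x00" * (-len(options) % 4)             # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + options + payload


# Constructed sample packets (documentation-range addresses, dummy TCP payloads).
TCP_SYN = build_ipv4(TCP, b"\x00" * MIN_TCP_HEADER)
LSRR_PKT = build_ipv4(TCP, b"\x00" * MIN_TCP_HEADER,
                      options=bytes([LSRR, 11, 4, 192, 0, 2, 1, 203, 0, 113, 7]))
LATER_FRAG = build_ipv4(TCP, b"\x00" * 8, flags_frag=0x0001)   # offset 8, no MF
TINY_FRAG = build_ipv4(TCP, b"\x00" * 8, flags_frag=0x2000)    # MF set, offset 0
```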

Page 23: Firewalls and Packet Filters

Problems with Stateless Filters

• The effectiveness of stateless filters is limited because:
  – They cannot check the payload of the packets
    • service-related filtering can only be done by application-level proxies
  – They do not retain the state of the connections

Page 24: Firewalls and Packet Filters

Stateful Packet Filtering

• Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
  – create an in-memory state table for the state of all network and session layers
  – allows only packets that result from connections that have already been established
• More sophisticated and secure
• Has a rule base and a state table
• Newer firewalls all provide stateful packet filtering
  – some also provide higher-level protocol proxying

Page 25: Firewalls and Packet Filters

Stateful Packet Filters

• Traditional packet filters do not examine higher-layer context
  – i.e., matching return packets with the outgoing flow
• Stateful packet filters address this need
• They examine each IP packet in context
  – Keep track of client-server sessions
  – Check that each packet validly belongs to one
• Hence they are better able to detect bogus packets out of context
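The state-table behaviour described on the Stateful Packet Filtering slides, as an added Python example (not from the slides): an inside host's SYN creates an entry, replies are accepted only when they match the reversed tuple, and an inbound packet with no entry is dropped even if it carries the ACK bit. Addresses and the packet sequence are constructed; FIN half-close handling and timeouts are omitted.

```python
from dataclasses import dataclass

# Added example, not from the slides: a minimal connection-tracking filter.
# Inside hosts may open sessions; inbound packets pass only if they belong
# to a session already recorded in the state table.


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFilter:
    def __init__(self):
        # state table: (inside ip, inside port, outside ip, outside port) -> state
        self.table = {}

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table[key] = "SYN_SENT"          # inside host opens a session
                return "accept"
            if key not in self.table:
                return "drop: outbound packet with no session"
            if "ACK" in p.flags and self.table[key] == "SYN_ACK_SEEN":
                self.table[key] = "ESTABLISHED"      # handshake completed
        else:
            key = (p.dst, p.dport, p.src, p.sport)    # reversed tuple
            if key not in self.table:
                # No inside host asked for this, so even an ACK-bearing
                # packet (which a stateless ACK rule would pass) is bogus.
                return "drop: no matching session in state table"
            if self.table[key] == "SYN_SENT" and p.flags >= {"SYN", "ACK"}:
                self.table[key] = "SYN_ACK_SEEN"
        if "RST" in p.flags:
            del self.table[key]                       # reset tears the entry down
        return "accept"


def demo() -> list:
    """Constructed exchange: one legitimate session plus out-of-context packets."""
    fw = StatefulFilter()
    F = frozenset
    inside, web, rogue = "192.0.2.40", "203.0.113.10", "198.51.100.9"
    return [
        fw.filter(Packet("out", inside, 40000, web, 80, F({"SYN"}))),
        fw.filter(Packet("in", web, 80, inside, 40000, F({"SYN", "ACK"}))),
        fw.filter(Packet("out", inside, 40000, web, 80, F({"ACK"}))),
        fw.filter(Packet("in", web, 80, inside, 40000, F({"ACK"}))),
        fw.filter(Packet("in", rogue, 80, inside, 40000, F({"ACK"}))),   # forged "reply"
        fw.filter(Packet("in", web, 80, inside, 22, F({"SYN"}))),        # unsolicited
        fw.filter(Packet("out", inside, 40000, web, 80, F({"RST"}))),
        fw.filter(Packet("in", web, 80, inside, 40000, F({"ACK"}))),     # after teardown
    ]
```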

Page 26: Firewalls and Packet Filters

Stateful Packet Filtering


Page 27: Firewalls and Packet Filters

Stateful Packet Filtering


Page 28: Firewalls and Packet Filters

Packet Filtering – Example Filtering Rules

Service-Dependent Filtering
• Permit incoming Telnet sessions only to a specific list of internal hosts
• Permit incoming FTP sessions only to specific internal hosts
• Permit all outbound Telnet sessions
• Permit all outbound FTP sessions
• Deny all incoming traffic from specific external networks

Service-Independent Filtering
• Source IP Address Spoofing Attacks
• Source Routing Attacks
• Tiny Fragment Attacks

Page 29: Firewalls and Packet Filters

Other Common Firewall Services

• Encrypted Authentication
  – Allows users on the external network to authenticate to the firewall to gain access to the private network
• Virtual Private Networking
  – Establishes a secure connection between two private networks over a public network
    • This allows the use of the Internet as a connection medium rather than an expensive leased line

Page 30: Firewalls and Packet Filters

Additional Services Provided

• Virus Scanning
  – Searches incoming data streams for virus signatures so they may be blocked
  – Done by subscription to stay current
    • McAfee / Norton
• Content Filtering
  – Allows the blocking of internal users from certain types of content.

Page 31: Firewalls and Packet Filters

How to Configure a Packet Filter

• Start with a security policy
• Specify allowable packets in terms of logical expressions on packet fields
• Rewrite the expressions in the syntax supported by your vendor
• General rules – least privilege
  – All that is not expressly permitted is prohibited
  – If you do not need it, eliminate it

Page 32: Firewalls and Packet Filters

Every ruleset is followed by an implicit rule reading like this.

Page 33: Firewalls and Packet Filters

Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.

Solution 1:

Page 34: Firewalls and Packet Filters

Example 2: Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Solution 2: This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough…

Page 35: Firewalls and Packet Filters

The ACK signifies that the packet is part of an ongoing conversation.

Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts.
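A first-match rule engine with the implicit final block, as an added Python example (not from the slides), carrying the anti-spoofing check from the Packet Filtering Gateways slide and the two SMTP examples from the configuration slides, including the ACK-bit rule just described. The inside network, gateway address and the SPIGOT range are constructed placeholders from the documentation address blocks, not the slides' 129.97.a.b.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet header as the filter sees it (constructed example)."""
    iface: str          # "ext" = arrived from the Internet, "int" = from inside
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: range = range(65536)
    dport: range = range(65536)
    ack: Optional[bool] = None      # None = do not care about the ACK bit

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.sport in self.sport and p.dport in self.dport
                and (self.ack is None or self.ack == p.ack))


def decide(rules, p: Packet) -> str:
    """First matching rule wins; every ruleset ends with an implicit block."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Constructed addresses from the IPv4 documentation ranges, not from the slides.
INSIDE, GATEWAY, SPIGOT = "192.0.2.0/24", "192.0.2.25", "198.51.100.0/24"
RULES = [
    # Anti-spoofing: a packet from outside must not claim an inside address.
    Rule("block", iface="ext", src=INSIDE),
    # Example 1: inbound mail only to the gateway, nothing from SPIGOT.
    Rule("block", iface="ext", src=SPIGOT),
    Rule("allow", iface="ext", dst=GATEWAY, dport=range(25, 26)),
    Rule("allow", iface="int", src=GATEWAY, sport=range(25, 26), ack=True),
    # Example 2: any inside host may send mail out; only ACK-bearing replies return.
    Rule("allow", iface="int", src=INSIDE, dport=range(25, 26)),
    Rule("allow", iface="ext", dst=INSIDE, sport=range(25, 26), ack=True),
]
# An inside packet whose source is not an inside address matches no allow
# rule, so the implicit block provides the egress half of the spoofing check.
```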

Page 36: Firewalls and Packet Filters

Hacking Through Packet Filters

– TCP can only be filtered in the 0th fragment
  • by setting the fragment number to 1, the packet will usually pass through the packet filter
– Older packet filters only filter ports below 1024
  • HTTP used higher-numbered ports for passing data back to web browsers
  • Many new applications use ports above 1024 for normal communication
– Public services must be forwarded
  • services like the updating of web pages via Netscape Composer must be controlled to limit public access

Page 37: Firewalls and Packet Filters

Best Practices

• Use a proxy
  – physically breaks the network path
• Use Stateful Packet Filters
  – can't be bypassed like stateless filters
• Disable all Ports by Default
  – enable only what is absolutely needed
• Secure the Base Operating System
  – apply all patches provided by the vendor
    • check the vendor web site frequently
  – always use a hardened protocol stack

Page 38: Firewalls and Packet Filters

Security & Performance of Packet Filters

• IP address spoofing
  – Fake source address to be trusted
  – Add filters on the router to block
• Tiny fragment attacks
  – Split TCP header info over several tiny packets
  – Either discard or reassemble before checking
• Degradation depends on the number of rules applied at any point
• Order rules so that the most common traffic is dealt with first
• Correctness is more important than speed

Page 39: Firewalls and Packet Filters

Application-Level Filtering

• Has full access to the protocol
  – user requests service from the proxy
  – proxy validates the request as legal
  – then performs the actions for the request and returns the result to the user
• Need separate proxies for each service
  – E.g., SMTP (E-Mail)
  – NNTP (Net news)
  – DNS (Domain Name System)
  – NTP (Network Time Protocol)
  – custom services generally not supported

Page 40: Firewalls and Packet Filters

Firewalls - Application Level Gateway (Proxy)


Page 41: Firewalls and Packet Filters

App-level Firewall Architecture

Daemon spawns proxy when communication detected …

[Figure: a network connection reaches the Telnet, SMTP and FTP daemons, each of which spawns a Telnet, SMTP or FTP proxy]

Page 42: Firewalls and Packet Filters

Network Address Translation (NAT)

• Converts a network's illegal IP addresses to legal or public IP addresses
  – Hides the true addresses of individual hosts, protecting them from attack
  – Allows more devices to be connected to the network

[Figure: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind public IP address 219.22.165.1 on the Internet side]

Page 43: Firewalls and Packet Filters

Address Translation—Hiding

[Figure: PAT hides inside hosts 10.0.0.2 and 10.0.0.3 behind the global address 192.168.0.15; a packet from 172.30.0.50 arrives as Dest: 192.168.0.15 / Source: 172.30.0.50 and is delivered inside as Dest: 10.0.0.2 / Source: 172.30.0.50 or Dest: 10.0.0.3 / Source: 172.30.0.50]
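The address-hiding translation in the figure above, as an added Python example (not from the slides): outbound flows from 10.0.0.2 and 10.0.0.3 are rewritten to the global address 192.168.0.15 with a per-flow port, replies from 172.30.0.50 are mapped back by that port, and an inbound packet that matches no translation is dropped, so no inside address is ever reachable directly. The port range and the unsolicited probe are constructed.

```python
from dataclasses import dataclass
from itertools import count

# Added example, not from the slides: port address translation (PAT) that
# hides every inside host behind one global address, as in the figure above.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortAddressTranslator:
    def __init__(self, global_ip: str, first_port: int = 20000):
        self.global_ip = global_ip
        self.ports = count(first_port)   # next unused global port (constructed range)
        self.out_map = {}   # (inside ip, inside port, dst, dport) -> global port
        self.in_map = {}    # (global port, outside ip, outside port) -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet to the global address."""
        key = (p.src, p.sport, p.dst, p.dport)
        gport = self.out_map.get(key)
        if gport is None:                   # first packet of this flow: allocate a port
            gport = next(self.ports)
            self.out_map[key] = gport
            self.in_map[(gport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.global_ip, gport, p.dst, p.dport)

    def inbound(self, p: Packet):
        """Map a reply back to the inside host, or return None to drop it."""
        if p.dst != self.global_ip:
            return None
        inside = self.in_map.get((p.dport, p.src, p.sport))
        if inside is None:                  # unsolicited: no inside host is reachable
            return None
        return Packet(p.src, p.sport, inside[0], inside[1])


def demo():
    """Two inside hosts (both using local port 40000) reach 172.30.0.50, as in the figure."""
    pat = PortAddressTranslator("192.168.0.15")
    out_a = pat.outbound(Packet("10.0.0.2", 40000, "172.30.0.50", 80))
    out_b = pat.outbound(Packet("10.0.0.3", 40000, "172.30.0.50", 80))
    reply_b = pat.inbound(Packet("172.30.0.50", 80, "192.168.0.15", out_b.sport))
    probe = pat.inbound(Packet("203.0.113.9", 4444, "192.168.0.15", 22))  # constructed, unsolicited
    return out_a, out_b, reply_b, probe
```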

Page 44: Firewalls and Packet Filters

Firewalls - Circuit Level Gateway


Page 45: Firewalls and Packet Filters

Firewalls - Circuit Level Gateway

• A virtual "circuit" exists between the internal client and the proxy server
• Different clients inside the network are all mapped to the public IP address (firewall)
• Internet requests go through this circuit to the proxy server
• The proxy server delivers those requests to the Internet after changing the IP address.
• Circuit-level firewalls hide the network itself from the outside
• Makes IP spoofing tedious
• Operates at the Network Layer; relays traffic without examining contents

Page 46: Firewalls and Packet Filters

Firewall Deployment

• Corporate Network Gateway
  – Protect internal network from attack
  – Most common deployment point

[Figure: Internet – Corporate Network Gateway – Corporate Site, with the Human Resources Network and a Demilitarized Zone (DMZ) holding the Public Servers]

Page 47: Firewalls and Packet Filters

Firewall Deployment

• Corporate Network Gateway
• Internal Segment Gateway
  – Protect sensitive segments (Finance, HR, Product Development)
  – Provide a second layer of defense
  – Ensure protection against internal attacks and misuse

[Figure: Internal Segment Gateway placed in front of the Human Resources Network within the Corporate Site; Public Servers face the Internet]

Page 48: Firewalls and Packet Filters

Firewall Deployment

• Corporate Network Gateway
• Internal Segment Gateway
• Server-Based Firewall
  – Protect individual application servers
  – Protect files

[Figure: Server-Based Firewall in front of the SAP Server inside the Corporate Site; Public Servers in the DMZ]

Page 49: Firewalls and Packet Filters

Firewall Deployment

• Hardware appliance based firewall
  – Single platform, software pre-installed
  – Can be used to support small organizations or branch offices with little IT support
• Software based firewall
  – Flexible platform deployment options
  – Can scale as the organization grows

Page 50: Firewalls and Packet Filters

Firewall Architectures

• Dual-Homed Host
• Screened Host
• Screened Subnet Host

Page 51: Firewalls and Packet Filters

Dual-Homed Host Architecture

• A Dual-Homed Host is a computer that has separate network connections to two networks
• It can act as a router between the two networks, but the routing function is disabled when dual-homed hosts are used in firewall architectures
• Ability to see traffic on both networks
• Systems inside the internal network can communicate with the dual-homed host via one network interface, and systems on the Internet via the other
• Such hosts are often referred to as Bastion Hosts in the firewall literature
• The trusted network is vulnerable if the bastion host is compromised

Page 52: Firewalls and Packet Filters

Dual-Homed Host Architecture


Page 53: Firewalls and Packet Filters

Screened Host Architecture

• Security is provided by packet filtering, and a bastion host sits on the internal network
• The bastion host is the only host accessible from the Internet
• Connections to the Internet may be routed through the bastion host; in some cases they are allowed directly through the screening router, depending on the network security policy
• The trusted network is vulnerable if the bastion host is compromised

Page 54: Firewalls and Packet Filters

Screened Host Architecture


Page 55: Firewalls and Packet Filters

Screened Subnet Host Architecture

• Isolates the bastion host on a perimeter network
• The simplest way to provide a perimeter network is to add an additional screening router to the screened host architecture
• The bastion host is then located on the perimeter network between the two screening routers.

Page 56: Firewalls and Packet Filters

Screened Subnet Host Architecture


Page 57: Firewalls and Packet Filters

Free Firewall Software Packages

• IP Chains & IP Tables
  – comes with most Linux distributions
• SELinux (Security Enabled Linux – NSA)
  – comes with some Linux distributions
    • Fedora, RedHat
• IPCop – specialized Linux distribution

Page 58: Firewalls and Packet Filters

Home & Personal Routers

• Provide
  – configurable packet filtering
  – NAT/DHCP
• Linksys – single board RISC based Linux computer
• D-Link

Page 59: Firewalls and Packet Filters

Enterprise Firewalls

• Check Point FireWall-1
• Cisco PIX (product family)
• MS Internet Security & Acceleration Server
• GAI Gauntlet

Page 60: Firewalls and Packet Filters

Firewalls Aren't Perfect?

• Useless against attacks from the inside
  – Evildoer exists on the inside
  – Malicious code is executed on an internal machine
• Organizations with greater insider threat
  – Banks and Military
• Protection must exist at each layer
  – Assess risks of threats at every layer
• Cannot protect against the transfer of all virus-infected programs or files
  – because of the huge range of O/S & file types

Page 61: Firewalls and Packet Filters