Firewalls

CS432


Overview

What are firewalls?
Types of firewalls

Packet filtering firewalls
Stateful firewalls
Application gateway firewalls
Address translation firewalls
Host-based firewalls
Hybrid firewalls

Definition

A firewall is a device or system that controls the flow of traffic between different areas of your network.

One of the main functions of firewalls is to control access to resources.

This may be achieved by installing a firewall on every workstation, or in a centralized manner (one firewall for the whole network).

Types of Firewalls

Packet filtering firewalls
Stateful firewalls
Application gateway firewalls
Address translation firewalls
Host-based firewalls
Hybrid firewalls

Packet Filtering Firewalls (PFFs)

The simplest type of firewall.
Typically a router that can filter on some packet content.
Mainly layer 3 (network) and sometimes layer 4 (transport) packets are examined.

Filtering Rules

Packet filtering rules must be defined on the firewall.

These rules indicate which traffic should be allowed and which traffic should be denied.

A decision should also be taken regarding the notification strategy when packets are dropped: inform the sender or not.

Filtering information

Source and destination layer 3 addresses.
Layer 3 protocol information (type of protocol).
Layer 4 protocol information (port numbers and flags).
Interface of sent or received traffic.

A Simple Example

A Typical Rule Table

Rule  Source address  Dest address       IP protocol  Protocol information  Action
1     any             219.1.1.2          TCP          Port 80               allow
2     any             219.1.1.3          UDP          Port 53               allow
3     any             219.1.1.4          TCP          Port 25               allow
4     any             Any other address  any          any                   deny

Understanding the Rules

Understanding the rule set is crucial to the operation of firewalls.

For example, if you omit rule 4 in table 1 above, there are two possibilities: allow all non-matching traffic, or deny all non-matching traffic.

If the first option is taken, you will be creating a big hole in your network.

An Example of Firewall Rules

Advantages of packet filtering firewalls

They can process packets at high speed.
They can easily match on most fields in layer 3 and layer 4, giving flexibility in implementing security policies.

Disadvantages

They can be complex to configure.
They cannot prevent application layer attacks.
They are susceptible to some TCP/IP attacks (SYN floods and IP spoofing, which they cannot detect).
They do not support authentication.
They have limited logging capabilities.

Stateful Firewalls

Stateful firewalls keep track of connection states at all stages: initiation, data transfer, or termination.

A Typical Scenario Where PFFs Fail

Assume that there is an inbound rule saying that any external traffic to 134.1.1.10 is denied.

This implies that connection requests coming from outside will be dropped.

However, assume that 134.1.1.10 tries to access a web server on an external machine, say 189.1.2.3.

A Typical Scenario …

The firewall will allow the initiation of the connection.

However, when the reply comes back from 189.1.2.3 it will be dropped.

Two solutions are possible in PFFs:
Open ports higher than 1023 for inbound traffic.
Examine TCP segment flag bits.

Problems with the above solutions

Opening ports will cause a lot of problems.
Examining TCP flag bits is not a good solution for this problem, because they may not be fully supported by all implementations, may be modified by hackers, and UDP traffic uses no flags.

A Stateful Solution

A stateful firewall solves the above problem by tracking the states of connections.

This is done through dynamic rules that are added when a connection is established and deleted after the connection is torn down.

The rules are either added to the main rule table or to a new state table.

A Stateful Solution

For example, when machine 134.1.1.10 initiates a connection to external machine 189.1.2.3, the firewall adds a new rule to the rule table or the state table indicating that this is a request for a connection.

It notes the source and destination ports:

Source     Destination  Protocol  Ports                  Action
134.1.1.0  189.1.2.3    TCP       Source 10000, Dest 80  allow

Stateful solution

When 189.1.2.3 sends a reply to the connection request, the firewall notes from its table that this reply is part of an existing connection and allows the connection.

The traffic along this connection will be allowed as long as the connection is open.

When the connection is torn down, all rules relating to the connection will be removed.
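The two behaviours discussed so far, the stateless rule table with its default policy (the role of rule 4) and the state table that lets the reply from 189.1.2.3 back in, as an added Python model; this is not code from the lecture, and Packet, Rule, StatefulFirewall and the port numbers used are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    dst: str              # "any" or one destination address
    proto: str            # "any", "TCP" or "UDP"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"

# Rules 1-3 of the lecture's table; rule 4 becomes the default policy.
RULES = [
    Rule("219.1.1.2", "TCP", 80, "allow"),
    Rule("219.1.1.3", "UDP", 53, "allow"),
    Rule("219.1.1.4", "TCP", 25, "allow"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.dst in ("any", pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def packet_filter(pkt: Packet, rules=RULES, default="deny") -> str:
    """Stateless filter: first matching rule wins, else the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

class StatefulFirewall:
    """Adds a state table of outbound connections so replies are admitted."""
    def __init__(self, inbound_rules, default="deny"):
        self.inbound_rules, self.default = inbound_rules, default
        self.state = set()  # (proto, inside ip, inside port, outside ip, outside port)
    def outbound(self, pkt: Packet) -> str:
        # Inside host initiates: record the connection as a dynamic rule.
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"
    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return "allow"  # reply that belongs to a tracked connection
        return packet_filter(pkt, self.inbound_rules, self.default)

    def close(self, pkt: Packet) -> None:
        # Connection torn down: its dynamic rule is removed.
        self.state.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
```

With `default="allow"` and no rule 4, a packet to an address the table never mentions is admitted, which is the hole the lecture warns about.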

Advantages

Aware of the state of the connection.
No need to open a large set of ports.
Prevents a wider set of DoS attacks (state table).
More robust logging (connection states).

Limitations

They may be difficult to configure.
Cannot prevent application layer attacks.
Do not support authentication.
Not all protocols contain state information.
Multiple connections with dynamic ports may cause problems.
Additional overhead in maintaining state information.

Application Gateway Firewalls (AGFs)

Sometimes called proxy firewalls.
They filter information at layers 3, 4, 5 and 7.
Most filtering and processing is done in software, which provides more flexibility.
Sometimes they support only limited applications, for example e-mail, FTP, Telnet.

AGFs and Authentication

One of the major advantages of AGFs is their ability to authenticate users.

A user requesting a connection to the network is first authenticated by the AGF.

The authentication database usually stores authorization information, e.g. which servers the user can connect to:

Ahmed  232.1.5.6  allow

Authentication Methods

User/password.
Certificates.
Biometrics.
Token cards.

Types of AGFs

Two types of AGFs:
Connection gateway firewalls.
Cut-through proxy firewalls.

Connection Gateway Firewalls (CGFs)

All traffic to the web server passes through the CGF.

First the CGF authenticates the user. If successful, the CGF establishes a connection to the server.

The CGF examines all packets sent to the server and may control the type of traffic to be allowed or dropped.

Cut-Through Proxies (CTP)

Only authenticate the user.
Perform filtering based on layer 3 and 4 information.

Address Translation Firewalls

It is well known that we are running out of IP addresses (address depletion).

A long-term solution is to deploy IPv6.
A short-term solution is to use Network Address Translation (NAT).

Private Addresses

Two RFCs describe how NAT may be used.

RFC 1918 specifies private addresses (reserved addresses that can be used only inside the organization's networks, with no global meaning).

Around 17 million addresses are available for local use.

Private addresses

10.0.0.0 – 10.255.255.255      class A
172.16.0.0 – 172.31.255.255    class B
192.168.0.0 – 192.168.255.255  class C

NAT

RFC 1631 defines how network address translation may be performed.

Two schemes:
Simple NAT.
Overloaded NAT or PAT (Port Address Translation).

NAT firewalls

A NAT firewall is a device configured to perform network address translation.
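An added Python example (not from the lecture) of the overloaded NAT / PAT scheme named above, using the RFC 1918 ranges from the previous slide; the PAT class, the public port allocation starting at 1024, and the addresses in the test are assumptions, as is the simplification that a mapping is keyed on the inside address and port only.

```python
import ipaddress

# RFC 1918 private ranges listed in the lecture (class A, B and C blocks).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr has no global meaning and must be translated."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

class PAT:
    """Overloaded NAT: many inside hosts share one public address and are
    told apart by the translated source port (hypothetical simplification:
    the mapping is keyed on inside address and port only)."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside ip, inside port) -> public port
        self.back = {}  # public port -> (inside ip, inside port)

    def outbound(self, src: str, sport: int, dst: str, dport: int):
        """Inside -> outside: rewrite a private source, allocating a
        public port on first use; non-private sources pass unchanged."""
        if not is_private(src):
            return (src, sport, dst, dport)
        key = (src, sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int):
        """Outside -> inside: only a packet for a mapped public port is
        rewritten back to the inside host; anything else (unsolicited
        traffic) has no entry and is dropped (None)."""
        if dst != self.public_ip or dport not in self.back:
            return None
        inside_ip, inside_port = self.back[dport]
        return (src, sport, inside_ip, inside_port)
```

Two inside hosts using the same source port get different public ports, which is what lets one public address be shared; an inbound packet with no mapping is dropped, which is the firewall effect of NAT.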

Host-based firewalls

Software packet filtering firewalls.
Simplified versions that concentrate only on protecting a single machine.
Some may provide host-based authentication.

Hybrid Firewalls

In real life, firewall solutions are usually complex and hybrid.

They involve packet filtering, state tracking, authentication, address translation, etc. Many solutions even include an IDS.

This is dictated by competition.
A good example is the Cisco PIX firewall.

Designing A Firewall Solution

Develop a security policy.
Create a simple design solution.
Use devices as intended.
Implement a layered defense.
Consider solutions to internal threats.

The policy

Define acceptable and unacceptable behavior.
Restrictions to resources.
Adhere to company plans and policies.
Resources that require access from internal and external users.
Vulnerabilities associated with these resources.
Methods that can be used to protect resources.
Cost-benefit analysis for possible solutions.

Demilitarized zones (DMZs)

A demilitarized zone is a segment or segments that have a higher security level than that of external segments, but a lower security level than that of internal segments.

Grant external users access to web servers, DNS servers, etc. without risking internal security.

They act as a buffer between internal and external networks.

Demilitarized zones (DMZs)

Higher security levels can send traffic to lower security levels but not vice versa.

Same security levels cannot send traffic to each other.

An Example Solution

[Diagram: Internet -> router (packet filter) -> DMZ (De-Militarized Zone) containing a bastion host (here a proxy firewall), a mail server and a web server -> internal packet filter -> internal network. Many different topologies can be considered.]

Bastion Server

A special type of proxy server.
A single point of contact to the network.
Well fortified.
Logging capabilities.