Page 1: Frank Lyons

Copyright Entellus Technology Group, Inc.

Firewalls

Risks and Controls

By Mr. Frank W. Lyons
Entellus Technology Group Inc
407-774-8397
[email protected]

Page 2: Frank Lyons


Module Objectives

What You Will Learn During This Seminar

1. Introduction to Firewalls

2. Packet Filtering Firewalls

3. Proxy Firewalls

4. Virtual Firewalls

5. Firewall for Electronic Commerce

6. Summary

Page 3: Frank Lyons

Firewalls Have Evolved

Simple packet-filtering

Multipurpose devices

Ability to examine traffic for intrusion detection

Scan for viruses in Java and ActiveX scripts

Filter web traffic based on content

Provide IP address translation

And more

Page 4: Frank Lyons

What Is The INTERNET?

The INTERNET is a global collaboration of data networks that are connected to each other, using common protocols (e.g., TCP/IP) to provide instant access to an almost indescribable wealth of information and to computers around the world

Page 5: Frank Lyons

INTERNET Security Risks

Stealing passwords

Computer software bugs

Authentication failures

Protocol failures

Information leakage

Denial of service

Page 6: Frank Lyons

Definition of a Firewall

Collection of components placed between two networks that have the following properties:

All traffic from inside to outside, and vice-versa, must pass through the firewall

Only authorized traffic, as defined by the local security policy, will be allowed to pass

The firewall itself should be immune to penetration

Page 7: Frank Lyons

Purpose of a Firewall

Protect a network from an untrusted network

[Diagram: Trusted Network XXX - LAN - Router - FIREWALL - Router - LAN - Untrusted Network YYY]

Page 8: Frank Lyons

Firewall Shapes

Perimeter router

Look at weaknesses in TCP/IP protocols like SNMP, TCP and others

Traffic content for something like pornography

Combinations

Simply put, a firewall allows you to control traffic between two networks

Page 9: Frank Lyons

Firewall Selection Depends

Functions that you need in a firewall

Find a product that meets or exceeds these abilities

For instance

• How many devices do you need to protect?

• How many segments need to be directly connected to the firewall?

• What resources do you need to protect your network?

• What applications do your users use?

• What internal resources do your users need access to?

• How much traffic will the firewall have to handle?

• Do you need to protect data between different sites?

Page 10: Frank Lyons

Firewall Selection Depends

More

• Will you be using private addresses in your network, and do you need address translation?

• Are you concerned about weaknesses in the TCP/IP protocol stack?

• Do you worry about your users’ productivity and how surfing the Internet will affect this?

• Are you concerned about the content of material that your users will download to their desktops?

• Does your network have to support multimedia traffic?

• Do you need to authenticate users before allowing them access into or out of your network?

• How many firewalls do you need?

Page 11: Frank Lyons

Recommendations

PIX

Nokia

Checkpoint

Maybe with a router to filter

A firewall does not have to be a single device

It may be a group of devices but should include

Perimeter router

Main firewall

Virtual private network (VPN)

Intrusion detection system (IDS)

Page 12: Frank Lyons

System Vulnerabilities

Unauthorized Access

User Logins

Privileged User Logins

Object Access

Data Integrity Vulnerabilities

Trojan Horses

Logic Bombs

Viruses

Application Vulnerabilities

Audit Vulnerabilities

Page 13: Frank Lyons

Trojan Horses

Programs that appear to perform one function but actually perform another:

Renaming or replacing executable files

Replacing libraries

Dynamic Link Libraries

Shared Libraries

Page 14: Frank Lyons

What Is a Network?

Two or more systems connected (i.e., data is transferred or shared) via a communications medium

Page 15: Frank Lyons

LAN

Limited geographic coverage

Generally owned and administered by one group

Limited number of users

No common carrier communications

Page 16: Frank Lyons

Networking and Communications

SWITCHES

[Diagram: switches connecting the Internet, a Mainframe, a Workstation and a File Server]

Backplane speed

Has ACLs

Page 17: Frank Lyons

WAN

Wider geographic coverage

Integrated voice/data network

Often uses common carrier lines

Interconnection of LANs

Page 18: Frank Lyons


Network Topologies

Page 19: Frank Lyons

Bus or Switched Network Topology

[Diagram: file servers and stations on a bus or switched network]

Page 20: Frank Lyons

Ethernet

BUS topology

Broadcast LAN - transmissions from one station are received at all stations

Unless switched, and then only during overloads of the switch

“Pull and plug” - very easy to connect a new station to the Ethernet, usually without the LAN administrator

[Diagram: hosts attached along a shared Ethernet bus]

Page 21: Frank Lyons

Protocols - FTP

[Diagram: Host 2 has a file to send to Host 3 across a bus shared with other hosts]

Page 22: Frank Lyons

Security Issues for “Pull and Plug”

No access control

Undetectable presence of listening devices

Denial of service

Is someone listening?

Do you send clear text over the network?

Page 23: Frank Lyons

Denial of Service

[Diagram: Host 2 and other hosts on the shared bus]

Page 24: Frank Lyons

Denial of Service (“NO!!”)

Prevention

Detection

Recovery

Page 25: Frank Lyons

Packet-Switched Network

• Source

• Destination

• Sequence number

• CRC check sum total

Page 26: Frank Lyons

The OSI Model

[Diagram: two seven-layer stacks, Layer 7 down to Layer 1, side by side]

Page 27: Frank Lyons

OSI Model - 7 Layers

Layer 7 - Application: Provides end user and application processes access to the network and OSI environment.

Layer 6 - Presentation: Provides message transformation and formatting services.

Layer 5 - Session: Provides logical session initiation, maintenance and termination services between end users.

Layer 4 - Transport: Ensures that data units are delivered error free, in sequence, with no loss or duplication.

Layer 3 - Network: Provides means of transmitting data units across any type of network.

Layer 2 - Data Link: Provides for the transfer of data across the physical link.

Layer 1 - Physical: Concerned with establishing, maintaining, and terminating the physical link.

Page 28: Frank Lyons

Networking and Communications

REPEATER

[Diagram: System A and System B seven-layer stacks joined at the Physical layer over the physical media]

Repeaters work at the physical layer and there is not too much excitement with these types of products.

They just regenerate the signal as it goes across the network

Page 29: Frank Lyons

Networking and Communications

BRIDGE

[Diagram: System A and System B seven-layer stacks joined at the Data Link layer over the physical media]

Bridges work at the physical address layer of the protocol.

They are called learning bridges

They can isolate traffic between two local area networks

They can also set up filters or Access Control Lists (ACL)

Page 30: Frank Lyons

Networking and Communications

ROUTER

[Diagram: System A and System B seven-layer stacks joined at the Network layer over the physical media]

Routers are very powerful as they can determine which path a message needs to take to go to the destination address.

They work on the network address level

They also have ACLs and are sometimes used as a Firewall

Page 31: Frank Lyons

Networking and Communications

GATEWAY

[Diagram: System A and System B seven-layer stacks connected through a gateway over the physical media]

Page 32: Frank Lyons


Why Firewalls? Because

Weaknesses in the TCP/IP protocol stack

Enforcement of your company’s business and security policies

Page 33: Frank Lyons


Perimeter Router Function

Provide connection to the Internet: Translating the data link layer media types from LAN to WAN.

It might also perform more functions, like packet filtering, BGP routing, or VPN connections

Page 34: Frank Lyons


Main Firewall Function

Controlling traffic between two networks

Can be to the external world or between divisions and/or departments.

Page 35: Frank Lyons

Packet Filter

[Diagram: network-layer IP filter between INSIDE (Hosts “C”, “D”) and OUTSIDE (authorized Host “A”, unauthorized Host “B”); packets from “A” pass through, packets from “B” are blocked (X)]

Page 36: Frank Lyons


VPN

Remote offices

A VPN allows you to protect your traffic from eavesdroppers

All external communications should go through a VPN

Page 37: Frank Lyons

IDS

Major component of a firewall

Intrusion detection

The main firewall component will control traffic (filtering) based on the policy rules

To deal with new security threats you need to understand what traffic is being sent into your network and its intentions

May auto-reconfigure your firewall system to block strangely acting traffic

Page 38: Frank Lyons

Latest Firewalls

Other services

DHCP

WINS server address

DNS server address

Content filtering

• Email for viruses

• Web downloads for Java or ActiveX scripts, and filters them

• But if the content is encrypted then no content search may be possible (Web Sense)

Page 39: Frank Lyons

Firewall Weaknesses

Even the best firewall has weaknesses

No completely secured network

Weaknesses

• People who administer it

• Next is the configuration of the firewall

• KISS - keep it simple, otherwise mistakes will be made

• Not using multiple components or devices

– Onion approach to security, or layered

Page 40: Frank Lyons

Understand Your Data

Classify your data

Use firewalls to protect the sensitive data from external and internal users

Internal users have caused the most dollar losses

Page 41: Frank Lyons

OSI Layers

Firewall layers of activity

The application, presentation and session layers are typically integrated into the application itself.

The transport, network, data link, and physical layers affect the transmission of traffic between devices.


Page 43: Frank Lyons

Packet Filtering Firewalls

Most prolific form of a firewall

Filters at layer 3

Sometimes layer 4

Example is a router which has ACLs

Functions

Filters on

• Source IP address

• Destination IP address

• IP protocol type, like ICMP, TCP, UDP and others

• Protocol specific information like ICMP (echo, echo reply, destination unreachable, etc.) which allows for identification of DoS attacks.

Page 44: Frank Lyons

Packet Filtering Firewalls

Functions

Layer 4

• Port numbers of applications for TCP and UDP

• Port number 23 for telnet

• Port number 25 for email

• Port number 80 for web

Works on specific interfaces on a firewall or router, like inbound or outbound

Page 45: Frank Lyons

Packet Filtering Firewalls

Advantages

Quick

Filtering policy definitions are very flexible

Page 46: Frank Lyons

Filtering Strategy

Filters

First match

Most restrictive

Any match

Filters are processed top down

If no match then it drops the packet with an implicit deny

If it finds a match then it executes the policy defined and either permits or denies.

• When denying a packet a firewall has two options:

– It can drop the packet silently

– Or notify the source that the packet has been dropped
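As an added example (not from the slides), here is a small packet-filter rule engine in Python that applies the strategy above: rules are tried top down, the first match decides, a packet matching nothing hits the implicit deny, and a denying rule either drops silently or notifies the source. The addresses, ports and rule order are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # layer-4 destination port, None for ICMP
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Rule:
    # "permit", "drop" (deny silently) or "reject" (deny and notify the source)
    action: str
    src: str = "0.0.0.0/0"           # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port
    icmp_type: Optional[str] = None  # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule specifies must agree with the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        for want, have in ((self.proto, pkt.proto),
                           (self.dport, pkt.dport),
                           (self.icmp_type, pkt.icmp_type)):
            if want is not None and want != have:
                return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the deciding rule).

    An index of None means no rule matched and the implicit deny dropped the packet.
    """
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "drop", None


# Constructed inbound policy for an Internet-facing interface. Order matters:
# the anti-spoofing drop sits first so no later rule can permit such a packet.
INBOUND_RULES = [
    Rule("drop", src="10.0.0.0/8"),                             # inside source arriving from outside
    Rule("permit", dst="10.0.0.25/32", proto="tcp", dport=25),  # mail server
    Rule("permit", dst="10.0.0.80/32", proto="tcp", dport=80),  # web server
    Rule("permit", proto="icmp", icmp_type="echo-reply"),       # replies to our own pings
    Rule("reject", proto="tcp", dport=23),                      # telnet: refuse and tell the sender
]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.0.0.25", "tcp", 25),
                Packet("10.0.0.9", "10.0.0.25", "tcp", 25),
                Packet("203.0.113.5", "10.0.0.80", "tcp", 23),
                Packet("203.0.113.5", "10.0.0.80", "tcp", 443)):
        print(pkt, "->", filter_packet(INBOUND_RULES, pkt))
```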

Page 47: Frank Lyons

Location of a Packet Filtering Firewall

Because of packet filtering

Perimeter or boundary

With another firewall inside the network to handle more advanced filtering functions

Page 48: Frank Lyons

Packet Filter

[Diagram: TRANSPORT LAYER FILTER between INSIDE (Hosts “C”, “D”) and OUTSIDE (authorized Host “A”, unauthorized Host “B”); e-mail, finger and FTP connections shown, with some blocked (X)]

Page 49: Frank Lyons

Packet Filtering Firewalls

Disadvantages

Cannot prevent application threats and attacks

No user authentication

Limited logging abilities

Vulnerable to certain TCP/IP protocol weaknesses

• IP spoofing attacks

• DoS attack on the three-way handshake by flooding your network with TCP SYNs (with no intention of completing the connection)

Can be complex to configure

Page 50: Frank Lyons

Audit Trail Purpose

Detect

Deter

Reveal

Reconstruct

Page 51: Frank Lyons

Stateful Firewalls

Filter traffic at layers 3 and 4

Sounds like a Packet Filtering Firewall

But it adds “awareness” at layer 4

Maintain information about the connection

• It looks at the packet to see if it is part of a process that is setting up, maintaining, or tearing down a connection

Page 52: Frank Lyons

Stateful Firewall Example

Filter

Drop traffic if source is 2 on inbound

But 1 wants a file from 2 in response to a request

Packet Filtering Firewalls cannot perform this type of activity because they do not look at the nature of the connection

Stateful

Adds a temporary filtering policy to the specific port to allow 1 to communicate with 2

It only allows traffic for the existing connection with the original IP address and original port – any deviation by 2 will cause the connection to be dropped.

Page 53: Frank Lyons

Stateful Firewall

Uses a “connection state table”

Once the connection is idle for a maximum period of time the connection entry is removed

User 2 could try and fool the firewall afterward but the connection entry is gone

Disadvantage

Process and maintain more information

Cost more than a Packet Filtering Firewall
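The connection state table from the two slides above, as an added Python example that is not part of the original deck: inbound traffic is denied by the static policy, but the exact reverse of a recorded outbound flow (same two addresses, same two ports) is permitted until the entry has been idle for the timeout. The 60-second timeout and the addresses are constructed values; the clock is injectable so the expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

IDLE_TIMEOUT = 60.0  # seconds an entry may sit idle before removal (constructed value)


@dataclass(frozen=True)
class Flow:
    """One direction of a connection: the four values the state table keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    """Static policy: inbound traffic is denied. The state table carves out a
    temporary exception for the exact reverse of each live outbound flow."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now
        self._table: Dict[Flow, float] = {}   # outbound flow -> last time seen

    def _expire(self) -> None:
        """Remove entries that have been idle longer than IDLE_TIMEOUT."""
        cutoff = self._now() - IDLE_TIMEOUT
        for flow in [f for f, seen in self._table.items() if seen < cutoff]:
            del self._table[flow]

    def outbound(self, flow: Flow) -> str:
        """Inside host (1) opens or continues a connection to outside host (2)."""
        self._expire()
        self._table[flow] = self._now()
        return "permit"

    def inbound(self, flow: Flow) -> str:
        """Outside host (2) sends to inside host (1): permitted only if the packet
        is the mirror image of a recorded outbound flow, same addresses and ports."""
        self._expire()
        original = flow.reverse()
        if original in self._table:
            self._table[original] = self._now()  # traffic on the connection refreshes the idle timer
            return "permit"
        return "drop"

    def table_size(self) -> int:
        return len(self._table)


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.outbound(Flow("10.0.0.1", 40000, "203.0.113.2", 80))        # 1 requests a file from 2
    print(fw.inbound(Flow("203.0.113.2", 80, "10.0.0.1", 40000)))  # permit: the reply
    print(fw.inbound(Flow("203.0.113.2", 80, "10.0.0.1", 40001)))  # drop: port deviates
```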

Page 54: Frank Lyons


Authentication

Communications Integrity

Page 55: Frank Lyons

Application Gateways (Proxy Firewalls)

Combine filtering with layer 7 access control

User must authenticate for each session

Also called “dedicated proxy” firewalls

• Email proxy

• Web proxy

• FTP proxy

• Telnet proxy

• DNS proxy

• Finger proxy

• LDAP proxy

• Usenet News proxy

Page 56: Frank Lyons


Authentication Methods

Methods

User account name and password

Source address authentication

Hardware/software-based token card authentication

Biometric authentication

Page 57: Frank Lyons

Communications Integrity

Digital signature

Page 58: Frank Lyons

Types of Application Gateway Firewalls

Connection

User authentication and application privileges are both verified

Advantages

• Work at layer 7 as well as 3 and 4

• Detailed logging and filtering of application data

• Every command or keystroke

• Content filtering

• Web pages

• Java or ActiveX filtering

• FTP but only to certain directory structures

Page 59: Frank Lyons


Keystroke Monitoring

Page 60: Frank Lyons

Connection Gateways

Very slow in processing

Limited typically to a specific application or small number of applications

Sometimes require special software to be loaded on the clients

Page 61: Frank Lyons

Cut-Through Gateway Firewalls

Almost the same as a connection firewall

User must authenticate

If the user is successful

• Then they connect to the application

• Or the gateway builds the second half of the connection and binds it to the first half

• Now there is a single process that the cut-through gateway can then process at layer 3 or 4 of the gateway

• After authenticating at layer 7 it can process at layer 3 or 4 and improve throughput

• Plus it can authenticate the user on layer 7 for many more applications

• Plus maybe no modifications needed to the clients

Page 62: Frank Lyons


Cut-Through Downside

Better throughput but loses application layer 7 filtering

Cannot capture as detailed logging information

Page 63: Frank Lyons

Address Translation Firewalls

Problems

Handling a shortage of IP addresses

Hiding network addressing schemes

Class   Network

A   10.0.0.0 – 10.255.255.255

B   172.16.0.0 – 172.31.255.255

C   192.168.0.0 – 192.168.255.255

Page 64: Frank Lyons

Address Translation Firewalls - Terms

Inside

• Networks located on the inside of your company that will have their addresses translated

Outside

• Networks located outside of your network with valid public addresses

Inside local IP address

• An inside device with an assigned private IP address

Inside global IP address

• An inside device with a registered public IP address

Outside global IP address

• An outside device with a registered public IP address

Page 65: Frank Lyons

Network Address Translation - NAT

NAT

Static

• Maps a single IP address to a different IP address

• Typically from the outside to the inside on the destination address

Dynamic

• With static, each one must be configured

• With dynamic, it assigns addresses from a public pool to the local machines

Page 66: Frank Lyons

Port Address Translation - PAT

NAT

Only provides one-to-one translation

PAT

Address overloading

Share the IP address

But port numbers are changed

When the translation table is built it contains four entries

• Inside local IP address – Private

• Inside local port number (original port number)

• Inside global IP address – Public

• Inside global port number (new port number)

Page 67: Frank Lyons

Address Translation Firewalls

PAT

Used to allow your inside users access to the Internet

Static NAT

Used to assign public IP addresses to services that Internet users will be addressing
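The two uses just described (PAT for inside users going out, static NAT for published services) as one added Python example, not part of the original deck. Each PAT row holds the four values the earlier slide lists (inside local IP and port, inside global IP and new port); the public addresses and port range are constructed, and the table is simplified to those four fields, whereas a real device also keys on the outside host.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PatEntry:
    """The four values the slide lists for one PAT translation-table row."""
    inside_local_ip: str
    inside_local_port: int
    inside_global_ip: str
    inside_global_port: int


class Translator:
    """Static NAT for published services plus PAT (address overloading) for
    everything else."""

    def __init__(self, public_ip: str, static_map: Optional[Dict[str, str]] = None,
                 first_port: int = 1024):
        self.public_ip = public_ip                       # single shared inside global address
        self.static = dict(static_map or {})             # inside local -> inside global (one-to-one)
        self.static_rev = {g: l for l, g in self.static.items()}
        self._next_port = first_port                     # next unused inside global port
        self._out: Dict[Tuple[str, int], PatEntry] = {}  # (local ip, local port) -> row
        self._in: Dict[int, PatEntry] = {}               # global port -> row

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an inside host's source address/port on its way out."""
        if src_ip in self.static:
            return self.static[src_ip], src_port          # one-to-one: port unchanged
        key = (src_ip, src_port)
        if key not in self._out:                          # first packet of the flow: allocate a row
            entry = PatEntry(src_ip, src_port, self.public_ip, self._next_port)
            self._next_port += 1
            self._out[key] = entry
            self._in[entry.inside_global_port] = entry
        entry = self._out[key]
        return entry.inside_global_ip, entry.inside_global_port

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a packet arriving from outside back to an inside host, or None when
        no static mapping and no PAT row exists (nothing inside is exposed)."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        if dst_ip == self.public_ip and dst_port in self._in:
            entry = self._in[dst_port]
            return entry.inside_local_ip, entry.inside_local_port
        return None

    def table(self) -> List[PatEntry]:
        return list(self._out.values())


if __name__ == "__main__":
    t = Translator("198.51.100.1", static_map={"10.0.0.80": "198.51.100.80"})
    print(t.outbound("10.0.0.5", 40000))     # ('198.51.100.1', 1024)
    print(t.outbound("10.0.0.6", 40000))     # ('198.51.100.1', 1025): same local port, new global port
    print(t.inbound("198.51.100.1", 1025))   # ('10.0.0.6', 40000)
    print(t.inbound("198.51.100.80", 80))    # ('10.0.0.80', 80): static mapping for the web server
```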

Page 68: Frank Lyons

Security of Address Translation

Protect or hide your network infrastructure

Traffic must pass through the firewall itself

Disadvantages

Adds a delay to packet streams

Makes troubleshooting more difficult

Does not work with all applications

Page 69: Frank Lyons

Host-Based Firewalls

Protects

Contents of the computer

Also protects the operating system itself

Disadvantages

Less filtering

Less logging

More administration

Advantages

Hardens the operating system as well as the applications and data on the computer

Cable modems are one example

Page 70: Frank Lyons

Hybrid Firewalls

Consider Security

Set security policy first

Use onion defense

Protect against insider threats too

KISS principle

Page 71: Frank Lyons

DMZ - Demilitarized Zone

A DMZ is an area in your network that creates a buffer between the public network and your internal network

Typically services that you want the public to access are placed within the DMZ

• FTP

• Email

• DNS

Page 72: Frank Lyons

Transmission Security

Measures taken to protect communications transmissions from interception and exploitation by means other than cryptanalysis.


Page 74: Frank Lyons

Sniffer Attacks

[Diagram: a packet carrying a password crosses several routers on its way to the Internet; a sniffer attached along the path sees it]

Page 75: Frank Lyons

Auditing/Monitoring Services

[Diagram: Packet Filter between INSIDE (Hosts “C”, “D”) and OUTSIDE (Hosts “A”, “B”), with auditing/monitoring services on both sides]

Page 76: Frank Lyons

Security Assessment

Overall Security Assessment

External

Internet Exposure Points

Points of Entry

Internal

Network

Firewall

Operating Systems

Policies/Procedures

Database Systems

Change Control

Workstations

Disaster Planning

Web/Proxy Servers

Security Logs

Security Administration

Communication Servers

Wireless/Voice Security

ASPs

Physical Security

Applications

Page 77: Frank Lyons

Security Monitoring

Internal Monitoring

Establishment of an effective Security Command center to monitor and control external and internal threats using staff personnel

Outsourced Monitoring

Partnering with a Managed Security Monitoring company focused on protecting your critical information resources

Page 78: Frank Lyons

MSM Architecture

Detection and Response

[Diagram: customers' IDS, router, firewall and servers generate network events; forwarded events are analyzed by a team of security analysts (expert analysis) who make response contact; labels: Network Intelligence, Service Agreement, SOCRATES, Sentry, Business Assets (Intellectual Properties, Customer Data, Business Plans), Engineering]

Page 79: Frank Lyons

Audit Trail Security

Audit Trails Must be Protected!

Page 80: Frank Lyons

Summary

Understand and implement password controls on Cisco routers

Understand and implement IP access control lists and filtering services on Cisco routers

Understand remote authentication mechanisms supported by Cisco routers

Page 81: Frank Lyons

Controlling Access to Cisco Routers

[Diagram: access paths to a router (prompt: router >) – the console port; telnet to the router from the local network of workstations and servers; telnet from remote sites via a router to other networks over the WAN (X.25, ISDN, SMDS, Frame Relay) on the serial interface; clients dialing in to access the network over an analog telephone line on the asynchronous interface]

Page 82: Frank Lyons


Establishing Password Protection

For each access method, you can allow:

Nonprivileged mode access

Privileged mode access

Intermediate level access

Page 83: Frank Lyons

Controlling Console Access

Restrict access to console port

Cisco Router (config) # line console 0

Cisco Router (config-line) # login

Cisco Router (config-line) # password <password>

Restrict access to auxiliary ports

Cisco Router (config) # line aux 0

Cisco Router (config-line) # login

Cisco Router (config-line) # password <password>

Page 84: Frank Lyons


The Enable Secret Password

Uses a non-reversible MD5 encryption algorithm

Once set, it will always be required

Set an enable secret password:

Cisco Router (config) # enable secret <password>

Gain privileged mode access:

Accessed the same as enable password

Cisco Router > enable

Password: XXXXX

Cisco Router #

Page 85: Frank Lyons

Defining Level Command Access

New levels will have normal user exec mode access by default

To define access privileges for a level, use the following command:

Cisco Router (config) # privilege mode level level command

Example:

Cisco Router (config) # privilege exec level 5 ping

Cisco Router (config) # privilege exec level 5 trace

Page 86: Frank Lyons

Cisco Password Hacks

Programs are readily available on the Internet which are capable of decrypting user passwords on Cisco routers

Not capable of decrypting the enable secret

Can decrypt passwords using the standard Cisco encryption scheme

It is very important to maintain strict control of configuration files
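A defensive counterpart to the point above, as an added Python example that is not from the deck: an audit of a saved IOS configuration that flags every enable or line password stored in clear text or in the reversible standard scheme (the type 7 encoding), and reports whether an enable secret is configured at all. The sample configuration is constructed and its type 7 strings are placeholders, not real encodings.

```python
import re
from typing import List, Optional

# Constructed sample configuration; the "7 ..." strings are placeholders, not real encodings.
SAMPLE_CONFIG = """
hostname edge-rtr
enable password 7 0123456789ABCDEF
line con 0
 login
 password cisco123
line aux 0
 login
 password 7 FEDCBA9876543210
line vty 0 4
 login
 password 7 00112233445566
"""

ENABLE_SECRET = re.compile(r"^\s*enable secret(?:\s+\d+)?\s+\S+")
ENABLE_PASSWORD = re.compile(r"^\s*enable password(?:\s+(\d+))?\s+(\S+)")
LINE_HEADER = re.compile(r"^\s*line\s+(\S+(?:\s+\d+)*)\s*$")
LINE_PASSWORD = re.compile(r"^\s*password(?:\s+(\d+))?\s+(\S+)")


def _storage(type_code: Optional[str]) -> str:
    """Type 7 is the reversible scheme; no type or type 0 is clear text."""
    return "reversible type 7" if type_code == "7" else "clear text"


def audit_passwords(config_text: str) -> List[str]:
    """Return one finding per weakly stored password, plus a finding if no enable secret exists."""
    findings: List[str] = []
    has_secret = False
    current_line = None                       # which "line ..." block we are inside
    for raw in config_text.splitlines():
        if ENABLE_SECRET.match(raw):
            has_secret = True
            continue
        m = ENABLE_PASSWORD.match(raw)
        if m:
            findings.append(f"enable password stored as {_storage(m.group(1))}")
            continue
        m = LINE_HEADER.match(raw)
        if m:
            current_line = m.group(1)
            continue
        m = LINE_PASSWORD.match(raw)
        if m and current_line is not None:
            findings.append(f"line {current_line}: password stored as {_storage(m.group(1))}")
    if not has_secret:
        findings.append("no enable secret configured")
    return findings


if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```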

Page 87: Frank Lyons

Standard IP Access List Commands

First, set the parameters defining test conditions:

Cisco Router (config) # access-list access-list-number {permit | deny} address [wildcard-mask]

Example:

Cisco Router (config) # access-list 1 permit 172.16.0.0 0.0.255.255

Cisco Router (config) # access-list 1 permit 199.245.180.0 0.0.0.255

This can be done using several statements

Second, configure an interface to be part of a group that uses the specified access list:

Cisco Router (config-if) # ip access-group access-list-number {in | out}

Example:

Cisco Router (config) # interface ethernet 0

Cisco Router (config-if) # ip access-group 1 out
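An added Python example (not from the deck or from Cisco) that evaluates standard access-list statements the way the slide describes: a wildcard-mask bit of 0 means the source address bit must match, 1 means ignore it (the inverse of a subnet mask), statements are tried top down, and an address that matches nothing hits the implicit deny. The configuration text is constructed around the two statements shown on the slide.

```python
import re
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# One standard access-list statement: number, action, address, optional wildcard mask.
STATEMENT = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

Entry = Tuple[str, int, int]  # (action, base address as int, wildcard mask as int)


def parse_standard_acls(config_text: str) -> Dict[int, List[Entry]]:
    """Collect access-list statements by number, preserving configuration order."""
    acls: Dict[int, List[Entry]] = {}
    for line in config_text.splitlines():
        m = STATEMENT.match(line.strip())
        if not m:
            continue                    # interface lines etc. are not ACL statements
        number, action, addr, wild = m.groups()
        if addr == "any":               # "any" is shorthand for 0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif addr == "host":            # "host X" is shorthand for X 0.0.0.0
            addr, wild = wild, "0.0.0.0"
        elif wild is None:              # a bare address is an exact host match
            wild = "0.0.0.0"
        acls.setdefault(int(number), []).append(
            (action, int(IPv4Address(addr)), int(IPv4Address(wild))))
    return acls


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Bits where the wildcard is 0 must equal the base address; 1 bits are ignored."""
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Entry], src_ip: str) -> str:
    """Top down, first match wins; falling off the end is the implicit deny."""
    addr = int(IPv4Address(src_ip))
    for action, base, wild in acl:
        if wildcard_match(addr, base, wild):
            return action
    return "deny"


def acl_decision(config_text: str, number: int, src_ip: str) -> str:
    """Decision of access list `number` for a packet with source `src_ip`."""
    return evaluate(parse_standard_acls(config_text).get(number, []), src_ip)


# Constructed configuration built around the two statements on the slide.
CONFIG = """
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 199.245.180.0 0.0.0.255
interface ethernet 0
 ip access-group 1 out
"""

if __name__ == "__main__":
    for ip in ("172.16.44.9", "172.17.0.1", "199.245.180.200", "199.245.181.1"):
        print(ip, acl_decision(CONFIG, 1, ip))
```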

Page 88: Frank Lyons


Network Authentication Options

Authentication mechanisms supported by Cisco

TACACS

Extended TACACS

AAA/TACACS+

RADIUS


Page 89: Frank Lyons

Local Security Database

[Diagram: Cisco 2511 access server with the security database stored locally; UNIX server and Windows server on the network]

Small network with only one dial-in access server

Small number of dial-in ports

Page 90: Frank Lyons

Remote Security Database

[Diagram: router and dial-in access servers, UNIX server and Windows server, all authenticating against a TACACS+ or RADIUS server]

Provides a centralized security database to all dial-in access servers

Large network with many dial-in access servers

Large number of Access Servers and dial-in ports

Page 91: Frank Lyons


Check List

Auditor check list

Reference for more material

Csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf