Unit 4: Firewalls (I)

What is a firewall?

Types of firewalls Packet Filtering

Statefull

Application and Circuit Proxy

Firewall services and limitations

Writing firewall rules Example 1

Example 2

What is a Firewall? A system that enforces access policy between two (or more) networks. Based on a rules/policies, the firewall:

Blocks prohibited traffic. Note: this can be done silently (just drop) or actively, send back reset or ICMP messages. Usually better to do silently.

Allow authorized traffic. And, (some) check that the traffic for a given application is behaving correctly.

Firewall examines all traffic between the networks. Firewall may also perform other services:

NAT / PAT Caching Web access control/site filtering VPN/IPSEC

Two main philosophy to setup Firewall either: Block all that is not explicitly authorized. Authorize all that is not specifically blocked. Note: this can be used together on same firewall. Example: a firewall between

an organization and the Internet you may at the same time setup: All inbound traffic except specifically authorized is blocked. All outbound traffic except specifically blocked is authorized.

Always remember the implied rule. My suggestion: always write it explicitly. For this class: you are required to write it explicitly! … Else I choose which one it is

What is a Firewall?

A firewall is a device that makes the decision on what to do with a packet. The actions a firewall can take: Forward/accept the packet.

Drop the packet silently.

Drop the packet and send ICMP back to source to notify why it was dropped. This adhere to strict Internet standards but is it wise?

How is it performed? Packets are evaluated against a list of “rules” and

conditions

When the packet matches a rule: the action is triggered (reject or allow). The rest of the rules are not evaluated.

What is a Firewall?

Concretely what is a firewall? Can be many things: A router that runs traffic filtering rules or a modified version of

the routing software (For example Cisco IOS Firewall Feature Set). This is often referred as “Screening Router Firewalls” or “Screening Firewalls”. Pro: Can use existing router to perform some traffic filtering

such as RFC 1918 and RFC 2827 Filtering. Con: That can kill your router performance! Specially if rules

become complex!

A server with 2+ NICS running some traffic filtering or application proxy or specialized software. Usually Unix/Linux or Windows. Pro: Usually easy to use, nice GUI, use OS that the

administrator may already be familiar with. Con: Using a general-purpose OS to support firewall has lower

performance. If there is a security flaw in the OS (I know how likely is that ) the firewall may be compromised!

What is a Firewall?

A specialized hardware piece running a specialized software. Often referred as “Firewall Appliances”. Pro: Used specialized OS that is stripped down to

remove unnecessary services. Higher performance. Con: Higher Costs. May not have nice GUI.

A “Host-based” firewall. A.K.A. “Personal” Firewall. This is the last firewall piece in a defense in-depth strategy: load firewall software on all hosts. Pro: Greatly enhanced security because of host-specific

knowledge (For example, encrypted traffic can only be firewalled at end points). May allow to detect the presence/addition of unnecessary services at host.

Con: Expensive. May be very hard to manage. Trends: host firewall or host IDS on all desktops the

same way you see (or should see) anti-virus on all desktops today.

Types of Firewalls

Packet Filter

Statefull packet filter

Application and Circuit Proxy

Packet Filtering Firewalls

Control the forwarding or dropping of the data based on the IP header information.

It does not keep track of the connection or session state.

The information and fields that may be taken into consideration are: IP destination address

IP source address

Protocol type/number (ie: TCP, UDP, ICMP, …etc...)

Source protocol port number (TCP/80, UDP/53, …etc…)

Destination protocol port number (TCP/80, UDP/53, …etc…)

Flags (SYN, ACK, FIN, ..etc..)

Packet Filtering Pros and Cons Advantages

High performance Application independent Provide an economical solution to filter out many threats (SMURF, IP

source route, some spoofing) Can be implemented at “no cost” on existing routers using Access

Control Lists (ACL) – Note: need to be careful here: this can very negatively impact routing performance on certain routers. This is specially true for core routers (Usually NEVER enable ACL on core routers). Make sure that: 1. You understand the impact of enabling ACL on router operation 2. You know the router can handle the extra load of doing ACL

lookups and can still handle traffic in an acceptable manner.

Disadvantages Only look at Header information How do you handle incoming or return traffic that use a random/high

port for communication – Example when you connect to www/80 what is your source port #?

Can fairly easily be forced to pass traffic that is not proper Can dramatically lower performance of certain routers if implemented

on them

Connection establishment: Three-way handshake

Connection Release: Four-way handshake

Closing data stream in this direction only

State transition diagram

Client states

Server states

Statefull Packet Filtering Perform all the functions of a packet filtering firewall but also keep

track of the state of the connection and past packets in the communication.

The firewall will attempt to track all the information in the communication. This can be at all layers of the OSI. Examples: At layer 4 – If it evaluate a TCP packet from B to A that has a SYN-ACK

flag, it will verify that it has seen a corresponding SYN packet from A to B before.

At Layer 7 – If on SMTP, it see “MAIL FROM” message from A to B. It will verify that there has been a proper TCP connection established before and that a “HELO” command was sent and replied by a “2xx” response from B to A.

In other words: the statefull packet filter will keep track of all conversations and ensure that all packets transiting comply with proper protocol rules and operation.

Note: new variation of statefull firewall is starting to be popular: statefull FW with Intrusion Detection System/Intrusion Prevention System. More on that in the IDS unit.

Statefull Packet Filtering

Advantages

Scalable and transparent

High performance

Can handle “pesky” applications that jump ports in the process – Example: FTP in passive mode – H.323 – These are very hard to manage in a packet-filtering fw.

Disadvantages

Weak for “stateless” protocols

Harder to handle UDP return traffic

May not look at certain application layer data as a proxy would

Application and Circuit Proxy

A proxy firewall acts as an intermediate communication point between 2 parties: Each party “think” they directly communicate to

the other. Actually they communicate to the Proxy Firewall. A – Proxy – B: A communicates to the proxy,

the proxy then “acts” as A when communicating to B and vice-versa.

These proxy firewalls acts either at layer 3-4 (circuit proxy) or layer 7 (application proxy). Most often they act at layer 7.

Application and Circuit Proxy

Advantages

Better security as it looks at all data in the packet up to layer 7.

Can perform other functions such as Email virus scanning.

Disadvantages

Lower performance

L7 - Limited to protocols that are supported

Poor scalability under heavy traffic

May break custom applications

May not support standard applications on non-standard ports.

Other Services Sometime Performed by Firewall

Network Address Translation

Intrusion Detection/Prevention

Denial-of-Service (DOS) Inspection

Authentication

Virtual Private Network Termination

Traffic Logging

URL and/or Content Filtering

Virus Scanning

Firewalls Limitations

Firewalls have limitations. It is VERY important to understand them: They do not protect against viruses, worms, or trojans

(except in Application-level firewalls and new IDS/firewall hybrids.)

Can’t protect traffic that is not sent through them: Dial-up attacks; modems

Social engineering

Rerouting due to incompatibility with legacy system

Back doors

Cannot protect from danger in authorized traffic. (See Nimda and code red)

Cannot protect from some spoofing.

Firewall Rules Template The XLS available proposes a template to write firewall rules. This template will be

used in the class. Fields are: Set Name Rule # Protocol (IP, UDP, TCP, GRE, or protocol number) A/R (Accept/Reject) Source IP (Start) Source IP End or Source Wildcard Src Port (or protocol number) Destination IP (start) Destination IP (End) or Wildcard Dest Port Flag Comments

Always have a last rule that says either: Deny all Permit all Note #1: Often firewalls come with a “default” last rule that is always inserted at

the end and invisible. Strong suggestion ALWAYS specify a last rule even if it is the same as the system’s default.

Note #2: Often firewalls have a default “deny all” for ingress traffic and “accept all” for egress traffic. Why?

Class discussion. The rule must then be applied to a firewall interface and to an interface traffic

direction: Inbound or outbound.

Simple Firewall Rule Example

Firewall 1

Internet

Router

My-AC-store.com E-Commerce Infrastructure

Email Server

199.4.5.3

ISP DNS

12.11.22.33

Internet Users

E-Comm - Web

199.4.5.2

Intruder,

threat,

opponent

Inside Users

199.4.5.100-200

Outside Interface

- 199.4.6.2

Inside Interface -

199.4.5.1

Note: all subnets are 24

bits

199.4.6.1

Administrator

199.4.5.99

Simple Firewall Rule Example

The spreadsheet present full rule set for a packet filtering firewall that do not use statefull inspection.

Discussion in-class You can notice that some fairly general rules had to

be added to allow return traffic. This is a problem and can allow attacker to bypass the firewall

The simplified rule show rule set for a statefull firewall. The firewall will keep track of connection establishment, high port assignment and correspondence to conversation.

This make rule writing simpler and enhance security… But cost more $$$.

Firewall Example #2

Firewall 1

Internet

Router

My-ac-corporate.com E-Commerce

Infrastructure

Email Server

Internal DNS

202.22.1.3

ISP DNS

12.11.22.33

Internet Users

Corporate Web

202.22.1.2

Intruder,

threat,

opponent

Inside Users

202.22.1.100-200

Outside Interface

- 202.22.2.2

Inside Interface -

202.22.1.1

Note: all subnets are 24

bits

202.22.3.1

Firewall 2Inside Interface -

202.22.2.1

Outside Interface

- 202.22.3.2Email Relay

External Web

External DNS

202.22.2.3Headquarters

Router198.1.1.1

Firewall 3Inside Interface -

202.22.4.1

Outside Interface

- 198.1.1.2

Inside Users

202.22.4.2-254

Remote Office

12.55.55.55

Firewall Example #2 Functional Requirements:

Internal users are Headquarters and remote office. Internal user do DNS resolution on 202.22.1.3 and can access corporate web and internal mail. Email between Internal and Internet transit via Email replay for virus scan. The Internal DNS resolve to ISP DNS for unknown zones. External web, relay email handles all Internet user access including DNS resolve. All internal users can access web on 80/443. A “Bad guy” is 12.55.55.5 – prevent him any access. Ping and ping responses should be allowed All firewalls are statefull, return traffic inspection is not required. OPTIONAL – You should perform RFC 1918 and anti-spoofing filtering.

Please work on it and come up with solutions for next week. We will discuss in class. How many rule sets should be developed?

1 2 4 6 8 10 12 300.5? More?

Based on no traffic initiated or terminating at the FW, can we establish how many rules sets we will ever need if written correctly?

Firewall Example #2 (contd.)

Part of Homework #3 (which is due in two weeks) is to write the firewall rules for the above example. Please try to write the rules and bring them to class next week. The initial thinking process, and some additional discussion during next class, will likely help you to do a better job for HW #3! This initial solution is to be included in your final HW #3 submission.