CS 356 Firewalls and
Intrusion Prevention
Fall 2013
Review
• Chapter 1: Basic Concepts and Terminology
• Chapter 2: Basic Cryptographic Tools
• Chapter 3 – User Authentication
• Chapter 4 – Access Control Lists
• Chapter 5 – Database Security (skipped)
• Chapter 6 – Malicious Software
• Networking Basics (not in book)
• Chapter 7 – Denial of Service
• Chapter 8 – Intrusion Detection
• Chapter 9 – Firewalls and Intrusion Prevention
Chapter 9
Firewalls and Intrusion Prevention Systems
The Need For Firewalls
• internet connectivity is essential
• however it creates a threat
• effective means of protecting LANs
• inserted between the premises network and the Internet to establish a controlled link
• can be a single computer system or a set of two or more systems working together
• used as a perimeter defense
• single choke point to impose security and auditing
• insulates the internal systems from external networks
Firewall Characteristics
Types of
Firewalls
Packet Filtering Firewall
• applies rules to each incoming and outgoing IP packet
  – typically a list of rules based on matches in the IP or TCP header
  – forwards or discards the packet based on rules match
• two default policies:
  – discard - prohibit unless expressly permitted
    • more conservative, controlled, visible to users
  – forward - permit unless expressly prohibited
    • easier to manage and use but less secure
Packet
Filter
Rules
Packet Filter
Advantages And Weaknesses
• advantages
  – simplicity
  – typically transparent to users and are very fast
• weaknesses
  – cannot prevent attacks that employ application specific vulnerabilities or functions
  – limited logging functionality
  – do not support advanced user authentication
  – vulnerable to attacks on TCP/IP protocol bugs
  – improper configuration can lead to breaches
Stateful Inspection Firewall
Stateful Firewall Connection State Table
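An added example (not from the slides or the textbook) that puts the packet-filter rule matching, the discard vs. forward default policies, and a minimal connection state table into working Python; the rule, addresses and ports are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False    # TCP SYN: first packet of a new connection

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str = "*"       # address prefix or "*" (prefix match keeps the toy simple)
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src == "*" or p.src.startswith(self.src))
                and (self.dst == "*" or p.dst.startswith(self.dst))
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default   # "deny" = discard policy, "permit" = forward policy
        self.state = set()       # connection state table of permitted 5-tuples

    def decide(self, p: Packet) -> str:
        # Stateful check: a reply to a tracked connection passes without a rule.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.state:
            return "permit"
        # First matching rule wins; otherwise the default policy applies.
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        if action == "permit" and (p.syn or p.proto == "udp"):
            self.state.add((p.src, p.dst, p.proto, p.sport, p.dport))  # remember opening
        return action

def demo(default: str):
    """Constructed traffic: one rule permits inside hosts to reach web servers."""
    fw = Firewall([Rule("permit", src="192.168.1.", proto="tcp", dport=80)], default)
    out = fw.decide(Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 80, syn=True))
    reply = fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 51000))
    unsolicited = fw.decide(Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 51001))
    return out, reply, unsolicited
```

With the discard policy the unsolicited inbound packet is dropped while the tracked reply still passes; with the forward policy the same unsolicited packet is admitted, which is the "less secure" point of the slide.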
Application-Level Gateway
• also called an application proxy
• acts as a relay of application-level traffic
• user contacts gateway using a TCP/IP application
• user is authenticated
• gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
• may restrict application features supported
• tend to be more secure than packet filters
• disadvantage is the additional processing overhead on each connection
Circuit-Level
Gateway
SOCKS Circuit-Level Gateway
• SOCKS v5 defined in RFC 1928
• designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall
• client application contacts SOCKS server, authenticates, sends relay request
  – server evaluates and either establishes or denies the connection
components
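The exchange just described, as an added example that is not part of the slides: both sides of the RFC 1928 method negotiation and CONNECT request are encoded and decoded, and the server side applies a constructed port allow-list to decide between "succeeded" and "connection not allowed by ruleset" (the reply codes are those defined in RFC 1928; the allow-list and bound-address placeholder are assumptions of this example):

```python
import socket   # inet_aton / inet_ntoa convert IPv4 text <-> 4 bytes
import struct

SOCKS_VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def client_greeting(methods=(METHOD_NOAUTH,)) -> bytes:
    """Step 1: VER | NMETHODS | METHODS (the client offers its auth methods)."""
    return bytes([SOCKS_VER, len(methods), *methods])

def server_select(greeting: bytes, supported=(METHOD_NOAUTH,)) -> bytes:
    """Step 1 reply: VER | METHOD, 0xFF when nothing offered is acceptable."""
    offered = greeting[2:2 + greeting[1]]
    chosen = next((m for m in offered if m in supported), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VER, chosen])

def client_connect(host: str, port: int) -> bytes:
    """Step 2: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (IPv4 literal or domain)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                       # not a dotted quad: send as a domain name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(req: bytes):
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        host, rest = req[5:5 + req[4]].decode(), req[5 + req[4]:]
    else:
        raise ValueError("address type not handled in this example")
    return cmd, host, struct.unpack("!H", rest[:2])[0]

def server_evaluate(req: bytes, allowed_ports) -> bytes:
    """Step 2 reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT after the ruleset check."""
    cmd, _host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    else:
        rep = REP_SUCCEEDED if port in allowed_ports else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT would be the relay's outbound socket; 0.0.0.0:0 is a placeholder
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)
```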
Types of
Firewalls
Bastion Hosts
• system identified as a critical strong point in the network's security
• serves as a platform for an application-level or circuit-level gateway
• common characteristics:
  – runs secure O/S, only essential services
  – may require user authentication to access proxy or host
  – each proxy can restrict features, hosts accessed
  – each proxy is small, simple, checked for security
  – each proxy is independent, non-privileged
  – limited disk use, hence read-only code
Host-Based Firewalls
• used to secure an individual host
• available in operating systems or can be provided as an add-on package
• filter and restrict packet flows
• common location is a server
Personal Firewall
• controls traffic between a personal computer or workstation and the Internet or enterprise network
• for both home or corporate use
• typically is a software module on a personal computer
• can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• typically much less complex than server-based or stand-alone firewalls
• primary role is to deny unauthorized remote access
• may also monitor outgoing traffic to detect and block worms and malware activity
Personal Firewall Interface
Firewall Configuration
Virtual Private Networks (VPNs)
Distributed Firewall Configuration
Firewall Topologies
Intrusion Prevention Systems
(IPS)
• recent addition to security products
• inline network-based IDS that can block traffic
• functional addition to firewall that adds IDS capabilities
• can block traffic like a firewall
• makes use of algorithms developed for IDSs
• may be network or host based
Host-Based IPS
(HIPS)
• identifies attacks using both signature and anomaly detection techniques
  – signature: focus is on the specific content of application payloads in packets, looking for patterns that have been identified as malicious
  – anomaly: IPS is looking for behavior patterns that indicate malware
• can be tailored to the specific platform
• can also use a sandbox approach to monitor behavior
Network-Based IPS
(NIPS)
• inline NIDS with the authority to discard packets and tear down TCP connections
• uses signature and anomaly detection
• may provide flow data protection
  – monitoring full application flow content
• can identify malicious packets using:
  – pattern matching
  – stateful matching
  – protocol anomaly
  – traffic anomaly
  – statistical anomaly
Snort Inline
• enables Snort to function as an intrusion prevention capability
• includes a replace option which allows the Snort user to modify packets rather than drop them
• useful for a honeypot implementation
• attackers see the failure but can't figure out why it occurred
Unified
Threat
Management
Products
Sidewinder G2
Security
Appliance
Attack
Protections
Summary -
Transport Level
Examples
Sidewinder G2
Security Appliance
Attack Protections
Summary -
Application Level
Examples (page 1 of 2)
Summary
• firewalls
  – need for
  – characteristics of
  – techniques
  – capabilities/limitations
• types of firewalls
  – packet filtering firewall
  – stateful inspection firewalls
  – application proxy firewall
  – circuit level proxy firewall
  – bastion host
  – host-based firewall
  – personal firewall
• firewall location and configurations
  – DMZ networks
  – virtual private networks
  – distributed firewalls
• intrusion prevention systems (IPS)
  – host-based IPS (HIPS)
  – network-based IPS (NIPS)
  – Snort Inline
  – UTM products