CSIS 4823Data Communications

Networking – FirewallsMr. Mark Welton

Firewalls are devices that prevent traffic from entering or leaving a network

Firewalls are often used between networks, or when a network connects to another network, such as the Internet or business partners

Firewalls can be standalone appliances, software, or integrated modules in other devices

VPN services are often also supported on firewalls

Firewalls

Basic Security Practices:◦ Keep it simple◦ Monitor your logs◦ Deny everything◦ Everything not mine is firewalled

Firewalls

Keep it simple – make security rules easy to read and understand, use naming conventions over numbering schemes

Monitor your logs – log all firewall activity to a separate syslog server, and review the logs as part of your normal daily routine

Firewalls

Deny everything – best practice, nothing should be allowed inbound unless there is a valid documented business need for it. Restricting outbound traffic is also the smart thing to do, but it often comes with the heated debate between conveniences over security. Many firewalls default to allow everything outbound.

Firewalls

Everything not mine is firewalled – any third-party devices or networks should be separated for your network by a firewall

Firewalls

DMZ (Demilitarized Zone is a network that is neither inside nor outside the firewall

A middle ground network that is less restrictive than the inside network but more secure than the outside network

Firewalls

Common DMZ Scenario

Firewalls

Inside Network - can initiate connections to any other network, but no other network can initiate connections to it

Outside network - The outside network cannot initiate connections to the inside network but can initiate connections to the DMZ

DMZ - The DMZ can initiate connections to the outside network, but not to the inside network. Any other network can initiate connections into the DMZ

Firewalls

One of the main benefits of this type of design is isolation

Should the email server come under attack and become compromised, the attacker will not have access to the users on the inside network

Servers in a DMZ should be locked down with security measures as if they were on the Internet

Firewalls

Understanding how each service works will help you to understand how the firewall should be configured

Firewalls

Email server - POP, IMAP, and SMTP (TCP ports 110, 143, and 25) should be allowed. All other ports should not be permitted from the Internet

Firewalls

Web server - HTTP and HTTPS (TCP ports 80 and 443) should be allowed. All other ports should be denied from the Internet

Firewalls

DNS server - Only DNS (UDP port 53, and, possibly, TCP port 53) should be allowed from the Internet. All other ports should be denied.

Firewalls

Ideally, only the protocols needed to manage and maintain the servers should be allowed from the managing hosts inside to the DMZ

Traffic should not be allowed from the DMZ the inside network

Firewalls

Another common DMZ implementation involves connectivity to a third party, such as a vendor or supplier

Firewalls

Firewalls

Access Control List (ACL) are made up of individual entries called access control entries (ACE)

Wildcard masks (also called inverse masks) are used in many devices for creating access lists

A wildcard mask is to match a range that can be described with a subnet mask (typical used on routers)

Access Lists

A simple rules that will solve Classful subnet/wildcard mask is:◦ If the subnet mask has 0 replace it with 255◦ If the subnet mask has 255 replace it with 0

Subnet mask Matching wildcard mask

255.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255 255.255.255.0 0.0.0.255

Access Lists

What if it is not a Classful subnet 255.255.255.224 The wildcard mask will be a derivative of

the number of host addresses provided by the subnet mask minus one

So how many host are in this subnet?

Access Lists

255.255.255.224 Last octet is 11100000 So what is the power of two that represents

the number of hosts?

Access Lists

255.255.255.224 or /27 The last 5 bits represent the number of

hosts 25 = 32 – 1 =31 So the wildcard mask is 0.0.0.31

Access Lists

11100000128 64 32 16 8 4 2 1

27 26 25 24 23 22 21 20

What would the wildcard mask be for 255.240.0.0

Access Lists

What would the wildcard mask be for 255.240.0.0

1. Replace all 0 octets with 255 and all 255 octets with 0◦ 0.240.255.255

2. 240 in the last octet of a subnet mask (255.255.255.240) would yield 16 hosts

16 − 1 = 15 The wildcard mask is 0.15.255.255

Access Lists

So on a Cisco router this would be what a access control entry would look like to allow web traffic to a subnet 10.10.10.0/24

Permit tcp any 10.10.10.0 0.0.0.255 eq www

Access Lists

To make it more confuring this is what a Cisco ASA(firewall) ACE would look like for the same network

access-list GAD extended permit tcp any 10.0.0.0 255.255.255.0 eq www

Some equipment like NX-OS use CIDR 10 permit tcp 10.10.10.0/24 any eq www

Access Lists

So where should we apply the ACL?

Where to Apply Access Lists

ACLs can be placed on either inbound on an interface or outbound

Inbound traffic is referred to as ingress Outbound traffic is referred to as egress In almost all cases you will place the ACL on

the inbound of the interface (coming into the device)

Where to Apply Access Lists

If you placed the ACL outbound on E0 the router would have to process the packet to then only drop them based on an ACL

Where to Apply Access Lists

ACL are applied “Top Down” Unlike routes which are applied as most

specific ACL are applied as first match This can cause the concept of hidden rulesip access-list extended GAD permit tcp any 10.10.10.0 0.0.0.255 eq www permit tcp any host 10.10.10.100 eq www permit tcp any host 10.10.10.100 eq domain The second rule will be “hidden” by the first

Hidden Rules

Most devices allow objects to be “grouped” under a single name

Object groups allow a group of networks, IP addresses, protocols, or services

The name can then be used in a single ACL instead of writing multiple ACLs

Object Grouping

Routers typically use packet filtering on ACLs

As the ACLs get more complex on multiple interfaces ACE will need to be written to allow the traffic in and then allow the return packet to go back

These rules can become hard to manage

Firewalls vs. Routers

Protocols like HTTP are not handled in a single packet

A request (and handshake with TCP) are sent over several packets then a reply is returned

Firewalls vs. Routers

Routers can use the concept of reflexive access lists to create temporary permit statements that are a reflection of the original communication

Firewalls vs. Routers

Firewalls use stateful inspection Firewalls track the connection of the flow of

data An ACL on the inside interface allowing

HTTP will allow the return traffic based on the client request happening first

Firewalls vs. Routers

Motivation: local network uses just one IP address as far as outside world is concerned:◦ range of addresses not needed from ISP: just one

IP address for all devices◦ can change addresses of devices in local network

without notifying outside world◦ can change ISP without changing addresses of

devices in local network◦ devices inside local net not explicitly addressable,

visible by outside world (a security plus)

Network Address Translation

Why use NAT?◦ You need to connect a network to the Internet and

your hosts do not have globally unique IP addresses

◦ You change over to a new ISP that requires you to renumber your network

◦ Two intranets with duplicate addresses are now connected

Network Address Translation

Two types of NAT Translation◦ Static translation occurs when you specifically

configure addresses in a lookup table A specific inside address maps into a

prespecified outside address Also called one-for-one mapping

◦ Dynamic translation occurs when the NAT border router is configured to understand which inside addresses must be translated, and which pool of addresses may be used for the outside addresses

Network Address Translation

In static NAT the device will always translate to the same external address

Most common use is for NAT servers running services to the Internet

Network Address Translation

In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use

What happen if all the addresses in the pool are in use?

Network Address Translation

In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use

What happen if all the addresses in the pool are in use?

Network Address Translation

Network Address Translation

NAT conserves the legally registered addressing scheme by allowing privatization of intranets, yet allows legal addressing scheme pools to be set up to gain access to the Internet.

NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network, then the network was connected to the public network (which may use the same addressing scheme) without address translation, the potential for overlap exists globally.

NAT Advantages

NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified as planners have more flexibility when creating an address plan.

Deprivatization of a network requires renumbering of the existing network; the costs can be associated to the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and still supports the new assigned addressing scheme outside the private network.

NAT Advantages

NAT increases delay◦ Switching path delays, of course, are introduced

because of the translation of each IP address within the packet headers

◦ Performance may be a consideration because NAT is currently done using process switching

◦ The CPU must look at every packet to decide if it has to translate it, and then alter the IP header and possibly the TCP header

◦ It is not likely that this process will be easily cacheable.

NAT Disadvantages

One significant disadvantage when implementing and using NAT is the loss of end-to-end IP trace ability

It becomes much harder to trace packets that undergo numerous packet address changes over multiple NAT hops

This scenario does, however, lead to more secure links because hackers who want to determine a packet's source will find it difficult, if not impossible to trace or obtain the origination source or destination address

This also means that you may have the same issue

NAT Disadvantages

NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses

Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router

Sometimes this problem can be avoided by implementing static NAT mappings

NAT Disadvantages

User at host 10.1.1.1opens a connection to outside host B.

NAT Step 1

The first packet that the border router receives from host 10.1.1.1 causes the router to check its NAT table. If a translation is found because it has been statically configured, the router continues to the next step.

If no translation is found, the router determines that address 10.1.1.1must be translated. The router allocates a new address and sets up a translation of the inside local address 10.1.1.1to a legal inside global address from the dynamic address pool

NAT Step 2

The border router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.

NAT Step 3

Host B receives the packet and responds to that node using the inside global IP address 192.168.2.2.

NAT Step 4

When the border router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address as the reference.

NAT Step 5

The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. For each packet, the router performs Step 2 through Step 5.

NAT Step 6

Port Address Translation (PAT) allows for a single Internet IP address to translate to a large number of internal hosts

This is done by using both the source and destination IP address and the source and destination port to handle the translation

PAT is considered a subset of NAT Same vendors refer to this a overloading

Port Address Translation

User at host 10.1.1.1opens a connection to host B

PAT Step 1

The first packet the router receives from 10.1.1.1 causes the router to check its NAT table

PAT Step 2

If no translation is found, the router determines that address 10.1.1.1 must be translated

PAT Step 2

The router allocates a new address and sets up a translation of the inside local address 10.1.1.1 to a legal global address

PAT Step 2

the router will reuse the global address from that translation and save enough information to be able to distinguish it from the other translation entry

PAT Step 2

The router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.

PAT Step 3

Outside host B receives the packet and responds to that node using the inside global IP address 192.168.2.2

PAT Step 4

When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address and port number, and the outside address and port number as the references

PAT Step 5

The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1

PAT Step 6

Host 10.1.1.1 receives the packet and continues the conversation.

For each packet, the router performs Step 2 through Step 5

PAT Step 6