Post on 20-Dec-2015
Firewalls
Pavel Aharoni
January 19th, 2006 Firewalls 2
Main Topics
Motivation
Types of firewalls
Filtering methods
Examples
Demo of Kerio PF installation
The Internet in the B.F. era
Early Internet was a rather closed community, mostly used by the military and the universities in the US.
On Nov. 2, 1988, the famous Morris worm hit numerous computers, including NASA and major universities, spreading among the hosts and multiplying itself on them (due to a bug, or a feature?), until no other processes could be run on the hosts.
A good example of something a firewall could easily prevent.
The first firewalls were introduced in the late 80s by Cheswick and Bellovin. Bellovin’s definition: “Firewalls are barriers between 'us' and 'them' for arbitrary values of 'them'.”
What Firewalls Can and Should Do
Security
  Preventing info leaks
  OS/application security holes
  Stopping unwanted data flow
User authentication
Logging and auditing
What Firewalls Can’t Do
Insider attacks
Back-door creation and usage
Stopping malware (true for firewalls without content inspection)
Mismanaged policy
Giving away passwords, etc.
Some outside attacks
Drawbacks
Traffic bottleneck
Single point of failure
Accurate configuration is a must
User frustration
  Logins, passwords… who needs them?
Increased management responsibilities
  Extra work for admins, need to check logs frequently to verify correct functioning
Types of Firewalls
There are three basic types of firewalls depending on:
1. Whether the communication is being done between a single node and the network, or between two or more networks
2. Whether the communication is intercepted at the network layer, or at the application layer
3. Whether the communication state is being tracked at the firewall or not
Network Firewalls
Can be either software or hardware
Often mistakenly identified with NIDS (Network Intrusion Detection System)
Both are part of a security suite – NIDS searches and alerts, while the firewall protects and prevents
NIDS
Built on so-called bastion hosts: computers that are fully exposed to attack.
The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. The DMZ can be thought of as an unsafe area.
DMZ typical structure
“Three-legged firewall”
Free access from internal network to DMZ, but only one way!
Intrusion Detection Methods
Packet filtering
  Packet header is inspected
  Decision whether or not to let the packet through can depend on:
    Source IP address
    Destination IP address
    Protocol type
    Source port
    Destination port
Packet Filtering Strengths
Faster than other packet screening
  Done at relatively low level
Transparent for the user
  Usually a built-in feature
  Requires no further configuration
Application independent
  Decisions are based on the incoming packet header only
  Can help prevent malware inside the network from operating
Packet Filtering Weaknesses
All-or-nothing approach towards ports
  In most implementations, if a port is open, it’s open for all the traffic – can be a security hole
Complicated configuration
  Lengthy rules can be prone to errors and slow
Unable to protect from certain types of attacks
  IP spoofing, buffer overflow, ICMP tunneling, FTP
Direct connection establishment
  My IP is seen by the outside world
Intrusion Detection Methods
Stateful packet inspection (SPI)
  Uses packet filtering principles with the addition of connection state inspection
  Connection state is derived from previous packets
  A dynamic state table is maintained; packets are fed into it to verify they are part of a valid connection
  Newer firewalls can perform additional operations while performing SPI, such as reassembling, content filtering…
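The state table described above, as an added example that is not part of the original lecture: a minimal TCP-only SPI engine. It assumes a hypothetical protected network 10.0.0.0/24 from which connections may be opened, and shows that a forged "reply" from outside is dropped because no table entry matches it.

```python
from collections import namedtuple
# Added example (not from the lecture): a minimal stateful packet inspector.
# Assumes the protected network is 10.0.0.0/24 (hypothetical) and that only
# inside hosts may open TCP connections; any other packet must match the table.
INSIDE_PREFIX = "10.0.0."
Packet = namedtuple("Packet", "src sport dst dport flags")
def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))
def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (in_ip, in_port, out_ip, out_port) -> connection state

    def key(self, p):  # both directions of a flow map onto one table entry
        if is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        k = self.key(p)
        state = self.table.get(k)
        if state is None:
            # No entry: only a fresh SYN from the inside may create one. A forged
            # ACK or SYN/ACK from outside matches nothing and is dropped, where a
            # stateless "allow packets with ACK set" rule would let it through.
            if is_inside(p.src) and p.flags == {"SYN"}:
                self.table[k] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if "RST" in p.flags or "FIN" in p.flags:
            del self.table[k]  # teardown (simplified: no half-close tracking)
            return "ACCEPT"
        if state == "SYN_SENT":
            if not is_inside(p.src) and p.flags == {"SYN", "ACK"}:
                self.table[k] = "ESTABLISHED"
                return "ACCEPT"
            # only a retransmitted SYN from the inside is valid at this point
            return "ACCEPT" if is_inside(p.src) and p.flags == {"SYN"} else "DROP"
        return "ACCEPT"  # ESTABLISHED: data may flow in both directions

def demo():  # verdicts for a constructed sequence: one real connection, two forgeries
    fw = StatefulFirewall()
    return [fw.filter(p) for p in [
        pkt("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"),         # inside opens
        pkt("203.0.113.10", 80, "10.0.0.5", 40000, "SYN", "ACK"),  # handshake reply
        pkt("10.0.0.5", 40000, "203.0.113.10", 80, "ACK"),
        pkt("203.0.113.10", 80, "10.0.0.5", 40000, "ACK"),         # server data
        pkt("198.51.100.7", 80, "10.0.0.5", 40001, "ACK"),         # forged "reply"
        pkt("198.51.100.7", 55555, "10.0.0.5", 22, "SYN"),         # inbound connect
    ]]
```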
SPI Strengths
Also low-level
  Minor processing and network overhead, transparency, application independent
More secure than basic packet filtering
  Due to the connection state inspection, more robust against several types of attacks
Application Gateways/Proxies
Operate on the application level
Communications with untrusted networks are made strictly through the gateway/proxy
  Packets are inspected and forwarded on behalf of client/server, depending on the direction (proxy usually works both ways)
Gateway/proxy Strengths
No direct client-server connection
Provides a form of NAT (to be explained)
More configuration granularity
  Option to enable/disable certain applications and/or their features
User authentication
Logging
Gateway/proxy Weaknesses
Performance!
  Inspection on the application level, as opposed to lower layers with packet filtering and SPI
  Sensitive to scalability problems
Each protocol requires a corresponding application
  Can be difficult to add new protocols
Effectiveness depends on the underlying OS
Prone to denial-of-service attacks
Adaptive proxy
Basic proxies are secure, but slow
Adaptive proxy combines application and network level inspection
  Only the first part of the connection is inspected at the application level, as opposed to all the packets in the basic model
  If the connection is approved, its subsequent packets are inspected at network level
Circuit-level Gateways
No packet inspection
TCP/UDP sessions are checked instead
Once a session is approved, the corresponding port is opened to the session’s packets
When the session is terminated, the port is closed
Main advantage – works on transport level
Data Link Layer Firewalls
Also called “bridge firewalls”
Transparent on the network level – can be placed anywhere
Immune to IP-related attacks
Relatively Rare Types of Firewalls
Transparent proxies
  Client sends/receives packets as usual, but actually talks with the TP only
Signature-based FW
  Monitoring potentially hazardous data (using pattern matching)
Distributed FW
  Among hosts or even among devices
Network Address Translation
NAT uses internal addresses to multiplex/demultiplex Internet traffic
The outside world sees the network behind NAT as having a single IP
Can be useful for firewalling purposes
  Internal network is hidden from the outside world – all traffic to/from it goes through the NAT facility
  Used by most home routers
Early Firewalls
The first firewalls’ target was to separate a big network into many small LANs, allowing each of them to be administered autonomously, so that problems in one specific LAN (noisy applications, management problems, etc.) wouldn’t affect the whole network.
It wasn’t until the early 1990s that the first security-oriented firewalls emerged. They were IP routers with filtering rules. The first security policy was something like: “Allow anyone "in here" to access "out there." Also, keep anyone (or anything I don't like) "out there" from getting "in here."”
Early Firewalls – cont.
The first commercial firewall (DEC) was configured for and delivered to the first customer, a large East Coast-based chemical company, on June 13, 1991.
DEC SEAL and Its Structure
1. The only point the Internet can talk to
2. Only authorized users can access external services
Filtering gateway – user is prompted about packets
Not accessible from outside
DEC SEAL
Classic example of application-level firewall
Later integrated with AltaVista firewall
No longer exists as is
AT&T Firewall
Designed and written by Presotto and Cheswick
Worked on transport level
All outbound connections were allowed, as opposed to DEC
Also not very fast
CheckPoint’s VPN-1/Firewall-1
CheckPoint’s Firewall-1 emerged soon after, becoming the world-wide leader in the area
Firewall-1 is integrated in VPN-1
First FW to use stateful inspection
Adds a time element into the filtering policy
  Access can be restricted during certain hours of the day
  Allows safe backup/maintenance work without the repaired server being accessed
January 19th, 2006 Firewalls 31
CheckPoint’s VPN-1/Firewall-1
Strong content security capabilities
  File name matching for FTP
  Email address translation for SMTP
  JS content checking in HTTP
FireWall-1 GX for wireless networks
Many, many more components (less related to the firewall lecture…)
January 19th, 2006 Firewalls 32
Microsoft Internet Security and Acceleration Server (ISA)
Includes, among other things:
  Stateful packet and application layer inspection firewall
  HTTP content inspection
  SSL bridging – decryption of SSL content to check for malicious code
  Authentication
  Option for checking valid URLs
  Can be integrated with already existing authentication frameworks
January 19th, 2006 Firewalls 33
ipchains
Software-based firewall for Linux
Allows NAT in addition to firewalling
Was re-written since the old IPv4 firewalling code did not support IP fragments
  Another reason was the inability to specify protocols to be inspected other than TCP, UDP, ICMP
Essentially, gives the ability to create your own filtering rules
January 19th, 2006 Firewalls 34
ipchains
Four chains: input, output, forward, user defined
Kernel has to be compiled with numerous enabled options
  CONFIG_PACKET, CONFIG_NET_ALIAS, CONFIG_IP_FIREWALL, etc.
January 19th, 2006 Firewalls 35
ipchains – Filtering by IP Address
Flags define the action taken on a specific chain, kind of action, protocol(s), IP address space, network type, etc.
Deny (and log, -l) anything claiming to come from the loopback range on a real interface:
# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i ppp0 -d 0.0.0.0/0
# if you are on dialup
January 19th, 2006 Firewalls 36
ipchains – Filtering by Port
Say we want to restrict access through rlogin
  We fear that the attacker managed to alter the .rhosts file, for example
Two rules for the input chain: restricting all traffic through this port, and allowing it only from the trusted network
# ipchains -A input -j ACCEPT -p tcp -s x.x.x.x/24 -d y.y.y.y/32 513
# ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -d y.y.y.y/32 513
(ipchains takes the first matching rule, so the ACCEPT for the trusted network is appended before the catch-all DENY; in the reverse order the DENY would match first and lock out the trusted network too)
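The rlogin rules above, as an added example that is not part of the lecture or of ipchains itself: a first-match packet filter modelling an ipchains input chain, using hypothetical addresses in place of x.x.x.x/24 and y.y.y.y/32. It shows why the order of the two rules matters (the first match decides, so a catch-all DENY placed first also locks out the trusted network) and also covers the loopback-spoofing rules from the previous slide.

```python
import ipaddress
# Added example (not from the lecture or ipchains itself): a first-match packet
# filter modelling an ipchains 'input' chain, with hypothetical addresses standing
# in for the slide's x.x.x.x/24 (trusted network) and y.y.y.y/32 (rlogin host).
TRUSTED_NET = "192.0.2.0/24"
RLOGIN_HOST = "198.51.100.20/32"

def rule(target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0", dport=None, iface=None):
    """One chain entry; None means 'any', like an omitted ipchains option."""
    return {"target": target, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "dport": dport, "iface": iface}

def matches(r, p):
    return ((r["proto"] in ("all", p["proto"]))
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and r["dport"] in (None, p["dport"])
            and r["iface"] in (None, p["iface"]))

def filter_packet(chain, p, policy="ACCEPT"):
    """Walk the chain top-down; the first matching rule decides, as in ipchains
    (rules appended with -A are evaluated in the order they were added)."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy  # chain policy applies when nothing matched

def packet(src, dst, dport, proto="tcp", iface="eth0"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "iface": iface}

# The slide's two rlogin rules in both possible orders
ACCEPT_TRUSTED = rule("ACCEPT", "tcp", TRUSTED_NET, RLOGIN_HOST, 513)
DENY_ALL_513 = rule("DENY", "tcp", "0.0.0.0/0", RLOGIN_HOST, 513)
DENY_FIRST = [DENY_ALL_513, ACCEPT_TRUSTED]    # catch-all first: trusted hosts locked out too
ACCEPT_FIRST = [ACCEPT_TRUSTED, DENY_ALL_513]  # intended behaviour

# The slide's loopback-spoofing rules: 127/8 must never arrive on a real interface
LOOPBACK_RULES = [rule("DENY", "all", "127.0.0.0/8", iface="eth0"),
                  rule("DENY", "all", "127.0.0.0/8", iface="ppp0")]

def rlogin_verdicts(chain):
    """(trusted client, stranger) verdicts for TCP port 513 on the rlogin host."""
    trusted = packet("192.0.2.9", "198.51.100.20", 513)
    stranger = packet("203.0.113.5", "198.51.100.20", 513)
    return filter_packet(chain, trusted), filter_packet(chain, stranger)
```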
January 19th, 2006 Firewalls 37
ipchains – Additional Features
In port filtering, it is also possible to state a service name, a range of ports, etc.
IP accounting – statistics on packets going through, on a source/dest IP address basis
Setting up NAT
Port redirection (for example, if you’re running a transparent proxy)
# ipchains -A input -j REDIRECT 8080 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80
January 19th, 2006 Firewalls 38
Personal Firewalls
Defending a specific host rather than a network
Windows XP has integrated PF
Improved version includes outbound packet filtering, IPv6 and IPSec support, etc.
January 19th, 2006 Firewalls 39
ZoneAlarm PF by CheckPoint
Part of powerful security suite
Free for personal use
First program to monitor outgoing traffic and deploy application-level filtering of communication
January 19th, 2006 Firewalls 40
ZoneAlarm Evaluation
Pros:
1. Very easy to use
2. Completely conceals the host from the Internet
3. Resistant to leak-test attack
  Invention of Steve Gibson – trying to send outbound data on behalf of a trusted application
  ZA has cryptographic signatures for allowed applications
4. Some tests show resistance to file sharing attacks
Cons:
1. Poor statistics (too basic)
2. Free version can hardly be configured
3. No signature-based IDS usage
4. Can’t password-protect settings
January 19th, 2006 Firewalls 41
Sygate PF 5.x
Pros:
1. Free version for personal use
2. Some degree of advanced program control
3. Full packet logging, user-defined rules
4. Some outbound inspection
Cons:
1. No predefined program permissions
2. Confirmation popups are hard to interpret
January 19th, 2006 Firewalls 42
Norton Personal Firewall
Pros:
1. Effective blocking system
2. Automatic rule generation for known apps
3. Hides almost all ports
Cons:
1. A bit expensive
2. Some ports are reported as “closed” – that means there is something at that IP
3. Somewhat difficult access definitions
January 19th, 2006 Firewalls 43
BlackIce Defender
Pros:
1. Four levels of security – Trusting, Cautious, Nervous and Paranoid
2. Efficient intrusion analysis and handling – not seen in other known firewalls
Cons:
1. Pro No. 1 – cumbersome
2. Difficult configuration
Many-many others (McAfee, Kerio, Outpost…)
January 19th, 2006 Firewalls 44
Summary
Firewalls help to solve some security problems and fail with others
Require additional modules (IDS, antivirus…) to keep the host/network clean