Chapter 9: Kinds of Firewalls Kate Solinger Tamara Teslovich.

Posted 22-Dec-2015, category: Documents.

Transcript of Chapter 9: Kinds of Firewalls (slides by Kate Solinger and Tamara Teslovich).

Page 1:

Chapter 9: Kinds of Firewalls

Kate Solinger
Tamara Teslovich

Page 2:

What's a firewall?

• Any device, software, or arrangement of equipment that limits network access
• Characterized by the protocol level it controls: packet filtering, circuit gateways, and application gateways
• A combination of the above is a dynamic packet filter

Page 3:

Packet Filters

• Cheap, useful level of gateway security
• Filtering abilities come with router software
• Drop packets based on their contents, or on the incoming or outgoing interface
• Blocks spoofed packets (ingress and egress filtering)
• Permits or denies certain services
• Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

Page 4:

How to Configure a Packet Filter

• Start with a security policy
• Specify allowable packets in terms of logical expressions on packet fields
• Rewrite the expressions in the syntax supported by your vendor
• General rules:
  • All that is not expressly permitted is prohibited
  • If you do not need it, eliminate it

Page 5:

Every ruleset is followed by an implicit rule that blocks everything the explicit rules did not permit.

Example 1:

Suppose we want to allow inbound mail (SMTP, port 25), but only to our gateway machine. Also suppose that mail from some particular site, SPIGOT, is to be blocked.

Page 6:

Solution 1:

Example 2:

Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Page 7:

Solution 2:

This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough…

So why is it wrong?

Page 8:

Our defined restriction is based solely on the outside host's port number, which we have no way of controlling.

Now an enemy can reach any internal machine and port simply by originating his call from port 25 on the outside machine.

Now for a better solution…

Page 9:

• The ACK bit signifies that the packet is part of an ongoing conversation
• Packets without ACK are connection establishment messages, which we permit only from internal hosts: the better ruleset lets outside port 25 talk to our hosts only when the ACK bit is set
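The three rulesets of Examples 1 and 2, and the ACK-bit fix, rendered as a small first-match packet filter. This is an added illustration written for this transcript, not code from the slides or the book; the host names (OUR-GW, ALICE, BOB, SPIGOT, the .example.* hosts), the INSIDE set and the src/dst rule columns are assumptions chosen for the example. The same evaluator runs all three rulesets, so the hole in the naive outbound-mail rules and its closure by the ACK check can be compared directly.

```python
from dataclasses import dataclass

# Assumed inside hosts for the example; OUR-GW is the mail gateway of Example 1.
INSIDE = {"OUR-GW", "ALICE", "BOB"}

@dataclass(frozen=True)
class Packet:
    src: str       # source host name
    sport: int     # source TCP port
    dst: str       # destination host name
    dport: int     # destination TCP port
    ack: bool      # TCP ACK bit set (packet belongs to an established conversation)

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    src: str = "*"       # host name, "INSIDE", "OUTSIDE" or "*"
    sport: object = "*"  # port number or "*"
    dst: str = "*"
    dport: object = "*"
    flags: str = "*"     # "*" (don't care) or "ACK" (ACK bit must be set)
    comment: str = ""

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern == "INSIDE":
        return host in INSIDE
    if pattern == "OUTSIDE":
        return host not in INSIDE
    return pattern == host

def decide(ruleset, pkt):
    """First matching rule wins. Every ruleset ends with the implicit
    'block everything' rule, so anything not expressly permitted is dropped."""
    for r in ruleset:
        if (_host_matches(r.src, pkt.src) and r.sport in ("*", pkt.sport)
                and _host_matches(r.dst, pkt.dst) and r.dport in ("*", pkt.dport)
                and (r.flags == "*" or pkt.ack)):
            return r.action
    return "block"

# Example 1: inbound mail only to our gateway, nothing at all from SPIGOT.
# The SPIGOT rule must come first, because rules are matched in order.
INBOUND_MAIL = [
    Rule("block", src="SPIGOT", comment="we don't trust these people"),
    Rule("allow", dst="OUR-GW", dport=25, comment="connection to our SMTP port"),
]

# Example 2, naive: let inside hosts call port 25 anywhere and let the
# answers back in. The second rule keys on the outside port alone.
NAIVE_OUTBOUND_MAIL = [
    Rule("allow", src="INSIDE", dport=25, comment="our packets to their SMTP port"),
    Rule("allow", sport=25, dst="INSIDE", comment="their replies (no flag check)"),
]

# Example 2, fixed: replies are admitted only with the ACK bit set, so an
# outsider cannot open a connection just by sending from port 25.
SAFE_OUTBOUND_MAIL = [
    Rule("allow", src="INSIDE", dport=25, comment="our packets to their SMTP port"),
    Rule("allow", sport=25, dst="INSIDE", flags="ACK", comment="their replies"),
]

# Constructed traffic for the demonstration.
MAIL_OUT   = Packet("ALICE", 40000, "mail.example.net", 25, ack=False)
MAIL_REPLY = Packet("mail.example.net", 25, "ALICE", 40000, ack=True)
ATTACK     = Packet("evil.example.net", 25, "BOB", 23, ack=False)  # telnet, from source port 25
SPIGOT_IN  = Packet("SPIGOT", 4321, "OUR-GW", 25, ack=False)
FRIEND_IN  = Packet("friend.example.org", 4321, "OUR-GW", 25, ack=False)
WRONG_HOST = Packet("friend.example.org", 4321, "ALICE", 25, ack=False)

if __name__ == "__main__":
    for name, rs in (("naive", NAIVE_OUTBOUND_MAIL), ("safe", SAFE_OUTBOUND_MAIL)):
        print(name, "mail out:", decide(rs, MAIL_OUT), "reply:", decide(rs, MAIL_REPLY),
              "attack from port 25:", decide(rs, ATTACK))
    print("inbound:", decide(INBOUND_MAIL, SPIGOT_IN), decide(INBOUND_MAIL, FRIEND_IN),
          decide(INBOUND_MAIL, WRONG_HOST))
```

The naive ruleset lets ATTACK through; the ACK ruleset blocks it. Note what the ACK check does not do: an outsider can still send packets with ACK set from port 25 to any inside port, and rule 2 passes them. They cannot complete a connection, but they do reach the inside host, which is one reason for the stateful dynamic packet filters covered later in the chapter.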

Page 10:

Network Topology

Figure 9.2: A firewall router with multiple internal networks.

Filter rule: open access to Net 2 means "source address from Net 3"

• Why not spoof an address from Net 3?

Page 11:

Address Spoofing

• Detection is virtually impossible unless source-address filtering and logging are done
• One should not trust hosts outside of one's administrative control
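The answer to "why not spoof an address from Net 3?" is the per-interface source-address check: a packet claiming a Net 3 address is accepted only if it arrives on the Net 3 interface, and every mismatch is logged, because without the check and the log a spoof leaves no trace. The following is an added example, not code from the slides or the book; Figure 9.2 gives no addresses, so the three prefixes, the interface names and the interface "ext" for everything else are assumptions.

```python
import ipaddress

# Assumed prefixes for the three internal networks of Figure 9.2. Any other
# address is reached through the external interface "ext".
NET_BEHIND_IFACE = {
    "net1": ipaddress.ip_network("192.0.2.0/24"),
    "net2": ipaddress.ip_network("198.51.100.0/24"),
    "net3": ipaddress.ip_network("203.0.113.0/24"),
}

def iface_for(addr):
    """The router interface a packet with this address is expected to arrive on."""
    ip = ipaddress.ip_address(addr)
    for name, net in NET_BEHIND_IFACE.items():
        if ip in net:
            return name
    return "ext"

def source_check(arrival_iface, src, log):
    """Ingress/egress anti-spoofing: the source address must belong to the
    prefix behind the interface the packet arrived on. Mismatches are logged,
    since a silently dropped spoof is as invisible as an accepted one."""
    expected = iface_for(src)
    if expected != arrival_iface:
        log.append(f"spoof: src {src} arrived on {arrival_iface}, belongs behind {expected}")
        return False
    return True

def net2_access(arrival_iface, src, dst, log):
    """The slide's policy: Net 3 sources get open access to Net 2. The source
    check runs first, so a packet claiming a Net 3 address that arrives on any
    other interface never reaches the policy rule at all."""
    if not source_check(arrival_iface, src, log):
        return "drop"
    if iface_for(dst) == "net2" and iface_for(src) == "net3":
        return "allow"
    return "drop"   # implicit default: nothing else is permitted

if __name__ == "__main__":
    log = []
    # genuine Net 3 host, arriving where it should
    print(net2_access("net3", "203.0.113.10", "198.51.100.5", log))   # allow
    # outsider forging a Net 3 source on the external interface
    print(net2_access("ext", "203.0.113.10", "198.51.100.5", log))    # drop
    # insider on Net 1 forging a Net 3 source
    print(net2_access("net1", "203.0.113.10", "198.51.100.5", log))   # drop
    # inside address appearing on the external interface (classic ingress spoof)
    print(source_check("ext", "192.0.2.9", log))                       # False
    print(*log, sep="\n")
```

The same check applied on the internal interfaces catches an inside host forging someone else's address on the way out, which is the egress half of the slide's "ingress and egress filtering".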

Page 12:

External Interface Ruleset

• Allow outgoing calls; permit incoming calls only for mail, and only to the gateway GW

Note: specify GW as the destination host instead of Net 1, to prevent open access to Net 1.

Page 13:

Net 1 Router Interface Ruleset

• The gateway machine speaks directly only to other machines running trusted mail server software
• Relay machines call out to GW to pick up waiting mail

Note: spoofing is avoided by naming GW explicitly in the rules.

Page 14:

How Many Routers Do We Need?

• If routers only support outgoing filtering, we need two:
  • One to apply the ruleset that protects against compromised gateways
  • One to apply the ruleset that guards against address forgery and restricts access to the gateway machine
• An input filter on one port is exactly equivalent to an output filter on the other port
• If you trust the network provider, you can go without input filters: filtering can be done on the output side of the router

Page 15:

Routing Filters

• All nodes are somehow reachable from the Internet
• Routers need to be able to control what routes they advertise over various interfaces
• Clients who employ IP source routing make it possible to reach "unreachable" hosts, which enables address spoofing
• Block source routing at the borders, not at the backbone
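"Block source routing at the borders" means the border router has to recognise the IPv4 loose and strict source route options (LSRR, option type 131, and SSRR, type 137) and drop packets that carry them. The parser below is an added example written for this transcript, not code from the slides or the book. It walks the IPv4 option area with length checks so a malformed header cannot push it past the end, reports the hop list of any source route it finds, and treats malformed headers as drops too. The packets are constructed inline (checksum left at zero) and the addresses are arbitrary documentation ranges.

```python
import struct
import ipaddress

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137

def parse_ipv4_options(pkt):
    """Return [(option type, option data)] from an IPv4 header, validating the
    IHL and every option length so a crafted header cannot walk off the end."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    opts, out, i = pkt[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def source_route(pkt):
    """('LSRR'|'SSRR', [hop, ...]) if the packet carries a source route, else None.
    Option data is one pointer byte followed by 4-byte hop addresses."""
    for kind, data in parse_ipv4_options(pkt):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            hops = [str(ipaddress.IPv4Address(data[k:k + 4]))
                    for k in range(1, len(data) - 3, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", hops)
    return None

def border_filter(pkt):
    """The border check the slide asks for: drop every source-routed packet.
    Headers the parser rejects are dropped as well."""
    try:
        return "drop" if source_route(pkt) else "pass"
    except ValueError:
        return "drop"

def build_ipv4(src, dst, options=b""):
    """Constructed test packet: minimal IPv4 header (TTL 64, protocol TCP,
    checksum 0) with the option area padded to a multiple of 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options

# An LSRR option naming two hops: type, length (3 + 4 per hop), pointer (4), hops.
LSRR_OPT = (bytes([IPOPT_LSRR, 11, 4]) + ipaddress.IPv4Address("10.0.0.1").packed
            + ipaddress.IPv4Address("192.0.2.7").packed)
PLAIN = build_ipv4("198.51.100.9", "192.0.2.5")
ROUTED = build_ipv4("198.51.100.9", "192.0.2.5", LSRR_OPT)

if __name__ == "__main__":
    print("plain:", border_filter(PLAIN), source_route(PLAIN))
    print("routed:", border_filter(ROUTED), source_route(ROUTED))
```

The hop list is what makes a logged drop useful: it shows which inside addresses the sender was trying to steer the packet through.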

Page 16:

Routing Filters (cont.)

• Packet filters obviate the need for route filters
• Route filtering becomes difficult or impossible in the presence of complex technologies
• Route squatting: using unofficial IP addresses inside firewalls that belong to someone else
• Difficult to choose non-addressed address space

Page 17:

Packet-Filtering Performance

• Performance penalty defeats optimization efforts
• Bottleneck at the T1 serial link
• Degradation depends on the number of rules applied at any point
• Order rules so that the most common traffic is dealt with first
• Correctness is more important than speed

Page 18:

Application-Level Filtering

• More complex than packet filtering: it deals in application details
• Special-purpose code for each desired application
• Easy to log and control ALL incoming and outgoing traffic
• Only deals with attacks from the outside
• Principal disadvantage: need for a specialized user program or variant user interface

Page 19:

Circuit-Level Gateways

• Work at the TCP level
• Generally used to create specific connections between isolated networks
• The SOCKS protocol is used in the relay service
• Log the byte flow
• Can't catch all abuses; a packet filter should be used as well
• Launder IP connections, by design
• Well suited for some UDP applications

Page 20:

Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.

Page 21:

Dynamic Packet Filters

• Most common
• Provide good protection and full transparency
• Network administrators are given full control over traffic
• Captures the semantics of a connection: incoming packets for the same connection are allowed (a way to treat UDP similarly to TCP's ACK)
• FTP filtering introduces connection filtering
• X11 is better handled through ssh

Page 22:

[Figure 9.8 labels: 1.2.3.4, Firewall, 5.6.7.8; "Intended connection from 1.2.3.4 to 5.6.7.8"]

Figure 9.8: Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The firewall impersonates each endpoint to the other.

Page 23:

[Figure 9.9 labels: 1.2.3.4, Firewall, Application Proxy, 10.11.12.13, 5.6.7.8; "Intended connection from 1.2.3.4 to 5.6.7.8"]

Figure 9.9: A dynamic packet filter with an application proxy. Note the change in source address.

Page 24:

Figure 9.10: Asymmetric routes with two dynamic packet filters. Distance on the drawing is intended to be proportional to distance according to the routing protocol metrics. The solid lines show actual routes; the dotted lines show rejected routes, based on these metrics.

Page 25:

Dynamic Packet Filter Implementation

• Dynamically update the packet filter's ruleset: changes may not be benign, because rule order matters
• The redialing method offers greater assurance of security:
  • No special-case code necessary
  • FTP handled with a user-level daemon
  • UDP handled just as TCP, except for teardown
  • ICMP handled with pseudoconnections and synthesized packets

Page 26:

Per-Interface Tables Consulted by a Dynamic Packet Filter

• Active connection table: the socket structure decides whether data is copied to the outside socket or sent to an application proxy
• Ordinary filter table: specifies which packets may pass in a stateless manner
• Dynamic table: forces creation of local socket structures
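The slides on pages 21, 25 and 26 describe the core of a dynamic packet filter: a stateless ordinary table that says who may open connections, and a dynamic table, keyed by the connection's addresses and ports, that admits the packets belonging to connections already opened. The model below is an added example for this transcript, not the code of any product or of the book; the inside prefix, the "inside may open anything outbound" policy and the 30-second UDP timeout are assumptions. It shows the two points the slides make: UDP is handled like TCP except that, having no teardown, its entries expire; and an outsider's bare ACK packet, which an ACK-bit packet filter would pass, is blocked here because no connection matches it.

```python
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed inside prefix
_MISSING = object()

@dataclass(frozen=True)
class Pkt:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags among "SYN", "ACK", "FIN", "RST"

def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE_NET

class DynamicPacketFilter:
    """Ordinary (stateless) table plus a dynamic table keyed by 5-tuple.
    TCP entries live until teardown (FIN or RST); UDP entries, which have
    no teardown, are refreshed by traffic and expire after a timeout."""

    def __init__(self, udp_timeout=30.0):
        self.udp_timeout = udp_timeout
        self.table = {}   # (proto, a, aport, b, bport) -> expiry time, or None for TCP

    def ordinary_allows(self, p):
        # Stateless policy: only inside hosts may open connections, only to the outside.
        return is_inside(p.src) and not is_inside(p.dst)

    def _lookup(self, p, now):
        """Find the connection this packet belongs to, in either direction."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            expiry = self.table.get(key, _MISSING)
            if expiry is _MISSING:
                continue
            if expiry is not None and expiry < now:
                del self.table[key]        # stale UDP pseudoconnection
                return None
            return key
        return None

    def process(self, p, now):
        key = self._lookup(p, now)
        if key is not None:
            if p.proto == "udp":
                self.table[key] = now + self.udp_timeout   # refresh on traffic
            elif p.flags & {"FIN", "RST"}:
                del self.table[key]                        # TCP teardown
            return "allow"
        # No state: only a fresh connection attempt from the inside may create some.
        opens = p.proto == "udp" or p.flags == {"SYN"}
        if opens and self.ordinary_allows(p):
            fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
            self.table[fwd] = now + self.udp_timeout if p.proto == "udp" else None
            return "allow"
        return "block"

def demo():
    """Constructed traffic run through one filter; returns the verdicts by label."""
    fw = DynamicPacketFilter(udp_timeout=30.0)
    inside, server, evil = "192.0.2.10", "198.51.100.53", "203.0.113.66"
    T = frozenset
    steps = [
        ("dns query",       Pkt("udp", inside, 5353, server, 53), 0.0),
        ("dns reply",       Pkt("udp", server, 53, inside, 5353), 1.0),
        ("unsolicited udp", Pkt("udp", evil, 53, inside, 5353), 2.0),
        ("syn out",         Pkt("tcp", inside, 40000, server, 25, T({"SYN"})), 3.0),
        ("syn-ack in",      Pkt("tcp", server, 25, inside, 40000, T({"SYN", "ACK"})), 4.0),
        ("ack scan",        Pkt("tcp", evil, 25, inside, 23, T({"ACK"})), 5.0),
        ("syn in",          Pkt("tcp", evil, 1234, inside, 22, T({"SYN"})), 6.0),
        ("fin out",         Pkt("tcp", inside, 40000, server, 25, T({"FIN", "ACK"})), 7.0),
        ("after close",     Pkt("tcp", server, 25, inside, 40000, T({"ACK"})), 8.0),
        ("late dns reply",  Pkt("udp", server, 53, inside, 5353), 100.0),
    ]
    return {label: fw.process(p, now) for label, p, now in steps}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16} {verdict}")
```

Redialing (Figure 9.8) would replace the table entry with a pair of local sockets, but the decision logic the slides describe is the same: a packet passes either because state for its connection exists or because the ordinary table lets it create that state.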

Page 27:

Asymmetric Routes

• Both sides of the firewall know nothing of one another's topology
• Solutions:
  • Maintain full knowledge of the topology: not feasible, too much state to keep
  • Multiple firewalls share state information: the volume of messages may be prohibitive, and the code is complex

Page 28:

Are Dynamic Packet Filters Safe?

• Comparable to circuit gateways, as long as the implementation strategy is simple
• If the administrative interface uses physical network ports as its highest-level construct, legal connections are generally defined in terms of the physical topology
• That is not safe if evildoers exist on the inside
• Circuit or application gateways demand user authentication for outbound traffic and are therefore more resistant to this threat

Page 29:

Distributed Firewalls

• A central management node sets the security policy enforced by individual hosts
• Combination of a high-level policy specification with a file distribution mechanism
• Advantages:
  • No central point of failure
  • Ability to protect machines outside the topologically isolated space
  • Great for laptops
• Disadvantage:
  • Harder to allow in certain services, whereas it's easy to block them

Page 30:

Distributed Firewalls Drawback

• Allowing in certain services works if and only if you're sure the source address can't be spoofed
• Requires anti-spoofing protection
• Must maintain the ability to roam safely
• Solution: IPsec. A machine is trusted if and only if it can perform proper cryptographic authentication

Page 31:

Where to Filter?

• Balance between risk and costs
• There is always a higher layer that is hard to filter: humans

Page 32:

Firewalls Aren't Perfect

• Useless against attacks from the inside:
  • An evildoer exists on the inside
  • Malicious code is executed on an internal machine
• Organizations with a greater insider threat: banks, military
• Protection must exist at each layer
• Assess the risks of threats at every layer
• Rely on transitive trust