Firewalls
Chapter 5
Revised March 2004. Panko, Corporate Computer and Network Security. Copyright 2004 Prentice-Hall.
Figure 5-1: Border Firewall (diagram; the labels below are what survives of it)
1. Internet (not trusted), with an attacker or a legitimate user on that side; internal corporate network (trusted)
2. Internet border firewall between the two
3. Attack packet arriving from the Internet
4. Dropped packet (ingress); the drop is recorded in a log file
5. Passed legitimate packet (ingress)
6. Hardened client PC and hardened server inside the network; an attack packet that got through the firewall reaches them. Hardened hosts provide defense in depth.
7. Dropped packet (egress) and passed packet (egress): the firewall filters outgoing traffic as well
Figure 5-2: Types of Firewall Inspection
Packet inspection: examines IP, TCP, UDP, and ICMP headers
  Static packet inspection (described later)
  Stateful inspection (described later)
Application inspection: examines application layer messages
Network Address Translation (NAT): hides IP addresses and port numbers
Denial-of-Service (DoS) inspection: detects and stops DoS attacks
Authentication: requires senders to authenticate themselves
Virtual Private Network (VPN) handling
  VPNs are protected packet streams (see Chapter 8)
  Packets are encrypted for confidentiality, so firewall inspection is impossible
  VPNs typically bypass firewalls, making border security weaker
Hybrid firewalls
  Most firewalls offer more than one type of filtering
  However, firewalls normally do not do antivirus filtering
  Some firewalls pass packets to antivirus filtering servers
Firewalls (chapter outline)
Firewall Hardware and Software
  Screening router firewalls
  Computer-based firewalls
  Firewall appliances
  Host firewalls (firewalls on clients and servers)
Inspection Methods
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-3: Firewall Hardware and Software
Screening router firewalls
  Add firewall software to the router
  Usually provide light filtering only
  Expensive for the processing power; usually the hardware must be upgraded, too
  Screen out the incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
  Good location for egress filtering; can eliminate scanning responses, even those from the router itself
Computer-based firewalls
  Add firewall software to a server with an existing operating system: Windows or UNIX
  Can be purchased with the power to handle any load
  Easy to use because the firm already knows the operating system
  The firewall vendor might bundle the firewall software with hardened hardware and operating system software
  General-purpose operating systems result in slower processing
  Security: attackers may be able to hack the operating system and then
    change the filtering rules to allow attack packets in
    change the filtering rules to drop legitimate packets
Firewall appliances
  Boxes with minimal operating systems; therefore difficult to hack
  Setup is minimal
  Not customized to the specific firm's situation
  Must be able to update
Host firewalls
  Installed on the hosts themselves (servers and sometimes clients)
  Enhanced security because of host-specific knowledge; for example, filter out everything but webserver transmissions on a webserver
  Defense in depth: normally used in conjunction with other firewalls, although on a single host computer attached to the Internet it might be the only firewall
  The firm must manage many host firewalls; if they are not centrally managed, configuration can be a nightmare, especially if rule sets change frequently
  Client firewalls typically must be configured by ordinary users, who might misconfigure or reject the firewall
  Need to centrally manage remote employees' computers
Perspective
Computer-based firewall: a firewall based on a computer with a full operating system
Host firewall: a firewall on a host (client or server)
Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering (diagram)
Performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of the rules, etc.)
If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them
Firewalls (outline): Firewall Hardware and Software; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls, IPSs; Firewall Architecture; Configuring, Testing, and Maintenance
Figure 5-5: Static Packet Filter Firewall (diagram)
The static packet filter firewall sits between the corporate network and the Internet. Each packet carries an IP header followed either by a TCP header or a UDP header and an application message, or by an ICMP header and an ICMP message. Only the IP, TCP, UDP, and ICMP headers are examined; each packet is either permitted (passed) or denied (dropped), and drops are recorded in a log file.
Arriving packets are examined one at a time, in isolation; this misses many attacks.
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [firm's internal address range]
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL
DENY ALL is the last rule: it drops any packet not specifically permitted by an earlier rule
In the ACL above, Rules 8-17 are not needed; Deny All would catch them
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
   Rules 1-3 are not needed because of this rule
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver responses]
   Needed because the next rule stops all packets from well-known port numbers
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
   Note: Rules 9-12 only work if all hosts follow the IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do; UNIX computers do not.
13. DENY ALL
   With this last rule there is no need for Rules 9-12
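To make the in-series evaluation and the ordering constraints concrete, here is an added example (mine, not Panko's) that encodes the ingress ACL of Figure 5-6 and the egress ACL of Figure 5-7 as ordered rule lists and evaluates constructed packets against them; each result carries the number of the rule that decided, so a PASS shadowed by a misordered DENY would show up immediately. Assumptions: packets are a small Python dataclass, and PASS and PERMIT are kept as the slides spell them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                          # source IP address
    dst: str                          # destination IP address
    proto: str                        # "TCP", "UDP" or "ICMP"
    sport: int = 0                    # TCP/UDP source port
    dport: int = 0                    # TCP/UDP destination port
    flags: frozenset = frozenset()    # TCP flag bits that are set, e.g. {"SYN"}
    icmp_type: int = -1               # ICMP type, or -1 when not ICMP


# An ACL rule is (action, match test, comment); rules are checked in series.
Rule = Tuple[str, Callable[[Packet], bool], str]


def in_net(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr)


def tcp(p: Packet) -> bool: return p.proto == "TCP"
def udp(p: Packet) -> bool: return p.proto == "UDP"
def icmp(p: Packet) -> bool: return p.proto == "ICMP"


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule decides; an implicit DENY ALL closes the list.
    Returns (action, rule number), so shadowing by a misordered rule is visible."""
    for num, (action, test, _comment) in enumerate(acl, start=1):
        if test(pkt):
            return action, num
    return "DENY", len(acl) + 1


# Figure 5-6: ingress ACL at the border router (packets arriving from the Internet).
INGRESS: List[Rule] = [
    ("DENY", lambda p: in_net(p.src, "10.0.0.0/8"), "private IP address range"),
    ("DENY", lambda p: in_net(p.src, "172.16.0.0/12"), "private IP address range"),
    ("DENY", lambda p: in_net(p.src, "192.168.0.0/16"), "private IP address range"),
    # Rule 4 reads 60.40.*.* on the slide, although the firm's range elsewhere is 60.47.*.*
    ("DENY", lambda p: in_net(p.src, "60.40.0.0/16"), "firm's internal address range"),
    ("DENY", lambda p: p.src == "1.2.3.4", "black-holed address of attacker"),
    ("DENY", lambda p: tcp(p) and {"SYN", "FIN"} <= p.flags, "crafted attack packet"),
    ("PASS", lambda p: tcp(p) and p.dst == "60.47.3.9" and p.dport in (80, 443),
     "connection to a public webserver"),            # must precede rule 8
    ("DENY", lambda p: tcp(p) and "SYN" in p.flags and "ACK" not in p.flags,
     "attempt to open a connection from the outside"),
    ("DENY", lambda p: tcp(p) and p.dport == 20, "FTP data connection"),
    ("DENY", lambda p: tcp(p) and p.dport == 21, "FTP control connection"),
    ("DENY", lambda p: tcp(p) and p.dport == 23, "Telnet"),
    ("DENY", lambda p: tcp(p) and 135 <= p.dport <= 139, "NetBIOS"),
    ("DENY", lambda p: tcp(p) and p.dport == 513, "UNIX rlogin"),
    ("DENY", lambda p: tcp(p) and p.dport == 514, "UNIX rsh"),
    ("DENY", lambda p: tcp(p) and p.dport == 22, "SSH; some versions are insecure"),
    ("DENY", lambda p: udp(p) and p.dport == 69, "TFTP; no login necessary"),
    ("PASS", lambda p: icmp(p) and p.icmp_type == 0, "incoming echo reply"),
]

# Figure 5-7: egress ACL at the border router (packets leaving for the Internet).
EGRESS: List[Rule] = [
    ("DENY", lambda p: in_net(p.src, "10.0.0.0/8"), "private IP address range"),
    ("DENY", lambda p: in_net(p.src, "172.16.0.0/12"), "private IP address range"),
    ("DENY", lambda p: in_net(p.src, "192.168.0.0/16"), "private IP address range"),
    ("DENY", lambda p: not in_net(p.src, "60.47.0.0/16"), "not in internal address range"),
    ("PASS", lambda p: icmp(p) and p.icmp_type == 8, "outgoing echo request"),
    ("DENY", icmp, "all other outgoing ICMP"),
    ("DENY", lambda p: tcp(p) and "RST" in p.flags, "outgoing resets used in host scanning"),
    ("PERMIT", lambda p: tcp(p) and p.src == "60.47.3.9" and p.sport in (80, 443),
     "public webserver responses"),                 # must precede rule 9
    ("DENY", lambda p: tcp(p) and p.sport <= 49151, "well-known and registered ports"),
    ("DENY", lambda p: udp(p) and p.sport <= 49151, "well-known and registered ports"),
    ("PASS", lambda p: tcp(p) and p.sport >= 49152, "outgoing client connections"),
    ("PERMIT", lambda p: udp(p) and p.sport >= 49152, "outgoing client connections"),
]


if __name__ == "__main__":
    # Constructed sample packets, not captures from the text.
    syn = frozenset({"SYN"})
    print(evaluate(INGRESS, Packet("123.80.5.34", "60.47.3.9", "TCP", 62600, 80, syn)))  # ('PASS', 7)
    print(evaluate(INGRESS, Packet("123.80.5.34", "60.47.3.9", "TCP", 62600, 25, syn)))  # ('DENY', 8)
    print(evaluate(EGRESS, Packet("60.47.3.9", "123.80.5.34", "TCP", 80, 62600, syn)))   # ('PERMIT', 8)
```

Swapping rules 7 and 8 of INGRESS makes the webserver SYN return ('DENY', 7), which is exactly the misordering problem Figure 5-22 warns about.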
Firewalls (outline): Firewall Hardware and Software; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls; Firewall Architecture; Configuring, Testing, and Maintenance
Figure 5-8: Stateful Inspection Firewalls
Default behavior
  Permit connections initiated by an internal host
  Deny connections initiated by an external host
  The default behavior can be changed with an ACL
(Diagram: a router between the internal network and the Internet automatically accepts a connection attempt from inside and automatically denies a connection attempt from outside.)
State of a connection: open or closed
State: the order of a packet within a dialog
  Often simply whether the packet is part of an open connection
Stateful firewall operation
  If a connection is accepted, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  Accept future packets between these hosts and ports with no further inspection
  This can miss some attacks, but it catches almost everything except attacks based on application message content
Figure 5-9: Stateful Inspection Firewall Operation I (diagram)
The internal client PC 60.55.33.12 opens a connection to the external webserver 123.80.5.34:
1. A TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 reaches the stateful firewall
2. The firewall establishes the connection in its connection table (outgoing connections are allowed by default)
3. The SYN segment is passed on to 123.80.5.34:80
4. A TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 arrives at the firewall
5. The firewall checks the connection table, finds the connection OK, and passes the packet
6. The SYN/ACK segment is delivered to 60.55.33.12:62600
Connection table: Type TCP; Internal IP 60.55.33.12; Internal Port 62600; External IP 123.80.5.34; External Port 80; Status OK
Stateful firewall operation (continued)
For UDP, the two IP addresses and port numbers are also recorded in the state table
Connection table:
  TCP  internal 60.55.33.12:62600  external 123.80.5.34:80  status OK
  UDP  internal 60.55.33.12:63206  external 1.8.33.4:69     status OK
Static packet filter firewalls are stateless
  They filter one packet at a time, in isolation
  If a TCP SYN/ACK segment is sent, a static filter cannot tell whether there was a previous SYN to open a connection; a stateful firewall can (Figure 5-10)
Figure 5-10: Stateful Firewall Operation II (diagram)
1. An attacker at 10.5.3.4, spoofing an external webserver, sends a TCP SYN/ACK segment from 10.5.3.4:80 to the internal client PC 60.55.33.12:64640
2. The stateful firewall checks its connection table, finds no matching connection, and drops the segment
Connection table at that moment: TCP 60.55.33.12:62600 to 123.80.5.34:80 (OK); UDP 60.55.33.12:63206 to 222.8.33.4:69 (OK)
Static packet filters also cannot deal with port-switching applications; stateful firewalls can (Figure 5-11)
Figure 5-11: Port-Switching Applications with Stateful Firewalls (diagram)
The internal client PC 60.55.33.12 connects to the external FTP server 123.80.5.34:
1. A TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 reaches the stateful firewall
2. The firewall records the connection in its state table to establish it (Step 2 entry)
3. The SYN segment is passed on to 123.80.5.34:21
4. A TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600 announces that ports 20 and 55336 will be used for data transfers
5. To allow this, the firewall establishes a second connection in its state table (Step 5 entry)
6. The SYN/ACK segment is delivered to 60.55.33.12:62600
State table:
  TCP  internal 60.55.33.12:62600  external 123.80.5.34:21  status OK  (Step 2)
  TCP  internal 60.55.33.12:55336  external 123.80.5.34:20  status OK  (Step 5)
Stateful inspection access control lists (ACLs)
  Primarily allow or deny applications (port numbers)
  Simple, because there is no need for probe-packet rules: probe packets are dropped automatically
  The simplicity of the stateful firewall gives speed and therefore low cost
  Stateful firewalls are dominant today for main corporate border firewalls
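An added example (not from the text) that models the connection table of Figures 5-9 to 5-11 in Python: connections opened from inside are recorded and their replies pass, the spoofed SYN/ACK of Figure 5-10 finds no row and is dropped, and an FTP-aware helper pre-records the data connection announced on the control connection as in Figure 5-11. The internal address prefix 60.55. and the helper name allow_ftp_data are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


# Connection-table key, in the column order of Figure 5-9:
# (type, internal IP, internal port, external IP, external port)
ConnKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, internal_prefix: str = "60.55.") -> None:
        self.internal_prefix = internal_prefix   # assumption: the firm's address block
        self.table: Dict[ConnKey, str] = {}      # connection table; the value is the status

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def inspect(self, s: Segment) -> str:
        """Return 'PASS' or 'DROP' for one packet, updating the connection table."""
        if self.is_internal(s.src):
            key: ConnKey = (s.proto, s.src, s.sport, s.dst, s.dport)
            # Default behavior: a connection opened from inside is accepted and recorded.
            opens = (s.syn and not s.ack) if s.proto == "TCP" else True
            if key in self.table or opens:
                self.table[key] = "OK"
                return "PASS"
            return "DROP"                         # e.g. an outbound reply to nothing
        # Arriving packet: the internal side is its destination.
        key = (s.proto, s.dst, s.dport, s.src, s.sport)
        if self.table.get(key) == "OK":
            return "PASS"                         # part of an open connection
        # No matching row: a connection attempt or a spoofed reply from outside
        return "DROP"

    def allow_ftp_data(self, control: Segment, ext_port: int, int_port: int) -> None:
        """Port switching (Figure 5-11): the server announced the data ports on the
        open control connection, so pre-record the second connection as OK."""
        key: ConnKey = (control.proto, control.src, control.sport, control.dst, control.dport)
        if self.table.get(key) != "OK":
            raise ValueError("no open control connection")
        self.table[("TCP", control.src, int_port, control.dst, ext_port)] = "OK"


def walkthrough() -> Tuple[Dict[str, str], int]:
    """Replay the exchanges of Figures 5-9, 5-10 and 5-11 with constructed segments."""
    fw = StatefulFirewall()
    r: Dict[str, str] = {}
    # Figure 5-9: the client opens a connection to the external webserver.
    r["syn_out"] = fw.inspect(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True))
    r["synack_in"] = fw.inspect(Segment("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, True, True))
    # Figure 5-10: a spoofed SYN/ACK from 10.5.3.4 with no matching row.
    r["spoofed"] = fw.inspect(Segment("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, True, True))
    # UDP is recorded the same way (the TFTP row of the Figure 5-8 table).
    r["udp_out"] = fw.inspect(Segment("UDP", "60.55.33.12", 63206, "1.8.33.4", 69))
    r["udp_in"] = fw.inspect(Segment("UDP", "1.8.33.4", 69, "60.55.33.12", 63206))
    # Figure 5-11: FTP control connection, then the server-initiated data connection.
    ctl = Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn=True)
    r["ftp_control"] = fw.inspect(ctl)
    data = Segment("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn=True)
    r["ftp_data_before"] = fw.inspect(data)      # not yet in the table: dropped
    fw.allow_ftp_data(ctl, ext_port=20, int_port=55336)
    r["ftp_data_after"] = fw.inspect(data)       # Step 5 row present: passed
    return r, len(fw.table)
```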
Firewalls (outline): Firewall Hardware and Software; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls, IPSs; Firewall Architecture; Configuring, Testing, and Maintenance
Figure 5-12: Network Address Translation (NAT) (diagram)
1. The internal client 192.168.5.7 sends a packet from port 61000 to a server host on the Internet
2. The NAT firewall replaces the source with 60.5.9.8, port 55380, and records the pair in its translation table; a sniffer on the Internet sees only the external values
3. The server's reply is addressed to 60.5.9.8, port 55380
4. The NAT firewall looks up the translation table and delivers the packet to 192.168.5.7, port 61000
Translation table: internal IP address 192.168.5.7, port 61000; external IP address 60.5.9.8, port 55380 (one row per connection)
Sniffers on the Internet cannot learn internal IP addresses and port numbers; they learn only the translated address and port number
By themselves, NAT firewalls provide a great deal of protection against attacks: external attackers cannot create a connection to an internal computer
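The translation table of Figure 5-12 as an added Python example (mine, not the text's): the outbound packet gets the stand-in values, the reply is mapped back, and an inbound packet with no row is dropped. The server address 123.80.5.34 and the outsider's probe are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Port-translating NAT with the two-column table of Figure 5-12."""

    def __init__(self, external_ip: str, first_port: int = 55380) -> None:
        self.external_ip = external_ip
        self.next_port = first_port                        # first stand-in port, as in the figure
        self.to_external: Dict[Tuple[str, int], int] = {}  # (internal IP, port) -> external port
        self.to_internal: Dict[int, Tuple[str, int]] = {}  # external port -> (internal IP, port)

    def outbound(self, p: Packet) -> Packet:
        """Internal host -> Internet: substitute the stand-in source address and port."""
        key = (p.src, p.sport)
        if key not in self.to_external:                # first packet of a new flow: add a row
            port, self.next_port = self.next_port, self.next_port + 1
            self.to_external[key] = port
            self.to_internal[port] = key
        return replace(p, src=self.external_ip, sport=self.to_external[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> internal host: restore the original values, or None (drop) when
        no row exists, which is what stops externally created connections."""
        if p.dst != self.external_ip or p.dport not in self.to_internal:
            return None
        ip, port = self.to_internal[p.dport]
        return replace(p, dst=ip, dport=port)


def figure_5_12() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """The exchange of Figure 5-12; the server address 123.80.5.34 is an assumption."""
    nat = NatFirewall("60.5.9.8")
    # Steps 1-2: client 192.168.5.7:61000 sends to the server; the sniffer sees 60.5.9.8:55380
    seen_by_sniffer = nat.outbound(Packet("192.168.5.7", 61000, "123.80.5.34", 80))
    # Steps 3-4: the reply to 60.5.9.8:55380 is delivered to 192.168.5.7:61000
    reply = nat.inbound(Packet("123.80.5.34", 80, "60.5.9.8", 55380))
    # An outsider addressing the internal port directly has no table row: dropped
    probe = nat.inbound(Packet("1.2.3.4", 4444, "60.5.9.8", 61000))
    return seen_by_sniffer, reply, probe
```

Like the table in the figure, this one keys only on the stand-in port; a stricter NAT would also record and check the external host and port of each row.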
Firewalls (outline): Firewall Hardware and Software; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls, IPSs; Firewall Architecture; Configuring, Testing, and Maintenance
Figure 5-13: Application Firewall Operation (diagram)
The browser on the client PC 192.168.6.77 talks to the HTTP proxy on the application firewall 60.45.2.6, which talks to the webserver application on 123.80.5.34:
1. An HTTP request from 192.168.6.77 arrives at the HTTP proxy
2. Filtering: blocked URLs, POST commands, etc.
3. The examined HTTP request is sent on from 60.45.2.6
4. The HTTP response, addressed to 60.45.2.6, arrives at the proxy
5. Filtering on hostname, URL, MIME type, etc.
6. The examined HTTP response is delivered to 192.168.6.77
The application firewall also runs an FTP proxy (outbound filtering on PUT) and an SMTP (e-mail) proxy (inbound and outbound filtering on obsolete commands and on content)
A separate proxy program is needed for each application filtered on the firewall
Figure 5-14: Header Destruction with Application Firewalls (diagram)
An arriving packet from the attacker 1.2.3.4 carries the original IP header, the original TCP header, and the application message (HTTP). The application firewall 60.45.2.6 strips the original headers from the arriving packet and creates a new packet with new IP and TCP headers around the application message before sending it on to the webserver 123.80.5.34.
This stops all header-based packet attacks.
Figure 5-15: Protocol Spoofing (diagram)
1. A Trojan horse on the internal client PC 60.55.33.12 transmits to the attacker 1.2.3.4 on port 80 to get through a simple packet filter firewall
2. The application firewall sees that the protocol is not HTTP and stops the transmission
Relay Operation
Application firewalls use relay operation
  They act as a server to clients and as a client to servers
  This is slow, so traditionally application firewalls could only handle limited traffic
(Diagram, as in Figure 5-13: browser, HTTP proxy, webserver application; 1. HTTP request from 192.168.6.77; 2. filtering; 3. examined HTTP request sent from 60.45.2.6)
Automatic Protections in Relay Operation
Protocol fidelity: an application that spoofs the port number of another application (e.g., Port 80) will not work in relay operation
Header destruction: IP, TCP, UDP, and ICMP headers are dropped at the firewall, so they cannot do damage
IP address hiding: a sniffer on the Internet learns only the application firewall's IP address
Other Application Firewall Protections
Stopping certain application commands
  HTTP: stop POST
  FTP: stop PUT
  E-mail: stop obsolete commands used by attackers
Blocked IP addresses and URLs (black lists)
Blocking file types: use MIME and other identification methods
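An added example (not from the text) of the HTTP proxy on an application firewall, covering Figures 5-13 and 5-15 and the protections listed above: the proxy parses the request as HTTP, so the non-HTTP transmission of Figure 5-15 is stopped; POST and black-listed hosts are blocked; the request is rebuilt before it is relayed from the firewall's own address; and responses are blocked by MIME type. The class, the blocked-type list and the sample messages are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")


class HttpProxyFirewall:
    """HTTP proxy of an application firewall: relays only what parses as HTTP."""

    def __init__(self, own_ip: str, blocked_hosts: Iterable[str] = (),
                 blocked_methods: Iterable[str] = ("POST",),
                 blocked_types: Iterable[str] = ("application/x-msdownload",)) -> None:
        self.own_ip = own_ip                          # address the server sees (IP address hiding)
        self.blocked_hosts = set(blocked_hosts)       # black list of hosts / URL fragments
        self.blocked_methods = set(blocked_methods)   # application commands to stop (HTTP POST)
        self.blocked_types = set(blocked_types)       # MIME types to block in responses

    @staticmethod
    def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
        """Parse an HTTP/1.x request head; None when the bytes are not HTTP at all."""
        try:
            head = raw.decode("ascii").split("\r\n\r\n", 1)[0]
        except UnicodeDecodeError:
            return None
        lines = head.split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if m is None:
            return None
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            if ":" not in line:
                return None
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
        return m.group(1), m.group(2), headers

    def filter_request(self, raw: bytes) -> Tuple[str, str, Optional[bytes]]:
        """Return (decision, reason, relayed request). The relayed request is rebuilt by
        the proxy and sent from its own stack, so the client's headers never reach the server."""
        parsed = self.parse_request(raw)
        if parsed is None:
            return "DROP", "not HTTP (protocol fidelity)", None     # Figure 5-15
        method, target, headers = parsed
        host = headers.get("host", "")
        if method in self.blocked_methods:
            return "DROP", f"{method} command blocked", None
        if host in self.blocked_hosts or any(b in target for b in self.blocked_hosts):
            return "DROP", "black-listed host or URL", None
        relayed = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
        return "PASS", f"relayed from {self.own_ip}", relayed

    def filter_response(self, raw: bytes) -> Tuple[str, str]:
        """File type filtering: block responses whose Content-Type is on the list."""
        head = raw.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
        content_type = ""
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-type":
                content_type = value.split(";")[0].strip().lower()
        if content_type in self.blocked_types:
            return "DROP", f"file type {content_type} blocked"
        return "PASS", "ok"


def demo() -> Dict[str, str]:
    """Constructed messages through the proxy at 60.45.2.6 (the figure's address)."""
    fw = HttpProxyFirewall("60.45.2.6", blocked_hosts={"bad.example"})
    return {
        "get": fw.filter_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")[0],
        "post": fw.filter_request(b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n")[0],
        "blacklisted": fw.filter_request(b"GET / HTTP/1.1\r\nHost: bad.example\r\n\r\n")[0],
        "not_http": fw.filter_request(b"MYPROTO 1.0 hello\n")[0],   # non-HTTP traffic on port 80
        "exe": fw.filter_response(b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n")[0],
        "html": fw.filter_response(b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n")[0],
    }
```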
Figure 5-16: Circuit Firewall (diagram)
A circuit firewall (SOCKS v5) at 60.34.3.31 sits between the external client 123.30.82.5 and the webserver 60.80.5.34:
1. Authentication of the external client
2. Transmission from the client
3. Passed transmission: no filtering
4. Reply from the webserver
5. Passed reply: no filtering
A circuit firewall is a generic type of application firewall
Firewalls (outline): Firewall Hardware and Software; Inspection Methods: Static Packet Inspection, Stateful Packet Inspection, NAT, Application Firewalls, IPSs; Firewall Architecture; Configuring, Testing, and Maintenance
Intrusion Prevention System (IPS)
Provides more sophisticated inspection
  Examines streams of packets: looks for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks) and cannot be diagnosed by simply accepting packets that are part of a connection
  Does deep packet inspection: examines all headers at all layers (internet, transport, and application)
IPSs act proactively
  Once an attack is diagnosed, future packets in the attack are blocked
  This frightens many firms, because if an IPS acts incorrectly it effectively generates a self-inflicted denial-of-service attack
  Firms that first adopt IPSs may permit only the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks
Firewalls (outline): Types of Firewalls; Inspection Methods; Firewall Architecture: Single site in a large organization, Home firewall, SOHO firewall router, Distributed firewall architecture; Configuring, Testing, and Maintenance
Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (diagram)
Hosts shown: marketing client on the 172.18.5.x subnet; accounting server on the 172.18.7.x subnet; a 172.18.9.x subnet; public webserver 60.47.3.9; SMTP relay proxy 60.47.3.10; HTTP proxy server 60.47.3.1; external DNS server 60.47.3.4
1. Screening router 60.47.1.1, last rule = Permit All. The screening router firewall uses static packet filtering, drops simple attacks, and prevents probe replies from getting out. Its last rule is Permit All, to let the main firewall handle everything but simple attacks.
2. Main firewall, last rule = Deny All. The main firewall uses stateful inspection; its last rule is Deny All.
3. Internal firewall
4. Client host firewall
   Internal firewalls and hardened hosts provide defense in depth: they stop attacks from inside and stop external attacks that get past the main firewall
5. Server host firewall
6. DMZ. Servers that must be accessed from outside are placed in a special subnet called the demilitarized zone (DMZ); attackers cannot get to other subnets from there. DMZ servers are specially hardened.
Figure 5-18: Home Firewall (diagram)
Internet service provider, coaxial cable, broadband modem (always-on connection), UTP cord, home PC with a PC firewall
Windows XP has an internal firewall
  Originally called the Internet Connection Firewall; disabled by default
  After Service Pack 2, called the Windows Firewall; enabled by default
Figure 5-19: SOHO Firewall Router (diagram)
Internet service provider, broadband modem (DSL or cable), SOHO router (router, DHCP server, NAT firewall, and limited application firewall), Ethernet switch, user PCs connected over UTP
Many access routers combine the router and the Ethernet switch in a single box
Figure 5-20: Distributed Firewall Architecture (diagram)
A management console controls the firewalls at Site A, at Site B, and on a home PC across the Internet
Remote management is needed to reduce management labor
It is dangerous, because if an attacker compromises the management console, they own the network
Remote PCs must be actively managed centrally
Figure 5-21: Other Security Architecture Issues
Host and application security (Chapters 6 and 9)
Antivirus protection (Chapter 4)
Intrusion detection systems (Chapter 10)
Virtual private networks (Chapter 8)
Policy enforcement system
Firewalls (outline): Types of Firewalls; Inspection Methods; Firewall Architecture; Configuring, Testing, and Maintenance
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Firewall misconfiguration is a serious problem
  ACL rules are executed in series
  Easy to make misordering errors
  Easy to make syntax errors
Create policies before ACLs
  Policies are easier to read than ACLs
  Policies can be reviewed by others more easily than ACLs
  Policies drive ACL development
  Policies also drive testing
Firewalls must be tested with security audits
  Attack your own firewall based on your policies
  This is the only way to tell whether the policies are being supported
Maintaining firewalls
  New threats appear constantly
  ACLs must be updated constantly if the firewall is to remain effective
Figure 5-23: FireWall-1 Modular Management Architecture (diagram)
Application modules (GUI): one creates and edits policies; another reads log files
Management module: stores policies and stores log files; sends the policy to the firewall modules and receives log file entries from them
Firewall modules: enforce the policy and send log entries to the management module
Figure 5-24: FireWall-1 Service Architecture (diagram)
1. An arriving packet from the external server reaches the FireWall-1 firewall
2. Statefully filtered packet
3. DoS protection; optional authentications
4. The Content Vectoring Protocol hands the packet to a third-party application inspection firewall
5. The statefully filtered packet, plus application inspection, is delivered to the internal client
Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls (diagram)
Outside (Internet): security level = 0; inside (internal network): security level = 100; a third network on the router: security level = 60
Connections are allowed from more secure networks to less secure networks: a connection from inside to outside is automatically accepted, and a connection from outside to inside is automatically rejected
Topics Covered
Border firewalls
  Sit between a trusted and an untrusted network
  Drop and log attack packets
Types of firewall inspection
  Static packet inspection
  Stateful inspection
  Application proxy firewalls
  NAT
  Denial-of-service, authentication, VPNs
Firewall hardware and software
  Screening firewall router
  Computer-based firewalls
  Firewall appliances
  Host firewalls (firewalls on clients and servers)
  Performance is critical; overloaded firewalls drop packets they cannot filter
Static packet inspection
  Examines IP, TCP, UDP, and ICMP headers
  Examines packets one at a time
  Misses many attacks
  Used primarily in screening firewall routers
Access control lists (ACLs)
  List of if-then pass/deny statements
  Applied in order (sensitive to misordering)
  For the main firewall, the last rule is Deny All
  For the screening firewall, the last rule is Pass All
Stateful inspection
  Packets that attempt to open connections
    By default, permits all internally initiated connections
    By default, denies all externally initiated connections
    ACLs can change the default behavior
  Other packets
    Permitted if part of an established connection
    Denied if not part of an established connection
  Importance
    Fast and therefore inexpensive
    Catches almost all attacks
    Dominates the main border firewall market
Network Address Translation (NAT)
  Operation
    An internal host sends a packet to an external host
    The NAT device replaces the source IP address and TCP or UDP port number with stand-in values
    When packets are sent back, the stand-in values are replaced with the original values
    Transparent to internal and external hosts
  Why?
    To hide internal host IP addresses and port numbers from sniffers on the Internet
    To permit firms to have more hosts than they have assigned public IP addresses
  Perspective: often used in other types of firewalls
Topics Covered
Application FirewallsInspect application messages
Catch attacks that other firewalls cannot
Usually do NOT do antivirus filtering
Programs that do filtering are called proxies
Proxies are application-specific
Circuit firewalls are not application-specific; use required authentication for control
93
Topics Covered
Application FirewallsRelay operation
Application firewall acts as server to clients, clients to servers
This is slow, so traditionally application firewalls could only handle limited traffic
94
Topics Covered
Application Firewalls
Automatic Protection from Relay Operation
Protocol fidelity: stops port spoofing
Header destruction: no IP, TCP, UDP, or ICMP attacks
IP address hiding
95
Topics Covered
Application FirewallsCommand-based filtering (HTTP POST, etc.)
Host or URL filtering (black lists)
File type filtering (MIME, etc.)
NOT antivirus filtering
96
Topics Covered
Intrusion Prevention Systems (IPSs)Use sophisticated detection methods created for intrusion detection systems
Examine streams of packets, not just individual packetsDeep inspection: filter all layer messages in a packet
But unlike IDSs, do not simply report attacksStop detected attacks
New
17
97
Topics Covered
Intrusion Prevention Systems (IPSs)Spectrum of attack detection confidence
Stop attacks detected with high confidence
Do not stop attacks with low detection confidence because doing so can create a self-inflicted DoS Attack
New
98
Topics Covered
Intrusion Prevention Systems (IPSs)Sophisticated filtering in processing-intensive
Traditional IDSs could not filter in real-time so could not be placed in-line with traffic
ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic
New
99
Firewall Architectures
Site ProtectionScreening Firewall Router (Static Packet)
Main Border Firewall (Stateful)
Internal Firewalls
Host Firewalls
DMZ
Defense in Depth
100
Firewall Architectures
Site ProtectionDMZ
For hosts that must face Internet attack
Must be hardened (bastion hosts)
Public webservers, etc.
Application firewalls
External DNS server
101
Firewall Architectures
Home FirewallHost firewalls are especially needed for always-on broadband connection
SOHO FirewallSeparate firewall between the switch and the broadband modem
Some broadband modems do NAT, providing considerable protection
102
Firewall Architectures
Distributed Firewall ArchitectureMost firms have multiple sites
Multiple firewalls at many sites
A central manager controls them
If the manager is hacked, very bad
Management traffic must be encrypted
18
103
Configuring, Testing, and Maintenance
ConfigurationFirewalls must be configured (ACLs designed, etc.)
TestingConfiguration errors are common, so firewalls must be tested
MaintenanceMust be reconfigured frequently over time as the threat environment changes