Firewalls (1)



Transcript of Firewalls (1)

  • 7/24/2019 Firewalls (1)

    Slide 1/53: Firewalls

  • Slide 2/53: What is a Firewall?

    A choke point of control and monitoring

    Interconnects networks with differing trust

    Imposes restrictions on network services: only authorized traffic is allowed

    Auditing and controlling access; can implement alarms for abnormal behavior

    Itself immune to penetration

    Provides perimeter defence

  • Slide 3/53: Classification of Firewall

    Characterized by the protocol level it controls in:

    Packet filtering

    Circuit gateways

    Application gateways

  • Slide 4/53: Firewalls: Packet Filters (figure slide)

  • Slide 5/53: Firewalls: Packet Filters

    Simplest of components

    Uses transport-layer information only:

    IP Source Address, Destination Address

    Protocol/Next Header (TCP, UDP, ICMP, etc.)

    TCP or UDP source & destination ports

    TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)

    ICMP message type

    Examples:

    DNS uses port 53

    No incoming port 53 packets except from known trusted servers

  • Slide 6/53: Usage of Packet Filters

    Filtering on incoming or outgoing interfaces

    E.g., ingress filtering of spoofed IP addresses

    Egress filtering

    Permits or denies certain services

    Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

  • Slide 7/53: How to Configure a Packet Filter

    Start with a security policy

    Specify allowable packets in terms of logical expressions on packet fields

    Rewrite expressions in the syntax supported by your vendor

    General rules - least privilege:

    All that is not expressly permitted is prohibited

    If you do not need it, eliminate it

  • Slide 8/53

    Every ruleset is followed by an implicit rule reading like this:

    Example 1:

    Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that traffic from some particular site SPIGOT is to be blocked.

  • Slide 9/53

    Solution 1:

    Example 2:

    Now suppose that we want to implement the policy "any inside host can send mail to the outside".

  • Slide 10/53

    Solution 2:

    This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough!

    So why is it wrong?

  • Slide 11/53

    Our defined restriction is based solely on the outside host's port number, which we have no way of controlling.

    Now an enemy can access any internal machine and port by originating his call from port 25 on the outside machine.

    What can be a better solution?

  • Slide 12/53

    The ACK signifies that the packet is part of an ongoing conversation

    Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts
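    The rulesets of Examples 1 and 2 and the ACK fix, as an added simulation that is not code from the lecture: a first-match stateless filter with the implicit final block rule, the Example 1 ruleset, Solution 2 exactly as the slide states it, and the ACK-checked version. The addresses, the gateway and the SPIGOT network are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for this illustration (not from the slides).
INSIDE = ipaddress.ip_network("10.1.0.0/16")    # our internal network
OUR_GW = ipaddress.ip_network("10.1.0.25/32")   # our mail gateway
SPIGOT = ipaddress.ip_network("192.0.2.0/24")   # the site whose traffic is blocked
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False          # TCP ACK flag; clear on a connection-opening SYN


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    src: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None    # None matches any port
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None
    ack: Optional[bool] = None     # None ignores the flag


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.ack in (None, pkt.ack))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the implicit final rule blocks everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Example 1: nothing from SPIGOT; inbound SMTP only to our gateway.
EXAMPLE1 = [Rule("block", src=SPIGOT),
            Rule("allow", dst=OUR_GW, dport=25)]

# Solution 2 as the slide states it: inside hosts may call out to port 25, and
# anything coming *from* port 25 may come back in, to any inside port.
SOLUTION2 = [Rule("allow", src=INSIDE, dport=25),
             Rule("allow", sport=25, dst=INSIDE)]

# The ACK fix: packets from port 25 are admitted only with ACK set, i.e. only
# as part of a conversation that an inside host opened.
SOLUTION3 = [Rule("allow", src=INSIDE, dport=25),
             Rule("allow", sport=25, dst=INSIDE, ack=True)]

# The case the slide warns about: a connection attempt sourced from port 25 on
# an outside host (a bare SYN, so ACK is clear) aimed at an inside telnet port.
OUTSIDE_SYN_FROM_25 = Packet("203.0.113.9", 25, "10.1.5.5", 23, ack=False)
# A genuine reply from an outside mail server to our client's ephemeral port.
MAIL_REPLY = Packet("203.0.113.9", 25, "10.1.5.5", 40000, ack=True)


def audit() -> dict:
    """Run the slide's scenarios through each ruleset and report the verdicts."""
    return {
        "example1_smtp_to_gw": decide(EXAMPLE1, Packet("203.0.113.9", 40000, "10.1.0.25", 25)),
        "example1_smtp_to_other_host": decide(EXAMPLE1, Packet("203.0.113.9", 40000, "10.1.5.5", 25)),
        "example1_from_spigot": decide(EXAMPLE1, Packet("192.0.2.7", 40000, "10.1.0.25", 25)),
        "solution2_syn_from_25": decide(SOLUTION2, OUTSIDE_SYN_FROM_25),   # the hole
        "solution3_syn_from_25": decide(SOLUTION3, OUTSIDE_SYN_FROM_25),   # closed
        "solution3_mail_reply": decide(SOLUTION3, MAIL_REPLY),
    }
```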

  • Slide 13/53: Security & Performance of Packet Filters

    Tiny fragment attacks: split TCP header info over several tiny packets

    Either discard or reassemble before check

    Degradation depends on number of rules applied at any point

    Order rules so that most common traffic is dealt with first

    Correctness is more important than speed
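    The "discard" option for tiny fragments, as an added illustration that is not code from the lecture: the RFC 1858 policy of dropping a TCP first fragment too short to hold the whole TCP header, and any fragment at offset 1, applied to IPv4 fragments constructed in memory. Addresses and the TCP header values are constructed.

```python
import struct

TCP = 6
UDP = 17
MIN_TCP_HEADER = 20   # bytes a filter must see to read ports and flags


def build_ipv4(proto: int, frag_offset: int, more_fragments: bool, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 header (IHL=5, no options) in front of payload.
    frag_offset is in 8-byte units, as on the wire. Constructed test data only."""
    flags_frag = ((1 << 13) if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                         64, proto, 0,                 # TTL, protocol, checksum (unused here)
                         bytes([10, 1, 5, 5]), bytes([203, 0, 113, 9]))
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the fields a fragment policy needs."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    return {"proto": packet[9],
            "offset": flags_frag & 0x1FFF,          # fragment offset, 8-byte units
            "more": bool(flags_frag & 0x2000),      # MF flag
            "payload_len": total_len - ihl}


def fragment_verdict(packet: bytes) -> str:
    """'discard' a TCP fragment that a stateless filter must not judge on its own.
    RFC 1858 policy: the first fragment must carry the whole TCP header, and a
    fragment at offset 1 (byte 8) is dropped because it could overlap and rewrite
    the flags of an otherwise innocent-looking first fragment."""
    h = parse_ipv4(packet)
    if h["proto"] != TCP:
        return "pass"
    if h["offset"] == 0 and h["payload_len"] < MIN_TCP_HEADER:
        return "discard"
    if h["offset"] == 1:
        return "discard"
    return "pass"


# Constructed samples: one 20-byte TCP SYN header (sport 40000, dport 23) sent
# whole, then the same header split so that the flags land in a second fragment.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
WHOLE = build_ipv4(TCP, 0, False, TCP_SYN)
TINY_FIRST = build_ipv4(TCP, 0, True, TCP_SYN[:8])        # ports only, flags missing
TINY_SECOND = build_ipv4(TCP, 1, False, TCP_SYN[8:])      # offset 1 carries the flags
LATER_FRAGMENT = build_ipv4(TCP, 3, False, b"\x00" * 16)  # ordinary data fragment
SMALL_UDP = build_ipv4(UDP, 0, False, b"\x00" * 8)        # a UDP header is only 8 bytes
```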

  • Slide 14/53 (figure slide, no text)

  • Slide 15/53: Port Numbering

    TCP connection:

    Server port is a number less than 1024

    Client port is a number between 1024 and 16383

    Permanent assignment:

    Ports <1024 are assigned permanently

    20, 21 for FTP; 23 for Telnet; 25 for server SMTP; 80 for HTTP

    Variable use:

    Ports >1024 must be available for a client to make any connection

    This presents a limitation for stateless packet filtering

    If a client wants to use port 2048, the firewall must allow incoming traffic on this port

    Better: stateful filtering knows the outgoing requests

  • Slide 16/53: Firewalls: Stateful Packet Filters

    Traditional packet filters do not examine higher-layer context

    i.e. matching return packets with the outgoing flow

    Stateful packet filters address this need

    They examine each IP packet in context

    Keep track of client-server sessions

    Check that each packet validly belongs to one

    Hence are better able to detect bogus packets out of context
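    A stateful filter of the kind the slide describes, added here as an illustration that is not code from the lecture: a session table keyed on the client/server four-tuple, opened only by an inside host's SYN, so a reply to an ephemeral port above 1024 is admitted only when that host asked for it, and an ACK-flagged packet from port 25 with no matching session (which the stateless ACK rule of Slide 12 would have passed) is rejected as out of context. Addresses and the inside prefix are constructed.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.1."   # constructed: addresses of our internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulFilter:
    """Admits inbound packets only when they belong to a session an inside host opened."""

    def __init__(self) -> None:
        # (inside ip, inside port, outside ip, outside port) -> [state, side_that_sent_fin]
        self.sessions = {}

    @staticmethod
    def _key(pkt: Packet, outbound: bool):
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        outbound = pkt.src.startswith(INSIDE_PREFIX)
        key = self._key(pkt, outbound)
        entry = self.sessions.get(key)

        if entry is None:
            # Only an inside host may open a session, and only with a bare SYN.
            # Anything else is out of context; no blanket "port > 1024" rule is needed.
            if outbound and pkt.syn and not pkt.ack:
                self.sessions[key] = ["SYN_SENT", None]
                return "allow"
            return "block"

        state, fin_from = entry
        if state == "SYN_SENT":
            if not outbound and pkt.syn and pkt.ack:   # the server's SYN/ACK
                entry[0] = "ESTABLISHED"
                return "allow"
            if outbound and pkt.syn and not pkt.ack:   # client retransmits its SYN
                return "allow"
            return "block"

        # ESTABLISHED: every further packet must acknowledge the conversation.
        if not pkt.ack:
            return "block"
        if pkt.fin:
            if fin_from is None:
                entry[1] = outbound        # first side to close
            elif fin_from != outbound:
                # Both sides closed. A production filter would keep the entry
                # briefly for the final ACK; this model simply forgets it.
                del self.sessions[key]
        return "allow"

    def active(self) -> int:
        return len(self.sessions)


def walk_through() -> list:
    """Drive one client session plus two out-of-context probes through the filter."""
    fw = StatefulFilter()
    inside, outside = "10.1.5.5", "203.0.113.9"
    steps = [
        ("client SYN out", Packet(inside, 40000, outside, 80, syn=True)),
        ("unsolicited packet to port 40001", Packet(outside, 80, inside, 40001, ack=True)),
        ("server SYN/ACK", Packet(outside, 80, inside, 40000, syn=True, ack=True)),
        ("client ACK", Packet(inside, 40000, outside, 80, ack=True)),
        ("ACK-flagged probe from port 25", Packet(outside, 25, inside, 40000, ack=True)),
        ("server data", Packet(outside, 80, inside, 40000, ack=True)),
        ("client FIN", Packet(inside, 40000, outside, 80, fin=True, ack=True)),
        ("server FIN", Packet(outside, 80, inside, 40000, fin=True, ack=True)),
        ("late packet after close", Packet(outside, 80, inside, 40000, ack=True)),
    ]
    return [(name, fw.process(p)) for name, p in steps]
```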

  • Slide 17/53: Stateful Filtering (figure slide)

  • Slide 18/53: Firewall Outlines

    Packet filtering

    Application gateways

    Circuit gateways

  • Slide 19/53: Firewall Gateways

    Firewall runs a set of proxy programs

    Proxies filter incoming and outgoing packets

    All incoming traffic is directed to the firewall

    All outgoing traffic appears to come from the firewall

    Policy is embedded in the proxy programs

    Two kinds of proxies:

    Application-level gateways/proxies: tailored to http, ftp, smtp, etc.

    Circuit-level gateways/proxies: working on the TCP level

  • Slide 20/53: Firewalls - Application Level Gateway (or Proxy) (figure slide)

  • Slide 21/53: Application-Level Filtering

    Has full access to the protocol:

    user requests service from the proxy

    proxy validates the request as legal

    then actions the request and returns the result to the user

    Need separate proxies for each service

    E.g., SMTP (E-Mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol)

    custom services generally not supported

  • Slide 22/53: App-level Firewall Architecture

    Daemon spawns a proxy when communication is detected!

    (Figure: a network connection arrives at the Telnet, SMTP and FTP daemons; each daemon spawns the matching Telnet, SMTP or FTP proxy.)

  • Slide 23/53

    Enforce policy for specific protocols

    E.g., virus scanning for SMTP

    Need to understand MIME, encoding, Zip archives

  • Slide 24/53: Where to Deploy App-level Firewall

    Bastion Host: highly secure host system

    Potentially exposed to "hostile" elements

    Hence is secured to withstand this

    Disable all non-required services; keep it simple

    Runs circuit / application level gateways

    Install/modify the services you want

    Or provides externally accessible services

  • Slide 25/53: Screened Host Architecture (figure slide)

  • Slide 26/53: Screened Subnet Using Two Routers (figure slide)

  • Slide 27/53: Firewalls Aren't Perfect?

    Useless against attacks from the inside

    Evildoer exists on the inside

    Malicious code is executed on an internal machine

    Organizations with greater insider threat: banks and military

    Cannot protect against transfer of all virus-infected programs or files

    because of the huge range of O/S & file types

  • Slide 28/53: Quiz

    In this question, we explore some applications and limitations of a packet filtering firewall. For each question, briefly explain 1) can a stateless firewall be configured to defend against the attack, and how? and 2) if not, what about a stateful firewall?

    Can the firewall prevent a SYN flood denial-of-service attack from the external network?

    Can the firewall prevent a Smurf attack from the external network? Recall that, as we discussed in the class before, the Smurf attack uses the broadcast IP address of the subnet.

    Can the firewall block P2P applications, e.g., BitTorrent?

  • Slide 29/53

    Can the firewall prevent external users from exploiting a security bug in a CGI script on an internal web server (the web server is serving requests from the Internet)?

    Can the firewall prevent an online password dictionary attack from the external network on the telnet port of an internal machine?

    Can the firewall prevent a user on the external network from opening a window on an X server in the internal network? Recall that by default an X server listens for connections on port

    Can the firewall block a virus embedded in an incoming email?

    Can the firewall be used to block users on the internal network from browsing a specific external IP address?

  • Slide 30/53: Backup Slides

  • Slide 31/53: Firewalls - Circuit Level Gateway

    Relays two TCP connections

    Imposes security by limiting which such connections are allowed

    Once created, usually relays traffic without examining contents

    Typically used when internal users are trusted, by allowing general outbound connections

    SOCKS is commonly used for this

  • Slide 32/53: Firewall Outlines

    Packet filtering

    Application gateways

    Circuit gateways

    Combination of the above is the dynamic packet filter

  • Slide 33/53: Dynamic Packet Filters

    Most common

    Provide administrators good protection and full transparency

    Network given full control over traffic

    Captures the semantics of a connection

  • Slide 34/53 (figure slide)

    (Figure: intended connection from 1.2.3.4 to 5.6.7.8, with the firewall between the two hosts.)

    Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the connections, to and from the relay in the firewall box. The firewall impersonates each endpoint to the other.

  • Slide 35/53 (figure slide)

    (Figure: intended connection from 1.2.3.4 to 5.6.7.8, passing through an application proxy in the firewall; the address 1.11.12.13 also appears in the figure.)

    A dynamic packet filter with an application proxy. Note the change in source address.

  • Slide 36/53: Network Topology

    (Figure: A firewall router with multiple interfaces.)

    Filter Rule: open access to Net 2 means source address from Net 3

    Why not spoof an address from Net 3?

  • Slide 37/53: Address-Spoofing

    Detection is virtually impossible unless source-address filtering and logging are done

    One should not trust hosts outside of one's administrative control

  • Slide 38/53: External Interface Ruleset

    Allow outgoing calls; permit incoming calls only for mail and only to the gateway GW

    Note: specify GW as the destination host instead, to prevent open access to Net 1

  • Slide 39/53: Net 2 Router Interface Ruleset

    Gateway machine speaks directly only to other machines running trusted mail server software

    Relay machines are used to call out to GW to pick up waiting mail

    Note: spoofing is avoided with the specification

  • Slide 40/53: How Many Routers Do We Need?

    If routers only support outgoing filtering, we need two:

    One to use a ruleset that protects against compromised gateways

    One to use a ruleset that guards against address forgery and restricts access to the gateway machine

    An input filter on one port is exactly equivalent to an output filter on the other port

    If you trust the network provider, you can go without input filters

    Filtering can be done on the output side of the router

  • Slide 41/53: Routing Filters

    All nodes are somehow reachable from the Internet

    Routers need to be able to control what routes they advertise over various interfaces

    Clients who employ IP source routing make it possible to reach 'unreachable' hosts

    Enables address-spoofing

    Block source routing at the borders, not at the backbone

  • Slide 42/53: Routing Filters (cont)

    Packet filters obviate the need for route filters

    Route filtering becomes difficult or impossible in the presence of complex technologies

    Route squatting: using unofficial IP addresses inside firewalls that belong to someone else

    Difficult to choose non-addressed address space

  • Slide 43/53: Firewall Outlines

    Packet filtering

    Application gateways

    Circuit gateways

    Combination of the above is the dynamic packet filter

  • Slide 44/53: Firewalls - Circuit Level Gateway (figure slide)

  • Slide 45/53 (figure slide)

    Figure: A typical SOCKS connection through interface A, and a rogue connection through the external interface, B.

  • Slide 46/53: Dual Homed Host Architecture (figure slide)

  • Slide 47/53: Asymmetric Routes

    Both sides of the firewall know nothing of one another's topology

    Solutions:

    Maintain full knowledge of the topology: not feasible, too much state to keep

    Multiple firewalls share state information: volume of messages may be prohibitive, code complexity

  • Slide 48/53: Are Dynamic Packet Filters Safe?

    Comparable to that of circuit gateways, as long as the implementation strategy is simple

    If administrative interfaces use physical network ports as the highest-level construct, legal connections are generally defined in terms of the physical topology

    Not if evildoers exist on the inside

    Circuit or application gateways demand user authentication for outbound traffic and are therefore more resistant to this threat

  • Slide 49/53: Distributed Firewalls

    A central management node sets the security policy enforced by individual hosts

    Combination of a high-level policy specification with a file distribution mechanism

    Advantages:

    Lack of a central point of failure

    Ability to protect machines outside a topologically isolated space

    Great for laptops

    Disadvantage:

    Harder to allow in certain services, whereas it's easy to block

  • Slide 50/53: Distributed Firewalls Drawback

    Allowing in certain services works if and only if you're sure the address can't be spoofed

    Requires anti-spoofing protection

    Must maintain the ability to roam safely

    Solution: IPsec

    A machine is trusted if and only if it can perform proper cryptographic authentication

  • Slide 51/53: Where to Filter?

    Balance between risk and costs

    There is always a higher layer that is hard to filter: humans

  • Slide 52/53: Dynamic Packet Filter Implementation

    Dynamically update the packet filter's ruleset

    Changes may not be benign due to ordering

    Redialing method offers greater assurance of security

    No special-case code necessary

    FTP handled with a user-level daemon

    UDP handled just as TCP except for tear-down

    ICMP handled with pseudoconnections and synthesized packets

  • Slide 53/53: Per-Interface Tables Consulted by Dynamic Packet Filter

    Active Connection Table: socket structure decides whether data is copied to the outside socket or sent to the application proxy

    Ordinary Filter Table: specifies which packets may pass in a stateless manner

    Dynamic Table: forces creation of local socket structures