Firewalls. Pavel Aharoni. January 19th, 2006.

Page 1: Firewalls

Pavel Aharoni

Page 2: Main Topics

January 19th, 2006 Firewalls 2

- Motivation
- Types of firewalls
- Filtering methods
- Examples
- Demo of Kerio PF installation

Page 3: The Internet in the B.F. era

- The early Internet was a rather closed community, mostly used by the military and the universities in the US.
- On Nov. 2, 1988, the famous Morris worm hit numerous computers, including NASA and major universities, spreading among the hosts and multiplying itself on them (due to a bug, or a feature?) until no other processes could run on the hosts.
- A good example of something a firewall could easily prevent.
- The first firewalls were introduced in the late 80s by Cheswick and Bellovin. Bellovin's definition: "Firewalls are barriers between 'us' and 'them' for arbitrary values of 'them'."

Page 4: What Firewalls Can and Should Do

- Security
  - Preventing info leaks
  - OS/application security holes
  - Stopping unwanted data flow
- User authentication
- Logging and auditing

Page 5: What Firewalls Can't Do

- Insider attacks
- Back-door creation and usage
- Stopping malware (true for firewalls without content inspection)
- Mismanaged policy
- Giving away passwords, etc.
- Some outside attacks

Page 6: Drawbacks

- Traffic bottleneck
- Single point of failure
- Accurate configuration is a must
- User frustration: logins, passwords... who needs them?
- Increased management responsibilities: extra work for admins, who need to check logs frequently to verify correct functioning

Page 7: Types of Firewalls

There are three basic types of firewalls, depending on:

1. Whether the communication is between a single node and the network, or between two or more networks
2. Whether the communication is intercepted at the network layer or at the application layer
3. Whether the communication state is tracked at the firewall or not

Page 8: Network Firewalls

- Can be either software or hardware
- Often mistakenly identified with a NIDS (Network Intrusion Detection System)
- Both are part of a security suite: the NIDS searches and alerts, while the firewall protects and prevents

Page 9: NIDS

- Built on so-called bastion hosts: computers that are fully exposed to attack.
- The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. The DMZ can be thought of as an unsafe area.

Page 10: DMZ typical structure

- "Three-legged firewall"
- Free access from the internal network to the DMZ, but only one way!

Page 11: Intrusion Detection Methods: Packet filtering

- The packet header is inspected
- The decision whether or not to let the packet through can depend on:
  - Source IP address
  - Destination IP address
  - Protocol type
  - Source port
  - Destination port

Page 12: Packet Filtering Strengths

- Faster than other packet screening: done at a relatively low level
- Transparent for the user: usually a built-in feature that requires no further configuration
- Application independent: decisions are based on the incoming packet header only
- Can help prevent malware operating from inside

Page 13: Packet Filtering Weaknesses

- All-or-nothing approach towards ports: in most implementations, if a port is open, it's open for all the traffic, which can be a security hole
- Complicated configuration: lengthy rule sets can be error-prone and slow
- Unable to protect from certain types of attacks: IP spoofing, buffer overflow, ICMP tunneling, FTP
- Direct connection establishment: my IP is visible to the outside world

Page 14: Intrusion Detection Methods: Stateful packet inspection (SPI)

- Uses packet filtering principles with the addition of connection state inspection
- The connection state is derived from previous packets
- A dynamic state table is maintained; packets are fed into it to verify they are part of a valid connection
- Newer firewalls can perform additional operations while performing SPI, such as reassembly, content filtering...
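The following is an added illustration, not code from the lecture, contrasting the header-only packet filter of pages 11 to 13 with the stateful inspection described on this page. The addresses, rules and packets are constructed; the point it shows is the "all-or-nothing ports" weakness: a stateless policy that wants web replies to reach internal hosts must open every ephemeral port to inbound TCP, so an unsolicited packet to one of those ports gets through, whereas the stateful filter accepts only packets that match a connection its state table has seen start from inside.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: only the header fields a packet filter looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set: a connection attempt
    ack: bool = False   # TCP ACK set: claims to belong to an existing connection

# A filter rule; a field left as None matches anything.
@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DENY"
    src: Optional[str] = None        # prefix match, e.g. "10.0.0." for 10.0.0.0/24
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dport_min: Optional[int] = None  # match destination ports >= this value

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.dport_min is None or p.dport >= self.dport_min))

def stateless_filter(rules, p: Packet) -> str:
    """Header-only packet filtering: first matching rule wins, default DENY."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"

class StatefulFilter:
    """SPI: the rules decide only on connection starts; the state table
    decides on everything else."""
    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # approved 5-tuples (src, sport, dst, dport, proto)

    def inspect(self, p: Packet) -> str:
        # Reply direction of a tracked connection: accept without consulting rules.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.table:
            return "ACCEPT"
        # A TCP packet that is neither a connection start nor part of a tracked
        # connection is dropped, whatever port it is aimed at.
        if p.proto == "tcp" and not p.syn:
            return "DENY"
        action = stateless_filter(self.rules, p)
        if action == "ACCEPT":
            self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action

INTERNAL = "10.0.0."   # constructed internal network 10.0.0.0/24

# Stateless policy: to let web replies back in it has to open every
# ephemeral port (>= 1024) on internal hosts to inbound TCP.
STATELESS_RULES = [
    Rule("ACCEPT", src=INTERNAL),
    Rule("ACCEPT", dst=INTERNAL, proto="tcp", dport_min=1024),
]
# Stateful policy: only internal hosts may start connections.
STATEFUL_RULES = [Rule("ACCEPT", src=INTERNAL)]

def compare() -> dict:
    """Run the same three constructed packets through both filters."""
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, ack=True)
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 4444, 5000, ack=True)  # unsolicited
    spi = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (request, reply, probe)],
        "stateful": [spi.inspect(p) for p in (request, reply, probe)],
    }

if __name__ == "__main__":
    print(compare())
```

The stateless filter accepts all three packets, including the probe, because port 5000 on the internal host falls inside the range it had to open; the stateful filter accepts the request and its reply and denies the probe, since no tracked connection matches it and it is not a connection start permitted by the rules.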

Page 15: SPI Strengths

- Also low-level: minor processing and network overhead, transparency, application independent
- More secure than basic packet filtering: due to the connection state inspection, more robust against several types of attacks

Page 16: Application Gateways/Proxies

- Operate on the application level
- Communications with untrusted networks are made strictly through the gateway/proxy
- Packets are inspected and forwarded on behalf of the client or server, depending on the direction (a proxy usually works both ways)

Page 17: Gateway/proxy Strengths

- No direct client-server connection
- Provides a form of NAT (to be explained)
- More configuration granularity: option to enable/disable certain applications and/or their features
- User authentication
- Logging

Page 18: Gateway/proxy Weaknesses

- Performance! Inspection on the application level, as opposed to the lower layers with packet filtering and SPI; sensitive to scalability problems
- Each protocol requires a corresponding application; can be difficult to add new protocols
- Effectiveness depends on the underlying OS
- Prone to denial-of-service attacks

Page 19: Adaptive proxy

- Basic proxies are secure, but slow
- An adaptive proxy combines application- and network-level inspection
- Only the first part of the connection is inspected at the application level, as opposed to all the packets in the basic model
- If the connection is approved, its subsequent packets are inspected at the network level

Page 20: Circuit-level Gateways

- No packet inspection; TCP/UDP sessions are checked instead
- Once a session is approved, the corresponding port is opened to the session's packets
- When the session is terminated, the port is closed
- Main advantage: works on the transport level

Page 21: Data Link Layer Firewalls

- Also called "bridge firewalls"
- Transparent on the network level: can be placed anywhere
- Immune to IP-related attacks

Page 22: Relatively Rare Types of Firewalls

- Transparent proxies: the client sends/receives packets as usual, but actually talks with the TP only
- Signature-based FW: monitoring potentially hazardous data (using pattern matching)
- Distributed FW: among hosts or even among devices

Page 23: Network Address Translation

- NAT uses internal addresses to multiplex/demultiplex Internet flows
- The outside world sees the network behind the NAT as having a single IP
- Can be useful for firewalling purposes: the internal network is hidden from the outside world, and all traffic to/from it goes through the NAT facility
- Used by most home routers
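As an added example (not from the lecture), the port-based NAT a home router performs, modelled in a few dozen lines: two internal hosts using the same source port are multiplexed onto distinct ports of one public address, replies are demultiplexed back through the mapping table, and an inbound packet with no mapping, or from a remote host other than the one the mapping was created for, has nowhere to go and is dropped. The mapping policy (mapping keyed on the remote endpoint too) and all addresses are assumptions of this example, not a description of any particular router.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

class Nat:
    """Port-based NAT: every internal (host, port) -> remote flow gets its own
    port on the single public address; the table maps replies back."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[Endpoint, Endpoint], int] = {}   # (internal, remote) -> public port
        self.back: Dict[int, Tuple[Endpoint, Endpoint]] = {}  # public port -> (internal, remote)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite an internal->Internet packet, allocating a mapping on first use."""
        key = (src, dst)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return ((self.public_ip, port), dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate an Internet->internal packet, or return None if it must be dropped."""
        if dst[0] != self.public_ip:
            return None
        mapping = self.back.get(dst[1])
        # No mapping (unsolicited traffic), or a remote host other than the one the
        # internal host talked to: nothing behind the NAT is reachable this way.
        if mapping is None or mapping[1] != src:
            return None
        internal, _remote = mapping
        return (src, internal)

def scenario() -> dict:
    """Constructed traffic: two internal hosts talk to one web server."""
    nat = Nat("198.51.100.1")   # constructed public address of the NAT box
    web = ("203.0.113.10", 80)  # constructed external web server
    a = nat.outbound(("10.0.0.5", 40000), web)
    b = nat.outbound(("10.0.0.6", 40000), web)   # same source port, different host
    return {
        "a_seen_as": a[0],
        "b_seen_as": b[0],
        "reply_to_a": nat.inbound(web, a[0]),
        "reply_to_b": nat.inbound(web, b[0]),
        "unsolicited": nat.inbound(("192.0.2.9", 4444), ("198.51.100.1", 20005)),
        "wrong_remote": nat.inbound(("192.0.2.9", 80), ("198.51.100.1", 20000)),
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Outside the NAT both flows appear to come from 198.51.100.1, on ports 20000 and 20001; the hiding effect the slide mentions is simply that any inbound packet not answering an entry in the table returns None.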

Page 24: Early Firewalls

- The first firewalls' target was to separate a big network into many small LANs, to allow each of them to be administered autonomously, so that problems in one specific LAN (noisy applications, management problems, etc.) wouldn't affect the whole network.
- It wasn't until the early 1990s that the first security-oriented firewalls emerged. They were IP routers with filtering rules. The first security policy was something like: "Allow anyone 'in here' to access 'out there.' Also, keep anyone (or anything I don't like) 'out there' from getting 'in here.'"

Page 25: Early Firewalls (cont.)

The first commercial firewall (DEC) was configured for and delivered to the first customer, a large East Coast-based chemical company, on June 13, 1991.

Page 26: DEC SEAL and Its Structure

1. The only point the Internet can talk to
2. Only authorized users can access external services

- Filtering gateway: the user is prompted about packets
- Not accessible from outside

Page 27: DEC SEAL

- Classic example of an application-level firewall
- Later integrated with the AltaVista firewall
- No longer exists as is

Page 28: AT&T Firewall

- Designed and written by Presotto and Cheswick
- Worked on the transport level
- All outbound connections were allowed, as opposed to DEC
- Also not very fast


Page 30: CheckPoint's VPN-1/Firewall-1

- CheckPoint's Firewall-1 emerged soon after, becoming the world-wide leader in the area
- Firewall-1 is integrated in VPN-1
- First FW to use stateful inspection
- Adds a time element to the filtering policy: access can be restricted during certain hours of the day, which allows safe backup/maintenance work without the server under repair being accessed

Page 31: CheckPoint's VPN-1/Firewall-1

- Strong content security capabilities
  - File name matching for FTP
  - Email address translation for SMTP
  - JS content checking in HTTP
- FireWall-1 GX for wireless networks
- Many, many more components (less related to the firewall lecture...)

Page 32: Microsoft Internet Security and Acceleration Server (ISA)

Includes, among other things:

- Stateful packet and application layer inspection firewall
- HTTP content inspection
- SSL bridging: decryption of SSL content to check for malicious code
- Authentication
- Option for checking valid URLs
- Can be integrated with already existing authentication frameworks

Page 33: ipchains

- Software-based firewall for Linux
- Allows NAT in addition to firewalling
- Was rewritten since the old IPv4 code did not support IP fragments; another reason was the inability to specify protocols to be inspected other than TCP, UDP, ICMP
- Essentially, gives the ability to create your own filtering rules

Page 34: ipchains

- Four chains: input, output, forward, user defined
- The kernel has to be compiled with numerous options enabled: CONFIG_PACKET, CONFIG_NET_ALIAS, CONFIG_IP_FIREWALL, etc.

Page 35: ipchains: Filtering by IP Address

Flags define the action taken on a specific chain, the kind of action, protocol(s), IP address space, network type, etc.

Deny (and log, -l) any inbound packet claiming a loopback source address on a real interface:

# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i ppp0 -d 0.0.0.0/0   # if you are on dialup

Page 36: ipchains: Filtering by Port

- Say we want to restrict access through rlogin (TCP port 513); we fear that an attacker managed to alter the .rhosts file, for example.
- Two rules for the input chain: one allowing port 513 only from the trusted network, and one denying it from everywhere else. ipchains takes the first matching rule, so the ACCEPT rule has to come before the DENY rule.

# ipchains -A input -j ACCEPT -p tcp -s x.x.x.x/24 -d y.y.y.y/32 513
# ipchains -A input -j DENY -p tcp -l -s 0.0.0.0/0 -d y.y.y.y/32 513

Page 37: ipchains: Additional Features

- In port filtering, it is also possible to state a service name, a range of ports, etc.
- IP accounting: statistics on packets going through, on a source/destination IP address basis
- Setting up NAT
- Port redirection (for example, if you're running a transparent proxy):

# ipchains -A input -j REDIRECT 8080 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80

Page 38: Personal Firewalls

- Defending a specific host rather than a network
- Windows XP has an integrated PF
- The improved version includes outbound packet filtering, IPv6 and IPSec support, etc.

Page 39: ZoneAlarm PF by CheckPoint

- Part of a powerful security suite
- Free for personal use
- First program to monitor outgoing traffic and deploy an application-level filter on communication

Page 40: ZoneAlarm Evaluation

Pros:

1. Very easy to use
2. Completely conceals the host from the Internet
3. Resistant to the leak-test attack, an invention of Steve Gibson: trying to send outbound data on behalf of a trusted application. ZA has a cryptographic signature for allowed applications.
4. Some tests show resistance to file sharing attacks

Cons:

1. Poor statistics (too basic)
2. The free version can hardly be configured
3. No signature-based IDS usage
4. Can't password-protect settings
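An added example, not part of the lecture, of why a personal firewall's outbound application control needs to identify programs by their content rather than by their path, which is the point of the leak-test resistance above. ZoneAlarm's actual mechanism is described on the slide only as a cryptographic signature; the code below uses a SHA-256 digest recorded at approval time as a stand-in for that check, and the "browser" file it approves is a constructed file in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict

def sha256_of(path: str) -> str:
    """Digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class OutboundAppControl:
    """Decides whether the program at a path may open outbound connections."""

    def __init__(self, check_hash: bool = True):
        self.check_hash = check_hash
        self.allowed: Dict[str, str] = {}   # path -> digest recorded when the user approved it

    def approve(self, path: str) -> None:
        self.allowed[path] = sha256_of(path)

    def permit_outbound(self, path: str) -> bool:
        expected = self.allowed.get(path)
        if expected is None:
            return False                    # never approved by the user
        if not self.check_hash:
            return True                     # path-only trust
        return sha256_of(path) == expected  # the binary must be the one that was approved

def leak_test(check_hash: bool) -> dict:
    """Approve a constructed 'browser', replace the file at that path, try again."""
    workdir = tempfile.mkdtemp()
    browser = os.path.join(workdir, "browser.exe")
    with open(browser, "wb") as f:
        f.write(b"genuine browser binary (constructed)")
    control = OutboundAppControl(check_hash)
    control.approve(browser)
    genuine = control.permit_outbound(browser)
    with open(browser, "wb") as f:
        f.write(b"a different program at the trusted path (constructed)")
    substituted = control.permit_outbound(browser)
    unknown = control.permit_outbound(os.path.join(workdir, "unknown.exe"))
    return {"genuine": genuine, "substituted": substituted, "unknown": unknown}

if __name__ == "__main__":
    print("path only:", leak_test(check_hash=False))
    print("path+hash:", leak_test(check_hash=True))
```

With path-only trust the substituted program inherits the browser's permission; with the digest check it is refused, while the genuinely approved binary still passes and an unknown program is refused in both modes.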

Page 41: Sygate PF 5.x

Pros:

1. Free version for personal use
2. Some degree of advanced program control
3. Full packet logging, user-defined rules
4. Some outbound inspection

Cons:

1. No predefined program permissions
2. Confirmation popups are hard to interpret

Page 42: Norton Personal Firewall

Pros:

1. Effective blocking system
2. Automatic rule generation for known apps
3. Hides almost all ports

Cons:

1. A bit expensive
2. Some ports are reported as "closed", which means there is something at that IP
3. Somewhat difficult access definitions

Page 43: BlackIce Defender

Pros:

1. Four levels of security: Trusting, Cautious, Nervous and Paranoid
2. Efficient intrusion analysis and handling, not seen in other known firewalls

Cons:

1. Pro No. 1 is cumbersome
2. Difficult configuration

Many, many others (McAfee, Kerio, Outpost...)

Page 44: Summary

- Firewalls help to solve some security problems and fail with others
- They require additional modules (IDS, antivirus...) to keep the host/network clean