Firewalls

Prof. Reuven Aviv: Firewalls, January 2009 (transcript of the lecture slides, 29 slides)


Outline

• What and where are firewalls

• Goals of a firewall

• Types of Firewalls

– Packet Filter

– Application Level (Proxy Server) Gateway


What and where are Firewalls?

[Diagram: the firewall sits at the router between the trusted networks (the intranet and its trusted users) and the untrusted networks and servers (the Internet and untrusted users). A DMZ holding the publicly accessible servers and networks hangs off the firewall between the two sides.]

Goals??


Firewall Goals

• The firewall is inserted between the premises network and the Internet

• Goals:

– Protect the premises network from Internet-based attacks

– Establish access control gate

Name the types of traffic that pass through, or are blocked by, the firewall


Access Control gate

[Diagram: traffic from the Internet passes through the firewall into the DMZ net and its web server pool; alerts (ALERT!!) are raised at the firewall.]

How do we protect the firewall itself?


Access Control Functions

• Service control: types of traffic to permit/deny, and in which direction

• User control: which user may reach which service

– E.g. denied websites

• Application behavior control

– Only filtered email can come in


Types of Firewalls

• Two common types of firewalls that we consider in this course

– Packet-filtering

– Application-level gateways


Packet Filtering Firewalls

• Apply rules to each incoming/outgoing IP packet and then forward or discard the packet

• Rules based on fields in the IP or TCP header

– IP address, port numbers, flags

• Two default policies (discard or forward)


Packet Filter at the TCP/IP Level

[Diagram: the two end hosts run the full stack (Applications, Transport, Network, Data Link, Physical); the Router/Firewall between them implements only Network, Data Link and Physical, so its rules act on the IP and TCP header fields.]

Give examples of rules

TCP/IP packet

[Diagram of the packet layout the filter inspects; the IP datagram carries the TCP header and the data.]

  Data Link Layer Header
  IP Header:
    Version | Type of Service | Total Length
    Identifier | Flags | Fragment Offset
    Time To Live | Protocol | Header Checksum
    Source Address
    Destination Address
    Options + Padding
  TCP Header:
    Source Port | Destination Port
    Sequence Number
    Acknowledgement Number
    Offset/Reserved | U A P R S F | Window
    Checksum | Urgent Pointer
    Options + Padding
  Data
  Data Link Layer Trailer


Basic Filtering Rules

  Action | Internal            | Port | External   | Port | Comment
  Block  | *                   | *    | 134.72.5.1 | *    | Not trusted external host
  Allow  | Our mail server addr| 25   | *          | 25   | Mail transport allowed
  Block  | *                   | *    | *          | *    | Default: deny everything
  Allow  | *                   | *    | *          | 80   | Allow HTTP connection to external web servers


Filtering Rules: direction, flags

  Action | Src      | Port | Dest     | Port  | Flag | Comment
  Allow  | Internal | *    | External | 25    |      | Outgoing SMTP
  Allow  | *        | 25   | *        | *     | ACK  | SMTP ACK from outside
  Allow  | Internal | *    | External | *     |      | Allow all outgoing connections
  Allow  | External | *    | Internal | *     | ACK  | Ack outgoing connections
  Allow  | *        | *    | *        | >1024 |      | Traffic to non-standard servers (dangerous)


Session Filtering

[Diagram: as in the packet-filter picture, the end hosts run the full stack; here the firewall's own stack also reaches up through Network and Transport to Applications, and it keeps Dynamic State Tables.]

• Screens ALL attempts, protects all applications

• Extracts & maintains ‘state’ information

• Makes an intelligent security / traffic decision


Controlling Telnet traffic via firewall

[Diagram: an Internal Telnet client (port 1234) talks to an External Telnet server (port 23) through the firewall.]

Client opens a TCP connection and tells the server its port number (“PORT 1234”). The ACK bit is not set.

Server sends acknowledgement (“ACK”).


  access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
  ! Allows packets to (External) Telnet servers
  access-list 101 permit tcp any eq 23 host 172.168.10.11 established
  ! Allows packets (back) from (External) Telnet Server. It verifies that the ACK bit is set
  interface Ethernet 0
  access-list 100 out
  ! Apply 1st rule to outgoing traffic
  access-list 101 in
  ! Apply 2nd rule to incoming traffic

Rule: Allow Telnet from 172.168.10.11 to any External server (port 23), and the reverse ACK


Router Rule Format

  access-list <rule number> <permit|deny> <protocol>
      <SOURCE host with IP address | any | IP address and mask> [<gt|eq port number>]
      <DEST host with IP address | any | IP address and mask> [<gt|eq port number>]


FTP “Active Mode” Scenario

[Diagram: External FTP client (command port 5150, data port 5151) and Internal FTP server (command port 21, data port 20). On the command channel the client sends “PORT 5151” and the server replies “OK”; the server then opens the DATA CHANNEL from port 20 to the client's port 5151, and the client answers with a TCP ACK.]

Client opens command channel; tells server its second port number.

Server acks. Server opens data channel to client's 2nd port.

Client acknowledges.


Example FTP – Packet Filter

  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
  ! Allows packets from any (External) client to the (Internal) FTP control and data ports
  access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
  access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
  ! Allows the (Internal) FTP server to send packets back to any (External) IP address with TCP ports > 1023
  interface Ethernet 0
  access-list 100 in
  ! Apply the first rule to incoming traffic
  access-list 101 out
  ! Apply the second rule to outgoing traffic
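Rule lists in this format are easy to misread by hand, so the following is an added example (my own code, not from the lecture) of a small interpreter for the simplified access-list syntax shown in the Router Rule Format slide, run against the Telnet and FTP rule lists above. It assumes exactly the syntax written on the slides (host A, any, or address plus a Cisco-style wildcard mask; optional eq/gt port; established meaning the ACK bit is set), first-match evaluation with an implicit deny when nothing matches, and constructed sample packets; the external addresses 203.0.113.x are documentation addresses chosen here, not taken from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass
class Packet:
    """Constructed sample packet: only the header fields the filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when the TCP ACK flag is set


@dataclass
class Rule:
    number: int                       # access-list number the rule belongs to
    permit: bool
    src_match: Callable[[str], bool]
    sport_match: Callable[[int], bool]
    dst_match: Callable[[str], bool]
    dport_match: Callable[[int], bool]
    established: bool = False         # "established": only packets with ACK set


def _addr_matcher(tokens, i):
    """Parse 'host A', 'any', or 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        want = ipaddress.ip_address(tokens[i + 1])
        return (lambda a, w=want: ipaddress.ip_address(a) == w), i + 2
    # Cisco wildcard mask: a 0 bit in the mask means that address bit must match
    base = int(ipaddress.ip_address(tok))
    keep = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda a, b=base & keep, k=keep: (int(ipaddress.ip_address(a)) & k) == b), i + 2


def _port_matcher(tokens, i):
    """Optional 'eq N' or 'gt N'; when absent, any port matches."""
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        op, n = tokens[i], int(tokens[i + 1])
        return ((lambda p, n=n: p == n) if op == "eq" else (lambda p, n=n: p > n)), i + 2
    return (lambda p: True), i


def parse_rule(line):
    tokens = line.split("!")[0].split()  # drop trailing '!' comments
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "tcp":
        raise ValueError(f"unsupported rule: {line!r}")
    number, permit = int(tokens[1]), tokens[2] == "permit"
    src, i = _addr_matcher(tokens, 4)
    sport, i = _port_matcher(tokens, i)
    dst, i = _addr_matcher(tokens, i)
    dport, i = _port_matcher(tokens, i)
    return Rule(number, permit, src, sport, dst, dport, "established" in tokens[i:])


def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def evaluate(rules, number, pkt):
    """First matching rule of list `number` decides; no match means deny (implicit deny)."""
    for r in rules:
        if r.number != number or (r.established and not pkt.ack):
            continue
        if (r.src_match(pkt.src) and r.sport_match(pkt.sport)
                and r.dst_match(pkt.dst) and r.dport_match(pkt.dport)):
            return r.permit
    return False


# The two rule sets from the slides (comments abbreviated).
TELNET_ACL = """
access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23 ! to external Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established ! replies only, ACK must be set
"""
FTP_ACL = """
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
"""

if __name__ == "__main__":
    tel = parse_acl(TELNET_ACL)
    out = Packet("172.168.10.11", 4000, "203.0.113.5", 23)               # outgoing Telnet open
    back = Packet("203.0.113.5", 23, "172.168.10.11", 4000, ack=True)    # server's reply
    probe = Packet("203.0.113.5", 23, "172.168.10.11", 4000)             # inbound, no ACK
    print("out", evaluate(tel, 100, out), "back", evaluate(tel, 101, back),
          "no-ACK probe", evaluate(tel, 101, probe))
```

The `established` check is what makes list 101 safe: a packet arriving from port 23 without ACK is exactly the case the filter must refuse, and the evaluator shows it being denied while the genuine reply is permitted.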


FTP “Passive Mode” Scenario

[Diagram: FTP client (command port 5150, data port 5151) and Internal FTP server (command port 21, data port 20, passive data port 3267). The client sends “PASV”; the server replies “OK 3267”; the client opens the DATA CHANNEL to port 3267, and the server answers with a TCP ACK.]

Client opens command channel; requests passive mode.

Server tells client the port number.

Client opens data channel to server's 2nd port. Server acknowledges.


Packet Filtering Firewalls

• Advantages:

– Simplicity

– Transparency to users

– High speed

• Disadvantages:

– Difficulty of setting up packet filter rules

– Lack of authentication


Packet Filtering Firewall: Attacks

• IP address spoofing

• Fragmentation Attacks


Anti Spoofing Policy: Do not allow outgoing traffic with a false sender address

[Diagram: an Internet Service Provider router with interfaces E1, E2 and E3 facing the customer networks 130.207.4.0, 130.207.3.0 and 130.207.5.0, and interface E4.]

Allowed outgoing traffic:

– E1: only from 130.207.4.0/24

– E2: only from 130.207.3.0/24

– E3: only from 130.207.5.0/24

ISP: Allow outgoing data only with legal addresses
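The policy on this slide is a per-interface source-address check, which the following added example (my own code, not from the lecture) writes out so it can be run over a constructed record of outbound packets. It assumes the three interface-to-prefix assignments from the slide, treats any interface without an assignment (such as E4) as one from which no customer traffic may originate, and allows more than one prefix per interface, which the slide does not need but real customers often do. The far-end address 203.0.113.9 is a documentation address chosen here.

```python
import ipaddress

# Constructed from the slide: the legitimate source prefix(es) behind each customer-facing interface.
EGRESS_PREFIXES = {
    "E1": [ipaddress.ip_network("130.207.4.0/24")],
    "E2": [ipaddress.ip_network("130.207.3.0/24")],
    "E3": [ipaddress.ip_network("130.207.5.0/24")],
}


def egress_allowed(iface, src):
    """Forward an outbound packet only if its source address lies in a prefix assigned
    to the interface it arrived on; any other source is a false sender address."""
    prefixes = EGRESS_PREFIXES.get(iface)
    if not prefixes:
        return False  # no prefix assigned to this interface: nothing may originate there
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def spoofed_packets(records):
    """records: (interface, src, dst) tuples seen leaving the ISP router; returns those the policy drops."""
    return [r for r in records if not egress_allowed(r[0], r[1])]


# Constructed sample traffic.
SAMPLE = [
    ("E1", "130.207.4.17", "203.0.113.9"),   # legitimate: E1's own prefix
    ("E1", "130.207.3.17", "203.0.113.9"),   # false sender: E2's prefix appearing on E1
    ("E2", "130.207.3.200", "203.0.113.9"),  # legitimate
    ("E3", "10.0.0.1", "203.0.113.9"),       # false sender: not a legal address for E3
    ("E4", "130.207.4.17", "203.0.113.9"),   # E4 has no assigned prefix, so nothing originates there
]

if __name__ == "__main__":
    for rec in spoofed_packets(SAMPLE):
        print("drop", rec)
```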

Fragmentation

[Diagram: the TCP/IP packet layout from the earlier slide (Data Link header, IP header, TCP header with its flags, Data, Data Link trailer) is repeated here.]


Basic Fragmentation Attack

[Diagram: External Telnet client (port 1234) and Internal Telnet server (port 23). Firewall policy: OUT is allowed only if the SYN bit is set; IN is allowed only if the ACK bit is set, since all packets after the opening one have the ACK bit set. Shown exchange: a SYN packet (no ACK); FRAG1 (with ACK); FRAG2 (with ACK); ACK.]

Client sends 2 fragments with ACK. Server re-assembles: fragments overlap - full datagram has the SYN bit set!
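The filter on this slide only ever sees one fragment at a time, so the defence is to refuse fragment sets that could change header bytes on reassembly. The following is an added example (my own code, not from the lecture) of the two checks a filter or the reassembling host can apply, in the spirit of RFC 1858: the first fragment must carry the whole TCP header, and no fragment may overlap bytes an earlier fragment already supplied. It uses constructed 20-byte TCP headers (checksum left zero) for the Telnet ports on the slide; the fragment sets are constructed test inputs.

```python
import struct
from dataclasses import dataclass

TCP_MIN_HEADER = 20   # bytes; a shorter first fragment cannot show the filter the whole header
TCP_FLAGS_INDEX = 13  # byte index of the flags field inside the TCP header
SYN, ACK = 0x02, 0x10


@dataclass
class Fragment:
    offset: int     # IP fragment offset, in 8-byte units as in the IP header
    more: bool      # IP "more fragments" (MF) flag
    payload: bytes  # the slice of the original datagram carried by this fragment


def fragment_check(frags):
    """Return None if the fragment set is acceptable, otherwise the reason to drop it."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return "no first fragment"
    if frags[0].more and len(frags[0].payload) < TCP_MIN_HEADER:
        return "first fragment too small to hold the TCP header"
    end = 0
    for f in frags:
        start = f.offset * 8
        if start < end:
            return f"fragment at offset {f.offset} overlaps earlier data"
        if f.more and len(f.payload) % 8:
            return "non-final fragment length not a multiple of 8"
        end = start + len(f.payload)
    if frags[-1].more:
        return "last fragment missing"
    return None


def reassemble(frags):
    """Reassemble only after the checks pass, so a later fragment can never rewrite
    header bytes (such as the flags) that an earlier fragment already supplied."""
    reason = fragment_check(frags)
    if reason is not None:
        raise ValueError(reason)
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))


def tcp_flags(datagram):
    return datagram[TCP_FLAGS_INDEX]


def make_tcp_header(sport, dport, flags):
    """Constructed minimal TCP header (checksum zero); not a real captured packet."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed fragment sets for the Telnet scenario on the slide (client port 1234, server port 23).
CLEAN = [Fragment(0, False, make_tcp_header(1234, 23, ACK) + b"data")]
OVERLAPPING = [                                                      # the set the slide describes
    Fragment(0, True, make_tcp_header(1234, 23, ACK) + bytes(4)),    # 24 bytes, ACK only
    Fragment(1, False, make_tcp_header(1234, 23, SYN | ACK)[8:]),    # restarts at byte 8
]
TINY_FIRST = [
    Fragment(0, True, make_tcp_header(1234, 23, ACK)[:8]),           # flags byte not even present
    Fragment(1, False, make_tcp_header(1234, 23, SYN | ACK)[8:]),
]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlapping", OVERLAPPING), ("tiny-first", TINY_FIRST)):
        verdict = fragment_check(frags)
        print(name, verdict or f"accepted, flags=0x{tcp_flags(reassemble(frags)):02x}")
```

Both rejected sets are caught before any byte is assembled; a filter that instead reassembled first and then inspected the flags would already have let the individual fragments through.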


General Fragmentation Attack

• Instead of fragmenting the TCP header

– Fragment the data portion of the packet, or ICMP

– Attack applications in clients

• Clients – not all do bounds checking

– Oversized reassembled packets on the client may be too large and cause a buffer overflow

• Remedy: Application Level Firewall

Application Level (Proxy) Gateway

• Acts as a relay of application-level traffic via a single TCP connection

• Knows the application protocol

– Rules are tailored to expected and unexpected behavior of application traffic

• Can stop / deny according to its rules

Advantages / Disadvantages?
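To make "rules tailored to expected behaviour of application traffic" concrete, here is an added example (my own code, not from the lecture) of the inspection an HTTP proxy gateway performs on a client request before relaying it: it parses the request as HTTP rather than as packets, permits only the methods and destination hosts the policy expects, rejects malformed or oversized lines, and records every decision in an audit list. The method set, host allowlist, line limit and sample requests are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed gateway policy: what this proxy treats as expected client behaviour.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
MAX_LINE = 2048           # a normal browser does not send longer lines
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

AUDIT_LOG = []            # every decision is recorded: the gateway sees whole requests, not packets


def inspect_http_request(raw):
    """Decide whether a client request may be relayed. Returns (allowed, reason)."""
    decision = _inspect(raw)
    AUDIT_LOG.append((raw.split("\r\n", 1)[0][:80], decision))
    return decision


def _inspect(raw):
    lines = raw.split("\r\n")
    if any(len(l) > MAX_LINE for l in lines):
        return False, "line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if not (target.startswith("/") or target.startswith("http://")):
        return False, "unexpected request target"
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        if ":" not in line:
            return False, "malformed header"
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    if not host:
        return False, "missing Host header"
    # proxy clients send an absolute URL; its host must agree with the Host header
    if target.startswith("http://") and urlsplit(target).hostname != host:
        return False, "URL host and Host header disagree"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not in allowlist"
    return True, "ok"


# Constructed sample requests.
OK_REQ = "GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TUNNEL_REQ = "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
OTHER_HOST = "GET / HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"
HUGE = "GET /" + "A" * 3000 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (OK_REQ, TUNNEL_REQ, OTHER_HOST, HUGE):
        print(inspect_http_request(req))
    print(len(AUDIT_LOG), "decisions logged")
```

None of these decisions is available to a packet filter: the method, the target host and the line length are all inside the application data that the packet filter's rules never look at.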


Application Level Gateway

• Advantages:

– Higher security than packet filters

– Only need to scrutinize a few allowable applications

– Easy to log and audit all incoming traffic

• Disadvantages:

– Additional processing overhead on each connection (gateway as splice point)


Comparison Table

                            | Modify client applications?
  Packet Filter             | No
  Application Level Gateway | Client application must be proxy-aware & configured to connect to the proxy server