Presentation, Firewalls

By: Khalid El-darymli


Transcript of Presentation, Firewalls

Page 1: Presentation, Firewalls

By: Khalid El-darymli

Page 2: Presentation, Firewalls

Introduction

The vastness of the internet, along with the differences among its visitors, creates a most unique melting pot.

It also contains a great potential for misuse, abuse and criminal activity.

A number of organizations have been attacked or probed by intruders, resulting in heavy production losses and embarrassment.

In 1996 the US Department of Defense announced that its computer systems were attacked 250,000 times in the preceding year, and most of these attacks went undetected.

The web site of the United States Information Agency was broken into by internet vandals.

But all is not lost: the FIREWALL still stands as the biggest and the best weapon for keeping the evil forces lurking along the miles of the information superhighway at bay.

Page 3: Presentation, Firewalls

Data Transmission in TCP/IP Networks:

The internet is like a railroad, sort of.

TCP/IP and the OSI reference model.

Page 4: Presentation, Firewalls

What Are FIREWALLs?

A firewall

A FIREWALL is a system (either software or hardware or both) that enforces an access control policy between two networks.

Page 5: Presentation, Firewalls

What can a FIREWALL protect against, and what can it not?

They Can:

Firewalls are excellent at enforcing the corporate security policy.

Firewalls are used to restrict access to specific services.

Firewalls are singular in purpose.

Firewalls are excellent auditors.

Firewalls are very good at alerting appropriate people of events.

They Cannot:

Firewalls cannot protect against what is authorized.

Firewalls are only as effective as the rules they are configured to enforce.

Firewalls cannot stop social engineers or an authorized user intentionally using their access for malicious purposes.

Firewalls cannot fix poor administrative practices or poorly designed security policy.

Firewalls cannot stop attacks in which traffic does not pass through them.

Page 6: Presentation, Firewalls

Firewall TechnologyFirewall Technology

Application Level

e.g. Proxy Servers

Network Level

e.g. packet filtering

Both categories together.

Page 7: Presentation, Firewalls

FIREWALL Architectures

A FIREWALL primarily functions using four fundamental methods:
1- Packet Filters.
2- Application Gateways.
3- Circuit-level Gateways.
4- Stateful Packet Inspection.

Page 8: Presentation, Firewalls

1- Packet Filters:

A packet is like a letter.

TCP/IP Packet structure.

Page 9: Presentation, Firewalls

How Packet filtering works:

Creating a Rule Set: In order to provide an example of packet filtering we need to create a rule set. The rule set contains the following criteria:
1- Type of protocol.
2- Source address.
3- Destination address.
4- Source port.
5- Destination port.
6- The action the firewall should take when the rule set is not matched.

(Example) Network topology for the packet filtering.

Page 10: Presentation, Firewalls

Sample packet filtering rule set.

The flow of the packet filtering example. (Diagram label: DENY.)

Page 11: Presentation, Firewalls

Advantages and disadvantages:

Advantages:

It creates little overhead, so the performance of the screening device is less impacted.

It's relatively inexpensive or even free.

It provides good traffic management.

Disadvantages:

It allows direct connections to internal hosts from external clients.

It leaves many holes in the network perimeter, because it can only examine the traffic at the transport layer (TCP or UDP) or at the network layer (ICMP or IP protocol type).

It's difficult to manage and scale in complex environments, because in a multilayered security environment all packet filters in both network traffic directions must be synchronized.

It's vulnerable to attacks that "spoof" source addresses that match internal IP addressing schemes, unless it's specially configured to prevent this issue.

It offers no user authentication.
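The following is an added worked example, not code from the slides: a small stateless packet filter that evaluates a rule set on the six criteria listed on Page 9 (protocol, source and destination address, source and destination port, and a default action), first match wins. The addressing (protected network 192.168.10.0/24, mail server 192.168.10.25, interfaces named "ext" and "int") and the rule set are assumptions made for the example. It also shows two of the weaknesses listed above: a rule that trusts internal source addresses is fooled by a spoofed packet unless an interface-aware anti-spoofing rule comes first, and a stateless filter has to let web replies back in by port pattern, which an attacker can imitate by choosing source port 80.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

# Addressing assumed for this example (not taken from the slides): the
# protected network is 192.168.10.0/24 and its mail server is 192.168.10.25.
# The filter sits between the "ext" (Internet) and "int" (internal) interfaces.
INTERNAL_NET = "192.168.10.0/24"
MAIL_SERVER = "192.168.10.25"

PortSpec = Union[None, int, Tuple[int, int]]   # any port, one port, or an inclusive range


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on: "ext" or "int"
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    sport: Optional[int] = None  # None for protocols without ports (ICMP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One line of the rule set: the slide's criteria 1-5 plus the arrival interface."""
    action: str                # "ALLOW" or "DENY"
    proto: str = "any"         # 1- type of protocol
    src: str = "any"           # 2- source address (single address or CIDR)
    dst: str = "any"           # 3- destination address
    sport: PortSpec = None     # 4- source port
    dport: PortSpec = None     # 5- destination port
    iface: str = "any"         # arrival interface, needed for the anti-spoofing rule
    comment: str = ""


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.iface in ("any", pkt.iface)
        and rule.proto in ("any", pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and _port_match(rule.sport, pkt.sport)
        and _port_match(rule.dport, pkt.dport)
    )


def filter_packet(rules, pkt: Packet, default: str = "DENY"):
    """First-match evaluation: the first matching rule decides; if nothing
    matches, criterion 6 (the default action) applies. Returns (action, why)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return default, "default policy"


# Sample rule set, constructed for this example.
ANTI_SPOOF = Rule("DENY", src=INTERNAL_NET, iface="ext", comment="anti-spoof: internal source from outside")
RULESET = [
    ANTI_SPOOF,
    Rule("ALLOW", proto="tcp", dst=MAIL_SERVER, dport=25, comment="inbound SMTP to mail server"),
    Rule("ALLOW", proto="tcp", src=INTERNAL_NET, comment="outbound TCP from internal hosts"),
    # A stateless filter has no connection table, so web replies must be let back in
    # by pattern: anything from source port 80 to an internal high port. This is one
    # of the "holes" the slide mentions, because an attacker can choose source port 80.
    Rule("ALLOW", proto="tcp", sport=80, dst=INTERNAL_NET, dport=(1024, 65535), comment="web replies (stateless hole)"),
]

if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "203.0.113.5", MAIL_SERVER, 40000, 25),      # legitimate SMTP
        Packet("ext", "tcp", "203.0.113.5", MAIL_SERVER, 40000, 23),      # telnet: no rule, default DENY
        Packet("ext", "tcp", "192.168.10.7", "192.168.10.8", 40000, 23),  # spoofed internal source
        Packet("ext", "tcp", "203.0.113.5", "192.168.10.8", 80, 6000),    # attacker using source port 80
    ]
    for p in samples:
        print(p, "->", filter_packet(RULESET, p))
```

Running the same spoofed packet through RULESET with ANTI_SPOOF removed returns ALLOW from the "outbound TCP from internal hosts" rule, which is exactly the spoofing weakness described above; with the rule in place the packet is denied on arrival interface alone. The last sample is allowed whichever way the rules are ordered, because nothing in a stateless filter records whether an internal host ever asked a web server for anything.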

Page 12: Presentation, Firewalls

2- Application Gateways (also, proxy gateway)

Application level gateway. (Diagram label: DENY.)

Page 13: Presentation, Firewalls

How it works:

Overview of application gateway virtual connections. (Diagram label: ALLOWED ONLY SSH.)

Page 14: Presentation, Firewalls

Advantages and Disadvantages of Application Gateways

Advantages:

Application level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application level gateway need only scrutinize a few allowable applications. In addition, it's easy to log and audit all incoming traffic at the application level.

Disadvantages:

The prime disadvantage of the application level gateway is the additional processing overhead on each connection. In effect there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

Page 15: Presentation, Firewalls

3- Circuit Level Gateways: (e.g. Proxy and SOCKS servers)

Circuit-Level gateway. (Diagram label: www.companyName.com.)

Page 16: Presentation, Firewalls

Disadvantages:

Most circuit level gateways are configurable on a TCP port basis. This has the disadvantage that the circuit level gateway may not examine each packet at the application layer. This allows applications to utilize TCP ports that were opened for other, legitimate applications; several peer to peer applications can be configured to run on arbitrary ports, such as TCP 80 and TCP 443 (commonly opened for web browsing). This opens the possibility for misuse and exposes potential vulnerabilities inherent in these applications.

There are several other disadvantages to using a circuit level gateway as the sole means of protecting a network. Inbound connections are, in general, not allowed, unless the functionality is built into the gateway as a separate application. Some client applications cannot be modified to support SOCKS or proxying. This would prevent them from accessing external resources through a gateway.
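The following is an added example, not code from the slides, contrasting the application gateway of Pages 13-14 with the circuit level gateway described here. Both are reduced to the decision they make on the first message a client sends through them: the circuit level gateway looks only at the destination TCP port, while the application level gateway also checks that the bytes actually belong to one of the few applications it proxies (an HTTP/1.x request line on port 80, a TLS ClientHello on port 443). The payloads (an HTTP request to www.companyName.com, a truncated TLS ClientHello, a BitTorrent handshake and an SSH banner) are constructed for the example; the set of open ports is an assumption.

```python
import re

# Constructed first-client-messages for this example (not from the slides).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.companyName.com\r\n\r\n"
# TLS record header (type 0x16 = handshake, version 3.1, length) followed by a
# ClientHello handshake header (type 0x01); the body is truncated since only the
# headers are examined here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
# BitTorrent peer-wire handshake: length-prefixed protocol name, reserved bytes, hashes.
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-XX0001-" + b"\x01" * 12
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

OPEN_PORTS = {80, 443}   # assumed: what the circuit level gateway has been told to permit

_HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def looks_like_http(payload: bytes) -> bool:
    """An HTTP/1.x request begins with a well-formed request line."""
    return _HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """A TLS connection begins with a handshake record (0x16) whose first
    handshake message is a ClientHello (0x01); record version is 3.0 to 3.4."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def circuit_level_decision(dport: int, payload: bytes) -> str:
    """Circuit level gateway: relays the TCP circuit if the port is open.
    The payload is deliberately ignored, which is the slide's point."""
    return "ALLOW" if dport in OPEN_PORTS else "DENY"


def application_level_decision(dport: int, payload: bytes) -> str:
    """Application level gateway: only the few applications it proxies are
    accepted, and each must actually speak the protocol expected on its port."""
    if dport == 80 and looks_like_http(payload):
        return "ALLOW"
    if dport == 443 and looks_like_tls_client_hello(payload):
        return "ALLOW"
    return "DENY"


def compare(dport: int, payload: bytes):
    """Return the two gateways' verdicts side by side: (circuit, application)."""
    return circuit_level_decision(dport, payload), application_level_decision(dport, payload)


if __name__ == "__main__":
    for name, dport, payload in [
        ("HTTP on 80", 80, HTTP_GET),
        ("TLS on 443", 443, TLS_CLIENT_HELLO),
        ("BitTorrent tunnelled over 443", 443, BITTORRENT_HANDSHAKE),
        ("SSH tunnelled over 80", 80, SSH_BANNER),
        ("SSH on 22", 22, SSH_BANNER),
    ]:
        circuit, application = compare(dport, payload)
        print(f"{name:32} circuit={circuit:5} application={application}")
```

The two middle cases are the misuse described above: a peer to peer client or an SSH tunnel pointed at port 443 or 80 passes the circuit level gateway unexamined, while the application level gateway refuses it because the first bytes are not the protocol that port is supposed to carry. This check is only a first-message sanity test, not full protocol validation, but it is the kind of scrutiny a circuit level relay never performs.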

Page 17: Presentation, Firewalls

Bastion Host:

It is a computer that is the central component in a network security architecture, often the main entrance to the network it is intended to protect.

It runs proxy software.

It's usually the most critical, and therefore the best secured, system in the network.

Another kind of bastion host is called a victim machine (also called a sacrificial lamb).

Bastion hosts are used in all arrangements that use a proxy server.

Page 18: Presentation, Firewalls

4- Stateful Packet Inspection:

How it works:

The logic flow of stateful packet inspection.

Page 19: Presentation, Firewalls

Advantages and Disadvantages of SPI:

Advantages:

The connection table greatly reduces the chance that a packet will be spoofed to appear as if it were part of an existing connection.

The ability to look into the data of certain packet types.

Disadvantages:

It does not protect the internal hosts to the same degree as an application layer firewall.

It does not act as a proxy or set up a separate connection on behalf of the source.
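The following is an added example, not code from the slides, of the connection table that Pages 18-19 describe. A connection enters the table only when an inside host sends a SYN to an allowed port; inbound segments are accepted only if they match an entry and carry the flags that entry expects (SYN/ACK while the entry is SYN_SENT, then ordinary data, then RST or a fresh lookup failure closes it). Beside it sits the rule a stateless filter must use to admit replies, "ACK set, high destination port", so that the two can be given the same forged ACK. Addresses, ports and the allowed outbound ports are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Sample addressing assumed for this example (not from the slides):
# protected hosts live in 192.168.10.0/24; everything else is the Internet.


@dataclass(frozen=True)
class TcpSegment:
    direction: str   # "out" = leaving the protected network, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


ConnKey = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)


def stateless_established_rule(seg: TcpSegment) -> str:
    """What a stateless filter has to do to let replies in: permit any inbound
    segment with ACK set towards a high port. It cannot know whether a
    connection really exists, so a crafted ACK passes."""
    if seg.direction == "in" and seg.ack and not seg.syn and seg.dport > 1023:
        return "ALLOW"
    return "DENY"


class StatefulFilter:
    """Stateful packet inspection: outbound connections are opened only by a
    SYN to an allowed port; inbound segments are accepted only when they match
    an entry in the connection table and carry the flags that entry expects."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table: Dict[ConnKey, str] = {}   # ConnKey -> "SYN_SENT" | "ESTABLISHED"

    def inspect(self, seg: TcpSegment) -> str:
        if seg.direction == "out":
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if key in self.table:
                if seg.rst:
                    del self.table[key]          # inside tore the connection down
                return "ALLOW"
            if seg.syn and not seg.ack and seg.dport in self.allowed:
                self.table[key] = "SYN_SENT"     # new connection initiated from inside
                return "ALLOW"
            return "DENY"

        # inbound: look the segment up under the key of the connection it claims to belong to
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.table.get(key)
        if state is None:
            return "DENY"                        # unsolicited, including a fresh SYN from outside
        if state == "SYN_SENT":
            if seg.syn and seg.ack:
                self.table[key] = "ESTABLISHED"  # handshake step 2 from the server
                return "ALLOW"
            return "DENY"                        # wrong flags for this stage
        if seg.rst:
            del self.table[key]                  # server tore the connection down
        return "ALLOW"


def run_handshake(fw: StatefulFilter, inside: str, sport: int, outside: str, dport: int):
    """Drive a full three-way handshake through the filter and return the three verdicts."""
    return [
        fw.inspect(TcpSegment("out", inside, sport, outside, dport, syn=True)),
        fw.inspect(TcpSegment("in", outside, dport, inside, sport, syn=True, ack=True)),
        fw.inspect(TcpSegment("out", inside, sport, outside, dport, ack=True)),
    ]


if __name__ == "__main__":
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    print(run_handshake(fw, "192.168.10.7", 50000, "198.51.100.9", 443))
    # Crafted inbound ACK for a connection that was never opened:
    forged = TcpSegment("in", "203.0.113.5", 80, "192.168.10.8", 50001, ack=True)
    print("stateless:", stateless_established_rule(forged), "stateful:", fw.inspect(forged))
```

The forged ACK is allowed by the stateless rule and denied by the stateful filter, which is the advantage listed above. The disadvantage listed above is also visible: the filter never terminates or re-originates the connection, it only decides whether to forward each segment, so once a connection is ESTABLISHED the data inside it flows between the two hosts directly.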

Page 20: Presentation, Firewalls

Firewall Configurations

1- Screened Network (Packet Filtering Only):

A simple firewall that uses a screening router.

Page 21: Presentation, Firewalls

2- Dual-Homed Gateway:

A dual-homed host has two network interfaces, and therefore two IP addresses.

Page 22: Presentation, Firewalls

3- Screened Host:

The screened-host configuration.

Page 23: Presentation, Firewalls

Benefits & Disadvantages:

Benefits:

More flexible than a dual-homed gateway firewall.

The rules for the packet filter can be less complex than for a screened network configuration, because most or all of the traffic will be directed to the application gateway.

If either component fails in an "open" condition, so that it no longer blocks anything, the other component still affords some measure of protection.

Disadvantages:

The two components of the firewall need to be configured carefully to work together correctly.

The flexibility of the system can lead to the temptation to take shortcuts that can subvert security.

Page 24: Presentation, Firewalls

4- Screened Subnet:

The screened-subnet configuration. (Diagram label: Demilitarized Zone.)

Page 25: Presentation, Firewalls

Benefits & Disadvantages:

Benefits:

The chief benefit is another layer of protection. To gain access to the protected network, an attacker would have to go through two routers and the application gateway: not impossible, but more difficult than with a screened-host firewall.

Disadvantages:

It's the most expensive configuration (of those described here).

With three machines, including two routers with their rule tables, configuration of the overall system can become quite complicated.

Page 26: Presentation, Firewalls

Other firewall Configurations:

You can come up with variations of the configurations described here to suit your security policy.

You might want to use more bastion hosts to separate traffic for different services.

You could add more layers of screened subnets to deal with traffic to and from networks with varying degrees of trustworthiness.

Page 27: Presentation, Firewalls

The point:

There are no hard and fast rules for how a Firewall should be set up. Just remember a couple of guidelines:

Avoid the temptation to take shortcuts around more burdensome aspects of the security policy. Effective security sometimes means inconvenience.

Keep it as simple as possible. More is not necessarily better, especially if adding more elements to your firewall makes it impossibly complex to set up and administer, or so difficult to use that users resort to unauthorized shortcuts.

Page 28: Presentation, Firewalls

Practical FIREWALL Implementation

Acme's organizational chart shows a simple management structure with functions consolidated in three main departments: production, sales/marketing, and finance. (Diagram label: New Orleans.)

Page 29: Presentation, Firewalls

Security Issue: Defining the internet connection:

The web site carries information about ACME's products. Web users will have the ability to send Email messages to any of Acme's regional sales offices, generating a call back from the appropriate salesperson.

Solutions:

The system could be created so that no information flows out of Acme via the channel.

Other data that the Web provider might need for the home page, such as announcements of new products, updates on product availability, special promotions, and so on, could likewise be transferred via some secure method - e.g., a one way email service on the company's intranet - such that no files need to be transferred via the internet for this service.

Page 30: Presentation, Firewalls

Security Issue: Determining Who Needs Access:

Solutions:

This table shows where various information inside Acme is created and how it's shared.

Page 31: Presentation, Firewalls

Security Issue: Identifying Weak Spots in Information Flow:

Limiting access to servers with remote (that is, dial up) access capabilities.

Securing sensitive design data.

Preventing employees who should not have access to certain information from getting that information.

The beginnings of the Acme intranet with a server for each department.

Page 32: Presentation, Firewalls

Security Issue: Managing Remote Access:

First, sales reps take the orders from the customers and input the information into computer order forms on their notebook computers.

They compile the orders into single data files for transfer to the regional sales office.

Next, sales representatives begin the process of uploading the sales onto the company's FTP order sites, located at each of the regional sales offices.

This is accomplished by using communications software on the notebook computer to dial into the regional office's "modem center" via a cellular phone built into the notebook computer.

Anywhere an organization uses a standard telephone line for remote access, a danger exists that the number, and thus the line, may be attacked by a hacker.

Page 33: Presentation, Firewalls

Solutions:

Acme decides to use a two-stage firewall at this point in its system.

Acme decides to use the Modem Security Enforcer, which requires users to call in and pass a two-step password test, then hangs up the system and calls the user back at a pre-established telephone number.

After the salesperson successfully passes through the modem security, the salesperson encounters the second firewall, located on the Sales/Marketing Web server. Acme uses a proxy server such as Borderware Firewall Server, which accepts the data from the salesperson's notebook-generated order file and passes it through to the FTP site on the intranet.

Any data that comes back to the notebook during this process is protected by means of Network Address Translation (also provided by Borderware's Firewall Server), which changes the actual internal addressing on information sent out to the remote computer.

Here is the Sales/Marketing part of the Acme intranet with the firewalls added.

Page 34: Presentation, Firewalls

A process similar to that described here is used for transferring the data from the three sales offices to the main office.

That is, the sales orders are combined into a single, larger format order and transferred to the various offices and the appropriate shipping points.

Here, however, no public telephone lines are used. Rather, dedicated "T1" telephone lines are used to move the data from the sales offices to the shipping point and main office internal FTP sites, respectively.

This diagram shows a typical sales order as it travels from the point of sale to the production and shipping facilities.

Page 35: Presentation, Firewalls

Security Issue: Managing Remote Access:

The regional (and central) sales offices must make available to the sales force the latest information concerning changes to product lines, pricing information, shipping delays, and so on. As with previous tasks, Acme is not only concerned that this information be made available but also that the process of making it available be as secure as possible.

Also, as noted previously in the Table, all offices (sales, marketing, and finance) must be able to access production figures and shipping times from the main production facility.

Solutions:

These tasks can be accomplished using a secure e-mail system. Thus, the Acme intranet design team decides that, due to the need to pass queries and other short messages among various employees, the primary intranet system will be supplemented with a dedicated mail server system to handle only internal e-mail.

Page 36: Presentation, Firewalls

Security Issue: Managing Internal Access to Sensitive Information

Acme's Finance Department presents some unique challenges in that all of the other departments must have access to some of the data (for example, budgeting information) but should not be allowed access to other data (for example, the president's expense account) in that department.

Page 37: Presentation, Firewalls

Solutions:

Acme's Secure Server Net approach to controlling data in the Finance Department. (One such product is Borderware's Secure Server Net system.) The diagram shows a tri-homed gateway.

Page 38: Presentation, Firewalls

Additional Security Needs:

A similar approach could be used in any department that has both information that should be available company-wide and data that should be used within that department only.

In addition to the firewall placement matters mentioned here, Acme will also employ other, more traditional, computer security measures. For example, all users will have unique user names and passwords, providing an additional level of security inside the firewalls. These passwords will have relatively short expiration dates and will be changed approximately every 60 days.

Page 39: Presentation, Firewalls

Security Issue: Virus Detection & Removal

Virus detection and removal software will be used on all Acme computers (desktop and notebooks).

Acme's Future:

Acme will begin to automate the flow of essential data around the company. At the same time, the company will ensure with each new phase of automation that sensitive and proprietary information is protected and, as important, that the company's intranet is guarded from outside attacks by unscrupulous hackers.

Page 40: Presentation, Firewalls

The completed Acme intranet, including the firewalls described in the chapter.