2. What is a Firewall?What is a Firewall?
AA choke pointchoke point of control and monitoringof control and monitoring
Interconnects networks with differing trustInterconnects networks with differing trust
Imposes restrictions on network servicesImposes restrictions on network services
only authorized traffic is allowedonly authorized traffic is allowed
Auditing and controlling accessAuditing and controlling access
can implement alarms for abnormal behaviorcan implement alarms for abnormal behavior
Itself immune to penetrationItself immune to penetration
ProvidesProvides perimeter defenceperimeter defence
3. Classification of FirewallClassification of Firewall
Characterized by protocol level it controls inCharacterized by protocol level it controls in
Packet filteringPacket filtering
Circuit gatewaysCircuit gateways
Application gatewaysApplication gateways
Combination of above is dynamic packet filterCombination of above is dynamic packet filter
5. Firewalls – Packet FiltersFirewalls – Packet Filters
Simplest of componentsSimplest of components
Uses transport-layer information onlyUses transport-layer information only
IP Source Address, Destination AddressIP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination portsTCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message typeICMP message type
ExamplesExamples
DNS uses port 53DNS uses port 53
No incoming port 53 packets except known trusted serversNo incoming port 53 packets except known trusted servers
6. Usage of Packet FiltersUsage of Packet Filters
Filtering with incoming or outgoing interfacesFiltering with incoming or outgoing interfaces
E.g., Ingress filtering of spoofed IP addressesE.g., Ingress filtering of spoofed IP addresses
Egress filteringEgress filtering
Permits or denies certain servicesPermits or denies certain services
Requires intimate knowledge of TCP and UDP portRequires intimate knowledge of TCP and UDP port
utilization on a number of operating systemsutilization on a number of operating systems
7. How to Configure a Packet FilterHow to Configure a Packet Filter
Start with a security policyStart with a security policy
Specify allowable packets in terms of logicalSpecify allowable packets in terms of logical
expressions on packet fieldsexpressions on packet fields
Rewrite expressions in syntax supported by yourRewrite expressions in syntax supported by your
vendorvendor
General rules - least privilegeGeneral rules - least privilege
All that is not expressly permitted is prohibitedAll that is not expressly permitted is prohibited
If you do not need it, eliminate itIf you do not need it, eliminate it
8. Every ruleset is followed by an implicit ruleEvery ruleset is followed by an implicit rule
reading like this.reading like this.
Example 1:Example 1:
Suppose we want to allow inbound mailSuppose we want to allow inbound mail
(SMTP, port 25) but only to our gateway(SMTP, port 25) but only to our gateway
machine. Also suppose that mail from somemachine. Also suppose that mail from some
particular site SPIGOT is to be blocked.particular site SPIGOT is to be blocked.
9. Solution 1:Solution 1:
Example 2:Example 2:
Now suppose that we want to implement theNow suppose that we want to implement the
policy “any inside host can send mail to thepolicy “any inside host can send mail to the
outside”.outside”.
10. Solution 2:Solution 2:
This solution allows calls to come from anyThis solution allows calls to come from any
port on an inside machine, and will direct themport on an inside machine, and will direct them
to port 25 on the outside. Simple enough…to port 25 on the outside. Simple enough…
So why is it wrong?So why is it wrong?
11. Our defined restriction is based solely on theOur defined restriction is based solely on the
outside host’s port number, which we have nooutside host’s port number, which we have no
way of controlling.way of controlling.
Now an enemy can access any internal machinesNow an enemy can access any internal machines
and port by originating his call from port 25 onand port by originating his call from port 25 on
the outside machine.the outside machine.
What can be a better solution ?What can be a better solution ?
12. The ACK signifies that the packet is part of anThe ACK signifies that the packet is part of an
ongoing conversationongoing conversation
Packets without the ACK are connectionPackets without the ACK are connection
establishment messages, which we are onlyestablishment messages, which we are only
permitting from internal hostspermitting from internal hosts
13. Security & Performance of Packet FiltersSecurity & Performance of Packet Filters
IP address spoofingIP address spoofing
Fake source address to be trustedFake source address to be trusted
Add filters on router to blockAdd filters on router to block
Tiny fragment attacksTiny fragment attacks
Split TCP header info over several tiny packetsSplit TCP header info over several tiny packets
Either discard or reassemble before checkEither discard or reassemble before check
Degradation depends on number of rules applied atDegradation depends on number of rules applied at
any pointany point
Order rules so that most common traffic is dealt withOrder rules so that most common traffic is dealt with
firstfirst
Correctness is more important than speedCorrectness is more important than speed
14. Port NumberingPort Numbering
TCP connectionTCP connection
Server port is number less than 1024Server port is number less than 1024
Client port is number between 1024 and 16383Client port is number between 1024 and 16383
Permanent assignmentPermanent assignment
Ports <1024 assigned permanentlyPorts <1024 assigned permanently
20,21 for FTP 23 for Telnet20,21 for FTP 23 for Telnet
25 for server SMTP 80 for HTTP25 for server SMTP 80 for HTTP
Variable useVariable use
Ports >1024 must be available for client to make anyPorts >1024 must be available for client to make any
connectionconnection
This presents a limitation for stateless packet filteringThis presents a limitation for stateless packet filtering
IfIf client wants to use port 2048, firewall must allowclient wants to use port 2048, firewall must allow incomingincoming
traffic on this porttraffic on this port
Better: stateful filtering knows outgoing requestsBetter: stateful filtering knows outgoing requests
15. Firewalls – Stateful Packet FiltersFirewalls – Stateful Packet Filters
Traditional packet filters do not examine higherTraditional packet filters do not examine higher
layer contextlayer context
ie matching return packets with outgoing flowie matching return packets with outgoing flow
Stateful packet filters address this needStateful packet filters address this need
They examine each IP packet in contextThey examine each IP packet in context
Keep track of client-server sessionsKeep track of client-server sessions
Check each packet validly belongs to oneCheck each packet validly belongs to one
Hence are better able to detect bogus packetsHence are better able to detect bogus packets
out of contextout of context
17. Firewall OutlinesFirewall Outlines
Packet filteringPacket filtering
Application gatewaysApplication gateways
Circuit gatewaysCircuit gateways
Combination of above is dynamic packet filterCombination of above is dynamic packet filter
18. Firewall GatewaysFirewall Gateways
Firewall runs set of proxy programsFirewall runs set of proxy programs
Proxies filter incoming, outgoing packetsProxies filter incoming, outgoing packets
All incoming traffic directed to firewallAll incoming traffic directed to firewall
All outgoing traffic appears to come from firewallAll outgoing traffic appears to come from firewall
Policy embedded in proxy programsPolicy embedded in proxy programs
Two kinds of proxiesTwo kinds of proxies
Application-level gateways/proxiesApplication-level gateways/proxies
Tailored to http, ftp, smtp, etc.Tailored to http, ftp, smtp, etc.
Circuit-level gateways/proxiesCircuit-level gateways/proxies
Working on TCP levelWorking on TCP level
20. Application-Level FilteringApplication-Level Filtering
Has full access to protocolHas full access to protocol
user requests service from proxyuser requests service from proxy
proxy validates request as legalproxy validates request as legal
then actions request and returns result to userthen actions request and returns result to user
Need separate proxies for each serviceNeed separate proxies for each service
E.g., SMTP (E-Mail)E.g., SMTP (E-Mail)
NNTP (Net news)NNTP (Net news)
DNS (Domain Name System)DNS (Domain Name System)
NTP (Network Time Protocol)NTP (Network Time Protocol)
custom services generally not supportedcustom services generally not supported
21. App-level Firewall ArchitectureApp-level Firewall Architecture
Daemon spawns proxy when communication detectedDaemon spawns proxy when communication detected
……
Network Connection
Telnet
daemon
SMTP
daemon
FTP
daemon
Telnet
proxy
FTP
proxy SMTP
proxy
22. Enforce policy for specific protocolsEnforce policy for specific protocols
E.g., Virus scanning for SMTPE.g., Virus scanning for SMTP
Need to understand MIME, encoding, Zip archivesNeed to understand MIME, encoding, Zip archives
23. Firewall OutlinesFirewall Outlines
Packet filteringPacket filtering
Application gatewaysApplication gateways
Circuit gatewaysCircuit gateways
Combination of above is dynamic packet filterCombination of above is dynamic packet filter
25. Figure 9.7: A typical SOCKS connection through interface A,
and rogue connection through the external interface, B.
26. Bastion HostBastion Host
Highly secure host systemHighly secure host system
Potentially exposed to "hostile" elementsPotentially exposed to "hostile" elements
Hence is secured to withstand thisHence is secured to withstand this
Disable all non-required services; keep it simpleDisable all non-required services; keep it simple
Trusted to enforce trusted separation betweenTrusted to enforce trusted separation between
network connectionsnetwork connections
Runs circuit / application level gatewaysRuns circuit / application level gateways
Install/modify services you wantInstall/modify services you want
Or provides externally accessible servicesOr provides externally accessible services
29. Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?
Useless against attacks from the insideUseless against attacks from the inside
Evildoer exists on insideEvildoer exists on inside
Malicious code is executed on an internal machineMalicious code is executed on an internal machine
Organizations with greater insider threatOrganizations with greater insider threat
Banks and MilitaryBanks and Military
Protection must exist at each layerProtection must exist at each layer
Assess risks of threats at every layerAssess risks of threats at every layer
Cannot protect against transfer of all virusCannot protect against transfer of all virus
infected programs or filesinfected programs or files
because of huge range of O/S & file typesbecause of huge range of O/S & file types
30. QuizQuiz
In this question, we explore some applications andIn this question, we explore some applications and
limitations of a stateless packet filtering firewall. Forlimitations of a stateless packet filtering firewall. For
each of the question, briefly explain how the firewalleach of the question, briefly explain how the firewall
should be configured to defend against the attack, orshould be configured to defend against the attack, or
why the firewall cannot defend against the attack.why the firewall cannot defend against the attack.
Can the firewall prevent a SYN flood denial-of-serviceCan the firewall prevent a SYN flood denial-of-service
attack from the external network?attack from the external network?
Can the firewall prevent a Smurf attack from the externalCan the firewall prevent a Smurf attack from the external
network? Recall that as we discussed in the class before,network? Recall that as we discussed in the class before,
the Smurf attack uses the broadcast IP address of thethe Smurf attack uses the broadcast IP address of the
subnet.subnet.
31. Can the firewall prevent external users from exploiting aCan the firewall prevent external users from exploiting a
security bug in a CGI script on an internal web server (thesecurity bug in a CGI script on an internal web server (the
web server is serving requests from the Internet)?web server is serving requests from the Internet)?
Can the firewall prevent an online password dictionaryCan the firewall prevent an online password dictionary
attack from the external network on the telnet port of anattack from the external network on the telnet port of an
internal machine?internal machine?
Can the firewall prevent a user on the external networkCan the firewall prevent a user on the external network
from opening a window on an X server in the internalfrom opening a window on an X server in the internal
network? Recall that by default an X server listens fornetwork? Recall that by default an X server listens for
connections on port 6000connections on port 6000
Can the firewall block a virus embedded in an incomingCan the firewall block a virus embedded in an incoming
email?email?
Can the firewall be used to block users on the internalCan the firewall be used to block users on the internal
network from browsing a specific external IP address?network from browsing a specific external IP address?
33. Firewalls -Firewalls - Circuit Level GatewayCircuit Level Gateway
Relays two TCP connectionsRelays two TCP connections
Imposes security by limiting which suchImposes security by limiting which such
connections are allowedconnections are allowed
Once created usually relays traffic withoutOnce created usually relays traffic without
examining contentsexamining contents
Typically used when trust internal users byTypically used when trust internal users by
allowing general outbound connectionsallowing general outbound connections
SOCKS commonly used for thisSOCKS commonly used for this
34. Firewall OutlinesFirewall Outlines
Packet filteringPacket filtering
Application gatewaysApplication gateways
Circuit gatewaysCircuit gateways
Combination of above is dynamic packet filterCombination of above is dynamic packet filter
35. Dynamic Packet FiltersDynamic Packet Filters
Most commonMost common
Provide good administrators protection and fullProvide good administrators protection and full
transparencytransparency
Network given full control over trafficNetwork given full control over traffic
Captures semantics of a connectionCaptures semantics of a connection
36. 1.2.3.4
Intended connection from 1.2.3.4 to 5.6.7.8
5.6.7.81.2.3.45.6.7.8
Firewall
Redialing on a dynamic packet filter. The dashed arrow
shows the intended connection; the solid arrows show the actual
connections, to and from the relay in the firewall box. The
Firewall impersonates each endpoint to the other.
38. Figure 9.2: A firewall router with multiple internal networks.
Filter Rule: Open access to Net 2 means source
address from Net 3
• Why not spoof address from Net 3?
Network TopologyNetwork Topology
39. Address-SpoofingAddress-Spoofing
Detection is virtually impossible unless source-Detection is virtually impossible unless source-
address filtering and logging are doneaddress filtering and logging are done
One should not trust hosts outside of one’sOne should not trust hosts outside of one’s
administrative controladministrative control
40. External Interface RulesetExternal Interface Ruleset
Allow outgoing calls, permit incoming calls onlyAllow outgoing calls, permit incoming calls only
for mail and only to gateway GWfor mail and only to gateway GW
Note: Specify GW as destination host instead of Net 1
to prevent open access to Net 1
41. Net 1 Router Interface RulesetNet 1 Router Interface Ruleset
Gateway machine speaks directly only to otherGateway machine speaks directly only to other
machines running trusted mail server softwaremachines running trusted mail server software
Relay machines used to call out to GW to pickRelay machines used to call out to GW to pick
up waiting mailup waiting mail
Note: Spoofing is avoided with the specification of GW
42. How Many Routers Do We Need?How Many Routers Do We Need?
If routers only support outgoing filtering, we need two:If routers only support outgoing filtering, we need two:
One to use ruleset that protects against compromisedOne to use ruleset that protects against compromised
gatewaysgateways
One to use ruleset that guards against address forgery andOne to use ruleset that guards against address forgery and
restricts access to gateway machinerestricts access to gateway machine
An input filter on one port is exactly equivalent to anAn input filter on one port is exactly equivalent to an
output filter on the other portoutput filter on the other port
If you trust the network provider, you can go withoutIf you trust the network provider, you can go without
input filtersinput filters
Filtering can be done on the output side of the routerFiltering can be done on the output side of the router
43. Routing FiltersRouting Filters
All nodes are somehow reachable from theAll nodes are somehow reachable from the
InternetInternet
Routers need to be able to control what routesRouters need to be able to control what routes
they advertise over various interfacesthey advertise over various interfaces
Clients who employ IP source routing make itClients who employ IP source routing make it
possible to reach ‘unreachable’ hostspossible to reach ‘unreachable’ hosts
Enables address-spoofingEnables address-spoofing
Block source routing at borders, not at backboneBlock source routing at borders, not at backbone
44. Routing Filters (cont)Routing Filters (cont)
Packet filters obviate the need for route filtersPacket filters obviate the need for route filters
Route filtering becomes difficult or impossibleRoute filtering becomes difficult or impossible
in the presence of complex technologiesin the presence of complex technologies
Route squatting – using unofficial IP addressesRoute squatting – using unofficial IP addresses
inside firewalls that belong to someone elseinside firewalls that belong to someone else
Difficult to choose non-addressed address spaceDifficult to choose non-addressed address space
46. Asymmetric RoutesAsymmetric Routes
Both sides of the firewall know nothing of oneBoth sides of the firewall know nothing of one
another’s topologyanother’s topology
Solutions:Solutions:
Maintain full knowledge of the topologyMaintain full knowledge of the topology
Not feasible, too much state to keepNot feasible, too much state to keep
Multiple firewalls share state informationMultiple firewalls share state information
Volume of messages may be prohibitive, code complexityVolume of messages may be prohibitive, code complexity
47. Are Dynamic Packet Filters Safe?Are Dynamic Packet Filters Safe?
Comparable to that of circuit gateways, as longComparable to that of circuit gateways, as long
as the implementation strategy is simpleas the implementation strategy is simple
If administrative interfaces use physical networkIf administrative interfaces use physical network
ports as the highest-level constructports as the highest-level construct
Legal connections are generally defined in terms ofLegal connections are generally defined in terms of
the physical topologythe physical topology
Not if evildoers exist on the insideNot if evildoers exist on the inside
Circuit or application gateways demand userCircuit or application gateways demand user
authentication for outbound traffic and are thereforeauthentication for outbound traffic and are therefore
more resistant to this threatmore resistant to this threat
48. Distributed FirewallsDistributed Firewalls
A central management node sets the security policyA central management node sets the security policy
enforced by individual hostsenforced by individual hosts
Combination of high-level policy specification with fileCombination of high-level policy specification with file
distribution mechanismdistribution mechanism
Advantages:Advantages:
Lack of central point of failureLack of central point of failure
Ability to protect machines outside topologically isolatedAbility to protect machines outside topologically isolated
spacespace
Great for laptopsGreat for laptops
Disadvantage:Disadvantage:
Harder to allow in certain services, whereas it’s easy to blockHarder to allow in certain services, whereas it’s easy to block
49. Distributed Firewalls DrawbackDistributed Firewalls Drawback
Allowing in certain services works if and only ifAllowing in certain services works if and only if
you’re sure the address can’t be spoofedyou’re sure the address can’t be spoofed
Requires anti-spoofing protectionRequires anti-spoofing protection
Must maintain ability to roam safelyMust maintain ability to roam safely
Solution: IPsecSolution: IPsec
A machine is trusted if and only if it can performA machine is trusted if and only if it can perform
proper cryptographic authenticationproper cryptographic authentication
50. Where to Filter?Where to Filter?
Balance between risk and costsBalance between risk and costs
Always a higher layer that is hard to filterAlways a higher layer that is hard to filter
HumansHumans
51. Dynamic Packet Filter ImplementationDynamic Packet Filter Implementation
Dynamically update packet filter’s rulesetDynamically update packet filter’s ruleset
Changes may not be benign due to orderingChanges may not be benign due to ordering
Redialing method offers greater assurance ofRedialing method offers greater assurance of
securitysecurity
No special-case code necessaryNo special-case code necessary
FTP handled with user-level daemonFTP handled with user-level daemon
UDP handled just as TCP except for tear downUDP handled just as TCP except for tear down
ICMP handled with pseudoconnections andICMP handled with pseudoconnections and
synthesized packetssynthesized packets
52. Per-Interface Tables Consulted byPer-Interface Tables Consulted by
Dynamic Packet FilterDynamic Packet Filter
Active Connection TableActive Connection Table
Socket structure decides whether data is copied toSocket structure decides whether data is copied to
outside socket or sent to application proxyoutside socket or sent to application proxy
Ordinary Filter TableOrdinary Filter Table
Specifies which packets may pass in stateless mannerSpecifies which packets may pass in stateless manner
Dynamic TableDynamic Table
Forces creation of local socket structuresForces creation of local socket structures
Notas do Editor
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.
Gateway is like a NAT box, ie, a home router.
One advantage over normal packet filters: the IP addr is changed. So no internal IP addr is leaked out.
A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access.
One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.