CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013
Required reading: Management of Information Security (MIS), by Whitman & Mattord, Chapter 10, pp. 345-353. Recommended reading: Principles of Information Security, by Whitman & Mattord, Chapter 6, pp. 250-277.
Learning Objectives
Upon completion of this material, you should be able to:
- Identify the various types of firewalls and the common approaches to firewall implementation.
- Describe the basic principles of firewall configuration and the key challenges of creating effective firewall rules.
- Explain the pros and cons of the most common forms of firewall deployment (i.e. firewall architecture).
Spheres of Protection
TCP/IP Networking Review OSI Model and TCP/IP Protocol Stack
TCP/IP Networking Review (cont.) Functions of OSI Layers http://highered.mcgraw-hill.com/sites/0072967722/student_view0/animations.html See animations: 2.14 and 2.11!
TCP/IP Networking Review (cont.) Vertical and Horizontal Communication
TCP/IP Networking Review (cont.) Packet = Data + (Protocol) Header Packet Encapsulation http://www.tcpipguide.com/free/diagrams/ipsectransport.png
TCP/IP Networking Review (cont.) IP Addressing IP address = network part + host part IP Packet (Header) http://www.tcpipguide.com/free/t_ipdatagramgeneralformat.htm
TCP/IP Networking Review (cont.) TCP Packet (Header) UDP Packet (Header)
TCP/IP Networking Review (cont.) Protocol and Port Numbers
(Figure: IP header of a packet for address 172.16.12.2 carrying protocol number 6 (TCP) or 17 (UDP); the transport header carries the port number, e.g. port 23.)
IP Protocol Numbers: TCP 6, UDP 17, ICMP 1, IGMP 2, EGP 8, IGP 9, RSVP 46
TCP/UDP Port Numbers: HTTP 80 (TCP), DNS 53 (TCP, UDP), SMTP 25 (TCP), Telnet 23 (TCP), FTP Data 20 (TCP), FTP Control 21 (TCP), DHCP 67, 68 (UDP), SNMP 161 (UDP)
http://docstore.mik.ua/orelly/networking_2nded/tcp/ch02_06.htm
Introduction
Firewall: an entity that prevents a specific type of information from moving between the outside world (untrusted network) and the inside world (trusted network).
Examples of firewalls: 1) a separate/stand-alone device; 2) a service/software running on a router; 3) a separate network with a number of supporting devices.
Introduction (cont.) What a Firewall CAN Do?
A firewall can limit network exposure: it can prevent the dangers of the Internet from spreading into a LAN (e.g. DDoS), and it can keep one (more vulnerable) segment of a LAN separate from another.
A firewall can enforce a security policy: acting as a traffic cop, the firewall can allow only some services to pass in/out of the network (e.g. no outside web traffic in).
A firewall can log Internet activity: since all traffic passes through the firewall, the firewall is a good place to collect information about system and network use and misuse!
Introduction (cont.) What a Firewall CANNOT Do?
A firewall cannot protect you against malicious or ignorant insiders: insider threats require internal security measures, e.g. host security.
A firewall cannot protect you against connections that don't pass through it: if a site allows direct wireless access to the internal network, a wired firewall cannot guard against wireless-based exposure.
A firewall cannot protect you against completely new threats: firewalls are designed to protect against known threats; you cannot set up a firewall once and expect it to protect you forever.
Introduction (cont.) What a Firewall CANNOT Do? (cont.)
A firewall cannot fully protect you against viruses: firewalls do scan incoming traffic, and some even offer virus protection; however, firewalls do not offer good virus protection. Detecting a virus in a random data packet passing through a firewall would require: 1) recognizing that the packet is part of a program; 2) determining what that program would do once activated.
Introduction (cont.) Categories of Firewalls
1) processing mode: 1.1) MAC layer firewalls; 1.2) packet filtering firewalls; 1.3) application gateways; 1.4) circuit gateways; 1.5) hybrids
2) development era (generation): 2.1)-2.5) 1st, 2nd, 3rd, 4th, 5th generation
3) structure: 3.1) commercial-grade firewall appliances; 3.2) commercial-grade firewall systems; 3.3) small-office/home-office (SOHO) firewall appliances; 3.4) residential-grade firewall software
4) architecture: 4.1) packet filtering routers; 4.2) dual-homed host firewalls; 4.3) screened host firewalls; 4.4) screened subnet firewalls
Firewalls by Processing Mode Processing Mode Firewalls & OSI Layer of Their Respective Operation
1.1) MAC Layer Firewalls
MAC Layer Firewall: operates on OSI Layer 2 and bases its filtering decision on devices' MAC/NIC addresses. MAC addresses of specific hosts are included in an ACL, allowing only specific packets to be sent to/from these hosts and blocking others.
Not as widely used as other types of firewalls: only usable within a single-authority LAN, since MAC addresses get stripped off on each hop and thus cannot be used to trace back the original sender; MAC addresses can also easily be spoofed.
1.1) MAC Layer Firewalls (cont.) Example: MAC address spoofing in Windows Vista
1.2) Packet Filtering Firewalls
Packet Filtering Firewall: examines the headers of IP and TCP/UDP packets that travel in/out of a network and determines whether to drop/forward a packet based on programmed rules.
Most common filtering rules are based on one or a combination of: IP source and destination address; direction (inbound / outbound); TCP and UDP port numbers.
1.2) Packet Filtering Firewalls (cont.) Example: Stateless packet filtering rules
Rules for firewall (IP=192.168.120.1) on network 192.168.120.0:
Rule 1: external hosts can contact any internal host on ports >1023
Rule 2: firewall CANNOT talk to anybody!
Rule 3: nobody can talk to firewall either!
Rule 4: (other) internal hosts can talk to any outside host
Rule 5: external users allowed to communicate with email server
Rule 6: external users allowed to communicate with web server
Rule 7: any other traffic (but above explicitly allowed) is denied
1.2) Packet Filtering Firewalls (cont.) Stateless vs. stateful packet firewalls
* Stateless filtering firewalls decide what to do with packets solely based on information found in packet headers. Advantage: high speed. Disadvantage: no recollection of which packets have already passed through the filter, or who initiated a connection.
* Stateful filtering firewalls keep track of connections between internal and external hosts (using/building the so-called state table) and check for protocol anomalies. Advantage: better security, e.g. an attacking TCP-ACK packet gets recognized and dropped. Disadvantage: more processing, hence lower speed.
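The seven rules above as a first-match stateless filter, written as an added example (not from the slides or the textbook). The firewall and network addresses are the slide's; the mail server (192.168.120.25) and web server (192.168.120.80) addresses, the Packet type and all sample packets are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Addresses on the slide: firewall 192.168.120.1 on network 192.168.120.0.
# The mail and web server addresses are assumed (constructed for this example).
ip = ipaddress.ip_address
INTERNAL_NET = ipaddress.ip_network("192.168.120.0/24")
FIREWALL = ip("192.168.120.1")
MAIL_SERVER = ip("192.168.120.25")   # assumed
WEB_SERVER = ip("192.168.120.80")    # assumed


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def internal(addr):
    return ip(addr) in INTERNAL_NET


def external(addr):
    return not internal(addr)


# (rule name, match predicate, action). A stateless filter looks only at the
# header fields of the packet in hand; the first matching rule decides.
RULES = [
    ("1 external -> internal, port > 1023", lambda p: external(p.src) and internal(p.dst) and p.dport > 1023, "allow"),
    ("2 firewall may not originate traffic", lambda p: ip(p.src) == FIREWALL, "deny"),
    ("3 nobody may contact the firewall", lambda p: ip(p.dst) == FIREWALL, "deny"),
    ("4 internal -> external", lambda p: internal(p.src) and external(p.dst), "allow"),
    ("5 external -> mail server, TCP 25", lambda p: external(p.src) and ip(p.dst) == MAIL_SERVER and p.proto == "tcp" and p.dport == 25, "allow"),
    ("6 external -> web server, TCP 80", lambda p: external(p.src) and ip(p.dst) == WEB_SERVER and p.proto == "tcp" and p.dport == 80, "allow"),
    ("7 default deny", lambda p: True, "deny"),
]


def filter_packet(pkt):
    """Return (action, rule name) of the first rule that matches the packet."""
    for name, match, action in RULES:
        if match(pkt):
            return action, name
    raise RuntimeError("unreachable: rule 7 matches every packet")
```

Because the filter is stateless, rule 1 is what lets replies to internal requests back in; and because rule 1 is evaluated before rule 3, an external packet to a high port of the firewall's own address is also decided by rule 1, so rule order, not only rule content, defines the policy.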
1.2) Packet Filtering Firewalls (cont.) Example: Stateful packet filtering part 1 STATE TABLE
1.2) Packet Filtering Firewalls (cont.) Example: Stateful packet filtering part 2 STATE TABLE
http://ccnpsecurity.blogspot.ca/2011/11/stateful-firewalls.html 1.2) Packet Filtering Firewalls (cont.) Example: Stateful packet filtering part 3 Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.
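A minimal stateful filter with a state table, as an added example (not the slides' own code): connections may only be opened from the inside, an inbound TCP-ACK with no table entry is dropped, and, as in part 3 above, inbound data must continue the expected sequence number. The internal prefix 192.168.120., the TcpPacket type, the sequence window and the sample packets are assumed.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.120."   # internal network as on the slide; prefix match is a simplification


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0              # sequence number of this segment
    length: int = 0           # payload bytes carried


def is_internal(addr):
    return addr.startswith(INTERNAL_PREFIX)


class StatefulFilter:
    """Connections may only be opened from inside; every later packet must match a
    state-table entry, and inbound data must continue the expected sequence number."""

    def __init__(self, seq_window=65535):
        self.table = {}       # (int_ip, int_port, ext_ip, ext_port) -> {"state", "ext_seq"}
        self.seq_window = seq_window

    def _key(self, p):        # same key for both directions of one connection
        if is_internal(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        key = self._key(p)
        entry = self.table.get(key)
        if entry is None:
            if is_internal(p.src) and p.flags == {"SYN"}:       # new outbound connection
                self.table[key] = {"state": "SYN_SENT", "ext_seq": None}
                return "allow"
            return "drop"      # e.g. an unsolicited inbound TCP-ACK: no state, so dropped
        if "RST" in p.flags:   # either side tears the connection down
            del self.table[key]
            return "allow"
        if is_internal(p.src):
            return "allow"     # outbound leg of a tracked connection
        if entry["state"] == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                entry["state"], entry["ext_seq"] = "ESTABLISHED", p.seq + 1
                return "allow"
            return "drop"
        exp = entry["ext_seq"]
        if not (exp <= p.seq < exp + self.seq_window):   # out of window: does not fit the tracked session
            return "drop"
        entry["ext_seq"] = p.seq + p.length
        return "allow"
```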
1.2) Packet Filtering Firewalls (cont.) Static vs. dynamic packet firewalls
* Static filtering firewalls: rules are entered/changed by a person/admin. A static filter does not have the intelligence to selectively open or close ports.
* Dynamic filtering firewalls: can react to an emergent event by updating or creating rules to deal with that event. Example: drop all packets from a particular IP when the number of malformed packets from that IP increases. A dynamic filter adapts to traffic by learning which ports are needed for a session, and closes the others.
(Figures: Web server with Client 1, Client 2, ..., Client n behind a static filter and behind a dynamic filter.)
http://www.ibh.de/netglossary/net_16.htm
1.2) Packet Filtering Firewalls (cont.) static packet filter dynamic packet filter http://docstore.mik.ua/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm#xtocid11
1.2) Packet Filtering Firewalls (cont.)
Packet filters do NOT examine packet/message content: they only examine packet headers, and either pass or block packets.
Application messages contained in TCP and UDP data fields are inspected by programs called proxy servers. Proxy servers do not pass traffic through: the content of the data packet is read and the header is stripped off. The proxy either replies using data preloaded from the actual server, or sends/forwards its own request to the server.
1.3) Application Gateways
Application Gateway (aka proxy server): special software installed on a dedicated computer.
DMZ: intermediate area/network between a trusted (internal) and an untrusted (external) network.
Example: a proxy used to avoid exposing a Web server, or other internal machines, to direct user traffic; the proxy receives & returns pages on behalf of users/server.
http://youngcow.net/doc/oracle10g/network.102/b14212/img/net81083.gif
1.3) Application Gateways (cont.) Example: Packet vs. Application Firewall static packet filter application firewall
1.3) Application Gateways (cont.) Application Gateway Uses
IP Address Hiding: without an application firewall, the IP addresses of internal hosts/servers get exposed; with an application firewall, all outgoing packets carry the firewall's IP.
Header Destruction: the application firewall replaces the headers of passing packets with its own; with new headers, all attacks based on the IP, TCP, UDP header are stopped (it is only possible to attack the firewall itself).
Prevention of Port & Protocol Spoofing: with an application firewall, port & protocol spoofing on the server machine is not possible, e.g. sending non-HTTP data over port 80.
1.3) Application Gateways (cont.) Uses of HTTP Proxy
Command-Based Filtering: prevent internal or external hosts from using certain commands, e.g. an HTTP POST from an internal client might send some proprietary info out of the trusted network.
URL Filtering: a company might want to block outgoing requests for URLs of (known) inappropriate sites.
MIME Filtering: the MIME field specifies the type of data carried in the message body; a proxy might filter out incoming messages containing .exe files.
1.3) Application Gateways (cont.) Application Gateway Disadvantages
The connection between client and server gets broken: slower communication, loss of transparency.
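The three HTTP-proxy filters above (command, URL and MIME) applied to raw HTTP messages, as an added example that is not part of the slides. The policy values (blocked methods, the host block list, the blocked MIME types and the .exe extension check) and the sample messages are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy (assumed for this example, not taken from the slides).
BLOCKED_METHODS_OUTBOUND = {"POST", "PUT"}
BLOCKED_HOSTS = {"inappropriate.example", "badsite.example"}
BLOCKED_MIME = {"application/x-msdownload", "application/x-msdos-program"}
BLOCKED_EXTENSIONS = (".exe",)


def parse_message(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_request(raw: bytes):
    """Command-based and URL filtering of an outgoing client request: (action, reason)."""
    start, headers, _ = parse_message(raw)
    method, target, _ = start.split(" ", 2)
    if method.upper() in BLOCKED_METHODS_OUTBOUND:           # command-based filtering
        return "deny", f"command {method} not allowed from internal clients"
    # Absolute-form targets carry the host; origin-form targets rely on the Host header.
    host = (urlsplit(target).hostname or headers.get("host", "").split(":")[0]).lower()
    if host in BLOCKED_HOSTS:                                # URL filtering
        return "deny", f"URL host {host} is on the block list"
    return "allow", "request forwarded by proxy"


def check_response(raw: bytes):
    """MIME filtering of an incoming server response: (action, reason)."""
    _, headers, _ = parse_message(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME:
        return "deny", f"MIME type {ctype} blocked"
    # Also catch executables delivered under a generic type but named *.exe.
    filename = headers.get("content-disposition", "").lower().rstrip('"')
    if filename.endswith(BLOCKED_EXTENSIONS):
        return "deny", "executable attachment blocked"
    return "allow", "response delivered to client"
```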
1.4) Circuit Gateways
Circuit Gateway: operates at the Transport Layer. The gateway establishes 2 TCP connections: one between itself and an internal host, and one between itself and an outside host. After the circuit gets established, the gateway acts just as a wire, relaying bytes back and forth. The security function consists of determining which connections will be allowed (by looking at a table of allowed connections).
(Figure: internal net, circuit gateway, outside host.)
1.4) Circuit Gateways (cont.) Circuit Gateway (cont.)
Advantages: provides the same advantages as an application gateway (hides internal network/hosts); incurs less processing, since once a session is allowed there are no further checks of individual packets.
Disadvantages: absence of content filtering; requirement for software modifications in the transport-layer function.
1.4) Circuit Gateways (cont.) application-level gateway circuit-level gateway
1.4) Circuit Gateways (cont.) SOCKS
SOCKS: protocol/package for implementation of a circuit-level gateway; builds a shim layer between the application and transport layer.
SOCKS consists of: SOCKS server, which runs on a Unix/Windows firewall on port 1080; SOCKS client library, which runs on internal hosts protected by the firewall; SOCKS-ified versions of several standard client applications (FTP, TELNET, ...).
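The circuit-gateway decision from the previous slides carried out on the SOCKS5 wire format (RFC 1928: method negotiation, then a CONNECT request answered with a reply code), as an added example that is not the slides' own code. The table of allowed circuits, the client addresses, and the gateway's bound address 192.168.120.1:1080 in the reply are assumed.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02       # 0x02 = "connection not allowed by ruleset"
GATEWAY_ADDR, GATEWAY_PORT = "192.168.120.1", 1080   # assumed bound address of the gateway

# Constructed table of allowed circuits: (client_ip, destination host, destination port).
ALLOWED = {
    ("192.168.120.7", "203.0.113.10", 80),
    ("192.168.120.7", "mail.example", 25),
}


def negotiate_method(greeting: bytes) -> bytes:
    """Answer the client's method list; only 'no authentication' (0x00) is offered here."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != SOCKS_VERSION or 0x00 not in methods:
        return bytes([SOCKS_VERSION, 0xFF])        # no acceptable method
    return bytes([SOCKS_VERSION, 0x00])


def parse_connect(request: bytes):
    """Decode a SOCKS5 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT) into (host, port)."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("only SOCKS5 CONNECT is handled here")
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(request[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        host, end = request[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", request[end:end + 2])
    return host, port


def decide(client_ip: str, request: bytes):
    """Circuit-gateway decision: (action, host, port, reply bytes for the client)."""
    host, port = parse_connect(request)
    rep = REP_SUCCEEDED if (client_ip, host, port) in ALLOWED else REP_NOT_ALLOWED
    # The reply's BND fields name the gateway, so the client never sees the outside host.
    reply = (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
             + socket.inet_aton(GATEWAY_ADDR) + struct.pack("!H", GATEWAY_PORT))
    return ("allow" if rep == REP_SUCCEEDED else "deny"), host, port, reply
```

Once `decide` returns "allow", a real gateway would open the outside connection and then simply relay bytes in both directions without further inspection, which is exactly why circuit gateways cannot do content filtering.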
1.5) Hybrid Firewalls Hybrid Firewall combines elements of other types of firewalls typically implies the use of two or more separate firewall devices allows an organization to make security improvements without completely replacing its existing firewalls
Firewalls by Generation Generations of Firewalls
Presently, 5 generations are generally recognized:
1st Generation (1985) Packet Filters: filter packets solely based on the content of their header.
2nd Generation (1989-90) Application-Level Filters / Proxy Servers: can understand certain applications & protocols as well as recognize whether a protocol is being used in a harmful way.
3rd Generation (1991) Stateful Inspection Firewalls: maintain a record of connections passing through the firewall; this information can be used to apply security rules.
Firewalls by Generation (cont.) Generations of Firewalls (cont.)
4th Generation (1994) Dynamic Packet Filtering Firewalls: firewalls capable of communicating with intrusion detection systems to provide an adaptive response to an attack.
5th Generation (1996) Kernel Proxies: for each new session, a new virtual network (TCP/IP) stack is created to allow examination of the packet by passing it up and down the stack.