FIREWALL AND NAT
Lecture 7a
COMPSCI 726 Network Defence and Countermeasures
Muhammad Rizwan Asghar
August 3, 2015
Source of most of slides: University of Twente
FIREWALL
- An integrated collection of security measures designed to control the flow of traffic into and out of a network
- Similar to firewalls in building construction: both are intended to isolate one "network" or "compartment" from another
- A firewall protects from general probes and many attacks
FIREWALL POLICIES
- To protect private networks and individual devices from the dangers of the Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies
[Figure: firewall policies applied at the boundary between the trusted internal network and the untrusted Internet]
FIREWALL POLICIES: APPROACHES
Two approaches to creating firewall policies
- Blacklist approach (default-allow)
  - All packets are allowed through except those that fit the rules defined specifically in a blacklist
  - Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall
  - Cons: unexpected forms of malicious traffic could go through
- Whitelist approach (default-deny)
  - Packets are dropped or rejected unless they are specifically allowed by the firewall
  - Pros: a safer approach to defining a firewall ruleset
  - Cons: must consider all possible legitimate traffic in rulesets
FIREWALLS
What system?
- Network
- Personal
NETWORK FIREWALLS
[Figure: a network firewall between the Internet and the internal network; the diagram labels ports 25, 80 and 445]
PERSONAL FIREWALLS
- Runs on the computer of the user
- Same filtering capabilities as a network firewall
- Filter may also distinguish between computer programs (e.g. abcd.exe)
FIREWALLS
What protocol level?
- Network level
- Transport level
- Application level
NETWORK LEVEL FIREWALLS
Filter on IP header fields
- Source IP address
- Destination IP address
- Type of transport protocol
TRANSPORT LEVEL FIREWALLS
Filters additionally on TCP header fields
- Source port
- Destination port
- Flags (SYN, ACK), e.g. whether a connection is already established
APPLICATION LEVEL FIREWALLS
- Inspects the contents of packets
- May filter certain websites
- Firewall may accept only trusted connections
- Logging of accepted connections is easy
- Performance may be problematic
- Since this type of firewall is quite complex, it may become a security risk itself
FIREWALLS
What knowledge?
- Stateless
- Stateful
STATELESS FIREWALLS
- Treats each packet in isolation
- Has no memory of previous packets
- For each packet, the firewall rules are checked again
- Easy to implement
- Very efficient
- Cannot easily handle protocols that use random ports, for instance FTP
STATELESS FIREWALLS
Example rule sets:

action  src         port  dest  port   flags  comment
allow   {our-host}  *     *     25            Our packets to their SMTP port
allow   *           25    *     *      ACK    Their replies

action  src         port  dest  port   flags  comment
deny    {ATTACK}    *     *     *             Deny traffic from this address

action  src         port  dest  port   flags  comment
allow   {our-host}  *     *     *             Our outgoing calls
allow   *           *     *     *      ACK    Replies to our calls
allow   *           *     *     >1024         Traffic to non servers
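The rule tables above and the blacklist/whitelist policies from the earlier slide, worked through as a small stateless packet filter. This is an added example written for this page, not lecture material: the internal prefix standing in for {our-host}, the address standing in for {ATTACK} and the sample packets are all constructed. Each packet is matched against a rule set on its own, with no memory of earlier packets, and the `default` argument is what turns the same engine into a default-deny (whitelist) or default-allow (blacklist) firewall.

```python
"""Stateless packet filter reproducing the three rule sets on the slide.

Added example, not lecture code.  OUR_HOSTS stands in for {our-host} and
ATTACK for {ATTACK}; both values are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUR_HOSTS = ipaddress.ip_network("10.0.0.0/24")     # hypothetical {our-host}
ATTACK = ipaddress.ip_network("203.0.113.7/32")     # constructed {ATTACK} address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...] = ()      # e.g. ("SYN",), ("SYN", "ACK"), ("ACK",)


@dataclass(frozen=True)
class Rule:
    action: str                                # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]       # None means "*"
    sport: Optional[str]                       # None, "25", ">1024", ...
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[str]
    flags: Optional[str]                       # e.g. "ACK": that bit must be set
    comment: str


def addr_matches(spec: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    return spec is None or ipaddress.ip_address(addr) in spec


def port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and (rule.flags is None or rule.flags in pkt.flags))


# The three tables from the slide, one list each.
SMTP_RULES: List[Rule] = [
    Rule("allow", OUR_HOSTS, None, None, "25", None, "Our packets to their SMTP port"),
    Rule("allow", None, "25", None, None, "ACK", "Their replies"),
]
ATTACK_RULES: List[Rule] = [
    Rule("deny", ATTACK, None, None, None, None, "Deny traffic from this address"),
]
OUTGOING_RULES: List[Rule] = [
    Rule("allow", OUR_HOSTS, None, None, None, None, "Our outgoing calls"),
    Rule("allow", None, None, None, None, "ACK", "Replies to our calls"),
    Rule("allow", None, None, None, ">1024", None, "Traffic to non servers"),
]


def filter_packet(pkt: Packet, rules: List[Rule], default: str = "deny") -> Tuple[str, str]:
    """Stateless decision: the packet is checked against the rules in order and
    the first matching rule wins.  Nothing about earlier packets is consulted.
    default="deny" is the whitelist policy, default="allow" the blacklist one."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.comment
    return default, "default policy (no rule matched)"


if __name__ == "__main__":
    # Constructed sample traffic: our SMTP connection and the server's reply.
    out = Packet("10.0.0.5", 40000, "198.51.100.9", 25, ("SYN",))
    reply = Packet("198.51.100.9", 25, "10.0.0.5", 40000, ("SYN", "ACK"))
    probe = Packet("198.51.100.9", 25, "10.0.0.5", 40000, ("SYN",))   # no ACK bit
    for p in (out, reply, probe):
        print(p.src, "->", p.dst, p.flags, filter_packet(p, SMTP_RULES))
```

The ACK rule is what lets replies back in without opening port 25 inbound: an unsolicited SYN from port 25 fails the flags check and falls through to the default. The third table's last rule, on the other hand, admits any packet to a port above 1024 whether or not anyone inside asked for it, which is the gap the stateful tables on the following slides close.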
STATEFUL FIREWALLS
- Can tell when packets are part of legitimate sessions originating within a trusted network
- Maintain tables containing
  - Active connections
  - IP addresses
  - Ports
  - Sequence numbers
- Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to connections initiated from the internal network
STATEFUL FIREWALLS
  IF (packet belongs to an existing association) THEN
    {accept packet}
  ELSE
    {check firewall rules;
     IF (packet may pass) THEN {store association in state table}
     ELSE {discard packet}}
- Time-out inactive connections
- Connections may send keep-alives
STATEFUL FIREWALLS
- Associations may be
  - TCP connections
  - UDP flows
  - ICMP request/response pairs
- Stateful firewalls can, for example, be configured to
  - Allow associations initiated by internal systems
  - Deny associations initiated by external systems
- Stateful firewalls can easily deal with protocols such as FTP
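The IF/THEN/ELSE on the previous slide and the association types listed above, as a runnable stateful filter. This is an added example for this page, not lecture code: the internal prefix, the idle timeout and the sample packets are hypothetical. The state table is keyed on (protocol, src, sport, dst, dport); for ICMP the two "port" fields carry the echo identifier so a request and its response form one association. The clock is injectable so the time-out and keep-alive behaviour can be exercised without waiting.

```python
"""Stateful packet filter following the slide's IF/THEN/ELSE.

Added example, not lecture code.  INTERNAL_PREFIX, IDLE_TIMEOUT and the
demo packets are hypothetical values.
"""
import time
from typing import Callable, Dict, Tuple

INTERNAL_PREFIX = "10.0.0."   # hypothetical trusted internal network
IDLE_TIMEOUT = 300.0          # seconds of inactivity before an association is dropped

Assoc = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def rules_permit(proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Firewall rules consulted only for packets with no association yet.

    Policy from the slide: allow associations initiated by internal systems,
    deny associations initiated by external systems.
    """
    return is_internal(src) and not is_internal(dst)


class StatefulFirewall:
    def __init__(self, timeout: float = IDLE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic):
        self.table: Dict[Assoc, float] = {}   # association -> time of last packet
        self.timeout = timeout
        self.clock = clock                    # injectable so tests can control time

    def _expire(self, now: float) -> None:
        # Time-out inactive connections.
        stale = [k for k, last in self.table.items() if now - last > self.timeout]
        for key in stale:
            del self.table[key]

    def handle(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        now = self.clock()
        self._expire(now)
        fwd: Assoc = (proto, src, sport, dst, dport)
        rev: Assoc = (proto, dst, dport, src, sport)
        # IF the packet belongs to an existing association THEN accept it.
        # Either direction matches; refreshing the timestamp is how a
        # keep-alive keeps the association open.
        for key in (fwd, rev):
            if key in self.table:
                self.table[key] = now
                return "accept"
        # ELSE check the firewall rules ...
        if rules_permit(proto, src, sport, dst, dport):
            self.table[fwd] = now          # ... and store the new association
            return "accept"
        return "discard"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.handle("udp", "10.0.0.5", 5353, "198.51.100.2", 53))   # accept: new association
    print(fw.handle("udp", "198.51.100.2", 53, "10.0.0.5", 5353))   # accept: reply to it
    print(fw.handle("tcp", "198.51.100.2", 4444, "10.0.0.5", 22))   # discard: external-initiated
```

Compared with the stateless tables, the reply is accepted because the outbound packet was recorded, not because of an ACK bit or a port number, so an external host that never received a packet from inside gets nothing through regardless of which port it targets.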
LOCATIONS OF FIREWALLS
[Figure: firewall placement between the Internet, a DMZ holding the mail and web servers, and the critical systems behind it]
NETWORK ADDRESS TRANSLATION (NAT)
- NAT is a router function where IP addresses are replaced at the boundary of a private network
- NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
- A tool in conserving global address space allocations
- Devices inside a local network are not explicitly addressable or visible to the outside world: a security plus
BASIC OPERATION OF NAT
[Figure: basic operation of NAT]
TYPES OF NAT
Four types of NAT exist
- Full cone NAT
- Restricted cone NAT
- Port restricted cone NAT
- Symmetric NAT
FULL CONE NAT
[Figure: full cone NAT mapping a private (IP, port) on the LAN to a public (IP, port) on the Internet side]
- Accepts traffic from all ports from all Internet nodes
RESTRICTED CONE NAT
[Figure: restricted cone NAT mapping a private (IP, port) on the LAN to a public (IP, port) on the Internet side]
- Accepts traffic from all ports, but only from previously contacted Internet nodes
PORT RESTRICTED CONE NAT
[Figure: port restricted cone NAT mapping a private (IP, port) on the LAN to a public (IP, port) on the Internet side]
- Accepts traffic only from previously contacted ports and nodes
SYMMETRIC NAT
[Figure: symmetric NAT mapping a private (IP, port) on the LAN to a public (IP, port) on the Internet side, one mapping per destination]
- Accepts traffic only from the one previously contacted port and node
FIREWALLS VS NAT
- The origin of NATs is different from that of firewalls
- In general, NATs do not inspect application data
- NATs can be compared to transport level firewalls
- Like certain firewall configurations, certain types of NAT accept incoming data only after an outgoing connection to the external host has been established
FIREWALL AND NAT TOOLS
- For *nix users (for both firewall and NAT): iptables
- For Windows users
  - Firewall: http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish
  - NAT: http://windows.microsoft.com/en-US/windows-8/Windows-Firewall-from-start-to-finish
VIRTUALBOX
- A hypervisor
- It can be installed on a number of host operating systems including Linux, OS X, Windows, Solaris and OpenSolaris
- It supports creation and management of guest virtual machines running versions and derivations of Windows, Linux, BSD, OS/2, Solaris and others
- Download from: https://www.virtualbox.org/
SUMMARY
- A firewall is software that blocks unauthorised network access
- Firewalls are not a standalone solution: combine them with anti-virus software and IDS
- Firewalls are effective only if configured correctly
- Use several different firewall configurations to protect a network
- NAT conceals IP addresses of devices on the internal network from external locations
- NAT conserves IP addresses
RESOURCES
- Read Chapter 11 of Network Security Essentials: Applications and Standards, Fourth Edition, William Stallings, Prentice Hall, ISBN 0-13-706792-5
- Anatomy: A Look Inside Network Address Translators, available at: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
Questions?
Thanks for your attention!