Chapter 5: Firewalls
Revised March 2004. Panko, Corporate Computer and Network Security. Copyright 2004 Prentice-Hall.

Figure 5-1: Border Firewalls
[Figure: the border firewall sits between 1. the Internet (not trusted), where the attacker is, and 2. the corporate network (trusted).]
- 3. Attack packet arriving from the Internet
- 4. Dropped packet (ingress); the drop is written to the firewall's log file
- 5. Legitimate packet from a legitimate user: passed legitimate packet (ingress)
- 6. Attack packet that got through meets a hardened server: hardened hosts provide defense in depth
- 7. Egress filtering: passed packet (egress) for legitimate outgoing traffic; dropped packet (egress) for attack packets leaving the corporate network, again written to the log file
Figure 5-2: Types of Inspection
- Packet inspection: examines IP, TCP, UDP, and ICMP headers
  - Static packet inspection (described later)
  - Stateful inspection (described later)
- Application inspection: examines application layer messages
- Network Address Translation (NAT): hides addresses and port numbers
- Denial-of-Service (DoS) inspection: detects and stops DoS attacks
- Authentication: requires senders to authenticate themselves
- Virtual Private Network (VPN) handling
  - VPNs are protected packet streams (see Chapter 8)
  - Packets are encrypted for confidentiality, so firewall inspection is impossible
  - VPNs typically bypass firewalls, making border security weaker
- Hybrid firewalls
  - Most firewalls offer more than one type of filtering
  - However, firewalls normally do not do antivirus filtering
  - Some firewalls pass packets to antivirus filtering servers

Firewalls (chapter outline)
- Firewall Hardware and Software
- Inspection Methods
- Architecture
- Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software
- Screening router firewalls
- Computer-based firewalls
- Firewall appliances
- Host firewalls (firewalls on clients and servers)

Screening router firewalls
- Add firewall software to a router
- Usually provide light filtering only
- Expensive for the processing power; usually must upgrade the hardware, too
Screening router firewalls (continued)
- Screen out the incoming noise of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering: can eliminate scanning responses, even from the router

Computer-based firewalls
- Add firewall software to a server with an existing operating system: Windows or UNIX
- Can be purchased with power to handle any load
- Easy to use because administrators already know the operating system
- Firewall vendor might bundle firewall software with hardened hardware and operating system software
- General-purpose operating systems result in slower processing
- Security: attackers may be able to hack the operating system
  - Change filtering rules to allow attack packets in
  - Change filtering rules to drop legitimate packets

Firewall appliances
- Boxes with minimal operating systems
  - Therefore, difficult to hack
- Setup is minimal
- Not customized to the specific firm's situation
- Must be able to update

Host firewalls
- Installed on hosts themselves (servers and sometimes clients)
- Enhanced security because of host-specific knowledge
  - For example, filter out everything but webserver transmissions on a webserver
Host firewalls (continued)
- Defense in depth
  - Normally used in conjunction with other firewalls
  - Although on a single host computer attached to the Internet, it might be the only firewall
- The firm must manage many host firewalls
  - If not centrally managed, configuration can be a nightmare
  - Especially if rule sets change frequently
- Client firewalls typically must be configured by ordinary users
  - Might misconfigure or reject the firewall
  - Need to centrally manage remote employee computers

Perspective
- Computer-based firewall: a firewall based on a computer with a full operating system
- Host firewall: a firewall on a host (client or server)

Figure 5-4: Drivers of Firewall Performance Requirements: Traffic Volume and Complexity of Filtering
- Traffic volume (packets per second)
- Complexity of filtering: number of filtering rules, complexity of rules, etc.
- Performance requirements: if a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them

Inspection Methods (outline)
- Static Packet Inspection
- Stateful Packet Inspection
- NAT
- Application Firewalls
- IPSs
Figure 5-5: Static Packet Filter Firewall
[Figure: a static packet filter firewall between the Internet and the corporate network, writing to a log file.]
- Permit (pass): IP-H | TCP-H | Application Message
- Permit (pass): IP-H | UDP-H | Application Message
- Deny (drop): IP-H | ICMP-H | ICMP Message
- Only IP, TCP, UDP, and ICMP headers are examined
- Arriving packets are examined one at a time, in isolation; this misses many attacks

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source address = 10.*.*.*, DENY [private address range]
2. If source address = 172.16.*.* to 172.31.*.*, DENY [private address range]
3. If source address = 192.168.*.*, DENY [private address range]
4. If source address = 60.40.*.*, DENY [firm's internal address range]
5. If source address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL

DENY ALL
- Last rule
- Drops any packets not specifically permitted by earlier rules
- In the previous ACL, Rules 8-17 are not needed; Deny All would catch them

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source address = 10.*.*.*, DENY [private address range]
2. If source address = 172.16.*.* to 172.31.*.*, DENY [private address range]
3. If source address = 192.168.*.*, DENY [private address range]
4. If source address NOT = 60.47.*.*, DENY [not in internal address range]
   - Rules 1-3 are not needed because of this rule
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver responses]
   - Needed because the next rule stops all packets from well-known port numbers
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
13. DENY ALL
   - No need for Rules 9-12
- Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not.

Inspection Methods (outline)
- Static Packet Inspection
- Stateful Packet Inspection
- NAT
- Application Firewalls
- IPSs

Figure 5-8: Stateful Inspection Firewalls
[Figure: a stateful firewall between the Internet and the internal network, automatically accepting connection attempts from inside and automatically denying connection attempts from outside.]
- Default behavior
  - Permit connections initiated by an internal host
  - Deny connections initiated by an external host
  - Can change default behavior with an ACL
- State of connection: open or closed
  - State: order of a packet within a dialog
  - Often simply whether the packet is part of an open connection
- Stateful operation
  - If the firewall accepts a connection, it records the two addresses and port numbers in the state table as OK (open) (Figure 5-9)
  - Accepts future packets between these hosts and ports with no further inspection
  - This can miss some attacks, but it catches almost everything except attacks based on application message content
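The first-match semantics of the Figure 5-6 ingress ACL, as an added example that is not from Panko's slides: a small evaluator over constructed packets, using the slides' rule order and values (the 60.47.3.9 webserver, the 60.40.*.* range, the 1.2.3.4 attacker address); 203.0.113.5 and 60.47.5.5 are assumed outside and inside hosts. It also lets you check the slides' point that the DENY rules after Rule 7 change no decision once Deny All is the last rule, and that misordering Rules 7 and 8 does.

```python
from ipaddress import ip_address, ip_network

def src_in(*nets):  # source address inside any of the given networks
    nets = [ip_network(n) for n in nets]
    return lambda p: any(ip_address(p["src"]) in n for n in nets)

def tcp_flags(**want):  # TCP packet whose named flags have these values
    return lambda p: p["proto"] == "TCP" and all(
        p.get("flags", {}).get(k, 0) == v for k, v in want.items())

def dst_port(proto, *ports):  # packet of this protocol to one of the ports
    return lambda p: p["proto"] == proto and p.get("dport") in ports

def webserver(host, *ports):  # TCP packet to a specific public server
    return lambda p: p["dst"] == host and dst_port("TCP", *ports)(p)

def icmp_type(t):
    return lambda p: p["proto"] == "ICMP" and p.get("type") == t

# (rule number, matcher, action, comment) in the slides' order; order matters.
INGRESS_ACL = [
    (1, src_in("10.0.0.0/8"), "DENY", "private address range"),
    (2, src_in("172.16.0.0/12"), "DENY", "private address range"),
    (3, src_in("192.168.0.0/16"), "DENY", "private address range"),
    (4, src_in("60.40.0.0/16"), "DENY", "firm's internal address range"),
    (5, src_in("1.2.3.4/32"), "DENY", "black-holed address of attacker"),
    (6, tcp_flags(SYN=1, FIN=1), "DENY", "crafted attack packet"),
    (7, webserver("60.47.3.9", 80, 443), "PASS", "public webserver"),
    (8, tcp_flags(SYN=1, ACK=0), "DENY", "connection opened from outside"),
    (9, dst_port("TCP", 20), "DENY", "FTP data"),
    (10, dst_port("TCP", 21), "DENY", "FTP control"),
    (11, dst_port("TCP", 23), "DENY", "Telnet"),
    (12, dst_port("TCP", *range(135, 140)), "DENY", "NetBIOS"),
    (13, dst_port("TCP", 513), "DENY", "rlogin"),
    (14, dst_port("TCP", 514), "DENY", "rsh"),
    (15, dst_port("TCP", 22), "DENY", "SSH"),
    (16, dst_port("UDP", 69), "DENY", "TFTP"),
    (17, icmp_type(0), "PASS", "incoming echo reply"),
]

def evaluate(acl, pkt):
    """First match wins; anything unmatched hits the implicit DENY ALL."""
    for number, matches, action, _comment in acl:
        if matches(pkt):
            return action, number
    return "DENY", "ALL"

def without(acl, numbers):  # the same ACL with the numbered rules removed
    return [rule for rule in acl if rule[0] not in numbers]

def same_decisions(acl_a, acl_b, pkts):  # same action for every packet?
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in pkts)

# Constructed packets arriving from the Internet; 203.0.113.5 is a
# documentation address standing in for an outside host.
SAMPLE = [
    dict(src="203.0.113.5", dst="60.47.3.9", proto="TCP", dport=443, flags={"SYN": 1}),
    dict(src="203.0.113.5", dst="60.47.3.9", proto="TCP", dport=80, flags={"SYN": 1, "FIN": 1}),
    dict(src="203.0.113.5", dst="60.47.3.9", proto="TCP", dport=22, flags={"SYN": 1}),
    dict(src="203.0.113.5", dst="60.47.5.5", proto="TCP", dport=62600, flags={"SYN": 1, "ACK": 1}),
    dict(src="192.168.1.1", dst="60.47.3.9", proto="TCP", dport=80, flags={"SYN": 1}),
    dict(src="203.0.113.5", dst="60.47.5.5", proto="UDP", dport=69),
    dict(src="203.0.113.5", dst="60.47.5.5", proto="ICMP", type=0),
    dict(src="203.0.113.5", dst="60.47.5.5", proto="ICMP", type=8),
]
```

Note that the spoofed SYN/ACK to port 62600 falls through to DENY ALL only because nothing here ever opened a connection; a stateless filter cannot tell that from a legitimate reply, which is the gap stateful inspection closes.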
Figure 5-9: Stateful Inspection Operation I
[Figure: an internal client opens a TCP connection to an external server through a stateful firewall. Note: outgoing connections are allowed by default.]
- 1. TCP SYN segment from the internal host, port 62600, to the server, port 80 (establish connection)
- 2. The stateful firewall accepts the outgoing connection attempt
- 3. Connection table entry: Type TCP, internal port 62600, external port 80, Status OK
- 4. TCP SYN/ACK segment from the server, port 80, back to port 62600
- 5. Check connection table: connection OK; pass the packet
- 6. TCP SYN/ACK segment delivered to the internal host, port 62600

Figure 5-8 (continued): Stateful operation for UDP
- For UDP, also record the two addresses and port numbers in the state table
- Connection table example: Type TCP, internal port 62600, external port 80, Status OK; Type UDP, internal port 63206, external port 69, Status OK

Static packet filter firewalls are stateless
- Filter one packet at a time, in isolation
- If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
- But stateful firewalls can (Figure 5-10)

Figure 5-10: Stateful Operation II
[Figure: an attacker spoofing 10.5.3.4 sends 1. a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to an internal host, port 64640. The stateful firewall checks its connection table (TCP 62600/80 OK; UDP 63206/69 OK): no connection match, so the packet is dropped.]

Static packet filter firewalls are stateless (continued)
- Filter one packet at a time, in isolation
- Cannot deal with port-switching applications
- But stateful firewalls can (Figure 5-11)
Figure 5-11: Port-Switching Applications with Stateful Firewalls
[Figure: an internal client, a stateful firewall with its state table, and an FTP server.]
- 1. The client starts to establish a connection to the FTP server
- 2. State table after Step 2: Type TCP, internal port 62600, server port 21, Status OK
- 3. TCP SYN segment from port 62600 to the FTP server, port 21, is passed
- 4. TCP SYN/ACK segment from port 21 to port 62600: "Use ports 20 and 55336 for data transfers"
- 5. To allow this, the firewall establishes a second connection; state table after Step 5 adds: Type TCP, internal port 55336, server port 20, Status OK
- 6. TCP SYN/ACK segment delivered to port 62600 with the same port announcement

Figure 5-8 (continued): Stateful Inspection Firewalls
- Stateful inspection access control lists (ACLs)
  - Primarily allow or deny applications (port numbers)
  - Simple because there is no need for probe packet rules; probes are dropped automatically
- The simplicity of the stateful firewall gives speed and therefore low cost
- Stateful firewalls are dominant today for the main corporate border firewalls

Figure 5-12: Network Address Translation (NAT)
[Figure: internal client 192.168.5.7 sends through a NAT firewall to a server host on the Internet; a sniffer on the Internet sees only the translated values.]
- 1. Packet from 192.168.5.7, port 61000 (internal side)
- 2. Packet from 60.5.9.8, port 55380 (translated, Internet side)
- NAT translation table: internal address 192.168.5.7, internal port 61000; external address 60.5.9.8, external port 55380
- 3. Server reply to 60.5.9.8, port 55380 (Internet side)
- 4. Reply retranslated to 192.168.5.7, port 61000 (internal side)
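Figures 5-9, 5-10 and 5-12 combined into one working model, as an added example that is not from Panko's slides: a firewall whose connection table is also its NAT translation table, so outbound packets are recorded and translated, return packets are retranslated, and an inbound SYN/ACK with no table entry is dropped. The client 192.168.5.7:61000, public address 60.5.9.8, stand-in port 55380 and spoofed source 10.5.3.4 are the slides' values; 198.51.100.20 is an assumed server address and the packets are constructed dicts.

```python
class StatefulNatFirewall:
    """Stateful inspection plus NAT: the connection table of Figures 5-9/5-10
    and the translation table of Figure 5-12 are one table here."""

    def __init__(self, public_addr, first_stand_in=55380):
        self.public_addr = public_addr
        self.next_port = first_stand_in  # next stand-in port to hand out
        # stand-in port -> (proto, (internal addr, port), (external addr, port)); status OK
        self.table = {}
        self.dropped = []

    def _lookup(self, entry):
        for stand_in, known in self.table.items():
            if known == entry:
                return stand_in
        return None

    def outbound(self, pkt):
        """Internal host -> Internet: allowed by default. Record the connection
        if it is new and replace the source address and port with stand-ins."""
        entry = (pkt["proto"], (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]))
        stand_in = self._lookup(entry)
        if stand_in is None:
            stand_in = self.next_port
            self.next_port += 1
            self.table[stand_in] = entry
        return dict(pkt, src=self.public_addr, sport=stand_in)

    def inbound(self, pkt):
        """Internet -> internal: pass only packets of an open connection, putting
        the original internal address and port back; otherwise drop (Figure 5-10)."""
        entry = self.table.get(pkt["dport"])
        if (pkt["dst"] != self.public_addr or entry is None
                or entry[0] != pkt["proto"] or entry[2] != (pkt["src"], pkt["sport"])):
            self.dropped.append(pkt)
            return None
        return dict(pkt, dst=entry[1][0], dport=entry[1][1])

def sniffer_view(pkt):
    """What a sniffer on the Internet learns from a translated packet."""
    return pkt["src"], pkt["sport"]

def demo():
    """Walk through Figures 5-9, 5-10 and 5-12 with constructed packets."""
    fw = StatefulNatFirewall("60.5.9.8")
    # 1-2. Client 192.168.5.7:61000 opens a TCP connection to a server's port 80
    # (198.51.100.20 is a documentation address standing in for the server).
    syn = dict(proto="TCP", src="192.168.5.7", sport=61000,
               dst="198.51.100.20", dport=80, flags={"SYN": 1})
    out = fw.outbound(syn)
    # 3-4. The server's SYN/ACK comes back to the stand-in address and port.
    syn_ack = dict(proto="TCP", src="198.51.100.20", sport=80,
                   dst=out["src"], dport=out["sport"], flags={"SYN": 1, "ACK": 1})
    back = fw.inbound(syn_ack)
    # A spoofed SYN/ACK (attacker spoofing 10.5.3.4) matches no connection.
    spoofed = dict(proto="TCP", src="10.5.3.4", sport=80, dst="60.5.9.8",
                   dport=64640, flags={"SYN": 1, "ACK": 1})
    spoof_result = fw.inbound(spoofed)
    # Later packets of the same connection reuse the entry, no new inspection.
    again = fw.outbound(dict(syn, flags={"ACK": 1}))
    return out, back, spoof_result, again, fw
```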
Figure 5-12 (continued): NAT Firewalls
- Sniffers on the Internet cannot learn internal addresses and port numbers
  - They only learn the translated address and port number
- By themselves, NAT firewalls provide a great deal of protection against attacks
  - Attackers cannot create a connection to an internal computer

Figure 5-13: Application Firewall Operation
[Figure: a browser at 192.168.6.77 on the internal network, an application firewall running an HTTP proxy, and a webserver on the Internet.]
- 1. HTTP request from 192.168.6.77 to the HTTP proxy on the application firewall
- 2. Filtering on hostname, URL, MIME, etc.
- 3. Examined HTTP request sent on to the webserver from the application firewall's own address
- 4. HTTP response from the webserver to the application firewall
- 5. Filtering: blocked URLs, POST commands, etc.
- 6. Examined HTTP response to 192.168.6.77
- A separate proxy program is needed for each application filtered on the firewall
  - FTP proxy: outbound filtering on PUT
  - SMTP (e-mail) proxy: inbound and outbound filtering on obsolete commands, content

Figure 5-14: Header Destruction with Application Firewalls
[Figure: an arriving packet from attacker 1.2.3.4 carries the original IP header, the original TCP header, and the application message (HTTP). The application firewall removes the original headers and builds a new packet with its own IP and TCP headers around the application message.]
- The application firewall strips the original headers from arriving packets
- It creates a new packet with new headers
- This stops all header-based packet attacks
Figure 5-15: Protocol Spoofing
[Figure: a Trojan horse on an internal host tries to reach attacker 1.2.3.4 through an application firewall.]
- 1. The Trojan transmits on port 80 to get through a simple packet filter
- 2. The application firewall sees that the protocol is not HTTP and stops the transmission

Relay operation
- Application firewalls use relay operation
  - Act as the server to clients and as the client to servers (Figure 5-13)
- This is slow, so traditionally application firewalls could only handle limited traffic

Automatic protections in relay operation
- Protocol fidelity: an application that spoofs the port number of another application (e.g., port 80) will not work in relay operation
- Header destruction: IP, TCP, UDP, and ICMP headers are dropped at the firewall, so they cannot do damage
- Internal address hiding: a sniffer on the Internet only learns the application firewall's address

Other application firewall protections
- Stopping certain application commands
  - HTTP: stop POST
  - FTP: stop PUT
  - E-mail: stop obsolete commands used by attackers
- Blocked addresses and URLs: black lists
- Blocking file types: use MIME and other identification methods

Figure 5-16: Circuit Firewalls
[Figure: a client on the internal network, a circuit firewall (SOCKS v5), and a server on the Internet. A circuit firewall is a generic type of application firewall.]
- 1. Authentication
- 2. Transmission from the client
- 3. Passed transmission: no filtering
- 4. Reply from the server
- 5. Passed reply: no filtering

Inspection Methods (outline)
- Static Packet Inspection
- Stateful Packet Inspection
- NAT
- Application Firewalls
- IPSs
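The relay-operation checks of Figures 5-13 to 5-15 in code, as an added example that is not from Panko's slides: an HTTP proxy that refuses anything on its port that is not HTTP (protocol fidelity, the Figure 5-15 case), stops the POST command and black-listed hosts, and forwards only a request it rebuilt itself from the parsed fields, so nothing from the arriving packet's headers survives. The requests, the block list and the blocked method are constructed here; a real proxy would also inspect responses and file types.

```python
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n$")
BLOCKED_HOSTS = {"bad.example"}   # assumed black list
BLOCKED_METHODS = {"POST"}        # slides: "HTTP: stop POST"

def parse_request(raw):
    """Return (method, url, headers), or None if the bytes are not an HTTP
    request: a Trojan talking on port 80 fails here (protocol fidelity)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0] + b"\r\n")
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace"))
    return m.group(1).decode("ascii"), m.group(2).decode("ascii"), headers

def inspect(raw):
    """Proxy decision for an arriving request: ("DROP", reason) or
    ("RELAY", rebuilt_request). The relayed request is rebuilt from parsed
    fields only, so unknown headers (and the original packet) never pass."""
    parsed = parse_request(raw)
    if parsed is None:
        return "DROP", "not HTTP (protocol fidelity)"
    method, url, headers = parsed
    if method in BLOCKED_METHODS:
        return "DROP", f"{method} command blocked"
    host = headers.get("host", "")
    if host in BLOCKED_HOSTS:
        return "DROP", "blocked host"
    rebuilt = (f"{method} {url} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
    return "RELAY", rebuilt

# Constructed messages as they would arrive on the proxy's port 80.
LEGIT = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: demo\r\n\r\n"
POST = b"POST /upload HTTP/1.1\r\nHost: www.example\r\nContent-Length: 0\r\n\r\n"
NON_HTTP = b"\x00\x02beacon\x00id=42\x00"   # Figure 5-15: port 80 but not HTTP
BLACKLISTED = b"GET / HTTP/1.0\r\nHost: bad.example\r\n\r\n"
```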
Intrusion Prevention Systems (IPSs)
- Provide more sophisticated inspection
- Examine streams of packets
  - Look for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks)
  - And cannot be diagnosed by simply accepting packets that are part of a connection
- Do deep packet inspection
  - Examine all headers at all layers: internet, transport, and application
- IPSs act proactively
  - Once an attack is diagnosed, future packets in the attack are blocked
  - This frightens many firms, because if an IPS acts incorrectly it effectively generates a self-inflicted denial-of-service attack
  - Firms that first use IPSs may only permit the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks

Firewall Architecture (outline)
- Single site in a large organization
- Home firewall
- SOHO firewall router
- Distributed firewall architecture

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site
[Figure: internal subnets 172.18.5.x (marketing client), 172.18.7.x (accounting server) and 172.18.9.x; a screening router at 60.47.1.1; the main firewall; and the DMZ with the public webserver 60.47.3.9, SMTP relay proxy 60.47.3.10, DNS server 60.47.3.4, and HTTP proxy server 60.47.3.1.]
- 1. Screening router (60.47.1.1): uses static packet filtering; drops simple attacks; prevents probe replies from getting out; last rule is Permit All, to let the main firewall handle everything but simple attacks
- 2. Main firewall: uses stateful inspection; last rule is Deny All
- 3. Internal firewalls: stop attacks from inside; stop attacks that get past the main firewall
- 4. Client host and 5. server host: public webservers and hardened hosts provide defense in depth
- 6. DMZ: servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ); attackers cannot get to other subnets from there; DMZ servers are specially hardened

Figure 5-18: Home Firewall
[Figure: Internet Service Provider, always-on connection over coaxial cable to a broadband modem, UTP cord to the home PC.]
- Windows XP has an internal firewall
  - Originally called the Internet Connection Firewall; disabled by default
  - After Service Pack 2, called the Windows Firewall; enabled by default

Figure 5-19: SOHO Firewall Router
[Figure: Internet Service Provider, broadband modem (DSL or cable), SOHO firewall router (DHCP server, NAT, and limited application firewall), Ethernet switch, and user PCs connected over UTP.]
- Many access routers combine the router and Ethernet switch in a single box

Figure 5-20: Distributed Firewall Architecture
[Figure: firewalls at Site A and Site B and on a home PC, all controlled from a central firewall management console.]
- Remote management is needed to reduce management labor
- Dangerous, because if an attacker compromises the management console, they own the network
- Remote PCs must be actively managed centrally

Figure 5-21: Other Security Architecture Issues
- Host and application security (Chapters 6 and 9)
- Antivirus protection (Chapter 4)
- Intrusion detection systems (Chapter 10)
- Virtual private networks (Chapter 8)
- Policy enforcement system

Firewalls (outline)
- Types of Firewalls
- Inspection Methods
- Architecture
- Configuring, Testing, and Maintenance
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
- Misconfiguration is a serious problem
  - ACL rules must be executed in series
  - Easy to make misordering problems
  - Easy to make syntax errors
- Create policies before ACLs
  - Policies are easier to read than ACLs
  - Can be reviewed by others more easily than ACLs
  - Policies drive ACL development
  - Policies also drive testing
- Must test firewalls with security audits
  - Attack your own firewall based on your policies
  - Only way to tell if policies are being supported
- Maintaining firewalls
  - New threats appear constantly
  - ACLs must be updated constantly if the firewall is to be effective

Figure 5-23: FireWall-1 Modular Management Architecture
[Figure: policies flow from the application module to the management module and on to the firewall modules; log file entries flow back from the firewall modules through the management module to the application module.]
- Application module (GUI): create and edit policies; read log files
- Management module: stores policies; stores log files
- Firewall modules: enforce policy; send log entries

Figure 5-24: FireWall-1 Service Architecture
[Figure: packet path through FireWall-1 to an internal client.]
- 1. Arriving packet
- 2. DoS protection; optional authentications
- 3. Statefully filtered packet
- 4. Content Vectoring Protocol to a third-party application inspection server
- 5. Statefully filtered packet plus application inspection, delivered to the client

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls
[Figure: inside network with security level 100, outside with security level 0, and a third network with security level 60.]
- Connections are allowed from more secure networks to less secure networks (automatically accepted)
- Connections from less secure networks to more secure networks are automatically rejected
Border Firewalls
- Sit between a trusted and an untrusted network
- Drop and log attack packets

Types of Inspection
- Static packet inspection
- Stateful inspection
- Application proxy firewalls
- NAT
- Denial-of-service, authentication, VPNs

Firewall Hardware and Software
- Screening firewall router
- Computer-based firewalls
- Firewall appliances
- Host firewalls (firewalls on clients and servers)
- Performance is critical; overloaded firewalls drop packets they cannot filter

Static Packet Inspection
- Examine IP, TCP, UDP, and ICMP headers
- Examine packets one at a time
- Miss many attacks
- Used primarily in screening firewall routers
- Access control lists (ACLs)
  - List of if-then pass/deny statements
  - Applied in order (sensitive to misordering)
  - For the main firewall, the last rule is Deny All
  - For the screening firewall, the last rule is Pass All

Stateful Inspection
- Packets that attempt to open connections
  - By default, permits all internally initiated connections
  - By default, denies all externally initiated connections
  - ACLs can change the default behavior
- Other packets
  - Permitted if part of an established connection
  - Denied if not part of an established connection
- Importance
  - Fast and therefore inexpensive
  - Catches almost all attacks
  - Dominates the main border firewall market

Network Address Translation (NAT)
- Operation
  - An internal host sends a packet to an external host
  - The NAT device replaces the source address and TCP or UDP port number with stand-in values
  - When packets are sent back, the stand-in values are replaced with the original values
  - Transparent to internal and external hosts
Network Address Translation (NAT) (continued)
- Why?
  - To hide internal host addresses and port numbers from sniffers on the Internet
  - To permit firms to have more hosts than they have assigned public addresses
- Perspective: often used in other types of firewalls

Application Firewalls
- Inspect application messages
- Catch attacks that other firewalls cannot
- Usually do NOT do antivirus filtering
- Programs that do the filtering are called proxies
  - Proxies are application-specific
  - Circuit firewalls are not application-specific; they use required authentication for control
- Relay operation
  - The application firewall acts as the server to clients and as the client to servers
  - This is slow, so traditionally application firewalls could only handle limited traffic
- Automatic protection from relay operation
  - Protocol fidelity: stops port spoofing
  - Header destruction: no IP, TCP, UDP, or ICMP attacks
  - Internal address hiding
- Command-based filtering (HTTP POST, etc.)
- Host or URL filtering (black lists)
- File type filtering (MIME, etc.)
- NOT antivirus filtering

Intrusion Prevention Systems (IPSs)
- Use sophisticated detection methods created for intrusion detection systems
- Examine streams of packets, not just individual packets
- Deep inspection: filter all layer messages in a packet
- But unlike IDSs, do not simply report attacks
  - Stop detected attacks
Intrusion Prevention Systems (IPSs) (continued)
- Spectrum of attack detection confidence
  - Stop attacks detected with high confidence
  - Do not stop attacks with low detection confidence, because doing so can create a self-inflicted DoS attack
- Sophisticated filtering is processing-intensive
  - Traditional IDSs could not filter in real time, so they could not be placed in-line with traffic
  - ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic

Firewall Architectures
- Site protection
  - Screening router (static packet)
  - Main border firewall (stateful)
  - Internal firewalls
  - Host firewalls
  - DMZ
  - Defense in depth
- DMZ
  - For hosts that must face attack
  - Must be hardened (bastion hosts)
  - Public webservers, etc.
  - Application firewalls
  - DNS server
- Home
  - Host firewalls are especially needed for always-on broadband connections
- SOHO
  - Separate firewall between the switch and the broadband modem
  - Some broadband modems do NAT, providing considerable protection
- Distributed firewall architecture
  - Most firms have multiple sites
  - Multiple firewalls at many sites
  - A central manager controls them
  - If the manager is hacked, very bad
  - Management traffic must be encrypted
Configuring, Testing, and Maintenance
- Configuration: firewalls must be configured (ACLs designed, etc.)
- Testing: configuration errors are common, so firewalls must be tested
- Maintenance: firewalls must be reconfigured frequently over time as the threat environment changes