Slide 1: Firewalls (Chapter 3)

Slide 2: Border Firewall (figure)
- A border firewall sits between the Internet (not trusted) and the internal corporate network (trusted).
- Passed packets cross it in both directions: ingress toward the hardened client PC and hardened server, egress toward the Internet.
- An attack packet sent by the attacker on the Internet is dropped at ingress and recorded in the firewall's log file.

Slide 3: Types of Firewall Inspection: Packet Inspection
- Examines IP, TCP, UDP, and ICMP header contents
- Static packet filtering looks at individual packets in isolation; it misses many attacks
- Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
- Stateful inspection is the preferred packet inspection method today

Slide 4: Types of Firewall Inspection: Application Inspection and NAT
- Application inspection examines application-layer messages; it stops some attacks that packet inspection cannot
- Network Address Translation (NAT) hides the IP addresses of internal hosts to thwart sniffers; it benignly spoofs the source IP addresses in outgoing packets

Slide 5: Types of Firewall Inspection: Denial-of-Service Inspection and Authentication
- Denial-of-service inspection recognizes incipient DoS attacks and takes steps to stop them; limited to a few common types of attacks
- Authentication: only packets from users who have proven their identity are allowed through; not commonly used, but can be valuable

Slide 6: Types of Firewall Inspection: Virtual Private Network Handling
- Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
- VPN protection often works in parallel with other types of inspection instead of being integrated with them

Slide 7: Types of Firewall Inspection: Integrated Firewalls
- Most commercial products combine multiple types of filtering
- Some freeware and shareware firewall products offer only one type of filtering

Slide 8: Firewalls (outline)
- Types of Firewalls: screening router firewalls; computer-based firewalls; firewall appliances; host firewalls (firewalls on clients and servers)
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance
Slide 9: Firewall Hardware and Software: Screening Router Firewalls
- Add firewall software to a router
- Usually provide light filtering only
- Expensive for the processing power; usually the hardware must be upgraded, too

Slide 10: Firewall Hardware and Software: Screening Router Firewalls
- Screen out the incoming noise of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering: can eliminate scanning responses, even those from the router itself

Slide 11: Firewall Hardware and Software: Computer-Based Firewalls
- Add firewall software to a server with an existing operating system (Windows or UNIX)
- Can be purchased with enough power to handle any load
- Easy to use because administrators already know the operating system

Slide 12: Firewall Hardware and Software: Computer-Based Firewalls
- The firewall vendor might bundle the software with hardened hardware and operating system software
- General-purpose operating systems result in slower processing

Slide 13: Firewall Hardware and Software: Computer-Based Firewalls
- Security: attackers may be able to hack the operating system, and then
  - change filtering rules to allow attack packets in
  - change filtering rules to drop legitimate packets

Slide 14: Firewall Hardware and Software: Firewall Appliances
- Boxes with minimal operating systems; therefore difficult to hack
- Setup is minimal
- Not customized to the specific firm's situation
- Must be able to update

Slide 15: Firewall Hardware and Software: Host Firewalls
- Installed on the hosts themselves (servers and sometimes clients)
- Enhanced security because of host-specific knowledge; for example, filter out everything but webserver transmissions on a webserver

Slide 16: Firewall Hardware and Software: Host Firewalls
- Defense in depth: normally used in conjunction with other firewalls
- Although on a single host computer attached to the Internet, a host firewall might be the only firewall

Slide 17: Firewall Hardware and Software: Host Firewalls
- If not centrally managed, configuration can be a nightmare, especially if rule sets change frequently

Slide 18: Firewall Hardware and Software: Host Firewalls
- Client firewalls typically must be configured by ordinary users, who might misconfigure or reject the firewall
- Need to centrally manage remote employee computers

Slide 19: Drivers of Performance Requirements (figure)
- Performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of the rules, etc.)
Slide 20: Firewalls (outline)
- Types of Firewalls
- Inspection Methods: static packet inspection; stateful packet inspection; NAT; application firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance

Slide 21: Static Packet Filter Firewall (figure)
- Packets arriving from the Internet toward the corporate network are examined one at a time, in isolation
- Only the IP, TCP, UDP, and ICMP headers are examined, not the application message
- The figure shows packets carrying a TCP header and application message and a UDP header and application message being permitted (passed), and a packet carrying an ICMP message being denied (dropped) and written to the log file

Slide 22: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [internal address range]

Slide 23: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]

Slide 24: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]

Slide 25: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh: launch shell without login]

Slide 26: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL

Slide 27: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]

Slide 28: Access Control List (ACL) for Egress Filtering at a Border Router (continued)
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver]

Slide 29: Access Control List (ACL) for Egress Filtering at a Border Router (continued)
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]

Slide 30: Access Control List (ACL) for Egress Filtering at a Border Router (continued)
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
13. DENY ALL
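A worked version of the ingress ACL above, added here as an example rather than taken from the slides: a Python static packet filter that walks an ordered rule list, applies the first match, and falls through to an implicit DENY ALL. The Packet class, the src_in and tcp_dport helpers, and the sample packets are constructed for this example; the rules follow the slide's order, but the single-port DENY rules are grouped into one entry, so the rule numbers returned are this list's numbers, not the slide's.

```python
"""Static packet filter: ordered ACL, first match wins, implicit DENY ALL.

Added example modelled on the ingress ACL in the slides (not the slides' own
code). Packet, src_in, tcp_dport and the sample packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: int = 0                # TCP/UDP destination port
    syn: bool = False             # TCP flags
    ack: bool = False
    fin: bool = False
    icmp_type: Optional[int] = None


# A rule is (action, predicate, comment). The predicate sees only header
# fields, exactly like a static packet filter: no connection context at all.
Rule = Tuple[str, Callable[[Packet], bool], str]


def src_in(*cidrs: str) -> Callable[[Packet], bool]:
    nets = [ip_network(c) for c in cidrs]
    return lambda p: any(ip_address(p.src) in n for n in nets)


def tcp_dport(*ports: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dport in ports


INGRESS_ACL: List[Rule] = [
    ("DENY", src_in("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"), "private source address"),
    ("DENY", src_in("60.40.0.0/16"), "internal address range arriving from outside"),
    ("DENY", src_in("1.2.3.4/32"), "black-holed address of attacker"),
    ("DENY", lambda p: p.proto == "tcp" and p.syn and p.fin, "SYN+FIN crafted attack packet"),
    ("PASS", lambda p: p.dst == "60.47.3.9" and tcp_dport(80, 443)(p), "connection to public webserver"),
    ("DENY", lambda p: p.proto == "tcp" and p.syn and not p.ack, "connection opened from outside"),
    ("DENY", tcp_dport(20, 21, 23, 513, 514, 22), "FTP, Telnet, rlogin, rsh, SSH"),
    ("DENY", lambda p: p.proto == "tcp" and 135 <= p.dport <= 139, "NetBIOS"),
    ("DENY", lambda p: p.proto == "udp" and p.dport == 69, "TFTP"),
    ("PASS", lambda p: p.proto == "icmp" and p.icmp_type == 0, "incoming echo reply"),
]


def filter_packet(pkt: Packet, acl: List[Rule] = INGRESS_ACL) -> Tuple[str, Optional[int], str]:
    """Return (action, matching rule number, comment); rule number None = implicit DENY ALL."""
    for number, (action, matches, comment) in enumerate(acl, start=1):
        if matches(pkt):
            return action, number, comment
    return "DENY", None, "DENY ALL (no rule matched)"


if __name__ == "__main__":
    # Constructed sample packets (123.45.6.7 is an arbitrary outside host).
    samples = [
        Packet("123.45.6.7", "60.47.3.9", "tcp", 80, syn=True),            # web client: PASS (rule 5)
        Packet("123.45.6.7", "60.47.3.9", "tcp", 80, syn=True, fin=True),  # SYN+FIN: DENY (rule 4 runs first)
        Packet("123.45.6.7", "60.47.3.10", "tcp", 25, syn=True),           # new inbound SMTP: DENY (rule 6)
        Packet("123.45.6.7", "60.47.3.10", "tcp", 25, ack=True),           # unlisted port: DENY ALL
        Packet("123.45.6.7", "60.47.3.9", "tcp", 80, ack=True),            # ACK without prior SYN: still PASS
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Rule order matters: the SYN+FIN rule fires before the webserver PASS rule, so a crafted packet aimed at the webserver is still dropped. The last sample shows the weakness the stateful-inspection slides go on to describe: a bare ACK to the webserver port passes even though no connection was ever opened, because a static filter has no way to know.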
Slide 31: Firewalls (outline)
- Types of Firewalls
- Inspection Methods: static packet inspection; stateful packet inspection; NAT; application firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance

Slide 32: Stateful Inspection Firewalls
- State of a connection: open or closed
- State: the order of a packet within a dialog; often simply whether the packet is part of an open connection

Slide 33: Stateful Inspection Firewalls: Stateful Firewall Operation
- For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
- By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network); this default behavior can be changed with an ACL
- Accept future packets between these hosts and ports with little or no inspection

Slide 34: Stateful Inspection Firewall Operation I (figure; outgoing connections allowed by default)
1. TCP SYN segment from the internal client PC, 60.55.33.12:62600, to the external webserver, 123.80.5.34:80, arrives at the stateful firewall
2. The firewall establishes the connection (adds a row to its connection table)
3. The TCP SYN segment is forwarded to 123.80.5.34:80
Connection table:
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK

Slide 35: Stateful Inspection Firewall Operation I (figure, continued)
4. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 arrives from the external webserver
5. The firewall checks the connection table: connection OK
6. The TCP SYN/ACK segment is forwarded to the internal client PC
Connection table:
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK

Slide 36: Stateful Inspection Firewalls: Stateful Firewall Operation
- For UDP, also record the two IP addresses and port numbers in the state table
Connection table:
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK

Slide 37: Stateful Inspection Firewalls: Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- If a TCP SYN/ACK segment is sent, a static filter cannot tell whether there was a previous SYN to open a connection
- But stateful firewalls can (Figure 5-10)

Slide 38: Stateful Firewall Operation II (figure)
1. An attacker, spoofing the external webserver 10.5.3.4, sends a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
2. The stateful firewall checks its connection table: no connection matches, so the segment is dropped
Connection table:
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK

Slide 39: Stateful Inspection Firewalls: Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- Cannot deal with port-switching applications
- But stateful firewalls can (Figure 5-11)

Slide 40: Port-Switching Applications with Stateful Firewalls (figure)
1. TCP SYN segment from the internal client PC, 60.55.33.12:62600, to the external FTP server, 123.80.5.34:21
2. The firewall establishes the connection (state table row "Step 2")
3. The TCP SYN segment is forwarded to 123.80.5.34:21
State table:
Step    Type  Internal IP   Internal Port  External IP   External Port  Status
Step 2  TCP   60.55.33.12   62600          123.80.5.34   21             OK

Slide 41: Port-Switching Applications with Stateful Firewalls (figure, continued)
4. TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600 arrives from the FTP server: "Use ports 20 and 55336 for data transfers"
5. To allow the data transfer, the firewall establishes a second connection (state table row "Step 5")
6. The TCP SYN/ACK segment, with its port announcement, is forwarded to the internal client PC
State table:
Step    Type  Internal IP   Internal Port  External IP   External Port  Status
Step 2  TCP   60.55.33.12   62600          123.80.5.34   21             OK
Step 5  TCP   60.55.33.12   55336         123.80.5.34   20             OK

Slide 42: Stateful Inspection Firewalls: Stateful Inspection Access Control Lists (ACLs)
- Primarily allow or deny applications
- Simple, because probing attacks that are not part of conversations do not need specific rules: they are dropped automatically
- In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
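The behaviour in Figures 5-9 to 5-11 and the stateful ACL on the last slide, modelled in Python as an added example (not code from the slides): outbound connection openers create connection-table rows, inbound segments pass only when they match a row, a spoofed SYN/ACK with no row is dropped, and a short stateful ACL denies one application (Telnet) outright. The Segment class, the internal network 60.55.33.0/24 and the FTP handling are assumptions; the slide only says the server announces "ports 20 and 55336", so this example uses the active-mode FTP PORT command from the client to learn the data port and pre-authorises the server's second connection.

```python
"""Stateful inspection firewall model: connection table, outbound connections
allowed by default (subject to a small stateful ACL), unsolicited inbound
segments dropped, FTP port switching handled by pre-opening the data connection.

Added example based on the stateful-inspection slides; Segment, the internal
network and the PORT-command parsing are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"      # "tcp" or "udp"
    syn: bool = False
    ack: bool = False
    payload: str = ""       # application data (only inspected for FTP PORT)


# Connection-table key, in the slide's column order:
# (type, internal IP, internal port, external IP, external port) -> status
ConnKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, internal_net: str, denied_outbound_ports: Iterable[int] = (23,)):
        self.internal = ip_network(internal_net)
        self.denied_ports = set(denied_outbound_ports)   # the stateful ACL: applications denied outbound
        self.table: Dict[ConnKey, str] = {}
        self.log: List[str] = []

    def outbound(self, seg: Segment) -> str:
        """Segment travelling from the trusted side to the untrusted side."""
        if ip_address(seg.src_ip) not in self.internal:
            self.log.append(f"DROP outbound: source {seg.src_ip} is not an internal address")
            return "DROP"
        key = (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if key not in self.table:
            # Only a connection opener (TCP SYN, or any UDP datagram) may create
            # a table row, and only if the stateful ACL permits the application.
            opener = seg.proto == "udp" or (seg.syn and not seg.ack)
            if not opener or seg.dst_port in self.denied_ports:
                self.log.append(f"DROP outbound {key}: not an allowed new connection")
                return "DROP"
            self.table[key] = "OK"
        if seg.proto == "tcp" and seg.dst_port == 21 and seg.payload.upper().startswith("PORT "):
            # Active-mode FTP: the client names the port the server will connect
            # to from its port 20. Pre-authorise that second, inbound connection.
            data_port = self._parse_port(seg.payload)
            self.table[("tcp", seg.src_ip, data_port, seg.dst_ip, 20)] = "OK"
        return "PASS"

    def inbound(self, seg: Segment) -> str:
        """Segment arriving from the untrusted side: pass only if a table row matches."""
        key = (seg.proto, seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if key in self.table:
            return "PASS"
        self.log.append(f"DROP inbound {seg.src_ip}:{seg.src_port} -> "
                        f"{seg.dst_ip}:{seg.dst_port}: no connection match")
        return "DROP"

    @staticmethod
    def _parse_port(payload: str) -> int:
        # "PORT h1,h2,h3,h4,p1,p2": the data port is p1*256 + p2
        fields = payload.strip().split(" ", 1)[1].split(",")
        return int(fields[4]) * 256 + int(fields[5])


if __name__ == "__main__":
    fw = StatefulFirewall("60.55.33.0/24")
    print(fw.outbound(Segment("60.55.33.12", 62600, "123.80.5.34", 80, syn=True)))          # PASS, row added
    print(fw.inbound(Segment("123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True)))  # PASS, Figure 5-9
    print(fw.inbound(Segment("10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True)))     # DROP, Figure 5-10
    print(fw.outbound(Segment("60.55.33.12", 62600, "123.80.5.34", 21, syn=True)))          # PASS, FTP control
    print(fw.outbound(Segment("60.55.33.12", 62600, "123.80.5.34", 21, ack=True,
                              payload="PORT 60,55,33,12,216,40\r\n")))                     # PASS, pre-opens 55336
    print(fw.inbound(Segment("123.80.5.34", 20, "60.55.33.12", 55336, syn=True)))           # PASS, Figure 5-11
    print(*fw.log, sep="\n")
```

The "216,40" in the constructed PORT command encodes 216*256 + 40 = 55336, the data port shown in the slide's state table. Note that the only inbound SYN that is ever accepted is the one the firewall pre-authorised from the control channel; every other unsolicited inbound segment falls through to the log as a drop, which is why the stateful ACL needs no rules for probing traffic.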
Slide 43: Firewalls (outline)
- Types of Firewalls
- Inspection Methods: static packet inspection; stateful packet inspection; NAT; application firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance

Slide 44: Network Address Translation (NAT) (figure)
1. A packet from the internal client, 192.168.5.7, port 61000, arrives at the NAT firewall
2. The NAT firewall sends it to the Internet with source 60.5.9.8, port 55380; a sniffer on the Internet sees only the firewall's address
3. The external server host replies to 60.5.9.8, port 55380
4. The NAT firewall translates the destination back and delivers the reply to 192.168.5.7, port 61000
Translation table:
Internal IP Addr  Internal Port  External IP Addr  External Port
192.168.5.7       61000          60.5.9.8          55380
...               ...            ...               ...
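The four steps of the NAT figure as an added Python example (not code from the slides). The NatFirewall class, the choice to allocate external ports sequentially starting at 55380, and the sample hosts are assumptions; the addresses and ports match the figure.

```python
"""Network address (and port) translation table, as in the NAT figure.

Added example, not the slides' own code. NatFirewall and its sequential
port allocation are assumptions; the sample endpoints are the figure's.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 55380):
        self.public_ip = public_ip
        self.next_port = first_port
        # Translation table, kept in both directions for O(1) lookups.
        self.to_external: Dict[Endpoint, int] = {}     # (internal IP, internal port) -> external port
        self.to_internal: Dict[int, Endpoint] = {}     # external port -> (internal IP, internal port)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Step 2: rewrite the source of an outgoing packet to the firewall's public address."""
        if src not in self.to_external:
            port = self.next_port
            self.next_port += 1
            self.to_external[src] = port
            self.to_internal[port] = src
        return (self.public_ip, self.to_external[src]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Step 4: rewrite the destination of a reply back to the internal host.

        Returns None when there is no table row, i.e. the packet is unsolicited
        and is dropped: NAT alone already hides hosts that never spoke first.
        """
        if dst[0] != self.public_ip or dst[1] not in self.to_internal:
            return None
        return src, self.to_internal[dst[1]]

    def sniffer_view(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """What a sniffer on the Internet sees as the source of an outgoing packet."""
        return self.outbound(src, dst)[0]


if __name__ == "__main__":
    nat = NatFirewall("60.5.9.8")
    client, server = ("192.168.5.7", 61000), ("123.80.5.34", 80)   # server address is constructed
    print("1/2:", client, "->", nat.outbound(client, server))       # (('60.5.9.8', 55380), server)
    print("3/4:", nat.inbound(server, ("60.5.9.8", 55380)))         # (server, ('192.168.5.7', 61000))
    print("unsolicited:", nat.inbound(("1.2.3.4", 80), ("60.5.9.8", 55381)))   # None: dropped
    print("sniffer sees:", nat.sniffer_view(client, server))        # ('60.5.9.8', 55380)
```

The mapping here is keyed on the internal endpoint only, so every destination the client talks to from port 61000 shares external port 55380; real NAT devices differ in whether they also key on the destination, and that choice decides how much an outside host can infer or reach.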
Slide 45: Firewalls (outline)
- Types of Firewalls
- Inspection Methods: static packet inspection; stateful packet inspection; NAT; application firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance

Slide 46: Application Firewall Operation (figure)
1. HTTP request from the client PC, 192.168.6.77, to the application firewall, 60.45.2.6
2. Filtering by the HTTP proxy on the application firewall
3. Examined HTTP request sent to the webserver, 123.80.5.34, with source 60.45.2.6
4. HTTP response from the webserver to 60.45.2.6
5. Filtering
6. Examined HTTP response delivered to 192.168.6.77
Proxies on the application firewall:
- HTTP proxy: filtering on POST (out); filtering on hostname, URL, MIME type, etc. (in)
- FTP proxy: outbound filtering on PUT
- SMTP (e-mail) proxy: inbound and outbound filtering on obsolete commands and content

Slide 47: Header Destruction with Application Firewalls (figure)
- An arriving packet from the attacker, 1.2.3.4, carries its original IP header, original TCP header, and application message (HTTP)
- The application firewall, 60.45.2.6, strips the original headers from arriving packets, keeping only the application message
- It creates a new packet with a new IP header and new TCP header and sends that to the webserver, 123.80.5.34
- This stops all header-based packet attacks

Slide 48: Protocol Spoofing (figure)
1. A Trojan horse on the internal client PC, 60.55.33.12, transmits on port 80 to the attacker, 1.2.3.4, to get through a simple packet filter firewall
2. The application firewall sees that the protocol is not HTTP and stops the transmission

Slide 49: Circuit Firewall (figure)
1. The external client, 123.30.82.5, authenticates to the circuit firewall (SOCKS v5), 60.34.3.31
2. Transmission from the client
3. Passed transmission to the webserver, 60.80.5.34: no filtering
4. Reply from the webserver
5. Passed reply to the external client: no filtering
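The three application-firewall slides above (the HTTP proxy's filtering, header destruction, and the protocol-spoofing check) as one added Python example, not code from the slides. The allowed-host list, the blocked URL prefix, the forwarded-header list and the sample messages are constructed for this example; a real proxy would have a far richer policy, but the shape is the same: parse the message as HTTP or refuse it, apply policy to what was parsed, and forward a newly built message rather than the original bytes.

```python
"""Application-layer inspection of traffic arriving on the HTTP port.

Added example, not code from the slides. It shows: (1) protocol spoofing
detection: a payload on port 80 that does not parse as HTTP is dropped;
(2) proxy filtering on hostname, URL and POST; (3) header destruction:
the forwarded message is rebuilt from parsed fields, never copied.
Policy sets and sample messages are constructed.
"""
import re
from typing import Dict, Tuple

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]$")

ALLOWED_HOSTS = {"www.example.com"}            # constructed policy
BLOCKED_METHODS = {"POST"}                     # slide: filtering on POST out
BLOCKED_PATH_PREFIXES = ("/cgi-bin/",)         # slide: filtering on URL
FORWARDED_HEADERS = ("host", "user-agent", "accept", "content-length")


def inspect_http_request(raw: bytes) -> Tuple[str, str]:
    """Return ("PASS", rebuilt request text) or ("DROP", reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "DROP", "payload is not ASCII text: not HTTP on port 80"
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")

    match = REQUEST_LINE.match(lines[0])
    if not match:
        # Anything that does not start with an HTTP request line is treated
        # as protocol spoofing, whatever port it arrived on.
        return "DROP", f"not an HTTP request line: {lines[0]!r}"
    method, path = match.group(1), match.group(2)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return "DROP", f"malformed header line: {line!r}"
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return "DROP", f"host {host!r} not in allowed list"
    if method in BLOCKED_METHODS:
        return "DROP", f"method {method} blocked outbound"
    if path.startswith(BLOCKED_PATH_PREFIXES):
        return "DROP", f"URL {path!r} blocked"

    # Header destruction: build a fresh message from the parsed fields. Only
    # recognised headers are carried over; everything else in the original
    # (unknown headers, odd spacing, extra bytes) never reaches the server.
    rebuilt = [f"{method} {path} HTTP/1.1"]
    rebuilt += [f"{name.title()}: {headers[name]}" for name in FORWARDED_HEADERS if name in headers]
    return "PASS", "\r\n".join(rebuilt) + "\r\n\r\n" + body


if __name__ == "__main__":
    samples = {  # constructed messages
        "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: 1\r\nUser-Agent: test\r\n\r\n",
        "binary on port 80": b"\x80\x01\x02 not http",
        "text but not HTTP": b"BEACON id=7\r\n\r\n",
        "post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nx=1",
        "other host": b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
    }
    for label, msg in samples.items():
        print(f"{label}: {inspect_http_request(msg)}")
```

In the browser sample the X-Debug header disappears from the forwarded request: that is header destruction at the application layer, the counterpart of the new IP and TCP headers in the slide's figure.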
Slide 50: Firewalls (outline)
- Types of Firewalls
- Inspection Methods
- Firewall Architecture: single site in a large organization; home firewall; SOHO firewall router; distributed firewall architecture
- Configuring, Testing, and Maintenance

Slide 51: Single-Site Firewall Architecture for a Larger Firm with a Single Site (figure)
1. Screening router, 60.47.1.1, facing the Internet; last rule = Permit All
2. Main firewall; last rule = Deny All
3. Internal firewall on the 172.18.9.x subnet
4. Client host firewall on a marketing client on the 172.18.5.x subnet
5. Server host firewall on an accounting server on the 172.18.7.x subnet
6. DMZ: public webserver 60.47.3.9; external DNS server 60.47.3.4; SMTP relay proxy 60.47.3.10; HTTP proxy server 60.47.3.1

Slide 52: Home Firewall (figure)
- Home PC with a PC firewall, connected by a UTP cord to a broadband modem, which is connected by coaxial cable to the Internet service provider over an always-on connection

Slide 53: SOHO Firewall Router (figure)
- Broadband modem (DSL or cable) to the Internet service provider, connected by UTP to a SOHO router
- The SOHO router combines a router, DHCP server, NAT firewall, and limited application firewall
- An Ethernet switch connects the user PCs by UTP; many access routers combine the router and Ethernet switch in a single box

Slide 54: Distributed Firewall Architecture (figure)
- Firewalls at Site A, Site B, and on a home PC, all reached over the Internet and controlled from a central management console

Slide 55: Other Security Architecture Issues
- Host and application security
- Antivirus protection
- Intrusion detection systems
- Virtual private networks
- Policy enforcement system

Slide 56: Firewalls (outline)
- Types of Firewalls
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance
Slide 57: Configuring, Testing, and Maintaining Firewalls: Firewall Misconfiguration is a Serious Problem
- ACL rules must be executed in series
- Easy to make misordering problems
- Easy to make syntax errors

Slide 58: Configuring, Testing, and Maintaining Firewalls: Create Policies Before ACLs
- Policies are easier to read than ACLs
- Can be reviewed by others more easily than ACLs
- Policies drive ACL development
- Policies also drive testing

Slide 59: Configuring, Testing, and Maintaining Firewalls
- Must test firewalls with security audits: the only way to tell whether policies are being supported; testing must be driven by policies
- Maintaining firewalls: new threats appear constantly, so ACLs must be updated constantly if the firewall is to be effective
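The three slides above describe the failure modes (misordering, syntax errors) and the remedy (policy first, then ACL, then policy-driven tests). An added Python example, not from the slides, that turns those into checks a practitioner can run before deploying a rule set: a lint pass for syntax, a shadowing check that finds a rule an earlier rule makes unreachable, and a policy table that is run against the ACL as test cases. The Rule shape (action, protocol, source network, destination network, destination port range), the sample ACLs and the policy statements are constructed for this example.

```python
"""Policy-driven ACL checks: syntax lint, shadowed-rule detection, policy tests.

Added example, not code from the slides. Rule, the sample ACLs and the
policy table are constructed here; a rule is "shadowed" when an earlier
rule matches every packet it matches, so it can never fire.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "PERMIT" or "DENY"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    dport: Tuple[int, int]    # inclusive destination port range; (0, 65535) = any


ANY_PORT = (0, 65535)


def lint(rules: List[Rule]) -> List[str]:
    """Syntax errors: the mistakes slide 57 says are easy to make."""
    errors = []
    for n, r in enumerate(rules, start=1):
        if r.action not in ("PERMIT", "DENY"):
            errors.append(f"rule {n}: unknown action {r.action!r}")
        if r.proto not in ("tcp", "udp", "icmp", "any"):
            errors.append(f"rule {n}: unknown protocol {r.proto!r}")
        for label, net in (("source", r.src), ("destination", r.dst)):
            try:
                ip_network(net)          # strict: rejects host bits set in a prefix
            except ValueError:
                errors.append(f"rule {n}: bad {label} network {net!r}")
        lo, hi = r.dport
        if not 0 <= lo <= hi <= 65535:
            errors.append(f"rule {n}: bad port range {r.dport}")
    return errors


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is also matched by `earlier`."""
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    src_ok = ip_network(later.src).subnet_of(ip_network(earlier.src))
    dst_ok = ip_network(later.dst).subnet_of(ip_network(earlier.dst))
    port_ok = earlier.dport[0] <= later.dport[0] and later.dport[1] <= earlier.dport[1]
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(rule number, shadowing rule number) pairs: misordering that silently disables a rule."""
    found = []
    for j in range(len(rules)):
        for i in range(j):
            if covers(rules[i], rules[j]):
                found.append((j + 1, i + 1))
                break
    return found


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    for r in rules:
        if (r.proto in ("any", proto) and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return "DENY"            # implicit DENY ALL


def check_policy(rules: List[Rule], policy) -> List[str]:
    """Run each policy statement as a test; return the statements the ACL violates."""
    return [text for text, proto, src, dst, dport, want in policy
            if first_match(rules, proto, src, dst, dport) != want]


# Constructed policy (written first, in plain language) and the ACLs derived from it.
POLICY = [
    ("Web access to the public webserver is permitted", "tcp", "8.8.8.8", "60.47.3.9", 80, "PERMIT"),
    ("Telnet from the Internet is denied", "tcp", "8.8.8.8", "60.47.3.9", 23, "DENY"),
    ("Anything not listed is denied", "udp", "8.8.8.8", "60.47.7.1", 53, "DENY"),
]
MISORDERED_ACL = [
    Rule("PERMIT", "tcp", "0.0.0.0/0", "60.47.3.0/24", ANY_PORT),   # meant for the DMZ servers
    Rule("DENY", "tcp", "0.0.0.0/0", "60.47.3.0/24", (23, 23)),     # never reached: shadowed by rule 1
    Rule("DENY", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),
]
CORRECTED_ACL = [MISORDERED_ACL[1], MISORDERED_ACL[0], MISORDERED_ACL[2]]
BROKEN_ACL = [
    Rule("DENY", "tcp", "60.47.3.9/24", "0.0.0.0/0", (80, 80)),     # host bits set in the prefix
    Rule("PERMIT", "tcp", "0.0.0.0/0", "0.0.0.0/0", (443, 80)),     # reversed port range
]

if __name__ == "__main__":
    print("lint:", lint(BROKEN_ACL))
    print("shadowed:", shadowed(MISORDERED_ACL), "-> policy failures:", check_policy(MISORDERED_ACL, POLICY))
    print("shadowed:", shadowed(CORRECTED_ACL), "-> policy failures:", check_policy(CORRECTED_ACL, POLICY))
```

The misordered ACL passes lint and looks reasonable read top to bottom, which is exactly the trap slide 57 warns about; only the shadowing check, or the Telnet policy test, reveals that rule 2 can never fire. Keeping the policy as data means the audit on slide 59 is rerun every time the ACL changes, not just when the firewall is first installed.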
Slide 60: FireWall-1 Modular Management Architecture (figure)
- Application module (GUI): creates and edits policies; reads log files
- Management module: stores policies; stores log files
- Firewall modules (one or more): receive the policy from the management module, enforce it, and send log entries back to the management module, where the GUI reads the log file data

Slide 61: FireWall-1 Service Architecture (figure)
1. Arriving packet from the internal client
2. Statefully filtered packet
3. DoS protection and optional authentications in the FireWall-1 firewall
4. Content Vectoring Protocol hands the packet to a third-party application inspection firewall
5. Statefully filtered packet, plus application inspection, delivered to the external server

Slide 62: Security Level-Based Stateful Filtering in PIX Firewalls (figure)
- Each interface has a security level: inside = 100; outside (the Internet, via the router) = 0; an intermediate internal network has security level 60
- Connections are allowed automatically from more secure networks to less secure networks
- Connections from less secure networks to more secure networks are rejected automatically