Slide 1: Packet filtering and other firewall functions
Martin Krammer, mk@sbox.tugraz.at
Graz, May 25, 2007

Slide 2: Overview
- Firewalls: principles, architectures, security aspects
- Packet filtering: principles, static packet filters, dynamic packet filters, attacks
- Additional functions: NAT, PAT, port forwarding
Slide 3: Principles
- A firewall is a protective device that controls traffic between computer networks
- Networks form different zones of trust; the firewall sits at the interfaces between zones
- It enforces security policies; default-deny is the best practice
- A firewall is only as good as its administrator
- Its effectiveness relies heavily on the network architecture

Slide 4: Types
- Software: protects a single machine (personal firewalls, desktop firewalls); easy configuration
- Hardware: easy to difficult configuration; built into several device types (modems, routers, gateways, appliances, ...); capable devices to secure networks of different sizes
Slide 5: Architectures: dual-homed host
- 2 network interfaces
- the public network talks to the dual-homed host; the internal network talks to the dual-homed host
- no direct communication: IP traffic between the two networks is blocked
- proxying as the solution

Slide 6: Architectures: screened host
- security due to packet filtering on a separate router
- external connections are only allowed to the bastion host
- the bastion host sits inside the internal network
- points of failure: the router and the bastion host

Slide 7: Architectures: screened subnet
- a perimeter network (demilitarized zone) for additional security
- internal traffic doesn't pass through the perimeter network
- one or more bastion hosts on the perimeter network
- internal-to-external connections: packet filtering on the routers, proxy servers on the perimeter network
- 2 routers: interior and exterior

Slide 8: Architectures: variations
- many more are possible; every network design is individual
- Do: multiple bastion hosts; multiple internal networks; merge interior & exterior routers; merge bastion host & exterior router ...
- Don't: merge bastion host & interior router (internal traffic becomes visible to the bastion host); 2 or more interior routers between the perimeter & internal network ...
Slide 9: Packet filtering
- route packets selectively: allow or block packets, permit or deny services
- packet filter rules derived from the security policies
- works on the network layer (layer 3)
- does not protect against faulty services on machines
- alternative: proxy servers

Slide 10: Packet information
- packet properties: IP source address, IP destination address, protocol (whether the packet is a TCP, UDP or ICMP packet), TCP or UDP source port, TCP or UDP destination port, ICMP message type
- direction: inbound or outbound
- router decisions: the interface the packet arrives on, the interface the packet will go out on, route or not
- the packet's content is not important for packet filtering

Slide 11: Services
- services reside on different port numbers; the rule set specifies the port number
- ranges: 0-1023 fixed (well-known); 1024-49151 registered with IANA; 49152-65535 dynamic, variable use

Slide 12: Advantages
- one packet filtering router can protect an entire network
- no additional effort: no user interaction, no reconfiguration of client machines
- widely available hardware and software products

Slide 13: Disadvantages
- rule sets can be hard to configure and difficult to test
- implementation bugs may permit packets which should be denied

Slide 14: Rules
- for each packet: go through the rules, find the first one that matches, take the action according to that rule; if none matches, the default rule applies (default-deny)
- implementations are product-specific
- tips: use interface-based rules; define the rule sets carefully; use addresses, not hostnames; define an explicit default rule

Slide 15: Rules 2
- static filtering: according to fixed rules
- dynamic filtering (stateful inspection): remember outgoing packets and let the corresponding response in; criteria: the socket (host, port), i.e. layers 3 & 4; rules are modified on the fly and are time-limited
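The first-match evaluation with an explicit default rule (slide 14) and the stateful extension that remembers outgoing sockets for a limited time (slide 15), placed on the exterior router of a screened subnet (slide 7), as an added Python example that is not part of the original slides; the interface names, the bastion host 192.0.2.10, the internal prefix 10.0.0.0/8 and the rule set are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):   # what a packet filter looks at (layer 3 and 4 only)
    iface: str              # interface the packet arrives on: "ext" or "perim"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    iface: str = "*"            # interface-based rules
    proto: str = "*"
    src: str = "0.0.0.0/0"      # addresses (prefixes), never hostnames
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("*", pkt.iface) and rule.proto in ("*", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))
# Constructed exterior-router rule set (assumed addresses): bastion host
# 192.0.2.10 on the perimeter network, internal network 10.0.0.0/8.
RULES = [
    Rule("deny", iface="ext", src="10.0.0.0/8"),                       # anti-spoofing
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("deny", iface="ext", dst="10.0.0.0/8"),                       # no direct internal access
    Rule("permit", iface="perim"),                                     # perimeter side may go out
    Rule("deny"),                                                      # explicit default rule
]
def static_filter(rules, pkt: Packet) -> str:   # static filtering: first match wins
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # default-deny even if the rule set lacks a final rule

class StatefulFilter:   # dynamic filtering: remember outgoing sockets, let the reply in
    def __init__(self, rules, timeout: float = 60.0):
        self.rules, self.timeout, self.table = rules, timeout, {}
    def filter(self, pkt: Packet, now: float) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reply to a known socket?
        expiry = self.table.get(reverse)
        if pkt.iface == "ext" and expiry is not None and now < expiry:
            self.table[reverse] = now + self.timeout    # refresh the time-limited entry
            return "permit"
        action = static_filter(self.rules, pkt)
        if action == "permit" and pkt.iface != "ext":   # outgoing: record socket, time-limited
            self.table[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
        return action
```

A reply that arrives after the entry has expired falls back to the static rules and is dropped by the "no direct internal access" rule, which is what makes the dynamic entries time-limited rather than permanent holes.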
Slide 16: Application firewalls
- layer 7 (application layer); a separate proxy for each protocol
- advantages: content inspection, analysis of actions, machine learning mechanisms, authentication, separation of networks
- disadvantages: resource intensive, real-time requirements, protocol-specific proxies needed

Slide 17: 3rd generation firewalls
- hybrid solutions: the best of packet filtering and proxy solutions
- internet technology changes: IPv4 vs IPv6, NAT, masquerading, ...

Slide 18: Attacks
- obvious things: intrusion (communicate with services behind the firewall, run code behind the firewall); information theft; DoS (flooding); re-routing, redirection, spoofing; eavesdropping (network sniffing)
- things that happen: misconfigured firewall systems; network security problems rendering firewall systems redundant

Slide 19: Attacks 2: firewall piercing
- covert channel: a communication channel that allows the transfer of information in violation of the system's security policy without alerting firewalls & IDSs
- stealthy nature: the traffic is sent through permitted ports
- HTTP tunnel: http://www.nocrew.org/software/httptunnel.html, http://entreelibre.com/cctt/index_en.html
- ICMP tunnel: http://www.securiteam.com/tools/5pp0m0k60o.html
- DNS: DNS is allowed to any internal client
Slide 20: NAT
- network address translation, due to the lack of IPv4 addresses
- reserved address ranges for internal use, e.g. class C: 192.0.0.1-223.255.255.255
- maps internal to external IP addresses; the NAT device remembers the mapping
- a convenient feature with a security aspect, but not designed for security

Slide 21: Masquerading, PAT
- port address translation: port numbers are rewritten
- outgoing packets: source IP/port replaced by public IP/port; the mapping is saved in tables
- incoming packets: the table is used to look up the inquirer
- external machines can't reach internal servers, since connections can only be initiated from internal machines; solution: port forwarding

Slide 22: Port forwarding
- configured on routers
- the router listens on a given public port and forwards that port on the public interface to a specific address/port on the internal network
- servers located in the internal network become available to the external network
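The masquerading table of slide 21 together with the static port forwarding of slide 22, as an added Python example that is not part of the original slides; the public address 203.0.113.1, the internal hosts and the forwarded port 8080 are constructed. The inbound check goes slightly beyond the slide: a reply is only accepted from the external host the internal machine actually contacted, so a mapping cannot be used by third parties.

```python
from typing import Dict, NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatDevice:
    """Masquerading (PAT) plus static port forwarding on one public address."""
    def __init__(self, public_ip: str, first_port: int = 49152, forwards=None):
        self.public_ip = public_ip
        self.next_port = first_port                 # allocate from the dynamic range
        # outgoing socket (proto, internal ip, port) -> public port
        self.table: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (internal ip, port, external ip, port) of the inquirer
        self.reverse: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # port forwarding, configured statically: (proto, public port) -> (internal ip, port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = dict(forwards or {})

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:                    # new mapping, remembered in the table
            while (pkt.proto, self.next_port) in self.forwards:
                self.next_port += 1                  # never shadow a forwarded port
            self.table[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.next_port += 1
        return pkt._replace(src=self.public_ip, sport=self.table[key])   # rewrite source ip/port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.reverse.get((pkt.proto, pkt.dport))
        if entry is not None:
            in_ip, in_port, ext_ip, ext_port = entry
            if (pkt.src, pkt.sport) == (ext_ip, ext_port):   # only the inquired host may answer
                return pkt._replace(dst=in_ip, dport=in_port)
            return None
        target = self.forwards.get((pkt.proto, pkt.dport))   # port forwarding: server exposed
        if target is None:
            return None              # no mapping: external machines cannot reach internal hosts
        return pkt._replace(dst=target[0], dport=target[1])
```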
Slide 23: Questions?

Slide 24: Exam questions
- Name a common firewall architecture and describe its benefits as well as its drawbacks.
- What is the advantage of dynamic packet filtering over static packet filtering? Describe its mechanism in detail.

Slide 25: References
- Building Internet Firewalls, D. Brent Chapman & Elizabeth D. Zwicky; O'Reilly, 1995
- Wikipedia, 05/2007: Firewalls, OSI model, Ports
- Firewalls FAQ, http://www.interhack.net/pubs/fwfaq/, 05/2007
- Firewall Tutorial, Dr. Udo Payer, 2005