Firewalls, IDS and IPS

Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko

Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not Trusted) Attacker 1. Internal Corporate Network (Trusted) 2

Basic Firewall Operation (Continued) 3. Attack Packet 3 4. Dropped Packet (Ingress) 4. Log File 2. Internet Border Firewall 1. Internet (Not Trusted) Attacker

Basic Firewall Operation (Continued) 5. Passed Legitimate Packet (Ingress) 5. Legitimate Packet 2. Internet Border Firewall 1. Internet (Not Trusted) Legitimate User 1. Internal Corporate Network (Trusted) 4

Figure 5-1: Basic Firewall Operation (Continued) 7. Passed Packet (Egress) 5 7. Dropped Packet (Egress) 4. Log File 2. Internet Border Firewall 1. Internet (Not Trusted) 1. Internal Corporate Network (Trusted) Attacker

Figure 5-1: Basic Firewall Operation (Continued) 6. Attack Packet that Got Through Firewall 6. Hardened Client PC Hardened Hosts Provide Defense in Depth 2. Internet Border Firewall 1. Internet (Not Trusted) Attacker 6 6. Hardened Server 1. Internal Corporate Network (Trusted)

Firewall Architecture (Single Site) Internal Firewall 172.18.9.x Subnet Main Border Firewall Screening Router Firewall Internet Host Firewall Host Firewall Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 7 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet Most firms have multiple firewalls. Their arrangement is called the firm s firewall architecture SMTP Application Proxy Server 60.47.3.10 HTTP Application Proxy Server 60.47.3.1

Firewall Principles The Changing Role of Firewalls In the early 1990s, there was a focus on border security However, some attacks inevitably get through the border firewall And border firewalls provide no protection from internal attackers, attackers who entered the site other than through the Internet, or remote users using VPNs 8

Firewall Principles (Continued) The Changing Role of Firewalls Companies need to employ defense in depth Overall, border firewalls are important but not sufficient 9

Firewall Principles (Continued) Danger of Overload If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets This is the safest choice, because attack packets cannot enter the network However, this creates a self-inflicted denial-of-service attack 10

Firewall Principles (Continued) Danger of Overload So firewalls must have the capacity to handle the traffic Some can handle normal traffic but cannot handle traffic during heavy attacks Need to be able to work at wire speed 11

Firewall Principles (Continued) Firewall Filtering Methods Several methods exist; we will look at them in this chapter Firewall Inspection Levels Internet Level Internet and transport layer filtering Attacks and therefore firewalls began here Stateful inspection Static packet inspection Network address translation (NAT) 12

Firewall Principles (Continued) Firewall Filtering Methods Firewall Inspection Levels Application Level Attacks growing at the application layer Filter application layer communication Application proxy firewalls Antivirus filtering (general malware filtering) Intrusion prevention systems (also filter internet-level attacks) 13

Main Border Firewalls Stateful Inspection

Host Firewall 15 Marketing Client on 172.18.5.x Subnet Firewall Architecture (Single Site) Internal Firewall 172.18.9.x Subnet Host Firewall Accounting Server on 172.18.7.x Subnet Main Border Firewall Screening Router Firewall Internet Main Border Firewall sits between the Internet Public and the internal network External Webserver (after the border router) DNS Server 60.47.3.9 60.47.3.4 Main border firewalls predominantly use stateful inspection filtering SMTP Application Proxy Server 60.47.3.10 HTTP Application Proxy Server 60.47.3.1

Opening Connections in Stateful Inspection Firewalls Default Behavior Permit connections initiated by an internal host Deny connections initiated by an external host Can change default behavior with access control lists (ACLs) for ingress and egress Automatically Accept Connection Attempt Router Internet Automatically Deny Connection Attempt 16

Permitting Incoming Connections in a Stateful Inspection Firewall Default Behavior Can be Modified by Access Control Lists (ACLs) Ingress ACL permits some externally-initiated connections to be opened Egress ACL prohibits some internally-initiated connections from being opened On basis of IP address, TCP or UDP port number, and/or IP protocol Sets of if-then rules applied in order 17

Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) (Continued) 1. If TCP destination port = 80, Allow Connection [Pass all HTTP traffic to any webserver. (Port 80 = HTTP)] 2. If TCP destination port = 25 AND destination IP address = 60.47.3.35, Allow Connection [Pass all SMTP traffic to a specific host (mail server), 60.47.3.35. Port 25 = SMTP] Safer than Rule 1 18

Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) (Continued) 4. Deny ALL [Deny all other externally-initiated connections] (Use the default behavior of stateful inspection firewalls for all other connection-opening attempts) 19

Well-Known Port Numbers Port Number Primary Protocol Application 20 TCP FTP Data Traffic 23 TCP Telnet Passwords sent in the clear 25 TCP Simple Mail Transfer Protocol (SMTP) 53 TCP Domain Name System (DNS) 20

Well-Known Port Numbers (Continued) Port Number Primary Protocol Application 69 UDP Trivial File Transfer Protocol (TFTP) No login necessary 80 TCP Hypertext Transfer Protocol (HTTP) 143 TCP Internet Message Access Protocol (IMAP) for downloading e-mail to client 21

Main Border Firewall Stateful Inspection I Stateful Firewall Operation If accept a connection Record the two IP addresses and port numbers in state table as OK (open) Accept future packets between these hosts and ports with no further inspection This stops most internet-level attacks Does not address application-level attacks 22

Main Border Firewall Stateful Inspection I (Continued) 1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 2. Establish Connection 3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 Internal Client PC 60.55.33.12 Again: Outgoing Connections Allowed By Default Stateful Firewall Permitted outgoing Connections are Placed in the Connection table External Webserver 123.80.5.34 Connection Table Type Internal IP Internal Port External IP External Port Status 23 TCP 60.55.33.12 62600 123.80.5.34 80 OK

Main Border Firewall Stateful Inspection I (Continued) Internal Client PC 60.55.33.12 6. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 Stateful Firewall 4. TCP SYN/ACK Segment External From: 123.80.5.34:80 Webserver To: 60.55.33.12:62600 123.80.5.34 Connection Table 5. Check Connection OK; Pass the Packet Type Internal IP Internal Port External IP External Port Status 24 TCP 60.55.33.12 62600 123.80.5.34 80 OK

Main Border Firewall Stateful Inspection II (Continued) Stateful Firewall Arriving packets that are not connection opening attempts and that do not match a row in the state table are dropped Internal Client PC 60.55.33.12 Connection Table 2. Check Connection Table: No Connection Match: Drop 1. Spoofed TCP SYN/ACK Segment From: 10.5.3.4.:80 To: 60.55.33.12:64640 Attacker Spoofing External Webserver 10.5.3.4 Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK 25 UDP 60.55.33.12 63206 222.8.33.4 69 OK

Stateful Inspection Firewall in Perspective Simplicity and Therefore Low Cost Connection opening decisions are somewhat complex But most packets are part of approved ongoing connections Filtering ongoing packets is extremely simple Therefore, stateful inspection is fast and inexpensive 26

Stateful Inspection Firewall in Perspective (Continued) Low Cost Safety Stops nearly all internet-level attacks (Application-level filtering still needed) Dominance for Main Border Firewalls Nearly all use stateful inspection 27

Stateful Inspection Firewall in Perspective (Continued) Beyond Stateful Inspection Most main border firewalls also use other inspection methods Denial-of-service filtering Limited application content filtering Etc. 28

Screening Router Firewall Static Packet Inspection

Firewall Architecture (Single Site) 1. Screening Router 60.47.1.1 Last Rule=Permit All 30 Screening 172.18.9.x Router Subnet Firewall Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out. Marketing Client on 172.18.5.x Subnet Last Rule is Permit All to Let Main Firewall Handle Everything but Accounting Server on 172.18.7.x Subnet Simple Attacks Public Webserver 60.47.3.9 SMTP Relay Proxy 60.47.3.10 Internet External DNS Server 60.47.3.4 HTTP Proxy Server 60.47.3.1

Static Packet Inspection on Screening Router Firewalls Screening Firewall Routers Add filtering to the border router Filter out many high-frequency, low-complexity attacks For ingress filtering, reduce the load on the main border firewall 31

Screening Router Firewalls (Continued) High Cost for Sufficient Performance Must buy inspection software for the router (expensive) Usually must upgrade router processing speed and memory (expensive) 32

Screening Router Firewalls (Continued) Good Location for Egress Filtering Stops all replies to probe packets Including those from the border router itself 33

Static Packet Filter Firewall Corporate Network Permit (Pass) IP-H IP-H The Internet TCP-H Application Message UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Log File Static Packet Filter Firewall Only IP, TCP, UDP and ICMP Headers Examined 34

Static Packet Filter Firewall (Continued) Corporate Network Permit (Pass) IP-H IP-H The Internet TCP-H Application Message UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Log File Static Packet Filter Firewall Arriving Packets Examined One at a Time, in Isolation; This Misses Many Attacks 35

Screening Router Firewalls (Continued) Use Static Packet Filtering Require complex access control lists (ACLs) Because need an ACL statement for each rule 36

Screening Firewall Router Ingress ACL 1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range] 3. If source IP address = 192.168.*.*, DENY [private IP address range] 4. If source IP address = 60.47.*.*, DENY [internal IP address range] 37 5. If source IP address = 1.33.3.4, DENY [black-holed IP address of attacker]

Network Address Translation (NAT)

Network Address Translation (NAT) The problem: Sniffers on the Internet can read packets to and from organizations Reveals IP addresses and port numbers of hosts Provides considerable information about potential victims without the risks of sending probing attacks Solution: Disguise IP addresses and port numbers of internal hosts. 39

Network Address Translation (NAT) (Continued) From 192.168.5.7, Port 61000 From 60.5.9.8, 1 Port 55380 2 Internet Client 192.168.5.7 NAT Firewall Sniffer Server Host Internal External 40 Translation Table IP Addr 192.168.5.7... Port 61000... IP Addr 60.5.9.8... Port 55380...

Network Address Translation (NAT) (Continued) Internet Client 192.168.5.7 4 To 192.168.5.7, Port 61000 NAT Firewall 3 To 60.5.9.8, Port 55380 Sniffer Server Host Internal External 41 Translation Table IP Addr 192.168.5.7... Port 61000... IP Addr 60.5.9.8... Port 55380...

Perspective on NAT Sniffers on the Internet cannot learn internal IP addresses and port numbers Only learn the translated address and port number By themselves, provide a great deal of protection against attacks External attackers cannot create a connection to an internal computers 42

Perspective on NAT (Continued) Sniffers and NAT Sniffers can read stand-in IP addresses and port numbers Can send back packets to these stand-in values; NAT will deliver them to the real host However, most sessions too brief to exploit Still a potential danger if sniffers act quickly 43

Perspective on NAT (Continued) Box: Using NAT for Address Multiplication Firm may only be given a limited number of public IP addresses Must use these in packets sent to the Internet May use private IP addresses internally 44

Perspective on NAT (Continued) Box: Using NAT for Address Multiplication For each public IP address, there can be a separate connection for each possible port Address 60.5.9.8, Port = 2000 Address 60.5.9.8, Port = 2001 Etc. Each connection can be linked to a different internal IP address Can have thousands of internal IP addresses for each public IP address 45

Perspective on NAT (Continued) Sniffers on the Internet cannot learn internal IP addresses and port numbers Only learn the translated address and port number By themselves, provide a great deal of protection against attacks External attackers cannot create a connection to an internal computers 46

Application Proxy Firewalls

Application Proxy Firewall Operation 1. HTTP Request From 192.168.6.77 2. Filtering 3. Examined HTTP Request From 60.45.2.6 Browser HTTP Proxy Webserver Application Application Proxy Firewall 60.45.2.6 Client PC 192.168.6.77 Filtering: Blocked URLs, Post Commands, etc. Webserver 123.80.5.34 48

Application Proxy Firewall Operation (Continued) 6. Examined 4. HTTP Browser HTTP Proxy Response to Webserver HTTP 5. 60.45.2.6 Application Response To Filtering on 192.168.6.77 Hostname, URL, etc. Client PC 192.168.6.77 Application Proxy Firewall 60.45.2.6 Webserver 123.80.5.34 49

Application Proxy Firewall Client Server Relaying Relay operation: Proxy acts as a server to the client and a client to the server Full protocol support Slow processing per packet 50

Application Proxy Firewall (Continued) Core Protections IP address hiding (sniffer will only see the application proxy firewall s IP address) Packet header destruction 51

Core Protections Due to Application Proxy Firewall Relay Operation Protections Offered Automatically by Relaying: IP Address Hiding: Sniffer only Learns IP Address of Firewall Sniffer Packet from 1.2.3.4 Packet from 60.45.2.6 Internal Host 1.2.3.4 Application Proxy Firewall 60.45.2.6 Webserver 123.80.5.34 52

Core Protections Due to Application Proxy Firewall Relay Operation (Continued) Arriving Packet App MSG (HTTP) XOrig. Orig. TCP IP Hdr Hdr Header Removed App MSG (HTTP) App MSG (HTTP) New Packet New TCP Hdr New IP Hdr Attacker 1.2.3.4 Application Proxy Firewall 60.45.2.6 Webserver 123.80.5.34 Protections Offered Automatically by Relaying: 53 Removes Headers from Arriving Packet: Eliminates Header-Based Attacks

Core Protections Due to Application Proxy Firewall Relay Operation (Continued) Protections Offered Automatically by Relaying: Trojan Horse Protocol Enforcement: If Use Port 80, Must be HTTP Internal Client PC 60.55.33.12 1. Trojan Transmits on Port 80 to Get Through Internet-Level Firewall Application Proxy Firewall X 2. Protocol is Not HTTP Firewall Stops The Transmission Attacker 1.2.3.4 54

Application Proxy Firewall Operation (Continued) A Separate Proxy Program is Needed for Each Application Filtered on the Firewall Client PC 192.168.6.77 FTP Proxy SMTP (E-Mail) Proxy Webserver 123.80.5.34 Application Proxy Firewall 60.45.2.6 55

Application Proxy Firewalls (Continued) Multiple Proxies Each application to be filtered needs a separate proxy program Small firms usually use a single application proxy firewall with multiple application proxies Large firms usually use a single application proxy firewall per proxy 56

The Demilitarized Zone (DMZ)

The Demilitarized Zone (DMZ) Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ). 172.18.9.x Subnet Attackers cannot get to Other subnets from there Public Webserver 60.47.3.9 Internet External DNS Server 60.47.3.4 58 DMZ servers are specially hardened. Hardened hosts in Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet the DMZ are called Bastion Hosts 6. DMZ 5. Server Host Firewall SMTP Relay Proxy 60.47.3.10 HTTP Proxy Server 60.47.3.1

The Demilitarized Zone (DMZ) Demilitarized Zone (DMZ) Subnet for servers and application proxy firewalls accessible via the Internet Hosts in the DMZ must be especially hardened because they will be attacked by hackers Hardened hosts in the DMZ are called bastion hosts 59

The Demilitarized Zone (DMZ) (Continued) Uses Tri-Homed Main Firewalls 3 NICs, each attached to a different subnet One subnet to the border router One subnet for the DMZ (accessible to the outside world) One subnet for the internal network Access from the subnet to the Internet is strongly controlled Access from the DMZ is also strongly controlled 60

The Demilitarized Zone (DMZ) (Continued) Hosts in the DMZ Public servers (public webservers, FTP servers, etc.) Application proxy firewalls External DNS server that only knows host names for hosts in the DMZ 61

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)

Intrusion Detection System (IDS) Security Administrator 4. Alarm Intrusion Detection System (IDS) 2. Suspicious Packet Passed Internet 1. Suspicious Packet Attacker? Hardened Server Log File 3. Log Suspicious Packet Corporate Network 63

Firewalls, IDSs, and IPSs Firewalls IDSs IPSs Drops Packets? Yes No Yes Logs Packets Yes Yes Yes Sophistication in Filtering Medium High High Creates Alarms? No Yes Sometimes 64

Firewalls, IDSs, and IPSs (Continued) Sophistication in Filtering Message stream analysis, not just individual packets Reassemble fragmented application messages Deep packet inspection: both internet-level headers and application headers 65

Firewalls, IDSs, and IPSs (Continued) Firewalls Versus IDSs Firewalls drop packets IDSs only generate alarms Too many false positives (false alarms) to drop suspicious packets safely IDSs versus IPSs IDSs send alarms IPSs, using the same filtering mechanisms, actually drops suspicious packets with high confidence of being attacks 66