Firewall Introduction: Several Types of Firewall, Cisco PIX Firewall

What is a Firewall?
- Non-computer industries: a wall that controls the spreading of a fire.
- Networks: a device designed to control the spreading of a network threat.

Software-Based Firewalls
- Advantages: cheaper and ideal for personal or home use.
- Disadvantages:
  o Takes up system resources on the host it runs on.
  o Susceptible to many of the security weaknesses inherent in Windows NT and UNIX.
- Examples: Check Point Firewall-1 or Novell BorderManager.
Hardware-Based Firewalls
- Devices that have the software preinstalled on a specialized hardware platform.
- Advantages:
  o Speed: faster response times and the ability to handle heavier traffic loads.
  o Security: the device's own operating system is less prone to attack.
- Disadvantages: cost more.
- All traffic from inside to outside and vice versa must pass through the firewall.
- Only authorized traffic is allowed in or out.
Common Firewall Technologies
- Packet filtering: limits the information that enters a network based on the IP header.
- Circuit level gateway: applies security mechanisms when a TCP/UDP connection is established. (TCP layer)
  o Once the connection has been made, packets can flow between the hosts without further checking.
- Application level gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. (Application layer)
  o Very effective.
  o Imposes a performance degradation.
- Stateful inspection: combines aspects of the three techniques above.
- These technologies operate at different levels of detail, providing varying degrees of network access protection.
- They are not mutually exclusive: some firewall products implement several of them simultaneously.
Packet Filtering
- Works at the IP layer of TCP/IP; usually part of a router.
- Each packet is compared to a set of access control rules before it is forwarded.
  o Rules include source and destination IP address, source and destination port number, and the protocol used.
  o Depending on the rules, the firewall can drop the packet, forward it, or send a message to the originator.
Packet Filtering (continued)
- Fields examined: source IP address, source port, destination IP address, destination port, IP protocol (TCP, UDP, ICMP, etc.).
- These elements are compared to the ACL to determine whether the packets are permitted or denied.
- Advantage: packet filters process information only up to layer 3, making them very efficient.
- Disadvantage: the least secure type of firewall.
  o Packet filters do not track the TCP session information generated when two computers are communicating with one another.
  o They are not application aware, that is, they cannot understand the context of a given communication, which makes them easier for hackers to break.
- Example: if a packet filtering firewall is set to allow incoming email from the Internet, then an attack on the SMTP service passes through the firewall without problem.
Circuit Level Gateway
- Monitors the TCP handshaking between packets from trusted clients to untrusted hosts to determine whether a requested session is legitimate.
- Example:
  (1) A trusted client requests a service, and the gateway accepts this request.
  (2) Acting on behalf of the client, the gateway opens a connection to the requested untrusted host and then closely monitors the TCP handshaking that follows. It determines that a requested session is legitimate only if the SYN, ACK, and sequence numbers involved in the TCP handshaking are logical.
  (3) The gateway establishes the connection. From this point on, the circuit-level gateway simply copies and forwards packets back and forth without further filtering them.
- [Figure: Trusted Client <-> Circuit level gateway <-> Untrusted host]
Circuit Level Gateway (continued)
- Disadvantage: it cannot examine the application-level content of the packets.
- Most circuit-level gateways are not stand-alone products but instead are packaged with application-level gateways.
Application Level Gateway
- Like a circuit-level gateway, it runs proxies that copy and forward information across the gateway.
- The proxies that an application-level gateway runs differ in two important ways from those of a circuit-level gateway:
  o The proxies are application specific. They accept only packets generated by the services they are designed to copy, forward, and filter. For example, if an application-level gateway ran FTP and Telnet proxies, only packets generated by these services could pass through the firewall; all other services would be blocked.
  o The proxies can filter packets at the application layer of the TCP/IP model. They check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. For example, the gateway could be configured to prevent users from performing the FTP put command, which lets users write to the FTP server. Prohibiting this action can prevent serious damage to the information stored on the server.
Application Level Gateway (continued)
- The application level gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf.
- It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users, and so forth.
Application Level Gateway Example: allow selected internal users to telnet outside
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Application Gateway Weakness
- Very CPU intensive: there are two spliced connections between the end users, and the gateway must examine and forward all traffic in both directions.
- Requires a high performance host computer.
Stateful Inspection
- Combines aspects of a packet-filtering firewall, a circuit-level gateway, and an application-level gateway.
- Like a packet-filtering firewall, it operates at the network layer, filtering all packets based on source and destination IP addresses and port numbers.
- Like a circuit-level gateway, it determines whether the packets in a session are appropriate. For example, a stateful inspection firewall verifies that SYN and ACK flags and sequence numbers are logical.
- Like an application-level gateway, it evaluates the contents of each packet up through the application layer.
Stateful Inspection Firewall and Application-Level Gateway
- Like an application-level gateway, a stateful inspection firewall can be configured to drop packets that contain specific commands.
  o For example, you could configure a stateful inspection firewall to drop FTP packets containing a Put or Get command.
- An application-level gateway requires two connections: one between the trusted client and the gateway, and another between the gateway and the untrusted host.
  o A stateful inspection firewall does not require two connections; it allows a direct connection between a trusted client and an untrusted host.
- Application-level gateways rely on application-specific proxies.
  o A stateful inspection firewall relies on algorithms to recognize and process application-layer data. These algorithms compare packets against known patterns of authorized packets and are able to filter packets more efficiently.
Dynamic State Table
- Stateful inspection combines the speed of packet filters with the enhanced security of stored session information.
- While traffic is being forwarded through the firewall, the connection information (source IP, source port, destination IP, destination port, TCP sequencing information) is written to the state table.
- If the connection is allowed by the security policy, the request goes out. Return traffic is compared to the existing state information; if the information does not match, the firewall drops the connection.
Overview of the Cisco PIX Firewall
- Finesse OS: a secure, real-time, embedded system.
- Adaptive Security Algorithm (ASA): implements stateful connection control.
- Cut-through proxy: an authentication method for both inbound and outbound connections.

(1) Finesse OS
- The PIX has a single system that is responsible for operating the device.
- Better security: there is no separation between the operating system and the firewall application, and there are no known vulnerabilities to exploit.
- Better performance: the Cisco PIX 535 Firewall can handle 500,000 concurrent connections while maintaining stateful inspection of all connections.

(2) Adaptive Security Algorithm (ASA)
- More secure and efficient than packet filtering, and provides better performance than proxy firewalls (circuit level and application gateways).
- ASA is a stateful, connection-oriented process that maintains session information in a state table.
How the Adaptive Security Algorithm Works
1. The internal host initiates a connection to an external resource.
2. The PIX writes the following information about this connection into the state table: source IP, source port, destination IP, destination port, and a randomly generated TCP sequence number.
3. The connection is compared to the security policy. If the connection is not allowed, the session is deleted and the connection is dropped.
4. If the connection is approved by the ACL, the request continues to the external resource.
5. The external resource replies to the request.
6. The response arrives at the firewall and is compared to the state table. If the response matches the session object, the traffic passes to the internal host. If it does not match, the connection is dropped.
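As an added example (not from the slides), the following Python models the two behaviours contrasted on the packet-filtering slide and the ASA walkthrough above: a stateless filter that judges each packet by its header fields alone, and a state table that records outbound sessions (steps 1 to 4) and admits only replies that match a recorded session (step 6). The rules, addresses and outbound policy are constructed for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

class StatelessFilter:
    # Packet filter as on the packet-filtering slide: header fields only, no memory of sessions.
    def __init__(self, rules):
        self.rules = rules  # ordered list of (action, predicate); first match wins

    def check(self, pkt):
        for action, match in self.rules:
            if match(pkt):
                return action
        return "drop"  # implicit deny

class StatefulFirewall:
    # State table as on the dynamic state table and ASA slides.
    def __init__(self, outbound_policy):
        self.policy = outbound_policy  # callable(pkt) -> bool, the security policy of step 3
        self.state = {}                # 5-tuple -> session record

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        # Step 2: record the session, including a random initial sequence number.
        self.state[key] = {"isn": random.randrange(1 << 32)}
        # Step 3: if the policy forbids the connection, delete the session and drop.
        if not self.policy(pkt):
            del self.state[key]
            return "drop"
        return "forward"

    def inbound(self, pkt):
        # Step 6: a reply swaps source and destination; forward only if it matches a session.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "forward" if key in self.state else "drop"

# Constructed comparison: a stateless rule meant to admit replies from web servers
# admits any TCP packet with source port 80, whether or not an inside host asked for it.
STATELESS = StatelessFilter([("forward", lambda p: p.proto == "tcp" and p.src_port == 80)])
STATEFUL = StatefulFirewall(lambda p: p.proto == "tcp" and p.dst_port in (80, 443))

def compare(pkt):
    return STATELESS.check(pkt), STATEFUL.inbound(pkt)
```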
Interface Security Levels
- The ASA implements the ACL based on interface security levels.
- An interface with a higher security level can access an interface with a lower security level.
- Conversely, an interface with a lower security level cannot access an interface with a higher security level without an ACL.
ASA Security Levels Example
- More secure interface (higher security level) to a less secure interface (lower security level): allows all IP-based traffic unless restricted by ACLs.
- Less secure interface (lower security level) to a more secure interface (higher security level): drops all packets unless specifically allowed by the access list.
- Equally secure interfaces: no traffic flows between two interfaces with the same security level, for example, if both interfaces are set to level 50.
Example of Using an ACL: Permitting DMZ Access to Internal Mail
- A hole in the firewall must be opened with an ACL that allows a particular type of traffic to move from a lower-security network to a higher-security network.
- The ACL permits the client mail access to the internal mail server on the inside interface.

  nameif ethernet0 inside sec100
  nameif ethernet1 outside sec0
  nameif ethernet2 dmz sec50
  access-list 100 permit tcp host 172.16.0.6 host 172.8.10.8 eq smtp
  access-group 100 interface dmz
(3) Authentication with Cut-Through Proxy
- The PIX Firewall verifies the identity of users at the firewall and permits or denies access to any TCP- or UDP-based application.
1. A connection to the firewall is initiated via HTTP, FTP, or Telnet, and the user is prompted by the PIX Firewall for a user ID and password.
2. The PIX Firewall uses either the RADIUS or the TACACS+ protocol to forward the user information to an external authentication server, where it is validated.
3. After successful authentication, the connection is opened at the network layer, the session information is written to the connection table, and the ASA process begins.
What a Firewall Does
- It sits at the entry point of the networked system it protects: the firewall is the first process that receives and handles incoming network traffic, and the last to handle outgoing traffic.
- Provides strong authentication.
- Allows VPN.

What a Firewall Does Not Do
- Protect against internal threats.
- Protect against the transfer of virus-infected programs or files.