Firewalls
P+S Linux Router & Firewall 2013
Firewall Techniques
What is a firewall?
A firewall is a hardware or software device configured to permit, deny, or proxy data between parts of a computer network that have different levels of trust.
Types of operation
- Simple packet filter
- Stateful filter
- Application layer / proxy based
Firewall Rules
Filtering
- Ingress: filter incoming traffic
- Egress: filter outgoing traffic
Default policy
- Accept all versus reject all
Deny access
- Drop: silently drop the packet
- Reject: drop the packet and inform the sender
Addressing
- Transparency
- Firewall and network fingerprinting
Firewall Rule Processing
(Diagram of the rule-processing path between the NICs; NIC = Network Interface Card.)
Stateless Firewall - Packet Filter
Functionality
- Examines each packet at the network layer, in isolation.
- Decision based on the packet header.
Pros
- Application independent
- Good performance and scalability
Cons
- No state or application context
Source: CheckPoint
Stateful Firewall
Functionality
- Keeps track of the state of the network connections.
- Decision based on session state.
Pros
- Easier to specify rules
Cons
- State explosion
- What is "state" for connectionless UDP?
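To make the stateless/stateful contrast of the two preceding slides concrete, here is a small connection-tracking filter (added example, not code from the lecture). It is a constructed model: inside hosts live in 10.0.0.0/24, egress is accept-all, ingress is default-deny, and UDP "state" is only a timestamp that expires, which is the "State for UDP?" problem in code.

```python
from collections import namedtuple

# syn: TCP SYN flag, set only on the packet that opens a session
Packet = namedtuple("Packet", "proto src sport dst dport syn", defaults=(False,))

class StatefulFilter:
    """Constructed model of a stateful filter: egress is accepted and recorded,
    ingress is default-deny and accepted only as the reverse direction of a
    session already in the table. UDP has no handshake, so its 'state' is
    merely a timestamp that expires after udp_timeout seconds."""

    def __init__(self, inside_prefix="10.0.0.", udp_timeout=30.0):
        self.inside_prefix = inside_prefix
        self.udp_timeout = udp_timeout
        self.sessions = {}  # (proto, local endpoint, remote endpoint) -> last seen

    def _key(self, pkt, outbound):
        local = (pkt.src, pkt.sport) if outbound else (pkt.dst, pkt.dport)
        remote = (pkt.dst, pkt.dport) if outbound else (pkt.src, pkt.sport)
        return (pkt.proto, local, remote)

    def filter(self, pkt, now):
        """Return 'ACCEPT' or 'DROP' for pkt seen at time now (seconds)."""
        outbound = pkt.src.startswith(self.inside_prefix)
        key = self._key(pkt, outbound)
        if outbound:
            if pkt.proto == "tcp" and not pkt.syn and key not in self.sessions:
                return "DROP"            # mid-stream TCP with no session: invalid
            self.sessions[key] = now     # create or refresh the session
            return "ACCEPT"
        last = self.sessions.get(key)
        if last is None:
            return "DROP"                # unsolicited inbound packet
        if pkt.proto == "udp" and now - last > self.udp_timeout:
            del self.sessions[key]       # UDP pseudo-state has expired
            return "DROP"
        self.sessions[key] = now
        return "ACCEPT"

def demo():
    """Constructed traffic: the same inbound TCP header is dropped before the
    session exists and accepted after it; a UDP answer is accepted only while
    the pseudo-state is fresh."""
    fw = StatefulFilter()
    probe = Packet("tcp", "18.181.0.31", 80, "10.0.0.1", 4321)
    syn = Packet("tcp", "10.0.0.1", 4321, "18.181.0.31", 80, syn=True)
    query = Packet("udp", "10.0.0.1", 5353, "18.181.0.31", 53)
    answer = Packet("udp", "18.181.0.31", 53, "10.0.0.1", 5353)
    return [fw.filter(probe, 0), fw.filter(syn, 1), fw.filter(probe, 2),
            fw.filter(query, 3), fw.filter(answer, 4), fw.filter(answer, 100)]
```

A stateless filter sees identical headers for the first and third packet and cannot give them different verdicts; the session table is what makes the difference.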
Application Layer Firewall
Functionality
- Takes application state into account in the security decision.
Pros
- Application layer awareness
Cons
- Only the explicitly supported application protocols
- Performance, scalability
Web Application Firewall (WAF)
- Protects web-based applications from malicious requests
- Response to the trend towards Software as a Service (SaaS)
- Instance of an application layer firewall
Request filtering
- Request patterns (signatures): forceful browsing, SQL injection, cross-site scripting, buffer overflow attempts, checking the number of form parameters, ...
- Static or dynamic blacklisting / whitelisting
- False positive problem
- Implementation often as a reverse proxy
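The request filtering described on this slide, as an added example (not code from the lecture or any real WAF): a reverse proxy style check that combines a whitelist (known paths and a bound on the number of parameters) with a small blacklist of signatures, and deliberately ends with a benign search query that trips a signature, the false positive problem. The paths, parameter limits and signatures are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed toy ruleset (not a real WAF's): a positive model of which paths exist
# and how many parameters each may carry, plus a few blacklist signatures.
ALLOWED_PATHS = {"/login": 2, "/search": 1}          # path -> max number of parameters
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\w+'?\s*="),
    "cross_site_scripting": re.compile(r"(?i)<\s*script|javascript\s*:"),
}

def inspect_request(method, url, body=""):
    """Decide whether the reverse proxy forwards one request; returns (verdict, reason)."""
    parts = urlsplit(url)
    # Whitelist first: a request for a path the application does not expose is
    # forceful browsing, whatever its parameters contain.
    if parts.path not in ALLOWED_PATHS:
        return "block", "path not in whitelist"
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    if len(params) > ALLOWED_PATHS[parts.path]:
        return "block", "too many form parameters"
    # Blacklist second: signature match on every (URL-decoded) parameter value.
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    return "block", f"{sig_name} signature in parameter {name}"
    return "allow", "ok"

def demo():
    """Run constructed requests through the filter; the last one is a false positive."""
    return [
        inspect_request("GET", "/search?q=linux+firewall"),
        inspect_request("GET", "/admin/config"),
        inspect_request("POST", "/login", "user=alice&pass=x&debug=1"),
        inspect_request("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        # A benign query about a "Union Select Committee" trips the SQL injection signature
        inspect_request("GET", "/search?q=union+select+committee"),
    ]
```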
Organizational Challenges
Extensive rulesets
- Firewall rulesets are complex and grow over time, with thousands of rules on a single firewall.
- Rulesets are hard to manage and understand (do they really reflect your security policy?).
Big organizations
- Tools needed to manage hundreds of firewalls securely.
- What is the process to change rulesets?
Conflicting goals: networking vs. security staff
- Networking staff: paid for providing connectivity, blamed for disruptions.
- Security staff: paid to protect, and disrupt connectivity.
Network Address Translation (NAT)
A small man's firewall
NAT - Network Address Translation
One way to the Internet, ubiquitously deployed in home networks.
(Diagram: hosts A, B and C on the home network, 10.0.0.1, 10.0.0.2 and 10.0.0.3, behind a NAT device with public address 155.99.25.11; a host B in the public Internet at 18.181.0.31. Arrows mark which side initiates communication: the hosts behind the NAT device towards the public Internet, and hosts in the public Internet towards the NAT device.)
Network Address Translation
- Enables multiple hosts on a private network to access the Internet using a single public IP address.
- Re-writes the source and/or destination addresses of IP packets as they pass through a router or firewall.
Benefits
- Prevents malicious activity initiated by outside hosts.
- Saves address space.
Drawbacks
- No true end-to-end connectivity.
- Some protocols can be disrupted (IPsec, SIP, ftp, ...).
NAT Concept
Session
- A session endpoint for TCP or UDP is a pair {IP address, port number}.
- A particular session is uniquely identified by its two session endpoints (local IP:port, remote IP:port).
- The direction of a session is normally the flow direction of the packet that initiates the session:
- the initial SYN packet for TCP
- the first user datagram for UDP.
NAT Modes
Asymmetric bridge between private and public network: allows only outbound sessions to traverse the NAT.
1. Basic NAT
- Translates IP addresses only, keeps port numbers.
- One public IP needed for each internal host (one to one).
2. Network Address and Port Translation (NAPT)
- Translates entire session endpoints.
- Many internal hosts can share one public IP (many to one).
NAT Operation
(Diagram: Host A 10.0.0.1 in the private network, NAT device with public address 155.99.25.11, Host B 18.181.0.31 in the Internet.)
- Packet from A before the NAT device: Src 10.0.0.1:4321, Dst 18.181.0.31:1234
- Same packet after translation: Src 155.99.25.11:6200, Dst 18.181.0.31:1234
- NAT binding: 10.0.0.1:4321 - 155.99.25.11:6200
- Reply from B before the NAT device: Src 18.181.0.31:1234, Dst 155.99.25.11:6200
- Same reply after reverse translation: Src 18.181.0.31:1234, Dst 10.0.0.1:4321
Peer to Peer through NAT
(Diagram: Peer A behind router A's NAT, Peer B behind router B's NAT, the public Internet in between.)
- Peer A tries to contact Peer B but is blocked by router B.
- Peer B tries to contact Peer A but is blocked by router A.
- No communication can be established.
- NAT hole punching techniques
NAT UDP Hole Punching - 1
Hole punching assumes that the clients A and B already have active UDP sessions with a rendezvous server S.
Server S records the clients' private and public session endpoints:
- A: (10.0.0.1:4321, 155.99.25.11:62000)
- B: (10.1.1.3:4321, 138.76.29.7:31000)
Source: http://pdos.csail.mit.edu/papers/p2pnat.pdf
NAT UDP Hole Punching - 2
1. A asks S for help to establish a session with B.
2. S replies to A with B's public and private endpoints.
3. S sends B a connection request with A's endpoints (using the pre-established session B-S).
Now A and B know each other's public and private endpoints.
NAT UDP Hole Punching - 3
A and B start sending UDP packets to the peer's endpoints (without synchronization).
- A's first packet to B's public endpoint punches a hole in A's NAT and is blocked at B's NAT.
- B's first packet to A's public endpoint punches a hole in B's NAT and passes A's NAT.
- A's next packet to B's public endpoint passes B's NAT.
NAT UDP Hole Punching - 4
Communication through the peers' public endpoints is established.
Only the messages to the public endpoints get through.
NAT UDP Hole Punching - 5
Assumption: NAT-A is well behaved.
- NAT-A preserves the identity of A's private endpoint, consistently translating all outbound sessions from (10.0.0.1:4321) to the corresponding public endpoint (155.99.25.11:62000).
- The new session's source endpoint (10.0.0.1:4321) is the same as that of the existing session A-S.
- This is supported by most vendors of NAT devices.
Recommended reading: http://pdos.csail.mit.edu/papers/p2pnat.pdf
- Section 3: UDP Hole Punching
- Section 5.1: Consistent Endpoint Translation
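The NAPT binding of the NAT Operation slide and the hole punching sequence of the last five slides, replayed with the addresses the slides use (added example, not code from the lecture or from the cited paper). Two things are assumptions of this model: the rendezvous server's port 3478, and endpoint-restricted filtering, i.e. a NAT lets an inbound packet through only when its private host has already sent a packet to that exact remote endpoint.

```python
import itertools

class NAPT:
    """Constructed model of a well-behaved NAPT device: consistent endpoint
    translation (one private endpoint always maps to the same public port) and,
    as an added assumption of this model, endpoint-restricted filtering: an
    inbound packet passes only if the private host has already sent a packet
    to that exact remote endpoint, i.e. a hole has been punched for it."""

    def __init__(self, public_ip, first_port):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        self.bindings = {}   # private (ip, port) -> public port
        self.reverse = {}    # public port -> private (ip, port)
        self.holes = set()   # (public endpoint, remote endpoint) seen outbound

    def outbound(self, src, dst):
        """Translate a packet leaving the private side; returns its public source."""
        if src not in self.bindings:
            port = next(self.free_ports)
            self.bindings[src], self.reverse[port] = port, src
        public = (self.public_ip, self.bindings[src])
        self.holes.add((public, dst))
        return public

    def inbound(self, src, dst):
        """Translate a packet arriving from the Internet; returns the private
        destination, or None when the NAT drops it."""
        if (dst, src) not in self.holes:
            return None
        return self.reverse[dst[1]]

def hole_punch():
    """Replay the UDP hole punching sequence of the slides; returns
    (A's public endpoint, B's public endpoint, log of inbound verdicts)."""
    nat_a, nat_b = NAPT("155.99.25.11", 62000), NAPT("138.76.29.7", 31000)
    a_priv, b_priv = ("10.0.0.1", 4321), ("10.1.1.3", 4321)
    server = ("18.181.0.31", 3478)   # rendezvous server S (constructed endpoint)
    # Both peers already have a UDP session with S; S learns their public endpoints
    a_pub, b_pub = nat_a.outbound(a_priv, server), nat_b.outbound(b_priv, server)
    log = []
    nat_a.outbound(a_priv, b_pub)                 # A -> B: punches a hole in NAT-A...
    log.append(("A->B", nat_b.inbound(a_pub, b_pub)))  # ...but is blocked at NAT-B
    nat_b.outbound(b_priv, a_pub)                 # B -> A: punches a hole in NAT-B...
    log.append(("B->A", nat_a.inbound(b_pub, a_pub)))  # ...and passes NAT-A
    nat_a.outbound(a_priv, b_pub)                 # A's next packet to B...
    log.append(("A->B", nat_b.inbound(a_pub, b_pub)))  # ...now passes NAT-B
    return a_pub, b_pub, log
```

Because the private endpoint 10.0.0.1:4321 is reused for the session to S and for the session to B, consistent translation keeps the public endpoint at 155.99.25.11:62000, which is exactly what S reported to B; a NAT without that property would hand out a fresh port and the punched hole would not match.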