Firewalls
Pehr Söderman, KTH-CSC, Pehrs@kth.se

Definition
A firewall is a network device that separates two parts of a network, enforcing a policy on all traffic that crosses between them.

Fundamental requirements
- We can split the network into two parts: the trusted part and the untrusted part
- We can write a policy that defines which traffic is safe
- We can implement that policy
- ...and we can do it fast enough
Packet filter (stateless firewall)
- Looks at each packet on its own, using the layer 3 (network/IP) header and usually the layer 4 port numbers
- Can be made very fast
- Requires only a small amount of memory
- The functionality is built into most routers and switches
- Useful for network management
- Not especially powerful as security equipment: it cannot tell a reply from an unsolicited packet, so any "allow replies" rule is a hole

Stateful firewalls
- Work on layer 4 (transport layer) and keep a table of the connections they have seen
- Can be very fast, since a lookup in the state table is cheaper than evaluating the whole rule list
- Require memory to keep the state; memory demands grow quickly for large networks
- Stateful firewalls are the basic scrubbers of your network; they will make your life much easier

Application/proxy firewalls
- Work on layer 7 (application layer)
- Very specialized: a new firewall (proxy) is needed for each application protocol
- Useful for protecting vulnerable clients and servers
- Typically resource intensive (both CPU and memory)
- May terminate the connection and open a fresh one towards the real destination
- HTTP and SMTP proxies are the most common

Personal firewalls
- A stateful firewall protecting a single system
- Has local information a network firewall lacks, such as which program opened the socket
- Typically only found in Windows environments, because the built-in firewall lacked functionality
- Makes little sense on a correctly configured system, but can still protect you from shooting yourself in the foot

Network Address Translation (NAT)
- NAT is a hack needed because of the limited IPv4 address space
- NAT does not offer any security advantage over a firewall
- What it does give is equivalent to a stateful firewall that only allows outgoing connections: an inbound packet that matches no translation entry has nowhere to go
Where do we place our firewalls?
Border firewall
- Hinders network-wide attacks by scrubbing traffic before it reaches our core
- Can absorb some DoS traffic, though not a flood that saturates the uplink in front of it
- Can enforce a network-wide policy, for example "no P2P"
- Typical for small installations

Core network
- Typically no firewalls are placed in the core, for performance and stability reasons
- This means your core network will most likely be as dangerous as the Internet
Designing networks: DMZ
Dial-in/VPN
Where do we terminate the VPN?
1. In the core?
2. In the internal networks?
3. In the DMZ?
4. Somewhere else?
What are the dangers of a modem pool on the internal network? (It is a second entry point that bypasses the border firewall entirely.)
Building a firewall: policy
1. Identify the network applications
2. Identify the vulnerabilities
3. Do a cost-benefit analysis for each application
4. Create a matrix with protection methods
5. Create a firewall ruleset from the matrix
6. Implement the ruleset

Identify network applications
- Grab paper and pencil
- Write down the critical network applications in your home network
- Classify them as client (outbound) or server (inbound)
- You have a few minutes

My network
Outbound: HTTP, Domain (DNS), Bittorrent, SSH, SMTP, NTP... (too many to list), lots of high ports
Inbound: HTTP, FTP, Domain, Bittorrent, FreeAllegiance Server (DPlay), AFS, X
Identify vulnerabilities
- For each service you make accessible you need to consider its security issues
- For example SMB (Server Message Block), Microsoft file sharing
- Let's try to identify the vulnerabilities we know of...

Do a cost-benefit analysis
- What is the cost of keeping it running? In manpower and in security risk
- What are the benefits of keeping it running? Is it critical?
- Can we use an alternative (safer) method?
- Continuing with SMB as the example
Create a service matrix
Describe the ruleset
- Write down a technology-independent description of the rules you want to implement
- This way you easily spot errors in the rules, and you can change the hardware later
- For example:
  FTP: allow outgoing anywhere, max 300 kbps
  FTP: allow incoming to ftp.example.com
  FTP: block everything else

Implement the ruleset
- Write the actual implementation
- Frequently you can use scripts to get it right, and to get the same result again after a reboot
- Once you have implemented the firewall you need to test it, from the outside and not only from the inside, with tools such as hping2, nmap, telnet, Nessus and netcat
Fundamentals of iptables
- The filter table has three built-in chains: INPUT (packets for this host), FORWARD (packets routed through it) and OUTPUT (packets it sends)
- Additional user-defined chains can be created and jumped to
- A packet is tested against the rules of a chain in order; the first matching rule decides, and if none matches the chain's default policy applies

Designing rules
- The match part of a rule decides which packets it applies to
- The jump target (-j) decides what to do with them: ACCEPT, DROP, REJECT, LOG, or the name of a user-defined chain
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j LOG
- Note that LOG is non-terminating: after logging, the packet continues to the next rule, so a LOG rule is normally followed by a DROP or REJECT for the same traffic

Using state
- To save state we need to tell the firewall which packets create a new entry in the connection table:
iptables -A FORWARD -i eth0 -p tcp -m state --state NEW -j ACCEPT
- We can later recall this state to let the rest of the connection through, including related traffic such as ICMP errors and FTP data channels:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
- We can also keep state for UDP (how?): connection tracking records a timed pseudo-connection per UDP address/port pair, so the reply to an outgoing DNS query matches ESTABLISHED even though UDP has no handshake
- In current iptables the same match is spelled -m conntrack --ctstate; -m state is kept as an alias
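The policy workflow on the preceding slides (identify applications, build the service matrix, describe the rules independently of technology, implement) and the iptables state rules above, carried through in one place. This is an added example written for this page, not code from the lecture: the service matrix is constructed for an imaginary home server, the interface name eth0 and the assumption that this server is ftp.example.com are mine, and the script only prints an iptables-restore ruleset rather than loading it.

```shell
#!/bin/sh
# Added example (not from the lecture): the policy workflow carried to the
# end.  A technology-independent service matrix, constructed here for an
# imaginary home server, is turned into a complete stateful iptables
# ruleset in iptables-restore format.  Assumptions: the Internet-facing
# interface is eth0 and the host itself is ftp.example.com, so "incoming
# FTP" is just port 21 on this box.  Nothing is loaded into the kernel.

# Service matrix (constructed), one service per line:
#   name  direction(in|out)  proto(tcp|udp)  port  action(accept|drop|reject)
SERVICE_MATRIX='
http   out tcp 80  accept
https  out tcp 443 accept
dns    out udp 53  accept
ntp    out udp 123 accept
ssh    in  tcp 22  accept
ftp    in  tcp 21  accept
smb    in  tcp 445 reject
'

# Translate a matrix action into an iptables target.  REJECT is spelled out
# with its ICMP error so the choice of response is visible in the ruleset.
target_for() {
    case "$1" in
        accept) echo 'ACCEPT' ;;
        drop)   echo 'DROP' ;;
        reject) echo 'REJECT --reject-with icmp-port-unreachable' ;;
        *)      echo "target_for: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Print the filter-table ruleset.  $1 is the external interface.
build_ruleset() {
    ext_if="${1:-eth0}"
    printf '%s\n' '*filter'
    # Default policy DROP in all three chains: anything the matrix does not
    # mention is blocked.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback is trusted unconditionally.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Connection tracking does the real work: once a NEW packet has been
    # admitted by a matrix rule below, every later packet of that flow (and
    # RELATED traffic such as ICMP errors or FTP data channels) is accepted
    # here without consulting the matrix again.  This is also what makes
    # UDP stateful: conntrack keeps a timed pseudo-connection per UDP
    # 4-tuple, so a DNS reply matches ESTABLISHED although UDP has no
    # handshake.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that fit no known flow and are not a valid start of one
    # (stray ACKs, bad flag combinations) are dropped early.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One rule per matrix row; only the first packet of a flow needs it.
    while read -r name dir proto port action; do
        [ -n "$name" ] || continue                 # skip blank lines
        tgt=$(target_for "$action") || return 1
        case "$dir" in
            in)  printf '%s\n' "-A INPUT -i $ext_if -p $proto --dport $port -m conntrack --ctstate NEW -j $tgt" ;;
            out) printf '%s\n' "-A OUTPUT -o $ext_if -p $proto --dport $port -m conntrack --ctstate NEW -j $tgt" ;;
            *)   echo "build_ruleset: bad direction '$dir' for $name" >&2; return 1 ;;
        esac
    done <<EOF
$SERVICE_MATRIX
EOF
    # Whatever reaches the end of a chain is logged (rate-limited, so an
    # attacker cannot fill the disk) and then hits the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 15/minute -j LOG --log-prefix "FW-DROP-IN: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 15/minute -j LOG --log-prefix "FW-DROP-OUT: "'
    printf '%s\n' 'COMMIT'
}

# Stand-alone use: print the ruleset for eth0 and review it.
build_ruleset eth0
```

Run the output through iptables-restore --test to syntax-check it, then iptables-restore to load it, from a console rather than over SSH the first time. Two things the matrix hides: the 300 kbps limit on the FTP slide is not a filter decision and belongs to tc, and RELATED only covers FTP data channels when the ftp connection-tracking helper is loaded and, on kernels from 4.7 on, explicitly assigned to port 21 with a CT rule in the raw table.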
Logging
- One of the most important functions of a firewall is to log data
- The iptables LOG target writes to the kernel log, which syslog picks up:
iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
- Frequently you want to limit the amount of data:
iptables -A INPUT -m limit --limit 15/minute -j LOG
- Logging can quickly fill hard disks, and a common attack is to simply overflow the logs...
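Reading the log back is the other half of logging. The following is an added example, not from the lecture: it runs simple detection logic over constructed syslog lines in the format the LOG target produces. The prefix FW-DROP-IN: is an assumed --log-prefix and the addresses come from the RFC 5737 documentation ranges. It counts drops per source and flags sources that probed several different ports, which a stray connection does not do.

```shell
#!/bin/sh
# Added example (not from the lecture): summarize the firewall's LOG output.
# SAMPLE_LOG is constructed in the syslog format the iptables LOG target
# produces; "FW-DROP-IN: " is an assumed --log-prefix, hosts and MACs are
# made up, addresses are from the documentation ranges.
SAMPLE_LOG='
Mar 10 10:01:02 fw kernel: [1234.01] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 10:01:02 fw kernel: [1234.02] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 10:01:03 fw kernel: [1234.03] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 10:01:03 fw kernel: [1234.04] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40004 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 10:02:10 fw kernel: [1301.55] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:02:40 fw kernel: [1331.02] FW-DROP-IN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:03:00 fw kernel: [1351.00] FW-DROP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.99 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=514 LEN=56
'

# Summarize dropped inbound packets per source as
#   "<drops> <src> <distinct destination ports>", busiest source first.
# Reads log lines on stdin; outbound drops (FW-DROP-OUT) are ignored.
drop_summary() {
    awk '
        /FW-DROP-IN:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            drops[src]++
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in drops) printf "%d %s %d\n", drops[s], s, ports[s] }
    ' | sort -k1,1nr -k2,2
}

# Print sources that touched at least $1 distinct ports (default 3): the
# signature of a port scan rather than of one misdirected connection.
scanners() {
    min_ports="${1:-3}"
    drop_summary | awk -v n="$min_ports" '$3 >= n { print $2 }'
}

# Stand-alone use over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_LOG" | scanners 3
```

Because of -m limit the counts are a floor: once the limit is exceeded the packets are still dropped but no longer logged, which is exactly why an attacker who wants to hide a scan may first flood the log. A per-source limit (-m hashlimit with --hashlimit-mode srcip) keeps one noisy host from silencing the rest.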
Anti-spoofing
- A very important rule is to prevent spoofing
- In simple configurations use the reverse path check: does the packet's source address match the interface you would route that address through?
- On Linux this is not an iptables rule but a kernel sysctl, set per interface (the effective value is the higher of conf/all and the interface's own entry):
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
- You don't have to write a rule!
- But be careful if your routing is asymmetric: strict mode (1) drops legitimate packets that arrive on the "wrong" interface; loose mode (2) only checks that the source is routable at all
Scrubbing and normalization
- Many firewalls have built-in scrubbing
- When scrubbing, the firewall cleans up the traffic: it reassembles fragments, enforces an MTU, sets the TTL, etc.
- This protects against many attacks that target bad IP implementations (overlapping or tiny fragments, for example)
- iptables has no single scrub option like OpenBSD pf; connection tracking does reassemble fragments before the rules see them, and individual mangle-table targets (TCPMSS, TTL) cover parts of the rest
How do we block?
- We can DROP the packet
  - Silent and quick
  - Gives no error message to the user
  - Slows things down for the user, who has to wait for a timeout
  - Makes it harder to map the firewall
- We can REJECT the packet
  - Requires a response (an ICMP error or, for TCP, a RST)
  - Gives the user an error message
  - Makes the network seem more responsive
  - Simplifies mapping the firewall
Firewall issues: ICMP
- ICMP requires stateful tracking
- Some ICMP messages have security issues
- Today we usually allow echo, destination unreachable (at least "fragmentation needed", or path MTU discovery breaks) and source quench; source quench has since been deprecated (RFC 6633) and should now be dropped
- Do not forget ICMP when writing your rules! How many had ICMP on their original list of services?
Firewall issues: port 80
- Today most of the user data goes over port 80, so we cannot block it...
- At the other end sits a complex and vulnerable application
- We can use an HTTP proxy and try to scrub the data
- Or we can simply ignore the issue. Guess what most people do...
Weaknesses of a firewall
Is the whole concept valid?
Bypassing a firewall
- Spoofing
- Fragmentation
- HTTP (tunnelling anything over the port that is always open)
- TTL (packets that expire between the firewall and the host, so the two see different streams)
- DNS (tunnelling over the resolver traffic that is always allowed)
- Source route
- OOB (out-of-band/urgent TCP data, handled differently by firewall and host)
- UPnP (clients on the inside opening ports on the firewall)
How to make your firewall useful
- Read the logs
- Test the firewall regularly
- Join the Internet Storm Center, www.incidents.org
- Save packets that seem odd, and track down what is going on!
- Update your policy and configuration regularly
Popular firewall implementations
- Dedicated: CheckPoint, Cisco IOS
- Linux: iptables
- OpenBSD: PF (Packet Filter)
- Solaris: IPFilter
- Windows: Windows Firewall, ISA Server
Conclusions

What you should know now
- What is a firewall?
- Stateless, stateful and application firewalls
- Placement of firewalls
- Typical workflow when creating a firewall
- Usage of iptables
- Limitations of firewalls
Additional reading
- NIST Special Publication SP 800-41, Guidelines on Firewalls and Firewall Policy
- RFC 2979, Behavior of and Requirements for Internet Firewalls
- Beyond Fear: Schneier looks at what is broken in the security world
- Internet Storm Center, http://isc.sans.org/ : daily updates on the current security issues on the net
Questions?

Extra
What do you want to know about: Intrusion Detection Systems, Intrusion Prevention Systems?