Firewalls Chapter 5 Copyright Prentice-Hall 2003

Page 1

Firewalls

Chapter 5

Copyright Prentice-Hall 2003

Page 2

Figure 5-1: Border Firewall

Diagram: an attacker on the Internet (not trusted) sends an attack packet toward the Internet border firewall, which records its decisions in a log file; behind the firewall sit a hardened client PC and a hardened server on the internal corporate network (trusted). Labelled packet paths: passed packet (ingress), dropped packet (ingress), passed packet (egress).

Page 3

Figure 5-2: Types of Firewall Inspection

Packet Inspection: Examines IP, TCP, UDP, and ICMP header contents

Static packet filtering looks at individual packets in isolation; misses many attacks

Stateful inspection inspects packets in the context of the packet’s role in an ongoing or incipient conversation

Stateful inspection is the preferred packet inspection method today

Page 4

Figure 5-2: Types of Firewall Inspection

Application Inspection: Examines application layer messages

Stops some attacks that packet inspection cannot

Network Address Translation: Hides the IP addresses of internal hosts to thwart sniffers

Benignly spoofs source IP addresses in outgoing packets

Page 5

Figure 5-2: Types of Firewall Inspection

Denial-of-Service Inspection: Recognizes incipient DoS attacks and takes steps to stop them

Limited to a few common types of attacks

Authentication: Only packets from users who have proven their identity are allowed through

Not commonly used, but can be valuable

Page 6

Figure 5-2: Types of Firewall Inspection

Virtual Private Network Handling

Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection

VPN protection often works in parallel with other types of inspection instead of being integrated with them

Page 7

Figure 5-2: Types of Firewall Inspection

Integrated Firewalls

Most commercial products combine multiple types of filtering

Some freeware and shareware firewall products offer only one type of filtering

Page 8

Firewalls

Types of Firewalls
  Screening router firewalls
  Computer-based firewalls
  Firewall appliances
  Host firewalls (firewalls on clients and servers)

Inspection Methods

Firewall Architecture

Configuring, Testing, and Maintenance

Page 9

Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls Add firewall software to router

Usually provide light filtering only

Expensive for the processing power—usually must upgrade hardware, too

Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier

Good location for egress filtering—can eliminate scanning responses, even from the router

Page 10

Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Add firewall software to a server with an existing operating system: Windows or UNIX

Can be purchased with enough processing power to handle any load

Easy to use because administrators already know the operating system

Firewall vendor might bundle the software with hardened hardware and operating system software

Page 11

Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

General-purpose operating systems result in slower processing

Security: Attackers may be able to hack the operating system

Change filtering rules to allow attack packets in

Change filtering rules to drop legitimate packets

Page 12

Figure 5-3: Firewall Hardware and Software

Firewall Appliances

Boxes with minimal operating systems

Therefore, difficult to hack

Setup is minimal

Not customized to specific firm’s situation

Must be able to update

Page 13

Figure 5-3: Firewall Hardware and Software

Host Firewalls

Installed on hosts themselves (servers and sometimes clients)

Enhanced security because of host-specific knowledge

For example, filter out everything but webserver transmissions on a webserver

Page 14

Figure 5-3: Firewall Hardware and Software

Host Firewalls

Defense in depth

Normally used in conjunction with other firewalls

Although on a single host computer attached to the Internet, it might be the only firewall

Page 15

Figure 5-3: Firewall Hardware and Software

Host Firewalls

If not centrally managed, configuration can be a nightmare

Especially if rule sets change frequently

Client firewalls typically must be configured by ordinary users

Might misconfigure or reject the firewall

Need to centrally manage remote employee computers

Page 16

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering

Diagram: performance requirements are driven by traffic volume (packets per second) and by complexity of filtering (number of filtering rules, complexity of rules, etc.).

Page 17

Firewalls

Types of Firewalls

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 18

Figure 5-5: Static Packet Filter Firewall

Diagram: a static packet filter firewall sits between the Internet and the corporate network. Arriving packets (IP-H + TCP-H + application message; IP-H + UDP-H + application message; IP-H + ICMP message) are examined one at a time, in isolation, and only the IP, TCP, UDP and ICMP headers are examined. Each packet is permitted (passed) or denied (dropped), and the decision is written to a log file.

Page 19

Figure 5-6: Access Control List (ACL) For Ingress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address = 60.40.*.*, DENY [internal address range]

5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]

6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

Page 20

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]

8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

9. If TCP destination port = 20, DENY [FTP data connection]

10. If TCP destination port = 21, DENY [FTP supervisory control connection]

11. If TCP destination port = 23, DENY [Telnet data connection]

12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

Page 21

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

13. If TCP destination port = 513, DENY [UNIX rlogin without password]

14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]

15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]

16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]

17. If ICMP Type = 0, PASS [allow incoming echo reply messages]

DENY ALL

Page 22

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]

5. If ICMP Type = 8, PASS [allow outgoing echo messages]

6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages]

Page 23

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]

8. If source IP address = 60.47.3.9 and TCP source port = 80 OR 443, PERMIT [public webserver]

9. If TCP source port=0 through 49151, DENY [well-known and registered ports]

10. If UDP source port=0 through 49151, DENY [well-known and registered ports]

11. If TCP source port =49152 through 65,536, PASS [allow outgoing client connections]

12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]

13. DENY ALL
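The ingress ACL of Figure 5-6 executed as a first-match list, as an added example that is not part of the textbook's slides. The names Packet, Rule, evaluate and INGRESS_ACL are mine; the rule set, including the 60.40.*.* internal range of rule 4 and the 1.2.3.4 black-holed address of rule 5, is copied from the figure in the figure's order, rule 7's "80 OR 443" is read as "port 80 or port 443", and "172.16.*.* to 172.31.*.*" is written as the CIDR block 172.16.0.0/12. The egress ACL of Figure 5-7 can be built the same way from source-port predicates; note that TCP and UDP port numbers are 16-bit, so the ranges in egress rules 11 and 12 end at 65535 in practice.

```python
# Added example, not from the textbook: a first-match static packet filter that
# evaluates the ingress ACL of Figure 5-6 in series, with DENY ALL as the default.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                          # source IP address
    dst: str                          # destination IP address
    proto: str                        # "TCP", "UDP" or "ICMP"
    dport: int = 0                    # destination port (TCP/UDP only)
    flags: frozenset = frozenset()    # TCP flags that are set, e.g. {"SYN"}
    icmp_type: int = -1               # ICMP type (ICMP only)


@dataclass(frozen=True)
class Rule:
    action: str                       # "PASS" or "DENY"
    comment: str                      # the bracketed note from the figure
    match: Callable[[Packet], bool]   # predicate over the packet headers


# Helpers that build the predicates the figure's rules use.
def src_in(cidr: str) -> Callable[[Packet], bool]:
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net


def tcp_flags(set_flags, clear_flags=()) -> Callable[[Packet], bool]:
    return lambda p: (p.proto == "TCP"
                      and set(set_flags) <= p.flags
                      and not (set(clear_flags) & p.flags))


def dport_in(proto: str, *ports: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == proto and p.dport in ports


def dport_between(proto: str, low: int, high: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == proto and low <= p.dport <= high


def icmp_type(t: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "ICMP" and p.icmp_type == t


# Rules 1-17 of Figure 5-6, in the figure's order.
INGRESS_ACL = [
    Rule("DENY", "private IP address range", src_in("10.0.0.0/8")),
    Rule("DENY", "private IP address range", src_in("172.16.0.0/12")),
    Rule("DENY", "private IP address range", src_in("192.168.0.0/16")),
    Rule("DENY", "internal address range", src_in("60.40.0.0/16")),
    Rule("DENY", "black-holed address of attacker", src_in("1.2.3.4/32")),
    Rule("DENY", "crafted attack packet", tcp_flags({"SYN", "FIN"})),
    Rule("PASS", "connection to a public webserver",
         lambda p: p.dst == "60.47.3.9" and dport_in("TCP", 80, 443)(p)),
    Rule("DENY", "attempt to open a connection from the outside",
         tcp_flags({"SYN"}, clear_flags={"ACK"})),
    Rule("DENY", "FTP data connection", dport_in("TCP", 20)),
    Rule("DENY", "FTP supervisory control connection", dport_in("TCP", 21)),
    Rule("DENY", "Telnet data connection", dport_in("TCP", 23)),
    Rule("DENY", "NetBIOS connection for clients", dport_between("TCP", 135, 139)),
    Rule("DENY", "UNIX rlogin without password", dport_in("TCP", 513)),
    Rule("DENY", "UNIX rsh launch shell without login", dport_in("TCP", 514)),
    Rule("DENY", "SSH; some versions are insecure", dport_in("TCP", 22)),
    Rule("DENY", "TFTP; no login necessary", dport_in("UDP", 69)),
    Rule("PASS", "allow incoming echo reply messages", icmp_type(0)),
]


def evaluate(acl, packet: Packet, default: str = "DENY") -> Tuple[str, Optional[int]]:
    """Test the rules in series; the first match decides.  Returns the action and
    the 1-based number of the deciding rule, or None when the default rule fired."""
    for number, rule in enumerate(acl, start=1):
        if rule.match(packet):
            return rule.action, number
    return default, None


if __name__ == "__main__":
    # Constructed packets arriving at the border router from the Internet.
    samples = [
        ("SYN to public webserver", Packet("123.80.5.34", "60.47.3.9", "TCP", 80, frozenset({"SYN"}))),
        ("SYN to an internal host", Packet("123.80.5.34", "60.47.8.20", "TCP", 22, frozenset({"SYN"}))),
        ("spoofed private source", Packet("10.1.2.3", "60.47.3.9", "TCP", 80, frozenset({"SYN"}))),
        ("SYN+FIN crafted packet", Packet("123.80.5.34", "60.47.3.9", "TCP", 80, frozenset({"SYN", "FIN"}))),
        ("echo reply", Packet("123.80.5.34", "60.47.8.20", "ICMP", icmp_type=0)),
        ("echo request", Packet("123.80.5.34", "60.47.8.20", "ICMP", icmp_type=8)),
    ]
    for name, pkt in samples:
        action, number = evaluate(INGRESS_ACL, pkt)
        by = f"rule {number}: {INGRESS_ACL[number - 1].comment}" if number else "DENY ALL"
        print(f"{name:26s} -> {action} ({by})")
```

Because the list is first-match, the position of rule 7 matters: it sits before rule 8 so that the SYN that opens a connection to the public webserver is passed, while every other SYN from the outside is caught by rule 8. The echo request in the sample matches nothing and falls through to DENY ALL.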

Page 24

Firewalls

Types of Firewalls

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 25

Figure 5-8: Stateful Inspection Firewalls

State of Connection: Open or Closed

State: Order of packet within a dialog

Often simply whether the packet is part of an open connection

Page 26

Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

For TCP, record two IP addresses and port numbers in state table as OK (open) (Figure 5-9)

By default, permit connections from internal clients (on trusted network) to external servers (on untrusted network)

This default behavior can be changed with an ACL

Accept future packets between these hosts and ports with little or no inspection

Page 27

Figure 5-9: Stateful Inspection Firewall Operation I

Diagram: internal client PC 60.55.33.12, stateful firewall, external webserver 123.80.5.34.

1. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 (client to firewall)
2. Establish connection (firewall records it in the connection table)
3. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 (firewall to webserver)

Connection Table
Type  Internal IP   Internal Port  External IP  External Port  Status
TCP   60.55.33.12   62600          123.80.5.34  80             OK

Note: outgoing connections allowed by default

Page 28

Figure 5-9: Stateful Inspection Firewall Operation I

4. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 (webserver to firewall)
5. Check connection table: OK
6. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 (firewall to client)

Connection Table
Type  Internal IP   Internal Port  External IP  External Port  Status
TCP   60.55.33.12   62600          123.80.5.34  80             OK

Page 29

Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

For UDP, also record the two IP addresses and port numbers in the state table

Connection Table
Type  Internal IP   Internal Port  External IP  External Port  Status
TCP   60.55.33.12   62600          123.80.5.34  80             OK
UDP   60.55.33.12   63206          1.8.33.4     69             OK

Page 30

Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection

But stateful firewalls can (Figure 5-10)

Page 31

Figure 5-10: Stateful Firewall Operation II

Diagram: attacker 10.5.3.4 spoofing an external webserver, stateful firewall, internal client PC 60.55.33.12.

1. Spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
2. Check connection table: no connection match, so drop

Connection Table
Type  Internal IP   Internal Port  External IP  External Port  Status
TCP   60.55.33.12   62600          123.80.5.34  80             OK
UDP   60.55.33.12   63206          222.8.33.4   69             OK

Page 32

Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

Cannot deal with port-switching applications

But stateful firewalls can (Figure 5-11)

Page 33

Figure 5-11: Port-Switching Applications with Stateful Firewalls

Diagram: internal client PC 60.55.33.12, stateful firewall, external FTP server 123.80.5.34.

1. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 (client to firewall)
2. To establish connection (firewall adds the state table entry below)
3. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 (firewall to FTP server)

State Table
Type  Internal IP   Internal Port  External IP  External Port  Status  Added in
TCP   60.55.33.12   62600          123.80.5.34  21             OK      Step 2

Page 34

Figure 5-11: Port-Switching Applications with Stateful Firewalls

4. TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, "Use ports 20 and 55336 for data transfers" (FTP server to firewall)
5. To allow, establish second connection (firewall adds a second state table entry)
6. TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, "Use ports 20 and 55336 for data transfers" (firewall to client)

State Table
Type  Internal IP   Internal Port  External IP  External Port  Status  Added in
TCP   60.55.33.12   62600          123.80.5.34  21             OK      Step 2
TCP   60.55.33.12   55336          123.80.5.34  20             OK      Step 5
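The connection-table logic of Figures 5-9, 5-10 and 5-11 replayed in code, as an added example that is not part of the textbook's slides. Segment, StatefulFirewall, run_figures and the expect() method are names I chose; the table is keyed on the figure's columns (type, internal IP and port, external IP and port), outgoing connections are allowed by default as the figures state, and the addresses and ports are the ones printed in the figures (the unannounced data port 55337 is constructed for contrast).

```python
# Added example, not from the textbook: a stateful inspection firewall that keeps
# the connection table of Figures 5-9 to 5-11.  Outgoing connections from the
# trusted network are allowed by default; an arriving packet is passed only when
# it belongs to a connection already recorded in the table.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    proto: str                        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()    # TCP flags that are set, e.g. {"SYN", "ACK"}


# Table key: (type, internal IP, internal port, external IP, external port)
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # connection table: key -> status ("OK")

    def outbound(self, seg: Segment) -> str:
        """Packet from the trusted side.  A TCP SYN (without ACK) or a UDP datagram
        opens a connection, so its endpoints are recorded (step 2 of Figure 5-9);
        any other packet must belong to a connection that is already open."""
        key = (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        opens = seg.proto == "UDP" or ("SYN" in seg.flags and "ACK" not in seg.flags)
        if opens:
            self.table[key] = "OK"
            return "PASS"
        return "PASS" if self.table.get(key) == "OK" else "DROP"

    def inbound(self, seg: Segment) -> str:
        """Packet from the untrusted side: pass only if the table holds the connection
        (step 5 of Figure 5-9); a SYN/ACK with no entry is dropped (Figure 5-10)."""
        key = (seg.proto, seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        return "PASS" if self.table.get(key) == "OK" else "DROP"

    def expect(self, internal_ip: str, internal_port: int, external_ip: str, external_port: int) -> None:
        """Port-switching applications (Figure 5-11): when the control connection
        announces the data ports, record the second connection before it is opened."""
        self.table[("TCP", internal_ip, internal_port, external_ip, external_port)] = "OK"


def run_figures() -> Dict[str, str]:
    """Replay the exchanges of Figures 5-9, 5-10 and 5-11 and collect each verdict."""
    fw = StatefulFirewall()
    out: Dict[str, str] = {}
    # Figure 5-9: the internal client opens a web connection; the reply is checked.
    out["5-9 SYN out"] = fw.outbound(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, frozenset({"SYN"})))
    out["5-9 SYN/ACK in"] = fw.inbound(Segment("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, frozenset({"SYN", "ACK"})))
    # Figure 5-10: a spoofed SYN/ACK that matches no table entry.
    out["5-10 spoofed SYN/ACK"] = fw.inbound(Segment("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, frozenset({"SYN", "ACK"})))
    # Figure 5-11: FTP control connection, then the announced data connection.
    out["5-11 control SYN out"] = fw.outbound(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, frozenset({"SYN"})))
    out["5-11 control SYN/ACK in"] = fw.inbound(Segment("TCP", "123.80.5.34", 21, "60.55.33.12", 62600, frozenset({"SYN", "ACK"})))
    # A data connection the server never announced is still refused (constructed port) ...
    out["5-11 unannounced data SYN in"] = fw.inbound(Segment("TCP", "123.80.5.34", 20, "60.55.33.12", 55337, frozenset({"SYN"})))
    # ... while the one announced on the control connection (ports 20 and 55336) passes.
    fw.expect("60.55.33.12", 55336, "123.80.5.34", 20)
    out["5-11 announced data SYN in"] = fw.inbound(Segment("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, frozenset({"SYN"})))
    return out


if __name__ == "__main__":
    for name, verdict in run_figures().items():
        print(f"{name:30s} {verdict}")
```

The inbound check needs no rule for the spoofed SYN/ACK of Figure 5-10: it is dropped simply because no row matches. A static packet filter would have to decide the same segment from its headers alone, which is why the figure's rule 8 ("SYN=1 AND ACK=0") cannot help against a SYN/ACK.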

Page 35

Figure 5-8: Stateful Inspection Firewalls

Stateful Inspection Access Control Lists (ACLs)

Primarily allow or deny applications

Simple, because probing attacks that are not part of conversations are dropped automatically and need no specific rules

In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection

Page 36

Firewalls

Types of Firewalls

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 37

Figure 5-12: Network Address Translation (NAT)

Diagram: client 192.168.5.7, NAT firewall, the Internet (with a sniffer), server host.

1. From 192.168.5.7, port 61000 (client to NAT firewall)
2. From 60.5.9.8, port 55380 (NAT firewall to server; the sniffer on the Internet sees only the translated address)
3. To 60.5.9.8, port 55380 (server to NAT firewall)
4. To 192.168.5.7, port 61000 (NAT firewall to client)

Translation Table
Internal IP Addr  Internal Port  External IP Addr  External Port
192.168.5.7       61000          60.5.9.8          55380
...               ...            ...               ...
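The translation table of Figure 5-12 as a working NAT firewall, an added example that is not part of the textbook's slides. Datagram, NatFirewall and run_figure_5_12 are names I chose; the internal address 192.168.5.7:61000 and external address 60.5.9.8:55380 come from the figure, and the server address 123.80.5.34 and the unsolicited packet are constructed.

```python
# Added example, not from the textbook: the NAT translation table of Figure 5-12.
# Outgoing packets leave with the firewall's external address and a firewall-chosen
# port (benign spoofing); replies are mapped back through the table, and a packet
# that matches no table row is dropped.
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, external_ip: str, first_port: int = 55380) -> None:
        self.external_ip = external_ip
        self._next_port = count(first_port)                # external ports handed out in order
        self.to_external: Dict[Tuple[str, int], int] = {}  # (internal IP, port) -> external port
        self.to_internal: Dict[int, Tuple[str, int]] = {}  # external port -> (internal IP, port)

    def outbound(self, d: Datagram) -> Datagram:
        """Step 1 -> 2: record the internal socket and rewrite the source address and port."""
        internal = (d.src_ip, d.src_port)
        if internal not in self.to_external:
            port = next(self._next_port)
            self.to_external[internal] = port
            self.to_internal[port] = internal
        return replace(d, src_ip=self.external_ip, src_port=self.to_external[internal])

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 3 -> 4: translate the destination back; None means the packet is dropped."""
        if d.dst_ip != self.external_ip or d.dst_port not in self.to_internal:
            return None
        ip, port = self.to_internal[d.dst_port]
        return replace(d, dst_ip=ip, dst_port=port)

    def table(self) -> List[Tuple[str, int, str, int]]:
        """Rows of the translation table, in the figure's column order."""
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.to_external.items()]


def run_figure_5_12():
    nat = NatFirewall("60.5.9.8")
    # 1. the client 192.168.5.7:61000 sends to a (constructed) server;
    # 2. the packet the sniffer on the Internet sees carries 60.5.9.8:55380 instead.
    seen_by_sniffer = nat.outbound(Datagram("192.168.5.7", 61000, "123.80.5.34", 80))
    # 3. the server replies to the translated address; 4. the firewall restores the client's.
    delivered = nat.inbound(Datagram("123.80.5.34", 80, seen_by_sniffer.src_ip, seen_by_sniffer.src_port))
    # A constructed unsolicited packet to the external address has no table row and is dropped.
    unsolicited = nat.inbound(Datagram("1.2.3.4", 4444, "60.5.9.8", 60000))
    return seen_by_sniffer, delivered, unsolicited, nat.table()


if __name__ == "__main__":
    for item in run_figure_5_12():
        print(item)
```

The table here mirrors the figure, which records only the internal and external sockets. A firewall that also records the remote server's address and port in each row (and checks it on the way back) is stricter, because then a reply is accepted only from the host the client actually contacted.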

Page 38

Firewalls

Types of Firewalls

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Page 39

Figure 5-13: Application Firewall Operation

Diagram: client PC 192.168.6.77 running a browser, application firewall 60.45.2.6 running an HTTP proxy (alongside an FTP proxy and an SMTP (e-mail) proxy), webserver 123.80.5.34 running the webserver application.

1. HTTP request from 192.168.6.77 (browser to HTTP proxy)
2. Filtering
3. Examined HTTP request from 60.45.2.6 (HTTP proxy to webserver)
4. HTTP response to 60.45.2.6 (webserver to HTTP proxy)
5. Filtering
6. Examined HTTP response to 192.168.6.77 (HTTP proxy to browser)

HTTP proxy: filtering on Post out; on hostname, URL, MIME, etc. in
FTP proxy: outbound filtering on Put
SMTP (e-mail) proxy: inbound and outbound filtering on obsolete commands, content

Page 40

Figure 5-14: Header Destruction With Application Firewalls

Diagram: attacker 1.2.3.4, application firewall 60.45.2.6, webserver 123.80.5.34.

Arriving packet: original IP header, original TCP header, application message (HTTP)
Header removed: application message (HTTP) only
New packet: new IP header, new TCP header, application message (HTTP)

Application firewall strips original headers from arriving packets and creates a new packet with new headers

This stops all header-based packet attacks

Page 41

Figure 5-15: Protocol Spoofing

Diagram: internal client PC 60.55.33.12 carrying a Trojan horse, application firewall, attacker 1.2.3.4.

1. Trojan transmits on port 80 to get through a simple packet filter firewall
2. Protocol is not HTTP: the application firewall stops the transmission
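The inspection step of the HTTP proxy from Figures 5-13 to 5-15 in code, as an added example that is not part of the textbook's slides. It shows the three behaviours the figures describe: bytes on port 80 that do not parse as HTTP are refused (protocol spoofing, Figure 5-15), the request is checked against a method, hostname and URL policy (Figure 5-13), and the request relayed to the webserver is built fresh from the parsed fields rather than copied, so no header of the arriving packet survives (Figure 5-14). The names parse_request, inspect_outbound and Verdict, the policy constants and all sample requests are mine; the beacon sample is constructed to stand in for the Trojan transmission in Figure 5-15.

```python
# Added example, not from the textbook: the inspection step of an HTTP application
# proxy as in Figures 5-13 to 5-15.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Constructed policy for the example.
ALLOWED_METHODS = {"GET", "HEAD"}                    # "Post" is filtered out on the way out
BLOCKED_HOSTS = {"blocked.example"}                   # hostname deny list
BLOCKED_URL = re.compile(r"\.\./|[\x00-\x1f]")        # traversal or control characters in the URL


@dataclass(frozen=True)
class Verdict:
    passed: bool
    reason: str
    forwarded: Optional[bytes] = None   # the rebuilt request, only when passed


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, target, headers), or None when the bytes are not an HTTP request."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace"), headers


def inspect_outbound(raw: bytes) -> Verdict:
    """Decide whether an outbound request from an internal client is relayed."""
    parsed = parse_request(raw)
    if parsed is None:
        # Figure 5-15: traffic on port 80 that is not HTTP is stopped.
        return Verdict(False, "not HTTP: protocol spoofing on port 80")
    method, target, headers = parsed
    host = headers.get("host", "")
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed outbound")
    if not host or host in BLOCKED_HOSTS or not host.isascii():
        return Verdict(False, f"hostname {host!r} rejected")
    if BLOCKED_URL.search(target) or not target.isascii():
        return Verdict(False, "URL rejected")
    # Figure 5-14, header destruction: the relayed request is built from the parsed
    # fields; nothing from the arriving bytes is copied through.
    rebuilt = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    return Verdict(True, "relayed", rebuilt)


if __name__ == "__main__":
    # Constructed samples: a normal request, a POST, a blocked host, and a Trojan
    # horse beacon that uses port 80 but is not HTTP.
    for raw in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
                b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nsecret=1",
                b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
                b"\x17\x03BEACON 60.55.33.12 ready\r\n\r\n"):
        v = inspect_outbound(raw)
        print(f"{'PASS' if v.passed else 'DROP'}: {v.reason}")
```

A circuit firewall such as the SOCKS v5 relay of Figure 5-16 would pass all four samples once the client had authenticated, because it does no filtering of the transmission; the application proxy refuses three of them from the content alone.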

Page 42

Figure 5-16: Circuit Firewall

Diagram: external client 123.30.82.5, circuit firewall (SOCKS v5) 60.34.3.31, webserver 60.80.5.34.

1. Authentication (external client to circuit firewall)
2. Transmission
3. Passed transmission: no filtering
4. Reply
5. Passed reply: no filtering

Page 43

Firewalls

Types of Firewalls

Inspection Methods

Firewall Architecture
  Single site in large organization
  Home firewall
  SOHO firewall router
  Distributed firewall architecture

Configuring, Testing, and Maintenance

Page 44

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Diagram, from the Internet inward:

1. Screening router 60.47.1.1, last rule = Permit All
2. Main firewall, last rule = Deny All
3. Internal firewall (172.18.9.x subnet)
4. Client host firewall: marketing client on 172.18.5.x subnet
5. Server host firewall: accounting server on 172.18.7.x subnet
6. DMZ: public webserver 60.47.3.9, SMTP relay proxy 60.47.3.10, HTTP proxy server 60.47.3.1, external DNS server 60.47.3.4

Page 45

Figure 5-18: Home Firewall

Diagram: a home PC with a PC firewall, connected by a UTP cord to a broadband modem, which connects by coaxial cable to the Internet service provider over an always-on connection.

Page 46

Figure 5-19: SOHO Firewall Router

Diagram: Internet service provider, broadband modem (DSL or cable), SOHO router (router, DHCP server, NAT firewall, and limited application firewall), Ethernet switch, and user PCs connected by UTP.

Many access routers combine the router and Ethernet switch in a single box

Page 47

Figure 5-20: Distributed Firewall Architecture

Diagram: Site A, Site B and a home PC firewall connected through the Internet, with a central management console.

Page 48

Figure 5-21: Other Security Architecture Issues

Host and Application Security (Chapters 6 and 9)

Antivirus Protection (Chapter 4)

Intrusion Detection Systems (Chapter 10)

Virtual Private Networks (Chapter 8)

Policy Enforcement System

Page 49

Firewalls

Types of Firewalls

Inspection Methods

Firewall Architecture

Configuring, Testing, and Maintenance

Page 50

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Firewall Misconfiguration is a Serious Problem

ACL rules must be executed in series

Easy to make misordering problems

Easy to make syntax errors
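A small linter for the two misconfiguration classes this slide names, as an added example that is not part of the textbook's slides. It checks each rule's syntax (action, protocol, address block, port range) and then, because rules execute in series, reports any rule that an earlier rule already decides: with a different action that is a misordering, with the same action a redundant rule. Rule, syntax_errors, covers, lint and SAMPLE_ACL are names I chose, and the sample ACL is constructed with its mistakes planted on purpose; only the webserver address 60.47.3.9 is taken from Figure 5-6.

```python
# Added example, not from the textbook: a linter for ACL syntax errors and for
# misordered or redundant rules in a first-match list.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "PASS" or "DENY"
    proto: str                                # "TCP", "UDP", "ICMP" or "ANY"
    src: str = "0.0.0.0/0"                    # source address block (CIDR)
    dst: str = "0.0.0.0/0"                    # destination address block (CIDR)
    dports: Tuple[int, int] = (0, 65535)      # inclusive destination port range
    comment: str = ""


def syntax_errors(rule: Rule) -> List[str]:
    errors = []
    if rule.action not in ("PASS", "DENY"):
        errors.append(f"unknown action {rule.action!r}")
    if rule.proto not in ("TCP", "UDP", "ICMP", "ANY"):
        errors.append(f"unknown protocol {rule.proto!r}")
    for field in ("src", "dst"):
        try:
            ip_network(getattr(rule, field))      # strict: host bits set in the prefix is an error
        except ValueError:
            errors.append(f"bad {field} address {getattr(rule, field)!r}")
    low, high = rule.dports
    if not (0 <= low <= high <= 65535):            # port numbers are 16-bit and stop at 65535
        errors.append(f"bad port range {rule.dports}")
    return errors


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is also matched by `earlier`."""
    return ((earlier.proto == "ANY" or earlier.proto == later.proto)
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.dports[0] <= later.dports[0]
            and later.dports[1] <= earlier.dports[1])


def lint(acl: List[Rule]) -> List[str]:
    findings = []
    for number, rule in enumerate(acl, start=1):
        for err in syntax_errors(rule):
            findings.append(f"rule {number}: syntax: {err}")
    valid = [(n, r) for n, r in enumerate(acl, start=1) if not syntax_errors(r)]
    for position, (j, later) in enumerate(valid):
        for i, earlier in valid[:position]:
            if covers(earlier, later):
                if earlier.action != later.action:
                    findings.append(f"rule {j} ({later.action}) can never match: rule {i} ({earlier.action}) already covers it (misordering)")
                else:
                    findings.append(f"rule {j} ({later.action}) is redundant: rule {i} already covers it")
                break
    return findings


# Constructed ingress ACL with the mistakes planted on purpose.
SAMPLE_ACL = [
    Rule("DENY", "ANY", src="10.0.0.0/8", comment="private IP address range"),
    Rule("PASS", "TCP", dst="60.47.3.9/32", dports=(80, 80), comment="public webserver, HTTP"),
    Rule("DENY", "TCP", comment="all other inbound TCP"),
    Rule("PASS", "TCP", dst="60.47.3.9/32", dports=(443, 443), comment="public webserver, HTTPS"),
    Rule("DENY", "UDP", dports=(69, 70000), comment="TFTP and up: port range typo"),
    Rule("DENY", "ANY", src="192.168.1.5/24", comment="host bits set in the prefix"),
    Rule("DENY", "ANY", src="10.1.0.0/16", comment="already covered by rule 1"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_ACL):
        print(finding)
```

Rule 4 is the misordering case: HTTPS to the public webserver is meant to be permitted, but the catch-all rule 3 in front of it decides every inbound TCP packet first, so the HTTPS rule never fires. Rule 7 is harmless but dead, which is worth knowing when a rule set is revised frequently.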

Page 51

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Create Policies Before ACLs

Policies are easier to read than ACLs

Can be reviewed by others more easily than ACLs

Policies drive ACL development

Policies also drive testing

Page 52

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Must test firewalls with security audits

Only way to tell if policies are being supported

Must be driven by policies

Maintaining Firewalls

New threats appear constantly

ACLs must be updated constantly if firewall is to be effective

Page 53

Figure 5-23: FireWall-1 Modular Management Architecture

Diagram:
Application module (GUI): create, edit policies; read log files
Management module: stores policies, stores log files
Firewall modules (two shown): enforce policy, send log entries
Flows: policy from the application module to the management module and from the management module to each firewall module; log file entries from each firewall module to the management module; log file data from the management module to the application module

Page 54

Figure 5-24: FireWall-1 Service Architecture

Diagram: external server, FireWall-1 firewall, third-party application inspection firewall, internal client.

1. Arriving packet (external server to FireWall-1)
2. Statefully filtered packet
3. DoS protection; optional authentications
4. Content Vectoring Protocol (hands the packet to the third-party application inspection firewall)
5. Statefully filtered packet plus application inspection (to internal client)

Page 55

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls

Diagram: the Internet (outside, security level = 0), the internal network (inside, security level = 100), and a third network behind a router (security level = 60).

Connections are allowed from more secure networks to less secure networks: a connection from inside to outside is automatically accepted; a connection from outside to inside is automatically rejected.