firewalls - northern kentucky university · types of firewalls . 1. packet filters (stateless) 2....

Firewalls

CSC 482: Computer Security Slide #1


Topics 1. What is a firewall? 2. Types of Firewalls

1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls

3. Configuring the Linux Firewall 4. Firewall Architectures and DMZs 5. Tunneling and VPNs


What is a Firewall?

A software or hardware component that restricts network communication between two computers or networks.

In buildings, a firewall is a fireproof wall

that restricts the spread of a fire. Network firewall prevents threats from

spreading from one network to another.


Internet Firewalls Many organizations/individuals deploy a firewall

to restrict access to their network from Internet.


What is a Firewall? (2) A mechanism to enforce security policy

– Choke point that traffic has to flow through. – ACLs on a host/network level.

Policy Decisions: – What traffic should be allowed into network?

• Integrity: protect integrity of internal systems. • Availability: protection from DOS attacks.

– What traffic should be allowed out? • Confidentiality: protection from data leakage.

Policy Actions Packets flowing through a firewall can have one of three outcomes:

– Accepted: permitted through the firewall – Dropped: not allowed through with no indication of failure – Rejected: not allowed through, accompanied by an attempt to

inform the source that the packet was rejected Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as:

– TCP or UDP – the source and destination IP addresses – the source and destination ports – the application-level payload of the packet (e.g., whether it

contains a virus).

6 CSC 482: Computer Security

Blacklists and White Lists Blacklist approach

– All packets are allowed through except those that fit the rules defined specifically in a blacklist.

– This type of configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall, but is naïve from a security perspective in that it assumes the network administrator can enumerate all of the properties of malicious traffic.

Whitelist approach – A safer approach to defining a firewall ruleset is the default-deny

policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.

7 CSC 482: Computer Security

Types of Firewalls Packet Filters (Stateless)

– If individual packet matches rules, then either accept or drop it.

Stateful Filters – Maintains records of all connections, so that – It can accept/deny entire TCP or UDP session.

Application Layer Firewalls – A proxy server that relays byte streams from client to

server and vice versa. – Inspects application headers for undesirable sites and

application data for undesirable content (malware etc.) CSC 482: Computer Security Slide #8

Stateless Firewalls A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously.

Trusted internal network

SYN Seq = x Port=80

SYN-ACK Seq = y

Ack = x + 1

ACK Seq = x + 1 Ack = y + 1

Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80

Client

Server

Firewall


Stateless Restrictions

Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.


SYN Seq = y Port=80

Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80

Client Attacker (blocked)

Firewall



Packet Filtering Information Forward or drop packets based on TCP/IP header

information, most often: – IP source and destination addresses – Protocol (ICMP, TCP, or UDP) – TCP/UDP source and destination ports – TCP Flags, especially SYN and ACK – ICMP message type

Dual-homed hosts also make decisions based on: – Network interface the packet arrived on. – Network interface the packet will depart on.

Stateful Firewalls Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network. Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets. Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.


Stateful Firewall Example Allow only requested TCP connections:


SYN Seq = x Port=80

SYN-ACK Seq = y

Ack = x + 1

ACK Seq = x + 1 Ack = y + 1

Allow outbound TCP sessions, destination port=80

Client

SYN-ACK Seq = y Port=80 Attacker (blocked)

Established TCP session: (128.34.78.55, 76.120.54.101)

128.34.78.55

76.120.54.101

Firewall state table

Server

Firewall

CSC 482: Computer Security


Stateful Packet Filters Saves packet data to keep state, in order to reconstruct connection at IP level

– Even though UDP has no ACK flag, can construct connection by remembering outgoing packet for UDP 53 (DNS) and know that a response should come from that port to the source port of original packet.

Can examine packets at application layer – Examine FTP packet stream for PASV/PORT

commands to find return port for ftp data stream.

Netfilter and IPtables Tables do specific tasks such as filtering or NAT.

– Each table consists of one or more chains of rules. – Chains can be built-in or user defined.

Slide #15

Filter Table Built-In Chains # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination


Chains are Lists of Rules Packet traverses a chain sequentially until

– A rule matches the packet and makes a final decision to ACCEPT or REJECT it.

– A rule matches the packet and sends it to another chain.

– The end of the chain is reached. If the end is reached, the packet either

– Returns to being processed by the calling chain. – Is processed by the default policy of the chain.


Chain Configuration Append a Rule to a Chain

iptables –A chain firewall-rule List Rules in a Chain

iptables –L chain Delete a Rule from a Chain

iptables –D chain rule-number Set Chain Default Policy

iptables –P chain DROP or append a rule that drops all packets to the end. iptables –P chain –j DROP


Packet Matching Options -p: protocol (tcp, udp, icmp, etc.) -s: source IP address(es) -d: destination IP address --sport: source port (for TCP or UDP) --dport: destination port (for TCP or UDP) -m state: enable stateful filtering --state NEW: allow new connections --state ESTABLISHED: allow established.


Rule Targets ACCEPT: let the packet through. DROP: do not let the packet through. RETURN: stop processing on this chain and return to the next rule in the calling chain. chain: continue processing packet with the named chain.


Writing Firewall Rules Allow incoming SSH

iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow server to be pinged iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT



Where to place Firewall? Gateway Router

– Filtering at interface between networks allows control via a choke point.

– Can filter spoofed IP addresses. Host

– Filter packets on each individual computer. – How to manage thousands of packet filters?


Ingress/Egress Filtering Block spoofed IP addresses Ingress Filtering

Drop packets arriving on external interface whose source IP addresses claims to be from internal network.

Egress Filtering Drop packets arriving on internal interface

whose source IP address is not from internal network.


Packet Filtering Summary Advantages:

– One packet filter can protect an entire network – Efficient (requires little CPU) – Supported by most routers

Disadvantages: – Difficult to configure correctly

• Must consider rule set in its entirety – Difficult to test completely – Performance penalty for complex rulesets

• Stateful packet filtering much more expensive – Enforces ACLs at layer 3 + 4, without knowing any

application details


Proxy Servers

Proxy host relays Transport/App connections – Client makes connection to proxy. – Proxy forwards connection to server.

Proxy can provide multiple security features: – Access Control – Authentication – Logging – Anonymity


Example: SOCKS v5

Socks Server Socks Client Library

– Clients must be linked against library. – Library offers replacements for UNIX network

socket system calls. User Authentication Protocols

– Cleartext username/password. – GSS-API authentication.


Circuit Gateways Advantages:

– User-level authentication possible. – Efficient logging, as proxy deals with circuit

connections instead of individual packets. Disadvantages:

– Clients have to be recompiled or reconfigured to use proxy service.

– Some services can’t be proxied. – Cannot protect you from all protocol weaknesses.

Application Layer Firewalls Application layer rules

– HTTP: URLs, headers, etc. – SMTP: spam statistics

More complex – Only 216 ports, but – An infinite number of URLs.



Single Firewall Simplest type of firewall—one host acts as a

gateway between internal and external networks.

DMZ Firewall Architecture


Single Firewall DMZ



DMZ Bastion hosts isolated from internal network

– Compromise of a bastion host doesn’t directly compromise internal network.

– Bastion hosts also can’t sniff internal traffic, since they’re on a different subnet.

No single point of failure – Attacker must compromise both exterior and interior

routers to gain access to internal net. Advantages: greater security Disadvantages: higher cost and complexity


DMZ External Access

– Filtered: via interior + exterior routers – Proxied: use a bastion host as a proxy server

Bastion Hosts – Proxy server – External web/ftp servers – External DNS server – E-mail gateway


Firewall Limitations Cannot protect from internal attacks

– May be able to limit access with internal firewalls to a segment of your network.

Cannot protect you from user error – Users will still run trojan horses that make it

past your AV scanner. Firewall mechanism may not precisely

enforce your security policy.

Tunneling Tunneling: Encapsulation of one network protocol in another protocol

– Carrier Protocol: protocol used by network through which the information is travelling

– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data

– Passenger Protocol: protocol that carries original data Can be used to encrypt connections or provider other security features not available to passenger protocol.


Tunneling vs. Eavesdropping

Tunnel over ssh or SSL to offer encryption of packets.

Server Client Encapsulating protocol

(does end-to-end encryption and decryption)

Payloads are encrypted here

TCP/IP TCP/IP

Untrusted Internet


ssh Tunneling SSH can tunnel TCP connections

– Carrier Protocol: IP – Encapsulating Protocol: ssh – Passenger Protocol: TCP on a specific port

POP-3 forwarding ssh -L 110:pop3host:110 -l user pop3host

– Uses ssh to login to pop3host as user – Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost post #)of pop3host

– User configures mail client to use localhost as POP3 server, then proceeds as normal

IPSec IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets Each protocol can operate in one of two modes, transport mode or tunnel mode.

– In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated.

– In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet.



Virtual Private Network (VPN) Two or more computers or networks connected by a private tunnel through a public network (typically the Internet.)

Requirements: – Confidentiality: encryption – Integrity: MACs, sequencing, timestamps

Firewall Interactions – Tunnels can bypass firewall – Firewall is convenient place to add VPN features

Types of VPNs Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.

– For example, an organization may wish to allow employees access to the company network remotely but make it appear as though they are local to their system and even the Internet itself.

– To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Clients typically install VPN client software on their machines, which handle negotiating a connection to the NAS and facilitating communication.

Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.

– Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling.

Slide #40


Key Points • Firewalls

– Packet filtering (stateless) – Stateful firewalls – Proxy servers – Application layer firewalls

• Firewall Architectures – Positioning on network – DMZ architectures

• Tunneling – Protocols: carrier, encapsulating, passenger – Virtual Private Networks


References 1. William Cheswick, Steven Bellovin, and Avriel Rubin,

Firewalls and Internet Security, 2nd edition, 2003. 2. Simson Garfinkel, Gene Spafford, and Alan Schwartz,

Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.

3. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.

4. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

5. Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2nd edition, O’Reilly & Associates, 2000.

firewalls - northern kentucky university · types of firewalls . 1. packet filters (stateless) 2....

Documents