Karlstad University

Firewall

Ge Zhang

Karlstad University

A typical network topology

• Threats example– Back door– Port scanning– …

Karlstad University

Karlstad University

What is Firewall?A single checking point that reacts traffic to and from a

network (pass, discard, block, log)• Design goals

– All traffic from inside to outside and vice versa must pass through the firewall

Internet

Karlstad University

Services by a firewall

• Service control • Direction control • User Control (internal network)• Behavior control (the firewall needs to know the

application protocol)• Logging flow information• Hidden internal topology

Karlstad University

Capabilities and limitations

• Capabilities– Prevent unauthorized traffics– Monitoring security-related events– The platform for Network address translator (NAT) – The platform for IPSec tunnel mode (VPN)

• Limitations– Attacks the bypass the firewall (over other channels)– Internal threats (internal employees cooperate with external

attackers)– Transferring virus-infected programs

Karlstad University

The working flow of a Firewall

if {condition_1} then {action_1}

else if{condition_2} then {action_2}

else if{condition_3} then {action_3}

else if{condition_4} then {action_4}

…

else if{condition_n} then {action_n}

How to define the conditions?

Karlstad University

Layered TCP/IP model

Karlstad University

Types of firewalls

• Packet-Filtering router• Application-level gateway• Circuit-level gateway

Karlstad University

Packet-Filtering router (1)

External network

Internal network

Security perimeter

IP headers

TCP/UDP headers

• Packet-Filtering Firewall– Applies a set of rules– Decides forwarding or discarding the packet– Only examine the header, do not “see inside” a packet

Karlstad University

Packet-Filtering router (2)source destination protocol dest. port action

Ane_home Ane_work any any Allow

any SIP proxy Tcp, udp 5060, 5061 Allow

any Mail server Tcp, udp 25 Allow

any Web server tcp 80, 8080 Allow

any any any any Deny

source destination protocol dest. port action

mal1 any any any Deny

mal2 any any any Deny

mal1 any any any Deny

mal3 any any any Deny

any any any any Allow

Karlstad University

Requirements on rule set design

• Consistency: The rules are ordered correctly• Completeness: every packet satisfies at least one

rule in the firewall• Compactness: firewall has no redundant rules

Karlstad University

An example

Interface source destination protocol dest. port action

0 any Web server tcp 80 Allow

0 any Web server any any Deny

0 malicious any any any Deny

1 host any any any Allow

1 any any any any Allow

Internet

Host

Web Server0 1

Malicious

Consistencyerror

Compactnesserror

0 Not malicious host any any ???? Completenesserror

Karlstad University

Improvement

Interface source destination protocol dest. port action

0 malicious any any any Deny

0 any Web server tcp 80 Allow

0 any Web server any any Deny

0 any any any any Allow

1 any any any any Allow

Internet

Host

Web Server0 1

Malicious

Karlstad University

Efficiency of rule setsource destination protocol dest. port action

192.163.0.1 any tcp 80, 8080 Deny

192.163.0.2 any tcp 80, 8080 Deny

192.163.0.3 any tcp 80, 8080 Deny

10.1.1.2 any tcp 80, 8080 Allow

10.1.1.3 any tcp 80, 8080 Allow

source destination protocol dest. port action

192.163.0.* any tcp 80,8080 Deny

10.1.1.* any tcp 80,8080 Allow

Karlstad University

Stateful PF• For TCP connections

– Server ports are mostly fixed (<1024)– Client ports are dynamically used ( from 1024 to 65535)

• Stateful: tightens up the rules for TCP traffic by creating a directory of outbound TCP connections

src Src port des Des port state

192.168.1.100 1030 210.9.88.29 80 established

192.168.1.102 3331 216.32.1.122 25 established

Karlstad University

Pro and cons in PF

• Pro: – Simple, high efficient – Transparent to users

• Con:– Does not work with application-specific vulnerabilities– Limited log information– No user authentication– Difficulty to configure rulesets

Karlstad University

Attacks on a PF

• IP address spoofing: (use spoofed IP address which can be trusted)

• Fragment attacks– Tiny fragment– Overlapping fragment

Karlstad University

IP fragment

• A firewall only inspects the first fragmented one.

IP h. TCP/UDP h. data

IP h. IP h. IP h.

IP h. TCP/UDP h. data

Sender

recipient

intermediaries

Karlstad University

Tiny fragment attack

IP h. TCP/UDP h. data

IP h. IP h. IP h.

IP h. TCP/UDP h. data

Sender

recipient

intermediaries

Not enough information

Karlstad University

Overlapping fragment

IP h. TCP/UDP h. data

IP h. IP h. IP h.

IP h. TCP/UDP h. data

Sender

recipient

intermediaries

Offset 20 Offset 16

Rewrite the overlapped part

Offset 0

Offset 16

Karlstad University

Application-level Gateway (mainly for inbound requests)

HTTP

SIP Inside hostOutside host

FTP

Outside host

• Have more checking parameters (user names, message format, client software version, etc)

• Only deal with allowable applications• More useful log information• Con: high processing overhead

Karlstad University

Circuit level gateway (mainly for outbound requests)

• Based on connections instead of packets• Similar to stateful PF• Perform authentication• Implementations: Socks server

Inside hostOutside host

out

out

out

in

in

in

Karlstad University

Bastion Host

• A secure version of its operating system• A platform for an application-level gateway or

circuit-level gateway• Only support allowed applications• Only support a subset of the standard applications• Needs additional authentication

Karlstad University

Demilitarized Zone (DMZ)

• Demilitarized zone is a subnet that contains and exposes an organization's public services to an external network

• DNS, web server, VoIP server

• Internal network, work stations

Karlstad University

Setup Firewalls in a network

• Screened host firewall (single-homes bastion)

External network

PF

Bastion host

Information server (web, DNS...)

Work station

Work stationWork station

Karlstad University

• Sceened host firewall (dual-homed bastion host)

External network

PF

Bastion host

Information server (web, DNS...)

Work station

Work stationWork station

Karlstad University

• Screened subnet firewall

External network

PF

Bastion host

Information server (web, DNS...)

PF

Internal network

Karlstad University

Practical experiences on firewall itself

• Stealth rule: drop any packet from outside to the firewall

• Insecure firewall management: drop packets to the firewall over insecure protocols (telnet, ftp, x11)

• Limited management machines: firewalls should be managed from a small number of machines

Karlstad University

High-throughput firewall (1)

• Application Specific Integrated Circuit (ASIC)• e.g., netscreen 100 (100Mbps firewall)

Karlstad University

High-throughput firewall (2)

• Load balance

Firewall 1

Internal router

Firewall 2

Firewall n

External router...

Karlstad University

Key points• Types of firewall • Pros and cons of the three types• Ruleset of PF (consistency, completeness, compactness,

efficiency)• Stateful PF• Attack on PF• Bastion host• DMZ• Setup firewalls in a network