Protocol Specific Extension for Firewall
Itai Almog, Eran Liberty, Oved Itzhak (Instructor)

Post on 21-Dec-2015


Page 1: Protocol Specific Extension for Firewall Itai Almog Eran Liberty Oved Itzhak (Instructor)

Protocol Specific Extension for Firewall

Itai Almog
Eran Liberty
Oved Itzhak (Instructor)

Page 2

Agenda

Who needs a firewall?
Firewall infrastructure
  Packet filtering
  Proxy
  NAT
Firewalls and common protocols
Case study – Age of Empires II

Page 3

Who needs a firewall?

Page 4

Everyone connects to the web

The internet has doubled its size every year in the last 20 years.
More and more companies connect their private network to the internet.
The internet is used for:
  E-commerce
  Public relations
  Customer support
  Knowledge gain
  Communication
Private users also connect to the internet for similar reasons.

Page 5

Connectivity tradeoff

When you connect your private network to the internet, you also connect the internet to your private network!
Your private network becomes a public place for internet hackers.
Computers on your network are exposed to:
  Denial of service attacks.
  Information theft.
  Data integrity violation.
  And much more…

Page 6

Recent attacks

10/00 - Microsoft corporate network hacked. Hackers claim to have stolen Longhorn source code.
17/06/00 - AOL users' e-mail accounts hacked.
22/12/00 - Egghead customers' credit card numbers stolen.
02/00 - Amazon, Yahoo, CNN home pages down for a couple of hours.
FBI web page filled with pornographic pictures.
CIA web page hacked, name changed to "Central Stupidity Agency".

Page 7

Recent attacks (cont.)

These attacks caused those companies to lose:
  Money (Amazon)
  Customers (AOL)
  Customers' trust (Microsoft)
  Pride (Everyone)

Page 8

The solution

Implement an access control policy.
The policy will define which traffic should pass from the internet to the private network.
The policy can also control access from the private network to the internet (controlling the employees).

Page 9

The solution (cont.)

A firewall is the best and most common solution for implementing an access control policy.
A firewall can give us the best balance between gaining internet power and preserving a secure private network.
What is a firewall?
What can it control?
How does it work?
These questions take us to the next chapter . . .

Page 10

Firewall infrastructure

Page 11

What is a firewall?

A component placed between several networks that controls the data transferred between them.
The firewall enforces a predefined access control policy.
The policy can be based on IP addresses, port numbers, user groups, etc.

Page 12

Firewall goals

Protect the private (internal) network from attacks that come from the public (external) network.
Control outgoing traffic.

Page 13

Where should I place the firewall?

In the simplest scenario, with only two networks (internal and external), the firewall should be placed between the networks.
All the traffic should pass through the firewall.
Example . . .

Page 14

Firewall location example

[Diagram: Internal (private) Network – Firewall – External Network (e.g. Internet)]

Page 15

Firewall infrastructure

Firewalls are built from one or more of the following components:
  Packet filter.
  Proxy.
  NAT.

Page 16

Packet filter

Scans every IP packet that it receives and decides whether to drop the packet or to forward it.
The decision is based on a predefined security policy.
The "Table Model" is commonly used to describe a policy definition . . .

Page 17

The "Table Model"

The table is built from allow and deny rules.
When a packet arrives, the packet filter scans the table rule by rule.
When a matching rule is found, the rule's action (allow/deny) is applied to the packet.
If no rule matches the packet, the packet is dropped.

Page 18

The "Table Model" - Example

The following table defines a policy that blocks all traffic except for telnet to the external network:

Rule       | Source Address | Dest. Address | Protocol | Source Port | Dest. Port | ACK bit | Action
-----------|----------------|---------------|----------|-------------|------------|---------|-------
telnet out | Internal       | Any           | TCP      | >1023       | 23         | Any     | Permit
telnet in  | Any            | Internal      | TCP      | 23          | >1023      | Yes     | Permit

Page 19

Filtering policy

Filtering policy can be based on:
  Source/Destination addresses.
  Protocol (TCP/UDP).
  Source/Destination Port – used mainly to distinguish between different applications.
  ACK Bit – can be used to identify the initiator of the TCP session.

Page 20

Types of packet filters

Packet filters can be:
  Stateless – the same policy is applied to all packets. Usually means the table is fixed.
  Stateful – the policy is applied to packets based on their context (session context). Usually means the table is dynamic.

Page 21

Packet filters - Pros

Fast & efficient – decisions are based on IP header inspection.
Common – implemented in most routers.
User transparent.
Application independent.
Easy to implement.

Page 22

Packet filters - Cons

Not every security policy can be translated to a list of allow/deny rules.
Even if it is possible, building and maintaining those lists is difficult.

Page 23

Proxy

A component that sits between the client and the server.
In the client-server model:
  The client thinks the proxy is the server.
  The server thinks the proxy is the client.
The proxy will only establish connections that are allowed by the security policy.

Page 24

Proxy example

[Diagram. No proxy: Client sends Request to Server, Server returns Response to Client. With proxy: Client sends Request to Proxy, Proxy sends Request to Server, Server returns Response to Proxy, Proxy returns Response to Client.]

Page 25

Proxy features

A proxy inspects the traffic up to the application level. This detailed inspection can be used for implementing a much more detailed and complex security policy.
A proxy is commonly used for caching.
All the requests and responses pass through the proxy.
The proxy is protocol aware.

Page 26

Proxy - Pros

Prevents a direct connection between a machine on the private network and a machine on the external (public) network.
Protocol aware – can implement security policies that are based on specific protocol data.
Can save network traffic by caching responses.

Page 27

Proxy - Cons

Protocol specific – requires a different proxy for each application (protocol).
Inefficient – parsing application data is expensive.
Not transparent to the client.

Page 28

NAT

Stands for "Network Address Translation".
A mechanism that changes source and destination addresses (and ports).
First used as a way to overcome the shortage of internet addresses.

Page 29

NAT common use

A company can use only one valid/public IP address for all the communications to the external network.
Computers in the private network will have an internal (non-routable) IP address.
NAT will take care of all the address translation work for outbound traffic.

Page 30

NAT Example

[Diagram: Client – NAT – Server]
(1) Request, client to NAT:   Source: 10.0.0.17,      Dest: 197.256.143.12
(2) Request, NAT to server:   Source: 192.154.0.10,   Dest: 197.256.143.12
(3) Response, server to NAT:  Source: 197.256.143.12, Dest: 192.154.0.10
(4) Response, NAT to client:  Source: 197.256.143.12, Dest: 10.0.0.17

Page 31

NAT security features

Hides the private network's configuration/structure.
Can be used to enforce the firewall as a choke point – any traffic that gets around the firewall will not be routed.

Page 32

NAT - Pros

Enforces a single choke point for outbound traffic.
Hides private network configuration.
Saves expensive public IP addresses.
Can be used to filter inbound traffic.

Page 33

NAT - Cons

Problematic when working with protocols that pass addressing information at the application level (e.g. FTP).
Changing port numbers can collide with a port-dependent packet filter policy.

Page 34

Firewall infrastructure - Summary

Each component has its own pros and cons.
Good firewalls combine them all together to provide a more secure solution.

Page 35

Firewalls and Common Protocols

Page 36

Introduction

All firewall components we saw have problems dealing with certain protocols.
We will try to locate the problems and to solve them.

Page 37

Packet filters & dynamic port protocols

These protocols often have more than one connection.
The first connection (primary connection) is on a known fixed port.
On the primary connection both sides negotiate details concerning the secondary connection.
One of the details is the port number.
A secondary connection is established to a dynamically chosen port.

Page 38

Packet filters & dynamic port protocols (cont.)

Example – Passive FTP protocol:

[Diagram: Client (ports 5000, 7000) and FTP Server (ports 21, 3000).
Client port 5000 to server port 21: "I want the file abc.txt"
Server port 21 to client port 5000: "Please connect to port 3000"
Client port 7000 to server port 3000: Establishing a connection… Transferring abc.txt]

Page 39

Packet filters & dynamic port protocols (cont.)

To allow this traffic, we should add to the rules table the following lines:

Rule                 | Source Address | Dest. Address | Protocol | Source Port | Dest. Port | ACK bit | Action
---------------------|----------------|---------------|----------|-------------|------------|---------|-------
Passive FTP Data Out | Internal       | Any           | TCP      | Any         | Any        | Any     | Permit
Passive FTP Data In  | Any            | Internal      | TCP      | Any         | Any        | Yes     | Permit

Page 40

Packet filters & dynamic port protocols (cont.)

It is clear that adding those lines will cause the packet filter to allow all TCP traffic.

A solution – a dynamic packet filter that will add the following lines after inspecting the primary connection traffic:

Rule                 | Source Address | Dest. Address | Protocol | Source Port | Dest. Port | ACK bit | Action
---------------------|----------------|---------------|----------|-------------|------------|---------|-------
Passive FTP Data Out | Client IP      | Server IP     | TCP      | Any         | 3000       | Any     | Permit
Passive FTP Data In  | Server IP      | Client IP     | TCP      | 3000        | Any        | Yes     | Permit

Page 41

Packet filters & dynamic port protocols (cont.)

The suggested solution will solve the problem but requires the packet filter to understand the Passive FTP protocol.
Most packet filters parse only the IP and TCP/UDP headers.
A solution – in a hybrid firewall, a protocol-aware component that understands FTP (e.g. an FTP proxy) will inspect the primary connection traffic and pass the required information (the port number) to the packet filter.
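The table model of slides 17 and 18 together with the dynamic rules of slides 40 and 41, as an added example that is not part of the original slides: a first-match, default-deny rule table loaded with the slide 18 telnet rules, and an FTP-aware helper that reads the passive-mode reply on the control connection and inserts the two narrow data-connection rules. The 10.0.0.0/8 internal range, the standard "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply format and the sample addresses are assumptions of the example.

```python
"""Table-model packet filter plus a protocol-aware passive FTP pinhole.

Added example for this transcript, not code from the slides. Assumes the
internal network is 10.0.0.0/8, uses the slide 18 telnet rules as the static
table, and parses the standard FTP "227 Entering Passive Mode
(h1,h2,h3,h4,p1,p2)" reply to build the slide 40 rules.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the private side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit; False for a new SYN or for UDP


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # "Internal", "Any" or a literal address
    dst: str
    proto: str          # "TCP", "UDP" or "Any"
    sport: str          # "Any", an exact port such as "23", or ">1023"
    dport: str
    ack: str            # "Any" or "Yes"
    action: str         # "Permit" or "Deny"


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "Any":
        return True
    if spec == "Internal":
        return ipaddress.ip_address(addr) in INTERNAL
    return spec == addr


def _match_port(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)
            and rule.proto in ("Any", pkt.proto)
            and _match_port(rule.sport, pkt.sport) and _match_port(rule.dport, pkt.dport)
            and (rule.ack == "Any" or pkt.ack))


def decide(table: List[Rule], pkt: Packet) -> str:
    """Slide 17: scan rule by rule, first match wins, no match means drop."""
    for rule in table:
        if matches(rule, pkt):
            return rule.action
    return "Deny"


# Slide 18: everything blocked except telnet to the external network.
TABLE: List[Rule] = [
    Rule("telnet out", "Internal", "Any", "TCP", ">1023", "23", "Any", "Permit"),
    Rule("telnet in", "Any", "Internal", "TCP", "23", ">1023", "Yes", "Permit"),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) announced in a 227 reply, or None."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return (host, port) if 0 < port < 65536 else None


def add_ftp_pinhole(table: List[Rule], client_ip: str, server_ip: str, reply: str) -> Optional[int]:
    """Slide 41: the FTP-aware component reads the control connection and hands
    the packet filter the two narrow slide 40 rules. The hole is opened only
    toward the server the client is already talking to, and only for one port;
    a real implementation also removes these rules when the transfer ends."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != server_ip:
        return None
    port = str(parsed[1])
    table.append(Rule("Passive FTP Data Out", client_ip, server_ip, "TCP", "Any", port, "Any", "Permit"))
    table.append(Rule("Passive FTP Data In", server_ip, client_ip, "TCP", port, "Any", "Yes", "Permit"))
    return parsed[1]
```

Contrast this with the slide 39 table: the same data connection is permitted, but a connection from the same client to any other port, or from any other internal host, still falls through to the default deny.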

Page 42

Proxy protocol dependency

A different proxy should be used for every protocol.
What if we use a new protocol or a private protocol?
Two solutions –
  Don't base the security policy on this protocol's traffic.
  Use an extensible proxy – there are proxies that are designed in a generic form which is not protocol dependent. Such a proxy can be extended to understand any protocol. In our case, develop an extension for the new protocol.

Page 43

Client's proxy support

It is not transparent for a client to use a proxy server. The client should connect to the proxy instead of the real server and tell the proxy who the real server is.

Example - schematic HTTP without a proxy:

[Diagram: Client (port 5000) and Web Server (port 80).
Client to server: Connect to www.cnn.com
Server to client: Connected
Client to server: Get MainPage.html
Server to client: Transferring MainPage.html]

Page 44

Client's proxy support (cont.)

Example - schematic HTTP with a proxy:

[Diagram: Client, Proxy and Web Server.
Client to proxy: Connect to Proxy
Proxy to client: Connected
Client to proxy: Get MainPage.html from www.cnn.com
Proxy to server: Connect to www.cnn.com
Server to proxy: Connected
Proxy to server: Get MainPage.html
Server to proxy: Transferring MainPage.html
Proxy to client: Transferring MainPage.html]

Page 45

Client's proxy support (cont.)

No change on the server side.
Big change on the client side.
A solution – installing proxy client software on each client.
This software will intercept connect requests and divert them to the proxy.
The proxy client should also inform the proxy of the original server the client tried to connect to.

Page 46

NAT detection of closed sessions

Most NAT implementations store a dynamic mapping table with all the open sessions and their appropriate mappings.
These mappings are stored so that NAT will know how to multiplex the responses.
A mapping is removed from the table when the session is over – no more incoming packets are expected for the session.
NAT should have a way to know when a session is over.
In TCP sessions, it is easy – just wait for a FIN or a RST.
How should NAT know when a UDP session is over?

Page 47

NAT detection of closed sessions

Two solutions –
  Keep a timeout for every UDP mapping.
  In a hybrid firewall, a protocol-aware component (e.g. a proxy) will notify NAT when a session is over.
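The mapping table of slide 46 and both slide 47 solutions, as an added example that is not part of the original slides: a port-translating NAT that rewrites the source of outbound packets (slide 30, steps 1 to 2) and the destination of replies (steps 3 to 4), drops unsolicited inbound packets, removes TCP mappings on RST or after a FIN in each direction, expires idle UDP mappings, and exposes a hook for a protocol-aware component to close a session. The public address, the peers and the injected clock are constructed for the example.

```python
"""Port-translating NAT with session tracking.

Added example for this transcript, not code from the slides. It models the
slide 46 mapping table: one public address, one mapping per outbound session,
removal on TCP RST or FIN in both directions, a UDP timeout (slide 47,
solution 1) and a hook for a protocol-aware component (slide 47, solution 2).
The clock is injected so expiry can be exercised without sleeping.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, private ip, private port, peer ip, peer port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                              # "TCP" or "UDP"
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"FIN", "ACK"} or {"RST"}


@dataclass
class Mapping:
    key: Key
    public_port: int
    last_seen: float
    fin_out: bool = False                   # private side has sent FIN
    fin_in: bool = False                    # peer has sent FIN


class Nat:
    def __init__(self, public_ip: str, clock: Callable[[], float],
                 udp_timeout: float = 60.0, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.clock = clock
        self.udp_timeout = udp_timeout
        self.next_port = first_port
        self.by_key: Dict[Key, Mapping] = {}
        self.by_public: Dict[Tuple[str, int], Mapping] = {}   # (proto, public port)

    def _remove(self, m: Mapping) -> None:
        del self.by_key[m.key]
        del self.by_public[(m.key[0], m.public_port)]

    def _tcp_state(self, m: Mapping, flags: FrozenSet[str], from_private: bool) -> None:
        """Slide 46: a TCP session is over on a reset, or once both sides sent FIN."""
        if "FIN" in flags:
            m.fin_out = m.fin_out or from_private
            m.fin_in = m.fin_in or not from_private
        if "RST" in flags or (m.fin_out and m.fin_in):
            self._remove(m)

    def outbound(self, pkt: Packet) -> Packet:
        """Slide 30, step 1 -> 2: rewrite the source of a private-to-public packet."""
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        m = self.by_key.get(key)
        if m is None:
            m = Mapping(key, self.next_port, self.clock())
            self.next_port += 1
            self.by_key[key] = m
            self.by_public[(pkt.proto, m.public_port)] = m
        m.last_seen = self.clock()
        out = Packet(self.public_ip, m.public_port, pkt.dst, pkt.dport, pkt.proto, pkt.flags)
        if pkt.proto == "TCP":
            self._tcp_state(m, pkt.flags, from_private=True)
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Slide 30, step 3 -> 4: rewrite the destination back, or return None.
        No mapping, or a sender other than the session's peer, means the packet
        is dropped: the inbound filtering effect listed on slide 32."""
        m = self.by_public.get((pkt.proto, pkt.dport))
        if m is None or pkt.dst != self.public_ip:
            return None
        proto, priv_ip, priv_port, peer_ip, peer_port = m.key
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None
        m.last_seen = self.clock()
        back = Packet(pkt.src, pkt.sport, priv_ip, priv_port, proto, pkt.flags)
        if proto == "TCP":
            self._tcp_state(m, pkt.flags, from_private=False)
        return back

    def expire_udp(self) -> int:
        """Slide 47, solution 1: drop UDP mappings idle longer than the timeout."""
        now = self.clock()
        stale = [m for m in self.by_key.values()
                 if m.key[0] == "UDP" and now - m.last_seen > self.udp_timeout]
        for m in stale:
            self._remove(m)
        return len(stale)

    def session_closed(self, key: Key) -> bool:
        """Slide 47, solution 2: a protocol-aware component reports the session end."""
        m = self.by_key.get(key)
        if m is None:
            return False
        self._remove(m)
        return True
```

The UDP timeout is a trade-off the slide leaves implicit: too short and long-lived sessions break, too long and stale mappings keep inbound ports open, which is why solution 2 is attractive in a hybrid firewall.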

Page 48

NAT & addressing information in the application level

There are some protocols that send addressing information (IP address, port number) in the application level data. E.g. Active FTP.
This information must be translated by NAT.
NAT doesn't understand FTP; it works at the IP and TCP/UDP levels.

Page 49

NAT & addressing information in the application level

Two solutions –
  Install a special spy application on the client. Whenever a client application tries to find out its IP address or a port number, forward those queries to the NAT component so that it will answer with the correct numbers.
  In a hybrid firewall, a protocol-aware component (e.g. a proxy) will notify NAT of addressing information in the traffic that must be translated.

Page 50

NAT & authentication / encryption protocols

There are some protocols that perform integrity checks on the packets received.
These checks validate that the packet was not changed in the middle.
This is usually done by signing the data with a secret key and appending the signature to the data.
When NAT changes the IP/TCP/UDP header, the integrity check will fail and the receiver will think that an attacker tampered with the packet on the way.

Page 51

NAT & authentication / encryption protocols

Three solutions –
  Give NAT the secret key. NAT will re-sign the modified packets.
  Don't use NAT for computers using these protocols.
  Use NAT-compatible authentication/encryption protocols.
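The integrity-check failure of slide 50 and the first and third options of slide 51, as an added example that is not part of the original slides: a keyed tag over header and payload fails once NAT rewrites the source, a NAT holding the key can re-sign, and a tag over only the fields NAT never touches survives translation while still catching a modified payload. HMAC-SHA256, the packet layout and the addresses are assumptions of the example.

```python
"""Keyed integrity checks versus NAT rewriting.

Added example for this transcript, not code from the slides. A constructed
packet carries an HMAC-SHA256 tag; NAT rewrites the source address and port
(slide 30, step 2) and the receiver's check over the header fails (slide 50).
Slide 51 options 1 and 3 are modelled as re-signing at the NAT and as a tag
that covers only what NAT does not change.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _header_bytes(p: Packet) -> bytes:
    # Stand-in for the IP/TCP/UDP header fields the protocol authenticates.
    return f"{p.src}:{p.sport}>{p.dst}:{p.dport}".encode()


def tag_header_and_payload(key: bytes, p: Packet) -> bytes:
    """A protocol that authenticates addresses and ports as well as the data."""
    return hmac.new(key, _header_bytes(p) + p.payload, hashlib.sha256).digest()


def tag_payload_only(key: bytes, p: Packet) -> bytes:
    """Slide 51 option 3: a NAT-compatible design signs only fields NAT leaves alone."""
    return hmac.new(key, p.payload, hashlib.sha256).digest()


def verify(expected: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(expected, tag)


def nat_outbound(p: Packet, public_ip: str, public_port: int) -> Packet:
    """Slide 30 step 2: NAT rewrites the source address and port, nothing else."""
    return replace(p, src=public_ip, sport=public_port)


def nat_resign(key: bytes, p: Packet) -> bytes:
    """Slide 51 option 1. NAT now holds the key, so it could also forge packets;
    the receiver can no longer distinguish NAT's rewrites from anyone else's."""
    return tag_header_and_payload(key, p)
```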

Page 52

Case Study: Age Of Empires II

Page 53

Introduction

In the previous chapters we gained knowledge regarding firewall infrastructure and the effect of a firewall on different protocols.
In this chapter we will use this knowledge to enable a specific application (the protocols it uses) to pass through the firewall.

Page 54

Introduction (cont.)

We will pick a widely used, network based application.
Learn its underlying protocols.
Understand the difficulties of passing these protocols through a firewall.
For each difficulty, suggest several solutions and pick the best one.
Implement the solutions in a module that will extend a given firewall.

Page 55

The application (cont.)

The application we chose is one of the most popular games, called Age Of Empires II (AOE2).
This is a multiplayer strategy game.
Each player runs the game on a different computer and plays with the other players.

Page 56

AOE2 & Direct Play

The game, like almost all other games, uses the Microsoft Direct Play package for dealing with networking issues.
Direct Play uses an internal (not RFC) protocol to handle the game traffic.
In every Direct Play based game, one of the players is a Host.
The host computer is responsible for managing the game.

Page 57

Organizing a multi-player game

How can a player join a multi-player game?
There are several "meeting places" in the internet.
The biggest and most famous one is Microsoft Gaming Zone.

Page 58

Microsoft Gaming Zone

The Zone also uses its own internal protocol for organizing a multi-player game.

The same protocol is used for all games that can be organized from the Zone.

Page 59

The goal

Let a player protected by a firewall join a multi-player game of AOE2 with a player on the internet, using the Zone.

The firewall should enable the player to participate in the game without compromising the internal network's security.

Page 60

The solution

Use an extensible firewall that can be taught to handle new protocols.

The firewall will be extended with our component, which is aware of the Direct Play and Zone protocols.

Notice: by developing an extension that enables the Direct Play and Zone protocols, we make almost every Windows-based game compatible with the ISA firewall.

Page 61

Internet Security and Acceleration Server 2000 (ISA)

The firewall we chose is Microsoft Internet Security and Acceleration Server 2000.

The firewall can be extended with modules called application filters.

Page 62

The working environment

Diagram of the working environment (rendered as text); its elements are: Technion Network, Internet, Internal Network, AOE2 Client, Router, Firewall, Zone.com.

Page 63

Learning the protocols

This was one of the hardest tasks in the project.

All the protocols involved are internal: no RFC can be found.

Learning was done by reverse engineering using Microsoft Network Monitor.
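Reverse engineering an undocumented protocol from captures comes down to reading off which flows appear, on which ports, and who opens them; flows opened from the Internet toward the protected client are the ones a default-deny firewall drops and that an application filter has to admit selectively. The following Python script is an added example, not the project's code or its Network Monitor output: it reduces a constructed packet list (the addresses, ports and sizes are made up and are not DirectPlay or Zone values) to per-flow summaries and flags the inbound-initiated ones.

```python
"""Added example (not the project's code): reduce a packet capture to flows
so that an undocumented protocol's port usage and who-initiates-what can be
read off, which is the question a firewall extension has to answer.  The
packet records are CONSTRUCTED for this example, not a real DirectPlay or
Zone trace."""
from collections import OrderedDict
from dataclasses import dataclass
import ipaddress


@dataclass
class Pkt:
    ts: float
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int


@dataclass
class Flow:
    proto: str
    initiator: str      # address that sent the first packet of the flow
    initiator_port: int
    responder: str
    responder_port: int
    first_ts: float
    pkts: int = 0
    bytes_out: int = 0  # initiator -> responder
    bytes_in: int = 0   # responder -> initiator


def _key(p: Pkt):
    """Direction-independent 5-tuple so both halves land in one flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def summarise(packets):
    """Group packets into flows, in order of first appearance."""
    flows = OrderedDict()
    for p in sorted(packets, key=lambda q: q.ts):
        k = _key(p)
        f = flows.get(k)
        if f is None:
            f = flows[k] = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts)
        f.pkts += 1
        if (p.src, p.sport) == (f.initiator, f.initiator_port):
            f.bytes_out += p.length
        else:
            f.bytes_in += p.length
    return list(flows.values())


def inbound_initiated(flows, internal_net):
    """Flows opened from outside toward the protected network: these are
    what a default-deny firewall blocks and what a protocol-aware filter
    must learn to admit selectively."""
    net = ipaddress.ip_network(internal_net)
    return [f for f in flows
            if ipaddress.ip_address(f.responder) in net
            and ipaddress.ip_address(f.initiator) not in net]


# Constructed trace: a client behind the firewall talks to a lobby server,
# then a peer on the Internet starts sending game data straight to it.
SAMPLE = [
    Pkt(0.00, "tcp", "10.0.0.5", 51000, "203.0.113.1", 6000, 60),
    Pkt(0.02, "tcp", "203.0.113.1", 6000, "10.0.0.5", 51000, 60),
    Pkt(0.05, "tcp", "10.0.0.5", 51000, "203.0.113.1", 6000, 120),
    Pkt(1.10, "udp", "198.51.100.8", 5000, "10.0.0.5", 5000, 90),
    Pkt(1.12, "udp", "10.0.0.5", 5000, "198.51.100.8", 5000, 70),
    Pkt(1.50, "tcp", "10.0.0.5", 51001, "198.51.100.8", 5001, 60),
]


def report(packets=SAMPLE, internal_net="10.0.0.0/8"):
    """One line per flow, then one line per inbound-initiated flow."""
    flows = summarise(packets)
    lines = [f"{f.proto} {f.initiator}:{f.initiator_port} -> "
             f"{f.responder}:{f.responder_port} pkts={f.pkts} "
             f"out={f.bytes_out} in={f.bytes_in}" for f in flows]
    lines += [f"INBOUND-INITIATED: {f.proto} {f.initiator}:{f.initiator_port}"
              f" -> {f.responder}:{f.responder_port}"
              for f in inbound_initiated(flows, internal_net)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the constructed trace the control connection is outbound and needs no special handling, while the UDP game flow is opened by the peer on the Internet; that is exactly the kind of flow a packet filter cannot admit statically without opening the port to everyone, and the reason an application filter that follows the control channel is needed.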

Page 64

Microsoft Network Monitor

Page 65

Implementing the solutions

A DirectXFilter application filter was written.

It is a COM object built in C++ using ATL.

The main API the application filter uses is the firewall's (ISA) API.

Page 66

The filter class diagram

Class diagram (rendered as text; each class with the interfaces it implements and the ATL base classes it derives from):

CDirectXFilter: implements IFWXFilter; derives from CComObjectRootEx and CComCoClass.

CFirstPhaseDataFilter: implements IFWXIOCompletion and IFWXDataFilter; derives from CComObjectRootEx.

CSecondPhaseDataFilter: implements IFWXIOCompletion and IFWXDataFilter; derives from CComObjectRootEx.

CThirdPhaseDataFilter: implements IFWXIOCompletion and IFWXDataFilter; derives from CComObjectRootEx.

Legend: Class, Interface.
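The phased structure in the diagram above (one filter object per connection, with a data filter per phase) is the general shape of a protocol-aware firewall extension: each phase accepts only the messages that are valid at that point in the exchange, and the secondary flow the firewall opens is the one specific flow the control channel negotiated rather than a port range. The following Python model is an added example and is not the project's code; the lobby protocol it parses (HELLO/HOST lines) is constructed for the example and is not the DirectPlay or Zone wire format, the Firewall and LobbyFilter classes are stand-ins for ISA Server's filter API rather than that API, and the three phases are assumed for illustration.

```python
"""Added example (not the project's code): a phased, protocol-aware
application filter modelled in plain Python.  The lobby protocol below is
CONSTRUCTED for this example and is not the DirectPlay or Zone wire
format; Firewall and LobbyFilter are stand-ins for an extensible
firewall's filter API, not ISA Server's."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Pinhole:
    """One permitted secondary flow: exactly one client/host/port triple."""
    client_ip: str
    host_ip: str
    host_port: int
    proto: str = "udp"


class Firewall:
    """Stand-in for the firewall core: it only records what filters open."""

    def __init__(self):
        self.pinholes = set()

    def open_pinhole(self, hole: Pinhole) -> None:
        self.pinholes.add(hole)

    def is_allowed(self, client_ip, host_ip, host_port, proto="udp") -> bool:
        return Pinhole(client_ip, host_ip, host_port, proto) in self.pinholes


class LobbyFilter:
    """Data filter attached to one client<->lobby control connection.

    Phase 1 (greet):  client must send  'HELLO <name>'.
    Phase 2 (assign): lobby must send   'HOST <ip> <port>'; the filter then
                      opens a pinhole for that single client->host flow.
    Phase 3 (play):   remaining control traffic passes; any further HOST
                      message is refused so one session yields one pinhole.
    Anything unexpected drops the data and closes the session.
    """
    GREET, ASSIGN, PLAY = 1, 2, 3
    _HELLO = re.compile(rb"^HELLO ([A-Za-z0-9_]{1,32})\n$")
    _HOST = re.compile(rb"^HOST (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5})\n$")

    def __init__(self, fw: Firewall, client_ip: str, internal_net: str):
        self.fw = fw
        self.client_ip = client_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.phase = self.GREET
        self.closed = False

    def _reject(self) -> str:
        self.closed = True
        return "drop"

    def on_data(self, direction: str, payload: bytes) -> str:
        """direction is 'c2s' (client->lobby) or 's2c'; returns 'pass'/'drop'."""
        if self.closed:
            return "drop"
        if self.phase == self.GREET:
            if direction == "c2s" and self._HELLO.match(payload):
                self.phase = self.ASSIGN
                return "pass"
            return self._reject()
        if self.phase == self.ASSIGN:
            m = self._HOST.match(payload) if direction == "s2c" else None
            if not m:
                return self._reject()
            try:
                host = ipaddress.ip_address(m.group(1).decode())
            except ValueError:
                return self._reject()
            port = int(m.group(2))
            # Refuse to punch a hole toward the protected network itself,
            # and only accept a plausible game port.
            if host in self.internal_net or not 1024 <= port <= 65535:
                return self._reject()
            self.fw.open_pinhole(Pinhole(self.client_ip, str(host), port))
            self.phase = self.PLAY
            return "pass"
        # PLAY: the control channel stays open, but no second assignment.
        if payload.startswith(b"HOST "):
            return self._reject()
        return "pass"


def run_session(messages, client_ip="10.0.0.5", internal_net="10.0.0.0/8"):
    """Feed (direction, payload) pairs through one filter instance."""
    fw = Firewall()
    flt = LobbyFilter(fw, client_ip, internal_net)
    verdicts = [flt.on_data(d, p) for d, p in messages]
    return fw, flt, verdicts


if __name__ == "__main__":
    # Constructed sample session: the lobby assigns a host on the Internet.
    fw, flt, v = run_session([
        ("c2s", b"HELLO alice\n"),
        ("s2c", b"HOST 203.0.113.10 2300\n"),
        ("c2s", b"READY\n"),
    ])
    print(v, fw.is_allowed("10.0.0.5", "203.0.113.10", 2300))
```

Running the file plays through a constructed session. The two checks worth noting are that a host address inside the protected network is refused, so a lobby server cannot be used to open holes toward internal machines, and that a session yields at most one pinhole; both are the kind of rule that only a filter which understands the control protocol can enforce.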