Chapter 5r1 September 2004 Copyright Prentice-Hall 2004 Firewalls Chapter 5r1 September 2004 Copyright Prentice-Hall 2004

Figure 5-1: Basic Firewall Operation 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 1. Internal Corporate Network (Trusted)

Figure 5-1: Basic Firewall Operation (Continued) 3. Attack Packet 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 4. Dropped Packet (Ingress) 4. Log File

Figure 5-1: Basic Firewall Operation (Continued) 5. Passed Legitimate Packet (Ingress) 5. Legitimate Packet 1. Internet (Not Trusted) Legitimate User 2. Internet Border Firewall 1. Internal Corporate Network (Trusted)

Figure 5-1: Basic Firewall Operation (Continued) 7. Passed Packet (Egress) 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 7. Dropped Packet (Egress) 4. Log File 1. Internal Corporate Network (Trusted)

Figure 5-1: Basic Firewall Operation (Continued) 6. Attack Packet that Got Through Firewall 6. Hardened Client PC 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall Hardened Hosts Provide Defense in Depth 6. Hardened Server 1. Internal Corporate Network (Trusted)

Figure 5-2: Firewall Architecture (Single Site) Main Border Firewall Internal Firewall Screening Router Firewall Internet 172.18.9.x Subnet Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 Host Firewall Host Firewall Most firms have multiple firewalls. Their arrangement is called the firm’s firewall architecture SMTP Application Proxy Server 60.47.3.10 HTTP Application Proxy Server 60.47.3.1 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet

Figure 5-3: Firewall Principles The Changing Role of Firewalls In the early 1990s, there was a focus on border security However, some attacks inevitably get through the border firewall And border firewalls provide no protection from internal attackers, attackers who entered the site other than through the Internet, or remote users using VPNs

Figure 5-3: Firewall Principles (Continued) The Changing Role of Firewalls Companies need to employ defense in depth (Figure 5-2) Overall, border firewalls are important but not sufficient

Figure 5-3: Firewall Principles (Continued) Danger of Overload If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets This is the safest choice, because attack packets cannot enter the network However, this creates a self-inflicted denial-of- service attack

Figure 5-3: Firewall Principles (Continued) Danger of Overload So firewalls must have the capacity to handle the traffic Some can handle normal traffic but cannot handle traffic during heavy attacks Need to be able to work at wire speed

Figure 5-3: Firewall Principles (Continued) Firewall Filtering Methods Several methods exist; we will look at them in this chapter Firewall Inspection Levels Internet Level Internet and transport layer filtering Attacks and therefore firewalls began here Stateful inspection Static packet inspection Network address translation (NAT)

Figure 5-3: Firewall Principles (Continued) Firewall Filtering Methods Firewall Inspection Levels Application Level Attacks growing at the application layer Filter application layer communication Application proxy firewalls Antivirus filtering (general malware filtering) Intrusion prevention systems (also filter internet-level attacks)

Figure 5-3: Firewall Principles (Continued) Firewall Filtering Methods Firewall Inspection Levels Data Link Layer Usually no protection, although attacks could occur here Physical Layer No protection

Main Border Firewalls Stateful Inspection

Figure 5-2: Firewall Architecture (Single Site) Main Border Firewall Internal Firewall Screening Router Firewall Internet 172.18.9.x Subnet Main Border Firewall sits between the Internet and the internal network (after the border router) Main border firewalls predominantly use stateful inspection filtering Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 Host Firewall Host Firewall SMTP Application Proxy Server 60.47.3.10 HTTP Application Proxy Server 60.47.3.1 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet

Figure 5-4: Opening Connections in Stateful Inspection Firewalls Default Behavior Permit connections initiated by an internal host Deny connections initiated by an external host Can change default behavior with access control lists (ACLs) for ingress and egress Automatically Accept Connection Attempt Internet Router Automatically Deny Connection Attempt

Default Behavior Can be Modified by Access Control Lists (ACLs) Figure 5-5: Permitting Incoming Connections in a Stateful Inspection Firewall Default Behavior Can be Modified by Access Control Lists (ACLs) Ingress ACL permits some externally-initiated connections to be opened Egress ACL prohibits some internally-initiated connections from being opened On basis of IP address, TCP or UDP port number, and/or IP protocol Sets of if-then rules applied in order

Figure 5-5: Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) (Continued) 1. If TCP destination port = 80, Allow Connection [Pass all HTTP traffic to any webserver. (Port 80 = HTTP)] 2. If TCP destination port = 25 AND destination IP address = 60.47.3.35, Allow Connection [Pass all SMTP traffic to a specific host (mail server), 60.47.3.35. Port 25 = SMTP] Safer than Rule 1

Figure 5-5: Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) (Continued) 3. If TCP destination port = 500, AND destination IP address = 60.47.3.77, Allow Connection [Pass all Internet Key Exchange traffic to the firm’s IPsec gateway, 60.47.3.77] 4. If protocol = 51, AND destination IP address = 60.47.3.77, Allow Connection [Pass all encrypted ESP traffic to the firm’s IPsec gateway, 60.47.3.77. Protocol 51 is IPsec ESP] Rule based on IP protocol value.

Figure 5-5: Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) (Continued) 5. Deny ALL [Deny all other externally-initiated connections] (Use the default behavior of stateful inspection firewalls for all other connection-opening attempts)

Figure 5-6: Well-Known Port Numbers Primary Protocol Application 20 TCP FTP Data Traffic 21 FTP Supervisory Connection Passwords sent in the clear 23 Telnet Passwords sent in the clear 25 Simple Mail Transfer Protocol (SMTP)

Figure 5-6: Well-Known Port Numbers (Continued) Primary Protocol Application 53 TCP Domain Name System (DNS) 69 UDP Trivial File Transfer Protocol (TFTP) No login necessary 80 Hypertext Transfer Protocol (HTTP) 110 Post Office Protocol (POP)

Figure 5-6: Well-Known Port Numbers (Continued) Primary Protocol Application 135-139 TCP NETBIOS service for peer-to-peer file sharing in older versions of Windows 143 Internet Message Access Protocol (IMAP) for downloading e-mail to client 161 UDP Simple Network Management Protocol (SNMP) 443 HTP over SSL/TLS

Figure 5-7: Main Border Firewall Stateful Inspection I Stateful Firewall Operation If accept a connection… Record the two IP addresses and port numbers in state table as OK (open) (Figure 5-9) Accept future packets between these hosts and ports with no further inspection This stops most internet-level attacks Does not address application-level attacks

Figure 5-7: Main Border Firewall Stateful Inspection I (Continued) 2. Establish Connection 1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80 External Webserver 123.80.5.34 Again: Outgoing Connections Allowed By Default Permitted outgoing Connections are Placed in the Connection table Stateful Firewall Internal Client PC 60.55.33.12 Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK

Figure 5-7: Main Border Firewall Stateful Inspection I (Continued) External Webserver 123.80.5.34 6. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 Stateful Firewall 4. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600 Internal Client PC 60.55.33.12 5. Check Connection OK; Pass the Packet Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK

Figure 5-7: Main Border Firewall Stateful Inspection I (Continued) Stateful Firewall Operation For UDP, also record two IP addresses and port numbers in the state table Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK UDP 60.55.33.12 63206 1.8.33.4 69 OK

Figure 5-8: Main Border Firewall Stateful Inspection II (Continued) Arriving packets that are not connection opening attempts and that do not match a row in the state table are dropped Stateful Firewall Attacker Spoofing External Webserver 10.5.3.4 1. Spoofed TCP SYN/ACK Segment From: 10.5.3.4.:80 To: 60.55.33.12:64640 Internal Client PC 60.55.33.12 2. Check Connection Table: No Connection Match: Drop Connection Table Type Internal IP Internal Port External IP External Port Status TCP 60.55.33.12 62600 123.80.5.34 80 OK UDP 60.55.33.12 63206 222.8.33.4 69 OK

Figure 5-9: Stateful Inspection Firewall in Perspective Simplicity and Therefore Low Cost Connection opening decisions are somewhat complex But most packets are part of approved ongoing connections Filtering ongoing packets is extremely simple Therefore, stateful inspection is fast and inexpensive

Figure 5-9: Stateful Inspection Firewall in Perspective (Continued) Low Cost Safety Stops nearly all internet-level attacks (Application-level filtering still needed) Dominance for Main Border Firewalls Nearly all use stateful inspection

Figure 5-9: Stateful Inspection Firewall in Perspective (Continued) Beyond Stateful Inspection Most main border firewalls also use other inspection methods Denial-of-service filtering Limited application content filtering Etc.

Screening Router Firewall Static Packet Inspection

Figure 5-2: Firewall Architecture (Single Site) 1. Screening Router 60.47.1.1 Last Rule=Permit All Internet Screening Router Firewall Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out. Last Rule is Permit All to Let Main Firewall Handle Everything but Simple Attacks 172.18.9.x Subnet Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 SMTP Relay Proxy 60.47.3.10 HTTP Proxy Server 60.47.3.1 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet

Figure 5-10: Static Packet Inspection on Screening Router Firewalls Screening Firewall Routers Add filtering to the border router (Figure 5-2) Filter out many high-frequency, low-complexity attacks For ingress filtering, reduce the load on the main border firewall

High Cost for Sufficient Performance Figure 5-10: Static Packet Inspection on Screening Router Firewalls (Continued) High Cost for Sufficient Performance Must buy inspection software for the router (expensive) Usually must upgrade router processing speed and memory (expensive)

Good Location for Egress Filtering Figure 5-10: Static Packet Inspection on Screening Router Firewalls (Continued) Good Location for Egress Filtering Stops all replies to probe packets Including those from the border router itself

Figure 5-11: Static Packet Filter Firewall Corporate Network The Internet Permit (Pass) IP-H TCP-H Application Message IP-H UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Static Packet Filter Firewall Log File Only IP, TCP, UDP and ICMP Headers Examined

Figure 5-11: Static Packet Filter Firewall (Continued) Corporate Network The Internet Permit (Pass) IP-H TCP-H Application Message IP-H UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Static Packet Filter Firewall Arriving Packets Examined One at a Time, in Isolation; This Misses Many Arracks Log File

Use Static Packet Filtering (Figure 5-11) Figure 5-10: Static Packet Inspection on Screening Router Firewalls (Continued) Use Static Packet Filtering (Figure 5-11) Require complex access control lists (ACLs) (Figures 5-12 and 5-13) Because need an ACL statement for each rule

Figure 5-12: Screening Firewall Router Ingress ACL 1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range] 3. If source IP address = 192.168.*.*, DENY [private IP address range] 4. If source IP address = 60.47.*.*, DENY [internal IP address range] 5. If source IP address = 1.33.3.4, DENY [black- holed IP address of attacker]

Figure 5-12: Screening Firewall Router Ingress ACL (Continued) 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet that makes no sense, asking both to open a connection and to close a connection] 7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver via HTTP and HTTP over SSL/TLS] 8. If TCP destination port = 80 OR 443, DENY [prevent communication to other internal webservers] Note: Rule 7 MUST come before Rule 8

Figure 5-12: Screening Firewall Router Ingress ACL (Continued) 9. If TCP destination port = 20, DENY [FTP data connection] 10. If TCP destination port = 21, DENY [FTP supervisory control connection] 11. If TCP destination port = 23, DENY [Telnet data connection] 12. If TCP destination port = 135 through 139, DENY [File/Print Sharing for Windows clients]

Figure 5-12: Screening Firewall Router Ingress ACL (Continued) 13. If TCP destination port = 513, DENY [Unix rlogin without password] 14. If TCP destination port = 514, DENY [Unix rsh launch shell without login] 15. If TCP destination port = 22, DENY [SSH for secure login, but Version 1 was not secure] 16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]

Figure 5-12: Screening Firewall Router Ingress ACL (Continued) 17. If ICMP Type = 0, PASS [allow incoming echo reply messages] 18. If ICMP, DENY [drop all other incoming ICMP packets] 19. PASS ALL [pass all other packets; it is the job of the main border firewall to stop attacks not found by the screening firewall router]

Figure 5-13: Screening Firewall Router Egress ACL 1 If source IP address NOT = 60.47.*.*, DENY [not in internal IP address range so must be spoofed] 2. If ICMP Type = 8, PASS [allow outgoing echo messages, that is, pings] 3. If ICMP, DENY [drop all other outgoing ICMP messages] Again, order is important.

Figure 5-13: Screening Firewall Router Egress ACL (Continued) 4. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning] 5. If TCP source port = 1234, DENY [port of a currently-widespread Trojan horse] 6. PASS ALL [screening firewalls have PASS ALL as their last rule]

Network Address Translation (NAT)

Figure 5-14: Network Address Translation (NAT) The problem: Sniffers on the Internet can read packets to and from organizations Reveals IP addresses and port numbers of hosts Provides considerable information about potential victims without the risks of sending probing attacks Solution: Disguise IP addresses and port numbers of internal hosts.

Figure 5-14: Network Address Translation (NAT) (Continued) From 192.168.5.7, Port 61000 From 60.5.9.8, Port 55380 1 Server Host 2 Internet Client 192.168.5.7 NAT Firewall Sniffer Internal External IP Addr Port IP Addr Port Translation Table 192.168.5.7 61000 60.5.9.8 55380 . . . . . . . . . . . .

Figure 5-14: Network Address Translation (NAT) (Continued) Server Host Internet Client 192.168.5.7 NAT Firewall 3 4 Sniffer To 192.168.5.7, Port 61000 To 60.5.9.8, Port 55380 Internal External IP Addr Port IP Addr Port Translation Table 192.168.5.7 61000 60.5.9.8 55380 . . . . . . . . . . . .

Figure 5-15: Perspective on NAT Sniffers on the Internet cannot learn internal IP addresses and port numbers Only learn the translated address and port number By themselves, provide a great deal of protection against attacks External attackers cannot create a connection to an internal computers

Figure 5-15: Perspective on NAT (Continued) Sniffers and NAT Sniffers can read stand-in IP addresses and port numbers Can send back packets to these stand-in values; NAT will deliver them to the real host However, most sessions too brief to exploit Still a potential danger if sniffers act quickly

Figure 5-15: Perspective on NAT (Continued) NAT/PAT NAT does more than network (IP) address translation Also does port number translation Should be called NAT/PAT, but NAT is the common term

Figure 5-15: Perspective on NAT (Continued) Problems with Certain Protocols Virtual private networks (later in the chapter) VoIP, etc. Static rows in translation tables can mitigate these problems Maintained indefinitely But static assignments removes most security benefits of NAT

Figure 5-15: Perspective on NAT (Continued) Box: Using NAT for Address Multiplication Firm may only be given a limited number of public IP addresses Must use these in packets sent to the Internet May use private IP addresses internally

Figure 5-15: Perspective on NAT (Continued) Box: Using NAT for Address Multiplication For each public IP address, there can be a separate connection for each possible port Address 60.5.9.8, Port = 2000 Address 60.5.9.8, Port = 2001 Etc. Each connection can be linked to a different internal IP address Can have thousands of internal IP addresses for each public IP address

Figure 5-15: Perspective on NAT (Continued) Sniffers on the Internet cannot learn internal IP addresses and port numbers Only learn the translated address and port number By themselves, provide a great deal of protection against attacks External attackers cannot create a connection to an internal computers

Application Proxy Firewalls

Figure 5-17: Application Proxy Firewall Operation 2. Filtering 3. Examined HTTP Request From 60.45.2.6 1. HTTP Request From 192.168.6.77 Browser HTTP Proxy Webserver Application Application Proxy Firewall 60.45.2.6 Filtering: Blocked URLs, Post Commands, etc. Webserver 123.80.5.34 Client PC 192.168.6.77

Figure 5-17: Application Proxy Firewall Operation (Continued) 4. HTTP Response to 60.45.2.6 6. Examined HTTP Response To 192.168.6.77 Browser HTTP Proxy Webserver Application 5. Filtering on Hostname, URL, MIME, etc. Webserver 123.80.5.34 Client PC 192.168.6.77 Application Proxy Firewall 60.45.2.6

Figure 5-16: Application Proxy Firewall Client Server Relaying Relay operation: Proxy acts as a server to the client and a client to the server Full protocol support Slow processing per packet

Figure 5-16: Application Proxy Firewall (Continued) HTTP Content Filtering Command filtering (POST) Host or URL filtering MIME and file extension filtering HTML script filtering

Figure 5-16: Application Proxy Firewall (Continued) Core Protections (see Figure 5-18) IP address hiding (sniffer will only see the application proxy firewall’s IP address) Packet header destruction Stopping protocol spoofing with protocol enforcement Problem with HTTP Tunneling

Figure 5-18: Core Protections Due to Application Proxy Firewall Relay Operation Protections Offered Automatically by Relaying: IP Address Hiding: Sniffer only Learns IP Address of Firewall Sniffer Packet from 1.2.3.4 Packet from 60.45.2.6 Internal Host 1.2.3.4 Application Proxy Firewall 60.45.2.6 Webserver 123.80.5.34

Figure 5-18: Core Protections Due to Application Proxy Firewall Relay Operation (Continued) Header Removed Arriving Packet New Packet X App MSG (HTTP) App MSG (HTTP) Orig. TCP Hdr Orig. IP Hdr App MSG (HTTP) New TCP Hdr New IP Hdr Application Proxy Firewall 60.45.2.6 Attacker 1.2.3.4 Webserver 123.80.5.34 Protections Offered Automatically by Relaying: Removes Headers from Arriving Packet: Eliminates Header-Based Attacks

Figure 5-18: Core Protections Due to Application Proxy Firewall Relay Operation (Continued) Protections Offered Automatically by Relaying: Protocol Enforcement: If Use Port 80, Must be HTTP Trojan Horse X 1. Trojan Transmits on Port 80 to Get Through Internet-Level Firewall Application Proxy Firewall Internal Client PC 60.55.33.12 Attacker 1.2.3.4 2. Protocol is Not HTTP Firewall Stops The Transmission

Figure 5-17: Application Proxy Firewall Operation (Continued) A Separate Proxy Program is Needed for Each Application Filtered on the Firewall FTP Proxy SMTP (E-Mail) Proxy Webserver 123.80.5.34 Client PC 192.168.6.77 Outbound Filtering on Put Inbound and Outbound Filtering on Obsolete Commands, Content Application Proxy Firewall 60.45.2.6

Figure 5-16: Application Proxy Firewalls (Continued) Multiple Proxies Each application to be filtered needs a separate proxy program Small firms usually use a single application proxy firewall with multiple application proxies Large firms usually use a single application proxy firewall per proxy

Figure 5-16: Application Proxy Firewalls (Continued) Box: Other Application Proxies FTP (prohibit Put, limit file sizes, etc.) SMTP (Prohibit obsolete commands, delete attachments, limit attachment size, MIME type) Web Services (work in progress)

Figure 5-16: Application Proxy Firewalls (Continued) Box: Circuit Firewalls (Figure 5-19) Non application-specific application proxy firewalls Create connections at the application layer Provide IP address hiding and header destruction, but not protocol enforcement Do not provide content filtering Do provide authentication SOCKS V5 is the dominant standard for circuit firewalls

Figure 5-19: Circuit Firewall Generic Type of Application Firewall 1. Authentication 3. Passed Transmission: No Filtering 2. Transmission 4. Reply 5. Passed Reply: No Filtering Webserver 60.80.5.34 Circuit Firewall (SOCKS v5) 60.34.3.31 External Client 123.30.82.5

Antivirus Filtering

Figure 5-20: Antivirus Filtering Normally, Firewalls Do Not Do Antivirus Filtering Pass packets needing antivirus filtering to an antivirus server (Figure 5-21)

Figure 5-21: Checkpoint’s FireWall-1 and Antivirus Filtering 2. Statefully Filtered Packet 1. Arriving Packet 3. DoS Protection Optional Authentications Internal Client External Server FireWall-1 Firewall 4. Content Vectoring Protocol 5. Statefully Filtered Packet Plus Application Inspection Third-Party Application Inspection Firewall

Figure 5-20: Antivirus Filtering (Continued) Examine Application Messages for Many Forms of Malware (see Chapter 4) Not just viruses Worms, Trojan horses, spyware, adware

Figure 5-20: Antivirus Filtering (Continued) Detection is Based on Signatures Strings of characters found within specific malware files Create a new signature for each piece of malware, add it to signatures database Antivirus filter vendors worry about signatures so complex that signature-based detection will be too slow to be useful

Figure 5-20: Antivirus Filtering (Continued) Updating Antivirus Programs All antivirus programs have an updating feature To get new signatures and program upgrades Without updates, programs cannot handle new threats Users may turn off updating or update too rarely Users may let subscriptions lapse; program remains, but get no new updates

Figure 5-20: Antivirus Filtering (Continued) Where to Filter? On individual user PCs The traditional approach to antivirus filtering But users often fail to update May even turn off the antivirus program because it is inconvenient

Figure 5-20: Antivirus Filtering (Continued) Where to Filter? On the e-mail server Filters mail before the user gets it Systems administrators are likely to maintain the filtering

Figure 5-20: Antivirus Filtering (Continued) Where to Filter? E-mail outsourcing companies Filter mail before it gets to the firm Outsourcers have expertise This reduces corporate labor costs

Figure 5-20: Antivirus Filtering (Continued) Where to Filter? Defense in Depth Filter in two locations or all three

Figure 5-20: Antivirus Filtering (Continued) Spam Unsolicited commercial e-mail Also can be filtered on individual PCs, on e- mail servers, or at e-mail outsourcing firms Not as precise as antivirus filtering Too many false negatives (failing to label spam messages as spam) Too many false positives (labeling good messages as spam) Very dangerous.

The Demilitarized Zone (DMZ)

The Demilitarized Zone (DMZ) Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ). Attackers cannot get to Other subnets from there DMZ servers are specially hardened. Hardened hosts in the DMZ are called Bastion Hosts Internet 172.18.9.x Subnet Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 6. DMZ SMTP Relay Proxy 60.47.3.10 HTTP Proxy Server 60.47.3.1 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet 5. Server Host Firewall

Figure 5-22: The Demilitarized Zone (DMZ) Subnet for servers and application proxy firewalls accessible via the Internet (Figure 5-2) Hosts in the DMZ must be especially hardened because they will be attacked by hackers Hardened hosts in the DMZ are called bastion hosts

Figure 5-22: The Demilitarized Zone (DMZ) (Continued) Uses Tri-Homed Main Firewalls 3 NICs, each attached to a different subnet One subnet to the border router One subnet for the DMZ (accessible to the outside world) One subnet for the internal network Access from the subnet to the Internet is strongly controlled Access from the DMZ is also strongly controlled

Figure 5-22: The Demilitarized Zone (DMZ) (Continued) Hosts in the DMZ Public servers (public webservers, FTP servers, etc.) Application proxy firewalls External DNS server that only knows host names for hosts in the DMZ

Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)

Figure 1-23: Intrusion Detection System (IDS) 1. Suspicious Packet Intrusion Detection System (IDS) 4. Alarm Security Administrator 2. Suspicious Packet Passed Internet Attacker? Hardened Server 3. Log Suspicious Packet Corporate Network Log File

Figure 1-24: Firewalls, IDSs, and IPSs Drops Packets? Yes No Logs Packets Sophistication in Filtering Medium High

Figure 1-24: Firewalls, IDSs, and IPSs (Continued) Sophistication in Filtering Message stream analysis, not just individual packets Reassemble fragmented application messages Deep packet inspection: both internet-level headers and application headers

Figure 1-24: Firewalls, IDSs, and IPSs (Continued) Sophistication in Filtering Medium High Creates Alarms? No Yes Sometimes Precision Low without Tuning Low without Tuning

Figure 1-24: Firewalls, IDSs, and IPSs (Continued) Firewalls Versus IDSs Firewalls drop packets IDSs only generate alarms Too many false positives (false alarms) to drop suspicious packets safely IDSs versus IPSs IDSs merely send alarms IPSs, using the same filtering mechanisms, actually drops suspicious packets with high confidence of being attacks

Figure 5-25: Distributed IDS Host IDS (HIDS) Manager Site Agent Log File Transfer in Batch Mode or Real Time Log File Main Border Firewall Agent Agent Stand-Alone Network IDS (NIDS) (Inside Firewall) Internal Switch-Based Network IDS (NIDS) Stand-Alone Network IDS (NIDS) (Outside Firewall)

Figure 5-26: Event Correlation in An Integrated Log File What is Going on Here? 1. 8:45:05.03 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 2. 8:45:05.45 Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry) 3. 8:45:06.03 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) What is Going on Here? 4. 8:45:12.30 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 5. 8:45:13.02. Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry) 6. 8:45:13.27 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) What is Going on Here? 7. 8:45:30.45 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 8. 8:45:30.59 Host 60.3.4.5. Successful login for account Lee (Host 60.3.4.5 log entry) 9. 8:45:31.11 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) Do the first nine events constitute an attack with high likelihood of accurate assessment? (Defend your answer.)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) What is Going on Here? 10. 9:05:12.25 Packet from 60.3.4.5 to 123.28.5.210. TFTP request (network IDS log entry) 11. (no corresponding host log entry) 12. 9:05:13.08. Series of packets from 123.28.5.210 to 60.3.4.5. TFTP response (network IDS) 13. (no more host log entries)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) What is Going on Here? 14. 9:10:48.52 Packet from 60.3.4.5 to 60.0.0.1. TCP SYN=1, Dest. Port 25 (network IDS) 15. 9:10:48.54 Packet from 60.0.0.1 to 60.3.4.5. TCP RST=1, Src. Port 25 (network IDS) 16. 9:10.48:58 Packet from 60.3.4.5 to 60.0.0.2. TCP SYN=1, Dest. Port 25 (network IDS) 17. 9:10:49.07 Packet from 60.0.0.2 to 60.3.4.5. TCP RST=1, Src. Port 25 (network IDS) 18. Several hundred packets like 14-17, each increasing the target IP address by 1)

Figure 5-26: Event Correlation in An Integrated Log File (Continued) What is Going on Here? 19. 9:14:18.52 Packet from 60.3.4.5 to 60.3.8.13. TCP SYN=1, Dest. Port 25 (network IDS) 20. 9:14:27.58 Packet from 60.3.8.13 to 60.3.4.5. TCP SYN=1, ACK=1, Src. Port 25 (NIDS) 21. 9:14:28.07 Packet from 60.3.4.5 to 60.3.8.13. TCP ACK=1, Dest. Port 25 (network IDS) 22. 9:15.48.05 Packet from 60.3.4.5 to 60.3.8.13 . SMTP (network IDS) (This would really be several packets back and forth.) 23. 9:15:48.18 Packet from 60.3.4.5 to 60.3.8.13. SMTP (network IDS) (This would really be several packets back and forth.) 24. Several thousand packets similar to 22 and 23

Figure 5-28: Intrusion Prevention Systems (IPSs) IPSs Use IDS Filtering Methods But actually stop attacks instead of just issuing warnings

Figure 5-28: Intrusion Prevention Systems (IPSs) (Continued) Traditional IDSs do Processing in Software Too slow to be placed in-line with the packet stream, so cannot stop attacks Unlike IDSs, use Application Specific Integrated Circuits (ASICs) Fast processing in hardware Can be placed in-line with the packet stream and so can stop attacks

Figure 5-27: IDS and IPS Placement Alert Attack Packet Internal Network Border Router IPS Internet Attack Packet IDSs are slow and cannot be in-line with the packet stream. IPSs use ASICs for speed; can be in-line with the packet stream. Therefore can stop attacks.

Figure 5-28: Intrusion Prevention Systems (IPSs) (Continued) Attack Identification Confidence Spectrum IDSs create too many false alarms to be used in stopping attacks Some attacks can be detected with more confidence than others At first, record what the IPS would have stopped if it had been allowed to stop attacks Later, let the IPS stop high-confidence attacks May later let the IPS stop attacks with somewhat lower detection confidence

Figure 5-28: Intrusion Prevention Systems (IPSs) (Continued) Actions Drop packets Limit bandwidth of attack stream to a server When attack packets and legitimate packets to a host cannot be separated accurately Still hurts legitimate packets to that host Protects other traffic from overload

Host Firewalls

Host Firewalls Host Firewalls Placed on clients and servers. Last line of defense. Precise protection because few host functions to protect. Internet 172.18.9.x Subnet Public Webserver 60.47.3.9 External DNS Server 60.47.3.4 Host Firewall Host Firewall 6. DMZ SMTP Relay Proxy 60.47.3.10 HTTP Proxy Server 60.47.3.1 Marketing Client on 172.18.5.x Subnet Accounting Server on 172.18.7.x Subnet 5. Server Host Firewall

Figure 5-29: Host Firewalls Firewalls on clients and servers Give defense in depth

Figure 5-29: Host Firewalls (Continued) Client PC Firewalls Third party PC firewalls are common Windows XP introduced the Internet Connection Facility (ICF) Stateful inspection firewall Not turned on by default No egress filtering Can open selected ports for ingress filtering

Figure 5-29: Host Firewalls (Continued) Client PC Firewalls Windows XP Service Pack 2 (Late 2004) introduced the Windows Firewall Upgrade to ICF Turned on by default Can open selected ports for ingress filtering Still no egress filtering

Figure 5-29: Host Firewalls (Continued) Why no egress filtering on PC firewalls? Ingress filtering requires no or little user intervention Egress filtering requires users to decide what programs can communicate over the Internet—a difficult task Does not stop spyware, other outbound attack communication

Figure 5-29: Host Firewalls (Continued) Server Firewalls Internet-level firewalls Precise because only need to open a few specific ports Application-Specific Firewalls Filtering rules linked to specific protocols (SQL, HTTP, etc.) Filtering sometimes linked to specific application programs (Microsoft’s IIS, etc.)

Firewall Management

Figure 5-30: Firewall Management Firewalls are Ineffective without Planning and Maintenance Planning Asset Assessment: identify all assets and their relative sensitivities Threat Assessment: what threats can attack each asset? Design a Firewall Policy for Each Asset Design a Firewall Architecture

Figure 5-30: Firewall Management (Continued) Implementation Firewall Operating System Hardening Firewall appliances are hardened at the factory Firewall vendors often sell firewalls that are general-purpose computers that have pre-hardened versions of Unix or Windows If a firm purchases a general purpose computer and firewall software, strong actions must be taken to harden the firewall’s operating system

Figure 5-30: Firewall Management (Continued) Implementation Select Implementation Options e.g., Turn off remote management if not needed Firewall ACL Rule Configuration Complex and therefore error-prone Driven by firewall policies

Figure 5-30: Firewall Management (Continued) Implementation Vulnerability Testing After Configuration Must do vulnerability test even after “trivial” changes Driven by firewall policies

Figure 5-31: Firewall Policies, Implementation, and Testing Firewall Policy (Example: Allow incoming webserver connections only to specific webservers.) Technology Hardened Firewall Hardened Webserver Procedures ACL Configuration Who may change ACLs, etc. Protection Firewall Hardened Webserver Testing Attempt to Connect to Unauthorized Webserver

Figure 5-30: Firewall Management (Continued) Implementation Maintenance Constantly change firewall policies and ACLs to deal with new threats Document each change carefully! Read log files daily to understand the current threat environment Read log files daily to detect problems (the dropping of legitimate traffic, etc.) Update the firewall software when there are new releases

Figure 5-32: Centralized Firewall Management System Management Console Remote PCs must be actively managed centrally Remote Management is needed to reduce management labor Dangerous because if an attacker compromises it, they own the network Internet Home PC Firewall Site A Site B

Figure 5-33: Hard Problems for Firewall Filtering Firewalls and Encrypted Communication Firewalls cannot read encrypted messages so cannot filter them Must decide upon the placement of the VPN gateway relative to the firewall (Figure 5-34)

Figure 5-34: Encrypted Communication and Firewalls Border Router Border Router Firewall can not read encrypted packets. Merely passes them through to the VPN Gateway VPN Gateway Firewall can read decrypted packets But open to attack because not defended by firewall Firewall VPN Gateway Firewall Internal Host Internal Host

Figure 5-33: Hard Problems for Firewall Filtering (Continued) Denial of Service (DoS) Protection DoS attacks are usually easy to detect But often hard to stop even if detected accurately Good and bad TCP segments in a flood cannot be distinguished

Figure 5-33: Hard Problems for Firewall Filtering (Continued) Rate limiting Limit rate of attack and legitimate packets to a particular server This preserves capacity for other servers Does not work if the access line to the Internet is saturated

Figure 5-33: Hard Problems for Firewall Filtering (Continued) The Need for Outside Help If the Internet access line is saturated, no internal actions help Even if rate limiting works, the target server usually is barely operating Need others to help upstream of the attack Filter out attack packets at the sources Requires ISP efforts Requires the efforts of other companies and individual users

Figure 5-33: Hard Problems for Firewall Filtering (Continued) Signatures Versus Anomaly Detection Signatures are rules based on attack packet content Cannot stop new attacks, for which no signatures exist yet Attacks spread very rapidly today, so there can be significant damage before signatures are created and disseminated Especially bad for zero-day attacks based on vulnerabilities that were not known before hand

Figure 5-33: Hard Problems for Firewall Filtering (Continued) Anomaly Detection Detect anomalous (unusual) behavior indicating attacks Statistical patterns in traffic Behavior that seems wrong (reformatting the hard drive, for instance) Too many false positives (false alarms) today Needed because anomaly detection is the only way to stop zero-day attacks and very rapidly spreading attacks