CSCD 434 Spring 2019 Lecture 16 Firewalls.


Introduction
Firewalls
- Firewall as part of a security solution
- Motivation for firewalls
- Purpose and definition of firewalls
- Different types of firewalls
- Firewall rules
- Effectiveness of firewalls

Security Mechanisms
- There are a number of mechanisms that can be used to ensure system security
- Cost needs to be considered along with security; can’t do everything
- Most businesses' purpose is not computer security … it is producing products/services
- Will be looking at some models that incorporate these mechanisms

Security Mechanisms
- Cryptographic techniques
  - Have discussed these
- Software and hardware for access limitations
  - Firewalls - today
  - Intrusion Detection and Prevention Systems
- Hardware for authentication
  - Smartcards, security tokens
- Security policies / access control
  - Define who has access to which resources
- Physical security
  - Keep in safe place with limited and authorized physical access

What is a firewall?
- A hardware device and/or software program which sits between the Internet and the intranet, or internet, of an organization
- Its main objectives are to filter:
  - What should come in the intranet (inbound traffic)
  - What should come out of the intranet (outbound traffic)

Another View: Purpose of Firewalls
- Basic task: control traffic between networks with different zones of trust
  - Internet has no zones of trust
  - Internal network: high trust zone
- Provide controlled interface between zones of trust
- Enforcement of security policies and connectivity model

Firewall Between Zones of Trust
[Figure: a firewall placed between a high-trust zone and a no-trust zone]

Properties of Firewalls
Firewalls must have the following properties:
- All traffic must pass through firewall
- Only authorized traffic as defined by security policy
- Firewall itself immune to penetration

Firewall Types
- Many ways to categorize firewalls
- One way looks at where they filter within the protocol stack
- Four categories:
  - Packet filtering
  - Circuit gateway
  - Application gateway
  - Plus NAT – not just a firewall

Packet Filter Firewall
First Generation Firewalls
- Examines IP, TCP, UDP, and ICMP headers
- Cheap and fast!
- Usually built into routers; drops packets based on source, destination addresses or port numbers
- Little or no context is kept – decision based on single packets
- Administrator creates list of acceptable machines and/or services and stoplist of unacceptable machines or services

Packet Filter Firewall
Helps with Spoofed Packets
- Incoming packets shouldn't have a source address from your network
  - Ingress filtering
- Outgoing packets should only have a source address from your network
  - Egress filtering
Packet filters - not a complete answer
- Cheap, easy method of control, but easy to get rules wrong and rules can become too complex ...
[Figure: example packets labelled with the addresses 147.87.10.1, 147.87.10.5, 147.87.10.1 and 187.111.90.9]

Packet Filter Firewall
Screening Router Firewalls – Type of Packet Filter
- Add firewall software to router
- Usually provide light filtering only
- Millions of packets – can only screen headers for probing types of scans
- Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering

Packet Filter Firewall
Effectiveness of Packet Filter Firewalls
- What kind of attacks?
- Only attack packets that take advantage of TCP/IP vulnerabilities
  - Probes, scans, DoS attacks
- Some attacks on known ports
  - Trojans that use a known port

Packet Filter Firewalls
[Figure: static packet filter firewall on a router between the Internet and the corporate network. Arriving packets (IP header + TCP header + packet contents, IP header + UDP header + packet contents, IP header + ICMP message) are examined one at a time, in isolation. Only IP, TCP, UDP and ICMP headers are examined. Labels: Permit (Pass), Deny (Drop), Log File.]

Packet Filter Firewalls Have … Access Control Lists (ACLs)
- Both ingress and egress filtering
- Will have two separate ACLs for ingress and egress
- Goes through rules in order
- Tests each rule: the packet either matches a rule and passes, or matches a rule and is denied
- If we reach the end of the list without matching, have the option of denying all or passing all

Packet Filter Firewalls
ACL Design Philosophies
- Default deny: “Everything not expressly permitted is denied”
- Default permit: “Everything not expressly prohibited is permitted”
- Which is better?

Ruleset Design
Block Everything
- Blocking everything provides strongest security but the most inconvenience
- Things break and people complain
- Block everything method covers all bases but creates more work in figuring out how to make some applications work and then opening holes

Ruleset Design
Block Nothing
- Blocking nothing provides minimal security by only closing holes you can identify
- Blocking nothing provides least inconvenience to our users
- Blocking nothing means you spend time figuring out what you want to protect by closing each hole … lots of holes

Packet Filter Firewalls
Example: Ingress ACL Rules
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [internal address range]
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connect to a public webserver]

Packet Filter Firewalls
Ingress ACL Rules Continued
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]

Packet Filter Firewalls
Ingress ACL Rules
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]

Ingress ACL List Rules
Explanation of Rules
1. First three rules deal with ingress IP source filtering
2. Rule 5 blocks a known bad address
3. Rule 6 filters packets with both SYN and FIN bits
4. Rule 7: web server traffic allowed, ports 80, 443
5. Rule 8: no TCP outside connections
6. Rules 9 – 12: block incoming FTP, Telnet and NetBIOS
7. Block rlogins on ports 513, 514
8. Block SSH too; UDP for port 69 blocked

Notes:
- First three rules deal with ingress source filtering – IP address can’t be from the internal hosts
- Rule 5 identifies a specific address that’s blocked because it's known to be bad
- Rule 6 filters packets whose SYN and FIN bits are set
- Rule 7 – TCP connections are allowed to a web server, 60.47.3.9, and only web traffic, port 80, or secure web, port 443, is allowed
- Rule 8 – doesn’t allow TCP connections from outside in
- Rules 9 – 12 – block incoming FTP, Telnet connections and NetBIOS connections
- Next rules block rlogins on ports 513, 514 for Unix
- Also blocks SSH because of vulnerabilities
- UDP traffic rule is blocked – port 69
- ICMP has one allowed message in – “echo reply” messages – hosts can ping and get back a reply
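The 17 ingress rules above, evaluated first-match-wins as the ACL slide describes. This is an added example, not part of the lecture; the packet dictionaries, the 203.0.113.x sources and the 60.47.3.20 destination are constructed sample values.

```python
import ipaddress

def src_in(cidr):
    """Match packets whose source address falls inside `cidr`."""
    network = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in network

def tcp_dport(*ports):
    """Match TCP packets whose destination port is one of `ports`."""
    return lambda p: p["proto"] == "tcp" and p["dport"] in ports

def tcp_flags(p):
    return p.get("flags", set()) if p["proto"] == "tcp" else set()

# (rule number, predicate, action), in the order the slides list them.
INGRESS_ACL = [
    (1, src_in("10.0.0.0/8"), "DENY"),
    (2, src_in("172.16.0.0/12"), "DENY"),   # 172.16.*.* to 172.31.*.*
    (3, src_in("192.168.0.0/16"), "DENY"),
    (4, src_in("60.40.0.0/16"), "DENY"),    # internal range arriving from outside
    (5, lambda p: p["src"] == "1.2.3.4", "DENY"),
    (6, lambda p: {"SYN", "FIN"} <= tcp_flags(p), "DENY"),
    (7, lambda p: p["dst"] == "60.47.3.9" and tcp_dport(80, 443)(p), "PASS"),
    (8, lambda p: "SYN" in tcp_flags(p) and "ACK" not in tcp_flags(p), "DENY"),
    (9, tcp_dport(20), "DENY"),
    (10, tcp_dport(21), "DENY"),
    (11, tcp_dport(23), "DENY"),
    (12, tcp_dport(135, 136, 137, 138, 139), "DENY"),
    (13, tcp_dport(513), "DENY"),
    (14, tcp_dport(514), "DENY"),
    (15, tcp_dport(22), "DENY"),
    (16, lambda p: p["proto"] == "udp" and p["dport"] == 69, "DENY"),
    (17, lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 0, "PASS"),
]

def evaluate(packet, acl=INGRESS_ACL, default="DENY"):
    """First matching rule wins; `default` applies when no rule matches."""
    for number, matches, action in acl:
        if matches(packet):
            return action, number
    return default, None

# Constructed sample packets (203.0.113.0/24 is a documentation range).
WEB_SYN = {"src": "203.0.113.7", "dst": "60.47.3.9", "proto": "tcp",
           "dport": 443, "flags": {"SYN"}}
SPOOFED = dict(WEB_SYN, src="10.1.2.3")                 # private source from outside
MAIL_SYN = dict(WEB_SYN, dst="60.47.3.20", dport=25)    # new connection, not the web server
STRAY_ACK = dict(MAIL_SYN, dport=8080, flags={"ACK"})   # matches no rule at all
ECHO_REPLY = {"src": "203.0.113.7", "dst": "60.47.3.20",
              "proto": "icmp", "icmp_type": 0}

if __name__ == "__main__":
    for name in ("WEB_SYN", "SPOOFED", "MAIL_SYN", "STRAY_ACK", "ECHO_REPLY"):
        print(name, evaluate(globals()[name]))
    print("STRAY_ACK under default permit:", evaluate(STRAY_ACK, default="PASS"))
```

Rule order carries the policy: the web server's SYN is passed by rule 7 only because rule 7 is tested before rule 8, and the stray ACK shows that the default action decides every packet the list does not name.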

Packet Filter Firewalls
Egress Filtering
- Similar but different ACL for egress routing

Firewall Gateways
- Firewall runs set of proxy programs
  - Proxies filter incoming, outgoing packets
  - All incoming traffic directed to firewall
  - All outgoing traffic appears to come from firewall
- Policy embedded in proxy programs
- Two kinds of proxies
  - Application-level gateways/proxies: tailored to specific applications (HTTP, FTP, SMTP, etc.)
  - Circuit-level gateways/proxies: working on transport (TCP) level
- Gateway is like a NAT box, i.e., a home router

Circuit Gateway
Second Generation Firewalls
- A circuit level firewall works at the transport level
- Validates that a packet is either a connection request, or a data packet that belongs to an existing connection between two peers
- To validate a session, circuit level firewall examines each connection setup
  - Looks for legitimate handshake for transport layer protocol
- In addition, data packets are not forwarded until the handshake is complete

Circuit Gateway
A circuit level firewall works by ...
- Maintaining a table of valid connections, which includes state and sequence information
- Allowing network packets containing data to pass through when the packet information matches an entry in the virtual circuit table
- Once a connection is terminated, its table entry is removed
- “Virtual circuit” between two peer transport layers is closed
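A minimal model of the virtual-circuit table described in the two slides above, added here as an illustration and not taken from the lecture. It assumes TCP, tracks only the initial sequence numbers, and closes a circuit on the first FIN or RST; the endpoints and sequence numbers are constructed.

```python
class CircuitTable:
    """Relay data only on circuits whose three-way handshake completed."""

    def __init__(self):
        self.table = {}  # (client, server) -> {"state", "client_isn", "server_isn"}

    def handle(self, src, dst, flags, seq=0, ack=0):
        """Return "FORWARD" or "DROP" for one TCP segment from src to dst."""
        flags = set(flags)
        if (src, dst) in self.table:
            key, from_client = (src, dst), True
        elif (dst, src) in self.table:
            key, from_client = (dst, src), False
        elif flags == {"SYN"}:
            # Connection request: open an entry and remember the client's ISN.
            self.table[(src, dst)] = {"state": "SYN_SENT", "client_isn": seq}
            return "FORWARD"
        else:
            return "DROP"  # data or ACK that belongs to no known circuit

        entry = self.table[key]
        state = entry["state"]
        if (state == "SYN_SENT" and not from_client and flags == {"SYN", "ACK"}
                and ack == entry["client_isn"] + 1):
            entry.update(state="SYN_RCVD", server_isn=seq)
            return "FORWARD"
        if (state == "SYN_RCVD" and from_client and flags == {"ACK"}
                and ack == entry["server_isn"] + 1):
            entry["state"] = "ESTABLISHED"
            return "FORWARD"
        if state == "ESTABLISHED":
            if flags & {"FIN", "RST"}:
                del self.table[key]  # simplification: first FIN or RST closes the circuit
            return "FORWARD"
        return "DROP"  # anything else during the handshake, including early data

CLIENT = ("192.168.6.77", 40000)  # constructed endpoints
SERVER = ("203.0.113.10", 80)

def demo():
    """Verdicts for a constructed session, in order."""
    t = CircuitTable()
    return [
        t.handle(CLIENT, SERVER, {"PSH", "ACK"}, seq=1001),           # no circuit yet
        t.handle(CLIENT, SERVER, {"SYN"}, seq=1000),                  # connection request
        t.handle(CLIENT, SERVER, {"PSH", "ACK"}, seq=1001),           # data before handshake ends
        t.handle(SERVER, CLIENT, {"SYN", "ACK"}, seq=5000, ack=42),   # wrong acknowledgement
        t.handle(SERVER, CLIENT, {"SYN", "ACK"}, seq=5000, ack=1001),
        t.handle(CLIENT, SERVER, {"ACK"}, seq=1001, ack=5001),        # handshake complete
        t.handle(CLIENT, SERVER, {"PSH", "ACK"}, seq=1001, ack=5001), # data on valid circuit
        t.handle(SERVER, CLIENT, {"FIN", "ACK"}, seq=5001, ack=1100), # teardown removes entry
        t.handle(CLIENT, SERVER, {"PSH", "ACK"}, seq=1100, ack=5002), # circuit is gone
    ]

if __name__ == "__main__":
    print(demo())
```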

Circuit Gateway
Transport Level
- Uses host in middle that acts like a relay
  - Internal system forwards packet through firewall
  - Packet is inspected by firewall, and source address is modified in header
  - External server receives packet and replies
  - External server communicates with firewall as if it were actual client
- Often company intranet on one side and Internet on other side
- SOCKS is one example of circuit gateway type of firewall
  - SOCKS is an abbreviation for "SOCKetS"
  - http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol

Circuit Gateway
Specifically ...
- Launder IP connections
  - Source IP not available to server on other side of gateway
- Relay requests arrive at interface
- If allowed, are relayed through SOCKS gateway
- Replies are routed back through gateway
- Acts like Network Address Translator

Application Gateway
Application Firewalls
- Works at application level
- Go beyond circuit level to specific applications
- Also called proxy gateways and/or proxy firewalls
- Details of particular service are monitored
- Not a general purpose solution
  - Mail proxy, FTP proxy or HTTP proxy – very common
- Looks at details of application, so can look at packet contents, and takes place of actual application for client

Firewalls
Application Firewalls or Application Proxies
- What do they do?
  - Go deeper into packet analysis and look at packet payload – application – to check for correctness
- Example: HTTP proxy
  - Browser gives an HTTP request
  - Request goes through application firewall, HTTP proxy
  - HTTP proxy reads packet payload and either passes or drops HTTP request
  - Can disallow certain commands
  - Allows GET but rejects POST commands

Application Firewall
- An application level gateway that is configured to be a web proxy will not allow any FTP, Telnet or other traffic through
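The HTTP proxy check from the slides above (pass GET, reject POST, refuse payloads that are not HTTP at all), as an added sketch that is not code from the lecture. The function name, the blocklist entry and the sample requests are constructed.

```python
ALLOWED_METHODS = {"GET"}             # slides: allow GET, reject POST
BLOCKED_HOSTS = {"blocked.example"}   # constructed blocklist entry

def inspect_request(raw: bytes):
    """Return (verdict, reason) for one client payload seen by the proxy."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        # FTP commands, Telnet negotiation, SSH banners etc. end up here.
        return "DROP", "not a well-formed HTTP request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "DROP", "unsupported protocol version"
    if method not in ALLOWED_METHODS:
        return "DROP", f"method {method} not allowed"

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "DROP", "malformed header line"
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "").split(":")[0].lower()
    if not host:
        return "DROP", "missing Host header"
    if host in BLOCKED_HOSTS:
        return "DROP", f"host {host} is blocked"
    return "PASS", "ok"

# Constructed sample payloads.
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "post": b"POST /login HTTP/1.1\r\nHost: www.example.org\r\n\r\nuser=a",
    "blocked": b"GET / HTTP/1.1\r\nHost: blocked.example:8080\r\n\r\n",
    "ftp": b"USER anonymous\r\n",
    "ssh": b"SSH-2.0-client\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, inspect_request(payload))
```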

Application Firewall
[Figure: HTTP request path. Client PC 192.168.6.77 (browser) -> application firewall 60.45.2.6 (HTTP proxy) -> webserver 123.80.5.34 (webserver application)]
1. HTTP request from 192.168.6.77
2. Filtering: blocked URLs, POST commands, etc.
3. Examined HTTP request from 60.45.2.6

Application Firewall
[Figure: HTTP response path. Webserver 123.80.5.34 (webserver application) -> application firewall 60.45.2.6 (HTTP proxy) -> client PC 192.168.6.77 (browser)]
4. HTTP response to 60.45.2.6
5. Filtering on hostname, URL, MIME, etc.
6. Examined HTTP response to 192.168.6.77

Application Firewall
- Application-level gateways can also log user logins and activity
- Application-level gateways can offer high degree of security but network performance might suffer
- It can also use algorithms to determine if content of each application level packet contains malicious material and drop packets if it thinks contact is unauthorized

Network Address Translation Firewall
Network Address Translation (NAT)
- Operates at IP level
- What’s this good for?
  1. Hackers can put sniffer outside router and sniff for internal host addresses
  2. Follow up with scanning activity
  3. NAT can help to hide internal host addresses
- Also extends number of available IPv4 addresses

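Network Address Translation Firewall
[Figure: client 192.168.5.7 (internal) -> NAT firewall (IP: 60.5.9.8) -> Internet server (external), with a sniffer on the external side]
1. Client to NAT firewall: from 192.168.5.7, port 61000
2. NAT firewall to server: from 60.5.9.8, port 55380
3. Server to NAT firewall: to 60.5.9.8, port 55380
4. NAT firewall to client: to 192.168.5.7, port 61000

Translation Table
Internal IP Addr   Internal Port   External IP Addr   External Port
192.168.5.7        61000           60.5.9.8           55380
. . .              . . .           . . .              . . .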

Firewall Protection
What can a firewall protect against?
- Protect against unauthenticated interactive logins from “outside” your network
- Block traffic from outside to inside but permit users to talk to the outside
- Provide a single “choke point” where security and audit are imposed

Firewall Protection
What can a firewall protect against?
- Firewall can provide a logging and auditing function, so can list “bad” packets that were attempts to breach system security
  - Used later to establish intent in compromising network
  - Correlate early probe or breach with actual break-in

Firewall Limitations
What can’t a firewall protect against?
- Can’t protect against attacks that don’t go through the firewall
- Companies concerned about data leaking out through Internet
  - Data can just as easily leave the building via a floppy or CD
- Systems with really sensitive data should not be connected to the corporate network

Firewall Limitations
What can’t a firewall protect against?
- Can’t protect against naïve users or traitors inside your network
  - Spies are just as likely to leak information through a telephone, FAX machine or floppy disk
- Firewalls can’t protect you against stupidity
  - Can use social engineering to bypass most firewalls

Firewall Quiz – In Class Only
Say you have a packet filter firewall … on a router, stateless.
Can it protect against the following attacks? Yes/No and state how ...
1. Can the firewall prevent a SYN flood denial-of-service attack from the external network?
2. Can the firewall prevent a Smurf attack from the external network?
3. Can the firewall block a virus embedded in an incoming email?
4. Can the firewall be used to block users on the internal network from browsing a specific external IP address?
