Firewall Technology
Firewall Technology - Outline Defining the types of firewalls. Developing a firewall configuration. Designing a firewall rule set.
Firewall: Origin of the Term Historically, brick walls were built between adjoining buildings in apartment complexes so that if a fire broke out it would not spread from one building to the next. Quite naturally, these walls were called "firewalls".
Castle and Moat Analogy A network firewall is more like the moat around a castle than a firewall in a building: it restricts access from the outside, and it also restricts outbound connections (i.e. it filters out undesirable activity from internal hosts).
Overview A firewall is a network access control device. It can perform a centralized security management function. It denies all traffic except that which is explicitly allowed (default deny). It can be configured based on services, source or destination IP address, user ID, etc.
Why use Firewalls? Prevent denial of service attacks, e.g. SYN flooding: the attacker opens many bogus (half-open) TCP connections so that no resources are left for real connections. Prevent illegal modification of or access to internal data, e.g. an attacker replacing the company's homepage with something else. Allow only authorized access to the inside network (a set of authenticated users/hosts). Prevent insider attacks on critical systems: critical systems (human resources, payroll, etc.) can be hidden behind their own firewalls to protect them from attacks from the inside.
The Unprotected Network What could possibly be wrong with this setup? A hacker's paradise and an administrator's nightmare!
What Can We Do? Firewalls give good protection against attacks from the Internet. The problem is that there are various firewall technologies and deployment strategies. To choose the right solution, we need to know a bit more about the underlying TCP/IP protocols used on the Internet.
The TCP/IP-Protocol stack
The IP-protocol Important fields: Source Address, Destination Address, Protocol
The TCP-protocol Important fields: Source Port and Destination Port ACK and SYN flags
The UDP-protocol Important fields: Source Port and Destination Port
Common Ports and Services Windows: %windir%\System32\drivers\etc\services Linux: /etc/services Examples: SMTP = port 25 HTTP = port 80 POP3 = port 110 PPTP = port 1723
Types of Firewalls Packet filtering firewall (network layer). Stateful inspection firewall (tracks the connection state of the transport layer protocol). Application layer firewall (also known as an application gateway or proxy). Hybrid: a combination of the above, or a generic service proxy (e.g. a SOCKS proxy works for all TCP-based applications).
Packet Filter Firewalls (Chokes) Should an arriving packet be allowed in? Should a departing packet be let out? They are IP routers restricting the flow of packets between an internal network and external networks. The packet-by-packet decision to forward or drop is based on: source/destination IP addresses; protocol value (e.g. drop ICMP packets); TCP/UDP source port/destination port; TCP SYN and ACK bits.
Packet Filtering Examples Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 (UDP) or with either source or destination port = 23 (telnet). Result: all incoming and outgoing UDP flows and all telnet connections are blocked. Example 2: Block inbound TCP segments with SYN=1 and ACK=0. This prevents external clients from opening TCP connections to internal hosts, but allows internal clients to connect to the outside, because the SYN-ACK replies they receive have ACK=1 and pass. Note that any inbound segment with ACK=1 passes this rule, whether or not an internal host actually opened the connection; a stateless filter cannot tell the difference.
Packet Filter Firewall - Pros Fast, because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data part of packets. Because the payload is ignored, they are application independent. Least expensive of the three types of firewalls. Packet filtering rules are relatively easy to configure. No configuration changes are necessary on the protected workstations.
Packet Filter Firewall - Cons They allow a direct connection between endpoints through the firewall, which leaves a vulnerability in the endpoint exposed to exploitation. No screening of the packet payload is available, so it is impossible, for example, to block users from visiting web sites deemed off limits. Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no payload information is available. Complex firewall policies are difficult to implement using filtering rules alone. They rely on IP addresses for authentication rather than on user authentication.
Stateful packet inspection An advanced packet filter that keeps track of the state of the network connections going through it. It takes the state of the connection into account: an incoming packet is matched to the outbound request that solicited it before it is allowed in. Some products also examine and filter based on packet content at the application layer; for example, dropping incoming mail with certain types of attachment.
Stateful packet inspection - Pros Improved security over basic packet filters, because the connection state (and, where supported, the content) is examined. A degree of application independence, depending on the level of stateful examination. Better logging of activities than basic packet filters. Good performance. Configuration changes to the protected workstations are unnecessary.
Stateful packet inspection - Cons Still allow a direct connection between endpoints through the firewall, which leaves a vulnerability in the endpoint exposed to exploitation. No hiding of your private systems. Setting up stateful packet examination rules is more complicated. Application-layer checks exist only for the protocols the product supports. No user authentication.
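The connection-tracking idea above, as an added example that is not part of the original slides: a minimal stateful filter for TCP in Python. It keeps a table of connections opened from the inside, admits inbound packets only when they belong to one of them, and shows the case the stateless "ACK=1 passes" rule gets wrong (a stray ACK probe from a host nobody contacted). All addresses and packets are constructed; `expire_closing` stands in for the timers a real tracker uses.

```python
# Added example (not from the slides): a minimal stateful TCP filter in Python.
# Addresses and packets below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = from an internal host, "in" = from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulFilter:
    """Only inbound packets that belong to a connection an inside host opened
    are admitted. Connections are keyed as seen from inside:
    (internal ip, internal port, external ip, external port)."""

    def __init__(self):
        self.table = {}   # key -> "SYN_SENT" | "ESTABLISHED" | "CLOSING"

    @staticmethod
    def _key(p: Packet):
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)   # a reply has the two ends swapped

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)

        if state is None:
            # Only an outbound SYN may create state. Everything else without
            # state is dropped: inbound SYNs and also stray ACK probes that a
            # stateless "inbound ACK=1 passes" rule would let through.
            if p.direction == "out" and p.syn and not p.ack:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "drop"

        if state == "SYN_SENT":
            if p.direction == "out":
                return "allow"            # e.g. a retransmitted SYN
            if p.syn and p.ack:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "drop"                 # anything but SYN-ACK from outside is bogus here

        # ESTABLISHED or CLOSING: both directions pass; a FIN starts teardown.
        if p.fin:
            self.table[key] = "CLOSING"
        return "allow"

    def expire_closing(self):
        """Stand-in for the idle/TIME_WAIT timer of a real connection tracker."""
        for key in [k for k, s in self.table.items() if s == "CLOSING"]:
            del self.table[key]


if __name__ == "__main__":
    fw = StatefulFilter()
    inside, outside = "10.0.0.5", "93.184.216.34"
    for pkt in [
        Packet("out", inside, 40000, outside, 80, syn=True),
        Packet("in", outside, 80, inside, 40000, syn=True, ack=True),
        Packet("in", "198.51.100.7", 80, inside, 40000, ack=True),   # ACK probe: dropped
        Packet("in", "198.51.100.7", 4444, inside, 22, syn=True),    # inbound SYN: dropped
    ]:
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, fw.handle(pkt))
```

The table is keyed from the inside host's point of view so that a request and its reply hash to the same entry; a real tracker also handles sequence-number windows, RST, and UDP/ICMP pseudo-state, which are left out here.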
Application Gateway (Proxy) Firewalls Typically, an application proxy is a program that runs on a MULTI-HOMED HOST and emulates both client and server ends of some application protocol. For example, an HTTP proxy (web proxy) acts as an HTTP server for local users and an HTTP client for web servers on the Internet.
Application Gateway (Proxy) Firewall Connections through an application gateway (proxy) firewall (figure).
Application Gateway creates an illusion
Characteristics of Proxy Firewalls Outbound connections terminate on the firewall. A set of policy rules defines how traffic from one network is transported to any other. If no rule exists, firewalls deny or drop the data packets. Policy rules are enforced through the use of proxies. Each protocol on a firewall must have its own proxy.
Proxy/Gateway Firewall Example Allow selected internal users to telnet outside, using an application gateway together with a router that has a packet filter. 1. Require all telnet users to telnet to the gateway (a host-to-gateway telnet session). 2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections. 3. The router's packet filter blocks all telnet connections not originating from the gateway.
Application proxies - Pros The end points do not communicate directly with one another, so a protocol-level attack that could slip by a packet filter or stateful inspection firewall can be stopped by the proxy program. Provide content filtering capability. Hide internal addresses. Web proxies often cache content to improve response time and reduce load on the Internet link. Robust user authentication. Logging and auditing of users' activities on the Internet. Policy rules are usually easier to express than packet filtering rules (e.g. limits on the amount and timing of communication).
Application proxies - Cons Performance problems: much slower than the other two types. Must have a proxy for every protocol; lacking a proxy may prevent a protocol from being handled correctly by the firewall. TCP is the preferred transport; UDP may not be supported. Limited transparency: clients may need to be modified, e.g. by setting up the proxy server in a browser. No protection from all protocol weaknesses.
Hybrids Hybrid firewalls provide a way of handling protocols for which no specific proxy exists. The generic service proxy (GSP) lets the application layer firewall relay other protocols. For those protocols the GSP behaves like a packet filtering firewall: it relays the connection without understanding the application protocol.
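The proxy properties listed above (protocol emulation, content filtering, user authentication, hiding internal details, per-user logging), as an added example that is not part of the original slides: the policy checks an HTTP proxy applies before it opens its own connection to the origin server, written in Python. The proxy re-parses the client's request as HTTP, so bytes that are not well-formed HTTP never reach the server, which is the advantage over a packet filter that only sees "TCP to port 80". The method list, blocked hosts, user list and header names are assumptions made for the example.

```python
# Added example (not from the slides): policy enforcement in an HTTP application
# proxy. Hosts, users and requests are constructed for illustration.
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # CONNECT, TRACE etc. are refused (assumed policy)
BLOCKED_HOSTS = {"gambling.example"}               # content-filtering list (assumed)
AUTHORIZED_USERS = {"alice", "bob"}                # users the proxy has authenticated (assumed)
STRIP_HEADERS = {"x-internal-user", "x-forwarded-for"}   # never leak internal details outward

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


class ProxyReject(Exception):
    """Raised when a request is not forwarded; the origin server never sees it."""


def parse_request(raw: bytes):
    """Parse an HTTP/1.x request head. Anything that is not well-formed HTTP is rejected.
    Returns (method, target, headers with lower-cased names, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyReject("no end of headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII bytes in request head")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ProxyReject("malformed request line: %r" % lines[0][:40])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ProxyReject("malformed header: %r" % line[:40])
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body


def relay(raw: bytes, user: str, log: list) -> bytes:
    """Apply policy to a client request and build the request the proxy sends upstream.
    `user` is whoever the proxy authenticated on the client-side connection."""
    if user not in AUTHORIZED_USERS:
        raise ProxyReject("user %r is not authorized" % user)
    method, target, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise ProxyReject("method %s not permitted" % method)
    host = headers.get("host")
    if not host:
        raise ProxyReject("missing Host header")
    if host.split(":")[0].lower() in BLOCKED_HOSTS:
        raise ProxyReject("host %s is off limits" % host)
    log.append((user, method, host, target))           # per-user audit trail
    out_headers = {k: v for k, v in headers.items() if k not in STRIP_HEADERS}
    out_headers["via"] = "1.1 proxy"                   # origin sees the proxy, not the client
    head = "%s %s HTTP/1.1\r\n" % (method, target)
    head += "".join("%s: %s\r\n" % (k, v) for k, v in out_headers.items())
    return head.encode("ascii") + b"\r\n" + body


def decide(raw: bytes, user: str, log: list):
    """Convenience wrapper: ("forward", upstream bytes) or ("reject", reason)."""
    try:
        return "forward", relay(raw, user, log)
    except ProxyReject as e:
        return "reject", str(e)


if __name__ == "__main__":
    audit = []
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Internal-User: alice\r\n\r\n"
    print(decide(good, "alice", audit))
    print(decide(b"EHLO mail.example\r\n\r\n", "alice", audit))     # SMTP talked to port 80
    print(decide(b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example\r\n\r\n", "bob", audit))
    print(audit)
```

Rejected requests are answered by the proxy itself (typically with a 4xx response) and logged with the authenticated user, which is the "logging and auditing of user activities" the slides refer to; the origin server only ever receives requests the proxy has rebuilt.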
Developing a Firewall Configuration Screened Host Configuration. Screened Subnet Configuration. Dual Firewall Configuration.
Screened Host Configuration Built using a packet filter firewall and a gateway/proxy firewall. The gateway is a specially chosen computer running network servers and proxy servers. Only external packets destined for the gateway are allowed through the packet filter firewall. All internal packets destined for the outside must go through a proxy server; otherwise they are dropped by the packet filter firewall.
Screened Subnet Configuration Uses a single packet filtering firewall with three network interface cards. Systems that need to be accessed from outside (in the figure, the proxy firewall and the SMTP server) are placed on a network separate from the internal network.
Dual Firewall Configuration For higher security, two chokes and a gateway are used. The external choke and the gateway are configured as in the screened host configuration. The second choke is a failsafe: if an attacker gains control of the gateway, the internal choke prevents further attacks against the internal network. Internet-accessible servers are placed in the DMZ (demilitarized zone) network between FW1 and FW2.
SOHO Configuration (figure) Internet Service Provider, Broadband Modem (DSL or Cable), SOHO Router, Ethernet Switch, User PCs connected over UTP. The SOHO router acts as router, DHCP server, NAT firewall and limited application firewall. Many access routers combine the router and the Ethernet switch in a single box.
Developing a Firewall Configuration The organization's Internet policy allows users to use services such as HTTP, HTTPS, FTP, Telnet, and SSH. Based on this policy, a set of policy rules for the various architectures can be constructed.
Designing a Firewall Rule Set Rule sets are evaluated with a first-match algorithm: the first rule that matches a packet decides its fate and later rules are not consulted. This dictates that the most specific rules be placed at the top of the rule set and the least specific rules at the bottom.
Designing a Firewall Rule Set To define a general rule set, examine the expected traffic load of the firewall and rank the traffic types in order, placing the Internet service with the largest traffic at the top of the rule set (so the common case is decided after evaluating the fewest rules). Place any deny rules pertaining to a protocol above the allow rules for that protocol, so that the exceptions match first.
Firewall Rule Set: Special Rules Cleanup rule: deny everything not explicitly allowed. From any any To any any: Deny. The cleanup rule is always the last (bottommost) rule. Stealth rule: protects the firewall itself. From any any To firewall any: Deny. The stealth rule is placed first (topmost). Any rule that must reach the firewall itself (e.g. administrative access from a management host) has to precede the stealth rule, otherwise the stealth rule matches first and drops it.
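The packet filtering examples (protocol 17 and port 23 blocked, inbound SYN=1/ACK=0 dropped) and the rule-set design rules just given (first match wins, specific before general, stealth rule first, cleanup rule last), as one added example that is not part of the original slides: a small first-match packet filter in Python with a rule set built in that order. The firewall address, the internal prefix and the allow rules for web traffic are assumptions made for the example; the prefix matching is deliberately simplified.

```python
# Added example (not from the slides): a first-match packet filter in Python.
# Addresses and the rule set are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

FIREWALL_IP = "203.0.113.1"   # assumed address of the firewall's own interface
INTERNAL_NET = "10.0.0."      # assumed internal prefix; patterns ending in "." match prefixes


@dataclass
class Packet:
    direction: str       # "in" = arriving from the Internet, "out" = leaving the internal net
    proto: int           # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    direction: Optional[str] = None     # None means "any" for every field below
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None
    either_port: Optional[int] = None   # matches if source OR destination port equals this


def _addr_match(pattern: Optional[str], addr: str) -> bool:
    if pattern is None:
        return True
    # Simplification: a pattern ending in "." is treated as a network prefix.
    return addr.startswith(pattern) if pattern.endswith(".") else addr == pattern


def matches(rule: Rule, p: Packet) -> bool:
    return all([
        rule.direction is None or rule.direction == p.direction,
        rule.proto is None or rule.proto == p.proto,
        _addr_match(rule.src, p.src),
        _addr_match(rule.dst, p.dst),
        rule.sport is None or rule.sport == p.sport,
        rule.dport is None or rule.dport == p.dport,
        rule.syn is None or rule.syn == p.syn,
        rule.ack is None or rule.ack == p.ack,
        rule.either_port is None or rule.either_port in (p.sport, p.dport),
    ])


def evaluate(rules, p: Packet):
    """First match wins: return (action, rule name) of the first matching rule."""
    for r in rules:
        if matches(r, p):
            return r.action, r.name
    return "deny", "implicit-default"   # only reached if no cleanup rule is present


RULES = [
    # Stealth rule first: nothing may talk to the firewall itself.
    Rule("stealth", "deny", dst=FIREWALL_IP),
    # Slide example 1: drop all UDP (protocol 17) and anything on port 23 (telnet).
    Rule("no-udp", "deny", proto=17),
    Rule("no-telnet", "deny", proto=6, either_port=23),
    # Slide example 2: drop inbound TCP connection attempts (SYN=1, ACK=0).
    Rule("no-inbound-syn", "deny", direction="in", proto=6, syn=True, ack=False),
    # Specific allow rules for the heaviest traffic (web) come before the general ones.
    Rule("http-out", "allow", direction="out", proto=6, src=INTERNAL_NET, dport=80),
    Rule("https-out", "allow", direction="out", proto=6, src=INTERNAL_NET, dport=443),
    # Replies to inside hosts: any inbound TCP segment with ACK set passes (stateless!).
    Rule("tcp-replies-in", "allow", direction="in", proto=6, dst=INTERNAL_NET, ack=True),
    # Cleanup rule last: deny everything not explicitly allowed.
    Rule("cleanup", "deny"),
]


if __name__ == "__main__":
    for pkt in [
        Packet("out", 6, "10.0.0.5", "93.184.216.34", 40000, 80, syn=True),
        Packet("in", 6, "93.184.216.34", "10.0.0.5", 80, 40000, syn=True, ack=True),
        Packet("in", 6, "198.51.100.7", "10.0.0.5", 4444, 22, syn=True),
        Packet("out", 17, "10.0.0.5", "198.51.100.53", 5353, 53),
        Packet("in", 6, "198.51.100.7", FIREWALL_IP, 4444, 22, syn=True),
    ]:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(RULES, pkt))
```

Moving the cleanup rule to the top denies every packet, which is the first-match property the design rules are built around; the `tcp-replies-in` rule also shows the stateless weakness noted with Example 2: an inbound segment with ACK=1 from a host nobody contacted is still allowed.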
Internet Accessible Systems Firewall Rules for Internet Systems Accessible Outside the Firewall.
Single Firewall Architecture #2: Single firewall.
Single Firewall - Rule Set Firewall Rules for the Single Firewall Architecture.
Dual Firewalls Architecture #3: Dual Firewalls.
Dual Firewalls Firewall Rules for Firewall #1 in the Dual Firewall Architecture.
Dual Firewalls Firewall Rules for Firewall #2 in the Dual Firewall Architecture.
NAT and PAT Because the firewall keeps track of all live connections through it, it can perform NAT, PAT, or any combination of the two. NAT: Network Address Translation. PAT: Port Address Translation. A firewall performing NAT or PAT is often referred to as a masquerading firewall.
NAT Explained A NAT firewall hides internal IP addresses by replacing the internal source IP address of an outgoing packet with that of the firewall device (see figure). This allows hosts with private (not Internet-registered) IP addresses to access the Internet.
NAT Explained The NAT device replaces the source IP address in an outgoing packet with its own address and saves enough information (a translation table entry) to reverse the translation for the reply packet that comes back from the Internet.
Network Address Translation (NAT) (figure) Outgoing packet: the client sends From <internal IP, port>; the NAT firewall rewrites it to From <external IP, port> and records the pair in its translation table (Internal IP addr/port against External IP addr/port) before forwarding it to the Internet server.
Network Address Translation (NAT) (figure) Reply packet: the server sends To <external IP, port>; the NAT firewall looks the pair up in the translation table and rewrites it To <internal IP, port> before forwarding it to the client.
NAT used by ISPs A large group of internal clients shares a small set of Internet addresses, either to hide their identities or to expand the internal network address space.
Load Balancing Translation A single public IP address and port is translated to a pool of identically configured servers, so that a single public address can be served by a number of servers.
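The NAT/PAT masquerading described on the preceding slides and the load balancing translation above, as one added example that is not part of the original slides: a Python model of the translation table in both directions. Outgoing packets get the firewall's public address and a fresh public port (so two inside hosts using the same source port do not collide), replies are mapped back through the table, and anything without a table entry is dropped; the load balancer does the reverse, mapping one public address/port onto a server pool. The public addresses, port range and server pool are assumptions made for the example.

```python
# Added example (not from the slides): NAT/PAT masquerading and load-balancing
# translation in Python. Addresses and ports are constructed for illustration.
from dataclasses import dataclass, replace
import itertools

PUBLIC_IP = "203.0.113.1"   # assumed public address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source NAT with port translation (NAT + PAT): every outbound connection is
    given the firewall's public IP and a unique public port; replies are mapped back."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 10000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_table = {}   # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.in_table = {}    # public port -> (int_ip, int_port, ext_ip, ext_port)

    def outgoing(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.out_table.get(key)
        if port is None:                      # first packet of a new connection
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[port] = key
        return replace(p, src=self.public_ip, sport=port)

    def incoming(self, p: Packet):
        """Reverse translation; returns None (drop) for anything without a mapping."""
        if p.dst != self.public_ip:
            return None
        key = self.in_table.get(p.dport)
        if key is None:
            return None                       # unsolicited: no inside host asked for it
        int_ip, int_port, ext_ip, ext_port = key
        if (p.src, p.sport) != (ext_ip, ext_port):
            return None                       # reply from an endpoint other than the one contacted
        return replace(p, dst=int_ip, dport=int_port)


class LoadBalancer:
    """Destination translation: one public (ip, port) fronts a pool of servers.
    New connections are dealt out round-robin and stay on the same server."""

    def __init__(self, public_ip: str, public_port: int, pool):
        self.public = (public_ip, public_port)
        self._rr = itertools.cycle(pool)
        self.sessions = {}   # (client ip, client port) -> server ip

    def incoming(self, p: Packet):
        if (p.dst, p.dport) != self.public:
            return None
        server = self.sessions.get((p.src, p.sport))
        if server is None:
            server = next(self._rr)
            self.sessions[(p.src, p.sport)] = server
        return replace(p, dst=server)

    def outgoing(self, p: Packet):
        """Server reply: restore the public address so the client sees a single server."""
        if self.sessions.get((p.dst, p.dport)) != p.src:
            return None
        return replace(p, src=self.public[0], sport=self.public[1])


if __name__ == "__main__":
    nat = Masquerader()
    print(nat.outgoing(Packet("10.0.0.5", 5000, "93.184.216.34", 80)))
    print(nat.outgoing(Packet("10.0.0.6", 5000, "93.184.216.34", 80)))
    print(nat.incoming(Packet("93.184.216.34", 80, PUBLIC_IP, 10001)))
    print(nat.incoming(Packet("198.51.100.7", 4444, PUBLIC_IP, 10000)))   # None: dropped
    lb = LoadBalancer("203.0.113.80", 443, ["192.168.1.10", "192.168.1.11"])
    print(lb.incoming(Packet("198.51.100.7", 50000, "203.0.113.80", 443)))
    print(lb.incoming(Packet("198.51.100.8", 50000, "203.0.113.80", 443)))
```

The check on the reply's source endpoint in `Masquerader.incoming` is what makes a masquerading firewall drop unsolicited inbound traffic: an outside host cannot reach an inside host through the public address unless that inside host opened the connection first, which is why NAT alone already hides the private systems that a plain packet filter does not.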