Firewalls CS432

Overview
- What are firewalls?
- Types of firewalls
  - Packet filtering firewalls
  - Stateful firewalls
  - Application gateway firewalls
  - Address translation firewalls
  - Host-based firewalls
  - Hybrid firewalls

Definition
- A firewall is a device or system that controls the flow of traffic between different areas of your network.
- One of the main functions of a firewall is to control access to resources.
- This may be achieved by installing a firewall on every workstation, or in a centralized manner (one firewall for the whole network).

Types of Firewalls
- Packet filtering firewalls
- Stateful firewalls
- Application gateway firewalls
- Address translation firewalls
- Host-based firewalls
- Hybrid firewalls

Packet Filtering Firewalls (PFFs)
- The simplest type of firewall.
- Typically a router that can filter on some packet content.
- Mainly layer 3 (network) and sometimes layer 4 (transport) headers are examined.

Filtering Rules
- Packet filtering rules must be defined on the firewall.
- These rules indicate which traffic should be allowed and which traffic should be denied.
- A decision should also be taken regarding the notification strategy when packets are dropped: inform the sender or not.

Filtering information
- Source and destination layer 3 addresses.
- Layer 3 protocol information (type of protocol).
- Layer 4 protocol information (port numbers and flags).
- Interface on which traffic is sent or received.

A Simple Example

A Typical Rule Table (table 1)

Rule  Source address  Dest address       IP protocol  Protocol information  Action
1     any                                TCP          Port 80               allow
2     any                                UDP          Port 53               allow
3     any                                TCP          Port 25               allow
4     any             any other address  any          any                   deny

Understanding the Rules
- Understanding the rule set is crucial to the operation of firewalls.
- For example, if you omit rule 4 in table 1 above, there are two possibilities for traffic that matches no rule: allow it all, or deny it all.
- If the first option is taken, you will be creating a big hole in your network.
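The first-match evaluation of table 1 and the effect of omitting rule 4, as an added example that is not part of the original slides. The destination address (the slide's table leaves that column blank), the host addresses and the default policy argument are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # layer 3 source address
    dst: str      # layer 3 destination address
    proto: str    # layer 3 protocol carried: "TCP" or "UDP"
    dport: int    # layer 4 destination port

# Constructed destination: the slide's table leaves the dest column blank.
SERVER = "198.51.100.10"

# Rules 1-4 of table 1: (source, destination, protocol, port, action).
RULES = [
    ("any", SERVER, "TCP", 80, "allow"),
    ("any", SERVER, "UDP", 53, "allow"),
    ("any", SERVER, "TCP", 25, "allow"),
    ("any", "any", "any", "any", "deny"),   # rule 4: explicit catch-all deny
]

def matches(rule, pkt):
    src, dst, proto, port, _ = rule
    return ((src == "any" or src == pkt.src)
            and (dst == "any" or dst == pkt.dst)
            and (proto == "any" or proto == pkt.proto)
            and (port == "any" or port == pkt.dport))

def filter_packet(rules, pkt, default="allow"):
    """First-match evaluation; `default` applies only when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[4]
    return default

def demo():
    web = Packet("203.0.113.5", SERVER, "TCP", 80)
    ssh = Packet("203.0.113.5", SERVER, "TCP", 22)
    with_rule4 = filter_packet(RULES, ssh)
    # Drop rule 4 and fall back to "allow all non-matching": the hole the slide warns about.
    without_rule4 = filter_packet(RULES[:3], ssh, default="allow")
    return filter_packet(RULES, web), with_rule4, without_rule4
```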

An Example of Firewall Rules

Advantages of packet filtering firewalls
- They can process packets at high speed.
- They can easily match on most fields in layer 3 and layer 4, giving flexibility in implementing security policies.

Disadvantages
- They can be complex to configure.
- They cannot prevent application layer attacks.
- They are susceptible to some TCP/IP attacks (e.g. SYN floods and IP spoofing), which they cannot detect.
- They do not support authentication.
- They have limited logging capabilities.

Stateful Firewalls
- Stateful firewalls keep track of connection states at all stages: initiation, data transfer and termination.

A Typical Scenario Where PFFs Fail
- Assume that there is an inbound rule saying that any external traffic to is denied.
- This implies that connection requests coming from outside will be dropped.
- However, assume that tries to access a web server on an external machine, , say.

A Typical Scenario …
- The firewall will allow the initiation of the connection.
- However, when the reply comes back from it will be dropped.
- Two solutions are possible in PFFs:
  - Open ports higher than 1023 for inbound traffic
  - Examine TCP segment flag bits

Problems with the above solutions
- Opening ports will cause a lot of problems.
- Examining TCP flags is not a good solution to this problem, because they may not be fully supported by all implementations, they may be modified by attackers, and UDP traffic carries no flags.

A Stateful Solution
- A stateful firewall solves the above problem by tracking the states of connections.
- This is done through dynamic rules that are added when a connection is established and deleted after the connection is torn down.
- The rules are added either to the main rule table or to a separate state table.

A Stateful Solution
- For example, when machine initiates a connection to external machine , the firewall adds a new rule to the rule table or the state table indicating that this is a request for a connection.
- It notes the source and destination ports:

Source  Destination  Protocol  Ports                      Action
                     TCP       source port, dest port 80  allow

Stateful solution
- When sends a reply to the connection request, the firewall notes from its table that this reply is part of an existing connection and allows it.
- The traffic along this connection will be allowed as long as the connection is open.
- When the connection is torn down, all rules relating to the connection will be removed.
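The scenario of the last four slides in working form, as an added example that is not from the original slides: an inside host opens a TCP connection to port 80, the firewall adds a dynamic state entry, the reply is matched against that entry, and the entry is removed at teardown, while an unsolicited inbound SYN still hits the static deny. The inside prefix, addresses, ports and the simplified one-FIN teardown are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})

INSIDE_PREFIX = "192.0.2."   # constructed internal network

def is_internal(ip):
    return ip.startswith(INSIDE_PREFIX)

class StatefulFirewall:
    """Static policy: deny unsolicited inbound; dynamic state entries allow replies."""
    def __init__(self):
        self.state = {}   # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        tracked = key if key in self.state else rev if rev in self.state else None
        if tracked is None:
            # No entry yet: only an inside host may open a connection, and only with a bare SYN.
            if is_internal(seg.src) and not is_internal(seg.dst) and seg.flags == {"SYN"}:
                self.state[key] = "SYN_SENT"      # dynamic rule added at initiation
                return "allow"
            return "deny"                         # the static inbound rule
        # Entry exists: the segment belongs to an open connection (either direction).
        if seg.flags & {"FIN", "RST"}:
            del self.state[tracked]               # simplified teardown: first FIN/RST removes the rule
        else:
            self.state[tracked] = "ESTABLISHED"
        return "allow"

def demo():
    fw = StatefulFirewall()
    inside, web = "192.0.2.10", "198.51.100.10"
    syn    = Segment(inside, 40000, web, 80, frozenset({"SYN"}))
    synack = Segment(web, 80, inside, 40000, frozenset({"SYN", "ACK"}))
    data   = Segment(web, 80, inside, 40000, frozenset({"ACK"}))
    fin    = Segment(inside, 40000, web, 80, frozenset({"FIN", "ACK"}))
    probe  = Segment(web, 80, inside, 40001, frozenset({"SYN"}))   # unsolicited inbound
    conversation = [fw.handle(s) for s in (syn, synack, data, fin)]
    # After teardown the same "data" reply no longer matches any state entry.
    return conversation, fw.handle(probe), fw.handle(data), len(fw.state)
```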

Advantages
- Aware of the state of the connection.
- No need to open a large set of ports.
- Prevents a wider set of DoS attacks (state table).
- More robust logging (connection states).

Limitations
- They may be difficult to configure.
- Cannot prevent application layer attacks.
- Do not support authentication.
- Not all protocols contain state information.
- Multiple connections with dynamic ports may cause problems.
- Additional overhead in maintaining state information.

Application Gateway Firewalls (AGFs)
- Sometimes called proxy firewalls.
- They filter information at layers 3, 4, 5 and 7.
- Most filtering and processing is done in software, which provides more flexibility.
- Sometimes they support only a limited set of applications, for example FTP and Telnet.

AGFs and Authentication
- One of the major advantages of AGFs is their ability to authenticate users.
- A user requesting a connection to the network is first authenticated by the AGF.
- The authentication database usually also stores authorization information, e.g. which servers the user may connect to:

User   Server   Action
Ahmed           allow

Authentication Methods
- User/password.
- Certificates.
- Biometrics.
- Token cards.

Types of AGFs
- Two types of AGFs:
  - Connection gateway firewalls.
  - Cut-through proxy firewalls.

Connection Gateway Firewalls (CGFs)
- All traffic to the web server passes through the CGF.
- First the CGF authenticates the user. If successful, the CGF establishes the connection to the server.
- The CGF examines all packets sent to the server and may control the type of traffic to be allowed or dropped.

Cut-Through Proxies (CTP)
- Only authenticate the user.
- Perform filtering based on layer 3 and 4 information.

Address Translation Firewalls
- It is well known that we are running out of IP addresses (address depletion).
- A long-term solution is to deploy IPv6.
- A short-term solution is to use Network Address Translation (NAT).

Private Addresses
- Two RFCs describe how NAT may be used.
- RFC 1918 specifies private addresses (reserved addresses that can be used only inside the organization's networks, with no global meaning).
- Around 17 million addresses are available for local use.

Private addresses
- – class A
- – class B
- – class C

NAT
- RFC 1631 defines how network address translation may be performed.
- Two schemes:
  - Simple NAT.
  - Overloaded NAT or PAT (Port Address Translation).

NAT firewalls
- A NAT firewall is a device configured to perform network address translation.
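Overloaded NAT (PAT) as an added example, not part of the original slides: outbound connections from RFC 1918 sources are rewritten to one public address with a per-connection port, replies are mapped back through the same table, and an inbound packet with no mapping is dropped, which is the firewall behaviour of a NAT device. The RFC 1918 ranges are the real ones; the public address, inside hosts and port pool are constructed.

```python
import ipaddress

# The three RFC 1918 private ranges (class A, B and C blocks).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if `ip` lies in an RFC 1918 block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)

class PAT:
    """Port Address Translation: many inside (ip, port) pairs share one public IP."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed port pool start
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip, src_port):
        """Rewrite an outbound source; reuse an existing mapping when present."""
        if not is_private(src_ip):
            raise ValueError("only RFC 1918 sources are translated")
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port):
        """Map a reply to the public port back to the inside host; None means drop."""
        return self.inbound.get(dst_port)

def demo():
    nat = PAT("203.0.113.7")
    a = nat.translate_out("192.168.1.10", 5000)   # two inside hosts using the
    b = nat.translate_out("192.168.1.11", 5000)   # same source port
    again = nat.translate_out("192.168.1.10", 5000)
    return a, b, again, nat.translate_in(b[1]), nat.translate_in(9999)
```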

Host-based firewalls
- Software packet filtering firewalls.
- Simplified versions that concentrate only on protecting a single machine.
- Some may provide host-based authentication.

Hybrid Firewalls
- In real life, firewall solutions are usually complex and hybrid.
- They involve packet filtering, state tracking, authentication, address translation, etc. Many solutions even include an IDS.
- This is dictated by competition.
- A good example is the Cisco PIX firewall.

Designing a Firewall Solution
- Develop a security policy.
- Create a simple design solution.
- Use devices as intended.
- Implement a layered defense.
- Consider solutions to internal threats.

The policy
- Define acceptable and unacceptable behavior.
- Restrictions on resources.
- Adhere to company plans and policies.
- Resources that require access from internal and external users.
- Vulnerabilities associated with these resources.
- Methods that can be used to protect resources.
- Cost-benefit analysis for possible solutions.

Demilitarized zones (DMZs)
- A demilitarized zone is a segment or set of segments that has a higher security level than the external segments, but a lower security level than the internal segments.
- It grants external users access to web servers, DNS servers, etc. without risking internal security.
- DMZs act as a buffer between internal and external networks.

Demilitarized zones (DMZs)
- Higher security levels can send traffic to lower security levels but not vice versa.
- Segments at the same security level cannot send traffic to each other.

An Example Solution (diagram)
Internet -> router (packet filter) -> DMZ (bastion host, here a proxy firewall; mail server; web server) -> internal packet filter -> internal network. Many different topologies can be considered.

Bastion Server
- A special type of proxy server.
- A single point of contact to the network.
- Well fortified.
- Logging capabilities.