Firewalls. Prof. Reuven Aviv, January 2009.

Presentation transcript:

Slide 1: Firewalls

Slide 2: Outline
- What and where are firewalls
- Goals of a firewall
- Types of firewalls: packet filter; application level (proxy server) gateway

Slide 3: What and where are Firewalls?
(Diagram labels: Internet, Untrusted Networks & Servers, Untrusted Users; Firewall Router; Intranet, Trusted Networks, Trusted Users; DMZ: Public Accessible Servers & Networks.) Goals??

Slide 4: Firewall Goals
The firewall is inserted between the premises network and the Internet. Goals:
- Protect the premises network from Internet-based attacks
- Establish an access control gate
Question: name the types of traffic that pass, or are blocked by, the firewall.

Slide 5: Access Control Gate
(Diagram labels: Internet, DMZ Net, Web Server Pool, ALERT!!) Question: how do we protect the firewall itself?

Slide 6: Access Control Functions
- Service control: which types of traffic to permit or deny, and in which direction
- User control: which user may reach which service (e.g. denied websites)
- Application behavior control: only filtered application content can come in

Slide 7: Types of Firewalls
Two common types of firewalls that we consider in this course:
- Packet-filtering
- Application-level gateways

Slide 8: Packet Filtering Firewalls
Apply rules to each incoming/outgoing IP packet and then forward or discard the packet. Rules are based on fields in the IP or TCP header: IP addresses, port numbers, flags. Two possible default policies: discard or forward.

Slide 9: Packet Filter at the TCP/IP Level
(Diagram: the end hosts on both sides run Applications, Transport, Network, DataLink and Physical layers; the Router/Firewall in between implements only the Network, DataLink and Physical layers.) Question: give examples of rules.

Slide 10: TCP/IP packet
(Header diagram.) Data Link Layer Header, then the IP datagram, then the Data Link Layer Trailer.
IP header fields: Version, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time To Live, Protocol, Header Checksum; Source Address; Destination Address; Options + Padding.
TCP header fields: Source Port, Destination Port; Sequence Number; Acknowledgement Number; Offset/Reserved, flag bits U A P R S F, Window; Checksum, Urgent Pointer; Options + Padding; then Data.

Slide 11: Basic Filtering Rules

Action  Internal                 Port  External                      Port  Comment
Block   *                        *     (host address omitted)        *     Not trusted external host
Allow   Our mail server address  25    *                                   Mail transport allowed
Block   *                        *     *                             *     Default: deny everything
Allow   *                        *     *                             80    Allow HTTP connections to external web servers

Slide 12: Filtering Rules: direction, flags

Action  Src       Port  Dest      Port   Flag  Comment
Allow   Internal  *     External  25           Outgoing SMTP
Allow   *         25    *         *      ACK   SMTP ACK from outside
Allow   Internal  *     External  *            Allow all outgoing connections
Allow   External  *     Internal  *      ACK   ACK outgoing connections
Allow   *         *     *         >1024        Traffic to non-standard servers (dangerous)

Slide 13: Session Filtering
(Diagram: as on slide 9, but the firewall now also carries Transport and Applications layers and keeps Dynamic State Tables.)
- Screens ALL attempts, protects all applications
- Extracts & maintains 'state' information
- Makes an intelligent security / traffic decision
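The slide 12 rule table and the slide 13 state table, as an added example that is not part of the original lecture: a stateless first-match filter over the slide 12 rules, then a stateful filter that admits inbound packets only when they belong to a tracked outgoing connection. The internal prefix 10.0.0.0/8 and all addresses are assumed sample values.

```python
# Added example (not from the original slides): a first-match packet filter
# evaluating the slide 12 rule table, with slide 13's dynamic state table
# layered on top. Addresses and the internal prefix are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed premises network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False

def side(addr):
    return "Internal" if ip_address(addr) in INTERNAL else "External"

# (action, src side, src port, dst side, dst port, required flag), slide 12 order
RULES = [
    ("Allow", "Internal", "*", "External", 25, None),    # outgoing SMTP
    ("Allow", "*", 25, "*", "*", "ACK"),                 # SMTP ACK from outside
    ("Allow", "Internal", "*", "External", "*", None),   # all outgoing connections
    ("Allow", "External", "*", "Internal", "*", "ACK"),  # ACKs to outgoing connections
]

def match(field, value):
    return field == "*" or field == value

def stateless_decision(pkt):
    """Stateless filter: first matching rule wins, default deny (slide 11)."""
    for action, src, sport, dst, dport, flag in RULES:
        if (match(src, side(pkt.src)) and match(sport, pkt.sport)
                and match(dst, side(pkt.dst)) and match(dport, pkt.dport)
                and (flag is None or (flag == "ACK" and pkt.ack))):
            return action
    return "Block"

class StatefulFilter:
    """Slide 13: remember allowed outgoing connections and admit inbound
    packets only when they belong to a tracked connection."""
    def __init__(self):
        self.table = set()   # (remote addr, remote port, local addr, local port)

    def decision(self, pkt):
        if side(pkt.src) == "Internal":
            if stateless_decision(pkt) != "Allow":
                return "Block"
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "Allow"
        # inbound: the ACK bit alone proves nothing; require a known connection
        return "Allow" if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table else "Block"
```

The stateless filter admits any inbound packet that merely has the ACK bit set; the stateful one blocks it unless an internal host opened the connection first.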

Slide 14: Controlling Telnet traffic via firewall
(Diagram: internal Telnet client, external Telnet server; the client sends "PORT 1234" and the server replies "ACK".)
1. Client opens a TCP connection and tells the server its port number. The ACK bit is not set.
2. Server sends an acknowledgement.

Slide 15: Telnet packet filter as Cisco router access lists (the host address is omitted in the transcript)

  access-list 100 permit tcp host <address omitted> gt 1023 any eq 23
  ! Allows packets to (external) Telnet servers
  access-list 101 permit tcp any eq 23 host <address omitted> established
  ! Allows packets (back) from (external) Telnet servers; "established" verifies that the ACK bit is set
  interface Ethernet 0
   ip access-group 100 out
   ! Apply 1st rule to outgoing traffic
   ip access-group 101 in
   ! Apply 2nd rule to incoming traffic
  ! Rule: allow Telnet from <address omitted> to any external server (port 23), and the reverse ACK

Slide 16: Router Rule Format: access-list [ ] [ ]

Slide 17: FTP "Active Mode" Scenario
(Diagram: external FTP client, internal FTP server with port 21 Command and port 20 Data; messages in order: "PORT 5151" to server, "OK" to client, DATA CHANNEL to client, TCP ACK to server.)
1. Client opens the command channel and tells the server its second port number.
2. Server acks.
3. Server opens the data channel to the client's 2nd port.
4. Client acknowledges.

Slide 18: Example FTP packet filter (the server address is omitted in the transcript)

  access-list 100 permit tcp any gt 1023 host <address omitted> eq 21
  access-list 100 permit tcp any gt 1023 host <address omitted> eq 20
  ! Allows packets from any (external) client to the (internal) FTP control and data ports
  access-list 101 permit tcp host <address omitted> eq 21 any gt 1023
  access-list 101 permit tcp host <address omitted> eq 20 any gt 1023
  ! Allows the (internal) FTP server to send packets back to any (external) IP address with TCP ports > 1023
  interface Ethernet 0
   ip access-group 100 in
   ! Apply the first rule to incoming traffic
   ip access-group 101 out
   ! Apply the second rule to outgoing traffic

Slide 19: FTP "Passive Mode" Scenario
(Diagram: FTP client, internal FTP server with port 21 Command, port 20 Data and data port 3267; messages in order: "PASV" to server, "OK 3267" to client, DATA CHANNEL to the server's port 3267, TCP ACK to client.)
1. Client opens the command channel and requests passive mode.
2. Server tells the client the port number.
3. Client opens the data channel to the server's 2nd port.
4. Server acknowledges.
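The active and passive scenarios of slides 17 to 19, as an added example that is not part of the original lecture: an FTP-aware filter that reads the control channel and opens only the exact data-channel pinhole the PORT command or the 227 reply announced, which is the protocol knowledge the slide 27 proxy gateway relies on, instead of the blanket ">1023" rules of slides 12 and 18. The commands use the real RFC 959 wire forms; the client and server addresses are constructed.

```python
# Added example (not from the original slides): an FTP-aware pinhole filter.
# It parses the RFC 959 "PORT h1,h2,h3,h4,p1,p2" command and the
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, where the port is
# p1*256 + p2, and only then admits the matching data-channel SYN.
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class FtpPinholeFilter:
    def __init__(self, client, server):
        self.client, self.server = client, server
        self.pinholes = set()   # (initiator addr, responder addr, responder port)

    def on_control_line(self, direction, line):
        """direction is 'c2s' for client commands, 's2c' for server replies."""
        if direction == "c2s" and (m := PORT_RE.match(line)):
            host, port = decode_hostport(m.groups())
            # active mode: server will connect from port 20 to the client's port;
            # a PORT naming some other host is ignored (classic FTP bounce check)
            if host == self.client and port > 1023:
                self.pinholes.add((self.server, self.client, port))
        elif direction == "s2c" and (m := PASV_RE.match(line)):
            host, port = decode_hostport(m.groups())
            # passive mode: client will connect to the server's announced port
            if host == self.server and port > 1023:
                self.pinholes.add((self.client, self.server, port))

    def allow_data_syn(self, src, dst, dport):
        """Admit a data-channel connection attempt only if it was announced."""
        return (src, dst, dport) in self.pinholes
```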

Slide 20: Packet Filtering Firewalls
Advantages: simplicity; transparency to users; high speed.
Disadvantages: difficulty of setting up packet filter rules; lack of authentication.

Slide 21: Packet Filtering Firewall: Attacks
- IP address spoofing
- Fragmentation attacks

Slide 22: Anti-Spoofing
Policy: do not allow outgoing traffic with a false sender address.
(Diagram: Internet Service Provider with edge routers E1, E2, E3, E4; the prefixes are omitted in the transcript.)
Allowed outgoing traffic: E1: only from <prefix omitted>/24; E2: only from <prefix omitted>/24; E3: only from <prefix omitted>/24. ISP: allow outgoing data only with legal addresses.

Slide 23: Fragmentation
(Repeats the slide 10 TCP/IP packet diagram: Data Link Layer Header, IP header, TCP header, data, Data Link Layer Trailer.)

Slide 24: Basic Fragmentation Attack
(Diagram: external Telnet client, internal Telnet server. Firewall rule OUT: allow only if SYN bit set; rule IN: allow only if ACK bit set. Packets shown: SYN packet (no ACK), ACK, FRAG1 (with ACK), FRAG2 (with ACK).)
1. The firewall allows OUT: packets with SYN; IN: data with ACK. All following packets of a connection will have the ACK bit set.
2. The client sends 2 fragments, both with ACK. The server reassembles them: the fragments overlap, and in the full datagram the SYN bit is set!
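The check that closes the slide 24 trick, as an added example that is not part of the original lecture: a packet filter that judges each IPv4 fragment by its own header and drops a first fragment too short to show the TCP flags, and any fragment at offset 1, following the direct and indirect methods of RFC 1858. The header builder, the minimum transport length of 16 bytes, and the addresses are constructed test assumptions.

```python
# Added example (not from the original slides): the IP-header check a packet
# filter can apply so the slide 24 trick (TCP flags arriving in a second,
# overlapping fragment) is dropped. Follows the "tiny fragment" direct and
# indirect methods of RFC 1858; all packets here are constructed test data.
import struct

IPPROTO_TCP = 6
TCP_MIN_LEN = 16   # assumed: first fragment must carry at least ports, seq, ack and flags

def ipv4_fragment(frag_offset_units, more_fragments, proto, payload):
    """Minimal 20-byte IPv4 header in front of payload (constructed test data)."""
    flags_fo = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_fo, 64, proto, 0, bytes([203, 0, 113, 9]), bytes([10, 0, 0, 5]))
    return hdr + payload

def parse_fragment(pkt):
    """Extract the fields a fragment check needs from the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_fo = struct.unpack("!H", pkt[6:8])[0]
    return {"proto": pkt[9], "offset": flags_fo & 0x1FFF,
            "mf": bool(flags_fo & 0x2000), "transport_len": total_len - ihl}

def fragment_decision(pkt):
    """'drop' or 'pass' for one fragment, judged on its own header alone."""
    f = parse_fragment(pkt)
    if f["proto"] != IPPROTO_TCP:
        return "pass"
    if f["offset"] == 0 and f["transport_len"] < TCP_MIN_LEN:
        return "drop"   # direct method: first fragment too small to show the flags
    if f["offset"] == 1:
        return "drop"   # indirect method: an offset-1 fragment overwrites bytes 8..15 of fragment 0
    return "pass"

def tcp_header(flags):
    """20-byte TCP header with the given flag byte (constructed test data)."""
    return struct.pack("!HHIIBBHHH", 4444, 23, 1, 0, 5 << 4, flags, 8192, 0, 0)
```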

Slide 25: General Fragmentation Attack
Instead of fragmenting the TCP header, fragment the data portion of the packet (or ICMP) to attack applications in clients. Not all clients do bounds checking: an oversized reassembled packet on the client may be too large and cause a buffer overflow. Remedy: application-level firewall.

Slide 26: Application Level (Proxy) Gateway

Slide 27: Application Level (Proxy) Gateway
Acts as a relay of application-level traffic via a single TCP connection. Knows the application protocol: rules are tailored to the expected and unexpected behavior of application traffic. Can stop or deny traffic according to its rules. Question: advantages / disadvantages?

Slide 28: Application Level Gateway
Advantages:
- Higher security than packet filters
- Only need to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic
Disadvantages:
- Additional processing overhead on each connection (gateway as splice point)

Slide 29: Comparison Table
Modify client applications? Packet filter: no. Application level gateway: the client application must be proxy-aware and configured to connect to the proxy server.