1 Guide to Network Defense and Countermeasures Chapter 5.


2 Chapter 5 - Configuring Firewalls
- Describe the difference between stateless and stateful packet filtering
- Create different packet filter rules for real-world situations
- Set up Network Address Translation
- Decide when to use user, session, or client authentication

3 Approaches to Packet Filtering
- Packet filters filter incoming network traffic
- Stateless packet filters allow or block packets based on protocol header data, such as:
  - IP address: each packet filter rule specifies a source and destination IP address
  - Ports, which give a finer level of control over what is allowed and what is blocked; and sockets, which are software connections that enable applications to send and receive data using a network protocol
  - ACK bits, part of the TCP header used to indicate whether a packet has reached its destination

4 Approaches to Packet Filtering
- Stateless packet filters (cont.):
  - Stateless packet filters tend to have fairly simple rules that hackers can get around easily; they are typically not sufficient for most security needs
  - The main advantage of stateless packet filters is cost: they tend to be inexpensive and many are free; some packet filters are included with routers
  - Disadvantages of stateless packet filters are that they can become cumbersome to maintain in a complex network, they are vulnerable to IP spoofing attacks, and they offer no form of authentication

6 Approaches to Packet Filtering
- Stateful packet filters go beyond stateless filters in that they keep a record of the connections that the host has made with other computers
- The record of connections is maintained in a file called the state table
- The packet filter allows incoming packets to pass through it only from external hosts that are already connected and that have a record in the table
- One of the simplest packet filters in use is built into Windows XP

10 Approaches to Packet Filtering
- The type of filtering that a firewall, router, or other packet filtering device performs depends on its position in the firewall perimeter configuration
- A packet filter positioned between the Internet and the network (providing the only network protection) must handle all inbound and outbound traffic
- If positioned between the Internet and a proxy server (which can perform stateful packet filtering itself), it shields internal users from external hosts
- Another configuration is to place packet filtering devices at either end of the DMZ

13 Creating Packet Filter Rules
- The packet filtering rule base is the primary security tool used by many routers, and is the fundamental security provided by all firewalls
- Firewalls or packet filters should begin by blocking all traffic, and then selectively allow services
- The rule base should keep everyone except the network administrator from connecting to the firewall
- Firewalls should filter all inbound traffic
- The rule base should permit access to all public servers in the DMZ and enable user Internet access

15 Creating Packet Filter Rules
- Packet filters provide fine-grained traffic control via elements of packet header information
- IP addresses allow data to reach the right device; port numbers allow data to reach the right server or client program on that device
- Filtering by TCP or UDP port number is called port filtering or protocol filtering; everything can be filtered out except TCP port 80 for Web, TCP port 25 for e-mail, or TCP port 21 for FTP
- When two computers exchange data, they use two port numbers: the source and the destination

18 Creating Packet Filter Rules
- Port filtering is a complicated process:
  - The source and destination ports are different; the destination port is dynamically determined on a per-connection basis and therefore impossible to predict
  - Port numbers are allocated by the Internet Assigned Numbers Authority (IANA) and span 0 to 65535; 0 to 1023 is reserved for common services and 1024 to 65535 is for dynamic port numbers
  - Traditionally, packet filters were configured to filter ports below 1024; nowadays, however, ports above 1024 are the ones that need monitoring
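The rule-base practices of slide 13 and the address, protocol and port filtering of slides 15 and 18 can be exercised in a small first-match evaluator. The following is an added example written for this transcript, not code from the textbook or its publisher: the topology (firewall 192.0.2.1, DMZ web server 192.0.2.10, internal network 10.0.0.0/8, administrator host 10.0.0.5) and every packet are constructed from documentation address ranges, and the rule shape is an assumption rather than any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WELL_KNOWN_MAX = 1023   # 0-1023: reserved for common services
MAX_PORT = 65535        # 1024-65535: dynamically assigned ports


def port_class(port: int) -> str:
    """Classify a port number by the IANA split the slide describes."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 0-{MAX_PORT}")
    return "well-known" if port <= WELL_KNOWN_MAX else "dynamic"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # source port (0 for ICMP)
    dport: int = 0        # destination port (0 for ICMP)
    icmp_type: int = -1   # ICMP message type, -1 when not ICMP


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; default matches any source
    dst: str = "0.0.0.0/0"           # CIDR; default matches any destination
    proto: str = "any"
    dports: Optional[range] = None   # None: any destination port
    icmp_type: Optional[int] = None  # None: any ICMP type

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching nothing is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed topology (hypothetical addresses from documentation ranges).
FIREWALL = "192.0.2.1/32"
DMZ_WEB = "192.0.2.10/32"
INTERNAL = "10.0.0.0/8"
ADMIN_HOST = "10.0.0.5/32"

RULE_BASE = [
    Rule("allow", src=ADMIN_HOST, dst=FIREWALL),   # only the administrator reaches the firewall
    Rule("deny", dst=FIREWALL),                    # everyone else is refused before later rules
    Rule("deny", proto="icmp", icmp_type=5),       # ICMP Redirect is never accepted
    Rule("allow", dst=DMZ_WEB, proto="tcp", dports=range(80, 81)),     # public web server in DMZ
    Rule("allow", src=INTERNAL, proto="tcp", dports=range(80, 81)),    # internal users: HTTP out
    Rule("allow", src=INTERNAL, proto="tcp", dports=range(443, 444)),  # internal users: HTTPS out
    # everything not listed falls through to the default deny in evaluate()
]


def demo() -> dict:
    """Run a handful of constructed packets through the rule base."""
    cases = {
        "internet_to_dmz_web": Packet("198.51.100.7", "192.0.2.10", "tcp", 51514, 80),
        "internet_to_dmz_ssh": Packet("198.51.100.7", "192.0.2.10", "tcp", 51515, 22),
        "admin_to_firewall":   Packet("10.0.0.5", "192.0.2.1", "tcp", 40000, 22),
        "user_to_firewall":    Packet("10.0.0.9", "192.0.2.1", "tcp", 40001, 22),
        "internal_https_out":  Packet("10.0.0.20", "203.0.113.80", "tcp", 52000, 443),
        "internal_smtp_out":   Packet("10.0.0.20", "203.0.113.80", "tcp", 52001, 25),
        "icmp_redirect_in":    Packet("203.0.113.1", "10.0.0.20", "icmp", icmp_type=5),
        # the reply to internal_https_out: its destination is the client's dynamic port
        "https_reply_in":      Packet("203.0.113.80", "10.0.0.20", "tcp", 443, 52000),
    }
    return {name: evaluate(RULE_BASE, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The ordering matters: the administrator's allow rule sits above the blanket deny for the firewall address, and the implicit default deny at the end is what makes "block everything, then selectively allow" hold. Note the last case: the genuine reply to an internal user's HTTPS request is denied, because a rule base that only looks at addresses and destination ports has no way to tell a reply to a dynamic port from an unsolicited inbound connection; that is the gap the ACK-bit and stateful approaches on the later slides close.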

21 Creating Packet Filter Rules
- Firewalls/packet filters must determine whether an ICMP packet should be allowed to pass
- Because ICMP packets have no authentication method to verify the recipient of a packet, hackers can attempt man-in-the-middle attacks, or they can use the ICMP Redirect message type to direct traffic to an external computer they control
- Some firewalls filter by the services specified
- Filtering can be based on the IP protocol ID field in the header, which can allow or deny an entire type of service, such as TCP, UDP, IGMP, or ICMP

24 Creating Packet Filter Rules
- Firewalls can filter by the TCP header ACK bit
  - Every packet that is sent must be responded to with a packet with the ACK bit set to 1 before further transmission can take place; a packet filter rule that blocks all packets that do not have the ACK bit set to 1 effectively prevents external hosts from initiating connections with network computers
- Firewalls can filter by IP option settings
  - Both hosts and routers can set the Options field in an IP header to carry additional packet information; access to these options is tempting for hackers
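Slides 3, 4 and 6 contrast stateless filtering with a state table, and slide 24 gives the ACK-bit rule as the stateless way to admit replies. The following added example, written for this transcript and not taken from the textbook, runs the same constructed packet trace through both: a stateless ACK-bit rule and a stateful filter that records connections opened from the inside. The internal network 10.0.0.0/8 and all addresses and ports are constructed; the state table here never expires entries, which a real implementation would do.

```python
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

# Constructed internal network for the example (hypothetical).
INTERNAL = ip_network("10.0.0.0/8")

# A TCP packet as (src_ip, src_port, dst_ip, dst_port, flags).
Packet = Tuple[str, int, str, int, frozenset]


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def stateless_ack_filter(pkt: Packet) -> str:
    """Stateless rule from the slide: inbound TCP passes only with ACK=1.

    Each packet is judged in isolation, so a packet that merely carries the
    ACK bit cannot be told apart from a genuine reply to an inside host."""
    src, sport, dst, dport, flags = pkt
    if is_internal(src):
        return "allow"                       # outbound traffic is not restricted here
    return "allow" if "ACK" in flags else "deny"


class StatefulFilter:
    """Keeps a state table of connections opened from the inside."""

    def __init__(self) -> None:
        # entries: (internal_ip, internal_port, external_ip, external_port)
        self.state_table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        src, sport, dst, dport, flags = pkt
        if is_internal(src):
            if "SYN" in flags:
                # a new outbound connection: record it so its replies can return
                self.state_table.add((src, sport, dst, dport))
            return "allow"
        # inbound: look up the reverse of the recorded tuple
        key = (dst, dport, src, sport)
        return "allow" if key in self.state_table else "deny"


def demo() -> dict:
    """Constructed trace; each result is (stateless verdict, stateful verdict)."""
    stateful = StatefulFilter()
    F = frozenset
    trace = [
        ("outbound_syn",    ("10.0.0.20", 51514, "203.0.113.80", 80, F({"SYN"}))),
        ("reply_syn_ack",   ("203.0.113.80", 80, "10.0.0.20", 51514, F({"SYN", "ACK"}))),
        ("unsolicited_syn", ("198.51.100.7", 44444, "10.0.0.20", 22, F({"SYN"}))),
        ("unsolicited_ack", ("198.51.100.7", 44444, "10.0.0.20", 22, F({"ACK"}))),
    ]
    return {name: (stateless_ack_filter(pkt), stateful.filter(pkt)) for name, pkt in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:16s} stateless={stateless:5s} stateful={stateful}")
```

Both filters agree on the first three packets. The fourth is where the slide-4 caveat about simple rules shows up in code: an inbound packet that has ACK=1 but belongs to no connection passes the stateless rule, while the stateful filter denies it because nothing in the state table matches. Detecting such packets (ACK set, no matching flow) is a useful log signal for a defender precisely because a legitimate host never produces them.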

25 Network Address Translation (NAT)
- The firewall or router that performs NAT receives requests from outside the internal network at its own IP address, and forwards each one to the correct in-house IP address
- Using NAT means that public IP addresses do not have to be assigned to each internal computer
- NAT is one of the essential functions performed by many firewalls or routers
- The security-related reason for NAT is to shield the IP addresses of internal hosts, thereby greatly reducing the likelihood of an attack

26 Network Address Translation (NAT)
- Hide-mode mapping NAT: the process of hiding multiple private IP addresses behind one public IP address
- The computers on the Internet only see the IP address of the NAT device; packets from internal hosts all seem to be coming from the NAT device
- Hide-mode NAT has significant limitations in that external hosts on the Internet might occasionally need to make connections with internal hosts; and NAT does not always work, such as when a VPN is in place (use the static form of NAT in this case)

28 Network Address Translation (NAT)
- Static mapping NAT: the process by which internal IP addresses are mapped to external, routable IP addresses
- Internal IP addresses are hidden, but the devices that have them appear to have public, routable IP addresses; public and private IP addresses are static, they do not change dynamically
- The external hosts think they are making a direct connection to an internal computer, but in reality, they are still connecting directly to the NAT device, which forwards requests to the internal system
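Slides 25, 26 and 28 describe the two NAT forms in prose; the following added example (written for this transcript, not the textbook's code) models both as translation tables. The public address 198.51.100.1, the static mapping 198.51.100.10 to 10.0.0.10 and all packets are constructed. It assumes the port-based variant of hide-mode NAT, in which the NAT device gives each internal (address, port) pair its own public port so that replies can be mapped back; the textbook does not go into that detail.

```python
from typing import Dict, Optional, Tuple

# A packet as (src_ip, src_port, dst_ip, dst_port).
Packet = Tuple[str, int, str, int]


class HideModeNAT:
    """Many internal hosts share the NAT device's single public address.

    Assumed port-based form: each internal (ip, port) gets a distinct public
    port, which is the only thing an external host ever sees."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, int], int] = {}  # (int_ip, int_port) -> pub_port
        self.in_table: Dict[int, Tuple[str, int]] = {}   # pub_port -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port       # allocate a fresh public port
            self.in_table[self.next_port] = key
            self.next_port += 1
        # the external host sees only the NAT device's own address
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip or dst_port not in self.in_table:
            return None   # no translation entry: an unsolicited packet is dropped
        int_ip, int_port = self.in_table[dst_port]
        return (src_ip, src_port, int_ip, int_port)


class StaticNAT:
    """One fixed, routable public address per internal host, in both directions.

    External hosts can initiate connections, which is what hide-mode lacks."""

    def __init__(self, mapping: Dict[str, str]) -> None:  # public_ip -> internal_ip
        self.pub_to_int = dict(mapping)
        self.int_to_pub = {v: k for k, v in mapping.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip not in self.pub_to_int:
            return None
        return (src_ip, src_port, self.pub_to_int[dst_ip], dst_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        src_ip, src_port, dst_ip, dst_port = pkt
        if src_ip not in self.int_to_pub:
            return None
        return (self.int_to_pub[src_ip], src_port, dst_ip, dst_port)


def demo() -> dict:
    """Constructed traffic through both NAT forms."""
    hide = HideModeNAT("198.51.100.1")
    static = StaticNAT({"198.51.100.10": "10.0.0.10"})
    out1 = hide.outbound(("10.0.0.20", 51514, "203.0.113.80", 80))
    out2 = hide.outbound(("10.0.0.21", 51514, "203.0.113.80", 80))  # same port, other host
    return {
        "hide_out_1": out1,
        "hide_out_2": out2,
        "hide_reply": hide.inbound(("203.0.113.80", 80, "198.51.100.1", out1[1])),
        "hide_unsolicited": hide.inbound(("198.51.100.7", 44444, "198.51.100.1", 22)),
        "static_in": static.inbound(("198.51.100.7", 44444, "198.51.100.10", 443)),
        "static_out": static.outbound(("10.0.0.10", 443, "198.51.100.7", 44444)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} {result}")
```

Two internal hosts using the same source port 51514 leave the device as 198.51.100.1 with different public ports, and only a packet addressed to one of those ports is mapped back; everything else to the public address has no entry and is dropped, which is the shielding effect slide 25 refers to. The static form forwards inbound traffic for 198.51.100.10 straight to 10.0.0.10, so it is the one to use when external hosts or a VPN peer must reach a specific internal system.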

30 Authenticating Users
- Authentication is an important element in a network defense program and is performed by the more full-featured firewalls and IDSs
- Authentication depends on the exchange of information that tells one entity that another is recognized as authorized and can be trusted
- The information exchanged can be a password, an encrypted block of code called a key, a formula used to verify digital information called a checksum, a smart card, or a biometric reading of fingerprints, retinas, or voiceprints

31 Authenticating Users: Deciding what to authenticate
- User authentication is the process of identifying a user who has been authorized for network access
- The user who presents proper credentials can log onto the network from any location; users are not required to enter their passwords every time they access the firewall; rather, the authentication can be configured to be transparent and based on the exchange of keys
- In addition, some firewalls allow the specification of time-based restrictions that control user access

34 Authenticating Users: Deciding what to authenticate (cont.)
- Client authentication is the process of granting access to network resources based on source IP address or computer name
- As with user authentication, the identification process can be either transparent or manual
- Even if a hacker steals an individual's user name and/or password, having that user log on with client authentication means that access could be gained only by using the computer with the required IP address, or by spoofing the address

36 Authenticating Users: Deciding what to authenticate (cont.)
- Session authentication is the process of authorizing a user/computer on a per-connection basis using special authentication software installed on the client computer
- The client computer and the firewall authenticate in the background; however, the user making the connection does need to enter a password. The authentication can be configured so that the user must enter a password every time a file/resource is requested, once per session, or after a specified number of minutes of inactivity

38 Authenticating Users: Deciding how to authenticate
- Password-based authentication is the process of comparing a user's name and password against a database of approved users
- Firewalls can use a number of password systems, including:
  - OS password, where the firewall refers to the user's password stored on the operating system of the host computer
  - Firewall password, used by firewalls that provide their own password system
  - S/Key password, where a one-time password is generated and then encrypted; the user enters it once to authenticate
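The S/Key one-time password scheme named on slide 38 works as a hash chain: the server stores only the top of the chain, and each login presents the value one step below it, which the server can check but cannot have predicted. The following added example, written for this transcript and not taken from the textbook, implements that chain. SHA-256 is an assumption of this example (the original S/Key used MD4/MD5), and the seed and chain length are constructed.

```python
import hashlib
import hmac
from typing import List


def skey_hash(value: bytes) -> bytes:
    """One step of the chain (SHA-256 assumed for this example)."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, length: int) -> List[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^length(seed)]."""
    chain = [seed]
    for _ in range(length):
        chain.append(skey_hash(chain[-1]))
    return chain


class SKeyServer:
    """Holds only the current top of the chain, never the seed.

    A compromised server database therefore yields nothing reusable."""

    def __init__(self, top: bytes, count: int) -> None:
        self.stored = top          # h^count(seed) at enrolment
        self.remaining = count     # logins left before the chain must be re-initialised

    def login(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False                                   # chain exhausted
        if not hmac.compare_digest(skey_hash(candidate), self.stored):
            return False                                   # wrong, or a replayed password
        self.stored = candidate                            # step one link down the chain
        self.remaining -= 1
        return True


class SKeyClient:
    """Derives passwords from the seed, handing them out from the top down."""

    def __init__(self, seed: bytes, length: int) -> None:
        self.chain = hash_chain(seed, length)
        self.next_index = length - 1

    def next_password(self) -> bytes:
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def demo() -> dict:
    """Constructed enrolment and a sequence of login attempts."""
    seed = b"constructed-seed-for-the-example"   # constructed, not a real secret
    n = 5
    client = SKeyClient(seed, n)
    server = SKeyServer(client.chain[n], n)       # enrol with h^5(seed) only
    first = client.next_password()                # h^4(seed)
    results = {
        "first_login": server.login(first),       # True
        "replay": server.login(first),            # False: h(h^4) no longer equals stored
        "second_login": server.login(client.next_password()),  # h^3: True
    }
    for _ in range(3):                            # h^2, h^1, h^0 use up the chain
        server.login(client.next_password())
    results["after_exhaustion"] = server.login(seed)   # False: nothing left to accept
    return results


if __name__ == "__main__":
    print(demo())
```

Each password is accepted exactly once: replaying a captured value fails because the server has already moved its stored hash down to that value, and after the agreed number of logins the chain must be re-initialised with a fresh seed. The constant-time comparison is there because the stored value is a secret the server should not leak through timing.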

40 Authenticating Users: Deciding how to authenticate (cont.)
- When physical objects such as smart cards and tokens are combined with passwords, they create secure two-factor authentication
- Tokens enable network authentication; smart cards (ATM cards) are tokens, as are electronic devices that generate a random number that is entered with a PIN/password to authenticate users
- Smart cards and tokens are easy to lose or have stolen, but the fact that they require a PIN or a password makes it difficult for a thief to use them

41 Authenticating Users: Deciding how to authenticate (cont.)
- Keys are blocks of encrypted code generated by algorithms; computers use keys to authenticate themselves to servers, firewalls, or other devices
- Exchanging keys, or public key cryptography, is a popular and secure form of Internet authentication
- Private keys are never exchanged; you generate them after a Certificate Authority (CA) provides one to you. Public keys are what you create with your private key and issue to those with whom you want to conduct secure communications

43 Authenticating Users: Deciding how to authenticate (cont.)
- Digital signatures are attachments to messages that enable recipients to authenticate senders
- Digital signatures deal with two security issues that encryption and decryption do not address: tampering and impersonation
- The signing software creates a one-way hash by processing the data to be sent with a mathematical formula; the software then uses the private key to encrypt the hash; the encrypted hash, along with other information, forms the digital signature
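Slide 43's hash-then-sign description, and the private/public key pairing of slide 41, can be carried through end to end. The following added example (written for this transcript, not taken from the textbook) uses textbook RSA with deliberately tiny, constructed parameters so that it runs with nothing beyond the standard library: two Mersenne primes as the key, SHA-256 as the one-way hash, and the hash reduced modulo the key so it fits. These parameters are for illustration only; a real deployment uses a vetted library with properly sized keys and padding.

```python
import hashlib
from typing import Tuple

# Toy RSA parameters: Mersenne primes far too small for real use, constructed for this example.
P, Q = 2**31 - 1, 2**61 - 1
E = 65537

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def make_keypair(p: int, q: int, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    """Derive the public and private key from two primes (pow(e, -1, phi) needs Python 3.8+)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent; never leaves the signer
    return (n, e), (n, d)


def message_hash(data: bytes, n: int) -> int:
    """One-way hash of the message, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key: PrivateKey) -> int:
    """Hash the data, then 'encrypt' the hash with the private key (slide 43)."""
    n, d = private_key
    return pow(message_hash(data, n), d, n)


def verify(data: bytes, signature: int, public_key: PublicKey) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash of the data."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(data, n)


def demo() -> dict:
    """Genuine signature, a tampered message, and an impersonation attempt (all constructed)."""
    public, private = make_keypair(P, Q)
    _impostor_public, impostor_private = make_keypair(2**31 - 1, 2**89 - 1)  # a different key pair
    message = b"Transfer 100 to account 42"
    signature = sign(message, private)
    return {
        "genuine": verify(message, signature, public),                              # True
        "tampered": verify(b"Transfer 900 to account 42", signature, public),       # False
        "impersonated": verify(message, sign(message, impostor_private), public),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The two failures map onto the two problems the slide says signatures solve: changing even one byte of the message changes its hash, so the recovered hash no longer matches (tampering); and a signature made with someone else's private key does not decrypt correctly under the claimed sender's public key (impersonation). The public key is all a recipient or firewall needs, which is why it can be distributed freely while the private key stays put.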

44 Authenticating Users: Putting it all together
- Firewalls must be able to process and recognize a variety of authentication methods
- Secure Hypertext Transport Protocol (HTTPS) uses security protocols like Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt communications; SSL involves public key cryptography and it uses a digital certificate
- Internet Protocol Security (IPSec) encrypts communications at the OSI Network layer; IPSec provides secure tunnels between two devices

45 Authenticating Users: Putting it all together (cont.)
- Some special authentication systems designed especially for use with dial-in users can be used by firewalls:
  - Terminal Access Controller Access Control System (TACACS+) uses the MD5 algorithm to produce an encrypted digest version of transmitted data
  - Remote Authentication Dial-In User Service (RADIUS) transmits authentication packets unencrypted across the network, which means they are vulnerable to attacks from packet sniffers
  - Special TACACS+ and RADIUS servers perform authentication in these systems

46 Chapter Summary
This chapter examined the various firewall components and functions that need to be configured in order to create a network defense perimeter. The basic function performed by firewalls is packet filtering, and much of this chapter was devoted to the establishment of a rule base. However, these days, firewalls are being called on to perform more and more security-related functions, and the most common ones were examined in this chapter as well.

47 Chapter Summary
There are two general approaches to packet filtering: stateless and stateful. Stateless packet filters decide whether to allow or deny packets based on the information in the TCP, IP, or UDP headers. Filtering is usually done by IP address, port number, or ACK flag. Stateless filtering does not take into account established external/internal connections. Stateful packet filtering maintains a state table, which keeps a record of the connections that have been made between internal and external computers. Such a packet filter only allows incoming packets to pass through the firewall from external hosts that are already connected and listed in the state table.

48 Chapter Summary
Both stateless and stateful packet filters depend on a set of rules called a rule base that enables them to perform security functions. Although the exact rules in the rule base depend on the network being protected, some general practices should be observed: the firewall should be protected from all users except administrators, and it should be blocked from making connections on its own; the rule base should block direct access from external computers to computers inside the firewall; it should enable internal users access to the Internet; and both internal and external users should be able to gain access to the servers in the DMZ.

49 Chapter Summary
Packets can be filtered by TCP or UDP port numbers as well as IP addresses. Such port filtering can be used to block access by services that are not needed and that would not be used in the inbound direction. Keep in mind, though, that the source port and destination port are different when a connection is made. Services that are used by Windows and UNIX for internal communications should be blocked if connection attempts are made from the Internet using their ports. Inbound connection attempts using one of the ICMP message types should be blocked as well.

50 Chapter Summary
Another basic firewall function, Network Address Translation (NAT), is performed by many firewalls. It is used to conceal the IP addresses of computers on the internal network so that hackers cannot locate them and initiate intrusion attempts. NAT also has the benefit of enabling network administrators to assign private IP addresses to computers inside the network, thus conserving scarce public IP addresses. Hide-mode NAT conceals multiple IP addresses behind a single IP address, while static NAT maps each internal IP address to a public IP address.

51 Chapter Summary
Many firewalls also perform the essential function of authenticating individuals who access network resources. Firewalls can perform user, client, or session authentication. They can authorize by accepting one-time or multiple-use passwords; by using two-factor authentication systems such as SecurID; by exchanging public and private keys; and by issuing digital signatures. Many enterprise-level firewalls can operate with encryption schemes such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec). In addition, firewalls can work with a server configured to enable dial-in access for remote employees.