Firewalls Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall.

Figure 5-1: Border Firewall
1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 1. Internal Corporate Network (Trusted)

3. Attack Packet 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 4. Dropped Packet (Ingress) 4. Log File

5. Passed Legitimate Packet (Ingress) 5. Legitimate Packet 1. Internet (Not Trusted) Legitimate User 2. Internet Border Firewall 1. Internal Corporate Network (Trusted)

7. Passed Packet (Egress) 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall 7. Dropped Packet (Egress) 4. Log File 1. Internal Corporate Network (Trusted)

6. Attack Packet that Got Through Firewall 6. Hardened Client PC 1. Internet (Not Trusted) Attacker 2. Internet Border Firewall Hardened Hosts Provide Defense in Depth 6. Hardened Server 1. Internal Corporate Network (Trusted)

Figure 5-2: Types of Firewall Inspection
Packet Inspection Examines IP, TCP, UDP, and ICMP headers Static packet inspection (described later) Stateful inspection (described later) Application Inspection Examines application layer messages

Network Address Translation (NAT) Hides IP addresses and port numbers Denial-of-Service (DoS) Inspection Detects and stops DoS attacks Authentication Requires senders to authenticate themselves

Virtual Private Network (VPN) Handling VPNs are protected packet streams (see Chapter 8) Packets are encrypted for confidentiality, so firewall inspection is impossible VPNs typically bypass firewalls, making border security weaker

Hybrid Firewalls Most firewalls offer more than one type of filtering However, firewalls normally do not do antivirus filtering Some firewalls pass packets to antivirus filtering servers

Firewalls Firewall Hardware and Software Inspection Methods
Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall Architecture Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software
Screening Router Firewalls Add firewall software to router Usually provide light filtering only Expensive for the processing power—usually must upgrade hardware, too

Screening Router Firewalls Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier Good location for egress filtering—can eliminate scanning responses, even from the router

Computer-Based Firewalls Add firewall software to server with an existing operating system: Windows or UNIX Can be purchased with power to handle any load Easy to use because know operating system

Computer-Based Firewalls Firewall vendor might bundle firewall software with hardened hardware and operating system software General-purpose operating systems result in slower processing

Computer-Based Firewalls Security: Attackers may be able to hack the operating system Change filtering rules to allow attack packets in Change filtering rules to drop legitimate packets

Firewall Appliances Boxes with minimal operating systems Therefore, difficult to hack Setup is minimal Not customized to specific firm’s situation Must be able to update

Host Firewalls Installed on hosts themselves (servers and sometimes clients) Enhanced security because of host-specific knowledge For example, filter out everything but webserver transmissions on a webserver

Host Firewalls Defense in depth Normally used in conjunction with other firewalls Although on single host computers attached to internet, might be only firewall

Host Firewalls The firm must manage many host firewalls If not centrally managed, configuration can be a nightmare Especially if rule sets change frequently

Host Firewalls Client firewalls typically must be configured by ordinary users Might misconfigure or reject the firewall Need to centrally manage remote employee computers

Perspective Computer-Based Firewall Host Firewall
Firewall based on a computer with a full operating system Host Firewall A firewall on a host (client or server)

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering
Number of Filtering Rules, Of rules, etc. Performance Requirements If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them Traffic Volume (Packets per Second)

Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls IPSs Firewall Architecture Configuring, Testing, and Maintenance

Figure 5-5: Static Packet Filter Firewall
Corporate Network The Internet Permit (Pass) IP-H TCP-H Application Message IP-H UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Static Packet Filter Firewall Log File Only IP, TCP, UDP and ICMP Headers Examined

Figure 5-5: Static Packet Filter Firewall
Corporate Network The Internet Permit (Pass) IP-H TCP-H Application Message IP-H UDP-H Application Message Deny (Drop) IP-H ICMP-H ICMP Message Static Packet Filter Firewall Arriving Packets Examined One at a Time, in Isolation; This Misses Many Arracks Log File

Figure 5-6: Access Control List (ACL) For Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = *.* to *.*, DENY [private IP address range] 3. If source IP address = *.*, DENY [private IP address range] 4. If source IP address = *.*, DENY [firm’s internal address range]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
5. If source IP address = , DENY [black-holed address of attacker] 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

7. If destination IP address = AND TCP destination port=80 OR 443, PASS [connection to a public webserver] 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

9. If TCP destination port = 20, DENY [FTP data connection] 10. If TCP destination port = 21, DENY [FTP supervisory control connection] 11. If TCP destination port = 23, DENY [Telnet data connection] 12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

13. If TCP destination port = 513, DENY [UNIX rlogin without password] 14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login] 15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure] 16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]

17. If ICMP Type = 0, PASS [allow incoming echo reply messages] DENY ALL

DENY ALL Last rule Drops any packets not specifically permitted by earlier rules In the previous ACL, Rules 8-17 are not needed; Deny all would catch them

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = *.* to *.*, DENY [private IP address range] 3. If source IP address = *.*, DENY [private IP address range] 4. If source IP address NOT = *.*, DENY [not in internal address range] Rules 1-3 are not needed because of this rule

5. If ICMP Type = 8, PASS [allow outgoing echo messages] 6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages] 7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]

8. If source IP address = and TCP source port = 80 OR 443, PERMIT [public webserver responses] Needed because next rule stops all packets from well-known port numbers 9. If TCP source port=0 through 49151, DENY [well-known and registered ports] 10. If UDP source port=0 through 49151, DENY [well-known and registered ports]

11. If TCP source port =49152 through 65,536, PASS [allow outgoing client connections] 12. If UDP source port = through 65,536, PERMIT [allow outgoing client connections] Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not

13. DENY ALL No need for Rules 9-12

Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls Firewall Architecture Configuring, Testing, and Maintenance

Figure 5-8: Stateful Inspection Firewalls
New Default Behavior Permit connections initiated by an internal host Deny connections initiated by an external host Can change default behavior with ACL Automatically Accept Connection Attempt Internet Router Automatically Deny Connection Attempt

State of Connection: Open or Closed State: Order of packet within a dialog Often simply whether the packet is part of an open connection

New Stateful Firewall Operation If accept a connection… Record the two IP addresses and port numbers in state table as OK (open) (Figure 5-9) Accept future packets between these hosts and ports with no further inspection This can miss some attacks, but it catches almost everything except attacks based on application message content

Figure 5-9: Stateful Inspection Firewall Operation I
2. Establish Connection 1. TCP SYN Segment From: :62600 To: :80 3. TCP SYN Segment From: :62600 To: :80 External Webserver Note: Outgoing Connections Allowed By Default Stateful Firewall Internal Client PC Connection Table Type Internal IP Internal Port External IP External Port Status TCP 62600 80 OK

Figure 5-9: Stateful Inspection Firewall Operation I
Stateful Firewall External Webserver 6. TCP SYN/ACK Segment From: :80 To: :62600 4. TCP SYN/ACK Segment From: :80 To: :62600 Internal Client PC 5. Check Connection OK; Pass the Packet Connection Table Type Internal IP Internal Port External IP External Port Status TCP 62600 80 OK

Stateful Firewall Operation For UDP, also record two IP addresses and port numbers in the state table Connection Table Type Internal IP Internal Port External IP External Port Status TCP 62600 80 OK UDP 63206 69 OK

Static Packet Filter Firewalls are Stateless Filter one packet at a time, in isolation If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection But stateful firewalls can (Figure 5-10)

Figure 5-10: Stateful Firewall Operation II
Attacker Spoofing External Webserver Stateful Firewall 1. Spoofed TCP SYN/ACK Segment From: :80 To: :64640 Internal Client PC 2. Check Connection Table: No Connection Match: Drop Connection Table Type Internal IP Internal Port External IP External Port Status TCP 62600 80 OK UDP 63206 69 OK

Static Packet Filter Firewalls are Stateless Filter one packet at a time, in isolation Cannot deal with port-switching applications But stateful firewalls can (Figure 5-11)

Figure 5-11: Port-Switching Applications with Stateful Firewalls
2. To Establish Connection 1. TCP SYN Segment From: :62600 To: :21 3. TCP SYN Segment From: :62600 To: :21 External FTP Server Internal Client PC Stateful Firewall State Table Type Internal IP Internal Port External IP External Port Status Step 2 TCP 62600 21 OK

Figure 5-11: Port-Switching Applications with Stateful Firewalls
External FTP Server 6. TCP SYN/ACK Segment From: :21 To: :62600 Use Ports 20 and for Data Transfers 4. TCP SYN/ACK Segment From: :21 To: :62600 Use Ports 20 and for Data Transfers Internal Client PC Stateful Firewall 5. To Allow, Establish Second Connection State Table Type Internal IP Internal Port External IP External Port Status Step 2 TCP 62600 21 OK TCP 55336 20 OK Step 5

New Stateful Inspection Access Control Lists (ACLs) Primary allow or deny applications (port numbers) Simple because no need for probe packet rules because they are dropped automatically Simplicity of stateful firewall gives speed and therefore low cost Stateful firewalls are dominant today for the main corporate border firewalls

Figure 5-12: Network Address Translation (NAT)
From , Port 61000 From , Port 55380 1 Server Host 2 Internet Client NAT Firewall Sniffer Internal External IP Addr Port IP Addr Port Translation Table 61000 55380 . . . . . . . . . . . .

Server Host Internet Client NAT Firewall 3 To , Port 55380 4 Sniffer To , Port 61000 Internal External IP Addr Port IP Addr Port Translation Table 61000 55380 . . . . . . . . . . . .

Sniffers on the Internet cannot learn internal IP addresses and port numbers Only learn the translated address and port number By themselves, provide a great deal of protection against attacks External attackers cannot create a connection to an internal computers

Figure 5-13: Application Firewall Operation
3. Examined HTTP Request From 2. Filtering 1. HTTP Request From Browser HTTP Proxy Webserver Application Application Firewall Filtering: Blocked URLs, Post Commands, etc. Webserver Client PC

4. HTTP Response to 6. Examined HTTP Response To Browser HTTP Proxy Webserver Application 5. Filtering on Hostname, URL, MIME, etc. Webserver Client PC Application Firewall

A Separate Proxy Program is Needed for Each Application Filtered on the Firewall FTP Proxy SMTP ( ) Proxy Webserver Client PC Outbound Filtering on PUT Inbound and Outbound Filtering on Obsolete Commands, Content Application Firewall

Figure 5-14: Header Destruction With Application Firewalls
Header Removed Arriving Packet X App MSG (HTTP) New Packet App MSG (HTTP) Orig. TCP Hdr Orig. IP Hdr App MSG (HTTP) New TCP Hdr New IP Hdr Application Firewall Attacker Webserver Application Firewall Strips Original Headers from Arriving Packets Creates New Packet with New Headers This Stops All Header-Based Packet Attacks

Figure 5-15: Protocol Spoofing
Trojan Horse 2. Protocol is Not HTTP Firewall Stops The Transmission X 1. Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall Application Firewall Internal Client PC Attacker

Relay Operation Application Firewalls Use Relay operation
Act as server to clients, clients to servers This is slow, so traditionally application firewalls could only handle limited traffic 3. Examined HTTP Request From 2. Filtering 1. HTTP Request From Browser HTTP Proxy Webserver Application

Automatic Protections in Relay Operation
Protocol Fidelity Application that spoofs the port number of another operation (e.g., Port 80) will not work in relay operation Header Destruction IP, TCP, UDP, and ICMP headers dropped at firewall so cannot do damage IP Address Hiding Sniffer on the Internet only learns the application firewall’s IP address

Other Application Firewall Protections
Stopping Certain Application Commands HTTP: Stop POST TCP: Stop PUT Stop obsolete commands used by attackers Blocked IP Addresses and URLs Black lists Blocking File Types Use MIME and other identification methods

Figure 5-16: Circuit Firewall
Generic Type of Application Firewall 1. Authentication 3. Passed Transmission: No Filtering 2. Transmission 4. Reply 5. Passed Reply: No Filtering Webserver Circuit Firewall (SOCKS v5) External Client

New Firewall Hardware and Software Inspection Methods Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls IPSs Firewall Architecture Configuring, Testing, and Maintenance

Intrusion Prevention System (IPS)
New Provide More Sophisticated Inspection Examine Streams of Packets Look for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks And cannot be diagnosed by simply accepting packets that are part of a connection Do Deep Packet Inspection Examine all headers at all layers—internet, transport, and application

Intrusion Prevention System (IPS)
New IPSs Act Proactively Once an attack is diagnosed, future packets in the attacks are blocked This frightens many firms because if an IPS acts incorrectly, it effectively generates a self-serve denial of service attack First that use IPSs may only permit the most definitively identifiable attacks to be blocked, such as SYN flood denial of service attacks.

Firewalls Types of Firewalls Inspection Methods Firewall Architecture
Single site in large organization Home firewall SOHO firewall router Distributed firewall architecture Configuring, Testing, and Maintenance

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site
1. Screening Router Last Rule=Permit All Internet x Subnet Screening Router Firewall Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out. Last Rule is Permit All to Let Main Firewall Handle Everything but Simple Attacks Public Webserver External DNS Server SMTP Relay Proxy HTTP Proxy Server Marketing Client on x Subnet Accounting Server on x Subnet

2. Main Firewall Last Rule=Deny All Internet x Subnet Public Webserver External DNS Server Main Firewall Uses Stateful Inspection Last Rule is Deny All SMTP Relay Proxy HTTP Proxy Server Marketing Client on x Subnet Accounting Server on x Subnet

3. Internal Firewall Internet x Subnet 4. Client Host Firewall Public Webserver External DNS Server Internal Firewalls and Hardened Hosts Provide Defense in Depth Stop Attacks from Inside Stop External Attacks that Get Past the Main Firewall SMTP Relay Proxy HTTP Proxy Server Marketing Client on x Subnet Accounting Server on x Subnet

Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ). Attackers cannot get to Other subnets from there DMZ servers are specially hardened Internet x Subnet Public Webserver External DNS Server 6. DMZ SMTP Relay Proxy HTTP Proxy Server Marketing Client on x Subnet Accounting Server on x Subnet 5. Server Host Firewall

Figure 5-18: Home Firewall
PC Firewall Always-On Connection Home PC Internet Service Provider UTP Cord Coaxial Cable Broadband Modem Windows XP has an internal firewall Originally called the Internet Connection Firewall Disabled by default After Service Pack 2 called the Windows Firewall Enabled by default New

Figure 5-19: SOHO Firewall Router
Internet Service Provider UTP Ethernet Switch UTP User PC UTP Broadband Modem (DSL or Cable) SOHO Router --- DHCP Sever, NAT Firewall, and Limited Application Firewall User PC User PC Many Access Routers Combine the Router and Ethernet Switch in a Single Box

Figure 5-20: Distributed Firewall Architecture
Management Console Remote PCs must be actively managed centrally Remote Management is needed to reduce management labor Dangerous because if an attacker compromises it, they own the network Internet Home PC Firewall Site A Site B

Figure 5-21: Other Security Architecture Issues
Host and Application Security (Chapters 6 and 9) Antivirus Protection (Chapter 4) Intrusion Detection Systems (Chapter 10) Virtual Private Networks (Chapter 8) Policy Enforcement System

Firewalls Types of Firewalls Inspection Methods Firewall Architecture
Configuring, Testing, and Maintenance

Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Firewall Misconfiguration is a Serious Problem ACL rules must be executed in series Easy to make misordering problems Easy to make syntax errors

Create Policies Before ACLs Policies are easier to read than ACLs Can be reviewed by others more easily than ACLs Policies drive ACL development Policies also drive testing

Must test Firewalls with Security Audits Attack your own firewall based on your policies Only way to tell if policies are being supported Maintaining Firewalls New threats appear constantly ACLs must be updated constantly if firewall is to be effective

Figure 5-23: FireWall-1 Modular Management Architecture
Log Files Policy Policy Firewall Module Enforces Policy Sends Log Entries Application Module (GUI) Create, Edit Policies Management Module Stores Policies Stores Log Files Log File Entry Log File Data Firewall Module Enforces Policy Sends Log Entries Application Module (GUI) Read Log Files

Figure 5-24: FireWall-1 Service Architecture
2. Statefully Filtered Packet 1. Arriving Packet 3. DoS Protection Optional Authentications Internal Client External Server FireWall-1 Firewall 4. Content Vectoring Protocol Statefully Filtered Packet Plus Application Inspection Third-Party Application Inspection Firewall

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls
Automatically Accept Connection Internet Security Level Inside=100 Security Level Outside=0 Router Automatically Reject Connection Internal Network Security Level=60 Connections Are Allowed from More Secure Networks to Less Secure Networks

Topics Covered Border Firewalls Types of Firewall Inspection
Sit between a trusted and untrusted network Drop and log attack packets Types of Firewall Inspection Static packet inspection Stateful inspection Application proxy firewalls NAT Denial-of-Service, Authentication, VPNs

Topics Covered Firewall Hardware and Software
Screening firewall router Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Performance is critical; overloaded firewalls drop packets they cannot filter

Topics Covered Static Packet Inspection
Examine IP, TCP, UDP, and ICMP headers Examine packets one at a time Miss many attacks Used primarily in screening firewall routers Access Control Lists (ACLs) List of if-then pass/deny statements Applied in order (sensitive to misordering) For main firewall, last rule is Deny All For screening firewall, last rule is Pass All

Topics Covered Stateful Inspection
Packets that Attempt to Open Connections By default, permits all internally initiated connections By default, denies all externally initiated connections ACLs can change default behavior

Topics Covered Stateful Inspection Other Packets
Permitted if part of established connection Denied if not part of established connections Importance Fast and therefore inexpensive Catches almost all attacks Dominates main border firewall market

Topics Covered Network Address Translation (NAT) Operation
Internal host sends a packet to an external host NAT device replaces source IP address and TCP or UDP port number with stand-in values When packets are sent back, the stand-in values are replaced with the original value Transparent to internal and external hosts

Topics Covered Network Address Translation (NAT) Why?
To hide internal host IP addresses and port numbers from sniffers on the Internet To permit firms to have more hosts than they have assigned public IP addresses Perspective Often used in other types of firewalls

Topics Covered Application Firewalls Inspect application messages
Catch attacks that other firewalls cannot Usually do NOT do antivirus filtering Programs that do filtering are called proxies Proxies are application-specific Circuit firewalls are not application-specific; use required authentication for control

Topics Covered Application Firewalls Relay operation
Application firewall acts as server to clients, clients to servers This is slow, so traditionally application firewalls could only handle limited traffic

Topics Covered Application Firewalls
Automatic Protection from Relay Operation Protocol fidelity: stops port spoofing Header destruction: no IP, TCP, UDP, or ICMP attacks IP address hiding

Topics Covered Application Firewalls
Command-based filtering (HTTP POST, etc.) Host or URL filtering (black lists) File type filtering (MIME, etc.) NOT antivirus filtering

Topics Covered Intrusion Prevention Systems (IPSs)
New Intrusion Prevention Systems (IPSs) Use sophisticated detection methods created for intrusion detection systems Examine streams of packets, not just individual packets Deep inspection: filter all layer messages in a packet But unlike IDSs, do not simply report attacks Stop detected attacks

New Intrusion Prevention Systems (IPSs) Spectrum of attack detection confidence Stop attacks detected with high confidence Do not stop attacks with low detection confidence because doing so can create a self-inflicted DoS Attack

New Intrusion Prevention Systems (IPSs) Sophisticated filtering in processing-intensive Traditional IDSs could not filter in real-time so could not be placed in-line with traffic ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic

Firewall Architectures
Site Protection Screening Firewall Router (Static Packet) Main Border Firewall (Stateful) Internal Firewalls Host Firewalls DMZ Defense in Depth

Site Protection DMZ For hosts that must face Internet attack Must be hardened (bastion hosts) Public webservers, etc. Application firewalls External DNS server

Home Firewall Host firewalls are especially needed for always-on broadband connection SOHO Firewall Separate firewall between the switch and the broadband modem Some broadband modems do NAT, providing considerable protection

Distributed Firewall Architecture Most firms have multiple sites Multiple firewalls at many sites A central manager controls them If the manager is hacked, very bad Management traffic must be encrypted

Configuring, Testing, and Maintenance
Configuration Firewalls must be configured (ACLs designed, etc.) Testing Configuration errors are common, so firewalls must be tested Maintenance Must be reconfigured frequently over time as the threat environment changes

Firewalls Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall.

Similar presentations

Presentation on theme: "Firewalls Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Firewalls Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall.

Similar presentations

Presentation on theme: "Firewalls Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall."— Presentation transcript:

Similar presentations

About project

Feedback