
ECE-8843 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: GCATT Bldg.


Slide 1: ECE-8843, Chapter 10 - Firewalls
Course page: http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: GCATT Bldg 579 (email or call for an office visit, or call Kathy Cheek, 404 894-5696)

Slide 2: Computer System Evolution
- Central Data Processing System: with directly attached peripherals (card reader, magnetic tapes, line printer).
- Local Area Networks: connect PCs (in "terminal emulation" mode), remote terminals (next building) and mini-computers.
- Premises Network: connects LANs and LAN-attached devices to each other.
- Enterprise-wide Network: leased data lines (T1, DS-3) connect various offices.
- Internet Connectivity: initially for email, now for Web access, e-commerce, ....
Makes the world accessible, but now the world also has access to you.

Slide 3: Agency Virtual Private Network
[Diagram: LANs at Agency Offices across Georgia connect through an Agency Gateway & Web Server to the State WWW Gateway and the Internet. Connectivity is provided by the Georgia Backbone Network. A Private Virtual Connection links the Agency Server with a Non-Agency State Server and Other Agencies. Outside parties reaching the agency via the WWW: Citizens, Contractors, City & County Governments, Schools, Libraries, Kiosks.]

Slide 4: Agency Firewall - Protects Agency Subnets from Unwanted Connections
[Diagram: Subnet 1 and Subnet 2 sit behind a Gateway that connects to the WAN.]
Firewalls (and many routers) can reject:
- Packets with certain source and destination addresses
- Packets with certain high-level protocols (UDP, Telnet)
Proxy Servers - for specific applications:
- Email messages are assembled and inspected, then passed to the internal email server machine.
- Prevent Cyber Loafing - exploring the Internet for fun.

Slide 5: [Diagram: the protocol stacks of a Web server and a browser, with a router-firewall between them.]
- Web server (IP address 130.207.22.5, port 80): Application Layer (HTTP), Transport Layer (TCP, UDP), Network Layer (IP), Ethernet Data Link Layer, Ethernet Phys. Layer.
- Router-Firewall: Network Layer over an Ethernet Data Link and Phys. Layer on one side and a Token Ring Data Link and Phys. Layer on the other. It can drop packets based on source or destination IP address and/or port.
- Browser (IP address 24.88.15.22, port 31337; TCP segment no.): Application Layer (HTTP), Transport Layer (TCP, UDP), Network Layer (IP), Token Ring Data Link Layer, Token Ring Phys. Layer.

Slide 6: [Diagram: a Transport- or Application-Layer Gateway (proxy) between an Ethernet network and a Token Ring (TR) network. The gateway carries a full stack on each side, Application Layer (HTTP, FTP, TELNET, SMTP), Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Phys. Layer, and a Process on the gateway relays data between the two stacks. The end host on the Ethernet side and the end host on the TR side each run the same full stack.]

Slide 7: Policy and the matching Firewall Setting
Policy: No outside Web access.
  Setting: Drop all outgoing packets to any IP, port 80.
Policy: Outside connections to the public Web server only.
  Setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
Policy: Prevent Web radios from eating up the available bandwidth.
  Setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack.
  Setting: Drop all ICMP packets going to a "broadcast" address (130.207.255.255 or 130.207.0.0).
Policy: Prevent your network from being tracerouted or ping-scanned.
  Setting: Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.

Slide 8: Firewall Attacks and the matching Firewall Defense
Attack: IP internal-address spoofing.
  Defense: Drop all incoming packets with a local (internal) source address.
Attack: Source routing (external spoof).
  Defense: Drop all IP packets with the Source-Routing option.
Attack: Tiny fragment attacks.
  Defense: Drop all incoming fragments with a small offset.
Attack: 2nd-fragment probes.
  Defense: Assemble IP fragments (hard work).
Attack: SYN-ACK probes.
  Defense: Be "stateful": keep track of outgoing TCP SYN packets (the start of every TCP connection) so that only replies to them are admitted (hard work).
Attack: Internal hacking.
  Defense: Drop all outgoing packets which do not have an "internal" source IP address.

Slide 9: A Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments.
-------
Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.
Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with "filter" capabilities), e.g. protect the Finance department from the Engineering department. [Problem: the internal network runs at a much higher bit rate, so the firewalls are more expensive.]
Solution 2 - implement /etc/hosts.allow, "IP Chains", or "IP Tables" (PC "Personal Firewalls") on the hosts themselves, so that access is limited to individual computers on certain ports for specific hosts and subnets.

Slide 10: "inetd" and "xinetd" hosts.allow

    # cat /etc/hosts.deny
    ALL:ALL
    # cat /etc/hosts.allow
    in.telnetd: 199.77.146 24.88.154.17
    in.ftpd: 199.77.146.19 199.77.146.102

UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any). Above, the telnet service is available to every host on the 199.77.146.0 subnet and to a single off-subnet host, 24.88.154.17. FTP service is available only to two local hosts, .19 and .102. The format of each line is "daemon:host-list".
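Added example, not from the slides: a small Python checker that applies the two files above with the evaluation order tcp_wrappers uses (hosts.allow is consulted first and a match grants access; hosts.deny is consulted next and a match refuses; a client matching neither file is allowed, which is why the slide's hosts.deny holds ALL:ALL). The file contents are constructed copies of the slide's; the shorthand "199.77.146" is implemented as the slide describes it, and the trailing-dot form "199.77.146." that tcp_wrappers itself documents is accepted too.

```python
from typing import List, Tuple

# Constructed copies of the two files shown on the slide.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# daemon-list : host-list
in.telnetd: 199.77.146 24.88.154.17
in.ftpd: 199.77.146.19 199.77.146.102
"""

Entry = Tuple[List[str], List[str]]   # (daemon names, host patterns)


def parse_access_file(text: str) -> List[Entry]:
    """Parse 'daemon-list : host-list' lines; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, hosts = line.split(":", 1)
        entries.append((daemons.replace(",", " ").split(), hosts.replace(",", " ").split()))
    return entries


def host_matches(pattern: str, addr: str) -> bool:
    """ALL, an exact address, or a leading-octets prefix ("199.77.146" = 199.77.146.any)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # tcp_wrappers' documented prefix form, "199.77.146."
        return addr.startswith(pattern)
    if pattern.count(".") < 3:           # the slide's shorthand without the trailing dot
        return addr.startswith(pattern + ".")
    return addr == pattern


def entry_matches(entry: Entry, daemon: str, addr: str) -> bool:
    daemons, hosts = entry
    return ("ALL" in daemons or daemon in daemons) and any(host_matches(h, addr) for h in hosts)


def access_allowed(daemon: str, addr: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """hosts.allow first (match grants), then hosts.deny (match refuses), else allow."""
    if any(entry_matches(e, daemon, addr) for e in parse_access_file(allow)):
        return True
    if any(entry_matches(e, daemon, addr) for e in parse_access_file(deny)):
        return False
    return True


if __name__ == "__main__":
    for daemon, addr in [("in.telnetd", "199.77.146.55"), ("in.telnetd", "24.88.154.18"),
                         ("in.ftpd", "199.77.146.19"), ("in.ftpd", "199.77.146.55"),
                         ("sshd", "199.77.146.19")]:
        print(f"{daemon:11s} from {addr:15s}: {'allow' if access_allowed(daemon, addr) else 'deny'}")
```

The last case in the usage loop is the one to remember: a daemon that is not mentioned in hosts.allow at all (here a hypothetical "sshd") is refused by the ALL:ALL line, so the default is deny only because hosts.deny says so; with an empty hosts.deny the same client would be admitted.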

Slide 11: IP Chains
The kernel starts with three lists of rules; these lists are called firewall chains or just chains. The three chains are called input, output and forward. When a packet comes in (say, through the Ethernet card) the kernel uses the input chain to decide its fate. If it survives that step, then the kernel decides where to send the packet next (this is called routing). If it is destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain.

A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to reject or deny the packet.
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html#ss4.2
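Added example, not from the slides or the IPCHAINS-HOWTO: a Python model of the chain mechanism just described (an ordered checklist of rules, first match wins, otherwise the chain policy), loaded with the settings from slide 7 and the defenses from slide 8 on an input chain and an output chain, including the "stateful" part: outgoing TCP SYNs are recorded so that only replies to them are admitted, which is what defeats a SYN-ACK probe. Addresses, the campus prefix 130.207.0.0/16 and the outside hosts are constructed; the tiny-fragment rule drops a fragment offset of 1 (the minimum check from RFC 1858), and "router broadcasts" are left out of the UDP exception for brevity.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed for this example: the slides' 130.207.0.0/16 campus network,
# its public web server and the two addresses slide 7 calls "broadcast".
INTERNAL = ip_network("130.207.0.0/16")
PUBLIC_WEB = "130.207.244.203"
BROADCASTS = {"130.207.255.255", "130.207.0.0"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP SYN flag: start of a connection
    ack: bool = False
    ttl: int = 64
    frag_offset: int = 0        # IP fragment offset, in 8-byte units
    source_routed: bool = False
    icmp_type: str = ""         # e.g. "echo-request"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                 # "ACCEPT" or "DROP"
    note: str                   # why the rule exists


@dataclass
class Chain:
    name: str
    policy: str                 # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:         # checklist: first match decides
            if rule.match(pkt):
                return rule.target, rule.note
        return self.policy, f"{self.name} chain policy"


class StatefulFilter:
    def __init__(self) -> None:
        self.state = set()      # (int ip, int port, ext ip, ext port) opened from inside
        inside = lambda a: ip_address(a) in INTERNAL
        self.input = Chain("input", "DROP", [
            Rule(lambda p: inside(p.src), "DROP", "spoofed internal source"),
            Rule(lambda p: p.source_routed, "DROP", "source-routing option"),
            Rule(lambda p: p.frag_offset == 1, "DROP", "tiny-fragment offset"),
            Rule(lambda p: p.ttl < 5, "DROP", "low TTL (traceroute)"),
            Rule(lambda p: p.proto == "icmp" and p.dst in BROADCASTS, "DROP", "Smurf amplifier"),
            Rule(lambda p: p.icmp_type == "echo-request" or p.dport == 7, "DROP", "echo request"),
            Rule(lambda p: p.proto == "tcp" and p.syn and not p.ack and p.dst == PUBLIC_WEB
                 and p.dport == 80, "ACCEPT", "new connection to public web server"),
            Rule(lambda p: p.proto == "tcp" and p.syn and not p.ack, "DROP", "new inbound TCP"),
            Rule(lambda p: p.proto == "tcp" and self.established(p), "ACCEPT", "reply to our SYN"),
            Rule(lambda p: p.proto == "udp" and p.sport == 53, "ACCEPT", "DNS reply"),
        ])
        self.output = Chain("output", "ACCEPT", [
            Rule(lambda p: not inside(p.src), "DROP", "egress filter: foreign source"),
            Rule(lambda p: p.proto == "tcp" and p.dport == 80, "DROP", "no outside web access"),
        ])

    def established(self, p: Packet) -> bool:
        # Reverse direction of a connection whose SYN we saw leave?
        return (p.dst, p.dport, p.src, p.sport) in self.state

    def inbound(self, p: Packet) -> str:
        return self.input.verdict(p)[0]

    def outbound(self, p: Packet) -> str:
        target, _ = self.output.verdict(p)
        if target == "ACCEPT" and p.proto == "tcp" and p.syn and not p.ack:
            self.state.add((p.src, p.sport, p.dst, p.dport))   # remember our SYN
        return target


def demo() -> dict:
    """Run the slides' policy over constructed packets; returns name -> verdict."""
    fw = StatefulFilter()
    host, ext = "130.207.22.5", "198.51.100.9"
    return {
        "mail_out": fw.outbound(Packet(host, ext, "tcp", 31337, 25, syn=True)),
        "mail_reply": fw.inbound(Packet(ext, host, "tcp", 25, 31337, syn=True, ack=True)),
        "synack_probe": fw.inbound(Packet(ext, host, "tcp", 25, 40000, syn=True, ack=True)),
        "web_in": fw.inbound(Packet(ext, PUBLIC_WEB, "tcp", 40000, 80, syn=True)),
        "spoof_in": fw.inbound(Packet("130.207.1.1", host, "tcp", 40000, 23, syn=True)),
        "web_out": fw.outbound(Packet(host, ext, "tcp", 31337, 80, syn=True)),
        "egress_spoof": fw.outbound(Packet("10.0.0.1", ext, "udp", 5000, 5000)),
        "smurf": fw.inbound(Packet(ext, "130.207.255.255", "icmp", icmp_type="echo-request")),
        "tiny_frag": fw.inbound(Packet(ext, host, "tcp", 40000, 80, frag_offset=1)),
        "traceroute": fw.inbound(Packet(ext, host, "udp", 40000, 33434, ttl=3)),
    }
```

Rule order is the whole point of a chain: the anti-spoofing and option checks come before anything is accepted, the state lookup runs only for TCP packets that are not a new SYN, and the unsolicited SYN-ACK probe in demo() falls through every rule to the input policy, which is DROP.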

Slide 12: [Diagram from the IPCHAINS-HOWTO: the path of a packet through the kernel. An arriving packet passes the Checksum and Sanity checks, then the input chain (DENY/REJECT discards it here); REDIRECT sends it to a Local Process. A surviving packet reaches the Routing Decision: packets for this machine go to a Local Process, packets for another machine go through the forward chain (DENY/REJECT), and everything leaving passes the output chain (ACCEPT, or DENY/REJECT) onto the interface. Locally generated packets enter at the output chain, and the "lo" (local) interface loops output back to input.]

    ipchains -A good-if -i ! eth1 -j DENY
    ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
    ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
    ipchains -A good-if -j icmp-acc

Slide 13: iptables listing

    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
    DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
    ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
    ACCEPT     tcp  --  localhost            anywhere             tcp spt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABL
    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
    ACCEPT     icmp --  1.185.lancope.com    anywhere
    DROP       all  --  0.0.0.0/8            anywhere
    DROP       all  --  anywhere             127.0.0.0/8
    DROP       icmp --  anywhere             anywhere             state NEW
    DROP       all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             10.0.0.0/24
    ACCEPT     icmp --  anywhere             anywhere             state RELATED,ESTABLISHED

Slide 14: Router Setup with Network Address Translation (NAT)
Addresses 10.0.0.0 and 192.168.0.0 are reserved for private networks.

Slide 17: [Diagram: an Internet Router, 24.88.48.47, with NAT that masquerades (it could be a "dual-homed bastion host"). Behind it: Host 192.168.0.10, Host 192.168.0.20, Host 192.168.0.30, Host 192.168.0.40, a Web Server on port 80 and an FTP Server on port 21. Outside: a client at 130.27.8.35. An inbound connection to port 23 on the router is forwarded to 192.168.0.40.]
Packet sequence shown:
- To 24.88.48.47:23 from 130.27.8.35:x
- To 192.168.0.40:23 from 130.27.8.35:x
- To 130.27.8.35:x from 192.168.0.40:23
- To 130.27.8.35:x from 24.88.48.47:23
Note: x is a high port number, 1024-65,535.

Slide 18: [Diagram: the same Internet Router, 24.88.48.47, with NAT that masquerades. Behind it: Host 192.168.0.10, Web Client 192.168.0.20, Host 192.168.0.30, Host 192.168.0.40, a Web Server on port 80 and an FTP Server on port 21. Outside: Web Host 130.27.8.35.]
Packet sequence shown:
- To 130.27.8.35:80 from 192.168.0.20:x
- To 130.27.8.35:80 from 24.88.48.47:x
- To 24.88.48.47:x from 130.27.8.35:80
- To 192.168.0.20:x from 130.27.8.35:80
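Added example, not from the slides: a Python model of the masquerading router's translation table, replaying the flows of slides 17 and 18. Outbound connections from the 192.168.0.0 LAN get the router's public address as source and are remembered so the reply can be mapped back; inbound packets are delivered only to a remembered flow or to an explicit port forward (the mapping of public port 23 to 192.168.0.40:23 is constructed from slide 17's packet sequence), and anything else never reaches a LAN host, which is the firewall-like side effect of NAT. The port numbers x (3456, 5001) are constructed, and the table is keyed on endpoints only, a simplification of a real NAT's per-connection 5-tuple table.

```python
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]   # (IP address, port)


class MasqueradingRouter:
    """NAT table of a router that hides a private LAN behind one public address."""

    def __init__(self, public_ip: str, port_forwards: Dict[int, Addr]) -> None:
        self.public_ip = public_ip
        self.port_forwards = port_forwards        # public port -> internal (ip, port)
        self.to_internal: Dict[Addr, Addr] = {}   # (public_ip, port) -> internal endpoint
        self.to_public: Dict[Addr, Addr] = {}     # internal endpoint -> (public_ip, port)
        self.next_port = 1024                     # first port handed out on a collision

    def _public_port(self, wanted: int) -> int:
        """Keep the host's own port x when free (as the slides draw it), else pick one."""
        port = wanted
        while (self.public_ip, port) in self.to_internal or port in self.port_forwards:
            port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src: Addr, dst: Addr) -> Tuple[Addr, Addr]:
        """LAN -> Internet: rewrite the private source to the router's public address."""
        if src not in self.to_public:
            pub = (self.public_ip, self._public_port(src[1]))
            self.to_public[src] = pub
            self.to_internal[pub] = src
        return self.to_public[src], dst

    def inbound(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        """Internet -> LAN: deliver only replies to known flows or port-forwarded services."""
        if dst in self.to_internal:
            return src, self.to_internal[dst]
        if dst[0] == self.public_ip and dst[1] in self.port_forwards:
            internal = self.port_forwards[dst[1]]
            self.to_internal[dst] = internal        # so the server's replies map back
            self.to_public[internal] = dst
            return src, internal
        return None                                 # unsolicited: no LAN host is reachable


def demo() -> dict:
    """Replay the two slides' packet flows through the constructed router."""
    router = MasqueradingRouter("24.88.48.47", {23: ("192.168.0.40", 23)})
    web_host, outside_client = ("130.27.8.35", 80), ("130.27.8.35", 5001)
    out = {}
    # Slide 18: web client 192.168.0.20:x fetches a page from 130.27.8.35:80
    out["client_out"] = router.outbound(("192.168.0.20", 3456), web_host)
    out["client_reply"] = router.inbound(web_host, ("24.88.48.47", 3456))
    # A second client using the same port x: the router must choose another public port
    out["second_client"] = router.outbound(("192.168.0.30", 3456), web_host)
    # Slide 17: an outside client reaches port 23 on the router, forwarded to 192.168.0.40
    out["forward_in"] = router.inbound(outside_client, ("24.88.48.47", 23))
    out["forward_reply"] = router.outbound(("192.168.0.40", 23), outside_client)
    # Neither a remembered flow nor a forward: the packet is not delivered inside
    out["unsolicited"] = router.inbound(outside_client, ("24.88.48.47", 22))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

The second-client case is the one the slides' notation "24.88.48.47:x" hides: two LAN hosts may legitimately pick the same source port x, so the router cannot always keep x and has to allocate a free public port of its own, which is why the reverse table is indexed by the public port rather than the host's.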

Slide 19: Combined Firewalls and IDS (see also: ISS Proventia)

Slide 20: Protocol Anomaly Detection
WatchGuard transparent application-layer proxies examine entire connection data streams, identifying and destroying protocol anomalies and discarding harmful or questionable information. In addition, WatchGuard firewalls perform:
* Packet Handling - prevents packets from entering the network until they are reassembled and examined.
* Packet Reassembly - reassembles packet fragments to prevent fragment-overlap attacks such as Teardrop and other Layer 3 protocol-anomaly-based attacks.
Signature Element Analysis
Rather than using signatures that precisely identify specific attacks, WatchGuard systems look at what any attack of a certain type (e.g., e-mail) must do to succeed (e.g., auto-execute an attachment). With rule sets, you can choose to allow or deny traffic, or even deny all traffic from a source for a specific period. In addition to rigorous rule sets, the firewall processes policy-based configurations, and management subsystems perform state and content analysis. These processes protect against entire known and unknown attack classes, and can narrow the vulnerability window without making you wait for updated attack-specific signatures.
Behavior-Based Analysis
Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has mechanisms in place within the firewall to identify known attack behaviors, such as:
* Port scans and probes
* Spoofing
* SYN flood attacks
* DoS and DDoS attacks
* The misuse of IP options such as source routing

