12 Firewalls


  • 8/10/2019 12 Firewalls

    1/38

    Firewalls

    Dan Fleck

    CS 469: Security Engineering

    Slides modified with permission from original by Arun Sood


    References

    1. Mark Stamp, Information Security: Principles and Practice, Wiley-Interscience, 2006.

    2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.

    3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.

    4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.

    5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.

    6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.

    7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.


    Firewall as Network Access Control

    Access Control

    Authentication

    Authorization

    Single Sign On

    Firewall

    Interface between networks

    Usually external (internet) and internal

    Allows traffic flow in both directions

    Firewall

    Interface between networks

    Usually external (internet) and internal

    Allows traffic flow in both directions

    Controls the traffic

    [Diagram: Internet - firewall - Internal network]

    Firewall as Secretary

    A firewall is like a secretary

    To meet with an executive

    First contact the secretary

    Secretary decides if meeting is reasonable

    Secretary filters out many requests

    You want to meet chair of CS department?

    Secretary does some filtering

    You want to meet President of US?

    Secretary does lots of filtering!

    [1]


    Security Strategies

    Least privilege

    Objects have the lowest privilege to perform assigned task

    Defense in depth

    Use multiple mechanisms

    Best if each is independent: minimal overlap

    Choke point

    Facilitates monitoring and control

    [2]


    Security Strategies - 2

    Weakest link

    Fail-safe

    If firewall fails, it should go to fail-safe that denies access to avoid intrusions

    Default deny

    Default permit

    Universal participation

    Everyone has to accept the rules

    [2]


    Security Strategies - 3

    Diversity of defense

    Inherent weaknesses

    Multiple technologies to compensate for inherent weakness of one technology

    Common heritage

    If systems configured by the same person, may have the same weakness

    Simplicity

    Security through obscurity

    [2]


    Security Strategies - 4

    Configuration errors can be devastating

    Testing is not perfect

    Ongoing trial and error will identify weaknesses

    Enforcing a sound policy is critical

    [2]


    Types of Firewall

    No Standard Terminology

    Packet Filtering (network layer)

    Simplest firewall

    Filter packets based on specified criteria

    IP addresses, subnets, TCP or UDP ports

    Does NOT read the packet payload

    Vulnerable to IP spoofing

    Stateful inspection (transport layer)

    In addition to packet inspection

    Validate attributes of multi-packet flows

    Keeps track of connection state (e.g. TCP streams, active connections, etc.)

    [2]


    Types of Firewall - 2

    Application Based Firewall (application layer)

    Allows data into/out of a process based on that process type

    Can act on a single computer or at the network layer

    e.g. allowing only HTTP traffic to a website

    Log access: attempted access and allowed access

    Personal firewall: single user, home network

    [2]


    Types of Firewall - 3

    Proxy

    Intermediate connection between servers on the internet and internal servers.

    For incoming data

    Proxy is server to internal network clients

    For outgoing data

    Proxy is client sending out data to the internet

    Very secure

    Less efficient versus packet filters [2]

    No IP packets pass through firewall. Firewall creates new packets.


    Types of Firewall - 4

    Network Address Translation

    Hides internal network from external network

    Private IP addresses

    expands the IP address space

    Creates a choke point

    Virtual Private Network

    Employs encryption and integrity protection

    Use internet as part of a private network

    Make remote computer act like it is on local network

    [2]


    Packet Filter

    Advantages

    Simplest firewall architecture

    Works at the network layer: applies to all systems

    One firewall for the entire network

    Disadvantages

    Can be compromised by many attacks

    Source spoofing


    Packet Filter - Example

    [2]


    Packet Filter - Example

    [2]


    Packet Filter - Example

    Attack succeeds because of rules B and D

    More secure to add source ports to rules


    Packet Filter - Example

    [2]


    Packet Filter - Example

    These packets would be admitted. To avoid this, add an ACK bit to the rule set

    [2]


    Packet Filter - Example

    Attack fails, because the ACK bit is not set. ACK bit is set if the connection originated from inside.

    Incoming TCP packets must have ACK bit set. If this started outside, then no matching data, and packet will be rejected.

    Note: This rule means we allow no services other than requests that we originate.


    TCP Ack for Port Scanning

    Attacker sends packet with ACK set (without prior handshake) using port p

    Violation of TCP/IP protocol

    Packet filter firewall passes packet

    Firewall considers it part of an ongoing connection

    Receiver sends RST

    Indicates to the sender that the connection should be terminated

    Receiving RST indicates that port p is open!!

    [1]


    TCP Ack Port Scan

    RST confirms that port 1209 is open

    Problem: packet filtering is stateless; the firewall should track the entire connection exchange

    [1]


    Stateful Packet Filter

    Remembers packets in the TCP connections (and flag bits)

    Adds state info to the packet filter firewalls.

    Operates at the transport layer.

    Pro: Adds state to packet filter and keeps track of ongoing connection

    Con: Slower, more overhead. Packet content info not used

    [1]

    [Diagram: protocol stack (application, transport, network, link, physical); the stateful packet filter sits at the transport layer]
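The progression on the preceding slides (rules without source ports, rules with source ports, rules that also require the ACK bit, the TCP ACK scan that a stateless filter still passes, and the stateful filter that catches it) can be traced with a small simulator. The Python below is an added example written for this page, not code from the lecture or from any firewall product. The rule names A and B, the 10.0.0.0/24 internal network, the external address 203.0.113.10 and every port number are constructed; the NEW / ESTABLISHED / INVALID labels borrow the iptables state names used later in the deck.

```python
"""Toy packet filter, stateless and stateful (added example, not from the slides).
Models ordered rules with first match wins and default deny, the ACK-bit rule for
inbound TCP, and a stateful filter that classifies packets NEW / ESTABLISHED /
INVALID like the iptables state match. All names, addresses and ports are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

INTERNAL = "10.0.0."  # constructed: internal hosts live in 10.0.0.0/24
# direction is "in" (Internet -> internal) or "out"; flags is a frozenset of TCP flag names
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

def _addr_ok(pattern, addr):  # None/"*": anything; trailing ".": prefix match; else exact
    return pattern in (None, "*") or (addr.startswith(pattern) if pattern.endswith(".") else addr == pattern)

def _conn_key(p):
    # connection table key: (internal_ip, internal_port, external_ip, external_port)
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    dport_min: Optional[int] = None  # match destination ports >= this value
    require_ack: bool = False        # match only when the TCP ACK bit is set

    def matches(self, p):
        return ((self.direction is None or p.direction == self.direction)
                and (self.proto is None or p.proto == self.proto)
                and _addr_ok(self.src, p.src) and _addr_ok(self.dst, p.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.dport_min is None or p.dport >= self.dport_min)
                and (not self.require_ack or "ACK" in p.flags))

def evaluate(rules, p):
    """Stateless filter: first matching rule wins, otherwise default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default"

# Three rule sets that let internal hosts browse the web: A lets connections out, B lets replies in.
A = Rule("A", "allow", "out", "tcp", src=INTERNAL, dport=80)
NO_SPORT = [A, Rule("B", "allow", "in", "tcp", dst=INTERNAL, dport_min=1024)]
WITH_SPORT = [A, Rule("B", "allow", "in", "tcp", sport=80, dst=INTERNAL, dport_min=1024)]
WITH_ACK = [A, Rule("B", "allow", "in", "tcp", sport=80, dst=INTERNAL, dport_min=1024, require_ack=True)]

class StatefulFilter:
    """Remembers admitted connections; later packets pass as ESTABLISHED, a bare ACK is INVALID."""
    def __init__(self, rules):
        self.rules = rules
        self.table = set()

    def classify(self, p):
        if _conn_key(p) in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp" and p.flags == frozenset({"SYN"}):
            return "NEW"
        return "INVALID"

    def filter(self, p):
        state = self.classify(p)
        if state == "ESTABLISHED":
            return "allow", "established"
        if state == "INVALID":
            return "deny", "invalid-state"
        action, name = evaluate(self.rules, p)  # NEW connections consult the rules
        if action == "allow":
            self.table.add(_conn_key(p))
        return action, name

def demo():
    """Constructed traffic: a legitimate web fetch, two probes and an ACK scan."""
    inside, outside = "10.0.0.5", "203.0.113.10"
    legit_out = Packet("out", "tcp", inside, 40000, outside, 80, frozenset({"SYN"}))
    legit_back = Packet("in", "tcp", outside, 80, inside, 40000, frozenset({"SYN", "ACK"}))
    probe_any = Packet("in", "tcp", outside, 12345, inside, 8080, frozenset({"SYN"}))
    probe_80 = Packet("in", "tcp", outside, 80, inside, 8080, frozenset({"SYN"}))
    ack_scan = Packet("in", "tcp", outside, 80, inside, 1209, frozenset({"ACK"}))
    stateful = StatefulFilter(WITH_ACK)
    return {
        "no_sport/probe_any": evaluate(NO_SPORT, probe_any)[0],      # allow: rule B too loose
        "with_sport/probe_any": evaluate(WITH_SPORT, probe_any)[0],  # deny
        "with_sport/probe_80": evaluate(WITH_SPORT, probe_80)[0],    # allow: source port is forgeable
        "with_ack/probe_80": evaluate(WITH_ACK, probe_80)[0],        # deny: no ACK bit
        "with_ack/legit_back": evaluate(WITH_ACK, legit_back)[0],    # allow: a real reply
        "with_ack/ack_scan": evaluate(WITH_ACK, ack_scan)[0],        # allow: stateless weakness
        "stateful/legit_out": stateful.filter(legit_out)[0],         # allow, connection recorded
        "stateful/legit_back": stateful.filter(legit_back)[0],       # allow, ESTABLISHED
        "stateful/ack_scan": stateful.filter(ack_scan)[0],           # deny, INVALID
    }
```

demo() returns the verdict for each case. The two entries to compare are with_ack/ack_scan, where the stateless filter admits a bare ACK because rule B only checks that the bit is set, and stateful/ack_scan, where the same packet is rejected because no outbound SYN ever created a table entry for 10.0.0.5:1209. Real stateful engines also expire entries and check sequence numbers; the table here is only a set of 4-tuples.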


    Application Proxy

    A proxy acts on behalf of the system being protected.

    Application proxy examines incoming app data and verifies that data is safe before passing it to the system.

    Pros

    Complete view of the connections and app data

    Filter bad data (viruses, Word macros)

    Incoming packet is terminated and new packet is sent to internal network

    Con: Speed

    [1]


    Firewalk Port Scanning

    Scan ports through firewalls

    Requires knowledge of IP address of firewall

    IP address of one system in internal network

    Number of hops to the firewall

    Set TTL (time to live) = Hops to firewall +1

    Set destination port to be p

    If firewall does not pass data for port p, then no response

    If data passes thru firewall on port p, then time exceeded error message

    [1]

    Let's try it: Applications -> Utilities -> Network Utility


    Firewalk and Proxy Firewall

    Attack would be stopped by proxy firewall

    Incoming packet destroyed (old TTL value also destroyed)

    New outgoing packet will not exceed TTL.

    [1]

    [Diagram: Trudy sends packets to dest ports 12345, 12344 and 12343 with TTL=4 through three routers towards the packet filter; a "Time exceeded" message comes back]


    Firewalls and Defense in Depth

    Example security architecture

    [Diagram: Internet, packet filter, application proxy, intranet with personal firewalls; a DMZ holding the FTP server, DNS server and WWW server]

    [1]


    Research: Firewall Policy Verification

    Firewall design: consistency, completeness, and compactness

    Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Distributed Computing Systems, 2004. Proceedings. 24th International Conference on, pp. 320-327, 2004

    Lesson: Practical firewalls have complex rulesets. They are hard to get right. Research in place to help validate the configuration for errors

    Let's see some simple ones


    Let's do some examples

    iptables is a common tool to build firewalls

    Well supported in Linux:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    -A: append to list of rules

    -p: match protocol tcp

    --dport 22: match destination port 22 (ssh)

    -j ACCEPT: if rule matches, ACCEPT the packet.

    1st matching rule wins: order matters!

    Final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.


    iptables - chains

    INPUT: anything with a destination of the firewall box

    OUTPUT: anything with a source of the firewall box

    FORWARD: anything going through the firewall box (neither source nor dest is the firewall box)

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # This allows SSH TO THE FIREWALL BOX!


    iptables matching rules

    Jump targets: what to do upon match?

    -j ACCEPT: allow it

    -j REJECT: send a rejection message

    -j DROP: drop it, don't send any message

    -j logaccept, logdrop, logreject

    (there are others)

    Protocol matching rules

    -p tcp, udp, icmp, all (0 means all)

    Port matching rules

    --dport destination port

    --sport source port


    iptables more rules

    Physical device interface:

    -i vlan0 # Packets coming in on that physical interface

    -o eth1 # packets going out on that physical interface

    -i only valid for INPUT, FORWARD chain

    -o only valid for OUTPUT, FORWARD chain

    (Note: Specific interface differs by hardware)

    Time-based Limiting

    --limit 5/minute (rule matches a maximum of 5 times per minute (or second or hour, or day, etc.))

    Syn-flood protection:

    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
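Which SYNs the rule above actually ACCEPTs is easier to see with a model of the limit match's token bucket. The Python below is an added example, not from the slides or from iptables itself. It follows the iptables(8) description of --limit and --limit-burst (an allowance of burst matches, default 5, refilled at the given rate), uses float arithmetic where the kernel keeps integer credits, and assumes a DROP rule follows the ACCEPT rule, because the limit rule on its own never drops anything: SYNs it does not match simply continue to the next rule.

```python
"""Token-bucket model of the iptables limit match (added example, not from the slides).
iptables(8) describes '-m limit --limit RATE --limit-burst N' as an allowance of N
matches (default 5) that refills at RATE. This lets the lecture's syn-flood rule,
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
be traced by hand. The rule only ACCEPTs SYNs while tokens remain; the rest fall
through to whatever rule follows, so a later DROP rule (assumed here) is what makes
it a flood limit. Float arithmetic stands in for the kernel's integer credits."""

UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'1/s', '5/minute', '30/hour' -> allowed matches per second (unit may be abbreviated)."""
    count, unit = spec.split("/")
    names = [u for u in UNITS if u.startswith(unit)]
    if len(names) != 1:
        raise ValueError(f"unknown rate unit in {spec!r}")
    return float(count) / UNITS[names[0]]


class LimitMatch:
    """Bucket of `burst` tokens: each match spends one, and they refill at `rate`."""

    def __init__(self, rate, burst=5):
        self.per_second = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = None

    def matches(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_demo(arrivals, rate="1/s", burst=5, next_rule="DROP"):
    """Verdict per SYN arrival time (seconds): ACCEPT while the limit rule matches,
    otherwise the target of the assumed following rule."""
    limit = LimitMatch(rate, burst)
    return ["ACCEPT" if limit.matches(t) else next_rule for t in arrivals]


if __name__ == "__main__":
    # Constructed burst: eight SYNs at t=0, then one each at 1.0 s, 1.5 s and 3.0 s.
    times = [0.0] * 8 + [1.0, 1.5, 3.0]
    for t, result in zip(times, syn_flood_demo(times)):
        print(f"t={t:4.1f}s  {result}")
```

With the default burst, the first five SYNs of a burst pass regardless of the rate, and thereafter one more passes per second; a SYN arriving half a second after the last accepted one falls through. Tune --limit-burst and --limit together, and remember the limit applies to the rule as a whole, not per source address.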


    iptables - examples

    Let's stop all http access

    Let's stop ping

    Let's allow www.gmu.edu through (but only GMU!)

    --destination www.gmu.edu

    Let's allow only my IP to get to HTTP

    --source 192.168.3.10

    iptables more rules

    State matching: -m state --state ESTABLISHED,RELATED

    NEW - A packet which creates a new connection.

    ESTABLISHED - A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).

    RELATED - A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.

    INVALID - A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.


    iptables more rules

    TCP bit matching:

    iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

    --tcp-flags string 1 = the set of bits to look at

    string 2 = the subset of 1 which should be ones

    Above command says look at all the bits (ALL is synonymous with SYN,ACK,FIN,RST,URG,PSH) and verify that only the SYN and ACK bits are set.
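The mask/compare semantics of --tcp-flags are easy to misread, so here is an added example (not from the slides or from iptables) that implements them in Python: flag_bits turns a flag list into a bitmask, tcp_flags_match applies (packet & MASK) == COMP, and a small parser pulls the chain, mask, compare set and target out of command lines shaped like the one above. The parser reads only those options and treats --syn as the iptables(8) shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. The two extra rules in RULES are constructed for the example.

```python
"""iptables --tcp-flags semantics (added example, not from the slides).
--tcp-flags MASK COMP means: of the flags named in MASK, exactly the ones in COMP
must be set; flags outside MASK are not examined. --syn is documented in iptables(8)
as shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. The parser below reads only the
options this example needs; it is a model, not iptables itself."""
import shlex

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(spec):
    """'SYN,ACK' -> bitmask; 'ALL' is every flag, 'NONE' (or '') is no flag."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec in ("NONE", ""):
        return 0
    bits = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(mask, comp, packet_flags):
    """(packet & MASK) == COMP. A COMP flag that is not in MASK can never be satisfied."""
    return (flag_bits(packet_flags) & flag_bits(mask)) == flag_bits(comp)


def parse_rule(cmdline):
    """Pull chain, MASK, COMP and target out of an iptables command line."""
    argv = shlex.split(cmdline)
    chain = mask = comp = target = None
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in ("-A", "-I"):
            chain, i = argv[i + 1], i + 2
        elif opt == "--tcp-flags":
            mask, comp, i = argv[i + 1], argv[i + 2], i + 3
        elif opt == "--syn":
            mask, comp, i = "SYN,RST,ACK,FIN", "SYN", i + 1
        elif opt == "-j":
            target, i = argv[i + 1], i + 2
        else:
            i += 1  # -p tcp / --protocol tcp and the like are not needed here
    if None in (chain, mask, comp, target):
        raise ValueError(f"not a --tcp-flags/--syn rule: {cmdline}")
    return chain, mask, comp, target


def verdict(rules, packet_flags, policy="ACCEPT"):
    """First matching rule wins; `policy` stands in for the chain's default."""
    for line in rules:
        _chain, mask, comp, target = parse_rule(line)
        if tcp_flags_match(mask, comp, packet_flags):
            return target
    return policy


# The lecture's rule plus two common sanity rules (constructed here).
RULES = [
    "iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",  # SYN+FIN together is never legitimate
    "iptables -A INPUT -p tcp --syn -j ACCEPT",                        # plain connection requests
]

if __name__ == "__main__":
    for flags in ("SYN", "SYN,ACK", "SYN,ACK,PSH", "SYN,FIN", "ACK,PSH"):
        print(f"{flags:12s} -> {verdict(RULES, flags)}")
```

Run on SYN,ACK,PSH, the lecture's rule does not match: ALL puts PSH in the mask, PSH is set, and PSH is not in the compare set, so "only the SYN and ACK bits are set" means exactly that. Note also that on INPUT a SYN,ACK is the far end's reply to a connection the firewall box itself opened, so the rule taken literally stops the box from completing any outbound TCP connection; in practice it sits behind a rule that accepts ESTABLISHED,RELATED traffic first.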


    iptables - Tunneling

    In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.

    We really use SSH tunnels:

    ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p10024 localhost

    However if everyone needed to use it we could use a firewall based tunnel:

    iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22

    Would a GUI help?


    Lessons

    There are many firewall types

    Each provides a different level of security versus performance

    Multiple firewalls can be used to segment networks into

    security zones

    iptables is a powerful example of how to create/manage firewalls

    End of presentation