17 Firewalls


  • 8/8/2019 17 Firewalls

    1/17

    CEN 448 Security and Internet Protocols

    Chapter 20: Firewalls

    Dr. Mostafa Hassan Dahshan, Computer Engineering Department

    College of Computer and Information Sciences, King Saud University

    [email protected]

    Firewalls

    Internet connectivity essential to organization

    Internet provides benefits

    But also enables outsiders to reach local resources

    Not practical to secure all workstations

    Alternative is firewalls

    Inserted between local network and Internet

    Single choke point to impose security, audit


    Design Goals

    All traffic must pass through firewall, from inside to outside or outside to inside

    block all access to LAN except through firewall

    Only authorized traffic is allowed to pass

    defined by security policy

    Firewall immune to penetration

    must be running secure operating system

    access control must be defined

    Capabilities

    Single choke point

    simplify security management

    provide protection from various attack types

    Monitoring security related events

    implement audits and alarms

    Can provide non-security related services

    DNS, network management

    Platform for IPSec

    using tunnel mode to implement VPN


    What Firewalls Cannot Protect

    Attacks that bypass firewall

    dial-out or dial-in service inside LAN

    violates single choke point rule

    Internal threats

    disgruntled employee cooperates with attacker

    Transfer of virus-infected programs

    various types of operating systems

    impossible to scan all file types

    Types of Firewalls

    Packet-filtering router

    Stateful inspection firewalls

    Application-level gateway

    Circuit-level gateway


    Packet-Filtering Routers

    Apply set of rules to each in or out IP packet

    Packet is then forwarded or discarded

    Filtering rules based on

    source IP address: e.g., 192.168.1.1

    destination IP address: e.g. 192.168.1.2

    transport protocol: TCP, UDP, DCCP, SCTP

    transport port number

    interface: inside, outside, or multiple interfaces


    Packet-Filtering Routers

    Filter set up as list of rules

    Rules match fields in IP or TCP header

    If packet matches one of the rules, that rule is invoked

    If no match, apply default rule

    Default rule can either be

    deny: discard all packets except permitted by rule

    permit: forward all packets except denied by rule

    Packet Filtering Examples

    Inbound mail allowed, but only to gateway host

    Packets from SPIGOT host are blocked

    SPIGOT has history of sending massive email


    Packet Filtering Examples

    Explicit statement of default policy

    Conservative approach, everything is blocked

    Services must be added on a case by case basis

    More secure, but inconvenient for users

    With default allow, admin must identify all threats

    Packet Filtering Examples

    Any inside host can send mail to outside

    TCP packets with remote port 25 are allowed

    Problems

    some SMTP servers may not use default port 25

    attacker may run a different service on port 25

    attacker can send packets using source port 25


    Packet Filtering Examples

    Solve problems with rule set C

    Take advantage of TCP ACK flag

    set in packets sent in response to a locally established connection

    Allow outgoing packets from local host with dest port 25

    Allow incoming packets from port 25 only if ACK is set

    only replies to local connections

    Packet Filtering Examples

    Allow

    packets originated internally

    reply packets to connection initiated internally

    packets destined to high-numbered port on internal host

    Most servers use low-numbered ports (< 1024)

    Most attack targets are in this range
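    The packet-filtering examples above (first-match rule list, explicit default policy, the SPIGOT block, inbound mail only to the gateway, and the ACK-flag rule of rule set C) as one runnable model. This is an added example, not code from the lecture slides; the addresses (an internal 192.168.1.0/24, a gateway at 192.168.1.10, and 203.0.113.5 standing in for SPIGOT), the `Packet`/`Rule` types and the `filter_packet` function are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses, not taken from the slides: an internal /24,
# its mail gateway, and a hypothetical external host standing in for "SPIGOT".
INTERNAL_NET = "192.168.1."      # trailing dot = prefix match
GATEWAY = "192.168.1.10"
SPIGOT = "203.0.113.5"


@dataclass
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out"
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag (only meaningful for proto == "tcp")


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    direction: Optional[str] = None     # None in any field means "match anything"
    src: Optional[str] = None           # exact address, or prefix ending in "."
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        def addr_ok(pattern: Optional[str], addr: str) -> bool:
            if pattern is None:
                return True
            if pattern.endswith("."):
                return addr.startswith(pattern)
            return addr == pattern

        return (
            (self.direction is None or self.direction == p.direction)
            and addr_ok(self.src, p.src)
            and addr_ok(self.dst, p.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
            and (self.ack is None or self.ack == p.ack)
        )


def filter_packet(rules: List[Rule], default: str, p: Packet) -> str:
    """First-match evaluation: the first rule that matches decides the packet;
    if no rule matches, the default policy (deny or permit) applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Rule set in the spirit of the slide examples: block SPIGOT, accept inbound
# mail only at the gateway, let inside hosts send mail, and accept inbound
# packets from port 25 only when they are replies (ACK set).
RULES = [
    Rule("deny", src=SPIGOT, comment="SPIGOT has a history of mass mailing"),
    Rule("permit", direction="in", dst=GATEWAY, proto="tcp", dport=25,
         comment="inbound mail only to the gateway host"),
    Rule("permit", direction="out", src=INTERNAL_NET, proto="tcp", dport=25,
         comment="any inside host may send mail"),
    Rule("permit", direction="in", proto="tcp", sport=25, ack=True,
         comment="replies to locally initiated SMTP connections"),
]
DEFAULT = "deny"   # explicit default policy: everything not listed is blocked

# The naive form of the last rule, without the ACK check, illustrates the
# problem the slides describe: the sender is free to choose source port 25.
NAIVE_RULES = RULES[:3] + [Rule("permit", direction="in", proto="tcp", sport=25)]


def probe_from_port_25(rules: List[Rule]) -> str:
    """Verdict on an unsolicited inbound connection attempt (SYN, no ACK) that
    uses source port 25 to reach an internal host's SSH port."""
    p = Packet("in", "198.51.100.7", "192.168.1.20", "tcp", sport=25, dport=22, ack=False)
    return filter_packet(rules, DEFAULT, p)


if __name__ == "__main__":
    print("naive rule set :", probe_from_port_25(NAIVE_RULES))   # permit
    print("ACK-aware rules:", probe_from_port_25(RULES))         # deny
```

    Rule order matters under first-match evaluation: the SPIGOT deny sits first so that mail from that host is refused even though the gateway rule would otherwise accept it. The `ack=True` requirement is what turns "anything from port 25" into "replies to connections we opened".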


    Packet Filtering Firewalls

    Advantages

    simple: few variables

    fast: only check TCP/IP headers

    transparent to users

    Disadvantages

    cannot prevent application-level attacks

    vulnerable to attacks on problems within TCP/IP

    few variables: possible weak configurations

    Attacks on Packet-Filtering Routers

    IP address spoofing

    use fake source IP address (e.g. internal IP)

    goal: penetrate source-address-based security

    countermeasure: discard packets arriving on external interface with internal IP address as source

    Source routing attacks

    source routing overrides routing decision

    goal: allow packet to get into private IP network

    countermeasure: discard packets with this option


    Attacks on Packet-Filtering Routers

    Tiny fragment attacks

    use IP fragmentation option

    create very small fragments

    force transport header into separate fragments

    goal: circumvent transport header filtering rules

    countermeasure: enforce minimum fragment size so the first fragment holds a predefined minimum amount of the transport header
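    The three countermeasures listed for packet-filtering routers (discard internal source addresses arriving on the external interface, discard packets carrying a source-routing option, enforce a minimum first-fragment size) as one ingress screening function. This is an added example, not code from the slides; the internal range 192.168.1.0/24, the 16-byte minimum, the option names and the `IPPacket` type are constructed here, and the final overlap check goes one step beyond the slides.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
import ipaddress

# Constructed policy values (not from the slides): the internal address
# range and how many bytes of transport header the first fragment must carry.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MIN_FIRST_FRAGMENT = 16   # bytes of transport header required in fragment 0

# Hypothetical option names used by this model for the IP source-route options.
SOURCE_ROUTE_OPTIONS = {"loose_source_route", "strict_source_route"}


@dataclass
class IPPacket:
    interface: str                  # "external" (from the Internet) or "internal"
    src: str
    dst: str
    options: List[str] = field(default_factory=list)   # IP option names present
    frag_offset: int = 0            # offset of this fragment's data, in bytes
    more_fragments: bool = False    # MF flag
    payload_len: int = 0            # bytes of data carried in this fragment


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def screen(p: IPPacket) -> Tuple[str, str]:
    """Apply the countermeasures from the slides in order; return (verdict, reason)."""
    # 1. Anti-spoofing: an internal source address cannot legitimately arrive
    #    on the external interface.
    if p.interface == "external" and is_internal(p.src):
        return "drop", "internal source address on external interface"

    # 2. Source routing: the option lets the sender override routing decisions,
    #    so the packet is discarded regardless of its addresses.
    if any(o in SOURCE_ROUTE_OPTIONS for o in p.options):
        return "drop", "source routing option present"

    # 3. Tiny fragments: the first fragment of a fragmented packet must hold
    #    enough of the transport header for the port-based rules to apply.
    if p.frag_offset == 0 and p.more_fragments and p.payload_len < MIN_FIRST_FRAGMENT:
        return "drop", "first fragment too small to carry transport header"
    #    Added check beyond the slides: a later fragment whose data starts
    #    inside the header region would overwrite the header already filtered.
    if 0 < p.frag_offset < MIN_FIRST_FRAGMENT:
        return "drop", "fragment overlaps transport header region"

    return "accept", ""


if __name__ == "__main__":
    samples = [  # constructed packets, one per countermeasure plus a normal one
        IPPacket("external", "192.168.1.5", "192.168.1.10"),
        IPPacket("external", "198.51.100.7", "192.168.1.10", options=["loose_source_route"]),
        IPPacket("external", "198.51.100.7", "192.168.1.10", more_fragments=True, payload_len=8),
        IPPacket("external", "198.51.100.7", "192.168.1.10", more_fragments=True, payload_len=1480),
    ]
    for s in samples:
        print(screen(s))
```

    The ordering is deliberate: the address check comes first because it needs no parsing beyond the IP header, and fragment checks apply only to fragmented packets (MF set or a non-zero offset).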

    Stateful Inspection Firewalls

    Simple packet filtering is based only on individual packets

    TCP sessions involve multiple connections

    Simple packet filter must allow all inbound traffic on ports 1024-65535

    Can create vulnerability

    Stateful packet inspection (SPI)

    maintain directory of established connections

    only allow inbound packets belonging to an existing session
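    A minimal model of the connection directory described above, with the stateless "allow inbound to 1024-65535" rule beside it for comparison. This is an added example, not code from the slides; the `TCPPacket` type, the `StatefulFirewall` class, the state names and the sample addresses are constructed here, and the teardown handling is simplified (a single FIN or RST removes the entry, with no timeouts).

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Directory key: (internal addr, internal port, external addr, external port)
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class TCPPacket:
    direction: str      # "out": internal host -> Internet, "in": Internet -> internal host
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def stateless_verdict(p: TCPPacket) -> str:
    """The rule a simple packet filter is forced into: allow anything inbound
    to a high-numbered port, because replies to client connections land there."""
    if p.direction == "out":
        return "permit"
    return "permit" if 1024 <= p.dport <= 65535 else "deny"


class StatefulFirewall:
    """Keeps a directory of connections initiated from inside and admits an
    inbound packet only if it belongs to one of them."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def key(p: TCPPacket) -> ConnKey:
        # Normalise both directions to the same (internal, external) key.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: TCPPacket) -> str:
        k = self.key(p)
        if p.direction == "out":
            if p.syn and not p.ack:
                self.table[k] = "SYN_SENT"       # new connection opened from inside
            elif k in self.table and (p.fin or p.rst):
                del self.table[k]                # inside tore the connection down
            return "permit"                      # outbound traffic is allowed by policy

        # Inbound: only packets for a connection already in the directory.
        state = self.table.get(k)
        if state is None:
            return "deny"                        # unsolicited, whatever the port
        if p.rst:
            del self.table[k]
        elif state == "SYN_SENT" and p.syn and p.ack:
            self.table[k] = "ESTABLISHED"        # handshake reply seen
        elif p.fin:
            del self.table[k]                    # simplification: one FIN closes the entry
        return "permit"


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.process(TCPPacket("out", "192.168.1.20", "198.51.100.7", 40000, 80, syn=True))
    fw.process(TCPPacket("in", "198.51.100.7", "192.168.1.20", 80, 40000, syn=True, ack=True))
    unsolicited = TCPPacket("in", "198.51.100.9", "192.168.1.20", 4444, 40001, syn=True)
    print("stateless:", stateless_verdict(unsolicited))   # permit
    print("stateful :", fw.process(unsolicited))          # deny
```

    The unsolicited inbound SYN to port 40001 is exactly the traffic the stateless rule has to let through; the stateful firewall denies it because no inside host opened that connection, while the reply on port 40000 is admitted because the directory holds its entry.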


    Stateful Inspection Firewalls

    Application-Level Gateway

    Also called proxy server

    Acts as relay of application-level traffic

    Local host contacts gateway

    provide authentication information

    provide remote host information

    Gateway contacts remote host

    application service must be supported by GW

    relay TCP segments between local, remote


    Application-Level Gateway

    Advantages

    more secure than packet filter

    restrict to few allowable applications, services

    can protect on application level

    Disadvantage

    additional processing overhead

    maintain two spliced connections

    Circuit-Level Gateway

    Can be standalone or part of application GW

    Shim layer between application, transport

    No direct end-to-end TCP connection

    Two separate TCP connections

    one between inside host and gateway

    one between gateway and outside host

    Once set up, doesn't filter individual packets

    Security lies in deciding which connections to allow


    Bastion Host

    Also called demilitarized zone (DMZ)

    Computer host or network inserted between internal network and Internet

    Provides service interface to outside users (web, email, FTP)

    Prevents outside users from getting direct access to company's data

    Strong point in the security of network

    Platform for application, circuit-level gateway

    Bastion Host

    Source: en.wikipedia.org/wiki/Demilitarized_zone_(computing)

    DMZ or Bastion Host


    Bastion Host Characteristics

    Runs secure operating system

    Must not contain sensitive data

    Only essential services installed

    determined by admin

    e.g. SSH, DNS, FTP, SMTP, authentication

    May require auth, also for each proxy

    Each proxy allows access to specific hosts

    Proxies maintain audit info, log all connections

    Firewall Configurations

    Screened host firewall, single-homed bastion

    Screened host firewall, dual-homed bastion

    Screened-subnet firewall


    Screened Host Firewall, Single-Homed Bastion Host

    Consists of two systems

    packet filtering router

    bastion host: proxy, authentication

    IP packets from Internet only allowed to BH

    IP packets to Internet only allowed from BH

    Advantages

    both packet and application-level filtering: 2 layers of security

    flexibility: public access for web/info server


    Screened Host Firewall, Dual-Homed Bastion Host

    Two separate subnets

    BH has two network interfaces

    Two levels of defense: router, BH

    Protect internal hosts if router compromised

    Also, same features of previous config


    Screened-Subnet Firewall

    Two packet filtering routers

    Creates isolated subnet containing BH

    may also contain modems, public servers

    can be accessed from Internet or internal net

    through traffic is blocked

    Advantages

    three levels of defense: router, BH, router

    internal network is invisible to Internet

    Internet is invisible to internal network


    Finally

    The most secure computer is one which is disconnected from the network, AND TURNED OFF!

    Additional References

    Microsoft Security Bulletin (MS99-038), www.microsoft.com/technet/security/bulletin/fq99-038.mspx

    Stateful Inspection Firewall, www.juniper.net/products/integrated/stateful_inspection_firewall.pdf

    Doug Lowe, Networking All-in-One Desk Reference For Dummies, ISBN 0764599399, books.google.com/books?id=GnGDds-1OekC

    Home Computer Security Glossary, www.cert.org/homeusers/HomeComputerSecurity/glossary.html

    Syngress et al., The Best Da*n Firewall Book Period, ISBN 1931836906, books.google.com/books?id=q7rlxtIlOsEC