
Firewalling Techniques

Prabhaker Mateti


ACK

Not linux specific
Some figures are from 3com


Components of the Firewall System

Bastion Host
Packet-filtering router
Application-level gateway (or proxy server)
Circuit-level gateway


Dual Homed Gateway

A system that has two or more network interfaces, each of which is connected to a different network.

Acts to block or filter some or all of the traffic trying to pass between the networks.


Bastion Host

Runs a general purpose operating system hardened to resist attack.


Proxy services

Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.


Circuit Relay

Determines if the connection is valid according to rules, opens a session and permits traffic only from the allowed source and possibly only for a limited period of time.

Whether a connection is valid is based upon:
destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password


Demilitarized Zone (DMZ)

A neutral zone between the private LAN and the public Internet.

FTP servers, Web servers and the like are located in the DMZ.


Location of a Firewall

[Figure: untrusted network, firewall, DMZ (www, SMTP), internal LAN, external LAN]


An Application Gateway: Problem

Allow select internal users to telnet outside.

Users authenticate themselves to create the telnet connection.

A "gateway" used in this sense is different from a standard gateway.


An Application Gateway: Solution

Router filter blocks all telnet connections not originating from the gateway.

For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.

[Figure: host-to-gateway telnet session, gateway-to-remote-host telnet session, application gateway, router and filter]


Packet Filtering Router

Decide not only how, but whether a packet should be forwarded.

Not best when detailed protocol knowledge is required for the decision; a proxy may be a better choice.

Lots of leverage, as all hosts behind it are protected.

Can provide unique capabilities:
rejecting forged internal or external packets (address spoofing)
recognition of malformed packets


Packet-Filtering Router: Service-Dependent Filtering

Some typical filtering rules include:
Permit incoming Telnet sessions only to a specific list of internal hosts
Permit incoming FTP sessions only to specific internal hosts
Permit all outbound Telnet sessions
Permit all outbound FTP sessions
Deny all incoming traffic from specific external networks

Service-Independent Filtering

Source IP Address Spoofing Attacks. Source Routing Attacks. Tiny Fragment Attacks. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP FragmentOffset is equal to 1.

Defining packet filters can be a complex task.

Generally, the packet throughput of a router decreases as the number of filters increases.


Filtering by Service

Characteristics of an internal to external telnet connection:
Source is inside, destination is outside,
is TCP, destination port 23,
source port > 1023,
first packet an outbound SYN

Characteristics of ext to int: 'opposite'

Risk: trusting the port implies trusting the server on that port.
Any service can be run from any port by root.
Can telnet from port 23, for example.
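The rules from the "Application Gateway: Solution", "Service-Dependent Filtering" and "Filtering by Service" slides, written out as a toy stateless packet filter. This is an added example, not code from the slides; the addresses, the `Packet` fields and the gateway/server hosts are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (assumed, not from the slides).
INTERNAL = ip_network("10.0.0.0/8")          # private LAN behind the router
APP_GATEWAY = ip_address("10.0.0.5")         # telnet application gateway
TELNET_SERVERS = {ip_address("10.0.0.20")}   # hosts allowed to receive inbound telnet
TELNET = 23

@dataclass
class Packet:
    iface: str                   # "ext" = arrived from the Internet, "int" = from the LAN
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0         # IP fragment offset field
    source_routed: bool = False  # IP source-route option present

def filter_packet(p: Packet) -> tuple:
    """Return ("permit" | "deny", reason) for one packet; first match wins."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Service-independent rules: no knowledge of the application protocol needed.
    if p.iface == "ext" and src in INTERNAL:
        return "deny", "spoofed internal source arriving from outside"
    if p.iface == "int" and src not in INTERNAL:
        return "deny", "spoofed external source arriving from inside"
    if p.source_routed:
        return "deny", "source-routed packet"
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny", "tiny fragment"   # offset 1 can only hide the rest of the TCP header
    if p.proto != "tcp":
        return "permit", "non-TCP traffic left to other rules"
    # Service-dependent rules for telnet.
    new_conn = p.syn and not p.ack       # first packet of a TCP connection
    if p.iface == "int" and p.dport == TELNET:
        if src != APP_GATEWAY:
            return "deny", "outbound telnet must originate from the application gateway"
        if p.sport <= 1023:
            return "deny", "client source port must be above 1023"
        return "permit", "outbound telnet via gateway"
    if p.iface == "ext" and p.dport == TELNET:
        if dst not in TELNET_SERVERS:
            return "deny", "inbound telnet only to listed hosts"
        return "permit", "inbound telnet to listed host"
    if p.iface == "ext" and p.sport == TELNET and p.dport > 1023 and not new_conn:
        # Reply traffic for the gateway's session. This is the risk on the slide:
        # only the port number is trusted, not the program listening on it.
        return "permit", "reply to outbound telnet"
    return "deny", "no matching permit rule (default deny)"
```

The default-deny fall-through at the end is what makes the rule list a whitelist; reordering the service-independent checks after the telnet rules would let a spoofed or source-routed packet match a permit first.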


Security Policy

"It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network.

"The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

"This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent."

[From a web based article]


Security Policy Describes a Perimeter Defense


A Connection Circumventing an Internet Firewall


Benefits of an Internet Firewall

Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet.

Firewalls offer a convenient point where Internet security can be monitored and alarms generated.

An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).

An Internet firewall is the perfect point to audit or log Internet usage.

An Internet firewall can also offer a central point of contact for information delivery service to customers.


Limitations of an Internet Firewall

Creates a single point of failure.
Cannot protect against attacks that do not go through the firewall.
Cannot protect against the types of threats posed by traitors or unwitting users.
Cannot protect against the transfer of virus-infected software or files.
Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.


Limitations of firewalls and gateways

IP spoofing: a router can't know if data "really" comes from the claimed source.

If multiple applications need special treatment, each has its own application gateway.

Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.

Tradeoff: degree of communication with the outside world versus level of security.

Performance problem.


Three Myths of Firewalls

Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own backdoors, using modems, terminal servers, or such programs as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.

Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.

Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.