Firewalls (16)


  • 8/10/2019 Firewalls (16)

    1/22

    SMU CSE 5349/7349

    Firewalls

  • 2/22 Firewalls

    Most widely sold solution for Internet security

    "Solution in a box" appeal: not a substitute for proper configuration management

    A firewall needs to be configured properly for the intended protection

  • 3/22 Types of Firewalls

    IP packet level: packet filtering

    TCP session level: circuit gateways

    Application level: application relays/gateways

    Dynamic packet filtering: combination of packet filtering and circuit-level gateways, often with application-level semantics

    NATs, IDSs, logging

    Ingress vs. egress filtering

  • 4/22 Firewalls and OSI Layers

    OSI Model Layer      Firewall Functionality
    7 - Application      Application-level proxies, forward and reverse proxies
    6 - Presentation
    5 - Session          Stateful firewall
    4 - Transport        TCP/UDP port filtering, circuit-level proxy
    3 - Network (IP)     Packet filtering, address filtering, packet filtering firewall
    2 - Data Link
    1 - Physical

  • 5/22 Packet Filters

    Read the header and filter by whether fields match specific rules

    Administrator makes a list of acceptable/unacceptable field values

    Ingress/egress filtering

    Come in standard, specialized, and stateful models

    Weaknesses

    Easy to botch rules

    Logging difficult

    Lack of authentication between end points

  • 6/22 Network Topology and Address Spoofing

    Consider a three-network (N1, N2, and N3) system with one router firewall

    N1 is the DMZ net, connecting to the GW

    Very limited connection between the GW and the outside

    Very limited connection (a different set) between the GW and N2/N3 (Why?)

    Anything can pass between N2 and N3

    Outgoing connections only from N2 or N3

    How to set the packet filter rules?

    External nodes can spoof internal addresses: block all packets from outside whose source address is the same as an internal address
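The topology above written out as a first-match packet filter, added here as an example (it is not from the slides). The slide gives only the three nets and the policy outline; every address, host role and concrete rule below is an assumption made for this example. The ordering also shows the point the deck makes later about rule order: the anti-spoofing rule must be evaluated before anything that accepts packets from the outside, and the "reply" rule shows how a stateless filter can only recognise return traffic as "TCP without SYN".

```python
import ipaddress
from collections import namedtuple

# The slide gives only the topology: N1 is the DMZ net hanging off the gateway (GW),
# N2 and N3 are internal nets, and one router firewall joins them to the outside.
# Every address, host role and concrete rule below is an assumption for this example.
N1_DMZ = ipaddress.ip_network("192.0.2.0/24")
N2 = ipaddress.ip_network("10.1.0.0/16")
N3 = ipaddress.ip_network("10.2.0.0/16")
INTERNAL_NETS = (N1_DMZ, N2, N3)
DMZ_MAIL = ipaddress.ip_address("192.0.2.25")    # assumed mail relay in the DMZ
INSIDE_MAIL = ipaddress.ip_address("10.1.0.25")  # assumed mail server on N2

# in_iface: router interface the packet arrived on ("ext", "dmz", "n2" or "n3")
Packet = namedtuple("Packet", "in_iface proto src dst dport syn")

def pkt(in_iface, proto, src, dst, dport, syn=True):
    return Packet(in_iface, proto, ipaddress.ip_address(src),
                  ipaddress.ip_address(dst), dport, syn)

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def inside(addr):
    return addr in N2 or addr in N3

def tcp_to(p, host, port):
    return p.proto == "tcp" and p.dst == host and p.dport == port

# Ordered rule list; the first predicate that matches decides the packet.
# Anti-spoofing sits first so nothing below can be reached with a forged source.
RULES = [
    ("drop-spoofed-internal-src", "DROP",
     lambda p: p.in_iface == "ext" and is_internal(p.src)),
    # very limited connection between GW and outside: inbound mail to the DMZ relay only
    ("ext-to-dmz-smtp", "ACCEPT",
     lambda p: p.in_iface == "ext" and tcp_to(p, DMZ_MAIL, 25)),
    # replies to connections the inside opened; a stateless filter can only
    # recognise them as "TCP without SYN", which is one reason stateful filters exist
    ("ext-reply-to-internal", "ACCEPT",
     lambda p: p.in_iface == "ext" and p.proto == "tcp" and not p.syn and is_internal(p.dst)),
    # a different, limited set between the DMZ and N2/N3: relayed mail only
    ("dmz-to-inside-smtp", "ACCEPT",
     lambda p: p.in_iface == "dmz" and tcp_to(p, INSIDE_MAIL, 25)),
    ("dmz-mail-out", "ACCEPT",
     lambda p: p.in_iface == "dmz" and p.src == DMZ_MAIL and p.proto == "tcp"
               and p.dport == 25 and not is_internal(p.dst)),
    # anything can pass between N2 and N3
    ("n2-n3-any", "ACCEPT",
     lambda p: p.in_iface in ("n2", "n3") and inside(p.dst)),
    # outgoing connections only from N2 or N3
    ("inside-out", "ACCEPT",
     lambda p: p.in_iface in ("n2", "n3") and not is_internal(p.dst)),
]

def decide(p):
    """Return (action, rule name) for a packet; unmatched packets are dropped."""
    for name, action, match in RULES:
        if match(p):
            return action, name
    return "DROP", "default-deny"

if __name__ == "__main__":
    for p in (pkt("ext", "tcp", "10.1.0.5", "192.0.2.25", 25),
              pkt("ext", "tcp", "203.0.113.9", "192.0.2.25", 25),
              pkt("n2", "tcp", "10.1.0.5", "203.0.113.9", 443)):
        print(p.in_iface, p.src, "->", p.dst, p.dport, decide(p))
```

The first packet in the usage block carries an N2 source address but arrives on the external interface, so it is dropped by the anti-spoofing rule before the SMTP rule ever sees it; swapping those two rules would let it through.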


  • 8/22 Stateful Packet Filters (SPFs)

    Track the last few minutes of network activity

    If a packet doesn't fit in, drop it

    Stronger inspection engines search for information inside the packet's data

    Have to collect and assemble packets in order to have enough data

    Examples: Firewall One, SeattleLabs, ipfilter
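A minimal stateful packet filter of the kind the slide describes, added as an example (not from the slides or from any of the products named). It keeps a table of flows seen in the last few minutes, lets the inside open flows, admits inbound packets only when they fit a recorded flow, and forgets flows after an idle timeout. The interface names, addresses and the packet sequence are constructed for the example; the timeout value is an assumption.

```python
import time
from collections import namedtuple

# iface: interface the packet arrived on ("inside" or "outside"); flags: TCP flag letters
Pkt = namedtuple("Pkt", "iface proto src sport dst dport flags")

class StatefulFilter:
    """Keeps a table of flows seen in the last `idle_timeout` seconds and only
    lets inbound packets through if they belong to a flow the inside opened."""

    def __init__(self, idle_timeout=180):
        self.idle_timeout = idle_timeout
        # (proto, inside ip, inside port, remote ip, remote port) -> last seen
        self.flows = {}

    def _expire(self, now):
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, p, now=None):
        now = time.monotonic() if now is None else now
        self._expire(now)
        if p.iface == "inside":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.flows and p.proto == "tcp" and "S" not in p.flags:
                return "DROP"        # mid-stream TCP with no recorded flow: doesn't fit
            self.flows[key] = now    # open a new flow or refresh an existing one
            return "ACCEPT"
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            return "DROP"            # no connection initiation from the outside
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reverse of the inside view
        if key in self.flows:
            self.flows[key] = now
            return "ACCEPT"
        return "DROP"                # nothing in the recent history matches

# Constructed traffic: (packet, arrival time in seconds)
SCENARIO = [
    (Pkt("inside", "tcp", "10.1.0.5", 40000, "203.0.113.10", 443, "S"), 0),    # client opens
    (Pkt("outside", "tcp", "203.0.113.10", 443, "10.1.0.5", 40000, "SA"), 1),  # server answers
    (Pkt("outside", "tcp", "203.0.113.10", 443, "10.1.0.5", 40001, "A"), 1),   # wrong port
    (Pkt("outside", "tcp", "198.51.100.7", 5555, "10.1.0.5", 22, "S"), 2),     # inbound SYN
    (Pkt("inside", "tcp", "10.1.0.6", 40500, "203.0.113.10", 443, "A"), 2),    # ACK with no flow
    (Pkt("inside", "udp", "10.1.0.5", 5353, "203.0.113.53", 53, ""), 3),       # DNS query
    (Pkt("outside", "udp", "203.0.113.53", 53, "10.1.0.5", 5353, ""), 4),      # DNS answer
    (Pkt("outside", "tcp", "203.0.113.10", 443, "10.1.0.5", 40000, "A"), 400), # after timeout
]

def run_scenario(idle_timeout=180):
    """Run the constructed traffic through a fresh filter and return the decisions."""
    f = StatefulFilter(idle_timeout)
    return [f.decide(p, t) for p, t in SCENARIO]

if __name__ == "__main__":
    for (p, t), verdict in zip(SCENARIO, run_scenario()):
        print(f"t={t:>3}s {p.iface:<7} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict}")
```

The last packet is a legitimate-looking ACK for a flow the table once held, but 400 seconds have passed and the entry has been expired, so it no longer "fits in" and is dropped; raising the idle timeout past that gap would admit it again.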

  • 9/22 Packet Filtering Performance

    May affect the router's optimization in handling packets

    Still, the serial link from the router to the Internet may be the bottleneck

    Keep the rules simple and uniform

    Order the rules so that the most common type of traffic gets through first

  • 10/22 Proxy Firewalls

    Pass data between two separate connections, one on each side of the firewall. Types:

    Circuit-level proxy

    Application proxy

    Store-and-forward proxy

    Higher latency and lower throughput

  • 11/22 Circuit Level Proxy

    Client connects to the relay host and requests a connection to the server

    FW connects to the server

    Server usually does not get details such as the IP address of the client

    All IP tricks are stopped at the relay host: fragments, firewalking probes
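The exchange above as working code, added as an example (it is not from the slides). The client sends a one-line "CONNECT host port" request to the relay, the relay checks it against a port allow-list and, if permitted, opens its own connection to the server and copies bytes in both directions; the server records the peer address it sees, which is the relay's, not the client's. The request format, the allow-list policy and the echo server are assumptions made for this example; everything runs on loopback sockets.

```python
import socket
import threading

def _pipe(src, dst):
    """Copy bytes src -> dst until src sends EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _readline(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode().strip()

def start_echo_server(seen_peers):
    """Protected server: echoes what it receives and records the peer it sees."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, peer = srv.accept()
        seen_peers.append(peer)          # this is the relay's address, never the client's
        with conn:
            _pipe(conn, conn)            # echo until the peer stops sending
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def start_relay(allowed_ports):
    """Circuit-level relay: terminates the client's TCP connection, applies policy,
    then opens a second connection to the server and shuttles bytes both ways."""
    rel = socket.socket()
    rel.bind(("127.0.0.1", 0))
    rel.listen(1)
    def serve():
        client, _ = rel.accept()
        rel.close()
        with client:
            try:
                verb, host, port = _readline(client).split()
                port = int(port)
            except ValueError:
                client.sendall(b"DENIED bad request\n")
                return
            if verb != "CONNECT" or port not in allowed_ports:
                client.sendall(b"DENIED policy\n")
                return
            with socket.create_connection((host, port)) as upstream:
                client.sendall(b"OK\n")
                t = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
                t.start()
                _pipe(client, upstream)
                t.join()
    threading.Thread(target=serve, daemon=True).start()
    return rel.getsockname()

def run_demo(payload=b"hello via relay", allow=True):
    """Client side of the exchange; returns what each party observed."""
    seen = []
    srv_host, srv_port = start_echo_server(seen)
    rel_host, rel_port = start_relay({srv_port} if allow else set())
    with socket.create_connection((rel_host, rel_port)) as c:
        client_addr = c.getsockname()
        c.sendall(f"CONNECT {srv_host} {srv_port}\n".encode())
        status = _readline(c)
        echoed = b""
        if status == "OK":
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                d = c.recv(4096)
                if not d:
                    break
                echoed += d
    return {"status": status, "echoed": echoed,
            "server_saw": seen[0] if seen else None, "client_addr": client_addr}

if __name__ == "__main__":
    print(run_demo())
    print(run_demo(allow=False))
```

Because the relay owns both TCP connections, anything the client does at the IP layer (fragmentation, TTL games) ends at the relay's own stack; the server only ever receives a clean stream from the relay's socket.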

  • 12/22 Application Proxy

    FW transfers only acceptable information between the two connections

    The proxy can understand the protocol and filter the data within

    Example: mail proxies

    Usually store-and-forward

  • 13/22 Caching Proxies

    Client asks the firewall for a document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document

    Can do data filtering

    More administration time, hardware, and cost

  • 14/22 Network Address Translation (NAT)

    Changes IP addresses in a packet

    Address of the client inside never shows up outside

    Many IPs inside to many static IPs outside

    Many IPs inside to many random IPs outside

    Many IPs inside to one IP address outside

    Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
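The third variant on the slide (many IPs inside to one IP outside, which Linux calls masquerading) as a small translation table, added as an example and not taken from the slides or from any of the products listed. Outbound packets get the outside address and a per-flow outside port; inbound packets are delivered only if they match a flow in the table, so an inside address never appears outside and unsolicited inbound traffic has nowhere to go. The inside net, outside address and port range are assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# proto, source ip, source port, destination ip, destination port (addresses as strings)
Packet = namedtuple("Packet", "proto src sport dst dport")

class PortNAT:
    """Many IPs inside to one IP outside. Each inside flow gets its own outside
    port; the table is consulted in both directions, keyed on the remote peer too,
    so only the host an inside client actually talked to can send a reply back."""

    def __init__(self, inside_net, outside_ip, first_port=1024):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = str(ipaddress.ip_address(outside_ip))
        self.next_port = first_port
        # (proto, inside ip, inside port, remote ip, remote port) -> outside port
        self.out_map = {}
        # (proto, outside port, remote ip, remote port) -> (inside ip, inside port)
        self.in_map = {}

    def translate_out(self, p):
        """Rewrite an inside->outside packet so its source is the outside address."""
        if ipaddress.ip_address(p.src) not in self.inside:
            return None                   # not from an inside host: nothing to translate
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out_map.get(key)
        if port is None:                  # first packet of this flow: allocate a port
            port = self._alloc_port(p.proto, p.dst, p.dport)
            self.out_map[key] = port
            self.in_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return p._replace(src=self.outside, sport=port)

    def translate_in(self, p):
        """Map a reply back to the inside host; None means drop (no matching flow)."""
        if p.dst != self.outside:
            return None
        entry = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None                   # unsolicited, or from a different remote peer
        inside_ip, inside_port = entry
        return p._replace(dst=inside_ip, dport=inside_port)

    def _alloc_port(self, proto, remote_ip, remote_port):
        while (proto, self.next_port, remote_ip, remote_port) in self.in_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

if __name__ == "__main__":
    nat = PortNAT("10.0.0.0/8", "198.51.100.1")
    out = nat.translate_out(Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443))
    print("outbound after NAT:", out)
    print("reply mapped back: ", nat.translate_in(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out.sport)))
    print("unsolicited:       ", nat.translate_in(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", 9999)))
```

Two inside hosts that both use source port 40000 get distinct outside ports, which is what makes the one-address-outside variant work; keying the inbound lookup on the remote peer as well is the stricter choice and is what keeps a third party from reaching an inside host through a mapped port it has learned about.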

  • 15/22 Logging

    Cheap solution to most behavioral problems

    Program logging: syslog / NT event log

    Sniffers: TCPdump, SSLdump, Argus, Network General, HP OpenView

    Downside: overhead intensive; does not prevent damage (more reactive than proactive)
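What "reactive" looks like in practice: a small analysis pass over firewall drop records that arrived via syslog, added as an example (not from the slides). The sample lines are constructed for this example in the key=value layout that the Linux netfilter LOG target writes to the kernel log; the log prefixes ("FW-DROP", "FW-SPOOF") are assumed to have been set by the administrator on the corresponding rules. The pass groups drops by source, flags a source that has touched many distinct destination ports, and lists sources that tripped the anti-spoofing rule; none of this stops the packets, it only tells you afterwards.

```python
import re
from collections import defaultdict

# Constructed sample log lines (netfilter LOG format as written to syslog by the kernel).
SAMPLE_LOG = """\
Aug 10 12:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51000 DPT=22
Aug 10 12:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51001 DPT=23
Aug 10 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51002 DPT=80
Aug 10 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51003 DPT=443
Aug 10 12:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51004 DPT=3389
Aug 10 12:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP SPT=51005 DPT=8080
Aug 10 12:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.25 PROTO=TCP SPT=40012 DPT=110
Aug 10 12:00:07 fw kernel: FW-SPOOF: IN=eth0 OUT= SRC=10.1.0.5 DST=192.0.2.25 PROTO=TCP SPT=40000 DPT=25
Aug 10 12:00:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.25 PROTO=ICMP TYPE=8 CODE=0
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+): (?P<fields>.*)$")

def parse_line(line):
    """Return the key=value fields of one log line plus its rule prefix, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    fields["PREFIX"] = m.group("prefix")
    return fields

def summarize(text):
    """Group drops by source address: count, distinct destination ports, rule prefixes."""
    per_src = defaultdict(lambda: {"drops": 0, "ports": set(), "prefixes": set()})
    for line in text.splitlines():
        f = parse_line(line)
        if not f or "SRC" not in f:
            continue
        rec = per_src[f["SRC"]]
        rec["drops"] += 1
        if f.get("DPT"):
            rec["ports"].add(int(f["DPT"]))
        rec["prefixes"].add(f["PREFIX"])
    return per_src

def port_sweep_sources(summary, min_ports=5):
    """Sources whose dropped packets touched at least min_ports distinct ports."""
    return sorted(src for src, r in summary.items() if len(r["ports"]) >= min_ports)

def spoofed_sources(summary):
    """Sources that hit the anti-spoofing rule (internal address seen on the outside)."""
    return sorted(src for src, r in summary.items() if "FW-SPOOF" in r["prefixes"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, r in sorted(s.items()):
        print(f"{src:<14} drops={r['drops']} ports={sorted(r['ports'])} rules={sorted(r['prefixes'])}")
    print("port sweep:", port_sweep_sources(s))
    print("spoofed:   ", spoofed_sources(s))
```

The ICMP line has no DPT field, so it counts as a drop for its source without adding a port; the threshold for calling something a sweep is a tuning choice, not a fact from the slide.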

  • 16/22 Firewall Pitfalls

    Single point of failure

    Useful ones are difficult to configure and integrate

    Performance requirements tend to create back doors

    False sense of security: may be 40% protection against the top attacks

  • 18/22 Where (contd)

  • 20/22 DMZ

    Neither internal nor external

    Placed between the external router and the bastion host

    Idea is to minimize the services and hence potential attacks

    Example: for a web server, stop everything but HTTP

    Multiple zones for increased availability/security

  • 21/22 Distributed Firewalls (DFWs)

    To avoid a S-P-O-F (single point of failure)

    To distribute risks

    Better scalability

    Trend to use sophisticated protocols: IPSec

    Instead of IP headers, use authentication codes

  • 22/22 Switched Firewalls (Air-gap Technology)