Firewalls
Dan Fleck, CS 469: Security Engineering
Slides modified with permission from original by Arun Sood


Page 1: Firewalls

Firewalls
Dan Fleck
CS 469: Security Engineering

Slides modified with permission from original by Arun Sood

Page 2: Firewalls

References

1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.


Page 3: Firewalls

Firewall as Network Access Control

• Access Control
  • Authentication
  • Authorization
  • Single Sign On
• Firewall
  • Interface between networks
  • Usually external (internet) and internal
  • Allows traffic flow in both directions


Page 4: Firewalls

Firewall

– Interface between networks
  • Usually external (internet) and internal
– Allows traffic flow in both directions
– Controls the traffic

[Figure: Internet | Firewall | Internal network]


Page 5: Firewalls

Firewall as Secretary

• A firewall is like a secretary
• To meet with an executive
  – First contact the secretary
  – Secretary decides if the meeting is reasonable
  – Secretary filters out many requests
• You want to meet the chair of the CS department?
  – Secretary does some filtering
• You want to meet the President of the US?
  – Secretary does lots of filtering!

[1]


Page 6: Firewalls

Security Strategies

• Least privilege
  • Objects have the lowest privilege needed to perform their assigned task
• Defense in depth
  • Use multiple mechanisms
  • Best if each is independent: minimal overlap
• Choke point
  • Facilitates monitoring and control

[2]


Page 7: Firewalls

Security Strategies - 2

• Weakest link
• Fail-safe
  • If the firewall fails, it should fail safe, denying access to avoid intrusions
• Default deny
• Default permit
• Universal participation
  • Everyone has to accept the rules

[2]


Page 8: Firewalls

Security Strategies - 3

• Diversity of defense
  • Inherent weaknesses
    • Multiple technologies to compensate for the inherent weakness of one technology
  • Common heritage
    • If systems are configured by the same person, they may have the same weakness
• Simplicity
• Security through obscurity

[2]


Page 9: Firewalls

Security Strategies - 4

• Configuration errors can be devastating
• Testing is not perfect
• Ongoing trial and error will identify weaknesses
• Enforcing a sound policy is critical

[2]


Page 10: Firewalls

Types of Firewall

No standard terminology

• Packet Filtering (network layer)
  • Simplest firewall
  • Filter packets based on specified criteria
    • IP addresses, subnets, TCP or UDP ports
  • Does NOT read the packet payload
  • Vulnerable to IP spoofing
• Stateful inspection (transport layer)
  • In addition to packet inspection
  • Validate attributes of multi-packet flows
  • Keeps track of connection state (e.g. TCP streams, active connections, etc.)

[2]


Page 11: Firewalls

Types of Firewall - 2

• Application Based Firewall (application layer)
  • Allows data into/out of a process based on that process' type
  • Can act on a single computer or at the network layer
    • e.g. allowing only HTTP traffic to a website
  • Log access: attempted access and allowed access
• Personal firewall: single user, home network

[2]


Page 12: Firewalls

Types of Firewall - 3

• Proxy
  • Intermediate connection between servers on the internet and internal servers
  • For incoming data
    • Proxy is the server to internal network clients
  • For outgoing data
    • Proxy is the client sending out data to the internet
  • Very secure
  • Less efficient versus packet filters

[2]

No IP packets pass through the firewall. The firewall creates new packets.


Page 13: Firewalls

Types of Firewall - 4

• Network Address Translation
  • Hides the internal network from the external network
  • Private IP addresses: expands the IP address space
  • Creates a choke point
• Virtual Private Network
  • Employs encryption and integrity protection
  • Use the internet as part of a private network
  • Make a remote computer "act like" it is on the local network

[2]


Page 14: Firewalls

Packet Filter

• Advantages
  • Simplest firewall architecture
  • Works at the Network layer: applies to all systems
  • One firewall for the entire network
• Disadvantages
  • Can be compromised by many attacks
    • Source spoofing


Page 15: Firewalls

Packet Filter - Example

[2]


Page 16: Firewalls

Packet Filter - Example

[2]


Page 17: Firewalls

Packet Filter - Example

• Attack succeeds because of rules B and D
• More secure to add source ports to the rules


Page 18: Firewalls

Packet Filter - Example

[2]


Page 19: Firewalls

Packet Filter - Example

• These packets would be admitted. To avoid this, add an ACK bit check to the rule set

[2]


Page 20: Firewalls

Packet Filter - Example

• Attack fails, because the ACK bit is not set. The ACK bit is set on replies to a connection that originated from inside.
• Incoming TCP packets must have the ACK bit set. If the connection started outside, there is no matching data, and the packet will be rejected.
• Note: This rule means we allow no services other than requests that we originate.


Page 21: Firewalls

TCP Ack for Port Scanning

• Attacker sends a packet with ACK set (without prior handshake) using port p
  • Violation of the TCP/IP protocol
• Packet filter firewall passes the packet
  • Firewall considers it part of an ongoing connection
• Receiver sends RST
  • Indicates to the sender that the connection should be terminated
• Receiving RST indicates that port p is open!!

[1]


Page 22: Firewalls

TCP Ack Port Scan

• RST confirms that port 1209 is open
• Problem: packet filtering is stateless; the firewall should track the entire connection exchange

[1]


Page 23: Firewalls

Stateful Packet Filter

• Remembers packets in the TCP connections (and flag bits)
• Adds state info to the packet filter firewall.
• Operates at the transport layer.
• Pro: Adds state to the packet filter and keeps track of ongoing connections
• Con: Slower, more overhead. Packet content info not used

[1]

[Figure: protocol stack, application / transport / network / link / physical]
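The behaviour described from the ACK-bit rule (Page 20) through the ACK probe (Pages 21-22) to the stateful filter (Page 23), as an added Python example that is not part of the original slides. The rules, the RFC 5737 addresses and the ports are constructed; the connection table is a toy keyed on the 4-tuple of connections opened from inside, not a model of any real firewall.

```python
# Added example (not from the slides): a toy first-match packet filter, first
# stateless with the "incoming TCP must carry ACK" rule, then with a connection
# table. Rules, addresses and ports are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (Internet -> internal) or "out"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "RST", ...}

# (direction or None, require ACK, action). First match wins and the last
# rule is the default-deny catch-all, so order matters.
RULES = [
    ("out", False, "ACCEPT"),   # anything we originate may leave
    ("in", True, "ACCEPT"),     # inbound TCP only if the ACK bit is set
    (None, False, "DROP"),      # default deny
]

def stateless_filter(pkt):
    """Stateless packet filter: judges every packet on its own header."""
    for direction, need_ack, action in RULES:
        if direction is not None and direction != pkt.direction:
            continue
        if need_ack and "ACK" not in pkt.flags:
            continue
        return action
    return "DROP"

class StatefulFilter:
    """Same rules, plus a table of connections that were opened from inside."""
    def __init__(self):
        self.table = set()   # (internal_ip, internal_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            verdict = stateless_filter(pkt)
            if verdict == "ACCEPT" and "SYN" in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: must belong to a tracked connection, then pass the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return stateless_filter(pkt)
        return "DROP"   # e.g. an ACK-only packet with no prior handshake
```

The stateless filter admits the ACK-only packet aimed at port 1209 because the header alone satisfies the ACK rule; the stateful filter drops it because no connection to that port was ever opened from inside.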


Page 24: Firewalls

Application Proxy

• A proxy acts on behalf of the system being protected.
• An application proxy examines incoming app data and verifies that the data is safe before passing it to the system.
• Pros
  • Complete view of the connections and app data
  • Filter bad data (viruses, Word macros)
  • Incoming packet is terminated and a new packet is sent to the internal network
• Con
  • Speed

[1]


Page 25: Firewalls

Firewalk – Port Scanning

• Scan ports through firewalls
• Requires knowledge of
  • IP address of the firewall
  • IP address of one system in the internal network
  • Number of hops to the firewall
• Set TTL (time to live) = hops to firewall + 1
• Set destination port to be p
• If the firewall does not pass data for port p, then no response
• If data passes through the firewall on port p, then a time exceeded error message

[1]

Let's try it: Applications -> Utilities -> Network Utility


Page 26: Firewalls

Firewalk and Proxy Firewall

• Attack would be stopped by a proxy firewall
• Incoming packet destroyed (old TTL value also destroyed)
• New outgoing packet will not exceed TTL.

[1]

[Figure: Trudy sends packets with dest port 12345, 12344, 12343 and TTL=4 through a packet filter and three routers; a "Time exceeded" message comes back]


Page 27: Firewalls

Firewalls and Defense in Depth

• Example security architecture

[Figure: Internet -> Packet Filter -> DMZ (FTP server, DNS server, WWW server) -> Application Proxy -> Intranet with Personal Firewalls]

[1]


Page 28: Firewalls

Research: Firewall Policy Verification

• Firewall design: consistency, completeness, and compactness
  • Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Distributed Computing Systems, 2004. Proceedings. 24th International Conference on, pp. 320-327, 2004
• Lesson: Practical firewalls have complex rulesets. They are hard to get right. Research is in place to help validate the configuration for errors
• Let's see some simple ones


Page 29: Firewalls

Let's do some examples

iptables is a common tool to build firewalls. Well supported in Linux:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

-A: append to the list of rules
-p: match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if the rule matches, ACCEPT the packet.

1st matching rule wins… order matters!

The final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.


Page 30: Firewalls

iptables - chains

• INPUT – anything with a destination of the firewall box
• OUTPUT – anything with a source of the firewall box
• FORWARD – anything going through the firewall box (neither source nor dest is the firewall box)

• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • # This allows SSH TO THE FIREWALL BOX!


Page 31: Firewalls

iptables – matching rules

Jump targets – what to do upon match?
-j ACCEPT – allow it
-j REJECT – send a rejection message
-j DROP – drop it, don't send any message
-j logaccept, logdrop, logreject (there are others)

Protocol matching rules
-p tcp, udp, icmp, all (0 means all)

Port matching rules
--dport destination port
--sport source port


Page 32: Firewalls

iptables – more rules

Physical device interface:
-i vlan0   # packets coming in on that physical interface
-o eth1    # packets going out on that physical interface
-i only valid for the INPUT, FORWARD chains
-o only valid for the OUTPUT, FORWARD chains
(Note: Specific interface names differ by hardware)

Time-based limiting
--limit 5/minute (rule matches a maximum of 5 times per minute (or second, hour, day, etc.))

Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT


Page 33: Firewalls

iptables - examples

• Let's stop all http access
• Let's stop ping
• Let's allow www.gmu.edu through (but only GMU!)
  • --destination www.gmu.edu
• Let's allow only my IP to get to HTTP
  • --source 192.168.3.10


Page 34: Firewalls

iptables – more rules

State matching:
-m state --state ESTABLISHED,RELATED

NEW - A packet which creates a new connection.
ESTABLISHED - A packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).
RELATED - A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.
INVALID - A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.


Page 35: Firewalls

iptables – more rules

TCP bit matching:

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

--tcp-flags <string 1> <string 2>
string 1 = the set of bits to look at
string 2 = the subset of string 1 which should be ones

The command above says: look at all the bits ('ALL' is synonymous with 'SYN,ACK,FIN,RST,URG,PSH') and verify that only the SYN and ACK bits are set.
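The mask/compare semantics of --tcp-flags, as an added Python example that is neither from the slides nor from iptables itself; it reimplements the match so the slide's rule can be checked against constructed flag combinations. It also covers the --syn match used in the syn-flood rule on the earlier slide, which the iptables manual documents as shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.

```python
# Added example (not from the slides): the matching semantics of
# iptables --tcp-flags <mask> <comp>, reimplemented in Python so a rule
# can be checked against constructed flag combinations.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(spec):
    """'ALL' -> all six bits, 'NONE' -> no bits, else a list like 'SYN,ACK'."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip()]   # KeyError on an unknown flag name
    return bits

def flags_of(*names):
    """Flag word of a constructed packet header, e.g. flags_of('SYN', 'ACK')."""
    return parse_flags(",".join(names)) if names else 0

def tcp_flags_match(mask, comp, pkt_flags):
    """True when, among the bits named in mask, exactly those in comp are set."""
    return (pkt_flags & parse_flags(mask)) == parse_flags(comp)

def drop_rule_matches(pkt_flags):
    """The slide's rule: --tcp-flags ALL SYN,ACK (look at all, require SYN+ACK only)."""
    return tcp_flags_match("ALL", "SYN,ACK", pkt_flags)

def syn_matches(pkt_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (per the manual)."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", pkt_flags)
```

Note that a PSH bit outside the mask does not disturb the --syn match, whereas under the slide's ALL mask any extra bit makes the packet fall through to the next rule.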


Page 36: Firewalls

iptables - Tunneling

• In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.
• We really use SSH tunnels:
  • ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost
• However, if everyone needed to use it, we could use a firewall based tunnel:
  • iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22

Page 37: Firewalls

Would a GUI help?


Page 38: Firewalls

Lessons

• There are many firewall types
• Each provides a different level of security versus performance
• Multiple firewalls can be used to segment networks into security zones
• iptables is a powerful example of how to create/manage firewalls
