Firewalls (March 4, 2015) © Abdou Illia – Spring 2015


2

Test your Firewall knowledge

Which of the following is true about firewalls?
a) A firewall is a hardware device
b) A firewall is a software program
c) Firewalls could be hardware or software

Which of the following is true about firewalls?
a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b.

3

Test your Firewall knowledge (cont)

Which of the following is true about firewalls?
a) They are configured to monitor inbound traffic and protect against attacks by intruders
b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
c) Both a and b

4

Firewall: definition

A hardware or software tool used to protect a single host (1) or an entire network (2) by “sitting” between a trusted network (or a trusted host) and an untrusted network, applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic.

(1) Host-based or personal firewall. (2) Network-based firewall.

[Figure: an untrusted network separated from a trusted network by a network-based firewall; each PC on the trusted network also has a host-based firewall.]

5

Questions

What is the main advantage of having a host-based firewall in addition to having a network-based one?

Answer: _________________________________________

What kind of security issue could be associated with having a host-based firewall on users' PCs?

Answer: __________________________________________

[Figure: same as the previous slide: an untrusted network, a network-based firewall, and a trusted network whose PCs run host-based firewalls.]

6

Firewall Architecture

Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.

[Figure: firewalls shown between the Internet and the internal network: Screening Router Firewall, Main Border Firewall, Internal Firewall, and Host Firewalls on the internal hosts. Demilitarized Zone (DMZ) hosts: Public Webserver 60.47.3.9, SMTP Application Proxy Server 60.47.3.10, HTTP Application Proxy Server 60.47.3.1, External DNS Server 60.47.3.4. Internal network: 172.18.9.x Subnet, Marketing Client on 172.18.5.x Subnet, Accounting Server on 172.18.7.x Subnet, Email Server on 172.18.6.x Subnet.]

7

Firewall Architecture

[Figure: the same firewall architecture diagram as the previous slide, with the Demilitarized Zone (DMZ) highlighted.]

The DMZ is a subnet that includes the hosts most vulnerable to attacks, i.e. hosts that provide services to outside users. Common hosts in the DMZ: public web servers, public DNS servers, public FTP servers, email proxy servers. Hosts in the DMZ must be heavily protected.

8

Questions

What is a DMZ? Why are public web servers usually put in the DMZ? Why are public DNS servers usually put in the DMZ?

Which of the following may be placed in a DMZ?
a) An SMTP proxy server
b) A server that contains files available for downloading by employees
c) A File Transfer Protocol (FTP) server
d) A SQL (Structured Query Language) database server

What IP addresses should a DNS server in the DMZ be able to find?
a) All the company's IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ

You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone).
b) A honey pot.
c) A firewall.
d) None of the above.

9

Basic Firewall Operation

[Figure: an Attacker and a Legitimate User on the Internet (not trusted) send packets through the Border Firewall toward the Internal Corporate Network (trusted). Attack Packet 1 is dropped (ingress) and recorded in the log file; Legitimate Packet 1 is passed (ingress); Legitimate Packet 2, sent from the internal network, is passed (egress).]

Ingress filtering: filtering packets coming from external networks.
Egress filtering: filtering packets leaving to external networks.

10

Types of Firewalls

Static Packet Filtering Firewalls (1st generation)
- Inspect TCP, UDP and IP headers to make filtering decisions
- Do static filtering of individual packets based on a configured ruleset (or Access Control List)
- Prevent attacks that use IP or port spoofing, etc.

Stateful Packet Filtering Firewalls (2nd generation)
- Inspect TCP, UDP and IP headers to make filtering decisions
- Do stateful filtering by checking the firewall's state table for the relation of packets to packets already filtered
  - If a packet does not match an existing connection, the ruleset (static filtering) is used
  - If a packet matches an existing connection, it is allowed to pass
- Prevent SYN attacks, teardrops, etc.

State Table
Connection | Source IP | Destination IP | State
Connection 1 | 123.12.13.4 | 60.47.3.9:80 | TCP opening
Connection 2 | 213.14.33.56 | 60.47.3.9:80 | Data transfer
... | ... | ... | ...

[Figure: packet layout showing the IP header, the TCP header or UDP header, and the Application Layer message; packet filters inspect the headers only.]

11

Types of Firewalls (cont.)

Application Firewalls (3rd generation)
- Also called proxy firewalls
- Inspect the Application Layer message (e.g. HTTP requests, emails, etc.)
- Specialized proxy firewalls are more effective than general-purpose ones:
  - HTTP proxy firewalls for HTTP requests
  - SMTP proxy firewalls for SMTP emails
  - FTP proxy firewalls for FTP-based file transfer requests
- Prevent malware attacks

[Figure: packet layout (IP header, TCP or UDP header, Application Layer message) with the proxy inspecting the Application Layer message. Browser -> HTTP Proxy -> Webserver Application: 1. HTTP Request; 2. Passed inspected HTTP Request; 3. HTTP Response; 4. Passed inspected HTTP Response. The proxy records to a log file.]

12

Types of Firewalls (cont.)

Network Address Translation Firewall
- Replaces the IP address in an outgoing message by a spoof IP address
- Hides internal hosts' IP addresses from outsiders
- Helps prevent IP spoofing attacks that use internal IP addresses

Host IP Address | Outgoing IP Address | Request ID
135.12.23.12 | 135.12.20.1 | 120121
135.12.22.2 | 135.12.20.2 | 120122
135.12.21.3 | 135.12.20.3 | 120123
... | ... | ...

[Figure: internal hosts 135.12.23.12, 135.12.22.2 and 135.12.21.3 behind the NAT firewall appear to the outside as 135.12.20.1, 135.12.20.2 and 135.12.20.3.]

13

Network Address Translation (Cont)

[Figure, steps 1 and 2: the Client 192.168.5.7 sends a packet “From 192.168.5.7, Port 61000” to the NAT Firewall (1); the NAT Firewall forwards it across the Internet to the Server Host as “From 60.5.9.8, Port 55380” (2). A Sniffer on the Internet side sees only the translated source.]

Translation Table
Internal IP Addr | Internal Port | External IP Addr | External Port
192.168.5.7 | 61000 | 60.5.9.8 | 55380
... | ... | ... | ...

14

Network Address Translation (Cont)

[Figure, steps 3 and 4: the Server Host replies “To 60.5.9.8, Port 55380” across the Internet (3); the NAT Firewall looks up its Translation Table (192.168.5.7, port 61000 <-> 60.5.9.8, port 55380) and delivers the reply to the Client as “To 192.168.5.7, Port 61000” (4). The Sniffer again sees only the external address and port.]

15

Perspective on NAT

NAT/PAT
- NAT does more than network (IP) address translation
- It also does port number translation
- Should be called NAT/PAT, but NAT is the common term
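The NAT/PAT translation described on the last four slides, as an added Python simulation (not part of the original slides): an outgoing packet gets the firewall's external address and a translated port, a reply is mapped back through the table, and an inbound packet with no table row is dropped. The addresses and ports are the slides' sample values; the `NatFirewall` class, the constructed server address 203.0.113.10 and the policy of allocating ports sequentially from 55380 are assumptions of this example.

```python
# Added example (not from the slides): a NAT/PAT translation table like the one
# in the figures above. An outgoing packet's source is rewritten to the firewall's
# external address and a translated port; a reply is mapped back; an inbound packet
# with no table row is dropped. Addresses and ports are the slides' sample values;
# allocating ports sequentially from 55380 is an assumption of this example.
class NatFirewall:
    def __init__(self, external_ip, first_port=55380):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}      # (internal IP addr, internal port) -> external port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 1-2: rewrite the source of a packet leaving the trusted network."""
        key = (src_ip, src_port)
        if key not in self.table:           # first packet of this flow: add a table row
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.external_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 3-4: map a reply back to the internal host, or None to drop it."""
        if dst_ip != self.external_ip:
            return None
        for (int_ip, int_port), ext_port in self.table.items():
            if ext_port == dst_port:
                return (src_ip, src_port, int_ip, int_port)
        return None                         # no translation row: unsolicited packet, dropped

    def rows(self):
        """The translation table as (internal IP, internal port, external IP, external port)."""
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.table.items()]

if __name__ == "__main__":
    nat = NatFirewall("60.5.9.8")
    print(nat.outbound("192.168.5.7", 61000, "203.0.113.10", 80))   # what the sniffer sees
    print(nat.inbound("203.0.113.10", 80, "60.5.9.8", 55380))         # delivered to the client
    print(nat.rows())
```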

16

Firewalls configuration

Default configuration (default rulesets or ACLs)
- Pass connections initiated by an internal host
- Deny connections initiated by an external host
- The default configuration can be changed with access control lists (ACLs) for ingress and egress filtering
- ACLs are sets of IF-THEN rules applied in sequential order

[Figure: a Router between the Internet and the internal network automatically passes a connection attempt from inside and automatically denies a connection attempt from the Internet.]

17

Ingress ACL

1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2 If Source IP Address = 172.16.*.*, DENY [Private IP Address Range]
3 If Source IP Address = 192.168.*.*, DENY [Private IP Address Range]
4 If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS
5 If Destination IP Address = 60.47.*.*, DENY
6 If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open a connection from the outside]
7 If TCP Destination Port = 20, DENY
8 If TCP Destination Port = 135 through 139, DENY
9 If UDP Destination Port = 69, DENY
10 DENY ALL
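The ten rules above as an added Python simulation (not code from the original slides): the ACL is evaluated as IF-THEN rules in sequential order and the first matching rule decides, and `swapped` reorders two rules so the effect of rule order can be observed. The packet dictionary, helper names and the sample address 203.0.113.5 are assumptions of this example.

```python
# Added example (not from the slides): the ten-rule Ingress ACL above as
# IF-THEN rules evaluated in sequential order, first match wins. The packet
# dictionary, helper names and sample addresses are assumptions.
def ip_matches(pattern, ip):
    """Octet-wise match; '*' in the pattern matches any octet (e.g. 60.47.*.*)."""
    return all(p in ("*", o) for p, o in zip(pattern.split("."), ip.split(".")))

def tcp(p):
    return p["proto"] == "TCP"

# (rule number, condition on the incoming packet, action)
INGRESS_ACL = [
    (1, lambda p: ip_matches("10.*.*.*", p["src"]), "DENY"),        # private range
    (2, lambda p: ip_matches("172.16.*.*", p["src"]), "DENY"),      # private range
    (3, lambda p: ip_matches("192.168.*.*", p["src"]), "DENY"),     # private range
    (4, lambda p: p["dst"] == "60.47.3.9" and tcp(p) and p["dport"] in (80, 443), "PASS"),
    (5, lambda p: ip_matches("60.47.*.*", p["dst"]), "DENY"),
    (6, lambda p: tcp(p) and p["syn"] and not p["ack"], "DENY"),    # outside opens a connection
    (7, lambda p: tcp(p) and p["dport"] == 20, "DENY"),
    (8, lambda p: tcp(p) and 135 <= p["dport"] <= 139, "DENY"),
    (9, lambda p: p["proto"] == "UDP" and p["dport"] == 69, "DENY"),
    (10, lambda p: True, "DENY"),                                    # DENY ALL
]

def packet(src, dst, proto="TCP", dport=0, syn=False, ack=False):
    """An incoming packet, reduced to the header fields the ACL looks at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "syn": syn, "ack": ack}

def evaluate(p, acl=INGRESS_ACL):
    """Return (rule number, action) of the first rule whose condition holds."""
    for number, condition, action in acl:
        if condition(p):
            return number, action

def swapped(acl, a, b):
    """Copy of the ACL with rules a and b exchanged, to show that order matters."""
    out = list(acl)
    ia, ib = [n for n, _, _ in out].index(a), [n for n, _, _ in out].index(b)
    out[ia], out[ib] = out[ib], out[ia]
    return out

if __name__ == "__main__":
    web = packet("203.0.113.5", "60.47.3.9", dport=80, syn=True)   # constructed sample
    print(evaluate(web))                              # (4, 'PASS'): rule 4 fires before 5 and 6
    print(evaluate(web, swapped(INGRESS_ACL, 4, 5)))  # (5, 'DENY'): rule 5 now blocks the web server
```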

[Figure: the Firewall sits between the untrusted network and the trusted network; hosts on the trusted side: 60.47.3.1, 60.47.3.2, 60.47.3.5, 60.47.3.9.]

Port Number | Primary Protocol | Application
20 | TCP | FTP Data Traffic
21 | TCP | FTP Supervisory Connection. Passwords sent in the clear
23 | TCP | Telnet. Passwords sent in the clear
25 | TCP | Simple Mail Transfer Protocol (SMTP)
69 | UDP | Trivial File Transfer Protocol (TFTP). No login necessary
80 | TCP | Hypertext Transfer Protocol (HTTP)
137-139 | TCP | NETBIOS service for peer-to-peer file sharing in older versions of Windows
443 | TCP | HTTP over SSL/TLS

18

Ingress ACL


What kind of messages does Rule 7 block?
Why does Rule 5 have to come after Rule 4?
Why does Rule 6 have to come after Rule 4?

You work as the security administrator for the trusted network. Employees often download files from an FTP (File Transfer Protocol) server located in the untrusted network. What TCP port do you open in the firewall configuration?
a) Open port 69 to all inbound connections.
b) Open port 69 to all outbound connections.
c) Open port 20/21 to all inbound connections.
d) Open port 20/21 to all outbound connections.

19

Typical attacks and firewall config.

Attack | Typical configuration | Comments
Ping of death | Any packet with a Total Length greater than the maximum allowed is dropped. | Stateful firewall
IP fragmentation-based attacks (e.g. Teardrop) | The firewall intercepts all fragments of an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped. | Stateful firewall
Smurf Attack | The firewall drops any ping responses that are not part of an active session. | Stateful firewall
Attacks that send TCP URG packets | Any TCP packets that have the URG flag set are discarded by the firewall. |
Land Attack | Any packets with the same source and destination IP addresses are discarded. |
IP broadcast | Packets with a broadcast source or destination IP address are discarded. |
TCP SYN/ACK attack | TCP opening segments that have the SYN and ACK flags set AND that are not linked to a TCP SYN request are discarded. | Stateful firewall
Invalid TCP Segment Number | The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped. | Stateful firewall

[Figure: the TCP Flag Fields (6 bits): URG, ACK, PSH, RST, SYN, FIN.]
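The per-packet checks in this table, combined with the state table from the Types of Firewalls slide, as an added Python simulation that is not part of the original slides: packets matching no connection fall back to a static ruleset, a SYN/ACK is accepted only when it answers a pending outbound SYN, and each direction's expected sequence number is tracked. The `Packet` field names, the 65535-byte length limit and the simplified handshake tracking are assumptions of this example.

```python
# Added example (not from the slides): a minimal stateful packet filter applying
# the per-packet checks from the attack table above, with a TCP state table like
# the one on the "Types of Firewalls" slide. Field names and limits are assumptions.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool = True      # arriving from the untrusted side?
    syn: bool = False
    ack: bool = False
    urg: bool = False
    seq: int = 0              # TCP sequence number
    payload: int = 0          # bytes of TCP payload
    length: int = 40          # IP total length in bytes

class StatefulFirewall:
    def __init__(self, static_rules=None):
        self.table = {}       # (inside ip, port, outside ip, port) -> connection record
        # Packets matching no connection go to the static ruleset (default here: deny).
        self.static_rules = static_rules or (lambda p: "DROP: default deny")

    def _key(self, p):
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def check(self, p):
        # Stateless checks taken from the attack table.
        if p.length > 65535: return "DROP: ping of death"
        if p.urg: return "DROP: URG flag set"
        if p.src == p.dst: return "DROP: land attack"
        if "255.255.255.255" in (p.src, p.dst): return "DROP: broadcast address"
        conn, way = self.table.get(self._key(p)), "in" if p.inbound else "out"
        if p.syn and not p.ack:   # SYN=1, ACK=0: a new connection attempt
            if p.inbound: return self.static_rules(p)
            self.table[self._key(p)] = {"state": "opening", "expect": {"out": p.seq + 1}}
            return "PASS"
        if p.syn and p.ack:       # SYN/ACK must answer a pending outbound SYN
            if not (p.inbound and conn and conn["state"] == "opening"):
                return "DROP: SYN/ACK not linked to a SYN"
            conn["state"], conn["expect"]["in"] = "data transfer", p.seq + 1
            return "PASS"
        if not (conn and conn["state"] == "data transfer"):
            return self.static_rules(p)
        if p.seq != conn["expect"][way]: return "DROP: invalid sequence number"
        conn["expect"][way] += p.payload   # advance the expected sequence number
        return "PASS"
```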

20

Firewall Principles

Danger of Overload

If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets

This is the safest choice, because attack packets cannot enter the network

However, this creates a self-inflicted denial-of-service attack

21

Firewall Principles (Continued)

Danger of Overload
- So firewalls must have the capacity to handle the traffic
- Some can handle normal traffic but cannot handle traffic during heavy attacks
- Need to regularly check firewall logs: if too many unchecked packets are dropped, the firewall needs to be upgraded.

22

Centralized Firewall Management System

[Figure: a Management Console manages the firewalls at Site A, Site B and a Home PC Firewall across the Internet.]

- Remote management is needed to reduce management labor
- Dangerous because if an attacker compromises it, they own the network
- Remote PCs must be actively managed centrally

23

Firewall Management

Firewalls are Ineffective without Planning and Maintenance

Planning
- Asset Assessment: identify all assets and their relative sensitivities
- Threat Assessment: what threats can attack each asset?
- Design a Firewall Policy for Each Asset
- Design a Firewall Architecture

24

Firewall Management (Continued)

Implementation
- Firewall Operating System Hardening
  - Firewall appliances are hardened at the factory
  - Firewall vendors often sell firewalls that are general-purpose computers with pre-hardened versions of Unix or Windows
  - If a firm purchases a general-purpose computer and firewall software, strong actions must be taken to harden the operating system

25

Firewall Management (Continued)

Implementation
- Select Implementation Options
  - e.g., turn off remote management if not needed
- Firewall ACL Rule Configuration
  - Complex and therefore error-prone
  - Driven by firewall policies
- Vulnerability Testing After Configuration
  - Must do vulnerability tests even after “trivial” changes
  - Driven by firewall policies

26

Firewall Management (Continued)

Maintenance
- Constantly change firewall policies and ACLs to deal with new threats
- Document each change carefully!
- Read log files daily to understand the current threat environment
- Read log files daily to detect problems (the dropping of legitimate traffic, etc.)
- Update the firewall software when there are new releases

27

Firewalls, IDSs, and IPSs

 | Firewalls | IDSs | IPSs
Drops Packets? | Yes | No | Yes
Logs Packets? | Yes | Yes | Yes
Sophistication in Filtering | Medium | High | High
Creates Alarms? | No | Yes | Sometimes

28

Firewalls, IDSs, and IPSs (Cont)

Sophistication in Filtering
- Message stream analysis, not just individual packets
- Reassemble fragmented application messages
- Deep packet inspection: both internet-level headers and application headers