Firewalls

Topics
  Firewall design principles
    Characteristics
    Types
    Configurations
  Trusted systems
    Common Criteria for Information Technology Security Evaluation

Firewalls
  Internet connectivity has become a necessity in corporations and organizations
  However, this allows outsiders to interact with network assets
  An organization may own thousands of computers
  Could install strong security software on every computer…
    A security patch is released
    Now thousands of computers need to be patched

Firewalls: Easier solution?
  Place a firewall between the Internet and the organization’s network
  Protects a network from Internet-based attacks
  Imposes security and auditing at one choke point
  Special hardware, a computer, or many computers can function as a firewall

Firewall characteristics
  Goals:
    All traffic is directed towards the firewall; there must be no way to access the network without going through the firewall first
    Only authorized traffic, as defined by local security policies, is allowed to pass through the firewall
    The firewall is immune to penetration; this implies use of a trusted system and a secure operating system

Firewall characteristics
  Four techniques used to control access:
    Service control
      Determines what Internet services are allowed to be accessed
      May filter traffic based on IP address or port
      May act as proxy software (receives and interprets services before passing them on)
      May host service software itself
    Direction control
      Determines in which direction service requests may be initiated or allowed to pass through
    User control
      Controls which services can be accessed by particular users (inside or outside the network)
    Behaviour control
      Controls how services are used (e.g., a spam firewall or website filter)

Firewall characteristics
  Other features:
    Monitoring of security-related events
    Non-security-related Internet functions
      Network address translation (NAT)
      Logging Internet usage
    Platform for IPSec

Firewall characteristics
  Limitations:
    Cannot protect against attacks that bypass the firewall
    Cannot protect against internal threats
      For example, an angry employee deleting files
      Or an employee cooperating with an outside attacker
    Cannot protect against the transfer of viruses
      Different operating systems and applications inside the network
      Would need to scan all incoming data… impractical, perhaps impossible

Types of firewalls
  Packet-filtering router
  Application-level gateway
  Circuit-level gateway

Packet-filtering router
  Applies a set of rules to each incoming and outgoing packet
  Possible rule criteria:
    Source or destination IP address
    Port number
    Transport protocol (TCP or UDP)
    Other information contained in a network packet
  Filters are a list of rules
  If a rule is matched, the packet is either forwarded or discarded
  A default action, either forward or discard, applies when a packet matches no rule

Packet-filtering router (figure)

Packet-filtering router
  Advantages:
    Fast, simple, transparent
  Disadvantages:
    Cannot prevent attacks on specific application weaknesses
    Limited logging capabilities
    Typically no support for user authentication
    Vulnerable to exploits that take advantage of problems in the TCP/IP specification
    Easy to make mistakes when creating rules

Application-level gateway
  Also called a proxy server
  Usage:
    User contacts the gateway through an application (e.g., telnet or FTP)
    User must authenticate and provide the name of the remote host
    Gateway connects to the remote host and relays data back to the user
    If code for an application is not implemented, the gateway will not support that application
    May be configured to support only certain features of an application

Application-level gateway
  Advantages:
    Tend to be more secure than packet filters
    Whole applications can be allowed or blocked, rather than many possible combinations of packets
    Easy to log and audit traffic at the application level
  Disadvantage:
    Additional overhead due to splicing every connection

Circuit-level gateway
  Does not permit end-to-end connections
  Sets up two TCP connections (inner host to gateway, gateway to outer host)
  Gateway relays segments from one connection to the other
  Does not examine the contents of segments
  Security function is to determine which connections are allowed
  Could be a standalone system, or a function performed by an application-level gateway for some applications

Circuit-level gateway
  Example implementation: SOCKS
  Consists of a server, a client library, and client programs that have been linked with or are compatible with SOCKS
  A client wants to access an object beyond the firewall
  A TCP connection is opened to port 1080 on the SOCKS server
  Client is authenticated
  Client makes a relay request
  SOCKS either accepts (and establishes the connection) or rejects
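Added example (not from the original slides, and not SOCKS project code): the accept/reject decision a SOCKS server makes on a relay request, which is the whole security function of a circuit-level gateway. The byte layout of the request and reply follows SOCKS version 5 as specified in RFC 1928; the allowed-port list, the blocked network, and the sample requests are constructed for illustration and assume the client has already been authenticated.

```python
# Added example: a SOCKS5 relay request is parsed, checked against a ruleset,
# and answered with a reply whose REP field says "succeeded" or "not allowed".
# Framing per RFC 1928; policy values below are constructed assumptions.
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_NOT_ALLOWED = 0x02          # "connection not allowed by ruleset"
REP_CMD_NOT_SUPPORTED = 0x07

# Constructed policy: the gateway relays only to web ports, and never back
# into the internal address range (so the relay cannot be used as a way in).
ALLOWED_PORTS = {80, 443}
BLOCKED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_request(data: bytes) -> dict:
    """Decode a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:addr_end]))
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + data[4]               # one length byte, then the name
        host = data[5:addr_end].decode("ascii")
    else:
        raise ValueError("unknown address type")
    if len(data) != addr_end + 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


def decide(request: dict) -> int:
    """Apply the ruleset: this is the 'which connections are allowed' check."""
    if request["cmd"] != CMD_CONNECT:        # only CONNECT relays are offered
        return REP_CMD_NOT_SUPPORTED
    if request["port"] not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED
    if request["atyp"] in (ATYP_IPV4, ATYP_IPV6):
        addr = ipaddress.ip_address(request["host"])
        if any(addr in net for net in BLOCKED_NETWORKS):
            return REP_NOT_ALLOWED
    return REP_SUCCEEDED


def build_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with an all-zero IPv4 binding."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"


def handle(data: bytes) -> bytes:
    """Full server-side step: parse, decide, reply. Malformed input is refused."""
    try:
        request = parse_request(data)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE)
    return build_reply(decide(request))


# Constructed sample requests (addresses from the documentation ranges).
REQ_HTTPS = b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb"   # 203.0.113.10:443
REQ_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.org" + b"\x00\x50"  # example.org:80
REQ_INTERNAL = b"\x05\x01\x00\x01" + bytes([10, 1, 2, 3]) + b"\x01\xbb"    # 10.1.2.3:443
REQ_SSH = b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x16"     # 203.0.113.10:22
REQ_BIND = b"\x05\x02\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x50"    # BIND command
REQ_GARBAGE = b"\x04\x01"                                                  # SOCKS4-style header

if __name__ == "__main__":
    for name, req in [("https", REQ_HTTPS), ("domain", REQ_DOMAIN),
                      ("internal", REQ_INTERNAL), ("ssh", REQ_SSH),
                      ("bind", REQ_BIND), ("garbage", REQ_GARBAGE)]:
        print(f"{name:8s} -> REP=0x{handle(req)[1]:02x}")
```

The second byte of the reply is the only thing the client learns, which is the point of a circuit-level gateway: it never looks inside the relayed segments, it only decides whether the circuit may exist.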

Bastion host
  A system identified as a critical strong point in a network’s security
  Typically used as the platform for application-level or circuit-level gateways
  Characteristics:
    Runs a secure version of an operating system
    Only essential services are installed
    Requires user authentication to access proxy services
    Each proxy is a tiny software package that runs independently and requires little configuration
    Each proxy may only support a subset of application features, may only access specific hosts, and maintains detailed logs

Firewall configurations
  A single router or gateway is a simple configuration
  More complex configurations are possible and are more common:
    Screened host firewall, single-homed bastion
    Screened host firewall, dual-homed bastion
    Screened subnet firewall

Screened host firewall, single-homed bastion
  A packet-filtering router with a bastion host
  Router’s configuration:
    Only packets destined for the bastion host may pass
    Only packets from the bastion host may leave
  Bastion host performs authentication and proxy functions
  Internal network is protected by two systems

Screened host firewall, single-homed bastion
  Allows for flexibility:
    For example, a web server does not need strong security; the router can be configured to allow traffic directly to it
  Problem: a compromised router will allow traffic to flow directly through to the internal network, bypassing the bastion
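Added example (not from the original slides): a first-match packet filter with an explicit default action, as described on the packet-filtering router slides, loaded with the router rules of the single-homed screened host configuration above (inbound only to the bastion, outbound only from the bastion, plus the web-server exception). The anti-spoofing rule at the top goes slightly beyond the slides; it discards inbound packets that claim an internal source address. The addresses, the rule set, and the sample packets are constructed.

```python
# Added example: rule-list packet filter and a constructed screened-host rule set.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL = "192.0.2.0/24"        # constructed internal network
BASTION = "192.0.2.10/32"        # constructed bastion host
WEB_SERVER = "192.0.2.80/32"     # constructed web server allowed direct access


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "in" = from the Internet, "out" = towards the Internet


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    direction: str = "*"         # "*" matches either direction
    src: str = "*"               # CIDR or "*"
    dst: str = "*"               # CIDR or "*"
    proto: str = "*"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("*", p.direction)
            and self.proto in ("*", p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.src == "*" or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.dst == "*" or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
        )


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:          # rules are tried in order; first match wins
            if rule.matches(p):
                return rule.action
        return self.default              # the default action covers unmatched packets


SCREENED_HOST_RULES = [
    # 1. Inbound packets must not claim an internal source address (anti-spoofing)
    Rule("discard", direction="in", src=INTERNAL),
    # 2. Only packets destined for the bastion host may pass inbound
    Rule("forward", direction="in", dst=BASTION),
    # 3. Flexibility: the web server may be reached directly, on TCP/80 only
    Rule("forward", direction="in", dst=WEB_SERVER, proto="tcp", dport=80),
    # 4. Only packets from the bastion host may leave
    Rule("forward", direction="out", src=BASTION),
]
ROUTER = PacketFilter(SCREENED_HOST_RULES, default="discard")

# Constructed sample traffic (198.51.100.7 plays an Internet host).
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "in"),   # to bastion
    Packet("198.51.100.7", "192.0.2.20", "tcp", 22, "in"),    # to an internal host
    Packet("198.51.100.7", "192.0.2.80", "tcp", 80, "in"),    # to web server, port 80
    Packet("198.51.100.7", "192.0.2.80", "tcp", 22, "in"),    # to web server, port 22
    Packet("192.0.2.10", "198.51.100.7", "tcp", 80, "out"),   # from bastion
    Packet("192.0.2.20", "198.51.100.7", "tcp", 80, "out"),   # from internal host
    Packet("192.0.2.50", "192.0.2.10", "tcp", 443, "in"),     # spoofed internal source
]


def decisions(pf: PacketFilter, packets: List[Packet]) -> List[str]:
    return [pf.decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, decisions(ROUTER, SAMPLES)):
        print(f"{p.direction:3s} {p.src:>14s} -> {p.dst:<12s} {p.proto}/{p.dport:<4d} {verdict}")
```

The order of the rules is part of the policy: moving the anti-spoofing rule below rule 2 lets a packet with a forged internal source reach the bastion, which is the kind of mistake the slides warn is easy to make when writing rules.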

Screened host firewall, dual-homed bastion
  All of the same features and functionality as the single-homed bastion setup
  However, physically prevents traffic from going anywhere but through the bastion first
  Solves the problem with the single-homed bastion setup

Screened subnet firewall
  Two packet-filtering routers and one bastion host
    One router between the Internet and the bastion
    Another between the bastion and the internal network
  Creates an isolated, screened sub-network
    Besides the bastion, could also contain servers, modems, etc.
  Three levels of defense
  Internet only sees the screened sub-network
  Internal network cannot construct direct routes to the Internet

Trusted systems
  Trusted system technologies enhance the ability to defend against intruders and malicious programs

Data access control
  Need a way to state what sort of permissions a user may have in a system (e.g., file access, database access, etc.)
  Access matrix
    A general model of access control used by file or database management systems

Data access control
  Elements:
    Subject: an entity that can access objects. Usually a user or application is represented by a process, since it is the process that gains access to an object
    Object: anything to which access is controlled (e.g., files or memory)
    Access right: the way in which an object is accessed (e.g., read, write, or execute)
  One axis lists the subjects, the other lists the objects
  Each entry consists of the access rights of a subject on an object

Data access control (figure)

Data access control
  An access matrix is usually implemented by decomposing it
  Access control list (ACL)
    Decomposition by column
    Lists subjects and their access rights for each object
    May include a default set of rights
  Capability tickets
    Decomposition by row
    Lists objects and associated access rights for each subject
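Added example (not from the original slides): an access matrix stored sparsely as (subject, object) entries, with the two decompositions the slides describe: by column into an ACL per object (including the optional default set of rights for subjects with no explicit entry) and by row into the capability tickets held by a subject. The subjects, objects and rights are constructed.

```python
# Added example: access matrix with ACL (column) and capability (row) views.
from typing import Dict, Set


class AccessMatrix:
    def __init__(self):
        self._entries: Dict[tuple, Set[str]] = {}   # (subject, object) -> rights
        self._defaults: Dict[str, Set[str]] = {}    # object -> rights for unlisted subjects

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._entries.setdefault((subject, obj), set()).update(rights)

    def set_default(self, obj: str, *rights: str) -> None:
        """Default rights an object grants to any subject without its own entry."""
        self._defaults[obj] = set(rights)

    def rights_of(self, subject: str, obj: str) -> Set[str]:
        entry = self._entries.get((subject, obj))
        if entry is not None:
            return set(entry)
        return set(self._defaults.get(obj, ()))

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self.rights_of(subject, obj)

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column decomposition: the access control list stored with the object.
        The key "*" carries the default rights, if the object has any."""
        column = {s: set(r) for (s, o), r in self._entries.items() if o == obj}
        if obj in self._defaults:
            column["*"] = set(self._defaults[obj])
        return column

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """Row decomposition: the capability tickets held by the subject."""
        return {o: set(r) for (s, o), r in self._entries.items() if s == subject}


def check_via_acl(matrix: AccessMatrix, subject: str, obj: str, right: str) -> bool:
    """The same decision an object-side ACL check makes: explicit entry first,
    then the default entry, then deny."""
    acl = matrix.acl(obj)
    rights = acl.get(subject, acl.get("*", set()))
    return right in rights


def build_sample_matrix() -> AccessMatrix:
    """Constructed sample: two users, one backup process, two objects."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("backup-proc", "payroll.db", "read")     # a process acting as a subject
    m.grant("alice", "report.txt", "read", "write")
    m.set_default("report.txt", "read")              # anyone else may read the report
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("Capabilities of alice:", m.capabilities("alice"))
    print("carol reads report.txt:", m.check("carol", "report.txt", "read"))
    print("carol reads payroll.db:", m.check("carol", "payroll.db", "read"))
```

Both views answer every (subject, object, right) question identically, which is what "decomposing" the matrix means; they differ in where the information lives, and therefore in which operation is cheap: revoking all access to an object is one ACL edit, listing everything a subject can touch is one capability list.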

Concept of trusted systems
  Multilevel security
    Multiple groups (or levels) of data are defined
    The idea is that a high-level subject cannot convey information to a lower-level subject
    Two rules need to be enforced:
      No read up: a subject may only read objects at a security level less than or equal to its own
      No write down: a subject may only write into objects at a security level equal to or greater than its own

Concept of trusted systems
  Reference monitor
    An element of hardware or the operating system
    Regulates the access of objects by subjects on the basis of security parameters
    A security kernel database stores all access privileges and object levels
    Properties:
      Complete mediation: security rules are enforced on every single access to an object
      Isolation: no unauthorized modification of the reference monitor or its database
      Verifiability: the reference monitor’s correctness must be mathematically provable
    An audit file may be used to log security violations or changes to the kernel database

Concept of trusted systems
  A trusted system provides the degree of verification described for the reference monitor
  Trojan horse defense
    A trusted operating system can prevent Trojan horse attacks
    A user’s documents and programs are classified under a high security level
    A Trojan horse is planted by a user who has gained access, but under a low security level
    The Trojan horse can read the documents, but cannot copy them to a low security level file
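Added example (not from the original slides): a small reference monitor that holds the security kernel database (subject and object levels), enforces the two multilevel security rules from the earlier slide on every access (complete mediation), writes an audit record for each decision, and is then run through the Trojan horse scenario above. The level names, subjects and objects are constructed.

```python
# Added example: reference monitor enforcing no-read-up / no-write-down,
# applied to the Trojan horse scenario. All names and levels are constructed.
from typing import Dict, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


class ReferenceMonitor:
    def __init__(self):
        # Security kernel database: levels of every subject and object.
        self.subjects: Dict[str, int] = {}
        self.objects: Dict[str, int] = {}
        # Audit file: one record per mediated access.
        self.audit: List[Tuple[str, str, str, str]] = []

    def add_subject(self, name: str, level: str) -> None:
        self.subjects[name] = LEVELS[level]

    def add_object(self, name: str, level: str) -> None:
        self.objects[name] = LEVELS[level]

    def access(self, subject: str, obj: str, mode: str) -> bool:
        """Complete mediation: every access request passes through here."""
        s, o = self.subjects.get(subject), self.objects.get(obj)
        if s is None or o is None:
            allowed = False            # unknown subject or object: deny, never guess a level
        elif mode == "read":
            allowed = s >= o           # no read up
        elif mode == "write":
            allowed = s <= o           # no write down
        else:
            allowed = False            # unknown access mode
        self.audit.append((subject, obj, mode, "allow" if allowed else "deny"))
        return allowed

    def violations(self) -> List[Tuple[str, str, str, str]]:
        return [rec for rec in self.audit if rec[3] == "deny"]


def trojan_horse_scenario() -> Dict[str, object]:
    """Constructed scenario from the slides: a low-level user plants a program,
    the high-level user runs it, and the program tries to copy data down."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", "secret")
    rm.add_object("alice-docs", "secret")
    rm.add_subject("mallory", "unclassified")
    rm.add_object("mallory-dropbox", "unclassified")    # low-level file mallory can read
    # When alice runs the planted program it executes as a process at her level.
    rm.add_subject("trojan-as-alice", "secret")

    result = {
        "trojan_reads_docs": rm.access("trojan-as-alice", "alice-docs", "read"),        # same level: allowed
        "trojan_copies_down": rm.access("trojan-as-alice", "mallory-dropbox", "write"), # write down: denied
        "attacker_reads_dropbox": rm.access("mallory", "mallory-dropbox", "read"),      # allowed, but file is empty
        "attacker_reads_up": rm.access("mallory", "alice-docs", "read"),                # read up: denied
        "violations": rm.violations(),
    }
    return result


if __name__ == "__main__":
    outcome = trojan_horse_scenario()
    for key, value in outcome.items():
        print(f"{key}: {value}")
```

The defence does not depend on recognising the Trojan horse as malicious: the program is allowed to do exactly what alice may do, and copying secret data into an unclassified file is not among those things. The audit file records both denied attempts, which is what an analyst would look for afterwards.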

Common Criteria for Information Technology Security Evaluation
  Defines a set of potential security requirements for use in evaluating part of a system
  Requirements:
    Functional: define the desired security behaviour
    Assurance: the basis for gaining confidence that security measures are effective and implemented correctly
  Profiles that can be generated:
    Protection profile: defines a set of security requirements and objectives for a category of systems
    Security target: contains the security requirements and objectives of a target system, and the functional and assurance measures offered to meet those requirements