Firewalls & VPNs
Principles of Information Security, Chapter 6, Part 1


Topic Objectives
◦ Describe categories of firewalls.
◦ Describe firewall architectures.
◦ Discuss considerations for selecting an architecture.

Firewalls
◦ Goal is to prevent specific types of information from moving between external networks and internal networks.
◦ In general, the arrangement of security devices placed at the perimeter of a computer network to guard its entry points is collectively called a firewall, or firewall perimeter. At least one of those devices is a program or a hardware device called a firewall.
◦ So this "wall" can be several devices, including the firewall itself.

Create an integrated security system
◦ firewall perimeter = firewall + IDS + antivirus
◦ Also use access control and auditing.
◦ Create several firewall perimeters, one at each strategic entry point.
◦ Keep patching and updating them!

Categorizing Firewalls
◦ Processing mode: packet filtering (aka filtering, e.g. a router), application gateways, circuit gateways, MAC layer firewalls, hybrid
◦ Development era (generation): which level of technology is used
◦ Structure: commercial-grade, residential-grade
◦ Implementation: software, hardware, hybrid

Many different firewalls to pick from
◦ Basic personal use: ZoneAlarm, Norton Personal, Sygate
◦ More commercial: e.g. Check Point Next Generation
◦ Directory of products (many!): http://directory.google.com/Top/Computers/Security/Firewalls/Products/
◦ Cisco firewall appliance (i.e. hardware firewall): http://tools.cisco.com/search/JSP/search-results.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true
◦ Performance tables: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Pros and Cons

Type of firewall                          | Pros                                                                                   | Cons
Software, freeware                        | Easy and free                                                                          | Minimal protection
Software, commercial personal firewall    | Simple, cheap                                                                          | Not many features, not robust
Software, commercial enterprise firewall  | Typically installed on a dedicated host; real-time monitoring and other admin features | $$$, not easy to set up
Hardware appliance                        | Faster and more scalable than software firewalls                                       | $$$$$$, difficult to patch if bugs are discovered
Hybrid firewall                           | Throughput and security of an appliance with the features of a software firewall       | $$$$$$$$$$

Packet Filtering Firewalls
◦ Examine packet headers.
◦ Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses.
◦ Simple firewalls examine IP (network layer) headers: source/destination IP address, protocol (UDP, TCP), and direction (inbound or outbound traffic). They can reject (deny), discard, or forward packets.
◦ 3 types of packet filtering firewalls:
  ◦ static filtering: rules must be configured in advance
  ◦ dynamic filtering: the firewall can modify its rules in response to traffic; it opens and closes "doors" so that only packets with the specified source, destination and port pass through the firewall
  ◦ stateful inspection: the firewall keeps track of the state of each connection and checks whether a packet "makes sense" in that context; it can recognise incoming packets that are responses to internal requests. If it cannot decide from connection state, it falls back to the ACL tables.

IP Packet Structure (figure: layout of the IP header fields)

Sample ACL table for a stateless packet filtering firewall
Rules are evaluated top-down and the first matching rule decides; 192.168.120.0 denotes the internal subnet.

Rule | Source IP      | Source port | Dest IP        | Dest port  | Action
1    | any            | any         | 192.168.120.0  | above 1023 | Allow
2    | 192.168.120.1  | any         | any            | any        | Deny
3    | any            | any         | 192.168.120.1  | any        | Deny
4    | 192.168.120.0  | any         | any            | any        | Allow
5    | any            | any         | 192.168.120.2  | 25         | Allow
6    | any            | any         | 192.168.120.3  | 80         | Allow
7    | any            | any         | any            | any        | Deny

Discussion: how do we read such a table? (Look at the Review of TCP and Logic file.)

Discussion: what do these rules mean? Do you see why an IDS is necessary?
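As an added worked example (not part of the lecture slides), the following Python models a stateless filter evaluating the table above top-down, first match wins. It assumes that 192.168.120.0 stands for the 192.168.120.0/24 subnet and that "above 1023" means ports 1024-65535; the sample packets use documentation-range addresses and are constructed for the demo.

```python
"""First-match evaluation of the stateless ACL from the slide.

Added example, not part of the course slides. Assumptions: the bare
address 192.168.120.0 in the table means the internal /24 subnet,
"above 1023" means ports 1024-65535, and rules are evaluated top-down
with the first match deciding the packet's fate.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

ANY = "any"
PortSpec = Union[str, int, Tuple[int, int]]   # "any", a single port, or (low, high)


@dataclass(frozen=True)
class Rule:
    number: int
    src_ip: str        # "any" or a CIDR network ("/32" for a single host)
    src_port: PortSpec
    dst_ip: str
    dst_port: PortSpec
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    """The only header fields a stateless filter looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def ip_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec)


def port_matches(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return port == spec


def evaluate(acl: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule.

    A packet that matches nothing is dropped (implicit deny, rule None);
    the slide's rule 7 makes that explicit.
    """
    for rule in acl:
        if (ip_matches(rule.src_ip, pkt.src_ip)
                and port_matches(rule.src_port, pkt.src_port)
                and ip_matches(rule.dst_ip, pkt.dst_ip)
                and port_matches(rule.dst_port, pkt.dst_port)):
            return rule.action, rule.number
    return "deny", None


# The seven rules from the slide, with the subnet assumption made explicit.
INTERNAL = "192.168.120.0/24"
SLIDE_ACL = [
    Rule(1, ANY, ANY, INTERNAL, (1024, 65535), "allow"),  # replies to outbound connections
    Rule(2, "192.168.120.1/32", ANY, ANY, ANY, "deny"),   # nothing may come from .1
    Rule(3, ANY, ANY, "192.168.120.1/32", ANY, "deny"),   # nothing may go to .1
    Rule(4, INTERNAL, ANY, ANY, ANY, "allow"),            # internal hosts may go out
    Rule(5, ANY, ANY, "192.168.120.2/32", 25, "allow"),   # mail server
    Rule(6, ANY, ANY, "192.168.120.3/32", 80, "allow"),   # web server
    Rule(7, ANY, ANY, ANY, ANY, "deny"),                  # default deny
]

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLES = {
    "web request to the web server":      Packet("203.0.113.9", 40000, "192.168.120.3", 80),
    "HTTPS to the web server":            Packet("203.0.113.9", 40001, "192.168.120.3", 443),
    "SSH to host .1":                     Packet("203.0.113.9", 40002, "192.168.120.1", 22),
    "unsolicited packet to .1 port 4444": Packet("203.0.113.9", 40003, "192.168.120.1", 4444),
    "internal host browsing out":         Packet("192.168.120.50", 49152, "198.51.100.7", 443),
    "host .1 going out":                  Packet("192.168.120.1", 49153, "198.51.100.7", 443),
}


def trace_samples(acl=SLIDE_ACL, samples=SAMPLES) -> dict:
    """Map each sample description to its (action, rule) decision."""
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, number) in trace_samples().items():
        print(f"{name:36s} -> {action:5s} (rule {number})")
```

Tracing the samples answers the discussion questions: rule 1 sits above rule 3, so an unsolicited packet to 192.168.120.1:4444 is allowed even though rule 3 was meant to shield that host, and any outside packet to any high port on the subnet passes. A stateless filter cannot tell a reply to an internal request from a probe, which is why rule 1 has to exist and why an IDS behind the filter is needed.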

Stateful Inspection Firewalls
◦ Examine transport layer headers.
◦ Track the state of transport layer connections using a state table.
  ◦ Able to track TCP and UDP source/destination ports, and TCP flags in particular.
◦ Dynamic stateful inspection firewalls maintain dynamic state tables to modify filtering rules based on network events.

TCP and UDP Packet Structure (figure: layout of the TCP and UDP header fields)

Sample state table for a stateful packet filtering firewall

Source IP        | Source port | Dest IP          | Dest port | Connection state
192.168.120.101  | 1037        | 209.233.19.22    | 80        | Established
192.168.120.104  | 1022        | 165.66.28.22     | 80        | Established
192.168.120.107  | 1010        | 65.66.122.101    | 25        | Established
192.168.120.102  | 1035        | 212.33.19.4      | 79        | Established
233.54.33.5      | 1899        | 192.168.120.101  | 80        | Established
306.33.21.3      | 3558        | 192.168.120.101  | 80        | Established

Note: 306.33.21.3 is not a valid IPv4 address (each octet is at most 255), and 233.54.33.5 lies in the multicast range, so it would not appear as a source address; treat both as typos in the sample.

Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file?)

Discussion: what do these lines mean?
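Added example, not from the slides: a minimal stateful inspection filter in Python that builds a state table like the one above. It assumes the internal network is 192.168.120.0/24, that only 192.168.120.101:80 is published to outside clients (matching the last two rows), and a 300-second idle timeout; the replayed segments are constructed, with documentation-range addresses in place of the slide's external hosts.

```python
"""Stateful inspection: a state table that gives packets connection context.

Added example, not from the lecture slides. Assumptions: the internal
network is 192.168.120.0/24, the only service published to the outside is
192.168.120.101:80, and idle entries expire after 300 seconds.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

INTERNAL = ip_network("192.168.120.0/24")
PUBLISHED_SERVICES = {("192.168.120.101", 80)}   # assumption
IDLE_TIMEOUT = 300                               # seconds, assumption

Key = Tuple[str, int, str, int]                  # src_ip, src_port, dst_ip, dst_port


@dataclass(frozen=True)
class Segment:
    """TCP header fields the filter looks at (ts is the arrival time in seconds)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]
    ts: int


class StatefulFilter:
    def __init__(self) -> None:
        # key as seen from the initiator -> [state, last_seen]
        self.table: Dict[Key, list] = {}

    def _expire(self, now: int) -> None:
        stale = [k for k, (_, seen) in self.table.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def _find(self, seg: Segment) -> Tuple[Optional[Key], bool]:
        """Return (key, is_reply); is_reply is True when seg flows responder -> initiator."""
        fwd = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        rev = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if fwd in self.table:
            return fwd, False
        if rev in self.table:
            return rev, True
        return None, False

    def process(self, seg: Segment) -> str:
        self._expire(seg.ts)
        key, is_reply = self._find(seg)
        if key is not None:
            entry = self.table[key]
            if "RST" in seg.flags:
                del self.table[key]                  # connection torn down
            else:
                if is_reply and entry[0] == "SYN_SENT" and {"SYN", "ACK"} <= seg.flags:
                    entry[0] = "ESTABLISHED"         # handshake completed
                elif "FIN" in seg.flags:
                    entry[0] = "CLOSING"
                entry[1] = seg.ts
            return "allow"
        # No context: only a fresh SYN may create a connection.
        if seg.flags != frozenset({"SYN"}):
            return "deny"                            # stray ACK/FIN/RST belongs to no known connection
        if ip_address(seg.src_ip) in INTERNAL:
            allowed = True                           # internal hosts may initiate outbound
        else:
            allowed = (seg.dst_ip, seg.dst_port) in PUBLISHED_SERVICES
        if not allowed:
            return "deny"
        self.table[(seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)] = ["SYN_SENT", seg.ts]
        return "allow"

    def state_of(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[str]:
        entry = self.table.get((src_ip, src_port, dst_ip, dst_port))
        return entry[0] if entry else None

    def rows(self) -> list:
        """The state table in the slide's layout: src, sport, dst, dport, state."""
        return [(k[0], k[1], k[2], k[3], v[0]) for k, v in self.table.items()]


def demo() -> list:
    """Replay constructed traffic and return the verdicts in order."""
    fw = StatefulFilter()
    traffic = [
        Segment("192.168.120.101", 1037, "209.233.19.22", 80, frozenset({"SYN"}), 0),
        Segment("209.233.19.22", 80, "192.168.120.101", 1037, frozenset({"SYN", "ACK"}), 1),
        Segment("192.168.120.101", 1037, "209.233.19.22", 80, frozenset({"ACK"}), 2),
        # unsolicited ACK to a high port: a stateless "above 1023" rule would pass it
        Segment("198.51.100.9", 80, "192.168.120.104", 1022, frozenset({"ACK"}), 3),
        # outside client opening the published web server
        Segment("198.51.100.5", 1899, "192.168.120.101", 80, frozenset({"SYN"}), 4),
        # outside client probing an unpublished SMTP port
        Segment("198.51.100.5", 2000, "192.168.120.107", 25, frozenset({"SYN"}), 5),
        # reply for the first connection, long after it went idle
        Segment("209.233.19.22", 80, "192.168.120.101", 1037, frozenset({"ACK"}), 1000),
    ]
    return [fw.process(seg) for seg in traffic]


if __name__ == "__main__":
    print(demo())
```

The unsolicited ACK to 192.168.120.104:1022 is the case a stateless table cannot handle: a rule allowing ports above 1023 would pass it, while the stateful filter drops it because no connection context exists. Once the first connection has been idle past the timeout, its return traffic is dropped too, so the table does not grow without bound.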

Where do we put packet filters?
◦ Internet cloud, packet filter, proxy server, inside net
◦ Internet cloud, packet filter, DMZ, packet filter, inside net

Application Gateways
◦ AKA application-level firewall, application firewall, or proxy server.
◦ Frequently installed on a separate computer but used in conjunction with the filtering router.
◦ Examines application layer information to determine service type, etc.
◦ Acts as a proxy for a service request:
  ◦ a web proxy receives requests for web pages, accesses the web server, and returns the pages to the client;
  ◦ it is able to store recently accessed pages in a local cache, so such proxies may be referred to as cache servers.
◦ Frequently placed in an unsecured network location, or in a DMZ network.
◦ Can be used to route all internal traffic for web pages via the intermediate proxy server.
◦ Still widely used for e-commerce, but DMZ networks are becoming more commonly used.
◦ Can be slower than other types of firewalls.
◦ Designed for one or a few protocols; cannot be easily reconfigured.

Proxy Server (also called application gateway, application-level firewall, or application firewall) (figure)

E.g. a web proxy receives traffic meant for/from the web server and then delivers it to/from the web server. In the figure the web server is protected by a firewall; there can be a packet-filter firewall in front of the proxy too.
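Added example, not code from the slides: a Python application gateway for HTTP that parses the request line and headers before deciding, and caches repeated GET responses as the slide's cache servers do. The allowed hosts and methods, the fake origin server, and the sample requests are constructed for the demo.

```python
"""Application gateway (HTTP proxy) inspection with a small response cache.

Added example, not from the lecture slides. The allowed hosts and methods
are assumptions for the demo; the origin server is a constructed callable
so the example runs offline.
"""
import re
from typing import Callable, Dict, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                   # assumption: no CONNECT/TRACE
ALLOWED_HOSTS = {"www.example.com", "intranet.example.net"}  # assumption
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse an HTTP/1.x request head; raise ValueError if it is not HTTP."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Application-layer decision: (verdict, reason)."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError as exc:
        return "deny", f"not HTTP: {exc}"        # e.g. another protocol pushed through port 80
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    host = headers.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return "deny", f"host {host!r} not permitted"
    return "allow", f"{method} http://{host}{target}"


class CachingProxy:
    """Forward allowed requests to the origin; serve repeated GETs from cache."""

    def __init__(self, origin: Callable[[bytes], bytes]) -> None:
        self.origin = origin
        self.cache: Dict[Tuple[str, str], bytes] = {}
        self.origin_calls = 0

    def handle(self, raw: bytes) -> bytes:
        verdict, reason = inspect_request(raw)
        if verdict == "deny":
            return b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n" + reason.encode()
        method, target, headers = parse_request(raw)
        key = (headers["host"].lower(), target)
        if method == "GET" and key in self.cache:
            return self.cache[key]                   # cache hit: origin not contacted
        self.origin_calls += 1
        response = self.origin(raw)
        if method == "GET":
            self.cache[key] = response
        return response


def fake_origin(raw: bytes) -> bytes:
    """Constructed stand-in for the real web server behind the proxy."""
    _method, target, _headers = parse_request(raw)
    body = f"page {target}".encode()
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)


# Constructed sample traffic as it would arrive on port 80.
GET_PAGE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TUNNEL = b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    proxy = CachingProxy(fake_origin)
    for raw in (GET_PAGE, GET_PAGE, TUNNEL, SSH_BANNER):
        print(inspect_request(raw), proxy.handle(raw)[:40])
    print("origin contacted", proxy.origin_calls, "time(s)")
```

The SSH banner shows the difference from a packet filter: on the wire it is just a TCP connection to port 80 and a port-based rule would pass it, but the gateway rejects it because it is not an HTTP request. The same parsing step is why such gateways are protocol-specific and slower than packet filters.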

Circuit Gateways
◦ AKA circuit gateway firewall or circuit-level gateway.
◦ Operates at the transport layer.
◦ Creates tunnels (circuits) connecting specific processes or systems and allows only authorized traffic in those tunnels.
◦ Only examines address and port information; does not examine application layer data.

MAC Layer & Hybrid Firewalls
◦ MAC layer filtering
  ◦ Operates at Layer 2 and examines MAC addresses.
  ◦ Typically included as a feature of packet filtering firewalls or hardware firewalls.
◦ Hybrid firewalls
  ◦ Contain components of different types of firewalls: packet filtering + MAC layer filtering, packet filtering + circuit gateway, packet filtering + proxy server.

Firewall Generations
◦ First generation: static packet filtering
◦ Second generation: proxy servers or application-level firewalls
◦ Third generation: stateful inspection firewalls
◦ Fourth generation: dynamic packet filtering firewalls
◦ Fifth generation: kernel proxy, operating at multiple layers of the protocol stack
  ◦ Windows NTEXEC kernel
  ◦ Cisco Centri Firewall kernel

Firewall Structures
◦ Commercial-grade firewall appliances
  ◦ standalone, self-contained hardware and software
  ◦ firmware-based instructions increase reliability and performance and reduce the chance of compromise
  ◦ rule sets stored in nonvolatile RAM
◦ Commercial-grade firewall systems
  ◦ application software running on general-purpose computers
◦ Small Office/Home Office (SOHO) grade firewall appliances
  ◦ protection for always-on high-speed Internet connections
  ◦ support stateful inspection, MAC filtering, port forwarding and NAT
  ◦ may provide intrusion detection capability
◦ Residential-grade firewall software
  ◦ frequently available as free or inexpensive software packages that run on individual hosts

SOHO Hardware vs Software Firewall
Suggestion: use BOTH.
◦ Implements the strategy of defense in depth.
◦ Hardware firewalls reduce or eliminate the exposure of individual systems to scanning and probes: unsolicited pre-attack probes are dropped at the perimeter before they reach any host (they do not stop attacks carried inside connections a user initiates).
◦ May improve system performance by reducing unnecessary traffic on the local network.
◦ SOHO hardware firewalls are not especially expensive and are well worth the investment.
◦ Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall.

Firewall Architectures
4 common implementations:
◦ Packet filtering routers
◦ Screened host firewalls
◦ Dual-homed host firewalls
◦ Screened subnet firewalls (with DMZ)

Packet Filtering Routers (figure: basic border firewall)

Untrusted Host
◦ Exposed host outside the border firewall.
◦ Host is configured for minimal services.
◦ Both incoming and outgoing traffic go through the external host (e.g. a proxy server).
◦ Internal hosts cannot trust the external host.
◦ If all traffic routes through the untrusted host, it may also be a dual-homed host.

Screened Host
◦ Untrusted host on a separate network and inside the firewall.
◦ Still untrusted by internal hosts.
◦ Other untrusted hosts can be on the same network.
◦ Creates a public access network (e.g. for web access), aka DMZ, perimeter network, or service network.

Dual-Homed Host
◦ All traffic enters/leaves the internal network via a proxy server.
◦ The proxy server may or may not be the firewall; they are not required to be the same device.

Screened Subnet Firewall
◦ Traffic between the internal network and the Internet traverses two firewalls and the DMZ network.
◦ Hosts in the DMZ act as publicly accessible servers.
◦ Traffic entering the inner firewall must originate from a host in the DMZ.
◦ Internal firewalls provide protection between internal subnets.
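Added example, not from the slides: a Python model of which firewalls a packet crosses in a screened subnet and what each decides. The zone address ranges and the two policies are assumptions for the demo (the DMZ web tier reaching an internal database on port 5432 is one such assumption).

```python
"""Screened subnet: which firewall(s) a packet crosses and what each decides.

Added example, not from the lecture slides. The zone address ranges and the
per-firewall policies are assumptions chosen for the demo.
"""
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

ZONES = {                                        # assumption: demo address plan
    "dmz": ip_network("203.0.113.0/24"),
    "internal": ip_network("192.168.120.0/24"),
}                                                # anything else is "internet"

Policy = Set[Tuple[str, str, object]]            # (from_zone, to_zone, dst_port or "*")

OUTER_POLICY: Policy = {
    ("internet", "dmz", 80), ("internet", "dmz", 443),   # public servers only
    ("dmz", "internet", "*"),
    ("internal", "internet", "*"),
}
INNER_POLICY: Policy = {
    ("internal", "dmz", "*"),
    ("internal", "internet", "*"),
    ("dmz", "internal", 5432),   # assumption: DMZ web tier may reach the internal database only
    # no ("internet", "internal", ...) entry: what enters here must originate in the DMZ
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def path(src_zone: str, dst_zone: str) -> List[str]:
    """Firewalls crossed, in order of traversal."""
    crossing = {src_zone, dst_zone}
    if crossing == {"internet", "dmz"}:
        return ["outer"]
    if crossing == {"dmz", "internal"}:
        return ["inner"]
    if crossing == {"internet", "internal"}:
        return ["outer", "inner"] if src_zone == "internet" else ["inner", "outer"]
    return []                                    # same zone: no firewall in the path


def permitted(policy: Policy, src_zone: str, dst_zone: str, dst_port: int) -> bool:
    return (src_zone, dst_zone, dst_port) in policy or (src_zone, dst_zone, "*") in policy


def decide(src_ip: str, dst_ip: str, dst_port: int,
           outer: Policy = OUTER_POLICY, inner: Policy = INNER_POLICY) -> Tuple[str, str]:
    """Return ("allow", last firewall crossed) or ("deny", firewall that dropped it)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    policies = {"outer": outer, "inner": inner}
    last = "none"
    for fw in path(src_zone, dst_zone):
        if not permitted(policies[fw], src_zone, dst_zone, dst_port):
            return "deny", fw
        last = fw
    return "allow", last


if __name__ == "__main__":
    # Constructed sample flows (documentation-range addresses).
    for flow in [("198.51.100.7", "203.0.113.10", 80),     # Internet -> DMZ web server
                 ("198.51.100.7", "192.168.120.5", 80),    # Internet -> internal host
                 ("203.0.113.10", "192.168.120.20", 5432),  # DMZ -> internal database
                 ("203.0.113.10", "192.168.120.20", 22),    # DMZ -> internal SSH
                 ("192.168.120.5", "198.51.100.7", 443)]:   # internal -> Internet
        print(flow, "->", decide(*flow))
```

Calling decide() with an outer policy widened to pass Internet-to-internal traffic still returns a deny from the inner firewall, which is the property the architecture is built for: an outer misconfiguration alone does not expose the LAN.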

Firewall Configuration Advantages/Disadvantages

Configuration                      | Advantages                                                    | Disadvantages
Screening router                   | Simple, cheap; a stateful packet filter is good for home use   | Minimal protection; viruses, trojans, etc. might get through
Dual-homed host                    | Simple, cheap, can work well if configured well                | Single point of failure and entry; depends entirely on the host computer
Screened host                      | Two layers of protection for home and small business           | Single point of failure and entry; depends entirely on the host computer and the router that protects it
Screened subnet (DMZ)              | Isolates public servers from the internal LAN and thus protects the LAN | Servers in the DMZ are highly exposed and must be hardened
Multiple DMZs/firewalls            | Layers of protection for a business network                    | $$$
Single DMZ, two firewalls          | Balances a heavy traffic load                                  | $$$
Branch offices, multiple firewalls | Each office is protected                                       | Each location has to be set up
Reverse firewall                   | Monitors internal users' access to external networks           | Can slow down access to external networks (even parts of the internal LAN)

SOCKS Servers
◦ SOCKS: protocol for handling TCP traffic (and, in SOCKS5, UDP) through a proxy server.
◦ A standardized circuit-level proxy protocol (SOCKS5 is specified in RFC 1928), not a proprietary one.
◦ Uses special client-side SOCKS agents on each workstation; filtering occurs in the workstations rather than in the proxy server.
◦ Each workstation must therefore be managed as a firewall detection and protection device.
◦ May require extra support and management resources, since individual clients must also be managed.

SOCKS Server (figure)
Note: the figure depicts a dual-homed host configuration with inner and outer firewalls.
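Added example serving both the circuit gateway section and the SOCKS slides above; it is not code from the lecture. It builds the SOCKS5 messages a client sends and parses them on the server side per RFC 1928 (greeting, method selection, CONNECT request and reply). The port allow-list is an assumption, and the BND.ADDR/BND.PORT fields in the reply are zero because nothing is actually relayed.

```python
"""SOCKS5 circuit-level proxy: greeting, method selection and CONNECT.

Added example, not from the lecture slides. Message layouts follow RFC 1928;
the destination-port allow-list is an assumption for the demo.
"""
import struct
from ipaddress import AddressValueError, IPv4Address
from typing import Callable, Tuple

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08


# ---- client side: the two messages a SOCKSified client sends ----
def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS"""
    return bytes([VER, len(methods), *methods])


def client_request(cmd: int, host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except AddressValueError:                      # not a dotted quad: send it as a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, cmd, 0x00]) + addr + struct.pack("!H", port)


# ---- server side: what the circuit gateway does with them ----
def select_method(greeting: bytes) -> bytes:
    """VER | METHOD; 0xFF tells the client no offered method is acceptable."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    methods = greeting[2:]
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def parse_request(req: bytes) -> Tuple[int, str, int]:
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError(f"unsupported address type {atyp}")
    if len(rest) != 2:
        raise ValueError("bad length")
    return cmd, host, struct.unpack("!H", rest)[0]


def handle_request(req: bytes, policy: Callable[[str, int], bool]) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; the decision uses address and port only."""
    try:
        cmd, host, port = parse_request(req)
    except ValueError as exc:
        rep = REP_ATYP_UNSUPPORTED if "address type" in str(exc) else REP_GENERAL_FAILURE
    else:
        if cmd != CMD_CONNECT:
            rep = REP_CMD_UNSUPPORTED
        elif not policy(host, port):
            rep = REP_NOT_ALLOWED
        else:
            rep = REP_SUCCESS
    # BND.ADDR/BND.PORT would name the relay's bound socket; zeros here since nothing is relayed.
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00" + b"\x00\x00"


def port_policy(host: str, port: int) -> bool:
    """Assumed ruleset: circuits only to web ports, whatever the host."""
    return port in (80, 443)


if __name__ == "__main__":
    print(select_method(client_greeting()).hex())
    req = client_request(CMD_CONNECT, "example.com", 443)
    print(req.hex(), "->", handle_request(req, port_policy).hex())
```

The server decides only from the command, the destination address and the port, never from the payload that would follow; that is exactly the circuit-level behaviour the slides describe, and also why a SOCKS proxy cannot catch a foreign protocol tunnelled over a permitted port the way an application gateway would.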

Firewall Selection
Factors to consider:
◦ Which firewall design provides the desired protection?
◦ What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization?
◦ What features are included, in the base price and as add-ons? Are all cost factors known?
◦ How easy is it to set up and configure? How accessible are knowledgeable staff to support the firewall?
◦ Can the proposed firewall adapt to projected network growth in the organization?