UNIT 2: Firewalls
Content:
• Firewalls in general: basic operation and architecture
• Main border firewalls using stateful inspection
• Screening firewalls using static packet inspection
• Application proxy firewalls
• Network address translation (NAT)
• Antivirus filtering
• Demilitarized zones (DMZs) + IDS/IPS
Firewalls
• A system or group of systems that enforce a network access control policy
• Filters data packets in and out of the intended target
• Strength relies on configuration
• Governs the flow of data into and out of a Local Area Network
• Separates a private network (LAN) from the public IP Net
Will defend against the following attacks:
• Denial of Service (DoS) attacks
• Unauthorized access
• Port scanning and probing

Intrusion Detection Systems
• Complement firewalls to detect if internal assets are being hacked or exploited
• Network-based intrusion detection
  - Monitors real-time network traffic for malicious activity
  - Similar to a network sniffer
  - Sends alarms for network traffic that meets certain attack patterns or signatures
• Host-based intrusion detection
  - Monitors computer or server files for anomalies
  - Sends alarms for network traffic that meets a predetermined attack signature
Will defend against the following attacks:
• Denial of Service (DoS) attacks
• Website defacements
• Malicious code and Trojans
Security Technology (Measures or Tools)
Virus Protection
• Software should be installed on all network servers, as well as computers
• Shall include the latest versions, as well as signature files (detected viruses)
• Should screen all software coming into your computer or network system (files, attachments, programs, etc.)
Will defend against the following attacks:
• Viruses and worms
• Malicious code and Trojans
Authentication and Authorization
Authentication
• Comes in (3) forms: what you have, know, or are
  - Have: smartcard, token
  - Know: password or PIN
  - Are: fingerprint, retina scan
• Two-factor authentication is the strongest: (2) out of the (3) listed means (i.e. ATM card)
• Password (most common)
  - Should be at least (8) mixed characters and numbers
  - Should be changed at least every (90) days
  - Should have a timeout of (3) attempts
Authorization
• What an individual has access to once authenticated
Will defend against the following attacks:
• Unauthorized access
Security Technology (Measures or Tools)
Encryption
• Protects data in transit or stored on disk
• The act of enciphering and deciphering data through the use of shared software keys; data cannot be accessed without the appropriate software keys
• Common uses of encryption include the following technologies:
  - Virtual Private Networking (VPN): used to secure data transfer across the IP Net
  - Secure Sockets Layer (SSL): used to secure client-to-server web-based transactions
  - S/MIME: used to secure e-mail transactions
  - Wired Equivalent Privacy (WEP) protocol: used to secure wireless transactions
Will defend against the following attacks:
• Data sniffing and spoofing
• Wireless attacks
Security Technology (Measures or Tools)
Assessment and Auditing
Assessment (risk and vulnerability)
• Process by which an organization identifies what needs to be done to achieve sufficient security
• Involves identifying and analyzing threats, vulnerabilities, attacks, and corrective actions
• Key driver in the information security process
• Should be conducted by a third party
• Includes manual and automated (vulnerability scanners) methods
Auditing
• Compare the state of a network or system against a set of standards or policy
Will defend against the following attacks:
• Identifies weaknesses and vulnerabilities that address all of the mentioned attacks

Data and Information Backups
• Must have for disaster recovery and business continuity
• Should include daily and periodic (weekly) backups
• Should be stored off-site, at least (20) miles away from the geographic location, and have 24x7 access
• Should be kept for at least (30) days while rotating the stockpile
Will defend against the following attacks:
• Used to respond to and replace information that is compromised by all the mentioned attacks
The Unprotected Network
What could possibly be wrong with this setup? A hacker's paradise and an administrator's nightmare!
What Can We Do?
• Fortunately, firewalls can give us very good protection against attacks from the IP Net.
• The only problem is that there are numerous firewall strategies.
• In order to choose the right strategy we need to know a bit more about the underlying communication protocol, TCP/IP.
Intranets
An intranet is a network that employs the same types of services, applications, and protocols present in an IP Net implementation, without involving external connectivity. Intranets are typically implemented behind firewall environments.
Extranets
An extranet is usually a business-to-business intranet, with controlled access for remote users via some form of authentication and encryption such as provided by a VPN.
Extranets employ TCP/IP protocols, along with the same standard applications and services.
Type of Firewalls
Firewalls fall into four broad categories
1. Packet filters
2. Circuit level
3. Application level
4. Stateful multilayer
1. Packet Filtering
[Figures: a simple packet filter firewall ("This must be really secure...?"); a packet filter; two packet filters is a must]
2. Circuit level
• Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
• They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
3. Application Level
• Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific.
• A gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet or other traffic through.
[Figure: application level proxy firewall]
4. Stateful Multilayer
• Stateful multilayer inspection firewalls combine aspects of the other three types of firewalls.
• They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer.
A Stateful Firewall Can Do That
• A stateful firewall is an advanced packet filter that keeps track of the state of the network connections going through it.
• Whenever a packet arrives at the stateful firewall, it checks whether it matches an ongoing connection. If a match is found, the packet can pass through.
[Figure: masquerading firewall]
Stateful Inspection Takes Us Further
• A stateful inspecting firewall is not limited to the network TCP/IP protocols.
• For known applications it looks at the application protocol as well.
• This enables the firewall to detect when a communication link does something out of the ordinary.
• It also enables the firewall to filter out certain parts of the data transmitted.
  - For the HTTP protocol it may filter out JavaScripts.
  - For the SMTP protocol it may filter out certain types of attachments.
General Performance
Well-Known Port Numbers

Port Number   Primary Protocol   Application
20            TCP                FTP data traffic
21            TCP                FTP supervisory connection; passwords sent in the clear
23            TCP                Telnet; passwords sent in the clear
25            TCP                Simple Mail Transfer Protocol (SMTP)
53            TCP                Domain Name System (DNS)
69            UDP                Trivial File Transfer Protocol (TFTP); no login necessary
80            TCP                Hypertext Transfer Protocol (HTTP)
110           TCP                Post Office Protocol (POP)
135-139       TCP                NETBIOS service for peer-to-peer file sharing in older versions of Windows
143           TCP                Internet Message Access Protocol (IMAP) for downloading e-mail to a client
161           UDP                Simple Network Management Protocol (SNMP)
443           TCP                HTTP over SSL/TLS
Firewalls
[Figure: IP Net firewall between the IP Net and the internal corporate network (hardened server, hardened client PC, IDS, network management console, log file). A legitimate packet from a legitimate host is allowed through; an attack packet from an attacker is denied and recorded in the log file]
Firewall Architecture (Single Site)
[Figure: main border firewall facing the IP Net, screening router firewall, internal firewall and host firewalls. Public webserver 60.47.3.9, SMTP application proxy server 60.47.3.10, HTTP application proxy server 60.47.3.1 and external DNS server 60.47.3.4; internal subnets 172.18.9.x, 172.18.5.x (marketing client) and 172.18.7.x (accounting server)]
Defense in Depth with Firewalls
[Figure: between the IP Net and the site: a screening border router with packet filter firewall software; the main firewall (a stateful inspection firewall); application firewalls for e-mail, HTTP, etc.; and clients with host firewall software]
Basic Firewall Operation
[Figure, built up in stages:
1. IP Net (not trusted) versus the internal corporate network (trusted)
2. IP Net border firewall
3. Attack packet from an attacker on the IP Net
4. Dropped packet (ingress, from the IP Net), recorded in the log file
5. Passed legitimate packet (ingress) from a legitimate user
6. Hardened client PC and hardened server deal with an attack packet that got through the firewall
7. Egress (to the IP Net): packets passed or dropped, with dropped packets logged]
Border Firewall
Hardened hosts provide defense in depth
Packet Filter Rule Base

Rule  Source Address  Source Port  Destination Address  Destination Port  Action  Description
1     Any             Any          192.168.1.0          > 1023            Allow   Rule to allow return TCP connections to the internal subnet
2     192.168.1.1     Any          Any                  Any               Deny    Prevent the firewall system itself from directly connecting to anything
3     Any             Any          192.168.1.1          Any               Deny    Prevent external users from directly accessing the firewall system
4     192.168.1.0     Any          Any                  Any               Allow   Internal users can access external servers
5     Any             Any          192.168.1.2          SMTP (25)         Allow   Allow external users to send e-mail in
6     Any             Any          192.168.1.3          HTTP (80)         Allow   Allow external users to access the WWW server
7     Any             Any          Any                  Any               Deny    "Catch-all" rule: everything not previously allowed is explicitly denied
• Any type of access from the inside to the outside is allowed.
• No access originating from the outside to the inside is allowed except for SMTP and HTTP.
• SMTP and HTTP servers are positioned "behind" the firewall.
A network of IP address 192.168.1.0, with the "0" indicating that the network has addresses that range from 192.168.1.0 to 192.168.1.254.
The firewall would normally accept a packet and examine its source and destination addresses and ports, and determine what protocol is in use.
The firewall starts at the top of the rule base and works down through the rules; whenever it finds a rule that permits or denies the packet, it takes the appropriate action:
• Accept: the firewall passes the packet through as requested, subject to whatever logging capabilities may or may not be in place.
• Deny: the firewall drops the packet without passing it through. Once the packet is dropped, an error message is returned to the source system. The "Deny" action may or may not generate log entries depending on the firewall's rule base configuration.
• Discard: the firewall not only drops the packet, but it does not return an error message to the source system. This action is used to implement the "black hole" methodology, in which a firewall does not reveal its presence to an outsider. The "Discard" action may or may not generate log entries.
1. The first rule permits return packets from external systems to return to the internal systems, thus completing the connection; it is assumed that if a connection to an external system was permitted, then the return packets from the external system should be permitted as well.
2. The second rule prohibits the firewall from forwarding any packets with a source address from the firewall; such a packet would indicate that an attacker is spoofing the firewall's address, hoping that the firewall would pass it to an internal destination, which might then accept the packet since it would appear to have come from the trusted firewall.
3. The third rule simply blocks external packets from directly accessing the firewall.
4. The fourth rule allows internal systems to connect to external systems, using any external addresses and any protocol.
5. Rules 5 and 6 allow external packets past the firewall if they contain SMTP data or HTTP data (e-mail and web, respectively).
6. The final rule blocks any other packets from the outside.
Opening Connections in Stateful Inspection Firewalls
Default behavior
• Permit connections initiated by an internal host (egress)
• Deny connections initiated by an external host (ingress)
• The default behavior can be changed with access control lists (ACLs) for ingress and egress
[Figure: a connection attempt from an internal host out to the IP Net is automatically accepted; a connection attempt from the IP Net (via the router) is automatically denied]
Permitting Incoming Connections in a Stateful Inspection Firewall
Default behavior can be modified by access control lists (ACLs)
• Ingress ACL permits some externally-initiated connections to be opened
• Egress ACL prohibits some internally-initiated connections from being opened
• On the basis of IP address, TCP or UDP port number, and/or IP protocol
• Sets of if-then rules applied in order
Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL)
1. If TCP destination port = 80, Allow Connection [Pass all HTTP traffic to any webserver. (Port 80 = HTTP)]
2. If TCP destination port = 25 AND destination IP address = 60.47.3.35, Allow Connection [Pass all SMTP traffic to a specific host (mail server), 60.47.3.35. Port 25 = SMTP] Safer than Rule 1
3. If TCP destination port = 500 AND destination IP address = 60.47.3.77, Allow Connection [Pass all Internet Key Exchange traffic to the firm's IPsec gateway, 60.47.3.77]
4. If protocol = 51 AND destination IP address = 60.47.3.77, Allow Connection [Pass all encrypted ESP traffic to the firm's IPsec gateway, 60.47.3.77. Protocol 51 is IPsec ESP (Encapsulating Security Payload)] Rule based on the IP protocol value.
5. Deny ALL [Deny all other externally-initiated connections] (Use the default behavior of stateful inspection firewalls for all other connection-opening attempts)
Stateful Firewall Default Operation
[Figure: internally initiated communication from the internal host to the external host is allowed; externally initiated communication is stopped (X)]
Main Border Firewall Stateful Inspection
Stateful firewall operation
• If the firewall accepts a connection, it records the two IP addresses and port numbers in the state table as OK (open)
• It accepts future packets between these hosts and ports with no further inspection
• This stops most IP Net-level attacks
• It does not address application-level attacks
Main Border Firewall Stateful Inspection I
[Figure: internal client PC 60.55.33.12 opens a connection through the stateful firewall to external webserver 123.80.5.34]
1. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 arrives at the stateful firewall
2. The firewall establishes the connection: again, outgoing connections are allowed by default, and permitted outgoing connections are placed in the connection table
3. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 is forwarded to the webserver
4. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 comes back
5. The firewall checks the connection table: connection OK, pass the packet
6. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 is delivered to the client

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
Main Border Firewall Stateful Inspection I
Stateful firewall operation
• For UDP, also record the two IP addresses and port numbers in the state table

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK
Main Border Firewall Stateful Inspection II
[Figure: an attacker at 10.5.3.4 spoofing an external webserver sends to internal client PC 60.55.33.12 through the stateful firewall]
1. Spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
2. The firewall checks the connection table: no connection match, drop

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK
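The connection-table behaviour of slides I and II, together with the ingress ACL of the previous section, written out as an added Python example (not code from the slides). The addresses, ports and packet sequence are the deck's own; the class and function names, the external address 60.47.9.9 and the probe source ports are assumptions made here, and IP protocol 51 (rule 4) is left out because the toy carries only TCP and UDP.

```python
from dataclasses import dataclass

# The deck's two internal address ranges: the client 60.55.33.12 of the
# connection-table slides and the 60.47.x.x hosts of the ingress ACL.
INTERNAL_PREFIXES = ("60.55.33.", "60.47.")


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


# Ingress ACL rules 1-3 from the deck; rule 5 "Deny ALL" is the fall-through.
# Tuple layout: (protocol, destination port, destination IP or None for any).
INGRESS_ACL = [
    ("TCP", 80, None),           # 1: HTTP to any internal webserver
    ("TCP", 25, "60.47.3.35"),   # 2: SMTP only to the mail server
    ("TCP", 500, "60.47.3.77"),  # 3: key exchange only to the IPsec gateway
]


class StatefulFirewall:
    """Connection table keyed (type, internal IP, internal port, external IP, external port)."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def is_internal(ip):
        return ip.startswith(INTERNAL_PREFIXES)

    def _key(self, pkt, outbound):
        if outbound:
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def handle(self, pkt):
        outbound = self.is_internal(pkt.src_ip)
        key = self._key(pkt, outbound)
        # Part of an approved ongoing connection: pass with no further inspection.
        if self.table.get(key) == "OK":
            return "PASS"
        if outbound:
            # Default behavior: internally initiated connections are permitted
            # and recorded; a UDP "connection" is recorded on its first datagram.
            self.table[key] = "OK"
            return "PASS"
        # Externally initiated. A SYN/ACK (or any other non-SYN segment) with
        # no table entry is the spoofed-reply case of slide II: drop it.
        opening = pkt.proto == "UDP" or (pkt.syn and not pkt.ack)
        if not opening:
            return "DROP"
        # A genuine connection-opening attempt from outside: consult the ingress ACL.
        for proto, port, dst in INGRESS_ACL:
            if pkt.proto == proto and pkt.dst_port == port and dst in (None, pkt.dst_ip):
                self.table[key] = "OK"
                return "PASS"
        return "DROP"  # rule 5: Deny ALL


def run_deck_scenario():
    """Replay the packets of slides I and II plus three constructed ACL probes."""
    fw = StatefulFirewall()
    packets = [
        Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True),            # 1: SYN out
        Packet("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True),  # 4: SYN/ACK back
        Packet("UDP", "60.55.33.12", 63206, "1.8.33.4", 69),                         # UDP out (TFTP)
        Packet("UDP", "1.8.33.4", 69, "60.55.33.12", 63206),                         # UDP reply
        Packet("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True),     # spoofed SYN/ACK
        Packet("TCP", "1.2.3.4", 40000, "60.47.3.35", 25, syn=True),                 # SMTP to the mail server
        Packet("TCP", "1.2.3.4", 40001, "60.47.9.9", 25, syn=True),                  # SMTP to another host
        Packet("TCP", "1.2.3.4", 40002, "60.47.3.77", 23, syn=True),                 # Telnet: Deny ALL
    ]
    return [fw.handle(p) for p in packets]
```

The replay returns PASS for the client's SYN, the matching SYN/ACK, the UDP exchange and the SMTP attempt to 60.47.3.35, and DROP for the spoofed SYN/ACK, the SMTP attempt to a different host and the Telnet attempt.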
Stateful Inspection Firewall in Perspective
Simplicity and therefore low cost
• Connection-opening decisions are somewhat complex
• But most packets are part of approved ongoing connections
• Filtering ongoing packets is extremely simple
• Therefore, stateful inspection is fast and inexpensive
Low-cost safety
• Stops nearly all IP Net-level attacks (application-level filtering is still needed)
Dominance for main border firewalls
• Nearly all use stateful inspection
Beyond stateful inspection
• Most main border firewalls also use other inspection methods: denial-of-service filtering, limited application content filtering, etc.
Firewall Architecture (Single Site)
[Figure: screening router 60.47.1.1 (last rule = Permit All) at the IP Net border. Public webserver 60.47.3.9, SMTP relay proxy 60.47.3.10, HTTP proxy server 60.47.3.1 and external DNS server 60.47.3.4; internal subnets 172.18.9.x, 172.18.5.x (marketing client) and 172.18.7.x (accounting server)]
Static Packet Inspection on Screening Router Firewalls
Screening firewall routers
• Add filtering to the border router to stop scanning probes: TCP/IP packets are inspected at the IP level, where the IP addresses and port numbers are found
• Filter out many high-frequency, low-complexity attacks
• For ingress filtering, reduce the load on the main border firewall
High cost for sufficient performance
• Must add inspection software to the router (expensive)
• Usually must upgrade router processing speed and memory (expensive)
Good location for egress filtering
• Stops all replies to probe packets, including those from the border router itself
Static Packet Filter Firewall
[Figure: static packet filter firewall between the corporate network and the IP Net. Arriving packets (IP-H + TCP-H + application message; IP-H + UDP-H + application message; IP-H + ICMP-H + ICMP message) are examined one at a time, in isolation, and only the IP, TCP, UDP and ICMP headers are examined. Each packet is either permitted (passed) or denied (dropped), with a log file. Examining packets in isolation misses many attacks]
Static Packet Inspection on Screening Router Firewalls
Use static packet filtering
• Requires complex access control lists (ACLs), because an ACL statement is needed for each rule
Screening Firewall Router Ingress (out to in) ACL
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.47.*.*, DENY [internal IP address range]
5. If source IP address = 1.33.3.4, DENY [black-holed IP address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet that makes no sense, asking both to open a connection and to close a connection]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver via HTTP and HTTP over SSL/TLS]
8. If TCP destination port = 80 OR 443, DENY [prevent communication to other internal webservers]
Note: Rule 7 MUST come before Rule 8
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [File/Print Sharing for Windows clients]
13. If TCP destination port = 513, DENY [Unix rlogin without password]
14. If TCP destination port = 514, DENY [Unix rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but Version 1 was not secure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
18. If ICMP, DENY [drop all other incoming ICMP packets]
19. PASS ALL [pass all other packets; it is the job of the main border firewall to stop attacks not found by the screening firewall router]

Screening Firewall Router Egress (in to out) ACL
1. If source IP address NOT = 60.47.*.*, DENY [not in internal IP address range so must be spoofed]
2. If ICMP Type = 8, PASS [allow outgoing echo messages, that is, pings]
3. If ICMP, DENY [drop all other outgoing ICMP messages] Again, order is important.
4. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
5. If TCP source port = 1234, DENY [port of a currently-widespread Trojan horse]
6. PASS ALL [screening firewalls have PASS ALL as their last rule]
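The two ACLs above, and the top-down first-match processing the earlier packet filter rule base also relies on, as an added Python example (not code from the slides). The rules are the deck's; the rule engine, the `Packet` fields and the external sample address 198.51.100.7 are assumptions constructed here.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                 # "TCP", "UDP" or "ICMP"
    dport: int = 0
    sport: int = 0
    flags: set = field(default_factory=set)    # TCP flags present, e.g. {"SYN"}
    icmp_type: int = -1


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# One entry per ACL statement: (label, predicate, action). A static filter sees
# each packet in isolation, so the predicates look only at header fields.
INGRESS_ACL = [
    ("1 private 10/8",       lambda p: in_net(p.src, "10.0.0.0/8"),                     "DENY"),
    ("2 private 172.16/12",  lambda p: in_net(p.src, "172.16.0.0/12"),                  "DENY"),
    ("3 private 192.168/16", lambda p: in_net(p.src, "192.168.0.0/16"),                 "DENY"),
    ("4 internal 60.47/16",  lambda p: in_net(p.src, "60.47.0.0/16"),                   "DENY"),
    ("5 black-holed host",   lambda p: p.src == "1.33.3.4",                             "DENY"),
    ("6 SYN+FIN",            lambda p: p.proto == "TCP" and {"SYN", "FIN"} <= p.flags,  "DENY"),
    ("7 public webserver",   lambda p: p.proto == "TCP" and p.dst == "60.47.3.9"
                                       and p.dport in (80, 443),                        "PASS"),
    ("8 other webservers",   lambda p: p.proto == "TCP" and p.dport in (80, 443),       "DENY"),
    ("9-10 FTP",             lambda p: p.proto == "TCP" and p.dport in (20, 21),        "DENY"),
    ("11 Telnet",            lambda p: p.proto == "TCP" and p.dport == 23,              "DENY"),
    ("12 NetBIOS",           lambda p: p.proto == "TCP" and 135 <= p.dport <= 139,      "DENY"),
    ("13-14 rlogin/rsh",     lambda p: p.proto == "TCP" and p.dport in (513, 514),      "DENY"),
    ("15 SSH",               lambda p: p.proto == "TCP" and p.dport == 22,              "DENY"),
    ("16 TFTP",              lambda p: p.proto == "UDP" and p.dport == 69,              "DENY"),
    ("17 echo reply",        lambda p: p.proto == "ICMP" and p.icmp_type == 0,          "PASS"),
    ("18 other ICMP",        lambda p: p.proto == "ICMP",                               "DENY"),
]   # rule 19, PASS ALL, is the fall-through in evaluate()

EGRESS_ACL = [
    ("1 spoofed source",     lambda p: not in_net(p.src, "60.47.0.0/16"),               "DENY"),
    ("2 echo request",       lambda p: p.proto == "ICMP" and p.icmp_type == 8,          "PASS"),
    ("3 other ICMP",         lambda p: p.proto == "ICMP",                               "DENY"),
    ("4 TCP RST",            lambda p: p.proto == "TCP" and "RST" in p.flags,           "DENY"),
    ("5 Trojan port 1234",   lambda p: p.proto == "TCP" and p.sport == 1234,            "DENY"),
]   # rule 6, PASS ALL, is the fall-through


def evaluate(acl, pkt):
    """Walk the ACL top-down and return (action, label) of the first matching
    statement; with no match the router's last rule, PASS ALL, applies."""
    for label, pred, action in acl:
        if pred(pkt):
            return action, label
    return "PASS", "PASS ALL"


def order_matters():
    """Why rule 7 MUST come before rule 8: with the two swapped, HTTP to the
    public webserver is denied. Returns (action as written, action when swapped)."""
    pkt = Packet(src="198.51.100.7", dst="60.47.3.9", proto="TCP", dport=80, flags={"SYN"})
    swapped = INGRESS_ACL[:6] + [INGRESS_ACL[7], INGRESS_ACL[6]] + INGRESS_ACL[8:]
    return evaluate(INGRESS_ACL, pkt)[0], evaluate(swapped, pkt)[0]
```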
NAT and PAT
Because the firewall keeps track of all live connections through it, the firewall is able to do both NAT and PAT, or any combination thereof.
NAT: Network Address Translation
PAT: Port Address Translation
A firewall performing NAT or PAT is often referred to as a masquerading firewall.
Network Address Translation (NAT)
Here, we look at several filtering methods that firewalls use to make pass/deny decisions about arriving packets.
There is one IP Net-level method used in several types of firewalls that does not actually filter packets but that effectively provides a great deal of protection.
This is network address translation (NAT).
It is used in firewalls that use different types of examination methods as a second type of protection.
The problem
• Sniffers on the IP Net can read packets to and from organizations
• Reveals IP addresses and port numbers of hosts
• Provides considerable information about potential victims without the risks of sending probing attacks
Solution: hide the IP addresses and port numbers of internal hosts.
Network Address Translation (NAT)
[Figure: client 192.168.5.7 behind a NAT firewall talks to a server host on the IP Net; a sniffer on the IP Net sees only the translated address and port]
1. From 192.168.5.7, port 61000 (client to NAT firewall)
2. From 60.5.9.8, port 55380 (NAT firewall to server, across the IP Net)
3. To 60.5.9.8, port 55380 (server reply; this is what the sniffer sees)
4. To 192.168.5.7, port 61000 (NAT firewall to client)

Translation Table
Internal IP Addr   Internal Port   External IP Addr   External Port
192.168.5.7        61000           60.5.9.8           55380
...                ...             ...                ...
Comments on NAT
• Sniffers on the IP Net cannot learn internal IP addresses and port numbers; they only learn the translated address and port number
• By themselves, NAT/PAT provide a great deal of protection against attacks: external attackers cannot create a connection to an internal computer
Sniffers and NAT
• Sniffers can read the stand-in IP addresses and port numbers
• They can send back packets to these stand-in values; NAT will deliver them to the real host
NAT/PAT
• NAT does more than network (IP) address translation; it also does port number translation
• Should be called NAT/PAT, but NAT is the common term
Problems with certain protocols
• Virtual private networks, VoIP, etc.
Box: Using NAT for address multiplication
• A firm may only be given a limited number of public IP addresses
• Must use these in packets sent to the IP Net
• May use private IP addresses internally
• For each public IP address, there can be a separate connection for each possible port: Address 60.5.9.8, Port = 2000; Address 60.5.9.8, Port = 2001; etc.
• Each connection can be linked to a different internal IP address
• Can have thousands of internal IP addresses for each public IP address
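The translation table of the NAT slides, the sniffer comment and the address-multiplication box, as an added Python example (not code from the slides). The public address 60.5.9.8 and the 192.168.5.7:61000 to 55380 mapping are the deck's; the class, the sequential port allocation and the constructed internal host addresses are assumptions made here.

```python
import itertools


class NatPat:
    """Translation table of a masquerading firewall doing NAT/PAT."""

    def __init__(self, public_ip, first_port=55380):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next free stand-in port
        self.out = {}    # (internal IP, internal port) -> external port
        self.back = {}   # external port -> (internal IP, internal port)

    def outbound(self, src_ip, src_port):
        """Rewrite the source of an outgoing packet (steps 1 -> 2 of the slide).
        An internal (IP, port) pair keeps its stand-in port for the life of the connection."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self._ports)
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key]

    def inbound(self, dst_ip, dst_port):
        """Rewrite the destination of an incoming packet (steps 3 -> 4).
        Returns the real (IP, port), or None when nothing maps: an external host
        cannot reach an internal computer that has no entry in the table."""
        if dst_ip != self.public_ip:
            return None
        return self.back.get(dst_port)


def sniffer_exposure(nat):
    """The deck's caveat: a sniffer on the IP Net sees only the stand-in pair,
    never 192.168.5.7:61000, but a packet sent back to that stand-in pair is
    delivered to the real host. Returns (seen on the IP Net, delivered to)."""
    seen = nat.outbound("192.168.5.7", 61000)
    delivered = nat.inbound(*seen)
    return seen, delivered


def address_multiplication(hosts, public_ip="60.5.9.8"):
    """The deck's 'address multiplication': one public address, a separate stand-in
    port (2000, 2001, ...) per internal connection. Constructed internal hosts are
    192.168.x.y. Returns (distinct public IPs used, table entries)."""
    nat = NatPat(public_ip, first_port=2000)
    used = {nat.outbound(f"192.168.{h // 250}.{h % 250 + 1}", 61000)[0] for h in range(hosts)}
    return len(used), len(nat.back)
```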
Application Proxy Firewalls
Application Proxy Firewall
[Figure: browser on client PC 192.168.6.77, HTTP proxy on the application proxy firewall 60.45.2.6, webserver application on webserver 123.80.5.34]
1. HTTP request from 192.168.6.77
2. Filtering: blocked URLs, POST commands, etc.
3. Examined HTTP request from 60.45.2.6
4. HTTP response to 60.45.2.6
5. Filtering on hostname, URL, MIME, etc.
6. Examined HTTP response to 192.168.6.77
Application Proxy Firewall Operation
Application proxy firewall client/server relaying
• Relay operation: the proxy acts as a server to the client and as a client to the server
• Full protocol support
• Slow processing per packet
HTTP content filtering
• Command filtering (POST)
• Host or URL filtering
• MIME and file extension filtering
• HTML script filtering
Core protections
• IP address hiding (a sniffer will only see the application proxy firewall's IP address)
• Packet header destruction
• Stopping protocol spoofing with protocol enforcement
• Problem with HTTP tunneling
Core Protections Due to Application Proxy Firewall Relay Operation
[Figure: header destruction. An arriving packet from internal host 1.2.3.4 (original IP header, original TCP header, application message (HTTP)) reaches the application proxy firewall 60.45.2.6; its headers are removed and a new packet (new IP header, new TCP header, application message (HTTP)) from 60.45.2.6 goes to webserver 123.80.5.34. A sniffer on the IP Net sees only the new packet from 60.45.2.6]
[Figure: protocol enforcement. 1. A Trojan horse on internal client PC 60.55.33.12 transmits on port 80 to attacker 1.2.3.4 to get through an IP Net-level firewall. 2. The protocol is not HTTP, so the application proxy firewall stops the transmission (X)]
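The HTTP proxy's filtering steps (POST command, host, URL and file-extension filtering), the relay that builds a fresh request so only the firewall's address leaves, and the protocol enforcement that stops a non-HTTP transmission on port 80, as an added Python example (not code from the slides). The firewall address 60.45.2.6 is the deck's; the regular expression, the blocklists, the function names and the constructed sample messages (including the non-HTTP "AGENT-HELLO" line standing in for the Trojan's traffic) are assumptions made here.

```python
import re

# Request line of HTTP/1.0 or HTTP/1.1; anything else is not HTTP to this proxy.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOW_POST = False                       # command filtering (POST), as in the slide
BLOCKED_HOSTS = {"blocked.example"}      # hostname filtering (constructed sample)
BLOCKED_URL_PARTS = ("/upload",)         # URL filtering (constructed sample)
BLOCKED_EXTENSIONS = (".exe", ".scr")    # file-extension filtering (constructed sample)
PROXY_IP = "60.45.2.6"


def parse_request(raw):
    """Return (method, target, headers) or None when the bytes are not HTTP.
    The proxy relays only what it can parse as HTTP, so a Trojan tunnelling
    its own protocol over port 80 fails here: that is protocol enforcement."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    method, target = m.group(1).decode(), m.group(2).decode()
    head, _, _ = raw[m.end():].partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            return None          # malformed header line: still not HTTP
        name, value = line.split(b":", 1)
        headers[name.strip().decode().lower()] = value.strip().decode()
    return method, target, headers


def filter_request(raw):
    """Proxy decision for one client request: ("relay", new_request) or ("block", reason)."""
    parsed = parse_request(raw)
    if parsed is None:
        return "block", "not HTTP: protocol enforcement"
    method, target, headers = parsed
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} not allowed"
    if method == "POST" and not ALLOW_POST:
        return "block", "POST command filtered"
    host = headers.get("host", "")
    if host in BLOCKED_HOSTS:
        return "block", f"host {host} blocked"
    if any(part in target for part in BLOCKED_URL_PARTS):
        return "block", f"URL {target} blocked"
    if target.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", f"file extension in {target} blocked"
    # Relay: acting as a client to the server, the proxy builds a new request of
    # its own; the original client's packet headers never leave the firewall.
    new_request = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\nVia: 1.1 {PROXY_IP}\r\n\r\n"
    return "relay", new_request.encode()
```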
Application Proxy Firewall Operation
[Figure: application proxy firewall 60.45.2.6 running an HTTP proxy (client PC 192.168.6.77 to webserver 123.80.5.34), an FTP proxy (outbound filtering on Put) and an SMTP (e-mail) proxy (inbound and outbound filtering on obsolete commands and content). A separate proxy program is needed for each application filtered on the firewall]
Application Proxy Firewalls
Multiple proxies
• Each application to be filtered needs a separate proxy program
• Small firms usually use a single application proxy firewall with multiple application proxies
• Large firms usually use a single application proxy firewall per proxy
Other application proxies
• FTP (prohibit Put, limit file sizes, etc.)
• SMTP (prohibit obsolete commands, delete attachments, limit attachment size, MIME type)
• Web services (work in progress)
Proxy Firewall Advantages
We can safely allow any kind of network traffic from the inside to the outside, as long as we use a proxy to do it.
To the outside it seems that only the firewall exists.
It is impossible to send any network packets directly to the internal hosts or vice versa.
Proxy Firewall Disadvantages
For every network service we wish to use we must install a proxy designed exactly for that service on the firewall.
Furthermore, every network service we wish to use, we must use a client that is able to use a proxy.
What can we do if no proxy exists for a given service?
Proxy Firewall
In general, proxy firewalls are considered very secure.
Unfortunately, they are not very flexible.
Ideally we wish to be able to use any client software.
Circuit Firewalls
• Non-application-specific application proxy firewalls
• Create connections at the application layer
• Provide IP address hiding and header destruction, but not protocol enforcement
• Do not provide content filtering
• Do provide authentication
• SOCKS V5 is the dominant standard for circuit firewalls
Circuit Firewall
[Figure: Circuit Firewall (SOCKS v5) at 60.34.3.31 between an external client (123.30.82.5) and a webserver (60.80.5.34). 1. Authentication; 2. Transmission; 3. Passed transmission: no filtering; 4. Reply; 5. Passed reply: no filtering. A generic type of application firewall.]
Antivirus Filtering
Normally, Firewalls Do Not Do Antivirus Filtering
They pass packets needing antivirus filtering to an antivirus server
Checkpoint's FireWall-1 and Antivirus Filtering
[Figure: 1. Arriving packet from the external server; 2. Statefully filtered packet; 3. DoS protection and optional authentications on the FireWall-1 firewall; 4. Content Vectoring Protocol hands the packet to a third-party application inspection firewall; 5. Statefully filtered packet plus application inspection is delivered to the internal client.]
Antivirus Filtering
Examine Application Messages for Many Forms of Malware
Not just viruses: worms, Trojan horses, spyware, adware
Detection is Based on Signatures
Strings of characters found within specific malware files
Create a new signature for each piece of malware and add it to the signatures database
Antivirus filter vendors worry about signatures so complex that signature-based detection will be too slow to be useful
Updating Antivirus Programs
All antivirus programs have an updating feature to get new signatures and program upgrades
Without updates, programs cannot handle new threats
Users may turn off updating or update too rarely
Users may let subscriptions lapse; the program remains, but gets no new updates
Where to Filter? On individual user PCs
The traditional approach to antivirus filtering
But users often fail to update
May even turn off the antivirus program because it is inconvenient
Where to Filter? On the e-mail server
Filters mail before the user gets it
Systems administrators are likely to maintain the filtering
Where to Filter? E-mail outsourcing companies
Filter mail before it gets to the firm
Outsourcers have expertise
This reduces corporate labor costs
Where to Filter? Defense in Depth
Filter in two locations or all three
Spam
Unsolicited commercial e-mail
Also can be filtered on individual PCs, on e-mail servers, or at e-mail outsourcing firms
Not as precise as antivirus filtering
Too many false negatives (failing to label spam messages as spam)
Too many false positives (labeling good messages as spam): very dangerous
Host Firewalls
[Figure: Host Firewalls. IP Net; 172.18.9.x subnet; Marketing Client on 172.18.5.x subnet; Accounting Server on 172.18.7.x subnet with a server host firewall (5); DMZ (6) containing Public Webserver 60.47.3.9, SMTP Relay Proxy 60.47.3.10, HTTP Proxy Server 60.47.3.1 and External DNS Server 60.47.3.4, each with its own host firewall.]
Host Firewalls
Firewalls on clients and servers
Give defense in depth
Client PC Firewalls
Third party PC firewalls are common
Windows XP introduced the IP Net Connection Firewall (ICF)
Stateful inspection firewall
Not turned on by default
No egress filtering
Can open selected ports for ingress filtering
Windows XP Service Pack 2 (late 2004) introduced the Windows Firewall
Upgrade to ICF
Turned on by default
Can open selected ports for ingress filtering
Still no egress filtering
Why no egress filtering on PC firewalls?
Ingress filtering requires no or little user intervention
Egress filtering requires users to decide what programs can communicate over the IP Net, a difficult task
So it does not stop spyware or other outbound attack communication
Server Firewalls
IP Net-level firewalls: precise because only a few specific ports need to be opened
Application-specific firewalls: filtering rules linked to specific protocols (SQL, HTTP, etc.)
Filtering sometimes linked to specific application programs (Microsoft's IIS, etc.)
Home Firewall
[Figure: Home Firewall. IP Net Service Provider; always-on broadband connection over coaxial cable to a broadband modem; UTP cord to the home PC running a PC firewall.]
Windows XP has an internal firewall
Originally called the IP Net Connection Firewall; disabled by default
After Service Pack 2 called the Windows Firewall; enabled by default
SOHO Firewall Router
[Figure: SOHO Firewall Router. IP Net Service Provider; broadband modem (DSL or cable); SOHO router acting as router, DHCP server, NAT firewall and limited application firewall; Ethernet switch; user PCs connected by UTP.]
Many access routers combine the router and Ethernet switch in a single box
Many firewalls, particularly those based on stateful inspection technology, have maintained successful defense arsenals against network assaults. As a result, a growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. This important shift in attack methodology requires that firewalls provide not only access control and network-level attack protection, but also understand application behavior to protect against application attacks and hazards.
The application layer attracts numerous attacks for several reasons. First, it is the layer that contains a hacker’s ultimate goal—actual user data. Second, the application layer supports many protocols (HTTP, CIFS, VoIP, SNMP, SMTP, SQL, FTP, DNS, etc.), so it houses numerous potential attack methods. And third, detecting and defending against attacks at the application layer is more difficult than at lower layers because more vulnerabilities arise in this layer.
Comments: Stateful Inspection vs. Application Layer Filtering
Application layer filtering is considered to be the more secure method. Why?
When using stateful inspection you are only looking at the envelope’s information to determine whether or not you will accept the letter. With application level filtering technology, you are opening the envelope to inspect the letter itself.
1) Stateful inspection firewalls cannot defend internal systems against application specific attacks such as buffer overflows or code exploits. These firewalls rely on the software running on internal systems for security in protecting against these types of attacks. Often customers will not secure internal systems and applications because they are given a false sense of security from their firewall.
2) Application Layer Filtering firewalls offer a more secure method of handling traffic without exposing internal machines to application specific attacks. By verifying incoming data against an application level filter, they can intercept these types of attacks before reaching internal systems.
3) Stateful inspection firewalls may not detect inserted ‘destructive’ data within a session that appears safe. Because stateful inspection firewalls do not inspect each packet for application information, a remote user can establish a session through a stateful inspection firewall and pass ‘destructive’ data. Once a session is established on a valid port, a remote user can embed potentially harmful data within a seemingly safe packet. Because the application data cannot be verified, the stateful inspection firewall is unable to check the data of the incoming packets to determine whether they are harmful.
4) Stateful inspection firewalls do not provide the same level of logging that application level filters can. Because stateful inspection firewalls do not intercept the application data, they are limited in the information that they can log. Application level filters allow for more detailed logging.
The traditional argument for the use of stateful inspection technology has always been that it achieves similar levels of security to other firewall technologies, but with greater throughput. This is a faulty concept based on two points:
1) Application level filtering has always been seen as a more secure alternative to stateful inspection. Stateful inspection does not give a similar level of security to application level filtering, for the reasons mentioned above. It is a less secure alternative.
2) With current operating system and hardware advances, the idea of application level filtering being slower than stateful inspection is no longer valid. Stateful inspection firewalls can achieve throughput near line speed for 10 Mbps or 100 Mbps networks but do not exceed these speeds, meaning that a company’s link to the IP Net will still have a throughput bottleneck.
Application Layer Filtering Firewall:
The Demilitarized Zone (DMZ)
[Figure: The Demilitarized Zone (DMZ). IP Net; 172.18.9.x subnet; Marketing Client on 172.18.5.x subnet; Accounting Server on 172.18.7.x subnet with a server host firewall (5); DMZ (6) containing Public Webserver 60.47.3.9, SMTP Relay Proxy 60.47.3.10, HTTP Proxy Server 60.47.3.1 and External DNS Server 60.47.3.4.]
The Demilitarized Zone (DMZ)
Subnet for servers and application proxy firewalls accessible via the IP Net
Hosts in the DMZ must be especially hardened because they will be attacked by hackers
Hardened hosts in the DMZ are called bastion hosts
Uses Tri-Homed Main Firewalls
3 NICs, each attached to a different subnet
One subnet to the border router
One subnet for the DMZ (accessible to the outside world)
One subnet for the internal network
Access from the internal subnet to the IP Net is strongly controlled
Access from the DMZ is also strongly controlled
Hosts in the DMZ
Public servers (public webservers, FTP servers, etc.)
Application proxy firewalls
External DNS server that only knows host names for hosts in the DMZ
DMZ Environment
Can be created out of a network connecting two firewalls
The boundary router filters packets, protecting the servers
The first firewall provides access control and protection from the servers if they are hacked
Intrusion Detection Systems (IDSs)
[Figure: Intrusion Detection System (IDS). 1. Suspicious packet from a possible attacker on the Internet; 2. Suspicious packet passed to the hardened server on the corporate network; 3. The IDS logs the suspicious packet to its log file; 4. The IDS raises an alarm to the security administrator.]
IDS and IPS Placement
[Figure: IDS and IPS Placement. Attack packets arrive from the Internet through the border router; the IPS sits in-line between the border router and the internal network, while the IDS receives a copy of the attack packet and raises an alert.]
IDSs are slow and cannot be in-line with the packet stream.
IPSs use ASICs for speed and can be in-line with the packet stream; therefore they can stop attacks.
Firewalls, IDSs, and IPSs
                              Firewalls   IDSs                  IPSs
Drops packets?                Yes         No                    Yes
Logs packets?                 Yes         Yes                   Yes
Sophistication in filtering   Medium      High                  High
Creates alarms?               No          Yes                   Sometimes
Precision                     High        Low without tuning    Low without tuning
Event Correlation in An Integrated Log File
1. 8:45:05.03 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)
2. 8:45:05.45 Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
3. 8:45:06.03 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)
4. 8:45:12.30 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)
5. 8:45:13.02 Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
6. 8:45:13.27 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)
7. 8:45:30.45 Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)
8. 8:45:30.59 Host 60.3.4.5. Successful login for account Lee (Host 60.3.4.5 log entry)
9. 8:45:31.11 Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)
10. 9:05:12.25 Packet from 60.3.4.5 to 123.28.5.210. TFTP request (network IDS log entry)
11. (no corresponding host log entry)
12. 9:05:13.08 Series of packets from 123.28.5.210 to 60.3.4.5. TFTP response (network IDS)
13. (no more host log entries)
14. 9:10:48.52 Packet from 60.3.4.5 to 60.0.0.1. TCP SYN=1, Dest. Port 25 (network IDS)
15. 9:10:48.54 Packet from 60.0.0.1 to 60.3.4.5. TCP RST=1, Src. Port 25 (network IDS)
16. 9:10:48.58 Packet from 60.3.4.5 to 60.0.0.2. TCP SYN=1, Dest. Port 25 (network IDS)
17. 9:10:49.07 Packet from 60.0.0.2 to 60.3.4.5. TCP RST=1, Src. Port 25 (network IDS)
18. Several hundred packets like 14-17, each increasing the target IP address by 1
19. 9:14:18.52 Packet from 60.3.4.5 to 60.3.8.13. TCP SYN=1, Dest. Port 25 (network IDS)
20. 9:14:27.58 Packet from 60.3.8.13 to 60.3.4.5. TCP SYN=1, ACK=1, Src. Port 25 (NIDS)
21. 9:14:28.07 Packet from 60.3.4.5 to 60.3.8.13. TCP ACK=1, Dest. Port 25 (network IDS)
22. 9:15:48.05 Packet from 60.3.4.5 to 60.3.8.13. SMTP (network IDS) (This would really be several packets back and forth.)
23. 9:15:48.18 Packet from 60.3.4.5 to 60.3.8.13. SMTP (network IDS) (This would really be several packets back and forth.)
24. Several thousand packets similar to 22 and 23
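As an added Python example (not part of the original slides), a small correlator that applies the reasoning of the integrated log above: it joins the host log's login records with the network IDS packet records and reports the three stages the log illustrates (password guessing, a TFTP fetch by the compromised host, then an outbound sweep for mail servers). The thresholds, the rule wording and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the unit's integrated log file (same hosts and event
# sequence, written for this example; not the page's own data).
LOG = """\
8:45:05.45 Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
8:45:13.02 Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
8:45:30.59 Host 60.3.4.5. Successful login for account Lee (Host 60.3.4.5 log entry)
9:05:12.25 Packet from 60.3.4.5 to 123.28.5.210. TFTP request (network IDS log entry)
9:10:48.52 Packet from 60.3.4.5 to 60.0.0.1. TCP SYN=1, Dest. Port 25 (network IDS)
9:10:48.54 Packet from 60.0.0.1 to 60.3.4.5. TCP RST=1, Src. Port 25 (network IDS)
9:10:48.58 Packet from 60.3.4.5 to 60.0.0.2. TCP SYN=1, Dest. Port 25 (network IDS)
9:10:49.11 Packet from 60.3.4.5 to 60.0.0.3. TCP SYN=1, Dest. Port 25 (network IDS)
"""

TIME_RE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+)\s+(.*)$")
LOGIN_RE = re.compile(r"Host (\S+)\. (Failed login attempt|Successful login) for account (\w+)")
PACKET_RE = re.compile(r"Packet from (\S+) to (\S+)\.?\s*(.*)")


def parse(line):
    """Return (seconds since midnight, kind, fields) for one log line, or None if unparseable."""
    m = TIME_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, frac, body = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
    if lm := LOGIN_RE.search(body):
        host, outcome, account = lm.groups()
        return t, "login", {"host": host, "ok": outcome.startswith("Successful"), "account": account}
    if pm := PACKET_RE.search(body):
        src, dst, detail = pm.groups()
        return t, "packet", {"src": src, "dst": dst.rstrip("."), "detail": detail}
    return None


def correlate(log_text, fail_threshold=2, sweep_threshold=3, window=600):
    """Join HIDS login records with NIDS packet records and return a list of findings.
    Rules follow the unit's log: repeated failures then a success on one account (guessing),
    an outbound TFTP fetch by that host (tool download), then SYNs to port 25 on many hosts."""
    findings = []
    fails = defaultdict(list)       # (host, account) -> times of failed logins
    compromised = {}                # host -> time of the suspicious successful login
    syn_targets = defaultdict(set)  # src -> distinct destinations probed on port 25
    for t, kind, f in filter(None, map(parse, log_text.splitlines())):
        if kind == "login":
            key = (f["host"], f["account"])
            if not f["ok"]:
                fails[key].append(t)
                continue
            recent = [x for x in fails[key] if t - x <= window]
            if len(recent) >= fail_threshold:
                compromised[f["host"]] = t
                findings.append(f"{f['host']}: {len(recent)} failed logins for {f['account']} then success (possible password guessing)")
        else:
            src = f["src"]
            if "TFTP request" in f["detail"] and src in compromised:
                findings.append(f"{src}: TFTP request to {f['dst']} after suspicious login (possible tool download)")
            syn = re.search(r"SYN=1, Dest\. Port (\d+)", f["detail"])
            if syn and syn.group(1) == "25":
                syn_targets[src].add(f["dst"])
                if len(syn_targets[src]) == sweep_threshold:
                    findings.append(f"{src}: SYNs to port 25 on {sweep_threshold} distinct hosts (outbound mail-server sweep)")
    return findings
```

Neither log alone would have flagged this: the host log only shows a login that eventually succeeded, and the NIDS only shows ordinary-looking packets, which is the point of correlating the two.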
Distributed IDS
[Figure: Distributed IDS. A manager with a log file receives log file transfers, in batch mode or real time, from agents: a host IDS (HIDS) agent, a main border firewall agent, a site agent, an internal switch-based network IDS (NIDS), a stand-alone NIDS inside the firewall and a stand-alone NIDS outside the firewall.]
Information Sources: the different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring.
Analysis: the part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.
Response: the set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings so that action can be taken based on those reports.
Major types of IDSs:
IDS Architecture:
The architecture of an IDS refers to how the functional components of the IDS are arranged with respect to each other.
The primary architectural components are:
The Host: the system on which the IDS software runs
The Target: the system that the IDS is monitoring for problems
IDS Centralized Control Strategy:
IDS Partially Distributed Control Strategy:
IDS Fully Distributed Control Strategy:
Timing
Timing refers to the elapsed time between the events that are monitored and the analysis of those events.
Interval-Based (Batch Mode)
In interval-based IDSs, the information flow from monitoring points to analysis engines is not continuous. The information is handled in a fashion similar to “store and forward” communications schemes. Many early host-based IDSs used this timing scheme, as they relied on OS audit trails, which were generated as files. Interval-based IDSs are precluded from performing active responses.
Real-Time (Continuous)
Real-time IDSs operate on continuous information feeds from information sources. This is the predominant timing scheme for network-based IDSs, which gather information from network traffic streams. In this document, we use the term “real-time” as it is used in process control situations. This means that detection performed by a “real-time” IDS yields results quickly enough to allow the IDS to take actions.
Information Sources
The most common way to classify IDSs is to group them by information source. Some IDSs analyze network packets, captured from network backbones or LAN segments (DMZ), to find attackers. Other IDSs analyze information sources generated by the OS or application software for signs of intrusion.
NIDS and HIDS
[Figure: NIDS and HIDS placement; the same diagram as the Distributed IDS figure above.]
Application-Based IDSs
Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources used by application-based IDSs are the application’s transaction log files.
The ability to interface with the application directly, with significant domain or application-specific knowledge included in the analysis engine, allows application-based IDSs to detect suspicious behavior due to authorized users exceeding their authorization. This is because such problems are more likely to appear in the interaction between the user, the data, and the application.
Deploying Network-Based IDSs
Strengths of Intrusion Detection Systems
Monitoring and analysis of system events and user behaviors
Testing the security states of system configurations
Baselining the security state of a system, then tracking any changes to that baseline
Recognizing patterns of system events that correspond to known attacks
Recognizing patterns of activity that statistically vary from normal activity
Typical IDS Output
Almost all IDSs will output a small summary line about each detected attack:
Time/date
Sensor IP address
Vendor-specific attack name
Standard attack name (if one exists)
Source and destination IP address
Source and destination port numbers
Network protocol used by the attack
Text description of the attack
Attack severity level
Type of loss experienced as a result of the attack
The type of vulnerability the attack exploits
List of software types and version numbers that are vulnerable to the attack
Patch/cover information so that computers can resist the attack
References to public advisories about the attack or the vulnerability it exploits
Handling Attacks
Types of Computer Attacks Detected by IDSs
Three types of computer attacks are most commonly reported by IDSs:
1. System scanning
2. Denial of service (DoS)
3. System penetration
These attacks can be launched locally, on the attacked machine, or remotely, using a network to access the target. An IDS operator must understand the differences between these types of attacks, as each requires a different set of responses.
Conclusion
It is clear that some form of security for private networks connected to the IP Net is essential
A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions.
Many thanks