firewall essentials

By Sylvain Maret / Datelec Networks SA March 2000

Upload: sylvain-maret

Post on 18-May-2015

DESCRIPTION

Firewall training

TRANSCRIPT

Page 1: Firewall Essentials

By Sylvain Maret / Datelec Networks SA, March 2000

Page 2: Firewall Essentials

Welcome to Introduction to Firewall Essentials

This course is intended to provide you with an understanding of key concepts and theories associated with firewalls, security policies and attacks directed toward your network.

Page 3: Firewall Essentials

Course Objectives

Understand firewall basics, including the definition of a firewall, firewall functions and the need for firewalls

Understand firewall technologies, including TCP/IP basics, routers and application-level gateways (proxies)

Page 4: Firewall Essentials

Course Objectives (cont.)

Understand security hazards

Understand cryptography, including the need for encryption and virtual private networks (VPNs)

Page 5: Firewall Essentials

Course Map

Firewall Essentials Unit I

Chapter 1: What is a Firewall?

Chapter 2: Types of Firewalls

Chapter 3: How Firewalls Work

Page 6: Firewall Essentials

Course Map

Firewall Essentials Unit II

Chapter 1: The Need for a Firewall

Chapter 2: Security Hazards

Page 7: Firewall Essentials

Course Map

Firewall Essentials Unit III

Chapter 1: Firewall Features

Chapter 2: Security Policies

Open Discussion

Page 8: Firewall Essentials

Unit I - Chapter 1: What is a Firewall?

Page 9: Firewall Essentials

Securing a Network

Firewall Visiting Packets

Page 10: Firewall Essentials

Placed at the entrance to an organization’s intranet

Placed inside an internal network

Placed between RAS and the internal network

It is the check point for communication to an outside network

Firewall Location

Page 11: Firewall Essentials

Firewall Location (figure): Internet, firewall router, company intranet, restricted network and corporate data center, with a firewall drawn at each boundary.

Page 12: Firewall Essentials

Network packet (level 3)

Network session (level 7)

Communicating Across a Network

Page 13: Firewall Essentials

Contains all the information required to route it to the final destination

Contains the information to deliver it to the correct application on the destination system

Requires five specific pieces of information for routing

Network Packet

Page 14: Firewall Essentials

IP Packet Components

IP Packet Component       U.S. Mail Address Component    Comments
Destination IP address    Street address and zip code    Each host on an IP Internet or intranet must have a unique IP address
Protocol                  Organization name              The standard protocols above IP are TCP and UDP
Destination port number   Recipient name                 Identifies the network application to receive the packet
Source IP address         Sender's return address        So the application knows where to send replies
Source port number        Sender's name                  To identify the application of the sending host for return packets

Comparing IP Packet with a Letter Address

Page 15: Firewall Essentials

Network - similar to a zip code, the primary information used by routers to deliver the packet to the correct LAN

Host - similar to a letter address, directs the packet to the correct host on the LAN

Division of IP Address

Page 16: Firewall Essentials

“Mailing” a Letter (figure): a packet addressed To: 204.32.38.102 is routed between two LANs, one holding hosts 204.32.38.102 to 204.32.38.105 and the other hosts 192.38.1.1 to 192.38.1.4.

Page 17: Firewall Essentials

The total data sent between an initial request and the completion of that request

Evident at the user or application level of the protocol stack

Network Session

Page 18: Firewall Essentials

Access Control

Authentication

Activity Logging

Other Firewall Services

Standard Firewall Services

Page 19: Firewall Essentials

Allows the firewall to consider the network interface where the packet enters

Prevents or limits IP spoofing

“Don’t talk to me unless I talk to you first”

Access Control

Page 20: Firewall Essentials

Standards have usually relied on passwords, smartcards or tokens

Based on the identity of the user, not on the IP address

Authentication

Page 21: Firewall Essentials

Allows the firewall to record information concerning all successful and failed session attempts

Referred to as an audit log

Activity Logging

Page 22: Firewall Essentials

Proxy Applications

Virus Scanning

Address Mapping

Virtual Private Networks (VPN)

Other Firewall Services

Page 23: Firewall Essentials

Three classes of firewall administrator interfaces:

Text-file based administration

Text-menu based administration

GUI-based administration

Firewall Administration Interfaces

Page 24: Firewall Essentials

Popular in routers and homegrown firewalls

Interface of choice for UNIX administrators

Easier to make errors

Text-File Based Administration

Page 25: Firewall Essentials

Reduces likelihood of errors

Less flexibility of control

Limited visual feedback to changes made

Text-Menu Based Administration

Page 26: Firewall Essentials

Most prominent

Easier to use

Less prone to errors

GUI-Based Administration

Page 27: Firewall Essentials

A firewall can reduce the vulnerabilities on a network, not eliminate them

Firewalls act as filters

Actual Security Provided

Page 28: Firewall Essentials

Unit I - Chapter 2: Types of Firewalls

Page 29: Firewall Essentials

Packet Filter

Application-Level Gateway

Stateful Inspection

Three Basic Types of Firewalls

Page 30: Firewall Essentials

Referred to as filtering routers with a set of simple rules

Determines whether a packet should pass based on the source and destination information within the packet

Process is performed at the kernel level

Packet Filter Firewall

Page 31: Firewall Essentials

Less secure than application-level gateway firewalls

Packet Filter Firewall (cont.)

Page 32: Firewall Essentials

Packet Filtering Firewall (figure): the packet filter works at the kernel level, below the application level; packets from Network 1, Network 2 and Network 3 are either dropped or passed and routed on.

Page 33: Firewall Essentials

Does not allow packets to pass directly between networks

Original connections are made to a proxy on the firewall

Application-level Gateway Firewall

Page 34: Firewall Essentials

Requires a separate application for each network service

TELNET

FTP

E-mail

WWW

Application-level Gateway Firewall (cont.)

Page 35: Firewall Essentials

Application-level Gateway Firewall (figure): proxies at the application level handle the connections between Network 1, Network 2 and Network 3; the kernel level only routes packets.

Page 36: Firewall Essentials

Ensures the highest level of firewall security by performing the following functions:

Accessing, analyzing and utilizing communication information

Communication-derived state

Application-derived state

Information Manipulation

Stateful Packet Filtering

Page 37: Firewall Essentials

Communication information

Information from all seven layers of the packet

Stateful Inspection

Page 38: Firewall Essentials

Communication-derived state

State information derived from previous communications

Stateful Inspection

Page 39: Firewall Essentials

Application-derived state

State information derived from other applications

Stateful Inspection

Page 40: Firewall Essentials

Information manipulation

Evaluation of flexible expressions based on the following:

communication information

communication-derived state

application-derived state

Stateful Inspection
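As an added example (not code from the slides or from Check Point), the following Python model shows the communication-derived state described on pages 36 to 40 and the access-control rule on page 19, “don't talk to me unless I talk to you first”: sessions opened from the inside are recorded in a dynamic state table, inbound packets are passed only when they belong to such a session, and idle entries expire. Interface names, the idle timeout and the addresses are assumptions.

```python
from dataclasses import dataclass

# Constructed example: a minimal stateful inspection engine. Not from the
# slides; interface names, timeout and addresses are assumptions.
INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "SYN", "SYN-ACK", "ACK" or "FIN" (TCP control bits, simplified)


class StatefulFilter:
    """Keeps a dynamic state table of sessions opened from the inside.
    Inbound packets are passed only when they belong to such a session:
    "don't talk to me unless I talk to you first"."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        # (src, sport, dst, dport) as seen from the inside -> last activity time
        self.table = {}

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, p, now):
        """Return "PASS" or "DROP" for packet p arriving at time now (seconds)."""
        self._expire(now)
        if p.iface == INSIDE:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "SYN":          # new outbound session: remember it
                self.table[key] = now
                return "PASS"
            if key in self.table:         # continuation of a known session
                self.table[key] = now
                return "PASS"
            return "DROP"
        # Outside interface: the packet must be the reply half of a known session.
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.table:
            if p.flags == "FIN":
                del self.table[key]        # session closing: forget it
            else:
                self.table[key] = now
            return "PASS"
        return "DROP"                      # unsolicited inbound traffic

    def active_sessions(self):
        return len(self.table)


def run_scenario():
    """Replay four packets and return the engine's decisions."""
    fw = StatefulFilter(idle_timeout=300)
    decisions = []
    # 1. An inside host opens a Telnet session outward: recorded and passed.
    decisions.append(fw.process(Packet(INSIDE, "10.56.2.98", 23567, "10.122.6.11", 23, "SYN"), now=0))
    # 2. The server's reply matches the recorded session: passed.
    decisions.append(fw.process(Packet(OUTSIDE, "10.122.6.11", 23, "10.56.2.98", 23567, "SYN-ACK"), now=1))
    # 3. An unsolicited inbound connection attempt to the inside host: dropped.
    decisions.append(fw.process(Packet(OUTSIDE, "10.122.6.11", 4321, "10.56.2.98", 23, "SYN"), now=2))
    # 4. Traffic for the session after it has been idle longer than the timeout: dropped.
    decisions.append(fw.process(Packet(OUTSIDE, "10.122.6.11", 23, "10.56.2.98", 23567, "ACK"), now=302))
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The third packet is the case a plain packet filter gets wrong: its addresses and ports look like any other Telnet packet, and only the absence of a matching state-table entry identifies it as unsolicited. The idle timeout is what keeps the table from growing without bound and from honouring replies to sessions that ended long ago.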

Page 41: Firewall Essentials

Check Point’s FireWall-1 Stateful Inspection (figure): the Inspect Engine with its dynamic state tables is inserted between the Data Link and Network layers of the firewall’s protocol stack, between the seven-layer stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) of the two communicating hosts.

Page 42: Firewall Essentials

Comparison of Firewall Architecture

Firewall Capability           Packet Filters   Application-Level Gateways   Stateful Inspection
Communication information     Partial          Partial                      Yes
Communication-derived state   No               Partial                      Yes
Application-derived state     No               Yes                          Yes
Information manipulation      Partial          Yes                          Yes

Page 43: Firewall Essentials

Unit I - Chapter 3: How Firewalls Work

Page 44: Firewall Essentials

Identify the packet processing locations on a firewall

Describe packet filtering and its limitations

Describe proxy applications and their limitations

Identify user authentication

Describe firewall auditing

How Firewalls Work: Objectives

Page 45: Firewall Essentials

Application Level

Proxy services

Kernel Level

Routers and host-based packet filters

Network Interface Card (NIC) Level

Packet Processing Locations

Page 46: Firewall Essentials

Packet Processing Locations Within a Firewall (figure): the possible firewall processing locations are the application level (proxy), the kernel level and the network card level.

Page 47: Firewall Essentials

May occur at any one of the processing locations

Most often supported at the NIC or kernel level

Passes or drops packet based on source and destination IP addressing

Packet Filtering

Page 48: Firewall Essentials

Field                         Purpose
Source IP address             Host address of sender
Destination IP address        Host address of service provider
Upper level protocol          Different protocols offer different services
TCP source port number        A random number greater than 1024
TCP destination port number   Indicates service such as Telnet or HTTP

Fields of Interest for Packet Filtering

Page 49: Firewall Essentials

HTTP Filtering (figure): a router receives HTTP and FTP packets; the HTTP packets pass and the others are dropped.

Page 50: Firewall Essentials

Rule Number   Source Address   Destination Address   Protocol   Source Port Number   Action
1             10.56.2.99       *                     TCP        *                    Drop
2             10.56.*          10.122.*              TCP        *                    Pass
3             10.122.*         10.56.*               TCP        23                   Pass
4             *                10.56.*               *          *                    Pass
5             *                *                     *          *                    Drop

Example Rule List

Page 51: Firewall Essentials

Match Rule #   Source Address   Destination Address   Protocol   Source Port Number   Destination Port Number   Action Taken
2              10.56.2.98       10.122.6.11           TCP        23567                23 (Telnet)               Pass
1              10.56.2.99       10.122.6.11           TCP        6723                 23 (Telnet)               Drop
5              10.56.2.98       10.122.6.11           other      23568                23 (Telnet)               Drop
3              10.122.34.9      10.56.2.5             TCP        23                   98455                     Pass
4              10.122.23.1      10.56.2.98            TCP        1543                 25 (mail)                 Pass

Example Packets and Resulting Actions

Page 52: Firewall Essentials

Some rules could leave open doors to the network

Difficult to determine exactly what the rules permit

Limitations of Packet Filtering
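As an added example (not code from the slides), the following Python first-match packet filter replays the rule list of page 50 against the packets of page 51 and reproduces the actions shown there, then illustrates the “open door” limitation of page 52. The rule list is taken as printed on the slide (it has no destination port column, which is part of why it is hard to see what it permits); the wildcard notation and the outside probe address 10.35.25.6 from the page 87 figure are the only assumptions.

```python
from dataclasses import dataclass

# Constructed example, not code from the slides. RULES is the page 50 rule
# list and PACKETS the page 51 packets, both as printed there.


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # exact address, "10.56.*" style prefix wildcard, or "*"
    dst: str
    proto: str    # "TCP" or "*"
    sport: str    # port number as text, or "*"
    action: str   # "Pass" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int    # not consulted: the slide's rule list has no destination port column


RULES = [
    Rule(1, "10.56.2.99", "*",        "TCP", "*",  "Drop"),
    Rule(2, "10.56.*",    "10.122.*", "TCP", "*",  "Pass"),
    Rule(3, "10.122.*",   "10.56.*",  "TCP", "23", "Pass"),
    Rule(4, "*",          "10.56.*",  "*",   "*",  "Pass"),
    Rule(5, "*",          "*",        "*",   "*",  "Drop"),
]

PACKETS = [
    Packet("10.56.2.98",  "10.122.6.11", "TCP",   23567, 23),
    Packet("10.56.2.99",  "10.122.6.11", "TCP",   6723,  23),
    Packet("10.56.2.98",  "10.122.6.11", "other", 23568, 23),
    Packet("10.122.34.9", "10.56.2.5",   "TCP",   23,    98455),  # port as printed on the slide
    Packet("10.122.23.1", "10.56.2.98",  "TCP",   1543,  25),
]


def addr_matches(pattern, addr):
    """Octet-wise match: "*" matches everything, "10.56.*" matches 10.56.x.y."""
    if pattern == "*":
        return True
    p_octets, a_octets = pattern.split("."), addr.split(".")
    for p, a in zip(p_octets, a_octets):
        if p == "*":
            return True
        if p != a:
            return False
    return len(p_octets) == len(a_octets)


def field_matches(pattern, value):
    return pattern == "*" or pattern == str(value)


def filter_packet(pkt, rules=RULES):
    """First matching rule wins; returns (rule number, action).
    A packet matching nothing is dropped with rule number None."""
    for r in rules:
        if (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)
                and field_matches(r.proto, pkt.proto)
                and field_matches(r.sport, pkt.sport)):
            return r.number, r.action
    return None, "Drop"


def evaluate_examples():
    """The page 51 packets in order: expected [(2,Pass),(1,Drop),(5,Drop),(3,Pass),(4,Pass)]."""
    return [filter_packet(p) for p in PACKETS]


def open_door_probe():
    """Page 52's limitation: rule 4 says nothing about where the packet comes from
    or which service it targets, so an outside host reaching an inside Telnet port passes."""
    return filter_packet(Packet("10.35.25.6", "10.56.2.98", "TCP", 40000, 23))


if __name__ == "__main__":
    for p, (n, a) in zip(PACKETS, evaluate_examples()):
        print(f"{p.src} -> {p.dst} {p.proto} {p.sport}->{p.dport}: rule {n} {a}")
    print("outside -> inside Telnet:", open_door_probe())
```

Rule 3 shows the classic packet-filter compromise: to let Telnet replies back in it trusts the source port 23, which any sender can choose. The probe in open_door_probe is the kind of check worth running over a rule list before deploying it: feed it the packets you do not want to pass and see which rule admits them.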

Page 53: Firewall Essentials

Applications on proxy gateways that act on behalf of the user requesting service through the firewall

Proxy Applications

Page 54: Firewall Essentials

Connection Process Using an Application-level Gateway (figure): steps 1 to 4 between the user, the proxy at the application level of the firewall (which consults an authorization database) and the destination host; the steps are described on the following slides.

Connection Process Using an Application-level Gateway

Page 55: Firewall Essentials

1 User first establishes a connection to the proxy application on the firewall

2 The proxy application gathers information concerning the connection and the requesting user

Connection Process

Page 56: Firewall Essentials

3 This information is used to determine whether the request should be permitted - if approved, the proxy creates another connection from the firewall to the intended destination

Connection Process (cont.)

Page 57: Firewall Essentials

4 The proxy shuttles the user data from one connection to the other

Connection Process (cont.)

Page 58: Firewall Essentials

Initial connection must go through the proxy application on the firewall, not to the intended destination

Proxy application must obtain the IP address of the intended destination

Proxy Challenges

Page 59: Firewall Essentials

Direct Connection

Modified Client

Invisible Proxy

Proxy Connections

Page 60: Firewall Essentials

Connect directly to the firewall proxy using the address of the firewall and the port number of the proxy

Least preferred method

Requires two addresses for each connection:

Address of firewall

Address of the intended destination

Direct Connection

Page 61: Firewall Essentials

Applications are executed client-side, at the user’s computer

Effective and transparent

The need to have a modified client application for each network service is a significant drawback

Modified Client

Page 62: Firewall Essentials

No need to modify client applications

Users don’t have to direct their communication to the firewall

Packets are automatically redirected to an awaiting proxy as they enter the firewall

Invisible Proxy

Page 63: Firewall Essentials

New applications must be developed for each supported service

Proxy Limitations

Page 64: Firewall Essentials

Three traditional methods for verifying someone’s identity:

“Something known” - a password

“Something possessed” - a key to a lock, or a smartcard

“Something embodied” - fingerprint or retinal scan

User Authentication

Page 65: Firewall Essentials

Information provided by log files:

Time and date of session start

Time and date of session end

Source host address

Destination host address

Activity Logging

Page 66: Firewall Essentials

Information provided by log files (cont.):

Protocol

Destination Port

Action taken - accepted or denied

User name - if authentication used

Activity Logging (cont.)

Page 67: Firewall Essentials

Administrators may review the logs to look for suspicious activities:

Repeated failed connection attempts

Flood of allowed connection attempts going to the same host

Connections made at odd hours

Multiple failed authentication attempts

Audit Information
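As an added example (not code from the slides), the following Python script parses a small audit log with the fields listed on pages 65 and 66 and flags the four kinds of suspicious activity listed on page 67. The log lines, the comma-separated layout, the thresholds and the convention that a denied session with a user name is a failed authentication are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not from the slides), one session per line with
# the fields listed on pages 65-66:
# start,end,source,destination,protocol,destination port,action,user name
# Convention assumed here: a "denied" line with a user name is a failed
# authentication; a "denied" line without one is a failed connection attempt.
SAMPLE_LOG = """\
2000-03-06 09:12:01,2000-03-06 09:12:05,10.56.2.98,10.122.6.11,TCP,23,accepted,
2000-03-06 09:13:10,2000-03-06 09:13:10,10.35.25.6,10.122.6.11,TCP,23,denied,
2000-03-06 09:13:11,2000-03-06 09:13:11,10.35.25.6,10.122.6.11,TCP,25,denied,
2000-03-06 09:13:12,2000-03-06 09:13:12,10.35.25.6,10.122.6.11,TCP,80,denied,
2000-03-06 09:13:13,2000-03-06 09:13:13,10.35.25.6,10.122.6.11,TCP,21,denied,
2000-03-06 03:02:44,2000-03-06 03:40:00,10.56.2.5,10.122.34.9,TCP,23,accepted,jdoe
2000-03-06 10:00:01,2000-03-06 10:00:02,10.56.2.10,10.122.6.11,TCP,80,accepted,
2000-03-06 10:00:05,2000-03-06 10:00:06,10.56.2.11,10.122.6.11,TCP,80,accepted,
2000-03-06 10:00:09,2000-03-06 10:00:10,10.56.2.12,10.122.6.11,TCP,80,accepted,
2000-03-06 10:00:14,2000-03-06 10:00:15,10.56.2.13,10.122.6.11,TCP,80,accepted,
2000-03-06 10:00:20,2000-03-06 10:00:21,10.56.2.14,10.122.6.11,TCP,80,accepted,
2000-03-06 10:00:30,2000-03-06 10:00:31,10.56.2.15,10.122.6.11,TCP,80,accepted,
2000-03-06 14:20:01,2000-03-06 14:20:01,10.56.2.7,10.122.34.9,TCP,23,denied,admin
2000-03-06 14:20:15,2000-03-06 14:20:15,10.56.2.7,10.122.34.9,TCP,23,denied,admin
2000-03-06 14:20:40,2000-03-06 14:20:40,10.56.2.7,10.122.34.9,TCP,23,denied,admin
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        start, end, src, dst, proto, dport, action, user = line.split(",")
        records.append({
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action, "user": user,
        })
    return records


def repeated_failed_connections(records, threshold=3):
    """Sources with at least `threshold` denied sessions (no user name involved)."""
    counts = Counter(r["src"] for r in records if r["action"] == "denied" and not r["user"])
    return {src: n for src, n in counts.items() if n >= threshold}


def connection_flood(records, threshold=5, window_seconds=60):
    """Destinations that received at least `threshold` accepted sessions inside
    some `window_seconds` window; the value is the busiest window's count."""
    starts = defaultdict(list)
    for r in records:
        if r["action"] == "accepted":
            starts[r["dst"]].append(r["start"])
    flooded = {}
    for dst, times in starts.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            flooded[dst] = best
    return flooded


def odd_hour_sessions(records, business_hours=(7, 19)):
    """Sessions started outside business hours (default 07:00 to 19:00)."""
    first, last = business_hours
    return [r for r in records if not first <= r["start"].hour < last]


def repeated_failed_auth(records, threshold=3):
    """User names with at least `threshold` denied (failed authentication) sessions."""
    counts = Counter(r["user"] for r in records if r["action"] == "denied" and r["user"])
    return {user: n for user, n in counts.items() if n >= threshold}


def review(text=SAMPLE_LOG):
    records = parse_log(text)
    return {
        "failed_connections": repeated_failed_connections(records),
        "floods": connection_flood(records),
        "odd_hours": [(r["src"], r["start"].strftime(TIME_FMT)) for r in odd_hour_sessions(records)],
        "failed_auth": repeated_failed_auth(records),
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(finding, detail)
```

Each detector is deliberately simple and tunable: the thresholds and the business-hours window are the parameters an administrator adjusts to the site, and the flood detector reports the busiest window rather than a total so that a slow trickle over a day is not confused with a burst.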

Page 68: Firewall Essentials

Unit II - Chapter 1: The Need for a Firewall

Page 69: Firewall Essentials

Intranet

Internet services

RAS

Financial connections (Reuters, Bloomberg, etc.)

Extranet, etc.

Firewall need (discussion)

Page 70: Firewall Essentials

Lab 1: What Firewall is Best?

Page 71: Firewall Essentials

Discussion Lab

Company intranet

Restricted Network

Corporate Data Center

Internet

Place firewall(s) in this network.

Page 72: Firewall Essentials

Discussion lab

Internet connection: e-mail, FTP, DNS, public web; web surfing and FTP

Intranet: Oracle server

Page 73: Firewall Essentials

Discussion Lab - possible solution (figure): the Internet, company intranet, restricted network and corporate data center, with two firewalls placed at the boundaries.

Page 74: Firewall Essentials

Unit II - Chapter 2: Security Hazards

Page 75: Firewall Essentials

Describe the threat of open systems networking

Identify simple denial of service attacks

Identify packet sniffing

Identify IP spoofing

Security Hazards: Objectives

Page 76: Firewall Essentials

A standard approach to computing and networking that allows for:

Greater interoperability

Flexibility

Portability of software and system components

Open Systems Internetworking

Page 77: Firewall Essentials

Isolated “Islands” of Phone Connectivity

Page 78: Firewall Essentials

Phone Connectivity No Longer Isolated

Page 79: Firewall Essentials

Increased connectivity increases the threat of attack

The more networks that are connected, the greater chance of those networks being infiltrated

Open Systems Threat

Page 80: Firewall Essentials

Denial-of-Service

Network Packet Sniffing

IP Spoof Attack

Internet Attacks Simplified

Page 81: Firewall Essentials

Denial of Service

Page 82: Firewall Essentials

A simple attack where the attacker repeatedly sends the victim voluminous amounts of electronic mail until the network can no longer handle the volume, denying the victim mail service

Denial-of-Service Attack

Page 83: Firewall Essentials

Denial of Service Mail Attack (figure): the attacker sends a flood of e-mail through the mail server to the target mailbox.

Denial of Service Mail Attack

Page 84: Firewall Essentials

The attacker “listens in” to the data on your network with a packet sniffer, capturing data and displaying it in a readable manner

Source and destination users usually don’t even know that they’ve been “sniffed”

Network Packet Sniffing

Page 85: Firewall Essentials

Network Packet Sniffing Attack (figure): the original TCP packets cross the network while the attacker keeps copies of them.

Network Packet Sniffing Attack

Page 86: Firewall Essentials

The attacker uses the unique IP address of an unsuspecting target user, presumably for illicit purposes

An IP spoof becomes a serious attack if the external attacker claims to have an IP address that is internal to the targeted network

IP Spoof Attack

Page 87: Firewall Essentials

IP Spoof Attack (figure): an external host (10.35.25.6) sends a packet whose source address claims to be the internal host 10.12.1.1, addressed to the internal host 10.12.1.5; the packet filter assumes the packet is from a trusted source and allows the data into the network.

IP Spoof Attack

Page 88: Firewall Essentials

Unit III - Chapter 1: Firewall Features

Page 89: Firewall Essentials

Access Rules and Lists

Host Spoofing Controls

Basic Access Control

Page 90: Firewall Essentials

Host-Based

Describes the sets of services allowed for each host or network

Service-Based

Identifies the sets of hosts or networks that may use each service

Access Rules and Lists

Page 91: Firewall Essentials

Reducing the threat of spoofing IP addresses:

Restriction of the “source routing option” (which lets a host control the route taken back to the source host address)

Control by network interface also reduces the threat

Host Spoofing Controls
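As an added example (not code from the slides), the following Python comparison puts the address-only filter from the page 87 figure next to one applying the two host spoofing controls above: rejecting the source routing option and checking the reported source address against the network interface the packet arrived on (page 19's “consider the network interface where the packet enters”). The addresses are the ones in the figure; the /16 internal network, the interface names and the trusted-host list are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example, not from the slides. The addresses are the ones in the
# page 87 figure; the /16 internal network and interface names are assumptions.
INTERNAL_NETS = [ip_network("10.12.0.0/16")]
TRUSTED_HOSTS = {"10.12.1.1"}


@dataclass(frozen=True)
class Packet:
    iface: str                    # "internal" or "external": interface the packet arrived on
    src: str                      # source address the packet reports
    dst: str
    source_routed: bool = False   # carries the IP source routing option


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def address_only_filter(p):
    """The filter in the page 87 figure: believes the reported source address."""
    return "PASS" if p.src in TRUSTED_HOSTS else "DROP"


def interface_aware_filter(p):
    """Page 91's two controls: reject the source routing option, and check the
    reported source address against the interface the packet came in on."""
    if p.source_routed:
        return "DROP"
    if p.iface == "external" and is_internal(p.src):
        return "DROP"          # an internal address cannot legitimately arrive from outside
    if p.iface == "internal" and not is_internal(p.src):
        return "DROP"          # and the inside must not emit foreign addresses
    return "PASS" if p.src in TRUSTED_HOSTS else "DROP"


def compare():
    """Run both filters over three packets; returns {name: (address-only, interface-aware)}."""
    cases = {
        # External host 10.35.25.6 reporting source 10.12.1.1 (page 87).
        "spoofed": Packet("external", "10.12.1.1", "10.12.1.5"),
        # The genuine trusted host, arriving on the internal interface.
        "genuine": Packet("internal", "10.12.1.1", "10.12.1.5"),
        # Genuine address, but with a source route attached.
        "source_routed": Packet("internal", "10.12.1.1", "10.12.1.5", source_routed=True),
    }
    return {name: (address_only_filter(p), interface_aware_filter(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The interface check works because the firewall, unlike the packet, knows something the sender cannot forge: which wire the packet came in on. The same check in the other direction (no foreign source addresses leaving the internal interface) keeps the site from being the origin of spoofed traffic.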

Page 92: Firewall Essentials

Domain Name System (DNS)

DNS servers share information

An attacker could possibly redefine the address of a trusted host within a network to an address outside the network

Supported Services

Page 93: Firewall Essentials

Finger

Used to find out logins, user names, and information concerning a user's previous login

Supported Services (cont.)

Page 94: Firewall Essentials

File Transfer Protocol (FTP)

A separate network connection is usually made from the destination host back to the original FTP connection

Most FTP servers support a PASV (passive mode) capability allowing the connection to originate from the client rather than the server

Supported Services (cont.)

Page 95: Firewall Essentials

Internet Control Messaging Protocol (ICMP)

Used to send error or test messages between systems

“PING” uses ICMP to send echo requests to see if a host is reachable

Supported Services (cont.)

Page 96: Firewall Essentials

Internet Relay Chat (IRC)

Using IRC, a user can contact an IRC server and join an Internet conversation

Threats associated with IRC are of a “social engineering” nature - an attacker may contact a user through IRC and convince them to compromise their network

Supported Services (cont.)

Page 97: Firewall Essentials

Network News Transfer Protocol (NNTP)

Allows users to access newsgroups to read information or participate in discussions

Network File System (NFS)

Allows users to share file systems with other users

Little security and vulnerable to attacks

Supported Services (cont.)

Page 98: Firewall Essentials

Network Time Protocol (NTP)

A service used to synchronize clocks between computers and networks

Supported Services (cont.)

Page 99: Firewall Essentials

rlogin

Developed at the University of California at Berkeley

Used for remote access between local systems, but not recommended for use across the Internet because of lack of proper authentication capability

Supported Services (cont.)

Page 100: Firewall Essentials

TELNET

Standard remote login protocol application

Provides a character-based connection between two systems

Supported Services (cont.)

Page 101: Firewall Essentials

Authentication Mechanisms

User Authentication

Page 102: Firewall Essentials

Firewalls in multiple geographic locations should be administered by a single group within the company

With central administration the administrator configures the firewalls from a central database they all share

Remote/Central Administration

Page 103: Firewall Essentials

Recording the action in a log or alarm file

Sending e-mail to an administrator

Displaying a message on the firewall console

Sending an SNMP alarm to a network manager system

Actions Taken From Alarms

Page 104: Firewall Essentials

Activating and sending a message to an administrator’s pager

Running a specialized application or script file from the firewall

Actions Taken From Alarms (cont.)

Page 105: Firewall Essentials

Dual-Host Firewalls

Splitting the functions of a firewall between two hosts to force attackers to break into two systems for a successful attack

Integrity Scanner

An application on the firewall that continually scans the firewall for any unauthorized changes to files, file size, or devices

Firewall Integrity

Page 106: Firewall Essentials

Invisibility

A firewall that can’t be seen is difficult to attack

Firewall Integrity (cont.)

Page 107: Firewall Essentials

Address Mapping

Day and Time Restrictions

Load Control

Tunneling

Virtual Private Networks (VPN)

Hacker Traps

Special Features

Page 108: Firewall Essentials

Most organizations have invalid or illegal IP addressing internally

Firewalls can map illegal addresses internally to legal addresses as packets leave the network

Address Mapping

Page 109: Firewall Essentials

Address Mapping (figure): a LAN with internal hosts 192.168.1.1 to 192.168.1.4; the illegal internal address 192.168.1.2 is mapped to the legal external address 204.32.38.1.

Address Mapping
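As an added example (not code from the slides), the following Python address mapper shows the mechanism behind pages 108 and 109 and goes slightly beyond the figure's one-to-one picture: with four internal hosts and one legal address, the firewall must also choose a distinct public port per session so that replies can be mapped back to the right host. The addresses are the ones in the figure; the port range and the table layout are assumptions.

```python
# Constructed example, not from the slides: a port-translating address mapper.
# The addresses are the ones in the page 109 figure; the port range is assumed.


class AddressMapper:
    """Maps internal (private, "illegal") source addresses to one legal public
    address on the way out, and uses the chosen public port to map replies back."""

    def __init__(self, public_ip, first_port=10000, last_port=19999):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound_map = {}   # (private ip, private port) -> public port
        self.inbound_map = {}    # public port -> (private ip, private port)

    def translate_outbound(self, src_ip, src_port):
        """Rewrite an outgoing packet's source; returns (public ip, public port)."""
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            if not self.free_ports:
                raise RuntimeError("no free public ports")   # mapping table exhausted
            port = self.free_ports.pop(0)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return self.public_ip, self.outbound_map[key]

    def translate_inbound(self, dst_port):
        """Map an incoming packet's destination port back to the internal host.
        Returns None when nothing inside asked for it: the packet is dropped."""
        return self.inbound_map.get(dst_port)

    def release(self, src_ip, src_port):
        """Forget a finished session and return its public port to the pool."""
        port = self.outbound_map.pop((src_ip, src_port), None)
        if port is not None:
            del self.inbound_map[port]
            self.free_ports.append(port)


def demo():
    nat = AddressMapper("204.32.38.1")
    out1 = nat.translate_outbound("192.168.1.2", 1543)   # first inside host
    out2 = nat.translate_outbound("192.168.1.3", 1543)   # second host, same private port
    reply = nat.translate_inbound(out2[1])                # reply for the second host
    stray = nat.translate_inbound(30000)                  # nobody inside asked for this
    return out1, out2, reply, stray


if __name__ == "__main__":
    print(demo())
```

The side effect worth noticing is the last line of demo: because inbound packets are only delivered when a mapping exists, address mapping hides the internal hosts from unsolicited outside connections as well as saving legal addresses.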

Page 110: Firewall Essentials

Security policies can be set to restrict certain network access based on day and time

Day and Time Restrictions

Page 111: Firewall Essentials

Day and Time Restrictions (figure): FTP allowed during some hours of the week and disallowed during others.

Day and Time Restrictions

Page 112: Firewall Essentials

Limits the number of simultaneous connections permitted to a host

Helps protect against flooding attacks

Load Control

Page 113: Firewall Essentials

Load Control (figure): limiting the number of simultaneous connections to a host.

Load Control

Page 114: Firewall Essentials

Enables encryption of all or selected communication between two or more sites

Requires cooperating firewalls to encrypt and decrypt packets as they are sent and received

Virtual Private Networks (VPN)

Page 115: Firewall Essentials

Virtual Private Networks (figure): company intranet 1 and company intranet 2, each behind its own firewall, are joined across the Internet; traffic inside each intranet is private and not encrypted, while the traffic between the two firewalls over the public Internet is encrypted.

Virtual Private Networks (VPNs)

Page 116: Firewall Essentials

Sometimes referred to as “lures and traps” or “honey pots”

Intruders think they have succeeded in breaking into the network when in reality they have been redirected to a “safe” place on the network

Hacker Traps

Page 117: Firewall Essentials

Unit III - Chapter 2: Security Policies

Page 118: Firewall Essentials

Flexibility

Service-access

Firewall Design

Information

Remote Access

Security Policy Philosophies

Page 119: Firewall Essentials

Flexibility

Ability to adapt or change the policy

Flexible due to the following considerations:

Internet changes

Internet risks

Security Policy Philosophies (cont.)

Page 120: Firewall Essentials

Service Access

Internal user issues

Remote access policies

External connections

Security Policy Philosophies (cont.)

Page 121: Firewall Essentials

Firewall Design

Permit any service unless it is expressly denied

Deny any service unless it is expressly permitted

Security Policy Philosophies (cont.)

Page 122: Firewall Essentials

Information concerns

E-mail

Web browsing

Security Policy Philosophies (cont.)

Page 123: Firewall Essentials

Remote Access

A user’s dial-out capability might become an intruder dial-up threat

Outside users must be forced to pass through the advanced authentication features of the firewall

Security Policy Philosophies (cont.)