Lecture 5 Protection - Firewall


Post on 07-Aug-2020


Page 1: Lecture 5 Protection - Firewall

PROTECTION/PREVENTION I

FIREWALLS

Lecture 4 Quick Review

• The security process
  • Assessment, protection/prevention, detection and response
• The security attack process
  • Reconnaissance, exploitation, reinforcement, consolidation and pillage
• Security issues in networking protocols
• Specific attacks
  • Denial of service, sequence number guessing…

Next Step

• Consider protection and prevention mechanisms
  • Try to address direct agents of security attacks
• How do attacks succeed?
  • Oscar gets information (reconnaissance)
  • Oscar exploits vulnerabilities
    • Common weaknesses in design and bugs in software services
• Protection and prevention
  • Stop (or block) packets that are sent with the purpose of reconnaissance or exploitation
  • Authenticate and encrypt communications to prevent Oscar from obtaining information or being able to communicate

Firewalls

• Protect buildings that were susceptible to fire
  • People built thick walls made of brick between such buildings
  • If a building caught fire, the thick wall would prevent it from spreading to surrounding buildings
  • Damages would be minimized
• The “Internet Firewall” prevents security attacks from spreading into the intranet or private network of an organization


What is a Firewall?

• A network level access control mechanism
• In broad terms, a firewall is all of the following
  • A collection of hardware and software PLUS a security policy
  • Something placed between a corporate intranet and the Internet
  • Seeks to prevent unauthorized and unwanted communications into or out of the corporate intranet
  • Allows the organization to implement and enforce its own traffic flow policy between the Internet and the Intranet
• Today it means many things
  • Ranges from a simple packet filter to a complex intrusion prevention system

What is a Firewall? (2)

• Establishes a controlled link between the insecure public network and the secure private network
• Erects a security wall or perimeter around the network
• These days you have “host firewalls” that prevent a host machine from picking up some types of packets
• Idea of “perimeter” is not completely valid these days

[Figure: firewall placed between the public network (“Outside”) and the private network (“Inside”)]

Design Goals

• All traffic from inside the private network to outside and vice-versa MUST pass through the firewall
• Only authorized traffic defined by a local “security policy” will be allowed to pass
• The Firewall is as tamperproof as possible
  • Fewer bugs, vulnerabilities, and security loopholes
• Host security does not scale well
  • Multiple Operating Systems
  • Complex access controls
  • Vulnerabilities in new software
  • Difficult to audit
• The firewall runs less software than most hosts and is much more controlled

Advantages and Disadvantages

• There is only one host/machine/device to be protected - the firewall
  • Simplifies security management
  • Possible to implement advanced logging and monitoring
• Can create a VPN using IPSec to other hosts
• Enables segmentation and isolation of problems
• Hides the IP addresses of client stations in an internal network by presenting one IP address to the outside world
• Disadvantages
  • Bottleneck
  • Single point of failure
  • False aura of confidence


Services provided by a firewall

• Service control
  • Determines the types of services that can be allowed inbound or outbound
• Direction control
  • Determines the direction in which a service may be initiated and allowed to flow
• User control
  • Determines access to a service depending on which user is attempting to access it (both inbound and outbound)
• Behavior Control
  • Controls how some services are employed
  • Example: DNS, filtering e-mail, etc.

Protection with Firewalls

• Protects against
  • Information theft (Reconnaissance)
    • Example: Prevents requests to and responses from services within the private network reaching the outside
  • Information sabotage (Exploitation/Pillage)
    • Example: Prevents uploading derogatory content onto a company’s web page or changing an employee’s medical records
  • Denial of Service (Pillage)
    • Example: Prevents common DoS attacks like Smurf on internal hosts

Additional features in firewalls

• Demilitarized zone firewalls (DMZ firewalls)
  • A region of the network is protected, but accessible to outsiders
  • The rest of the network is NOT accessible
• Content filtering
  • Ensure that employees do not access particular content like stock quotes ☺
  • Can define categories of unwelcome material
  • Can block certain web-sites
• Anti-virus protection
  • Can assist with virus detection
• Virtual Private Networks (VPNs)

Limitations of Firewalls

• Cannot protect against
  • Attacks that bypass it
    • Physical removal of files
    • Dial-up modems from hosts on the Intranet
  • Internal threats and insider attacks
    • Malicious employees
  • Viruses in general
    • Viruses may come in to the network in several ways
• Firewalls are not foolproof
  • They will allow what you permit them to allow
  • Human errors can lead to security breach


Firewall Topics

• Types of firewalls
  • Packet Filters, Stateful Firewalls, Proxy Firewalls
  • Performance – Security tradeoffs
• Firewall policies
  • Implementation and pitfalls
• Firewall architectures
  • Where do you place firewalls?
  • What functions will they perform?
  • How do you isolate different segments of your private network?

OPERATION OF PACKET FILTERS AND GATEWAYS

Types of Firewalls

Types of Firewalls – based on functionality

• Packet Filters
  • Static Packet Filters
  • Dynamic or Stateful Packet Filters
• Proxy Firewalls
  • Circuit Level Gateways
  • Application Level Gateways

Packet Filters Vs Proxies

• Packet filters examine packets entering a network one at a time
  • Examination of packets involves rules set by an administrator
  • Packets can be blocked to certain hosts or services (IP addresses and ports)
  • Packets can be blocked if they correspond to certain protocols
• Proxies
  • Reproduce application layer functionality
  • Isolate the protected network from the rest of the world
  • Packets are not examined one-by-one but are completely decoded
  • Examination after decoding reveals if it is a valid request


Types of Firewalls – based on device types

• Routers
  • Most routers can be configured to act as packet filters
  • Simple and fast, but usually not very secure
• Multi-homed Hosts
  • Run a software application on top of an OS
  • Slower, but more secure
• Single host
  • Most new OSs come with a built in software Firewall to protect a single host
• Appliances
  • Hardware, software and firmware particularly optimized for firewall functionality

Some Remarks – I

• The “type” of firewall depends on how high in the protocol stack a “packet” is examined
  • The higher the layer of examination, the worse the performance
    • Requires more processing and slows down packet flow
  • The higher the layer of examination, the more secure the network is
    • Obtains more information about what a packet is trying to do before allowing it or dropping it
• Improvements in technology have reduced the degradation in performance, but it is still a factor

[Figure: protocol stack PHY, LINK, NETWORK, TCP/UDP, APP]

Some Remarks – II

• Classification of firewalls is a useful exercise, but actual products may do many things
  • Most firewalls have overlapping functions
  • May do some static and some dynamic filtering
  • May also look at the payload of certain applications but may or may not act as a proxy
  • They may have both software and hardware components
• Policies of firewalls can also fall into overlapping categories

Static Packet or Screening Filters

• A type of firewall that blocks or allows a packet based on IP addresses or port numbers
  • Stateless
  • Operates on IP packets individually at the network layer
  • Oldest type of firewall
• Whether a packet is allowed or not depends on
  • A set of rules encoded in the software running the packet filter
• Parses the IP header and TCP/UDP segment header and checks for
  • Protocol numbers, source and destination IP addresses, TCP port numbers, TCP connection flags, ICMP etc.
• Compares the information with the rules in sequential order till the packet matches a particular rule
  • If no rule matches the packet, a default action is taken


Operation of Static Packet Filters

• When you filter packets, what is outside and what is inside can get fuzzy depending on the interface
• Need to exercise great care in setting rules as we will see next

[Figure: a packet from “outside” is examined at the NETWORK and TCP/UDP layers of the stack (PHY, LINK, NETWORK, TCP/UDP) before being allowed “inside”]

In and Out…

• Packets coming “in” to one interface may be going “out” of another interface
• Many access control lists are based on filtering packets coming “in” or going “out” of an interface
• Best to filter packets as they come in to avoid additional processing

[Figure: a filter with two interfaces, i1 and i2, each with an “in” and an “out” direction; the Public network (“Outside”) is on i1 and the Private network (“Inside”) on i2]

Packet Filtering – Cisco IOS

• Cisco routers maintain what is called an access control list (ACL)
  • To configure a Cisco ACL, you have a command that looks like this
    > access-list <number> <criteria>
  • The number is a label for the type of protocol (IP, IPX etc.)
  • Can also use a named ACL that has the syntax
    > ip access-list <type> <name>
    > permit | deny <criteria>
• Can add logging of packets that are rejected
• There are many types – standard, extended and reflexive ACLs
  • Standard ACL blocks only source addresses for example
    • Faster at the packet filter device
  • Extended ACL looks at port numbers and destination addresses

IPchains and IPtables

• Popular on Linux
  • IPChains is deprecated - being replaced by IPtables
• IP Chains also maintains a list of what is allowed and what is not
    > ipchains -A input -i <interface> -p <protocol> -s <source IP address> -d <destination IP address> -l -j DENY|ACCEPT
  • The parameter -l says that the information must be logged
  • The parameter -A says that this command must be appended at the end of the current list
  • The target named after -j is DENY or ACCEPT (ipchains has no PERMIT target)


Rules for Packet Filtering

• Default:
  • Discard: Prohibit any packet that is not allowed
    • Also called the “security-first” policy
  • Forward: Allow any packet that is not forbidden
    • Also called the “ease-of-use-first” policy
• Example:
  • Default discard policy
  • * is a match for anything

  Action  Ourhost      Port  Theirhost  Port  Comments
  Block   *            *     Dracula    *     Don’t trust ’em
  Allow   Our-Gateway  25    *          *     Connection to SMTP Port

• What does this rule set do?
  • First it checks to see if the packet is from/to Dracula
    • If it is, it is dropped
  • Next it sees if some host not Dracula has sent a packet to port 25 of the gateway
    • If yes it is allowed, otherwise it is dropped
• No directionality in this rule set

Example Continued

• Consider the policy: Any internal host can send e-mail to outside
• Rule for this may look like this

  Action  Ourhost  Port  Theirhost  Port  Comments
  Allow   *        *     *          25    Allow to connect to any SMTP port

• What are potential problems with this rule?
  • We cannot control the outside hosts - they may be running some malicious service on port 25
  • An outside host may connect to the internal host using port 25 which is allowed!
  • Better option is to allow outgoing calls to port 25, not all calls
• Most packet filters now support source and destination separately and allow different rules at different interfaces and in different directions

Source Address Filtering

• There are some common terms used to indicate packet filtering by source address
• Friendly Net
  • Allow some IP addresses that are from known networks
  • Not advisable to use this approach - why?
• Ingress filtering
  • Refers to filtering at the interface that allows packets from outside to come into the internal network
• Egress filtering
  • Refers to filtering at the interface that accepts packets leaving the internal network
  • Block addresses that do not belong to the internal network (why?)
  • Block addresses that are NOT supposed to connect to the Internet
• Log all rejected packets - why?

Some Common Rules - I: Filtering by source address

• Deny entry to IP packets with certain source addresses
  • What addresses can we deny without fear of blocking legitimate traffic?
    • RFC 1918 addresses - Block addresses such as 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
    • Loopback address 127.0.0.1, multicast addresses 224.0.0.0 - 239.255.255.255
    • Internal addresses
    • Perhaps addresses originating from certain domains (.in, .ru, .cn)
• Deny exit from network to IP addresses that are supposed to be used internally
• Temporarily or otherwise block certain IP source addresses
  • You can identify some IP addresses that are launching DoS attacks
  • There are some IRC servers that you don’t want your users to connect to
  • A domain like login.oscar.aol.com
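The ingress and egress source-address checks from the two slides above, written out as an added Python example (this is not code from the lecture). It assumes the slides' internal network 136.142.117.0/24 and, as a constructed detail, one internal host (136.142.117.200) that is not permitted to reach the Internet; the sample addresses fed to it are likewise constructed. Every rejected packet goes to a log list, which is the reason the slide gives for logging: rejected packets are the evidence of spoofing attempts and misconfigured hosts.

```python
import ipaddress

# Source ranges that have no business arriving from the Internet (slide
# "Some Common Rules - I"): RFC 1918 private space, loopback and multicast.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "224.0.0.0/4",                                     # multicast 224.0.0.0 - 239.255.255.255
)]

# Assumptions for this example: the internal network used in the slides, and a
# constructed internal host that is not supposed to talk to the Internet at all.
INTERNAL_NET = ipaddress.ip_network("136.142.117.0/24")
NO_INTERNET_HOSTS = {ipaddress.ip_address("136.142.117.200")}

rejected_log = []   # every rejected packet is logged, as the slide recommends


def _reject(direction, src, reason):
    rejected_log.append(f"{direction} src={src} denied: {reason}")
    return "DENY", reason


def ingress_check(src):
    """Verdict for a packet arriving on the outside interface."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_SOURCES:
        if addr in net:
            return _reject("ingress", src, f"bogon source in {net}")
    if addr in INTERNAL_NET:
        # an internal address cannot legitimately come from outside: spoofing
        return _reject("ingress", src, "internal address arriving from outside")
    return "ALLOW", "source address plausible"


def egress_check(src):
    """Verdict for a packet leaving through the inside interface."""
    addr = ipaddress.ip_address(src)
    if addr not in INTERNAL_NET:
        # a non-internal source leaving our network is spoofed (or misrouted);
        # letting it out would make the site a launch pad for DoS traffic
        return _reject("egress", src, f"source not in {INTERNAL_NET}")
    if addr in NO_INTERNET_HOSTS:
        return _reject("egress", src, "host not permitted to reach the Internet")
    return "ALLOW", "source belongs to the internal network"


if __name__ == "__main__":
    for s in ("10.1.2.3", "127.0.0.1", "239.1.1.1", "136.142.117.5", "130.215.17.13"):
        print("ingress", s, ingress_check(s))
    for s in ("136.142.117.221", "136.142.117.200", "130.215.17.13"):
        print("egress", s, egress_check(s))
    print("\n".join(rejected_log))
```

The same two checks answer the slide's "why?" questions: an internal address arriving from outside can only be spoofed, and a non-internal address leaving can only be spoofed, so both are safe to drop without fear of blocking legitimate traffic.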


Port Number and Destination Address Filtering

• Allows access for
  • Specific “channels” between networks
  • Specific public services like DNS or web
  • Specific packet types like ICMP MTU violations
• Can filter packets based on port numbers, flags in headers, specific protocol types
  • Additional granularity
  • Slows filtering process compared to “source address only” filtering

Some Common Rules - II: Filtering by destination address and ports

• Friendly Net
  • It is possible to tighten up the friendly net rule by specifying certain port numbers and destination hosts only
  • Example: Allow host 130.215.17.13 to access 136.142.117.13 if it has port number larger than 1023 and it is connecting to port number 80 only
  • Still not recommended without authentication and architectural separation
• Allowing and disallowing certain types of traffic
  • You can block certain types of traffic leaving your network like IRC, Instant Messaging, Kazaa or ICMP
  • Example: Block ICMP echo requests from any host to any host
  • Is this a good idea? Where should an alternative be placed?

Example of Rule Set

• Identify protocol and what the rule may mean
• Assume it is applied at the interface of a filter that accepts incoming packets to the network 136.142.117.y/24

  Rule  Protocol  Source Address    Destination Address  SRC-Port  DEST-Port  Action
  1     TCP       130.215.17.0/24   136.142.117.221      > 1023    22         Allow
  2     TCP       Any               136.142.117.13       > 1023    80         Allow
  3     TCP       136.142.117.0/24  Any                  Any       Any        Block
  4     UDP       Any               136.142.117.13       > 1023    53         Allow
  5     UDP       Any               136.142.117.14       > 1023    53         Allow
  6     Any       Any               Any                  Any       Any        Block

Packet Filtering Rule Set - Rules of Thumb

• Unless all parts of the rule are matched, the packet is moved down the list of rules
  • Complete match test
• Better to allow stuff you need and deny the rest than specifically deny the stuff you suspect
• Specific rules must precede general rules
  • Otherwise packets may be admitted or denied by a general rule before it is tested for a specific rule
  • Example: In the previous rule set, Rule 6 cannot be placed prior to any other rule
    • What happens if it is placed first in the list?
• Adding rules in an ad hoc manner can result in catastrophes
  • Great care must be exercised to ensure that rules do what they are supposed to do
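An added Python example (not code from the lecture) of the sequential, complete-match evaluation these rules of thumb describe. It encodes the six-rule table from "Example of Rule Set" and the directionless SMTP rule from "Example Continued" in one small matcher; rules here carry source and destination separately plus an optional direction, as the slides say modern filters do, rather than the older Ourhost/Theirhost columns. The outside address 198.51.100.7 and the client port numbers in the sample packets are constructed.

```python
import ipaddress

ANY = "Any"


class Rule:
    """One row of a packet-filter table (fields as in the slides' tables)."""

    def __init__(self, proto, src, dst, sport, dport, action, direction=ANY):
        self.proto, self.src, self.dst = proto, src, dst
        self.sport, self.dport = sport, dport
        self.action, self.direction = action, direction


def match_addr(pattern, addr):
    # "Any", a single host, or a CIDR prefix such as 130.215.17.0/24
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def match_port(pattern, port):
    # "Any", a "> 1023" comparison, or an exact port number
    if pattern == ANY:
        return True
    if isinstance(pattern, str) and pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def matches(rule, pkt):
    # Complete-match test: every field of the rule must match the packet
    return (rule.proto in (ANY, pkt["proto"])
            and rule.direction in (ANY, pkt["direction"])
            and match_addr(rule.src, pkt["src"])
            and match_addr(rule.dst, pkt["dst"])
            and match_port(rule.sport, pkt["sport"])
            and match_port(rule.dport, pkt["dport"]))


def evaluate(rules, pkt, default="Block"):
    """Sequential first-match evaluation: (action, 1-based rule number or None)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None   # nothing matched: the default (discard) policy decides


# The six-rule set from the slides, applied to packets entering 136.142.117.0/24
RULESET = [
    Rule("TCP", "130.215.17.0/24", "136.142.117.221", "> 1023", 22, "Allow"),
    Rule("TCP", ANY, "136.142.117.13", "> 1023", 80, "Allow"),
    Rule("TCP", "136.142.117.0/24", ANY, ANY, ANY, "Block"),
    Rule("UDP", ANY, "136.142.117.13", "> 1023", 53, "Allow"),
    Rule("UDP", ANY, "136.142.117.14", "> 1023", 53, "Allow"),
    Rule(ANY, ANY, ANY, ANY, ANY, "Block"),
]


def packet(proto, src, dst, sport, dport, direction="in"):
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "direction": direction}


# Constructed sample packets (internal addresses taken from the slides)
SSH_IN = packet("TCP", "130.215.17.5", "136.142.117.221", 40001, 22)
WEB_IN = packet("TCP", "198.51.100.7", "136.142.117.13", 51000, 80)
DNS_IN = packet("UDP", "198.51.100.7", "136.142.117.14", 51001, 53)
TELNET_IN = packet("TCP", "198.51.100.7", "136.142.117.221", 51002, 23)
SSH_LOW_SPORT = packet("TCP", "130.215.17.5", "136.142.117.221", 80, 22)  # fails "> 1023"


def rule6_first():
    """The catch-all Block rule moved to the top: nothing is ever allowed."""
    reordered = [RULESET[5]] + RULESET[:5]
    return [evaluate(reordered, p) for p in (SSH_IN, WEB_IN, DNS_IN)]


# Slide "Example Continued": the SMTP rule with and without directionality
SMTP_ANY_DIRECTION = [Rule(ANY, ANY, ANY, ANY, 25, "Allow")]
SMTP_OUTBOUND_ONLY = [Rule(ANY, ANY, ANY, ANY, 25, "Allow", direction="out")]
OUTSIDE_TO_INSIDE_25 = packet("TCP", "198.51.100.7", "136.142.117.221", 4444, 25, "in")
INSIDE_TO_OUTSIDE_25 = packet("TCP", "136.142.117.221", "198.51.100.7", 4444, 25, "out")

if __name__ == "__main__":
    for p in (SSH_IN, WEB_IN, DNS_IN, TELNET_IN, SSH_LOW_SPORT):
        print(p["proto"], p["src"], "->", p["dst"], p["dport"], evaluate(RULESET, p))
    print("rule 6 first:", rule6_first())
    print("loose SMTP rule, outside -> inside port 25:", evaluate(SMTP_ANY_DIRECTION, OUTSIDE_TO_INSIDE_25))
    print("outbound-only SMTP rule, same packet:", evaluate(SMTP_OUTBOUND_ONLY, OUTSIDE_TO_INSIDE_25))
```

With rule 6 placed first every packet matches it and is blocked, which is the answer to the slide's question. The outbound-only SMTP rule stops an outside host from connecting to an internal port 25, but note that on a stateless filter the replies from the outside mail server (source port 25, inbound) then need their own rule; that is the gap the dynamic and stateful filters later in the lecture close.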


Services to Filter

• Common protocols
  • Web
    • Allow outbound HTTP or HTTPS requests
    • Use architectural methods to protect your network against inbound http requests (later)
  • FTP
    • Tricky protocol - needs more attention than the rest
  • TCP
    • Incoming TCP connections should not be allowed unless they were initiated from the inside
    • Hard to do with simple packet filters
  • NTP
    • Restrict to specific hosts only
  • SMTP/Mail
    • Need to be checked to see if they are “valid”
    • No viruses, spoofed addresses etc.
    • Hard to do with packet filters
  • POP3/IMAP
    • Should block access from outside, but will irritate users
    • Use SSL tunneling - later
  • UDP
    • Must block all calls - a bit draconian but sometimes necessary
  • Others
    • Block all other unnecessary protocols like H.323, SMB, Kazaa, etc.

Personal Firewalls - I

[Screenshot: Windows XP SP2 comes with its own GUI and controls for the Windows Firewall; previously known as Internet Connection Firewall]

More Windows Firewall

[Screenshot: the Windows Firewall “Show Log” view]

Personal Firewalls - II

• Also called “desktop firewalls”; they are becoming very popular
  • Protect individual hosts from malicious packets
  • Perform per host packet filtering
• Many products are available
  • Zone Alarm - http://www.zonelabs.com
  • Tiny Firewall - http://www.tinysoftware.com
  • McAfee Personal Firewall Plus - http://us.mcafee.com/default.asp
  • Symantec, Sygate, Panda Software, Computer Associates etc.


Network Statistics on a Mandrake Firewall

Firewall Rules

Packet Filtering: Advantages and Disadvantages

• It is hard to set packet filtering rules correctly
  • Error-prone process
  • Order matters!
• Packet filtering is fast and a low-cost technology
• It is transparent to user applications
• It is however not very secure
  • Example: Standard ACL filters based on source addresses
    • Source addresses can be easily spoofed

Attacks on Packet Filters

• IP Spoofing
  • The attacker can use an internal IP address or some other allowed IP address
  • Countermeasures:
    • Deny all internal IP addresses arriving from outside
    • Use IPSec for authentication
• Opening holes
  • Sometimes, to accommodate certain protocols, sysads open holes in the ruleset
  • Care must be taken to restrict access through the holes to a limited number of hosts
• ACK Flags
  • Can fool packet filters that accept packets from “established” sessions that are not really established


Fragmentation

• Fragmentation occurs when the maximum transmission unit (MTU) of a link is smaller than the size of the IP datagram
  • Example: In Ethernet, the MTU is 1500 bytes
  • Example: In Frame Relay, the MTU is 1600 bytes
  • Similarly, for a TCP segment, a maximum segment size (MSS) is also specified
• Oscar tries to mask his probes and facilitate attacks using fragmentation of IP datagrams
  • Many filters fail to recognize fragmented packets
  • Many IDSs do not support packet reassembly
  • Oscar can get through to a target network and to a victim host
• Tiny fragment attacks
  • IP fragmentation is used to separate the TCP header information into multiple IP packets
  • RFC 1858 defines methods to deter such attacks (drop fragments smaller than a given size)

Fragmentation Basics

• When a packet is fragmented, all fragments reach the destination
• The destination has to reassemble the fragments
  • It should be able to figure out
    • What fragments are associated together
    • Where the fragments fit (what is the offset from the start of the packet)
    • How much data a fragment contains (as a check)
    • Whether more fragments exist or the reassembly can be undertaken
• The IP header contains the information to reassemble the fragments
  • Some fields may be omitted except in the first fragment

Example

• An IP datagram of size 4000 bytes arrives at a router
  • The MTU of the link is 1500 bytes
  • The IP header is 20 bytes long
• So the payload has to be fragmented and sent in new IP datagrams
  • Each IP datagram has the source and destination address
  • The header of the payload protocol is NOT repeated
  • This enables Oscar to play some tricks

[Figure: the fragments of the datagram; only the first packet shows the protocol that it carries]

Example - 2

• Each IP header has a 16 bit identification field
  • This identifies the datagram sent by the host and will be the same for all fragmented packets
  • The fragment id is set to this identification value
• The first IP fragment will contain the protocol header of the payload (e.g. TCP, ICMP etc.)
  • It has offset = 0, length = 1480 bytes
  • It also has the “more fragments” field set to 1
• The second IP fragment simply contains the next 1480 bytes of payload data - offset = 1480, length = 1480, more fragments = 1
• The third IP fragment has 1020 bytes of data, more fragments = 0


Fragmentation and Packet Filters

• The IP header of each fragment indicates the protocol of the payload (e.g. TCP, ICMP, etc.) but the filter often does not read the contents
  • Many packet filters are stateless - they are asked to block packets to port number N from all hosts
  • They let the fragments into the network, blocking only the first one
• Many services set a Do not Fragment (DF) flag
  • This is done to discover the smallest MTU along a route
  • An ICMP error message reports that the IP datagram cannot be delivered because the MTU is smaller and reports this value
• Malicious fragmentation has led to many attacks
  • Now possible to block any fragmented packet
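The worked example from the "Example" and "Example - 2" slides, the stateless-filter behaviour just described, and the RFC 1858 check mentioned under "Tiny fragment attacks", as an added Python example (not code from the lecture). It models only the header fields a filter sees (identification, offset, length, MF flag, protocol, and the destination port that only the first fragment can carry). The identification values, the tmin of 16 bytes (enough to cover the TCP ports, sequence and acknowledgement numbers and the flags byte; RFC 1858 leaves the exact minimum to the implementer) and the two hand-built fragments at the end are assumptions of this example.

```python
IP_HEADER_LEN = 20


def fragment(total_len, mtu, ident, proto="TCP", dport=None):
    """Split an IP datagram of total_len bytes for a link with the given MTU.

    Returns, per fragment, the header fields a packet filter sees: the shared
    identification, the byte offset and the 8-byte-unit value actually carried
    in the header, the fragment's data length and the MF flag. Only the first
    fragment carries the transport header, so only it knows the destination port.
    """
    payload = total_len - IP_HEADER_LEN
    if total_len <= mtu:            # fits on the link: no fragmentation needed
        return [{"id": ident, "proto": proto, "offset": 0, "offset_field": 0,
                 "length": payload, "mf": 0, "dport": dport}]
    # data per fragment must be a multiple of 8 because offsets are in 8-byte units
    max_chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    fragments, offset = [], 0
    while offset < payload:
        length = min(max_chunk, payload - offset)
        frag = {"id": ident, "proto": proto, "offset": offset,
                "offset_field": offset // 8, "length": length,
                "mf": 1 if offset + length < payload else 0}
        if offset == 0:
            frag["dport"] = dport   # the transport header lives in the first fragment
        fragments.append(frag)
        offset += length
    return fragments


def stateless_port_filter(fragments, blocked_port):
    """A stateless filter told to block port N can only see the port in the
    first fragment; the remaining fragments carry no port and are let through."""
    return ["DROP" if f.get("dport") == blocked_port else "ALLOW" for f in fragments]


def tiny_fragment_check(frag, tmin=16):
    """RFC 1858 checks for a TCP fragment (defender side).

    Direct method: a first fragment shorter than tmin cannot hold the TCP
    ports, sequence numbers and flags, so it is dropped. Indirect method: a
    fragment at offset 1 (8 bytes into the payload) could overwrite those
    fields of the first fragment during reassembly, so it is dropped too.
    """
    if frag["proto"] != "TCP":
        return "ALLOW"
    if frag["offset_field"] == 0 and frag["length"] < tmin:
        return "DROP"
    if frag["offset_field"] == 1:
        return "DROP"
    return "ALLOW"


# Constructed inputs: the slides' 4000-byte datagram over a 1500-byte MTU link,
# a first fragment carrying only 8 bytes of TCP header, and its follow-up at offset 1.
SLIDE_FRAGMENTS = fragment(4000, 1500, ident=0x1234, proto="TCP", dport=23)
TINY_FIRST = {"id": 0x1235, "proto": "TCP", "offset": 0, "offset_field": 0,
              "length": 8, "mf": 1, "dport": 23}
SECOND_AT_OFFSET_8 = {"id": 0x1235, "proto": "TCP", "offset": 8, "offset_field": 1,
                      "length": 12, "mf": 0}

if __name__ == "__main__":
    for f in SLIDE_FRAGMENTS:
        print(f)
    print("stateless filter blocking port 23:", stateless_port_filter(SLIDE_FRAGMENTS, 23))
    print("RFC 1858 on normal first fragment:", tiny_fragment_check(SLIDE_FRAGMENTS[0]))
    print("RFC 1858 on tiny first fragment:", tiny_fragment_check(TINY_FIRST))
    print("RFC 1858 on fragment at offset 1:", tiny_fragment_check(SECOND_AT_OFFSET_8))
```

Running it reproduces the slide's numbers (offsets 0, 1480 and 2960, lengths 1480, 1480 and 1020, MF flags 1, 1, 0; the offset fields in the header are 0, 185 and 370) and shows why a stateless port filter blocks only the first fragment. The same 1600-byte datagram that needs two fragments on Ethernet passes a Frame Relay link (MTU 1600) unfragmented.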

Fragmentation Attacks

• A common port scanning tool is nmap
  • It can be used to fragment TCP headers into many IP datagrams
  • Filters may not recognize the port number and allow all fragments into the network
  • Oscar can successfully scan for open ports and services
• No final fragment
  • Common for DoS attacks on routers that try to reassemble packets for broadcast over a link
• Overlapping fragments
  • Teardrop is a DoS attack that uses overlapping fragments to confuse the OS and crash it
• Ping of death crafts IP packets whose reassembled size is greater than 65535 bytes, causing a crash

Other protocols that may bypass packet filters

• Tunneling
  • Using SSH to access services bypasses all filtering
• MBone encapsulation
  • MBone is the multicast backbone on the Internet
  • Used, for example, for reaching large audiences with video traffic
  • Encapsulates packets, resulting in bypassing filters
• Arbitrary port creation
  • P2P software: BitTorrent, KaZaa, eDonkey, etc.
  • IP telephony

Firewall vulnerabilities

• Since port 80 is typically open, many users abuse it by tunneling other applications within HTTP using SOAP
  • Read http://www.schneier.com/crypto-gram-0006.html
• Checkpoint’s FireWall-1 product vulnerabilities reported in July 2000
• Cisco’s IOS has security vulnerabilities in some versions
  • IOS is used in most Cisco products including packet filters and firewalls
  • IOS source code was stolen and posted on the web allegedly by a 16 year old at Uppsala, Sweden in 2004
• Symantec’s Raptor firewall
  • Oscar could hijack sessions passing through the firewall


Dynamic packet filtering

• Idea
  • Create rulesets on-the-fly and tear them down when completed
• Example
  • A host from the internal network - say 136.142.117.221 - connects to a telnet server 130.215.17.13 on the outside
  • Say the port number on the client side is 1091
  • What is the port number at the server?
  • A new ruleset would be created as follows
    • Allow packets from host 130.215.17.13 port = 23 to host 136.142.117.221 port = 1091
  • The dynamic packet filter will examine all packets to make sure that the SYN, SYNACK and ACK were completed
  • When it observes the FIN packets, it tears down the ruleset thereby disallowing further communication from 130.215.17.13
• In Cisco devices, this is called a “reflexive” access list
  • Can be a burden on routers in terms of performance

Attacking dynamic packet filters

• Much harder to do this
  • Trojans and worms internal to the network can abuse dynamic filters
• Oscar needs to know
  • Existence of dynamically created access list
    • Internal host connecting to external host will create the access list - nothing else can do it
  • Only the host 130.215.17.13 can connect through this access list
    • Oscar will have to spoof this address
  • The connection can be made only to host 136.142.117.221
    • Oscar cannot attack any arbitrary host in the internal network
  • The connection can only be made to port 1091
  • The communication stage (state) must be precisely known
    • Dynamic packet filters can keep track of sequence numbers
• If Oscar can do all this, it probably means that there are much bigger security problems with the internal network
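The telnet session from the "Dynamic packet filtering" slide and the constraints listed on "Attacking dynamic packet filters", played through a small connection tracker written as an added Python example (this is not code from the lecture or from any vendor's reflexive ACL implementation). An outbound SYN from the internal network creates the dynamic rule, the handshake is followed through SYN, SYN-ACK and ACK, and FINs from both sides tear the rule down. Inbound packets that differ in the outside host, the inside host or the inside port get no match, and neither does a bare ACK with no state behind it (the "ACK flags" trick against stateless filters). The packet trace, the second inside host 136.142.117.222 and the outside address 203.0.113.9 are constructed; sequence numbers are not tracked here.

```python
import ipaddress


class DynamicPacketFilter:
    """Reflexive / dynamic packet filter: rules are created by outbound SYNs
    and torn down once FINs from both sides have been seen."""

    def __init__(self, internal_net):
        self.internal = ipaddress.ip_network(internal_net)
        # key = (proto, inside ip, inside port, outside ip, outside port) -> state
        self.table = {}

    def _key(self, pkt, outbound):
        if outbound:
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _established(self, key, flags):
        # ESTABLISHED or FIN_WAIT entry: allow, and tear the rule down when the
        # second FIN arrives (a real tracker keeps a short timer after that).
        if "FIN" in flags:
            if self.table[key] == "FIN_WAIT":
                del self.table[key]
            else:
                self.table[key] = "FIN_WAIT"
        return "ALLOW"

    def handle(self, pkt):
        outbound = ipaddress.ip_address(pkt["src"]) in self.internal
        key = self._key(pkt, outbound)
        flags = set(pkt["flags"])
        state = self.table.get(key)

        if outbound:
            if state is None:
                if flags == {"SYN"}:
                    self.table[key] = "SYN_SENT"   # the dynamic rule is created here
                    return "ALLOW"
                return "DROP"                      # outbound traffic without a tracked connection
            if state == "SYN_SENT":
                return "ALLOW" if flags == {"SYN"} else "DROP"   # retransmitted SYN only
            if state == "SYN_RECEIVED":
                if "ACK" in flags:
                    self.table[key] = "ESTABLISHED"   # three-way handshake completed
                    return "ALLOW"
                return "DROP"
            return self._established(key, flags)

        # inbound: only packets matching a rule opened from the inside get through
        if state is None:
            return "DROP"   # unsolicited SYN, or a bare ACK pretending to be "established"
        if state == "SYN_SENT":
            if flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if state == "SYN_RECEIVED":
            return "ALLOW" if flags == {"SYN", "ACK"} else "DROP"   # retransmitted SYN-ACK only
        return self._established(key, flags)

    def active(self):
        return len(self.table)


def pkt(src, sport, dst, dport, *flags, proto="TCP"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


INSIDE, OUTSIDE = "136.142.117.221", "130.215.17.13"   # hosts from the slides


def telnet_session():
    """Constructed packet trace: the slides' telnet session plus packets that
    must be refused. Returns (verdicts, entries left in the table)."""
    fw = DynamicPacketFilter("136.142.117.0/24")
    trace = [
        pkt(INSIDE, 1091, OUTSIDE, 23, "SYN"),              # opens the dynamic rule
        pkt(OUTSIDE, 23, INSIDE, 1091, "SYN", "ACK"),
        pkt(INSIDE, 1091, OUTSIDE, 23, "ACK"),              # handshake complete
        pkt(OUTSIDE, 23, INSIDE, 1091, "PSH", "ACK"),       # server data
        pkt(OUTSIDE, 23, "136.142.117.222", 1091, "ACK"),   # wrong inside host
        pkt(OUTSIDE, 23, INSIDE, 1092, "ACK"),              # wrong inside port
        pkt("203.0.113.9", 23, INSIDE, 1091, "ACK"),        # wrong outside host
        pkt("203.0.113.9", 4000, INSIDE, 80, "ACK"),        # bare ACK, no state
        pkt("203.0.113.9", 4000, INSIDE, 80, "SYN"),        # unsolicited inbound SYN
        pkt(OUTSIDE, 23, INSIDE, 1091, "FIN", "ACK"),       # server closes
        pkt(INSIDE, 1091, OUTSIDE, 23, "FIN", "ACK"),       # client closes: rule torn down
        pkt(OUTSIDE, 23, INSIDE, 1091, "ACK"),              # nothing left to match
    ]
    verdicts = [fw.handle(p) for p in trace]
    return verdicts, fw.active()


if __name__ == "__main__":
    print(telnet_session())
```

The trace ends with an empty table: once both FINs have passed, the packet that the outside host sends afterwards finds no rule, which is the tear-down behaviour the slide describes. Everything in the middle that does not match the exact five-tuple of the open connection is dropped, so an attacker would have to know the outside address, the inside host, the inside port and the current state, as the second slide lists.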

Stateful Firewalls

• Most advanced and secure Firewall technology
  • Also called stateful packet inspection (SPI)
  • Same as dynamic packet filtering in many cases
• Firewall keeps track of all requests for information from the intranet
  • Scans the destination of an inbound packet to see if it matches the source of a previous outbound request
• This can generally examine multiple layers of the protocol stack
  • Typically at layers 4 and below, but sometimes at the application layer as well
  • Data can also be analyzed if required
  • Blocking can be done at any layer or depth
• The “state” of each packet is determined and hence the name “stateful”

More on Stateful Firewalls

• Stateful firewalls maintain “state” in a content table
  • Allows them to accomplish a higher level of security than simple packet filters
• Still possible to fool them because some incoming connections are allowed without outgoing connections being created
• Maintaining state information for UDP and ICMP is hard
  • There is no concept of state for these protocols
  • For UDP, the port numbers are important in maintaining some pseudo-state information
  • Some ICMP messages can have pseudo-states (requests and responses) but one way ICMP traffic is harder to manage


Some more on stateful firewalls

• Filters typically look at only layer 3 and some layer 4 information
  • This is called filtering
• It is possible to examine higher layer information, sequence numbers, and payload as well
  • Example: the state of HTTP and FTP can be examined - the GET command can be examined or the port number exchange in FTP can be examined
  • This is called stateful inspection
• In stateful firewalls, application layer examination is minimal and abbreviated
  • The entire protocol stack is NOT implemented and it is harder for the firewall to perform a thorough examination
  • It can make the rules extremely complex

Application Level Inspection

• Typically only partial inspection is performed
  • The packets used to initiate the application session are examined
  • Other packets are simply let through
  • Malicious application packets afterwards are not detected
• Detection improves, making it harder to attack in stealth
• Deep packet examination
  • Sometimes needed to detect covert channels or malicious payloads carried by known protocols
  • Example: Several worms use SQL or NetBIOS or HTTP to travel over the Internet
  • Sometimes called IPS-Lite (more when we discuss detection)

Filtering Vs Inspection

• What is state?
  • Protocol, sequence numbers, ports, flags, ack nos., application level commands (GET, etc.), timeouts, …
• Blurred line
  • Dropping packets using state information is filtering?
  • Examining packets using state information and application information is inspection?
• How does the firewall handle and track state information?

Examples of Stateful Firewall Products

• Cisco PIX firewall
• Windows firewall is said to be stateful
• Checkpoint
  • Very first stateful firewall products
  • FireWall-1
    • Tracks UDP using pseudo-state information
• Juniper’s NetScreen Firewall Appliance
• Most new firewalls support dynamic packet filtering
• IPtables and Netfilter are two freely available software firewalls for Linux


Proxy Firewalls or Gateways

• Act as a relay for application/lower level traffic
  • Client contacts the gateway with identification information
  • The gateway contacts the application server and relays packets to and from it
  • It acts on behalf of a client and shields either side from direct connection
• Make two separate TCP connections
  • One between the proxy and the outside host
  • Another between the proxy and the inside host
• The gateway can be made to support only certain services and protocols
  • Example: no javascript in html pages

More on Proxy Firewalls

• Proxies are both clients and servers
  • To the client connecting to it, a proxy behaves as a server
  • To the server providing network services, it acts as a client
  • To distinguish between the real client and server, often times we refer to the “listener” and “initiator” of the proxy
• Proxies shield the protected system from being viewed by external systems
• Proxies usually run on a dual homed host called a Bastion host

[Figure: Internet – Proxy Firewall (dual homed with IP forwarding disabled) – Protected System]

Bastion Host

- Bastion = fortress
- A bastion host is a system that serves as the platform for a proxy firewall
- It employs a hardened (secure) version of the operating system
- Only the required services are installed on it
  - E.g. no additional servers may be installed
- No user accounts exist on the bastion host
- Proxy modules implement simplified versions of the software
  - Easier to analyze the code for loopholes

How do clients work with proxies?

- SOCKS approach
  - Use a protocol that allows adding modules to clients to make them "proxy-aware"
  - The client sends its request to the proxy instead of to the real server
- Client transparency
  - Proxy modules masquerade as clients and servers on the fly
  - They intercept packets, connection requests, etc.
  - The client is fooled into thinking it has connected to the real server
  - The proxy needs to be on the network path between the client and the real server


Types of Proxy Firewalls

- Circuit-level gateway
  - "Packet filtering ++" at the TCP level
  - Validates and monitors sessions (like a stateful packet filter)
- Application-level gateway
  - Custom client/server software implemented for each service scrutinized by the firewall
  - Only allows properly formatted packets to go through

Circuit-level Gateway - CLGW

- Idea: internal users are trustworthy while external ones are not
- Check connections from inside to outside (or vice versa) to see if they are allowed
  - Example: check that the SYN and ACK sequence numbers of the handshake are consistent
- All outbound traffic is relayed without inspection
- All inbound traffic is examined, but only minimally, much as a packet filter would

[Figure: circuit-level gateway relaying several "in" and "out" connections between the two sides]

More on CLGWs

- Pros
  - Faster than application-level gateways
  - Provides some protection by preventing connections to/from certain internal hosts
  - Shields internal network topology and host information
- Cons
  - Minimal examination of packets flowing into the network
  - Cannot restrict protocols that do not use TCP
  - Does not perform application-level examination of packets



Bastion Host (continued)

- Bastion hosts are expected to be attacked!
- Services typically proxied on bastion hosts
  - Web
  - FTP
  - E-mail
  - DNS

Application-level gateway

- Prevents direct communication between external servers and internal computers
- Gives users the appearance that they are communicating directly with external servers
- Recreates the application request and response and makes sure they are valid
  - For example, a client accesses a server to get a web page; the server serves it with a malicious Java applet; the ALGW drops the applet after examining it
  - Example 2: the FTP proxy disallows the "put" command to prevent writing onto the internal network

[Figure: application-level gateway with separate Telnet, FTP, SMTP and HTTP proxies between client and server]

Advantages of Proxy Firewalls

- Maintain detailed audit information
  - Sysadmins can monitor violations of security policies easily
  - Logs are extremely useful
- Prevent information leakage
  - Which IP addresses are in the protected network, which OSs are running (fingerprintable from TTL, window size, etc.)
- Better than packet filters
  - Far less susceptible to IP spoofing: the proxy completes the TCP handshake itself, so a packet with a forged source address cannot carry a session through it
  - Support user authentication
  - Less complex filtering rules: the rules live within the proxied application itself

Other uses

- Reverse proxy
  - The earliest proxy firewalls
  - An internal user connecting to the outside through a proxy is what we call a "forward" proxy
  - A user connecting from the outside to internal services goes through a "reverse" proxy
  - Enables monitoring of who is accessing what data on your server
  - Can require authentication at the proxy
- Web proxies can cache information, enabling quicker responses
- Anonymizing proxies
  - Help prevent digital trails of activities
  - Proxy chaining, e.g. using SocksChain


Drawbacks of Proxy Firewalls

- Could be a single point of failure
- Performance reduction due to processing of many flows on the same host
- Not all network protocols are supported
- A limited number of services is available
  - If new applications are created, it will be hard to proxy them for a while
- If there is a bug in the OS of the gateway, there could be a severe security breach
- Protocol issues
  - Security protocols like IPsec are incompatible with proxies, hurting end-to-end VPNs (the proxy must terminate the connection, which it cannot do inside an encrypted, integrity-protected tunnel)

Proxy Tools

- FWTK
  - Stands for Firewall Toolkit
  - Developed by Trusted Information Systems (TIS) through a DARPA project in 1993
  - Source code is available, but development has stopped
  - Check http://www.fwtk.org/fwtk/docs/ for documentation
  - Does not support many newer protocols like H.323

SOCKS

- What is SOCKS?
  - A proxy toolkit that can be used with several applications
  - More an enabling technology than a product
  - Applications need not be designed with proxying in mind; they are "SOCKSified" by relinking against the SOCKS client library or by using a wrapper
- SOCKS is software with the following components
  - A SOCKS server that runs on the firewall
  - A SOCKS client that runs on the internal hosts
  - SOCKSified versions of Telnet, FTP, etc.
- The SOCKS server
  - Authenticates requests (password based or Kerberos based)
  - Authorizes the request
  - Establishes the proxy connection to the other host
  - Relays the data between the two connections

Versions of SOCKS

- SOCKS v4
  - Lacks strong authentication (only a cleartext user-id string in the request)
  - Uses TCP headers and IP addresses to grant access
  - Needs the client to resolve domain names (the request carries a destination IP address)
- SOCKS v5
  - Also known as authenticated firewall traversal
  - Has strong authentication (many methods are supported, negotiated at the start of the session)
  - Performs address resolution proxy services as well (the request may carry a domain name instead of an address)
  - Proxying of UDP applications is possible
- Check http://www.socks.permeo.com/ for more details


Remarks

- Proxy firewalls are becoming less significant
  - Not many vendors are marketing proxy firewalls
  - Primarily due to performance issues in high-bandwidth networks
  - Secondarily due to compatibility issues

Other Proxy Firewall Software

- Gauntlet
  - Available for both Windows and UNIX environments
  - Offers a wide range of proxied services: FTP, Telnet, HTTP, NetMeeting, RealAudio, Microsoft SQL, etc.
- PORTUS
- Squid
  - Open source web proxy

Other types of firewalls

- Cutoff proxy
  - Combination of a CLGW (circuit-level gateway) and a packet filter
  - Initially operates as a CLGW and then switches to a dynamic packet filter
  - It then lets packets flow directly between client and server
  - No longer acts as listener and initiator
  - Provides a balance between security and performance
- Airgap proxy
  - Writes the output of the "external" connection to a SCSI e-disk, from where it is read by an internal connection
  - Because the direct connection is broken, it is considered to be more secure

SOME CONFIGURATIONS AND EXAMPLES

Firewall Architectures


Firewall Architectures

- The placement of packet filters and gateways can impact security
  - Depending on the network layout and the protocol, Oscar could get some access, no access, etc.
- Many types of architectures are possible
  - Bastion host: a "fortress" that guards the rest of the private network
  - The bastion host may be single- or multi-homed
  - Network segments may also be isolated

Firewall Configurations (1)

- Screened host firewall, single-homed bastion
  - The packet filter allows only packets addressed to or from the bastion host to pass through
  - Two levels of security
  - If the packet filter is compromised, so is the network: the bastion host sits on the same segment as the private hosts, so a filter that forwards freely gives Oscar a direct path around it

[Figure: packet filter in front of a single segment holding the bastion host (or proxy firewall) and the private network]

Firewall Configurations (2)

- Screened host firewall, dual-homed bastion
  - Prevents a breach of security when the packet filter is compromised
  - More secure: there is no direct physical connection between the private network and the outside world; all traffic must traverse the bastion host

[Figure: packet filter, then a DMZ holding the dual-homed bastion host (or proxy firewall), then the private network behind the bastion's second interface]

Example

- The gateway is in the DMZ; the outside world can contact GW, but only in a limited way because of the packet filter
- Limited connections are possible between Net1 or Net2 and GW
- Anything can pass between Net1 and Net2
- Outgoing calls are possible from Net1/Net2 to the outside world

[Figure: Outside - Packet Filter - GW on Inside Net0, with hosts H1 and H2 on Inside Net1 and Inside Net2]


Firewall Configurations (3)

- Screened subnet firewall
  - Two packet filters are used
  - An isolated subnetwork (the DMZ) containing the bastion host and other insecure connections, such as dial-up, is created
  - There are three levels of defense, and the private network is invisible to the rest of the world
  - The rest of the world is invisible to the private network

[Figure: Outside packet filter - DMZ with bastion host (or proxy firewall) and dial-up - Inside packet filter - Private network]

Example - FTP

- Operation
  - The client (user) first opens a "control" channel to the server (port 21)
  - To set up the data connection, there are two options: PORT or PASV
- PORT (active mode)
  - The client sends a PORT command on the control channel
  - It contains an IP address (perhaps different from the client's own) and a random port number of the client
  - The FTP server connects from port 20 to that random port at the client
- PASV (passive mode): see below

More Details of PORT

[Figure only in the original slides: the PORT exchange]

Example - FTP 2

- PASV (passive mode)
  - The client sends PASV
  - The server starts listening on a random port and informs the client in the response
  - The client initiates the data channel
  - The address in the response could be any new IP address and port number


More Details of PASV

[Figure only in the original slides: the PASV exchange]

Impact on Firewalls

- Packet filter
  - If all incoming TCP connections (SYN) to random ports are blocked, FTP will not work with PORT, but it will with PASV
  - Similar impact with dynamic packet filters, unless they parse the control channel
- Stateful firewalls
  - With deep packet inspection (reading the PORT/PASV exchange on port 21), they may open the data connection and allow FTP to proceed
- Proxy firewalls
  - Need to be aware of the two channels and behave appropriately

Potential attack using FTP - 1

- The FTP server allows anonymous connections
- The web server also runs Telnet for administrators
- A stateful firewall blocks all inbound connections except those to port 21 on the FTP server and port 80 on the web server
  - It appears that we are protected even if the Telnet service has vulnerabilities

Source: Northcutt et al, Network Perimeter Security

[Figure: screened subnet holding the FTP server and the web server]

Potential attack using FTP - 2

- What does Oscar do?
  - Uses a legitimate FTP connection to upload a file to the FTP server; the file contains exploit commands against Telnet
  - Using the control channel, sends a PORT command that sets the IP address and port number for the data transfer to 136.142.117.132 and 23
  - Uses the control channel and the "RETR" command to retrieve the malicious file
  - The malicious file is, however, sent by the FTP server to the web server at port 23; this connection originates inside the screened subnet, so the firewall never sees an inbound SYN
- Solution
  - Allow uploads but not downloads
  - Have the FTP server itself refuse PORT commands whose address differs from the control connection's peer, or whose port is below 1024 (the standard defense against this "FTP bounce" attack, described in RFC 2577)
  - Use a proxy firewall: the proxy can determine that the IP address in the PORT command is an internal IP address and block the transfer
  - Exercise caution
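The PORT check just described, worked through as an added example (a small POSIX shell script written for this page, not code from the lecture or from any FTP proxy): it decodes the six-number host/port field that both the PORT command and the PASV reply use, and applies the bounce rule that the data address must equal the control-channel peer and the port must be unprivileged. The target 136.142.117.132 port 23 is the slide's attack value; the peer address 203.0.113.7 and the other inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lecture): decode FTP host/port fields and apply
# the anti-bounce check a proxy or FTP server should make on PORT commands.

# ftp_hostport_decode "h1,h2,h3,h4,p1,p2" -> prints "h1.h2.h3.h4 PORT"
# Returns 1 on anything that is not six decimal numbers in 0..255.
ftp_hostport_decode() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$1" "$2" "$3" "$4" "$5" "$6"; do
        case $n in
            ''|*[!0-9]*) return 1 ;;   # empty or non-digit field
        esac
        [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# ftp_pasv_decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> "ip PORT"
# The RFC 959 reply wraps the same six numbers in parentheses.
ftp_pasv_decode() {
    fields=$(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    ftp_hostport_decode "$fields"
}

# ftp_port_check PEER_IP PORT_ARG
# Returns 0 if the data connection target is acceptable, 1 otherwise.
# Rule (RFC 2577 bounce mitigation): the data address must be the host on the
# other end of the control channel and the port must not be privileged.
ftp_port_check() {
    peer=$1
    decoded=$(ftp_hostport_decode "$2") || return 1
    ip=${decoded% *}
    port=${decoded#* }
    [ "$ip" = "$peer" ] || return 1        # bounce: third-party target
    [ "$port" -gt 1023 ] || return 1       # bounce onto a service port (e.g. 23)
    return 0
}

# Usage: the slide's attack as seen by a proxy whose control-channel peer is
# the attacker at 203.0.113.7 (a constructed address).
if ftp_port_check 203.0.113.7 136,142,117,132,0,23; then
    echo "PORT accepted (should not happen)"
else
    echo "PORT 136,142,117,132,0,23 rejected: data target is not the control peer"
fi
```

The same check applies in the PASV direction with the roles swapped: a client-side proxy should only connect the data channel to the address it already has the control channel open to, which is why ftp_pasv_decode feeds the same decoder.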


DNS and Firewalls

- Implementing DNS in a DMZ topology (split DNS)
  - Prevents outsiders from learning host names/addresses on the inside
  - Still allows internal users to resolve names in the outside world

DNS and Firewalls - 2

[Figure only in the original slides]

DNS and Firewalls - 3

[Figure only in the original slides]

Other topics of importance

- Filtering routing information
  - Given a topology where certain hosts/subnets are NOT supposed to be visible to the outside world, routers must take care not to advertise their existence
  - See Section 9.1.2 of FIS for issues in addressing, etc.
- Building and testing firewalls
  - See Chapter 11 of FIS


Choosing a firewall

- Router/firmware-based firewalls
  - Add additional components to a router to enable firewall functionality
  - Expensive, and may burden the router
- Software-based firewalls
  - Sophisticated
  - Run on dedicated UNIX/Linux or Windows NT hosts
  - Require continuous maintenance and support (patches)
- Dedicated firewall appliances
  - High performance
  - Plug-and-play installation

Firewall Policies

- Common policy: everything is denied except what is explicitly permitted
  - Or whatever makes it inside the network anyway :-(
- Complexity of a policy may make it unenforceable and inconsistent
  - If a policy is not enforceable, people will ignore the rules
  - Example: "report all virus attacks"; people clean the virus and move on
  - Must have tools that can collect the information related to the "MUSTs" in the policy
- Creating an organization-wide policy is important
  - Risks must be identified, policies must be kept up to date, policies for mobile employees must be specified, and extreme care must be taken

Example of an iptables firewall

- OSI model

Sample TCP/IP data packet

Protocol          Contents      OSI layer
Ethernet          MAC address   Data link
IP                IP address    Network
TCP               TCP header    Transport
HTTP              HTTP header   Application
Application data  Web page      Data


Security Business Process

1. Develop a network use policy
2. Map out the services needed outward and inward
3. Convert the network use policy and the needed services into firewall rules
4. Implement and test for functionality and security
5. Review and test your firewall rules on a periodic basis

iptables

- Linux open source firewall
- Website: www.netfilter.org
  - Also available as a module in many Linux administration tools
- Built-in chains in which rules are placed (not tables: the tables are filter, nat and mangle, and each one holds chains)
  - INPUT
  - FORWARD
  - OUTPUT
  - PREROUTING
  - POSTROUTING
- Command-line form
  - iptables [-t table] command chain rule-specification [match/target extensions]

Example of Commands

Command             Description
-A chain            Append one or more rules to the end of the chain
-I chain [rulenum]  Insert a rule into the chain at position rulenum (default 1, the top)
-D chain rulenum    Delete the rule at that position from the chain (a user-defined chain itself is deleted with -X)
-L [chain]          List all rules (of the chain, or of every chain)
-F [chain]          Flush all the rules in the chain (or in every chain)
-P chain policy     Set the default policy of a built-in chain (ACCEPT or DROP)

Example of Rule Specifications

Rule specification       Description
-p protocol              Match a certain protocol (tcp, udp, icmp, ...)
-s address[/mask]        Match the source IP address or prefix (likewise -d for the destination)
--sport / --dport port   Match the source or destination port; only valid after -p tcp or -p udp (several ports at once: -m multiport --sports/--dports)
-i / -o interface        Match the interface the packet arrived on / will leave by
-j target                What to do with the packet if it matches the specification
                         DROP - drop without any further action
                         REJECT - drop and send an error packet in return
                         LOG - log the packet through the kernel log (syslog), then continue with the next rule
                         MARK - mark the packet for further action
                         REDIRECT - redirect the packet to a local port (nat table)


Creating an iptables Firewall

0. Assume that your local LAN subnet is 192.168.0.0/24 (hosts 192.168.0.1 - 192.168.0.254), eth1 is your local LAN interface and eth0 is your Internet or WAN interface
1. Start by eliminating any existing rules with a flush command:
   iptables -F FORWARD
2. Flush the other chains:
   iptables -F INPUT
   iptables -F OUTPUT
3. Put your standard "deny all" statement right up front:
   iptables -P FORWARD DROP
   iptables -A INPUT -i eth0 -j DROP

Creating an iptables Firewall (2)

4. Fragmented packets are only accepted if you say so explicitly:
   iptables -A FORWARD -f -j ACCEPT
   Caveat: non-first fragments carry no TCP/UDP header, so this rule admits them without any port check; on a kernel with connection tracking loaded, fragments are reassembled before filtering and this rule is unnecessary
5. Prevent spoofing and smurf attacks (packets arriving on the WAN interface with our own source prefix, and ICMP aimed at our prefix from outside):
   iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
   iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 -j DROP
   (The interface option is lower-case -i, and there is no DENY target in iptables, only DROP and REJECT.)
6. Allow only connections initiated from inside: admit inbound web and mail packets that are replies, i.e. not connection openers
   iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 -m multiport --sports www,smtp ! --syn -j ACCEPT
   (--tcp-flags SYN,ACK SYN,ACK would match only the SYN-ACK of the handshake and drop the data packets that follow; "! --syn" is the stateless idiom, and -m state --state ESTABLISHED,RELATED is the stateful one.)

Creating an iptables Firewall (3)

7. Accept incoming connections from outside only on certain ports:
   iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 -m multiport --dports smtp --syn -j ACCEPT
8. Allow outgoing connections to be initiated by users, but only for specific protocols (packets from the LAN arrive on eth1; a destination of 0.0.0.0 matches nothing useful):
   iptables -A FORWARD -p tcp -i eth1 -s 192.168.0.0/24 -m multiport --dports www,smtp --syn -j ACCEPT
9. Allow certain incoming UDP packets: DNS queries to an inside name server, and DNS answers coming back to inside resolvers
   iptables -A FORWARD -p udp -i eth0 -d 192.168.0.0/24 --dport domain -j ACCEPT
   iptables -A FORWARD -p udp -i eth0 -d 192.168.0.0/24 --sport domain -j ACCEPT
   Caveat: any outside host can set its source port to 53, so the second rule admits arbitrary UDP to any inside port; a stateful rule that only admits answers to queries actually sent is tighter

Creating an iptables Firewall (4)

10. Allow all types of internal ICMP outwards, but only certain types inwards, such as echo-reply (type 0), destination-unreachable (3) and time-exceeded (11). ICMP has no ports, so the type is selected with --icmp-type, not --dports:
   iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 --icmp-type echo-reply -j ACCEPT
   iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 --icmp-type destination-unreachable -j ACCEPT
   iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 --icmp-type time-exceeded -j ACCEPT
   iptables -A FORWARD -p icmp -i eth1 -s 192.168.0.0/24 -j ACCEPT
   Note: rules are matched in order and the ICMP drop in step 5 comes first, so the three inbound rules only take effect if they are inserted (-I) ahead of it, or if step 5 is narrowed to the broadcast address 192.168.0.255
11. Set up logging (appended last, so only traffic that no rule above accepted is logged before the DROP policy discards it):
   iptables -A FORWARD -p tcp -j LOG
   iptables -A FORWARD -p udp -j LOG
   iptables -A FORWARD -p icmp -j LOG
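The procedure above, collected into one ruleset as an added example (a shell script written for this page, not the lecture's own commands). It emits the policy in iptables-restore format from a function, which is how a practitioner deploys a firewall atomically instead of typing rules one at a time, and it uses connection tracking (-m conntrack) in place of the stateless "! --syn" and source-port-53 rules, closing the gaps noted in steps 6 and 9. The inside mail server 192.168.0.10 and resolver 192.168.0.53 are assumed addresses, not from the slides; the interfaces and the 192.168.0.0/24 prefix are the slides' own.

```shell
#!/bin/sh
# Added example (not from the lecture): the slide's policy as an iptables-restore
# ruleset. Assumed addresses (not in the slides): mail server 192.168.0.10,
# inside resolver 192.168.0.53.

LAN=192.168.0.0/24
LAN_BCAST=192.168.0.255
WAN_IF=eth0
LAN_IF=eth1
MAIL=192.168.0.10
RESOLVER=192.168.0.53

# gen_ruleset: print the complete filter table. Load with: gen_ruleset | iptables-restore
gen_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Step 3: the firewall host itself accepts nothing new from the WAN side
-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
# Step 4: no "-f" rule; with conntrack loaded the kernel reassembles fragments
# before these rules see them, so every packet is matched on its full header.
# Step 5: anti-spoofing and smurf. Our own prefix never arrives from the WAN,
# and nothing from outside may target the LAN broadcast address.
-A FORWARD -i $WAN_IF -s $LAN -j DROP
-A FORWARD -i $WAN_IF -d $LAN_BCAST -j DROP
# Steps 6 and 9 (replies): one stateful rule admits the reply packets of any
# flow accepted below, including DNS answers and ICMP errors (RELATED),
# instead of trusting "! --syn" or a source port of 53.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Step 7: inbound, only new SMTP sessions to the mail host
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $MAIL --dport 25 --syn -j ACCEPT
# Step 8: outbound, LAN users may open web and mail sessions
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN -m multiport --dports 80,443,25 --syn -j ACCEPT
# Step 9: only the inside resolver talks DNS to the outside (UDP and TCP)
-A FORWARD -i $LAN_IF -o $WAN_IF -p udp -s $RESOLVER --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $RESOLVER --dport 53 --syn -j ACCEPT
# Step 10: any ICMP out; echo-reply, unreachable and time-exceeded come back in
# through the conntrack rule. Inbound echo-request is left to the DROP policy.
-A FORWARD -i $LAN_IF -o $WAN_IF -p icmp -s $LAN -j ACCEPT
# Step 11: log what is about to hit the DROP policy, rate limited so that a
# flood cannot fill the disk
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# count_rules CHAIN: number of rules the generated set places in CHAIN
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

# Usage (as root): gen_ruleset | iptables-restore --test   # parse only, no commit
#                  gen_ruleset | iptables-restore          # load the whole table atomically
gen_ruleset
```

Ordering matters exactly as in the slide's step 10 note: the anti-spoofing drops sit above the conntrack rule so that a forged inside address can never be matched as part of an established flow, and the LOG rule is last so that it only sees traffic the policy is about to discard.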