Date post: 23-Dec-2015

Cryptography and Network Security

Chapter 20: Firewalls

Fourth Edition

by William Stallings

Lecture slides by Lawrie Brown, extended and adopted by Hans Hedbom

Chapter 20 – Firewalls

The function of a strong position is to make the forces holding it practically unassailable.

— On War, Carl Von Clausewitz

Introduction

- seen evolution of information systems
- now everyone wants to be on the Internet and to interconnect networks
- has persistent security concerns
- can't easily secure every system in org
- typically use a Firewall to provide perimeter defence as part of comprehensive security strategy

What is a Firewall?

- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- provide NAT & usage monitoring
- implement VPNs using IPSec
- must be immune to penetration

Firewall Limitations

- cannot protect from attacks bypassing it
  - eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
- cannot protect against internal threats
  - eg disgruntled or colluding employees
- cannot protect against transfer of all virus infected programs or files
  - because of huge range of O/S & file types

Firewalls – Packet Filters

- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies
  - that not expressly permitted is prohibited
  - that not expressly prohibited is permitted

Firewalls – Packet Filters


Screening policy actions

- Forward: the packet is forwarded to the intended recipient
- Drop: the packet is dropped (without notification)
- Reject: the packet is rejected (with notification)
- Log: the packet's appearance is logged (to be combined with another action)
- Alarm: the packet's appearance triggers an alarm (to be combined with another action)


Screening policies

- There should always be some default rules
- The last rule should be "Drop everything from everyone", which enforces a defensive strategy
- Network monitoring and control messages should be considered
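As an added illustration of the screening actions and the default rules (not part of the slides): a first-match packet screener in Python with a constructed policy whose last rule is the "drop everything from everyone" rule. FORWARD, DROP and REJECT are terminal actions, LOG and ALARM are the combined ones, and the first rule anticipates the address-spoofing attack discussed below; interface names, addresses and the prefix-match shorthand are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0

def _hit(want: str, have: str) -> bool:
    # "*" matches anything; a value ending in "." is a constructed prefix-match shorthand
    return want == "*" or have == want or (want.endswith(".") and have.startswith(want))

@dataclass
class Rule:
    action: str         # FORWARD, DROP, REJECT, LOG or ALARM
    iface: str = "*"
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (_hit(self.iface, p.iface) and _hit(self.src, p.src) and _hit(self.dst, p.dst)
                and _hit(self.proto, p.proto) and (self.dport is None or self.dport == p.dport))

TERMINAL = {"FORWARD", "DROP", "REJECT"}

def screen(rules: List[Rule], p: Packet) -> Tuple[str, List[str]]:
    """First-match evaluation: the first FORWARD/DROP/REJECT rule decides. LOG and
    ALARM are the 'combined' actions: they fire and evaluation continues."""
    effects: List[str] = []
    for r in rules:
        if r.matches(p):
            if r.action in TERMINAL:
                return r.action, effects
            effects.append(r.action)
    return "DROP", effects + ["NO-RULE-MATCHED"]   # only reached without a catch-all rule

# Constructed policy for a router with an "ext" (Internet) and a "dmz" (192.0.2.0/24) side.
POLICY = [
    Rule("DROP", iface="ext", src="192.0.2."),                 # anti-spoofing: our address from outside
    Rule("FORWARD", dst="192.0.2.10", proto="tcp", dport=80),  # public web server
    Rule("FORWARD", proto="icmp"),                             # control messages are considered
    Rule("REJECT", proto="tcp", dport=25),                     # no mail relay: refuse with notification
    Rule("ALARM", proto="tcp", dport=23),                      # telnet attempt: raise an alarm, then ...
    Rule("LOG"),                                               # ... log it, then ...
    Rule("DROP"),                                              # ... "drop everything from everyone"
]
```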

Firewalls – Packet Filters

Attacks on Packet Filters

- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block
- source routing attacks
  - attacker sets a route other than default
  - block source routed packets
- tiny fragment attacks
  - split header info over several tiny packets
  - either discard or reassemble before check

Firewalls – Stateful Packet Filters

- traditional packet filters do not examine higher layer context
  - ie matching return packets with outgoing flow
- stateful packet filters address this need
- they examine each IP packet in context
  - keep track of client-server sessions
  - check each packet validly belongs to one
- hence are better able to detect bogus packets out of context
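An added example (not from the slides) of the session tracking just described: a minimal connection-tracking filter in Python. Hosts inside the constructed prefix 10.0.0. may open TCP sessions; a packet arriving from outside is accepted only if it matches a tracked session at the right stage of the handshake, so an unsolicited SYN or a forged "reply" with the ACK flag set is dropped as out of context. Addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

Conn = Tuple[str, int, str, int]   # (initiator ip, port, responder ip, port)

class StatefulFilter:
    """Stateful packet filter (constructed example): only hosts inside
    `inside_prefix` may open TCP sessions, and a packet from outside is
    accepted only if it fits a session the table already knows about."""
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.sessions: Dict[Conn, str] = {}   # Conn -> "SYN_SENT" | "ESTABLISHED"

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def check(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)   # as sent by the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # as sent by the responder
        if fwd in self.sessions:                 # follow-up traffic from the initiator
            return "ACCEPT"
        if rev in self.sessions:                 # reply direction: must fit the handshake
            state = self.sessions[rev]
            if state == "SYN_SENT" and p.syn and p.ack:
                self.sessions[rev] = "ESTABLISHED"
                return "ACCEPT"
            return "ACCEPT" if state == "ESTABLISHED" else "DROP"
        if p.syn and not p.ack and self._inside(p.src) and not self._inside(p.dst):
            self.sessions[fwd] = "SYN_SENT"      # new outbound session: start tracking it
            return "ACCEPT"
        # No session context: unsolicited inbound SYN, forged "reply" with ACK set, etc.
        # A stateless filter would have to pass every inbound packet with ACK set to
        # let legitimate replies through; here the session table decides instead.
        return "DROP"
```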


Advantage/Disadvantage

+ One screening router can protect a whole network
+ Packet filtering is extremely efficient
+ Packet filtering is widely available
- Current filtering tools are not perfect
- Some policies are difficult to enforce
- Packet filtering generates extra load for the router

Firewalls - Application Level Gateway (or Proxy)

- have application specific gateway / proxy
- has full access to protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
  - can log / audit traffic at application level
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic


Different modes

- Proxy-aware application software: the application software knows how to connect to the proxy and forward the final destination
- Proxy-aware operating system software: the operating system checks and eventually modifies the IP addresses to use the proxy
- Proxy-aware user procedures: the user has to follow some procedures. He tells the client software where to connect and also tells the proxy the destination address
- Proxy-aware router: the client attempts to make connections as usual and the router intercepts and redirects packets to the proxy

Firewalls - Application Level Gateway (or Proxy)

Firewalls - Circuit Level Gateway

- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created usually relays traffic without examining contents
- typically used when trust internal users by allowing general outbound connections
- SOCKS is commonly used

Firewalls - Circuit Level Gateway


Advantage/Disadvantage

+ Proxies can do intelligent filtering
+ Proxies can provide logging and caching
+ Proxies can provide user-level authentication
- Proxies cause a delay
- Proxies can require modifications to clients
- Proxies may require a different server for each service


Network Address Translation

- NAT allows to use a set of network addresses internally and a different set externally
- Does not generate security itself, but forces connections over one point


Modes

- Static allocation: the translation scheme is static
- Dynamic allocation of addresses: the connection addresses are determined on a per-session basis
- Dynamic allocation of addresses and ports: both addresses and ports are dynamic


Advantage/Disadvantage

+ NAT helps to enforce the firewall's control over outbound traffic
+ NAT helps to restrict incoming traffic
+ NAT hides the internal network configuration
- Embedded IP can become a problem
- Dynamic allocation may interfere with encryption and authentication
- Dynamic allocation of ports may interfere with packet filters
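As an added example for the dynamic address-and-port mode and the advantage/disadvantage list above (not code from the slides): a table-driven NAT in Python that allocates a public port per private endpoint, reverses the mapping for replies, and drops inbound packets that no inside host asked for. The public address 198.51.100.1, the port range and the sample hosts are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

Endpoint = Tuple[str, int]

class PortNAT:
    """Dynamic allocation of addresses and ports (constructed example): each
    outbound (private ip, port) endpoint gets the one public address plus a
    fresh public port; replies are mapped back through the same table, and
    inbound packets with no entry are dropped, which is how NAT 'helps to
    restrict incoming traffic' without being a security mechanism itself."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Endpoint, int] = {}     # private endpoint -> public port
        self.back: Dict[int, Endpoint] = {}    # public port -> private endpoint

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.out:                 # first packet of a session: allocate
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip or p.dport not in self.back:
            return None                         # no mapping was created from inside: drop
        priv_ip, priv_port = self.back[p.dport]
        return Packet(p.src, p.sport, priv_ip, priv_port)

# Only the headers are rewritten: a protocol that also carries addresses in its
# payload (the slide's "embedded IP"; FTP's PORT command is the classic case) breaks
# unless the NAT has an application-level helper for it.
```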

Bastion Host

- highly secure host system
- runs circuit / application level gateways or provides externally accessible services
- potentially exposed to "hostile" elements, hence is secured to withstand this
  - hardened O/S, essential services, extra auth
  - proxies small, secure, independent, non-privileged
- may support 2 or more net connections
- may be trusted to enforce policy of trusted separation between these net connections

Firewall Configurations



Multiple Screened Subnets

- Split-screened subnet: multiple networks between the exterior and interior router. The networks are usually connected by dual-homed hosts.
- Independent screened subnets: n screened subnets


Hybrid - Example Structure

(figure: Internet and Supplier Net connected through several DMZs to the Employee LAN and a Back End holding the Application and Database)


Evaluating a Firewall

- Scalability
- Reliability and Redundancy
- Auditability
- Price (Hardware, Software, Setup, Maintenance)
- Management and Configuration


Firewalls and Malware

- Should preferably control both ingoing and outgoing traffic
  - Windows XP firewall controls only ingoing traffic
  - Trojans can start up servers on the inside
- Firewall should preferably inspect packets on the application layer
  - Network layer based packet filters do not provide adequate protection


Firewalls and Malware

- New worms/viruses often try to kill firewall and anti-virus processes
- "Tunneled Worms"
  - Tunnel IP packet within other IP packet to hide real IP header
  - Tunneling program can be built into Trojans

(figure: Tunneled IP packet)
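Added example (not part of the slides) for the tunneled-packet case: a Python parser that peels IP-in-IP encapsulation (IP protocol number 4) so that screening rules are applied to the inner, real header instead of the outer one, and that treats excessive nesting as a reason to drop. The sample packet bytes are constructed with the small builder in the block, and all addresses are made up.

```python
import struct
from typing import Dict

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP (RFC 2003)
IPPROTO_TCP = 6

def parse_ipv4_header(buf: bytes, off: int = 0) -> Dict:
    """Parse the fixed 20 bytes of an IPv4 header starting at offset `off`."""
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"proto": proto, "hdr_len": ihl, "total_len": total_len,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def innermost_header(buf: bytes, max_depth: int = 4) -> Dict:
    """Peel IP-in-IP layers so screening rules see the real (inner) header.
    Returns the inner header plus 'depth' (layers removed) and, for TCP,
    the destination port. Exceeding max_depth raises: treat as hostile."""
    off, depth = 0, 0
    hdr = parse_ipv4_header(buf, off)
    while hdr["proto"] == IPPROTO_IPIP:
        if depth == max_depth:
            raise ValueError("too many encapsulation layers")
        off += hdr["hdr_len"]
        hdr = parse_ipv4_header(buf, off)
        depth += 1
    hdr["depth"] = depth
    if hdr["proto"] == IPPROTO_TCP:
        hdr["dport"] = struct.unpack_from("!H", buf, off + hdr["hdr_len"] + 2)[0]
    return hdr

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header around `payload` (checksum left 0; test data only)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

# Constructed sample: a TCP segment for 10.0.0.20 port 445 (inner) carried inside an
# outer packet addressed to 10.0.0.7, which is all a header-only filter would see.
TCP_TO_445 = b"\x04\xd2\x01\xbd" + b"\x00" * 16            # sport 1234, dport 445, rest zero
INNER = build_ipv4("198.51.100.9", "10.0.0.20", IPPROTO_TCP, TCP_TO_445)
TUNNELED = build_ipv4("198.51.100.9", "10.0.0.7", IPPROTO_IPIP, INNER)
```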


IP Tables

- IP Tables is the standard kernel firewall system for Linux since Kernel 2.4.x
- Packet Filtering and NAT for Linux


Rule

- -t table
  - nat (PREROUTING, POSTROUTING)
  - mangle (PREROUTING, POSTROUTING)
  - filter (default) (FORWARD, INPUT, OUTPUT)

iptables [-t table] command [match] [target/jump]


Rule

- Command
  - -P, --policy
  - -A, --append
  - -D, --delete
  - -R, --replace
  - -L, --list
  - ...



Rule

- Match (generic)
  - -p, --protocol (TCP, UDP, ICMP)
  - -s, --source (IP address/port)
  - -d, --destination (IP address/port)
  - -i, --in-interface (eth0, eth1, ppp1)
  - -o, --out-interface (eth0, eth1, ppp1)
  - -m, --match (special commands)



Rule

- Target/jump
  - -j ACCEPT
  - -j DROP
  - -j LOG
  - -j MASQUERADE
  - ...



Example Rules

iptables -P FORWARD DROP
  Introduce the general policy to drop all packets

iptables -t nat -P PREROUTING ACCEPT
  Accept prerouting nat traffic

iptables -A FORWARD -i eth1 -p tcp -d 193.10.221.184 --dport 80 -j ACCEPT
  Accept all TCP connections to port 80 coming in at my second network interface to my IP

iptables -A FORWARD -m limit --limit 3/minute -j LOG
  Log all refused connections, but max. 3 per minute
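An added model in Python (not code from the slides) of the example rule set above: the limit match is a token bucket, as in iptables, assumed here with the iptables default burst of 5, and the FORWARD chain is walked rule by rule to show that LOG is non-terminating and that everything the ACCEPT rule does not match ends at the DROP policy. Interface names follow the slide; packets are constructed dicts.

```python
from typing import Dict, Tuple

class LimitMatch:
    """Model of the iptables 'limit' match as in the slide's '-m limit --limit 3/minute':
    a token bucket that starts full with `burst` tokens (iptables default 5), refills one
    token every 60/per_minute seconds and lets a packet match only while a token is left."""
    def __init__(self, per_minute: float, burst: int = 5):
        self.interval = 60.0 / per_minute
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

Packet = Dict   # constructed: {"in": iface, "proto": ..., "dst": ..., "dport": ...}

def forward_chain(p: Packet, limit: LimitMatch, now: float) -> Tuple[str, bool]:
    """Evaluate the slide's FORWARD chain top to bottom. Returns (verdict, logged).
    Rules are tried in the order they were appended; LOG is non-terminating, so a
    packet it matches continues to the chain policy, which is DROP."""
    # iptables -A FORWARD -i eth1 -p tcp -d 193.10.221.184 --dport 80 -j ACCEPT
    if (p["in"] == "eth1" and p["proto"] == "tcp"
            and p["dst"] == "193.10.221.184" and p["dport"] == 80):
        return "ACCEPT", False
    # iptables -A FORWARD -m limit --limit 3/minute -j LOG
    logged = limit.match(now)
    # iptables -P FORWARD DROP  (policy: what is left after the rules)
    return "DROP", logged
```

Note that the chain as written also logs and drops the web server's own replies, because no rule accepts the return direction; in a real iptables configuration an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule ahead of the LOG rule is the usual fix.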


Additional Literature

- Building Internet Firewalls, Zwicky, Cooper; ISBN 1565928717; O'Reilly
- iptables Tutorial 1.1.16, Oskar Andreasson, http://iptables-tutorial.frozentux.net/iptables-tutorial.html

