
Date post: 23-Feb-2018
Firewalls Mahalingam Ramkumar
Transcript
Page 1: Mahalingam Ramkumar - SRM · PDF fileFirewall Limitations Cannot protect from attacks bypassing it – eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)

Firewalls

Mahalingam Ramkumar

Page 2:

Evolution of Networks

● Centralized data processing
● LANs
● Premises network – interconnection of LANs and mainframes
● Enterprise-wide network – interconnection of LANs in a private WAN
● LANs interconnected using the Internet and using virtual private networks

Page 3:

What is a Firewall?

● A “choke point”
● A location for monitoring security related events
  – Audits and alarms
● Non-security related functions
  – NAT, network management
● An end-point for IPSec

Page 4:

Firewall Limitations

● Cannot protect from attacks bypassing it
  – eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
● Cannot protect against internal threats
  – eg disgruntled employee
● Cannot protect against transfer of virus infected programs or files
  – because of huge range of O/S & file types

Page 5:

Firewall – Basic Types

● Packet-Filtering Router
● Stateful Inspection Firewalls
● Application Level Gateway
● Circuit Level Gateway

Page 6:

Packet Filters

Page 7:

Packet Filters

● Filtering based on
  – Source IP address
  – Destination IP address
  – Source and Destination transport-level address
  – IP protocol field
  – Interface (physical)
● Rules!
  – Configuration files
  – Explicit allow / block

Page 8:

Packet Filtering Example

Page 9:

Attacks on Packet Filtering

● IP address spoofing
● Source routing attacks
● Tiny fragment attacks
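The packet filter of Page 7 and the three attacks of Page 9 can be put together in one small filter. The following is an added example, not code from the slides: a constructed rule set (first-match, default deny, with "any" fields left as None) for an assumed internal network 10.0.0.0/8 behind two assumed interfaces "ext" and "int". Before the rules are consulted, the filter drops source-routed packets, drops TCP fragments whose offset would overlap the TCP header, and drops tiny first fragments too short to carry the full TCP header (the RFC 1858 recommendation); the first rule is an anti-spoofing rule that rejects internal source addresses arriving on the external interface. Packet fields and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_HEADER_MIN = 20  # bytes; a first fragment shorter than this cannot carry the full TCP header


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: the header fields a packet filter matches on."""
    src_ip: str
    dst_ip: str
    proto: str                     # "tcp", "udp" or "icmp"
    src_port: Optional[int]
    dst_port: Optional[int]
    iface: str                     # physical interface the packet arrived on
    frag_offset: int = 0           # IP fragment offset in 8-byte units
    more_fragments: bool = False   # IP MF flag
    payload_len: int = 0           # bytes following the IP header
    source_routed: bool = False    # carries a loose/strict source route option


@dataclass(frozen=True)
class Rule:
    """One line of a constructed rule set; None in a field means 'any'."""
    action: str                    # "allow" or "block"
    src_ip: Optional[str] = None   # host address or CIDR prefix
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src_ip is not None and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_ip):
            return False
        if self.dst_ip is not None and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_ip):
            return False
        exact = [(self.proto, p.proto), (self.src_port, p.src_port),
                 (self.dst_port, p.dst_port), (self.iface, p.iface)]
        return all(want is None or want == have for want, have in exact)


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation with default deny; returns (action, reason)."""
    # Pre-checks for the attacks on Page 9, applied before any rule is consulted.
    if p.source_routed:
        return "block", "source-routed packet"            # never honour a sender-chosen path
    if p.proto == "tcp" and p.frag_offset == 1:
        return "block", "fragment overlaps TCP header"    # RFC 1858: offset 1 can rewrite the ports
    if p.proto == "tcp" and p.frag_offset == 0 and p.more_fragments and p.payload_len < TCP_HEADER_MIN:
        return "block", "tiny first fragment"             # ports cannot be checked, so drop it
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return "block", "default deny"


# Constructed rule set: internal network 10.0.0.0/8, interfaces "ext" (outside) and "int" (inside).
RULES = [
    Rule("block", src_ip="10.0.0.0/8", iface="ext"),                           # anti-spoofing
    Rule("allow", dst_ip="10.0.0.25", proto="tcp", dst_port=25, iface="ext"),  # inbound mail only
    Rule("allow", src_ip="10.0.0.0/8", iface="int"),                           # anything from inside
]

# Constructed sample packets (documentation addresses only).
SAMPLES = {
    "spoofed":   Packet("10.0.0.5", "10.0.0.25", "tcp", 40000, 22, "ext"),
    "mail":      Packet("203.0.113.7", "10.0.0.25", "tcp", 40000, 25, "ext"),
    "web":       Packet("203.0.113.7", "10.0.0.25", "tcp", 40000, 80, "ext"),
    "outbound":  Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443, "int"),
    "tiny_frag": Packet("203.0.113.7", "10.0.0.25", "tcp", None, None, "ext",
                        frag_offset=0, more_fragments=True, payload_len=8),
    "src_route": Packet("203.0.113.7", "10.0.0.25", "tcp", 40000, 25, "ext", source_routed=True),
}


def run_samples():
    """Returns {name: (action, reason)} for every constructed sample packet."""
    return {name: filter_packet(RULES, p) for name, p in SAMPLES.items()}
```

Rule order matters: the anti-spoofing block sits first so that no later allow rule can be reached by a packet that merely claims an internal address. The fragment pre-checks run before the rules because a first fragment without a transport header gives the rule matcher no ports to compare.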

Page 10:

Firewalls – Stateful Packet Filters

● Examine each IP packet in context
  – keeps track of client-server sessions
  – checks each packet belongs to a valid session
● Better ability to detect bogus packets “out of context”
● A session might be pinned down by
  – Source IP and Port,
  – Dest IP and Port,
  – Protocol, and
  – Connection State
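A stateful packet filter keyed on exactly the tuple listed above (source IP and port, destination IP and port, protocol, connection state) can be sketched in a few dozen lines. The following is an added example and not code from the slides; it assumes TCP only, an assumed internal network 10.0.0.0/8 whose clients are the only side allowed to open sessions, and a constructed trace of segments with a logical clock for the idle timeout. Segments that arrive with no matching session, or with flags that do not fit the session's current state, are the “out of context” packets the slide refers to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """Constructed TCP segment: session tuple, control flags and arrival time."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]    # subset of {"SYN", "ACK", "FIN", "RST"}
    time: float              # seconds; drives the idle timeout


Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class StatefulFilter:
    """Tracks client-server sessions and admits only segments that fit the session state."""

    def __init__(self, internal_net: str, idle_timeout: float = 300.0):
        self.internal = ipaddress.ip_network(internal_net)
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Key, dict] = {}

    def _lookup(self, s: Segment) -> Tuple[Optional[Key], Optional[str]]:
        fwd = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        rev = (s.dst_ip, s.dst_port, s.src_ip, s.src_port)
        if fwd in self.sessions:
            return fwd, "c2s"
        if rev in self.sessions:
            return rev, "s2c"
        return None, None

    def _expire(self, now: float) -> None:
        stale = [k for k, v in self.sessions.items() if now - v["last"] > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def process(self, s: Segment) -> str:
        self._expire(s.time)
        key, direction = self._lookup(s)
        f = s.flags
        if key is None:
            # Only an internal client may open a session, and only with a bare SYN.
            if f == {"SYN"} and ipaddress.ip_address(s.src_ip) in self.internal:
                self.sessions[(s.src_ip, s.src_port, s.dst_ip, s.dst_port)] = {
                    "state": "SYN_SENT", "last": s.time, "fin_from": set()}
                return "allow"
            return "drop: no session"        # stray ACK, unsolicited SYN-ACK, inbound SYN
        sess = self.sessions[key]
        sess["last"] = s.time
        if "RST" in f:
            del self.sessions[key]           # either side aborted the connection
            return "allow"
        if sess["state"] == "SYN_SENT":
            if direction == "s2c" and f == {"SYN", "ACK"}:
                sess["state"] = "ESTABLISHED"
                return "allow"
            if direction == "c2s" and f == {"SYN"}:
                return "allow"               # client retransmitted its SYN
            return "drop: out of context"
        # ESTABLISHED or CLOSING
        if "SYN" in f:
            return "drop: out of context"    # a fresh SYN inside a live session is bogus
        if "FIN" in f:
            sess["fin_from"].add(direction)
            sess["state"] = "CLOSING"
        elif sess["state"] == "CLOSING" and len(sess["fin_from"]) == 2:
            del self.sessions[key]           # final ACK of the close handshake
        return "allow"


def run_trace() -> List[str]:
    """Replays a constructed trace: one legitimate session plus out-of-context segments."""
    fw = StatefulFilter("10.0.0.0/8")
    C, S, X = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # client, server, outsider
    trace = [
        Segment(C, 40000, S, 443, frozenset({"SYN"}), 0.0),
        Segment(S, 443, C, 40000, frozenset({"SYN", "ACK"}), 0.1),
        Segment(C, 40000, S, 443, frozenset({"ACK"}), 0.2),
        Segment(X, 1234, C, 40000, frozenset({"ACK"}), 0.3),               # stray ACK, no session
        Segment(S, 443, "10.0.0.6", 5000, frozenset({"SYN", "ACK"}), 0.4),  # unsolicited SYN-ACK
        Segment(X, 5555, C, 22, frozenset({"SYN"}), 0.5),                  # inbound connect attempt
        Segment(C, 40000, S, 443, frozenset({"FIN", "ACK"}), 1.0),
        Segment(S, 443, C, 40000, frozenset({"FIN", "ACK"}), 1.1),
        Segment(C, 40000, S, 443, frozenset({"ACK"}), 1.2),                # closes the session
        Segment(C, 40000, S, 443, frozenset({"ACK"}), 1.3),                # session no longer exists
    ]
    return [fw.process(seg) for seg in trace]
```

The stateless filter of Page 7 would have to admit every inbound segment carrying the ACK bit to let replies through; the session table lets this filter admit a reply only when an internal client actually opened the connection, which is what catches the stray ACK and the unsolicited SYN-ACK in the trace.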

Page 11:

Firewalls - Application Level Gateway (or Proxy)

Page 12:

Application Level Gateway

● Application specific gateway / proxy
● has full access to protocol
  – user requests service from proxy
  – proxy validates request as legal
  – acts on behalf of the user
  – returns result to user
● need separate proxies for each service
  – some services naturally support proxying
  – others are more problematic
  – custom services generally not supported

Page 13:

Firewalls - Circuit Level Gateway

Page 14:

Circuit Level Gateway

● Relays two TCP connections
● Imposes security by limiting types of connections that are allowed
● Once created, usually relays traffic without examining contents
● Typically used with trusted internal users (by allowing general outbound connections)
● SOCKS (RFC 1928)
  – SOCKS server
  – SOCKS client library
  – SOCKSified versions of application programs

Page 15:

SOCKS

Page 16:

Bastion Host

● Highly secure host system
● Exposed to "hostile" elements
  – hence secured to withstand attacks
  – Trusted System
● May be single or multi-homed
● Enforce trusted separation between network connections
● Run circuit / application level gateways
● Provide externally accessible services

Page 17:

Firewall Configurations

● Screened Host – Single Homed Bastion Host
● Screened Host – Dual Homed Bastion Host
● Screened Subnet

Page 18:

Screened Host – Single Homed Bastion Host

Page 19:

Screened Host – Dual Homed Bastion Host

Page 20:

Screened-subnet Firewall

Page 21:

Access Control

● Given that the system has identified a user
● Determine what resources they can access
● General model - access matrix
  – subject - active entity (user, process)
  – object - passive entity (file or resource)
  – access right – way object can be accessed
● can decompose by
  – columns as access control lists
  – rows as capability tickets

Page 22:

Access Control Matrix

Page 23:

Trusted Computer Systems

● Varying degrees of sensitivity of information
  – military classifications: confidential, secret, TS, etc
● Subjects (people or programs) have varying rights of access to objects (information)
● Need to consider ways of increasing confidence in systems to enforce these rights
● Multilevel security
  – subjects have maximum & current security level
  – objects have a fixed security level classification

Page 24:

Bell LaPadula (BLP) Model

● One of the well-known security models
● Implemented as mandatory policies on system
● Two key policies:
  – no read up (simple security property)
    ● a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
  – no write down (*-property)
    ● a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
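The two BLP properties, together with the maximum/current level distinction from Page 23, make a compact reference monitor. The following is an added example and not code from the slides: it assumes the linear ordering unclassified < confidential < secret < top secret, a subject with a clearance (maximum level) and an operating (current) level that may be lowered but never raised above the clearance, and objects with fixed classifications. Read requests are checked against the simple security property and write/append requests against the *-property; the demo walks a constructed subject through read-down, read-up, write-up, write-down and a level change.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed linear ordering of security levels; a higher index dominates a lower one.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """a dominates b when a's level is at least b's level (>=)."""
    return RANK[a] >= RANK[b]


@dataclass
class Subject:
    name: str
    max_level: str       # clearance
    current_level: str   # level the subject is operating at; never above max_level

    def __post_init__(self) -> None:
        if not dominates(self.max_level, self.current_level):
            raise ValueError(f"{self.name}: current level exceeds clearance")

    def lower_to(self, level: str) -> None:
        """A subject may operate below its clearance so it can write to lower-classified objects."""
        if not dominates(self.max_level, level):
            raise ValueError(f"{self.name}: cannot raise current level above clearance")
        self.current_level = level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str   # fixed for the lifetime of the object


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property (no read up): subject level must dominate object classification."""
    return dominates(s.current_level, o.classification)


def can_write(s: Subject, o: Obj) -> bool:
    """*-property (no write down): object classification must dominate subject level."""
    return dominates(o.classification, s.current_level)


def decide(s: Subject, o: Obj, op: str) -> bool:
    """Reference-monitor style decision for a single read or write/append request."""
    if op == "read":
        return can_read(s, o)
    if op in ("write", "append"):
        return can_write(s, o)
    raise ValueError(f"unknown operation {op!r}")


def demo() -> Dict[str, bool]:
    """Constructed walk-through: a top-secret-cleared analyst operating at secret."""
    analyst = Subject("analyst", max_level="top secret", current_level="secret")
    memo = Obj("memo", "confidential")
    plan = Obj("plan", "top secret")
    results = {
        "read confidential at secret": decide(analyst, memo, "read"),     # read down: allowed
        "read top secret at secret": decide(analyst, plan, "read"),       # read up: denied
        "write top secret at secret": decide(analyst, plan, "append"),    # write up: allowed
        "write confidential at secret": decide(analyst, memo, "write"),   # write down: denied
    }
    analyst.lower_to("confidential")                                      # below clearance, so allowed
    results["write confidential at confidential"] = decide(analyst, memo, "write")  # same level: allowed
    results["read top secret at confidential"] = decide(analyst, plan, "read")      # still denied
    return results
```

Note that the *-property allows the subject at secret to append to a top-secret object it cannot read; that is the intended behaviour of the model (information only flows upward), and the usual way to let a cleared user write a lower-classified document is to lower the current level first, as `lower_to` does.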

