Date post: 16-Dec-2015
Upload: calvin-ireland
Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Chapter 9 – Firewalls and Firewalls and Intrusion Prevention Systems Intrusion Prevention Systems
Page 1: Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems.

Second Edition
by William Stallings and Lawrie Brown

Lecture slides by Susan Lincke & Lawrie Brown

Chapter 9 – Firewalls and Intrusion Prevention Systems

Page 2

Chapter Objectives
The student should be able to:
  Describe the different types of firewalls: Circuit, Application Proxy, Packet, Stateful, Personal, including how they differ in an example attack that each can fend off.
  Describe 3 firewall vulnerabilities
  Draw configurations for network types: double inline, T, multihomed, distributed, load balanced.
  Describe what a firewall policy is, give an example policy, and indicate how a policy may be used
  Describe each of the following: border router, static and dynamic NAT and PAT.

Page 3

Figure labels (layers of protection):
  Border Router
  Perimeter firewall
  Internal firewall
  Intrusion Detection System
  Policies & Procedures & Audits
  Authentication
  Access Controls

Page 4

Firewall Required Functions
  Serve as an entry point into a network
  Screen all packets entering the network
    Service control
    Direction control
    User control
    Behavior control (access only part of Web service)
  Log and alarm events
  Perform Network Address Translation functions (optional)
  Perform Virtual Private Network functions (optional)
  Support no other functions (that can be compromised)

Page 5

Firewall Locations

Page 6

Figure labels: Internet; Screening Router; Firewall A; External DNS, IDS, Web Server, E-Commerce / VPN Server; Firewall B; IDS; Protected Internal Network; IDS; Database/File Servers

Page 7

Figure labels: Internet; Screening Router; Router; Firewall B; External DNS, IDS, Web Server, E-Commerce / VPN Server; Firewall A; Protected Internal Network; IDS; Database/File Servers

Page 8

Figure labels: Internet; Screening Router; Router; Firewall; Demilitarized Zone: External DNS, IPS, Web Server, E-Commerce / VPN Server; Protected Internal Network Zone; IPS; Database/File Servers

Page 9

Figure labels: Internet; Screening Router; Firewall A; External DNS, IDS, Web Server, E-Commerce / VPN Server; Firewall B; IDS; Protected Internal Network; IDS; Database/File Servers; Firewall (label repeated on individual hosts)

Page 10

Bastion Hosts
  critical strongpoint in network
  hosts application/circuit-level gateways
  common characteristics:
    runs secure O/S, only essential services
    may require user auth to access proxy or host
    each proxy can restrict services & hosts accessed
    each proxy small, simple, checked for security
    each proxy is independent, non-privileged
    proxy disk use is boot only; hence read-only code

Page 11

Firewall Topologies
  host-resident firewall
  screening router
  single bastion inline: one firewall
  single bastion T: with 3 zones
  double bastion inline: serial firewalls
  double bastion T: with 3 zones
  distributed firewall configuration: double with host firewalls

Page 12

Figure labels: Internet; Router; Firewall Vendor A; External DNS, IPS, Web Server, E-Commerce / VPN Server; Firewall Vendor B; IDS; Protected Internal Network; IPS; Database/File Servers; Security Mgmt Syslog

Page 13

Types of Firewalls

Page 14

Packet Filtering (figure: terminal A – router/firewall – host A)
  Packet header is inspected
  Single packet attacks caught
  Very little overhead in firewall: very quick
  High volume filter

Stateful Inspection (figure: terminal A – firewall – host A)
  State retained in firewall memory
  Most multi-packet attacks caught
  More fields in packet header inspected
  Little overhead in firewall: quick

Page 15

Packet Filtering Firewall
  applies rules to packets in/out of firewall
  based on information in packet header
    src/dest IP addr & port, IP protocol, interface
  typically a list of rules of matches on fields
  if a rule matches, it says whether to forward or discard the packet
  two default policies:
    discard - prohibit unless expressly permitted
    forward - permit unless expressly prohibited

Page 16

Packet Filter Problems
  In heavy load may forward all packets without logging
  Cannot catch application-level errors
    ICMP can have invalid contents
    FTP, RPC use ports > 1023, dynamically allocated
  Cannot recognize spoofed IP or port addresses
  Do not support advanced user authentication
  Tiny fragments can hide attacks
  Improper configuration can lead to breaches
  Routers can do packet filtering; most firewalls do more

Page 17

Stateful Inspection Firewall
  reviews packet header information but also keeps info on TCP connections
    typically have low, “known” port no for server and high, dynamically assigned client port no
    simple packet filter must allow all return high-port-numbered packets back in
  stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
    only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
  may also track TCP seq numbers as well

Page 18

Packet Filter Rules

Page 19

Stateful Packet Filters
  Tracks TCP/UDP connection status
  Can configure outbound-only connections
  Packets are allowed in if connection is established
  Records source/destination IP and port addresses, protocol (TCP/UDP), timer expiration
    TCP: Also supports TCP state, sequence numbers
    UDP: Supports expiration timer, pseudo state
  May prevent fragmentation attacks
  Advantage: Supports higher loads than Circuit-Level Firewalls at same memory/processor speed levels
  Problems
    ICMP: Messages may come from intermediate node, not destination. Must accept/reject all ICMP messages of type N
    DOS Attack: Establish connections to fill table
    Applications change ports or use multiple ports: e.g., ftp
    Application attacks not detected since application protocols not scanned
  Some routers support stateful packet filtering; nearly all firewalls do

Page 20

Stateful Firewall Connection State Table

Source Address   Source Port   Destination Address   Destination Port   Connection State
215.34.55.143    2011          188.55.43.59          80                 Established
84.22.428.143    1027          188.55.43.59          80                 Established
188.55.42.34     1022          89.42.33.143          23                 Established
184.56.23.123    88            188.55.43.49          80                 Established
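The connection directory from this table and the behaviour described on the previous two slides (outbound-only policy, replies allowed in only while an entry exists, UDP pseudo-state on an expiration timer, and a bound on the table so a flood of connection attempts cannot fill it) can be written out as a small stateful filter. This is an added example, not code from the slides or the textbook; the timeout values, the table cap, the `StatefulFilter`/`Packet` names and the sample packets are constructed for it, reusing one address pair from the table above.

```python
"""Stateful packet filter with a connection state table (added example).

Tracks outbound TCP/UDP flows in a directory keyed on the 5-tuple, lets the
reply leg back in only while an entry exists, expires UDP pseudo-state on a
timer, and caps the table size so a flood of connection attempts cannot fill it.
"""
import time
from dataclasses import dataclass

TCP_TIMEOUT = 3600.0   # seconds an idle TCP entry stays in the directory (assumed value)
UDP_TIMEOUT = 30.0     # UDP has no handshake, so "pseudo state" lives on a short timer
MAX_ENTRIES = 1000     # bound on table size: limits the table-filling DoS from slide 19


@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out" = internal host to Internet, "in" = arriving from outside
    syn: bool = False  # TCP SYN set: a connection attempt rather than data on an open one


class StatefulFilter:
    def __init__(self, now=time.monotonic):
        self.now = now       # injectable clock so expiry can be tested deterministically
        self.table = {}      # (proto, src, sport, dst, dport) -> (state, expiry time)

    def _expire(self):
        t = self.now()
        for key in [k for k, (_, exp) in self.table.items() if exp <= t]:
            del self.table[key]

    def filter(self, pkt):
        """Return "FORWARD" or "DROP" for one packet and update the state table."""
        self._expire()
        timeout = TCP_TIMEOUT if pkt.proto == "TCP" else UDP_TIMEOUT
        if pkt.direction == "out":
            # Outbound-only policy: internal hosts may open connections to the outside.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                if len(self.table) >= MAX_ENTRIES:
                    return "DROP"                   # table full: refuse to add new state
                state = "SYN_SENT" if pkt.proto == "TCP" else "PSEUDO"
            else:
                state = self.table[key][0]
            self.table[key] = (state, self.now() + timeout)
            return "FORWARD"
        # Inbound: allowed only as the reply leg of a flow an internal host opened.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse not in self.table:
            return "DROP"                           # unsolicited, including inbound SYNs
        state = "ESTABLISHED" if pkt.proto == "TCP" else "PSEUDO"
        self.table[reverse] = (state, self.now() + timeout)
        return "FORWARD"


def run_demo():
    """Constructed traffic: returns the filter decision for each packet, in order."""
    clock = [0.0]
    fw = StatefulFilter(now=lambda: clock[0])
    packets = [
        # Internal host opens Telnet to 89.42.33.143 (the pair from the table), reply comes back.
        Packet("TCP", "188.55.42.34", 1022, "89.42.33.143", 23, "out", syn=True),
        Packet("TCP", "89.42.33.143", 23, "188.55.42.34", 1022, "in"),
        # Outside host tries to open a connection to an internal high port: no entry for it.
        Packet("TCP", "89.42.33.143", 23, "188.55.42.34", 1023, "in", syn=True),
        # UDP query out; the reply arrives after the pseudo-state timer has run out.
        Packet("UDP", "188.55.42.34", 5000, "203.0.113.53", 53, "out"),
        Packet("UDP", "203.0.113.53", 53, "188.55.42.34", 5000, "in"),
    ]
    decisions = []
    for i, pkt in enumerate(packets):
        if i == 4:
            clock[0] = UDP_TIMEOUT + 1.0   # advance past the UDP timeout before the reply
        decisions.append(fw.filter(pkt))
    return decisions


if __name__ == "__main__":
    print(run_demo())  # ['FORWARD', 'FORWARD', 'DROP', 'FORWARD', 'DROP']
```

The state an entry carries is what lets the filter do more than a plain packet filter: the inbound Telnet reply is forwarded only because the outbound SYN created an entry, the inbound SYN to port 1023 has no entry and is dropped, and the late UDP reply is dropped because pseudo-state has no handshake to rely on and must be timed out.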

Page 21

Circuit-Level Firewall (figure: terminal A – firewall/proxy – host B)
  Packet session terminated and recreated via a Proxy Server
  All multi-packet attacks caught
  Packet header completely inspected
  High overhead in firewall: slow

Application-Proxy Firewall (figure: terminal A – firewall/proxy – host B)
  Packet session terminated and recreated via a Proxy Server
  Packet header completely inspected
  Most or all of application inspected
  Highest overhead: slow & low volume

Page 22

Figure: packet layout and the fields inspected by each firewall type

  IP Header: … Prot | Src Addr | Dest Addr | …
  TCP Header: … Src Port | Dest Port | Flag | SeqNo
  Application Header & Data: Appl Hdr | Appl Data

  Packet Filter: Prot, Src Addr, Dest Addr, Src Port, Dest Port
  Stateful Packet Filter – Circuit Level Filter – Proxy Server: the above plus Flag, SeqNo
  Application Proxy Firewall: the above plus Appl Hdr
  Guard Firewall – Sophisticated Application Proxy Firewall – IDS/IPS: the above plus Appl Data

Fields shown are monitored by these types of Firewalls

Page 23

Circuit-Level Firewalls or Proxy Server
  Establishes a TCP connection with remote end before passing information through.
  Creates two sessions: one with sender & one with receiver
  Does not filter based on packet contents (other than state)
  Also known as Pass-Through Proxy or Generic Proxy
  Advantages:
    If firewall failure, no packets are forwarded through firewall
    Catches fragmentation errors
  Problems:
    Does not detect invalid application data
    Moves security issues from service to firewall: e.g., DOS attacks
    Less able to handle high loads since each connection becomes two
    Requires much greater memory and processor at application level (Web page is > 1 connection)
    Slower interfaces can result in poor performance for streaming applications

Page 24

Application Proxy Firewall
  Examines packets and their contents at the Application Layer
  Can cause delay due to additional processing
  May strip info on internal servers, server version on outgoing messages (e.g., email)
  May allow only certain types of sessions through:
    FTP: May permit receives, no sends. Or sends of specific files only.
    Email: Encrypts email between all of company’s offices
    HTTP: May filter PUT commands, URL names. Can cache replies.
    Authentication: Perform extra authentication for external access (via dialup or internet)

Page 25

Application-Level Gateway
  acts as a relay of application-level traffic
    user contacts gateway with remote host name
    authenticates themselves
    gateway contacts application on remote host and relays TCP segments between server and user
  must have proxy code for each application
    may restrict application features supported
  more secure than packet filters
    but have higher overheads

Page 26

SOCKS Circuit-Level Gateway
  SOCKS v5 defined as RFC1928 to allow TCP/UDP client-server applications to use firewall
  components:
    SOCKS server on firewall
    SOCKS client library on all internal hosts
    SOCKS-ified client applications
  client app contacts SOCKS server, authenticates, sends relay request
    server evaluates & establishes relay connection
  UDP handled with parallel TCP control channel
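The exchange just listed (client greeting, authentication, relay request, server evaluation) follows the byte layouts of RFC 1928, with username/password authentication from RFC 1929. The encoder/decoder and simulated server below are an added example, not code from the slides or from any SOCKS implementation; the `SocksServer` class, its relay ruleset (a set of permitted destination ports), the user table and the bound address it reports are constructed for the example, and the server only handles the CONNECT command.

```python
"""SOCKS v5 message encoding/decoding and a simulated client/server exchange (added example)."""
import hmac
import socket
import struct

VER = 0x05
# Authentication methods (RFC 1928 section 3); 0x02 is username/password (RFC 1929).
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CONNECT, BIND, UDP_ASSOCIATE = 0x01, 0x02, 0x03          # request commands
IPV4, DOMAIN, IPV6 = 0x01, 0x03, 0x04                    # address types
SUCCEEDED, NOT_ALLOWED, CMD_UNSUPPORTED, ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08


def greeting(methods):            # client -> server: VER NMETHODS METHODS
    return bytes([VER, len(methods), *methods])


def userpass(user, pw):           # RFC 1929 subnegotiation: VER=1 ULEN UNAME PLEN PASSWD
    u, p = user.encode(), pw.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def encode_addr(host, port):      # ATYP DST.ADDR DST.PORT (port in network byte order)
    try:
        body = bytes([IPV4]) + socket.inet_aton(host)
    except OSError:               # not a dotted quad: send it as a domain name
        name = host.encode("idna")
        body = bytes([DOMAIN, len(name)]) + name
    return body + struct.pack("!H", port)


def request(cmd, host, port):     # client -> server: VER CMD RSV ATYP DST.ADDR DST.PORT
    return bytes([VER, cmd, 0x00]) + encode_addr(host, port)


def decode_addr(buf, off):
    atyp = buf[off]
    if atyp == IPV4:
        host, off = socket.inet_ntoa(buf[off + 1:off + 5]), off + 5
    elif atyp == DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    return host, struct.unpack("!H", buf[off:off + 2])[0]


class SocksServer:
    """Firewall-side SOCKS server (constructed): requires user/password auth, applies a port ruleset."""

    def __init__(self, users, allowed_ports):
        self.users, self.allowed_ports = users, allowed_ports
        self.authenticated = False
        self.relays = []          # (host, port) of relay connections the server established

    def on_greeting(self, msg):   # server -> client: VER METHOD
        if msg[0] != VER or msg[1] != len(msg) - 2:
            raise ValueError("malformed greeting")
        method = USERPASS if USERPASS in msg[2:] else NO_ACCEPTABLE
        return bytes([VER, method])

    def on_userpass(self, msg):   # server -> client: VER=1 STATUS (0x00 = success)
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        pw = msg[3 + ulen:3 + ulen + plen]
        expected = self.users.get(user, "").encode()
        self.authenticated = bool(expected) and hmac.compare_digest(expected, pw)
        return bytes([0x01, 0x00 if self.authenticated else 0x01])

    def on_request(self, msg):    # server -> client: VER REP RSV ATYP BND.ADDR BND.PORT
        def reply(rep, host="0.0.0.0", port=0):
            return bytes([VER, rep, 0x00]) + encode_addr(host, port)
        if not self.authenticated:
            return reply(NOT_ALLOWED)
        if msg[1] != CONNECT:
            return reply(CMD_UNSUPPORTED)
        try:
            host, port = decode_addr(msg, 3)
        except ValueError:
            return reply(ATYP_UNSUPPORTED)
        if port not in self.allowed_ports:              # server evaluates the request
            return reply(NOT_ALLOWED)
        self.relays.append((host, port))                 # ...and establishes the relay
        return reply(SUCCEEDED, "192.0.2.1", 40000 + len(self.relays))  # constructed BND.ADDR


def simulate():
    """One client/server exchange; returns the REP code of each relay request in order."""
    srv = SocksServer(users={"alice": "s3cret"}, allowed_ports={80, 443})
    results = [srv.on_request(request(CONNECT, "www.example.com", 443))[1]]  # before auth
    assert srv.on_greeting(greeting([NO_AUTH, USERPASS])) == bytes([VER, USERPASS])
    assert srv.on_userpass(userpass("alice", "s3cret")) == bytes([0x01, 0x00])
    results.append(srv.on_request(request(CONNECT, "www.example.com", 443))[1])  # allowed
    results.append(srv.on_request(request(CONNECT, "192.0.2.10", 23))[1])        # port not in ruleset
    results.append(srv.on_request(request(BIND, "192.0.2.10", 80))[1])           # BIND not handled here
    return results
```

Each message stays exactly the size the RFC gives it, which is why the parser can read an address from a fixed offset; the server's answers (method 0x02 selected, status 0x00 after authentication, REP 0x02 for anything the ruleset does not allow) are the bytes a real SOCKS client expects to see.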

Page 27

Distributed Firewalls

Page 28

Host-Based Firewalls
  often used on servers
  used to secure individual host
  available in/add-on for many O/S
  filter packet flows
  advantages:
    tailored filter rules for specific host needs
    protection from both internal / external attacks
    additional layer of protection to org firewall

Page 29

Personal Firewall
  controls traffic flow to/from PC/workstation
  for both home or corporate use
  may be software module on PC
    or in home cable/DSL router/gateway
  typically much less complex
  primary role to deny unauthorized access
  may also monitor outgoing traffic to detect/block worm/malware activity

Page 30

Virtual Private Networks

Page 31

NAT (figure)
  Dynamic NAT: Single external IP address may translate into many IP addresses.
  Hide NAT or PAT: IP/Port translates to IP/Port
  Static NAT: External IP address translates into Internal IP address.
  External Organization IP: 201.25.44.0/24
  Internal Addresses: 10.0.0.0/8

Page 32

Network Address Translation
  Static NAT: One external IP address translates into one fixed internal IP address
  Dynamic NAT: Internal IP addresses are assigned an external IP address on a FCFS basis.
  Port Address Translation (PAT) or Hide NAT: Translates one incoming IP address/port into an internal IP address/port. Multiple internal IP addresses can map to one external IP address
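The three translation modes can be put side by side on one gateway using the address plan from the figure (internal 10.0.0.0/8, external 201.25.44.0/24). The code is an added example, not from the slides or any NAT implementation; the `NatGateway` class, the specific addresses, the port numbering and the "use the dynamic pool until it is empty, then fall back to PAT" behaviour are all constructed for the example.

```python
"""Static NAT, dynamic NAT (FCFS pool) and PAT / hide NAT on one gateway (added example)."""
import ipaddress
from itertools import count

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


class NatGateway:
    def __init__(self, static, pool, pat_address):
        self.static = dict(static)       # internal ip -> fixed external ip (static NAT)
        self.pool = list(pool)           # unleased external addresses (dynamic NAT)
        self.dynamic = {}                # internal ip -> leased external ip
        self.pat_address = pat_address   # the single address many hosts hide behind (PAT)
        self.pat = {}                    # (proto, internal ip, internal port) -> external port
        self.pat_reverse = {}            # (proto, external port) -> (internal ip, internal port)
        self._ports = count(1024)        # next free external port for PAT (constructed range)

    def outbound(self, proto, src_ip, src_port):
        """Translate an outgoing packet's source; returns (external ip, external port)."""
        if ipaddress.ip_address(src_ip) not in INTERNAL_NET:
            raise ValueError("refusing to translate a non-internal source: %s" % src_ip)
        if src_ip in self.static:
            return self.static[src_ip], src_port             # static NAT: port unchanged
        if src_ip not in self.dynamic and self.pool:
            self.dynamic[src_ip] = self.pool.pop(0)          # dynamic NAT: first come, first served
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        key = (proto, src_ip, src_port)                      # PAT: one external address, many hosts
        if key not in self.pat:
            ext_port = next(self._ports)
            self.pat[key] = ext_port
            self.pat_reverse[(proto, ext_port)] = (src_ip, src_port)
        return self.pat_address, self.pat[key]

    def inbound(self, proto, dst_ip, dst_port):
        """Reverse-translate a packet arriving from outside; None means no mapping (drop it)."""
        for internal, external in list(self.static.items()) + list(self.dynamic.items()):
            if external == dst_ip:
                return internal, dst_port
        if dst_ip == self.pat_address:
            return self.pat_reverse.get((proto, dst_port))   # only replies to flows we created
        return None


def demo():
    """Constructed traffic through a gateway with one static entry and a one-address pool."""
    gw = NatGateway(static={"10.0.0.5": "201.25.44.5"},      # public web server, always reachable
                    pool=["201.25.44.100"],                  # a single dynamic address
                    pat_address="201.25.44.1")
    return {
        "static_out": gw.outbound("TCP", "10.0.0.5", 443),
        "static_in": gw.inbound("TCP", "201.25.44.5", 443),    # unsolicited inbound reaches the server
        "dynamic_a": gw.outbound("TCP", "10.1.1.1", 5000),      # takes the only pool address
        "pat_b": gw.outbound("TCP", "10.1.1.2", 5000),          # pool empty: hides behind PAT
        "pat_c": gw.outbound("TCP", "10.1.1.3", 5000),          # same internal port, new external port
        "pat_reply": gw.inbound("TCP", "201.25.44.1", 1025),    # reply to host c is mapped back
        "unsolicited": gw.inbound("TCP", "201.25.44.1", 2000),  # no flow behind that port: dropped
    }
```

The last two entries show why hide NAT is also a filter: an inbound packet to the shared address is only deliverable if an internal host created the flow, whereas the static entry is reachable from outside at any time and therefore needs the firewall rules in front of it.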

Page 33

Firewall Capabilities & Limits
  capabilities:
    defines a single choke point
    provides a location for monitoring security events
    convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
  limitations:
    cannot protect against attacks bypassing firewall
    may not protect fully against internal threats
    improperly secured wireless LAN
    laptop, PDA, portable storage device infected outside then used inside

Page 34

Firewall Vulnerabilities
  Firewalls can be bypassed via other means (e.g., modem, CDs)
  Data transmitted to the outside may be vulnerable
  Firewalls may lie: in heavy loads attack packets may get through without logging.
  Extra software on the firewall device increases vulnerability
  Firewalls are vulnerable if installed above a general-purpose OS
  Firewalls do not prevent malicious acts within the network
  Layers of defense are safer than a single firewall
  Auditing: Scan weekly or at every change
  Retain a baseline of perimeter device configurations

Page 35

Designing Firewalls/Routers
  Before creating a firewall configuration, create firewall policies.
  Firewall policy: An Access Control List (ACL) item in English
  Policies can be reviewed, turned into ACLs, and tested
  Example Policy: IP addresses with internal source addresses shall not be allowed into the internal network from the outside.
  Often ports > 1000 cannot be closed due to applications like FTP
  Other policies may deal with failover protection, detecting malicious code, …

Page 36

Configuring Firewalls/Routers
  Put specific rules first, then general rules
  When a rule matches, no further testing is done.
  Minimize tests & speed processing by placing common rules first
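The packet-filter model from slide 15 (rules matched on header fields, default discard), the English policy from slide 35 and the ordering advice on this slide come together in a small first-match rule engine. This is an added example, not the textbook's or the slides' code; the `Rule`/`Packet` types, the web server address 10.0.0.5, the extra browsing and DNS policies and the sample packets (with 198.51.100.0/24 standing in for the Internet) are constructed for it. The anti-spoofing policy is the one quoted on slide 35, and `ordering_check` shows what happens when that specific rule is not placed first.

```python
"""First-match packet filter built from English policy lines (added example).

Each Rule carries the policy sentence it implements; rules are tested in order,
the first match decides, and anything unmatched falls to the default policy
"discard" (prohibit unless expressly permitted).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("10.0.0.5/32")   # constructed: the public web server


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrives on: "ext" (Internet side) or "int"
    proto: str               # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    policy: str              # the English policy this ACL entry implements
    action: str              # "forward" or "discard"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dports: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dports is None or p.dport in self.dports))


def evaluate(rules, p: Packet):
    """Return (action, index of the matching rule); index None means the default applied."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i        # first match wins: no further testing is done
    return "discard", None               # default policy: prohibit unless expressly permitted


# Specific rules first, general rules after them.
RULES = [
    Rule("IP addresses with internal source addresses shall not be allowed into the "
         "internal network from the outside", "discard", iface="ext", src=INTERNAL),
    Rule("Outside hosts may reach the public web server on port 80 only",
         "forward", iface="ext", proto="TCP", dst=WEB_SERVER, dports=frozenset({80})),
    Rule("Internal hosts may browse the web",
         "forward", iface="int", proto="TCP", src=INTERNAL, dports=frozenset({80, 443})),
    Rule("Internal hosts may resolve names via DNS",
         "forward", iface="int", proto="UDP", src=INTERNAL, dports=frozenset({53})),
]

SAMPLE = [   # constructed packets; 198.51.100.0/24 stands in for the Internet
    Packet("ext", "TCP", "10.0.0.7", "10.0.0.5", 80),        # internal source arriving from outside
    Packet("ext", "TCP", "198.51.100.9", "10.0.0.5", 80),    # legitimate web request
    Packet("ext", "TCP", "198.51.100.9", "10.0.0.5", 22),    # SSH to the web server: not permitted
    Packet("int", "TCP", "10.2.3.4", "198.51.100.9", 443),   # outbound HTTPS
    Packet("int", "UDP", "10.2.3.4", "198.51.100.9", 53),    # outbound DNS
    Packet("int", "ICMP", "10.2.3.4", "198.51.100.9"),       # no rule permits ICMP: default discard
]


def demo():
    return [evaluate(RULES, p) for p in SAMPLE]


def ordering_check():
    """Same rules with the anti-spoofing rule moved last: the spoofed packet now gets through."""
    spoofed = SAMPLE[0]
    return evaluate(RULES, spoofed), evaluate(RULES[1:] + RULES[:1], spoofed)


if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE, demo()):
        print(f"{action:8} rule={idx}  {p}")
    print(ordering_check())
```

Keeping the policy sentence inside each rule is what makes the ACL reviewable and testable as slide 35 asks: `demo` is the test, and `ordering_check` is the review finding, since the general web-server rule would forward the spoofed packet before the specific anti-spoofing rule ever saw it.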

Page 37

Auditing Firewalls
  If there is no security policy, speak with mgmt about their expectations of the firewall
  After configuring the firewall, test the firewall by launching an attack
  Use a sniffer to determine which attack packets get through
  Other required operations include:
    Log Monitoring and Notification
    User Mgmt and Password policy
    Patch Update and Backup
    Change Control
    Secure build for firewall platforms

Page 38

Audit Testing
  Scan all TCP and UDP ports 0-65,535 on the firewall
  Ping devices to see if Echo Requests pass
  Scan using ‘TCP Connect Scan’ (Full SYN-ACK)
  Do a slow SYN scan (with 15 second delay) to see if port scans are detected (by IDS)
  Scan with FINs, ACKs, and fragmented ACKs, Xmas Tree scans (URG, PUSH, FIN flags) to see how all perform
  Scan the subnet using UDP ports to look for open applications
  Check routing capability, including NAT
  Test other blocked source IP addresses: Spoofed, private, loopback, undefined
  Test other protocols: ICMP, IP fragmentation, all policies, all directions.
  Verify logging occurs for illegal probes
  Always get signed-off permission first!!!
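Two of the audit steps above, the slow SYN scan with a 15-second delay and the check that illegal probes are logged, meet on the detection side: the audit only passes if the IDS or log monitoring actually raises an alert. The detector below is an added example (not code from the slides, the textbook or any IDS product) that runs over constructed firewall DROP log lines in a made-up format; the `windowed_alerts` design, the 1-minute and 10-minute windows and the threshold of 10 are assumptions for the example. It shows why a per-minute packet-rate threshold misses a 15-second-delay scan while counting distinct destination ports over a longer window catches it.

```python
"""Detecting a slow port scan in firewall drop logs (added example).

Both detectors keep a sliding window per source address; they differ only in
what they measure inside the window. Log lines are constructed and use a
made-up format: "<iso timestamp> DROP <proto> <src>:<sport> -> <dst>:<dport> <flags>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def windowed_alerts(lines, window, threshold, measure):
    """Alert once per source when measure(window contents) reaches threshold.

    Assumes lines for any one source arrive in time order (true for the sample).
    """
    recent = defaultdict(deque)      # src -> deque of (timestamp, dport) inside the window
    alerts, alerted = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # unparseable line: skipped, not an error
        ts, src, _dst, dport = rec
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:
            q.popleft()
        value = measure(q)
        if value >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts.isoformat(), value))
    return alerts


def rate_alerts(lines):
    """Naive detector: more than 10 dropped packets from one source in a minute."""
    return windowed_alerts(lines, timedelta(minutes=1), 10, len)


def slow_scan_alerts(lines):
    """Port-sweep detector: 10 or more distinct destination ports from one source in 10 minutes."""
    return windowed_alerts(lines, timedelta(minutes=10), 10,
                           lambda q: len({dport for _, dport in q}))


BASE = datetime(2024, 1, 1, 10, 0, 0)
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995,
                 1433, 3306, 3389, 5900, 8080]
SAMPLE_LOG = (
    # Constructed: one source probing 20 ports on the firewall, one SYN every 15 seconds.
    [f"{(BASE + timedelta(seconds=15 * i)).isoformat()} DROP TCP 198.51.100.7:{40000 + i} "
     f"-> 201.25.44.5:{p} SYN" for i, p in enumerate(SCANNED_PORTS)]
    # Constructed: a noisier source that keeps retrying only two blocked ports.
    + [f"{(BASE + timedelta(seconds=7 * i)).isoformat()} DROP TCP 203.0.113.5:{50000 + i} "
       f"-> 201.25.44.5:{23 if i % 2 else 25} SYN" for i in range(40)]
    + ["garbage line that does not parse"]
)


if __name__ == "__main__":
    print("rate-based:", rate_alerts(SAMPLE_LOG))            # []
    print("distinct ports:", slow_scan_alerts(SAMPLE_LOG))   # one alert for 198.51.100.7
```

The slow scanner never exceeds four packets per minute, so the rate detector stays silent, and the retrying source never touches more than two ports, so the port-sweep detector ignores it; only the combination of a longer window and a per-port measure turns the audit's slow scan into a logged alert.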

Page 39

Intrusion Prevention Systems (IPS)
  enhanced security product which is:
    an inline net/host-based IDS that can block traffic
    a functional addition to a firewall that adds IDS capabilities
  can block traffic like a firewall
    alternatively send commands to firewall
  uses IDS algorithms
  may be network or host based

Page 40

Host-Based IPS
  addresses:
    modification of system resources
    privilege-escalation exploits
    buffer overflow exploits
    access to email contact list
    directory traversal
  identifies attacks using:
    sandbox applets to monitor behavior
    signature techniques
    anomaly detection techniques
  can be tailored to the specific platform
    e.g. general purpose, web/database
  may protect file access, system registry, I/O, system calls

Page 41

Network-Based IPS
  inline NIDS that can discard packets or terminate TCP connections
  can provide flow data protection
    reassembling whole packets
    monitoring full application flow content
  can identify malicious packets using:
    pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
  cf. SNORT inline can drop/modify packets

Page 42

Unified Threat Management Products

Page 43

Summary
  Firewall filters packets
  Types of networks
    double inline, T or multihomed, distributed, load balanced, screening router
  Types of firewalls
    packet filter, stateful inspection, application and circuit gateways
  Other capabilities
    Virtual Private Network (VPN), Network Address Translation (NAT)
  Advanced configurations: IPS, Unified Threat Management
