Firewalls

Introduction
 seen evolution of information systems
 now everyone want to be on the Internet
 and to interconnect networks
 has persistent security concerns
 can’t easily secure every system in org
 typically use a Firewall
 to provide perimeter defence
 as part of comprehensive security strategy
 What is a Firewall?
 a choke point of control and monitoring
 interconnects networks with differing trust
 imposes restrictions on network services
 only authorized traffic is allowed
 auditing and controlling access
 can implement alarms for abnormal behavior
 provide NAT & usage monitoring
 implement VPNs using IPSec
 must be immune to penetration
 Firewall Limitations
 cannot protect from attacks bypassing it
 eg sneaker net, utility modems, trusted
organisations, trusted services (eg SSL/SSH)
 cannot protect against internal threats
 eg disgruntled or colluding employees
 cannot protect against transfer of all virus
infected programs or files
 because of huge range of O/S & file types
 Firewalls – Packet Filters
 simplest, fastest firewall component
 foundation of any firewall system
 examine each IP packet (no context) and
permit or deny according to rules
 hence restrict access to services (ports)
 possible default policies
 that not expressly permitted is prohibited
 that not expressly prohibited is permitted
Firewalls – Packet Filters
 Screeing policy actions
 Forward
 The package is forwarded to the intended recipient
 Drop
 The packages is dropped (without notification)
 Reject
 The package is rejected (with notification)
 Log
 The packages appearance is logged (to be combined)
 Alarm
 The packages appearance triggers an alarm (to be combined)

7
 Screening policies
 There should always be some default
rules
 The last rule should be „Drop everything from
everyone“ which enforce a defensive strategy
 Network monitoring and control messages
should be considered

8
 Attacks on Packet Filters
 IP address spoofing
 fake source address to be trusted
 add filters on router to block
 source routing attacks
 attacker sets a route other than default
 block source routed packets
 tiny fragment attacks
 split header info over several tiny packets
 either discard or reassemble before check
Firewalls – Stateful Packet Filters
 traditional packet filters do not examine
higher layer context
 ie matching return packets with outgoing flow
 stateful packet filters address this need
 they examine each IP packet in context
 keep track of client-server sessions
 check each packet validly belongs to one
 hence are better able to detect bogus
packets out of context
 Advantage/Disadvantage
+ -
 One screening router  Current filtering tools
Current filtering tools
can protect a whole are not perfect
network  Some policies are
 Packet filtering is difficult to enforce
extremely efficient  Packet filtering
 Packet filtering is generates extra load
widely available for the router

11
 Firewalls - Application Level
Gateway (or Proxy)
 have application specific gateway / proxy
 has full access to protocol
 user requests service from proxy
 proxy validates request as legal
 then actions request and returns result to user
 can log / audit traffic at application level
 need separate proxies for each service
 some services naturally support proxying
 others are more problematic
 Different modes

 Proxy-aware application software

 The application software knows how to connect to the proxy
and forward the final destination
 Proxy-aware operating system software
 The operating system checks and eventually modify the IP
addresses to use the proxy
 Proxy-aware user procedures
 The user has to follow some procedures. He tells the client
software where to connect and also the proxy the
destination address
 Proxy-aware router
 The client attempts to make connections as usual and the
router intercepts and redirects packages to the proxy
13
Firewalls - Application Level
Gateway (or Proxy)
Firewalls - Circuit Level Gateway

 relays two TCP connections

 imposes security by limiting which such
connections are allowed
 once created usually relays traffic without
examining contents
 typically used when trust internal users by
allowing general outbound connections
 SOCKS is commonly used
Firewalls - Circuit Level Gateway
 Advantage/Disadvantage
+ -
 Proxies can do  Proxies cause a delay
intelligent filtering  Proxies can require
 Proxies can provide modifications to clients
logging and caching  Proxies may require a
 Proxies can provide different server for
user-level each service
authentication

17
 Network Adress Transalation
 NAT allows to use a set of
network addresses internally
and a different set externally
 Do not generate security itself
but force connection over one
point

18
 Modes
 Static allocation
 The translation scheme is static
 Dynamic allocation of addresses
 The connection addresses are determined on
a per session base
 Dynamic allocation of addresses and ports
 Both addresses and ports are dynamic

19
 Advantage/Disadvantage
+ -
 NAT helps to enforce the  Embedded IP can become
firewalls control over a problem
outbound traffic  Dynamic allocation may
 NAT helps to restrict interfere with encryption
incoming traffic and authentication
 NAT hides the internal  Dynamic allocation of port
network configuration may interfere with package
filters

20
 Bastion Host
 highly secure host system
 runs circuit / application level gateways
 or provides externally accessible services
 potentially exposed to "hostile" elements
 hence is secured to withstand this
 hardened O/S, essential services, extra auth
 proxies small, secure, independent, non-privileged
 may support 2 or more net connections
 may be trusted to enforce policy of trusted
separation between these net connections
Firewall Configurations
Firewall Configurations
Firewall Configurations
 Mulitple Screened Subnets
 Split-Screened subnet
 Multiple networks between the exterior and
interior router. The networks are usually
connected by dual-homed hosts.
 Independent Screened Subnets
 n Screened Subnets

25
 Hybrid - Example Structure

Supplier
Internet
Net

DMZ
DMZ
DMZ Application

DMZ DMZ
Database

Employee Lan DMZ Back End

26
 Evaluating a Firewall
 Scalability
 Reliability and Redundancy
 Auditability
 Price (Hardware, Software, Setup,
Maintenance)
 Management and Configuration

27
 Firewalls and Malware

 Should preferably control both ingoing and

outgoing traffic
 Windows XP firewall controls only ingoing traffic
 Trojans can start up servers on the inside
 Firewall should preferable inspect packets
on the application layer
 Network layer based packet filters do not
provide adequate protection

28
 Firewalls and Malware

 New worms/viruses often tries to kill firewall

and anti virus processes
 “Tunneled Worms”
 Tunnel IP packet within other IP packet to hide
real IP header
 Tunneling program can be built in in Trojans

Tunneled IP packet

29