5 Security

This document discusses security techniques like firewalls. It defines firewalls as barriers that prevent unauthorized network traffic. There are different types of firewalls including packet filtering firewalls, stateful packet inspection firewalls, application-level gateways, and circuit-level gateways. Firewalls can operate as standalone hardware devices or as software and use methods like packet filtering, proxy services, and stateful inspection to screen network traffic and enforce security policies.

Uploaded by Hiwot Tadesse

Chapter Five

Security Mechanisms
Security Techniques/ Access Control and Firewall
Firewalls and Trusted System Technologies:
a means of protecting a local system or a network of
systems from security threats.

[Figure: Firewall, Defense Policy, Access Control]

Security Techniques/Firewall
Firewall Overview
It is more feasible to secure a community of users by putting
some control at the entrance rather than trying to secure every
host
This is how it is done in the real world:
• Countries protect themselves at their borders
• Neighborhoods protect the whole neighborhood

The term firewall has been around for quite some time and
originally was used to define a barrier constructed to prevent the
spread of fire from one part of a building or structure to another.
Network firewalls provide a barrier between networks that
prevents or denies unwanted or unauthorized traffic.
A firewall may be implemented as a standalone hardware device
or as software.
Firewall Overview …
The simplest kind of firewall is a packet filter.
A packet filter is a router that is augmented with an
access control list, usually specified as a list of rules.
When a packet is received by the router, the rules are
consulted in order to decide whether the packet should be
forwarded or dropped (the action is typically ALLOW or
DROP).
A rule can specify which packets it will apply to, based
on the header fields of the packets. For instance, the rule
might specify source and destination IP addresses and
port numbers and protocol names, or wild cards for
each of these.
Firewall Overview …
Suppose that we've built a security policy and decided
that we want to:
• allow inbound connections to port 25 of our mail
server (1.2.3.4), allow all outbound connections, and
drop everything else.
Allow tcp *:*  ->  1.2.3.4:25
Allow tcp {ourhosts}:*  ->  *:*
Drop  *:*  ->  *:*
(Rules are evaluated top to bottom; the first rule that matches decides.)
Firewall Overview …
General Firewall Features
• Port control
• Network Address Translation
• Application monitoring
• Packet filtering
• Data encryption
• Logging
• E-mail virus protection
• Popup advertisement blocking
• Spyware protection
Firewall Design goals
All traffic from inside to outside, and vice versa, must pass
through the firewall (physically blocking all access to the
local network except via the firewall).
Only authorized traffic (defined by the local security
policy) will be allowed to pass.
The firewall itself is immune to penetration (use of a
trusted system with a secure operating system).
Types of firewall
Firewall types can be categorized depending on:
1. The function or methodology the firewall uses
2. Whether the communication is between a single node and
the network, or between two or more networks
3. Whether the communication state is tracked at the
firewall or not
Types of firewall/ Based on function/ methodology
• Packet Filtering
• Stateful Packet Inspection
• Application Gateways/Proxies
• Circuit Level Gateway
Types of firewall/Packet Filtering Firewall
A packet filtering firewall does exactly what its name implies -- it filters
packets.
As each packet passes through the firewall, it is examined and information
contained in the header is compared to a pre-configured set of rules or filters.
An allow or deny decision is made based on the results of the comparison.
Each packet is examined individually without regard to other packets that are
part of the same connection.
Types of firewall/(cont…)
A packet filtering firewall is often called a network layer firewall because the
filtering is primarily done at the network layer (layer three) or the transport
layer (layer four) of the OSI reference model.
You use packet filters to instruct a firewall to drop traffic that meets certain
criteria.
For example, you could create a filter that would drop all ping requests.
You can also configure filters with more complex exceptions to a rule.
Packet filtering rules or filters can be configured to allow or deny traffic
based on one or more of the following variables:
Source IP address
Destination IP address
Protocol type (TCP, UDP, ICMP)
Source port
Destination port
Types of firewall/Stateful Packet Inspection Firewall
Stateful packet inspection uses the same fundamental packet screening
technique that packet filtering does.
In addition, it examines header information from the network layer up to
the application layer of the OSI model to verify that the packet is part of a
legitimate connection and that the protocols are behaving as expected.
Types of firewall/(cont…)

The connection state is derived from information gathered in previous packets.
It is an essential factor in making the decision for new communication attempts.
Stateful packet inspection compares the packets against the rules or filters and then
checks the dynamic state table to verify that the packets are part of a valid,
established connection.
By having the ability to "remember" the status of a connection, this method of
packet screening is better equipped to guard against attacks than standard packet
filtering.
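Added example (not from the original slides): the rule list from the Firewall Overview slide and the state table described above, modelled in Python. The `{ourhosts}` placeholder is assumed to be 1.2.3.0/24, and `->` is used where the slide's arrows were lost in extraction; both are assumptions. It shows the caveat a purely stateless filter has with that exact policy: the reply packets of an allowed outbound connection match none of the allow rules and fall through to the final drop, while the stateful version admits them from its connection table and, conversely, refuses a bare ACK aimed at port 25 that the stateless rules would let through.

```python
"""Stateless packet filter vs stateful inspection, modelled in Python.

Rules use the slides' notation ("allow tcp *:* -> 1.2.3.4:25"): "->"
separates source from destination, "*" is a wildcard, hosts may be CIDR
blocks. Packets are matched top to bottom; the first matching rule decides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    @classmethod
    def parse(cls, text):
        action, proto, rest = text.split(None, 2)
        left, right = (part.strip() for part in rest.split("->"))
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        return cls(action.lower(), proto.lower(), src, sport, dst, dport)

    def matches(self, pkt):
        return (self.proto in ("*", pkt.proto)
                and _match_host(self.src, pkt.src)
                and _match_port(self.sport, pkt.sport)
                and _match_host(self.dst, pkt.dst)
                and _match_port(self.dport, pkt.dport))

def _match_host(pattern, addr):
    if pattern == "*":
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern, strict=False)
    return ip_address(addr) == ip_address(pattern)

def _match_port(pattern, port):
    return pattern == "*" or int(pattern) == port

class StatelessFilter:
    """Each packet is judged on its own header fields only."""
    def __init__(self, rules, default="drop"):
        self.rules = [Rule.parse(r) for r in rules]
        self.default = default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

class StatefulFilter(StatelessFilter):
    """Same rules plus a connection table keyed on the 5-tuple.

    Packets of a connection the rules already admitted are allowed in both
    directions, even though no rule matches the reply on its own. A TCP
    packet that is not a SYN and belongs to no known connection is dropped:
    it cannot be a legitimate new connection, whatever the rules say.
    """
    def __init__(self, rules, default="drop"):
        super().__init__(rules, default)
        self.table = set()

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return self.default
        action = super().decide(pkt)
        if action == "allow":
            self.table.add(fwd)
        return action

# The slide's policy; "{ourhosts}" is assumed to be 1.2.3.0/24 for this example.
POLICY = [
    "allow tcp *:* -> 1.2.3.4:25",      # inbound SMTP to the mail server
    "allow tcp 1.2.3.0/24:* -> *:*",    # all outbound connections
    "drop * *:* -> *:*",                # everything else
]

def demo():
    """One outbound HTTPS connection and its reply, through both filters."""
    outbound = Packet("tcp", "1.2.3.10", 40000, "198.51.100.8", 443, syn=True)
    reply = Packet("tcp", "198.51.100.8", 443, "1.2.3.10", 40000)
    stateless, stateful = StatelessFilter(POLICY), StatefulFilter(POLICY)
    return {
        "stateless": (stateless.decide(outbound), stateless.decide(reply)),
        "stateful": (stateful.decide(outbound), stateful.decide(reply)),
    }
```

`demo()` returns `{'stateless': ('allow', 'drop'), 'stateful': ('allow', 'allow')}`: the same three rules either break every outbound connection or work as intended, depending only on whether the filter keeps state. Real stateless deployments work around this with an extra rule admitting inbound packets to high ports, which is exactly the gap a stateful filter closes without opening anything.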
Types of firewall/Application-level Gateways
The application gateway/proxy acts as an intermediary between the two
endpoints.
This packet screening method actually breaks the client/server model in that
two connections are required: one from the source to the gateway/proxy and
one from the gateway/proxy to the destination.
Each endpoint can only communicate with the other by going through the
gateway/proxy.
This type of firewall operates at the application layer of the OSI model.
For source and destination endpoints to be able to communicate with each
other, a proxy service must be implemented for each application protocol.
Types of firewall/(cont…)
When a client issues a request from the untrusted network, a connection is
established with the application gateway/proxy.
The proxy determines if the request is valid (by comparing it to any rules or
filters) and then sends a new request on behalf of the client to the destination.

By using this method, a direct connection is never made from the trusted
network to the untrusted network and the request appears to have originated
from the application gateway/proxy.
Types of firewall/Circuit-level Gateway
Unlike a packet filtering firewall, a circuit-level gateway does not
examine individual packets.
Instead, circuit-level gateways monitor TCP or UDP sessions.
Once a session has been established, it leaves the port open to allow all
other packets belonging to that session to pass.
The port is closed when the session is terminated.
Circuit-level gateways operate at the transport layer (layer 4) of the
OSI model.
Because it does not look at the application data inside the session, a
circuit-level gateway cannot detect misuse of an allowed session; that is
the job of an application-level gateway.
Types of firewall/ With regard to the scope of filtered communications
With regard to the scope of the filtered communications, done between a
single node and the network or between two or more networks, there exist:
Personal firewalls, a software application which normally filters traffic
entering or leaving a single computer.
Network firewalls, normally running on a dedicated network device or
computer positioned on the boundary of two or more networks.
Types of firewall/ Based on communication state
Finally, depending on whether the firewall keeps track of the state of
network connections or treats each packet in isolation, two additional
categories of firewalls exist:
Stateful firewall
Stateless firewall
Stateful firewall
Keeps track of the state of network connections (such as TCP streams)
traveling across it.
A stateful firewall is able to hold in memory significant attributes of each
connection, from start to finish.
These attributes, which are collectively known as the state of the connection,
may include such details as the IP addresses and ports involved in the
connection and the sequence numbers of the packets traversing the
connection.
Types of firewall/ Based on communication state
Stateless firewall
Treats each network frame (packet) in isolation.
• Such a firewall has no way of knowing if any given packet is part of
an existing connection, is trying to establish a new connection, or is
just a rogue packet.
The classic example of the resulting problem is the File Transfer Protocol,
because by design it opens new data connections on dynamically negotiated
ports, which a stateless filter cannot relate to the control connection.
Hardware Firewall
Uses one or more of three methods
• Packet filtering
• Proxy service
• Stateful inspection
It protects from
• Remote logins
• Application backdoors
• SMTP session hijacking
• Spam
• Denial of service
• E-mail bombs
Software Firewall
It is a firewall that operates at the application layer of the OSI model.
Filters packets at the network layer.
Monitors the communication type (TCP, UDP, etc.).
Monitors the origin of the packet and the destination port of the packet.
Monitors where the packet is coming from or heading to.
Software Firewall …
Benefits
• Easier to track when a potential vulnerability happens
• Protects against new vulnerabilities before they are found and
exploited
• Ability to "understand" application-specific information
structure
• Incoming or outgoing packets cannot access services for which
there is no proxy
Disadvantages
• Slows down network access dramatically
• More susceptible to distributed denial of service (DDoS) attacks
• Not transparent to end users
• Requires manual configuration of each client computer
Firewall Topology
There is no one way of implementing a firewall.
There are many different ways to deploy the components
that comprise a firewall.
Many organizations use a combination of packet filtering
and proxies in their firewall configuration.
The most widely implemented architectures are:
• Screening routers
• Bastion hosts
• Dual-homed hosts
• Screened hosts
• Screened subnets
Firewall Topology
Screening Router
If you are connecting your company network to the Internet you will
probably need the router supplied by your ISP.
Routers can provide a cheap and useful level of security by allowing you
to filter connections based on the IP address and the protocol.
The router examines both incoming and outgoing packets based upon the
rules loaded in the router; it either passes the packet on through or drops it.
Another low-cost alternative for PC-based systems is Drawbridge.
Drawbridge can convert most PCs with two network cards into a packet-
filtering router.
• A screening router is not sufficient to protect an organization's
network connected to the Internet.
• Routers are designed to route traffic, not to be firewalls.
Firewall Topology
Bastion host
A bastion host is somewhat more complicated than a screening
router.
In architectural terms, a bastion is the outer part of a castle.
It is usually a part of the castle that sticks out exposed and is
used to defend the castle.
A bastion host is the outer defense of a network; it does not
forward traffic between networks but terminates connections itself.
With a bastion host you generally want to run a stripped-down
version of the operating system, regardless of the operating
system.
If possible, you should modify the system kernel to remove
utilities and functions that are not needed.
In general, IP routing should be disabled on a bastion host.
Only the services that the network administrator considers
essential are installed on the bastion host.
Firewall Topology …
Dual-Homed Host
• A non-routing dual-homed host can be thought of as a type of bastion
host.
• A dual-homed host is a computer with two network cards installed. One
network card is connected to the outside network, and the other network
card is connected to the inside network.
• The direct flow of IP traffic between the networks should be blocked.
• Traffic between the networks should be controlled by proxies.
• A dual-homed host is capable of acting as a router, so IP forwarding
must be explicitly disabled.
• The major vulnerability of dual-homed hosts can be the administration:
a configuration mistake that re-enables forwarding bypasses every proxy.
Firewall Topology …
Screened host
With this configuration, the host is the only part of the firewall directly
connected to the internal network.
The host is protected by a screening router that provides packet filtering.
The router will only allow certain types of connections or traffic through to
the bastion host.
The router is configured so that the only system on the internal network from
which it will accept connections is the bastion host.
Firewall Topology (cont…)
The section of the network between the screening router and the
host is referred to as the "demilitarized zone" (DMZ).
It provides an added measure of security.
The DMZ is neither part of the internal nor external network.
The DMZ is a buffer zone between the screening router and the
bastion host.
A screened host provides a greater level of protection to the
internal network than does a dual-homed host alone.
A dual-homed host represents a single point of failure, whereas a
screened host uses a two-tiered approach.
Firewall Topology …
Screened subnet
With a screened host configuration, if an attacker manages to get
through the screening router and is able to compromise the
bastion host, there is nothing to stop the attacker from
compromising the rest of the network.
o That risk is mitigated with a screened subnet.
Firewall Topology (cont…)
A screened subnet adds an additional router, so that it
sandwiches a bastion host between two routers that separate
the internal network from the outside network.
This establishes a separate subnetwork that acts as a barrier
between the internal and external networks.
o This separate subnet is a buffer that acts as a DMZ that provides
additional protection for the internal network.
With a screened subnet, the exterior or border router
communicates only with the outside network and the bastion
host on the subnet.
The two routers never directly communicate with each other.
Both routers perform packet filtering and the bastion host has
IP routing disabled and runs proxy services.
Proxy Server
A "proxy" is a substitute or a surrogate for something else.
With a firewall, a proxy is a program that acts as a
substitute for another program.
A proxy server is designed to prevent one entity from
connecting directly to another entity.
Instead, the connection is terminated at the firewall, and a
proxy application makes the onward request on the client's behalf.
The proxy server is protecting the entities on the internal
network.
It is important to remember that the proxy is not the
firewall.
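Added example (not from the original slides): the request-validation step of an application-level gateway for HTTP, as described in the Application-level Gateways slides and in the Proxy Server slide above, written in Python. The allowed hosts, the allowed methods and the gateway name placed in the Via header are assumed policy, not anything the slides specify; socket handling is omitted so the policy logic can be run on its own.

```python
"""Application-level gateway logic for HTTP/1.1 request forwarding (example).

The gateway terminates the client's connection, parses the request as
HTTP, checks it against policy, and only then builds a new request to
send over its own second connection to the destination. Socket handling
is left out; build_forward_request() returns the bytes the gateway would
send, or raises PolicyViolation.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                     # assumed policy
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}   # assumed policy
HOP_BY_HOP = {"connection", "proxy-connection", "proxy-authorization",
              "keep-alive", "te", "upgrade"}
GATEWAY_VIA = "1.1 gw.example.com"   # assumed name of this gateway
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

class PolicyViolation(Exception):
    pass

def parse_request(raw):
    """Split a raw request into (method, target, headers, body).

    headers is a list of (lower-case name, value) pairs. Anything that is
    not well-formed HTTP/1.x is rejected rather than relayed as-is.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise PolicyViolation("incomplete request head")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise PolicyViolation("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name.strip() != name or not name.isascii():
            raise PolicyViolation("malformed header")
        headers.append((name.decode("ascii").lower(),
                        value.strip().decode("latin-1")))
    return m.group(1).decode("ascii"), m.group(2).decode("ascii"), headers, body

def build_forward_request(raw):
    """Apply policy to a client request and return the gateway's own request."""
    method, target, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise PolicyViolation(f"method {method} not allowed")
    hosts = [v for k, v in headers if k == "host"]
    if len(hosts) != 1:
        raise PolicyViolation("exactly one Host header required")
    host = hosts[0].rsplit(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise PolicyViolation(f"destination {host} not allowed")
    names = {k for k, _ in headers}
    if "content-length" in names and "transfer-encoding" in names:
        # Two framing methods in one request: client and server may disagree
        # on where it ends. A protocol-aware proxy refuses instead of relaying.
        raise PolicyViolation("ambiguous message framing")
    # The second connection carries a request built by the gateway: headers
    # that only describe the client<->gateway hop are dropped, and Via records
    # that the request now originates from the gateway.
    out = [f"{method} {target} HTTP/1.1"]
    out += [f"{k}: {v}" for k, v in headers if k not in HOP_BY_HOP]
    out += ["connection: close", f"via: {GATEWAY_VIA}"]
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body

def check(raw):
    """Return 'forwarded' or 'denied: <reason>' for one raw request."""
    try:
        build_forward_request(raw)
        return "forwarded"
    except PolicyViolation as exc:
        return f"denied: {exc}"
```

The point of the exercise is the one the slide makes: nothing passes unless a proxy understands the protocol, so a CONNECT request, a request for a host outside the policy, or a request whose framing is ambiguous is refused at the gateway rather than handed on to the destination.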
Intrusion Detection (ID)
Firewalls generally don't detect internal attacks or attacks once the
system is compromised.
An "intrusion" can be defined as an unauthorized attempt or
achievement to access, alter, render unavailable, or destroy information
on a system or the system itself.
o Basically, an intrusion is somebody attempting to break into or misuse a
system.
An ID system gathers and analyzes information from various areas
within a computer or a network to identify possible security breaches.
IDSs act much like security guards or sentries.
o They constantly scan network traffic or host audit logs.
Intrusion Detection (cont…)
It detects both intrusions and misuse
Intrusion detection functions include:
o Monitoring and analyzing both user and system
activities
o Analyzing system configurations and vulnerabilities
o Assessing system and file integrity
o Ability to recognize patterns typical of attacks
o Analysis of abnormal activity patterns
o Tracking user policy violations
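Added example (not from the original slides): two of the detection functions listed above, recognising a pattern typical of an attack and tracking a user policy violation, run over host audit log lines in Python. The log lines are constructed for this example in the style of OpenSSH sshd messages; the failure threshold, the time window and the rule that root must not log in interactively are assumed local policy.

```python
"""Host-based intrusion detection over audit log lines (example).

detect() implements two of the IDS functions from the slide:
  - a signature/threshold rule: THRESHOLD failed logins from one source
    inside WINDOW is reported as a brute-force attempt;
  - a policy rule: an interactive login as an account in
    FORBIDDEN_INTERACTIVE is reported as a policy violation.
It also correlates the two: a successful login from a source that was
already flagged for brute force is reported separately.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

WINDOW = timedelta(seconds=60)          # assumed policy
THRESHOLD = 5                           # assumed policy
FORBIDDEN_INTERACTIVE = {"root"}        # assumed policy

def detect(lines):
    """Return a list of (alert_type, source_ip, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)       # source ip -> timestamps of recent failures
    flagged = set()                     # sources already reported for brute force
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                    # not an sshd line; other parsers would go here
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]
        f = FAILED.search(msg)
        if f:
            recent = failures[f["ip"]]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:   # slide the window forward
                recent.popleft()
            if len(recent) >= THRESHOLD and f["ip"] not in flagged:
                flagged.add(f["ip"])
                alerts.append(("brute_force", f["ip"],
                               f"{len(recent)} failures within {WINDOW.seconds}s"))
            continue
        a = ACCEPTED.search(msg)
        if a:
            if a["user"] in FORBIDDEN_INTERACTIVE:
                alerts.append(("policy_violation", a["ip"],
                               f"interactive login as {a['user']}"))
            if a["ip"] in flagged:
                alerts.append(("success_after_bruteforce", a["ip"],
                               f"{a['user']} logged in after brute force"))
    return alerts

# Constructed sample log, not captured from a real host.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
2024-03-01T10:00:03 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51813 ssh2
2024-03-01T10:00:05 sshd[812]: Failed password for root from 203.0.113.7 port 51814 ssh2
2024-03-01T10:00:07 sshd[812]: Failed password for root from 203.0.113.7 port 51815 ssh2
2024-03-01T10:00:09 sshd[813]: Failed password for root from 203.0.113.7 port 51816 ssh2
2024-03-01T10:00:12 sshd[813]: Accepted password for root from 203.0.113.7 port 51817 ssh2
2024-03-01T10:05:00 sshd[900]: Failed password for alice from 198.51.100.2 port 40001 ssh2
2024-03-01T10:09:00 sshd[901]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields three alerts, all for 203.0.113.7: the brute-force pattern on the fifth failure, the forbidden root login, and the correlation of the two; alice's single mistyped password stays below the threshold and produces nothing. Note that none of this is visible to the firewall in the earlier slides, which is exactly why the slide says firewalls do not detect attacks once a system is compromised.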
Virtual Private Network
A VPN is a cryptographic system, using protocols such as the Point-to-Point
Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and IPsec, that
carries Point-to-Point Protocol (PPP) frames across an internet with multiple
data links with added security. (PPTP's authentication is known to be weak,
and it should not be chosen for new deployments.)
VPNs can be created using a single remote computer connecting to a trusted
network, or by connecting two corporate network sites.
At both ends of the tunnel, a VPN server can also act as a firewall server.
Most firewall servers, however, provide VPN protection which runs in parallel
with other authentication and inspection regimes on the server.
Each packet arriving at a firewall is then passed through either an inspection
and authentication module or a VPN module.
Summary
Firewalls generally don't detect internal attacks or attacks once the
system is compromised
Public servers are vulnerable to attack
Eliminate unnecessary services
Apply all patches
Use a DMZ to provide layered defense
• Place server/proxy in DMZ
• Place private data/file/servers in Intranet
• Deny all by default for Internet-Intranet traffic and apply other firewall
rules like in the example below (first match wins, so the default comes last):
allow TCP *:*  ->  <web server IP>:80
allow TCP *:*  ->  <web server IP>:443
deny all
Add stateful inspection rules for known attacks (Code Red, Slammer, …)
Thank You ! !
