Firewalls Original slides prepared by Theo Benson.

Firewalls

Original slides prepared by Theo Benson

Unix Firewalls• FreeBSD: ipfw• Linux: ipfw → ipchains → iptables• MacOS X: ipfw

ipfw example rules:

# SSH# Allow ssh from unc.edu hosts/sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup

Stateful Firewalls• A bit more complicated• Keep track of transport layer

connections (e.g., TCP, UDP) that may comprise multiple packets

• Often allow only connections initiated from behind the firewall

How are they deployed?

“circle of trust”

The InternetAKA “Everything evil”

The firewall isthe gatekeeper

Only one way in or out into the circle

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Similar to streaming a Video …

Browser Network

HTTP RequestsGet: image.png

HTTP RequestsGet: video.avi

Loading Youtube

Allowing Outbound Connections Only

“circle of trust”

The InternetAKA “Everything evil”

SYN

• Why would someone from the outside want to start a connection?

Allowing Outbound Connections Only

“circle of trust”

The InternetAKA “Everything evil”

SYN

• Why would someone from the outside want to start a connection?– They would if you were running a web-server, an email-server, a gaming

server …. Pretty much any ‘server’ service.– Firewall configuration may allow “punching holes” to specific

addresses/ports

Traversing Firewalls

• Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections.

• An external server may help coordinate which source ports, sequence numbers, to use. (E.g., STUN protocol.)

Network Address Translation (NAT)

• For outbound packets, the translator replaces (typically) private address with it’s own public address, and rewrites the source port.

• Translator remembers the mapping.• For inbound packets, the reverse translation is performed.

192.168.1.100

128.2.205.42

Src: 192.168.1.100:32532

Src: 128.2.205.42:45323

NAT versus Firewall

• A network address translator is not intrinsically a firewall, but– Often the two are combined in one device– Traffic cannot be sent directly to private addresses

used behind a NAT from the public Internet– A NAT may block incoming connections by

necessity because it does not know which private address to forward the traffic to

What Happens When you Connect to a Website?

Browser NetworkLoading SoundCloud

HTTP RequestsGet: image.png

HTTP RequestsGet: sound.mp3

What happens if the virus/worm is hidden in an email? Picture? Or if the security exploit is in an HTML page?

Deep Packet Inspection

• Examine payload (data) portion of packet as well as headers

IP Header

TCP/UDP Header

Payload

Application Level Firewall

• Why are they needed?

• Attackers are tricky– When exploiting security vulnerabilities– Attacks span multiple packets

• Need a system to scan across multiple packets for Virus/Worm/Vulnerability exploits

Application Level Firewalls

• Similar to Packet-filters except:– Supports regular expression– Search across different packets for a match– Reconstructs objects (images,pictures) from

packets and scans objects.

Application Level Firewalls

• Similar to Packet-filters except:– Supports regular expression– Searches across different packets for a match– Reconstructs objects (images,pictures) from

packets and scans objects.

HTTP RequestsGet: image.png

Appy reg-ex to the object:

Application Level Firewalls

• Similar to Packet-filters except:– Supports regular expression– Searches across different packets for a match– Reconstructs objects (images,pictures) from

packets and scans objects.

HTTP RequestsGet: image.png

Why doesn’t everyone use App level firewalls?

• Object re-assembly requires a lot of memory• Regular-expressions require a lot of CPU

• App level firewalls are a lot more expensive– And also much slower – So you need more -- a lot more.

How do you Attack the Firewall?

• Most Common: Denial-of-Service attacks – Figure out a bug in the Firewall code– Code causes it to handle a packet incorrectly– Send a lot of ‘bug’ packets and no one can use the

firewall