Computer/Information Security, DR M Y Siyal, lecture 9 (sld9-2015)

FIREWALLS

A firewall is hardware or software (or a combination of hardware and software) that monitors the packets of digital information attempting to pass through the perimeter of a network and decides whether each may pass.

HARDWARE FIREWALLS

Protect an entire network

Implemented at the router level

Usually more expensive, harder to configure

SOFTWARE FIREWALLS

Protect a single computer

Usually less expensive, easier to configure

HOW DOES A SOFTWARE FIREWALL WORK?

Inspects each individual "packet" of data as it arrives at either side of the firewall (inbound to or outbound from your computer)

Determines whether it should be allowed to pass through or be blocked

KEEPING WORMS AND CRACKERS OUT

When you request something from the Internet, a NAT or proxying firewall makes the request on your behalf, so the outside world sees the firewall's address rather than your computer's.

Since the Internet never even sees your computer, there is nothing for worms or crackers to probe or attack other than the firewall.

And the firewall is a comparatively simple, hardened box that exposes very little to attack.

PERIMETER DEFENSE

A firewall is said to provide "perimeter security" because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

BASIC FIREWALL OPERATION

1. Legitimate hosts send innocent packets. Attackers send attack packets.

2. Ingress packets come into a site. Egress packets go out from a site.

Firewalls drop and log provable attack packets.

Firewalls do not drop packets unless they are provably attack packets. This means that some attack packets that are not provably attack packets get through the firewall.

FIREWALL POLICIES

To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.

(Figure: the firewall sits between the trusted internal network and the untrusted Internet.)

FIREWALL RULES AND POLICY ACTIONS

ALLOW: Traffic that flows automatically because it has been deemed "safe"

BLOCK: Traffic that is blocked because it has been deemed dangerous to your computer

ASK: Asks the user whether or not the traffic is allowed to pass through

There are two approaches to creating firewall policies:

1. BLACKLIST APPROACH (default allow)

All packets are allowed through except those that match the rules defined specifically in a blacklist.

This configuration is flexible but naive, as it assumes the network administrator can enumerate all of the properties of malicious traffic.

2. WHITELIST APPROACH (default deny)

A safer approach to defining a firewall rule set is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.

PERSONAL FIREWALL

A personal firewall (sometimes called a desktop firewall) is a software application used to protect a single Internet-connected computer from intruders.

WHAT A PERSONAL FIREWALL CAN DO

Stop hackers from accessing your computer

Protect your personal information

Block "pop-up" ads and certain cookies

Determine which programs can access the Internet

WHAT A PERSONAL FIREWALL CANNOT DO

Prevent e-mail viruses: only an antivirus product with updated definitions can do that

Be set once and forgotten: the firewall will require periodic updates to the rule sets and to the software itself

FIREWALLS PROCESSING MODES

Firewalls can be categorized by processing mode. The three covered here are:

1. Packet filtering

2. Application gateways

3. Circuit gateways

Packet filtering firewalls examine the header information of data packets.

Filtering is most often based on a combination of:

Internet Protocol (IP) source and destination address

Direction (inbound or outbound)

Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port numbers

Simple firewall models enforce rules designed to prohibit packets with certain addresses or address prefixes (partial addresses).

PACKET FILTERING FIREWALLS

Packet filtering firewalls are low cost and have a low impact on network performance.

Three subsets of packet filtering firewalls:

STATIC FILTERING: If a packet matches the packet filter's set of rules, the packet filter will drop or accept it.

DYNAMIC FILTERING: Allows the firewall to react to an emergent event and update or create rules to deal with it, by understanding how the protocol functions, based on information in the packet header.

STATEFUL INSPECTION: Firewalls that keep track of each network connection between internal and external systems using a state table.

(Figure: sample firewall rule and format.)

STATIC PACKET FILTERING FIREWALL

A stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.

(Figure: a client on the trusted internal network opens a TCP connection to a Web server on the Internet through the firewall.)

Client -> Server: SYN, Seq = x, destination port = 80
Server -> Client: SYN-ACK, Seq = y, Ack = x + 1
Client -> Server: ACK, Seq = x + 1, Ack = y + 1

Rules:
Allow outbound SYN packets, destination port = 80
Allow inbound SYN-ACK packets, source port = 80

Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

(Figure: an attacker on the Internet sends an inbound SYN, Seq = y, port 80, towards a host on the trusted internal network; the firewall blocks it.)

Rules:
Allow outbound SYN packets, destination port = 80
Drop inbound SYN packets
Allow inbound SYN-ACK packets, source port = 80

This was the earliest firewall filtering mechanism.

Examines packets one at a time, in isolation.

Only looks at some internet and transport layer headers.

Consequently, it is unable to stop many types of attacks.

It can stop some attacks, e.g., packets with spoofed IP addresses (an inbound packet whose source address belongs to the internal network).

No longer used as the main filtering mechanism for border firewalls.

May be used as a secondary filtering mechanism on main border firewalls.

SPI FIREWALL

Stateful Packet Inspection (SPI) firewalls review the same packet information as static filters but also record information about TCP connections.

Keep track of each network connection established between internal and external systems using a state table.

Track the state and context of each packet in the conversation by recording which station sent what packet and when.

SPI firewalls can tell when packets are part of legitimate sessions originating within a trusted network.

SPI firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.

Using these tables, SPI can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.

Primary disadvantage: the additional processing required to manage the state table and verify packets against it, which can expose the firewall itself to a DoS attack (e.g., a flood of connection attempts that fills the state table).

STATES IN CONNECTION

Connections have distinct states or stages.

Different states are subject to different attacks.

SPI firewalls use different filtering rules for different states.

(Figure: Connection Opening State -> Ongoing Communication State -> Connection Closing State.)

(Figure: SPI rules with two states.)

(Figure: SPI for a packet that does not attempt to open a connection, part 1.)

(Figure: SPI for a packet that does not attempt to open a connection, part 2.)

PERSPECTIVE ON SPI FIREWALL

LOW COST

Most packets are not part of connection-opening attempts.

These can be handled very simply (a state table lookup) and therefore inexpensively.

Connection-opening attempt packets are more expensive to process (they are checked against the access control list) but are rare.

SAFETY

Attacks other than application-level attacks usually fail to get through SPI firewalls.

In addition, SPI firewalls can use other forms of filtering when needed.

DOMINANCE

The combination of high safety and low cost makes SPI firewalls extremely popular.

Nearly all main border firewalls today use stateful packet inspection.
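The default-deny rule set, the stateless port 80 filter and the SPI state table described in the preceding slides, as an added example written for this page; it is not code from the lecture. The addresses, ports, sequence numbers and the 10.0.0.0/24 trusted network are assumptions. It goes a little beyond the slides by letting the rule set decide connection-opening attempts in either direction and by checking acknowledgement numbers, so a forged SYN-ACK has to guess the client's initial sequence number:

```python
from dataclasses import dataclass

# Constructed packet model: just the header fields a packet filter inspects.
@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = ingress (from the Internet), "out" = egress (from the trusted net)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    seq: int = 0
    ack: int = 0

INTERNAL_PREFIX = "10.0.0."   # assumed trusted network, 10.0.0.0/24

def rule_matches(pkt, rule):
    """A rule is a dict of header constraints; every constraint present must hold."""
    if rule.get("direction", pkt.direction) != pkt.direction:
        return False
    if rule.get("sport", pkt.sport) != pkt.sport or rule.get("dport", pkt.dport) != pkt.dport:
        return False
    if "src_internal" in rule and pkt.src.startswith(INTERNAL_PREFIX) != rule["src_internal"]:
        return False
    if not rule.get("flags", set()) <= pkt.flags:             # required flags
        return False
    return not (rule.get("not_flags", set()) & pkt.flags)     # forbidden flags

# Whitelist (default-deny) rule set from the slides; first match wins.
RULES = [
    {"direction": "in", "src_internal": True, "action": "DROP"},   # anti-spoofing
    {"direction": "out", "dport": 80, "flags": {"SYN"}, "not_flags": {"ACK"}, "action": "ALLOW"},
    {"direction": "in", "flags": {"SYN"}, "not_flags": {"ACK"}, "action": "DROP"},
    {"direction": "in", "sport": 80, "flags": {"ACK"}, "action": "ALLOW"},   # SYN-ACK and replies
    {"direction": "out", "dport": 80, "action": "ALLOW"},                    # rest of the client's side
]

def static_filter(pkt, rules=RULES, default="DROP"):
    """Stateless filter: each packet judged in isolation, default deny."""
    for rule in rules:
        if rule_matches(pkt, rule):
            return rule["action"]
    return default

class StatefulFirewall:
    """SPI: only connection-opening attempts (a bare SYN) are checked against the rules; every
    other packet is matched against the state table, which also records initial sequence numbers."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = {}   # (internal ip, port, external ip, port) -> connection record

    @staticmethod
    def _key(pkt):   # a connection is identified as (internal ip, port, external ip, port)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) if pkt.direction == "out" else (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self._key(pkt)
        if pkt.flags == {"SYN"}:                        # connection-opening attempt (rare, costly)
            if static_filter(pkt, self.rules) == "ALLOW":
                self.table[key] = {"state": "SYN_SENT", "opener": pkt.direction, "isn": pkt.seq}
                return "ALLOW"
            return "DROP"
        conn = self.table.get(key)                      # everything else: cheap table lookup
        if conn is None:
            return "DROP"                               # not part of any known connection
        state, from_opener = conn["state"], pkt.direction == conn["opener"]
        if state == "SYN_SENT":
            if not from_opener and pkt.flags == {"SYN", "ACK"} and pkt.ack == conn["isn"] + 1:
                conn.update(state="SYN_RECEIVED", peer_isn=pkt.seq)
                return "ALLOW"
            return "DROP"
        if state == "SYN_RECEIVED":
            if from_opener and pkt.flags == {"ACK"} and pkt.ack == conn["peer_isn"] + 1:
                conn["state"] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        if "RST" in pkt.flags:                          # abort: forget the connection
            del self.table[key]
        elif "FIN" in pkt.flags:                        # orderly close: the second FIN removes the entry
            if state == "CLOSING":
                del self.table[key]
            else:
                conn["state"] = "CLOSING"
        return "ALLOW"                                  # ongoing communication

def demo():
    """Run the slides' port 80 handshake and an attacker's probe through both filters."""
    client, server, attacker = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    handshake = [
        Packet("out", client, 40000, server, 80, frozenset({"SYN"}), seq=1000),
        Packet("in", server, 80, client, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001),
        Packet("out", client, 40000, server, 80, frozenset({"ACK"}), seq=1001, ack=5001),
    ]
    # Probe crafted with source port 80 and ACK set so that it looks like a Web reply.
    probe = Packet("in", attacker, 80, client, 40001, frozenset({"ACK"}), seq=1, ack=1)
    spi = StatefulFirewall()
    return {
        "static_handshake": [static_filter(p) for p in handshake],
        "static_probe": static_filter(probe),            # the stateless filter lets it through
        "spi_handshake": [spi.process(p) for p in handshake],
        "spi_probe": spi.process(probe),                 # SPI drops it: no matching connection
        "spi_state": spi.table[(client, 40000, server, 80)]["state"],
    }
```

The probe is the point: a stateless rule set has to admit inbound packets with source port 80 and ACK set or no reply would ever get through, so an attacker who sets those fields walks past it (the classic ACK scan). The SPI firewall drops the same packet because no state table entry matches, and a forged SYN-ACK for a real half-open connection is dropped unless its acknowledgement number equals the client's initial sequence number plus one.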

APPLICATION GATEWAYS

Frequently installed on a dedicated computer; also known as a proxy server.

Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks.

With this configuration the proxy server, rather than the Web server, is exposed to the outside world.

Additional filtering routers can be implemented behind the proxy server.

A gateway that is configured to be a Web proxy will not allow any FTP, Gopher, Telnet or other traffic through.

Has full access to the application protocol:

The user requests a service from the proxy.

The proxy validates the request as legal.

The proxy then performs the request itself and returns the result to the user.

Tends to be more secure than packet filters.

Need only scrutinize a few allowable applications.

Easy to log and audit all incoming traffic.

(Figure: proxy firewall / application gateway.)

(Figure: application proxy firewall operation.)

(Figure: roles for application proxy firewalls today.)

APPLICATION PROXY FIREWALL PROTECTION

Protections for internal clients against malicious Web servers:

URL blacklists for known attack sites

Protection against some or all scripts in webpages

Protections against misbehaving internal clients:

Disallowing the HTTP POST method, which can be used to send out sensitive files

Protections for internal Web servers against malicious clients:

Disallowing HTTP POST methods, which could allow malware files to be placed on the server

Detecting indications of SQL injection attacks

Automatic protections:

The hiding of internal host IP addresses from sniffers

The data link, internet, and transport headers are discarded, along with any attacks they may have contained

If the client or server does not follow the protocol of the indicated port number, communication with the firewall automatically breaks down
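The checks an outbound Web proxy can make on a request before re-issuing it in its own name, as an added example written for this page; it is not code from the lecture or from any proxy product. The blacklist, the allowed methods, the headers it re-emits, the SQL injection signatures and the sample requests are all constructed for the example:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed policy: a blacklist of known attack sites, the methods the proxy will relay
# (no POST, as the slide suggests) and the request headers it is willing to re-emit.
URL_BLACKLIST = {"evil.example"}
ALLOWED_METHODS = {"GET", "HEAD"}
FORWARDED_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding"}
# Crude indicators of SQL injection in a query parameter; real products use far larger signature sets.
SQLI_INDICATOR = re.compile(r"""(['"])\s*(or|and)\s+[^'"]*=|union\s+select|;\s*(drop|insert|update)\s|--\s*$""", re.I)

def parse_request(raw):
    """Parse an HTTP/1.x request head; raise ValueError if the bytes do not follow the protocol."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ValueError("not an HTTP request line")
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported HTTP version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def inspect_request(raw):
    """Return (decision, reason, rebuilt request). The proxy never forwards the client's bytes:
    it rebuilds the request itself, so lower-layer headers and stray client headers never reach the server."""
    try:
        req = parse_request(raw)
    except ValueError as err:
        return "BLOCK", f"protocol violation: {err}", None      # client not speaking HTTP on the HTTP port
    if req["method"] not in ALLOWED_METHODS:
        return "BLOCK", f"method {req['method']} not allowed", None
    host = req["headers"].get("host", "").split(":")[0].lower()
    if not host:
        return "BLOCK", "missing Host header", None
    if host in URL_BLACKLIST:
        return "BLOCK", f"blacklisted site {host}", None
    for name, value in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True):
        if SQLI_INDICATOR.search(value):                       # parse_qsl has already URL-decoded it
            return "BLOCK", f"SQL injection indicator in parameter {name!r}", None
    rebuilt = [f"{req['method']} {req['target']} HTTP/1.1"]
    rebuilt += [f"{k}: {v}" for k, v in req["headers"].items() if k in FORWARDED_HEADERS]
    return "ALLOW", "ok", ("\r\n".join(rebuilt) + "\r\n\r\n").encode("ascii")

# Constructed sample traffic as it would arrive on the proxy's client-facing port.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\nX-Internal-Token: s3cret\r\n\r\n",
    "post_upload": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello",
    "sqli_query": b"GET /search?q=%27+OR+1%3D1+-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "blacklisted": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    "not_http": b"SSH-2.0-OpenSSH_9.6\r\n",
}

def demo():
    """Decision for each sample request."""
    return {name: inspect_request(raw)[0] for name, raw in SAMPLES.items()}
```

Two of the slide's "automatic protections" fall out of the structure rather than from any rule: the SSH banner is blocked simply because the parser cannot read it as HTTP, and the client's X-Internal-Token header never leaves the proxy because the forwarded request is generated from a whitelist of header names rather than copied.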

CIRCUIT GATEWAYS

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.

They monitor the TCP handshake to determine whether a requested session is legitimate.

Like packet filtering firewalls, they do not usually look at the data traffic flowing between two networks, but they prevent direct connections between one network and another.

This is accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels.

Circuit level gateways are inexpensive and have the advantage of hiding information about the private network they protect.

(Figure: circuit level firewalls.)

GENERAL PERFORMANCE

TECHNOLOGY            SPEED     FLEXIBILITY   INTELLIGENCE
Packet Filtering      V Good    V Good        Low
Application Proxy     Low       Low           V Good
Stateful Inspection   Good      Good          Good
Circuit Level Proxy   Low       Low           Low

RANKING               SECURITY  PERFORMANCE
Packet Filter         3         1
SPI                   2         2
Circuit GW            2         3
App. GW               1         4

A lower rank is better for both security and performance (1 = best).

FIREWALLS CATEGORIZED BY GENERATION

FIRST GENERATION: Static packet filtering firewalls

SECOND GENERATION: Application-level firewalls or proxy servers

THIRD GENERATION: Stateful inspection firewalls

FOURTH GENERATION: Dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter

FIFTH GENERATION: Kernel proxies; a specialized form working under the kernel of Windows NT

FIREWALL ARCHITECTURES

Firewall devices can be configured in a number of network connection architectures.

The best configuration depends on three factors:

Objectives of the network

Organization's ability to develop and implement architectures

Budget available for the function

Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls.

PACKET FILTERING ROUTERS

Most organizations with an Internet connection have a router serving as the interface to the Internet.

Many of these routers can be configured to reject packets that the organization does not allow into the network.

Drawbacks include a lack of auditing and strong authentication.

(Figure: packet filtering router used as a first generation firewall. Unrestricted data packets arrive from the untrusted network; the router passes filtered data packets to the trusted network and drops blocked data packets.)

SCREENED HOST FIREWALLS

Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server.

Allows the router to prescreen packets to minimize the traffic/load on the internal proxy.

The separate host (referred to as a bastion host or sacrificial host) can be a rich target for external attacks and should be very thoroughly secured.

BASTION HOST

The bastion host is the system that any outsiders, friends or possible foes, must ordinarily connect with to access a system or a service that is inside your firewall.

Only services that the network administrator considers essential are installed on the bastion host (e.g., Telnet, DNS, FTP, and user authentication).

The system could have single, dual or multiple bastion hosts.

(Figure: screened-host firewall. Unrestricted data packets from the untrusted network reach the packet filtering router; filtered data packets are passed to the bastion host running an application level firewall, which provides proxy access to the trusted network; blocked data packets are dropped.)

BASTION HOST

There are single-homed bastion and dual-homed bastion based firewalls.

SINGLE-HOMED BASTION: ADVANTAGES

Has greater security than simply a packet filtering router or an application level gateway alone.

Implements both packet-level and application-level filtering, allowing considerable flexibility in defining security policy.

An intruder must generally penetrate two separate systems before the security of the internal network is compromised.

Affords flexibility in providing direct Internet access.

DUAL-HOMED BASTION

The bastion host contains two NICs (network interface cards): one connected to the external network and one connected to the internal network.

With two NICs all traffic must physically go through the firewall to move between the internal and external networks.

A technology known as network address translation (NAT) is implemented with this architecture, creating another barrier to intrusion from external attackers.

(Figure: single-homed bastion.)

(Figure: dual-homed bastion.)

(Figure: dual-homed host firewall. A dual-homed host used as a firewall providing network address translation (NAT) sits between an external filtering router and an internal filtering router; public IP addresses are used on the outside and NAT-assigned local addresses on the trusted network. Unrestricted data packets arrive from the untrusted network; blocked external and blocked internal data packets are dropped; the trusted network gets proxy access.)
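The NAT barrier on a dual-homed host described above, as an added example written for this page; it is not code from the lecture. The public address, the 192.168.1.0/24 internal network, the port range and the sample hosts are assumptions. The translation table is keyed on the remote host as well as the mapped port, so a reply is only let in from the peer an internal host actually contacted:

```python
import itertools
from dataclasses import dataclass, replace

# Constructed packet model: only the addressing fields that NAT rewrites.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    """Dual-homed host doing source NAT: internal hosts leave with the gateway's public address
    and a mapped port; only packets that match an existing mapping are translated back in."""
    def __init__(self, public_ip, internal_prefix, first_port=50000):
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix
        self.free_ports = itertools.count(first_port)
        self.out_map = {}   # (internal ip, port, remote ip, port) -> public port
        self.in_map = {}    # (public port, remote ip, port) -> (internal ip, port)

    def outbound(self, pkt):
        """Packet seen on the internal interface; returns the translated packet, or None if dropped."""
        if not pkt.src.startswith(self.internal_prefix):
            return None                       # only internal hosts may originate traffic
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                      # first packet of this flow: allocate a mapping
            port = next(self.free_ports)
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Packet seen on the external interface; returns the de-translated packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None                       # internal addresses are not reachable from outside
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                       # nobody inside asked for this: unsolicited, dropped
        internal_ip, internal_port = entry
        return replace(pkt, dst=internal_ip, dport=internal_port)

def demo():
    """One internal Web request and three attacker packets through the gateway."""
    gw = NatGateway(public_ip="203.0.113.1", internal_prefix="192.168.1.")
    web, attacker = "198.51.100.7", "203.0.113.9"
    request = gw.outbound(Packet("192.168.1.10", 40000, web, 80))
    reply = gw.inbound(Packet(web, 80, request.src, request.sport))
    return {
        "request_as_seen_outside": (request.src, request.sport),
        "reply_delivered_to": (reply.dst, reply.dport),
        "attacker_to_mapped_port": gw.inbound(Packet(attacker, 80, "203.0.113.1", request.sport)),
        "attacker_to_internal_host": gw.inbound(Packet(attacker, 4444, "192.168.1.10", 22)),
        "attacker_to_gateway_service": gw.inbound(Packet(attacker, 4444, "203.0.113.1", 22)),
    }
```

The attacker's three packets are all dropped for different reasons: the first hits a live mapping but comes from the wrong peer, the second is addressed to an internal address the outside cannot route to at all, and the third targets a port on the gateway for which no inside host has created a mapping. A NAT of this kind is therefore a barrier, but only an incidental one; it says nothing about what an internal host chooses to fetch.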

SCREENED-SUBNET FIREWALLS

Consists of two or more internal bastion hosts, behind a packet filtering router, with each host protecting the trusted network.

The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them.

The second general model involves the connection from the outside or untrusted network going through this path: through an external filtering router, then into and out of a routing firewall to the separate network segment known as the DMZ. Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

ADVANTAGES

There are now three levels of defense to thwart intruders.

The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.

Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.

(Figure: screened-subnet firewall. An external filtering router faces the untrusted network and passes controlled access into the demilitarized zone (DMZ), where the servers sit; an internal filtering router gives the trusted network proxy access; blocked data packets are dropped.)

THE DEATH OF THE PERIMETER

PROTECTING THE PERIMETER IS NO LONGER POSSIBLE

There are too many ways to get through the perimeter.

AVOIDING THE BORDER FIREWALL

Internal attackers are inside the firewall already.

Compromised internal hosts are inside the firewall.

Wireless LAN drive-by hackers enter through access points that are inside the site.

Home notebooks, mobile phones, and media are brought into the site.

Internal firewalls can address some of these threats.

EXTENDING THE PERIMETER

Remote employees must be given access.

Consultants, outsourcers, customers, suppliers, and other subsidiaries must be given access.

Essentially, all of these tend to use VPNs to make external parties "internal" to your site.

SELECTING THE RIGHT FIREWALL

What type of firewall technology offers the right balance of protection features and cost for the needs of the organization?

What features are included in the base price? What features are available at extra cost? Are all cost factors known?

How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?

Can the candidate firewall adapt to the growing network in the target organization?

CONFIGURING AND MANAGING FIREWALLS

Each firewall device will have its own set of configuration rules that regulate its actions.

Simple mistakes can turn the device into a choke point.

When security rules conflict with the performance of business, security loses, since organizations are much more willing to live with a potential risk than a certain failure.

RECOMMENDED PRACTICES

All traffic from the trusted network is allowed out.

The firewall device is always inaccessible directly from the public network.

Allow Simple Mail Transfer Protocol (SMTP) data to pass through your firewall, but ensure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely.

All Internet Control Message Protocol (ICMP) data should be denied. (In practice, blocking every ICMP type breaks path MTU discovery, so the "fragmentation needed" / "packet too big" messages are usually still allowed.)

Block Telnet (terminal emulation) access to all internal servers from the public networks.

When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture.

TRADEOFF

Degree of communication with the outside world versus level of security.

Remember that many highly protected sites still suffer from attacks.