3 firewalls

Upload: james-lum

Post on 06-Apr-2018


8/3/2019 3 Firewalls

Slide 1: Firewalls

Slide 2: Topics on Defenses

- Firewalls and Intrusion Detection
- Access Control: prevention of the unauthorized use of a resource
- Availability: resources (i.e. information) should be available to authorized parties at all times
- Cryptography
- Data Confidentiality
- Authentication
- Data Integrity
- Non-Repudiation

Slide 3: Firewalls Lecture Objectives

- To understand the general characteristics of firewalls
- To study different types of firewalls
- To examine common firewall configurations

Slide 4: Definition of Firewalls

By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.

Network Firewall: isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

[Diagram: Internet - Router - Firewall - Router - Internal Network]

Slide 5: Local Network without Firewall

In the case of a Local Network directly connected to the Internet without any firewall, the entire network is subject to attack.

Practical experience shows that it is very difficult to ensure that every host on the network is secure. One badly chosen password and all the network security can be compromised.

If one of the hosts is penetrated, it is not difficult to penetrate all the other hosts on the network using the resources of that compromised host.

[Diagram: Internet - Router - Router - Internal Network, with no firewall in between]

Slide 6: Why Firewall?

- Protects the network from intrusion.
- Provides a single choke point of control and monitoring.
- Provides a focus for security decisions.
- Enforces security policies.
- It can limit your exposure to external attacks.

Slide 7: Firewall Goals

- All traffic from outside to inside, and vice versa, passes through the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.
- The firewall itself is immune to penetration.

Slide 8: Types of Firewalls

1. Traditional Packet Filter Firewalls
2. Stateful Filter Firewalls
3. Application Gateways

Slide 9: Traditional Packet Filter Firewalls

Every packet has a set of headers containing certain information. The main information is:

- Source IP address (IP header)
- Destination IP address (IP header)
- Protocol type (IP header): specifies whether the data encapsulated in the IP datagram belongs to the TCP, UDP or ICMP protocol
- Source port (TCP or UDP header)
- Destination port (TCP or UDP header)
- ICMP message type
- Direction: is the datagram leaving or entering the internal network?
- Router interface: decisions can be different for different interfaces

Slide 10: Packet Filter Firewall Example 1: IP Spoofing of Internal Addresses

Many network services base their authentication on the source IP address of the host requesting the service.

Attacks have been known that exploited this feature and compromised the network using IP packets with a spoofed source IP address, thus impersonating some trusted host.

This attack can be protected against by packet filtering: filter out all packets that come in through the external interface and whose source IP address belongs to the Internal Network.

[Diagram: Internet - Firewall - Internal Network (IP: 144.214.0.0, Net Mask: 255.255.0.0); a packet arriving from the Internet with SA: 144.214.30.23]

Slide 11: Access Control List for IP Spoofing of Internal Addresses

This is an example of using a packet filter to protect against the IP spoofing of internal addresses. The Access Control List (ACL) for port #1:

Entry number | Source IP address/Mask   | Destination IP address/Mask | Action
(1)          | 144.214.0.0/255.255.0.0  | any                         | drop
(2)          | any                      | any                         | permit

[Diagram: Internet - Port #1 - Firewall - Port #2 - Internal Network (IP: 144.214.0.0, Net Mask: 255.255.0.0)]

Slide 12: Packet Filter Firewall Example 2: Allowing only email traffic

Suppose you only want to allow email traffic between the Internet and your Internal Network.

Suppose a user on host A wants to send an e-mail message to a user on host B. The mail transfer program on host A becomes an SMTP (Simple Mail Transfer Protocol) client and forms a TCP connection to the SMTP server on host B.

[Diagram: Host A on the Internet - Port #1 - Firewall - Port #2 - Internal Network (IP: 144.214.0.0, Net Mask: 255.255.0.0) containing Host B and the Mail Gateway (IP: 144.214.5.210)]

Slide 13 (Example 2, cont.)

Security Policy: the filtering router must permit only the following packets:

- coming from a host on the Internal Network and destined to port 25;
- coming from the Internet to port 25 on the Mail Gateway machine.

ACL for port #1:

entry # | Src IP addr/Mask | Src port | Dest IP addr/Mask             | Dest port | Action | Comments
(1)     | any              | any      | 144.214.5.210/255.255.255.255 | 25        | permit | allow external traffic to SMTP port on Mail Gateway
(2)     | any              | any      | any                           | any       | block  | block any other traffic

ACL for port #2:

entry # | Src IP addr/Mask        | Src port | Dest IP addr/Mask | Dest port | Action | Comments
(1)     | 144.214.0.0/255.255.0.0 | any      | any               | 25        | permit | allow internal traffic to SMTP port on external hosts
(2)     | any                     | any      | any               | any       | block  | block any other traffic

Slide 14: Packet Filtering Rules Example 3

Policy                                                      | Firewall Setting
Outside Web access only                                     | Drop all outgoing packets to any IP address except port 80.
Prevent Web-radios from eating up the available bandwidth   | Drop all incoming UDP packets except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack | Drop all ICMP packets going to a broadcast address (e.g. 144.214.255.255).
Prevent your network from being tracerouted                 | Drop all incoming ICMP.

Slide 15: Access Control Lists

Apply rules from top to bottom:

Action | Source Address        | Dest Address          | Protocol | Source Port | Dest Port | Flag Bit
Allow  | 144.214/16            | Outside of 144.214/16 | TCP      | >1023       | 80        | Any
Allow  | Outside of 144.214/16 | 144.214/16            | TCP      | 80          | >1023     | ACK
Allow  | 144.214/16            | Outside of 144.214/16 | UDP      | >1023       | 53        | ---
Allow  | Outside of 144.214/16 | 144.214/16            | UDP      | 53          | >1023     | ---
Deny   | All                   | All                   | All      | All         | All       | All

Slide 16: Access Control Lists

- Each router/firewall interface can have its own ACL
- Most firewall vendors provide both a command-line and a graphical configuration interface

Slide 17: Advantages and Disadvantages of Traditional Packet Filter Firewalls

Advantages:
- One screening router can protect an entire network
- Can be efficient if filtering rules are kept simple
- Widely available: almost any router, even Linux boxes

Disadvantages:
- Can be penetrated
- Cannot enforce some policies, for example permitting certain users
- Rules can get complicated and difficult to test
- Can reduce router performance

Slide 18: Stateful Filter Firewalls

In the previous example, any packet with ACK=1 and source port 80 gets in. An attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments.

Stateful filter: adds more intelligence to the filter decision-making process.

- Stateful = remember past packets
- Memory implemented in a very dynamic state table

Slide 19: Stateful Filters: Example

Log each TCP connection initiated through the firewall (SYN segment). Time out entries which see no activity for, say, 1 min.

Source Address | Dest Address | Source Port | Dest Port
144.214.30.67  | 203.45.23.66 | 234567      | 80
144.214.30.45  | 199.1.205.34 | 434577      | 80
144.214.30.22  | 37.98.87.144 | 123456      | 80

If the rule table indicates that the stateful table must be checked: check to see if there is already a connection in the stateful table.

Stateful filters can also remember outgoing UDP segments.

Slide 20: Stateful Filters: Example (cont.)

1. Packet arrives from outside: SA: 37.98.87.144, SP=80, DA=144.214.30.22, DP=123456, SYN=0, ACK=1
2. Check filter table => check stateful table
3. Connection is listed in connection table => let packet through

Action | Source Address        | Dest Address          | Protocol | Source Port | Dest Port | Flag Bit | Check Connection
Allow  | 144.214/16            | Outside of 144.214/16 | TCP      | >1023       | 80        | Any      |
Allow  | Outside of 144.214/16 | 144.214/16            | TCP      | 80          | >1023     | ACK      | X
Allow  | 144.214/16            | Outside of 144.214/16 | UDP      | >1023       | 53        | ---      |
Allow  | Outside of 144.214/16 | 144.214/16            | UDP      | 53          | >1023     | ---      | X
Deny   | All                   | All                   | All      | All         | All       | All      |
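The ACL of slide 20 and the connection table of slide 19 can be combined into one filter. The following is an added example written for this transcript, not code from the lecture; the Packet and Rule classes, the port notation and the 60-second timeout are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("144.214.0.0/16")   # the lecture's internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src_internal: Optional[bool]   # True = 144.214/16, False = outside, None = all
    dst_internal: Optional[bool]
    proto: Optional[str]           # None = all protocols
    sport: str                     # "80", ">1023" or "all"
    dport: str
    flag: str                      # "ACK" = ACK bit required; "any"/"---"/"all" = no check
    check_conn: bool = False       # the "Check Connection" column on slide 20


def port_matches(spec: str, port: int) -> bool:
    if spec == "all":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(r: Rule, p: Packet) -> bool:
    src_inside = ip_address(p.src) in INTERNAL
    dst_inside = ip_address(p.dst) in INTERNAL
    return ((r.src_internal is None or r.src_internal == src_inside)
            and (r.dst_internal is None or r.dst_internal == dst_inside)
            and (r.proto is None or r.proto == p.proto)
            and port_matches(r.sport, p.sport)
            and port_matches(r.dport, p.dport)
            and (r.flag != "ACK" or p.ack))


# Slide 20's ACL, applied top to bottom; X rows must also match a logged connection.
ACL = [
    Rule("allow", True, False, "TCP", ">1023", "80", "any"),
    Rule("allow", False, True, "TCP", "80", ">1023", "ACK", check_conn=True),
    Rule("allow", True, False, "UDP", ">1023", "53", "---"),
    Rule("allow", False, True, "UDP", "53", ">1023", "---", check_conn=True),
    Rule("deny", None, None, None, "all", "all", "all"),
]


class StatefulFilter:
    TIMEOUT = 60.0   # slide 19: time out entries that see no activity for 1 min

    def __init__(self, rules=ACL):
        self.rules = rules
        self.table = {}   # (src, dst, sport, dport) of outbound flow -> last activity

    def decide(self, p: Packet, now: float) -> str:
        for key in [k for k, t in self.table.items() if now - t > self.TIMEOUT]:
            del self.table[key]          # expire idle entries
        for r in self.rules:             # first matching rule wins
            if not rule_matches(r, p):
                continue
            if r.action == "deny":
                return "deny"
            if r.check_conn:
                # an inbound reply matches the outbound entry with the ends swapped
                key = (p.dst, p.src, p.dport, p.sport)
                if key not in self.table:
                    return "deny"        # ACK=1 segment with no connection (slide 18)
                self.table[key] = now
                return "allow"
            if p.proto == "UDP" or p.syn:  # log new outbound TCP SYNs and UDP requests
                self.table[(p.src, p.dst, p.sport, p.dport)] = now
            return "allow"
        return "deny"
```

The inbound ACK=1 segment that the stateless table of slide 15 would let through is only accepted here when an internal host has actually opened the connection, and the entry disappears again after a minute of silence.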

Slide 21: Application Gateways (or Proxy Servers)

An application gateway sits between the user on the inside and the server on the outside. Instead of talking directly, user and server talk through the proxy.

Allows more fine-grained and sophisticated control than packet filtering. For example, the ftp server may not allow files greater than a set size.

[Diagram: Internet - Router - Router - Application Gateway; a host-to-gateway ftp session and a gateway-to-remote-host ftp session]

Slide 22: Proxy Program

[Diagram: Actual Client - Proxy Client - Dual-Homed Host running the Proxy Program (Proxy Server) - Internet - Real Server]

Slide 23: Mail Servers and Proxy Web Servers

- A local mail server is an application gateway: virus detection and removal
- So is a Web proxy cache: it can also do virus detection and removal

Slide 24: Advantages and Disadvantages of Proxy Gateways

Advantages:
- Can log all connections and activity in connections
- Can provide caching
- Can do intelligent filtering based on content
- Can perform user-level authentication

Disadvantages:
- Not all services have proxied versions
- May need a different proxy server for each service
- Require modification of the client
- Performance

Slide 25: Application Gateways + Packet Filter

Filters packets on application data as well as IP/TCP/UDP fields.

Example: allow select internal users to ftp outside.

- Require all ftp users to ftp through the gateway.
- For authorized users, the gateway sets up an ftp connection to the destination host. The gateway relays data between the 2 connections.
- The router filter blocks all ftp connections not originating from the gateway.

[Diagram: Internet - Router - Router and Filter - Application Gateway; a host-to-gateway ftp session and a gateway-to-remote-host ftp session]

Slide 26: Network Address Translation

Network Address Translation (NAT) allows a network to use one set of addresses internally and a different set when dealing with external networks. It helps conceal the internal network and forces connections to go through a choke point.

The router does the extra work required for address translation.

[Diagram: External Network - NAT Router (external address 144.214.40.66, internal address 192.168.2.1) - internal hosts 192.168.2.90, 192.168.2.91, 192.168.2.92]

Slide 27: NAT Example 1

Router 144.214.40.66 with NAT that masquerades. Could be a dual-homed bastion host.

[Diagram: Internet FTP Client 202.66.151.118 - NAT Router 144.214.40.66 - hosts 192.168.2.90, 192.168.2.91, 192.168.2.92, 192.168.2.93; labels: FTP Server Port 21, Web Server Port 80]

Packet flow (X is the client's port):

- Client to router: To 144.214.40.66:21, From 202.66.151.118:X
- Router to FTP server: To 192.168.2.92:21, From 202.66.151.118:X
- FTP server to router: To 202.66.151.118:X, From 192.168.2.92:21
- Router to client: To 202.66.151.118:X, From 144.214.40.66:21

Slide 28: NAT Example 2

Router 144.214.40.66 with NAT that masquerades. Could be a dual-homed bastion host.

[Diagram: Internet RTHK Web Server 202.177.192.72 - NAT Router 144.214.40.66 - hosts 192.168.2.90, Web Client 192.168.2.91, 192.168.2.92, 192.168.2.93 (same internal hosts as Example 1)]

Packet flow (Y is the client's port):

- Web client to router: To 202.177.192.72:80, From 192.168.2.91:Y
- Router to web server: To 202.177.192.72:80, From 144.214.40.66:Y
- Web server to router: To 144.214.40.66:Y, From 202.177.192.72:80
- Router to web client: To 192.168.2.91:Y, From 202.177.192.72:80
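As an added example (not the lecture's code), here is the masquerading router of Examples 1 and 2 as a translation table. The router and host addresses are the slides'; the Packet class, the static forward of port 21 to the internal FTP server, and the way the external ports Y are allocated are assumptions of this example.

```python
from dataclasses import dataclass, replace

ROUTER_EXTERNAL = "144.214.40.66"   # the router's Internet-facing address on slides 27/28


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingNAT:
    def __init__(self, forwards=None, first_port=40000):
        # static forwards: external port -> (internal ip, port); e.g. 21 -> the FTP server
        self.forwards = dict(forwards or {})
        self.fwd_rev = {v: k for k, v in self.forwards.items()}
        self.next_port = first_port     # next masquerade port Y to hand out (assumption)
        self.out = {}    # (internal ip, internal port) -> external port Y
        self.back = {}   # external port Y -> (internal ip, internal port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the internal network (slide 28, step 2)."""
        key = (p.src_ip, p.src_port)
        if key in self.fwd_rev:   # reply from a forwarded server keeps its published port
            return replace(p, src_ip=ROUTER_EXTERNAL, src_port=self.fwd_rev[key])
        if key not in self.out:   # first packet of a new flow: allocate a port Y
            y = self.next_port
            self.next_port += 1
            self.out[key] = y
            self.back[y] = key
        return replace(p, src_ip=ROUTER_EXTERNAL, src_port=self.out[key])

    def inbound(self, p: Packet):
        """Rewrite a packet arriving from the Internet; None means it is dropped."""
        if p.dst_ip != ROUTER_EXTERNAL:
            return None   # internal 192.168.2.x addresses are never reachable directly
        if p.dst_port in self.back:        # reply to a masqueraded flow (slide 28, step 4)
            ip, port = self.back[p.dst_port]
        elif p.dst_port in self.forwards:  # statically published service (slide 27)
            ip, port = self.forwards[p.dst_port]
        else:
            return None   # unsolicited traffic has no mapping: this is how NAT restricts incoming traffic
        return replace(p, dst_ip=ip, dst_port=port)
```

Only flows the router has seen leave, or services it has been told to publish, get a mapping; everything else arriving at 144.214.40.66 is dropped, which is the "can help restrict incoming traffic" point of slide 29.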

Slide 29: Advantages and Disadvantages of NAT

Advantages:
- Helps enforce firewall control over outbound connections
- Can help restrict incoming traffic
- Can help conceal internal network configuration

Disadvantages:
- Interferes with logging
- Could interfere with packet filtering
- Could interfere with encryption and authentication
- Dynamic allocation could lead to broken connections

Slide 30: Demilitarized Zone (DMZ)

[Diagram: Attacker on the Internet - Exterior Router - Demilitarized Zone (Perimeter Network) with Bastion Stations: DNS Server, FTP Server, Web Server - Interior Router - Internal Network]

Slide 31: Some Firewall Definitions

Perimeter network (or DMZ): a network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone (named after the zone separating North and South Korea).

Bastion host: a computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles.

Dual-homed host: a general-purpose computer system that has at least two network interfaces (or homes).

Slide 32: Firewall Architectures

- Screening Router Architecture
- Dual-homed Host Architecture
- Screened Host Architecture
- Screened Subnet Architecture
- Variations: Multiple Bastion Hosts, Multiple Exterior Routers, Multiple Perimeter Networks, Multiple Interior Routers, etc.

Slide 33: Screened Router Architecture

The security of the whole Internal Network depends on the correct Access Control List of the screening router and on the amount of services permitted.

[Diagram: Internet - Screening Router (the firewall) - Internal Network]

Slide 34: Dual-Homed Host Architecture

[Diagram: Internet - Router - Dual-Homed Host (the firewall) - Internal Network]

Routing is turned off on the Dual-homed Host.

Useful if no traffic from the internal network to the external network is allowed. Users have to log into the dual-homed host to access the Internet. This implies user accounts, which is not a good idea!

Services can also be provided by proxying them.

Slide 35: Communication Methods for DHH

Users on the Internal Network are given accounts on the Dual-Homed Host machine. To use Internet services, a user must rlogin to the Dual-Homed Host machine. The fact that you allow accounts on the machine weakens its security greatly.

The Dual-Homed Host runs a proxy program for each service you want to permit. There is no more need for users to rlogin to the machine in order to access the Internet. They can communicate via the proxy software.

Slide 36: Security of DHH Architecture

The only host that can be accessed, and thus attacked, from the Internet is the Dual-Homed Host machine. It must have a much greater level of security than an ordinary host on the Internal Network: extensive logging and auditing of system state must be performed, only secure and necessary software installed, and so on.

This architecture is much more secure than the Screening Router Architecture. But still, once the Dual-Homed Host is subverted, the entire Internal Network is vulnerable to attack.

Slide 37: Screened Host Architecture

Services are only provided through the bastion host. Primary security is provided by the Screening Router (packet filtering).

[Diagram: Internet - Router - Screening Router - Bastion Host on the internal network]

Slide 38: Screened Host Architecture

Consists of a packet filtering router and a bastion host.

Router rules:
- Inbound: only IP packets destined for the bastion host are allowed
- Outbound: only IP packets from the bastion host are allowed

The bastion host performs authentication and proxy functions.

Better security, because of 2 systems. The router may allow direct traffic between a web server and the Internet.

If an attacker breaks into the bastion host, he has access to the internal network.

Slide 39: Screened Subnet Architectures

[Diagram: Internet - Exterior Router - perimeter network with Bastion Station - Interior Router - Internal Network]

Reduces the impact of a break-in into the bastion host. No single vulnerable point that compromises the internal network.

Slide 40: Multiple Bastion Hosts

[Diagram: Internet - Exterior Router - Demilitarized Zone (Perimeter Network) with Bastion Stations: DNS Server, FTP Server, Web Server - Interior Router - Internal Network]

Reasons you might want to do this include performance, redundancy, and the need to separate data or servers.

Slide 41: Merge Interior and Exterior Routers

This architecture, like the screened host architecture, makes the site vulnerable to the compromise of a single router. In general, routers are easier to protect than hosts, but they are not impenetrable.

[Diagram: Internet - Interior/Exterior Router - Bastion Host and Internal Network]

Slide 42: Merge Bastion Host and Exterior Router

[Diagram: Internet - Bastion Host/Exterior Router - Interior Router - Internal Network]

Slide 43: Merge Bastion Host and Interior Router

[Diagram: Internet - Exterior Router - Bastion Host/Interior Router - Internal Network]

One of the main purposes of the perimeter network is to prevent the bastion host from being able to snoop on internal traffic. Moving the bastion host to the interior router makes all of your internal traffic visible to it.

Warning: We recommend against this configuration.

Slide 44: It's Dangerous to Merge the Bastion Host and the Interior Router

The bastion host and the exterior router each perform distinct protective tasks; they complement each other but don't back each other up. The interior router functions in part as a backup to the two of them.

With this type of configuration, if the bastion host is broken into, there's nothing left in the way of security between the bastion host and the internal network.

Slide 45: Multiple Interior Routers

[Diagram: Internet - Exterior Router - Perimeter Network with Bastion Station - two Interior Routers - Internal Network]

Warning: We recommend against this configuration.

Slide 46: It's Dangerous to Use Multiple Interior Routers

The basic problem is that the routing software on an internal system could decide that the fastest way to another internal system is via the perimeter net. If you're lucky, this approach simply won't work, because it will be blocked by the packet filtering on one of the routers. If you're unlucky, it will work, and you'll have sensitive, strictly internal traffic flowing across your perimeter net, where it can be snooped on if somebody has managed to break in to the bastion host.

It's also difficult to keep multiple interior routers correctly configured. The interior router is the one with the most important and the most complex set of packet filters, and having two of them doubles your chances of getting the rule sets wrong.

Slide 47: Multiple Internal Networks

[Diagram: Internet - Exterior Router - Bastion Station - Interior Router - Internal Network A and Internal Network B]

Slide 48: Multiple Internal Networks (Backbone Architecture)

[Diagram: Internet - Exterior Router - Bastion Station - Interior Router - backbone with one Router to Internal Network A and another Router to Internal Network B]

Multiple internal networks (separate interfaces in a single router).

Slide 49: Multiple Exterior Routers

[Diagram: Internet and Supplier Network, each through its own Exterior Router - perimeter network with Bastion Station - Interior Router]

There are some cases in which it makes sense to connect multiple exterior routers to the same perimeter network.

Slide 50: Why Using Multiple Exterior Routers?

Examples are:
- You have multiple connections to the Internet (for example, through different service providers, for redundancy).
- You have a connection to the Internet plus other connections to other sites.

In these cases, you might instead have one exterior router with multiple exterior network interfaces.

Attaching multiple exterior routers which go to the same external network (e.g., two different Internet providers) is not a significant security problem. They may have different filter sets, but that's not critical in exterior routers. There is twice the chance that one will be compromisable, but a compromise of an exterior router is not particularly threatening.

Slide 51: Multiple Exterior Routers (cont.)

Things are more complex if the connections are to different places. For example, one is to the Internet and one is to a site you're collaborating with and need more bandwidth to.

To figure out whether such an architecture makes sense in these cases, ask yourself this question: what traffic could someone see if they broke into a bastion host on this perimeter net? For example, if an attacker broke in, could he snoop on sensitive traffic between your site and a subsidiary or affiliate? If so, then you may want to think about installing multiple perimeter nets instead of multiple exterior routers on a single perimeter net.

There are other significant problems involved in setting up connections to external networks with which you have special relationships, which is called "Internal Firewalls."

Slide 52: Multiple Perimeter Networks

[Diagram: Internet - Exterior Router - perimeter network with Bastion Station - Interior Router; Supplier Network - Exterior Router - second perimeter network with Bastion Station - Interior Router]

In certain situations, it makes sense for your configuration to include multiple perimeter networks.

Slide 53: Multiple Perimeter Networks (cont.)

You might put in multiple perimeter networks to provide redundancy. It doesn't make much sense to pay for two connections to the Internet, and then run them both through the same router or routers. Putting in two exterior routers, two perimeter networks, and two interior routers ensures that there is no single point of failure between you and the Internet.

You might also put in multiple perimeter nets for privacy, so that you can run moderately confidential data across one, and an Internet connection across the other. In that case, you might even attach both perimeter nets to the same interior router.

Having multiple perimeter nets is less risky than having multiple interior routers sharing the same internal net, but it's still a maintenance headache. You will probably have multiple interior routers, presenting multiple possible points of compromise. Those routers must be watched very carefully to keep them enforcing appropriate security policies; if they both connect to the Internet, they need to enforce the same policy.

Slide 54: Conclusion

- Understand what the Dual-Homed Host Architecture is
- Understand what the Screened Host Architecture is
- Understand what the Screened Subnet Architecture is
- It's OK to Use Multiple Bastion Hosts
- It's OK to Merge the Bastion Host and the Exterior Router
- It's Dangerous to Merge the Bastion Host and the Interior Router
- It's Dangerous to Use Multiple Interior Routers
- It's OK to Use Multiple Exterior Routers
- It's OK to Have Multiple Perimeter Networks