CSCE 201 Network Security
Firewalls
Fall 2015
CSCE 201 - Farkas 2
Traffic Control – Firewall
Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it
Firewall
Security wall between the private (protected) network and the outside world
[Figure: Private Network – Firewall – External Network]
Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out
Keep proprietary and sensitive information in
[Figure: Private Network – Firewall – External Network; proprietary data kept in, external attacks kept out]
Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security totally relies on host security, and all hosts must communicate to achieve a high level of security – almost impossible
Network Address Translation (NAT)
Organization uses private IP addresses on its network to increase address space
Send packet to Internet: convert private IP address to globally assigned IP address
Receive packet from Internet: globally assigned IP address converted to private IP address
Firewalls may:
– Establish connections on behalf of the client
– Support NAT
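The two translations on this slide, as an added example that is not part of the lecture material: a minimal port-based NAT table of the kind a firewall keeps. Outbound packets get the firewall's public address and a fresh public port; inbound packets are mapped back only when an internal host created the entry, otherwise they are dropped. The addresses, ports and the `Packet`/`Nat` names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"  # constructed: the firewall's globally assigned address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-based NAT: many private (ip, port) pairs share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict[tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.in_map: dict[int, tuple[str, int]] = {}    # public port -> (private ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the private network: rewrite the source to the public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Packet arriving from the Internet: rewrite the destination back to the
        private host, or return None (drop) when no internal host opened the mapping."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> tuple[Packet, Packet | None, Packet | None]:
    """Constructed traffic: an outbound web request, its reply, and a stray inbound packet."""
    nat = Nat(PUBLIC_IP)
    out = nat.outbound(Packet("10.0.0.7", 51515, "198.51.100.20", 80))
    reply = nat.inbound(Packet("198.51.100.20", 80, PUBLIC_IP, out.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 40001))
    return out, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The side effect worth noticing is that the translation table doubles as a crude inbound filter: an outside host cannot reach an internal address it has never been told about, which is why the slide lists NAT among the things a firewall may provide.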
Common firewall features
Routing information about the private network can't be observed from outside
traceroute and ping -o can't `see' internal hosts
Users wishing to log on to an internal host must first log onto a firewall machine (or else start `behind' the firewall).
Trade-Off between Accessibility and Security
[Figure: accessibility versus security, with the service access policy setting the balance between them]
Firewall Advantages
Protection for vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use, misuse
Policy enforcement
Controlled Access
A site could prevent outside access to its hosts except for special cases (e.g., mail server).
Do not give access to a host that does not require access.
Some hosts can be reached from outside, some cannot.
Some hosts can reach outside, some cannot.
Concentrated Security
Firewall less expensive than securing all hosts
– All or most modified software and additional security software on firewall only (no need to distribute on many hosts)
Other network security (e.g., Kerberos) involves modification at each host system.
Enhanced Privacy
Even innocuous information may contain clues that can be used by attackers
– E.g., finger: information about the last login time, when e-mail was read, etc.
– Infer: how often the system is used, active users, whether the system can be attacked without drawing attention
Logging and Statistics on Network Use, Misuse
If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
Alarm can be added to indicate suspicious activity, probes and attacks – double duty as IDS on smaller networks
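The "statistics" and "alarm" roles from this slide, as an added example that is not from the lecture: a parser for a constructed firewall log format, a verdict counter, and a simple probe detector that alarms when one source has denied packets to at least five distinct destination ports within sixty seconds. The log format, the sample lines, the threshold and the function names are all assumptions made for the example, not any real product's format.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real device): time, verdict, proto, src -> dst.
SAMPLE_LOG = """\
2015-10-02T14:03:01 ALLOW tcp 10.0.0.7:51515 -> 198.51.100.20:80
2015-10-02T14:03:05 DENY tcp 198.51.100.9:44120 -> 10.0.0.5:21
2015-10-02T14:03:06 DENY tcp 198.51.100.9:44121 -> 10.0.0.5:22
2015-10-02T14:03:06 DENY tcp 198.51.100.9:44122 -> 10.0.0.5:23
2015-10-02T14:03:07 DENY tcp 198.51.100.9:44123 -> 10.0.0.5:25
2015-10-02T14:03:09 DENY tcp 198.51.100.30:50000 -> 10.0.0.25:445
2015-10-02T14:03:12 DENY tcp 198.51.100.9:44124 -> 10.0.0.5:80
2015-10-02T14:03:15 DENY tcp 198.51.100.9:44125 -> 10.0.0.5:110
2015-10-02T14:10:00 DENY tcp 198.51.100.30:50001 -> 10.0.0.25:445
2015-10-02T14:11:00 ALLOW tcp 198.51.100.40:33000 -> 10.0.0.25:25
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str) -> dict | None:
    """One log line -> record dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, verdict, proto, src, sport, dst, dport = m.groups()
    return {"time": datetime.fromisoformat(ts), "verdict": verdict, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def usage_stats(lines) -> dict[str, int]:
    """Counts of ALLOW/DENY verdicts: the 'statistics about system usage' role."""
    counts: dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["verdict"]] += 1
    return dict(counts)


def probe_alarms(lines, threshold: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> list[tuple[str, int]]:
    """Alarm for any source whose DENIED packets touch >= threshold distinct
    destination ports within `window`: the 'probes' role, one alarm per source."""
    denied: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY":
            denied[rec["src"]].append((rec["time"], rec["dport"]))
    alarms: list[tuple[str, int]] = []
    for src, events in denied.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for (t, p) in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alarms.append((src, len(ports)))
                break
    return sorted(alarms)


if __name__ == "__main__":
    print(usage_stats(SAMPLE_LOG.splitlines()))
    print(probe_alarms(SAMPLE_LOG.splitlines()))
```

In the sample, the source that sweeps six ports in ten seconds trips the alarm while the source that retries one port twice, seven minutes apart, does not; the threshold and window are the knobs that decide how much of this "double duty as IDS" a firewall log can realistically provide.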
Policy Enforcement
Means for implementing and enforcing a network access policy
Access control for users and services
Can't replace a good education/awareness program, however:
– Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall
Firewall Disadvantages
Restricted access to desirable services
Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered attacks – policy/situation dependent
Large learning curve
Firewall Components
Firewall administrator
Firewall policy
Packet filters
– Transparent
– Does not change traffic, only passes it
Proxies
– Active
– Intercepts traffic and acts as an intermediary
Firewall Administrator
Knowledge of underpinnings of network protocols (e.g., TCP/IP, ICMP)
Knowledge of workings of applications that run over the lower-level protocols
Knowledge of interaction between firewall implementation and traffic
Vendor-specific knowledge
Firewall Policy
High-level policy: service access policy
Low-level policy: firewall design policy
Firewall policy should be flexible!
Service Access Policy
Part of the network security policy
Defines:
– TCP/IP protocols
– Services that are allowed or denied
– Service usage
– Exception handling
Service Access Policy
Goal: keep outsiders out
Must be realistic and reflect required security level
Full security vs. full accessibility
Firewall Design Policy
Refinement of service access policy for specific firewall configuration
Defines:
– How the firewall achieves the service access policy
– Unique to a firewall configuration
– Difficult!
Firewall Design Policy
Approaches:
– Open system: permit any service unless explicitly denied (maximal accessibility)
– Closed system: deny any service unless explicitly permitted (maximal security)
Simple Packet Filters
Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded.
Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
Stateless: each IP packet is examined in isolation from what has happened in the past.
Often implemented by a router (screening router).
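The stateless packet filter from this slide together with the open-versus-closed design policies from the previous one, as an added example that is not part of the lecture: a first-match rule list over header fields (protocol, source/destination prefix, ports) with a default policy that is either "deny" (closed system) or "allow" (open system). The same packets are run through both policies. The network prefixes, the mail server address and the rule sets are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter rule over header fields; a field left as None matches anything."""
    action: str                  # "allow" or "deny"
    proto: str | None = None
    src: str | None = None       # CIDR prefix
    dst: str | None = None       # CIDR prefix
    sport: int | None = None
    dport: int | None = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def decide(rules: list[Rule], default: str, p: Packet) -> str:
    """Stateless decision: first matching rule wins, else the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


INTERNAL = "10.0.0.0/8"   # constructed private network
MAIL = "10.0.0.25"        # constructed mail server (the "special case" host)

# Closed system: deny unless explicitly permitted.
CLOSED_RULES = [
    Rule("allow", proto="tcp", dst=MAIL, dport=25),        # inbound mail
    Rule("allow", proto="tcp", dst=INTERNAL, sport=80),    # replies from web servers (stateless approximation)
]

# Open system: permit unless explicitly denied.
OPEN_RULES = [
    Rule("deny", proto="tcp", dst=INTERNAL, dport=23),     # no telnet from outside
]


def closed_policy(p: Packet) -> str:
    return decide(CLOSED_RULES, "deny", p)


def open_policy(p: Packet) -> str:
    return decide(OPEN_RULES, "allow", p)


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.9", 44120, "10.0.0.5", 22),
                Packet("tcp", "198.51.100.9", 44121, MAIL, 25)):
        print(pkt, "closed:", closed_policy(pkt), "open:", open_policy(pkt))
```

The second closed rule shows the limitation the "stateless" bullet points at: to let web replies back in, the filter can only match on the source port, so any packet whose source port happens to be 80 passes regardless of whether an internal host ever opened that connection. Stateful filtering (next slides) exists to close that gap.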
Simple Packet Filter
Placing a simple router (or similar hardware) between internal network and "outside"
Allow/prohibit packets from certain services
[Figure: Private Network – Packet Filter (packet-level rules) – Outside]
Simple Packet Filters
Advantages:
– Does not change the traffic flow or characteristics – passes it through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on current rules
Simple Packet Filters
Disadvantages:
– Direct communication between multiple hosts and internal network
– Unsophisticated (protects against simple attacks)
– Calibrating rule set may be tricky
– Limited auditing
– Single point of failure
Stateful Packet Filters
Called stateful inspection or dynamic packet filtering
Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to make better decisions about current and future packets
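The "history of previously seen packets" in working form, as an added example that is not from the lecture: a filter that records a connection entry when an internal host sends a TCP SYN outward, admits inbound packets only when they belong to a recorded connection, and forgets the entry when it sees a FIN. The private prefix, the packet flags modelled (SYN/ACK/FIN only) and the single-FIN teardown are simplifying assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulFilter:
    """Admits inbound TCP only as part of a connection an internal host opened."""

    def __init__(self, internal_net: str):
        self.internal = ip_network(internal_net)
        # Connection table: (internal ip, internal port, external ip, external port)
        self.connections: set[tuple[str, int, str, int]] = set()

    def _inside(self, ip: str) -> bool:
        return ip_address(ip) in self.internal

    def process(self, p: Packet) -> str:
        outbound = self._inside(p.src) and not self._inside(p.dst)
        inbound = self._inside(p.dst) and not self._inside(p.src)
        if outbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:            # internal host opens a new connection
                self.connections.add(key)
                return "allow"
        elif inbound:
            key = (p.dst, p.dport, p.src, p.sport)
        else:
            return "deny"                      # not crossing the boundary: nothing to forward
        if key not in self.connections:
            return "deny"                      # no history of this flow: unsolicited
        if p.fin:
            self.connections.discard(key)      # simplified teardown: first FIN closes the flow
        return "allow"


def demo() -> list[str]:
    """Constructed packet sequence crossing the boundary of a 10.0.0.0/8 private network."""
    fw = StatefulFilter("10.0.0.0/8")
    return [
        fw.process(Packet("10.0.0.5", 51515, "198.51.100.20", 80, syn=True)),            # new outbound: allow
        fw.process(Packet("198.51.100.20", 80, "10.0.0.5", 51515, syn=True, ack=True)),  # reply to it: allow
        fw.process(Packet("198.51.100.9", 80, "10.0.0.5", 22)),                          # looks like a reply, no state: deny
        fw.process(Packet("198.51.100.20", 80, "10.0.0.5", 51515, fin=True, ack=True)),  # closing: allow, entry removed
        fw.process(Packet("198.51.100.20", 80, "10.0.0.5", 51515, ack=True)),            # after close: deny
    ]


if __name__ == "__main__":
    print(demo())
```

The third packet is the case a stateless filter cannot tell apart from a genuine web reply; here it is dropped because no internal host ever sent a SYN to that peer. A real implementation also times entries out, since a host that silently disappears would otherwise leave the entry open forever.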
Proxy Firewalls
[Figure: "View" – Private Network – Bastion Host – Outside; "Reality" – Private Network – Proxy Server – Outside]
Proxy Firewalls
Application gateways
– Works at the application layer; must understand and implement the application protocol
– Called application-level gateway or proxy server
Circuit-level gateway
– Works at the transport layer
– E.g., SOCKS
Application Gateways
Interconnects one network to another for a specific application
Understands and implements application protocol
Good for higher-level restrictions
[Figure: Client – Application Gateway – Server]
Application Gateways
Advantages over permitting application traffic directly to internal hosts:
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching host and can be logged
– Cost effective: third-party software and hardware for authentication and logging only on gateway
– Less-complex filtering rules for packet filtering routers: need to check only destination
– Most secure
Application Gateways
Disadvantages:
– Keeping up with new applications
– Need to know all aspects of protocols
– May need to modify application client/protocols
Firewall Evaluation
Level of protection on the private network?
– Prevented attacks
– Missed attacks
– Amount of damage to the network
How well is the firewall protected?
– Possibility of compromise
– Detection of the compromise
– Effect of compromise on the protected network
Ease of use
Efficiency, scalability, redundancy
Expense