2
Test your Firewall knowledge
Which of the following is true about firewalls?a) A firewall is a hardware device
b) A firewall is a software program
c) Firewalls could be hardware or software
Which of the following is true about firewalls?a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b.
3
Test your Firewall knowledge (cont)
Which of the following is true about firewalls?a) They are configured to monitor inbound traffic and protect
against attacks by intruders
b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network.
c) Both a and b
4
Firewall: definition
Hardware or software tool used to protect a single host1 or an entire network2 by “sitting” between a trusted network (or a trusted host)
and an untrusted network Applying preconfigured rules and/or traffic knowledge to
allow or deny access to incoming and outgoing traffic
1 Host-based or personal firewall 2 network-based firewall
Untrusted network
Trusted network
PC with Host-based
Firewall
PC with Host-based
Firewall
Network-BasedFirewall
5
Questions
What is the main advantage of having a host-based firewall in addition to having a network-based one?
Answer:_________________________________________
What kind of security issue could be associated with having host-based firewall on users PCs?
Answer:__________________________________________
Untrusted network
Trusted network
PC with Host-based
Firewall
PC with Host-based
Firewall
Network-BasedFirewall
6
Firewall ArchitectureMost firms have multiple
firewalls. Their arrangementis called the firm’s
firewall architecture
InternetInternet
Main BorderFirewall
172.18.9.x Subnet
Marketing Client on
172.18.5.x Subnet
Accounting Server on 172.18.7.x
Subnet
Public Webserver 60.47.3.9
SMTP Application
Proxy Server 60.47.3.10
HTTPApplication
Proxy Server 60.47.3.1
External DNS Server
60.47.3.4
ScreeningRouterFirewall
InternalFirewall
HostFirewall
HostFirewall
Email Server on 172.18.6.x
Subnet
HostFirewall
Demilitarized Zone (DMZ)
7
Firewall Architecture
InternetInternet
Main BorderFirewall
172.18.9.x Subnet
Marketing Client on
172.18.5.x Subnet
Accounting Server on 172.18.7.x
Subnet
Public Webserver 60.47.3.9
SMTP Application
Proxy Server 60.47.3.10
HTTPApplication
Proxy Server 60.47.3.1
External DNS Server
60.47.3.4
ScreeningRouterFirewall
InternalFirewall
HostFirewall
HostFirewall
The DMZ is a subnet that includes most vulnerable hosts to attacks; i.e. hosts that provide services to outside
users. Common hosts in DMZ: Public web servers, Public DNS servers, public FTP servers, Email proxy servers.Host in DMZ must be heavily protected.
Email Server on 172.18.6.x
Subnet
HostFirewall
Demilitarized Zone (DMZ)
8
Questions What is a DMZ? Why are public web servers usually put in the DMZ? Why are public DNS servers usually put in the DMZ?
Which of the following may be placed in a DMZ?a) A SMTP proxy serverb) A server that contains files available for downloading by employeesc) An File Transfer Protocol serverd) A SQL (Structured Query Language) database server
What IP addresses should a DNS server in the DMZ be able to find?
a) All company’s IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ
You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone).b) A honey pot.c) A firewall.d) None of the above.
9
Basic Firewall Operation
Attack Packet 1
1. Internet(Not Trusted)
Attacker
LogFile
Dropped Packet(Ingress)
LegitimateUser
Legitimate Packet 1
Attack Packet 1
Internal Corporate Network (Trusted)
BorderFirewall
Passed LegitimatePacket (Ingress)Legitimate Packet 1
Egress filtering: filtering packets leaving to external networksIngress filtering:filtering packets coming from external networks
Legitimate Packet 2
Passed Packet(Egress)
Legitimate Packet 2
10
Connection Source IP Destination IP State
Connection 1 123.12.13.4 60.47.3.9:80 TCP opening
Connection 2 213.14.33.56 60.47.3.9:80 Data transfer
…… ………. ………. ………
Types of Firewalls Static Packet Filtering Firewalls (1st generation)
Inspect TCP, UDP, IP headers to make filtering decisions Do static filtering of individual packets based on configured ruleset
(or Access Control List) Prevent attacks that use IP or port spoofing, etc.
Stateful Packet Filtering Firewalls (2nd generation) Inspect TCP, UDP, IP headers to make filtering decisions Do stateful filtering by checking the firewall’s state table for relation
of packets to packets already filtered If packet does not match existing connect, ruleset (static filt.) is used If packet matches existing connection, it is allowed to pass Prevent SYN attacks, teardrops, etc.
State Table
IP-H
IP-H
TCP-H
UDP-H Application Layer Message
Application Layer Message
11
Types of Firewalls (cont.) Application Firewalls (3rd generation)
Also called proxy firewalls Inspect the Application Layer message (e.g. HTTP requests, emails,
etc. Specialized proxy firewalls more effective than general-purpose
HTTP proxy firewalls for HTTP requests SMTP proxy firewalls for SMTP emails FTP proxy firewall for FTP-based file transfer requests
Prevent malware attacks
IP-H
IP-H
TCP-H
UDP-H Application Layer Message
Application Layer Message
HTTPProxy
Browser WebserverApplication
1. HTTP Request2. Passed inspected
HTTP Request
3. HTTPResponse
4. Passed inspectedHTTP Response Log
File
12
Types of Firewalls (cont.) Network Address Translation Firewall
Replace IP address in outgoing message by a spoof IP address Hide internal hosts’ IP address to outsiders Help prevent IP spoofing attacks using internal IP addresses
Host IP Address Outgoing IP Address Request ID
135.12.23.12 135.12.20.1 120121
135.12.22.2 135.12.20.2 120122
135.12.21.3 135.12.20.3 120123
…….. …….. ………
135.12.20.1135.12.20.2135.12.20.3
135.12.23.12
135.12.22.2
135.12.21.3
13
Network Address Translation (Cont)
ServerHost
Client192.168.5.7
NATFirewall
1
Internet
2
Sniffer
From 192.168.5.7,Port 61000 From 60.5.9.8,
Port 55380
IP Addr
192.168.5.7
. . .
Port
61000
. . .
Internal
IP Addr
60.5.9.8
. . .
Port
55380
. . .
External
TranslationTable
14
Network Address Translation (Cont)
ServerHost
Client192.168.5.7
NATFirewall
3
Internet
4Sniffer
To 60.5.9.8,Port 55380
To 192.168.5.7,Port 61000
IP Addr
192.168.5.7
. . .
Port
61000
. . .
Internal
IP Addr
60.5.9.8
. . .
Port
55380
. . .
External
TranslationTable
15
Perspective on NAT
NAT/PAT NAT does more than network (IP) address
translation Also does port number translation Should be called NAT/PAT, but NAT is the
common term
16
Firewalls configuration Default configuration (default Rulesets or ACLs)
Pass connections initiated by an internal host Deny connections initiated by an external host Can change default configuration with access control
lists (ACLs) for ingress and egress filtering ACLs are sets of IF-THEN rules applied in sequential
order
InternetInternet
Automatically Pass Connection Attempt
Router
Automatically Deny Connection Attempt
17
Ingress ACL
1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2 If Source IP Address = 172.16.*.*, DENY [Private IP Address Range]
3 If Source IP Address = 192.168.*.*, DENY [Private IP Address Range]
4 If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS
5 If Destination IP Address = 60.47.*.*, DENY
6 If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection form the outside]
7 If TCP Destination Port = 20, DENY
8 If TCP Destination Port = 135 Trough 139, DENY
9 If UDP Destination Port = 69, DENY
10 DENY ALL
Untrusted network
Trusted network
Firewall
60.47.3.1
60.47.3.2
60.47.3.5
60.47.3.9
Port Number Primary Protocol Application
20 TCP FTP Data Traffic
21 TCP FTP Supervisory Connection. Passwords sent in the clear
23 TCP Telnet. Passwords sent in the clear
25 TCP Simple Mail Transfer Protocol (SMTP)
69 UDP Trivial File Transfer Protocol (TFTP). No login necessary
80 TCP Hypertext Transfer Protocol (HTTP)
137-139 TCP NETBIOS service for peer-to-peer file sharing in older versions of Windows
443 TCP HTTP over SSL/TLS
18
Ingress ACL
1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2 If Source IP Address = 172.16.*.*, DENY [Private IP Address Range]
3 If Source IP Address = 192.168.*.*, DENY [Private IP Address Range]
4 If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS
5 If Destination IP Address = 60.47.*.*, DENY
6 If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection form the outside]
7 If TCP Destination Port = 20, DENY
8 If TCP Destination Port = 135 Trough 139, DENY
9 If UDP Destination Port = 69, DENY
10 DENY ALL
Untrusted network
Trusted network
Firewall
60.47.3.1
60.47.3.2
60.47.3.5
60.47.3.9
What kind of messages does Rule 7 block? Why does Rule 5 have to come after Rule 4? Why does Rule 6 have to come after Rule 4? You work as the security administrator for the trusted network. Employees often
download files from a FTP (File Transfer Protocol) server located in the untrusted network. What TCP port do you open in the firewall configuration?
a) Open port 69 to all inbound connections.
b) Open port 69 to all outbound connections.
c) Open port 20/21 to all inbound connections.
d) Open port 20/21 to all outbound connections.
19
Typical attacks and firewall config.Attacks Typical configuration Comments
Ping of death Any packet with Total Length more than maximum allowed is dropped Stateful firewall
IP fragmentation-based attacks (e.g. Teardrop)
The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to destination. If any problems or errors are found during reassembly, the fragments are dropped.
Stateful firewall
Smurf Attack The firewall drops any ping responses that are not part of an active session.
Stateful firewall
Attacks that send TCP URG packets
Any TCP packets that have the URG flag set are
discarded by the firewall.
Land Attack Any packets with the same source and destination IP addresses are discarded.
IP broadcast Packets with a broadcast source or destination IP address are discarded.
TCP SYN/ACK attack
TCP Opening segments that have SYN and ACK flags set AND
that are not linked to a TCP SYN request are discarded.
Stateful firewall
Invalid TCP Segment Number
The sequence numbers for every active TCP session are
maintained in the firewall session database. If the firewall
received a segment with an unexpected (or invalid)
sequence number, the packet is dropped.
Stateful firewall
Flag Fields(6 bits)
ACK SYN FIN RSTURG PSH
20
Firewall Principles
Danger of Overload
If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets
This is the safest choice, because attack packets cannot enter the network
However, this creates a self-inflicted denial-of-service attack
21
Firewall Principles (Continued)
Danger of Overload So firewalls must have the capacity to handle
the traffic Some can handle normal traffic but cannot
handle traffic during heavy attacks Need to regularly check firewalls logs:
If too much unchecked packets are dropped, then need to upgrade the firewall.
22
Centralized Firewall Management System
Internet
Home PCFirewall
Management Console
Site A Site B
Remote Managementis needed to
reduce management labor
Dangerous becauseif an attacker compromises
it, they own the network
Remote PCsmust be actively
managedcentrally
23
Firewall Management
Firewalls are Ineffective without Planning and Maintenance
Planning Asset Assessment: identify all assets and their
relative sensitivities Threat Assessment: what threats can attack
each asset? Design a Firewall Policy for Each Asset Design a Firewall Architecture
24
Firewall Management (Continued)
Implementation Firewall Operating System Hardening
Firewall appliances are hardened at the factory Firewall vendors often sell firewalls that are
general-purpose computers that have pre-hardened versions of Unix or Windows
If a firm purchases a general purpose computer and firewall software, strong actions must be taken to harden the operating system
25
Firewall Management (Continued)
Implementation Select Implementation Options
e.g., Turn off remote management if not needed Firewall ACL Rule Configuration
Complex and therefore error-prone Driven by firewall policies
Vulnerability Testing After Configuration Must do vulnerability test even after “trivial” changes Driven by firewall policies
26
Firewall Management (Continued)
Maintenance Constantly change firewall policies and ACLs to
deal with new threats Document each change carefully!
Read log files daily to understand the current threat environment
Read log files daily to detect problems (the dropping of legitimate traffic, etc.)
Update the firewall software when there are new releases
27
Firewalls, IDSs, and IPSs
Firewalls IDSs IPSs
Drops Packets? Yes No Yes
Logs Packets Yes Yes Yes
Sophistication in Filtering
Medium High High
Creates Alarms? No Yes Sometimes