Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi

Firewalls

CS591 Topics in Internet Security

November 15 1999

Steve Miskovitz, Steve Peckham, Kan Hayashi

Outline

• Overview/Motivation

• Packet Filtering

• Application Gateway

Overview/Motivation

• Why Do We Need Firewalls?

• Design Issues

• Firewall Characteristics

• Typical Setups/Analysis

Why Do We Need Firewalls?

• Prevent unauthorized access to private networks

• Prevent unauthorized export of private information

Design Issues

• That which is not expressly permitted is prohibited

– firewall is designed to block everything, services are enabled on a case-by-case basis

– can be seen as a hindrance by users

• That which is not expressly prohibited is permitted

– reactive, must predict what kinds of actions would compromise the security of the firewall

Firewall Characteristics

• Damage Control

– If the firewall is compromised or destroyed, what kinds of threats does it leave the private network open to?

• Zones of Risk

– How large is the zone of risk during normal operation?

Firewall Characteristics

• Failure Mode

– If the firewall is broken into or destroyed, how easy is it to detect?

– How much information is retained to analyze the attack?

• Ease of Use

– How much of an inconvenience is the firewall?

• Stance

– Permissive or prohibitive?

Typical Setups

• Screening Router

• Dual Homed Gateway

• Screened Host Gateway

• Screened Subnet

Screening Router

• Basic router with some kind of packet filtering capability

– Typically will be able to block traffic between networks or specific hosts on an IP level

Analysis of Screening Router

• Damage control is difficult because you would need to examine every host for traces of a break-in

• Zone of risk is all the hosts on the private network because direct communication is permitted

• Usually set up as permissive

Analysis of Screening Router

• In the case of destruction of the firewall it is very hard to trace because commercial routers generally do not keep logs

• Can fairly easily get around the screening using tunnelling

• Popular because they allow fairly free access from any point in the private network

Dual Homed Gateway

• Has a system on both the private network and the Internet, with TCP/IP forwarding disabled

Analysis of Dual Homed Gateway

• Often used and easy to implement

• Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked

• If the gateway is compromised then the whole private network is accessible

• Zone of risk is only the gateway host

Analysis of Dual Homed Gateway

• Permissiveness dependent on the stance of the gateway

– logins on the gateway are permissive

– application gateways are prohibitive

• Can be adapted more easily to keep logs which can help with tracing what went wrong and which machines on the private network were compromised

Screened Host Gateway

• Combines a screening router and a dual homed gateway. The screening router is configured such that the gateway is the only system reachable from the Internet

Analysis of Screened Host Gateway

• Can be configured to block traffic to the gateway on certain ports, permitting only a small number of services to communicate with it

• Generally very secure, while fairly easy to implement

• Router is configured to only permit Internet access to the gateway

Analysis of Screened Host Gateway

• Zone of risk is the gateway and the router

• Gateway can be on the private network so connectivity is good for local users

• Stance is dependent upon the gateway

• Similar to a dual homed gateway

Screened Subnet

• An isolated subnet is created between the private network and the Internet

– isolate the private network using screening routers with varying levels of filtering

Analysis of Screened Subnet

• Generally, both the Internet and the private network have access to the subnet but traffic across the screened subnet is blocked

• Usually configured with one host as the sole point of access on the subnet

• Zone of risk is the host and any screening routers that connect the subnet

• Appealing for firewalls that use routing to reinforce the existing screening

Analysis of Screened Subnet

• Forces all services to be provided by application gateways

• Strongly prohibitive

• Much harder to break into since you need to compromise multiple systems

• Can be an inconvenience since hosts that are not addressed correctly cannot use the firewall properly

Packet Filtering: Overview

• Control data traffic using the header of each packet

– source IP address

– destination IP address

– etc

• Screened (Host, Subnet) Setups

Static Packet Filtering

• “Static” = “doors” are open at all times

• Advantages

– Low overhead / High throughput

– Inexpensive or free

– Good for traffic management

• Disadvantages

– Allows dangerous direct connections

– Leaves holes open

– Unsuitable for complex environment

– No user authentication

Dynamic Packet Filtering

• “Dynamic” = opens and closes “doors” according to packet header data

• Can keep track of context information about a session (stateful filtering)

• Advantages

– Only temporarily opens holes in Network Perimeter

– Low overhead / High throughput

– Supports almost any service

• Disadvantages

– Allows direct IP connections

– No user authentication (requires application gateway)
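The difference between the static and dynamic slides, as an added example that is not part of the original deck: the same constructed traffic is judged by a static rule set and by a filter that tracks sessions opened from inside. The addresses, the port-80 rule and the simplified close-on-FIN handling are assumptions made for illustration.

```python
from dataclasses import dataclass
INTERNAL_PREFIX = "10.0.0."    # constructed private network (assumption)

@dataclass(frozen=True)
class Packet:                  # only the header fields a filter inspects
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    fin: bool = False

def internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def static_filter(p):
    """Each packet is judged on its own header; the rule set never changes."""
    if internal(p.src) and not internal(p.dst) and p.dport == 80:
        return True            # outbound web
    if not internal(p.src) and p.sport == 80 and p.dport >= 1024 and p.ack:
        return True            # "reply" door, open at all times
    return False               # not expressly permitted, so prohibited

class DynamicFilter:
    """Remembers sessions opened from inside; inbound must match one."""
    def __init__(self):
        self.sessions = set()

    def allow(self, p):
        if internal(p.src) and not internal(p.dst) and p.dport == 80:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.fin:
                self.sessions.discard(key)   # door closes (simplified TCP close)
            else:
                self.sessions.add(key)       # door opens for this session only
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

def verdicts(packets):
    """Return (static, dynamic) allow decisions for each packet in order."""
    dyn = DynamicFilter()
    return [(static_filter(p), dyn.allow(p)) for p in packets]

TRAFFIC = [  # constructed sample packets
    Packet("10.0.0.5", 40000, "203.0.113.9", 80),                      # request
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, ack=True),            # its reply
    Packet("198.51.100.7", 80, "10.0.0.8", 6000, ack=True),            # unsolicited
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, ack=True, fin=True),  # client closes
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, ack=True),            # after close
]
```

The static filter admits all five packets because the third and fifth match its permanently open reply rule; the dynamic filter drops both because no session matches them.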

Application Gateways: Overview

• First Generation vs. Second Generation (transparent)

• TCP connection state and sequencing are maintained.

• Prevents direct access to services on the internal network.

• Outgoing traffic appears to be coming from the firewall rather than the internal network.

• Works on an application (or service) level.

Application Gateways: Lawyer Example

[Figure: A, B, B's Lawyer; Approved Message; Unapproved Message]

Application Gateways: Example of masking internal network

[Figure: Client 1, Client 2, ..., Client i; Firewall; External Network]

Application Gateways: Advantages

• Doesn’t allow direct connections between internal and external hosts (proxy).

• Supports user-level authentication.

• Ability to analyze application specific commands inside traffic.

• Can keep logs of traffic.

Application Gateways: Disadvantages

• Takes time to check requests.

• Doesn’t support every type of connection.
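The application gateway properties listed above (no direct connection, user-level authentication, command inspection, logging), as an added example that is not part of the original deck. It models an FTP-style gateway's decision logic without sockets; the gateway address, user list and command allowlist are assumptions made for illustration.

```python
GATEWAY_ADDR = "192.0.2.1"       # constructed external address of the gateway
AUTHORIZED_USERS = {"alice"}     # constructed user list
# Prohibitive stance: only listed commands pass. STOR (upload) is left out,
# so files cannot be exported through this gateway.
ALLOWED_COMMANDS = {"USER", "PASS", "LIST", "RETR", "QUIT"}

class FtpGateway:
    def __init__(self):
        self.log = []            # (user, client_ip, verb, verdict)

    def relay(self, user, client_ip, line):
        """Return (source_seen_by_server, command) if forwarded, else None."""
        body = line.rstrip("\r\n")
        parts = body.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if user not in AUTHORIZED_USERS:
            verdict = "deny: unknown user"
        elif "\r" in body or "\n" in body:
            # One client line must carry one command, otherwise a second
            # command could ride past the allowlist check.
            verdict = "deny: malformed line"
        elif verb not in ALLOWED_COMMANDS:
            verdict = "deny: command not permitted"
        else:
            verdict = "forward"
        # Log the verb only, never the argument (PASS carries a password).
        self.log.append((user, client_ip, verb, verdict))
        if verdict != "forward":
            return None
        # The server sees the gateway's address, not the internal client's.
        return (GATEWAY_ADDR, body)
```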
