Introduction (cont.) - York University (lecture slides on firewall categories, structures, architectures and rules)


Posted 11-Jun-2020

Page 1: Introduction (cont.) - York University

Introduction (cont.): Categories of Firewalls

• processing mode: 1.1) MAC layer firewalls; 1.2) packet filtering firewalls; 1.3) application gateways; 1.4) circuit gateways; 1.5) hybrids

• development era (generation): 2.1) – 2.5) 1st, 2nd, 3rd, 4th, 5th generation

• structure: 3.1) commercial-grade firewall appliances; 3.2) commercial-grade firewall systems; 3.3) small-office/home-office (SOHO) firewall appliances; 3.4) residential-grade firewall software

• architecture: 4.1) packet filtering routers; 4.2) dual-homed host firewalls; 4.3) screened host firewalls; 4.4) screened subnet firewalls

Page 2

Firewalls by Structure

3.1) Commercial-Grade Firewall Appliance [Hardware] – stand-alone, self-contained combination of hardware and software (~ $1 – $10,000 k)

• often a general-purpose computer with a customized OS that can be modified only over a direct physical connection with strong authentication

• not vulnerable to ‘bugs’ and other flaws of common OSs; can handle more data with faster throughput

• generally more expensive than software counterparts

• examples: Cisco’s hardware firewalls running Cisco’s own Internetwork Operating System (IOS)

Page 3

The Cisco ASA 5510 Adaptive Security Appliance delivers a wealth of advanced security and networking services for small-to-medium businesses and enterprise remote/branch offices in an easy-to-deploy, cost-effective appliance. These services can be easily managed and monitored by the integrated, Web-based management application, Cisco Adaptive Security Device Manager, thus reducing the overall deployment and operations costs associated with providing this high level of security. The Cisco ASA 5510 Adaptive Security Appliance provides high performance firewall and VPN services, three integrated 10/100 Fast Ethernet interfaces, and optional high-performance intrusion prevention and anti-x services via a Security Services Module making it an excellent choice for businesses requiring a cost-effective, extensible, DMZ-enabled security solution. As business needs grow, the Cisco ASA 5510 Adaptive Security Appliance can also scale to higher interface density and integrate into switched network environments through VLAN support by installing a Security Plus upgrade license. Furthermore, this upgrade license maximizes business continuity by enabling Active/Standby high availability services and expands VPN capacity by supporting a greater number of concurrent VPN connections for mobile users, remote sites, and business partners.

suggested retail price: $5,304.10 / $3,978.07

Page 4

Firewalls by Structure (cont.)

3.2) Commercial-Grade Firewall Systems [Software] – application firewall software that runs on a general-purpose computer (~ $1 – $5 k)

• aka Enterprise Firewalls – designed for large, complex networks

• features:

- ability to manage multiple firewalls centrally
- sophisticated monitoring and reporting
- load balancing and failover, …

• examples: Novell’s BorderManager (see: http://www.novell.com/documentation/nbm39/pdfdoc/installation/installation.pdf)

Page 5

Page 6

Firewalls by Structure (cont.)

3.3) Small Office / Home Office [SOHO] or Residential Grade Firewall Appliance – aimed at protecting small businesses and residences with a DSL or cable modem (always-on) connection to the Internet (~ $100)

• SOHO firewall properties:

- stateful packet filtering
- port filtering and simple intrusion detection
- screened subnetting, …

• in recent years, SOHO firewalls also combine the features of a WAP (wireless access point) and NAT

• with NAT, internal computers are ‘not visible’ to the public network, hence less vulnerable

• examples: SMC Barricade residential broadband router; Sonicwall SOHO firewall

Page 7

Firewalls by Structure (cont.)

Page 8

Firewalls by Structure (cont.)

Page 9

Firewalls by Structure (cont.)

3.4) Residential-Grade [SOHO] Firewall Software – software installed directly on the user’s system (free or ~ $100)

• aka Personal Firewalls – intended to protect a single computer

• features:

- lightweight in terms of protection
- most guard only against IP threats
- some do not handle outbound blocking, …

• examples:

- ZoneAlarm Pro (freeware available: http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm)
- Norton Personal Firewall
- Sygate Personal Firewall Pro (freeware available)
- Microsoft Windows Firewall – integral to Windows XP, Vista and Windows 7 systems

Page 10

Firewalls by Structure (cont.)

Page 11

Firewalls by Structure (cont.)

Example: Firewall advantages and disadvantages

Page 12

Firewalls by Architecture

Firewall Architectures – each of the four classes of firewalls (MAC-layer, packet filtering firewall, application gateway, circuit gateway) can be used and combined in a number of ways

• the ultimate decision on which and how many firewalls to deploy depends on:

- network uses
- network objectives
- available budget (for initial purchase, maintenance, upgrades)

Page 13

Firewalls by Architecture (cont.)

4.1) Packet Filtering (Screening) Firewall/Router – rejects packets that the organization does not want to let ‘in’

• a simple way to lower the risk from high-volume, low-complexity attacks

• drawbacks:

- complex ACLs can degrade (slow down) network performance
- single point of failure – if the router fails, there is no further protection

Page 14

Firewalls by Architecture (cont.)

4.1) Packet Filtering (Screening) Router (cont.)

• appropriate uses:

- the network being protected already has a high level of host security
- the number of protocols and their rules/use is straightforward
- you require maximum performance

Page 15

Firewalls by Architecture (cont.)

4.2) Dual-Homed Firewall (Application Gateway) – a host-firewall (not a router!) with 2 NICs is placed between the internal and external network

• all traffic must physically go through the host-firewall

• the host-firewall filters data based on higher-layer data (not just IP!)

Page 16

Firewalls by Architecture (cont.)

4.2) Dual-Homed Firewall (cont.)

• drawbacks:

- dual-homed hosts/firewalls are NOT high-performance devices; they have more work to do for each connection
- a dual-homed host is a ‘regular’ computer with all its vulnerabilities
- a dual-homed host is the system’s single point of failure

Page 17

Firewalls by Architecture (cont.)

4.2) Dual-Homed Firewall (cont.)

• appropriate use:

- traffic to the Internet is low-volume and not business-critical
- no service is being provided to Internet-based users

Page 18

Firewalls by Architecture (cont.)

4.3) Screened Host Firewall – combines a packet filtering router and a separate application gateway

• the router prescreens packets to minimize network traffic

• the gateway – aka bastion host – performs proxy services for one or more application protocols (e.g. FTP, HTTP)

• the gateway is the only host in the internal network that hosts on the Internet can communicate with

Page 19

Firewalls by Architecture (cont.)

4.3) Screened Host Firewall (cont.)

• strengths:

- to compromise the internal network, an attacker must compromise both the screening router and the bastion host
- overall, router + proxy protect the data (network) more fully than a router or a dual-homed host alone

• appropriate uses:

- few connections are coming from the Internet
- the network being protected has a relatively high level of host security

Page 20

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture – adds an extra layer of security to the screened host architecture by adding a perimeter network to better isolate the bastion host

• the bastion host is ‘the most likely to be attacked’ machine on a network

• by setting up a perimeter network, the ultimate impact of a break-in on the bastion host is significantly reduced

• it is no longer an instant ‘jackpot’; it gives an intruder some access, but not all

• to break into the internal network an attacker would have to get past both routers

Page 21

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture (cont.)

• it is OK to use multiple bastion hosts

• e.g., one host handles services important to your own users (SMTP, DNS), the other handles services that you provide to the Internet (HTTP, FTP) – this way the performance of your own users will not be dragged down by the activities of outside users

If you have $$$$

Page 22

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture (cont.)

• it is OK to merge the bastion host and the exterior router

• this configuration exposes the bastion host more, but it doesn’t open significant new vulnerabilities to the internal network

If you do not have $$$$

Page 23

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture (cont.)

• it is dangerous to merge the bastion host and the interior router

• with this type of configuration, if the bastion host is broken into, there is nothing left in the way of security between the bastion host and the internal network

• one of the main purposes of the perimeter network is to prevent the bastion host from being able to snoop on internal traffic – with this configuration all of your internal traffic is visible to it

If you do not have $$$$

Page 24

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture (cont.)

• multiple interior routers should be used with caution

• in case of a misconfiguration on one of the interior routers (which happens frequently), strictly internal traffic may end up flowing across the perimeter network, where it can be snooped on if somebody has managed to break into the bastion host

• possible solution: backbone architecture

In multi-LAN networks…

Page 25

Firewalls by Architecture (cont.)

4.4) Screened Subnet Architecture (cont.)

• it is OK to use multiple exterior routers

• may be needed if: a) for redundancy purposes, you have multiple connections to the Internet; b) you have a connection to the Internet plus other connections to other sites

• compromise of an exterior router in case a) is not critical – the attacker still cannot see internal traffic

• case b) is possibly dangerous if the other connections are to sites that require/assume privacy of information

In complex networks…

Page 26

Firewalls by Architecture (cont.)

[Figure: HTTP Server and HTTP Proxy separated by a firewall.] Is this architecture optimal with regard to QoS?

Page 27

Firewalls by Architecture (cont.)

4.5) Screened Subnet Firewalls with DMZ – provides an extra layer of security by creating a new network segment (DMZ) of ‘public servers’

• the DeMilitarized Zone (DMZ) is isolated from the rest of the internal network

[Figure: bastion host; exterior and interior filtering routers.]

Page 28

Firewalls by Architecture (cont.)

4.4) Screened Subnet Firewall with DMZ (cont.)

• the bastion host acts as a proxy for the DMZ’s servers and is protected by the interior and exterior filtering routers

• the interior router protects the internal network from the perimeter network and the Internet

- allow only specific DMZ hosts (DNS, SMTP, HTTP server) to communicate with hosts on the internal network

• the exterior router protects the perimeter and internal network from the Internet

- block incoming and outgoing IP packets with forged IP addresses

• if someone successfully breaks into the bastion host, the internal network is still (reasonably) protected by the interior router

- the attacker will be able to snoop only on the DMZ’s local hosts and traffic

Page 29

Firewalls by Architecture (cont.)

Example: Multiple DMZ/Firewall Configurations

[Figure: server farm 1, server farm 2, server farm 3]

• Web Server 1: stores public data that requires no (major) protection or is not likely to be a ‘target’

• Web Server 2: stores public data that requires protection

• Web Server 3: stores private data that requires a high level of protection

Page 30

Firewalls by Architecture (cont.)

How Many Firewalls and Where?

• a simple home network might be sufficiently protected with a single stateful packet filter

• a small network with proprietary information can use a proxy server + packet filter to prevent external users from ‘seeing’ the internal data and network

• large companies with public Web servers and proprietary data may have to build a DMZ with packet filters on either side

Page 31

Firewall Rules

Page 32

Firewall Rules (cont.)

Configuring Firewall Rules – art as much as science

• each rule must be carefully crafted, debugged, tested and placed into the Access Control List (ACL) in the proper order

• rules that can be evaluated quickly and regulate broad access should be performed first

• when security rules conflict with performance, security often needs to be removed or redesigned

• most firewalls operate on the principle of explicitly permitted rules: “that which is not permitted is prohibited”.

Page 33

Firewall Rules (cont.)

‘Best Practices’ for Firewall & Firewall Rules

• Firewall devices should not be accessible from the public, as well as the internal, network for management and configuration purposes.

- only authorized firewall administrators should be able to access the device, using encryption and strong authentication

• SMTP data should be allowed through the firewall, but routed to a well-configured SMTP gateway to filter mail traffic securely.

• All ICMP data should be denied.

• Telnet access to all internal servers from the public network should be blocked (especially to the DNS server).

• If internal users need to come into an organization’s network from outside the firewall, a Virtual Private Network (VPN) is preferred.

Page 34

Firewall Rules (cont.)

‘Best Practices’ for Firewall & Firewall Rules (cont.)

• When Web services are offered outside the firewall, the use of proxy servers (in or outside the DMZ) should be considered.

- proxy server – application-level software that checks and forwards packets to and from the Web server, and caches Web pages to speed up network performance

Page 35

Firewall Rules (cont.)

Example: Firewall rules

Assume a network with one internal and one external firewall.

[Figure: network diagram – Switch; external firewall; internal firewall; NetIP: 10.10.10.0; hosts 10.10.10.1, 10.10.10.2, 10.10.10.3 on the external side and 192.168.2.1, 192.168.2.2, 192.168.2.3 on the internal side; Firewall Admin.; Internal Server]

NAT Addressing:

INT Address    EXT Address
192.168.2.1    10.10.10.7
192.168.2.2    10.10.10.8
192.168.2.3    10.10.10.9
192.168.2.x    10.10.10.10

Page 36

Firewall Rules (cont.)

[Figure: rule table for the example network; only the interface column entries (I1, I2, both) survived extraction.]

Page 37

Firewall Rules (cont.)

Page 38

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 1: Responses to internal requests are allowed.

External (Inbound) Firewall:

Internal Firewall:

• Use state tables to track connections and prevent dangerous packets from entering the upper port range.

• Client programs run on registered ports.

Page 39

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 2: Firewall device is never accessible directly from public or internal network, and it should never be allowed to access other devices directly.

External Firewall: Internal Firewall:

Similar rules should be designed for internal firewall as well.

Page 40

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 3: All traffic from trusted network is allowed out.

External and Internal Firewall:

Rule 4: All traffic intended for SMTP server is allowed into DMZ.

External and Internal Firewall:

Page 41

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 5: All outside ICMP data (Ping, Traceroute) should be denied, while inside ICMP should be allowed.

External Firewall: Internal Firewall:

Rule 6: All outside Telnet access to all internal servers should be blocked.

External Firewall:

Internal Firewall:

Page 42

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 7: The proxy server and the Web server are in the DMZ. Internal hosts are allowed to access the Web server directly. External hosts are directed to the proxy server. The proxy server repackages each HTTP request into a new packet and retransmits it to the Web server.

Internal Firewall:

External Firewall:
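The application-gateway behaviour described under 4.2) and in Rule 7, where the proxy rebuilds each HTTP request instead of forwarding the client's bytes, as an added example in Python (not code from the slides): the gateway parses the request, applies a method and header policy, and emits a fresh request addressed to the Web server. The Web server address 10.10.10.3 (taken from the slide's address plan), the allowed methods and the list of forwarded headers are assumptions.

```python
"""Application-gateway style HTTP request repackaging (added example)."""
import re

ALLOWED_METHODS = {"GET", "HEAD"}
WEB_SERVER = "10.10.10.3"  # assumed DMZ web server address (slide address plan)
FORWARDED = {"accept", "user-agent"}  # policy: the only client headers carried over
REQUEST_LINE = re.compile(r"^([A-Z]+) (/\S*) HTTP/1\.[01]$")


class ProxyError(ValueError):
    """Raised when the client request does not pass the gateway's policy."""


def repackage(raw: bytes) -> bytes:
    """Parse the client's request and build a fresh one for the web server.

    Only the parsed method, path and policy-listed headers are re-emitted, so
    nothing the gateway did not understand reaches the server verbatim.
    """
    try:
        head, sep, _body = raw.decode("ascii").partition("\r\n\r\n")
    except UnicodeDecodeError:
        raise ProxyError("non-ASCII bytes in request head")
    if not sep:
        raise ProxyError("request head not terminated")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ProxyError("malformed request line")
    method, path = m.groups()
    if method not in ALLOWED_METHODS:
        raise ProxyError(f"method {method} not permitted")
    if "/../" in path or path.endswith("/.."):
        raise ProxyError("path traversal attempt")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ProxyError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    # Host is rewritten to the real server; unknown client headers are dropped
    out = [f"{method} {path} HTTP/1.1", f"Host: {WEB_SERVER}"]
    out += [f"{n.title()}: {headers[n]}" for n in sorted(FORWARDED) if n in headers]
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


def gateway_decision(raw: bytes) -> str:
    """Convenience wrapper: 'forwarded' or the reason the gateway refused."""
    try:
        repackage(raw)
        return "forwarded"
    except ProxyError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # constructed client request containing a header the policy does not forward
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\nX-Evil: 1\r\n\r\n"
    print(repackage(sample).decode())
```

Because the outgoing request is generated from parsed fields rather than copied, a packet filter's weakness (it sees only addresses and ports) is complemented by a check on the higher-layer content, which is the point of placing an application gateway in the DMZ.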

Page 43

Firewall Rules (cont.)

Example: Firewall rules (cont.)

Rule 8: The Cleanup Rule!

If a request for a service is not explicitly allowed by policy, that request should be denied!

External and Internal Firewall:
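Rules 1 to 8 above, together with the rule-ordering points from the Configuring Firewall Rules slide and the exterior router's forged-address check from the screened-subnet-with-DMZ slide, as an added worked example in Python (not code from the slides). It models each firewall as an ordered first-match ACL with a state table, so a reply to a tracked connection passes under Rule 1 while an unsolicited packet aimed at a high port falls through to the cleanup rule. The address plan follows the slide network (10.10.10.0/24 on the external side, 192.168.2.0/24 for the trusted network) but NAT is ignored, and the host roles (external firewall 10.10.10.10, SMTP gateway 10.10.10.2, proxy 10.10.10.1, Web server 10.10.10.3) are assumptions, as are the constructed outside addresses 203.0.113.5 and 198.51.100.7.

```python
"""Ordered first-match packet filter with a state table, modelling the slide rules."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Slide address plan (NAT ignored); host roles are assumptions, the slides label few hosts
TRUSTED, DMZ, ANY = ip_network("192.168.2.0/24"), ip_network("10.10.10.0/24"), ip_network("0.0.0.0/0")
EXT_FW, SMTP_GW, HTTP_PROXY, WEB_SERVER = "10.10.10.10", "10.10.10.2", "10.10.10.1", "10.10.10.3"


def host(addr: str) -> IPv4Network:
    return ip_network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    iface: str = "outside"  # interface the packet arrives on


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    iface: Optional[str] = None  # None matches any ingress interface
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto) and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))


class Firewall:
    """Rules are evaluated top to bottom; first match wins; no match means deny."""

    def __init__(self, rules: list):
        self.rules = rules
        self.state = set()  # (src, sport, dst, dport, proto) of permitted sessions

    def decide(self, p: Packet) -> tuple:
        # Rule 1: a reply reverses a tracked 5-tuple; an unsolicited packet to a
        # high port finds no state and must match an explicit rule instead.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow", "rule 1: response to tracked connection"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return r.action, r.note
        return "deny", "rule 8: cleanup rule"


def external_firewall() -> Firewall:
    return Firewall([
        # exterior router duty: inside addresses never arrive on the outside interface
        Rule("deny", src=TRUSTED, iface="outside", note="forged source address"),
        Rule("deny", src=DMZ, iface="outside", note="forged source address"),
        # Rule 2: the firewall itself is neither a destination nor a source
        Rule("deny", dst=host(EXT_FW), note="rule 2: firewall not reachable"),
        Rule("deny", src=host(EXT_FW), note="rule 2: firewall originates nothing"),
        Rule("allow", src=TRUSTED, note="rule 3: trusted network out"),
        Rule("allow", dst=host(SMTP_GW), proto="tcp", dport=25, note="rule 4: SMTP into DMZ"),
        Rule("deny", proto="icmp", iface="outside", note="rule 5: outside ICMP denied"),
        Rule("deny", proto="tcp", dport=23, iface="outside", note="rule 6: outside Telnet blocked"),
        # Rule 7: outside web clients reach the proxy only; the web server has no
        # allow rule from outside, so the cleanup rule denies direct access
        Rule("allow", dst=host(HTTP_PROXY), proto="tcp", dport=80, iface="outside", note="rule 7: HTTP via proxy"),
    ])


def internal_firewall() -> Firewall:
    return Firewall([
        Rule("deny", src=TRUSTED, iface="outside", note="forged source address"),
        Rule("allow", src=TRUSTED, iface="inside", note="rule 3: trusted network out"),
        # only the named DMZ host may initiate toward the trusted network
        Rule("allow", src=host(SMTP_GW), dst=TRUSTED, proto="tcp", dport=25, note="SMTP gateway relays inward"),
    ])


def run_demo() -> dict:
    """Constructed packets through both firewalls; returns case -> (action, note)."""
    ext, inn = external_firewall(), internal_firewall()
    client, web, inside = "203.0.113.5", "198.51.100.7", "192.168.2.3"  # constructed hosts
    cases = {"trusted out": ext.decide(Packet(inside, web, "tcp", dport=443, sport=40000, iface="inside"))}
    cases["reply"] = ext.decide(Packet(web, inside, "tcp", dport=40000, sport=443))
    cases["unsolicited high port"] = ext.decide(Packet(web, inside, "tcp", dport=40001, sport=443))
    cases["spoofed inside source"] = ext.decide(Packet(inside, SMTP_GW, "tcp", dport=25))
    cases["mail to gateway"] = ext.decide(Packet(client, SMTP_GW, "tcp", dport=25, sport=50000))
    cases["outside ping"] = ext.decide(Packet(client, SMTP_GW, "icmp"))
    cases["outside telnet"] = ext.decide(Packet(client, WEB_SERVER, "tcp", dport=23, sport=50001))
    cases["web via proxy"] = ext.decide(Packet(client, HTTP_PROXY, "tcp", dport=80, sport=50002))
    cases["web server direct"] = ext.decide(Packet(client, WEB_SERVER, "tcp", dport=80, sport=50003))
    cases["firewall itself"] = ext.decide(Packet(client, EXT_FW, "tcp", dport=22, sport=50004))
    cases["dmz web to internal"] = inn.decide(Packet(WEB_SERVER, inside, "tcp", dport=445, sport=50005))
    cases["smtp relay inward"] = inn.decide(Packet(SMTP_GW, inside, "tcp", dport=25, sport=50006))
    cases["inside ping out"] = inn.decide(Packet(inside, client, "icmp", iface="inside"))
    return cases


if __name__ == "__main__":
    for name, (action, note) in run_demo().items():
        print(f"{name:24} {action:5} ({note})")
```

The order matters in the same way the Configuring Firewall Rules slide describes: the cheap, broad anti-spoofing and Rule 2 checks sit at the top, the broad Rule 3 permit for the trusted network comes before the narrow service permits, and anything not explicitly permitted ends at the cleanup deny. Swapping Rule 3 below Rule 6 would not change the outcome here, but placing a broad permit after a broad deny would silently shadow it, which is why each rule's position has to be tested, not just its content.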