Stephen S. Yau, CSE 465-591, Fall 2006

Firewalls

Posted on 21-Dec-2015



DMZ

The DMZ (stands for Demilitarized Zone) is a portion of a network that separates a purely internal network from an external network.

The DMZ is the place where public servers and proxies should be located.

A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.

T1: ch23.3, T2: ch26.3

Firewalls

A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.

- Protects a network from external networks
- Blocks unwanted traffic and passes desirable traffic to and from both sides of the network

Examples:
- Allows: HTTP, mail
- Keeps out: suspected users, denial-of-service attacks, spam, viruses

T1: ch23.3.1, T2: ch26.3.1

Operations of Firewall

(diagram slide; no text was extracted)

Firewalls in Different Layers

Network layer: Packet-Filtering Firewalls
- Concerned with routing of packets to their destinations.
- Determine if a packet is from a permitted source to a permitted destination.

Transport layer: Circuit-Level Firewalls
- Concerned with the session a packet belongs to.
- Need more knowledge of the packet header to make decisions on accepting or denying packets.

Application layer: Application-Level Firewalls
- Concerned with the contents of packets.
- Need information about the data to make decisions on accepting or denying packets.

Further reading: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm

Packet Filtering Firewalls

A packet filtering firewall performs access control on the basis of attributes of the packet headers, such as destination address, source address, and options.

Whenever the network receives a packet, there are three possible actions:
- forward it to its destination
- block it
- return it to the sender

One of these actions is chosen according to a set of rules, usually in the form of "access control lists".

T1: ch23.3.1, T2: ch26.3.1

Rule  Source Address   Destination Address  Action
1     149.59.0.0/16    123.45.6.0/24        permit
2     149.59.34.0/24   123.45.0.0/16        deny
3     0.0.0.0/0        0.0.0.0/0            deny (default)

Packet Filtering Firewalls (cont.)

Factors which determine the actions:
- Source address
- Destination address
- Direction of traffic

Rules are applied top to bottom, ordered from least restrictive to most restrictive.

Packets are not scrutinized.

Auditing is possible.

An Example of Packet Filtering Firewall

Local Network (4.0.0.0/8)
  Incoming packet [24.128.34.8, 4.16.128.3] (denied)

Network Server: Firewall
  Rule 1: 24.128.0.0/16, 4.0.0.0/8 deny
  Rule 2: 64.248.128.0/24, 8.16.192.0/24 permit
  …
  Rule N: 34.128.0.0/16, 14.16.128.0/20 permit

Another Network (8.16.192.0/24)
  Incoming packet [64.248.128.5, 8.16.192.7] (permitted)
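The two rule tables above, evaluated by a first-match packet filter that looks only at the source and destination header fields. This is an added example, not code from the lecture; the 0.0.0.0/0 "deny" line appended to the second table is an assumption, since that slide shows only rules 1, 2 and N.

```python
import ipaddress

# Rule tables transcribed from the two slides: (source prefix, destination prefix,
# action), evaluated top to bottom, first match wins.
# Note the ordering on the first table: a packet from 149.59.34.0/24 to 123.45.6.0/24
# is permitted by rule 1 before the more specific rule 2 (deny) ever sees it. The
# position of a rule, not its specificity, decides.
SLIDE6_RULES = [
    ("149.59.0.0/16",  "123.45.6.0/24",  "permit"),
    ("149.59.34.0/24", "123.45.0.0/16",  "deny"),
    ("0.0.0.0/0",      "0.0.0.0/0",      "deny"),    # default
]
SLIDE8_RULES = [
    ("24.128.0.0/16",   "4.0.0.0/8",      "deny"),
    ("64.248.128.0/24", "8.16.192.0/24",  "permit"),
    ("34.128.0.0/16",   "14.16.128.0/20", "permit"),
    ("0.0.0.0/0",       "0.0.0.0/0",      "deny"),   # assumed default, not on the slide
]

def compile_rules(rules):
    """Parse the CIDR strings; ip_network() rejects a malformed prefix loudly."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), act) for s, d, act in rules]

def filter_packet(rules, src, dst):
    """Return (rule number, action) for the first rule whose source and destination
    prefixes both contain the packet's addresses. Only header fields are consulted;
    the payload is never examined, which is what "packets are not scrutinized" means."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (s_net, d_net, action) in enumerate(compile_rules(rules), start=1):
        if src_ip in s_net and dst_ip in d_net:
            return number, action
    return None, "deny"   # reached only if a table has no catch-all default rule

def audit(rules, packets):
    """One audit-log line per (src, dst) packet: the decision and the rule that made it."""
    lines = []
    for src, dst in packets:
        number, action = filter_packet(rules, src, dst)
        lines.append(f"{action:6} rule={number} {src} -> {dst}")
    return lines

if __name__ == "__main__":
    print("\n".join(audit(SLIDE8_RULES, [("24.128.34.8", "4.16.128.3"),
                                         ("64.248.128.5", "8.16.192.7")])))
```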

Circuit-Level Firewalls

- Validates sessions before opening connections (handshakes)
- Once a connection is made, all packets related to that connection pass
- Packets are not scrutinized
- No direct connections with other networks without validation

Circuit-Level Firewalls (cont.)

Establishes two connections:
- Between client and firewall
- Between firewall and server

Implemented using sockets (a socket is an IP address + port number).

Manipulating an established connection is easy.

Packets are not scrutinized.

Auditing is possible.

An Example of Circuit-Level Firewall

Network News Transfer Protocol (NNTP):
- The NNTP server connects to the firewall.
- Internal systems' NNTP clients connect to the firewall.
- The circuit-level firewall simply passes bytes between the systems.

(Diagram: Internal Systems (NNTP clients) <-> Circuit-Level Firewall (Choke Point) <-> External Servers (NNTP news providers))
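The circuit-level behaviour described on the three slides above, as an added example that is not part of the lecture: a session is validated once, at the handshake, and from then on its packets are relayed unread while packets that belong to no validated session are dropped. The internal and news-provider address ranges and the packet trace are constructed for the example.

```python
import ipaddress

# Constructed addressing for the NNTP scenario (assumed, not from the slides).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # internal systems (NNTP clients)
NEWS_SERVERS = ipaddress.ip_network("192.0.2.0/24")  # external NNTP news providers
NNTP_PORT = 119

class CircuitGate:
    """Simplified circuit-level gate. 'open' is where a real gate would set up its two
    TCP connections (client<->gate and gate<->server); only the decision is modelled."""

    def __init__(self):
        self.sessions = set()   # validated sessions, keyed by unordered endpoint pair

    @staticmethod
    def _key(pkt):
        # Same key whichever direction the packet travels in.
        return frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})

    def _validate(self, pkt):
        # The handshake is the only point at which who-talks-to-whom is examined.
        return (ipaddress.ip_address(pkt["src"]) in INTERNAL_NET
                and ipaddress.ip_address(pkt["dst"]) in NEWS_SERVERS
                and pkt["dport"] == NNTP_PORT)

    def handle(self, pkt):
        key = self._key(pkt)
        if pkt["flags"] == "SYN":              # a client asks for a new session
            if self._validate(pkt):
                self.sessions.add(key)
                return "open"                  # gate completes both connections
            return "drop"                      # no direct connection without validation
        if key not in self.sessions:
            return "drop"                      # not part of any validated session
        if pkt["flags"] == "FIN":
            self.sessions.discard(key)         # session torn down
        return "pass"                          # bytes relayed, payload never scrutinized

def run_trace(packets):
    """Feed a packet trace through a fresh gate and collect the per-packet decisions."""
    gate = CircuitGate()
    return [gate.handle(p) for p in packets]

def pkt(src, sport, dst, dport, flags, payload=b""):
    return dict(src=src, sport=sport, dst=dst, dport=dport, flags=flags, payload=payload)

# Constructed trace: one valid NNTP session, a direct connection attempt to port 80,
# an unsolicited inbound packet from a server, and a packet arriving after teardown.
TRACE = [
    pkt("10.1.2.3", 40000, "192.0.2.10", 119, "SYN"),
    pkt("192.0.2.10", 119, "10.1.2.3", 40000, "DATA", b"200 news server ready\r\n"),
    pkt("10.1.2.3", 40000, "192.0.2.10", 119, "DATA", b"GROUP comp.security.misc\r\n"),
    pkt("10.1.2.3", 40001, "192.0.2.10", 80, "SYN"),
    pkt("192.0.2.99", 119, "10.1.2.3", 40002, "DATA", b"unsolicited"),
    pkt("10.1.2.3", 40000, "192.0.2.10", 119, "FIN"),
    pkt("192.0.2.10", 119, "10.1.2.3", 40000, "DATA", b"late"),
]

if __name__ == "__main__":
    for p, decision in zip(TRACE, run_trace(TRACE)):
        print(f"{decision:5} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['flags']}")
```

Because the gate never reads the payload, the "GROUP" command is relayed exactly as any other bytes would be; content checks belong to the application-level proxies on the following slides.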

Application-Level Firewalls

An application-level firewall (also called a proxy firewall) uses proxies to perform access control.

- Acts as a proxy server; evaluates requests and decides according to security concerns
- Two connections per session
- All packets are scrutinized
- Auditing is possible

T1: ch23.3.1, T2: ch26.3.1

Application-Level Firewalls (cont.)

Access control is based on the contents of packets and messages, as well as on attributes of packet headers.

Does not allow direct connections between two endpoints through a proxy firewall.

(Diagram: at the application level, applications pass through an application-level proxy with accept/deny rules; at the network level, outgoing and incoming packets pass through the network layer.)

An Example of Application-Level Firewall

Simple Mail Transfer Protocol (SMTP) proxies

SMTP application proxies are configured to allow only necessary SMTP commands, such as helo, mail from: and rcpt to:, to pass through the firewall.

- Stop the "expn" command, which tries to expand a list
- Stop the "vrfy" command, which tries to verify that an account exists

The above are used by attackers and spammers to enumerate e-mail accounts.

MIME type and message size can also be used to filter traffic.

An Example of Application-Level Firewall (cont.)

Local Network: Mail Clients
  Incoming/outgoing request for SMTP <expn> (denied)

Network Server: implements application firewall in SMTP/POP/IMAP
  Deny: expn, vrfy
  Allow: helo, mail from:

Incoming/outgoing mail <helo>; <mail from:> (permitted)
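The SMTP proxy's command and message checks from the two slides above, as an added example that is not code from the lecture. The slide names helo, mail from: and rcpt to: as the necessary commands; EHLO, DATA, RSET and QUIT in the allowed set, the 10 MB size limit and the MIME deny list are assumptions made here, and the client transcript is constructed.

```python
import re

# Command policy. EHLO, DATA, RSET and QUIT are added (an assumption) so that a
# message can actually be delivered through the proxy.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}
BLOCKED = {"EXPN", "VRFY"}                 # both enumerate accounts; answered locally
MAX_MESSAGE_BYTES = 10 * 1024 * 1024       # assumed size limit
# Constructed deny list of MIME types the proxy refuses to relay.
BLOCKED_MIME = {"application/x-msdownload", "application/hta"}
CONTENT_TYPE = re.compile(rb"^content-type:\s*([\w.+-]+/[\w.+-]+)", re.I | re.M)

def proxy_command(line):
    """Decide one client command line: ('forward', line) is passed to the real mail
    server; ('reply', text) is answered by the proxy itself and never forwarded."""
    stripped = line.strip()
    verb = stripped.split(None, 1)[0].upper() if stripped else ""
    if verb in BLOCKED:
        return "reply", "502 5.5.1 Command not implemented\r\n"
    if verb not in ALLOWED:
        return "reply", "500 5.5.1 Command unrecognized\r\n"
    return "forward", line

def proxy_message(body):
    """Decide the DATA payload on message size and on the MIME types it declares."""
    if len(body) > MAX_MESSAGE_BYTES:
        return "reply", "552 5.3.4 Message size exceeds fixed limit\r\n"
    for mime in CONTENT_TYPE.findall(body):
        if mime.decode("ascii", "replace").lower() in BLOCKED_MIME:
            return "reply", "550 5.7.1 Content type not permitted\r\n"
    return "forward", body

def proxy_session(commands):
    """Run a whole client transcript and return the proxy's decision for each line."""
    return [proxy_command(c)[0] for c in commands]

# Constructed client transcript: a normal exchange with two enumeration attempts in it.
TRANSCRIPT = [
    "HELO mail.example.com\r\n",
    "VRFY root\r\n",
    "EXPN staff\r\n",
    "MAIL FROM:<alice@example.com>\r\n",
    "RCPT TO:<bob@example.org>\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, decision in zip(TRANSCRIPT, proxy_session(TRANSCRIPT)):
        print(f"{decision:8} {line.strip()}")
```

Answering expn and vrfy locally, rather than forwarding and relaying the server's answer, is what keeps the enumeration attempt from ever reaching the mail server.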

An Example of Using Firewalls

Requirements of the Drib Corporation:
- The Drib wants the public to be able to access its web server and mail server, and no other services.
- The Drib wishes to check all incoming e-mail for computer viruses and all web connections for attacks.
- The Drib has sensitive data which it does not want outsiders to see.
- The Drib allows file sharing among its systems. It does not want packets containing sensitive information to leak to the Internet.

T1: ch23.3, T2: ch26.3

An Example of Using Firewalls (cont.)

Desirable Network Infrastructure
- The public entities should be confined to the DMZ area.
- The outer firewall presents an interface between the DMZ and the Internet that allows connections to the WWW service (HTTP and HTTPS) and to the electronic mail (SMTP) service.
- Proxies with virus and attack scanning programs should be implemented at the outer firewall.
- The Drib's most sensitive data and systems should reside in the internal network.
- The inner firewall, sitting between the DMZ and the internal network, will block all traffic except that specifically authorized to enter the internal network.

An Example of Using Firewalls (cont.)

Network designed for the Dribble Corporation (diagram):

Internet <-> Outer Firewall <-> DMZ (mail server, web server, DNS server) <-> Inner Firewall <-> INTERNAL (internal DNS server, internal mail server, corporate data subnet, customer data subnet, development subnet)

An Example of Using Firewalls (cont.)

Outer firewall configuration
- The outer firewall is a proxy-based firewall.
- When an e-mail connection is initiated, the mail proxy on the firewall collects the mail and analyzes it for computer viruses and other forms of malicious logic. If none is found, it forwards the mail to the DMZ mail server.
- Similarly, when a web connection arrives, the web proxy scans the message for any suspicious components; if none is found, it forwards the message to the DMZ web server.

(Diagram: Internet <-> Outer Firewall <-> DMZ: mail server, web server)

An Example of Using Firewalls (cont.)

Inner firewall configuration
- The inner firewall is also a proxy-based firewall.
- Mail connections through the inner firewall are allowed, and all e-mail is sent to the DMZ mail server for disposition.
- Packets containing sensitive information (detected by the proxies in the inner firewall) are not allowed to reach the DMZ.
- All other traffic, including web access, is blocked.

(Diagram: DMZ <-> Inner Firewall <-> INTERNAL: internal DNS server, internal mail server, corporate data subnet, customer data subnet, development subnet)

Choosing a Firewall

- What OS is required, and what other OSs are supported?
- How much CPU/RAM/disk space does it need?
- What is the authentication scheme?
- Does it support logging?
- What hardware is provided?
- What software is provided?
- What is the cost of installing and operating the firewall?
- What other features does it have?

Firewall Design Criteria

Organizations deciding to use firewalls must analyze their security needs. Potential risks and threats must be contemplated.

The following considerations may affect the design and extensiveness of the implementation of firewalls:

Organizational policies
- What level of access control does management want?
- The desired level of monitoring and access must be determined.
- What level of risk is the organization willing to accept?

Firewall Design Criteria (cont.)

- A checklist of what messages should be monitored, permitted and denied must be established.
- The cost of various firewall programs, including ongoing maintenance, must be considered against the potential threat. What would be the potential cost/damage of attacks on the system from outside?
- The number, placement, and types of firewalls to be used must be determined.
- Firewalls should have packet filtering, circuit-level controls, and application-level proxies in order to provide effective security.
- What is the estimated overhead in using the selected firewalls?

Some Commercially Available Firewalls

Hardware: Linksys Etherfast Cable/DSL Firewall Router, Microsoft MN-100, D-Link Express EtherNetwork

Mac OS X servers: DoorStop Server Firewall, Firewall X2, Impasse, IPNetSentry, NetBarrier

Linux: iptables, SINUS, ipchains

Windows: BlackICE, Kerio, McAfee, Norton Personal Firewall, Outpost, Sygate, Terminet, and ZoneAlarm

References

- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997
- M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN 0131547291
- J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational IT Security Risks, Butterworth Heinemann, 2002, ISBN 0-7506-7327-3
- http://www.du.edu/~jtinucci/Security/Thaxton/thaxton.html