104075181-firewall

Upload: laharii-merugumalla

Post on 21-Jul-2016

Page 1: 104075181-Firewall

Slide 1: Figure 5-1: Border Firewall

Figure labels: 1. Internet (Not Trusted), with an Attacker; 1. Internal Corporate Network (Trusted); 2. Internet Border Firewall between them

Slide 2: Figure 5-1: Border Firewall

Figure labels: 1. Internet (Not Trusted), Attacker; 2. Internet Border Firewall; 3. Attack Packet; 4. Dropped Packet (Ingress); 4. Log File

Slide 3: Figure 5-1: Border Firewall

Figure labels: 1. Internet (Not Trusted), Legitimate User; 1. Internal Corporate Network (Trusted); 2. Internet Border Firewall; 5. Legitimate Packet; 5. Passed Legitimate Packet (Ingress)

Slide 4: Figure 5-1: Border Firewall

Figure labels: 1. Internet (Not Trusted), Attacker; 1. Internal Corporate Network (Trusted); 2. Internet Border Firewall; 4. Log File; 7. Dropped Packet (Egress); 7. Passed Packet (Egress)

Slide 5: Figure 5-1: Border Firewall

Figure labels: 1. Internet (Not Trusted), Attacker; 1. Internal Corporate Network (Trusted); 2. Internet Border Firewall; 6. Hardened Client PC; 6. Hardened Server; 6. Attack Packet that Got Through Firewall

Hardened Hosts Provide Defense in Depth

Slide 6: Figure 5-2: Types of Firewall Inspection

Packet Inspection: Examines IP, TCP, UDP, and ICMP headers
  Static packet inspection (described later)
  Stateful inspection (described later)

Application Inspection: Examines application layer messages


Slide 7: Figure 5-2: Types of Firewall Inspection

Network Address Translation (NAT): Hides IP addresses and port numbers

Denial-of-Service (DoS) Inspection: Detects and stops DoS attacks

Authentication: Requires senders to authenticate themselves

Slide 8: Figure 5-2: Types of Firewall Inspection

Virtual Private Network (VPN) Handling

VPNs are protected packet streams (see Chapter 8)

Packets are encrypted for confidentiality, so firewall inspection is impossible

VPNs typically bypass firewalls, making border security weaker

Slide 9: Figure 5-2: Types of Firewall Inspection

Hybrid Firewalls

Most firewalls offer more than one type of filtering

However, firewalls normally do not do antivirus filtering

Some firewalls pass packets to antivirus filtering servers

Slide 10: Firewalls

Firewall Hardware and Software
  Screening router firewalls
  Computer-based firewalls
  Firewall appliances
  Host firewalls (firewalls on clients and servers)

Inspection Methods

Firewall Architecture

Configuring, Testing, and Maintenance

Slide 11: Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls

Add firewall software to router

Usually provide light filtering only

Expensive for the processing power—usually must upgrade hardware, too

Slide 12: Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls

Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier

Good location for egress filtering—can eliminate scanning responses, even from the router


Slide 13: Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Add firewall software to a server with an existing operating system: Windows or UNIX

Can be purchased with enough power to handle any load

Easy to use because administrators already know the operating system

Slide 14: Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Firewall vendor might bundle firewall software with hardened hardware and operating system software

General-purpose operating systems result in slower processing

Slide 15: Figure 5-3: Firewall Hardware and Software

Computer-Based Firewalls

Security: Attackers may be able to hack the operating system
  Change filtering rules to allow attack packets in
  Change filtering rules to drop legitimate packets

Slide 16: Figure 5-3: Firewall Hardware and Software

Firewall Appliances: Boxes with minimal operating systems
  Therefore, difficult to hack
  Setup is minimal
  Not customized to specific firm’s situation
  Must be able to update

Slide 17: Figure 5-3: Firewall Hardware and Software

Host Firewalls

Installed on hosts themselves (servers and sometimes clients)

Enhanced security because of host-specific knowledge

For example, filter out everything but webserver transmissions on a webserver

Slide 18: Figure 5-3: Firewall Hardware and Software

Host Firewalls

Defense in depth

Normally used in conjunction with other firewalls

Although on a single host computer attached to the Internet, it might be the only firewall


Slide 19: Figure 5-3: Firewall Hardware and Software

Host Firewalls

The firm must manage many host firewalls

If not centrally managed, configuration can be a nightmare

Especially if rule sets change frequently

Slide 20: Figure 5-3: Firewall Hardware and Software

Host Firewalls

Client firewalls typically must be configured by ordinary users

Might misconfigure or reject the firewall

Need to centrally manage remote employee computers

Slide 21: Perspective

Computer-Based Firewall: Firewall based on a computer with a full operating system

Host Firewall: A firewall on a host (client or server)

Slide 22: Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering

Performance Requirements are driven by:
  Traffic Volume (Packets per Second)
  Complexity of Filtering: Number of Filtering Rules, Complexity of Rules, etc.

If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them

Slide 23: Firewalls

Firewall Hardware and Software

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
  IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

Slide 24: Figure 5-5: Static Packet Filter Firewall

Figure: A Static Packet Filter Firewall sits between the Corporate Network and The Internet and writes to a Log File. Arriving packets shown:
  IP-H | TCP-H | Application Message
  IP-H | UDP-H | Application Message
  IP-H | ICMP-H | ICMP Message

Only IP, TCP, UDP and ICMP Headers Examined

Decision: Permit (Pass) or Deny (Drop)


Slide 25: Figure 5-5: Static Packet Filter Firewall

Figure: A Static Packet Filter Firewall sits between the Corporate Network and The Internet and writes to a Log File. Arriving packets shown:
  IP-H | TCP-H | Application Message
  IP-H | UDP-H | Application Message
  IP-H | ICMP-H | ICMP Message

Arriving Packets Examined One at a Time, in Isolation; This Misses Many Attacks

Decision: Permit (Pass) or Deny (Drop)

Slide 26: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]

Slide 27: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]

6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

Slide 28: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]

8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

Slide 29: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

9. If TCP destination port = 20, DENY [FTP data connection]

10. If TCP destination port = 21, DENY [FTP supervisory control connection]

11. If TCP destination port = 23, DENY [Telnet data connection]

12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

Slide 30: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

13. If TCP destination port = 513, DENY [UNIX rlogin without password]

14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]

15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]

16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]


Slide 31: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

17. If ICMP Type = 0, PASS [allow incoming echo reply messages]

DENY ALL

Slide 32: Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

DENY ALL: Last rule

Drops any packets not specifically permitted by earlier rules

In the previous ACL, Rules 8-17 are not needed; Deny all would catch them

Slide 33: Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]

2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]

3. If source IP address = 192.168.*.*, DENY [private IP address range]

4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]

Rules 1-3 are not needed because of this rule

Slide 34: Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

5. If ICMP Type = 8, PASS [allow outgoing echo messages]

6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]

7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]

Slide 35: Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

8. If source IP address = 60.47.3.9 and TCP source port = 80 OR 443, PERMIT [public webserver responses]

Needed because next rule stops all packets from well-known port numbers

9. If TCP source port=0 through 49151, DENY [well-known and registered ports]

10. If UDP source port=0 through 49151, DENY [well-known and registered ports]

Slide 36: Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]

12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]

Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not.


Slide 37: Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

13. DENY ALL

No need for Rules 9-12
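To make the ingress ACL of Figure 5-6 and the egress ACL of Figure 5-7 concrete, here is an added example (not code from the slides or the textbook) of a static packet filter in Python: each list is walked top-down and the first matching rule decides, exactly as the "DENY ALL last rule" discussion assumes. Rule numbers and addresses follow the slides (including the ingress list's 60.40.*.* internal range, which differs from the egress list's 60.47.*.*); the `Packet` class, the `in_net`/`tcp_flags`/`tcp_dport` helpers and the sample hosts 8.8.4.4 and 60.47.5.5 are mine. `evaluate()` returns the rule that fired, and `without()` drops one rule so the redundancy claims on the slides can be checked: removing egress rule 9 changes nothing because DENY ALL gives the same verdict, but ingress rule 17 is a PASS rule, so removing it turns incoming echo replies into DENY ALL.

```python
import ipaddress

class Packet:
    """Only the header fields a static packet filter examines (Figure 5-5)."""
    def __init__(self, src, dst, proto, sport=0, dport=0, flags=(), icmp_type=None):
        self.src, self.dst, self.proto = src, dst, proto          # proto: "tcp", "udp" or "icmp"
        self.sport, self.dport = sport, dport
        self.flags = frozenset(f.upper() for f in flags)          # TCP flags set, e.g. {"SYN", "ACK"}
        self.icmp_type = icmp_type

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def tcp_flags(p, *names):
    return p.proto == "tcp" and all(n in p.flags for n in names)

def tcp_dport(port):          # rule factory for "If TCP destination port = N"
    return lambda p: p.proto == "tcp" and p.dport == port

PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")    # rules 1-3 of both ACLs

# One rule per tuple: (rule number, match predicate, action, note). First match wins;
# rule 0 is the catch-all DENY ALL at the end of each list.
INGRESS = [
    (1, lambda p: in_net(p.src, PRIVATE[0]), "DENY", "private IP address range"),
    (2, lambda p: in_net(p.src, PRIVATE[1]), "DENY", "private IP address range"),
    (3, lambda p: in_net(p.src, PRIVATE[2]), "DENY", "private IP address range"),
    (4, lambda p: in_net(p.src, "60.40.0.0/16"), "DENY", "firm's internal address range (as on the slide)"),
    (5, lambda p: p.src == "1.2.3.4", "DENY", "black-holed address of attacker"),
    (6, lambda p: tcp_flags(p, "SYN", "FIN"), "DENY", "crafted attack packet"),
    (7, lambda p: p.dst == "60.47.3.9" and p.proto == "tcp" and p.dport in (80, 443), "PASS", "public webserver"),
    (8, lambda p: tcp_flags(p, "SYN") and "ACK" not in p.flags, "DENY", "connection open from outside"),
    (9, tcp_dport(20), "DENY", "FTP data"), (10, tcp_dport(21), "DENY", "FTP control"),
    (11, tcp_dport(23), "DENY", "Telnet"),
    (12, lambda p: p.proto == "tcp" and 135 <= p.dport <= 139, "DENY", "NetBIOS"),
    (13, tcp_dport(513), "DENY", "rlogin"), (14, tcp_dport(514), "DENY", "rsh"),
    (15, tcp_dport(22), "DENY", "SSH"),
    (16, lambda p: p.proto == "udp" and p.dport == 69, "DENY", "TFTP"),
    (17, lambda p: p.proto == "icmp" and p.icmp_type == 0, "PASS", "incoming echo reply"),
    (0, lambda p: True, "DENY", "DENY ALL"),
]

EGRESS = [
    (1, lambda p: in_net(p.src, PRIVATE[0]), "DENY", "private IP address range"),
    (2, lambda p: in_net(p.src, PRIVATE[1]), "DENY", "private IP address range"),
    (3, lambda p: in_net(p.src, PRIVATE[2]), "DENY", "private IP address range"),
    (4, lambda p: not in_net(p.src, "60.47.0.0/16"), "DENY", "not in internal address range"),
    (5, lambda p: p.proto == "icmp" and p.icmp_type == 8, "PASS", "outgoing echo request"),
    (6, lambda p: p.proto == "icmp", "DENY", "all other outgoing ICMP"),
    (7, lambda p: tcp_flags(p, "RST"), "DENY", "no outgoing resets (host scanning)"),
    (8, lambda p: p.src == "60.47.3.9" and p.proto == "tcp" and p.sport in (80, 443), "PASS", "webserver responses"),
    (9, lambda p: p.proto == "tcp" and p.sport <= 49151, "DENY", "well-known/registered source port"),
    (10, lambda p: p.proto == "udp" and p.sport <= 49151, "DENY", "well-known/registered source port"),
    (11, lambda p: p.proto == "tcp" and p.sport >= 49152, "PASS", "ephemeral source port: client connection"),
    (12, lambda p: p.proto == "udp" and p.sport >= 49152, "PASS", "ephemeral source port: client connection"),
    (0, lambda p: True, "DENY", "DENY ALL"),
]

def evaluate(acl, pkt):
    """Static packet filtering: walk the ACL top-down; the first matching rule decides.
    Returns (action, rule number) so you can see which rule fired."""
    for number, matches, action, _note in acl:
        if matches(pkt):
            return action, number
    raise ValueError("ACL has no catch-all rule")

def without(acl, number):
    """The same ACL minus one rule; lets you test which rules DENY ALL really makes redundant."""
    return [r for r in acl if r[0] != number]

if __name__ == "__main__":
    samples = [   # constructed sample packets
        ("ingress", INGRESS, Packet("192.168.1.5", "60.47.3.9", "tcp", 40000, 80, ["SYN"])),
        ("ingress", INGRESS, Packet("8.8.4.4", "60.47.3.9", "tcp", 40000, 443, ["SYN"])),
        ("ingress", INGRESS, Packet("8.8.4.4", "60.47.5.5", "icmp", icmp_type=0)),
        ("egress", EGRESS, Packet("60.47.5.5", "8.8.4.4", "tcp", 1025, 80, ["SYN"])),
    ]
    for direction, acl, pkt in samples:
        print(direction, pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

The egress sample with source port 1025 is the case the note on slide 36 warns about: a host that picks its ephemeral ports below 49152 has its outgoing connections denied by rule 9, which is why rules 9-12 only work when every host follows the IETF port ranges.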

Slide 38: Firewalls

Firewall Hardware and Software

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls

Firewall Architecture

Configuring, Testing, and Maintenance

Slide 39: Figure 5-8: Stateful Inspection Firewalls

Default Behavior
  Permit connections initiated by an internal host
  Deny connections initiated by an external host
  Can change default behavior with ACL

Figure: Router between the Internet and the internal network; connection attempts from inside are Automatically Accepted, connection attempts from the Internet are Automatically Denied

Slide 40: Figure 5-8: Stateful Inspection Firewalls

State of Connection: Open or Closed

State: Order of packet within a dialog

Often simply whether the packet is part of an open connection

Slide 41: Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

If a connection is accepted…
  Record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  Accept future packets between these hosts and ports with no further inspection

This can miss some attacks, but it catches almost everything except attacks based on application message content

Slide 42: Figure 5-9: Stateful Inspection Firewall Operation I

Figure: Internal Client PC 60.55.33.12 and External Webserver 123.80.5.34, with the Stateful Firewall between them
  1. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:80
  2. Establish Connection (Note: Outgoing Connections Allowed By Default)
  3. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:80

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK


Slide 43: Figure 5-9: Stateful Inspection Firewall Operation I

Figure: Internal Client PC 60.55.33.12 and External Webserver 123.80.5.34, with the Stateful Firewall between them
  4. TCP SYN/ACK Segment, From: 123.80.5.34:80, To: 60.55.33.12:62600
  5. Check Connection: OK; Pass the Packet
  6. TCP SYN/ACK Segment, From: 123.80.5.34:80, To: 60.55.33.12:62600

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK

Slide 44: Figure 5-8: Stateful Inspection Firewalls

Stateful Firewall Operation

For UDP, also record the two IP addresses and port numbers in the state table

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK

Slide 45: Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection

But stateful firewalls can (Figure 5-10)

Slide 46: Figure 5-10: Stateful Firewall Operation II

Figure: Attacker Spoofing External Webserver 10.5.3.4; Internal Client PC 60.55.33.12; Stateful Firewall between them
  1. Spoofed TCP SYN/ACK Segment, From: 10.5.3.4:80, To: 60.55.33.12:64640
  2. Check Connection Table: No Connection Match: Drop

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK

Slide 47: Figure 5-8: Stateful Inspection Firewalls

Static Packet Filter Firewalls are Stateless

Filter one packet at a time, in isolation

Cannot deal with port-switching applications

But stateful firewalls can (Figure 5-11)

Slide 48: Figure 5-11: Port-Switching Applications with Stateful Firewalls

Figure: Internal Client PC 60.55.33.12; Stateful Firewall; External FTP Server 123.80.5.34
  1. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:21
  2. To Establish Connection
  3. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:21

State Table (after Step 2)
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   21             OK


Slide 49: Figure 5-11: Port-Switching Applications with Stateful Firewalls

Figure: Internal Client PC 60.55.33.12; Stateful Firewall; External FTP Server 123.80.5.34
  4. TCP SYN/ACK Segment, From: 123.80.5.34:21, To: 60.55.33.12:62600; Use Ports 20 and 55336 for Data Transfers
  5. To Allow, Establish Second Connection
  6. TCP SYN/ACK Segment, From: 123.80.5.34:21, To: 60.55.33.12:62600; Use Ports 20 and 55336 for Data Transfers

State Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   21             OK   (Step 2)
TCP   60.55.33.12   55336          123.80.5.34   20             OK   (Step 5)

Slide 50: Figure 5-8: Stateful Inspection Firewalls

Stateful Inspection Access Control Lists (ACLs)

Primarily allow or deny applications (port numbers)

Simple because no probe-packet rules are needed: probe packets are dropped automatically

The simplicity of stateful firewalls gives speed and therefore low cost

Stateful firewalls are dominant today for the main corporate border firewalls
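The following is an added example (not code from the slides or the textbook) that replays Figures 5-9, 5-10 and 5-11 against a small stateful firewall written in Python: outbound SYNs create a connection-table row, inbound segments are passed only when a row matches, the spoofed SYN/ACK of Figure 5-10 is dropped, and an FTP helper registers the second connection of Figure 5-11. The slides only say the server asks to "Use Ports 20 and 55336"; the helper here goes a step beyond them and parses the real active-mode FTP `PORT h1,h2,h3,h4,p1,p2` command, whose data port is p1*256+p2 (216*256+40 = 55336), so the inbound SYN from port 20 to port 55336 is accepted. The `Segment` class, the `60.55.33.` internal prefix and the extra probe from 1.2.3.4 are my own constructions; connection teardown is not tracked.

```python
import re

INTERNAL_PREFIX = "60.55.33."   # constructed: the internal client subnet used in Figures 5-9 to 5-11

class Segment:
    """A TCP segment as the firewall sees it: addresses, ports, flags and (optionally) its payload."""
    def __init__(self, src_ip, src_port, dst_ip, dst_port, flags=(), payload=""):
        self.src_ip, self.src_port, self.dst_ip, self.dst_port = src_ip, src_port, dst_ip, dst_port
        self.flags, self.payload = frozenset(flags), payload

def is_outbound(seg):
    return seg.src_ip.startswith(INTERNAL_PREFIX)

def table_key(seg):
    """Connection table rows are (internal IP, internal port, external IP, external port)."""
    if is_outbound(seg):
        return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
    return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

class StatefulFirewall:
    def __init__(self):
        self.table = {}          # row key -> "OK"; only open connections are stored

    def handle(self, seg):
        """Decide one segment ("PASS"/"DROP") and update the connection table."""
        key = table_key(seg)
        if "SYN" in seg.flags and "ACK" not in seg.flags:       # a connection-opening attempt
            if is_outbound(seg):                                # default: permit internal hosts
                self.table[key] = "OK"
                return "PASS"
            # default: deny external hosts, unless the FTP helper pre-registered this exact
            # data connection (Figure 5-11, step 5)
            return "PASS" if self.table.get(key) == "OK" else "DROP"
        if self.table.get(key) != "OK":                         # no matching open connection,
            return "DROP"                                       # e.g. the spoofed SYN/ACK of Figure 5-10
        if is_outbound(seg) and seg.dst_port == 21:             # FTP control channel: watch for PORT
            self._ftp_helper(seg)
        return "PASS"                                           # established traffic: no further inspection

    def _ftp_helper(self, seg):
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control connection;
        # the server then opens a data connection from its port 20 to port p1*256+p2 on the
        # client. Register that connection as OK so the inbound SYN is accepted.
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", seg.payload)
        if m:
            client_ip = ".".join(m.group(i) for i in range(1, 5))
            data_port = int(m.group(5)) * 256 + int(m.group(6))
            self.table[(client_ip, data_port, seg.dst_ip, 20)] = "OK"

def replay_figures():
    """Replay the exchanges of Figures 5-9, 5-10 and 5-11; returns the decisions and the table."""
    fw, client, server = StatefulFirewall(), "60.55.33.12", "123.80.5.34"
    decisions = {
        "5-9 step 1: client SYN out":    fw.handle(Segment(client, 62600, server, 80, ["SYN"])),
        "5-9 step 4: SYN/ACK back":      fw.handle(Segment(server, 80, client, 62600, ["SYN", "ACK"])),
        "5-10: spoofed SYN/ACK":         fw.handle(Segment("10.5.3.4", 80, client, 64640, ["SYN", "ACK"])),
        "external SYN to internal host": fw.handle(Segment("1.2.3.4", 40000, client, 445, ["SYN"])),
        "5-11 step 1: FTP control SYN":  fw.handle(Segment(client, 62600, server, 21, ["SYN"])),
        "5-11 step 4: FTP SYN/ACK back": fw.handle(Segment(server, 21, client, 62600, ["SYN", "ACK"])),
        "5-11: client PORT command":     fw.handle(Segment(client, 62600, server, 21, ["ACK"],
                                                           "PORT 60,55,33,12,216,40\r\n")),
        "5-11: server data SYN in":      fw.handle(Segment(server, 20, client, 55336, ["SYN"])),
    }
    return decisions, dict(fw.table)

if __name__ == "__main__":
    for step, verdict in replay_figures()[0].items():
        print(f"{verdict:5} {step}")
```

The point slide 50 makes follows directly from `handle()`: no ACL rule about probe packets is needed, because any inbound segment without a table row is dropped before any rule is consulted.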

Slide 51: Firewalls

Firewall Hardware and Software

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
  IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

Slide 52: Figure 5-12: Network Address Translation (NAT)

Figure: Client 192.168.5.7; NAT Firewall; Internet (with a Sniffer); Server Host
  1. From 192.168.5.7, Port 61000
  2. From 60.5.9.8, Port 55380

Translation Table
Internal IP Addr   Internal Port   External IP Addr   External Port
192.168.5.7        61000           60.5.9.8           55380
. . .              . . .           . . .              . . .

Slide 53: Figure 5-12: Network Address Translation (NAT)

Figure: Client 192.168.5.7; NAT Firewall; Internet (with a Sniffer); Server Host
  3. To 60.5.9.8, Port 55380
  4. To 192.168.5.7, Port 61000

Translation Table
Internal IP Addr   Internal Port   External IP Addr   External Port
192.168.5.7        61000           60.5.9.8           55380
. . .              . . .           . . .              . . .

Slide 54: Figure 5-12: Network Address Translation (NAT)

Sniffers on the Internet cannot learn internal IP addresses and port numbers

They only learn the translated address and port number

By themselves, NAT firewalls provide a great deal of protection against attacks

External attackers cannot create a connection to an internal computer
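As an added example (not code from the slides or the textbook), the four steps of Figure 5-12 as a Python NAT firewall with the figure's translation table: the outbound packet from 192.168.5.7:61000 leaves as 60.5.9.8:55380, which is all a sniffer on the Internet sees; the reply to 60.5.9.8:55380 is translated back; and a packet from outside to a port with no table row is dropped, which is the mechanism behind "external attackers cannot create a connection to an internal computer". The server address 123.80.5.34, the probe from 1.2.3.4 and the port pool starting at 55380 are my own constructions.

```python
import itertools

class NatFirewall:
    """Network Address Translation as in Figure 5-12: internal (address, port) pairs are mapped to
    ports on the firewall's single external address, and only mapped ports are translated back."""
    def __init__(self, external_ip, first_port=55380):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)   # constructed: the external port pool starts here
        self.to_external = {}    # (internal IP, internal port) -> external port
        self.to_internal = {}    # external port -> (internal IP, internal port)

    def outbound(self, pkt):
        """Step 1 -> 2: rewrite the source so the Internet only sees the external address."""
        inner = (pkt["src_ip"], pkt["src_port"])
        if inner not in self.to_external:
            port = next(self._ports)
            self.to_external[inner] = port
            self.to_internal[port] = inner
        return dict(pkt, src_ip=self.external_ip, src_port=self.to_external[inner])

    def inbound(self, pkt):
        """Step 3 -> 4: rewrite the destination back to the internal host. Returns None (dropped)
        when no translation row exists, which is why an outside host cannot open a connection
        to an internal computer through NAT."""
        if pkt["dst_ip"] != self.external_ip:
            return None
        inner = self.to_internal.get(pkt["dst_port"])
        if inner is None:
            return None
        return dict(pkt, dst_ip=inner[0], dst_port=inner[1])

    def translation_table(self):
        """Rows in the layout of the figure's Translation Table."""
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.to_external.items()]

def replay_figure_5_12():
    """Replay the figure: request from 192.168.5.7:61000, reply to the translated address,
    then an unsolicited packet from outside. Returns what the sniffer sees and what gets through."""
    nat = NatFirewall("60.5.9.8")
    request = {"src_ip": "192.168.5.7", "src_port": 61000, "dst_ip": "123.80.5.34", "dst_port": 80}
    on_wire = nat.outbound(request)                           # what a sniffer on the Internet sees
    reply = {"src_ip": "123.80.5.34", "src_port": 80,
             "dst_ip": "60.5.9.8", "dst_port": on_wire["src_port"]}
    unsolicited = {"src_ip": "1.2.3.4", "src_port": 40000, "dst_ip": "60.5.9.8", "dst_port": 3389}
    return {"sniffer_sees": on_wire, "reply_delivered_to": nat.inbound(reply),
            "unsolicited": nat.inbound(unsolicited), "table": nat.translation_table()}

if __name__ == "__main__":
    for name, value in replay_figure_5_12().items():
        print(name, value)
```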


Slide 55: Firewalls

Firewall Hardware and Software

Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
  IPSs

Firewall Architecture

Configuring, Testing, and Maintenance

Slide 56: Figure 5-13: Application Firewall Operation

Figure: Client PC 192.168.6.77 (Browser); Application Firewall 60.45.2.6 (HTTP Proxy); Webserver 123.80.5.34 (Webserver Application)
  1. HTTP Request From 192.168.6.77
  2. Filtering: Blocked URLs, Post Commands, etc.
  3. Examined HTTP Request From 60.45.2.6

Slide 57: Figure 5-13: Application Firewall Operation

Figure: Client PC 192.168.6.77 (Browser); Application Firewall 60.45.2.6 (HTTP Proxy); Webserver 123.80.5.34 (Webserver Application)
  4. HTTP Response to 60.45.2.6
  5. Filtering on Hostname, URL, MIME, etc.
  6. Examined HTTP Response To 192.168.6.77

Slide 58: Figure 5-13: Application Firewall Operation

Figure: Client PC 192.168.6.77; Application Firewall 60.45.2.6; Webserver 123.80.5.34
  FTP Proxy: Outbound Filtering on PUT
  SMTP (E-Mail) Proxy: Inbound and Outbound Filtering on Obsolete Commands, Content

A Separate Proxy Program is Needed for Each Application Filtered on the Firewall

Slide 59: Figure 5-14: Header Destruction With Application Firewalls

Figure: Attacker 1.2.3.4; Application Firewall 60.45.2.6; Webserver 123.80.5.34
  Arriving Packet: Orig. IP Hdr | Orig. TCP Hdr | App MSG (HTTP)
  Header Removed: App MSG (HTTP)
  New Packet: New IP Hdr | New TCP Hdr | App MSG (HTTP)

Application Firewall Strips Original Headers from Arriving Packets, Creates New Packet with New Headers

This Stops All Header-Based Packet Attacks

Slide 60: Figure 5-15: Protocol Spoofing

Figure: Internal Client PC 60.55.33.12 (with a Trojan Horse); Application Firewall; Attacker 1.2.3.4
  1. Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall
  2. Protocol is Not HTTP: Application Firewall Stops The Transmission (X)


Slide 61: Relay Operation

Application Firewalls Use Relay Operation

Act as server to clients, clients to servers

This is slow, so traditionally application firewalls could only handle limited traffic

Figure (from Figure 5-13): Browser; HTTP Proxy; Webserver Application
  1. HTTP Request From 192.168.6.77
  2. Filtering
  3. Examined HTTP Request From 60.45.2.6

Slide 62: Automatic Protections in Relay Operation

Protocol Fidelity: An application that spoofs the port number of another application (e.g., Port 80) will not work in relay operation

Header Destruction: IP, TCP, UDP, and ICMP headers are dropped at the firewall, so they cannot do damage

IP Address Hiding: A sniffer on the Internet only learns the application firewall’s IP address

Slide 63: Other Application Firewall Protections

Stopping Certain Application Commands
  HTTP: Stop POST
  TCP: Stop PUT
  E-Mail: Stop obsolete commands used by attackers

Blocked IP Addresses and URLs: Black lists

Blocking File Types: Use MIME and other identification methods
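To show what relay operation, header destruction, protocol fidelity and the command, black-list and MIME filters of Figures 5-13 to 5-15 and slides 61-63 look like in code, here is an added example (not code from the slides or the textbook) of an HTTP proxy's filtering core in Python. The proxy parses the client's message as HTTP and rejects anything that does not parse (protocol fidelity: a Trojan sending its own protocol on port 80 is stopped), refuses POST and black-listed hosts, and then builds a completely new request that is sent from the firewall's own address 60.45.2.6, so nothing from the client's original packet headers reaches the server (header destruction and IP address hiding). The response side rejects a blocked MIME type. The host name blocked.example and the blocked MIME type application/x-msdownload are constructed entries, and the network sockets are omitted so the filtering logic runs offline.

```python
from typing import Dict, Tuple

FIREWALL_IP = "60.45.2.6"                    # the application firewall's address in Figure 5-13
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
BLOCKED_HOSTS = {"blocked.example"}          # constructed black-list entry (slide 63)
BLOCKED_METHODS = {"POST"}                   # "HTTP: Stop POST" (slide 63)
BLOCKED_MIME = {"application/x-msdownload"}  # constructed: block Windows executables by MIME type

class Rejected(Exception):
    """Raised when the proxy refuses to relay a message; the reason is the message text."""

def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP message into (start line, headers, body). Anything that does not parse
    as HTTP is rejected: this is the protocol-fidelity check of Figure 5-15."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").rstrip("\r\n").split("\r\n")
    except UnicodeDecodeError:
        raise Rejected("not HTTP")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise Rejected("not HTTP")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def relay_request(raw: bytes, client_ip: str) -> Dict[str, object]:
    """Client side of relay operation: parse the client's request, filter it, and rebuild a
    new request that leaves from the firewall's own address (steps 1-3 of Figure 5-13)."""
    start, headers, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] not in ALLOWED_VERSIONS or not parts[1].startswith("/"):
        raise Rejected("not HTTP")          # e.g. a Trojan tunnelling its own protocol over port 80
    method, target, version = parts
    if method in BLOCKED_METHODS:
        raise Rejected("blocked command")
    if headers.get("host", "") in BLOCKED_HOSTS:
        raise Rejected("blocked host")
    # Header destruction (Figure 5-14): nothing from the client's IP/TCP headers is reused.
    # The server only ever sees a request assembled here, sourced from FIREWALL_IP.
    fwd = {k: v for k, v in headers.items() if k not in ("connection", "proxy-connection")}
    fwd["connection"] = "close"
    new = f"{method} {target} {version}\r\n".encode()
    new += "".join(f"{k}: {v}\r\n" for k, v in fwd.items()).encode() + b"\r\n" + body
    return {"src_ip": FIREWALL_IP, "on_behalf_of": client_ip, "request": new}

def relay_response(raw: bytes) -> bytes:
    """Server side (steps 4-6): filter on MIME type before a response is passed to the client."""
    start, headers, body = split_message(raw)
    if not start.startswith("HTTP/"):
        raise Rejected("not HTTP")
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime in BLOCKED_MIME:
        raise Rejected("blocked file type")
    return raw

def decide(raw: bytes, client_ip: str = "192.168.6.77", response: bool = False):
    """Convenience wrapper: ("PASS", relayed message) or ("DROP", reason)."""
    try:
        return "PASS", (relay_response(raw) if response else relay_request(raw, client_ip))
    except Rejected as why:
        return "DROP", str(why)

if __name__ == "__main__":
    # constructed sample messages: a normal request, a POST, and a non-HTTP blob on port 80
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
                   b"POST /login HTTP/1.1\r\nHost: www.example\r\n\r\nuser=x",
                   b"\x16\x03\x01\x80\x00not-http"):
        print(decide(sample))
```

Note that `decide()` is where the speed cost of slide 61 comes from: every message is fully parsed and re-serialised, which is far more work per packet than the header checks of a stateful firewall.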

Slide 64: Figure 5-16: Circuit Firewall

Figure: External Client 123.30.82.5; Circuit Firewall (SOCKS v5) 60.34.3.31; Webserver 60.80.5.34
  1. Authentication
  2. Transmission
  3. Passed Transmission: No Filtering
  4. Reply
  5. Passed Reply: No Filtering

Generic Type of Application Firewall

Slide 65: Firewalls

Types of Firewalls

Inspection Methods

Firewall Architecture
  Single site in large organization
  Home firewall
  SOHO firewall router
  Distributed firewall architecture

Configuring, Testing, and Maintenance

Slide 66: Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Figure components: Internet; 1. Screening Router 60.47.1.1 (Last Rule = Permit All); internal subnets 172.18.9.x, Marketing Client on 172.18.5.x Subnet, Accounting Server on 172.18.7.x Subnet; Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Screening Router Firewall: Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out. Last Rule is Permit All to Let Main Firewall Handle Everything but Simple Attacks


Slide 67: Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Figure components: Internet; 2. Main Firewall (Last Rule = Deny All); internal subnets 172.18.9.x, Marketing Client on 172.18.5.x Subnet, Accounting Server on 172.18.7.x Subnet; Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Main Firewall: Uses Stateful Inspection. Last Rule is Deny All

Slide 68: Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Figure components: Internet; 172.18.9.x Subnet; 3. Internal Firewall; 4. Client Host Firewall; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet; Public Webserver 60.47.3.9; SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1; External DNS Server 60.47.3.4

Internal Firewalls and Hardened Hosts Provide Defense in Depth
  Stop Attacks from Inside
  Stop External Attacks that Get Past the Main Firewall

Slide 69: Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Figure components: Internet; 172.18.9.x Subnet; Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet; 5. Server Host Firewall; 6. DMZ containing Public Webserver 60.47.3.9, SMTP Relay Proxy 60.47.3.10, HTTP Proxy Server 60.47.3.1, External DNS Server 60.47.3.4

Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ).

Attackers cannot get to other subnets from there

DMZ servers are specially hardened

Slide 70: Figure 5-18: Home Firewall

Figure: Internet Service Provider; Coaxial Cable; Broadband Modem; UTP Cord; Home PC (PC Firewall); Always-On Connection

Windows XP has an internal firewall
  Originally called the Internet Connection Firewall: Disabled by default
  After Service Pack 2 called the Windows Firewall: Enabled by default

Slide 71: Figure 5-19: SOHO Firewall Router

Figure: Internet Service Provider; Broadband Modem (DSL or Cable); SOHO Router (Router, DHCP Server, NAT Firewall, and Limited Application Firewall); Ethernet Switch; User PCs connected over UTP

Many Access Routers Combine the Router and Ethernet Switch in a Single Box

Slide 72: Figure 5-20: Distributed Firewall Architecture

Figure: Internet; Home PC Firewall; Management Console; Site A; Site B

Remote Management is needed to reduce management labor

Dangerous because if an attacker compromises it, they own the network

Remote PCs must be actively managed centrally


Slide 73: Figure 5-23: FireWall-1 Modular Management Architecture

Application Module (GUI): Create, Edit Policies; Read Log Files

Management Module: Stores Policies; Stores Log Files

Firewall Module (two shown): Enforces Policy; Sends Log Entries

Links labelled in the figure: Policy and Log File Data between the Application Module and the Management Module; Policy and Log File Entry between the Management Module and each Firewall Module

Slide 74: Figure 5-24: FireWall-1 Service Architecture

Figure: External Server; FireWall-1 Firewall; Internal Client; Third-Party Application Inspection Firewall
  1. Arriving Packet
  2. Statefully Filtered Packet
  3. DoS Protection, Optional Authentications
  4. Content Vectoring Protocol (to the Third-Party Application Inspection Firewall)
  5. Statefully Filtered Packet Plus Application Inspection

Slide 75: Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls

Figure: Internet (Security Level Outside = 0); Router; Internal Network (Security Level Inside = 100); a third network at Security Level = 60
  Automatically Accept Connection (from the higher security level to the lower)
  Automatically Reject Connection (from the lower security level to the higher)

Connections Are Allowed from More Secure Networks to Less Secure Networks