Firewalls
Chapter 5
Copyright Prentice-Hall 2003
Figure 5-1: Border Firewall
[Figure: the Internet (not trusted), where the attacker sits, is separated from the internal corporate network (trusted), containing a hardened client PC and a hardened server, by the Internet border firewall. The attacker's attack packet is shown as a dropped packet (ingress); legitimate traffic is shown as a passed packet (ingress) and a passed packet (egress). The firewall records its decisions in a log file.]
Figure 5-2: Types of Firewall Inspection
Packet Inspection
  Examines IP, TCP, UDP, and ICMP header contents
  Static packet filtering looks at individual packets in isolation; misses many attacks
  Stateful inspection inspects packets in the context of the packet’s role in an ongoing or incipient conversation
  Stateful inspection is the preferred packet inspection method today
Figure 5-2: Types of Firewall Inspection
Application Inspection
  Examines application layer messages
  Stops some attacks that packet inspection cannot
Network Address Translation
  Hides the IP addresses of internal hosts to thwart sniffers
  Benignly spoofs source IP addresses in outgoing packets
Figure 5-2: Types of Firewall Inspection
Denial-of-Service Inspection
  Recognizes incipient DoS attacks and takes steps to stop them
  Limited to a few common types of attacks
Authentication
  Only packets from users who have proven their identity are allowed through
  Not commonly used, but can be valuable
Figure 5-2: Types of Firewall Inspection
Virtual Private Network Handling
  Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
  VPN protection often works in parallel with other types of inspection instead of being integrated with them
Figure 5-2: Types of Firewall Inspection
Integrated Firewalls
  Most commercial products combine multiple types of filtering
  Some freeware and shareware firewall products offer only one type of filtering
Firewalls
Types of Firewalls
  Screening router firewalls
  Computer-based firewalls
  Firewall appliances
  Host firewalls (firewalls on clients and servers)
Inspection Methods
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-3: Firewall Hardware and Software
Screening Router Firewalls
  Add firewall software to router
  Usually provide light filtering only
  Expensive for the processing power—usually must upgrade hardware, too
  Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier
  Good location for egress filtering—can eliminate scanning responses, even from the router
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
  Add firewall software to a server with an existing operating system: Windows or UNIX
  Can be purchased with the power to handle any load
  Easy to use because administrators already know the operating system
  Firewall vendor might bundle the software with hardened hardware and operating system software
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
  General-purpose operating systems result in slower processing
  Security: attackers may be able to hack the operating system
    Change filtering rules to allow attack packets in
    Change filtering rules to drop legitimate packets
Figure 5-3: Firewall Hardware and Software
Firewall Appliances
  Boxes with minimal operating systems
    Therefore, difficult to hack
  Setup is minimal
  Not customized to specific firm’s situation
  Must be able to update
Figure 5-3: Firewall Hardware and Software
Host Firewalls
  Installed on hosts themselves (servers and sometimes clients)
  Enhanced security because of host-specific knowledge
    For example, filter out everything but webserver transmissions on a webserver
Figure 5-3: Firewall Hardware and Software
Host Firewalls
  Defense in depth
    Normally used in conjunction with other firewalls
    Although on single host computers attached to the Internet, might be the only firewall
Figure 5-3: Firewall Hardware and Software
Host Firewalls
  If not centrally managed, configuration can be a nightmare
    Especially if rule sets change frequently
  Client firewalls typically must be configured by ordinary users
    Might misconfigure or reject the firewall
  Need to centrally manage remote employee computers
Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering
[Figure: performance requirements are driven by two factors: traffic volume (packets per second) and complexity of filtering (number of filtering rules, complexity of rules, etc.).]
Firewalls
Types of Firewalls
Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-5: Static Packet Filter Firewall
[Figure: a static packet filter firewall sits between the Internet and the corporate network. Arriving packets (IP header + TCP header + application message; IP header + UDP header + application message; IP header + ICMP message) are examined one at a time, in isolation, and only the IP, TCP, UDP and ICMP headers are examined. Each packet is either permitted (passed) or denied (dropped), and the decision is written to a log file.]
Figure 5-6: Access Control List (ACL) For Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [internal address range]
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver]
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
13. DENY ALL
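The two ACLs above are evaluated in series: the first rule whose condition matches decides the packet, and a packet that matches nothing falls through to DENY ALL. The following is an added example, not the textbook's code, that encodes the Figure 5-6 ingress ACL as ordered predicates and runs constructed sample packets through it. The Packet fields, the helper names and the sample addresses other than those in the figures (60.47.5.20 for an internal client) are assumptions made for the example.

```python
"""Static packet filter evaluating the Figure 5-6 ingress ACL in series.

Added example: the Packet representation and rule encoding are
assumptions made here to model the figure's rules, not textbook code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    icmp_type: Optional[int] = None


def in_net(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr)


def tcp_port(p: Packet, *ports: int) -> bool:
    return p.proto == "TCP" and p.dport in ports


# (rule number, condition, action), in the order Figure 5-6 lists them.
# 172.16.*.* through 172.31.*.* is the single block 172.16.0.0/12.
INGRESS_ACL: List[Tuple[int, Callable[[Packet], bool], str]] = [
    (1, lambda p: in_net(p.src, "10.0.0.0/8"), "DENY"),
    (2, lambda p: in_net(p.src, "172.16.0.0/12"), "DENY"),
    (3, lambda p: in_net(p.src, "192.168.0.0/16"), "DENY"),
    (4, lambda p: in_net(p.src, "60.40.0.0/16"), "DENY"),
    (5, lambda p: p.src == "1.2.3.4", "DENY"),
    (6, lambda p: p.proto == "TCP" and p.syn and p.fin, "DENY"),
    (7, lambda p: p.dst == "60.47.3.9" and tcp_port(p, 80, 443), "PASS"),
    (8, lambda p: p.proto == "TCP" and p.syn and not p.ack, "DENY"),
    (9, lambda p: tcp_port(p, 20), "DENY"),
    (10, lambda p: tcp_port(p, 21), "DENY"),
    (11, lambda p: tcp_port(p, 23), "DENY"),
    (12, lambda p: p.proto == "TCP" and 135 <= p.dport <= 139, "DENY"),
    (13, lambda p: tcp_port(p, 513), "DENY"),
    (14, lambda p: tcp_port(p, 514), "DENY"),
    (15, lambda p: tcp_port(p, 22), "DENY"),
    (16, lambda p: p.proto == "UDP" and p.dport == 69, "DENY"),
    (17, lambda p: p.proto == "ICMP" and p.icmp_type == 0, "PASS"),
]


def filter_packet(p: Packet, acl=INGRESS_ACL) -> Tuple[str, Optional[int]]:
    """Evaluate the ACL in series; first match wins, otherwise DENY ALL (rule None)."""
    for number, matches, action in acl:
        if matches(p):
            return action, number
    return "DENY", None


# Constructed sample packets arriving from the Internet.
SAMPLES: Dict[str, Packet] = {
    "spoofed private source": Packet("10.1.2.3", "60.47.3.9", "TCP", 40000, 80, syn=True),
    "web request to public server": Packet("123.80.5.34", "60.47.3.9", "TCP", 50000, 80, syn=True),
    "ssh attempt to public server": Packet("123.80.5.34", "60.47.3.9", "TCP", 50000, 22, syn=True),
    "syn/fin probe": Packet("123.80.5.34", "60.47.3.9", "TCP", 50000, 80, syn=True, fin=True),
    "echo reply": Packet("123.80.5.34", "60.47.3.9", "ICMP", icmp_type=0),
    "echo request": Packet("123.80.5.34", "60.47.3.9", "ICMP", icmp_type=8),
    "tftp": Packet("123.80.5.34", "60.47.3.9", "UDP", 50000, 69),
    # Reply to a connection an internal client opened (60.47.5.20 is an assumed client).
    "syn/ack reply to internal client": Packet("123.80.5.34", "60.47.5.20", "TCP", 80, 62600, syn=True, ack=True),
}


def evaluate_samples() -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, rule) in evaluate_samples().items():
        print(f"{name:36s} -> {action} (rule {rule if rule else 'DENY ALL'})")
```

Two results are worth noticing. The SSH attempt is denied by rule 8 (inbound connection open), so rule 15 is never reached for SYN segments; ordering decides which rule fires. The SYN/ACK reply to an internal client falls all the way through to DENY ALL, because nothing in a static filter records that the client opened the connection; that gap is what stateful inspection (Figure 5-8) closes.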
Firewalls
Types of Firewalls
Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-8: Stateful Inspection Firewalls
State of Connection: Open or Closed
State: Order of packet within a dialog
  Often simply whether the packet is part of an open connection
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
  For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network)
    This default behavior can be changed with an ACL
  Accept future packets between these hosts and ports with little or no inspection
Figure 5-9: Stateful Inspection Firewall Operation I
[Figure: internal client PC 60.55.33.12 and external webserver 123.80.5.34, with the stateful firewall between them. 1. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80. 2. The firewall establishes the connection in its connection table (note: outgoing connections are allowed by default). 3. The TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80 is forwarded to the webserver.]
Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
Figure 5-9: Stateful Inspection Firewall Operation I
[Figure, continued: 4. TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 arrives at the firewall. 5. The firewall checks its connection table: the connection is OK. 6. The TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600 is forwarded to the internal client PC.]
Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
  For UDP, also record the two IP addresses and port numbers in the state table
Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls Are Stateless
  Filter one packet at a time, in isolation
  If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
  But stateful firewalls can (Figure 5-10)
Figure 5-10: Stateful Firewall Operation II
[Figure: an attacker spoofing external webserver 10.5.3.4 sends, as step 1, a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to internal client PC 60.55.33.12:64640. Step 2: the stateful firewall checks its connection table, finds no connection match, and drops the segment.]
Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls Are Stateless
  Filter one packet at a time, in isolation
  Cannot deal with port-switching applications
  But stateful firewalls can (Figure 5-11)
Figure 5-11: Port-Switching Applications with Stateful Firewalls
[Figure: internal client PC 60.55.33.12 and external FTP server 123.80.5.34, with the stateful firewall between them. 1. TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21. 2. The firewall establishes the connection in its state table. 3. The TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 is forwarded to the FTP server.]
State Table
Type  Internal IP   Internal Port  External IP   External Port  Status  Added
TCP   60.55.33.12   62600          123.80.5.34   21             OK      Step 2
Figure 5-11: Port-Switching Applications with Stateful Firewalls
[Figure, continued: 4. TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600 arrives, carrying the instruction "Use ports 20 and 55336 for data transfers". 5. To allow the data transfer, the firewall establishes a second connection in its state table. 6. The TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, with the same instruction, is forwarded to the internal client PC.]
State Table
Type  Internal IP   Internal Port  External IP   External Port  Status  Added
TCP   60.55.33.12   62600          123.80.5.34   21             OK      Step 2
TCP   60.55.33.12   55336          123.80.5.34   20             OK      Step 5
Figure 5-8: Stateful Inspection Firewalls
Stateful Inspection Access Control Lists (ACLs)
  Primarily allow or deny applications
  Simple, because probing attacks that are not part of conversations do not need specific rules: they are dropped automatically
  In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
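The connection-table behaviour of Figures 5-8 through 5-11 can be shown in one small model. The following is an added example, not the textbook's code: an outgoing TCP SYN or UDP datagram from the trusted side creates a table entry, later packets that match an entry pass, inbound packets with no entry are dropped (the spoofed SYN/ACK of Figure 5-10), and an FTP control reply announcing data ports opens the second entry of Figure 5-11. The internal address range (60.55.0.0/16), the Packet fields, the method names and the stylized "Use Ports 20 and 55336 for Data Transfers" text (real FTP uses a PORT command) are assumptions made to follow the figures.

```python
"""Stateful inspection firewall modelled on Figures 5-8 to 5-11.

Added example, not textbook code. INTERNAL_NET, the Packet fields and the
stylized FTP port announcement are assumptions made to follow the figures.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INTERNAL_NET = ip_network("60.55.0.0/16")   # assumed trusted range holding 60.55.33.12
FTP_ANNOUNCE = re.compile(r"Use Ports (\d+) and (\d+) for Data Transfers")  # stylized, per Figure 5-11

# Connection table key: (type, internal IP, internal port, external IP, external port)
ConnKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}     # key -> status ("OK")

    @staticmethod
    def _internal(addr: str) -> bool:
        return ip_address(addr) in INTERNAL_NET

    def _key(self, p: Packet) -> ConnKey:
        """Normalize a packet in either direction to the table's internal/external order."""
        if self._internal(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        outbound = self._internal(p.src)
        if key in self.table:
            # Part of an open connection: pass with little further inspection.
            if p.proto == "TCP" and not outbound and key[4] == 21:
                self._learn_ftp_data_connection(key, p.payload)
            return "PASS"
        opens_connection = p.proto == "UDP" or (p.syn and not p.ack)
        if outbound and opens_connection:
            # Default policy: connections from internal clients are allowed (Figure 5-9).
            self.table[key] = "OK"
            return "PASS"
        # No matching connection, e.g. a spoofed SYN/ACK (Figure 5-10) or an unsolicited SYN.
        return "DROP"

    def _learn_ftp_data_connection(self, control_key: ConnKey, payload: str) -> None:
        """Figure 5-11: the FTP control reply names the data ports; add the second entry."""
        m = FTP_ANNOUNCE.search(payload)
        if m:
            server_port, client_port = int(m.group(1)), int(m.group(2))
            _, int_ip, _, ext_ip, _ = control_key
            self.table[("TCP", int_ip, client_port, ext_ip, server_port)] = "OK"


def run_figures() -> Tuple[Dict[str, str], Dict[ConnKey, str]]:
    """Replay the packets of Figures 5-9, 5-8 (UDP), 5-10 and 5-11 and return the decisions."""
    fw = StatefulFirewall()
    d: Dict[str, str] = {}
    d["5-9 step 1 SYN out"] = fw.handle(Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True))
    d["5-9 step 4 SYN/ACK in"] = fw.handle(Packet("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True))
    d["5-8 UDP out"] = fw.handle(Packet("UDP", "60.55.33.12", 63206, "1.8.33.4", 69))
    d["5-8 UDP reply in"] = fw.handle(Packet("UDP", "1.8.33.4", 69, "60.55.33.12", 63206))
    d["5-10 spoofed SYN/ACK"] = fw.handle(Packet("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True))
    d["5-11 FTP control SYN out"] = fw.handle(Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn=True))
    d["5-11 FTP control SYN/ACK in"] = fw.handle(Packet(
        "TCP", "123.80.5.34", 21, "60.55.33.12", 62600, syn=True, ack=True,
        payload="Use Ports 20 and 55336 for Data Transfers"))
    d["5-11 FTP data SYN in"] = fw.handle(Packet("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn=True))
    d["unsolicited SYN in"] = fw.handle(Packet("TCP", "123.80.5.34", 20, "60.55.33.12", 55337, syn=True))
    return d, fw.table


if __name__ == "__main__":
    decisions, table = run_figures()
    for name, verdict in decisions.items():
        print(f"{name:30s} {verdict}")
    for key, status in table.items():
        print(key, status)
```

The data-connection SYN from the FTP server is accepted only because the firewall read the control channel and added an entry for ports 20 and 55336 first; the identical SYN aimed at port 55337 is dropped.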
Firewalls
Types of Firewalls
Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-12: Network Address Translation (NAT)
[Figure: client 192.168.5.7 sits behind a NAT firewall; a server host and a sniffer are on the Internet. 1. Packet from 192.168.5.7, port 61000. 2. The packet leaves the NAT firewall from 60.5.9.8, port 55380, which is all the sniffer can see. 3. Reply to 60.5.9.8, port 55380. 4. The reply is delivered to 192.168.5.7, port 61000.]
Translation Table
Internal IP Addr  Internal Port  External IP Addr  External Port
192.168.5.7       61000          60.5.9.8          55380
. . .             . . .          . . .             . . .
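The translation table above is the whole mechanism: an outgoing packet gets the firewall's external address and a fresh external port, the pairing is remembered, and a reply is translated back only if its destination port is in the table. The following is an added example, not the textbook's code, that implements the table for Figure 5-12 and also shows why the port must be rewritten: two internal clients that happen to use the same source port get distinct external ports. The server address 123.80.5.34, the second client 192.168.5.8, the sequential port allocation and the method names are assumptions not given in the figure.

```python
"""NAT translation table modelled on Figure 5-12.

Added example, not textbook code. Sequential external-port allocation, the
server address and the second client address are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, external_ip: str, first_port: int = 55380) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (internal IP, internal port) -> external port, and the reverse map
        self.outgoing: Dict[Tuple[str, int], int] = {}
        self.incoming: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite source address and port; remember the mapping for the reply."""
        key = (p.src, p.sport)
        if key not in self.outgoing:
            ext_port = self._next_port
            self._next_port += 1
            self.outgoing[key] = ext_port
            self.incoming[ext_port] = key
        return replace(p, src=self.external_ip, sport=self.outgoing[key])

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite destination back to the internal host, or None if there is no entry."""
        if p.dst != self.external_ip:
            return None
        entry = self.incoming.get(p.dport)
        if entry is None:
            return None                  # unsolicited packet: no translation, dropped
        return replace(p, dst=entry[0], dport=entry[1])

    def translation_table(self) -> List[Tuple[str, int, str, int]]:
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.outgoing.items()]


def run_figure_5_12():
    nat = NatFirewall("60.5.9.8")
    server = "123.80.5.34"                           # constructed; the figure does not name the server
    step2 = nat.translate_outbound(Packet("192.168.5.7", 61000, server, 80))   # steps 1 -> 2
    step4 = nat.translate_inbound(Packet(server, 80, "60.5.9.8", 55380))       # steps 3 -> 4
    # A second client reusing port 61000 must not collide with the first mapping.
    other = nat.translate_outbound(Packet("192.168.5.8", 61000, server, 80))
    stray = nat.translate_inbound(Packet(server, 80, "60.5.9.8", 55382))       # no entry
    return step2, step4, other, stray, nat.translation_table()


if __name__ == "__main__":
    for item in run_figure_5_12():
        print(item)
```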
Firewalls
Types of Firewalls
Inspection Methods
  Static Packet Inspection
  Stateful Packet Inspection
  NAT
  Application Firewalls
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-13: Application Firewall Operation
[Figure: client PC 192.168.6.77 running a browser; application firewall 60.45.2.6 running an HTTP proxy, an FTP proxy and an SMTP (e-mail) proxy; webserver 123.80.5.34 running the webserver application. 1. HTTP request from 192.168.6.77. 2. Filtering. 3. Examined HTTP request from 60.45.2.6. 4. HTTP response to 60.45.2.6. 5. Filtering. 6. Examined HTTP response to 192.168.6.77. The HTTP proxy filters on POST outbound and on hostname, URL, MIME type, etc. inbound; the FTP proxy performs outbound filtering on PUT; the SMTP proxy performs inbound and outbound filtering on obsolete commands and content.]
Figure 5-14: Header Destruction With Application Firewalls
[Figure: an arriving packet from attacker 1.2.3.4 (original IP header, original TCP header, application message (HTTP)) reaches application firewall 60.45.2.6. The firewall strips the original headers from the arriving packet and creates a new packet with new IP and TCP headers around the application message (HTTP), which it sends on to webserver 123.80.5.34. This stops all header-based packet attacks.]
Figure 5-15: Protocol Spoofing
[Figure: a Trojan horse on internal client PC 60.55.33.12 communicates with attacker 1.2.3.4. 1. The Trojan transmits on port 80 to get through a simple packet filter firewall. 2. The application firewall sees that the protocol is not HTTP and stops the transmission.]
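Figures 5-14 and 5-15 describe two consequences of proxying the application message rather than forwarding packets: the original IP and TCP headers never reach the server, and traffic on port 80 that is not actually HTTP cannot be relayed at all. The following is an added example, not the textbook's code, of an HTTP proxy step that parses the request, refuses anything that does not parse as HTTP, and re-emits the message inside a packet whose headers are the firewall's own. The header dictionaries, the crafted IP/TCP option bytes and the non-HTTP payload are constructed sample data; only the addresses 192.168.6.77, 60.45.2.6 and 123.80.5.34 come from the figures.

```python
"""Application-firewall HTTP proxy step: header destruction (Figure 5-14)
and rejection of non-HTTP traffic on port 80 (Figure 5-15).

Added example, not textbook code. Header dicts and sample payloads are
constructed; only the three addresses come from the figures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIREWALL_IP = "60.45.2.6"
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) (\S+) (HTTP/1\.[01])$")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")     # RFC 7230 header-name characters


@dataclass(frozen=True)
class Packet:
    ip_hdr: Dict[str, object]     # e.g. src, dst, ttl, options
    tcp_hdr: Dict[str, object]    # e.g. sport, dport, flags, options
    app_msg: bytes


def parse_http_request(msg: bytes):
    """Return (method, target, version, headers, body) or None if this is not HTTP."""
    head, sep, body = msg.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            return None
        headers.append((name.decode("ascii"), value.strip().decode("latin-1")))
    return m.group(1).decode("ascii"), m.group(2).decode("ascii"), m.group(3).decode("ascii"), headers, body


def proxy_outbound(pkt: Packet, server_ip: str, new_sport: int = 40000) -> Tuple[str, Optional[Packet]]:
    """Inspect the application message, then forward it in a brand-new packet.

    Nothing from the arriving IP or TCP header is copied: the firewall's own
    addresses, ports and (empty) options are used, so header-based attacks stop here.
    """
    if pkt.tcp_hdr.get("dport") != 80:
        return "DROP", None           # this proxy only relays plain HTTP
    parsed = parse_http_request(pkt.app_msg)
    if parsed is None:
        return "DROP", None           # Figure 5-15: port 80, but the protocol is not HTTP
    method, target, version, headers, body = parsed
    rebuilt = (f"{method} {target} {version}\r\n".encode("ascii")
               + b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in headers)
               + b"\r\n" + body)
    new_pkt = Packet(
        ip_hdr={"src": FIREWALL_IP, "dst": server_ip, "ttl": 64, "options": b""},
        tcp_hdr={"sport": new_sport, "dport": 80, "flags": "PSH,ACK", "options": b""},
        app_msg=rebuilt,
    )
    return "PASS", new_pkt


def run_figure_examples():
    # Constructed arriving headers carrying odd IP and TCP options the server must never see.
    ip_hdr = {"src": "192.168.6.77", "dst": "123.80.5.34", "ttl": 255, "options": b"\x44\x04\x05\x00"}
    tcp_hdr = {"sport": 61000, "dport": 80, "flags": "PSH,ACK", "options": b"\xfe\x02"}
    legit = Packet(ip_hdr, tcp_hdr, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n")
    not_http = Packet(ip_hdr, tcp_hdr, b"\x17\x03BEACON id=42 cmd=poll\n")   # constructed non-HTTP bytes on port 80
    return proxy_outbound(legit, "123.80.5.34"), proxy_outbound(not_http, "123.80.5.34")


if __name__ == "__main__":
    for action, pkt in run_figure_examples():
        print(action, pkt)
```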
Figure 5-16: Circuit Firewall
[Figure: external client 123.30.82.5, circuit firewall (SOCKS v5) 60.34.3.31, webserver 60.80.5.34. 1. Authentication of the external client to the circuit firewall. 2. Transmission. 3. Passed transmission: no filtering. 4. Reply. 5. Passed reply: no filtering.]
Firewalls
Types of Firewalls
Inspection Methods
Firewall Architecture
  Single site in large organization
  Home firewall
  SOHO firewall router
  Distributed firewall architecture
Configuring, Testing, and Maintenance
Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site
[Figure: 1. Screening router 60.47.1.1 facing the Internet; last rule = Permit All. 2. Main firewall; last rule = Deny All. 3. Internal firewall on the 172.18.9.x subnet. 4. Client host firewall on a marketing client on the 172.18.5.x subnet. 5. Server host firewall on an accounting server on the 172.18.7.x subnet. 6. DMZ containing the public webserver 60.47.3.9, an SMTP relay proxy 60.47.3.10, an HTTP proxy server 60.47.3.1 and an external DNS server 60.47.3.4.]
Figure 5-18: Home Firewall
[Figure: a home PC running a PC firewall connects by UTP cord to a broadband modem, which connects by coaxial cable over an always-on connection to the Internet service provider.]
Figure 5-19: SOHO Firewall Router
[Figure: a broadband modem (DSL or cable) connects to the Internet service provider. Behind it, a SOHO router acts as router, DHCP server, NAT firewall and limited application firewall, and feeds an Ethernet switch to which the user PCs attach by UTP. Many access routers combine the router and Ethernet switch in a single box.]
Figure 5-20: Distributed Firewall Architecture
[Figure: the firewalls at Site A and Site B and a home PC firewall, all reachable over the Internet, are administered from a single management console.]
Figure 5-21: Other Security Architecture Issues
Host and Application Security (Chapters 6 and 9)
Antivirus Protection (Chapter 4)
Intrusion Detection Systems (Chapter 10)
Virtual Private Networks (Chapter 8)
Policy Enforcement System
Firewalls
Types of Firewalls
Inspection Methods
Firewall Architecture
Configuring, Testing, and Maintenance
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Firewall Misconfiguration Is a Serious Problem
  ACL rules must be executed in series
  Easy to make misordering problems
  Easy to make syntax errors
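Because rules are executed in series, a rule placed after a broader rule with the same match can never fire; if the two actions differ, the policy silently changes. The following is an added example, not the textbook's code, that checks an ACL for exactly this: it encodes rules 5 through 13 of the Figure 5-7 egress ACL as field constraints and reports any rule completely covered by an earlier one. The correct order has no shadowed rule; exchanging rules 8 and 9 makes rule 9's DENY on ports 0 through 49151 swallow rule 8's PERMIT for the public webserver's replies on 80 and 443. The Rule representation and function names are assumptions; rules 1 through 4 are omitted because rule 4 is a negation this simple model does not encode, and the port range stops at 65535 where the slide writes 65,536.

```python
"""Shadowed-rule check for a serially evaluated ACL (Figure 5-22's misordering problem),
run on rules 5-13 of the Figure 5-7 egress ACL.

Added example, not textbook code. The Rule fields and helper names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None   # an unconstrained field


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    comment: str = ""
    proto: Optional[FrozenSet[str]] = ANY
    src: Optional[Tuple[str, ...]] = ANY          # source networks in CIDR form
    sport: Optional[FrozenSet[int]] = ANY
    flags: FrozenSet[str] = frozenset()           # TCP flags that must be set
    icmp_type: Optional[FrozenSet[int]] = ANY


def _covers_set(a, b) -> bool:
    return a is ANY or (b is not ANY and b <= a)


def _covers_src(a, b) -> bool:
    if a is ANY:
        return True
    if b is ANY:
        return False
    nets_a = [ip_network(n) for n in a]
    return all(any(ip_network(nb).subnet_of(na) for na in nets_a) for nb in b)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a (a requires no more than b)."""
    return (_covers_set(a.proto, b.proto) and _covers_src(a.src, b.src)
            and _covers_set(a.sport, b.sport) and a.flags <= b.flags
            and _covers_set(a.icmp_type, b.icmp_type))


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int, bool]]:
    """Return (shadowed rule, earlier covering rule, actions differ) for rules that can never fire."""
    found = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if covers(earlier, later):
                found.append((later.number, earlier.number, earlier.action != later.action))
                break
    return found


def swapped(acl: List[Rule], n1: int, n2: int) -> List[Rule]:
    """Copy of the ACL with rules n1 and n2 exchanged (a constructed misordering)."""
    numbers = [r.number for r in acl]
    i, j = numbers.index(n1), numbers.index(n2)
    out = list(acl)
    out[i], out[j] = out[j], out[i]
    return out


LOW = frozenset(range(0, 49152))        # well-known and registered ports
HIGH = frozenset(range(49152, 65536))   # dynamic ports (valid ports end at 65535)
TCP, UDP, ICMP = frozenset({"TCP"}), frozenset({"UDP"}), frozenset({"ICMP"})

EGRESS_5_TO_13: List[Rule] = [
    Rule(5, "PASS", "allow outgoing echo messages", proto=ICMP, icmp_type=frozenset({8})),
    Rule(6, "DENY", "drop all other outgoing ICMP messages", proto=ICMP),
    Rule(7, "DENY", "do not allow outgoing resets", proto=TCP, flags=frozenset({"RST"})),
    Rule(8, "PERMIT", "public webserver", proto=TCP, src=("60.47.3.9/32",), sport=frozenset({80, 443})),
    Rule(9, "DENY", "well-known and registered ports", proto=TCP, sport=LOW),
    Rule(10, "DENY", "well-known and registered ports", proto=UDP, sport=LOW),
    Rule(11, "PASS", "allow outgoing client connections", proto=TCP, sport=HIGH),
    Rule(12, "PERMIT", "allow outgoing client connections", proto=UDP, sport=HIGH),
    Rule(13, "DENY", "deny all"),
]


def check_figure_5_7():
    return shadowed_rules(EGRESS_5_TO_13), shadowed_rules(swapped(EGRESS_5_TO_13, 8, 9))


if __name__ == "__main__":
    correct, misordered = check_figure_5_7()
    print("as listed:", correct)
    print("rules 8 and 9 exchanged:", misordered)
```

Running the check before deploying a rule set catches the silent kind of misordering; syntax errors, the other problem named above, are caught by the firewall's own parser, but a shadowed rule loads without complaint.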
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Create Policies Before ACLs
  Policies are easier to read than ACLs
  Can be reviewed by others more easily than ACLs
  Policies drive ACL development
  Policies also drive testing
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Must Test Firewalls with Security Audits
  Only way to tell if policies are being supported
  Must be driven by policies
Maintaining Firewalls
  New threats appear constantly
  ACLs must be updated constantly if the firewall is to be effective
Figure 5-23: FireWall-1 Modular Management Architecture
[Figure: application modules (GUIs) let administrators create and edit policies and read log files. A management module stores the policies and stores the log files. Firewall modules enforce policy and send log entries: policy flows from the management module down to each firewall module, and log file entries flow from the firewall modules up to the management module, where the log file data is read through the GUI.]
Figure 5-24: FireWall-1 Service Architecture
[Figure: 1. Arriving packet from the external server reaches the FireWall-1 firewall. 2. Statefully filtered packet. 3. DoS protection and optional authentications. 4. The Content Vectoring Protocol hands the packet to a third-party application inspection firewall. 5. The statefully filtered packet, plus application inspection, is delivered to the internal client.]
Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls
[Figure: the Internet is assigned security level outside = 0; the internal network is assigned security level inside = 100; a network behind a router is assigned security level = 60. Connections are allowed from more secure networks to less secure networks: a connection from a higher-level network to a lower-level one is automatically accepted, and a connection from a lower-level network to a higher-level one is automatically rejected.]