Principles and Practice of Modern Information Security
Provided by: naderme

1
Principles and Practice of Modern Information
Security
  • 5. Firewalls
  • Overview of firewalls
  • What is a firewall
  • Why are they needed
  • Their limitations
  • Types of firewalls
  • Services provided by firewalls
  • Packet filtering firewalls
  • Application proxy firewalls
  • Hybrid firewalls
  • Sample firewall architectures
  • Trivial packet filtering example
  • Typical Internet firewall architectures
  • References

2
Overview of firewalls
  • What is a firewall?
  • Collection of components placed between two networks that collectively have the following properties:
  • all traffic from inside to outside, and vice-versa, must pass through the firewall
  • only authorized traffic, as defined by the local security policy, will be allowed to pass
  • the firewall itself is immune to penetration

Source: Firewalls and Internet Security, Cheswick and Bellovin, 1994
3
Overview of firewalls (cont.)
  • Why do I need a firewall?
  • Protect corporate network from external threats
  • Prevent unauthorized use of company assets
  • Help enforce company security policy
  • Enable access to required facilities and
    resources
  • Limit exposure if network is compromised
    (internal firewalls)
  • Provide valuable audit trails and logging
    information
  • Firewall Limitations
  • Can't protect against attacks which do not go through the firewall
  • Limited use against viruses (can utilize handoff hosts to perform virus scanning)
  • Can't protect against data-driven attacks

4
Overview of firewalls (cont.)
  • Types
  • Packet filters (network layer)
  • Application proxy firewalls (application layer)
  • Hybrid firewalls (application layer)
  • Services Provided
  • Primary
  • Access control
  • Secondary
  • Authentication
  • Privacy (Virtual Private Networks)

5
OSI and TCP/IP Models
OSI layer            TCP/IP layer                                              Examples
7  Application       Application Layer (OSI 5, 6, 7)                           telnet, ftp, SMTP, NNTP, HTTP, SNMP
6  Presentation
5  Session
4  Transport         Transport Layer (OSI 4)                                   TCP, UDP
3  Network           Internetwork Layer, or Network Layer (OSI 3)              IP
2  Data Link         Network Interface Layer, or Networks Layer, or            Ethernet, Token Ring, ATM, T1, X.25, Frame Relay
1  Physical          Link Layer, or Physical/Data Link Layer (OSI 1, 2)
6
Packet Filtering Firewalls
  • Traditional domain of network level firewalls
  • Operate at the network layer of the TCP/IP model
  • Route packets based on filtering rules as they pass through the firewall's interfaces
  • Filter on some or all of the following:
  • IP source and destination address
  • Protocol (TCP/UDP)
  • TCP/UDP source and destination port
  • Source and destination interface on the firewall device
  • Example: Traditional network router

7
Packet Filtering Firewalls (cont.)
  • Advantages
  • Fast
  • Transparent to users
  • Inexpensive: capabilities exist in existing networking equipment
  • Disadvantages
  • No visibility into application data
  • Lack of context or state information
  • Cumbersome to implement
  • Limited logging capability

8
Packet Filtering Firewalls (cont.)
9
Application Proxy Firewalls
  • Computers running as proxy servers
  • Operate at the application layer of the TCP/IP
    model
  • Do not route traffic between networks
  • Mediate traffic between networks
  • Only services which have a proxy pass through the firewall
  • Example: NAI Gauntlet

10
Application Proxy Firewalls (cont.)
  • Advantages
  • Robust authentication and logging
  • Visibility into application data
  • Higher level of security than packet filters
  • Disadvantages
  • Need separate proxy application software
    developed for every desired service
  • Performance overhead
  • Not transparent to user

11
Application Proxy Firewalls (cont.)
12
Hybrid Firewalls
  • Attempt to provide benefits of packet filtering
    and application gateways
  • Operate at network, transport, and application
    layers of TCP/IP model
  • Maintain connection context information
    internally
  • Treat packets in context of a session, not
    individually
  • Can use combination of packet filtering and
    application proxies
  • Example: Checkpoint Firewall-1
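The "treat packets in the context of a session" idea is easiest to see with a connection table. The following is an added example written for this page, not code from the slides or from any product named on them: a toy stateful firewall in Python that records flows opened from the inside and admits only the matching reply packets from the outside. The addresses, port numbers and the "inside"/"outside" interface labels are constructed samples (203.0.113.0/24 is a documentation range).

```python
# Added example (not from the slide deck): a toy stateful firewall that keeps
# a connection table so packets are judged in the context of a session instead
# of one at a time. All addresses and ports below are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "inside"   # interface the packet arrived on: "inside" or "outside"
    syn: bool = False       # TCP SYN, i.e. a new connection attempt
    fin: bool = False       # TCP FIN, i.e. the session is closing


class StatefulFirewall:
    """Lets inside hosts open sessions to permitted services and lets the
    matching reply packets back in; everything else is denied."""

    def __init__(self, allowed_outbound: Set[Tuple[str, int]]):
        self.allowed_outbound = allowed_outbound  # {(proto, dport), ...}
        self.sessions: Dict[FlowKey, int] = {}    # flow -> packets seen

    def handle(self, pkt: Packet) -> str:
        forward: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Packets belonging to a known session pass in either direction.
        for key in (forward, reverse):
            if key in self.sessions:
                self.sessions[key] += 1
                if pkt.fin:
                    # Toy teardown: forget the flow so nothing rides on a closed session.
                    del self.sessions[key]
                return "permit (established)"

        # No session yet: only inside hosts may open one, only to permitted
        # services, and for TCP only with a SYN (a stray ACK is not a reply).
        if (pkt.iface == "inside"
                and (pkt.proto, pkt.dport) in self.allowed_outbound
                and (pkt.proto != "tcp" or pkt.syn)):
            self.sessions[forward] = 1
            return "permit (new)"
        return "deny"


def demo() -> List[str]:
    """Run a constructed packet sequence through the firewall and return the verdicts."""
    fw = StatefulFirewall({("tcp", 80), ("tcp", 443), ("udp", 53)})
    seq = [
        Packet("tcp", "192.168.21.50", 40000, "203.0.113.5", 80, syn=True),            # client opens HTTP
        Packet("tcp", "203.0.113.5", 80, "192.168.21.50", 40000, iface="outside"),     # server reply
        Packet("tcp", "203.0.113.5", 80, "192.168.21.51", 40000, iface="outside"),     # no such session
        Packet("tcp", "203.0.113.5", 4444, "192.168.21.50", 22, iface="outside", syn=True),  # inbound attempt
        Packet("tcp", "192.168.21.50", 40001, "203.0.113.5", 80),                      # inside, but no SYN
        Packet("tcp", "192.168.21.50", 40000, "203.0.113.5", 80, fin=True),            # client closes
        Packet("tcp", "203.0.113.5", 80, "192.168.21.50", 40000, iface="outside"),     # late reply, session gone
    ]
    return [fw.handle(p) for p in seq]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third and seventh packets are the ones a stateless filter cannot tell apart from legitimate replies: both look like "port 80 to an internal host", and only the session table knows that no inside host asked for them. Real products also age entries out on a timer and check TCP sequence numbers; this toy omits both to keep the context-tracking idea visible.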

13
Hybrid Firewalls (cont.)
  • Advantages
  • Robust authentication and logging
  • Network address translation
  • Visibility to application data
  • Maintain session context
  • GUI driven configuration
  • Disadvantages
  • Need specialized software
  • Performance overhead
  • May not be transparent to user

14
A Trivial Packet Filter Example
15
A Trivial Packet Filter Example (cont.)
  • Communications requirements
  • Based on functional requirements
  • Based on company policy
  • NOTE: this configuration is used as a trivial example and is not recommended for production implementation.

16
A Trivial Packet Filter Example (cont.)
  • Access control lists (ACLs) applied to the appropriate interfaces
  • Serial 0 interface example (apply as inbound ACL):
  • access-list 101 deny ip 10.1.1.0 0.0.0.255 any log
  • access-list 101 deny ip 192.168.20.0 0.0.0.255 any log
  • access-list 101 deny ip 192.168.21.0 0.0.0.255 any log
  • access-list 101 permit udp any host 192.168.20.1 eq domain log
  • access-list 101 permit tcp any host 192.168.21.1 eq www log
  • access-list 101 permit tcp any host 192.168.21.1 eq 443 log
  • access-list 101 deny ip any any log
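To show how the packet-filter matching from slide 6 (source/destination address, protocol, port) and this ACL's top-down, first-match evaluation play out, here is an added example written for this page, not code from the slides or from Cisco: a small Python simulator that parses the seven ACL lines above and evaluates constructed sample packets against them. The sample source addresses (203.0.113.5 is a documentation range) and the internal client 192.168.21.50 are assumptions; the ACL text itself is copied from the slide.

```python
# Added example (not from the slide deck): a small simulator for the Cisco-style
# extended ACL on slide 16. It demonstrates stateless packet filtering on
# addresses, protocol and destination port, evaluated top-down with first match
# winning and an implicit deny when nothing matches.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copy of the slide's ACL, embedded so the script runs stand-alone.
ACL_101 = """
access-list 101 deny ip 10.1.1.0 0.0.0.255 any log
access-list 101 deny ip 192.168.20.0 0.0.0.255 any log
access-list 101 deny ip 192.168.21.0 0.0.0.255 any log
access-list 101 permit udp any host 192.168.20.1 eq domain log
access-list 101 permit tcp any host 192.168.21.1 eq www log
access-list 101 permit tcp any host 192.168.21.1 eq 443 log
access-list 101 deny ip any any log
"""

# Service names used on the slide, mapped to port numbers.
PORT_NAMES = {"domain": 53, "www": 80}


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", None if absent
    log: bool                    # whether the "log" keyword is present


def parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask:
    # 0.0.0.255 means "ignore the last octet", i.e. a /24.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [eq <port>] [log]' line."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    rest = tokens[4:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        rest.pop(0)
        port = rest.pop(0)
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    log = bool(rest) and rest[0] == "log"
    return Rule(action, proto, src, dst, dport, log)


def load_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). First match wins; a packet
    matching no rule hits the implicit deny, reported with index None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(rules):
        if rule.proto not in ("ip", proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, i
    return "deny", None


if __name__ == "__main__":
    rules = load_acl(ACL_101)
    # Constructed sample packets arriving inbound on Serial 0 (from the Internet).
    samples = [
        ("tcp", "203.0.113.5", "192.168.21.1", 80),     # web request to the web server
        ("udp", "203.0.113.5", "192.168.20.1", 53),     # DNS query to the DNS server
        ("tcp", "203.0.113.5", "192.168.21.1", 22),     # SSH to the web server: no permit
        ("tcp", "10.1.1.7", "192.168.21.1", 80),        # internal address arriving from outside
        ("tcp", "203.0.113.5", "192.168.21.50", 40000), # reply to an internal client
    ]
    for pkt in samples:
        action, idx = evaluate(rules, *pkt)
        print(f"{pkt} -> {action} (rule {idx})")
```

The first three deny lines are anti-spoofing rules: a packet with an internal source address should never arrive on the external interface. The last sample packet illustrates the "lack of context or state information" disadvantage from slide 7: a server's reply to a connection that an internal client opened has no matching permit, so this inbound ACL drops it, and a stateless filter has no way to tell such a reply from a fresh inbound connection.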

17
Typical Internet Architecture (simplistic)
18
References
  • Books
  • D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, O'Reilly and Associates, 1995.
  • William Cheswick and Steven Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley, 1994.
  • WWW URLs
  • http://www.checkpoint.com - Checkpoint (Firewall-1) vendor specific web site, contains general firewall info.
  • http://www.nai.com - Network Associates (Gauntlet) vendor specific web site, contains general firewall info.
  • http://www.icsa.net/html/communities/firewalls/index.shtml - Security association with certification programs and numerous technology links (including firewall buyers guide).
  • http://www.gocsi.com/ - The Computer Security Institute, training and educational materials on information security.
  • http://www.cert.org/security-improvement/ - Recommendations for improving particular aspects of information security.