FIREWALLS - PowerPoint PPT Presentation

1
FIREWALLS
  • BY
  • ARCHANA ANNAMANENI

2
  • WHAT IS A FIREWALL
  • Firewalls are used to create security checkpoints
    at the boundaries of private networks by
    providing the routing function between the
    private network and the internet.
  • Firewalls inspect all communications passing
    between the two networks and either pass or drop
    them depending on how they match the programmed
    policy rules.
  • If the firewall is properly configured and
    contains no serious exploitable bugs, the
    network will be as free of risk as possible.

3
  • FIREWALL COMPONENTS
  • The following are the two basic methods used to
    create a network firewall.
  • All other techniques are simply variations on
    these two basic methods.
  • Packet Filtering
  • Rejects TCP/IP packets from unauthorized hosts
    and rejects connection attempts to unauthorized
    services.
  • Application Gateway
  • An application gateway is a software program
    that runs on the firewall to intercept traffic
    for a specific kind of application.
  • Other Firewall Components
  • Each of the above methods has its own strengths
    and weaknesses.
  • The other firewall components combine the above
    two methods to produce a more secure firewall
    solution.
  • e.g. Bastion host and DMZ

4
  • Types Of Attack
  • Denial-of-service Attacks
  • The goal of the attacker is usually one of the
    following
  • Overload a limited resource
  • Crash a network device or host computer
  • Reconfigure a resource to render it useless
  • SYN Flooding
  • The SYN flag field in the TCP header is used to
    start a connection request.
  • The ACK flag field is used to acknowledge a
    packet.
  • If the sender of the initial connection request
    uses a spoofed IP address as the source address
    of its first packet, the destination host tries
    to send an acknowledgement, but it never reaches
    the source host; the connection eventually times
    out and the destination host releases the memory
    used by the connection.

5
  • This is the mechanism used to cause a SYN flood.
  • The attacking host keeps sending connection
    request messages with a source IP address that
    is unreachable or does not exist.
  • IP Spoofing
  • Spoofing means that a malicious user can send out
    packets with a source address of the user's
    choosing.
  • This means that the firewall might receive
    packets that it thinks are coming from a trusted
    host or network but that are in fact being
    generated by someone who wants to get data into
    one's local network.

6
ICMP Redirect
  • A field in each ICMP packet defines the message
    type.
  • Routers make use of one of the ICMP functions,
    the redirect message type, to tell another router
    that they know a better path to a destination.
    This message type can be exploited by hackers to
    cause problems.
  • To prevent this, the firewall should block all
    incoming ICMP redirect messages.

7
  • OS CONCERNS
  • A firewall does not have to run on the same
    operating system as the desktops or servers.
  • The choice of firewall should be based on the
    features it offers to enforce the security policy
    requirements of one's own network.
  • The second important factor in choosing a
    firewall is OS familiarity.
  • That is, the administrator should be familiar
    with the user interface and should know how to
    configure the firewall correctly.

8
  • What A Firewall Can Do
  • Protection from insecure protocols and services
  • Keeps information about users, systems, network
    addresses
  • Provides audit trails (via log files) containing
    security and statistical data that can be used to
    ensure that the network is safe and operating in
    an efficient manner.
  • Provides centralized management of network
    security as it relates to the outside world.
  • What A Firewall Cannot Protect Network From
  • Viruses
  • Trojan Horses
  • Social engineering
  • Incompetence
  • Insider attacks

9
Packet Filtering
  • Packet Filters are the first kind of firewall
    developed to protect a network from the
    internet.
  • Routers are configured to allow or deny packets
    from passing through based on rules created by
    the network administrator.
  • When a computer on the network needs to send a
    packet to a computer that sits on a different
    network, it sends the packet to the router's
    address and lets the router determine the best
    method for delivering the information to its
    final destination. The router makes these
    decisions depending on the addressing information
    it finds in the packet's header.
  • A screening router is a router that has been
    configured with a set of rules that specify which
    kinds of network traffic are allowed to come in
    or go out through it.
  • That is, after the router has decided that it can
    deliver the packet, it then consults a set of
    rules that tell it whether it should route the
    packet.

11
  • There are two primary types of packet filtering
  • Stateless packet filtering
  • Stateful inspection packet filters
  • Stateless packet filtering
  • Packet filters are border routers that increase
    security by determining whether or not to forward
    a packet based on information contained in the
    header of every individual packet.
  • Most filters are configured to use the following
    data fields:
  • Protocol type
  • IP address
  • TCP/UDP port
  • Fragment number
  • Source routing information

12
  • Protocol Filtering
  • Protocol filtering filters packets based on the
    content of the IP protocol field.
  • For example, if an organization has a single
    purpose server serving a TCP based service like
    HTTP, then we can filter out all the UDP services.
  • IP address filtering
  • IP address filtering allows connections to (or
    from) specific hosts and networks to be limited
    based on their IP address.
  • Port filtering
  • Instead of having to permit or deny packets based
    only on their source or destination address, and
    thereby allow or disallow all communications, it
    is possible to selectively allow or disallow
    individual services, depending on the port
    number.
  • For example, one might not want to allow their
    users to Telnet to a remote host computer (or
    vice versa), but they might not care if they
    exchange files via anonymous FTP sessions.
  • The following are sample rules to allow incoming
    and outgoing SMTP connections so that email can
    be delivered.

13
  Rule  Direction  Protocol  Saddress  Daddress  Dest.port  Action
  1     Inbound    TCP       external  internal  25         allow
  2     Outbound   TCP       internal  external  1024       allow
  3     Outbound   TCP       internal  external  25         allow
  4     Inbound    TCP       external  internal  1024       allow
  5     (all other traffic)                                 disallow

  • The above look like a few good rules that will
    keep the internal LAN safe while allowing SMTP
    connections in both directions.
  • But if we look at rules 2 and 4 together, they
    allow a connection, either inbound or outbound,
    for any service that uses ports that are greater
    than 1023.
  • This hole can be used by hackers to communicate
    with a Trojan horse program.
  • To fix this set of rules, we need to specify the
    source port in addition to the destination port.

14
  Rule  Direction  Protocol  Saddress  Daddress  Sou.port  Dest.port  Action
  1     Inbound    TCP       external  internal  1024      25         allow
  2     Outbound   TCP       internal  external  25        1024       allow
  3     Outbound   TCP       internal  external  1024      25         allow
  4     Inbound    TCP       external  internal  25        1024       allow
  5     (all other traffic)                                           disallow

  • In the above set of rules, rules 2 and 4 no
    longer allow a connection between two ports that
    are greater than 1023. Instead, those connections
    must be tied, at one end of the connection, to
    the SMTP port number of 25.
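The two rule sets above, run through a small first-match rule evaluator. This is an added example written for this page, not code from the presentation or its sources; the Packet and Rule types, the ">1023" port notation (taken from the slide's wording "greater than 1023") and the sample packets are constructed here. It shows that the slide 13 set passes a connection with no SMTP end at all, while the slide 14 set denies it:

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (external -> internal) or "outbound"; TCP assumed
    sport: int       # source port
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    direction: str
    sport: Optional[str]   # None = any, "25" = exactly 25, ">1023" = any port above 1023
    dport: Optional[str]
    action: str

def port_matches(spec: Optional[str], port: int) -> bool:
    # Match one port against a rule's port specification.
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    # First matching rule wins; the implicit last rule disallows everything else.
    for r in rules:
        if (r.direction == pkt.direction and port_matches(r.sport, pkt.sport)
                and port_matches(r.dport, pkt.dport)):
            return r.action
    return "disallow"

# Slide 13 rule set: destination port only.
FLAWED = [Rule("inbound", None, "25", "allow"),       # rule 1
          Rule("outbound", None, ">1023", "allow"),   # rule 2
          Rule("outbound", None, "25", "allow"),      # rule 3
          Rule("inbound", None, ">1023", "allow")]    # rule 4
# Slide 14 rule set: source port added, so one end is always port 25.
FIXED = [Rule("inbound", ">1023", "25", "allow"),
         Rule("outbound", "25", ">1023", "allow"),
         Rule("outbound", ">1023", "25", "allow"),
         Rule("inbound", "25", ">1023", "allow")]
# Constructed sample traffic: a real SMTP delivery and a high-port-to-high-port packet.
SMTP_IN = Packet("inbound", sport=40000, dport=25)     # mail arriving from outside
SMTP_BACK = Packet("outbound", sport=25, dport=40000)  # our server's reply to it
HIGH_IN = Packet("inbound", sport=4444, dport=5555)    # no SMTP end at all
def verdicts(rules: List[Rule]) -> List[str]:
    return [evaluate(rules, p) for p in (SMTP_IN, SMTP_BACK, HIGH_IN)]

print("flawed:", verdicts(FLAWED), "fixed:", verdicts(FIXED))
```

Rule 4 of the fixed set still passes any inbound packet whose source port is 25 and whose destination port is above 1023, because a stateless filter cannot tell such a packet from a genuine SMTP reply; that remaining gap is what the stateful inspection described later on this page closes.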

15
Filtering On Other Information
  • Source Routing
  • Source routing is the process of defining the
    exact route a packet must take between hosts in
    an IP connection.
  • It was developed for such uses as debugging
    network problems and other maintenance chores.
  • But this feature can be easily exploited by a
    hacker, because the hacker can put any address in
    the source field and still ensure the packet will
    return by specifying their own machine's address
    in the source route.
  • Firewalls should be configured to drop all
    packets that have the source routing option
    turned on.

16
  • Fragmentation
  • Fragmentation gives any router in the path
    between two hosts the ability to chop up an
    inbound IP packet into multiple packets and then
    forward them on size-constrained networks.
  • The problem with fragmentation is that the most
    useful filter data, the TCP or UDP port number,
    is only provided at the beginning of an IP
    packet, so it is only contained in fragment 0.
    Most early filters therefore simply forwarded all
    subsequent fragments on the assumption that if
    fragment 0 had been dropped, the subsequent
    fragments would be worthless.
  • Many TCP/IP implementations running on internal
    hosts would reassemble the packet if fragments 1
    through n contained a valid TCP packet; this
    means that a hacker could modify his IP stack to
    start all fragment numbers at 1 and effectively
    bypass the filter altogether.
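A filter that applies the advice of slides 15 and 16 together: it drops packets carrying the source routing option and refuses a non-initial fragment unless fragment 0 of the same datagram has already been seen and permitted, so fragments numbered from 1 cannot slip past. This is an added example written for this page, not code from the presentation; the IPPacket fields, the allowed-port list and the sample addresses are constructed here.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ident: int                     # IP identification field, shared by all fragments of one datagram
    frag_offset: int               # 0 for the first fragment
    more_fragments: bool           # MF flag: further fragments follow
    source_routed: bool = False    # source routing option present in the IP header
    dport: Optional[int] = None    # transport header (port), present only in fragment 0

class FragmentAwareFilter:
    """Drops source-routed packets and fragments whose fragment 0 was not permitted."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        # (src, dst, ident) of datagrams whose fragment 0 passed and are still in flight
        self.in_flight: Set[Tuple[str, str, int]] = set()

    def decide(self, pkt: IPPacket) -> str:
        if pkt.source_routed:
            return "drop"                  # slide 15: never honour the source routing option
        key = (pkt.src, pkt.dst, pkt.ident)
        if pkt.frag_offset == 0:
            if pkt.dport not in self.allowed:
                return "drop"
            if pkt.more_fragments:
                self.in_flight.add(key)    # remember so the rest of this datagram may follow
            return "pass"
        # Non-initial fragment: it carries no port, so rely on fragment 0's verdict.
        if key not in self.in_flight:
            return "drop"                  # fragment 0 never seen, or it was dropped
        if not pkt.more_fragments:
            self.in_flight.discard(key)    # last fragment: the datagram is complete
        return "pass"

def demo() -> list:
    # Constructed sample: an allowed HTTP datagram in two fragments, then a stray
    # fragment of a datagram whose fragment 0 never arrived (the bypass described above).
    flt = FragmentAwareFilter(allowed_ports=[25, 80])
    src, dst = "198.51.100.7", "10.10.10.123"
    return [flt.decide(IPPacket(src, dst, ident=1, frag_offset=0, more_fragments=True, dport=80)),
            flt.decide(IPPacket(src, dst, ident=1, frag_offset=1480, more_fragments=False)),
            flt.decide(IPPacket(src, dst, ident=2, frag_offset=1480, more_fragments=False))]

print(demo())   # ['pass', 'pass', 'drop']
```

A legitimate later fragment that arrives before its fragment 0 is also dropped here; a production filter buffers or reassembles fragments rather than relying on arrival order.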

17
  • Stateful inspection packet filters
  • The problem with stateless packet filtering is
    that it makes decisions on a packet-by-packet
    basis, and the administrator cannot create rules
    that filter packets based on the relationship
    between one packet and another.
  • Stateful packet filters solve this problem by
    retaining the state of all the communication
    flowing through the firewall in memory, and using
    that remembered state to determine whether or not
    individual packets should be dropped.

18
  • When a trusted host connects to a TCP socket on
    an external untrusted host, it transmits packets
    that include the IP address and port on which it
    expects to receive a response.
  • When that packet is routed through the stateful
    inspection filter, the filter makes an entry in
    its state table containing the destination
    socket and the response socket, and then forwards
    the packet onto the untrusted network.
  • When the response comes back, the filter can
    simply look up the packet's source and
    destination sockets in its state table, see that
    they match an expected response, and pass the
    packet.
  • If no table entry exists, the packet is dropped
    because it was not requested from inside the
    network.
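The state-table lookup described on this slide, as an added example written for this page (not code from the presentation; the Packet fields, the trusted prefix 10.10.10. and the sample addresses are constructed here). It goes one step beyond the slide by also removing the entry when the connection ends, so a closed connection's sockets cannot be reused from outside:

```python
from dataclasses import dataclass
from typing import Set, Tuple

Socket = Tuple[str, int]   # (IP address, port)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection
    fin: bool = False   # connection teardown (FIN or RST seen)

TRUSTED_PREFIX = "10.10.10."   # constructed: addresses of the internal, trusted network

class StatefulFilter:
    """Passes inbound packets only when they answer a connection opened from inside."""

    def __init__(self) -> None:
        # (internal socket, external socket) pairs currently allowed to exchange packets
        self.state: Set[Tuple[Socket, Socket]] = set()

    def process(self, pkt: Packet) -> str:
        if pkt.src.startswith(TRUSTED_PREFIX):          # outbound packet
            entry = ((pkt.src, pkt.sport), (pkt.dst, pkt.dport))
            if pkt.syn:
                self.state.add(entry)   # record the response socket we expect to see
                return "pass"
        else:                                           # inbound packet
            entry = ((pkt.dst, pkt.dport), (pkt.src, pkt.sport))
        if entry not in self.state:
            return "drop"   # inbound: nobody inside asked for it; outbound: no open connection
        if pkt.fin:
            self.state.discard(entry)   # connection closed: stop accepting packets for it
        return "pass"

def demo() -> list:
    # Constructed sample: a web fetch from inside, its reply, and an unsolicited inbound packet.
    flt = StatefulFilter()
    return [flt.process(Packet("10.10.10.123", 40000, "203.0.113.5", 80, syn=True)),
            flt.process(Packet("203.0.113.5", 80, "10.10.10.123", 40000)),
            flt.process(Packet("203.0.113.9", 4444, "10.10.10.123", 5555, syn=True))]

print(demo())   # ['pass', 'pass', 'drop']
```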

19
  • Advantages
  • Packet filtering is free. If an organization
    already has a router, it probably supports
    packet filtering. On a small LAN a single router
    can be sufficient for use as a packet filter.
  • There is no need to train users or use any
    special client or server programs to implement
    packet filters. The screening router or packet
    filtering host does all the work transparently
    to the clients on the network.
  • Disadvantages
  • Routers can be difficult to configure, especially
    if one tries to use a complex configuration with
    a large number of rules.
  • When a packet filter fails, or is not configured
    correctly, the damage that might be done to the
    network could be much worse than when a proxy
    server fails.
  • Packet filters work on a small set of data, the
    header information in the IP packet. As a result
    a packet filter is limited in the decisions it
    can make.
  • Many packet-filtering routers lack robust logging
    capabilities, so it is difficult to get a lot of
    helpful information when a system has been
    infiltrated or attacked.

21
IP Header Information
22
  • Application Gateways And Proxy Servers
  • Packet filters work at the network and transport
    layers by inspecting IP and other protocol header
    information.
  • Proxy servers, by contrast, work at the
    application layer and can be used to provide a
    variety of services to the network.
  • An application gateway or application proxy is a
    software program that runs on the firewall to
    intercept traffic for a specific kind of
    application.
  • The proxy software intercepts user requests from
    the local LAN, and then makes a connection to the
    server residing outside the local LAN on behalf
    of the user.
  • That is, an application proxy program acts as a
    middleman.

23
Using Proxy Servers
  • (Diagram) Addresses shown: workstation
    10.10.10.123, proxy server 10.10.10.250, and
    140.176.60.69 on the internet side.
  • The workstation sends a web page request for a
    web server on the internet; the proxy server then
    sends its own web page request to that web server
    on the internet.
  • The web page response is sent to the proxy
    server that requested it; the proxy server then
    sends the web page response to the workstation
    that requested it.
  • IP packets are blocked at the proxy server, a
    non-routing dual-homed host between the
    workstation and the Internet.
24
  • In addition to blocking IP traffic, we can also
    use the proxy server to perform certain checks
    based on the type of request and on the content
    of the data returned.
  • A separate proxy server application is needed for
    each kind of network service.
  • Proxy servers can work in both directions.
  • A proxy server can also control which users on
    the network are allowed to make Internet requests,
    and can also decide which external users or hosts
    are allowed to send requests to servers inside
    the network.
  • Either way, no IP packets get passed between the
    two networks, and we can allow or deny requests
    by configuring a set of rules.

25
  • There are two basic kinds of proxies
  • Classical Proxies
  • Transparent Proxies
  • Classical Proxies
  • These proxies are the first kind that were
    developed.
  • A classical proxy makes the client end of the
    connection authenticate itself to the proxy
    before the proxy begins relaying data back and
    forth.
  • The problem with this kind of proxy is that it
    involves extra work by the client.
  • Transparent Proxies
  • A transparent proxy, from the user's point of
    view, works just like a direct connection.

26
Designing The Firewall System
  • When establishing an Internet firewall, an
    organization needs to consider the following:
  • Decide the security policy that is intended to be
    implemented.
  • Then decide the basic architecture of the
    firewall that satisfies that security policy.
  • There are two classes of firewall architectures,
    single layer and multiple layer architectures.

27
Single layer Architecture
  • In a single layer architecture one network host
    is allocated all firewall functions and is
    connected to each network for which it is to
    control access.
  • This approach is usually chosen when containing
    cost is a primary factor or when there are only
    two networks to interconnect.
  • It has the advantage that everything there is to
    know about the firewall resides on that one
    host.
  • In cases where the policy to be implemented is
    simple and there are few networks being
    interconnected, this approach can also be very
    cost-effective to operate and maintain over
    time.
  • The greatest disadvantage of the single layer
    approach is its susceptibility to implementation
    flaws or configuration errors; depending on the
    type, a single flaw or error might allow firewall
    penetration.

28
Multi Layer Architecture
  • In a multiple layer architecture the firewall
    functions are distributed among a small number of
    hosts, typically connected in series
  • This approach is more difficult to design and
    operate, but can provide substantially greater
    security by diversifying the defenses we are
    implementing.
  • Although more costly, it is advisable to use
    different technology in each of these firewall
    hosts.
  • This reduces the risk that the same
    implementation flaws or configuration errors will
    exist in every layer.
