Title: FIREWALLS
FIREWALLS
- Presentation by Gökhan AYDIN
- 2004800233
CMPE 526 Operating System and Network Security
Bogazici University, 05/05/2005
INTRODUCTION
- A security system that acts as a protective boundary between a network or a computer and the outside world
- Using a "wall of code", they isolate
  - private networks from the Internet, as in perimeter firewalls
  - a single computer from the network it is connected to, as in personal firewalls
- Their primary goal is to provide traffic control and monitoring
- They do this by enforcing a security policy represented by a set of rules specifying what is explicitly permitted or denied
INTRODUCTION (cont.)
- Firewalls are used to create security checkpoints at the boundaries of private networks or personal computers
- As a result, firewalls are the first line of defense against outside attacks
- Firewalls emerged in the early 1990s and became particularly popular around 1996, when attack techniques such as buffer overflows and remote exploits became widely known
CAPABILITIES of FIREWALLS
- A firewall, defining a single choke point, simplifies security management because security capabilities are consolidated on a single system or set of systems
- They provide a location for monitoring security-related events; audit and alarms can be implemented on the firewall
- A firewall is a convenient platform for several functions that are not security related, such as Network Address Translation
- A firewall can be used to implement VPNs
- They can authenticate users, with different authentication methods, before users reach certain resources
TECHNIQUES USED by FIREWALLS
- Service Control
  - Allows or blocks certain types of Internet services
- Direction Control
  - Determines the direction in which particular service requests may be initiated and allowed to flow
- User Control
  - Controls access to a service according to which user is attempting to access it
- Behavior Control
  - Controls how particular services are used
- Time Control
  - Controls when some services can be used
TYPES of FIREWALLS
- Firewalls can be classified according to different criteria
- By where they are deployed
  - Perimeter Firewalls
  - Internal Firewalls
  - Personal Firewalls
  - Distributed Firewalls
- By the layer of the network protocol stack at which they filter, and what they do
  - Packet Filtering Firewalls @ Network/Transport Layer
  - Circuit Gateways @ Transport Layer
  - Application Gateways @ Application Layer
  - Dynamic Packet Filtering Firewalls
PACKET FILTERING FIREWALLS
- One of the oldest types of firewall
- Packet filters, historically implemented on routers, filter on user-defined header fields such as IP addresses
- They examine a packet at the Network or Transport Layer
- They are cheap and useful
PACKET FILTERING FIREWALLS (cont.)
- They are application independent; this is advantageous in terms of performance
- Since they are not application-aware and cannot understand the context of a given communication, they are the least secure type of firewall and are good targets for intruders
- Building a packet filter is a three-step process
  - Decide what should and should not be permitted, based on a pre-defined security policy
  - Specify the allowable types of packets formally, in terms of logical expressions on packet fields
  - Rewrite the expressions in whatever syntax the firewall vendor supports
PACKET FILTERING FIREWALLS (cont.)
- Packet filtering is typically set up as a list of rules based on matches to fields in the IP or TCP header
- If a packet matches one of the rules, that rule is invoked and its predefined action is taken, such as dropping the packet, or forwarding it and also warning the user or admin
- The rules are evaluated from the top rule to the bottom rule and the first matching rule wins, so rule order must be considered carefully
- Rules are created according to one of two default policies
  - Default Discard: that which is not expressly permitted is prohibited
  - Default Pass: that which is not expressly prohibited is permitted
- The Default Discard policy is more conservative: initially everything is blocked, and services are added on a case-by-case basis
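As an added example (not part of the original slides), the following Python models the top-to-bottom, first-match evaluation described above and shows how the default policy decides the packets that no rule covers. The rules, addresses and packets are constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Walk the list top to bottom; the first matching rule decides.
    A packet that matches nothing gets the default policy:
    default="deny" is Default Discard, default="permit" is Default Pass."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed inbound policy for a 10.0.0.0/8 site (example addresses only)
RULES = [
    Rule("permit", dst="10.0.0.5/32", proto="tcp", dport=25),   # SMTP to the mail relay
    Rule("permit", dst="10.0.0.7/32", proto="tcp", dport=80),   # HTTP to the web server
    Rule("deny", dst="10.0.0.0/8", proto="tcp"),                # any other inbound TCP
]

SMTP = Packet("203.0.113.9", "10.0.0.5", "tcp", 40000, 25)
TELNET = Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 23)
DNS_UDP = Packet("203.0.113.9", "10.0.0.53", "udp", 40002, 53)  # matched by no rule

if __name__ == "__main__":
    print(evaluate(RULES, SMTP))                 # permit
    print(evaluate(RULES, TELNET))               # deny, by the third rule
    print(evaluate(RULES, DNS_UDP, "deny"))      # deny: Default Discard
    print(evaluate(RULES, DNS_UDP, "permit"))    # permit: Default Pass lets it through
```

The UDP packet is the interesting case: the rule list says nothing about it, so its fate depends entirely on the default policy. Under Default Pass a service that nobody thought to write a rule for is reachable from the Internet; under Default Discard it is not.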
CIRCUIT GATEWAYS
- The idea of a circuit gateway is fundamentally different from packet filtering
- Circuit gateways do not permit an end-to-end TCP connection
- A circuit gateway works at the TCP level: it takes a TCP connection request from a client, authenticates and authorizes the client, and establishes a second connection to the origin server on the client's behalf
- After establishing the connection, the circuit gateway simply relays data back and forth between the two connections
- It does not interfere with the data stream
- The one circuit gateway that is actually widely used is SOCKS
CIRCUIT GATEWAYS (cont.)
- Circuit gateways can bridge two networks that
do not share any IP connectivity or DNS
processing.
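The request/reply exchange of SOCKS version 5 (RFC 1928), as an added example that is not part of the original slides: the client sends a CONNECT request naming the destination, and the gateway decides at the circuit level whether to open the second connection before a single byte of application data is relayed. No real sockets are opened here; the allow-list and addresses are constructed.

```python
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                       # not a dotted quad: send the name, the gateway resolves it
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes):
    """Gateway side: returns (cmd, host, port); raises ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise ValueError("bad length for IPv4 request")
        host, port = socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        n = data[4] if len(data) > 4 else 0
        if n == 0 or len(data) != 5 + n + 2:
            raise ValueError("bad length for domain request")
        host, port = data[5:5 + n].decode("idna"), struct.unpack("!H", data[5 + n:])[0]
    else:
        raise ValueError("unsupported address type 0x%02x" % atyp)
    return cmd, host, port


def gateway_reply(request: bytes, allowed) -> bytes:
    """Authorization at the circuit level: the gateway opens the second connection
    only if (destination host, port) is permitted for this client.
    Reply format: VER REP RSV ATYP BND.ADDR BND.PORT."""
    cmd, host, port = parse_connect_request(request)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif (host, port) in allowed:
        rep = REP_SUCCEEDED          # here a real gateway would connect to host:port and start relaying
    else:
        rep = REP_NOT_ALLOWED        # "connection not allowed by ruleset"
    bound = b"\x00\x00\x00\x00"      # BND.ADDR/PORT: the gateway's own server-side socket (zero here)
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + bound + struct.pack("!H", 0)


# Constructed allow-list: what this client may reach through the gateway
POLICY = {("192.0.2.10", 443), ("example.org", 80)}

if __name__ == "__main__":
    for host, port in [("192.0.2.10", 443), ("example.org", 80), ("192.0.2.10", 22)]:
        reply = gateway_reply(build_connect_request(host, port), POLICY)
        print(host, port, "->", "ok" if reply[1] == REP_SUCCEEDED else "refused 0x%02x" % reply[1])
```

Note what the gateway does and does not see: it knows the destination and can authorize it, but once it replies with REP_SUCCEEDED it relays the stream unchanged, which is exactly why a circuit gateway cannot act as a content filter.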
APPLICATION GATEWAY
- Application gateways are also called proxy servers
- Application gateways deal with the details of the particular service they are checking
- Since they deal with those details, they are usually more complex than packet filters
- Rather than using a general-purpose mechanism to allow many different kinds of traffic to flow, special-purpose code is used for each desired application
- Application gateways have another advantage: since they inspect the content, they can be used as content filters
APPLICATION GATEWAY (cont.)
- The main disadvantage is the need for a specialized program or user interface for each service. This results in support for only basic services.
DYNAMIC PACKET FILTERING FIREWALLS
- A newer approach to packet filtering is Dynamic Packet Filtering, based on Stateful Inspection
- What is new is that, besides the functionality that stateless packet filters have (looking at header information), stateful inspection maintains state information about past IP packets
- If the first packet of a TCP connection is permitted, an entry is added to the state table in an internal database
- The other packets of this connection, including the replies coming back in, can then pass quickly through the firewall by a state-table lookup instead of a walk through the rule list
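An added example (not from the original slides) of the state table in action. Only the first packet of a flow is checked against the rule list; later packets in either direction are matched against the table. The last two packets show the difference from a stateless filter: an inbound packet with just the ACK bit set, which a stateless "established" rule would pass, is dropped because no state exists for it. Packets and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN, "R" RST


Key = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, permit_new: Callable[[Packet], bool]):
        self.permit_new = permit_new     # the rule list, consulted for NEW flows only
        self.state: Dict[Key, str] = {}  # keyed by the initiator's 4-tuple
        self.rule_lookups = 0            # how often the (slow) rule list was walked

    def process(self, p: Packet) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            # Fast path: known flow, either direction. Track teardown so the
            # entry can be expired instead of living forever.
            if "F" in p.flags or "R" in p.flags:
                self.state[key] = "CLOSING"
            elif self.state[key] == "SYN_SENT" and p.flags == "SA":
                self.state[key] = "ESTABLISHED"
            return "pass (established)"
        # Slow path: a flow we have never seen must start with a bare SYN
        # and must be allowed by the policy before it gets a table entry.
        if p.flags != "S":
            return "drop (no state)"
        self.rule_lookups += 1
        if not self.permit_new(p):
            return "drop (policy)"
        self.state[fwd] = "SYN_SENT"
        return "pass (new)"


def demo():
    # Constructed policy: inside hosts (10.x) may open HTTP/HTTPS outbound; nothing inbound.
    fw = StatefulFilter(lambda p: p.src.startswith("10.") and p.dport in (80, 443))
    results = [
        fw.process(Packet("10.0.0.20", 50000, "198.51.100.7", 443, "S")),    # pass (new)
        fw.process(Packet("198.51.100.7", 443, "10.0.0.20", 50000, "SA")),   # pass (established)
        fw.process(Packet("10.0.0.20", 50000, "198.51.100.7", 443, "A")),    # pass (established)
        fw.process(Packet("198.51.100.7", 4444, "10.0.0.5", 445, "S")),      # drop (policy)
        fw.process(Packet("198.51.100.7", 4444, "10.0.0.5", 445, "A")),      # drop (no state)
    ]
    return results, fw.rule_lookups


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```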
PERIMETER FIREWALLS
- Traditional "firewall in a box"
- Inserted between trusted and untrusted network segments
- Can support multiple networks (e.g. a server farm and a separate DMZ)
- Mature product, many vendors to choose from
- Local control over firewall policy
- Support VPNs and user authentication
- All devices behind the firewall are protected
  - but only from traffic coming from the outside!
- Users don't need to manage anything
- An outage affects only the systems behind the firewall
PERIMETER FIREWALLS (cont.)
[Figure: Perimeter Firewall Structure]
INTERNAL FIREWALLS
- You may also need to protect parts of your internal network from other parts
- Like perimeter firewalls, they allow only a limited set of traffic between network segments
PERSONAL FIREWALLS
- Personal firewalls are software-only firewalls that run on the computer they protect
- Designed for individual users or small networks
  - (e.g. Windows XP comes with a personal firewall)
- Inexpensive and easy to install and use; they should offer clearly explained configuration options
- They allow the user to access all necessary network and web resources, protect against external "hacking" and alert the user to malicious activity
PERSONAL FIREWALLS (cont.)
[Figure: Personal Firewall Structure]
DEMO
DISTRIBUTED FIREWALLS
- With distributed firewalls, each individual host enforces the security policy; the policy itself is set by a central management node
- Rather than having a separate box on the edge of the network, a rule to reject unwanted connection attempts is created by the administrator and shipped out to every host within its management domain
- Advantages
  - Eliminates the risk of central failure
  - Suitable for mobile users
  - Easy to customize for special connections
DEPLOYMENT OF FIREWALLS
- Firewalls can be deployed in different structures
  - Screening router structure
  - Screened host structure with bastion host
  - Screened host structure with dual-homed bastion host
  - DMZ structure
- Bastion host: a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application-level gateway.
- Demilitarized zone (DMZ): a DMZ sits between an internal network and the outside world, and it is the best place to put your public servers. Examples of systems to place in a DMZ include web servers, FTP servers, SMTP servers and log servers.
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: Screening router]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: Screened host structure with bastion host]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: Screened host structure with dual-homed bastion host]
DEPLOYMENT OF FIREWALLS (cont.)
[Figure: DMZ (Demilitarized Zone) structure]
CONFIGURING FIREWALLS
- Standard rules for firewalls
  - Cleanup rule ("none of the above" rule): drops all communication attempts that are not allowed by a rule above it
  - Stealth rule (lockdown rule): prevents any user from connecting directly to the firewall itself
- Always order the rules so that the most frequently matched ones are near the top, without changing which rule matches first for any packet
- Always place the lockdown rule at the top and the cleanup rule at the bottom
- Always enable the application intelligence / intrusion prevention rules
- Always log the access rules, anti-spoofing rules and cleanup rule
- Always place a subset rule above the superset rule; below it, the broader rule matches first and the narrower rule is never reached
DEMO
NAT OPERATION on FIREWALLS
- NAT (Network Address Translation) effectively hides the TCP/IP-level addressing of your internal hosts from attackers on the Internet by making all your traffic appear to come from a single IP address
- This operation enables
  - overcoming IP addressing limitations
  - private IP address allocation
  - unregistered internal addressing schemes
- As packets are routed through the firewall, all internal host addresses are rewritten to the address of the firewall
- NAT is fundamentally a proxy: a single host makes requests on behalf of local hosts
- NAT rewrites IP addresses (network layer) and, when many hosts share one address, TCP/UDP port numbers as well (transport layer)
NAT OPERATION on FIREWALLS (cont.)
- To perform NAT, the firewall maintains a table of interior sockets matched to exterior sockets
- Many firewalls support different NAT modes
  - Static Translation: an internal network resource has a fixed translation
  - Dynamic Translation: a group of internal clients shares a single IP address or a small group of IP addresses
  - Load Balancing Translation: a single IP address and port is translated to a pool of identically configured servers, so that a single public address can be served by a number of servers
  - Network Redundancy Translation: multiple Internet connections are attached to a single NAT firewall and client requests are routed through an Internet connection based on load and availability
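The interior-to-exterior socket table described above, as an added example that is not from the original slides. It shows dynamic translation (two internal clients that happen to use the same source port are told apart by the port the firewall assigns) alongside one static translation for a published server, and why an inbound packet with no table entry never reaches an internal host. All addresses are constructed.

```python
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]   # (ip, port)


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Socket, int] = {}   # interior socket -> exterior port
        self.in_table: Dict[int, Socket] = {}    # exterior port  -> interior socket

    def add_static(self, ext_port: int, int_ip: str, int_port: int) -> None:
        """Static translation: a fixed mapping for a server that must be reachable from outside."""
        self.in_table[ext_port] = (int_ip, int_port)
        self.out_table[(int_ip, int_port)] = ext_port

    def outbound(self, pkt: dict) -> dict:
        """Dynamic translation: rewrite the source socket of a packet leaving the private network."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_table:                 # first packet of a new flow
            while self.next_port in self.in_table:    # never collide with an existing mapping
                self.next_port += 1
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.out_table[key]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Reverse-translate a packet arriving at the public address; None means drop."""
        if pkt["dst"] != self.public_ip or pkt["dport"] not in self.in_table:
            return None   # no mapping: the packet has no internal destination to go to
        int_ip, int_port = self.in_table[pkt["dport"]]
        return {**pkt, "dst": int_ip, "dport": int_port}


def demo():
    nat = NatFirewall("203.0.113.1")
    nat.add_static(80, "10.0.0.7", 80)   # published web server behind the firewall
    a = nat.outbound({"src": "10.0.0.20", "sport": 5555, "dst": "198.51.100.9", "dport": 443})
    b = nat.outbound({"src": "10.0.0.21", "sport": 5555, "dst": "198.51.100.9", "dport": 443})
    reply = nat.inbound({"src": "198.51.100.9", "sport": 443, "dst": "203.0.113.1", "dport": a["sport"]})
    web = nat.inbound({"src": "198.51.100.9", "sport": 33000, "dst": "203.0.113.1", "dport": 80})
    probe = nat.inbound({"src": "198.51.100.9", "sport": 33001, "dst": "203.0.113.1", "dport": 22})
    return a, b, reply, web, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The "hiding" NAT provides is a side effect of the table, not an access-control decision: anything with a matching entry (a static mapping, or a flow an internal host opened) goes straight in, so NAT complements the filtering rules rather than replacing them.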
VPNs
- The Internet offers the potential for IP connectivity between almost any pair of computers; however, communicating parties need a connectivity platform that is not only fast, scalable and resilient but also provides confidentiality, authentication and integrity
- A Virtual Private Network (VPN) is a secure connectivity platform that both connects networks and protects the data passing between them. For example, an organization may have geographically separated networks connected via the Internet: the company has connectivity but no privacy
- A VPN provides privacy by encrypting those connections that need to be secure
- A VPN offers an easy connectivity solution by connecting the different parts of the network via the public Internet
VPNs (cont.)
- A Virtual Private Network is a network that employs encrypted tunnels to exchange securely protected data. Check Point's VPN-1 creates encrypted tunnels using the Internet Key Exchange (IKE) and security protocols: IKE negotiates the keys for the tunnel, and the tunnel then carries IPsec-protected data (VPN-1 also offers SSL-based remote access)
VPNs (cont.)
- Host 1 and Host 6 need to communicate
- The path is as follows
  - Host 1 -> Gateway 1 -> Internet -> Gateway 2 -> Host 6
VPNs (cont.)
- A packet leaves the source host and reaches the gateway
- The gateway encrypts the packet
- The packet goes down the VPN tunnel to the second gateway. In actual fact, the packets are standard IP packets passing through the Internet; however, because they are encrypted, they can be considered as passing through a private virtual tunnel
- The second gateway decrypts the packet
- The packet is delivered in the clear to the destination host. From the hosts' perspective, they are connecting directly
VPNs (cont.)
- VPNs are mostly service independent, so all information exchanged between two hosts is transmitted along this encrypted channel
- VPNs have some requirements
  - Each site should have a VPN-capable device or program
  - Each site must know the other's IP subnet addresses
  - Both sites must agree on a method of authentication and exchange digital certificates if required
  - Both sites must agree on a method of encryption and exchange keys
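The Host 1 -> Gateway 1 -> Internet -> Gateway 2 -> Host 6 path of the previous slides, simulated in memory as an added example (not part of the original slides). The hosts exchange cleartext; each gateway wraps the whole inner packet in an outer packet addressed gateway-to-gateway, encrypts it and attaches an integrity tag, and the far gateway verifies the tag before decrypting, so a packet modified in transit is dropped rather than delivered. The keys are assumed to have been agreed out of band (IKE's job in a real deployment), and the cipher is a toy keystream built from HMAC so the example is self-contained; a real IPsec tunnel uses an authenticated cipher such as AES-GCM. Addresses and payloads are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 12, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream for illustration only (not a real cipher)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class Gateway:
    def __init__(self, ip: str, peer_ip: str, enc_key: bytes, mac_key: bytes):
        self.ip, self.peer_ip = ip, peer_ip
        self.enc_key, self.mac_key = enc_key, mac_key   # assumed agreed out of band (IKE)

    def encapsulate(self, inner: dict) -> dict:
        """Tunnel mode: the entire inner packet (addresses included) becomes the
        encrypted payload of an outer packet the Internet sees as gateway-to-gateway."""
        plain = json.dumps(inner).encode()
        nonce = os.urandom(NONCE_LEN)
        cipher = xor(plain, keystream(self.enc_key, nonce, len(plain)))
        tag = hmac.new(self.mac_key, nonce + cipher, hashlib.sha256).digest()
        return {"src": self.ip, "dst": self.peer_ip, "payload": nonce + cipher + tag}

    def decapsulate(self, outer: dict) -> Optional[dict]:
        """Verify first, then decrypt; anything that fails is dropped (returns None)."""
        if outer["dst"] != self.ip or outer["src"] != self.peer_ip:
            return None
        body = outer["payload"]
        if len(body) < NONCE_LEN + TAG_LEN:
            return None
        nonce, cipher, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(xor(cipher, keystream(self.enc_key, nonce, len(cipher))))


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    gw1 = Gateway("203.0.113.1", "198.51.100.1", enc_key, mac_key)   # site 1 edge
    gw2 = Gateway("198.51.100.1", "203.0.113.1", enc_key, mac_key)   # site 2 edge
    inner = {"src": "10.1.0.1", "dst": "10.2.0.6", "data": "hello host 6"}   # Host 1 -> Host 6, cleartext
    outer = gw1.encapsulate(inner)             # what crosses the Internet
    delivered = gw2.decapsulate(outer)         # what Host 6 receives, in the clear
    flipped = bytearray(outer["payload"])
    flipped[20] ^= 0x01                        # an attacker flips one ciphertext bit in transit
    dropped = gw2.decapsulate({**outer, "payload": bytes(flipped)})
    return outer, delivered, dropped


if __name__ == "__main__":
    outer, delivered, dropped = demo()
    print("on the wire:", outer["src"], "->", outer["dst"], "(%d opaque bytes)" % len(outer["payload"]))
    print("delivered:  ", delivered)
    print("tampered:   ", dropped)
```

Two things are worth noticing in the outer packet: the Internet sees only the two gateway addresses, and the inner addresses 10.1.0.1 and 10.2.0.6 (private, unroutable) never appear on the wire, which is how the two sites' private subnets are joined without being exposed.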
IPSEC and SSL BASED VPNs
- Initially, Internet Protocol Security (IPsec) Virtual Private Networks (VPNs) were developed and have been widely used
- A new kind of VPN, the SSL VPN, based on the Secure Sockets Layer (SSL) protocol that secures the world of e-commerce, has emerged as the leading solution for remote access and extranet VPNs
- SSL VPNs are replacing IPsec VPNs for remote access, leaving IPsec VPNs for their original purpose: site-to-site VPNs
IPSEC and SSL BASED VPNs (cont.)
- IPsec works by establishing a tunnel over the Internet to connect users outside a corporate firewall or gateway to internal corporate resources. It requires compatible hardware or software on both ends of the tunnel, in practice very often from a single vendor.
[Figure: IPsec based VPN structure]
IPSEC and SSL BASED VPNs (cont.)
- An SSL VPN uses SSL and proxies to provide authorized and secure access for end users to HTTP, client/server and file-sharing resources
- Adding proxy technology to SSL offers companies greater security, because it prevents users from making a direct connection into the secured network
- SSL VPNs deliver user-level authentication, ensuring that only authorized users have access to the specific resources allowed by the security policies
- A key benefit of choosing an SSL VPN solution is its ability to provide clientless access
- Because SSL is included in standard browsers like Microsoft Internet Explorer and Netscape, SSL VPNs eliminate some difficulties, like managing IPsec clients
IPSEC and SSL BASED VPNs (cont.)
[Figure: SSL based VPN structure]
OPERATING SYSTEMS and FIREWALLS
- Historically, firewalls ran on top of a general-purpose operating system such as Windows NT or Unix. They functioned by modifying the system kernel and TCP/IP stack to monitor traffic. Therefore, these firewalls were at the mercy of problems present in the operating systems they ran on top of.
- To achieve a high level of security, it was necessary to harden, patch and maintain the operating system. This could be a time-consuming and difficult task, especially if there was a lack of expertise or time to adequately secure and maintain a fully functional operating system.
- Appliances integrate the operating system and the firewall software to create a fully hardened, dedicated firewall device. The integration process removes all functionality not required to screen and firewall packets. In addition, a fully functional administrative interface is provided to further simplify configuration and maintenance of the firewall. Firewall appliances do not require a significant amount of host hardening when being deployed (usually changing the default passwords is all that is required), although the appliance's own firmware still has to be patched like any other software.
FIREWALL ATTACK TECHNIQUES
- Attacks through external systems
  - The goal: use some trust relationship between the internal network's systems and systems on the outside in order to get access to the internal network
- Attacks through content (passive attacks)
  - The goal: provide the user with content that, when dealt with (opened), will execute attacker-provided code
- Man-in-the-middle attacks
  - The goal: inject content into user traffic in such a way that an attack through content will occur
FIREWALL ATTACK TECHNIQUES (cont.)
- Attacks through external systems
  - Getting in through trusted external systems can be accomplished by first compromising the machines from which access to the internal network is permitted
  - This might include
    - home machines of the company's workers
    - the network of the third party that does remote administration/outsourcing for the attacked company
    - the network of the company's office in some other location/country
  - Getting in through non-trusted external systems can be accomplished in several ways
    - through the exploitation of a vulnerability in client software (SecureCRT, ftp, ...)
    - by obtaining user credentials or other sensitive data from the user (X screen grabbing)
    - through a combination of the above, Netscape/Mozilla remote control capabilities and a JVM vulnerability
FIREWALL ATTACK TECHNIQUES (cont.)
- Attacks through content
  - Sending mail to the victim user containing
    - an executable file
    - a Microsoft Office document exploiting a macro-bypass vulnerability
    - an HTML mail body exploiting a flaw in Internet Explorer/Outlook Express or Netscape, leading to code execution
  - There are many file formats used for holding text, graphics or multimedia data that can be used as a carrier of malicious content
FIREWALL ATTACK TECHNIQUES (cont.)
- Attacks through content (cont.)
  - Hacking some highly popular WWW/FTP server and putting a trojan-horse file on it
    - software installation files (RealPlayer, Winamp, web browsers, ...)
    - software for mobile phones
    - screen savers
    - "funny" content in executable form
  - Backdooring the source code of some very popular and critical Internet service (apache, bind, sendmail, ...)
FIREWALL ATTACK TECHNIQUES (cont.)
- Man-in-the-middle attacks
  - You cannot look at the security of your network only from the LAN/firewall perspective
  - There are many other things you should take into account, because they may influence the security of your network
    - DNS service
    - routing / security of routes
COMMERCIAL and PUBLIC DOMAIN FIREWALLS
- Public-Domain (free) Firewalls
  - ZoneAlarm Free v5.5
  - Sygate Personal Firewall v5.6
  - WyvernWorks Firewall v1.15
  - AnalogX PortBlocker
- Commercial Firewalls
  - Check Point VPN-1/FireWall-1
  - Cisco PIX 7.0
  - NetGuard GuardianPro
  - NAI Gauntlet
  - Axent Raptor
  - Microsoft Proxy Server
  - AltaVista Firewall
  - Unicenter TNG Network Security Option
RISKS with FIREWALLS
- They are a pretty complex piece of software!!!
- Commercial firewall systems are closed software, which means that few people outside the vendor have really put them under the glass in a search for security problems...
- Over the last couple of years there have been just several bugs found in them...
- They just filter traffic coming from/to your network
- They can handle dozens of application protocols, but unfortunately cannot protect you against malicious content
- The security level of a network protected by a firewall system depends on many factors (DNS, routing infrastructure, security of client software, ...)
- There is always a great risk associated with so-called human error
WEAKNESSES of FIREWALLS
- Common firewall weaknesses include
  - Firewalls cannot protect against what is authorized. Firewalls protect applications and permit the normal communications traffic to those applications. If the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
  - Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.
  - Firewalls cannot fix poor administrative practices or a poorly designed security policy.
  - Firewalls cannot stop attacks in which the traffic does not pass through them.
  - Firewalls are bottlenecks: Internet connections are getting faster and the techniques for detecting potential issues are getting more complicated, so more and more processing power is required just to stand still. The technology to do all this already exists, and for large enterprise security systems at least, it may simply be the way forward.
presented by Gökhan AYDIN
- Thank you for your attention!
- Questions?