Firewalls and Honeypots - PowerPoint PPT Presentation

Slides: 13
Provided by: unc
Transcript and Presenter's Notes

Title: Firewalls and Honeypots


1
Firewalls and Honeypots
  • Chapter 14

2
Firewalls
  • WHY?
      • Reduces risk
      • Increases privacy
      • Enforces security policies
  • WHAT?
      • A means to control what is allowed on some part of
        the network, and a mechanism to enforce policy
  • WHERE?
      • Between the internet and a private network
      • Between a PC's NIC and the rest of the PC

3
Firewalls, contd.
  • Firewalls may be implemented as:
      • Dedicated network appliance
      • Hardware or software inserted onto a network
        appliance such as a router
      • Software running on a general-purpose computer

4
Firewall Advantages
  • Reduce risk by reducing the threat of exploits
    (incoming and outgoing)
  • Increase privacy: difficult for a hacker to gather
    intelligence
  • Filter communications based on content (incoming
    and outgoing)
  • Encrypt communication for confidentiality
  • Traffic analysis / logging
  • Noise filter / conserve bandwidth

5
Miscellaneous Firewall Info
  • Administrators mistakenly believe they are
    cure-alls or bulletproof: a major
    misconception
  • Ingress filtering: incoming traffic (packets)
  • Egress filtering: outgoing traffic (packets)
  • Filtering on destination port: a two-byte field in
    the TCP or UDP packet header

6
Common Ports To Know
  • TCP 23 (Telnet)
  • TCP 143 (IMAP)
  • TCP 20 and 21 (FTP)
  • TCP 25 (SMTP)
  • TCP 79 (Finger)
  • TCP 80 (HTTP)
  • TCP 443 (HTTPS)
  • TCP 53 and UDP 53 (DNS)

7
Types of Firewalls
  • Packet Filter: low end, very fast
      • Doesn't look at data, can be fooled, inspects
        packet headers only
  • Proxy or Application Gateway: slow, difficult to
    manage, most secure
      • Tears down every packet
  • Personal: packet filter, Application Control and
    OS Control
  • Stateful Inspection: in-flight review, works
    both as a packet filter and peeks at data
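
The destination-port filtering from slide 5 and the header-only packet filter from slide 7, as an added example that is not part of the original presentation: it parses a raw IPv4 packet, reads the two-byte destination port, and applies a default-deny ingress/egress policy. The allow-lists, addresses and function names are assumptions constructed for illustration.

```python
import struct

# Constructed allow-lists of (protocol, destination port); ports taken from slide 6.
POLICY = {
    "ingress": {("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)},
    "egress": {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)},
}
PROTOCOLS = {6: "tcp", 17: "udp"}  # IPv4 protocol numbers


def parse_headers(packet: bytes):
    """Return (proto, dst_port) from a raw IPv4 packet, or None if unparseable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    proto = PROTOCOLS.get(packet[9])
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or proto is None or frag_offset != 0 or len(packet) < ihl + 4:
        return None  # non-first fragments carry no port field, so they are not matched
    # Destination port: the two-byte field at offset 2 of the TCP or UDP header.
    (dst_port,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return proto, dst_port


def filter_packet(packet: bytes, direction: str) -> str:
    """Default-deny decision made from headers only; the payload is never read."""
    allowed = POLICY[direction]  # KeyError on an unknown direction
    return "ALLOW" if parse_headers(packet) in allowed else "DROP"


def build_packet(proto: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Constructed sample input: minimal IPv4 header plus ports (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64,
                     proto, 0, bytes([198, 51, 100, 7]), bytes([10, 0, 0, 5]))
    return ip + struct.pack("!HH", 40000, dst_port) + payload


if __name__ == "__main__":
    samples = [("ingress", 6, 80), ("ingress", 6, 23), ("egress", 6, 25), ("ingress", 17, 53)]
    for direction, proto, port in samples:
        print(direction, PROTOCOLS[proto], port, filter_packet(build_packet(proto, port), direction))
    # Header-only filtering: bytes that are not HTTP are still allowed on port 80.
    print(filter_packet(build_packet(6, 80, b"not http at all"), "ingress"))
```

The last sample shows the limitation the slide names: a packet filter that inspects headers only accepts any payload addressed to an allowed port.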

8
Network Address Translation (NAT)
  • Tool used on firewalls that enables more
    computers to access the internet
      • Address space is scarce
  • Security: hides internal addresses
  • Allows administrators to assign private IP
    addresses (RFC 1918)
      • 10.0.0.0 - 10.255.255.255
      • 172.16.0.0 - 172.31.255.255
      • 192.168.0.0 - 192.168.255.255

9
Other NAT RFCs
  • RFC 2766: Network Address Translation - Protocol
    Translation (NAT-PT)
  • RFC 2993: Architectural Implications of NAT
  • RFC 3022: Traditional IP Network Address
    Translator (Traditional NAT)
  • RFC 3235: Network Address Translator (NAT)
    Friendly Application Design Guidelines
  • More info on RFCs can be found at
    http://www.rfc-editor.org/rfc.html

10
Honeypots
  • A system set up for victimization by hackers; a
    decoy
  • Designed to:
      • Lure attackers away from production systems
      • Learn what attackers are doing
  • Can be host traps or network traps
  • DNS, mail and web servers make good honeypots
    because they draw the most fire

11
Miscellaneous Honeypot Info
  • Why?
      • Effective way to learn about hacker techniques
      • Firewalls block traffic, preventing analysis;
        honeypots allow the TCP handshake
  • Honeypot products
      • DTK, Mantrap (Symantec), Honeynet

12
Honeypot Disadvantages
  • Legal consequences
      • Possible violation of the USA Federal Wiretap Act
      • Possible litigation if an intruder causes damage
        to a machine downstream from a honeypot
  • Could be dangerous if an attacker uses the honeypot
    to attack other machines or networks