Firewalls, etc. - PowerPoint PPT Presentation

Slides: 34
Provided by: andre80
Transcript and Presenter's Notes


1
Firewalls, etc.
  • (Some of the slides in this file were adapted
    from Oppliger's online slides at
    http://www.ifi.unizh.ch/oppliger/Presentations/WWWSecurity2e/index.htm.)

2
Chapter 3
  • Intro
  • Various firewall technologies
  • Static Packet Filtering
  • Dynamic Packet Filtering (or Stateful inspection)
  • Circuit-level gateways
  • Application-level gateways (aka proxy servers)
  • Firewall configurations
  • NAT
  • Browser configurations

3
Firewalls
  • A firewall, in the real world, is built between
    buildings to prevent a fire started in one
    building from spreading to another
  • A digital firewall serves similar purpose, by
    preventing security breaches that occur in one
    zone from spreading to another zone
  • In a way, firewalls can be considered as
    delimiters that together define the perimeter of
    a network
  • A firewall prevents unwanted and/or unauthorized
    traffic from entering into or getting out of a
    given network (the protected network)
  • Also called secure Internet gateways or
    security gateways

4
RFC2828 Internet Security Glossary (by R. Shirey,
May 2000)
  • filtering router
  • An internetwork router that selectively prevents
    the passage of data packets according to a
    security policy.
  • A filtering router may be used as a firewall or
    part of a firewall.
  • A router usually receives a packet from a network
    and decides where to forward it on a second
    network. A filtering router does the same, but
    first decides whether the packet should be
    forwarded at all, according to some security
    policy.
  • The policy is implemented by rules (packet
    filters) loaded into the router. The rules mostly
    involve values of data packet control fields
    (especially IP source and destination addresses
    and TCP port

5
RFC2828 Internet Security Glossary (by R. Shirey,
May 2000)
  • bastion host
  • A strongly protected computer that is in a
    network protected by a firewall (or is part of a
    firewall) and is the only host (or one of only a
    few hosts) in the network that can be directly
    accessed from networks on the other side of the
    firewall.
  • Filtering routers in a firewall typically
    restrict traffic from the outside network to
    reaching just one host, the bastion host, which
    usually is part of the firewall.
  • Since only this one host can be directly
    attacked, only this one host needs to be very
    strongly protected, so security can be maintained
    more easily and less expensively.
  • However, to allow legitimate internal and
    external users to access application resources
    through the firewall, higher layer protocols and
    services need to be relayed and forwarded by the
    bastion host. Some services (e.g., DNS and SMTP)
    have forwarding built in; other services (e.g.,
    TELNET and FTP) require a proxy server on the
    bastion host.

6
Firewalls
  • According to RFC2828 Internet Security
    Glossary (by R. Shirey, May 2000)
  • firewall
  • An internetwork gateway that restricts data
    communication traffic to and from one of the
    connected networks (the one said to be "inside"
    the firewall) and thus protects that network's
    system resources against threats from the other
    network (the one that is said to be "outside" the
    firewall).
  • A firewall typically protects a smaller, secure
    network (such as a corporate LAN, or even just
    one host) from a larger network (such as the
    Internet). The firewall is installed at the point
    where the networks connect, and the firewall
    applies security policy rules to control traffic
    that flows in and out of the protected network.

7
Firewalls
  • A firewall is not always a single computer. For
    example, a firewall may consist of a pair of
    filtering routers and one or more proxy servers
    running on one or more bastion hosts, all
    connected to a small, dedicated LAN between the
    two routers. The external router blocks attacks
    that use IP to break security (IP address
    spoofing, source routing, packet fragments),
    while proxy servers block attacks that would
    exploit a vulnerability in a higher layer
    protocol or service. The internal router blocks
    traffic from leaving the protected network except
    through the proxy servers.
  • The difficult part is defining criteria by which
    packets are denied passage through the firewall,
    because a firewall not only needs to keep
    intruders out, but usually also needs to let
    authorized users in and out.

8
Firewalls: a more precise definition
  • According to Cheswick & Bellovin (1994)
  • A firewall system is a collection of components
    placed between two networks that collectively have
    the following three properties:
  • All traffic (inside out, or outside in) must pass
    through the firewall.
  • Only authorized traffic (as defined by the local
    security policy) is allowed to pass. → firewall
    policy
  • The firewall itself is immune to penetration.

9
Firewalls: additional, stronger features
  • A firewall is able to
  • enforce strong authentication for users who wish
    to establish inbound or outbound connections
  • associate data streams that are allowed to pass
    through the firewall with previously
    authenticated and authorized users
  • Use of application gateways is needed to support
    these higher-level features.

10
Compare Various Firewall Technologies
Types      | Packet filters                              | Application gateways
Sub-types  | Static, Dynamic                             | Circuit-level, Application-level
OSI layers | Network layer (or Internet layer in TCP/IP) | Transport layer or higher
11
(No Transcript)
12
Static Packet Filtering
  • Aka screening routers
  • Stateless, meaning that each IP packet must be
    examined in isolation from what has happened in
    the past (and what may happen in the future),
    forcing the filter to make a decision to permit
    or deny each packet individually based on the
    packet-filtering rules
  • → no concept of a session
  • → leads to problems when more than one connection
    is created in a protocol such as FTP

13
(No Transcript)
14
Dynamic Packet Filtering
  • Aka stateful inspection
  • A dynamic packet filter maintains state
    information about past IP packets to make more
    intelligent decisions about the legitimacy of
    present and future IP packets
  • State information is stored in an internal
    database
  • Subsequent packets belonging to the same
    association can pass quickly through the stateful
    inspection device
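Slides 12 and 14 contrast stateless and stateful filtering using FTP as the problem case. The following is an added example, not code from the deck: a toy static filter and a toy dynamic filter run over constructed packets for an active-mode FTP session (inside client 192.168.4.10 talking to outside server 67.64.10.3; both addresses and the intranet prefix are assumptions for the demonstration).

```python
from collections import namedtuple

# Constructed packet summary: only the header fields a filter looks at.
# syn=True marks a TCP connection request.
Packet = namedtuple("Packet", "src sport dst dport syn")
INSIDE = "192.168.4."   # hypothetical intranet prefix used by the constructed packets

def stateless_allow(p):
    """Static filter: judge each packet alone. Outbound is allowed; inbound is
    allowed only if it is not a new connection request. An FTP server's
    active-mode data connection arrives as an inbound SYN, so it is denied even
    though the inside client asked for it on the control channel."""
    return True if p.src.startswith(INSIDE) else not p.syn

class StatefulFilter:
    """Dynamic filter: remembers associations created by earlier packets."""
    def __init__(self):
        self.sessions = set()   # (in_ip, in_port, out_ip, out_port) opened from inside
        self.expected = set()   # (in_ip, in_port, out_ip) announced by an FTP PORT cmd
    def note_ftp_port(self, client, cport, server, data_port):
        """Called when a PORT command is seen on an already-allowed control session."""
        if (client, cport, server, 21) in self.sessions:
            self.expected.add((client, data_port, server))
    def allow(self, p):
        if p.src.startswith(INSIDE):            # outbound: allow and record new sessions
            if p.syn:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:                # reply inside a known session
            return True
        if p.syn and (p.dst, p.dport, p.src) in self.expected:
            self.expected.discard((p.dst, p.dport, p.src))
            self.sessions.add(key)              # the data connection becomes a session
            return True
        return False                            # unsolicited inbound packet

def ftp_demo():
    """Verdicts (stateless, stateful) for: control SYN, server reply, data SYN."""
    f = StatefulFilter()
    ctl = Packet("192.168.4.10", 40001, "67.64.10.3", 21, True)
    rep = Packet("67.64.10.3", 21, "192.168.4.10", 40001, False)
    data = Packet("67.64.10.3", 20, "192.168.4.10", 40002, True)
    stateless = [stateless_allow(x) for x in (ctl, rep, data)]
    stateful = [f.allow(ctl), f.allow(rep)]
    f.note_ftp_port("192.168.4.10", 40001, "67.64.10.3", 40002)
    stateful.append(f.allow(data))
    return stateless, stateful
```

The stateless filter also passes any inbound non-SYN packet from anywhere, since it has nothing but the flag to judge by; the stateful one rejects the same packet because no session matches.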

15
Circuit-level Gateways
  • A proxy server for TCP or UDP (at the transport
    layer)
  • Goal: to allow a TCP/IP application to traverse
    (i.e., securely use) a firewall
  • Located and running on a firewall
  • Relays TCP connections
  • It does not interfere with the data stream. →
    This makes it different from an application-level
    gateway
  • Example: SOCKS (RFC 1928, SOCKS Protocol Version
    5, by M. Leech, M. Ganis, Y. Lee, R. Kuris, D.
    Koblas, L. Jones, March 1996)

16
SOCKS
  • The implementation of the SOCKS protocol
    typically involves the recompilation or relinking
    of TCP-based client applications to use the
    appropriate encapsulation routines in the SOCKS
    library. → socksified clients
  • Procedure for TCP-based clients:
  • When a TCP-based client wishes to establish a
    connection to an object that is reachable only
    via a firewall, it must open a TCP connection to
    the appropriate SOCKS port on the SOCKS server
    system. The SOCKS service is conventionally
    located on TCP port 1080.
  • If the connection request succeeds, the client
    enters a negotiation for the authentication
    method to be used, authenticates with the chosen
    method, then sends a relay request.
  • The SOCKS server evaluates the request, and
    either establishes the appropriate connection or
    denies it.
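The three-step client procedure above (method negotiation, authentication, relay request) is carried by fixed-format messages defined in RFC 1928. As an added example, not part of the deck, the functions below build the client messages and parse the server's answers; addresses and ports used in the checks are constructed sample values.

```python
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
SOCKS_PORT = 1080                       # conventional SOCKS port (RFC 1928)

def greeting(methods=(NO_AUTH, USER_PASS)):
    """Client -> server: VER, NMETHODS, METHODS. Offers the auth methods it supports."""
    return bytes([SOCKS_VER, len(methods), *methods])

def parse_method_selection(data):
    """Server -> client: VER, METHOD. 0xFF means the server refuses every offered method."""
    ver, method = data[0], data[1]
    if ver != SOCKS_VER or method == NO_ACCEPTABLE:
        raise ValueError("no acceptable authentication method")
    return method

def connect_request(host, port):
    """Client -> server (after authentication): VER CMD RSV ATYP DST.ADDR DST.PORT.
    IPv4 literals use ATYP 0x01; anything else is sent as a length-prefixed name
    (ATYP 0x03) so the SOCKS server resolves it, not the client."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data):
    """Server -> client: VER REP RSV ATYP BND.ADDR BND.PORT.
    Returns (rep, bound_addr, bound_port); REP 0x00 means the relay was established,
    any other value is a denial (e.g. 0x02 connection not allowed by ruleset)."""
    ver, rep, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    return rep, addr, port
```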

17
(No Transcript)
18
Application-level Gateways
  • A proxy server that allows a specific application
    protocol to traverse a firewall.
  • A scenario: the packet filter of a firewall
    blocks all inbound Telnet and FTP sessions,
    unless the sessions are terminated by a bastion
    host.
  • Multiple application gateways may be running on
    the bastion host → a proxy server for FTP, a
    proxy server for Telnet, etc.
  • A user who wishes to connect inbound to an
    intranet server must have his Telnet or FTP
    client connect to the application gateway

19
(No Transcript)
20
Application-level Gateways
  • To properly authenticate the user, an application
    gateway must have access to authentication and
    authorization information, either locally or
    remotely
  • User-level authentication info may be stored
    locally on the firewall
  • User-level authentication info may be stored in a
    centralized authentication server (e.g., RADIUS,
    TACACS)

21
Trade-offs of Firewalls
  • Advantages
  • Provides basic access control services for an
    intranet
  • Provides a centralized filtering/gateway function
  • (To some degree) relieves individual hosts of the
    responsibility of having a filter or firewall
    themselves
  • Centralized management of filtering rules
  • Limitations: next slide

22
Trade-offs of Firewalls
  • Limitations
  • Cannot protect sites and corporate intranets
    against insider attacks → internal/intranet
    firewalls
  • Can be circumvented by tunneling unauthorized
    application protocols in authorized ones
  • Little protection against attacks embedded in the
    data field of a packet (e.g., virus-infected
    programs or data files, malicious Java applets,
    malicious ActiveX controls, etc.)
  • May foster a false sense of security → lax
    security within the firewall perimeter

23
Dual-Homed Firewalls
  • A dual-homed host is a host with two network
    interfaces, each of which is connected to a
    different network.
  • A dual-homed firewall is a dual-homed host on
    which IP routing and forwarding are disabled.
  • IP packets can no longer be routed or forwarded
    between the two networks.
  • Data can only be transferred from one network to
    the other if there is an application gateway
    running on the firewall to do that.
  • See diagram next.

24
(Diagram: outer screening router, bastion host, inner screening router)
25
Dual-Homed Firewalls
  • The outer screening router makes sure that
  • All incoming packets have the bastion host as the
    destination address.
  • All outgoing packets have the bastion host as the
    source address.
  • The inner screening router makes sure that
  • All incoming packets have the bastion host as the
    source address.
  • All outgoing packets have the bastion host as the
    destination address.
  • Packet filtering rules need to be configured.
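The four rules on this slide can be written as screening-router access lists and checked against sample packets. This is an added example, not the deck's configuration: the bastion host's two interface addresses and the intranet prefix are assumptions, and the rule evaluation is a simplified first-match, default-deny list keyed on source and destination address only.

```python
import ipaddress

# Hypothetical addresses for the walk-through (assumed, not taken from the deck's diagram):
BASTION_OUTER = "67.64.10.1"    # bastion host, interface facing the outer router
BASTION_INNER = "192.168.4.1"   # bastion host, interface facing the inner router
INTRANET = "192.168.4.0/24"

def _in(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl(rules, src, dst):
    """Screening-router style rule list: first matching (src, dst, action) wins,
    and anything not matched is denied."""
    for rule_src, rule_dst, action in rules:
        if _in(rule_src, src) and _in(rule_dst, dst):
            return action == "permit"
    return False

# Outer router: incoming packets must be addressed to the bastion host,
# outgoing packets must come from it.
OUTER_IN = [("any", BASTION_OUTER, "permit")]
OUTER_OUT = [(BASTION_OUTER, "any", "permit")]
# Inner router: incoming packets must come from the bastion host,
# outgoing packets must be addressed to it.
INNER_IN = [(BASTION_INNER, INTRANET, "permit")]
INNER_OUT = [(INTRANET, BASTION_INNER, "permit")]

def internet_to_intranet(src, dst):
    """Trace an Internet host `src` reaching intranet host `dst`.
    Returns (direct, relayed): a packet addressed straight to `dst` dies at the
    outer router; only a connection terminated on the bastion host and re-opened
    by its application gateway from the inner interface clears the inner router."""
    direct = acl(OUTER_IN, src, dst)
    reaches_gateway = acl(OUTER_IN, src, BASTION_OUTER)
    relayed = reaches_gateway and acl(INNER_IN, BASTION_INNER, dst)
    return direct, relayed

def intranet_to_internet(src, dst):
    """Same trace for an intranet host `src` going out to Internet host `dst`."""
    direct = acl(INNER_OUT, src, dst) and acl(OUTER_OUT, src, dst)
    relayed = acl(INNER_OUT, src, BASTION_INNER) and acl(OUTER_OUT, BASTION_OUTER, dst)
    return direct, relayed
```

A useful check on the rules: a packet from the Internet that forges the bastion's inner address as its source still cannot reach an intranet host directly, because the outer router only lets through packets whose destination is the bastion.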

26
Screened Subnet Firewalls
  • Two separate screening routers: outer and inner
    (see diagram next)
  • DMZ: the subnet in between the two screening
    routers
  • The bastion host is part of the DMZ.
  • A packet must pass both screening routers before
    it reaches the intranet.
  • When configured properly (e.g., using NAT), only
    the bastion host and other servers in the DMZ can
    be seen from the Internet.

27
(Diagram: outer screening router, the DMZ with the bastion host, inner screening router)
28
NAT and Security
  • Network Address Translation (NAT) is useful to:
  • Hide internal private IP addresses
  • Conserve routable IP addresses on the Internet
  • RFC1918 Address Allocation for Private Internets.
    Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de
    Groot, E. Lear. February 1996.
  • Reserved IP addresses for private networks in the
    RFC 1918 addressing scheme:
  • The Internet Assigned Numbers Authority (IANA)
    has reserved the following three blocks of the IP
    address space for private internets
  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

29
An Example: a firewall supporting NAT
Also a router → (diagram; recoverable labels only: S 67.64.10.1 → 192.168.4.1; F 192.168.4.1; IP addresses 67.64.10.3; C; port numbers c, f, 21)
30
Other Examples: the DCSL network
  • Network diagram for the UHCL Distributed Computer
    Security Lab (D140, D158)
  • http://www.dcsl-uhcl.net/public/experiments.html

31
Advantages of using NAT
  • The obvious advantage of using private address
    space for the Internet at large is to conserve
    the globally unique address space by not using it
    where global uniqueness is not required.
  • Enterprises themselves also enjoy a number of
    benefits from their usage of private address
    space. They gain a lot of flexibility in network
    design by having more address space at their
    disposal than they could obtain from the globally
    unique pool. This enables operationally and
    administratively convenient addressing schemes as
    well as easier growth paths.

32
Drawbacks of using NAT
  • Renumbering of IP addresses may be needed in some
    cases
  • Once one commits to using a private address, one
    is committing to renumber part or all of an
    enterprise, should one decide to provide IP
    connectivity between that part (or all of the
    enterprise) and the Internet.
  • Another drawback to the use of private address
    space is that it may require renumbering when
    merging several private internets into a single
    private internet.

33
Is NAT sufficient for network security?
  • No. It's mainly a convenience measure.
  • It cannot replace the functionalities of a
    firewall
  • NAT does not track packet sequence numbers, TCP
    handshake, and UDP progress-based timers, etc.
  • It cannot replace an intrusion detection system
  • NAT does not concern itself with protecting the
    hosts from malicious data being sent on the NAT
    connections.
  • It cannot replace an access control mechanism.
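To make slide 28's RFC 1918 check and slide 33's point concrete, here is an added example (not from the deck) of a minimal port-translating NAT. The public address 67.64.10.1 and the private host 192.168.4.10 are constructed sample values, and the mapping behaviour (any Internet host may send to a mapped port once it exists) is a deliberate simplification chosen to show what NAT does and does not check.

```python
import ipaddress

# The three RFC 1918 blocks listed on slide 28.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RFC1918)

class Nat:
    """Minimal port-translating NAT. Public address is a hypothetical example;
    mappings are endpoint-independent (any Internet host may use a mapped port)."""
    def __init__(self, public_ip="67.64.10.1", first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite the source of a packet leaving the private network.
        Returns the translated (src, sport, dst, dport)."""
        if not is_rfc1918(src):
            return src, sport, dst, dport          # already routable, leave alone
        key = (src, sport)
        if key not in self.out:                    # first packet: allocate a mapping
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key], dst, dport

    def inbound(self, src, sport, dst, dport):
        """Translate a packet arriving at the public address, or return None.
        None means no mapping exists, so NAT cannot deliver it. That is the only
        'filtering' NAT does: it checks no sequence numbers, handshake state,
        peer identity or payload, which is why it is not a firewall (slide 33)."""
        if dst != self.public_ip or dport not in self.back:
            return None
        private_ip, private_port = self.back[dport]
        return src, sport, private_ip, private_port

def nat_demo():
    """Outbound web request from a private host, the legitimate reply, and a packet
    from an unrelated Internet host aimed at the same mapped port."""
    nat = Nat()
    out = nat.outbound("192.168.4.10", 50001, "203.0.113.5", 80)
    reply = nat.inbound("203.0.113.5", 80, out[0], out[1])
    stranger = nat.inbound("198.51.100.9", 4444, out[0], out[1])
    return out, reply, stranger
```

The third result of nat_demo() is the lesson of slide 33: the unrelated host's packet is forwarded to the private host just like the real reply, because NAT only consults its mapping table.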