Firewall - PowerPoint PPT Presentation

Provided by: csKauSec
Slides: 33
Transcript and Presenter's Notes

Title: Firewall


1
Firewall
  • Ge Zhang

2
A typical network topology
  • Threats example
  • Back door
  • Port scanning

3
(No Transcript)
4
What is Firewall?
  • A single checkpoint that acts on traffic to and
    from a network (pass, discard, block, log)
  • Design goals
  • All traffic from inside to outside and vice
    versa must pass through the firewall

5
Services by a firewall
  • Service control
  • Direction control
  • User Control (internal network)
  • Behavior control (the firewall needs to know the
    application protocol)
  • Logging flow information
  • Hidden internal topology

6
Capabilities and limitations
  • Capabilities
  • Prevents unauthorized traffic
  • Monitors security-related events
  • A platform for network address translation (NAT)
  • A platform for IPsec tunnel mode (VPN)
  • Limitations
  • Attacks that bypass the firewall (over other
    channels)
  • Internal threats (internal employees cooperating
    with external attackers)
  • Transfer of virus-infected programs

7
The working flow of a Firewall
  • if condition_1 then action_1
  • else if condition_2 then action_2
  • else if condition_3 then action_3
  • else if condition_4 then action_4
  • ...
  • else if condition_n then action_n
  • How to define the conditions?

8
Layered TCP/IP model
9
Types of firewalls
  • Packet-Filtering router
  • Application-level gateway
  • Circuit-level gateway

10
Packet-Filtering router (1)
  • Packet-Filtering Firewall
  • Applies a set of rules
  • Decides whether to forward or discard each packet
  • Examines only the headers; does not look inside the
    packet payload

11
Packet-Filtering router (2)

Default-deny rule set:

Source     Destination  Protocol  Dest. port  Action
Ane_home   Ane_work     any       any         Allow
any        SIP proxy    tcp, udp  5060, 5061  Allow
any        Mail server  tcp, udp  25          Allow
any        Web server   tcp       80, 8080    Allow
any        any          any       any         Deny

Default-allow rule set:

Source     Destination  Protocol  Dest. port  Action
mal1       any          any       any         Deny
mal2       any          any       any         Deny
mal1       any          any       any         Deny
mal3       any          any       any         Deny
any        any          any       any         Allow

12
Requirements on rule set design
  • Consistency: the rules are ordered correctly
  • Completeness: every packet satisfies at least one
    rule in the firewall
  • Compactness: the firewall has no redundant rules

13
An example

Interface  Source     Destination  Protocol  Dest. port  Action
0          any        Web server   tcp       80          Allow
0          any        Web server   any       any         Deny
0          malicious  any          any       any         Deny
1          host       any          any       any         Allow
1          any        any          any       any         Allow

Which action applies to this packet?

Interface  Source         Destination  Protocol  Dest. port  Action
0          Not malicious  host         any       any         ????

14
Improvement

Interface  Source     Destination  Protocol  Dest. port  Action
0          malicious  any          any       any         Deny
0          any        Web server   tcp       80          Allow
0          any        Web server   any       any         Deny
0          any        any          any       any         Allow
1          any        any          any       any         Allow

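The if / else-if chain of slide 7, the rule tables of slides 11 to 14 and the three requirements of slide 12 can all be exercised in a few lines. The following is an added example and not code from the slides: the two rule tables copy the symbolic hosts of slides 13 and 14 ("malicious", "Web server", "host"); the Rule class, the packet tuple layout and the check functions are assumptions of this example.

```python
"""First-match packet filtering plus rule-set sanity checks (added example)."""
from dataclasses import dataclass, astuple

ANY = "any"  # wildcard in a rule field
# a packet is a tuple in the order (iface, src, dst, proto, dport)


@dataclass(frozen=True)
class Rule:
    iface: str
    src: str
    dst: str
    proto: str
    dport: str
    action: str  # "Allow" or "Deny"

    def match_fields(self):
        return astuple(self)[:-1]

    def matches(self, pkt):
        return all(r == ANY or r == p for r, p in zip(self.match_fields(), pkt))


def decide(rules, pkt):
    """Slide 7's chain: the first matching rule decides.
    None means no rule matched, i.e. the rule set is not complete."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def _covers(a, b):
    """Every packet rule b can match is also matched by rule a."""
    return all(x == ANY or x == y for x, y in zip(a.match_fields(), b.match_fields()))


def _overlaps(a, b):
    """At least one packet matches both rules."""
    return all(x == ANY or y == ANY or x == y
               for x, y in zip(a.match_fields(), b.match_fields()))


def check_consistency(rules):
    """Ordering problems (consistency) and redundant rules (compactness).
    Returns (earlier index, later index, description) triples."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if not _overlaps(earlier, later):
                continue
            if _covers(earlier, later):
                # the later rule can never fire
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((i, j, "rule %d %s" % (j, kind)))
            elif _covers(later, earlier):
                # the later rule generalises the earlier one: intended when the
                # actions differ (a specific exception placed first); with equal
                # actions the earlier rule is redundant unless a rule in between
                # overlaps it with the opposite action
                intervening = any(rules[k].action != earlier.action
                                  and _overlaps(rules[k], earlier)
                                  for k in range(i + 1, j))
                if earlier.action == later.action and not intervening:
                    findings.append((i, j, "rule %d redundant" % i))
            elif earlier.action != later.action:
                # partial overlap with conflicting actions: the earlier rule wins
                findings.append((i, j, "conflict, rule %d wins" % i))
    return findings


def check_completeness(rules):
    """Sufficient (not necessary) check: each interface needs a catch-all rule."""
    return {iface: any(r.iface in (iface, ANY)
                       and all(f == ANY for f in r.match_fields()[1:])
                       for r in rules)
            for iface in sorted({r.iface for r in rules})}


ORIGINAL = [  # slide 13
    Rule("0", ANY, "Web server", "tcp", "80", "Allow"),
    Rule("0", ANY, "Web server", ANY, ANY, "Deny"),
    Rule("0", "malicious", ANY, ANY, ANY, "Deny"),
    Rule("1", "host", ANY, ANY, ANY, "Allow"),
    Rule("1", ANY, ANY, ANY, ANY, "Allow"),
]
IMPROVED = [  # slide 14
    Rule("0", "malicious", ANY, ANY, ANY, "Deny"),
    Rule("0", ANY, "Web server", "tcp", "80", "Allow"),
    Rule("0", ANY, "Web server", ANY, ANY, "Deny"),
    Rule("0", ANY, ANY, ANY, ANY, "Allow"),
    Rule("1", ANY, ANY, ANY, ANY, "Allow"),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("improved", IMPROVED)):
        print(name, check_consistency(rules), check_completeness(rules))
        # the slide's open question: a non-malicious host on interface 0
        print(name, decide(rules, ("0", "Not malicious", "host", "tcp", "22")))
        print(name, decide(rules, ("0", "malicious", "Web server", "tcp", "80")))
```

Run against the slide 13 table, the checks report that rule 2 (deny malicious) conflicts with rule 0 and loses to it, that rule 3 is redundant given rule 4, and that interface 0 has no catch-all; the "Not malicious" packet matches nothing. The slide 14 table answers all three: the deny is now first and wins the overlap, the redundant rule is gone, and the packet is allowed.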
15
Efficiency of rule set

One rule per host:

Source       Destination  Protocol  Dest. port  Action
192.163.0.1  any          tcp       80, 8080    Deny
192.163.0.2  any          tcp       80, 8080    Deny
192.163.0.3  any          tcp       80, 8080    Deny
10.1.1.2     any          tcp       80, 8080    Allow
10.1.1.3     any          tcp       80, 8080    Allow

Aggregated by address prefix:

Source       Destination  Protocol  Dest. port  Action
192.163.0.   any          tcp       80, 8080    Deny
10.1.1.      any          tcp       80, 8080    Allow

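Two ways of carrying out the aggregation of slide 15, as an added example rather than code from the slides: the addresses copy the slide's table, while the rule layout (source, protocol, ports, action) and the functions are assumptions of this example. The lossless form uses the standard library's prefix collapsing and keeps exactly the listed hosts; the slide's prefix form is shorter but also matches hosts that were never listed, which is a policy change rather than a pure efficiency gain.

```python
"""Compacting per-host rules into prefix rules (added example)."""
import ipaddress
from collections import OrderedDict

# slide 15 before aggregation, as constructed tuples (source, proto, ports, action)
RULES = [
    ("192.163.0.1", "tcp", (80, 8080), "Deny"),
    ("192.163.0.2", "tcp", (80, 8080), "Deny"),
    ("192.163.0.3", "tcp", (80, 8080), "Deny"),
    ("10.1.1.2", "tcp", (80, 8080), "Allow"),
    ("10.1.1.3", "tcp", (80, 8080), "Allow"),
]


def _grouped(rules):
    """Group rules that differ only in their source address, keeping order."""
    groups = OrderedDict()
    for src, proto, ports, action in rules:
        groups.setdefault((proto, ports, action), []).append(ipaddress.ip_network(src))
    return groups


def lossless_collapse(rules):
    """Merge sources into the fewest prefixes that cover exactly the same hosts."""
    out = []
    for (proto, ports, action), nets in _grouped(rules).items():
        for net in ipaddress.collapse_addresses(nets):
            out.append((str(net), proto, ports, action))
    return out


def supernet_collapse(rules, prefixlen=24):
    """The slide's shortcut: one rule per /prefixlen. Fewer rules, but each
    rule now also covers hosts that were never listed."""
    out = []
    for (proto, ports, action), nets in _grouped(rules).items():
        seen = OrderedDict()
        for net in nets:
            seen[str(net.supernet(new_prefix=prefixlen))] = True
        out.extend((net, proto, ports, action) for net in seen)
    return out


def lookup(rules, src, proto, port):
    """First-match lookup over prefix rules; None when no rule applies."""
    addr = ipaddress.ip_address(src)
    for net, rproto, ports, action in rules:
        if addr in ipaddress.ip_network(net) and rproto == proto and port in ports:
            return action
    return None


if __name__ == "__main__":
    print(lossless_collapse(RULES))   # 3 rules, same hosts as before
    print(supernet_collapse(RULES))   # 2 rules, whole /24 networks
    # an unlisted host in the denied /24: no match vs. denied
    print(lookup(lossless_collapse(RULES), "192.163.0.9", "tcp", 80),
          lookup(supernet_collapse(RULES), "192.163.0.9", "tcp", 80))
```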
16
Stateful PF
  • For TCP connections
  • Server ports are mostly fixed (< 1024)
  • Client ports are chosen dynamically (from 1024 to
    65535)
  • Stateful inspection tightens the rules for TCP
    traffic by keeping a table of outbound TCP
    connections


Source         Src port  Destination   Dst port  State
192.168.1.100  1030      210.9.88.29   80        established
192.168.1.102  3331      216.32.1.122  25        established

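A stateful filter only lets inbound TCP traffic through when it belongs to a connection an internal host opened; a stateless filter has to open every client port instead. The following is an added example, not code from the slides: the internal hosts and the two connections copy slide 16's table, while the Packet class, the direction and flag fields, the probing host 203.0.113.7 and the small state machine are constructed assumptions.

```python
"""Stateful filtering of TCP by a table of outbound connections (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool      # True when the packet arrives from the Internet side
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        self.connections = {}  # (internal, port, remote, port) -> state

    def _key(self, pkt):
        """Normalise to the internal host's view so replies find the entry."""
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def decide(self, pkt):
        key = self._key(pkt)
        state = self.connections.get(key)
        if not pkt.inbound:
            if not pkt.src.startswith(self.internal_prefix):
                return "deny"          # source address not ours: spoofed
            if state is None:
                if pkt.syn and not pkt.ack:
                    self.connections[key] = "syn_sent"   # new outbound connection
                    return "allow"
                return "deny"          # mid-stream packet of an unknown connection
            return "allow"
        # inbound: only replies to a recorded outbound connection pass
        if state is None:
            return "deny"
        if state == "syn_sent" and pkt.syn and pkt.ack:
            self.connections[key] = "established"
        return "allow"


def stateless_decide(pkt, first_client_port=1024):
    """The stateless alternative: open every client port for inbound packets."""
    if pkt.inbound:
        return "allow" if pkt.dport >= first_client_port else "deny"
    return "allow"


def run_scenario():
    """Constructed traffic: one web connection, one unsolicited probe, one SMTP SYN.
    Returns (stateful, stateless) decisions per packet and the final table."""
    fw = StatefulFilter(internal_prefix="192.168.1.")
    packets = [
        Packet("192.168.1.100", 1030, "210.9.88.29", 80, inbound=False, syn=True),
        Packet("210.9.88.29", 80, "192.168.1.100", 1030, inbound=True, syn=True, ack=True),
        Packet("192.168.1.100", 1030, "210.9.88.29", 80, inbound=False, ack=True),
        Packet("203.0.113.7", 4444, "192.168.1.100", 1030, inbound=True, syn=True),
        Packet("192.168.1.102", 3331, "216.32.1.122", 25, inbound=False, syn=True),
    ]
    decisions = [(fw.decide(p), stateless_decide(p)) for p in packets]
    return decisions, dict(fw.connections)


if __name__ == "__main__":
    for row in run_scenario()[0]:
        print(row)
```

The fourth packet is the point of the slide: it targets the same client port 1030 that the web connection uses, so the stateless filter must let it through, while the stateful filter denies it because no internal host opened a connection to that source.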
17
Pros and cons of PF
  • Pros
  • Simple, highly efficient
  • Transparent to users
  • Cons
  • Does not protect against application-specific
    vulnerabilities
  • Limited log information
  • No user authentication
  • Rule sets are difficult to configure

18
Attacks on a PF
  • IP address spoofing (packets carry a spoofed
    source address that the firewall trusts)
  • Fragment attacks
  • Tiny fragment
  • Overlapping fragment

19
IP fragment
  • A firewall inspects only the first fragment of a
    fragmented datagram

20
Tiny fragment attack
21
Overlapping fragment
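The defensive counterpart of slides 19 to 21: before the rule lookup of the first fragment, a filter can reject fragments whose layout makes that lookup meaningless. This is an added example, not code from the slides; the Fragment class, the sample fragments and the audit function are constructed, and the two checks (first fragment must hold the transport header; a fragment at offset 1 may not overwrite it) are the ones RFC 1858 describes.

```python
"""Fragment sanity checks applied before packet-filter rule lookup (added example)."""
from dataclasses import dataclass

FRAG_UNIT = 8           # IP fragment offsets are counted in 8-byte units
MIN_TRANSPORT_HDR = 16  # bytes of TCP header covering ports, sequence numbers and flags


@dataclass(frozen=True)
class Fragment:
    datagram_id: int
    offset: int    # in 8-byte units, as carried in the IP header
    length: int    # payload bytes in this fragment
    more: bool     # the MF (more fragments) flag


def fragment_policy(frag):
    """Per-fragment decision taken before any rule is consulted."""
    if frag.offset == 0 and frag.more and frag.length < MIN_TRANSPORT_HDR:
        return "drop: tiny first fragment hides the transport header"
    if frag.offset == 1:
        # starts at byte 8 and would overwrite the flags of the first fragment
        return "drop: fragment overlaps the transport header"
    return "pass"


def find_overlaps(fragments):
    """(earlier, later) pairs of fragments of one datagram whose byte ranges overlap."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f.datagram_id, []).append(f)
    overlaps = []
    for frags in by_id.values():
        for i, a in enumerate(frags):
            a_start = a.offset * FRAG_UNIT
            a_end = a_start + a.length
            for b in frags[i + 1:]:
                b_start = b.offset * FRAG_UNIT
                b_end = b_start + b.length
                if a_start < b_end and b_start < a_end:
                    overlaps.append((a, b))
    return overlaps


def audit(fragments):
    """Apply the policy, then look for overlaps among the fragments that passed."""
    decisions = [fragment_policy(f) for f in fragments]
    passed = [f for f, d in zip(fragments, decisions) if d == "pass"]
    return decisions, find_overlaps(passed)


# constructed sample: datagram 1 is split too small, datagram 2 is a normal
# split, datagram 3 has a second fragment that rewrites part of the first
SAMPLE = [
    Fragment(1, 0, 8, True),
    Fragment(1, 1, 24, False),
    Fragment(2, 0, 24, True),
    Fragment(2, 3, 24, False),
    Fragment(3, 0, 32, True),
    Fragment(3, 2, 16, False),
]

if __name__ == "__main__":
    decisions, overlaps = audit(SAMPLE)
    for frag, decision in zip(SAMPLE, decisions):
        print(frag, decision)
    print("overlapping pairs:", overlaps)
```

The overlap search is only possible once a device keeps fragments of one datagram together, which is why a per-packet filter that looks at the first fragment alone needs the two drop rules: they remove the cases it cannot judge.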
22
Application-level Gateway (mainly for inbound
requests)
  • Checks more parameters (user names, message
    format, client software version, etc.)
  • Handles only the permitted applications
  • More useful log information
  • Con: high processing overhead

23
Circuit level gateway (mainly for outbound
requests)
  • Based on connections instead of packets
  • Similar to stateful PF
  • Performs authentication
  • Implementation: SOCKS server

24
Bastion Host
  • Runs a hardened (secure) version of its operating
    system
  • A platform for an application-level gateway or
    circuit-level gateway
  • Supports only allowed applications
  • Supports only a subset of the standard
    applications
  • Requires additional authentication

25
Demilitarized Zone (DMZ)
  • A demilitarized zone is a subnet that contains and
    exposes an organization's public services to an
    external network
  • DMZ: DNS, web server, VoIP server
  • Internal network: workstations

26
Setup Firewalls in a network
  • Screened host firewall (single-homed bastion host)

27
  • Screened host firewall (dual-homed bastion host)

28
  • Screened subnet firewall

29
Practical experiences on firewall itself
  • Stealth rule: drop any packet from outside that is
    addressed to the firewall itself
  • Insecure firewall management: drop packets to the
    firewall over insecure protocols (telnet, ftp,
    X11)
  • Limited management machines: firewalls should be
    managed from a small number of machines

30
High-throughput firewall (1)
  • Application-Specific Integrated Circuit (ASIC)
  • e.g., NetScreen-100 (100 Mbps firewall)

31
High-throughput firewall (2)
  • Load balancing

32
Key points
  • Types of firewall
  • Pros and cons of the three types
  • Ruleset of PF (consistency, completeness,
    compactness, efficiency)
  • Stateful PF
  • Attacks on PF
  • Bastion host
  • DMZ
  • Setup firewalls in a network