Firewalling Techniques - PowerPoint PPT Presentation

Provided by: cecsWrig3
Learn more at: http://cecs.wright.edu
1
Firewalling Techniques
  • Prabhaker Mateti

2
ACK
  • Not Linux-specific
  • Some figures are from 3Com

3
(No Transcript)
4
Components of the Firewall System
  • Bastion Host
  • Packet-filtering router
  • Application-level gateway (or proxy server)
  • Circuit-level gateway

5
Dual Homed Gateway
  • A system that has two or more network interfaces,
    each of which is connected to a different network.
  • Acts to block or filter some or all of the
    traffic trying to pass between the networks.

6
Bastion Host
  • Runs a general-purpose operating system that has
    been hardened to resist attack

7
Proxy services
  • Proxy servers on a bastion host can prohibit
    direct connections from the outside and reduce
    data-driven attacks.

8
Circuit Relay
  • Determines if the connection is valid according
    to rules, opens a session and permits traffic
    only from the allowed source and possibly only
    for a limited period of time.
  • Whether a connection is valid is based upon:
    • destination IP address and/or port
    • source IP address and/or port
    • time of day
    • protocol
    • user
    • password

9
Demilitarized Zone (DMZ)
  • a neutral zone between the private LAN and the
    public Internet.
  • FTP servers, Web servers and the like are located
    in DMZ.

10
Location of a Firewall
11
An Application Gateway Problem
  • Allow select internal users to telnet outside.
  • Users authenticate themselves to create a telnet
    connection
  • A gateway used in this sense is different from
    a standard gateway.

12
An Application Gateway Solution
  • Router filter blocks all telnet connections not
    originating from gateway.
  • For authorized users, the gateway sets up a telnet
    connection to the destination host and relays data
    between the two connections.

13
Packet Filtering Router
14
Packet Filtering Router
  • Decides not only how, but whether, a packet should
    be forwarded
  • Not the best choice when detailed protocol
    knowledge is required for the decision
    • A proxy may be a better choice
  • Lots of leverage, as all hosts behind it are
    protected
  • Can provide unique capabilities:
    • Rejecting forged internal or external packets
      (address spoofing)
    • Recognition of malformed packets

15
Packet-Filtering Router
  • Service-Dependent Filtering
    • Some typical filtering rules include:
      • Permit incoming Telnet sessions only to a
        specific list of internal hosts
      • Permit incoming FTP sessions only to
        specific internal hosts
      • Permit all outbound Telnet sessions
      • Permit all outbound FTP sessions
      • Deny all incoming traffic from specific
        external networks
  • Service-Independent Filtering
    • Source IP Address Spoofing Attacks
    • Source Routing Attacks
    • Tiny Fragment Attacks. Tiny fragment attacks are
      designed to circumvent user-defined filtering
      rules; the hacker hopes that a filtering router
      will examine only the first fragment and allow
      all other fragments to pass. A tiny fragment
      attack can be defeated by discarding all packets

16
Filtering by Service
  • Characteristics of an internal-to-external telnet
    connection:
    • source is inside,
    • destination is outside,
    • is TCP, destination port 23,
    • source port > 1023,
    • first packet is an outbound SYN
  • Characteristics of external-to-internal are the
    opposite
  • Risk: trusting the port implies trusting the
    server on that port
    • Any service can be run from any port by root
    • Can telnet from port 23, for example
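The rules of slides 15 and 16, as an added example (not from the slides): a small stateless packet filter in Python that applies them to constructed packets. The 10.0.0.0/8 internal network, the permitted telnet host list, the arrival-interface field and the packet layout are assumptions; the offset-1 fragment check follows RFC 1858.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # constructed internal network
TELNET_HOSTS = {"10.0.0.5"}         # constructed list of hosts allowed to receive inbound telnet

@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int" (assumed field)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # IP fragment offset in 8-byte units; 0 = first/only fragment

def filter_packet(p: Packet) -> str:
    """Stateless verdict, 'permit' or 'deny', applying the slide 15/16 rules in order."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Service-independent rule 1 (RFC 1858): a TCP fragment at offset 1 would
    # overwrite the flags carried in the first fragment, so drop it outright.
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny"
    # Service-independent rule 2: anti-spoofing. A packet arriving on the
    # external interface must not claim an internal source address.
    if p.iface == "ext" and src in INSIDE:
        return "deny"
    if p.proto != "tcp":
        return "deny"
    outbound = p.iface == "int" and src in INSIDE and dst not in INSIDE
    inbound = p.iface == "ext" and dst in INSIDE
    # Slide 16: internal-to-external telnet, client port above 1023.
    if outbound and p.dport == 23 and p.sport > 1023:
        return "permit"
    # The reverse direction: replies from port 23 to a high client port.
    # Only ACK-bearing segments qualify; a bare SYN from port 23 is an
    # outsider opening a connection from port 23 (the slide 16 risk).
    if inbound and p.sport == 23 and p.dport > 1023 and p.ack:
        return "permit"
    # Slide 15: incoming telnet sessions only to the listed internal hosts.
    if inbound and p.dport == 23 and p.dst in TELNET_HOSTS:
        return "permit"
    return "deny"
```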

17
Security Policy
  • It is important to note that an Internet
    firewall is not just a router, a bastion host, or
    a combination of devices that provides security
    for a network.
  • The firewall is part of an overall security
    policy that creates a perimeter defense designed
    to protect the information resources of the
    organization.
  • This security policy must include published
    security guidelines to inform users of their
    responsibilities; corporate policies defining
    network access, service access, local and remote
    user authentication, dial-in and dial-out, disk
    and data encryption, and virus protection
    measures; and employee training. All potential
    points of network attack must be protected with
    the same level of network security. Setting up an
    Internet firewall without a comprehensive
    security policy is like placing a steel door on a
    tent.
  • From a web-based article

18
Security Policy Describes a Perimeter Defense
19
A Connection Circumventing an Internet Firewall
20
Benefits of an Internet Firewall
  • Without a firewall, each host system on the
    private network is exposed to attacks from other
    hosts on the Internet.
  • Firewalls offer a convenient point where Internet
    security can be monitored and alarms generated.
  • An Internet firewall is a logical place to deploy
    a Network Address Translator (NAT) that can help
    alleviate the address space shortage and
    eliminate the need to renumber when an
    organization changes Internet service providers
    (ISPs).
  • An Internet firewall is the perfect point to
    audit or log Internet usage.
  • An Internet firewall can also offer a central
    point of contact for information delivery service
    to customers.

21
Limitations of an Internet Firewall
  • Creates a single point of failure.
  • Cannot protect against attacks that do not go
    through the firewall.
  • Cannot protect against the types of threats posed
    by traitors or unwitting users.
  • Cannot protect against the transfer of
    virus-infected software or files.
  • Cannot protect against data-driven attacks. A
    data-driven attack occurs when seemingly harmless
    data is mailed or copied to an internal host and
    is executed to launch an attack.

22
Limitations of firewalls and gateways
  • IP spoofing: the router can't know if data really
    comes from the claimed source.
  • If multiple applications need special treatment,
    each needs its own application gateway.
  • Client software must know how to contact the
    gateway, e.g., the proxy's IP address must be set
    in the Web browser.
  • Tradeoff: degree of communication with the outside
    world versus level of security.
  • Performance problem.

23
Three Myths of Firewalls
  • Firewalls make the assumption that the only way
    in or out of a corporate network is through the
    firewalls, that there are no "back doors" to your
    network. In practice, this is rarely the case,
    especially for a network which spans a large
    enterprise. Users may set up their own back doors,
    using modems, terminal servers, or such programs
    as "PC Anywhere", so that they can work from home.
    The more inconvenient a firewall is to your user
    community, the more likely someone will set up
    their own "back door" channel to their machine,
    thus bypassing your firewall.
  • Firewalls make the assumption that all of the bad
    guys are on the outside of the firewall, and
    everyone on the inside of the firewall can be
    considered trustworthy. This neglects the large
    number of computer crimes which are committed by
    insiders.
  • Newly evolving systems are blurring the lines
    between data and executables more and more. With
    macros, JavaScript, Java, and other forms of
    executable fragments which can be embedded inside
    data, a security model which neglects this will
    leave you wide open to a wide range of attacks.