Firewalls

1
Firewalls

• Fred P. Baker
• CCIE, CCIP(security), CCSA, MCSEI, MCSE(2000)

2
Firewalls are not just for companies any more
the changing home
3
High Speed Internet Connections Drive the
importance of security
4
The home Network always on the Net
5
Always on, all hackers all the time

• For me to attack your system, I must send packets
  to it
• With dial, you get a different IP address for
  each call and in relative terms that call is not
  long
• Big issue is that you will have the same IP
  address for a long time with persistent
  connections
• You may have the same IP address ALL the time.
• So plenty of time for someone to go after you
  Personal PCs have the standard OS vulnerabilities
• Private Web servers easy targets

6
Windows file sharing does not help

• Admin Shares
• c
• On by default in Win 9 and older NT
• Browser Service
• Network Neighborhood
• Could see everyone else's PCs
• Hard to turn it off on Internet facing interfaces
  interfaces
• Who cares? QDATA.

7
Multiple security problems

• Defense in Depth

8
The tradeoffs
9
Costs

• Dollars for the software
• Download of updates
• Customization
• most software out of the box works fine
• File and print sharing on your home LAN
• special apps
• Checking logs

10
Example of customization
11
The firewall The first line of defense
12
What a firewall does not do
13
Firewall technologies

• Network Address Translation

14
A digression, TCP/IP
15
Internet Protocol
16
TCP
17
TCP connection flow

• the syn is unique to session start

18
TCP Ports Identify the App
19
IP addresses
20
Private IP addresses

• Routable IP addresses are scarce
• Not every system in the world needs direct and
  always on access to the Internet
• Private addresses allows you to address many more
  systems than the public address space (public
  addresses can be routed over the internet
• For a private addressed system to access the
  internet it must be translated to a public
  address
• Private addresses are defined by RFC 1918
• 10..., 172.16..-172.31.., 192.168..

21
Public IP address assignment

• If you are dialing up, you get one for the
  duration of the call and it will change
• If you are on a always on you MAY get a one
• Providers charge for more than 1 permanent IP
  addresses
• Some cable systems change your address so you
  cant host a server without them knowing (and of
  course you paying)
• To address multiple PCs and have them access the
  internet you must NAT

22
Network Address Translation
23
Enterprise NAT

• NAT is also used to hide addresses
• Remote end can only see the NATed address not the
  real one
• Both ends use private addresses
• And will often have duplicates (10.1.1.1)
• So will often dual nat that is translate both
  source and destination
• Can even map ports so 1 address, multiple servers
• 200.200.200.200 port 80 10.1.1.1
• 200.200.200.200 port 25 10.1.1.2
• 200.200.200.200 port 20 10.1.1.3

24
Pat

• Port address translation
• Allows many stations to share 1 ip address
• Depends on keeping track what source port and IP
  address for each connection
• Then select a unique port to associate with the
  single public IP address

25
Packet Filtering the basis of a firewall
26
Packet Filtering

• Firewalls will trust inside addresses
• Spoofing attacker makes their address look like
  an inside address
• Will rely on the TCP ACK bit to determine if a
  connection is inbound or outbound
• will permit all outbound (you to the Inet) by
  default
• Can configure what inbound connections you want
  to allow (home web server)
• Does not work well with certain applications
• FTP opens connections from the outside
• Media and VOIP use dynamic ports

27
Stateful Inspection
28
Stateful inspection

• Look at outbound connection request to the
  Internet
• Remember the addresses and the ports
• Only permit traffic from the Internet if it saw
  that it was initiated from the inside network
• All modern firewalls work this way

29
Proxy Server
30
Proxy Server

• Since application is intercepted
• Can authenticate by user
• Can log content
• Can block content by looking at the URLs
• All web access is via proxy

31
Authentication w/o proxy

• Telnet or web to the firewall the login
• then can access all other services
• Dedicated client
• Firewall-1 has a custom client
• Firewall contacts client code when user tries to
  access a service
• ask for login and if ok grants it.

32
A firewall

• Always does packet filters
• Always does stateful packet filtering
• Always logs
• May have a proxy
• May do authentication

33
Corporate Firewalls

• Appliance based
• PIX, FW1 Nokia
• more expensive
• Dedicated OS
• Harder to crack as fewer OS issues
• Harder to scale (as based on specific hardware)
• Computer based
• Runs on NT or Unix
• Can leverage existing computers
• Easier to learn at home

34
Home Firewalls

• Device Based
• Part of your access box or can get a dedicated
  appliance
• May be free with a box you are already getting
• Does not touch your OS but then may need more
  configuration
• Do not have to touch multiple computers
• Does not impact inside the house
• OS based
• Tied into the network stack
• Can easily deal with custom apps
• May need to modify for home access

35
Linksys Router (appliance)
36
Linksys Router Filtering
37
Linksys Router logs
38
Norton Personal Firewall (part of OS)
39
Application list
40
Summary

• If you access the internet at all get an OS based
  firewall
• If you have always on get an appliance based
• Or even better use both.