
Slide 1: Network Security - Firewalls
Slide 2: Firewalls
- Access lists
- Ingress filtering
- Egress filtering
- NAT
3
Driversof Performance
RequirementsTrafficVolume and
Complexity of Filtering
Performance
Requirements
Traffic Volume (Packets per Second)
Complexity
of Filtering:
Number of
Filtering
Rules,
Complexity
Of rules, etc.
4
StaticIP Packet Filter Firewall
IP-H
IP-H
TCP-H
UDP-H Application Message
Application Message
IP-H ICMP Message
Arriving Packets
Examined One at a Time, in Isolation
Only IP, TCP, UDP
and ICMP Headers Examined
Permit
(Pass)
Deny
(Drop)
Corporate Network The Internet
Log
File
Static
Packet
Filter
Firewall
Slide 5: Ingress Filtering
- Prevent attack packets from entering the protected network
- Rules are applied in order
- See Figure 5.6 for the generic rule format
6
IngressFiltering
Deny Known Fallacious Source Addresses
Private addresses
10.*.*.*
172.16.*.* to 172.31.*.*,
192.168.*.*
Internal Address Ranges
Other obvious or known common addresses
1.2.3.4, 0.0.0.0, 0.0.0.1, etc.
2
7
IngressFiltering
Deny Known TCP Vulnerabilities
Syn flood (TCP SYN=1 AND FIN=1)
FTP (TCP destination port =20)
Supervisory control connection (TCP destination port =21)
Telnet (TCP destination port =23)
NetBIOS (TCP destination port =135 through 139)
UNIX rlogin (TCP destination port =513)
UNIX rsh launch shell without login (TCP port 514)
Slide 8: Ingress Filtering
1. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]
2. If ICMP Type=0, PASS [allow incoming echo reply messages]
3. DENY ALL
Slide 9: Egress Filtering
- Deny destinations
  - Private IP address ranges: 10.*.*.*, 172.16.*.* to 172.31.*.*, 192.168.*.*
  - Not in internal address range: 60.47.*.*
Slide 10: Egress Filtering
- Allow: ICMP Type=8, PASS [outgoing echo messages]
- Deny: Protocol=ICMP [all other outgoing ICMP]
- Deny: TCP RST=1 [outgoing resets; used in host scanning]
11
EgressFiltering
Deny Connections to Well-known
ports
TCP source port=0 through 49151
UDP source port=0 through 49151
Allow Outgoing Client Connections
UDP source port =49152 65,536
TCP source port =49152 through 65,536
Slide 12: Firewalls
- Types of firewalls
- Inspection methods
  - Static packet inspection
  - Stateful packet inspection
  - NAT
  - Application firewalls
- Firewall architecture
- Configuring, testing, and maintenance
Slide 13: Stateful Inspection Firewalls
- State of connection: open or closed
- State: order of the packet within a dialog
  - Often simply whether the packet is part of an open connection
14
Stateful Inspection Firewalls
Bydefault, permit connections openings
from internal clients toexternal servers
By default, deny connection openings from
the outside to inside servers
Default behaviors can be changed with ACLs
Accept future packets between hosts and
ports in open connections with little or no
more inspection
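The default behaviour described on this slide can be written down as a small connection-tracking engine. The Python below is an added example, not code from the slides or from any firewall product: an outbound SYN creates state, packets matching that state pass in either direction without a rule lookup, unsolicited inbound packets are dropped, and an ACL-style exception list lets outsiders open connections to named servers. The Pkt type, the connection key, the flag names and the sample dialog (addresses 192.168.5.7, 198.51.100.7 and 203.0.113.9) are constructed for illustration.

```python
"""Minimal stateful-inspection engine implementing the default behaviour on
the slide above: connection openings from internal clients to external servers
are permitted, openings from the outside are denied unless an ACL exception
allows them, and later packets of an open connection pass with no further
rule lookup.  Added example, not the slides' or any product's code; the Pkt
type, the connection key and the sample dialog are constructed."""
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" (from the internal network) or "in" (from the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flag names

class StatefulFirewall:
    def __init__(self, allow_inbound_to: Iterable[tuple[str, int]] = ()):
        # Open connections, keyed from the internal host's side:
        # (internal addr, internal port, external addr, external port).
        self.table: set[tuple] = set()
        # ACL exceptions to the default: (server addr, port) pairs outsiders may open.
        self.allow_inbound_to = set(allow_inbound_to)

    @staticmethod
    def _key(p: Pkt) -> tuple:
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Pkt) -> str:
        key = self._key(p)
        if key in self.table:                      # belongs to an open connection: pass
            if "FIN" in p.flags or "RST" in p.flags:
                # Teardown removes the state.  Simplified: real engines track
                # half-closed connections and time out idle entries.
                self.table.discard(key)
            return "PASS"
        opening = "SYN" in p.flags and "ACK" not in p.flags
        if not opening:
            return "DROP"                          # unsolicited packet with no state
        if p.direction == "out" or (p.dst, p.dport) in self.allow_inbound_to:
            self.table.add(key)
            return "PASS"
        return "DROP"                              # default: deny openings from outside

def sample_dialog() -> list[str]:
    """Constructed dialog: an internal client opens a connection outward, the
    server answers, an outsider probes, then the client closes the connection."""
    fw = StatefulFirewall()
    SYN, SYNACK, ACK, FIN = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                             frozenset({"ACK"}), frozenset({"FIN", "ACK"}))
    return [
        fw.filter(Pkt("out", "192.168.5.7", 61000, "198.51.100.7", 80, SYN)),    # PASS, state created
        fw.filter(Pkt("in", "198.51.100.7", 80, "192.168.5.7", 61000, SYNACK)),  # PASS, matches state
        fw.filter(Pkt("in", "198.51.100.7", 80, "192.168.5.7", 61000, ACK)),     # PASS
        fw.filter(Pkt("in", "203.0.113.9", 40000, "192.168.5.7", 23, SYN)),      # DROP, opening from outside
        fw.filter(Pkt("in", "203.0.113.9", 40000, "192.168.5.7", 61000, ACK)),   # DROP, no matching state
        fw.filter(Pkt("out", "192.168.5.7", 61000, "198.51.100.7", 80, FIN)),    # PASS, state removed
        fw.filter(Pkt("in", "198.51.100.7", 80, "192.168.5.7", 61000, ACK)),     # DROP, connection closed
    ]

if __name__ == "__main__":
    print(sample_dialog())
```

The fifth packet is the interesting one: an ACK arriving from outside toward a port that is in use, but from a host that is not the connection's peer, finds no state and is dropped, which a static filter that only looked at ports could not decide.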
15
Stateful Inspection Firewalls
Can prevent
Syn flood
Port switching
Session hijacking
Etc. 16
Network Address Translation
Hidesthe IP address of internal
hosts to thwart sniffers
Benignly spoofs source IP
addresses in outgoing packets
Slide 17: Network Address Translation (NAT)
[Figure: a client host 192.168.5.7 behind a NAT firewall talks to a server on the Internet while a sniffer watches the Internet side. 1. The client sends from 192.168.5.7, port 61000. 2. The NAT firewall forwards the packet from 60.5.9.8, port 55380. 3. The server replies to 60.5.9.8, port 55380. 4. The NAT firewall delivers the reply to 192.168.5.7, port 61000. Translation table: internal IP address 192.168.5.7, port 61000 maps to external IP address 60.5.9.8, port 55380 (one row per connection).]
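The translation table in the figure can be reproduced in a few lines. This Python is an added example, not code from the slides or from any product: outbound packets are rewritten to the firewall's external address and a translated port, replies are mapped back through the table, and an inbound packet for which no row exists is dropped, so the sniffer on the Internet side only ever sees 60.5.9.8. The addresses 192.168.5.7 and 60.5.9.8 and the ports 61000 and 55380 are the figure's own; the Packet type, the sequential port pool, the server address 203.0.113.5 and the second internal host are constructed.

```python
"""Port-translating NAT as in the figure above.  Added example, not from the
slides or any product: the internal/external addresses and ports are the
figure's own, the Packet type, the port pool and the sample exchange are
constructed.  The table is endpoint-independent like the figure's (it records
the internal and external side only); stricter NATs also record the remote peer."""
import itertools
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    def __init__(self, external_addr: str, first_port: int = 55380):
        self.external = external_addr
        self.ports = itertools.count(first_port)            # simple sequential port pool
        self.inside_to_outside: dict[tuple[str, int], int] = {}   # (int addr, int port) -> ext port
        self.outside_to_inside: dict[int, tuple[str, int]] = {}   # ext port -> (int addr, int port)

    def outbound(self, p: Packet) -> Packet:
        """Step 1 -> 2: rewrite the source to the external address and a table port."""
        key = (p.src, p.sport)
        if key not in self.inside_to_outside:       # first packet of a flow: add a row
            ext_port = next(self.ports)
            self.inside_to_outside[key] = ext_port
            self.outside_to_inside[ext_port] = key
        return replace(p, src=self.external, sport=self.inside_to_outside[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Step 3 -> 4: map a reply back to the internal host, or drop it (None)."""
        if p.dst != self.external:
            return None
        entry = self.outside_to_inside.get(p.dport)
        if entry is None:
            return None                              # no row: unsolicited, drop
        return replace(p, dst=entry[0], dport=entry[1])

    def table(self) -> list[tuple[str, int, str, int]]:
        """Rows as (internal addr, internal port, external addr, external port)."""
        return [(a, p, self.external, e) for (a, p), e in self.inside_to_outside.items()]

def sample_exchange():
    """Constructed exchange following the figure's four numbered steps, plus a
    second internal host and a stray inbound packet with no table entry."""
    nat = NatFirewall("60.5.9.8")
    out = nat.outbound(Packet("192.168.5.7", 61000, "203.0.113.5", 80))     # steps 1 and 2
    reply = Packet("203.0.113.5", 80, out.src, out.sport)                     # step 3: server answers the external side
    back = nat.inbound(reply)                                                 # step 4
    out2 = nat.outbound(Packet("192.168.5.8", 61000, "203.0.113.5", 80))    # same port, other host: new row
    stray = nat.inbound(Packet("203.0.113.5", 80, "60.5.9.8", 55382))        # no row for 55382
    return out, back, out2, stray, nat.table()

if __name__ == "__main__":
    for item in sample_exchange():
        print(item)
```

Two internal hosts may both use port 61000; the table keeps them apart by giving each its own external port, which is why the sniffer's view (one address, many ports) reveals nothing about the internal addressing.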
Slide 18: Application Firewall Operation
[Figure: a browser on client PC 192.168.6.77 talks through an application firewall at 60.45.2.6, which runs an HTTP proxy, an FTP proxy and an SMTP (e-mail) proxy, to the webserver application at 123.80.5.34. 1. HTTP request from 192.168.6.77 to the HTTP proxy. 2. Filtering. The FTP proxy applies outbound filtering on PUT; the SMTP proxy applies inbound and outbound filtering on obsolete commands and content.]
Slide 19: Application Firewall Operation
[Figure, continued: 3. The examined HTTP request is sent from 60.45.2.6 to webserver 123.80.5.34. 4. HTTP response to 60.45.2.6. 5. Filtering: on POST going out; on hostname, URL, MIME type, etc. coming in.]
Slide 20: Application Firewall Operation
[Figure, continued: 5. Filtering (on POST out; on hostname, URL, MIME type, etc. in). 6. The examined HTTP response is delivered to 192.168.6.77.]
21
13ApplicationFirewall Operation
Browser HTTP Proxy Webserver
Application
Application Firewall
60.45.2.6
FTP
Proxy
SMTP
(E-Mail)
Proxy Client PC
192.168.6.77
Webserver
123.80.5.34
Outbound
Filtering on Put
Inbound and Outbound
Filtering on Obsolete
Commands, Content
Need one Proxy Program
On the Application Firewall
For Each Protocol Filtered
22
Header Destruction With
Application Firewalls
App
MSG
(HTTP)
Orig.
TCP
Hdr
Orig.
IP
Hdr
App
MSG
(HTTP)
New
TCP
Hdr
New
IP
Hdr
App
MSG
(HTTP)
Attacker
1.2.3.4
Webserver
123.80.5.34
Application Firewall
60.45.2.6
Header Removed
Arriving Packet New Packet
Application Firewall Strips Original Headers from Arriving Packets
Creates New Packet with New Headers
This Stops All Header-Based Packet Attacks
X
Slide 23: Protocol Spoofing
[Figure: a Trojan horse on internal client PC 60.55.33.12 tries to reach attacker 1.2.3.4. 1. The Trojan transmits on port 80 to get through a simple packet filter firewall. 2. The protocol is not HTTP, so the application firewall stops the transmission.]
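Slides 22 and 23 together describe what the HTTP proxy on an application firewall does that a packet filter cannot: it parses the application message, refuses anything on port 80 that is not HTTP, applies method filtering (the figures filter POST and PUT on the way out), and forwards a freshly built request rather than the client's original bytes. The Python below is an added example of that behaviour, not code from the slides or from any product; the parser, the method policy, the header allow-list and the three sample messages are constructed, and the proxy is deliberately restricted to HTTP/1.1 requests carrying a Host header.

```python
"""Outbound HTTP inspection on an application (proxy) firewall, after slides
22 and 23.  Added example, not from the slides or any product: the parser,
the policy and the sample messages are constructed.  The proxy accepts
HTTP/1.1 requests with a Host header only."""
import re
from typing import Optional

REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^ \x00-\x1f]*|\*) HTTP/1\.1$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DENIED_OUTBOUND = {"POST"}                       # the figure filters POST on the way out
FORWARDED_HEADERS = {"host", "user-agent", "accept", "content-type", "content-length"}

def parse_request(raw: bytes):
    """Return (method, target, headers, body), or None if the bytes are not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                              # no header/body separator at all
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                              # protocol spoofing: not an HTTP request line
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return None                          # malformed header field
        headers[h.group(1).decode().lower()] = h.group(2).decode("latin-1")
    if "host" not in headers:
        return None
    return m.group(1).decode(), m.group(2).decode(), headers, body

def inspect_outbound(raw: bytes) -> tuple[str, Optional[bytes]]:
    """Decide on one client message; return (verdict, bytes to send to the server)."""
    parsed = parse_request(raw)
    if parsed is None:
        return "DROP: not HTTP", None
    method, target, headers, body = parsed
    if method not in ALLOWED_METHODS:
        return f"DROP: unknown method {method}", None
    if method in DENIED_OUTBOUND:
        return f"DROP: {method} not allowed outbound", None
    # Header destruction: none of the original bytes are forwarded as-is.  A new
    # request is assembled from parsed, allow-listed fields only, so unexpected
    # header fields never leave the network.
    out = [f"{method} {target} HTTP/1.1".encode()]
    for name, value in headers.items():
        if name in FORWARDED_HEADERS:
            out.append(f"{name.title()}: {value}".encode("latin-1"))
    return "PASS", b"\r\n".join(out) + b"\r\n\r\n" + body

# Constructed sample messages, as the proxy would receive them on port 80.
HTTP_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"X-Internal-Debug: build-17\r\nUser-Agent: demo\r\n\r\n")
HTTP_POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n\r\ndata"
NON_HTTP = b"\x16\x03\x01\x00\x2f" + bytes(range(40))   # arbitrary binary, not HTTP

if __name__ == "__main__":
    for label, msg in (("GET", HTTP_GET), ("POST", HTTP_POST), ("binary", NON_HTTP)):
        print(label, "->", inspect_outbound(msg))
```

A packet filter sees all three samples as identical TCP segments to port 80; only the proxy, which understands the application message, can tell the binary stream apart from the two requests and can decide about POST. The rebuilt request also shows header destruction in practice: the `X-Internal-Debug` field is parsed but never reappears on the server side.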
Slide 24: Circuit Firewall
[Figure: external client 123.30.82.5 reaches webserver 60.80.5.34 through a circuit firewall (SOCKS v5) at 60.34.3.31. 1. Authentication. 2. Transmission. 3. Passed transmission, no filtering. 4. Reply. 5. Passed reply, no filtering.]
Slide 25: Single-Site Firewall Architecture for a Larger Firm with a Single Site
[Figure: traffic from the Internet passes 1. a screening router 60.47.1.1 (last rule=permit all); then the DMZ holding the public webserver 60.47.3.9, the SMTP relay proxy 60.47.3.10, the HTTP proxy server 60.47.3.1 and the external DNS server 60.47.3.4; then 2. the main firewall (last rule=deny all); then 3. an internal firewall for traffic between subnets (the 172.18.9.x subnet, a marketing client on the 172.18.5.x subnet, an accounting server on the 172.18.7.x subnet); and finally 4. a client host firewall.]
Slide 26: DMZ
- Demilitarized zone
- For servers that must be accessed from the outside
  - Public webservers
  - Application (proxy) firewalls
  - DNS server that only knows the IP addresses of hosts in the firewall
- Hosts must be specially hardened because they certainly will be attacked
Slide 27: Home Firewall
[Figure: the Internet service provider connects over coaxial cable to a broadband modem (always-on connection); a UTP cord connects the modem to the home PC, which runs a PC firewall.]
Slide 28: SOHO Firewall Router
[Figure: the Internet service provider connects to a broadband modem (DSL or cable), which connects to a SOHO router (router, DHCP server, NAT firewall, and limited application firewall); an Ethernet switch connects the user PCs over UTP.]
- Many access routers combine the router and Ethernet switch in a single box
- SOHO: small office or home office
Slide 29: Distributed Firewall Architecture
[Figure: firewalls at Site A, at Site B and on a home PC, all reached over the Internet, are administered from one firewall management console.]
30
21Other Security Architecture
Issues
Host and Application Security (Chapters 6
and 9)
Antivirus Protection (Chapter 4)
Intrusion Detection Systems (Chapter 10)
Virtual Private Networks (Chapter 8)
Policy Enforcement System
6
Slide 31: Configuring, Testing, and Maintaining Firewalls
- Firewall misconfiguration is a serious problem
  - ACL rules must be executed in series
  - Easy to make misordering problems
  - Easy to make syntax errors
Slide 32: Configuring, Testing, and Maintaining Firewalls
- Create policies before ACLs
  - Policies are easier to read than ACLs
  - Can be reviewed by others more easily than ACLs
  - Policies drive ACL development
  - Policies also drive testing
Slide 33: Configuring, Testing, and Maintaining Firewalls
- Must test firewalls with security audits
  - Only way to tell if policies are being supported
  - Must be driven by policies
- Maintaining firewalls
  - New threats appear constantly
  - ACLs must be updated constantly if the firewall is to be effective
Slide 34: FireWall-1 Modular Management Architecture
[Figure: application modules (GUI) create and edit policies and read log files; the management module stores the policies and the log files; firewall modules enforce policy and send log entries. Policy flows from the management module to the firewall modules, and log file data flows back to it.]
Slide 35: FireWall-1 Service Architecture
[Figure: 1. An arriving packet from an external server reaches the FireWall-1 firewall. 2. Statefully filtered packet. 3. DoS protection and optional authentications. 4. The Content Vectoring Protocol hands the packet to a third-party application inspection firewall. 5. The statefully filtered packet, plus application inspection, is delivered to the internal client.]
Slide 36: Security Level-Based Stateful Filtering in PIX Firewalls
[Figure: the outside (Internet) interface has security level=0, the inside (internal network) interface has security level=100, and a third interface toward a router has security level=60. Connections are allowed from more secure networks to less secure networks: a connection opened from inside to outside is automatically accepted, one opened from outside to inside is automatically rejected.]
Slide 37: Questions?
