
Intro to Firewalls and VPN
Eric Nordin
February 8, 2001
OIT Security and Assurance

So, if I have a firewall, I'm secure, right?

WRONG

In this session I'll be discussing theory

I will likely discuss this in more gory detail at the next Netpeople

The idea behind firewalling

Establish a barrier between the computers you would like to protect and the rest of the Internet.
Deny all traffic by default, and allow only the subset you actually need.

What is a firewall?

A packet filter
A crude policy-enforcement device

Firewall flavors

Personal: BlackIce, ZoneAlarm, IP Filter
Network-based: Firewall-1, Gauntlet
Network-based with VPN: Lucent Managed Firewall

Packet Filtering

Look at each packet's
  direction
  source/destination address
  port number
Drop or pass the packet according to policy.

Routers can do filtering too

Sometimes this is an appropriate thing to do.
But that's not what a router is for!
For the most part, let routers route and use other devices to do firewalling.
I've seen some hubs and switches filter by Ethernet address.

What a firewall is for

Perimeter protection
The first barrier a hacker must cross to get at your payload hosts
Reducing the amount of noise in your logs
It dictates which packets can go in or out and which ones get dropped

Where it should be located

Firewalls have two or more interfaces and may connect different parts of the same subnet or, if they're more feature-rich, multiple subnets.
One interface is connected to the less secure network, and the others to the more private part.

Firewall location is important

[Diagram: Internet, firewall, workstations and servers, with areas labelled "secure area" and "DMZ"]

Demilitarized zone defined

My definition

Korean DMZ

DMZ, in network speak

[Diagram: the same layout as the previous slide: Internet, firewall, workstations and servers, with areas labelled "secure area" and "DMZ"]

DMZ, other opinion

[Diagram: an alternative arrangement of the Internet, firewall, workstations and servers, with the area labelled "DMZ"]
Firewall anatomy 101: the concepts

Packets must run a gauntlet of rules, called a ruleset, before being passed through.
Rules are typically stepped through top to bottom.

Some firewalls keep more state than others

Most firewalls filter connection-oriented protocols such as TCP by evaluating the SYN packet that opens a connection, saving the connection information in a state table, and then letting the remaining packets of that connection bypass the gauntlet of rules.

Rules

Rules are processed in a top-down manner.
Rules can filter by IP address, port number, and protocol (TCP, UDP, ICMP).

Bad policy:

Pass all, then deny what we don't want.
This is almost unworkable from a security standpoint: anything you did not think to deny gets through.

Optimal policy:

Deny all, and only pass traffic that is specifically needed.
Strategy: have a deny-all rule at the bottom with pass rules above it.
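
To make the ruleset, state and policy slides concrete, here is an added example (not code from the original talk, and not any real firewall's code): a toy packet filter in Python that steps through rules top to bottom with first-match semantics, keeps a state table for TCP connections accepted by a keep_state rule, and runs the same constructed packets through a pass-all-then-deny policy and a deny-all-then-pass policy. The addresses, ports and packets are constructed from the RFC 5737 documentation ranges; the ipf-style rule quoted in a comment is only an approximation of how the equivalent rule would be written for IP Filter.

```python
# Added example, not from the original slides: a toy packet filter showing
# top-to-bottom rule evaluation, a deny-all rule at the bottom, and a state
# table that lets packets of an accepted TCP connection skip the ruleset.
# Addresses, ports and packets below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN flag
    ack: bool = False       # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One line of the ruleset.  A None field matches anything ("any")."""
    action: str                      # "pass" or "block"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False         # like ipf "flags S keep state": match only
                                     # a bare SYN and remember the connection

    def matches(self, p: Packet) -> bool:
        fields = ((self.direction, p.direction), (self.proto, p.proto),
                  (self.src, p.src), (self.dst, p.dst), (self.dport, p.dport))
        if not all(want is None or want == got for want, got in fields):
            return False
        if self.keep_state:          # only a connection attempt may create state
            return p.proto == "tcp" and p.syn and not p.ack
        return True


ConnKey = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[ConnKey] = set()   # accepted connections (5-tuples)

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> ConnKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)   # same connection, other direction

    def filter(self, p: Packet) -> str:
        # 1. Known connection: skip the gauntlet of rules entirely.
        if self._key(p) in self.state or self._reply_key(p) in self.state:
            return "pass"
        # 2. Step through the rules top to bottom; first match decides.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(self._key(p))
                return rule.action
        # 3. Nothing matched: drop, even if someone forgot the deny-all rule.
        return "block"


MAIL = "192.0.2.10"                                # constructed: mail server behind the firewall
CLIENT, ATTACKER = "198.51.100.7", "203.0.113.9"   # constructed outside addresses


def bad_policy() -> Firewall:
    """Pass all, then deny what we don't want: only telnet is blocked."""
    return Firewall([
        Rule("block", direction="in", proto="tcp", dport=23),
        Rule("pass"),                                  # pass-all at the bottom
    ])


def good_policy() -> Firewall:
    """Deny all, and pass only what is specifically needed."""
    return Firewall([
        # roughly: pass in quick proto tcp from any to 192.0.2.10 port = 25 flags S keep state
        Rule("pass", direction="in", proto="tcp", dst=MAIL, dport=25, keep_state=True),
        Rule("pass", direction="out", proto="tcp", keep_state=True),   # inside may connect out
        Rule("block"),                                 # deny-all at the bottom
    ])


SAMPLE_PACKETS = [
    Packet("in", "tcp", CLIENT, MAIL, 40000, 25, syn=True),             # mail connection attempt
    Packet("out", "tcp", MAIL, CLIENT, 25, 40000, syn=True, ack=True),  # server's SYN/ACK reply
    Packet("in", "tcp", CLIENT, MAIL, 40000, 25, ack=True),             # rest of that conversation
    Packet("in", "tcp", ATTACKER, MAIL, 5555, 23, syn=True),            # telnet probe
    Packet("in", "tcp", ATTACKER, MAIL, 5556, 12345, syn=True),         # port nobody planned for
    Packet("in", "tcp", ATTACKER, MAIL, 5557, 25, ack=True),            # bare ACK with no connection behind it
    Packet("in", "icmp", ATTACKER, MAIL),                               # ping
]


def run(fw: Firewall, packets: List[Packet]) -> List[str]:
    """Feed the packets through the firewall in order and collect the verdicts."""
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for name, fw in (("pass-all-then-deny", bad_policy()), ("deny-all-then-pass", good_policy())):
        print(name, run(fw, SAMPLE_PACKETS))
```

Running it prints the verdicts for both policies on the same seven packets. Under the deny-all policy the bare ACK to port 25 from a new source is blocked, because a keep_state rule only matches a connection attempt (SYN without ACK) and no state exists for that 5-tuple; under the pass-all policy it goes through, as does the connection to port 12345 that nobody wrote a rule for.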

Environmental Considerations

Since this is a critical link, consider a more secure, stable OS: NetBSD, OpenBSD, NT.
A firewall should have a securely configured OS.
It should be bastion-like.
It should not have other network services installed, such as DNS, email, etc.

Firewall Exploits

Yup, they can be hacked also.
This is what I found on a simple www search.
Compliments of Packetstorm.

Pitfalls

Firewalls can be breached.
There's no excuse for a relaxed security policy on the inside of the firewall (blank passwords, wide-open permissions, poorly configured or unconfigured hosts, etc.).
Users find them inhibiting and constraining.
Firewalls will slow connections to and from the outside.
For this reason it's important to keep rulesets as compact as possible.

Pitfalls, cont'd

Firewalls have a tendency to become too open to the public after successive changes to rulesets.
Every well-known service has a number of exploits associated with it.
We want to avoid allowing traffic from anywhere to access internal networks.
Authentication would be a nice thing here . . .

Time to talk a little about VPNs

That is, Virtual Private Networks

OK now, what is it, and why do I want it?

It is a way of extending the services of your network across the Internet while ensuring the privacy and security of the traffic running between the remote host and the local network.

Yeah but, why would I want this?

You have remote users
  who need access to non-public data,
  who are almost always connecting from a network running DHCP and can't have a static IP:
  users with DSL/cable modems at home,
  faculty/staff running around with laptops, visiting other institutions.
It creates only a small pinhole in your firewall when correctly configured.

The Holy Grail of VPN

Local presence: just like you're at work.
File sharing would be doable (NFS).
Xterms would work fine.
Some U services need a local IP to allow access; this would also work fine.

VPNs: More Features

The packets themselves are encrypted and then encapsulated before they are passed into the wild.
Key exchange and peer authentication typically use public-key cryptography with X.509 certificates; the traffic itself is encrypted with symmetric session keys negotiated that way.
Provides for user authentication (username/password).
Tunnels can be created between LANs.

User experience

The user has a client installed on her machine along with an X.509 certificate.
User fires up the client
Signals to connect
Authenticates
The VPN client is transparent thereafter

VPNs DO NOT DIRECTLY IMPROVE YOUR SECURITY POSTURE

However, they do promote a more restrictive configuration on your firewall.

VPNs: where they are

Many network-based firewalls and several recent OS releases have VPNs built in.
Note: you'll want to decide where and how you'll obtain certificates.

Firewall philosophy

Network security should not begin and end with a firewall.
More measures than this must be taken to establish a secure network.

The layers of security

Firewall
Intrusion detection
Host-based security:
  turning off unnecessary services and features
  up-to-date patches, hotfixes, service packs
  closing unused accounts
  logging: allow yourself the possibility to audit as much information as possible (user logins, use of privileges, traffic)
  auditing: know that something has changed
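
As an added example of the logging and auditing bullets above (not part of the original talk, and not any particular tool's code), here is a Python script that reads constructed syslog lines of the kind sshd and sudo emit and reports user logins, use of privileges, and sources with repeated login failures. The log lines, hostname, user names and addresses are made up; the regular expressions assume the classic OpenSSH and sudo syslog message formats.

```python
# Added example, not from the original slides: audit constructed syslog lines
# for user logins, privilege use (sudo) and repeated login failures, i.e. the
# "logging" and "auditing" layers of host-based security.  Every log line,
# hostname, user and address below is made up for the example.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Feb  8 09:12:01 bastion sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Feb  8 09:13:44 bastion sshd[2034]: Failed password for root from 203.0.113.9 port 4022 ssh2
Feb  8 09:13:46 bastion sshd[2034]: Failed password for root from 203.0.113.9 port 4023 ssh2
Feb  8 09:13:49 bastion sshd[2034]: Failed password for invalid user admin from 203.0.113.9 port 4025 ssh2
Feb  8 09:20:10 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ipf -Fa -f /etc/ipf.conf
Feb  8 09:25:00 bastion sshd[2100]: Accepted password for bob from 10.0.0.8 port 51300 ssh2
Feb  8 09:26:30 bastion cron[2150]: (root) CMD (/usr/libexec/save-entropy)
"""

# Classic OpenSSH and sudo syslog formats (assumed for this example).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")

Event = Tuple[str, ...]


def parse_line(line: str) -> Optional[Event]:
    """Classify one syslog line; returns None for lines we do not audit."""
    m = ACCEPTED.search(line)
    if m:
        return ("login", m.group(2), m.group(3), m.group(1))       # user, source, method
    m = FAILED.search(line)
    if m:
        return ("failed", m.group(1), m.group(2))                  # attempted user, source
    m = SUDO.search(line)
    if m:
        return ("privilege", m.group(1), m.group(2), m.group(3).strip())   # user, ran as, command
    return None


def audit(log: str, threshold: int = 3) -> Dict[str, object]:
    """Summarise logins, privilege use and noisy sources from a log text.

    A source with at least `threshold` failed logins is reported as an alert.
    """
    logins: List[Tuple[str, ...]] = []
    failed: Counter = Counter()
    privilege: List[Tuple[str, ...]] = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev[0] == "login":
            logins.append(ev[1:])
        elif ev[0] == "failed":
            failed[ev[2]] += 1
        elif ev[0] == "privilege":
            privilege.append(ev[1:])
    alerts = sorted(src for src, n in failed.items() if n >= threshold)
    return {"logins": logins, "failed_by_source": dict(failed),
            "privilege_use": privilege, "alerts": alerts}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the example is the audit trail, not the parser: once logins, privilege use and failures are pulled out of the noise, you can see that alice reloaded the packet filter as root and that one outside address tried three passwords in five seconds, neither of which a firewall alone would tell you.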

Summing Up

Firewalls are what you want when you need perimeter protection.
Firewalls can add an element of efficiency to security tasks.
VPNs ease the restrictive nature of firewalls for the remote user.
Firewalls are not a security panacea.

The End

In the future I'll give a lower-level talk on firewall implementation.
Questions?
