Firewalls

CS 772
Fall 2009

Introduction
Any device, software, or arrangement that
limits network access.
Categories:
Packet filtering (Network level)
Circuit gateways
Application gateways
Dynamic packet filter (Packet filter + circuitlevel gateway)

Packet Filters

Runs at the network level

Drop/permit packets based on
their source or destination
addresses or port#s
No context is kept (memory less)--decision solely based on current
packet contents
Filtering ma be done at the
incoming interface, the outgoing
interface, or both.
Ingress filtering: refers to traffic
coming into your organization
Egress filtering: Outbound packet
security is called egress filtering.
Rules are applied from top to
bottom. So the last rule should be
to block all those that dont fit in
the above rules.

action

src

port

dest

Port

block

SPIGOT *

Allow

OURGW

Allow

OURGW

25

Block

Example
Intended policies:

Limited connections are permitted

through thr router between GW and the
outside world
Very limited, but possibly different,
conections are permitted between GW
and anything on NET 2 or NET 3
Any thing can pass between Net 2 and
NET 3
Outgoing calls are allowed between
NET 2 or NET 2 and the external link

Outside world

Router

Gateway

DMZ

Inside Net 3

Inside Net 1
Inside Net 2

Example (cont.)
Rule set for external
interface at the router
(that is filtering
packets coming in
from the outside
world)
Action
Block
Block
Block
Allow
Allow
Allow

Src
{NET 1}
{NET 2}
{NET 3}
*
*
*

Port
*
*
*
*
*
*

Dest
*
*
*
GW
{NET 2}
{NET 3}

Port
*
*
*
25
*
*

Flags comment
flags Block forgeries
Block forgeries
Block forgeries
Legal calls
ACK Replies to our calls
ACK Replies to our calls

Example (cont.)
Rule set on the
routers interface to
NET 1
Action
Allow
Allow
Allow
Block
Block
Allow

Src
GW
GW
GW
GW
GW
GW

Port
*
*
*
*
*
*

Dest
{partners}
{NET 2}
{NET 3}
{NET 2}
{NET 3}
*

Port Flags comment

25
Mail relay
*
ACK Replies to inside calls
*
ACK
*
Stop other calls from GW
*
*
Let GW call the world

Sample Configurations

Packet-filtering Performance
Total degradation due to filtering depends on the
number of rules applied at any point.
It is better to hav eone rule specifying a network
rather than to have several rules enumerating
different hosts on that network.
Also, speed up things by ordering the rules so
that the most common types of traffic are
processed first.

Application-level Filtering
Deal with the details of the particular service
they are checking
Special purpose code needed for each
application
Easy to log and control all incoming and
outgoing traffic---e.g., checking mail message for
specific words.
Web queries can be checked for conformation
with organizational policies
E-mail is generally passed through an
application-level filter

Circuit-level Gateways
Work at TCP level---TCP connections are
relayed through a computer that essentially acts
as a wire
A client wishing to connect to a server, connects
to the relay host supplying the needed info. The
name and IP are not available to the server.
IP packets now flow from server to host, filtered
and then to the client (like NAT)
Circuit relays are generally used to create
specific connections between isolated networks

SOCKS Circuit-level gateway

Protocol
SOCKS is an Internet protocol that allows client-server
applications to transparently use the services of a
network firewall. SOCKS is an abbreviation for
"SOCKetS" [1].
Clients behind a firewall, needing to access exterior
servers, may connect to a SOCKS proxy server instead.
Such proxy server controls the eligibility of the client to
access the external server and passes the request on to
the server. SOCKS can also be used in the opposite
way, allowing the clients outside the firewall ("exterior
clients") to connect to servers inside the firewall (internal
servers).

Distributed Firewalls
Rather than have a separate box on the
edge of the network reject all inbound
packets to port 80, this rule is enforced by
every host.

What Firewalls cannot do

They are not a panacea
Useless against attacks from insiders (legitimate
user with a bad intention)
Firewalls act at a specific layer and are not
concerned about other layers
Transitivity is a problem: If A trusts B, and B
trusts C, then A trusts C whether or not it wants.
Errors in rules or firewall is a serious threat.

Application-Level Filtering
More complex than packet filters---look at the
details of the particular service they are checking
Special code for each desired application
Easy to control and log all incoming and
outgoing traffic
Look for inappropriate or confidential words
Check if web queries are in conformance with
company policies
Strip dangerous attachments
E-mail is usually passed through an application-level
gateway

Circuit-level Gateways
Work at the TCP level

Firewall Problems
(i) Inadvertent problems
Example: Suppose a company has a policy to
drop all e-mail coming through the gateway, to
avoid exposure to mail-borne viruses. If port 80
is left open, Web mail services (e.g., gmail,
hotmail) introduce a new avenue for malicious
cod eto get in, via-e-mail-over-Web tunnels.
Example: Admin errors are the most common
cause of trivial firewall problems. A large set of
complex rules is a cause of such problems.

Firewall Problems
(ii) Intentional subversions
Consciously subversions---more
functionality, malicious parties
Firewalls often allow traffic for port 80 to
pass; Inbound HTTP traffic should be
allowed only to a Web server, and should
not reach other internal machines. Web
server should be on a DMZ network
Httptunnel is a publicly available tool for
transporting IP packets over HTTP.

Handling of IP Fragments

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| Source Port

| Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | |
Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent
Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+
IP fragmentation problems---if the destination port# part is in a different
fragment than the ACK or SYN, then the firewall will not be able to decide
whether or not to allow ACK or SYN packets since it does not know if it is
part of a current conversation.
If initial fragments are at least 16 bytes long, the problem can be avoided.
Alternately, the firewall can do the reassembly. This is expensive.

Firewalking

http://www.packetfactory.net/firewalk/firewalk-final.html

http://vesaria.com/Firewall/Testing/eye_of_hacker.php
Technique of using ICMP echo and ICMP responses and DNS queries to
get information about systems beyond a firewall.
Firewalk is an active reconnaissance network security tool that attempts to
determine what layer 4 protocols a given IP forwarding device will pass.
Firewalk works by sending out TCP or UDP packets with a TTL one
greater than the targeted gateway. If the gateway allows the traffic, it will
forward the packets to the next hop where they will expire and elicit an
ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the
traffic, it will likely drop the packets on the floor and we will see no
response.
To get the correct IP TTL that will result in expired packets one beyond
the gateway we need to ramp up hop-counts. We do this in the same
manner that traceroute works. Once we have the gateway hopcount
(at that point the scan is said to be `bound`) we can begin our scan.
It is significant to note the fact that the ultimate destination host does not
have to be reached. It just needs to be somewhere downstream, on the
other side of the gateway, from the scanning host.