
Firewalls

Mark Clements

Last Week ...

Three main methods for cryptography:
- Symmetric, asymmetric, hash
- Used in unique combinations
- Allow Bob and Alice to communicate without Eve knowing

ENS

This week ...

- Firewalls in general
- Stateful vs. Stateless Firewalls
- Application Proxies
- Firewall Architectures

Protecting the Network Perimeter

Possible reasons for attacking a network:
- Extortion
- Fraud
- Espionage
- Sabotage
- Simple curiosity

What is a Firewall?

- A firewall acts as a control barrier between a trusted and an untrusted computer network
- For example, between a company network and the Internet
- It is able to make a decision whether to allow a packet to pass or not
- It can be a dedicated system or a router too

Policy and Connections

[Figure: Trusted Network -- Firewall -- Untrusted Network]

The firewall:
- enforces a security policy
- allows only connections matching security settings

Example Policy

- For example, a firewall might be configured to pass all HTTP (www) traffic to TCP port 80, but to block any TELNET datagrams to TCP port 23
- TELNET is known to have some security weaknesses, such as sending the username and password in plain text
- You do not wish to allow external clients to TELNET onto your servers and clients

Policy in action

[Figure: Trusted Network -- Firewall -- Untrusted Network. Telnet (to TCP port 23) is blocked at the firewall; HTTP (to TCP port 80) is passed.]

IP Datagram Overview

[Figure: IP datagram header layout. Source: http://dimitar.me/]

Firewall Components

- There are two principal firewall components:
  - Packet filtering routers
  - Application proxies
- These work at different layers of the network stack
- We shall now consider each of these in more detail

Packet Filtering Routers

- Packet filtering routers decide whether to pass an IP datagram by viewing data in both the network and transport layer headers
- In particular, packet filtering routers can consider the following information:
  - Source and destination IP address (or subnet)
  - Source and destination TCP or UDP port number
  - Direction of datagram flow
  - State of connection (new or established)
- So in summary, packet filtering routers operate at the network (IP) and transport (TCP/UDP) layers of the stack

OSI Layers for firewalling

[Figure: Packet Filtering Router between the Untrusted Network and the Trusted Network. The router works at the Transport (TCP/UDP) Layer and the Network (IP) Layer, above the Link Layer and Physical Layer on each side.]

Packet Filtering Routers

- Packet filtering routers can operate in one of two ways:
  - Stateless packet filtering
  - Stateful packet filtering
- Using an access control list to check for traffic is an example of stateless filtering
- Stateful packet filtering takes note of the TCP 3-way handshake and ensures packets that pass are part of an agreed stream

Stateless Firewalls

- Stateless packet filtering routers make forwarding decisions based on the contents of the network (IP) layer header and the transport (TCP/UDP) layer header
- Their forwarding decisions are therefore based on:
  - The source and destination IP address (or subnet)
  - The direction of datagram travel
  - The source and destination TCP or UDP port number
  - Transport layer data such as SYN and ACK flags

Stateful Packet Filtering Routers

- Stateful packet filtering routers also make forwarding decisions based on the contents of the Network (IP) layer datagram header and the Transport (TCP/UDP) layer segment header
- In addition they maintain a connection state table
  - Holds the current state of a given connection
  - No need to rely solely on the SYN and ACK flag values for each packet to learn this information (the flag values can be spoofed)

Stateful Firewall Decisions

- Forwarding decisions are therefore based on:
  - The source and destination IP address (or subnet)
  - The direction of datagram travel
  - The source and destination TCP or UDP port number
  - Whether the datagram is part of a new or established connection, as indicated by the state table (which is built by observing the SYN and ACK flags in the TCP segment headers as the handshake progresses)
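The Example Policy slide and the stateless versus stateful distinction above, worked as an added Python example that is not part of the lecture: a stateless ACL judges every packet by its own headers (including the spoofable "ACK set, so it must be a reply" rule), while the stateful filter admits a packet only if it opens a permitted connection with a bare SYN or continues a handshake already in its state table. Packet addresses, ports and the flag-bit constants are constructed for the demonstration.

```python
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10      # TCP flag bits

@dataclass(frozen=True)
class Packet:
    direction: str         # "in" = untrusted -> trusted, "out" = trusted -> untrusted
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

def stateless_filter(pkt):
    """Judges each packet on its own headers only; first matching rule wins."""
    if pkt.direction == "out":
        return "pass"      # anything leaving the trusted network is allowed
    if pkt.dport == 23:
        return "drop"      # TELNET to TCP port 23 blocked
    if pkt.dport == 80:
        return "pass"      # HTTP to TCP port 80 passed
    if pkt.flags & ACK:
        return "pass"      # "must be a reply" rule: the ACK flag can be spoofed
    return "drop"

def conn_key(pkt):
    """Direction-independent connection id: the sorted pair of endpoints."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

class StatefulFilter:
    """Admits a packet only if it opens a permitted connection with a bare SYN
    or continues a handshake/stream already in the state table."""
    def __init__(self):
        self.table = {}    # conn_key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def check(self, pkt):
        key = conn_key(pkt)
        state = self.table.get(key)
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)
        if state is None:
            if syn and not ack and stateless_filter(pkt) == "pass":
                self.table[key] = "SYN_SENT"
                return "pass"
            return "drop"  # no handshake seen: spoofed ACK or mid-stream packet
        if state == "SYN_SENT" and syn and ack:
            self.table[key] = "SYN_RECV"   # simplification: sending side not checked
        elif state == "SYN_RECV" and ack and not syn:
            self.table[key] = "ESTABLISHED"
        elif state != "ESTABLISHED":
            return "drop"  # handshake out of order
        return "pass"
```

A lone inbound ACK-flagged packet aimed at an internal host passes the stateless ACL but is dropped by the stateful filter, which is the spoofing point made on the previous slide.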

Performance vs. Cost

- 90% of the firewalls today are stateful
- Stateful packet filtering routers are more reliable than stateless packet filtering routers
- They provide a greater level of protection than stateless packet filtering routers
- However, for similar cost, stateful packet filtering routers are generally slower than stateless packet filtering routers

Packet Filtering Routers Performance Summary

[Figure: performance summary chart for packet filtering routers]

Application Proxies

- 10% of firewalls are application proxies
- Application proxies operate on all layers of the OSI stack from the application layer down, rather than just the network and transport layers
  - Makes them slower
  - Makes them more specific

Application Proxy and OSI

[Figure: Application Proxy between the Trusted Network and the Untrusted Network. The proxy works at the Application Layer, above the Transport (TCP/UDP) Layer, Network (IP) Layer, Link Layer and Physical Layer on each side.]

Proxies and Decisions

- Application proxies can see and manipulate all data which the full application can see
- A separate application proxy is required for each application's traffic, i.e. HTTP, SMTP, FTP, etc.
- There are a number of other types of proxies. However, in firewall terminology, it is not unusual to refer to application proxies simply as proxies

Application Proxy Examples

- HTTP proxy: Java applets and ActiveX components which are coming in from TCP port 80 can be dropped, while plain HTML files and graphics files coming in from the same port can be passed
- SMTP proxy: An executable file attached to an e-mail can be scanned for known viruses
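The HTTP proxy decision above, as an added Python example that is not part of the lecture: a packet filter sees only "TCP port 80", whereas the proxy parses the HTTP response and drops Java applets and ActiveX components while passing HTML and graphics. The responses are constructed, the blocked media-type and extension lists are an assumption, and the check on the Java class-file magic bytes shows why a proxy looks at the body as well as the declared type.

```python
# Media types and extensions treated as applet/ActiveX content (assumed list)
BLOCKED_TYPES = {
    "application/java-archive",     # .jar applet
    "application/x-java-applet",
    "application/x-msdownload",     # .exe / ActiveX .ocx
    "application/x-oleobject",
}
BLOCKED_EXT = (".class", ".jar", ".ocx", ".cab")
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file

def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def proxy_decision(url_path, raw_response):
    """Return 'pass' or 'drop' for a response fetched on behalf of a client.
    The proxy has the whole application-layer message, so it can judge the
    declared type, the requested name and the actual bytes of the body."""
    status, headers, body = parse_response(raw_response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES or url_path.lower().endswith(BLOCKED_EXT):
        return "drop"
    if body.startswith(JAVA_CLASS_MAGIC):   # applet mislabelled as something harmless
        return "drop"
    return "pass"
```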

Application Proxy Performance

- Application proxies are more reliable in detecting malicious content than packet filtering routers
- They are generally considered to provide a much greater level of protection than packet filtering routers
- However, proxies require considerably more memory and processor cycles than any of the types of packet filtering routers outlined

Firewall Performance Summary

[Figure: chart of Processing Cost (processor cycles and memory) against Security. Stateless Packet Filtering sits lowest on both axes, Stateful Packet Filtering in the middle, and Proxying highest on both.]

Network Address Translation

- Network address translation (NAT) is a technique which allows a router to change the IP addresses of datagrams as they pass through (RFC 1631)
- Hostile datagrams cannot be routed to target systems if the IP address of the target system is unknown, or is illegal for use on the Internet (RFC 1918), e.g.:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16

NAT Example

[Figure: Clients 10.0.0.1, 10.0.0.3 and 10.0.0.4 on the Company Network connect to a Firewall whose inside address is 10.0.0.2 and whose outside address is 155.198.5.83, which in turn connects to the Internet.]

Forms of NAT:
- Static NAT
- Dynamic NAT
- PAT (Port Address Translation)
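The NAT Example slide, worked as an added Python example that is not part of the lecture, for the PAT form of NAT: the 10.0.0.x clients all share the firewall's single public address 155.198.5.83 and are told apart by the public source port the firewall assigns. Replies are mapped back to the private host, and an inbound packet with no matching session is dropped, which is how the unroutable RFC 1918 addresses keep hostile datagrams away from inside hosts. The starting port and the outside peer addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges from the slide: never routable on the Internet
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class PortAddressTranslator:
    """PAT table for a firewall with one public address (155.198.5.83 on
    the slide): many private hosts share it, told apart by public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed starting point
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def translate_out(self, src, sport, dst, dport):
        """Rewrite an outbound packet's source; returns (public_ip, public_port),
        or None when the source is not a company-network host."""
        if not is_private(src):
            return None
        key = (src, sport, dst, dport)
        if key not in self.outbound:         # first packet of a new session
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, src, sport, dst, dport):
        """Map a reply back to (private_ip, private_port); None means drop:
        no session exists, so the inside host stays unreachable."""
        if dst != self.public_ip:
            return None
        entry = self.inbound.get(dport)
        if entry is None or (entry[2], entry[3]) != (src, sport):
            return None                      # unsolicited, or from the wrong peer
        return entry[0], entry[1]
```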

Firewall Architectures

- Most real firewalls make use of a number of components connected together, to form an overall firewall solution
- It is possible to build a wide range of firewall architectures, with each having a range of applications
- Some examples are:
  - The Classic architecture
  - The Belt and Braces architecture
  - The Chapman architecture

Firewall Architectures - Classic

[Figure: Internet -- Packet Filtering Router -- DMZ holding a DNS Server, an FTP Server, a WWW Server and the Application Proxy -- Company Network, which has its own DNS Server.]

Classic Architecture

- The packet filtering router prevents datagrams not addressed to the DMZ hosts or the proxy from entering the DMZ
- Externally visible services (www, FTP, etc.) are easily available
- Datagrams traveling to the company network are sent via the application proxy for maximum security
- If any of the DMZ hosts are compromised, they can be re-configured quickly
  - No adverse effect on the company network

Belt and Braces Architecture

[Figure: Internet -- Packet Filtering Router -- DMZ holding the Application Proxy -- second Packet Filtering Router -- Company Network.]

Belt and Braces Security

- The additional packet filtering router provides an additional level of security
- If the proxy is compromised, the company network is still protected

Chapman Architecture

[Figure: Internet -- Packet Filtering Router -- segment holding the WWW Server, the FTP Server and the Application Proxy -- second Packet Filtering Router -- Company Network.]

Chapman Architecture

- Outgoing traffic can bypass the proxy
- Allows external access to services not supported by the proxy
- NAT not possible
- If the external router is compromised, the internal router is vulnerable to attack

Firewall Security

- Remember that firewalls themselves are vulnerable to attack, so the following precautions should be taken:
  - Remove all Telnet and SSH access to firewall components
  - Operate firewall components only from the console
  - Remove all unnecessary software and services from firewall components
  - Remove all unnecessary user accounts from firewall components

What a Firewall Cannot Do

- A firewall cannot protect against poor server, client or network configuration
- A firewall cannot configure itself, or prevent the firewall administrator from configuring it badly
- A firewall should be considered as part of a network security solution, not as the network security solution

Conclusion

- Firewalls prevent malicious traffic from entering a network by filtering
  - Traffic defined in a policy
  - Stateful and stateless architectures
  - Application proxies better but slower
  - Allows for several architectures
  - NAT obfuscates inside addresses

Professional Qualifications in Information Security

- There are a number of professional certifications in the field of information security
- Some of the most commonly recognized are those offered by:
  - The International Information Systems Security Certification Consortium, generally known as (ISC)2
  - ISACA, the Information Systems Audit and Controls Association
  - The SANS Institute
- See the following web site screen shots

[Figures: web site screen shots of the three organizations]
