
Firewalls

DEFINITION
A firewall is a combination of hardware, software and management activities that are used to enforce the Internet security policy that has been decided upon. A firewall is one of several ways of protecting one network from other, untrustworthy networks.

Hence a firewall is a collection of components placed between two networks that collectively have the following properties:
All traffic from inside to outside, and vice versa, must pass through the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.

The placement of a firewall system with respect to the internal network is as follows.

[Figure: the firewall sits between the company network and the Internet. Source: Adam Coldwell]

Aim of the Firewall


The firewall, inserted between the premises network and the Internet, aims to:
Establish a controlled link
Protect the premises network from Internet-based attacks
Provide a single choke point, simplifying management
Provide a location for monitoring or auditing
Divide the network into independently administered segments

Design Goals

All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
Only authorized traffic (defined by the local security policy) will be allowed to pass
The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

General Techniques
Service control
Determines the types of Internet services that can be accessed, inbound or outbound

Direction control
Determines the direction in which particular service requests are allowed to flow

User control
Controls access to a service according to which user is attempting to access it

Behavior control
Controls how particular services are used (e.g. filtering e-mail or restricting access to web pages)

The primary components of a firewall are:

Network policy
There are two levels of network policy that directly influence the design, installation and use of a firewall system. They are as follows.

Service access policy
A higher-level network access policy that defines:
those services that will be allowed or explicitly denied from the restricted network,
how these services will be used, and
the conditions for exceptions to this policy.

Firewall design policy
This lower-level policy defines the rules used to implement the service access policy at:
host level,
application level, and
user level.

Host level filtering
This component implements the firewall design policy at the host level, allowing or denying specific external hosts access to internal hosts and vice versa. It can be done by the router itself or by software.

This filtering is done by IP packet filtering, based on some or all of the following fields:
source host IP address,
destination host IP address,
TCP/UDP source port, and
TCP/UDP destination port.

[Figure: firewall architecture. Source: Chapman, Building Internet Firewalls]

Application level gateways
This component uses software applications to forward and filter connections for services such as telnet, ftp, http, etc.

Such a software application, which provides these services, is referred to as a proxy service, while the host running the proxy service is referred to as an application gateway.

Application gateways and packet filtering modules can be combined to provide higher levels of security and flexibility than if either were used alone. An example of such a system is shown in the following figure.

[Figure: proxy server. Source: Chapman, Building Internet Firewalls]

User authentication
The basic function of any firewall is to:
deny access to anyone without proper authorization, and
permit users with correct authorization to pass through the firewall.

These two tasks are achieved using the component of the firewall called user authentication. There are various methods by which authentication can be achieved, for example:
Passwords
Smartcards
Session encryption, etc.

Types of Firewalls
Common types of firewalls:
Packet-filtering routers
Application-level gateways
Circuit-level gateways
Bastion host

Types of Firewalls
Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)

[Figure: example packet-filter rule set]

Advantages:
Simplicity
Transparency to users
High speed

Disadvantages:
Difficulty of setting up packet filter rules
Lack of authentication

Possible attacks on packet filtering firewalls and appropriate countermeasures:
IP address spoofing
Source routing attacks
Tiny fragment attacks

Standard packet filter
Allows connections as long as the ports are OK
Denies new inbound connections, using the SYN flag
Examples: Cisco and other routers, Karlbridge, Unix hosts, steelhead

Packet filter weaknesses
It's easy to botch the rules.
Good logging is hard.
Stealth scanning works well.
Packet fragments, IP options and source routing work by default.
Routers usually can't authenticate endpoints.

Stateful packet filters
SPFs track the last few minutes of network activity. If a packet doesn't fit in, they drop it.
Stronger inspection engines can search for information inside the packet's data.
SPFs have to collect and assemble packets in order to have enough data.
Examples: Firewall-1, ON Technologies, SeattleLabs, ipfilter

Weaknesses in SPF
All the flaws of standard filtering can still apply.
Default setups are sometimes insecure.
The packet that leaves the remote site is the same packet that arrives at the client (nothing is rewritten by a proxy).
Data inside an allowed connection can be destructive.
Traditionally SPFs have poor logging.

Types of Firewalls
Application-level Gateway
Also called proxy server
Acts as a relay of application-level traffic

Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic

Disadvantages:
Additional processing overhead on each connection (gateway as splice point)

Types of Firewalls
Circuit-level Gateway
Stand-alone system, or a specialized function performed by an application-level gateway
Sets up two TCP connections
The gateway typically relays TCP segments from one connection to the other without examining the contents
The security function consists of determining which connections will be allowed
Typical use is a situation in which the system administrator trusts the internal users
An example is the SOCKS package (RFC 1928)

Types of Firewalls
Bastion Host
A system identified by the firewall administrator as a critical strong point in the network's security
The bastion host serves as a platform for an application-level or circuit-level gateway
A bastion host may require additional authentication before a user is allowed access to its services; each service may require its own authentication before granting user access

Firewall Configurations
In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible. Three common configurations:

Screened host firewall system (single-homed bastion host)
The firewall consists of two systems:
A packet-filtering router
A bastion host

Configuration for the packet-filtering router:
Only packets from and to the bastion host are allowed to pass through the router

The bastion host performs authentication and proxy functions

Greater security than single-system configurations, for two reasons:
This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
An intruder must generally penetrate two separate systems

This configuration also affords flexibility in providing direct Internet access (e.g. to a public information server such as a Web server)

Screened host firewall system (dual-homed bastion host)
Compromising the packet-filtering router does not lead to direct access to internal hosts
Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Screened-subnet firewall system
Most secure configuration of the three
Two packet-filtering routers are used
Creation of an isolated sub-network

Advantages:
Three levels of defense to thwart intruders
The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Policy/Settings
Policy:
No outside Web access.
Outside connections to the public Web server only.
Prevent Web radios from eating up the available bandwidth.
Prevent your network from being used for a Smurf DoS attack.
Prevent your network from being tracerouted or scanned.
Settings:
Drop all outgoing packets to any IP, port 80.
Drop all incoming TCP SYN packets to any IP except the Web server, port 80.
Drop all incoming UDP packets except DNS and router broadcasts.
Drop all ICMP packets going to a broadcast address.
Drop all incoming ICMP, UDP or TCP echo-request packets.
Drop all packets with TTL < 5.
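The rule list described under Packet-filtering Router (rules matched against IP/TCP header fields, first match wins, with a default policy of discard or forward) and the settings above can be written as one ordered rule table. The following is an added example, not code from the slides; the addresses (203.0.113.0/24 as the local network, 203.0.113.10 as the Web server, 203.0.113.53 as the DNS resolver) and the choice of UDP port 520 for "router broadcasts" are assumptions. The ordering matters: the specific "forward" exceptions (Web server, DNS replies) must come before the broad "discard" rules they are carved out of.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed addressing for the example (assumption: the slides name no addresses).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
WEB_SERVER = "203.0.113.10"    # the one public web server
DNS_SERVER = "203.0.113.53"    # resolver whose replies are allowed in
BROADCAST = str(LOCAL_NET.broadcast_address)


@dataclass(frozen=True)
class Packet:
    direction: str                        # "in" (Internet -> local) or "out"
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}
    icmp_type: Optional[int] = None       # 8 = echo request
    ttl: int = 64


@dataclass(frozen=True)
class Rule:
    """One filter rule: every field that is not None must match; first match wins."""
    name: str
    action: str                           # "forward" or "discard"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None             # CIDR
    dst: Optional[str] = None             # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None   # exact TCP flag set
    icmp_type: Optional[int] = None
    ttl_below: Optional[int] = None
    to_broadcast: Optional[bool] = None


def _in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.direction is None or rule.direction == pkt.direction,
        rule.proto is None or rule.proto == pkt.proto,
        rule.src is None or _in_net(pkt.src, rule.src),
        rule.dst is None or _in_net(pkt.dst, rule.dst),
        rule.sport is None or rule.sport == pkt.sport,
        rule.dport is None or rule.dport == pkt.dport,
        rule.flags is None or rule.flags == pkt.flags,
        rule.icmp_type is None or rule.icmp_type == pkt.icmp_type,
        rule.ttl_below is None or pkt.ttl < rule.ttl_below,
        rule.to_broadcast is None or rule.to_broadcast == (pkt.dst == BROADCAST),
    ])


SYN = frozenset({"SYN"})

# The slide's settings, in order. Specific "forward" exceptions precede the broad "discard" rules.
POLICY = [
    Rule("no traceroute/scans: low TTL", "discard", ttl_below=5),
    Rule("no Smurf amplification", "discard", proto="icmp", to_broadcast=True),
    Rule("no ping from outside", "discard", direction="in", proto="icmp", icmp_type=8),
    Rule("no UDP echo from outside", "discard", direction="in", proto="udp", dport=7),
    Rule("no TCP echo from outside", "discard", direction="in", proto="tcp", dport=7),
    Rule("no outside web access", "discard", direction="out", proto="tcp", dport=80),
    Rule("public web server", "forward", direction="in", proto="tcp", dst=WEB_SERVER + "/32", dport=80, flags=SYN),
    Rule("no other inbound connections", "discard", direction="in", proto="tcp", flags=SYN),
    Rule("DNS replies", "forward", direction="in", proto="udp", src=DNS_SERVER + "/32", sport=53),
    Rule("router broadcasts (RIP, assumed)", "forward", direction="in", proto="udp", to_broadcast=True, dport=520),
    Rule("no other inbound UDP", "discard", direction="in", proto="udp"),
]


def filter_packet(pkt: Packet, rules=POLICY, default: str = "forward"):
    """Return (action, rule name) for the first matching rule, or the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"
```

The default here is "forward", because the slide lists only what to drop; switching the default to "discard" is the other of the two default policies and would then require explicit "forward" rules for every reply packet (for example the SYN-ACK coming back to an internal client), which is exactly the set-up difficulty the slides warn about.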

Attacks/Defense
IP internal-address spoofing.
Defense: drop all incoming packets with a local source address.

Source routing (external spoof).
Defense: drop all IP packets with the source-routing option.

Tiny fragment attacks.
Defense: drop all incoming packets with a small fragment offset; reassemble IP fragments (hard work).

2nd-fragment probes.

SYN-ACK probes.
Defense: be stateful: keep track of outgoing TCP SYN packets (the start of every TCP connection) (hard work).
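The stateful packet filter described earlier (tracking the last few minutes of activity and dropping what does not fit) and the defenses listed above can be combined into one inbound check. The following is an added example, not code from the slides; the internal network 192.168.1.0/24, the bastion host 192.168.1.2 with SMTP as the only service reachable from outside, and the 120-second idle timeout are assumptions. Fragment reassembly is not modelled: non-initial fragments that pass the overlap check are passed through with a note.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed addressing (assumption: the slides name no hosts).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_SERVICES = {("192.168.1.2", 25)}   # the bastion host's SMTP, the only service reachable from outside
STATE_TIMEOUT = 120.0                     # seconds of idleness before a connection is forgotten
TCP_HEADER_LEN = 20                       # bytes needed to carry ports and flags


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]        # TCP flags
    frag_offset: int = 0         # IP fragment offset in 8-byte units (0 = first or only fragment)
    length: int = 40             # bytes of IP payload in this fragment
    source_routed: bool = False  # IP loose/strict source-route option present


class StatefulFilter:
    """Tracks outbound TCP connections and admits inbound packets only if they belong to one."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port) -> last time seen
        self.state: Dict[Tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        self.state = {k: t for k, t in self.state.items() if now - t <= STATE_TIMEOUT}

    def outbound(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # A pure SYN is the start of every TCP connection: record it so the reply can be matched.
        if pkt.flags == frozenset({"SYN"}) or key in self.state:
            self.state[key] = now
        return "forward"

    def inbound(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        # Internal-address spoofing: a local source address can never arrive on the outside interface.
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            return "drop: internal source address from outside"
        # Source routing lets an outsider steer replies back to itself; drop the option outright.
        if pkt.source_routed:
            return "drop: source-routing option"
        # Tiny fragments: a first fragment too short to hold the TCP header hides the ports and flags,
        # and a fragment at offset 1 (byte 8) would overwrite the flags carried in the first fragment.
        if pkt.frag_offset == 0 and pkt.length < TCP_HEADER_LEN:
            return "drop: first fragment shorter than the TCP header"
        if pkt.frag_offset == 1:
            return "drop: fragment offset overlaps the TCP header"
        if pkt.frag_offset > 1:
            # Non-initial fragments carry no ports; a real SPF reassembles before deciding.
            return "forward: non-initial fragment (reassembly not modelled here)"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state and "ACK" in pkt.flags:
            self.state[key] = now           # SYN-ACK or data for a connection we opened
            return "forward"
        if pkt.flags == frozenset({"SYN"}):
            if (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
                self.state[key] = now       # inbound connection to a permitted service
                return "forward"
            return "drop: unsolicited inbound SYN"
        # SYN-ACK or ACK that matches no tracked connection: a probe, not a reply.
        return "drop: no matching connection"
```

A SYN-ACK probe is rejected simply because no outbound SYN for that four-tuple was ever seen, and the same lookup rejects an ACK that arrives after the entry has aged out; the cost is the state table itself, which is the "hard work" the slide mentions.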

Modern Firewall/Network Defenses
Honey pot
Network monitoring software/hardware/device
Auto-alerting
System/network scanning (may detect intruders)
Access control based on a combination of parameters: OS, user, machine, connection hub/ports, connection path, services, privileges, and other parameters

LIMITATIONS
The firewall model described has various limitations, some of which are as follows.
A firewall offers no protection against viruses contained in files transferred via ftp or other services provided by the application-level gateway.
A firewall can't protect against malicious insiders if the network access policy is not sound.
A firewall can't protect against connections that don't go through it.
A firewall can't protect against completely new threats at all times.
A firewall can't protect against internal threats.

LOGGING
Why?
Identify suspicious activity
Evidence to prosecute attackers
To verify that the firewall is configured correctly

How?
Secure log host, near the firewall
SYSLOG facility
Optimally out of band
Separate interface for log traffic on high-risk networks
Offsite backups

What to look for?
Sequential scans
Non-routable network addresses
Invalid TCP flags
Commonly attacked ports (portmap, RPC, etc.)
Traffic preceding security incidents and break-ins
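As an added example of the "what to look for" items, not code from the slides: the checks below run over a few constructed syslog-like lines (the netfilter-style field names IN=, SRC=, DST=, PROTO=, SPT=, DPT=, FLAGS= are an assumption; the slides fix no log format) and report a sequential port sweep, a non-routable source address arriving on the outside interface, TCP flag combinations no real stack sends, and hits on commonly attacked ports. The watched-port set is a small illustrative assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a netfilter/syslog-like format (assumption: the slides fix no log format).
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40000 DPT=21 FLAGS=S
Mar 10 12:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40001 DPT=22 FLAGS=S
Mar 10 12:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40002 DPT=23 FLAGS=S
Mar 10 12:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40003 DPT=24 FLAGS=S
Mar 10 12:00:02 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.2 PROTO=TCP SPT=40004 DPT=25 FLAGS=S
Mar 10 12:00:05 fw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.2 PROTO=TCP SPT=1234 DPT=80 FLAGS=S
Mar 10 12:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.2 PROTO=TCP SPT=5555 DPT=111 FLAGS=SF
Mar 10 12:00:07 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.2 PROTO=TCP SPT=5556 DPT=111 FLAGS=
Mar 10 12:00:08 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.168.1.2 PROTO=TCP SPT=51000 DPT=25 FLAGS=S
"""

LINE_RE = re.compile(
    r"(?P<verdict>ACCEPT|DROP) IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S*))?"
)
EXTERNAL_IF = "eth0"
# Ports worth a closer look when hit from outside (assumption: a small illustrative set).
WATCH_PORTS = {111: "portmap/RPC", 2049: "NFS", 135: "MS-RPC"}
# Addresses that cannot legitimately be a source on the outside interface (RFC 1918, loopback,
# link-local, "this network", multicast).  Listed explicitly rather than via is_private, which
# would also flag the documentation ranges used in this sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"]) if e["dpt"] else None
            e["flags"] = set(e["flags"] or "")
            entries.append(e)
    return entries


def sequential_scans(entries, min_run=4):
    """One source touching a run of consecutive ports on one host is a port sweep."""
    ports = defaultdict(set)
    for e in entries:
        if e["dpt"] is not None:
            ports[(e["src"], e["dst"])].add(e["dpt"])
    findings = []
    for (src, dst), seen in ports.items():
        ordered = sorted(seen)
        start = ordered[0]
        best = (start, start)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur != prev + 1:
                start = cur
            if cur - start > best[1] - best[0]:
                best = (start, cur)
        if best[1] - best[0] + 1 >= min_run:
            findings.append({"src": src, "dst": dst, "ports": best})
    return findings


def non_routable_sources(entries, external_if=EXTERNAL_IF):
    """A private or otherwise non-routable source address arriving from outside is spoofed or misrouted."""
    bad = []
    for e in entries:
        ip = ipaddress.ip_address(e["src"])
        if e["iface"] == external_if and any(ip in net for net in NON_ROUTABLE):
            bad.append(e["src"])
    return bad


def invalid_flags(entries):
    """Flag combinations no real TCP stack sends: null, SYN+FIN, SYN+RST, FIN without ACK."""
    findings = []
    for e in entries:
        f = e["flags"]
        if e["proto"] != "TCP":
            continue
        if not f or {"S", "F"} <= f or {"S", "R"} <= f or ("F" in f and "A" not in f):
            findings.append((e["src"], e["dpt"], "".join(sorted(f)) or "none"))
    return findings


def watched_ports(entries):
    return [(e["src"], e["dpt"], WATCH_PORTS[e["dpt"]]) for e in entries if e["dpt"] in WATCH_PORTS]


def analyse(text):
    entries = parse_log(text)
    return {
        "scans": sequential_scans(entries),
        "non_routable": non_routable_sources(entries),
        "bad_flags": invalid_flags(entries),
        "watched_ports": watched_ports(entries),
    }
```

Note that the sweep is visible only because the dropped packets were logged: the one ACCEPT on port 25 would look harmless by itself, which is the argument for logging denials and for reading the logs "under normal conditions", not just after a break-in.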

When to look at them?
After a break-in
Under normal conditions (know what normal looks like)
Just to see what's going on, BEFORE the users start complaining "I can't do XXX anymore"

How long to keep them?
Volume
Don't exceed your disk space. That's bad. If you keep too many, it's a real pain to analyze.

Prosecution
If you prosecute, you'll have to keep them until at least the trial is over. It could be a while.

Firewall Drawbacks
Firewalls can become a bottleneck
Certain protocols (FTP, RealAudio) are difficult for firewalls to process
Assumes inside users are trusted
Multiple entry points make firewalls hard to manage

Distributed Firewall Concept
Security policy is defined centrally
Enforcement of policy is done by the network endpoint(s)

Standard Firewall Example
[Figure: the Internet and an external host on one side of the corporate firewall; on the other side the corporate network with the external Webserver, the intranet Webserver (company private), Internal Host 1 and Internal Host 2 (untrusted)]

Standard Firewall Example: connection to the Web server
[Figure: the same network; connections from the external host and the internal hosts to the external Webserver]

Standard Firewall Example: connection to the intranet
[Figure: the same network; the external host's connection to the intranet Webserver is blocked by the firewall, while the connection from Internal Host 2 (untrusted) is allowed, but should not be]

Distributed Firewall Example
[Figure: the same hosts with no corporate firewall in the path and an additional Internal Host (telecommuting) reaching in from the Internet side]

Distributed Firewall Example: to the Web server
[Figure: the distributed-firewall network; connections to the external Webserver]

Distributed Firewall Example: to the intranet
[Figure: the distributed-firewall network; connections to the intranet Webserver (company private)]

Distributed Firewall Implementation
Language to express policies and resolve requests (KeyNote system)
Mechanisms to distribute security policies (web server)
Mechanism that applies the security policy to incoming packets (policy daemon and kernel updates)

Traditional Firewalls

Problems:
The complexity of the domain rules for all the nodes in the topology may lead to security compromises.
Filtering is centralized at a single node.
Unscalable, and a single point of failure.

Distributed Firewalls

Advantages:
Control remains centralized
Does not rely on the topology

Can be implemented by:
IPsec

General Philosophy
The system manager uses a high-level language to describe endpoints and specify the security policy
A compiler translates the policy into filter rules
A management tool distributes the policy to all endpoints
Endpoints accept or reject packets based on the filter rules and cryptographically verified identities
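An added example (not the KeyNote system or any project's implementation) of the four steps above in miniature: a policy written in terms of named endpoints is compiled into per-endpoint rules, and each endpoint verifies the sender's identity before consulting them. The endpoint names, addresses, and the shared-key HMAC standing in for the "cryptographically verified identity" are assumptions; a real deployment would use IPsec credentials as the slides say. What it shows is that an untrusted host on the internal segment is refused while a telecommuter outside the topology is accepted, because the decision never depends on the source address.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed endpoints: name -> (address, credential).  A real deployment would use IPsec/IKE
# certificates; the shared-key HMAC below is a stand-in for verified identity (assumption).
ENDPOINTS = {
    "intranet-web": ("10.1.0.5", b"k-intranet-web"),
    "host1":        ("10.1.0.11", b"k-host1"),
    "telecommuter": ("198.51.100.77", b"k-telecommuter"),   # outside the corporate topology
    "host2":        ("10.1.0.12", None),                     # inside the topology but untrusted: no credential
}

# High-level policy written by the system manager: (action, service endpoint, port, allowed identities).
POLICY = [
    ("allow", "intranet-web", 80, {"host1", "telecommuter"}),
    ("allow", "intranet-web", 22, {"host1"}),
]


def compile_policy(policy) -> Dict[str, List[dict]]:
    """Translate the policy into per-endpoint filter rules keyed by identity, not by address or topology."""
    rules: Dict[str, List[dict]] = {}
    for action, target, port, identities in policy:
        rules.setdefault(target, []).append({"action": action, "port": port, "identities": frozenset(identities)})
    return rules


def _tag(key: bytes, identity: str, src: str, dport: int, payload: bytes) -> str:
    msg = b"|".join([identity.encode(), src.encode(), str(dport).encode(), payload])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def send(identity: str, dst_port: int, payload: bytes, claimed_src: Optional[str] = None) -> dict:
    """Build a packet as endpoint `identity` would; `claimed_src` lets a test spoof the address."""
    addr, key = ENDPOINTS[identity]
    src = claimed_src or addr
    tag = _tag(key, identity, src, dst_port, payload) if key else ""
    return {"identity": identity, "src": src, "dport": dst_port, "payload": payload, "tag": tag}


class Endpoint:
    """The enforcement point: every host filters for itself using the centrally compiled rules."""

    def __init__(self, name: str, rules: Dict[str, List[dict]]):
        self.name = name
        self.rules = rules.get(name, [])

    def verified_identity(self, pkt: dict) -> Optional[str]:
        entry = ENDPOINTS.get(pkt["identity"])
        if entry is None or entry[1] is None:
            return None                      # unknown sender, or one that holds no credential
        expected = _tag(entry[1], pkt["identity"], pkt["src"], pkt["dport"], pkt["payload"])
        return pkt["identity"] if hmac.compare_digest(expected, pkt["tag"]) else None

    def accept(self, pkt: dict) -> bool:
        who = self.verified_identity(pkt)
        if who is None:
            return False                     # a plausible internal address alone earns nothing
        for rule in self.rules:
            if rule["port"] == pkt["dport"] and who in rule["identities"]:
                return rule["action"] == "allow"
        return False
```

Distributing `compile_policy(POLICY)` to every host is the "management tool" step; each `Endpoint` only ever looks at its own slice of the compiled rules, so adding or moving hosts changes the policy file, not the topology.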

Why Build a FIREWALL, when it can be bought?

The main advantage of building a firewall is that in-house personnel understand the specifics of its design and use. This knowledge may not exist in-house with a vendor-supported firewall.

Almost all commercial firewalls support most of the standard protocols, because they are commercial. But an in-house developed firewall can be evolved to support in-house developed protocols as well. When we talk of developing a TRUSTED OS, a commercial firewall sitting on such an OS might defeat the purpose of the firewall.

Planning Steps
Know the details of how client-server connections are made
Determine the physical location of equipment
Decide who gets access in either direction
A screening router filters on the basis of IP address/port, not user

Determine a strategy for logging activity:
What to write
How to monitor
Under what conditions you take specific actions

Develop a failure plan in case the firewall breaks
Develop a thorough testing procedure

Firewalls: Management Concerns
Firewall management issues are more complex and thorny than the technical issues
Economic issues: How much will it cost to implement and maintain?
In-house or outsource?
How large and how fast should the firewall be?

Operations issues:
How much capacity and supporting personnel?
Who administers the firewall?
Who controls the content on the firewall: marketing or MIS?
Liability: What do you do if there is a security breach?

Selecting a firewall system
Operating system
Protocols handled
Filter types
Logging
Administration
Simplicity
Tunneling

Commercial Firewall Systems
[Figure: bar chart of commercial firewall market share (axis 0% to 45%) with bars for Axent, Check Point, Cisco, CyberGuard, Network Associates and others; the percentages are not recoverable from the page]

Widely used commercial firewalls
AltaVista
BorderWare (Secure Computing Corporation)
CyberGuard Firewall (CyberGuard Corporation)
Eagle (Raptor Systems)
Firewall-1 (Checkpoint Software Technologies)
Gauntlet (Trusted Information Systems)
ON Guard (ON Technology Corporation)

A real-life firewall example

Case Study
Existing network
100baseT switched ethernet segment

Additions needed
Administratively independent work group and servers

Policy decisions
Servers protected but publicly visible and accessible via well-known protocols
Internal network invisible to the outside, but internal users must be allowed to access the Internet

New topology
DMZ for servers behind the firewall
Internal network with IP masquerading

Rules
Public services: Internet → DMZ
Outgoing services: Internal → Internet
Internal services: Internal → DMZ

Case Study Firewall Policy

The Internet to Internal Network relationship
Internal hosts are assigned private network addresses (DHCP or manually)
Connections initiated by internal hosts appear to come from one IP address (IP masquerading)
Connections cannot be initiated from the hostile network

The Internet to DMZ Network relationship
The hostile network may only initiate access to well-known public services
DMZ hosts have public Internet IP addresses

The Internal to DMZ Network relationship
DMZ hosts can initiate connections to internal hosts if allowed in the policy
Internal hosts can connect directly (not masqueraded) to DMZ hosts

Rules that apply to all firewall segments
Anti-spoofing protection
Checks to make sure that local traffic isn't coming from outside the network segment

Denial of service protection
Packet validity
Packet flooding
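The case-study rules, the per-segment anti-spoofing check and the denial-of-service rules can be expressed as one zone-based decision for connection-initiating packets. This is an added example, not the case study's own configuration; the addresses (10.1.0.0/16 internal, 203.0.113.0/28 DMZ, 203.0.113.1 as the masquerade address), the interface-to-segment mapping, the public services, the single DMZ-to-internal exception and the flood threshold of 20 new connections per source per second are assumptions. Replies to accepted connections are left to a state table and are not shown.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed addressing for the case study (assumption: the slides give no addresses).
SEGMENTS = {
    "internal": ipaddress.ip_network("10.1.0.0/16"),     # private addresses, masqueraded on the way out
    "dmz": ipaddress.ip_network("203.0.113.0/28"),       # public addresses
}
IFACE_ZONE = {"eth0": "internet", "eth1": "dmz", "eth2": "internal"}
MASQ_ADDRESS = "203.0.113.1"            # all internal connections appear to come from here
PUBLIC_SERVICES = {("203.0.113.5", 80), ("203.0.113.5", 443), ("203.0.113.6", 25)}
DMZ_TO_INTERNAL = {("203.0.113.6", "10.1.0.20", 389)}   # mail relay -> directory server, allowed by policy
FLOOD_LIMIT = 20                        # new connections per source per second before we start dropping


@dataclass(frozen=True)
class Conn:
    """A connection-initiating packet (TCP SYN); replies are left to the state table."""
    in_iface: str
    src: str
    dst: str
    dport: int
    valid: bool = True                  # False for malformed packets (bad length, checksum, options)


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


class ZoneFirewall:
    def __init__(self):
        self.new_conns = defaultdict(int)   # (src, second) -> count, for flood protection

    def decide(self, c: Conn, now: float):
        """Return (verdict, reason, source address as seen by the destination)."""
        # Anti-spoofing, on every segment: the source must belong to the segment the packet came in on.
        if zone_of(c.src) != IFACE_ZONE[c.in_iface]:
            return "drop", "anti-spoofing: %s address on %s" % (zone_of(c.src), c.in_iface), None
        # Denial of service: packet validity, then packet flooding.
        if not c.valid:
            return "drop", "invalid packet", None
        self.new_conns[(c.src, int(now))] += 1
        if self.new_conns[(c.src, int(now))] > FLOOD_LIMIT:
            return "drop", "connection flood from %s" % c.src, None
        src_zone, dst_zone = zone_of(c.src), zone_of(c.dst)
        if (src_zone, dst_zone) == ("internet", "dmz"):
            if (c.dst, c.dport) in PUBLIC_SERVICES:
                return "accept", "public service", c.src
            return "drop", "not a public service", None
        if (src_zone, dst_zone) == ("internet", "internal"):
            return "drop", "connections cannot be initiated from the hostile network", None
        if (src_zone, dst_zone) == ("internal", "internet"):
            return "accept", "outgoing service, masqueraded", MASQ_ADDRESS
        if (src_zone, dst_zone) == ("internal", "dmz"):
            return "accept", "internal service, not masqueraded", c.src
        if (src_zone, dst_zone) == ("dmz", "internal"):
            if (c.src, c.dst, c.dport) in DMZ_TO_INTERNAL:
                return "accept", "DMZ to internal, allowed by policy", c.src
            return "drop", "DMZ to internal, not in policy", None
        # Only the three relationships in the case study are allowed; anything else is dropped.
        return "drop", "no rule for %s -> %s" % (src_zone, dst_zone), None
```

The third element of the result is what the destination sees as the source: the masquerade address for internal-to-Internet connections, the real address for internal-to-DMZ ones, which is the "not masqueraded" distinction in the policy above.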

Thank You
