
TDC 311 - Firewalls

Learn about firewalls, network security devices that control access to traffic between untrusted and trusted zones. Understand the different types of firewalls, their functions, and how they enhance network security.

akendall

Presentation Transcript


  1. TDC 311 -Firewalls Laura McFall DePaul University School of Computing and Digital Media

  2. What is a Firewall? • A network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network) • Acts as the demarcation point or “traffic cop” in the network; all communication should flow through it and it is where traffic is granted or rejected access • Firewalls enforce access controls through a positive control model, which states that only traffic defined in the firewall policy is allowed onto the network • All other traffic is denied (known as “default deny”)

  3. Access Control Lists • Early on, the firewall function was performed by Access Control Lists (ACLs), often on routers • ACLs are essentially written-out rules that determine whether network access should be granted or rejected for specific IP addresses • So, an ACL can have a line that states all traffic from IP 172.168.2.2 must be rejected, or one that allows all traffic on port 80 from 172.168.2.2 to a web server at 10.10.10.201 • ACLs are advantageous due to scalability and high performance, but can’t read beyond packet headers, which provide only rudimentary information about the traffic • Thus, ACL packet filtering alone does not have the capacity to keep threats out of the network

  4. What is a Firewall? • A firewall can be many things: • A router that runs traffic filtering rules or a modified version of the routing software • A server with 2+ NICs running traffic filtering, application proxy or other specialized software; often Unix/Linux servers • A firewall appliance - a specialized hardware device running specialized software • A host-based firewall or personal/desktop firewall: a software application used to protect a single Internet-connected computer from intruders. Especially useful for users with "always-on" connections. This is the last firewall piece in a defense-in-depth strategy: load firewall software on all hosts

  5. What is a Firewall? • A firewall is a device that makes the decision on what to do with a packet of information sent across the Internet. The actions a firewall can take: • Forward/accept the packet • Drop the packet silently • Drop the packet and send ICMP back to source to notify why it was dropped. (Is this wise?) • How is it performed? • Packets are evaluated against a list of “rules” and conditions • When the packet matches a rule, the action is triggered (reject or allow). The rest of the rules are not evaluated
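The rule evaluation that slides 3 and 5 describe (ACL-style rules checked top to bottom, the first match decides, everything else is denied) and the three possible actions, as an added example that is not part of the original slides. The addresses from slide 3 are reused in a constructed policy; the rule and packet types, the `filter_packet` function and the ICMP-type handling are this example's own assumptions, not any particular vendor's behaviour.

```python
"""Stateless first-match packet filter with default deny (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"

# ICMP error message types (RFC 792). Slide 25: no ICMP error is ever sent
# about an ICMP error message, so a 'reject' of one of these becomes a drop.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[int] = None  # message type for icmp


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept", "drop" or "reject"
    src: str = ANY                   # CIDR or "any"
    dst: str = ANY
    proto: str = ANY
    dport: Optional[int] = None      # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Header-only match: a packet filter never looks past the headers."""
        if self.src != ANY and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != ANY and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). The first matching rule wins and the rules
    after it are not evaluated; if nothing matches, the packet is denied."""
    for index, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if (rule.action == "reject" and pkt.proto == "icmp"
                and pkt.icmp_type in ICMP_ERROR_TYPES):
            return "drop", f"rule {index} (reject downgraded: no ICMP error about ICMP error)"
        return rule.action, f"rule {index}"
    return "drop", "default deny"


# Constructed policy using the addresses from slide 3. Order matters: the
# specific allow has to come before the broad deny for the same source.
POLICY = [
    Rule("accept", src="172.168.2.2/32", dst="10.10.10.201/32", proto="tcp", dport=80),
    Rule("drop", src="172.168.2.2/32"),
    Rule("accept", dst="10.10.10.201/32", proto="tcp", dport=443),
    Rule("reject", proto="icmp"),
]


def rule_order_matters() -> Tuple[str, str]:
    """Verdict for the same packet with the policy as written and with the
    first two rules swapped, which shadows the specific allow."""
    pkt = Packet("172.168.2.2", "10.10.10.201", "tcp", dport=80)
    swapped = [POLICY[1], POLICY[0]] + POLICY[2:]
    return filter_packet(POLICY, pkt)[0], filter_packet(swapped, pkt)[0]


if __name__ == "__main__":
    samples = [
        Packet("172.168.2.2", "10.10.10.201", "tcp", dport=80),
        Packet("172.168.2.2", "10.10.10.201", "tcp", dport=443),
        Packet("198.51.100.7", "10.10.10.201", "tcp", dport=443),
        Packet("198.51.100.7", "10.10.10.201", "udp", dport=53),
        Packet("198.51.100.7", "10.10.10.201", "icmp", icmp_type=8),
        Packet("198.51.100.7", "10.10.10.201", "icmp", icmp_type=3),
    ]
    for p in samples:
        print(p, "->", filter_packet(POLICY, p))
    print("as written vs swapped:", rule_order_matters())
```

The `rule_order_matters` function is the point of the exercise: with the deny placed first, the web-server allow on the next line is never reached, which is the most common mistake in hand-written ACLs and one reason the slide stresses that later rules are not evaluated.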

  6. What are proxy firewalls? • Proxy firewalls are the most secure types of firewalls, but this comes at the expense of speed and functionality, as they can limit which applications your network can support • The enhanced security of a proxy firewall comes from the fact that, unlike with other types of firewall, information packets don’t pass through a proxy. Instead the proxy acts as an intermediary - computers make a connection to the proxy, which then initiates a new network connection based on the request; effectively a mirror of the information transfer • This prevents direct connections and packet transfer between either side of the firewall, which makes it harder for intruders to discover the network’s location from packet information

  7. What are proxy firewalls? • So firewall proxies provide Internet access to computers on a network but are mostly deployed to provide safety or security by controlling the information going in and out of the network. Firewall proxy servers filter, cache, log, and control requests coming from a client to keep the network secure and free of intruders and viruses • In essence, proxies are gateway applications used to route Internet and web access from within a firewall • Proxy servers work by opening a socket on the server and allowing the connection to pass through. There is often only one computer in a proxy firewall network with a direct Internet connection – other computers have access to the Internet using that computer as a gateway

  8. What are proxy firewalls? • A proxy gateway receives a request from a client inside the firewall, and then sends this request to the remote server outside of the firewall • The response from the server is then read and sent back to the client • Usually, the same proxy is used by all client computers within a network – this enables the proxy to efficiently cache documents that are requested by multiple clients

  9. What are proxy firewalls? • Proxy firewalls act as middlemen, accepting all traffic requests coming into the network by impersonating the true recipient of the traffic within the network • After an inspection, if it decides to grant access, the proxy firewall sends the information to the destination computer • The destination computer’s reply is sent to the proxy, which repackages the information with the source address of the proxy server • Through this process, the proxy firewall breaks (terminates) the connection between the two computers so that it is the only machine on the network that talks to the outside world

  10. What are proxy firewalls? • Proxy firewalls can inspect content fully and make access decisions based on more specific levels of information • Access control this nuanced is attractive to network administrators, however each application needs its own proxy at the application-level • Proxy-firewalled networks also suffer degraded traffic performance and many limitations in application support and general functionality • This ultimately leads to scalability issues that make a successful implementation tricky to pull off • For this reason, proxy firewalls have not been widely adopted. In fact, even at the peak of the proxy firewall's popularity, performance and scalability issues limited adoption to select verticals in niche deployments

  11. What are proxy firewalls? • Considered to be the most secure type of firewall because they prevent direct network contact with other systems. (Because a proxy firewall has its own IP address, an outside network connection will never receive packets from the sending network directly) • Having the ability to examine the entire network packet, rather than just the network address and port number, also means that a proxy firewall will have extensive logging capabilities, a valuable resource for security administrators who are dealing with security incidents • Per Marcus Ranum (credited with conceiving the proxy firewall), the goal is to create a single point that allows a security-conscious programmer to assess threat levels represented by application protocols and put error detection, attack detection and validity checking in place

  12. What are proxy firewalls? • The added security offered by a proxy firewall has its drawbacks, however • Because a proxy firewall establishes an additional connection for each outgoing and incoming packet, the firewall can become a bottleneck, causing a degradation of performance or becoming a single point of failure • Additionally, proxy firewalls may only support certain popular network protocols, thereby limiting which applications the network can support

  13. Stateful Inspection Firewalls • Stateful inspection, or stateful filtering, is regarded as the third generation of firewalls • Stateful filtering does two things: first, it classifies traffic by looking at the destination port (e.g., tcp/80 = HTTP) • Second, it tracks the state of the traffic by monitoring every interaction of each particular connection until that connection is closed

  14. Stateful Inspection Firewalls • These properties add more functionality to access control: stateful inspection firewalls have the ability to grant or reject access based not only on port and protocol, but also the packet’s history in the state table • When stateful firewalls receive a packet, they check the state table to find if a connection has already been established or if a request for the incoming packet has been made by an internal host • If neither is found, the packet’s access becomes subject to the ruling of the firewall security policy

  15. Stateful Inspection Firewalls • Though stateful filtering is scalable and transparent to users, the extra layer of protection adds complexity to network security infrastructure, and stateful firewalls face difficulty in handling dynamic applications such as SIP or H.323 • SIP - Session Initiation Protocol; a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging, over Internet Protocol (IP) networks • H.323: standard approved by the ITU - International Telecommunication Union to promote compatibility in videoconference transmissions over IP networks

  16. SIP • SIP was designed to set up a "session" between two points and to be a modular, flexible component of the Internet architecture • It has a loose concept of a call (that being a "session" with media streams), has no support for multimedia conferencing, and the integration of sometimes disparate standards is largely left up to each vendor • As a result, SIP is a protocol with a vast number of interoperability problems • While SIP has been successfully deployed in some environments, those are generally "closed" environments where the means of interoperability has been PSTN (Public Switched Telephone Network) gateways

  17. H.323 • Designed with a good understanding of the requirements for multimedia communication over IP networks, including audio, video, and data conferencing. Defines an entire, unified system for performing these functions, leveraging the strengths of the IETF and ITU-T protocols • H.323 was designed to scale to add new functionality. The most widely deployed use of H.323 is "Voice over IP" followed by "Videoconferencing", both of which are described in the H.323 specifications

  18. Unified Threat Management (UTM) solutions • Initially defined as the consolidation of stateful inspection firewalls, antivirus, and IPS into a single appliance; over time, the UTM definition has expanded to include many other network security functions • The success of a UTM relies on the effectiveness of the stateful-inspection firewall decision that precedes all of its component functions, because the UTM components, though housed in a single device, are effectively downstream security services • Thus, the workload of all security components behind the firewall (inside the network) is determined by the strength of its access control • Though UTMs provide a number of security functions in one product, the fundamental access control technology of the firewall remains unchanged

  19. Next-generation Firewalls • NGFWs were created in response to the evolving sophistication of applications and malware. Application and malware developers have largely outwitted the long-standing port-based classification of traffic by building port evasion techniques into their programs • Malware piggybacks on these applications to enter networks and has become increasingly networked itself (connected to each other on the computers they individually infected) • NGFWs act as a platform for network security policy enforcement and network traffic inspection

  20. Next-generation Firewalls • Per technology research firm Gartner Inc., NGFWs are defined by the following attributes: • Standard capabilities of the first-generation firewall: This includes packet filtering, stateful protocol inspection, network-address translation (NAT), VPN connectivity, etc. (Note: A virtual private network (VPN) extends a private network across a public network (Internet). It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thus benefiting from the functionality, security and management policies of the private network) • Truly integrated intrusion prevention: Includes support for both vulnerability-facing and threat-facing signatures, and suggesting rules (or taking action) based on IPS activity. The sum of these two functions collaborating via the NGFW is greater than the individual parts • Full stack visibility and application identification: ability to enforce policy at the application layer independently from port and protocol

  21. Next-generation Firewalls • Extra firewall intelligence: Ability to take information from external sources and make improved decisions. Examples include creating blacklists or whitelists and being able to map traffic to users and groups using Active Directory • Adaptability to the modern threat landscape: Support upgrade paths for integration of new information feeds and new techniques to address future threats • In-line support with minimum performance degradation or disruption to network operations

  22. So you know… • Blacklist: basic access control mechanism that allows through all elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned. Items on list are denied access • Opposite is a whitelist, which means only items on the list are let through whatever gate is being used. A graylist contains items that are temporarily blocked (or temporarily allowed) until an additional step is performed • Blacklists can be applied at various points in a security architecture, such as a host network, a web proxy, DNS servers, an Email server, a computing firewall, directory servers or application authentication gateways

  23. So you know… • The type of element blocked is influenced by the access control location • DNS servers may be well-suited to block domain names, for example, but not URLs. A firewall is well-suited for blocking IP addresses, but less so for blocking malicious files or passwords • Example uses include a company that might prevent a list of software from running on its network, a school that might prevent a list of web sites from being accessed on its computers, or a business that wants to ensure its computer users are not choosing easily-guessed, poor passwords

  24. What’s ICMP? • Internet Control Message Protocol – a Transport Layer control protocol • ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route • Not designed to be absolutely reliable; purpose is to provide feedback about problems in the communication environment, not to make IP reliable • There are still no guarantees that a datagram will be delivered or a control message will be returned

  25. What’s ICMP? • Some datagrams may still be undelivered without any report of their loss, so the higher level protocols that use IP must implement their own reliability procedures if reliable communication is required • ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages themselves • IP implementations are required to support this protocol • ICMP is considered an integral part of IP, although it is architecturally layered upon IP • ICMP provides error reporting, flow control and first-hop gateway redirection

  26. Other Firewall Services • Firewalls may also perform other services: • NAT / PAT (Network/Port Address Translation) • Caching (see next slide) • Web access control/site filtering • VPN services (VPN tunnel termination) • What’s a VPN tunnel? • The set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to "trust each other" and communicate securely as they pass information over the Internet

  27. Other Firewall Services - Caching • Caching refers to the strategy of keeping a copy of a page or image you have already seen • Web browsers typically cache files that they display for you, and simply ask the server if the page has actually changed rather than always downloading the entire thing • This speeds up your next visit to the page • Since caching everything forever would take up too much space, web browsers typically delete the least recently used file in the cache when a certain total cache size is reached

  28. Other Firewall Services - Caching • Caching also occurs in other places. You may be using a proxy server, in which case the proxy server is probably caching pages on behalf of you and other users to save trips to the real Internet • Users typically become aware of caching when things don't work as expected. For instance, you might make a change to your own web page, open up your web page in your web browser, and not see the change until you click the "reload" button, telling your browser to discard the cached copy of that page

  29. Other Firewall Services - Caching • Some things (credit card transactions) should not be cached • Fortunately, the HTTP protocol that web browsers and servers use to communicate includes ways for the web server to specify how long a page may be safely cached, if at all • Sometimes browsers don’t perfectly obey such directives. The problem is made worse by the tendency of websites built in PHP, ASP or other dynamic web programming languages to tell the web browser not to cache anything. This problem is not inherent to those languages, but it is a common result of poorly-thought-out site design • Caching can potentially be a privacy issue for those who share their computers; cached copies of pages on your hard drive can reveal information about your browsing habits
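How a caching proxy (the kind of cache slide 28 describes, applying the server directives slide 29 mentions) decides whether a response may be stored at all and for how long, as an added example that is not part of the original slides. It follows the HTTP caching rules of RFC 7234 (`Cache-Control` directives and the `Expires` header); the `cache_decision` function, the conservative choice of not storing responses that carry no freshness information, and the four sample responses are this example's own constructions.

```python
"""Store-or-not decision for a shared (proxy) HTTP cache (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, object]:
    """Split 'public, max-age=86400' into {'public': True, 'max-age': '86400'}."""
    directives: Dict[str, object] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def cache_decision(headers: Dict[str, str], now: datetime, shared: bool = True,
                   request_had_authorization: bool = False) -> Tuple[bool, Optional[int], str]:
    """Return (may_store, freshness_seconds, reason).

    freshness_seconds == 0 means: store it, but revalidate with the origin
    before every reuse. shared=True models a proxy cache serving many users.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, None, "no-store: never written to cache"
    if shared and "private" in cc:
        return False, None, "private: single-user response, not for a shared cache"
    if shared and request_had_authorization and not (
            "public" in cc or "s-maxage" in cc or "must-revalidate" in cc):
        return False, None, "response to an authenticated request without explicit permission"
    if "no-cache" in cc:
        return True, 0, "no-cache: stored but revalidated before every reuse"
    if shared and "s-maxage" in cc:
        return True, int(cc["s-maxage"]), "s-maxage"
    if "max-age" in cc:
        return True, int(cc["max-age"]), "max-age"
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        remaining = int((expires - now).total_seconds())
        if remaining <= 0:
            return False, None, "Expires already in the past"
        return True, remaining, "Expires"
    # Conservative choice for this example: no explicit freshness, no storage.
    return False, None, "no freshness information: not stored"


# Constructed sample responses; the 'checkout' one stands for the credit-card
# transaction the slide says must never be cached.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "checkout": {"Cache-Control": "no-store", "Content-Type": "text/html"},
    "logo": {"Cache-Control": "public, max-age=86400", "Content-Type": "image/png"},
    "news": {"Expires": "Mon, 01 Jan 2024 13:00:00 GMT", "Content-Type": "text/html"},
    "account": {"Cache-Control": "private, max-age=600", "Content-Type": "text/html"},
}


def evaluate_all(now: datetime = NOW) -> Dict[str, Tuple[bool, Optional[int], str]]:
    return {name: cache_decision(hdrs, now) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:9s} -> {verdict}")
```

The `account` response shows why the `shared` flag matters: a browser cache (`shared=False`) may keep a `private` page for ten minutes, while the proxy at the firewall must not, because it would otherwise serve one user's page to another.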

  30. Firewall Setup • Philosophy for Firewall setup - either: • Block all that is not explicitly authorized • Authorize all that is not specifically blocked • Note: These can be used together on same firewall. Example: For a firewall between an organization and the Internet you may: • Block all inbound traffic except specifically authorized application traffic for publicly accessible services • Allow all outbound traffic except traffic that is specifically blocked based on known virus/worm/DOS patterns or other corporate security policies

  31. Some Types of Firewalls • Packet Filter • Stateful packet filter • Circuit Proxy • Application Proxy

  32. Packet Filtering Firewalls • Control the forwarding or dropping of the data based on the IP header information • Each packet is analyzed independently of all other packets – no track of the connection or session state is kept

  33. Packet Filtering Firewalls • The information and fields that may be taken into consideration are: • IP destination address • IP source address • Protocol type/number (i.e. TCP, UDP, ICMP, etc.) • Source protocol port number (TCP/80, UDP/53, etc.) • Destination protocol port number (TCP/80, UDP/53, etc.) • Flags (SYN, ACK, FIN, etc.)

  34. Packet Filtering Pros/Cons • Advantages • High performance • Application independent • Filters out many threats (SMURF, IP source route, some spoofing) • Can be implemented at “no cost” on existing routers using Access Control Lists (ACL) – Note: You need to be careful here: this can very negatively impact routing performance on certain routers. This is especially true for core routers (Usually NEVER enable ACLs on core routers)

  35. Packet Filtering Pros/Cons • Disadvantages • Only uses TCP/UDP/IP header information • How do you handle incoming or return traffic that uses a random/high port to communicate? • Can dramatically lower the performance of certain routers if implemented on them

  36. Stateful Packet Filtering • Stateful inspection, aka dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall • Stateful inspection has largely replaced an older technology, static packet filtering, where only the headers of packets are checked, which means that an attacker can sometimes get information through the firewall simply by indicating "reply" in the header • Stateful inspection analyzes packets down to the application layer

  37. Stateful Packet Filtering • By recording session information such as IP addresses and port numbers, a dynamic packet filter can implement a much tighter security posture than a static packet filter can • Stateful inspection monitors communications packets over a period of time and examines both incoming and outgoing packets • Outgoing packets that request specific types of incoming packets are tracked, and only the incoming packets that constitute a proper response are allowed through the firewall

  38. Stateful Packet Filtering • In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs • In a typical network, ports are closed unless an incoming packet requests connection to a specific port and then only that port is opened • This practice prevents port scanning, a well-known hacking technique

  39. Port Scan Attacks • Port scan attacks are one of the most popular reconnaissance techniques hackers use to discover services they can break into • All machines connected to a network run many services that use TCP or UDP ports, and there are more than 6000 defined ports available • Normally a port scan by itself does no direct damage • Potentially, a port scan helps the attacker find which ports are available to launch various attacks

  40. Port Scan Attacks • Essentially, a port scan consists of sending a message to each port, one at a time • The kind of response received indicates whether the port is used and can therefore be probed further for weakness • Port scanning usually happens for TCP ports, which are connection-oriented and therefore give good feedback to the attacker • The main port scan attacks are listed as follows: • Stealth scan • SOCKS port probe • Bounce scans • UDP scanning

  41. Port Scan Attacks • Stealth scan: a kind of scan designed to go undetected by auditing tools. Scanning very slowly becomes a stealth technique. Other techniques such as FIN scanning and SYN scanning can be used as well • SOCKS port probe: SOCKS is a system that allows multiple machines to share a common Internet connection. The reason that attackers scan for this is that a large percentage of users misconfigure SOCKS, which permits arbitrary sources and destinations. It may allow an attacker access to other Internet machines through your system to hide his/her true location.

  42. Port Scan Attacks • Bounce scans: Attackers scour the Internet looking for systems they can bounce their attacks through • FTP bounce scanning takes advantage of a vulnerability of the FTP protocol itself. Other applications such as email servers, HTTP proxies, Finger etc. all have vulnerabilities that allow attackers to do bounce scans • UDP scanning: Scan UDP ports to find the open ones. This is not often used by attackers since it is easily blocked

  43. Port Scanning Tools • Freeware for port scanning is available for anyone to use • Three common tools: SAINT, nmap, and nessus • Nmap is clearly and primarily a port scanner; it is a utility for port scanning large networks, although it works fine for single hosts • Port scanning tools can be used legitimately by admins and users to learn their network’s vulnerabilities

  44. Port Scan Attack Mitigation • Port scan attacks can be effectively reduced (if not completely resolved) by deploying firewalls at critical locations of a network to filter unwanted traffic and traffic from iffy sources • Many port scan detecting tools and products are available on the market • For Linux systems, the open source program Port Scan Attack Detector (PSAD) is available for free
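What a port-scan detector of the kind slide 44 mentions actually looks for in firewall logs, as an added example that is not part of the original slides and is not PSAD's code: a source that has been denied on many distinct destination ports within a short window is flagged, while a host that keeps retrying a single blocked port is not. The log line format, the threshold and window values, and every log line in the sample are constructed for this example.

```python
"""Sliding-window port-scan detection over firewall drop logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<iso timestamp> <verdict> src=.. dst=.. proto=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>[A-Z]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines in any other format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines: Iterable[str], threshold: int = 10,
                 window_seconds: int = 60) -> List[dict]:
    """Alert once per source that was DROPped on >= threshold distinct
    destination ports inside any window_seconds-long sliding window."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for rec in map(parse_line, lines):
        if rec is None or rec["verdict"] != "DROP":
            continue  # accepted traffic and unparsable lines are not evidence
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dport"]))
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()           # forget drops older than the window
        ports = {p for _, p in q}  # repeated hits on one port count once
        if len(ports) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({"src": rec["src"], "distinct_ports": len(ports),
                           "first_seen": q[0][0], "last_seen": rec["ts"]})
    return alerts


# Constructed sample: one host sweeping 16 ports in 16 seconds, one host
# retrying a single closed port 15 times, and one accepted web request.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} DROP src=203.0.113.9 dst=10.10.10.201 proto=tcp dport={20 + i}"
     for i in range(16)]
    + [f"2024-05-01T10:01:{i:02d} DROP src=198.51.100.4 dst=10.10.10.5 proto=tcp dport=445"
       for i in range(15)]
    + ["2024-05-01T10:02:00 ACCEPT src=192.0.2.33 dst=10.10.10.201 proto=tcp dport=80"]
)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print("possible port scan:", alert)
```

Counting distinct ports rather than raw drops is what keeps the retrying host out of the alerts; the window is what distinguishes a sweep from a slow drip of unrelated drops over a day, and it is also why the "scanning very slowly" stealth technique on slide 41 is hard to catch with a short window.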

  45. Stateful Packet Filtering • Performs all the functions of a regular packet filtering firewall but also keeps track of the state of the connection and past packets in the communication • The firewall will attempt to track all the information in each communication session at all protocol layers • Examples: • At layer 4 – If it sees a TCP packet from B to A that has a SYN-ACK flag, it will verify that it has seen a corresponding SYN packet from A to B before • At layer 7 – For SMTP, if it sees a “MAIL FROM” message from A to B, then it will verify that there has been a proper TCP connection established before and that a “HELO” command was sent and a “2xx” response received from B to A • In other words, the stateful packet filter will keep track of all conversations and ensure that all packets transiting comply with proper protocol rules and operation
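The layer-4 tracking described on slides 14, 36-38 and 45, combined with the inbound/outbound philosophy of slide 30, as an added example that is not part of the original slides: a new flow may only start with a bare SYN that policy permits, a SYN-ACK is accepted only if the matching SYN was seen, a packet with no state entry is dropped even when its flags claim it is a reply, and the entry is removed when the connection closes. The trusted network, the published web server, the `StatefulFilter` class and the packet sequence are all constructed for this example; the layer-7 SMTP check from slide 45 is not implemented here.

```python
"""Stateful TCP packet filter with a state table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

INSIDE = ip_network("10.10.10.0/24")  # assumed trusted zone
WEB_SERVER = "10.10.10.201"            # assumed published service on tcp/80

FlowKey = Tuple[str, int, str, int]    # (initiator, port, responder, port)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> TcpPacket:
    return TcpPacket(src, sport, dst, dport, frozenset(flags))


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}  # flow (as seen by initiator) -> phase

    def _policy_allows_new(self, pkt: TcpPacket) -> bool:
        """Slide 30: allow all outbound; block inbound except the published service."""
        src_in = ip_address(pkt.src) in INSIDE
        dst_in = ip_address(pkt.dst) in INSIDE
        if src_in and not dst_in:
            return True
        if dst_in and not src_in:
            return pkt.dst == WEB_SERVER and pkt.dport == 80
        return False

    def handle(self, pkt: TcpPacket) -> str:
        fwd: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        f = pkt.flags
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                      # packet belongs to a tracked flow
            state = self.table[key]
            from_responder = key == rev
            if "SYN" in f and "ACK" in f:
                # valid only as the responder's answer to a SYN we already saw
                if from_responder and state == "SYN_SENT":
                    self.table[key] = "SYN_RECEIVED"
                    return "accept"
                return "drop"
            if "RST" in f:
                del self.table[key]
                return "accept"
            if state == "SYN_RECEIVED" and not from_responder and "ACK" in f:
                self.table[key] = "ESTABLISHED"  # handshake completed
            if "FIN" in f:
                if state == "FIN_WAIT":
                    del self.table[key]          # both sides have finished
                else:
                    self.table[key] = "FIN_WAIT"
            return "accept"
        # no state: only a bare SYN may open a flow, and only if policy allows it;
        # a lone ACK or SYN-ACK claiming to be a reply is dropped
        if "SYN" in f and "ACK" not in f and self._policy_allows_new(pkt):
            self.table[fwd] = "SYN_SENT"
            return "accept"
        return "drop"


def run_scenario() -> Tuple[List[str], "StatefulFilter"]:
    """Replay a constructed packet sequence; return the verdicts and the filter."""
    fw = StatefulFilter()
    packets = [
        tcp("10.10.10.5", 40000, "198.51.100.8", 443, "SYN"),          # outbound open
        tcp("198.51.100.8", 443, "10.10.10.5", 40000, "SYN", "ACK"),   # genuine reply
        tcp("10.10.10.5", 40000, "198.51.100.8", 443, "ACK"),          # handshake done
        tcp("203.0.113.9", 50000, "10.10.10.5", 40000, "ACK"),         # forged 'reply', no state
        tcp("203.0.113.9", 50001, "10.10.10.5", 40000, "SYN", "ACK"),  # SYN-ACK nobody asked for
        tcp("203.0.113.9", 51000, "10.10.10.201", 80, "SYN"),          # published web service
        tcp("203.0.113.9", 52000, "10.10.10.5", 22, "SYN"),            # unpublished: blocked
        tcp("10.10.10.5", 40000, "198.51.100.8", 443, "FIN", "ACK"),   # close, first side
        tcp("198.51.100.8", 443, "10.10.10.5", 40000, "FIN", "ACK"),   # close, second side
    ]
    return [fw.handle(p) for p in packets], fw


if __name__ == "__main__":
    verdicts, fw = run_scenario()
    print(verdicts)
    print("remaining state:", fw.table)
```

Packets 4 and 5 are the case slide 36 warns about: a static filter that allows anything "established" (ACK set) would forward them, while the stateful filter drops them because no SYN from 10.10.10.5 to 203.0.113.9 was ever recorded.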

  46. Stateful Packet Filtering • Advantages • Scalable and transparent • High performance • Can handle “pesky” applications that jump ports in the process – Example: FTP in passive mode – H.323 – These are very hard to manage by regular packet filtering

  47. Stateful Packet Filtering • Disadvantages • Requires more firewall CPU time for analysis • Weak for “stateless” protocols • Harder to handle UDP return traffic • May not look at certain application layer data as a true proxy would

  48. Application and Circuit Proxy • A proxy firewall acts as an intermediate communication point between 2 parties: • Each party “thinks” they are directly communicating to the other • Actually each communicates to the Proxy Firewall • A – Proxy – B: A communicates to the proxy, the proxy then “acts” as A when communicating to B and vice-versa • Proxy firewalls act either at layer 3-4 (circuit proxy) or layer 7 (application proxy). Most often they act at layer 7

  49. Application and Circuit Proxy • Advantages • Better security as it fully examines all data in the packet up to layer 7 • Can perform other functions such as Email virus scanning • Disadvantages • Lower performance • Limited to protocols that are supported by firewall • Poor scalability under heavy traffic • May break custom applications • May not support standard applications on non-standard ports

  50. Other Services Sometimes Performed by Firewalls • Network Address Translation • Intrusion Detection/Prevention • Denial-of-Service (DOS) Inspection • Authentication • Virtual Private Network Termination • Traffic Logging • URL and/or Content Filtering • Virus Scanning
