Learn about the types of firewalls, how to develop a firewall configuration, and design a firewall rule set. Understand the origins of the term "firewall" and the importance of using firewalls to prevent unauthorized access and attacks.
Firewall Technology - Outline • Defining the types of firewalls. • Developing a firewall configuration. • Designing a firewall rule set.
Firewall: Origin of the Term In older apartment complexes, brick walls were built between buildings so that if a fire broke out, it would not spread from one building to the next. Quite naturally, these walls were called "firewalls".
Castle and Moat Analogy • A network firewall is more like the moat around a castle than a firewall. • It restricts access from the outside. • It restricts outbound connections (i.e. filters out undesirable activity from internal hosts).
Overview • A firewall is a network access control device. • It can perform a centralized security management function. • It denies all traffic except that which is explicitly allowed. • It can be configured based on services, source or destination IP address, User ID, … etc.
Why use Firewalls? • Prevent denial of service attacks: • SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. • Prevent illegal modification/access of internal data. • e.g., attacker replaces Company's homepage with something else • Allow only authorized access to inside network (set of authenticated users/hosts) • Prevent insider attacks on critical systems: • Critical systems (human resources, payroll, etc.) can be hidden behind their own firewalls to prevent attacks from the inside.
The Unprotected Network [Figure: a web server connected through a router directly to the Internet, with no firewall in between.] What could possibly be wrong with this setup? A hacker's paradise and an administrator's nightmare!
What Can We Do? • Firewalls give good protection against attacks from the Internet. • The problem is that there are various firewall technologies and deployment strategies. • To choose the right solution, we need to know a bit more about the underlying TCP/IP protocols used on the Internet.
The IP protocol Important fields: Source Address, Destination Address, Protocol
The TCP protocol Important fields: Source Port and Destination Port, ACK and SYN flags
The UDP protocol Important fields: Source Port and Destination Port
Common Ports and Services • Windows: %windir%\System32\drivers\etc\services • Linux: /etc/services • Examples: SMTP = port 25, HTTP = port 80, POP3 = port 110, PPTP = port 1723
Types of Firewalls • Packet filtering firewall (network layer) • Stateful inspection firewall (tracks the connection state of the transport layer protocol) • Application layer firewall (known as an Application Gateway or Proxy) • Hybrid: a combination of the above, or a generic service proxy (e.g. a SOCKS proxy works for all TCP-based apps).
Packet Filter Firewalls (Chokes) • They are IP routers restricting the flow of packets between an internal network and external networks. • Packet-by-packet decision to forward/drop based on: Source/Destination IP addresses; Protocol value (e.g. drop ICMP packets); TCP/UDP Source Port/Destination Port; TCP SYN and ACK bits. [Figure: packet filter sitting between the internal network and the Internet. Should an arriving packet be allowed in? Should a departing packet be let out?]
Packet Filtering Examples • Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 or with either source or destination port = 23. • All incoming and outgoing UDP flows and telnet connections are blocked. • Example 2: Block inbound TCP segments with (SYN=1 & ACK=0). • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Packet Filter Firewall - Pros • They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data part of packets. • Because the packet payload is ignored, they are application independent. • Least expensive of the three types of firewalls. • Packet filtering rules are relatively easy to configure. • No configuration changes are necessary on the protected workstations.
Packet Filter Firewall - Cons • Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. • There is no screening of packet payload available. It is impossible to block users from visiting web sites deemed off limits, for example. • Logging of network traffic includes only IP addresses and TCP/UDP port numbers, no packet payload information is available. • Complex firewall policies are difficult to implement using filtering rules alone. • Rely on IP addresses for authentication rather than user authentication.
Stateful packet inspection • It is an advanced packet filter that keeps track of the state of the network connections going through it. • Take into account the state of the connection; an incoming packet is matched to its outbound request for the packet to be allowed in. • Examine and filter based on packet content; for example, drop incoming mail with certain type of attachments
Stateful packet inspection - Pros • Offers improved security over basic packet filters due to packet examination. • Offers a degree of application independence, based on level of stateful packet examination. • Better logging of activities over basic packet filters. • Good performance. • Configuration changes to the protected workstations are unnecessary.
Stateful packet inspection - Cons • Allows a direct connection between endpoints through the firewall, leaving the potential for a vulnerability to be exploited. • No hiding of your private systems. • Setting up stateful packet examination rules is more complicated. • Application-layer inspection only for the protocols the firewall supports. • No user authentication.
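The three stateful-inspection slides above describe the mechanism in one sentence ("an incoming packet is matched to its outbound request"). The following Python is an added example, not code from the original slides, that implements that mechanism as a connection table and runs it over a constructed packet trace. It also evaluates the same trace against the stateless "Example 2" filter from the packet filtering slide (drop inbound SYN=1, ACK=0) so the difference is visible: an unsolicited inbound ACK-only segment slips through the stateless rule but is dropped by the stateful filter. All addresses are documentation ranges and the policy (internal hosts may initiate TCP and UDP outbound; nothing unsolicited comes in) is an assumption of the example.

```python
"""Stateful packet inspection reduced to its core: a connection table.

Added example, not code from the original slides. Packets are plain dicts
with constructed header values; "dir" is "out" (internal host to Internet)
or "in" (Internet to internal host). Policy assumed here: internal hosts may
open TCP connections and send UDP outbound; inbound packets are admitted
only when they belong to a conversation an internal host started.
"""


class StatefulFilter:
    def __init__(self):
        # (internal ip, internal port, external ip, external port, proto) -> state
        self.table = {}

    @staticmethod
    def _key(pkt):
        # Normalise both directions to the same key so a reply finds its request
        if pkt["dir"] == "out":
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])

    def check(self, pkt):
        key = self._key(pkt)
        state = self.table.get(key)
        if pkt["dir"] == "out":
            if state is None:
                # New conversation: TCP must begin with a bare SYN; UDP has no
                # handshake, so its first datagram simply creates pseudo-state.
                if pkt["proto"] == "tcp" and not (pkt.get("syn") and not pkt.get("ack")):
                    return "DROP"
                self.table[key] = "SYN_SENT" if pkt["proto"] == "tcp" else "UDP"
                return "ALLOW"
        else:
            if state is None:
                return "DROP"      # unsolicited inbound packet, whatever its flags say
            if state == "SYN_SENT":
                # The only acceptable reply to our SYN is the server's SYN/ACK
                if not (pkt.get("syn") and pkt.get("ack")):
                    return "DROP"
                self.table[key] = "ESTABLISHED"
        # Packet belongs to a tracked conversation; FIN/RST tears the entry down
        if pkt.get("fin") or pkt.get("rst"):
            self.table.pop(key, None)
        return "ALLOW"


def stateless_example2(pkt):
    """The slides' stateless Example 2: drop only inbound SYN=1, ACK=0 segments."""
    if pkt["dir"] == "in" and pkt["proto"] == "tcp" and pkt.get("syn") and not pkt.get("ack"):
        return "DROP"
    return "ALLOW"


def _tcp(direction, src, sport, dst, dport, syn, ack):
    return {"dir": direction, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn, "ack": ack}


def _udp(direction, src, sport, dst, dport):
    return {"dir": direction, "proto": "udp", "src": src, "sport": sport,
            "dst": dst, "dport": dport}


# Constructed trace: addresses are documentation ranges, not real hosts
TRACE = [
    _tcp("out", "192.168.34.2", 13472, "203.0.113.10", 80, True, False),   # client SYN
    _tcp("in", "203.0.113.10", 80, "192.168.34.2", 13472, True, True),     # server SYN/ACK
    _tcp("out", "192.168.34.2", 13472, "203.0.113.10", 80, False, True),   # client ACK
    _tcp("in", "198.51.100.7", 40000, "192.168.34.5", 22, True, False),    # unsolicited SYN
    _tcp("in", "198.51.100.7", 40001, "192.168.34.5", 22, False, True),    # unsolicited ACK-only
    _udp("out", "192.168.34.2", 50123, "203.0.113.53", 53),                # DNS query
    _udp("in", "203.0.113.53", 53, "192.168.34.2", 50123),                 # DNS reply
    _udp("in", "203.0.113.53", 53, "192.168.34.2", 50124),                 # unsolicited UDP
]


def run_trace(trace):
    """Return (stateful verdict, stateless Example-2 verdict) for each packet."""
    fw = StatefulFilter()
    return [(fw.check(p), stateless_example2(p)) for p in trace]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, run_trace(TRACE)):
        print(pkt["dir"], pkt["proto"], pkt["src"], "->", pkt["dst"], verdicts)
```

Packets 5 and 8 are the ones to look at: both are unsolicited inbound traffic with no entry in the table, and only the stateful filter drops them. Real implementations add idle timeouts so that UDP pseudo-state and half-open TCP entries do not accumulate; that bookkeeping is left out here.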
Application Gateway (Proxy) Firewalls Typically, an application proxy is a program that runs on a MULTI-HOMED HOST and emulates both client and server ends of some application protocol. For example, an HTTP proxy (web proxy) acts as an HTTP server for local users and an HTTP client for web servers on the Internet.
Application Gateway (Proxy) Firewall [Figure: connections through an application gateway (proxy) firewall.]
Characteristics of Proxy Firewalls • Outbound connections terminate on the firewall. • A set of policy rules defines how traffic from one network is transported to any other. • If no rule exists, firewalls deny or drop the data packets. • Policy rules are enforced through the use of proxies. • Each protocol on a firewall must have its own proxy.
Proxy/Gateway Firewall Example • Example: allow select internal users to telnet outside. [Figure: host-to-gateway telnet session, application gateway, router and packet filter.] 1. Require all telnet users to telnet through the gateway. 2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections. 3. The router packet filter blocks all telnet connections not originating from the gateway.
Application proxies - Pros • Endpoints do not communicate directly with one another; a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall can be blocked by the proxy program. • Provide content filtering capability. • Hide internal addresses. • Web proxies often cache content to improve response time and reduce load on the Internet link. • Robust user authentication. • Offer logging and auditing of users' activities on the Internet. • Policy rules are usually easier to write than packet filtering rules (e.g. rules on the amount and timing of communication).
Application proxies - Cons • Performance problems; much slower than the other two • Must have a proxy for every protocol. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall. • TCP is the preferred transport. UDP may not be supported. • Limited transparency, clients may need to be modified. Setting up the proxy server in a browser, for example. • No protection from all protocol weaknesses.
Hybrids • Hybrid firewalls provide a way for handling protocols for which specific proxies do not exist. • The generic services proxy (GSP) allows application layer proxies to handle other protocols. • In a hybrid system, the GSP behaves like packet filtering firewalls.
Developing a Firewall Configuration • Screened Host Configuration. • Screened Subnet Configuration. • Dual Firewall Configuration.
Screened Host Configuration [Figure: Internet, packet filter firewall, gateway/proxy firewall, internal network.] • Built using a packet filter firewall and a gateway/proxy firewall. • The gateway is a specially chosen computer running network servers and proxy servers. • Only external packets destined for the gateway are allowed through the packet filter firewall. • All internal packets destined for outside must go through a proxy server; otherwise, they are dropped by the packet filter firewall.
Screened Subnet Configuration [Figure: Internet, packet filter firewall with three interfaces, screened subnet holding the SMTP server and proxy firewall, internal network.] • Use a single packet filtering firewall with three network interface cards. • Place systems that need to be accessed from outside on a network separate from the internal network.
Dual Firewall Configuration [Figure: Internet, FW 1, DMZ network with the gateway, FW 2, internal network.] • For higher security, two chokes and a gateway are used. • The external choke and gateway are configured as in a screened host firewall. • The second choke is a failsafe: if an attacker gains access to the gateway, the internal choke prevents further attacks against the internal network. • Internet accessible servers are placed in the DMZ (De-Militarized Zone) network between FW1 and FW2.
SOHO Configuration [Figure: Internet Service Provider, broadband modem (DSL or cable), SOHO router (router, DHCP server, NAT firewall, and limited application firewall), Ethernet switch, and user PCs connected by UTP cabling. Many access routers combine the router and Ethernet switch in a single box.]
Developing a Firewall Configuration • Organization’s Internet policy allows users to use services such as HTTP, HTTPS, FTP, Telnet, and SSH. • Based on the Internet policy, a set of policy rules for various architectures can be constructed.
Designing a Firewall Rule Set When designing a firewall rule set, the first match algorithm dictates: • The most specific rules to be placed at the top of the rule set. • The least specific rules to be placed at the bottom of the rule set.
Designing a Firewall Rule Set To define a general rule set, examine: • The expected traffic load of the firewall. • Rank the traffic types in order, with the Internet service carrying the most traffic at the top of the rule set. • Place any deny rules pertaining to that protocol.
Firewall Rule Set: Special Rules • Cleanup Rule – deny everything not explicitly allowed: From any/any To any/any – Deny. The cleanup rule is always the last (bottommost) rule. • Stealth Rule – to protect the firewall itself: From any/any To firewall/any – Deny. The stealth rule is placed as the first (topmost) rule.
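The three rule-set slides above (first-match ordering, specific before general, stealth rule first and cleanup rule last) and the two examples on the "Packet Filtering Examples" slide are all exercised by the following Python. It is an added example, not code from the original slides. The firewall address 200.24.5.8 is the one the NAT slide uses; the internal prefix 192.168.34.x and the DMZ web server 200.24.5.20 are hypothetical. Rules are dicts in which an absent field means "any"; `first_match` returns the first rule that matches, and `ruleset_issues` is the check a reviewer runs before loading a rule set. `misordered` shows why ordering matters: moving the general "no inbound SYN" deny above the specific allow for the DMZ web server silently makes that server unreachable.

```python
"""First-match rule-set evaluation with stealth and cleanup rules.

Added example, not from the original slides. Packets and rules are plain
dicts with constructed values; FIREWALL_IP is the address shown on the NAT
slide, INTERNAL_PREFIX and DMZ_WEB are hypothetical.
"""

FIREWALL_IP = "200.24.5.8"        # firewall's own address (from the NAT slide)
INTERNAL_PREFIX = "192.168.34."   # constructed internal network
DMZ_WEB = "200.24.5.20"           # hypothetical Internet-accessible web server


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "internal":
        return ip.startswith(INTERNAL_PREFIX)
    return spec == ip


def rule_matches(rule, pkt):
    """Every field named in the rule must match; absent fields mean 'any'."""
    if rule.get("dir", "any") not in ("any", pkt["dir"]):
        return False
    if rule.get("proto", "any") not in ("any", pkt["proto"]):
        return False
    if not _addr_matches(rule.get("src", "any"), pkt["src"]):
        return False
    if not _addr_matches(rule.get("dst", "any"), pkt["dst"]):
        return False
    if rule.get("dport", "any") not in ("any", pkt.get("dport")):
        return False
    # "port" matches either end, as in "source or destination port = 23"
    if "port" in rule and rule["port"] not in (pkt.get("sport"), pkt.get("dport")):
        return False
    for flag in ("syn", "ack"):
        if flag in rule and rule[flag] != bool(pkt.get(flag)):
            return False
    return True


RULES = [
    # Stealth rule first: nothing may talk to the firewall itself.
    {"name": "stealth", "dst": FIREWALL_IP, "action": "deny"},
    # Slide Example 1: IP protocol 17 (UDP) and telnet (port 23) blocked both ways.
    {"name": "no-udp", "proto": "udp", "action": "deny"},
    {"name": "no-telnet", "port": 23, "action": "deny"},
    # Specific allow for the DMZ web server sits ABOVE the general inbound-SYN deny.
    {"name": "dmz-web-in", "dir": "in", "proto": "tcp", "dst": DMZ_WEB, "dport": 80, "action": "allow"},
    # Slide Example 2: no externally initiated TCP connections.
    {"name": "no-inbound-syn", "dir": "in", "proto": "tcp", "syn": True, "ack": False, "action": "deny"},
    # Outbound services permitted by the Internet policy slide (HTTP, HTTPS shown).
    {"name": "web-out", "dir": "out", "proto": "tcp", "src": "internal", "dport": 80, "action": "allow"},
    {"name": "https-out", "dir": "out", "proto": "tcp", "src": "internal", "dport": 443, "action": "allow"},
    # Cleanup rule last: deny everything not explicitly allowed.
    {"name": "cleanup", "action": "deny"},
]


def first_match(rules, pkt):
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["name"]
    return "deny", "implicit"   # unreachable when a cleanup rule is present


def ruleset_issues(rules):
    """Structural checks a reviewer runs before loading a rule set."""
    issues = []
    if not rules or rules[0].get("dst") != FIREWALL_IP or rules[0]["action"] != "deny":
        issues.append("stealth rule is not first")
    last = rules[-1] if rules else {}
    if set(last) - {"name", "action"} or last.get("action") != "deny":
        issues.append("cleanup rule (any/any deny) is not last")
    return issues


def misordered(rules):
    """Same rules with the general inbound-SYN deny moved above the specific web allow."""
    names = [r["name"] for r in rules]
    i, j = names.index("dmz-web-in"), names.index("no-inbound-syn")
    swapped = list(rules)
    swapped[i], swapped[j] = swapped[j], swapped[i]
    return swapped


def _pkt(direction, proto, src, sport, dst, dport, syn=False, ack=False):
    return {"dir": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn, "ack": ack}


# Constructed packets; "in" = from the Internet, "out" = to the Internet
PACKETS = {
    "web-to-dmz": _pkt("in", "tcp", "198.51.100.7", 40000, DMZ_WEB, 80, syn=True),
    "telnet-out": _pkt("out", "tcp", "192.168.34.2", 40001, "203.0.113.10", 23, syn=True),
    "dns-out":    _pkt("out", "udp", "192.168.34.2", 40002, "203.0.113.53", 53),
    "ssh-to-fw":  _pkt("in", "tcp", "198.51.100.7", 40003, FIREWALL_IP, 22, syn=True),
    "https-out":  _pkt("out", "tcp", "192.168.34.2", 40004, "203.0.113.10", 443, syn=True),
    "syn-to-lan": _pkt("in", "tcp", "198.51.100.7", 40005, "192.168.34.5", 22, syn=True),
    "smtp-out":   _pkt("out", "tcp", "192.168.34.2", 40006, "203.0.113.25", 25, syn=True),
}


def evaluate(rules):
    """Verdict and matching rule for every constructed packet."""
    return {name: first_match(rules, pkt) for name, pkt in PACKETS.items()}
```

Only "web-to-dmz" changes verdict between `RULES` and `misordered(RULES)`; every other packet hits the same rule in both orders, which is exactly why such mistakes survive in production rule sets until someone complains that a service stopped working.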
Internet Accessible Systems [Table (image): firewall rules for Internet systems accessible outside the firewall.]
Single Firewall [Figure: Architecture #2, single firewall.]
Single Firewall - Rule Set [Table (image): firewall rules for the single firewall architecture.]
Dual Firewalls [Figure: Architecture #3, dual firewalls.]
Dual Firewalls [Table (image): firewall rules for Firewall #1 in the dual firewall architecture.]
Dual Firewalls [Table (image): firewall rules for Firewall #2 in the dual firewall architecture.]
NAT and PAT • Because the firewall keeps track of all live connections through it, it is able to perform NAT, PAT, or any combination of the two. • NAT: Network Address Translation • PAT: Port Address Translation • A firewall performing NAT or PAT is often referred to as a masquerading firewall.
NAT Explained • A NAT firewall hides internal IP addresses by replacing the internal source IP address of an outgoing packet with that of the firewall device (e.g. 200.24.5.8 in the figure). • It allows hosts with private (not Internet-registered) IP addresses to access the Internet.
NAT Explained The NAT device replaces the source IP address in an outgoing packet with its own address and saves enough information to reverse the translation for the reply packets that come back from the Internet.
Network Address Translation (NAT) [Figure, steps 1 and 2: the internal client host sends a packet from 192.168.34.2, port 13472; the NAT firewall forwards it to the server on the Internet as coming from 172.47.9.6, port 31789.]
Network Address Translation (NAT) [Figure, steps 3 and 4: the server's reply, addressed to 172.47.9.6, port 31789, is translated back by the NAT firewall to 192.168.34.2, port 13472.] Translation table: Internal IP Addr / Port 192.168.34.2 / 13472 maps to External IP Addr / Port 172.47.9.6 / 31789; further rows for other connections.
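The two NAT figures above show one outbound packet being rewritten and its reply being reverse-translated through a translation table. The following Python is an added example, not code from the original slides, that replays those four steps with the figure's own addresses and ports (internal 192.168.34.2:13472, external 172.47.9.6:31789) and then adds two cases the figure does not show: a second internal host using the same source port, which PAT resolves by handing out a different external port, and an unsolicited inbound packet for which no table entry exists, which is dropped. The server address 203.0.113.10 and the second host are constructed, and the table is keyed on the internal endpoint only (production NAT also records the remote endpoint and ages entries out).

```python
"""NAT/PAT translation table, as in the slide figure (steps 1-4).

Added example, not code from the original slides. Addresses and ports are
the ones shown in the figure (internal 192.168.34.2:13472, external
172.47.9.6:31789); the server address and second internal host are
constructed. Simplified: mapping keyed on the internal endpoint only.
"""

EXTERNAL_IP = "172.47.9.6"    # firewall's Internet-facing address (from the figure)


class NatFirewall:
    def __init__(self, external_ip=EXTERNAL_IP, first_port=31789):
        self.external_ip = external_ip
        self.next_port = first_port      # first translated port shown in the figure
        self.out_table = {}              # (internal ip, internal port) -> external port
        self.in_table = {}               # external port -> (internal ip, internal port)

    def outbound(self, pkt):
        """Steps 1 -> 2: rewrite the source to the firewall's address, record the mapping."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_table:
            ext_port = self.next_port    # PAT: each internal endpoint gets its own external port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return dict(pkt, src=self.external_ip, sport=self.out_table[key])

    def inbound(self, pkt):
        """Steps 3 -> 4: reverse-translate a reply; None means no mapping, so drop it."""
        if pkt["dst"] != self.external_ip:
            return None
        key = self.in_table.get(pkt["dport"])
        if key is None:
            return None
        return dict(pkt, dst=key[0], dport=key[1])

    def table(self):
        """Rows of (internal ip, internal port, external ip, external port), as in the figure."""
        return [(ip, port, self.external_ip, ext) for (ip, port), ext in self.out_table.items()]


def walk_figure():
    """Replay the four figure steps, then a PAT collision and an unsolicited packet."""
    nat = NatFirewall()
    server = "203.0.113.10"                          # constructed Internet server
    # 1: client host sends to the server
    step1 = {"src": "192.168.34.2", "sport": 13472, "dst": server, "dport": 80}
    # 2: packet leaves the firewall rewritten
    step2 = nat.outbound(step1)
    # 3: server replies to the firewall's external address and port
    step3 = {"src": server, "sport": 80, "dst": step2["src"], "dport": step2["sport"]}
    # 4: reply is translated back to the internal client
    step4 = nat.inbound(step3)
    # PAT: a second host reuses internal port 13472 and must get a different external port
    other = nat.outbound({"src": "192.168.34.7", "sport": 13472, "dst": server, "dport": 80})
    # An unsolicited packet to a port with no mapping has nowhere to go
    stray = nat.inbound({"src": "198.51.100.9", "sport": 4444, "dst": EXTERNAL_IP, "dport": 9999})
    return {"step2": step2, "step4": step4, "other": other, "stray": stray, "table": nat.table()}


if __name__ == "__main__":
    for name, value in walk_figure().items():
        print(name, value)
```

The `stray` case is the reason a masquerading firewall is also a crude inbound filter: with no translation entry the packet cannot be delivered, which is the property the "NAT used by ISPs" slide relies on when it talks about hiding internal hosts.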
NAT used by ISPs A large group of internal clients share a small set of Internet addresses for the purpose of hiding their identities or expanding the internal network address space.