Learn about different types of firewalls, such as packet filtering, stateful, and application and circuit proxy, their services and limitations, and how to write firewall rules with examples.
Firewalls II By Dr. Shadi Masadeh
Firewalls (I)
• What is a firewall?
• Types of firewalls
  • Packet filtering
  • Stateful
  • Application and circuit proxy
• Firewall services and limitations
• Writing firewall rules
  • Example 1
  • Example 2
What is a Firewall?
• A system that enforces an access policy between two (or more) networks.
• Based on its rules/policies, the firewall:
  • Blocks prohibited traffic. Note: this can be done silently (just drop) or actively (send back a reset or an ICMP message). Usually it is better to do it silently.
  • Allows authorized traffic. Some firewalls also check that the traffic for a given application is behaving correctly.
• The firewall examines all traffic between the networks.
• The firewall may also perform other services:
  • NAT / PAT
  • Caching
  • Web access control / site filtering
  • VPN / IPsec
• Two main philosophies for setting up a firewall:
  • Block all that is not explicitly authorized.
  • Authorize all that is not specifically blocked.
• Note: both can be used together on the same firewall. Example: on a firewall between an organization and the Internet you may at the same time set up:
  • All inbound traffic is blocked except what is specifically authorized.
  • All outbound traffic is authorized except what is specifically blocked.
• Always remember the implied rule. My suggestion: always write it explicitly. For this class you are required to write it explicitly! … Else I choose which one it is.
What is a Firewall?
• A firewall is a device that decides what to do with a packet. The actions a firewall can take:
  • Forward/accept the packet.
  • Drop the packet silently.
  • Drop the packet and send an ICMP message back to the source to notify why it was dropped. This adheres to strict Internet standards, but is it wise?
• How is it performed?
  • Packets are evaluated against a list of “rules” and conditions.
  • When the packet matches a rule, the action is triggered (reject or allow). The rest of the rules are not evaluated.
What is a Firewall?
• Concretely, what is a firewall? It can be many things:
• A router that runs traffic filtering rules, or a modified version of the routing software (for example the Cisco IOS Firewall Feature Set). This is often referred to as a “Screening Router Firewall” or “Screening Firewall”.
  • Pro: can use an existing router to perform some traffic filtering, such as RFC 1918 and RFC 2827 filtering.
  • Con: this can kill your router performance, especially if the rules become complex!
• A server with 2+ NICs running traffic filtering, an application proxy, or other specialized software. Usually Unix/Linux or Windows.
  • Pro: usually easy to use, nice GUI, uses an OS the administrator may already be familiar with.
  • Con: using a general-purpose OS to support a firewall gives lower performance. If there is a security flaw in the OS (I know, how likely is that?) the firewall may be compromised!
What is a Firewall?
• A specialized hardware piece running specialized software. Often referred to as a “Firewall Appliance”.
  • Pro: uses a specialized OS that is stripped down to remove unnecessary services. Higher performance.
  • Con: higher cost. May not have a nice GUI.
• A “host-based” firewall, a.k.a. “personal” firewall. This is the last firewall piece in a defense-in-depth strategy: load firewall software on all hosts.
  • Pro: greatly enhanced security because of host-specific knowledge (for example, encrypted traffic can only be firewalled at the end points). May allow detecting the presence/addition of unnecessary services on a host.
  • Con: expensive. May be very hard to manage.
• Trend: host firewall or host IDS on all desktops, the same way you see (or should see) anti-virus on all desktops today.
Types of Firewalls
• Packet filter
• Stateful packet filter
• Application and circuit proxy
Packet Filtering Firewalls
• Control the forwarding or dropping of data based on the IP header information.
• Does not keep track of connection or session state.
• The information and fields that may be taken into consideration are:
  • IP destination address
  • IP source address
  • Protocol type/number (i.e. TCP, UDP, ICMP, etc.)
  • Source protocol port number (TCP/80, UDP/53, etc.)
  • Destination protocol port number (TCP/80, UDP/53, etc.)
  • Flags (SYN, ACK, FIN, etc.)
Packet Filtering Pros and Cons
• Advantages
  • High performance
  • Application independent
  • Provides an economical solution to filter out many threats (SMURF, IP source route, some spoofing)
  • Can be implemented at “no cost” on existing routers using Access Control Lists (ACLs). Note: be careful here: this can very negatively impact routing performance on certain routers. This is especially true for core routers (usually NEVER enable ACLs on core routers). Make sure that:
    1. You understand the impact of enabling ACLs on router operation.
    2. You know the router can handle the extra load of doing ACL lookups and can still handle traffic in an acceptable manner.
• Disadvantages
  • Only looks at header information.
  • How do you handle incoming or return traffic that uses a random/high port for communication? Example: when you connect to www/80, what is your source port number?
  • Can fairly easily be forced to pass traffic that is not proper.
  • Can dramatically lower the performance of certain routers if implemented on them.
Connection Release: Four-way handshake (figure: closing the data stream in this direction only)
Stateful Packet Filtering
• Performs all the functions of a packet filtering firewall but also keeps track of the state of the connection and of past packets in the communication.
• The firewall will attempt to track all the information in the communication. This can be at any layer of the OSI model. Examples:
  • At layer 4: if it evaluates a TCP packet from B to A that has the SYN-ACK flags set, it will verify that it has seen a corresponding SYN packet from A to B before.
  • At layer 7: if, on SMTP, it sees a “MAIL FROM” command from A to B, it will verify that a proper TCP connection was established before and that a “HELO” command was sent and answered by a “2xx” response from B to A.
• In other words: the stateful packet filter keeps track of all conversations and ensures that all packets transiting comply with proper protocol rules and operation.
• Note: a new variation of stateful firewall is starting to be popular: a stateful firewall with an Intrusion Detection System / Intrusion Prevention System. More on that in the IDS unit.
Stateful Packet Filtering
• Advantages
  • Scalable and transparent
  • High performance
  • Can handle “pesky” applications that jump ports in the process. Examples: FTP in passive mode, H.323. These are very hard to manage in a packet-filtering firewall.
• Disadvantages
  • Weak for “stateless” protocols
  • Harder to handle UDP return traffic
  • May not look at certain application layer data as a proxy would
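To make the first-match evaluation from the “What is a Firewall?” slides and the SYN/SYN-ACK tracking from the stateful packet filtering slides concrete, here is an added Python example; it is not from the slides or the class spreadsheet. The Packet and Rule classes, both rule sets, and the addresses 10.0.0.5, 198.51.100.80 and 203.0.113.9 are constructed for this example. It shows why a stateless rule set needs a broad “source port 80 to any high port” rule for web replies, why that rule also admits an unrelated connection attempt whose source port happens to be 80, and how a stateful filter accepts the same SYN-ACK only because it saw the matching SYN while dropping the connection attempt that has none.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Packet and rule models constructed for this example (not the course's template or any product's syntax).
@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str                       # "accept", "drop" (silent) or "reject" (ICMP back to source)
    proto: str = "any"
    src: str = "0.0.0.0/0"            # CIDR here; the template's start/end or wildcard form is equivalent
    dst: str = "0.0.0.0/0"
    sport: Optional[range] = None     # None means any port
    dport: Optional[range] = None
    flags: Optional[frozenset] = None # None means don't care
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.flags is None or p.flags == self.flags))

def evaluate(rules, pkt: Packet):
    """Packet filter semantics from the slides: the first matching rule wins, later rules are not examined."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    # The set must end with an explicit catch-all; never rely on a vendor's invisible default rule.
    raise ValueError("no rule matched: rule set lacks an explicit final deny-all/permit-all")

INSIDE = "10.0.0.0/8"
HIGH_PORTS = range(1024, 65536)

# Stateless rule set: with no connection memory, web replies can only be let back in by a broad
# "source port 80 to any high port" rule, the kind of general rule the slides warn about.
STATELESS = [
    Rule("accept", "tcp", src=INSIDE, dport=range(80, 81), comment="outbound web"),
    Rule("accept", "tcp", dst=INSIDE, sport=range(80, 81), dport=HIGH_PORTS, comment="web return traffic"),
    Rule("drop", comment="explicit deny all"),
]

class StatefulFilter:
    """Same rule language, plus a table of conversations whose opening packet was accepted."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()            # (proto, src, sport, dst, dport) as seen from the initiator

    def evaluate(self, pkt: Packet):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "accept", "part of a tracked conversation"
        # Only a bare SYN may open a TCP conversation: a SYN-ACK (or ACK) with no earlier
        # matching SYN is not proper protocol operation and is dropped before the rules run.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop", "TCP segment without a preceding SYN"
        action, why = evaluate(self.rules, pkt)
        if action == "accept":
            self.conns.add(fwd)
        return action, why

# Stateful rule set: no return-traffic rule is needed at all.
STATEFUL = [
    Rule("accept", "tcp", src=INSIDE, dport=range(80, 81), flags=frozenset({"SYN"}), comment="outbound web"),
    Rule("drop", comment="explicit deny all"),
]

def demo():
    """Runs three constructed packets through both filters and returns the verdicts."""
    client, web, outsider = "10.0.0.5", "198.51.100.80", "203.0.113.9"   # constructed addresses
    packets = {
        "syn": Packet("tcp", client, 40000, web, 80, frozenset({"SYN"})),
        "syn_ack": Packet("tcp", web, 80, client, 40000, frozenset({"SYN", "ACK"})),
        # A connection attempt from outside whose source port happens to be 80: it rides the
        # stateless return-traffic rule, which is exactly the weakness the slides describe.
        "unsolicited": Packet("tcp", outsider, 80, client, 4444, frozenset({"SYN"})),
    }
    stateless = {name: evaluate(STATELESS, p)[0] for name, p in packets.items()}
    fw = StatefulFilter(STATEFUL)
    stateful = {name: fw.evaluate(p)[0] for name, p in packets.items()}   # dict order: syn before syn_ack
    return stateless, stateful

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives the stateless verdicts `accept, accept, accept` and the stateful verdicts `accept, accept, drop`: the stateful filter reaches the same decision for legitimate traffic with one rule fewer, and its conversation table is what stops the unsolicited packet.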
Application and Circuit Proxy
• A proxy firewall acts as an intermediate communication point between two parties:
  • Each party “thinks” it communicates directly with the other.
  • Actually, each communicates with the proxy firewall.
  • A – Proxy – B: A communicates with the proxy, the proxy then “acts” as A when communicating with B, and vice versa.
• These proxy firewalls act either at layers 3-4 (circuit proxy) or at layer 7 (application proxy). Most often they act at layer 7.
Application and Circuit Proxy
• Advantages
  • Better security, as it looks at all data in the packet up to layer 7.
  • Can perform other functions such as email virus scanning.
• Disadvantages
  • Lower performance
  • L7: limited to the protocols that are supported
  • Poor scalability under heavy traffic
  • May break custom applications
  • May not support standard applications on non-standard ports
Other Services Sometimes Performed by Firewalls
• Network Address Translation
• Intrusion Detection/Prevention
• Denial-of-Service (DoS) inspection
• Authentication
• Virtual Private Network termination
• Traffic logging
• URL and/or content filtering
• Virus scanning
Firewall Limitations
• Firewalls have limitations. It is VERY important to understand them:
• They do not protect against viruses, worms, or trojans (except application-level firewalls and the new IDS/firewall hybrids).
• They can’t protect traffic that is not sent through them:
  • Dial-up attacks; modems
  • Social engineering
  • Rerouting due to incompatibility with legacy systems
  • Back doors
• They cannot protect from danger in authorized traffic (see Nimda and Code Red).
• They cannot protect from some spoofing.
Firewall Rules Template
• The XLS available proposes a template for writing firewall rules. This template will be used in the class. Fields are:
  • Set Name
  • Rule #
  • Protocol (IP, UDP, TCP, GRE (Generic Routing Encapsulation), or protocol number)
  • A/R (Accept/Reject)
  • Source IP (start)
  • Source IP (end) or source wildcard
  • Src Port (or protocol number)
  • Destination IP (start)
  • Destination IP (end) or wildcard
  • Dest Port
  • Flag
  • Comments
• Always have a last rule that says either:
  • Deny all
  • Permit all
• Note #1: firewalls often come with a “default” last rule that is always inserted at the end and is invisible. Strong suggestion: ALWAYS specify a last rule, even if it is the same as the system’s default.
• Note #2: firewalls often have a default “deny all” for ingress traffic and “accept all” for egress traffic. Why?
  • Class discussion.
• The rule set must then be applied to a firewall interface and to an interface traffic direction: inbound or outbound.
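As an added example, not part of the slides or the class XLS, here is a small Python reader for rule rows laid out in the template's column order (a CSV layout assumed for this example), together with the checks the slide insists on: an explicit final rule and, because the first matching rule wins, no catch-all rule sitting above other rules. The two sample rule sets and the addresses in them are constructed; reading the second IP column as either “start..end range” or “start + Cisco-style wildcard mask” is this example's own convention, not something the template prescribes.

```python
import csv
from io import StringIO
from ipaddress import ip_address

# Column order of the slide's template, assumed here as a CSV layout (this example's own convention).
FIELDS = ["set", "num", "proto", "action", "src_start", "src_end", "sport",
          "dst_start", "dst_end", "dport", "flag", "comment"]
ANY = "any"

def ip_matches(addr: str, start: str, end_or_wild: str) -> bool:
    """Assumed reading of the template's two IP columns: 'any' matches every address, a blank second
    cell means a single host, a second cell numerically >= start is a range end, and a smaller one is
    a wildcard mask (0 bits must match, 1 bits are don't-care)."""
    if start == ANY:
        return True
    a, s = int(ip_address(addr)), int(ip_address(start))
    if end_or_wild == "":
        return a == s
    e = int(ip_address(end_or_wild))
    if e >= s:
        return s <= a <= e
    return (a ^ s) & ~e & 0xFFFFFFFF == 0

def port_matches(port: int, cell: str) -> bool:
    """Port cell is 'any', a single port, or 'lo-hi'."""
    if cell == ANY:
        return True
    lo, _, hi = cell.partition("-")
    return int(lo) <= port <= int(hi or lo)

def parse_rules(text: str):
    rows = list(csv.DictReader(StringIO(text.strip()), fieldnames=FIELDS))
    for r in rows:
        r["num"] = int(r["num"])
    return rows

def is_catch_all(r) -> bool:
    return (r["proto"].upper() == "IP" and r["src_start"] == ANY and r["dst_start"] == ANY
            and r["sport"] == ANY and r["dport"] == ANY)

def check_rule_set(rules):
    """Returns the problems the slide warns about; an empty list means the set is well formed."""
    problems = []
    for r in rules:
        if r["action"] not in ("A", "R"):
            problems.append(f"rule {r['num']}: A/R must be A (accept) or R (reject), got {r['action']!r}")
    nums = [r["num"] for r in rules]
    if nums != sorted(set(nums)):
        problems.append("rule numbers must be unique and ascending")
    if not rules or not is_catch_all(rules[-1]):
        problems.append("last rule must be an explicit 'Deny all' or 'Permit all'")
    for r in rules[:-1]:
        if is_catch_all(r):
            problems.append(f"rule {r['num']} matches everything; the rules after it are never evaluated")
    return problems

def first_match(rules, proto: str, src: str, sport: int, dst: str, dport: int):
    """First-match lookup over the parsed rows (the Flag column is carried but not evaluated here)."""
    for r in rules:
        if (r["proto"].upper() in ("IP", proto.upper())
                and ip_matches(src, r["src_start"], r["src_end"])
                and ip_matches(dst, r["dst_start"], r["dst_end"])
                and port_matches(sport, r["sport"]) and port_matches(dport, r["dport"])):
            return r["action"], r["num"]
    return None   # only reachable when check_rule_set() has already complained

# Constructed sample: an inbound set that drops RFC 1918 sources (the anti-spoofing filtering the
# slides mention), admits Internet users to a public web server, and ends with an explicit deny all.
GOOD = """
edge-in,10,IP,R,10.0.0.0,0.255.255.255,any,any,,any,,RFC 1918 source inbound (anti-spoofing)
edge-in,20,IP,R,172.16.0.0,172.31.255.255,any,any,,any,,RFC 1918 source inbound
edge-in,30,IP,R,192.168.0.0,0.0.255.255,any,any,,any,,RFC 1918 source inbound
edge-in,40,TCP,A,any,,any,198.51.100.80,,80,,Internet users to the public web server
edge-in,50,IP,R,any,,any,any,,any,,explicit deny all
"""

# Constructed sample with both mistakes: a permit-all placed first, and no explicit last rule.
BAD = """
edge-in,10,IP,A,any,,any,any,,any,,permit all
edge-in,20,TCP,R,203.0.113.9,,any,any,,any,,block one host (never reached)
"""

if __name__ == "__main__":
    good, bad = parse_rules(GOOD), parse_rules(BAD)
    print("good:", check_rule_set(good) or "ok")
    print("bad:", check_rule_set(bad))
    print(first_match(good, "tcp", "10.1.2.3", 40000, "198.51.100.80", 80))
```

Rule 10 and rule 30 use the wildcard form (0.255.255.255 and 0.0.255.255) while rule 20 uses a start..end range, so the same checker handles both spellings the template allows; a packet from 10.1.2.3 toward the web server hits rule 10 and is rejected even though rule 40 would otherwise accept it, which is the first-match behaviour from the slides.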
Simple Firewall Rule Example
• The spreadsheet presents a full rule set for a packet filtering firewall that does not use stateful inspection.
• Discussion in class.
• You can notice that some fairly general rules had to be added to allow return traffic. This is a problem and can allow an attacker to bypass the firewall.
• The simplified rule set shows the rule set for a stateful firewall. The firewall keeps track of connection establishment, high port assignment and correspondence to a conversation.
• This makes rule writing simpler and enhances security… but costs more $$$.
Firewall Example #2
• Functional requirements:
  • Internal users are at headquarters and a remote office.
  • Internal users do DNS resolution on 202.22.1.3 and can access the corporate web and internal mail.
  • Email between internal and Internet transits via an email relay for virus scanning.
  • The internal DNS resolves via the ISP DNS for unknown zones.
  • The external web and relay email handle all Internet user access, including DNS resolution.
  • All internal users can access the web on 80/443.
  • A “bad guy” is 12.55.55.5: prevent him any access.
  • Ping and ping responses should be allowed.
  • All firewalls are stateful; return traffic inspection is not required.
  • OPTIONAL: you should perform RFC 1918 and anti-spoofing filtering.
• Please work on it and come up with solutions for next week. We will discuss in class.
• How many rule sets should be developed?
  • 1, 2, 4, 6, 8, 10, 12, 300.5? More?
• Given that no traffic is initiated or terminated at the firewall, can we establish how many rule sets we will ever need if they are written correctly?
Firewall Example #2 (contd.)
• Part of Homework #3 (which is due in two weeks) is to write the firewall rules for the above example. Please try to write the rules and bring them to class next week. The initial thinking process, and some additional discussion during the next class, will likely help you do a better job on HW #3! This initial solution is to be included in your final HW #3 submission.