Firewalls
CS432

Overview
• What are firewalls?
• Types of firewalls:
  - Packet filtering firewalls
  - Stateful firewalls
  - Application gateway firewalls
  - Address translation firewalls
  - Host-based firewalls
  - Hybrid firewalls
Definition
• A firewall is a device or system that controls the flow of traffic between different areas of your network.
• One of the main functions of firewalls is to control access to resources.
• This may be achieved by installing a firewall on every workstation, or in a centralized manner (one firewall for the whole network).
Types of Firewalls
• Packet filtering firewalls
• Stateful firewalls
• Application gateway firewalls
• Address translation firewalls
• Host-based firewalls
• Hybrid firewalls
Packet Filtering Firewalls (PFFs)
• The simplest type of firewall.
• Typically a router that can filter on some packet content.
• Mainly layer 3 (network) and sometimes layer 4 (transport) header fields are examined.
Filtering Rules
• Packet filtering rules must be defined on the firewall.
• These rules indicate which traffic should be allowed and which traffic should be denied.
• A decision should also be taken regarding the notification strategy when packets are dropped: inform the sender or not.
Filtering Information
• Source and destination layer 3 addresses.
• Layer 3 protocol information (type of protocol).
• Layer 4 protocol information (port numbers and flags).
• The interface on which the traffic is sent or received.
A Simple Example: A Typical Rule Table (table 1)

Rule  Source address  Dest address       IP protocol  Protocol information  Action
1     any             219.1.1.2          TCP          Port 80               allow
2     any             219.1.1.3          UDP          Port 53               allow
3     any             219.1.1.4          TCP          Port 25               allow
4     any             any other address  any          any                   deny
Understanding the Rules
• Understanding the rule set is crucial to the operation of firewalls.
• For example, if you omit rule 4 in table 1 above, there are two possibilities: allow all non-matching traffic, or deny all non-matching traffic.
• If the first option is taken, you will be creating a big hole in your network's defenses.
An Example of Firewall Rules
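As an added illustration (my own code, not part of the lecture slides), the following Python evaluates table 1 top-down with first-match-wins semantics and makes the default policy an explicit parameter, so the consequence of omitting rule 4 can be seen directly: the same two packets that no rule covers are dropped under default-deny and pass under default-allow. The Packet and Rule types, the field names and the sample packets are assumptions.

```python
# Added example, not from the lecture: a toy packet filter that evaluates
# table 1 with first-match-wins semantics and an explicit default policy.
# Packet/Rule types, field names and sample packets are my own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "TCP", "UDP", "ICMP", ...
    dport: Optional[int] = None  # destination port (None for port-less protocols)


@dataclass(frozen=True)
class Rule:
    number: int
    src: str                     # "any", a single address, or a CIDR block
    dst: str
    proto: str                   # "any" or a protocol name
    dport: Optional[int]         # None matches any port
    action: str                  # "allow" or "deny"


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    # a bare address such as "219.1.1.2" is treated as a /32 network
    return ip_address(addr) in ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


# Rules 1-3 of table 1. Rule 4 ("any other address ... deny") is exactly what
# the default policy expresses, so leaving it out is the case the slides warn about.
TABLE_1 = [
    Rule(1, "any", "219.1.1.2", "TCP", 80, "allow"),
    Rule(2, "any", "219.1.1.3", "UDP", 53, "allow"),
    Rule(3, "any", "219.1.1.4", "TCP", 25, "allow"),
]


def decide(pkt: Packet, rules: List[Rule] = TABLE_1,
           default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, rule number); rule number None means the default policy applied."""
    for rule in rules:            # first matching rule wins
        if matches(rule, pkt):
            return rule.action, rule.number
    return default, None


# Constructed sample traffic: two of the published services plus two packets
# that no explicit rule covers.
SAMPLE = [
    Packet("198.51.100.7", "219.1.1.2", "TCP", 80),   # web, rule 1
    Packet("198.51.100.7", "219.1.1.3", "UDP", 53),   # DNS, rule 2
    Packet("198.51.100.7", "219.1.1.3", "TCP", 53),   # DNS over TCP: not in the table
    Packet("198.51.100.7", "219.1.1.2", "TCP", 22),   # SSH to the web host: not in the table
]


def compare_defaults(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str]]:
    """Decision for each packet under default-deny versus default-allow."""
    return [(decide(p, default="deny")[0], decide(p, default="allow")[0])
            for p in packets]


if __name__ == "__main__":
    for pkt, (deny_case, allow_case) in zip(SAMPLE, compare_defaults()):
        print(f"{pkt.proto} {pkt.dst}:{pkt.dport}  "
              f"default-deny={deny_case}  default-allow={allow_case}")
```

Running the block prints one line per sample packet; the last two lines are the hole: with default-allow, SSH to the web host and TCP/53 to the DNS host both get through although nobody wrote a rule for them.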
Advantages of Packet Filtering Firewalls
• They can process packets at high speed.
• They can easily match on most fields in layer 3 and layer 4, giving flexibility in implementing security policies.

Disadvantages
• They can be complex to configure.
• They cannot prevent application layer attacks.
• They are susceptible to some TCP/IP attacks (e.g. SYN floods and IP spoofing), which they cannot detect.
• They do not support authentication.
• They have limited logging capabilities.
Stateful Firewalls
• Stateful firewalls keep track of connection states at all stages: initiation, data transfer, and termination.
A Typical Scenario Where PFFs Fail
• Assume that there is an inbound rule saying that any external traffic to 134.1.1.10 is denied.
• This implies that connection requests coming from outside will be dropped.
• However, assume that 134.1.1.10 tries to access a web server on an external machine, 189.1.2.3, say.

A Typical Scenario (continued)
• The firewall will allow the initiation of the connection.
• However, when the reply comes back from 189.1.2.3 it will be dropped.
• Two solutions are possible in PFFs:
  - Open ports higher than 1023 for inbound traffic.
  - Examine TCP segment flag bits.
Problems with the Above Solutions
• Opening ports will cause a lot of problems.
• Examining TCP flags is not a good solution to this problem either: they may not be fully supported by all implementations, they may be modified by hackers, and UDP traffic carries no flags.
A Stateful Solution
• A stateful firewall solves the above problem by tracking the states of connections.
• This is done through dynamic rules that are added when a connection is established and deleted after the connection is torn down.
• The rules are either added to the main rule table or to a new state table.

A Stateful Solution (continued)
• For example, when machine 134.1.1.10 initiates a connection to external machine 189.1.2.3, the firewall adds a new rule to the rule table or the state table indicating that this is a request for a connection.
• It notes the source and destination ports:

Source     Destination  Protocol  Ports                   Action
134.1.1.0  189.1.2.3    TCP       Source 10000, Dest 80   allow
Stateful Solution (continued)
• When 189.1.2.3 sends a reply to the connection request, the firewall notes from its table that this reply is part of an existing connection and allows it.
• The traffic along this connection will be allowed as long as the connection is open.
• When the connection is torn down, all rules relating to the connection will be removed.
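The lifecycle described over the last three slides, replayed as an added example (my own Python, not from the lecture): the static policy is "outbound allowed, unsolicited inbound denied"; an outbound SYN from the inside host adds a dynamic state entry, the reply from 189.1.2.3 is allowed only because it matches that entry, and once both sides have sent FIN (or either sends RST) the entry is deleted and the same inbound traffic is denied again. The Segment and StatefulFirewall types, the state-table layout and the sample exchange are assumptions; a real connection tracker additionally handles timeouts, UDP/ICMP pseudo-state and sequence-number checks.

```python
# Added example, not from the lecture: a toy stateful firewall for the
# scenario in the slides (inside host 134.1.1.10, outside web server
# 189.1.2.3). Static policy: outbound allowed, unsolicited inbound denied.
# Dynamic entries created by an outbound SYN override the inbound deny and
# are removed at teardown. Type names and the sample exchange are my own.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

INSIDE_HOST = "134.1.1.10"
OUTSIDE_SERVER = "189.1.2.3"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST"}


# state table key: (inside address, inside port, outside address, outside port)
Key = Tuple[str, int, str, int]


@dataclass
class StatefulFirewall:
    state: Dict[Key, dict] = field(default_factory=dict)

    @staticmethod
    def _key(seg: Segment, outbound: bool) -> Key:
        # normalise both directions of a connection onto the same key
        if outbound:
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def filter(self, seg: Segment, outbound: bool) -> str:
        key = self._key(seg, outbound)
        entry = self.state.get(key)
        if entry is None:
            if outbound and "SYN" in seg.flags and "ACK" not in seg.flags:
                # connection request from inside: add the dynamic rule
                self.state[key] = {"status": "SYN_SENT", "fins": set()}
                return "allow"
            # static rules only: outbound passes, anything inbound is dropped
            return "allow" if outbound else "deny"
        # the segment belongs to a tracked connection
        if "RST" in seg.flags:
            del self.state[key]                   # aborted: remove the rule at once
            return "allow"
        if entry["status"] == "SYN_SENT" and not outbound and {"SYN", "ACK"} <= seg.flags:
            entry["status"] = "ESTABLISHED"       # the reply a plain PFF would have dropped
        if "FIN" in seg.flags:
            entry["fins"].add("out" if outbound else "in")
            if entry["fins"] == {"out", "in"}:
                del self.state[key]               # both sides closed: tear down
        return "allow"


def run_scenario() -> List[str]:
    """Replay the slide scenario and return the firewall's decision for each segment."""
    fw = StatefulFirewall()
    outbound_syn = Segment(INSIDE_HOST, 10000, OUTSIDE_SERVER, 80, frozenset({"SYN"}))
    reply = Segment(OUTSIDE_SERVER, 80, INSIDE_HOST, 10000, frozenset({"SYN", "ACK"}))
    data_in = Segment(OUTSIDE_SERVER, 80, INSIDE_HOST, 10000, frozenset({"ACK"}))
    fin_out = Segment(INSIDE_HOST, 10000, OUTSIDE_SERVER, 80, frozenset({"FIN", "ACK"}))
    fin_in = Segment(OUTSIDE_SERVER, 80, INSIDE_HOST, 10000, frozenset({"FIN", "ACK"}))
    steps = [
        (reply, False),        # 1: unsolicited from outside, no state yet -> deny
        (outbound_syn, True),  # 2: inside initiates -> allow, state entry added
        (reply, False),        # 3: the same reply now matches the entry -> allow
        (data_in, False),      # 4: data on the open connection -> allow
        (fin_out, True),       # 5: inside closes
        (fin_in, False),       # 6: outside closes -> entry removed
        (data_in, False),      # 7: after teardown -> deny again
    ]
    return [fw.filter(seg, outbound) for seg, outbound in steps]


if __name__ == "__main__":
    for n, decision in enumerate(run_scenario(), 1):
        print(f"step {n}: {decision}")
```

Step 1 and step 7 are the same inbound segment; only the presence of the dynamic entry between steps 2 and 6 changes the decision, which is the whole difference between a stateful firewall and the packet filter of the previous slides.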
Advantages
• Aware of the state of the connection.
• No need to open a large set of ports.
• Prevents a wider set of DoS attacks (state table).
• More robust logging (connection states).

Limitations
• They may be difficult to configure.
• Cannot prevent application layer attacks.
• Do not support authentication.
• Not all protocols contain state information.
• Multiple connections with dynamic ports may cause problems.
• Additional overhead in maintaining state information.
Application Gateway Firewalls (AGFs)
• Sometimes called proxy firewalls.
• They filter information at layers 3, 4, 5 and 7.
• Most filtering and processing is done in software, which provides more flexibility.
• Sometimes they support only limited applications, for example e-mail, FTP, Telnet.

AGFs and Authentication
• One of the major advantages of AGFs is their ability to authenticate users.
• A user requesting a connection to the network is first authenticated by the AGF.
• The authentication database usually stores authorization information, e.g. which servers the user can connect to:

User   Server     Action
Ahmed  232.1.5.6  allow

Authentication Methods
• User/password.
• Certificates.
• Biometrics.
• Token cards.
Types of AGFs
• Two types of AGFs:
  - Connection gateway firewalls.
  - Cut-through proxy firewalls.

Connection Gateway Firewalls (CGFs)
• All traffic to the web server passes through the CGF.
• First the CGF authenticates the user. If successful, the CGF establishes the connection to the server.
• The CGF examines all packets sent to the server and may control the type of traffic to be allowed or dropped.

Cut-Through Proxies (CTPs)
• Only authenticate the user.
• Perform filtering based on layer 3 and 4 information.
Address Translation Firewalls
• It is well known that we are running out of IP addresses (address depletion).
• A long-term solution is to deploy IPv6.
• A short-term solution is to use Network Address Translation (NAT).

Private Addresses
• Two RFCs describe how NAT may be used.
• RFC 1918 specifies private addresses (reserved addresses that can be used only inside the organization's networks, with no global meaning).
• Around 17 million addresses are available for local use.

Private address ranges
• 10.0.0.0 – 10.255.255.255 (class A)
• 172.16.0.0 – 172.31.255.255 (class B)
• 192.168.0.0 – 192.168.255.255 (class C)

NAT
• RFC 1631 defines how network address translation may be performed.
• Two schemes:
  - Simple NAT.
  - Overloaded NAT or PAT (Port Address Translation).

NAT Firewalls
• A NAT firewall is a device configured to perform network address translation.
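To make the "overloaded NAT" scheme concrete, here is an added example (my own Python, not from the lecture): a minimal PAT translator in which every private host shares one public address, each (private address, private port) pair is given its own public port, replies are mapped back through that table, and a datagram arriving at the public address with no table entry is dropped, which is why a NAT device behaves like a firewall for unsolicited inbound traffic. The three private blocks are the RFC 1918 ranges from the slides; the type names, the public address (taken from a documentation range), the port allocation scheme and the sample flows are assumptions.

```python
# Added example, not from the lecture: a minimal overloaded NAT (PAT)
# translator. All private hosts share one public address; the translator
# allocates a distinct public port per (private address, private port) pair
# and maps replies back. Datagrams arriving at the public address with no
# mapping are dropped. Type names, the public address and the port
# allocation scheme are my own.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three RFC 1918 blocks listed in the slides
PRIVATE_BLOCKS = [ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]   # (address, port)


@dataclass
class PAT:
    public_ip: str
    next_port: int = 1024                       # first public port to hand out
    out_map: Dict[Endpoint, int] = field(default_factory=dict)  # private endpoint -> public port
    in_map: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> private endpoint

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite a datagram leaving the private network."""
        if not is_private(d.src):
            return d                            # nothing to translate
        key = (d.src, d.sport)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port           # new mapping: one public port per private endpoint
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return Datagram(self.public_ip, pub_port, d.dst, d.dport)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Map a datagram arriving at the public address back to its private host, or drop it."""
        target = self.in_map.get(d.dport)
        if d.dst != self.public_ip or target is None:
            return None                         # no mapping: unsolicited, dropped
        priv_ip, priv_port = target
        return Datagram(d.src, d.sport, priv_ip, priv_port)


def demo() -> Tuple[Datagram, Datagram, Optional[Datagram], Optional[Datagram]]:
    """Two private hosts using the same source port, one reply, one unsolicited datagram."""
    pat = PAT(public_ip="203.0.113.1")
    a = pat.outbound(Datagram("192.168.1.10", 10000, "189.1.2.3", 80))
    b = pat.outbound(Datagram("192.168.1.11", 10000, "189.1.2.3", 80))
    reply_to_b = pat.inbound(Datagram("189.1.2.3", 80, "203.0.113.1", b.sport))
    unsolicited = pat.inbound(Datagram("189.1.2.3", 80, "203.0.113.1", 4000))
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two private hosts both use source port 10000, which is exactly the collision that simple (one-to-one) NAT cannot resolve with a single public address; PAT resolves it by giving them public ports 1024 and 1025 and keying the reverse lookup on the port alone.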
Host-Based Firewalls
• Software packet filtering firewalls.
• Simplified versions that concentrate only on protecting a single machine.
• Some may provide host-based authentication.

Hybrid Firewalls
• In real life, firewall solutions are usually complex and hybrid.
• They involve packet filtering, state tracking, authentication, address translation, etc. Many solutions even include an IDS.
• This is dictated by competition.
• A good example is the Cisco PIX firewall.
Designing a Firewall Solution
• Develop a security policy.
• Create a simple design solution.
• Use devices as intended.
• Implement a layered defense.
• Consider solutions to internal threats.

The Policy
• Define acceptable and unacceptable behavior.
• Restrictions to resources.
• Adhere to company plans and policies.
• Resources that require access from internal and external users.
• Vulnerabilities associated with these resources.
• Methods that can be used to protect resources.
• Cost-benefit analysis for possible solutions.
Demilitarized Zones (DMZs)
• A demilitarized zone is a segment or segments that have a higher security level than that of external segments, but a lower security level than that of internal segments.
• Grant external users access to web servers, DNS servers, etc. without risking internal security.
• They act as a buffer between internal and external networks.

Demilitarized Zones (DMZs) (continued)
• Higher security levels can send traffic to lower security levels but not vice versa.
• Same security levels cannot send traffic to each other.
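The two security-level rules above, together with the exceptions needed to actually publish DMZ services to external users, as an added example (my own Python, not from the lecture): traffic from a higher level to a lower one is allowed, traffic between equal levels or from lower to higher is denied unless it matches an explicitly published (source zone, destination zone, protocol, port) entry. Zone names, their levels, the subnet-to-zone mapping, the published services and the sample flows are assumptions.

```python
# Added example, not from the lecture: the security-level rule between zones
# (higher -> lower allowed; lower -> higher and same -> same denied) combined
# with explicit exceptions that publish DMZ services to the outside.
# Zone names, levels, subnets, published services and sample flows are my own.
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Security levels: outside lowest, DMZ in between, inside highest
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# Which subnet belongs to which zone; anything unlisted is treated as outside
ZONE_NETS = [(ip_network("10.0.0.0/8"), "inside"),
             (ip_network("192.168.100.0/24"), "dmz")]

# DMZ services that external users may reach: (src zone, dst zone, proto, port)
PUBLISHED = {
    ("outside", "dmz", "TCP", 80),   # web server
    ("outside", "dmz", "TCP", 25),   # mail server
    ("outside", "dmz", "UDP", 53),   # DNS server
}


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for net, zone in ZONE_NETS:
        if a in net:
            return zone
    return "outside"


def zone_policy(src_zone: str, dst_zone: str, proto: Optional[str] = None,
                dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, reason) for traffic from src_zone to dst_zone."""
    if LEVELS[src_zone] > LEVELS[dst_zone]:
        return "allow", "higher security level to lower"
    if (src_zone, dst_zone, proto, dport) in PUBLISHED:
        return "allow", "published DMZ service"
    if LEVELS[src_zone] == LEVELS[dst_zone]:
        return "deny", "same security level"
    return "deny", "lower security level to higher"


def decide(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Classify both addresses into zones, then apply the zone policy."""
    return zone_policy(zone_of(src), zone_of(dst), proto, dport)


# Constructed sample flows
SAMPLE = [
    ("10.1.1.5", "198.51.100.9", "TCP", 443),       # inside -> outside
    ("198.51.100.9", "192.168.100.10", "TCP", 80),  # outside -> DMZ web server
    ("198.51.100.9", "192.168.100.10", "TCP", 22),  # outside -> DMZ, not published
    ("192.168.100.10", "10.1.1.5", "TCP", 445),     # DMZ -> inside
    ("198.51.100.9", "10.1.1.5", "TCP", 80),        # outside -> inside directly
]


def evaluate(flows=SAMPLE) -> List[str]:
    return [decide(*f)[0] for f in flows]


if __name__ == "__main__":
    for flow, (action, reason) in zip(SAMPLE, (decide(*f) for f in SAMPLE)):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {action} ({reason})")
```

The fourth sample flow is the one the DMZ exists for: even if the web server in the DMZ is compromised, the level rule stops it from opening connections into the internal network, while the published entries still let external users reach it.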
An Example Solution
(Figure: many different topologies can be considered. The one shown is: Internet – router – packet filter – bastion host (here: a proxy firewall) – DMZ (de-militarized zone) containing a mail server and a web server – internal packet filter – internal network.)
Bastion Server
• A special type of proxy server.
• A single point of contact to the network.
• Well fortified.
• Logging capabilities.