Lecture Notes

CSCE 201
Network Security
Firewalls
Fall 2015
Traffic Control – Firewall

• Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
• Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it
CSCE 201 - Farkas
2
Firewall
[Diagram: the firewall is a security wall between the private (protected) network and the outside world (external network)]

Firewall Objectives
[Diagram: firewall between the private network and the external network]
• Keep intruders, malicious code and unwanted traffic or information out (external attacks)
• Keep proprietary and sensitive information in (proprietary data)

Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security totally relies on host security, and all hosts must communicate to achieve a high level of security – almost impossible

Network Address Translation (NAT)
• Organization uses private IP addresses on its network → increases address space
• Send packet to Internet: convert private IP address to globally assigned IP address
• Receive packet from Internet: globally assigned IP addresses converted to private IP addresses
• Firewalls may
– Establish connections on behalf of the client
– Support NAT

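As an added illustration (not from the slides), here is a minimal port-based NAT table of the kind a firewall that supports NAT keeps: outbound packets leave with the firewall's public address, and only replies to a mapping that an inside host created are translated back in. All addresses, ports and packet fields are constructed.

```python
import itertools

class Nat:
    """Port-based NAT table for a firewall: outbound packets leave with the
    public address, inbound packets are mapped back only if an outbound
    flow created the mapping (unsolicited inbound traffic is dropped)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)  # next unused public port
        self.out = {}   # (private_ip, private_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out:           # first packet of this flow
            port = next(self.ports)
            self.out[key] = port
            self.back[port] = key
        return dict(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None (drop) when no private host opened this mapping."""
        key = self.back.get(pkt["dport"])
        if key is None:
            return None
        return dict(pkt, dst=key[0], dport=key[1])

def demo():
    """Constructed sample: 10.0.0.5 (private, RFC 1918) fetches a web page
    from 198.51.100.7 through the firewall's public address 203.0.113.10."""
    nat = Nat("203.0.113.10")
    out = nat.outbound({"src": "10.0.0.5", "sport": 51000,
                        "dst": "198.51.100.7", "dport": 80})
    reply = nat.inbound({"src": "198.51.100.7", "sport": 80,
                         "dst": "203.0.113.10", "dport": out["sport"]})
    # an outside packet sent straight to the public address, port 22: no mapping
    unsolicited = nat.inbound({"src": "192.0.2.9", "sport": 4444,
                               "dst": "203.0.113.10", "dport": 22})
    return out, reply, unsolicited
```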
Common firewall features
• Routing information about the private network can't be observed from outside
• traceroute and ping -o can't 'see' internal hosts
• Users wishing to log on to an internal host must first log onto a firewall machine (or else start 'behind' the firewall).

Trade-Off between Accessibility and Security
[Diagram: the service access policy sets the balance between accessibility and security]

Firewall Advantages
• Protection for vulnerable services
• Controlled access to site systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use, misuse
• Policy enforcement

Controlled Access
• A site could prevent outside access to its hosts except for special cases (e.g., mail server).
• Do not give access to a host that does not require access.
• Some hosts can be reached from outside, some cannot.
• Some hosts can reach outside, some cannot.

Concentrated Security
• Firewall less expensive than securing all hosts
– All or most modified software and additional security software on firewall only (no need to distribute on many hosts)
• Other network security (e.g., Kerberos) involves modification at each host system.

Enhanced Privacy
• Even innocuous information may contain clues that can be used by attackers
– E.g., finger:
  • information about the last login time, when e-mail was read, etc.
  • Infer: how often the system is used, active users, whether the system can be attacked without drawing attention

Logging and Statistics on Network Use, Misuse
• If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
• Alarm can be added to indicate suspicious activity, probes and attacks – double duty as IDS on smaller networks

Policy enforcement
• Means for implementing and enforcing a network access policy
• Access control for users and services
• Can't replace a good education/awareness program, however:
– Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall

Firewall Disadvantages
• Restricted access to desirable services
• Large potential for back doors
• No protection from insider attacks
• No protection against data-driven attacks
• Cannot protect against newly discovered attacks – policy/situation dependent
• Large learning curve

Firewall Components
• Firewall Administrator
• Firewall policy
• Packet filters
– transparent
– does not change traffic, only passes it
• Proxies
– Active
– Intercepts traffic and acts as an intermediary

Firewall Administrator
• Knowledge of underpinnings of network protocols (e.g., TCP/IP, ICMP)
• Knowledge of workings of applications that run over the lower level protocols
• Knowledge of interaction between firewall implementation and traffic
• Vendor specific knowledge

Firewall Policy
• High-level policy: service access policy
• Low-level policy: firewall design policy
• Firewall policy should be flexible!

Service Access Policy
• Part of the Network Security Policy
• Defines:
– TCP/IP protocols
– Services that are allowed or denied
– Service usage
– Exception handling

Service Access Policy
• Goal: Keep outsiders out
• Must be realistic and reflect required security level
• Full security vs. full accessibility

Firewall Design Policy
• Refinement of service access policy for specific firewall configuration
• Defines:
– How the firewall achieves the service access policy
– Unique to a firewall configuration
– Difficult!

Firewall Design Policy
Approaches:
• Open system: Permit any service unless explicitly denied (maximal accessibility)
• Closed system: Deny any service unless explicitly permitted (maximal security)

Simple Packet Filters
• Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded.
• Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
• Stateless: each IP packet is examined in isolation from what has happened in the past.
• Often implemented by a router (screening router).

Simple Packet Filter
[Diagram: a packet filter with packet-level rules placed between the private network and the outside]
• Placing a simple router (or similar hardware) between internal network and "outside"
• Allow/prohibit packets from certain services

Simple Packet Filters
• Advantages:
– Does not change the traffic flow or characteristics – passes it through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on current rules

Simple Packet Filters
• Disadvantages:
– Direct communication between multiple hosts and internal network
– Unsophisticated (protects against simple attacks)
– Calibrating rule set may be tricky
– Limited auditing
– Single point of failure

Stateful Packet Filters
• Called Stateful Inspection or Dynamic Packet Filtering
• Checkpoint patented this technology in 1997
• Maintains a history of previously seen packets to make better decisions about current and future packets

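Added example, not from the slides: a simple (stateless) packet filter driven by header rules under a closed design policy (default deny), beside a stateful filter that keeps a connection table. The rule set, addresses and packet fields are constructed; it shows why the stateful filter can admit the reply to an allowed outbound web connection while the stateless one needs an extra inbound rule, which would also admit any unsolicited inbound packet that merely uses source port 80.

```python
from ipaddress import ip_address, ip_network

# Rule: (action, direction, proto, src_net, dst_net, dport); None = any.
# First matching rule wins; DEFAULT is the design policy: "deny" = closed
# system, "allow" = open system. (Constructed rule set and addresses.)
DEFAULT = "deny"
RULES = [
    ("allow", "out", "tcp", "10.0.0.0/8", None, 80),   # web browsing out
    ("allow", "in", "tcp", None, "10.0.0.25/32", 25),  # the public mail server
]

def stateless(pkt, rules=RULES, default=DEFAULT):
    """Simple packet filter: decides from this packet's header fields alone."""
    for action, direction, proto, src, dst, dport in rules:
        if direction != pkt["dir"] or (proto and proto != pkt["proto"]):
            continue
        if src and ip_address(pkt["src"]) not in ip_network(src):
            continue
        if dst and ip_address(pkt["dst"]) not in ip_network(dst):
            continue
        if dport and dport != pkt["dport"]:
            continue
        return action
    return default

class Stateful:
    """Dynamic packet filter: remembers flows the rules let through, so a
    reply is admitted by the connection table rather than by a loose rule."""
    def __init__(self):
        self.table = set()  # (proto, src, sport, dst, dport) of allowed flows

    def decide(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.table:  # reply to a flow already allowed
            return "allow"
        action = stateless(pkt)
        if action == "allow":
            self.table.add(key)
        return action

def demo():
    # Constructed packets: outbound web request, its reply, and an unsolicited
    # inbound packet that merely uses source port 80 (no matching flow).
    req = {"dir": "out", "proto": "tcp", "src": "10.0.0.7", "sport": 51000, "dst": "198.51.100.7", "dport": 80}
    reply = {"dir": "in", "proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "10.0.0.7", "dport": 51000}
    other = {"dir": "in", "proto": "tcp", "src": "192.0.2.9", "sport": 80, "dst": "10.0.0.7", "dport": 51000}
    fw = Stateful()
    return {"stateless": [stateless(p) for p in (req, reply, other)],
            "stateful": [fw.decide(p) for p in (req, reply, other)]}
```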
Proxy Firewalls
[Diagram: "View" – private network and outside; "Reality" – a bastion host running a proxy server sits between the private network and the outside]

Proxy Firewalls
• Application Gateways
– Works at the application layer → must understand and implement application protocol
– Called Application-level gateway or proxy server
• Circuit-Level Gateway
– Works at the transport layer
– E.g., SOCKS

Application Gateways
• Interconnects one network to another for a specific application
• Understands and implements application protocol
• Good for higher-level restrictions
[Diagram: Client – Application Gateway – Server]

Application Gateways
• Advantages (compared with permitting application traffic directly to internal hosts):
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching host and can be logged
– Cost effective: third-party software and hardware for authentication and logging only on gateway
– Less-complex filtering rules for packet filtering routers: need to check only destination
– Most secure

Application Gateways
• Disadvantages:
– Keeping up with new applications
– Need to know all aspects of protocols
– May need to modify application client/protocols

Firewall Evaluation
• Level of protection on the private network?
– Prevented attacks
– Missed attacks
– Amount of damage to the network
• How well is the firewall protected?
– Possibility of compromise
– Detection of the compromise
– Effect of compromise on the protected network
• Ease of use
• Efficiency, scalability, redundancy
• Expense