Transcript Chapter 4

Guide to Network Defense
and Countermeasures
Chapter 5
Chapter 5 - Configuring Firewalls

- Describe the difference between stateless and stateful packet filtering
- Create different packet filter rules for real-world situations
- Set up Network Address Translation
- Decide when to use user, session, or client authentication

Approaches to Packet Filtering

Packet filters filter incoming network traffic. Stateless packet filters allow or block packets based on protocol header data, such as:

- IP address: each packet filter rule specifies a source and destination IP address
- Ports, which give a finer level of control over what is allowed and what is blocked; and sockets, which are software connections that enable applications to send and receive data using a network protocol
- ACK bits, part of the TCP header used to indicate whether a packet has reached its destination

Approaches to Packet Filtering

Stateless packet filters (cont.):

- Stateless packet filters tend to have fairly simple rules that hackers can get around easily; they are typically not sufficient for most security needs
- The main advantage of stateless packet filters is cost: they tend to be inexpensive and many are free; some packet filters are included with routers
- Disadvantages of stateless packet filters are that they can become cumbersome to maintain in a complex network, they are vulnerable to IP spoofing attacks, and they offer no form of authentication

Approaches to Packet Filtering

Stateful packet filters go beyond stateless filters in that they keep a record of the connections that the host has made with other computers:

- The record of connections is maintained in a file called the state table
- The packet filter allows incoming packets to pass through it only from external hosts that are already connected and that have a record in the table
- One of the simplest packet filters in use is built into Windows XP

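The following Python simulation is an added example and is not part of the textbook slides: it puts a minimal stateless filter beside a stateful one and runs both on constructed packets, so the difference described above can be seen directly. The addresses (192.168.1.0/24 as the internal network, 203.0.113.x and 198.51.100.x as external hosts), the two stateless rules and the dynamic-port range check are assumptions made for the illustration; the state table is kept in memory here rather than in a file.

```python
# Added example, not from the textbook: a stateless filter next to a
# stateful one, run on constructed packets.
from dataclasses import dataclass

INTERNAL_PREFIX = "192.168.1."   # constructed internal network (assumption)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag: set on a connection request
    ack: bool = False   # TCP ACK flag: set on every packet after the first


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Stateless filter: each packet is judged only by its own header.
    Rule 1: anything from an internal host may go out.
    Rule 2: inbound packets are allowed only if they look like replies,
            i.e. the ACK bit is set and the target is a dynamic port
            (49152-65535). Everything else is blocked."""
    if is_internal(pkt.src_ip):
        return True
    return pkt.ack and 49152 <= pkt.dst_port <= 65535


class StatefulFilter:
    """Stateful filter: records every connection an internal host opens and
    admits inbound packets only when they belong to a recorded connection."""

    def __init__(self):
        # state table entries: (internal ip, internal port, external ip, external port)
        self.state_table = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src_ip):
            # Outbound packet: permit it and remember the connection.
            self.state_table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound packet: permit it only if the reversed 4-tuple is in the table.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.state_table


def compare() -> dict:
    """Runs three constructed packets through both filters and returns
    {name: (stateless verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    outbound = Packet("192.168.1.10", 50000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 50000, syn=True, ack=True)
    # An inbound packet nobody asked for, with the ACK bit set and a dynamic port:
    unsolicited = Packet("198.51.100.7", 80, "192.168.1.10", 50001, ack=True)
    return {
        "outbound": (stateless_allow(outbound), stateful.allow(outbound)),
        "reply": (stateless_allow(reply), stateful.allow(reply)),
        "unsolicited": (stateless_allow(unsolicited), stateful.allow(unsolicited)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12s} stateless={stateless} stateful={stateful}")
```

The stateless filter passes the unsolicited packet because its header alone looks like a reply; the stateful filter rejects it because no internal host opened that connection, which is exactly the advantage of the state table.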
Approaches to Packet Filtering

The type of filtering that a firewall, router, or other packet filtering device performs depends on its position in the firewall perimeter configuration:

- A packet filter that provides the only network protection, positioned between the Internet and the network, must handle all inbound and outbound traffic
- If it sits between the Internet and a proxy server (which can perform stateful packet filtering itself), it shields internal users from external hosts
- Another configuration is to place packet filtering devices at either end of the DMZ

Creating Packet Filter Rules

The packet filtering rule base is the primary security tool used by many routers, and is the fundamental security provided by all firewalls:

- Firewalls or packet filters should begin by blocking all traffic, and then selectively allow services
- The rule base should keep everyone except the network administrator from connecting to the firewall
- Firewalls should filter all inbound traffic
- The rule base should permit access to all public servers in the DMZ and enable user Internet access

Creating Packet Filter Rules

Packet filters provide fine-grained traffic control via elements of packet header information:

- IP addresses allow data to reach the right device; port numbers allow data to reach the right server or client program on that device
- Filtering by TCP or UDP port number is called port filtering or protocol filtering; everything can be filtered out except TCP port 80 for Web, TCP port 25 for e-mail, or TCP port 21 for FTP
- When two computers exchange data, they use two port numbers: the source and the destination

Creating Packet Filter Rules

Port filtering is a complicated process:

- The source and destination ports are different; the destination port is dynamically determined on a per-connection basis and therefore impossible to predict
- Port numbers are allocated by the Internet Assigned Numbers Authority (IANA) and span 0 to 65535; 0-1023 is reserved for common services and 49152-65535 is for dynamic port numbers
- Traditionally, packet filters would be configured to filter ports below 1024; nowadays, however, ports above 1024 are the ones that need monitoring

Creating Packet Filter Rules

Firewalls/packet filters must determine whether an ICMP packet should be allowed to pass:

- Because ICMP packets have no authentication method to verify the recipient of a packet, hackers can attempt man-in-the-middle attacks, or they can use the ICMP Redirect message type to direct traffic to an external computer they control

Some firewalls filter by the services specified:

- Filtering can be based on the IP protocol ID field in the header, which can allow or deny an entire type of service, such as TCP, UDP, IGMP, or ICMP

Creating Packet Filter Rules

Firewalls can filter by the TCP header ACK bit:

- Every packet that is sent must be responded to with a packet with the ACK bit set to 1 before further transmission can take place; a packet filter rule that blocks all packets that do not have the ACK bit set to 1 effectively prevents external hosts from initiating connections with network computers

Firewalls can filter by IP option settings:

- Both hosts and routers can set the Options field in an IP header to include additional packet information; access to these options is tempting for hackers

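To show the rule-base practices, port filtering, protocol ID and ICMP filtering, and the ACK-bit rule from the preceding slides working together, here is an added Python example that is not from the textbook: an ordered rule base evaluated first-match-wins with a default of deny. The address plan (192.168.1.0/24 internal, 192.0.2.0/24 DMZ, 192.168.1.1 as the firewall's own address, 192.168.1.50 as the administrator's workstation) and the specific rules are assumptions chosen for the illustration.

```python
# Added example, not from the textbook: an ordered rule base with a
# default-deny policy, evaluated against constructed packets.
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed address plan (assumption): internal LAN, DMZ, the firewall's
# own inside address, and the one administrator workstation.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
FIREWALL = ipaddress.ip_network("192.168.1.1/32")
ADMIN = ipaddress.ip_network("192.168.1.50/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # IP protocol ID field: "TCP", "UDP" or "ICMP"
    dst_port: Optional[int] = None   # TCP/UDP destination port
    ack: bool = False                # TCP ACK bit
    icmp_type: Optional[int] = None  # ICMP message type (5 = Redirect)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None                   # None = any protocol
    dst_ports: Optional[FrozenSet[int]] = None    # None = any port
    ack: Optional[bool] = None                    # None = don't care
    icmp_types: Optional[FrozenSet[int]] = None   # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must agree with the packet header."""
        if ipaddress.ip_address(p.src_ip) not in self.src:
            return False
        if ipaddress.ip_address(p.dst_ip) not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_ports is not None and p.dst_port not in self.dst_ports:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return True


# Order matters: the first matching rule decides.
RULE_BASE = [
    Rule("admin to firewall", "allow", src=ADMIN, dst=FIREWALL),
    Rule("everyone else off the firewall", "deny", dst=FIREWALL),
    Rule("block ICMP redirect", "deny", proto="ICMP", icmp_types=frozenset({5})),
    Rule("ICMP errors to internal", "allow", dst=INTERNAL, proto="ICMP",
         icmp_types=frozenset({3, 11})),     # destination unreachable, time exceeded
    Rule("public DMZ services", "allow", dst=DMZ, proto="TCP",
         dst_ports=frozenset({80, 25, 21})),  # Web, e-mail, FTP
    Rule("replies to internal", "allow", dst=INTERNAL, proto="TCP", ack=True),
    Rule("internal users out", "allow", src=INTERNAL),
]


def evaluate(pkt: Packet, rule_base=RULE_BASE):
    """Returns (action, rule name). With no match the verdict is deny:
    block all traffic first, then selectively allow."""
    for rule in rule_base:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.50", "192.168.1.1", "TCP", 22),
        Packet("192.168.1.20", "192.168.1.1", "TCP", 22),
        Packet("203.0.113.9", "192.0.2.10", "TCP", 80),
        Packet("203.0.113.9", "192.168.1.10", "TCP", 50123),
        Packet("203.0.113.9", "192.168.1.10", "ICMP", icmp_type=5),
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

Note that the "internal users out" rule comes last: if it were placed first, it would also let any internal workstation reach the firewall, which the second rule is meant to prevent.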
Network Address Translation (NAT)

The firewall or router that performs NAT receives requests from outside the internal network at its own IP address and forwards each one to the correct in-house IP address:

- Using NAT means that public IP addresses do not have to be assigned to each internal computer
- NAT is one of the essential functions performed by many firewalls or routers
- The security-related reason for NAT is to shield the IP addresses of internal hosts, thereby greatly reducing the likelihood of an attack

Network Address Translation (NAT)

Hide-mode mapping NAT:

- The process of hiding multiple private IP addresses behind one public IP address
- The computers on the Internet only see the IP address of the NAT device; packets from internal hosts all seem to be coming from the NAT device
- Hide-mode NAT has significant limitations: external hosts on the Internet might occasionally need to make connections with internal hosts, and NAT does not always work, such as when a VPN is in place (use the static form of NAT in this case)

Network Address Translation (NAT)

Static mapping NAT:

- The process by which internal IP addresses are mapped to external, routable IP addresses
- Internal IP addresses are hidden, but the devices that have them appear to have public, routable IP addresses; the public and private IP addresses are static and do not change dynamically
- The external hosts think they are making a direct connection to an internal computer, but in reality they are still connecting directly to the NAT device, which forwards requests to the internal system

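The two NAT modes above, as an added Python simulation that is not from the textbook: hide-mode NAT keeps a translation table so that replies find their way back to the right internal host and refuses inbound packets that no internal host asked for, while static NAT gives each internal address its own public address so that outside hosts can reach it through the NAT device. Packets are simple (src_ip, src_port, dst_ip, dst_port) tuples; the public address 203.0.113.1, the internal addresses and the starting public port 40000 are constructed for the example.

```python
# Added example, not from the textbook: hide-mode (many-to-one) and static
# (one-to-one) NAT simulated on constructed packets. Packets are 4-tuples
# (src_ip, src_port, dst_ip, dst_port); all addresses are assumptions.
import itertools

PUBLIC_IP = "203.0.113.1"   # the NAT device's own public address (constructed)


class HideModeNAT:
    """All internal hosts appear as PUBLIC_IP. A translation table maps each
    (internal ip, internal port) to the public source port the device picked,
    so that replies can be mapped back to the right internal host."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.table = {}      # (internal ip, internal port) -> public port
        self.reverse = {}    # public port -> (internal ip, internal port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an internal host's packet to the NAT device."""
        key = (src_ip, src_port)
        if key not in self.table:
            port = next(self._next_port)
            self.table[key] = port
            self.reverse[port] = key
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet from the Internet back to the internal host.
        Returns None when no internal host created that mapping: this is the
        limitation that outside hosts cannot initiate connections inward."""
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        int_ip, int_port = self.reverse[dst_port]
        return (src_ip, src_port, int_ip, int_port)


class StaticNAT:
    """Each internal address is mapped to its own fixed public address, so an
    outside host can reach the internal system (through the NAT device)."""

    def __init__(self, mapping: dict):
        self.to_public = dict(mapping)                        # internal -> public
        self.to_internal = {v: k for k, v in mapping.items()}  # public -> internal

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        return (self.to_public[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        if dst_ip not in self.to_internal:
            return None
        return (src_ip, src_port, self.to_internal[dst_ip], dst_port)


if __name__ == "__main__":
    hide = HideModeNAT()
    print("out :", hide.outbound("192.168.1.10", 51000, "198.51.100.20", 80))
    print("back:", hide.inbound("198.51.100.20", 80, PUBLIC_IP, 40000))
    print("new :", hide.inbound("198.51.100.20", 80, PUBLIC_IP, 40555))
    static = StaticNAT({"192.168.1.20": "203.0.113.20"})
    print("in  :", static.inbound("198.51.100.20", 44444, "203.0.113.20", 443))
```

In the hide-mode case the outside host only ever sees 203.0.113.1; in the static case it sees 203.0.113.20 and believes it is talking to that host directly, while the device in between still performs the forwarding.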
Authenticating Users

Authentication is an important element in a network defense program and is performed by the more full-featured firewalls and IDSs:

- Authentication depends on the exchange of information that tells one entity that another is recognized as authorized and can be trusted
- The information exchanged can be a password, an encrypted block of code called a key, a formula used to verify digital information called a checksum, a smart card, or a biometric reading of fingerprints, retinas, or voiceprints

Authenticating Users

Deciding what to authenticate:

- User authentication is the process of identifying a user who has been authorized for network access
- The user who presents proper credentials can log onto the network from any location; it is not required to have users enter their passwords every time they access the firewall; rather, the authentication can be configured to be transparent and based on the exchange of keys
- In addition, some firewalls allow the specification of time-based restrictions that control user access

Authenticating Users

Deciding what to authenticate (cont.):

- Client authentication is the process of granting access to network resources based on source IP address or computer name
- As with user authentication, the identification process can be either transparent or manual
- Even if a hacker steals an individual's user name and/or password, having that user log on with client authentication means that access could be gained only by using the computer with the required IP address, or by spoofing the address

Authenticating Users

Deciding what to authenticate (cont.):

- Session authentication is the process of authorizing a user/computer on a per-connection basis using special authentication software installed on the client computer
- The client computer and the firewall authenticate in the background; however, the user making the connection does need to enter a password; the authentication can be configured so that the user must enter a password every time a file/resource is requested, once per session, or after a specified number of minutes of inactivity

Authenticating Users

Deciding how to authenticate:

- Password-based authentication is the process of comparing a user's name and password against a database of approved users
- Firewalls can use a number of password systems, including: OS password, where the firewall refers to the user's password stored on the operating system of the host computer; firewall password, used by firewalls that provide their own password system; and S/Key password, where a one-time password is generated and then encrypted, and the user enters it once to authenticate

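The S/Key one-time password system mentioned above rests on a hash chain: the server stores only the top of the chain, each login reveals the link just below it, and a password that has been used once can never be replayed. The following Python code is an added example, not from the textbook or from any S/Key implementation: it is a simplified version of the scheme in which SHA-256 stands in for the MD4-based folding used by real S/Key, and the passphrase, seed and chain length are constructed values.

```python
# Added example, not from the textbook: a one-time password scheme built on
# a hash chain in the style of S/Key (Lamport's scheme). SHA-256 stands in
# for the MD4-based hash real S/Key uses (a simplification/assumption).
import hashlib


def chain_base(secret: str, seed: str) -> bytes:
    """Bottom of the chain: one hash of the secret passphrase and seed, so
    the raw passphrase itself is never sent as a password."""
    return hashlib.sha256((secret + seed).encode()).digest()


def hash_times(data: bytes, times: int) -> bytes:
    """Apply the one-way hash `times` times: h^times(data)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


class OTPServer:
    """Holds only the seed, a counter and the top of the chain; never the secret."""

    def __init__(self, seed: str, count: int, top: bytes):
        self.seed = seed      # sent to the client in the challenge
        self.count = count    # how many one-time passwords remain
        self.top = top        # h^count(chain_base)

    def challenge(self):
        return self.count, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept otp if hashing it once yields the stored value; the accepted
        otp then becomes the new top, so a captured password is useless."""
        if self.count == 0 or hashlib.sha256(otp).digest() != self.top:
            return False
        self.top, self.count = otp, self.count - 1
        return True


class OTPClient:
    """Knows the secret passphrase; computes one link of the chain per login."""

    def __init__(self, secret: str):
        self.secret = secret

    def enroll(self, seed: str, count: int) -> OTPServer:
        """Register with the server by handing it the top of a fresh chain."""
        return OTPServer(seed, count, hash_times(chain_base(self.secret, seed), count))

    def respond(self, challenge) -> bytes:
        """Answer a (count, seed) challenge with the link just below the top."""
        count, seed = challenge
        if count < 1:
            raise ValueError("chain exhausted; re-enroll with a new seed")
        return hash_times(chain_base(self.secret, seed), count - 1)


if __name__ == "__main__":
    client = OTPClient("correct horse battery")   # constructed passphrase
    server = client.enroll("seed42", 3)
    otp = client.respond(server.challenge())
    print("first login :", server.verify(otp))
    print("replayed otp:", server.verify(otp))
    print("second login:", server.verify(client.respond(server.challenge())))
```

Because hashing is one-way, an eavesdropper who captures a password learns nothing that helps with the next one, and the server side holds nothing that reveals the passphrase; the count reaching zero is the signal to re-enroll with a new seed.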
Authenticating Users

Deciding how to authenticate (cont.):

- When physical objects such as smart cards and tokens are combined with passwords, they create secure two-factor authentication
- Tokens enable network authentication; smart cards (ATM cards) are tokens, as are electronic devices that generate a random number that is entered with a PIN/password to authenticate users
- Smart cards and tokens are easy to lose or have stolen, but the fact that they require a PIN or a password makes it difficult for a thief to use them

Authenticating Users

Deciding how to authenticate (cont.):

- Keys are blocks of encrypted code generated by algorithms; computers use keys to authenticate themselves to servers, firewalls, or other devices
- Exchanging keys, or public key cryptography, is a popular and secure form of Internet authentication
- Private keys are never exchanged; you generate them after a certificate authority (CA) provides it to you; public keys are what you create with your private key and issue to those with whom you want to conduct secure communications

Authenticating Users

Deciding how to authenticate (cont.):

- Digital signatures are attachments to messages that enable recipients to authenticate senders
- Digital signatures deal with two security issues that encryption and decryption do not address: tampering and impersonation
- The signing software creates a one-way hash by processing the data to be sent with a mathematical formula; the software then uses the private key to encrypt the hash; the encrypted hash, along with other information, forms the digital signature

Authenticating Users

Putting it all together:

- Firewalls must be able to process and recognize a variety of authentication methods
- Secure Hypertext Transport Protocol (HTTPS) uses security protocols like Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt communications; SSL involves public key cryptography and uses a digital certificate
- Internet Protocol Security (IPSec) encrypts communications at the OSI Network layer; IPSec provides secure tunnels between two devices

Authenticating Users

Putting it all together (cont.):

- Some special authentication systems designed especially for use with dial-in users can be used by firewalls: Terminal Access Controller Access Control System (TACACS+) uses the MD5 algorithm to produce an encrypted digest version of transmitted data; Remote Authentication Dial-In User Service (RADIUS) transmits authentication packets unencrypted across the network, which means they are vulnerable to attacks from packet sniffers; special TACACS+ and RADIUS servers perform authentication in these systems

Chapter Summary

This chapter examined the various firewall components and functions that need to be configured in order to create a network defense perimeter. The basic function performed by firewalls is packet filtering, and much of this chapter was devoted to the establishment of a rule base. However, these days firewalls are being called on to perform more and more security-related functions, and the most common ones were examined in this chapter as well.

There are two general approaches to packet filtering: stateless and stateful. Stateless packet filters decide whether to allow or deny packets based on the information in the TCP, IP, or UDP headers. Filtering is usually done by IP address, port number, or ACK flag. Stateless filtering does not take into account established external/internal connections.

Stateful packet filtering maintains a state table, which keeps a record of the connections that have been made between internal and external computers. Such a packet filter only allows incoming packets to pass through the firewall from external hosts that are already connected and listed in the state table.

Both stateless and stateful packet filters depend on a set of rules called a rule base that enables them to perform security functions. Although the exact rules in the rule base depend on the network being protected, some general practices should be observed: the firewall should be protected from all users except administrators, and it should be blocked from making connections on its own; the rule base should block direct access from external computers to computers inside the firewall; it should enable internal users access to the Internet; and both internal and external users should be able to gain access to the servers in the DMZ.

Packets can be filtered by TCP or UDP port numbers as well as IP addresses. Such port filtering can be used to block access by services that are not needed and that would not be used in the inbound direction. Keep in mind, though, that the source port and destination port are different when a connection is made. Services that are used by Windows and UNIX for internal communications should be blocked if connection attempts are made from the Internet using their ports. Inbound connection attempts using one of the ICMP message types should be blocked as well.

Another basic firewall function, Network Address Translation (NAT), is performed by many firewalls. It is used to conceal the IP addresses of computers on the internal network so that hackers cannot locate them and initiate intrusion attempts. NAT also has the benefit of enabling network administrators to assign private IP addresses to computers inside the network, thus conserving scarce public IP addresses. Hide-mode NAT conceals multiple IP addresses behind a single IP address, while static NAT maps each internal IP address to a public IP address.

Many firewalls also perform the essential function of authenticating individuals who access network resources. Firewalls can perform user, client, or session authentication. They can authorize by accepting one-time or multiple-use passwords; by using two-factor authentication systems such as SecurID; by exchanging public and private keys; and by issuing digital signatures. Many enterprise-level firewalls can operate with encryption schemes such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec). In addition, firewalls can work with a server configured to enable dial-in access for remote employees.