Firewall
Ge Zhang
Karlstad University
A typical network topology
• Threats example
– Back door
– Port scanning
– …
What is a Firewall?
A single checking point that inspects and acts on traffic to and from a network (pass, discard, block, log).
• Design goals
– All traffic from inside to outside and vice versa must pass through the firewall
[Figure: the firewall sits between the Internet and the internal network]
Services by a firewall
• Service control
• Direction control
• User control (internal network)
• Behavior control (the firewall needs to know the application protocol)
• Logging flow information
• Hidden internal topology
Capabilities and limitations
• Capabilities
– Prevents unauthorized traffic
– Monitors security-related events
– The platform for a network address translator (NAT)
– The platform for IPsec tunnel mode (VPN)
• Limitations
– Attacks that bypass the firewall (over other channels)
– Internal threats (internal employees cooperating with external attackers)
– Transferring virus-infected programs
The working flow of a Firewall
if {condition_1} then {action_1}
else if {condition_2} then {action_2}
else if {condition_3} then {action_3}
else if {condition_4} then {action_4}
…
else if {condition_n} then {action_n}
How to define the conditions?
Layered TCP/IP model
[Figure: the layered TCP/IP model]
Types of firewalls
• Packet-Filtering router
• Application-level gateway
• Circuit-level gateway
Packet-Filtering router (1)
[Figure: the packet-filtering router forms the security perimeter between the external network and the internal network, examining the IP headers and the TCP/UDP headers]
• Packet-Filtering Firewall
– Applies a set of rules
– Decides whether to forward or discard the packet
– Only examines the headers; it does not "see inside" a packet
Packet-Filtering router (2)

source   | destination | protocol | dest. port | action
Ane_home | Ane_work    | any      | any        | Allow
any      | SIP proxy   | tcp, udp | 5060, 5061 | Allow
any      | Mail server | tcp, udp | 25         | Allow
any      | Web server  | tcp      | 80, 8080   | Allow
any      | any         | any      | any        | Deny

source | destination | protocol | dest. port | action
mal1   | any         | any      | any        | Deny
mal2   | any         | any      | any        | Deny
mal1   | any         | any      | any        | Deny
mal3   | any         | any      | any        | Deny
any    | any         | any      | any        | Allow
Requirements on rule set design
• Consistency: the rules are ordered correctly
• Completeness: every packet satisfies at least one rule in the firewall
• Compactness: the firewall has no redundant rules
An example
[Figure: the firewall's interface 0 faces the Internet and a malicious host; interface 1 faces the web server host]

Interface | source    | destination | protocol | dest. port | action
0         | any       | Web server  | tcp      | 80         | Allow
0         | any       | Web server  | any      | any        | Deny
0         | malicious | any         | any      | any        | Deny
1         | host      | any         | any      | any        | Allow
1         | any       | any         | any      | any        | Allow

Errors marked on the slide:
– Consistency error: the deny rule for the malicious host comes after the rule that allows anyone to reach the web server on port 80, so the ordering is wrong
– Compactness error: the rule for "host" on interface 1 is made redundant by the rule that allows everything on interface 1
– Completeness error: a packet on interface 0 from a host that is not malicious (destination any, protocol any) matches no rule, so its action is ????
Improvement
[Figure: same topology: interface 0 faces the Internet and the malicious host, interface 1 faces the web server host]

Interface | source    | destination | protocol | dest. port | action
0         | malicious | any         | any      | any        | Deny
0         | any       | Web server  | tcp      | 80         | Allow
0         | any       | Web server  | any      | any        | Deny
0         | any       | any         | any      | any        | Allow
1         | any       | any         | any      | any        | Allow
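The following is an added example, not from the slides: a first-match packet filter written like the if/else-if chain above, with checks for consistency, completeness and compactness run over the slide's example rule set and its improvement. The symbolic names are the slide's; that the malicious host must be denied even on the web server's port 80 is an assumed statement of intent (the policy), since rule ordering can only be judged against intent.

```python
# Added example, not from the slides: a first-match packet filter written like the
# slide's if/else-if chain, plus checks for the three rule-set requirements on the
# slide's example and its improvement. The policy (malicious host denied even on
# the web server's port 80) is an assumed statement of intent.
from itertools import product

FIELDS = ("iface", "src", "dst", "proto", "dport")

def rule(iface, src, dst, proto, dport, action):
    return dict(zip(FIELDS + ("action",), (iface, src, dst, proto, dport, action)))

def matches(r, p):
    """A rule field matches when it is 'any' or equal to the packet's value."""
    return all(r[f] == "any" or r[f] == p[f] for f in FIELDS)

def decide(rules, p):
    """First match wins; None means the packet fell through the whole chain."""
    for r in rules:
        if matches(r, p):
            return r["action"]
    return None

def packet_space(rules):
    """All symbolic packets: values named by some rule plus one 'other' value per
    field; interfaces are a fixed set, so they get no 'other'."""
    vals = [sorted({r[f] for r in rules} - {"any"}, key=str) for f in FIELDS]
    vals = [v if f == "iface" else v + ["other"] for f, v in zip(FIELDS, vals)]
    return [dict(zip(FIELDS, combo)) for combo in product(*vals)]

def check(rules, policy):
    """policy: list of (packet, expected action). Empty lists everywhere means OK."""
    pkts = packet_space(rules)
    return {
        # consistency: rule order makes the chain disagree with the stated intent
        "consistency": [p for p, want in policy if decide(rules, p) != want],
        # completeness: a packet that no rule decides
        "completeness": [p for p in pkts if decide(rules, p) is None],
        # compactness: a rule whose removal changes no decision is redundant
        "compactness": [i for i in range(len(rules)) if all(
            decide(rules, p) == decide(rules[:i] + rules[i + 1:], p) for p in pkts)],
    }

# The slide's rule set (interface, source, destination, protocol, dest. port, action)
BAD = [rule(0, "any", "web", "tcp", 80, "Allow"), rule(0, "any", "web", "any", "any", "Deny"),
       rule(0, "malicious", "any", "any", "any", "Deny"), rule(1, "host", "any", "any", "any", "Allow"),
       rule(1, "any", "any", "any", "any", "Allow")]
# The slide's improvement: deny the malicious host first, add a default rule on interface 0
GOOD = [rule(0, "malicious", "any", "any", "any", "Deny"), rule(0, "any", "web", "tcp", 80, "Allow"),
        rule(0, "any", "web", "any", "any", "Deny"), rule(0, "any", "any", "any", "any", "Allow"),
        rule(1, "any", "any", "any", "any", "Allow")]
POLICY = [(dict(iface=0, src="malicious", dst="web", proto="tcp", dport=80), "Deny")]
```

check(BAD, POLICY) reports the port-80 packet from the malicious host (consistency), the interface-0 packets no rule decides (completeness) and rule index 3 as redundant (compactness); check(GOOD, POLICY) reports nothing.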
Efficiency of rule set

source      | destination | protocol | dest. port | action
192.163.0.1 | any         | tcp      | 80, 8080   | Deny
192.163.0.2 | any         | tcp      | 80, 8080   | Deny
192.163.0.3 | any         | tcp      | 80, 8080   | Deny
10.1.1.2    | any         | tcp      | 80, 8080   | Allow
10.1.1.3    | any         | tcp      | 80, 8080   | Allow

The same policy with address wildcards:

source      | destination | protocol | dest. port | action
192.163.0.* | any         | tcp      | 80, 8080   | Deny
10.1.1.*    | any         | tcp      | 80, 8080   | Allow
Stateful PF
• For TCP connections
– Server ports are mostly fixed (< 1024)
– Client ports are dynamically used (from 1024 to 65535)
• Stateful: tightens up the rules for TCP traffic by creating a directory of outbound TCP connections

src           | src port | dest         | dest port | state
192.168.1.100 | 1030     | 210.9.88.29  | 80        | established
192.168.1.102 | 3331     | 216.32.1.122 | 25        | established
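An added example, not from the slides: a minimal stateful packet filter that keeps the directory of outbound TCP connections shown above and admits an inbound packet only when it answers an entry in that directory, beside the stateless rule a plain PF would need to let replies back in. The internal prefix 192.168.1.0/24 and the packet sequence (addresses taken from the slide's table) are assumptions for illustration.

```python
# Added example, not from the slides: a stateful packet filter keeping the slide's
# directory of outbound TCP connections, next to the stateless port rule a plain PF
# needs to let replies in. Internal prefix and sample packets are assumed.
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed internal network

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def stateless_decide(p):
    """Stateless rules that must let replies back in: outbound from a client port
    (>=1024) to a server port (<1024), inbound the other way round. Any outside
    host can then reach any client port, solicited or not."""
    if ipaddress.ip_address(p["src"]) in INTERNAL:
        return "allow" if p["sport"] >= 1024 and p["dport"] < 1024 else "deny"
    return "allow" if p["sport"] < 1024 and p["dport"] >= 1024 else "deny"

class StatefulFilter:
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> state, as in the slide's directory

    def decide(self, p):
        src, sport, dst, dport = p["src"], p["sport"], p["dst"], p["dport"]
        if ipaddress.ip_address(src) in INTERNAL:
            if sport < 1024 or dport >= 1024:  # same port rule as the stateless filter
                return "deny"
            # record the outbound connection; the handshake's final ACK makes it established
            self.table[(src, sport, dst, dport)] = "established" if "ACK" in p["flags"] else "syn_sent"
            return "allow"
        # inbound: allowed only as the reverse direction of a recorded connection
        return "allow" if (dst, dport, src, sport) in self.table else "deny"

def trace(fw, packets):
    """Decisions for a packet sequence, in order (state carries over)."""
    return [fw.decide(p) for p in packets]

# Constructed sequence: one web connection opened from inside, then an unsolicited SYN
TRAFFIC = [
    pkt("192.168.1.100", 1030, "210.9.88.29", 80, "SYN"),      # open: allowed, state recorded
    pkt("210.9.88.29", 80, "192.168.1.100", 1030, "SYN,ACK"),  # reply: matches the directory
    pkt("192.168.1.100", 1030, "210.9.88.29", 80, "ACK"),      # handshake done: established
    pkt("210.9.88.29", 80, "192.168.1.100", 1031, "SYN"),      # unsolicited: stateful denies it
]

if __name__ == "__main__":
    print("stateful: ", trace(StatefulFilter(), TRAFFIC))         # ['allow', 'allow', 'allow', 'deny']
    print("stateless:", [stateless_decide(p) for p in TRAFFIC])   # ['allow', 'allow', 'allow', 'allow']
```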
Pros and cons of PF
• Pros:
– Simple, highly efficient
– Transparent to users
• Cons:
– Does not work with application-specific vulnerabilities
– Limited log information
– No user authentication
– Difficult to configure rule sets
Attacks on a PF
• IP address spoofing: packets carry a spoofed source IP address that the firewall trusts
• Fragment attacks
– Tiny fragment
– Overlapping fragment
IP fragment
• A packet filter only inspects the first fragment (the one that carries the TCP/UDP header).
[Figure: the sender splits a datagram (IP h. | TCP/UDP h. | data) into fragments; intermediaries forward them as IP h. | TCP/UDP h. and IP h. | data; the recipient reassembles them]

Tiny fragment attack
[Figure: the first fragment is so small that it holds only part of the TCP/UDP header, so the firewall has not enough information to apply its rules; the later fragments carry the rest of the header and the data, and the recipient reassembles the full packet]

Overlapping fragment
[Figure: the first fragment (offset 0) carries the TCP/UDP header and the data fragment starts at offset 20; a later fragment at offset 16 overlaps the header, and on reassembly the recipient rewrites the overlapped part]
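An added example, not from the slides: the two checks a packet filter needs before it lets the first fragment decide for a whole datagram, covering the tiny-fragment and overlapping-fragment cases drawn above. Offsets are payload byte offsets as in the figures (a real IP fragment offset is counted in 8-byte units), and the fragment trains are constructed samples.

```python
# Added example, not from the slides: checks applied to a fragment train before the
# first fragment is allowed to decide for the whole datagram. Offsets are payload
# byte offsets as drawn in the slide's figures (real IP offsets are in 8-byte
# units); the fragment trains below are constructed samples.
MIN_FIRST = 20  # bytes the first fragment must carry so the whole TCP header is visible

def check_fragments(frags):
    """frags: list of (offset, length, more_fragments) for one datagram.
    Returns the sorted list of anomalies found: 'tiny_first' and/or 'overlap'."""
    found = set()
    seen = []  # (start, end) byte ranges already accepted
    for off, length, more in sorted(frags, key=lambda f: f[0]):
        end = off + length
        if off == 0 and more and length < MIN_FIRST:
            found.add("tiny_first")  # transport header continues in a later fragment
        if any(off < e and s < end for s, e in seen):
            found.add("overlap")     # rewrites bytes an earlier fragment already carried
        seen.append((off, end))
    return sorted(found)

def admit(frags):
    """Policy: drop the whole datagram when either anomaly is present."""
    return not check_fragments(frags)

# Constructed trains (offset, length, more-fragments flag)
NORMAL = [(0, 20, True), (20, 100, False)]                   # header, then data
TINY = [(0, 8, True), (8, 12, True), (20, 100, False)]       # header cut after 8 bytes
OVERLAP = [(0, 20, True), (20, 100, True), (16, 24, False)]  # second copy of bytes 16..39

if __name__ == "__main__":
    for name, train in (("normal", NORMAL), ("tiny", TINY), ("overlap", OVERLAP)):
        print(name, check_fragments(train), admit(train))
```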
Application-level Gateway (mainly for inbound requests)
[Figure: the gateway relays each application separately (SIP, HTTP, FTP) between the outside hosts and the inside host]
• Has more checking parameters (user names, message format, client software version, etc.)
• Only deals with allowable applications
• More useful log information
• Con: high processing overhead
Circuit level gateway (mainly for outbound requests)
• Based on connections instead of packets
• Similar to stateful PF
• Performs authentication
• Implementations: SOCKS server
[Figure: the gateway relays the "out" and "in" halves of each connection between the inside host and the outside host]
Bastion Host
• Runs a secure version of its operating system
• A platform for an application-level gateway or circuit-level gateway
• Supports only allowed applications
• Supports only a subset of the standard applications
• Needs additional authentication
Demilitarized Zone (DMZ)
• A demilitarized zone is a subnet that contains and exposes an organization's public services to an external network
• DMZ: DNS, web server, VoIP server
• Internal network: workstations
Setup Firewalls in a network
• Screened host firewall (single-homed bastion)
[Figure: a packet filter (PF) faces the external network; behind it, the bastion host, the information server (web, DNS, ...) and the workstations share one subnet]
• Screened host firewall (dual-homed bastion host)
[Figure: as above, but the bastion host has two network interfaces between the PF and the workstations]
• Screened subnet firewall
[Figure: an outer PF faces the external network and an inner PF faces the internal network; the bastion host and the information server (web, DNS, ...) sit on the subnet between the two PFs]
Practical experiences on the firewall itself
• Stealth rule: drop any packet from outside to the firewall
• Insecure firewall management: drop packets to the firewall over insecure protocols (telnet, ftp, x11)
• Limited management machines: firewalls should be managed from a small number of machines
High-throughput firewall (1)
• Application Specific Integrated Circuit (ASIC)
• e.g., NetScreen 100 (100 Mbps firewall)

High-throughput firewall (2)
• Load balance
[Figure: an external router distributes traffic over Firewall 1, Firewall 2, ..., Firewall n, which all connect to an internal router]
Key points
• Types of firewall
• Pros and cons of the three types
• Rule set of PF (consistency, completeness, compactness, efficiency)
• Stateful PF
• Attacks on PF
• Bastion host
• DMZ
• Setup firewalls in a network