Firewalls

Uploaded by Nour Radwan

References
1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.
Firewall as Network Access Control
• Access Control
• Authentication
• Authorization
• Single Sign On
• Firewall

Firewall
• Interface between networks
• Usually external (internet) and internal
• Allows traffic flow in both directions

Firewall
[Diagram: Internet - Firewall - Internal network]
– Interface between networks
• Usually external (internet) and internal
– Allows traffic flow in both directions
– Controls the traffic
Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
– First contact the secretary
– Secretary decides if meeting is reasonable
– Secretary filters out many requests
• You want to meet chair of CS department?
– Secretary does some filtering
• You want to meet President of US?
– Secretary does lots of filtering!
[1]
Security Strategies
• Least privilege
– Objects have the lowest privilege to perform assigned task
• Defense in depth
– Use multiple mechanisms
– Best if each is independent: minimal overlap
• Choke point
– Facilitates monitoring and control
[2]
Security Strategies - 2
• Weakest link
• Fail-safe
– If the firewall fails, it should fail safe: deny access to avoid intrusions
• Default deny
• Default permit
• Universal participation
– Everyone has to accept the rules
[2]
Security Strategies - 3
• Diversity of defense
– Inherent weaknesses: use multiple technologies to compensate for the inherent weakness of one technology
– Common heritage: if systems are configured by the same person, they may have the same weakness
• Simplicity
• Security through obscurity
[2]
Security Strategies - 4
• Configuration errors can be devastating
• Testing is not perfect
• Ongoing trial and error will identify weaknesses
• Enforcing a sound policy is critical
[2]
Types of Firewall
No Standard Terminology
• Packet Filtering (network layer)
– Simplest firewall
– Filter packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
– Does NOT read the packet payload
– Vulnerable to IP spoofing
• Stateful inspection (transport layer)
– In addition to packet inspection, validate attributes of multi-packet flows
– Keeps track of connection state (e.g. TCP streams, active connections, etc.)
[2]
Types of Firewall - 2
• Application Based Firewall (application layer)
– Allows data into/out of a process based on that process’ type
– Can act on a single computer or at the network layer
– e.g. allowing only HTTP traffic to a website
– Log access – attempted access and allowed access
• Personal firewall – single user, home network
[2]
Types of Firewall - 3
• Proxy
– Intermediate connection between servers on the internet and internal servers.
– For incoming data, the proxy is the server to internal network clients
– For outgoing data, the proxy is the client sending data out to the internet
– No IP packets pass through the firewall. The firewall creates new packets.
– Very secure
– Less efficient than packet filters
[2]
Types of Firewall - 4
• Network Address Translation
– Hides internal network from external network
– Private IP addresses – expands the IP address space
– Creates a choke point
• Virtual Private Network
– Employs encryption and integrity protection
– Use internet as part of a private network
– Make remote computer “act like” it is on local network
[2]
Packet Filter
• Advantages
– Simplest firewall architecture
– Works at the Network layer – applies to all systems
– One firewall for the entire network
• Disadvantages
– Can be compromised by many attacks
– Source spoofing
Packet Filter - Example
[Rule table and sample packets not reproduced in this extraction]
[2]

Packet Filter - Example
[Rule table and sample packets not reproduced in this extraction]
[2]

Packet Filter - Example
• Attack succeeds because of rules B and D
• More secure to add source ports to the rules

Packet Filter - Example
[Rule table not reproduced in this extraction]
[2]

Packet Filter - Example
• These packets would be admitted. To avoid this, add the ACK bit to the rule set
[2]

Packet Filter - Example
• Attack fails, because the ACK bit is not set. The ACK bit is set if the connection originated from inside.
• Incoming TCP packets must have the ACK bit set. If the connection started outside, there is no matching data, and the packet will be rejected.
• Note: This rule means we allow no services other than requests that we originate.
TCP Ack for Port Scanning
• Attacker sends packet with ACK set (without prior handshake) using port p
– Violation of TCP/IP protocol
• Packet filter firewall passes packet
– Firewall considers it part of an ongoing connection
• Receiver sends RST
– Indicates to the sender that the connection should be terminated
• Receiving RST indicates that port p is open!!
[1]
TCP Ack Port Scan
• RST confirms that port 1209 is open
• Problem: packet filtering is stateless; the firewall should track the entire connection exchange
[1]
Stateful Packet Filter
• Remembers packets in the TCP connections (and flag bits)
• Adds state info to the packet filter firewalls.
• Operates at the transport layer.
• Pro: Adds state to packet filter and keeps track of ongoing connection
• Con: Slower, more overhead. Packet content info not used
[Figure: layer stack application / transport / network / link / physical, with the stateful filter placed at the transport layer]
[1]
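To make the stateless-versus-stateful distinction concrete, here is an added Python model of the two filters; it is not code from the slides or from the referenced book. It assumes a constructed internal network 10.0.0.0/8, constructed addresses, and the port 1209 the slide names. The stateless filter implements the "incoming TCP must have the ACK bit set" rule from the Packet Filter - Example slides, so an unsolicited ACK probe passes and the internal host's RST would reveal whether the port is open. The stateful filter keeps a table of connections opened from inside and admits an inbound packet only when it belongs to one, so the same probe is dropped regardless of its flag bits and no RST is ever generated.

```python
"""Toy stateless and stateful packet filters (added example, not the slides' code).
Addresses, the internal range and the probe are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """The slides' stateless rule set: outbound traffic allowed, inbound TCP allowed
    only when ACK is set, everything else denied. It never consults earlier
    packets, so it cannot tell a real reply from an unsolicited ACK probe."""
    if is_inside(pkt.src):
        return "ACCEPT"
    if is_inside(pkt.dst) and "ACK" in pkt.flags:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Keeps the 'state info' the slide adds: a table of connections opened from
    inside, keyed by (inside addr, inside port, outside addr, outside port)."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:  # a new outbound connection opens an entry
                self.connections.add(key)
            elif "RST" in pkt.flags:  # teardown is simplified to RST only
                self.connections.discard(key)
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse direction
        if key in self.connections:
            if "RST" in pkt.flags:
                self.connections.discard(key)
            return "ACCEPT"
        return "DROP"  # unsolicited, whatever flag bits it carries


def demo() -> dict:
    """One ACK-scan probe and one legitimate connection through both filters."""
    probe = Packet("203.0.113.9", "10.1.1.5", 40000, 1209, frozenset({"ACK"}))
    syn = Packet("10.1.1.5", "198.51.100.7", 51000, 80, frozenset({"SYN"}))
    syn_ack = Packet("198.51.100.7", "10.1.1.5", 80, 51000, frozenset({"SYN", "ACK"}))
    fw = StatefulFilter()
    return {
        "stateless_probe": stateless_filter(probe),  # ACK bit satisfies the rule
        "stateful_probe": fw.filter(probe),  # no connection matches: dropped
        "stateful_handshake": (fw.filter(syn), fw.filter(syn_ack)),  # reply admitted
        "stateful_probe_after": fw.filter(probe),  # still unrelated to any entry
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The key is the reversed 4-tuple lookup: a reply is admitted only because an outbound SYN created the matching entry, which is what "keeps track of ongoing connection" means in practice, and why the stateful filter pays for a connection table and lookup on every packet.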
Application Proxy
• A proxy acts on behalf of the system being protected.
• Application proxy examines incoming app data and verifies that the data is safe before passing it to the system.
• Pros
– Complete view of the connections and app data
– Filter bad data (viruses, Word macros)
– Incoming packet is terminated and a new packet is sent to the internal network
• Con
– Speed
[1]
Firewalk – Port Scanning
• Scan ports through firewalls
• Requires knowledge of
– IP address of firewall
– IP address of one system in internal network
– Number of hops to the firewall
• Set TTL (time to live) = hops to firewall + 1
• Set destination port to be p
– If firewall does not pass data for port p, then no response
– If data passes through firewall on port p, then time exceeded error message
[1]
Let's try it: Applications->Utilities->Network Utility
Firewalk and Proxy Firewall
[Diagram: Trudy - Router - Router - Router - Packet filter; probes "Dest port 12343, TTL=4", "Dest port 12344, TTL=4", "Dest port 12345, TTL=4"; a "Time exceeded" reply is shown]
• Attack would be stopped by proxy firewall
– Incoming packet destroyed (old TTL value also destroyed)
– New outgoing packet will not exceed TTL.
[1]
Firewalls and Defense in Depth
• Example security architecture
[Diagram: Internet - Packet Filter - DMZ (FTP server, WWW server, DNS server) - Application Proxy - Intranet with Personal Firewalls]
[1]
Research: Firewall Policy Verification
• Firewall design: consistency, completeness, and compactness
– Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Proceedings of the 24th International Conference on Distributed Computing Systems, pp. 320-327, 2004
• Lesson: Practical firewalls have complex rulesets. They are hard to get right. Research is in place to help validate the configuration for errors
• Let's see some simple ones
Let's do some examples
iptables is a common tool to build firewalls

Well supported in Linux:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-A: append to list of rules
-p: match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if rule matches, ACCEPT the packet.

1st matching rule wins... order matters!

Final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.
iptables - chains
• INPUT – anything with a destination of the firewall box
• OUTPUT – anything with a source of the firewall box
• FORWARD – anything going through the firewall box (neither source nor dest is the firewall box)

• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
• # This allows SSH TO THE FIREWALL BOX!
iptables – matching rules
Jump targets – what to do upon match?
-j ACCEPT – allow it
-j REJECT – send a rejection message
-j DROP – drop it, don't send any message
-j logaccept, logdrop, logreject
(there are others)

Protocol matching rules
-p tcp, udp, icmp, all (0 means all)

Port matching rules
--dport destination port
--sport source port
iptables – more rules
Physical device interface:
-i vlan0 # Packets coming in on that physical interface
-o eth1 # packets going out on that physical interface
-i only valid for INPUT, FORWARD chain
-o only valid for OUTPUT, FORWARD chain
(Note: Specific interface differs by hardware)

Time-based Limiting
-m limit --limit 5/minute (rule matches a maximum of 5 times per minute; the unit can also be second, hour or day)

Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables - examples
• Let's stop all http access

• Let's stop ping

• Let's allow www.gmu.edu through (but only GMU!)
• --destination www.gmu.edu

• Let's allow only my IP to get to HTTP
• --source 192.168.3.10
iptables – more rules
State matching:
-m state --state ESTABLISHED,RELATED

NEW - A packet which creates a new connection.
ESTABLISHED - A packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).
RELATED - A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted) a packet establishing an ftp data connection.
INVALID - A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.
iptables – more rules
TCP bit matching:

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

--tcp-flags <string 1> <string 2>
string 1 = the set of bits to look at
string 2 = the subset of string 1 which should be ones

The above command says look at all the bits ('ALL' is synonymous with 'SYN,ACK,FIN,RST,URG,PSH') and verify that only the SYN and ACK bits are set.
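As an added example (not from the slides, and not iptables itself), the following Python interpreter loads rule lines written in the syntax the iptables slides use and evaluates constructed packets against the INPUT chain with first-match-wins semantics and the chain policy as the fall-through. It models only the options those slides show (-P, -A, -p, -s/-d, --sport/--dport, -m state --state, --tcp-flags, -j); the rule set and addresses are constructed, and each packet's conntrack state is supplied by hand because the model keeps no connection table. It exercises three points from the slides: order matters (swapping the two HTTP rules makes the DROP shadow the per-IP ACCEPT), --tcp-flags ALL SYN,ACK matches only packets with exactly SYN and ACK set, and a default-deny policy catches whatever no rule names.

```python
"""Toy iptables interpreter (added example; not iptables, not the slides' code).
Models -P, -A, -p, -s/-d, --sport/--dport, -m state --state, --tcp-flags and -j
with first match wins and the chain policy as the fall-through."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

ALL_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}  # what 'ALL' expands to


def flagset(spec: str) -> Set[str]:
    """Expand a --tcp-flags operand such as 'ALL', 'NONE' or 'SYN,ACK'."""
    if spec == "ALL":
        return set(ALL_TCP_FLAGS)
    return set() if spec == "NONE" else set(spec.split(","))


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)
    state: str = "NEW"  # conntrack state, supplied by hand: NEW/ESTABLISHED/RELATED/INVALID


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    mask: Optional[Set[str]] = None  # --tcp-flags <string 1>: bits to look at
    comp: Optional[Set[str]] = None  # --tcp-flags <string 2>: bits that must be set

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto in (None, "all") or self.proto == p.proto,
            self.src is None or self.src == p.src,
            self.dst is None or self.dst == p.dst,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.states is None or p.state in self.states,
            self.mask is None or (p.flags & self.mask) == self.comp,
        ])


class Chains:
    def __init__(self, lines: List[str]) -> None:
        self.policy = {c: "ACCEPT" for c in ("INPUT", "OUTPUT", "FORWARD")}
        self.rules: dict = {c: [] for c in ("INPUT", "OUTPUT", "FORWARD")}
        for line in lines:
            self.load(line)

    def load(self, line: str) -> None:
        argv = shlex.split(line)
        argv = argv[1:] if argv[0] == "iptables" else argv
        if argv[0] == "-P":  # chain policy: the verdict when no rule matches
            self.policy[argv[1]] = argv[2]
            return
        assert argv[0] == "-A", "only -A and -P are modelled: " + line
        rule, i = Rule(chain=argv[1]), 2
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1]
            i += 2
            if opt in ("-p", "--protocol"):
                rule.proto = arg
            elif opt in ("-s", "--source"):
                rule.src = arg
            elif opt in ("-d", "--destination"):
                rule.dst = arg
            elif opt == "--sport":
                rule.sport = int(arg)
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "--tcp-flags":  # takes two operands: mask, then required bits
                rule.mask, rule.comp = flagset(arg), flagset(argv[i])
                i += 1
            elif opt == "--state":
                rule.states = set(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            elif opt != "-m":  # -m names the extension (state, limit, ...); its options follow
                raise ValueError("option not modelled: " + opt)
        self.rules[rule.chain].append(rule)

    def verdict(self, chain: str, p: Packet) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules[chain]:
            if rule.matches(p):
                return rule.target
        return self.policy[chain]


RULESET = [  # constructed rule set, in load order
    "iptables -P INPUT DROP",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp --source 192.168.3.10 --dport 80 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j DROP",
    "iptables -A INPUT -p icmp -j DROP",
]


def demo() -> dict:
    fw = Chains(RULESET)
    swapped = Chains(RULESET[:4] + [RULESET[5], RULESET[4], RULESET[6]])  # HTTP DROP before ACCEPT

    def me(port: int, *flags: str) -> Packet:
        return Packet("tcp", "192.168.3.10", "10.0.0.1", 40000, port, set(flags))

    return {
        "http_from_my_ip": fw.verdict("INPUT", me(80, "SYN")),
        "http_from_other": fw.verdict("INPUT", Packet("tcp", "192.168.3.11", "10.0.0.1", 40000, 80, {"SYN"})),
        "http_my_ip_wrong_order": swapped.verdict("INPUT", me(80, "SYN")),
        "synack_only": fw.verdict("INPUT", me(80, "SYN", "ACK")),
        "synack_plus_psh": fw.verdict("INPUT", me(80, "SYN", "ACK", "PSH")),
        "reply_to_our_request": fw.verdict("INPUT", Packet("tcp", "198.51.100.7", "10.0.0.1", 443, 40001, {"ACK"}, "ESTABLISHED")),
        "ping": fw.verdict("INPUT", Packet("icmp", "192.168.3.11", "10.0.0.1")),
        "unknown_udp": fw.verdict("INPUT", Packet("udp", "192.168.3.11", "10.0.0.1", 5353, 5353)),
    }
```

Note that the `ESTABLISHED,RELATED` rule sits first on purpose: replies to connections the firewall box itself opened are accepted before any of the per-port rules are consulted, which is the usual shape of a default-deny INPUT chain. The `--tcp-flags` check is `(flags & mask) == comp`, so a packet carrying SYN, ACK and PSH is not "only SYN and ACK" and falls through to the later rules.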
iptables - Tunneling
• In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.

• We really use SSH tunnels:
• ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost

• However, if everyone needed to use it we could use a firewall based tunnel:
• iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22

Would a GUI help?
Lessons
• There are many firewall types
• Each provides a different level of security versus performance
• Multiple firewalls can be used to segment networks into security zones
• iptables is a powerful example of how to create/manage firewalls