1.

Firewalls
Firewalls

Internet connection is a business requirement for almost all
organizations

A computer connected directly to the Internet is a potential
target for attackers

Any computer dysfunction costs money (directly or indirectly)

Protection mechanisms for defending internal networks
against external attacks are required

2
Firewall’s role

A physical manifestation of the network security policy

Check point and traffic monitoring, between two networks

A mechanism for controlling access to internal network
resources/services

Similar to a “protection wall”

3
Firewall’s role (cont.)

Who ? When ?
What ? How ?

PC
INTERNET

Private Network
Firewall
4
Firewall requirements
1. All traffic from inside to outside and vice-versa must pass
through the firewall

uncontrolled network access points (backdoors) must not exist
2. Only authorized network traffic, set by the security policy,
may pass through the firewall

strict access rules
3. The firewall itself must be immune to attacks. This assumes
using a trust system which was previously configured for
security (hardening)

dedicated machines that do not run other services

5
Terminology

Packet – data unit created by a network protocol for transporting
data and control information. In the TCP/IP stack context it is also
called datagram.

DMZ (DeMilitarized Zone) – a network segment between outside
(unprotected network, Internet) and the internal network (protected),
having the role of relaying the information exchange. It is the
network in which, usually, the public services and application
gateways are located

Protected and unprotected networks
– Protected networks are located behind a firewall, being protected by its
policies
– Unprotected networks, like Internet, sit in front of a firewall and are not
protected by its policies

Traffic directions
– Inbound = to the interior of the firewall protected zone
– Outbound = to the exterior of the firewall protected zone

6
Terminology (cont.)

Inbound vs Outbound
– Inbound = to the interior of the firewall protected zone

Internal External
Network FW
Network

– Outbound = to the exterior of the firewall protected zone

7
Firewall example

Internal
Network
FW R Internet

Protected DMZ Unprotected

8
Firewall example (cont.)

C
Policy 1 o
Serv1 FW r N
SW FW R
Policy 2
p e
o t
Serv2 FW r w
Policy 3
a o
Serv3 FW t r
Serv4 e k

9
Access control parameters

Policy (firewall rules) examples:

At the Data Link Layer
– Drop all packets from MAC address 00-1c-bf-01-02-03
– Don't ask for authentication if the MAC address is 00-1c-2b-aa-bb-cc

At the Network Layer
– Deny all traffic, except outbound packets coming from 10.10.10.0/24 network
– Allow only ESP (IPSec) traffic
– Deny all traffic, except traffic from 172.16.30.0/24 network to 192.168.10.0/24 network

10
Parametri de control al accesului (cont.)

Policy (firewall rules) examples:

At the Transport Layer
– Allow web traffic from everywhere (including Internet), as long as the destination address
is 192.168.0.10
– Allow FTP traffic from everywhere to 192.168.0.11

At the Application Layer
– Deny all "peer-to-peer" traffic
– Do not allow HTTP traffic that has the "POST" subcommand in it's header
– Do not allow the "DEBUG" option in SMTP commands (e-mail)

11
Firewall types
1. Packet filtering firewall
2. Stateful inspection firewall
3. Proxy firewall
4. Personal firewall

12
Packet filtering firewall

Allows or denies packets based on the source/destination IP
address or port number
– filtering rules (ACL - Access Control List)

Packet inspection is done in both directions (inbound and
outbound traffic)

Packet payload is not inspected

It doesn't store state information; packets are treated
individually, disregarding the context

Function supported by almost all routers

Advantages
– simple, fast, transparent for end users

Disadvantages
– it can't block all types of traffic
– inefficient against some types of attacks (e.g. IP address spoofing)
13
Packet filtering firewall (cont.)

Stateless packet filter – two access control lists are necessary:

1. Allow HTTP traffic from de la 10.0.0.0/24 to www.yahoo.com
2. Allow HTTP traffic from www.yahoo.com to 10.0.0.0/24

14
Stateful inspection firewall

Uses also packet filtering

Inspects packets and stores state information for each
connection
– once a packet is identified as being part of an established connection,
it's processing can be optimized (take a shorter path)
– state information stored by the firewall is different from vendor to
vendor

The most popular type of firewall

Great performance

15
Stateful inspection firewall (cont.)

One access control list is enough:

1. Allow HTTP traffic from 10.0.0.0/24 to www.yahoo.com

16
Proxy firewall

Application Level Gateway – protocol level control

All requests and responses pass through the proxy server where they are
validated

There are two separate connections: client-proxy, proxy-server

Each service needs a separate proxy
– not all services support proxy servers

Circuit Level Gateway is the most simple implementation of a proxy
– relay between two TCP connections
– security is assured by limiting the number of allowed connections
– once the connections are created, traffic flows without content checking
– the most known implementation is SOCKS 5

17
Personal firewall

Simplified version of a network firewall used by workstations

Denies inbound connections if they were not explicitly allowed

Inspects inbound/outbound traffic and protects workstations
against attacks

Personal firewall examples:
– Windows XP Firewall (SP2)
– ZoneAlarm (www.zonelabs.com)
– Norton Personal Firewall (www.symantec.com)
– Comodo Firewall (www.comodo.com)

18
Firewall implementation

Specialized, secured operating system

Different levels of performance/price

Easy to install and maintain

Runs on general purpose systems

Medium performance level

High level of performance

Integrates with the existent network infrastructure

Protection of existing investment

Dedicated to WAN/Internet connections

Affects router's packet forwarding performance

19
Key characteristics for a firewall

Performance
– processing speed (bps, pps, cps)
– scalability
– ASIC vs NP vs CPU (general purpose)

Availability
– active-pasive
– active-active

Content filtering
– ActiveX and Java applets
– URL filtering

VPN
– Site-to-Site
– Remote Access
– SSL VPN (WebVPN or Client-less VPN)

Integration with existing infrastructure
– AAA (Authentication, Authorization, Accounting) services
– PKI (Public Key Infrastructure) services
– Logging services

20
Firewall limitations

Does not offer protection against internal attacks
– 70 % of the attacks are from inside!

Does not offer protection against viruses sent by e-mail or Web
– SMTP and HTTP traffic is always permitted by firewall!

Complex systems
– configuring and maintaining a firewall is not simple task!

21
Firewall products

Cisco ASA

Check Point FireWall-1

Juniper NetScreen

Palo Alto Networks PA/VM

Fortinet FortiGate

McAfee Firewall Enterprise

Stonesoft NGFW

Linux netfilter/iptables

22
Gartner Magic Quadrant for Enterprise Network Firewalls, 2010

23
24