Lecture 4 Firewalls Iv3

The document outlines the fundamentals of perimeter security and firewalls, emphasizing their role in mitigating risks, segregating traffic, and enforcing security policies. It discusses various types of firewalls, including stateful and application inspection firewalls, and their deployment in different network topologies to create security zones. Additionally, it highlights the importance of monitoring traffic and maintaining connection states to enhance security against potential threats.

Uploaded by Shahrukh Ghaffar

Perimeter Security

Firewall Fundamentals
Types of Firewall Implementation
Perimeter Security
Why Firewalls?
• Mitigate Risks
– Mitigate threats to assets from known vulnerabilities
– Reduce services open to Internet
– Mitigate trust attacks
• Segregation/Privacy
– Segregate organisational traffic from Internet
– Hide organisations assets, systems/services from attackers
• Harder to perform reconnaissance
• Apply Organisation’s Security Policy
– Create choke points that traffic has to pass through – perimeter and internal – apply filtering
• Monitoring
– Logging traffic passing through for analysing attacks
• F/W term comes from buildings
– Walls funnel people to the gate
– Guard on the gate - decides who passes through
– Choke point – all traffic should pass here
• Network Firewalls
– Gateways between 2 networks
– Allow Good traffic to pass
– Reject Bad traffic
- Firewall built into most OS
- Routers with firewalling S/w running
- Proxy/Application Firewalls – firewalling specific applications
- Hardware firewalling
- Custom OS/Hardware
Q. Where is the perimeter f/w(s) implemented?
Trusted & Untrusted Network – Perimeter Between
• Firewall Deployed at trust boundary
• Perimeter between trusted/untrusted networks
• Bob inside his trusted network – private network connected to the Internet
• Under Bob's organisation's control
• Eve out on the Internet – the untrusted network
Segmentation of Internal Networks
• Using multiple layered firewalls, at the perimeters -
between more and less trusted networks
• More/Less trusted – risk to assets
• Different firewall filtering rules
• Internal hosts access to Internet – higher risk
• Started as trusted network - closed research community
• Morris worm – same time firewall invented
• Mid 1990s – commercialisation
• <1000 to >15 billion systems

[Diagram: two AT&T Stateful Firewalls]
Network Perimeters
• Perimeter could be the Webserver for HTTP traffic
• Depending on firewall capabilities
• Important to know where perimeters are for all traffic
• Traffic should be forced to cross perimeter through a
choke point
• Where security policy can be applied/logging done
• Reduce paths into Network!
• Fox in the Hen house

“Perimeter Firewall – like a crunchy shell round a soft chewy centre” -- Bill Cheswick
Network/Zone Trust Levels
• Firewalls can be deployed within various Topologies
• Based on Idea that Networks to be segregated - have different Trust Levels/Risk Levels
• Create different Security Zones
• Untrusted Internet highest Risk = lowest Trust Level
• Internal Network might browse Internet = higher risk than local server network
Firewall Deployment Topologies
Single Firewall
• Small Organisation/Home User
• No Services to provide
• Segregating internal networks
• 2 security zones
Single Firewall – Web Server
• Providing Services to external network
• Server Placed outside the trusted network
• Bastion Host – Server Hardened
• Provide Static Web pages
• No trust relationship with internal network
Single Firewall - DMZ
• Providing Services to external network
• Server Placed on DMZ network
• Firewall creates 3 Security Zones
• External/DMZ/Internal
Enterprise Firewall – Multiple DMZs
• Different Services provided to external network on different DMZs
• Firewall creates different Security Zones for different services
Single Firewall
Why Not?
• Single Point of Failure
– Defence in Depth – use layered security
– Use range of different defences/architectures/technologies
• Different Type of Firewall – stateful filtering
• Proxies – Content Filtering
• Intrusion Detection/Prevention Systems – Deep Packet Analysis
– Use different brands/vendors
• Vendor Firewalls have different functionality
• Vendor Firewalls may have specific vulnerabilities
• Different Perimeter Zones may allow different traffic
Dual Firewalls – Multiple DMZs
• Many Security Zones
• Layered protection using different rules for e-Commerce servers traffic between zones.
Firewall Traffic Flows
• Understand traffic flows through firewalls
• Based on security zones/firewall implementations
• Typically default is only Higher trust zone to lower allowed to initiate connection
• Stateful also allows return traffic
• Lower to higher trust zone not allowed to initiate connection – packets dropped
• Windows Firewall – lab problems – Ping from GNS3 Router to local host
• Allows ICMP out + return traffic
• Drops ICMP by default incoming
• Default Rules the same:
• Higher trust zone to lower allowed to initiate connection + allows return traffic
• Lower to higher trust zone not allowed to initiate connection
• Firewall Rules Out -> DMZ have been added to allow access to web server
http://www.ranum.com/index.html
• Basic Firewalls operate at the lower levels, 3 & 4
• Advanced Firewalls can filter at all the layers
• As firewalls evolved filtering on more layers
Packet Filtering
Stateless Packet Filtering
• Oldest/most basic filtering firewalls
– Easily deployed on existing routers – Cisco in lab
– Cheap
• Very fast
– Only examine lower network layer headers IP/TCP
– Can handle simplest filtering efficiently
• Each packet examined/filtered individually
– No concept of connection state
– Easy to bypass by attackers
• Attacker can spoof connected state by crafting packet
• Data Content of Packet not examined
• Can be used in front of more advanced firewalls
Firewalls are routers - de-capsulate packets + compare IP/TCP header values to rules
Q. What could IP Addresses be used to filter?
Q. What can we use Protocols/Ports to filter?
Packet Filtering Process
Stateless Packet Filtering
• Firewall de-capsulates each packet
– Reads fields of IP/TCP packet header field values
– Src/Dest IP Address
– Src/Dest TCP/UDP Port
• Compare values against filtering rules in the firewall
– Each rule checked against packet values
– If values match rule – rule determines what to do with packet
– Packet passed through firewall or dropped depending on rule action
• Each packet is filtered individually
– No idea of Conversation – or TCP Session
Packet Filtering Process
Alice’s Web browser sends web traffic (port 80) addressed to the Web server’s IP Address
Open or closed firewall?
Packet Filtering Problems
• Each packet is filtered individually
– No concept of ‘state’ or context of connection packet is part of
– Most traffic uses TCP Session/Conversation
– Have to open large range of ports for return traffic
– Can use TCP Flags – Check if ACK flag for established connection
– Easily Spoofed nmap -sA -p1-65000 IP_Address[range]
• Does not look into Payload
– Application layer attacks
• Cannot deal with complex protocols
– FTP uses fixed port number for command session
– FTP uses dynamic port numbers for data sessions
– Negotiated and passed in data payload of packet
– Would have to open up large range of ports – security hole
Policy allows Bob to browse the web
- Firewall Rule to allow traffic out ok
- Return rule - Only server port known in advance
Firewall Filtering Ruleset Ordering
• Firewall Rules
– Permit 192.168.10.0/24 HTTP outgoing to Internet
– Permit 192.168.20.0/24 HTTP outgoing to Internet
– Permit 192.168.30.0/24 HTTP outgoing to Internet
– Permit 192.168.40.1-30 HTTP outgoing to Internet
– Drop 192.168.20.1-10 outgoing to Internet
– Drop all other packets and log
[Diagram: host 192.168.20.4 on network 192.168.20.0/24]
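The slide's ruleset evaluated with first-match semantics, as an added example that is not part of the lecture: it shows that 192.168.20.4 is still permitted HTTP because the permit for 192.168.20.0/24 sits above the drop for 192.168.20.1-10, and that moving the drop to the top changes the outcome. Modelling only outgoing traffic, reading "HTTP" as destination port 80 and adding a final catch-all drop are the example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "drop"
    src_lo: int               # inclusive source address range, as integers
    src_hi: int
    dst_port: Optional[int]   # None means any destination port
    log: bool = False


def _net(cidr: str) -> Tuple[int, int]:
    n = ipaddress.ip_network(cidr)
    return int(n[0]), int(n[-1])


def _span(lo: str, hi: str) -> Tuple[int, int]:
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))


# The slide's rules, top to bottom (constructed model: outgoing HTTP = port 80).
SLIDE_RULES: List[Rule] = [
    Rule("permit", *_net("192.168.10.0/24"), 80),
    Rule("permit", *_net("192.168.20.0/24"), 80),
    Rule("permit", *_net("192.168.30.0/24"), 80),
    Rule("permit", *_span("192.168.40.1", "192.168.40.30"), 80),
    Rule("drop", *_span("192.168.20.1", "192.168.20.10"), None),
    Rule("drop", 0, 2**32 - 1, None, log=True),   # drop all other packets and log
]

# Same rules with the specific drop moved above the permits.
DROP_FIRST_RULES: List[Rule] = [SLIDE_RULES[4]] + SLIDE_RULES[:4] + [SLIDE_RULES[5]]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, int]:
    """First-match evaluation: return (action, index of the rule that decided)."""
    src = int(ipaddress.ip_address(src_ip))
    for idx, r in enumerate(rules):
        if r.src_lo <= src <= r.src_hi and r.dst_port in (None, dst_port):
            return r.action, idx
    raise ValueError("ruleset has no catch-all rule")


def unreachable_for_port(rules: List[Rule], dst_port: int) -> List[int]:
    """Indices of rules (catch-all excluded) that can never decide a packet to
    dst_port because an earlier rule always matches first, i.e. shadowed rules."""
    shadowed = []
    for idx, r in enumerate(rules[:-1]):
        if r.dst_port not in (None, dst_port):
            continue                              # rule is about another port
        addrs = (str(ipaddress.ip_address(a)) for a in range(r.src_lo, r.src_hi + 1))
        if all(evaluate(rules, a, dst_port)[1] < idx for a in addrs):
            shadowed.append(idx)
    return shadowed
```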
Packet Filtering Uses
• Fast basic filtering
• Help take load off more complex filtering firewalls/security devices

• Ingress Filtering
– Filter source IP = private addresses from Internet
• RFC 1918 filtering – block entire address space
– Filter source IP = internal addresses from Internet
• Mitigates spoofed traffic
– ICMP – some types
• Egress Filtering
– Filter source IP != internal addresses from inside network
– Or allow only organisation’s own addresses
– Mail from any addresses other than Mail servers, ICMP, IRC
• Bad Domain/Address Filtering
– Known problem address spaces/Addresses
– Block/suspicious address/domain name lists – SANS dshield.org
https://www.dshield.org/suspicious_domains.html
Stateful Firewalls
Stateful Packet Filtering
• Packet Filtering firewall using rules same as stateless, but additionally track connection state
• Checks packet in context of connection
– State of traffic flows tracked
• Maintains cache about current connections
– State Table used to record initiated connections (once they have been passed by firewall rules)
– State Table checked for return traffic matching stored connection
– Match allowed through
– No match – check packet against firewall rules
• Application Data Content of Packet still not examined
Alice’s return data traffic automatically allowed through firewall, without specific return rule
Stateful Filtering Process
Outgoing packet: SrcIP=AlicePC, DestIP=WebServer, SrcPort=1777, DestPort=80
TCP flags checked to check if part of a current connection
Alice’s packet has SYN flag set so NEW Connection
Match against firewall ruleset: SrcIP=AlicePC, DestIP=WebServer, SrcPort=1777, DestPort=80
State table entry – Connection: SrcIP=AlicePC, DestIP=WebServer, SrcPort=1777, DestPort=80, + State, SeqNos?
Return packet: SrcIP=WebServer, DestIP=AlicePC, SrcPort=80, DestPort=1777 – matches state table entry
Firewall Ruleset not consulted!
Crafted ACK Packet
Alice# nmap -sA -p1-65000 Bob_IPAddress
SrcIP=EvePC, DestIP=BobPC, SrcPort=80, DestPort=666 – no state table entry
Match against firewall ruleset and is dropped
Stateful Firewalls
Removing Connections from Cache
• Standard connection teardown handshake
– RST packet received
– FIN/ACK packets exchanged correctly
• Timeouts
– Typically configurable
– Balancing act between availability and removing valid sessions
– Seconds to days depending on Vendor/Firewall
– Various Timeouts: Connection setup timer/Idle connection timer
• UDP
– Connectionless – no state flags like TCP
– Firewall may use its own state flags – created/replied
– Timeout removes connection
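The stateful filtering walk-through (Alice's SYN, her return traffic, Eve's crafted ACK) together with the connection-removal slide above, as an added example that is not part of the lecture. The ruleset is simplified to (initiator IP, destination port) pairs, the first FIN or RST closes the entry, and the 300-second idle timer is a constructed value; real firewalls track the full FIN/ACK exchange and make the timers configurable.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str]         # TCP flags, e.g. frozenset({"SYN"})


class StatefulFirewall:
    """Constructed model: rules say which (initiator IP, dest port) may open a
    connection; the state table is keyed by the initiator's 4-tuple."""
    IDLE_TIMEOUT = 300.0          # seconds (assumed value; vendor-configurable)

    def __init__(self, rules: List[Tuple[str, int]]):
        self.rules = rules
        self.state: Dict[Key, float] = {}    # 4-tuple -> time last seen
        self.dropped: List[Packet] = []

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.dst_ip, p.src_ip, p.dst_port, p.src_port)

    def _expire(self, now: float) -> None:
        for k, last in list(self.state.items()):
            if now - last > self.IDLE_TIMEOUT:
                del self.state[k]             # idle connection timer fired

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        # 1. Packet of a recorded connection (either direction) passes without
        #    consulting the ruleset; teardown flags remove the entry.
        for k in (self._key(p), self._reverse(p)):
            if k in self.state:
                if p.flags & {"RST", "FIN"}:  # simplified: first FIN/RST closes
                    del self.state[k]
                else:
                    self.state[k] = now
                return "PASS (state table)"
        # 2. No state: only a SYN permitted by the ruleset creates a connection.
        #    A crafted ACK with no entry (the nmap -sA case) lands here and is dropped.
        if "SYN" in p.flags and (p.src_ip, p.dst_port) in self.rules:
            self.state[self._key(p)] = now
            return "PASS (ruleset, new connection)"
        self.dropped.append(p)
        return "DROP"
```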
Stateful Firewalls
Stateful Firewall Benefits
• Better protection can be provided than static return rules
• Pinhole created in firewall rather than large security hole
• Protect against crafted spoofed packets
• Shorter, less complex firewall rulesets
- Less complicated to understand/administer
- Difficult to understand/build/change firewall rulesets
- Interesting research area – ruleset validation/error correlation – Wool and other papers on Moodle

Stateful Limitations
• Similar to static packet filtering
- No evaluation of application layer data
- No payload evaluation - Attacks/Unwanted traffic could be hidden in Payload
- No service validation
- Assumes port 80 is HTTP traffic – could be other service or tunnelled traffic
• State table cache fills up - packets typically dropped
- Large traffic loads
- DoS attacks
• Some vendor firewalls only stateful for certain services (port numbers)
– Typically not ICMP – difficult to deal with – reply may come from intermediate device
Application Inspection Firewalls
Application Inspection
• Typically Stateful Packet Filtering firewall, but
additionally inspects the application payload
• Can analyse problematic protocols
– Multi channel connections
• Can Validate Application protocol
– Check commands
• Can Validate Application layer content
– Match attacks in payload
Application Inspection Firewalls
Application Inspection
• Deal with complex protocols
– FTP, VoIP protocols
• Multi channel protocol support
• FTP outgoing control session packet payload contains negotiated data channel port number (PORT command)
• Inspection Firewall can read this and allow traffic from the server to the data channel port number on the client system
– ICMP
• ICMP error packets returned from intermediate network devices, or which do not match outgoing packet
• ICMP Time exceeded/host unreachable packets
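How an inspection firewall reads the PORT command from the outgoing FTP control session and opens a pinhole for the server's data connection, as an added example that is not part of the lecture. The PORT syntax (h1,h2,h3,h4,p1,p2) and the server data port 20 are standard FTP; the FtpInspector class, the one-shot pinhole, and the check that the announced address is the client's own are the example's constructions.

```python
import re
from typing import Optional, Set, Tuple

# FTP active-mode PORT command: four address octets, then port = p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$",
    re.IGNORECASE,
)


def parse_port_command(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if the line is not one
    or any field is out of range."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class FtpInspector:
    """Constructed model of the inspection step for one client/server pair."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip, self.server_ip = client_ip, server_ip
        # Inbound 4-tuples (src_ip, src_port, dst_ip, dst_port) currently allowed.
        self.pinholes: Set[Tuple[str, int, str, int]] = set()

    def inspect_control(self, payload: bytes) -> str:
        parsed = parse_port_command(payload)
        if parsed is None:
            return "no pinhole"
        ip, port = parsed
        # Honour only a data address that is the client's own and a non-system port,
        # so the payload cannot open the firewall towards some other host.
        if ip != self.client_ip or port < 1024:
            return "rejected PORT"
        self.pinholes.add((self.server_ip, 20, self.client_ip, port))
        return f"pinhole {self.server_ip}:20 -> {self.client_ip}:{port}"

    def inbound_allowed(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Server-to-client data connection: pass only if a pinhole exists, then close it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)    # one data connection per PORT command
            return True
        return False
```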
Application Inspection Firewalls
Application Inspection
• Can validate protocol content/commands
– Check for valid commands for protocols
• SMTP commands only in sessions on TCP/25
– Enforce security policy
• Certain protocol commands not permitted
• Drop SMTP packets with VRFY command
• Typically pattern matching payload text
– Entire pattern may have to be in single packet
– Fragmented packets
– Signature based – can be bypassed by altering commands slightly – add a space, or encode characters
Application Inspection Firewalls
• Stateful packet filtering + inspection of Application payload
• More Secure than Standard Packet Filtering
– Validation of application protocols
– Some content filtering
• Fast
– Not as fast as Static Packet Filtering
– Faster than a Proxy
• Up to Gb range depending on vendor
• Can be used as main perimeter connection on large pipe to Internet
• Support many protocols
– More complex protocols which use payload to communicate
• Video/Audio/Multi channel protocols
Proxy Firewall
Proxy/Application Gateway
• Proxy acts as an intermediary between the networks
• Accepts connections to a service from one network and passes requests to a system on other network
• Maintains 2 connections
– User to Proxy
– Proxy to Destination Server
– Maintain connection state and sequencing table – 2 connections
– Hide Server details
– Proxy decapsulates packet layer by layer including payload
– Filter on any/all layers against firewall rules
– Drop or Rebuild packet and send
• Often a Proxy is dedicated to one service, but can be general purpose firewall controlling all traffic
• Most Powerful firewalling as can filter traffic based on all layers including the application payload
• Proxy decapsulates packet, layer by layer, on incoming interface
• Filter on any/all of the layers including payload – validate HTTP
• Build packet back up on outgoing interface
Check for valid HTTP cmds, and data content, and scan for attacks
Inbound Mail Proxy
• Proxy typically dedicated to single application
• Can help take load from main firewall
• Often non time sensitive protocols – SMTP, HTTP
• No direct connection to internal mail server
• SMTP protocol validation before gets to mail server
Proxy
• Best Security of all the firewall types
– Proxy can perform full application protocol validation/content filtering
– Checks contents of the applications data
– Decides what application commands are allowed
• e.g. FTP put command would not be passed through proxy
• example of a CLOSED SECURITY STANCE
– No problem with services running on non-standard ports
• Trade speed for security
– Managing 2 connections for every conversation takes lot of processing power
– Much slower than other firewalls
– Load balancing often needed
• Need proxy agent for every protocol to be proxied
– Difficult to manage
– New application, new proxy needed
• Harder to harden as open listening ports
– Vulnerability to direct attack – unlike other firewalls
• Typically not used as main perimeter firewall
– Used in parallel or behind main firewall
Proxy
Web Application Firewall (WAF)
• Specific Type of Proxy Firewall
• Mitigates attacks against Web Applications running on a Web
Server
• Monitors, filters or blocks the HTTP traffic to and from a Web application
• Validation of HTTP protocol
– e.g. drop HTTP POST commands
• Can mitigate XSS, SQL injection, session hijacking, and in some cases zero-day threats, as only valid HTTP allowed – closed security stance
• Commonly used for compliance – PCI-DSS
Common Proxy – Outbound Web Proxy
• Content filtering - Black/white list URL
filtering of Web traffic, web script filtering
• Cache Web pages
• User Authentication
Tiered Proxy Servers
• Web caching/user authentication
• Web content filtering/URL Black/White listing
Hybrid Firewalls
Hybrid/Unified Threat Management (UTM)
• Move from firewalling to all inclusive security devices
• Combine multiple defenses into one box
• Powerful devices possibly including Stateful Inspection Firewalling, Proxy Firewalling, Intrusion Prevention System (IPS), Antivirus filtering, Virtual Private Network (VPN) Termination
• Can be less complex to administer/manage
• Single point of failure
• If vulnerable to attack – single point of compromise