Week 13 - Firewalls

The document discusses the importance and functionality of firewalls in protecting local area networks (LANs) from external threats while ensuring controlled internet connectivity. It outlines various types of firewalls, including packet filtering, stateful inspection, application-level gateways, and circuit-level gateways, along with their characteristics, capabilities, and limitations. Additionally, it touches on the role of intrusion prevention systems and host-based security measures in enhancing network security.

Uploaded by abdullah zahid

Firewalls

modified from slides of Lawrie Brown


The Need For Firewalls
• Internet connectivity is essential
– however it creates a threat
• effective means of protecting LANs
• inserted between the premises network and
the Internet to establish a controlled link
– can be a single computer or a set of two or more
systems working together
• used as a perimeter defense
– single choke point to impose security and auditing
– insulates internal systems from external networks
Firewall Characteristics
• design goals:
– all traffic from inside to outside, and vice versa, must pass
through the firewall
– only authorized traffic, as defined by the local security
policy, will be allowed to pass
– the firewall itself is immune to penetration, i.e. it runs on a
hardened system with a secured operating system
Firewall Access Policy
• A critical component in the planning & implementation
of a firewall is specifying a suitable access policy
– This lists the types of traffic authorized to pass through the
firewall
– Includes address ranges, protocols, applications and content
types
Firewall Filter Characteristics
• Characteristics that a firewall access policy
could use to filter traffic include:
– IP address and protocol values
• this type of filtering is used by packet filter and stateful
inspection firewalls
• typically used to limit access to specific services
– Application protocol
• this type of filtering is used by an application-level gateway
that relays and monitors the exchange of information for
specific application protocols
– User identity
• typically for inside users who identify themselves using some
form of secure authentication technology
– Network activity
• controls access based on considerations such as the time of
request, rate of requests, or other activity patterns
Firewall Capabilities And Limits
• capabilities:
– defines a single choke point
– provides a location for monitoring security events
– convenient platform for several Internet functions that are not security
related
– can serve as the platform for IPSec
• limitations:
– cannot protect against attacks bypassing firewall
– may not protect fully against internal threats
– improperly secured wireless LAN can be accessed from outside the
organization
– laptop, PDA, or portable storage device may be infected outside the
corporate network then used internally
Types of Firewalls
Packet Filtering Firewall
• applies rules to each incoming and outgoing IP packet
– typically a list of rules based on matches in the TCP/IP header
– forwards or discards the packet based on rules match
Filtering rules are based on information contained in a network packet

• Source IP address
• Destination IP address
• Source and destination transport-level address
• IP protocol field
• Interface

• two default policies:


– discard - prohibit unless expressly permitted
• more conservative, controlled, visible to users
– forward - permit unless expressly prohibited
• easier to manage and use but less secure
Packet-filtering firewall/stateless firewall
• Routers that connect the internal
network to the external network.
• Packet-filtering firewalls examine only the
network-layer (IP) and transport-layer
(TCP/UDP) headers of each packet, never the
application payload.
Routers configured with an ACL are
packet-filtering firewalls.
• An ACL can be defined based on the
IP address, protocols, and packet
attributes (IP header).
• If a packet does not meet the
configured policies and rules, the
packet is discarded and the router
can log the event.
• Each packet is judged on its own: a
stateless filter keeps no record of
earlier packets or of which connections
are open.

Packet Filter Rules
Packet Filter: Advantages And Weaknesses
• advantages
– simplicity
– typically transparent to users and are very fast
• weaknesses
– cannot prevent attacks that employ application
specific vulnerabilities or functions
– limited logging functionality
– do not support advanced user authentication
– vulnerable to attacks on TCP/IP protocol bugs
– improper configuration can lead to breaches
Stateful Inspection Firewall
• tightens rules for TCP traffic by creating a directory of
outbound TCP connections
– there is an entry for each currently established connection
– packet filter allows incoming traffic to high numbered ports
• only for those packets that fit the profile of one of the entries

• reviews packet information but also records
information about TCP connections
– keeps track of TCP sequence numbers to prevent attacks that
depend on the sequence number
– inspects data for protocols like FTP, IM and SIPS commands
Stateful Firewall Connection State

Source Address   Source Port   Destination Address   Destination Port   Connection State
192.168.1.100    1030          210.9.88.29           80                 Established
192.168.1.102    1031          216.32.42.123         80                 Established
192.168.1.101    1033          173.66.32.122         25                 Established
192.168.1.106    1035          177.231.32.12         79                 Established
223.43.21.231    1990          192.168.1.6           80                 Established
219.22.123.32    2112          192.168.1.6           80                 Established
210.99.212.18    3321          192.168.1.6           80                 Established
24.102.32.23     1025          192.168.1.6           80                 Established
223.21.22.12     1046          192.168.1.6           80                 Established
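A connection table of the kind shown above, driven by a TCP handshake, as an added example that is not part of the original slides. The firewall creates an entry only on an outbound SYN (or an inbound SYN to a published service), lets the peer's SYN/ACK through only if it acknowledges the initiator's real initial sequence number, and forwards later segments only for connections in the table. The inside network 192.168.1.0/24, the published web server 192.168.1.6:80 and all traffic are constructed assumptions; teardown on FIN/RST is simplified.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE_PREFIX = "192.168.1."            # assumed internal network
PUBLISHED = {("192.168.1.6", 80)}       # assumed published web server, as in the table above

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]               # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack_num: int = 0


@dataclass
class Entry:
    state: str                          # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    initiated_from_inside: bool
    isn: int                            # initiator's initial sequence number


Key = Tuple[str, int, str, int]         # (inside ip, inside port, outside ip, outside port)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def key_of(s: Segment) -> Tuple[Key, bool]:
        """Normalise to (inside endpoint, outside endpoint); the bool says whether the segment is outbound."""
        if is_inside(s.src):
            return (s.src, s.sport, s.dst, s.dport), True
        return (s.dst, s.dport, s.src, s.sport), False

    def process(self, s: Segment) -> str:
        key, outbound = self.key_of(s)
        e = self.table.get(key)
        if e is None:
            # Only a bare SYN may create state, and only if policy allows the initiator
            if s.flags != SYN:
                return "drop"
            if outbound or (s.dst, s.dport) in PUBLISHED:
                self.table[key] = Entry("SYN_SENT", outbound, s.seq)
                return "forward"
            return "drop"
        if s.flags & {"RST", "FIN"}:
            del self.table[key]                     # simplified teardown
            return "forward"
        from_initiator = outbound == e.initiated_from_inside
        if e.state == "SYN_SENT" and not from_initiator and s.flags == SYN_ACK:
            if s.ack_num != (e.isn + 1) & 0xFFFFFFFF:
                return "drop"                       # does not acknowledge the real ISN
            e.state = "SYN_RECEIVED"
            return "forward"
        if e.state == "SYN_RECEIVED" and from_initiator and "ACK" in s.flags:
            e.state = "ESTABLISHED"
            return "forward"
        if e.state == "ESTABLISHED":
            return "forward"
        return "drop"

    def states(self) -> Dict[Key, str]:
        return {k: v.state for k, v in self.table.items()}


def demo() -> Dict[str, object]:
    """Constructed traffic: an outbound web fetch, a forged SYN/ACK, an unsolicited inbound SYN."""
    fw = StatefulFirewall()
    out: Dict[str, object] = {}
    out["syn"] = fw.process(Segment("192.168.1.100", 1030, "210.9.88.29", 80, SYN, seq=1000))
    out["bad_synack"] = fw.process(Segment("210.9.88.29", 80, "192.168.1.100", 1030, SYN_ACK, seq=5000, ack_num=4242))
    out["synack"] = fw.process(Segment("210.9.88.29", 80, "192.168.1.100", 1030, SYN_ACK, seq=5000, ack_num=1001))
    out["ack"] = fw.process(Segment("192.168.1.100", 1030, "210.9.88.29", 80, ACK, seq=1001, ack_num=5001))
    out["data_in"] = fw.process(Segment("210.9.88.29", 80, "192.168.1.100", 1030, ACK, seq=5001, ack_num=1001))
    # Unsolicited inbound traffic to a high-numbered port: no entry and not a published service
    out["unsolicited_syn"] = fw.process(Segment("203.0.113.9", 4444, "192.168.1.100", 1031, SYN, seq=1))
    out["unsolicited_ack"] = fw.process(Segment("203.0.113.9", 4444, "192.168.1.100", 1031, ACK))
    # Inbound SYN to the published web server is allowed to open state
    out["web_in"] = fw.process(Segment("223.43.21.231", 1990, "192.168.1.6", 80, SYN, seq=77))
    out["states"] = fw.states()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```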
Application-Level Gateway
• also called an application proxy
• acts as a relay of application-level traffic
– user contacts gateway using a TCP/IP application such as Telnet or FTP
– user is authenticated
– gateway contacts application on remote host and relays
TCP segments between server and user
• must have proxy code for each application
– may restrict application features supported
• tend to be more secure than packet filters
• disadvantage is the additional processing overhead
on each connection
Circuit-Level Gateway
• circuit level proxy
– sets up two TCP connections, one between itself and a TCP
user on an inner host and one on an outside host
– relays TCP segments from one connection to the other
without examining contents
– security function consists of determining which
connections will be allowed
• typically used when inside users are trusted
– may use application-level gateway inbound and
circuit-level gateway outbound
– lower overheads
SOCKS Circuit-Level Gateway
• SOCKS v5 defined in RFC 1928
• provides a framework for client-server applications to
conveniently and securely use the services of a network
firewall
• components:
– SOCKS server
– SOCKS client library
– SOCKS-ified client applications
• client application contacts SOCKS server, authenticates,
sends relay request
– server evaluates and either establishes or denies the
connection
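The SOCKS v5 exchange described above (greeting, method selection, CONNECT request, reply), encoded and parsed according to the message formats of RFC 1928, as an added example that is not part of the original slides. No sockets are opened; the server side only performs the circuit-level gateway's single security decision, whether the requested relay is allowed. The policy (`example_policy`: outbound web ports only, never back into 192.168.1.0/24) and the bound address returned on success are assumptions.

```python
import ipaddress
import struct
from typing import Callable, Iterable, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x01, 0x02, 0x07


def build_greeting(methods: Iterable[int]) -> bytes:
    """Client -> server: VER | NMETHODS | METHODS."""
    m = list(methods)
    return bytes([SOCKS_VERSION, len(m), *m])


def select_method(greeting: bytes, server_prefers: Iterable[int]) -> bytes:
    """Server -> client: VER | METHOD, the first server-preferred method the client offered."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for m in server_prefers:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


def encode_address(host: str) -> bytes:
    """ATYP | ADDR for an IPv4 address, IPv6 address or domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def build_request(cmd: int, host: str, port: int) -> bytes:
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([SOCKS_VERSION, cmd, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_request(data: bytes) -> Tuple[int, str, int]:
    """Server side: validate framing and return (cmd, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end = 8
    elif atyp == ATYP_IPV6:
        addr_end = 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain length")
        addr_end = 5 + data[4]
    else:
        raise ValueError("unsupported ATYP")
    if len(data) != addr_end + 2:
        raise ValueError("bad request length")
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        host = data[5:addr_end].decode("idna")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return cmd, host, port


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return bytes([SOCKS_VERSION, rep, 0x00]) + encode_address(bind_host) + struct.pack("!H", bind_port)


def evaluate_request(data: bytes, allowed: Callable[[str, int], bool], bind: Tuple[str, int]) -> bytes:
    """The gateway's security function: decide whether this relay may be established."""
    try:
        cmd, host, port = parse_request(data)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_NOT_SUPPORTED)
    if not allowed(host, port):
        return build_reply(REP_NOT_ALLOWED)
    return build_reply(REP_SUCCEEDED, *bind)


def example_policy(host: str, port: int) -> bool:
    """Assumed ruleset: outbound web only, and never a relay back into the inside network."""
    try:
        if ipaddress.ip_address(host) in ipaddress.ip_network("192.168.1.0/24"):
            return False
    except ValueError:
        pass    # a domain name: the gateway resolves it on the outside
    return port in (80, 443)
```

Note that a domain-name target is resolved by the gateway, so a name that resolves to an inside address would slip past the address check above; a production server must apply the ruleset after resolution as well.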
Bastion Hosts
• system identified as a critical strong point in the
network’s security
• serves as a platform for an application-level or
circuit-level gateway
• common characteristics:
– runs secure O/S, only essential services
– may require user authentication to access proxy or host
– each proxy can restrict features, hosts accessed
– each proxy is small, simple, checked for security
– each proxy is independent, non-privileged
– limited disk use, hence read-only code
Host-Based Firewalls
• used to secure an individual host
• available in operating systems
– or can be provided as an add-on package
• filter and restrict packet flows
• common location is a server
• advantages:
– filtering rules can be tailored to the host environment
– protection is provided independent of topology
– provides an additional layer of protection
Personal Firewall
• controls traffic between a personal computer or
workstation and the Internet or enterprise network
• typically is a software module
• can be housed in a router that connects all of the
home computers to Internet
– such as a DSL or cable modem
• typically much less complex than server-based or
stand-alone firewalls
• primary role is to deny unauthorized remote access
• may also monitor outgoing traffic to detect and block
worms and malware activity
Personal Firewall Interface (figure)

Firewall Configuration: double bastion inline (figure)

Distributed Firewall Configuration (figure)

Virtual Private Networks (VPNs) (figure)
Intrusion Prevention Systems (IPS)
• a.k.a. Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to
attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
– anomaly detection to identify behavior that is not that of
legitimate users, or
– signature/heuristic detection to identify known malicious
behavior
• can block traffic as a firewall does,
– but uses algorithms developed for IDSs to
determine when to do so
Host-Based IPS (HIPS)
• identifies attacks using both signature and
anomaly detection techniques
– signature: focus is on the specific content of
application payloads in packets, looking for
patterns that have been identified as malicious
– anomaly: IPS is looking for behavior patterns that
indicate malware
• can be tailored to the specific platform
• can also use a sandbox approach to monitor
behavior
Host-Based IPS (HIPS)
• Examples of addressed malicious behavior
– modification of system resources
– privilege-escalation
– buffer-overflow
– access to e-mail contact list
– directory traversal
• Advantages
– the various tools work closely together
– threat prevention is more comprehensive
– management is easier
HIPS
• A set of general purpose tools may be used for a desktop or
server system
• Some packages are designed to protect specific types of
servers, such as Web servers and database servers
– In this case the HIPS looks for particular application attacks
• Can use a sandbox approach
– Sandboxes are especially suited to mobile code such as
Java applets and scripting languages
• HIPS quarantines such code in an isolated system area then runs
the code and monitors its behavior
• Areas for which a HIPS typically offers desktop protection:
– system calls
– file system access
– system registry settings
– host input/output
The Role of HIPS
• Many industry observers see the enterprise endpoint, including desktop
and laptop systems, as now the main target for hackers and criminals
– Thus security vendors are focusing more on developing endpoint
security products
– Traditionally, endpoint security has been provided by a collection of
distinct products, such as antivirus, antispyware, antispam, and
personal firewalls
• Approach is an effort to provide an integrated, single-product suite of
functions
– Advantages of the integrated HIPS approach are that the various tools
work closely together, threat prevention is more comprehensive, and
management is easier
• A prudent approach is to use HIPS as one element in a defense-in-depth
strategy that involves network-level devices, such as either firewalls or
network-based IPSs
Network-Based IPS (NIPS)
• inline NIDS with the authority to discard packets and
tear down TCP connections
• uses signature and anomaly detection
• may provide flow data protection
– monitoring full application flow content
• can identify malicious packets using:
– pattern matching
– stateful matching
– protocol anomaly
– traffic anomaly
– statistical anomaly
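Three of the detection techniques listed above (pattern matching, protocol anomaly and traffic anomaly) combined into one inline decision per packet, as an added example that is not part of the original slides. The device passes or drops each packet and, after a traffic anomaly, blocks the offending source outright. The signature (a directory-traversal pattern), the HTTP request-line check, the SYN-rate threshold and all sample packets are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float            # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA"
    payload: bytes = b""


# Pattern matching: constructed signature for directory traversal in a request
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("http-directory-traversal", re.compile(rb"(?:\.\./){2,}")),
]

# Protocol anomaly: what an HTTP request line on port 80 must look like
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")


class Nips:
    def __init__(self, syn_limit: int = 20, window: float = 1.0) -> None:
        self.syn_limit, self.window = syn_limit, window
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: set = set()
        self.alerts: List[Tuple[str, str]] = []      # (reason, source)

    def inspect(self, p: Pkt) -> str:
        """Return "pass" or "drop" for one packet, updating detector state."""
        if p.src in self.blocked:
            return "drop"
        # Traffic anomaly: too many connection attempts from one source per window
        if "S" in p.flags and "A" not in p.flags:
            q = self.syn_times[p.src]
            q.append(p.t)
            while q and q[0] < p.t - self.window:
                q.popleft()
            if len(q) > self.syn_limit:
                self.blocked.add(p.src)
                self.alerts.append(("syn-rate-anomaly", p.src))
                return "drop"
        # Protocol anomaly: payload on port 80 that is not a well-formed HTTP request
        if p.dport == 80 and p.payload:
            first_line = p.payload.split(b"\r\n", 1)[0]
            if not HTTP_REQUEST_LINE.match(first_line):
                self.alerts.append(("http-protocol-anomaly", p.src))
                return "drop"
        # Pattern matching against known-malicious content
        for name, rx in SIGNATURES:
            if rx.search(p.payload):
                self.alerts.append((name, p.src))
                return "drop"
        return "pass"


def demo() -> Dict[str, object]:
    """Constructed traffic: a normal request, a traversal attempt, non-HTTP bytes on 80, a port scan."""
    n = Nips(syn_limit=20, window=1.0)
    r: Dict[str, object] = {}
    r["normal"] = n.inspect(Pkt(0.0, "203.0.113.5", "192.168.1.6", 80, "PA",
                                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    r["traversal"] = n.inspect(Pkt(0.1, "203.0.113.5", "192.168.1.6", 80, "PA",
                                   b"GET /../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    r["not_http"] = n.inspect(Pkt(0.2, "203.0.113.5", "192.168.1.6", 80, "PA", b"\x16\x03\x01\x00\x05junk"))
    # 25 SYNs to different ports within 0.25 s: the 21st trips the threshold, the rest hit the block
    verdicts = [n.inspect(Pkt(1.0 + i * 0.01, "198.51.100.9", "192.168.1.6", 1000 + i, "S")) for i in range(25)]
    r["scan_dropped"] = verdicts.count("drop")
    r["scan_later"] = n.inspect(Pkt(5.0, "198.51.100.9", "192.168.1.6", 80, "S"))
    r["alerts"] = list(n.alerts)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```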
Digital Immune System
• Comprehensive defense against malicious behavior
caused by malware
• Developed by IBM and refined by Symantec
• Motivation for this development includes the rising
threat of Internet-based malware, the increasing
speed of its propagation provided by the Internet,
and the need to acquire a global view of the situation
• Success depends on the ability of the malware
analysis system to detect new and innovative
malware strains
