Harjinder Singh Lallie (September 12) 1
Firewalls and Network Defence
• Learn about traditional perimeter protection
• Understand the way in which firewalls are used to protect networks
• Understand the functions and limitations of the three different types of firewall (Packet Inspection, Stateful and Application/Proxy)
• Consider the use of security zones and topologies to implement network-based security
• Understand the concept of layered approaches to security
• Understand some of the considerations that need to be made in the purchase/deployment of a firewall
Assumptions:
• Students know about anti-virus software and how it is used on clients and servers
Let’s draw some analogies from physical (traditional) security systems
Where do you think the pass (are you in the right place?) is checked?
Do you think any ‘logging’ takes place anywhere?
Layered Security
• Consider the security of a bank
• A layered approach ensures that there is no single point of failure
• The topmost layer looks at ALL the traffic and could never interrogate each packet in intricate detail, as that would degrade performance
A layered approach ensures
Firewalls
What is a firewall?
“a network device—hardware, software, or a combination—whose purpose is to enforce a security policy across its connections”
• e.g. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only the necessary ports for e-mail open, with others blocked.
• Apply “principle of least access”
• Firewalls can make one of three decisions:
– Accept (allow packet through)
– Drop (discard the packet without informing the sender)
– Reject (inform the source that the packet is rejected)
Typical Firewall rules
If packet is from inside the network and TCP destination port = 80 or TCP destination port = 443, then allow connection
[pass all HTTP traffic to any web server]
If packet is from outside and TCP destination port = 25 and IP destination address = 60.47.3.35, then allow connection
[pass all SMTP traffic to a specific host (mail server)]
If packet is from outside and IP Protocol = 51 and IP destination address = 60.47.3.77, then allow connection
[pass all encrypted ESP (encapsulating security payload) traffic to the firm’s IPsec gateway]
Deny ALL
[deny all other externally initiated connections; this is the default behaviour]
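The four rules above, implemented as a first-match stateless packet filter that returns the Accept/Drop/Reject decision the earlier slide lists. This is an added example, not code from the lecture; it assumes the firm’s inside network is 10.0.0.0/8 (the slides never state it) and uses the 60.47.3.x addresses exactly as written. One caveat a practitioner should know: the slide writes the IPsec rule as IP protocol 51, but IANA assigns 51 to AH and 50 to ESP, so a real IPsec rule normally matches both (plus UDP 500/4500 for IKE); the code matches 51 as the slide does and notes the difference in a comment.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


class Decision(Enum):
    ACCEPT = "accept"   # allow the packet through
    DROP = "drop"       # discard without informing the sender
    REJECT = "reject"   # discard and tell the source it was rejected


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number: 6 = TCP, 17 = UDP, 50 = ESP, 51 = AH
    dport: Optional[int] = None  # transport destination port (TCP/UDP only)


# Assumption: the firm's inside network is 10.0.0.0/8 (not stated on the slides).
INSIDE = ip_network("10.0.0.0/8")


def from_inside(pkt: Packet) -> bool:
    return ip_address(pkt.src) in INSIDE


# Each rule is (description, predicate, decision); the first match wins.
Rule = Tuple[str, Callable[[Packet], bool], Decision]

RULES: List[Rule] = [
    ("pass all HTTP/HTTPS traffic from inside to any web server",
     lambda p: (from_inside(p) and p.proto == 6 and p.dport in (80, 443)),
     Decision.ACCEPT),
    ("pass SMTP from outside to the mail server only",
     lambda p: (not from_inside(p) and p.proto == 6 and p.dport == 25
                and p.dst == "60.47.3.35"),
     Decision.ACCEPT),
    # The slide says protocol 51. IANA assigns 51 to AH and 50 to ESP, so a real
    # IPsec rule usually matches both 50 and 51; this follows the slide as written.
    ("pass IPsec (protocol 51 as on the slide) to the IPsec gateway only",
     lambda p: (not from_inside(p) and p.proto == 51 and p.dst == "60.47.3.77"),
     Decision.ACCEPT),
]


def evaluate(pkt: Packet, default: Decision = Decision.DROP) -> Tuple[Decision, str]:
    """Stateless packet filter: return the first matching rule's decision and its
    description, or the default ("Deny ALL") when nothing matches. DROP is the
    usual default; REJECT answers the sender (TCP RST or ICMP unreachable) and so
    confirms to it that something is filtering."""
    for description, matches, decision in RULES:
        if matches(pkt):
            return decision, description
    return default, "deny all (default)"


if __name__ == "__main__":
    samples = [  # constructed packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
        Packet("10.1.2.3", "203.0.113.10", 6, 443),    # inside -> web server: accept
        Packet("198.51.100.7", "60.47.3.35", 6, 25),   # outside -> mail server: accept
        Packet("198.51.100.7", "60.47.3.77", 51),      # outside -> IPsec gateway: accept
        Packet("198.51.100.7", "60.47.3.35", 6, 22),   # SSH to the mail server: drop
        Packet("198.51.100.7", "60.47.3.36", 6, 25),   # SMTP to the wrong host: drop
    ]
    for p in samples:
        decision, why = evaluate(p)
        print(f"{p.src} -> {p.dst} proto {p.proto} port {p.dport}: {decision.value} ({why})")
```

Because the rules are purely per-packet, the filter has no way of knowing whether an inbound packet belongs to a connection anyone inside asked for; that is the limitation the next slides turn to.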
The Problem with Packet Filtering Firewalls
Stateful Firewalls
• Keeps track of the state of network connections (TCP/UDP) and distinguishes legitimate packets in the context of each connection; illegitimate packets are rejected
• Vista and Windows 7 use ‘TCP window scaling’ for non-HTTP-based connections; this is incompatible with some firewalls that use Stateful Packet Inspection (SPI), such as Checkpoint NG R55, Cisco PIX earlier than v6.3.1 and Netgear WGR614
• TCP connections operate in a ‘stateful’ manner wherein a connection opens by connecting to a particular port, and the port is then switched over to another port
Stateful Firewalls
• A packet can be part of two states – either a packet involved in a new connection (connection opening) or a packet that is part of an ongoing communication
SPI States
Stateful Packet Inspection (SPI)
Handling Existing Connections
Response from: 60.55.33.12:4400 To: 123.80.5.34:80
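A minimal stateful packet inspection engine for the two SPI states the slides describe (a packet opening a new connection, or a packet belonging to an existing one), shown handling the connection between the two addresses above. This is an added example, not the lecture’s code; it assumes 60.55.33.0/24 is the protected inside network and 123.80.5.34:80 an external web server, since the slide shows the addresses but not which side is which. The companion function stateless_reply_rule shows the problem with packet filtering firewalls: to let web replies back in, a stateless filter must accept any inbound packet with source port 80, which the connection table does not have to do.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Assumption: 60.55.33.0/24 is the inside network; 123.80.5.34 is an outside web server.
INSIDE_PREFIX = "60.55.33."


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


ConnKey = Tuple[str, int, str, int]   # (originator ip, port, responder ip, port)


class StatefulFilter:
    """Connection table keyed by the 4-tuple of the side that opened the
    connection. Only an outbound SYN may create an entry; every other packet
    must match an existing entry in either direction or it is dropped."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # key -> SYN_SENT | ESTABLISHED | CLOSING

    def inspect(self, p: TcpPacket) -> str:
        fwd: ConnKey = (p.src, p.sport, p.dst, p.dport)
        rev: ConnKey = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            key, from_originator = fwd, True
        elif rev in self.table:
            key, from_originator = rev, False
        else:
            # No state yet: the only packet allowed is a new connection from inside.
            if p.src.startswith(INSIDE_PREFIX) and p.flags == {"SYN"}:
                self.table[fwd] = "SYN_SENT"
                return "accept"
            return "drop"   # unsolicited: nobody inside asked for this

        state = self.table[key]
        if "RST" in p.flags:             # either side aborts: forget the connection
            del self.table[key]
            return "accept"
        if state == "SYN_SENT":
            if not from_originator and p.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "accept"
            if from_originator and p.flags == {"SYN"}:   # SYN retransmission
                return "accept"
            return "drop"                 # anything else is out of sequence
        if "FIN" in p.flags:
            if state == "CLOSING":        # second FIN: the connection is finished
                del self.table[key]
            else:
                self.table[key] = "CLOSING"
        return "accept"


def stateless_reply_rule(p: TcpPacket) -> bool:
    """What a stateless filter must do to let web replies in: allow any inbound
    TCP packet whose source port is 80. It cannot tell a genuine reply from an
    unsolicited packet that merely uses source port 80."""
    return p.dst.startswith(INSIDE_PREFIX) and p.sport == 80


if __name__ == "__main__":
    fw = StatefulFilter()
    client, server = ("60.55.33.12", 4400), ("123.80.5.34", 80)
    handshake = [   # constructed packets for the three-way handshake
        TcpPacket(*client, *server, frozenset({"SYN"})),
        TcpPacket(*server, *client, frozenset({"SYN", "ACK"})),
        TcpPacket(*client, *server, frozenset({"ACK"})),
    ]
    for pkt in handshake:
        print(sorted(pkt.flags), fw.inspect(pkt), fw.table.get((*client, *server)))
    # An inbound packet nobody requested: the stateless rule says yes, SPI says no.
    stray = TcpPacket("198.51.100.9", 80, "60.55.33.12", 4401, frozenset({"ACK"}))
    print("stray packet: stateless", stateless_reply_rule(stray), "/ stateful", fw.inspect(stray))
```

Real engines add timers so half-open and idle entries expire, which is exactly the resource the later slides on concurrent connections and connections per second are about.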
Security Topologies – Security Zones
• Similar in analogy to a castle: a castle has a moat, an outside wall, an inside wall, and even a keep
• The outermost layer in a network provides basic protection and the innermost layers provide the highest level of protection.
• Accessibility tends to be inversely related to level of protection
DMZ
• Typically contains devices accessible to Internet traffic (FTP, web, email servers)
– Forces the user to make at least one hop in the DMZ before accessing information inside the trusted network
• A firewall can be used on each side of the DMZ. The area between these firewalls is accessible from either the inner, secure, network or the Internet.
– Firewalls are specifically designed to prevent access across the DMZ directly, from the Internet to the inner, secure, network.
• Special attention should be paid to the security settings of network devices placed in the DMZ; they should always be assumed to be exposed to unauthorized use
• Certain servers should NOT be accessible from the outside – e.g. domain name servers, database servers, application servers, file servers, print servers etc.
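The DMZ rules above expressed as a zone policy for a three-legged firewall (one interface each for the Internet, the DMZ and the inner network), with an audit function that checks the policy against the slide’s design rules: no direct Internet-to-internal path, no internal-only service offered to the Internet, and anything the DMZ may initiate inwards flagged for review because a DMZ host is assumed exposed. This is an added example, not the lecture’s code; the interface names, the zone names and the example policy are constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Zone = str

# Assumption: which interface of a three-legged firewall faces which zone.
INTERFACE_ZONE: Dict[str, Zone] = {"eth0": "internet", "eth1": "dmz", "eth2": "internal"}

# Services the slide says must NOT be accessible from the outside.
INTERNAL_ONLY: FrozenSet[str] = frozenset({"dns", "database", "application", "file", "print"})

# (source zone, destination zone) -> services allowed; unlisted pairs are denied.
Policy = Dict[Tuple[Zone, Zone], Set[str]]

# Constructed example policy. There is deliberately no ("internet", "internal")
# entry, and the DMZ is allowed nothing back into the inner network.
POLICY: Policy = {
    ("internet", "dmz"): {"http", "https", "smtp", "ftp"},
    ("internal", "dmz"): {"http", "https", "smtp", "ftp", "ssh"},
    ("internal", "internet"): {"http", "https"},
    ("dmz", "internal"): set(),
}


def allowed(policy: Policy, in_if: str, out_if: str, service: str) -> bool:
    """Zone-based forwarding decision for traffic entering on in_if and leaving
    on out_if. Traffic that stays inside one zone does not cross the firewall."""
    src, dst = INTERFACE_ZONE[in_if], INTERFACE_ZONE[out_if]
    if src == dst:
        return True
    return service in policy.get((src, dst), set())


def audit(policy: Policy) -> List[str]:
    """Describe each way a policy breaks the slide's design rules:
    1. no direct Internet -> internal path (outside users make a hop in the DMZ);
    2. internal-only services are never offered to the Internet zone, wherever they sit;
    3. anything the DMZ may initiate into the inner network is flagged for review,
       because a DMZ host is assumed to be exposed to compromise."""
    findings: List[str] = []
    if policy.get(("internet", "internal")):
        findings.append("direct internet -> internal rule bypasses the DMZ")
    for (src, dst), services in policy.items():
        leaked = sorted(services & INTERNAL_ONLY)
        if src == "internet" and leaked:
            findings.append(f"internet may reach internal-only service(s) {leaked} in {dst}")
        if src == "dmz" and dst == "internal" and services:
            findings.append(f"review: DMZ may initiate {sorted(services)} into the inner network")
    return findings


if __name__ == "__main__":
    print("internet -> dmz http:", allowed(POLICY, "eth0", "eth1", "http"))
    print("internet -> internal http:", allowed(POLICY, "eth0", "eth2", "http"))
    print("dmz -> internal database:", allowed(POLICY, "eth1", "eth2", "database"))
    print("audit of the example policy:", audit(POLICY))
    # A misconfigured policy (constructed) to show what the audit catches.
    bad = dict(POLICY)
    bad[("internet", "internal")] = {"file"}
    bad[("internet", "dmz")] = POLICY[("internet", "dmz")] | {"dns"}
    for finding in audit(bad):
        print("finding:", finding)
```

The same matrix maps directly onto the dual-homed and three-legged layouts on the following slides: a dual-homed firewall has only two zones, so the DMZ hop has to be provided by a second firewall instead.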
A Dual Homed Firewall
Three legged firewall
A VPN attack with two firewalls (the layered approach)
An example of how a layered approach works
Diversity of Defence
• Having added a number of layers, if each of the layers is the ‘same’, then it achieves nothing, as penetrating one layer penetrates all of them
• E.g. two firewalls which filter for different types of traffic and provide different types of restriction.
– Firewall 1: no FTP, SNMP or Telnet
– Firewall 2: no SSL or SSH
• E.g. Use products from different vendors
– Checkpoint firewall is first line of defence (see above)
– Cisco PIX is second line of defence
Downside is the amount of extra training/administration time required to service this (upgrades, patches: KNOW THE IMPLICATIONS)
What this configuration achieves
• Separates the user from the request for data on a secure network
• This layered approach allows significant security levels to be enforced, as this filtering process can put controls in place.
Compliance
For a firewall to be deployed by a data centre that processes credit card numbers, it must comply with the PCI DSS requirements pertaining to the installation and maintenance of a firewall configuration to protect cardholder
Considerations to be made when deploying network defence equipment
• Data throughput – the size of data the firewall can handle ‘in theory’
• Concurrent connections
• Connections per second
Throughput vs concurrent connections
• Data throughput is rated in Gbps, e.g. 1 Gbps or 4 Gbps; however, the amount of data that can be ‘throughput’ is not the full story.
• During a distributed denial-of-service (DDoS) attack, it’s not just bulk throughput that matters; it’s how the device can handle concurrent connections and connections per second.
– A typical £32,000 conventional firewall may have a throughput of 10 Gbps; it can probably handle between 1 and 2 million concurrent connections
– The WikiLeaks attackers of 2010 generated more than 2 million concurrent connections using a single botnet
… vs Connections per second
• The “£32,000 firewall” can typically handle 50,000 to 100,000 new connections per second
• When a firewall performs stateful inspection, there is a performance penalty for each TCP session set up (the time it takes to process the packet, memory requirements etc.). This has an adverse effect on the number of new connections per second it can process – especially exaggerated when the attack is very widely distributed (‘very’ DDoS).
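A sizing check that puts the three ratings side by side, using the slide’s “£32,000 firewall” figures (10 Gbps, 2 million concurrent connections, 100,000 new connections per second, taking the upper end of each). This is an added example, not the lecture’s code. The load it evaluates is constructed: 50,000 new sessions per second that are never completed, each a single ~60-byte packet, with an assumed 60 s half-open timeout holding each table entry. Little’s law (entries in the table = arrival rate × time each entry stays) is the reasoning step the slide leaves implicit: such a load uses a negligible 0.024 Gbps and is within the connections-per-second rating, yet fills the state table in 40 seconds.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FirewallCapacity:
    throughput_gbps: float
    max_concurrent: int      # entries the connection (state) table can hold
    max_new_per_sec: int     # connection set-ups it can process per second


# The slide's "£32,000 firewall", taking the upper end of each figure it quotes.
SLIDE_FIREWALL = FirewallCapacity(throughput_gbps=10.0,
                                  max_concurrent=2_000_000,
                                  max_new_per_sec=100_000)


def steady_state_sessions(new_per_sec: float, avg_lifetime_s: float) -> float:
    """Little's law: the table settles at arrival rate x average time an entry
    stays in it (for a handshake that never completes, the half-open timeout)."""
    return new_per_sec * avg_lifetime_s


def offered_gbps(new_per_sec: float, avg_bytes_per_session: float) -> float:
    """Bandwidth the same load consumes, for comparison with the throughput rating."""
    return new_per_sec * avg_bytes_per_session * 8 / 1e9


def seconds_until_table_full(fw: FirewallCapacity, new_per_sec: float,
                             avg_lifetime_s: float) -> Optional[float]:
    """Time until the state table overflows, or None if entries expire fast enough
    that it never does. Before the first entry expires the table holds
    new_per_sec * t entries, so it fills at t = max_concurrent / new_per_sec
    whenever the steady-state count would exceed the table size."""
    if steady_state_sessions(new_per_sec, avg_lifetime_s) <= fw.max_concurrent:
        return None
    return fw.max_concurrent / new_per_sec


def limits_exceeded(fw: FirewallCapacity, new_per_sec: float, avg_lifetime_s: float,
                    avg_bytes_per_session: float) -> List[str]:
    """Which of the three ratings a given load breaks."""
    hit: List[str] = []
    if new_per_sec > fw.max_new_per_sec:
        hit.append("connections per second")
    if steady_state_sessions(new_per_sec, avg_lifetime_s) > fw.max_concurrent:
        hit.append("concurrent connections")
    if offered_gbps(new_per_sec, avg_bytes_per_session) > fw.throughput_gbps:
        hit.append("throughput")
    return hit


if __name__ == "__main__":
    # Constructed load: 50,000 new sessions per second that are never completed,
    # each a single ~60-byte packet, with an assumed 60 s half-open timeout.
    rate, timeout_s, bytes_each = 50_000, 60.0, 60
    print("offered bandwidth (Gbps):", offered_gbps(rate, bytes_each))
    print("steady-state table entries:", steady_state_sessions(rate, timeout_s))
    print("seconds until table is full:", seconds_until_table_full(SLIDE_FIREWALL, rate, timeout_s))
    print("limits exceeded:", limits_exceeded(SLIDE_FIREWALL, rate, timeout_s, bytes_each))
```

The practical reading for a purchaser: the timeout the vendor uses for half-open entries multiplies the new-connection rate into table occupancy, so the concurrent-connection rating and the timeout settings together decide how the device behaves under load, not the Gbps figure on the box.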