Firewalls

Chapter 5

Revised March 2004

Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall

Figure 5-1: Border Firewall

Figure placeholder (recovered from the slide labels):

1. The Internet (not trusted) and the internal corporate network (trusted)
2. The Internet border firewall sits between the two networks
3. An attacker on the Internet sends an attack packet
4. The firewall drops the attack packet (ingress filtering) and writes an entry to its log file
5. A legitimate user's packet is passed (ingress filtering)
6. An attack packet that got through the firewall reaches a hardened client PC or a hardened server; hardened hosts provide defense in depth
7. Outgoing packets are filtered as well (egress filtering): they are passed, or dropped and logged

Figure 5-2: Types of Firewall Inspection

- Packet Inspection
  - Examines IP, TCP, UDP, and ICMP headers
  - Static packet inspection (described later)
  - Stateful inspection (described later)
- Application Inspection
  - Examines application layer messages
- Network Address Translation (NAT)
  - Hides internal IP addresses and port numbers
- Denial-of-Service (DoS) Inspection
  - Detects and stops DoS attacks
- Authentication
  - Requires senders to authenticate themselves
- Virtual Private Network (VPN) Handling
  - VPNs are protected packet streams (see Chapter 8)
  - Packets are encrypted for confidentiality, so a firewall that does not terminate the VPN cannot inspect their contents
  - VPNs therefore typically bypass firewall inspection, making border security weaker unless the VPN terminates at or before the firewall
- Hybrid Firewalls
  - Most firewalls offer more than one type of filtering
  - However, firewalls normally do not do antivirus filtering
  - Some firewalls pass packets to antivirus filtering servers

Firewalls (chapter outline)

- Firewall Hardware and Software
  - Screening router firewalls
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software

- Screening Router Firewalls
  - Add firewall software to a router
  - Usually provide light filtering only
  - Expensive for the processing power; usually the router hardware must be upgraded too
  - Screen out the incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
  - Good location for egress filtering: can eliminate scanning responses, even those sent by the router itself
- Computer-Based Firewalls
  - Add firewall software to a server with an existing operating system (Windows or UNIX)
  - Can be purchased with enough processing power to handle any load
  - Easy to use because administrators already know the operating system
  - The firewall vendor might bundle the firewall software with hardened hardware and operating system software
  - General-purpose operating systems result in slower processing
  - Security: attackers may be able to hack the operating system and then
    - Change filtering rules to allow attack packets in
    - Change filtering rules to drop legitimate packets
- Firewall Appliances
  - Boxes with minimal operating systems
  - Therefore a smaller attack surface, and harder to hack
  - Setup is minimal
  - Not customized to the specific firm's situation
  - Must still be updated (patched) regularly
- Host Firewalls
  - Installed on the hosts themselves (servers and sometimes clients)
  - Enhanced security because of host-specific knowledge
    - For example, filter out everything but webserver traffic on a webserver
  - Defense in depth
    - Normally used in conjunction with other firewalls
    - Although on a single host computer attached to the Internet, the host firewall might be the only firewall
  - The firm must manage many host firewalls
    - If not centrally managed, configuration can be a nightmare
    - Especially if rule sets change frequently
  - Client firewalls typically must be configured by ordinary users
    - Users might misconfigure or reject the firewall
    - Need to centrally manage remote employee computers

Perspective

- Computer-Based Firewall: a firewall based on a computer with a full operating system
- Host Firewall: a firewall on a host (client or server)

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering

Figure placeholder: performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of the rules, etc.).

If a firewall cannot inspect packets fast enough, it will drop the unchecked packets rather than pass them (it fails closed).

Firewalls (inspection methods)

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
  - IPSs
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-5: Static Packet Filter Firewall

Figure placeholder: packets arrive from the Internet at the static packet filter firewall, which sits in front of the corporate network. Each packet is an IP header followed by a TCP header, a UDP header, or an ICMP header (an ICMP message), and for TCP and UDP an application message. Only the IP, TCP, UDP, and ICMP headers are examined; the verdict is Permit (Pass) or Deny (Drop), and dropped packets are recorded in a log file.

Arriving packets are examined one at a time, in isolation. This misses many attacks (see Figure 5-10).

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

Rules are evaluated in order; the first matching rule decides.

1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.47.*.*, DENY [firm's internal address range; a packet arriving from outside with an inside source address is spoofed]
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet; the two flags never legitimately appear together]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh, launches a shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
18. DENY ALL

Notes:
- DENY ALL is the last rule; it drops any packet not specifically permitted by an earlier rule.
- Because of DENY ALL, Rules 8 through 16 (all DENY rules) are redundant and could be removed. Rule 17 is a PASS rule and must stay.
- Ordering matters: Rule 7 must come before Rule 8. A SYN to the public webserver has SYN=1 and ACK=0, so if Rule 8 came first it would deny every new connection to the webserver.

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in the firm's internal address range]
   - Rules 1 through 3 are not needed because of this rule
5. If ICMP Type = 8, PASS [allow outgoing echo request messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
   - Caveat: this also drops outgoing ICMP Destination Unreachable (Type 3) messages, including the "fragmentation needed" messages (Type 3, Code 4) that path MTU discovery depends on; a practitioner would usually permit those explicitly before this rule
7. If TCP RST=1, DENY [do not allow outgoing resets; they are used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PASS [public webserver responses]
   - Needed because the next rule stops all packets from well-known port numbers
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65535, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65535, PASS [allow outgoing client connections]
    - Note: Rules 9 through 12 only work if all hosts draw their ephemeral (client) ports from the IANA dynamic range 49152 through 65535. Many do not: Windows XP used 1025 through 5000 (Windows Vista and later use 49152 through 65535), and Linux defaults to 32768 through 60999. The ranges in these rules must match what the firm's hosts actually use, or legitimate client traffic will be dropped.
13. DENY ALL
    - Rules 9 and 10 (DENY rules) are not needed because of this rule; Rules 11 and 12 (PASS rules) are still required.
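The two ACLs above are easy to reason about as a first-match list, and the ordering problems in them (Rule 7 before Rule 8 on ingress, Rule 8 before Rules 9 and 10 on egress) are easy to see once the rules are executable. The following is an added example, not code from the textbook: a small evaluator for the ingress and egress rule sets of Figures 5-6 and 5-7, with a shadowing check that audits a rule set against one constructed packet per rule. The redundant ingress DENY rules 9 through 16 are left out because the closing DENY ALL already covers them. The firm's range 60.47.0.0/16, the webserver 60.47.3.9 and the black-holed address 1.2.3.4 come from the slides; the sample packets are constructed for the audit.

```python
"""First-match ACL evaluator for the ingress and egress rule sets of
Figures 5-6 and 5-7.  Added example; not the textbook's code.

A packet is a dict holding only the header fields the ACLs look at.
Rules are checked top to bottom, the first matching rule decides, and
an implicit DENY ALL closes each list.  The slides' wildcard ranges
become CIDR prefixes (10.*.*.* -> 10.0.0.0/8, 172.16-31.*.* ->
172.16.0.0/12); 60.47.0.0/16 and 60.47.3.9 are taken from the slides.
"""
import ipaddress

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIRM = ipaddress.ip_network("60.47.0.0/16")
WEBSERVER = ipaddress.ip_address("60.47.3.9")
BLACKHOLED = ipaddress.ip_address("1.2.3.4")
EPHEMERAL = range(49152, 65536)   # IANA dynamic range assumed by Rules 11-12


def _in(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)


def _is(addr, single):
    return ipaddress.ip_address(addr) == single


def pkt(src, dst, proto="TCP", sport=0, dport=0, flags=(), icmp_type=None):
    """Minimal packet header (constructed test input, not captured traffic)."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                flags=set(flags), icmp_type=icmp_type)


# (rule name, predicate, verdict); list order is rule order.
INGRESS = [
    ("1-3 private source", lambda p: _in(p["src"], PRIVATE), "DENY"),
    ("4 spoofed internal source", lambda p: _in(p["src"], [FIRM]), "DENY"),
    ("5 black-holed attacker", lambda p: _is(p["src"], BLACKHOLED), "DENY"),
    ("6 SYN+FIN", lambda p: p["proto"] == "TCP" and {"SYN", "FIN"} <= p["flags"], "DENY"),
    ("7 public webserver", lambda p: p["proto"] == "TCP" and _is(p["dst"], WEBSERVER)
     and p["dport"] in (80, 443), "PASS"),
    ("8 external connection attempt", lambda p: p["proto"] == "TCP"
     and "SYN" in p["flags"] and "ACK" not in p["flags"], "DENY"),
    ("17 ICMP echo reply", lambda p: p["proto"] == "ICMP" and p["icmp_type"] == 0, "PASS"),
]

EGRESS = [
    ("4 not firm's address", lambda p: not _in(p["src"], [FIRM]), "DENY"),
    ("5 ICMP echo request", lambda p: p["proto"] == "ICMP" and p["icmp_type"] == 8, "PASS"),
    ("6 other ICMP", lambda p: p["proto"] == "ICMP", "DENY"),
    ("7 TCP reset", lambda p: p["proto"] == "TCP" and "RST" in p["flags"], "DENY"),
    ("8 webserver responses", lambda p: p["proto"] == "TCP" and _is(p["src"], WEBSERVER)
     and p["sport"] in (80, 443), "PASS"),
    ("11-12 client connections", lambda p: p["proto"] in ("TCP", "UDP")
     and p["sport"] in EPHEMERAL, "PASS"),
]


def evaluate(acl, p):
    """Return (verdict, rule name); the implicit last rule is DENY ALL."""
    for name, pred, verdict in acl:
        if pred(p):
            return verdict, name
    return "DENY", "deny all"


def shadowed_rules(acl, samples):
    """Rules that never fire on the samples: candidates for shadowing by an earlier rule."""
    hit = {evaluate(acl, p)[1] for p in samples}
    return [name for name, _, _ in acl if name not in hit]


def misordered_ingress():
    """Figure 5-6 with Rules 7 and 8 swapped: the webserver rule can no longer pass a SYN."""
    acl = list(INGRESS)
    acl[4], acl[5] = acl[5], acl[4]
    return acl


# One constructed packet per ingress rule, used to audit the rule set.
SAMPLES = [
    pkt("10.1.2.3", "60.47.3.9", dport=80, flags=("SYN",)),
    pkt("60.47.9.9", "60.47.3.9", dport=80, flags=("SYN",)),
    pkt("1.2.3.4", "60.47.3.9", dport=80, flags=("SYN",)),
    pkt("8.8.8.8", "60.47.3.9", dport=80, flags=("SYN", "FIN")),
    pkt("8.8.8.8", "60.47.3.9", dport=80, flags=("SYN",)),
    pkt("8.8.8.8", "60.47.5.5", dport=22, flags=("SYN",)),
    pkt("8.8.8.8", "60.47.5.5", proto="ICMP", icmp_type=0),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(evaluate(INGRESS, p), p["src"], "->", p["dst"])
    print("shadowed in Figure 5-6 order:", shadowed_rules(INGRESS, SAMPLES))
    print("shadowed with 7/8 swapped:", shadowed_rules(misordered_ingress(), SAMPLES))
```

Running it shows every ingress rule firing once in the slide's order and, after swapping Rules 7 and 8, the webserver rule reported as shadowed: the audit packet for it now hits "external connection attempt" instead. This is the kind of policy-driven test that Figure 5-22 later asks for, done before the rules reach a router.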

Inspection Methods: Stateful Packet Inspection

Figure 5-8: Stateful Inspection Firewalls

- Default Behavior
  - Permit connections initiated by an internal host
  - Deny connections initiated by an external host
  - The default behavior can be changed with an ACL
  - Figure placeholder: a connection attempt from the internal network toward the Internet is automatically accepted; a connection attempt from the Internet toward the internal network is automatically denied
- State of a Connection: Open or Closed
  - State in general: where a packet falls in the order of a dialog
  - For firewalls, often simply whether the packet is part of an open connection
- Stateful Firewall Operation
  - If the firewall accepts a connection...
  - It records the two IP addresses and port numbers in its state table as OK (open) (Figure 5-9)
  - It accepts future packets between these hosts and ports with little or no further inspection
  - This can miss attacks that ride inside an accepted connection, above all attacks carried in application message content, but it catches attacks that depend on unsolicited or out-of-sequence packets

Figure 5-9: Stateful Inspection Firewall Operation I

Figure placeholder. Hosts: internal client PC 60.55.33.12, external webserver 123.80.5.34, with the stateful firewall between them. Outgoing connections are allowed by default.

1. The client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
2. The firewall establishes the connection: it adds an entry to its connection table
3. The firewall forwards the TCP SYN segment to 123.80.5.34:80
4. The webserver replies with a TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600
5. The firewall checks its connection table; the connection is OK, so it passes the packet
6. The TCP SYN/ACK segment is delivered to the client

Connection table after Step 2:

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP  | 60.55.33.12 | 62600         | 123.80.5.34 | 80            | OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Stateful Firewall Operation
  - For UDP, the firewall also records the two IP addresses and port numbers in the state table, even though UDP itself has no connections

Connection table with a TCP entry and a UDP entry:

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP  | 60.55.33.12 | 62600         | 123.80.5.34 | 80            | OK
UDP  | 60.55.33.12 | 63206         | 1.8.33.4    | 69            | OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Static Packet Filter Firewalls are Stateless
  - They filter one packet at a time, in isolation
  - If a TCP SYN/ACK segment arrives, a static filter cannot tell whether there was a previous SYN to open a connection
  - Stateful firewalls can (Figure 5-10)

Figure 5-10: Stateful Firewall Operation II

Figure placeholder. An attacker at 10.5.3.4, spoofing an external webserver, targets the internal client PC 60.55.33.12.

1. The attacker sends a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
2. The stateful firewall checks its connection table: no connection matches, so the packet is dropped

Connection table at the time of the attack:

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP  | 60.55.33.12 | 62600         | 123.80.5.34 | 80            | OK
UDP  | 60.55.33.12 | 63206         | 222.8.33.4  | 69            | OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Static Packet Filter Firewalls are Stateless
  - They filter one packet at a time, in isolation
  - They cannot deal with port-switching applications, where the data connection uses ports negotiated inside the application dialog
  - Stateful firewalls can (Figure 5-11)

Figure 5-11: Port-Switching Applications with Stateful Firewalls

Figure placeholder. Hosts: internal client PC 60.55.33.12, external FTP server 123.80.5.34, with the stateful firewall between them.

1. The client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 (the FTP control connection)
2. The firewall adds the control connection to its state table and forwards the SYN
3. The SYN reaches the server
4. The server replies with a TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600; the dialog then agrees that ports 20 (server) and 55336 (client) will be used for data transfers
5. To allow the data transfer, the firewall establishes a second state-table entry for that connection
6. The SYN/ACK and the port agreement reach the client

State table after Step 5:

Type | Internal IP | Internal Port | External IP | External Port | Status
TCP  | 60.55.33.12 | 62600         | 123.80.5.34 | 21            | OK (Step 2)
TCP  | 60.55.33.12 | 55336         | 123.80.5.34 | 20            | OK (Step 5)

The figure simplifies the FTP exchange. In real active-mode FTP the client announces its data port with a PORT command sent over the control connection, and the server then opens the data connection from its port 20 to that client port. Because that inbound connection is initiated by the external host, the firewall's default behavior would deny it; a stateful firewall handles it with an application helper that reads the PORT command and pre-opens a state-table entry for the expected data connection.
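The connection-table logic of Figures 5-9 and 5-10, and the port-switching case of Figure 5-11, in one runnable model. This is an added example, not code from the textbook. It uses real active-mode FTP semantics for the helper (the client's PORT command on the control connection, the server connecting back from port 20) rather than the simplified exchange in the figure. The trusted-side prefix 60.55. is an assumption; the addresses and ports are those in the figures, and the PORT message is constructed.

```python
"""Stateful inspection with a connection table, plus an FTP helper for
the port-switching case (Figures 5-9 to 5-11).  Added example; not the
textbook's code.  Connection attempts from the trusted side create a
table entry; inbound packets pass only when they match one.  The FTP
helper implements active-mode FTP (client sends PORT over the control
connection, server connects from port 20).  INTERNAL_PREFIX is assumed.
"""
import re

INTERNAL_PREFIX = "60.55."   # assumption: trusted side is 60.55.0.0/16
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    def __init__(self):
        # (proto, internal ip, internal port, external ip, external port) -> status
        self.table = {}

    def handle(self, proto, src, sport, dst, dport, flags=frozenset(), payload=b""):
        """Return 'PASS' or 'DROP' for one packet and update the table."""
        outbound = src.startswith(INTERNAL_PREFIX)
        key = ((proto, src, sport, dst, dport) if outbound
               else (proto, dst, dport, src, sport))
        opens = proto == "UDP" or ("SYN" in flags and "ACK" not in flags)

        if key in self.table:
            verdict = "PASS"                    # part of an open connection
        elif outbound and opens:
            self.table[key] = "OK"              # default: an internal host may open
            verdict = "PASS"
        else:
            verdict = "DROP"                    # external attempt, or no matching entry

        if verdict == "PASS" and outbound and proto == "TCP" and dport == 21:
            self._ftp_helper(src, dst, payload)
        return verdict

    def _ftp_helper(self, client, server, payload):
        """On 'PORT h1,h2,h3,h4,p1,p2', pre-open the server's data connection from port 20."""
        m = PORT_RE.search(payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != client:
            return                              # refuse to open a hole for a third host
        self.table[("TCP", client, p1 * 256 + p2, server, 20)] = "OK"


def web_scenario():
    """Figures 5-9 and 5-10: outbound SYN opens, real SYN/ACK passes, spoofed SYN/ACK is dropped."""
    fw = StatefulFirewall()
    v1 = fw.handle("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, {"SYN"})
    v2 = fw.handle("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, {"SYN", "ACK"})
    spoof = fw.handle("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, {"SYN", "ACK"})
    ext_syn = fw.handle("TCP", "8.8.8.8", 40000, "60.55.33.12", 22, {"SYN"})
    return v1, v2, spoof, ext_syn


def udp_scenario():
    """UDP has no handshake, but the firewall still records the pair and admits the reply."""
    fw = StatefulFirewall()
    out = fw.handle("UDP", "60.55.33.12", 63206, "1.8.33.4", 69)
    back = fw.handle("UDP", "1.8.33.4", 69, "60.55.33.12", 63206)
    return out, back


def ftp_scenario():
    """Figure 5-11: the PORT command lets the server's inbound data connection through."""
    fw = StatefulFirewall()
    fw.handle("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, {"SYN"})
    fw.handle("TCP", "123.80.5.34", 21, "60.55.33.12", 62600, {"SYN", "ACK"})
    # client announces data port 55336 = 216 * 256 + 40 (constructed control message)
    fw.handle("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, {"ACK"},
              b"PORT 60,55,33,12,216,40\r\n")
    data = fw.handle("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, {"SYN"})
    other = fw.handle("TCP", "123.80.5.34", 20, "60.55.33.12", 55337, {"SYN"})
    return data, other


if __name__ == "__main__":
    print("web:", web_scenario(), "udp:", udp_scenario(), "ftp:", ftp_scenario())
```

The helper is where the security risk of port-switching support lives: it opens a hole on the strength of a message the client wrote. The check that the address in the PORT command equals the client's own address is what stops a compromised client from opening an inbound path to some other internal host.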

Figure 5-8: Stateful Inspection Firewalls (continued)

- Stateful Inspection Access Control Lists (ACLs)
  - Primarily allow or deny applications (by port number)
  - Simple, because no rules are needed for probe packets: packets that match no open connection are dropped automatically
  - The simplicity of stateful filtering gives speed and therefore low cost
  - Stateful firewalls are dominant today for main corporate border firewalls

Inspection Methods: Network Address Translation (NAT)

Figure 5-12: Network Address Translation (NAT)

Figure placeholder. An internal client host 192.168.5.7 reaches a server on the Internet through a NAT firewall whose external address is 60.5.9.8; a sniffer sits on the Internet side.

1. The client sends a packet from 192.168.5.7, port 61000
2. The NAT firewall replaces the source with 60.5.9.8, port 55380, records the mapping in its translation table, and forwards the packet; the sniffer sees only the translated values
3. The server's reply is addressed to 60.5.9.8, port 55380
4. The NAT firewall looks up the mapping and rewrites the destination to 192.168.5.7, port 61000

Translation table:

Internal IP Addr | Internal Port | External IP Addr | External Port
192.168.5.7      | 61000         | 60.5.9.8         | 55380
...              | ...           | ...              | ...

- Sniffers on the Internet cannot learn internal IP addresses and port numbers
  - They learn only the translated address and port number
- By itself, NAT provides a good deal of protection against one class of attack
  - External attackers cannot open a connection to an internal computer, because an unsolicited inbound packet matches no translation-table entry and so has no internal destination
  - NAT does nothing about attacks carried inside connections that internal hosts open themselves, or about application message content
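The translation table in Figure 5-12 as a small working model. This is an added example, not the textbook's code. The NAT device's public address 60.5.9.8, the internal host 192.168.5.7 and its port 61000 are taken from the figure; the port allocator starting at 55380 and the second internal host are assumptions. It shows two things the figure only implies: two internal hosts that pick the same source port get different external ports, and an inbound packet with no mapping is dropped because there is nothing to translate it to.

```python
"""Network address and port translation as in Figure 5-12.  Added
example; not the textbook's code.  Each outbound (proto, internal ip,
internal port, external ip, external port) five-tuple gets its own
public port, so two internal hosts that happen to pick the same source
port get different external ports.  An inbound packet with no mapping
has no internal destination and is dropped.  The port allocator and the
second internal host are assumptions.
"""


class NAT:
    def __init__(self, public_ip, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self.free = iter(range(first_port, last_port + 1))
        self.out = {}    # (proto, int ip, int port, ext ip, ext port) -> public port
        self.back = {}   # (proto, public port, ext ip, ext port) -> (int ip, int port)

    def outbound(self, proto, src, sport, dst, dport):
        """Rewrite an internal host's packet; returns the translated 5-tuple."""
        key = (proto, src, sport, dst, dport)
        if key not in self.out:
            pub = next(self.free)            # StopIteration here means port exhaustion
            self.out[key] = pub
            self.back[(proto, pub, dst, dport)] = (src, sport)
        return (proto, self.public_ip, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Reverse-translate a reply; returns the internal 5-tuple, or None (dropped)."""
        if dst != self.public_ip:
            return None
        entry = self.back.get((proto, dport, src, sport))
        if entry is None:
            return None                      # unsolicited: nothing to translate to
        int_ip, int_port = entry
        return (proto, src, sport, int_ip, int_port)


def scenario():
    """Two internal hosts reusing source port 61000, their replies, and an unsolicited probe."""
    nat = NAT("60.5.9.8", first_port=55380)
    a = nat.outbound("TCP", "192.168.5.7", 61000, "123.80.5.34", 80)
    b = nat.outbound("TCP", "192.168.5.9", 61000, "123.80.5.34", 80)
    a_again = nat.outbound("TCP", "192.168.5.7", 61000, "123.80.5.34", 80)
    reply_a = nat.inbound("TCP", "123.80.5.34", 80, "60.5.9.8", a[2])
    reply_b = nat.inbound("TCP", "123.80.5.34", 80, "60.5.9.8", b[2])
    probe = nat.inbound("TCP", "1.2.3.4", 4444, "60.5.9.8", 61000)
    return a, b, a_again == a, reply_a, reply_b, probe


if __name__ == "__main__":
    for item in scenario():
        print(item)
```

Because the reverse lookup includes the external address and port, a reply is only accepted from the host the internal client actually talked to; a packet from anyone else to the same public port is dropped as unsolicited. That is the whole of the protection NAT gives, and it says nothing about what the accepted reply contains.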

Inspection Methods: Application Firewalls

Figure 5-13: Application Firewall Operation

Figure placeholder. A client PC at 192.168.6.77 runs a browser; the application firewall at 60.45.2.6 runs an HTTP proxy; the webserver is at 123.80.5.34.

1. The browser sends an HTTP request from 192.168.6.77 to the HTTP proxy
2. The proxy filters the request (blocked URLs, POST commands, etc.)
3. The proxy sends the examined HTTP request to the webserver, with 60.45.2.6 as its source
4. The webserver returns an HTTP response to 60.45.2.6
5. The proxy filters the response (on hostname, URL, MIME type, etc.)
6. The proxy sends the examined HTTP response to 192.168.6.77

The same application firewall can run other proxies beside the HTTP proxy: an FTP proxy (outbound filtering on PUT) and an SMTP (e-mail) proxy (inbound and outbound filtering on obsolete commands and on content). A separate proxy program is needed for each application filtered on the firewall.

Figure 5-14: Header Destruction with Application Firewalls

Figure placeholder. An attacker at 1.2.3.4 sends a packet to the application firewall at 60.45.2.6, which fronts the webserver at 123.80.5.34. The arriving packet consists of the original IP header, the original TCP header, and the application message (HTTP). The application firewall strips the original headers from the arriving packet and creates a new packet with new IP and TCP headers around the application message. This stops attacks that depend on crafted IP or TCP headers reaching the protected host, because only headers the firewall itself built ever reach it.

Figure 5-15: Protocol Spoofing

Figure placeholder. A Trojan horse on the internal client PC 60.55.33.12 tries to reach the attacker at 1.2.3.4.

1. The Trojan transmits on port 80 to get through a simple packet filter firewall, which sees only the port number
2. An application firewall sees that the protocol is not HTTP and stops the transmission

Relay Operation

- Application firewalls use relay operation
  - They act as a server to clients and as a client to servers
  - This is slow, so traditionally application firewalls could only handle limited traffic

Automatic Protections in Relay Operation

- Protocol Fidelity
  - An application that spoofs the port number of another application (e.g., Port 80) will not work in relay operation, because the proxy relays only messages it can parse as that protocol
- Header Destruction
  - IP, TCP, UDP, and ICMP headers are dropped at the firewall, so they cannot do damage
- IP Address Hiding
  - A sniffer on the Internet learns only the application firewall's IP address

Other Application Firewall Protections

- Stopping Certain Application Commands
  - HTTP: Stop POST
  - FTP: Stop PUT
  - E-Mail: Stop obsolete commands used by attackers
- Blocked IP Addresses and URLs
  - Black lists
- Blocking File Types
  - Use MIME types and other identification methods

Figure 5-16: Circuit Firewall

Figure placeholder. A generic type of application firewall: a circuit firewall (SOCKS v5) at 60.34.3.31 fronts the webserver 60.80.5.34 for an external client at 123.30.82.5.

1. The external client authenticates to the circuit firewall
2. The client transmits
3. The firewall passes the transmission without filtering its content
4. The webserver replies
5. The firewall passes the reply, again without filtering

Control rests on the required authentication, not on inspection of the application messages.
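A minimal HTTP proxy filter that puts the relay-operation protections above into code: protocol fidelity (Figure 5-15), command, host and file-type filtering, and rebuilding the outgoing message from parsed fields rather than relaying the client's bytes (the application-layer counterpart of the header destruction in Figure 5-14). This is an added example, not the textbook's code. The policy values (blocked method POST, the black-listed host evil.example, the blocked MIME types) and all sample messages are assumptions constructed for the demonstration.

```python
"""Application-layer (proxy) filtering of HTTP: protocol fidelity
(Figure 5-15), relay operation, and the command, host and file-type
filters listed above.  Added example; not the textbook's code.  The
proxy parses the client's request as HTTP and refuses anything that
does not parse (a Trojan tunnelling on port 80 fails here), applies
the policies, and rebuilds the request from the parsed fields instead
of relaying the client's original bytes.  Policy values are assumed.
"""

BLOCKED_METHODS = {"POST"}                          # slides: "HTTP: Stop POST"
BLOCKED_HOSTS = {"evil.example"}                    # black list (assumed)
BLOCKED_MIME = {"application/x-msdownload", "application/octet-stream"}
HTTP_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body); raise ValueError if not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by a blank line")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head")
    parts = lines[0].split(" ")
    if (len(parts) != 3 or parts[2] not in HTTP_VERSIONS
            or not parts[0].isalpha() or not parts[0].isupper()):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def filter_request(raw: bytes):
    """Relay step: return ('PASS', rebuilt request bytes) or ('DROP', reason)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as err:
        return "DROP", f"protocol fidelity: {err}"
    if method in BLOCKED_METHODS:
        return "DROP", f"blocked command {method}"
    host = headers.get("host", "").split(":")[0].lower()
    if host in BLOCKED_HOSTS:
        return "DROP", f"blacklisted host {host}"
    # Only parsed, normalised fields leave the proxy; the client's raw bytes do not.
    rebuilt = f"{method} {target} {version}\r\n"
    rebuilt += "".join(f"{name.title()}: {value}\r\n" for name, value in headers.items())
    return "PASS", rebuilt.encode("ascii") + b"\r\n" + body


def filter_response(raw: bytes):
    """File-type filter on the server's reply: block executable MIME types."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    ctype = ""
    for line in head.decode("ascii", "replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME:
        return "DROP", f"blocked file type {ctype}"
    return "PASS", raw


if __name__ == "__main__":
    # Constructed sample messages: a normal request, a POST, a black-listed host,
    # a TLS-like Trojan beacon on port 80, and a plaintext non-HTTP protocol.
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                   b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\nx=1",
                   b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
                   b"\x16\x03\x01\x00\xa5TROJAN-BEACON",
                   b"HELLO C2 v2\r\n\r\n"):
        print(filter_request(sample))
```

The two Trojan samples fail for different reasons, and both are protocol-fidelity failures: the binary beacon never contains the blank line that ends an HTTP request head and has non-ASCII bytes, while the plaintext one has a request line whose third token is not an HTTP version. Neither port number nor connection state played any part; that is exactly what a packet filter or stateful firewall cannot see.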

Inspection Methods: Intrusion Prevention Systems (IPSs)

Intrusion Prevention System (IPS)

- Provides more sophisticated inspection than a firewall
- Examines streams of packets
  - Looks for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks)
  - And that cannot be diagnosed by simply accepting packets that are part of a connection
- Does deep packet inspection
  - Examines the headers and messages at all layers: internet, transport, and application
- IPSs act proactively
  - Once an attack is diagnosed, further packets in the attack are blocked
  - This frightens many firms, because if an IPS acts incorrectly (a false positive) it effectively creates a self-inflicted denial-of-service attack
  - Firms that first deploy IPSs may permit only the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks
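A SYN flood is the textbook case of an attack that is invisible packet by packet and visible only across a stream. The following is an added example, not the textbook's code, of the stream-level detection and graded response described above: it tracks half-open TCP connections per destination over a sliding window, only alerts in the middle range where confidence is low, and blocks only once the count is far beyond anything legitimate traffic produces, which is the "block only high-confidence detections" posture the text recommends. The thresholds, the window, the addresses and all traffic are assumptions constructed for the demonstration.

```python
"""Stream-level SYN flood detection with a graded response, as an IPS
would do it.  Added example; not the textbook's code.  Thresholds,
window and addresses are assumptions.  A SYN adds a half-open entry for
its destination; the client's completing ACK removes it.  Legitimate
clients complete their handshakes and never accumulate, so a large
half-open count in a short window is a flood.  Below alert_at nothing
happens; between alert_at and block_at the IPS only alerts (low
confidence: blocking here risks dropping real clients); from block_at
upward it drops further SYNs to the victim.
"""


class SynFloodIPS:
    def __init__(self, window=1.0, alert_at=20, block_at=100):
        self.window, self.alert_at, self.block_at = window, alert_at, block_at
        self.pending = {}        # (src, sport, dst) -> time of the SYN, until its ACK arrives
        self.events = []         # (time, dst, half-open count, action)

    def _half_open(self, dst, now):
        stale = [k for k, t in self.pending.items() if now - t > self.window]
        for k in stale:
            del self.pending[k]
        return sum(1 for k in self.pending if k[2] == dst)

    def inspect(self, now, src, sport, dst, dport, flags):
        """Return 'PASS', 'ALERT' (passed but logged) or 'BLOCK' for one TCP packet."""
        flags = set(flags)
        if flags == {"SYN"}:
            self.pending[(src, sport, dst)] = now
            n = self._half_open(dst, now)
            if n >= self.block_at:
                self.events.append((now, dst, n, "BLOCK"))
                return "BLOCK"
            if n >= self.alert_at:
                self.events.append((now, dst, n, "ALERT"))
                return "ALERT"
        elif flags == {"ACK"}:
            self.pending.pop((src, sport, dst), None)   # handshake completed
        return "PASS"


def scenario():
    """Ten well-behaved clients, then a 150-packet spoofed flood (constructed traffic)."""
    ips = SynFloodIPS(window=1.0, alert_at=20, block_at=100)
    legit = set()
    for i in range(10):
        legit.add(ips.inspect(0.1 * i, f"8.8.8.{i}", 50000 + i, "60.47.3.9", 80, {"SYN"}))
        ips.inspect(0.1 * i + 0.01, f"8.8.8.{i}", 50000 + i, "60.47.3.9", 80, {"ACK"})
    flood = [ips.inspect(2.0 + 0.002 * i, f"203.0.113.{i % 250}", 40000 + i,
                         "60.47.3.9", 80, {"SYN"}) for i in range(150)]
    return legit, flood.count("PASS"), flood.count("ALERT"), flood.count("BLOCK")


if __name__ == "__main__":
    print(scenario())
```

Even the BLOCK response here is a blunt instrument: it drops new SYNs to the victim, which also turns away legitimate new clients arriving during the flood. That is the self-inflicted DoS trade-off the text describes, and it is why production IPSs prefer SYN cookies or SYN proxying, which complete the handshake on the server's behalf and forward only connections whose client actually answers, over dropping packets by count.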

Firewalls (architecture)

- Types of Firewalls
- Inspection Methods
- Firewall Architecture
  - Single site in a large organization
  - Home firewall
  - SOHO firewall router
  - Distributed firewall architecture
- Configuring, Testing, and Maintenance

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Figure placeholder. Traffic from the Internet passes, in order, through:

1. Screening Router (60.47.1.1), last rule = Permit All
   - Uses static packet filtering
   - Drops simple attacks
   - Prevents probe replies from getting out
   - Last rule is Permit All, to let the main firewall handle everything but simple attacks
2. Main Firewall, last rule = Deny All
   - Uses stateful inspection
   - Last rule is Deny All
3. Internal Firewall, between the border and the internal subnets
4. Client Host Firewall (for example, on a marketing client on the 172.18.5.x subnet)
5. Server Host Firewall (for example, on an accounting server on the 172.18.7.x subnet)
6. DMZ, a special subnet for the servers that must be accessed from outside:
   - Public Webserver 60.47.3.9
   - SMTP Relay Proxy 60.47.3.10
   - HTTP Proxy Server 60.47.3.1
   - External DNS Server 60.47.3.4

Internal subnets shown: 172.18.5.x (marketing client), 172.18.7.x (accounting server), and 172.18.9.x.

Internal firewalls and hardened hosts provide defense in depth: they stop attacks from inside, and they stop external attacks that get past the main firewall.

Servers that must be accessed from outside are placed in the Demilitarized Zone (DMZ). The main and internal firewalls must be configured so that an attacker who compromises a DMZ host cannot reach the other subnets from there, and DMZ servers are specially hardened because they face Internet attack directly.

Figure 5-18: Home Firewall

Figure placeholder. A home PC with a PC (host) firewall connects over UTP to a broadband modem, which connects over coaxial cable to the Internet service provider. The connection is always on, so the PC is continuously exposed.

Windows XP has a built-in firewall, originally called the Internet Connection Firewall, which was disabled by default. After Service Pack 2 it is called the Windows Firewall and is enabled by default.

Figure 5-19: SOHO Firewall Router

Figure placeholder. User PCs connect over UTP to an Ethernet switch; the switch connects to a SOHO router, which connects to the broadband modem (DSL or cable) and on to the Internet service provider. The SOHO router combines a router, a DHCP server, a NAT firewall, and a limited application firewall. Many access routers combine the router and the Ethernet switch in a single box.

Figure 5-20: Distributed Firewall Architecture

Figure placeholder. Firewalls at Site A, at Site B, and on remote home PCs are all controlled from a central firewall management console over the Internet.

- Remote management is needed to reduce management labor
- It is dangerous, because if an attacker compromises the management console, they own the network
- Remote PCs must be actively managed centrally

Figure 5-21: Other Security Architecture Issues

- Host and Application Security (Chapters 6 and 9)
- Antivirus Protection (Chapter 4)
- Intrusion Detection Systems (Chapter 10)
- Virtual Private Networks (Chapter 8)
- Policy Enforcement System


Figure 5-22: Configuring, Testing, and Maintaining Firewalls

- Firewall Misconfiguration is a Serious Problem
  - ACL rules are evaluated in order, and the first match decides
  - Easy to make misordering errors, where an earlier rule shadows a later one
  - Easy to make syntax errors
- Create Policies Before ACLs
  - Policies are easier to read than ACLs
  - Can be reviewed by others more easily than ACLs
  - Policies drive ACL development
  - Policies also drive testing
- Must Test Firewalls with Security Audits
  - Attack your own firewall based on your policies
  - Only way to tell whether the policies are actually being enforced
- Maintaining Firewalls
  - New threats appear constantly
  - ACLs must be updated constantly if the firewall is to remain effective

Figure 5-23: FireWall-1 Modular Management Architecture

Figure placeholder. Three kinds of modules:

- Application modules (GUI): one creates and edits policies, another reads log files
- Management module: stores the policies and stores the log files; sends each policy to the firewall modules and receives their log entries
- Firewall modules (one per enforcement point): enforce the policy and send log entries to the management module

Figure 5-24: FireWall-1 Service Architecture

Figure placeholder. Packet flow from an external server to an internal client:

1. Arriving packet reaches the FireWall-1 firewall
2. Packet is statefully filtered
3. DoS protection and optional authentication are applied
4. Packet is handed to a third-party application inspection firewall over the Content Vectoring Protocol
5. Statefully filtered packet, plus application inspection, is delivered to the internal client

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls

Figure placeholder. Each interface has a security level: Outside (Internet) = 0, Inside (internal network) = 100, and a third network behind the router = 60. Connections are allowed by default from a more secure network to a less secure one (inside to outside: automatically accept). Connection attempts from a less secure network to a more secure one (outside to inside: automatically reject) are denied unless an ACL permits them.

Topics Covered

- Border Firewalls
  - Sit between a trusted and an untrusted network
  - Drop and log attack packets
- Types of Firewall Inspection
  - Static packet inspection
  - Stateful inspection
  - Application proxy firewalls
  - NAT
  - Denial-of-Service, Authentication, VPNs
- Firewall Hardware and Software
  - Screening firewall router
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
  - Performance is critical; overloaded firewalls drop the packets they cannot filter
- Static Packet Inspection
  - Examines IP, TCP, UDP, and ICMP headers
  - Examines packets one at a time
  - Misses many attacks
  - Used primarily in screening firewall routers
  - Access Control Lists (ACLs)
    - List of if-then pass/deny statements
    - Applied in order (sensitive to misordering)
    - For the main firewall, the last rule is Deny All
    - For the screening firewall, the last rule is Pass All
- Stateful Inspection
  - Packets that attempt to open connections
    - By default, permits all internally initiated connections
    - By default, denies all externally initiated connections
    - ACLs can change the default behavior
  - Other packets
    - Permitted if part of an established connection
    - Denied if not part of an established connection
  - Importance
    - Fast and therefore inexpensive
    - Catches most attacks that do not ride inside an accepted connection
    - Dominates the main border firewall market
- Network Address Translation (NAT)
  - Operation
    - Internal host sends a packet to an external host
    - NAT device replaces the source IP address and TCP or UDP port number with stand-in values
    - When packets are sent back, the stand-in values are replaced with the original values
    - Transparent to internal and external hosts
  - Why?
    - To hide internal host IP addresses and port numbers from sniffers on the Internet
    - To permit firms to have more hosts than they have assigned public IP addresses
  - Perspective
    - Often used in other types of firewalls
- Application Firewalls
  - Inspect application messages
    - Catch attacks that other firewalls cannot
    - Usually do NOT do antivirus filtering
    - Programs that do the filtering are called proxies
    - Proxies are application-specific
    - Circuit firewalls are not application-specific; they rely on required authentication for control
  - Relay operation
    - The application firewall acts as a server to clients and as a client to servers
    - This is slow, so traditionally application firewalls could only handle limited traffic
  - Automatic protection from relay operation
    - Protocol fidelity: stops port spoofing
    - Header destruction: no IP, TCP, UDP, or ICMP header attacks reach the protected host
    - IP address hiding
  - Command-based filtering (HTTP POST, etc.)
  - Host or URL filtering (black lists)
  - File type filtering (MIME, etc.)
  - NOT antivirus filtering
- Intrusion Prevention Systems (IPSs)
  - Use sophisticated detection methods created for intrusion detection systems
    - Examine streams of packets, not just individual packets
    - Deep inspection: filter the messages at every layer in a packet
  - But unlike IDSs, do not simply report attacks
    - Stop detected attacks
  - Spectrum of attack detection confidence
    - Stop attacks detected with high confidence
    - Do not stop attacks with low detection confidence, because doing so can create a self-inflicted DoS attack
  - Sophisticated filtering is processing-intensive
    - Traditional IDSs could not filter in real time, so they could not be placed in-line with traffic
    - ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic

Firewall Architectures

- Site Protection
  - Screening Firewall Router (static packet filtering)
  - Main Border Firewall (stateful)
  - Internal Firewalls
  - Host Firewalls
  - DMZ
    - For hosts that must face Internet attack
    - Must be hardened (bastion hosts)
    - Public webservers, etc.
    - Application firewalls
    - External DNS server
  - Defense in Depth
- Home Firewall
  - Host firewalls are especially needed for always-on broadband connections
- SOHO Firewall
  - Separate firewall between the switch and the broadband modem
  - Some broadband modems do NAT, providing considerable protection
- Distributed Firewall Architecture
  - Most firms have multiple sites
  - Multiple firewalls at many sites
  - A central manager controls them
  - If the manager is hacked, the result is very bad
  - Management traffic must be encrypted

Configuring, Testing, and Maintenance

- Configuration
  - Firewalls must be configured (ACLs designed, etc.)
- Testing
  - Configuration errors are common, so firewalls must be tested
- Maintenance
  - Must be reconfigured frequently over time as the threat environment changes
