1
Firewalls
Chapter 5
Revised March 2004
Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall
2
Figure 5-1: Border Firewall (diagram; labels recovered from the figure)
1. Internet (not trusted), where the attacker and the legitimate user sit; Internal Corporate Network (trusted)
2. Internet border firewall sits between the two
3. Attack packet arrives from the Internet
4. Dropped packet (ingress): the firewall drops the attack packet and records it in the log file
5. Passed legitimate packet (ingress): the legitimate user's packet is passed into the internal network
6. Hardened client PC and hardened server on the internal network stop an attack packet that got through the firewall; hardened hosts provide defense in depth
7. Egress: packets leaving the internal network are also inspected; a dropped packet (egress) is logged, a passed packet (egress) goes out to the Internet
7
Figure 5-2: Types of Firewall Inspection
Packet Inspection
{ Examines IP, TCP, UDP, and ICMP headers
Static packet inspection (described later)
Stateful inspection (described later)
Application Inspection
{ Examines application layer messages
8
Figure 5-2: Types of Firewall Inspection
Network Address Translation (NAT)
{ Hides IP addresses and port numbers
Denial-of-Service (DoS) Inspection
{ Detects and stops DoS attacks
Authentication
{ Requires senders to authenticate themselves
9
Figure 5-2: Types of Firewall Inspection
Virtual Private Network (VPN) Handling
{ VPNs are protected packet streams (see Chapter 8)
{ Packets are encrypted for confidentiality, so firewall inspection is impossible
{ VPNs typically bypass firewalls, making border security weaker
10
Figure 5-2: Types of Firewall Inspection
Hybrid Firewalls
{ Most firewalls offer more than one type of filtering
{ However, firewalls normally do not do antivirus filtering
Some firewalls pass packets to antivirus filtering servers
11
Firewalls
Firewall Hardware and Software
{ Screening router firewalls
{ Computer-based firewalls
{ Firewall appliances
{ Host firewalls (firewalls on clients and servers)
Inspection Methods
Firewall Architecture
Configuring, Testing, and Maintenance
12
Figure 5-3: Firewall Hardware and Software
Screening Router Firewalls
{ Add firewall software to router
{ Usually provide light filtering only
{ Expensive for the processing power—usually must upgrade hardware, too
13
Figure 5-3: Firewall Hardware and Software
Screening Router Firewalls
{ Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier
{ Good location for egress filtering—can eliminate scanning responses, even from the router
14
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
{ Add firewall software to server with an existing operating system: Windows or UNIX
{ Can be purchased with power to handle any load
{ Easy to use because administrators already know the operating system
15
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
{ Firewall vendor might bundle firewall software with hardened hardware and operating system software
{ General-purpose operating systems result in slower processing
16
Figure 5-3: Firewall Hardware and Software
Computer-Based Firewalls
{ Security: Attackers may be able to hack the operating system
Change filtering rules to allow attack packets in
Change filtering rules to drop legitimate packets
17
Figure 5-3: Firewall Hardware and Software
Firewall Appliances
{ Boxes with minimal operating systems
{ Therefore, difficult to hack
{ Setup is minimal
{ Not customized to specific firm’s situation
{ Must be able to update
18
Figure 5-3: Firewall Hardware and Software
Host Firewalls
{ Installed on hosts themselves (servers and sometimes clients)
{ Enhanced security because of host-specific knowledge
For example, filter out everything but webserver transmissions on a webserver
19
Figure 5-3: Firewall Hardware and Software
Host Firewalls
{ Defense in depth
Normally used in conjunction with other firewalls
Although on a single host computer attached to the Internet, the host firewall might be the only firewall
20
Figure 5-3: Firewall Hardware and Software
Host Firewalls
{ The firm must manage many host firewalls
{ If not centrally managed, configuration can be a nightmare
{ Especially if rule sets change frequently
21
Figure 5-3: Firewall Hardware and Software
Host Firewalls
{ Client firewalls typically must be configured by ordinary users
Might misconfigure or reject the firewall
Need to centrally manage remote employee computers
22
Perspective
Computer-Based Firewall
{ Firewall based on a computer with a full operating system
Host Firewall
{ A firewall on a host (client or server)
23
Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering (diagram)
Performance requirements are driven by traffic volume (packets per second) and by the complexity of filtering (number of filtering rules, complexity of rules, etc.)
If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them
24
Firewalls
Firewall Hardware and Software
Inspection Methods
{ Static Packet Inspection
{ Stateful Packet Inspection
{ NAT
{ Application Firewalls
{ IPSs
Firewall Architecture
Configuring, Testing, and Maintenance
25
Figure 5-5: Static Packet Filter Firewall (diagram; labels recovered from the figure)
Packets between the Internet and the corporate network: IP-H + TCP-H + application message; IP-H + UDP-H + application message; IP-H + ICMP-H + ICMP message
Only the IP, TCP, UDP and ICMP headers are examined; each packet is either permitted (passed) or denied (dropped), and drops are recorded in the log file
Arriving packets are examined one at a time, in isolation; this misses many attacks
27
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]
28
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
29
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
30
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
31
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]
32
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL
33
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
DENY ALL
{ Last rule
{ Drops any packets not specifically permitted by earlier rules
{ In the previous ACL, Rules 8-17 are not needed;
Deny all would catch them
34
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
{ Rules 1-3 are not needed because of this rule
35
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
5. If ICMP Type = 8, PASS [allow outgoing echo messages]
6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
36
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
8. If source IP address = 60.47.3.9 and TCP source port = 80 OR 443, PERMIT [public webserver responses]
{ Needed because next rule stops all packets from well-known port numbers
9. If TCP source port=0 through 49151, DENY [well-known and registered ports]
10. If UDP source port=0 through 49151, DENY [well-known and registered ports]
37
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
11. If TCP source port =49152 through 65,536, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
{ Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not
38
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
13. DENY ALL
{ No need for Rules 9-12
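The ingress ACL of Figure 5-6 and the egress ACL of Figure 5-7, evaluated in series by a small static packet filter simulator. This is an added example, not code from the textbook: the Packet record, the rule predicates and the misordered_ingress() helper (which swaps rules 7 and 8 to show how a misordering silently changes the verdict) are constructed here, and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


# Constructed packet record: only the header fields a static packet filter examines.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    icmp_type: int = -1


# One ACL entry: (rule number, action, comment from the figure, match predicate).
Rule = Tuple[int, str, str, Callable[[Packet], bool]]


def src_in(net: str) -> Callable[[Packet], bool]:
    return lambda p: ip_address(p.src) in ip_network(net)


def tcp_dport(lo: int, hi: Optional[int] = None) -> Callable[[Packet], bool]:
    top = lo if hi is None else hi
    return lambda p: p.proto == "TCP" and lo <= p.dport <= top


# Figure 5-6 ingress ACL, one entry per rule, in the figure's order (DENY ALL is implicit).
INGRESS: List[Rule] = [
    (1, "DENY", "private IP address range", src_in("10.0.0.0/8")),
    (2, "DENY", "private IP address range", src_in("172.16.0.0/12")),
    (3, "DENY", "private IP address range", src_in("192.168.0.0/16")),
    (4, "DENY", "firm's internal address range", src_in("60.40.0.0/16")),
    (5, "DENY", "black-holed address of attacker", lambda p: p.src == "1.2.3.4"),
    (6, "DENY", "crafted attack packet", lambda p: p.proto == "TCP" and p.syn and p.fin),
    (7, "PASS", "connection to a public webserver",
     lambda p: p.proto == "TCP" and p.dst == "60.47.3.9" and p.dport in (80, 443)),
    (8, "DENY", "attempt to open a connection from the outside",
     lambda p: p.proto == "TCP" and p.syn and not p.ack),
    (9, "DENY", "FTP data connection", tcp_dport(20)),
    (10, "DENY", "FTP supervisory control connection", tcp_dport(21)),
    (11, "DENY", "Telnet data connection", tcp_dport(23)),
    (12, "DENY", "NetBIOS connection for clients", tcp_dport(135, 139)),
    (13, "DENY", "UNIX rlogin without password", tcp_dport(513)),
    (14, "DENY", "UNIX rsh launch shell without login", tcp_dport(514)),
    (15, "DENY", "SSH for secure login, but some versions are insecure", tcp_dport(22)),
    (16, "DENY", "Trivial File Transfer Protocol; no login necessary",
     lambda p: p.proto == "UDP" and p.dport == 69),
    (17, "PASS", "allow incoming echo reply messages",
     lambda p: p.proto == "ICMP" and p.icmp_type == 0),
]

# Figure 5-7 egress ACL (rules 11-12 pass ephemeral source ports; DENY ALL follows).
EGRESS: List[Rule] = [
    (1, "DENY", "private IP address range", src_in("10.0.0.0/8")),
    (2, "DENY", "private IP address range", src_in("172.16.0.0/12")),
    (3, "DENY", "private IP address range", src_in("192.168.0.0/16")),
    (4, "DENY", "not in internal address range",
     lambda p: ip_address(p.src) not in ip_network("60.47.0.0/16")),
    (5, "PASS", "allow outgoing echo messages", lambda p: p.proto == "ICMP" and p.icmp_type == 8),
    (6, "DENY", "drop all other outgoing ICMP messages", lambda p: p.proto == "ICMP"),
    (7, "DENY", "do not allow outgoing resets", lambda p: p.proto == "TCP" and p.rst),
    (8, "PASS", "public webserver responses",
     lambda p: p.proto == "TCP" and p.src == "60.47.3.9" and p.sport in (80, 443)),
    (9, "DENY", "well-known and registered ports", lambda p: p.proto == "TCP" and p.sport <= 49151),
    (10, "DENY", "well-known and registered ports", lambda p: p.proto == "UDP" and p.sport <= 49151),
    (11, "PASS", "allow outgoing client connections", lambda p: p.proto == "TCP" and p.sport >= 49152),
    (12, "PASS", "allow outgoing client connections", lambda p: p.proto == "UDP" and p.sport >= 49152),
]


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching rule decides (rules execute in series).
    Returns (action, reason). When nothing matches, the implicit last rule DENY ALL applies."""
    for number, action, comment, matches in acl:
        if matches(p):
            return action, f"rule {number}: {comment}"
    return "DENY", "DENY ALL (no earlier rule matched)"


def misordered_ingress() -> List[Rule]:
    """Figure 5-6 with rules 7 and 8 swapped: the 'deny outside SYN' rule now shadows the
    webserver PASS rule, so connections to the public webserver are dropped."""
    acl = list(INGRESS)
    acl[6], acl[7] = acl[7], acl[6]
    return acl


if __name__ == "__main__":
    web = Packet("8.8.8.8", "60.47.3.9", "TCP", 50000, 443, syn=True)   # constructed client SYN
    print(evaluate(INGRESS, web))               # ('PASS', 'rule 7: connection to a public webserver')
    print(evaluate(misordered_ingress(), web))  # ('DENY', 'rule 8: attempt to open a connection from the outside')
```

Because evaluation stops at the first match, the verdict depends on order as much as on content: the same packet that rule 7 passes is denied once rule 8 sits above it, which is the misordering problem the configuration slides warn about. Testing an ACL therefore means replaying packets that each policy statement is supposed to permit or deny and checking which rule actually fired, not just the final PASS/DENY.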
39
Firewalls
Firewall Hardware and Software
Inspection Methods
{ Static Packet Inspection
{ Stateful Packet Inspection
{ NAT
{ Application Firewalls
Firewall Architecture
Configuring, Testing, and Maintenance
40
Figure 5-8: Stateful Inspection Firewalls
Default Behavior
{ Permit connections initiated by an internal host
{ Deny connections initiated by an external host
{ Can change default behavior with ACL
Diagram: a connection attempt from the internal network (behind the router) toward the Internet is automatically accepted; a connection attempt from the Internet toward the internal network is automatically denied
New
41
Figure 5-8: Stateful Inspection Firewalls
State of Connection: Open or Closed
{ State: Order of packet within a dialog
{ Often simply whether the packet is part of an open connection
42
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
{ If the firewall accepts a connection…
{ It records the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
{ It then accepts future packets between these hosts and ports with no further inspection
This can miss some attacks, but it catches almost everything except attacks based on application message content
New
43
Figure 5-9: Stateful Inspection Firewall Operation I (diagram; labels recovered from the figure)
Hosts: internal client PC 60.55.33.12; external webserver 123.80.5.34; stateful firewall between them
1. Client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
2. Firewall establishes the connection (note: outgoing connections are allowed by default)
3. Firewall forwards the TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
4. Webserver replies with a TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600
5. Firewall checks the connection table: connection OK; pass the packet
6. TCP SYN/ACK segment from 123.80.5.34:80 is delivered to 60.55.33.12:62600
Connection table after step 2:
Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 80 | OK
45
Figure 5-8: Stateful Inspection Firewalls
Stateful Firewall Operation
{ For UDP, also record two IP addresses and port numbers in the state table
Connection table:
Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 80 | OK
UDP | 60.55.33.12 | 63206 | 1.8.33.4 | 69 | OK
46
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls are Stateless
{ Filter one packet at a time, in isolation
{ If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
{ But stateful firewalls can (Figure 5-10)
47
Figure 5-10: Stateful Firewall Operation II (diagram; labels recovered from the figure)
Hosts: attacker 10.5.3.4 spoofing an external webserver; internal client PC 60.55.33.12; stateful firewall between them
1. Attacker sends a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
2. Firewall checks the connection table: no connection match, so the segment is dropped
Connection table:
Type | Internal IP | Internal Port | External IP | External Port | Status
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 80 | OK
UDP | 60.55.33.12 | 63206 | 222.8.33.4 | 69 | OK
48
Figure 5-8: Stateful Inspection Firewalls
Static Packet Filter Firewalls are Stateless
{ Filter one packet at a time, in isolation
{ Cannot deal with port-switching applications
{ But stateful firewalls can (Figure 5-11)
49
Figure 5-11: Port-Switching Applications with Stateful Firewalls (diagram; labels recovered from the figure)
Hosts: internal client PC 60.55.33.12; external FTP server 123.80.5.34; stateful firewall between them
1. Client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21
2. Firewall records the connection in the state table to establish it
3. Firewall forwards the TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21
4. FTP server replies with a TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, saying: use ports 20 and 55336 for data transfers
5. To allow this, the firewall establishes a second connection entry in the state table
6. The SYN/ACK segment, with the port announcement, is delivered to the client
State table:
Type | Internal IP | Internal Port | External IP | External Port | Status | Added in
TCP | 60.55.33.12 | 62600 | 123.80.5.34 | 21 | OK | Step 2
TCP | 60.55.33.12 | 55336 | 123.80.5.34 | 20 | OK | Step 5
51
Figure 5-8: Stateful Inspection Firewalls
Stateful Inspection Access Control Lists (ACLs)
{ Primarily allow or deny applications (port numbers)
{ Simple: no rules are needed for probe packets, because packets that do not belong to an open connection are dropped automatically
{ The simplicity of stateful firewalls gives speed and therefore low cost
{ Stateful firewalls are dominant today for the main corporate border firewalls
New
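A stateful inspection firewall with a connection table, replaying the packets of Figures 5-9, 5-10 and 5-11 (plus the UDP row from the slide above). This is an added example, not code from the textbook: the Packet record, the StatefulFirewall class and the internal subnet 60.55.33.0/24 are constructed here, and the FTP port announcement is represented by the figure's caption text ("Use ports 20 and 55336 for data transfers") rather than by a real FTP PORT reply.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


# Constructed packet record: only the fields a stateful firewall consults.
@dataclass
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""   # application message; read only on the FTP control connection


# Connection table row: (type, internal IP, internal port, external IP, external port) -> status
ConnKey = Tuple[str, str, int, str, int]

# Constructed stand-in for the server message of Figure 5-11.
PORT_SWITCH = re.compile(r"use ports (\d+) and (\d+) for data transfers", re.IGNORECASE)


class StatefulFirewall:
    def __init__(self, internal_net: str) -> None:
        self.internal = ip_network(internal_net)
        self.table: Dict[ConnKey, str] = {}

    def is_internal(self, ip: str) -> bool:
        return ip_address(ip) in self.internal

    def handle(self, p: Packet) -> str:
        """Return "PASS" or "DROP" and update the connection table as Figures 5-9 to 5-11 show."""
        if self.is_internal(p.src) and not self.is_internal(p.dst):
            key: ConnKey = (p.proto, p.src, p.sport, p.dst, p.dport)
            # Default behavior: connections initiated by an internal host are permitted.
            # TCP opens with SYN (ACK clear); every outbound UDP datagram creates/refreshes a row.
            if p.proto == "UDP" or (p.syn and not p.ack):
                self.table[key] = "OK"
                return "PASS"
            # Any other outbound packet must belong to a connection already in the table.
            return "PASS" if key in self.table else "DROP"

        # Inbound: look the packet up with the internal/external roles reversed.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key not in self.table:
            # No match: either an external host trying to open a connection (denied by
            # default) or a spoofed SYN/ACK that never had a SYN (Figure 5-10).
            return "DROP"
        if p.proto == "TCP" and p.sport == 21:
            # Port-switching application (Figure 5-11): the FTP server announces the ports
            # for the data transfer, so the firewall adds a second row before it is needed.
            m = PORT_SWITCH.search(p.payload)
            if m:
                server_port, client_port = int(m.group(1)), int(m.group(2))
                self.table[(p.proto, p.dst, client_port, p.src, server_port)] = "OK"
        return "PASS"


def run_figures() -> List[str]:
    """Replay the packets of Figures 5-9, 5-10 and 5-11 (and the UDP row of the slide
    above) through one firewall and return the verdict for each, in order."""
    fw = StatefulFirewall("60.55.33.0/24")   # constructed: the client PC's subnet
    packets = [
        Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True),              # 5-9 step 1
        Packet("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True),   # 5-9 step 4
        Packet("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True),      # 5-10 spoofed
        Packet("UDP", "60.55.33.12", 63206, "1.8.33.4", 69),                          # UDP row
        Packet("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn=True),             # 5-11 step 1
        Packet("TCP", "123.80.5.34", 21, "60.55.33.12", 62600, syn=True, ack=True,
               payload="Use ports 20 and 55336 for data transfers"),                  # 5-11 step 4
        Packet("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn=True),             # data connection
        Packet("TCP", "8.8.8.8", 40000, "60.55.33.12", 80, syn=True),                 # external open
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print(run_figures())   # ['PASS', 'PASS', 'DROP', 'PASS', 'PASS', 'PASS', 'PASS', 'DROP']
```

The table is the whole mechanism: every inbound packet is judged by whether a matching row exists, which is why the spoofed SYN/ACK of Figure 5-10 and the external connection attempt are dropped without any explicit rule, while the FTP data connection from port 20 passes because step 4 created its row ahead of time. Note that the port announcement is only honoured on an already-open control connection; the same message arriving on an unknown connection is dropped.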
52
Firewalls
Firewall Hardware and Software
Inspection Methods
{ Static Packet Inspection
{ Stateful Packet Inspection
{ NAT
{ Application Firewalls
{ IPSs
Firewall Architecture
Configuring, Testing, and Maintenance
53
Figure 5-12: Network Address Translation (NAT) (diagram; labels recovered from the figure)
Hosts: internal client host 192.168.5.7; NAT firewall with external address 60.5.9.8; external server; a sniffer on the Internet
1. Client sends a packet from 192.168.5.7, port 61000
2. NAT firewall sends it on to the Internet from 60.5.9.8, port 55380; the sniffer sees only the translated address and port
3. Server reply arrives addressed to 60.5.9.8, port 55380
4. NAT firewall forwards it to 192.168.5.7, port 61000
Translation table:
Internal IP Addr | Internal Port | External IP Addr | External Port
192.168.5.7 | 61000 | 60.5.9.8 | 55380
. . . | . . . | . . . | . . .
55
Figure 5-12: Network Address Translation (NAT)
Sniffers on the Internet cannot learn internal IP addresses and port numbers
{ They only learn the translated address and port number
By itself, NAT provides a great deal of protection against attacks
{ External attackers cannot create a connection to an internal computer, because the NAT firewall has no translation table entry to map their packets to
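The translation table of Figure 5-12 as code, replaying the four steps and then a constructed external connection attempt that finds no entry. This is an added example, not code from the textbook: the Packet record, the NatFirewall class and the server address 123.80.5.34 are constructed here (the figure labels the server only as "Server"); 60.5.9.8, 192.168.5.7 and the ports come from the figure.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


# Constructed packet record with just the addressing fields NAT reads or rewrites.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]   # (IP address, port)


class NatFirewall:
    """Source NAT as in Figure 5-12: one translation table, consulted in both directions."""

    def __init__(self, public_ip: str, first_port: int = 55380) -> None:
        # 55380 is the stand-in port shown in the figure; later rows get the next free port.
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_external: Dict[Endpoint, Endpoint] = {}   # internal (IP, port) -> external (IP, port)
        self.to_internal: Dict[Endpoint, Endpoint] = {}   # external (IP, port) -> internal (IP, port)

    def outbound(self, p: Packet) -> Packet:
        """Steps 1 -> 2: replace the internal source IP/port with stand-in values, adding a row if new."""
        inside = (p.src, p.sport)
        if inside not in self.to_external:
            outside = (self.public_ip, self.next_port)
            self.next_port += 1
            self.to_external[inside] = outside
            self.to_internal[outside] = inside
        ext_ip, ext_port = self.to_external[inside]
        return replace(p, src=ext_ip, sport=ext_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Steps 3 -> 4: put the original values back. A packet addressed to a port with no
        row (an outsider trying to open a connection) has no internal target and is dropped."""
        inside = self.to_internal.get((p.dst, p.dport))
        if inside is None:
            return None
        int_ip, int_port = inside
        return replace(p, dst=int_ip, dport=int_port)

    def rows(self) -> List[Tuple[str, int, str, int]]:
        """The translation table in the figure's column order: internal IP, port, external IP, port."""
        return [(i_ip, i_port, e_ip, e_port)
                for (i_ip, i_port), (e_ip, e_port) in self.to_external.items()]


def run_figure() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Replay Figure 5-12 plus one constructed external connection attempt."""
    nat = NatFirewall("60.5.9.8")
    out = nat.outbound(Packet("192.168.5.7", 61000, "123.80.5.34", 80))   # what the sniffer sees
    reply = nat.inbound(Packet("123.80.5.34", 80, "60.5.9.8", 55380))     # translated back
    probe = nat.inbound(Packet("1.2.3.4", 40000, "60.5.9.8", 3389))       # no row: dropped
    return out, reply, probe


if __name__ == "__main__":
    out, reply, probe = run_figure()
    print(out)     # Packet(src='60.5.9.8', sport=55380, dst='123.80.5.34', dport=80)
    print(reply)   # Packet(src='123.80.5.34', sport=80, dst='192.168.5.7', dport=61000)
    print(probe)   # None
```

One caveat a practitioner should keep in mind: this table, like the figure's, keys inbound packets on the external port alone, so any host that guesses an active stand-in port can reach the internal client. Production NAT devices also record the remote endpoint for each row and accept a reply only from the server the internal host actually contacted, which is what makes the "no connection from outside" property hold against guessing.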
56
Firewalls
Firewall Hardware and Software
Inspection Methods
{ Static Packet Inspection
{ Stateful Packet Inspection
{ NAT
{ Application Firewalls
{ IPSs
Firewall Architecture
Configuring, Testing, and Maintenance
57
Figure 5-13: Application Firewall Operation (diagram; labels recovered from the figure)
Hosts: client PC 192.168.6.77 running a browser; application firewall 60.45.2.6 running an HTTP proxy; webserver 123.80.5.34
1. Browser sends an HTTP request from 192.168.6.77
2. HTTP proxy filters the request: blocked URLs, POST commands, etc.
3. Examined HTTP request is sent to the webserver from 60.45.2.6
4. Webserver sends the HTTP response to 60.45.2.6
5. HTTP proxy filters the response on hostname, URL, MIME type, etc.
6. Examined HTTP response is sent to 192.168.6.77
Other proxies on the same application firewall: FTP proxy (outbound filtering on PUT); SMTP (e-mail) proxy (inbound and outbound filtering on obsolete commands and content)
A separate proxy program is needed for each application filtered on the firewall
60
Figure 5-14: Header Destruction With Application Firewalls (diagram; labels recovered from the figure)
Hosts: attacker 1.2.3.4; application firewall 60.45.2.6; webserver 123.80.5.34
Arriving packet: original IP header + original TCP header + application message (HTTP)
At the application firewall the original headers are removed; only the application message (HTTP) is kept
New packet: new IP header + new TCP header + application message (HTTP)
The application firewall strips the original headers from arriving packets and creates a new packet with new headers; this stops all header-based packet attacks
61
Figure 5-15: Protocol Spoofing (diagram; labels recovered from the figure)
Hosts: internal client PC 60.55.33.12 infected with a Trojan horse; attacker 1.2.3.4; application firewall
1. Trojan transmits on port 80 to get through a simple packet filter firewall
2. The application firewall sees that the protocol is not HTTP and stops the transmission
62
Relay Operation
{ Application firewalls use relay operation
Act as a server to clients and as a client to servers
This is slow, so traditionally application firewalls could only handle limited traffic
(Diagram repeats steps 1-3 of Figure 5-13: HTTP request from 192.168.6.77, filtering by the HTTP proxy, examined HTTP request sent on from 60.45.2.6)
63
Automatic Protections in Relay Operation
Protocol Fidelity
{ An application that spoofs the port number of another application (e.g., port 80) will not work in relay operation, because the proxy expects the real protocol (Figure 5-15)
Header Destruction
{ IP, TCP, UDP, and ICMP headers dropped at firewall so cannot do damage
IP Address Hiding
{ Sniffer on the Internet only learns the application firewall’s IP address
64
Other Application Firewall Protections
Stopping Certain Application Commands
{ HTTP: Stop POST
{ FTP: Stop PUT
{ E-Mail: Stop obsolete commands used by attackers
Blocked IP Addresses and URLs
{ Black lists
Blocking File Types
{ Use MIME and other identification methods
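An HTTP proxy that applies the protections listed in this and the two preceding slides: protocol fidelity (Figure 5-15), header destruction (Figure 5-14), command blocking (POST), a host black list and file type blocking by MIME type. This is an added example, not code from the textbook or from any real proxy product: the ProxyPolicy defaults, the Verdict record, the black-listed host evil.example and the sample messages are all constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set


# Constructed policy: the things the slides say an HTTP proxy filters on.
@dataclass
class ProxyPolicy:
    blocked_methods: Set[str] = field(default_factory=lambda: {"POST"})
    blocked_hosts: Set[str] = field(default_factory=lambda: {"evil.example"})      # constructed black list
    blocked_mime: Set[str] = field(default_factory=lambda: {"application/x-msdownload"})


# A genuine HTTP/1.x request line: METHOD SP request-target SP HTTP/1.0|1.1
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


@dataclass
class Verdict:
    passed: bool
    reason: str
    forwarded: str = ""   # the new message the proxy builds; empty when blocked


def inspect_request(raw: str, policy: ProxyPolicy) -> Verdict:
    """Act as the server toward the client: parse, check, then rebuild the request from scratch."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        # Protocol fidelity: traffic on port 80 that is not HTTP (Figure 5-15) is stopped.
        return Verdict(False, "not HTTP: protocol spoofing")
    method, url = m.group(1), m.group(2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    if method in policy.blocked_methods:
        return Verdict(False, f"blocked command {method}")
    if host in policy.blocked_hosts:
        return Verdict(False, f"black-listed host {host}")
    # Relay operation and header destruction: only the parsed fields survive. The client's
    # original bytes, extra headers, and the IP/TCP headers beneath them never reach the server.
    forwarded = f"{method} {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return Verdict(True, "examined request", forwarded)


def inspect_response(raw: str, policy: ProxyPolicy) -> Verdict:
    """Act as the client toward the server: block responses carrying a forbidden file type."""
    head, _, _body = raw.partition("\r\n\r\n")
    ctype = ""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip().split(";")[0].strip().lower()   # drop "; charset=..."
    if ctype in policy.blocked_mime:
        return Verdict(False, f"blocked file type {ctype}")
    return Verdict(True, "examined response", raw)


if __name__ == "__main__":
    policy = ProxyPolicy()
    # Constructed sample messages.
    print(inspect_request("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", policy))
    print(inspect_request("POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n", policy))
    print(inspect_request("NOT-HTTP 1\r\n\r\n", policy))
```

The design point is that the proxy never forwards what it received: it builds a fresh request from the fields it understood, so anything it did not parse (unknown headers, malformed request lines, whatever rode in on the original packet headers) is discarded rather than passed through. That is also why a separate proxy is needed per application: each protocol needs its own parser to decide what "understood" means.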
65
Figure 5-16: Circuit Firewall (diagram; labels recovered from the figure)
Hosts: external client 123.30.82.5; circuit firewall (SOCKS v5) 60.34.3.31; webserver 60.80.5.34
1. Authentication of the external client to the circuit firewall
2. Transmission from the client
3. Passed transmission to the webserver: no filtering
4. Reply from the webserver
5. Passed reply to the client: no filtering
A circuit firewall is a generic type of application firewall
66
Firewalls
Firewall Hardware and Software
Inspection Methods
{ Static Packet Inspection
{ Stateful Packet Inspection
{ NAT
{ Application Firewalls
{ IPSs
Firewall Architecture
Configuring, Testing, and Maintenance
New
67
Intrusion Prevention System (IPS)
Provide More Sophisticated Inspection
Examine Streams of Packets
{ Look for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks)
{ And that cannot be diagnosed by simply accepting packets that are part of a connection
Do Deep Packet Inspection
{ Examine all headers at all layers—internet, transport, and application
New
68
Intrusion Prevention System (IPS)
IPSs Act Proactively
{ Once an attack is diagnosed, future packets in the attack are blocked
{ This frightens many firms because if an IPS acts incorrectly, it effectively generates a self-inflicted denial-of-service attack
{ Firms that first use IPSs may only permit the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks
New
69
Firewalls
Types of Firewalls
Inspection Methods
Firewall Architecture
{ Single site in large organization
{ Home firewall
{ SOHO firewall router
{ Distributed firewall architecture
Configuring, Testing, and Maintenance
70
Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (diagram; labels recovered from the figure)
Hosts shown: public webserver 60.47.3.9, SMTP relay proxy 60.47.3.10, HTTP proxy server 60.47.3.1 and external DNS server 60.47.3.4 (all in the DMZ); a marketing client on the 172.18.5.x subnet; an accounting server on the 172.18.7.x subnet; a 172.18.9.x subnet
1. Screening router 60.47.1.1, last rule = Permit All: uses static packet filtering; drops simple attacks; prevents probe replies from getting out; the last rule is Permit All to let the main firewall handle everything but simple attacks
2. Main firewall, last rule = Deny All: uses stateful inspection
3. Internal firewall and 4. client host firewalls: internal firewalls and hardened hosts provide defense in depth; they stop attacks from inside and stop external attacks that get past the main firewall
5. Server host firewall
6. DMZ: servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ); attackers cannot get to other subnets from there; DMZ servers are specially hardened
74
Figure 5-18: Home Firewall (diagram; labels recovered from the figure)
Home PC with a PC firewall, connected by UTP cord to a broadband modem, which connects over coaxial cable to the Internet service provider; the connection is always on
Windows XP has an internal firewall
Originally called the Internet Connection Firewall; disabled by default
After Service Pack 2 called the Windows Firewall; enabled by default
New
75
Figure 5-19: SOHO Firewall Router (diagram; labels recovered from the figure)
Broadband modem (DSL or cable) connects to the Internet service provider
SOHO router: router, DHCP server, NAT firewall, and limited application firewall
Ethernet switch connects the user PCs over UTP
Many access routers combine the router and Ethernet switch in a single box
76
Figure 5-20: Distributed Firewall Architecture (diagram; labels recovered from the figure)
Firewalls at Site A, Site B and on a home PC are all reached over the Internet from a firewall management console
Remote management is needed to reduce management labor
Dangerous because if an attacker compromises the management console, they own the network
Remote PCs must be actively managed centrally
77
Figure 5-21: Other Security Architecture Issues
Host and Application Security (Chapters 6 and 9)
Antivirus Protection (Chapter 4)
Intrusion Detection Systems (Chapter 10)
Virtual Private Networks (Chapter 8)
Policy Enforcement System
78
Firewalls
Types of Firewalls
Inspection Methods
Firewall Architecture
Configuring, Testing, and Maintenance
79
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Firewall Misconfiguration is a Serious Problem
{ ACL rules must be executed in series
{ Easy to make misordering problems
{ Easy to make syntax errors
80
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Create Policies Before ACLs
{ Policies are easier to read than ACLs
{ Can be reviewed by others more easily than ACLs
{ Policies drive ACL development
{ Policies also drive testing
81
Figure 5-22: Configuring, Testing, and Maintaining Firewalls
Must test Firewalls with Security Audits
{ Attack your own firewall based on your policies
{ Only way to tell if policies are being supported
Maintaining Firewalls
{ New threats appear constantly
{ ACLs must be updated constantly if firewall is to be effective
82
Figure 5-23: FireWall-1 Modular Management Architecture (diagram; labels recovered from the figure)
Application modules (GUI): one creates and edits policies, another reads log files
Management module: stores policies and stores log files; sends the policy to the firewall modules and receives log file entries from them; supplies policy and log file data to the application modules
Firewall modules (two shown): each enforces the policy and sends log entries to the management module
83
Figure 5-24: FireWall-1 Service Architecture (diagram; labels recovered from the figure)
1. Arriving packet from the external server
2. Statefully filtered packet delivered to the internal client
3. DoS protection and optional authentications in the FireWall-1 firewall
4. Content Vectoring Protocol hands the packet to a third-party application inspection firewall
5. Statefully filtered packet plus application inspection delivered to the internal client
84
Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls (diagram; labels recovered from the figure)
The outside (Internet) has security level 0; the inside (internal network) has security level 100; a third network behind a router has security level 60
Connections are allowed from more secure networks to less secure networks (automatically accepted); connections from less secure to more secure networks are automatically rejected
85
Topics Covered
Border Firewalls
{ Sit between a trusted and untrusted network
{ Drop and log attack packets
Types of Firewall Inspection
{ Static packet inspection
{ Stateful inspection
{ Application proxy firewalls
{ NAT
{ Denial-of-Service, Authentication, VPNs
86
Topics Covered
Firewall Hardware and Software
{ Screening firewall router
{ Computer-based firewalls
{ Firewall appliances
{ Host firewalls (firewalls on clients and servers)
{ Performance is critical; overloaded firewalls drop packets they cannot filter
87
Topics Covered
Static Packet Inspection
{ Examine IP, TCP, UDP, and ICMP headers
{ Examine packets one at a time
{ Miss many attacks
Used primarily in screening firewall routers
{ Access Control Lists (ACLs)
List of if-then pass/deny statements
Applied in order (sensitive to misordering)
For main firewall, last rule is Deny All
For screening firewall, last rule is Pass All
88
Topics Covered
Stateful Inspection
{ Packets that Attempt to Open Connections
By default, permits all internally initiated connections
By default, denies all externally initiated connections
ACLs can change default behavior
89
Topics Covered
Stateful Inspection
{ Other Packets
Permitted if part of established connection
Denied if not part of established connections
{ Importance
Fast and therefore inexpensive
Catches almost all attacks
Dominates main border firewall market
90
Topics Covered
Network Address Translation (NAT)
{ Operation
Internal host sends a packet to an external host
NAT device replaces source IP address and TCP or UDP port number with stand-in values
When packets are sent back, the stand-in values are replaced with the original value
Transparent to internal and external hosts
91
Topics Covered
Network Address Translation (NAT)
{ Why?
To hide internal host IP addresses and port numbers from sniffers on the Internet
To permit firms to have more hosts than they have assigned public IP addresses
{ Perspective
Often used in other types of firewalls
92
Topics Covered
Application Firewalls
{ Inspect application messages
Catch attacks that other firewalls cannot
Usually do NOT do antivirus filtering
Programs that do filtering are called proxies
Proxies are application-specific
Circuit firewalls are not application-specific;
use required authentication for control
93
Topics Covered
Application Firewalls
{ Relay operation
Application firewall acts as server to clients, clients to servers
This is slow, so traditionally application firewalls could only handle limited traffic
94
Topics Covered
Application Firewalls
{ Automatic Protection from Relay Operation
Protocol fidelity: stops port spoofing
Header destruction: no IP, TCP, UDP, or ICMP attacks
IP address hiding
95
Topics Covered
Application Firewalls
{ Command-based filtering (HTTP POST, etc.)
{ Host or URL filtering (black lists)
{ File type filtering (MIME, etc.)
{ NOT antivirus filtering
96
Topics Covered
Intrusion Prevention Systems (IPSs)
{ Use sophisticated detection methods created for intrusion detection systems
Examine streams of packets, not just individual packets
Deep inspection: filter all layer messages in a packet
{ But unlike IDSs, do not simply report attacks
Stop detected attacks
New
97
Topics Covered
Intrusion Prevention Systems (IPSs)
{ Spectrum of attack detection confidence
Stop attacks detected with high confidence
Do not stop attacks with low detection confidence because doing so can create a self-inflicted DoS Attack
New
98
Topics Covered
Intrusion Prevention Systems (IPSs)
{ Sophisticated filtering is processing-intensive
{ Traditional IDSs could not filter in real-time so could not be placed in-line with traffic
{ ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic
New
99
Firewall Architectures
Site Protection
{ Screening Firewall Router (Static Packet)
{ Main Border Firewall (Stateful)
{ Internal Firewalls
{ Host Firewalls
{ DMZ
{ Defense in Depth
100
Firewall Architectures
Site Protection
{ DMZ
For hosts that must face Internet attack
Must be hardened (bastion hosts)
Public webservers, etc.
Application firewalls
External DNS server
101
Firewall Architectures
Home Firewall
{ Host firewalls are especially needed for always-on broadband connections
SOHO Firewall
{ Separate firewall between the switch and the broadband modem
{ Some broadband modems do NAT, providing considerable protection
102
Firewall Architectures
Distributed Firewall Architecture
{ Most firms have multiple sites
{ Multiple firewalls at many sites
{ A central manager controls them
{ If the manager is hacked, very bad
{ Management traffic must be encrypted
103
Configuring, Testing, and Maintenance
Configuration
{ Firewalls must be configured (ACLs designed, etc.)
Testing
{ Configuration errors are common, so firewalls must be tested
Maintenance
{ Must be reconfigured frequently over time as the threat environment changes