Firewalls
Reading Material
•
Text chapter 9
Firewall Goal
• Insert a"er the fact security by wrapping or interposing a filter on network traffic
Firewall Requirements
•
All traffic between network secTon A and
network secTon B (and visa versa) must pass
through the firewall (or a consistently
controlled set of firewalls)
•
Only authorized traffic (as specified by the
security policy) is allowed to pass
“Typical” corporate network
Web Server
Mail forwarding
Mail server DNS (internal)
DNS (DMZ)
Internet File Server
Packet Filter Firewall
• Operates at Layer 3 in router or HW firewall
• Has access to the Layer 3 header and Layer 4 header
• Can block traffic based on source and desTnaTon
address, ports, and protocol
• Does not reconstruct Layer 4 payload, so cannot do
Example Packet Filter Rules
•
Rules a^ached to outside interface
•
Rules a^ached to inside interface
Ac#on Source
Addr Src port Dest Addr Dest Port Protocol Comment
Block Outside host * * * * Don’t trust Allow * * Our Mail
Server 25 Tcp Allow mail traffic
Ac#on Source
Addr Source Port Dest Addr Dest Port Protocol Comment
Block * * Outside
host * * Don’t trust Allow Our Mail
Same Rules in iptables
• Rules in the filter table
• -A FORWARD –p ip -s outside_host –j REJECT -A FORWARD –p ip –d outside_host –j REJECT
-A FORWARD –i outside –p tcp –d our_mail_server –m tcp --dport 25 –j ACCEPT
-A FORWARD –i inside –p tcp –s our_mail_server –m tcp --sport 25 –j ACCEPT
More Example Pack Filter Rules
•
Rules a^ached to inside interface
•
Rules a^ached to outside interface
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Comment
Allow * * * 25 TCP Allow traffic to all mail servers
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Comment
A Be^er Example
•
Rules a^ached to inside interface
•
Rules a^ached to outside interface
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Comment
Allow Inside
networks * * 25 TCP Allow traffic to all mail servers
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Flags Comment
Allow * 25 Inside
FTP Example
•
Rules a^ached to inside interface
•
Rules a^ached to outside interface
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Flags Comment
Allow Inside
networks * * 21 TCP Allow Control channel traffic out Allow Inside
networks > 1024 * * TCP ACK Allow data traffic back
Ac#on Source
Addr Source Port Dest Addr Dest Port Proto Flags Comment
Allow * 21 Inside
networks * TCP ACK Allow return traffic for FTP control channel Allow * * Inside
Stateful InspecTon Firewall
• Evolved as packet filters aimed for proxy funcTonality
• In addiTon to Layer 3 reassembly, it can reconstruct layer 4 traffic • Some applicaTon layer analysis exists, e.g., for HTTP, FTP, H.323
– Called context-‐based access control (CBAC) on IOS – Configured by fixup command on PIX
• Some of this analysis is necessary to enable address translaTon and dynamic access for negoTated data channels
• ReconstrucTon and analysis can be expensive. – Must be configured on specified traffic streams
– At a minimum the user must tell the Firewall what kind of traffic to expect on a port
Circuit Firewall
•
Actually creates two separate TCP connecTons
– Completely reconstructs TCP connecTons
Example Stateful Rules
•
Rules a^ached to outside interface
•
Rules a^ached to inside interface
Ac#on Source
Addr Src port Dest Addr Dest Port Protocol Comment
Block Outside host * * * * Don’t trust Allow * * Our Mail
Server 25 Tcp Allow mail traffic
Ac#on Source
Addr Source Port Dest Addr Dest Port Protocol Comment
Block * * Outside
Same Rules in iptables
• Rules in the filter table
• -A FORWARD –p ip -s outside_host –j REJECT -A FORWARD –p ip –d outside_host –j REJECT
-A FORWARD –m state --state ESTABLISHED, RELATED – j ACCEPT
-A FORWARD –i outside –m state –state NEW –p tcp – d our_mail_server –m tcp --dport 25 –j ACCEPT
ApplicaTon Proxy Firewall
• Firewall sogware runs in applicaTon space on the
firewall
• The traffic source must be aware of the proxy and
add an addiTonal header
• Now transparent proxy support is available (TPROXY)
• Leverage basic network stack funcTonality to saniTze
applicaTon level traffic
– Block java or acTve X – Filter out “bad” URLs
Traffic reconstrucTon
X Y
FTP: X to Y GET /etc/passwd GET command causes
firewall to dynamically open data channel initiate
from Y to X
Ingress and Egress Filtering
• Ingress filtering
– Filter out packets from invalid addresses before entering your network • Egress filtering
– Filter out packets from invalid addresses before leaving your network
Inside Outside
Owns network X
Egress Filtering
Block outgoing traffic not sourced from network X
Ingress Filtering
Block incoming traffic from one of the set of invalid
Denial of Service
•
Example a9acks
– Smurf A9ack
– TCP SYN A9ack
– Teardrop
•
DoS general exploits resource limita#ons
– Denial by ConsumpTon
– Denial by DisrupTon
Teardrop A^ack
•
Send series of fragments that don't fit together
– Poor stack implementaTons would crash
– Early windows stacks
Offset 0, len 60
Offset 30, len 90
Address TranslaTon
• TradiTonal NAT RFC 3022 Reference RFC • Map real address to alias address
– Real address associated with physical device, generally an unroutable address
– Alias address generally a routeable associated with the translaTon device
• Originally moTvated by limited access to publicly routable IP addresses
– Folks didn’t want to pay for addresses and/or hassle with gemng official addresses
• Later folks said this also added security
– By hiding structure of internal network – Obscuring access to internal machines
• Adds complexity to firewall technology
– Must dig around in data stream to rewrite references to IP addresses and ports
Address Hiding (NAPT)
• Many to few dynamic mapping
– Packets from a large pool of private addresses are mapped to a small pool of public addresses at runTme
• Port remapping makes this sharing more scalable
– Two real addresses can be rewri^en to the same alias address
– Rewrite the source port to differenTate the streams
• Traffic must be iniTated from the real side
• Called masquerading in iptables if the interface IP is
NAT example
Enforcing Device 192.168.1.0/24 10.10.10.0/24 InternetHide from inside to outside 192.168.1.0/24 behind 128.274.1.1
StaTc Mapping
•
One-‐to-‐one fixed mapping
– One real address is mapped to one alias address at
configuraTon Tme
– Traffic can be iniTated from either side
•
Used to staTcally map out small set of servers
from a network that is otherwise hidden
NAT example
Enforcing Device 192.168.1.0/24 10.10.10.0/24 InternetHide from inside to outside 192.168.1.0/24 behind 128.274.1.1
Deployment
•
Hardware Firewall
– Buy firewall from vendor
• They provide sogware and hardware
• Depending on cost, may include hardware accelerators
•
Sogware Firewall on hardened basTon server
– Buy sogware from vendor or use open source – Harden server to reduce a^ack surface
•
Host-‐based firewall
– AddiTonal layer of defense for applicaTon server
•
Personal firewall
DMZ Network
Web Server
Mail forwarding
Mail server DNS (internal)
DNS (DMZ)
Internet File Server
Intrusion PrevenTon
•
Discussed in the Intrusion DetecTon lecture
•
Enables more dynamic rules and access rules
that rely on more communicaTon details
– Can download new signatures or adapt anomaly
rules on a daily basis
Unified Threat Management (UTM)
•
Firewalls at the border provide a nice point for
analysis
– Might as well perform other analysis as long as flows have been tracked
– Deploy one box instead of N boxes
•
AddiTonal acTons could be
– Virus scanning – URL filtering
Limits to firewalls
• Cannot analyze encrypted traffic
– Beyond header informaTon
• Everything is driven through port 80
– Relies on port as indicator of service
– Newer firewalls dynamically analyze traffic to determine protocol
• Cannot react to new a^acks on protocols that must be
allowed
– IPS can help
• Tracking IP addresses instead of people
Summary
•
Different types of firewalls for different needs
– Packet filtering/stateful/applicaTon
– Network/Host/personal
•
Firewalls have been a stalwart element of
network security for decades
– Not the end all soluTon
