Firewall Security 101
Laura Jeanne Knapp
Technical Evangelist
1-919-224-2205
SATAN and other scanning tools allow a hacker to probe the network for entry points
Mail trails and visible internal IP addresses allow deciphering of the internal network
Hackers have their own web sites, magazines, and trade shows
Hacker tools readily available on the web
What Interests a Hacker?
What type of device is it?
What operating system is being used?
Does it have a network management agent?
Is the device a good target for a Trojan horse, virus, or worm?
Is the network running web, FTP, Telnet, … servers?
Whose protocol stack is the device running?
Is the IP address permanently assigned?
Is port 23 open?
Hackers’ Philosophy
They use your system as an intermediary
(Diagram: Internet Module, WAN Module, Building Module, Server Module, Mainframe Module, Core, Public Servers, Back end database)
Phase 1: Network Recon
Phase 2: “Own” the system
Phase 3: Exploit trust
Phase 4: Reach for the gold
Phase 5: “Own” the network
Key Role of a Firewall
Allows or blocks passage based on security policies
Control all external connections and traffic
Enforce inter-network security policy
Repel and report on attacks and policy violations
Prevent intrusion from the Internet
Internal address masking
(Diagram: Internet, Internet router, open perimeter network with WWW servers, firewall, organization secure network)
What Can’t a Firewall Protect Against?
Malicious insiders
Connections that don’t go through the firewall
Viruses
Operating system exposures
Mail attachments with malicious content
Eavesdroppers intercepting normal traffic
Security Tradeoffs
Cost x Probability (of security success) versus Cost x Probability (of incident)
What is the impact of an incident? A scale from minor inconvenience, through embarrassment and financial loss, up to World War
Multiple Problems
Threat                               Security Solution
Unauthorized access                  Firewall ... Filters and blocks certain traffic
User misrepresents identity          Authentication ... Validates identity
Access to unauthorized data          Access control software ... Assigns and manages user privileges
Data intercepted, read or modified   Encryption ... Encodes data to prevent tampering
Virus attacks                        Virus detection ... Recognizes and eliminates
Hacker exploits OS holes             Operating system ... Plug known holes
Firewall Technologies
NAT - Network Address Translation (stateful packet filtering)
Secure domain name server
IP tunneling
Mail handling
Authentication
Domain Name Services
VPN - Encrypted tunnel
Proxy server (proxy firewall)
Socks server (circuit level firewall)
Stateful Packet Filtering Firewalls
Simple but rigorous method of access control
If the incoming transmission appears to be a legitimate reply to a previous request it is allowed to pass
Relatively unrestricted transmission
Selective and flexible access from outside
Relatively unrestricted access from inside
Simple ACL (access control lists)
Easy to administer
Opens doors in the firewall and monitors to track connections
Return packets pass only if associated with a valid request
Stateful Packet Filtering Firewalls
Stateful connection security
Tracks source and destination ports, source and destination addresses, TCP sequences, TCP flags
Tracks TCP and UDP session state
Supports authentication, authorization, syslog accounting
Builds artificial connection state for UDP traffic (timeouts)
IP fragmentation protection by reassembly
Special handling like rejection of ICMP
NAT - Network Address Translation
(Diagram: internal network 172.26.0.0 with hosts 172.26.2.5, 172.26.2.4 and www.mycom.com at 172.26.2.1 behind the firewall; they appear on external network 204.35.4.0 as 204.35.4.6, 204.35.4.2 and 204.35.4.1 toward the Internet router)
Hides internal addresses and systems from outsiders
Use private IP addresses internally
Higher performance than proxy or socks server
Transparent to clients
Configuration options on mapping internal to external addresses
Implemented by either firewall or router
First Level of Protection
Use NAT (Network Address Translation) and port address translation
Allows private IP addresses for the internal secure network
Protect console with access and privilege passwords
Delete or configure all Telnet ports
Automate syslog to generate alerts on intrusion
Allow incoming access to specific devices only (web server, mail server, ...)
Block SNMP from the outside and change community strings
Explicitly direct SNMP traffic to a management station
(Diagram: Internet, Internet router, open perimeter network with WWW servers, firewall, organization secure network)
Stateful Packet Filtering : TCP Initialization
(Diagram: 10.0.0.3 on the private network, 64.236.24.20 on the public network; the firewall resolves www.cnn.com to 64.236.24.20 by DNS lookup; each packet is IP header + TCP header, no data)
#   Source Addr    Destination Addr  Source Port  Destination Port  Initial Sequence #  Flag     Ack
1   10.0.0.3       64.236.24.20      1026         23                49091               Syn      -
2   192.168.0.10   64.236.24.20      1026         23                49769               Syn      -
3   64.236.24.20   192.168.0.10      23           1026              92513               Syn-Ack  49770
4   64.236.24.20   10.0.0.3          23           1026              92513               Syn-Ack  49092
Checks for translation slot
Create translation slot after verifying NAT, global, access control, authentication, authorization
Check for source IP address and port, destination IP address and port, translation
Stateful Firewall TCP Inside to Outside
(Diagram: 10.0.0.3 on the private network, 198.133.219.25 on the public network)
Data flows (IP header + TCP header):
#              Source Addr    Destination Addr  Source Port  Destination Port  Sequence #  Flag  Ack
5 (inside)     10.0.0.3       64.236.24.20      1026         23                49092       Ack   92514
5 (translated) 172.30.0.50    64.236.24.20      1026         23                49770       Ack   92514
Check for:
Truncated command
Incorrect command termination
Reply spoofing
Command spoofing
TCP stream editing
Invalid port negotiation
Command pipelining
Stateful Packet Filtering : UDP
(Diagram: 10.0.0.3 on the private network, 24.93.67.64 on the public network; each packet is IP header + UDP header)
#   Source Addr    Destination Addr  Source Port  Destination Port
1   10.0.0.3       24.93.67.64       1028         53
2   192.168.0.10   24.93.67.64       1028         53
3   24.93.67.64    192.168.0.10      53           1028
4   24.93.67.64    10.0.0.3          53           1028
Checks for translation slot
Create one after verifying NAT, global access control, authentication, authorization
Must receive responses within the user-configured timeout (normally 2 minutes)
Checks source IP address and port, destination IP address and port
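The TCP and UDP walkthroughs above (translation slot creation, sequence-number rewriting, reply matching, the 2-minute UDP timeout) as one runnable model. This is an added example written for this page, not code from the deck or from any firewall product. The addresses, ports and sequence numbers are the slides' own; the outbound ACL, the fixed ISN offset of 678 (49091 to 49769 on the slide) and the port-pool policy (keep the inside port when free, otherwise take 2000, 2001, ... as in the PAT diagram) are assumptions made for the example.

```python
"""Toy stateful packet filter with NAT/PAT that walks through the slides' TCP
and UDP flows. Added example, not the deck's code. Addresses, ports and sequence
numbers are the slides' own; ACL, ISN offset and port-pool policy are assumed."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GLOBAL_ADDR = "192.168.0.10"   # outside address the slides give to 10.0.0.3
UDP_TIMEOUT = 120.0            # seconds; "normally 2 minutes"
ISN_OFFSET = 678               # slide rewrites ISN 49091 -> 49769; assumed constant here
PAT_FIRST_PORT = 2000          # the PAT diagram hands out 2000, 2001
ALLOWED_OUTBOUND = {("tcp", 23), ("tcp", 80), ("udp", 53)}   # assumed outbound ACL


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""     # TCP: "S", "SA", "A"; empty for UDP
    seq: int = 0
    ack: int = 0


@dataclass
class Slot:
    """Translation slot: one tracked inside<->remote conversation."""
    inside: Tuple[str, int]
    remote: Tuple[str, int]
    global_port: int
    proto: str
    state: str          # tcp: SYN_SENT / ESTABLISHED; udp: OPEN
    last_seen: float
    isn: int = 0        # client's untranslated ISN (tcp only)


class StatefulFirewall:
    def __init__(self, inside_prefix: str = "10.0.0."):
        self.inside_prefix = inside_prefix
        self.slots: Dict[Tuple, Slot] = {}   # key: (proto, in addr, in port, remote addr, remote port)
        self.next_pool_port = PAT_FIRST_PORT
        self.log: List[str] = []

    def _drop(self, why: str, pkt: Packet) -> None:
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} ({why})")
        return None

    def _global_port(self, proto: str, port: int) -> int:
        # Keep the inside port when free (the TCP slide keeps 1026); otherwise PAT from the pool.
        used = {s.global_port for s in self.slots.values() if s.proto == proto}
        if port not in used:
            return port
        while self.next_pool_port in used:
            self.next_pool_port += 1
        self.next_pool_port += 1
        return self.next_pool_port - 1

    def _lookup(self, proto: str, gport: int, raddr: str, rport: int):
        for key, s in self.slots.items():
            if (s.proto, s.global_port, s.remote) == (proto, gport, (raddr, rport)):
                return key, s
        return None, None

    def outbound(self, pkt: Packet, now: Optional[float] = None) -> Optional[Packet]:
        """Inside -> outside: open a slot on a permitted first packet, then translate."""
        now = time.monotonic() if now is None else now
        if not pkt.src.startswith(self.inside_prefix):
            return self._drop("source is not an inside address", pkt)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        slot = self.slots.get(key)
        if slot is None:   # no slot yet: only create one after the checks pass
            if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
                return self._drop("denied by access control", pkt)
            if pkt.proto == "tcp" and pkt.flags != "S":
                return self._drop("no translation slot and not a SYN", pkt)
            slot = Slot((pkt.src, pkt.sport), (pkt.dst, pkt.dport),
                        self._global_port(pkt.proto, pkt.sport), pkt.proto,
                        "SYN_SENT" if pkt.proto == "tcp" else "OPEN", now, pkt.seq)
            self.slots[key] = slot
        slot.last_seen = now
        offset = ISN_OFFSET if pkt.proto == "tcp" else 0
        return Packet(pkt.proto, GLOBAL_ADDR, pkt.dst, slot.global_port, pkt.dport,
                      pkt.flags, pkt.seq + offset, pkt.ack)

    def inbound(self, pkt: Packet, now: Optional[float] = None) -> Optional[Packet]:
        """Outside -> inside: pass only replies matching an open slot, then un-translate."""
        now = time.monotonic() if now is None else now
        key = slot = None
        if pkt.dst == GLOBAL_ADDR:
            key, slot = self._lookup(pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if slot is None:
            return self._drop("no matching request", pkt)
        if pkt.proto == "udp" and now - slot.last_seen > UDP_TIMEOUT:
            del self.slots[key]
            return self._drop("UDP slot timed out", pkt)
        offset = 0
        if pkt.proto == "tcp":
            offset = ISN_OFFSET
            if slot.state == "SYN_SENT":
                # the reply must acknowledge exactly the ISN we sent out (catches reply spoofing)
                if pkt.flags != "SA" or pkt.ack != slot.isn + ISN_OFFSET + 1:
                    return self._drop("reply does not match the outstanding SYN", pkt)
                slot.state = "ESTABLISHED"
            elif "S" in pkt.flags:
                return self._drop("SYN on an established connection", pkt)
        slot.last_seen = now
        return Packet(pkt.proto, pkt.src, slot.inside[0], pkt.sport, slot.inside[1],
                      pkt.flags, pkt.seq, pkt.ack - offset)


if __name__ == "__main__":
    fw = StatefulFirewall()   # slide packets #1..#5: Telnet from 10.0.0.3 to 64.236.24.20
    print(fw.outbound(Packet("tcp", "10.0.0.3", "64.236.24.20", 1026, 23, "S", 49091), now=0.0))
    print(fw.inbound(Packet("tcp", "64.236.24.20", GLOBAL_ADDR, 23, 1026, "SA", 92513, 49770), now=0.1))
    print(fw.outbound(Packet("tcp", "10.0.0.3", "64.236.24.20", 1026, 23, "A", 49092, 92514), now=0.2))
```

Running it reproduces packets #2, #4 and the translated #5 from the slides; an inbound SYN to a port with no slot, or a reply whose acknowledgement number does not match the SYN that went out, is dropped and logged rather than forwarded.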
Stateful Packet Filtering : UDP
(Diagram: PAT. Inside hosts 10.0.0.2 and 10.0.0.3 both use source port 49090 toward port 23 on 192.168.0.15; the firewall maps them to global address 172.30.0.50, ports 2000 and 2001; public host 24.93.67.64 on the Internet)
Efficient protocol
Difficult to secure
Firewall Technology : Proxy Server
Application specific support (HTTP, FTP, Gopher, WAIS, and News)
Good for efficient applications like Telnet and FTP
Hides internal network from public Internet
Everything appears to be coming from the firewall/proxy server
Requires configuration of client browser
Allows caching to reduce network traffic
Limitations
Configuration required
Application level implementation
Performance impact
Application must reside on firewall
Resource intensive for firewall
(Diagram: Internet; organization not-secure network with public WWW server; firewall; organization secure network with clients and servers (WWW and others); Telnet, HTTP, FTP ... pass through the proxy)
Proxy Server : HTTP Example
(Diagram: proxy client on the secure network, proxy server performing application protocol analysis, public network; the proxy resolves www.cnn.com to 64.236.24.20 by DNS lookup)
Client to proxy: GET Http://www.cnn.com/index.html
Proxy to server: GET /index.html
Server response as seen at the proxy (HTTP: --- Hypertext Transfer Protocol ---):
HTTP: Line 1: HTTP/1.0 302 Found
HTTP: Line 2: Server: Netscape-Enterprise/2.01
HTTP: Line 3: Date: Sun, 27 April 2003 14:52:11 GMT
(Diagram: Internet; organization not-secure network with public WWW server; firewall; organization secure network with clients and servers (WWW and others))
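The application-level step the HTTP example illustrates, as an added example (not the deck's code and not any particular proxy product): the proxy parses the client's absolute-URI request line, applies its policy, rewrites the request into the origin form it sends to www.cnn.com, and parses the server's status line. The permitted methods, the plain-HTTP-only port rule and the set of headers dropped are assumptions for this example.

```python
"""Application-level proxy handling of the slide's HTTP example. Added example,
not the deck's code; allowed methods/ports and the dropped headers are assumed."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed proxy policy (no CONNECT, no TRACE)
ALLOWED_PORTS = {80}                          # assumed: plain HTTP only through this proxy
# Headers meant for the proxy itself or for this hop only; never forwarded to the server.
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive", "host"}


class ProxyPolicyError(ValueError):
    """Raised when the proxy refuses to forward a request or cannot parse a message."""


def _split_head(raw: bytes) -> Tuple[List[str], bytes]:
    """Split a request/response into header lines and body; reject non-ASCII heads."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise ProxyPolicyError("non-ASCII bytes in message head") from exc
    return lines, body


def rewrite_request(raw: bytes) -> Tuple[str, int, bytes]:
    """Client -> proxy 'GET http://www.cnn.com/index.html' becomes proxy -> server
    'GET /index.html'. Returns (server host, server port, bytes to send)."""
    lines, body = _split_head(raw)
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyPolicyError("malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise ProxyPolicyError(f"method {method} not permitted")
    url = urlsplit(target)                      # scheme is lower-cased for us
    if url.scheme != "http" or not url.hostname:
        raise ProxyPolicyError("proxy accepts absolute http:// URLs only")
    port = url.port or 80
    if port not in ALLOWED_PORTS:
        raise ProxyPolicyError(f"port {port} not permitted")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    out = [f"{method} {path} {version}", f"Host: {url.hostname}"]
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ProxyPolicyError("malformed header line")
        if name.strip().lower() not in HOP_BY_HOP:
            out.append(f"{name.strip()}: {value.strip()}")
    return url.hostname, port, ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Server -> proxy 'HTTP/1.0 302 Found ...' -> (302, {'server': ..., 'date': ...})."""
    lines, _ = _split_head(raw)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ProxyPolicyError("malformed status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


if __name__ == "__main__":
    # Constructed sample exchange using the slide's request and response lines.
    req = b"GET Http://www.cnn.com/index.html HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\nProxy-Connection: keep-alive\r\n\r\n"
    print(rewrite_request(req))
    resp = b"HTTP/1.0 302 Found\r\nServer: Netscape-Enterprise/2.01\r\nDate: Sun, 27 Apr 2003 14:52:11 GMT\r\n\r\n"
    print(parse_response_head(resp))
```

Because the proxy re-emits the request from its own parse rather than relaying the client's bytes, anything that is not a well-formed, policy-permitted HTTP request (a CONNECT tunnel attempt, a non-http scheme, a malformed header) is refused at the firewall instead of reaching the server, which is the "application protocol analysis" the diagram refers to.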
Firewall Technology : Socks Server
Circuit level gateway
Verify legitimate UDP or TCP session
Does not verify application
Verify traffic up to session layer
Standardization underway
"Socksified" version of application required
Reduces firewall load for resource intensive applications
Limitations
Some browsers have 'out of band' configuration
Not all applications 'socksified'
Client/browser must use socks API
(Diagram: Telnet, HTTP, FTP ... pass through the socks server)
Firewall Technology :
Domain Name Services
Internal only DNS
No interaction outside the firewall; ISP keeps external DNS
External only DNS
Only DNS outside the firewall
Both internal and external DNS
Use internal DNS for private network name resolution
Use external DNS for Internet
Internal DNS queries external DNS through proxy server
(Diagram: Internet, Internet router, open perimeter network, firewall, organization secure network; a "DNS?" placement question mark on each side of the firewall)
Physical connection to Internet/ISP
Building the tunnel
Security: device authentication, data encryption, address management, user authentication, key management, data integrity, accounting
(Diagram: your ISP; Internet; organization not-secure network with public WWW server and security server; firewall; organization secure network with Lotus Notes server)
Firewall Technology: Employee’s Need Protection at Home
Mini firewall
(Diagram: home system behind a mini firewall, connected to the Internet by DSL, cable modem or other high speed persistent connection)
Persistent connection allows hackers access to system (some access vendors frequently change your IP address)
Protection similar to that of firewall at work
Mini firewall
1) Network address translation (use private IP addresses for home network)
2) Filter and don’t allow any queries originating from outside (ingress/egress filtering)
3) Hardware -- Linksys, WatchGuard, Netgear, others
   ZoneAlarm, WinGate Home, CA EZArmor, Norton Personal Firewall, Tiny Personal Firewall, McAfee Internet Guard ...
4) Check your logs often (if your firewall has them)
Access to Legacy Data
Browser sends HTTP request (request for order update)
CGI (Common Gateway Interface) converts it to the database protocol
Order database
Internet Multihoming
(Diagram: Internet; primary ISP and secondary ISP, each through its own router; open perimeter network; firewall; organization secure network)
Recommended because Internet performance fluctuates, ISPs feel growing pains, and high availability is required
Receive full or partial Internet routes from ISPs and do not redistribute
Only advertise your own nets to ISPs
Perimeter Network - Variation
(Diagram: Internet; Internet router; open perimeter network with WWW, mail, news, etc. servers; firewall; organization secure network)
Put external servers on separate LAN segment
Private network to Internet access doesn’t contend for LAN resources with web servers
(Diagram: Internet; Internet router; 2 firewalls; WWW, mail, news, etc. servers on their own segment; open perimeter network; organization secure network)
Put external servers on separate LAN segment and through firewall
Additional security for public web servers
Firewall Redundancy
(Diagram: ISP #1 and ISP #2, each with an Internet router; open perimeter networks; firewall; several organization secure networks)
Firewall Factors
Design
Needs to be part of overall security policy
Security administrators assigned
Explicitly permit access and deny as default
Limit access points into network
Utilize all logging available
Turn off known problems and nonessential daemons
Problems
Need to test and audit on a regular schedule
Log file handling complex and time consuming
Filtering logic is rather basic
Leaks due to other connections
Tunnels through the firewall for special purposes
Capacity of proxy servers
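The "explicitly permit access and deny as default" design rule above, together with the ingress/egress filtering that the home mini-firewall list asks for, as one added example (written for this page, not the deck's code and not any vendor's rule syntax). The LAN prefix, the bogon list used for anti-spoofing and the permitted services are assumptions; every drop produces a log line, since the deck tells you to use all logging available and to check logs often.

```python
"""Ingress/egress rule set for a home 'mini firewall': deny spoofed sources on
both sides, explicit permits, deny by default, log every drop. Added example,
not from the deck; LAN prefix, bogon list and permitted services are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home network behind NAT
# Ranges that must never arrive from the Internet as a source, nor leave the LAN as a
# destination: private (RFC 1918), loopback, link-local, "this" network, multicast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    direction: str
    action: str                                   # "permit" or "deny"
    why: str                                      # text that ends up in the log
    proto: Optional[str] = None                   # None matches any protocol
    src: List[ipaddress.IPv4Network] = field(default_factory=list)   # empty matches any
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)
    dports: Optional[Set[int]] = None             # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction or (self.proto and pkt.proto != self.proto):
            return False
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.src and not any(s in n for n in self.src):
            return False
        if self.dst and not any(d in n for n in self.dst):
            return False
        return self.dports is None or pkt.dport in self.dports


# Ordered: first match wins; anything unmatched falls through to the default deny.
# Ingress: nothing originating outside is permitted at all (home policy, step 2 of the list).
# Egress: only LAN-sourced packets to public destinations, so the home network cannot be
# used as a spoofing relay ("they use your system as an intermediary").
HOME_RULES = [
    Rule("in", "deny", "spoofed or private source address arriving from the Internet", src=BOGONS),
    Rule("out", "deny", "destination is a private or reserved range", dst=BOGONS),
    Rule("out", "permit", "LAN host initiating to the Internet", src=[LAN]),
]


class MiniFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for a packet, logging every drop."""
        for rule in self.rules:
            if rule.matches(pkt):
                action, why = rule.action, rule.why
                break
        else:
            action, why = "deny", "default deny (no explicit permit)"
        if action == "deny":
            self.log.append(f"DROP {pkt.direction} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport} [{why}]")
        return action, why


if __name__ == "__main__":
    fw = MiniFirewall(HOME_RULES)
    # Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    for pkt in (Packet("in", "tcp", "10.1.2.3", "203.0.113.7", 4444, 80),
                Packet("in", "tcp", "198.51.100.9", "203.0.113.7", 4444, 80),
                Packet("out", "tcp", "192.168.1.20", "198.51.100.9", 40000, 443),
                Packet("out", "tcp", "172.16.5.5", "198.51.100.9", 40000, 443)):
        print(pkt, fw.evaluate(pkt))
    print("\n".join(fw.log))
```

Exposing one service to the Internet (the "allow incoming access to specific devices" case) is one more explicit `Rule("in", "permit", ...)` naming the protocol, the single public destination address and the single port, placed after the anti-spoofing deny; everything else still falls to the default deny.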
Strengthening Your Security Strategy
Isolate internal secure networks from the outside with firewalls
Harden your Internet security with a firewall and security policy
Lock your firewall in a secure room
Limit remote dial-in access, use smart cards
Track back-door dial-in ports
Plug holes in all operating systems
CERT Coordination Centers
Computer Emergency Response Team (CERT)
Created in 1988 in response to the Morris Worm
Headquartered at Carnegie Mellon University
Assists in responding to security events
Serves as focal point for security issues
Issues advisories
Mail [email protected]
Phone 412-268-7090
ftp ftp.cert.org/pub
Resources
Watchguard ... www.watchguard.com
Symantec ... www.symantec.com
Black Ice Defender ... www.networkice.com
ZoneAlarm ... www.zonelabs.com
Linksys ... www.linksys.com
Internet Security Systems ... www.iss.net
JAVA Security FAQ ... www.javasoft.com
Network Associates ... www.nai.com
Secure Computing Corp. ... www.sctc.com
Network Security, Private Communication in a Public World : Prentice Hall : ISBN 0-13-061466-1
Applied Cryptography : Wiley : ISBN 0-471-11709-9
Computer Emergency Response ... www.sei.cmu.edu/products/services/
Computer Security Institute ... www.gocsi.com
ICSA ... www.icsa.net
RSA Data ... www.rsa.com
Silicon Toad’s Hacking Resources ... www.hackers.com/index2.htm