Firewalls
What is a firewall?
• Device that provides secure connectivity between networks
(internal/external; varying levels of trust)
• Used to implement and enforce a security policy for
communication between networks
[Figure: a firewall and router placed between the untrusted side (Internet, untrusted networks & servers, untrusted users) and the trusted side (intranet, trusted networks, trusted users), with a DMZ holding the publicly accessible servers & networks]
Firewalls
• From Webster's Dictionary: a wall
constructed to prevent the spread of fire
• Internet firewalls are more the moat around a
castle than a building firewall
• Controlled access point
Firewalls can:
• Restrict incoming and outgoing traffic by IP
address, ports, or users
• Block invalid packets
Firewalls Cannot Protect…
• Traffic that does not cross it
– routing around
– Internal traffic
• When misconfigured
Access Control
Security Requirement
• Control access to network information and resources
• Protect the network from attacks
Filtering
• Packets checked then passed – typically route packets
• Inbound & outbound affect when policy is checked
• Packet filtering
– Access Control Lists
• Session filtering
– Dynamic Packet Filtering
– Stateful Inspection
– Context Based Access Control
• Fragmentation/reassembly
• Sequence number checking
• ICMP
Packet Filtering
• Decisions made on a per-packet basis
• No state information saved
Packet Filter
[Figure: protocol stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical) of two end hosts, connected through a router acting as the packet filter]
Session Filtering
• Packet decision made in the context of a
connection
• If packet is a new connection, check against
security policy
• If packet is part of an existing connection,
match it up in the state table & update table
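The difference between per-packet and per-connection decisions, as an added example that is not part of the original slides. The network prefix, the port policy, the sample packets and all names (`packet_filter`, `SessionFilter`, `demo`) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed trusted network
ALLOWED_PORTS = {80, 443}                      # constructed outbound policy

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a new TCP connection

def inside(ip):
    return ipaddress.ip_address(ip) in INSIDE

def packet_filter(p):
    """Per-packet ACL with no state: replies need a standing inbound rule."""
    if inside(p.src) and not inside(p.dst) and p.dport in ALLOWED_PORTS:
        return "pass"
    if inside(p.dst) and not inside(p.src) and p.sport in ALLOWED_PORTS and not p.syn:
        return "pass"   # "looks like a reply" is all a stateless rule can test
    return "drop"

class SessionFilter:
    """New connections are checked against policy, the rest against the state table."""
    def __init__(self):
        self.table = {}   # connection key -> packets seen

    def check(self, p):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])  # same key both directions
        if key in self.table:          # existing connection: match and update
            self.table[key] += 1
            return "pass"
        if (p.syn and inside(p.src) and not inside(p.dst)
                and p.dport in ALLOWED_PORTS):   # new connection: check policy
            self.table[key] = 1
            return "pass"
        return "drop"

def demo():
    fw = SessionFilter()
    pkts = [
        Packet("10.1.2.3", 50000, "203.0.113.5", 443, syn=True),  # outbound SYN
        Packet("203.0.113.5", 443, "10.1.2.3", 50000),            # its reply
        Packet("203.0.113.9", 443, "10.1.2.3", 50001),            # no connection behind it
    ]
    return [packet_filter(p) for p in pkts], [fw.check(p) for p in pkts]
```

The stateless filter passes the third packet because it only resembles a reply; the session filter drops it because no matching entry exists in the state table.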
Session Filtering
Screens ALL attempts, Protects All applications
Extracts & maintains 'state' information
Makes an intelligent security / traffic decision
[Figure: protocol stacks (Applications, Presentations, Sessions, Transport, Network, DataLink, Physical) of two end hosts and the firewall between them, with dynamic state tables maintained at the firewall]
Proxy Firewalls
• Relay for connections
• Client Proxy Server
• Two flavors
– Application Level
– Circuit Level
Application Gateway
• Understand specific applications
– Limited proxies available
– Proxy “impersonate” both sides of the connection
• Resource intensive
– Process per connection
• HTTP proxies may cache web pages
• More appropriate for TCP
• Block all unless specifically allowed
• Must write a new proxy application to support new
applications
– Non Trivial
Application Layer GW/proxy
[Figure: an application gateway between two end hosts, with separate Telnet, FTP and HTTP proxies; each stack shows the Applications, Presentations, Sessions, Transport, Network, DataLink and Physical layers]
Encryption (VPNs)
• Allows trusted users to access sensitive
information while traversing untrusted
networks
• Useful for remote users/sites
• IPSec
• Encrypted Tunnels
PGP
Pretty Good Privacy (PGP)
• widely used de facto secure email
• developed by Phil Zimmermann
• selected best available crypto algs to use
• integrated into a single program
• available on Unix, PC, Macintosh and Amiga
systems
• originally free, now have commercial versions
available also
PGP
• Five services
– Authentication, confidentiality, compression,
email compatibility, segmentation
• Functions
– Digital signature
– Message encryption
– Compression
– Email compatibility
– segmentation
PGP Operation – Integrity and Authentication
1. Sender creates a message
2. SHA-1 used to generate 160-bit hash code of
message
3. hash code is encrypted with RSA using the sender's
private key, and result is attached to message
4. receiver uses RSA or DSS with sender's public key
to decrypt and recover hash code
5. receiver generates new hash code for message and
compares with decrypted hash code, if match,
message is accepted as authentic
Pretty Good Privacy (PGP) - Message
Integrity and Authentication
[Figure: the sender calculates an MD5 checksum over the message contents and signs the checksum using RSA with the sender's private key; the message is transmitted; the receiver decrypts the signed checksum with the sender's public key, calculates an MD5 checksum on the received message and compares it against the received value; sender identity and message integrity are confirmed if the checksums match]
PGP Operation – Confidentiality
1. sender generates message and random 128-bit
number to be used as session key for this message
only
2. message is encrypted, using CAST-128 /
IDEA/3DES with session key
3. session key is encrypted using RSA with recipient's
public key, then attached to message
4. receiver uses RSA with its private key to decrypt and
recover session key
5. session key is used to decrypt message
PGP Message Encryption
[Figure: the sender creates a random secret key k, encrypts the original message using DES with secret key k, encrypts k using RSA with the recipient's public key, and encodes message + E(k) in ASCII for transmission; the recipient converts the ASCII message, decrypts E(k) using RSA with its own private key to recover k, and decrypts the message using DES with secret key k]
PGP Operation – Compression
• by default PGP compresses message after
signing but before encrypting
– so can store uncompressed message & signature
for later verification
– & because compression is non deterministic
• uses ZIP compression algorithm
Segmentation & Reassembly
• Email systems impose maximum length
– 50 Kb, for example
• PGP provides automatic segmentation
– Done after all other operations
– Thus only one session key needed
PGP
• Alice wants to provide secrecy, sender authentication,
message integrity.
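[Figure: Alice hashes $m$ and signs the hash with her private key, giving $K_A^-(H(m))$; she encrypts $m$ together with this signature under a new symmetric key $K_S$, encrypts $K_S$ with Bob's public key, and sends $K_S\big(m,\ K_A^-(H(m))\big) + K_B^+(K_S)$ over the Internet]
Alice uses three keys: her private key, Bob's public key,
newly created symmetric key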
Folklore
Perfect Forward Security
• A protocol property that prevents someone
who records an encrypted conversation from
being able to later decrypt the conversation
• Keep the conversation secret from
– Someone (an escrow agent, attacker..) who knows
the long-term key
• Two ways
– A Diffie-Hellman exchange, then forget DH
information
– Ephemeral public/private key pair
Change Keys Periodically
• The more examples of ciphertexts you can see,
the more likely you can break the encryption
and find the key
• Change keys (key rollover)
Continue..
• Use different keys in the two directions
• Use different secret keys for encryption vs.
integrity protection
• Use different keys for different purposes
Continue..
• Have both sides contribute to the master key
• HMAC rather than Simple MD
• Key expansion
• Randomly Chosen IVs
• Use nonce in protocols
• Compress data before encrypting it
• Do not do encryption only
• Minimal vs. redundant designs
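Several of the rules above (both sides contribute to the master key, key expansion, different keys per direction and per purpose, HMAC rather than a plain digest, nonces) combined in one added example that is not part of the original slides. The expansion follows the HKDF construction of RFC 5869; the labels, function names and sample message are constructed, and the shared secret stands in for one the two parties have already agreed on.

```python
import hashlib
import hmac
import secrets

def expand(master, label, length=32):
    """HMAC-based key expansion (HKDF-Expand from RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(master, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def session_keys(shared_secret, nonce_a, nonce_b):
    # Both sides contribute: the master key depends on each party's fresh nonce.
    master = hmac.new(nonce_a + nonce_b, shared_secret, hashlib.sha256).digest()
    # One key per direction and per purpose (encryption vs. integrity).
    labels = ("enc a->b", "enc b->a", "mac a->b", "mac b->a")
    return {label: expand(master, label.encode()) for label in labels}

def tag(mac_key, seq, data):
    # HMAC rather than a bare digest; seq ties the tag to one position in the stream.
    return hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()

def verify(mac_key, seq, data, t):
    return hmac.compare_digest(tag(mac_key, seq, data), t)

def demo():
    secret = secrets.token_bytes(32)   # stand-in for an already agreed shared secret
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    keys = session_keys(secret, na, nb)
    msg = b"constructed sample message"
    t = tag(keys["mac a->b"], 0, msg)
    return {
        "distinct": len(set(keys.values())) == 4,
        "accepted": verify(keys["mac a->b"], 0, msg, t),
        "reflected": verify(keys["mac b->a"], 0, msg, t),   # sent back to A
        "replayed": verify(keys["mac a->b"], 1, msg, t),    # same message, later slot
        "fresh_nonce_changes_keys": session_keys(secret, na, secrets.token_bytes(16)) != keys,
    }
```

A message reflected back to its sender or replayed at a later sequence number fails verification, which is what the per-direction keys and the sequence number buy.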
Continue…
• Put Checksums at the end of data
• Forward Compatibility
• Negotiating Parameters
– Different Algorithms