INLS 566
September 18, 2008
Network Firewalls
Housekeeping
Any questions about material so far?
Any interesting security news? (5 min)
Firewall
Access control for the network
Inbound and/or outbound
Need not be a standalone box
Can be hardware or software
May allow / deny at various levels
Term “Firewall” not very specific!
Examples
Cisco PIX
Built-in Windows™ firewall
ZoneAlarm
Wireless AP
Military communications
Home router
Network Levels
(7-layer) OSI Reference Model
7  Application    Web, SQL
6  Presentation
5  Session
4  Transport      TCP, UDP
3  Network        IP, ICMP
2  Data Link      packet, MAC address
1  Physical       wires, radio
Layer 1 Filters
Unplug (or don’t plug)
E.g., scan laptop before plugging in
(Or WiFi wallpaper)
Layer 2 Filters
Filter on MAC address
Subsystem of many devices
Wireless AP
Military communications
Home router
Commercial switch or router
Layer 3 Filters
One of the most common
Filter IP address, port number, flags
“Packet filter”
NAT “firewall”
“NAT Firewall”
“Network Address Translation”
One (public) IP address outside
RFC 1918 private IP addresses inside
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Router translates back and forth
Encodes which inside host sent the packet in the outgoing source port number, so replies can be mapped back
Private addresses don’t work outside
Packet Filter
List of Allow & Deny rules (typical)
Looks at only one packet at a time
Source IP address & port number
Destination IP address & port number
Protocol type, flags (e.g., inbound/outbound)
Easy to build, hard to program
A lot like assembly language programming
Example (ICMP)
Example (IOS)
! Named extended ACL: IOS does not accept "access-list fred ..."; names need "ip access-list"
! 443 is https; 1443 is as in the original list
ip access-list extended fred
 permit tcp any host 10.1.1.42 eq www
 permit tcp any host 10.1.1.42 eq smtp
 permit tcp any host 10.1.1.42 eq pop3
 permit tcp any host 10.1.1.42 eq 443
 permit tcp any host 10.1.1.42 eq 1443
 deny ip any any
! The list does nothing until applied to an interface (interface name is a placeholder)
interface FastEthernet0/0
 ip access-group fred in
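A toy stateless packet filter, added here as an example (it is not code from the slides or from Cisco): it parses the access list above into first-match rules and decides one packet at a time on protocol, addresses and destination port, which also shows why an attack carried inside permitted port 80 traffic passes untouched. The PORT_NAMES map and the dict layout for packets are my own assumptions.

```python
import ipaddress

# Port-name keywords from the slide's ACL mapped to numbers (constructed subset).
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "https": 443}

def _host_spec(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[:2]}")

def parse_rule(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' into a rule dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _host_spec(tokens[2:])
    dst, rest = _host_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(rule, pkt):
    """Compare one packet's headers only; the payload is never looked at."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt.get("dport")

def filter_packet(rules, pkt):
    """First matching rule decides; as in IOS, anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# The slide's list "fred", entry by entry, in the form used under 'ip access-list extended'.
RULES = [parse_rule(line) for line in (
    "permit tcp any host 10.1.1.42 eq www",
    "permit tcp any host 10.1.1.42 eq smtp",
    "permit tcp any host 10.1.1.42 eq pop3",
    "permit tcp any host 10.1.1.42 eq 443",
    "permit tcp any host 10.1.1.42 eq 1443",
    "deny ip any any",
)]
```

Reordering the entries changes the result only when two of them overlap, which is exactly the "hard to program" trap the slide warns about.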
Application Layer
Often referred to as Layer 7
The services you want
SMTP, POP3 (email)
HTTP, HTTPS (web)
ssh (command line)
FTP, telnet, etc.
Application Gateway
Intercepts and parses application traffic
“Understand” transactions at application level
E.g., HTTP proxy, email gateway
Inspects each transaction for no-no’s
HTTP buffer overflow
Email attachment with a virus
Complex application, complex filter
Firewalls
Work when the threat is easily recognized by a filter
…and when the threat has to go through the firewall
One element of layered protection
Firewalls
Threats outside their logic
E.g., attacks carried inside permitted port 80 traffic (need an application gateway)
Firewall errors
Administrator mistakes (e.g., bad rules)
Bugs in the firewall software
Hardware failure
Firewalls
Threats from inside
People making mistakes and/or violating policy
Inside machines compromised by other attacks
Perimeter mistakes
Rogue modems, rogue wireless APs
Infected laptops, kids using the VPN
Firewalls
Have software firewall on your laptop
Especially if you connect to different networks
(Be aware there is still some risk – Blackhat ’08)
Have software firewall on your PC
Unexpected traffic out – surprise, you’re infected
Have hardware firewall at home
Another layer, harder for malware to turn off
(But find out details of what they do)
Suggested Reading
Schneier:
ch. 11-12 (pp. 147-180)
Dhillon:
ch. 5 (pp. 64-93)
McClure:
ch. 7 (pp. 352-405)
ch. 9 (pp. 464-485)