Firewalls
Mark Clements
    Last Week ...

       Three main methods for cryptography
       Symmetric, asymmetric, hash
       Used in unique combinations
       Allow Bob and Alice to communicate without Eve knowing

2                                         ENS
    This week ...

     Firewalls in general
     Stateful vs. Stateless Firewalls
     Application Proxies
     Firewall Architectures

    Protecting the Network Perimeter

    Possible reasons for attacking a network:

         Simple curiosity

    What is a Firewall?

       A firewall acts as a control barrier between a trusted and an untrusted computer network
        –   For example between a company network and the
       It is able to make a decision whether to allow a packet to pass or not
       It can be a dedicated system or a router too

    Policy and Connections

     [Diagram: firewall placed between the Untrusted Network and the Trusted Network]

     The firewall:
     - enforces a security policy
     - allows only connections matching security settings

    Example Policy

       For example, a firewall might be configured to pass all HTTP (WWW) traffic to TCP port 80, but to block any TELNET datagrams to TCP port 23
        –   TELNET is known to have security weaknesses, such as sending the username and password in plain text
        –   you do not wish to allow external clients to TELNET onto your servers and clients

    Policy in action
     [Diagram: between the Untrusted Network and the Trusted Network, Telnet (to TCP port 23) is Blocked and HTTP (to TCP port 80) is Passed]

    IP Datagram Overview


     Firewall Components

        There are two principal firewall components
         –   Packet filtering routers
         –   Application proxies
        These work at different layers of the network
        We shall now consider each of these in more

     Packet Filtering Routers

        Packet filtering routers decide whether to pass an IP datagram by viewing data in both the network and transport layer headers
        In particular, packet filtering routers can consider the following information:
         –   Source and destination IP address (or subnet)
         –   Source and destination TCP or UDP port number
         –   Direction of datagram flow
         –   State of connection (new or established)
        So in summary, packet filtering routers operate at the network (IP) and transport (TCP/UDP) layers of the stack

     OSI Layers for firewalling

     [Diagram: a Packet Filtering Router sits between the Untrusted Network and the Trusted Network; it inspects the Transport (TCP/UDP) Layer and the Network (IP) Layer, with the Link Layer and Physical Layer below them on each side]

     Packet Filtering Routers

        Packet filtering routers can operate in one of two ways:
         –   Stateless packet filtering
         –   Stateful packet filtering
        Using an access control list to check for traffic is an example of stateless filtering
        Stateful packet filtering takes note of the TCP 3-way handshake and ensures packets that pass are part of an agreed stream

     Stateless Firewalls

        Stateless packet filtering routers make forwarding decisions based on the contents of the network (IP) layer header and the transport (TCP/UDP) layer header
        Their forwarding decisions are therefore based on:
          –   The source and destination IP address (or subnet)
          –   The direction of datagram travel
          –   The source and destination TCP or UDP port number
          –   Transport layer data such as SYN and ACK flags

     Stateful Packet Filtering Routers

        Stateful packet filtering routers also make forwarding decisions based on the contents of the Network (IP) layer datagram header and the Transport (TCP/UDP) layer segment header
        In addition they maintain a connection state table
         –   Holds the current state of a given connection
         –   No need to rely solely on the SYN and ACK flag values for each packet to learn this information (the flag values can be spoofed)

     Stateful Firewall Decisions

        Forwarding decisions are therefore based on:
          –   The source and destination IP address (or subnet)
          –   The direction of datagram travel
          –   The source and destination TCP or UDP port number
          –   Whether the datagram is part of a new or established connection (as recorded in the state table, which is built from the SYN and ACK flags seen in the TCP segment headers)

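The difference between the two approaches, shown as an added Python example that is not part of the original slides: the same policy (pass HTTP to TCP port 80, block Telnet to TCP port 23, let replies to inside-initiated connections back in) is implemented first as a stateless ACL that infers "established" from the ACK flag, then as a stateful filter that follows the 3-way handshake in a state table. The Packet class, addresses and ports are constructed for the example; the last sample packet carries a forged ACK flag and shows why the slides warn that flag values can be spoofed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed: only the header fields a packet filter inspects
    src: str; dst: str          # IP addresses
    sport: int; dport: int      # TCP ports
    syn: bool = False; ack: bool = False
    inbound: bool = True        # True = untrusted -> trusted network

def stateless_decide(pkt: Packet) -> bool:
    """ACL-style decision using nothing but this packet's own headers."""
    if not pkt.inbound:
        return True                 # outbound traffic is permitted
    if pkt.dport == 23:
        return False                # Telnet blocked by policy
    if pkt.dport == 80:
        return True                 # HTTP passed by policy
    return pkt.ack                  # "established" is guessed from the ACK flag alone

def stream_key(pkt: Packet) -> tuple:  # both directions of one stream share a key
    return ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if pkt.inbound
            else (pkt.src, pkt.sport, pkt.dst, pkt.dport))

class StatefulFilter:  # same policy, but inbound data must belong to a tracked stream
    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}   # stream key -> handshake state

    def decide(self, pkt: Packet) -> bool:
        state = self.table.get(k := stream_key(pkt))
        if pkt.inbound and pkt.dport == 23:
            return False                        # Telnet blocked by policy
        if pkt.syn and not pkt.ack and state is None:
            if pkt.inbound and pkt.dport != 80:
                return False                    # only HTTP may be opened from outside
            self.table[k] = "SYN_SENT"          # handshake step 1 recorded
            return True
        if pkt.syn and pkt.ack and state == "SYN_SENT":
            self.table[k] = "ESTABLISHED"       # step 2: the stream is now agreed
            return True
        return state == "ESTABLISHED"           # a forged ACK with no entry is dropped

SAMPLE = [  # constructed traffic, documentation address ranges
    Packet("198.51.100.9", "10.0.0.80", 51000, 23, syn=True),                # Telnet attempt
    Packet("10.0.0.5", "203.0.113.7", 40000, 443, syn=True, inbound=False),  # inside host opens
    Packet("203.0.113.7", "10.0.0.5", 443, 40000, syn=True, ack=True),       # SYN-ACK reply
    Packet("10.0.0.5", "203.0.113.7", 40000, 443, ack=True, inbound=False),  # handshake step 3
    Packet("198.51.100.9", "10.0.0.5", 6666, 1234, ack=True),                # ACK forged, no stream
]

def compare(packets=SAMPLE):  # returns (stateless decisions, stateful decisions)
    stateful = StatefulFilter()
    return [stateless_decide(p) for p in packets], [stateful.decide(p) for p in packets]
```

Only the stateful filter rejects the final packet, because no handshake for that stream was ever seen.
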
     Performance vs. Cost

        90% of the firewalls today are stateful
        Stateful packet filtering routers are more reliable than stateless packet filtering routers
        They provide a greater level of protection than stateless packet filtering routers
        However, for similar cost, stateful packet filtering routers are generally slower than stateless packet filtering routers

     Packet Filtering Routers
     Performance Summary

     Application Proxies

        10% of firewalls are application proxies
        Application proxies operate on all layers of the OSI stack from the application layer down, rather than just the network and transport layers
        This makes them slower
        This makes them more specific

     Application Proxy and OSI

     [Diagram: an Application Proxy sits between the Untrusted Network and the Trusted Network; it operates at the Application Layer, with a complete Transport (TCP/UDP) Layer, Network (IP) Layer, Link Layer and Physical Layer on each side]

     Proxies and Decisions

        Application proxies can see and manipulate all data which the full application can see
        A separate application proxy is required for each application's traffic
         –   i.e. HTTP, SMTP, FTP, etc.
         –   There are a number of other types of proxies. However, in firewall terminology, it is not unusual to refer to application proxies simply as proxies

     Application Proxy Examples

        HTTP proxy: Java applets and ActiveX components which are coming in from TCP port 80 can be dropped, while plain HTML files and graphics files coming in from the same port can be passed
        SMTP proxy: An executable file attached to an e-mail can be scanned for known viruses

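The HTTP proxy decision above, as an added Python example that is not from the original slides: the proxy parses the whole response (something a packet filter never sees), drops Java applets and ActiveX components by content type or by the first bytes of the body, removes applet/object elements from HTML it passes, and lets graphics files through. The sample responses and the blocked-type and magic-byte lists are constructed for the example.

```python
import re

# Constructed HTTP responses, as an HTTP proxy sees them arriving from TCP port 80.
HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>Hello</p><applet code='x.class'></applet></body></html>")
JAR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n\xca\xfe\xba\xbe\x00\x00"
PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00"
FAKE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ\x90\x00 not really html"

BLOCKED_TYPES = {"application/x-java-applet", "application/java-archive", "application/x-oleobject"}
BLOCKED_MAGIC = {b"\xca\xfe\xba\xbe": "Java class file", b"MZ": "PE executable (ActiveX control)"}

def parse_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return lines[0], headers, body

def rebuild(status: str, headers: dict, body: bytes) -> bytes:
    """Re-serialise after manipulation so Content-Length matches the new body."""
    headers["content-length"] = str(len(body))
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("latin-1") + b"\r\n\r\n" + body

def inspect(raw: bytes):
    """Application-layer decision: ('pass' | 'drop', reason, bytes forwarded)."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return "drop", f"content-type {ctype}", b""
    for magic, name in BLOCKED_MAGIC.items():     # the header can lie; the bytes cannot
        if body.startswith(magic):
            return "drop", f"body is a {name}", b""
    if ctype == "text/html":
        # The proxy sees the whole document, so it can remove embedded
        # applet/object elements and pass the remaining HTML through.
        clean = re.sub(rb"<(applet|object)\b.*?</\1\s*>", b"", body, flags=re.I | re.S)
        reason = "html, active content removed" if clean != body else "html"
        return "pass", reason, rebuild(status, headers, clean)
    if ctype.startswith("image/"):
        return "pass", "graphics file", raw
    return "drop", f"unhandled content-type {ctype!r}", b""   # default deny
```
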
     Application Proxy Performance

        Application proxies are more reliable in detecting malicious content than packet filtering routers
        They are generally considered to provide a much greater level of protection than packet filtering routers
        However, proxies require considerably more memory and processor cycles than any of the types of packet filtering routers outlined

     Firewall Performance Summary

     [Chart: cost (processor cycles and memory) plotted against security, rising from Stateless Filtering at the low end to Proxying at the high end]

     Network Address Translation

        Network address translation (NAT) is a technique which allows a router to change the IP addresses of datagrams as they pass through (RFC 1631)
        Hostile datagrams cannot be routed to target systems if the IP address of the target system is unknown, or is illegal for use on the Internet (RFC 1918) e.g.:

     NAT Example

     [Diagram: NAT router between the Internet and the internal Network, with a Client on the inside]

     -Static NAT
     -Dynamic NAT
        -PAT (Port Address Translation)

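The NAT variants listed above, as an added Python example that is not from the original slides: inside hosts in RFC 1918 space share one public address through PAT (dynamic port allocation), a static NAT entry keeps a web server reachable, and an unsolicited inbound datagram with no translation entry cannot be delivered to any inside host, which is the protective effect the NAT slide describes. The Datagram class and the documentation-range addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Datagram:  # constructed: only the fields NAT consults or rewrites
    src: str
    dst: str
    sport: int
    dport: int

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True for private addresses that are illegal for use on the Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

class PAT:
    """Port Address Translation: many inside hosts share one public address.

    `static` holds static NAT entries (public port -> inside host, port) for
    servers that must stay reachable from outside; everything else is dynamic."""
    def __init__(self, public_ip: str, static: Optional[dict] = None, first_port: int = 1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.inbound: dict = dict(static or {})                    # public port -> (ip, port)
        self.outbound = {v: k for k, v in self.inbound.items()}    # (ip, port) -> public port

    def translate_out(self, d: Datagram) -> Optional[Datagram]:
        if not is_rfc1918(d.src):
            return None                       # only inside (private) sources are translated
        inside = (d.src, d.sport)
        if inside not in self.outbound:       # dynamic NAT: allocate a public port on first use
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[inside], self.inbound[port] = port, inside
        return replace(d, src=self.public_ip, sport=self.outbound[inside])

    def translate_in(self, d: Datagram) -> Optional[Datagram]:
        """Rewrite an inbound datagram to its inside host; None if nothing maps to it."""
        if d.dst != self.public_ip or d.dport not in self.inbound:
            return None                       # unsolicited: no inside target can be reached
        ip, port = self.inbound[d.dport]
        return replace(d, dst=ip, dport=port)

def scenario():
    """Constructed walk-through; returns (outbound, reply, static web hit, blind Telnet probe)."""
    nat = PAT("203.0.113.1", static={80: ("192.168.1.80", 80)})   # documentation-range addresses
    out = nat.translate_out(Datagram("192.168.1.10", "198.51.100.20", 40000, 443))
    reply = nat.translate_in(Datagram("198.51.100.20", "203.0.113.1", 443, out.sport))
    web = nat.translate_in(Datagram("198.51.100.66", "203.0.113.1", 5555, 80))
    probe = nat.translate_in(Datagram("198.51.100.66", "203.0.113.1", 5555, 23))
    return out, reply, web, probe
```
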
     Firewall Architectures

        Most real firewalls make use of a number of components connected together, to form an overall firewall solution
        It is possible to build a wide range of firewall architectures, with each having a range of applications
        Some examples are:
         –   The Classic architecture
         –   The Belt and Braces architecture
         –   The Chapman architecture

     Firewall Architectures - Classic

     [Diagram: Internet -> Filtering Router -> DMZ holding the WWW Server, FTP Server and DNS Server -> Application proxy -> company network]

     Classic Architecture

        The packet filtering router prevents datagrams not addressed to the DMZ hosts or the proxy from entering the DMZ
        Externally visible services (www, FTP, etc) are easily
        Datagrams traveling to the company network are sent via the application proxy for maximum security
        If any of the DMZ hosts are compromised, they can be re-configured quickly
         –   no adverse effect on company network

     Belt and Braces Architecture

     [Diagram: Internet -> Packet Filtering Router -> Application proxy -> Packet Filtering Router -> company network]

     Belt and Braces Security

        The additional packet filtering router provides an additional level of security
        If the proxy is compromised, the company network is still protected

     Chapman Architecture

     [Diagram: Internet -> Packet Filtering Router -> segment holding the WWW Server and FTP Server -> Packet Filtering Router -> internal Network]

     Chapman Architecture

        Outgoing traffic can by-pass the proxy
        Allows external access to services not supported by the proxy
        NAT not possible
        If the external router is compromised, the internal router is vulnerable to attack

     Firewall Security

        Remember that firewalls themselves are vulnerable to attack, so the following precautions should be taken:
         –   Remove all Telnet and SSH access to firewall
         –   Operate firewall components only from the console
         –   Remove all unnecessary software and services from firewall components
         –   Remove all unnecessary user accounts from firewall

     What a Firewall Cannot Do

        A firewall cannot protect against poor server, client or network configuration
        A firewall cannot configure itself, or prevent the firewall administrator from configuring it badly
        A firewall should be considered as part of a network security solution, not as the network security solution


     Summary

        Firewalls prevent malicious traffic from entering a network by filtering
        Permitted traffic is defined in a policy
        Stateful and stateless architectures
        Application proxies are better but slower
        Allows for several architectures
        NAT obfuscates inside addresses

     Professional Qualifications in Information Security

        There are a number of professional certifications in the field of information security
        Some of the most commonly recognized are those offered by:
         –   The International Information Systems Security Certification Consortium, generally known as (ISC)2
         –   ISACA, the Information Systems Audit and Controls
         –   The SANS Institute
         –   See the following web site screen shots