Firewalls

Chapter 3
Border Firewall (figure)
  The Internet border firewall sits between the internal corporate network (trusted) and the Internet (not trusted)
  Ingress: an attack packet from the attacker is dropped; a legitimate packet is passed to the hardened client PC or hardened server
  Egress: packets from internal hosts are passed out to the Internet
  The firewall records its decisions in a log file
Types of Firewall Inspection

  Packet Inspection
    Examines IP, TCP, UDP, and ICMP header contents
    Static packet filtering looks at individual packets in isolation; it misses many attacks
    Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
       Stateful inspection is the preferred packet inspection method today
Types of Firewall Inspection

  Application Inspection
    Examines application layer messages
    Stops some attacks that packet inspection cannot

  Network Address Translation
    Hides the IP addresses of internal hosts to thwart sniffers
    Benignly spoofs source IP addresses in outgoing packets
Types of Firewall Inspection

  Denial-of-Service Inspection
    Recognizes incipient DoS attacks and takes steps to stop them
    Limited to a few common types of attacks

  Authentication
    Only packets from users who have proven their identity are allowed through
    Not commonly used, but can be valuable
Types of Firewall Inspection

  Virtual Private Network Handling
    Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
    VPN protection often works in parallel with other types of inspection instead of being integrated with them
Types of Firewall Inspection

  Integrated Firewalls
    Most commercial products combine multiple types of filtering
    Some freeware and shareware firewall products offer only one type of filtering
Firewalls

  Types of Firewalls
    Screening router firewalls
    Computer-based firewalls
    Firewall appliances
    Host firewalls (firewalls on clients and servers)
  Inspection Methods
  Firewall Architecture
  Configuring, Testing, and Maintenance
Firewall Hardware and Software

Screening Router Firewalls
  Add firewall software to the router
  Usually provide light filtering only
  Expensive for the processing power—usually must upgrade hardware, too
Firewall Hardware and Software

Screening Router Firewalls
  Screens out the incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
  Good location for egress filtering—can eliminate scanning responses, even from the router
Firewall Hardware and Software

  Computer-Based Firewalls
    Add firewall software to a server with an existing operating system: Windows or UNIX
    Can be purchased with the power to handle any load
    Easy to use because administrators already know the operating system
Firewall Hardware and Software

  Computer-Based Firewalls
    Firewall vendor might bundle the software with hardened hardware and operating system software
    General-purpose operating systems result in slower processing
Firewall Hardware and Software

Computer-Based Firewalls
   Security: Attackers may be able to hack the operating system
     Change filtering rules to allow attack packets in
     Change filtering rules to drop legitimate packets
Firewall Hardware and Software

  Firewall Appliances
    Boxes with minimal operating systems
    Therefore, difficult to hack
    Setup is minimal
    Not customized to a specific firm's situation
    Must be able to update
Firewall Hardware and Software

  Host Firewalls
    Installed on hosts themselves (servers and sometimes clients)
    Enhanced security because of host-specific knowledge
       For example, filter out everything but webserver transmissions on a webserver
Firewall Hardware and Software

  Host Firewalls
    Defense in depth
       Normally used in conjunction with other firewalls
       Although on a single host computer attached to the Internet, it might be the only firewall
Firewall Hardware and Software

  Host Firewalls
    If not centrally managed, configuration can be a nightmare
       Especially if rule sets change frequently
Firewall Hardware and Software

  Host Firewalls
    Client firewalls typically must be configured by ordinary users
       Might misconfigure or reject the firewall
       Need to centrally manage remote employee computers
Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering (figure)
  Performance requirements rise with traffic volume (packets per second) and with the complexity of filtering (number of filtering rules, complexity of rules, etc.)
Firewalls

  Types of Firewalls
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
  Firewall Architecture
  Configuring, Testing, and Maintenance
Static Packet Filter Firewall (figure)
  Packets arriving from the Internet are examined one at a time, in isolation
  Only the IP, TCP, UDP, and ICMP headers are examined (IP-H + TCP-H + application message; IP-H + UDP-H + application message; IP-H + ICMP message)
  Each packet is either permitted (passed) into the corporate network or denied (dropped); the firewall writes to a log file
Access Control List (ACL) for Ingress Filtering at a Border Router

  1. If source IP address = 10.*.*.*, DENY [private IP address range]
  2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
  3. If source IP address = 192.168.*.*, DENY [private IP address range]
  4. If source IP address = 60.40.*.*, DENY [internal address range]
  5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
  6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
  7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
  8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
  9. If TCP destination port = 20, DENY [FTP data connection]
  10. If TCP destination port = 21, DENY [FTP supervisory control connection]
  11. If TCP destination port = 23, DENY [Telnet data connection]
  12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
  13. If TCP destination port = 513, DENY [UNIX rlogin without password]
  14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
  15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
  16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
  17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
  DENY ALL
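The ingress ACL above as a first-match evaluator, an added example that is not from the original slides: rules 1-17 and DENY ALL become predicates tried in order, the evaluator reports which rule decided each constructed packet, and an audit function checks the ACL against a small policy list in the spirit of the deck's later testing slides. The client 60.55.33.12 and server 123.80.5.34 come from the deck's figures; the policy expectations are assumptions, and with the rules exactly as listed the last case (a SYN/ACK reply to an internal client) falls through to DENY ALL, which the audit reports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet holding only the header fields a static filter examines."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0                  # TCP/UDP destination port
    syn: bool = False
    ack: bool = False
    fin: bool = False
    icmp_type: Optional[int] = None


# One ACL entry: (label, predicate on the packet, action). Entries are tried in
# order and the first match decides, exactly as a router processes its ACL.
Rule = Tuple[str, Callable[[Packet], bool], str]


def src_in(cidr: str) -> Callable[[Packet], bool]:
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net


def tcp_dport(lo: int, hi: Optional[int] = None) -> Callable[[Packet], bool]:
    hi = lo if hi is None else hi
    return lambda p: p.proto == "tcp" and lo <= p.dport <= hi


# The page's ingress ACL, rules 1-17 followed by DENY ALL. The wildcard ranges
# are written as CIDR blocks (172.16.*.* to 172.31.*.* is 172.16.0.0/12).
INGRESS_ACL: List[Rule] = [
    ("1 private 10.*.*.* source", src_in("10.0.0.0/8"), "DENY"),
    ("2 private 172.16-31.*.* source", src_in("172.16.0.0/12"), "DENY"),
    ("3 private 192.168.*.* source", src_in("192.168.0.0/16"), "DENY"),
    ("4 internal 60.40.*.* source", src_in("60.40.0.0/16"), "DENY"),
    ("5 black-holed attacker", lambda p: p.src == "1.2.3.4", "DENY"),
    ("6 SYN=1 AND FIN=1", lambda p: p.proto == "tcp" and p.syn and p.fin, "DENY"),
    ("7 public webserver 80/443", lambda p: p.dst == "60.47.3.9"
     and p.proto == "tcp" and p.dport in (80, 443), "PASS"),
    ("8 SYN=1 AND ACK=0", lambda p: p.proto == "tcp" and p.syn and not p.ack, "DENY"),
    ("9 FTP data", tcp_dport(20), "DENY"),
    ("10 FTP control", tcp_dport(21), "DENY"),
    ("11 Telnet", tcp_dport(23), "DENY"),
    ("12 NetBIOS", tcp_dport(135, 139), "DENY"),
    ("13 rlogin", tcp_dport(513), "DENY"),
    ("14 rsh", tcp_dport(514), "DENY"),
    ("15 SSH", tcp_dport(22), "DENY"),
    ("16 TFTP", lambda p: p.proto == "udp" and p.dport == 69, "DENY"),
    ("17 ICMP echo reply", lambda p: p.proto == "icmp" and p.icmp_type == 0, "PASS"),
    ("DENY ALL", lambda p: True, "DENY"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the first rule whose predicate matches."""
    for label, pred, action in acl:
        if pred(pkt):
            return action, label
    return "DENY", "implicit deny"   # only reached if an ACL lacks a catch-all rule


def audit(acl: List[Rule], policy: List[Tuple[str, Packet, str]]) -> List[str]:
    """Policy-driven test: each case is (description, packet, action the policy
    requires). Returns one line for every case where the ACL disagrees with policy."""
    failures = []
    for desc, pkt, required in policy:
        action, label = evaluate(acl, pkt)
        if action != required:
            failures.append(f"{desc}: policy says {required}, ACL says {action} (rule {label})")
    return failures


# Constructed policy cases; the expected actions are assumptions for the audit.
POLICY = [
    ("spoofed private source to webserver",
     Packet("10.1.2.3", "60.47.3.9", "tcp", 80, syn=True), "DENY"),
    ("outside client opens HTTPS to webserver",
     Packet("123.80.5.34", "60.47.3.9", "tcp", 443, syn=True), "PASS"),
    ("outside host opens SSH to webserver",
     Packet("123.80.5.34", "60.47.3.9", "tcp", 22, syn=True), "DENY"),
    ("ICMP echo reply to internal client",
     Packet("123.80.5.34", "60.55.33.12", "icmp", icmp_type=0), "PASS"),
    ("SYN/ACK reply to internal client's ephemeral port",
     Packet("123.80.5.34", "60.55.33.12", "tcp", 62600, syn=True, ack=True), "PASS"),
]

if __name__ == "__main__":
    for line in audit(INGRESS_ACL, POLICY) or ["ACL matches policy"]:
        print(line)
```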
Access Control List (ACL) for Egress Filtering at a Border Router

  1. If source IP address = 10.*.*.*, DENY [private IP address range]
  2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
  3. If source IP address = 192.168.*.*, DENY [private IP address range]
  4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
  5. If ICMP Type = 8, PASS [allow outgoing echo messages]
  6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
  7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
  8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver]
  9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
  10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
  11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
  12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
  13. DENY ALL
Firewalls

  Types of Firewalls
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
  Firewall Architecture
  Configuring, Testing, and Maintenance
Stateful Inspection Firewalls

  State of Connection: Open or Closed
    State: order of the packet within a dialog
    Often simply whether the packet is part of an open connection
Stateful Inspection Firewalls

Stateful Firewall Operation
  For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network)
     This default behavior can be changed with an ACL
  Accept future packets between these hosts and ports with little or no inspection
Stateful Inspection Firewall Operation I (figure)
  1. Internal client PC 60.55.33.12 sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
  2. The stateful firewall establishes the connection (outgoing connections are allowed by default) and records it in the connection table
  3. The TCP SYN segment is passed on to the external webserver 123.80.5.34
  4. The external webserver replies with a TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600
  5. The firewall checks the connection table: connection OK
  6. The TCP SYN/ACK segment is passed to the internal client PC

  Connection Table
  Type   Internal IP    Internal Port   External IP    External Port   Status
  TCP    60.55.33.12    62600           123.80.5.34    80              OK
Stateful Inspection Firewalls

 Stateful Firewall Operation
        For UDP, also record the two IP addresses and port numbers in the state table

  Connection Table
  Type   Internal IP    Internal Port   External IP    External Port   Status
  TCP    60.55.33.12    62600           123.80.5.34    80              OK
  UDP    60.55.33.12    63206           1.8.33.4       69              OK
Stateful Inspection Firewalls

  Static Packet Filter Firewalls are Stateless
    Filter one packet at a time, in isolation
    If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
    But stateful firewalls can (Figure 5-10)
Stateful Firewall Operation II (figure)
  1. An attacker spoofing the external webserver 10.5.3.4 sends a spoofed TCP SYN/ACK segment from 10.5.3.4:80 to 60.55.33.12:64640
  2. The stateful firewall checks the connection table: no connection match, so the segment is dropped

  Connection Table
  Type   Internal IP    Internal Port   External IP    External Port   Status
  TCP    60.55.33.12    62600           123.80.5.34    80              OK
  UDP    60.55.33.12    63206           222.8.33.4     69              OK
Stateful Inspection Firewalls

  Static Packet Filter Firewalls are Stateless
    Filter one packet at a time, in isolation
    Cannot deal with port-switching applications
    But stateful firewalls can (Figure 5-11)
Port-Switching Applications with Stateful Firewalls (figure)
  1. Internal client PC 60.55.33.12 sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21 (the external FTP server)
  2. The stateful firewall establishes the connection and records it in the state table (Step 2 row)
  3. The TCP SYN segment is passed on to the external FTP server
  4. The FTP server replies with a TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600, announcing "use ports 20 and 55336 for data transfers"
  5. To allow the data transfers, the firewall establishes a second connection in the state table (Step 5 row)
  6. The TCP SYN/ACK segment is passed to the internal client PC

  State Table
           Type   Internal IP    Internal Port   External IP    External Port   Status
  Step 2   TCP    60.55.33.12    62600           123.80.5.34    21              OK
  Step 5   TCP    60.55.33.12    55336           123.80.5.34    20              OK
Stateful Inspection Firewalls

  Stateful Inspection Access Control Lists (ACLs)
    Primarily allow or deny applications
    Simple, because probing attacks that are not part of conversations do not need specific rules; they are dropped automatically
    In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
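An added example, not from the original slides, that replays Figures 5-9 through 5-11 through a minimal stateful firewall with the connection table shown above: an outbound SYN from an internal client creates a table row, replies are passed only when a row matches, the spoofed SYN/ACK from 10.5.3.4 is dropped without any specific rule, and the FTP data connection is entered in the table in advance. It assumes the internal address block 60.55.0.0/16 and, instead of the figure's simplified "use ports 20 and 55336" note, decodes the real FTP PORT command syntax (216*256+40 = 55336).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass
class Segment:
    """Constructed TCP segment: only the fields a stateful firewall consults."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    payload: str = ""   # application data; read only on an FTP control connection


# Connection-table key in the order of the page's table:
# (internal IP, internal port, external IP, external port)
Key = Tuple[str, int, str, int]


def ftp_port_command(cmd: str) -> int:
    """Decode a real FTP 'PORT h1,h2,h3,h4,p1,p2' command to the announced data port."""
    fields = cmd.split(maxsplit=1)[1].split(",")
    return int(fields[4]) * 256 + int(fields[5])


class StatefulFirewall:
    def __init__(self, internal_net: str) -> None:
        self.internal_net = ip_network(internal_net)
        self.table: Dict[Key, str] = {}   # key -> "OK" while the connection is open

    def inspect(self, seg: Segment) -> str:
        """Return "PASS" or "DROP" for one segment, updating the connection table."""
        if ip_address(seg.src_ip) in self.internal_net:
            key: Key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if key not in self.table:
                if not (seg.syn and not seg.ack):
                    return "DROP"          # not an opening SYN and no open connection
                self.table[key] = "OK"     # default: internal clients may open outbound
            external_port = seg.dst_port
        else:
            key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
            if key not in self.table:
                return "DROP"              # e.g. a spoofed SYN/ACK: no connection match
            external_port = seg.src_port
        # Port-switching application (Figure 5-11): a PORT command on the FTP control
        # connection announces the client's data port; the server will connect to it
        # from port 20, so that second connection is entered in the table in advance.
        if external_port == 21 and seg.payload.startswith("PORT "):
            data_port = ftp_port_command(seg.payload)
            self.table[(key[0], data_port, key[2], 20)] = "OK"
        return "PASS"


def replay_figures() -> Dict[str, str]:
    """Replay the exchanges of Figures 5-9, 5-10 and 5-11; return each decision."""
    fw = StatefulFirewall("60.55.0.0/16")     # assumed internal address block
    client, server = "60.55.33.12", "123.80.5.34"
    return {
        "5-9 step 1: client SYN to web port 80":
            fw.inspect(Segment(client, 62600, server, 80, syn=True)),
        "5-9 step 4: server SYN/ACK":
            fw.inspect(Segment(server, 80, client, 62600, syn=True, ack=True)),
        "5-10: spoofed SYN/ACK from 10.5.3.4":
            fw.inspect(Segment("10.5.3.4", 80, client, 64640, syn=True, ack=True)),
        "5-11 step 1: client SYN to FTP port 21":
            fw.inspect(Segment(client, 62600, server, 21, syn=True)),
        "5-11: PORT command announcing 55336":
            fw.inspect(Segment(client, 62600, server, 21, ack=True,
                               payload="PORT 60,55,33,12,216,40")),
        "5-11 step 5: server SYN from port 20 to 55336":
            fw.inspect(Segment(server, 20, client, 55336, syn=True)),
        "probe: server SYN from port 20 to 55337":
            fw.inspect(Segment(server, 20, client, 55337, syn=True)),
    }


if __name__ == "__main__":
    for step, decision in replay_figures().items():
        print(f"{decision:4}  {step}")
```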
Firewalls

  Types of Firewalls
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
  Firewall Architecture
  Configuring, Testing, and Maintenance
Network Address Translation (NAT) (figure)
  1. Client 192.168.5.7 sends a packet from 192.168.5.7, port 61000
  2. The NAT firewall replaces the source with 60.5.9.8, port 55380 and sends the packet to the server host on the Internet; a sniffer on the Internet sees only 60.5.9.8
  3. The reply arrives addressed to 60.5.9.8, port 55380
  4. The NAT firewall looks up the translation table and delivers the reply to 192.168.5.7, port 61000

  Translation Table
  Internal IP Addr   Internal Port   External IP Addr   External Port
  192.168.5.7        61000           60.5.9.8           55380
  ...                ...             ...                ...
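An added example (not from the original slides) of the translation table in the figure above: outgoing packets get the external address 60.5.9.8 and a fresh port starting at 55380, replies are mapped back by that port, and an inbound packet with no table row is dropped. The server host address 203.0.113.80 and the second client 192.168.5.9 are constructed.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NatFirewall:
    """NAT firewall keeping the page's translation table: internal <-> external."""

    def __init__(self, external_ip: str, first_port: int = 55380) -> None:
        self.external_ip = external_ip
        self.next_port = first_port                 # 55380 is the page's first translated port
        self.table: Dict[Endpoint, Endpoint] = {}   # internal (IP, port) -> external (IP, port)
        self.reverse: Dict[int, Endpoint] = {}      # external port -> internal (IP, port)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Steps 1-2: rewrite the source of an outgoing packet, adding a row if new.
        Returns the (source, destination) pair a sniffer on the Internet would see."""
        if src not in self.table:
            port = self.next_port               # distinct even if two clients share a port
            self.next_port += 1
            self.table[src] = (self.external_ip, port)
            self.reverse[port] = src
        return self.table[src], dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Steps 3-4: restore the internal destination of a reply. None means no
        table row exists for the addressed port, so the packet is dropped."""
        if dst[0] != self.external_ip or dst[1] not in self.reverse:
            return None
        return src, self.reverse[dst[1]]


def replay_figure() -> Dict[str, object]:
    """Run the figure's exchange plus an unsolicited packet and a second client."""
    nat = NatFirewall("60.5.9.8")
    client = ("192.168.5.7", 61000)
    server = ("203.0.113.80", 80)                          # constructed server host
    out = nat.outbound(client, server)                     # step 2: 60.5.9.8:55380 -> server
    back = nat.inbound(server, out[0])                     # steps 3-4: reply reaches client
    stray = nat.inbound(server, ("60.5.9.8", 55381))       # no row: dropped
    second = nat.outbound(("192.168.5.9", 61000), server)  # same internal port, new row
    return {"out": out, "back": back, "stray": stray, "second": second}


if __name__ == "__main__":
    for name, value in replay_figure().items():
        print(name, value)
```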
Firewalls

  Types of Firewalls
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
  Firewall Architecture
  Configuring, Testing, and Maintenance
Application Firewall Operation (figure)
  1. HTTP request from the browser on client PC 192.168.6.77 to the HTTP proxy on the application firewall 60.45.2.6
  2. Filtering
  3. Examined HTTP request sent from 60.45.2.6 to the webserver application on 123.80.5.34
  4. HTTP response to 60.45.2.6
  5. Filtering: on POST going out; on hostname, URL, MIME type, etc. coming in
  6. Examined HTTP response to 192.168.6.77
  Other proxies on the application firewall: FTP proxy (outbound filtering on PUT) and SMTP (e-mail) proxy (inbound and outbound filtering on obsolete commands and content)
Header Destruction With Application Firewalls (figure)
  Arriving packet from attacker 1.2.3.4: application message (HTTP) + original TCP header + original IP header
  The application firewall 60.45.2.6 strips the original headers from arriving packets and creates a new packet with new TCP and IP headers for the webserver 123.80.5.34
  This stops all header-based packet attacks
Protocol Spoofing (figure)
  1. A Trojan horse on internal client PC 60.55.33.12 transmits on port 80 to get through a simple packet filter firewall
  2. The application firewall sees that the protocol is not HTTP and stops the transmission to the attacker at 1.2.3.4
Circuit Firewall (figure)
  1. External client 123.30.82.5 authenticates to the circuit firewall (SOCKS v5) at 60.34.3.31
  2. Transmission
  3. Passed transmission to webserver 60.80.5.34: no filtering
  4. Reply
  5. Passed reply to the external client: no filtering
Firewalls

  Types of Firewalls
  Inspection Methods
  Firewall Architecture
    Single site in large organization
    Home firewall
    SOHO firewall router
    Distributed firewall architecture
  Configuring, Testing, and Maintenance
Single-Site Firewall Architecture for a Larger Firm with a Single Site (figure)
  1. Screening router 60.47.1.1 facing the Internet; last rule = permit all
  2. Main firewall; last rule = deny all
  3. Internal firewall protecting the 172.18.9.x subnet
  4. Client host firewall
  5. Server host firewall
  6. DMZ containing the public webserver 60.47.3.9, external DNS server 60.47.3.4, SMTP relay proxy 60.47.3.10, and HTTP proxy server 60.47.3.1
  Internal subnets: marketing client on the 172.18.5.x subnet, accounting server on the 172.18.7.x subnet
Home Firewall (figure)
  Internet service provider, always-on connection over coaxial cable, broadband modem, UTP cord, home PC running a PC firewall
SOHO Firewall Router (figure)
  Internet service provider, UTP, broadband modem (DSL or cable), UTP, SOHO router, Ethernet switch, UTP, user PCs
  The SOHO router acts as DHCP server, NAT firewall, and limited application firewall
  Many access routers combine the router and Ethernet switch in a single box
Distributed Firewall Architecture (figure)
  A management console controls the firewalls at Site A, Site B, and a home PC firewall, all connected over the Internet
Other Security Architecture Issues

  Host and Application Security
  Antivirus Protection
  Intrusion Detection Systems
  Virtual Private Networks
  Policy Enforcement System
Firewalls

  Types of Firewalls
  Inspection Methods
  Firewall Architecture
  Configuring, Testing, and Maintenance
Configuring, Testing, and Maintaining Firewalls

  Firewall Misconfiguration is a Serious Problem
    ACL rules must be executed in series
    Easy to make misordering problems
    Easy to make syntax errors
Configuring, Testing, and Maintaining Firewalls

  Create Policies Before ACLs
    Policies are easier to read than ACLs
    Can be reviewed by others more easily than ACLs
    Policies drive ACL development
    Policies also drive testing
Configuring, Testing, and Maintaining Firewalls

  Must Test Firewalls with Security Audits
    Only way to tell if policies are being supported
    Must be driven by policies

  Maintaining Firewalls
    New threats appear constantly
    ACLs must be updated constantly if the firewall is to be effective
FireWall-1 Modular Management Architecture (figure)
  Application module (GUI): creates and edits policies; reads log files
  Management module: stores policies and stores log files
  Firewall module: enforces policy; sends log entries
  Data flows: policies go from the GUI to the management module and on to the firewall module; log file entries go from the firewall module to the management module; log file data goes from the management module to the GUI
FireWall-1 Service Architecture (figure)
  1. Arriving packet from the external server
  2. Statefully filtered packet
  3. DoS protection and optional authentications
  4. Content Vectoring Protocol hands the packet to a third-party application inspection firewall
  5. Statefully filtered packet plus application inspection is delivered to the internal client
Security Level-Based Stateful Filtering in PIX Firewalls (figure)
  Inside security level = 100; outside (router to the Internet) security level = 0; internal network security level = 60
  Connections are allowed from more secure networks to less secure networks: the firewall automatically accepts a connection from a higher security level to a lower one and automatically rejects a connection from a lower security level to a higher one

				