14-Firewalls 2020


Week 14.

Firewalls

Lecture slides by Zhanbolat Seitkulov

April IITU, Information Security 1


A Bigger Picture for Network Defense
•  Commonly used network defenses:
–  Perimeter defenses – Firewall, IDS (Intrusion Detection System)
•  Protect local area network and hosts
•  Keep external threats out of internal/protected networks
–  Internal defenses – Virus Scanning
•  Protect hosts from threats that get through the perimeter defenses
–  Extend the “perimeter” – VPN
•  There are more threats, e.g. internal threats are significant
–  Unhappy employees
–  Compromised hosts


Overview
•  Standard perimeter defense mechanisms
–  Firewall
•  Firewall overview
•  Firewall types
–  Packet filtering
–  Application layer proxies
•  Network designs/configurations with firewalls
–  Intrusion detection
•  Anomaly and misuse detection
•  Methods applicable to networks or hosts


Firewall Overview - Motivations
•  The more services are visible to the outside world, the greater the risks.
•  So we want to reduce the number of services that are visible to the outside world -> Network Access Policy
•  Security (network access) policy:
–  Risk assessment and cost-benefit analysis -> specification of a list of “allowed services” that are accessible by external users (permitted/forbidden traffic)
–  Interpretation of security policy:
•  User’s view: Anything not explicitly forbidden is permitted
•  Security’s view: Anything not explicitly permitted is forbidden
–  The default-deny philosophy


Firewall Overview
•  Protect a networked system from outside attack
•  Firewalls are effective:
–  Protect local systems
–  Protect against network-based security threats
–  Provide secured and controlled access to the Internet
–  Provide restricted and controlled access from the Internet to local servers


Firewall Characteristics
•  Design goals:
–  All traffic from inside to outside must pass through the firewall
–  Only authorized traffic will be allowed to pass
•  Defined by local security policy
–  The firewall itself is immune to penetration
•  Use of a trusted system with a secure operating system


Firewall Terminology
•  Types of Firewalls:
–  Packet filter – works at network layer
–  Stateful packet filter – transport layer
–  Application proxy – application layer



Packet Filter
•  Operates at the network layer
•  Examines packet headers
•  So it filters based on:
–  Source IP address
–  Destination IP address
–  Source port
–  Destination port
–  Flag bits (SYN, ACK, etc.)
–  Egress or ingress (leave or enter)


Packet Filter

Source: http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/Firewalls/

•  Two rules: Access Rule and Deny Rule
•  Store rules in a table inside a router
Packet Filter
•  Configured via Access Control Lists (ACLs)
Example – SMTP Filtering
•  Rules A and B allow inbound SMTP connections (incoming email)
•  Rules C and D allow outbound SMTP connections (outgoing email)
•  Rule E is the default rule that applies to all other cases; here the default-deny policy is used.


Packet Filtering – SMTP Example

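The SMTP rule table described on the previous slides, worked through as a stateless packet filter in runnable code. This is an added example, not code from the lecture slides: the rule fields and the evaluation order (rules A to E, with the default-deny rule last) follow the slides' description, while the internal network 192.0.2.0/24, the mail server 192.0.2.25 and the sample packets are constructed for the illustration.

```python
"""Stateless packet filter evaluating the SMTP access-control list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the example: an internal /24 with one mail server in it.
INTERNAL = ip_network("192.0.2.0/24")
MAIL_SERVER = ip_network("192.0.2.25/32")
ANY = None  # wildcard for any direction, address, port or flag value


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving for it
    src: str
    dst: str
    src_port: int
    dst_port: int
    ack: bool        # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    direction: Optional[str]    # "in", "out" or ANY
    src: object                 # ip_network or ANY
    dst: object                 # ip_network or ANY
    src_port: object            # int, "high" (> 1023) or ANY
    dst_port: object
    ack: Optional[bool]         # required ACK flag value, or ANY

    def matches(self, p: Packet) -> bool:
        return (
            _match(self.direction, p.direction)
            and _match_addr(self.src, p.src)
            and _match_addr(self.dst, p.dst)
            and _match_port(self.src_port, p.src_port)
            and _match_port(self.dst_port, p.dst_port)
            and _match(self.ack, p.ack)
        )


def _match(spec, value) -> bool:
    return spec is ANY or spec == value


def _match_addr(spec, addr: str) -> bool:
    return spec is ANY or ip_address(addr) in spec


def _match_port(spec, port: int) -> bool:
    if spec is ANY:
        return True
    if spec == "high":
        return port > 1023
    return spec == port


# Rules A-E as described on the slides, in evaluation order (first match wins).
SMTP_ACL = [
    # A: inbound connection to our mail server's SMTP port
    Rule("A", "permit", "in",  ANY,         MAIL_SERVER, "high", 25,     ANY),
    # B: our mail server's replies on that connection (ACK is always set)
    Rule("B", "permit", "out", MAIL_SERVER, ANY,         25,     "high", True),
    # C: outbound connection from any internal host to a remote SMTP server
    Rule("C", "permit", "out", INTERNAL,    ANY,         "high", 25,     ANY),
    # D: the remote server's replies to that connection
    Rule("D", "permit", "in",  ANY,         INTERNAL,    25,     "high", True),
    # E: default deny -- anything not explicitly permitted is forbidden
    Rule("E", "deny",   ANY,   ANY,         ANY,         ANY,    ANY,    ANY),
]


def filter_packet(p: Packet, acl=SMTP_ACL) -> tuple:
    """Return (action, rule name) of the first matching rule."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "implicit"   # only reached if the ACL lacks a catch-all rule


if __name__ == "__main__":
    samples = [
        Packet("in",  "198.51.100.7", "192.0.2.25", 40000, 25, False),  # inbound SMTP SYN
        Packet("out", "192.0.2.25", "198.51.100.7", 25, 40000, True),   # mail server's reply
        Packet("in",  "198.51.100.7", "192.0.2.40", 40000, 80, False),  # inbound HTTP: denied
        Packet("in",  "198.51.100.7", "192.0.2.40", 25, 1209, True),    # lone inbound ACK
    ]
    for p in samples:
        print(p.direction, f"{p.src}:{p.src_port} -> {p.dst}:{p.dst_port}", filter_packet(p))
```

The last sample packet shows the limitation the slides describe: an inbound segment with the ACK bit set and source port 25 matches rule D and is permitted, because a stateless filter has no way of knowing whether any connection exists for it.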


Packet Filters
•  Advantages:
–  Speed
•  Disadvantages:
–  No concept of state
–  Cannot see TCP connections
–  Blind to application data (e.g. viruses)


TCP ACK Scan Attack on Packet Filters
•  Attacker scans for open ports through the firewall
–  Port scanning is the first step in many attacks
•  Attacker sends a packet with the ACK bit set, without a prior 3-way handshake:
–  Violates the TCP/IP protocol
–  The ACK packet passes through the packet filter firewall
–  Appears to be part of an ongoing connection
–  RST sent by the recipient of such a packet


•  Attacker knows port 1209 is open through the firewall
•  A stateful packet filter can prevent this
–  Since scans are not part of established connections


Stateful Packet Filter
•  Adds state to the packet filter
•  Operates at the transport layer
•  Firewall stores state for every active TCP connection (src IP, src port, dst IP, dst port)
–  Only forwards “legal” packets for the current state
•  E.g. if the connection is unknown, only allow outbound packets with the SYN flag set, but not the ACK flag
•  E.g. if the connection is known, only allow inbound packets with data after the SYN/ACK has been seen
–  Time out connection state for long-idle connections
•  Risk: state memory exhaustion on the firewall


Stateful Packet Filter

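A stateful packet filter with a connection table, covering both the ACK-scan slides and the stateful-filter slide above. This is an added example, not code from the lecture slides: it implements the rules the slides state for outbound-initiated TCP connections (an unknown connection may only be opened by an outbound SYN without ACK, inbound data is forwarded only once the SYN/ACK has been seen, idle entries time out) and adds a table-size cap against state memory exhaustion. The addresses, timeouts and packet trace are constructed for the example.

```python
"""Stateful packet filter with a connection table (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" = internal host -> Internet, "in" = Internet -> internal host
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    ts: float          # arrival time in seconds (constructed clock)


class StatefulFilter:
    """Tracks outbound-initiated TCP connections and forwards only packets
    that fit the current state of their connection."""

    def __init__(self, idle_timeout=300.0, max_entries=1000):
        self.idle_timeout = idle_timeout   # long-idle connections are forgotten
        self.max_entries = max_entries     # cap so attackers cannot exhaust state memory
        # key: (internal ip, internal port, external ip, external port) -> [state, last_seen]
        self.table = {}

    @staticmethod
    def _key(p: Packet):
        """Normalise both directions of a connection to one table key."""
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        dead = [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def process(self, p: Packet) -> str:
        """Return "permit" or "deny" for p and update the connection table."""
        self._expire(p.ts)
        key = self._key(p)
        entry = self.table.get(key)
        syn, ack = "SYN" in p.flags, "ACK" in p.flags

        if entry is None:
            # Unknown connection: only an outbound SYN without ACK may open one.
            # An inbound ACK with no entry is exactly the ACK-scan probe, so it is dropped.
            if p.direction == "out" and syn and not ack:
                if len(self.table) >= self.max_entries:
                    return "deny"          # table full: refuse rather than run out of memory
                self.table[key] = ["SYN_SENT", p.ts]
                return "permit"
            return "deny"

        if "RST" in p.flags:
            del self.table[key]            # a reset tears the connection down
            return "permit"

        state = entry[0]
        if state == "SYN_SENT":
            # Before the handshake completes only the server's SYN/ACK (or a
            # retransmitted client SYN) is acceptable.
            if p.direction == "in" and syn and ack:
                self.table[key] = ["ESTABLISHED", p.ts]
                return "permit"
            if p.direction == "out" and syn and not ack:
                entry[1] = p.ts
                return "permit"
            return "deny"

        # ESTABLISHED: forward ACK-bearing segments (data, FIN) in either direction.
        if ack and not syn:
            entry[1] = p.ts
            return "permit"
        return "deny"


def run_trace(packets, **kwargs):
    """Feed packets through a fresh filter and return the list of decisions."""
    fw = StatefulFilter(**kwargs)
    return [fw.process(p) for p in packets]


# Constructed trace: one legitimate outbound web connection, then an inbound
# ACK-scan probe, an unsolicited inbound SYN, and a late packet on the idle connection.
SAMPLE_TRACE = [
    Packet("out", "192.0.2.40", "203.0.113.9", 51000, 80, frozenset({"SYN"}), 0.0),
    Packet("in", "203.0.113.9", "192.0.2.40", 80, 51000, frozenset({"SYN", "ACK"}), 0.1),
    Packet("out", "192.0.2.40", "203.0.113.9", 51000, 80, frozenset({"ACK"}), 0.2),
    Packet("in", "203.0.113.9", "192.0.2.40", 80, 51000, frozenset({"ACK"}), 0.3),
    Packet("in", "198.51.100.7", "192.0.2.40", 25, 1209, frozenset({"ACK"}), 1.0),
    Packet("in", "198.51.100.7", "192.0.2.40", 40000, 22, frozenset({"SYN"}), 1.1),
    Packet("in", "203.0.113.9", "192.0.2.40", 80, 51000, frozenset({"ACK"}), 100.0),
]

if __name__ == "__main__":
    for p, decision in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE, idle_timeout=60)):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} {decision}")
```

With a 60-second idle timeout the trace yields four permits for the handshake and data, a deny for the lone inbound ACK (the scan probe that a stateless filter would have passed), a deny for the unsolicited inbound SYN, and a deny for the packet arriving after the connection entry has timed out. FIN teardown is simplified here: closed connections are left to the idle timeout rather than tracked through the FIN exchange.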


Stateful Packet Filter
•  Advantages:
–  Can do everything a packet filter can do, plus …
–  Keeps track of ongoing connections (so prevents the TCP ACK scan)
•  Disadvantages:
–  Cannot see application data
–  Slower than packet filtering


Application Proxy
•  A proxy is something that acts on your behalf
•  Application proxy looks at incoming
application data
•  Verifies that data is safe before letting it in
•  This is usually not a router, but a computer



Application Proxy
•  Advantages:
–  Higher security than packet filters
•  Complete view of connections and application data
•  Filters bad data at the application layer (viruses, macros, etc.)
•  Disadvantages:
–  Speed (additional processing overhead on each connection)


Application Proxy
•  Creates a new packet before sending it through to the internal network
•  Attacker must talk to the proxy and convince it to forward the message
•  Proxy has a complete view of the connection
•  Prevents some scans a stateful packet filter cannot – next slides


Firewalk
•  Tool to scan open ports through a firewall
•  Attacker knows the IP address of the firewall and the IP address of one system inside the firewall
•  If the firewall allows data on port N, a “time exceeded” error message is returned
•  Otherwise, no response


Firewalk and Proxy Firewall

•  This will not work through an application proxy (why?)
•  The proxy creates a new packet, destroying the old TTL
Bastion Host
•  It is a system identified by the firewall administrator as a critical point in the network’s security
–  It runs a secure version of its OS and is trusted
–  It runs only the services that are essential
–  Additional authentication is required before access is allowed


Firewall Configurations
•  In addition to the simple configuration of a single system, more complex configurations are possible
•  Three common configurations are in popular use:
–  Single-homed host
–  Dual-homed host
–  Screened subnet


Single-homed Host



Single-homed Host
•  Firewall consists of two systems:
–  A packet-filtering router
–  A bastion host
•  Configuration for the packet-filtering router:
–  Only packets from and to the bastion host are allowed to pass through the router
•  The bastion host performs authentication and proxy functions


Single-homed Host
•  Drawback:
–  If the packet-filtering router gets compromised, then the entire network will be compromised
•  A dual-homed bastion host solves the problem
–  As it has two network interfaces:
•  One for the internal connection
•  A second for the connection with the router
–  The internal network is in a separate network zone


Dual-homed Host


Dual-homed Host
•  Even if the packet-filtering router is compromised, the internal network is not completely compromised
•  Traffic between the Internet and other hosts on the private network has to flow through the bastion host
•  The separate network that consists of the packet filter, information server and bastion host is called the DMZ (demilitarized zone)


Screened Subnet


Screened Subnet
•  Most secure configuration of the three
•  Two packet-filtering routers are used
•  The bastion host is located between the two routers
•  Creates an isolated sub-network


Screened Subnet
•  Advantages:
–  Three levels of defense against intruders
–  The outside router advertises only the existence of the screened subnet to the Internet
•  The internal network is invisible to the Internet
–  The inside router advertises only the existence of the screened subnet to the internal network
•  The systems on the inside network cannot construct direct routes to the Internet


Screened Subnet


Summary – What Firewalls can/cannot do?

•  Control access into and from your site, thus protecting against attacks on vulnerable services
•  Isolation of semi-public resources from private resources
•  Maintain the privacy of network infrastructure – limit your exposure
•  Audit trail and statistics – log Internet activities effectively
Summary – What Firewalls can/cannot do?

•  Cannot protect you against malicious insiders
•  Cannot protect you against connections that do not go through it, e.g. what if the site allows dial-in access to internal systems behind the firewall?
•  Cannot protect against completely new threats
•  Cannot fully protect against viruses
•  Cannot set itself up correctly – correct configuration is absolutely essential.


Questions?
