Ch08 Introduction CIA Triad (1)


Computer Security:

Principles and Practice


Chapter 9 – Firewalls and Intrusion
Prevention Systems

First Edition
by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown


Firewalls and Intrusion Prevention Systems
 effective means of protecting LANs
 internet connectivity essential
• for organizations and individuals
• but creates a threat
 could secure workstations and servers
 also use firewall as perimeter defence
• single choke point to impose security
Firewall Capabilities & Limits
 capabilities:
• defines a single choke point
• provides a location for monitoring security events
• convenient platform for some Internet functions such as NAT, usage monitoring, IPSec VPNs
 limitations:
• cannot protect against attacks that bypass the firewall, e.g. dialup
• may not protect fully against internal threats
• improperly secured wireless LAN
• laptop, PDA or portable storage device infected outside, then used inside
TCP Connection

https://www.researchgate.net/publication/243464926_SYN_Flooding_Attacks_and_Countermeasures_A_Survey/figures?lo=1
TCP Communication

http://www.tcpipguide.com/free/t_TCPIPClientEphemeralPortsandClientServerApplicatio-3.htm
Types of Firewalls
Packet Filtering Firewall
 applies rules to packets in/out of firewall
 based on information in packet header
• src/dest IP addr & port, IP protocol, interface
 typically a list of rules of matches on fields
• if a packet matches a rule, the rule says whether to forward or discard it
 two default policies:
• discard - prohibit unless expressly permitted
  • more conservative, controlled, visible to users
• forward - permit unless expressly prohibited
  • easier to manage/use but less secure
Packet Filter Rules
Packet Filter

Default discard (only host 192.168.10.1 is permitted; the access list's implicit final deny drops everything else):

    interface ethernet0
    ip access-group 1 in
    !
    access-list 1 permit host 192.168.10.1

Default forward (host 192.168.10.1 is denied; everything else is permitted):

    interface ethernet0
    ip access-group 1 in
    !
    access-list 1 deny host 192.168.10.1
    access-list 1 permit any
Packet Filter Weaknesses
 weaknesses
• cannot prevent attack on application bugs
• limited logging functionality
• do not support advanced user authentication
• vulnerable to attacks on TCP/IP protocol bugs
• improper configuration can lead to breaches
 attacks
• IP address spoofing, source route attacks, tiny fragment attacks
Stateful Inspection Firewall
 reviews packet header information but also
keeps info on TCP connections

ACL Rules +
Stateful Inspection Firewall

https://documentation.nokia.com/html/0_add-h-f/93-0267-HTML/7X50_Advanced_Configuration_Guide/images/AA-FW.51.1.1.jpg
Stateful Inspection Firewall
 reviews packet header information but also keeps info on TCP connections
• servers typically use a low, "well-known" port number (below 1024)
• clients use a high (1024-65535), dynamically assigned port number
• a simple packet filter must therefore allow all return packets to high-numbered ports back in
• a stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
• only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
• may also track TCP sequence numbers
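To show the difference the slides describe between the two default policies and between stateless and stateful filtering, here is an added Python example (not from the textbook or the slides). The Packet class, the rule predicates and the sample traffic are constructed for the example; the two ACLs mirror the slide's Cisco configurations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # constructed packet summary: the header fields a filter sees
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool        # True = arriving from the Internet side
    syn: bool = False    # TCP SYN, i.e. a connection being opened

def make_stateless_filter(rules, default):
    """First matching (predicate, action) rule wins; otherwise the default policy applies."""
    def decide(pkt):
        for match, action in rules:
            if match(pkt):
                return action
        return default
    return decide

# The slide's two ACLs. A Cisco ACL ends in an implicit deny, so "permit one host"
# is a default-discard policy and "deny one host, permit any" is default-forward.
DISCARD_ACL = make_stateless_filter([(lambda p: p.src == "192.168.10.1", "forward")], "discard")
FORWARD_ACL = make_stateless_filter([(lambda p: p.src == "192.168.10.1", "discard")], "forward")

# A stateless filter must admit every inbound packet to a high client port: it
# cannot tell a reply from an unsolicited packet.
HIGH_PORT_ACL = make_stateless_filter(
    [(lambda p: not p.inbound, "forward"), (lambda p: p.dport >= 1024, "forward")], "discard")

class StatefulFilter:
    """Directory of TCP connections opened from inside; inbound packets to high ports are forwarded only if they match an entry."""
    def __init__(self):
        self.directory = set()   # (inside_ip, inside_port, outside_ip, outside_port)
    def decide(self, pkt):
        if not pkt.inbound:
            if pkt.syn:
                self.directory.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "forward" if key in self.directory else "discard"

# Constructed traffic: an outbound web request, its reply, and an unsolicited inbound packet to another high port.
SAMPLE = [Packet("10.0.0.5", 40000, "203.0.113.7", 80, inbound=False, syn=True),
          Packet("203.0.113.7", 80, "10.0.0.5", 40000, inbound=True),
          Packet("198.51.100.9", 4444, "10.0.0.5", 40001, inbound=True)]

def compare(pkts):
    """Return (stateless, stateful) verdict per packet; only the stateful filter discards the unsolicited packet."""
    sf = StatefulFilter()
    return [(HIGH_PORT_ACL(p), sf.decide(p)) for p in pkts]
```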
Application-Level Gateway
 acts as a relay of application-level traffic
• user contacts gateway with remote host name
• user authenticates to the gateway
• gateway contacts application on remote host and relays TCP segments between server and user
 must have proxy code for each application
• may restrict application features supported
 more secure than packet filters
 but have higher overheads
Application-Level Gateway

https://miro.medium.com/max/700/0*70QEhe5XesOQUmPs
Circuit-Level Gateway
 sets up two TCP connections, to an inside user and to an outside host
 relays TCP segments from one connection to the other without examining contents
• hence independent of application logic
• just determines whether relay is permitted
 typically used when inside users are trusted
• may use application-level gateway inbound and circuit-level gateway outbound
• hence lower overheads
Circuit-Level Gateway

https://miro.medium.com/max/700/0*oaH5SArrOnUp-kEA
SOCKS Circuit-Level Gateway
 SOCKS v5, defined in RFC 1928, allows TCP/UDP applications to use the firewall
 components:
• SOCKS server runs on Unix-based firewall
• SOCKS client library, runs on internal protected hosts
• SOCKS-ified client applications such as FTP, Telnet
 client app contacts SOCKS server, authenticates, sends relay request
 server evaluates & establishes relay connection
SOCKS Circuit-Level Gateway
 a TCP connection is opened to authenticate a user to send and receive UDP segments, and the UDP segments are forwarded as long as the TCP connection is open
 UDP handled with parallel TCP control channel
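An added example of the SOCKS5 request/reply exchange (RFC 1928) that the slides describe, written for this page and not taken from any SOCKS implementation. The relay policy, the allowed-port set and the relay address 10.0.0.1:1080 are assumptions made for the example; the message layout follows the RFC.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 1, 2, 3
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def parse_request(data: bytes):
    """Parse a SOCKS5 request (RFC 1928 section 4):
    VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT  ->  (cmd, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:                                   # IPv4 address, 4 octets
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                                 # domain name, 1-octet length prefix
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 0x04:                                 # IPv6 address, 16 octets
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        raise ValueError("unsupported ATYP %#x" % atyp)
    if len(data) != end + 2:
        raise ValueError("bad DST.PORT length")
    (port,) = struct.unpack("!H", data[end:end + 2])   # network byte order
    return cmd, host, port

def build_reply(rep: int, bnd_addr: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """Build the server reply: VER | REP | RSV | ATYP=IPv4 | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, 0x01])
            + ipaddress.IPv4Address(bnd_addr).packed + struct.pack("!H", bnd_port))

# Hypothetical relay policy for already-authenticated inside users: only these
# destination ports may be relayed outbound (the slide's "server evaluates").
ALLOWED_PORTS = {21, 23, 80, 443}
RELAY_ADDR, RELAY_PORT = "10.0.0.1", 1080   # constructed firewall-side address

def evaluate(data: bytes) -> bytes:
    """Server side: decide on one request and return the reply bytes."""
    cmd, host, port = parse_request(data)
    if cmd == CMD_CONNECT:
        if port not in ALLOWED_PORTS:
            return build_reply(REP_NOT_ALLOWED)
        return build_reply(REP_SUCCEEDED, RELAY_ADDR, RELAY_PORT)
    if cmd == CMD_UDP_ASSOCIATE:   # UDP relay lives only while this TCP control connection is open
        return build_reply(REP_SUCCEEDED, RELAY_ADDR, RELAY_PORT)
    return build_reply(REP_CMD_UNSUPPORTED)   # BIND is not relayed by this gateway
```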
Firewall Basing
 several options for locating firewall:
 bastion host
 individual host-based firewall
 personal firewall
Bastion Hosts
 critical strongpoint in network
 hosts application/circuit-level gateways
 common characteristics:
• runs secure O/S, only essential services
• may require user auth to access proxy or host
• each proxy is configured to support only a subset of the application's command set
• each proxy is configured to allow access only to specific host systems
• each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection
Bastion Hosts
• each proxy module is a very small software package specifically designed for network security, hence it is easier to check such modules for security flaws
• each proxy is independent of other proxies on the bastion host, and can be uninstalled without affecting the operation of the other proxy applications
• generally performs no disk access other than to read its initial configuration file
• each proxy runs as a non-privileged user in a private and secured directory on the host
Dual Homed Bastion Hosts
Host-Based Firewalls
 used to secure an individual host
 available in, or as an add-on for, many O/S
 filter packet flows
 often used on servers
 advantages:
• tailored filter rules for specific host needs
• protection from both internal / external attacks
• additional layer of protection to org firewall
Personal Firewall
 controls traffic flow to/from PC/workstation
 for both home or corporate use
 may be software module on PC
 or in home cable/DSL router/gateway
 typically much less complex
 primary role to deny unauthorized access
 may also monitor outgoing traffic to
detect/block worm/malware activity
Firewall Locations
Virtual Private Networks
Distributed Firewalls
Firewall Topologies
 host-resident firewall
 screening router
 single bastion inline
 single bastion T
 double bastion inline
 double bastion T
 distributed firewall configuration
Firewall Topologies

https://i.stack.imgur.com/OawSQ.png
Intrusion Prevention Systems (IPS)
 recent addition to security products which are
• inline net/host-based IDS that can block traffic
• functional addition to firewall that adds IDS capabilities
 can block traffic like a firewall
 using IDS algorithms
 may be network or host based
Host-Based IPS
 identifies attacks using both:

signature techniques
• malicious application packets

anomaly detection techniques
• behavior patterns that indicate malware
 can be tailored to the specific platform

e.g. general purpose, web/database server specific
 can also sandbox applets to monitor behavior
 may give desktop file, registry, I/O protection
Network-Based IPS
 inline NIDS that can discard packets or
terminate TCP connections
 uses signature and anomaly detection
 may provide flow data protection

monitoring full application flow content
 can identify malicious packets using:

pattern matching, stateful matching, protocol
anomaly, traffic anomaly, statistical anomaly
 e.g. SNORT inline can drop/modify packets
Network-Based IPS
 Pattern matching: Scans incoming packets for specific
byte sequences (the signature) stored in a database of
known attacks.
 Stateful matching: Scans for attack signatures in the
context of a traffic stream rather than individual packets.
 Protocol anomaly: Looks for deviation from standards set
forth in RFCs.
 Traffic anomaly: Watches for unusual traffic activities,
such as a flood of UDP packets or a new service
appearing on the network.
 Statistical anomaly: Develops baselines of normal traffic
activity and throughput, and alerts on deviations from
those baselines
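An added example, not from the slides or from Snort, contrasting pattern matching on individual packets with stateful matching over a reassembled TCP stream. The signature database, the flow and the segments are constructed for the example; it shows that a pattern split across two segments is only found once the stream is reassembled in sequence order.

```python
from collections import defaultdict

# Constructed signature database: byte pattern -> rule name (not real IDS rules).
SIGNATURES = {b"TEST-SIGNATURE": "constructed-test-rule"}

def pattern_match(payload: bytes):
    """Pattern matching: scan one packet's payload on its own."""
    return [name for sig, name in SIGNATURES.items() if sig in payload]

class StreamMatcher:
    """Stateful matching: reassemble each TCP flow's segments in sequence order and
    scan the contiguous stream, so a signature straddling a segment boundary is found."""
    def __init__(self):
        self.segments = defaultdict(dict)   # flow -> {seq: payload}

    def reassembled(self, flow) -> bytes:
        """Contiguous bytes from the lowest sequence number seen; stops at a gap."""
        data, expected = b"", None
        for seq, payload in sorted(self.segments[flow].items()):
            if expected is not None and seq != expected:
                break                        # hole in the stream: wait for the missing segment
            data += payload
            expected = seq + len(payload)
        return data

    def feed(self, flow, seq: int, payload: bytes):
        """Record a segment and return the rules matched by the stream so far."""
        self.segments[flow][seq] = payload
        stream = self.reassembled(flow)
        return [name for sig, name in SIGNATURES.items() if sig in stream]

# Constructed flow in which the signature is split across two segments.
FLOW = ("10.0.0.5", 40000, "203.0.113.7", 80)
SEGMENTS = [(1000, b"header TEST-SIG"), (1015, b"NATURE trailer")]

def per_packet_alerts(segments):
    """Alerts from a per-packet matcher: none, since the pattern never sits in one packet."""
    return [name for _, payload in segments for name in pattern_match(payload)]

def stream_alerts(segments, flow=FLOW):
    """Alerts from a stream matcher once all segments have arrived, in any order."""
    m = StreamMatcher()
    alerts = []
    for seq, payload in segments:
        alerts = m.feed(flow, seq, payload)
    return alerts
```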
Unified Threat Management Products
Summary
 introduced need for & purpose of firewalls
 types of firewalls

packet filter, stateful inspection, application
and circuit gateways
 firewall hosting, locations, topologies
 intrusion prevention systems
