Firewall Design Principles, Trusted Systems

Introduction

Firewalls are a response to the evolution of information systems: now everyone wants to be on the Internet and to interconnect networks. This brings persistent security concerns, and an organisation cannot easily secure every system it owns, so it typically uses a firewall to provide perimeter defence as part of a comprehensive security strategy.

What is a Firewall?

A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed. A firewall is defined as a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. It provides a location for monitoring security-related events and is a convenient platform for several Internet functions that are not security related, such as NAT and Internet usage audits or logs. A firewall can also serve as the platform for IPSec, to implement virtual private networks. The firewall itself must be immune to penetration, since it will be a target of attack.

Figure 8.1 illustrates the general model of firewall use on the security perimeter: a choke point for traffic between the external, less trusted Internet and the internal, more trusted private network.

Fig 8.1 General model of a firewall: internal (protected) network, e.g. the enterprise network; firewall; external (untrusted) network, e.g. the Internet.

Firewall characteristics:
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration.
This implies the use of a trusted system with a secure operating system.

Four general techniques that firewalls use to control access and enforce the site's security policy:
1. Service control: determines the types of Internet services that can be accessed, inbound and outbound. The firewall may filter traffic on the basis of IP address and TCP port number, or may provide proxy software that receives and interprets each service request before passing it on.
2. Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
3. User control: controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter. It may also be applied to incoming traffic from external users.
4. Behavior control: controls how particular services are used; for example, the firewall may filter e-mail to eliminate spam.

Capabilities of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses.
4. A firewall can serve as the platform for IPSec.

Limitations of a firewall:
1. The firewall cannot protect against attacks that bypass the firewall.
2. The firewall does not protect against internal attacks, such as an employee who unwittingly cooperates with an external attacker.
3. The firewall cannot protect against the transfer of virus-infected programs.

Dept of ECE, SVIT
Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical for the firewall to scan all incoming files, e-mail, and messages for viruses.

Types of Firewalls

Three common types of firewalls: packet filters, application-level gateways, and circuit-level gateways.

1. Packet-filtering router: applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. Filtering rules are based on information contained in the network packet, such as source and destination IP addresses, source and destination ports, transport protocol, and interface. Its advantages are simplicity, transparency to users, and speed. If a packet matches no rule, one of two default policies is applied: that which is not expressly permitted is prohibited (the default action is to discard the packet), a conservative policy; or that which is not expressly prohibited is permitted (the default action is to forward the packet), a permissive policy.

Fig 8.2 Packet filter firewall

Figure 8.2 illustrates the packet filter firewall's role, using information from the transport, network, and data link layers to decide which traffic flows are allowed, and its placement in the border router between the external, less trusted Internet and the internal, more trusted private network.

Below are some examples of packet-filtering router rule sets.

A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway host.

B. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

C. This rule set is intended to specify that any inside host can send mail to the outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine. The problem with this rule is that the use of port 25 for SMTP receipt is only a default; as written, the rule set also admits any inbound packet whose TCP source port is 25, so an attacker could reach internal hosts simply by sending packets from source port 25.

D. This rule set achieves the intended result that was not achieved in C.
The rule takes advantage of a feature of TCP connections: once a connection is set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. Thus, this rule set allows IP packets whose source IP address is one of a list of designated internal hosts and whose destination TCP port number is 25, and it allows incoming packets with a source port number of 25 only when the ACK flag is set in the TCP segment.

E. This rule set is one approach to handling FTP connections. With FTP, two TCP connections are used: a control connection to set up the file transfer and a data connection for the actual file transfer.

Table 8.1 Packet-filtering examples (rule sets A to E)

Attacks on Packet Filters

Some of the attacks that can be made on packet-filtering routers, and their countermeasures:
+ IP address spoofing: the intruder transmits packets from the outside with the source IP address of an internal host, hoping the fake source address will be trusted. Countermeasure: add filters on the router that discard any packet arriving on the external interface with an inside source address.
+ Source routing attacks: the source station specifies the route a packet should take (a route other than the default), hoping to bypass security measures. Countermeasure: discard all source-routed packets.
+ Tiny fragment attacks: the intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate fragment, so that the header is split over several tiny packets and filtering rules that need the full header cannot be applied. Countermeasure: enforce a minimum fragment size that includes the full transport header, or discard such fragments, or reassemble the packet before checking it.

Firewalls: Stateful Packet Filters

A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.
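As an added example (not part of these notes), the following Python code applies the three countermeasures just listed at a border router, working on raw IPv4 headers. The internal range 10.0.0.0/8, the addresses and the datagrams it checks are constructed for the example. It walks the IP options field for loose and strict source route options (option types 131 and 137) and applies the RFC 1858 checks for the tiny fragment attack: the first fragment of a TCP segment must carry the whole 20-byte TCP header, and a fragment offset of 1 (which would overwrite the port and flag fields) is never legitimate.

```python
"""Countermeasures a packet-filtering router applies against IP spoofing,
source routing and tiny fragments.  Added example (not the notes' own code);
the internal range, addresses and packets below are constructed for it."""
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
SOURCE_ROUTE_OPTIONS = {131, 137}                     # LSRR (131) and SSRR (137) option types
MIN_TCP_HEADER = 20                                   # bytes a first fragment must carry (RFC 1858)
IP_HDR = "!BBHHHBBH4s4s"                              # fixed 20-byte IPv4 header layout


def build_ipv4(src, dst, payload=b"", more_fragments=False, frag_offset=0, options=b""):
    """Build a minimal IPv4/TCP datagram for the tests (checksum left zero, not verified here)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)    # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack(IP_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234,
                         flags_frag, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def parse_ipv4(raw):
    """Extract just the header fields the filter needs."""
    ver_ihl, _tos, _tl, _id, flags_frag, _ttl, proto, _ck, src, dst = struct.unpack(IP_HDR, raw[:20])
    ihl = ver_ihl & 0x0F
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "proto": proto,
            "frag_offset": flags_frag & 0x1FFF,        # in 8-octet units
            "options": raw[20:ihl * 4], "payload_len": len(raw) - ihl * 4}


def option_types(options):
    """Yield the type octet of each IP option; stop at End-of-Options or a malformed length."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == 0:                                    # End of Option List
            return
        if t == 1:                                    # No Operation (single octet)
            i += 1
            continue
        yield t
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:                                # malformed; do not loop forever
            return
        i += length


def filter_decision(raw, on_external_interface):
    """Return 'forward' or a 'drop: ...' reason for one datagram seen by the border router."""
    pkt = parse_ipv4(raw)
    # IP address spoofing: an internal source address must never arrive from the outside.
    if on_external_interface and any(pkt["src"] in net for net in INTERNAL_NETS):
        return "drop: spoofed internal source address"
    # Source routing: discard every datagram carrying a loose or strict source route option.
    if any(t in SOURCE_ROUTE_OPTIONS for t in option_types(pkt["options"])):
        return "drop: source-routed datagram"
    # Tiny fragments: the first fragment must hold the whole TCP header so ports and flags
    # can be checked, and offset 1 (overlapping that header) is never legitimate.
    if pkt["proto"] == 6:
        if pkt["frag_offset"] == 0 and pkt["payload_len"] < MIN_TCP_HEADER:
            return "drop: tiny fragment (TCP header incomplete)"
        if pkt["frag_offset"] == 1:
            return "drop: fragment overlaps transport header"
    return "forward"


# Constructed test datagrams (documentation-range outside addresses, assumed inside hosts).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # 20-byte SYN
SPOOFED = build_ipv4("10.1.2.3", "10.0.0.5", TCP_HDR)
LSRR = bytes([131, 7, 4]) + ipaddress.ip_address("10.0.0.5").packed   # type, len, pointer, one hop
SOURCE_ROUTED = build_ipv4("203.0.113.9", "10.0.0.5", TCP_HDR, options=LSRR)
TINY_FRAGMENT = build_ipv4("203.0.113.9", "10.0.0.5", TCP_HDR[:8], more_fragments=True)
NORMAL = build_ipv4("203.0.113.9", "10.0.0.25", TCP_HDR)
```

The anti-spoofing check depends on knowing which interface the datagram arrived on: the same packet that is dropped on the external interface is forwarded when seen on the internal one, which is why the rule is tied to the interface rather than to the address alone.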
In general, when an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 65535. A simple packet-filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability that can be exploited by unauthorized users.

A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence it is better able to detect bogus packets sent out of context. A stateful packet inspection firewall reviews the same packet information as a packet-filtering firewall, but also records information about TCP connections. Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking. Some even inspect limited amounts of application data for some well-known protocols like FTP, IM and SIPS commands, in order to identify and track related connections.

In summary: traditional packet filters do not examine higher layer context, i.e. they cannot match return packets with the outgoing flow. Stateful packet filters address this need: they examine each IP packet in context, keep track of client-server sessions, and check that each packet validly belongs to one. Hence they are better able to detect bogus packets out of context, and may even inspect limited application data.

2. Application-level gateway (or proxy): this is an application-specific gateway, or proxy, that has full access to the protocol. The user requests a service from the proxy.
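Rule set D (the ACK trick) beside a stateful inspection filter, as an added Python example that is not from the notes. Packets are simplified records; the mail gateway address, the designated inside hosts and the outside addresses are assumptions. The probe in compare_ack_probe shows the vulnerability the paragraph above describes: a forged inbound packet from port 25 with ACK set satisfies the stateless rules, while the stateful filter denies it because no matching outbound connection exists in its directory, yet the genuine reply in compare_real_reply still passes.

```python
"""Stateless rule sets A and D (Table 8.1) beside a stateful inspection filter.
Added example, not the notes' own code; hosts and addresses are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the protected network)
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag


MAIL_GATEWAY = "10.0.0.25"                    # assumed inside SMTP gateway (rule set A)
MAIL_SENDERS = {"10.0.0.5", "10.0.0.7"}       # assumed inside hosts allowed to send mail (rule set D)


def stateless_filter(p):
    """Rule set A + rule set D, with rule set B (default deny) implicitly last."""
    if p.direction == "in" and p.dst == MAIL_GATEWAY and p.dport == 25:
        return "permit"                                   # A: inbound mail, gateway host only
    if p.direction == "out" and p.src in MAIL_SENDERS and p.dport == 25:
        return "permit"                                   # D: designated inside hosts send mail
    if p.direction == "in" and p.sport == 25 and p.ack and p.dst in MAIL_SENDERS:
        return "permit"                                   # D: replies from port 25 with ACK set
    return "deny"                                         # B: default policy


class StatefulFilter:
    """Same policy, but inbound high-port traffic must match an outbound connection we recorded."""

    def __init__(self):
        self.connections = set()   # directory: (inside host, inside port, outside host, outside port)

    def decide(self, p):
        if p.direction == "out":
            verdict = stateless_filter(p)
            if verdict == "permit":
                self.connections.add((p.src, p.sport, p.dst, p.dport))   # remember the outbound flow
            return verdict
        if p.dst == MAIL_GATEWAY and p.dport == 25:
            return "permit"                               # rule set A still admits new inbound mail
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "permit"                               # reply to a flow in the directory
        return "deny"                                     # anything else is out of context, ACK or not


def compare_ack_probe():
    """An outside host forges a packet from port 25 with ACK set and no prior outbound connection."""
    probe = Packet("in", "198.51.100.9", 25, "10.0.0.5", 4444, ack=True)
    return stateless_filter(probe), StatefulFilter().decide(probe)


def compare_real_reply():
    """The same reply is legitimate once the inside host has actually opened the connection."""
    sf = StatefulFilter()
    opened = sf.decide(Packet("out", "10.0.0.5", 4444, "198.51.100.9", 25))
    reply = Packet("in", "198.51.100.9", 25, "10.0.0.5", 4444, ack=True)
    return opened, sf.decide(reply)
```

A production filter would also age entries out of the directory and track the TCP state transitions (SYN, established, FIN), which is what lets it reject segments whose flags or sequence numbers do not fit the recorded connection.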
The proxy validates the request as legal, then performs the request and returns the result to the user; this lets the firewall log and audit traffic at the application level. A separate proxy is needed for each service; some services naturally support proxying, while others are more problematic.

Application-level gateways are more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. A prime disadvantage of this type of gateway is the additional processing overhead on each connection.

Fig 8.3 Application-level gateway

3. Circuit-level gateway: the circuit-level gateway or circuit-level proxy is the remaining type (the fourth, if stateful inspection is counted separately). It can be a stand-alone system or a specialized function performed by an application-level gateway for certain applications.

Fig 8.4 Circuit-level gateway (inside host, inside connection, circuit-level gateway, outside connection, outside host)

A circuit-level gateway relays two TCP connections, one between itself and a TCP user on an inside host, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access.

One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library and SOCKS-aware applications on internal clients. When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system.
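The complete SOCKS5 exchange that follows that TCP connection (method negotiation, authentication, relay request and the server's reply), with both sides written out in Python and run in memory. This is an added example, not code from the notes or from any SOCKS implementation; the message layouts follow RFC 1928 and the username/password sub-negotiation follows RFC 1929, while the credential store, the allowed-destination table and the addresses are assumptions for the example.

```python
"""Both sides of a SOCKS5 (RFC 1928) session between an inside client and the SOCKS
server on the firewall, run in memory.  Added example, not the notes' own code;
the credentials, the allowed-destination table and addresses are assumptions."""
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF     # authentication methods
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02               # reply codes

# Assumed firewall-side configuration.
CREDS = {b"alice": b"correct horse"}                            # RFC 1929 username/password store
ALLOWED = {("mail.example.org", 25), ("www.example.org", 443)}  # destinations the policy permits


# --- client side ---
def client_greeting(methods):
    """VER | NMETHODS | METHODS"""
    return bytes([VER, len(methods)]) + bytes(methods)


def userpass_request(user, password):
    """RFC 1929 sub-negotiation: VER(1) | ULEN | UNAME | PLEN | PASSWD"""
    return bytes([0x01, len(user)]) + user + bytes([len(password)]) + password


def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, with a domain-name address."""
    name = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


# --- server side ---
def select_method(greeting, server_methods):
    """Pick the first method the server prefers that the client also offered."""
    if greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = set(greeting[2:2 + greeting[1]])
    for m in server_methods:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])      # client must then close the connection


def check_userpass(msg, creds):
    """Return the RFC 1929 status reply and whether authentication succeeded."""
    ulen = msg[1]
    user = msg[2:2 + ulen]
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    ok = creds.get(user) == password
    return bytes([0x01, 0x00 if ok else 0x01]), ok


def parse_request(msg):
    ver, cmd, _rsv, atyp = msg[:4]
    if ver != VER:
        raise ValueError("bad version")
    if atyp == ATYP_DOMAIN:
        n = msg[4]
        host = msg[5:5 + n].decode()
        port = struct.unpack("!H", msg[5 + n:7 + n])[0]
    elif atyp == ATYP_IPV4:
        host = ".".join(str(b) for b in msg[4:8])
        port = struct.unpack("!H", msg[8:10])[0]
    else:
        raise ValueError("unsupported address type")
    return cmd, host, port


def server_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(int(o) for o in bnd_addr.split("."))
            + struct.pack("!H", bnd_port))


def run_exchange(dst_host, dst_port, user=b"alice", password=b"correct horse"):
    """Drive one client/server session and return the outcome as a string."""
    sel = select_method(client_greeting([NO_AUTH, USERPASS]), [USERPASS])   # server insists on auth
    if sel[1] == NO_ACCEPTABLE:
        return "no acceptable method"
    if sel[1] == USERPASS:
        _status, ok = check_userpass(userpass_request(user, password), CREDS)
        if not ok:
            return "authentication failed"
    cmd, host, port = parse_request(connect_request(dst_host, dst_port))
    permitted = cmd == CMD_CONNECT and (host, port) in ALLOWED   # the gateway's only security decision
    reply = server_reply(REP_SUCCESS if permitted else REP_NOT_ALLOWED,
                         "192.0.2.1" if permitted else "0.0.0.0", 40000 if permitted else 0)
    return "relay established" if reply[1] == REP_SUCCESS else "denied by ruleset"
```

Note where the security decision sits: after the reply with REP 0x00 the server simply copies bytes between the two connections, so the ruleset consulted in run_exchange is the whole of the circuit-level gateway's policy enforcement.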
If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request and either establishes the appropriate connection or denies it. UDP exchanges are handled in a similar fashion.

In summary, a circuit-level gateway relays two TCP connections; it imposes security by limiting which such connections are allowed, and once a connection is created it usually relays traffic without examining its contents. Such gateways are typically used where internal users are trusted, by allowing general outbound connections; SOCKS is the commonly used implementation.

Bastion Host

It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or LAN switch.

A bastion host is a critical strong point in the network's security, serving as a platform for an application-level or circuit-level gateway, or for external services. It is thus potentially exposed to "hostile" elements and must be secured to withstand this.

Common characteristics of a bastion host include the following:
* The bastion host hardware platform executes a secure version of its operating system, making it a trusted system.
* Only the services that the network administrator considers essential are installed on the bastion host. Examples of proxy applications are Telnet, DNS, FTP, etc.
* The bastion host may require additional authentication before a user is allowed access to the proxy services.
* Each proxy is configured to support only a subset of the standard application's command set.
* Each proxy is configured to allow access only to specific host systems.
* Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection.
* Each proxy module is a very small software package specifically designed for network security.
* Each proxy is independent of the other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications.
* A proxy generally performs no disk access other than to read its initial configuration file.
* Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.

Firewall Configurations

1. Screened host firewall system (single-homed bastion host)
2. Screened host firewall system (dual-homed bastion host)
3. Screened subnet firewall system

In the screened host firewall, single-homed bastion configuration, the firewall consists of two systems: a packet-filtering router and a bastion host.

Fig 8.5 Screened host firewall system (single-homed bastion host)

Typically the router is configured so that:
For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
For traffic from the internal network, only IP packets from the bastion host are allowed out.

This configuration has greater security than simply a packet-filtering router. First, this configuration implements both packet-level and application-level filtering. Second, an intruder must generally penetrate two separate systems before the security of the internal network is compromised. This configuration also affords flexibility in providing direct Internet access. Its weakness is that if the packet-filtering router is completely compromised, traffic could flow directly between the Internet and other hosts on the private network, bypassing the bastion host.

Fig 8.6 Screened host firewall system (dual-homed bastion host)

The screened host firewall, dual-homed bastion configuration physically prevents such a security breach, because the bastion host has two network interfaces and all traffic must pass through it. The advantages of dual layers of security that were present in the previous configuration are present here as well. Again, an information server can be allowed direct communication with the router if this is in accord with the security policy.
The screened subnet firewall configuration is the most secure of those we have considered. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and the other between the bastion host and the internal network.

Fig 8.7 Screened subnet firewall system

This configuration offers several advantages:
+ There are now three levels of defense to thwart intruders.
+ The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet.
+ Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore the systems on the inside network cannot construct direct routes to the Internet.

Trusted Systems

In the security engineering subspecialty of computer science, a trusted system is a system that is relied upon to a specified extent to enforce a specified security policy. As such, a trusted system is one whose failure may break a specified security policy. Trusted systems are used for the processing, storage and retrieval of sensitive or classified information.

Central to the concept of U.S. Department of Defense-style "Trusted Systems" is the notion of a "reference monitor", which is an entity that occupies the logical heart of the system and is responsible for all access control decisions. Ideally, the reference monitor is (a) tamperproof, (b) always invoked, and (c) small enough to be subject to independent testing, the completeness of which can be assured. Per the U.S. National Security Agency's 1983 Trusted Computer System Evaluation Criteria (TCSEC), or "Orange Book", a set of "evaluation classes" were defined that described the features and assurances that the user could expect from a trusted system.
The highest levels of assurance were guaranteed by significant system engineering directed toward minimization of the size of the trusted computing base (TCB), defined as that combination of hardware, software, and firmware that is responsible for enforcing the system's security policy. Because failure of the TCB breaks the trusted system, higher assurance is provided by the minimization of the TCB. An inherent engineering conflict arises in higher-assurance systems: the smaller the TCB, the larger the set of hardware, software, and firmware that lies outside the TCB. This may lead to some philosophical arguments about the nature of trust, based on the notion that a "trustworthy" implementation may not necessarily be a "correct" implementation from the perspective of users' expectations.

One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.

Data Access Control

Through the user access control procedure (log on), the user is identified to the system. Associated with each user there is a profile that specifies permissible operations and file accesses. The operating system can enforce rules based on the user profile.

Access Control List: an access control list lists users and their permitted access rights. The list may contain a default or public entry. Classic Unix uses a compact form of this: everything in Unix is presented as a file, and each file's inode carries 9 permission bits (read, write and execute for owner, group and others), which act as a fixed three-entry access control list; modern Unix systems additionally support full POSIX ACLs.

Trusted Systems Concept: trusted systems protect data and resources on the basis of levels of security (e.g. military classifications). Users can be granted clearances to access certain categories of data. A trusted system need not always discriminate between levels; it can operate "system high", where every user is cleared for the highest level of data on the system.

Security Levels: multilevel security means multiple categories or levels of data. A multilevel secure system must enforce:
No read up: a subject can only read an object of lower or equal security level (BLP simple security property).
No write down: a subject can only write into an object of greater or equal security level (BLP *-property).
The system may additionally enforce discretionary security (BLP DS property). Security levels may be linear or latticed.

Reference Monitor

Fig 8.8 Reference monitor (subjects, reference monitor, objects)

The reference monitor provides multilevel security for a data processing system. It is the controlling element in the security kernel of a computer that regulates access of subjects to objects on the basis of security parameters. The reference monitor is a concept, not a thing: it enforces the security rules (no read up, no write down), and it has access to a file, the security kernel database, holding the parameters on which its decisions are based.

Reference Monitor Properties:
Complete mediation: security rules are enforced on every access.
Isolation: the reference monitor and its database are protected from unauthorized modification.
Verifiability: the reference monitor's correctness must be mathematically provable (in practice this may be where we bend the rules).

Trusted Systems: a system that can provide such verifications (properties) is referred to as a trusted system.
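The reference monitor and the two Bell-LaPadula rules, as an added Python example that is not part of the notes. Labels are (level, category set) pairs ordered as a lattice, so the monitor handles the latticed case mentioned above as well as plain linear levels; a single access() method is the one place every decision passes through (complete mediation), it combines the mandatory check with an ACL check for the DS property, and it records every decision. The users, objects, categories and access control lists are assumptions for the example.

```python
"""A reference monitor enforcing the Bell-LaPadula rules (no read up, no write down)
over a lattice of (level, category set) labels, plus the discretionary (DS) check.
Added example, not the notes' own code; subjects, objects and labels are assumed."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher or equal level AND a superset of the categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


class ReferenceMonitor:
    """Single choke point for every subject/object access (complete mediation)."""

    def __init__(self):
        self.clearances = {}        # subject -> Label       (security kernel database)
        self.classifications = {}   # object  -> Label
        self.acls = {}              # object  -> {subject: set of modes}   (DS property)
        self.audit = []             # every decision, allowed or not, is recorded

    def add_subject(self, name, clearance):
        self.clearances[name] = clearance

    def add_object(self, name, classification, acl):
        self.classifications[name] = classification
        self.acls[name] = {s: set(modes) for s, modes in acl.items()}   # "rw" -> {"r", "w"}

    def access(self, subject, obj, mode):
        """Return True only if both the mandatory (BLP) and discretionary (ACL) checks pass."""
        s, o = self.clearances[subject], self.classifications[obj]
        if mode == "r":
            mac_ok = s.dominates(o)        # simple security property: no read up
        elif mode == "w":
            mac_ok = o.dominates(s)        # *-property: no write down
        else:
            raise ValueError("unknown access mode")
        dac_ok = mode in self.acls[obj].get(subject, set())   # discretionary check
        allowed = mac_ok and dac_ok
        self.audit.append((subject, obj, mode, allowed))
        return allowed


def build_demo_monitor():
    """Assumed configuration: two categories, NUC and CRYPTO, and three users."""
    rm = ReferenceMonitor()
    rm.add_subject("clerk", Label("UNCLASSIFIED"))
    rm.add_subject("analyst", Label("SECRET", frozenset({"NUC"})))
    rm.add_subject("director", Label("TOP SECRET", frozenset({"NUC", "CRYPTO"})))
    rm.add_object("public_notice", Label("UNCLASSIFIED"),
                  {"clerk": "rw", "analyst": "rw", "director": "r"})
    rm.add_object("unit_report", Label("SECRET", frozenset({"NUC"})),
                  {"clerk": "w", "analyst": "rw"})              # director deliberately not listed
    rm.add_object("key_schedule", Label("SECRET", frozenset({"CRYPTO"})),
                  {"analyst": "r", "director": "rw"})
    return rm
```

Two of the decisions are worth tracing by hand: the analyst cannot read key_schedule even though both labels are SECRET, because {NUC} is not a superset of {CRYPTO} (the labels are incomparable in the lattice); and the director, who dominates unit_report, is still refused because the ACL does not list them, which is the DS property acting independently of the mandatory rules.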
