
L2, Firewalls

HI1023 - Network Security, basic course (Nätverkssäkerhet, gk)

KTH STH

Outline of Lecture 2
- Firewall Characteristics
- NAT (Network Address Translation)
- Port Forwarding
- Types of firewalls
- Firewall Configuration
- Trusted systems

Slide 2

Micael Lundvall

KTH STH

Firewall Characteristics
- All traffic between inside and outside must pass through the firewall.
- Only authorized traffic, as defined by local security policy, will be allowed to pass.
- The firewall itself is immune to penetration.
[Diagram: firewall placed between the untrusted public network and the trusted private network]


Four general techniques
- Service control: type of Internet service that can be accessed
- Direction control: direction of service request that may pass
- User control: user access to specified service
- Behavior control: controls how particular services are used


Firewall example, DMZ
[Diagram: Internet connected via Router 194.1.1.1 (ip_ext 194.1.1.1/32, ISDN link). DMZ: dmznet 194.1.1.0/24, ip_dmz 194.1.1.3, hosts websrv and dmz-proz. Internal network: intnet 192.168.123.0/24, ip_int 192.168.123.1, hosts int-sql, int-proc and int-mail]


NAT (Network Address Translation)
- NAT is used by a device that sits between an internal network and the rest of the world.
- NAT solves the IPv4 shortage of IP addresses (2^32 in total).
- NAT has many forms and can work in several ways.


Static NAT
Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.


Port Forwarding, Static NAT
Port Forwarding allows the router/firewall to publish one or more internal IP addresses on the external interface.
[Diagram: NAT router with external address 132.168.27.32 and internal address 10.0.0.1; 132.168.27.32:80 is forwarded to 10.0.0.11:80; internal hosts 10.0.0.11, 10.0.0.12, 10.0.0.13, 10.0.0.14 and 10.0.0.15]


Dynamic NAT
Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.


Overloading, PAT (Port Address Translation)


Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.


Port-mapped NAT (NAPT, PAT, ...)
- Can be implemented in most routers.
- Hides the private net from the public net.
- All outgoing traffic seems to come from one single address, the router's external address.
[Diagram: NAT router with internal address 10.0.0.1 and external address 132.168.27.32 between the Internet and the internal hosts 10.0.0.11 to 10.0.0.15]


Port-mapped NAT (NAPT, PAT, ...)
- NAT works with blocks of port numbers.
- Every internal PC gets a NAT port number when connecting to an external address.

Private address  Private port  External address  External port  NAT port  Used protocol
10.0.0.5         2123          128.10.19.20      80             14003     TCP
10.0.0.1         1862          128.10.19.20      80             14010     TCP
10.0.2.1         2660          207.200.75.200    21             14012     TCP
10.0.0.3         1274          128.210.1.5       53             14007     UDP
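The translation table above in working form, as an added example that is not part of the lecture: a NAPT table keyed on the slide's columns, translating outbound flows to one external address and mapping replies back. The external address 132.168.27.32 is taken from slide 11; sequential NAT-port allocation starting at 14003 and the class and function names are assumptions.

```python
# Added example (not from the lecture): a minimal port-mapped NAT (NAPT) table
# in the style of slide 12. Each outbound flow from a private host gets its own
# NAT port on the router's single external address; replies are mapped back by
# looking up (protocol, NAT port, external address, external port).

EXTERNAL_IP = "132.168.27.32"   # the router's public address on slide 11


class Napt:
    def __init__(self, first_nat_port=14003):
        self.next_port = first_nat_port   # sequential allocation is an assumption
        # (proto, private_ip, private_port, ext_ip, ext_port) -> nat_port
        self.outbound = {}
        # (proto, nat_port, ext_ip, ext_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet; allocate a NAT port for a new flow."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        nat_port = self.outbound.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.outbound[key] = nat_port
            self.inbound[(proto, nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (proto, EXTERNAL_IP, nat_port, dst_ip, dst_port)

    def translate_in(self, proto, src_ip, src_port, dst_port):
        """Rewrite an incoming packet, or return None (drop) when no flow
        matches. Unsolicited packets from the public net have no entry, which
        is the 'hides the private net' property of slide 11."""
        target = self.inbound.get((proto, dst_port, src_ip, src_port))
        if target is None:
            return None
        return (proto, src_ip, src_port, target[0], target[1])


def demo():
    """Two private hosts talk to the same web server; only the NAT port differs."""
    nat = Napt()
    a = nat.translate_out("TCP", "10.0.0.5", 2123, "128.10.19.20", 80)
    b = nat.translate_out("TCP", "10.0.0.1", 1862, "128.10.19.20", 80)
    reply = nat.translate_in("TCP", "128.10.19.20", 80, b[2])   # back to 10.0.0.1
    stray = nat.translate_in("TCP", "128.10.19.20", 80, 60000)  # no flow: dropped
    return a, b, reply, stray
```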


Overlapping
Overlapping - IP addresses used on an internal network are registered IP addresses in use on another network.


Types of firewalls
- Packet filter (PF): also referred to as Static/Stateless Packet Filter
- Stateful Inspection: also referred to as Dynamic Packet Filter
- Circuit-Layer Gateway (CLG): also referred to as proxy server
- Application-Layer Gateway (ALG)


Packet Filtering Firewall
- Set of rules in an ACL to allow or deny packets based on source and destination.
- A packet is filtered only on the information in its header. The payload is NOT examined.
[Diagram: Internet - firewall router - LAN; packet filtering is done in the router]


Packet Filter
- A packet at the Network Layer will encapsulate headers for the layers above.
- No information is held about packets that have been previously checked.
[Diagram: IP header (src address, dst address; IP layer) | TCP header (src, dst; TCP layer) | application data]


Filtering rules
- Rules are contained in a filter table or list: Access Control List (ACL).
- Rules are processed top-down. As soon as a rule matches, the action associated with this rule is performed and processing terminates.

Action  Source   Src port  Dst      Dst port  Flags
Allow   Our net  >1023     *        80        *
Allow   *        80        Our net  >1023     ACK
Deny    *        *         *        *         *
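The first-match processing of the ACL above, as an added example that is not part of the lecture. The three rules are the slide's; the "Our net" prefix 192.168.123. and the function names are assumptions.

```python
# Added example (not from the lecture): first-match processing of the filter
# table on slide 17. Rules are checked top-down; the first matching rule's
# action is returned and processing stops. Nothing is remembered between
# packets, so the only thing that lets replies in is the ACK-flag rule.

OUR_NET = "192.168.123."   # constructed: address prefix that means "Our net"
ANY = "*"

# (action, source, src port, destination, dst port, flags) as on the slide
RULES = [
    ("Allow", "Our net", ">1023", ANY,       "80",    ANY),
    ("Allow", ANY,       "80",    "Our net", ">1023", "ACK"),
    ("Deny",  ANY,       ANY,     ANY,       ANY,     ANY),
]


def _addr_match(spec, addr):
    return spec == ANY or (spec == "Our net" and addr.startswith(OUR_NET))


def _port_match(spec, port):
    if spec == ANY:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def _flags_match(spec, flags):
    return spec == ANY or spec in flags


def filter_packet(src, sport, dst, dport, flags=()):
    """Return the action of the first matching rule, as a stateless filter
    would. 'flags' holds the names of the TCP flags set in the header."""
    for action, r_src, r_sport, r_dst, r_dport, r_flags in RULES:
        if (_addr_match(r_src, src) and _port_match(r_sport, sport)
                and _addr_match(r_dst, dst) and _port_match(r_dport, dport)
                and _flags_match(r_flags, flags)):
            return action
    return "Deny"   # not reached while the table ends in a catch-all rule
```

Note that the second rule admits any packet carrying ACK from port 80 to a high port whether or not a connection exists, since a stateless filter has nothing to check it against; the stateful filter on the later slides closes that gap.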


Analysis of Stateless Filtering
- Works well when all the information needed to open a connection is held within the individual packets.
- E.g. to allow outgoing connections to any Web server, you must:
  - allow outgoing requests to establish a connection.
  - allow all subsequent packets that are part of this connection.


TCP connection
TCP can distinguish a packet that is about to open a connection from a packet that is part of an existing connection.
[Diagram: opening a connection (port > 1023 -> port 80) versus an existing connection (port > 1023 <-> port 80)]


Fragmentation
- Sometimes IP packets arrive fragmented. The original packet may have been too large for a link.
- Fragmented packets are a problem for stateless filtering: not all fragments contain the TCP header.


Fragmentation
[Diagram: 1. Packet sent: IP | TCP | Data. 2. Packet is fragmented at a router: IP1 | TCP | Data and IP2 | Data (Network Layer). 3. Packet received and reassembled at the destination: IP | TCP | Data]


UDP
UDP headers do not hold enough information for effective stateless filtering. An incoming packet may be either a request, or a response to a previous outgoing packet.
[Diagram: client (port > 1023) sends to server (port 53); the server's reply (port 53 -> port > 1023) and a new, unsolicited packet (port 53 -> port > 1023) look alike]


Stateful Packet Filter
- Can allow or deny packets based on:
  - information in the current packet.
  - information in previously transmitted packets.
- Remembers state information about the communication from previous packets.


Stateful Packet Filter
- Maintains a table of active TCP sessions and UDP "pseudo" sessions.
- Each entry records the session's:
  - source and destination IP address
  - source and destination port numbers
  - the current TCP sequence number


Connection State Table

Src Addr      Src Port  Dst Addr      Dst Port  Connection
192.168.1.10  1054      210.9.88.23   80        Established
192.168.1.11  1055      216.32.42.12  80        Established
192.168.1.12  1056      173.32.42.89  25        Established

- Entries are created for TCP connections or UDP streams that pass the rules in the ACL.
- Packets associated with these sessions are permitted to pass without an ACL check.


Stateful Packet filter
Resolving a DNS query:
1. The client resolves a DNS query.
2. Packet to UDP port 53 on the DNS server.
3. The stateful filter checks the packet going out and creates a rule allowing replies within a limited time.
4. DNS reply allowed.
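The connection state table of slide 25 and the DNS pseudo-session of slide 26 in code, as an added example that is not part of the lecture. The ACL, the 30-second reply window and all names are assumptions, and the slide's TCP sequence-number tracking is left out to keep the example short.

```python
# Added example (not from the lecture): the connection state table of slide 25
# combined with the UDP "pseudo session" of slide 26. A packet that passes the
# ACL creates an entry; later packets of that session, in either direction, are
# allowed by table lookup alone. UDP entries expire after a short time.

import time
UDP_TIMEOUT = 30.0   # constructed value: seconds to wait for a UDP reply


class StatefulFilter:
    def __init__(self, acl, now=time.monotonic):
        self.acl = acl      # callable(proto, src, sport, dst, dport) -> bool
        self.now = now      # injectable clock so the timeout can be tested
        self.table = {}     # (proto, src, sport, dst, dport) -> expiry or None

    def _lookup(self, proto, src, sport, dst, dport):
        """True if the packet belongs to a live session (either direction)."""
        t = self.now()
        for key in ((proto, src, sport, dst, dport), (proto, dst, dport, src, sport)):
            if key not in self.table:
                continue
            expiry = self.table[key]
            if expiry is None or expiry > t:   # TCP entries never time out here
                return True
            del self.table[key]                # stale UDP pseudo session
        return False

    def check(self, proto, src, sport, dst, dport):
        """Return 'Allow' or 'Deny'. Known sessions skip the ACL entirely."""
        if self._lookup(proto, src, sport, dst, dport):
            return "Allow"
        if not self.acl(proto, src, sport, dst, dport):
            return "Deny"
        expiry = self.now() + UDP_TIMEOUT if proto == "UDP" else None
        self.table[(proto, src, sport, dst, dport)] = expiry
        return "Allow"


def internal_to_dns_or_web(proto, src, sport, dst, dport):
    """Constructed ACL: inside hosts may open sessions to port 53 or 80."""
    return src.startswith("192.168.1.") and dport in (53, 80)


def dns_demo(clock=time.monotonic):
    """Walk through slide 26: query out, reply in, unsolicited packet denied."""
    fw = StatefulFilter(internal_to_dns_or_web, now=clock)
    query = fw.check("UDP", "192.168.1.10", 1054, "10.9.8.7", 53)
    reply = fw.check("UDP", "10.9.8.7", 53, "192.168.1.10", 1054)
    stray = fw.check("UDP", "10.9.8.7", 53, "192.168.1.11", 1054)
    return query, reply, stray
```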


Fragmentation
- Fragments are reassembled for inspection.
- Unexpected fragments can be detected and dropped by the filter.
[Diagram: 1. A denial-of-service attack floods the network with fragments (Fragment 1, Fragment 2, ... Fragment n); no filtering on fragments at the router. 2. The stateful filter inspects and attempts to reassemble the fragments into a packet; if that fails, the fragment is denied before it reaches the internal network]
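An added reassembly step (not the lecture's code) covering both fragmentation slides: why a stateless filter cannot read ports from any fragment but the first, and how a stateful filter reassembles before inspection and denies what will not reassemble. The fragment tuple layout, byte offsets instead of 8-byte units, the pending-fragment limit and all names are assumptions.

```python
# Added example (not from the lecture): the reassembly step of slide 27, with
# the stateless problem of slide 20 visible in the same code. A fragment is
# (ip_id, offset, more_fragments, payload); offsets are in bytes here rather
# than IP's 8-byte units to keep the example short.

MAX_PENDING = 8       # constructed limit: fragments held per IP id
TCP_HEADER_LEN = 20


def has_transport_header(fragment):
    """Only the first fragment (offset 0) carries the TCP header, so a
    stateless filter cannot read the ports of any later fragment."""
    _, offset, _, payload = fragment
    return offset == 0 and len(payload) >= TCP_HEADER_LEN


class Reassembler:
    def __init__(self):
        self.pending = {}   # ip_id -> list of (offset, more_fragments, payload)

    def add(self, fragment):
        """Return ('pass', datagram) once a datagram is complete, ('hold', None)
        while fragments are still missing, or ('deny', None) when the fragments
        cannot form a packet (overlap, misplaced last fragment, or a flood)."""
        ip_id, offset, more, payload = fragment
        frags = self.pending.setdefault(ip_id, [])
        frags.append((offset, more, payload))
        if len(frags) > MAX_PENDING:
            del self.pending[ip_id]
            return ("deny", None)
        frags.sort()
        expected = 0
        for i, (off, mf, data) in enumerate(frags):
            if off < expected or (not mf and i != len(frags) - 1):
                del self.pending[ip_id]
                return ("deny", None)
            if off > expected:
                return ("hold", None)
            expected += len(data)
        if frags[-1][1]:            # more_fragments still set on the tail
            return ("hold", None)
        del self.pending[ip_id]
        return ("pass", b"".join(d for _, _, d in frags))
```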


Firewall Builder


Juniper firewall


Stateful Inspection Packet Filter
- SPF with inspection modules.
- Checks if the session opened really seems to be the protocol corresponding to the used port. If not, the session is terminated.
- E.g. the HTTP inspection module checks if the first line of a TCP request on port 80 starts with the characters PUT, POST or GET.
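The HTTP inspection module described above, as an added example that is not part of the lecture. The method list is the slide's; the buffering of a partial first line, the line-length cap, the session key and all names are assumptions.

```python
# Added example (not from the lecture): an HTTP inspection module in the spirit
# of slide 30. It watches the first bytes a client sends on a port-80 session
# and terminates the session unless the first line starts with one of the
# methods the slide names. Bytes are buffered until a whole line has arrived,
# because the first TCP segment need not contain the complete request line.

ALLOWED_METHODS = (b"GET", b"POST", b"PUT")   # the slide's list; real HTTP has more
MAX_LINE = 8192   # constructed cap so a stream without newlines cannot buffer forever


class HttpInspector:
    def __init__(self):
        self.buffers = {}    # session key -> bytes seen before a verdict
        self.verdicts = {}   # session key -> "ok" or "terminated"

    def inspect(self, session, data):
        """Feed client->server bytes of one session. Returns 'pending' while
        the first line is incomplete, otherwise the sticky verdict 'ok' or
        'terminated' (a terminated session gets no more data through)."""
        if session in self.verdicts:
            return self.verdicts[session]
        buf = self.buffers.get(session, b"") + data
        newline = buf.find(b"\n")
        if newline == -1:
            if len(buf) > MAX_LINE:
                return self._finish(session, "terminated")
            self.buffers[session] = buf
            return "pending"
        first_line = buf[:newline]
        # method followed by a space, as in "GET /index.html HTTP/1.0"
        ok = any(first_line.startswith(m + b" ") for m in ALLOWED_METHODS)
        return self._finish(session, "ok" if ok else "terminated")

    def _finish(self, session, verdict):
        self.buffers.pop(session, None)
        self.verdicts[session] = verdict
        return verdict
```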


Circuit-Level Gateway
- Hides the internal network by providing a communication endpoint for clients and servers.
- Normally added as a service on a well-known port number.
- All connections through the firewall must be relayed through this port.


Operation of a CLG
1. Client connects to the CLG and specifies the destination host.
2. CLG connects to the destination host if allowed by the policy.
3. Data is copied between the two connections.
[Diagram: client 10.1.1.4 -> CLG (inside address 10.1.1.1, outside address 130.1.2.1; relays at the Transport Layer, routing disabled at the Network Layer) -> server 123.1.2.3]


CLG Connections
- Information is stored within the circuit-level gateway about the connections.
- Each client connection gets a unique port number.
- Can distinguish connections for all clients.

Connection A: Client 10.1.1.4 -> CLG 10.1.1.1 port 1080
Connection B: CLG 130.1.2.1 port 4711 -> 123.1.2.3 port 80


CLG Connections
- Can be used for both incoming and outgoing connections.
- Requires special client configuration.
- Can use any port number.
- SOCKS is the standard implementation for a circuit-level gateway.


Application-Level Gateway
- Acts as a relay of application-level traffic between clients and servers for specific applications.
- Requires a separate ALG for each protocol.
- Does not provide the service itself. It acts as the client to the real server.


ALG content filtering
- Can check or filter protocol content.
- Can filter HTML tags to block JavaScript, Java or ActiveX.
- Checks for viruses.
- Checks for illegal content and usage.
- Could affect performance.
- Provides integration with content and URL-filtering software.


Operation of an ALG
1. Client connects to the ALG and specifies the destination host.
2. The ALG acts as the client to make a connection to the server, depending on its policy.
3. Data can be processed before being passed between the two connections.
[Diagram: client 10.1.1.4 -> ALG (inside address 10.1.1.1, outside address 130.1.2.1; works at the Transport Layer, routing disabled at the Network Layer) -> server 123.1.2.3]


Bastion Host
- A system identified by the firewall administrator as a critical strongpoint in the network's security.
- Typically a platform with a hardened OS for an ALG or CLG.


Screened host firewall system (single homed)
- From the Internet: only IP packets destined for the bastion host are allowed in.
- From the internal network: only packets from the bastion host are allowed out.
- Direct Internet access with the IS (information server) may be allowed.
[Diagram: Internet - packet filter (first line of defence) - bastion host and information server on the private network]


Screened host firewall system (dual homed)
- From the Internet: only IP packets destined for the bastion host are allowed in.
- From the internal network: only packets from the bastion host are allowed out.
- Direct Internet access with the IS (information server) may be allowed.
[Diagram: Internet - packet filter (first line of defence) - dual-homed bastion host, with the information server and the private network behind it]


Screened subnet firewall system (three levels of defense)
- Both the Internet and the private network have access to hosts on the screened subnet.
- The private network is hidden from the Internet.
- Traffic across the screened network is blocked in both directions.
[Diagram: Internet - packet filter (first line of defence) - screened subnet with bastion host and information server - packet filter - private network]


Trusted Systems
- Defence against intruders and malicious programs.
- Data access control
- User access control
- Permissions to operations and file access
- All access data is saved in an access matrix
- Critical operations are logged


Access Control Structure
Elements of the access matrix:
- Subject: users, groups, applications
- Object: files, programs, segments of memory
- Access rights: read, write, execute


Summary
- To get a secure system you need to design a combination of different components.
- Defence in depth.
- There is no standard solution for every company.
- Price/performance.
