
Firewalling Techniques

Prabhaker Mateti

Acknowledgement

Not Linux specific. Some figures are from 3Com.

Components of the Firewall System

Bastion host
Packet-filtering router
Application-level gateway (or proxy server)
Circuit-level gateway

Dual Homed Gateway

A system that has two or more network interfaces, each of which is connected to a different network.

Acts to block or filter some or all of the traffic trying to pass between the networks.

Bastion Host

Runs a general-purpose operating system that has been hardened to resist attack.

Proxy services

Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.

Circuit Relay

Determines whether the connection is valid according to its rules; if so, it opens a session and permits traffic only from the allowed source, and possibly only for a limited period of time.

Whether a connection is valid is based upon:

destination IP address and/or port
source IP address and/or port
time of day
protocol
user
password

Demilitarized Zone (DMZ)

A neutral zone between the private LAN and the public Internet. FTP servers, Web servers and the like are located in the DMZ.

Location of a Firewall

[Figure: untrusted network, external LAN, firewall, internal LAN; the DMZ between them hosts the www and SMTP servers.]

An Application Gateway: Problem

Allow select internal users to telnet outside. Users authenticate themselves to the gateway to create the telnet connection. A gateway used in this sense is different from a standard (routing) gateway.

An Application Gateway: Solution

The router filter blocks all telnet connections not originating from the gateway. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the two connections.

[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter.]
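Example code added here (not from the slides): a minimal application gateway in Python that first authenticates the user and only then opens the gateway-to-remote session and relays bytes between it and the host-to-gateway session. The credential store and the socketpair stand-ins in demo() are constructed assumptions; in use, connect_remote would open a real TCP connection to the destination host.

```python
import hmac
import select
import socket
import threading

AUTHORIZED = {"alice": "example-pass"}   # constructed credential store (assumption)

def authenticate(user: str, password: str) -> bool:
    """Users must authenticate to the gateway before any outside connection is made."""
    return user in AUTHORIZED and hmac.compare_digest(AUTHORIZED[user], password)

def relay(a: socket.socket, b: socket.socket) -> int:
    """Copy bytes between the two sessions until either side closes; returns bytes moved."""
    peer = {a: b, b: a}
    total = 0
    try:
        while True:
            readable, _, _ = select.select(list(peer), [], [])
            for s in readable:
                data = s.recv(4096)
                if not data:              # one side hung up: tear down both sessions
                    return total
                peer[s].sendall(data)
                total += len(data)
    finally:
        a.close()
        b.close()

def gateway_session(client: socket.socket, user: str, password: str, connect_remote) -> bool:
    """Authenticate the user, then open the gateway-to-remote session and relay."""
    if not authenticate(user, password):
        client.close()                    # unauthorised users never reach the outside
        return False
    remote = connect_remote()             # e.g. socket.create_connection((dest_host, 23))
    threading.Thread(target=relay, args=(client, remote), daemon=True).start()
    return True

def demo() -> dict:
    """Constructed demo: two socketpairs stand in for the two Telnet sessions."""
    client, gw_in = socket.socketpair()   # host-to-gateway session
    gw_out, remote = socket.socketpair()  # gateway-to-remote host session
    ok = gateway_session(gw_in, "alice", "example-pass", lambda: gw_out)
    client.sendall(b"open sesame")
    to_remote = remote.recv(64)
    remote.sendall(b"login: ")
    to_client = client.recv(64)
    client.close()                        # user disconnects; the relay shuts both sides
    return {"auth": ok, "to_remote": to_remote, "to_client": to_client,
            "denied": authenticate("mallory", "guess")}
```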

Packet Filtering Router

Decides not only how a packet should be forwarded, but whether it should be forwarded at all.

Not the best choice when detailed protocol knowledge is required for the decision; a proxy may be a better choice there.

Lots of leverage, as all hosts behind the router are protected.

Can provide unique capabilities:

Rejecting forged internal or external packets (address spoofing)
Recognition of malformed packets

Packet-Filtering Router

Service-Dependent Filtering

Some typical filtering rules include:

Permit incoming Telnet sessions only to a specific list of internal hosts
Permit incoming FTP sessions only to specific internal hosts
Permit all outbound Telnet sessions
Permit all outbound FTP sessions
Deny all incoming traffic from specific external networks

Service-Independent Filtering

Source IP Address Spoofing Attacks.
Source Routing Attacks.
Tiny Fragment Attacks. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1.

Defining packet filters can be a complex task


Generally, the packet throughput of a router decreases as the number of filters increases.

Filtering by Service

Characteristics of an internal-to-external telnet connection:

Source is inside, destination is outside, protocol is TCP, destination port 23, source port > 1023, first packet is an outbound SYN.

An external-to-internal connection has the opposite characteristics.

Risk: trusting the port implies trusting the server on that port. Any service can be run on any port by root; a connection can be originated from port 23, for example.
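Example code added here (not from the slides): a stateless packet filter in Python that applies the service-independent checks above (address spoofing, the TCP fragment-offset-1 rule, denied external networks) before the service-dependent Telnet and FTP rules, using the telnet connection characteristics from this slide, including the ACK-bit check that lets replies to outbound sessions in while dropping bare SYNs sent from source port 23. The address block, host lists and denied network are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy; the address block, host lists and denied network are assumptions.
INTERNAL = ip_network("10.0.0.0/8")
TELNET_HOSTS = {ip_address("10.0.0.5")}        # may receive inbound Telnet
FTP_HOSTS = {ip_address("10.0.0.6")}           # may receive inbound FTP
DENIED_EXTERNAL = [ip_network("192.0.2.0/24")]

@dataclass
class Packet:
    iface: str            # "ext": arrived from the Internet, "int": arrived from the LAN
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # IP Fragment Offset field (0 = first or only fragment)

def decide(p: Packet) -> str:
    """Stateless decision for one packet: 'permit' or 'drop: <reason>'."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Service-independent filtering comes first.
    if p.iface == "ext" and src in INTERNAL:
        return "drop: spoofed internal source"    # address spoofing from outside
    if p.iface == "int" and src not in INTERNAL:
        return "drop: forged external source"     # our hosts spoofing others
    if p.proto == "tcp" and p.frag_offset == 1:
        return "drop: tiny fragment"              # TCP header split across fragments
    if any(src in net for net in DENIED_EXTERNAL):
        return "drop: denied external network"
    if p.proto != "tcp":
        return "drop: protocol not permitted"
    # Service-dependent filtering: Telnet (23) and FTP control (21) only.
    if p.iface == "ext":
        if p.dport == 23 and dst in TELNET_HOSTS:
            return "permit"                       # inbound Telnet to listed hosts
        if p.dport == 21 and dst in FTP_HOSTS:
            return "permit"                       # inbound FTP to listed hosts
        if p.sport in (21, 23) and p.dport > 1023 and p.ack:
            return "permit"                       # replies to outbound sessions (ACK set)
        return "drop: no rule"                    # includes bare SYNs sent *from* port 23
    if dst not in INTERNAL and p.dport in (21, 23) and p.sport > 1023:
        return "permit"                           # all outbound Telnet and FTP
    if src in TELNET_HOSTS | FTP_HOSTS and p.sport in (21, 23) and p.ack:
        return "permit"                           # our servers answering inbound sessions
    return "drop: no rule"
```

Active-mode FTP data connections (server port 20 connecting back to the client) are not covered by these rules; that is one of the cases where the slides suggest a proxy is the better choice.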

Security Policy

It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent. [From a web-based article]

Security Policy Describes a Perimeter Defense

A Connection Circumventing an Internet Firewall

Benefits of an Internet Firewall

Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet.
Firewalls offer a convenient point where Internet security can be monitored and alarms generated.
An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).
An Internet firewall is the perfect point to audit or log Internet usage.
An Internet firewall can also offer a central point of contact for information delivery service to customers.

Limitations of an Internet Firewall

Creates a single point of failure.
Cannot protect against attacks that do not go through the firewall.
Cannot protect against the types of threats posed by traitors or unwitting users.
Cannot protect against the transfer of virus-infected software or files.
Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.

Limitations of firewalls and gateways

IP spoofing: a router cannot know whether data really comes from the claimed source.

If multiple applications need special treatment, each needs its own application gateway, and the client software must know how to contact the gateway (e.g., the proxy's IP address must be set in the Web browser).

Tradeoff: the degree of communication with the outside world versus the level of security.

Performance problem: filtering and proxying cost throughput.

Three Myths of Firewalls

1. Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own back doors, using modems, terminal servers, or programs such as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.

2. Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and that everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.

3. Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.
