Figure 5-1: Border Firewall (Packet Inspection)


Figure 5-1: Border Firewall (figure; recoverable labels)
  1. Internet (Not Trusted): Attacker, Legitimate User; Internal Corporate Network (Trusted)
  2. Internet Border Firewall
  3. Attack Packet
  4. Dropped Packet (Ingress), recorded in the Log File
  5. Legitimate Packet: Passed Legitimate Packet (Ingress)
  6. Attack Packet that Got Through the Firewall reaches a Hardened Client PC or Hardened Server (Hardened Hosts Provide Defense in Depth)
  7. Passed Packet (Egress); Dropped Packet (Egress), recorded in the Log File

Figure 5-2: Types of Firewall Inspection

Packet Inspection
  Examines IP, TCP, UDP, and ICMP headers
  Static packet inspection (described later)
  Stateful inspection (described later)

Application Inspection
  Examines application layer messages

Network Address Translation (NAT)
  Hides IP addresses and port numbers

Virtual Private Network (VPN) Handling
  VPNs are protected packet streams (see Chapter 8)
  Packets are encrypted for confidentiality, so firewall inspection is impossible
  VPNs typically bypass firewalls, making border security weaker

Denial-of-Service (DoS) Inspection
  Detects and stops DoS attacks

Authentication
  Requires senders to authenticate themselves

Hybrid Firewalls
  Most firewalls offer more than one type of filtering
  However, firewalls normally do not do antivirus filtering
  Some firewalls pass packets to antivirus filtering servers

Firewalls
  Firewall Hardware and Software
    Screening router firewalls
    Computer-based firewalls
    Firewall appliances
    Host firewalls (firewalls on clients and servers)
  Inspection Methods
  Firewall Architecture
  Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls
  Add firewall software to the router
  Usually provide light filtering only
  Expensive for the processing power; usually must upgrade the hardware, too
  Screen out the incoming noise of simple scanning attacks to make the detection of serious attacks easier
  Good location for egress filtering; can eliminate scanning responses, even from the router itself

Computer-Based Firewalls
  Add firewall software to a server with an existing operating system: Windows or UNIX
  Can be purchased with enough power to handle any load
  Easy to use because administrators already know the operating system
  Firewall vendor might bundle firewall software with hardened hardware and operating system software
  General-purpose operating systems result in slower processing
  Security: attackers may be able to hack the operating system
    Change filtering rules to allow attack packets in
    Change filtering rules to drop legitimate packets

Firewall Appliances
  Boxes with minimal operating systems
  Therefore, difficult to hack
  Setup is minimal
  Not customized to the specific firm's situation
  Must be able to update

Host Firewalls
  Installed on the hosts themselves (servers and sometimes clients)
  Enhanced security because of host-specific knowledge
    For example, filter out everything but webserver transmissions on a webserver
  Defense in depth
    Normally used in conjunction with other firewalls
    Although on a single host computer attached to the Internet, it might be the only firewall
  The firm must manage many host firewalls
    If not centrally managed, configuration can be a nightmare
    Especially if rule sets change frequently
  Client firewalls typically must be configured by ordinary users
    Users might misconfigure or reject the firewall
    Need to centrally manage remote employee computers

Perspective
  Computer-Based Firewall: a firewall based on a computer with a full operating system
  Host Firewall: a firewall on a host (client or server)

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering
  Performance Requirements are driven by:
    Traffic Volume (Packets per Second)
    Complexity of Filtering: number of filtering rules, complexity of rules, etc.
  If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them

Firewalls
  Firewall Hardware and Software
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
    IPSs
  Firewall Architecture
  Configuring, Testing, and Maintenance

Figure 5-5: Static Packet Filter Firewall (figure; recoverable labels)
  Static Packet Filter Firewall between the Corporate Network and the Internet; each Permit (Pass) or Deny (Drop) decision is written to a Log File
  Arriving packets: IP-H + TCP-H + Application Message; IP-H + UDP-H + Application Message; IP-H + ICMP-H + ICMP Message
  Only IP, TCP, UDP and ICMP Headers Examined
  Arriving Packets Examined One at a Time, in Isolation; This Misses Many Attacks

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router
  1. If source IP address = 10.*.*.*, DENY [private IP address range]
  2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
  3. If source IP address = 192.168.*.*, DENY [private IP address range]
  4. If source IP address = 60.40.*.*, DENY [firm's internal address range]
  5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
  6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
  7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
  8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
  9. If TCP destination port = 20, DENY [FTP data connection]
  10. If TCP destination port = 21, DENY [FTP supervisory control connection]
  11. If TCP destination port = 23, DENY [Telnet data connection]
  12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
  13. If TCP destination port = 513, DENY [UNIX rlogin without password]
  14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
  15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
  16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
  17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
  DENY ALL

DENY ALL
  Last rule
  Drops any packets not specifically permitted by earlier rules
  In the previous ACL, Rules 8-17 are not needed; Deny All would catch them

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router
  1. If source IP address = 10.*.*.*, DENY [private IP address range]
  2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
  3. If source IP address = 192.168.*.*, DENY [private IP address range]
  4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
     (Rules 1-3 are not needed because of this rule)
  5. If ICMP Type = 8, PASS [allow outgoing echo messages]
  6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
  7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
  8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver responses]
     (Needed because the next rule stops all packets from well-known port numbers)
  9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
  10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
  11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
  12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
  13. DENY ALL
     (No need for Rules 9-12)
  Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not.
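To make the first-match semantics of the two ACLs concrete, here is an added Python example (my own code, not code from the slides or the textbook). It encodes the ingress rules of Figure 5-6 and the egress rules of Figure 5-7 as ordered lists with the implicit DENY ALL at the end, and runs constructed packets through them. The webserver address 60.47.3.9, the address ranges and the rule numbers come from the slides; the ephemeral range is coded as 49152 through 65535 (the slides print 65,536, but a port number cannot exceed 65535), and the sample addresses 5.6.7.8 and 60.47.5.5 are constructed for the demonstration.

```python
"""Static packet filter: first-match evaluation of the Figure 5-6 ingress ACL and
the Figure 5-7 egress ACL.  Added example; not code from the slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a static packet filter looks at (Figure 5-5)."""
    src: str
    dst: str
    proto: str                          # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flag names that are set, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None


Match = Callable[[Packet], bool]
Rule = Tuple[str, Match, str]           # (action, predicate, rule label)


def src_in(net: str) -> Match:
    network = ip_network(net)
    return lambda p: ip_address(p.src) in network

def flags(**want: bool) -> Match:
    """flags(SYN=True, ACK=False) matches TCP packets whose bits have exactly those values."""
    return lambda p: p.proto == "TCP" and all((f in p.flags) == v for f, v in want.items())

def dport(proto: str, lo: int, hi: Optional[int] = None) -> Match:
    hi = lo if hi is None else hi
    return lambda p: p.proto == proto and lo <= p.dport <= hi

def sport(proto: str, lo: int, hi: int) -> Match:
    return lambda p: p.proto == proto and lo <= p.sport <= hi

def icmp(type_: int) -> Match:
    return lambda p: p.proto == "ICMP" and p.icmp_type == type_


WEBSERVER = "60.47.3.9"                 # public webserver address from the slides
FIRM = src_in("60.47.0.0/16")           # the firm's address block (egress rule 4)

INGRESS: List[Rule] = [                 # Figure 5-6; rule numbers follow the slide
    ("DENY", src_in("10.0.0.0/8"), "1 private source"),
    ("DENY", src_in("172.16.0.0/12"), "2 private source"),
    ("DENY", src_in("192.168.0.0/16"), "3 private source"),
    ("DENY", src_in("60.40.0.0/16"), "4 firm's internal range (60.40.*.* as printed)"),
    ("DENY", src_in("1.2.3.4/32"), "5 black-holed attacker"),
    ("DENY", flags(SYN=True, FIN=True), "6 crafted SYN/FIN packet"),
    ("PASS", lambda p: p.proto == "TCP" and p.dst == WEBSERVER and p.dport in (80, 443),
     "7 public webserver"),
    ("DENY", flags(SYN=True, ACK=False), "8 connection attempt from outside"),
    ("DENY", dport("TCP", 20), "9 FTP data"),
    ("DENY", dport("TCP", 21), "10 FTP control"),
    ("DENY", dport("TCP", 23), "11 Telnet"),
    ("DENY", dport("TCP", 135, 139), "12 NetBIOS"),
    ("DENY", dport("TCP", 513), "13 rlogin"),
    ("DENY", dport("TCP", 514), "14 rsh"),
    ("DENY", dport("TCP", 22), "15 SSH"),
    ("DENY", dport("UDP", 69), "16 TFTP"),
    ("PASS", icmp(0), "17 incoming echo reply"),
]

EGRESS: List[Rule] = [                  # Figure 5-7; rule numbers follow the slide
    ("DENY", src_in("10.0.0.0/8"), "1 private source"),
    ("DENY", src_in("172.16.0.0/12"), "2 private source"),
    ("DENY", src_in("192.168.0.0/16"), "3 private source"),
    ("DENY", lambda p: not FIRM(p), "4 source not in the firm's address range"),
    ("PASS", icmp(8), "5 outgoing echo request"),
    ("DENY", lambda p: p.proto == "ICMP", "6 any other outgoing ICMP"),
    ("DENY", flags(RST=True), "7 outgoing reset (scan response)"),
    ("PASS", lambda p: p.proto == "TCP" and p.src == WEBSERVER and p.sport in (80, 443),
     "8 public webserver responses"),
    ("DENY", sport("TCP", 0, 49151), "9 well-known or registered source port"),
    ("DENY", sport("UDP", 0, 49151), "10 well-known or registered source port"),
    ("PASS", sport("TCP", 49152, 65535), "11 ephemeral client port"),
    ("PASS", sport("UDP", 49152, 65535), "12 ephemeral client port"),
]


def evaluate(acl: List[Rule], packet: Packet) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching rule decides.  When nothing
    matches, the implicit last rule DENY ALL applies, as on both slides."""
    for action, matches, label in acl:
        if matches(packet):
            return action, label
    return "DENY", "DENY ALL (default)"


def log_decisions(acl: List[Rule], packets: List[Packet]) -> List[str]:
    """One log-file line per packet, as the firewall would write it."""
    lines = []
    for p in packets:
        action, label = evaluate(acl, p)
        lines.append(f"{action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{label}]")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic (not from the slides): external host 5.6.7.8
    sample = [Packet("5.6.7.8", WEBSERVER, "TCP", 40000, 80, frozenset({"SYN"})),
              Packet("5.6.7.8", WEBSERVER, "TCP", 40000, 22, frozenset({"SYN"}))]
    print("\n".join(log_decisions(INGRESS, sample)))
```

Running the sample shows why rule order matters: a SYN to the webserver on port 80 is passed by rule 7 before rule 8 can deny it, whereas the same SYN to port 22 is denied by rule 8 and never reaches rule 15. Removing rules 9 to 16 changes no decision, because rule 8 already denies every externally initiated TCP connection and the final DENY ALL catches the rest.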

Firewalls
  Firewall Hardware and Software
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
  Firewall Architecture
  Configuring, Testing, and Maintenance

Figure 5-8: Stateful Inspection Firewalls

Default Behavior
  Permit connections initiated by an internal host (Automatically Accept Connection Attempt)
  Deny connections initiated by an external host (Automatically Deny Connection Attempt)
  Can change the default behavior with an ACL

State of Connection: Open or Closed
  State: the order of a packet within a dialog
  Often simply whether the packet is part of an open connection

Stateful Firewall Operation
  If a connection is accepted, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  Accept future packets between these hosts and ports with no further inspection
  This can miss some attacks, but it catches almost everything except attacks based on application message content
  For UDP, also record the two IP addresses and port numbers in the state table

Connection Table (Figure 5-8)
  Type  Internal IP   Internal Port  External IP   External Port  Status
  TCP   60.55.33.12   62600          123.80.5.34   80             OK
  UDP   60.55.33.12   63206          1.8.33.4      69             OK

Figure 5-9: Stateful Inspection Firewall Operation I (figure; recoverable labels)
  Internal Client PC 60.55.33.12; Stateful Firewall; External Webserver 123.80.5.34
  Note: Outgoing Connections Allowed By Default
  1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80
  2. Establish Connection (Connection Table row added: TCP, 60.55.33.12, 62600, 123.80.5.34, 80, OK)
  3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:80
  4. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600
  5. Check Connection: OK; Pass the Packet
  6. TCP SYN/ACK Segment From: 123.80.5.34:80 To: 60.55.33.12:62600

Static Packet Filter Firewalls are Stateless
  Filter one packet at a time, in isolation
  If a TCP SYN/ACK segment arrives, cannot tell whether there was a previous SYN to open a connection; stateful firewalls can (Figure 5-10)
  Cannot deal with port-switching applications; stateful firewalls can (Figure 5-11)

Figure 5-10: Stateful Firewall Operation II (figure; recoverable labels)
  Attacker spoofing External Webserver 10.5.3.4; Stateful Firewall; Internal Client PC 60.55.33.12
  1. Spoofed TCP SYN/ACK Segment From: 10.5.3.4:80 To: 60.55.33.12:64640
  2. Check Connection Table: No Connection Match: Drop
  Connection Table
    Type  Internal IP   Internal Port  External IP   External Port  Status
    TCP   60.55.33.12   62600          123.80.5.34   80             OK
    UDP   60.55.33.12   63206          222.8.33.4    69             OK

Figure 5-11: Port-Switching Applications with Stateful Firewalls (figure; recoverable labels)
  Internal Client PC 60.55.33.12; Stateful Firewall; External FTP Server 123.80.5.34
  1. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21
  2. Establish Connection (State Table, Step 2: TCP, 60.55.33.12, 62600, 123.80.5.34, 21, OK)
  3. TCP SYN Segment From: 60.55.33.12:62600 To: 123.80.5.34:21
  4. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600; Use Ports 20 and 55336 for Data Transfers
  5. To Allow, Establish Second Connection (State Table, Step 5: TCP, 60.55.33.12, 55336, 123.80.5.34, 20, OK)
  6. TCP SYN/ACK Segment From: 123.80.5.34:21 To: 60.55.33.12:62600; Use Ports 20 and 55336 for Data Transfers

Stateful Inspection Access Control Lists (ACLs)
  Primarily allow or deny applications (port numbers)
  Simple because there is no need for probe packet rules; probes are dropped automatically
  The simplicity of stateful firewalls gives speed and therefore low cost
  Stateful firewalls are dominant today for the main corporate border firewalls
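The connection-table behaviour of Figures 5-8 to 5-11 (outgoing connection recorded and its replies passed, an unsolicited SYN/ACK dropped, a UDP row, and the second FTP connection pre-opened) can be replayed in code. The following is an added Python example of my own, not code from the slides. The addresses and ports are the ones printed on the figures; the internal block 60.55.33.0/24 is an assumption, since the slides only give the host address 60.55.33.12. One generalisation: Figure 5-11 shows the data-port announcement as part of the server's SYN/ACK, while this example parses the client's FTP PORT command, which is how active-mode FTP actually announces the data port (the PORT arguments 216,40 decode to the figure's port 55336).

```python
"""Stateful inspection with a connection table (Figures 5-8 to 5-11).
Added example; not code from the slides."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}
    payload: str = ""                   # application data; inspected only on FTP control


# Connection-table row in the column order of the slides:
# (Type, Internal IP, Internal Port, External IP, External Port) -> Status
Row = Tuple[str, str, int, str, int]

# Active-mode FTP "PORT h1,h2,h3,h4,p1,p2" announces client IP h1-h4 and port p1*256+p2
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class StatefulFirewall:
    def __init__(self, internal_net: str):
        self.internal = ip_network(internal_net)
        self.table: Dict[Row, str] = {}
        self.log: List[str] = []

    def is_internal(self, ip: str) -> bool:
        return ip_address(ip) in self.internal

    def row_for(self, p: Packet) -> Row:
        """Normalise a packet travelling in either direction to its table row."""
        if self.is_internal(p.src):
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        row = self.row_for(p)
        outbound = self.is_internal(p.src)
        opening = p.proto == "UDP" or ("SYN" in p.flags and "ACK" not in p.flags)
        if row in self.table:
            verdict = "PASS"            # known connection: no further inspection
        elif outbound and opening:
            self.table[row] = "OK"      # default: permit internally initiated connections
            verdict = "PASS"
        else:
            # default: deny anything an external host initiates, including a SYN/ACK
            # that matches no earlier SYN (the spoofed segment of Figure 5-10)
            verdict = "DROP"
        if verdict == "PASS" and p.payload:
            self._track_ftp(p, row)
        self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict

    def _track_ftp(self, p: Packet, row: Row) -> None:
        """Port switching (Figure 5-11): when the client announces its data port on the
        FTP control connection (external port 21), pre-open the second connection so the
        server's SYN from port 20 is accepted even though it is externally initiated."""
        m = PORT_CMD.match(p.payload)
        if row[4] != 21 or not m:
            return
        client_ip = ".".join(m.group(i) for i in range(1, 5))
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        self.table[("TCP", client_ip, data_port, row[3], 20)] = "OK"

    def rows(self) -> List[Tuple[str, str, int, str, int, str]]:
        """The connection table as printed on the slides, one tuple per row."""
        return [row + (status,) for row, status in self.table.items()]


def replay_figures() -> List[str]:
    """Replay the packet sequences of Figures 5-9, 5-10 and 5-11 through one firewall."""
    fw = StatefulFirewall("60.55.33.0/24")   # assumed internal block holding 60.55.33.12
    client, server = "60.55.33.12", "123.80.5.34"
    seq = [
        Packet("TCP", client, 62600, server, 80, frozenset({"SYN"})),            # 5-9 step 1
        Packet("TCP", server, 80, client, 62600, frozenset({"SYN", "ACK"})),     # 5-9 step 4
        Packet("UDP", client, 63206, "1.8.33.4", 69),                            # UDP row, 5-8
        Packet("TCP", "10.5.3.4", 80, client, 64640, frozenset({"SYN", "ACK"})), # 5-10 spoof
        Packet("TCP", client, 62600, server, 21, frozenset({"SYN"})),            # 5-11 step 1
        Packet("TCP", server, 21, client, 62600, frozenset({"SYN", "ACK"})),     # 5-11 step 4
        Packet("TCP", client, 62600, server, 21, frozenset({"ACK"}),
               "PORT 60,55,33,12,216,40"),                                       # announces 55336
        Packet("TCP", server, 20, client, 55336, frozenset({"SYN"})),            # data connection
        Packet("TCP", server, 20, client, 55337, frozenset({"SYN"})),            # wrong port
    ]
    return [fw.handle(p) for p in seq]


if __name__ == "__main__":
    print(replay_figures())
```

The replay returns PASS for every packet that belongs to a recorded connection or opens one from the inside, DROP for the spoofed SYN/ACK of Figure 5-10 and for a server SYN to any port other than the announced 55336. Note what the table does not check: once a row exists, packet contents are never examined, which is the gap the application-inspection slides address.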

Firewalls
  Firewall Hardware and Software
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
    IPSs
  Firewall Architecture
  Configuring, Testing, and Maintenance

Figure 5-12: Network Address Translation (NAT) (figure; recoverable labels)
  Client 192.168.5.7; NAT Firewall; Sniffer on the Internet; Server Host
  1. From 192.168.5.7, Port 61000
  2. From 60.5.9.8, Port 55380
  3. To 60.5.9.8, Port 55380
  4. To 192.168.5.7, Port 61000
  Translation Table
    Internal IP Addr  Port   External IP Addr  Port
    192.168.5.7       61000  60.5.9.8          55380
    ...               ...    ...               ...
  Sniffers on the Internet cannot learn internal IP addresses and port numbers; they only learn the translated address and port number
  By themselves, NAT firewalls provide a great deal of protection against attacks
  External attackers cannot create a connection to an internal computer
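The four numbered steps and the translation table of Figure 5-12 as an added Python example (my own code, not the slides'). The client address 192.168.5.7:61000 and the translated address 60.5.9.8:55380 come from the figure; the internal block 192.168.0.0/16, the server address 123.80.5.34 and the sequential hand-out of external ports starting at 55380 are assumptions made for the demonstration (real NAT devices choose ports differently).

```python
"""Network Address Translation as in Figure 5-12.  Added example; not code from the slides."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, public_ip: str, internal_net: str, first_port: int = 55380):
        self.public_ip = public_ip
        self.internal = ip_network(internal_net)
        self.next_port = first_port       # assumption: external ports handed out in sequence
        # Translation table of Figure 5-12, kept in both directions
        self.out: Dict[Tuple[str, int], int] = {}    # (internal IP, internal port) -> external port
        self.back: Dict[int, Tuple[str, int]] = {}   # external port -> (internal IP, internal port)

    def outbound(self, p: Packet) -> Packet:
        """Steps 1 -> 2: replace the internal source address and port with the firewall's
        public address and a translated port, recording the mapping for the replies."""
        if ip_address(p.src) not in self.internal:
            raise ValueError(f"{p.src} is not an internal address")
        key = (p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.out[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Steps 3 -> 4: a packet for the public address is delivered only when its
        destination port is in the translation table.  Anything else has no internal
        destination and is dropped (None): an outsider cannot open a connection to an
        internal host because no row exists until that host sends first."""
        if p.dst != self.public_ip or p.dport not in self.back:
            return None
        ip, port = self.back[p.dport]
        return replace(p, dst=ip, dport=port)


def sniffer_view(p: Packet) -> str:
    """What a sniffer on the Internet side of the firewall sees: only the translated
    address and port number, never the internal ones."""
    return f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"


if __name__ == "__main__":
    nat = NatFirewall("60.5.9.8", "192.168.0.0/16")
    out = nat.outbound(Packet("192.168.5.7", 61000, "123.80.5.34", 80))   # steps 1 and 2
    print("sniffer sees:", sniffer_view(out))
    print("reply delivered to:", nat.inbound(Packet("123.80.5.34", 80, "60.5.9.8", 55380)))
    print("unsolicited packet:", nat.inbound(Packet("1.2.3.4", 4444, "60.5.9.8", 3389)))
```

The last call returns None: with no row for port 3389, the firewall has nowhere to deliver the packet, which is the mechanism behind "external attackers cannot create a connection to an internal computer".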

Firewalls
  Firewall Hardware and Software
  Inspection Methods
    Static Packet Inspection
    Stateful Packet Inspection
    NAT
    Application Firewalls
    IPSs
  Firewall Architecture
  Configuring, Testing, and Maintenance

Figure 5-13: Application Firewall Operation (figure; recoverable labels)
  Client PC 192.168.6.77 (Browser); Application Firewall 60.45.2.6 (HTTP Proxy); Webserver 123.80.5.34 (Webserver Application)
  1. HTTP Request From 192.168.6.77
  2. Filtering: Blocked URLs, POST Commands, etc.
  3. Examined HTTP Request From 60.45.2.6
  4. HTTP Response to 60.45.2.6
  5. Filtering on Hostname, URL, MIME, etc.
  6. Examined HTTP Response To 192.168.6.77
  A Separate Proxy Program is Needed for Each Application Filtered on the Firewall
    HTTP Proxy
    FTP Proxy: Outbound Filtering on PUT
    SMTP (E-Mail) Proxy: Inbound and Outbound Filtering on Obsolete Commands, Content

Figure 5-14: Header Destruction With Application Firewalls (figure; recoverable labels)
  Attacker 1.2.3.4; Application Firewall 60.45.2.6; Webserver 123.80.5.34
  Arriving Packet: Orig. IP Hdr + Orig. TCP Hdr + App MSG (HTTP)
  Header Removed: App MSG (HTTP)
  New Packet: New IP Hdr + New TCP Hdr + App MSG (HTTP)
  Application Firewall Strips Original Headers from Arriving Packets and Creates a New Packet with New Headers; This Stops All Header-Based Packet Attacks

Figure 5-15: Protocol Spoofing (figure; recoverable labels)
  Attacker 1.2.3.4; Application Firewall; Internal Client PC 60.55.33.12
  1. Trojan Horse Transmits on Port 80 to Get Through a Simple Packet Filter Firewall
  2. Protocol is Not HTTP: Application Firewall Stops the Transmission

Relay Operation
  Application firewalls use relay operation
  Act as the server to clients and as the client to servers (Browser to HTTP Proxy to Webserver Application)
  This is slow, so traditionally application firewalls could only handle limited traffic

Automatic Protections in Relay Operation
  Protocol Fidelity: an application that spoofs the port number of another application (e.g., Port 80) will not work in relay operation
  Header Destruction: IP, TCP, UDP, and ICMP headers are dropped at the firewall, so they cannot do damage
  IP Address Hiding: a sniffer on the Internet only learns the application firewall's IP address

Other Application Firewall Protections

Stopping Certain Application Commands
  HTTP: Stop POST
  FTP: Stop PUT
  E-Mail: Stop obsolete commands used by attackers
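How an HTTP proxy on the application firewall applies these protections in relay operation (Figures 5-13 to 5-15: command and host blocking, protocol fidelity, header destruction, and MIME filtering of the response) is shown in the following added Python example, my own code rather than the slides'. It simulates the relay without sockets: relay_request returns the freshly built request the firewall would send from its own address, and relay_response the rebuilt response for the client. The firewall address 60.45.2.6 and the client 192.168.6.77 come from Figure 5-13; the blocked host bad.example, the Via header, the method list and the sample messages are constructed for the demonstration.

```python
"""HTTP application firewall in relay operation (Figures 5-13 to 5-15).
Added example; not code from the slides."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

FIREWALL_IP = "60.45.2.6"               # application firewall address from Figure 5-13

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) (HTTP/1\.[01])$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3} .*$")


class ProtocolViolation(Exception):
    """Bytes on port 80 that are not well-formed HTTP (protocol fidelity, Figure 5-15)."""


@dataclass
class Message:
    start_line: str
    headers: Dict[str, str]             # lower-cased header names
    body: bytes


def parse_message(raw: bytes, kind: str) -> Message:
    """Parse a request (kind="request") or response (kind="response").  Anything that
    does not fit the HTTP grammar is rejected instead of being passed through."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProtocolViolation("no end-of-headers marker")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProtocolViolation("non-ASCII bytes in header block")
    pattern = REQUEST_LINE if kind == "request" else STATUS_LINE
    if not pattern.match(lines[0]):
        raise ProtocolViolation(f"malformed {kind} line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ProtocolViolation(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return Message(lines[0], headers, body)


class HttpProxyFirewall:
    """Acts as the server to the client and as the client to the server (relay operation)."""

    def __init__(self, blocked_hosts: Iterable[str], blocked_methods: Iterable[str],
                 blocked_mime: Iterable[str]):
        self.blocked_hosts = set(blocked_hosts)
        self.blocked_methods = set(blocked_methods)
        self.blocked_mime = set(blocked_mime)
        self.log: List[str] = []

    def _block(self, why: str) -> Tuple[str, None]:
        self.log.append("BLOCK " + why)
        return "BLOCK", None

    def relay_request(self, client_ip: str, raw: bytes) -> Tuple[str, Optional[bytes]]:
        """Steps 1-3 of Figure 5-13: examine the client's request and, if it passes,
        emit a freshly built request that the firewall itself sends from FIREWALL_IP."""
        try:
            msg = parse_message(raw, "request")
        except ProtocolViolation as e:
            return self._block(f"{client_ip}: {e}")
        method, url, version = msg.start_line.split(" ")
        host = msg.headers.get("host", "")
        if method in self.blocked_methods:
            return self._block(f"{client_ip}: method {method}")
        if host in self.blocked_hosts:
            return self._block(f"{client_ip}: host {host}")
        # Header destruction (Figure 5-14): nothing the client sent is copied through.
        # The firewall generates a new message, and its own IP/TCP headers around it.
        new = (f"{method} {url} {version}\r\nHost: {host}\r\n"
               f"Via: 1.1 {FIREWALL_IP}\r\nConnection: close\r\n\r\n").encode() + msg.body
        self.log.append(f"PASS {client_ip}: {method} {host}{url}")
        return "PASS", new

    def relay_response(self, raw: bytes) -> Tuple[str, Optional[bytes]]:
        """Steps 4-6: filter the server's response on MIME type and rebuild it."""
        try:
            msg = parse_message(raw, "response")
        except ProtocolViolation as e:
            return self._block(f"server: {e}")
        ctype = msg.headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype in self.blocked_mime:
            return self._block(f"server: MIME type {ctype}")
        new = (f"{msg.start_line}\r\nContent-Type: {ctype}\r\nContent-Length: {len(msg.body)}"
               f"\r\nVia: 1.1 {FIREWALL_IP}\r\n\r\n").encode()
        return "PASS", new + msg.body


if __name__ == "__main__":
    fw = HttpProxyFirewall({"bad.example"}, {"POST"}, {"application/x-msdownload"})
    # Constructed traffic: a normal request, then a trojan's non-HTTP bytes on port 80
    print(fw.relay_request("192.168.6.77", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(fw.relay_request("192.168.6.77", b"\x16\x03\x01\x00\x05hello"))
    print(fw.log)
```

A request from the browser never reaches the webserver in its original form: the client's own headers (including anything odd it sent) are discarded and a new request is written, so the webserver sees a connection from 60.45.2.6. Non-HTTP bytes sent to port 80 fail parsing and are blocked, which is the protocol fidelity property of Figure 5-15.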

Figure 5-16: Circuit Firewall (figure; recoverable labels)
  Generic Type of Application Firewall
  External Client 123.30.82.5; Circuit Firewall (SOCKS v5) 60.34.3.31; Webserver 60.80.5.34
  1. Authentication
  2. Transmission
  3. Passed Transmission: No Filtering
  4. Reply
  5. Passed Reply: No Filtering

Blocked IP Addresses and URLs
  Black lists

Blocking File Types
  Use MIME and other identification methods

Firewalls
  Types of Firewalls
  Inspection Methods
  Firewall Architecture
    Single site in large organization
    Home firewall
    SOHO firewall router
    Distributed firewall architecture
  Configuring, Testing, and Maintenance

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (figure; recoverable labels)
  1. Screening Router 60.47.1.1; Last Rule = Permit All
     The screening router firewall uses static packet filtering
     Drops simple attacks; prevents probe replies from getting out
     Lets the main firewall handle everything but simple attacks
  2. Main Firewall; Last Rule = Deny All
     The main firewall uses stateful inspection
  3. Internal Firewall
     Stops attacks from inside
     Stops external attacks that get past the main firewall
  4. Client Host Firewall
  5. Server Host Firewall
     Internal firewalls and hardened hosts provide defense in depth
  6. DMZ (172.18.9.x Subnet): Public Webserver 60.47.3.9, External DNS Server 60.47.3.4, SMTP Relay Proxy 60.47.3.10, HTTP Proxy Server 60.47.3.1
     Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ)
     Attackers cannot get to other subnets from there
     DMZ servers are specially hardened
  Internal subnets: Marketing Client on the 172.18.5.x Subnet; Accounting Server on the 172.18.7.x Subnet

Figure 5-18: Home Firewall (figure; recoverable labels)
  Home PC (PC Firewall), UTP Cord, Broadband Modem, Coaxial Cable (Always-On Connection), Internet Service Provider, Internet
  Windows XP has an internal firewall
    Originally called the Internet Connection Firewall; disabled by default
    After Service Pack 2, called the Windows Firewall; enabled by default

Figure 5-19: SOHO Firewall Router (figure; recoverable labels)
  Internet Service Provider, Broadband Modem (DSL or Cable), UTP, SOHO Router (Router, DHCP Server, NAT Firewall, and Limited Application Firewall), UTP, Ethernet Switch, UTP, User PCs
  Many Access Routers Combine the Router and Ethernet Switch in a Single Box

Figure 5-20: Distributed Firewall Architecture (figure; recoverable labels)
  Management Console at Site A; Site B; Home PC Firewall; Remote PCs; Internet
  Remote management is needed to reduce management labor
  Dangerous because if an attacker compromises the management console, they own the network
  Remote PCs must be actively managed centrally

Figure 5-23: FireWall-1 Modular Management Architecture (figure; recoverable labels)
  Application Module (GUI): Create, Edit Policies; Read Log Files
  Management Module: Stores Policies; Stores Log Files (Policy sent down to the firewall modules; Log File Entries sent up; Log File Data sent to the GUI)
  Firewall Module (one per firewall): Enforces Policy; Sends Log Entries

Figure 5-24: FireWall-1 Service Architecture (figure; recoverable labels)
  External Server; FireWall-1 Firewall; Internal Client; Third-Party Application Inspection Firewall
  1. Arriving Packet
  2. Statefully Filtered Packet
  3. DoS Protection; Optional Authentications
  4. Content Vectoring Protocol to the Third-Party Application Inspection Firewall
  5. Statefully Filtered Packet Plus Application Inspection

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls (figure; recoverable labels)
  Security Level Inside = 100 (Internal Network); Security Level Outside = 0 (Router, Internet); a third network with Security Level = 60
  Connections Are Allowed from More Secure Networks to Less Secure Networks
  Automatically Accept Connection; Automatically Reject Connection
