
DR M Y Siyal

Computer/Information Security

P9-1

FIREWALLS


FIREWALLS
A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets of digital information that attempt to pass through the perimeter of a network.
HARDWARE FIREWALLS
Protect an entire network
Implemented on the router level
Usually more expensive, harder to configure
SOFTWARE FIREWALLS
Protect a single computer
Usually less expensive, easier to configure
HOW DOES A SOFTWARE FIREWALL WORK?
Inspects each individual packet of data as it arrives at either side of the
firewall (Inbound to or outbound from your computer)
Determines whether it should be allowed to pass through or if it should be
blocked

KEEPING WORMS AND CRACKERS OUT
When you request something from the internet, the firewall pretends that it made the request, not your computer.
Since the internet never even sees your computer, there's nothing for the worms or crackers to probe or attack other than your firewall.
And your firewall is just a dumb box.


PERIMETER DEFENSE
A firewall is said to provide perimeter security because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.


BASIC FIREWALL OPERATION
1. Legitimate hosts send innocent packets; attackers send attack packets.
2. Ingress packets come into a site; egress packets go out from a site.
Firewalls drop and log provable attack packets.
Firewalls do not drop packets unless they are provably attack packets. This means that some attack packets that are not provably attack packets get through the firewall.


FIREWALL POLICIES
To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.
[Figure: the firewall policies are applied between the trusted internal network and the untrusted Internet]


POLICY ACTIONS
FIREWALL RULES
ALLOW: Traffic that flows automatically because it has been deemed as
safe
BLOCK: Traffic that is blocked because it has been deemed dangerous to
your computer
ASK: Asks the user whether or not the traffic is allowed to pass through
There are two approaches to creating firewall policies
1. BLACK LIST APPROACH
All packets are allowed through except those that fit the rules defined
specifically in a blacklist.
This configuration is flexible, but naive as it assumes the network
administrator can enumerate all of the properties of malicious traffic.
2. WHITE LIST APPROACH
A safer approach to defining a firewall rule set is the default-deny
policy, in which packets are dropped or rejected unless they are
specifically allowed by the firewall.
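The two approaches as an added example (not code from the lecture slides): a small first-match rule evaluator in Python, run once with a blacklist under a default-allow policy and once with a whitelist under a default-deny policy. The rule fields, the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the sample packets are constructed for illustration; the ASK action is left out because it needs an interactive user.

```python
"""Blacklist (default-allow) versus whitelist (default-deny) firewall policies.
Added example, not from the lecture; rule format and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" or "outbound"
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "ALLOW" or "BLOCK"
    direction: Optional[str] = None     # None matches either direction
    src_net: Optional[str] = None       # CIDR; None matches any source
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """A field set to None is a wildcard; every other field must agree."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First-match evaluation; `default` is the policy when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Blacklist approach: everything passes unless the administrator listed it.
BLACKLIST = [
    Rule("BLOCK", direction="inbound", src_net="203.0.113.0/24"),  # constructed "known bad" range
    Rule("BLOCK", direction="inbound", proto="tcp", dport=23),      # telnet
]

# Whitelist approach: nothing passes unless the administrator listed it.
WHITELIST = [
    Rule("ALLOW", direction="outbound", proto="tcp", dport=80),
    Rule("ALLOW", direction="outbound", proto="tcp", dport=443),
    Rule("ALLOW", direction="inbound", proto="tcp", dport=25),      # only to the mail gateway
]


def blacklist_decision(pkt: Packet) -> str:
    return evaluate(BLACKLIST, pkt, default="ALLOW")


def whitelist_decision(pkt: Packet) -> str:
    return evaluate(WHITELIST, pkt, default="BLOCK")


# Constructed sample traffic; 192.0.2.10 is the protected host.
SAMPLE = [
    Packet("inbound", "203.0.113.7", "192.0.2.10", "tcp", 80),     # from the blacklisted range
    Packet("inbound", "198.51.100.9", "192.0.2.10", "tcp", 23),    # telnet
    Packet("inbound", "198.51.100.9", "192.0.2.10", "tcp", 3389),  # service nobody enumerated
    Packet("outbound", "192.0.2.10", "198.51.100.9", "tcp", 443),  # normal web traffic
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.direction:>8} {p.src:>14} -> {p.dst}:{p.dport:<5} "
              f"blacklist={blacklist_decision(p):<5} whitelist={whitelist_decision(p)}")
```

The third sample packet is the point of the slide: the blacklist lets it through because nobody wrote a rule for port 3389, while the default-deny whitelist blocks it without anyone having anticipated it.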

PERSONAL FIREWALL
A personal firewall (sometimes called a desktop firewall) is a software application used to protect a single Internet-connected computer from intruders.
WHAT A PERSONAL FIREWALL CAN DO
Stop hackers from accessing your computer
Protect your personal information
Block pop-up ads and certain cookies
Determine which programs can access the Internet
WHAT A PERSONAL FIREWALL CANNOT DO
Cannot prevent e-mail viruses
Only an antivirus product with updated definitions can prevent e-mail viruses
Cannot be set up once and then forgotten
The firewall will require periodic updates to the rule sets and the software itself

FIREWALLS PROCESSING MODES


Five processing modes by which firewalls can be categorized
1. Packet filtering
2. Application gateways
3. Circuit gateways
Packet filtering firewalls examine header information of data
packets
Most often based on combination of:
Internet Protocol (IP) source and destination address
Direction (inbound or outbound)
Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) source and destination port requests
Simple firewall models enforce rules designed to prohibit
packets with certain addresses or partial addresses

PACKET FILTERING FIREWALLS
Packet filtering firewalls are low cost and have a low impact on network performance.
Three subsets of packet filtering firewalls:
STATIC FILTERING: If a packet matches the packet filter's set of rules, the packet filter will drop or accept it.
DYNAMIC FILTERING: Allows the firewall to react to an emergent event and update or create rules to deal with the event by understanding how the protocol functions, based on information in the packet header.
STATEFUL INSPECTION: Firewalls that keep track of each network connection between internal and external systems using a state table.
[Figure: Sample Firewall Rule and Format]

[Figure: packet filtering firewall]

STATIC PACKET FILTERING FIREWALL
A stateless firewall doesn't maintain any remembered context (or state) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.
[Figure: TCP three-way handshake through a stateless firewall. The client on the trusted internal network sends SYN (Seq = x, Port = 80) to the server; the server replies SYN-ACK (Seq = y, Ack = x + 1); the client completes with ACK (Seq = x + 1, Ack = y + 1).]
Firewall rules:
Allow outbound SYN packets, destination port=80
Allow inbound SYN-ACK packets, source port=80

STATIC PACKET FILTERING FIREWALL
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.
[Figure: an attacker on the untrusted side sends SYN (Seq = y, Port = 80) toward the client on the trusted internal network; the firewall blocks it.]
Firewall rules:
Allow outbound SYN packets, destination port=80
Drop inbound SYN packets
Allow inbound SYN-ACK packets, source port=80

STATIC PACKET FILTERING FIREWALL
This was the earliest firewall filtering mechanism.
Examines packets one at a time, in isolation.
Only looks at some internet and transport headers.
Consequently, unable to stop many types of attacks.
It can stop some attacks, such as packets with spoofed IP addresses.
No longer used as the main filtering mechanism for border firewalls.
May be used as a secondary filtering mechanism on main border firewalls.


SPI FIREWALL
Stateful Packet Inspection Firewalls (SPI): Reviews the same packet
information but also records information about TCP connections.
Keeps track of each network connection established between internal and
external systems using a state table.
Tracks the state and context of each packet in the conversation by
recording which station sent what packet and when.
SPI firewalls can tell when packets are part of legitimate sessions originating
within a trusted network.
SPI firewalls maintain tables containing information on each active
connection, including the IP addresses, ports, and sequence numbers of
packets.
Using these tables, SPI can allow only inbound TCP packets that are in
response to a connection initiated from within the internal network.
Primary disadvantage: Additional processing requirements of managing
and verifying packets against the state table which can possibly expose the
system to a DoS attack.

STATES IN CONNECTION
Connections have distinct states or stages
Different states are subject to different attacks
SPI firewalls use different filtering rules for different states
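An added example (not the lecture's code) contrasting the stateless rules of the static packet filtering slides with an SPI state table that applies different rules in the connection-opening, ongoing-communication and closing states. A stateless filter has to accept every inbound SYN-ACK from source port 80 because it cannot tell which ones answer a real request; the stateful firewall accepts one only when its table holds a matching connection in the opening state and the acknowledgement number fits the SYN it saw. Hosts, ports and sequence numbers are constructed.

```python
"""Stateless packet filtering versus stateful packet inspection (SPI) on the
TCP three-way handshake.  Added example, not code from the lecture;
hosts, ports and sequence numbers are constructed."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class TcpPacket:
    direction: str          # "outbound" (trusted network -> Internet) or "inbound"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


def stateless_filter(pkt: TcpPacket) -> str:
    """The slide's rules: allow outbound SYN to port 80, drop inbound SYN, allow
    inbound SYN-ACK from port 80.  Nothing is remembered between packets, so any
    inbound SYN-ACK with source port 80 passes, solicited or not."""
    syn_only = pkt.flags == {"SYN"}
    syn_ack = pkt.flags == {"SYN", "ACK"}
    if pkt.direction == "outbound" and syn_only and pkt.dport == 80:
        return "ALLOW"
    if pkt.direction == "inbound" and syn_only:
        return "DROP"
    if pkt.direction == "inbound" and syn_ack and pkt.sport == 80:
        return "ALLOW"
    if "SYN" not in pkt.flags:
        return "ALLOW"      # ongoing traffic: a stateless filter cannot tell sessions apart
    return "DROP"


class SpiFirewall:
    """State table keyed by (internal host, internal port, external host, external
    port) so both directions of one connection share an entry."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(pkt: TcpPacket):
        if pkt.direction == "outbound":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: TcpPacket) -> str:
        key = self._key(pkt)
        entry = self.table.get(key)
        syn_only = pkt.flags == {"SYN"}
        syn_ack = pkt.flags == {"SYN", "ACK"}
        # Connection-opening state: only internal hosts may open connections.
        if entry is None:
            if pkt.direction == "outbound" and syn_only and pkt.dport == 80:
                self.table[key] = {"state": "SYN_SENT", "client_seq": pkt.seq}
                return "ALLOW"
            return "DROP"   # unsolicited inbound packet, including a forged SYN-ACK
        if entry["state"] == "SYN_SENT":
            if pkt.direction == "inbound" and syn_ack and pkt.ack == entry["client_seq"] + 1:
                entry.update(state="SYN_RECEIVED", server_seq=pkt.seq)
                return "ALLOW"
            return "DROP"
        if entry["state"] == "SYN_RECEIVED":
            if pkt.direction == "outbound" and pkt.flags == {"ACK"} and pkt.ack == entry["server_seq"] + 1:
                entry["state"] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        # Ongoing-communication state: a cheap table lookup is all that is needed.
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            del self.table[key]     # connection-closing state: forget the connection
        return "ALLOW"


CLIENT, SERVER, ATTACKER = "192.0.2.10", "198.51.100.20", "203.0.113.5"  # constructed hosts


def run_scenario() -> dict:
    """A legitimate handshake followed by an unsolicited inbound SYN-ACK that
    merely carries source port 80.  Returns the decisions of both filters."""
    handshake = [
        TcpPacket("outbound", CLIENT, 40000, SERVER, 80, frozenset({"SYN"}), seq=100),
        TcpPacket("inbound", SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"}), seq=500, ack=101),
        TcpPacket("outbound", CLIENT, 40000, SERVER, 80, frozenset({"ACK"}), seq=101, ack=501),
    ]
    unsolicited = TcpPacket("inbound", ATTACKER, 80, CLIENT, 40001, frozenset({"SYN", "ACK"}), seq=1, ack=1)
    spi = SpiFirewall()
    return {
        "stateless_handshake": [stateless_filter(p) for p in handshake],
        "stateless_unsolicited": stateless_filter(unsolicited),
        "spi_handshake": [spi.process(p) for p in handshake],
        "spi_unsolicited": spi.process(unsolicited),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>22}: {decision}")
```

The state table also shows where the slides' "low cost" claim comes from: once a connection is ESTABLISHED, every further packet costs one dictionary lookup, and only the rare opening packets need the sequence-number checks.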

[Figure: the three connection states: connection opening state, ongoing communication state, connection closing state]

SPI RULES WITH TWO STATES
[Figure]
SPI for a Packet that Does Not Attempt to Open a Connection (1)
[Figure]
SPI for a Packet that Does Not Attempt to Open a Connection (2)
[Figure]

PERSPECTIVE ON SPI FIREWALL
LOW COST
Most packets are not part of connection-opening attempts
These can be handled very simply and therefore inexpensively
Connection-opening attempt packets are more expensive to process but are rare
SAFETY
Attacks other than application-level attacks usually fail to get through SPI firewalls
In addition, SPI firewalls can use other forms of filtering when needed
DOMINANCE
The combination of high safety and low cost makes SPI firewalls extremely popular
Nearly all main border firewalls today use stateful packet inspection

APPLICATION GATEWAYS
Frequently installed on a dedicated computer; also known as a proxy server.
Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks.
With this configuration the proxy server, rather than the Web server, is exposed to the outside world.
Additional filtering routers can be implemented behind the proxy server.
A gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through.
Has full access to the protocol:
The user requests a service from the proxy.
The proxy validates the request as legal.
The proxy then performs the request and returns the result to the user.
Tends to be more secure than packet filters:
Need only scrutinize a few allowable apps.
Easy to log and audit all incoming traffic.

PROXY FIREWALL: APPLICATION GATEWAYS
[Figure]
APPLICATION PROXY FIREWALL OPERATION
[Figure]
ROLES FOR APPLICATION PROXY FIREWALLS TODAY
[Figure]

APPLICATION PROXY FIREWALL PROTECTION
Protections for Internal Clients against Malicious Web Servers
URL blacklists for known attack sites
Protection against some or all scripts in webpages
Protections against Misbehaving Internal Clients
Disallowing the HTTP POST method, which can be used to send out sensitive files
Protections for Internal Web Servers against Malicious Clients
Disallow HTTP POST methods, which could allow malware files to be placed on the server
Indications of SQL injection attacks
Automatic Protections
The hiding of internal host IP addresses from sniffers
The data link, internet, and transport headers are discarded, along with any attacks they may have contained
If the client or server does not follow the protocol of the indicated port number, communication with the firewall automatically breaks down
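An added example of the request-level checks listed above, not code from the lecture: a proxy-side filter that parses the HTTP request line and headers, refuses clients that do not speak HTTP on the port (the "communication automatically breaks down" protection), applies a URL blacklist for internal clients, blocks POST in either direction, and flags one indicator of SQL injection in query parameters. The blacklist entries, the heuristic pattern and the sample requests are all constructed; the pattern is a detection heuristic, not a complete SQL injection detector.

```python
"""Application-proxy style checks on HTTP requests.  Added example, not from
the lecture; blacklist, heuristic and sample requests are constructed."""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

URL_BLACKLIST = {"malware.example", "phish.example"}   # constructed "known attack sites"

# Request line as the proxy expects it; anything else is not HTTP on this port.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

# One indication of SQL injection: a quote followed by a SQL keyword, or a
# SQL comment sequence.  Deliberately simple; it will also hit some benign values.
SQLI_PATTERN = re.compile(r"""['"]\s*(or|and|union|select)\b|--|/\*""", re.IGNORECASE)


def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, target, headers) or None when the bytes are not an HTTP request."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None         # malformed header: protocol not followed
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("target"), headers


def proxy_decision(raw: str, protect_internal_server: bool) -> Tuple[str, str]:
    """(decision, reason).  protect_internal_server=True applies the rules for
    inbound requests from external clients; False the rules for internal clients."""
    parsed = parse_request(raw)
    if parsed is None:
        return "DROP", "client does not speak HTTP on this port"
    method, target, headers = parsed
    url = urlsplit(target)
    host = url.hostname or headers.get("host", "")
    if not protect_internal_server and host in URL_BLACKLIST:
        return "DROP", "destination host is on the URL blacklist"
    if method == "POST":
        if protect_internal_server:
            return "DROP", "POST to internal server blocked (file upload risk)"
        return "DROP", "POST from internal client blocked (possible data exfiltration)"
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SQLI_PATTERN.search(value):
            return "DROP", f"SQL injection indicator in parameter {name!r}"
    return "ALLOW", "request forwarded"


# Constructed sample requests as the proxy would receive them on the wire.
SAMPLE_REQUESTS = {
    "normal": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "blacklisted": "GET http://malware.example/x HTTP/1.1\r\nHost: malware.example\r\n\r\n",
    "upload": "POST /upload HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 0\r\n\r\n",
    "sqli": "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http": "SSH-2.0-OpenSSH_9.0\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        for inbound in (False, True):
            side = "internal server" if inbound else "internal client"
            print(f"{label:>11} ({side}): {proxy_decision(raw, inbound)}")
```

Because the proxy re-creates the request from its parsed form rather than relaying the client's bytes, anything the original packet carried in its lower-layer headers never reaches the other side, which is the "automatic protection" the slide describes.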

CIRCUIT GATEWAYS
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
Like filtering firewalls, they do not usually look at data traffic flowing between two networks, but they prevent direct connections between one network and another.
This is accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels.
Circuit level gateways are:
Inexpensive
Have the advantage of hiding information about the private network they protect.
CIRCUIT LEVEL FIREWALLS
[Figure]

GENERAL PERFORMANCE
TECHNOLOGY            SPEED    FLEXIBILITY  INTELLIGENCE
Packet Filtering      V Good   V Good       Low
Application Proxy     Low      Low          V Good
Stateful Inspection   Good     Good         Good
Circuit Level Proxy   Low      Low          Low

LOWER IS BETTER FOR SECURITY & PERFORMANCE
                 SECURITY  PERFORMANCE
Packet Filter    3         1
SPI              2         2
Circuit GW       2         3
App. GW          1         4

FIREWALLS CATEGORIZED BY GENERATION


FIRST GENERATION
Static packet filtering firewalls
SECOND GENERATION
Application-level firewalls or proxy servers
THIRD GENERATION
Stateful inspection firewalls
FOURTH GENERATION
Dynamic packet filtering firewalls; allow only packets with
particular source, destination, and port addresses to enter
FIFTH GENERATION
Kernel proxies; specialized form working under kernel of
Windows NT

FIREWALL ARCHITECTURES
Firewall devices can be configured in a number of network connection architectures.
The best configuration depends on three factors:
Objectives of the network
The organization's ability to develop and implement architectures
Budget available for the function
Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls.

PACKET FILTERING ROUTERS
Most organizations with an Internet connection have a router serving as the interface to the Internet.
Many of these routers can be configured to reject packets that the organization does not allow into the network.
Drawbacks include a lack of auditing and strong authentication.

PACKET FILTERING ROUTER
[Figure: a packet filtering router used as a first generation firewall between the untrusted network and the trusted network; unrestricted data packets arrive from the untrusted network, blocked data packets are dropped, and filtered data packets pass to the trusted network.]

SCREENED HOST FIREWALLS
Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server.
Allows the router to prescreen packets to minimize the traffic/load on the internal proxy.
The separate host (referred to as a bastion host or sacrificial host) can be a rich target for external attacks and should be very thoroughly secured.
BASTION HOST
The bastion host is the system that any outsiders - friends or possible foes - must ordinarily connect with to access a system or a service that's inside your firewall.
Only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication).
The system could have single, dual or multiple bastion hosts.

SCREENED-HOST FIREWALL
[Figure: a packet filtering router in front of a bastion host running an application level firewall; unrestricted data packets from the untrusted network are filtered by the router, blocked data packets are dropped, and the trusted network is reached only through proxy access on the bastion host.]

BASTION HOST
There are single-homed bastion and dual-homed bastion based firewalls.
SINGLE-HOMED BASTION: ADVANTAGES
Has greater security than simply a packet filtering router or an application level gateway alone.
Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy.
An intruder must generally penetrate two separate systems before the security of the internal network is compromised.
Affords flexibility in providing direct Internet access.
DUAL-HOMED BASTION
The bastion host contains two NICs (network interface cards).
One NIC is connected to the external network, and one is connected to the internal network.
With two NICs all traffic must physically go through the firewall to move between the internal and external networks.
A technology known as network address translation (NAT) is implemented with this architecture, creating another barrier to intrusion from external attackers.
SINGLE-HOMED BASTION
[Figure]
DUAL-HOMED BASTION
[Figure]
DUAL-HOMED HOST FIREWALL
[Figure: a dual-homed host used as a firewall providing Network Address Translation (NAT), placed between an external filtering router on the untrusted network (public IP addresses) and an internal filtering router on the trusted network (NAT-assigned local addresses); unrestricted data packets arrive, blocked external and blocked internal data packets are dropped, and the trusted network is reached through proxy access.]

SCREENED-SUBNET FIREWALLS
Consists of two or more internal bastion hosts, behind a packet-filtering router, with each host protecting the trusted network.
The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them.
The second general model involves the connection from the outside or untrusted network going through this path:
Through an external filtering router.
Into and then out of a routing firewall to the separate network segment known as the DMZ.
Connections into the trusted internal network are allowed only from the DMZ bastion-host servers.
ADVANTAGES
There are now three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.
SCREENED-SUBNET FIREWALLS
[Figure: an external filtering router in front of the demilitarized zone (DMZ) holding the servers, then an internal filtering router in front of the trusted network; blocked data packets are dropped at the outer router, the DMZ servers are reached through proxy access, and the trusted network only through controlled access.]

THE DEATH OF THE PERIMETER


PROTECTING THE PERIMETER IS NO LONGER POSSIBLE
There are too many ways to get through the perimeter
AVOIDING THE BORDER FIREWALL
Internal attackers are inside the firewall already
Compromised internal hosts are inside the firewall
Wireless LAN drive-by hackers enter through access points that are inside
the site
Home notebooks, mobile phones, and media brought into the site
Internal firewalls can address some of these threats
EXTENDING THE PERIMETER
Remote employees must be given access
Consultants, outsourcers, customers, suppliers, and other subsidiaries
must be given access
Essentially, all of these tend to use VPNs to make external parties
internal to your site

SELECTING THE RIGHT FIREWALL


What type of firewall technology offers the right balance of protection
features and cost for the needs of the organization?
What features are included in the base price? What features are available at
extra cost? Are all cost factors known?
How easy is it to set up and configure the firewall? How accessible are staff
technicians with the mastery to do it well?
Can the candidate firewall adapt to the growing network in the target
organization?
CONFIGURING AND MANAGING FIREWALLS
Each firewall device will have its own set of configuration rules that regulate
its actions.
Simple mistakes can turn the device into a choke point.
When security rules conflict with the performance of business, security loses
since organizations are much more willing to live with a potential risk than a
certain failure.

RECOMMENDED PRACTICES
All traffic from the trusted network is allowed out.
The firewall device is always inaccessible directly from the public network.
Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but ensure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
All Internet Control Message Protocol (ICMP) data should be denied.
Block telnet (terminal emulation) access to all internal servers from the public networks.
When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture.
TRADEOFF
The degree of communication with the outside world against the level of security.
Remember that many highly protected sites still suffer from attacks.