Cryptography and Network Security: Chapter 20 - Firewalls

Cryptography and Network Security
Chapter 20 – Firewalls
Introduction
• Ongoing evolution of information systems
  – Interconnecting networks: mainframe + terminals, local area networks (LANs), premises networks, enterprise-wide area networks (WANs), Internet
• Causes persistent security concerns
  – Can hardly secure every system in an organization individually
  – Calls for harm minimisation
• A firewall
  – provides an effective means of protecting a local system or network from network-based threats while still affording access to WANs and the Internet
  – is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter
  – protects the premises network from Internet-based attacks and provides a single choke point where security and audit can be imposed

2
Control Mechanisms
• Service control:
  – types of accessible Internet services
  – filters on the basis of IP address and TCP port number
  – provides proxies for interpreting service requests
  – hosts server software such as Web or mail service
• Direction control:
  – determines the direction in which service requests are allowed to flow
• User control:
  – controls access to a service depending on who requests it
  – typically applied to local users (with IPSec also to external users)
• Behavior control:
  – controls how particular services are used (e.g. eliminate spam)

3
Capabilities and Limitations
• Defines a single choke point that
  – keeps unauthorised users out of the protected network
  – prohibits potentially vulnerable services
  – provides protection from IP spoofing and routing attacks
• Platform for
  – monitoring security-related events, e.g., audits and alarms can be implemented
  – various Internet functions, e.g., network address translator, network management function
  – IP security (tunnel mode)
• However, a firewall cannot protect against
  – attacks bypassing it, e.g., dial-out capabilities to connect to an ISP, dial-in capabilities for travelling employees
  – internal threats, e.g. a disgruntled employee
  – the transfer of every virus-infected program or file
4
Types of Firewalls
• There are three common types of firewalls:
  – Packet-filtering routers: filter the packets that pass through them
  – Application-level gateway: proxy for remote services
  – Circuit-level gateway: allows only certain TCP connections

5
Packet Filters
• Foundation of any firewall system
• Examines each IP packet and permits/denies access
  – according to rules based on matches in the IP/TCP header
• Filters packets going in both directions
• Possible default policies
  – everything that is not explicitly permitted is prohibited
  – everything that is not explicitly prohibited is permitted

6
Packet Filters – Examples
• Based on matches to fields in the IP or TCP header
  – mail from SPIGOT blocked
  – inbound mail allowed (port 25 for incoming SMTP), only to the gateway host
  – explicit statement of the default policy
  – included implicitly as the last rule

7
Packet Filters – Examples
• Any inside host can send mail to the outside
  – a TCP packet with destination port 25 is routed to the SMTP server on the destination machine
  – problem: an attacker could gain access to internal machines by sending packets with TCP port number 25

8
Packet Filters – Examples
• IP packets allowed where the source address is one of a list of designated internal hosts and the destination TCP port number is 25
• Also allows incoming packets with source port number 25 that have the ACK flag set in the TCP segment
  – a set ACK flag acknowledges segments sent from the other side
• Source and destination address designated explicitly:

9
Packet Filters – Examples
• One approach to handling FTP connections
  – a control connection to set up the file transfer plus a data connection for the actual file transfer
  – allows packets originating internally, and reply packets to a connection initiated by an internal machine, destined for high-numbered ports (non-servers)

10
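The rule sets described on slides 6 to 10 (mail from SPIGOT blocked, inbound SMTP only to the gateway host, outbound mail from any inside host, the source-port-25-plus-ACK rule for replies, FTP data back to high-numbered ports, and "deny" as the implicit last rule) as a small first-match packet filter in Python. This is an added example, not code from the slides or from the textbook; the addresses, the host names and the Packet/Rule types are constructed for it. The last sample packet shows slide 8's point: a rule keyed only on port 25 and the ACK flag admits any external packet whose sender sets those two fields.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for this example (not from the slides): a handful of
# internal hosts, our SMTP gateway among them, and "SPIGOT", the external mail
# host the rule set blocks.
GATEWAY = "192.0.2.10"
INTERNAL_HOSTS = {"192.0.2.10", "192.0.2.21", "192.0.2.22"}
SPIGOT = "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False     # TCP ACK flag (False for UDP)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # None = any; "INTERNAL" = any designated internal host
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dport_high: Optional[bool] = None  # True = destination port > 1023 (non-server ports)
    ack: Optional[bool] = None         # None = don't care about the ACK flag
    comment: str = ""

    @staticmethod
    def _host_ok(want: Optional[str], have: str) -> bool:
        if want is None:
            return True
        if want == "INTERNAL":
            return have in INTERNAL_HOSTS
        return want == have

    def matches(self, p: Packet) -> bool:
        return (self._host_ok(self.src, p.src)
                and self._host_ok(self.dst, p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.dport_high is None or self.dport_high == (p.dport > 1023))
                and (self.ack is None or self.ack == p.ack))


# The rule set in evaluation order: first match wins.
RULES = [
    Rule("deny", src=SPIGOT, comment="mail from SPIGOT blocked"),
    Rule("permit", dst=GATEWAY, proto="tcp", dport=25,
         comment="inbound SMTP, but only to the gateway host"),
    Rule("permit", src="INTERNAL", proto="tcp", dport=25,
         comment="any inside host may send mail out"),
    Rule("permit", dst="INTERNAL", proto="tcp", sport=25, ack=True,
         comment="replies to our outbound SMTP connections"),
    Rule("permit", dst="INTERNAL", proto="tcp", sport=20, dport_high=True,
         comment="FTP data connection back to an internal client's high port"),
]
DEFAULT_ACTION = "deny"   # everything not explicitly permitted is prohibited


def filter_packet(p: Packet, rules=RULES, default=DEFAULT_ACTION) -> Tuple[str, str]:
    """Return (action, reason). The default policy acts as the implicit last rule."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "default policy"


if __name__ == "__main__":
    samples = [
        Packet(SPIGOT, GATEWAY, "tcp", 4000, 25),                        # deny, rule 1
        Packet("203.0.113.7", GATEWAY, "tcp", 4000, 25),                 # permit, rule 2
        Packet("203.0.113.7", "192.0.2.21", "tcp", 4000, 25),            # deny: SMTP only to gateway
        Packet("192.0.2.21", "203.0.113.7", "tcp", 4001, 25),            # permit, rule 3
        Packet("203.0.113.7", "192.0.2.21", "tcp", 25, 4001, ack=True),  # permit, rule 4
        Packet("203.0.113.7", "192.0.2.21", "tcp", 25, 22, ack=True),    # permit too: the loophole
    ]
    for s in samples:
        print(s, "->", filter_packet(s))
```

The last sample is the weakness slide 8 warns about: rule 4 cannot tell a genuine SMTP reply from an external packet that merely claims source port 25 and sets ACK, because a stateless filter has no memory of which outbound connections actually exist. Closing that gap is what stateful inspection (slide 12) adds.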
Attacks on Packet Filters
• IP address spoofing
  – fake source address to be trusted
  – countermeasure: discard packets with an internal source address arriving on the external interface
• Source routing attacks
  – attacker sets a route other than the default
  – countermeasure: block source-routed packets
• Tiny fragment attacks
  – split header information over several tiny packets
  – countermeasure: either discard tiny fragments or reassemble before checking

11
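The three countermeasures on slide 11 as ingress checks in Python. This is an added example, not code from the slides; the internal address block, the IPPacket fields and the choice of the "external" interface name are assumptions. For tiny fragments it takes the "discard" option: following the approach of RFC 1858, a first fragment must carry the whole TCP header, and a fragment at offset 1 (which would overwrite the header's flags) is rejected outright.

```python
from dataclasses import dataclass
import ipaddress

# Constructed for this example: the address block the firewall considers internal.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MIN_TCP_HEADER = 20   # bytes: the first fragment must carry at least the full TCP header


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    iface: str                   # interface it arrived on: "external" or "internal"
    proto: str = "tcp"
    source_routed: bool = False  # IP loose/strict source-route option present
    frag_offset: int = 0         # fragment offset in 8-byte units, as in the IP header
    more_fragments: bool = False
    l4_bytes: int = 40           # transport-layer bytes carried in this fragment


def ingress_check(p: IPPacket) -> str:
    """Return "pass" or a "drop: ..." reason, applying the three countermeasures."""
    src = ipaddress.ip_address(p.src)

    # IP address spoofing: an internal address can never legitimately arrive from outside.
    if p.iface == "external" and any(src in net for net in INTERNAL_NETS):
        return "drop: internal source address on external interface"

    # Source routing: the sender is trying to dictate the path; block it outright.
    if p.source_routed:
        return "drop: source-routed packet"

    # Tiny fragments (TCP only): the filter must see the whole transport header in the
    # first fragment, and no later fragment may overlap it (offset 1 = byte 8 of the header).
    if p.proto == "tcp":
        if p.frag_offset == 0 and p.more_fragments and p.l4_bytes < MIN_TCP_HEADER:
            return "drop: first fragment too small to hold TCP header"
        if p.frag_offset == 1:
            return "drop: fragment overlaps TCP header"

    return "pass"


if __name__ == "__main__":
    for pkt in [
        IPPacket("192.0.2.21", "203.0.113.7", "external"),                       # spoofed
        IPPacket("192.0.2.21", "203.0.113.7", "internal"),                       # legitimate egress
        IPPacket("203.0.113.7", "192.0.2.21", "external", source_routed=True),
        IPPacket("203.0.113.7", "192.0.2.21", "external", more_fragments=True, l4_bytes=8),
        IPPacket("203.0.113.7", "192.0.2.21", "external", frag_offset=1, l4_bytes=8),
        IPPacket("203.0.113.7", "192.0.2.21", "external", frag_offset=5, l4_bytes=8),
    ]:
        print(pkt, "->", ingress_check(pkt))
```

The alternative the slide mentions, reassembling fragments before the rule check, costs memory and state on the firewall; the discard policy above is simpler but rejects some legitimately fragmented traffic, so the choice is a trade-off rather than a free win.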
Stateful Inspection Filters
• Traditional packet filters make decisions independently of higher-layer context
• Stateful inspection keeps track of the state of each outbound connection passing through the firewall
• Only allows incoming packets that correspond to an outbound connection

12
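A minimal stateful inspection filter in Python, as an added example (not code from the slides): an outbound SYN from an internal host creates a connection entry, and an inbound segment is admitted only if it matches the reverse of an existing entry. The internal address prefix and the Segment type are constructed for the example; idle-timeout and FIN teardown handling, which a real implementation needs, are left out.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

INTERNAL_PREFIX = "192.0.2."   # constructed internal address range for this example


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


# (internal ip, internal port, external ip, external port) -> connection state
Key = Tuple[str, int, str, int]


class StatefulFilter:
    """Tracks outbound TCP connections; admits inbound segments only if they belong to one."""

    def __init__(self) -> None:
        self.connections: Dict[Key, str] = {}

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def process(self, s: Segment) -> str:
        outbound = self.is_internal(s.src) and not self.is_internal(s.dst)
        inbound = self.is_internal(s.dst) and not self.is_internal(s.src)

        if outbound:
            key = (s.src, s.sport, s.dst, s.dport)
            if s.syn and not s.ack:
                self.connections[key] = "SYN_SENT"    # new connection opened from inside
                return "permit"
            if key in self.connections:
                if s.rst:
                    del self.connections[key]         # our side tore the connection down
                return "permit"
            return "deny"                             # stray outbound segment, no connection

        if inbound:
            key = (s.dst, s.dport, s.src, s.sport)    # reverse of the outbound tuple
            state = self.connections.get(key)
            if state is None:
                return "deny"                         # unsolicited: an ACK flag alone proves nothing
            if state == "SYN_SENT" and s.syn and s.ack:
                self.connections[key] = "ESTABLISHED"
            if s.rst:
                del self.connections[key]
            return "permit"

        return "deny"   # neither direction across the perimeter


if __name__ == "__main__":
    fw = StatefulFilter()
    flow = [
        Segment("192.0.2.21", "203.0.113.7", 4001, 25, syn=True),            # client opens SMTP
        Segment("203.0.113.7", "192.0.2.21", 25, 4001, syn=True, ack=True),  # server SYN/ACK
        Segment("203.0.113.7", "192.0.2.21", 25, 22, ack=True),              # forged "reply" to port 22
        Segment("203.0.113.7", "192.0.2.21", 25, 4001, rst=True),            # server resets
        Segment("203.0.113.7", "192.0.2.21", 25, 4001, ack=True),            # late packet, no state
    ]
    for seg in flow:
        print(seg, "->", fw.process(seg))
```

Compared with a static "source port 25 and ACK set" rule, the forged third segment is refused here because no internal host ever opened a connection to that sender on port 22; the state table, not the header flags, is what decides.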
Application Level Gateway (or Proxy)

13
Application Level Gateway (Proxy)
• Relay of application-level traffic:
  – user requests the service from the proxy (via a TCP/IP application)
  – proxy validates the request as legal
  – proxy contacts the remote host and relays TCP segments containing application data
  – a service is not supported if its proxy code is not implemented
  – may support only specific features of an application
• Advantage:
  – only concerned with allowable applications
  – easy to log and audit incoming traffic
• Disadvantage:
  – additional processing overhead on each connection

14
Circuit Level Gateway

15
Circuit Level Gateway
• Stand-alone system or specialized function performed by a proxy for certain applications
• No end-to-end TCP connection
  – one to the inner host, one to the outer host
• Traffic relayed without examining contents
• Security function determines which connections are allowed
• Typically used when internal users are trusted
  – supports proxy service on inbound connections
  – supports circuit-level functions for outbound connections
  – examines only incoming data for forbidden functions
  – less processing overhead

16
Bastion Host
• Critical strong point in the network's security
• Typical platform for a proxy or circuit-level gateway
• Characteristics:
  – executes a secure version of its OS
  – only essential services are installed: Telnet, SSH/FTP, SMTP, …
  – may require additional authentication for access
  – each proxy supports a subset of the normal command set
  – each proxy allows access to specific host systems
  – each proxy maintains detailed audit logging
  – each proxy module is tailored for network security
  – each proxy is independent of other proxies
  – no disk access other than reading the initial configuration

17
Single-Homed Bastion Host
• Packet-filtering router plus bastion host
  – only packets destined for the bastion host are allowed in
  – only packets from the bastion host are allowed out

18
Dual-Homed Bastion Host
• If the packet-filtering router is compromised:
  – traffic still can't flow directly through the router between the Internet and other hosts in the private network
• Information server or other hosts can communicate directly with the router if allowed

19
Screened Subnet Firewall
• Two packet-filtering routers creating an isolated sub-network
• Both the Internet and the internal network can access the subnet, but traffic across the screened subnet is blocked
• Three levels of defense: the internal network is invisible to the Internet, and systems on the inside cannot construct direct routes to the Internet

20
Summary
• Topics discussed:
  – firewalls
  – types of firewalls
  – configurations

21
