CENT 305 Information Security
Firewalls & VPNs
Principles of Information Security
Chapter 6 Part 1
References

Circuit-level Gateways vs Application Gateways
◦ http://www.pcstats.com/articleview.cfm?articleid=1450&page=5

Introduction to Network Firewalls
◦ http://www.more.net/technical/netserv/tcpip/firewalls/

Firewalls Explained
◦ http://www.dmccormick.org/firewalls.htm

Firewall Architectures
◦ http://docstore.mik.ua/orelly/networking/firewall/ch04_02.htm

Introduction to Firewalls (on-line report)
◦ http://www2.hawaii.edu/~sdunan/ics623/Dunan.FirewallReport.html

Topic Objectives
 Describe categories of firewalls.
 Describe firewall architectures.
 Discuss considerations for selecting architectures.

Firewalls
 Goal is to prevent specific types of information from moving between external networks and internal networks.
 In general, the arrangement of security devices placed at the perimeter of a computer network to guard the entry is collectively called a firewall, or firewall perimeter. At least one of those devices is a program or a hardware device called a firewall.
 So, this "wall" can be several devices, including the firewall itself.

 Create an integrated security system
◦ firewall perimeter = firewall + IDS + antivirus
◦ Also use access control and auditing
 Create many firewall perimeters, at strategic entry points
 Keep patching and updating them!

Categorizing Firewalls
 Processing mode
◦ Packet filtering, aka filtering (e.g. a router)
◦ Application gateways
◦ Circuit gateways
◦ MAC layer firewalls
◦ Hybrid
 Development era (generation)
◦ Which level of technology is used
 Structure
◦ Commercial-grade, residential-grade
 Implementation
◦ Software, hardware, hybrid

Many different firewalls to pick from
 Basic personal use: ZoneAlarm, Norton Personal, Sygate
 More commercial: e.g. Check Point Next Generation
 http://directory.google.com/Top/Computers/Security/Firewalls/Products/ (many!)
 Cisco firewall appliance (i.e. hardware firewall)
◦ http://tools.cisco.com/search/JSP/searchresults.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true
◦ http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html (performance tables)

Pros and Cons

Type of firewall                          | Pros                                                                                    | Cons
Software, freeware                        | Easy and free                                                                           | Minimal
Software, commercial personal firewalls   | Simple, cheap                                                                           | Not too many features, not robust
Software, commercial enterprise firewalls | Typically installed on a dedicated host; real-time monitoring and other admin features | $$$, not too easy to set up
Hardware appliances                       | Faster and more scalable than software firewalls                                        | $$$$$$, difficult to patch if bugs are discovered
Hybrid firewall                           | Provides throughput and security of an appliance with features of a software firewall   | $$$$$$$$$$

Packet Filtering Firewalls
 Examine packet headers
◦ Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses in the network
◦ Simple firewalls examine IP network layer headers
 source/destination IP address, protocol (UDP, TCP), inbound or outbound traffic
 can reject (deny), discard, or forward packets
◦ 3 types of packet filtering firewalls
 static filtering: rules must be configured in advance
 dynamic filtering: the firewall can modify rules dynamically in response to traffic; it opens and closes doors to allow only specified packets, with a given source, destination, and port, to pass through the firewall
 stateful inspection: the firewall keeps track of the state of a connection and whether a packet "makes sense" in that context. It can check incoming packets that are responses to internal requests. If it cannot figure it out, it checks the ACL tables.

IP Packet Structure (figure)

Sample ACL table for a stateless packet filtering firewall

Rule | Source IP     | Source port | Dest IP       | Dest port  | Action
1    | any           | any         | 192.168.120.0 | Above 1023 | Allow
2    | 192.168.120.1 | any         | any           | any        | Deny
3    | any           | any         | 192.168.120.1 | any        | Deny
4    | 192.168.120.0 | any         | any           | any        | Allow
5    | any           | any         | 192.168.120.2 | 25         | Allow
6    | any           | any         | 192.168.120.3 | 80         | Allow
7    | any           | any         | any           | any        | Deny

Discussion: how do we read such a table? (Look at the Review of TCP and Logic file.)
Discussion: what do these rules mean? Do you see why an IDS is necessary?

Stateful Inspection Firewalls
 Examine transport layer headers
 Track the state of transport layer connections using a state table.
◦ Able to track TCP and UDP source/destination ports and TCP flags in particular
 Dynamic stateful inspection firewalls
◦ Maintain dynamic state tables to modify filtering rules based on network events

TCP and UDP Packet Structure (figure)

Sample ACL table for a stateful packet filtering firewall

Source IP       | Source port | Dest IP         | Dest port | Connection state
192.168.120.101 | 1037        | 209.233.19.22   | 80        | Established
192.168.120.104 | 1022        | 165.66.28.22    | 80        | Established
192.168.120.107 | 1010        | 65.66.122.101   | 25        | Established
192.168.120.102 | 1035        | 212.33.19.4     | 79        | Established
233.54.33.5     | 1899        | 192.168.120.101 | 80        | Established
306.33.21.3     | 3558        | 192.168.120.101 | 80        | Established

Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file?)
Discussion: what do these lines mean?
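To make the two tables above concrete, here is an added example (not from the slides) that evaluates the stateless ACL first-match and then layers the stateful check on top of it: a packet that belongs to an established connection in the state table is accepted before the ACL is consulted. It assumes, which the slide does not state, that "192.168.120.0" means the whole 192.168.120.0/24 internal network and that rules are evaluated in order.

```python
import ipaddress

# Rules from the stateless ACL slide, in evaluation order:
# (source IP, source port, destination IP, destination port, action).
# Assumption not stated on the slide: "192.168.120.0" means the whole
# 192.168.120.0/24 internal network, and rules are applied first-match.
ACL = [
    ("any", "any", "192.168.120.0/24", "Above 1023", "Allow"),
    ("192.168.120.1", "any", "any", "any", "Deny"),
    ("any", "any", "192.168.120.1", "any", "Deny"),
    ("192.168.120.0/24", "any", "any", "any", "Allow"),
    ("any", "any", "192.168.120.2", 25, "Allow"),
    ("any", "any", "192.168.120.3", 80, "Allow"),
    ("any", "any", "any", "any", "Deny"),
]

# Two rows of the state table from the stateful slide, keyed by the
# connection 4-tuple as the internal host opened it.
STATE = {
    ("192.168.120.101", 1037, "209.233.19.22", 80): "Established",
    ("192.168.120.107", 1010, "65.66.122.101", 25): "Established",
}

def _field_matches(rule_value, packet_value):
    """One ACL field: 'any', 'Above N', a CIDR network, or an exact value."""
    if rule_value == "any":
        return True
    if isinstance(rule_value, str) and rule_value.startswith("Above "):
        return packet_value > int(rule_value.split()[1])
    if isinstance(rule_value, str) and "/" in rule_value:
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return rule_value == packet_value

def acl_decision(src_ip, src_port, dst_ip, dst_port):
    """Stateless filter: (rule number, action) of the first matching rule."""
    packet = (src_ip, src_port, dst_ip, dst_port)
    for number, rule in enumerate(ACL, start=1):
        if all(_field_matches(r, p) for r, p in zip(rule[:4], packet)):
            return number, rule[4]
    return None, "Deny"  # nothing matched: deny by default

def stateful_decision(src_ip, src_port, dst_ip, dst_port):
    """Stateful filter: a packet on an established connection (either direction)
    is accepted from the state table; anything else falls back to the ACL."""
    forward = (src_ip, src_port, dst_ip, dst_port)
    reverse = (dst_ip, dst_port, src_ip, src_port)
    if STATE.get(forward) == "Established" or STATE.get(reverse) == "Established":
        return "state table", "Allow"
    return acl_decision(src_ip, src_port, dst_ip, dst_port)
```

Evaluated first-match, rule 1 admits any external packet to an internal port above 1023 before rules 3 and 7 are reached, while the mail server's reply to port 1010 is denied by the ACL but accepted from the state table; those two observations are what the discussion questions on both slides point at.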

Where do we put packet filters?
 Cloud, packet filter, proxy server, inside net
 Cloud, packet filter, DMZ, packet filter, inside net

Application Gateways
 AKA application-level firewall, application firewall, or proxy server
 Frequently installed on a separate computer but used in conjunction with the filtering router
 Examines application layer information to determine service type, etc.
 Acts as a proxy for a service request
◦ Web server proxy receives requests for web pages, accesses the web server, and returns the pages to the client
◦ Able to store recently accessed pages in a local cache. May be referred to as cache servers.
 Frequently placed in an unsecured network location, or a DMZ network
 Can be used to route all internal traffic for web pages via the intermediate proxy server
 Still widely used for e-commerce, but DMZ networks becoming more commonly used.
 Can be slower than other types of firewalls.
 Designed for one or a few protocols; cannot be easily reconfigured.

Proxy Server (also called application gateway, application-level firewall, or application firewall)
E.g. a web proxy receives traffic meant for (or coming from) the web server and then delivers it to (or from) the web server. The web server is protected by a firewall in the figure above. There can be a packet-filter firewall in front of the proxy too.

Circuit Gateways
 AKA circuit gateway firewall or circuit-level gateway
 Operates at transport layer
 Create tunnels connecting specific processes or systems and allow only authorized traffic in tunnels
 Only examines address and port information; does not examine application layer data.

MAC Layer & Hybrid Firewalls
 MAC layer filtering
◦ Operates at Layer 2 and examines MAC addresses
◦ Typically included as a feature of packet filtering firewalls, or hardware firewalls.
 Hybrid firewalls
◦ Contain components of different types of firewalls
 packet filtering + MAC layer filtering
 packet filtering + circuit gateway
 packet filtering + proxy server

Firewall Generations
 First generation
◦ Static packet filtering
 Second generation
◦ Proxy servers or application-level firewalls
 Third generation
◦ Stateful inspection firewalls
 Fourth generation
◦ Dynamic packet filtering firewalls
 Fifth generation
◦ Kernel proxy: operates at multiple layers of the protocol stack
◦ Windows NTEXEC kernel
◦ Cisco Centri Firewall kernel

Firewall Structures
 Commercial-grade firewall appliances
◦ Standalone, self-contained hardware & software
◦ Firmware-based instructions increase reliability and performance and reduce compromise
◦ Rule sets stored in nonvolatile RAM
 Commercial-grade firewall systems
◦ Application software running on general-purpose computers
 Small Office/Home Office-grade (SOHO) firewall appliances
◦ Protection for always-on high speed Internet connections
◦ Support stateful inspection, MAC filtering, port forwarding and NAT
◦ May provide intrusion detection capability
 Residential-grade firewall software
◦ Frequently available as free or inexpensive software packages that run on individual hosts.

SOHO Hardware vs Software Firewall
 Suggestion: use BOTH
◦ Implements the strategy of defense in depth
◦ Hardware firewalls reduce/eliminate exposure of individual systems from scanning and probes
 Very likely to eliminate 100% of pre-attack probes
 May improve system performance by reducing unnecessary traffic on the local network
 SOHO hardware firewalls are not especially expensive and well worth the investment
◦ Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall.

Firewall Architectures
 4 common implementations
◦ Packet filtering routers
◦ Screened host firewalls
◦ Dual-homed host firewalls
◦ Screened subnet firewalls (with DMZ)

Packet Filtering Routers
 Basic border firewall (figure)

Untrusted Host
 Exposed hosts outside the border firewall
 Host is configured for minimal services
 Both incoming and outgoing traffic goes through the external host
◦ E.g., proxy server
 Internal hosts cannot trust the external host
 If all traffic routes through the untrusted host, it may also be a dual-homed host.

Screened Host
 Untrusted host on a separate network and inside the firewall
 Still untrusted by internal hosts
 Other untrusted hosts can be on the same network
 Creates a public access network (e.g., web access)
 aka DMZ
 aka perimeter network, service network

Dual-Homed Host
 All traffic enters/leaves the internal network via the proxy server.
 The proxy server may or may not be the firewall. Not required to be the same device.

Screened Subnet Firewall
 Traffic between the internal network and the Internet traverses two firewalls and the DMZ network
 Hosts in the DMZ act as publicly accessible servers
 Traffic entering the inner firewall must originate from a host in the DMZ
 Internal firewalls provide protection between internal subnets

Firewall Configuration Advantages/Disadvantages

Configuration                     | Advantages                                                         | Disadvantages
Screening router                  | Simple, cheap; stateful packet filter good for home use            | Minimal protection; viruses, trojans, etc. might get through
Dual-homed host                   | Simple, cheap, can work well if configured well                    | Single point of failure and entry; depends entirely on the host computer
Screened host                     | 2 layers of protection for home and small business                 | Single point of failure and entry; depends entirely on the host computer and the router that protects it
Screened subnet (DMZ)             | Isolates public servers from the internal LAN and thus protects them | Servers in the DMZ are highly vulnerable, must be hardened
Multiple DMZs/firewalls           | Layers of protection for a business network                        | $$$
Single DMZ/two firewalls          | Balances heavy traffic load                                        | $$$
Branch offices/multiple firewalls | Each office is protected                                           | Each location has to be set up
Reverse firewall                  | Monitors internal users' access to external nets                   | Can slow down access to external nets (even parts of the internal LAN)

SOCKS Servers
 SOCKS
◦ Protocol for handling TCP traffic through a proxy server.
◦ Proprietary, circuit-level proxy server.
 Uses special client-side SOCKS agents on each workstation.
 Filtering occurs in the workstations, rather than the proxy server.
 Each workstation must be managed as a firewall detection and protection device.
◦ May require extra support and management resources, since individual clients must also be managed.

SOCKS Server (figure)
Note: depicts a dual-homed host configuration with inner and outer firewalls.

Firewall Selection
 Factors to consider
◦ Which firewall design provides the desired protection?
◦ What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization?
◦ What features are included?
 In the base price, as add-ons?
 Are all cost factors known?
◦ How easy is it to set up and configure?
 How accessible are knowledgeable staff to support the firewall?
◦ Can the proposed firewall adapt to projected network growth in the organization?