453 Network Security
Section 5: Firewalls
Dr. E.C. Kulasekere
Sri Lanka Institute of Information Technology - 2006

Introduction
• Evolution of information systems
• Now everyone wants to be on the Internet and to interconnect networks
• This generates persistent security concerns – it is not practical to secure every system in the organization individually
• Organizations need "harm minimisation"
• A firewall is usually part of this

What is a Firewall?
• A choke point for control and monitoring
• Interconnects networks with differing levels of trust
• Imposes restrictions on network services – only authorized traffic is allowed
• Audits and controls access – can raise alarms on abnormal behaviour
• Must itself be resistant to penetration (a compromised firewall protects nothing)
• Provides perimeter defence

What is a Firewall? …
• A firewall essentially keeps the problems of other networks from getting into yours.
• All firewalls do some kind of packet filtering.
• Once an attacker has identified the type of firewall in use, it can often be bypassed through the weakest link in its configuration rather than attacked head-on.
• Software firewalls such as those shipped with Linux can be made easy to configure with a front-end, e.g. gfcc.

Firewall Limitations
• Cannot protect against attacks that bypass it – e.g. "sneaker net" (hand-carried media), dial-up modems, trusted organisations, trusted services (e.g. traffic inside SSL/SSH tunnels that the firewall cannot inspect)
• Cannot protect against internal threats – e.g. a disgruntled employee
• Cannot protect against the transfer of every virus-infected program or file – because of the huge range of operating systems and file types

How Firewalls Function
• Two approaches to access control:
  – Everything not specifically permitted is denied (default deny).
  – Everything not specifically denied is permitted (default permit).
• Default deny is the approach most often recommended.
• It is restrictive and provides more security, with the downside that legitimate users may also be blocked until the rules are refined.

Firewall Types
• Mainly two types, plus one refinement:
  – Application gateways
  – Packet filters
  – Stateful inspection screening systems
• Each type can be characterised by the OSI layer at which it operates.
• Hybrid packet screening methods can be implemented by combining two or more of these.

Firewalls and OSI Model

Firewalls – Packet Filters

Firewalls – Packet Filters (1)
• Simplest of the components
• Foundation of any firewall system
• Examine each IP packet in isolation (no context) and permit or deny it according to rules
• Hence restrict access to services (ports)
• A service can be disallowed as a whole, but a function within the service cannot be.
• Example: FTP can be blocked by closing its port, but the mget command cannot be blocked while the rest of FTP is left open.

Firewalls – Packet Filters (2)
• The most common implementation is on a router or a dual-homed gateway.
• Packet filtering can be done based on
  – Source IP address
  – Destination IP address
  – Protocol type (TCP/UDP)
  – Source port
  – Destination port

Firewalls – Packet Filters (3)
Strengths of a Packet Filter Firewall
• Fast, since packets are screened at a low layer.
• If implemented properly this type of firewall has little effect on network performance.
• Inexpensive: most routers and operating systems today have some form of packet filter built in.
• Scales up easily.
• Application independent: decisions are based on information in the packet headers, not on anything specific to an application.

Weaknesses of a Packet Filter Firewall
• Allows a direct connection to be made between the two endpoints.
• Filtering is fast but all-or-nothing: if a port is open, all traffic to that port is open, which is in effect a security hole.
• Hard to match the access needs of clients against the requirements of the organization.
• A rule set is very hard to test exhaustively.
• Open to attacks that manipulate the packet header information (see the next slide).
• Does not perform user authentication.
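The two default policies and the five header fields listed above can be exercised with a small packet filter. The following is an added example, not code from the lecture; the rule engine, the 10.0.0.0/8 "inside" network and the sample packets are assumptions made for the illustration. It also shows the all-or-nothing weakness: a rule that admits replies from source port 80 admits anything sent from source port 80.

```python
"""Added example (not from the lecture): a minimal stateless packet filter.

Each rule matches only on the five header fields the slides list (source
and destination address, protocol, source and destination port); the
first matching rule wins and the default policy applies when nothing
matches.  The 10.0.0.0/8 inside network and the packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    sport: Optional[int] = None      # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def filter_packet(rules, packet, default="deny") -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Default-deny rule set: inbound SMTP and HTTP to two servers, plus HTTP
# replies from outside web servers back to inside clients.  Anything else
# falls through to the default policy.
INSIDE = "10.0.0.0/8"
RULES = [
    Rule("permit", dst="10.1.1.25/32", proto="tcp", dport=25),   # mail server
    Rule("permit", dst="10.1.1.80/32", proto="tcp", dport=80),   # web server
    Rule("permit", dst=INSIDE, proto="tcp", sport=80),           # HTTP replies
]


def demo():
    inbound_mail = Packet("203.0.113.7", "10.1.1.25", "tcp", 40001, 25)
    inbound_ssh = Packet("203.0.113.7", "10.1.1.25", "tcp", 40002, 22)
    # The "replies from port 80" rule is the stateless filter's weak spot:
    # any outside host can reach any inside port simply by sending from
    # source port 80, because the filter has no memory of who asked.
    forged_reply = Packet("203.0.113.7", "10.1.1.5", "tcp", 80, 139)
    return {
        "inbound_mail": filter_packet(RULES, inbound_mail),
        "inbound_ssh": filter_packet(RULES, inbound_ssh),
        "forged_reply": filter_packet(RULES, forged_reply),
        # The same unlisted SSH packet under default permit gets through.
        "inbound_ssh_default_permit": filter_packet(RULES, inbound_ssh, default="permit"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The forged reply being permitted is exactly the hole the stateful inspection slides later close: without a record of an outbound request, the filter cannot tell a genuine HTTP reply from an attacker's packet that merely uses source port 80.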
Attacks on Packet Filters
• IP address spoofing
  – Attacker fakes a source address that the filter trusts (e.g. an internal address)
  – Countermeasure: add filters on the router that drop packets arriving on the external interface with an internal source address
• Source routing attacks
  – Attacker specifies a route other than the default in the IP header, hoping to bypass the filter
  – Countermeasure: block all source-routed packets
• Tiny fragment attacks
  – Attacker splits the TCP header over several tiny fragments so that the filter never sees the port numbers in the first fragment
  – Countermeasure: either discard tiny fragments or reassemble before checking

Firewalls – Stateful Packet Inspection (1)
• Uses the same technique as a packet filtering firewall, with additional header checking from the network layer up to the application layer to see whether the packet is part of a legitimate connection.
• i.e. examines each IP packet in context
  – keeps track of client-server sessions
  – checks that each packet validly belongs to one
• Better able to detect bogus packets that are out of context

Firewalls – Stateful Packet Inspection (2)
• Packet header information is examined and recorded in a dynamic state table.
• Packets are compared to preconfigured rules or filters, and allow or deny decisions are made based on the results of the comparison.
• The data in the state table is then used to evaluate subsequent packets, to verify that they are part of the same connection.

Firewalls – Stateful Packet Inspection (3)
• This method can make decisions based on one or more of the following:
  – Source IP address
  – Destination IP address
  – Protocol type (TCP/UDP)
  – Source port
  – Destination port
  – Connection state
• By "remembering" the status of a connection, this method of packet screening is better equipped to guard against attacks than standard packet filtering.

Firewalls – Stateful Packet Inspection (4)
Strengths of a Stateful Packet Filter
• Like packet filtering firewalls, stateful filters have very little impact on network performance, can be implemented transparently and are application independent.
• Because it digs deeper into the header information, this is more secure than a plain packet filter.
• These have some logging capabilities.
Logging can help identify and track the different types of traffic that pass through the firewall.

Weaknesses of a Stateful Packet Filter
• Like packet filtering, this does not break the client/server model, and therefore allows a direct connection to be made between the two endpoints.
• Rules and filters in this packet screening method can become complex, hard to manage, prone to error and difficult to test.

Application Level Gateway (or Proxy)

Firewall – Application Gateway/Proxy (1)
• Considered the most complex packet screening method.
• Usually implemented on a hardened host with two network interfaces, where the firewall acts as an intermediary between the two.
• Operates at the application layer of the OSI model. Hence a proxy service must be implemented for each application protocol.

Firewall – Application Gateway/Proxy (2)
• Can be made very reliable, since this is the only connection point between the two networks.
• Another strength of this method is that the interfaces on the host system do not forward packets.
• There is no direct connection between the external client and the internal host; each side talks only to the proxy.

Firewall – Application Gateway/Proxy (3)
• The operation is as follows:
  – The client issues a request from the untrusted network, and a connection is established with the application gateway/proxy.
  – The proxy determines whether the request is valid by comparing it with its rules.
  – If so, a new request is generated by the proxy on behalf of the client and sent to the destination.
  – The reply from the destination is relayed back to the client in the same manner.

The Proxy/Gateway View

Firewall – Application Gateway/Proxy (4)
• Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see all aspects of the application layer, so it can look for more specific pieces of information.
• For example:
the difference between an e-mail containing only text and one containing a graphic image, or between a web page using Java and one without, can be determined.
• This method is more thorough than the others, but it is not always the most practical to apply.

Strengths of an Application Level Gateway/Proxy (1)
• No direct connection: breaks the client/server model and keeps the internal and external networks separate.
• No routing is done. Hence this method inherently provides a form of Network Address Translation (only the proxy's address is visible from outside).
• Can permit or deny specific applications, or specific features of an application. Many security experts consider application gateways/proxies more secure because of this granular control.

Strengths of an Application Level Gateway/Proxy (2)
• Enhanced filtering capabilities: since they can examine the packet payload, they can make decisions based on content.
• Offer tight user administration that can be coupled with the system's user databases.
• Can log user activity and the different types of traffic. This is a valuable resource when dealing with security incidents and when implementing policy.

Weaknesses of an Application Level Gateway/Proxy (1)
• Screening packets at the application layer costs system performance; the proxy can become a bottleneck.
• Each protocol (HTTP, SMTP, etc.) requires its own gateway/proxy application. If one does not exist, the corresponding protocol cannot pass through the firewall. Since each protocol needs its own proxy, supporting new applications can become a problem.

Weaknesses of an Application Level Gateway/Proxy (2)
• Clients on the network may require specialized software or configuration changes to connect through the application gateway/proxy. This can have a considerable impact on large networks with many clients.
• Performance typically degrades as the number of clients increases, or as more gateways/proxies are placed on a single host. Hence low scalability.

Weaknesses of an Application Level Gateway/Proxy (3)
• When installed on a general-purpose operating system, the proxy is exposed to the security flaws of the underlying system. If the underlying system is not secure, the firewall is not secure.
• More susceptible to denial-of-service (DoS) attacks: if enough traffic is forced onto the application gateway/proxy, it can cease to operate.
• The enhanced security of application gateways/proxies may require the purchase of additional hardware, software, expertise or support, which drives up the cost of the firewall solution.

Other Hybrid Types of Firewalls
• There are several other hybrid types:
  – Adaptive proxies: an enhanced form of application level gateway/proxy.
  – Circuit level gateways: work on sessions rather than screening individual packets.
• Capabilities can be improved by combining approaches in hybrid firewalls.

Adaptive Proxies
• Constructed by combining the merits of application gateways/proxies and packet filtering firewalls.
• They inspect the first part of a connection at the application layer to make the allow or deny decision.
• Subsequent packets of that connection are inspected at the network layer and allowed or denied there.
• If a subsequent packet is deemed to start something new, it is passed back up to the application layer for inspection.
• This enhances performance, since network-layer inspection is faster.

Firewalls - Circuit Level Gateway (1)
• Unlike a packet filtering firewall, this does not examine individual packets.
• It monitors TCP/UDP sessions instead.
• Once a session has been established, it leaves the port open to allow all other packets belonging to that session to pass. The port is closed when the session is terminated.
• This method of packet screening resembles application gateways/proxies and adaptive proxies, but circuit-level gateways operate at the transport layer (layer 4) of the OSI model.

Firewalls - Circuit Level Gateway (2)

Important Aspects of Effective Firewalls
• First, the device or host on which the firewall resides must itself be secure. If the system can be compromised, then so can the firewall. If the firewall you choose is based on a well-known network operating system, make sure the operating system is fully patched and all security updates have been applied.
• Second, for a firewall to be effective, all traffic to and from your network must pass through it. If a firewall can be physically or logically bypassed, there is no guarantee that your trusted network is safe. The architecture used for your firewall solution is therefore very important.

Discuss the security issues in a LAN.
• The difference between the levels of security comes from the degree of control you have over what is happening in the network. In a LAN you have complete control over the hosts; in a WAN you have little or no control over the other hosts and services.
• User authentication: restrict access using the passwd file and shadow passwords. /etc/passwd has to be world-readable for the system to work, so the password hashes must not be kept in it; they belong in /etc/shadow, which must be readable only by root. Use pwconv to move existing hashes from passwd into shadow.
• Resource protection: restrict which users can access which objects, and audit usage to track abuse of privileges.
• Physical safeguards: securing the physical machine itself is essential. E.g. anyone with console access can boot a Linux firewall host into single-user mode and obtain root, bypassing every rule it enforces, unless the boot loader and BIOS are protected.

Discuss the security issues in a WAN.
• In a WAN you are exposed to an effectively unlimited number of security risks.
• Using a firewall reduces the risk by providing a single point of control for Internet connections.
• In TCP applications, a buffer overflow can crash a service or open a hole, because the service does not trap unexpected input (recover by patching or updating).
• IP spoofing ("IP forging") can get a stray packet into your network that initiates an apparently legitimate connection to the outside world.
• Password theft: use encrypted protocols for authentication, and audit password strength with a password cracker (e.g. Crack) before an attacker does.
• Viruses and Trojan horses.
• Forged e-mails: use digital signatures to authenticate the sender.

What are the firewall architectures?
• Firewall implementations can be simple or complex, depending on the architecture used.
• Traffic in both directions must pass through the firewall.
• There are several types of architecture:
  – A packet filtering router
  – Screened host (bastion host)
  – Dual-homed gateway
  – Screened subnet or demilitarized zone (DMZ)
  – Firewall appliance

Packet Filtering Router
• A router configured to screen packets between two networks.
• It routes packets between the two networks and uses packet filtering rules to accept or deny traffic.
• Implementing this well is not easy, since routers were not designed for this purpose and the command interface is neither simple nor intuitive.

Screened Host (Bastion Host) (1)
• Generally located in the trusted network, shielded from the untrusted network by a packet filtering router.
• All traffic admitted by the packet filter is directed to the screened host.

Screened Host (Bastion Host) (2)
• Outbound traffic may or may not pass through the screened host.
• Most often software based, running on a general-purpose computer with a hardened version of the operating system.
• Security is usually implemented at the application level.

Dual Homed Gateway (1)
• A dual-homed gateway typically sits behind the gateway (usually a router) to the untrusted network, and is most often a host system with two network interfaces.
• IP forwarding on this host is disabled, forcing all traffic between the two networks to pass through some kind of application gateway or proxy.
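The stateful inspection slides above describe a state table of client-server sessions against which each packet is checked, and both the "Attacks on Packet Filters" slide and the "IP forging" item in the WAN list above call for dropping packets that arrive from outside claiming an inside address. The following tracker is an added example, not code from the lecture, showing both ideas on a constructed TCP trace; the interface names, the 10.0.0.0/8 inside network and the simplified connection states are assumptions made for the illustration.

```python
"""Added example (not from the lecture): a stateful TCP tracker with an
anti-spoofing check on the outside interface.

Policy: inside hosts (constructed 10.0.0.0/8) may open TCP connections
outward; inbound packets are permitted only when they belong to a
connection recorded in the state table.  Any packet arriving on the
outside interface with an inside source address is dropped before the
state table is even consulted.  The state machine is deliberately
simplified (one entry per connection, torn down on the first FIN or RST).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed internal address range


@dataclass(frozen=True)
class TcpPacket:
    iface: str      # "inside" or "outside": interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"


class StatefulFilter:
    def __init__(self):
        # state table keyed by (client addr, client port, server addr, server port)
        self.table = {}

    @staticmethod
    def _key(p: TcpPacket, outbound: bool):
        # Normalise both directions of a connection to the same key.
        return ((p.src, p.sport, p.dst, p.dport) if outbound
                else (p.dst, p.dport, p.src, p.sport))

    def check(self, p: TcpPacket) -> str:
        outbound = p.iface == "inside"
        # Anti-spoofing: an inside address can never legitimately arrive
        # on the outside interface.
        if not outbound and ip_address(p.src) in INSIDE:
            return "drop: spoofed inside address on outside interface"
        key = self._key(p, outbound)
        # A bare SYN from inside opens a new tracked connection.
        if outbound and "S" in p.flags and "A" not in p.flags:
            self.table[key] = "SYN_SENT"
            return "permit: new outbound connection"
        state = self.table.get(key)
        if state is None:
            # Covers unsolicited inbound SYNs and forged "replies" alike:
            # nothing on the inside asked for this packet.
            return "drop: no matching connection"
        if "R" in p.flags or "F" in p.flags:
            del self.table[key]          # connection torn down; forget it
            return "permit: connection closed"
        if state == "SYN_SENT":
            # Only the server's SYN-ACK is in context at this point.
            if outbound or p.flags != "SA":
                return "drop: out of context, expected SYN-ACK from server"
            self.table[key] = "ESTABLISHED"
        return "permit: belongs to tracked connection"


def demo():
    """Run a constructed trace through the filter; returns one verdict per packet."""
    fw = StatefulFilter()
    client, server = "10.1.2.3", "198.51.100.10"
    trace = [
        TcpPacket("inside", client, server, 51000, 80, "S"),     # client opens
        TcpPacket("outside", server, client, 80, 51000, "SA"),   # server answers
        TcpPacket("inside", client, server, 51000, 80, "A"),     # handshake done
        # outsider forges a "reply" from port 80 that nobody asked for
        TcpPacket("outside", "203.0.113.7", "10.1.2.9", 80, 139, "A"),
        # outsider tries to open a connection inward
        TcpPacket("outside", "203.0.113.7", "10.1.1.25", 40000, 22, "S"),
        # outsider spoofs an inside source address
        TcpPacket("outside", "10.1.1.1", "10.1.1.25", 40001, 22, "S"),
        TcpPacket("inside", client, server, 51000, 80, "FA"),    # client closes
        # late packet for the connection that was just closed
        TcpPacket("outside", server, client, 80, 51000, "A"),
    ]
    return [fw.check(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Compare the fourth packet with the forged port-80 reply that the stateless filter example permitted: here it is dropped, because no inside host has an entry for that conversation. The price is the state table itself, which is what the "rules can become complex, hard to manage" weakness refers to, and which also becomes a resource an attacker can try to exhaust.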
Dual Homed Gateway (2)
• Only gateways or proxies for the services considered essential are installed on the system.
• This architecture usually requires user authentication before access to a gateway/proxy is allowed.
• Each proxy is independent of all other proxies on the host system.

Screened Subnet or Demilitarized Zone (DMZ) (1)
• A screened subnet or DMZ is typically created between two packet filtering routers.
• In this architecture, the firewall solution is housed on the screened subnet segment, along with any other services offered to the untrusted network.
• Conceptually, this architecture is similar to a screened host, except that an entire network, rather than a single host, is reachable from the outside.

Firewall Appliance (1)
• A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network.
• This architecture resembles the packet filtering router and dual-homed gateway architectures in that all traffic must pass through the appliance. In most cases these appliances come pre-configured on their own box.

Firewall Appliance (2)
• They may also have other services built in, such as web servers and e-mail servers.
• No extensive configuration is required, hence easy to use.

Selecting and Implementing a Firewall
• To pick the best architecture and packet screening method for a firewall solution, consider the following questions:
  – What does the firewall need to do?
  – What additional services would be desirable?
  – How will it fit into the existing network?
  – How will it affect existing services and users?
• Note that a firewall implemented with little thought may be worse than having no firewall at all, because it creates a false sense of security.

Access Control
• Given that the system has identified a user
• Determine what resources they can access
• The general model is the access matrix, with
  – subject: an active entity (user, process)
  – object: a passive entity (file or resource)
  – access right: a way the object can be accessed
• The matrix can be decomposed
  – by columns, as access control lists (one list per object)
  – by rows, as capability tickets (one list per subject)

Access Control Matrix
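The two decompositions of the access matrix can be made concrete. The following is an added example, not code from the lecture: the subjects, objects and rights are constructed, and the matrix is held as a dictionary of rows so that the column view (ACLs) and row view (capabilities) can be derived from it and shown to agree.

```python
"""Added example (not from the lecture): an access control matrix and its
two decompositions.  Subjects, objects and rights are constructed.
"""
from copy import deepcopy
from typing import Dict, FrozenSet

Matrix = Dict[str, Dict[str, FrozenSet[str]]]   # subject -> object -> rights

# The matrix: rows are subjects, columns are objects, cells hold rights.
# An empty cell is simply absent.
MATRIX: Matrix = {
    "alice": {"payroll.db": frozenset({"read", "write"}),
              "fw.conf": frozenset({"read"})},
    "bob":   {"payroll.db": frozenset({"read"})},
    "fwd":   {"fw.conf": frozenset({"read", "write"}),
              "fw.log": frozenset({"append"})},
}


def acls(matrix: Matrix) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Column view: for each object, which subjects hold which rights.
    This is what a file system stores alongside each file."""
    out: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            out.setdefault(obj, {})[subject] = rights
    return out


def capabilities(matrix: Matrix, subject: str) -> Dict[str, FrozenSet[str]]:
    """Row view: the tickets one subject carries, i.e. its matrix row."""
    return dict(matrix.get(subject, {}))


def check_acl(acl, subject: str, obj: str, right: str) -> bool:
    """Reference monitor using the object's ACL."""
    return right in acl.get(obj, {}).get(subject, frozenset())


def check_capability(caps, obj: str, right: str) -> bool:
    """Reference monitor using the subject's capability list."""
    return right in caps.get(obj, frozenset())


def views_agree(matrix: Matrix) -> bool:
    """Both decompositions answer every (subject, object, right) query
    identically, including queries about cells that are absent."""
    acl = acls(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(check_acl(acl, s, o, r) == check_capability(capabilities(matrix, s), o, r)
               for s in matrix for o in objects for r in rights)


def revoke_object(matrix: Matrix, obj: str) -> Matrix:
    """Remove every right on one object, returning a new matrix.
    In ACL terms this is deleting a single column; in capability terms
    every subject's tickets have to be visited, which is why revocation
    is the classic weakness of capability systems."""
    new = deepcopy(matrix)
    for row in new.values():
        row.pop(obj, None)
    return new


if __name__ == "__main__":
    acl = acls(MATRIX)
    print("bob may write payroll.db:", check_acl(acl, "bob", "payroll.db", "write"))
    print("fwd may append fw.log:", check_capability(capabilities(MATRIX, "fwd"), "fw.log", "append"))
    print("views agree:", views_agree(MATRIX))
```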