Firewalls
Chapter 5
Copyright Prentice-Hall 2003
Figure 5-1: Border Firewall
[Diagram: the Internet (not trusted) connects through a border firewall to the internal corporate network (trusted). Packets arriving from the Internet are ingress traffic; packets leaving are egress traffic. Passed packets reach a hardened client PC and a hardened server inside; an attack packet sent by an attacker is dropped on ingress and recorded in the firewall's log file.]
Figure 5-2: Types of Firewall Inspection

Packet Inspection
- Examines IP, TCP, UDP, and ICMP header contents
- Static packet filtering looks at individual packets in isolation; misses many attacks
- Stateful inspection inspects packets in the context of the packet's role in an ongoing or incipient conversation
- Stateful inspection is the preferred packet inspection method today

Application Inspection
- Examines application layer messages
- Stops some attacks that packet inspection cannot

Network Address Translation
- Hides the IP addresses of internal hosts to thwart sniffers
- Benignly spoofs source IP addresses in outgoing packets

Denial-of-Service Inspection
- Recognizes incipient DoS attacks and takes steps to stop them
- Limited to a few common types of attacks

Authentication
- Only packets from users who have proven their identity are allowed through
- Not commonly used, but can be valuable

Virtual Private Network Handling
- Virtual private networks offer message-by-message confidentiality, authentication, message integrity, and anti-replay protection
- VPN protection often works in parallel with other types of inspection instead of being integrated with them

Integrated Firewalls
- Most commercial products combine multiple types of filtering
- Some freeware and shareware firewall products offer only one type of filtering
Firewalls
- Types of Firewalls
  - Screening router firewalls
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance
Figure 5-3: Firewall Hardware and Software

Screening Router Firewalls
- Add firewall software to the router
- Usually provide light filtering only
- Expensive for the processing power obtained; usually must upgrade the hardware, too
- Screens out the incoming "noise" of simple scanning attacks to make the detection of serious attacks easier
- Good location for egress filtering; can eliminate scanning responses, even those from the router itself

Computer-Based Firewalls
- Add firewall software to a server with an existing operating system: Windows or UNIX
- Can be purchased with the power to handle any load
- Easy to use because administrators already know the operating system
- Firewall vendor might bundle the software with hardened hardware and operating system software
- General-purpose operating systems result in slower processing
- Security: attackers may be able to hack the operating system
  - Change filtering rules to allow attack packets in
  - Change filtering rules to drop legitimate packets

Firewall Appliances
- Boxes with minimal operating systems
  - Therefore, difficult to hack
- Setup is minimal
- Not customized to a specific firm's situation
- Must be able to update them

Host Firewalls
- Installed on the hosts themselves (servers and sometimes clients)
- Enhanced security because of host-specific knowledge
  - For example, filter out everything but webserver traffic on a webserver
- Defense in depth
  - Normally used in conjunction with other firewalls
  - Although on a single host computer attached to the Internet, it might be the only firewall
- If not centrally managed, configuration can be a nightmare
  - Especially if rule sets change frequently
  - Client firewalls typically must be configured by ordinary users, who might misconfigure or reject the firewall
  - Need to centrally manage remote employee computers
Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering
[Chart: performance requirements rise with traffic volume (packets per second) on one axis and with complexity of filtering (number of filtering rules, complexity of rules, etc.) on the other.]
Firewalls
- Types of Firewalls
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance
Figure 5-5: Static Packet Filter Firewall
[Diagram: packets arriving from the Internet are examined one at a time, in isolation, by the static packet filter firewall, which permits (passes) them into the corporate network or denies (drops) them and writes to a log file. Only the IP, TCP, UDP, and ICMP headers are examined: IP header + TCP header + application message; IP header + UDP header + application message; IP header + ICMP message.]
Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

Rules are evaluated in order; the first matching rule decides the packet.

1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address = 60.47.*.*, DENY [internal address range; must not arrive from outside]
5. If source IP address = 1.2.3.4, DENY [blackholed address of attacker]
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
13. If TCP destination port = 513, DENY [UNIX rlogin without password]
14. If TCP destination port = 514, DENY [UNIX rsh; launches a shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
DENY ALL
Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
3. If source IP address = 192.168.*.*, DENY [private IP address range]
4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
5. If ICMP Type = 8, PASS [allow outgoing echo request messages]
6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PASS [public webserver]
9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]
11. If TCP source port = 49152 through 65535, PASS [allow outgoing client connections]
12. If UDP source port = 49152 through 65535, PASS [allow outgoing client connections]
13. DENY ALL

Note: rules 9 and 10 also block replies from any internal server other than the webserver (for example the SMTP relay 60.47.3.10 and the external DNS server 60.47.3.4 of Figure 5-17), so each such server needs its own PASS rule ahead of them. Rules 11 and 12 assume that clients choose ephemeral ports in the IANA dynamic range 49152 through 65535; not every client stack does, so the range must match the hosts behind the router.
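How an ordered ACL is actually evaluated is easier to see in code than in prose. The following is an added example, not from the textbook: it encodes the ingress rules of Figure 5-6 and the egress rules of Figure 5-7 as predicates and evaluates them the way a static packet filter does, one packet at a time, in order, first match wins, with the implicit DENY ALL at the end. The Packet class, the use of 123.80.5.34 as an external client address, and the sample ports 40000 and 55000 are assumptions for the demonstration and are not in the figures.

```python
"""Ordered ACL evaluation with first-match semantics (added example, Figures 5-6 and 5-7)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    icmp_type: Optional[int] = None


# A rule is (predicate, action, comment). Only fields a static filter can see are used.
Rule = Tuple[Callable[[Packet], bool], str, str]


def src_in(*cidrs: str) -> Callable[[Packet], bool]:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda p: any(ipaddress.ip_address(p.src) in n for n in nets)


def tcp_dport(lo: int, hi: Optional[int] = None) -> Callable[[Packet], bool]:
    hi = lo if hi is None else hi
    return lambda p: p.proto == "tcp" and lo <= p.dport <= hi


PRIVATE = src_in("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")   # rules 1-3 of both lists
INTERNAL = src_in("60.47.0.0/16")                                   # the firm's address range

INGRESS: List[Rule] = [
    (PRIVATE, "DENY", "private source address (rules 1-3)"),
    (INTERNAL, "DENY", "internal address arriving from outside (rule 4)"),
    (src_in("1.2.3.4/32"), "DENY", "blackholed attacker (rule 5)"),
    (lambda p: p.proto == "tcp" and p.syn and p.fin, "DENY", "SYN+FIN crafted packet (rule 6)"),
    (lambda p: p.proto == "tcp" and p.dst == "60.47.3.9" and p.dport in (80, 443),
     "PASS", "connection to the public webserver (rule 7)"),
    (lambda p: p.proto == "tcp" and p.syn and not p.ack, "DENY", "connection attempt from outside (rule 8)"),
    (tcp_dport(20, 23), "DENY", "FTP data/control, SSH, Telnet (rules 9-11, 15)"),
    (tcp_dport(135, 139), "DENY", "NetBIOS (rule 12)"),
    (tcp_dport(513, 514), "DENY", "rlogin/rsh (rules 13-14)"),
    (lambda p: p.proto == "udp" and p.dport == 69, "DENY", "TFTP (rule 16)"),
    (lambda p: p.proto == "icmp" and p.icmp_type == 0, "PASS", "incoming echo reply (rule 17)"),
]

EGRESS: List[Rule] = [
    (PRIVATE, "DENY", "private source address (rules 1-3)"),
    (lambda p: not INTERNAL(p), "DENY", "source not in internal range (rule 4)"),
    (lambda p: p.proto == "icmp" and p.icmp_type == 8, "PASS", "outgoing echo request (rule 5)"),
    (lambda p: p.proto == "icmp", "DENY", "all other outgoing ICMP (rule 6)"),
    (lambda p: p.proto == "tcp" and p.rst, "DENY", "outgoing RST, used in host scanning (rule 7)"),
    (lambda p: p.proto == "tcp" and p.src == "60.47.3.9" and p.sport in (80, 443),
     "PASS", "replies from the public webserver (rule 8)"),
    (lambda p: p.proto in ("tcp", "udp") and p.sport <= 49151,
     "DENY", "well-known/registered source port (rules 9-10)"),
    (lambda p: p.proto in ("tcp", "udp") and 49152 <= p.sport <= 65535,
     "PASS", "client ephemeral source port (rules 11-12)"),
]


def filter_packet(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule; unmatched packets hit DENY ALL."""
    for match, action, why in acl:
        if match(pkt):
            return action, why
    return "DENY", "DENY ALL (no rule matched)"


if __name__ == "__main__":
    samples = [
        ("ingress", INGRESS, Packet("123.80.5.34", "60.47.3.9", "tcp", 62600, 80, syn=True)),
        ("ingress", INGRESS, Packet("123.80.5.34", "60.47.3.9", "tcp", 62600, 80, syn=True, fin=True)),
        ("ingress", INGRESS, Packet("123.80.5.34", "60.47.3.10", "tcp", 62600, 25, syn=True)),
        ("egress", EGRESS, Packet("60.47.3.10", "123.80.5.34", "tcp", 25, 40000, syn=True, ack=True)),
    ]
    for direction, acl, pkt in samples:
        print(direction, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(acl, pkt))
```

Two things the run shows that the lists alone do not. First, rule 6 must precede rule 7, or a SYN+FIN packet aimed at the webserver would be passed. Second, with the rules exactly as listed, a SYN to the SMTP relay 60.47.3.10:25 of Figure 5-17 is denied by ingress rule 8 and the relay's replies from source port 25 are denied by egress rule 9; a PASS for any server other than the webserver must be placed before those rules, which is the ordering problem Figure 5-22 warns about.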
Figure 5-8: Stateful Inspection Firewalls

- State of a connection: open or closed
- State: the order of a packet within a dialog
  - Often simply whether the packet is part of an open connection

Stateful Firewall Operation
- For TCP, record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
- By default, permit connections from internal clients (on the trusted network) to external servers (on the untrusted network)
  - This default behavior can be changed with an ACL
- Accept future packets between these hosts and ports with little or no inspection
Figure 5-9: Stateful Inspection Firewall Operation I
[Diagram: internal client PC 60.55.33.12 opens a connection through the stateful firewall to external webserver 123.80.5.34. Outgoing connections are allowed by default.]
1. Client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
2. Firewall establishes the connection in its connection table
3. Firewall forwards the TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:80
4. Webserver replies with a TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600
5. Firewall checks the connection table: OK
6. Firewall forwards the TCP SYN/ACK segment from 123.80.5.34:80 to 60.55.33.12:62600

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
Figure 5-8: Stateful Inspection Firewalls (continued)

Stateful Firewall Operation
- For UDP, also record the two IP addresses and port numbers in the state table

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK
Figure 5-8: Stateful Inspection Firewalls (continued)

Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- If a TCP SYN/ACK segment arrives, cannot tell whether there was a previous SYN to open a connection
- But stateful firewalls can (Figure 5-10)
Figure 5-10: Stateful Firewall Operation II
[Diagram: an attacker spoofing external webserver 10.5.3.4 sends a TCP SYN/ACK segment toward internal client PC 60.55.33.12 through the stateful firewall.]
1. Spoofed TCP SYN/ACK segment arrives from 10.5.3.4:80 to 60.55.33.12:64640
2. Firewall checks the connection table: no connection match, so the segment is dropped

Connection Table
Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK
Figure 5-8: Stateful Inspection Firewalls (continued)

Static Packet Filter Firewalls are Stateless
- Filter one packet at a time, in isolation
- Cannot deal with port-switching applications
- But stateful firewalls can (Figure 5-11)
Figure 5-11: Port-Switching Applications with Stateful Firewalls
[Diagram: internal client PC 60.55.33.12 opens an FTP control connection through the stateful firewall to external FTP server 123.80.5.34; the exchange then announces the ports for the data transfer, and the firewall opens a second state table entry for it.]
1. Client sends a TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21
2. Firewall establishes the connection (State Table, Step 2)
3. Firewall forwards the TCP SYN segment from 60.55.33.12:62600 to 123.80.5.34:21
4. FTP server replies with a TCP SYN/ACK segment from 123.80.5.34:21 to 60.55.33.12:62600; ports 20 and 55336 are announced for the data transfers
5. Firewall establishes the second connection to allow the data transfer (State Table, Step 5)
6. Firewall forwards the TCP SYN/ACK segment to the client; data transfers between 123.80.5.34:20 and 60.55.33.12:55336 are now permitted

State Table
Step  Type  Internal IP   Internal Port  External IP   External Port  Status
2     TCP   60.55.33.12   62600          123.80.5.34   21             OK
5     TCP   60.55.33.12   55336          123.80.5.34   20             OK
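The behaviour of Figures 5-9, 5-10 and 5-11 as one working model. This is an added example, not from the textbook: outbound connections from the trusted side are opened by default and recorded in a connection table, inbound segments are checked against that table (so the spoofed SYN/ACK of Figure 5-10 is dropped), and an FTP helper opens the second entry for the data connection of Figure 5-11. The Packet class, the trusted-side prefix 60.55., and the FTP PORT command text that announces port 55336 are assumptions for the demonstration; the figure only says that ports 20 and 55336 are announced for the data transfer.

```python
"""Stateful inspection with a connection table and an FTP port-switching helper (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_PREFIX = "60.55."      # assumption: the trusted side (Figure 5-9 uses 60.55.33.12)

# Connection table key: (type, internal IP, internal port, external IP, external port)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}     # key -> status; "OK" means open
        self.dropped: List[str] = []        # log of dropped packets

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    @staticmethod
    def key_for(pkt: Packet, outbound: bool) -> Key:
        if outbound:
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        outbound = self.is_internal(pkt.src) and not self.is_internal(pkt.dst)
        key = self.key_for(pkt, outbound)
        if key in self.table:
            # Part of an open connection: passed with little further inspection
            self.ftp_helper(pkt, outbound)
            return "PASS"
        opens_connection = pkt.proto == "udp" or (pkt.syn and not pkt.ack)
        if outbound and opens_connection:
            # Default policy: internal clients may open connections to external servers
            self.table[key] = "OK"
            self.ftp_helper(pkt, outbound)
            return "PASS"
        # No table match: an unsolicited SYN/ACK from outside (Figure 5-10) lands here
        self.dropped.append(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"

    def ftp_helper(self, pkt: Packet, outbound: bool) -> None:
        """Port switching: a PORT command on the FTP control channel (dst port 21) names the
        client port the server will connect to from its port 20, so pre-open that entry."""
        if not (outbound and pkt.proto == "tcp" and pkt.dport == 21
                and pkt.payload.startswith(b"PORT ")):
            return
        fields = pkt.payload[5:].strip().split(b",")
        if len(fields) != 6:
            return
        host = ".".join(f.decode() for f in fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if host != pkt.src:
            return      # refuse to open holes for third-party hosts (FTP bounce)
        self.table[("tcp", host, port, pkt.dst, 20)] = "OK"

    def rows(self) -> List[Tuple[str, str, int, str, int, str]]:
        """The connection table as rows laid out like the figures' tables."""
        return [k + (v,) for k, v in self.table.items()]


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.handle(Packet("tcp", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True))
    print(fw.handle(Packet("tcp", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True)))
    for row in fw.rows():
        print(*row)
```

The helper only opens a pinhole for the address the command came from; a PORT command naming a different host is passed through as ordinary control traffic but gets no table entry, which is the application-layer knowledge a static filter lacks.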
Figure 5-8: Stateful Inspection Firewalls (continued)

Stateful Inspection Access Control Lists (ACLs)
- Primarily allow or deny applications
- Simple, because probing packets that are not part of a conversation need no specific rules; they are dropped automatically
- In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection
Figure 5-12: Network Address Translation (NAT)
[Diagram: internal client 192.168.5.7 reaches a server host on the Internet through a NAT firewall; a sniffer on the Internet sees only the firewall's external address 60.5.9.8.]
1. Client sends a packet from 192.168.5.7, port 61000
2. NAT firewall rewrites it as from 60.5.9.8, port 55380 and records the pair in its translation table
3. Server host replies to 60.5.9.8, port 55380
4. NAT firewall looks up port 55380 in the table and delivers the reply to 192.168.5.7, port 61000

Translation Table
Internal IP Addr  Internal Port  External IP Addr  External Port
192.168.5.7       61000          60.5.9.8          55380
...               ...            ...               ...
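The translation of Figure 5-12 as working code. This is an added example, not from the textbook: 192.168.5.7:61000 leaves as 60.5.9.8:55380 and the reply is mapped back through the table. Beyond the figure's table, each entry also records the remote endpoint, so a reply is accepted only from the host the client actually contacted and an unsolicited packet to a mapped or unmapped port is dropped. The server address 203.0.113.10 and the sequential allocation of external ports starting at 55380 are assumptions.

```python
"""Port-translating NAT at a firewall's external interface (added example, Figure 5-12)."""
import itertools
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "60.5.9.8"      # the NAT firewall's external address in Figure 5-12

# A flow is (internal ip, internal port, remote ip, remote port)
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 55380) -> None:
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # assumption: sequential allocation
        self.out_map: Dict[Flow, int] = {}              # flow -> external port
        self.in_map: Dict[int, Flow] = {}               # external port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outgoing packet to the public address and a mapped port."""
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.out_map:
            ext = next(self._next_port)
            self.out_map[flow] = ext
            self.in_map[ext] = flow
        return replace(pkt, src=self.public_ip, sport=self.out_map[flow])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host, or return None (drop) when nothing matches.
        Packets to unmapped ports, and packets from a host other than the one contacted, get None."""
        flow = self.in_map.get(pkt.dport)
        if pkt.dst != self.public_ip or flow is None:
            return None
        internal_ip, internal_port, remote_ip, remote_port = flow
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst=internal_ip, dport=internal_port)

    def table(self) -> List[Tuple[str, int, str, int]]:
        """Translation table rows: (internal ip, internal port, external ip, external port)."""
        return [(f[0], f[1], self.public_ip, ext) for f, ext in self.out_map.items()]


if __name__ == "__main__":
    nat = NatFirewall()
    out = nat.outbound(Packet("192.168.5.7", 61000, "203.0.113.10", 80))
    print("sniffer sees:", out)
    print("reply delivered to:", nat.inbound(Packet("203.0.113.10", 80, "60.5.9.8", 55380)))
    print("unsolicited:", nat.inbound(Packet("203.0.113.10", 80, "60.5.9.8", 55381)))
```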
Figure 5-13: Application Firewall Operation
[Diagram: client PC 192.168.6.77 reaches webserver 123.80.5.34 through the application firewall at 60.45.2.6, which runs an HTTP proxy, an FTP proxy, and an SMTP (e-mail) proxy.]
1. Browser sends an HTTP request from 192.168.6.77 to the HTTP proxy
2. HTTP proxy filters the request
3. HTTP proxy sends the examined HTTP request to the webserver, now from 60.45.2.6
4. Webserver sends the HTTP response to 60.45.2.6
5. HTTP proxy filters the response
6. HTTP proxy delivers the examined HTTP response to 192.168.6.77
HTTP proxy: filtering on POST (outbound); on hostname, URL, MIME type, etc. (inbound)
FTP proxy: outbound filtering on PUT
SMTP proxy: inbound and outbound filtering on obsolete commands and content

Figure 5-14: Header Destruction With Application Firewalls
[Diagram: a packet from attacker 1.2.3.4 arrives at application firewall 60.45.2.6 as original IP header + original TCP header + application message (HTTP). The original headers are removed; the application message is placed in a new packet with a new IP header and a new TCP header, which is sent on to webserver 123.80.5.34.]
The application firewall strips the original headers from arriving packets and creates a new packet with new headers. This stops all header-based packet attacks.

Figure 5-15: Protocol Spoofing
[Diagram: a Trojan horse on internal client PC 60.55.33.12 tries to reach attacker 1.2.3.4.]
1. The Trojan transmits on port 80 to get through a simple packet filter firewall
2. The application firewall sees that the protocol is not HTTP and stops the transmission
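The three behaviours of Figures 5-13 to 5-15 in one HTTP proxy check. This is an added example, not from the textbook: it filters on method, hostname, URL and MIME type (Figure 5-13), refuses traffic on port 80 that is not HTTP at all (the protocol spoofing of Figure 5-15), and re-emits an accepted request from the parsed fields only, so none of the original bytes or headers reach the server (the header destruction of Figure 5-14, applied at the application layer; the TCP/IP headers never cross a proxy in any case). The allow-listed hostname www.example.com, the permitted methods, the permitted POST MIME type, and the set of headers forwarded are assumptions; a real proxy takes them from policy.

```python
"""Application-layer inspection of an HTTP request (added example, Figures 5-13 to 5-15)."""
import re
from typing import Dict, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                    # assumption
ALLOWED_HOSTS = {"www.example.com"}                          # assumption
ALLOWED_POST_TYPES = {"application/x-www-form-urlencoded"}   # assumption: MIME filter for POST
FORWARDED_HEADERS = ("content-type", "content-length", "user-agent")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/\S*) HTTP/1\.[01]$")


def inspect_http_request(raw: bytes) -> Tuple[bool, str, Optional[bytes]]:
    """Return (allowed, reason, rebuilt request); a refused request has no rebuilt form."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "not HTTP: no header block", None     # e.g. a Trojan's beacon on port 80
    request_line, *header_lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "not HTTP: bad request line", None
    method = m.group(1).decode("ascii")
    path = m.group(2).decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted", None
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header", None
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not permitted", None
    if ".." in path.split("?", 1)[0]:
        return False, "path traversal in URL", None
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_POST_TYPES:
            return False, f"POST with MIME type {ctype!r} not permitted", None
    # Header destruction: build a fresh request from the parsed fields only, dropping
    # every header that is not on the forwarding list
    out = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    rebuilt = "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + body
    return True, "ok", rebuilt


if __name__ == "__main__":
    # Constructed samples: a normal request and a Trojan beacon sent on port 80
    for sample in (
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: leak\r\n\r\n",
        b"\x00\x17beacon:60.55.33.12\r\n",
    ):
        print(inspect_http_request(sample))
```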
Figure 5-16: Circuit Firewall
[Diagram: external client 123.30.82.5 reaches webserver 60.80.5.34 through a circuit firewall (SOCKS v5) at 60.34.3.31.]
1. External client authenticates to the circuit firewall
2. Client sends its transmission
3. Firewall passes the transmission: no filtering
4. Webserver replies
5. Firewall passes the reply: no filtering
Firewalls
- Types of Firewalls
- Inspection Methods
- Firewall Architecture
  - Single site in a large organization
  - Home firewall
  - SOHO firewall router
  - Distributed firewall architecture
- Configuring, Testing, and Maintenance
Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site
[Diagram, numbered elements:]
1. Screening router 60.47.1.1, facing the Internet (last rule = Permit All)
2. Main firewall (last rule = Deny All)
3. Internal firewall, with the 172.18.9.x subnet
4. Client host firewall on a marketing client on the 172.18.5.x subnet
5. Server host firewall on an accounting server on the 172.18.7.x subnet
6. DMZ: public webserver 60.47.3.9, external DNS server 60.47.3.4, SMTP relay proxy 60.47.3.10, HTTP proxy server 60.47.3.1
Figure 5-18: Home Firewall
[Diagram: a home PC running a PC firewall is connected by a UTP cord to a broadband modem, which connects over coaxial cable through an always-on connection to the Internet service provider.]
Figure 5-19: SOHO Firewall Router
[Diagram: user PCs connect over UTP to an Ethernet switch, which connects to a SOHO router, which connects to a broadband modem (DSL or cable) and on to the Internet service provider. The SOHO router provides routing, a DHCP server, a NAT firewall, and a limited application firewall. Many access routers combine the router and Ethernet switch in a single box.]
Figure 5-20: Distributed Firewall Architecture
[Diagram: a management console controls the firewalls at Site A, Site B, and a home PC, all connected through the Internet.]
Figure 5-21: Other Security Architecture Issues
- Host and application security (Chapters 6 and 9)
- Antivirus protection (Chapter 4)
- Intrusion detection systems (Chapter 10)
- Virtual private networks (Chapter 8)
- Policy enforcement system
Firewalls
- Types of Firewalls
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance
Figure 5-22: Configuring, Testing, and Maintaining Firewalls

Firewall Misconfiguration is a Serious Problem
- ACL rules are executed in series, so their order determines what the ACL does
- Easy to make misordering errors
- Easy to make syntax errors

Create Policies Before ACLs
- Policies are easier to read than ACLs
- Can be reviewed by others more easily than ACLs
- Policies drive ACL development
- Policies also drive testing

Must Test Firewalls with Security Audits
- The only way to tell whether the policies are actually being enforced
- Must be driven by the policies

Maintaining Firewalls
- New threats appear constantly
- ACLs must be updated continually if the firewall is to remain effective
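Misordering can be caught before an ACL is deployed. The following is an added example, not from the textbook: a static check that reports any rule a single earlier rule already covers, since such a rule can never fire when rules execute in series. It distinguishes a shadowed rule (the earlier rule takes the opposite action, a real policy error) from a redundant one (same action, harmless clutter). The Rule model keeps only protocol, source and destination networks and a destination port range, no TCP flags, so rule 8 of Figure 5-6 is represented here simply as "deny inbound TCP to the internal range"; the check is sufficient, not complete, because a rule covered only by the union of several earlier rules is not reported. The rule names and the deliberately misordered list are constructed for the demonstration.

```python
"""Static check for shadowed (misordered) ACL rules (added example, Figure 5-22)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY_PROTO: FrozenSet[str] = frozenset({"tcp", "udp", "icmp"})
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "PASS" or "DENY"
    protos: FrozenSet[str] = ANY_PROTO
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = ALL_PORTS  # inclusive range


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b can match is also matched by rule a."""
    return (b.protos <= a.protos
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def dead_rules(acl: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (dead rule, earlier rule, kind) for every rule that can never fire.
    kind is "shadowed" when the earlier rule's action differs and "redundant" when it is the same."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((later.name, earlier.name, kind))
                break
    return found


def policy_errors(acl: List[Rule]) -> List[Tuple[str, str, str]]:
    """Only the shadowed rules, i.e. the ones that change what the ACL actually does."""
    return [d for d in dead_rules(acl) if d[2] == "shadowed"]


TCP = frozenset({"tcp"})
INTERNAL = "60.47.0.0/16"
WEBSERVER = "60.47.3.9/32"

# Rules 1, 7, 8 and 12 of Figure 5-6 in the textbook's order (rule 8 simplified, see above)
INGRESS_OK = [
    Rule("1 deny private 10/8", "DENY", src="10.0.0.0/8"),
    Rule("7 pass webserver 80", "PASS", TCP, dst=WEBSERVER, dport=(80, 80)),
    Rule("8 deny inbound tcp", "DENY", TCP, dst=INTERNAL),
    Rule("12 deny netbios", "DENY", TCP, dst=INTERNAL, dport=(135, 139)),
]

# The same rules with 7 and 8 swapped: the public webserver becomes unreachable
INGRESS_SWAPPED = [INGRESS_OK[0], INGRESS_OK[2], INGRESS_OK[1], INGRESS_OK[3]]


if __name__ == "__main__":
    for label, acl in (("textbook order", INGRESS_OK), ("swapped", INGRESS_SWAPPED)):
        print(label, dead_rules(acl))
```

In the textbook order the only finding is that rule 12 is redundant once rule 8 denies all inbound TCP; after the swap, rule 7 is reported as shadowed by rule 8, which is exactly the misordering that testing against the policy ("external users can reach the public webserver") would otherwise have to find at run time.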
Figure 5-23: FireWall-1 Modular Management Architecture
[Diagram: an application module (GUI) creates and edits policies and sends them to the management module, which stores the policies and the log files. The management module distributes the policy to each firewall module; each firewall module enforces the policy and sends log entries back to the management module. A second application module (GUI) reads the log file data from the management module.]
Figure 5-24: FireWall-1 Service Architecture
[Diagram: traffic between an internal client and an external server passes through the FireWall-1 firewall.]
1. Arriving packet
2. Statefully filtered packet
3. DoS protection, with optional authentications, in the firewall
4. Content Vectoring Protocol hands the packet to a third-party application inspection firewall
5. Statefully filtered packet plus application inspection is delivered
Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls
[Diagram: the internal network has security level Inside=100, the Internet has security level Outside=0, and a third network behind a router has security level 60. Connections are allowed from more secure networks to less secure networks: a connection from the inside (100) toward the level-60 network is automatically accepted, while a connection from the outside (0) toward the level-60 network is automatically rejected.]