Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Firewall - An Important Component in Computer Systems Security 1

advertisement 
Firewall - An Important Component in Computer Systems Security
1.
Introduction
Firewalls are an important component in securing not only networks, but also individual
computers. Furthermore, with the widespread events of computer intrusions, firewalls
have received even more attention not only from system and network administrators, but
also from home-users. Although many companies offer free and fully functional personal
software firewalls, and have tried to make them as user-friendly as possible, using and
configuring a software firewall to secure a system is not as instinctive as it seems. Thus,
this paper attempts to explain how a firewall works, and the common pitfalls in using one.
2.
What is a Firewall
A firewall is a hardware, software, or a combination of both, that isolates an
organization’s internal network from the Internet, filtering information, allowing some
packets to pass and blocking others. It allows a network administrator to control access
between the outside world and resources within the network, by managing the traffic flow
to and from these resources.
Traditionally, firewalls used to protect internal networks from the outside world.
However, such a set up (as seen from the above picture) does not protect a computer from
an intruder within the network itself! To get around this problem, one can add another
layer of security by installing a personal software firewall on each and every individual
computer within the network.
Page 1 of 18
3.
Why Use a Firewall
A Firewall can:
a.
prevent denial of service attacks (e.g. SYN flooding):
In a SYN flooding attack, an attacker attempts to establish many bogus TCP
connections with the target. The target computer will be busy returning ACK
messages for each connection to the source, leaving no resources left for other
valid connections. This situation is aggravated when the source IP address is
spoofed or invalid, and the target system is left waiting for return messages from
the “source” of the TCP connections. However, with a firewall, bogus
connections can be detected and filtered out.
b.
prevent unauthorized access to internal network:
By maintaining a list of trusted or blocked IP addresses, a firewall can filter out
unauthorized connections, and allow only authorized computers to connect to the
computers in the internal network.
c.
Block Trojans / Application backdoors:
Some programs have special features that allow for remote access. Others contain
bugs that provide a backdoor or hidden access that provides some level of control
of the program. A firewall may protect a system by preventing unauthorized
access.
d.
Plug Operating system bugs:
Like applications, some operating systems have backdoors. Others provide
remote access with insufficient security controls or have bugs that an experienced
hacker can take advantage of. For instance, the recent Sasser worm took
advantage of a loophole in the Microsoft Windows operating system to propagate,
causing hundreds of thousands of computers to shut down in matter of hours.
However, even a simple firewall (which unfortunately many end-users failed to
implement), can prevent that, as it blocks the TCP ports (445, 9996, 5554) by
default.
e.
Stealth the ports of a computer:
The ports of a computer can essentially be classified under “open, close, or
stealth”. When a port is open on a system, internet packets requesting a
connection with the machine are being accepted and connections are being
created. Open ports are the result of something in the system or network
deliberately preparing to accept unsolicited incoming connections from unknown
Page 2 of 18
and anonymous machines on the Internet. Due to the inherent difficulty of
writing completely secure programming code, a high percentage of open ports are
"exploitable" by malicious Internet hackers. Open ports may also be the result of
default Operating system configuration, running unnecessary services.
With closed ports, anyone doing a port-scan on the machine’s IP address will
detect that machine, but "closed" ports will quickly refuse connection attempts.
Since it's much faster for a scanner to re-scan a machine that's known to exist, the
presence of that machine might be logged for further scrutiny at a later time. For
example, when a new operating system vulnerability is discovered, and before the
potential for exploitation has been repaired.
Unfortunately, many hackers detect an available target by scan the ports of a
random IP address. By putting the computer in a “stealth mode”, the computer
does not respond to port scans and will seem “invisible” to the internet. A
"Stealth" port completely ignores and simply drops any incoming packets without
telling the sender whether the port is "open" or "closed". When all of the system's
ports are stealth, the system will be completely invisible to random port scans,
leading any attacker to believe that the machine is turned off, disconnected, or
does not exist.
4.
Hardware vs. Software Firewalls
Hardware Firewall
Software Firewall
- Expensive. Prices increases
exponentially with each additional feature.
- Basic firewalls available for free. Even
those with extra features are relatively
cheap.
- Good performance (speed).
- Dependent on CPU power and can slow
down network due to overhead.
- Extremely secure and reliable
- Runs on top of OS. Vulnerabilities in OS
may compromise the firewall.
5.
How Firewalls Work
There are basically 2 types of firewalls: packet filtering, and application-level. However,
modern firewalls (especially software-based) are typically hybrid and use a combination
of the following techniques. Some even offer additional features that overlap other
products, like Intrusion Detection Systems (IDS), cookies control, and spam and webcontent filtering, that are not within the scope of this paper.
Page 3 of 18
a. Network Address Translation (NAT), Packet Filtering
The basic purpose of NAT is to multiplex traffic from the internal network and
present it to the Internet as if it was coming from a single computer having only one
IP address. This allows home users and small businesses to share a single internet
connection. This technology is most commonly implemented in routers, which thus
naturally provide a natural firewall that will protect the computers behind it from
access by unauthorized users.
In this example, the 3 computers in the local network have different internal IP
addresses. However, all the datagrams leaving the local network have the same
source NAT IP address 138.76.29.7 and the outside world can only see that IP
address, thus protecting the rest of the network.
The TCP/IP protocols include a multiplexing facility so that any computer can
maintain multiple simultaneous connections with a remote computer. To multiplex
several connections to a single destination, client computers label all packets with
unique "port numbers". Each IP packet starts with a header containing the source and
destination addresses and port numbers:
An IP Packet:
Source address
Source port
Destination address
Destination port
This combination of numbers completely defines a single TCP/IP connection. The
addresses specify the two machines at each end, and the two port numbers ensure that
each connection between this pair of machines can be uniquely identified. Each
separate connection is originated from a unique source port number in the client, and
all reply packets from the remote server for this connection contain the same number
as their destination port, so that the client can relate them back to its correct
connection. In this way, for example, it is possible for a web browser to ask a web
server for several images at once and to know how to put all the parts of all the
responses back together.
Page 4 of 18
A NAT gateway (e.g. router) must change the source address on every outgoing
packet to be its single public address. It therefore also re-numbers the Source Ports to
be unique, so that it can keep track of each client connection. The NAT gateway uses
a port mapping table to remember how it renumbered the ports for each client's
outgoing packets. The port mapping table relates the client's real local IP address and
source port plus its translated source port number to a destination address and port.
The NAT gateway can therefore reverse the process for returning packets and route
them back to the correct clients. When any remote server responds to an NAT client,
incoming packets arriving at the NAT gateway will all have the same Destination
address, but the destination Port number will be the unique Source Port number that
was assigned by the NAT. The NAT gateway looks in its port mapping table to
determine which "real" client address and port number a packet is destined for, and
replaces these numbers before passing the packet on to the local client. When an
incoming packet is received on the NAT port, and the destination port number is not
found in the port mapping table, the packet is deemed invalid, and rejected. This way,
bogus packets will not be received by any of the computers in the internal network.
Thus, the router / NAT gateway filters packet-by-packet, and forward/drop a packet
based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits
This is also known as Packet Filtering, whereby packets are analyzed against a set of
filters. Packets that make it through the filters are sent to the requesting system and all
others are discarded.
Advantages:
- security is naturally provided by a router
- Because the port mapping table relates source and destination addresses and port
numbers, it is possible to validate any or all of this information before passing
incoming packets back to the client. This checking helps to provide effective
firewall protection against Internet-launched attacks on the private LAN.
- Slower network performance due to overhead in translating destination addresses
and port numbers in the port mapping table.
Disadvantages:
- NAT only allows connections that are originated on the inside network. For
instance, an internal client can connect to an outside FTP server, but an outside
client will not be able to connect to an internal FTP server because it would have
to originate the connection, and NAT will block that connection. This can be
worked around by configuring the NAT gateway to open a port or do a portforwarding. However, this would mean that part of the internal network will be
exposed to the internet, and poses both inconvenience and a security risk on
networks that run server programs.
Page 5 of 18
-
Does not provide outbound connection protection (connections originating from
inside the network)! While NAT provides protection from inbound connections
(connections originating from outside a network), it does not prevent a malicious
program (e.g. Trojan horse) inside the internal network from connecting and
sending confidential data to the outside world.
b. Stateful Packet Inspection (SPI)
As explained previously, all NAT firewalls already perform a simple form of "stateful
inspection" of the packets that flow through them, by analyzing the various
components of an IP packet. However, SPI-based routers implement some form of
advanced "stateful inspection" in their firewalls, and can provide additional protection
such as:
- blocking Java, ActiveX, and Cookie portions of downloaded web pages
- blocking access to WAN Proxy servers
- blocking "IP Spoofing" attacks
- blocking malformed IP packet attacks such as "Ping of Death", and variants such
as "Teardrop", "Bonk", and "Nestea"
- blocking SYN flood and LAND attacks
Stateful inspection does not examine the contents of each packet but instead compares
certain key parts of the packet to a database of trusted information. Information
traveling from inside the firewall to the outside is monitored for specific defining
characteristics, and incoming information is then compared to these characteristics. If
the comparison yields a reasonable match, the information is allowed through.
Otherwise it is discarded.
One example where stateful inspection comes useful is the FTP service. FTP is a
TCP based service exclusively, with no UDP component to it. FTP is an unusual
service in that it utilizes two ports, a 'data' port and a 'command' port (also known as
the control port). Traditionally these are port 21 for the command port and port 20
for the data port. However, depending on the mode (active or passive), the data port
is not always on port 20 and this can cause a problem not only for someone, who is
behind a NAT firewall, trying to connect to an FTP server, but also for one running
the server behind a NAT firewall.
Active-mode FTP:
-
In an active mode FTP, the client connects from a random unprivileged port (N >
1024) to the FTP server's command port, port 21. Then, the client starts listening
to port N+1 and sends the FTP command PORT N+1 to the FTP server. The
server will then connect back to the client's specified data port from its local data
port, which is port 20.
Page 6 of 18
-
From the server-side firewall's standpoint, to support active mode FTP the
following communication channels need to be opened:




FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control
port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to
client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's
data port)
-
In step 1, the client initiates a connection. Its command port contacts the server's
command port and sends the command PORT 1027. The server then sends an
ACK back to the client's command port in step 2. In step 3, the server initiates a
connection on its local data port to the data port the client specified earlier.
Finally, the client sends an ACK back as shown in step 4.
-
The main problem with active mode FTP actually falls on the client side. The
FTP client doesn't make the actual connection to the data port of the server. It
simply tells the server what port it is listening on and the server connects back to
the specified port on the client. From the client side firewall’s point of view, this
appears to be an outside system initiating a connection to an internal client, and is
something that is usually blocked by the client side NAT. Of course, a user on the
client side can overcome this by configuring his NAT firewall to open all port
numbers that is 1024 and above (as the listening port is random). However, that
will leave his system open and defeat the purpose of the firewall. The server side
faces no problem as its firewall only needs to open up port 20 and 21.
Page 7 of 18
Passive-Mode FTP:
-
In order to resolve the issue of the server initiating the connection to the client, a
different method for FTP connections was developed. This was known as passive
mode, or PASV, the command used by the client to tell the server it is in passive
mode.
-
In passive mode FTP, the client initiates both connections to the server, solving
the problem of firewalls filtering the incoming data port connection to the client
from the server. When opening an FTP connection, the client opens two random
unprivileged ports locally (N > 1024 and N+1). The first port contacts the server
on port 21, but instead of then issuing a PORT command and allowing the server
to connect back to its data port, the client will issue the PASV command. The
result of this is that the server then opens a random unprivileged port (P > 1024)
and sends the PORT P command back to the client. The client then initiates the
connection from port N+1 to port P on the server to transfer data.
-
From the server-side firewall's standpoint, to support passive mode FTP the
following communication channels need to be opened:




FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to
random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and
data) to client's data port)
Page 8 of 18
-
In step 1, the client contacts the server on the command port and issues the PASV
command. The server then replies in step 2 with PORT 2024, telling the client
which port it is listening to for the data connection. In step 3, the client then
initiates the data connection from its data port to the specified server data port.
Finally, the server sends back an ACK in step 4 to the client's data port.
-
While passive mode FTP solves many of the problems from the client side, it
opens up a whole range of problems on the server side. The biggest issue is the
need to allow any remote connection to high numbered ports on the server. The
server-side NAT firewall does not only need to open up port 21, but also ports
from 1024 to 65535, posing a huge security risk! Although many modern FTP
daemons allow the administrator to specify a range of ports which the FTP server
will use, do so restricts the number of connections the FTP server is allowed to
handle.
Where Stateful Packet Inspection Comes in:
-
From the above scenario, we can see the inflexibility of NAT firewalls, causing
inconvenience and restriction of communications on both the client and server
side. Such scenario is where stateful packet inspection turns useful!
-
In passive-mode FTP, a server-side firewall with SPI features only needs to open
port 21. As in the above example, when a client connects to the server at port 21,
the server replies with PORT 2024, telling the client which port it is listening to
for the data connection. However, this time, connections from the client to port
2024 of the server will not be blocked. Stateful packet inspection will be able to
determine that port 2024 is opened due to FTP activity, initiating from port 21.
By “inspecting” the packets, it automatically allows inbound connections to port
2024 temporarily, and will resume the state of blocking it when the TCP session
is terminated.
-
As we can see in this case, only one single port needs to be officially opened, and
the rest are dynamically opened and close based on the activity on this port. This
solves the issue of server-side NAT firewalls having to open up numerous ports,
thus decreasing security risks.
Disadvantage:
-
Due to the need to analyze the type of packets flowing through, there is additional
performance overhead.
Page 9 of 18
c. Application-based Firewalls
To overcome the limitations of NAT firewalls, application-based firewalls offer even
more fine-grained control over the IP packets. For instance, a network administrator
can control what applications are allowed to access the internet, and through which
port numbers. In addition to that, he can control what IP addresses are allowed /
disallowed to make a connection to each individual application, as opposed to the
entire network. It does not only filter packets based on application data, but also
based on the IP and protocol fields, and most significantly, the direction of the traffic
(inbound or outbound).
Most modern software firewalls offer this solution. For instance, in the “wizard
mode”, when an application attempts to connect to the internet for the first time, the
firewall will ask for permission to do so.
In addition, a user can fine-tune the rule-set for a particular application, or define
rule-sets that apply to the entire system. Rule sets can be based on local/remote IP
addresses, protocols used, port numbers, direction (inbound/outbound).
Page 10 of 18
Page 11 of 18
Advantages:
-
Provides application-based outbound traffic protection, in addition to inbound
traffic protection. As illustrated, an application connecting to the internet requires
explicit permission from the user. As such, if the system is infected with a Trojan
horse program, the firewall may be able stop it from connecting to the internet.
-
More flexible than NAT-based firewalls.
Disadvantages:
-
6.
Secure settings are still dependent on the knowledge and prudence of the user.
While the firewall may temporarily stop a malicious program from connecting to
the internet, the user may simply grant it permission to do so due to ignorance.
While most firewalls are user-friendly and provide default rule-sets for various
applications, the default rule-sets may not be entirely secure. Users still require
some basic knowledge and need to exercise caution when granting applications
permission to access the internet.
Limitations of a Firewall
a.
IP Spoofing:
Many firewalls examine the source IP addresses of packets to determine if they are
legitimate, and a firewall may be instructed to allow traffic through if it comes from a
specific trusted host. However, a malicious cracker may try to get through the
firewall by spoofing the source IP address of packets sent to the firewall. If the
firewall thought that the packets originated from a trusted host, it may let them
through unless other criteria failed to be met.
b.
Communication vs. Performance vs. Security:
Due to the overhead from inspecting individual packets, firewalls can hinder the
performance of a network. Moreover, the degree of communication of the computer
and the outside world is inversely proportionate to the degree of its security.
c.
Content Attack:
While firewalls guard against unauthorized connections, there are things that firewalls
cannot guard against, and one of them is content attack - dangerous data transported
into the network through permitted connections. An example is a PC program
containing a virus which is sent by FTP or by email. Another example of a problem
that the firewall cannot detect very easily is an outgoing email message containing
confidential company data. In both cases it is not the connection itself that is the
problem, but the data that is being transported via the connection.
Page 12 of 18
d.
Social Engineering:
The weakest link in security is unfortunately, the user. While application-based
firewalls can attempt to prevent a malicious program from connecting to the internet,
uninformed users may still be tricked into allowing the program the access and
privilege to do so.
e.
“Spoofed” Applications
Malicious programs may attempt to communicate through the same port as legitimate
applications and be allowed to do so (especially in the case of NAT/packet-filtering
firewalls). In the case of application-based firewall, a malicious program can pretend
to be another legitimate program and trick the firewall into giving it access to connect
to the internet. This is further explored in the following section, “Leak Tests”.
7.
Leak Tests
While hardware firewalls are extremely secure, they are much more expensive too, when
compared to their software counterparts that offer many enticing features. However,
software firewalls has their own flaws too. The main problem with software firewalls is
that they run on top of an Operating System, and thus may be susceptible to whatever
flaws the Operating System may have. For instance, it is possible for a virus to disable
not only the antivirus software, but the firewall as well. There are many “Proof of
Concept” programs (commonly known as “Leak Tests”) attempts to illustrate the
vulnerabilities of software firewalls. In this section, we shall look at some of such
programs so as to better understand how a firewall works and its vulnerabilities.
Although most of the modern firewalls have been patched against such exploits, it should
be kept in mind that there may still be flaws in firewalls that are currently unknown. It
should also be noted that such demonstrations are not meant to show that software
firewalls are worthless. At the minimum, it does provide some form of protection,
particularly for outbound traffic that traditional NAT firewalls do not provide.
a.
FireHole
This is perhaps one of the most significant “proof of concept” programs that resulted
in a major re-design of software firewalls. One significant advantage of most
software firewalls over NAT-based routers is the ability to monitor outbound traffic.
However, created 2 years ago, firehole crushed the pride of software firewalls, and
caused a commotion in the security community. It managed to bypass outbound
firewall control through an extremely simple method, essentially by “riding” on top
of another application. In this case, it chooses to pretend to be part of the system’s
Page 13 of 18
browser, and attempts to connect to the internet through it. To the firewall, the
connection will appear to be coming from the browser (which most users will grant it
permission to connect), and no foul play will be detected. Application-based will
simply grant connection without prompting the user, as long as the browser is given
permission to connect to the internet (which it usually is). In a worse case scenario,
although this program launches the browser in its attempt to connect to the internet, it
does have the option of hiding the infected application, and the victim will be totally
unaware of any transmission of data that takes place.
NAT-based firewalls are totally defenseless against this program as it initiates an
outbound connection from within the network, while software firewalls have already
corrected the issue by introducing a feature called “Components Control”. The
Components Control (Anti-Leak) feature works by monitoring components of each
application you run, preventing Trojan horses to be injected as a module of a
legitimate application (e.g. browser) and thus gain the privileges to go online. Each
time a new component is detected, the firewall will notify the user to check if it is
legitimate.
Page 14 of 18
As demonstrated, the rogue program was prevented from connecting to the internet
(after I chose to block the application). However, this also demonstrates another
weakness of any security system, that is, the security depends on the prudence of the
user to not allow unknown or suspicious application from accessing the internet. In
this case, it is not exactly clear to a user whether to “update the components” of the
browser and an uninformed user would most likely allow the rogue program to run.
b.
Application-Masquerading
This is perhaps one of the oldest tricks used by malicious programs to connect to the
internet. In essence, it works by overwriting a legitimate program or giving itself the
same filename, and use the same ports to communicate with the outside world. This
highlights the importance of outbound traffic control. While NAT-based firewalls
Page 15 of 18
have no defense against this, modern software firewalls have been updated to prevent
this. I’ve tested this old vulnerability by renaming an application to my browser’s
name and try to run it.
Counter-measure: Most firewalls have fixed this problem by keep a database of
legitimate applications that are given permission to connect to the internet, along with
their MD5 signatures. Whenever the application is started, the firewall will check it
against its MD5 signature in the database. If the MD5 signature does not tally, it will
warn the user that the file has been modified, and to verify if it is legitimate.
MD5 Signatures:
8.
-
Developed by Professor Ronald L. Rivest of MIT, the MD5 algorithm “takes as
input a message of arbitrary length and produces as output a 128-bit "fingerprint"
or "message digest" of the input. It is conjectured that it is computationally
infeasible to produce two messages having the same message digest, or to
produce any message having a given pre-specified target message digest. The
MD5 algorithm is intended for digital signature applications, where a large file
must be "compressed" in a secure manner before being encrypted with a private
(secret) key under a public-key cryptosystem such as RSA.”
-
MD5 signatures are now part and parcel of security that a firewall provides. In
the past, many software companies tried to get around the problem of applicationmasquerading by checking the applications against their checksums. However,
that can be circumvented if a malicious program has exactly the same filename
and the same filesize. As MD5 signatures are unique, firewall programs can now
verify if an application is really legitimate.
Conclusion
A firewall is an integral part of any security program, but it is not an end-all solution. As
illustrated by the leak tests, firewalls have their own vulnerabilities too. Nothing can be
absolutely secure. Thus, it is essential to have a multi-layered approach in computer
security, and have other tools like a hardware router and an antivirus program in
additional to a software firewall. As such, the other components of the defense system
will still work when one fails.
Page 16 of 18
Bibliography
Firewall White Paper. Vicomsoft Ltd.
http://www.firewall-software.com/firewall_white_paper.html
How do Firewalls Work. Practically Networked.
http://www.practicallynetworked.com/sharing/firewall.htm
How Firewall Software Works. Australian Consumers' Association.
http://www.choice.com.au/viewArticle.aspx?id=103809&catId=100274&tid=100
008&p=1
James F. Kurose and Keith W. Ross. Computer Networking: A Top-Down
Approach Featuring the Internet (2nd Edition).
Addison Wesley. (2003): 103 – 106, 133, 566 – 570, 640 – 645
Jeff Tyson. How Firewalls Work.
http://computer.howstuffworks.com/firewall1.htm
John Walker. MD5: Command Line Message Digest Utility.
http://www.fourmilab.ch/md5/
Network Address Translation FAQ. Vicomsoft Ltd.
http://www.vicomsoft.com/knowledge/reference/nat.html
Outpost Personal Firewall Pro Features. Agnitum, Ltd.
http://www.agnitum.com/products/outpost/features.html
Robin Keir. FireHole: How to bypass your personal firewall outbound detection.
http://keir.net/firehole.html
Steve Gibson. Internet Port Status Definitions. Gibson Research Corporation.
http://grc.com/su/portstatusinfo.htm
Page 17 of 18
Steve Gibson. LeakTest – Firewall Leakage Tester. Gibson Research Corporation.
http://www.grc.com/lt/leaktest.htm
Steve Gibson. Personal Firewalls. Gibson Research Corporation.
http://grc.com/su-firewalls.htm
ZoneAlarm Pro Firewall. Zone Labs Inc.
http://www.zonelabs.com:80/store/application?namespace=zls_catalog&origin=c
atalog_main.jsp&event=link1.skuList&&zl_catalog_view_id=201
Page 18 of 18
Related documents
KRRC MSPowerPoint Prop Template 2008
KRRC MSPowerPoint Prop Template 2008
Parallel Port Commands In Turing
Parallel Port Commands In Turing
ANNEX C: JURONG PORT`S GREEN INITIATIVES Since starting
ANNEX C: JURONG PORT`S GREEN INITIATIVES Since starting
07-WAS Firewalls and Port Forwarding
07-WAS Firewalls and Port Forwarding
Resetting COM PORT NUMBER ASSIGNMENTS - Probe-TEC
Resetting COM PORT NUMBER ASSIGNMENTS - Probe-TEC
Notes from Feb 19, 2014 “Toolkit Brainstorming Session”, San Diego
Notes from Feb 19, 2014 “Toolkit Brainstorming Session”, San Diego
WIRELESS MOD 2
WIRELESS MOD 2
Terminology Assignment
Terminology Assignment
Download
advertisement