Firewalls Network Security • Access lists • Ingress filtering • Egress filtering Firewalls • NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Filtering Complexity of Filtering: Number of Filtering Rules, Complexity Of rules, etc. Static IP Packet Filter Firewall Corporate Network Permit (Pass) Performance Requirements Deny (Drop) Log File Traffic Volume (Packets per Second) Static Packet Filter Firewall The Internet IP-H TCP-H Application Message IP-H UDP-H Application Message IP-H ICMP Message Arriving Packets Examined One at a Time, in Isolation Only IP, TCP, UDP and ICMP Headers Examined 3 4 Ingress Filtering Ingress Filtering • Deny Known Fallacious Source Addresses • Prevent attack packets from entering the protected network • Rules are applied in order • See Figure 5.6 for generic rule format 5 – Private addresses • 10.*.*.* • 172.16.*.* to 172.31.*.*, • 192.168.*.* – Internal Address Ranges – Other obvious or known common addresses • 1.2.3.4, 0.0.0.0, 0.0.0.1, etc. 6 1 Ingress Filtering Ingress Filtering 1. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary] • Deny Known TCP Vulnerabilities – Syn flood (TCP SYN=1 AND FIN=1) – FTP (TCP destination port = 20) • Supervisory control connection (TCP destination port = 21) – – – – Telnet (TCP destination port = 23) NetBIOS (TCP destination port = 135 through 139) UNIX rlogin (TCP destination port = 513) UNIX rsh launch shell without login (TCP port 514) 7 Egress Filtering 2. If ICMP Type = 0, PASS [allow incoming echo reply messages] 3. DENY ALL 8 Egress Filtering • Allow • Deny Destinations – ICMP Type = 8, PASS [outgoing echo messages] – private IP address range = • Deny • 10.*.*.* • 172.16.*.* to 172.31.*.* • 192.168.*.* • Deny – Protocol=ICMP [all other outgoing ICMP] – TCP RST=1[outgoing resets; used in host scanning] – not in internal address range • 60.47.*.* 9 10 Egress Filtering Firewalls • Deny Connections to Well-known ports • Types of Firewalls • Inspection Methods – TCP source port=0 through 49151 – UDP source port=0 through 49151 • Allow Outgoing Client Connections – UDP source port = 49152 … 65,536 – TCP source port =49152 through 65,536 11 – – – – Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls • Firewall Architecture • Configuring, Testing, and Maintenance 12 2 Stateful Inspection Firewalls Stateful Inspection Firewalls • By default, permit connections openings from internal clients to external servers • State of Connection – Open or Closed • By default, deny connection openings from the outside to inside servers • State • Default behaviors can be changed with ACLs – Order of packet within a dialog – Often simply whether the packet is part of an open connection 13 • Can prevent • Hides the IP address of internal hosts to thwart sniffers – Syn flood • Benignly spoofs source IP addresses in outgoing packets – Port switching – Session hijacking – Etc. 15 Network Address Translation (NAT) 1 14 Network Address Translation Stateful Inspection Firewalls From 192.168.5.7, Port 61000 • Accept future packets between hosts and ports in open connections with little or no more inspection 16 Application Firewall Operation 1. HTTP Request From 192.168.6.77 From 60.5.9.8, Port 55380 2. Filtering 2 Internet Client 192.168.5.7 4 NAT Firewall To 192.168.5.7, Port 61000 To 60.5.9.8, Port 55380 IP Addr Webserver Application Sniffer FTP Proxy External Port 192.168.5.7 61000 ... HTTP Proxy Server Host Internal Translation Table Browser 3 ... IP Addr Port 60.5.9.8 55380 ... . .17 . Client PC 192.168.6.77 Outbound Filtering on Put SMTP (E-Mail) Proxy Application Firewall 60.45.2.6 Webserver 123.80.5.34 Inbound and Outbound Filtering on Obsolete 18 Commands, Content 3 Application Firewall Operation Application Firewall Operation 3. Examined HTTP Request From 60.45.2.6 4. HTTP HTTP Proxy Response to Webserver 5. Application 60.45.2.6 Filtering on Post Out, Hostname, URL, MIME, etc. In Browser FTP Proxy Client PC 192.168.6.77 Outbound Filtering on Put SMTP (E-Mail) Proxy Application Firewall 60.45.2.6 Webserver 123.80.5.34 Inbound and Outbound Filtering on Obsolete 19 Commands, Content Browser 6. Examined HTTP Response To 192.168.6.77 HTTP Proxy 5. Filtering on Post Out, Hostname, URL, MIME, etc. In FTP Proxy Client PC 192.168.6.77 Outbound Filtering on Put Webserver Application SMTP (E-Mail) Proxy Webserver 123.80.5.34 Inbound and Outbound Filtering on Obsolete 20 Commands, Content Application Firewall 60.45.2.6 Header Destruction With Application Firewalls 13Application Firewall Operation Header Removed Arriving Packet Browser HTTP Proxy Webserver Application X Orig. Orig. App IP MSG TCP (HTTP) Hdr Hdr Need one Proxy Program On the Application Firewall For Each Protocol Filtered FTP Proxy Client PC 192.168.6.77 Outbound Filtering on Put Webserver 123.80.5.34 Inbound and Outbound Filtering on Obsolete 21 Commands, Content 22 Internal Client PC 60.55.33.12 Circuit Firewall 2. Protocol is Not HTTP Firewall Stops The Transmission 1. Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall 3. Passed TransmissionNo Filtering 4. Reply 1. Authentication 2. Transmission X Application Firewall Webserver 123.80.5.34 Application Firewall Strips Original Headers from Arriving Packets Creates New Packet with New Headers This Stops All Header-Based Packet Attacks Protocol Spoofing Trojan Horse App New New MSG TCP IP (HTTP) Hdr Hdr Application Firewall 60.45.2.6 Attacker 1.2.3.4 SMTP (E-Mail) Proxy Application Firewall 60.45.2.6 New Packet App MSG (HTTP) Attacker 1.2.3.4 23 Webserver 60.80.5.34 Circuit Firewall (SOCKS v5) 60.34.3.31 5. Passed ReplyNo Filtering External Client 123.30.82.5 24 4 Single-Site Firewall Architecture for a Larger Firm with a Single Site 2. Main Firewall 3. Internal Firewall Last Rule=Deny All Traffic Between Subnets DMZ 1. Screening Router 60.47.1.1 Last Rule=Permit All Internet • Demilitarized Zone • For Servers That Must be Accessed From the Outside 172.18.9.x Subnet – Public webservers 4. Client Host Firewall External DNS Server 60.47.3.4 Public Webserver 60.47.3.9 – DNS server that only knows the IP addresses of hosts in the firewall DMZ Marketing Client on 172.18.5.x Subnet HTTP Proxy Server 60.47.3.1 SMTP Relay Proxy 60.47.3.10 Accounting Server on 172.18.7.x Subnet – Hosts must be specially hardened because they certainly will be attacked 25 Internet Service Provider PC Firewall Ethernet Switch UTP Always-On Connection Coaxial Cable 26 SOHO Firewall Router Home Firewall Internet Service Provider – Application (proxy) firewalls UTP User PC UTP Broadband Modem UTP Cord Home PC 27 Broadband Modem (DSL or Cable) SOHO Router --Router DHCP Sever, NAT Firewall, and Limited Application Firewall Many Access Routers Combine the Router and Ethernet Switch in a Single Box User PC User PC 28 SOHO: Small office or home owner Distributed Firewall Architecture Management Console Internet Home PC Firewall Site A 21Other Security Architecture Issues • Host and Application Security (Chapters 6 and 9) • Antivirus Protection (Chapter 4) • Intrusion Detection Systems (Chapter 10) • Virtual Private Networks (Chapter 8) • Policy Enforcement System Site B 29 30 5 22Configuring, Testing, and Maintaining Firewalls 22Configuring, Testing, and Maintaining Firewalls • Firewall Misconfiguration is a Serious Problem • Create Policies Before ACLs – Policies are easier to read than ACLs – ACL rules must be executed in series – Easy to make misordering problems – Can be reviewed by others more easily than ACLs – Easy to make syntax errors – Policies drive ACL development – Policies also drive testing 31 22Configuring, Testing, and Maintaining Firewalls 32 23FireWall-1 Modular Management Architecture Log Files • Must test Firewalls with Security Audits – Only way to tell if policies are being supported – Must be driven by policies Application Module (GUI) Create, Edit Policies – ACLs must be updated constantly if firewall is 33 to be effective 24FireWall-1 Service Architecture Internal Client 34 Connection External Server 4. Content Vectoring Protocol 5. Statefully Filtered Packet Plus Application Inspection Firewall Module Enforces Policy Sends Log Entries Application Module (GUI) Read Log Files 25Security Level-Based Stateful Filtering in PIX Firewalls Automatically Accept 1. Arriving Packet 3. DoS FireWall-1 Protection Firewall Optional Authentications Log File Entry Log File Data – New threats appear constantly Firewall Module Enforces Policy Sends Log Entries Management Module Stores Policies Stores Log Files • Maintaining Firewalls 2. Statefully Filtered Packet Policy Policy Security Level Inside=100 Security Level Outside=0 Router Automatically Reject Connection Security Level=60 Internal Network Internet Connections Are Allowed from More Secure Networks to Less Secure Networks Third-Party Application Inspection Firewall 35 36 6 Questions? 37 7