Firewalls
Topics
 Firewall design principles
 Characteristics
 Types
 Configurations
 Trusted systems
 Common Criteria for Information Technology Security
Evaluation
Firewalls
 Internet connectivity has become a necessity in
corporations and organizations
 However, this allows outsiders to interact with network
assets
 An organization may own thousands of computers
 Could install strong security software on every
computer…
 A security patch is released
 Now thousands of computers need to be patched
Firewalls
 Easier solution?
 Place a firewall between the Internet and the
organization’s network
 Protects a network from Internet-based attacks
 Impose security and auditing on one choke point
 Special hardware, a computer, or many computers can
function as a firewall
Firewall characteristics
 Goals:
 All traffic is directed towards the firewall. There must
be no way to access the network without going through
the firewall first
 Only authorized traffic is allowed to pass through the
firewall, as defined by local security policies
 The firewall is immune to penetration. Implies use of a
trusted system and a secure operating system
Firewall characteristics
 Four techniques used to control access:
 Service control




Determine what Internet services are allowed to be accessed
May filter traffic based on IP address or port
May act as proxy software (receive and interpret services
before passing them on)
May host service software itself
 Direction control

Determine what direction service requests may be initiated or
allowed to pass through
Firewall characteristics
 User control

Control which services can be accessed by particular users
(inside or outside the network)
 Behaviour control

Control how services are used (e.g., spam firewall or website
filter)
Firewall characteristics
 Other features:
 Monitoring of security-related events
 Non-security-related Internet functions


Network address translation (NAT)
Log Internet usage
 Platform for IPSec
Firewall characteristics
 Limitations:
 Cannot protect against attacks that bypass the firewall
 Cannot protect against internal threats


For example, an angry employee deleting files
Or, an employee cooperating with an outside attacker
 Cannot protect against the transfer of viruses


Different operating systems and applications inside the
network
Need to scan all incoming data…impractical, perhaps
impossible
Types of firewalls
 Packet-filtering router
 Application-level gateway
 Circuit-level gateway
Packet-filtering router
 Applies a set of rules to each incoming and outgoing packet
 Possible rules:
 Source or destination IP address
 Port number
 Transport protocol (TCP or UDP)
 Other information contained in a network packet
 Filters are a list of rules
 If a rule is matched, either forward or discard the packet
 Default action may be either forward or discard
 Happens when a packet is not filtered
Packet-filtering router
Packet-filtering router
 Advantages:
 Fast, simple, transparent
 Disadvantages:
 Cannot prevent attacks on specific application
weaknesses
 Limiting logging capabilities
 Typically no support for user authentication
 Vulnerable to exploits that take advantage of problems
in the TCP/IP specification
 Easy to make mistakes when creating rules
Application-level gateway
 Also called a proxy server
 Usage:
 User contacts gateway through an application (e.g., telnet or
FTP)
 User must authenticate and provide name of remote host
 Gateway connects to remote host and relays data back to the
user
 If code for an application is not implemented, gateway will
not support that application
 May be configured to support only certain features of an
application
Application-level gateway
 Advantages:
 Tend to be more secure than packet filters
 Whole applications can be allowed or blocked, rather
than many possible combinations of packets
 Easy to log and audit traffic at the application level
 Disadvantage:
 Additional overhead due to splicing every connection
Circuit-level gateway
 Does not permit end-to-end connections
 Sets ups two TCP connection (inner host to gateway,
gateway to outer host)
 Gateway relays segments from one connection to the
other
 Does not examine contents of segments
 Security function is to determine what connections are
allowed
 Could be a standalone system or function performed
by application-level gateway for some applications
Circuit-level gateway
 Example implementation: SOCKS
 Consists of a server, client library, and client programs
that have been linked with or are compatible with
SOCKS
 A client wants to access an object beyond the firewall
 A TCP connection is opened on port 1080 on the SOCKS
server
 Client is authenticated
 Client makes relay request
 SOCKS either accepts (and establishes connection) or
rejects
Bastion host
 A system identified to be a critical strong point in a
network’s security
 Typically used as platform for application-level or circuitlevel gateways
 Characteristics:
 Runs a secure version of an operating system
 Only essential services are installed
 Requires user authentication to access proxy services
 Each proxy is a tiny software package that runs independently
and requires little configuration
 Each proxy may only support a subset of application features,
may only access specific hosts, and maintains detailed logs
Firewall configurations
 A single router or gateway are simple configurations
 More complex configurations are possible and are
more common:
 Screened host firewall, single-homed bastion
 Screened host firewall, dual-homed bastion
 Screened subnet firewall
Screened host firewall, singlehomed bastion
 A packet-filtering router with a bastion host
 Router’s configuration:
 Only packets destined for the bastion host may pass
 Only packets from the bastion host may leave
 Bastion host performs authentication and proxy
functions
 Internal network is protected by two systems
Screened host firewall, singlehomed bastion
 Allows for flexibility:
 For example, a web server does not need strong security;
router can be configured to allow traffic directly to it
 Problem:
 A compromised router will allow traffic to flow directly
through to the internal network, bypassing the bastion
Screened host firewall, dual-homed
bastion
 All of the same features and functionality of a single-
homed bastion setup
 However, physically prevents traffic from going
anywhere but through the bastion first
 Solves problem with single-homed bastion setup
Screened subnet firewall
 Two packet-filtering routers and one bastion host
 One router between Internet and bastion
 Another between bastion and internal network
 Creates an isolated, screened sub-network
 Besides bastion, could also contain servers, modems,
etc.
 Three levels of defense
 Internet only sees the screened sub-network
 Internal network cannot construct direct routes to the
Internet
Trusted systems
 Trusted system technologies enhance the ability to
defend against intruders and malicious programs
Data access control
 Need a way to state what sort of permissions a user
may have in a system (e.g., file access, database access,
etc.)
 Access matrix
 A general model of access control used by file or
database management systems
Data access control
 Elements:



Subject: An entity that can access objects. Usually a user or
application is represented by a process, since a process gains
access to an object
Object: Anything to which access is controlled (e.g., files or
memory)
Access right: The way in which an object is accessed (e.g.,
read, write, or execute)
 One axis lists the subject, the other lists objects
 Each entry consists of access rights of a subject on an
object
Data access control
Data access control
 Access matrix is usually implemented by decomposing
it
 Access control list (ACL)
 Decomposition by column
 Lists subjects and their access rights for each object
 May include a default set of rights
 Capability tickets
 Decomposition by row
 Lists objects and associated access rights for each
subject
Concept of trusted systems
 Multilevel security
 Multiple groups (or levels) of data are defined
 Idea is a high level subject cannot convey information to
a lower level subject
 Two rules need to be enforced:


No read up: A subject only reads objects less or equal to their
security level
No write down: A subject only writes into an object equal or
greater than their security level
Concept of trusted systems
 Reference monitor
 Element of hardware or operating system
 Regulates the access of objects by subjects on the basis of security
parameters
 A security kernel database stores all access privileges and object
levels
 Properties:



Complete mediation: Security rules are enforced on every single access
to an object
Isolation: No unauthorized modification to reference monitor and
database
Verifiability: The reference monitor’s correctness must be
mathematically provable
 An audit file may be used to log security violations or changes to the
kernel database
Concept of trusted systems
 A trusted system provides the amount of verification
as seen in the reference monitor
 Trojan horse defense
 A trusted operating system can prevent Trojan horse
attacks
 A user’s documents and programs are classified under a
high security level
 A Trojan horse is planted by a user who has gained
access, but under a low security level
 The Trojan horse can read the documents, but cannot
copy them to a low security level file
Common Criteria for Information
Technology Security Evaluation
 Defines a set of potential security requirements for use in
evaluating part of a system
 Requirements:
 Functional: Defines desired security behaviour
 Assurance: Basis for gaining confidence that security
measures are effective and implemented correctly
 Profiles that can be generated:
 Protection: Defines a set of security requirements and
objectives of a category of systems
 Security: Contains security requirements and objectives of a
target system and functional and assurance measures offered
to meet those requirements