Firewalls
(March 2, 2016)
© Abdou Illia – Spring 2016
Test your Firewall knowledge

Which of the following is true about firewalls?
a) A firewall can be a hardware device
b) A firewall can be a software program
c) Firewalls can be hardware or software

Which of the following is true about firewalls?
a) They are used to protect a whole network against attacks
b) They are used to protect single computers against attacks
c) Both a and b.
Test your Firewall knowledge (cont)
 Which of the following is true about firewalls?
a) They are configured to monitor inbound traffic and protect
against attacks by intruders
b) They are configured to monitor outbound traffic and prevent
specific types of messages from leaving the protected
network.
c) Both a and b
Firewall: definition
 Hardware or software tool used to protect a single host (1) or an entire network (2) by
 "sitting" between a trusted network (or a trusted host) and an untrusted network
 Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic

[Figure: a trusted network containing PCs with host-based firewalls, separated from the untrusted network by a network-based firewall]

(1) Host-based or personal firewall
(2) Network-based firewall
Questions
 What is the main advantage of having a host-based firewall in addition to having a network-based one?
Answer:_________________________________________
 What kind of security issue could be associated with having host-based firewalls on users' PCs?
Answer:__________________________________________
Most firms have multiple firewalls. Their arrangement is called the firm's firewall architecture.

Firewall Architecture

[Figure: example firewall architecture]
  Internet
    | Screening Router Firewall
  Demilitarized Zone (DMZ):
    Public Webserver 60.47.3.9
    HTTP Application Proxy Server 60.47.3.1
    SMTP Application Proxy Server 60.47.3.10
    External DNS Server 60.47.3.4
    | Main Border Firewall
  172.18.9.x Subnet, with an Internal Firewall in front of:
    Marketing Client on 172.18.5.x Subnet (Host Firewall)
    Accounting Server on 172.18.7.x Subnet (Host Firewall)
    Email Server on 172.18.6.x Subnet (Host Firewall)
Firewall Architecture (cont.)

The DMZ is a subnet that holds the hosts most exposed to attack, i.e. the hosts that provide services to outside users. Common hosts in the DMZ: public web servers (60.47.3.9 in the figure above), public DNS servers (60.47.3.4), public FTP servers, e-mail (SMTP) proxy servers (60.47.3.10) and HTTP proxy servers (60.47.3.1).

Hosts in the DMZ must be heavily protected.
Questions

 What is a DMZ?
 Why are public web servers usually put in the DMZ?
 Why are public DNS servers usually put in the DMZ?
 Which of the following may be placed in a DMZ?
a) An SMTP proxy server
b) A server that contains files available for downloading by employees
c) A File Transfer Protocol (FTP) server
d) A SQL (Structured Query Language) database server
 What IP addresses should a DNS server in the DMZ be able to find?
a) All the company's IP addresses
b) Only the IP addresses of the computers in the internal subnet
c) Only the IP addresses of the computers in the DMZ
 You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this?
a) A DMZ (Demilitarized Zone)
b) A honeypot
c) A firewall
d) None of the above
Basic Firewall Operation

[Figure: the Internet (not trusted) on the left, the border firewall in the middle, the internal corporate network (trusted) on the right. Legitimate Packet 1 and Legitimate Packet 2 from a legitimate user are passed (ingress); Attack Packet 1 from the attacker is dropped (ingress) and recorded in the log file; a packet leaving the internal network is passed (egress).]

Ingress filtering: filtering packets coming from external networks
Egress filtering: filtering packets leaving to external networks
[Packet layouts: IP-H | TCP-H | Application Layer Message, and IP-H | UDP-H | Application Layer Message]
Types of Firewalls
 Static Packet Filtering Firewalls (1st generation)
 Inspect the IP, TCP and UDP headers to make filtering decisions
 Do static filtering of individual packets based on a configured ruleset (or Access Control List)
 Prevent attacks that use IP or port spoofing, etc. (e.g. by denying inbound packets with a private source address)
 Stateful Packet Filtering Firewalls (2nd generation)
 Inspect the IP, TCP and UDP headers to make filtering decisions
 Do stateful filtering by checking the firewall's state table for the relation of each packet to packets already filtered
 If a packet does not match an existing connection, the ruleset (static filtering) is used
 If a packet matches an existing connection, it is allowed to pass
 Prevent SYN attacks, teardrops, etc.

State Table
Connection   | Source IP    | Destination IP | State
Connection 1 | 123.12.13.4  | 60.47.3.9:80   | TCP opening
Connection 2 | 213.14.33.56 | 60.47.3.9:80   | Data transfer
...          | ...          | ...            | ...
Types of Firewalls (cont.)
 Application Firewalls (3rd generation)
 Also called proxy firewalls
 Inspect the Application Layer message (e.g. HTTP requests, e-mails, etc.)
 Specialized proxy firewalls are more effective than general-purpose ones:
   HTTP proxy firewalls for HTTP requests
   SMTP proxy firewalls for SMTP e-mail
   FTP proxy firewalls for FTP-based file transfer requests
 Prevent malware attacks

[Figure: 1. The browser sends an HTTP request to the HTTP proxy; 2. the proxy inspects it, records it in its log file and passes the inspected request to the webserver application; 3. the webserver returns the HTTP response to the proxy; 4. the proxy passes the inspected response back to the browser.]
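The inspection step 2 of the figure, as an added example (not code from the lecture): an HTTP proxy firewall parses the whole request rather than looking at headers, and refuses anything it cannot frame unambiguously. The allowed methods, the header limits and the host list are assumed policy values; the sample requests are constructed.

```python
# Added example (not from the lecture): application-layer inspection of one
# complete HTTP request, the kind of check an HTTP proxy firewall performs
# before forwarding to the webserver. Policy values are assumptions.
from typing import Dict, List, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
MAX_HEADER_BYTES = 8192                      # assumed policy
MAX_HEADER_COUNT = 50                        # assumed policy


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Raises ValueError on anything that is not a well-formed request. Header
    names are lower-cased; a repeated header name is kept as a list so the
    policy below sees duplicates instead of silently taking the last value.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.decode("ascii").strip().lower(), []).append(
            value.decode("latin-1").strip())
    return method, target, version, headers, body


def inspect(raw: bytes, allowed_hosts) -> Tuple[str, str]:
    """Return ("PASS", summary) or ("DROP", reason) for one complete request."""
    if len(raw.partition(b"\r\n\r\n")[0]) > MAX_HEADER_BYTES:
        return "DROP", "header block too large"
    try:  # UnicodeDecodeError is a subclass of ValueError
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "DROP", f"unparsable request: {exc}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "DROP", f"unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return "DROP", f"method {method} not allowed"
    if sum(len(v) for v in headers.values()) > MAX_HEADER_COUNT:
        return "DROP", "too many headers"
    if not target.startswith("/"):
        return "DROP", "request target is not an origin-form path"
    hosts = headers.get("host", [])
    if len(hosts) != 1 or hosts[0].split(":")[0].lower() not in allowed_hosts:
        return "DROP", "missing, duplicate or foreign Host header"
    # Ambiguous message framing is how a request is smuggled past a proxy:
    # refuse duplicate Content-Length, or Content-Length next to Transfer-Encoding.
    lengths = headers.get("content-length", [])
    if len(lengths) > 1 or (lengths and "transfer-encoding" in headers):
        return "DROP", "ambiguous message length"
    if lengths:
        if not lengths[0].isdigit():
            return "DROP", "non-numeric Content-Length"
        if int(lengths[0]) != len(body):   # this example sees the whole message at once
            return "DROP", "Content-Length does not match body"
    elif body and "transfer-encoding" not in headers:
        return "DROP", "body without length framing"
    return "PASS", f"{method} {target} for {hosts[0]}"


if __name__ == "__main__":
    # Constructed sample requests
    print(inspect(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", {"www.example.com"}))
    print(inspect(b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", {"www.example.com"}))
    print(inspect(b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nabc",
                  {"www.example.com"}))
```

Everything the function rejects is a request the webserver behind the proxy would otherwise have to make sense of on its own; the proxy's log file records the reason string with each drop.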
Types of Firewalls (cont.)
 Network Address Translation (NAT) Firewall
 Replaces the internal IP address in outgoing messages with a substitute (external) IP address
 Hides internal hosts' IP addresses from outsiders
 Helps prevent IP spoofing attacks that use internal IP addresses, since outsiders never learn them

Translation table:
Host IP Address | Outgoing IP Address | Request ID
135.12.23.12    | 135.12.20.1         | 120121
135.12.22.2     | 135.12.20.2         | 120122
135.12.21.3     | 135.12.20.3         | 120123
...             | ...                 | ...
Network Address Translation (Cont)

[Figure: NAT translation of an outbound packet and its reply]
1. The client 192.168.5.7 sends a packet from port 61000 to the NAT firewall.
2. The NAT firewall rewrites the source to 60.5.9.8, port 55380, records the mapping in its translation table and forwards the packet to the server host on the Internet. A sniffer on the Internet sees only 60.5.9.8, port 55380.
3. The server's reply is addressed to 60.5.9.8, port 55380.
4. The NAT firewall looks up port 55380 in the translation table and delivers the reply to 192.168.5.7, port 61000.

Translation table:
Internal IP Addr | Internal Port | External IP Addr | External Port
192.168.5.7      | 61000         | 60.5.9.8         | 55380
...              | ...           | ...              | ...
Perspective on NAT
 NAT/PAT
 NAT does more than network (IP) address translation
 It also does port number translation
 Should be called NAT/PAT, but NAT is the common term
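The translation table of the two NAT slides above, as an added example (not code from the lecture). The external address 60.5.9.8 and the ports 61000 and 55380 are the slide's; the sequential port allocator, the second client 192.168.5.8 and the server address 203.0.113.10 are assumptions. It shows why port translation is needed at all: two inside hosts can pick the same source port, and only the external port tells the replies apart.

```python
# Added example (not from the lecture): a NAT/PAT translation table that
# rewrites the source of outgoing packets and un-translates the replies.
# External address and ports follow the slide; the allocation policy is assumed.
from typing import Dict, Optional, Tuple

Header = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatFirewall:
    def __init__(self, external_ip: str, first_port: int = 49152, last_port: int = 65535):
        self.external_ip = external_ip
        self.first_port, self.last_port = first_port, last_port
        self._next = first_port
        # inside (ip, port, proto) -> external port, and the reverse map
        self.outbound_map: Dict[Tuple[str, int, str], int] = {}
        self.inbound_map: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def _allocate(self, proto: str) -> int:
        """Hand out the next free external port (real NAT devices randomise this)."""
        for _ in range(self.last_port - self.first_port + 1):
            port = self._next
            self._next = port + 1 if port < self.last_port else self.first_port
            if (port, proto) not in self.inbound_map:
                return port
        raise RuntimeError("external port pool exhausted")

    def outbound(self, hdr: Header, proto: str = "tcp") -> Header:
        """Steps 1 -> 2: rewrite the source, creating a table entry on first use."""
        src_ip, src_port, dst_ip, dst_port = hdr
        key = (src_ip, src_port, proto)
        if key not in self.outbound_map:
            ext_port = self._allocate(proto)
            self.outbound_map[key] = ext_port
            self.inbound_map[(ext_port, proto)] = (src_ip, src_port)
        return (self.external_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, hdr: Header, proto: str = "tcp") -> Optional[Header]:
        """Steps 3 -> 4: map a reply back to the inside host, or None to drop it.

        A packet whose external port has no table entry was not solicited by
        anyone inside, so there is nowhere to deliver it.
        """
        src_ip, src_port, dst_ip, dst_port = hdr
        if dst_ip != self.external_ip:
            return None
        inside = self.inbound_map.get((dst_port, proto))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = NatFirewall("60.5.9.8", first_port=55380)
    # Two inside clients that happen to use the same source port 61000
    print(nat.outbound(("192.168.5.7", 61000, "203.0.113.10", 443)))   # ('60.5.9.8', 55380, ...)
    print(nat.outbound(("192.168.5.8", 61000, "203.0.113.10", 443)))   # ('60.5.9.8', 55381, ...)
    print(nat.inbound(("203.0.113.10", 443, "60.5.9.8", 55380)))       # back to 192.168.5.7:61000
    print(nat.inbound(("203.0.113.10", 443, "60.5.9.8", 55399)))       # None: no entry, dropped
```

This table is keyed only on the inside endpoint; production NAT devices usually also key on the destination and expire idle entries, which this example leaves out.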
Firewall configuration
 Default configuration (default rulesets or ACLs)
 Pass connections initiated by an internal host
 Deny connections initiated by an external host
 Can change the default configuration with access control lists (ACLs) for ingress and egress filtering
 ACLs are sets of IF-THEN rules applied in sequential order

[Figure: a router between the internal network and the Internet; a connection attempt from the inside is automatically passed, a connection attempt from the Internet is automatically denied]
Ingress ACL

[Figure: trusted network with hosts 60.47.3.1, 60.47.3.2, 60.47.3.5 and 60.47.3.9 behind the firewall; the ingress ACL is applied to packets arriving from the untrusted network]

1. If Source IP Address = 10.*.*.*, DENY [Private IP Address Range]
2. If Source IP Address = 172.16.*.*, DENY [Private IP Address Range]
3. If Source IP Address = 192.168.*.*, DENY [Private IP Address Range]
4. If Destination IP Address = 60.47.3.9 AND TCP Destination Port = 80 or 443, PASS
5. If Destination IP Address = 60.47.*.*, DENY
6. If incoming packet has TCP SYN = 1 and ACK = 0, DENY [Attempt to open a connection from the outside]
7. If TCP Destination Port = 20, DENY
8. If TCP Destination Port = 135 through 139, DENY
9. If UDP Destination Port = 69, DENY
10. DENY ALL

Port Number | Primary Protocol       | Application
20          | TCP                    | FTP data traffic
21          | TCP                    | FTP supervisory connection. Passwords sent in the clear
23          | TCP                    | Telnet. Passwords sent in the clear
25          | TCP                    | Simple Mail Transfer Protocol (SMTP)
69          | UDP                    | Trivial File Transfer Protocol (TFTP). No login necessary
80          | TCP                    | Hypertext Transfer Protocol (HTTP)
137-139     | UDP (137, 138), TCP (139) | NetBIOS service for peer-to-peer file sharing in older versions of Windows
443         | TCP                    | HTTP over SSL/TLS
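The ten rules above as a first-match evaluator, added here as an example (not code from the lecture). It encodes each rule as a predicate, walks the list in order and reports which rule decided, so the effect of reordering two rules can be checked directly. Addresses other than the 60.47.3.x hosts on the slide are constructed; the slide's 172.16.*.* is kept as written, although the full RFC 1918 block is 172.16.0.0/12.

```python
# Added example (not from the lecture): the slide's ten-rule ingress ACL as a
# first-match evaluator, to show why rule order matters. Sample addresses
# other than 60.47.3.x are constructed.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False     # TCP flags, ignored for UDP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                           # "PASS" or "DENY"
    src: Optional[str] = None             # CIDR; None = any source
    dst: Optional[str] = None             # CIDR; None = any destination
    proto: Optional[str] = None           # "tcp", "udp" or None = any
    dports: FrozenSet[int] = frozenset()  # empty = any destination port
    syn: Optional[bool] = None            # None = don't care
    ack: Optional[bool] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.syn is not None and (p.proto != "tcp" or p.syn != self.syn):
            return False
        if self.ack is not None and (p.proto != "tcp" or p.ack != self.ack):
            return False
        return True


def ingress_acl() -> List[Rule]:
    """The slide's rules, in the slide's order (rule 1 first)."""
    return [
        Rule("DENY", src="10.0.0.0/8", note="private range"),
        # the slide writes 172.16.*.*; the full RFC 1918 block is 172.16.0.0/12
        Rule("DENY", src="172.16.0.0/16", note="private range"),
        Rule("DENY", src="192.168.0.0/16", note="private range"),
        Rule("PASS", dst="60.47.3.9/32", proto="tcp", dports=frozenset({80, 443}),
             note="public web server"),
        Rule("DENY", dst="60.47.0.0/16", note="everything else on the trusted network"),
        Rule("DENY", proto="tcp", syn=True, ack=False, note="connection attempt from outside"),
        Rule("DENY", proto="tcp", dports=frozenset({20}), note="FTP data"),
        Rule("DENY", proto="tcp", dports=frozenset(range(135, 140)), note="NetBIOS"),
        Rule("DENY", proto="udp", dports=frozenset({69}), note="TFTP"),
        Rule("DENY", note="default deny"),
    ]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Walk the ACL top to bottom; the first matching rule decides."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return number, rule.action
    raise RuntimeError("ACL has no catch-all rule")


def swap(rules: List[Rule], a: int, b: int) -> List[Rule]:
    """Copy of the ACL with 1-based rules a and b exchanged."""
    out = list(rules)
    out[a - 1], out[b - 1] = out[b - 1], out[a - 1]
    return out


if __name__ == "__main__":
    acl = ingress_acl()
    web_syn = Packet("203.0.113.5", "60.47.3.9", "tcp", 443, syn=True)
    print(evaluate(acl, web_syn))              # (4, 'PASS')
    print(evaluate(swap(acl, 4, 5), web_syn))  # (4, 'DENY'): the blanket DENY now shadows the web server
    print(evaluate(swap(acl, 4, 6), web_syn))  # (4, 'DENY'): the SYN rule would block every new web connection
```

Because rule 5 already denies everything addressed to 60.47.*.*, rules 7 to 9 only ever see packets addressed elsewhere; the evaluator makes that kind of shadowing visible by returning the deciding rule number.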
Ingress ACL (cont.): questions

 What kind of messages does Rule 7 block?
 Why does Rule 5 have to come after Rule 4?
 Why does Rule 6 have to come after Rule 4?
 You work as the security administrator for the trusted network. Employees often download files from an FTP (File Transfer Protocol) server located in the untrusted network. What TCP port do you open in the firewall configuration?
a) Open port 69 to all inbound connections.
b) Open port 69 to all outbound connections.
c) Open port 20/21 to all inbound connections.
d) Open port 20/21 to all outbound connections.
TCP Flag Fields (6 bits): URG, ACK, PSH, RST, SYN, FIN

Typical attacks and firewall config.

Attack | Typical configuration | Comments
Ping of death | Any packet with Total Length more than the maximum allowed is dropped. | Stateful firewall
IP fragmentation-based attacks (e.g. Teardrop) | The firewall intercepts all fragments of an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped. | Stateful firewall
Smurf attack | The firewall drops any ping responses that are not part of an active session. | Stateful firewall
Attacks that send TCP URG packets | Any TCP packets that have the URG flag set are discarded by the firewall. |
Land attack | Any packets with the same source and destination IP addresses are discarded. |
IP broadcast | Packets with a broadcast source or destination IP address are discarded. |
TCP SYN/ACK attack | TCP opening segments that have the SYN and ACK flags set AND that are not linked to a TCP SYN request are discarded. | Stateful firewall
Invalid TCP sequence number | The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped. | Stateful firewall
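The stateful filter of the "2nd generation" slide and the checks in the table above, combined in one added example (not code from the lecture). Outbound SYNs and echo requests create state; inbound packets either match that state, are accepted by a static rule, or are dropped with the reason the table gives. The packet fields, the protected subnet 60.47.3.0/24, the static rule for the web server and all other addresses are assumptions; fragment reassembly (Teardrop) is left out.

```python
# Added example (not from the lecture): a stateful packet filter that applies
# the session-based checks from the table above (Smurf, SYN/ACK, sequence
# number) together with the stateless ones (ping of death, land, broadcast,
# URG) and falls back to a static rule when no session matches. Fragment
# reassembly is left out. Packet fields and sample addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

MAX_IP_TOTAL_LENGTH = 65535
WINDOW = 65535                 # how far ahead of the expected sequence number we accept
Verdict = Tuple[str, str]      # ("PASS" | "DROP", reason)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags: "SYN", "ACK", "FIN", "RST", "URG", "PSH"
    seq: int = 0                          # TCP sequence number
    payload_len: int = 0
    icmp_type: int = 0                    # 8 = echo request, 0 = echo reply
    icmp_id: int = 0
    total_length: int = 60                # IP Total Length (after reassembly)


class StatefulFirewall:
    def __init__(self, protected_net: str,
                 static_allow: Callable[[Packet], bool] = lambda p: False):
        self.net = ipaddress.ip_network(protected_net)
        self.static_allow = static_allow      # ruleset used when no session matches
        self.tcp: Dict[tuple, dict] = {}      # (in_ip, in_port, out_ip, out_port) -> state
        self.pings: set = set()               # (in_ip, out_ip, icmp_id) awaiting a reply

    def _is_broadcast(self, ip: str) -> bool:
        return ip == "255.255.255.255" or ipaddress.ip_address(ip) == self.net.broadcast_address

    def _stateless(self, p: Packet) -> Optional[str]:
        """Checks that need no session; returns a drop reason or None."""
        if p.total_length > MAX_IP_TOTAL_LENGTH:
            return "ping of death: total length exceeds 65535"
        if p.src == p.dst:
            return "land attack: same source and destination"
        if self._is_broadcast(p.src) or self._is_broadcast(p.dst):
            return "broadcast source or destination"
        if p.proto == "tcp" and "URG" in p.flags:
            return "TCP URG flag set"
        return None

    def outbound(self, p: Packet) -> Verdict:
        """Packet leaving the trusted network: remember what reply we expect."""
        reason = self._stateless(p)
        if reason:
            return "DROP", reason
        if p.proto == "icmp" and p.icmp_type == 8:
            self.pings.add((p.src, p.dst, p.icmp_id))
        elif p.proto == "tcp" and p.flags == {"SYN"}:
            self.tcp[(p.src, p.sport, p.dst, p.dport)] = {"state": "SYN_SENT"}
        return "PASS", "outbound"

    def inbound(self, p: Packet) -> Verdict:
        """Packet arriving from the untrusted network."""
        reason = self._stateless(p)
        if reason:
            return "DROP", reason
        if p.proto == "icmp" and p.icmp_type == 0:
            key = (p.dst, p.src, p.icmp_id)
            if key in self.pings:
                self.pings.discard(key)
                return "PASS", "echo reply to our own request"
            return "DROP", "echo reply not part of an active session (Smurf)"
        if p.proto != "tcp":
            return ("PASS", "static rule") if self.static_allow(p) else ("DROP", "no static rule")
        key = (p.dst, p.dport, p.src, p.sport)    # normalised to (inside, outside)
        s = self.tcp.get(key)
        if s is None:
            if {"SYN", "ACK"} <= p.flags:
                return "DROP", "SYN/ACK not linked to a SYN we sent"
            if not self.static_allow(p):
                return "DROP", "no matching session and no static rule"
            if p.flags == {"SYN"}:                # outside client opening to a published server
                self.tcp[key] = {"state": "SYN_RECEIVED", "peer_next": (p.seq + 1) % 2**32}
            return "PASS", "static rule"
        if s["state"] == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                s.update(state="ESTABLISHED", peer_next=(p.seq + 1) % 2**32)
                return "PASS", "SYN/ACK completes our handshake"
            return "DROP", "half-open session: only a SYN/ACK is acceptable"
        if (p.seq - s["peer_next"]) % 2**32 >= WINDOW:
            return "DROP", "unexpected sequence number"
        s["peer_next"] = (p.seq + p.payload_len) % 2**32
        if p.flags & {"FIN", "RST"}:              # simplified teardown
            del self.tcp[key]
        return "PASS", "matches active session"
```

The sequence-number check only tracks the outside peer's side and accepts anything within WINDOW bytes ahead of what it last saw; a production firewall tracks both directions, the advertised window and retransmissions, and ages out idle sessions.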
Firewall Principles
 Danger of Overload
 If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets
 This is the safest choice, because attack packets cannot enter the network
 However, this creates a self-inflicted denial-of-service attack

Firewall Principles (Continued)
 Danger of Overload
 So firewalls must have the capacity to handle the traffic
 Some can handle normal traffic but cannot handle traffic during heavy attacks
 Need to regularly check firewall logs:
   If too many unprocessed packets are dropped, the firewall needs to be upgraded.
Centralized Firewall Management System

[Figure: a management console manages the firewalls of Site A, Site B and remote home PCs over the Internet]
 Remote management is needed to reduce management labor
 Dangerous, because if an attacker compromises the management console, they own the network
 Remote PCs (e.g. home PCs with their own firewall) must be actively managed centrally
Firewall Management
 Firewalls are ineffective without planning and maintenance
 Planning
 Asset assessment: identify all assets and their relative sensitivities
 Threat assessment: what threats can attack each asset?
 Design a firewall policy for each asset
 Design a firewall architecture
Firewall Management (Continued)
 Implementation
 Firewall operating system hardening
   Firewall appliances are hardened at the factory
   Firewall vendors often sell firewalls that are general-purpose computers with pre-hardened versions of Unix or Windows
   If a firm purchases a general-purpose computer and firewall software, strong actions must be taken to harden the operating system
Firewall Management (Continued)
 Implementation
 Select implementation options
   e.g., turn off remote management if not needed
 Firewall ACL rule configuration
   Complex and therefore error-prone
   Driven by firewall policies
 Vulnerability testing after configuration
   Must do a vulnerability test even after "trivial" changes
   Driven by firewall policies
Firewall Management (Continued)
 Maintenance
 Constantly change firewall policies and ACLs to deal with new threats
   Document each change carefully!
 Read log files daily to understand the current threat environment
 Read log files daily to detect problems (the dropping of legitimate traffic, etc.)
 Update the firewall software when there are new releases
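The daily log review of the maintenance slide and the overload check of the "Danger of Overload" slides, as one added example (not code from the lecture). It runs over constructed log lines in an assumed key=value format, separates drops caused by overload (a capacity problem) from drops of traffic that the ingress ACL's rule 4 says should pass (a rule-order problem), and ignores lines it cannot parse rather than failing. The log format, the sample lines, the allowed-service list and the 1% overload limit are all assumptions; rule numbers in the sample refer to the ingress ACL on the earlier slides.

```python
# Added example (not from the lecture): a daily log review over constructed
# firewall log lines. It separates drops caused by overload (a capacity
# problem) from drops of traffic the policy says should pass (a rule-order
# problem). Log format, sample lines and allowed services are assumptions.
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>PASS|DROP) reason=(?P<reason>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp|icmp) dport=(?P<dport>\d+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; rule numbers refer to the ingress ACL on the slides.
SAMPLE_LOG = """\
2016-03-02T09:14:05 DROP reason=rule1 src=10.4.4.4 dst=60.47.3.9 proto=tcp dport=80
2016-03-02T09:14:06 PASS reason=rule4 src=203.0.113.5 dst=60.47.3.9 proto=tcp dport=443
2016-03-02T09:14:07 DROP reason=overload src=198.51.100.2 dst=60.47.3.9 proto=tcp dport=443
2016-03-02T09:14:07 DROP reason=overload src=198.51.100.3 dst=60.47.3.9 proto=tcp dport=80
2016-03-02T09:14:08 DROP reason=rule6 src=192.0.2.9 dst=60.47.3.9 proto=tcp dport=443
2016-03-02T09:14:09 kernel: link state change on eth0
2016-03-02T09:14:10 DROP reason=rule5 src=192.0.2.10 dst=60.47.3.5 proto=tcp dport=22
2016-03-02T09:14:11 PASS reason=rule4 src=203.0.113.6 dst=60.47.3.9 proto=tcp dport=80
"""

# Services the policy (rule 4 on the slide) says outsiders may reach
ALLOWED_SERVICES: Set[Tuple[str, str, int]] = {("60.47.3.9", "tcp", 80), ("60.47.3.9", "tcp", 443)}


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def review(log_text: str, allowed=ALLOWED_SERVICES, overload_limit: float = 0.01) -> Dict:
    """Summarise one log file; 'findings' lists what needs action."""
    entries, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        entries.append(e)
    drops = [e for e in entries if e["action"] == "DROP"]
    by_reason = Counter(e["reason"] for e in drops)
    overload_fraction = by_reason["overload"] / len(entries) if entries else 0.0
    # A DROP of traffic to an allowed service from a non-private source is a
    # legitimate packet blocked by an earlier rule: the ACL order needs fixing.
    misfiltered = [e for e in drops
                   if e["reason"] != "overload"
                   and (e["dst"], e["proto"], e["dport"]) in allowed
                   and not is_rfc1918(e["src"])]
    findings: List[str] = []
    if overload_fraction > overload_limit:
        findings.append(f"{by_reason['overload']} packets dropped unprocessed: firewall capacity exceeded")
    for e in misfiltered:
        findings.append(f"{e['reason']} dropped legitimate traffic {e['src']} -> {e['dst']}:{e['dport']}")
    return {"parsed": len(entries), "unparsed": unparsed, "drops": len(drops),
            "by_reason": dict(by_reason), "overload_fraction": overload_fraction,
            "misfiltered": misfiltered, "findings": findings}


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG)["findings"]:
        print(finding)
```

On the sample, the rule1 drop of a 10.x source is correct (anti-spoofing) and stays out of the findings, while the rule6 drop of a web-server SYN from an outside address is reported, which is the rule-order mistake the ACL questions ask about.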
Firewalls, IDSs, and IPSs

                            | Firewalls | IDSs | IPSs
Drops packets?              | Yes       | No   | Yes
Logs packets?               | Yes       | Yes  | Yes
Sophistication in filtering | Medium    | High | High
Creates alarms?             | No        | Yes  | Sometimes
Firewalls, IDSs, and IPSs (Cont)
 Sophistication in Filtering
 Message stream analysis, not just individual packets
 Reassemble fragmented application messages
 Deep packet inspection: both internet-level headers and application headers