Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000) Firewalls are not just for companies any more: the changing home High Speed Internet Connections Drive the importance of security The home Network: always on the Net Always on, all hackers all the time • For me to attack your system, I must send packets to it • With dial, you get a different IP address for each call and in relative terms that call is not long • Big issue is that you will have the same IP address for a long time with persistent connections • You may have the same IP address ALL the time. • So plenty of time for someone to go after you Personal PCs have the standard OS vulnerabilities • Private Web servers easy targets Windows file sharing does not help • Admin Shares – $c – On by default in Win 9* and older NT • Browser Service – Network Neighborhood – Could see everyone else's PCs • Hard to turn it off on Internet facing interfaces interfaces • Who cares? QDATA.* Multiple security problems Defense in Depth The tradeoffs Costs • Dollars for the software • Download of updates • Customization – most software out of the box works fine – File and print sharing on your home LAN – special apps • Checking logs Example of customization The firewall: The first line of defense What a firewall does not do Firewall technologies • Network Address Translation A digression, TCP/IP Internet Protocol TCP TCP connection flow • the syn is unique to session start TCP Ports Identify the App IP addresses ‘Private’ IP addresses • Routable IP addresses are scarce • Not every system in the world needs direct and always on access to the Internet • Private addresses allows you to address many more systems than the ‘public’ address space (public addresses can be routed over the internet • For a private addressed system to access the internet it must be translated to a public address • Private addresses are defined by RFC 1918 – 10.*.*.*, 172.16.*.*-172.31.*.*, 192.168.*.* Public IP address assignment • If you are dialing up, you get one for the duration of the call and it will change • If you are on a ‘always on’ you MAY get a one – Providers charge for more than 1 permanent IP addresses – Some cable systems change your address so you cant host a server without them knowing (and of course you paying) • To address multiple PCs and have them access the internet you must NAT Network Address Translation Enterprise NAT • NAT is also used to ‘hide’ addresses – Remote end can only see the NATed address not the real one • Both ends use private addresses • And will often have duplicates (10.1.1.1) • So will often ‘dual nat’ that is translate both source and destination • Can even map ports so 1 address, multiple servers – 200.200.200.200 port 80; 10.1.1.1 – 200.200.200.200 port 25; 10.1.1.2 – 200.200.200.200 port 20: 10.1.1.3 Pat • Port address translation • Allows many stations to share 1 ip address • Depends on keeping track what source port and IP address for each connection • Then select a unique port to associate with the single public IP address Packet Filtering the basis of a firewall Packet Filtering • Firewalls will trust inside addresses • Spoofing: attacker makes their address look like an inside address • Will rely on the TCP ACK bit to determine if a connection is inbound or outbound – will permit all outbound (you to the Inet) by default • Can configure what inbound connections you want to allow (home web server) • Does not work well with certain applications – FTP opens connections from the outside – Media and VOIP use dynamic ports Stateful Inspection Stateful inspection • Look at outbound connection request to the Internet • Remember the addresses and the ports • Only permit traffic from the Internet if it saw that it was initiated from the inside network • All modern firewalls work this way Proxy Server Proxy Server • • • • • Since application is intercepted Can authenticate by user Can log content Can block content by looking at the URLs All web access is via proxy Authentication w/o proxy • Telnet or web to the firewall the login – then can access all other services • Dedicated client – Firewall-1 has a custom client – Firewall contacts client code when user tries to access a service – ask for login and if ok grants it. A firewall: • • • • • Always does packet filters Always does stateful packet filtering Always logs May have a proxy May do authentication Corporate Firewalls • Appliance based – – – – – PIX, FW1 Nokia more expensive Dedicated OS Harder to crack as fewer OS issues Harder to scale (as based on specific hardware) • ‘Computer’ based – Runs on NT or Unix – Can leverage existing computers – Easier to learn at home Home Firewalls • Device Based – Part of your access box or can get a dedicated appliance – May be ‘free’ with a box you are already getting – Does not touch your OS but then may need more configuration – Do not have to touch multiple computers – Does not impact ‘inside the house’ • OS based – Tied into the network stack – Can easily deal with custom apps – May need to modify for home access Linksys Router (appliance) Linksys Router Filtering Linksys Router logs Norton Personal Firewall (part of OS) Application list Summary • If you access the internet at all get an OS based firewall • If you have always on get an appliance based • Or even better use both.