Spring 2005
© 2000-2005, Richard A. Stanley
8: Firewalls
Prof. Richard A. Stanley
EE579T/8 #1

• Review last week’s lesson
• Security in the news
• Firewalls
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #2

• TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited
– Many highly effective attacks target the very basis of the protocol, making them hard to stop
• There are many ways to get access to info
• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources
• Never forget, the best access is hands-on
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #3

• The average number of formidable Internetbased attacks currently are twice as likely to affect power utilities in the United States than financial firms
• Overall number of these attacks is growing
“very rapidly”
• Data shows steady increase in attacks against electronic infrastructure
Source: Securities Industry News
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #4

• Most threats still from inside the firm
• Outside attacks still dominated by hackers
• Government or group sponsored attacks on the rise
• “...for the first time, empirical evidence has led to profiles of attacks that appear to be sponsored by governments or other organizations...”
[Tim Belcher, CEO, Riptech]
Source: Securities Industry News
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #5

• Origin of attacks:
– USA 30%
– South Korea 9%
– China 8%
• Based on number of Internet users, Israel leads the list as a source of attacks
• Beware jumping to conclusions--an attack from Country X may just be using their servers as a jumping-off point
Source: Securities Industry News
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #6

• Firewall Design Principles
– Firewall Characteristics
– Types of Firewalls
– Firewall Configurations
• Trusted Systems
– Data Access Control
– The Concept of Trusted systems
– Trojan Horse Defense
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #7

Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #8

• A router with attitude?
• A device to implement an access control policy?
• A physical device?
• A logical device?
• The preferred solution for network protection?
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #9

• Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet
• Despite common opinion, not a panacea or an “out-of-the-box” security solution
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #10

Firewall means a fire separation of noncombustible construction that subdivides a building or separates adjoining buildings to resist the spread of fire that has a fire-resistance rating as prescribed in the Building Code and that has structural stability to remain intact under fire conditions for the required fire-rated time . (Italics added)
Source: The Ontario Fire Code, § 1.2.1.2
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #11

• Information systems undergo a steady evolution (from small LAN`s to Internet connectivity)
• Strong security features for all workstations and servers not established
• Segregating “inside” from “outside” can offer security advantages
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #12

• The firewall is inserted between the premises network and the Internet or another external network
• Aims:
– Establish a controlled link
– Protect the premises network from Internetbased or “outside” attacks
– Provide a single choke point (good or bad?)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #13

• Design goals:
– All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (defined by the local security policy) will be allowed to pass
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #14

• Design principles:
– The firewall itself is immune to penetration
(use of trusted system with a secure operating system)
– Although this is a noble goal, it is virtually impossible to achieve!
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #15

• Service control
– Determines the types of external services that can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular service requests are allowed to flow
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #16

• User control
– Controls access to a service according to which user is attempting to access it
• Behavior control
– Controls how particular services can be used
(e.g. filter e-mail)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #17

• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #18

• Packet-filtering Router
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #19

• Applies a set of rules to each incoming IP packet and then forwards or discards the packet based on conformance to the rules
• Filters packets going in both directions
• The packet filter is typically set up as a list of rules based on matches to fields in the IP and/or TCP header
• Two default policies (discard or forward)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #20

• Advantages:
– Simple
– Transparent to users
– High speed
• Disadvantages:
– Difficult to set up packet filter rules
– Lack of authentication
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #21

• Possible attacks and appropriate countermeasures
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #22

• Application-level Gateway
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #23

• Also called proxy server
• Acts as a relay of application-level traffic
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #24

• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)
– Speed
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #25

• Circuit-level Gateway
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #26

• Stand-alone system, or
• Specialized function performed by an application-level gateway
• Sets up two TCP connections
• The gateway typically relays TCP segments from one connection to the other without examining the contents
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #27

• Security function consists of determining which connections will be allowed
• Typically used where the system administrator trusts the internal users
• An example is the SOCKS package
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #28

• Bastion Host
– Sometimes called a DMZ
– A system identified by the firewall administrator as a critical strong point in the network´s security
– The bastion host serves as a platform for an application-level or circuit-level gateway
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #29

• In addition to using simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
• Three common configurations
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #30

• Screened host firewall system (singlehomed bastion host)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #31

• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #32

• Greater security than single configurations :
– Implements both packet-level and applicationlevel filtering (allowing for flexibility in defining security policy)
– An intruder must generally penetrate two separate systems (but if outside router compromised, what then?)
• Affords flexibility in providing direct
Internet access (public information server, e.g. Web server)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #33

• Screened host firewall system (dual-homed bastion host)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #34

• Even if the packet-filtering router is completely compromised
– Traffic between the Internet and other hosts on the private network has to flow through the bastion host
– Provides two layers of security
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #35

• Screened-subnet firewall system
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #36

• Most secure configuration of the three
• Two packet-filtering routers are used
– One between bastion host and external network
– One between bastion host and internal network
• Creates an isolated sub-network
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #37

• Advantages:
– Three levels of defense to thwart intruders
– Outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)
– Inside router advertises only the existence of the screened subnet to the internal network
(systems on the inside network cannot construct direct routes to the Internet)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #38

• Useful to enforce security policy at the network edges
– Don’t help against inside threats
• Popularly believed to provide “hardened” security as they come out of the box
• If not properly configured, can introduce more problems than they solve
• Come in both hardware and software flavors, but all have software inside
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #39

• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
• Be careful whom you trust!
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #40

• Through the user access control procedure
(log on), user is identified to the system
• Associated with each user, there is a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
– This is why Win9x cannot be used here
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #41

• General models of access control:
– Access matrix
– Access control list
– Capability list
• We saw all these in Computer Security, in the implementation of security models like
Bell-LaPadula
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #42

• Access Matrix
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #43

• Access Matrix: Basic elements of the model
– Subject: An entity capable of accessing objects, the concept of subject equates with that of process
– Object: Anything to which access is controlled
(e.g. files, programs)
– Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #44

• Access Control List: Decomposition of the matrix by columns
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #45

• Access Control List
– An access control list lists users and their permitted access right
– The list may contain a default or public entry
– This is how Unix handles security, and is the only mechanism available in Unix
• Everything in Unix looks like a text file
• All files have 9-bit permissions in the inode pointer
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #46

• Capability list: Decomposition of the matrix by rows
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #47

• Capability list
– A capability ticket specifies authorized objects and operations for a user
– Each user has a number of tickets
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #48

• Trusted Systems
– Protect data and resources on the basis of levels of security (e.g. military)
– Users can be granted clearances to access certain categories of data
– Trusted systems need not discern levels of permissions; they can operate “system high”
• cf. Telephone systems
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #49

• Multilevel security: multiple categories or levels of data
• Multilevel secure system must enforce:
– No read up: A subject can only read an object of lower or equal security level (BLP Simple Security Property)
– No write down: A subject can only write into an object of greater or equal security level (BLP *-Property)
– May enforce discretionary security (BLP DS property)
• Security levels may be linear or latticed
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #50

• Reference Monitor provides multilevel security for a data processing system
– Reference Monitor is a concept, not a thing
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #51

Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #52

• Controlling element in the security kernel of a computer that regulates access of subjects to objects on basis of security parameters
• The monitor has access to a file (security kernel database)
• The monitor enforces the security rules (no read up, no write down)
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #53

• Complete mediation: Security rules are enforced on every access
• Isolation: Reference monitor and database protected from unauthorized modification
• Verifiability: reference monitor’s correctness must be mathematically provable
– this may be where we bend the rules!
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #54

• A system that can provide such verifications
(properties) is referred to as a trusted system
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #55

• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #56

Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #57

Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #58

• Firewalls are useful tools to mediate access from internal networks to external networks
• Firewalls are not a single-point security solution
• Firewalls cannot protect against a malicious user on the internal network
• Trusted computing systems are needed to enforce security policy
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #59

• Find a copy of the U.S. Code on the ‘Net, and read Title 18, Section 1030
• Choose a firewall product, and describe how you would implement the following security policy:
– Anyone on the inside network may establish any connection they desire from outside
– No one on the outside network may initiate a connection to the inside
Spring 2005
© 2000-2005, Richard A. Stanley
EE579T/8 #60