Title: Firewalls 2
Cryptography and Network Security, Chapter 20, Fourth Edition, by William Stallings
Firewalls
- BSIT-7th
- Instructor Inam ul Haq
- Inam.bth_at_gmail.com
- University of Okara
Table of Contents
- Introduction
- Limitations
- 3 Generations (Packet Filter, Stateful, Application Level Gateway)
- 2 broad categories (network firewall, host firewall)
- Advantages / Disadvantages
- Firewall Configuration
- Firewall and Malware
- IP Table and Rules
Firewalls
- "The function of a strong position is to make the forces holding it practically unassailable" (On War, Carl von Clausewitz)
- A firewall is a network security system that
monitors and controls the incoming and outgoing
network traffic based on predetermined security
rules. (Wikipedia)
Introduction
- New evolution of information systems
- establishes a barrier between a trusted and an untrusted network
- Firewalls are often categorized as either network firewalls or host-based firewalls
- now everyone wants to be on the Internet
- and to interconnect networks
- has persistent security concerns
- can't easily secure every system in an organisation
- typically use a firewall
- to provide perimeter defence
- as part of a comprehensive security strategy
What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
- only authorized traffic is allowed
- auditing and controlling access
- can implement alarms for abnormal behavior
- provide NAT usage monitoring
- NAT Firewall
- implement VPNs using IPSec (explore yourself)
- must be immune to penetration
Firewall Limitations
- cannot protect from attacks bypassing it
- eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
- cannot protect against internal threats
- eg disgruntled or colluding employees
- cannot protect against transfer of all virus-infected programs or files
- because of the huge range of O/S and file types
Firewalls 1 - Packet Filters
- 3 Generations of Firewall: Packet Filter, Stateful Firewall, Application Layer Firewall
- It looks at the network addresses and ports of the PACKETS and determines if that packet should be allowed or blocked. Also called a stateless firewall.
- Simplest, fastest firewall component
- Foundation of any firewall system
- E.g. Ipfirewall (a software)
- Restricts access to services (ports)
- Possible default policies
- that not expressly permitted is prohibited
- that not expressly prohibited is permitted
Firewalls - Packet Filters
Screening policy actions
- Forward
- The packet is forwarded to the intended recipient
- Drop
- The packet is dropped (without notification)
- Reject
- The packet is rejected (with notification)
- Log
- The packet's appearance is logged (to be combined with another action)
- Alarm
- The packet's appearance triggers an alarm (to be combined with another action)
Screening policies
- There should always be some default rules
- The last rule should be "Drop everything from everyone", which enforces a defensive strategy
- Network monitoring and control messages should be considered
Firewalls - Packet Filters
Stallings Table 20.1 Packet Filtering Examples
- In each set, the rules are applied top to bottom.
- A. Inbound mail is allowed to a gateway host only (port 25 is for incoming SMTP)
- B. explicit statement of the default policy
- C. tries to specify that any inside host can send mail to the outside, but has the problem that an outside machine could be configured to have some other application linked to port 25
- D. properly implements the mail sending rule, by checking that the ACK flag of a TCP segment is set
- E. this rule set is one approach to handling FTP connections
Attacks on Packet Filters
- IP Spoofing
- fake source address to be trusted
- add filters on router to block
- source routing attacks
- attacker sets a route other than default
- block source routed packets
- tiny fragment attacks
- split header info over several tiny packets
- either discard or reassemble before check
Firewalls 2 - Stateful Packet Filters
- traditional packet filters do not examine higher layer context, i.e. matching return packets with the outgoing flow
- also called Circuit Level Gateway
- Operates on the first four OSI layers, to confirm its state
- It checks connection status (flow control)
- Fake connections are exploited in DDoS attacks
- Stateful packet filters address this need
- They examine each IP packet in context
- keep track of client-server sessions
- check each packet validly belongs to one
- Hence are better able to detect bogus packets out of context
Firewall Example
Advantage/Disadvantage
- One screening router can protect a whole network
- Packet filtering is extremely efficient
- Packet filtering is widely available
- Current filtering tools are not perfect
- Some policies are difficult to enforce
- Packet filtering generates extra load for the router
Firewalls 3 - Application Level Firewall
- It can "understand" certain applications and protocols (such as FTP, DNS, or HTTP). This is useful as it is able to detect if an unwanted application or service is attempting to bypass the firewall using a proxy. (Wikipedia)
- user requests service from proxy
- proxy validates request as legal
- then actions request and returns result to user
- can log / audit traffic at application level
- need separate proxies for each service
- some services naturally support proxying
- others are more problematic
Firewalls - Application Level Gateway (or Proxy)
Advantage/Disadvantage
- Proxies can do intelligent filtering
- Proxies can provide logging and caching
- Proxies can provide user-level authentication
- Proxies cause a delay
- Proxies can require modifications to clients
- Proxies may require a different server for each service
A Proxy Server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers (Wikipedia)
Firewall Configurations
2 Broad Categories
- Network Firewall
- It filters traffic between two or more networks.
- Can be either hardware or software
- Host Firewall
- It provides a layer of software on one host that controls network traffic in and out of that single machine.
Evaluating a Firewall
- Scalability
- Reliability and Redundancy
- Auditability
- Price (Hardware, Software, Setup, Maintenance)
- Management and Configuration
Firewalls and Malware
- Should preferably control both incoming and outgoing traffic
- Windows XP firewall controls only incoming traffic
- Trojans can start up servers on the inside
- Firewall should preferably inspect packets on the application layer
- Network layer based packet filters do not provide adequate protection
Firewalls and Malware
- New worms/viruses often try to kill firewall and anti-virus processes
- Tunneled Worms
- Tunnel an IP packet within another IP packet to hide the real IP header
- Tunneling program can be built into Trojans
Tunneled IP packet
IP Tables
- IP Tables is the standard kernel firewall system for Linux since Kernel 2.4.x
- Packet Filtering and NAT for Linux
Rule
iptables -t table command match target/jump
- -t table
- nat (PREROUTING, POSTROUTING)
- mangle (PREROUTING, POSTROUTING)
- filter (default) (FORWARD, INPUT, OUTPUT)
Rule
iptables -t table command match target/jump
- Command
- -P, --policy
- -A, --append
- -D, --delete
- -R, --replace
- -L, --list
- ...
Rule
iptables -t table command match target/jump
- Match (generic)
- -p, --protocol (TCP, UDP, ICMP)
- -s, --source (IP address/port)
- -d, --destination (IP address/port)
- -i, --in-interface (eth0, eth1, ppp1)
- -o, --out-interface (eth0, eth1, ppp1)
- -m, --match (special commands)
Example Rules
- iptables -P FORWARD DROP
- Introduce the general policy to drop all packets
- iptables -t nat -P PREROUTING ACCEPT
- Accept prerouting NAT traffic
- iptables -A FORWARD -i eth1 -p tcp -d 193.10.221.184 --dport 80 -j ACCEPT
- Accept all TCP connections to port 80 coming in at my second network interface to my IP
- iptables -A FORWARD -m limit --limit 3/minute -j LOG
- Log all refused connections, but max. 3 per minute
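The following script is an added example, not part of the slides: it turns the screening policy of slide 10 (default rules, "drop everything" last, logging combined with drop), the stateful matching of slide 14 and rule sets A, B and D of Stallings Table 20.1 into one iptables FORWARD chain. It assumes a constructed layout where eth0 faces the Internet, eth1 the internal network, and 193.10.221.184 (the IP from the slides) is the internal mail gateway; the helper names ipt, apply_rules, rule_count, last_rule and policy_line are my own.

```shell
#!/bin/sh
# Added example (not from the slides): default-deny FORWARD rules for a
# screening router. Assumptions (constructed): eth0 = Internet side,
# eth1 = internal network, 193.10.221.184 = internal mail gateway.
EXT_IF="eth0"
MAIL_GW="193.10.221.184"

# Run iptables, or only print the command when DRY_RUN=1, so the rule set
# can be reviewed or tested on a host without root or iptables installed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F FORWARD                    # start from an empty chain
    # Set B: the default policy stated explicitly (not permitted = prohibited)
    ipt -P FORWARD DROP
    # Stateful matching (slide 14): packets belonging to a connection the
    # router has already seen are accepted, whichever direction they travel
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Set A: inbound mail may reach the gateway host only (SMTP, port 25)
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$MAIL_GW" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Set D: inside hosts may open SMTP connections outward. Only NEW
    # connections from the inside match, so an outside machine that binds
    # port 25 itself (the set C weakness) cannot open connections inward.
    ipt -A FORWARD ! -i "$EXT_IF" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything left is refused: log it (max. 3 entries a minute) and then
    # drop it explicitly, so the last rule is "drop everything from everyone"
    ipt -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FW-DROP: "
    ipt -A FORWARD -j DROP
}

# Helpers that inspect the generated rule list without touching the kernel
rule_count()  { DRY_RUN=1 apply_rules | wc -l | tr -d ' '; }
last_rule()   { DRY_RUN=1 apply_rules | tail -n 1; }
policy_line() { DRY_RUN=1 apply_rules | grep -- '-P FORWARD'; }

# "show" prints the rules for review; "apply" installs them (needs root)
case "${1:-}" in
    show)  DRY_RUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```

Run `sh firewall.sh show` first and check that the policy line and the final DROP rule are where the screening policy requires them before using `apply`.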