Chapter 20: Firewalls - PowerPoint PPT Presentation

About This Presentation

Title: Chapter 20: Firewalls

Description: Chapter 20: Firewalls. Special thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Outline: Firewall Design ... – PowerPoint PPT presentation

Number of Views: 135
Avg rating: 3.0/5.0
Slides: 61
Provided by: klp66

Transcript and Presenter's Notes


1
Chapter 20 Firewalls
Special Thanks to our friends at The Blekinge
Institute of Technology, Sweden for providing the
basis for these slides.

2
Outline
  • Firewall Design Principles
  • Firewall Characteristics
  • Types of Firewalls
  • Firewall Configurations
  • Trusted Systems
  • Data Access Control
  • The Concept of Trusted systems
  • Trojan Horse Defense

3
Firewalls
  • Effective means of protecting a local system or
    network of systems from network-based security
    threats while affording access to the outside
    world via WANs or the Internet
  • Information systems undergo a steady evolution
    (from small LANs to Internet connectivity)
  • Strong security features are not established on
    all workstations and servers

4
Why?
  • Systems provide many services by default
  • Many workstations provide remote access to files
    and configuration databases (for ease of
    management and file sharing)
  • Even if configured only for specific users, they
    can sometimes be tricked into providing services
    they shouldn't
  • E.g. missing bounds check in input parsers
  • Also, users sometimes forget to close temporary
    holes
  • E.g. leaving a file system remotely mountable for
    file sharing

5
Why?
  • Firewalls enforce policies that centrally manage
    access to services in ways that workstations
    should, but don't
  • Which services?
  • Finger
  • telnet: requires authentication, but the password
    is sent in the clear
  • rlogin: similar to telnet, but uses IP-address
    based authentication (bad!)
  • ftp: tricky because it uses two connections, a
    control channel from the sender and a data
    connection from the receiver (passive ftp has
    both sender-originated)
  • X Windows
  • ICMP

6
Firewall Design Principles
  • The firewall is inserted between the premises
    network and the Internet
  • Aims
  • Establish a controlled link
  • Protect the premises network from Internet-based
    attacks
  • Provide a single choke point

7
Firewall Characteristics
  • Design goals
  • All traffic from inside to outside must pass
    through the firewall (physically blocking all
    access to the local network except via the
    firewall)
  • Only authorized traffic (defined by the local
    security policy) will be allowed to pass
  • The firewall itself is immune to penetration (use
    of trusted system with a secure operating system)

8
Firewall Characteristics
  • Four general techniques
  • Service control
  • Determines the types of Internet services that
    can be accessed, inbound or outbound
  • Direction control
  • Determines the direction in which particular
    service requests are allowed to flow

9
Firewall Characteristics
  • User control
  • Controls access to a service according to which
    user is attempting to access it
  • Behavior control
  • Controls how particular services are used (e.g.
    filter e-mail)

10
Firewall Limitations
  • Cannot protect against attacks that bypass the
    firewall
  • E.g. an internal modem pool
  • Firewall does not protect against internal
    threats
  • Firewall cannot protect against transfer of virus
    infected programs
  • Too many different apps and operating systems
    supported to make it practical to scan all
    incoming files for viruses

11
Types of Firewalls
  • Three common types of Firewalls
  • Packet-filtering routers
  • Application-level gateways
  • Circuit-level gateways
  • (Bastion host)

12
Types of Firewalls
  • Packet-filtering Router

13
Types of Firewalls
  • Packet-filtering Router
  • Applies a set of rules to each incoming IP packet
    and then forwards or discards the packet
  • Filters packets going in both directions
  • The packet filter is typically set up as a list
    of rules based on matches to fields in the IP or
    TCP header
  • Two default policies (discard or forward)

14
Types of Firewalls
  • Advantages
  • Simplicity
  • Transparency to users
  • High speed
  • Disadvantages
  • Difficulty of setting up packet filter rules
  • Lack of Authentication
  • Who really sent the packet?

15
Firewalls Packet Filters
16
Firewalls Packet Filters
  • Can be clever
  • Allow connections initiated from inside network
    to outside, but not initiated from outside.
  • Traffic flows both ways, but if the firewall only
    allows incoming packets with ACK set in the TCP
    header, this manages the issue.
  • Problem: some apps require the outside node to
    initiate a connection with the inside node (e.g.
    ftp, X Windows), even if the original request was
    initiated by the inside node.
  • Solution (sort of): allow packets from outside if
    they are connecting to a high port number.

17
Stateful Packet Filter
  • Changes filtering rules dynamically (by
    remembering what has happened in recent past)
  • Example: connection initiated from inside node s
    to outside IP address d. For a short time, allow
    incoming connections from d to appropriate ports
    (i.e. the ftp port).
  • In practice, much more caution is used
  • The stateful filter notices the incoming port
    requested by s and only allows connections from d
    to that port. Requires parsing ftp control
    packets
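The connection-tracking behaviour of slide 17, worked through as an added example (hypothetical code, not from the slides or from any product). The filter records inside-initiated TCP connections in a state table with an expiry, admits an inbound packet only if it is the reverse of a tracked connection, and exposes an expect() hook that a control-channel parser would call after seeing the port that inside node s asked for; parse_port_command() does that parsing for an active-mode FTP PORT line. All addresses and the "10.0.0." inside prefix are constructed.

```python
"""Hypothetical stateful packet filter (added example; not from the slides)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source TCP port
    dst: str        # destination IP
    dport: int      # destination TCP port


class StatefulFilter:
    """Remembers recent inside-initiated connections and admits only their replies."""

    def __init__(self, inside_prefix: str, ttl: int = 60):
        self.inside_prefix = inside_prefix   # constructed: "10.0.0." is the premises network
        self.ttl = ttl                       # seconds an entry stays valid
        self.table = {}      # (inside ip, inside port, outside ip, outside port) -> expiry
        self.expected = {}   # (outside ip, inside ip, inside port) -> expiry (one-shot)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if t > now}
        self.expected = {k: t for k, t in self.expected.items() if t > now}

    def expect(self, outside_ip: str, inside_ip: str, inside_port: int, now: float) -> None:
        """Allow outside_ip to open one connection to inside_ip:inside_port for a short time."""
        self.expected[(outside_ip, inside_ip, inside_port)] = now + self.ttl

    def decide(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: record the connection so its replies can come back.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
            return "FORWARD"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_key in self.table:
                self.table[reply_key] = now + self.ttl   # refresh on activity
                return "FORWARD"
            exp_key = (pkt.src, pkt.dst, pkt.dport)
            if exp_key in self.expected:
                # Consume the one-shot expectation and track the new connection.
                del self.expected[exp_key]
                self.table[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.ttl
                return "FORWARD"
            return "DISCARD"
        return "DISCARD"   # inside-to-inside or outside-to-outside: not forwarded here


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str):
    """Parse an active-mode FTP PORT command into (ip, port); None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_scenario() -> list:
    """Constructed walk-through: inside host s opens an FTP control channel to d,
    announces a data port with PORT, and d may connect back to exactly that port."""
    fw = StatefulFilter("10.0.0.")
    s, d = "10.0.0.5", "203.0.113.9"
    log = []
    log.append(fw.decide(Packet(s, 40001, d, 21), now=0))        # control channel out
    log.append(fw.decide(Packet(d, 21, s, 40001), now=1))        # server reply in
    ip, port = parse_port_command("PORT 10,0,0,5,4,1")          # s announces port 1025
    fw.expect(d, ip, port, now=2)                                # only d, only that port
    log.append(fw.decide(Packet(d, 20, s, 1025), now=3))        # data connection in: ok
    log.append(fw.decide(Packet(d, 20, s, 1026), now=4))        # wrong port: refused
    log.append(fw.decide(Packet("198.51.100.7", 20, s, 1025), now=5))  # wrong host: refused
    log.append(fw.decide(Packet(d, 20, s, 40001), now=200))     # entry expired: refused
    return log
```

The expectation is deliberately single-use and bound to both the outside address and the announced port, which is the "much more caution" the slide refers to; a filter that simply opened all high ports to d for a while would admit the wrong-port and wrong-host packets above.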

18
Types of Firewalls
  • Possible attacks and appropriate countermeasures
  • IP address spoofing
  • Discard packet with inside source address if it
    arrives on external interface
  • Source routing attacks
  • Discard all source routed packets

19
Types of Firewalls
  • Possible attacks and appropriate countermeasures
  • Tiny fragment attacks
  • Intruder uses IP fragment option to create
    extremely small IP packets that force TCP header
    information into separate packet fragments
  • Discard all packets where protocol type is TCP
    and IP fragment offset is small
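The packet-filtering router of slides 13 to 19 as one added example (hypothetical code, not from the slides): an ordered rule list with a default policy, the "only ACK-set packets inbound" trick from slide 16, and the three countermeasures from slides 18 and 19 applied before the rule list. The premises network 192.168.1.0/24, the bastion address, the rule set and the sample packets are all constructed; the fragment-offset threshold is an assumption explained in the comment.

```python
"""Hypothetical static packet filter with the slide 18-19 countermeasures (added example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed premises network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False            # TCP ACK flag set
    frag_offset: int = 0         # IP fragment offset, in 8-byte units (0 = first fragment)
    source_routed: bool = False  # IP source-route option present
    iface: str = "external"      # "external" (from the Internet) or "internal"


@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    direction: str = "any"       # "in" (arrived on external), "out" (arrived on internal) or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    ack_required: bool = False   # match only packets with ACK set (slide 16 trick)

    def matches(self, pkt: Packet) -> bool:
        direction = "in" if pkt.iface == "external" else "out"
        if self.direction not in ("any", direction):
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.ack_required and not pkt.ack:
            return False
        return True


def sanity_check(pkt: Packet) -> Optional[str]:
    """Countermeasures applied before the rule list; returns a discard reason or None."""
    if pkt.iface == "external" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return "spoofed inside source address on external interface"
    if pkt.source_routed:
        return "source-routed packet"
    # Assumption: a 20-byte TCP header fits in the first 3 fragment units, so a TCP
    # fragment with offset 1 or 2 carries header fields split off from the first one
    # (RFC 1858 drops the offset-1 case for exactly this reason).
    if pkt.proto == "tcp" and 0 < pkt.frag_offset < 3:
        return "tiny TCP fragment"
    return None


def decide(rules, pkt: Packet, default: str = "discard"):
    """First matching rule wins; otherwise the default policy applies."""
    reason = sanity_check(pkt)
    if reason is not None:
        return "discard", reason
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return default, "default policy"


# Constructed policy: inbound mail to the bastion, replies to inside-initiated TCP, anything outbound.
RULES = [
    Rule("forward", direction="in", dst="192.168.1.10/32", proto="tcp", dport=25),
    Rule("forward", direction="in", proto="tcp", ack_required=True),
    Rule("forward", direction="out", src="192.168.1.0/24"),
]


def demo():
    """Constructed sample packets and the decision the filter makes for each."""
    packets = {
        "mail_to_bastion": Packet("203.0.113.9", "192.168.1.10", "tcp", 40000, 25),
        "telnet_to_host":  Packet("203.0.113.9", "192.168.1.20", "tcp", 40000, 23),
        "reply_to_inside": Packet("203.0.113.9", "192.168.1.20", "tcp", 80, 51000, ack=True),
        "spoofed":         Packet("192.168.1.5", "192.168.1.10", "tcp", 40000, 25),
        "source_routed":   Packet("203.0.113.9", "192.168.1.10", "tcp", 40000, 25, source_routed=True),
        "tiny_fragment":   Packet("203.0.113.9", "192.168.1.20", "tcp", 40000, 23, frag_offset=1),
        "outbound_web":    Packet("192.168.1.20", "203.0.113.9", "tcp", 51000, 80, iface="internal"),
    }
    return {name: decide(RULES, p) for name, p in packets.items()}
```

Note the lack-of-authentication point from slide 14: nothing in decide() can tell who really sent a packet, so the anti-spoofing check only catches the obvious case of an inside source address arriving on the outside interface, and the ACK-set rule trusts a flag the sender controls.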

20
Types of Firewalls
  • Application-level Gateway

21
Types of Firewalls
  • Application-level Gateway
  • Also called proxy server
  • Acts as a relay of application-level traffic
  • Can act as router, but typically placed between
    two packet filtering firewalls (for total of
    three boxes)
  • Two firewalls are routers that refuse to forward
    anything from the global net that is not to
    gateway, and anything to global net that is not
    from gateway.
  • Sometimes called a bastion host (we use the term
    differently)

22
Types of Firewalls
  • Advantages
  • Higher security than packet filters
  • Only need to scrutinize a few allowable
    applications
  • Easy to log and audit all incoming traffic
  • Disadvantages
  • Additional processing overhead on each connection
    (gateway as splice point)

23
Types of Firewalls
  • Circuit-level Gateway

24
Types of Firewalls
  • Circuit-level Gateway
  • Stand-alone system or
  • Specialized function performed by an
    Application-level Gateway
  • Sets up two TCP connections
  • The gateway typically relays TCP segments from
    one connection to the other without examining the
    contents

25
Types of Firewalls
  • Circuit-level Gateway
  • The security function consists of determining
    which connections will be allowed
  • Typical use is a situation in which the system
    administrator trusts the internal users
  • An example is the SOCKS package

26
Types of Firewalls
  • Bastion Host
  • A system identified by the firewall administrator
    as a critical strong point in the network's
    security
  • The bastion host serves as a platform for an
    application-level or circuit-level gateway

27
Firewall Configurations
  • In addition to the use of simple configuration of
    a single system (single packet filtering router
    or single gateway), more complex configurations
    are possible
  • Three common configurations

28
Firewall Configurations
  • Screened host firewall system (single-homed
    bastion host)

29
Firewall Configurations
  • Screened host firewall, single-homed bastion
    configuration
  • Firewall consists of two systems
  • A packet-filtering router
  • A bastion host

30
Firewall Configurations
  • Configuration for the packet-filtering router
  • Only packets from and to the bastion host are
    allowed to pass through the router
  • The bastion host performs authentication and
    proxy functions

31
Firewall Configurations
  • Greater security than single configurations
    because
  • This configuration implements both packet-level
    and application-level filtering (allowing for
    flexibility in defining security policy)
  • An intruder must generally penetrate two separate
    systems

32
Firewall Configurations
  • This configuration also affords flexibility in
    providing direct Internet access (public
    information server, e.g. Web server)

33
Firewall Configurations
  • Screened host firewall system (dual-homed bastion
    host)

34
Firewall Configurations
  • Screened host firewall, dual-homed bastion
    configuration
  • If the packet-filtering router is completely
    compromised, you're still OK
  • Traffic between the Internet and other hosts on
    the private network has to flow through the
    bastion host

35
Firewall Configurations
  • Screened-subnet firewall system

36
Firewall Configurations
  • Screened subnet firewall configuration
  • Most secure configuration of the three
  • Two packet-filtering routers are used
  • Creation of an isolated sub-network

37
Firewall Configurations
  • Advantages
  • Three levels of defense to thwart intruders
  • The outside router advertises only the existence
    of the screened subnet to the Internet (internal
    network is invisible to the Internet)

38
Firewall Configurations
  • Advantages
  • The inside router advertises only the existence
    of the screened subnet to the internal network
    (the systems on the inside network cannot
    construct direct routes to the Internet)
  • Reduces the "chewiness" of the inside network

39
Why Firewalls Don't Work
  • Assume all bad guys are on the outside, and
    everyone inside can be trusted.
  • Firewalls can be defeated if malicious code can
    be injected into corporate network
  • E.g. trick someone into launching an executable
    from an email message or into downloading
    something from the net.
  • Often make it difficult for legitimate users to
    get their work done.
  • Misconfiguration, failure to recognize new app

40
Why Firewalls Don't Work
  • If firewall allows anything through, people
    figure out how to do what they need by disguising
    their traffic as allowed traffic
  • E.g. file transfer by sending it through email.
    If size of emails limited, then user breaks them
    into chunks, etc.
  • Firewall friendly traffic (e.g. using http for
    other purposes)
  • Defeats effort of sysadmin to control traffic
  • Less efficient than not using http

41
Trusted Systems
  • One way to enhance the ability of a system to
    defend against intruders and malicious programs
    is to implement trusted system technology

42
Data Access Control
  • Through the user access control procedure (log
    on), a user can be identified to the system
  • Associated with each user, there can be a profile
    that specifies permissible operations and file
    accesses
  • The operating system can enforce rules based on
    the user profile

43
Data Access Control
  • General models of access control
  • Access matrix
  • Access control list
  • Capability list

44
Data Access Control
  • Access Matrix

45
Data Access Control
  • Access Matrix: basic elements of the model
  • Subject: An entity capable of accessing objects;
    the concept of subject equates with that of
    process
  • Object: Anything to which access is controlled
    (e.g. files, programs)
  • Access right: The way in which an object is
    accessed by a subject (e.g. read, write, execute)

46
Data Access Control
  • Access Control List: Decomposition of the matrix
    by columns

47
Data Access Control
  • Access Control List
  • An access control list lists users and their
    permitted access rights
  • The list may contain a default or public entry

48
Data Access Control
  • Capability list: Decomposition of the matrix by
    rows

49
Data Access Control
  • Capability list
  • A capability ticket specifies authorized objects
    and operations for a user
  • Each user has a number of tickets

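The access matrix of slide 45 and its two decompositions (ACLs by column, slides 46-47; capability tickets by row, slides 48-49), worked through as an added example that is not part of the slides. The matrix, subjects, objects and the public entry are constructed; both decompositions must answer every access question identically, and revoke_from_object() shows the practical difference the slides leave implicit: revoking all access to one object is a single ACL entry but a search of every subject's ticket list.

```python
"""Access matrix and its two decompositions (added example; constructed data)."""

# Constructed access matrix: rows are subjects, columns are objects, cells are rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}, "backup.sh": {"execute"}},
    "guest": {},
}
OBJECTS = ["payroll.db", "report.doc", "backup.sh"]
# Default/public entries (slide 47): rights every subject gets on an object.
PUBLIC = {"report.doc": {"read"}}
RIGHTS = ("read", "write", "execute")


def to_acls(matrix, objects):
    """Column decomposition: for each object, a mapping subject -> rights."""
    acls = {obj: {} for obj in objects}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row decomposition: for each subject, a list of (object, rights) tickets."""
    return {subject: [(obj, frozenset(rights)) for obj, rights in row.items()]
            for subject, row in matrix.items()}


def acl_allows(acls, subject, obj, right, public=PUBLIC):
    """ACL check: look up the object, then the subject; fall back to the public entry."""
    if right in acls.get(obj, {}).get(subject, set()):
        return True
    return right in public.get(obj, set())


def capability_allows(caps, subject, obj, right, public=PUBLIC):
    """Capability check: scan the subject's tickets for one naming obj with that right."""
    if any(o == obj and right in rights for o, rights in caps.get(subject, [])):
        return True
    return right in public.get(obj, set())


def revoke_from_object(acls, caps, obj):
    """Remove every subject's access to obj in both representations."""
    acls[obj] = {}                                   # one entry to clear
    for subject, tickets in caps.items():            # every ticket list must be searched
        caps[subject] = [t for t in tickets if t[0] != obj]


def decisions_agree(matrix=MATRIX, objects=OBJECTS):
    """Both decompositions must answer every (subject, object, right) query identically."""
    acls, caps = to_acls(matrix, objects), to_capabilities(matrix)
    return all(acl_allows(acls, s, o, r) == capability_allows(caps, s, o, r)
               for s in matrix for o in objects for r in RIGHTS)


def revocation_demo(obj="payroll.db"):
    """Returns (ACL answer before, ACL answer after, capability answer after) for alice."""
    acls, caps = to_acls(MATRIX, OBJECTS), to_capabilities(MATRIX)
    before = acl_allows(acls, "alice", obj, "read")
    revoke_from_object(acls, caps, obj)
    return before, acl_allows(acls, "alice", obj, "read"), capability_allows(caps, "alice", obj, "read")
```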
50
The Concept of Trusted Systems
  • Trusted Systems
  • Protection of data and resources on the basis of
    levels of security (e.g. military)
  • Users can be granted clearances to access certain
    categories of data

51
The Concept of Trusted Systems
  • Multilevel security
  • Definition of multiple categories or levels of
    data
  • A multilevel secure system must enforce
  • No read up: A subject can only read an object of
    lower or equal security level (Simple Security
    Property)
  • No write down: A subject can only write into an
    object of greater or equal security level
    (*-Property)

52
The Concept of Trusted Systems
  • Reference Monitor Concept: Multilevel security
    for a data processing system

53
The Concept of Trusted Systems
54
The Concept of Trusted Systems
  • Reference Monitor
  • Controlling element in the hardware and operating
    system of a computer that regulates the access of
    subjects to objects on basis of security
    parameters
  • The monitor has access to a file (security kernel
    database)
  • The monitor enforces the security rules (no read
    up, no write down)
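The reference monitor of slide 54 enforcing the two multilevel rules of slide 51, as an added example (hypothetical code, not from the slides). Every read and write of the object store passes through check(), which consults a constructed security kernel database of clearances and classifications, applies no-read-up and no-write-down, and records the decision in an audit list; unknown subjects or objects are denied. The levels, subjects and object names are constructed.

```python
"""Hypothetical reference monitor enforcing no-read-up / no-write-down (added example)."""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class ReferenceMonitor:
    """Every read and write of the object store goes through check(): complete mediation."""

    def __init__(self, clearances, classifications):
        # Security kernel database (constructed): subject clearances and object labels.
        self._clearance = dict(clearances)
        self._classification = dict(classifications)
        self._store = {obj: None for obj in classifications}
        self.audit = []   # (subject, op, obj, allowed) for every access attempt

    def check(self, subject, obj, op):
        s = self._clearance.get(subject)
        o = self._classification.get(obj)
        if s is None or o is None:
            allowed = False                 # unknown subject or object: deny
        elif op == "read":
            allowed = s >= o                # no read up (simple security property)
        elif op == "write":
            allowed = s <= o                # no write down (*-property)
        else:
            allowed = False                 # unknown operation: deny
        self.audit.append((subject, op, obj, allowed))
        return allowed

    def read(self, subject, obj):
        if not self.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._store[obj]

    def write(self, subject, obj, value):
        if not self.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._store[obj] = value


def build_monitor():
    """Constructed database: one SECRET analyst, one CONFIDENTIAL clerk, two files."""
    return ReferenceMonitor(
        clearances={"analyst": Level.SECRET, "clerk": Level.CONFIDENTIAL},
        classifications={"budget.txt": Level.CONFIDENTIAL, "plans.txt": Level.SECRET},
    )


def scenario():
    """Constructed walk-through; returns which attempts succeeded plus the audit trail."""
    rm = build_monitor()
    results = {}
    for subject, op, obj in [("analyst", "read", "budget.txt"),    # read down: allowed
                             ("clerk", "read", "plans.txt"),       # read up: denied
                             ("analyst", "write", "budget.txt"),   # write down: denied
                             ("clerk", "write", "plans.txt")]:     # write up: allowed
        try:
            if op == "read":
                rm.read(subject, obj)
            else:
                rm.write(subject, obj, "data")
            results[(subject, op, obj)] = True
        except PermissionError:
            results[(subject, op, obj)] = False
    return results, rm.audit
```

The write-up case is the one that surprises people: the *-property stops a SECRET subject leaking into a CONFIDENTIAL file, so a high-clearance user cannot write a note into a lower file even though they can read it. The audit list is what the isolation and verifiability properties on slide 55 protect; in a real system it lives in the security kernel, outside the reach of the subjects it records.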

55
The Concept of Trusted Systems
  • Properties of the Reference Monitor
  • Complete mediation: Security rules are enforced
    on every access
  • Isolation: The reference monitor and database are
    protected from unauthorized modification
  • Verifiability: The reference monitor's
    correctness must be provable (mathematically)

56
The Concept of Trusted Systems
  • A system that can provide such verifications
    (properties) is referred to as a trusted system

57
Trojan Horse Defense
  • Secure, trusted operating systems are one way to
    secure against Trojan Horse attacks

58
Trojan Horse Defense
59
Trojan Horse Defense
60
Recommended Reading
  • Chapman, D., and Zwicky, E. Building Internet
    Firewalls. O'Reilly, 1995
  • Cheswick, W., and Bellovin, S. Firewalls and
    Internet Security: Repelling the Wily Hacker.
    Addison-Wesley, 2000
  • Gasser, M. Building a Secure Computer System.
    Reinhold, 1988
  • Pfleeger, C. Security in Computing. Prentice
    Hall, 1997