CSCE 522 Firewalls

CSCE 522 Firewalls. CSCE 522 - Farkas2 Readings Pfleeger: 7.4


Page 1: CSCE 522 Firewalls

Page 2: Readings
Pfleeger: 7.4

Page 3: Traffic Control – Firewall
– Building sense: a brick wall placed between apartments to prevent fire from spreading from one apartment to the next
– Network sense: a single, narrow checkpoint placed between two or more networks, where security and audit controls can be imposed on the traffic that passes through it

Page 4: Firewall
– A security wall between the private (protected) network and the outside world
[Figure: Private Network – Firewall – External Network]

Page 5: Firewall Objectives
– Keep intruders, malicious code and unwanted traffic or information out
– Keep proprietary and sensitive information in
[Figure: Private Network – Firewall – External Network; proprietary data stays inside, external attacks stay outside]

Page 6: Without Firewalls
Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security relies entirely on host security, and all hosts must cooperate to achieve a high level of security – almost impossible

Page 7: Common Firewall Features
– Routing information about the private network can't be observed from outside: traceroute and ping -o can't "see" internal hosts
– Users wishing to log on to an internal host must first log onto a firewall machine

Page 8: Trade-Off between Accessibility and Security
[Figure: Accessibility vs. Security – Service Access Policy]

Page 9: Firewall Advantages
– Protection for vulnerable services
– Controlled access to site systems
– Concentrated security
– Enhanced privacy
– Logging and statistics on network use and misuse
– Policy enforcement

Page 10: Controlled Access
– A site can prevent outside access to its hosts except for special cases (e.g., a mail server)
– Do not give access to a host that does not require it
– Some hosts can be reached from outside, some cannot
– Some hosts can reach outside, some cannot

Page 11: Concentrated Security
– A firewall is less expensive than securing all hosts
– All or most modified software and additional security software is placed on the firewall only (no need to distribute it to many hosts)
– Other network security mechanisms (e.g., Kerberos) involve modification at each host system

Page 12: Enhanced Privacy
– Even innocuous information may contain clues that can be used by attackers
– E.g., finger: information about the last login time, when e-mail was read, etc.
– From this one can infer how often the system is used, who the active users are, and whether the system can be attacked without drawing attention

Page 13: Logging and Statistics on Network Use, Misuse
– If all access to and from the Internet passes through the firewall, the firewall can in principle log every access and provide statistics about system usage
– Alarms can be added to indicate suspicious activity, probes and attacks – double duty as an IDS on smaller networks
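An added example (not from the slides) of the two uses just listed: usage statistics and a probe alarm, computed over a constructed packet-filter log. The log format, the 60-second window and the five-port threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a packet-filter log: timestamp, action, source, destination, dest port
LOG = """\
2024-03-01T10:00:01 DENY 203.0.113.5 10.0.0.7 22
2024-03-01T10:00:02 DENY 203.0.113.5 10.0.0.7 23
2024-03-01T10:00:02 DENY 203.0.113.5 10.0.0.7 25
2024-03-01T10:00:03 DENY 203.0.113.5 10.0.0.7 80
2024-03-01T10:00:03 DENY 203.0.113.5 10.0.0.7 110
2024-03-01T10:00:04 DENY 203.0.113.5 10.0.0.7 143
2024-03-01T10:00:10 PERMIT 198.51.100.4 10.0.0.25 25
2024-03-01T10:05:00 DENY 198.51.100.4 10.0.0.25 22
2024-03-01T10:30:00 DENY 198.51.100.4 10.0.0.25 23
"""

LINE = re.compile(r"(\S+) (PERMIT|DENY) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (time, action, src, dst, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, action, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), action, src, dst, int(port)

def usage_statistics(text):
    """Permitted vs. denied packet counts per internal destination (the 'statistics' view)."""
    stats = defaultdict(lambda: {"PERMIT": 0, "DENY": 0})
    for _ts, action, _src, dst, _port in parse_log(text):
        stats[dst][action] += 1
    return dict(stats)

def probe_alarms(text, window=timedelta(seconds=60), threshold=5):
    """Alarm on any source whose denied packets touched at least `threshold`
    distinct destination ports within a sliding `window` (the 'probe' signature)."""
    denied = defaultdict(list)                      # src -> [(time, dport)]
    for ts, action, src, _dst, port in parse_log(text):
        if action == "DENY":
            denied[src].append((ts, port))
    alarms = {}
    for src, hits in denied.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alarms[src] = len(ports)            # distinct ports seen in the window
                break
    return alarms
```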

Page 14: Policy Enforcement
– Means for implementing and enforcing a network access policy
– Access control for users and services
– Cannot replace a good education/awareness program, however: knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall

Page 15: Firewall Disadvantages
– Restricted access to desirable services
– Large potential for back doors
– No protection from insider attacks
– No protection against data-driven attacks
– Cannot protect against newly discovered attacks – policy/situation dependent
– Large learning curve

Page 16: Restricted Access to Desirable Services
– May block services that users want, e.g., telnet, ftp, X Windows, NFS, etc.
– Need a well-balanced security policy
– Similar problems would occur with host access control
– Network topology may not fit the firewall design, e.g., insecure services used across major gateways
– Need to investigate other solutions (e.g., Kerberos)

Page 17: Back Doors
– Firewalls DO NOT protect against back doors into the site: e.g., if unrestricted modem access is still permitted into a site, an attacker could go around the firewall
– Legacy network topology in large networks

Page 18: Little Protection from Insider Attacks
– Generally does not provide protection from insider threats
– Sneaker net: an insider may copy data onto tape or print it and take it out of the facility

Page 19: Data-Driven Attacks
– Viruses: users downloading virus-infected personal computer programs
– Executable content: Java applets, ActiveX controls, JavaScript, VBScript
– End-to-end encryption
– Tunneling/encapsulation

Page 20: Other Issues
– Throughput: potential bottleneck (all connections must pass through the firewall)
– Single point of failure: concentrates security in one spot, so a compromised firewall is a disaster
– Complexity: feature bloat
– Some services do not work well with firewalls
– Lack of standard performance measurements or techniques

Page 21: Firewall Components
– Firewall administrator
– Firewall policy
– Packet filters: transparent – do not change traffic, only pass it
– Proxies: active – intercept traffic and act as an intermediary

Page 22: Firewall Administrator
– Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
– Knowledge of the workings of applications that run over the lower-level protocols
– Knowledge of the interaction between the firewall implementation and traffic
– Vendor-specific knowledge

Page 23: Firewall Policy
– High-level policy: service access policy
– Low-level policy: firewall design policy
– Firewall policy should be flexible!

Page 24: Service Access Policy
– Part of the network security policy
– Goal: keep outsiders out
– Must be realistic and reflect the required security level
– Full security vs. full accessibility

Page 25: Firewall Design Policy
Refinement of the service access policy for a specific firewall configuration
Defines:
– How the firewall achieves the service access policy
– Unique to a firewall configuration
– Difficult!

Page 26: Firewall Design Policy
Approaches:
– Open system: permit any service unless explicitly denied (maximal accessibility)
– Closed system: deny any service unless explicitly permitted (maximal security)

Page 27: Simple Packet Filters
– Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded
– Header information is used for filtering (e.g., protocol number, source and destination IP addresses, source and destination port numbers, etc.)
– Stateless: each IP packet is examined in isolation from what has happened in the past
– Often implemented by a router (screening router)
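An added example, not from the slides, tying Page 26 to Page 27: a stateless, header-only rule engine with first-match semantics, run under both design policies. The addresses, the mail-server rule and the telnet rule are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at (constructed, not a real parser)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    src: str = "0.0.0.0/0"         # source network (CIDR)
    dst: str = "0.0.0.0/0"         # destination network (CIDR)
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules, p: Packet, default: str) -> str:
    """Stateless decision: first matching rule wins; with no match, the design
    policy's default applies. Nothing about earlier packets is consulted."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed site: 10.0.0.0/8 is the private network, 10.0.0.25 its mail server
RULES = [
    Rule("permit", "tcp", dst="10.0.0.25/32", dport=25),   # SMTP to the mail server only
    Rule("deny",   "tcp", dst="10.0.0.0/8",   dport=23),   # telnet from outside is never allowed
]
OPEN = "permit"     # open system: permit unless explicitly denied
CLOSED = "deny"     # closed system: deny unless explicitly permitted

def decide(p: Packet) -> dict:
    """Same rule set under both design policies; they differ only on unlisted services."""
    return {"open": filter_packet(RULES, p, OPEN),
            "closed": filter_packet(RULES, p, CLOSED)}
```

Note that an inbound packet for a service nobody wrote a rule for (NFS on port 2049, say) is admitted by the open policy and refused by the closed one.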

Page 28: Simple Packet Filter
– Placing a simple router (or similar hardware) between the internal network and the "outside"
– Allow/prohibit packets from certain services
[Figure: Private Network – Packet Filter – Outside; packet-level rules applied at the filter]

Page 29: Simple Packet Filters
Advantages:
– Does not change the traffic flow or characteristics – passes it through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on the current rules

Page 30: Simple Packet Filters
Disadvantages:
– Direct communication between multiple hosts and the internal network
– Unsophisticated (protects against simple attacks)
– Calibrating the rule set may be tricky
– Limited auditing
– Single point of failure

Page 31: Stateful Packet Filters
– Called stateful inspection or dynamic packet filtering
– Check Point patented this technology in 1997
– Maintains a history of previously seen packets to make better decisions about current and future packets
– Check out: Check Point, Stateful Inspection Technology, http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf
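An added example (not from the slides or from Check Point's product) of what "maintaining a history" buys: a minimal TCP connection table that admits inbound packets only when they belong to a connection opened from inside, beside the best a stateless filter can do. The flag handling is deliberately simplified, as the comments note.

```python
from typing import Dict, NamedTuple, Tuple

class Pkt(NamedTuple):
    direction: str      # "out" = private -> outside, "in" = outside -> private
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

class StatefulFilter:
    """Remembers TCP connections opened from the private network and admits an
    inbound packet only if it belongs to one of them."""
    def __init__(self):
        # (internal host, internal port, external host, external port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def inspect(self, p: Pkt) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"             # new outbound connection
            elif key in self.table:
                if p.flags & {"FIN", "RST"}:
                    del self.table[key]                  # simplified: drop on first FIN/RST
                elif self.table[key] == "SYN_ACK_SEEN":
                    self.table[key] = "ESTABLISHED"      # third step of the handshake
            return "permit"
        key = (p.dst, p.dport, p.src, p.sport)           # inbound: reverse the tuple
        state = self.table.get(key)
        if state is None:
            return "deny"                                # no history for this packet
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_ACK_SEEN"
        elif p.flags & {"FIN", "RST"}:
            del self.table[key]
        return "permit"

def stateless_established_rule(p: Pkt) -> str:
    """What a stateless filter can do at best: treat any inbound packet carrying
    ACK as a reply to something, since it has no memory of outbound packets."""
    if p.direction == "out":
        return "permit"
    return "permit" if "ACK" in p.flags else "deny"
```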

Page 32: Proxy Firewalls
[Figure – View: Private Network – Bastion Host – Outside; Reality: Private Network – Proxy Server – Outside]

Page 33: Proxy Firewalls
– Application gateways: work at the application layer, so they must understand and implement the application protocol; also called application-level gateways or proxy servers
– Circuit-level gateways: work at the transport layer; e.g., SOCKS

Page 34: Application Gateways
– Interconnects one network to another for a specific application
– Understands and implements the application protocol
– Good for higher-level restrictions
[Figure: Client – Application Gateway – Server]

Page 35: Application Gateways
Advantages, compared with permitting application traffic directly to internal hosts:
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
– Cost effective: third-party software and hardware for authentication and logging are needed only on the gateway
– Less complex filtering rules for packet-filtering routers: they need to check only the destination
– Most secure

Page 36: Application Gateways
Disadvantages:
– Keeping up with new applications
– Need to know all aspects of the protocols
– May need to modify application clients/protocols

Page 37: Circuit-Level Gateways
– Basically a generic proxy server for TCP
– Works like an application-level gateway, but at a lower level
– SOCKS: the most widely known circuit-level gateway

Page 38: Circuit-Level Gateways
Advantages:
– Don't need a separate proxy server for each application
– Provides an option for applications for which proxy servers don't yet exist
– Simpler to implement than application-specific proxy servers
– Most open-source packages can be easily extended to use SOCKS

Page 39: Circuit-Level Gateways
Disadvantages:
– No knowledge of higher-level protocols – can't scan for active content or disallowed commands
– Can only handle TCP connections – new extensions proposed for UDP
– Proprietary packages: TCP/IP stacks must be modified by the vendor to use circuit-level gateways
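An added example for Pages 37 to 39, not from the slides or from any SOCKS implementation: the server side of the SOCKS5 setup exchange from RFC 1928 (method negotiation, then the CONNECT request), with a policy applied to the only thing a circuit-level gateway gets to see, the destination host and port. The allowed-port set is an assumption; IPv6 targets and the actual relaying of the circuit are left out.

```python
import struct

# Field values from RFC 1928 (SOCKS Protocol Version 5)
VER = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_FAIL, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07

def negotiate_method(greeting: bytes) -> bytes:
    """Step 1: client sends VER NMETHODS METHODS; reply with the method we accept."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated method list")
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])

def parse_request(req: bytes):
    """Step 2: decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port).
    IPv4 and domain-name targets only; IPv6 is left out of this illustration."""
    if len(req) < 5 or req[0] != VER or req[2] != 0:
        raise ValueError("bad request header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = ".".join(str(b) for b in req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return cmd, host, struct.unpack("!H", rest)[0]

# Constructed circuit policy: the gateway sees only the destination host and port,
# never the application bytes that will later flow through the circuit
ALLOWED_PORTS = {80, 443}

def handle_request(req: bytes) -> bytes:
    """Apply the policy and build the reply VER REP RSV ATYP BND.ADDR BND.PORT."""
    try:
        cmd, _host, port = parse_request(req)
        if cmd != CMD_CONNECT:
            rep = REP_CMD_UNSUPPORTED
        elif port not in ALLOWED_PORTS:
            rep = REP_RULESET          # "connection not allowed by ruleset"
        else:
            rep = REP_OK               # a real gateway would open the TCP circuit now
    except ValueError:
        rep = REP_FAIL
    return bytes([VER, rep, 0, ATYP_IPV4]) + bytes(6)   # BND.ADDR/PORT zeroed: no socket here
```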

Page 40: Home Users
– Home routers come with a built-in firewall, generally a simple packet filter
– Can block all incoming connections on all ports if desired; open connections as needed
– Example: to download files from outside using FTP, allow incoming connections on port 21

Page 41: Windows Firewall
Functionality:
– Helps block computer viruses and worms from reaching your computer
– Asks for your permission to block or unblock certain connection requests
– Allows you to create a record (a security log), if you want one, of successful and unsuccessful attempts to connect to your computer

Page 42: Windows Firewall
What it does not do:
– Detect or disable computer viruses and worms if they are already on your computer
– Stop you from opening e-mail with dangerous attachments
– Block spam or unsolicited e-mail from appearing in your inbox

Page 43: Third Party Firewalls
Ranging in price between FREE and $50 on average:
– ZoneAlarm Pro 5
– PC-Cillin 2004 Internet Security
– Norton Personal Firewall 2005
– McAfee Personal Firewall 6.0 2005

Page 44: Firewall Evaluation
– Level of protection on the private network: prevented attacks, missed attacks, amount of damage to the network
– How well the firewall itself is protected: possibility of compromise, detection of the compromise, effect of a compromise on the protected network
– Ease of use
– Efficiency, scalability, redundancy
– Expense

Page 45: Next Class: Intrusion Detection