Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)


Page 1

Firewalls

Fred P. Baker

CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Page 2

Firewalls are not just for companies any more: the changing home

Page 3

High-speed Internet connections drive the importance of security

Page 4

The home network: always on the Net

Page 5

Always on, all hackers all the time

• For me to attack your system, I must send packets to it

• With dial-up, you get a different IP address for each call and in relative terms that call is not long

• Big issue is that you will have the same IP address for a long time with persistent connections

• You may have the same IP address ALL the time

• So plenty of time for someone to go after you

• Personal PCs have the standard OS vulnerabilities

• Private Web servers are easy targets

Page 6

Windows file sharing does not help

• Admin Shares
  – C$
  – On by default in Win 9* and older NT

• Browser Service
  – Network Neighborhood
  – Could see everyone else's PCs

• Hard to turn it off on Internet-facing interfaces

• Who cares? QDATA.*

Page 7

Multiple security problems

Defense in Depth

Page 8

The tradeoffs

Page 9

Costs

• Dollars for the software

• Download of updates

• Customization
  – most software out of the box works fine
  – File and print sharing on your home LAN
  – special apps

• Checking logs

Page 10

Example of customization

Page 11

The firewall: The first line of defense

Page 12

What a firewall does not do

Page 13

Firewall technologies

• Network Address Translation

Page 14

A digression, TCP/IP

Page 15

Internet Protocol

Page 16

TCP

Page 17

TCP connection flow

• The SYN is unique to session start

Page 18

TCP Ports Identify the App

Page 19

IP addresses

Page 20

‘Private’ IP addresses

• Routable IP addresses are scarce

• Not every system in the world needs direct and always-on access to the Internet

• Private addresses allow you to address many more systems than the ‘public’ address space (public addresses can be routed over the Internet)

• For a private-addressed system to access the Internet it must be translated to a public address

• Private addresses are defined by RFC 1918
  – 10.*.*.*, 172.16.*.*-172.31.*.*, 192.168.*.*

Page 21

Public IP address assignment

• If you are dialing up, you get one for the duration of the call and it will change

• If you are on an ‘always on’ connection you MAY get one
  – Providers charge for more than 1 permanent IP address
  – Some cable systems change your address so you can't host a server without them knowing (and of course you paying)

• To address multiple PCs and have them access the Internet you must NAT

Page 22

Network Address Translation

Page 23

Enterprise NAT

• NAT is also used to ‘hide’ addresses
  – Remote end can only see the NATed address, not the real one

• Both ends use private addresses

• And will often have duplicates (10.1.1.1)

• So will often ‘dual NAT’, that is, translate both source and destination

• Can even map ports so 1 address, multiple servers
  – 200.200.200.200 port 80 → 10.1.1.1
  – 200.200.200.200 port 25 → 10.1.1.2
  – 200.200.200.200 port 20 → 10.1.1.3

Page 24

PAT

• Port Address Translation

• Allows many stations to share 1 IP address

• Depends on keeping track of what source port and IP address is used for each connection

• Then select a unique port to associate with the single public IP address

Page 25

Packet Filtering: the basis of a firewall

Page 26

Packet Filtering

• Firewalls will trust inside addresses

• Spoofing: attacker makes their address look like an inside address

• Will rely on the TCP ACK bit to determine if a connection is inbound or outbound
  – will permit all outbound (you to the Inet) by default

• Can configure what inbound connections you want to allow (home web server)

• Does not work well with certain applications
  – FTP opens connections from the outside
  – Media and VoIP use dynamic ports
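The packet-filter rules described on this slide, written out as an added example (not code from the presentation): an anti-spoofing check on the outside interface, trust for inside sources, an explicit allow for a home web server, and the ACK-bit rule for inbound traffic. The LAN prefix, the allowed port and the sample packets are constructed for the example.

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.1."      # constructed RFC 1918 home LAN prefix
ALLOWED_INBOUND = {80}         # services the owner chose to expose (the "home web server")

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool     # TCP ACK flag as carried in the header
    iface: str    # interface the packet arrived on: "inside" or "outside"

def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)

def stateless_filter(pkt: Packet) -> str:
    """Decide 'permit' or 'drop' from the fields of this one packet only."""
    # Anti-spoofing: a packet from the Internet must never claim an inside source.
    if pkt.iface == "outside" and is_inside(pkt.src):
        return "drop"
    # Inside addresses are trusted: everything outbound is permitted by default.
    if pkt.iface == "inside" and is_inside(pkt.src):
        return "permit"
    # Inbound: explicitly configured services are allowed...
    if pkt.dport in ALLOWED_INBOUND:
        return "permit"
    # ...as is anything with ACK set, which a stateless filter takes to be the
    # reply half of a connection the inside started (only a new SYN lacks ACK).
    if pkt.ack:
        return "permit"
    return "drop"

# Constructed sample traffic: (description, packet).
SAMPLES = [
    ("outbound web request", Packet("192.168.1.10", "198.51.100.7", 443, False, "inside")),
    ("spoofed inside source arriving from outside", Packet("192.168.1.10", "192.168.1.20", 445, False, "outside")),
    ("new inbound to the home web server", Packet("203.0.113.5", "192.168.1.10", 80, False, "outside")),
    ("new inbound to file sharing", Packet("203.0.113.5", "192.168.1.10", 445, False, "outside")),
    ("inbound with ACK set", Packet("203.0.113.5", "192.168.1.10", 3000, True, "outside")),
]

def run_samples() -> dict:
    """Map each sample's description to the filter's verdict."""
    return {desc: stateless_filter(pkt) for desc, pkt in SAMPLES}

if __name__ == "__main__":
    for desc, verdict in run_samples().items():
        print(f"{verdict:6} {desc}")
```

The last sample shows the limit of this approach: the filter permits the packet purely because the ACK flag is set, with no record of an inside host having started that connection, which is the gap stateful inspection closes.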

Page 27

Stateful Inspection

Page 28

Stateful inspection

• Look at outbound connection request to the Internet

• Remember the addresses and the ports

• Only permit traffic from the Internet if it saw that it was initiated from the inside network

• All modern firewalls work this way
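The connection tracking that the PAT slide (page 24) and this stateful-inspection slide both rely on, plus the static port mapping from page 23, as one added example that is not code from the presentation. The router keeps a table of flows it saw leave, allocates a unique public port per flow, reverse-translates only inbound packets whose remote endpoint matches a tracked flow, and otherwise admits only explicitly forwarded services. The public address, LAN addresses and starting port are constructed.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"    # constructed public address of the home router

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class PatRouter:
    # Static port mapping, one public address serving several inside hosts
    # (slide 23): public port -> (inside address, inside port).
    port_forwards: dict = field(default_factory=dict)
    # Connection table filled from outbound traffic (slides 24 and 28).
    table: dict = field(default_factory=dict)    # inside flow -> public port
    reverse: dict = field(default_factory=dict)  # public port -> inside flow
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN and remember the flow."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.table:
            # Select a public port not yet used by any tracked flow, so two
            # inside hosts using the same source port remain distinguishable.
            self.table[flow] = self.next_port
            self.reverse[self.next_port] = flow
            self.next_port += 1
        return Packet(PUBLIC_IP, self.table[flow], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet, or return None to drop it."""
        if pkt.dst != PUBLIC_IP:
            return None
        flow = self.reverse.get(pkt.dport)
        # Stateful check: accept only if the remote endpoint matches the one an
        # inside host contacted on this public port.
        if flow and (pkt.src, pkt.sport) == (flow[2], flow[3]):
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])
        # Otherwise only an explicitly forwarded service (a home web server) gets in.
        fwd = self.port_forwards.get(pkt.dport)
        if fwd:
            return Packet(pkt.src, pkt.sport, fwd[0], fwd[1])
        return None   # unsolicited: no inside host initiated this
```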

Page 29

Proxy Server

Page 30

Proxy Server

• Since the application is intercepted

• Can authenticate by user

• Can log content

• Can block content by looking at the URLs

• All web access is via proxy

Page 31

Authentication w/o proxy

• Telnet or web to the firewall to log in
  – then can access all other services

• Dedicated client
  – Firewall-1 has a custom client
  – Firewall contacts client code when user tries to access a service
  – asks for login and if OK grants it

Page 32

A firewall:

• Always does packet filters

• Always does stateful packet filtering

• Always logs

• May have a proxy

• May do authentication

Page 33

Corporate Firewalls

• Appliance based
  – PIX, FW1 Nokia
  – more expensive
  – Dedicated OS
  – Harder to crack as fewer OS issues
  – Harder to scale (as based on specific hardware)

• ‘Computer’ based
  – Runs on NT or Unix
  – Can leverage existing computers
  – Easier to learn at home

Page 34

Home Firewalls

• Device based
  – Part of your access box or can get a dedicated appliance
  – May be ‘free’ with a box you are already getting
  – Does not touch your OS but then may need more configuration
  – Do not have to touch multiple computers
  – Does not impact ‘inside the house’

• OS based
  – Tied into the network stack
  – Can easily deal with custom apps
  – May need to modify for home access

Page 35

Linksys Router (appliance)

Page 36

Linksys Router Filtering

Page 37

Linksys Router logs

Page 38

Norton Personal Firewall (part of OS)

Page 39

Application list

Page 40

Summary

• If you access the Internet at all, get an OS-based firewall

• If you have an always-on connection, get an appliance-based one

• Or even better, use both.