FIREWALLS

FIREWALLS

Firewall: isolates organization’s internal net from larger Internet, allowingsome packets to pass, blocking others

FIREWALLS: WHY

Prevent denial of service attacks:

SYN flooding: attacker establishes many bogus TCP connections, noresources left for “real” connections

Prevent illegal modification/access of internal data

e.g., attacker replaces CIA’s homepage with something else

Allow only authorized access to inside network

set of authenticated users/hosts

TYPES

TYPESThree types of firewalls:

1. stateless packet filters

2. stateful packet filters

3. application gateways

STATELESS PACKET FILTERING

STATELESS PACKET FILTERINGinternal network connected to Internet via router firewall

router filters packet-by-packet, decision to forward/drop packet basedon:

source IP address, destination IP address

TCP/UDP source and destination port numbers

ICMP message type

TCP SYN and ACK bits

EXAMPLE 1Block incoming and outgoing datagrams with IP protocol field = 17 and

with either source or dest port = 23

result: all incoming, outgoing UDP flows and telnet connections areblocked

EXAMPLE 2block inbound TCP segments with ACK=0.

result: prevents external clients from making TCP connections withinternal clients, but allows internal clients to connect to outside.

MORE EXAMPLESPolicy Firewall Setting

No outside Web access. Drop all outgoing packets to anyIP address, port 80

No incoming TCP connections,except those for institution’spublic Web server only.

Drop all incoming TCP SYNpackets to any IP except130.207.244.203, port 80

Prevent Web-radios from eatingup the available bandwidth.

Drop all incoming UDP packets -except DNS and routerbroadcasts.

MORE EXAMPLESPolicy Firewall Setting

Prevent your network from beingused for a smurf DoS attack.

Drop all ICMP packets going to a“broadcast” address (e.g.130.207.255.255).

Prevent your network from beingtracerouted

Drop all outgoing ICMP TTLexpired traffic

ACCESS CONTROL LISTS

ACL: Table of rules, applied top to bottom to incoming packets: (action,condition) pairs

ACCESS CONTROL LISTS (1)action source

addressdestaddress

protocol sourceport

destport

flagbit

allow 222.22/16 outside222.22/16

TCP >1023

80 any

allow outside222.22/16

222.22/16 TCP 80 >1023

ACK

allow 222.22/16 outside222.22/16

UDP >1023

80 -

ACCESS CONTROL LISTS (2)action source

addressdestaddress

protocol sourceport

destport

flagbit

allow outside222.22/16

222.22/16 UDP 80 >1023

-

deny all all all all all all

STATEFUL PACKET FILTERINGStateless packet filter: heavy handed tool

Admits packets that "make no sense," e.g., dest port = 80, ACK bit set, eventhough no TCP connection established:

action sourceaddress

destaddress

protocol sourceport

destport

flagbit

allow outside222.22/16

222.22/16 TCP 80 >1023

ACK

STATEFUL PACKET FILTERING

Track status of every TCP connection

track connection setup (SYN), teardown (FIN): determine whetherincoming, outgoing packets "makes sense"

timeout inactive connections at firewall: No longer admit packets

ACLACL augmented to indicate need to check connection state table before

admitting packet

ACL (1)action source

addressdestaddress

ptcl sourceport

destport

flagbit

checkconxion

allow 222.22/16 outside222.22/16

TCP >1023

80 any

allow outside222.22/16

222.22/16 TCP 80 >1023

ACK X

allow 222.22/16 outside222.22/16

UDP >1023

80 -

ACL (2)action source

addressdestaddress

ptcl sourceport

destport

flagbit

checkconxion

allow outside222.22/16

222.22/16 UDP 80 >1023

- X

deny all all all all all all

APPLICATION GATEWAYSFilters packets on application data as well as on IP/TCP/UDP fields.

EXAMPLE: TELNETAllow selected internal users to telnet outside.

Require all telnet users to telnet through gateway.

For authorized users, gateway sets up telnet connection to dest host.Gateway relays data between 2 connections

Router filter blocks all telnet connections not originating from gateway.

EXAMPLE: TELNET

EXAMPLE: TELNET

LIMITATIONS OF FIREWALLS, GATEWAYSIP spoofing: router can’t know if data “really” comes from claimedsource

if multiple app’s. need special treatment, each has own app. gateway

client software must know how to contact gateway.

e.g., must set IP address of proxy in Web browser

filters often use all or nothing policy for UDP

tradeoff: degree of communication with outside world, level of security

many highly protected sites still suffer from attacks

INTRUSION DETECTION SYSTEMS

WHYFor packet filtering:

operates on TCP/IP headers only

no correlation check among sessions

IDS: INTRUSION DETECTION SYSTEMDeep packet inspection: look at packet contents (e.g., check characterstrings in packet against database of known virus, attack strings)

Examine correlation among multiple packets

Port scanning

Network mapping

DoS attack

INTRUSION DETECTION SYSTEMSMultiple IDSs: different types of checking at different locations

INTRUSION PREVENTION SYSTEMSIntrusion detection systems typically raises an alarm by email/sms to thenetwork admin

An Intrusion Prevention Systems simply closes the connection in thefirewall, if something suspicious is detected.

SIGNATURE-BASED IDSMaintains an extensive database of attack signatures

A signature is a set of rules describing an intrusion activity

May simply be a list of characteristics of a single packet (src, dest,portnumbers)

Can be related to a series of packages

Signatures normally made by skilled network security engineers

Local system administrators can customize and add own

SIGNATURE-BASED IDS

SIGNATURE-BASED IDSOperations of a signature based IDS

Sniffs every packet passing by it

Compares packet with each signature in database

If it matches → generate an alert

SIGNATURE-BASED IDS

SIGNATURE-BASED IDSLimitations

Require previous knowledge of attack to generate signature

Can generate false positives

Large processing load, and may fail in detection of malicious packets

ANOMALY-BASED IDS

ANOMALY-BASED IDSCreates a profile of standard network traffic

As observed in normal operation

Then looks for packet streams that are statistically different

Example: Exponention growth in portscans or ping sweeps

ANOMALY-BASED IDSPositive

Does not require prior knowledge to an attack

Limitation

Extremely challenging to distinguis between normal an unusual traffic

Most systems today are signature based

EXAMPLE IDS: SNORT

Multi platform

Open source

https://www.snort.org/

# a l e r t t c p $ H O M E _ N E T 6 6 6 - > $ E X T E R N A L _ N E T a n y ( m s g : " M A L W A R E - B A C K D O O R S a t a n s B a c k d o o r . 2 . 0 . B e t a " ; f l o w : t o _ c l i e n t , e s t a b l i s h e d ; c o n t e n t : " R e m o t e | 3 A | " ; d e p t h : 1 1 ; n o c a s e ; c o n t e n t : " Y o u a r e c o n n e c t e d t o m e . | 0 D 0 A | R e m o t e | 3 A | R e a d y f o r c o m m a n d s " ; d i s t a n c e : 0 ; n o c a s e ; m e t a d a t a : r u l e s e t c o m m u n i t y ; r e f e r e n c e : u r l , w w w . m e g a s e c u r i t y . o r g / t r o j a n s / s / s a t a n z b a c k d o o r / S B D 2 . 0 b . h t m l ; r e f e r e n c e : u r l , w w w 3 . c a . c o m / s e c u r i t y a d v i s o r / p e s t / p e s t . a s p x ? i d = 5 2 6 0 ; c l a s s t y p e : t r o j a n - a c t i v i t y ; s i d : 1 1 8 ; r e v : 1 2 ; )

QUESTIONS?