(c) University of Technology, Sydney 2000 - 20041 Firewall Architectures.

(c) University of Technology, Sydney 2000 - 2004

1

Firewall Architectures


2

Earliest firewalls

?


3

What are we dealing with?

Data Stream on a wire – ‘data in flight’ Sequence of bits Relayed from machine to machine

Will assume using Ethernet


4

Firewall Architectures Packet Filter Application Gateway/Proxy Stateful Inspection

Firewall Deployment Methods Choke Router Bastion Host DMZ

Platform Selection Proprietary, Open Source UNIX vs Windows General Purpose Platform vs Appliance

Faculty of Information Technology

Topics


5

Types of Firewall

Packet Filter Proxy Server Stateful Inspection

Internet

F irewall

Internal Desktop

Internal Server Internal Desktop

In te rna lN etwork

D M ZW eb Server FTP Server


6

Packet Filter

Applications

Presentations

Sessions

Transport

DataLink

Physical

DataLink

Physical

Applications

Presentations

Sessions

Transport

DataLink

Physical

Network Network

Go / No - Go


7

Packet Filters

PRO Cheap (you have to

buy a router anyway). Already sits in the ideal

position for a firewall.

CON Routers are made to be

cheap and fast, so they don’t have memory or time for state information.

Certain things don’t work without state information.

Hard to configure.


8

Packet Filters and FTP

The FTP protocol uses a control connection and a data connection.

The port number for the data connection is passed on the control connection.

Without state tables, packet filters have no way to keep track of the data connection’s port, so they can’t filter it specifically.

Client ServerRouter

FTP Control ConnectionPort

x Port21

USER joePASS blow

220 Who do you think you are?

230 Welcome, sorry I ever doubted

you.

PORT ipc1,ipc2,ipc3,ipc4,y,z"I want to open a data connection tothat port"

FTP Data ConnectionPort20Port

256y+z


9


Solution? Another solution?

Client ServerRouter

FTP Control ConnectionPort

x Port21

USER joePASS blow

220 Who do you think you are?

230 Welcome, sorry I ever doubted

you.

PORT ipc1,ipc2,ipc3,ipc4,y,z"I want to open a data connection tothat port"

FTP Data ConnectionPort20Port

256y+zAllow

connections toany possible

256y+z (all valuesabove 1023)?

Yes

A security risk -somebody

could connectto a vulnerableinternal service(such as X11)from port 20

NoFTP

doesn'twork


10


Another solution? Passive FTP (pasv)

client inside firewall initiates control connection as usual on port x outgoing => port 21 on server

client issues pasv command server replies with port p command (p > 1023) client initiates data connection from port (x + 1)

outgoing => port p on server Both connections start from inside the firewall, so

stateful firewall allows them.


11

Stateful Inspection

Works by sitting in the Kernel, where the packets go naturally.

Uses (in most cases) a general purpose computer, so it’s flexible.

Sits before the TCP/IP protocol stack, so it can be protected.

Internet

User Mode

KernelMode

NIC

NIC

TCP/IP

InternalN

etwork

F irewall-1KernelModule

Firewall-1KernelModule


12

Stateful Packet Filter

Applications

Presentations

Sessions

Transport

DataLink

Physical

DataLink

Physical

Applications

Presentations

Sessions

Transport

DataLink

Physical

Network Network

Network

Presentations

Sessions

Transport

ApplicationsApplications

Tracks the conversation flow

Allows packets based on

Can be fooled by “fiddling” the packet flags


13

Proxy Server/Application Gateway Works by forcing everything

to go through a process on the firewall box (a proxy).

From the client’s perspective, the proxy is the server. From the server’s perspective, it’s the client. Internet

User Mode

KernelMode

NIC

NIC

TCP/IP

InternalN

etwork

Norm alPacket F low

Proxy

ProxyPacket F low


14

Application Gateway / Proxy

Applications

Presentations

Sessions

Transport

DataLink

Physical

DataLink

Physical

Applications

Presentations

Sessions

Transport

DataLink

Physical

Network NetworkNetwork

Presentations

Sessions

Transport

ApplicationsApplications

TelnetTelnetTelnetTelnet HTTPHTTPHTTPHTTPFTPFTPFTPFTP

Screens limited number of applications

Connectivity & Transparency are broken

Performance is poor due to many data copies & context switches

Flexibility & Open-ness lost, dependent on vendor


15

Application Gateway

PRO Easy to program. Can be made as

flexible as you’d like.

CON Performance hit. Usually application

specific. Require changes in

user behavior. Doesn’t protect the

TCP/IP protocol stack itself.


16

Additional Pieces

TCP-Wrapper Provides control at a TCP packet level proxy daemon for inetd, i.e. UNIX only

and others to find out … Socks Circuit Gateways Transparent Proxies


17

State of the Art

Today most firewalls are a combination of technologies

No perfect answer Still only part of the security puzzle


18

Firewall Deployment Methods


19

Philosophies

Hotly debated area Schemes have evolved with the technology Important elements

Availability Maintainability Practicality


20

The Gateway

Only entry point Go / No Go decisions Easy to check

payload


21

Start Point


22

Start Point

Bastion Host


23

Defence in Layers

DMZ


24

Segregate

Bastion HostChoke Router

DMZ


25

Segregate

Dual Homed Bastion Host


26

Segregate

Firewall


27

Segregate

Firewall

DMZ


28

Simple Network

Internet

F irewall

IBM Com patible

IBM Com patible

IBM Com patible

W orkstation

In ternal N etwork(legal IP addresses)


29

Simple Network with NAT

Internet

F irewall

IBM Com patible

IBM Com patible

IBM Com patible

W orkstation

In terna l N etwork(192.168.1.0)

H ide 192.168.1.2 -192.168.1.254 behind

0.0.0.0

.1


30

Network Address Translation

Security by Obscurity

Conscious design? Fortunate result of problem solving

Using limited address spaces Allowing more convoluted designs


31

More Architectural Choices

Design for availability redundant firewalls redundant routes redundant ISPs

Throughput number of hops in path NIC capabilities


32

Platform Selection


33

Completely Secure?

NO!

YES!

Anything else


34

Operating System Choices

Unix Was written to be as flexible as possible. Originated in environments where security

was not an issue.


35


Windows Developed for a business environment,

where security is important. Supposed to be as user friendly as possible.

Security isn’t user friendly.


36


Appliances Hide the details Limited Functionality in

the operating system Full functionality for the

task


37

Open Source

Totally visible to ALL

Support In-house skills Reproducible

Version control


38

Real World

What can or cannot be done


39

Firewalls Cannot

Protect traffic that does NOT flow thru them Protect networks inside the firewall Stop all application based attacks


40


41


42

Firewalls CAN

Control raw traffic flows Provide a point to log and “examine” events Be a Billboard to advertise your security

policy


43

End


44

Circuit Gateway/SOCKS/Proxy

SOCKS - a protocol that includes a set of client libraries for proxy interfaces with clients. “SOCKS, the most popular circuit gateway” (RFC 1928 versions 4 and 5) tcp sessions; client s/w for proxy server, e.g. AnalogX

Circuit (Level) Gateway allows sessions, doesn’t analyze packets. Permission

granted based on port number. More transparent, not as secure, as application gateway (proxy server)

supports sessions based on port no (doesn’t analyze packets) sets up end-to-end session between client and remote server needs SOCKS running on client

Basically, a Circuit Gateway is like a ‘null’ Proxy server


45

Additional Pieces

contrast Circuit Gateway with Application Gateway = Proxy Server

client connects to proxy server no change required to client (except need to point

client at proxy) Transparent proxy (don’t even need to do that)

Transparent Proxies built as part of network architecture, so all o/g port

80 traffic goes through it and the user does not have to configure browser. Includes cache too (caching proxy).

(c) University of Technology, Sydney 2000 - 20041 Firewall Architectures.

Documents

Transcript of (c) University of Technology, Sydney 2000 - 20041 Firewall Architectures.