CS 6262 Fall 02CS 6262 Fall 02

Firewalls

Firewall Technologies

Julie SchneiderJulie Schneider

What is a firewall?

• Device that provides secure connectivity between Device that provides secure connectivity between networks (internal/external; varying levels of trust)networks (internal/external; varying levels of trust)

• Used to implement and enforce a security policy for Used to implement and enforce a security policy for communication between networkscommunication between networks

Trusted Networks

Untrusted Networks & ServersFirewall

Router

Internet

Intranet

DMZ Public Accessible Servers & Networks

Trusted Users

Untrusted Users

Firewalls

• From Webster’s Dictionary: From Webster’s Dictionary: a wall a wall constructed to prevent the spread of fireconstructed to prevent the spread of fire

• Internet firewalls are more the moat around Internet firewalls are more the moat around a castle than a building firewalla castle than a building firewall

• Controlled access pointControlled access point

Firewalls can:

Restrict incoming and outgoing traffic by IP Restrict incoming and outgoing traffic by IP address, ports, or usersaddress, ports, or users

Block invalid packetsBlock invalid packets

Convenient

Give insight into traffic mix via loggingGive insight into traffic mix via logging Network Address TranslationNetwork Address Translation EncryptionEncryption

Firewalls Cannot Protect…

Traffic that does not cross itTraffic that does not cross it routing around routing around Internal trafficInternal traffic

When misconfiguredWhen misconfigured

InternetInternet

DMZ NetWeb Server Pool

Corporate

Network

ALERT!!ALERT!!ALERT!!

Security Requirement• Control access to network information and resources• Protect the network from attacks

Access Control

Filtering

Packets checked then passedPackets checked then passed Inbound & outbound affect when policy is Inbound & outbound affect when policy is

checkedchecked

Filtering

Packet filtering Packet filtering Access Control ListsAccess Control Lists

Session filteringSession filtering Dynamic Packet FilteringDynamic Packet Filtering Stateful InspectionStateful Inspection Context Based Access ControlContext Based Access Control

Filtering

Fragmentation/reassemblyFragmentation/reassembly Sequence number checkingSequence number checking ICMPICMP

Packet Filtering

Decisions made on a per-packet basisDecisions made on a per-packet basis No state information savedNo state information saved

Typical Configuration

Ports > 1024 left openPorts > 1024 left open If dynamic protocols are in use, If dynamic protocols are in use, entire entire

ranges of ports must be allowed ranges of ports must be allowed for the for the protocol to workprotocol to work..

ApplicationsApplications

PresentationsPresentations

SessionsSessions

TransportTransport

DataLinkDataLink

PhysicalPhysical

DataLinkDataLink

PhysicalPhysical

RouterRouter

ApplicationsApplications

PresentationsPresentations

SessionsSessions

TransportTransport

DataLinkDataLink

PhysicalPhysical

NetworkNetwork NetworkNetwork

Packet Filter

Session Filtering

Packet decision made in the context of a Packet decision made in the context of a connection connection

If packet is a new connection, check against If packet is a new connection, check against security policysecurity policy

If packet is part of an existing connection, If packet is part of an existing connection, match it up in the state table & update tablematch it up in the state table & update table

Typical Configuration

All denied unless specifically allowedAll denied unless specifically allowed Dynamic protocols (FTP, H323, RealAudio, Dynamic protocols (FTP, H323, RealAudio,

etc.) allowed only if supportedetc.) allowed only if supported

Session Filtering

Applications

Presentations

Sessions

Transport

DataLink

Physical

DataLink

Physical

Applications

Presentations

Sessions

Transport

DataLink

Physical

Network Network

Network

Presentations

Sessions

Transport

ApplicationsApplications

Dynamic Dynamic State TablesState Tables

Dynamic Dynamic State TablesState Tables

Dynamic State Tables

Screens ALL attempts, Protects All applications

Extracts & maintains ‘state’ information

Makes an intelligent security / traffic decision

Telnet

“PORT 1234”

“ACK”

Telnet ClientTelnet Server

23 1234

Client opens channel to server; tells server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets.

Server acknowleges.

Format:

access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address| any|IP address and mask> [<gt|eq port number>] <DEST host with IP address| any|IP address and mask> [<gt|eq port number>]

The following allows user to telnet from an IP address (172.168.10.11) to any destination, but not vice-versa:

access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23 ! Allows packets out to remote Telnet serversaccess-list 101 permit tcp any eq 23 host 172.168.10.11 established ! Allows returning packets to come back in. It verifies that the ACK bit is set

interface Ethernet 0 access-list 100 out ! Apply the first rule to outbound traffic access-list 101 in ! Apply the second rule to inbound traffic!

Note: anything not explicitly permitted in an access-list is denied.

Example: Telnet

“PORT 5151”

“OK”

DATA CHANNEL

TCP ACK

FTP ClientFTP Server

20Data

21Command 5150 5151

Client opens command channel to server; tells server second port number.

Server acknowleges.

Server opens data channel to client’s second port.

Client Acknowledges.

FTP

Example FTP – Packet FilterFormat:

access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address| any|IP address and mask> [<gt|eq port number>] <DEST host with IP address| any|IP address and mask> [<gt|eq port number>]

The following allows a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12) :

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20 ! Allows packets from any client to the FTP control and data ports access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023 ! Allows the FTP server to send packets back to any IP address with TCP ports > 1023

interface Ethernet 0 access-list 100 in ! Apply the first rule to inbound traffic access-list 101 out ! Apply the second rule to outbound traffic!

“PASV”

“OK 3267”

TCP ACK

DATA CHANNEL

FTP ClientFTP Server

20Data

21Command 5150 5151

Client opens command channel to server; requests passive mode.

Server allocates port for data channel; tells client port number.

Client opens data channel to server’s second port. Server Acknowledges.

FTP – Passive Mode

Example FTP : Session Filter

Proxy Firewalls

Relay for connectionsRelay for connections Client Client Proxy Proxy ServerServer Two flavorsTwo flavors

Application level Application level Circuit levelCircuit level

Application Gateways

Understands specific applicationsUnderstands specific applications Limited proxies availableLimited proxies available Proxy ‘impersonates’ both sides of connectionProxy ‘impersonates’ both sides of connection

Resource intensiveResource intensive process per connectionprocess per connection

HTTP proxies may cache web pagesHTTP proxies may cache web pages

Application Gateways

More appropriate to TCPMore appropriate to TCP ICMP difficultICMP difficult Block all unless specifically allowedBlock all unless specifically allowed Must write a new proxy application to Must write a new proxy application to

support new protocolssupport new protocols Not trivial!Not trivial!

Application Gateways

Clients configured for proxy Clients configured for proxy communicationcommunication

Transparent ProxiesTransparent Proxies

ApplicationsApplications

PresentationsPresentations

SessionsSessions

TransportTransport

DataLinkDataLink

PhysicalPhysical

NetworkNetwork

DataLinkDataLink

PhysicalPhysical

ApplicationsApplications

PresentationsPresentations

SessionsSessions

TransportTransport

DataLinkDataLink

PhysicalPhysical

Application GatewayApplication Gateway

ApplicationsApplications

PresentationsPresentations

SessionsSessions

TransportTransport

NetworkNetwork NetworkNetwork

TelnetTelnetTelnetTelnet HTTPHTTPHTTPHTTPFTPFTPFTPFTPApplication Layer GW/proxy

Circuit-Level Gateways

Support more services than Application-Support more services than Application-level Gatewaylevel Gateway less control over dataless control over data

Hard to handle protocols like FTPHard to handle protocols like FTP Clients must be aware they are using a Clients must be aware they are using a

circuit-level proxycircuit-level proxy Protect against fragmentation problemProtect against fragmentation problem

SOCKS

Circuit level GatewayCircuit level Gateway Support TCP Support TCP SOCKS v5 supports UDP, earlier versions SOCKS v5 supports UDP, earlier versions

did notdid not See See http://http://www.socks.nec.comwww.socks.nec.com

Comparison

Security

Security

Perform

anceP

erformance

Service S

upportS

ervice Support

Packet FilterPacket Filter 33 11 No dynamic w/o holesNo dynamic w/o holes

Session FilterSession Filter 22 22 Dependent on vendor Dependent on vendor for dynamic supportfor dynamic supportCircuit GWCircuit GW 22 33

App. GWApp. GW 11 44 Typically < 20 Typically < 20

Lower is better for security & performance

Comparison

Modify Client Applications?Modify Client Applications?

Packet FilterPacket Filter NoNo

Session FilterSession Filter NoNo

Circuit GWCircuit GW Typical, SOCKS-ify client Typical, SOCKS-ify client applicationsapplications

App. GWApp. GW Unless transparent, client Unless transparent, client application must be proxy-aware application must be proxy-aware & configured& configured

Comparison

ICM

PIC

MP

Fragm

en-F

ragmen-

tationtation

Packet FilterPacket Filter YesYes NoNo

Session FilterSession Filter YesYes MaybeMaybe

Circuit GWCircuit GW (SOCKS v5)(SOCKS v5) YesYes

App. GWApp. GW NoNo yesyes

Proxying UDP/ICMP

Why isn’t UDP or ICMP proxied as much Why isn’t UDP or ICMP proxied as much as TCP?as TCP?

TCP’s connection-oriented nature easier to TCP’s connection-oriented nature easier to proxyproxy

UDP & ICMP harder (but not impossible) UDP & ICMP harder (but not impossible) since each packet is a separate transactionsince each packet is a separate transaction

Session filters determine which packets Session filters determine which packets appear to be repliesappear to be replies

Circuit Level GW

Operate at user level in OSOperate at user level in OS Have circuit program ‘route’ packets Have circuit program ‘route’ packets

between interfaces instead of OS routing between interfaces instead of OS routing codecode

NAT

Useful if organization does not have enough Useful if organization does not have enough real IP addressesreal IP addresses

Extra security measure if internal hosts do Extra security measure if internal hosts do not have valid IP addresses (harder to trick not have valid IP addresses (harder to trick firewall)firewall)

Only really need real IP addresses for Only really need real IP addresses for services outside networks will originate services outside networks will originate connections toconnections to

NAT

Many-to-1 (n-to-m) mappingMany-to-1 (n-to-m) mapping 1-to-1 (n-to-n) mapping1-to-1 (n-to-n) mapping Proxies provide many-to-1Proxies provide many-to-1 NAT not required on filtering firewallsNAT not required on filtering firewalls

Encryption (VPNs)

Allows trusted users to access sensitive Allows trusted users to access sensitive information while traversing untrusted information while traversing untrusted networksnetworks

Useful for remote users/sitesUseful for remote users/sites IPSecIPSec

Encrypted Tunnels

What kind of traffic allowed? Only IP?What kind of traffic allowed? Only IP? Can the tunnel traffic be examined? Or are Can the tunnel traffic be examined? Or are

firewalls blind to internal tunnel traffic?firewalls blind to internal tunnel traffic? Can services and users be limited in their Can services and users be limited in their

tunnel traffic?tunnel traffic?

Attacks

Take advantage of allowed client-server Take advantage of allowed client-server communicationscommunications

Get around connectionsGet around connections

IP Spoofing

Intruder attempts to gain access by altering Intruder attempts to gain access by altering a packet’s IP address to make it appear as a packet’s IP address to make it appear as though the packet originated in a part of the though the packet originated in a part of the network with higher access privilegesnetwork with higher access privileges

Anti-Spoofing

Must have network level access to packetsMust have network level access to packets Match up packets with allowed addresses Match up packets with allowed addresses

per interfaceper interface With proxies, the IP headers are lost and With proxies, the IP headers are lost and

never reach the application levelnever reach the application level

Anti-Spoofing

Internet

130.207.5.0 130.207.3.0

130.207.4.0

e1

e2e3

e4

Allowed Networks:E1: 130207.4.0/24E2: 130.207.3.0/24E3: 130.207.5.0/24E4: All except E1,E2,E3

Mitnick & Shimomura

IP spoofing IP spoofing Sequence number predictionSequence number prediction See http://www.takedown.comSee http://www.takedown.com

Telnet ClientTelnet Server

23 1234

Allow only if ACK bit set, Send 2 fragments with the ACK bit set; when the server re-assembles the packet, the fragment offset are chosen so the full datagram forms a packet with the SYN bit set (the fragment offset of the second packet overlaps into the space of the first packet)

All following packets will have the ACK bit set

FRAG1 (with ACK)

FRAG2 (with ACK)

SYN packet (no ACK)

ACK

Fragmentation: The 1st Wave

Data Link Layer HeaderData Link Layer Header

Ver/IHLVer/IHL Type of ServiceType of Service Total LengthTotal Length

IdentifierIdentifier FlagsFlags Fragment OffsetFragment Offset

Time To LiveTime To Live ProtocolProtocol Header ChecksumHeader Checksum

Source AddressSource Address

Destination AddressDestination Address

Options + PaddingOptions + Padding

Source PortSource Port Destination PortDestination Port

Sequence NumberSequence Number

Acknowledgement NumberAcknowledgement Number

Offset/ReservedOffset/Reserved U U AA P R S F P R S F WindowWindow

ChecksumChecksum Urgent PointerUrgent Pointer

Options + PaddingOptions + Padding

DataData

Data Link Layer TrailerData Link Layer Trailer

IP D

atag

ram

IP H

eade

rT

CP

Hea

der

Fragmentation

Fragemtation: 2nd Wave

Instead fragmenting TCP header, fragment Instead fragmenting TCP header, fragment data portion or ICMP to attack OS of clientsdata portion or ICMP to attack OS of clients

OS – not all do bounds checking ‘early OS – not all do bounds checking ‘early Friday bug’ Friday bug’ oversized ICMP reassembled on client too oversized ICMP reassembled on client too

large, caused buffer overrun and BSODlarge, caused buffer overrun and BSOD Fragment a URL or ftp put commandFragment a URL or ftp put command

Proxy would catch Proxy would catch

Chargen Service

Character Generation, debugging toolCharacter Generation, debugging tool Make a connection & receive a stream of dataMake a connection & receive a stream of data

Trick machine into making a connection to Trick machine into making a connection to itself itself CPU locksCPU locks

Anti-spoofing will catch Anti-spoofing will catch

Sendmail

Typically handled by a proxyTypically handled by a proxy Almost never want the outside world to Almost never want the outside world to

have direct access to sendmailhave direct access to sendmail