Firewall Implementation and Design
Term: January 2005
Dana Epp, dana@scorpionsoft.com, http://silverstr.ufies.org/blog/
COMP 4706

Transcript of the slide deck (56 slides).

Page 1: Firewall Implementation and Design (title slide)

Page 2: Agenda
Discuss why firewalls are important
Learning outcomes
Discuss the final exam
Basic firewall fundamentals
TCP/IP fundamentals
Introduction to threat modeling for network services
Introduction to STRIDE
Hands on: group threat modeling

Page 3: Impact of W32.Blaster.Worm
A small survey of 882 respondents determined that the MS Blaster worm:
cost a median of $475,000 per company to remediate (including hard, soft and productivity costs), with larger node-count companies reporting losses up to $4,228,000;
entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers.
Source: TruSecure / ICSA Labs, 29 August 2003

Page 4: Learning Outcomes
On successful completion of this course, students will be able to:
Identify various types of firewalls and their functions, including which firewalls operate at which OSI protocol layer, and the basic variations of firewall architectures
Describe risk mitigation techniques for varying threats with the use of different firewall architectures
Demonstrate the ability to design and deploy policies on a firewall

Page 5: The Final Exam
Written portion closed book. Practical portion open book; use any information you learned in this class. No external help!
20% - Written test on theory
20% - Policy decisions on Windows deployment
20% - Policy decisions on Linux deployment
20% - Working Windows firewall (against open scan)
20% - Working Linux firewall (against open scan)
Exam is 1.5 hours long

Page 6: What is the “Pain”?
The risk of unauthorized access to privileged and/or confidential resources on a private network.

Page 7: Security Strategies
Least Privilege
Defense in Depth
Thinking in Zones
Chokepoints

Page 8: What is a “firewall”?
A firewall is simply a system or group of systems that enforces an access control policy between two or more networks.

Page 9: Basic Types of Firewalls
Packet filtering firewalls
Stateful packet inspection firewalls
Application proxies
Hybrids

Page 10: Packet filter
A packet filter firewall is the simplest type of firewall. Dealing with each packet individually, the firewall applies its rule set to determine whether to allow or disallow it. The firewall examines each packet based on the following criteria:
Source IP address
Destination IP address
TCP/UDP source port
TCP/UDP destination port
(Practical filters also match on the IP protocol field and, for TCP, on the ACK flag; the ACK flag is the only hint a stateless filter has for telling a reply apart from a new inbound connection.)

Page 11: Packet Filter - Pros
They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
Because the payload is ignored, they are application independent.
Least expensive of the three types of firewalls.
Packet filtering rules are relatively easy to configure.
No configuration changes are necessary on the protected workstations.

Page 12: Packet filters - Cons
Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
No screening of packet payload is available. It is impossible to block users from visiting web sites deemed off limits, for example.
Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.
Complex firewall policies are difficult to implement using filtering rules alone.
Reliance on the IP address for authentication rather than user authentication.
Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.

Page 13: Stateful packet inspection
Examines more of each packet than a plain packet filter: in addition to addresses and ports it looks at transport-layer state (TCP flags and sequence numbers) and, for protocols it understands, enough of the payload to follow the conversation.
Stateful packet inspection firewalls also take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request that caused it and allowed in, while an unsolicited inbound packet to the same port is dropped.

Page 14: Stateful packet inspection - Pros
Offers improved security over basic packet filters due to packet examination.
Offers a degree of application independence, based on the level of stateful packet examination.
Better logging of activities than basic packet filters.
Good performance.
Configuration changes to the protected workstations are unnecessary.

Page 15: Stateful packet inspection - Cons
Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
No hiding of your private systems.
Setting up stateful packet examination rules is more complicated.
Application-layer understanding only for the protocols the firewall explicitly supports.
No user authentication.
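The difference the two "Cons" slides turn on, worked through in Python as an added example (this is not code from the course; the Packet record, the 10.0.0.0/24 "inside" prefix, the rule logic and all addresses are constructed for illustration). A stateless filter that lets inside hosts browse must also admit inbound packets from TCP port 80, which an attacker can simply use as their source port; the ACK-flag refinement closes that hole for bare SYNs only, and the connection-tracking version admits inbound packets only when an inside host opened the flow:

```python
"""Stateless packet filter vs. connection-tracking filter (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


INSIDE = "10.0.0."      # constructed "inside" prefix (10.0.0.0/24)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE)


def stateless_filter(pkt: Packet) -> str:
    """Policy: inside may browse the web; other inbound traffic is dropped.
    A 5-tuple filter cannot tell a reply from a new connection, so it has to
    admit *any* inbound packet whose source port is 80."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return "ACCEPT"
    if pkt.sport == 80 and is_inside(pkt.dst):      # the hole
        return "ACCEPT"
    return "DROP"


def stateless_ack_filter(pkt: Packet) -> str:
    """Classic refinement: inbound from port 80 must carry ACK ("established").
    Blocks a bare SYN from source port 80, but not an ACK-flagged probe."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return "ACCEPT"
    if pkt.sport == 80 and is_inside(pkt.dst) and pkt.ack:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Same policy; a flow is entered into the table by an outbound SYN from
    an inside host, and afterwards packets are accepted in either direction
    only if they belong to a tracked flow."""

    def __init__(self) -> None:
        self.table = set()   # (src, sport, dst, dport) of tracked flows

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.table.add(fwd)                   # new outbound connection
            return "ACCEPT"
        if fwd in self.table or rev in self.table:
            return "ACCEPT"
        return "DROP"


def demo_filters() -> dict:
    """Run constructed traffic through all three filters."""
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),             # inside opens HTTP
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),   # server's SYN/ACK
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, ack=True),             # handshake completes
        Packet("198.51.100.7", 80, "10.0.0.5", 445, syn=True),               # attacker, sport 80 -> SMB
        Packet("198.51.100.7", 80, "10.0.0.5", 445, ack=True),               # attacker's ACK probe
    ]
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in traffic],
        "stateless_ack": [stateless_ack_filter(p) for p in traffic],
        "stateful": [sf.filter(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, decisions in demo_filters().items():
        print(f"{name:14s} {decisions}")
```

The last two packets are the interesting ones: the plain filter lets both reach port 445 inside, the ACK-checking filter stops the SYN but still lets the ACK probe through (which is enough to map hosts behind the filter), and only the tracked version drops both because no inside host ever opened a flow to 198.51.100.7. The shared weakness all three slides list remains: whatever is accepted travels end to end, so a flaw in the inside host's HTTP client is still reachable from the server.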

Page 16: Application proxies
An application proxy is a program running on the firewall that emulates both ends of a network connection. One can think of it as a sort of "translator" in between the two computers communicating.

Page 17: Application proxies - Pros
The firewall does not let endpoints communicate directly with one another. Thus a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall can be caught by the proxy program.
Has the best content filtering capability.
Can hide private systems.
Robust user authentication.
Offers the best logging of activities.
Policy rules are usually easier than packet filtering rules.

Page 18: Application proxies - Cons
Performance problems; much slower than the other two.
Must have a proxy for every protocol. Lacking a proxy may prevent a protocol from being handled correctly by the firewall.
TCP is the preferred transport. UDP may not be supported.
Limited transparency; clients may need to be modified (setting up the proxy server in a browser, for example).
No protection from all protocol weaknesses.
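To make "emulates both ends" concrete, here is the policy core of an HTTP application proxy in Python, added for this transcript and not code from the course. It parses the client's request strictly, applies a constructed policy (the allowed hosts, allowed methods and the path check are assumptions for the illustration), and if the request passes it emits a freshly built request for the server side, so no client byte is forwarded verbatim. The socket handling that would wrap it is omitted.

```python
"""Policy core of an HTTP application proxy (added example)."""
import re

ALLOWED_HOSTS = {"intranet.example", "www.example.com"}   # constructed policy
ALLOWED_METHODS = {"GET", "HEAD"}
REQUEST_LINE = re.compile(rb"([A-Z]{3,7}) (/[^\s]*) HTTP/1\.[01]")
HEADER_LINE = re.compile(rb"([A-Za-z0-9-]+):[ \t]*(.*)")


class PolicyError(Exception):
    pass


def parse_request(raw: bytes) -> tuple:
    """Strict parse of request line and headers; anything odd is rejected."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise PolicyError("incomplete request")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        raise PolicyError("malformed request line")
    method, path = m.group(1).decode(), m.group(2).decode()
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.fullmatch(line)
        if not h:
            raise PolicyError("malformed header")
        name = h.group(1).decode().lower()
        if name in headers:                      # e.g. two Host headers
            raise PolicyError("duplicate header " + name)
        headers[name] = h.group(2).decode(errors="replace")
    return method, path, headers, body


def proxy_decide(raw: bytes) -> tuple:
    """Return ("DENY", reason) or ("FORWARD", request the proxy sends onward)."""
    try:
        method, path, headers, body = parse_request(raw)
    except PolicyError as exc:
        return ("DENY", str(exc))
    host = headers.get("host", "").split(":")[0].lower()
    if method not in ALLOWED_METHODS:
        return ("DENY", "method not allowed")
    if host not in ALLOWED_HOSTS:
        return ("DENY", "host not allowed")
    if ".." in path.split("/"):
        return ("DENY", "path traversal")
    # Rebuild instead of forwarding: only fields the policy understands go out,
    # and the server sees the proxy, not the client.
    rebuilt = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return ("FORWARD", rebuilt.encode())


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
    print(proxy_decide(req))
```

Two of the cons above fall straight out of this code: every protocol needs its own parser of this kind, and the per-request parsing, policy evaluation and re-serialization is the work that makes a proxy slower than a packet filter. The same strict parser is where the pros come from: the proxy knows the method, host and path, which a packet filter never sees, so it can block an off-limits site and log what was actually requested.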

Page 19: OSI – Open Systems Interconnection reference model (diagram only)

Page 20: TCP/IP Protocol Architecture (diagram only)

Page 21: IP data encapsulation (diagram only)

Page 22: TCP Header (diagram only)

Page 23: Three-way TCP handshake (diagram only)
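An added example (not course code) that parses the IPv4 and TCP headers from the two slides above with Python's struct module and checks that three constructed packets form a valid three-way handshake, including the sequence-number arithmetic (the SYN/ACK must acknowledge the client's ISN+1, and the final ACK must acknowledge the server's ISN+1). The addresses, ports and initial sequence numbers are made up, and checksums are left at zero because nothing here puts the packets on a wire.

```python
"""IPv4/TCP header parsing and a three-way handshake check (added example)."""
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_PROTO_TCP = 6


def parse_ipv4(buf: bytes) -> dict:
    """Fixed 20-byte IPv4 header; IHL skips any options before the payload."""
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": buf[ihl:total_len]}


def parse_tcp(buf: bytes) -> dict:
    """Fixed 20-byte TCP header; the data offset skips any options."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", buf[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {name for name, bit in TCP_FLAGS.items() if off_flags & bit},
            "payload": buf[data_off:]}


def build_packet(src, dst, sport, dport, seq, ack, flags) -> bytes:
    """Constructed IPv4+TCP packet; checksums are 0 because it never hits a wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def check_handshake(pkts) -> bool:
    """True iff pkts are SYN, SYN/ACK, ACK between one client/server pair
    with the sequence numbers RFC 793 requires."""
    if len(pkts) != 3:
        return False
    ips = [parse_ipv4(p) for p in pkts]
    if any(ip["proto"] != IP_PROTO_TCP for ip in ips):
        return False
    syn, synack, ack = [parse_tcp(ip["payload"]) for ip in ips]
    client = (ips[0]["src"], syn["sport"])
    server = (ips[0]["dst"], syn["dport"])
    mod = 0xFFFFFFFF
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"}
            and ack["flags"] == {"ACK"}
            and (ips[1]["src"], synack["sport"]) == server
            and (ips[1]["dst"], synack["dport"]) == client
            and (ips[2]["src"], ack["sport"]) == client
            and (ips[2]["dst"], ack["dport"]) == server
            and synack["ack"] == ((syn["seq"] + 1) & mod)     # server acks our ISN+1
            and ack["seq"] == ((syn["seq"] + 1) & mod)        # our next seq is ISN+1
            and ack["ack"] == ((synack["seq"] + 1) & mod))    # we ack the server's ISN+1


def demo_handshake() -> dict:
    c, s, isn_c, isn_s = "10.0.0.5", "203.0.113.10", 1000, 5000   # constructed
    good = [
        build_packet(c, s, 40000, 80, isn_c, 0, TCP_FLAGS["SYN"]),
        build_packet(s, c, 80, 40000, isn_s, isn_c + 1, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
        build_packet(c, s, 40000, 80, isn_c + 1, isn_s + 1, TCP_FLAGS["ACK"]),
    ]
    # SYN/ACK acknowledging the wrong number: not a reply to our SYN
    bad = [good[0],
           build_packet(s, c, 80, 40000, isn_s, isn_c + 7, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
           good[2]]
    return {"good": check_handshake(good), "bad_ack": check_handshake(bad)}


if __name__ == "__main__":
    print(demo_handshake())
```

The flag and acknowledgement checks are exactly what a connection-tracking firewall keeps per flow, and the "bad_ack" case is why: a packet with SYN and ACK set that does not acknowledge a SYN the firewall saw leave is not a reply, whatever its ports say.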

Page 24: UDP Header (diagram only)

Page 25: Common Ports and Services
Windows: %windir%\System32\drivers\etc\services
Linux: /etc/services
Examples: SMTP = port 25, HTTP = port 80, POP3 = port 110, PPTP = port 1723

Page 26: LUNCH

Page 27: You cannot build secure systems unless you know the threats to which you are susceptible.

Page 28: Introduction to Threat Modeling
Threat modeling allows you to apply a structured approach to security and to address first the top threats that have the greatest potential impact on your network.
Although typically thought of as a methodology for secure software engineering, parts of it can be applied to network engineering as well.

Page 29: The Steps in Threat Modeling
Brainstorm the known threats to the system.
Rank the threats by decreasing risk.
Choose how to respond to the threats.
Choose techniques to mitigate the threats.
Choose the appropriate technologies from the identified techniques.

Page 30: Threats, Vulnerabilities, Attacks and Motives
A threat to a system is a potential event that will have an unwelcome consequence if it becomes an attack.
A vulnerability is a weakness in a system, such as a coding bug or a design flaw.
An attack occurs when an attacker has a motive, or a reason to attack, and takes advantage of a vulnerability.

Page 31: Things to consider when Brainstorming
Which assets need protecting?
What value are the assets?
To what threats are the assets susceptible?
How should you prioritize the threats?
How do you mitigate the threats?
Address architecture and implementation

Page 32: Core assets to consider
Configuration data
Authentication data
Persistent data
Data ‘on the wire’
State data
Temporary data

Page 33: (cartoon) An asset (the "loot"), a vulnerability, and a threat.
* Artwork stolen from Jason Garms (SBU Microsoft)

Page 34: Mitigation Techniques (cartoon) The loot is now "Patrolled!" and the threat is left with a "ggrr!".
* Artwork stolen from Jason Garms (SBU Microsoft)

Page 35: The STRIDE Threat Model
Spoofing identity: attacker obtains something that enables authentication
Tampering with data: unauthorized change made to stored or in-transit information
Repudiation: performing an illegal operation in a system that lacks the ability to trace such operations
Information disclosure: exposing critical information to unauthorized individuals
Denial of Service (DoS): denies service to others
Elevation of privileges: attacker exploits a weakness to gain greater privileges on a system than were intended

Page 36: A Server Example
(diagram) A server holding persistent data, configuration data and authentication data, reached over an insecure network. Each asset and the network link are annotated with the STRIDE categories that threaten them; the per-asset letters did not survive extraction.

Page 37: Ranking and Prioritizing Threats
Chance of attack occurring: 1 = high, 10 = low. How much effort/cost/time is needed to launch the attack?
Cost/damage if it occurs: 1 = little, 10 = massive
RISK = Damage / Chance
Because the chance scale is inverted (1 is most likely), dividing gives the intended ordering: a likely, massive threat scores 10 / 1 = 10, an unlikely, minor one 1 / 10 = 0.1.
Goal is to reduce risk. Do high risk items first.

Page 38: How to Respond to Threats
1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.

Page 39: Threat Mitigation Techniques: Spoofing
Authentication
Protect secrets
Don’t store secrets

Page 40: Threat Mitigation Techniques: Tampering
Authorization
Hashes
Message Authentication Codes (MAC)
Digital signatures
Tamper-resistant protocols

Page 41: Threat Mitigation Techniques: Repudiation
Digital signatures
Timestamps
Audit trails

Page 42: Threat Mitigation Techniques: Information disclosure
Authorization
Privacy-enhanced protocols
Encryption
Protect secrets
Don’t store secrets

Page 43: Threat Mitigation Techniques: Denial of Service
Authentication
Authorization
Filtering
Throttling
Quality of Service (QoS)

Page 44: Threat Mitigation Techniques: Elevation of privileges
Run with least privileges

Page 45: Security Techniques: Authentication
Basic
Digest
Forms-based
Passport
Windows Auth (NTLM, Kerberos v5)
X.509 certs
IPSec
RADIUS

Page 46: Security Techniques: Authorization
Access Control Lists (ACL)
Privileges
IP restrictions
Server-specific permissions

Page 47: Security Techniques: Tamper resistance
SSL/TLS
IPSec
DCOM and RPC
EFS (Encrypting File System)

Page 48: Security Techniques: Privacy
Encryption
Hashes
MACs
Digital Signatures
(Only encryption keeps data private; hashes, MACs and digital signatures detect modification, and signatures additionally support non-repudiation.)

Page 49: Security Techniques: DoS Mitigation
Filtering: similar to packet filtering
Throttling: limiting the number of connections
Quality of Service: provide preferential treatment for specific types of traffic
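Throttling, as an added example rather than course code: a per-source connection limiter that admits at most three new connections from one address in any ten-second sliding window (both numbers are constructed) and drops the rest before any server resources are spent on them. The event list is constructed, not captured.

```python
"""Per-source connection throttling with a sliding window (added example)."""
from collections import defaultdict, deque

MAX_PER_WINDOW = 3      # constructed limit: connections per source per window
WINDOW = 10.0           # constructed window length in seconds


class Throttle:
    def __init__(self, max_per_window: int = MAX_PER_WINDOW, window: float = WINDOW):
        self.max = max_per_window
        self.window = window
        self.recent = defaultdict(deque)   # src -> timestamps of accepted connections

    def admit(self, src: str, now: float) -> bool:
        """Decide on a new connection attempt from src at time now."""
        q = self.recent[src]
        while q and now - q[0] >= self.window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= self.max:
            return False                          # over budget: drop before the handshake
        q.append(now)
        return True


def run(events) -> list:
    """events: iterable of (time, src). Returns [(time, src, decision), ...]."""
    throttle = Throttle()
    return [(ts, src, "ACCEPT" if throttle.admit(src, ts) else "DROP") for ts, src in events]


EVENTS = [  # constructed: one chatty host and one normal one
    (0.0, "198.51.100.7"), (0.5, "198.51.100.7"), (1.0, "198.51.100.7"),
    (1.5, "198.51.100.7"), (2.0, "10.0.0.9"), (11.0, "198.51.100.7"), (12.0, "198.51.100.7"),
]

if __name__ == "__main__":
    for ts, src, decision in run(EVENTS):
        print(f"t={ts:5.1f} {src:14s} {decision}")
```

Only accepted connections count against the budget, so a source that keeps retrying is not locked out once the window has passed; count attempts instead if you want the opposite. Per-source limits only help when the source address is genuine, which is why throttling sits beside filtering and QoS on the slide rather than replacing them.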

Page 50: Security Techniques: Least Privilege
Have applications run with JUST enough privileges to get the job done, and no more.
As long as the job gets done, users will never know you are using least privilege unless they do something they aren’t SUPPOSED to do!

Page 51: Defense in Depth
Assume external systems are insecure
“We’re secure, we have a firewall” *ugh*
Assume your system(s) is the last thing standing
Plan on failure
More layers of security means more work to compromise a target
Threat risk goes down as threat difficulty goes up
Never depend on security through obscurity

Page 52: Don’t trust user input
Must validate data as it crosses between untrusted and trusted environments
Most vulnerabilities rely on malicious input
Don’t rely on client side validation; hacker tools exist to bypass client validation
All user input is bad until proven otherwise
Use regular expressions to check
Don’t check for invalid data; check for valid data and reject anything else
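The last three bullets, as an added example that is not from the course: a denylist that enumerates bad input beside an allowlist that describes valid input with regular expressions. The field formats (username, hostname, port) and the sample inputs are constructed. It also shows a pitfall of the regex approach itself: in Python, `$` matches before a trailing newline, so anchoring with `fullmatch` (or `\Z`) is part of "check for valid data".

```python
"""Denylist vs allowlist validation at a trust boundary (added example)."""
import re

# Denylist: enumerates known-bad fragments. Anything not listed walks through.
BLOCKED = ("<script", "javascript:", "../")


def denylist_ok(value: str) -> bool:
    low = value.lower()
    return not any(bad in low for bad in BLOCKED)


# Allowlist: one pattern per field describing exactly what is valid (constructed formats).
VALIDATORS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "hostname": re.compile(r"(?=.{1,253}\Z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
                           r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"),
    "port": re.compile(r"6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3}"),
}


def allowlist_ok(field: str, value: str) -> bool:
    pattern = VALIDATORS.get(field)
    # fullmatch anchors both ends; a field with no validator is rejected, not skipped
    return pattern is not None and pattern.fullmatch(value) is not None


def sloppy_username_ok(value: str) -> bool:
    """Same pattern anchored with ^...$ and re.match: '$' also matches just
    before a trailing newline, so 'alice\\n' passes."""
    return re.match(r"^[a-z][a-z0-9_]{2,31}$", value) is not None


SAMPLES = [  # constructed inputs: (field, value)
    ("username", "alice"),
    ("username", "alice\n"),
    ("username", "<svg onload=alert(1)>"),
    ("hostname", "www.example.com"),
    ("hostname", "..\\boot.ini"),
    ("port", "443"),
    ("port", "65536"),
]


def compare() -> dict:
    """value -> (denylist verdict, allowlist verdict)."""
    return {v: (denylist_ok(v), allowlist_ok(f, v)) for f, v in SAMPLES}


if __name__ == "__main__":
    for value, (deny, allow) in compare().items():
        print(f"{value!r:28s} denylist={deny!s:5s} allowlist={allow}")
```

Every bypass in the sample set is a value the denylist never thought of (a non-script tag, a backslash traversal, an out-of-range port), while the allowlist rejects them without knowing what they are. Validate on the server side, at the boundary, with the allowlist; the client-side copy is for user convenience only.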

Page 53: Secure Failures and Defaults
Plan on failure (fail securely)
The failure code path should be the most secure
Verify success, not failure
Don’t log detailed failure errors to the client
Plan on ignorance (use secure defaults)
Create solutions in their most secure state, and let users turn off security as needed
Don’t rely on a user to turn off a feature they don’t need
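"Verify success, not failure" and the failure code path, as an added example in Python that is not course code. The ACL backend is simulated (a constructed dictionary, with `None` standing in for an unreachable service); the point is what each authorization check does when the backend returns neither a clear allow nor a clear deny, and what the client gets told about it.

```python
"""Verify success, not failure; fail closed; keep error detail server-side (added example)."""

ALLOW, DENY = "allow", "deny"


def backend_check(user: str, resource: str, acl) -> str:
    """Simulated ACL service. acl is a constructed dict; None stands in for a
    service that is down, which a real directory or ACL lookup can be."""
    if acl is None:
        raise ConnectionError("acl service unreachable")
    return ALLOW if resource in acl.get(user, ()) else DENY


def authorize_insecure(user: str, resource: str, acl) -> bool:
    """Looks for the failure case and lets everything else through.
    An exception (or any unexpected result) leaves the request allowed."""
    allowed = True
    try:
        if backend_check(user, resource, acl) == DENY:
            allowed = False
    except Exception:
        pass                     # "temporary problem, carry on" -> still allowed
    return allowed


def authorize_secure(user: str, resource: str, acl) -> bool:
    """Starts from deny and flips to allow only on an explicit success."""
    try:
        return backend_check(user, resource, acl) == ALLOW
    except Exception:
        return False             # fail closed


def handle_request(user: str, resource: str, acl) -> tuple:
    """(response to the client, line for the server log): detail stays server-side."""
    try:
        ok = backend_check(user, resource, acl) == ALLOW
    except Exception as exc:
        return ("503 Service Unavailable",
                f"authz backend failure user={user} res={resource} err={type(exc).__name__}: {exc}")
    return ("200 OK" if ok else "403 Forbidden", f"authz user={user} res={resource} allowed={ok}")


def demo_authz() -> dict:
    acl = {"alice": {"/reports"}}   # constructed ACL: only alice may read /reports
    cases = {
        "alice_allowed": ("alice", "/reports", acl),
        "bob_denied": ("bob", "/reports", acl),
        "bob_backend_down": ("bob", "/reports", None),
    }
    return {name: (authorize_insecure(*args), authorize_secure(*args))
            for name, args in cases.items()}


if __name__ == "__main__":
    print(demo_authz())
    print(handle_request("bob", "/reports", None))
```

The two checks agree on every clear-cut case and differ only when the backend fails, which is precisely the case nobody tests by hand: the insecure version grants access to bob while the ACL service is down. The same applies to a firewall whose rule loader fails: the most secure failure path is to keep dropping.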

Page 54: A Web server example (diagram only)

Page 55: Good reading
Building Internet Firewalls, ISBN 1-56592-124-0
Linux Firewalls, ISBN 0-7357-0900-9
Threat Modeling, ISBN 0-7356-1991-3

Page 56: Any Questions?