Firewalls

Firewalls CIT304 University of Sunderland Harry R. Erwin, PhD

Transcript of Firewalls

Page 1: Firewalls

Firewalls

CIT304

University of Sunderland

Harry R. Erwin, PhD

Page 2: Firewalls

Resources

• Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O’Reilly, ISBN: 1-56592-148-8

• Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1.

• Anderson, 2001, Security Engineering, Wiley, ISBN: 0-471-38922-6.

• Zwicky, Cooper & Chapman, 2001, Building Internet Firewalls, O’Reilly.

Page 3: Firewalls

Definition

• Firewall (Schneier)

– Originally an iron wall that protected train passengers from engine fires. Didn’t protect the engineer—there may be a lesson for sysadmins here.

– In early networks, a device that protected a segment of a network from failures in other segments.

– Now a device that protects an internal network from malicious intruders.

• Does not deal with the 70+% of attacks that come from inside.

• Does not deal with most vulnerabilities (see next slide)—only those associated with network connections.

Page 4: Firewalls

Top 20 Vulnerabilities (www.sans.org, 4 Dec 2006)

Operating Systems

• Internet Explorer

• Windows Libraries

• Microsoft Office and Outlook Express

• Windows Services

• Windows Configuration Weaknesses

• Mac OS X

• Unix Configuration Weaknesses

Network Devices

• VoIP Servers and Phones

• Network and Other Devices Common Configuration Weaknesses

Cross-Platform Applications

• Web Applications

• Database Software

• P2P File Sharing Applications

• Instant Messaging

• Media Players

• DNS Servers

• Backup Software

• Security, Enterprise, and Directory Management Servers

Security Policy and Personnel

• Excessive User Rights and Unauthorized Devices

• Users (Phishing/Spear Phishing)

Special Section

• Zero Day Attacks and Prevention Strategies

Page 5: Firewalls

Perimeter Defense

• No good against internal uprisings

• Denial of service will remain a threat.

• Must be complete—otherwise the hacker will go around it.

• Must still contain gateways, which become the main vulnerabilities.

Page 6: Firewalls

Boundary Protection

• The careful use of boundary mechanisms allows the designer to segment the network into protected domains, isolated from the internet and telephone service.

• This limits damage and prevents malicious attackers from gaining entry.

Page 7: Firewalls

Hub and Ring Architectures

• Hub architecture—packets transmitted by one device are reflected to all devices. Can be digital or analog. Analog hubs reduce signal strength, limiting the number of devices. Speed of light delays also limit the spatial extent of the LAN.

• Ring architecture—each device connects to a ring of connections. One packet at a time circulates around the ring. If it arrives back at the device unchanged, it is deemed to have been successfully transmitted. Otherwise it is retransmitted.

Page 8: Firewalls

Gateway

• Typically a router connected to the hub or ring. Has external connections.

• Uses routing tables to find a route to a server. Sends the packet out that route.

• If a server isn’t reachable, an ICMP DEST_UNREACH packet is generated and eventually returns to the source.

Page 9: Firewalls

Switch

• ‘Smart’ hubs that transfer packets between networks. Fast switches are based on state machine architectures.

• Can block a sniffer from accessing local traffic.

• Virtual LANs can be isolated and connected via switches.

• Not a security mechanism. Performance is too important for switches to do much processing.

Page 10: Firewalls

Virtual Private Network (VPN)

• Encrypted tunneling (stunnel or ssh) can be used to link distant LANs via switches.

• Usually handled peer-to-peer with the routers and firewalls passing encrypted packets. This is message-level encryption.

• Can also be handled using link-level or packet-level encryption. Link-level uses military COMSEC devices and has a high maintenance overhead.

Page 11: Firewalls

Boundary Mechanisms Used to Secure Networks

Note: Firewalls and routers are basic tools of network security.

• Filtering routers

• Firewalls:

– Packet Filters

– Proxies

– NAT (network address translation)

– Screens

• Personal firewalls

• “Demilitarized Zones” (DMZs)

Page 12: Firewalls

Attacks on Boundary Mechanisms

Three approaches:

1. Go around it.

– Internet connections from photocopiers, soft drink machines, and other devices

– Maintenance ports on network devices

– Unauthorized modems

– Attack trusted peers instead

2. Sneak past it.

3. Take the firewall over.

– Buggy software

– Insecure operating systems

Page 13: Firewalls

Filtering Router

• A basic router that provides stateless protection:

– Only passes legitimate packets, which is good. What packets are legitimate is a policy decision. Two basic strategies:

• Default permit—easier to configure but riskier

• Default deny—safer but inflexible (UoS policy)

Neither is a panacea.

– A filtering router doesn’t connect SYN ACKs to the related SYN packets or other packets involved in the connection. This can be exploited by a smart attacker.

Page 14: Firewalls

Firewall

• Smarter than a simple filtering router. Enforces your chosen policies. May sniff traffic.

• Blocks access as part of a defense in depth strategy.

• Can serve as a proxy for the clients behind it.

• Can encrypt traffic between separate locations.

• Can even be stateful, tracking connections, not just packets—reducing throughput, but harder to fool. (Remains vulnerable to slow attacks.)

• Note, however, that a filtering router plus strong endpoint security (hardened workstations) is more secure than an isolated firewall.

Page 15: Firewalls

Firewall Anatomy

Based on chokes and gates (Garfinkel and Spafford):

• Choke

– A component that restricts the free flow of packets between networks based on some policy.

• Gate

– Handles port connections.

– Single machines that handle all ports are “bastion hosts”.

– Programs that might be supported include

• network clients (undesirable),

• proxy servers, and

• network servers.

Page 16: Firewalls

How to Program a Simple Packet Filtering Choke

• Block all packets for services not used.

• Block all packets with IP source routing options.

• Allow incoming TCP connections to predetermined network servers.

• Allow outgoing TCP connections. (You might want to block some used by malware.)
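To make the four rules concrete, here is an added example (my code, not from the lecture): a default-deny choke in Python, in a stateless form following this slide and in a stateful form of the kind the Firewall slide describes, both run against the forged inbound SYN-ACK that the Filtering Router slide warns about. The LAN prefix, the server list and the blocked outbound port are assumed values.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."                                # assumed private LAN prefix
ALLOWED_SERVERS = {("10.0.0.5", 25), ("10.0.0.8", 80)}  # assumed mail and web servers
BLOCKED_OUTBOUND = {6667}                               # assumed: IRC port abused by malware

@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    syn: bool = False; ack: bool = False
    source_routed: bool = False     # IP source-routing option present

def is_internal(ip):
    return ip.startswith(INTERNAL_NET)

def stateless_filter(p):
    """Default deny: a packet passes only if one of the four slide rules permits it."""
    if p.source_routed:                                  # rule 2: block source routing
        return False
    if is_internal(p.src) and not is_internal(p.dst):    # outbound
        return p.dport not in BLOCKED_OUTBOUND           # rule 4, minus malware ports
    if not is_internal(p.src) and is_internal(p.dst):    # inbound
        if (p.dst, p.dport) in ALLOWED_SERVERS:          # rule 3: predetermined servers
            return True
        # Replies to outbound connections: all a stateless choke can check is the
        # ACK bit and a client-side port, so a forged ACK or SYN-ACK also passes.
        return p.ack and p.dport > 1023
    return False                                         # rule 1: everything else

def stateful_filter(p, conns):
    """Same policy, but `conns` remembers outbound SYNs so replies must match one."""
    if p.source_routed:
        return False
    if is_internal(p.src) and not is_internal(p.dst):
        if p.dport in BLOCKED_OUTBOUND:
            return False
        if p.syn and not p.ack:                          # new outbound connection
            conns.add((p.src, p.sport, p.dst, p.dport))
        return True
    if not is_internal(p.src) and is_internal(p.dst):
        if (p.dst, p.dport) in ALLOWED_SERVERS:
            return True
        return (p.dst, p.dport, p.src, p.sport) in conns  # reply to a tracked connection?
    return False

def forged_reply_passes():
    """Inbound SYN-ACK to a high port with no prior outbound SYN: (stateless, stateful)."""
    forged = Packet("203.0.113.9", 80, "10.0.0.20", 40000, syn=True, ack=True)
    return stateless_filter(forged), stateful_filter(forged, set())
```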

Page 17: Firewalls

Pros and Cons of Packet Filtering

• Pros

– Cheap and easy

– Flexible

• Cons

– Usually lacks logging

– Complex rulesets that are hard to configure and untestable

– ftp not handled well unless passive mode is set (due to the high port numbers used by ftp)

– Security can be silently compromised

– Remote administration can be compromised

– Insider attacks are easy

– Packet contents are not monitored

Page 18: Firewalls

Firewall Types

• Packet filters

– Usually based on a filtering router, but stateful

• Proxy-based firewalls

– Services are provided by the visible firewall

• Packet-rewriting firewalls (NAT)

– Transparent to applications

• Screens

– No IP address; run in stealth mode

Page 19: Firewalls

How Network Address Translation (NAT) Works

• A server anonymises traffic by replacing the true address on the LAN with its own address and vice versa.

• Incoming packets from inside addresses can be quietly dropped.

• Aka “proxying with network address translation”.

• Can also cache data received to save on network bandwidth.
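The address rewriting on this slide as an added Python example (my code, not the lecture's): a toy NAT table that replaces inside addresses with the box's own address on the way out, reverses the mapping on the way back, and drops inbound packets that are unsolicited or that claim an inside source address. PUBLIC_IP and the LAN prefix are assumed, constructed values.

```python
PUBLIC_IP = "198.51.100.1"        # assumed public address of the NAT box (constructed)
INTERNAL_NET = "10.0.0."          # assumed private LAN prefix

class Nat:
    """Maps (inside ip, inside port) to a port on PUBLIC_IP and back again."""
    def __init__(self):
        self.out = {}             # (inside ip, inside port) -> public port
        self.back = {}            # public port -> (inside ip, inside port)
        self.next_port = 40000    # first translated port handed out

    def outbound(self, src, sport, dst, dport):
        """LAN -> internet: rewrite the true source with the NAT's own address."""
        key = (src, sport)
        if key not in self.out:               # first packet of this flow: new mapping
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (PUBLIC_IP, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> LAN: undo the rewrite, or return None to drop the packet."""
        if src.startswith(INTERNAL_NET):      # inside address arriving from outside: spoofed
            return None
        if dst != PUBLIC_IP or dport not in self.back:   # no mapping: unsolicited, drop
            return None
        inside_ip, inside_port = self.back[dport]
        return (src, sport, inside_ip, inside_port)
```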

Page 20: Firewalls

Personal Firewalls

• This is a router/firewall installed on your personal PC.

• Usually a simple packet filter.

• Now available for most modern operating systems.

• MacOS X, BSD Unix, and Linux use ipfw.

• Windows XP has a proprietary firewall. Mediocre.

• Commercial firewalls either manage the firewall provided by the OS or replace it with their own.

• Watch out for snake oil.

Page 21: Firewalls

Personal Firewalls for Windows Machines

• Some Free Ones

– Microsoft Internet Connection Firewall (XP default)

– ZoneAlarm (good, better than ipfw)

– Tiny Firewall (good, USAF uses)

– Sygate® Personal Firewall™ (good)

• More Expensive

– Black Ice Defender (well-regarded)

– ZoneAlarm Pro (good)

– Norton Personal Firewall (OK)

– McAfee Personal Firewall (subscription)

Page 22: Firewalls

“Demilitarized Zone” (DMZ)

• A place on your network where you put your public services.

• Reduces the external threat, but protects your private network.

• External firewall (to the internet) has a limited number of restrictions.

• Internal firewall (to your private network) has more restrictions.

Page 23: Firewalls

Running a Windows Firewall

• If you are responsible for a Windows firewall (incomplete):

– Enable auditing, accounting, and full logging. Monitor them.

– Use strong authentication. Install a logon banner.

– Rename the Administrator account.

– No user or guest accounts. Generally, block all user access.

– Manually configure the machine. Install all security patches.

– Use NTFS.

– Protect the BIOS configuration.

– Block removable devices and unused ports.

– Support only TCP/IP. You may need to enable SNMP.

– Disable unneeded services, in particular WINS TCP/IP, Computer Browser, NetBIOS, RPC, Server, and Workstation. Check that patches/hotfixes/updates don’t re-enable them.

Page 24: Firewalls

Running a UNIX Firewall

• If you are responsible for a UNIX firewall:

– Enable auditing, accounting, and full logging. Monitor them.

– Use strong authentication.

– Firewall machines should not have user accounts.

– Block X11 server ports.

– Do not mount NFS (etc.). Export databases read-only. Disks should be mounted read-only where possible.

– Remove binaries not needed for the firewall. Disable unneeded network services.

– chmod all system directories to 711.

– Remove /etc/hosts.equiv and /etc/hosts.lpd.

– Use process and disk quotas and monitor them.

Page 25: Firewalls

Conclusions

• You may need a firewall, but you will need a lot more and probably more urgently:

– Start by ensuring you have strong end-point security. Make sure you have the latest service pack installed.

– Install/enable personal firewalls on all machines.

– Use a filtering router as a minimum.

– Finally, consider using a firewall.

• Watch for snake oil!

• Manage your security actively!

• Good luck!