Pattern Recognition and Applications Lab FIREWALLS · 2020. 4. 27. · Firewalls can operate on...

Pattern Recognition and Applications Lab University of Cagliari, Italy Department of Electrical and Electronic Engineering FIREWALLS Spring Semester 2019/2020 Giorgio Giacinto [email protected]


Firewall – Perimeter defence

A firewall is a device, or a set of devices, intended to control the traffic flowing across different networks.

(Diagram labels: INTERNET, Firewall)

Firewall - Definition

• Single point of access
• Keeps attackers away from defences

Functionalities

• A firewall analyses network traffic and checks whether it complies with the organisation's policies
– Policies are defined from the organisation's information security risk assessment
– They should be developed from a broad specification of which traffic types the organisation needs to support
– They are then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology

An example
• HTTP traffic is allowed for all the machines connected to the network
• Access to the following domains is forbidden
– Youtube.com, Facebook.com, Twitter.com
• IMAP/POP/SMTP traffic is allowed only to machines on the 172.16.20/24 subnet

Firewall Capabilities And Limits

Capabilities
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec

Limitations
• Cannot protect against attacks that bypass the firewall
• May not protect fully against internal threats
• An improperly secured wireless LAN can be accessed from outside the organisation
• A laptop, PDA, or portable storage device may be infected outside the corporate network and then used internally

Functionalities

(Diagram: traffic from the INTERNET passes through the Firewall, which separates filtered traffic from not filtered traffic)

Functionalities

• Firewalls act as "brokers" that
– manage and control the network traffic
– protect resources behind the firewall
• This allows firewalls to record events and activities
– log files may turn out to be useful for forensic purposes
• Firewalls also allow managing authentication
– this further increases both protection and logging capabilities

Firewall Filter Characteristics

• IP address and protocol values
– This type of filtering is used by packet filter and stateful inspection firewalls
– Typically used to limit access to specific services
• Application protocol
– This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
• User identity
– Typically for inside users who identify themselves using some form of secure authentication technology
• Network activity
– Controls access based on considerations such as the time of request, rate of requests, or other activity patterns

Stack TCP & Firewall Layers

Firewalls can operate on different layers of the TCP/IP stack
• Application
• Transport
• Network (Internet)
• Link

If access must be restricted to certain users or resources, filtering has to be done at the Application Layer
If access must be disciplined on a per-IP basis, the firewall must work at the Internet Layer
If access must be limited to certain applications, filtering has to be done at the Transport Layer

Types of Firewalls

Firewall - Taxonomy

• Personal Firewalls
– Packet Filter Firewalls
– Stateful Firewalls
• Network Firewalls
– Packet Filter Firewalls
– Stateful Firewalls
– Application Level Firewalls
– NAT Firewalls

Network Firewalls

• Packet Filter Firewalls
• Stateful Firewalls
• Application Level Firewalls
• NAT Firewalls

Firewall Appliances

Feature Summary (Palo Alto PA-7080)

• Firewall throughput – 600/700 Gbps
• New sessions per second – 4.56 M
• Maximum number of sessions (no inspection) – 320 M
• Threat prevention throughput – 270/330 Gbps
• IPSec VPN throughput – 280 Gbps

Source: https://www.paloaltonetworks.com/network-security/next-generation-firewall/pa-7000-series

Gartner Magic Quadrant

Packet Filter Firewalls

Stateless Packet Filter

• It is one of the simplest firewalling mechanisms
– Often integrated in the router
• Filtering at layer 3 (Network) and/or 4 (Transport)
– A typical implementation is a router with Access Control Lists (ACL)
• Filtering criteria
– Source IP address
– Destination IP address
– Protocol (ICMP, TCP, UDP, …)
– Protocol-specific information
• ICMP Echo, ICMP Reply, ICMP Error
– TCP/UDP ports
– etc.
• Two default policies
– Discard - prohibit unless expressly permitted (more conservative)
– Forward - permit unless expressly prohibited (easier to manage but less secure)

Stateless Packet Filter

Source: Network Warrior, Gary A. Donahue - O'Reilly

Stateless Packet Filter

Decision flow for each packet:
• Does an ACL exist in that direction? NO → allow the packet
• YES → Is there a policy rule for that kind of packet? NO → discard the packet
• YES → What is the action defined by the policy rule? Allow → allow the packet; Deny → discard the packet

Stateless Packet Filter - Clarifications

• It is worth remembering that:
– Once the FW receives a packet, it inspects the ACL to check whether a rule matches the packet
– For efficiency, more specific rules must be at the top of the list

access-list In deny udp any host 192.168.1.101

– The order of the rules is important. One rule can make the following ones useless.

access-list In deny udp any host 192.168.1.101
access-list In allow udp any host 192.168.1.101 eq 53

The second rule is never activated, since the previous one is always matched first.
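The ordering problem on this slide can be checked mechanically. The following Python code is an added example, not part of the slides: it parses ACL lines in the slide's syntax, evaluates them with first-match semantics, and reports rules that an earlier rule makes unreachable. The grammar it accepts (`access-list <name> <permit|allow|deny> <proto> <any|host IP> <any|host IP> [eq <port>]`), the `ip` wildcard protocol and the implicit deny at the end of the list are assumptions modelled on common router behaviour, not statements made by the slide.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str            # "permit" or "deny" ("allow" on the slide is read as permit)
    proto: str             # "ip" (assumed wildcard), "tcp", "udp", "icmp", ...
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port


_ADDR = r"(any|host \S+)"
_RULE_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(permit|allow|deny)\s+(\S+)\s+{_ADDR}\s+{_ADDR}"
    r"(?:\s+eq\s+(\d+))?\s*$"
)


def _addr(token: str) -> Optional[str]:
    return None if token == "any" else token.split()[1]


def parse_rule(line: str) -> Rule:
    """Parse one ACL line in the slide's syntax (assumed grammar, see lead-in)."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    acl, action, proto, src, dst, port = m.groups()
    action = "permit" if action in ("permit", "allow") else "deny"
    return Rule(acl, action, proto.lower(), _addr(src), _addr(dst), int(port) if port else None)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """Does this packet satisfy every field of the rule?"""
    return (
        rule.proto in ("ip", proto)
        and rule.src in (None, src)
        and rule.dst in (None, dst)
        and rule.dport in (None, dport)
    )


def evaluate(rules, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, index of the rule that fired).
    No match means implicit deny (index None), as routers do at the end of an ACL."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` would already have matched `earlier`."""
    return (
        earlier.proto in ("ip", later.proto)
        and earlier.src in (None, later.src)
        and earlier.dst in (None, later.dst)
        and earlier.dport in (None, later.dport)
    )


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules) if any(covers(rules[i], later) for i in range(j))]


# The two lines from the slide, in the order the slide shows them.
SLIDE_ACL = [
    "access-list In deny udp any host 192.168.1.101",
    "access-list In allow udp any host 192.168.1.101 eq 53",
]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in SLIDE_ACL]
    print("DNS query to 192.168.1.101:", evaluate(rules, "udp", "10.0.0.7", "192.168.1.101", 53))
    print("shadowed rule indices:", shadowed_rules(rules))
    print("after swapping the two rules:", shadowed_rules(rules[::-1]))
```

Swapping the two lines removes the shadowing: the specific `eq 53` permit fires first and the broad deny still catches every other UDP packet to that host.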

Stateless Packet Filter

• Pros
– Fast
– High flexibility in the definition of the policy rules
• Cons
– Can't stop application layer attacks (malicious FTP commands, malware)
– No user authentication
– Limited logging capabilities
– Vulnerable to TCP/IP weaknesses (e.g. IP spoofing, SYN flood, DoS)
– It might be difficult to configure

About Transport Port Status (Nmap Results)

• open
– The port is open and accepts TCP connections or UDP packets
• closed
– A port which can be reached and behind which there is no listening application
• filtered
– It is not possible to determine whether the port is open, because packet filtering prevents the probes from reaching the port
• Other Nmap results
– open|filtered / unfiltered / closed|filtered

Stateful Packet Filter

• Processes packets at the Network and Transport Layers as in the case of the Stateless Packet Filter, but it also traces the Transport Layer connections
– Packets are thus analysed in the context of the connection
• e.g., by keeping track of sequence numbers
– Connectionless protocols such as UDP are inspected as well. Here the packet filter checks that the exchange of messages is coherent with the protocol logic.

Stateful Packet Filter – An example

1. Host A begins a connection with Host B
2. Host B replies to the A request
3. Host A finalises the connection. A is ready to send data.
4. Host A sends Host B data.
5. Host B acknowledges it has received data.

How can I prevent Host B from initiating a connection?
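The answer to the slide's question is a connection table: the filter records the connection A opens, admits only packets that belong to it, and has no entry for a connection B tries to open on its own. The Python below is an added example (not the slides' or the author's code) that tracks TCP connections through the five steps on the slide and then drops a SYN sent by B. The internal prefix 192.168.1.0/24, the addresses of A and B, the port numbers and the policy "only inside hosts may initiate" are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed: the network behind the firewall; only its hosts may open connections.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}


@dataclass
class Conn:
    state: str                       # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    fins: set = field(default_factory=set)   # sides that have sent FIN


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


class StatefulFilter:
    """Connection table keyed by the initiator's (ip, port) and the responder's (ip, port)."""

    def __init__(self):
        self.table: dict[tuple, Conn] = {}

    def _lookup(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if fwd in self.table:
            return fwd, "client"          # packet travels initiator -> responder
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, "server"          # packet travels responder -> initiator
        return None, None

    def process(self, p: Packet) -> str:
        key, side = self._lookup(p)
        if key is None:
            # Unknown flow: only a fresh SYN coming from inside may create state.
            if p.flags == {"SYN"} and is_inside(p.src):
                self.table[(p.src, p.sport, p.dst, p.dport)] = Conn("SYN_SENT")
                return "ALLOW"
            return "DROP"                 # unsolicited packet, including a SYN from outside
        conn = self.table[key]
        if "RST" in p.flags:
            del self.table[key]
            return "ALLOW"
        if conn.state == "SYN_SENT":
            if side == "server" and p.flags == {"SYN", "ACK"}:
                conn.state = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if conn.state == "SYN_RECEIVED":
            if side == "client" and "ACK" in p.flags and "SYN" not in p.flags:
                conn.state = "ESTABLISHED"
                return "ALLOW"
            return "DROP"
        # ESTABLISHED: data may flow both ways; a new SYN inside the flow is bogus.
        if "SYN" in p.flags:
            return "DROP"
        if "FIN" in p.flags:
            conn.fins.add(side)
            if conn.fins == {"client", "server"}:
                del self.table[key]       # both sides closed: forget the connection
        return "ALLOW"


def run_slide_example():
    """Replay the slide's five steps, then let B try to open its own connection."""
    fw = StatefulFilter()
    a, b = "192.168.1.10", "203.0.113.5"   # constructed: A inside, B outside
    f = frozenset
    steps = [
        ("1. A -> B SYN", Packet(a, 40000, b, 80, f({"SYN"}))),
        ("2. B -> A SYN/ACK", Packet(b, 80, a, 40000, f({"SYN", "ACK"}))),
        ("3. A -> B ACK", Packet(a, 40000, b, 80, f({"ACK"}))),
        ("4. A -> B data", Packet(a, 40000, b, 80, f({"ACK", "PSH"}))),
        ("5. B -> A ACK", Packet(b, 80, a, 40000, f({"ACK"}))),
        ("6. B -> A SYN (B initiates)", Packet(b, 44444, a, 22, f({"SYN"}))),
    ]
    return [(label, fw.process(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict in run_slide_example():
        print(f"{label:32} {verdict}")
```

A stateless filter would have to choose between admitting every packet to port 22 and admitting none; the stateful one admits step 5 because it is the reply to a tracked connection and drops step 6 because nothing inside asked for it.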

Stateful Packet Filter

• Pros
– Higher awareness of the Layer 4 traffic → higher security
• Cons
– Can't stop application layer attacks (malicious FTP commands, malicious HTTP requests, malware)
– No user authentication
– Connection management requires CPU & RAM resources

Packet Filter Evasion

• Packet filters can be evaded by leveraging the IP fragmentation mechanism
– Attackers can play with the offset values
• Several variants of the attack exist: http://www.ouah.org/fragma.html
– e.g., Tiny Fragment Attack
• http://tools.ietf.org/html/rfc3128
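The countermeasure on the filter's side is to refuse fragments that could hide or rewrite the transport header. The Python below is an added example, not code from the slides: it applies the two header checks described in RFC 1858 (the document RFC 3128, cited on the slide, updates) and adds a per-datagram overlap guard. The fragment record, the 16-byte minimum for a first TCP fragment (enough to include the TCP flags byte) and the sample fragments are constructed for the example.

```python
from dataclasses import dataclass

# Constructed minimum: a first TCP fragment must carry at least this much of the
# transport header so the filter can see the flags before deciding.
MIN_FIRST_FRAGMENT = 16


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field (shared by all fragments of a datagram)
    proto: str      # "tcp", "udp", ...
    offset: int     # fragment offset in 8-byte units, as in the IP header
    more: bool      # MF flag
    length: int     # bytes of payload carried by this fragment


def check_tiny_fragment(f: Fragment) -> str:
    """Header-only checks in the spirit of RFC 1858 section 3.2 (TCP only)."""
    if f.proto != "tcp":
        return "ALLOW"
    # A first fragment too short to hold the fields the filter inspects.
    if f.offset == 0 and f.more and f.length < MIN_FIRST_FRAGMENT:
        return "DROP tiny first fragment"
    # Offset 1 means bytes 8..15 of the transport header, i.e. it can rewrite
    # what a well-formed first fragment already carried.
    if f.offset == 1:
        return "DROP overlaps transport header"
    return "ALLOW"


class OverlapGuard:
    """Remember the byte ranges seen per datagram id and refuse overlapping fragments.
    A real implementation also expires entries after a reassembly timeout."""

    def __init__(self):
        self.seen: dict[int, list[tuple[int, int]]] = {}

    def accept(self, f: Fragment) -> bool:
        start = f.offset * 8
        end = start + f.length
        ranges = self.seen.setdefault(f.ident, [])
        for s, e in ranges:
            if start < e and s < end:      # half-open intervals intersect
                return False
        ranges.append((start, end))
        return True


def filter_fragments(fragments):
    """Run both checks over a stream of fragments; returns (fragment, verdict) pairs."""
    guard = OverlapGuard()
    out = []
    for f in fragments:
        verdict = check_tiny_fragment(f)
        if verdict == "ALLOW" and not guard.accept(f):
            verdict = "DROP overlapping fragment"
        out.append((f, verdict))
    return out


if __name__ == "__main__":
    # Constructed sample: a healthy two-fragment TCP datagram followed by two bad ones.
    sample = [
        Fragment(7, "tcp", 0, True, 24),
        Fragment(7, "tcp", 3, False, 100),
        Fragment(8, "tcp", 0, True, 8),
        Fragment(7, "tcp", 2, True, 16),
    ]
    for frag, verdict in filter_fragments(sample):
        print(frag, "->", verdict)
```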


Review problems

Firewall rules

The following table shows a sample of a packet filter firewall ruleset for an imaginary network of IP addresses that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.

Firewall rules - SMTP

SMTP (Simple Mail Transfer Protocol) transfers mail between hosts over TCP. The server listens on TCP port 25 for incoming connection requests. The user is on a TCP port number above 1023. Suppose you wish to build a packet filter rule set allowing inbound and outbound SMTP traffic:

Describe the effect of each rule

Firewall rules - SMTP

If the server IP address is 172.16.1.1, which of the following packets will be allowed and which will be denied?

Firewall rules - SMTP

Someone from the outside world (10.1.2.3) attempts to open a connection from port 5150 on a remote host to the Web proxy server on port 8080 in order to carry out an attack.

Will the attack succeed?

Application Level Gateways

Application Level Gateway (aka Proxy)

• Combines packet-layer functionalities with the capability of inspecting the activities at the application level
• Requires user authentication before any activity
• It can be used for different services:
– Email
– Web
– FTP
– DNS
– Telnet


Application Level Gateway (aka Proxy)

• Authentication mechanisms
– Username and password
– Token HW/SW
– Biometrics
• Authentication somewhat prevents spoofing attacks
– Different authentication mechanisms can be foreseen according to the users' privileges
• 2 different types of proxy mechanisms
– Connection oriented (circuit level proxy)
– Cut-through

Connection Oriented Proxies

1. A client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server) requested by the client
5. The proxy manages two connections
– The connection between the client and the proxy
– The connection between the proxy and the server behind the proxy
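The five steps above, run end to end over real sockets on localhost, as an added example that is not the slides' or the author's code. The line protocol the client speaks to the proxy (`AUTH user password`, then `CONNECT host port`, answered by `OK` or an `ERR` line), the credential table, the per-user list of permitted destination ports and the echo server standing in for the resource behind the proxy are all constructed for the example; the point is that the client never holds a connection to the resource, only the proxy does.

```python
import socket
import threading

# Constructed credential store; a real gateway would consult a directory service.
USERS = {"alice": "s3cret", "bob": "hunter2"}


def start_echo_server():
    """Throwaway 'resource' behind the proxy: echoes what it receives. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _pump(src, dst):
    """One direction of the relay: copy bytes until src stops sending."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, allowed_ports):
    """Steps 2-5 of the slide for one client connection (step 1 is the client's)."""
    with client:
        lines = client.makefile("rb")
        # Step 2: authenticate before anything else happens.
        words = lines.readline().decode(errors="replace").split()
        if len(words) != 3 or words[0] != "AUTH" or USERS.get(words[1]) != words[2]:
            client.sendall(b"ERR auth\n")
            return
        user = words[1]
        # Step 3: is this user authorised to reach the requested resource?
        words = lines.readline().decode(errors="replace").split()
        if len(words) != 3 or words[0] != "CONNECT" or not words[2].isdigit():
            client.sendall(b"ERR syntax\n")
            return
        host, port = words[1], int(words[2])
        if port not in allowed_ports.get(user, ()):
            client.sendall(b"ERR forbidden\n")
            return
        # Step 4: the proxy, not the client, opens the second connection.
        upstream = socket.create_connection((host, port))
        client.sendall(b"OK\n")
        # Step 5: the proxy owns both connections and relays between them.
        t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        t.start()
        _pump(client, upstream)
        t.join()
        upstream.close()


def start_proxy(allowed_ports):
    """Start the gateway on localhost; allowed_ports maps user -> permitted destination ports."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn, allowed_ports), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def client_session(proxy_port, user, password, dest_port, payload: bytes) -> str:
    """Step 1: the client talks only to the proxy. Returns the echoed text or the proxy's error."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"AUTH {user} {password}\nCONNECT 127.0.0.1 {dest_port}\n".encode())
        lines = s.makefile("rb")
        reply = lines.readline().decode().strip()
        if reply != "OK":
            return reply
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)        # tell the proxy we are done sending
        return lines.read().decode()      # everything relayed back until the proxy closes


if __name__ == "__main__":
    echo = start_echo_server()
    proxy = start_proxy({"alice": {echo}})
    print(client_session(proxy, "alice", "s3cret", echo, b"hello via proxy"))
    print(client_session(proxy, "alice", "wrong", echo, b"x"))
    print(client_session(proxy, "bob", "hunter2", echo, b"x"))
```

Because the gateway sees every byte in clear on both legs, it can log and filter at the application level; that is also why it costs a second connection and two copies per byte, which the pros/cons slide that follows records as overhead.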

Application Level Gateway (aka Proxy)

• Pros
– Very high logging capabilities
– Very high filtering capability
• Granular permissions can be defined
• Cons
– Very high overhead
• Slow
– Ad-hoc firewall and client

Cut-through Proxy

1. The client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server), which is then merged with the previous one
5. The proxy acts as an intermediary, managing one single connection

Cut-through Proxy

• Pros
– Higher throughput with respect to a connection-oriented proxy
– Higher flexibility (possibility to handle a higher number of applications)
• Cons
– Smaller logging capabilities (with respect to a connection-oriented proxy)
– Filtering only on layers 3 and 4

Web Application Firewalls (WAF)

(Diagram: the stack Network / OS / Web server / Web application; network vulnerability attacks and DoS (service interruption) attacks are addressed by the Firewall and the IDS/IPS, web application vulnerability attacks by the WAF)

Firewall and Intrusion Detection/Prevention Systems (IDS/IPS) are not effective against web application attacks

Attacking Web Services

Normal traffic (legitimate):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=3

Attacking Web Services (WAF Protection)

Attack (malicious):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=-2%20union%20select%20concat%28username,0x3a,password%29%20from[…]

WAFs are commonly based on rules / signatures that detect the presence of specific attack patterns in HTTP requests
e.g.: IF 'union%20select*' in param-input STOP request

Easily evaded in several ways, e.g. by replacing a "%20" with a comment ("/**/")

WAF (and rule-based systems) Limitations

• Easy-to-evade signatures / rules
– changing even a single character may evade detection
– several rules are required to detect attack variants
• Explosion of the number of signatures
– for computational reasons, only the most common rules are used
– rare attack patterns (even if known) may evade detection!
• False alarms tend to increase with the number of signatures
• Signatures cannot intrinsically detect
– attacks which exploit vulnerabilities in custom applications
– advanced attacks like phishing, user impersonation, information leakage
– 0-day / never-before-seen attacks (e.g., advanced injection)

WAF and rule-based systems (such as Layer 3-4 protection devices) are thus ineffective at dealing with the increasing sophistication and variability of attacks

Other types of firewalls

Personal Firewall

• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• Typically much less complex than server-based or stand-alone firewalls
– e.g., a software module on a personal computer
– can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Primary role is to deny unauthorised remote access
• May also monitor outgoing traffic to detect and block worms and malware activity

Host-Based Firewalls

• Used to secure an individual host
• Available in operating systems or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server

Advantages
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection

DMZ and VPN

Firewall Configuration

DMZ – Demilitarized Zone

• A DMZ is a physical or logical subnetwork between the internal network (TRUSTED) and the external network (UNTRUSTED)
– It usually hosts public company services

DMZ – Demilitarized Zone

• A DMZ allows protecting the private network through two layers of firewalling
– the front-end firewall is directly exposed to the network
• Servers (e.g. Mail, Web) are located just behind this firewall
– the back-end firewall stands behind the front-end firewall and in front of the internal network
• Rules
– The private network can initiate connections toward the DMZ and the Internet, and doesn't accept any kind of incoming connection
– Hosts on the DMZ accept connections from both the private network and from the Internet, but cannot initiate any kind of connection
• A router connecting the three different zones can perform both tasks.
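The two rules above are a matrix of which zone may initiate a connection toward which, and each firewall only needs the rows whose path crosses it. The Python below is an added example, not the slides' code: it classifies addresses into zones, answers whether a new connection is allowed, and derives the rule list each of the two firewalls must carry. The zone prefixes, the "front-end"/"back-end" names for the paths and the textual rule format are constructed for the example; the slide itself assigns no addresses.

```python
import ipaddress

# Constructed prefixes: the slide names the zones but assigns no addresses.
ZONES = {
    "private": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("172.16.1.0/24"),
}

# The slide's rules: who may initiate a connection toward whom. Anything not
# listed (Internet -> private, DMZ -> anywhere) is denied. Tuples keep the order stable.
MAY_INITIATE = {
    "private": ("dmz", "internet"),
    "internet": ("dmz",),
    "dmz": (),
}

# Which firewall(s) a connection between two zones traverses.
PATH = {
    frozenset({"internet", "dmz"}): ("front-end",),
    frozenset({"dmz", "private"}): ("back-end",),
    frozenset({"internet", "private"}): ("front-end", "back-end"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known prefixes is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def new_connection_allowed(src_ip: str, dst_ip: str) -> bool:
    """May a host at src_ip open a new connection to dst_ip under the slide's rules?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return src != dst and dst in MAY_INITIATE[src]


def rules_for(firewall: str) -> list:
    """The ordered rule list a given firewall needs: the initiation rows that cross it,
    then return traffic of tracked connections, then deny everything else."""
    rules = []
    for src, dsts in MAY_INITIATE.items():
        for dst in dsts:
            if firewall in PATH[frozenset({src, dst})]:
                rules.append(f"permit new {src} -> {dst}")
    rules.append("permit established")
    rules.append("deny any")
    return rules


if __name__ == "__main__":
    # Constructed sample addresses: one per zone.
    for src, dst in [("192.168.1.5", "172.16.1.10"), ("203.0.113.9", "172.16.1.10"),
                     ("203.0.113.9", "192.168.1.5"), ("172.16.1.10", "192.168.1.5")]:
        print(f"{src:>14} -> {dst:<14} {new_connection_allowed(src, dst)}")
    for fw in ("front-end", "back-end"):
        print(fw, rules_for(fw))
```

Note that "permit established" is what makes the rules expressible at all: a web server in the DMZ must be able to answer the Internet without being allowed to initiate, which is exactly the distinction the stateful packet filter slides introduced.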

Virtual Private Network (VPN)

• A VPN is a virtual network through which it is possible to establish a secure communication channel over an "insecure" medium (the Internet) without the need for a dedicated link
• VPN management mechanisms ensure security
– Confidentiality
– Integrity
– Authenticity

Remote Access VPN

(Diagram: Firewall (VPN Concentrator) in front of the Company network)

Site-to-Site VPN

VPN - Advantages

• Cheap
– Possibility to build large overlaid networks without the need of a dedicated infrastructure
• Security
– Authentication and cryptography ensure the security of the data
• Scalability
– Adding branches to the VPN doesn't require costly infrastructure

Network Segmentation and the cloud

• Network segmentation is becoming a complex task
– Virtualisation
– Cloud applications, services, storage
• The physical deployment of a network barely represents the actual data flow
• A deep logical map of all the enterprise activities is needed in order to define the routing and firewalling policies
• The firewall itself is not required to be a physical appliance, as it can be deployed as a virtual application

OT Networks

Operational Technology Networks

• The network connecting all Industrial Control Systems (ICS) devices
– PLCs
– SCADA
– DCS
• In the past, OT used proprietary protocols, and no connection with the external world was available
• Currently, the IT-OT convergence allows ICS to share data and to realise remote control.
• Network segmentation through firewalls is mandatory to avoid exposing those devices (ISA99 – IEC 62443)

Purdue model (ISA99)