ITA, 4.02.2007, 10-Firewalls.ppt 1
Internet Security (IntSec)
Prof. Dr. Peter HeinzmannProf. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
10 Firewalls
10.1 Overview
• Network defences – a cascade of security zones
• Secure routers, packet filtering firewalls, application gateways (proxies)
• Firewall functions
10.2 Technologies
• Example firewall – Linux Netfilter
• Packet filtering – filter rules
• Application gateway
• Proxy services
• Stateful inspection technology
• Network address translation (NAT)
• Port address translation (PAT)
10.3 Management
• Remote Administration
• Examples: Checkpoint FireWall-1 and Linux IPCop
• Monitoring and Logging
Learning Objectives
• You can explain the major Firewall terms and functions.
• You are able to read and define Firewall rules.
• You are prepared for the lab "Firewall".
Internet Security (IntSec)
10.1 Overview
Castle Defences: A Cascade of Security Zones
• Moat / Main Gate: outer perimeter controlling castle access
• Inner Perimeter: stronghold, higher walls create a containment area between inner and outer perimeters
• Keep: last building in the castle to fall
Network Defences: A Cascade of Security Zones
Figure (slide diagram): Internet, Outer Perimeter firewall, De-Militarized Zone (DMZ), Inner Perimeter firewall, Internal Network (Intranet), Internal Firewall, Stronghold / Keep containing the Mission Critical Systems.
Ordering and organizing helps to improve security. One way of organizing is the "classification of documents", another way is the "structuring of the network". Most companies distinguish several network zones, but there is no generally accepted "zone definition" or "zone naming scheme". Typically companies distinguish at least three zones:
1. Internet (insecure zone): This zone is insecure for all practical purposes. Nothing in it protects a machine from the other machines on the network; the only security in this zone comes from the machine itself.
2. Demilitarized Zone (DMZ): This zone is separated from the Internet by the first part of a firewall (typically a filtering firewall). It usually holds the servers that are accessed frequently from the Internet (e.g. the company web server, the DNS server with the address mapping of the public addresses, the mail server).
3. Intranet (secure zone, trusted zone): This zone is separated from the DMZ by the second part of a firewall (typically a proxy server, i.e. an application level firewall), which processes requests for connections from the internal network to the outside.
There may be further specifically secured zones within the Intranet, which are protected against attacks from hosts on the Intranet. These zones contain mission critical systems or organizations with high security requirements (e.g. the police department within a government organization).
Example: HSR
Cisco PIX 515 FW
Firewalls can control traffic at various OSI layers
Figure (slide diagram): firewall mechanisms placed against the OSI layer they work at.
Application Layer: Application Level Proxies
Transport Layer: Circuit Level Proxies
Network Layer: Packet Filter
Stateful Inspection Engines (e.g. TCP SYN, ACK, FIN states) span these layers.
Firewall types shown: Secure Router (Screening Router), Packet Filtering Firewall, Application Gateways (Proxy).
The main firewall technologies are:
• Packet filtering: check header information of the packets
• Deep packet inspection: look at application content of the packets
• Application Gateways: terminate connections and look also at application content of the packets
Some firewalls check the packets one by one only. Stateful inspection firewalls look at packet flows, trying to assign a state to the connections.
Most of the modern firewalls are hybrid products that cannot be easily classified into groups.
Firewall Functions: Filtering, Inspection, Detection, Logging, Alerting
Figure (slide diagram): a firewall with Detection, Logging and Alerting functions, connected to an IDS.
• Deny everything that is not explicitly permitted … or
• Permit everything that is not explicitly denied.
A firewall may fulfill several functions:
• Filter and inspect traffic
• Log events (and traffic)
• Perform content screening (virus scan engines, content blocking, URL filtering, protocol compliance testing)
• Allow address reuse (perform Network Address Translation, NAT function), hide internal structure
• Detect attacks, send alerts, communicate with other devices, e.g. with an intrusion detection system (Open Platform for Security, OPSEC)
• Act as a virtual private network (VPN) server
• Authenticate administrators (use of tokens/smart cards or two factor authentication)
Internet Security (IntSec)
10.2 Technologies
Example Firewall - Linux Netfilter
Figure (slide diagram): packet paths through the firewall host. Packets arriving on eth0 or eth1 are routed; those addressed to a local process traverse the INPUT chain, packets generated by a local process traverse the OUTPUT chain, and packets routed from one interface to the other traverse the FORWARD chain.
http://www.netfilter.org
Filter Rules – Default Policy
• Permit everything that is not explicitly denied.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
• Deny everything that is not explicitly permitted.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
http://www.netfilter.org
Packet Filtering: Screening Router, Deep Packet Inspection
Figure (slide diagram): a packet filter between the inbound and outbound protocol stacks (Network, Transport, Application layers). Header fields used for filtering:
• Src IP Address (e.g. 152.96.129.3), Dst IP Address (e.g. 160.85.128.1)
• Protocol Type: 1 ICMP, 6 TCP, 17 UDP, 50 ESP
• Src Port Number, Dst Port Number: 53 DNS, 80 HTTP, 23 Telnet, ...
• TCP Flags: SYN, ACK, FIN, ...
• Application Data (examined by deep packet inspection)
Packet-Filtering Firewalls provide network security by filtering network communications based on the information contained in the TCP/IP headers of each packet. Packet-Filtering Firewalls are also known as "Screening Routers" or "Filtering gateway firewalls". A deep-packet inspection (DPI) firewall also checks the content of the packet.
Packet-Filtering Firewalls use a rule set to filter IP, TCP, ICMP, and other packets that pass through the network interface. Arriving and outgoing packets are filtered by the protocol type, source address, destination address, and port information contained in each packet. A filtering gateway doesn't require a powerful machine to run on; an old 486 box and a specialized one-floppy Linux mini-distribution should do the trick.
Packet Filtering Examples
• Default Policy: Deny everything that is not explicitly permitted.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
• Allow ssh login to firewall host from outside
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ssh -j ACCEPT
• Allow pings from all interfaces
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
• Drop any traffic coming from host 80.63.5.7
iptables -I INPUT 1 -i eth0 -s 80.63.5.7 -j DROP
There are various strategies for implementing packet filters. The following two are rather general:
• Build rules from most to least specific. Most packet filters process their rule sets from top to bottom and stop processing once a match is made.
• Place the most active rules near the top of the rule set. Screening packets is a processor-intensive operation. Hence, placing the popular rules first will save the processor from going through all rules for every packet.
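The first-match semantics behind these two strategies, as an added example that is not part of the lecture slides: a small Python model of the INPUT chain loaded with the slide's rules (default policy DROP, ssh and echo-request accepted, a DROP for 80.63.5.7). The Rule and Chain classes, the packet field names and the sample packets are this example's own assumptions; real Netfilter matching is far richer. Building the chain twice shows that the same DROP rule only blocks the host when it is inserted at position 1 (-I INPUT 1); appended after the ACCEPT rule for ssh, it is never reached for ssh packets.

```python
"""First-match packet filter: a model of the iptables INPUT chain on the slide."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One filter rule; a None field is a wildcard, like an omitted iptables match."""
    target: str                      # -j ACCEPT or DROP
    in_if: Optional[str] = None      # -i
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s, single host only in this model
    dport: Optional[int] = None      # --dport
    icmp_type: Optional[str] = None  # --icmp-type

    def matches(self, pkt: dict) -> bool:
        wanted = {"in_if": self.in_if, "proto": self.proto, "src": self.src,
                  "dport": self.dport, "icmp_type": self.icmp_type}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class Chain:
    """A chain with a default policy (-P) and an ordered rule list."""
    policy: str = "DROP"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:            # iptables -A
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I, 1-based position
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> str:
        # Top to bottom, first match wins; otherwise the chain policy applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_input_chain(drop_rule_first: bool) -> Chain:
    """The slide's INPUT chain; the DROP for 80.63.5.7 is inserted at position 1 or appended."""
    chain = Chain(policy="DROP")                                          # -P INPUT DROP
    chain.append(Rule("ACCEPT", in_if="eth0", proto="tcp", dport=22))     # ssh from outside
    chain.append(Rule("ACCEPT", proto="icmp", icmp_type="echo-request"))  # pings
    blocked = Rule("DROP", in_if="eth0", src="80.63.5.7")
    if drop_rule_first:
        chain.insert(1, blocked)   # -I INPUT 1 ...: evaluated before the ssh ACCEPT
    else:
        chain.append(blocked)      # -A INPUT ...: shadowed by the ssh ACCEPT for port 22
    return chain


# Constructed sample packets (field names are this example's own).
SSH_FROM_BLOCKED = {"in_if": "eth0", "proto": "tcp", "src": "80.63.5.7", "dport": 22}
SSH_FROM_OTHER = {"in_if": "eth0", "proto": "tcp", "src": "192.0.2.10", "dport": 22}
PING_INSIDE = {"in_if": "eth1", "proto": "icmp", "src": "10.0.0.5", "icmp_type": "echo-request"}
HTTP_FROM_OUTSIDE = {"in_if": "eth0", "proto": "tcp", "src": "192.0.2.10", "dport": 80}

if __name__ == "__main__":
    for label, first in (("-I INPUT 1", True), ("-A INPUT", False)):
        chain = build_input_chain(first)
        print(label, "ssh from 80.63.5.7 ->", chain.verdict(SSH_FROM_BLOCKED))
```

Running the block prints DROP for the inserted variant and ACCEPT for the appended one; the only difference between the two chains is the position of the DROP rule.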
Application Gateway: Application Firewall, Proxy
Figure (slide diagram): an application gateway between the inbound and outbound protocol stacks (Network, Transport, Application layers). Besides the header fields of a packet filter it examines the application data:
• Src IP Address (e.g. 152.96.129.3), Dst IP Address (e.g. 160.85.128.1)
• Protocol Type: 1 ICMP, 6 TCP, 17 UDP, 50 ESP
• Src Port Number, Dst Port Number: 53 DNS, 80 HTTP, 23 Telnet, ...
• TCP Flags: SYN, ACK, FIN, ...
• Application Data: HTTP, SOAP/XML, SQL, ...
Application Gateway has become synonymous with terms such as bastion host, proxy gateway, and proxy server. An application gateway makes access decisions based on packet information at all seven layers of the OSI model. An application gateway may also be configured with the ability to remove objectionable content, such as ActiveX or Java scripts, from web pages. Some proxies are not "seen" by the end-systems and are therefore called "transparent proxies" (as opposed to "visible proxies").
The proxy must "understand" each service. Proxies for newer services are usually hard to find.
Proxy Services
• Circuit-level gateway
  • establishes a TCP connection according to defined rules (a security policy)
  • No content filtering can be defined. No user authentication.
• Application-level gateway
  • establishes TCP connections with an application-level gateway in place.
  • administrator can control access for selected applications/network services (e.g. HTTP, SOAP/XML, etc.).
  • can filter content and can provide user authentication.
Application Gateway or Proxy Firewalls usually contain additional security support software like a VPN server, strong authentication services (tokens, smart cards), or virus scan engines. Proxy Firewalls, also known as "Proxy services", work between external and internal networks and provide replacement connections instead of direct connections with remote services. Proxies try to act more or less transparently. Proxy firewalls require powerful machines. It is possible to divide this category into two groups:
• A circuit-level gateway is a proxy service that establishes a TCP connection (or crosswires TCP ports) between internal and external networks according to defined rules (a security policy). No content filtering can be defined. The freely available SOCKS proxy server (a standard, generic networking proxy protocol) is a typical example of this approach. Circuit-level gateways don't provide user authentication.
• An application-level gateway is a proxy service that establishes TCP connections between internal and external networks; with an application-level gateway in place, an administrator can control access for selected applications/network services (i.e., HTTP, FTP, NNTP). Application-level gateways can filter content, while packet-filter and circuit-level gateways are unable to determine transmission content. Some application proxies can cache requested data to save bandwidth. Application-level gateways can provide user authentication and implement an access rights policy.
Proxy Service Example
Figure (slide diagram): Host A and Host B on the Intranet reach Server X on the Internet through the proxy on the firewall; each request is carried by two separate TCP connections (S: source, D: destination).
TCP Connection 1 (Intranet side): S: Host A Port 1024, D: Proxy Port 8080; S: Host B Port 1027, D: Proxy Port 8080.
TCP Connection 2 (Internet side): S: Firewall Port 3000, D: Server X Port 80 (for Host A); S: Firewall Port 3001, D: Server X Port 80 (for Host B).
Stateful Inspection Technology
• Communication- and application-derived state and context information
• Updated dynamically
• Provides full application-layer awareness without requiring a separate proxy for every service
• Check Point Software is credited with coining the term stateful inspection in the use of its FireWall-1 in 1993.
Stateful inspection is an advanced firewall architecture that was invented by Check Point Software Technologies in the early 1990s. Also known as dynamic packet filtering, it has replaced static packet filtering as the industry standard firewall solution for networks. Stateful inspection provides enhanced security by keeping track of communications packets over a period of time. Both incoming and outgoing packets are examined. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall. In contrast to static packet filtering, in which only the headers of packets are checked, stateful inspection analyzes packets up to the Application layer. In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs. In a typical network connected to the Internet, ports are normally closed unless an incoming packet requests connection to a specific port, and then only that port is opened to the packet. This prevents port scanning, a well-known technique used by hackers to gain entry to networks and individual computers connected to the Internet. [http://searchnetworking.techtarget.com]
Stateful Inspection I
Figure (slide diagram): packet flow through the FireWall-1 inspection engine: virtual defrag (chain of fragments), pre-inspection against the "connections" table, then the inspection virtual machine, which decides ACCEPT or DROP/REJECT and maintains the "connections" and "pending" tables.
Sources: Thomas Lopatic, John McDonald, TÜV data protect GmbH, [email protected], [email protected]; Song, CITI at the University of Michigan, [email protected]; "A Stateful Inspection of FireWall-1", Black Hat Briefings, 2000.
Stateful Inspection II
Figure (slide diagram): an internal client sends an accepted UDP packet from port C to port S of an external server; UDP replies from the server to port C are accepted, whether they come from port S or from any port.
• UDP "connections"
• from a client, port C
• to a server, port S + wildcard port
• <s-address, s-port, d-address, d-port, protocol>
Stateful Inspection III
Figure (slide diagram): FTP client 192.168.0.2 and FTP server 172.16.0.2.
Active mode: the control connection runs from a client port > 1023 to server port 21. The client sends "PORT 192,168,0,2,4,36" (4*256+36 = port 1060) and the server opens the data connection from port 20 to client port 1060.
Passive mode: the client sends "PASV" on the control connection to port 21; the server answers "227 ... (172,16,0,2,4,36)" and the client opens the data connection from a port > 1023 to server port 1060 (> 1023).
Stateful Inspection with Linux Netfilter: Examples
• Allow replies on outbound TCP packets
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
• Allow replies on outbound UDP packets
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
• Allow replies on outbound ICMP packets
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
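What the state match in these rules does, and the UDP "connection" tuple from Stateful Inspection II, as an added example that is not the lecture's nor Netfilter's code: a connection tracker that records flows opened by outbound NEW packets under their 5-tuple, classifies later packets as ESTABLISHED (same tuple or its reverse), RELATED (an ICMP error carrying the header of a tracked flow) or NEW, and expires idle entries. The OUTPUT chain accepts NEW, ESTABLISHED and RELATED; the INPUT chain accepts only ESTABLISHED and RELATED, so an unsolicited inbound packet falls through to DROP. The 30 s timeout, the packet dictionaries and the "inner" field standing in for the quoted header of an ICMP error are this example's simplifications.

```python
"""Connection tracking behind '-m state': a model of the slide's rules."""
from typing import Dict, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
IDLE_TIMEOUT = 30.0   # seconds; constructed value, Netfilter uses per-protocol/per-state timeouts


def tuple_of(pkt: dict) -> FiveTuple:
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reverse(t: FiveTuple) -> FiveTuple:
    """The tuple a reply to flow t carries."""
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConnTracker:
    """Flows opened by outbound NEW packets, keyed by their original-direction tuple."""

    def __init__(self) -> None:
        self.table: Dict[FiveTuple, float] = {}   # tuple -> timestamp of last packet

    def _expire(self, now: float) -> None:
        for t, seen in list(self.table.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.table[t]               # idle flow: replies are no longer expected

    def state(self, pkt: dict, now: float) -> str:
        """Classify like '-m state': ESTABLISHED, RELATED or NEW."""
        self._expire(now)
        t = tuple_of(pkt)
        for key in (t, reverse(t)):
            if key in self.table:
                self.table[key] = now           # refresh the idle timer
                return "ESTABLISHED"
        inner = pkt.get("inner")                # quoted header inside an ICMP error
        if pkt["proto"] == "icmp" and inner is not None:
            it = tuple_of(inner)
            if it in self.table or reverse(it) in self.table:
                return "RELATED"
        return "NEW"

    def open(self, pkt: dict, now: float) -> None:
        self.table[tuple_of(pkt)] = now


def filter_packet(tracker: ConnTracker, pkt: dict, chain: str, now: float) -> str:
    """OUTPUT: ACCEPT NEW,ESTABLISHED,RELATED. INPUT: ACCEPT ESTABLISHED,RELATED; policy DROP."""
    st = tracker.state(pkt, now)
    if chain == "OUTPUT":
        if st == "NEW":
            tracker.open(pkt, now)              # outbound NEW creates the flow entry
        return "ACCEPT"
    return "ACCEPT" if st in ("ESTABLISHED", "RELATED") else "DROP"


def run_scenario() -> list:
    """Constructed traffic: DNS query, its reply, an unsolicited packet, an ICMP error, a late reply."""
    tr = ConnTracker()
    query = {"proto": "udp", "src": "10.1.0.5", "sport": 40000, "dst": "192.0.2.53", "dport": 53}
    reply = {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.1.0.5", "dport": 40000}
    rogue = {"proto": "udp", "src": "198.51.100.9", "sport": 53, "dst": "10.1.0.5", "dport": 40000}
    unreach = {"proto": "icmp", "src": "192.0.2.53", "sport": 0, "dst": "10.1.0.5", "dport": 0,
               "inner": query}                  # port-unreachable quoting the query header
    return [
        filter_packet(tr, query, "OUTPUT", 0.0),    # NEW on OUTPUT: accepted, flow recorded
        filter_packet(tr, reply, "INPUT", 1.0),     # ESTABLISHED: reply to a tracked flow
        filter_packet(tr, rogue, "INPUT", 2.0),     # NEW on INPUT: dropped
        filter_packet(tr, unreach, "INPUT", 3.0),   # RELATED: ICMP error for a tracked flow
        filter_packet(tr, reply, "INPUT", 60.0),    # flow expired after 30 s idle: dropped
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Note that the rogue packet carries the same destination port as the real reply; a stateless filter that opened port 40000 for "replies" would have let it through, the tracker drops it because no outbound packet ever went to 198.51.100.9.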
Network Address Translation (NAT)
• NAT goals
  • Allow use of internal [private] IP addresses
  • Hide internal network structure
  • Disable direct [inbound] Internet connections
• NAT types
  • Dynamic: for connections from inside to outside; there may be fewer outside addresses than internal addresses
  • Static: for connections from outside to specific servers inside; one-to-one address mapping (fixed)
Network Address Translation (NAT)
Figure (slide diagram): "Local" network with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT device; "External" network towards the Internet. Packet 1 from SA 10.0.0.1 leaves with SA 192.69.1.1, packet 2 from SA 10.0.0.3 leaves with SA 192.69.1.2; host 10.0.0.4 is shown with "SA 10.0.0.4 ?" (no external address mapped).
NAT Table (Local IP Source Address / External IP Source Address):
10.0.0.1 / 192.69.1.1
10.0.0.3 / 192.69.1.2
Network Address Translation (NAT) is also known as IP masquerading. It provides a mapping between internal IP addresses and officially assigned external addresses. Originally, NAT was suggested as a short-term solution to the problem of IP address depletion. Also, many organizations have, in the past, used locally assigned IP addresses, not expecting to require Internet connectivity. NAT is defined in RFC 3022.
When NAT is configured, static mappings and/or dynamic pools of addresses must be configured. Static assignments permanently map a private address to a public address. Dynamic pools consist of a start IP address and the number of addresses in the pool.
NAT takes the IP address of an outgoing packet and translates it to an officially assigned global address. For incoming packets it translates the assigned address to an internal address. For each outgoing IP packet, the source address is checked against the NAT configuration rules. If a rule matches the source address, the address is translated to a global address from the address pool. The predefined address pool contains the addresses that NAT can use for translation. For each incoming packet, the destination address is checked to see whether it is used by NAT. When this is true, the address is translated to the original internal address.
It should be noted that implementation of NAT for specific applications that carry IP information in the application data is more sophisticated than the standard NAT implementations. If NAT translates an address for an IP packet, the checksum is also adjusted. For FTP packets, the task is even more difficult, because the packets can contain addresses in the data of the packet. For example, the FTP PORT command contains an IP address in ASCII. These addresses should also be translated correctly, and checksum updates and even TCP sequence and acknowledgement updates should be made accordingly.
There is no connection setup or tear-down at the IP level. Therefore, a timeout value should be configured that instructs NAT how long to keep an association in an idle state before returning the external IP address to the free NAT pool.
Source: Address Translation Tutorial http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm
Port Address Translation (PAT)
Figure (slide diagram): "Local" network with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a PAT device; "External" network towards the Internet. A packet from SA 10.0.0.1 leaves with SA 192.69.1.1:5001, a packet from SA 10.0.0.3 leaves with SA 192.69.1.1:5002.
NAT Table (Local IP Source Address:port / External IP Source Address:port):
10.0.0.1:X / 192.69.1.1:5001
10.0.0.3:Y / 192.69.1.1:5002
10.0.0.3:Z / 192.69.1.1:5003
10.0.0.4:X / 192.69.1.1:5004
PAT is used when several privately addressed workstations share a single public address. PAT uses the TCP and UDP port numbers to map multiple private addresses to the single public address. For normal applications such as web browsing and FTP transfers, PAT can be configured by just enabling the feature. When accesses are originated from the private addressed LAN, a mapping is established between the source port number and the source private address. When the response is received on the public addressed WAN port, the destination port is mapped back to the private address.
Static PAT port mappings or the PAT default address need to be configured when an application will initiate a TCP or UDP connection from the public network. If a publicly accessible server resides on a privately addressed LAN, static ports can be defined for the applications they are running. For example, TCP port 80 for a Web Server and TCP port 21 for a FTP server can be statically assigned. The PAT default address can be used with, or instead of, static port assignments, and is set to the private address of a workstation on the local LAN. If an incoming IP data packet is received on a WAN port and there is no existing dynamic or static port mapping, the packet will be translated using the PAT default address.
Source: Port Address Translation http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm
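The translation table described in the NAT and PAT notes above, as an added example that is neither the lecture's nor any router vendor's code: a PAT translator that rewrites the source of outbound packets to the single public address 192.69.1.1 with a port from a dynamic pool (5001 upwards, as in the slide's table), maps replies back through the same table, honours a static port mapping for a server inside, and otherwise either drops an unsolicited inbound packet or, if a PAT default address is configured, forwards it there. Address 203.0.113.8 for the external server, the static web server on 10.0.0.2 and the packet dictionaries are constructed for this example; checksum and sequence-number fix-ups are left out.

```python
"""Port Address Translation: many private (ip, port) pairs behind one public address."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class PAT:
    """Dynamic and static port mappings for a single public address."""

    def __init__(self, public_ip: str, first_port: int = 5001,
                 default_address: Optional[str] = None) -> None:
        self.public_ip = public_ip
        self.next_port = first_port              # dynamic pool, allocated upwards
        self.default_address = default_address   # "PAT default address" for unmapped inbound traffic
        self.out_map: Dict[Endpoint, int] = {}   # (local ip, local port) -> public port
        self.in_map: Dict[int, Endpoint] = {}    # public port -> (local ip, local port)

    def add_static(self, public_port: int, local_ip: str, local_port: int) -> None:
        """Static PAT entry for a server inside, e.g. public port 80 -> the web server."""
        self.in_map[public_port] = (local_ip, local_port)

    def _allocate(self) -> int:
        while self.next_port in self.in_map:     # never hand out a statically mapped port
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: dict) -> dict:
        """Rewrite the source of a packet leaving the LAN; first use creates the mapping."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_map:
            port = self._allocate()
            self.out_map[key] = port
            self.in_map[port] = key
        return {**pkt, "src": self.public_ip, "sport": self.out_map[key]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite the destination of a packet from the WAN; None means it is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        target = self.in_map.get(pkt["dport"])
        if target is None:
            if self.default_address is None:
                return None                      # no dynamic or static mapping, no default address
            target = (self.default_address, pkt["dport"])
        local_ip, local_port = target
        return {**pkt, "dst": local_ip, "dport": local_port}


def demo() -> dict:
    """Constructed traffic with the slide's addresses (public 192.69.1.1, private 10.0.0.x)."""
    pat = PAT("192.69.1.1")
    pat.add_static(80, "10.0.0.2", 80)           # assumed web server on the LAN
    srv = "203.0.113.8"                          # constructed external server
    a = pat.outbound({"proto": "tcp", "src": "10.0.0.1", "sport": 1024, "dst": srv, "dport": 80})
    b = pat.outbound({"proto": "tcp", "src": "10.0.0.3", "sport": 1027, "dst": srv, "dport": 80})
    reply_a = pat.inbound({"proto": "tcp", "src": srv, "sport": 80,
                           "dst": "192.69.1.1", "dport": a["sport"]})
    web = pat.inbound({"proto": "tcp", "src": srv, "sport": 40000, "dst": "192.69.1.1", "dport": 80})
    stray = {"proto": "tcp", "src": srv, "sport": 40001, "dst": "192.69.1.1", "dport": 6000}
    dropped = pat.inbound(stray)
    with_default = PAT("192.69.1.1", default_address="10.0.0.4").inbound(stray)
    return {"a": a, "b": b, "reply_a": reply_a, "web": web,
            "dropped": dropped, "with_default": with_default}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The default-address case is the one to watch: with it configured, every inbound packet that matches no mapping is delivered to 10.0.0.4, so that host is effectively exposed to the Internet on all ports.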
NAT with Linux Netfilter
Figure (slide diagram): chains and tables on the firewall host. Packets arriving on eth0 or eth1 pass the PREROUTING chain (Dst NAT, table -t nat) before the routing decision, then INPUT (to a local process) or FORWARD; packets from a local process pass OUTPUT (Dst NAT, -t nat); all packets leaving pass POSTROUTING (Src NAT, -t nat).
http://www.netfilter.org
NAT with Linux Netfilter: Examples
• Masquerading (with dynamic IP addresses)
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
    -j MASQUERADE
• Source NAT (with static IP addresses)
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
    -j SNAT --to 1.2.3.4-1.2.3.6
• Destination NAT (with static IP addresses)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j DNAT --to 10.1.0.7:8080
http://www.netfilter.org
Internet Security (IntSec)
10.3 Management
Administration Example 1: Checkpoint FireWall-1
Define authorization based on multiple criteria
Support for over 150 applications plus custom services
A firewall’s number one job is to provide access control. By default, FireWall-1 operates under the strictest security policy: “That which is not explicitly permitted is denied.” From this starting point, security managers add rules to allow access as appropriate.
Defining these rules is easy and intuitive with FireWall-1. A broad range of applications and services are supported out of the box, and defining additional network resources (e.g., protocols, services, users, groups, servers, etc.) is easy. These network resources are then used as the basis of security policy rules.
InspectXL is FireWall-1’s enabling technology, providing unparalleled application support and performance beyond 100Mbps. Based on Check Point’s patented Stateful Inspection, it provides the combination of high performance and high security.
http://www.checkpoint.com/products/firewall-1/index.html
Administration Example 2: Linux IPCop
http://www.ipcop.org
Monitoring and Logging
• Main Problem – Multitude of logging sources
  • Operating system logs, network management messages, firewall logs and alerts, router management messages, intrusion detection alarms, application and server statistics, system integrity checks.
  • Automated processing is a prerequisite.
• Central Log Server
  • All important system components should send their log messages to a central log server. The analysis and reporting can then be done centrally in a comprehensive way.
  • Logs should be immediately copied to a secure, non-erasable storage medium (e.g. write-once CD-ROMs) because attackers will try to remove their traces from the logs.
• Denial of Service Attacks
  • An effective denial of service attack might be mounted by flooding the log server with innumerable messages, thus filling up the file space.
  • Automatic alerting mechanisms must prevent this.
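One form the automatic alerting can take on the central log server, as an added example that is not part of the lecture: a detector that parses incoming lines, keeps a sliding window of timestamps per source host and raises one alert as soon as a host exceeds a message-rate threshold, so a flood is noticed while there is still disk space to notice it with. The line format "<epoch seconds> <host> <message>", the window of 10 s, the threshold of 5 messages and the sample lines (fw1 logging normally, srv9 flooding) are constructed for this example.

```python
"""Log flood detector for a central log server: per-source sliding-window rate alerting."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed line format: "<epoch seconds> <source host> <message>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<msg>.*)$")


class FloodDetector:
    """Counts messages per source inside a time window; alerts once per source above threshold."""

    def __init__(self, window_s: int = 10, threshold: int = 5) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)  # host -> timestamps in window
        self.alerted: set = set()                                 # hosts already reported

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return an alert string or None."""
        m = LINE.match(line)
        if m is None:
            return None                          # unparsable line: ignored by this model
        ts, host = int(m["ts"]), m["host"]
        q = self.recent[host]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                          # forget messages older than the window
        if len(q) > self.threshold and host not in self.alerted:
            self.alerted.add(host)               # alert once, not on every further message
            return f"ALERT: {host} sent {len(q)} messages within {self.window_s}s"
        return None


# Constructed sample: fw1 logs at a normal rate, srv9 emits eight messages within two seconds.
SAMPLE_LOG = [
    "1000 fw1 DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23",
    "1012 fw1 ACCEPT IN=eth1 SRC=10.0.0.5 DST=192.0.2.53 PROTO=UDP DPT=53",
    *[f"{1100 + i // 4} srv9 kernel: spurious interrupt" for i in range(8)],
    "1130 fw1 DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=22",
]


def alerts_for(lines: List[str]) -> List[str]:
    """Run the detector over a list of lines and collect the alerts it raises."""
    det = FloodDetector()
    return [a for a in (det.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

The alert fires on the sixth srv9 line, the first one that pushes the count above the threshold; a deployment would pair the alert with a per-source quota or a separate partition for the log store so that the flooding host cannot exhaust the space other sources need.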