Unit 4: Firewalls (I)

Transcription

1 Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2

2 What is a Firewall? A system that enforces access policy between two (or more) networks. Based on a rules/policies, the firewall: Blocks prohibited traffic. Note: this can be done silently (just drop) or actively, send back reset or ICMP messages. Usually better to do silently. Allow authorized traffic. And, (some) check that the traffic for a given application is behaving correctly. Firewall examines all traffic between the networks. Firewall may also perform other services: NAT / PAT Caching Web access control/site filtering VPN/IPSEC Two main philosophy to setup Firewall either: Block all that is not explicitly authorized. Authorize all that is not specifically blocked. Note: this can be used together on same firewall. Example: a firewall between an organization and the Internet you may at the same time setup: All inbound traffic except specifically authorized is blocked. All outbound traffic except specifically blocked is authorized. Always remember the implied rule. My suggestion: always write it explicitly. For this class: you are required to write it explicitly! Else I choose which one it is

3 What is a Firewall? A firewall is a device that makes the decision on what to do with a packet. The actions a firewall can take: Forward/accept the packet. Drop the packet silently. Drop the packet and send ICMP back to source to notify why it was dropped. This adhere to strict Internet standards but is it wise? How is it performed? Packets are evaluated against a list of rules and conditions When the packet matches a rule: the action is triggered (reject or allow). The rest of the rules are not evaluated.

4 What is a Firewall? Concretely what is a firewall? Can be many things: A router that runs traffic filtering rules or a modified version of the routing software (For example Cisco IOS Firewall Feature Set). This is often referred as Screening Router Firewalls or Screening Firewalls. Pro: Can use existing router to perform some traffic filtering such as RFC 1918 and RFC 2827 Filtering. Con: That can kill your router performance! Specially if rules become complex! A server with 2+ NICS running some traffic filtering or application proxy or specialized software. Usually Unix/Linux or Windows. Pro: Usually easy to use, nice GUI, use OS that the administrator may already be familiar with. Con: Using a general-purpose OS to support firewall has lower performance. If there is a security flaw in the OS (I know how likely is that ) the firewall may be compromised!

5 What is a Firewall? A specialized hardware piece running a specialized software. Often referred as Firewall Appliances. Pro: Used specialized OS that is stripped down to remove unnecessary services. Higher performance. Con: Higher Costs. May not have nice GUI. A Host-based firewall. A.K.A. Personal Firewall. This is the last firewall piece in a defense in-depth strategy: load firewall software on all hosts. Pro: Greatly enhanced security because of host-specific knowledge (For example, encrypted traffic can only be firewalled at end points). May allow to detect the presence/addition of unnecessary services at host. Con: Expensive. May be very hard to manage. Trends: host firewall or host IDS on all desktops the same way you see (or should see) anti-virus on all desktops today.

6 Types of Firewalls Packet Filter Statefull packet filter Application and Circuit Proxy

7 Packet Filtering Firewalls Control the forwarding or dropping of the data based on the IP header information. It does not keep track of the connection or session state. The information and fields that may be taken into consideration are: IP destination address IP source address Protocol type/number (ie: TCP, UDP, ICMP, etc...) Source protocol port number (TCP/80, UDP/53, etc ) Destination protocol port number (TCP/80, UDP/53, etc ) Flags (SYN, ACK, FIN,..etc..)

8 Packet Filtering Pros and Cons Advantages High performance Application independent Provide an economical solution to filter out many threats (SMURF, IP source route, some spoofing) Can be implemented at no cost on existing routers using Access Control Lists (ACL) Note: need to be careful here: this can very negatively impact routing performance on certain routers. This is specially true for core routers (Usually NEVER enable ACL on core routers). Make sure that: 1. You understand the impact of enabling ACL on router operation 2. You know the router can handle the extra load of doing ACL lookups and can still handle traffic in an acceptable manner. Disadvantages Only look at Header information How do you handle incoming or return traffic that use a random/high port for communication Example when you connect to www/80 what is your source port #? Can fairly easily be forced to pass traffic that is not proper Can dramatically lower performance of certain routers if implemented on them

9 Connection establishment: Three-way handshake

10 Connection Release: Four-way handshake Closing data stream in this direction only

11 State transition diagram

12 Client states

13 Server states

14 Statefull Packet Filtering Perform all the functions of a packet filtering firewall but also keep track of the state of the connection and past packets in the communication. The firewall will attempt to track all the information in the communication. This can be at all layers of the OSI. Examples: At layer 4 If it evaluate a TCP packet from B to A that has a SYN-ACK flag, it will verify that it has seen a corresponding SYN packet from A to B before. At Layer 7 If on SMTP, it see MAIL FROM message from A to B. It will verify that there has been a proper TCP connection established before and that a HELO command was sent and replied by a 2xx response from B to A. In other words: the statefull packet filter will keep track of all conversations and ensure that all packets transiting comply with proper protocol rules and operation. Note: new variation of statefull firewall is starting to be popular: statefull FW with Intrusion Detection System/Intrusion Prevention System. More on that in the IDS unit.

15 Statefull Packet Filtering Advantages Scalable and transparent High performance Can handle pesky applications that jump ports in the process Example: FTP in passive mode H.323 These are very hard to manage in a packet-filtering fw. Disadvantages Weak for stateless protocols Harder to handle UDP return traffic May not look at certain application layer data as a proxy would

16 Application and Circuit Proxy A proxy firewall acts as an intermediate communication point between 2 parties: Each party think they directly communicate to the other. Actually they communicate to the Proxy Firewall. A Proxy B: A communicates to the proxy, the proxy then acts as A when communicating to B and vice-versa. These proxy firewalls acts either at layer 3-4 (circuit proxy) or layer 7 (application proxy). Most often they act at layer 7.

17

18 Application and Circuit Proxy Advantages Better security as it looks at all data in the packet up to layer 7. Can perform other functions such as virus scanning. Disadvantages Lower performance L7 - Limited to protocols that are supported Poor scalability under heavy traffic May break custom applications May not support standard applications on nonstandard ports.

19 Other Services Sometime Performed by Firewall Network Address Translation Intrusion Detection/Prevention Denial-of-Service (DOS) Inspection Authentication Virtual Private Network Termination Traffic Logging URL and/or Content Filtering Virus Scanning

20 Firewalls Limitations Firewalls have limitations. It is VERY important to understand them: They do not protect against viruses, worms, or trojans (except in Application-level firewalls and new IDS/firewall hybrids.) Can t protect traffic that is not sent through them: Dial-up attacks; modems Social engineering Rerouting due to incompatibility with legacy system Back doors Cannot protect from danger in authorized traffic. (See Nimda and code red) Cannot protect from some spoofing.

21 Firewall Rules Template The XLS available proposes a template to write firewall rules. This template will be used in the class. Fields are: Set Name Rule # Protocol (IP, UDP, TCP, GRE, or protocol number) A/R (Accept/Reject) Source IP (Start) Source IP End or Source Wildcard Src Port (or protocol number) Destination IP (start) Destination IP (End) or Wildcard Dest Port Flag Comments Always have a last rule that says either: Deny all Permit all Note #1: Often firewalls come with a default last rule that is always inserted at the end and invisible. Strong suggestion ALWAYS specify a last rule even if it is the same as the system s default. Note #2: Often firewalls have a default deny all for ingress traffic and accept all for egress traffic. Why? Class discussion. The rule must then be applied to a firewall interface and to an interface traffic direction: Inbound or outbound.

22 Simple Firewall Rule Example My-AC-store.com E-Commerce Infrastructure Internet Users Internet ISP DNS Router Intruder, threat, opponent Outside Interface Note: all subnets are 24 bits Server Firewall 1 Inside Interface E-Comm - Web Inside Users Administrator

23 Simple Firewall Rule Example The spreadsheet present full rule set for a packet filtering firewall that do not use statefull inspection. Discussion in-class You can notice that some fairly general rules had to be added to allow return traffic. This is a problem and can allow attacker to bypass the firewall The simplified rule show rule set for a statefull firewall. The firewall will keep track of connection establishment, high port assignment and correspondence to conversation. This make rule writing simpler and enhance security But cost more $$$.

24 Firewall Example #2 Note: all subnets are 24 bits Internet Users My-ac-corporate.com E-Commerce Infrastructure Internet Intruder, threat, opponent ISP DNS Router Remote Office Headquarters Relay External Web External DNS Outside Interface Firewall 2Inside Interface Router Outside Interface Server Internal DNS Firewall 1 Outside Interface Inside Interface Firewall 3 Inside Interface Corporate Web Inside Users Inside Users

25 Firewall Example #2 Functional Requirements: Internal users are Headquarters and remote office. Internal user do DNS resolution on and can access corporate web and internal mail. between Internal and Internet transit via replay for virus scan. The Internal DNS resolve to ISP DNS for unknown zones. External web, relay handles all Internet user access including DNS resolve. All internal users can access web on 80/443. A Bad guy is prevent him any access. Ping and ping responses should be allowed All firewalls are statefull, return traffic inspection is not required. OPTIONAL You should perform RFC 1918 and anti-spoofing filtering. Please work on it and come up with solutions for next week. We will discuss in class. How many rule sets should be developed? ? More? Based on no traffic initiated or terminating at the FW, can we establish how many rules sets we will ever need if written correctly?

26 Firewall Example #2 (contd.) Part of Homework #3 (which is due in two weeks) is to write the firewall rules for the above example. Please try to write the rules and bring them to class next week. The initial thinking process, and some additional discussion during next class, will likely help you to do a better job for HW #3! This initial solution is to be included in your final HW #3 submission.