CSC 474/574 Information Systems Security
Topic 7.4 Firewalls
CSC 474/574, Dr. Peng Ning

Outline
- What are firewalls?
- Types
  - Filtering
    - Packet filtering
    - Session filtering
  - Proxy
    - Circuit level
    - Application level
- Brief introduction to the Linux firewall
What is a firewall?
- A device that provides secure connectivity between networks (internal/external; varying levels of trust)
- Used to implement and enforce a security policy for communication between networks

[Figure: a firewall between the Internet (untrusted users, hosts and servers) and the intranet (trusted users and hosts), with a router and a DMZ holding the publicly accessible servers and hosts]

Firewalls
- From Webster's Dictionary: "a wall constructed to prevent the spread of fire"
- Internet firewalls are more the moat around a castle than a building firewall: a controlled access point
Firewalls can:
- Restrict incoming and outgoing traffic by IP address, ports, or users
- Block invalid packets

Convenient side benefits
- Give insight into the traffic mix via logging
- Address translation
- Encryption
Firewalls cannot
- Protect traffic that does not cross them
  - Traffic routed around the firewall
  - Internal traffic
- Protect anything when misconfigured

Access control

[Figure: corporate network, DMZ net and web server pool behind the firewall; the firewall raises alerts on attack traffic arriving from the Internet]

Security requirement
- Control access to network information and resources
- Protect the network from attacks
Filtering
- Typically routes packets
- Packets are checked, then passed
- Inbound and outbound direction affects when the policy is checked

[Figure: client and server with a filtering router between them]

Filtering
- Packet filtering
  - Access control lists
- Session filtering, also called
  - Dynamic packet filtering
  - Stateful inspection
  - Smart packet filtering
  - Context-based access control
Filtering: issues to handle
- Fragmentation/reassembly
- Sequence number checking
- ICMP

Packet filtering
- Decisions are made on a per-packet basis
- No state information is saved
Typical configuration (packet filter)
- Ports > 1024 are left open: replies to connections opened by inside clients come back to the clients' ephemeral ports, and a filter without state cannot tell such a reply from a fresh inbound connection attempt
- If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work

[Figure: packet filter in a router, operating at the network layer; the transport, session, presentation and application layers of the two end systems are not touched]
Session filtering
- Packet decision made in the context of a connection
- If the packet starts a new connection, check it against the security policy
- If the packet is part of an existing connection, match it up in the state table and update the table

Typical configuration (session filter)
- All denied unless specifically allowed
- Dynamic protocols (FTP, H.323, RealAudio, etc.) allowed only if the filter supports them
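To make the difference between the two "typical configurations" concrete, here is an added example (not code from the lecture slides): a toy stateless packet filter and a toy session filter run over the same constructed packet trace. The inside network 10.0.0.0/8, the hosts, the ports and the trace are all made up for the demo, and only TCP is modelled. The stateless filter has to leave ports > 1024 open to let replies through, so unsolicited packets to those ports get in; the session filter accepts only packets that belong to a connection it has in its state table.

```python
"""Stateless packet filter vs. stateful session filter over one packet trace.

Added example, not from the lecture slides. The inside network (10.0.0.0/8),
hosts, ports and the packet trace are constructed for the demo; TCP only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def inside(ip: str) -> bool:
    """Hypothetical internal network: 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: one packet at a time, no memory of earlier packets.

    Policy: inside hosts may connect anywhere. Replies return to the client's
    ephemeral port, and without state the filter cannot tell a reply from a
    fresh inbound connection, so the usual configuration leaves every port
    above 1024 open to inbound traffic.
    """
    if inside(pkt.src) and not inside(pkt.dst):
        return "ACCEPT"
    if not inside(pkt.src) and inside(pkt.dst) and pkt.dport > 1024:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Session filter: each packet is judged in the context of a connection.

    A SYN without ACK is a new connection and is checked against the policy
    "deny all unless specifically allowed"; any other packet must match an
    entry in the state table, which is updated as the connection progresses.
    """

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _forward(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        fwd, rev = self._forward(pkt), self._reverse(pkt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if inside(pkt.src) and not inside(pkt.dst):  # policy: outbound only
                self.table[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            return "DROP"  # no known connection for this packet
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]  # teardown: forget the flow (simplified; no FIN-ACK tracking)
        elif key == rev and pkt.flags >= {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"  # the server answered the client's SYN
        return "ACCEPT"


def run_trace() -> List[Tuple[str, str, str]]:
    """Constructed trace; returns (description, stateless verdict, stateful verdict)."""
    client, server, attacker = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    F = frozenset
    trace = [
        ("client SYN to web server", Packet(client, 40000, server, 80, F({"SYN"}))),
        ("server SYN/ACK reply", Packet(server, 80, client, 40000, F({"SYN", "ACK"}))),
        ("client ACK completes handshake", Packet(client, 40000, server, 80, F({"ACK"}))),
        ("attacker SYN to X11 port 6000", Packet(attacker, 5555, client, 6000, F({"SYN"}))),
        ("attacker bare ACK (ACK scan)", Packet(attacker, 5555, client, 6000, F({"ACK"}))),
        ("forged SYN/ACK to unused port", Packet(server, 80, client, 40001, F({"SYN", "ACK"}))),
        ("attacker SYN to ssh port 22", Packet(attacker, 4444, client, 22, F({"SYN"}))),
    ]
    sf = StatefulFilter()
    return [(desc, stateless_filter(p), sf.filter(p)) for desc, p in trace]


if __name__ == "__main__":
    for desc, a, b in run_trace():
        print(f"{desc:32} stateless={a:6} stateful={b}")
```

The first three packets (a normal outbound web connection) pass both filters. The three unsolicited inbound packets to ports above 1024 pass the stateless filter, which has no way to know that no inside host asked for them, and are dropped by the session filter because nothing in its state table matches. The last packet, a SYN to port 22, is dropped by both.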
Session filtering
- Screens all attempts, protects all applications
- Extracts and maintains state information
- Makes an intelligent security/traffic decision

[Figure: session filter with dynamic state tables, sitting below the transport layer between the two end systems]

Proxy firewalls
- A relay for connections

[Figure: client, proxy, server]

- Two flavors
  - Application level
  - Circuit level
Application gateways
- Understand specific applications
- Limited proxies available
- The proxy impersonates both sides of the connection
- Resource intensive: one process per connection
- HTTP proxies may cache web pages

Application gateways
- More appropriate to TCP; ICMP is difficult
- Block all unless specifically allowed
- Must write a new proxy application to support a new protocol: not trivial!
Application gateways
- Clients configured for proxy communication
- Transparent proxies

[Figure: application-layer gateway with separate Telnet, FTP and HTTP proxies; the gateway runs a full stack up to the application layer between the two end systems]
Circuit-level gateways
- Support more services than an application-level gateway, but with less control over the data
- Hard to handle protocols like FTP (a second, dynamically negotiated data connection)
- Clients must be aware they are using a circuit-level proxy
- Protect against the fragmentation problem (the gateway terminates the connection and relays a fresh one)

SOCKS
- Circuit-level gateway
- Supports TCP
- SOCKS v5 supports UDP; earlier versions did not
- See http://www.socks.nec.com
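What "SOCKS-ifying" a client means at the wire level, as an added example (not code from the slides or from the SOCKS reference implementation): the byte strings a SOCKS v5 client sends to open a TCP circuit through the gateway, and a parser for the gateway's replies, following the message layout of RFC 1928 with the no-authentication method only. The host names, addresses and the sample replies are constructed for the demo; nothing is sent on the network.

```python
"""SOCKS v5 client messages for opening a circuit through a circuit-level gateway.

Added example, not from the lecture slides. Message layout follows RFC 1928
(no-authentication method only); all addresses and replies below are constructed.
"""
import ipaddress
import struct
from typing import Dict, Tuple

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def method_selection() -> bytes:
    """VER | NMETHODS | METHODS: the client offers only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_reply(data: bytes) -> int:
    """VER | METHOD: the method the server picked, or an error if it rejected all."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("bad SOCKS5 method reply")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("no acceptable authentication method")
    return data[1]


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT.

    The gateway sees only this target address and port: it never looks inside
    the application data that follows on the circuit.
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:  # not a literal address: send the name, let the gateway resolve it
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise ValueError("host name length not representable in SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (REP, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("bad SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, off = 4, 4
    elif atyp == ATYP_IPV6:
        addr_len, off = 16, 4
    elif atyp == ATYP_DOMAIN:
        addr_len, off = data[4], 5
    else:
        raise ValueError("unknown address type")
    if len(data) != off + addr_len + 2:
        raise ValueError("truncated reply or trailing data")
    raw = data[off:off + addr_len]
    addr = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[off + addr_len:])[0]
    return rep, addr, port


def demo() -> Dict[str, object]:
    """Client messages plus two constructed gateway replies (success, denied by policy)."""
    ok_reply = bytes([5, 0, 0, ATYP_IPV4]) + bytes([192, 0, 2, 10]) + struct.pack("!H", 43210)
    denied_reply = bytes([5, 2, 0, ATYP_IPV4]) + bytes(4) + bytes(2)
    return {
        "greeting": method_selection().hex(),
        "connect_ipv4": connect_request("198.51.100.7", 80).hex(),
        "connect_name": connect_request("example.com", 443).hex(),
        "ok": parse_reply(ok_reply),
        "denied": parse_reply(denied_reply),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

The point for the comparison that follows: the gateway's only decision input is the CONNECT target, so its ruleset can say "who may reach which address and port" (reply code 2 is the gateway refusing on that basis) but not inspect the application protocol carried on the circuit, and the client program has to be modified or linked against a SOCKS library to emit these messages at all.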
Comparison

                  Service support        Performance   Security
Packet filter     3                      1             No dynamic protocols without holes
Session filter    2                      2             Dependent on vendor for dynamic-protocol support
Circuit GW        2                      3
App. GW           1 (typically < 20)     4

Lower is better for security and performance; for service support the number ranks breadth (packet filters pass the most services, application gateways the fewest).

Comparison (cont'd)

Modify client applications?
Packet filter     No
Session filter    No
Circuit GW        Typically yes: "SOCKS-ify" the client applications
App. GW           Unless transparent, the client application must be proxy-aware and configured
Comparison (cont'd)

                  Protects against fragmentation?   Handles ICMP?
Packet filter     (not stated)                      Yes
Session filter    Maybe                             Yes
Circuit GW        Yes (SOCKS v5)                    No
App. GW           Yes                               No

Linux firewall: iptables
- History: ipfw -> ipfwadm -> ipchains -> iptables
- Based on the netfilter framework
The netfilter framework
- A framework for packet mangling

[Figure: netfilter hooks in the kernel protocol stack, with kernel modules attached to the hooks and a user-space tool above]

The netfilter framework (cont'd)
- Current protocols: IPv4, IPv6, and DECnet
- Five hooks for IPv4:
  [1] Pre-routing hook
  [2] Local-in hook
  [3] Forward hook
  [4] Local-out hook
  [5] Post-routing hook
- A packet traversing the netfilter system:

  in --> [1] --> [ROUTE] --> [3] ----------------> [5] --> out
                    |                               ^
                    v                               |
                   [2] --> local process --> [4] --> [ROUTE]
Packet filtering
- A packet traversing the netfilter system:

  in --> [1] --> [ROUTE] --> [3] ----------------> [5] --> out
                    |                               ^
                    v                               |
                   [2] --> local process --> [4] --> [ROUTE]

- Packet filtering uses only three of the hooks: [2] local-in, [3] forward and [4] local-out

IP tables
- A packet selection system
- Direct descendant of ipchains
- Used for
  - Packet filtering
  - Address translation (NAT): masquerading, port forwarding, transparent proxying
  - Packet mangling: actual changing of packet information
User-space tool: iptables
- iptables: the command to configure and communicate with the kernel modules
- iptables for packet filtering: three chains
  - INPUT
  - OUTPUT
  - FORWARD

iptables for packet filtering
- You need three things to configure a firewall rule
  - Which chain?
  - What packet pattern?
  - What action to apply?
- Example: drop all packets from 200.200.200.1

    iptables -A INPUT -s 200.200.200.1 -j DROP

- Use man iptables on Linux to get more information.
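The three questions above (which chain, what pattern, what action) and the way the routing decision selects the chain can be shown in a few dozen lines. The following is an added example, not code from the slides or from the netfilter project: a toy evaluator that reads rules written as iptables command lines, picks INPUT, OUTPUT or FORWARD from where the packet is going, walks the chain with first-match semantics and falls back to the chain policy. It understands only -P, and -A with -s, -d, -p, --dport and -j ACCEPT/DROP; the firewall's own address 192.0.2.10 and every rule and packet are constructed for the demo.

```python
"""Toy model of iptables packet filtering: chain selection, first match, policy.

Added example, not the lecture's or netfilter's code. Understands only
'-P CHAIN TARGET' and '-A CHAIN [-s A] [-d A] [-p PROTO] [--dport N] -j TARGET'.
The firewall's address, the rules and the test packets are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_ADDRS = {"192.0.2.10"}  # hypothetical address of the firewall host itself


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    chain: str
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every option given in the rule must match; options left out match anything."""
        return all([
            self.src is None or pkt.src == self.src,
            self.dst is None or pkt.dst == self.dst,
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
        ])


class Filter:
    def __init__(self) -> None:
        # iptables ships with every built-in chain's policy set to ACCEPT
        self.policy: Dict[str, str] = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.chains: Dict[str, List[Rule]] = {c: [] for c in self.policy}

    def load(self, command: str) -> None:
        """Parse one 'iptables ...' command line into a chain policy or an appended rule."""
        args = shlex.split(command)
        if args and args[0] == "iptables":
            args = args[1:]
        if args[0] == "-P":  # iptables -P INPUT DROP
            self.policy[args[1]] = args[2]
            return
        opts = dict(zip(args[0::2], args[1::2]))  # every option we accept takes one value
        rule = Rule(chain=opts["-A"], target=opts["-j"], src=opts.get("-s"), dst=opts.get("-d"),
                    proto=opts.get("-p"), dport=int(opts["--dport"]) if "--dport" in opts else None)
        self.chains[rule.chain].append(rule)  # -A appends: order of loading is order of evaluation

    @staticmethod
    def chain_for(pkt: Packet) -> str:
        """The routing decision picks the hook, and so the chain, a packet traverses."""
        if pkt.dst in LOCAL_ADDRS:
            return "INPUT"  # local-in hook [2]
        if pkt.src in LOCAL_ADDRS:
            return "OUTPUT"  # local-out hook [4]
        return "FORWARD"  # forward hook [3]

    def verdict(self, pkt: Packet) -> str:
        chain = self.chain_for(pkt)
        for rule in self.chains[chain]:  # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy[chain]  # nothing matched: the chain policy applies


def build_host_firewall() -> Filter:
    """Constructed rule set: deny inbound and forwarded traffic by default, then punch holes."""
    fw = Filter()
    for line in [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -s 200.200.200.1 -j DROP",  # the slide's example, deliberately first
        "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
        "iptables -A INPUT -p icmp -j ACCEPT",
    ]:
        fw.load(line)
    return fw


def demo() -> Dict[str, str]:
    fw = build_host_firewall()
    cases = {
        "ssh from 203.0.113.5": Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
        "ssh from 200.200.200.1": Packet("200.200.200.1", "192.0.2.10", "tcp", 22),
        "http to this host": Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
        "ping this host": Packet("203.0.113.5", "192.0.2.10", "icmp"),
        "routed through (forward)": Packet("203.0.113.5", "10.0.0.7", "tcp", 80),
        "outbound from this host": Packet("192.0.2.10", "203.0.113.5", "tcp", 443),
    }
    return {name: fw.verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:26} {v}")
```

Two things the run shows that the slide only implies. Rule order matters: because the DROP for 200.200.200.1 is appended before the ssh ACCEPT, that host cannot reach port 22, while appending it afterwards would let it in. And the chain policy is the safety net: the http packet matches no rule and is dropped only because INPUT's policy was changed from the default ACCEPT to DROP. The model is stateless; on a real host the rule set above would also need a rule such as -m state --state ESTABLISHED,RELATED -j ACCEPT near the top of INPUT so that replies to the host's own outbound connections are let back in, which is exactly the session-filtering capability discussed earlier in the lecture.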