Outline
- Firewalls
- What is a Firewall?
- Classification of Firewall
- Firewalls – Packet Filters
- Slide 5
- Usage of Packet Filters
- How to Configure a Packet Filter
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Security & Performance of Packet Filters
- Slide 14
- Port Numbering
- Firewalls – Stateful Packet Filters
- Stateful Filtering
- Firewall Outlines
- Firewall Gateways
- Firewalls - Application Level Gateway (or Proxy)
- Application-Level Filtering
- App-level Firewall Architecture
- Enforce policy for specific protocols
- Where to Deploy App-level Firewall
- Screened Host Architecture
- Screened Subnet Using Two Routers
- Firewalls Aren't Perfect?
- Quiz
- Backup Slides
- Firewalls - Circuit Level Gateway
- Slide 31
- Dynamic Packet Filters
- Slide 33
- Slide 34
- Slide 35
- Address-Spoofing
- External Interface Ruleset
- Net 1 Router Interface Ruleset
- How Many Routers Do We Need?
- Routing Filters
- Routing Filters (cont)
- Slide 42
- Slide 43
- Slide 44
- Dual Homed Host Architecture
- Asymmetric Routes
- Are Dynamic Packet Filters Safe?
- Distributed Firewalls
- Distributed Firewalls Drawback
- Where to Filter?
- Dynamic Packet Filter Implementation
- Per-Interface Tables Consulted by Dynamic Packet Filter

Firewalls

What is a Firewall?
- A choke point of control and monitoring
- Interconnects networks with differing trust
- Imposes restrictions on network services
  - Only authorized traffic is allowed
- Auditing and controlling access
  - Can implement alarms for abnormal behavior
- Itself immune to penetration
- Provides perimeter defence

Classification of Firewall
- Characterized by the protocol level it controls in:
  - Packet filtering
  - Circuit gateways
  - Application gateways

Firewalls – Packet Filters
- Simplest of components
- Uses transport-layer information only:
  - IP source address, destination address
  - Protocol/Next Header (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  - ICMP message type
- Examples
  - DNS uses port 53
  - No incoming port 53 packets except from known trusted servers

Usage of Packet Filters
- Filtering on incoming or outgoing interfaces
  - E.g., ingress filtering of spoofed IP addresses
  - Egress filtering
- Permits or denies certain services
  - Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

How to Configure a Packet Filter
- Start with a security policy
- Specify allowable packets in terms of logical expressions on packet fields
- Rewrite the expressions in the syntax supported by your vendor
- General rules - least privilege
  - All that is not expressly permitted is prohibited
  - If you do not need it, eliminate it
- Every ruleset is followed by an implicit rule reading like this.

Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that traffic from some particular site SPIGOT is to be blocked.

Solution 1:

Example 2: Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Solution 2:

This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough…

So why is it wrong?
- Our defined restriction is based solely on the outside host's port number, which we have no way of controlling.
- Now an enemy can access any internal machine and port by originating his call from port 25 on the outside machine.

What can be a better solution?
- The ACK flag signifies that the packet is part of an ongoing conversation
- Packets without the ACK flag are connection establishment messages, which we are only permitting from internal hosts

Security & Performance of Packet Filters
- Tiny fragment attacks
  - Split TCP header info over several tiny packets
  - Either discard or reassemble before checking
- Degradation depends on the number of rules applied at any point
- Order rules so that the most common traffic is dealt with first
- Correctness is more important than
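The rule logic of Examples 1 and 2 and the ACK-based fix, as an added simulation that is not part of the slides: a first-match stateless filter with the implicit final deny, evaluated over constructed packets. Addresses (the 10.0.0.0/24 inside net, the gateway 10.0.0.25, SPIGOT as 192.0.2.99) and the outside host are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    ack: bool    # TCP ACK flag set (packet belongs to an ongoing conversation)

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str = "*"          # exact IP, or prefix ending in "."; "*" matches anything
    sport: object = "*"
    dst: str = "*"
    dport: object = "*"
    need_ack: bool = False  # rule matches only packets carrying the ACK flag

def _ip(ip, pat):
    return pat == "*" or ip == pat or (pat.endswith(".") and ip.startswith(pat))

def _port(port, pat):
    return pat == "*" or port == pat

def decide(rules, pkt):
    """First matching rule wins; the implicit final rule denies everything else."""
    for r in rules:
        if (_ip(pkt.src, r.src) and _port(pkt.sport, r.sport)
                and _ip(pkt.dst, r.dst) and _port(pkt.dport, r.dport)
                and (pkt.ack or not r.need_ack)):
            return r.action
    return "deny"   # all that is not expressly permitted is prohibited

# Constructed addresses (not from the slides): inside prefix, mail gateway, SPIGOT.
INSIDE, GATEWAY, SPIGOT = "10.0.0.", "10.0.0.25", "192.0.2.99"

# Solution 1: block SPIGOT, allow inbound SMTP only to the gateway.
SOLUTION1 = [Rule("deny", src=SPIGOT), Rule("allow", dst=GATEWAY, dport=25)]

# Solution 2 as the slides describe it: inside hosts may call out to port 25, and
# anything from outside port 25 may come back in. The second rule is the hole.
SOLUTION2_FLAWED = [Rule("allow", src=INSIDE, dport=25), Rule("allow", sport=25, dst=INSIDE)]

# Better solution: replies from port 25 must carry ACK; a bare SYN from port 25 is a
# connection attempt originated outside and falls through to the implicit deny.
SOLUTION2_ACK = [Rule("allow", src=INSIDE, dport=25),
                 Rule("allow", sport=25, dst=INSIDE, need_ack=True)]

def probe_from_port_25(rules):
    """Outside host opening a connection to an inside host's port 22 from source port 25."""
    return decide(rules, Packet("198.51.100.7", 25, "10.0.0.7", 22, ack=False))

if __name__ == "__main__":
    print("flawed ruleset:", probe_from_port_25(SOLUTION2_FLAWED))  # allow
    print("ACK ruleset:   ", probe_from_port_25(SOLUTION2_ACK))     # deny
```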