Outline (slide index): Firewalls; Network layer firewalls; Stateless Firewalls; Stateful Firewalls; Network Address Translation; NAT Flavors; NATP; Firewall Summary

Firewalls
- A network layer firewall works as a packet filter: it decides which packets will pass the firewall according to rules defined by the administrator.
- Filtering rules can act on the basis of:
  - source address
  - destination address
  - ports
  - higher-level network protocols the packet contains
- Network layer firewalls tend to operate very fast, and transparently to users.

Network layer firewalls
- Generally fall into two sub-categories:
- Stateful
  - Hold some information on the state of connections as part of their rules, for example: established or not, initiation, handshaking, data, or breaking down the connection.
  - Example rule: only hosts inside the firewall can establish connections on a certain port.
- Non-stateful (stateless)
  - Have packet-filtering capabilities.
  - Cannot make more complex decisions on what stage communications between hosts have reached, so they offer less security.
  - Somewhat resemble a router in their ability to filter packets.

Firewalls
- Software: extra software on the host. Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall.
  Appropriate operating systems for such a configuration include Linux, Solaris, the BSDs or Windows Server.
- Hardware: an external computer with special software.
- Combination of both.

Stateless Firewalls
- A firewall that treats each network frame (or packet) in isolation.
- It has no way of knowing if any given packet is part of an existing connection, trying to establish a new connection, or just a rogue packet.
- This was the typical behavior of firewalls before the advent of stateful firewalls.
- Modern firewalls are connection-aware (or state-aware), which allows network administrators finer-grained control of network traffic.

Stateless Firewalls: the problem
- The classic example is the File Transfer Protocol (FTP): by design it opens new connections to random ports.
- Suppose you are the firewall of company X, protecting the company from unauthorized traffic from the Internet. You notice a TCP packet coming from some host across the globe, destined for a machine of your internal network, TCP port number 4970. This port number does not correspond to any well-known service that your protected network is supposed to provide (like Web, FTP or SSH), so you discard the packet. You just broke a legitimate FTP connection!
- FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since the firewall has no way of knowing that the packet destined to the protected network, to some host's port 4970, is part of a legitimate FTP session, it will drop the packet.
- Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing, legitimate connections.

Stateful Firewalls
- A firewall that keeps track of the state of network connections traveling across it, such as TCP streams.
- Performs stateful packet inspection (or stateful inspection).
- Programmed to distinguish legitimate packets for different types of connections.
- Only packets which match a known connection state will be allowed by the firewall; others will be rejected.

Stateful Firewalls: background
- Early attempts at producing firewalls operated at the application level of the seven-layer OSI model and required too much CPU power.
- Packet filters operate at the network layer (layer 3) and function more efficiently because they only look at the header part of a packet.
- However, pure packet filters have no concept of state and are subject to spoofing attacks and other exploits.

Stateful Firewalls: how it works
- Holds in memory significant attributes of each connection, from start to finish.
- These attributes, collectively known as the state of the connection, may include such details as:
  - the IP addresses and ports involved in the connection
  - the sequence numbers of the packets traversing the connection
- The most CPU-intensive checking is performed at the time of setup of the connection. All packets after that (for that session) are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session.
- Once the session has ended, its entry in the state table is discarded.

Stateful Firewalls: how it works (TCP)
- Depends on the three-way handshake of the TCP protocol.
- When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections.
- If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bits are set.
- The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state.
- The firewall built into Windows XP will, for instance, pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.

Stateful Firewalls: how it works (cont.)
- In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period. These stale connections are removed from the state table.
- Many applications therefore send keepalive messages periodically, which keeps a firewall from dropping the connection during periods of no user activity. Some firewalls can be instructed to send these messages for applications.
- It is worth noting that the most common Denial of Service attack on the Internet these days is the SYN flood: a malicious user intentionally sends large amounts of SYN packets to the server in order to overflow its state table, which blocks the server from accepting other connections.

Stateful Firewalls: how it works (cont.)
- Many stateful firewalls are able to track the state of connections in connectionless protocols, like UDP.
- Such connections usually enter the ESTABLISHED state immediately after the first packet is seen by the firewall.
- Sessions in connectionless protocols can only end by time-out.
- By
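The stateless port filter from the port-4970 example and the handshake-driven state table described in the stateful slides, side by side in one added Python example. This is an illustration written for this page, not code from the lecture: the addresses, the INSIDE_SERVICES policy, the timeout values and the NEW / SYN_RECV / ESTABLISHED state names are constructed, and the tracker keys entries on addresses and ports only (a real implementation would also check sequence numbers).

```python
"""Toy packet filters: a stateless port rule set next to a stateful
connection tracker.  Added illustration, not the lecture's code; all
addresses, ports and the INSIDE_SERVICES policy below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN = 0x02  # TCP flag bits as they appear in the TCP header
ACK = 0x10

# Assumed policy: the services the protected network offers to the Internet.
INSIDE_SERVICES = {21, 22, 80}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0        # TCP flag bits; ignored for udp
    inbound: bool = True  # True: arrives from the Internet; False: leaves the inside


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter with no memory of earlier packets: outbound traffic is
    always passed, inbound traffic only if it targets a published service.
    A reply to an inside host's high port (e.g. 4970) is therefore dropped."""
    return (not pkt.inbound) or pkt.dport in INSIDE_SERVICES


# (proto, inside addr, inside port, outside addr, outside port)
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Keeps a state table keyed on the addresses and ports of each
    connection; TCP entries follow the three-way handshake
    (NEW -> SYN_RECV -> ESTABLISHED), UDP entries are ESTABLISHED at once."""

    def __init__(self, tcp_timeout: float = 300.0, udp_timeout: float = 30.0):
        self.tcp_timeout = tcp_timeout
        self.udp_timeout = udp_timeout
        self.table: Dict[Key, Tuple[str, float]] = {}  # key -> (state, last_seen)

    @staticmethod
    def _key(pkt: Packet) -> Key:
        # Both directions of one connection map to the same key.
        if pkt.inbound:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _expire(self, now: float) -> None:
        # Idle sessions are removed so the table cannot fill with stale entries.
        for key, (_, last_seen) in list(self.table.items()):
            limit = self.tcp_timeout if key[0] == "tcp" else self.udp_timeout
            if now - last_seen > limit:
                del self.table[key]

    def state_of(self, pkt: Packet) -> Optional[str]:
        entry = self.table.get(self._key(pkt))
        return entry[0] if entry else None

    def half_open(self) -> int:
        """Number of NEW entries (SYN seen, handshake unfinished); this is the
        count a SYN flood tries to inflate until the state table overflows."""
        return sum(1 for state, _ in self.table.values() if state == "NEW")

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            return self._open(pkt, key, now)
        state, _ = entry
        if pkt.proto == "tcp":
            if state == "NEW" and pkt.flags & SYN and pkt.flags & ACK:
                state = "SYN_RECV"          # server answered with SYN+ACK
            elif state == "SYN_RECV" and pkt.flags & ACK and not pkt.flags & SYN:
                state = "ESTABLISHED"       # client's final ACK
        self.table[key] = (state, now)      # refresh the idle timer
        return True                         # matches a known connection

    def _open(self, pkt: Packet, key: Key, now: float) -> bool:
        # No entry yet: only a fresh connection attempt may create one, and
        # inbound attempts are limited to the published services.
        if pkt.inbound and pkt.dport not in INSIDE_SERVICES:
            return False
        if pkt.proto == "udp":
            self.table[key] = ("ESTABLISHED", now)
            return True
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.table[key] = ("NEW", now)
            return True
        return False                        # stray non-SYN packet, no session


if __name__ == "__main__":
    fw = StatefulFirewall()
    syn = Packet("tcp", "10.0.0.5", 4970, "203.0.113.9", 80, SYN, inbound=False)
    synack = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 4970, SYN | ACK)
    for t, pkt in ((0.0, syn), (1.0, synack)):
        print(f"t={t:>4}: stateless={stateless_allow(pkt)} "
              f"stateful={fw.allow(pkt, t)} state={fw.state_of(pkt)}")
```

Running the trace shows the point of the slides: the SYN+ACK arriving for the inside host's port 4970 is dropped by the stateless rule set (4970 is not a published service) but passed by the tracker, because it matches the entry created by the outbound SYN; once the client's ACK is seen the entry is ESTABLISHED, and data in either direction is accepted until the idle timeout removes the entry. UDP sessions enter ESTABLISHED on the first packet and end only by timeout, and `half_open()` exposes the count a SYN flood inflates. The FTP data-channel case from the slides needs one more piece this toy omits: a protocol helper that reads the negotiated port from the control connection and pre-registers the expected data connection in the table.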