Firewalls and Network Defence - University of Warwick



Harjinder Singh Lallie (September 12) 1

Firewalls and Network Defence

Lecture Goals

• Learn about traditional perimeter protection

• Understand the way in which firewalls are used to protect networks

• Understand the functions and limitations of the three different types of firewall (Packet Inspection, Stateful and Application/Proxy)

• Consider the use of security zones and topologies to implement network-based security

• Understand the concept of layered approaches to security

• Understand some of the considerations that need to be deployed in the purchase/deployment of a firewall

Assumptions:

• Students know about anti-virus software and how it is used on clients and servers


Let’s draw some analogies from physical (traditional) security systems

What do you notice here?


Where do you think the pass (are you in the right place) is checked?


Where do you think Malware (bombs) are detected?


Do you think any ‘logging’ takes place anywhere?

Layered Security

• Consider the security of a bank

• A layered approach ensures that there is no single point of failure

• The topmost layer looks at ALL the traffic and could never interrogate each packet in intricate detail, as that would degrade performance


Firewalls

What is a firewall?

“a network device—hardware, software, or a combination—whose purpose is to enforce a security policy across its connections”

• e.g. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only the necessary ports for e-mail open, with others blocked.

• Apply the “principle of least access”

• Firewalls can make one of three decisions:

– Accept (allow the packet through)

– Drop (discard the packet without informing the sender)

– Reject (inform the source that the packet is rejected)


Typical Firewall rules

• If the packet is from inside the network and TCP destination port = 80 or TCP destination port = 443, then allow connection [pass all HTTP traffic to any web server]

• If the packet is from outside and TCP destination port = 25 and IP destination address = 60.47.3.35, then allow connection [pass all SMTP traffic to a specific host (mail server)]

• If the packet is from outside and IP Protocol = 51 and IP destination address = 60.47.3.77, then allow connection [pass all encrypted ESP (Encapsulating Security Payload) traffic to the firm’s IPsec gateway]

• Deny ALL [deny all other externally initiated connections; this is the default behaviour]

In the first example the rule allows a connection to any web server, whereas in the second example the rule allows a connection only to a specific mail server; the second rule is therefore safer.
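The four rules above as a first-match packet filter, as an added example that is not part of the lecture: the predicates, the constructed packets and the 203.0.113.9 web-server address are assumptions, while 60.47.3.35 and 60.47.3.77 are the slide’s own values.

```python
# Added example (not from the lecture): a first-match packet filter encoding
# the four rules on the slide. It shows why the host-specific SMTP rule is
# safer than the port-only HTTP rule. 60.47.3.35 and 60.47.3.77 are the
# slide's addresses; every packet below is constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TCP, ESP = 6, 51  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    direction: str   # "inside" (originated on the LAN) or "outside"
    proto: int       # IP protocol number
    dst_ip: str
    dst_port: Optional[int] = None   # None for protocols without ports (ESP)

# A rule is (description, predicate, action). Evaluation stops at the first
# matching predicate, so order matters; the last rule is the default deny.
Rule = Tuple[str, Callable[[Packet], bool], str]

RULES: List[Rule] = [
    ("HTTP/HTTPS from inside to any web server",
     lambda p: p.direction == "inside" and p.proto == TCP
               and p.dst_port in (80, 443), "accept"),
    ("SMTP from outside to the mail server only",
     lambda p: p.direction == "outside" and p.proto == TCP
               and p.dst_port == 25 and p.dst_ip == "60.47.3.35", "accept"),
    ("ESP (IPsec) from outside to the VPN gateway only",
     lambda p: p.direction == "outside" and p.proto == ESP
               and p.dst_ip == "60.47.3.77", "accept"),
    ("default", lambda p: True, "drop"),
]

def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (action, description of the first matching rule)."""
    for desc, match, action in RULES:
        if match(p):
            return action, desc
    raise AssertionError("unreachable: the default rule matches everything")

def demo() -> dict:
    cases = {
        # outbound browsing to any host is accepted by rule 1
        "lan_https_anywhere": Packet("inside", TCP, "203.0.113.9", 443),
        # inbound mail to the designated server is accepted by rule 2
        "smtp_to_mailhost":   Packet("outside", TCP, "60.47.3.35", 25),
        # inbound SMTP to any other internal host falls through to default deny
        "smtp_to_other_host": Packet("outside", TCP, "60.47.3.36", 25),
        # rule 1 is inside-only, so inbound HTTP is dropped
        "http_from_outside":  Packet("outside", TCP, "60.47.3.35", 80),
        # ESP to the IPsec gateway is accepted by rule 3
        "esp_to_gateway":     Packet("outside", ESP, "60.47.3.77"),
    }
    return {name: filter_packet(p)[0] for name, p in cases.items()}

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action}")
```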


Packet Filtering Firewalls


The Problem with Packet Filtering Firewalls


Stateful Firewalls

• Keeps track of the state of network connections (TCP/UDP) and distinguishes legitimate packets in the context of each connection; illegitimate packets are rejected

• Vista and Windows 7 use ‘TCP window scaling’ for non-HTTP-based connections; this is incompatible with some firewalls that use Stateful Packet Inspection (SPI), such as Checkpoint NG R55, Cisco PIX earlier than v6.3.1 and Netgear WGR614

• TCP connections operate in a ‘stateful’ manner wherein a connection opens by connecting to a particular port, after which the port is switched over to another port


Stateful Firewalls

• A packet can be in one of two states: either a packet involved in a new connection (connection opening) or a packet that is part of an ongoing communication

• The former is the more expensive packet to deal with, as an SPI firewall has to create entries in the state table; the latter is much cheaper to deal with. In fact most packets belong to the latter category, which makes an SPI firewall cost effective


SPI States


Stateful Packet Inspection (SPI): new connections


Stateful Packet Inspection (SPI): handling existing connections


Response from 60.55.33.12:4400 to 123.80.5.34:80


SPI, dealing with attacks
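A minimal state table implementing the behaviour described on the last few slides, as an added example that is not from the lecture. It assumes the slide’s packet from 60.55.33.12:4400 to 123.80.5.34:80 is an unsolicited “response” aimed at the internal host; the packet sequence and the 123.80. trusted prefix are constructed.

```python
# Added example (not from the lecture): a minimal stateful packet inspection
# (SPI) engine for TCP. An outbound SYN from the trusted side creates a state
# table entry (the expensive "new connection" case); later packets are accepted
# only if they match an entry in either direction (the cheap case); anything
# else is dropped. Addresses are the slide's; the packet sequence and the
# reading of the slide's "response" packet as a forged reply are assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

class SpiFirewall:
    def __init__(self, trusted_prefix: str) -> None:
        self.trusted_prefix = trusted_prefix   # e.g. "123.80." for the LAN
        self.table: Dict[FlowKey, str] = {}    # flow -> "SYN_SENT" / "ESTABLISHED"

    def inspect(self, p: TcpPacket) -> str:
        fwd: FlowKey = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev: FlowKey = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.table:                  # continues a known flow
            return "accept"
        if rev in self.table:                  # reply to a known flow
            if p.syn and p.ack:                # SYN/ACK completes the handshake
                self.table[rev] = "ESTABLISHED"
            return "accept"
        # No state yet: only a connection opening (plain SYN) from the trusted
        # side may create an entry; inbound SYNs and stray packets are dropped.
        if p.syn and not p.ack and p.src_ip.startswith(self.trusted_prefix):
            self.table[fwd] = "SYN_SENT"
            return "accept"
        return "drop"

def demo() -> dict:
    fw = SpiFirewall("123.80.")
    lan, web = "123.80.5.34", "60.55.33.12"
    results = {
        "lan_opens_connection": fw.inspect(TcpPacket(lan, 4400, web, 80, syn=True)),
        "server_syn_ack": fw.inspect(TcpPacket(web, 80, lan, 4400, syn=True, ack=True)),
        "lan_ack": fw.inspect(TcpPacket(lan, 4400, web, 80, ack=True)),
        "server_data": fw.inspect(TcpPacket(web, 80, lan, 4400, ack=True)),
        # the slide's packet "from 60.55.33.12:4400 to 123.80.5.34:80": no
        # entry matches, so SPI drops it as an unsolicited (forged) response
        "forged_response": fw.inspect(TcpPacket(web, 4400, lan, 80, ack=True)),
        # an inbound SYN cannot create state on its own
        "outside_syn": fw.inspect(TcpPacket(web, 5555, lan, 22, syn=True)),
    }
    results["state"] = fw.table[(lan, 4400, web, 80)]
    return results
```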


Application/Proxy Firewall


Security Topologies – Security Zones

• The analogy is a castle: a castle has a moat, an outside wall, an inside wall and even a keep

• The outermost layer in a network provides basic protection, and the innermost layers provide the highest level of protection

• Accessibility tends to be inversely related to the level of protection

• The outermost zone is the Internet, a free area beyond any specific controls and an area where machines are considered at risk, often referred to as the demilitarized zone (DMZ)


DMZ

• Typically contains devices accessible to Internet traffic (FTP, web and email servers)

– Forces a user to make at least one hop in the DMZ before accessing information inside the trusted network

• A firewall can be used on each side of the DMZ. The area between these firewalls is accessible from either the inner, secure, network or the Internet.

– The firewalls are specifically designed to prevent access across the DMZ directly, from the Internet to the inner, secure, network.

• Special attention should be paid to the security settings of network devices placed in the DMZ, which should always be assumed to be exposed to unauthorized use

• Certain servers should NOT be accessible from the outside, e.g. domain name servers, database servers, application servers, file servers, print servers etc.


Demilitarised Zones


A Dual Homed Firewall


Two legged firewall with fully exposed DMZ


Three legged firewall


How a DMZ works


A VPN attack with just one firewall


A VPN attack with two firewalls (the layered approach)


An example of how a layered approach works

As an example, consider the steps an intruder might have to take to access critical data held within a company’s back-end database. The intruder will first need to penetrate the firewall and use packets and methods that will not be identified and detected by the intrusion detection system. The attacker will then have to circumvent an internal router performing packet filtering and possibly penetrate another firewall that is used to separate one internal network from another. From here, the intruder must break the access controls that are on the database, which means having to do a dictionary or brute-force attack to be able to authenticate to the database software. Once the intruder has gotten this far, the data still needs to be located within the database. This may in turn be complicated by the use of access control lists outlining who can actually view or modify the data. That is a lot of work.


Diversity of Defence

• Having added a number of layers, if each of the layers is the ‘same’, then it achieves nothing, as penetrating one layer penetrates all of them

• E.g. two firewalls which filter for different types of traffic and provide different types of restriction

– Firewall 1: no FTP, SNMP or Telnet

– Firewall 2: no SSL or SSH

• E.g. use products from different vendors

– Checkpoint firewall is the first line of defence (see above)

– Cisco PIX is the second line of defence


The downside is the amount of extra training/administration time required to service this (upgrades, patches: KNOW THE IMPLICATIONS)

What this configuration achieves

• Separates user from the request for data on a secure network

• This layered approach allows significant security levels to be enforced as this filtering process can put controls in place.

• Scalability is more easily realized. The multiple-server solution can be made to be very scalable to literally millions of users, without slowing down any particular layer.


Compliance

For a firewall to be deployed by a data centre that processes credit card numbers, it must comply with the PCI DSS requirements pertaining to the installation and maintenance of a firewall configuration to protect cardholder data. These requirements are built into the firewall tests conducted by ICSA Labs.


Considerations to be made when deploying network defence equipment

• Data throughput – the amount of data the firewall can handle ‘in theory’

• Concurrent connections

• Connections per second


Throughput vs concurrent connections

• Data throughput is rated in Gbps, e.g. 1 Gbps or 4 Gbps; however, the amount of data that can be ‘throughput’ is not the full story.

• During a distributed denial-of-service (DDoS) attack, it’s not just bulk throughput that matters; it’s how the device handles concurrent connections and connections per second.

– A typical £32,000 conventional firewall may have a throughput of 10 Gbps; it can probably handle between 1 and 2 million concurrent connections

– The WikiLeaks attackers of 2010 generated more than 2 million concurrent connections using a single botnet

– The next level of firewall (between £64,000 and £96,000) can handle around 4 to 10 million connections per second


… vs Connections per second

• The “£32,000 firewall” can typically handle 50,000 to 100,000 new connections per second

• When a firewall performs stateful inspection, there is a performance penalty for each TCP session set up (the time it takes to process the packet, memory requirements etc). This has an adverse effect on the number of new connections per second it can process, which is exacerbated when the attack is very widely distributed (‘very’ DDoS).
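An added example (not from the lecture) that puts the figures on the last two slides into a per-second simulation of the state table: the 2,000,000 concurrent connections and 100,000 new connections per second are the “£32,000 firewall” numbers above, while the traffic mix, the 5 s legitimate session length and the 30 s half-open timeout are assumptions.

```python
# Added example (not from the lecture): a per-second simulation of a stateful
# firewall's connection table under a flood of half-open connections. Capacity
# figures are the slide's "£32,000 firewall"; the traffic mix, the 5 s
# legitimate session length and the 30 s half-open timeout are assumptions.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Optional, Tuple

@dataclass(frozen=True)
class Capacity:
    max_concurrent: int   # entries the state table can hold
    new_per_sec: int      # sessions the inspection engine can set up per second

@dataclass(frozen=True)
class Result:
    full_at: Optional[int]   # first second the table is exhausted (None if never)
    legit_dropped: int       # legitimate connection attempts refused
    attack_dropped: int

Batches = Deque[Tuple[int, int]]   # (expiry_second, entries admitted that second)

def _expire(batches: Batches, now: int) -> int:
    freed = 0
    while batches and batches[0][0] <= now:
        freed += batches.popleft()[1]
    return freed

def simulate(cap: Capacity, legit_per_sec: int, legit_hold_s: int,
             attack_per_sec: int, attack_hold_s: int, duration_s: int) -> Result:
    legit: Batches = deque()
    attack: Batches = deque()
    occupied, legit_drop, attack_drop = 0, 0, 0
    full_at: Optional[int] = None
    demand = legit_per_sec + attack_per_sec
    for t in range(duration_s):
        occupied -= _expire(legit, t) + _expire(attack, t)
        # Arrivals interleave, so what can be admitted this second (bounded by
        # the setup budget and the free table space) is split pro rata.
        admitted = min(demand, cap.new_per_sec, cap.max_concurrent - occupied)
        adm_legit = admitted * legit_per_sec // demand if demand else 0
        adm_attack = admitted - adm_legit
        legit_drop += legit_per_sec - adm_legit
        attack_drop += attack_per_sec - adm_attack
        legit.append((t + legit_hold_s, adm_legit))     # sessions close after hold
        attack.append((t + attack_hold_s, adm_attack))  # half-open: held to timeout
        occupied += admitted
        if full_at is None and occupied >= cap.max_concurrent:
            full_at = t
    return Result(full_at, legit_drop, attack_drop)

FIREWALL = Capacity(max_concurrent=2_000_000, new_per_sec=100_000)

def demo() -> dict:
    return {
        # 20,000 legitimate sessions/s lasting 5 s: ~100,000 entries, never full
        "normal": simulate(FIREWALL, 20_000, 5, 0, 30, 30),
        # plus 80,000 half-open connections/s: the setup budget is met, but
        # 80,000 x 30 s = 2.4M entries exceed the table, so it fills at t=23
        "flood": simulate(FIREWALL, 20_000, 5, 80_000, 30, 30),
    }
```

The flood case never exceeds the new-connections-per-second budget, yet legitimate users are refused once the table is full; this is the concurrent-connections limit the slide contrasts with raw throughput.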
