
Uploaded by shannon-price, posted 23-Dec-2015. Category: Documents.

TRANSCRIPT

Page 1: Firewalls: General Principles & Configuration (in Linux) Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad


Page 2:

Overview

- General Principles of Firewalls
  - Types
  - Issues in design and deployment
  - Rules, conflicts and performance issues
- Configuration
  - IPTables
  - IPChains

Page 3:

Relevant OSI Layers for Firewall Operation

Page 4:

General Principles of Firewalls

- Network firewalls are devices or systems that control the flow of network traffic between networks employing different security postures
  - One usage is to limit/control connectivity to the Internet
  - Another usage in corporate networks is to restrict connectivity to and from internal networks servicing more sensitive functions, like the accounting or personnel department
- Firewalls operate at different layers in the network
  - Firewalls that can examine information at more than one layer are more thorough and effective
  - A firewall that works with layers 2 and 3 does not deal with specific users
  - A firewall at the application layer, like an application-proxy gateway firewall, can enforce user authentication as well as log events to specific users.

Page 5:

Add-ons Supported by Firewalls

- NAT, DHCP, encryption for VPNs, and application content filtering
- Firewalls support DHCP so as to allocate IP addresses for those systems that will be the subject of the firewall's security control, and to simplify network management
- Firewalls can act as VPN gateways, where the gateway is responsible for encrypting traffic that is leaving its boundary and destined to other systems in the VPN
- Active content filtering: the firewall is capable of filtering actual application data at layer 7
  - For example, scanning email attachments for viruses, filtering out active content in technologies like Java, JavaScript, ActiveX
  - Can filter on content or key words to restrict access to inappropriate sites or domains.

Page 6:

Types of Firewalls

- Packet Filters
- Stateful Inspection Firewalls
- Application-proxy Gateway Firewalls
- Dedicated proxy servers
- Hybrid Firewalls
- Network Address Translation (NAT)

Page 7:

Packet Filters

Page 8:

Packet Filter Firewalls

- Packet filters operate at layer 2/3 of OSI
- The basic functionality is designed to provide network access control based on the information at the network layer:
  - source address of the packet, i.e., the IP address from which the packet originated
  - destination address of the packet, i.e., the IP address where it is going
  - type of traffic, i.e., the specific network protocol being used to communicate between source and destination
  - source and destination ports
  - incoming and outgoing interfaces for the packet
- Filter by type of traffic, e.g., ICMP traffic (the layer 3 protocol is ICMP)
- Prevent attacks that exploit weaknesses in the TCP/IP suite
- The access control functionality of a packet filter is decided by a set of directives called a ruleset

Page 9:

Boundary Router

- Packet filters are also called boundary routers
- Packet filter gateways have both speed and flexibility: as they examine a limited amount of data, they can operate very quickly
- The ability to block attacks, filter unwanted protocols, perform access control, and block denial-of-service and related attacks makes them ideal to be placed at the outermost boundary with an un-trusted network.
- E.g., the boundary router accepts packets from un-trusted networks and performs access control according to the policy in place, say, block SNMP, permit HTTP, block ICMP etc.
- The boundary router will pass the packets to a more powerful firewall that can perform access control and filtering at higher layers of the OSI stack

Page 10:

Boundary Router

Page 11:

Sample Packet Filter Ruleset

Page 12:

Examining the Rule Set

- Some notes on the ruleset
  - 192.168.1.0 indicates all addresses in the range 192.168.1.0 to 192.168.1.254 (the firewall has interface 192.168.1.1)
  - Examines source port, destination port, source address, destination address: basically all information that is necessary for examining the rules in the ruleset
- Actions taken are
  - Accept: the firewall passes the packet through the firewall as requested
  - Deny: drops the packet. An error message is returned to the sending system
  - Discard: drops the packet and does not return an error to the source system
- Example
  - Rule 1 allows any TCP connections from outside
  - Rule 3 says deny any attempts to connect to the firewall from outside
  - Rules 5, 6 say allow packets going to the SMTP (192.168.1.2) and HTTP (192.168.1.3) servers
  - The last rule is the default: if packets don't match any of the above they are denied
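The ruleset table itself (page 11) did not survive in this transcript, so the following is an added example, not the slides' own code: a small evaluator that implements the first-match semantics and the Accept / Deny / Discard actions described above, loaded with a ruleset reconstructed from the page 12 notes. The addresses 192.168.1.0/24, 192.168.1.1, 192.168.1.2 and 192.168.1.3 are the page's; the external address 203.0.113.9, the port range used for rule 1 (TCP to the internal network on ports above 1023, an assumption that follows the page 15 remark about client ports) and the omission of rules 2 and 4 (not described in the transcript) are constructed here. The `shadowed` check goes a little beyond the page: it reports a rule that a packet never reaches because an earlier rule already permitted it, which is the "rules and conflicts" issue listed in the overview.

```python
"""Packet-filter ruleset evaluator: an added example, not the slides' own code.

Models the ruleset semantics described on page 12: rules are checked in
order, the first match decides, and the three actions are Accept (pass the
packet), Deny (drop it and return an error to the sender) and Discard (drop it
silently). The external address and the exact match fields are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = "192.168.1.0/24"   # 192.168.1.0 to 192.168.1.254 (page 12)
FIREWALL_IP = "192.168.1.1/32"    # the firewall's own interface (page 12)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "accept", "deny" or "discard"
    src: Optional[str] = None      # CIDR network or host; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None    # None means any protocol
    dport_min: int = 0             # destination port range; 0-65535 means any
    dport_max: int = 65535

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if p.proto in ("tcp", "udp") and not (self.dport_min <= p.dport <= self.dport_max):
            return False
        return True

    @property
    def is_default(self) -> bool:
        """A rule with no match criteria at all (the catch-all last rule)."""
        return (self.src is None and self.dst is None and self.proto is None
                and self.dport_min == 0 and self.dport_max == 65535)


# Constructed ruleset following the page-12 notes. Rule 1 ("any TCP connections
# from outside") is modelled, as an assumption, as TCP to the internal network on
# ports above 1023: page 15 explains that a packet filter has to leave that client
# port range open so that replies to internal clients get through. Rules 2 and 4
# are not described in the transcript and are omitted.
RULESET = [
    Rule(1, "accept", dst=INTERNAL_NET, proto="tcp", dport_min=1024),
    Rule(3, "deny", dst=FIREWALL_IP),
    Rule(5, "accept", dst="192.168.1.2/32", proto="tcp", dport_min=25, dport_max=25),
    Rule(6, "accept", dst="192.168.1.3/32", proto="tcp", dport_min=80, dport_max=80),
    Rule(7, "discard"),   # default: whatever matched nothing above is dropped
]


def evaluate(ruleset: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches p."""
    for rule in ruleset:
        if rule.matches(p):
            return rule.action, rule.number
    raise ValueError("ruleset has no default rule")


def error_returned(action: str) -> bool:
    """Deny tells the sender the packet was refused; discard stays silent."""
    return action == "deny"


def shadowed(ruleset: List[Rule], probes: List[Packet]) -> List[Tuple[Packet, int, int]]:
    """Rule-conflict check: for each probe packet, report a later rule that also
    matches it but would permit it differently than the rule that actually fired.
    The catch-all default rule is skipped, since every accept rule overrides it."""
    found = []
    for p in probes:
        action, fired = evaluate(ruleset, p)
        later = [r for r in ruleset if r.number > fired and not r.is_default]
        for r in later:
            if r.matches(p) and (r.action == "accept") != (action == "accept"):
                found.append((p, fired, r.number))
                break
    return found


if __name__ == "__main__":
    outside = "203.0.113.9"   # constructed external address
    for pkt in (Packet(outside, "192.168.1.2", "tcp", 40000, 25),
                Packet(outside, "192.168.1.1", "tcp", 40000, 22),
                Packet(outside, "192.168.1.1", "tcp", 40000, 8080)):
        action, num = evaluate(RULESET, pkt)
        print(f"{pkt.dst}:{pkt.dport}/{pkt.proto} -> {action} (rule {num}, "
              f"error to sender: {error_returned(action)})")
    print("shadowed:", shadowed(RULESET, [Packet(outside, "192.168.1.1", "tcp", 40000, 8080)]))
```

Run as written, the third probe shows the point of the conflict check: a connection from outside to the firewall's own address on a port above 1023 is accepted by rule 1 before rule 3 ever gets to deny it. Moving rule 3 ahead of rule 1 makes the deny effective again, which is the kind of ordering review a ruleset of this shape needs.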

Page 13:

Weaknesses

- As they don't examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions
  - For example, they cannot block specific application commands: if a packet filter firewall allows a given application, all functions available from that application will be permitted
- Logging functionality is limited as packet filter firewalls work on a small amount of data
- Most packet filters do not support advanced user authentication schemes
- Vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as IP spoofing
- Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configuration
- These firewalls are suitable for high-speed environments where logging and user authentication with network resources are not important

Page 14:

Stateful Inspection Firewalls

Page 15:

Stateful Inspection Firewalls

- Address some functionalities of the TCP layer
- Many clients connect to remote systems from high-numbered ports
  - E.g., the client port is >1023 in most cases
  - A packet filter firewall must allow all communication to happen above this port
  - Allowing so many ports leaves the network vulnerable
- A stateful inspection firewall solves this problem by adding the state information of the relevant TCP connection
  - Only ports having legitimate TCP connections are allowed
  - A state table is maintained for every connection
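The sample state table (page 16) is a figure that did not survive in the transcript, so here is an added example, not the slides' own code, of the mechanism this page describes: a state table keyed by the connection's address/port pair, a row created only when an inside host opens a connection, inbound packets admitted only when a row owns their port pair, and rows aged out when idle. The internal network 192.168.1.0/24 is the page's; the hosts 192.168.1.10, 203.0.113.5 and 203.0.113.7, the 300-second idle timeout and the simplified handshake and teardown tracking are constructed assumptions.

```python
"""Stateful inspection state table: an added example, not the slides' own code.

A plain packet filter has to leave client ports above 1023 open so that
replies reach internal clients (page 15). A stateful firewall instead records
each legitimate TCP connection in a state table and admits an inbound packet
only when it belongs to a row. Hosts, the timeout and the simplified TCP state
tracking are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INTERNAL_NET = ip_network("192.168.1.0/24")   # page 12
IDLE_TIMEOUT = 300.0                          # seconds; constructed value

Key = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)
    time: float = 0.0    # arrival time in seconds


class StatefulFirewall:
    """Admits an inbound TCP packet only if a matching state-table row exists."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, dict] = {}   # one row per tracked connection

    def state_of(self, key: Key) -> Optional[str]:
        entry = self.table.get(key)
        return entry["state"] if entry else None

    def _expire(self, now: float) -> None:
        """Drop rows that nothing has refreshed within the idle timeout."""
        stale = [k for k, e in self.table.items() if now - e["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def filter(self, p: TcpPacket) -> str:
        self._expire(p.time)
        from_inside = ip_address(p.src) in INTERNAL_NET
        # Rows are keyed client side first, so an inbound reply looks up the row
        # of the outbound connection it answers.
        key = (p.src, p.sport, p.dst, p.dport) if from_inside else (p.dst, p.dport, p.src, p.sport)
        entry = self.table.get(key)
        if entry is None:
            if from_inside and "S" in p.flags and "A" not in p.flags:
                # Only an inside host may open a connection: record it.
                self.table[key] = {"state": "SYN_SENT", "last_seen": p.time}
                return "accept"
            return "discard"   # unsolicited: no connection owns this port pair
        entry["last_seen"] = p.time
        if "R" in p.flags:
            del self.table[key]                 # reset: the connection is gone
        elif "F" in p.flags:
            entry["state"] = "CLOSING"          # simplified teardown: the row ages out
        elif entry["state"] == "SYN_SENT" and not from_inside and "S" in p.flags and "A" in p.flags:
            entry["state"] = "ESTABLISHED"      # server's SYN-ACK; handshake tracking simplified
        return "accept"


if __name__ == "__main__":
    fw = StatefulFirewall()
    trace = [TcpPacket("192.168.1.10", 40000, "203.0.113.5", 80, "S", 0.0),   # client opens
             TcpPacket("203.0.113.5", 80, "192.168.1.10", 40000, "SA", 0.1),  # legitimate reply
             TcpPacket("203.0.113.5", 80, "192.168.1.10", 40001, "A", 0.2),   # wrong port: no row
             TcpPacket("203.0.113.7", 5555, "192.168.1.10", 45000, "S", 0.3)] # unsolicited SYN
    for pkt in trace:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] {fw.filter(pkt)}")
    print("state table:", fw.table)
```

Compared with the page 12 ruleset, nothing above 1023 is open in general: the third and fourth packets in the trace land on high client ports but are discarded because no row owns them, while the reply on port 40000 is admitted because the client's own SYN created that row.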

Page 16:

Sample State Table

Page 17:

Application-Proxy Gateway Firewalls

Page 18:

Application-proxy Gateway Firewalls

- Combine application layer information with lower layer information for filtering purposes
- Application proxies take over the routing task of packets from inside and outside the network
  - If it fails, no packets can pass through the firewall
  - All network packets must traverse the firewall under software control
- Each individual application-proxy (proxy agent) interfaces directly with the firewall access control ruleset to determine whether a given traffic should be permitted to transit the firewall
- Authentication of each user is possible based on login-password, source address, bio-metrics etc

Page 19:

Advantages Over Previous Firewalls

- They have more extensive logging capabilities as the entire packet is examined
  - E.g., malicious commands like su - root from outside can be logged
- They allow administrators to enforce the required authentication based on the security policy of the organization
- IP spoofing can be detected as the attackers need to know more information such as login and password

Page 20:

Typical Proxy Agents

Page 21:

Disadvantages

- Needing to read the entire packet makes these firewalls slow
  - Not suited for high-bandwidth or real-time applications
  - Some work is often offloaded to dedicated proxy servers
- They are not flexible in supporting new network applications and protocols
  - They ship with generic support
  - This can allow malicious traffic to tunnel through these generic applications without check

Page 22:

Dedicated Proxy Servers

- Proxy servers are deployed behind traditional firewalls
- The main firewall will accept inbound traffic and forward the traffic to the proxy, if that application is handled by the proxy
  - E.g., email proxy server
- Proxy servers can also accept outbound traffic from internal systems
  - Filter or log the traffic accordingly
  - E.g., HTTP proxy that is behind the firewall
- Dedicated proxies allow enforcement of user authentication requirements in addition to filtering and logging
  - Prevent email viruses
  - Protect web server updates from internal users

Page 23:

Email and Content Scanning

- Java applet or application filtering (based on digital signature availability)
- ActiveX control filtering (same as above)
- JavaScript filtering (eliminating cross-site scripting attacks)
- Blocking specific MIME (Multipurpose Internet Mail Extensions) types
- Virus scanning and removal
- Application-specific commands like HTTP "delete" and
- User-specific controls, including blocking content types for certain users
- Caching of web pages to reduce incoming traffic

Page 24:

Sample Proxy Configuration

Page 25:

Hybrid Firewall Technologies

- Combining basic packet filters with application-proxy gateway firewalls
- Combining stateful inspection firewalls with application-proxy functionality to offset weaknesses of existing stateful inspection firewalls

Page 26:

Network Address Translation

- Two reasons for NAT:
  - Hiding the real IP addresses in the network prevents many attackers from attacking individual systems
  - Depletion of the IP address space has made NAT necessary for most organizations
- Three techniques
  - Static Address Translation
  - Hiding Network Address Translation
  - Port Address Translation

Page 27:

Static Address Translation

- Every internal IP has a different routable IP (fixed)
- Not very frequently used due to lack of IPs
- Very fast and scalable

Page 28:

Sample Table

Page 29:

Hiding NAT

- All internal IP addresses share the SAME external IP address
  - E.g., all systems connecting to the Internet through a proxy
- Those addresses that need mapping from outside will require their own external addresses, for efficiency purposes

Page 30:

Port Address Translation

- Forward inbound connections based on ports
- The client port is used to identify the connection, unlike NAT where the IP address is used to identify the connection
  - Each internal connection gets a port from the firewall based on the connection
  - When the response comes from outside, the firewall looks up the destination port and identifies the client
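The sample PAT table (page 31) is another figure lost in the transcript, so the following is an added example, not the slides' own code, of the translation the page describes: every inside host shares one external address (hiding NAT, page 29), each outbound connection is given its own firewall port, and an inbound packet is matched back to the client by looking up its destination port. The internal network 192.168.1.0/24 is the page's; the external address 198.51.100.1, the hosts 192.168.1.10, 192.168.1.11 and 203.0.113.5, and the port range 10000-19999 are constructed assumptions. The example also drops an inbound packet that arrives on an allocated port from a host other than the one the connection was opened to, a check the page does not spell out.

```python
"""Port address translation table: an added example, not the slides' own code.

Every internal connection is given its own port on the firewall's single
external address; replies are matched back to the internal client by looking
up the destination port (page 30). Addresses and the port range are
constructed here.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

EXTERNAL_IP = "198.51.100.1"        # the firewall's single routable address (constructed)
PORT_RANGE = range(10000, 20000)    # firewall-side ports handed out to connections (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Conn = Tuple[str, int, str, int]    # (inside ip, inside port, remote ip, remote port)


class PortAddressTranslator:
    """Hiding NAT plus PAT: all inside hosts share one external address and each
    connection is told apart by the firewall port allocated to it."""

    def __init__(self, external_ip: str = EXTERNAL_IP, ports: range = PORT_RANGE):
        self.external_ip = external_ip
        self._free = iter(ports)
        self.by_conn: Dict[Conn, int] = {}    # connection -> firewall port
        self.by_port: Dict[int, Conn] = {}    # firewall port -> connection

    def translate_out(self, p: Packet) -> Packet:
        """Rewrite an outbound packet's source to the external address and the
        per-connection firewall port, allocating one when the connection is new."""
        conn = (p.src, p.sport, p.dst, p.dport)
        port = self.by_conn.get(conn)
        if port is None:
            port = next(self._free, None)
            if port is None:
                raise RuntimeError("PAT port range exhausted")
            self.by_conn[conn] = port
            self.by_port[port] = conn
        return replace(p, src=self.external_ip, sport=port)

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Look up the destination port to find the client; None means drop.
        The packet must also come from the remote endpoint the connection was
        opened to, so an allocated port cannot be reached by a stranger."""
        conn = self.by_port.get(p.dport)
        if p.dst != self.external_ip or conn is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = conn
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None
        return replace(p, dst=inside_ip, dport=inside_port)

    def table(self) -> List[Tuple[int, str, int, str, int]]:
        """The PAT table as rows: firewall port, inside ip/port, remote ip/port."""
        return sorted((port,) + conn for port, conn in self.by_port.items())


if __name__ == "__main__":
    pat = PortAddressTranslator()
    # Two inside hosts happen to pick the same client port; PAT keeps them apart.
    out_a = pat.translate_out(Packet("192.168.1.10", 40000, "203.0.113.5", 80))
    out_b = pat.translate_out(Packet("192.168.1.11", 40000, "203.0.113.5", 80))
    print("outbound:", out_a, out_b)
    print("reply to b:", pat.translate_in(Packet("203.0.113.5", 80, EXTERNAL_IP, out_b.sport)))
    print("stray inbound:", pat.translate_in(Packet("203.0.113.5", 80, EXTERNAL_IP, 10005)))
    for row in pat.table():
        print("PAT row:", row)
```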

Page 31:

Sample PAT Table

Page 32:

Other Firewalls

- Host-based firewalls in Linux-based systems for application servers
  - The server application is protected better
  - Separate hardware/software is not necessary
- Personal firewalls to protect PCs
- Personal firewall appliances for protecting small networks like ISP-client connections etc
  - Integrate with the following devices: cable modem, routing modules, DHCP servers, hubs, switches, SNMP agents, application-proxy agents

Page 33:

DMZ

- Created out of a network connecting two firewalls
- Specifically, for nodes that should not be put in protected internal networks

Page 34:

DMZ