Firewalls
Original slides prepared by Theo Benson
Unix Firewalls
• FreeBSD: ipfw
• Linux: ipfwadm → ipchains → iptables (ipfwadm was the Linux 2.0 port of BSD ipfw)
• MacOS X: ipfw (later replaced by pf)
ipfw example rules (the keyword setup matches only the TCP packet that opens a connection, i.e. SYN set and ACK clear; rules are evaluated in order and the first match wins):

    # SSH
    # Allow ssh from unc.edu hosts
    /sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup
    /sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup
    /sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup
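The rules above, as a worked example added here (not code from the slides): a small Python evaluator for an ipfw-style first-match rule list. The parser understands only the subset of ipfw syntax the slide uses plus the established keyword, the destination address is ignored (every slide rule says "to any"), and the two closing rules and all packets are constructed for the example.

```python
"""Stateless (ipfw-style) packet filter: first matching rule wins.

Added illustration, not code from the slides. It understands only the subset
of ipfw syntax the slide uses, plus "established"; packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IPv4 address
    sport: int
    dst: str            # destination IPv4 address
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (matches any protocol)
    src: ipaddress.IPv4Network   # "any" is stored as 0.0.0.0/0
    dport: Optional[int]         # None matches any destination port
    flags: Optional[str] = None  # None, "setup" or "established"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # ipfw "setup" matches the packet that opens a TCP connection
        # (SYN set, ACK clear); "established" matches packets with ACK set.
        if self.flags == "setup" and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        if self.flags == "established" and not (p.proto == "tcp" and p.ack):
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse 'allow tcp from 152.2.0.0/16 to any 22 setup' and similar.
    The destination address (t[5]) is not filtered on: the slide's rules all say 'to any'."""
    t = text.split()
    assert t[2] == "from" and t[4] == "to", text
    action, proto, src = t[0], t[1], t[3]
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    rest = t[6:]                       # optional destination port, optional flag
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    flags = rest[0] if rest else None
    return Rule(action, proto, net, dport, flags)


# The three SSH rules from the slide, followed by the two rules such a list
# needs to be useful: let the rest of an accepted TCP connection through and
# deny everything else (ipfw itself ends every list with rule 65535, which
# denies by default). The last two rules are constructed for this example.
RULES: List[Rule] = [parse_rule(r) for r in [
    "allow tcp from 152.2.0.0/16 to any 22 setup",
    "allow tcp from 152.19.0.0/16 to any 22 setup",
    "allow tcp from 152.23.0.0/16 to any 22 setup",
    "allow tcp from any to any established",
    "deny ip from any to any",
]]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Walk the list in order; the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```

A SYN from 152.2.10.5 to port 22 is allowed, a SYN from the same host to port 80 is denied, and a SYN from outside the three prefixes is denied. The catch is the fourth rule: a stateless filter cannot tell a reply belonging to an accepted SSH session from a stray packet that merely has the ACK bit set, so an ACK-only packet from anywhere to any port is allowed as well. Closing that gap is what the stateful firewall on the next slide does.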
Stateful Firewalls
• A bit more complicated
• Keep track of transport-layer connections (TCP connections, and UDP flows treated as if they were connections) that may comprise multiple packets
• Often allow only connections initiated from behind the firewall: an inbound packet is accepted only if it belongs to a flow already in the table
How are they deployed?
• The protected network is the “circle of trust”
• The Internet, AKA “Everything evil”
• The firewall is the gatekeeper: only one way in or out of the circle
Similar to streaming a Video …
[Figure: browser on one side, network on the other; loading YouTube issues a series of HTTP requests (GET image.png, GET video.avi), each one initiated by the browser.]
Allowing Outbound Connections Only
[Figure: a SYN from the Internet (“Everything evil”) toward the “circle of trust” is stopped at the firewall.]
• Why would someone from the outside want to start a connection?
  – They would if you were running a web server, an email server, a gaming server … pretty much any ‘server’ service.
  – Firewall configuration may allow “punching holes” to specific addresses/ports
Traversing Firewalls
• Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections: each firewall sees its own host open the flow, so the other host's packets then look like replies.
• An external rendezvous server may help coordinate which addresses and source ports (and, for TCP, sequence numbers) to use. The STUN protocol, for example, tells a host what public address and port the outside world sees for it.
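A worked example, added here and not code from the slides, covering both the stateful firewall slide and the traversal trick above: a connection table keyed on the 5-tuple that accepts inbound packets only as replies to a flow opened from the inside, and a hole-punching sequence in which two hosts behind separate firewalls each send outward first. The networks, addresses, ports, timestamps and the idle-timeout policy are all constructed; the rendezvous server is represented simply by passing each host the other's address and port.

```python
"""Stateful firewall with a connection table, plus the "both sides connect
outward at the same time" trick (hole punching) from the traversal slide.

Added illustration, not code from the slides. Addresses, ports and the
idle-timeout policy are constructed; real firewalls keep comparable tables.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP flags; ignored for UDP
    ack: bool = False


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFirewall:
    """Allows outbound flows and the inbound packets that belong to them."""

    def __init__(self, inside_net: str, idle_timeout: float = 60.0):
        self.inside = ipaddress.ip_network(inside_net)
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}   # outbound flow -> last seen

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now: float) -> None:
        # Entries idle longer than the timeout are forgotten, so a reply that
        # arrives much later is treated as unsolicited.
        self.table = {k: t for k, t in self.table.items()
                      if now - t <= self.idle_timeout}

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        flow: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        outbound = self._is_inside(p.src) and not self._is_inside(p.dst)
        inbound = self._is_inside(p.dst) and not self._is_inside(p.src)
        if outbound:
            # Create state only for a packet that may legitimately start a
            # flow: any UDP datagram, or a TCP SYN without ACK. Other packets
            # must belong to a flow already in the table.
            if flow in self.table or p.proto == "udp" or (p.syn and not p.ack):
                self.table[flow] = now
                return "allow"
            return "deny"
        if inbound:
            # Inbound packets are accepted only as replies to a known flow;
            # an unsolicited inbound SYN or datagram never matches.
            if reverse in self.table:
                self.table[reverse] = now
                return "allow"
            return "deny"
        return "deny"   # neither side is the protected network


def hole_punch(fw_a: StatefulFirewall, fw_b: StatefulFirewall,
               a: str, b: str, port_a: int, port_b: int) -> Dict[str, str]:
    """Host a (behind fw_a) and host b (behind fw_b) each send an outbound UDP
    datagram to the other. A rendezvous server has already told each of them
    the other's address and port (here simply passed in as arguments)."""
    a_to_b = Packet("udp", a, port_a, b, port_b)
    b_to_a = Packet("udp", b, port_b, a, port_a)
    steps: Dict[str, str] = {}
    steps["unsolicited"] = fw_a.process(b_to_a, 0.0)      # b alone: dropped at fw_a
    steps["a_sends"] = fw_a.process(a_to_b, 1.0)          # fw_a now has state for a->b
    steps["a_arrives_early"] = fw_b.process(a_to_b, 1.0)  # fw_b has none yet: dropped
    steps["b_sends"] = fw_b.process(b_to_a, 2.0)          # fw_b now has state for b->a
    steps["b_arrives"] = fw_a.process(b_to_a, 2.0)        # looks like a reply to a->b
    steps["a_retries"] = fw_b.process(a_to_b, 3.0)        # looks like a reply to b->a
    return steps
```

The first outbound datagram from each side is typically lost at the peer's firewall, which is why hole-punching clients retransmit; once both firewalls hold an outbound entry, each side's traffic matches the other's table as a reply. The same table is what blocks the unsolicited SYN on the previous slide, and the idle timeout is why long-silent UDP sessions behind such firewalls need keepalives.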
Network Address Translation (NAT)
• For outbound packets, the translator replaces the (typically private) source address with its own public address, and rewrites the source port.
• The translator remembers the mapping.
• For inbound packets, the reverse translation is performed.
[Figure: host 192.168.1.100 behind the translator sends a packet with Src: 192.168.1.100:32532; the translator, whose public address is 128.2.205.42, forwards it with Src: 128.2.205.42:45323.]
NAT versus Firewall
• A network address translator is not intrinsically a firewall, but
  – Often the two are combined in one device
  – Traffic cannot be sent directly to private addresses used behind a NAT from the public Internet
  – A NAT may block incoming connections by necessity because it does not know which private address to forward the traffic to
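The translation on the previous slide and the "blocks by necessity" point above, as a worked example added here (not code from the slides). The addresses are the slide's (private 192.168.1.100, public 128.2.205.42); the port-allocation policy (sequential, starting at 45323 so that the slide's example mapping is reproduced), the second inside host and the packets are constructed. This translator keeps an endpoint-independent mapping and does not filter on the remote endpoint; many real NATs additionally do.

```python
"""Port-translating NAT (NAPT) as drawn on the slide.

Added illustration, not code from the slides. Addresses come from the slide;
the sequential port-allocation policy starting at 45323 is constructed so
that the slide's example mapping comes out. Real translators pick ports
differently and may also filter inbound packets by remote endpoint.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str, private_net: str, first_port: int = 45323):
        self.public_ip = public_ip
        self.private = ipaddress.ip_network(private_net)
        self.next_port = first_port
        # outbound: (proto, private ip, private port) -> public port
        self.out_map: Dict[Tuple[str, str, int], int] = {}
        # inbound:  (proto, public port) -> (private ip, private port)
        self.in_map: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite source address and port; remember the mapping."""
        if ipaddress.ip_address(p.src) not in self.private:
            raise ValueError("outbound packet must come from the private network")
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            # Two inside hosts may use the same source port, so the public
            # port cannot simply be copied: allocate a fresh one per mapping.
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(p.proto, port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse translation. None means the packet is dropped: with no
        mapping, the translator has no private host to deliver it to."""
        if p.dst != self.public_ip:
            return None
        target = self.in_map.get((p.proto, p.dport))
        if target is None:
            return None
        priv_ip, priv_port = target
        return replace(p, dst=priv_ip, dport=priv_port)
```

An inbound SYN to port 22 of the public address, for which no inside host has created a mapping, comes back as None: that is the "by necessity" blocking on this slide, and it holds even though nothing in this class is a security policy.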
What Happens When you Connect to a Website?
[Figure: browser on one side, network on the other; loading SoundCloud issues HTTP requests such as GET image.png and GET sound.mp3.]
What happens if the virus/worm is hidden in an email? In a picture? Or if the security exploit is in an HTML page?
Deep Packet Inspection
• Examine the payload (data) portion of a packet as well as its headers
[Figure: a packet laid out as IP Header | TCP/UDP Header | Payload; a packet filter looks at the first two, DPI looks into the third.]
Application Level Firewall
• Why are they needed?
• Attackers are tricky
  – When exploiting security vulnerabilities
  – Attacks span multiple packets
• Need a system to scan across multiple packets for virus/worm/vulnerability exploits
Application Level Firewalls
• Similar to packet filters except:
  – Supports regular expressions
  – Searches across different packets for a match
  – Reconstructs objects (images, pictures) from packets and scans the objects
[Figure: an HTTP request GET image.png; the response packets are reassembled into the image object, and the regex is applied to the object rather than to each packet.]
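A worked example, added here and not code from the slides, of why "search across different packets" matters: a per-packet matcher and an application-level matcher that reassembles the TCP stream, extracts the HTTP object (the body) and applies the regular expression to the whole object. SIGNATURE is a constructed pattern for a made-up marker string, not a real signature; the HTTP response, and the segment boundary placed inside the marker, are constructed for the example.

```python
"""Per-packet versus reassembled-object matching.

Added illustration, not code from the slides. SIGNATURE is a constructed
pattern for a made-up marker, not a real malware signature; the HTTP
response and its split into TCP segments are constructed so that the
marker straddles a segment boundary.
"""
import re
from dataclasses import dataclass
from typing import List

SIGNATURE = re.compile(rb"EVIL-MARKER-[0-9]{4}")   # constructed pattern

BODY = b"\x89PNG\r\n\x1a\nIHDR" + b"EVIL-MARKER-1337" + b"IEND"   # constructed "image"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)


@dataclass(frozen=True)
class Segment:
    seq: int       # TCP sequence number of the first payload byte
    data: bytes


def segmentize(data: bytes, cut_points: List[int], base_seq: int = 1000) -> List[Segment]:
    """Split a byte string into TCP segments at the given offsets."""
    bounds = [0] + sorted(cut_points) + [len(data)]
    return [Segment(base_seq + lo, data[lo:hi])
            for lo, hi in zip(bounds, bounds[1:]) if hi > lo]


def per_packet_match(segments: List[Segment]) -> bool:
    """Packet-level DPI: each packet's payload is searched on its own."""
    return any(SIGNATURE.search(s.data) for s in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream: order by sequence number, drop retransmitted
    bytes (first copy wins) and refuse to proceed across a gap."""
    out = bytearray()
    expected = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.data)
        if end <= expected:
            continue                      # nothing new in this segment
        if s.seq > expected:
            raise ValueError("gap at seq %d" % expected)
        out += s.data[expected - s.seq:]  # skip any overlapping prefix
        expected = end
    return bytes(out)


def object_match(segments: List[Segment]) -> bool:
    """Application-level: reassemble the HTTP response, extract the object
    (the body) and apply the signature to the whole object."""
    stream = reassemble(segments)
    _headers, _sep, body = stream.partition(b"\r\n\r\n")
    return SIGNATURE.search(body) is not None


def split_across_marker() -> List[Segment]:
    """Constructed worst case: the segment boundary falls inside the marker."""
    cut = RESPONSE.index(b"EVIL-MARKER") + len(b"EVIL-MA")
    return segmentize(RESPONSE, [cut])
```

With the boundary inside the marker, per_packet_match sees "…EVIL-MA" in one segment and "RKER-1337…" in the next and reports nothing, while object_match finds it; the reassembly also has to cope with out-of-order and retransmitted segments, which is exactly the buffering that makes the next slide's memory cost unavoidable. An attacker who controls the sender can pick the segmentation, so a matcher that does not reassemble is trivially evaded.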
Why doesn’t everyone use App level firewalls?
• Object re-assembly requires a lot of memory
• Regular expressions require a lot of CPU
• App level firewalls are a lot more expensive
  – And also much slower, so you need more of them -- a lot more
How do you Attack the Firewall?
• Most common: denial-of-service attacks
  – Figure out a bug in the firewall code
  – The bug causes it to handle a packet incorrectly
  – Send a lot of ‘bug’ packets and no one can use the firewall