intsec1 firewalls


Page 1: IntSec1 Firewalls

1

ITA, 4.02.2007, 10-Firewalls.ppt 1

Internet Security (IntSec)

Prof. Dr. Peter Heinzmann
Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

10 Firewalls

10 Firewalls

10.1 Overview
• Network defences – a cascade of security zones
• Secure routers, packet filtering firewalls, application gateways (proxies)
• Firewall functions

10.2 Technologies
• Example firewall – Linux Netfilter
• Packet filtering – filter rules
• Application gateway
• Proxy services
• Stateful inspection technology
• Network address translation (NAT)
• Port address translation (PAT)

10.3 Management
• Remote Administration
• Examples: Checkpoint FireWall-1 and Linux IPCop
• Monitoring and Logging

Page 2: IntSec1 Firewalls


Learning Objectives

• You can explain the major Firewall terms and functions.

• You are able to read and define Firewall rules.

• You are prepared for the lab "Firewall".

Page 3: IntSec1 Firewalls


Internet Security (IntSec)

10.1 Overview

Page 4: IntSec1 Firewalls

Castle Defences: A Cascade of Security Zones

[Figure: castle with three nested defensive zones]
• Moat / Main Gate: outer perimeter controlling castle access
• Inner Perimeter: stronghold; higher walls create a containment area between the inner and outer perimeters
• Keep: last building in the castle to fall

Page 5: IntSec1 Firewalls

Network Defences: A Cascade of Security Zones

[Figure: Internet → Outer Perimeter (firewall) → De-Militarized Zone (DMZ) → Inner Perimeter (stronghold) → Internal Network (Intranet) → Internal Firewall → Mission Critical Systems (keep)]

Ordering and organizing help to improve security. One way of organizing is the “classification of documents”; another way is the “structuring of the network”. Most companies distinguish several network zones, but there is no generally accepted “zone definition” or “zone naming scheme”. Typically companies distinguish at least three zones:

1. Internet (insecure zone): This zone is insecure for all practical purposes. It has no means of protecting the network from the others. The only security in this zone comes from the machine itself.

2. Demilitarized Zone (DMZ): This zone is separated from the Internet by a first part of a firewall (typically a filtering firewall). It usually holds those servers which are accessed frequently from the Internet (e.g. the company web server, a DNS server with the address mapping of the public addresses, the mail server).

3. Intranet (secure zone, trusted zone): This zone is separated from the DMZ by a second part of a firewall (typically a proxy server, i.e. an application level firewall), which processes requests for connections from the internal network to the outside.

There may be further specifically secured zones within the Intranet, which are protected against attacks from hosts on the Intranet. These zones contain mission critical systems or organizations with high security requirements (e.g. the police department within a government organization).

Page 6: IntSec1 Firewalls


Example: HSR

Cisco PIX 515 FW

Page 7: IntSec1 Firewalls

Firewalls can control traffic at various OSI layers

[Figure: firewall types placed on the OSI layers they inspect]
• Network layer: Packet Filter (Secure Router / Screening Router, Packet Filtering Firewall)
• Transport layer: Circuit Level Proxies
• Application layer: Application Level Proxies (Application Gateways, Proxy)
• Stateful Inspection Engines cut across the layers (e.g. TCP SYN, ACK, FIN states)

The main firewall technologies are:
• Packet filtering: check header information of the packets
• Deep packet inspection: look at application content of the packets
• Application Gateways: terminate connections and look also at application content of the packets

Some firewalls check the packets one by one only. Stateful inspection firewalls look at packet flows, trying to assign a state to the connections.

Most of the modern firewalls are hybrid products that cannot be easily classified into groups.

Page 8: IntSec1 Firewalls

Firewall Functions: Filtering, Inspection, Detection, Logging, Alerting

[Figure: firewall with detection, logging and alerting functions, connected to an IDS]

• Deny everything that is not explicitly permitted … or
• Permit everything that is not explicitly denied.

A firewall may fulfill several functions:

• Filter and inspect traffic
• Log events (and traffic)
• Perform content screening (virus scan engines, content blocking, URL filtering, protocol compliance testing)
• Allow address reuse (perform Network Address Translation, NAT function), hide internal structure
• Detect attacks, send alerts, communicate with other devices, e.g. with an intrusion detection system (Open Platform for Security, OPSEC)
• Act as a virtual private network (VPN) server
• Authenticate administrators (use of tokens/smart cards or two-factor authentication)

Page 9: IntSec1 Firewalls


Internet Security (IntSec)

10.2 Technologies

Page 10: IntSec1 Firewalls

Example Firewall - Linux Netfilter

[Figure: packet paths through the filter table chains on a firewall host with interfaces eth0 and eth1. A packet arriving on eth0 or eth1 is routed either to the INPUT chain and on to a local process, or to the FORWARD chain and out through the other interface. Packets generated by a local process traverse the OUTPUT chain and are then routed to eth0 or eth1.]

http://www.netfilter.org

Page 11: IntSec1 Firewalls

Filter Rules – Default Policy

• Permit everything that is not explicitly denied.

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

• Deny everything that is not explicitly permitted.

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

http://www.netfilter.org

Page 12: IntSec1 Firewalls

Packet Filtering: Screening Router, Deep Packet Inspection

[Figure: packet fields a packet filter can match, for inbound and outbound packets between 152.96.129.3 and 160.85.128.1]
• Network layer: Src IP Address, Dst IP Address, Protocol Type (1 ICMP, 6 TCP, 17 UDP, 50 ESP)
• Transport layer: Src Port Number, Dst Port Number (53 DNS, 80 HTTP, 23 Telnet, ...), TCP Flags (SYN, ACK, FIN, ...)
• Application layer: Application Data (inspected only by deep packet inspection)

Packet-filtering firewalls provide network security by filtering network communications based on the information contained in the TCP/IP headers of each packet. Packet-filtering firewalls are also known as “screening routers” or “filtering gateway firewalls”. A deep-packet inspection (DPI) firewall also checks the content of the packet.

Packet-filtering firewalls use a special rule set to filter IP, TCP, ICMP, and other packets that pass through the network interface. Arriving and outgoing packets are filtered by the type, source address, destination address, and port information contained in each packet. A filtering gateway doesn't require a powerful machine to run on; an old 486 box and a specialized one-floppy Linux mini-distribution should do the trick.

Page 13: IntSec1 Firewalls

Packet Filtering: Examples

• Default Policy: Deny everything that is not explicitly permitted.

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

• Allow ssh login to the firewall host from outside

    iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport ssh -j ACCEPT

• Allow pings from all interfaces

    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

• Drop any traffic coming from host 80.63.5.7

    iptables -I INPUT 1 -i eth0 -s 80.63.5.7 -j DROP

There are various strategies for implementing packet filters. The following two are rather general:

• Build rules from most to least specific. Most packet filters process their rule sets from top to bottom and stop processing once a match is made.

• Place the most active rules near the top of the rule set. Screening packets is a processor-intensive operation. Hence, placing the popular rules first will save the processor from going through all rules for every packet.
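The first-match behaviour behind these two strategies, as an added example that is not part of the lecture slides and not Netfilter code: a small Python rule engine that evaluates an INPUT chain top to bottom and falls back to the chain's default policy, loaded with the rules of the examples slide. The Packet and Rule classes are constructed here; the block_first flag shows why the slide inserts the DROP rule for 80.63.5.7 at position 1 (iptables -I INPUT 1) instead of appending it.

```python
"""First-match packet filter modelled on the iptables examples.

Added example, not part of the lecture slides and not Netfilter code: a tiny
rule engine that evaluates a chain from top to bottom, stops at the first
matching rule and otherwise applies the chain's default policy.  Packets and
rules are constructed here; no kernel or real iptables is involved.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrives on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-request"


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    iface: Optional[str] = None     # None = not matched, like an omitted iptables option
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        wanted = [(self.iface, p.iface), (self.proto, p.proto), (self.src, p.src),
                  (self.sport, p.sport), (self.dport, p.dport), (self.icmp_type, p.icmp_type)]
        return all(want is None or want == have for want, have in wanted)


class Chain:
    def __init__(self, policy: str):
        self.policy = policy          # iptables -P CHAIN policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:                 # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # iptables -I CHAIN position ... (1-based)
        self.rules.insert(position - 1, rule)

    def first_match(self, p: Packet) -> Optional[int]:
        """0-based index of the first matching rule, or None if the policy applies."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return i
        return None

    def verdict(self, p: Packet) -> str:
        i = self.first_match(p)
        return self.policy if i is None else self.rules[i].target


def build_input_chain(block_first: bool) -> Chain:
    """INPUT chain of the slide: default DROP, ssh and ping allowed, 80.63.5.7 blocked.

    With block_first=True the DROP rule is inserted at position 1 (iptables -I INPUT 1);
    with False it is merely appended, which puts it behind the ssh ACCEPT rule.
    """
    chain = Chain("DROP")
    chain.append(Rule("ACCEPT", iface="eth0", proto="tcp", dport=22))        # --dport ssh
    chain.append(Rule("ACCEPT", proto="icmp", icmp_type="echo-request"))     # pings, any interface
    blocked = Rule("DROP", iface="eth0", src="80.63.5.7")
    if block_first:
        chain.insert(1, blocked)
    else:
        chain.append(blocked)
    return chain


if __name__ == "__main__":
    ssh_from_blocked = Packet("eth0", "tcp", "80.63.5.7", "152.96.129.3", 40000, 22)
    for first in (True, False):
        print("DROP rule first:", first, "->", build_input_chain(first).verdict(ssh_from_blocked))
```

With the DROP rule appended instead of inserted, an ssh connection from 80.63.5.7 matches the earlier ACCEPT rule and gets through; the specific rule has to precede the general one, exactly as the first strategy says.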

Page 14: IntSec1 Firewalls

Application Gateway: Application Firewall, Proxy

[Figure: the same packet fields as on the packet filtering slide, plus the application data an application gateway inspects, for inbound and outbound packets between 152.96.129.3 and 160.85.128.1]
• Network layer: Src IP Address, Dst IP Address, Protocol Type (1 ICMP, 6 TCP, 17 UDP, 50 ESP)
• Transport layer: Src Port Number, Dst Port Number (53 DNS, 80 HTTP, 23 Telnet, ...), TCP Flags (SYN, ACK, FIN, ...)
• Application layer: Application Data (HTTP, SOAP/XML, SQL, ...)

Application gateway has become synonymous with terms such as bastion host, proxy gateway, and proxy server. An application gateway makes access decisions based on packet information at all seven layers of the OSI model. An application gateway may also be configured with the ability to remove objectionable content, such as ActiveX or Java scripts, from web pages. Some proxies are not “seen” by the end systems and are therefore called “transparent proxies” (as opposed to “visible proxies”).

The proxy must “understand” each service. Proxies for newer services are usually hard to find.

Page 15: IntSec1 Firewalls


Proxy Services

• Circuit-level gateway
  • establishes a TCP connection according to defined rules (a security policy)
  • No content filtering can be defined. No user authentication.

• Application-level gateway
  • establishes TCP connections with an application-level gateway in place.
  • administrator can control access for selected applications/network services (e.g. HTTP, SOAP/XML, etc.).
  • can filter content and can provide user authentication.

Application gateway or proxy firewalls usually contain additional security support software such as a VPN server, strong authentication services (tokens, smart cards), or virus scan engines. Proxy firewalls, also known as “proxy services”, work between external and internal networks and provide replacement connections instead of direct connections with remote services. Proxies try to act more or less transparently. Proxy firewalls require powerful machines. It is possible to divide this category into two groups:

• A circuit-level gateway is a proxy service that establishes a TCP connection (or crosswires TCP ports) between internal and external networks according to defined rules (a security policy). No content filtering can be defined. The freely available SOCKS proxy server (a standard, generic networking proxy protocol) is a typical example of this approach. Circuit-level gateways don't provide user authentication.

• An application-level gateway is a proxy service that establishes TCP connections between internal and external networks; with an application-level gateway in place, an administrator can control access for selected applications/network services (i.e., HTTP, FTP, NNTP). Application-level gateways can filter content, while packet-filter and circuit-level gateways are unable to determine transmission content. Some application proxies can cache requested data to save bandwidth. Application-level gateways can provide user authentication and implement an access rights policy.

Page 16: IntSec1 Firewalls

Proxy Service Example

[Figure: Host A and Host B on the Intranet reach Server X on the Internet through a proxy on the firewall; each client connection is terminated by the proxy, which opens a second connection of its own]

TCP Connection 1 (client to proxy):
    S: Host A, Port 1024    D: Proxy, Port 8080
    S: Host B, Port 1027    D: Proxy, Port 8080

TCP Connection 2 (proxy to server):
    S: Firewall, Port 3000    D: Server X, Port 80
    S: Firewall, Port 3001    D: Server X, Port 80

Page 17: IntSec1 Firewalls

Stateful Inspection Technology

• Communication- and application-derived state and context information

• Updated dynamically

• Provides full application-layer awareness without requiring a separate proxy for every service

• Check Point Software is credited with coining the term stateful inspection in the use of its FireWall-1 in 1993.

Stateful inspection is an advanced firewall architecture that was invented by Check Point Software Technologies in the early 1990s. Also known as dynamic packet filtering, it has replaced static packet filtering as the industry standard firewall solution for networks. Stateful inspection provides enhanced security by keeping track of communications packets over a period of time. Both incoming and outgoing packets are examined. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall. In contrast to static packet filtering, in which only the headers of packets are checked, stateful inspection analyzes packets up to the Application layer. In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs. In a typical network connected to the Internet, ports are normally closed unless an incoming packet requests connection to a specific port, and then only that port is opened to the packet. This prevents port scanning, a well-known technique used by hackers to gain entry to networks and individual computers connected to the Internet. [http://searchnetworking.techtarget.com]

Page 18: IntSec1 Firewalls

Stateful Inspection I

[Figure: FireWall-1 inspection pipeline. Incoming fragments are collected in a chain of fragments by the virtual defragmentation stage; a pre-inspection looks the packet up in the “connections” table and passes known traffic directly (ACCEPT); everything else goes to the inspection virtual machine, which returns ACCEPT or DROP/REJECT and updates the “connections” and “pending” tables.]

Sources: Thomas Lopatic, John McDonald, TÜV data protect GmbH, [email protected], [email protected]; Dug Song, CITI at the University of Michigan, [email protected]: “A Stateful Inspection of FireWall-1”, Black Hat Briefings, 2000.

Page 19: IntSec1 Firewalls

Stateful Inspection II

[Figure: an internal client sends a UDP packet from port C to port S of an external server; UDP replies from the server back to port C are accepted, whether they come from port S or from any port]

• UDP “connections”
• from a client, port C
• to a server, port S + wildcard port
• <s-address, s-port, d-address, d-port, protocol>

Page 20: IntSec1 Firewalls

Stateful Inspection III

[Figure: FTP control and data connections between the FTP client 192.168.0.2 and the FTP server 172.16.0.2]

Active mode: the client's control connection runs from a port > 1023 to server port 21; over it the client sends “PORT 192,168,0,2,4,36”, announcing port 1060 (4*256 + 36), and the server opens the data connection from its port 20 to client port 1060.

Passive mode: the client sends “PASV” over the control connection; the server answers “227 ... (172,16,0,2,4,36)” and the client opens the data connection from a port > 1023 to server port 1060.

Page 21: IntSec1 Firewalls

Stateful Inspection with Linux Netfilter: Examples

• Allow replies on outbound TCP packets

    iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

• Allow replies on outbound UDP packets

    iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

• Allow replies on outbound ICMP packets

    iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
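The connection table that makes these -m state rules work, as an added Python example (not from the slides and not Netfilter's own code). It also illustrates the UDP “connection” model of the Stateful Inspection II slide: an outbound packet creates an entry, an inbound packet is ESTABLISHED only if it matches that entry in the reverse direction, and a UDP reply to client port C is accepted from server port S or, with the wildcard option, from any port of the server. Unsolicited inbound traffic is classified NEW or INVALID and refused by an INPUT chain that accepts ESTABLISHED,RELATED only. RELATED connections (such as FTP data) are not derived here; all addresses are constructed.

```python
"""Connection tracking behind the '-m state' rules above.

Added example, not part of the lecture slides and not Netfilter's code: a
connection table keyed by the 5-tuple of the first packet.  Outbound packets
create entries (NEW); inbound packets are ESTABLISHED only if they match an
entry in the reverse direction.  UDP follows the slide's model: the reply to
a client port C may come from the server port S or, with udp_wildcard_reply,
from any port of the server.  For ICMP echo the identifier is carried in
both port fields.  All addresses used here are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    sport: int                          # icmp: echo identifier
    dst: str
    dport: int                          # icmp: echo identifier again
    flags: frozenset = frozenset()      # TCP flags, e.g. frozenset({"SYN", "ACK"})
    icmp: str = ""                      # "echo-request" or "echo-reply"


Key = Tuple[str, str, int, str, int]    # (proto, client, client port, server, server port)
SYN = frozenset({"SYN"})


class ConnTracker:
    def __init__(self, udp_wildcard_reply: bool = True):
        self.table: Dict[Key, str] = {}   # state per connection: "NEW" or "ESTABLISHED"
        self.udp_wildcard_reply = udp_wildcard_reply

    def _reply_key(self, p: Pkt) -> Optional[Key]:
        """Entry for which p travels server -> client, if any."""
        for key in self.table:
            proto, c_addr, c_port, s_addr, s_port = key
            if proto != p.proto or p.dst != c_addr or p.dport != c_port or p.src != s_addr:
                continue
            if p.sport == s_port or (proto == "udp" and self.udp_wildcard_reply):
                return key
        return None

    def outbound(self, p: Pkt) -> str:
        key: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            return self.table[key]                 # later packet of a known flow
        if p.proto == "tcp" and p.flags != SYN:
            return "INVALID"                       # a new TCP flow starts with a bare SYN
        if p.proto == "icmp" and p.icmp != "echo-request":
            return "INVALID"
        self.table[key] = "NEW"
        return "NEW"

    def inbound(self, p: Pkt) -> str:
        key = self._reply_key(p)
        if key is None:                            # unsolicited: would open a new flow
            if p.proto == "tcp":
                return "NEW" if p.flags == SYN else "INVALID"
            if p.proto == "icmp":
                return "NEW" if p.icmp == "echo-request" else "INVALID"
            return "NEW"
        if p.proto == "tcp" and "ACK" not in p.flags:
            return "INVALID"                       # a reply in a TCP flow always carries ACK
        if p.proto == "icmp" and p.icmp != "echo-reply":
            return "INVALID"
        self.table[key] = "ESTABLISHED"
        return "ESTABLISHED"


class StatefulFirewall:
    """Policy of the slide: OUTPUT accepts NEW,ESTABLISHED,RELATED; INPUT only ESTABLISHED,RELATED."""
    OUTPUT_OK = {"NEW", "ESTABLISHED", "RELATED"}
    INPUT_OK = {"ESTABLISHED", "RELATED"}

    def __init__(self, udp_wildcard_reply: bool = True):
        self.ct = ConnTracker(udp_wildcard_reply)

    def allow_output(self, p: Pkt) -> bool:
        return self.ct.outbound(p) in self.OUTPUT_OK

    def allow_input(self, p: Pkt) -> bool:
        return self.ct.inbound(p) in self.INPUT_OK


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.allow_output(Pkt("tcp", "10.0.0.5", 40000, "160.85.128.1", 80, SYN)))
    print(fw.allow_input(Pkt("tcp", "160.85.128.1", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))))
    print(fw.allow_input(Pkt("tcp", "6.6.6.6", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))))
```

The third call in the usage shows the point of the state table: a SYN/ACK that arrives from an address the client never contacted matches no entry and is refused, even though its flags look like a legitimate reply.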

Page 22: IntSec1 Firewalls

Network Address Translation (NAT)

• NAT goals
  • Allow use of internal [private] IP addresses
  • Hide internal network structure
  • Disable direct [inbound] Internet connections

• NAT types
  • Dynamic: for connections from inside to outside; there may be fewer outside addresses than internal addresses
  • Static: for connections from outside to specific servers inside; one-to-one address mapping (fixed)

Page 23: IntSec1 Firewalls

Network Address Translation (NAT)

[Figure: hosts 10.0.0.1 to 10.0.0.4 on the “Local” network behind a NAT device; on the “External” network (Internet) their packets carry source addresses from the pool 192.69.1.1, 192.69.1.2]

NAT Table
    Local IP Source Address    External IP Source Address
    10.0.0.1                   192.69.1.1
    10.0.0.3                   192.69.1.2

A packet with SA 10.0.0.1 leaves with SA 192.69.1.1; a packet with SA 10.0.0.3 leaves with SA 192.69.1.2; a packet with SA 10.0.0.4 finds no free address in the pool: ?

Network Address Translation (NAT) is also known as IP masquerading. It provides a mapping between internal IP addresses and officially assigned external addresses. Originally, NAT was suggested as a short-term solution to the problem of IP address depletion. Also, many organizations have, in the past, used locally assigned IP addresses, not expecting to require Internet connectivity. NAT is defined in RFC 3022.

When NAT is configured, static mappings and/or dynamic pools of addresses must be configured. Static assignments permanently map a private address to a public address. Dynamic pools consist of a start IP address and the number of addresses in the pool.

NAT takes the IP address of an outgoing packet and translates it to an officially assigned global address. For incoming packets it translates the assigned address to an internal address. For each outgoing IP packet, the source address is checked against the NAT configuration rules. If a rule matches the source address, the address is translated to a global address from the address pool. The predefined address pool contains the addresses that NAT can use for translation. For each incoming packet, the destination address is checked to see if it is used by NAT. When this is true, the address is translated to the original internal address.

It should be noted that implementation of NAT for specific applications that have IP information in the application data is more sophisticated than the standard NAT implementations. If NAT translates an address for an IP packet, the checksum is also adjusted. For FTP packets, the task is even more difficult, because the packets can contain addresses in the data of the packet. For example, the FTP PORT command contains an IP address in ASCII. These addresses should also be translated correctly, and checksum updates and even TCP sequence and acknowledgement updates should be made accordingly.

There is no connection setup or tear-down at the IP level. Therefore, a timeout value should be configured that instructs NAT how long to keep an association in an idle state before returning the external IP address to the free NAT pool.

Source: Address Translation Tutorial, http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm
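The FTP case from this NAT text and from the Stateful Inspection III slide share one problem, the address carried in the application data, and one parser, so both are covered by a single added Python example (not from the slides, not any firewall's code). Part one reads the PORT command or the 227 reply on the control connection to learn which data connection to expect, refusing an announced address that does not belong to the peer; part two rewrites the private address in a PORT command to the public one and tracks the resulting change in segment length, which is what forces the TCP sequence and acknowledgement adjustment the text mentions. The public address 192.69.1.1 and the sample lines are constructed.

```python
"""FTP address handling for stateful inspection and for NAT.

Added example, not part of the lecture slides and not a real firewall's code.
 * stateful inspection: read the PORT command or the 227 reply on the control
   connection to learn which data connection to admit as RELATED;
 * NAT: rewrite the private address inside the PORT command and track the
   change in length that forces TCP sequence/acknowledgement adjustment.
The public address 192.69.1.1 and all sample lines are constructed.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str):
    """Return (ip, port) from the RFC 959 'h1,h2,h3,h4,p1,p2' field in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host-port field in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    return ip.replace(".", ",") + ",%d,%d" % (port // 256, port % 256)


def expected_data_connection(line: str, client_ip: str, server_ip: str):
    """Data connection announced on the control channel, as
    (mode, src_ip, src_port, dst_ip, dst_port), or None for other lines.

    The announced address must belong to the peer that sent it; anything
    else is refused instead of becoming a RELATED entry.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        ip, port = decode_hostport(text)
        if ip != client_ip:
            raise ValueError("PORT announces %s but the client is %s" % (ip, client_ip))
        return ("active", server_ip, 20, ip, port)      # server connects from port 20
    if text.startswith("227"):
        ip, port = decode_hostport(text)
        if ip != server_ip:
            raise ValueError("227 announces %s but the server is %s" % (ip, server_ip))
        return ("passive", client_ip, "any", ip, port)  # client connects from a port > 1023
    return None


class FtpNatSession:
    """Per-control-connection NAT state for one private client."""

    def __init__(self, private_ip: str, public_ip: str):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.seq_delta = 0   # bytes added to (negative: removed from) the client's stream so far

    def translate_client_line(self, line: str) -> str:
        """Rewrite the private address in a PORT command; other lines pass unchanged."""
        if not line.upper().startswith("PORT "):
            return line
        ip, port = decode_hostport(line)
        if ip != self.private_ip:
            return line
        new = line.replace(encode_hostport(ip, port), encode_hostport(self.public_ip, port), 1)
        self.seq_delta += len(new) - len(line)
        return new

    def fix_client_seq(self, seq: int) -> int:
        """Sequence number of a later client segment, as the server must see it."""
        return (seq + self.seq_delta) % (1 << 32)

    def fix_server_ack(self, ack: int) -> int:
        """Acknowledgement number from the server, as the client must see it."""
        return (ack - self.seq_delta) % (1 << 32)


if __name__ == "__main__":
    print(expected_data_connection("PORT 192,168,0,2,4,36\r\n", "192.168.0.2", "172.16.0.2"))
    nat = FtpNatSession("192.168.0.2", "192.69.1.1")
    print(nat.translate_client_line("PORT 192,168,0,2,4,36\r\n").strip(), nat.seq_delta)
```

Rewriting "192,168,0,2" to "192,69,1,1" shortens the command by one byte, so every later client sequence number must be shifted by that delta and every server acknowledgement shifted back; the session object keeps the running total, which grows with each rewritten PORT command.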

Page 24: IntSec1 Firewalls

Port Address Translation (PAT)

[Figure: hosts 10.0.0.1 to 10.0.0.4 on the “Local” network share the single public address 192.69.1.1 on the “External” network (Internet); the PAT device rewrites the source port as well as the source address, e.g. SA 10.0.0.1 → SA 192.69.1.1:5001 and SA 10.0.0.3 → SA 192.69.1.1:5002]

NAT Table
    Local IP Source Address:Port    External IP Source Address:Port
    10.0.0.1:X                      192.69.1.1:5001
    10.0.0.3:Y                      192.69.1.1:5002
    10.0.0.3:Z                      192.69.1.1:5003
    10.0.0.4:X                      192.69.1.1:5004

PAT is used when several privately addressed workstations share a single public address. PAT uses the TCP and UDP port numbers to map multiple private addresses to the single public address. For normal applications such as web browsing and FTP transfers, PAT can be configured by just enabling the feature. When accesses are originated from the privately addressed LAN, a mapping is established between the source port number and the source private address. When the response is received on the publicly addressed WAN port, the destination port is mapped back to the private address.

Static PAT port mappings or the PAT default address need to be configured when an application will initiate a TCP or UDP connection from the public network. If a publicly accessible server resides on a privately addressed LAN, static ports can be defined for the applications it is running. For example, TCP port 80 for a web server and TCP port 21 for an FTP server can be statically assigned. The PAT default address can be used with, or instead of, static port assignments, and is set to the private address of a workstation on the local LAN. If an incoming IP data packet is received on a WAN port and there is no existing dynamic or static port mapping, the packet will be translated using the PAT default address.

Source: Port Address Translation, http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm
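The PAT table described above, as an added Python example (not from the slides, not a router's code). It rebuilds the slide's table on the public address 192.69.1.1, allocating a fresh public source port per outbound (private address, port) pair, mapping inbound packets back by destination port, and applying the two mechanisms the text names for connections initiated from the public side: static port mappings and the PAT default address. The private ports X, Y, Z (1234, 2000, 2001), the static server 10.0.0.7 and the default address 10.0.0.2 are constructed.

```python
"""Port Address Translation table.

Added example, not part of the lecture slides and not a router's code: one
public address (192.69.1.1 as on the slide) is shared by several private
hosts.  Each outbound (private address, port) pair gets its own public source
port; inbound packets are mapped back by destination port.  Static port
mappings serve publicly reachable servers on the private LAN, and a PAT
default address receives inbound packets that match no mapping at all.  The
private ports and the server addresses below are constructed.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]             # (ip address, port)


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 5001,
                 static: Optional[Dict[Tuple[str, int], Endpoint]] = None,
                 default_address: Optional[str] = None):
        self.public_ip = public_ip
        self.next_port = first_port
        self.dynamic_out: Dict[Tuple[str, str, int], int] = {}   # (proto, priv ip, priv port) -> public port
        self.dynamic_in: Dict[Tuple[str, int], Endpoint] = {}     # (proto, public port) -> private endpoint
        self.static_in: Dict[Tuple[str, int], Endpoint] = dict(static or {})
        self.static_out = {(proto, ip, port): pub for (proto, pub), (ip, port) in self.static_in.items()}
        self.default_address = default_address

    def _allocate(self, proto: str) -> int:
        """Next free public port; statically mapped ports are never handed out dynamically."""
        while (proto, self.next_port) in self.static_in or (proto, self.next_port) in self.dynamic_in:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("public port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """New source endpoint for a packet leaving the private LAN."""
        key = (proto, src[0], src[1])
        if key in self.static_out:                  # replies of a statically mapped server
            return (self.public_ip, self.static_out[key])
        if key not in self.dynamic_out:
            pub = self._allocate(proto)
            self.dynamic_out[key] = pub
            self.dynamic_in[(proto, pub)] = src
        return (self.public_ip, self.dynamic_out[key])

    def inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """Private destination for a packet arriving on the public side, or None to drop it.
        Lookup order: dynamic mapping, static mapping, PAT default address."""
        if (proto, dst_port) in self.dynamic_in:
            return self.dynamic_in[(proto, dst_port)]
        if (proto, dst_port) in self.static_in:
            return self.static_in[(proto, dst_port)]
        if self.default_address is not None:
            return (self.default_address, dst_port)
        return None


def slide_table() -> PatTable:
    """Rebuild the slide's table; X, Y, Z are the constructed private ports 1234, 2000, 2001."""
    pat = PatTable("192.69.1.1", static={("tcp", 80): ("10.0.0.7", 80)}, default_address="10.0.0.2")
    for src in (("10.0.0.1", 1234), ("10.0.0.3", 2000), ("10.0.0.3", 2001), ("10.0.0.4", 1234)):
        pat.outbound("tcp", src)
    return pat


if __name__ == "__main__":
    pat = slide_table()
    for key, pub in pat.dynamic_out.items():
        print("%s:%d -> %s:%d" % (key[1], key[2], pat.public_ip, pub))
    print("inbound tcp/5002 ->", pat.inbound("tcp", 5002))
```

Note that 10.0.0.1 and 10.0.0.4 both use private port X and still receive distinct public ports, because the mapping is keyed on the full private endpoint. A table built without a default address returns None for an unmapped inbound packet, which is the safer configuration when no workstation needs to be reachable from outside.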

Page 25: IntSec1 Firewalls

NAT with Linux Netfilter

[Figure: Netfilter packet paths with the nat table (-t nat) added to the filter chains of the earlier slide. Arriving packets pass the PREROUTING chain (destination NAT) before the routing decision, which sends them to INPUT (local process) or FORWARD; locally generated packets pass the OUTPUT chain (destination NAT) and are then routed; every packet leaving on eth0 or eth1 passes the POSTROUTING chain (source NAT) last.]

http://www.netfilter.org

Page 26: IntSec1 Firewalls

NAT with Linux Netfilter: Examples

• Masquerading (with dynamic IP addresses)

    iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
        -j MASQUERADE

• Source NAT (with static IP addresses)

    iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
        -j SNAT --to 1.2.3.4-1.2.3.6

• Destination NAT (with static IP addresses)

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
        -j DNAT --to 10.1.0.7:8080

http://www.netfilter.org

Page 27: IntSec1 Firewalls


Internet Security (IntSec)

10.3 Management

Page 28: IntSec1 Firewalls

Administration Example 1: Checkpoint FireWall-1

• Define authorization based on multiple criteria
• Support for over 150 applications plus custom services

A firewall’s number one job is to provide access control. By default, FireWall-1 operates under the strictest security policy: “That which is not explicitly permitted is denied.” From this starting point, security managers add rules to allow access as appropriate.

Defining these rules is easy and intuitive with FireWall-1. A broad range of applications and services are supported out of the box, and defining additional network resources (e.g., protocols, services, users, groups, servers, etc.) is easy. These network resources are then used as the basis of security policy rules.

InspectXL is FireWall-1’s enabling technology, providing unparalleled application support and performance beyond 100Mbps. Based on Check Point’s patented Stateful Inspection, it provides the combination of high performance and high security.

http://www.checkpoint.com/products/firewall-1/index.html

Page 29: IntSec1 Firewalls


Administration Example 2: Linux IPCop

http://www.ipcop.org

Page 30: IntSec1 Firewalls

Monitoring and Logging

• Main problem – multitude of logging sources
  • Operating system logs, network management messages, firewall logs and alerts, router management messages, intrusion detection alarms, application and server statistics, system integrity checks.
  • Automated processing is a prerequisite.

• Central log server
  • All important system components should send their log messages to a central log server. The analysis and reporting can then be done centrally in a comprehensive way.
  • Logs should be immediately copied to a secure, non-erasable storage medium (e.g. write-once CD-ROMs) because attackers will try to remove their traces from the logs.

• Denial of service attacks
  • An effective denial of service attack might be mounted by flooding the log server with innumerable messages, thus filling up the file space.
  • Automatic alerting mechanisms must prevent this.
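The automatic alerting called for in the last point, as an added Python example (not from the slides): a detector a central log server could run over its incoming lines. It parses the classic BSD syslog line layout, keeps a sliding window of timestamps per sending host, and raises an alert the first time a host exceeds a message-rate threshold, so a flood is noticed while there is still file space left. The hosts, messages, window and threshold are constructed for this example; the addresses reuse the slide's 80.63.5.7 and 152.96.129.3.

```python
"""Rate-based alerting for a central log server.

Added example, not part of the lecture slides.  Each incoming line is parsed
(BSD syslog layout: "Mon dd hh:mm:ss host program: message"), timestamps are
kept per sending host in a sliding window, and an alert is raised the first
time a host sends more than `threshold` messages within `window` seconds.
Hosts, addresses and messages below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional

LOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_line(line: str):
    """Return (timestamp, host, program, message) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year; strptime defaults to 1900, which is fine for
    # computing differences inside one window
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


class FloodDetector:
    def __init__(self, window_seconds: int = 10, threshold: int = 50):
        self.window = window_seconds
        self.threshold = threshold
        self.recent = defaultdict(deque)   # host -> timestamps inside the window
        self.alerted = set()               # hosts already reported (alert once per host)
        self.unparsed = 0

    def feed(self, line: str) -> Optional[str]:
        """Process one line; return an alert string when a host crosses the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            self.unparsed += 1             # malformed input is counted, never trusted
            return None
        ts, host, _program, _msg = parsed
        q = self.recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.threshold and host not in self.alerted:
            self.alerted.add(host)
            return "ALERT: %s sent %d messages within %ds" % (host, len(q), self.window)
        return None


def sample_lines() -> List[str]:
    """Constructed syslog lines: normal traffic, one junk line, then a 60-message burst from fw1."""
    lines = [
        "Feb  4 10:00:01 router1 bgpd: neighbor 160.85.128.1 up",
        "Feb  4 10:00:02 fw1 kernel: DROP IN=eth0 SRC=80.63.5.7 DST=152.96.129.3 PROTO=TCP DPT=22",
        "this line is not syslog at all",
    ]
    for i in range(60):
        lines.append(
            "Feb  4 10:00:%02d fw1 kernel: DROP IN=eth0 SRC=80.63.5.7 DST=152.96.129.3 PROTO=UDP DPT=%d"
            % (3 + i // 30, 1024 + i)
        )
    return lines


def run_detector(lines: List[str], window_seconds: int = 10, threshold: int = 50) -> List[str]:
    """Feed all lines through one detector and collect the alerts it raises."""
    det = FloodDetector(window_seconds, threshold)
    return [alert for alert in (det.feed(line) for line in lines) if alert is not None]


if __name__ == "__main__":
    for alert in run_detector(sample_lines()):
        print(alert)
```

The alert fires once per host rather than once per excess message, so the alerting channel itself cannot be flooded by the same burst; the counter of unparseable lines is worth reporting separately, since a flood of junk would otherwise pass through uncounted.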