
Page 1: Lecture 08 Firewalls
Dr. Supakorn Kungpisdan, supakorn@mut.ac.th
ITEC4621: Network Security

Page 2: Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example

Page 3: Primary Concerns
- Confidentiality of information
- Unauthorized access
- External and internal attacks

Page 4: Defining Access Control Policy
- An Access Control Policy is a corporate policy that states which types of access are allowed across an organization's network perimeter.
- For example:
  - Allow SSH requests from the outside network only to the machine with IP 203.148.145.2
  - Reject requests from any host inside the network to the web server with IP 203.147.23.2
- Controlling such access relies mainly on the FIREWALL
- Other enforcement points exist as well: ACLs on routers, TCP wrappers on Unix, Intrusion Prevention Systems (IPSs)

Page 5: Firewall
- A firewall is a gateway or access server (hardware or software based), or several gateways or access servers, that act as a buffer between a connected public network and a private network
- It separates a trusted network from an untrusted network
- A firewall can be a router, a PC running specialized software, or a combination of devices
- It enforces an access control policy on network traffic as the traffic passes through access points
- Firewalls filter traffic mainly on factors such as source/destination IP addresses, source/destination port numbers, interfaces, protocols, etc.

Page 6: Firewall (cont’d)
[Figure: firewall placed between the Public INTERNET and the Administered Network]

Page 7: When Is a Firewall Required?
- Dial-in modem pool and client-initiated VPN: e.g. allow dial-in or VPN users to access only the email server
- External connections to business partners: used to filter access over the permanent link between business partners
- Between departments: an internal firewall may be required to enforce clearance levels
- Hosts: a software firewall, e.g. ZoneAlarm, may be used on individual desktop computers

Page 8: Roadmap
- Firewall Overviews
- Firewall Functions
  - Packet Filtering
  - Stateful Firewall
  - Application-level Firewall or Proxy
- Address Translation at Firewall
- DMZ
- IPTables Example

Page 9: Packet Filtering
- The least-intelligent type of firewall
- Controls traffic using information stored in packet headers; each packet is either passed or dropped
- Information used for filtering:
  - Source/destination IP address or subnet
  - TCP/UDP source/destination port
  - Flags (TCP only)
  - Etc.

Page 10: Filtering TCP Flags
- “Our internal users can access any service out on the Internet, but all Internet traffic headed to the internal network should be blocked”
- Generally, to establish a TCP connection, a sender sends a packet with SYN=1 and all other flags equal to 0.
- Thus, more correctly: “All Internet traffic headed to the internal network with SYN=1 and all other flags equal to 0 should be blocked”

Page 11: TCP SYN Scan
- The TCP SYN scan uses common methods of port identification that allow nmap to gather information about open ports without completing the TCP handshake.
- When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.

Page 12: TCP SYN Scan (cont.)
[Figure: SYN scan exchange against a closed port and against an open port]
Source: http://www.networkuptime.com/nmap/page3-2.shtml

Page 13: TCP SYN Stealth Port Scan

[root@REDHATBOX root]# nmap -sS 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 05:07 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port      State     Service
21/tcp    filtered  ftp
22/tcp    open      ssh
23/tcp    open      telnet
139/tcp   open      netbios-ssn
6000/tcp  open      X11
Nmap run completed -- 1 IP address (1 host up) scanned in 3.194 seconds

Page 14: TCP SYN Scan (cont.)
[Figure: annotated scan output; callouts read "SMB, running on top of NetBIOS" and "Remote desktop"]

Page 15: FIN Scanners
- Normally a port scanner checks whether any services are open on a host by sending a SYN=1, ACK=1 packet. This can be blocked by a firewall.
- Instead, an attacker sends a FIN=1, ACK=1 packet to a host, addressed to a particular port number.
  - If an ACK=1, RST=1 packet returns, there is no service on that port
  - If an ACK=1, FIN=1 packet returns, a service is listening on that port
- A FIN scan can identify services and the OS of the remote machine

[root@REDHATBOX root]# nmap -sF 192.168.0.1

Page 16: Packet Filtering ICMP
- Internet Control Message Protocol: provides background support for the IP protocol
- ICMP does not use ports
- Type identifies the ICMP packet type; Code provides a more detailed explanation about the current session
- E.g. Type 3 = Destination unreachable, Type 0 = Echo reply; Code 3 = Port unreachable, Code 0 = Network unreachable

Page 17: Example of Filtering ICMP
- Avoid a “Ping Flood” attack…

> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

- As the INPUT chain's default policy is DROP, this allows only 1 ping per second to be accepted: echo requests above that rate match no rule and fall through to the default DROP.

Page 18: Packet Filtering - Pros
- Fast: operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets
- Application independence: ignores packet payload
- Least expensive type of firewall
- Packet filtering rules are relatively easy to configure
- No configuration changes are necessary on the protected workstations

Page 19: Packet Filtering - Cons
- Allows a direct connection between endpoints through the firewall, which leaves the potential for a vulnerability to be exploited
- No screening of packet payload is available; it is impossible to block users from visiting web sites deemed off limits, for example
- Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available
- Complex firewall policies are difficult to implement using filtering rules alone
- Authentication is based on IP addresses rather than users

Page 20: Stateful Firewall
- Extends packet filtering by maintaining a connection table in order to monitor the state of a communication session
- An attacker cannot fool the firewall by sending a message with ACK=1
- Can remember state information
- Suitable for UDP traffic

Page 21: Packet Filtering VS Stateful Firewall
- ACL:
  - Allow the protected host to establish any service session with the remote server
  - Allow any session that has already been established to pass
  - Drop all other traffic

Page 22: Packet Filtering VS Stateful Firewall (cont’d)
[Figure: protected host (port 1037) exchanging packets with the remote server (port 80) through the firewall]

Page 23: Packet Filtering VS Stateful Firewall (cont’d)
[Figure: protected host (port 1037) exchanging packets with the remote server (port 80) through the firewall]

Page 24: Packet Filtering VS Stateful Firewall (cont’d)
- Only the protected host can establish a connection with the server

Page 25: Packet Filtering VS Stateful Firewall (cont’d)
- Stateful firewall: looks up the connection table and finds that the host has not established a connection with the attacker yet
- Packet filter: assumes that the attacker has already established a connection with the host
[Figure: attacker's packet from port 80 towards the host's port 1037, as handled by each firewall type]
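The scenario on slides 21 to 25, replayed as an added example (not from the lecture): a stateless filter that applies the slide 10 rule and so takes any inbound packet that is not SYN-only as part of an existing session, beside a stateful firewall that consults a connection table. Hosts, ports and the forged packet are constructed for illustration.

```python
# Added example (not from the lecture): the ACL on slide 21 enforced first by
# a stateless packet filter and then by a stateful firewall.  All addresses
# and packets below are constructed.
from __future__ import annotations
from dataclasses import dataclass

PROTECTED_HOST = "192.168.1.10"   # constructed: host behind the firewall
SERVER = "203.0.113.5"            # constructed: legitimate web server
ATTACKER = "198.51.100.9"         # constructed: outside attacker


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: decides from the header fields of this packet alone."""
    if pkt.src == PROTECTED_HOST:        # outbound: host may open any session
        return "ACCEPT"
    if pkt.syn and not pkt.ack:          # inbound connection attempt (slide 10)
        return "DROP"
    return "ACCEPT"                      # assumed to belong to a host-opened session


class StatefulFirewall:
    """Keeps a table of the sessions the protected host has opened."""

    def __init__(self) -> None:
        self.table = set()               # entries: (src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        if pkt.src == PROTECTED_HOST:
            if pkt.syn and not pkt.ack:  # outbound SYN registers the session
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: only packets that answer a recorded session pass, whatever
        # flags the sender chose to set.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ACCEPT"
        return "DROP"


def run_scenario() -> dict[str, str]:
    """Replays slides 22-25 and returns each firewall's verdict per packet."""
    fw = StatefulFirewall()
    host_syn = Packet(PROTECTED_HOST, 1037, SERVER, 80, syn=True)
    server_reply = Packet(SERVER, 80, PROTECTED_HOST, 1037, syn=True, ack=True)
    # The attacker forges an ACK=1 packet towards port 1037 to mimic a reply.
    forged_ack = Packet(ATTACKER, 80, PROTECTED_HOST, 1037, ack=True)
    verdicts = {}
    for name, pkt in [("host_syn", host_syn), ("server_reply", server_reply),
                      ("forged_ack", forged_ack)]:
        verdicts[name + "/stateless"] = stateless_filter(pkt)
        verdicts[name + "/stateful"] = fw.filter(pkt)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```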

Page 26: IPTables Rules Based on Network State
- Packets can be in a number of different states:
  - NEW: a packet which starts a new connection
  - RELATED: a new connection, but part of an old session
  - ESTABLISHED: a connection that is already running
  - INVALID: anything that fits none of the above

> iptables -t filter -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT

Page 27: Stateful Firewall - Pros
- Offers improved security over basic packet filters due to packet examination
- Better logging of activities than basic packet filters
- Good performance
- Configuration changes to the protected workstations are unnecessary

Page 28: Stateful Firewall - Cons
- Allows a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
- No hiding of your private systems
- Setting up stateful packet examination rules is more complicated
- Supports only certain protocols at the application layer
- No user authentication

Page 29: Proxy
- Also called an “application gateway” or “forwarder”
- An application that mediates traffic between two network segments
- Used instead of filtering to prevent traffic from passing directly between networks
- Source and destination never actually “connect”

Page 30: How a Proxy Passes Traffic
- A proxy does not route traffic; it acts as an “interpreter”
- Protocol specific: web proxy, email proxy, your own application's proxy

Page 31: How a Proxy Passes Traffic (cont’d)
1. The internal host sends an HTTP request to the proxy
2. The proxy finds that the host has requested a web page. It then passes the request to an HTTP application inside the proxy
3. The HTTP application checks the ACL. If OK, the proxy creates a new request containing the internal host’s request, with the proxy itself as the source
4. The web server responds to the proxy. The HTTP application checks the ACL. If OK, the proxy creates an HTTP response to the internal host

Page 32: Proxies - Pros
- The firewall does not let end points communicate directly with one another
- Has the best content filtering capability
- Can hide private systems
- Robust user authentication
- Offers the best logging of activities
- Policy rules are usually easier than packet filtering rules

Page 33: Proxies - Cons
- Performance problems: much slower than the other two types
- Must have a proxy for every protocol; lacking a proxy may prevent a protocol from being handled correctly by the firewall
- TCP is the preferred transport; UDP may not be supported
- Limited transparency: clients may need to be modified, for example by setting up the proxy server in a browser

Page 34: Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example

Page 35: Address Translation
- Translates one IP address into another
- Hides the system from the outside network
- Uses Network Address Translation (NAT) to map between public IPs and private IPs
- Ranges of private IPs:
  - 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
  - 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
  - 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
- Types of NAT:
  - Static NAT
  - Hiding (or Dynamic) NAT
  - Port Address Translation (PAT)

Page 36: Static NAT
- One private IP is mapped to one public IP
- The internal system can be accessed from the Internet
- Allows both inbound and outbound traffic
- Does not need to change the source port
- Most NAT devices allow some systems to use static NAT while hiding the rest
- Suitable for assigning to servers in the DMZ

Page 37: Hiding (or Dynamic) NAT
- The firewall converts the local IP to its own IP for outgoing and incoming packets
- Many-to-many relationship: multiple private IPs are mapped to a single public IP chosen from a list of available IPs
- Outbound traffic can be mapped onto the firewall IP or any other legal IP
- Does not allow inbound connections: local machines cannot operate as servers
- Increases security: local machines cannot be accessed from outside the firewall

Page 38: Port Address Translation (PAT)
- Utilized by most proxies; must use the firewall IP, not any other public IP
- Also allows inbound traffic
- For inbound traffic, PAT checks the port number and forwards the packet to the specified internal system

Page 39: PAT (cont’d)
[Figure: PAT example]
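An added example (not from the lecture) that models the three NAT types on slides 36 to 38 as translation tables: static NAT rewrites the address only and admits inbound traffic, hiding NAT hands each host a public IP from a pool and keeps the port, and PAT rewrites everything to the firewall IP plus a fresh port and admits inbound traffic only through a configured port forward. The firewall IP comes from the slide 46 diagram; the static mapping, pool, port-forward entry and the reply flag (which stands in for connection tracking) are constructed assumptions.

```python
# Added example (not from the lecture): toy address translator for static NAT,
# hiding NAT and PAT.  Addresses other than the firewall IP are constructed.
from __future__ import annotations

FIREWALL_IP = "203.148.145.1"                        # public side (slide 46)
STATIC = {"10.1.1.254": "203.148.145.10"}            # constructed: DMZ web server, 1:1
HIDING_POOL = ["203.148.145.20", "203.148.145.21"]   # constructed: dynamic NAT pool
PAT_FORWARD = {2222: ("192.168.1.254", 22)}          # constructed: inbound port forward


class Nat:
    """mode is 'hiding' (pool of public IPs) or 'pat' (firewall IP plus ports)."""

    def __init__(self, mode: str) -> None:
        self.mode = mode
        self.hiding = {}          # private ip -> pool ip          (hiding NAT)
        self.sessions = {}        # public port -> (private ip, port)   (PAT)
        self.next_port = 40000    # next free public port for PAT

    def outbound(self, src: str, sport: int) -> tuple[str, int] | None:
        """Rewrite the source of a packet leaving the private network."""
        if src in STATIC:                               # static NAT: address only
            return STATIC[src], sport
        if self.mode == "hiding":                       # one pool IP per host, port kept
            if src not in self.hiding:
                free = [ip for ip in HIDING_POOL if ip not in self.hiding.values()]
                if not free:
                    return None                         # pool exhausted: cannot translate
                self.hiding[src] = free[0]
            return self.hiding[src], sport
        for pub_port, priv in self.sessions.items():    # PAT: reuse an existing binding
            if priv == (src, sport):
                return FIREWALL_IP, pub_port
        self.sessions[self.next_port] = (src, sport)    # PAT: allocate a new public port
        self.next_port += 1
        return FIREWALL_IP, self.next_port - 1

    def inbound(self, dst: str, dport: int, reply: bool) -> tuple[str, int] | None:
        """Rewrite the destination of a packet from the Internet; None means drop."""
        for priv, pub in STATIC.items():                # static NAT: inbound allowed
            if pub == dst:
                return priv, dport
        if reply:                                       # answer to a translated session
            if self.mode == "hiding":
                for priv, pub in self.hiding.items():
                    if pub == dst:
                        return priv, dport
            elif dst == FIREWALL_IP and dport in self.sessions:
                return self.sessions[dport]
        elif self.mode == "pat" and dst == FIREWALL_IP and dport in PAT_FORWARD:
            return PAT_FORWARD[dport]                   # explicit port forward
        return None                                     # hidden host: unreachable


if __name__ == "__main__":
    pat = Nat("pat")
    print(pat.outbound("192.168.1.10", 1037))           # (firewall IP, 40000)
    print(pat.inbound(FIREWALL_IP, 40000, reply=True))  # back to the private host
    print(pat.inbound(FIREWALL_IP, 22, reply=False))    # None: no forward configured
```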

Page 40: Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example

Page 41: DMZ
- A Demilitarized Zone (DMZ) is a subnet that belongs to neither the private nor the public network.
- A DMZ provides additional protection, since an attacker may be able to break into the web server and, without a DMZ, get inside the internal network from there
- Static filtering at the router provides multilayer protection
- Place the proxy behind the firewall to secure the Internet connection
- All the DMZ servers may be statically NATed

Page 42: DMZ (cont’d)
[Figure: Public INTERNET, Outer Firewall, DMZ holding the External Server (Public), Inner Firewall, Internal Server]

Page 43: Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- Firewall Deployment
- IPTables Example

Page 44: IPtables
- Since kernel 2.4, the standard firewall on Linux is iptables.
- It implements its rules using three “tables”:
  - Filter: handles standard “firewall” things
  - NAT: rewriting of source/destination IPs
  - Mangle: packet information manipulation

Page 45: IPTables – Filter Table
- The filter table is divided up into three chains: INPUT, OUTPUT, FORWARD
- Chains have a default policy (either ACCEPT, REJECT, or DROP).
- A packet will only be dealt with using one of the three chains.

Page 46: (network diagram)
[Figure: firewall with interfaces eth0, eth1 and eth2 connecting the Public Network (203.148.145.1), the DMZ (10.1.1.1; Web server 10.1.1.254) and the Internal network (192.168.1.1; App server 192.168.1.254, port 6001)]

Page 47: Rule Structure
- Append or Delete Rule: iptables [-t table] -[AD] chain rule-specification [options]
- Insert New Rule: iptables [-t table] -I chain [rulenum] rule-specification [options]
- Replace Rule: iptables [-t table] -R chain rulenum rule-specification [options]
- Delete Rule: iptables [-t table] -D chain rulenum [options]
- List Rules, Flush Rules, Zero Counters: iptables [-t table] -[LFZ] [chain] [options]
- New Chain: iptables [-t table] -N chain
- Delete Chain: iptables [-t table] -X [chain]
- Set Chain Policy (ACCEPT, DROP): iptables [-t table] -P chain target [options]
- Rename Chain: iptables [-t table] -E old-chain-name new-chain-name

Page 48: Adding Rules
- Rules can be added, removed, and changed using the iptables command.

> iptables -t filter -A INPUT -i lo -j ACCEPT

- Appends to the INPUT chain a rule that packets arriving on the LOOPBACK device should be ACCEPTed

Page 49: IPTables Example
- Scenario: a personal firewall that should allow all outbound connections and restrict all inbound traffic to just an SSH server running on port 22.

Page 50: IPTables Example (cont’d)
Initial Rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Page 51: IPTables Example - Initial firewall configuration

# Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP

Page 52: IPTables Example (cont’d)
Add the rule to allow incoming tcp connections on 22:

# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Page 53: IPTables Example (cont’d)
Add a rule to allow incoming connections from ourself (on the loopback interface only; the outside interface could be spoofed).

# iptables -I INPUT -i eth0 -s localhost -j DROP
# iptables -I INPUT -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Page 54: IPTables Example (cont.)
Add a rule to allow incoming connections on any port if the connection is already established or related to an established connection.

# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Page 55: IPTables Example (cont’d)
Add a rule to log all packets before we drop them:

# iptables -A INPUT -j LOG --log-level debug --log-prefix "IPTABLES: DROPPED"
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        all  --  anywhere             anywhere            LOG level debug prefix `IPTABLES: DROPPED'
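An added example (not from the lecture) that models how the finished INPUT chain on slide 55 is evaluated: rules are tried top to bottom, the first ACCEPT or DROP match wins, LOG is non-terminating, and a packet that matches no terminating rule falls to the chain's DROP policy. The sample packets and their state labels are constructed, and localhost is written as 127.0.0.1.

```python
# Added example (not from the lecture): first-match evaluation of the INPUT
# chain built on slides 51-55.  Packets below are constructed samples.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on (-i)
    proto: str            # "tcp", "udp" or "icmp" (-p)
    src: str              # source address (-s)
    dport: int | None     # destination port, None for icmp (--dport)
    state: str            # NEW, ESTABLISHED, RELATED or INVALID (slide 26)


@dataclass(frozen=True)
class Rule:
    target: str                           # ACCEPT, DROP or LOG (-j)
    iface: str | None = None
    proto: str | None = None
    src: str | None = None
    dport: int | None = None
    states: frozenset[str] = frozenset()  # -m state --state; empty = any
    log_prefix: str = ""                  # --log-prefix

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))

# Final INPUT chain from slide 55: each -I pushed its rule to the top, so the
# rules sit in reverse order of entry, and the -A LOG rule sits last.
INPUT_CHAIN = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", iface="lo"),
    Rule("DROP", iface="eth0", src="127.0.0.1"),   # localhost spoofed on eth0
    Rule("ACCEPT", proto="tcp", dport=22),         # ssh
    Rule("LOG", log_prefix="IPTABLES: DROPPED"),
]
INPUT_POLICY = "DROP"


def evaluate(chain: list[Rule], policy: str, p: Packet) -> tuple[str, list[str]]:
    """Walk the chain top to bottom; return the verdict and any log lines."""
    logs: list[str] = []
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":            # non-terminating: record and go on
            logs.append(f"{rule.log_prefix} IN={p.iface} SRC={p.src} "
                        f"PROTO={p.proto} DPT={p.dport}")
            continue
        return rule.target, logs            # first ACCEPT/DROP match wins
    return policy, logs                     # nothing terminated: default policy


def verdict(p: Packet) -> str:
    return evaluate(INPUT_CHAIN, INPUT_POLICY, p)[0]


if __name__ == "__main__":
    samples = {   # constructed sample packets
        "new ssh from outside": Packet("eth0", "tcp", "203.0.113.7", 22, "NEW"),
        "reply to our own request": Packet("eth0", "tcp", "203.0.113.7", 40000, "ESTABLISHED"),
        "localhost spoofed on eth0": Packet("eth0", "tcp", "127.0.0.1", 22, "NEW"),
        "new http from outside": Packet("eth0", "tcp", "203.0.113.7", 80, "NEW"),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} -> {evaluate(INPUT_CHAIN, INPUT_POLICY, pkt)}")
```

Swapping the DROP and ssh ACCEPT rules in INPUT_CHAIN makes the spoofed-localhost packet pass, which is why the slide inserts the spoof rule after (i.e. above) the ssh rule.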

Page 56: Questions?