Uploaded by buikhue on 01-May-2018.

P2_L3 - Firewalls Page 1

GaTech OMSCS – CS 6035: Introduction to Information Security

Reference: Computer Security by Stallings and Brown, Chapter 9

Firewalls are part of the network defense-in-depth mechanisms. They filter out malicious packets so that they can prevent intrusions into a network. In this lesson, we're going to cover the firewall filtering techniques, as well as deployment strategies.

When it comes to defense against attacks, the most important principle is to employ defense-in-depth. In other words, we should deploy multiple layers of defense mechanisms. The first line is a prevention mechanism that stops attacks from getting into our networks and systems. Inevitably though, some attacks can defeat the prevention mechanisms. That is, there are holes or weaknesses in the prevention mechanisms that allow some attacks to get through. For example, an attack can be JavaScript that is only triggered at a specified time in the future, and so it will be hard for the prevention system to stop this attack now, because it does not know or see the attack behavior yet. The second line of defense is detection and response mechanisms that watch activities on our systems and networks to detect attacks and repair the damage. Again, there will be attacks that go undetected, at least for a while. For example, attacks that blend in with normal activities, such as APT malware that is a malicious browser plugin, would be hard to detect initially, not until its effects, such as data loss due to stolen credentials, manifest some time later. The third line of defense is attack-resilient technologies. These enable the core elements, or the most valuable systems on the network, to survive attacks and continue to function. For example, a server can actually be a collection of diversified systems with different implementations, so that at least one of them will not be susceptible to the attack, because an attack typically exploits specific vulnerabilities that exist in some, but not all, implementations. To summarize, we need to deploy defense-in-depth mechanisms, or multiple layers of security mechanisms, to protect our networks.

P2_L3 - Firewalls Page 2

A firewall is a widely deployed prevention technology. To motivate the need for firewalls, let's look at a typical enterprise network at a high level.

An enterprise network is part of the Internet. It typically has an internal or trusted part, which only the company's employees can access. For example, if this is a bank, the trusted part of the enterprise network has the internal email servers and the systems that process financial transactions, and only authorized staff can access such systems.

The enterprise network can also have a public-facing part. For example, the bank has a web server for its customers to log in, or for the public to just learn about the bank. This public-facing service is in the so-called demilitarized zone, or DMZ, which, while it is part of the enterprise network, is separated from the trusted network. For example, while customers can interact with the web service in the DMZ to log in and submit transaction requests, they cannot directly access the servers in the trusted network that are authorizing and processing the transactions.

When a company has multiple physical sites, for example a bank with branches in several cities, each site can have its own local trusted network, but the sites need to communicate with each other. For example, employees in one city or branch (these are the trusted users) need to access the corporate network at the headquarters in another city, and such access or traffic goes across the Internet, which is not trusted.

How do we get traffic to its destination correctly across the Internet? We need routers. Each local or enterprise network has at least one router at its perimeter, and there are core routers on the Internet backbone. Together, these routers transport packets from one local area network to the Internet backbone, on to the destination local area network, and to the specific host on that network.

The routers can send traffic to the correct destination on the Internet, but as we have discussed, whether the network should allow such traffic depends on security considerations. For example, traffic from another trusted network, such as a branch office, should be allowed into the trusted network of the headquarters. As another example, traffic from an untrusted network should only be allowed to the web service in the DMZ, and access from the DMZ to the trusted network is again restricted.

In short, we need a device that can enforce these different security restrictions on traffic. A firewall is such a device. More precisely, a firewall is a device that provides secure connectivity between networks, for example between an internal trusted network and an external untrusted network. It is used to implement and enforce a security policy for communication between the networks.

P2_L3 - Firewalls Page 3

Instructor Notes: Firewalls

Although virtually all companies have firewalls in place, the number of security breaches continues to increase. The reason for this is that a firewall is not all things to all malware. There are some security breaches that cannot be stopped by a firewall. Let's do a quiz on firewalls. Look at this list of items, and check all those items that a firewall can stop:

1. Hackers breaking into your system.
2. Internet traffic that appears to be from a legitimate source.
3. Viruses and worms that spread through the Internet.
4. Spyware being put on your system.
5. Viruses and worms that are spread through email.

Check all those items that a firewall can stop.

*** No transcript ***

Attacks can be considered the result of violations of security policies; therefore, as a prevention mechanism, a firewall should be designed to enforce security policies. So what is a policy? At a high level, a security policy specifies what is allowed, and whatever is not specified is by default not allowed. In other words, what is allowed means what is good or acceptable to the organization. Obviously, policy is organization specific, and we will come back to this point later.

So, specific to firewalls, a firewall is designed to enforce security policies on network traffic. That is, all traffic, inbound and outbound, meaning from the internal network to the Internet or vice versa, must pass through the firewall, and the firewall will enforce policy on that traffic. In other words, only traffic authorized by the security policies is allowed to pass through the firewall.

P2_L3 - Firewalls Page 4

In addition to correctly enforcing the security policies, a firewall also must be dependable. This means that the firewall must not be easy to crash or disable by an attack. The reason is obvious: if the firewall is disabled by an attack, then all subsequent attacks can get into our network.

A critical component in the planning and implementation of a firewall is specifying a suitable access policy. So what does the policy say? Simply put, the network access policy specifies what types of traffic can pass through the firewall. The types of traffic are typically defined by the address ranges (meaning which machines), the protocols, the applications, and the contents. We will give some examples of access policy later.

How do we decide on the policies? A policy should be developed through a security and risk assessment of the organization. The topic of risk assessment is discussed in another lecture. Essentially, this risk assessment and policy exercise will tell us what types of traffic the organization must support, what security risks are associated with that traffic, and therefore how the firewall should be implemented to mitigate such risks.

Firewalls have limitations. That is, there are situations where a firewall provides no protection. If traffic does not pass through a firewall, then the firewall cannot examine that traffic and provide protection. For example, if traffic is routed around the firewall, meaning that the traffic does not pass through the firewall, then there is no protection. Or, for traffic that is internal to the network, meaning that the traffic does not cross the boundary between the internal and external networks, there is no protection by the firewall that sits between the internal and external networks. And if the firewall is misconfigured, then even for traffic that passes through, the firewall cannot examine it correctly.

P2_L3 - Firewalls Page 5

Firewalls also provide additional features.

Firewalls can log all traffic that passes through, and the log can be analyzed later to learn about the traffic, such as the traffic volume to a specific part of the network.

A firewall can also provide network address translation. This is useful when multiple machines in the internal network have to share one IP address toward the external networks on the Internet. The firewall translates the source IP address of an internal host to this shared IPv4 address for outbound traffic, and for inbound traffic, the firewall translates the destination IP address to the IP address of an internal host. It can also provide encryption services. For example, when traffic goes out from one internal trusted network to another trusted network across the Internet, the firewall can automatically encrypt the traffic so that the untrusted networks on the Internet cannot learn the contents of such traffic.

Let's do a quiz on firewall features. First, can malware disable a software firewall? Can malware disable a hardware firewall? Likewise, can malware disable an antivirus checker? Second, can a firewall stop pings, packet sniffing, or outbound network traffic?

*** No Transcript ***

P2_L3 - Firewalls Page 6

The main mechanism in firewalls is traffic filtering. Firewall filtering means that the traffic gets to the firewall and the firewall decides whether to let the traffic through or not. In other words, each packet is stopped at the firewall and is checked against the security policy, and then the firewall decides whether to allow the packet or discard it. Both inbound and outbound traffic is filtered, or checked, against the security policy of the firewall.

There are two main types of filtering. The first type is filtering on a per-packet basis. Essentially, the firewall policy is a set of access control lists based on the packet types. The second type of filtering is on a per-session basis. In this type of filtering, a packet is examined based on its context within a session, and in order to do so the firewall maintains information about a session or connection and performs so-called stateful inspection.

In a packet filtering firewall, decisions are made on a per-packet basis, meaning that decisions are made based exclusively on the current packet and not on any other packet. Therefore, the firewall does not need to keep any state information about other packets. As we can see, packet filtering is the simplest and the most efficient, but it is not robust against attacks that span multiple packets, where each packet by itself is not indicative of an attack.

P2_L3 - Firewalls Page 7

A packet filtering firewall is relatively simple. It basically applies a list of rules to match the IP or TCP header of a packet, and based on the rule matched, the firewall then decides to forward or discard the packet.

Here are examples of IP or TCP header information that a firewall can use to filter a packet:

- Source IP address, where the packet is from.
- Destination IP address, where the packet is going to.
- Source and destination transport-level address, meaning the transport-level port number, which defines applications such as SNMP or HTTP. Basically, this tells what application the packet belongs to. For example, is it email or web traffic?
- IP protocol field. This defines the transport protocol, such as TCP, UDP, or ICMP.
- Interface. For a firewall with three or more ports, which interface of the firewall the packet came from, or which interface it is going to. This is useful when the firewall's ports connect networks that have quite different security policies.

A packet filtering firewall is typically set up as a list of rules based on matches to fields in the IP or TCP header:

- If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet.
- If there is no match to any rule, then a default action must be taken.

There are two default policies. The default discard policy means that if no rule matches the packet, then the packet will be discarded. This is the more secure or conservative policy, because it provides more control over what traffic is allowed into the network. On the other hand, it can be a hindrance to users, who see that some traffic is not allowed and have to ask the system admin to enable the traffic.

P2_L3 - Firewalls Page 8

The alternative is the default forward policy, which means that if no rule matches the packet, the packet is allowed. Compared with the default discard policy, this policy is more user friendly, but it is less secure. The security admin must react to each new security threat and add rules to the firewall.

Now, let's have an exercise on firewall policies by considering user convenience and security. We're going to rate these policies on their user convenience and security. We use number one for the best and three for the worst. We have three policies here. The first one accepts only packets it knows are safe. The second one drops packets it knows are unsafe. The third one queries the user about questionable packets.

You can think of the first one as the default discard policy. The second one is similar to the default allow policy, or default forward policy. The third one is in between the two.

The first one accepts only packets it knows are safe. It is similar to the default discard policy. In terms of security, it is the best among the three. In terms of ease of use, it is the worst, because it may stop traffic that is actually safe and useful to the user, but the firewall does not know that yet.

The second one drops packets it knows are unsafe. In terms of security, this is the worst, because our knowledge of which packets or traffic are unsafe is limited, since attackers are constantly implementing new methods. But in terms of ease of use, it is the best, because users will have access to most of the traffic that they want.

The third one queries the user about questionable packets. This is in between the two. Therefore, its security is in between (a two), and its ease of use is also in between (a two).

P2_L3 - Firewalls Page 9

Instructor Notes - Packet Filtering

The following is a student discussion on this topic that you might find interesting:

Student 1: Querying users about packets is not convenient. I'd much rather a packet be dropped than asked every time the firewall isn't sure.... I mean, you can log it if you want, but don't ask me, I'm busy.

Student 2: I'd agree that establishing the baseline is not convenient, but in the long run, after your basics have been established, it can become much more convenient, as it would only be flagging items for which a rule did not already exist. Another item from the user perspective is that it improves security awareness for the user, letting them know about what types of connections the system is making and demonstrating that the firewall is actively monitoring.

Student 1: At the packet level? Feels more likely that the user would just train themselves to click accept without reading. Similar to the UI tenet of don't prompt to confirm reversible actions. You can retransmit when the FW is updated.

Student 3: While it may seem inappropriate for the environments that you have experience with, remember the goal is to learn strategies for securing a wide range of information systems. For example, the DoD probably runs their firewalls quite a bit differently than a startup company.

Student 1: I hope most all DoD systems are default drop. In my experience, they have been. As for startups, I hope they understand security and also default drop. I'm not saying it's not a strategy. I'm saying confirming packets is ludicrous busy work, and not convenient.

P2_L3 - Firewalls Page 10

Let's discuss typical firewall configuration. First, let's provide some background.

Most standard applications that run on top of TCP follow a client and server model. For example, for the Simple Mail Transfer Protocol, or SMTP, email is transmitted from a client system to a server system. The client system generates new email messages, typically from user input. The server system accepts incoming email messages and places them in the appropriate user mailboxes. SMTP operates by setting up a TCP connection between client and server, in which the TCP server port number, which identifies the SMTP server, is port 25. The TCP port number for the SMTP client is a number between 1,024 and 65,535.

From this example, the port numbers less than 1,024 are so-called well-known port numbers and are assigned permanently to particular applications, such as port 25 for the SMTP server or port 80 for HTTP. The port numbers between 1,024 and 65,535 are generated dynamically and have temporary significance only for the duration of a TCP connection from a client to the server.

Therefore, a packet filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based connections. For the so-called well-known ports below 1,024, there are protocols that use an entire range of ports, and in such a case the entire range must be allowed in order for the protocol to work.

Let's go over an example of packet filtering. This is a simplified example of a rule set for SMTP traffic. The goal is to allow inbound and outbound email traffic, but to block all other traffic. The rules apply top to bottom for each packet. That is, for each packet, the firewall screens it against each rule, one by one, from top to bottom, until there is a match.

So let's explain the intent of each rule. As we can see, each rule here has a rule number, a direction of the traffic, the source and destination IP addresses of the packet, the protocol, the destination port, and the decision, whether it is permit or deny.

P2_L3 - Firewalls Page 11

The first rule is to allow inbound email traffic from an external host; therefore it says the direction is in, meaning inbound. The source IP address is an external IP address, because we are talking about inbound traffic. The destination IP address is an internal IP address. The protocol is TCP, and the destination port is 25, which is for SMTP. Again, this permits inbound email traffic from an external source.

The second rule is intended to allow a response to an inbound SMTP connection. Because in the first rule we allow inbound email traffic, we should allow the outbound response to that email traffic.

The third rule allows outbound email to an external source. That is, we allow outbound traffic to an external email server, i.e. SMTP port 25 on an external destination IP address.

And since we allowed outbound email to an external email server, rule number four allows the inbound response. That is, rule number four is intended to allow an inbound email response.

Rule number five is an explicit statement of the default policy, which is deny. This means that if a packet does not match any of the previous rules, then the packet will be discarded.

There are several problems with this rule set. For example, let's look at rule number four. This rule allows inbound traffic to any destination port above 1023, whereas the original intent is to allow only inbound traffic that is part of an email connection. In other words, it is more permissive than its original intent.

For security purposes, we want to make these rules more specific. Therefore we can add another condition to the rules: a condition on the source port of the packet. For example, for rule number four, our intent is to allow inbound traffic that is part of an email connection; therefore the source port should be 25.

We can make these rules even more precise. For example, because the intent of rule number four is to allow inbound traffic that is part of an established email connection, we will want to check the ACK bit of the packet and make sure that it is set. This is because in TCP, once a connection is set up, the ACK flag in the TCP header is set. So we can check this bit to make sure that the inbound packet is part of an established connection.
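The five-rule SMTP set and the two refinements (first the source-port condition, then the ACK bit) are easiest to see in code. The following is an added example, not the course's or the textbook's own code: it reconstructs the rule table from the description above (rule 2's destination port of >1023 is assumed by symmetry with rule 4, and the refinements are applied to the two response rules, 2 and 4), evaluates packets top to bottom with first-match semantics, and shows why the unrefined rule 4 admits an arbitrary inbound connection while the refined rules do not. The internal prefix 10.0.0. and every sample packet are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not the course's code). Rule table transcribed from the
# lecture's description of the SMTP rule set; the internal address prefix and
# the packets below are constructed test data.
INTERNAL_NET = "10.0.0."   # assumption: internal hosts live in this prefix
ANY = "any"


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (external -> internal) or "out"
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp", "icmp"
    src_port: int
    dst_port: int
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str                   # "in", "out", or "either"
    src: str                         # "internal", "external", or "any"
    dst: str
    proto: str
    dst_port: str                    # "25", ">1023", or "any"
    action: str                      # "permit" or "deny"
    src_port: Optional[str] = None   # refinement 1: source-port condition
    ack_set: Optional[bool] = None   # refinement 2: ACK bit must be set


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def _side_matches(side: str, ip: str) -> bool:
    if side == ANY:
        return True
    return is_internal(ip) if side == "internal" else not is_internal(ip)


def _port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None or spec == ANY:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("either", pkt.direction)
            and _side_matches(rule.src, pkt.src_ip)
            and _side_matches(rule.dst, pkt.dst_ip)
            and rule.proto in (ANY, pkt.proto)
            and _port_matches(rule.dst_port, pkt.dst_port)
            and _port_matches(rule.src_port, pkt.src_port)
            and (rule.ack_set is None or rule.ack_set == pkt.ack))


def filter_packet(rules, pkt: Packet, default: str = "deny"):
    """First-match evaluation, top to bottom. Returns (action, rule number);
    the explicit last rule normally fires before the default is needed."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return default, None


# Rule set as described in the lecture (rule 2's ">1023" is assumed).
ORIGINAL_RULES = [
    Rule(1, "in", "external", "internal", "tcp", "25", "permit"),
    Rule(2, "out", "internal", "external", "tcp", ">1023", "permit"),
    Rule(3, "out", "internal", "external", "tcp", "25", "permit"),
    Rule(4, "in", "external", "internal", "tcp", ">1023", "permit"),
    Rule(5, "either", ANY, ANY, ANY, ANY, "deny"),
]

# Same set with the response rules tightened: source port 25 and ACK set.
REFINED_RULES = [
    Rule(1, "in", "external", "internal", "tcp", "25", "permit"),
    Rule(2, "out", "internal", "external", "tcp", ">1023", "permit", src_port="25", ack_set=True),
    Rule(3, "out", "internal", "external", "tcp", "25", "permit"),
    Rule(4, "in", "external", "internal", "tcp", ">1023", "permit", src_port="25", ack_set=True),
    Rule(5, "either", ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    # An inbound connection attempt to a high port: rule 4 as written lets it in.
    probe = Packet("in", "203.0.113.5", "10.0.0.7", "tcp", 40000, 8080)
    print("original:", filter_packet(ORIGINAL_RULES, probe))   # ('permit', 4)
    print("refined: ", filter_packet(REFINED_RULES, probe))    # ('deny', 5)
    # A genuine reply from a remote mail server still passes the refined rule 4.
    reply = Packet("in", "203.0.113.5", "10.0.0.9", "tcp", 25, 45000, ack=True)
    print("reply:   ", filter_packet(REFINED_RULES, reply))    # ('permit', 4)
```

Note that the source-port condition alone is not enough: a packet can carry any source port, so an inbound segment with source port 25 but without ACK would still satisfy a rule that checks only the port, which is exactly why the lecture adds the ACK check as the second refinement.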

P2_L3 - Firewalls Page 12

The main advantage of packet filtering is simplicity. That is, it is very easy to implement packet filtering rules. Packet filtering is also very efficient, therefore it imposes minimal overhead. That is, users typically would not notice any performance slowdown. In addition, these rules are typically very general, because they apply to all packets, meaning that they are not specific to any application or user, and therefore packet filtering is very transparent to the user experience.

However, packet filtering also has weaknesses.

Since packet filtering firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filtering firewall cannot block specific application commands or contents, because if the firewall allows a given application, then all functions, all commands, and all contents within that application must be permitted. For example, once web traffic is allowed, the firewall cannot block certain offensive page contents.

The logging capability of a packet filtering firewall is also limited. Again, this is because a packet filtering firewall does not examine upper-layer data. For example, the packet filtering firewall may allow FTP traffic but cannot log the actual FTP data, such as which files are being transmitted.

And, since a packet filtering firewall makes decisions on a per-packet basis, it cannot prevent attacks that span multiple packets. That is, it cannot see attacks that require multiple packets of a connection.

Finally, as our example shows, packet filtering firewalls tend to have rules with a small number of variables or conditions. That is, these rules may not be specific enough, and attacks can bypass the firewall.

P2_L3 - Firewalls Page 13

Let's discuss some attacks on packet filtering firewalls and the appropriate countermeasures.

The first attack is source IP address spoofing. Here the attacker transmits packets from an outside host, but with a source IP address field containing the address of an internal host. That is, the attacker spoofs the packet's source IP address as if it were from an internal host. The attacker hopes that the use of a spoofed internal source IP address will cause the firewall to let the packet pass, since the firewall is typically configured to let traffic from one internal host to another pass through.

The countermeasure is to discard packets with an inside source IP address if the packet arrives on an external interface. In fact, this kind of measure is often implemented at the router, external to the firewall. That is, when the router receives a packet from the Internet, it checks whether the source IP address is plausible. If the source IP address is an internal IP address, the router should know that this IP address is spoofed, because the router just received this packet from the Internet, meaning from an external host.

A related attack is the source routing attack. Here, the attacker specifies the route the packet should take as it crosses the Internet, hoping that this will bypass security measures and checks along the way. A countermeasure is for the firewall or the router to discard all packets that use this option.

Another attack is the tiny fragment attack. Here, the attacker uses the IP fragmentation option to create extremely small fragments and forces the TCP header information into separate packet fragments. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision based on the first fragment of a packet. The attacker here hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through.

This attack can be defeated by enforcing that the first fragment of a packet must contain a predefined minimum amount of transport header information. If the first fragment is rejected, then all the subsequent fragments should also be rejected.

P2_L3 - Firewalls Page 14

Let's do a quiz. This quiz is on the rules on IP fragmentation. You can imagine that we can implement these rules in a packet filtering firewall to check for valid IP fragments. Here, please mark all answers that are true:

1. Each fragment must not share a common fragment identification number.
2. Each fragment must say what its place, or offset, is in the original unfragmented packet.
3. Each fragment must tell the length of the data carried in the fragment.
4. The fragment does not need to know whether more fragments follow this one.

Please mark all answers that are true.

Instructor Notes - Analysis of Fragmentation Attacks

First, each fragment must not share a common fragment identification number. This is false, because each fragment of the same IP packet must share the same identification number.

Second, each fragment must say what its place, or offset, is in the original unfragmented packet. This is true, because otherwise we cannot correctly reassemble the fragments into the original IP packet.

Third, each fragment must tell the length of the data carried in the fragment. This is true. Again, this is needed for the correct reassembly of the fragments into the original packet.

Fourth, the fragment does not need to know whether more fragments follow this one. This is false, because each fragment must indicate whether there are more fragments to follow. Again, this information is necessary for correct reassembly of the fragments.
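The three countermeasures on the previous page (discard internal source addresses arriving on the external interface, discard source-routed packets, and require a minimum amount of transport header in the first fragment, rejecting the rest of a packet whose first fragment was rejected) all operate on the IPv4 header fields this quiz is about: identification, fragment offset, and the more-fragments flag. The following is an added example, not the course's own code. It parses a raw IPv4 header with the standard library and applies the checks to packets built inline; the internal network 10.0.0.0/8, the interface names "ext"/"int", and the 16-byte minimum for transport-header bytes in a first fragment (enough to cover the TCP flags field) are assumptions of the example, and all packets are constructed.

```python
import ipaddress
import struct

# Added example (not the course's code). Assumptions: internal network is
# 10.0.0.0/8, the external-facing interface is named "ext", and a first
# fragment of a TCP packet must carry at least 16 bytes of transport header.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TCP = 6
MIN_TRANSPORT_BYTES = 16
IP_OPT_LSRR, IP_OPT_SSRR = 0x83, 0x89   # loose / strict source route option kinds
IPV4_FMT = "!BBHHHBBH4s4s"              # the fixed 20-byte IPv4 header


def parse_ipv4(raw: bytes) -> dict:
    """Decode the header fields a filter needs: addresses, protocol, the
    fragment identification / offset / more-fragments flag, options, and
    how many bytes follow the IP header (the transport header + data)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "id": ident,                                  # shared by all fragments
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
        "frag_offset": flags_frag & 0x1FFF,           # position, in 8-byte units
        "options": raw[20:ihl],
        "payload_len": len(raw) - ihl,                # length of data carried
    }


def has_source_route(options: bytes) -> bool:
    """Walk the options list; True if a loose or strict source route is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            return False
        if kind == 1:            # NOP is a single byte
            i += 1
            continue
        if kind in (IP_OPT_LSRR, IP_OPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option length")
        i += options[i + 1]
    return False


def ingress_check(raw: bytes, iface: str, rejected_ids=None):
    """Apply the lecture's countermeasures to one packet arriving on `iface`.
    `rejected_ids` remembers (src, dst, proto, id) of packets whose first
    fragment was dropped so that their later fragments are dropped too."""
    rejected_ids = set() if rejected_ids is None else rejected_ids
    try:
        hdr = parse_ipv4(raw)
        source_routed = has_source_route(hdr["options"])
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    # 1. Anti-spoofing: an internal source cannot legitimately arrive from outside.
    if iface == "ext" and hdr["src"] in INTERNAL_NET:
        return "drop", "internal source address on external interface"
    # 2. Source routing: discard anything carrying the option.
    if source_routed:
        return "drop", "source-routed packet"
    # 3. Tiny fragments: first fragment must hold enough transport header to
    #    filter on; later fragments of a rejected packet are rejected as well.
    key = (hdr["src"], hdr["dst"], hdr["proto"], hdr["id"])
    if hdr["frag_offset"] == 0:
        if hdr["proto"] == TCP and hdr["payload_len"] < MIN_TRANSPORT_BYTES:
            rejected_ids.add(key)
            return "drop", "first fragment too small to carry the TCP header"
    elif key in rejected_ids:
        return "drop", "later fragment of a rejected packet"
    return "accept", "passed ingress checks"


def build_ipv4(src, dst, proto, ident, offset, more, payload, options=b""):
    """Assemble a raw IPv4 packet (constructed test input, checksum left zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload


if __name__ == "__main__":
    seen = set()
    first = build_ipv4("203.0.113.5", "10.0.0.25", TCP, 42, 0, True, b"\x00" * 8)
    rest = build_ipv4("203.0.113.5", "10.0.0.25", TCP, 42, 1, False, b"\x00" * 8)
    print(ingress_check(first, "ext", seen))   # ('drop', 'first fragment too small ...')
    print(ingress_check(rest, "ext", seen))    # ('drop', 'later fragment of a rejected packet')
```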

P2_L3 - Firewalls Page 15

Now, let's discuss the stateful inspection firewall. This is different from the packet filtering firewall.

In a stateful inspection firewall, a packet is analyzed and a decision is made based on the context of other related packets. Typically, this means the connection this packet belongs to. Therefore, we need to record and maintain information about connections, and then decisions are made on each packet based on the current state of the connection and the context of the packet within this connection.

More specifically, as a packet arrives at the firewall, the firewall updates the information about the connection accordingly and then decides whether the packet is allowed in the context of the connection. For example, for an inbound packet that is part of an established email connection, the firewall can check that the inbound packet is a response to a previous outbound packet.

In addition, the firewall can reassemble multiple packets of the connection and inspect the connection data, such as the exact FTP commands or which file FTP is transmitting. Or the firewall can actually look into the page contents received from a web server.

Here's an example of a connection table. As we can see, each record contains the most basic information about a connection: in particular, the source IP address, source port, destination IP address, destination port, and, most importantly, the current connection state, for example whether it is established or not.

Internally to the firewall, there could be another data structure that is linked to the connection table. For example, for web traffic, since a page can span multiple packets, this internal data structure of the firewall can maintain the contents of a page that it has received so far. That is, this data structure, which is linked to the connection table, will allow the firewall to perform more specific analysis of the connection.
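A connection table of the kind just described, with the TCP state kept per record, is what lets the firewall judge an inbound packet by context rather than by its header alone. The following is an added example, not the course's own code: a minimal stateful inspector that tracks the three-way handshake and teardown per 4-tuple and admits inbound segments only when a record exists for them. It assumes internal hosts are in 10.0.0.0/8, that internal hosts may open any outbound TCP connection, and that external hosts may open inbound connections only to port 25; the segments used are constructed.

```python
from dataclasses import dataclass

# Added example (not the course's code). Assumptions: internal hosts are in
# 10.0.0.0/8, outbound connections are allowed freely, inbound connections
# only to port 25 (the mail server). The final ACK after the second FIN is
# not tracked, a deliberate simplification.
INTERNAL_PREFIX = "10."
ALLOWED_INBOUND_PORTS = {25}


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    """Connection table: (initiator ip, port, responder ip, port) -> state.
    Every segment is judged against the record it belongs to."""

    def __init__(self):
        self.table = {}

    def _lookup(self, seg: Segment):
        fwd = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        rev = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if fwd in self.table:
            return fwd, True       # initiator -> responder
        if rev in self.table:
            return rev, False      # responder -> initiator (a response)
        return fwd, True

    def state_of(self, seg: Segment):
        key, _ = self._lookup(seg)
        return self.table.get(key)

    def inspect(self, seg: Segment) -> str:
        key, from_initiator = self._lookup(seg)
        state = self.table.get(key)

        if state is None:
            # Only a bare SYN may create a record; policy decides who may initiate.
            # Anything else with no record (e.g. a stray ACK) has no context: drop.
            if not (seg.syn and not seg.ack):
                return "drop"
            if is_internal(seg.src_ip) or seg.dst_port in ALLOWED_INBOUND_PORTS:
                self.table[key] = "SYN_SENT"
                return "accept"
            return "drop"

        if seg.rst:                # either side aborts; forget the record
            del self.table[key]
            return "accept"

        if state == "SYN_SENT":
            if from_initiator and seg.syn and not seg.ack:
                return "accept"    # retransmitted SYN
            if not from_initiator and seg.syn and seg.ack:
                self.table[key] = "SYN_RECEIVED"
                return "accept"
            return "drop"

        if state == "SYN_RECEIVED":
            if from_initiator and seg.ack and not seg.syn:
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "drop"

        # ESTABLISHED or CLOSING: data and teardown segments must carry ACK.
        if not seg.ack:
            return "drop"
        if seg.fin:
            if state == "CLOSING":
                del self.table[key]    # second FIN: connection finished
            else:
                self.table[key] = "CLOSING"
        return "accept"
```

The last case in the test below is the one the refined packet filter on page 11 could not settle: an inbound segment with source port 25 and the ACK bit set is dropped here, because no record shows an internal host ever opened that connection.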

P2_L3 - Firewalls Page 16

GaTech OMSCS – CS 6035: Introduction to Information Security

The packet filtering and stateful inspection firewalls are the two main, or more traditional, types of firewalls. There are other, more modern firewalls. In particular, an application-level gateway, sometimes called an application proxy, is an application-specific firewall.

It essentially acts as a relay of application-level traffic, or a man (or system) in the middle. That is, to the external server, this gateway acts as the client, and to the internal client, this gateway acts as the external server. For example, many organizations have a web proxy, and that is an application-level gateway.

Let's discuss a typical workflow of an application-level gateway.

1. First, the user contacts the gateway using an application such as FTP or the browser.

2. The gateway then asks for information such as the name of the remote server, the user login information, and so on.

3. The user then provides the valid authentication information to the gateway.

4. The gateway then contacts the external server and provides the valid user authentication information. In other words, the gateway acts as the user to the external server.

5. When the external server sends back a response, the gateway is going to analyze it, and if the traffic is allowed, it's going to forward it to the user. But in order for the gateway to be able to correctly analyze the server response, the gateway must implement the correct application logic. For example, if this is a web proxy, it must be able to process web traffic just like a browser.


As we can see, if we want to use application-level firewalls, we must implement proxy code for each application that we want to protect. The advantage is that we can then restrict certain application features. For example, a web proxy can prevent active scripts in web pages. This can be accomplished by the proxy removing the scripts in the pages returned by the remote server, and therefore application-level gateways tend to be more secure.

On the other hand, an application-level gateway does incur additional overhead. This is easy to see, because each connection from the user to the external server is actually spliced into two connections: one from the user to the gateway, and the other from the gateway to the external server. And the gateway must examine and forward all traffic in both directions.
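The gateway workflow (steps 2 to 5) and the script-removing web proxy described above, as an added example that is not the lecture's or any product's code: the gateway authenticates the user, fetches the page on the user's behalf, and forwards only a copy with script elements, `on*` handlers and `javascript:` URLs removed. The users, the "remote servers" and the page are constructed in-memory stand-ins for real network connections.

```python
# Added example (not from the lecture): a toy application-level gateway for web
# traffic. It implements the application logic a web proxy needs (HTML parsing)
# so it can strip active scripts. Users, servers and the page are constructed.
from html import escape
from html.parser import HTMLParser

USERS = {"alice": "correct horse"}                    # constructed credentials
REMOTE_SERVERS = {                                    # constructed stand-in for the Internet
    "www.example.com": ('<html><head><script>alert(1)</script></head>'
                        '<body onload="steal()"><p>Hi &amp; bye</p>'
                        '<a href="javascript:bad()" id="x">link</a></body></html>'),
}

class ScriptStripper(HTMLParser):
    """Re-emits HTML without <script> elements, on* handlers or javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True        # swallow the element and its body
            return
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")
                and not (v or "").strip().lower().startswith("javascript:")]
        attr_text = "".join(f' {k}="{escape(v)}"' if v is not None else f" {k}" for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))   # re-escape text we pass through

def gateway_request(user, password, server_name):
    """Steps 2-5: authenticate the user, contact the remote server as the client,
    analyze the response and forward only the filtered page as (status, body)."""
    if USERS.get(user) != password:
        return 403, "gateway: authentication failed"
    page = REMOTE_SERVERS.get(server_name)            # gateway acts as the client here
    if page is None:
        return 502, "gateway: unknown remote server"
    stripper = ScriptStripper()
    stripper.feed(page)
    stripper.close()
    return 200, "".join(stripper.out)
```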

To review the different firewall types, let's do a quiz. Here, please mark each statement as either T for true or F for false. The first statement: a packet filtering firewall is typically configured to filter packets going in both directions. The second statement: a prime disadvantage of an application-level gateway is the additional processing overhead on each connection. The third statement: a packet filtering firewall can decide if the current packet is allowed based on another packet that it has just examined. The fourth statement: a stateful inspection firewall needs to keep track of information of an active connection in order to decide the current packet. Please mark each statement as either T for true or F for false.


Now let's discuss firewall deployment strategy. That is, where in the network do we put a firewall?

Typically, we put an application-level gateway, such as a web proxy, on a dedicated machine, and we call these machines bastion hosts. These machines are made to be very secure. Here are some measures that we can take to make a bastion host very secure:

First, these machines execute a secure version of the operating system.

In addition, only the services that the admin considers essential are installed on the host. For example, a bastion host may only allow DNS and web traffic.

A bastion host can also require that, even for traffic coming from an internal host, the user must authenticate himself to the bastion host.

Each proxy running on the bastion host is configured to allow access only to specific host systems in the internal network. This is important because we don't want a compromised proxy to lead to attacks on the entire internal network.

Each proxy module is a very small software package, designed with security in mind. That is, we want each proxy to be as small and simple a program as possible so that we can check it for security. For example, a typical Unix email application may contain over a couple hundred thousand lines of code, while an email proxy may contain fewer than one thousand lines of code.

A proxy typically performs no disk access other than reading its initial configuration file. This makes it difficult for an attacker to install a Trojan horse on the bastion host and affect the proxy.

Proxies are typically non-privileged and they're isolated from each other. The security benefit is that if a proxy is compromised by an attack, it cannot easily compromise the entire bastion host or affect other proxies.


Firewalls are typically deployed at network perimeters. But in addition to network firewalls, there are also host-based firewalls.

A host-based firewall is a software module used to secure an individual host, that is, to enforce the host-specific security policy. Similar to a network firewall, a host-based firewall can filter and restrict traffic to and from the host. Typically, a host-based firewall is installed on an internal, important server.

There are several advantages of deploying host-based firewalls. For example, server-specific security policies can be implemented with different filters for servers used for different applications.

Since the firewall is not at the network perimeter, both internal and external attacks can be stopped by the host-based firewall. That is, while an attack coming from the internal network is missed by the firewall at the network perimeter, it can be stopped by the host-based firewall.

We typically deploy host-based firewalls in addition to network firewalls; therefore, host-based firewalls provide an additional layer of protection.

A personal firewall is similar to a host-based firewall. It controls traffic between a personal computer and the rest of the network.


Personal firewalls are also often deployed at home routers to protect home networks. These firewalls tend to be simpler because home networks are less complex than enterprise networks.

Similar to firewalls at corporate networks, the main function of personal firewalls is to track traffic in both directions. For example, the personal firewall on the home router can stop attacks from reaching the internal home computers.

It can also monitor outgoing traffic. For example, it can detect a connection to an external server that is known for performing botnet command and control, and it can block such a connection. Therefore, even when a home computer has been compromised, it cannot participate in botnet activities.

As an example, these services are typically not allowed, but a personal firewall can selectively enable any of these services.

In addition to disabling and enabling certain services, personal firewalls can also provide advanced features. For example, a personal firewall can be configured to hide the system from the Internet. This is accomplished by the firewall dropping unsolicited packets from the Internet.

The firewall can also drop all UDP packets or ICMP packets and only allow TCP packets to certain ports. A personal firewall can also support logging, for example recording all unwanted traffic and activities.

It can also allow the user to specify that only certain applications may accept connections from the Internet. For example, the user can specify that only the applications signed by public keys issued by a valid certificate authority can connect to the Internet.


Let's do a quiz. Suppose that a company already has a conventional network firewall in place. Which of the following situations would require an additional personal firewall? The first one: an employee uses a laptop on the company network and at home. The second one: an employee uses a desktop on the company network to access websites worldwide. The third case: a remote employee uses a desktop to create a VPN on the company's secure network. The last one: none of the above. Which of the following situations would require an additional personal firewall?

The first one: an employee uses a laptop on the company network and at home. In this case a personal firewall is required, because when the employee takes the laptop to his home it needs protection. That is, when the laptop is at home it is not protected by the conventional network firewall at the company, so it requires a personal firewall. The second one: an employee uses a desktop on the company network to access websites worldwide. In this case, it does not require a personal firewall, because the desktop is within the company's network. The third case: a remote employee uses a desktop to create a VPN on the company's secure network. In this case, a personal firewall is required. In fact, a personal firewall on a desktop is typically used to create a VPN, so that the remote desktop can access the company's secure network. And obviously, this last statement is false.


Let's look at how firewalls should be deployed to protect a network. Here's a figure that illustrates a common firewall configuration that includes an additional network between the external and internal firewalls.

An external firewall is placed at the edge of the local area network, just inside the boundary router. The boundary router connects the complete network to the Internet. One or more internal firewalls protect the bulk of the enterprise network.

Between the external firewall and the internal firewall is typically the DMZ. Systems that are externally accessible but need some protection are usually located in the DMZ. These systems require or foster external connectivity, such as the public-facing corporate web server, an email server, and a DNS server.

The external firewall provides some basic or first-line defense, but allows access to these public-facing systems.

The internal firewall provides additional protection. In particular, it filters traffic from the DMZ to the internal trusted network.

Compared with the external firewall, an internal firewall performs more stringent filtering. This is because the internal network requires more protection than the public-facing systems in the DMZ. The internal firewall protects the remainder of the enterprise network from attacks launched from the DMZ. For example, if the public-facing web server in the DMZ is compromised, the internal firewall is there to stop attacks from that compromised web server. In addition, the internal firewall also controls access to the DMZ from the internal network. For example, only authorized traffic from the internal network can reach the DMZ to change the settings of a public-facing web server; for instance, such activities must come from a sys admin's workstation.

In addition, multiple internal firewalls can be used to protect different parts of the internal network from each other. That is, even if one part of the internal network has been compromised, the other parts are still protected by their own internal firewalls.
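The two-firewall DMZ layout above expressed as a small policy model, added here as an example that is not part of the lecture: a flow is accepted only if every firewall on its path allows it, the external firewall admits the public services into the DMZ, and the stricter internal firewall has no rule letting a DMZ host reach the internal network while only the sys admin workstation may administer DMZ hosts. Zones, addresses, the admin workstation and the rule sets are all constructed; the rules describe which side may open a connection, leaving reply traffic to state tracking.

```python
# Added example (not from the lecture): a toy model of the external/internal
# firewall pair with a DMZ between them. All addresses and rules are constructed.
ZONES = {"198.51.100.10": "internet", "192.0.2.80": "dmz", "192.0.2.25": "dmz",
         "192.0.2.53": "dmz", "10.0.0.50": "internal", "10.0.0.9": "internal"}
ADMIN_WS = "10.0.0.9"                          # constructed: sys admin workstation

# Rule: (src, dst, proto, port, verdict). src/dst are zone names or a single IP;
# "*" matches any protocol or port. First match wins; no match means deny.
EXTERNAL_FW = [                                # first-line defense: only public services
    ("internet", "dmz", "tcp", 80, "allow"), ("internet", "dmz", "tcp", 443, "allow"),
    ("internet", "dmz", "tcp", 25, "allow"), ("internet", "dmz", "udp", 53, "allow"),
    ("dmz", "internet", "*", "*", "allow"), ("internal", "internet", "*", "*", "allow"),
]
INTERNAL_FW = [                                # stricter: no rule lets dmz -> internal through
    (ADMIN_WS, "dmz", "tcp", 22, "allow"),     # only the admin box administers DMZ hosts
    ("internal", "dmz", "tcp", 80, "allow"),   # staff may read the public web site
    ("internal", "internet", "*", "*", "allow"),
]

def verdict(rules, src_ip, dst_ip, proto, port):
    """First matching rule decides; an unmatched flow is denied."""
    sz, dz = ZONES[src_ip], ZONES[dst_ip]
    for rs, rd, rp, rport, v in rules:
        if rs in (sz, src_ip) and rd in (dz, dst_ip) and rp in ("*", proto) and rport in ("*", port):
            return v
    return "deny"

def firewalls_on_path(src_ip, dst_ip):
    """External firewall guards the Internet edge, internal firewall the internal network."""
    zones = {ZONES[src_ip], ZONES[dst_ip]}
    if len(zones) == 1:
        return []                              # same zone: no firewall is crossed
    return [fw for edge, fw in (("internet", EXTERNAL_FW), ("internal", INTERNAL_FW)) if edge in zones]

def flow_allowed(src_ip, dst_ip, proto, port):
    """A flow passes only if every firewall between the two zones allows it."""
    return all(verdict(fw, src_ip, dst_ip, proto, port) == "allow"
               for fw in firewalls_on_path(src_ip, dst_ip))
```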


A distributed firewall configuration typically includes standalone network firewalls, host-based firewalls, and personal firewalls. That is, the standalone network firewalls protect the internal network from attacks from the Internet. In addition, host-based firewalls are placed at workstations and servers. These host-based firewalls protect against internal attacks and provide protection tailored to specific machines and server applications. For example, with host-based firewalls providing server-specific protection, we can have one public-facing, external web server and an internal-facing web server. In addition, personal firewalls can be used to protect personal computers, regardless of where they are in the network.

An important issue here is the need to coordinate the multiple firewalls for security monitoring. This typically involves aggregating the logs from multiple firewalls and performing correlation analysis. For example, if multiple host-based firewalls see the same attack, this may suggest that there's a worm spreading inside the internal network.
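The log correlation just described, as an added example that is not part of the lecture: drop records from several host-based firewalls are aggregated, and an internal source whose probes to the same port were blocked by several different hosts within a short window is flagged as a likely worm spreading inside. The log format, the hosts and the addresses are constructed for this example.

```python
# Added example (not from the lecture): correlating drop logs from several
# host-based firewalls. Lines are constructed in a "time host action src dst port"
# format; the heuristic flags one internal source blocked by many hosts on one port.
from collections import defaultdict
from datetime import datetime, timedelta

LOGS = """\
2024-05-01T10:00:01 ws-01 DROP 10.0.0.23 10.0.0.11 445
2024-05-01T10:00:02 ws-02 DROP 10.0.0.23 10.0.0.12 445
2024-05-01T10:00:02 srv-db DROP 203.0.113.5 10.0.0.40 22
2024-05-01T10:00:03 ws-03 DROP 10.0.0.23 10.0.0.13 445
2024-05-01T10:00:04 ws-04 DROP 10.0.0.23 10.0.0.14 445
2024-05-01T10:30:00 ws-09 DROP 10.0.0.77 10.0.0.19 445
""".splitlines()

def parse(line):
    ts, host, action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), host, action, src, dst, int(port)

def find_internal_scans(lines, min_hosts=3, window=timedelta(minutes=5), internal_prefix="10.0.0."):
    """Return {(src, port): sorted reporting hosts} for internal sources whose blocked
    probes were seen by at least min_hosts distinct host firewalls within `window`."""
    events = defaultdict(list)           # (src, port) -> [(time, reporting host)]
    for line in lines:
        ts, host, action, src, dst, port = parse(line)
        if action == "DROP" and src.startswith(internal_prefix):
            events[(src, port)].append((ts, host))
    alerts = {}
    for key, seen in events.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):  # slide a window over the sorted events
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts
```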

Let's do a quiz on firewall deployment. The question is: typically, the systems in which of the following will require or foster external connectivity, such as a corporate web site, an email server, or a DNS server? Are these systems in a DMZ, IP protocol field, boundary firewall, or VPN?

The answer is DMZ. We typically put these public-facing servers in a DMZ, but also protect the internal network from these servers.


Here's another quiz on firewall deployment. Which of the following configurations involves a stand-alone network firewall plus host-based firewalls working together? Is it packet filtering firewall, distributed firewall, boundary firewall, or VPN?

The answer is distributed firewall. Typically, a distributed firewall includes a stand-alone network firewall, host-based firewalls, plus personal firewalls.

We can now summarize the spectrum of firewall locations and topologies. The first are the host-based firewalls, which also include personal firewalls. These can be placed on servers or personal computers.

We can place a network firewall on a router to protect the internal network from the external network. Or a network firewall can also be placed on a dedicated device, such as a bastion host. A bastion host can also have a third interface to the DMZ.

We can also have an external firewall on a bastion host and a separate internal firewall on a different bastion host. We can then put the DMZ in between these two firewalls. Or, the external firewall bastion host can have a third interface to the DMZ.

We can also use a distributed firewall configuration that includes network firewalls and host-based firewalls.


Firewalls prevent intrusion by way of traffic filtering. The filtering techniques include packet filtering, session filtering, and application-level gateways. Firewalls can be deployed at the network perimeter, end hosts, and servers, and they can be used to create a DMZ.