TRANSCRIPT
P2_L3 - Firewalls Page 1
GaTech OMSCS – CS 6035: Introduction to Information Security
Reference: Computer Security by Stallings and Brown, Chapter 9
Firewalls are part of the network defense-in-
depth mechanisms. They filter out malicious
packets, so that they can prevent intrusions
into a network. In this lesson, we're going to
cover the firewall filtering techniques, as
well as deployment strategies.
When it comes to defense against attacks, the most important principle is to employ defense-in-depth. In other words, we should deploy multiple layers of defense mechanisms. The first line is a prevention mechanism that stops attacks from getting into our networks and systems. Inevitably though, some attacks can defeat the prevention mechanisms. That is, there are holes or weaknesses
in the prevention mechanisms that allow some attacks to get through. For example, an attack can be JavaScript that is only triggered at a specified time in the future, and so it will be hard for the prevention system to stop this attack now because it does not know or see the attack behavior yet. The second line of defense is detection and response mechanisms that watch activities on our systems and networks to detect attacks and repair the damage. Again, there will be attacks that go undetected, at least for a while. For example, attacks that blend in with normal activities, such as APT malware that is a malicious browser plugin, would be hard to detect initially, not until its effects, such as data loss due to stolen credentials, manifest sometime later. The third line of defense is attack-resilient technologies. These enable the core elements or the most valuable systems on the network to survive attacks and continue to function. For example, a server is actually a collection of diversified systems, each with a different implementation, so that at least one of them will not be susceptible to the attack, because an attack typically exploits specific vulnerabilities that only exist in some, but not all, implementations. To summarize, we need to deploy defense-in-depth mechanisms, or multiple layers of security mechanisms, to protect our networks.
A firewall is a widely deployed
prevention technology. To motivate
the need for firewalls, let's look at a
typical enterprise network at a high
level.
An enterprise network is part of the
Internet. It typically has an internal
or trusted part, which only the
company's employees can access.
For example, if this is a bank, the
trusted part of the enterprise
network has the internal email servers and systems that process financial transactions. And only the
authorized staff can access such systems.
The enterprise network can also have a public-facing part. For example, the bank has a web server for
its customers to log in, or for the public to just learn about the bank. These public-facing services are in
the so-called demilitarized zone, or DMZ, which, while it is part of the enterprise network, is separated
from the trusted network. For example, while customers can interact with the web service in the DMZ to
log in and submit transaction requests, they cannot directly access the servers in the trusted network
that are authorizing and processing the transactions.
When a company has multiple physical sites, for example a bank can have different branches in several
cities, then each site can have its own local and trusted network, but the sites need to communicate
with each other. For example, employees in one city or one branch, these are the trusted users, need to
access the corporate network at the headquarters in another city. And such access or traffic is from
across the Internet, which is not trusted.
How do we get traffic to its destination correctly across the Internet? We need routers. Each local or
enterprise network has at least one router at its perimeter. And there are core routers on the Internet
backbone. Together, these routers transport packets from one local area network, to the Internet
backbone, and on to the destination local area network and to the specific host on that network.
The routers can send traffic to the correct destination on the Internet, but as we have discussed,
whether the network should allow such traffic depends on security considerations. For example, traffic
from another trusted network such as a branch office should be allowed into the trusted network of the
headquarters. Another example: traffic from an untrusted network should only be allowed to the web
service in the DMZ, and access from the DMZ to the trusted network is again restricted.
In short, we need a device that can enforce these different security restrictions on traffic. A firewall is
such a device. More precisely, a firewall is a device that provides secure connectivity between networks,
for example between an internal trusted network and an external untrusted network. It is used to
implement and enforce a security policy for communication between the networks.
Instructor Notes: Firewalls
Although, virtually, all companies
have firewalls in place, the number
of security breaches continues to
increase. The reason for this is that
a firewall is not all things to all
malware. There are some security
breaches that cannot be stopped by
a firewall. Let's do a quiz on
firewalls. Look at this list of items,
and check all those items that a
firewall can stop. The first one, hackers breaking into your system. The second one, Internet traffic that
appears to be from a legitimate source. The third one, viruses and worms that spread through the
Internet. The fourth one, spyware being put on your system. The fifth one, viruses and worms that are
spread through email. Check all those items that a firewall can stop.
Attacks can be considered a result
of violations of security policies;
therefore, as a prevention
mechanism, a firewall should be
designed to enforce security policies.
So what is a policy? At a high level, a
security policy specifies what's
allowed, and whatever is not
specified is by default not allowed. In
other words, what is allowed means
what is good or acceptable to the organization. Obviously, policy is organization specific, and we will
come back to this point later.
So, specific to firewalls, a firewall is designed to enforce security policies on network traffic. That is, all
traffic, inbound and outbound, meaning from the internal network to the Internet or vice versa, must pass
through the firewall. And the firewall will enforce policy on the traffic. In other words, only traffic
authorized by the security policies is allowed to pass through the firewall.
In addition to correctly enforcing the security policies, a firewall also must be dependable. This means that
the firewall must not be easy to crash or disable by an attack. The reason is obvious: if the
firewall is disabled by an attack, then all subsequent attacks can get into our network.
A critical component in the planning
and implementation of a firewall is
specifying a suitable access policy. So
what does the policy say?
Simply put, the network access policy
specifies what types of traffic can pass
through the firewall. The types of
traffic are typically defined by the
address ranges, meaning which
machines are involved, the protocols, the
applications and the contents. We will give some examples of access policy later.
How do we decide on the policies? A
policy should be developed through
the security and risk assessment on
the organization. The topic of risk
assessment is discussed in another
lecture.
Essentially, this risk assessment and
policy exercise will tell us what types
of traffic the organization must
support, what security risks are
associated with this traffic, and therefore how the firewall should be implemented to mitigate such
risks.
Firewalls have limitations. That is,
there are situations where a
firewall provides no protection. If
traffic does not pass through a
firewall, then a firewall cannot
examine said traffic and provide
protection.
For example, if traffic is routed
around the firewall, meaning that
the traffic does not pass through
the firewall, then there is no
protection. Or for traffic that's internal to the network, meaning that the traffic does not go across the
boundary between internal and external networks, there's no protection by the firewall that sits
between internal and external networks. And if the firewall is misconfigured, then even for traffic that
passes through, the firewall cannot examine it correctly.
Firewalls also provide additional
features.
Firewalls can log all traffic that
passes through. And the log can be
analyzed later to learn about the
traffic such as the traffic volume to a
specific part of the network.
Firewalls can also provide network
address translation. This is useful
when multiple machines in the
internal network have to share one IP address toward the external networks on the Internet. The firewall
translates the source IP address of an internal host to this shared IPv4 address for outbound
traffic. And for inbound traffic, the firewall translates the destination IP address to the IP address of an
internal host. Firewalls can also provide encryption services. For example, when traffic goes out from one
internal trusted network to another trusted network across the Internet, the firewall can automatically
encrypt the traffic so that the untrusted networks on the Internet cannot learn the contents of such
traffic.
Let's do a quiz on firewall features.
First, can malware disable a software
firewall? Can malware disable a
hardware firewall? Likewise, can
malware disable an antivirus checker?
Second, can a firewall stop pings,
packet sniffing, or outbound network
traffic?
The main mechanism in firewalls is
traffic filtering.
Firewall filtering means that the
traffic gets to the firewall and the
firewall will decide whether to let
the traffic through or not.
In other words, each packet is
stopped at the firewall and is
checked against security policy. And
then the firewall will decide
whether to allow the packet or
discard the packet. And both the inbound and outbound traffic is filtered or checked by the security
policy of the firewall.
There are two main types of
filtering.
The first type is per-packet
filtering. Essentially, the firewall
policy is a set of access control lists
based on the packet types.
The second type of filtering is
per-session. In this type of
filtering, a packet is examined based
on its context within a session. In
order to do so, the firewall maintains information about a session or connection, and performs so-
called stateful inspection.
In a packet filtering firewall,
decisions are made on a per-packet
basis meaning that decisions are
made based exclusively on the
current packet, and not on any
other packet.
Therefore, the firewall does not
need to keep any state information
about other packets. As we can
see, packet filtering is the simplest
and the most efficient, but it is not robust against attacks that span multiple packets, where each packet
by itself is not indicative of an attack.
A packet filtering firewall is relatively
simple. It basically applies a list of
rules to match the IP or TCP header of
a packet, and based on the rules
match, the firewall will then decide to
forward or discard the packet.
Here are examples of IP or TCP
header information that a firewall can
use to filter a packet.
Source IP address: where the packet is from.
Destination IP address: where the packet is going to.
Source and destination transport-level address: this means the transport-level port number, which
defines applications such as SNMP or HTTP. Basically, this tells what application the packet belongs to.
For example, is it for email or web traffic?
IP protocol field: this defines the transport protocol, such as TCP, UDP, or ICMP.
Interface: for a firewall with three or more ports, which interface of the firewall the packet came
from, or which interface of the firewall the packet is going to. This is useful when the networks attached
to the firewall's different interfaces have quite different security policies.
A packet filtering firewall is typically
set up as a list of rules based on
matches to fields in the IP or TCP
header:
If there's a match to one of the
rules, that rule is invoked to
determine whether to forward or
discard a packet.
If there's no match to any rule,
then a default action must be taken.
There are two default policies. The default discard policy means that if there's no rule that matches the
packet, then the packet will be discarded. This is a more secure or conservative policy because it
provides more control over what traffic is allowed into the network. On the other hand, it can be a
hindrance to users who see that some traffic is not allowed, and they have to tell the system admin to
enable the traffic.
The alternative is the default forward policy, which means that if there's no rule that matches the
packet, the packet is allowed. Compared with the default discard policy, this policy is more user friendly,
but it's less secure. The security admin must react to each new security threat by adding rules to the firewall.
Now, let's have an exercise on firewall
policies by considering user convenience
and security. We're going to rate these
policies on their user convenience and
security. We use number one for the
best and three for the worst.
We have three policies here. The first
one accepts only packets it knows are
safe. The second one drops packets it
knows are unsafe. Third one queries user
about questionable packet.
You can think of the first one as the default
discard policy. The second one is similar to
the default allow policy or default forward
policy. The third one is in between the two.
The first one accepts only packets it knows
are safe. It is similar to the default discard policy.
In terms of security, it is the best among the
three. In terms of ease of use, it is the worst,
because it may stop traffic that is actually safe
and useful to the user, but the firewall does not know it yet.
The second one drops packets it knows are unsafe. In terms of security, this is the worst, because our
knowledge about which packets or what traffic is unsafe is limited, as attackers are constantly
implementing new methods. But in terms of ease of use, it is the best, because the users will have
access to most of the traffic that they want.
The third one queries the user about questionable packets. This is in between the two. Therefore, its
security is in between the two, and its ease of use is also in between the two.
Instructor Notes - Packet Filtering
The following is a student discussion on this topic that you might find interesting:
Student 1: Querying users about packets is not convenient. I'd much rather a packet be
dropped than asked every time the firewall isn't sure.... I mean, you can log it if you want, but
don't ask me, I'm busy.
Student 2: I'd agree that establishing the baseline is not convenient, but in the long run after
your basics have been established it can become much more convenient as it would only be
flagging items for which a rule did not already exist. Another item for the user perspective is
that it improves security awareness for the user. Letting them know about what types of
connections the system is making and demonstrating that the firewall is actively monitoring.
Student 1: At the packet level? Feels more likely that the user would just train themselves to
click accept without reading. Similar to the UI tenet of don't prompt to confirm reversible
actions. You can retransmit when FW is updated.
Student 3: While it may seem inappropriate for the environments that you have experience
with, remember the goal is to learn strategies for securing a wide range of information
systems. For example, the DoD probably runs their firewalls quite a bit differently than a
startup company.
Student 1: I hope most all DoD systems are default drop. In my experience, they have been.
As for startups, I hope they understand security and also default drop. I'm not saying it's not
a strategy. I'm saying confirming packets is ludicrous busy work, and not convenient.
Let's discuss typical firewall
configuration. First, let's provide some
background.
Most standard applications that run on
top of TCP follow a client and server
model. For example, for a simple mail
transfer protocol or SMTP, email is
transmitted from a client system to a
server system. The client system
generates new email messages,
typically from user input. The server
system accepts incoming email messages, and places them in appropriate user mailboxes. SMTP
operates by setting up a TCP connection between client and server, in which the TCP server port
number, which identifies the SMTP server, is port 25. The TCP port number for the SMTP client is a
number between 1,024 and 65,535.
From this example, the port numbers less than 1,024 are so-called well-known port numbers and are
assigned permanently to particular applications, such as port 25 for SMTP servers or port 80 for HTTP.
The port numbers between 1,024 and 65,535 are generated dynamically and have temporary
significance only for the duration of a TCP connection from a client to the server.
Therefore, a packet filtering firewall must permit inbound network traffic on all these high-numbered ports
for TCP-based connections to work. Even among the so-called well-known ports below 1,024, there are
protocols that use an entire range of ports, and in such a case the entire range must be allowed in order
for the protocol to work.
Let's go over an example of packet
filtering. This is a simplified example
of a rule set for SMTP traffic.
The goal is to allow inbound and
outbound e-mail traffic, but to block
all other traffic. The rules apply top
to bottom for each packet. That is,
for each packet, the firewall
screens it against each rule, one by
one, from top to bottom, until there
is a match.
So let's explain the intent of each
rule. As we can see, each rule here has a rule number, the direction of the traffic, the source and
destination IP addresses of the packet, the protocol, the destination port, and the decision, whether it's
permit or deny.
The first rule is to allow inbound
email traffic from an external host,
therefore it says the direction is in,
meaning inbound. The source IP
address is an external IP address,
because we are talking about
inbound traffic. The destination IP
address is an internal IP address. The
protocol is TCP, the destination port
is 25, which is for SMTP. Again, this
permits inbound email traffic from
an external source.
The second rule is intended to allow a response to an inbound SMTP connection. Because in the first
rule we allow inbound email traffic, we should allow the outbound response to that email traffic.
The third rule allows outbound email to an external source. That is, we allow outbound traffic to
external email server, SMTP server, port 25 on an external destination IP address.
And since we allowed outbound email to an external email server, rule number four allows the inbound
response. That is, rule number four is intended to allow an inbound email response.
Rule number five is an explicit statement of the default policy, which is deny. This means that if a
packet does not match any of the previous rules, then the packet will be discarded.
There are several problems with this
rule set.
For example, let's look at rule
number four. This rule allows
inbound traffic to any destination
port above 1023, whereas, the
original intent is to allow an inbound
traffic, that is part of the email
connection. In other words, it is
more permissive than its original
intent.
For security purposes, we want to make these rules more specific. Therefore we can add another
condition to the rules. This condition is on the source port of the packet. For example for rule number
four, our intent is to allow inbound traffic that is part of an email connection. Therefore the source port
should be 25.
We can make these rules even more precise. For example, because the intent of rule number four is to
allow inbound traffic that is part of an established email connection, we will want to check the ACK bit
of the packet and make sure that it is set. This is because in TCP, once a connection is set up, the ACK
flag in the TCP header is set on every subsequent packet. So we can check this bit to make sure that the
inbound packet is part of an established connection.
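To make the rule set and both refinements concrete, here is an added Python model (example code, not the lecture's or the textbook's) of a stateless packet filter that walks the rules top to bottom and stops at the first match. The internal prefix 10.0.0.0/24, the rule-number 0 default, and the three sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: internal hosts live in 10.0.0.0/24.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the internal network)
    src_ip: str
    dst_ip: str
    protocol: str    # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str                   # "in", "out" or "either"
    src: str                         # "internal", "external" or "any"
    dst: str
    protocol: str                    # "tcp" or "any"
    dst_port: str                    # "25", ">1023" or "any"
    action: str                      # "permit" or "deny"
    src_port: Optional[str] = None   # refinement 1: source-port condition
    ack_set: Optional[bool] = None   # refinement 2: require the ACK bit to be set


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def side_matches(spec: str, ip: str) -> bool:
    return spec == "any" or is_internal(ip) == (spec == "internal")


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every stated condition must hold; conditions a rule leaves out always match."""
    if rule.direction != "either" and rule.direction != pkt.direction:
        return False
    if not side_matches(rule.src, pkt.src_ip) or not side_matches(rule.dst, pkt.dst_ip):
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if not port_matches(rule.dst_port, pkt.dst_port):
        return False
    if rule.src_port is not None and not port_matches(rule.src_port, pkt.src_port):
        return False
    if rule.ack_set is not None and pkt.ack != rule.ack_set:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Stateless filtering: rules are tried top to bottom and the first match decides.

    Returns (action, rule number). Rule number 0 stands for the implicit
    default-discard policy, reached only when no explicit default rule is present.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 0


# The lecture's SMTP rule set as stated on the slide.
ORIGINAL_RULES = [
    Rule(1, "in",     "external", "internal", "tcp", "25",    "permit"),
    Rule(2, "out",    "internal", "external", "tcp", ">1023", "permit"),
    Rule(3, "out",    "internal", "external", "tcp", "25",    "permit"),
    Rule(4, "in",     "external", "internal", "tcp", ">1023", "permit"),
    Rule(5, "either", "any",      "any",      "any", "any",   "deny"),
]

# The same set after both refinements: the reply rules (2 and 4) additionally
# require source port 25 and a set ACK bit.
REFINED_RULES = [
    Rule(1, "in",     "external", "internal", "tcp", "25",    "permit"),
    Rule(2, "out",    "internal", "external", "tcp", ">1023", "permit", src_port="25", ack_set=True),
    Rule(3, "out",    "internal", "external", "tcp", "25",    "permit"),
    Rule(4, "in",     "external", "internal", "tcp", ">1023", "permit", src_port="25", ack_set=True),
    Rule(5, "either", "any",      "any",      "any", "any",   "deny"),
]

# Constructed sample packets.
INBOUND_MAIL  = Packet("in", "203.0.113.10", "10.0.0.2", "tcp", 40000, 25)            # external MTA to our mail server
MAIL_REPLY_IN = Packet("in", "203.0.113.10", "10.0.0.5", "tcp", 25, 50000, ack=True)  # reply to our outbound mail
PROBE_IN      = Packet("in", "203.0.113.66", "10.0.0.9", "tcp", 4444, 8080)           # unrelated probe of a high port
```

Under the original rules the probe is admitted by rule 4; under the refined rules it falls through to the explicit deny, while both mail packets are still permitted.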
The main advantage of packet
filtering is simplicity. That is, it is very
easy to implement packet filtering
rules. Packet filtering is also very
efficient, therefore it imposes
minimal overhead. That is, the users
typically would not notice any
performance slowdown. In addition,
these rules are typically very general
because they apply to all packets,
meaning that they are not specific to
any application or users, and therefore it is very transparent to the user experience.
However, packet filtering also has
weaknesses.
Since packet filtering firewalls do not
examine upper layer data, they
cannot prevent attacks that employ
application-specific vulnerabilities or
functions. For example, a packet
filtering firewall cannot block specific
application commands or contents
because, if the firewall allows a given
application, then all functions, all commands, all contents within the application must be permitted. For
example, once Web traffic is allowed, the firewall cannot block certain offensive page contents.
The logging capabilities of a packet filtering firewall are also limited. Again, this is because a packet filtering
firewall does not examine upper-layer data. For example, a packet filtering firewall may allow FTP
traffic but cannot log the actual FTP data, such as which files are being transmitted.
And, since a packet filtering firewall makes decisions on a per-packet basis, it cannot prevent attacks that
span multiple packets. That is, it cannot see attacks that require multiple packets of a connection.
Finally, as our example shows, packet filtering firewalls tend to have rules that have a small number of
variables or conditions. That is, these rules may not be specific enough, and attacks can bypass the
firewall.
Let's discuss some attacks on packet
filtering firewalls and the appropriate
countermeasures.
The first attack is source IP address
spoofing. Here the attacker transmits
packets from an outside host, but
with a source IP address field
containing the address of an internal
host. That is, the attacker spoofs the
packet's source IP address as if it is from an internal host. The attacker hopes that the use of a spoofed
internal source IP address will allow the firewall to let the packet pass. The firewall is typically
configured to let traffic from one internal host to another pass through.
The countermeasure is to discard packets with an inside source IP address if the packet arrives on an
external interface. In fact, this kind of measure is often implemented at the router, external to the
firewall. That is, when the router receives the packet from the Internet, it would check whether the
source IP address is correct. If the source IP address is an internal IP address, the router should know
that this IP address is spoofed, because the router just received this packet from the Internet, meaning
an external host.
A related attack is the source routing attack. Here, the attacker specifies the route the packet should take
as it crosses the Internet, and the attacker hopes that this will bypass security measures and checks
along the way.
A countermeasure is for the firewall or the router to discard all packets that use this option.
Another attack is a tiny fragment attack. Here, the attacker uses the IP fragmentation option to create
extremely small fragments, and forces the TCP header information into separate packet fragments. This
attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a
packet filter will make a filtering decision based on the first fragment of a packet. The attacker here
hopes that the filtering firewall examines only the first fragment and that the remaining fragments are
passed through.
This attack can be defeated by enforcing that the first fragment of a packet must contain a predefined
minimum amount of transport header information. If the first fragment is rejected, then all the
subsequent fragments should also be rejected.
Let's do a quiz. This quiz is on the
rules on IP fragmentation. You can
imagine that we can implement
these rules in a packet filtering
firewall to check valid IP fragments.
Here, please mark all answers that
are true. First, each fragment must
not share a common fragment
identification number. Second, each
fragment must say what its place or
offset it is in the original fragmented
packet. Third, each fragment must tell the length of the data carried in the fragment. Fourth, the
fragment does not need to know whether more fragments follow this one. Please mark all answers that
are true.
Instructor Notes - Analysis of Fragmentation Attacks
First, each fragment must not share
a common fragment identification
number. This is false because each
fragment of the same IP packet
must share the same identification
number.
Second, each fragment must say
what its place or offset is in the
original un-fragmented packet. This is true because otherwise we cannot correctly reassemble the
fragments into the original IP packet.
Third, each fragment must tell the length of the data carried in the fragment. This is true. Again, this is
needed for the correct reassembly of the fragments into the original packet.
Fourth, the fragment does not need to know whether more fragments follow this one. This is false.
Because each fragment must know whether there are more fragments to follow. Again, this information
is necessary for correct reassembly of the fragments.
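As an added example (not code from the lecture or the textbook), here is a small Python model of the countermeasures discussed above and of the fragment fields the quiz asks about: an ingress anti-spoofing check, a filter that rejects tiny first fragments and every later fragment of the same datagram, and a reassembler that requires a shared identification, contiguous offsets and lengths, and a More Fragments flag cleared only on the last piece. The 20-byte minimum, the 10.0.0.0/24 internal prefix and the sample fragments are assumptions, and offsets are counted in bytes rather than in IP's 8-byte units.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed threshold for this example: the first fragment must carry at least a
# full 20-byte TCP header, so ports and flags can be inspected on one fragment.
MIN_TRANSPORT_HEADER = 20


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's data within the original datagram
    more: bool      # More Fragments flag: False only on the last fragment
    data: bytes     # the fragment's payload; len(data) is the data length it carries


def ingress_ok(interface: str, src_ip: str, internal_prefix: str = "10.0.0.") -> bool:
    """Anti-spoofing check at the perimeter: an internal source address must never
    arrive on the external interface (the prefix is a constructed value)."""
    return not (interface == "external" and src_ip.startswith(internal_prefix))


class FragmentFilter:
    """Remembers which datagrams (by identification) have already been rejected."""

    def __init__(self, min_first: int = MIN_TRANSPORT_HEADER):
        self.min_first = min_first
        self.rejected: Set[int] = set()

    def check(self, frag: Fragment) -> Tuple[bool, str]:
        if frag.ident in self.rejected:
            # The first fragment of this datagram was dropped, so drop the rest too.
            return False, "belongs to a rejected datagram"
        if frag.offset == 0 and frag.more and len(frag.data) < self.min_first:
            # Tiny first fragment: the transport header would be split across
            # fragments and could not be filtered on this fragment alone.
            self.rejected.add(frag.ident)
            return False, "first fragment too small to hold transport header"
        return True, "ok"


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram; None if the fragments are inconsistent or incomplete."""
    if not frags:
        return None
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        return None                       # all fragments must share the identification
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset != expected:
            return None                   # gap or overlap in offsets
        expected += len(f.data)           # the carried length places the next fragment
    if not all(f.more for f in ordered[:-1]) or ordered[-1].more:
        return None                       # only the last fragment may clear the flag
    return b"".join(f.data for f in ordered)


# Constructed sample fragments (payload bytes stand in for TCP header plus data).
TINY_FIRST  = Fragment(ident=7, offset=0,  more=True,  data=b"\x00\x19" * 4)            # only 8 bytes
TINY_SECOND = Fragment(ident=7, offset=8,  more=False, data=b"\x50\x02" + b"\x00" * 30)
GOOD_FIRST  = Fragment(ident=8, offset=0,  more=True,  data=bytes(range(24)))
GOOD_LAST   = Fragment(ident=8, offset=24, more=False, data=bytes(range(24, 40)))
```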
Now, let's discuss Stateful
Inspection Firewall. This is different
from Packet Filtering Firewall.
In a Stateful Inspection Firewall, a
packet is analyzed and a decision is
made based on the context of other
related packets. Typically, this
means the connection this packet
belongs to.
Therefore we need to record and
maintain information about
connections. And then decisions are made on each packet based on the current state of the connection
and the context of the packet within this connection.
More specifically, as a packet arrives at the firewall, the firewall updates the information about its
connection accordingly and then decides whether the packet is allowed in the context of the
connection. For example, for an inbound packet that is part of an established email connection, the
firewall can check that the inbound packet is a response to a previous outbound packet.
In addition, the firewall can reassemble multiple packets of the connection and inspect the connection
data, such as the exact FTP commands or which file FTP is transmitting. Or the firewall can actually
look into the page contents received from a web server.
Here's an example of a connection
table.
As we can see each record contains the
most basic information about
connection. In particular the source IP
address, source port, destination IP
address, destination port, and most
importantly the current connection
state. For example whether it's
established or not.
Internally to the firewall, there could be another data structure that is linked to the connection table.
For example, for web traffic, since a page can span multiple packets, this internal data structure of the
firewall can maintain the contents of a page that it has received so far. That is, this data structure, which
is linked to the connection table, will allow the firewall to perform more specific analysis of the
connection.
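As an added example (not code from the lecture or the textbook), here is a minimal stateful inspection firewall in Python that keeps the connection table described above, keyed by the initiator's 4-tuple with a per-connection state, and judges every packet in that context. The set of inbound services and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (from the Internet) or "out" (from the internal network)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


# Key of a connection-table record: the 4-tuple as seen from the initiator.
ConnKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """Tracks TCP connections so each packet is judged in the context of its connection."""

    def __init__(self, inbound_services: Set[int]):
        # Ports (e.g. 25 for the mail server) that external hosts may open connections to.
        self.inbound_services = inbound_services
        # The connection table: initiator 4-tuple -> current connection state.
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _forward(p: Packet) -> ConnKey:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> ConnKey:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def state_of(self, key: ConnKey) -> str:
        return self.table.get(key, "NONE")

    def process(self, p: Packet) -> str:
        fwd, rev = self._forward(p), self._reverse(p)

        # A bare SYN is a new connection attempt: internal hosts may open any
        # outbound connection, external hosts only to the advertised services.
        if p.syn and not p.ack:
            if p.direction == "out" or p.dst_port in self.inbound_services:
                self.table[fwd] = "SYN_SENT"
                return "permit"
            return "deny"

        if rev in self.table:        # packet flows from responder back to initiator
            key = rev
        elif fwd in self.table:      # packet flows from initiator to responder
            key = fwd
        else:
            # No connection context at all: dropped even though ACK may be set,
            # which is exactly the packet a stateless ACK-bit rule would admit.
            return "deny"

        state = self.table[key]
        if p.syn and p.ack and state == "SYN_SENT" and key == rev:
            self.table[key] = "SYN_RECEIVED"       # responder's SYN/ACK seen
        elif p.ack and state == "SYN_RECEIVED" and key == fwd:
            self.table[key] = "ESTABLISHED"        # initiator's final ACK completes the handshake
        if p.fin:
            # The first FIN marks the connection closing; the second removes the record.
            if state == "CLOSING":
                del self.table[key]
            else:
                self.table[key] = "CLOSING"
        return "permit"
```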
Packet filtering and stateful
inspection firewalls are the two main, or
more traditional, types of firewalls.
There are other, more modern firewalls.
In particular, an application-level
gateway, sometimes called an
application proxy, is an application-
specific firewall.
It essentially acts as a relay of
application-level traffic, or a man or
system in the middle. That is, to the external server, this gateway acts as the client, and to the internal
client, this gateway acts as the external server. For example, many organizations have a web proxy, and
that is an application-level gateway.
Let's discuss a typical workflow of an
application-level gateway.
1. First, the user contacts the
gateway using an application such as
FTP or the browser.
2. The gateway then asks for
information such as the name of the
remote server, the user login
information, and so on.
3. The user then provides the valid
authentication information to the
gateway.
4. The gateway then contacts the external server and provides the valid user authentication
information. In other words, the gateway acts as the user to the external server.
5. When the external server sends back a response, the gateway is going to analyze it, and if the
traffic is allowed, it's going to forward it to the user. But in order for the gateway to be able to
correctly analyze the server response, the gateway must implement the correct application
logic. For example, if this is a web proxy, it must be able to process web traffic, just like a
browser.
As we can see, if we want to use
application-level firewalls, we must
implement proxy code for each
application that we want to
protect. The advantage is that we
can then restrict certain
application features. For example,
a web proxy can prevent active
scripts in web pages. This can be
accomplished by the proxy
removing the scripts in the pages
returned by the remote server, and
therefore application-level gateways tend to be more secure.
On the other hand, an application-level gateway does incur additional overhead. This is easy to see,
because each connection from the user to the external server is actually spliced into two connections.
One is from the user to the gateway, and the other one is from the gateway to the external server. And
the gateway must examine and forward all traffic in both directions.
To review the different firewall types, let's do a quiz. Here, please mark each statement as either T for true or F for false. The first statement: a packet filtering firewall is typically configured to filter packets going in both directions. The second statement: a prime disadvantage of an application-level gateway is the additional processing overhead on each connection. The third statement: a packet filtering firewall can decide if the current packet is allowed based on another packet that it has just examined. The fourth statement: a stateful inspection firewall needs to keep track of information of an active connection in order to decide the current packet. Please mark each statement as either T for true or F for false.
*** No Transcript ***
Now let's discuss firewall deployment strategy. That is, where in the network do we put a firewall?

Typically, we put an application-level gateway, such as a web proxy, on a dedicated machine, and we call these machines bastion hosts. These machines are made to be very secure. Here are some measures that we can take to make a bastion host very secure:

First, these machines execute a secure version of the operating system.

In addition, only the services that the admin considers essential are installed on the host. For example, a bastion host may only allow DNS and web traffic.

A bastion host can also require that, even for traffic coming from an internal host, the user must authenticate himself to the bastion host.

Each proxy running on the bastion host is configured to allow access only to specific host systems in the internal network. This is important because we don't want a compromised proxy to lead to attacks on the entire internal network.

Each proxy module is a very small software package, designed with security in mind. That is, we want each proxy to be as small and simple a program as possible, so that it can be checked for security. For example, a typical Unix email application may contain over a couple hundred thousand lines of code, while an email proxy may contain fewer than one thousand lines of code.

A proxy typically performs no disk access other than reading its initial configuration file. This makes it difficult for an attacker to install a Trojan horse on the bastion host and affect the proxy.

Proxies are typically non-privileged and isolated from each other. The security benefit is that if a proxy is compromised by an attack, it cannot easily compromise the entire bastion host or affect other proxies.
Firewalls are typically deployed at network perimeters. But in addition to network firewalls, there are also host-based firewalls.

A host-based firewall is a software module used to secure an individual host; that is, it enforces the host-specific security policy. Similar to a network firewall, a host-based firewall can filter and restrict traffic to and from the host. Typically, a host-based firewall is installed on an internal, important server.

There are several advantages of deploying host-based firewalls. For example, service-specific security policies can be implemented with different filters for servers used for different applications.

Since the firewall is not at the network perimeter, both internal and external attacks can be stopped by the host-based firewall. That is, while an attack coming from the internal network is missed by the firewall at the network perimeter, it can be stopped by the host-based firewall.

We typically deploy host-based firewalls in addition to network firewalls, so host-based firewalls provide an additional layer of protection.

A personal firewall is similar to a host-based firewall. It controls traffic between a personal computer and the rest of the network.
Personal firewalls are also often deployed at home routers to protect home networks. These firewalls tend to be simpler, because home networks are less complex than enterprise networks.

Similar to firewalls at corporate networks, the main function of personal firewalls is to track traffic in both directions. For example, the personal firewall on the home router can stop attacks from reaching the internal home computers. It can also monitor outgoing traffic. For example, it can detect a connection to an external server known for performing botnet command and control, and it can block such a connection. Therefore, even when a home computer has been compromised, it cannot participate in botnet activities.

As an example, the services shown here are typically not allowed, but a personal firewall can selectively enable any of these services.

In addition to disabling and enabling certain services, personal firewalls can also provide advanced features. For example, a personal firewall can be configured to hide the system from the Internet. This is accomplished by the firewall dropping unsolicited packets from the Internet. The firewall can also drop all UDP packets or ICMP packets and only allow TCP packets to certain ports. A personal firewall can also support logging, for example, recording all unwanted traffic and activities.

It can also allow the user to specify that only certain applications may accept connections from the Internet. For example, the user can specify that only applications signed with keys certified by a valid certificate authority can connect to the Internet.
Let's do a quiz. Suppose that a company already has a conventional network firewall in place. Which of the following situations would require an additional personal firewall? The first one: an employee uses a laptop on the company network and at home. The second one: an employee uses a desktop on the company network to access websites worldwide. The third case: a remote employee uses a desktop to create a VPN on the company's secure network. The last one: none of the above. Which of the following situations would require an additional personal firewall?

The first one: an employee uses a laptop on the company network and at home. In this case, a personal firewall is required, because when the employee takes the laptop to his home it needs protection. That is, when the laptop is at home, it is not protected by the conventional network firewall at the company, so it requires a personal firewall. The second one: an employee uses a desktop on the company network to access websites worldwide. In this case, it does not require a personal firewall, because the desktop is within the company's network. The third case: a remote employee uses a desktop to create a VPN on the company's secure network. In this case, a personal firewall is required. In fact, a personal firewall on a desktop is typically used to create a VPN, so that the remote desktop can access the company's secure network. And obviously, this last statement is false.
Let's look at how firewalls should be deployed to protect a network. Here's a figure that illustrates a common firewall configuration that includes an additional network between the external and internal firewalls.

An external firewall is placed at the edge of the local area network, just inside the boundary router. The boundary router connects the complete network to the Internet. One or more internal firewalls protect the bulk of the enterprise network.

Between the external firewall and the internal firewall is typically the DMZ. Systems that are externally accessible but need some protection are usually located in the DMZ. These systems require or foster external connectivity, such as the public-facing corporate web server, an email server, and a DNS server. The external firewall provides some basic or first-line defense, but allows access to these public-facing systems.

The internal firewall provides additional protection. In particular, it protects the internal trusted network from traffic coming from the DMZ.

Compared with the external firewall, an internal firewall performs more stringent filtering. This is because the internal network requires more protection than the public-facing systems on a DMZ. The internal firewall protects the remainder of the enterprise network from attacks launched from the DMZ. For example, if the public-facing web server in the DMZ is compromised, the internal firewall is there to stop attacks from that compromised web server. In addition, the internal firewall also controls access to the DMZ from the internal network. For example, only authorized traffic from the internal network can reach the DMZ to change the settings of a public-facing web server; for example, such activities must come from a sysadmin's workstation.

In addition, multiple internal firewalls can be used to protect different parts of the internal network from each other. That is, even if one part of the internal network has been compromised, the other parts are still protected by their own internal firewalls.
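As an added example (not from the lecture or the Stallings and Brown text), here is a small Python model of the two-firewall DMZ layout just described; it also shows the stateful "drop unsolicited packets" behaviour mentioned earlier for personal firewalls. The external firewall admits the Internet only to the DMZ's public services, while the internal firewall admits nothing that the DMZ initiates and allows DMZ administration only from a sysadmin workstation. The zone address ranges, port numbers and the workstation address are constructed assumptions.

```python
# Added example (not from the lecture): a toy model of the external and internal
# firewalls around a DMZ, with stateful reply handling. Address plan is constructed.
from ipaddress import ip_address, ip_network

ZONES = {"internal": ip_network("10.0.0.0/16"), "dmz": ip_network("192.0.2.0/24")}
SYSADMIN_WS = "10.0.5.10"   # constructed: the only workstation allowed to administer the DMZ

def zone_of(addr):
    a = ip_address(addr)
    return next((z for z, net in ZONES.items() if a in net), "internet")

# A rule is (src_zone, dst_zone, proto, dport, src_host); src_host None = any host.
# External firewall: basic first-line defence, but public DMZ services stay reachable.
EXTERNAL_RULES = {
    ("internet", "dmz", "tcp", 80, None), ("internet", "dmz", "tcp", 443, None),
    ("internet", "dmz", "tcp", 25, None), ("internet", "dmz", "udp", 53, None),
    ("dmz", "internet", "tcp", 25, None), ("dmz", "internet", "udp", 53, None),
}
# Internal firewall: stricter. Nothing initiated from the DMZ reaches the internal
# network, and DMZ administration (ssh/22) is allowed only from the sysadmin workstation.
INTERNAL_RULES = {
    ("internal", "dmz", "tcp", 80, None), ("internal", "dmz", "tcp", 443, None),
    ("internal", "dmz", "udp", 53, None), ("internal", "dmz", "tcp", 22, SYSADMIN_WS),
}

class Firewall:
    def __init__(self, name, rules):
        self.name, self.rules = name, rules
        self.conns = set()   # admitted connections, so their replies can come back (stateful)
        self.dropped = []    # log of unsolicited/unauthorised packets for security monitoring

    def filter(self, src, sport, dst, dport, proto):
        """Return True if the packet is forwarded, False if it is dropped (and logged)."""
        if (dst, dport, src, sport, proto) in self.conns:   # reply to an admitted flow
            return True
        sz, dz = zone_of(src), zone_of(dst)
        if ((sz, dz, proto, dport, None) in self.rules
                or (sz, dz, proto, dport, src) in self.rules):
            self.conns.add((src, sport, dst, dport, proto))
            return True
        self.dropped.append(f"{self.name} DROP {proto} {src}:{sport} -> {dst}:{dport}")
        return False

if __name__ == "__main__":
    internal = Firewall("internal", INTERNAL_RULES)
    # A compromised DMZ web server trying to reach an internal file server is stopped.
    internal.filter("192.0.2.10", 44444, "10.0.1.20", 445, "tcp")
    print(*internal.dropped, sep="\n")
```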
A distributed firewall configuration typically includes standalone network firewalls, host-based firewalls, and personal firewalls. That is, the standalone network firewalls protect the internal network from attacks from the Internet. In addition, host-based firewalls are placed at workstations and servers. These host-based firewalls protect against internal attacks and provide protection tailored to specific machines and server applications. For example, with host-based firewalls providing server-specific protection, we can have one public-facing, external web server and an internal-facing web server. In addition, personal firewalls can be used to protect personal computers, regardless of where they are in the network.

An important issue here is the need to coordinate the multiple firewalls for security monitoring. This typically involves aggregating the logs from multiple firewalls and performing correlation analysis. For example, if multiple host-based firewalls see the same attack, this may suggest that there's a worm spreading inside the internal network.
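As an added example of the correlation step (not from the lecture), here is Python code that reads drop records aggregated from several host-based firewalls and flags a service that multiple hosts are all rejecting from internal sources, which is the "same attack seen by many host firewalls" signal for a worm. The log line format, host names, addresses and the threshold are constructed assumptions.

```python
# Added example (not from the lecture): correlating drop logs aggregated from
# several host-based firewalls. Log format and addresses are constructed.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/16")     # constructed internal address range
MIN_HOSTS = 3                            # distinct reporting hosts before we alert

# Constructed, syslog-like lines as a central log collector might receive them.
AGGREGATED_LOG = """\
2024-05-01T10:00:01 host=ws-01 DROP tcp src=10.0.1.55 dst=10.0.1.20 dport=445
2024-05-01T10:00:02 host=ws-02 DROP tcp src=10.0.1.55 dst=10.0.1.21 dport=445
2024-05-01T10:00:02 host=ws-01 DROP tcp src=198.51.100.7 dst=10.0.1.20 dport=22
2024-05-01T10:00:03 host=srv-03 DROP tcp src=10.0.1.61 dst=10.0.2.3 dport=445
2024-05-01T10:00:04 host=ws-04 DROP udp src=10.0.1.9 dst=10.0.1.40 dport=5353
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate(log_text, min_hosts=MIN_HOSTS):
    """Group dropped packets by (proto, dport). If at least min_hosts different
    host firewalls rejected the same service from internal sources, report it
    as a possible worm spreading inside the internal network."""
    reporters = defaultdict(set)   # (proto, dport) -> hosts that logged a drop
    sources = defaultdict(set)     # (proto, dport) -> internal source addresses
    for rec in parse(log_text):
        if rec["action"] != "DROP":
            continue
        key = (rec["proto"], int(rec["dport"]))
        reporters[key].add(rec["host"])
        if ip_address(rec["src"]) in INTERNAL:
            sources[key].add(rec["src"])
    alerts = []
    for key, hosts in reporters.items():
        if len(hosts) >= min_hosts and sources[key]:
            alerts.append({"proto": key[0], "dport": key[1],
                           "hosts": sorted(hosts), "sources": sorted(sources[key])})
    return alerts
```

The single external source probing port 22 and the one host dropping UDP 5353 do not reach the threshold, so only the port 445 activity is reported.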
Let's do a quiz on firewall deployment. The question is: typically, the systems in which of the following will require or foster external connectivity, such as a corporate web site, an email server, or a DNS server? Are these systems in a DMZ, IP protocol field, boundary firewall, or VPN?

The answer is DMZ. We typically put these public-facing servers in a DMZ, but also protect the internal network from these servers.
Here's another quiz on firewall deployment. Which of the following configurations involves a stand-alone network firewall plus host-based firewalls working together? Is it a packet filtering firewall, distributed firewall, boundary firewall, or VPN?

The answer is distributed firewall. Typically, a distributed firewall includes a stand-alone network firewall, host-based firewalls, plus personal firewalls.

We can now summarize the spectrum of firewall locations and topologies. The first are the host-based firewalls, which also include personal firewalls. These can be placed on servers or personal computers. We can place a network firewall on a router to protect the internal network from the external network. Or, a network firewall can also be placed on a dedicated device, such as a bastion host. A bastion host can also have a third interface to the DMZ. We can also have an external firewall on a bastion host and a separate internal firewall on a different bastion host. We can then put the DMZ in between these two firewalls. Or, the external firewall bastion host can have a third interface to the DMZ. We can also use a distributed firewall configuration that includes network firewalls and host-based firewalls.
Firewalls prevent intrusions by way of traffic filtering. The filtering techniques include packet filtering, session filtering, and application-level gateways. Firewalls can be deployed at the network perimeter, on end hosts and servers, and they can be used to create a DMZ.