Firewalls, etc.

(Some of the slides in this file were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)

Web Security 2

Chapter 3

• Intro• Various firewall technologies:

– Static Packet Filtering– Dynamic Packet Filtering (or Stateful inspection)– Circuit-level gateways– Application-level gateways (aka. Proxy servers)

• Firewall configurations• NAT• Browser configurations

Web Security 3

Firewalls• A firewall, in the real world, is built between buildings to

prevent a fire started in one building from spreading to another

• A digital firewall serves similar purpose, by preventing security breaches that occur in one zone from spreading to another zone

• In a way, firewalls can be considered as delimiters that together define the perimeter of a network

• A firewall prevents unwanted and/or unauthorized traffic from entering into or getting out of a given network (the ‘protected’ network)

• Also called ‘secure Internet gateways’ or ‘security gateways’

Web Security 4

RFC2828 Internet Security Glossary (by R. Shirey, May 2000)

$ filtering router • An internetwork router that selectively prevents the

passage of data packets according to a security policy.

• A filtering router may be used as a firewall or part of a firewall. • A router usually receives a packet from a network and decides

where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy.

• The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port

Web Security 5

RFC2828 Internet Security Glossary (by R. Shirey, May 2000)

$ bastion host• A strongly protected computer that is in a network

protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.

• Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall.

• Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively.

• However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

Web Security 6

Firewalls• According to RFC2828 Internet Security Glossary (by R. Shirey, May

2000):

$ firewall - An internetwork gateway that restricts data

communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).

- A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.

Web Security 7

Firewalls- A firewall is not always a single computer. For example, a

firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers.

- The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.

Web Security 8

Firewalls- a more precise definition

• According to Cheswick & Bellovin (1994)• A firewall system is a collection of components

placed btwn two networks that collectively have the following 3 properties:

1. All traffic (inside out, or outside in) must pass through the firewall.

2. Only authorized traffic (as defined by the local security policy) are allowed to pass. firewall policy

3. The firewall itself is immune to penetration.

Web Security 9

Firewalls- additional, stronger features

• A firewall is able to:1. enforce strong authentication for users who wish to

establish inbound or outbound connections

2. associate data streams that are allowed to pass through

the firewall with previously authenticated and authorized

users

• Use of application gateways is needed to support

these higher-level features.

Web Security 10

Compare Various Firewall Technologies

Types Packet filters Application gateways

Sub-types

Static

Dynamic

Circuit-level

Application-level

OSI layers

Network layer

(or Internet layer in TCP/IP)

Transport layer or higher

Web Security 11

Web Security 12

Static Packet Filtering

• Aka ‘screening routers’• Stateless, meaning that each IP packet must be

examined in isolation from what has happened in the past (and what may happen in the future), forcing the filter to make a decision to permit or deny each packet individually based on the packet-filtering rules no concept of session lead to problems when more than one connection is

created in a protocol such as FTP

Web Security 13

Web Security 14

Dynamic Packet Filtering

• Aka stateful inspection• A dynamic packet filter maintains state

information about past IP packets to make more intelligent decisions about the legitimacy of present and future IP packets

• State information are stored in an internal database

• Subsequent packets belonging to the same association can pass quickly through the stateful inspection device

Web Security 15

Circuit-level Gateways

• A proxy server for TCP or UDP (at the transport layer)

• Goal: To allow a TCP/IP application to traverse (i.e., securely use) a firewall

• Is Located and running on a firewall• Relays TCP connections• It does not interfere with the data stream.

Making it different from an application-level gateway

• Example: SOCKS (RFC1928SOCKS Protocol Version 5. By M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, L. Jones. March 1996)

Web Security 16

SOCKS• The implementation of the SOCKS protocol typically involves

the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library. ‘socksified’ clients

• Procedure for TCP-based clients – When a TCP-based client wishes to establish a connection to an object

that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080.

– If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request.

– The SOCKS server evaluates the request, and either establishes the

appropriate connection or denies it.

Web Security 17

Web Security 18

Application-level Gateways

• A proxy server that allows a specific application protocol to traverse a firewall.

• A scenario: The packet filter of a firewall blocks all inbound Telent and FTP sessions, unless the sessions are terminated by a bastion host.– Multiple application gateways may be running on the bastion

host a proxy server for FTP, a proxy server for Telent, …

– A user who wishes to connect inbound to an intranet server must have his Telnet or FTP client connect to the application gateway

Web Security 19

Web Security 20

Application-level Gateways

• To properly authenticate the user, an application gateway must have access to authentication and authorization information, either locally or remotely:– User-level authentication info may be stored locally on

the firewall

– User-level authentication info may be stored in a centralized authentication server (e.g., RADIUS, TACACS+)

Web Security 21

Trade-offs of Firewalls• Advantages:

1. Provides basic access control services for an intranet

2. Provides a centralized filtering/gateway function

3. (To some degree) Relieves individual hosts the

responsibility of having a filter or firewall itself

4. Centralized management of filtering rules

• Limitations: next

Web Security 22

Trade-offs of Firewalls• Limitations:

1. Cannot protect sites and corporate intranets against insider attacks internal / intranet firewalls

2. Can be circumvented by tunneling unauthorized application protocols in authorized ones

3. Little protection against attacks embedded in the data field of a packet (e.g., virus-infected programs or data files, malicious Java applets, malicious ActiveX controls, …)

4. May foster a false sense of security lax security within the firewall perimeter

Web Security 23

Dual-Homed Firewalls

• A dual-homed host is a host with two network interfaces, each of which is connected to a different network.

• A dual-homed firewall is a dual-homed host on which IP routing and forwarding are disabled.– IP packets can no longer be routed or forwarded

between the two networks.– Data can only be transferred from one network to the

other if there is an application gateway running on the firewall to do that.

– See diagram next.

Web Security 24

outer screening routerinner screening

router

Web Security 25

Dual-Homed Firewalls

• The outer screening router makes sure that– All incoming packets have the bastion host as the

destination address.– All outgoing packets have the bastion host as the

source address.

• The inner screening router makes sure that– All incoming packets have the bastion host as the

source address.– All outgoing packets have the bastion host as the

destination address.

• Packet filtering rules need to be configured.

Web Security 26

Screened Subnet Firewalls

• Two separate screening routers: outer, inner (see diagram next)

• DMZ: the subnet in between the two screening routers

• The bastion host is part of the DMZ.• A packet must pass both screening routers

before it reach the intranet.• When configured properly (e.g., using NAT),

only the bastion host and other servers in the DMZ can be seen from the Internet.

Web Security 27

outer screening router

inner screening router

the DMZ

Web Security 28

NAT and Security• Network Address Translation (NAT) is useful:

– Hide internal private IP addresses– Conserve routable IP addresses on the Internet

• RFC1918 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996.

• Reserved IP addresses for private networks in RFC 1918 addressing scheme:

– The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Web Security 29

An Example- a firewall supporting NAT

IP addresses: C

Port numbers: c

S = 67.64.10.1

192.168.4.1

21

F = 192.168.4.1

f

67.64.10.3

Also a router ?

Web Security 30

Other Examples- the DCSL network

• Network diagram for the UHCL Distributed Computer Security Lab (D140, D158)– http://www.dcsl-uhcl.net/public/experiments.html

Web Security 31

Advantages of using NAT

• The obvious advantage of using private address space for the Internet at large is to conserve the globally unique address space by not using it where global uniqueness is not required.

• Enterprises themselves also enjoy a number of benefits from their usage of private address space: They gain a lot of flexibility in network design by having more address space at their disposal than they could obtain from the globally unique pool. This enables operationally and administratively convenient addressing schemes as well as easier growth paths.

Web Security 32

Drawbacks of using NAT

• Renumbering of IP addresses may be needed in some cases:

1. Once one commits to using a private address, one is committing to renumber part or all of an enterprise, should one decide to provide IP connectivity between that part (or all of the enterprise) and the Internet.

2. Another drawback to the use of private address space is that it may require renumbering when merging several private internets into a single private internet.

Web Security 33

Is NAT sufficient for network security?

• No. It’s mainly a convenience measure.1. It cannot replace the functionalities of a firewall:

NAT does not track packet sequence numbers, TCP handshake, and UDP progress-based timers, etc.

2. It cannot replace a intrusion detection system:NAT does not concern itself with protecting the hosts from

malicious data being sent on the NAT connections.

3. It cannot replace an access control mechanism.