9

Scanning the Horizon

CHAPTER SPOTLIGHT

Port scanning, vulnerability enumeration,

mapping

topology

Subnets and architectural protections; security perimeter

Firewalls: their purpose, design, and configurations
Network address translation

A'IVI'A
Attack: Investigation, Intrusion, and Compromise
Threat: Port Scan
Attack Details

371

Harm: Knowledge and Exposure

374

Recurring Thread: legal-Are Port Scans legal?

VUlnerability: Revealing Too Much

375

VUlnerability: Allowing Internal Access

376

Countermeasure: System Architecture

Countermeasure: Firewall

377

Countermeasure: Network Address Translation (NAT)

Countermeasure: Security Perimeter
Conclusion
Exercises

368

369
370

376

37B
397
399
400
402

II

Keep

your hands in your pockets and don't touch anything," my mother

used to admonish me when we went into a store. But what kid can resist

picking up, looking at, feeling, or playing with the delights in a grocery,
hardware, stationery or, most enticing, toy store? Children learn by encountering new
things and cataloging their size, shape, color, texture, weight, and smell. As long as
they don't damage things, surely children aren't doing any harm by just exploring (or
so I used to counter-unsuccessfully-to
my mother).
Can the same thing be said for a computing system? Is there any harm in an outsider's probing a system? Perhaps not, but some exploring outsiders are not as innocent as
children. In this chapter we learn about network scanning as a way to determine characteristics and vulnerabilities of a network.

1\1"1'A(;I{: INVESTIGATION, INTRUSION, AND COMPROMISE

According to a paper by Casey [CASaS], in March 2000, an alert system administrator
for a network of research computers noticed an account for a user named "omnipo-

tent." Having assigned all user account names, this administrator knew that name had
never been assigned and called for the network's incident response team to investigate.
After much detailed analysis the investigators found that dozens of machines had been
compromised and many had a Telnet account not requiring a password, appropriately
named "open_sesame." On further examination, it appeared as if an intruder had
exploited known vulnerabilities in any of three Solaris (Unix) services: cmsd (Calendar
Manager), ttdbserverd (Tool Talk), and sadmind (AdminSuite). Because these vulnerabilities were well known, attacks could easily have been launched by anyone who
knew that any particular machine was running a vulnerable version of one of these
services.

The only problem was that these compromised machines were on protected networks, not visible outside the laboratories' network. Thus, the attack had to have been
based within the network. Ultimately, investigators determined the intruder had stolen
a user identity ("used3") and password months earlier and then accessed that account
remotely as a base from which to expand the attack, making it seem as if the attack
originated inside the network.
But even from the inside how did the attacker know exactly which network
machines to target and with which attack? The attacker probably used a profiling tool
called a port scanner that queries machines regarding the service software they are running and reports back the versions of different software. Having identified vulnerable
machines , the attacker then installed the open_sesame backdoor access and ran a script

369

370

Chapter 9

Scanning the Horizon

that installed other malicious code (and kindly patched the vulnerabilities,
to prevent anyone else from exploiting these same flaws).

presumaf

Al

The attacked network was for a research institution running medical studies oncan.
cer and AIDS treatments. Its computer operation was active 24 hours a day to monitor
and collect data from experiments. Because of the attack, the organization was fo~e"
to shut down its operation for several days, harming the results of several ongoing
experiments. The attacker, a 17-year-old in Texas, was identified, charged, and brought
to justice in 2004. The disposition of this case is not public because he applied foran'
was granted youthful offender treatment.

'fUlUlll'I': PORT SCAN

Vulnerabilities in different versions of software products are well known: Vendorspost
lists of flaws and protective or corrective actions, and security professionals mamlalD
and distribute similar lists, as well as tools to test for vulnerabilities. Hackers circulate
copies of attack code and scripts. The problem for the attacker is to know which allacb
to address to which machines: An attack against a specific version of Adobe Reader
will not work if the target machine does not run Reader or runs a version that doesnot
contain the particular vUlnerability. Sending an attack against a machine that is not vulnerable is at least time consuming but worse, may even make the attacker standD.ut or
become visible and identifiable. Attackers want to shoot their arrows only at hkely
targets.
An easy way to gather network information is to use a port scanner, a program
.
. ~
that, for a particular
Internet (IP) address, reports which ports respond to quenes
which of several known vulnerabilities seem to be present. Dan Farmer and w~~
Venema [FAR90, FAR95] are among the first to describe the technique in the C
and SATAN tools. Since then, tools such as NESSUS and Nmap have expanded ontbe
network-probing concept.
scan is much like a routine physical examination from a doctor, particuJarl~
h A- port
"1'.
w~
t e nuna questIOns used to determme a medical history. The questions and answ
themselves may not seem significant, but they point to areas that suggest further
investigation.

CL:
. Port scanning tools are readily available, and not just to the underground co~:u~
ruty. The Nmap scanner, ongmally wntten by Fyodor and available at www.rns will
.org/nmap, IS a useful tool that anyone can download. Given an address, Nmap
report all open ports, the service each supports and the owner (user ID) of the daemoo
"d"'
,
'I~
ProVI mg the service. (The owner is significant because it implies what pnVt ,
would be conferred on Someone who cOmpromised that service. Administrators tend ::
name pnvtleged accounts with names like admin or system.) Another readily avall: b_
scanner IS netcat, wntten by Hobbit, at www.IOphtcom/users/iOpht.
Commercral p aJ'
od
ucrs are a httle more costly, but not prohibitive. Well-known commercial scanners
Nessus (Nessus Corp. [AND03]), CyberCop Scanner (Network Associates), SecUl'
Scanner (Cisco), and Internet Scanner (Internet Security Systems).

SV:

CL:

SV:

CL:

SV:

CL:

--SV:

fiGURE

Attack Details

371

ATTACK DETAILS
What does a port scanner do and how does it work? In this section we describe port
scanners in general, with specific attention to the Nmap scanner.
To understand port scanning, you need to understand computer network services. As
you know, data do not just magically slip into a computer or execute on their own;
some active program on the computer has to receive the data and store or call them.

Some programs solicit data, like the box that prompts for a name and password, but
other times those data arrive from the network and must be directed to a program that
will handle them. An example of this latter case is incoming email: New mail can be
sent at any time, so a service program running on a computer has to be ready to receive

email and pass it along to a user's email client such as Microsoft Outlook or Mozilla
Thunderbird. Such services are sometimes called daemons; for example, the daemon
ready to receive incoming mail is named popd; it supports the Post Office Protocol
mail reception function.

Many common services are bound to agreed-upon ports, which are essentially just
numbers to identify different services; the destination port number is given in the
header of each packet or data unit. Ports 0-4095 are called well-known ports and are
informally associated with specific services. For example, incoming email is often

transmitted with the Post Office Protocol (POP), and the POP server is typically bound
to port 110. A POP server is a program that waits for a client to request email that has
been queued. The client contacts the server, sending a packet to port 110, requesting
establishment of a session; with the server's response, the client and server negotiate to
transfer mail from the server.

The client initiates a request to connect with a POP server by a defined protocol
implemented in ASCII text commands. The server responds, typically identifying itself
and sometimes its version number (so that client and server can synchronize on capa-

bilities and expectations). We show a sample of that exchange in Figure 9-1. Lines
from the client are labeled CL and responses from the POP server are labeled Sv, Anyone can initiate such an exchange by using Telnet, the terminal emulator program.

CL: tel net incoming.server.net

SV: +OK Messaging Multiplexor

110
(Sun Java(tm) System Messaging
Apr 3 2006)) <4d3897ff.11ec04f8@vms108.

CL:
SV:
CL:
SV:
CL:
SV:

6.2-6.01
(built
mailsrvcs.net>
user vI
+OK password
required
for
pass pI
-ERR [AUTH] Authentication
quit
+OK goodbye

user

failed

~--~~------------FIGURE9-,

POP Server Session Creation

[email protected]

Server

372

Chapter 9

Scanning the Horizon

A scanner such as Nmap probes a range of ports, testing to see what service\
respond. An example output from Nmap is shown in Figure 9-2. (The site nameana
address have been changed.) Notice that the entire scan took only 34 seconds.
Port scanning tells an attacker three things: which standard ports or servicesarerun
ning and responding on the target system, what operating system is installedonmt
target system, and what applications and versions of applications are present.Tbil
information is readily available for the asking from a networked system; it canI<
obtained quietly, anonymously, without identification or authentication, drawingIittlt
or no attention to the scan.
It might seem that the operating system name or versions of system application!
would not be significant, but knowing that a particular host runs a given version-thai

may contain a known or even undisclosed flaw-of a service, an attacker can devis~an
attack to exploit precisely that vulnerability. Thus, a port scan can be a first stepnt
more serious attack.
Another thing an attacker can learn is connectivity. Figure 9-2 concerns a sin~1e
host. In Figure 9-3 we have expanded the search to an entire subnetwork (again,Wlt~

Nmap scan report

192.168.1.1
/ somehost.eom (online)
ping
address:
192.168.1.1
(ipv4)
hostnames:
somehost.eom (user)
The 83 ports scanned but not
shown below
Port
State
se rvi ee Reason
21
tep
open
ftp
syn-aek
22
tep
fi ltered
ssh
no-response
2S
tep
fi ltered
smtp
no-response
80
tep
open
http
syn-aek
106 tep
open
pop3pw
-aek
110 tep
open
pop3
syn-aek
111 tep
fil te red rpebind
no-response
113 tep
fi ltered
auth
no-response
143 tep
open
imap
syn-aek
443
tep
open
http
syn-aek
465
tep
open
unknown syn-aek
646 tep
fi lte red ldp
no-response
993 tep
open
imap
syn-aek
995 tep
open
syn-aek
2049 tep
filtered
nfs
no-response
3306 tep
open
mysq1
syn-aek
8443 tep
open
unknown syn-aek
34 sec. scanned
1 host(s)
1 host(s)
o host(s)

results

are in state:
closed
Product
version
Extra
ProFTPD
1.3.1

Apache
2.2.3
poppassd
Couri e r pop3d

(centOS)

Courier
Apache

Imapd
2.2.3

rel'd 2004
(centOS)

Courier

Imapd

rel'd

MySQL

5.0.45

scanned
online
offline

9-2 NmapScannerOutput
::;;:-;:---=:==:--:------------FIGURE

. 0
'0

2004

Attack Details

373

changed name and address).As you can see, the network consists of a router,three
computers, and one unidentified device.

The information from Figure 9-3 gives another important clue:Because the latency
time (thetime between when a packet issent to the device and the device responds) for
alldevices is similar,itis likelythey are on the same network segment. Thus, you
could sketch a connectivitydiagram of the network (as shown in Figure 9-4).

,
Starting Nmap 5.21
Dayl ight Ti me

(http://nmap.org)

at 2010-00-00

Nmap scan report for router (192.168.1.1)

Host is up (0.005 latency).
MAC Address: 00:11:22:33:44:55
(Brand 1)
Nmap scan report for computer
Host is up (0.785 latency).
MAC Address: 00:22:33:44:55:66

(192.168.1.39)
(Brand

2)

Nmap scan report computer

(192.168.1.43)
Host is up (0.0105 latency).
MAC Address: 00:11:33:55:77:99
(Brand 3)
Nmap scan report for unknown
Host is up (0.0105 latency).
MAC Address:
00:12:34:56:78:9A
Nmap scan report
Host is up.
FIGURE93

for computer

Nmap Scan of a Small Network

device
(Brand

192.168.1.44
4)

(192.168.1.47)

12:32

Eastern

374

Chapter 9

Scanning the Horizon

Nmap has many options; an outsider can fingerprint Owners and users, identi~
common

services running on uncommon ports, map the connecnvrry

o.f (routes

between) machines, or deduce the real kind of unknown device. Notice that withoolya
couple of commands the attacker in the two examples shown learns
how many hosts there are
what their IP addresses are
what their physical (MAC) addresses are
what brand each is
what operating system each runs, and what version
what ports respond to service requests

what service applications respond, and what program and version theyare
running
how long responses took (which reveals the speed of various
ne t wark conner.
tions and thus may indicate the design of the network)
For lazy attackers, Nmap even has an opnon
.'
. by which
" It automa tirca lly 0"enerate;
a
specified number of random IP addresses and then scans those addresses. This POlOtlS
especially significant for computer security. If an attacker wants to exploit a vuloero'
bility known in a particular version of some software, the attacker does not need IO ron
the attack repeatedly against
many systems that run a different
version-c-o r even
.' dl ffer,
.
'.
ent software entirely.
Instead,
the
attacker
first
runs
an
Nmap
scan
eit
er
"
.
. h picking, sal
10,000 addresses at random, or picking all addresses in a specified range, SOl,
O
W
10 .200**.
"" use a
hen Nmap returns Its results from all these scans, the attac ker can
simp
e text e diitor to select from the large output only those lines Iidenuifyning the des"'"
.
I
software version.

U!ln~l: KNOWLEDGE AND EXPOSURE

. . afterp
You
is the harm is of someone knowing machines and services,
II thmight ask what
h
a,
e reason t e ports are open IS
data. A scanner IS
. to mterchange
.
. JUs
. t pickingu
data the machines voluntarily divulge
'5
Th'k'
,
&~
,m mstead of two houses in a neighborhood a burglar is casmg.
b tWO
nothmg about the first house. As to the second house he knows it is occupied Y '0
people, whose bedroom is On the upper floor. The couple
have a dog, whic, h sleeps
, hlly
'
I
the hbasement behind a closed door. They always leave a back window open shg 0
soht e cat can get in
and out And one of the occupants recently sprame
'to
. dh ei'ankle,s
I I .
sh e b
moves
s
ow
Y and with
some
pam,
Clearly
the
second
house
IS
more
a
"
.
uracuw 0
I
.
the
t e urgar,. in part because he can plan an attack that capitalizes on, icsknoW
of'
vulnerabilities In that house. Thus, unnecessarily exposing charactenst
computing system can be harmful.
'0
N

etwor an vu nerabllJtyscanners,
of which Nmap is only one examp Ie, havet- [1l
..
d
purposes, one goo and One bad, The good use is by network adm imsrrators
which
. .
or syste
owners who Will explore their networks with the tool. The tool Will report

RECU

Recurring Thread: Legal-Are

Port Scans Legal?

37S

devices may be running out-of-date and vulnerable versions of software that should be
upgraded or which ports are unnecessarily exposed and should be closed. Administrators of large networks may use a scanner to document and review all the devices connected to the network (because new devices may be added to the network at any time).
But of course, as we have shown, the bad use of a network scanner is to allow an
attacker to learn about a system. (The law is not settled as to whether scanning computers without permission is illegal, as described in the following legal thread.) Because of
the importance of the good use, sound commercial software companies continue to
improve the uses and usahility of network scanners which, unfortunately, also supports
the bad use.

RECURRING THREAD: LEGAL-ARE

PORT SCANS LEGAL?

While legal cases involving port scanning (without follow-up hacking attacks) are rare,
they do happen. One of the most notable cases involved a man named Scott Moulton
who had an ongoing consulting contract to maintain the Cherokee County, Georgia,
emergency 911 system. In December 1999, he was tasked with setting up a router connecting the Canton, Georgia, police department with the 91 I center. Concerned that
this might jeopardize the 911 center's security, Scott initiated some preliminary port
scanning of the networks involved. In the process he scanned a Cherokee County web
server that was owned and maintained by a competing consulting firm named VC3.
They noticed the scan and emailed Scott, who replied that he worked for the 91 I center
and was testing security. VC3 then reported the activity to the police.
Moulton lost his 911 maintenance contract and was arrested for allegedly violating
the Computer Fraud and Abuse Act of America Section 1030(a)(5)(B). This act applies
against anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage" (and meets other requirements).
The damage claimed by VC3 involved time spent investigating the port scan and
related activity. Moulton sued VC3 for defamation, and VC3 countersued for violation
of the Computer Fraud and Abuse Act as well as the Georgia Computer Systems
Protection Act.
The civil case azainst
Moulton was dismissed before trial, implying a complete lack
b
of merit. The ruling made many Nmap users smile:
Court holds that plaintiff's
put test of defendant's

act of conducting an unauthorized port scan and through-

servers does not constitute

a violation

of either the Georgia

Computer Systems Protection Act or the Computer Fraud and Abuse Act.-Civ.

Act.

No. I :00-CV-434- TWT (N.D. Ga. November 6, 2000).

The basis of the opinion involved Moulton's motive. There was no allegation of
maliciousness; in fact, his action was specifically to prevent harm. Thus, the court
stated:
The public
Moulton's

data stored on Defendant's

network was never in jeopardy.

actions never threatened the pub tic health and safety.

Plaintiff

376

Chapter 9

VIJI,NlmABIU'I'Y:

Scanning the Horizon

REVEALING TOO MUCH

A computer device or network can ,introduce a vu Inera bili

I rty
b Y giiving away toomuc~
information, ' Consider two examples of the login
in prompt
orornot tth a t you have seen many
times:
Enter
Enter

**

user IO:
password:

MyIO
PASSI

ERROR: Incorrect

**

password

versus
Enter
Enter

**

user IO:
password:

MYIO
PASSI

ERROR: unacceptable

user

ID or

password

**

In the first example, the attacker has learned that MylD is a valid
,
, system lD, whil,
the second form says only that one or the other or both are mva
I
,
,
t'ons
' r d The first cs
reduces the attacker's work sIgnificantly:
Instead of needing
M ID
' ,
ing to
to try
try man
many combinen
of user ID and password, the attacker need only find a password that matchesI'd~ser
There is no advantage for the system to give out too much information. A va I ker
who mistyped or forgot a paSSword will soon remedy the problem, w erea s an attac m'.
h
who now knows a valid
valuable know Ie d ge that
, reduces
' user's !D, has gained
,
attack work factor,
I of

. .
"
. urn 'amounodel,
SImIlarly,
systems can be configured to divulge
the mllllm.
information. Some service applications respond immediately with the" make, m
and version number, like the following line taken from Figure 9-2:
443

tcp

open

http

syn-ack

Apache

2.2.3

((entOS)

. version
Although some client software might need to know the server is runlllng
nlila
2.2.3 for compatibility, it may be possible to defer revealing that informatIOnrtUscan.
connection has been established and it is clear the activity is not merely a po have
Not all servers give that option, however. Thus, system administrators may not
fullScontrol over how much detail of their network is revealed.
. h uld
d
'
,
A
rvrce
sd0sys'
ystem
a
ffilmstrators
do
have
COntrol
over
open
ports,
however.
se
b
e active, meanlllg
, a servICe
. application should be running only if It
., IS ne ~u ,
sary
d
tem a mlnJstrators
should regularly scan their network to ensure that on ly~
"
ports are active.

VIJI,NllIlABIU'I'Y: ALLOWING INTERNAL ACCESS

' ..
, depth in Chapters 3, 4, and 6, an dwe",i~
We
In
are<!
h explored software vulnerabilities
in trhe rest 0f' this book; you can get an idea of how numerous and v
ot ers III
software VUlnerabilities are by the way they appear throughout this book,

Countermeasure:SystemArchitecture

377

An attacker with a port scan can use knowledge of running software and network
architecture to inject an attack on a specific network computer that shows up on the

scan. Such an attack can cause two difficulties. First, achieving some degree of control
of a target machine may let the attacker access other machines not accessible from outside the network. A router, specifically, is a connection between two subnetworks.
Although a port scan may reveal only one side of a router's connectivity,

that of the

visible subnetwork, once the attacker has compromised the router, the attacker can
continue, through the router, to explore and attack machines on the router's internal

network side. Routers tend to be quite stable devices, not subject to most software vulnerabilities,

but other network hosts may connect to two or more networks, so this

vulnerability is a problem with any such device.

The other problem raised by an attacker's compromising

a networked machine is

that now the attacker will appear to other network components as an insider, presum-

ably more trustworthy and often with greater privileges than an outsider. As you know,
you must consider vulnerabilities

not as isolated problems but as potential links in a

longer chain of additional vulnerabilities, compromises, and harm.

Thus, to summarize, a port scan is often an attacker's first step, useful for reconnaissance. Some ports and services are necessary for a network to interact with other net-

works, so they cannot be shut off, blocked, or otherwise quieted. An attacker is likely
to learn something of a network's design and composition. However, we can limit the
harm of a port scan in several ways. First, we can structure a network so that it has the
minimum

number of visible devices. We can strive for few software vulnerabilities

in

those devices that are visible. And a specific security device called a firewall makes
that minimum

number exactly one and has a simple structure to reduce the likelihood

of software vulnerabilities.

In the next sections we consider system architectures and

firewal!s.

(;OIJN'I'IIIUII\i\SlJIUI: SYSTEM ARCHITEGURE

If you are trying to limit the information a port scan reveals about a network and its
hosts and services, the natural approach is to segment the network, with many hosts on

segments that are not immediately visible to the outside.

As an example, think about a typical hospital telephone system. Some functions,
such as human resources or patient services, need to accept calls directly from outsid-

ers, and those telephone numbers could be published in a directory. But you do not
want the telephone number of the operating room or the diagnostics laboratory or even
housekeeping or maintenance to be readily available to outsiders. The hospital would
publish a

general

operator's number; if an outsider has a convi.ncing reason to need to

be connected with the operating room, the operator can determine that and forward the
call or perhaps redirect it to someone else who can be of better assistance. Certain
executives may have administrative assistants who screen ~elf ~alls, ~lIowlllg some
throuzh immediately, taking messages for others, and redirecting still others. The
archit~cture implicit in this description of a hospital's telephone s~rvice is of a small
number of externally accessible phones, and a few other choke points that screen and
redirect all other calls.

378

Chapter 9

Scanning the Horizon

A similar situation OCcurs with networks. Compare the network of Figure 9.5(,)to
that of Figure 9-5(b). In Figure 9-5(a), all five computers A-E are visible to theoutsI"
network, whereas in Figure 9-5(b) only computer A is visible. The network of devie.
B-E in Figure 9-5(b) is known as a protected subnet, and device A is called a dual
homed gateway.
Architecture (a) affords some advantages over architecture (b). First, hostA
becomes a single point of failure; If gateway A is not available for any reason, it cannrn
pass traffic to or from B-E, meaning they are effectively disconnected from theno.
work. Furthermore, the gateway device A becomes a potential bottleneck, so devices]
through E share access through A; if A is slow Or if one of B-E consumes a larg'
amount of network bandwidth, the other machines' performance suffers.
We can even expand the notion of protected subnets to two or more subnets,~
shown in Figure 9-6. The three subnets could be for separate departments or uw
groups, or they could be allocated geographically. Of course, the more subnets gateway
A supports, the more risk if device A fails.

Reconfiguring the architecture of a network limits or complicates movement,but it

does not address the central security goal of controlled access. To accomplish thatwe
depend on a device called a firewall, which we describe next.

(;OIJN'I'llIUIIIASIJIUI:

FIREWALL

Firewalls in buildings, as their name implies, are walls intended to inhibit the spreadof
fire from One part of a bUilding to another. Firewalls are bu iIt of materials that Witlstand fires of a particular intensity or duration; they deter fire spread but areom

(a)

FIGURE 9.5

(b)
(a) Visible Devices; (b) Less Visible Devices

Countermeasure: Firewall

379

Subnet 2

Subnet I
FIGURE 9-6

Multiple Protected Subnets

guaranteed or intended to stop a particularly intense fire. As computer security devices,

network firewalls are similar, protecting one subnet from harm from another subnet.
They are intended to block many sources of damage and to deter others.

What Is a Firewall?
The concept of a chokepoint and subnets and gateways leads us directly to firewalls,
one of the most important security devices for networks. Firewalls were officially
Invented in the early 1990s, but the concept really reflects the reference monitor
(described in Chapter 8) from two decades earlier. The first reference to a firewall by
that name may be by Marcus Ranum [RAN92]; other early references to firewalJs are
the Trusted Information Systems firewall toolkit [RAN94] and the book by Bill Cheswick and Steve Bellovin [updated as CHE02].
A firewall is a device that filters alJ traffic between a protected or "inside" network
and a less trustworthy or "outside" network. Usually a firewall runs on a dedicated
device; because it is a single point through which traffic is channeled, performance is
important, which means that only firewall functions should run on the firewalJ
machine.
In practice, a firewall is a computer with memory, storage devices, interface cards
for network access, and other devices. It runs an operating system and executes application programs. Often the hardware, operating system, and applications are sold as a
package, so the firewall application (a program) is sometimes also called a firewall.
Because a firewall is executable code, an attacker could compromise that code and
execute from the firewalJ's device. Thus, the fewer pieces of code on the device, the

380

Chapter

Scanning

the Horizon

fewer tools the attacker would win

runs on a proprietary or carefully
typically does not have compilers,
gramrning libraries, or other tools
firewall computer.

by compromising
the firewall. Firewall code usuall}
minimized operating system. The firewall system
linkers, loaders, general text editors, debuggers.pe
an attacker might use to extend all attack from the

The purpose of a firewall is to keep "bad" things outside a protected environment.

To accomplish that, firewalls implement a security policy that is specifically design.
to address what bad things might happen. For example, the policy might be to prevent any access from outside (while still allowing traffic to pass from the insideto
the outside). Alternatively, the policy might permit accesses only from certain places.
from certain users, or for certain activities. Part of the challenge of protecting a net.
work with a firewall is determining which security policy meets the needs of t~
installation.
People in the firewall community (users, developers, and security experts) disagre<
about how a firewall should work. In particular, the community
is divided about a fire'
wall's default behavior. We can describe the two schools of thought as "that which IS
not expressly forbidden is permitted" (default permit) and "that which is not expressl}
permitted is forbidden" (default deny). Users, always interested in new features, pre'
fer the former. Security experts, relying On several decades of experience, strongJ~
counsel the latter. An administrator
implementing
or configuring
a firewall mu51
choose one of the two approaches, although the administrator
can often broaden the
policy by setting the firewall's parameters.

Design of Firewalls
As we have described them, firewalls are simple devices that rigorously and effec
tively Control the flow of data to and from a network. Two qual ities lead to that effer
tiveness: a well-understood
traffic flow policy
and a trustworthy
design and
implementation.
Policy
A fi
II
.
. what
irewa lmplements
a security pOlicy, that is, a set of rules that determme
ute!
traffic can Or cannot pass through the firewall. As with many problems 111 camp
.
I'
.
.
.
._
secumy, we wou d Ideally like a simple pOlicy such as "good" traffic can pa .
"b d" t ffi . bl k
'
". neither
a
ra IC IS
oc ed. Unfortunately
determinino
"good" and "bad IS
"
'1
J".
,
b
I\vor~
simp e nor a gonthmlc.
Firewalls come with example policies
but each ne I
d . .
,
1Cu~
a rrurusrraro- needs to determine what traffic should be allowed in a part
network.
An exam

If'
p eo

I fi
Th rahlris
a simp e newall configuration
is shown in Table 9-1.
e all's
processed from the top down, and the first matching rule determines
the firew",
actIOn. ThIS policy says any traffic to port 25 (mail transfer)
from port 80 (web p",
access), or to port 69 (so-called trivial file transfer) is aJlow~d to or from any
the 192.168.J
SUbnetwork; furthermore,
outside
traffic to destination
ad
192.168.J.l8
(presumably a web server) is allowed. All other traffic is denied.

hO~:

Countermeasure:
TABLE 9-1

Type

Example

Firewall

Configuration

Source Addr.

Destination

,
,

TCP
UDP
TCP

192.168.1.'

TCP

TCP

UDP

Addr.

192.168.1.

Destination

Port

Firewall

Action

25

Permit

69

Permit

80

Permit

192.168.118

80

Permit

192.168.1.'

Deny

192.168.1'

192.168.1.*

381

Deny

Trust

A firewall is an example of the reference monitor, a fundamental computer security

concept. Remember from Chapter 8 that a reference monitor has three characteristics:

always invoked
tamperproof
small and simple enough for rigorous analysis
A firewall is a special form of reference monitor. By carefully positioning a firewall
in a network's architecture, we can ensure that all network accesses that we want to

control must pass through the firewall. A firewall is positioned as the single physical
connection between a protected (internal) network and an uncontrolled (external) one.

This placement ensures the "always invoked" condition.

A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer, with direct connections only to
the outside and inside networks. This isolation is expected to meet the "tamperproof'
requirement. Furthermore, the firewall platform runs a stripped-down operating system
running minimal services that could allow compromise of the operating system or the
firewall application. For example, the firewall prohably generates a log of traffic
denied, but it may not have installed tools by which to view and edit that log; modifications, if necessary, can be done on a different machine in a protected environment. In
this way, even if an attacker should compromise the firewall's system, there are no
tools with which to disguise or delete the log entries that might show the incident.
Finally, firewall designers strongly recommend keeping the functionality of the firewall simple. Over time, unfortunately, demands on firewall functionality have increased
(such as traffic auditing, a graphical user interface, a language for expressing and
implementing complex policy rules, and capabilities for analyzing highly structured
traffic), so most current firewalls cannot he considered either small or simple. Nevertheless, firewall manufacturers have withstood most marketing attempts to add irrelevant functionality whose net effect is only to reduce the basis for confidence that a
fIrewall operates as expected.

382

Chapter 9

Scanning the Horizon

Types of Firewalls
Firewalls have a wide range of capabilities, but in general, firewalls fall into oneofa
small number of types. Each type does different things; no one type is necessarilyria
or better and the others wrong. In this section, we examine each type to see whatitj,
how it works, and what its strengths and weaknesses are. In general, screening routers
tend to implement rather simplistic security policies, whereas guards and proxy gse
ways have a richer set of choices for security policy. Simplicity in a security pohcyo
not a bad thing; the important question to ask when choosing a type of firewalliswhl
threats an instaHation needs to counter.
Because a firewall is a type of host, it is often as programmable as a gooct-qualiry
workstation. While a screening router can be fairly primitive, the tendency is tolmple.

ment even routers on complete computers with operating systems because editorsana
other programming tools assist in configuring and maintaining the router.Howeve,r.
firewall developers are minimalists: They try to eliminate from the firewall alllhat~
not strictly necessary for the fIrewall's functionality. There is a good reason fortID;
minimal constraint: to give as little assistance as possible to a successful attacker.ThU\
fuewalls tend not to have user accounts so that, for example, they have no passwo
file to conceal. Indeed, the most desirable firewall is one that runs contentedly lfl'
back room; except for periodic scanning of its audit logs, there is seldom a reasooro
touch it.
Network Technotogy Background

Before we describe firewalls, we need to explain a bit of network technolo~1

Figure 9-7 depicts what is known as the ISO Open Systems Interconnect (OSI) mod'
of networking. In this model, data are generated at the top layer (7_Application) b)
I
some app icanon
rt
. program. Then the data pass through the
'.~other six layers;
layer the data are reformatted packaged and addressed For example the rraaspo
Iayer performs error checking
. I,
and correction to ensure a. reliable data 'he
flow, t nclk I
war .ayer handles addressmg to determine how to route data and the data I'an k lay"
,_,
divid
d
.
,
hySleivr es ata mto manageable blocks for efficient transfer. The last layer, the p irt~
layer, deals with the electneal or other technology by which signals are rransm
7 - Application
6 - Presentation

7- Application
6 - Presentation

5 -Session

4- Transport

5-Session
4 - Transport

3-Network

Zr-Data Link

3-Network
2-Data Link

I-Physical

I-Physical

FIGURE 9-7

OSI Reference Model

Countermeasure:

Firewall

383

across some physical medium. At the destination, the data enter at the bottom of a
similar stack and travel up through the layers, where addressing details are removed
and items are again repackaged and reformatted. Finally, they are delivered to an
application on the destination side. Each layer plays a well-defined role in the communication. This architecture is more conceptual than actual, but it facilitates
discussion of network functions.
Different firewall types correspond to different threats. Consider the port scan
example with which we began this chapter. Suppose you identified an attacker who
probed your system several times. Even if you decided your defenses were solid, you
might want to block all outside traffic-not
just port scans-from
the attacker's
address. That way, even if the attacker did learn of a vulnerability in your system, you
would prevent any subsequent attack from the same address. But that takes care of only
one attacker at a time.
Now consider how a port scan operates. The scanner sends a probe first to port I,
then to pons 2, 3, 4, and so forth. These pons represent services, some of which you
need to keep alive so that external clients can access them. But no normal external client needs to try to connect to all your pons. So you might detect and block probes from
any Source that seems to be trying to investigate your network. Even if the order of the
probes is not 1-2-3-4 (the scanner might scramble the order of the probes to make their
detection more difficult), receiving several connection attempts to different ports from
the same source might be something to stop after you had seen enough probes to identify the attack. For that, your firewall would need to record and correlate individual
connection probes.
A different network attack might target a specific application. For example, a flaw
might be known about version x.y of the brand z web server, involving a data stream of
a specific string of characters. Your firewall could look for exactly that character string
directed to the web server's port. These different kinds of attacks and different ways to
detect them lead to several kinds of firewalls. Types of firewalls include
packet filtering gateways or screening routers
stateful inspection firewalls
application-level
circuit-level

gateways, also known as proxies

gateways

guards
personal firewalls
We describe these types in the following sections.
Packet Filtering Gateway
A packet filtering gateway or screening router is the simplest, and in some situations, the most effective type of firewall. A packet filtenng gateway controls access on
the basis of packet address (source or destination) or specific transport protocol type
(such as HTTP web traffic), that is, by exarrunmg the control information of each SIngle packet. A firewall can screen traffic before it gets to the protected network. So, if
the port scan originated from address 100.200.3.4, you might configure the packet filtering gateway firewall to discard all packets from that address. FIgure 9-8 shows a

384

Chapter 9

Scanning the Horizon

HTrP

FIGURE 9-8

Packet Filter

packet filter that blocks access from (or to) addresses In

. one networ k:,t he filterallows
HlTP traffic but blocks traffic by using the Telner protocol.
Ilyonl~
Packet filters do not "see inside" a packet; they block or accept packets so field (f~
basis of the IP addresses and ports. Thus, any derails
. In
. t h e pac
. k e.t's data . Ibeyon~
example, allowing certain Telnet commands while blocking other services) IS
the capability of a packet filter.
II'dilyof
Packet filters can perform the very Important
service
of ensunn'gtheva h reaSOns
.
.
inside addresses. Inside hosts typically trust other inside hosts for all td~linguis~
described as charactenslIcs of LANs. But the only wayan inside host ca n
Source
another inside host is by the address shown in the source field of a message~s com'
addresses in packets can be forged, so an inside application might think It W kelfil.
municating with another host on the inside instead of an outside forger':J:c
pack"
ter SIts between the lIlslde network and the outside net, so It can kno
creening
from the outside is forging an inside address, as shown in Figure 9-9. A s laim
erl
packet filter rnighr
be configured to block all packets from the OutSI'de rhat c blackS
.
their source address was an inside address. In this example, the packet filte~bUI,
of
all packets claimjng to come from any address of the form 100.50.25.x aceep"
Course, II
. permns
'. III any packets with destination 100.50.25.x. ) A pac ket filterIIYpe-or rejects solely according to the header information-address,
size, protoc~ckel filof each packet by itself. Such processing is simple, efficient, and fast,. so a p bvio
usly
tering firewall often serves as a sturdy doorkeeper to quickly eliminate 0
unwanted traffic.
. plici~
.
.
.
. n of dsun
The pnmary
dIsadvantage
of packet filtering routers is a combinatio
fiIleri g,
n
and complexity. The router's inspection is simplistic; to perform sophisticate
lexand
the filtering rules set needs to be very detailed. A detailed rules set will beGO:~pleand
therefore prone to error. For example, blocking all port 23 traffic (Telnet) IS

Countermeasure: Firewall

385

Sec: other addresses

,
Src: 10150.25.X

100.50.25.x Network

..
I
~

FIGURE9-9

Packet Filter Screening Outside Hosts

straightforward. But if some Telnet traffic is to be allowed, each IP address from which
it is allowed must be specified in the rules; in this way, the rule set can become
very long.
Statefullnspection Firewall
Filtering firewalls work on packets one at a time, accepting or rejecting each packet
and moving on to the next. They have no concept of "state" or "context" from one

packet to the next. A stateful inspection firewall maintains state information from one
packet to another in the input stream.
Recall the description of observing probes against ports 1,2,3,4,
and so forth; that
activity is an example of the use of a stateful inspection firewall. By itself, a probe
against port I is meaningless; it is most likely a legitimate attempt to connect to the
service of port I, but it could also be a single mistake, or the start of a port scan attack.
The firewall records that address 100.200.3.4 sent a connection packet to port I at
01 :37.26. When the probe against port 2 arrives, the firewall may record the second
connection from 100.200.3.4, at 01:37.29. After two more connections at 01:37.34 and
01:37.36, the next connection at 01:37.39 meets the firewall's rule for number of different ports in a short time, so it activates the rule to block connections from
100.200.3.4, as shown in Figure 9-10. The firewall progresses through several states
(the count of connection requests from address 100.200.3.4) from different packets
until the count exceeds the threshold for acceptable behavior. The name stateful inspection refers to accumulating threat evidence across multiple packets.
One classic approach used by attackers is to break an attack into multiple packets by
forcing some packets to have very short lengths so that a firewall cannot detect the
characteristic of an attack split across two or more packets. A stateful inspection

386

Chapter 9

Scanning the Horizon

10.1.3.1:4-.

10.1.3.1:3-.

10.1.3.1:2-.
10.1. .1:1

10.1.3.1
Further
10.1.3.I:x

trT

~~

FIGURE 9-10

Statefullnspection Blocking Multiple Probes

firewall would track the sequence of packets and conditions

..
to thwart such an attack.

from one pac ketto aooth

Application Proxy
Packet filters look only at the headers of packets, not at the data mSI
g ruM
. .de the .packe~
Therefore, a packet filter would pass anything to port 25, assurnmg
Is
metim"
. it screerun
allow inbound connections to that port. But applications are complex and
act on
contain errors. Worse, applications (such as the email delivery agent) a ten sto
behalf of all users, so they require the privileges of all users (for example"onto ru'
inCOming mail messages so that inside users can read them). A flawed appltcatl ,
ning with all-users privileges, can cause much damage.
h t sim '
u
An application proxy gateway: also called a bastion host, is a firewal~lt ;eque,~

/0

Iates the (proper) effects of an apphCatlOn so that the application receives 0id~as ifill'
to act properly. A proxy gateway is a two-headed device: It looks to the Ins h 'nsid~
the outside (destination) connection, While to the outside it responds just as tel
would.
. mail~
I
An appd rcanon
proxy
runs
pseudoapplications.
For
instance,
w
en
e
.
h
JectronJC atthe
I
trans
f
erre
to
a
ecano,
.
a
sending
process
at
one
site
and
a
receivmg
..
process
'1 ans
d
.
'.
..
fa
mal
tr fer
esunation commuJ1lcate by a protocol that establishes the legitimacy 0
d destin.
and then actually transfers the mail message. The Protocol between sender an of this
tion is carefully defined. A proxy gateway essentially intrudes in the middle

Countermeasure: Firewall

387

protocol exchange, seeming like a destination in communication with the sender that is
outside the firewall, and seeming like the sender in communication with the real destination on the inside. The proxy in the middle has the opportunity to screen the mail
transfer, ensuring that only acceptable email protocol commands are sent to the destination.
As an example of application proxying, consider the FIP (file transfer) protocol.
Specific protocol commands fetch (get) files from a remote location, store (put) files
onto a remote host, list files (Is) in a directory on a remote host, and position the process (cd) at a particular point in a directory tree on a remote host. The commands of
the FIP protocol are actually a subset of commands a user could execute from a workstation to manipulate files. Some administrators might want to permit gets but block
puts, and to list only certain files or prohibit changing out of a particular directory (so
that an outsider could retrieve only files from a prespecified directory). The proxy
would simulate both sides of this protocol exchange. For example, the proxy might
accept get commands, reject put commands, and filter the local response to a request
to list files.
To understand the real purpose of a proxy gateway, let us consider several examples.
A company wants to set up an online price Jist so that outsiders can see the

products and prices offered. It wants to be sure that (a) no outsider can change
the prices or product list and (b) outsiders can access only the price list, not any
of the more sensitive files stored inside.
A school wants to allow its students to retrieve any information from World
Wide Web resources on the Internet. To help provide efficient service, the
school wants to know what sites have been visited and what files from those
sites have been fetched; particularly popular files will be cached locally.
A government agency wants to respond to queries through a database management system. However, the agency wants to screen results so that no names or
identification are returned in results---only counts in categories.
A company with multiple offices wants to encrypt the data portion of all email
to addresses at its other offices. (A corresponding proxy at the remote end will
remove the encryption.)
Each of these requirements can be met with a proxy. In the first case, the proxy
would monitor the file transfer protocol data to ensure that only the price list file was
accessed and that the file could only be read, not modified. The school's requirement
could be met by a logging procedure as part of the web browser. The agency's need
could be satisfied by a special-purpose proxy that interacted with the database management system, performing queries but filtering the output. A firewall application could
encrypt and decrypt specific email messages for the last situanon. These functions are
shown in Figure 9-11.
..
.
The proxies on the firewall can be tailored to specific requirements, such as logging
details about accesses.They can even present a common user interface to what may be
dissimilar internal functions. Suppose the internal network has a mixture of operating
system types, none of which support strong authent~cat~on through a challengeresponse token. The proxy can demand strong authentication (name, password, and

388

Chapter 9

Scanning the Horizon

Filtered

commands

ocec

Logging
File

cache
FIGURE 9-11

Proxy

Firewall Functions

challenge-response),
validate the challenge-response
itself,
.
. an d t.h en pass 00 ci~
onl'
simple name and password authentication details in the form required by a spe
internal host's operating system.
,
, !]J[//J
The distinction between a proxy and a screening router is that the PI~oxyI;;'~ntil<
the Protocol stream to an application, to control actions through the firewa
basis of things visible within the Protocol, not just on external header data,
Circuit-Level Gateway
A circuit-level gateway is a firewall that essentially allows one network to !JeW
a\'it.
extension of another. It operates at level 5, the session level, an d It
un.
iOJaio~
i f cuons as
tual gateway between two networks. A circuit is a logical connection that IS n~ circuit
for a period of time, then torn down or disconnected. The firewall verifies t ~sfe~
when it is first created. After the circuit has been verified, subsequent data tra eetio.
Over

the

circuit are not

checked. Circuit-level

can be made through the gateway.

gateways

can

limit

which conn

rk Su~

One use for a circuit-level gateway is to implement a virtual private netw~ I.xand
pose a company has two offices, each with its own network, at addresses I OO'h' 50 tWO
200.l.l.x. Furthermore, it wants to ensure that communication
between tete"!
'. pnvate, so It
'. msta IIs a pair of encryption devices. Th e CIIC
. uit -.level go9.[2.
a dd resses IS
separates all traffic to and from the 100 and 200 networks as shown In
0
two .
. Floure
d
. figure shows only the 100 network; a parallel structure '.exists on t h200
ThIS
e 0e sh an
.
. gateway on the 100 network routes all 200 network tra ffic
The CIrcuit
I throUa
the200
encryplion
When traffic returns the main firewall routes all tra ffic
I from aj In
. deVIce.
.
network
through the encryptIon
unit.' (for decryption) and back to the 100 0'ateWffie. ",
.
h

ffi'
I'
~~
t IS way, tra c invo ving the 100 and 200 networks is screened (so no a
fidene .'
ti
masquerade as part of this pair of protected networks), and encrypted for can
ity. Virtual private networks are described in more detail in Chapter 11.

Countermeasure:

Firewall

389

100.1 l.x network

Circuit

gateway

,
To

Yes

200. 1. I.x?

c:=-===:::,
DODO

Encryption
No

Main
firewall

FIGURE9-12

Circuit-Level Gateway

Guard
A guard

is a sophisticated

firewall. Like a proxy firewaJl, it receives protocol data

units, interprets them, and emits the same or different protocol data units that achieve
either the same result or a modified result. The guard decides what services to perform
on the user's behalf in accordance with its available knowledge, such as whatever it can
reliably know of the (outside) user's identity, previous interactions, and so forth. The
degree of control a guard can provide is limited only by what is computable. But
guards and proxy firewalls are similar enough that the distinction between them is
sometimes fuzzy. That is, we can add functionality to a proxy firewall until it starts to
look a lot like a guard.
Guard activities can be quite detailed, as illustrated in the following examples:

university wants to

allow its students to use email up to a limit of so many

messages or so many characters of email in the last so many days. Although

this result could be achieved by modifying email handlers, it is more easily
done by monitoring the common point through which all email flows, the mail
transfer protocol.
A school wants its students to be able to access the World Wide Web but,
because of the capacity of its connection to the web, it will allow only so

390

Chapter 9

Scanning the Horizon

many bytes per second (that is, allowing text mode and simple graphicsb~
disallowing complex graphics, video, music, or the like) .
A library wants to make available certain documents but, to support fairuseof
copyrighted matter, it will allow a user to retrieve only the first so many charters of a document. After that amount, the library will require the user 10 paya
fee that will be forwarded to the author.
A company is developing a new product based on petroleum and heliumg~
code-named "light oil." In any outbound data flows, as file transfers, em~.
web pages, or other data stream, it will replace the words "petroleum:'
"helium," or "light oil" with "magic." A firewall is thought of primarilyas"
inbound filter: letting in only appropriate traffic (that which conforms 10 m,
firewall's security policy). A firewall or guard can easily screen outboundtml'
fic in this instance .
A company wants to allow its employees to fetch files by FTP.

However,10 pre'
vent introduction of viruses, it will first pass alJ incoming files througha vuUl
scanner. Even though many of these files will be nonexecutable text or grop~'
ics, the company administrator thinks that the expense of scanning them(whi~
file shall pass) will be negligible.

I,"

Ii
"
""

Each of these scenarios can be implemented as a modified proxy. Because thepro.I!

decision is based on Some quality of the communication data, we call the proxyaguaJd
Since the security policy implemented by the guard is somewhat more complex
acuon of most proxies, the guard's code is also more complex and therefore moreexpod
to error, Simpler firewalls have fewer possible ways to fail or be subverted. An example
a guard process is the so-called Great Firewall of China, described in Sidebar 9.1.

than:

Personal Firewalls
F
.
. studentsand
rrewa II s typicaliy
protect a (sub)network of multiple hosts. University
.. ,
I
. a ffiIces are behind
. a real firewall. Increasingly, home users, I.ndivld"
emp oyees ill
, 'ed
workers, and small businesses use cable modems or DSL connections with unfirnt
ways-on access. These people need a firewall, but a separate firewall comp ed
protect a single workstation can seem too complex and expensive. These peoplenc a
firewall's capabilities at a lower price.
k
A pe
I fi
II .
'.
, to blllO
rsona rrewn IS an apphcatlOn program that runs on a workstaliOn
th
unwanted traffic, usually from the network. A personal firewall can complement '
.
war k a f a conventIonal
firewall by screening the kind of data a single host WI'IIacrep'
caW
or 11 can compensate for the lack of a regular firewall, as in a private DSL or

u.

modern connection.

Just as a network firewall screens incoming and outgoing traffic for that networ;;,'
personal firewall screens traffic on a single workstatl'on A workstation could be I
bl
r '
..
c

pletS.
nera eta ma ICIOUScode or mahclous active agents (ActiveX controls or Java ap 'n
leakage of personal data stored on the workstation, and vulnerability scans to ide;~S
potentIal weaknesses. Commercial implementations of personal firewalls included"
Endpomt ProtectlOn from M A'
FS
'
ft WiD0
.
lee, - ecure Internet Security, Microse
Flfewall,
and Zone Alarm fromC CheckPo'
t
m.

Countermeasure: Firewall

Great Firewall of China

391

Sidebar 9-1

ulers in the People's Republic of China want to control data to which their residents have
access. Content companies like Google and Yahoo/Microsoft have been told that if they want
to do business in China they need to employ special versions of their web applications that filter
out"offensive words." When Skype wanted to enter the Chinese market, they were similarly told
they had to scrub text messages; the result: Skype text now eliminates words such as "Falun
Gong"and "Dalai Lama."
Bloomberg Business News reports that China employs 30,000 people to monitor content
on web sites and report on ones that violate standards [ELG06]. All Internet traffic passes
through a bank of government-controlled firewalls. Any email or text messages that contain
bannedwords are dropped at the firewall.
As a condition of doing business in China, Google was asked to provide a special search
capabilitythat would not allow access to certain banned sites or render unacceptable content.
Tiananmen is one sensitive term, as is June 4 (the date of the uprising); enter those into a
searchengine and, according to CNN, you obtain the result "According to relevant law and regulations,the results are not displayed." But enter 8x8, which of course evaluates to 64 or 6/4, the
abbreViationfor June 4, and you may find some blog entries that have not yet been censored
[SHAll]. Facebook and Twitter are, of course, censored, but people find crafty ways to evade
thatcensorship.
After complying with Chinese restrictions for several years, Google officially left mainland
Chinain Summer 2010. Initially, Google's traffic was redirected to servers in Hong Kong, techniCallyChinese but operating with great freedom. Chinese firewalls and addressing servers redirectattempts to reach external sites.
Although not technically a firewall, the Great Firewall of China, formally known by the more
appealing name Golden Shield Project, certainly performs firewall functions. However, as the
Citedexamples show, filtering content is more difficult than screening addresses.

The personal firewall is configured to enforce some policy. For example, the user
may decide that certain sites, such as computers on the company network, are highly
trustworthy, but most other sites are not. The user defines a policy permitting download
of code, unrestricted data sharing, and management accessfrom the corporate segment
but not from other sites. Personal firewalls can also generate logs of accesses, which
can be useful to examine in case something harmful does slip through the firewall.
Combining a virus scanner with a personal firewall is both effective and efficient.
Typically, users forget to run virus scanners daily, but they do remember to run them
occasionally, such as sometime during the week. However, leaving the virus scanner
execution to the user's memory means that the scanner detects a problem only after the
fact-such as when a virus has been downloaded in an email attachment. With the
combination of a virus scanner and a personal firewall, the firewall directs all incoming

email to the virus scanner, which examines every attachment the moment it reaches the
target host and before it is opened.
A personal firewall runs on the very computer it is trying to protect. Thus, a clever
attacker is likely to attempt an undetected attack that would disable or reconfigure the
firewall for the future. As described in Sidebar 9-2, users can defeat the secunty policy

392

Chapter 9

Scanning the Horizon

Poking a Hole in the Firewall

Sidebar 92

irewalls have clear security benefits, but sometimes they prevent well-intentioned usersfrom
accessing needed data and functions. For instance, firewalls usually prevent a user onone
system from using the File Transfer Protocol (FTP) to upload or download files on another system
For this reason, someone inside the firewall sometimes "pokes a hole" through the firewall sothata
trusted outsider can get in temporarily. These holes allow files to be shared, applications to be
accessed, and more. Technically called an SSH backdoor, the firewall hole can be set up in vario~
ways. Once the outsider's work is done, the insider closes up the hole and protection is restored:
Some operating systems allow firewails to be intentionally breached. For example, Win'
dows XP formally allows a user to create the hole by setting "exceptions" on the administrative
screen for the Windows firewall, Shown in Figure 9-13. The exceptions can either open a port01,
preferably, enable a specified program or service to have access within the firewall.

i
,

e:::.....f 6!I,.-:"'e--"",,,,1'l

No

N.
N.
No
No

(...
-le .......
Je

f...

8t'lti1dov~~~t

....

I:6:lcb.tlWl'J ..

[""
FIGURE9-13

Firewall Exceptions

What are the downsides of such firewall breaches? Ever thin

that this chapter haS
descrrbed, In terms of inadvertently allowing others to squeeze t~rou~h the hole at the same
time. SO IS It ethical to poke a hole in a fireWall? 0 I ft
b
I'Stempora~,
d .
.
. .
. n y I I IS a solutely necessary,
lan IS done with the Permission of the system administrator. Such situations may arise in
gencles, When protected Information or services are needed to address unusual problems.
challenge IS to ensure that the emergency does not b
.

e';e

ecome standard

practice.

--#.r
~

'!-:.'

'tJ'J'0"C

"""''''',,'lii'''l;1:.:i~~'''T..,.:l:lI~~~,;
..tl;i;;WJIii;..,ol:L1J''r''''

Countermeasure: Firewall

393

of their own firewall. You learned in Chapter 8 that code that hooks into an operating
system can be a rootkit itself, a potential threat, while on the other hand, such code can
be vulnerable to a crafty attack through the operating system by a rootkit. Still, especially for cable modem, DSL, and other "always on" connections, the static workstation is a visible and vulnerable target for an ever-present attack community. A personal
firewall can provide reasonable protection to clients that are not behind a network
firewall.

Comparison of Firewall Types

We can summarize the differences among the several types of firewalls we have studied in depth. The comparisons are shown in Table 9-2. Firewall types are arranged generally from least sophisticated on the left to more so on the right, with the exception of
personal firewalls, which are more like an enterprise packet filter. Do not, however,
interpret least sophisticated as meaning weakest or least desirable; in fact, packet
filtering firewalls are the workhorses of enterprise networks, quickly and efficiently

TABLE 9-2

Comparison

Packet Filter

of Firewall Types

Stateful
Inspection

Application
Proxy

Circuit
Gateway

Guard

Personal
Firewall

Simplest
decision-making
rules

More complex

Even more
complex

Between packet
filter and
stateful
inspection

Most complex

Similar to
packet filter, but
getting more
complex

Sees only
addresses and
service
protocol type

Can see
addresses
and data

Sees and
analyzes ful!
data portion
of pack

Sees addresses
and data

Sees and
analyzes full
content of data

Can see full data

portion

AUditinglimited
because of speed
IImaations

Auditing
possible

Auditing likely

Auditing likely

Auditing likely

Auditing likely

Screens based on
connection rules

Screens based
on information
across multiple
packets-in
either headers
or data

Screens based
on behavior of
application

Screens based
on address

Screens based
on interpretation
of content

Typically
screens based on
content of each
packet
individually,
based on
address or
content

Usually
preconfigured to
detect certain
attack signatures

Simple proxies
can substitute
for complex
decision rules,
but proxies must
be aware of
application's
behavior

Relatively
simple
addressing
rules make
configuration
straightforward

Complex guard
functionality;
can be difficult
to define
accurately

Usually starts in
mode to deny all
inbound traffic;
adds addresses
and functions to
trust as they
arise

Complex
addressing rules
Can make
configuration

"icky

394

Chapter 9

Scanning the Horizon

blocking much undesirable traffic. As you study this table, bear in mind that firewalk
like many other commercial products, are caught in marketing wars. Productsmat
started as simple packet filters SOon began to appear with functions more nonnally
found in stateful inspection and application-level firewalls. Thus, few productsnowfit
the crisply distinct definitions of types just presented, and the cells of this mfile
describe fundamental properties that may be enhanced in practice.
Example Firewall Configurations
Let us look at several examples to understand how to use firewalls. We presentsitua.
tions designed to show how a firewall complements a sensible security policyM~
architecture.
The simplest use of a firewall is shown in Figure 9-14. This environment haS'
screening router positioned between the internal LAN and the outside network connee.
tion. In many cases, this installation is adequate when we only need to screenme
address of a router.

,,

However, to Use a proxy machine, this organization is not idea/. Similarly, configm.
ing a router for a complex set of approved or rejected addresses is difficult. If thefire
wall router is successfully attacked, all traffic on the LAN to which the firewalltl
connected is visible. To reduce this exposure, a firewall is often installed on itsown
LAN, as shown in Figure 9-15. The firewall's LAN feeds traffic to a router for asep"
rate protected LAN of users' machines. In this configuration, the only traffic visihl,!'
th
'd o
e OutSI'd'e IS on t he firewall's LAN, whose data either came from the OutSIe
destined to go outside .

r.

Screening

as
Firewall -.

router

,.
~~

FIGURE 9-14

Screening Router

Countermeasure;

~~
~

Firewall

395

.-------Firewall

fiGURE 9-15

Firewall on Separate LAN

Proxying leads to a slightly different configuration. The proxy host-firewall communicates with both internal systems and the outside because it looks like an internal
host to the outside.
Examples of proxied applications include email, web page service, and file transfer.
We describe a proxy application for web page servers. A company has an internal web
structure, with pages describing products, customers, and perhaps internal contact
information. There is a protected database of products, including stock on hand, but the
company does not want to release exactly how many units of a product are on hand.
Thus, each time it is ready to display a product's page, the firewall queries the database
and, based on the result obtained, adds a line saying "available now" or "out of stock."
The firewall serves as a user's proxy to access the database on behalf of the outside
user but limits the information returned from the query.
A typical architecture for this situation is shown in Figure 9-16. The web page
server, also known as a bastion host, is on its own LAN, isolated from the main internal
LAN by a second firewall.
The same architecture can be extended, as shown in Figure 9-17. In this figure, the
externally accessible services, such as web pages, email, and file transfer, are on servers in the demilitarized
zone or DMZ, named after the military buffer space, sometimes called the "no man's land," between the territories held by two competing
armies.
In all these examples, the network architecture is critical. A firewall can protect only
what it can control, so if a subnetwork has external connections not screened by the
firewall, the firewall cannot control traffic on that unscreened connection. An example
is a device with its own direct Internet connection (perhaps a rogue wireless connection). As we saw earlier in this chapter, visibility to one device, perhaps via the wireless connection mentioned here, can give an attacker visibility and access to other

396

Chapter 9

Scanning the Horizon

Firewall

Firewall

Web page server

Database

FIGURE9-16

Application Proxy

I
I

DMZ

a!

Firewall

Web page server

~;
Email server

m'~

FrP server

(~OUN

Firewall

Database
FIGURE 917

tI

Demilitarized

Zone

Countermeasure:

Network Address Translation

(NAT)

397

devices. For this reason, it is critical that the only path to any protected network device
passes through the network's firewall.
Although these examples are simplifications, they show the kinds of configurations
firewalls protect. Next, we review the kinds of attacks against which firewaJls can and
cannot protect.
WhatFirewalls Can-and Cannot-Block
As we have seen, firewalls are not complete solutions to all computer security problems. A firewall protects only the perimeter of its environment against attacks from
outsiders who want to execute code or access data on the machines in the protected
environment. Keep in mind these points about firewalls.
Firewalls can protect an environment only if the firewalls control the entire
perimeter. That is, firewalls are effective only if no un mediated connections
breach the perimeter. If even one inside host connects to an outside address, by
a wireless connection for example, the entire inside net is vulnerable through
the wireless network interface and its host.
Firewalls do not protect data outside the perimeter; data that have properly
passed (outbound) through the firewall are just as exposed as if there were no
firewall.
Firewalls are the most visible part of an installation to the outside, so they are
the most attractive target for attack. For this reason, several different layers of
protection, called defense in depth, are better than relying on the strength of
just a single firewall.
Firewalls must be correctly configured, that configuration must be updated as
the internal and external environment changes, and firewall activity reports
must be reviewed periodically for evidence of attempted or successful intrusion.
Firewalls are targets for penetrators. While a firewall is designed to withstand
attack, it is not impenetrable. Designers intentionally keep a firewall small and
simple so that even if a penetrator breaks it, the firewall does not have further
tools, such as compilers, linkers, loaders, and the like, to continue an attack.
Firewalls exercise only minor control over the content admitted to the inside,
meaning that inaccurate data or malicious code must be controlled by other
means inside the perimeter.
Firewalls are important tools in protecting an environment connected to a network.
However the environment must be viewed as a whole, all possible exposures must be
considered, and the firewall must fit into a larger, comprehensive security strategy.
Firewalls alone cannot secure an environment.

COUN'I'1I1U1II1\SIJUII: NETWORK ADDRESS TRANSLATION (NAT)

Firewalls protect internal hosts against unacceptable inbound or outbound data flows.
However as shown earlier in this chapter, sometirnes an outsider can gam valuable
information just by learning the architecture or connectivity of the internal network.

398

Chapter 9

Scanning the Horizon

When an internal host presents its IP address to an outsider (necessary if the outsider,
expected to reply), the outsider can infer some of the network architecture fromth,
pattern of addresses. Conveniently, a firewall can also prevent this informationfrom
escaping.
Every packet between two hosts contains the Source host's address and portand
the destination host's address and port. Port 80 is the number reserved for HTIP(web
page) access. As shown in Figure 9-18, internal host 192.168.1.35 port 80 is sending.
packet to external host 65.216.161.24 pan 80. Using a process called network
address
translation
(NAT), the Source firewall
converts
source addr~s
192.168.1.35:80 in the packet to the firewall's Own address, 173.203.129.90. Thefire.
wall also makes an entry in a table Showing the destination address, the sourceport
and the original Source address, to be able to forward any replies to the original sou,"
address. As you might expect, the firewall converts the address back on any reWID
packets.
The only complication to this scheme occurs if two internal hosts both contactt~
same destination address Over the same port, which might be expected if two internl
hosts both wanted to access the web page at www.google.com,
for example. In ibu
case, the firewall would rewrite the Source port number of one requesting host toarM'
darn different number so that the firewall could properly retranslate the return. Internl

..
1
e

User host

~o"'

(internal)

Destination

mY"

65.216.16124

~.j

Src: t 92.168.1.35:80
Src:

173.203.129.90
Table of translations performed
Source
Desr
192.168.1.35:80
65.216.161.24:80
FIGURE 918

Network Address TranSlation

Countermeasure:SecurityPerimeter
host 192.168.1.35 might become
come 173.203.129.90:4966

173.203.129.90:4236,

and 192.168.1.57

399
might be-

The outside world sees only one external address, 173.203.129.90, for the whole
secured internal network, so outsiders cannot infer the design of the internal network.
In fact, outsiders do not know if one communication at one time is from the same
internal host as a later communication, thus shielding individual internal users
somewhat. Although primarily used because of another problem (limited public
address numbers), network address translation performs a significant security role.

OllJN'I'I!IUII!llSIJIU!: SECURITY PERIMETER

A careful network architecture design plus appropriate firewalls leads to a defense
called a security perimeter. As the name indicates, this is a network that is surrounded
by security, or a design in which an identifiable set of devices is protected together. For
a parallel situation, think of medieval fortresses: A castle was often built on a hilltop or
beside a tall cliff on the sea, so that the geography formed a first banier against attack.
Then the fortress was surrounded by a tall stone wall, sometimes with a moat, and
often with only one entry and exit point. In this way, invaders were forced to attack at
only one point. Inside the castle there might be still more rings of security: a second
wall with guards on the outside and castle residents (servants, most likely) inside. Then
there would be the castle itself for the ruler and his (occasionally her) family, again
protected by heavy doors and armed guards. With this design an attacker not only had
to cross the moat and penetrate the exterior wall but also get through the interior wall
and into the castle.
In a computer system, a security perimeter is both a physical and logical concept.
Physically there is no moat or wall, but the design of one entry point, protected with a
firewall, serves the same purpose. And the separate security rings are represented by
different subnetworks, with less sensitive activities in the outer rings and the most sensitive data and processes embedded more deeply in inner rings.
For example, to an online merchant, the web server, the device that hosts a system's
web pages, and the email server, the device that receives incoming email, are less sensitive than users' machines or a database of orders. Thus, this merchant might construct
a network as shown in Figure 9-19. Notice that the front firewall performs three functions: It directs incoming web searches and email deliveries to the web and email servers, respectively. These two actions occur for any incoming access requests. Second,
hecause of network address translation, the firewall knows which internal (users') hosts
are awaiting responses from outside addresses, so when one of these expected replies
arrives, the firewall translates the address and dispatches the incoming data accordingly. Finally, it drops any other requests, thus protecting all internal subnetworks from
potentially harmful traffic.
.
As shown in the figure, sometimes a second firewall is added so that the first (outer)
firewall handles only the web and email subnets and the second firewall protects the
users and data on the internal subnet. These two firewalls implement two layers of
protection.

400

Chapter 9

Scanning the Horizon

..
.
.
,
b
.rUscrs
'

'

su net ' \,

,
,
Firewall

Optional second

,
,

firewall

,
,
,

".
/' Web server
I

subner

.'
,,'

FIGURE 919

'

Layered Perimeler Protection

CONCLUSION
Port and host scanmng
, ortan
. IS
" a common first step for attackers, and you c an easily
see
why: It is easy to perform, tools to do it are readily available, and it yields Im
"l
P
infonnation to locate easily accessed and vulnerable machines, Althoug I1 port sea
1inser'
nni
itself is not an attack-in almost all cases it involves only inspection, not acrua altack
tion of code Or change to existing data or software-it
can be a precursor to an
and so it should be defended against.
e tWO
Fortunately, network and subnetwork architecture
design
'
, and firre walls arre the
very useful and effective
Controls
against
port
scannmg.
Design helps
.' secuhe net.
'
,
'.
more sensitive parts of a network more deeply and less accessibly within InsitiV'
work. Firewalls work to limit access strictly to (and from) those more affic are
parts, COntrolling not only whether but even which specific Iypes of tra najor
allowed to pass. From this chapter you should understand the followinf [
concepts:
d
Port scanners are tools to map the architecture and components (hardware
dOC"
an
software) of a network segment. Network administrators use scan.ners to 1l',ate
rnent and check theij. networks. Outside attackers use scanners t 0 mvesc
networks and perhaps find weaknesses.

it

Conclusion

401

Port scanners are remote, silent, and stealthy applications; that is, the attacker
can perform a scan remotely and without drawing attention or being easily
identified. Thus, port scans are often used as a first step or precursor to a
directed attack.
Segmenting

a network into subnetworks partially shields them against outside

observation or attack. Subnetworks also provide some protection against loss of

service due to hardware malfunction.
A firewall filters traffic in transit between two networks. Based on traffic filtering rules, the firewall identifies and denies access to harmful traffic.
Firewalls are a form of reference monitor, in that they are always invoked,
highly tamper resistant, and small and simple enough to lead to confidence that
they perform their filtering accurately. Although firewalls are a first-levei
defense and hence a prime target for attack, these properties help ensure that
firewalls are seldom compromised.
A packet filtering gateway or screening router controls access according to the
characteristics of each packet, one at a time. The characteristics include source
and destination addresses, and service requested (protocol type).
A stateful inspection firewall filters according to criteria involving two or more
packets, not necessarily in immediate succession.
An application proxy firewall imitates the behavior of a protected host, allowing only acceptable information to flow between the outside and the internal
application.

A circuit-level gateway maintains a session between two subnetworks. A typical application of such a gateway is to implement a virtual private network
between two separate networks with a high degree of mutual trust.
A guard is a special-purpose device that filters data flow according to any conditions that can be programmed. Guards are generally designed and implemented for one specific purpose.
A personal firewall is a software application that runs on a single computer,
performing many of the same functions as a packet filtering gateway to protect
that one host.

Network address translation is a technique for converting internal addresses to

external ones. Firewalls typically perform this translation. In some cases multiple internal addresses are mapped to one external address to shield the internal
hosts from access.
A segmented network architecture implements a layered defense, often protected by one or more fuewalls. A firewall between the external network and

internal network segments enforces a perimeter defense.

In the next chapter we explore a similar topic: observing traffic en route from when

it leaves the protected internal network until it reaches its destination.

.-II
402

Chapter

TABLE93

Scanning

the Horizon

Threat-Vulnerability-Countermeasure

Threat

Chart for Port and VUlnerability

Consequence

Port scanning and

enumeration
Vulnerability
enumeration

Internal architecture
exposed

Moderate

Vu Inerabie software
versions revealed

Very serious

Vulnerability
Software vulnerabilities
revealed

Severity

Scanning

Ease of Exploitation
Easy: automated checking loa!

Easy: automated

Exploitability

checking tool

Prevalence

Can lead to exploitation of the vulnerabilities

themselves

Extremely

prevalent

Architecture
Compromise

of one host can affect security of

other connected

Countermeasure
Network design

ones

Issues Addressed
Architecture

Firewall

Visibility of
VUlnerabilities and
internal architecture

Mitigation

Administrative
and technical
Technical

~'

J
.'i
J

Network address
translation

Visibility of internal
architecture

Technical

Type

Prevalent

Mitigation Effect

Effort

By itself, moderate
deterrence

Moderate

Conceals internal
network; screens
traffic Content

Very effective

Prevents direct
access to protected
network segments
from outside

Very etTectjve,
especially when
combined With
firewall
screening _

EXERCISES
I.
I s ,h ere any reason Why a network administrator should ensure that known vu InerabiJiri~
J ofy
are patched
to any external network? us
your
answer. On hosts on a network that has no connection

2.

3.
4.

o ne

. .
. "My systems are used for nothins that cou Id not be shored
ne t wor k ad mmlstrator
Said
h s'

I::>
with
the whole ~orl~; therefore, , l have no need to stay current with
vutnerabi TpatC
tty e.
Do you agree with this administrator's position? Justify your answer,
,

. runnmg
. a service, such as FTP (file transfer)
Is there any hann 10
there IS no need for file transfers? Justify your answer.

on a system oo~d

o ut ['me

'
.
, g involrO
th e points
10 favor of and against the follOWing proposition:
Port soannm
it;'
onlyethical
examininq
an
actlVlty.responses returned in respOnse to queries anyone can make; therefore,
5.
P ort scannmg
'.
.
IS POSSIble
because service daemons have to respond to a II connection
ttempl
reques,s; that rs, the daemon cannot distingUish a valid service request from a sca:~tY and
based On JUst the first communication. (After obraininc information such as an Ide oc hY
authenticator, a service daemon may decide to termina~e 'he sesslon.) Outline a prot,,"i"
ol
wbich a server could defer revealing its identity (service, application name, an~ib<what
details) until havmg been assured of the party requesting the connection. Also desc
effect this would have on requesters' confidence.

Exercises

403

6. Wha~ is a justification for one network's having two separate firewalls, the first a packet
filtenng gateway and the second an application proxy? The alternative would be to merge
these two functions into a single unit. What advantages are there of the separation?
7. A firewall's security policy essentially defines good and bad traffic. Describe characteristics
that a packet filtering firewall could apply to determine that a packet qualifies as good.
8. The two schools of firewall design are defaull deny (deny anything not on an explicit list of
approved traffic) and default accept (accept anything unless a speci.fic rule bans it). List the
advantages and disadvantages of each approach.
9. Is a firewall an example of security by obscurity? That is, does a firewall merely conceal a
network's structure that a good attacker can determine in other ways?
10. A corporate administrator wants employees to concentrate on their jobs and not waste company time doing things that are not job related. Thus, the administrator has the corporate
firewall block outbound web access to certain sites, such as the 10caJnewspaper or Amazon.
Is this a good idea? Explain your answer. Be sure to consider technical and nontechnical
aspects. (Technical aspects might include whether a firewall can do the intended blocking;
nontechnical aspects might address employee morale.)
11. Explain why small size and simplicity should be criteria for a firewall's design.
12. What security principles or objectives does a firewall achieve?
13. A router directs traffic between two (or more) networks; a packet filtering gateway firewall
screens traffic in transit between two (or more) networks. These two functions seem similar
enough that perhaps they should be implemented on the same device. Explain the advantages and disadvantages of merging them onto one platform.
14. Other than the port scan sequence described in this chapter, list another condition that would
cause a firewall to have to examine more than one segment of a communications exchange
in order to determine whether the traffic was benign.
IS. Consider an example of a stateful inspection firewall that sees and allows one item, sees and
allows another, and so on, until a critical number of items or some other condition indicates
that the traffic stream is harmful and should be blocked. Is there any potential harm in
admitting the initial pieces up to the point of determining the stream is harmful? Justify your
answer. Suppose instead that the firewall quarantined possibly harmful traffic until having
enough data to determine whether the stream should be blocked or admitted. List the advantages and disadvantages of quarantining potentially bad data.
16. Why should ease of use (by the administrator to define .th.efirewall acceptance rules~ be a
criterion for selecting a firewall? After all, network administrators are skilled professJOn~ls
who understand details of networking, and they only have to set the rules once or modify
them occasionally.
17. Is network address translation an example of security by obscurity? That is. does the firewall
merely hide addresses that an outsid.er might be .abl~ to find out som~ other way? What
advantages accrue to a malicious outsider by knowing mternal addresses.
18. What security principles does network segmentation satisfy?