Lecture 5

PROTECTION/PREVENTION I: FIREWALLS

Quick Review

- The security process
  - Assessment, protection/prevention, detection and response
- The security attack process
  - Reconnaissance, exploitation, reinforcement, consolidation and pillage
- Security issues in networking protocols
- Specific attacks
  - Denial of service, sequence number guessing, ...
Next Step

- Consider protection and prevention mechanisms
  - Try to address direct agents of security attacks
- How do attacks succeed?
  - Oscar gets information (reconnaissance)
  - Oscar exploits vulnerabilities
    - Common weaknesses in design and bugs in software services
- Protection and prevention
  - Stop (or block) packets that are sent with the purpose of reconnaissance or exploitation
  - Authenticate and encrypt communications to prevent Oscar from obtaining information or being able to communicate
Firewalls

- Firewalls originally protected buildings that were susceptible to fire
  - People built thick walls made of brick between such buildings
  - If a building caught fire, the thick wall would prevent it from spreading to surrounding buildings
  - Damages would be minimized
- The “Internet Firewall” prevents security attacks from spreading into the intranet or private network of an organization
What is a Firewall?

- A network level access control mechanism
- In broad terms, a firewall is all of the following
  - A collection of hardware and software PLUS a security policy
  - Something placed between a corporate intranet and the Internet
  - Seeks to prevent unauthorized and unwanted communications into or out of the corporate intranet
  - Allows the organization to implement and enforce its own traffic flow policy between the Internet and the intranet
- Today it means many things
  - Ranges from a simple packet filter to a complex intrusion prevention system
What is a Firewall? (2)

[Figure: the firewall sits between the “Outside” (public) network and the “Inside” (private) network]

- Establishes a controlled link between the insecure public network and the secure private network
- Erects a security wall or perimeter around the network
- These days you have “host firewalls” that prevent a host machine from picking up some types of packets
- The idea of a “perimeter” is not completely valid these days
Design Goals

- All traffic from inside the private network to outside and vice-versa MUST pass through the firewall
- Only authorized traffic defined by a local “security policy” will be allowed to pass
- The firewall is as tamperproof as possible
  - Fewer bugs, vulnerabilities, and security loopholes
  - Host security does not scale well
    - Multiple operating systems
    - Complex access controls
    - Vulnerabilities in new software
    - Difficult to audit
  - The firewall runs less software than most hosts and is much more controlled
Advantages and Disadvantages

- Advantages
  - There is only one host/machine/device to be protected: the firewall
    - Simplifies security management
  - Possible to implement advanced logging and monitoring
  - Can create a VPN using IPSec to other hosts
  - Enables segmentation and isolation of problems
  - Hides the IP addresses of client stations in an internal network by presenting one IP address to the outside world
- Disadvantages
  - Bottleneck
  - Single point of failure
  - False aura of confidence
Services provided by a firewall

- Service control
  - Determines the types of services that can be allowed inbound or outbound
- Direction control
  - Determines the direction in which a service may be initiated and allowed to flow
- User control
  - Determines access to a service depending on which user is attempting to access it (both inbound and outbound)
- Behavior control
  - Controls how some services are employed
  - Example: DNS, filtering e-mail, etc.
Protection with Firewalls

- Protects against
  - Information theft (reconnaissance)
    - Example: prevents requests to and responses from services within the private network reaching the outside
  - Information sabotage (exploitation/pillage)
    - Example: prevents uploading derogatory content onto a company’s web page or changing an employee’s medical records
  - Denial of service (pillage)
    - Example: prevents common DoS attacks like Smurf on internal hosts
Additional features in firewalls

- Demilitarized zone firewalls (DMZ firewalls)
  - A region of the network is protected, but accessible to outsiders
  - The rest of the network is NOT accessible
- Content filtering
  - Ensure that employees do not access particular content like stock quotes
  - Can define categories of unwelcome material
  - Can block certain web-sites
- Anti-virus protection
  - Can assist with virus detection
- Virtual Private Networks (VPNs)
Limitations of Firewalls

- Cannot protect against
  - Attacks that bypass it
    - Physical removal of files
    - Dial-up modems from hosts on the intranet
  - Internal threats and insider attacks
    - Malicious employees
  - Viruses in general
    - Viruses may come in to the network in several ways
- Firewalls are not foolproof
  - They will allow what you permit them to allow
  - Human errors can lead to security breaches
Firewall Topics

- Types of firewalls
  - Packet filters, stateful firewalls, proxy firewalls
  - Performance vs. security tradeoffs
  - Firewall policies
  - Implementation and pitfalls
- Firewall architectures
  - Where do you place firewalls?
  - What functions will they perform?
  - How do you isolate different segments of your private network?
Types of Firewalls

OPERATION OF PACKET FILTERS AND GATEWAYS
Types of Firewalls – based on functionality

- Types of firewalls
  - Packet filters
    - Static packet filters
    - Dynamic or stateful packet filters
  - Proxy firewalls
    - Circuit level gateways
    - Application level gateways
Packet Filters vs. Proxies

- Packet filters examine packets entering a network one at a time
  - Examination of packets involves rules set by an administrator
  - Packets can be blocked to certain hosts or services (IP addresses and ports)
  - Packets can be blocked if they correspond to certain protocols
- Proxies
  - Reproduce application layer functionality
  - Isolate the protected network from the rest of the world
  - Packets are not examined one-by-one but are completely decoded
  - Examination after decoding reveals if it is a valid request
Types of Firewalls – based on device types

- Routers
  - Most routers can be configured to act as packet filters
  - Simple and fast, but usually not very secure
- Multi-homed hosts
  - Run a software application on top of an OS
  - Slower, but more secure
- Single host
  - Most new OSs come with a built-in software firewall to protect a single host
- Appliances
  - Hardware, software and firmware particularly optimized for firewall functionality
Some Remarks – I

[Figure: the protocol stack, from top to bottom APP, TCP/UDP, NETWORK, LINK, PHY]

- The “type” of firewall depends on how high in the protocol stack a “packet” is examined
- The higher the layer of examination, the worse the performance
  - Requires more processing and slows down packet flow
- The higher the layer of examination, the more secure the network is
  - Obtains more information about what a packet is trying to do before allowing it or dropping it
- Improvements in technology have reduced the degradation in performance, but it is still a factor
Some Remarks – II

- Classification of firewalls is a useful exercise, but actual products may do many things
  - Most firewalls have overlapping functions
  - May do some static and some dynamic filtering
  - May also look at the payload of certain applications but may or may not act as a proxy
  - They may have both software and hardware components
- Policies of firewalls can also fall into overlapping categories
Static Packet or Screening Filters

- A type of firewall that blocks or allows a packet based on IP addresses or port numbers
  - Stateless
  - Operates on IP packets individually at the network layer
  - Oldest type of firewall
- Whether a packet is allowed or not depends on
  - A set of rules encoded in the software running the packet filter
  - Parses the IP header and TCP/UDP segment header and checks for
    - Protocol numbers, source and destination IP addresses, TCP port numbers, TCP connection flags, ICMP, etc.
  - Compares the information with the rules in sequential order till the packet matches a particular rule
  - If no rule matches the packet, a default action is taken
Operation of Static Packet Filters

- When you filter packets, what is outside and what is inside can get fuzzy depending on the interface
- Need to exercise great care in setting rules, as we will see next

[Figure: a packet from “outside” enters at PHY/LINK, is examined at the NETWORK and TCP/UDP layers, and, if allowed, is passed on to the “inside”]
In and Out…

[Figure: interface i1 faces the public side and interface i2 the private side; each interface has an “in” and an “out” direction]

- Packets coming “in” to one interface may be going “out” of another interface
- Many access control lists are based on filtering packets coming “in” or going “out” of an interface
- Best to filter packets as they come in to avoid additional processing
Packet Filtering – Cisco IOS

- Cisco routers maintain what is called an access control list (ACL)
  - To configure a Cisco ACL, you have a command that looks like this
      > access-list <number> <criteria>
  - The number is a label for the type of protocol (IP, IPX etc.)
  - Can also use a named ACL that has the syntax
      > ip access-list <type> <name>
      > permit | deny <criteria>
  - Can add logging of packets that are rejected
- There are many types: standard, extended and reflexive ACLs
  - A standard ACL blocks only on source addresses, for example
    - Faster at the packet filter device
  - An extended ACL looks at port numbers and destination addresses
IPchains and IPtables

- Popular on Linux
  - IPchains is deprecated, being replaced by IPtables
- IPchains also maintains a list of what is allowed and what is not
      > ipchains -A input -i <interface> -p <protocol> -s <source IP address> -d <destination IP address> -l -j DENY
  - The target after -j is the action taken on a match (DENY or ACCEPT)
  - The parameter -l says that the information must be logged
  - The parameter -A says that this command must be appended at the end of the current list
Rules for Packet Filtering

- Default:
  - Discard: prohibit any packet that is not allowed
    - Also called the “security-first” policy
  - Forward: allow any packet that is not forbidden
    - Also called the “ease-of-use-first” policy
- Example:
  - Default discard policy
  - * is a match for anything

Action  Ourhost      Port  Theirhost  Port  Comments
Block   *            *     Dracula    *     Don’t trust ’em
Allow   Our-Gateway  25    *          *     Connection to SMTP port

- Note: there is no directionality in this rule set
- What does this rule set do?
  - First it checks to see if the packet is from/to Dracula
    - If it is, it is dropped
  - Next it sees if some host other than Dracula has sent a packet to port 25 of the gateway
    - If yes, it is allowed; otherwise it is dropped
Example Continued

- Consider the policy: any internal host can send e-mail to outside
- The rule for this may look like this

Action  Ourhost  Port  Theirhost  Port  Comments
Allow   *        *     *          25    Allow to connect to any SMTP port

- What are potential problems with this rule?
  - We cannot control the outside hosts; they may be running some malicious service on port 25
  - An outside host may connect to the internal host using port 25, which is allowed!
  - The better option is to allow outgoing calls to port 25, not all calls
- Most packet filters now support source and destination separately and allow different rules at different interfaces and in different directions
Source Address Filtering

- There are some common terms used to indicate packet filtering by source address
- Friendly Net
  - Allow some IP addresses that are from known networks
  - Not advisable to use this approach; why?
- Ingress filtering
  - Refers to filtering at the interface that allows packets from outside to come into the internal network
- Egress filtering
  - Refers to filtering at the interface that accepts packets leaving the internal network
  - Block addresses that do not belong to the internal network (why?)
  - Block addresses that are NOT supposed to connect to the Internet
- Log all rejected packets; why?
Some Common Rules - I
Filtering by source address

- Deny entry to IP packets with certain source addresses
  - What addresses can we deny without fear of blocking legitimate traffic?
    - RFC 1918 addresses: block addresses such as 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
    - Loopback address 127.0.0.1, multicast addresses 224.0.0.0 - 239.255.255.255
    - Internal addresses
    - Perhaps addresses originating from certain domains (.in, .ru, .cn)
- Deny exit from the network to IP addresses that are supposed to be used internally
- Temporarily or otherwise block certain IP source addresses
  - You can identify some IP addresses that are launching DoS attacks
  - There are some IRC servers that you don’t want your users to connect to
  - A domain like login.oscar.aol.com
Port Number and Destination Address Filtering

- Allows access for
  - Specific “channels” between networks
  - Specific public services like DNS or web
  - Specific packet types like ICMP MTU violations
- Can filter packets based on port numbers, flags in headers, specific protocol types
  - Additional granularity
  - Slows the filtering process compared to “source address only” filtering
Some Common Rules - II
Filtering by destination address and ports

- Friendly Net
  - It is possible to tighten up the friendly net rule by specifying certain port numbers and destination hosts only
  - Example: allow host 130.215.17.13 to access 136.142.117.13 if it has a port number larger than 1023 and it is connecting to port number 80 only
  - Still not recommended without authentication and architectural separation
- Allowing and disallowing certain types of traffic
  - You can block certain types of traffic leaving your network like IRC, instant messaging, Kazaa or ICMP
  - Example: block ICMP echo requests from any host to any host
  - Is this a good idea? Where should an alternative be placed?
Example of Rule Set

- Identify the protocol and what the rule may mean
- Assume it is applied at the interface of a filter that accepts incoming packets to the network 136.142.117.y/24

Rule  Protocol  Source Address    Destination Address  SRC-Port  DEST-Port  Action
1     TCP       130.215.17.0/24   136.142.117.221      > 1023    22         Allow
2     TCP       Any               136.142.117.13       > 1023    80         Allow
3     TCP       136.142.117.0/24  Any                  Any       Any        Block
4     UDP       Any               136.142.117.13       > 1023    53         Allow
5     UDP       Any               136.142.117.14       > 1023    53         Allow
6     Any       Any               Any                  Any       Any        Block

Packet Filtering Rule Set - Rules of Thumb

- Unless all parts of the rule are matched, the packet is moved down the list of rules
  - Complete match test
- Better to allow the stuff you need and deny the rest than to specifically deny the stuff you suspect
- Specific rules must precede general rules
  - Otherwise packets may be admitted or denied by a general rule before they are tested against a specific rule
  - Example: in the previous rule set, Rule 6 cannot be placed prior to any other rule
  - What happens if it is placed first in the list?
- Adding rules in an ad hoc manner can result in catastrophes
  - Great care must be exercised to ensure that rules do what they are supposed to do
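As an added illustration (not part of the lecture), the following Python evaluates the six-rule set above with the first-match, complete-match semantics the rules of thumb describe, and shows what happens when Rule 6 is placed first and when the anti-spoofing Rule 3 sits below Rule 2. The sample packets and the 203.0.113.0/24 "outside" addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    proto: str    # "TCP", "UDP" or ANY
    src: str      # CIDR block, single address or ANY
    dst: str
    sport: str    # "> 1023", an exact port as a string, or ANY
    dport: str
    action: str   # "Allow" or "Block"


def _addr_match(spec: str, addr: str) -> bool:
    if spec == ANY:
        return True
    # strict=False lets a bare host address act as a /32
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Complete match test: every field of the rule must match the packet."""
    return ((rule.proto == ANY or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport))


def decide(rules, pkt: Packet, default: str = "Block"):
    """First-match evaluation; returns (action, rule number) or (default, None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.num
    return default, None


# The six rules from the slide, applied where packets enter 136.142.117.0/24.
RULES = [
    Rule(1, "TCP", "130.215.17.0/24", "136.142.117.221", "> 1023", "22", "Allow"),
    Rule(2, "TCP", ANY, "136.142.117.13", "> 1023", "80", "Allow"),
    Rule(3, "TCP", "136.142.117.0/24", ANY, ANY, ANY, "Block"),  # our own addresses never arrive from outside
    Rule(4, "UDP", ANY, "136.142.117.13", "> 1023", "53", "Allow"),
    Rule(5, "UDP", ANY, "136.142.117.14", "> 1023", "53", "Allow"),
    Rule(6, ANY, ANY, ANY, ANY, ANY, "Block"),
]

# Constructed sample packets; 203.0.113.0/24 is a documentation range standing in for "some outside host".
SSH_FROM_PARTNER = Packet("TCP", "130.215.17.40", "136.142.117.221", 40000, 22)
WEB_TO_13 = Packet("TCP", "203.0.113.9", "136.142.117.13", 51515, 80)
DNS_LOW_SPORT = Packet("UDP", "203.0.113.9", "136.142.117.13", 53, 53)          # sport 53 is not > 1023
TELNET_PROBE = Packet("TCP", "203.0.113.9", "136.142.117.221", 40000, 23)
SPOOFED_INSIDE = Packet("TCP", "136.142.117.50", "136.142.117.13", 51515, 80)  # inside address on the outside interface
ICMP_ECHO = Packet("ICMP", "203.0.113.9", "136.142.117.13", 0, 0)


def rule6_first():
    """The general block rule moved to the top: it shadows every specific rule."""
    return [RULES[5]] + RULES[:5]


def antispoof_first():
    """Rule 3 moved to the top so a spoofed inside address is caught before Rule 2 admits it."""
    return [RULES[2]] + RULES[:2] + RULES[3:]


if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_FROM_PARTNER), ("web", WEB_TO_13), ("dns", DNS_LOW_SPORT),
                      ("telnet", TELNET_PROBE), ("spoofed", SPOOFED_INSIDE)]:
        print(name, decide(RULES, pkt), "| rule 6 first:", decide(rule6_first(), pkt),
              "| rule 3 first:", decide(antispoof_first(), pkt))
```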
Services to Filter

- Common protocols
  - SMTP/Mail
    - Need to be checked to see if they are “valid”
    - No viruses, spoofed addresses etc.
    - Hard to do with packet filters
  - Web
    - Allow outbound HTTP or HTTPS requests
    - Use architectural methods to protect your network against inbound HTTP requests (later)
  - POP3/IMAP
    - Should block access from outside, but this will irritate users
    - Use SSL tunneling (later)
  - FTP
    - Tricky protocol; needs more attention than the rest
  - TCP
    - Incoming TCP connections should not be allowed unless they were initiated from the inside
    - Hard to do with simple packet filters
  - UDP
    - Must block all calls; a bit draconian but sometimes necessary
  - NTP
    - Restrict to specific hosts only
  - Others
    - Block all other unnecessary protocols like H.323, SMB, Kazaa, etc.
Personal Firewalls - I

[Screenshot: Windows XP SP2 comes with its own GUI and controls for the Windows Firewall, previously known as Internet Connection Firewall]

More Windows Firewall

[Screenshot: the Windows Firewall log viewer (“Show Log”)]
Personal Firewalls - II

- Also called “desktop firewalls”; they are becoming very popular
  - Protect individual hosts from malicious packets
  - Perform per-host packet filtering
- Many products are available
  - Zone Alarm - http://www.zonelabs.com
  - Tiny Firewall - http://www.tinysoftware.com
  - McAfee Personal Firewall Plus - http://us.mcafee.com/default.asp
  - Symantec, Sygate, Panda Software, Computer Associates, etc.
Network Statistics on a Mandrake Firewall

[Screenshot]

Firewall Rules

[Screenshot]
Packet Filtering: Advantages and Disadvantages

- It is hard to set packet filtering rules correctly
  - Error-prone process
  - Order matters!
- Packet filtering is fast and a low-cost technology
- It is transparent to user applications
- It is however not very secure
  - Example: a standard ACL filters based on source addresses
    - Source addresses can be easily spoofed
Attacks on Packet Filters

- IP spoofing
  - The attacker can use an internal IP address or some other allowed IP address
  - Countermeasures:
    - Deny all internal IP addresses arriving from outside
    - Use IPSec for authentication
- Opening holes
  - Sometimes, to accommodate certain protocols, sysadmins open holes in the ruleset
  - Care must be taken to restrict access through the holes to a limited number of hosts
- ACK flags
  - Can fool packet filters that accept packets from “established” sessions that are not really established
Fragmentation

- Fragmentation occurs when the maximum transmission unit (MTU) of a link is smaller than the size of the IP datagram
  - Example: in Ethernet, the MTU is 1500 bytes
  - Example: in Frame Relay, the MTU is 1600 bytes
  - Similarly, for a TCP segment, a maximum segment size (MSS) is also specified
- Oscar tries to mask his probes and facilitate attacks using fragmentation of IP datagrams
  - Many filters fail to recognize fragmented packets
  - Many IDSs do not support packet reassembly
  - Oscar can get through to a target network and to a victim host
- Tiny fragment attacks
  - IP fragmentation is used to separate the TCP header information into multiple IP packets
  - RFC 1858 defines methods to deter such attacks (drop fragments smaller than a given size)
Fragmentation Basics

- When a packet is fragmented, all fragments reach the destination
  - The destination has to reassemble the fragments
  - It should be able to figure out
    - What fragments are associated together
    - Where the fragments fit (what is the offset from the start of the packet)
    - How much data a fragment contains (as a check)
    - Whether more fragments exist or the reassembly can be undertaken
- The IP header contains the information to reassemble the fragments
  - Some fields may be omitted except in the first fragment
Example

- An IP datagram of size 4000 bytes arrives at a router
- The MTU of the link is 1500 bytes
- The IP header is 20 bytes long
- So the payload has to be fragmented and sent in new IP datagrams
  - Each IP datagram has the source and destination address
  - The header of the payload protocol is NOT repeated
  - This enables Oscar to play some tricks

[Figure: the fragmented datagrams; the IP header of each one shows the protocol that it carries]
Example - 2

- Each IP header has a 16 bit identification field
  - This identifies the datagram sent by the host and will be the same for all fragmented packets
  - The fragment id is set to this identification value
- The first IP fragment will contain the protocol header of the payload (e.g. TCP, ICMP etc.)
  - It has offset = 0, length = 1480 bytes
  - It also has the “more fragments” field set to 1
- The second IP fragment simply contains the next 1480 bytes of payload data: offset = 1480, length = 1480, more fragments = 1
- The third IP fragment has 1020 bytes of data, more fragments = 0
Fragmentation and Packet Filters

- The IP header of each fragment indicates the protocol of the payload (e.g. TCP, ICMP, etc.) but the filter often does not read the contents
  - Many packet filters are stateless; they are asked to block packets to port number N from all hosts
  - They let the fragments into the network, blocking only the first one
- Many services set a Do not Fragment (DF) flag
  - This is done to discover the smallest MTU along a route
  - An ICMP error message reports that the IP datagram cannot be delivered because the MTU is smaller, and reports this value
- Malicious fragmentation has led to many attacks
  - Now possible to block any fragmented packet
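The 4000-byte datagram from the Example slides, fragmented in Python as an added example (not lecture code): it reproduces the three fragments of Example - 2, shows a stateless port filter blocking only the first one, and adds the RFC 1858 checks (minimum first-fragment length, and dropping a fragment at offset 8) as a defender would apply them before the port filter. The TCP payload, the 0x1234 identification and the 20-byte minimum are constructed assumptions.

```python
import struct
from dataclasses import dataclass

IP_HDR = 20           # IP header length used throughout the slides
TCP_HDR_MIN = 20      # assumed threshold: a first fragment shorter than this cannot hold a whole TCP header


@dataclass(frozen=True)
class Fragment:
    ident: int        # 16-bit identification, identical for all fragments of one datagram
    offset: int       # byte offset of this fragment's data in the original payload (multiple of 8)
    length: int       # payload bytes carried by this fragment
    more: bool        # "more fragments" flag
    proto: str        # protocol field is repeated in every fragment's IP header
    data: bytes


def fragment(total_len: int, mtu: int, ident: int, proto: str, payload: bytes):
    """Split a datagram of total_len bytes (IP header + payload) for a link with the given MTU."""
    data_len = total_len - IP_HDR
    if len(payload) != data_len:
        raise ValueError("payload must be total_len minus the IP header")
    if total_len <= mtu:
        return [Fragment(ident, 0, data_len, False, proto, payload)]
    per_frag = (mtu - IP_HDR) // 8 * 8      # the offset field counts 8-byte units
    frags, offset = [], 0
    while offset < data_len:
        length = min(per_frag, data_len - offset)
        more = offset + length < data_len
        frags.append(Fragment(ident, offset, length, more, proto, payload[offset:offset + length]))
        offset += length
    return frags


def stateless_port_filter(frag: Fragment, blocked_dport: int) -> bool:
    """A filter told to block TCP to blocked_dport, deciding per fragment; True = let through.
    Only an offset-0 fragment carries the TCP ports (bytes 0-3 of the TCP header), so the
    later fragments cannot be matched against the rule at all."""
    if frag.proto == "TCP" and frag.offset == 0 and frag.length >= 4:
        dport = struct.unpack("!H", frag.data[2:4])[0]
        return dport != blocked_dport
    return True


def rfc1858_check(frag: Fragment, min_first: int = TCP_HDR_MIN) -> bool:
    """RFC 1858 style sanity checks; True means the fragment may go on to the port filter.
    Direct method: a first fragment must be long enough to carry the whole transport header.
    Indirect method: a fragment at offset 8 (FO = 1) would overwrite part of that header on
    reassembly, so it is dropped as well."""
    if frag.proto != "TCP":
        return True
    if frag.offset == 0 and frag.length < min_first:
        return False
    if frag.offset == 8:
        return False
    return True


def filter_datagram(frags, blocked_dport: int):
    """Apply the RFC 1858 checks and then the port filter; one verdict per fragment."""
    return [rfc1858_check(f) and stateless_port_filter(f, blocked_dport) for f in frags]


# Constructed datagram from the slides: 4000 bytes total, 20-byte IP header, carrying TCP from
# port 40000 to port 23 (telnet); the first 20 payload bytes are the TCP header.
TELNET_PAYLOAD = struct.pack("!HH", 40000, 23) + bytes(16) + b"A" * (4000 - IP_HDR - 20)


def slide_example():
    """The 4000-byte datagram on a 1500-byte MTU link, as in the Example and Example - 2 slides."""
    return fragment(4000, 1500, 0x1234, "TCP", TELNET_PAYLOAD)


def tiny_fragments():
    """The same datagram forced through an unrealistically small MTU, so that the first fragment
    carries only 8 bytes of TCP header: the case the RFC 1858 checks are written for."""
    return fragment(4000, 28, 0x1234, "TCP", TELNET_PAYLOAD)


if __name__ == "__main__":
    for f in slide_example():
        print(f"offset={f.offset:4d} length={f.length:4d} more={int(f.more)}")
    print("stateless filter, port 23 blocked:", [stateless_port_filter(f, 23) for f in slide_example()])
    print("RFC 1858 checks on tiny fragments:", filter_datagram(tiny_fragments(), 23)[:3])
```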
Fragmentation Attacks

- A common port scanning tool is nmap
  - It can be used to fragment TCP headers into many IP datagrams
  - Filters may not recognize the port number and allow all fragments into the network
  - Oscar can successfully scan for open ports and services
- No final fragment
  - Common for DoS attacks on routers that try to reassemble packets for broadcast over a link
- Overlapping fragments
  - Teardrop is a DoS attack that uses overlapping fragments to confuse the OS and crash it
- Ping of death crafts IP packets with MTUs greater than 65535, causing a crash
Other protocols that may bypass packet filters

- Tunneling
  - Using SSH to access services bypasses all filtering
- MBone encapsulation
  - MBone is the multicast backbone on the Internet
  - Used, for example, for reaching large audiences with video traffic
  - Encapsulates packets, resulting in bypassing filters
- Arbitrary port creation
  - P2P software: BitTorrent, KaZaa, eDonkey, etc.
  - IP telephony
Firewall vulnerabilities

- Since port 80 is typically open, many users abuse it by tunneling other applications within HTTP using SOAP
  - Read http://www.schneier.com/crypto-gram-0006.html
- Checkpoint’s FireWall-1 product vulnerabilities reported in July 2000
- Cisco’s IOS has security vulnerabilities in some versions
  - IOS is used in most Cisco products including packet filters and firewalls
  - IOS source code was stolen and posted on the web, allegedly by a 16 year old at Uppsala, Sweden, in 2004
- Symantec’s Raptor firewall
  - Oscar could hijack sessions passing through the firewall
Dynamic packet filtering

- Idea
  - Create rulesets on-the-fly and tear them down when completed
- Example
  - A host from the internal network, say 136.142.117.221, connects to a telnet server 130.215.17.13 on the outside
  - Say the port number on the client side is 1091
    - What is the port number at the server?
  - A new ruleset would be created as follows
    - Allow packets from host 130.215.17.13 port = 23 to host 136.142.117.221 port = 1091
  - The dynamic packet filter will examine all packets to make sure that the SYN, SYNACK and ACK were completed
  - When it observes the FIN packets, it tears down the ruleset, thereby disallowing further communication from 130.215.17.13
- In Cisco devices, this is called a “reflexive” access list
- Can be a burden on routers in terms of performance
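Added example, not from the lecture: a small reflexive/dynamic filter in Python for the telnet session above. It creates an entry when the inside host sends its SYN, requires SYN, SYN-ACK and ACK to complete before admitting data, admits only packets of the exact four-tuple, and tears the entry down once FIN has been seen from both sides. The extra probe packets and the 203.0.113.9 outside address are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}


def tcp(src, sport, dst, dport, *flags) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


@dataclass
class Entry:
    state: str                 # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    fin_inside: bool = False
    fin_outside: bool = False


class DynamicFilter:
    """Reflexive access list: an entry exists only for a connection an inside host opened,
    and only packets of that exact (inside ip, inside port, outside ip, outside port) pass."""

    def __init__(self, internal_net: str):
        self.net = ipaddress.ip_network(internal_net)
        self.table: dict = {}

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.net

    def process(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet and update the state table."""
        outbound = self._inside(p.src) and not self._inside(p.dst)
        inbound = self._inside(p.dst) and not self._inside(p.src)
        if not (outbound or inbound):
            return "drop"   # assumption: only inside<->outside traffic is handled here
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        entry = self.table.get(key)
        if entry is None:
            if outbound and p.flags == {"SYN"}:
                self.table[key] = Entry("SYN_SENT")   # ruleset created on the fly
                return "allow"
            return "drop"   # unsolicited inbound packet (or a stray outbound one)
        return self._outbound(key, entry, p.flags) if outbound else self._inbound(key, entry, p.flags)

    def _inbound(self, key, e: Entry, flags) -> str:
        if e.state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            e.state = "SYN_RECEIVED"
            return "allow"
        if e.state == "ESTABLISHED" and "ACK" in flags and "SYN" not in flags:
            if "FIN" in flags:
                e.fin_outside = True
            self._maybe_teardown(key, e)
            return "allow"
        return "drop"   # a bare ACK before the handshake finished, or a new SYN through an open entry

    def _outbound(self, key, e: Entry, flags) -> str:
        if e.state == "SYN_SENT" and flags == {"SYN"}:
            return "allow"                      # retransmitted SYN
        if e.state == "SYN_RECEIVED" and flags == {"ACK"}:
            e.state = "ESTABLISHED"             # handshake complete
            return "allow"
        if e.state == "ESTABLISHED" and "ACK" in flags and "SYN" not in flags:
            if "FIN" in flags:
                e.fin_inside = True
            self._maybe_teardown(key, e)
            return "allow"
        return "drop"

    def _maybe_teardown(self, key, e: Entry) -> None:
        # Simplification: the entry goes away once both sides have sent FIN; a real
        # implementation keeps it a little longer so the final ACK can still pass.
        if e.fin_inside and e.fin_outside:
            del self.table[key]


INSIDE, OUTSIDE = "136.142.117.221", "130.215.17.13"   # the hosts from the slide


def telnet_session():
    """The slide's telnet session plus packets a stateless ACK-flag rule would have let through.
    Returns the verdict for each packet in order."""
    fw = DynamicFilter("136.142.117.0/24")
    packets = [
        tcp(INSIDE, 1091, OUTSIDE, 23, "SYN"),             # inside opens the connection: entry created
        tcp(OUTSIDE, 23, INSIDE, 1091, "ACK"),             # bare ACK before SYN-ACK: handshake not done
        tcp(OUTSIDE, 23, INSIDE, 1091, "SYN", "ACK"),
        tcp(INSIDE, 1091, OUTSIDE, 23, "ACK"),
        tcp(OUTSIDE, 23, INSIDE, 1091, "ACK"),             # server data
        tcp("203.0.113.9", 23, INSIDE, 1091, "ACK"),       # a different outside host (constructed)
        tcp(OUTSIDE, 23, INSIDE, 1092, "ACK"),             # wrong client port
        tcp(OUTSIDE, 23, "136.142.117.222", 1091, "ACK"),  # wrong inside host
        tcp(OUTSIDE, 23, INSIDE, 1091, "SYN"),             # outside tries to open its own connection
        tcp(OUTSIDE, 23, INSIDE, 1091, "FIN", "ACK"),
        tcp(INSIDE, 1091, OUTSIDE, 23, "FIN", "ACK"),      # both FINs seen: entry torn down
        tcp(OUTSIDE, 23, INSIDE, 1091, "ACK"),             # nothing left to match
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(telnet_session())
```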
Attacking dynamic packet filters

- Much harder to do this
  - Trojans and worms internal to the network can abuse dynamic filters
- Oscar needs to know
  - Existence of a dynamically created access list
    - An internal host connecting to an external host will create the access list; nothing else can do it
  - Only the host 130.215.17.13 can connect through this access list
    - Oscar will have to spoof this address
  - The connection can be made only to host 136.142.117.221
    - Oscar cannot attack any arbitrary host in the internal network
  - The connection can only be made to port 1091
  - The communication stage (state) must be precisely known
    - Dynamic packet filters can keep track of sequence numbers
- If Oscar can do all this, it probably means that there are much bigger security problems with the internal network
Stateful Firewalls

- Most advanced and secure firewall technology
  - Also called stateful packet inspection (SPI)
  - Same as dynamic packet filtering in many cases
- The firewall keeps track of all requests for information from the intranet
  - Scans the destination of an inbound packet to see if it matches the source of a previous outbound request
- This can generally examine multiple layers of the protocol stack
  - Typically at layers 4 and below, but sometimes at the application layer as well
  - Data can also be analyzed if required
  - Blocking can be done at any layer or depth
- The “state” of each packet is determined, hence the name “stateful”
More on Stateful Firewalls

- Stateful firewalls maintain “state” in a connection table
  - Allows them to accomplish a higher level of security than simple packet filters
  - Still possible to fool them because some incoming connections are allowed without outgoing connections being created
- Maintaining state information for UDP and ICMP is hard
  - There is no concept of state for these protocols
  - For UDP, the port numbers are important in maintaining some pseudo-state information
  - Some ICMP messages can have pseudo-states (requests and responses) but one-way ICMP traffic is harder to manage
Some more on Stateful Firewalls

- Filters typically look at only layer 3 and some layer 4 information
  - This is called filtering
- It is possible to examine higher layer information, sequence numbers, and payload as well
  - Example: the state of HTTP and FTP can be examined; the GET command can be examined, or the port number exchange in FTP can be examined
  - This is called stateful inspection
- In stateful firewalls, application layer examination is minimal and abbreviated
  - The entire protocol stack is NOT implemented and it is harder for the firewall to perform a thorough examination
  - It can make the rules extremely complex
Application Level Inspection

- Typically only partial inspection is performed
  - The packets used to initiate the application session are examined
  - Other packets are simply let through
  - Malicious application packets afterwards are not detected
- Detection improves, making it harder to attack in stealth
- Deep packet examination
  - Sometimes needed to detect covert channels or malicious payloads carried by known protocols
  - Example: several worms use SQL or NetBIOS or HTTP to travel over the Internet
  - Sometimes called IPS-Lite (more when we discuss detection)
Filtering vs. Inspection

- What is state?
  - Protocol, sequence numbers, ports, flags, ack nos., application level commands (GET, etc.), timeouts, …
- Blurred line
  - Dropping packets using state information is filtering?
  - Examining packets using state information and application information is inspection?
- How does the firewall handle and track state information?
Examples of Stateful Firewall Products

- Cisco PIX firewall
- Windows firewall is said to be stateful
- Checkpoint
  - Very first stateful firewall products
  - FireWall-1
  - Tracks UDP using pseudo-state information
- Juniper’s NetScreen firewall appliance
- Most new firewalls support dynamic packet filtering
- IPtables and Netfilter are two freely available software firewalls for Linux
Proxy Firewalls or Gateways

- Act as a relay for application/lower level traffic
  - Client contacts the gateway with identification information
  - The gateway contacts the application server and relays packets to and from it
  - It acts on behalf of a client and shields either side from direct connection
- Make two separate TCP connections
  - One between the proxy and the outside host
  - Another between the proxy and the inside host
- The gateway can be made to support only certain services and protocols
  - Example: no JavaScript in HTML pages
More on Proxy Firewalls

- Proxies are both clients and servers
  - To the client connecting to it, a proxy behaves as a server
  - To the server providing network services, it acts as a client
  - To distinguish between the real client and server, often times we refer to the “listener” and “initiator” of the proxy
- Proxies shield the protected system from being viewed by external systems
- Proxies usually run on a dual homed host called a bastion host

[Figure: the protected system reaches the Internet only through the proxy firewall, a dual homed host with IP forwarding disabled]
Bastion Host

- Bastion = fortress
- Bastion hosts are expected to be attacked!
- A bastion host is a system that typically serves as a platform for a proxy firewall
  - It employs a secure version of the operating system
  - Only required services are installed on it
    - E.g. you cannot have a new server installed
  - No user accounts exist on the bastion host
- Proxy modules implement simplified versions of the software
  - Easy to analyze code for loopholes
- Services on bastion hosts
  - Web
  - FTP
  - E-mail
  - DNS
How do clients work with proxies?

- SOCKS approach
  - Use a protocol that allows adding modules to clients to make them “proxy-aware”
  - Client sends request to proxy instead of the real server
- Client transparency
  - Proxy modules masquerade as clients and servers on the fly
  - They intercept packets, connection requests, etc.
  - Client is fooled into thinking it has connected with the real server
  - Proxy needs to be on the network path between client and real server
Types of Proxy Firewalls

- Circuit level gateway
  - Packet filtering ++ at the TCP level
  - Validate and monitor sessions (like stateful packet filters)
- Application level gateway
  - Custom client/server software implemented for each service scrutinized by the firewall
  - Only allows properly formatted packets to go through
Circuit-level Gateway - CLGW

[Figure: a circuit-level gateway relaying “out” and “in” connections between the two sides]

- Idea:
  - Internal users are trustworthy while external ones are not
  - Check connections from inside to outside or vice versa to see if they are allowed
    - Example: check if SYN and ACK sequence numbers are ok
  - All outbound traffic is relayed without inspection
  - All inbound traffic is examined, but minimally or as in the case of a packet filter
More on CLGWs

- Pros
  - Faster than application level gateways
  - Provides some protection by preventing connection to/from certain internal hosts
  - Shields internal network topological and host information
- Cons
  - Minimal examination of packets flowing into the network
  - Cannot restrict protocols that do not use TCP
  - Does not perform application level examination of packets
Application-Level Gateway

[Figure: a client reaches Telnet, FTP, SMTP and HTTP servers only through the per-service proxies on the application-level gateway]

- Prevents direct communication between external servers and internal computers
- Gives users the appearance that they are communicating directly with external servers
- Recreates the application request and response and makes sure they are valid
  - For example, a client accesses a server to get a web page
  - The server serves it with a malicious Java applet
  - The ALGW drops the applet after examining it
- Example 2: FTP disallows the “put” command to prevent writing on to the internal network
Advantages of Proxy Firewalls

- Maintain detailed audit information
  - Sysadmins can monitor violations of security policies easily
  - Logs are extremely useful
- Prevents information leakage
  - What the IP addresses in the protected network are, what OSs are running (based on TTL, window size), etc.
- Better than packet filters
  - Not susceptible to IP spoofing
  - Supports user authentication
  - Less complex filtering rules; the rules are within the proxied application itself
Other Uses

- Reverse proxy
  - Earliest proxy firewalls
  - An internal user trying to connect to the outside through a proxy is what we call a “forward” proxy
  - A user connecting from outside to internal services is called a “reverse proxy”
  - Enables monitoring who is accessing what data from your server
  - Can require authentication at the proxy
- Web proxies can cache information, enabling quicker response
- Anonymizing proxies
  - Help prevent digital trails of activities
  - Proxy chaining using SocksChain
Drawbacks of Proxy Firewalls
67
- Could be a single point of failure
- Performance reduction due to processing of many flows at the same host
- Not all network protocols are supported
  - A limited number of services is available
  - If new applications are created, it will be hard to proxy them for a while
- If there is a bug in the OS of the gateway, there could be a severe security breach
- Protocol issues
  - Security protocols like IPsec are incompatible with proxies, hurting end-to-end VPNs
Proxy Tools
68
- FWTK
  - Stands for Firewall Toolkit
  - Developed by Trusted Information Systems (TIS) through a DARPA project in 1993
  - Source code is available, but development has stopped
  - Check http://www.fwtk.org/fwtk/docs/ for documentation
  - Does not support many new protocols like H.323
SOCKS
69
- What is SOCKS?
  - It is a proxy toolkit that can be used with several applications
  - More an enabling technology than a product
  - Applications need not be designed with proxying in mind
- SOCKS is software with the following components
  - A SOCKS server that runs on the firewall
  - A SOCKS client that runs on the internal hosts
  - SOCKS-ified versions of Telnet, FTP, etc.
- SOCKS server
  - Authenticates requests (password-based or Kerberos-based)
  - Authorizes the request
  - Establishes a proxy connection to the other host
  - Relays the data between the two connections
Versions of SOCKS
70
- SOCKS V4
  - Lacks strong authentication
  - Uses TCP headers and IP addresses to grant access
  - Needs the client to resolve domain names
- SOCKS V5
  - Also known as authenticated firewall traversal
  - Has strong authentication (many methods are supported)
  - Performs address resolution proxy services as well
  - Proxies for UDP applications are possible
  - Check http://www.socks.permeo.com/ for more details
Remarks
71
- Proxy firewalls are becoming less significant
  - Not many vendors are marketing proxy firewalls
  - Primarily due to performance issues in high-bandwidth networks
  - Secondarily due to compatibility issues
Other Proxy Firewall Software
72
- Gauntlet
  - Available for both Windows and UNIX environments
  - Offers a wide range of proxied services - FTP, Telnet, HTTP, NetMeeting, RealAudio, Microsoft SQL, etc.
- PORTUS
- Squid
  - Open source web proxy
Other types of firewalls
73
- Cutoff Proxy
  - Combination of a CLGW (Circuit-level Gateway) and packet filters
  - Initially operates as a CLGW and then switches to a dynamic packet filter
  - It creates a direct connection between client and server
  - No longer acts as a listener and initiator
  - Provides a balance between security and performance
- Airgap Proxy
  - Writes the output of the "external" connection to an SCSI e-disk from where it is read by an internal connection
  - Because the direct connection is broken, it is considered to be more secure
Firewall Architectures

SOME CONFIGURATIONS AND EXAMPLES

74
Firewall Architectures
75
- Placement of packet filters and gateways can impact the security
  - Depending on the network layout and protocol, Oscar could get some access, no access, etc.
- Many types of architectures are possible
  - Bastion host - a "fortress" that guards the rest of the private network
  - A bastion host may be single- or multi-homed
  - Network segments may also be isolated
Firewall Configurations (1)
76
Figure: packet filter between the outside and the bastion host (or proxy firewall), with the private network behind
- Screened host firewall, single-homed bastion
  - The packet filter allows only packets addressed to or from the bastion host to pass through
  - Two levels of security
  - If the packet filter is compromised, so is the network
Firewall Configurations (2)
77
Figure: packet filter, DMZ containing the bastion host (or proxy firewall), and the private network behind it
- Screened host firewall, dual-homed bastion
  - Prevents a breach of security when the packet filter is compromised
  - More secure, and prevents any direct physical connection between the private network and the outside world
Example
78
Figure: Outside - Packet Filter - Inside Net0 (containing GW); Inside Net1 and Inside Net2 with hosts H1 and H2
- The gateway is in the DMZ - the outside world can contact GW, but only in a limited way because of the packet filter
- Limited connections are possible between Net1 or Net2 and GW
- Anything can pass between Net1 and Net2
- Outgoing calls are possible from Net1/Net2 to the outside world
Firewall Configurations (3)
79
Figure: outside packet filter, DMZ containing the bastion host (or proxy firewall) and dial-up access, inside packet filter, private network
- Screened subnet firewall
  - Two packet filters are used
  - An isolated subnetwork containing the bastion host and other insecure connections is created
  - There are three levels of defense and the private network is invisible to the rest of the world
  - The rest of the world is invisible to the private network
Example - FTP
80
- Operation
  - The client (user) first opens a "control" channel to the server
  - To set up the data connection, there are two options
- PORT
  - The client sends a PORT command in the control channel
  - It contains an IP address (perhaps a different one) and a random port number of the client
  - The FTP server connects from port 20 to the random port at the client
- PASV - Passive option
More Details of PORT
81
Example - FTP 2
82
- PASV
  - The client sends PASV
  - The server starts listening on a random port and informs the client in the response
  - The client initiates the data channel
  - Could be any new IP address and port number
More Details of PASV
83
Impact on Firewalls
84
- Packet Filter
  - If all incoming TCP connections (SYN) to random ports are disabled, FTP will not work with PORT; it will with PASV
  - Similar impact with dynamic packet filters
- Stateful Firewalls
  - With deep packet inspection, may allow FTP to proceed
- Proxy Firewalls
  - Need to be aware of the two channels and behave appropriately
Potential attack using FTP - 1
85
Figure: screened subnet containing the FTP server and the web server
- The FTP server allows anonymous connections
- The web server also runs Telnet for administrators
- The stateful firewall blocks all inbound connections except those to port 21 on the FTP server and port 80 on the web server
  - It appears that we are protected even if the Telnet service has vulnerabilities
Source: Northcutt et al, Network Perimeter Security
Potential attack using FTP - 2
86
- What does Oscar do?
  - Uses a legitimate FTP connection to upload a file to the FTP server
  - The file contains exploit commands against Telnet
  - Using the control channel, sets the IP address and port number for the data transfer to 136.142.117.132 and 23
  - Uses the command channel and the "RETR" command to retrieve the malicious file
  - The malicious file is, however, sent to the web server at port 23!
- Solution
  - Allow uploads to the FTP server but not downloads from FTP to other servers
  - Use a proxy firewall
    - The proxy can determine that the IP address in the PORT command is an internal IP address and block the transfer
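An added example (not code from the lecture or from any proxy product) of the proxy-side check described in the Solution: the proxy parses the PORT argument and refuses a data target that lies in the protected network, that is not the client on the control connection, or that is a privileged port. The protected range 136.142.117.0/24 and the peer address 203.0.113.7 are assumed values for the example.

```python
"""Proxy-firewall validation of the FTP PORT command.

Added illustration, not code from the lecture or from any product. Assumed
policy (the slide only says 'block internal targets'): the data target named
in PORT must be the client on the control connection, must not lie in the
protected network, and must use an unprivileged port.
"""
import ipaddress

# Assumed protected range; the slide's web server 136.142.117.132 lies in it.
PROTECTED = [ipaddress.ip_network("136.142.117.0/24")]


def parse_port(arg: str):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); ValueError if malformed."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]           # int() raises on non-numeric text
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("value out of range 0..255")
    addr = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def port_allowed(arg: str, peer: str):
    """Return (allowed, reason) for a PORT argument sent by control-connection peer."""
    try:
        addr, port = parse_port(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    if any(addr in net for net in PROTECTED):
        return False, "data target is inside the protected network"
    if addr != ipaddress.ip_address(peer):
        return False, "data target is not the client that sent the command"
    if port < 1024:
        return False, "data target is a privileged port"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the slide's attack aims the data channel at the web server's port 23
    print(port_allowed("136,142,117,132,0,23", "203.0.113.7"))
    print(port_allowed("203,0,113,7,4,1", "203.0.113.7"))
```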
DNS and Firewalls
87
- Implementing DNS in a DMZ topology
  - Prevents outsiders from accessing host names/addresses on the inside
  - Still allows internal users to contact the outside world
DNS and Firewalls - 2
88
Choosing a firewall
91
- Router/firmware-based firewalls
  - Add additional components to a router to enable firewall functionality
  - Expensive, and may sometimes burden the router
- Software-based firewalls
  - Sophisticated
  - Run on dedicated UNIX/Linux or WinNT hosts
  - Require continuous maintenance and support
  - Patches
- Dedicated firewall appliances
  - High performance
  - Plug-and-play installation
Firewall Policies
92
- Common policy
  - Everything is denied except what is explicitly permitted
  - Or what makes it inside the network anyway :-(
- Complexity of a policy may make it unenforceable and inconsistent
  - If a policy is not enforceable, people will ignore the rules
  - Example: "Report all virus attacks" - people clean the virus and move on
  - Must have tools that can collect information related to the "MUSTs" in the policy
- Creating an organization-wide policy is important
  - Risks must be identified, policies must be updated, policies for mobile employees must be specified, and extreme care must be taken
Example of iptables firewall
93
Figure: OSI model
Sample of TCP/IP Data Packet
94
Protocol           Contents       OSI Layer
Ethernet           MAC address    Data link
IP                 IP address     Network
TCP                TCP header     Transport
HTTP               HTTP header    Application
Application Data   Web page       Data
Security Business Process
95
1. Develop a network use policy
2. Map out the services needed outward and inward
3. Convert the network use policy and needed services into firewall rules
4. Implement and test for functionality and security
5. Review and test your firewall rules on a periodic basis
iptables
96
- Linux open-source firewall
  - Website: www.netfilter.org
  - Also available as a module for many Linux admin software packages
- Basic built-in chains used by rule sets
  - INPUT
  - FORWARD
  - PREROUTING
  - POSTROUTING
  - OUTPUT
- Command line form
  - iptables <command> <rule-specification> [extensions]
Example of Commands
97
Command              Description
-A chain             Append one or more rules to the chain
-I chain rulenum     Insert a rule into the chain at position rulenum
-D chain             Delete a rule from the indicated chain
-L                   List all rules
-F                   Flush all the rules in the chain
-P chain policy      Set the default policy of a chain
Example of Rule-Specification
98
Rule Specification   Description
-p protocol          Match a certain protocol
-s address/mask      Match the source IP address and mask (ports are matched with --sport/--dport)
-j target            What to do with the packet if it matches the specification
                       DROP - drop without any further action
                       REJECT - drop and send an error packet in return
                       LOG - log the packet to the system log
                       MARK - mark the packet for further action
                       REDIRECT - redirect the packet
Creating an iptables Firewall
99
- 0. Assume that your local LAN subnet is 192.168.0.1 - 192.168.0.254,
  - the eth1 interface is your local LAN connection and
  - the eth0 interface is your Internet or WAN connection
- 1. Start by eliminating any existing rules with a Flush command:
  iptables -F FORWARD
- 2. Flush the other chains:
  iptables -F INPUT
  iptables -F OUTPUT
- 3. Put your standard "deny all" statement right up front.
  iptables -P FORWARD DROP
  iptables -A INPUT -i eth0 -j DROP
Creating an iptables Firewall (2)
100
- 4. To accept fragmented packets in iptables, this must be done explicitly.
  iptables -A FORWARD -f -j ACCEPT
- 5. Prevent spoofing and smurf attacks (DENY is an ipchains target; the iptables target is DROP)
  iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
  iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 -j DROP
- 6. Allow only connections initiated from inside (the SYN,ACK reply of an inside-initiated connection is matched; --tcp-flags takes a mask and a comparison list, and --dports/--sports need the multiport match)
  iptables -A FORWARD -p tcp -m multiport -i eth0 -d 192.168.0.0/24 --dports www,smtp --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
  iptables -A FORWARD -p tcp -m multiport -i eth0 -d 192.168.0.0/24 --sports www,smtp --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
Creating an iptables Firewall (3)
101
- 7. Accept incoming connections from outside only on certain ports
  iptables -A FORWARD -p tcp -m multiport -i eth0 -d 192.168.0.0/24 --dports smtp --syn -j ACCEPT
- 8. Allow outgoing connections to be initiated by users, but only on the specific protocols (outgoing packets enter the firewall on the LAN interface eth1; "anywhere" is 0.0.0.0/0, since a bare 0.0.0.0 matches only that one address)
  iptables -A FORWARD -p tcp -m multiport -i eth1 -d 0.0.0.0/0 --dports www,smtp --syn -j ACCEPT
- 9. Allow certain incoming UDP packets (queries to an internal DNS server, and replies to queries sent from inside)
  iptables -A FORWARD -p udp -m multiport -i eth0 -d 192.168.0.0/24 --dports domain -j ACCEPT
  iptables -A FORWARD -p udp -m multiport -i eth0 -d 192.168.0.0/24 --sports domain -j ACCEPT
Creating an iptables Firewall (4)
102
- 10. Allow all types of internal ICMP outwards, but only certain types such as echo-reply inwards (ICMP has no ports; types are selected with --icmp-type: 0 = echo-reply, 3 = destination-unreachable, 8 = echo-request, 11 = time-exceeded)
  for t in 0 3 11; do iptables -A FORWARD -p icmp --icmp-type $t -i eth0 -d 192.168.0.0/24 -j ACCEPT; done
  for t in 8 3 11; do iptables -A FORWARD -p icmp --icmp-type $t -i eth1 -d 0.0.0.0/0 -j ACCEPT; done
  - Note: the step 5 rule already drops all inbound ICMP to the LAN, so the inbound rule here only takes effect if it is placed before that rule
- 11. Set up logging (packets reaching the end of FORWARD are logged and then hit the DROP policy)
  iptables -A FORWARD -p tcp -j LOG
  iptables -A FORWARD -p udp -j LOG
  iptables -A FORWARD -p icmp -j LOG