Week 05 Slides

Uploaded by

vams.akula

CPSC 506

Computer Security I
<MEETING TIME AND INSTRUCTOR>
WEEK 5

Ch. 9: Firewalls and Intrusion Prevention Systems
Why we need firewalls (1)
Being connected to the internet is no longer optional for organizations.
Why we need firewalls (2)
Host-based Security is Not Enough.
◦ Keeping defenses up-to-date on a diversity of hosts is not easy (people bring their laptops to work)
◦ Need centralized, network-based intrusion prevention.
What is a firewall?
A network appliance installed between the premises network and the Internet, to establish a controlled link and to erect an outer security wall or perimeter.
What must a firewall do?
Firewall design goals:
1. It must be the only point of access to the network; all traffic from inside to outside, and vice versa, must pass through the firewall.
2. It must allow only authorized traffic to pass, as defined by the local security policy.
3. The firewall must itself be secure against penetration.
Limitations of firewalls
What they can’t do:
Protect against attacks that bypass the firewall
◦ “Dial-in” capability, improperly secured VPNs
◦ Wireless networks that inadvertently enable communication between systems on different sides of the firewall

Protect fully against internal threats
◦ Disgruntled employees
◦ Organization members who purposefully or unknowingly cooperate with an external attacker (including malware downloads)
◦ Portable/mobile devices that are infected outside the network and then attached and used internally.
Policy, policy, policy
The total set of rules and behaviors determining what traffic a firewall lets through constitutes its access policy.
This policy must be thoroughly understood and vetted by the security staff, and be matched to the organization’s security policy.
◦ Key is awareness of exactly what your firewall is and isn’t letting through.
Firewall technology
Four Types of Firewall Technology
Differences in firewall capability relate to the protocol layers at which the traffic is analyzed, the
sophistication of the analysis, and whether the firewall actively modifies traffic.
1. Packet filtering
2. Stateful inspection
3. Application proxy
4. Circuit-level proxy
Of course, any given box may implement more than one type.
Type 1: Packet Filtering Firewall
The most basic firewall technology.
Applies rules to each incoming or outgoing packet individually, either forwarding or discarding the packet.
Rules match fields in the IP and transport headers:
◦ Direction, source IP, destination IP, transport protocol, source port, destination port
◦ May also check flags
Background: more about TCP and ports
Common client/server protocols use a known, fixed port on the server side.
◦ SSH: port 22
◦ SMTP: port 25
◦ HTTP: port 80

This allows firewalls to limit incoming traffic to servers to known protocols and ports.

However, clients will connect from a random “high port”, between 1024 and 65535.
◦ The firewall must allow this traffic for the protocols to work
◦ But it can potentially allow attack traffic as well.
Packet Filter Firewall Rule Tables
Each row is a rule.
Packets are matched against each rule from top to bottom.
At the first rule that matches, that row’s action (permit or deny) will be taken, and matching will stop.
This means that the order in which rules are written is important.

Sample packet filtering rules

Subset of rules relating to SMTP traffic, which uses port 25 for incoming connections.
Allows all incoming and outgoing high port traffic
This also prevents some kinds of source address spoofing – how?
Packet filtering policies and rules
The way a table of firewall rules is set up indicates one of two types of default policy:
Default-discard: reject every packet unless there is a rule to permit it
◦ A more secure default: can stop attacks that have not been anticipated
◦ Could interfere with normal work and be seen as too restrictive (however, “allow” rules can be written broadly enough to cover most expected traffic.)
◦ What will a table implementing a default-discard policy look like?

Default-forward: let every packet pass unless there is a rule to stop it
◦ Requires rules to stop each known threat; not likely to protect against new threats
◦ What will a table implementing a default-forward policy look like?
More advanced rule

Direction  Src Address  Src Port  Dest Address  Protocol  Dest Port  Flag  Action
In         External     25        Internal      TCP       >1023      ACK   Permit

Source port and flag fields ensure that incoming packets at a high port are responses to SMTP protocol messages.
Note: All TCP headers after the first packet in a session have the ACK bit set.
Does this prevent all unwanted high port traffic?
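A first-match evaluator for rule tables like the ones above, added here as an example (it is not code from the slides or the textbook). The SMTP_RULES table is constructed to mirror the SMTP subset and the “more advanced rule” (source port 25 plus ACK) with a default-discard rule last; addresses are simplified to the zones “internal” and “external”.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    src: str            # zone of the source address: "internal" or "external"
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag set?

@dataclass(frozen=True)
class Rule:
    direction: Optional[str]  # None = either direction
    src: Optional[str]        # None = any address
    sport: Optional[str]      # "25", ">1023", or None = any port
    dst: Optional[str]
    dport: Optional[str]
    ack: Optional[bool]       # None = flag not examined
    action: str               # "permit" or "deny"

def port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)

def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.direction in (None, p.direction)) and (r.src in (None, p.src))
            and port_matches(r.sport, p.sport) and (r.dst in (None, p.dst))
            and port_matches(r.dport, p.dport) and (r.ack in (None, p.ack)))

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides, so the order of the rows matters."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "deny"  # nothing matched: behave as default-discard

# Constructed rule table for SMTP (port 25), all TCP, ending in a default-discard rule.
SMTP_RULES = [
    Rule("in",  "external", None, "internal", "25",    None, "permit"),  # mail arriving at our server
    Rule("out", "internal", "25", "external", ">1023", None, "permit"),  # our server's replies
    Rule("out", "internal", None, "external", "25",    None, "permit"),  # mail we send out
    Rule("in",  "external", "25", "internal", ">1023", True, "permit"),  # replies to our client: the advanced rule
    Rule(None,  None,       None, None,       None,    None, "deny"),    # default-discard
]
```

With this table an inbound packet whose source address is internal matches no permit row (that is the spoofing case the earlier slide asks about), and a packet from source port 25 without ACK is also dropped; an ACK-flagged packet with a forged source port 25 still passes, which is the gap stateful inspection closes.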
Limitations of packet filtering
The weaknesses of packet filtering stem from its only analyzing lower-layer traffic data, and from analyzing each packet in isolation (statelessly).
◦ Cannot associate packets to “understand” traffic patterns consisting of multiple packets
◦ Cannot prevent attacks that exploit upper-layer vulnerabilities
◦ Hard to generate logs with useful information
IP Fragmentation Attack (tiny fragment attack)
A way of “sneaking traffic past the firewall rules”
In the course of being routed, an IP packet may be broken up into multiple packet fragments (to be reassembled at the destination).
If the fragments are very small, the transport (TCP) header may not be included in the first fragment.
Packet filters traditionally examine only the first fragment, for efficiency’s sake.
An attacker may purposefully cause fragments to be very small, so the transport header information will not be in the first fragment and will not be scanned.
Solution: drop all packets that don’t contain a predefined minimum amount of the transport header (enough to test against the rules properly).
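The minimum-transport-header check described above, as an added example (not code from the slides or the textbook). The TCP_MIN_HEADER value, the IpFragment fields and the sample fragments are constructed here; the second check in accept_fragment (dropping a later fragment that would land inside the header region) goes slightly beyond the slide’s stated solution.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_MIN_HEADER = 20  # assumed policy value: a first fragment must carry the full fixed TCP header

@dataclass(frozen=True)
class IpFragment:
    offset: int      # payload offset in bytes (IP fragment offset field * 8); 0 = first fragment
    payload: bytes   # transport-layer bytes carried by this fragment

def accept_fragment(frag: IpFragment, min_header: int = TCP_MIN_HEADER) -> bool:
    """The slide's mitigation: drop a first fragment that carries fewer than
    min_header bytes of the transport header. Beyond the slide: also drop a
    later fragment whose data would land inside that header region, since it
    could overwrite port or flag bytes the filter already tested."""
    if frag.offset == 0:
        return len(frag.payload) >= min_header
    return frag.offset >= min_header

def tcp_fields(frag: IpFragment) -> Optional[Tuple[int, int, bool]]:
    """Return (src_port, dst_port, ack_set) from an acceptable first fragment,
    or None when the fragment must not be rule-checked at all."""
    if frag.offset != 0 or not accept_fragment(frag):
        return None
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", frag.payload[:14])
    return sport, dport, bool(flags & 0x10)   # 0x10 is the ACK bit

# Constructed samples: a complete 20-byte TCP header for an SMTP reply (port 25 -> 1035,
# ACK set), then the same header split into an 8-byte first fragment and the remainder.
FULL_HEADER = struct.pack("!HHIIBBHHH", 25, 1035, 1, 1, 5 << 4, 0x10, 8192, 0, 0)
WHOLE = IpFragment(0, FULL_HEADER)
TINY_FIRST = IpFragment(0, FULL_HEADER[:8])    # ports only; the flags byte is missing
TINY_REST = IpFragment(8, FULL_HEADER[8:])     # would supply the flags after the check
```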
Firewall Type 2: Stateful inspection
Traditional stateless packet filters consider each packet in isolation – no memory.
Stateful inspection keeps track of established TCP sessions with a table.
Typical configuration: table records outgoing connections established by clients on the LAN; incoming high port traffic is allowed only when it corresponds to an existing connection.
Stateful Inspection Example

Incoming packets: allowed or denied?

Source address  Source port  Destination address  Destination port
216.32.42.123   80           192.168.1.102        1031
173.66.32.122   80           192.168.1.100        1030
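A stateful filter in the “typical configuration” described above, added here as an example (not code from the slides or the textbook). The connection table is constructed for this illustration (it is not the table from the slide), so the verdicts for the two packets above follow from that constructed state; 198.51.100.7 and 203.0.113.9 are documentation addresses.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # True only for the packet that opens a connection

# Table entry: (internal address, internal port, external address, external port)
Conn = Tuple[str, int, str, int]

class StatefulFilter:
    """Records connections opened by LAN clients; admits inbound high-port
    traffic only when it belongs to one of them."""

    def __init__(self, internal_prefix: str = "192.168.1."):
        self.internal_prefix = internal_prefix
        self.table: Set[Conn] = set()

    def outbound(self, pkt: Packet) -> str:
        if not pkt.src_ip.startswith(self.internal_prefix):
            return "deny"          # only LAN addresses may originate outbound traffic
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn:
            self.table.add(conn)   # new session: remember it
            return "permit"
        return "permit" if conn in self.table else "deny"

    def inbound(self, pkt: Packet) -> str:
        # Look up the reverse direction of a recorded connection. Unlike the
        # stateless "source port 25 + ACK" rule, a forged source port or flag
        # does not help here: there is simply no table entry for it.
        conn = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "permit" if conn in self.table else "deny"
    # Entries would also be removed on FIN/RST or after a timeout; omitted here.

def build_example() -> StatefulFilter:
    """Constructed state: 192.168.1.102 has opened a web session to 216.32.42.123,
    and 192.168.1.100 has one open to 198.51.100.7 (not to 173.66.32.122)."""
    fw = StatefulFilter()
    fw.outbound(Packet("192.168.1.102", 1031, "216.32.42.123", 80, syn=True))
    fw.outbound(Packet("192.168.1.100", 1030, "198.51.100.7", 443, syn=True))
    return fw
```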

Type 3: Application-level Gateway
Active intervention in traffic: proxy with authentication service
1. Client contacts the gateway, asking to use a certain application protocol (FTP, HTTP) with a remote host
2. Client provides authentication information to gateway
3. If accepted, gateway contacts the remote host and relays the TCP data
Generally more secure: only traffic for supported applications by authenticated users can get through.
Disadvantages: processing overhead, may be seen as restrictive.
Type 4: Circuit-level Gateway
A proxy at the transport layer, for determining which TCP connections are allowed.
Sets up two TCP connections, one between the client and the gateway and another between the gateway and the remote host.
Allows less fine-grained control than application-level gateways, but is more flexible.
◦ Internal hosts are not limited to specific application-layer protocols
◦ (though client software must be configured to connect through the proxy server)

SOCKS: the de facto standard protocol for circuit-level gateways.
Firewall Basing
WHERE FIREWALL FUNCTIONS ARE IMPLEMENTED
Dedicated firewalls
A stand-alone host running a (hardened) Unix or Linux operating system, plus firewall software
A software module in a router or a LAN switch

The common factor in these is that they protect more than one host.
Host-based (Server-based) firewalls
Having each host or server on the network have its own firewall gives an additional layer of security as well as flexibility.
◦ Can have additional restrictions tailored to the security needs of the server, without affecting the rest of the network.

Packet filtering is built into the Linux kernel through the netfilter framework, and managed by iptables (and more recently, the firewalld service).
◦ Stateless or stateful

In BSD Unixes the most prevalent firewall is called pf (for packet filter), which also has stateful features.
Having host-based firewalls in addition to standalone firewalls is a Good Idea™.
Personal Firewalls
A software feature of end-user operating systems.
Much less complex than server-based or standalone firewalls – primarily for preventing unauthorized remote access.
Typically default to block all incoming connections, except for specifically allowed application protocols.
Windows Firewall Profiles
When you connect to a new network, Windows asks you which kind it is: home, work, or public. This information is used to turn on a specific firewall policy.
Three basic policies, set separately for each network interface:
Public: most restrictive, very few inbound connections allowed
Private: assumes network is isolated from the internet, allows more inbound connections
Domain: least restrictive – for when the machine is connected to an organization domain whose security is managed independently
Firewall location and network configuration
Term: Bastion Host
A term for any system identified as a critical strong point in the network’s security.
◦ As the word ‘bastion’ implies, it must be able to withstand attacks.
◦ Are the most exposed systems on the network

Often refers to the platform for a firewall or gateway.

Features of a bastion host:
◦ Runs only essential services
◦ Hardened version of operating system
◦ Has no access to other internal networks or hosts
◦ Each proxy run in isolation from all the others

Simplest firewall configuration
Single firewall at perimeter to protect the network
◦ If firewall is in the router it’s called a screening router
◦ If firewall is between external and internal router it’s single bastion inline

For small or medium-sized companies

Security Zones
In most organizations, different hosts need different levels of exposure to and protection from the outside internet.
◦ Web and email servers have more contact with the outside world than, e.g., internal business servers

Don’t want the more public-facing machines, if compromised, to be used to attack the more sensitive machines.
Solution: different network zones in which different rules apply.
One of the most commonly used types of zones is the DMZ (“Demilitarized zone”).
◦ Named because it’s the portion of the internal network with the most exposure to the Internet
◦ Web servers, VPN servers, etc. are typically placed in the DMZ network.
◦ Sensitive information should not be placed on hosts in the DMZ, and their privileges should be minimized

Zones can be implemented with multiple firewalls, or a single firewall with multiple NICs. We’ll see different layouts, or topologies, for security zones on a network.
Double Bastion Inline
Two firewalls, for the DMZ network and the more protected internal network.
Internal firewall provides additional layer of defense for internal hosts.
The two firewalls are in-line, so traffic must pass through the external firewall to even reach the internal firewall.
[Diagram: DMZ]

Other configuration: Single Bastion T
Firewall has a third network interface (making a T shape), essentially acting as two separate firewalls for the DMZ and internal networks.

Double Bastion T
A Real Firewall Configuration
We’ll look at the configuration dialogs for a SonicWall™ firewall that has five interfaces.

Distributed Firewalls
If there are
◦ One or more stand-alone firewalls,
◦ Host-based firewalls,
and these are together centrally administered, this is known as a distributed firewall configuration.
Virtual Private Networks (VPNs)
Telecommuters, online students, etc. increasingly need access to organizational networks from the outside.
But it’s too much of a security risk for organizations to expose their network resources to the public internet.
Solution: VPNs allow connecting to an organizational network through an insecure network (the internet).
◦ Should be transparent at the application layer: access to resources should work the same whether accessing through the local network or on the VPN.
◦ How? Encryption and authentication in the lower protocol layers: packets are encrypted and authenticated
◦ Establishing a VPN connection is an example of “secure tunneling”
◦ Managed by a gateway appliance, which encrypts, decrypts, and forwards traffic.
◦ Most common encryption for establishing VPNs: IPSec.
VPNs
Internal traffic on the company’s LAN is not (necessarily) encrypted.
IPSec authentication and encryption may be done inside the firewall or within the firewall.
Firewall authenticates and decrypts VPN packets; they are forwarded onto the local network as if local traffic.
The remote client receives a virtual IP address on the network; packets sent to this IP are intercepted by the firewall and encrypted for transmission to the client.
Summary of defense technologies
Antivirus/Anti-malware
◦ Behavior blocking
Firewalls / IPS
◦ Web Filtering
VPNs
Spam filters
IDS:
◦ Signature-based, heuristic
◦ Anomaly detection

Why not put them all in one box?

Unified Threat Management (UTM) products
Single device integrating a variety of approaches to dealing with network-based attacks.
Advantage of integrating multiple data sources in a unified analysis engine – can potentially be “smarter” than separate appliances that don’t share information.
◦ Potentially also simplifies network administration

Main disadvantage: hard to make it fast enough – a ton of processing to be done before your network data gets through.
Assignments
1. Read through Chapter 9 of the textbook
2. Homework 5, posted on Blackboard
3. Lab activity: A Simulated Firewall Environment
