IP Cyber Security Unit 2: Firewalls
UNIT 2 Content: • Firewalls in general: basic operation and architecture • Main border firewalls using stateful inspection • Screening firewalls using static packet inspection • Network address translation (NAT) • Application proxy firewalls • Antivirus filtering • Demilitarized zones (DMZs) + IDS/IPS
Security Technology (Measures or Tools)
• Firewalls
  • A system or group of systems that enforces a network access control policy
  • Filters data packets going in and out of the protected network
  • Strength relies entirely on configuration
  • Governs the flow of data into and out of a Local Area Network
  • Separates a private network (LAN) from the public IP Net
  • Helps defend against the following attacks:
    • Denial of Service (DoS) attacks (only in part: a firewall can drop unwanted traffic but cannot stop its own uplink from being saturated)
    • Unauthorized access
    • Port scanning and probing
• Intrusion Detection Systems
  • Complement firewalls by detecting whether internal assets are being attacked or exploited
  • Network-based Intrusion Detection
    • Monitors real-time network traffic for malicious activity
    • Similar to a network sniffer
    • Raises alarms for network traffic that matches known attack patterns or signatures
  • Host-based Intrusion Detection
    • Monitors a computer's or server's files, logs and processes for anomalies
    • Raises alarms for host activity that matches a predetermined attack signature
  • Helps defend against the following attacks:
    • Denial of Service (DoS) attacks
    • Website defacements
    • Malicious code and Trojans
Security Technology (Measures or Tools)
• Virus Protection
  • Software should be installed on all network servers as well as on client computers
  • Must run the latest engine version together with current signature files (patterns of known viruses)
  • Should screen all software coming into the computer or network (files, attachments, programs, etc.)
  • Helps defend against the following attacks:
    • Viruses and worms
    • Malicious code and Trojans
• Authentication and Authorization
  • Authentication
    • Comes in (3) forms: what you have, what you know, or what you are
      • Have: smartcard, token
      • Know: password or PIN
      • Are: fingerprint, retina scan
    • Two-factor authentication is much stronger than any single factor: it combines (2) of the (3) listed means (e.g. an ATM card plus its PIN)
    • Password (most common)
      • Should be at least (8) characters mixing letters, numbers and symbols
      • Should be changed at least every (90) days (note: current NIST SP 800-63B guidance favours long passphrases and forces a change only when compromise is suspected)
      • Should lock the account after (3) failed attempts
  • Authorization
    • What an individual has access to once authenticated
  • Helps defend against the following attacks:
    • Unauthorized access
Security Technology (Measures or Tools)
• Encryption
  • Protects data in transit or stored on disk
  • The act of enciphering and deciphering data with cryptographic keys; without the appropriate keys the data cannot be read
  • Common uses of encryption include the following technologies:
    • Virtual Private Networking (VPN): used to secure data transfer across the IP Net
    • Secure Sockets Layer (SSL, today superseded by TLS): used to secure client-to-server web-based transactions
    • S/MIME: used to secure e-mail messages
    • Wired Equivalent Privacy (WEP) protocol: the original Wi-Fi encryption; its RC4 keying is broken and it has been replaced by WPA2/WPA3, so it must not be relied upon today
  • Helps defend against the following attacks:
    • Data sniffing and spoofing
    • Wireless attacks
Assessment and Auditing
• Assessment (Risk and Vulnerability)
  • Process by which an organization identifies what needs to be done to achieve sufficient security
  • Involves identifying and analyzing threats, vulnerabilities, attacks, and corrective actions
  • Key driver of the information security process
  • Should be conducted by an independent third party
  • Includes manual and automated (vulnerability scanner) methods
• Auditing
  • Compares the state of a network or system against a set of standards or a policy
  • Role against the attacks listed so far: identifies the weaknesses and vulnerabilities those attacks exploit, before an attacker does
• Data and Information Backups
  • A must for disaster recovery and business continuity
  • Should include daily and periodic (weekly) backups
  • Should be stored off-site, at least (20) miles from the primary location, with 24x7 access
  • Should be kept for at least (30) days in a rotating set of media, and restores should be tested regularly
  • Role against the attacks listed so far: used to restore information compromised by any of them
The Unprotected Network: What could possibly be wrong with this setup? A hackers' paradise and an administrators' nightmare!
What Can We Do? • Fortunately, firewalls can give us very good protection against attacks from the IP Net. • The only problem is that there are numerous firewall strategies. • In order to choose the right strategy we need to know a bit more about the underlying communication protocol suite, TCP/IP.
Intranets • An intranet is a network that employs the same types of services, applications, and protocols present in an IP Net implementation, without involving external connectivity • Intranets are typically implemented behind firewall environments.
Extranets • An extranet is usually a business-to-business intranet • Access for remote users is controlled via some form of authentication and encryption, such as that provided by a VPN • Extranets employ the TCP/IP protocols, along with the same standard applications and services
Type of Firewalls • Firewalls fall into four broad categories • Packet filters • Circuit level • Application level • Stateful multilayer
1. Packet Filters: A Simple Packet Filter Firewall. This must be really secure...? • A packet filter decides on each packet in isolation, using only header fields (source and destination address, port numbers, protocol); it keeps no record of connections, which is the weakness the later firewall types address.
2. Circuit Level • Circuit level gateways work at the session layer of the OSI model, i.e. the transport (TCP) layer of TCP/IP • They monitor the TCP handshake between the two hosts to determine whether a requested session is legitimate, and relay the data once the session is established
3. Application Level • Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific • A gateway configured as a web proxy will not allow any FTP, Gopher, Telnet or other traffic through, because it only understands HTTP
4. Stateful Multilayer • Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls • They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer
A Stateful Firewall Can Do That • A stateful firewall is an advanced packet filter that keeps track of the state of the network connections passing through it. • Whenever a packet arrives at the stateful firewall, it checks whether the packet matches an ongoing connection in its state table. • If a match is found the packet can pass through. • If no match is found, the packet is either a connection-opening packet, which is judged against the firewall's rules, or a stray packet that belongs to no known connection and is dropped.
[Figure: a legitimate packet from a legitimate host on the IP Net is allowed by the firewall, recorded in the log file, and reaches a hardened server or hardened client PC on the internal corporate network; an IDS and a network management console observe the traffic]
[Figure: an attack packet from the attacker is denied by the firewall and recorded in the log file; the IDS and network management console are alerted, and the internal corporate network never receives it]
[Figure: Firewall Architecture (Single Site). From the IP Net inward: Screening Router Firewall, Main Border Firewall, Internal Firewall. Labelled hosts: 172.18.9.x subnet with the Public Webserver (184.108.40.206) and External DNS Server (220.127.116.11), each protected by a Host Firewall; SMTP Application Proxy Server (18.104.22.168); HTTP Application Proxy Server (22.214.171.124); Marketing Client on the 172.18.5.x subnet; Accounting Server on the 172.18.7.x subnet]
[Figure: Defense in Depth with Firewalls. From the IP Net inward: a screening border router running packet filter firewall software, the main firewall (a stateful inspection firewall) at the site border, application firewalls for e-mail, HTTP, etc., and clients with host firewall software]
Basic Firewall Operation (figure sequence, labels recovered from the slides)
1. IP Net (not trusted), where both the attacker and legitimate users sit
2. IP Net border firewall between the IP Net and the internal corporate network (trusted)
3. Attack packet arrives from the IP Net
4. Attack packet dropped on ingress and recorded in the log file
5. Legitimate packet passed on ingress to the internal corporate network
6. Attack packet that got through the firewall is met by hardened hosts (hardened client PC, hardened server): hardened hosts provide defense in depth
7. Egress: packets leaving the internal network are also filtered; a packet destined for the attacker is dropped and logged, legitimate packets are passed
Packet Filter RuleBase • Any type of access from the inside to the outside is allowed. • No access originating from the outside to the inside is allowed except for SMTP and HTTP. • SMTP and HTTP servers are positioned “behind” the firewall.
• The example uses the network 192.168.1.0/24; the trailing "0" denotes the network itself, whose host addresses range from 192.168.1.1 to 192.168.1.254 (192.168.1.255 is the broadcast address). • The firewall accepts a packet, examines its source and destination addresses and ports, and determines which protocol is in use. • The firewall starts at the top of the rule base and works down through the rules; the first rule that permits or denies the packet decides, and the firewall takes the corresponding action. Because the first match wins, the order of the rules is part of the policy. • Accept: the firewall passes the packet through as requested, subject to whatever logging may or may not be in place. • Deny: the firewall drops the packet without forwarding it and returns an error message to the source system (typically an ICMP "destination unreachable" or a TCP reset; many products call this "reject"). The "Deny" action may or may not generate log entries depending on the rule base configuration. • Discard: the firewall drops the packet and returns no error message at all. This implements the "black hole" approach in which the firewall does not reveal its presence to an outsider. "Discard" may or may not generate log entries.
• Rule 1 permits return packets from external systems to reach the internal systems, completing connections the inside opened: it is assumed that if a connection to an external system was permitted, then the return packets from that system should be permitted as well. A static filter has no memory of connections, so it can recognise "return" packets only by header bits, typically the TCP ACK flag; a crafted packet with ACK set (an ACK scan) matches this rule too, which is exactly the gap stateful inspection closes. • Rule 2 forbids forwarding any packet whose source address is the firewall's own address. Such a packet indicates that an attacker is spoofing the firewall's address, hoping the firewall will pass it to an internal destination that accepts it because it appears to come from the trusted firewall. • Rule 3 simply blocks external packets from directly accessing the firewall. • Rule 4 allows internal systems to connect to external systems, using any external address and any protocol. • Rules 5 and 6 allow external packets past the firewall if they carry SMTP or HTTP data, i.e. e-mail and web, respectively. • The final rule blocks any other packets from the outside.
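The seven-rule policy above, coded as an added example (not part of the lecture material) so the first-match semantics and the Accept/Deny/Discard distinction can be exercised on constructed packets. The internal network 192.168.1.0/24 is the one from the text; the firewall's own address 192.168.1.1, the DISCARD choice for the two anti-firewall rules, and the sample addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for the example.

```python
"""Static packet-filter rule base with first-match semantics.

Added example, not part of the original lecture material. It models the
seven-rule policy described in the text for the 192.168.1.0/24 network:
every packet is matched against the rules from the top and the first hit
decides ACCEPT, DENY (drop and tell the sender) or DISCARD (drop silently).
The firewall's own address 192.168.1.1 is an assumption; the slides give none.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "192.168.1.0/24"
FIREWALL = "192.168.1.1"  # assumed address of the filtering router itself


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP ACK flag; set on every segment except the opening SYN


def _match_addr(spec: Optional[str], addr: str) -> bool:
    """spec is None (any), a network/host, or '!' + network (anything outside it)."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"))
    return hit != negate


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "ACCEPT", "DENY" or "DISCARD"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (_match_addr(self.src, p.src)
                and _match_addr(self.dst, p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


# The rule base from the text, in the order the text gives it.
RULEBASE = [
    # 1. Return packets for connections the inside opened. A static filter has
    #    no memory of connections, so "return traffic" can only be approximated
    #    by the ACK bit being set.
    Rule("return-traffic", "ACCEPT", src="!" + INTERNAL, dst=INTERNAL, proto="tcp", ack=True),
    # 2. Nothing may claim the firewall's own address as source (spoofing).
    #    DISCARD (silent) is an assumption: it keeps the firewall invisible.
    Rule("anti-spoof-firewall", "DISCARD", src=FIREWALL),
    # 3. Outsiders may not talk to the firewall itself.
    Rule("protect-firewall", "DISCARD", src="!" + INTERNAL, dst=FIREWALL),
    # 4. Inside may connect anywhere outside, any protocol.
    Rule("outbound", "ACCEPT", src=INTERNAL, dst="!" + INTERNAL),
    # 5/6. Inbound SMTP and HTTP to the servers behind the firewall.
    Rule("inbound-smtp", "ACCEPT", dst=INTERNAL, proto="tcp", dport=25),
    Rule("inbound-http", "ACCEPT", dst=INTERNAL, proto="tcp", dport=80),
    # 7. Everything else from outside is rejected (an error goes back).
    Rule("default-deny", "DENY"),
]

# What the source system observes for each action.
SENDER_SEES = {
    "ACCEPT": "packet forwarded",
    "DENY": "error returned (ICMP unreachable or TCP RST)",
    "DISCARD": "nothing: the packet vanishes into the black hole",
}


def evaluate(p: Packet, rulebase=RULEBASE) -> tuple:
    """Return (action, rule name) of the first matching rule."""
    for rule in rulebase:
        if rule.matches(p):
            return rule.action, rule.name
    return "DISCARD", "implicit-default"  # only reached if the final catch-all is removed


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        Packet("203.0.113.5", "192.168.1.10", dport=80),                          # outsider to web server
        Packet("203.0.113.5", "192.168.1.10", dport=22),                          # outsider to SSH: rejected
        Packet("192.168.1.10", "198.51.100.7", sport=40000, dport=443),           # inside opens HTTPS
        Packet("198.51.100.7", "192.168.1.10", sport=443, dport=40000, ack=True), # its reply
        Packet("192.168.1.1", "192.168.1.10", dport=25),                          # spoofed firewall source
        Packet("203.0.113.5", "192.168.1.10", dport=22, ack=True),                # ACK scan slips past rule 1
    ]
    for pkt in samples:
        action, name = evaluate(pkt)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport} ack={pkt.ack}: {action} by {name}; sender sees {SENDER_SEES[action]}")
```

The last sample packet is the point to take away: with ACK set, a probe to a port the policy never opened is accepted by rule 1, because a static filter cannot tell a genuine reply from a forged one. Swapping rules 1 and 2 would not help either; only a record of which connections the inside actually opened does.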
Opening Connections in Stateful Inspection Firewalls • Default Behavior • Permit connections initiated by an internal host (egress: inside to outside) • Deny connections initiated by an external host (ingress: outside to inside) • The default behavior can be changed with access control lists (ACLs) for ingress and egress
[Figure: a connection attempt from an internal host out to the IP Net is automatically accepted; a connection attempt from the IP Net through the router to an internal host is automatically denied]
Permitting Incoming Connections in a Stateful Inspection Firewall • The default behavior can be modified by access control lists (ACLs) • An ingress ACL permits some externally-initiated connections to be opened • An egress ACL prohibits some internally-initiated connections from being opened • Decisions are made on the basis of IP address, TCP or UDP port number, and/or IP protocol number • ACLs are sets of if-then rules applied in order; the first rule that matches decides
Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL) • 1. If TCP destination port = 80, allow connection • [Passes HTTP traffic to any internal host listening on port 80. (Port 80 = HTTP)] • 2. If TCP destination port = 25 AND destination IP address = 126.96.36.199, allow connection • [Passes SMTP traffic only to one specific host, the mail server at that address. (Port 25 = SMTP)] • Rule 2 is safer than Rule 1: the exposed service is tied to a single hardened host instead of every host on the internal network
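The stateful firewall described on the "A Stateful Firewall Can Do That" slide together with the default behaviour and ingress ACL on the last three slides, as one added example (not the lecture's own code): a connection table keyed by the 5-tuple, pass-through for packets that match an open connection, egress allowed and ingress denied by default, and the two ingress rules from the slide. The internal network 192.168.1.0/24 is reused from the packet-filter discussion; the mail server 192.168.1.25 stands in for the slide's address, and the single egress rule (only the mail server may open outbound SMTP) is an assumption added to show what an egress ACL looks like.

```python
"""Stateful inspection firewall: connection table plus ingress and egress ACLs.

Added example, not from the original lecture. Packets belonging to a
connection already in the state table pass without consulting any ACL; a
new connection opened from the inside (egress) is allowed unless the egress
ACL forbids it; a new connection opened from the outside (ingress) is denied
unless the ingress ACL permits it. The internal network, the mail server
address and the egress rule are assumptions for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

INTERNAL = ip_network("192.168.1.0/24")
MAIL_SERVER = "192.168.1.25"  # assumed; stands in for the slide's mail server address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


AclRule = tuple  # ("ALLOW" | "DENY", predicate over a Packet)

INGRESS_ACL = [
    ("ALLOW", lambda p: p.proto == "tcp" and p.dport == 80),                          # slide rule 1
    ("ALLOW", lambda p: p.proto == "tcp" and p.dport == 25 and p.dst == MAIL_SERVER),  # slide rule 2
]
EGRESS_ACL = [
    # Assumed rule: only the mail server may open outbound SMTP (stops infected clients spamming).
    ("DENY", lambda p: p.proto == "tcp" and p.dport == 25 and p.src != MAIL_SERVER),
]


class StatefulFirewall:
    def __init__(self, ingress_acl=INGRESS_ACL, egress_acl=EGRESS_ACL):
        self.ingress_acl, self.egress_acl = ingress_acl, egress_acl
        self.table = set()  # 5-tuples of open connections, stored in the initiator's direction
        self.log = []

    @staticmethod
    def _keys(p: Packet):
        """Forward key (as the initiator sent it) and reverse key (as the responder replies)."""
        return (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _first_match(acl, p: Packet, default: str) -> str:
        for action, pred in acl:
            if pred(p):
                return action
        return default

    def handle(self, p: Packet) -> str:
        fwd, rev = self._keys(p)
        # 1. Known connection: pass without any ACL lookup. Close on FIN
        #    (simplified; real firewalls wait for both FIN/ACKs or a RST).
        if fwd in self.table or rev in self.table:
            if p.proto == "tcp" and p.fin:
                self.table.discard(fwd)
                self.table.discard(rev)
            return "PASS"
        # 2. Unknown connection: only a pure SYN may open TCP state, so stray
        #    ACKs (ACK scans, forged mid-stream segments) are dropped outright.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            self.log.append(f"DROP stray {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
            return "DROP"
        inbound = ip_address(p.src) not in INTERNAL and ip_address(p.dst) in INTERNAL
        outbound = ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL
        if inbound:
            decision = self._first_match(self.ingress_acl, p, default="DENY")
        elif outbound:
            decision = self._first_match(self.egress_acl, p, default="ALLOW")
        else:
            decision = "DENY"  # inside-to-inside never crosses the border; outside-to-outside is not ours
        if decision == "ALLOW":
            self.table.add(fwd)
            return "PASS"
        self.log.append(f"DROP new {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return "DROP"


def run_scenario() -> list:
    """Constructed packet sequence (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)."""
    fw = StatefulFirewall()
    seq = [
        Packet("192.168.1.10", "198.51.100.7", "tcp", 40000, 443, syn=True),            # inside opens HTTPS
        Packet("198.51.100.7", "192.168.1.10", "tcp", 443, 40000, syn=True, ack=True),  # reply passes via state
        Packet("203.0.113.5", "192.168.1.10", "tcp", 55555, 22, syn=True),              # outsider to SSH: default deny
        Packet("203.0.113.5", "192.168.1.10", "tcp", 55555, 22, ack=True),              # ACK scan: no state, dropped
        Packet("203.0.113.5", "192.168.1.80", "tcp", 55556, 80, syn=True),              # ingress rule 1
        Packet("203.0.113.5", "192.168.1.10", "tcp", 55557, 25, syn=True),              # SMTP to a client: not rule 2
        Packet("203.0.113.5", MAIL_SERVER, "tcp", 55558, 25, syn=True),                 # ingress rule 2
        Packet("192.168.1.10", "198.51.100.7", "tcp", 40001, 25, syn=True),             # egress ACL denies
        Packet("192.168.1.10", "198.51.100.7", "tcp", 40000, 443, fin=True, ack=True),  # close the HTTPS session
        Packet("198.51.100.7", "192.168.1.10", "tcp", 443, 40000, ack=True),            # late segment: state is gone
    ]
    return [fw.handle(p) for p in seq]


if __name__ == "__main__":
    print(run_scenario())
```

Compare the fourth packet with the ACK-scan case under the static rule base: here it is dropped, because no SYN from the inside ever created an entry for that 5-tuple. The model ignores interface information, so it cannot detect an outsider spoofing an internal source address; a real border firewall adds that check per interface.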