Contents • Firewall • packet-filter firewall: filters at the network or transport layer • proxy firewall: filters at the application layer • NAT • solve the problem of IP address limitation • provide load balance and redundancy • IDS • active detection to monitor the network status • three methods: signature, statistical and integrity • four types: host, network, applications and integrity • Honeypots • a décor to attract hackers
What is a firewall? • A firewall, is a “router, or several routers or access servers, designed as a buffer between any connected public networks and private network.
Protecting Network using Firewall - 1 • Security protocol cannot prevent malicious people from sending harmful message to a system • A firewall is a device (usually a router or computer) installed between internal network and the Internet • Some large companies with a lot of sensitive information also install firewall within their intranet to protect these types of the network resource from unauthorized employee.
Protecting Network using Firewall - 2 Some modern firewall has additional features: • network address translation (NAT) • encryption in data transmission, e.g. VPN • use strong authentication techniques to authenticate users/ports • anti-virus features • easy to use GUI
Requirements of firewall • Efficient access control (easy to use access control list (ACL), such as GUI interface) • Filtering of vulnerable protocols (based on types of protocols) • Network monitoring • Simple management (features such as GUI, web-based, SNMP enabled)
Firewall classification • A firewall is usually classified into two classes • packet-filter firewall • also known as screen router or screening filter • forward and block packets based on information in the network layer and transport layer headers: source, destination, IP address, source and destination port, type of protocol (TCP or UDP) • proxy-based firewall • also known as application gateway • forward and block packets based on the contents of the messages (I.e. at application level traffic)
Packet-filter firewall - 1 • is a router that uses a filtering table to decide which packet must be discard (not forward) • operate at network layer (or transport layer)
Packet-filter firewall - 2 Example of packet filter rules: • incoming packet from 220.127.116.11 are blocked • incoming packet destined for any internal TELNET (port 23) are blocked • incoming packets destined to internal host 18.104.22.168 are blocked (this host for internal use) • outgoing packets destined for an HTTP server (port 80) are blocked. (i.e. does not want employees to browser the Internet)
Packet Filtering Firewall - 1 • Two main types: • Standard or Stateless packet filtering • Also known as first generation firewall • Operates at either the Network or Transport layer. • Most packet filters used the values of the following header field to determine what to pass or not • Protocol type, IP address, TCP/UDP port, Fragment number
Standard packet filtering • Packet filters make decisions based on packet header information. • Access decisions are based on source and destination addresses, source and destination port numbers, protocol types, and possibly flags within the header themselves. • They does not look at the actual payload.
Packet Filtering Firewall - 2 • Stateful inspection packet filters • known as dynamic packet filtering • filter rules are set up based on policy rule and state of the protocol • For example: • do not allow any services through the firewall except: • Services they’re programmed to allow • Connections that they already maintained in their state tables.
Pros and Cons of Packet Filter Pros • Scalable (Simple) • Provides high performance (High speed) • Application dependent Cons • Does not look into the packet pass the header. • Low security relative to other firewall types • Difficulties in setting up the packet filter rules correctly • Lack of support for authentication
Stateful Multilevel Inspection - 1 • First implemented by CheckPoint under the name “Stateful Multilevel Inspection”. • Stateful Rules are protocol-specific, keeping track of the context of a session (not just its state). • The greatest addition that stateful multilevel filtering provides to dynamic filtering is the ability to maintain application state, not just connection state.
Stateful Multilevel Inspection - 2 • This allows filtering rules to differentiate between the various connectionless protocols (like UDP, NFS and RPC), which were previously immune to management by static filtering and were not uniquely identified by dynamic filtering • Application state allows a previously authenticated user to create new connections without reauthorizing, whereas connection state just maintains that authorization for the duration of a single session.
Proxy-based firewall • Application Level firewall • Make high-level connections at application layer • for example • Policy on access web-pages: Only Internet users who had established business relationships with the company can have access; access by other users must be blocked. • packet-filter firewall is not feasible because it cannot distinguish between different packet. Selection must be done at applications level (i.e. URL) • proxy work on behalf of internal hosts to complete the connection between internal and external hosts.
Proxy-based firewall (2) • A variants of proxy is called circuit gateway • creates a new connection between itself and the remote host • Proxy stand in for outbound connection attempts to servers and then make the request to the actual target server on behalf of the client. When the server returns data, the proxy transmits that data to the client. • Application proxies don’t necessary to be run on firewalls appliances. • it is a high-end servers (or cluster of servers) • Usually Internet client applications (Browser) require to setup to talk to the proxy.
Additional Firewall Components • Authentication • Allows users on the public network to prove their identity to the firewall in order to gain access to the private network from external locations. • to filter unauthorized users • function as an NAS (network access server) • Encrypted Tunnels • tunneling is also called encapsulation, it is a major building block of Virtual Private Networking (VPN) • Tunneling establishes a secure connection between two private networks over a public medium like the Internet. • allows physically separated networks to use the Internet rather than leased-line connections to communicate. • VPN firewall is usually work in pairs
Limitations of Firewall • Even with the use of Proxy firewalls, it is still unable to control the content transferred across the network boundaries satisfactorily. • Firewalls are extremely vulnerable to insider attacks and covert channels • Firewalls can become bottlenecks of traffic • If a firewall is compromised, the protected network is extremely vulnerable
Security Strategies in firewall • Least privilege • every element of the firewalls system should have only the privileges that are needed to carry out its tasks • Defense in depth • security mechanisms should be redundant, should use different approaches (e.g. from different vendors), and should be able to back up each other. • Controlled access • the protected network should have a well-defined access point that forces attackers to use a narrow channel, which you can monitor and control • Fail-safe & fail-over • Fail-safe: a malfunctioning of a subsystem may affect functionality but should not lose security. • Fail-over: the task can taken over by another firewall.
Firewall Philosophies • Default Permit: • “Not Expressly Prohibited” is Permitted • Used in “open” environments (e.g., ISP and some universities) • Difficult to manage • Default Deny: • “Not Expressly Permitted” is Prohibited • used in environment with higher security • May be too restrictive in some environments
Factors to consider for choosing firewall • Performance • Firewall is usually the bottle neck of network traffics. The performance is usually the prime concerns. Stateful inspection filter is the trend as it’s good cost-performance ratio is better. • Scalability • scale adapted to size of company and corporate security policy. Usually, firewall vendor provide modules for client to upgrade according to their needs • Compatibility • work seamlessly with firewall products from different vendors • Network management support • easy installation and compatible with network management protocol
Examples of Firewall Configurations - 1 • In practical implementations, a firewall is usually a combination of packet filters and application (or circuit) gateways.
Examples of Firewall Configurations - 2 • Screened host firewall, Single-homed bastion • A firewall set up consists of two parts • The packet filter ensures that the incoming traffic is allowed only if it is destined for the application gateway, and it also ensures that the outgoing traffic is allowed only if it is originating from the application gateway. • The application gateway performs authentication and proxy functions.
Examples of Firewall Configurations - 3 • This configuration increases the security of the network by performing checks at both packet and application levels. • One big disadvantage here is that the internal users are connected to the application gateway, as well as to the packet filter. • If the packet filter security its compromised, then the whole internal network is exposed to the attacker.
Examples of Firewall Configurations - 5 Screened host firewall, Dual-homed bastion • Direct connections between the internal hosts and the packet filter are avoided. • Instead, the packet filter connects only • to the application gateway, which, in turn, has a separate connection with the internal hosts. • Therefore, now even if the packet filter is successfully attacked, only the application gateway is visible to the attacker. • The internal hosts are protected.
Examples of Firewall Configurations - 7 Screened subnet firewall • It offers the highest security • Two packet filters are used • There are three levels of security for an attacker to break into.
Bastion Host • The bastion host sits on the internal network. • It is the machine that will be accessed by all entities trying to access or leave the network. • It is the only system on the internal network that hosts on the Internet can open connections to (for example, to deliver incoming email). • If the bastion host is compromised, the internal network is wide open to attack from this bastion host • The bastion host thus needs to maintain a high level of host security.
Demilitarized Zone (DMZ) - 1 • Another firewall features is provision of DMZ • DMZ - Demilitarized Zone: • Firewall configuration that allows an organization to securely host its public servers and also protect its internal network at the same time. • DMZ is simply a network segment that is located between the protected and the unprotected networks.
General DMZ rules - 2 • Allow external users to access the appropriate services on DMZ systems. • DMZ systems should be severely restricted from accessing internal systems. • Internal uses can access the DMZ or external network as policy allows • No external users may access the internal system.
Recap • Two type of firewall • packet filter firewall • stateless and stateful inspection • proxy firewall: • application level • not allow client to go directly, must go thru’ a proxy which has rules • Three basic configuration examples: • Screened host firewall, Single-homed bastion • Screened host firewall, Dual-homed bastion • Screened subnet • A modern firewall usually have three interfaces: trusted, DMZ and untrusted
NAT Explained - 1 • NAT hides internal IP addresses by converting all internal host addresses to the address of the firewall as packets are routed through the firewall. • NAT is also called IP masquerading. • Translates the IP addresses of internal hosts to hide them from outside monitoring. • Originally implemented to make more IP addresses available to private networks.
NAT Explained (2) • The firewall then retransmits the data payload of the internal host from its own address using a translation table to keep track of which sockets on the exterior interface equate to which sockets on the interior interface. • To the Internet, all the traffic on your network appears to be coming from one extremely busy computer.
NAT Modes - 1 • Four primary modes of NAT: • Dynamic Translation (also called Automatic, Hide Mode or IP Masquerade) • Wherein a large group of internal clients share a single or small group of internal IP addresses for the purpose of hiding their identities or expanding the internal network address space. • Static Translation (also called Port Forwarding) • Wherein a specific internal network resource (usually a server) has a fixed translation that never changes. Static NAT is required to make internal hosts available for connections from external hosts.
NAT Modes - 2 • Loading Balancing Translation • Wherein a single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers. • Network Redundancy Translation • Wherein multiple Internet connections are attached to a single NAT firewall and clients requests are routed through an Internet connection based on load and availability.
NAT used in ISP • A large group of internal clients share a single or small group of internal IP addresses for the purpose of hiding their identities or expanding the internal networkaddress space.
Loading Balancing Translation • A single IP address and port is translated to a pool of identically configured servers so that a single public address can be served by a number of servers.
Hacking through NAT - 1 • Static translation does not protect the internal host. • Static translation merely replaces port information on a one-to-one basis. • This affords no protection to statically translated hosts • Hacking attacks will be just as efficiently translated as any valid connection attempt. • Solution: Reduce the number of attack to one, and then to use application proxy software or other application based security measures.
Hacking through NAT - 2 • If the client establishes the connection, a return connection exists. • Even if hackers can’t get inside our network, you can’t prevent your users form going to the hackers. • Forged email with a Web site link, a Trojan horse, or a seductive content Web site can entice your users to attach to a machine whose purpose is to glean information about your network. • Solution: Higher-level, application-specific proxies are once again the solution.
Cisco PIX firewall - 1 • The Cisco PIX firewall series • a high-performance, enterprise-class firewall product line within the Cisco firewall family. • with integrated hardware and software • delivers high security and network performance • scalable to meet different customer requirements • Product • PIX 525 & PIX 520 - for large enterprise • PIX 515 - for medium size company • PIX 506 - for SOHO