CyberP3i Course Module Series

Spring 2017

Designer: Dr. Lixin Wang, Associate Professor

Firewall Configuration


Learning Objectives
1. Be familiar with firewalls and the types of firewalls
2. Know what firewalls can and cannot block
3. Be familiar with DMZs and NAT, and the purposes of using them on computer networks

Introduction
A firewall is a system that prevents unauthorized access either from or to a private network, usually an internal LAN (local area network). It is a device that filters all network traffic between a protected (inside) network and a less trustworthy (outside) network. A firewall is an effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via wide area networks (WAN) and the Internet. Firewalls are among the most important security devices for computer networks. They can be implemented in hardware, in software, or as a combination of both.

Firewalls prevent unauthorized outside users from accessing private networks that are connected to the Internet, especially intranets. All network packets entering or leaving the intranet must pass through the firewall, which examines each packet and blocks those that do not meet the security criteria defined in the firewall rules. Because their purpose is to protect a private network, firewalls are the first line of defense for that network; they cannot be considered the only such line of defense. Firewalls are designed to control network traffic and communications: they examine packets, block those that do not meet the configured criteria, and forward the rest to the appropriate hosts. They decide on the basis of packet attributes rather than user identity, so a firewall does not authenticate users when determining who may access a particular network.

Usually a firewall runs on a dedicated device. Only firewall functions should run on the firewall machine, because it is the single point through which all traffic is channeled, so its performance matters, and every additional service running on it is an additional way to attack it. The purpose of a firewall is to protect a private network and keep "bad" things outside it. To this end, a firewall implements a security policy that specifies which potentially harmful traffic is to be blocked. For instance, the security policy may allow access to the protected network only from certain IP addresses, for certain users, or for certain network activities. Firewalls enforce predetermined rules governing what network traffic may flow and what may not.

Design of Firewalls
A security policy defines a set of rules that determine what network traffic can or cannot pass through the firewall, and the firewall implements that policy. It is the network administrators' responsibility to decide what traffic is allowed through. The following table gives a sample firewall configuration. Rules are evaluated top-down and the first matching rule is applied; the * symbol matches any value in that field.

Rule #  Type  Source IP     Destination IP  Destination Port  Action
1       TCP   *             192.168.1.200   443               Permit
2       TCP   192.168.*     192.168.1.100   80                Permit
3       TCP   192.168.1.*   216.1.1.100     20/21             Deny
4       UDP   216.1.1.*     192.168.1.50    69                Deny

Rule 1 says that incoming TCP traffic to port 443 (HTTPS) is permitted from any host to the machine 192.168.1.200, which runs the HTTPS web server. By rule 2, incoming TCP traffic to port 80 (HTTP) is permitted from any host in the 192.168.* range to the web server at 192.168.1.100; the same request from an address outside that range matches no rule. Rule 3 says that outgoing TCP traffic to ports 20/21 (standard FTP data and control) is denied from any host in the 192.168.1.* subnet to the machine 216.1.1.100. By rule 4, incoming UDP traffic to port 69 (TFTP, the Trivial FTP) is denied from any host in the 216.1.1.* range to the machine 192.168.1.50. Note that the sample table has no final catch-all rule, so it does not say what happens to a packet that matches none of the four rules; a real rule set ends with an explicit default-deny rule so that anything not specifically permitted is dropped.

Types of Firewalls
Network firewalls fall into one of the following types, each of which does different things. This section gives a brief description of each.

(a) Packet filtering
This type of firewall examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. A packet filtering firewall is fairly effective and transparent to users, but it is difficult to configure correctly. It controls access on the basis of packet addresses (source and destination IP addresses) together with the transport protocol and port number, which identify the service, such as TCP port 80 for HTTP web traffic or TCP port 21 for FTP file transfer. Because it decides only on addresses and port numbers, anything in the packet's data field is beyond the capability of this type of firewall. Packet filtering is illustrated in the following figure.

(b) Stateful Inspection Firewall
A packet filtering firewall examines packets one at a time, accepting or rejecting each based on user-defined rules, and then moves on to the next one, remembering nothing about the previous ones. A stateful inspection firewall holds state information from one packet to the next in the input stream: it records the connections it has seen opened and decides about later packets according to that maintained information, so it can admit a packet from outside only if it belongs to a connection an inside host actually started.
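The difference between the two types, as an added example that is not code from the original module: a stateless filter that tries to admit replies by looking at the TCP flags alone, beside a stateful filter that admits an inbound packet only when it matches a connection it watched an inside host open. The protected subnet, the addresses and the layout of the state table are assumptions made for illustration.

```python
"""Added example (not from the original module): stateless versus stateful
filtering of TCP traffic. INSIDE_PREFIX, the addresses and the state-table
layout are assumptions made for illustration."""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."   # assumed protected subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(p: Packet) -> bool:
    """Classic packet filter. Inside hosts may open anything; inbound packets
    are admitted if they *look* like replies, i.e. carry ACK. The sender sets
    the flags, so a forged ACK from outside walks straight through."""
    if is_inside(p.src) and not is_inside(p.dst):
        return True
    if is_inside(p.dst) and not is_inside(p.src):
        return "ACK" in p.flags
    return False


class StatefulFilter:
    """Remembers connections opened from inside and admits outside packets
    only when they match one of them (a minimal TCP state machine; a real
    connection tracker also ages entries out with timeouts)."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def process(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            return self._outbound(p)
        if is_inside(p.dst) and not is_inside(p.src):
            return self._inbound(p)
        return False

    def _update(self, key, flags):
        if "RST" in flags:
            del self.table[key]            # connection aborted: forget it
        elif "FIN" in flags:
            self.table[key] = "CLOSING"    # still passing until the last ACKs are through
        return True

    def _outbound(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.table:
            if p.flags == frozenset({"SYN"}):   # only a SYN may open a connection
                self.table[key] = "SYN_SENT"
                return True
            return False                        # stray outbound packet, no connection
        return self._update(key, p.flags)

    def _inbound(self, p: Packet) -> bool:
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return False                        # unsolicited: drop, whatever the flags say
        if state == "SYN_SENT":
            if p.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return False                        # not the handshake reply we are waiting for
        return self._update(key, p.flags)


def forged_ack_decisions():
    """Constructed test packet: an outside host sends an ACK to an inside port
    nobody opened. Returns (stateless verdict, stateful verdict)."""
    forged = Packet("203.0.113.9", 80, "192.168.1.10", 4444, frozenset({"ACK"}))
    return stateless_filter(forged), StatefulFilter().process(forged)


if __name__ == "__main__":
    print("stateless admits forged ACK: %s, stateful admits it: %s" % forged_ack_decisions())
```

The stateless filter's "ACK means reply" heuristic is exactly the hole that ACK scans exploit to map hosts behind a packet filter; the stateful filter closes it because the state table, not the sender, decides what counts as a reply.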

(c) Circuit-level gateway
This type applies its security checks when a TCP connection (or UDP session) is established. Once the connection has been accepted, packets can flow between the hosts without further checking. This allows one network to appear as an extension of another. In the 7-layer OSI model a circuit-level gateway is implemented at the session layer (layer 5) and works as a virtual gateway between the two networks it connects. A circuit is a logical connection that exists for a certain period of time and is then disconnected. The gateway verifies the circuit when it is created; all data subsequently transferred over the circuit is not checked by the firewall. One application of this type of firewall is implementing a VPN (virtual private network). A circuit-level gateway is illustrated in the following figure.

(d) Application Proxy
Packet filtering firewalls look only at packet headers, not at the data inside the packets. But the applications that receive that data are complicated and sometimes contain errors, and a server application typically acts on behalf of all of its users and therefore needs the privileges of all of them; a buggy application executing with those privileges can cause a lot of damage when it is fed malicious input. An application proxy stands in for the application: it connects to the Internet, makes the requests for pages and the connections to servers, and receives the data on behalf of the computer(s) behind it. An application proxy server is therefore a gateway that hides the true network address of the computers connecting through it. Its firewall capability lies in the fact that the proxy can be configured to allow only certain types of traffic to pass (for example HTTP/HTTPS or FTP traffic) and, because it understands the application protocol, to pass on only well-formed requests. An application proxy firewall simulates the effect of the application at the application layer, so that the real application receives only requests that act properly. This type of firewall is illustrated in the following figure.

(e) Next Generation Firewall (NGFW)
A next generation firewall (NGFW) filters network and Internet traffic based on the applications or traffic types using specific ports, rather than on port numbers alone. NGFWs combine the features of standard firewalls with quality of service (QoS) functionality in order to provide deeper inspection of network packets. They integrate three key features: enterprise firewall capabilities, an intrusion prevention system, and application control. Just as stateful inspection added context to first-generation packet filters, NGFWs bring additional context to the firewall's decision-making by understanding the details of the HTTP/HTTPS traffic passing through the firewall, accepting normal traffic and blocking traffic that might exploit vulnerabilities. Next-generation firewalls combine the capabilities of traditional firewalls (packet filtering, network address translation (NAT), URL blocking and virtual private networks (VPNs)) with QoS functionality and features not traditionally found in firewall products: an intrusion prevention system, SSL/TLS and SSH inspection, deep-packet inspection, reputation-based malware detection, and application awareness. The application-specific capabilities are adopted to counter the growing number of attacks that have moved up from the network layer to the application layer of the OSI model.

In practice, many firewalls use two or more of these techniques in concert. Windows and Mac OS X ship with a host firewall built into the operating system.

What a firewall can or cannot block
Although network firewalls are designed to prevent unauthorized access either from or to a private network, they are not complete solutions to all problems. A firewall can only protect the perimeter of a private network against attacks from the outside Internet, so it protects the network only if it controls the entire perimeter. If a single host inside the network reaches the Internet over a channel the firewall does not control (an unsecured wireless connection, for example), the entire internal network becomes reachable from the outside Internet through that host. Outside the perimeter of a private network, no data is protected by the network's firewalls, and a firewall cannot see or block traffic that never crosses it, such as an attack launched from one internal host against another. Since firewalls sit between the protected private network and the outside Internet, they are the most visible part of a network and the most attractive target for attackers. Therefore, for mission-critical networks, additional layers of security should be implemented; relying on a single firewall alone is not wise for such networks. Also, firewalls must be carefully and correctly configured, and their configuration must be updated whenever either the internal or the external network changes.

DMZ (demilitarized zones)
Network firewalls allow a network administrator to divide a network into different segments or zones. Servers that must communicate with both internal and external computers create a security problem for organizations. Placing such servers in the internal network, behind the firewall, means the firewall has to let a lot of traffic through to the internal network. On the other hand, if these servers are placed outside the firewall, they are very vulnerable to attack. The usual solution to this dilemma is a DMZ, a zone between the Internet and the organization's internal network. A DMZ can be designed in a number of ways, but typically it is placed outside the organization's internal firewall and has a second, external firewall between itself and the Internet. The internal firewall then lets through only traffic from hosts in the DMZ, generally restricted further to specific ports from specific hosts, and the external firewall lets through only traffic to the servers in the DMZ, likewise limited to the specific ports each server publishes. In this way the organization's internal network is relatively well protected while some of the organization's servers remain reachable from the Internet. All external-facing servers, resources and services (those available to outside users on the Internet) should be located in the DMZ so they are accessible from the Internet while the rest of the internal LAN remains unreachable from outside. This provides an additional layer of security for the internal LAN, as it restricts an attacker's ability to reach internal servers and data directly via the Internet. Any service provided to outside users on the Internet should be placed in the DMZ; the most common such services are the Web server, mail server, DNS server, and FTP server.
The hosts running these services in the DMZ are reachable by hackers and cybercriminals around the world and must be hardened to withstand constant attack. If one of them is compromised, the internal firewall's restrictions are what keep the attacker from moving on to the internal LAN, which is why the DMZ-to-LAN rules should permit only the specific connections each server needs. The following figure shows the architecture of a network with a DMZ and an internal LAN protected by internal and external firewalls.
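The two rule-driven passages in this module, the first-match rule table in "Design of Firewalls" and the two-firewall DMZ just described, share one mechanism, so one added example (not code from the original module) serves both: a first-match evaluator with wildcard fields, the module's own sample table, and an inward-bound policy for the external and internal firewalls of a DMZ. The DMZ addresses, the published ports, the internal database host and port, and the default-deny action applied when no rule matches are all assumptions made for illustration.

```python
"""Added example (not from the original module): first-match packet
filtering, the module's sample rule table, and a two-firewall DMZ policy.
DMZ_*, INTERNAL_DB, the published ports and the default-deny action are
assumptions made for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    proto: str      # "TCP", "UDP" or "*"
    src: str        # "*" or a pattern such as "192.168.1.*"
    dst: str
    dports: tuple   # () matches any port
    action: str     # "Permit" or "Deny"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("*", p.proto)
                and fnmatchcase(p.src, self.src)
                and fnmatchcase(p.dst, self.dst)
                and (not self.dports or p.dport in self.dports))


def evaluate(rules, packet, default="Deny"):
    """Top-down evaluation: the first matching rule decides. Returns
    (action, rule_number); rule_number is None when the default applies."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, number
    return default, None


# The module's sample table; 20/21 is written out as both ports.
SAMPLE_TABLE = [
    Rule("TCP", "*",           "192.168.1.200", (443,),   "Permit"),
    Rule("TCP", "192.168.*",   "192.168.1.100", (80,),    "Permit"),
    Rule("TCP", "192.168.1.*", "216.1.1.100",   (20, 21), "Deny"),
    Rule("UDP", "216.1.1.*",   "192.168.1.50",  (69,),    "Deny"),
]

# Two-firewall DMZ with assumed addresses. Each list holds the rules one
# firewall applies to traffic entering the more trusted side of it.
DMZ_WEB, DMZ_MAIL, DMZ_DNS = "203.0.113.10", "203.0.113.20", "203.0.113.30"
INTERNAL_DB = "10.0.0.50"

EXTERNAL_FW = [   # Internet -> DMZ: only the published services
    Rule("TCP", "*", DMZ_WEB,  (80, 443), "Permit"),
    Rule("TCP", "*", DMZ_MAIL, (25,),     "Permit"),
    Rule("*",   "*", DMZ_DNS,  (53,),     "Permit"),
]
INTERNAL_FW = [   # DMZ -> LAN: only the web server, only to the database port
    Rule("TCP", DMZ_WEB, INTERNAL_DB, (5432,), "Permit"),
]

ZONES = ["internet", "dmz", "lan"]
FIREWALLS = {("internet", "dmz"): EXTERNAL_FW, ("dmz", "lan"): INTERNAL_FW}


def inbound_allowed(packet, src_zone, dst_zone) -> bool:
    """True if every firewall between the zones permits this inward-bound
    packet. Only the inward direction is modelled here; replies to
    connections opened from inside are the job of state tracking."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    if i >= j:
        raise ValueError("inbound_allowed models traffic toward a more trusted zone")
    for k in range(i, j):
        if evaluate(FIREWALLS[(ZONES[k], ZONES[k + 1])], packet)[0] != "Permit":
            return False
    return True


if __name__ == "__main__":
    print(evaluate(SAMPLE_TABLE, Packet("TCP", "10.0.0.5", "192.168.1.100", 80)))
    print(inbound_allowed(Packet("TCP", DMZ_MAIL, INTERNAL_DB, 5432), "dmz", "lan"))
```

Two things worth noticing when running it: an outside request for the internal web server at 192.168.1.100 matches none of the four sample rules and is decided entirely by the default, and a compromised mail server in the DMZ cannot reach the internal database because the internal firewall names the web server as the only permitted source.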

Network Address Translation (NAT)
Network Address Translation is the process in which a network device, usually a firewall, maps a public IP address onto a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization must use, for reasons of both economy and security. The most common form of NAT involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). Private addressing works well for computers that only need resources inside the network, such as workstations needing access to database servers, file servers and printers: routers inside the private network route traffic between private addresses without trouble. However, private addresses are not routed on the Internet, so to reach outside resources a computer in a private LAN must appear to have a public IP address in order for responses to its requests to return to it. This is where NAT comes in.

The translation of a request is intricate but happens so rapidly that the end user rarely knows it has occurred. A workstation inside the network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for an internal resource and send it to the firewall. The firewall sees the request coming from the workstation's internal private IP address. It then makes the same request to the Internet using its own public IP address and, when the reply arrives, returns it to the workstation inside the private LAN. From the perspective of the resource on the Internet, it is talking to the firewall's address; from the perspective of the workstation, it appears to be communicating directly with the site on the Internet.

When NAT is used in this way, all users inside the private network share the same public IP address when they use the Internet, so one public address suffices for hundreds or even thousands of hosts. To tell their replies apart, the firewall records each outbound connection in a translation table (the internal address and port, the public port it chose for that connection, and the remote address and port) and uses the port on a returning packet to look up the workstation it belongs to. Most modern firewalls are stateful: they set up the connection between the internal workstation and the Internet resource and keep track of its details, such as the ports, packet order and IP addresses involved. This is called keeping track of the state of the connection. In this way they track the session made up of the communication between the workstation and the firewall and between the firewall and the Internet. When the session ends, the firewall discards the information about that connection. An inbound packet that matches no entry in the table has nothing to be translated to and is dropped, which is why internal hosts behind NAT cannot be contacted from outside unless a mapping exists; this protection comes from the firewall refusing unmapped packets, not from the address rewriting itself.

There are other uses for NAT beyond letting workstations with internal addresses reach the Internet. In large networks, some servers act as Web application servers and must be reachable from the Internet. These servers are assigned public IP addresses on the firewall, so outside users reach them only through that address, and the firewall acts as the intermediary between the outside world and the protected internal network. Additional policy rules can be added, including which ports may be accessed at that address. Using NAT this way lets network engineers route internal traffic to the same resources more efficiently and expose more ports internally while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world. NAT can likewise be used to give selective access to the outside: workstations or other computers requiring special access outside the network can be assigned specific public IP addresses via NAT, allowing them to communicate with computers and applications that require a unique public address. Again, the firewall acts as the intermediary and can control the session in both directions, restricting port access and protocols.

NAT is thus an important aspect of firewall security. It conserves the number of public addresses an organization uses and allows stricter control of access to resources on both sides of the firewall. Because firewalls perform NAT, a network can use private IP addresses that are never routed over the Internet. Private address schemes allow organizations (or even household networks) to limit the number of publicly routed addresses they use, reserving public addresses for Web servers and other externally accessed equipment. NAT allows administrators to use one public IP address for all of their users to access the Internet; the firewall is "smart" enough to send the responses back to the requesting workstation's internal private IP. NAT also allows users inside a private network to contact a server using its private IP while users outside the network contact the same server using its public IP.
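The translation table described above, as an added example that is not code from the original module: many inside hosts share one public address (each outbound connection gets its own public port), an unsolicited inbound packet with no table entry is dropped, and one internal server is published through a static mapping so that outside users reach it only via the public address. The public address, the internal addresses, the port range and the table layout are assumptions made for illustration.

```python
"""Added example (not from the original module): a port-overloading NAT table
plus a static mapping for a published server. PUBLIC_IP, the inside addresses,
the port range and the table layout are assumptions made for illustration."""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "198.51.100.1"   # assumed public address of the firewall


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # dynamic entries, one per outbound flow
        self.out = {}     # (proto, in_ip, in_port, dst_ip, dst_port) -> public_port
        self.back = {}    # (proto, public_port, dst_ip, dst_port) -> (in_ip, in_port)
        # static entries for published servers
        self.static = {}      # (proto, public_port) -> (in_ip, in_port)
        self.static_rev = {}  # (proto, in_ip, in_port) -> public_port

    def publish(self, proto: str, public_port: int, in_ip: str, in_port: int):
        """Static NAT: expose in_ip:in_port as public_ip:public_port."""
        self.static[(proto, public_port)] = (in_ip, in_port)
        self.static_rev[(proto, in_ip, in_port)] = public_port

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside->outside packet so it comes from the public address."""
        pub = self.static_rev.get((p.proto, p.src, p.sport))   # published server replying
        if pub is None:
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            pub = self.out.get(key)
            if pub is None:                         # first packet of a new flow
                pub = self.next_port
                self.next_port += 1
                self.out[key] = pub
                self.back[(p.proto, pub, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=pub)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None when nothing
        maps to it: an unsolicited packet is dropped at this point."""
        if p.dst != self.public_ip:
            return None
        target = self.back.get((p.proto, p.dport, p.src, p.sport))
        if target is None:
            target = self.static.get((p.proto, p.dport))
        if target is None:
            return None
        in_ip, in_port = target
        return replace(p, dst=in_ip, dport=in_port)


def walkthrough():
    """Constructed traffic: two workstations reach the same web site, a reply
    comes back, a stranger probes the public address, and a published server
    is contacted. Returns the packets as the firewall forwards them."""
    nat = Nat(PUBLIC_IP)
    nat.publish("TCP", 443, "10.0.0.80", 8443)
    a = nat.outbound(Packet("TCP", "10.0.0.5", 51000, "93.184.216.34", 443))
    b = nat.outbound(Packet("TCP", "10.0.0.6", 51000, "93.184.216.34", 443))
    reply_a = nat.inbound(Packet("TCP", "93.184.216.34", 443, PUBLIC_IP, a.sport))
    probe = nat.inbound(Packet("TCP", "203.0.113.7", 1234, PUBLIC_IP, 40005))
    to_server = nat.inbound(Packet("TCP", "203.0.113.7", 1234, PUBLIC_IP, 443))
    from_server = nat.outbound(Packet("TCP", "10.0.0.80", 8443, "203.0.113.7", 1234))
    return a, b, reply_a, probe, to_server, from_server


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Both workstations use local port 51000, so the public port, not the address, is what keeps their replies apart; the probe to a port with no mapping is the case the text calls unreachable from outside.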


Review Questions:
1. What is a firewall, and why should firewalls be installed on computer networks?
2. Compare the different types of firewalls. What are the advantages and disadvantages of each type discussed in the module?
3. What can a firewall block, and what can it not block?
4. What is a DMZ, and where should a DMZ be placed in an organization's network?
5. What is Network Address Translation (NAT)? What is the main purpose of using NAT? When is NAT needed?