Chapter 5: Firewalls

Revised March 2004
Panko, Corporate Computer and Network Security
Copyright 2004 Prentice-Hall

Figure 5-1: Border Firewall

Diagram elements:
- 1. Internet (Not Trusted)
- 2. Attacker
- Border Firewall (between the Internet and the internal network)
- 1. Internal Corporate Network (Trusted)

Figure 5-1: Border Firewall (continued)

Diagram elements:
- 1. Internet (Not Trusted)
- 2. Attacker
- 3. Attack Packet (Ingress)
- Border Firewall
- 4. Dropped Packet; 4. Log File (the drop is recorded)
- 1. Internal Corporate Network (Trusted)

Figure 5-1: Border Firewall (continued)

Diagram elements:
- 1. Internet (Not Trusted)
- 2. Legitimate Internet User
- 5. Legitimate Packet
- Border Firewall
- 5. Passed Legitimate Packet (Ingress)
- 1. Internal Corporate Network (Trusted)

Figure 5-1: Border Firewall (continued)

Diagram elements:
- 1. Internet (Not Trusted)
- 2. Attacker
- Border Firewall
- 6. Attack Packet that Got Through Firewall
- 6. Hardened Client PC; 6. Hardened Server
- Hardened Hosts Provide Defense in Depth
- 1. Internal Corporate Network (Trusted)

Figure 5-1: Border Firewall (continued)

Diagram elements:
- 1. Internet (Not Trusted)
- 2. Attacker
- Border Firewall
- 7. Passed Packet (Egress)
- 7. Dropped Packet (Egress); 4. Log File
- 1. Internal Corporate Network (Trusted)

Figure 5-2: Types of Firewall Inspection

- Packet Inspection
  - Examines IP, TCP, UDP, and ICMP headers
  - Static packet inspection (described later)
  - Stateful inspection (described later)
- Application Inspection
  - Examines application layer messages

Figure 5-2: Types of Firewall Inspection (continued)

- Network Address Translation (NAT)
  - Hides IP addresses and port numbers
- Denial-of-Service (DoS) Inspection
  - Detects and stops DoS attacks
- Authentication
  - Requires senders to authenticate themselves

Figure 5-2: Types of Firewall Inspection (continued)

- Virtual Private Network (VPN) Handling
  - VPNs are protected packet streams (see Chapter 8)
  - Packets are encrypted for confidentiality, so firewall inspection is impossible
  - VPNs typically bypass firewalls, making border security weaker

Figure 5-2: Types of Firewall Inspection (continued)

- Hybrid Firewalls
  - Most firewalls offer more than one type of filtering
  - However, firewalls normally do not do antivirus filtering
  - Some firewalls pass packets to antivirus filtering servers

Firewalls

- Firewall Hardware and Software
  - Screening router firewalls
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-3: Firewall Hardware and Software

- Screening Router Firewalls
  - Add firewall software to router
  - Usually provide light filtering only
  - Expensive for the processing power—usually must upgrade hardware, too

Figure 5-3: Firewall Hardware and Software (continued)

- Screening Router Firewalls
  - Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier
  - Good location for egress filtering—can eliminate scanning responses, even from the router

Figure 5-3: Firewall Hardware and Software (continued)

- Computer-Based Firewalls
  - Add firewall software to a server with an existing operating system: Windows or UNIX
  - Can be purchased with power to handle any load
  - Easy to use because the operating system is already known

Figure 5-3: Firewall Hardware and Software (continued)

- Computer-Based Firewalls
  - Firewall vendor might bundle firewall software with hardened hardware and operating system software
  - General-purpose operating systems result in slower processing

Figure 5-3: Firewall Hardware and Software (continued)

- Computer-Based Firewalls
  - Security: Attackers may be able to hack the operating system
    - Change filtering rules to allow attack packets in
    - Change filtering rules to drop legitimate packets

Figure 5-3: Firewall Hardware and Software (continued)

- Firewall Appliances
  - Boxes with minimal operating systems
  - Therefore, difficult to hack sometimes
  - Setup is minimal
  - Not customized to specific firm’s situation
  - Must be able to update

Figure 5-3: Firewall Hardware and Software (continued)

- Host Firewalls
  - Installed on hosts themselves (servers and clients)
  - Enhanced security because of host-specific knowledge
    - For example, filter out everything but webserver transmissions on a webserver

Figure 5-3: Firewall Hardware and Software (continued)

- Host Firewalls
  - Defense in depth
    - Normally used in conjunction with other firewalls
    - Although on single host computers attached to the internet, might be the only firewall

Figure 5-3: Firewall Hardware and Software (continued)

- Host Firewalls
  - The firm must manage many host firewalls
  - If not centrally managed, configuration can be a nightmare
  - Especially if rule sets change frequently

Figure 5-3: Firewall Hardware and Software (continued)

- Host Firewalls
  - Client firewalls typically must be configured by ordinary users
    - Might misconfigure or reject the firewall
    - Need to centrally manage remote employee computers

Perspective

- Computer-Based Firewall
  - Firewall based on a computer with a full operating system
- Host Firewall
  - A firewall on a host (client or server)

Firewalls

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
  - IPSs
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering

Diagram elements:
- Complexity of Filtering: Number of Filtering Rules, Complexity of Rules, etc.
- Traffic Volume (Packets per Second)
- Both drive the firewall's Performance Requirements
- If a firewall cannot inspect packets fast enough, it will drop unchecked packets rather than pass them

Figure 5-5: Static Packet Filter Firewall

Diagram elements:
- Corporate Network | Static Packet Filter Firewall | The Internet
- Arriving Packets:
  - IP-H | TCP-H | Application Message
  - IP-H | UDP-H | Application Message
  - IP-H | ICMP-H | ICMP Message
- Each packet is either Permitted (Pass) or Denied (Drop); drops are written to the Log File
- Only IP, TCP, UDP and ICMP Packet Headers Examined

Figure 5-5: Static Packet Filter Firewall (continued)

Same diagram, with the note:
- Examined One at a Time, in Isolation; This Misses Many Attacks

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router

- 1. If source IP address = 10.*.*.*, DENY [private IP address range]
- 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
- 3. If source IP address = 192.168.*.*, DENY [private IP address range]
- 4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- 5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
- 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- 7. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]
- 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- 9. If TCP destination port = 20, DENY [FTP data connection]
- 10. If TCP destination port = 21, DENY [FTP supervisory control connection]
- 11. If TCP destination port = 23, DENY [Telnet data connection]
- 12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- 13. If TCP destination port = 513, DENY [UNIX rlogin without password]
- 14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
- 15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
- 16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- 17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
- DENY ALL
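First-match evaluation of the ingress ACL above, as an added Python example (this is not the book's code). It encodes rules 1 through 8 and 17 plus DENY ALL, uses constructed packets, and includes a helper that swaps rules 7 and 8 to show what a misordered ACL does to the public webserver.

```python
# Added example: first-match evaluation of the Figure 5-6 ingress ACL.
# Rules 1-8 and 17 plus DENY ALL are encoded; the packets are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: FrozenSet[str] = field(default_factory=frozenset)  # e.g. {"SYN", "ACK"}
    icmp_type: int = -1


@dataclass
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    action: str                      # "PASS" or "DENY"


def src_in(cidr: str) -> Callable[[Packet], bool]:
    """Build a source-address predicate; 10.*.*.* on the slide is 10.0.0.0/8, etc."""
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net


def is_tcp(p: Packet) -> bool:
    return p.proto == "tcp"


INGRESS_ACL: List[Rule] = [
    Rule("1 private 10.*.*.*", src_in("10.0.0.0/8"), "DENY"),
    Rule("2 private 172.16-31.*.*", src_in("172.16.0.0/12"), "DENY"),
    Rule("3 private 192.168.*.*", src_in("192.168.0.0/16"), "DENY"),
    Rule("4 internal 60.40.*.*", src_in("60.40.0.0/16"), "DENY"),
    Rule("5 black-holed 1.2.3.4", src_in("1.2.3.4/32"), "DENY"),
    Rule("6 SYN=1 AND FIN=1", lambda p: is_tcp(p) and {"SYN", "FIN"} <= p.flags, "DENY"),
    Rule("7 public webserver 80/443",
         lambda p: is_tcp(p) and p.dst == "60.47.3.9" and p.dport in (80, 443), "PASS"),
    Rule("8 SYN=1 AND ACK=0",
         lambda p: is_tcp(p) and "SYN" in p.flags and "ACK" not in p.flags, "DENY"),
    Rule("17 ICMP echo reply", lambda p: p.proto == "icmp" and p.icmp_type == 0, "PASS"),
    Rule("DENY ALL", lambda p: True, "DENY"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Rules are executed in series: the first rule that matches decides.
    DENY ALL at the end guarantees that every packet is decided by some rule."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise ValueError("ACL lacks a terminal rule")


def misordered_acl() -> List[Rule]:
    """Rules 7 and 8 swapped: rule 8 now denies every SYN from outside before
    the webserver PASS rule is reached, so the public webserver goes dark."""
    acl = list(INGRESS_ACL)
    acl[6], acl[7] = acl[7], acl[6]
    return acl


if __name__ == "__main__":
    web_syn = Packet("88.1.2.3", "60.47.3.9", "tcp", 80, frozenset({"SYN"}))
    print(evaluate(INGRESS_ACL, web_syn))       # ('PASS', '7 public webserver 80/443')
    print(evaluate(misordered_acl(), web_syn))  # ('DENY', '8 SYN=1 AND ACK=0')
```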

Figure 5-6: Access Control List (ACL) for Ingress Filtering at a Border Router (continued)

- DENY ALL
  - Last rule
  - Drops any packets not specifically permitted by earlier rules
  - In the previous ACL, Rules 8-17 are not needed; Deny all would catch them

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router

- 1. If source IP address = 10.*.*.*, DENY [private IP address range]
- 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
- 3. If source IP address = 192.168.*.*, DENY [private IP address range]
- 4. If source IP address NOT = 60.47.*.*, DENY [not in internal address range]
  - Rules 1-3 are not needed because of this rule

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router (continued)

- 5. If ICMP Type = 8, PASS [allow outgoing echo messages]
- 6. If Protocol = ICMP, DENY [drop all other outgoing ICMP messages]
- 7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router (continued)

- 8. If source IP address = 60.47.3.9 AND TCP source port = 80 OR 443, PERMIT [public webserver responses]
  - Needed because the next rule stops all packets from well-known port numbers
- 9. If TCP source port = 0 through 49151, DENY [well-known and registered ports]
- 10. If UDP source port = 0 through 49151, DENY [well-known and registered ports]

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router (continued)

- 11. If TCP source port = 49152 through 65,536, PASS [allow outgoing client connections]
- 12. If UDP source port = 49152 through 65,536, PERMIT [allow outgoing client connections]
  - Note: Rules 9-12 only work if all hosts follow IETF rules for port assignments (well-known, registered, and ephemeral). Windows computers do. Unix computers do not.

Figure 5-7: Access Control List (ACL) for Egress Filtering at a Border Router (continued)

- 13. DENY ALL
  - No need for Rules 9-12

Firewalls

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-8: Stateful Inspection Firewalls (New)

- Default Behavior
  - Permit connections initiated by an internal host
  - Deny connections initiated by an external host
  - Can change default behavior with ACL

Diagram elements:
- Router | Internet
- Connection attempt from the internal side: Automatically Accept Connection Attempt
- Connection attempt from the Internet: Automatically Deny Connection Attempt

Figure 5-8: Stateful Inspection Firewalls (continued; New)

- State of Connection: Open or Closed
  - State: Order of packet within a dialog
  - Often simply whether the packet is part of an open connection

Figure 5-8: Stateful Inspection Firewalls (continued)

- Operation
  - If accept a connection…
  - Record the two IP addresses and port numbers in the state table as OK (open) (Figure 5-9)
  - Accept future packets between these hosts and ports with no further inspection
    - This can miss some attacks, but it catches almost everything except attacks based on application message content

Figure 5-9: Stateful Inspection Firewall Operation I

Diagram elements:
- Internal Client PC 60.55.33.12 | Stateful Firewall | External Webserver 123.80.5.34
- 1. Establish Connection
- 2. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:80
- 3. The same TCP SYN Segment, passed on to the webserver
- Note: Outgoing Connections Allowed By Default

Connection Table

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK

Figure 5-9: Stateful Inspection Firewall Operation I (continued)

Diagram elements:
- 4. TCP SYN/ACK Segment, From: 123.80.5.34:80, To: 60.55.33.12:62600
- 5. Check Connection Table; Connection OK; Pass the Packet
- 6. The same TCP SYN/ACK Segment, passed on to the internal client PC

Connection Table (unchanged)

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Stateful Firewall Operation
  - For UDP, also record the two IP addresses and port numbers in the state table

Connection Table

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          1.8.33.4      69             OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Static Packet Filter Firewalls are Stateless
  - Filter one packet at a time, in isolation
  - If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
  - But stateful firewalls can (Figure 5-10)

Figure 5-10: Stateful Firewall Operation II

Diagram elements:
- Internal Client PC 60.55.33.12 | Stateful Firewall | Attacker Spoofing External Webserver 10.5.3.4
- 1. Spoofed TCP SYN/ACK Segment, From: 10.5.3.4:80, To: 60.55.33.12:64640
- 2. Check Connection Table: No Connection Match; Drop

Connection Table

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   80             OK
UDP   60.55.33.12   63206          222.8.33.4    69             OK

Figure 5-8: Stateful Inspection Firewalls (continued)

- Static Packet Filter Firewalls are Stateless
  - Filter one packet at a time, in isolation
  - Cannot deal with port-switching applications
  - But stateful firewalls can (Figure 5-11)

Figure 5-11: Port-Switching Applications with Stateful Firewalls

Diagram elements:
- Internal Client PC 60.55.33.12 | Stateful Firewall | External FTP Server 123.80.5.34
- 1. Establish Connection
- 2. TCP SYN Segment, From: 60.55.33.12:62600, To: 123.80.5.34:21
- 3. The same TCP SYN Segment, passed on to the FTP server
- 4. TCP SYN/ACK Segment, From: 123.80.5.34:21, To: 60.55.33.12:62600
- 5. Use Ports 20 and 55336 for Data Transfers
- 6. The same TCP SYN/ACK Segment, passed on to the internal client PC

State Table (after Step 2)

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   21             OK

Figure 5-11: Port-Switching Applications with Stateful Firewalls (continued)

Diagram elements: the same exchange; after Step 5 the firewall adds a second entry so that the second (data) connection is allowed when it is established.

State Table (after Step 5)

Type  Internal IP   Internal Port  External IP   External Port  Status
TCP   60.55.33.12   62600          123.80.5.34   21             OK
TCP   60.55.33.12   55336          123.80.5.34   20             OK
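The connection-table behaviour of Figures 5-9 through 5-11, as an added Python simulation (not the book's or any vendor's code). The addresses and ports are the slides' own; the expect_data_connection method is this example's stand-in for how a stateful firewall registers the FTP data connection named in Step 5.

```python
# Added example: connection-table behaviour of Figures 5-9 to 5-11.
# Addresses and ports are the slides'; the class is a simulation, not vendor code.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


# (type, internal IP, internal port, external IP, external port), as in the slides' tables
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # the connection (state) table of the figures

    @staticmethod
    def _key_out(s: Segment) -> Key:
        return (s.proto, s.src_ip, s.src_port, s.dst_ip, s.dst_port)

    @staticmethod
    def _key_in(s: Segment) -> Key:
        return (s.proto, s.dst_ip, s.dst_port, s.src_ip, s.src_port)

    def filter(self, seg: Segment, direction: str) -> str:
        """direction is "out" (internal host to Internet) or "in". Returns PASS or DROP."""
        if direction == "out":
            opens = seg.proto == "UDP" or (seg.syn and not seg.ack)
            if opens:
                # Default behaviour: connections initiated by an internal host are
                # permitted and recorded as OK (Figure 5-9, Step 2; UDP likewise)
                self.table[self._key_out(seg)] = "OK"
                return "PASS"
            return "PASS" if self.table.get(self._key_out(seg)) == "OK" else "DROP"
        # Inbound: accepted only if it belongs to an open connection; a spoofed
        # SYN/ACK with no matching entry is dropped (Figure 5-10, Step 2)
        return "PASS" if self.table.get(self._key_in(seg)) == "OK" else "DROP"

    def expect_data_connection(self, proto: str, int_ip: str, int_port: int,
                               ext_ip: str, ext_port: int) -> None:
        """Port-switching application (Figure 5-11, Step 5): once the control
        dialog names the data ports, a second entry is added so the second
        connection is allowed when it is established."""
        self.table[(proto, int_ip, int_port, ext_ip, ext_port)] = "OK"


def run_figures() -> Tuple[Dict[str, str], Dict[Key, str]]:
    """Replay the three figures and return the verdicts plus the final table."""
    fw = StatefulFirewall()
    r: Dict[str, str] = {}
    # Figure 5-9: SYN out opens the connection; the SYN/ACK reply matches the table
    r["syn_out"] = fw.filter(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 80, syn=True), "out")
    r["synack_in"] = fw.filter(Segment("TCP", "123.80.5.34", 80, "60.55.33.12", 62600, syn=True, ack=True), "in")
    # UDP is recorded the same way (the slide's entry to 1.8.33.4:69)
    r["udp_out"] = fw.filter(Segment("UDP", "60.55.33.12", 63206, "1.8.33.4", 69), "out")
    # Figure 5-10: spoofed SYN/ACK with no prior SYN; a stateless filter could not tell
    r["spoof_in"] = fw.filter(Segment("TCP", "10.5.3.4", 80, "60.55.33.12", 64640, syn=True, ack=True), "in")
    # Figure 5-11: FTP control connection to port 21, then data on ports 20 and 55336
    fw.filter(Segment("TCP", "60.55.33.12", 62600, "123.80.5.34", 21, syn=True), "out")
    data_syn = Segment("TCP", "123.80.5.34", 20, "60.55.33.12", 55336, syn=True)
    r["ftp_data_before_step5"] = fw.filter(data_syn, "in")
    fw.expect_data_connection("TCP", "60.55.33.12", 55336, "123.80.5.34", 20)
    r["ftp_data_after_step5"] = fw.filter(data_syn, "in")
    return r, fw.table
```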

Figure 5-8: Stateful Inspection Firewalls (continued)

- Stateful Inspection Access Control Lists (ACLs)
  - Primarily allow or deny applications (port numbers)
  - Simple because no need for probe packet rules, because probe packets are dropped automatically
  - Simplicity of stateful firewall gives speed and therefore low cost
  - Stateful firewalls are dominant today for the main corporate border firewalls

Firewalls (New)

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
  - IPSs
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-12: Network Address Translation (NAT)

Diagram elements:
- Client 192.168.5.7 | NAT Firewall | Internet (with a Sniffer) | Server Host
- 1. From 192.168.5.7, Port 61000 (client to NAT firewall)
- 2. From 60.5.9.8, Port 55380 (NAT firewall to server; this is all the sniffer sees)
- 3. To 60.5.9.8, Port 55380 (server reply to NAT firewall)
- 4. To 192.168.5.7, Port 61000 (NAT firewall to client)

Translation Table

Internal IP Addr  Internal Port  External IP Addr  External Port
192.168.5.7       61000          60.5.9.8          55380
...

Figure 5-12: Network Address Translation (NAT) (continued)

- Sniffers on the Internet cannot learn internal IP addresses and port numbers
  - Only learn the translated address and port number
- By themselves, provide a great deal of protection against attacks
  - External attackers cannot create a connection to an internal computer

Firewalls

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
  - IPSs
- Firewall Architecture
- Configuring, Testing, and Maintenance
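The translation table of Figure 5-12 and the point that an external host cannot open a connection inward, as an added Python simulation (not the book's code). 192.168.5.7:61000, 60.5.9.8 and 55380 are the slide's values; the server address 203.0.113.10 and the stand-in port allocator are assumptions of this example.

```python
# Added example: the translation table of Figure 5-12 as a simulation.
# 192.168.5.7:61000, 60.5.9.8 and 55380 are the slide's values; the server
# address 203.0.113.10 and the stand-in port allocator are constructed here.
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 55380) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)                     # stand-in port allocator
        # (internal endpoint, external server endpoint) -> stand-in port
        self.table: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (stand-in port, external server endpoint) -> internal endpoint
        self.reverse: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1 -> 2: replace the internal source address and port with stand-in values."""
        inside: Endpoint = (pkt.src_ip, pkt.src_port)
        server: Endpoint = (pkt.dst_ip, pkt.dst_port)
        port = self.table.get((inside, server))
        if port is None:
            port = next(self._ports)
            self.table[(inside, server)] = port
            self.reverse[(port, server)] = inside
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 3 -> 4: put the original values back. None means dropped: an
        external host cannot reach an internal computer without a table entry
        created by that computer's own outbound traffic."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, (pkt.src_ip, pkt.src_port)))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def sniffer_view(pkt: Packet) -> Endpoint:
    """What a sniffer on the Internet side learns: only the translated source."""
    return (pkt.src_ip, pkt.src_port)
```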

Figure 5-13: Application Firewall Operation

Diagram elements:
- Client PC 192.168.6.77 (Browser) | Application Firewall 60.45.2.6 (HTTP Proxy) | Webserver 123.80.5.34 (Webserver Application)
- 1. HTTP Request From 192.168.6.77
- 2. Filtering
- 3. Examined HTTP Request From 60.45.2.6
- 4. HTTP Response To 60.45.2.6
- 5. Filtering
- 6. Examined HTTP Response To 192.168.6.77

Figure 5-13: Application Firewall Operation (continued)

Same diagram, with the filtering detail:
- Filtering on Hostname, URL, MIME, etc.
- Filtering: Blocked URLs, Post Commands, etc.

Figure 5-13: Application Firewall Operation (continued)

Diagram elements:
- A Separate Proxy Program is Needed for Each Application Filtered on the Firewall: HTTP Proxy, FTP Proxy, SMTP (E-Mail) Proxy
- Client PC 192.168.6.77 | Application Firewall 60.45.2.6 | Webserver 123.80.5.34
- Attacker 1.2.3.4 (transmission blocked: X)
- Filtering on Inbound and Outbound
- Outbound Filtering on PUT Commands, Content

Figure 5-14: Header Destruction With Application Firewalls

Diagram elements:
- Arriving Packet: App MSG (HTTP) | Orig. TCP Hdr | Orig. IP Hdr
- Header Removed: App MSG (HTTP)
- New Packet: App MSG (HTTP) | New TCP Hdr | New IP Hdr
- Application Firewall Strips Original Headers from Arriving Packets
- Creates New Packet with New Headers
- This Stops All Header-Based Packet Attacks

Figure 5-15: Protocol Spoofing

Diagram elements:
- Internal Client PC 60.55.33.12 (with a Trojan Horse) | Simple Packet Filter Firewall | Application Firewall | Attacker 1.2.3.4
- 1. Trojan Transmits on Port 80 to Get Through (the simple packet filter firewall passes it)
- 2. Protocol is Not HTTP; Firewall Stops The Transmission (X)

Relay Operation

- Application Firewalls Use Relay Operation
  - Act as server to clients, clients to servers
  - This is slow, so traditionally application firewalls could only handle limited traffic

Diagram elements:
- Browser | HTTP Proxy | Webserver Application
- 1. HTTP Request From 192.168.6.77
- 2. Filtering
- 3. Examined HTTP Request From 60.45.2.6

Automatic Protections in Relay Operation

- Protocol Fidelity
  - Application that spoofs the port number of another operation (e.g., Port 80) will not work in relay operation
- Header Destruction
  - IP, TCP, UDP, and ICMP headers dropped at firewall so cannot do damage
- IP Address Hiding
  - Sniffer on the Internet only learns the application firewall’s IP address

Other Application Firewall Protections

- Stopping Certain Application Commands
  - HTTP: Stop POST
  - TCP: Stop PUT
  - E-Mail: Stop obsolete commands used by attackers
- Blocked IP Addresses and URLs
  - Black lists
- Blocking File Types
  - Use MIME and other identification methods

Figure 5-16: Circuit Firewall

Generic Type of Application Firewall

Diagram elements:
- Client 60.34.3.31 | Circuit Firewall (SOCKS v5) 60.80.5.34 | External Webserver 123.30.82.5
- 1. Authentication (client to circuit firewall)
- 2. Transmission
- 3. Passed Transmission: No Filtering
- 4. Reply
- 5. Passed Reply: No Filtering

Firewalls (New)

- Firewall Hardware and Software
- Inspection Methods
  - Static Packet Inspection
  - Stateful Packet Inspection
  - NAT
  - Application Firewalls
  - IPSs
- Firewall Architecture
- Configuring, Testing, and Maintenance

Intrusion Prevention System (IPS) (New)

- Provide More Sophisticated Inspection
- Examine Streams of Packets
  - Look for patterns that cannot be diagnosed by looking at individual packets (such as denial-of-service attacks)
  - And cannot be diagnosed by simply accepting packets that are part of a connection
- Do Deep Packet Inspection
  - Examine all headers at all layers—internet, transport, and application

Intrusion Prevention System (IPS) (continued; New)

- IPSs Act Proactively
  - Once an attack is diagnosed, future packets in the attack are blocked
  - This frightens many firms because if an IPS acts incorrectly, it effectively generates a self-inflicted denial-of-service attack
  - Firms that first use IPSs may only permit the most definitively identifiable attacks to be blocked, such as SYN flood denial-of-service attacks

Firewalls

- Types of Firewalls
- Inspection Methods
- Firewall Architecture
  - Single site in large organization
  - Home firewall
  - SOHO firewall router
  - Distributed firewall architecture
- Configuring, Testing, and Maintenance

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site

Diagram elements:
- 1. Screening Router 60.47.1.1, Last Rule = Permit All, between the Internet and the 172.18.9.x Subnet
- Public Webserver 60.47.3.9; External DNS Server 60.47.3.4
- SMTP Relay Proxy 60.47.3.10; HTTP Proxy Server 60.47.3.1
- Marketing Client on 172.18.5.x Subnet; Accounting Server on 172.18.7.x Subnet
- Screening Router Firewall Uses Static Packet Filtering. Drops Simple Attacks. Prevents Probe Replies from Getting Out. Last Rule is Permit All to Let Main Firewall Handle Everything but Simple Attacks

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (continued)

Diagram elements (same network as above):
- 2. Main Firewall, Last Rule = Deny All
- Main Firewall Uses Stateful Inspection; Last Rule is Deny All

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (continued)

Diagram elements (same network as above):
- 3. Internal Firewall
- 4. Client Host Firewall
- Internal Firewalls and Hardened Hosts Provide Defense in Depth: Stop Attacks from Inside; Stop External Attacks that Get Past the Main Firewall

Figure 5-17: Single-Site Firewall Architecture for a Larger Firm with a Single Site (continued)

Diagram elements (same network as above):
- 5. Server Host Firewall
- 6. DMZ: the 172.18.9.x Subnet holding the Public Webserver 60.47.3.9 and the External DNS Server 60.47.3.4
- Servers that must be accessed from outside are placed in a special subnet called the Demilitarized Zone (DMZ). Attackers cannot get to other subnets from there. DMZ servers are specially hardened.

Figure 5-18: Home Firewall

Diagram elements:
- Home PC with PC Firewall
- UTP Cord to the Broadband Cable Modem; Coaxial Cable to the Internet Service Provider; Always-On Internet Connection
- Windows XP has an internal firewall (New)
  - Originally called the Internet Connection Firewall; Disabled by default
  - After Service Pack 2 called the Windows Firewall; Enabled by default

Figure 5-19: SOHO Firewall Router

Diagram elements:
- Internet Service Provider | Broadband Modem (DSL or Cable) | SOHO Router | Ethernet Switch | User PCs (UTP)
- SOHO Router: Router, DHCP Server, NAT Firewall, and Limited Application Firewall
- Many Access Routers Combine the Router and Ethernet Switch in a Single Box

Figure 5-20: Distributed Firewall Architecture

Diagram elements:
- Internet; Site A; Site B; Remote PCs (Home PC with Firewall)
- Management Console: Remote Management is needed to reduce management labor
- Remote PCs must be actively managed centrally
- Dangerous because if an attacker compromises the management console, they own the network

Figure 5-21: Other Security Architecture Issues

- Host and (Chapters 6 and 9)
- Antivirus Protection (Chapter 4)
- Intrusion Detection Systems (Chapter 10)
- Virtual Private Networks (Chapter 8)
- Policy Enforcement System

Firewalls

- Types of Firewalls
- Inspection Methods
- Firewall Architecture
- Configuring, Testing, and Maintenance

Figure 5-22: Configuring, Testing, and Maintaining Firewalls

- Firewall Misconfiguration is a Serious Problem
  - ACL rules must be executed in series
  - Easy to make misordering problems
  - Easy to make syntax errors

Figure 5-22: Configuring, Testing, and Maintaining Firewalls (continued)

- Create Policies Before ACLs
  - Policies are easier to read than ACLs
  - Can be reviewed by others more easily than ACLs
  - Policies drive ACL development
  - Policies also drive testing

Figure 5-22: Configuring, Testing, and Maintaining Firewalls (continued)

- Must test Firewalls with Security Audits
  - Attack your own firewall based on your policies
  - Only way to tell if policies are being supported
- Maintaining Firewalls
  - New threats appear constantly
  - ACLs must be updated constantly if the firewall is to be effective

Figure 5-23: FireWall-1 Modular Management Architecture

Diagram elements:
- Application Module (GUI): Create, Edit Policies; Read Log Files
- Management Module: Stores Policies; Stores Log Files
- Firewall Module: Enforces Policy; Sends Log Entries
- Flows: Policy from the Application Module to the Management Module and on to the Firewall Module; Log Entries from the Firewall Module to the Management Module; Log File Data from the Management Module to the Application Module

Figure 5-24: FireWall-1 Service Architecture

Diagram elements:
- Internal Client | FireWall-1 Firewall | Internet | External Server
- 1. Arriving Packet
- 2. Statefully Filtered Packet
- 3. DoS Protection
- 4. Content Vectoring Protocol (to a Third-Party Application Inspection Firewall)
- 5. Statefully Filtered Packet Plus Application Inspection
- Optional Authentications

Figure 5-25: Security Level-Based Stateful Filtering in PIX Firewalls

Diagram elements:
- Router | Internet: Security Level Outside = 0
- Inside: Security Level = 100
- Internal Network: Security Level = 60
- Automatically Accept Connection (from a more secure to a less secure network)
- Automatically Reject Connection (from a less secure to a more secure network)
- Connections Are Allowed from More Secure Networks to Less Secure Networks

Topics Covered

- Border Firewalls
  - Sit between a trusted and untrusted network
  - Drop and log attack packets
- Types of Firewall Inspection
  - Static packet inspection
  - Stateful inspection
  - Application proxy firewalls
  - NAT
  - Denial-of-Service, Authentication, VPNs

Topics Covered

- Firewall Hardware and Software
  - Screening firewall router
  - Computer-based firewalls
  - Firewall appliances
  - Host firewalls (firewalls on clients and servers)
  - Performance is critical; overloaded firewalls drop packets they cannot filter

Topics Covered

- Static Packet Inspection
  - Examine IP, TCP, UDP, and ICMP headers
  - Examine packets one at a time
  - Miss many attacks
    - Used primarily in screening firewall routers
  - Access Control Lists (ACLs)
    - List of if-then pass/deny statements
    - Applied in order (sensitive to misordering)
    - For main firewall, last rule is Deny All
    - For screening firewall, last rule is Pass All

Topics Covered

- Stateful Inspection
  - Packets that Attempt to Open Connections
    - By default, permits all internally initiated connections
    - By default, denies all externally initiated connections
    - ACLs can change default behavior

Topics Covered

- Stateful Inspection
  - Other Packets
    - Permitted if part of an established connection
    - Denied if not part of an established connection
  - Importance
    - Fast and therefore inexpensive
    - Catches almost all attacks
    - Dominates main border firewall market

Topics Covered

- Network Address Translation (NAT)
  - Operation
    - Internal host sends a packet to an external host
    - NAT device replaces source IP address and TCP or UDP port number with stand-in values
    - When packets are sent back, the stand-in values are replaced with the original values
    - Transparent to internal and external hosts

Topics Covered

- Network Address Translation (NAT)
  - Why?
    - To hide internal host IP addresses and port numbers from sniffers on the Internet
    - To permit firms to have more hosts than they have assigned public IP addresses
  - Perspective
    - Often used in other types of firewalls

Topics Covered

- Application Firewalls
  - Inspect application messages
    - Catch attacks that other firewalls cannot
    - Usually do NOT do antivirus filtering
    - Programs that do filtering are called proxies
    - Proxies are application-specific
    - Circuit firewalls are not application-specific; use required authentication for control

Topics Covered

- Application Firewalls
  - Relay operation
    - Application firewall acts as server to clients, clients to servers
    - This is slow, so traditionally application firewalls could only handle limited traffic

Topics Covered

- Application Firewalls
  - Automatic Protection from Relay Operation
    - Protocol fidelity: stops port spoofing
    - Header destruction: no IP, TCP, UDP, or ICMP attacks
    - IP address hiding

Topics Covered

- Application Firewalls
  - Command-based filtering (HTTP POST, etc.)
  - Host or URL filtering (black lists)
  - File type filtering (MIME, etc.)
  - NOT antivirus filtering

Topics Covered (New)

- Intrusion Prevention Systems (IPSs)
  - Use sophisticated detection methods created for intrusion detection systems
    - Examine streams of packets, not just individual packets
    - Deep inspection: filter all layer messages in a packet
  - But unlike IDSs, do not simply report attacks
    - Stop detected attacks

Topics Covered (New)

- Intrusion Prevention Systems (IPSs)
  - Spectrum of attack detection confidence
    - Stop attacks detected with high confidence
    - Do not stop attacks with low detection confidence because doing so can create a self-inflicted DoS attack

Topics Covered (New)

- Intrusion Prevention Systems (IPSs)
  - Sophisticated filtering is processing-intensive
    - Traditional IDSs could not filter in real time, so could not be placed in-line with traffic
    - ASICs provide higher speeds, allowing IPSs to be placed in-line with traffic

Firewall Architectures

- Site Protection
  - Screening Firewall Router (Static Packet)
  - Main Border Firewall (Stateful)
  - Internal Firewalls
  - Host Firewalls
  - DMZ
  - Defense in Depth

Firewall Architectures

- Site Protection
  - DMZ
    - For hosts that must face Internet attack
    - Must be hardened (bastion hosts)
    - Public webservers, etc.
    - Application firewalls
    - External DNS server

Firewall Architectures

- Home Firewall
  - Host firewalls are especially needed for an always-on broadband connection
- SOHO Firewall
  - Separate firewall between the switch and the broadband modem
  - Some broadband modems do NAT, providing considerable protection

Firewall Architectures

- Distributed Firewall Architecture
  - Most firms have multiple sites
  - Multiple firewalls at many sites
  - A central manager controls them
  - If the manager is hacked, very bad
  - Management traffic must be encrypted

Configuring, Testing, and Maintenance

- Configuration
  - Firewalls must be configured (ACLs designed, etc.)
- Testing
  - Configuration errors are common, so firewalls must be tested
- Maintenance
  - Must be reconfigured frequently over time as the threat environment changes