Firewall Configuration

CyberP3i Course Module Series, Spring 2017
Designer: Dr. Lixin Wang, Associate Professor

Learning Objectives

1. Be familiar with firewalls and the types of firewalls
2. Know what firewalls can or cannot block
3. Be familiar with DMZ and NAT, and the purposes of using them on computer networks

Introduction

A firewall is a system that prevents unauthorized access either from or to a private network, usually an internal LAN (local area network). It is a device that filters all network traffic between a protected (inside) network and a less trustworthy (outside) network. A firewall is an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks (WANs) and the Internet.

Firewalls are among the most important security devices for computer networks. They can be implemented in hardware, in software, or as a combination of both. Firewalls prevent unauthorized outside users from accessing private networks that are connected to the Internet, especially intranets. All network packets entering or leaving the intranet must pass through the firewall, which examines each packet and blocks those that do not meet the security criteria defined in the firewall rules.

Because their purpose is to protect a private network, firewalls are a first line of defense for the network; of course, they cannot be considered the only such line of defense. Firewalls are generally designed to protect network traffic and communications, examine packets and block those not meeting certain security criteria, and direct packets to the appropriate hosts; they do not attempt to authenticate users when determining who can access a particular network. Usually a firewall runs on a dedicated device.
Only firewall functions should run on the firewall machine, because it is a single point through which all traffic is channeled and performance is an important issue. The purpose of a firewall is to protect a private network and keep “bad” things outside the protected network. To this end, a firewall implements a security policy that is specifically designed to handle the bad things that may happen. For instance, the security policy may allow access to the protected network only from certain IP addresses, from certain users, or for certain network activities. Firewalls enforce predetermined rules governing what network traffic can flow and what network traffic cannot.

Design of Firewalls

A security policy defines a set of rules that determine what network traffic can or cannot pass through the firewall. A firewall implements a set of security policies. It is the responsibility of the network administrators to decide what network traffic is allowed to pass through the firewall.

The following table gives a sample firewall configuration. The firewall’s action is determined in a top-down manner: the first matching rule in the table is applied. The * symbol matches any value in the field.

Rule #  Type  Source IP     Destination IP  Destination Port  Action
1       TCP   *             192.168.1.200   443               Permit
2       TCP   192.168.*     192.168.1.100   80                Permit
3       TCP   192.168.1.*   216.1.1.100     20/21             Deny
4       UDP   216.1.1.*     192.168.1.50    69                Deny

Rule 1 says that incoming traffic to port 443 (HTTPS) is permitted from any host to the machine 192.168.1.200, on which the HTTPS web server is available. By rule 2, incoming traffic to port 80 (HTTP) is permitted from any host in the subnet 192.168.* to the machine 192.168.1.100, on which the web server is available. Rule 3 says that incoming traffic to ports 20/21 (standard FTP) is denied from any host in the subnet 192.168.1.* to the machine 216.1.1.100.
By rule 4, incoming traffic to port 69 (Trivial FTP) is denied from any host in the subnet 216.1.1.* to the machine 192.168.1.50.

Types of Firewalls

Network firewalls fall into one of the following types, each of which does different things. In this section we give a brief description of each type.

(a) Packet filtering

This type of firewall examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. A packet filtering firewall is fairly effective and transparent to users, but it is difficult to configure. It controls access on the basis of packet addresses (source and destination IP addresses) or the specific protocol type, such as HTTP web traffic or FTP file transfer traffic. Packet filtering blocks or accepts network packets only on the basis of IP addresses and port numbers; any detail in the packet’s data field is beyond the capability of this type of firewall. Packet filtering is illustrated in the following figure.

(b) Stateful Inspection Firewall

A packet filtering firewall examines packets one at a time, accepting or rejecting each packet based on user-defined rules, and then moves on to the next one. A stateful inspection firewall instead holds state information from one packet to the next in the network’s input stream, and makes its decisions according to the information maintained across multiple packets.

(c) Circuit-level gateway implementation

This type of firewall applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. This type of firewall allows one network to be an extension of another. In the 7-layer OSI model, a circuit-level gateway is implemented at the session layer (layer 5) and works as a virtual gateway between the two networks it connects.
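The following Python program is an added illustration, not part of the course module: it implements the sample rule table above as a top-down, first-match packet filter (the packet filtering idea in (a)) and then adds a small stateful layer that remembers permitted TCP flows so that reply packets are accepted, which is what the stateful inspection firewall in (b) adds over stateless filtering. The `Packet` type, the source-port field, the deny-by-default action for unmatched traffic, and all sample packets are assumptions constructed for the example; the module does not specify them.

```python
# Added example, not part of the course module: a first-match packet filter that
# implements the module's sample rule table, plus a small stateful-inspection
# layer that remembers permitted TCP flows so that reply packets are accepted.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: int = 40000   # assumed ephemeral client port (not in the module's table)


# The module's sample table, evaluated top-down. "*" matches anything,
# "192.168.*" is a prefix wildcard, and "20/21" lists several ports.
RULES = [
    # (rule #, type, source IP, destination IP, destination port(s), action)
    (1, "TCP", "*",           "192.168.1.200", "443",   "Permit"),
    (2, "TCP", "192.168.*",   "192.168.1.100", "80",    "Permit"),
    (3, "TCP", "192.168.1.*", "216.1.1.100",   "20/21", "Deny"),
    (4, "UDP", "216.1.1.*",   "192.168.1.50",  "69",    "Deny"),
]

# Assumed action for traffic matching no rule; the module does not state one, and
# deny-by-default is the conservative choice.
DEFAULT_ACTION = "Deny"


def ip_matches(pattern: str, ip: str) -> bool:
    """True if ip matches "*" (anything), a prefix wildcard like "192.168.*", or an exact IP."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return ip.startswith(pattern[:-1])
    return ip == pattern


def port_matches(pattern: str, port: int) -> bool:
    """True if port matches "*" or is in a "/"-separated list such as "20/21"."""
    return pattern == "*" or port in {int(p) for p in pattern.split("/")}


def first_match(pkt: Packet) -> tuple[Optional[int], str]:
    """Top-down evaluation: (rule number, action) of the first matching rule,
    or (None, DEFAULT_ACTION) when no rule applies."""
    for num, proto, src, dst, ports, action in RULES:
        if (pkt.proto == proto and ip_matches(src, pkt.src_ip)
                and ip_matches(dst, pkt.dst_ip) and port_matches(ports, pkt.dst_port)):
            return num, action
    return None, DEFAULT_ACTION


class StatefulFilter:
    """The stateless table decides the first packet of a flow; permitted TCP flows
    are recorded so that later packets in either direction of that flow are
    accepted without re-consulting the table (the stateful-inspection idea)."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Direction-independent flow identifier: the two endpoints, sorted.
        ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return (pkt.proto, ends[0], ends[1])

    def decide(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.flows:
            return "Permit (established)"
        _, action = first_match(pkt)
        if action == "Permit" and pkt.proto == "TCP":
            self.flows.add(key)
        return action


if __name__ == "__main__":
    # Constructed sample traffic; the last packet is the server's reply, which the
    # stateless table alone would deny but the stateful filter accepts.
    fw = StatefulFilter()
    samples = [
        Packet("TCP", "10.0.0.5", "192.168.1.200", 443, src_port=50000),
        Packet("TCP", "10.0.0.5", "192.168.1.100", 80),
        Packet("TCP", "192.168.2.3", "192.168.1.100", 80),
        Packet("TCP", "192.168.1.7", "216.1.1.100", 21),
        Packet("UDP", "216.1.1.9", "192.168.1.50", 69),
        Packet("TCP", "192.168.1.200", "10.0.0.5", 50000, src_port=443),
    ]
    for p in samples:
        print(p.proto, p.src_ip, "->", p.dst_ip, p.dst_port, "|", first_match(p), "|", fw.decide(p))
```

Two points worth noticing when running it: a request from 10.0.0.5 to the web server 192.168.1.100 on port 80 is denied because rule 2 restricts the source to 192.168.*, and the server's reply to a permitted HTTPS connection matches no row of the table at all, so only the flow state recorded by `StatefulFilter` lets the reply through.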
A circuit is a logical connection that exists for a certain period of time and is then disconnected. The gateway firewall verifies the circuit when it is created, and all data subsequently transferred over the circuit are no longer checked by the firewall. One application of this type of firewall is to implement a VPN (virtual private network). A circuit-level gateway is illustrated in the following figure.

(d) Application Proxy

Packet filtering firewalls look only at the headers of packets, not at the data inside them. But some applications are complicated, and sometimes they contain errors. Also, applications usually act on behalf of all users and therefore require the privileges of all users; an application with bugs may cause a lot of damage when executing with those privileges. An application proxy server connects to the Internet, makes the requests for pages, opens connections to servers, and so on, and receives the data on behalf of the computer(s) behind it. An application proxy server is a type of gateway that hides the true network address of the computer(s) connecting through it. The firewall capability lies in the fact that a proxy can be configured to allow only certain types of traffic to pass (e.g., HTTP/HTTPS or FTP traffic). An application proxy firewall simulates the behavior of an application at the application layer, so that it accepts only requests that are proper for that application. This type of firewall is illustrated in the following figure.

(e) Next Generation Firewall (NGFW)

A next generation firewall (NGFW) filters network and Internet traffic based on the applications or traffic types using specific ports. NGFWs combine the features of existing standard firewalls with quality of service (QoS) functionality in order to provide better and deeper inspection of network packets. NGFWs integrate three key features: enterprise firewall capabilities, an intrusion prevention system, and application control.
Like the introduction of stateful inspection in first-generation firewalls, NGFWs bring additional context to the firewall’s decision-making process by giving it the ability to understand the details of the HTTP/HTTPS traffic passing through it and to take action: accept normal traffic, or block traffic that might exploit vulnerabilities. Next-generation firewalls combine the capabilities of traditional firewalls (including packet filtering, network address translation (NAT), URL blocking, and virtual private networks (VPNs)) with Quality of Service (QoS) functionality and features not traditionally found in firewall products. These include an intrusion prevention system, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness. The application-specific capabilities are adopted to counter the growing number of application attacks, which occur from the network layer up to the application layer of the OSI network model. In practice, many firewalls use two or more of these techniques in concert. In Windows and Mac OS X, firewalls are built into the operating system.

What a firewall can or cannot block

Although network firewalls are designed to prevent unauthorized access either from or to a private network, they are not complete solutions to all computer security problems. A firewall can only protect the perimeter of a private network against attacks from the outside Internet. Therefore, firewalls can protect the network only if they control the entire perimeter of the network. If one host in the network connects to the Internet over an unsecured communication channel, a wireless connection for example, then the entire internal network is vulnerable to attacks from the outside Internet. Outside the perimeter of a private network, no data are protected by the network’s firewalls.
Since firewalls sit between the protected private network and the outside Internet, they are the most visible part of a network and the most attractive target for attackers. Therefore, for mission-critical networks, a few more layers of security should be implemented.
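The following Python function is an added illustration, not part of the course module, of the distinction drawn in (d) and in this section: a packet filter that permits port 80 to a web server sees only addresses and ports, so it cannot block anything decided by the request inside the data field. An application proxy parses that request and can enforce the application's rules. The allowed methods, the host allow-list, and the sample requests are assumptions constructed for the example.

```python
# Added example, not part of the course module: the application-layer check an
# application proxy performs on HTTP traffic. A packet filter permitting port 80
# to the web server would pass every request below unchanged; this code parses
# the request in the data field and permits only well-formed requests using an
# allowed method to an allowed host.
import re

ALLOWED_METHODS = {"GET", "HEAD"}            # assumed policy for the example
ALLOWED_HOSTS = {"www.example.com"}          # hypothetical host allow-list
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_http_request(raw: bytes) -> tuple[bool, str]:
    """Return (permit, reason). Only the request line and the Host header are
    examined; anything that does not parse as HTTP is rejected."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "incomplete request header"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    # The proxy sees the request target, which a packet filter never inspects;
    # reject relative targets and any ".." path segment.
    if not target.startswith("/") or ".." in target.split("/"):
        return False, "suspicious request target"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    if host.split(":")[0] not in ALLOWED_HOSTS:
        return False, f"host {host} not allowed"
    return True, f"{method} {target} to {host}"


if __name__ == "__main__":
    # Constructed sample requests, all of which a port-80 packet filter rule
    # would treat identically.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
        b"GET /a/../b HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"not http at all",
    ]
    for raw in samples:
        print(inspect_http_request(raw))
```

The design choice to note is that the proxy fails closed: a request it cannot parse is rejected rather than forwarded, because a proxy that forwards what it does not understand gives up exactly the inspection that distinguishes it from a packet filter.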
