FIREWALLS An Important Component in Computer Systems Security By: Bao Ming Soh

What is a Firewall hardware, software, or a combination of both, that isolates an internal network from the Internet. hardware, software, or a combination of both, that isolates an internal network from the Internet. filters information, allowing some packets to pass and blocking others. filters information, allowing some packets to pass and blocking others.

LAN vs. Individual

Why Use a Firewall prevent denial of service attacks prevent denial of service attacks –SYN flooding prevent unauthorized access to internal network prevent unauthorized access to internal network block Trojans / Application backdoors block Trojans / Application backdoors –Sasser Worm

How Firewalls Work NAT (Network Address Translation) NAT (Network Address Translation) Packet Filtering Packet Filtering Stateful Packet Inspection (SPI) Stateful Packet Inspection (SPI) Application-based Application-based

NAT (1) Implemented in routers Implemented in routers Computers in the network have different internal IP addresses Computers in the network have different internal IP addresses Outside world only see one IP address Outside world only see one IP address

NAT (2)

Packet Filtering Allow/drop packets based on: Allow/drop packets based on: –source IP address, destination IP address –TCP/UDP source and destination port numbers –ICMP message type –TCP SYN and ACK bits

NAT & Packet Filtering Advantage: Advantage: –Naturally provided by routers Disadvantages: Disadvantages: –only allows connections originating from inside the network –Level of security decreases with # of ports open –No outbound connection protection

Stateful Packet Inspection (SPI) Does not analyze various components of an IP packet Does not analyze various components of an IP packet Compares certain key parts of the packet to a database of trusted information Compares certain key parts of the packet to a database of trusted information

SPI (2) Advantages: Advantages: –Overcomes inflexibility of NAT firewalls –Only one port needs to be opened for each service (e.g. FTP daemon) Disadvantage: Disadvantage: –Additional performance overhead

Application-based Firewalls (1) Offer a more fine-grained control over network traffic Offer a more fine-grained control over network traffic Filter packets based on: Filter packets based on: –Application –IP Filtering –Port numbers and protocols used –Direction of traffic (inbound/outbound)

Application-based Firewalls (2) Advantages: Advantages: –More flexible than NAT-based firewalls –Provides application-based outbound traffic protection, in addition to inbound traffic protection –May block Trojan viruses Disadvantage: Disadvantage: –Security depends heavily on user

Limitations of Firewalls IP Spoofing IP Spoofing Communication vs. Performance vs. Security Communication vs. Performance vs. Security Application spoofing Application spoofing Social Engineering Social Engineering Content Attack Content Attack –confidential data transported into the network through permitted connections

Leak Tests “proof of concept” programs to show the vulnerability of firewalls “proof of concept” programs to show the vulnerability of firewalls Application-Masquerading Application-Masquerading –Solution: Checksums, MD5 Signatures FireHole FireHole –Bypass outbound traffic protection through “dll injection”  Application hijack –Solution: Component Control

Conclusion Firewalls are not fool-proof! Firewalls are not fool-proof! Essential to have a multi-layered approach in any defense system Essential to have a multi-layered approach in any defense system