Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos

Polytechnic University Problems faced by corporate networks Leaking of critical information External threats A scheme named firewall was introduced

Polytechnic University Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall Internet privately administered /16 By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.

Polytechnic University Firewall goals: All traffic from outside to inside and vice- versa passes through the firewall. Only authorized traffic, as defined by local security policy, will be allowed to pass. The firewall itself is immune to penetration.

Polytechnic University Firewalls: types 1. Traditional packet filters ◦ filters often combined with router, creating a firewall 2. Stateful filters 3. Application gateways Major firewall vendors: Checkpoint Cisco PIX

Polytechnic University Traditional packet filters source IP address destination IP address source port destination port TCP flag bits ◦ SYN bit set: datagram for connection initiation ◦ ACK bit set: part of established connection TCP or UDP or ICMP ◦ Firewalls often configured to block all UDP direction ◦ Is the datagram leaving or entering the internal network? router interface ◦ decisions can be different for different interfaces Analyzes each datagram going through it; makes drop decision based on:

Polytechnic University Filtering Rules - Examples Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 External connections to public Web server only. Drop all incoming TCP SYN packets to any IP except , port 80 Prevent IPTV from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a Smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (eg ). Prevent your network from being tracerouted Drop all outgoing ICMP

Polytechnic University Access control lists action source address dest address protocol source port dest port flag bit allow /16 outside of /16 TCP > any allow outside of /16 TCP80 > 1023ACK allow /16 outside of /16 UDP > allow outside of /16 UDP53 > denyall Apply rules from top to bottom:

Polytechnic University Access control lists Each router/firewall interface can have its own ACL Most firewall vendors provide both command-line and graphical configuration interface

Polytechnic University Advantages and disadvantages of traditional packet filters Advantages ◦ One screening router can protect entire network ◦ Can be efficient if filtering rules are kept simple ◦ Widely available. Almost any router, even Linux boxes Disadvantages ◦ IP address spoofing ◦ Source routing attacks ◦ Tiny fragment attack ◦ Can possibly be penetrated ◦ Cannot enforce some policies. For example, permit certain users.

Polytechnic University Stateful Filters In earlier example, any packet with ACK=1 and source port 80 gets in. ◦ Attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments Stateful filter: Adds more intelligence to the filter decision-making process ◦ Stateful = remember past packets ◦ Memory implemented in a very dynamic state table

Polytechnic University

Application gateways (aka proxy gateways) Gateway sits between user on inside and server on outside. Instead of talking directly, user and server talk through proxy. Allows more fine grained and sophisticated control than packet filtering. For example, ftp server may not allow files greater than a set size. A mail server is an example of an application gateway ◦ Can’t deposit mail in recipient’s mail server without passing through sender’s mail server host-to-gateway ftp session gateway-to-remote host ftp session application gateway

Polytechnic University Configuring client Tools/options/connections/LAN settings/proxies:

Polytechnic University Advantages and disadvantages of proxy gateways Advantages ◦ Proxy can log all connections, activity in connections ◦ Proxy can provide caching ◦ Proxy can do intelligent filtering based on content ◦ Proxy can perform user-level authentication Disadvantages ◦ Not all services have proxied versions ◦ May need different proxy server for each service ◦ Requires modification of client ◦ Performance

Polytechnic University Application gateways + packet filter Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to ftp outside. 1. Require all ftp users to ftp through gateway. 2. For authorized users, gateway sets up ftp connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all ftp connections not originating from gateway. host-to-gateway ftp session gateway-to-remote host ftp session application gateway router and filter

Polytechnic University Chaining Proxies proxy 1 proxy 2

Polytechnic University SOCKS Proxy protocol Generic proxy protocol ◦ Don’t have to redo all of the code when proxifying an application. Can be used by HTTP, FTP, telnet, SSL,… ◦ Independent of application layer protocol Includes authentication, restricting which users/apps/IP addresses can pass through firewall.

Polytechnic University SOCKS proxy protocol HTTP SOCKS Library TCP SOCKS Daemon TCP Apache/IIS Firefox/Oper a/IE HTTP TCP Firewall Application 1. For example, let’s assume that browser requests a page 2. SOCKS Library is a collection of procedures. It translates requests into a specific format and sends them to SOCKS Daemon 3. The SOCKS Daemon runs on the firewall host. The daemon authenticates the user and forwards all the data to the server. 4. The server receives requests as ordinary HTTP. It does not need a SOCKS library.

Polytechnic University Demilitarized Zone (DMZ) Web server FTP server DNS server application gateway Internet Demilitarized zone Internal network firewall

Polytechnic University Firewalls: Summary Filters ◦ Widely available in routers, linux Stateful filters ◦ Maintains connection state Application gateways ◦ Often implemented with SOCKS today