Firewalls. Stephen S. Yau, CSE 465-591, Fall 2006.


Slide 2: DMZ
- The DMZ (Demilitarized Zone) is a portion of a network that separates a purely internal network from an external network.
- The DMZ is where public servers and proxies should be located.
- A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.
(T1: ch23.3; T2: ch26.3)

Slide 3: Firewalls
- A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.
- Protects a network from external networks.
- Blocks unwanted traffic and passes desirable traffic to and from both sides of the network.
- Examples:
  - Allows: HTTP, mail
  - Keeps out: suspected users, denial-of-service attacks, spam, viruses
(T1: ch ; T2: ch26.3.1)

Slide 4: Operations of Firewall (diagram not preserved in the transcript)

Slide 5: Firewalls in Different Layers
- Network layer: Packet-Filtering Firewalls
  - Concerned with routing of packets to their destinations.
  - Determine whether a packet is from a permitted source to a permitted destination.
- Transport layer: Circuit-Level Firewalls
  - Concerned with the session a packet belongs to.
  - Need more knowledge of the packet header to decide whether to accept or deny packets.
- Application layer: Application-Level Firewalls
  - Concerned with the contents of packets.
  - Need information about the data itself to decide whether to accept or deny packets.
Further reading:

Slide 6: Packet Filtering Firewalls
- A packet filtering firewall performs access control on the basis of attributes of the packet headers, such as destination address, source address, and options.
- Whenever a packet arrives, there are three possible actions:
  - forward it to its destination
  - block it
  - return it to the sender
- One of these actions is chosen according to a set of rules, usually in the form of "access control lists".
(T1: ch ; T2: ch )

Example rule table (the addresses were not preserved in the transcript; only the prefix lengths survive):

Rule  Source Address  Destination Address  Action
1     (address)/      (address)/24         permit
2     (address)/      (address)/16         deny
3     (address)/      (address)/0          deny (default)

Slide 7: Packet Filtering Firewalls (cont.)
- Factors which determine the action:
  - Source address
  - Destination address
  - Direction of traffic
- Rules are applied top to bottom.
- Ordered from least restrictive to most restrictive.
- Packets are not scrutinized (only headers are examined).
- Auditing is possible.

Slide 8: An Example of Packet Filtering Firewall (diagram; addresses not preserved in the transcript)
- Local Network ( /8): incoming packet [ , ] (denied)
- Network Server: Firewall with rules
  - Rule 1: /16, /8 deny
  - Rule 2: /24, /24 permit
  - ...
  - Rule N: /16, /20 permit
- Another Network ( /24): incoming packet [ , ] (permitted)
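The ordered access-control list of slides 6 to 8, as an added Python example that is not code from the original slides. The rule set and all addresses are constructed (RFC 5737 documentation ranges plus private 10.0.0.0/8 space); the evaluation is first match, top to bottom, with a default deny when nothing matches. It goes one step beyond the slides by adding the ordering check a reviewer runs on an ACL: a rule that a broader earlier rule completely covers can never fire, which usually means the rules were written in the wrong order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example of a stateless packet filter evaluating an ordered ACL.
# Not from the original slides; rule set and addresses are constructed.


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def make_rule(source: str, destination: str, action: str) -> Rule:
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return Rule(ipaddress.ip_network(source), ipaddress.ip_network(destination), action)


# Constructed rule set: the narrow deny sits above the broader permit so it is
# evaluated first; the last rule is the explicit default deny of the slide's table.
RULES: List[Rule] = [
    make_rule("10.0.0.0/16", "192.0.2.0/24", "deny"),
    make_rule("10.0.0.0/8", "192.0.2.0/24", "permit"),
    make_rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]


def filter_packet(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first matching rule, top to bottom.

    If no rule matches the packet is denied, so a rule set that forgets the
    catch-all still fails closed.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if src in rule.source and dst in rule.destination:
            return rule.action, number
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never match because an earlier rule fully covers them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.source.subnet_of(earlier.source)
                    and later.destination.subnet_of(earlier.destination)):
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    for src, dst in [("10.0.5.1", "192.0.2.10"), ("10.1.0.1", "192.0.2.10"), ("203.0.113.5", "192.0.2.10")]:
        print(src, "->", dst, filter_packet(RULES, src, dst))
    print("shadowed in RULES:", shadowed_rules(RULES))
    print("shadowed when rules 1 and 2 are swapped:", shadowed_rules([RULES[1], RULES[0], RULES[2]]))
```

Swapping the first two rules makes the /16 deny unreachable, which `shadowed_rules` reports as rule 2; that is the concrete reason the slides stress that rule order matters.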

Slide 9: Circuit-Level Firewalls
- Validates sessions before opening connections (handshakes).
- Once a connection is made, all packets related to that connection pass.
- Packets are not scrutinized.
- No direct connections with other networks without validation.

Slide 10: Circuit-Level Firewalls (cont.)
- Establishes two connections:
  - Between client and firewall
  - Between firewall and server
- Implemented using sockets (a socket is an IP address plus a port number).
- Manipulating an established connection is easy.
- Packets are not scrutinized.
- Auditing is possible.

Slide 11: An Example of Circuit-Level Firewall
- Network News Transfer Protocol (NNTP):
  - The NNTP server connects to the firewall.
  - Internal systems' NNTP clients connect to the firewall.
  - The circuit-level firewall simply passes bytes between the systems.
- Diagram: Internal Systems (NNTP clients) <-> Circuit-Level Firewall (Choke Point) <-> External Servers (NNTP news providers)
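The session handling of slides 9 to 11, as an added Python example that is not code from the original slides. It models the circuit-level gateway's session table: a new circuit is opened only after the handshake is validated (an internal client requesting a permitted service, port 119 for NNTP as in the slide's scenario), after which every packet of that circuit is relayed without its payload being examined. The internal address range, the permitted port and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Added example of a circuit-level gateway's session table. Not from the
# original slides; addresses, ports and packets are constructed.

Endpoint = Tuple[str, int]  # (IP address, port): a socket as slide 10 defines it


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # connection request (start of handshake)
    fin: bool = False      # connection teardown
    payload: bytes = b""   # carried but never inspected by this gateway


class CircuitGateway:
    """Validates the handshake of a new session, then relays every packet of it."""

    def __init__(self, internal_net: str, allowed_ports: Set[int]) -> None:
        self.internal = ipaddress.ip_network(internal_net)
        self.allowed_ports = set(allowed_ports)
        # A session is the unordered pair of its two sockets, so packets in
        # either direction look up the same entry.
        self.sessions: Set[FrozenSet[Endpoint]] = set()

    @staticmethod
    def _key(pkt: Packet) -> FrozenSet[Endpoint]:
        return frozenset([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])

    def handle(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.sessions:
            # Established circuit: bytes pass without being looked at.
            if pkt.fin:
                self.sessions.discard(key)  # simplified: the first FIN closes the circuit
            return "relay"
        # Handshake validation: only an internal client may open a circuit, and
        # only to a permitted service. Everything else, including an inbound
        # connection request from outside, is dropped before any connection exists.
        src_is_internal = ipaddress.ip_address(pkt.src_ip) in self.internal
        if pkt.syn and src_is_internal and pkt.dst_port in self.allowed_ports:
            self.sessions.add(key)
            return "open"
        return "drop"


if __name__ == "__main__":
    gw = CircuitGateway("10.0.0.0/8", {119})
    print(gw.handle(Packet("10.0.0.5", 40000, "198.51.100.7", 119, syn=True)))   # open
    print(gw.handle(Packet("198.51.100.7", 119, "10.0.0.5", 40000, payload=b"200 news")))  # relay
    print(gw.handle(Packet("198.51.100.7", 119, "10.0.0.5", 40001, syn=True)))   # drop
```

The `payload` field is deliberately never read: that is the "packets are not scrutinized" property of slides 9 and 10, and it is why a circuit-level gateway cannot stop a permitted NNTP session from carrying hostile content, a gap the application-level proxies of the next slides close.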

Slide 12: Application-Level Firewalls
- An application-level firewall (also called a proxy firewall) uses proxies to perform access control.
- Acts as a proxy server: evaluates requests and decides according to security concerns.
- Two connections per session.
- All packets are scrutinized.
- Auditing is possible.
(T1: ch ; T2: ch26.3.1)

Slide 13: Application-Level Firewalls (cont.)
- Access control is based on the contents of packets and messages, as well as on attributes of packet headers.
- Does not allow direct connections between two endpoints through a proxy firewall.
- Diagram (not preserved in the transcript): accept/deny rules applied by an application-level proxy above the network layer, for both outgoing and incoming packets.

Slide 14: An Example of Application-Level Firewall
- Simple Mail Transfer Protocol (SMTP) proxies
- SMTP application proxies are configured to allow only the necessary SMTP commands, such as helo, mail from: and rcpt to:, to pass through the firewall.
- Stop the "expn" command, which tries to expand a mailing list.
- Stop the "vrfy" command, which tries to verify that an account exists.
- The above are used by attackers and spammers to enumerate accounts.
- MIME type and message size can also be used to filter traffic.

Slide 15: An Example of Application-Level Firewall (cont.) (diagram)
- Local Network: Mail Clients
- Incoming/Outgoing request for SMTP (denied)
- Network Server: implements an application firewall for SMTP/POP/IMAP
  - Deny: expn, vrfy
  - Allow: helo, mail from:
- Incoming/Outgoing Mail ; (permitted)
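The SMTP proxy checks of slides 14 and 15, as an added Python example that is not code from the original slides. The proxy reads each client command line and either forwards it to the real mail server or answers the client itself, so a blocked command never reaches the server; it also applies the size and MIME-type checks the slide mentions to the message body. Assumptions: DATA, RSET, NOOP and QUIT are added to the slide's helo, mail from: and rcpt to: because a session cannot complete without them; the blocked MIME types, the size limit and the two sample messages are constructed.

```python
import email
from email.message import Message
from typing import Tuple

# Added example of an SMTP application-level proxy's command and content
# filters. Not from the original slides; allowed-command set beyond the
# slide's three, blocked types, limit and sample messages are constructed.

# Slide 14 names HELO, MAIL FROM: and RCPT TO:; DATA, RSET, NOOP and QUIT are
# added here because a session cannot complete without them (assumption).
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Account-enumeration commands the slide says the proxy must stop.
BLOCKED_COMMANDS = {"EXPN", "VRFY"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}  # constructed
MAX_MESSAGE_BYTES = 10 * 1024 * 1024  # constructed limit


def filter_command(line: str) -> Tuple[str, str]:
    """Decide what the proxy does with one client command line.

    Returns ("forward", line) to relay the line to the real server, or
    ("reject", reply) where reply is the SMTP response the proxy sends back
    to the client itself.
    """
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb in BLOCKED_COMMANDS:
        return "reject", "502 5.5.1 Command not implemented"
    if verb in ALLOWED_COMMANDS:
        return "forward", line
    return "reject", "500 5.5.1 Command unrecognized"


def filter_message(raw: bytes) -> Tuple[str, str]:
    """Apply the size and MIME-type checks to a complete DATA payload."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return "reject", "552 5.3.4 Message size exceeds fixed maximum"
    msg: Message = email.message_from_bytes(raw)
    # walk() visits the top-level message and every nested MIME part.
    for part in msg.walk():
        if part.get_content_type() in BLOCKED_MIME_TYPES:
            return "reject", "550 5.7.1 Attachment type not permitted"
    return "forward", "250 2.0.0 OK"


# Constructed sample messages: a plain-text mail and one carrying an executable part.
SAMPLE_TEXT = (b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n"
               b"Content-Type: text/plain\r\n\r\nhello\r\n")
SAMPLE_EXE = (b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: invoice\r\n"
              b"Content-Type: multipart/mixed; boundary=\"BOUNDARY\"\r\n\r\n"
              b"--BOUNDARY\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
              b"--BOUNDARY\r\nContent-Type: application/x-msdownload; name=\"inv.exe\"\r\n"
              b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--BOUNDARY--\r\n")


if __name__ == "__main__":
    for cmd in ["EHLO client.example.com", "MAIL FROM:<alice@example.com>", "VRFY root", "EXPN staff"]:
        print(cmd, "->", filter_command(cmd))
    print("text mail:", filter_message(SAMPLE_TEXT))
    print("exe mail: ", filter_message(SAMPLE_EXE))
```

Because the proxy terminates the client's connection and opens its own to the server (the two connections per session of slide 12), the 502 reply to EXPN or VRFY is generated by the proxy and the server never learns which accounts were probed; logging those rejections is the "auditing is possible" benefit in practice.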

Slide 16: An Example of Using Firewalls
- Requirements of the Drib Corporation:
  - The Drib wants the public to be able to access its web server and mail server, and no other services.
  - The Drib wishes to check all incoming e-mails for computer viruses and all web connections for attacks.
  - The Drib has sensitive data which it does not want outsiders to see.
  - The Drib allows file sharing among its systems. It does not want packets containing sensitive information to leak to the Internet.
(T1: ch23.3; T2: ch26.3)

Slide 17: An Example of Using Firewalls (cont.)
- Desirable network infrastructure:
  - The public entities should be confined to the DMZ.
  - The outer firewall presents an interface between the DMZ and the Internet that allows connections to the WWW service (HTTP and HTTPS) and to the electronic mail (SMTP) service.
  - Proxies with virus and attack scanning programs should be implemented at the outer firewall.
  - The Drib's most sensitive data and systems should reside in the internal network.
  - The inner firewall, sitting between the DMZ and the internal network, blocks all traffic except what is specifically authorized to enter the internal network.

Slide 18: An Example of Using Firewalls (cont.) (diagram: network designed for the Dribble Corporation)
- Internet <-> Outer Firewall <-> DMZ (Mail server, Web Server, DNS server) <-> Inner Firewall <-> INTERNAL (Internal mail server, Internal DNS server, Corporate data subnet, Customer data subnet, Development subnet)

Slide 19: An Example of Using Firewalls (cont.)
- Outer firewall configuration:
  - The outer firewall is a proxy-based firewall.
  - When a connection is initiated, the mail proxy on the firewall collects the mail and analyzes it for computer viruses and other forms of malicious logic. If none is found, it forwards the mail to the DMZ mail server.
  - Similarly, when a web connection arrives, the web proxy scans the message for any suspicious components; if none is found, it forwards the message to the DMZ web server.
- Diagram: Internet <-> Outer Firewall <-> DMZ (Mail server, Web Server)

Slide 20: An Example of Using Firewalls (cont.)
- Inner firewall configuration:
  - The inner firewall is also a proxy-based firewall.
  - Mail connections through the inner firewall are allowed, and all e-mails are sent to the DMZ mail server for disposition.
  - Packets containing sensitive information (detected by the proxies in the inner firewall) are not allowed to reach the DMZ.
  - All other traffic, including web access, is blocked.
- Diagram: DMZ <-> Inner Firewall <-> INTERNAL (Internal mail server, Internal DNS server, Corporate data subnet, Customer data subnet, Development subnet)

Slide 21: Choosing a Firewall
- What OS is required, and which other OSs are supported?
- How much CPU/RAM/disk space does it need?
- What is the authentication scheme?
- Does it support logging?
- What hardware is provided?
- What software is provided?
- What is the cost of installing and operating the firewall?
- What other features does it have?

Slide 22: Firewall Design Criteria
- Organizations deciding to use firewalls must analyze their security needs. Potential risks and threats must be contemplated.
- The following considerations may affect the design and extent of a firewall implementation:
  - Organizational policies
  - What level of access control does management want?
  - The desired level of monitoring and access must be determined.
  - What level of risk is the organization willing to accept?

Slide 23: Firewall Design Criteria (cont.)
- A checklist of what messages should be monitored, permitted and denied must be established.
- The cost of various firewall programs, including on-going maintenance, must be weighed against the potential threat. What would be the potential cost/damage of attacks on the system from outside?
- The number, placement, and types of firewalls to be used must be determined.
- Firewalls should have packet filtering, circuit-level controls, and application-level proxies in order to provide effective security.
- What is the estimated overhead of using the selected firewalls?

Slide 24: Some Commercially Available Firewalls
- Hardware: Linksys Etherfast Cable/DSL Firewall Router, Microsoft MN-100, D-Link Express EtherNetwork
- Mac OS X servers: DoorStop Server Firewall, Firewall X2, Impasse, IPNetSentry, Net Barrier
- Linux: IP tables, SINUS, ipchains
- Windows: BlackICE, Kerio, McAfee, Norton Personal Firewall, Outpost, Sygate, Terminet, and ZoneAlarm

Slide 25: References
- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004 (ISBN not preserved in the transcript).
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002 (ISBN not preserved in the transcript).
- M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages (ISBN not preserved in the transcript).
- J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational IT Security Risks, Butterworth Heinemann, 2002 (ISBN not preserved in the transcript).