Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Outline
Overview/Motivation
Packet Filtering
Application Gateway

Overview/Motivation
Why Do We Need Firewalls?
Design Issues
Firewall Characteristics
Typical Setups/Analysis

Why Do We Need Firewalls?
Prevent unauthorized access to private networks
Prevent unauthorized export of private information

Design Issues
That which is not expressly permitted is prohibited
–the firewall is designed to block everything; services are enabled on a case-by-case basis
–can be seen as a hindrance by users
That which is not expressly prohibited is permitted
–reactive: one must predict what kinds of actions would compromise the security of the firewall

Firewall Characteristics
Damage Control
–If the firewall is compromised or destroyed, what kinds of threats does it leave the private network open to?
Zones of Risk
–How large is the zone of risk during normal operation?

Firewall Characteristics
Failure Mode
–If the firewall is broken into or destroyed, how easy is it to detect?
–How much information is retained to analyze the attack?
Ease of Use
–How much of an inconvenience is the firewall?
Stance
–Permissive or prohibitive?

Typical Setups
Screening Router
Dual Homed Gateway
Screened Host Gateway
Screened Subnet

Screening Router
Basic router with some kind of packet filtering capability
–Typically able to block traffic between networks or between specific hosts at the IP level

Analysis of Screening Router
Damage control is difficult because you would need to examine every host for traces of a break-in
Zone of risk is all the hosts on the private network, because direct communication is permitted
Usually set up as permissive

Analysis of Screening Router
If the firewall is destroyed it is very hard to trace, because commercial routers generally do not keep logs
The screening can fairly easily be circumvented using tunnelling
Popular because they allow fairly free access from any point in the private network

Dual Homed Gateway
A single system with an interface on both the private network and the Internet, with TCP/IP forwarding disabled

Analysis of Dual Homed Gateway
Often used and easy to implement
Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the two networks is blocked
If the gateway is compromised then the whole private network is accessible
Zone of risk is only the gateway host

Analysis of Dual Homed Gateway
Permissiveness depends on the stance of the gateway
–allowing logins on the gateway is permissive
–using application gateways is prohibitive
Can be adapted more easily to keep logs, which help with tracing what went wrong and which machines on the private network were compromised

Screened Host Gateway
Combines a screening router and a dual homed gateway
The screening router is configured such that the gateway is the only system reachable from the Internet

Analysis of Screened Host Gateway
Can be configured to block traffic to the gateway on certain ports, permitting only a small number of services to communicate with it
Generally very secure, while fairly easy to implement
Router is configured to permit Internet access only to the gateway

Analysis of Screened Host Gateway
Zone of risk is the gateway and the router
Gateway can be on the private network, so connectivity is good for local users
Stance is dependent upon the gateway
Similar to a dual homed gateway

Screened Subnet
An isolated subnet is created between the private network and the Internet
–the private network is isolated using screening routers with varying levels of filtering

Analysis of Screened Subnet
Generally, both the Internet and the private network have access to the subnet, but traffic across the screened subnet is blocked
Usually configured with one host as the sole point of access on the subnet
Zone of risk is that host and any screening routers that connect the subnet
Appealing for firewalls that use routing to reinforce the existing screening

Analysis of Screened Subnet
Forces all services to be provided by application gateways
Strongly prohibitive
Much harder to break into, since multiple systems would need to be compromised
Can be an inconvenience, since hosts that are not addressed correctly cannot use the firewall properly
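The four setups above differ mainly in which machines an Internet host can send packets to directly (the "zone of risk") and whether private hosts can bypass the gateway. The following added example (not part of the slides) models each setup as a small graph: routers forward only the source/destination pairs their filter permits, while hosts and the dual homed gateway never forward. Host names, the blocked "payroll" host and the filter policies are constructed for the illustration.

```python
from collections import deque


class Node:
    """A device in the topology. Hosts (and a dual homed gateway) do not forward;
    routers forward only the (src, dst) pairs their filter permits."""

    def __init__(self, name, forwards=False, permit=None):
        self.name = name
        self.forwards = forwards
        self.permit = permit or (lambda src, dst: True)


class Topology:
    def __init__(self, nodes, links):
        self.nodes = {n.name: n for n in nodes}
        self.adj = {n.name: set() for n in nodes}
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)

    def can_reach(self, src, dst):
        """Breadth-first search: a packet from src is delivered to dst if some path
        exists on which every transit node forwards and permits (src, dst)."""
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return True
            node = self.nodes[cur]
            # the source emits the packet; every other node passes it on only if
            # it is a forwarding device whose filter permits this src/dst pair
            if cur != src and not (node.forwards and node.permit(src, dst)):
                continue
            for nxt in self.adj[cur] - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False

    def zone_of_risk(self, attacker="internet"):
        """Nodes an attacker on the Internet can send packets to directly."""
        return {n for n in self.nodes if n != attacker and self.can_reach(attacker, n)}


def lan(*names):
    """Full-mesh links for devices sharing one network segment."""
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]


def screening_router():
    # permissive stance: everything is forwarded except traffic to one blocked host
    router = Node("router", forwards=True, permit=lambda s, d: d != "payroll")
    nodes = [Node("internet"), router, Node("priv1"), Node("priv2"), Node("payroll")]
    return Topology(nodes, [("internet", "router")] + lan("router", "priv1", "priv2", "payroll"))


def dual_homed_gateway():
    gateway = Node("gateway", forwards=False)  # TCP/IP forwarding disabled
    nodes = [Node("internet"), gateway, Node("priv1"), Node("priv2")]
    return Topology(nodes, [("internet", "gateway")] + lan("gateway", "priv1", "priv2"))


def screened_host_gateway():
    # the router lets Internet traffic reach only the gateway, which sits on the private LAN
    router = Node("router", forwards=True, permit=lambda s, d: s != "internet" or d == "gateway")
    nodes = [Node("internet"), router, Node("gateway"), Node("priv1"), Node("priv2")]
    return Topology(nodes, [("internet", "router")] + lan("router", "gateway", "priv1", "priv2"))


def screened_subnet():
    # outer router admits Internet traffic only into the screened subnet; the inner
    # router passes only traffic to or from the bastion, which itself does not forward
    dmz = {"bastion", "inner_router"}
    outer = Node("outer_router", forwards=True, permit=lambda s, d: s != "internet" or d in dmz)
    inner = Node("inner_router", forwards=True, permit=lambda s, d: "bastion" in (s, d))
    nodes = [Node("internet"), outer, Node("bastion"), inner, Node("priv1"), Node("priv2")]
    links = ([("internet", "outer_router")] + lan("outer_router", "bastion", "inner_router")
             + lan("inner_router", "priv1", "priv2"))
    return Topology(nodes, links)


SETUPS = {"screening router": screening_router, "dual homed gateway": dual_homed_gateway,
          "screened host gateway": screened_host_gateway, "screened subnet": screened_subnet}

if __name__ == "__main__":
    for name, build in SETUPS.items():
        topo = build()
        print(f"{name:22s} zone of risk: {sorted(topo.zone_of_risk())}; "
              f"priv1 reaches Internet directly: {topo.can_reach('priv1', 'internet')}")
```

Running it reproduces the analysis slides: the screening router exposes every host it does not explicitly block, the dual homed gateway exposes only itself, the screened host setup exposes router and gateway, and the screened subnet exposes the bastion and both screening routers while forcing private hosts to go through the bastion for any outside service.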

Packet Filtering Overview
Control data traffic using the header of each packet
–source IP address
–destination IP address
–etc.
Used in the Screened Host and Screened Subnet setups

Static Packet Filtering
“Static” = “doors” are open at all times
Advantages
–Low overhead / high throughput
–Inexpensive or free
–Good for traffic management
Disadvantages
–Allows dangerous direct connections
–Leaves holes open
–Unsuitable for complex environments
–No user authentication

Dynamic Packet Filtering
“Dynamic” = opens and closes “doors” according to packet header data
Can keep track of context information about a session (stateful filtering)
Advantages
–Only temporarily opens holes in the network perimeter
–Low overhead / high throughput
–Supports almost any service
Disadvantages
–Allows direct IP connections
–No user authentication (requires an application gateway)
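The "doors" metaphor of the static and dynamic packet filtering slides can be made concrete with a small rule engine. The added example below (not code from the presentation) implements a static first-match filter with a default stance, and a stateful filter on top of it that admits reply packets only while a tracked session is fresh. The addresses, ports, rules and session timeout are constructed for the illustration; the static filter's reply rule shows the "hole left open" that the stateful filter closes.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ""             # "" matches any protocol
    sport: range = ALL_PORTS
    dport: range = ALL_PORTS

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("", p.proto)
                and p.sport in self.sport and p.dport in self.dport)


class StaticFilter:
    """Stateless screening: first matching rule wins; the default stance decides the rest."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, p, now=0):
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StaticFilter):
    """Dynamic filtering: rules judge only new connections. Packets belonging to a
    tracked session pass while the entry is fresh; the door closes when it times out."""

    def __init__(self, rules, default="deny", timeout=60):
        super().__init__(rules, default)
        self.timeout = timeout
        self.sessions = {}   # (src, sport, dst, dport, proto) -> last time seen

    def decide(self, p, now=0):
        # forget sessions idle longer than the timeout
        self.sessions = {k: t for k, t in self.sessions.items() if now - t < self.timeout}
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        for key in (fwd, rev):
            if key in self.sessions:           # part of a session we opened: door is open
                self.sessions[key] = now
                return "allow"
        if p.proto == "tcp" and not p.syn:     # untracked and not a new connection
            return "deny"
        verdict = super().decide(p)
        if verdict == "allow":
            self.sessions[fwd] = now           # open the door for this session only
        return verdict


INTERNAL = "10.0.0.0/8"

# constructed sample traffic: an internal client fetching a web page, the reply,
# and an unsolicited external packet from port 80 aimed at a high port on the client
REQUEST = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 80, syn=True)
REPLY = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, 40000)
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40001, syn=True)


def static_demo():
    # a static filter needs a permanent rule for replies, so that rule also admits
    # any external packet that merely looks like a reply
    fw = StaticFilter([
        Rule("allow", src=INTERNAL, proto="tcp", dport=range(80, 81)),
        Rule("allow", dst=INTERNAL, proto="tcp", sport=range(80, 81), dport=range(1024, 65536)),
    ], default="deny")
    return fw.decide(REQUEST), fw.decide(REPLY), fw.decide(UNSOLICITED)


def stateful_demo():
    # only the outbound rule is needed; replies ride on the tracked session
    fw = StatefulFilter([Rule("allow", src=INTERNAL, proto="tcp", dport=range(80, 81))],
                        default="deny", timeout=60)
    return (fw.decide(REQUEST, now=0),       # allow: new session opened
            fw.decide(REPLY, now=5),         # allow: matches the tracked session
            fw.decide(UNSOLICITED, now=5),   # deny: no session and no matching rule
            fw.decide(REPLY, now=100))       # deny: session expired, door closed


if __name__ == "__main__":
    print("static  :", static_demo())
    print("stateful:", stateful_demo())
```

The static filter returns "allow" for all three packets, including the unsolicited one, which is exactly the "leaves holes open" disadvantage; the stateful filter allows the request and its timely reply, denies the unsolicited packet, and denies the same reply once the session entry has expired. Neither filter knows anything about the user behind the packet, which is why both slides list the lack of user authentication as a disadvantage.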

Application Gateways Overview
First generation vs. second generation (transparent)
TCP connection state and sequencing are maintained
Prevents direct access to services on the internal network
Outgoing traffic appears to be coming from the firewall rather than the internal network
Works at the application (or service) level

Application Gateways: Lawyer Example (diagram with A, B, B’s lawyer, approved message, unapproved message)

Application Gateways (diagram: example of masking the internal network)

Application Gateways Advantages
Doesn’t allow direct connections between internal and external hosts (proxy)
Supports user-level authentication
Can analyze application-specific commands inside traffic
Can keep logs of traffic

Application Gateways Disadvantages
Takes time to check requests
Doesn’t support every type of connection
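The lawyer picture, the masking diagram and the advantages slide describe one mechanism: an internal host hands its request to the gateway, the gateway authenticates the user, inspects the application-level command, logs its decision, and re-sends approved requests under its own address. The added example below (not code from the presentation) implements that for a minimal HTTP-style request line; the gateway address, user credentials, hosts and the permitted-method list are constructed assumptions.

```python
import hmac
from dataclasses import dataclass

GATEWAY_ADDR = "203.0.113.1"   # the firewall's external address (constructed value)


@dataclass(frozen=True)
class Request:
    src: str        # internal host asking the gateway to act for it
    user: str
    password: str
    dst: str        # external server the user wants to reach
    line: str       # application-level request line, e.g. "GET /index.html HTTP/1.0"


@dataclass(frozen=True)
class Forwarded:
    src: str        # what the external server sees as the sender
    dst: str
    line: str


class HttpGateway:
    """Application-level proxy for one service. Internal hosts never talk outside
    directly: the gateway authenticates the user, parses and checks the request,
    logs the decision, and re-originates approved requests from its own address."""

    def __init__(self, users, allowed_methods=("GET", "HEAD")):
        self.users = dict(users)          # user -> password (constructed credentials)
        self.allowed = set(allowed_methods)
        self.log = []                     # (verdict, internal src, user, dst, detail)

    def parse(self, line):
        """Return (method, path, version) or None if the line is not well formed."""
        parts = line.strip().split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/1.") or not parts[1].startswith("/"):
            return None
        return parts[0].upper(), parts[1], parts[2]

    def handle(self, req):
        # user-level authentication; constant-time compare avoids leaking the password length match
        if not hmac.compare_digest(self.users.get(req.user, ""), req.password):
            return self._reject(req, "authentication failed")
        parsed = self.parse(req.line)
        if parsed is None:
            return self._reject(req, "malformed request line")
        method, path, version = parsed
        if method not in self.allowed:          # application-specific command check
            return self._reject(req, f"method {method} not permitted")
        self.log.append(("approved", req.src, req.user, req.dst, f"{method} {path}"))
        # the rebuilt request leaves from the gateway, masking the internal source
        return Forwarded(GATEWAY_ADDR, req.dst, f"{method} {path} {version}")

    def _reject(self, req, reason):
        self.log.append(("rejected", req.src, req.user, req.dst, reason))
        return None


def demo():
    """Run four constructed requests through the gateway and return the outcomes and log."""
    gw = HttpGateway({"alice": "constructed-secret"})
    server = "198.51.100.20"
    ok = gw.handle(Request("10.0.0.5", "alice", "constructed-secret", server, "GET /index.html HTTP/1.0"))
    bad_pw = gw.handle(Request("10.0.0.5", "alice", "wrong", server, "GET /index.html HTTP/1.0"))
    bad_method = gw.handle(Request("10.0.0.6", "alice", "constructed-secret", server, "DELETE /index.html HTTP/1.0"))
    malformed = gw.handle(Request("10.0.0.6", "alice", "constructed-secret", server, "GET"))
    return ok, bad_pw, bad_method, malformed, gw.log


if __name__ == "__main__":
    approved, *_, log = demo()
    print("forwarded as:", approved)
    for entry in log:
        print(entry)
```

The one approved request is re-originated from GATEWAY_ADDR, so the external server never sees 10.0.0.5; the other three are refused before anything leaves the perimeter and each refusal is recorded with the internal host and user, which is the logging advantage the slide lists. The parsing and checking steps are also where the "takes time to check requests" cost comes from.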

References
Thinking About Firewalls V2.0: Beyond Perimeter Security (1997) – htm
Application Gateways and Stateful Inspection: A Brief Note Comparing and Contrasting (Avolio & Blask 1998) –