Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000) Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Firewalls are not just for companies any more: the changing home

High Speed Internet Connections Drive the importance of security

The home Network: always on the Net

Always on, all hackers all the time For me to attack your system, I must send packets to it With dial, you get a different IP address for each call and in relative terms that call is not long Big issue is that you will have the same IP address for a long time with persistent connections You may have the same IP address ALL the time. So plenty of time for someone to go after you Personal PCs have the standard OS vulnerabilities Private Web servers easy targets

Windows file sharing does not help Admin Shares $c On by default in Win 9* and older NT Browser Service Network Neighborhood Could see everyone else's PCs Hard to turn it off on Internet facing interfaces interfaces Who cares? QDATA.*

Multiple security problems Defense in Depth

The tradeoffs

Costs Dollars for the software Download of updates Customization most software out of the box works fine File and print sharing on your home LAN special apps Checking logs

Example of customization

The firewall: The first line of defense

What a firewall does not do

Firewall technologies Network Address Translation

A digression, TCP/IP

Internet Protocol

TCP

TCP connection flow the syn is unique to session start

TCP Ports Identify the App

IP addresses

‘Private’ IP addresses Routable IP addresses are scarce Not every system in the world needs direct and always on access to the Internet Private addresses allows you to address many more systems than the ‘public’ address space (public addresses can be routed over the internet For a private addressed system to access the internet it must be translated to a public address Private addresses are defined by RFC 1918 10.*.*.*, 172.16.*.*-172.31.*.*, 192.168.*.*

Public IP address assignment If you are dialing up, you get one for the duration of the call and it will change If you are on a ‘always on’ you MAY get a one Providers charge for more than 1 permanent IP addresses Some cable systems change your address so you cant host a server without them knowing (and of course you paying) To address multiple PCs and have them access the internet you must NAT

Network Address Translation

Enterprise NAT NAT is also used to ‘hide’ addresses Remote end can only see the NATed address not the real one Both ends use private addresses And will often have duplicates (10.1.1.1) So will often ‘dual nat’ that is translate both source and destination Can even map ports so 1 address, multiple servers 200.200.200.200 port 80; 10.1.1.1 200.200.200.200 port 25; 10.1.1.2 200.200.200.200 port 20: 10.1.1.3

Pat Port address translation Allows many stations to share 1 ip address Depends on keeping track what source port and IP address for each connection Then select a unique port to associate with the single public IP address

Packet Filtering the basis of a firewall

Packet Filtering Firewalls will trust inside addresses Spoofing: attacker makes their address look like an inside address Will rely on the TCP ACK bit to determine if a connection is inbound or outbound will permit all outbound (you to the Inet) by default Can configure what inbound connections you want to allow (home web server) Does not work well with certain applications FTP opens connections from the outside Media and VOIP use dynamic ports

Stateful Inspection

Stateful inspection Look at outbound connection request to the Internet Remember the addresses and the ports Only permit traffic from the Internet if it saw that it was initiated from the inside network All modern firewalls work this way

Proxy Server

Proxy Server Since application is intercepted Can authenticate by user Can log content Can block content by looking at the URLs All web access is via proxy

Authentication w/o proxy Telnet or web to the firewall the login then can access all other services Dedicated client Firewall-1 has a custom client Firewall contacts client code when user tries to access a service ask for login and if ok grants it.

A firewall: Always does packet filters Always does stateful packet filtering Always logs May have a proxy May do authentication

Corporate Firewalls Appliance based ‘Computer’ based PIX, FW1 Nokia more expensive Dedicated OS Harder to crack as fewer OS issues Harder to scale (as based on specific hardware) ‘Computer’ based Runs on NT or Unix Can leverage existing computers Easier to learn at home

Home Firewalls Device Based OS based Part of your access box or can get a dedicated appliance May be ‘free’ with a box you are already getting Does not touch your OS but then may need more configuration Do not have to touch multiple computers Does not impact ‘inside the house’ OS based Tied into the network stack Can easily deal with custom apps May need to modify for home access

Linksys Router (appliance)

Linksys Router Filtering

Linksys Router logs

Norton Personal Firewall (part of OS)

Application list

Summary If you access the internet at all get an OS based firewall If you have always on get an appliance based Or even better use both.