

1 Firewalls & VPNs Principles of Information Security Chapter 6 Part 1

2 References
Circuit-level Gateways vs Application Gateways
◦ http://www.pcstats.com/articleview.cfm?articleid=1450&page=5
Introduction to Network Firewalls
◦ http://www.more.net/technical/netserv/tcpip/firewalls/
Firewalls Explained
◦ http://www.dmccormick.org/firewalls.htm
Firewall Architectures
◦ http://docstore.mik.ua/orelly/networking/firewall/ch04_02.htm
Introduction to Firewalls (on-line report)
◦ http://www2.hawaii.edu/~sdunan/ics623/Dunan.FirewallReport.html

3 Topic Objectives
Describe categories of firewalls.
Describe firewall architectures.
Discuss considerations for selecting architectures.

4 Firewalls
The goal is to prevent specific types of information from moving between external networks and internal networks.
In general, the arrangement of security devices placed at the perimeter of a computer network to guard the entry is collectively called a firewall, or firewall perimeter.
At least one of those devices is a program or a hardware device called a firewall.
So this "wall" can be several devices, including the firewall itself.

5 Create an integrated security system
firewall perimeter = firewall + IDS + antivirus
Also use access control and auditing.
Create many firewall perimeters, at strategic entry points.
Keep patching and updating them!

6 Categorizing Firewalls
Processing mode
◦ Packet filtering, aka filtering (e.g. a router)
◦ Application gateways
◦ Circuit gateways
◦ MAC layer firewalls
◦ Hybrid
Development era (generation)
◦ Which level of technology is used
Structure
◦ Commercial-grade, residential-grade
Implementation
◦ Software, hardware, hybrid

7 Many different firewalls to pick from
Basic personal use: ZoneAlarm, Norton Personal, Sygate
More commercial: e.g. Check Point Next Generation
Many! http://directory.google.com/Top/Computers/Security/Firewalls/Products/
Cisco firewall appliance (i.e. hardware firewall):
http://tools.cisco.com/search/JSP/search-results.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true
Performance tables: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

8 Pros and Cons

Type of firewall | Pros | Cons
Software - freeware | Easy and free | Minimal
Software - commercial personal firewalls | Simple, cheap | Not too many features, not robust
Software - commercial enterprise firewalls | Typically installed on a dedicated host; real-time monitoring and other admin features | $$$, not too easy to set up
Hardware appliances | Faster and more scalable than software firewalls | $$$$$$, difficult to patch if bugs are discovered
Hybrid firewall | Provides throughput and security of an appliance with the features of a software firewall | $$$$$$$$$$

9 Packet Filtering Firewalls
Examine packet headers
◦ Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses in the network
◦ Simple firewalls examine IP network layer headers
▪ source/destination IP address, protocol (UDP, TCP), inbound or outbound traffic
▪ can reject (deny), discard, or forward packets
◦ 3 types of packet filtering firewalls
▪ static filtering: rules must be configured in advance
▪ dynamic filtering: the firewall can modify rules dynamically in response to traffic; it opens and closes doors to allow only packets with the specified source, destination, and port to pass through the firewall
▪ stateful inspection: the firewall keeps track of the state of the connection and whether the packet "makes sense" in that context. It can check incoming packets that are responses to internal requests. If it cannot figure it out, it checks the ACL tables.

10 IP Packet Structure

11 Sample ACL table for a stateless packet filtering firewall

Rule | Source IP | Source port | Dest IP | Dest port | Action
1 | any | | 192.168.120.0 | Above 1023 | Allow
2 | 192.168.120.1 | any | | | Deny
3 | any | | 192.168.120.1 | any | Deny
4 | 192.168.120.0 | any | | | Allow
5 | any | | 192.168.120.2 | 25 | Allow
6 | any | | 192.168.120.3 | 80 | Allow
7 | any | | | | Deny

Discussion: how do we read such a table? (Look at the Review of TCP and Logic file.)
Discussion: what do these rules mean? Do you see why an IDS is necessary?

12 Stateful Inspection Firewalls
Examine transport layer headers.
Track the state of transport layer connections using a state table.
◦ Able to track TCP and UDP source/destination ports and TCP flags in particular
Dynamic stateful inspection firewalls
◦ Maintain dynamic state tables to modify filtering rules based on network events

13 TCP and UDP Packet Structure

15 Sample ACL table for a stateful packet filtering firewall

Source IP | Source port | Dest IP | Dest port | Connection state
192.168.120.101 | 1037 | 209.233.19.22 | 80 | Established
192.168.120.104 | 1022 | 165.66.28.22 | 80 | Established
192.168.120.107 | 1010 | 65.66.122.101 | 25 | Established
192.168.120.102 | 1035 | 212.33.19.4 | 79 | Established
233.54.33.5 | 1899 | 192.168.120.101 | 80 | Established
306.33.21.3 | 3558 | 192.168.120.101 | 80 | Established

Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file?)
Discussion: what do these lines mean?
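A small simulation of both sample tables, as an added example that is not part of the course slides: the stateless ACL of slide 11 is evaluated first-match, top to bottom, and a stateful filter passes packets that belong to a tracked connection before falling back to the ACL, as slide 9 describes. It assumes that the slide's 192.168.120.0 entries mean the 192.168.120.0/24 network, that blank cells mean "any", and that rule 1 (anything to ports above 1023) can be dropped once a state table handles reply traffic; the sample packets and the names Rule, StatefulFilter and build_stateful are constructed here.

```python
"""Packet-filter ACL and stateful connection table, modelled on the slides.
Constructed example: the /24 reading of 192.168.120.0, blank cells as "any",
and the dropped rule 1 in build_stateful() are all assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple, Union

ANY = "any"
PortPattern = Union[str, int, Callable[[int], bool]]
FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Rule:
    number: int
    src_ip: str             # "any", a host address, or a CIDR network
    src_port: PortPattern   # "any", a port number, or a predicate such as above(1023)
    dst_ip: str
    dst_port: PortPattern
    action: str             # "Allow" or "Deny"


def above(n: int) -> Callable[[int], bool]:
    """Port predicate for the slide's 'Above 1023' (ephemeral reply ports)."""
    return lambda port: port > n


def ip_matches(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern)
    return ip_address(addr) == ip_address(pattern)


def port_matches(pattern: PortPattern, port: int) -> bool:
    if pattern == ANY:
        return True
    if callable(pattern):
        return pattern(port)
    return pattern == port


# The slide's stateless ACL; rule 7 is the catch-all deny.
ACL: List[Rule] = [
    Rule(1, ANY, ANY, "192.168.120.0/24", above(1023), "Allow"),
    Rule(2, "192.168.120.1", ANY, ANY, ANY, "Deny"),
    Rule(3, ANY, ANY, "192.168.120.1", ANY, "Deny"),
    Rule(4, "192.168.120.0/24", ANY, ANY, ANY, "Allow"),
    Rule(5, ANY, ANY, "192.168.120.2", 25, "Allow"),
    Rule(6, ANY, ANY, "192.168.120.3", 80, "Allow"),
    Rule(7, ANY, ANY, ANY, ANY, "Deny"),
]


def evaluate_acl(acl: List[Rule], src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[int, str]:
    """Stateless first-match evaluation: the first rule whose four fields all
    match decides the packet, so rule order is part of the policy."""
    for r in acl:
        if (ip_matches(r.src_ip, src_ip) and port_matches(r.src_port, src_port)
                and ip_matches(r.dst_ip, dst_ip) and port_matches(r.dst_port, dst_port)):
            return r.number, r.action
    return 0, "Deny"   # only reached if the catch-all rule is removed


@dataclass
class StatefulFilter:
    """A packet belonging to a tracked connection (either direction) passes on
    the strength of the state table; anything else is judged by the ACL, and
    an allowed packet opens a new table entry."""
    acl: List[Rule]
    state: Dict[FlowKey, str] = field(default_factory=dict)

    def check(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        forward: FlowKey = (src_ip, src_port, dst_ip, dst_port)
        reverse: FlowKey = (dst_ip, dst_port, src_ip, src_port)
        if "Established" in (self.state.get(forward), self.state.get(reverse)):
            return "Allow (state table)"
        number, action = evaluate_acl(self.acl, src_ip, src_port, dst_ip, dst_port)
        if action == "Allow":
            self.state[forward] = "Established"
        return f"{action} (ACL rule {number})"


# Entries transcribed from the slide's stateful table.
STATE_TABLE: Dict[FlowKey, str] = {
    ("192.168.120.101", 1037, "209.233.19.22", 80): "Established",
    ("192.168.120.104", 1022, "165.66.28.22", 80): "Established",
    ("192.168.120.107", 1010, "65.66.122.101", 25): "Established",
    ("233.54.33.5", 1899, "192.168.120.101", 80): "Established",
}


def build_stateful() -> StatefulFilter:
    # With a state table, rule 1 (anything to ports above 1023) is no longer
    # needed to let replies back in, so it is dropped here (assumption).
    tightened = [r for r in ACL if r.number != 1]
    return StatefulFilter(tightened, dict(STATE_TABLE))


if __name__ == "__main__":
    print(evaluate_acl(ACL, "203.0.113.5", 80, "192.168.120.50", 1050))   # rule 1 allows it
    fw = build_stateful()
    print(fw.check("209.233.19.22", 80, "192.168.120.101", 1037))          # reply: state table
    print(fw.check("203.0.113.9", 4444, "192.168.120.101", 1037))           # unsolicited: denied
```

The last two calls show the difference the state table makes: the stateless ACL must keep rule 1 open so replies can reach internal ephemeral ports, which also lets an unsolicited packet to such a port through; the stateful filter admits the real reply because the connection is in its table and denies the unsolicited one by the catch-all rule.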

16 Where do we put packet filters?
◦ Cloud, packet filter, proxy server, inside net
◦ Cloud, packet filter, DMZ, packet filter, inside net

17 Application Gateways
AKA application-level firewall, application firewall, or proxy server.
Frequently installed on a separate computer but used in conjunction with the filtering router.
Examines application layer information to determine service type, etc.
Acts as a proxy for a service request
◦ A web server proxy receives requests for web pages, accesses the web server, and returns the pages to the client.
◦ Able to store recently accessed pages in a local cache. May be referred to as cache servers.
Frequently placed in an unsecured network location, or a DMZ network.
Can be used to route all internal traffic for web pages via the intermediate proxy server.
Still widely used for e-commerce, but DMZ networks are becoming more commonly used.
Can be slower than other types of firewalls.
Designed for one or a few protocols; cannot be easily reconfigured.
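To show what "examines application layer information" means in practice, here is an added example that is not from the slides: the decision logic of a web proxy that parses the HTTP request line and Host header (data a packet filter never looks at), enforces an allow-list of methods and internal hosts, and keeps the page cache the slide mentions. ALLOWED_METHODS, ALLOWED_HOSTS and the WebProxy class are hypothetical, and fake_fetch is a constructed stand-in for the real web server so the code runs offline.

```python
"""Application gateway (web proxy) decision logic. Constructed example: the
policy sets and fake_fetch are assumptions, not part of any real product."""
from typing import Callable, Dict, List, Tuple

ALLOWED_METHODS = {"GET", "HEAD"}                           # hypothetical policy
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}  # hypothetical policy


class ProxyError(Exception):
    pass


def parse_request(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, path, host) from an HTTP/1.x request head;
    raise ProxyError on anything that does not parse cleanly."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ProxyError("malformed request line")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ProxyError("unsupported protocol version")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    if not host:
        raise ProxyError("missing Host header")
    return method, path, host


class WebProxy:
    """Serves clients on behalf of the web servers behind it; only the proxy
    ever talks to those servers, and only for requests the policy permits."""

    def __init__(self, fetch: Callable[[str, str], bytes]):
        self.fetch = fetch
        self.cache: Dict[Tuple[str, str], bytes] = {}
        self.fetches = 0           # how often the real server was contacted
        self.log: List[str] = []

    def handle(self, raw: bytes) -> Tuple[int, bytes]:
        """Return (status, body) for the client; 403 for policy violations."""
        try:
            method, path, host = parse_request(raw)
        except ProxyError as err:
            self.log.append(f"400 {err}")
            return 400, str(err).encode()
        if method not in ALLOWED_METHODS:
            self.log.append(f"403 method {method} to {host}")
            return 403, b"method not permitted by proxy policy"
        if host not in ALLOWED_HOSTS:
            self.log.append(f"403 host {host}")
            return 403, b"host not permitted by proxy policy"
        key = (host, path)
        if method == "GET" and key in self.cache:
            self.log.append(f"200 cache hit {host}{path}")
            return 200, self.cache[key]
        body = self.fetch(host, path)
        self.fetches += 1
        if method == "GET":
            self.cache[key] = body
        self.log.append(f"200 fetched {host}{path}")
        return 200, (body if method == "GET" else b"")


def fake_fetch(host: str, path: str) -> bytes:
    """Constructed stand-in for the protected web server."""
    return f"<html>{host}{path}</html>".encode()


def demo() -> List[int]:
    """Run four constructed requests through the proxy and return the statuses."""
    proxy = WebProxy(fake_fetch)
    requests = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # cache hit
        b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",    # method blocked
        b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",         # host blocked
    ]
    return [proxy.handle(r)[0] for r in requests]


if __name__ == "__main__":
    print(demo())   # [200, 200, 403, 403]
```

Because every decision is taken on parsed application data, the proxy can refuse a method or a host name, which a packet filter looking only at addresses and ports cannot do; the price is that this logic is specific to HTTP, which is the slide's point about gateways being built for one or a few protocols.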

18 Proxy Server (also called application gateway, application-level firewall, or application firewall)
E.g. a web proxy receives traffic meant for (or coming from) the web server and then delivers it to (or from) the web server. The web server is protected by a firewall, in the figure above. There can be a packet-filter firewall in front of the proxy too.

19 Circuit Gateways
AKA circuit gateway firewall or circuit-level gateway.
Operates at the transport layer.
Creates tunnels connecting specific processes or systems and allows only authorized traffic in the tunnels.
Only examines address and port information; does not examine application layer data.

20 MAC Layer & Hybrid Firewalls
MAC layer filtering
◦ Operates at Layer 2 and examines MAC addresses
◦ Typically included as a feature of packet filtering firewalls, or hardware firewalls
Hybrid firewalls
◦ Contain components of different types of firewalls
▪ packet filtering + MAC layer filtering
▪ packet filtering + circuit gateway
▪ packet filtering + proxy server

21 Firewall Generations
First generation
◦ static packet filtering
Second generation
◦ proxy servers or application-level firewalls
Third generation
◦ stateful inspection firewalls
Fourth generation
◦ dynamic packet filtering firewalls
Fifth generation
◦ kernel proxy: operates at multiple layers of the protocol stack
◦ Windows NTEXEC kernel
◦ Cisco Centri Firewall kernel

22 Firewall Structures
Commercial-grade firewall appliances
◦ standalone, self-contained hardware & software
◦ firmware-based instructions increase reliability and performance and reduce compromise
◦ rule sets stored in nonvolatile RAM
Commercial-grade firewall systems
◦ application software running on general-purpose computers
Small Office/Home Office-grade (SOHO) firewall appliances
◦ protection for always-on high speed Internet connections
◦ support stateful inspection, MAC filtering, port forwarding and NAT
◦ may provide intrusion detection capability
Residential-grade firewall software
◦ frequently available as free or inexpensive software packages that run on individual hosts

23 SOHO Hardware vs Software Firewall
Suggestion: use BOTH
◦ Implements the strategy of defense in depth
◦ Hardware firewalls reduce/eliminate exposure of individual systems from scanning and probes
▪ Very likely to eliminate 100% of pre-attack probes
▪ May improve system performance by reducing unnecessary traffic on the local network
▪ SOHO hardware firewalls are not especially expensive and well worth the investment
◦ Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall

24 Firewall Architectures
4 common implementations
◦ Packet Filtering Routers
◦ Screened Host Firewalls
◦ Dual-Homed Host Firewalls
◦ Screened Subnet Firewalls (with DMZ)

25 Packet Filtering Routers (Basic Border Firewall)

26 Untrusted Host
Exposed hosts outside the border firewall.
Host is configured for minimal services.
Both incoming and outgoing traffic goes through the external host
◦ E.g., proxy server
Internal hosts cannot trust the external host.
If all traffic routes through the untrusted host, it may also be a dual-homed host.

27 Screened Host
Untrusted host on a separate network and inside the firewall.
Still untrusted by internal hosts.
Other untrusted hosts can be on the same network.
Creates a public access network (e.g., web access), aka DMZ, aka perimeter network or service network.

28 Dual-Homed Host
All traffic enters/leaves the internal network via the proxy server.
The proxy server may or may not be the firewall. Not required to be the same device.

29 Screened Subnet Firewall
Traffic between the internal network and the Internet traverses two firewalls and the DMZ network.
Hosts in the DMZ act as publicly accessible servers.
Traffic entering the inner firewall must originate from a host in the DMZ.
Internal firewalls provide protection between internal subnets.

30 Firewall Configuration Advantages/Disadvantages

Configuration | Advantages | Disadvantages
Screening router | Simple, cheap; stateful packet filter good for home use | Minimal protection; viruses, trojans, etc. might get through
Dual-homed host | Simple, cheap, can work well if configured well | Single point of failure and entry; depends entirely on the host computer
Screened host | 2 layers of protection for home and small business | Single point of failure and entry; depends entirely on the host computer and the router that protects it
Screened subnet (DMZ) | Isolates public servers from the internal LAN and thus protects it | Servers in the DMZ are highly vulnerable, must be hardened
Multiple DMZs/firewalls | Layers of protection for a business net | $$$
Single DMZ/two firewalls | Balances heavy traffic load | $$$
Branch offices/multiple firewalls | Each office is protected | Each location has to be set up
Reverse firewall | Monitors internal users' access to external nets | Can slow down access to external nets (even parts of the internal LAN)

31 SOCKS Servers
SOCKS
◦ Protocol for handling TCP traffic through a proxy server.
◦ Proprietary, circuit-level proxy server.
▪ Uses special client-side SOCKS agents on each workstation.
▪ Filtering occurs in the workstations rather than in the proxy server.
▪ Each workstation must be managed as a firewall detection and protection device.
◦ May require extra support and management resources, since individual clients must also be managed.
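An added example, not from the slides, that ties slide 19 and this slide together: a circuit-level gateway deciding on a SOCKS5 CONNECT request using the wire format from RFC 1928. The gateway looks only at the command, the destination address and the port, never at the application data that will follow once the circuit is open. ALLOWED_PORTS and BLOCKED_NETWORKS are a hypothetical ruleset, the requests are constructed with the helper build_connect, and parse_request, decide and build_reply are names chosen here.

```python
"""Circuit-level gateway check on a SOCKS5 CONNECT request (RFC 1928 format).
Constructed example: the policy constants are hypothetical."""
import ipaddress
import struct
from typing import Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928 section 6.
REP_SUCCESS, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07

ALLOWED_PORTS = {80, 443}                                 # hypothetical ruleset
BLOCKED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical ruleset


def parse_request(data: bytes) -> Tuple[int, str, int]:
    """Return (cmd, destination, port) from a SOCKS5 request:
    VER CMD RSV ATYP DST.ADDR DST.PORT. Raises ValueError if malformed."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        dest, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        dest, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        dest, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("wrong request length")
    (port,) = struct.unpack("!H", rest)
    return cmd, dest, port


def decide(data: bytes) -> Tuple[int, str]:
    """Apply the ruleset to one request; returns (reply code, log line).
    Only address and port are consulted, never any later payload."""
    try:
        cmd, dest, port = parse_request(data)
    except ValueError as err:
        return REP_GENERAL_FAILURE, f"malformed request: {err}"
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED, f"command {cmd:#x} not supported"
    if port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED, f"port {port} not permitted to {dest}"
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None   # a domain name; resolving it is outside this example
    if ip is not None and any(ip in net for net in BLOCKED_NETWORKS):
        return REP_NOT_ALLOWED, f"destination {dest} is in a blocked network"
    return REP_SUCCESS, f"circuit to {dest}:{port} opened"


def build_reply(rep: int) -> bytes:
    """SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT) with a zero bind address."""
    return bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"


def build_connect(dest: str, port: int) -> bytes:
    """Client-side helper that encodes a CONNECT request for the demo."""
    try:
        ip = ipaddress.ip_address(dest)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:
        name = dest.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


if __name__ == "__main__":
    for req in (build_connect("www.example.com", 443),   # allowed
                build_connect("10.1.2.3", 80),           # blocked network
                build_connect("203.0.113.5", 25)):       # port not allowed
        rep, line = decide(req)
        print(f"{rep:#04x} {line} -> reply {build_reply(rep).hex()}")
```

The filtering here lives in the gateway; the slide's point about SOCKS is that with client-side agents the same kind of decision is taken on each workstation instead, which is why every workstation then has to be managed as a protection device.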

32 SOCKS Server
Note: the figure depicts a dual-homed host configuration with inner and outer firewalls.

33 Firewall Selection
Factors to consider
◦ Which firewall design provides the desired protection?
◦ What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization?
◦ What features are included?
▪ In the base price, or as add-ons?
▪ Are all cost factors known?
◦ How easy is it to set up and configure?
▪ How accessible are knowledgeable staff to support the firewall?
◦ Can the proposed firewall adapt to projected network growth in the organization?

