Firewalls: Concepts, Design and Applications
TDC 568: Network Management
Professor Ehab Al-Shaer
Sources: Panko, Stallings, NIST
Firewall Basics

What does a Firewall do?
- Define security boundaries to block/permit untrusted/trusted access to internal resources => protecting networks and hosts
- Restrict external access
- Log network activities
- Intrusion detection
- Restrict information transfer to/from the net

How does a Firewall work?
- Inspect packets
- Address translation (NAT)
- Encryption/Decryption

Firewall Inspects Packets
Screened Subnet Architecture
- DMZ: inbound -> permitted, outbound -> blocked
- Screened subnet: outbound -> permitted, inbound -> blocked
Firewall Basics
- First Step: write your network and system security policy:
  - regulations and rules that organize access to resources (e.g., reading news is not allowed, which services are public, one-way FTP permitted, change password every month, etc.)
- Firewall Policy: the implementation of the security policy in the firewall.
- General FW policies:
  - Permit any access except ...
  - Deny any access except ... <- recommended
- In any case, the fewer exceptions you have, the better the policy will be.
Firewalls Design

Firewall Strategies
- A packet filter
- Application proxy server
- Both

Firewall Architectures
- packet filter router/host
- single-homed gateway
- dual-homed gateway
- a screened host
- a screened subnet
Firewall Architecture
- Using a dual-homed host (or a screening packet filter router)
- Using a screened host
  - if the proxy server is single-homed, then clients and the router have to be configured to forward to the proxy
  - if a dual-homed proxy server is used, it is more transparent
- Using a screened subnet to create a DMZ area (I call it Alcatraz island)
  - Bastion host: a host that has been tightly secured (no user accounts, etc.) and is used in the DMZ area for a special purpose such as proxy serving or web serving, etc.
  - Sacrificial host: used intentionally to lure prospective hackers (honey pot)!
Packet Filter (Stateless) Firewall
- Hardware
  - router with screening capabilities
  - dual-homed host with filtering and proxy server capabilities
  - FW appliances
- Advantages:
  - free
  - you only need one, at the network entrance point
  - easy to use: no special training is required
- Disadvantages:
  - managing a large number of rules becomes complex
  - works on a small set of data (some TCP/IP header fields)
  - if it is misconfigured, the damage to your network is severe
Application Gateways and Proxy Server Firewalls
- Packet filters vs. proxy servers
  - protocol level vs. application level
  - a proxy server does not pass packets through; it acts as client/server between the two ends
  - the proxy server must understand the application
  - one proxy per application
- A proxy server can check incoming and outgoing traffic (e.g., Web and FTP applications)
- Proxy types:
  - Classical proxies: clients have to connect to the proxy first
  - Transparent proxies: the proxy intercepts the client's IP packets and issues the connection to the remote server
- A generic proxy may not work well (securely) for specific or not well-known applications (the TIS Firewall Toolkit can be used to build custom proxies)
Proxy Server Evaluation
- Advantages
  - hiding network information
  - application/content-level filtering
  - fail-over and load balancing features
  - single point of control (easy to control access)
  - powerful logging features
- Disadvantages
  - increases the communication latency/delay
  - one proxy per application, and no generic one
  - the client might need to be modified/reconfigured to use the proxy server
Packet Filter Firewalls
- Stateless filters: simple filters that make decisions on a packet-by-packet basis
  - you cannot create rules that filter a packet based on other packets or on previous history
  - you have to check each packet in the same stream to maintain the policy
- Stateful filters: dynamic filters that keep state (a table) in memory that matches up the incoming and outgoing streams.
- Firewall rule evaluation
  - More specific rules should be placed higher up
  - Each rule has either a permit or a deny action
  - Matching stops as soon as a rule evaluates to TRUE; then its action is executed (permit or deny).
Stateful Packet Filter Firewalls
- To improve performance, not every single packet is matched against the rules. Only the SYN packet is matched; then the session is logged in the table.
- All other packets related to this stream are compared to the table (very fast) in kernel memory
- The table lookup looks only for Src and Dst
- Timers are used to evict broken sessions
- It permits TCP replies (for admitted streams) to pass through using the FW tables, while inspecting TCP SYN packets
- If any rule fires, the FW action is taken (rule conflict?)
Firewall Rules
- Packet Filters/FW Rules: they implement the FW policy
- Questions to ask:
  - Which services do you want to offer on the network, and in which direction?
  - Do you want to restrict user Internet access: which, what and when?
  - Are there any trusted external hosts to which you want to give network access?
- Fields used to filter packets:
  - IP headers: options, proto, src/dest IP
  - TCP and UDP: src/dest port, flags, SYN and ACK bits

Firewall Rule Basics
- Interface name (the FW may have more than one incoming/outgoing link)
- Interface or traffic direction
- Source and destination IP address: this includes broadcast and multicast addresses
- IP options: need to check this for source routing
- ICMP
- Transport protocols: UDP, TCP, IPX, ...
- Well-known TCP/UDP services: WEB, FTP, etc.
- More restrictive rules come first, to avoid rule conflict and shadowing:
  1. Permit ANY TCP incoming (more general)
  2. Deny DestPort=25 TCP incoming (will be shadowed by rule 1)
Recommendations for Firewall Selection
- Stateful Multi-layer Inspection (SMLI) based firewall: packet filtering and proxy-based firewalls are less flexible and have lower performance.
- The FW must contain NAT (Network Address Translation): it changes the source address of all traffic leaving your network, preventing hackers from IP spoofing and breaking into your network. Local machines are given a fake IP address and the FW/NAT translates it to the actual (ISP) IP address or addresses.
- User Authentication (UA): provides password-level protection for remote users.
- De-Militarized Zone (DMZ): allows you to create a public access segment of your network for use by external clients without breaching the security of your network. This area will not be fully secured.
- Encryption/Virtual Private Network (VPN): create your own virtual private network over the Internet.
Recommendations for Firewall Selection
- Supporting easily configurable security policies: this is important for network changes and growth.
- Supporting pervasive intrusion detection: such as virus detection and scanning, port scanning and ping sweeps.
- Centralized reporting and analysis: this central point can help network administrators spot trends in the activities of suspicious network users or intruders.
- The FW should adapt to a growing network: proper firewall solutions should be able to quickly adapt to changes in your network environment. Any changes should be easily accommodated by a "point-and-click" interface that is easy to understand and interpret, so that the user does not get confused and cause more disruption to the security plan.
Recommendations for Firewall Configuration
- One of the most critical steps in building a firewall is creating the security policy and rules. Security rules define what will be enforced and how the security policy will be enforced.
- The key to a secure firewall is simplicity. Simple rules, and not too many of them, are easy to manage and verify. It is recommended not to use more than 25-30 rules, in order to avoid introducing security breaches through misconfigurations.
- The bastion host should not be used for anything else: if you use it for anything other than an Internet gateway, you may be adding weaknesses to the security architecture.
Recommendations for Firewall Policy Configuration
- NIST recommends that the firewall design policy start with the most secure stance, i.e., deny all services except those that are explicitly permitted. The policy designers should then ask the following:
  - Which Internet services the organization plans to use, e.g., TELNET, WWW, and NFS
  - Where the services will be used, e.g., on a local basis, across the Internet, or from remote organizations
  - Additional needs, such as encryption or dial-in support
  - What are the risks associated with providing these services and access
  - What is the cost/impact on network usability
- Disable the Windows TCP/IP stack: there has been a lot of concern over the security of Windows NT because of an inherent weakness in its networking stack.
Firewall Rule Recommendations
- Use IP addresses, not host names
- Do not return all ICMP codes via the external interface (echo request, destination unreachable, redirection)
- Reject all packets entering through the external interface that carry the address of an internal machine or domain as their IP source!
- Block vulnerable services such as NFS, NIS, X Windows
- Deny ALL services at the end of your rule list
- For telnet, ftp, email, etc., use SSH and/or proxy servers for strong authentication and filtering
Firewall Rule Examples (Stateless)
To allow incoming and outgoing SMTP traffic (corrected) for a stateless filter:

  #  Direction  Prot  Src Address  Dest Address  Src Port  Dest Port  Action
  1  outbound   TCP   internal     external      >=1024    25         allow
  2  inbound    TCP   external     internal      25        >=1024     allow
  3  inbound    TCP   external     internal      >=1024    25         allow
  4  outbound   TCP   internal     external      25        >=1024     allow
  5  *          *     *            *             *         *          deny

BTW, in a stateless filter you can use the ACK bit to block initiating TCP traffic from passing into the network while allowing reply TCP traffic. A stateful filter is more efficient here, because the ACK bit is not always cleared in the SYN packet.
Firewall Rule Examples (Stateful)
To allow incoming and outgoing SMTP traffic (corrected) for a stateful filter:

  #  Direction  Prot  Src Address  Dest Address  Src Port  Dest Port  Action
  1  outbound   TCP   internal     external      >=1024    25         allow
  2  inbound    TCP   external     internal      >=1024    25         allow
  3  *          *     *            *             *         *          deny

Rules #1 and #2 automatically create an entry for the stream in the FW table, which allows the replies to go back without stating this as a rule. This entry uses the tuple to match reply packets belonging to the same stream.
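The mechanism behind the stateful SMTP table above (rules consulted only for the TCP SYN, a session table that admits replies, timers that evict idle entries), worked through as an added example that is not the slides' own code. The 10.1.0.0/16 internal prefix, the 60-second idle timeout and the packet dictionary layout are constructed assumptions; the table is keyed on the full 5-tuple.

```python
# Stateful packet filter as the slides describe it (added example, not the slides' code):
# only a TCP SYN is run through the rules; an admitted session is recorded in a table keyed
# by its 5-tuple; later packets of the stream, in either direction, are a table lookup, and
# idle entries are evicted by a timer.  Internal prefix and timeout are constructed values.
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.0.0/16")   # constructed: the "internal" side of the FW
TIMEOUT = 60                                      # seconds a session may stay idle

def side(ip):
    return "internal" if ipaddress.ip_address(ip) in INTERNAL else "external"

# Rules 1-3 of the stateful SMTP table: direction, proto, src side, dst side, dest port, action
RULES = [
    ("outbound", "tcp", "internal", "external", 25, "allow"),
    ("inbound",  "tcp", "external", "internal", 25, "allow"),
    ("*",        "*",   "*",        "*",        "*", "deny"),
]

def first_match(pkt):
    """Walk the rules in order; the first rule that matches decides (implicit deny)."""
    direction = "outbound" if side(pkt["src"]) == "internal" else "inbound"
    for d, proto, s, t, dport, action in RULES:
        if (d in ("*", direction) and proto in ("*", pkt["proto"])
                and s in ("*", side(pkt["src"])) and t in ("*", side(pkt["dst"]))
                and dport in ("*", pkt["dport"])):
            return action
    return "deny"

class StatefulFilter:
    def __init__(self):
        self.table = {}   # (proto, src, sport, dst, dport) -> time last seen

    def evict(self, now):
        """Timer: forget sessions idle longer than TIMEOUT (broken or abandoned streams)."""
        self.table = {k: t for k, t in self.table.items() if now - t <= TIMEOUT}

    def process(self, pkt, now):
        self.evict(now)
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
            action = first_match(pkt)          # only the connection request sees the rules
            if action == "allow":
                self.table[key] = now          # rule 1 or 2 creates the stream's table entry
            return action
        for k in (key, reverse):               # data or reply of an admitted stream: fast path
            if k in self.table:
                self.table[k] = now
                return "allow"
        return "deny"   # no session asked for this (e.g. a bare ACK or an unsolicited SYN/ACK)
```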
Network Address Translators (NAT): Server Proxy Example
- Basic operation
  - Hiding the information on your network
  - Increases the LAN address space.
  - Uses valid IP addresses (EIP) in the outside communications and internal IP addresses (IIP) in the inside communications
  - Mapping/assignment has to be done between EIP and IIP such that the total number of simultaneous IIP sessions does not exceed the number of EIPs (static or dynamic assignment)
  - NAT substitutes the IIP with an EIP before sending
- NAT is not recommended if a large number of active/simultaneous clients is expected
  - Solution: NAPT (network address and port translation): both the IP address and the port in the packet are replaced, which means a single IP address might serve about 2**16 clients
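The EIP/IIP mapping and the NAPT port rewriting described above, as an added example (not the slides' code). It shows why basic NAT is capped by the size of the EIP pool while NAPT lets one EIP carry on the order of 2**16 sessions; all addresses and the packet layout are constructed.

```python
# NAT vs NAPT, an added example of the mapping the slide describes (not the slides' code).
# Basic NAT binds one internal IP (IIP) to one external IP (EIP) at a time, so simultaneous
# clients are bounded by the EIP pool; NAPT rewrites (IIP, port) to (EIP, port), so one EIP
# can serve on the order of 2**16 concurrent sessions.  All addresses below are constructed.

class BasicNAT:
    def __init__(self, eips):
        self.free, self.bind = list(eips), {}      # EIP pool, IIP -> EIP (dynamic assignment)

    def outbound(self, pkt):
        eip = self.bind.get(pkt["src"])
        if eip is None:
            if not self.free:
                return None                        # pool exhausted: this client cannot go out
            eip = self.bind[pkt["src"]] = self.free.pop(0)
        return dict(pkt, src=eip)                  # IIP substituted with EIP before sending

class NAPT:
    def __init__(self, eip, ports=range(1024, 65536)):
        self.eip, self.ports = eip, iter(ports)   # one EIP, ~2**16 - 1024 usable source ports
        self.out_map = {}   # (iip, iport, dst, dport) -> eport
        self.in_map = {}    # (eport, dst, dport) -> (iip, iport), used for replies

    def outbound(self, pkt):
        """Rewrite an internal -> external packet so its source is (EIP, eport)."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        eport = self.out_map.get(key)
        if eport is None:
            eport = next(self.ports, None)
            if eport is None:
                return None                        # all ports of this EIP are in use
            self.out_map[key] = eport
            self.in_map[(eport, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.eip, sport=eport)

    def inbound(self, pkt):
        """Translate a reply sent to (EIP, eport) back to the internal host, or drop it."""
        inner = self.in_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if inner is None:
            return None                            # unsolicited: no session, the LAN stays hidden
        return dict(pkt, dst=inner[0], dport=inner[1])
```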
Managing Firewall Policies
- Managing a firewall policy is a complex task:
  - Rules have to be inserted in the correct order, otherwise ...
  - In general, adding or modifying rules requires careful policy analysis
  - With a large number of rules, this task just becomes overwhelming
- Filtering rules might have conflicts resulting in different actions for the same traffic => inconsistency/ambiguity
- Effective firewall security requires proper management techniques to analyze and verify the filtering rules in the firewall policy
- What can go wrong when writing or modifying a set of filtering rules in a firewall (called "policy conflicts")?
Types and Examples of Intra-Firewall Conflicts
Rule format: protocol, source address, source port, destination address, destination port, action

  1:  tcp, 140.192.37.20, any, *.*.*.*, 80, deny
  2:  tcp, 178.124.32.*, any, 163.134.21.*, 80, accept
  3:  tcp, 140.192.37.*, any, *.*.*.*, 80, accept
  4:  tcp, *.*.*.*, any, 161.120.33.40, 80, accept
  5:  tcp, 140.192.37.*, any, 161.120.33.40, 80, deny
  6:  tcp, 140.192.37.30, any, *.*.*.*, 21, deny
  7:  tcp, 140.192.37.*, any, *.*.*.*, 21, accept
  8:  tcp, 140.192.37.*, any, 161.120.33.40, 21, accept
  9:  tcp, *.*.*.*, any, *.*.*.*, any, deny
  10: udp, 140.192.37.*, any, 161.120.33.40, 53, accept
  11: udp, *.*.*.*, any, 161.120.33.40, 53, accept
  12: udp, *.*.*.*, any, *.*.*.*, any, deny

[Figure: Internet - R/FW - domains D1 (140.192.37.0) and D2 (161.20.33.0)]

- Shadowing: the shadowed rule is never activated
- Correlation: correlated rules imply ambiguity in action
- Generalization: an exception to a general rule is a potential security hole (potential)
- Redundancy: redundant rules increase the policy size and waste performance
- Irrelevance: irrelevant rules are never activated
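A pairwise classifier for the intra-firewall conflicts listed above, run over the slide's 12-rule policy and over the two-rule shadowing example from the rule-basics slide (permit any TCP, then deny port 25). This is an added example, not the slides' own tool: it compares each later rule with each earlier one by set relation and action, so it finds shadowing, generalization, correlation and redundancy; irrelevance needs the network topology and is not covered.

```python
# Intra-firewall anomaly classifier (added example: a simplified pairwise version of the
# slides' taxonomy, not the slides' own tool).  Rule: (proto, src, sport, dst, dport, action);
# addresses are octet patterns like 140.192.37.*, "any"/"*" are wildcards, first match wins.
WILD = {"*", "any"}

def relation(r1, r2):
    """How r1's traffic relates to r2's: eq, sub (r1 inside r2), sup, corr or disj."""
    rels = set()
    for f1, f2 in zip(r1[:5], r2[:5]):
        for a, b in zip(f1.split("."), f2.split(".")):
            rels.add("eq" if a == b else "sup" if a in WILD else "sub" if b in WILD else "disj")
    if "disj" in rels: return "disj"                     # some field can never overlap
    if rels <= {"eq", "sub"}: return "eq" if rels == {"eq"} else "sub"
    return "sup" if rels <= {"eq", "sup"} else "corr"  # corr: overlap, neither contains the other

def anomalies(rules):
    """(kind, rule, related rule), 1-based, for each later rule ry against each earlier rx."""
    out = []
    for j, ry in enumerate(rules):
        for i, rx in enumerate(rules[:j]):
            rel, differ = relation(ry, rx), ry[5] != rx[5]
            if rel in ("eq", "sub") and differ:
                out.append(("shadowing", j + 1, i + 1))       # ry never fires: rx takes its traffic
            elif rel == "sup" and differ:
                out.append(("generalization", j + 1, i + 1))  # rx is an exception carved out of ry
            elif rel == "corr" and differ:
                out.append(("correlation", j + 1, i + 1))     # the action depends on rule order
            elif rel in ("eq", "sub"):
                out.append(("redundancy", j + 1, i + 1))      # ry repeats what rx already decides
            elif rel == "sup" and all(rz[5] == rx[5] or relation(rx, rz) == "disj"
                                      for rz in rules[i + 1:j]):
                out.append(("redundancy", i + 1, j + 1))      # rx can go: ry decides the same
    return out
# The 12-rule policy from the slide, and the two-rule shadowing example (permit any TCP, then deny 25).
SLIDE_RULES = [r.split() for r in """
tcp 140.192.37.20 any *.*.*.* 80 deny
tcp 178.124.32.* any 163.134.21.* 80 accept
tcp 140.192.37.* any *.*.*.* 80 accept
tcp *.*.*.* any 161.120.33.40 80 accept
tcp 140.192.37.* any 161.120.33.40 80 deny
tcp 140.192.37.30 any *.*.*.* 21 deny
tcp 140.192.37.* any *.*.*.* 21 accept
tcp 140.192.37.* any 161.120.33.40 21 accept
tcp *.*.*.* any *.*.*.* any deny
udp 140.192.37.* any 161.120.33.40 53 accept
udp *.*.*.* any 161.120.33.40 53 accept
udp *.*.*.* any *.*.*.* any deny
""".split("\n") if r]
SHADOW_EXAMPLE = [["tcp", "*.*.*.*", "any", "*.*.*.*", "any", "permit"],
                  ["tcp", "*.*.*.*", "any", "*.*.*.*", "25", "deny"]]
```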
Types and Examples of Inter-Firewall Conflicts
Rule format: protocol, source address : port, destination address : port, action

Policy A:
  1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
  2: tcp, 161.120.*.* : any, 140.192.22.5 : 21, deny
  3: tcp, 161.120.*.* : any, 140.192.*.* : 21, accept
  4: tcp, 140.192.*.* : any, 161.120.33.* : 23, accept
  5: tcp, 161.120.33.* : any, 140.192.*.* : 23, accept
  6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
  7: tcp, 161.120.24.* : any, 140.192.22.5 : 25, deny
  8: tcp, 161.120.*.* : any, 140.192.37.* : 25, accept
  9: tcp, *.*.*.* : any, *.*.*.* : any, deny

Policy B:
  1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
  2: tcp, 140.192.*.* : any, 161.120.*.* : 80, accept
  3: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept
  4: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny
  5: tcp, 161.120.*.* : any, 140.192.*.* : 23, accept
  6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
  7: tcp, 161.120.24.* : any, 140.192.*.* : 25, accept
  8: tcp, *.*.*.* : any, *.*.*.* : any, deny

[Figure: Internet - R0/FW0; R1/FW1 in front of D1.1 (140.192.22.0) and D1.2 (140.192.37.0); R2/FW2 in front of D2.1 (161.120.33.0) and D2.2 (161.120.24.0)]

- Shadowing: the upstream FW blocks traffic accepted by the downstream FW
- Spuriousness: the upstream FW permits traffic denied by the downstream FW
- Redundancy: the downstream FW denies traffic already blocked by the upstream FW
- Correlation: the upstream FW blocks part of the traffic accepted by the downstream FW, or permits part of the traffic denied by the downstream FW
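One way to find the inter-firewall conflicts above without being fooled by rule order: for every rule pair that can match the same traffic, construct a witness packet in their intersection and evaluate first-match on both policies, then name the anomaly from the two effective actions. Added example, not the slides' own tool; it assumes the first policy listed is the upstream firewall and the second the downstream one, and it does not classify the partial-overlap (correlation) case.

```python
# Inter-firewall anomalies via witness packets (added example, not the slides' tool): for each
# upstream/downstream rule pair that can match the same traffic, build one packet in their
# intersection and run first-match on BOTH policies.  The first list is ASSUMED upstream.
WILD = {"*", "any"}   # rule fields: proto src sport dst dport action
UPSTREAM = [r.split() for r in """
tcp 161.120.*.* any 140.192.*.* 80 accept
tcp 161.120.*.* any 140.192.22.5 21 deny
tcp 161.120.*.* any 140.192.*.* 21 accept
tcp 140.192.*.* any 161.120.33.* 23 accept
tcp 161.120.33.* any 140.192.*.* 23 accept
tcp 161.120.24.* any 140.192.37.3 25 deny
tcp 161.120.24.* any 140.192.22.5 25 deny
tcp 161.120.*.* any 140.192.37.* 25 accept
tcp *.*.*.* any *.*.*.* any deny
""".split("\n") if r]
DOWNSTREAM = [r.split() for r in """
tcp 161.120.*.* any 140.192.*.* 80 accept
tcp 140.192.*.* any 161.120.*.* 80 accept
tcp 161.120.*.* any 140.192.22.5 21 accept
tcp 161.120.33.* any 140.192.37.* 23 deny
tcp 161.120.*.* any 140.192.*.* 23 accept
tcp 161.120.24.* any 140.192.37.3 25 deny
tcp 161.120.24.* any 140.192.*.* 25 accept
tcp *.*.*.* any *.*.*.* any deny
""".split("\n") if r]

def tok_meet(a, b):
    """One concrete token inside both patterns, or None if disjoint ("1" stands for any value)."""
    if a in WILD: return "1" if b in WILD else b
    return a if (b in WILD or a == b) else None

def witness(r1, r2):
    """A packet (proto, src, sport, dst, dport) both rules match, or None; doubles as a matcher."""
    pkt = [[tok_meet(x, y) for x, y in zip(a.split("."), b.split("."))]
           for a, b in zip(r1[:5], r2[:5])]
    return None if any(None in f for f in pkt) else tuple(".".join(f) for f in pkt)

def decide(policy, pkt):   # first-match evaluation -> (rule number, action), implicit deny
    return next(((n, r[5]) for n, r in enumerate(policy, 1) if witness(r, pkt)), (None, "deny"))

KINDS = {("deny", "accept"): "shadowing",    # upstream blocks what downstream accepts
         ("accept", "deny"): "spuriousness",  # upstream passes what downstream denies
         ("deny", "deny"): "redundancy"}      # downstream re-denies already blocked traffic

def inter_anomalies(upstream, downstream):
    """{(upstream rule, downstream rule): (anomaly, witness packet)} from the effective actions."""
    found = {}
    for pkt in filter(None, (witness(ru, rd) for ru in upstream for rd in downstream)):
        (nu, au), (nd, ad) = decide(upstream, pkt), decide(downstream, pkt)
        if (au, ad) in KINDS:
            found.setdefault((nu, nd), (KINDS[au, ad], pkt))
    return found
```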