
CEN 448

Security and Internet Protocols


Chapter 20
Firewalls
Dr. Mostafa Hassan Dahshan
Computer Engineering Department
College of Computer and Information Sciences
King Saud University
mdahshan@ccis.ksu.edu.sa

Firewalls
„ Internet connectivity essential to organization
„ Internet provides benefits
„ But it also enables outsiders to reach local resources
„ Not practical to secure all workstations
„ Alternative is firewalls
„ Inserted between local network and Internet
„ Single choke point to impose security, audit
Design Goals
„ All traffic must pass through firewall
… from inside to outside or outside to inside
… block all access to LAN except through firewall

„ Only authorized traffic is allowed to pass
… defined by security policy
„ Firewall immune to penetration
… must be running secure operating system
… access control must be defined

Capabilities
„ Single choke point
… simplify security management
… provide protection from various attack types

„ Monitoring security-related events
… implement audits and alarms
„ Can provide non-security related services
… DNS, network management
„ Platform for IPSec
… using tunnel mode, can implement a VPN
What Firewalls Cannot Protect
„ Attacks that bypass firewall
… dial-out or dial-in service inside LAN
… violates “single choke point” rule

„ Internal threats
… disgruntled employee cooperates with attacker
„ Transfer of virus-infected programs
… various types of operating systems
… impossible to scan all file types

Types of Firewalls
„ Packet-filtering router
„ Stateful inspection firewalls
„ Application-level gateway
„ Circuit-level gateway
Packet-Filtering Routers
„ Apply set of rules to each in or out IP packet
„ Packet is then forwarded or discarded
„ Filtering rules based on
… source IP address: e.g., 192.168.1.1
… destination IP address: e.g. 192.168.1.2
… transport protocol: TCP, UDP, DCCP, SCTP
… transport port number
… interface: inside, outside, or multiple interfaces
Packet-Filtering Routers
„ Filter set up as list of rules
„ Rules match fields in IP or TCP header
„ If packet matches one of the rules, that rule's action is invoked
„ If no match, apply default rule
„ Default rule can either be
… deny: discard every packet not explicitly permitted by a rule
… permit: forward every packet not explicitly denied by a rule

Packet Filtering Examples

„ Inbound mail allowed, but only to gateway host
„ Packets from SPIGOT host are blocked
… SPIGOT has history of sending massive email
Packet Filtering Examples

„ Explicit statement of default policy
„ Conservative approach, everything is blocked
„ Services must be added on a case by case basis
„ More secure, but inconvenient for users
„ With “default permit”, admin must identify every threat in advance

Packet Filtering Examples

„ Any inside host can send mail to outside


„ TCP packets with remote port 25 are allowed
„ Problems
… some SMTP servers may not use the default port 25
… attacker may run a different service on port 25
… attacker can send packets using source port 25
Packet Filtering Examples

„ Solves the problems with the previous rule set (C)
„ Take advantage of TCP ACK flag
… sent in response to locally established connection
„ Allow packets from local host with dest port 25
„ Allow incoming packets from port 25 with ACK
… only replies to local connections
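To make the rule-list evaluation, the default policy, and the ACK-flag fix concrete, here is an added Python example (it is not from the slides and not any real firewall's code): a toy packet filter that evaluates a rule list first-match-wins, together with rule sets modelled on examples A, C and D above. The addresses, port numbers, and the Packet and Rule structures are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example addresses (assumptions, not from the slides):
OUR_NET = "192.168.1.0/24"     # the organisation's internal network
GATEWAY = "192.168.1.2"        # the internal mail gateway host
SPIGOT = "203.0.113.9"         # the external host to be blocked entirely


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag: clear on the segment that opens a connection, set on later ones


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # address or CIDR block; None matches any
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None    # None means the flag is not examined

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule decides; if none matches, the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Rule set A: block SPIGOT first, then allow inbound mail only to the gateway (default deny).
RULESET_A = [Rule("deny", src=SPIGOT), Rule("permit", dst=GATEWAY, dport=25)]

# Rule set C: inside hosts may reach port 25 anywhere, and anything *from* port 25 is
# let back in. The second rule is the weakness: any external packet whose source port
# is 25 passes, whatever it is really for.
RULESET_C = [Rule("permit", src=OUR_NET, dport=25), Rule("permit", sport=25)]

# Rule set D: the inbound rule additionally requires ACK, so only replies to
# connections opened from inside are admitted.
RULESET_D = [Rule("permit", src=OUR_NET, dport=25),
             Rule("permit", sport=25, dst=OUR_NET, ack=True)]

# Constructed sample traffic
OUTBOUND_MAIL = Packet("192.168.1.50", 40000, "198.51.100.7", 25)            # inside host opens SMTP session
LEGIT_REPLY = Packet("198.51.100.7", 25, "192.168.1.50", 40000, ack=True)   # remote server answers
SPOOFED_PROBE = Packet("198.51.100.7", 25, "192.168.1.50", 22)              # outsider using source port 25 for an unrelated service

if __name__ == "__main__":
    for name, rules in (("C", RULESET_C), ("D", RULESET_D)):
        for label, p in (("outbound", OUTBOUND_MAIL), ("reply", LEGIT_REPLY), ("probe", SPOOFED_PROBE)):
            print(f"rule set {name}: {label:8s} -> {filter_packet(rules, p)}")
```

Running the script shows that rule set C lets the spoofed probe through while rule set D drops it and still admits the genuine reply; changing `default` to `"permit"` shows why a default-deny policy is the safer starting point.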

Packet Filtering Examples

„ Allow
… packets originated internally
… reply packets to connection initiated internally
… packets destined to high-numbered port on internal host

„ Most servers use low-numbered ports < 1024
„ Most attack targets are in this range
Packet Filtering Firewalls

„ Advantages
… simple: few variables
… fast: only check TCP/IP headers
… transparent to users

„ Disadvantages
… cannot prevent application-level attacks
… vulnerable to attacks that exploit flaws in the TCP/IP implementation
… few variables: easy to produce a weak configuration

Attacks on Packet-Filtering Routers

„ IP address spoofing
… use fake source IP address (e.g. internal IP)
… goal: penetrate source address based security
… countermeasure: discard packets arriving on the external interface with an internal IP address as source
„ Source routing attacks
… source routing option overrides the router's own routing decision
… goal: get packets into the private IP network
… countermeasure: discard packets carrying this option
Attacks on Packet-Filtering Routers

„ Tiny fragments attacks
… use IP fragmentation option
… create very small fragments
… force transport header into separate fragments
… goal: circumvent transport header filtering rules
… countermeasure: enforce a minimum first-fragment size so that a predefined minimum amount of the transport header is present
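The three countermeasures above (anti-spoofing on the external interface, dropping source-routed packets, and a minimum first-fragment size) as a single ingress check. This is an added Python illustration, not material from the slides or any vendor's implementation; the internal prefix 10.0.0.0/8, the 20-byte minimum, and the packet fields are assumptions. The extra check on fragment offset 1 follows RFC 1858 and goes slightly beyond the slide's bullet.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the organisation's internal address space
TCP = 6                                   # IP protocol number for TCP
MIN_FIRST_FRAGMENT = 20                   # assumption: whole TCP header (ports, seq, ack, flags) must be in fragment 0
SOURCE_ROUTE_OPTIONS = {131, 137}         # IP option types: loose (131) and strict (137) source routing (RFC 791)


@dataclass
class IPPacket:
    src: str
    dst: str
    interface: str                    # "outside" (Internet side) or "inside"
    protocol: int = TCP
    options: Set[int] = field(default_factory=set)   # IP option type numbers present in the header
    frag_offset: int = 0              # fragment offset in 8-byte units, as in the IP header
    more_fragments: bool = False      # MF flag
    payload_len: int = 40             # bytes following the IP header in this packet


def ingress_check(p: IPPacket) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for a packet arriving at the router."""
    # 1. Address spoofing: a packet on the external interface can never legitimately
    #    carry an internal source address.
    if p.interface == "outside" and ip_address(p.src) in INTERNAL_NET:
        return "drop", "internal source address on external interface"
    # 2. Source routing: the option would override our routing decision, so drop it.
    if p.options & SOURCE_ROUTE_OPTIONS:
        return "drop", "source routing option present"
    # 3. Tiny fragments: the first fragment of a TCP packet must be large enough to
    #    hold the whole transport header, otherwise port-based rules cannot see it.
    if p.protocol == TCP and p.frag_offset == 0 and p.payload_len < MIN_FIRST_FRAGMENT:
        return "drop", "first fragment too small to hold TCP header"
    # 3b. A fragment at offset 1 (8 bytes in) would overwrite the rest of the header
    #     that fragment 0 carried; RFC 1858 recommends dropping it as well.
    if p.protocol == TCP and p.frag_offset == 1:
        return "drop", "fragment overlaps TCP header"
    return "accept", "passed ingress checks"


if __name__ == "__main__":
    # Constructed sample packets
    samples = [
        IPPacket("10.1.2.3", "10.0.0.5", "outside"),                               # spoofed internal source
        IPPacket("198.51.100.7", "10.0.0.5", "outside", options={131}),            # loose source route
        IPPacket("198.51.100.7", "10.0.0.5", "outside", more_fragments=True, payload_len=8),  # tiny first fragment
        IPPacket("198.51.100.7", "10.0.0.5", "outside"),                           # ordinary packet
    ]
    for s in samples:
        print(ingress_check(s))
```

The checks are ordered cheapest-first and each returns a reason string, which is what you would want to log or count when tuning the rules against real traffic.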

Stateful Inspection Firewalls


„ Simple packet filtering is based only on individual packets
„ TCP sessions involve multiple connections
„ Simple packet filter must allow all inbound traffic on ports 1024-65535
„ This creates a vulnerability
„ Stateful packet inspection (SPI)
… maintains a directory of established connections
… only allows inbound packets that belong to an existing session
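An added Python sketch of that directory of established connections (not from the slides or any product): outbound SYNs create entries, and inbound segments are admitted only when they match an existing session. The stateless "allow inbound to 1024-65535" rule is shown beside it for contrast. The Segment fields, addresses and the simplified state machine (no timeouts, no TIME_WAIT, RST not handled) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, int, str, int]   # (internal ip, internal port, remote ip, remote port)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "out" = leaving the internal network, "in" = arriving from the Internet
    syn: bool = False
    ack: bool = False
    fin: bool = False


def stateless_inbound(seg: Segment) -> str:
    """Plain packet filter: any inbound segment to a high-numbered port is let through,
    because that is where replies to internal clients land."""
    if seg.direction == "in" and 1024 <= seg.dport <= 65535:
        return "permit"
    return "deny"


class StatefulInspector:
    """Keeps a directory of connections opened from inside and admits inbound
    segments only when they belong to one of them (simplified state machine)."""

    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}

    def handle(self, seg: Segment) -> str:
        if seg.direction == "out":
            key: Key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.syn and not seg.ack:
                self.sessions[key] = "SYN_SENT"       # internal host opens a connection
            elif seg.fin and key in self.sessions:
                self.sessions[key] = "CLOSING"        # internal side is closing
            return "permit"                           # policy: inside may initiate connections
        key = (seg.dst, seg.dport, seg.src, seg.sport)  # inbound: reverse the 4-tuple
        state = self.sessions.get(key)
        if state is None:
            return "deny"                             # not a reply to any known session
        if state == "SYN_SENT" and seg.syn and seg.ack:
            self.sessions[key] = "ESTABLISHED"        # handshake completed
        elif state == "CLOSING" and seg.fin:
            del self.sessions[key]                    # both sides closed
        return "permit"


if __name__ == "__main__":
    fw = StatefulInspector()
    # Constructed traffic: an unsolicited inbound SYN to a high port, then a real session
    probe = Segment("198.51.100.7", 25, "192.168.1.50", 40000, "in", syn=True)
    print("stateless:", stateless_inbound(probe), " stateful:", fw.handle(probe))
    print(fw.handle(Segment("192.168.1.50", 40000, "198.51.100.7", 25, "out", syn=True)))
    print(fw.handle(Segment("198.51.100.7", 25, "192.168.1.50", 40000, "in", syn=True, ack=True)))
    print(fw.sessions)
```

The same unsolicited SYN that the stateless rule permits is denied by the inspector because no outbound connection created a matching entry; once the inside host has opened the session, the remote side's reply is admitted.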
Stateful Inspection Firewalls

Application-Level Gateway
„ Also called proxy server
„ Acts as relay of application-level traffic
„ Local host contacts gateway
… provide authentication information
… provide remote host information

„ Gateway contacts remote host
… application service must be supported by GW
… relay TCP segments between local, remote
Application-Level Gateway
„ Advantages
… more secure than packet filter
… restrict to few allowable applications, services
… can protect on application level

„ Disadvantages
… additional processing overhead
… maintain two spliced connections

Circuit-Level Gateway
„ Can be standalone or part of application GW
„ Shim layer between application, transport
„ No direct end-to-end TCP connection
„ Two separate TCP connections
… one between inside host – gateway
… one between gateway – outside host

„ Once set up, doesn't filter individual packets
„ Security function is deciding which connections to allow
Bastion Host
„ Also called demilitarized zone (DMZ)
„ Computer host or network inserted between internal network and Internet
„ Provides service interface to outside users (web, email, FTP)
„ Prevents outside users from getting direct access to company's data
„ Strong point in the security of network
„ Platform for application, circuit-level gateway

Bastion Host
Figure: DMZ or Bastion Host (source: en.wikipedia.org/wiki/Demilitarized_zone_(computing))
Bastion Host Characteristics
„ Runs secure operating system
„ Must not contain sensitive data
„ Only essential services installed
… determined by admin
… e.g. SSH, DNS, FTP, SMTP, authentication

„ May require authentication, possibly again for each proxy
„ Each proxy allows access only to specific hosts
„ Proxy maintains audit info, logs all connections

Firewall Configurations
„ Screened host firewall, single-homed bastion
„ Screened host firewall, dual-homed bastion
„ Screened-subnet firewall
Screened Host Firewall, Single-Homed Bastion Host
„ Consists of two systems
… packet filtering router
… bastion host: proxy, authentication
„ IP packets from Internet only allowed to BH
„ IP packets to Internet only allowed from BH
„ Advantages
… both packet-level and application-level filtering: two layers of security
… flexibility: public access for web/info server
Screened Host Firewall, Dual-Homed Bastion Host
„ Two separate subnets
„ BH has two network interfaces
„ Two levels of defense: router, BH
„ Protects internal hosts even if router is compromised
„ Also retains the features of the previous configuration
Screened-Subnet Firewall
„ Two packet filtering routers
„ Creates isolated subnet containing BH
… may also contain modems, public servers
… can be accessed from Internet or internal net
… through traffic is blocked

„ Advantages
… three levels of defense: router, BH, router
… internal network is invisible to Internet
… Internet is invisible to internal network
Finally
„ The most secure computer is one that is disconnected from the network, AND TURNED OFF!

Additional References
„ Microsoft Security Bulletin (MS99-038), www.microsoft.com/technet/security/bulletin/fq99-038.mspx
„ Stateful Inspection Firewall, www.juniper.net/products/integrated/stateful_inspection_firewall.pdf
„ Doug Lowe, “Networking All-in-One Desk Reference For Dummies,” ISBN 0764599399, books.google.com/books?id=GnGDds-1OekC
„ Home Computer Security – Glossary, www.cert.org/homeusers/HomeComputerSecurity/glossary.html
„ Syngress et al., “The Best Da*n Firewall Book Period”, ISBN 1931836906, books.google.com/books?id=q7rlxtIlOsEC
