Where firewalls fit in the

corporate landscape

Firewall topics

Why firewall?
What is a firewall?
What is the perfect firewall?
What types of firewall are there?
How do I defeat these firewalls?
How should I deploy firewalls?
What is good firewall architecture?
Firewall trends.

What are the risks?

Theft or disclosure of internal data

Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Wasted employee time
Bad publicity, public embarassment, and law suits

What needs to be secured?

Crown jewels: patent work, source code,
market analysis; information assets
Any way into your network
Any way out of your network
Information about your network

Why do I need a firewall?

Peer pressure.
One firewall is simpler to administer than
many hosts.
Its easier to be security conscientious with
a firewall.

What is a firewall?
As many machines as it takes to:
be the sole connection between inside and
outside.
test all traffic against consistent rules.
pass traffic that meets those rules.
contain the effects of a compromised system.

Firewall components
All of the machines in the firewall
are immune to penetration or compromise.
retain enough information to recreate their
actions.

The Perfect firewall

Lets you do your business
Works with existing security measures
has the security margin of error that your
company needs.

The security continuum

Easy to use

Ease of use vs. degree of security

Cheap, secure, feature packed, easy to
administer? Choose three.
Default deny or default accept

Secure

Policy for the firewall

Who gets to do what via the Internet?
What Internet usage is not allowed?
Who makes sure the policy works and is being
complied with?
When can changes be made to policy/rules?
What will be done with the logs?
Will we cooperate with law enforcement?

What you firewall matters more

than which firewall you use.
Internal security policy should show what
systems need to be guarded.
How you deploy your firewall determines
what the firewall protects.
The kind of firewall is how much insurance
youre buying.

How to defeat firewalls

Take over the firewall.
Get packets through the firewall.
Get the information without going through
the firewall.

A partial list of back doors.

personal modems
vendor modems
partner networks
home networks
loose cannon experts

employee hacking
reusable passwords
viruses
helpful employees
off-site backup &
hosting

Even perfect firewalls cant fix:

Tunneled traffic.
Holes, e.g. telnet, opened in the firewall.
WWW browser attacks / malicious Internet
servers.

Priorities in hacking through a

firewall

Collect information.
Look for weaknesses behind the firewall.
Try to get packets through the firewall.
Attack the firewall itself.
Subvert connections through the firewall.

Information often leaked through

firewalls

DNS host information

network configuration
e-mail header information
intranet web pages on the Internet

Ground-floor windows

mail servers
web Servers
old buggy daemons
account theft
vulnerable web browsers

Attacking the firewall

Does this firewall pass packets when its
crashed?
Is any software running on the firewall?

A fieldtrip through an IP packet

Important fields are:
source, destination, ports, TCP status
. . TOS . . .. . . SRC DEST opt SPORT DPORT SEQ# ACK#

..ACK,URG,SYN .

DATA

Types of firewall

Packet filters
Proxy gateways
Network Address Translation (NAT)
Intrusion Detection
Logging

Packet filters
How Packet filters work
Read the header and filter by whether fields
match specific rules.
SYN flags allow the router to tell if connection
is new or ongoing.

Packet filters come in dumb, standard,

specialized, and stateful models

Standard packet filter

allows connections as long as the ports are OK
denies new inbound connections, using the
SYN flag
Examples: Cisco & other routers, Karlbridge,
Unix hosts, steelhead.

Packet filter weaknesses

Its easy to botch the rules.

Good logging is hard.
Stealth scanning works well.
Packet fragments, IP options, and source
routing work by default.
Routers usually cant do authentication of end
points.

Stateful packet filters

SPFs track the last few minutes of network
activity. If a packet doesnt fit in, they drop it.
Stronger inspection engines can search for
information inside the packets data.
SPFs have to collect and assemble packets in
order to have enough data.
Examples: Firewall One, ON Technologies,
SeattleLabs, ipfilter

Weaknesses in SPF
All the flaws of standard filtering can still
apply.
Default setups are sometimes insecure.
The packet that leaves the remote site is the
same packet that arrives at the client.
Data inside an allowed connection can be
destructive.
Traditionally SPFs have poor logging.

Proxy firewalls
Proxy firewalls pass data between two
separate connections, one on each side of
the firewall.
Proxies should not route packets between
interfaces.

Types: circuit level proxy, application

proxy, store and forward proxy.

General proxy weaknesses

The host is now involved, and accessible to
attack.
The host must be hardened.

State is being kept by the IP stack.

Spoofing IP & DNS still works if
authentication isnt used.
Higher latency & lower throughput.

Circuit level proxy

Client asks FW for document. FW connects to
remote site. FW transfers all information
between the two connections.
Tends to have better logging than packet filters
Data passed inside the circuit could be
dangerous.
Examples: Socks, Cycom Labyrinth

Application proxy
FW transfers only acceptable information
between the two connections.
The proxy can understand the protocol and
filter the data within.
Examples: TIS Gauntlet and FWTK, Raptor,
Secure Computing

Application proxy weaknesses

Some proxies on an application proxy
firewall may not be application aware.
Proxies have to be written securely.

Store and forward , or caching,

proxies
Client asks firewall for document; the firewall
downloads the document, saves it to disk, and
provides the document to the client. The
firewall may cache the document.
Can do data filtering.
Examples: Microsoft, Netscape, CERN, Squid
proxies; SMTP mail

Weaknesses of store & forward

proxies
Store and forward proxies tend to be big new
programs. Making them your primary
connection to the internet is dangerous.
These applications dont protect the underlying
operating system at all.
Caching proxies can require more administrator
time and hardware.

Network Address Translation

(NAT)
NAT changes the ip addresses in a packet, so
that the address of the client inside never shows
up on the internet.
Examples: Cisco PIX, Linux Masquerading,
Firewall One, ipfilter

Types of NAT
Many IPs inside to many static IPs outside
Many IPs inside to many random IPs
outside
Many IPs inside to one IP address outside
Transparent diversion of connections

Weaknesses of NAT
Source routing & other router holes
Can be stupid about complex protocols
ICMP, IP options, FTP, fragments

Can give out a lot of information about your

network.
May need a lot of horsepower

Intrusion detection
Watches ethernet or router for trigger events,
then tries to interrupt connections. Logs
synopsis of all events.
Can log suspicious sessions for playback
Tend to be very good at recognizing attacks,
fair at anticipating them
Products: Abirnet, ISS Real Secure,
SecureNetPro, Haystack Netstalker

Weaknesses of intrusion detection

Can only stop tcp connections

Sometimes stops things too late
Can trigger alarms too easily
Doesnt work on switched networks

Logging
Pros:
Very cheap
Solves most behavioral problems
Logfiles are crucial for legal recourse

Cons:
Very programmer or administrator intensive
Doesnt prevent damage
needs a stable environment to be useful

Types of logging
program logging
syslog /NT event log
sniffers
Argus, Network General, HP Openview,
TCPdump

router debug mode

A very good tool for tracking across your
network

Commercial Logging
Logging almost all commercial firewall
packages stinks

No tripwires
No pattern recognition
No smart/expert distillation
No way to change firewall behavior based on
log information
No good way to integrate log files from
multiple machines

Firewall Tools
All types of firewall are useful sometimes.
The more compartments on the firewall, the
greater the odds of security.
Belt & suspenders

Firewall topology

Webserver placement
RAS server placement
Partner network placement
Internal information protection (intranet
firewalling)

Firewall deployment checklist

Have list of what needs to be protected.
Have all of the networks configured for the
firewall
All rules are in place
Logging is on.

What steps are left?

What is the firewall allowing access to?
Internal machines receiving data had better be
secure.
If these services cant be secured, what do you
have to lose?

Last checks
Day 0 Backups made?
Are there any gaps between our stated
policy and the rules the firewall is
enforcing?

Auditing
A firewall works when an audit finds no
deviations from policy.
Scanning tools are good for auditing
conformance to policy, not so good for
auditing security.

Sample configurations
Good configurations should:

limit Denial of Service.

minimize complexity for inside users.
be auditable.
allow outside to connect to specific resources.

Minimal restriction, good

security
Stateful packet filter, dmz, packet filter,
intrusion detection.

Inside

The Multimedia Nightmare

Proxy
CACHE

Inside
secure multimedia & database content to provided to
multiple Internet destinations.
Web server is acting as authentication & security for
access to the Finance server.

Firewalls in multiple locations

VPN over internal LAN

Identical proxies on both sides.

Low end, good security, for low

threat environments
Packet filter, Sacrificial Goat web server,
Application Firewall, bastion host running logging
& Store & Forward proxies

Store &
Forward

Inside

High end firewalls

ATM switching firewalls
Round robin gateways
Dont work with transparent proxies

High availability

Firewall Trends

Toaster firewalls
Call-outs / co-processing firewalls
VPNs
Dumb protocols
LAN equipment & protocols showing up on the
Internet
Over-hyped content filtering

More Firewall Trends

blurring between packet filters & application
proxies
more services running on the firewall
High availability, fail-over and hot swap ability
GUIs
Statistics for managers

Firewall trends & religious

issues.
Underlying OS for firewalls
Any firewall OS should have little in common
with the retail versions.

Firewall certification
Buy your own copy of ISS and certify
firewalls yourself.

Source vs. Shrink-wrap

Low end shrinkwrap solutions
The importance of source
Can you afford 1.5 programmer/administrators?
Are you willing to have a non-employee doing
your security? (Whose priorities win?)

Downside of firewalls

single point of failure

difficult to integrate into a mesh network
highlights flaws in network architecture
can focus politics on the firewall
administrator

Interesting firewall products

Checkpoint Firewall-1
http://www.checkpoint.com
SecureNetPro http://www.mimestar.com
IP Filter http://coombs.anu.edu.au/~avalon/ipfilter.html
Seattle Labs http://www.sealabs.com
Karlnet Karlbridge http://www.karlnet.com
V-One inc http://www.v-one.com
ISS Realsecure http://www.iss.net