ECE6612

http://www.csc.gatech.edu/copeland/jac/6612/
Prof.JohnA.Copeland
john.copeland@ece.gatech.edu
4048945177
fax4048940035
Office:Klaus3362
emailorcallforofficevisit,4048945177
Chapter10aFirewalls

3/10/2013

ComputerSystemEvolution
CentralDataProcessingSystem:withdirectlyattachedperipherals(card
reader,magnetictapes,lineprinter).
LocalAreaNetworks:connectsPCs(interminalemulationmode),
remoteterminals(nextbuilding)andminicomputers.
PremisesNetwork:connectsLANsandLANattacheddevicestoeach
other.
EnterprisewideNetwork:leaseddatalines(T1,DS3)connectvarious
offices.
InternetConnectivity:initiallyforemail,nowforWebaccess,e
commerce,musicandvideodownloads,socialnetworking,telecommuting,
Webandvideoconferencing,distancelearning,....Makestheworld
accessible,butnowtheworldalsohasaccesstoyou.
2

Connectivity Provided by the

Georgia Backbone Network
Schools
Libraries
Kiosks

WWW
State WWW Gateway

Agency Gateway &

Web Server

Citizens
Contractors
City & County
Governments
Firewalls

State Internet
Other Agencies

Agency Virtual
Private Network

LANs at Agency
Offices across Georgia

Agency
Server

Private Virtual
Connection

Non-Agency
State Server

Agency
Agency Firewall
Firewall -- Protects
Protects Agency
Agency Subnets
Subnets
from Unwanted Connections
Subnet 1

Subnet 2
Gateway

WAN

Gateway

Firewalls (and many routers) can reject:

Packets with certain source and destination addresses
Packets with certain high-level protocols (UDP, Telnet)

Proxy Servers - for specific applications

Email messages assembled and inspected, then passed to

internal email server machine.

Prevent Cyber Loafing - Using the Internet for fun

and personal business (not very effective).
4

Browser

Web Server
Application
Layer
(HTTP)
Port80
Transport
Layer
(TCP,UDP)
SegmentNo.
Network
Layer (IP)
IPAddress
130.207.22.5
E'net Data
Link Layer
Ethernet
Phys.
Layer

Router-Firewall
can drop packets
based on
source or destination,
ip address and/or port

Network
Layer

Network
Layer

E'net Data Token Ring

Link LayerData Link Layer
E'net Phys. Token Ring
Layer
Phys. Layer

Application
Layer
(HTTP)
Port31337
Transport
Layer
(TCP,UDP)
SegmentNo.
Network
Layer (IP)
IPAddress
24.88.15.22
Token Ring
Data-Link Layer
Token Ring
Phys. Layer

Process
Application
Layer (HTTP,
FTP, TELNET,
SMTP)

Transport or
App.-Layer
Gateway, or Proxy

Transport

Transport

Layer

Layer

(TCP, UDP)

(TCP, UDP)

Network

Network

Layer (IP)

Layer (IP)

E'net Data

TR Data

E'net Data
Link Layer

Link

Link

Layer

Layer

E'net Phys.
Layer

E'net Phys.

TR Phys.

Layer

Layer

Transport
Layer
(TCP, UDP)

Network
Layer (IP)

Process
Application
Layer
(HTTP(HTTP,
FTP, TELNET,
SMTP)

Transport
Layer
(TCP,UDP)

Network
Layer (IP)

TR Data
Link Layer
TR Phys.
Layer

Policy
NooutsideWebaccess.

FirewallSetting
DropalloutgoingpacketstoanyIP,Port80

OutsideconnectionstoPublicWeb DropallincomingTCPSYNpacketstoanyIP
ServerOnly.
except130:207:244.203,port80
PreventWebRadiosfromeatingup DropallincomingUDPpacketsexceptDNS
theavailablebandwidth.
andRouterBroadcasts.
Preventyournetworkfrombeing
usedforaSmuftDoSattack.

DropallICMPpacketsgoingtoabroadcast
address(130.207.255.255or130.207.0.0).

Preventyournetworkfrombeing
traceroutedorPingscanned.

DropallincomingICMP,UDP,orTCPecho
requestpackets,dropallpacketswithTTL<5.

FirewallAttacks

FirewallDefense

IPInternalAddressSpoofing Dropallincomingpacketswithlocalsourceaddress.
SourceRouting(ExternalSpoof)DropallIPpacketswithSourceRoutingOption.
TinyFragmentAttacks

Dropallincomingpacketfragmentswithsmallsize.

2ndFragmentProbes

AssembleIPfragments(hardwork),oratleast*.

SYNACKProbes

BeStatefulkeeptrackofTCPoutgoingSYN
packets(startofallTCPconnections).

InternalOutboundHacking

Dropalloutgoingpacketswhichdonothavean
"internal"sourceIPaddress.

*Fragmentsafterthefirstonehavenotransportheader(nowaytotellifitis
TCP,UDP,ICMP,...,ordetermineportnumbers.Firewallmustatleastkeepa
temporarylistofapprovedIPIDNumbersbasedonthefirstfragmentdecision.
8

ANetworkFirewallisasinglepointthataNetworkAdministratorcancontrol,
evenifindividualcomputersaremanagedbyworkersordepartments.

Overhalfofcorporatecomputermisfeasanceiscausedbyemployeeswhoare
alreadybehindthemainfirewall.
Solution1isolatesubnetswithfirewalls(usuallyroutersorEthernetswitches
withfiltercapabilities).ProtectFinanceDepartmentfromEngineering
Department[Problem:internalnetworkismuchhigherbitrate,firewallsmore
expensive].
Solution2implementhostbasedfirewallstolimitaccessexceptoncertain
TCP/UDPportsfromspecifichostsorsubnets.Mustbecentrallymanagedto
beeconomical.
Solution3UseaIntruderDetectionSystemthatdividesthenetworkinto
zones,andreportsunauthorizedcrosszoneconnections.
9

Stateful
Firewall

LocalPC
ip1

ExternalHost
ip2

TCP SYN
establishes state (ip1,ip2,tcp, 33489,80)
TCP SYN-ACK or RESET or relatedICMP
established state (ip1,ip2,tcp, 33489,80)
TCP ACKs
established state (ip1,ip2,tcp, 33489,80)

TCP or UDP or ICMP

Not part of an established state

10

# iptables -L -n
Chain INPUT (policy DROP)
target
prot opt source
destination
ACCEPT
tcp -- 143.218.132.0/25
0.0.0.0/0
ACCEPT
tcp -- 130.207.225.0/24
0.0.0.0/0
ACCEPT
all -- 79.76.0.0/16
0.0.0.0/0
ACCEPT
tcp -- 130.207.152.119
0.0.0.0/0
ACCEPT
tcp -- 143.215.151.0/24
0.0.0.0/0
ACCEPT
udp -- 64.192.0.0/10
0.0.0.0/0
ACCEPT
tcp -- 69.59.0.0/16
0.0.0.0/0
ACCEPT
tcp -- 24.0.0.0/8
0.0.0.0/0
DROP
all -- 0.0.0.0/0
0.0.0.0/0

tcp dpt:22
tcp dpt:22
tcp dpt:22
tcp dpt:22
tcp dpt:22

Chain FORWARD (policy DROP)

target
prot opt source
DROP
all -- anywhere

destination
anywhere

Chain OUTPUT (policy DROP)

target
prot opt source
ACCEPT
icmp -- anywhere
ACCEPT
icmp -- anywhere

destination
10.0.0.0/24
anywhere state RELATED,ESTABLISHED

Anoptionspeedsupiptablesbecauseitstopsreverselookups.Alsobeneficialforroute,
netstat,.

11

Uncomplicated Firewall (UFW) for Ubuntu (LINUX)

$ ufw status numbered
Status: active

[
[
[
[
[
[

To
Action
From
---------1] 8822/tcp ALLOW IN
2] Anywhere ALLOW IN
3] 8822/tcp ALLOW IN
4] 8822/tcp ALLOW IN
5] 8822/tcp ALLOW IN
6] Anywhere DENY IN

130.207.150.144
143.215.138.0/25
130.207.225.103
78.88.0.0/16
80.55.0.0/16
Anywhere

$ ufw insert 1 allow proto tcp from

130.207.0.0/16 to any port 8822
Rule Inserted
$ ufw activate (changes iptables configuration)
12

NATNetwork
AddressTranslation

WebServer
130.27.8.35

Internet

To24.88.48.47:y
from130.27.8.35:80
3

To130.27.8.35:80
from24.88.48.47:y
2

Router24.88.48.47withNAT
To192.168.0.20:x
from130.27.8.35:80

Host
192.168.0.10

WebClient
192.168.0.20

To130.27.8.35:80
from192.168.0.20:x

Host
192.168.0.30

x&yarehigh
numberephemeral
clientports.
SimpleNATs,use
x=y

Host
192.168.0.40

WebServer
FTPServer
port80
port21
LocalWebclientaccessinganexternalWebserver

13

FTPClient
130.27.8.35

Internet

To130.27.8.35:x
from24.88.48.47:21
4

To24.88.48.47:21
from130.27.8.35:x
1

Router24.88.48.47withNAT
2
To192.168.0.30:21
from130.27.8.35:y

Host
192.168.0.10

Host
192.168.0.20

Forwarding
Table
Port80>.10
Port21>.30

To130.27.8.35:y
from192.168.0.20:21

Host
192.168.0.30

Host
192.168.0.40

WebServer
FTPServer
port80
port21
ExternalFTPclientaccessingalocalFTPserver

14

15

Home Routers allow incoming

connections based on server port

New Home Routers also allow port

translation (e.g., 2222 -> 22)

16

CombinedFirewallsandIDS

(seealso:IBMProventiawww.iss.net)

17

Protocol Anomaly Detection

WatchGuard Transparent Application layer proxies examine entire connection data
streams, identifying protocol anomalies and discarding harmful or questionable
information.
In addition, WatchGuard firewalls perform:
* Packet Handling - prevents packets from entering the network until they are
reassembled and examined.
* Packet Reassembly - reassembles packet fragments to prevent fragment overlap
attacks such as Teardrop and other Layer 3 protocol anomaly based attacks.
Signature Element Analysis
Rather than using signatures that precisely identify specific attacks, WatchGuard
systems look at what any attack of a certain type (e.g., e-mail) must do to succeed
(e.g., auto-execute an attachment). With rule sets, you can choose to allow or deny
traffic, or even deny all traffic from a source for a specific period.
In addition to rigorous rule sets, the firewall processes policy-based configurations, and
management subsystems perform state and content analysis. These processes protect
against entire known and unknown attack classes, and can narrow the vulnerability
window without having to make you wait for updated attack-specific signatures.
Behavior-Based Analysis
Although behavior-based intrusion detection is a relatively new technology, WatchGuard
has mechanisms in place within the firewall to identify known attack behaviors, such as:
* Port scans and probes
* Spoofing
* SYN flood attacks
* DoS and DDoS attacks
* The misuse of IP options such as source routing
from www.watchguard.com

18

NetworkOperations
*Resolvenetworkperformanceissuesinminutes
*Providesenterprisenetworkvisibilitydowntouserlevel
*Troubleshootsnetworkincidentsat1/3thetimeofpointsolutions
*AnalyzesNetFlow/sFlowtofacilitatecapacityplanningandtraffic
engineering
NetworkSecurity
*Detectsattacksthatbypasssignaturebased,perimeterdefenses
*Leveragesflowdata,includingpacketcapture,toreducesecurityrisksby
90%
*Enforcespoliciesandassurescompliancewithagentfreeuseridentity
tracking
*Deliversscalable,robustsecurityandriskmanagement

fromwww.lancope.com
(alsoseehttp://users.ece.gatech.edu/~copeland/jac/lancope/index.html)

19