COMP 4706

Advanced Network Security – Firewall Implementation and Design
Term: January 2005 Dana Epp g/

     

Review from last class Group STRIDE analysis Building a firewall port matrix Introduction to NMAP Hands on - Scanning ports with NMAP Hands on – Creating basic firewall rules on Linux

Learning Outcomes
On successful completion of this course, students will be able to:

Identify various types of firewalls and their functions, including which firewalls operate at which OSI protocol layer, and the basic variations of firewall architectures Describe risk mitigation techniques to varying threats with the use of different firewall architectures Demonstrate the ability to design and deploy policies on a firewall

Basic Types of Firewalls
Packet filtering firewalls  Stateful packet inspection firewalls  Application proxies  Hybrids

Packet filter
A packet filter firewall is the simplest type of firewall. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. The firewall examines each packet based on the  Source IP address following criteria:  Destination IP address  TCP/UDP source port  TCP/UDP destination port

Packet Filter - Pros

  

They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets. Due to the fact that packet payload is ignored, application independence exists. Least expensive of the three types of firewalls. Packet filtering rules are relatively easy to configure. There are no configuration changes necessary to the protected workstations.

Packet filters - Cons
 

  

Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. There is no screening of packet payload available. It is impossible to block users from visiting web sites deemed off limits, for example. Logging of network traffic includes only IP addresses and TCP/UDP port numbers, no packet payload information is available. Complex firewall policies are difficult to implement using filtering rules alone. There is a reliance on the IP address for authentication rather than user authentication. Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.

Stateful packet inspection
Examines the contents of packets rather than just filtering them; that is, they consider their contents as well as their addresses. Stateful packet inspection firewalls also take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and

Stateful packet inspection - Pros
Offers improved security over basic packet filters due to packet examination.  Offers a degree of application independence, based on level of stateful packet examination.  Better logging of activities over basic packet filters.  Good performance.  Configuration changes to the protected workstations are unnecessary.

Stateful packet inspection - Cons
Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.  No hiding of your private systems.  Setting up stateful packet examination rules is more complicated.  Only supported protocols at the application layer.  No user authentication.

Application proxies
An application proxy is a program running on the firewall that emulates both ends of a network connection. One can think of it as a sort of "translator" in-between the two computers communicating.

Application proxies - Pros

    

Firewall does not let end points communicate directly with one another. Thus a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall could be overcome by the proxy program. Has the best content filtering capability. Can hide private systems. Robust user authentication. Offers the best logging of activities. Policy rules are usually easier than packet filtering rules.

Application proxies - Cons
 

Performance problems; much slower than the other two Must have a proxy for every protocol. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall. TCP is the preferred transport. UDP may not be supported. Limited transparency, clients may need to be modified. Setting up the proxy server in a browser, for example. No protection from all protocol weaknesses.

OSI – Open System Interconnect

TCP/IP Protocol Architecture

Three way TCP handshake

Common Ports and Services
Windows: %windir %\System32\drivers\etc\services  Linux: /etc/services  Examples: SMTP = port 25 HTTP = port 80 POP3 = port 110 PPTP = port 1723

The STRIDE Threat Model
  

Spoofing identity

Attacker obtains something that enables authentication Unauthorized change made to stored or in-transit information Performing an illegal operation in a system that lacks the ability to trace such operations Exposing critical information to unauthorized individuals Denies service to others Attacker exploits a weakness to gain greater privileges on a system than were intended

Tampering with data


  

Information disclosure

Denial of Service (DoS)

Elevation of privileges

Ranking and Prioritizing Threats

Chance of attack occurring
1 = high 10 = low  How much effort/cost/time is needed to launch the attack?

 

What is the cost/damage if it occurs?

1 = little 10 = massive

RISK = Damage / Chance  Goal is to reduce risk  Do high risk items first

How to Respond to Threats
1. 2. 3. 4.

Do nothing. Inform the user of the threat. Remove the problem. Fix the problem.

Defense in Depth
 

Assume external systems are insecure

“We’re secure, we have a firewall” *ugh*

Assume your system(s) is the last thing standing

Plan on failure

More layers of security means more work to compromise a target

Threat risk goes down as threat difficulty goes up

Never depend on security through obscurity

Group STRIDE Analysis

Building a firewall port matrix
Determine trust zones  Determine ports that need opening  Determine packet type (tcp/udp)  Determines direction of packet flow  Determine any limitations you can set on src/dst


Introduction to NMAP
Can scan networks to find active (online) hosts  Can scan hosts to find open ports  Can send crafted packets to fingerprint the operating system
 

Can be used defensively to identify weaknesses that need to be corrected, or offensively by an attacker to probe for vulnerabilities to exploit.

Interesting NMAP options
-v = Verbose logging  -O = OS fingerprinting  -sS = SYN stealth scan  -P0 = Scan without ping probes
 

nmap –v –O –sS

Introduction to iptables
3rd generation firewall on Linux  Supports basic packet filtering as well as connection state tracking
 

For our needs for this course, we will use simple/basic packet filtering

Introduction to iptables
# Sample firewall – incomplete… do not use. For discussion only IPTABLES=/sbin/iptables ANY=“” ETHIP=“” ADMINNOC=“” # Flush chains $IPTABLES --flush # Set default policies $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT # Allow SSH from admin NOC $IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024:65534 --dport 22 -j ACCEPT $IPTABLES -A OUTPUT -p tcp -d $ADMINNOC -sport 22 --dport 1024:65534 -j ACCEPT # Allow Web access $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT # Allows secure web access $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT $IPTABLES -A INPUT -j DROP

Dropping vs Rejecting Packets
Rejecting packets COULD resource starve your system  Dropping packets could cause network diagnostic hell for the other end if you don’t respond ‘nicely’  Dana’s Law: It is better to DROP packets and buy your favorite network admin a beer than to REJECT and have alarms go off at 2 in the morning during a DoS, waking you up.

Hands on LAB

Good reading
 

IPTables Packet Filtering HOWTO

Building Internet Firewalls ISBN:1-56592-124-0  Linux Firewalls ISBN: 0-7357-0900-9  Threat Modeling ISBN: 0-7356-1991-3

Any Questions?