Laura McFall
DePaul University
School of Computing and Digital Media
What is a Firewall?
A network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network)
Acts as the demarcation point or “traffic cop” in the network; all communication should flow through it, and it is where traffic is granted or denied access
Firewalls enforce access controls through a positive control model, which states that only traffic explicitly defined in the firewall policy is allowed onto the network
All other traffic is denied (known as “default deny”)
Access Control Lists
Early on, the firewall function was performed by Access Control Lists (ACLs), often on routers
ACLs are essentially written-out rules that determine whether network access should be granted or rejected for specific IP addresses
So an ACL can have a line stating that all traffic from IP 172.168.2.2 must be rejected, or one allowing all traffic on port 80 from 172.168.2.2 to a web server at 10.10.10.201
ACLs are advantageous due to scalability and high performance, but they can't read beyond packet headers, which provide only rudimentary information about the traffic
Thus, ACL packet filtering alone does not have the capacity to keep threats out of the network
What is a Firewall?
A firewall can be many things:
A router that runs traffic filtering rules or a modified version of the routing software
A server with two or more NICs running traffic filtering software, an application proxy, or other specialized software; often Unix/Linux servers
A firewall appliance: a specialized hardware device running specialized software
A host-based firewall or personal/desktop firewall: a software application used to protect a single Internet-connected computer from intruders. Especially useful for users with "always-on" connections. This is the last firewall piece in a defense-in-depth strategy: load firewall software on all hosts
What is a Firewall?
A firewall is a device that makes the decision on what to do with a packet of information sent across the Internet. The actions a firewall can take:
Forward/accept the packet
Drop the packet silently
Drop the packet and send ICMP back to the source to notify why it was dropped (Is this wise?)
How is it performed?
Packets are evaluated against a list of “rules” and conditions
When a packet matches a rule, that rule's action is triggered (reject or allow) and the remaining rules are not evaluated
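To make the first-match, default-deny evaluation concrete, here is an added Python example (not from the slides) that encodes the two ACL lines quoted earlier, the deny for 172.168.2.2 and the allow for tcp/80 to the web server 10.10.10.201, as ordered rules over header fields only. The packet and rule layouts, the wildcard convention and the shadowed_rules check are this example's own assumptions. It also shows a consequence of first-match evaluation that the slides imply but do not spell out: with the deny line first, the allow line for the same host can never match.

```python
from collections import namedtuple

# Constructed packet model: header fields only, which is all an ACL can see.
Packet = namedtuple("Packet", "proto src dst dport")

# A rule matches on the same header fields; ANY (None) is a wildcard.
Rule = namedtuple("Rule", "action proto src dst dport")
ANY = None

# Constructed ACL using the two lines from the slides, in the order they are given.
ACL = [
    Rule("deny",  ANY,   "172.168.2.2", ANY,            ANY),  # reject all traffic from this host
    Rule("allow", "tcp", "172.168.2.2", "10.10.10.201", 80),   # allow it to reach the web server on tcp/80
]


def matches(rule, pkt):
    """True when every non-wildcard field of the rule equals the packet's field."""
    return all(want is ANY or want == have for want, have in zip(rule[1:], pkt))


def evaluate(acl, pkt, default="deny"):
    """First-match evaluation: the first rule that matches decides and the rest
    are never consulted. No match falls through to default deny (positive
    control model). Returns (action, index of the deciding rule or None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


def shadowed_rules(acl):
    """Find rules that can never match because an earlier rule matches every
    packet they would match (each field of the earlier rule is ANY or equal).
    Returns a list of (shadowed index, shadowing index) pairs."""
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if all(a is ANY or a == b for a, b in zip(earlier[1:], later[1:])):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    syn = Packet("tcp", "172.168.2.2", "10.10.10.201", 80)
    print(evaluate(ACL, syn))                   # the deny line wins: ('deny', 0)
    print(shadowed_rules(ACL))                  # the allow line is unreachable: [(1, 0)]
    print(evaluate(list(reversed(ACL)), syn))   # swapping the order changes the outcome
```

Rule order is the whole point: the same two lines reversed allow the web traffic and deny everything else from that host, which is what the slide's wording suggests was intended. A shadowed-rule check like the one above is a cheap lint to run before installing an ACL.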
What are proxy firewalls?
Proxy firewalls are the most secure type of firewall, but this comes at the expense of speed and functionality, as they can limit which applications your network can support
The enhanced security of a proxy firewall comes from the fact that, unlike with other types of firewall, packets don't pass through a proxy. Instead the proxy acts as an intermediary: computers make a connection to the proxy, which then initiates a new network connection based on the request, effectively mirroring the information transfer
This prevents direct connections and packet transfer between the two sides of the firewall, which makes it harder for intruders to discover the location of the network from packet information
What are proxy firewalls?
So firewall proxies provide Internet access to computers on a network, but are mostly deployed to provide safety or security by controlling the information going in and out of the network. Firewall proxy servers filter, cache, log, and control requests coming from a client to keep the network secure and free of intruders and viruses
In essence, proxies are gateway applications used to route Internet and web access from within a firewall
Proxy servers work by opening a socket on the server and allowing the connection to pass through. There is often only one computer in a proxy firewall network with a direct Internet connection; the other computers reach the Internet using that computer as a gateway
What are proxy firewalls?
A proxy gateway receives a request from a client inside the firewall, and then sends this request to the remote server outside of the firewall
The response from the server is then read and sent back to the client
Usually, the same proxy is used by all client computers within a network; this enables the proxy to efficiently cache documents that are requested by multiple clients
What are proxy firewalls?
Proxy firewalls act as middlemen, accepting all traffic requests coming into the network by impersonating the true recipient of the traffic within the network
After an inspection, if it decides to grant access, the proxy firewall sends the information to the destination computer
The destination computer’s reply is sent to the proxy, which repackages the information with the source address of the proxy server
Through this process, the proxy firewall breaks (terminates) the connection between the two computers so that it is the only machine on the network that talks to the outside world
What are proxy firewalls?
Proxy firewalls can inspect content fully and make access decisions based on more specific levels of information
Access control this nuanced is attractive to network administrators; however, each application needs its own application-level proxy
Proxy-firewalled networks also suffer degraded traffic performance and many limitations in application support and general functionality
This ultimately leads to scalability issues that make a successful implementation tricky to pull off
For this reason, proxy firewalls have not been widely adopted. In fact, even at the peak of the proxy firewall's popularity, performance and scalability issues limited adoption to select verticals in niche deployments
What are proxy firewalls?
Considered to be the most secure type of firewall because they prevent direct network contact with other systems (because a proxy firewall has its own IP address, an outside network connection will never receive packets from the sending network directly)
Having the ability to examine the entire network packet, rather than just the network address and port number, also means that a proxy firewall will have extensive logging capabilities, a valuable resource for security administrators who are dealing with security incidents
Per Marcus Ranum (credited with conceiving the proxy firewall), the goal is to create a single point that allows a security-conscious programmer to assess the threat levels represented by application protocols and put error detection, attack detection and validity checking in place
What are proxy firewalls?
The added security offered by a proxy firewall has its drawbacks, however
Because a proxy firewall establishes an additional connection for each outgoing and incoming packet, the firewall can become a bottleneck, causing a degradation of performance or becoming a single point of failure
Additionally, proxy firewalls may only support certain popular network protocols, thereby limiting which applications the network can support
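The following added Python example (not from the slides or any product) models what the proxy slides describe: the client's connection terminates at the proxy, which inspects the request and opens its own, separate connection to the destination, so the server only ever sees the proxy's address and port, and a request that fails the application-layer validity check never reaches the server at all. The HTTP-only request-line check, the GET/HEAD policy and the one-shot helper server are this example's assumptions; everything runs on 127.0.0.1.

```python
import socket
import threading

# Hypothetical application-layer policy for this example: forward only GET and HEAD.
ALLOWED_METHODS = {"GET", "HEAD"}


def inspect_request(data):
    """Validity check on the HTTP request line. Per-protocol logic like this is
    why an application proxy is needed for each protocol it supports."""
    line, _, _ = data.partition(b"\r\n")
    try:
        method, target, version = line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return False
    return method in ALLOWED_METHODS and target.startswith("/") and version.startswith("HTTP/1.")


def read_until_close(sock):
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def parse_response(raw):
    """Return (status code, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return int(head.split(b" ")[1]), body


def upstream_handler(conn, peer):
    # Constructed "web server": it reports which peer port it saw on the connection.
    conn.recv(4096)
    body = b"seen-port=%d" % peer[1]
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))


def make_proxy_handler(upstream_addr):
    def handler(client, peer):
        request = client.recv(4096)
        if not inspect_request(request):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return  # rejected at the proxy: the upstream server is never contacted
        # The client's connection ends here. The proxy opens a *new* connection of
        # its own, so the server only ever sees the proxy's address and port.
        with socket.create_connection(upstream_addr) as upstream:
            upstream.sendall(request)
            upstream.shutdown(socket.SHUT_WR)
            client.sendall(read_until_close(upstream))
    return handler


def serve_once(listener, handler):
    """Accept one connection (or give up after the listener's timeout) and handle it."""
    try:
        conn, peer = listener.accept()
    except socket.timeout:
        return
    with conn:
        handler(conn, peer)


def listen_local():
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    sock.settimeout(2)
    return sock


def proxied_request(request):
    """Send one request through the proxy; return (the client's own port, raw response)."""
    upstream, proxy = listen_local(), listen_local()
    threads = [
        threading.Thread(target=serve_once, args=(upstream, upstream_handler)),
        threading.Thread(target=serve_once, args=(proxy, make_proxy_handler(upstream.getsockname()))),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy.getsockname()) as client:
        client_port = client.getsockname()[1]
        client.sendall(request)
        client.shutdown(socket.SHUT_WR)
        response = read_until_close(client)
    for t in threads:
        t.join()
    upstream.close()
    proxy.close()
    return client_port, response


if __name__ == "__main__":
    port, raw = proxied_request(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    print("client port:", port, "| server saw:", parse_response(raw)[1].decode())
```

The port the server reports is the proxy's outbound port, never the client's, which is the "breaks (terminates) the connection" property in miniature. The cost is also visible: two TCP connections and a full copy of every byte for each request, which is the bottleneck the slides warn about.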
Stateful Inspection Firewalls
Stateful inspection, or stateful filtering, is regarded as the third generation of firewalls
Stateful filtering does two things: first, it classifies traffic by looking at the destination port (e.g., tcp/80 = HTTP)
Second, it tracks the state of the traffic by monitoring every interaction of each particular connection until that connection is closed
Stateful Inspection Firewalls
These properties add more functionality to access control: stateful inspection firewalls have the ability to grant or reject access based not only on port and protocol, but also on the packet’s history in the state table
When stateful firewalls receive a packet, they check the state table to find out whether a connection has already been established or whether a request for the incoming packet has been made by an internal host
If neither is found, the packet’s access becomes subject to the ruling of the firewall security policy
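As an added example (not from the slides), the Python class below implements the state-table lookup just described, with default deny for packets that match neither an existing flow nor the policy for new flows. The trusted prefix, the policy set and the idle timeouts are assumptions; the UDP timeout is there because UDP has no FIN or RST to close an entry, which is why UDP return traffic is harder to track than TCP.

```python
import time
from collections import namedtuple

# Constructed packet model: 5-tuple plus TCP flags (empty set for UDP).
Packet = namedtuple("Packet", "proto src sport dst dport flags")

TRUSTED_PREFIX = "10.10.10."      # assumption: the trusted zone for this example
TCP_IDLE_TIMEOUT = 3600.0         # seconds
UDP_IDLE_TIMEOUT = 30.0           # UDP has no FIN/RST, so entries can only age out

# Constructed policy for *new* flows: services a trusted host may open outbound.
NEW_FLOW_POLICY = {("tcp", 80), ("tcp", 443), ("udp", 53)}


class StatefulFilter:
    def __init__(self):
        # state table: (proto, initiator, iport, responder, rport) -> last time seen
        self.table = {}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        for key, last_seen in list(self.table.items()):
            limit = TCP_IDLE_TIMEOUT if key[0] == "tcp" else UDP_IDLE_TIMEOUT
            if now - last_seen > limit:
                del self.table[key]

    def filter(self, p, now=None):
        """Return (verdict, reason); verdict is "ACCEPT" or "DROP"."""
        now = time.time() if now is None else now
        self._expire(now)
        # 1. Does the packet belong to a flow already in the state table (either direction)?
        for key in (self._key(p), self._reverse_key(p)):
            if key in self.table:
                if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                    del self.table[key]   # simplification: drop state on the first FIN/RST
                    return "ACCEPT", "tracked flow closing"
                self.table[key] = now
                return "ACCEPT", "state table match"
        # 2. No state: only a trusted host may open a flow, and only per policy.
        if p.src.startswith(TRUSTED_PREFIX) and (p.proto, p.dport) in NEW_FLOW_POLICY:
            if p.proto == "tcp" and p.flags != {"SYN"}:
                return "DROP", "new tcp flow must begin with a bare SYN"
            self.table[self._key(p)] = now
            return "ACCEPT", "new flow permitted by policy"
        # 3. Everything else, including unsolicited inbound packets, is denied.
        return "DROP", "default deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    syn = Packet("tcp", "10.10.10.5", 51000, "198.51.100.10", 80, frozenset({"SYN"}))
    synack = Packet("tcp", "198.51.100.10", 80, "10.10.10.5", 51000, frozenset({"SYN", "ACK"}))
    print(fw.filter(syn, now=0.0))      # new flow permitted by policy
    print(fw.filter(synack, now=0.1))   # accepted only because the SYN was seen first
```

Note what a plain ACL cannot express here: the SYN-ACK from port 80 is accepted because of the state entry, not because of a rule, while an identical-looking SYN-ACK for a flow that was never opened falls through to default deny.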
Stateful Inspection Firewalls
Though stateful filtering is scalable and transparent to users, the extra layer of protection adds complexity to the network security infrastructure, and stateful firewalls have difficulty handling dynamic applications such as SIP or H.323
SIP (Session Initiation Protocol): a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging, over Internet Protocol (IP) networks
H.323: a standard approved by the ITU (International Telecommunication Union) to promote compatibility in videoconference transmissions over IP networks
SIP
SIP was designed to set up a "session" between two points and to be a modular, flexible component of the Internet architecture
It has a loose concept of a call (that being a "session" with media streams), has no support for multimedia conferencing, and the integration of sometimes disparate standards is largely left up to each vendor
As a result, SIP is a protocol with a vast number of interoperability problems
While SIP has been successfully deployed in some environments, those are generally "closed" environments where the means of interoperability has been PSTN (Public Switched Telephone Network) gateways
H.323
Designed with a good understanding of the requirements for multimedia communication over IP networks, including audio, video, and data conferencing. Defines an entire, unified system for performing these functions, leveraging the strengths of the IETF and ITU-T protocols
H.323 was designed to scale to add new functionality. The most widely deployed use of H.323 is "Voice over IP" followed by "Videoconferencing", both of which are described in the H.323 specifications
Unified Threat Management (UTM) solutions
Initially defined as the consolidation of stateful inspection firewalls, antivirus, and IPS into a single appliance; over time, the UTM definition has expanded to include many other network security functions
The success of a UTM relies on the effectiveness of the stateful inspection-based firewall decision that precedes all of its component functions, because the UTM components, while in a single device, are effectively downstream security services
Thus, the workload of all security components behind the firewall (inside the network) will be determined by the strength of its access control
Though UTMs provide a number of security functions in one product, the fundamental access control technology of the firewall remains unchanged
Next-generation Firewalls
NGFWs were created in response to the evolving sophistication of applications and malware. Application and malware developers have largely outwitted the long-standing port-based classification of traffic by building port evasion techniques into their programs
Malware piggybacks on these applications to enter networks, and malware has become increasingly networked (infected computers connected to each other)
NGFWs act as a platform for network security policy enforcement and network traffic inspection
Next-generation Firewalls
Per technology research firm Gartner Inc., NGFWs are defined by the following attributes:
Standard capabilities of the first-generation firewall: this includes packet filtering, stateful protocol inspection, network address translation (NAT), VPN connectivity, etc. (Note: a virtual private network (VPN) extends a private network across a public network such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thus benefiting from the functionality, security and management policies of the private network)
Truly integrated intrusion prevention: includes support for both vulnerability-facing and threat-facing signatures, and suggesting rules (or taking action) based on IPS activity. The sum of these two functions collaborating via the NGFW is greater than the individual parts
Full stack visibility and application identification: the ability to enforce policy at the application layer independently from port and protocol
Next-generation Firewalls
Extra firewall intelligence: the ability to take information from external sources and make improved decisions. Examples include creating blacklists or whitelists and being able to map traffic to users and groups using Active Directory
Adaptability to the modern threat landscape: support for upgrade paths to integrate new information feeds and new techniques to address future threats
In-line support with minimum performance degradation or disruption to network operations
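The following added Python example (not from the slides or from Gartner) contrasts port-based classification with application identification from the first bytes a client sends, which is the "independently from port and protocol" attribute above. The four protocol fingerprints, the two policies and the constructed flows are assumptions chosen to show the gap the NGFW slides describe: the same intent, written once per port and once per application, gives different verdicts as soon as an application is not on its usual port.

```python
import re

# Port-based classification (first-generation view): the port names the application.
PORT_APPS = {80: "web-browsing", 443: "ssl", 22: "ssh", 53: "dns"}

# Constructed policy expressed per application, enforced whatever the port.
APP_POLICY = {"web-browsing": "allow", "ssl": "allow", "dns": "allow",
              "ssh": "deny", "bittorrent": "deny"}

# The same intent expressed per port, as a port-based firewall would have it.
PORT_POLICY = {80: "allow", 443: "allow", 53: "allow"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_application(payload):
    """Identify the application from the first client bytes using protocol
    fingerprints rather than the port. A tiny stand-in for an NGFW's
    app-identification engine; assumption: these few fingerprints suffice."""
    if payload.startswith(b"SSH-"):
        return "ssh"                       # SSH identification string (RFC 4253)
    if HTTP_REQUEST.match(payload):
        return "web-browsing"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"                       # TLS handshake record, version 3.x, ClientHello
    if len(payload) >= 20 and payload[0] == 19 and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"                # BitTorrent peer-wire handshake
    return "unknown"


def port_based_decision(dport):
    """First-generation verdict: (assumed application, allow/deny) from the port alone."""
    return PORT_APPS.get(dport, "unknown"), PORT_POLICY.get(dport, "deny")


def app_based_decision(dport, payload):
    """NGFW-style verdict: identified application first, port only as a fallback."""
    app = identify_application(payload)
    if app == "unknown":
        app = PORT_APPS.get(dport, "unknown")
    return app, APP_POLICY.get(app, "deny")


# Constructed flows: (description, destination port, first bytes from the client)
FLOWS = [
    ("ssh on the https port", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("http on a non-standard port", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("bittorrent handshake on port 80", 80, bytes([19]) + b"BitTorrent protocol" + bytes(28)),
    ("genuine tls clienthello", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])),
]


def compare(flows=FLOWS):
    """Return {description: (port-based verdict, app-based verdict)} for each flow."""
    return {desc: (port_based_decision(port)[1], app_based_decision(port, payload)[1])
            for desc, port, payload in flows}


if __name__ == "__main__":
    for desc, (by_port, by_app) in compare().items():
        print(f"{desc:34} port-based: {by_port:5} app-based: {by_app}")
```

Two of the four flows flip verdict: the port-based policy lets SSH and BitTorrent through on "web" ports and blocks legitimate HTTP on 8080, while the application-based policy does the opposite in each case. Real engines use many more fingerprints and keep refining the identification as more of the flow is seen, but the decision structure is the same.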
So you know…
Blacklist: a basic access control mechanism that allows through all elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.) except those explicitly listed. Items on the list are denied access
The opposite is a whitelist, which means only items on the list are let through whatever gate is being used. A graylist contains items that are temporarily blocked (or temporarily allowed) until an additional step is performed
Blacklists can be applied at various points in a security architecture, such as a host network, a web proxy, DNS servers, an email server, a firewall, directory servers or application authentication gateways
So you know…
The type of element blocked is influenced by the access control location
DNS servers may be well suited to block domain names, for example, but not URLs. A firewall is well suited for blocking IP addresses, but less so for blocking malicious files or passwords
Example uses include a company that might prevent a list of software from running on its network, a school that might prevent a list of web sites from being accessed on its computers, or a business that wants to ensure its computer users are not choosing easily guessed, poor passwords
What’s ICMP?
Internet Control Message Protocol – a Transport Layer control protocol
ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route
Not designed to be absolutely reliable; its purpose is to provide feedback about problems in the communication environment, not to make IP reliable
There are still no guarantees that a datagram will be delivered or a control message will be returned
What’s ICMP?
Some datagrams may still be undelivered without any report of their loss, so the higher level protocols that use IP must implement their own reliability procedures if reliable communication is required
ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages, etc., no ICMP messages are sent about ICMP messages themselves
IP implementations are required to support this protocol
ICMP is considered an integral part of IP, although it is architecturally layered upon IP
ICMP provides error reporting, flow control and first-hop gateway redirection
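To connect the drop action on the earlier firewall slide ("drop the packet and send ICMP back to the source") with the rule above that no ICMP messages are sent about ICMP messages, here is an added Python example, not from the slides, that builds the ICMP Destination Unreachable message a firewall would return for a dropped TCP SYN and declines to build one for a dropped ICMP echo request. The message layout, the quoting of the original header plus 8 bytes, the checksum and the code 13 value follow RFC 792, RFC 1071 and RFC 1812; the notify flag and the constructed packets (using the slides' 172.168.2.2 and 10.10.10.201) are this example's assumptions.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13   # "communication administratively prohibited" (RFC 1812)


def inet_checksum(data):
    """Internet checksum (RFC 1071): ones' complement of the ones' complement sum
    of the 16-bit words. Recomputing it over a message that already carries a
    correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def may_report(dropped):
    """The slides' rule (RFC 792): never send an ICMP message about an ICMP message."""
    return dropped[9] != IPPROTO_ICMP   # byte 9 of the IPv4 header is the protocol field


def build_dest_unreachable(dropped, code=CODE_ADMIN_PROHIBITED):
    """ICMP Destination Unreachable quoting the dropped datagram's IP header plus
    its first 8 bytes of data, enough for the sender to match it to a socket."""
    ihl = (dropped[0] & 0x0F) * 4
    quoted = dropped[:ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, inet_checksum(body), 0) + quoted


def on_drop(dropped, notify):
    """Firewall drop action: the ICMP message to send back, or None for a silent drop."""
    if not notify or not may_report(dropped):
        return None
    return build_dest_unreachable(dropped)


def constructed_tcp_syn():
    # Constructed: a TCP SYN from 172.168.2.2 to the web server 10.10.10.201, port 80
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header("172.168.2.2", "10.10.10.201", IPPROTO_TCP, len(tcp)) + tcp


def constructed_echo_request():
    # Constructed: an ICMP echo request (type 8) between the same two hosts
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header("172.168.2.2", "10.10.10.201", IPPROTO_ICMP, len(icmp)) + icmp


if __name__ == "__main__":
    reply = on_drop(constructed_tcp_syn(), notify=True)
    print("reply to dropped SYN:", reply.hex())
    print("reply to dropped echo request:", on_drop(constructed_echo_request(), notify=True))
```

The notify flag is the slide's "Is this wise?" question left to the operator: a type 3/code 13 reply tells the sender precisely that a policy, not a missing host, stopped the packet, which is helpful for troubleshooting and equally helpful to anyone mapping the policy. Silent drops give up the former to deny the latter.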
Other Firewall Services
Firewalls may also perform other services:
NAT / PAT (Network/Port Address Translation)
SOCKS port
Port scan attack detection (stealth scans, bounce scans, UDP scans)
Stealth scan: a kind of scan designed to go undetected by auditing tools. Scanning very slowly is one stealth technique; other techniques such as FIN scanning and SYN scanning can be used as well
Stateful Packet Filtering
Advantages
Scalable and transparent
High performance
Can handle “pesky” applications that jump ports in the process (examples: FTP in passive mode, H.323); these are very hard to manage by regular packet filtering
Disadvantages
Requires more firewall CPU time for analysis
Weak for “stateless” protocols
Harder to handle UDP return traffic
May not look at certain application layer data as a true proxy would
Application and Circuit Proxy
A proxy firewall acts as an intermediate communication point between two parties:
Each party “thinks” it is directly communicating with the other
Actually each communicates with the proxy firewall
A – Proxy – B: A communicates with the proxy, the proxy then “acts” as A when communicating with B, and vice versa
Proxy firewalls act either at layers 3-4 (circuit proxy) or layer 7 (application proxy). Most often they act at layer 7
Application and Circuit Proxy
Advantages
Better security, as it fully examines all data in the packet up to layer 7
Can perform other functions such as email virus scanning
Disadvantages
Lower performance
Limited to protocols that are supported by the firewall
Poor scalability under heavy traffic
May break custom applications
May not support standard applications on non-standard ports
Other Services Sometimes Performed by Firewalls
(Figure: labels recovered from the slide image are "open ports" and "OS fingerprinting")
Prelude to a Hack: Enumeration
A process of extracting valid account or exported resource names from systems using active connections and directed queries
OS-specific techniques
Types of information enumerated:
Network resources and shares
Users and groups
Applications and banners
Defense: Intrusion Detection System
(Figure: an attacker on the Internet sends 1. a suspicious packet; 2. the suspicious packet is passed into the corporate network toward a hardened server; the Intrusion Detection System (IDS) 3. logs the suspicious packet to a log file and 4. raises an alarm to the network administrator)
What is an IDS?
Device/software that monitors traffic and/or host activity looking for the following:
Malicious traffic
Unusual traffic
Activity on host systems that is outside of known patterns
Then logs and reports activity in the form of alarms
Evolution of the IDS
Host-based
Network-based
Signature-based
Anomaly-based
Host-based IDS
Characteristics
Runs on a single host
Advantages
Easy to deploy and manage
Disadvantage
Not scalable
Deployment
Single mission-critical machine
Desktop machine
Network-based IDS
Characteristics
Network monitor: passively captures traffic and inspects it
Advantages
Once positioned properly, can test the effectiveness of the router/firewall
Can monitor multiple machines
Disadvantage
Resource intensive (storage, processing power, etc.)
Single point of failure
Deployment
Data center
Signature-based IDS
Characteristics
Uses known pattern matching to signify an attack
Advantages
Widely available; fast; easy to implement and update
Disadvantage
Simple: cannot detect an attack without a fixed signature
Needs updating very often, for each new attack and its variants
Deployment
Can be host-based or network-based
Nearly everywhere
Anomaly-based IDS
Characteristics
Uses statistical variance or an AI engine to evaluate traffic against normal usage behaviors
Does not use signatures; must be “trained”
Advantages
Can detect attempts to exploit new and undiscovered vulnerabilities
Can recognize unusual traffic based on payload, source address, time, etc.
Disadvantage
Slower and more resource intensive
Deployment
Currently fewer deployments; considered immature
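The following added Python example (not from the slides) runs both detection styles from the last two slides over constructed access-log lines: a signature matcher with two fixed patterns, and a rate-based anomaly detector that is trained on a normal window and then flags sources whose request count is more than k standard deviations above the learned mean. The log format, the signatures, the k=3 threshold and all log lines are assumptions; the lines are arranged so that each detector catches what the other misses.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote_plus

# Common-log-format line: source - - [timestamp] "METHOD path VERSION" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Signature-based: fixed patterns for known attack strings (constructed, tiny signature set).
SIGNATURES = {
    "sql-injection-probe": re.compile(r"(?i)union\s+select|'\s*or\s+'?1'?\s*=\s*'?1"),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Return (line number, source, signature name) for every line matching a signature.
    The path is URL-decoded first so the signatures see what the server saw."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        path = unquote_plus(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((n, rec["src"], name))
    return alerts


class RateAnomalyDetector:
    """Anomaly-based: learns normal requests-per-source from a training window, then
    flags sources more than k standard deviations above the mean. It knows nothing
    about attack strings; it only notices unusual volume."""

    def __init__(self, k=3.0):
        self.k, self.mean, self.stdev = k, None, None

    @staticmethod
    def _counts(lines):
        return Counter(rec["src"] for rec in map(parse, lines) if rec)

    def train(self, lines):
        values = list(self._counts(lines).values())
        self.mean, self.stdev = statistics.mean(values), statistics.pstdev(values)

    def threshold(self):
        return self.mean + self.k * self.stdev

    def detect(self, lines):
        limit = self.threshold()
        return {src: n for src, n in self._counts(lines).items() if n > limit}


def make_lines(src, n, path="/index.html"):
    # Constructed sample log lines
    return [f'{src} - - [10/Oct/2023:13:55:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200'
            for i in range(n)]


# Constructed "normal" training window: seven internal hosts, 3 to 5 requests each.
TRAINING = [line for i, n in enumerate([3, 4, 5, 4, 3, 5, 4], start=1)
            for line in make_lines(f"10.10.10.{i}", n)]

# Constructed observed window: one normal host, one sudden burst, two probe requests.
OBSERVED = (make_lines("10.10.10.5", 4)
            + make_lines("203.0.113.7", 40)
            + make_lines("198.51.100.23", 1, "/search?q=%27+OR+1%3D1")
            + make_lines("198.51.100.23", 1, "/static/..%2F..%2F..%2Fetc%2Fpasswd"))


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(OBSERVED))
    detector = RateAnomalyDetector()
    detector.train(TRAINING)
    print("anomalous sources:", detector.detect(OBSERVED))
```

The signature matcher fires only on the two probe lines from 198.51.100.23 and is silent about the 40-request burst, because nothing in those requests matches a pattern; the anomaly detector flags 203.0.113.7 for volume alone and never looks at the two probes, whose single requests each are well inside the learned range. That split is the trade-off the two slides describe: fixed signatures are precise but blind to anything new, statistical models catch the unexpected but need training and say nothing about why.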
Deploying IDS