Firewalls - PowerPoint PPT Presentation

About This Presentation
Title:

Firewalls

Description:

The DMZ (stands for Demilitarized Zone) is a portion of a network that separates ... DoorStop Server Firewall, Firewall X2, Impasse, IPNetSentry, Net Barrier. Linux ... – PowerPoint PPT presentation

Slides: 26
Provided by: Jia144

Transcript and Presenter's Notes


1
Firewalls
2
DMZ
  • The DMZ (demilitarized zone) is a portion of a
    network that separates a purely internal network
    from an external network.
  • The DMZ is where public-facing servers and
    proxies should be located.
  • A proxy is an intermediate agent or server that
    acts on behalf of an endpoint without allowing a
    direct connection between the two endpoints.

Reading: T1 (Bishop, Introduction to Computer Security) ch. 23.3; T2 (Bishop, Computer Security: Art and Science) ch. 26.3
3
Firewalls
  • A firewall is a host that mediates access to a
    network, allowing and disallowing certain types
    of access on the basis of a configured security
    policy.
  • Protects a network from external networks
  • Blocks unwanted traffic and passes desirable
    traffic to and from both sides of the network
  • Examples
    - Allows HTTP and mail
    - Keeps out suspicious users, denial-of-service
      attacks, spam and viruses

T1 ch23.3.1 T2 ch26.3.1
4
Operations of Firewall
5
Firewalls in Different Layers
  • Network layer: packet-filtering firewalls
    - Concerned with the routing of packets to their
      destinations
    - Determine whether a packet is from a permitted
      source to a permitted destination
  • Transport layer: circuit-level firewalls
    - Concerned with the session (connection) that
      the packets belong to
    - Need more of the packet header (ports, TCP
      flags, connection state) to decide whether to
      accept or deny packets
  • Application layer: application-level firewalls
    - Concerned with the contents of packets
    - Need information about the application data to
      decide whether to accept or deny packets

Further reading: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
6
Packet Filtering Firewalls
  • A packet-filtering firewall performs access
    control on the basis of attributes of the packet
    headers, such as destination address, source
    address, and options.
  • Whenever the firewall receives a packet, there
    are three possible actions:
    - forward it to its destination
    - block it (drop it silently)
    - return it to the sender (reject it with an
      error notification)
  • One of these actions is chosen according to a set
    of rules, usually in the form of an access
    control list.

T1 ch23.3.1 T2 ch26.3.1
  Rule  Source Address   Destination Address  Action
  ----  ---------------  -------------------  --------------
  1     149.59.0.0/16    123.45.6.0/24        permit
  2     149.59.34.0/24   123.45.0.0/16        deny
  3     0.0.0.0/0        0.0.0.0/0            deny (default)
7
Packet Filtering Firewalls (cont.)
  • Factors which determine the action
    - Source address
    - Destination address
    - Direction of traffic
  • Rules are applied top to bottom and the first
    matching rule decides, so the order matters: a
    specific rule must come before any broader rule
    that overlaps it, and the catch-all default deny
    comes last. (In the table on slide 6, rule 1
    already matches traffic from 149.59.34.0/24 to
    123.45.6.0/24 before rule 2 is consulted, so
    rule 2 only denies the rest of 123.45.0.0/16.)
  • Packet contents are not scrutinized, only headers
  • Auditing (logging of matched packets) is possible

8
An Example of Packet Filtering Firewall
[Figure: packet-filtering firewall between the Local Network (4.0.0.0/8) and
Another Network (8.16.192.0/24). Firewall rules:
    Rule 1  24.128.0.0/16    -> 4.0.0.0/8        deny
    Rule 2  64.248.128.0/24  -> 8.16.192.0/24    permit
    ...
    Rule N  34.128.0.0/16    -> 14.16.128.0/20   permit
Incoming packet 64.248.128.5 -> 8.16.192.7: permitted (rule 2).
Incoming packet 24.128.34.8 -> 4.16.128.3: denied (rule 1).]
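The access list on slide 6 and the rules in the slide 8 figure are both evaluated the same way: top to bottom, first match wins. The slide 6 list also shows what goes wrong when a broad permit precedes a narrower deny. The Python below is an added example, not part of the original presentation: it encodes both rule sets with the standard library's ipaddress module, evaluates packets with first-match semantics, and lints a list for later rules that an earlier rule with the opposite action shadows. The rule sets are copied from the slides; the packet addresses used in the checks are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "permit" or "deny"


def rule(src: str, dst: str, action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), action)


# Access list from slide 6; rule 3 is the explicit default deny.
SLIDE6_RULES = [
    rule("149.59.0.0/16", "123.45.6.0/24", "permit"),
    rule("149.59.34.0/24", "123.45.0.0/16", "deny"),
    rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]

# Rules shown in the slide 8 figure (that figure has no explicit default rule).
SLIDE8_RULES = [
    rule("24.128.0.0/16", "4.0.0.0/8", "deny"),
    rule("64.248.128.0/24", "8.16.192.0/24", "permit"),
    rule("34.128.0.0/16", "14.16.128.0/20", "permit"),
]


def filter_packet(rules, src: str, dst: str):
    """First-match evaluation: walk the list top to bottom and let the first rule
    whose source and destination networks both contain the packet's addresses
    decide. Returns (action, rule_number); rule_number is None when nothing
    matched and the implicit default deny applied."""
    s, d = ip_address(src), ip_address(dst)
    for number, r in enumerate(rules, start=1):
        if s in r.src and d in r.dst:
            return r.action, number
    return "deny", None


def shadowing_conflicts(rules):
    """Lint the ordering: report (earlier, later) rule-number pairs where a later
    rule's match space overlaps an earlier rule with the opposite action. Packets
    in the overlap never reach the later rule, so its intent is at least partly
    defeated. A catch-all (0.0.0.0/0 -> 0.0.0.0/0) is expected to overlap
    everything and is skipped."""
    conflicts = []
    for j in range(1, len(rules)):
        later = rules[j]
        if later.src.prefixlen == 0 and later.dst.prefixlen == 0:
            continue
        for i in range(j):
            earlier = rules[i]
            if (earlier.action != later.action
                    and earlier.src.overlaps(later.src)
                    and earlier.dst.overlaps(later.dst)):
                conflicts.append((i + 1, j + 1))
                break
    return conflicts


if __name__ == "__main__":
    # 149.59.34.1 is inside the /24 that rule 2 denies, yet rule 1 matches first.
    print(filter_packet(SLIDE6_RULES, "149.59.34.1", "123.45.6.10"))   # ('permit', 1)
    print(filter_packet(SLIDE6_RULES, "149.59.34.1", "123.45.7.10"))   # ('deny', 2)
    print(shadowing_conflicts(SLIDE6_RULES))                           # [(1, 2)]
    print(filter_packet(SLIDE8_RULES, "64.248.128.5", "8.16.192.7"))   # ('permit', 2)
    print(filter_packet(SLIDE8_RULES, "24.128.34.8", "4.16.128.3"))    # ('deny', 1)
```

The lint only flags overlap, not full containment, because partial shadowing is the more common mistake: here rule 2 still fires for destinations outside 123.45.6.0/24, which is easy to miss when reading the list as "least restrictive first".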
9
Circuit-Level Firewalls
  • Validates a session (for TCP, the connection
    handshake) before opening the connection
  • Once a connection is made, all packets belonging
    to that connection pass
  • Packet contents are not scrutinized
  • No direct connections with other networks without
    validation

10
Circuit-Level Firewalls (cont.)
  • Establishes two connections per session
    - Between the client and the firewall
    - Between the firewall and the server
  • Implemented using sockets (an IP address plus a
    port number)
  • An established connection is easy to manipulate:
    the firewall relays the bytes without inspecting
    them, so whatever the endpoints send gets through
  • Packet contents are not scrutinized
  • Auditing is possible

11
An Example of Circuit-Level Firewall
  • Network News Transfer Protocol (NNTP)
  • The external NNTP server is connected to the
    firewall
  • The internal systems' NNTP clients connect to the
    firewall
  • The circuit-level firewall simply passes bytes
    between the two systems

[Figure: Internal Systems (NNTP clients) <-> Circuit-Level Firewall (choke point) <-> External Servers (NNTP news providers)]
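A circuit-level gateway as described on slides 9 to 11 can be modelled as a connection-tracking table: a SYN from an inside client to an allowed port opens a circuit, the server's SYN/ACK completes it, and from then on packets are relayed in both directions without any look at the payload, while anything that belongs to no validated circuit is dropped. The Python below is an added example, not code from the presentation. The internal network (10.0.0.0/8), the news-server and attacker addresses and the packet trace are all constructed; the handshake tracking is deliberately simplified (no sequence numbers, no timeouts, no check of the client's final ACK), which a production gateway would need.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump-style TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data, "F" FIN, "R" RST


class CircuitGateway:
    """Stateful circuit-level filter (constructed example).

    An internal client's SYN to a permitted service port opens a circuit and the
    server's SYN/ACK completes it. Every later packet on that circuit is relayed
    without inspecting its contents; anything outside a validated circuit is dropped."""

    def __init__(self, internal_net: str, allowed_server_ports):
        self.internal = ip_network(internal_net)
        self.allowed_ports = set(allowed_server_ports)
        # (client, client_port, server, server_port) -> "SYN_SENT" | "ESTABLISHED" | "CLOSING"
        self.circuits = {}

    def _is_outbound(self, pkt: Packet) -> bool:
        return ip_address(pkt.src) in self.internal

    def _key(self, pkt: Packet):
        # Both directions of one connection map to the same circuit key.
        if self._is_outbound(pkt):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        """Return "pass" or "drop" for one packet and update the circuit table."""
        key = self._key(pkt)
        outbound = self._is_outbound(pkt)
        state = self.circuits.get(key)

        if state is None:
            # Only an internal client may open a circuit, only with a SYN, only to an allowed port.
            if outbound and pkt.flags == "S" and pkt.dport in self.allowed_ports:
                self.circuits[key] = "SYN_SENT"
                return "pass"
            return "drop"  # unsolicited inbound SYN, stray data, or a disallowed service

        if state == "SYN_SENT":
            if outbound and pkt.flags == "S":
                return "pass"  # client retransmitting its SYN
            if not outbound and pkt.flags == "SA":
                self.circuits[key] = "ESTABLISHED"
                return "pass"
            return "drop"  # nothing else is valid before the handshake completes

        # ESTABLISHED / CLOSING: relay bytes both ways, tracking only the teardown.
        if "R" in pkt.flags:
            del self.circuits[key]
        elif "F" in pkt.flags:
            if state == "CLOSING":
                del self.circuits[key]  # second FIN: both sides are done
            else:
                self.circuits[key] = "CLOSING"
        return "pass"


def run_trace(gateway: CircuitGateway, packets) -> list:
    return [gateway.handle(p) for p in packets]


# Constructed trace for the NNTP scenario: an internal reader talks to an outside
# news server on port 119 while an outside host tries to reach the inside unasked.
CLIENT, NEWS, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
NNTP_TRACE = [
    Packet(CLIENT, 51000, NEWS, 119, "S"),        # pass: internal SYN to an allowed port
    Packet(NEWS, 119, CLIENT, 51000, "SA"),       # pass: completes the circuit
    Packet(CLIENT, 51000, NEWS, 119, "A"),        # pass
    Packet(NEWS, 119, CLIENT, 51000, "PA"),       # pass: server greeting, relayed unread
    Packet(CLIENT, 51000, NEWS, 119, "PA"),       # pass: "GROUP ..." command, relayed unread
    Packet(ATTACKER, 4444, CLIENT, 119, "S"),     # drop: external hosts may not open circuits
    Packet(ATTACKER, 4444, CLIENT, 51000, "PA"),  # drop: belongs to no validated circuit
    Packet(CLIENT, 51001, NEWS, 23, "S"),         # drop: telnet is not an allowed service
    Packet(CLIENT, 51000, NEWS, 119, "FA"),       # pass: client starts closing
    Packet(NEWS, 119, CLIENT, 51000, "FA"),       # pass: server closes; circuit removed
]

if __name__ == "__main__":
    gw = CircuitGateway("10.0.0.0/8", allowed_server_ports={119})
    for pkt, verdict in zip(NNTP_TRACE, run_trace(gw, NNTP_TRACE)):
        print(f"{verdict:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
    print(gw.circuits)  # {} once both FINs have been seen
```

Note what the gateway does not do: once the circuit is up, the "GROUP" command and the server's replies are relayed byte for byte. That is the "packets are not scrutinized" property of slides 9 and 10, and also why an established circuit can carry anything the two endpoints agree on.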
12
Application-Level Firewalls
  • An application-level firewall (also called a
    proxy firewall) uses proxies to perform access
    control.
  • Acts as a proxy server: it evaluates each request
    and decides according to the security policy
  • Two connections per session
  • All packets are scrutinized, contents included
  • Auditing is possible

T1 ch23.3.1 T2 ch26.3.1
13
Application-Level Firewalls (cont.)
  • Access control is based on the contents of
    packets and messages, as well as on attributes of
    the packet headers.
  • Does not allow direct connections between two
    endpoints: each endpoint connects to the proxy.

[Figure: application-level proxy. Incoming and outgoing packets pass from the network layer up to the application-level proxy, where accept/deny rules are applied per application.]
14
An Example of Application-Level Firewall
  • Simple Mail Transfer Protocol (SMTP) proxies
  • SMTP application proxies are configured to allow
    only the necessary SMTP commands, such as HELO,
    MAIL FROM and RCPT TO, to pass through the
    firewall
  • Block the EXPN command, which expands a mailing
    list into its member addresses
  • Block the VRFY command, which verifies that an
    account exists
  • Both are used by attackers and spammers to
    enumerate e-mail accounts.
  • MIME type and message size can also be used to
    filter traffic.

15
An Example of Application Level Firewall (cont.)
[Figure: the network mail server implements an application firewall for SMTP/POP/IMAP: deny EXPN and VRFY; allow HELO and MAIL FROM. An incoming or outgoing request for SMTP <EXPN> is denied; incoming/outgoing mail using <HELO> and <MAIL FROM> is permitted and reaches the local network's mail clients.]
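The SMTP proxy of slides 14 and 15 has one place where a naive command filter goes wrong: the string EXPN may arrive as a command or as ordinary text inside a message body after DATA, and only the former must be blocked. The Python below is an added example, not the presentation's code. It allowlists the verbs named on slide 14 (plus the verbs a session needs to complete, which is an assumption), answers EXPN and VRFY locally with the standard 502 reply so the server never sees them, buffers the message body so it can be scanned before being relayed (as slide 19 later describes for the outer firewall's mail proxy), and enforces a maximum message size both from a declared SIZE parameter and from the body actually received. The sample transcript is constructed.

```python
import re

# Verbs the proxy relays to the real mail server: slide 14's HELO, MAIL FROM and RCPT TO,
# plus the verbs any SMTP session needs to complete (EHLO, DATA, RSET, NOOP, QUIT; an assumption).
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
BLOCKED_VERBS = {"EXPN", "VRFY"}  # account enumeration; answered locally, never forwarded

# Standard SMTP reply codes (RFC 5321) used when the proxy answers the client itself.
REPLY_NOT_IMPLEMENTED = "502 5.5.1 Command not implemented"
REPLY_UNRECOGNIZED = "500 5.5.2 Command unrecognized"
REPLY_TOO_BIG = "552 5.3.4 Message size exceeds fixed maximum message size"

_SIZE_PARAM = re.compile(r"\bSIZE=(\d+)", re.IGNORECASE)


class SmtpCommandFilter:
    """Application-level filter for one client -> server SMTP session (constructed example).

    filter_line() takes one CRLF-stripped line from the client and returns
      ("forward", line)  relay the line to the server,
      ("buffer", line)   message body line held for scanning; relayed once "." is accepted,
      ("reject", reply)  the proxy answers the client itself; the server never sees the line.
    """

    def __init__(self, max_message_bytes: int):
        self.max_message_bytes = max_message_bytes
        self.in_data = False      # True between DATA and the terminating "." line
        self.body = []            # buffered body lines of the message in progress
        self.last_message = None  # body of the last message accepted for forwarding

    def filter_line(self, line: str):
        if self.in_data:
            if line != ".":
                # Body content is never interpreted as a command: an "EXPN" here is just text.
                self.body.append(line)
                return "buffer", line
            self.in_data = False
            size = sum(len(ln.encode("utf-8")) + 2 for ln in self.body)  # +2 per CRLF
            body, self.body = self.body, []
            if size > self.max_message_bytes:
                return "reject", REPLY_TOO_BIG
            self.last_message = body  # now available for virus scanning and relay
            return "forward", line

        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in BLOCKED_VERBS:
            return "reject", REPLY_NOT_IMPLEMENTED
        if verb not in ALLOWED_VERBS:
            return "reject", REPLY_UNRECOGNIZED
        if verb == "MAIL":
            # Enforce a declared SIZE up front rather than after receiving the whole body.
            m = _SIZE_PARAM.search(line)
            if m and int(m.group(1)) > self.max_message_bytes:
                return "reject", REPLY_TOO_BIG
        if verb == "DATA":
            self.in_data = True
            self.body = []
        return "forward", line


def filter_session(lines, max_message_bytes=10_000_000):
    """Run a whole client-side transcript through a fresh filter and return the verdicts."""
    f = SmtpCommandFilter(max_message_bytes)
    return [f.filter_line(line) for line in lines]


# Constructed client transcript: an enumeration attempt, then a legitimate message
# whose body happens to contain the word EXPN.
SAMPLE_SESSION = [
    "EHLO spammer.example",
    "VRFY postmaster",
    "expn staff",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@drib.example>",
    "DATA",
    "Subject: note",
    "",
    "Please do not EXPN the staff list.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for line, (verdict, text) in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print(f"{verdict:8} {line!r:40} {'' if verdict != 'reject' else text}")
```

Matching is case-insensitive because SMTP verbs are, so "expn staff" is rejected like "EXPN staff". Rejecting a too-large message at the terminating "." is the fallback for clients that do not declare SIZE; clients that do are refused at MAIL FROM before any body is transferred.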
16
An Example of Using Firewalls
  • Requirements of the Drib Corporation
  • The Drib wants the public to be able to access its
    web server and mail server, and no other
    services.
  • The Drib wishes to check all incoming e-mail for
    computer viruses, and all incoming web
    connections for attacks.
  • The Drib has sensitive data which it does not
    want outsiders to see.
  • The Drib allows file sharing among its systems.
    It does not want packets containing sensitive
    information to leak to the Internet.

T1 ch23.3 T2 ch26.3
17
An Example of Using Firewalls (cont.)
  • Desirable network infrastructure
  • The public-facing systems should be confined to
    the DMZ.
  • The outer firewall is the interface between the
    DMZ and the Internet; it allows connections only
    to the WWW service (HTTP and HTTPS) and to the
    electronic mail (SMTP) service.
  • Proxies with virus- and attack-scanning programs
    should be implemented at the outer firewall.
  • The Drib's most sensitive data and systems should
    reside in the internal network.
  • The inner firewall, sitting between the DMZ and
    the internal network, blocks all traffic except
    that specifically authorized to enter the
    internal network.

18
An Example of Using Firewalls (cont.)
[Figure: network designed for the Drib Corporation.
  Internet -> Outer Firewall -> DMZ (Web server, Mail server, DNS server)
  -> Inner Firewall -> INTERNAL (Corporate data subnet, Customer data subnet,
  Development subnet, Internal DNS server, Internal mail server)]
19
An Example of Using Firewalls (cont.)
  • Outer firewall configuration
  • The outer firewall is a proxy-based firewall.
  • When an e-mail connection is initiated, the mail
    proxy on the firewall collects the mail and
    analyzes it for computer viruses and other forms
    of malicious logic. If none is found, it forwards
    the mail to the DMZ mail server.
  • Similarly, when a web connection arrives, the
    web proxy scans the request for suspicious
    components. If none is found, it forwards the
    request to the DMZ web server.

[Figure: Internet -> Outer Firewall -> DMZ (Mail server, Web server)]
20
An Example of Using Firewalls (cont.)
  • Inner firewall configuration
  • The inner firewall is also a proxy-based
    firewall.
  • Mail connections through the inner firewall are
    allowed, and all e-mail is sent to the DMZ mail
    server for disposition.
  • Packets containing sensitive information (as
    detected by the proxies on the inner firewall)
    are not allowed to reach the DMZ.
  • All other traffic, including web access, is
    blocked.

[Figure: INTERNAL (Corporate data subnet, Customer data subnet, Development subnet, Internal DNS server, Internal mail server) -> Inner Firewall -> DMZ]
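The Drib design on slides 16 to 20 can be written down as a policy and tested: model the three zones, the two proxy firewalls and the (host, service) pairs each firewall relays per direction, then check every requirement from slide 16 against it. The Python below is an added example, not from the presentation or from Bishop's text. Host names such as "web", "mail" and "internal-mail" are symbolic labels chosen here; the rule that a proxy firewall never carries a connection across two zones in one hop follows slide 13 (no direct connections between endpoints through a proxy firewall), so anything from the Internet to the internal network must be terminated and re-originated by a DMZ host.

```python
from dataclasses import dataclass

# Zones in order along the Drib network: internet <-outer-> dmz <-inner-> internal
ZONES = ["internet", "dmz", "internal"]
FIREWALLS = {("internet", "dmz"): "outer", ("dmz", "internal"): "inner"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_host: str            # symbolic host in the destination zone ("web", "mail", "internal-mail")
    service: str             # "http", "https", "smtp", "dns", ...
    sensitive: bool = False  # True if the proxy's scanner classified the content as sensitive


# Proxy policy from slides 17-20, per firewall and direction: the (destination host, service)
# pairs that firewall's proxies will relay. Anything not listed is denied.
POLICY = {
    "outer": {
        ("internet", "dmz"): {("web", "http"), ("web", "https"), ("mail", "smtp")},
    },
    "inner": {
        ("dmz", "internal"): {("internal-mail", "smtp")},
        ("internal", "dmz"): {("mail", "smtp")},
    },
}


def firewalls_on_path(src_zone: str, dst_zone: str):
    """Ordered (firewall, from_zone, to_zone) hops a flow would have to cross."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    step = 1 if j > i else -1
    hops = []
    for k in range(i, j, step):
        a, b = ZONES[k], ZONES[k + step]
        name = FIREWALLS.get((a, b)) or FIREWALLS[(b, a)]
        hops.append((name, a, b))
    return hops


def evaluate(flow: Flow):
    """Return ("permit", None) or ("deny", reason) for one connection attempt."""
    hops = firewalls_on_path(flow.src_zone, flow.dst_zone)
    if not hops:
        return "permit", None  # same zone: no firewall on the path
    if len(hops) > 1:
        # Both firewalls are proxies: a connection terminates at the proxy and is
        # re-originated only into the adjacent zone. No end-to-end path skips the DMZ.
        return "deny", f"{hops[0][0]}: no direct connection from {flow.src_zone} to {flow.dst_zone}"
    name, a, b = hops[0]
    if flow.sensitive and (a, b) == ("internal", "dmz"):
        return "deny", "inner: proxy detected sensitive content leaving the internal network"
    if (flow.dst_host, flow.service) in POLICY.get(name, {}).get((a, b), set()):
        return "permit", None
    return "deny", f"{name}: {flow.service} to {flow.dst_host} is not permitted {a} -> {b}"


# Constructed checks, one per requirement on slide 16.
REQUIREMENT_CHECKS = [
    Flow("internet", "dmz", "web", "https"),                  # public web: permit
    Flow("internet", "dmz", "mail", "smtp"),                  # public mail: permit
    Flow("internet", "dmz", "web", "ssh"),                    # no other service: deny
    Flow("internet", "internal", "internal-mail", "smtp"),    # never direct to internal: deny
    Flow("dmz", "internal", "internal-mail", "smtp"),         # DMZ mail relays inward: permit
    Flow("internal", "dmz", "mail", "smtp"),                  # outbound mail via DMZ: permit
    Flow("internal", "dmz", "mail", "smtp", sensitive=True),  # sensitive data leaking: deny
    Flow("internal", "internet", "web", "http"),              # web access from inside: deny
]

if __name__ == "__main__":
    for flow in REQUIREMENT_CHECKS:
        verdict, reason = evaluate(flow)
        print(f"{verdict:6} {flow.src_zone:8} -> {flow.dst_zone:8} "
              f"{flow.dst_host}/{flow.service}  {reason or ''}")
```

The check worth keeping from this model is the one the diagram alone does not make obvious: a flow from the internal network to the Internet is denied at the inner firewall before the outer firewall's policy is ever consulted, and a flow from the Internet toward an internal host is denied at the outer firewall for the same structural reason, not because of a specific rule.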
21
Choosing a Firewall
  • What OS is required, and which other OSs are
    supported?
  • How much CPU, RAM and disk space does it need?
  • What is the authentication scheme?
  • Does it support logging?
  • What hardware is provided?
  • What software is provided?
  • What is the cost of installing and operating the
    firewall?
  • What other features does it have?

22
Firewall Design Criteria
  • Organizations deciding to use firewalls must
    analyze their security needs. Potential risks
    and threats must be considered.
  • The following considerations may affect the
    design and extent of a firewall deployment:
  • Organizational policies
  • What level of access control does management
    want?
  • The desired level of monitoring and access must
    be determined.
  • What level of risk is the organization willing to
    accept?

23
Firewall Design Criteria (cont.)
  • A checklist of what messages should be monitored,
    permitted and denied must be established.
  • The cost of the various firewall products,
    including ongoing maintenance, must be weighed
    against the potential threat: what would be the
    potential cost or damage of attacks on the system
    from outside?
  • The number, placement, and types of firewalls to
    be used must be determined.
  • Firewalls should combine packet filtering,
    circuit-level controls, and application-level
    proxies in order to provide effective security.
  • What is the estimated overhead of using the
    selected firewalls?

24
Some Commercially Available Firewalls
  • Hardware
  • Linksys Etherfast Cable/DSL Firewall Router,
    Microsoft MN-100, D-Link Express EtherNetwork
  • Mac OS X servers
  • DoorStop Server Firewall, Firewall X2, Impasse,
    IPNetSentry, Net Barrier
  • Linux
  • iptables, SINUS, ipchains
  • Windows
  • BlackICE, Kerio, McAfee, Norton Personal
    Firewall, Outpost, Sygate, Terminet, and
    ZoneAlarm

25
References
  • Matt Bishop, Introduction to Computer Security,
    Addison-Wesley, 2004, ISBN 0321247442
  • Matt Bishop, Computer Security: Art and Science,
    Addison-Wesley, 2002, ISBN 0201440997
  • M. Merkow, J. Breithaupt, Information Security:
    Principles and Practices, Prentice Hall, August
    2005, 448 pages, ISBN 0131547291
  • J. G. Boyce, D. W. Jennings, Information
    Assurance: Managing Organizational IT Security
    Risks, Butterworth-Heinemann, 2002, ISBN
    0-7506-7327-3
  • http://www.du.edu/jtinucci/Security/Thaxton/thaxton.html