INLS 566

1
INLS 566

• October 24, 2006
• Firewalls

2
Housekeeping

• Security policy project due next week
• Any questions about material so far?
• Any interesting security news? (5 min)

3
Firewall

• Limits network access
• Inbound / outbound
• Need not be a standalone box
• Can be hardware or software
• May allow / deny at various levels
• Term Firewall not very specific!

4
Examples

• Cisco PIX
• Built in XP firewall, ZoneAlarm
• Wireless AP
• Military communications
• Home router

5
Network Levels

• (7-layer) OSI Reference Model

Web, SQL
TCP, UDP
IP, ICMP
packet, mac address
wires, radio
6
Layer 1 Filters

• Unplug (or dont plug)
• E.g., scan laptop before plugging in
• (Or WiFi wallpaper)

7
Layer 2 Filters

• Filter on MAC address
• Subsystem of many devices
• Wireless AP
• Military communications
• Home router
• Commercial switch or router

8
Layer 3 Filters

• One of the most common
• Filter IP address, port number, flags
• Packet filter
• NAT firewall

9
NAT Firewall

• Network Address Translation
• One (public) IP address outside
• RFC 1918 private IP addresses inside
• 10.0.0.0 10.255.255.255, 172.16.0.0
  172.31.255.255, 192.168.0.0 192.168.255.255
• Router translates back and forth
• Puts inside ID information in outgoing source
  port number
• Private addresses dont work outside

10
Packet Filter

• List of Allow Deny rules (typical)
• Looks at only one packet at a time
• Source IP address port number
• Destination IP address port number
• Protocol type, flags (e.g., inbound/outbound)
• Easy to build, hard to program
• A lot like assembly language programming
• Example (ICMP)

11
Example (IOS)

• access-list fred permit tcp any host 10.1.1.42 eq
  www
• access-list fred permit tcp any host 10.1.1.42 eq
  smtp
• access-list fred permit tcp any host 10.1.1.42 eq
  pop3
• access-list fred permit tcp any host 10.1.1.42 eq
  https
• access-list fred permit tcp any host 10.1.1.42 eq
  1443
• access-list fred deny ip any any

12
Application Layer

• Often referred to as Layer 7
• The services you want
• SMTP, POP3 (email)
• HTTP, HTTPS (web)
• ssh (command line)
• FTP, telnet, etc.

13
Application Gateway

• Intercepts and parses application traffic
• Understand transactions at application level
• E.g., HTTP proxy, email gateway
• Inspects each transaction for no-nos
• HTTP buffer overflow
• Email attachment with a virus
• Complex application, complex filter

14
Firewalls ?

• If threat easily recognized by a filter
• If threat has to go through the firewall
• One element of layered protection

15
Firewalls ?

• Threats outside their logic
• E.g., port 80 (need application gateway)
• Firewall errors
• Administrator mistakes (e.g., bad rules)
• Bugs in the firewall software
• Hardware failure

16
Firewalls ?

• Threats from inside
• People making mistakes and/or violating policy
• Inside machines compromised by other attacks
• Perimeter mistakes
• Rogue modems, rogue wireless APs
• Infected laptops, kids using the VPN

17
Firewalls ?

• Have software firewall on your laptop
• Especially if you connect to different networks
• Have software firewall on your PC
• Unexpected traffic out surprise, youre
  infected
• Have hardware firewall at home
• Another layer, harder for malware to turn off
• (But find out details of what they do)

18
Suggested Reading

• Dhillon
• ch. 4 (pp. 44-63)
• McClure
• 4th ed., pp. 583-585