1. Introduction
- A firewall is a system or group of systems that enforces an access control policy between networks
- Mostly the goal is to protect TCP/IP networks
- Other possible firewalls: between applications on a windows environment, java card firewalls, etc.
- Functions:
-
- Blocking traffic
- Permitting traffic
- Enabling secure remote connections (VPN)
- Logging traffic
- Content filtering (blocking): viruses, attacks
- Network management purposes (screening the traffic etc.)
-
2. Main goals
The main goal of firewalling is
– to control unnecessary services, traffic
– to hide our internal network topology and services
– to protect against protocol errors (e.g. invalid SMTP commands can be filtered)
– to enable logging
– to control the activity of internal users
– every accessible point is a possible security hole: With firewalling we minimize the accessible points and we are making it more difficult to deploy an attack
– we can make it more difficult to exploit the vulnerability: E.g. with tftp denied it is more difficult to send files to the internet after an attack
– we can separate the network to subnetworks: an intrusion will not compromise our whole system, just a subnetwork/server
3. A firewall is not good
- Stopping information flow/leakage:
Data can be leaked out even through DNS applications or e.g. HTTP tunnels. It is very hard to protect against covert channels.
- Complete protection against intrusions:
A single open port can be used to gain privileged access
An application proxy might not stop attacking through badly formed parameters, etc.
An industry spy can use the telefax to transport secrets…
4. Packet filtering – disable access to unwanted services
5. Packet filtering
- Filtering based on network layer of the IP stack
- Filtering rules described in rule base
- Default permit / default deny design
- Most routers have packet filtering capabilities
- A good packet filter…
-Permits connections to really-needed services
-Also filters internal access – Most of the intrusions come from employees
-Detects anomalies – TCP packet without SYN handshake etc.
-Filters out all the services what we do not use currently (not only those we don’t want to show)
-Hides internal network elements and architecture (NAT)
-Filters services available to internal hosts (e.g. filter out streaming)
Main problem:
Stateless? Stateful? How?
- Packet filtering rules mostly based on:
- IP protocol (UDP, TCP, …)
- Source IP address
- Destination IP address
- Source/Destination port (socket)
- Connection state (TCP: SYN, RST, established,… or e.g. FTP states)
- (rate control)
- (filter rules based on time schedule – no streaming before 8 p.m.)
- incoming/outgoing interface
- etc.
6. Application gateway
- Proxies rebuild the whole protocol (application layer gateway)
- Needs to know the exact specification of the protocol we use
- Can investigate the content of the flow
- Can protect against protocol errors
- More vulnerable to DoS
- Can be more complicated to (internal) users (e.g. telnet proxy)
- Lower performance
- Higher security
7. Packet filter vs. Application gateway
- Packet filtering without states is insecure
- Stateful packet filtering is fast
- Stateful packet filtering might not protect against some protocol errors
- Application gateways are more sophisticated
- Application gateways are (mostly) not transparent, so an internal webserver beyond an application gateway can not log who is downloading the page
- Modern solutions mix the two methods.
Christyan Ade(07.01.53.0192)
