
Firewalls

Dan Fleck
CS 469: Security Engineering
Slides modified with permission from original by Arun Sood

References

1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.


Firewall as Network Access Control

Access control:
  Authentication
  Authorization
  Single sign-on

Firewall:
  Interface between networks, usually an external network (the Internet) and an internal one
  Allows traffic flow in both directions
  Controls the traffic

(Diagram: Internet <-> Firewall <-> Internal network)

Firewall as Secretary [1]

A firewall is like a secretary. To meet with an executive:
  First contact the secretary
  The secretary decides if the meeting is reasonable
  The secretary filters out many requests

You want to meet the chair of the CS department? The secretary does some filtering.
You want to meet the President of the US? The secretary does lots of filtering!

Security Strategies [2]

Least privilege: objects have the lowest privilege needed to perform their assigned task
Defense in depth: use multiple mechanisms; best if each is independent, with minimal overlap
Choke point: facilitates monitoring and control

Security Strategies - 2 [2]

Weakest link
Fail-safe: if the firewall fails, it should fail safe, denying access, to avoid intrusions
Default deny vs. default permit
Universal participation: everyone has to accept the rules

Security Strategies - 3 [2]

Diversity of defense
  Inherent weaknesses: use multiple technologies to compensate for the inherent weakness of any one technology
  Common heritage: if systems are configured by the same person, they may share the same weakness
Simplicity
Security through obscurity

Security Strategies - 4 [2]

Configuration errors can be devastating
Testing is not perfect
Ongoing trial and error will identify weaknesses
Enforcing a sound policy is critical

Types of Firewall [2]

No standard terminology.

Packet filtering (network layer)
  Simplest firewall
  Filters packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
  Does NOT read the packet payload
  Vulnerable to IP spoofing

Stateful inspection (transport layer)
  In addition to packet inspection, validates attributes of multi-packet flows
  Keeps track of connection state (e.g. TCP streams, active connections, etc.)

Types of Firewall - 2 [2]

Application-based firewall (application layer)
  Allows data into/out of a process based on that process type
  Can act on a single computer or at the network layer, e.g. allowing only HTTP traffic to a website
  Logs attempted access and allowed access

Personal firewall: single user, home network

Types of Firewall - 3 [2]

Proxy
  Intermediate connection between servers on the Internet and internal servers
  For incoming data, the proxy is the server to internal network clients
  For outgoing data, the proxy is the client sending data out to the Internet
  No IP packets pass through the firewall; the firewall creates new packets
  Very secure
  Less efficient than packet filters

Types of Firewall - 4 [2]

Network Address Translation
  Hides the internal network from the external network
  Private IP addresses expand the IP address space
  Creates a choke point

Virtual Private Network
  Employs encryption and integrity protection
  Uses the Internet as part of a private network
  Makes a remote computer act like it is on the local network

Packet Filter

Advantages
  Simplest firewall architecture
  Works at the network layer, so it applies to all systems
  One firewall for the entire network

Disadvantages
  Can be compromised by many attacks
  Source spoofing

Packet Filter - Example [2]

(The rule tables and packet traces from these slides are not reproduced here; only the commentary survives.)

Attack succeeds because of rules B and D. More secure to add source ports to the rules.

These packets would be admitted. To avoid this, add an ACK bit to the rule set.

Attack fails, because the ACK bit is not set. The ACK bit is set if the connection originated from inside.

Incoming TCP packets must have the ACK bit set. If the connection started outside, then no rule matches the data and the packet will be rejected.
Note: this rule means we allow no services other than requests that we originate.

TCP Ack for Port Scanning [1]

Attacker sends a packet with ACK set (without a prior handshake) using port p
  Violation of the TCP/IP protocol
Packet filter firewall passes the packet
  Firewall considers it part of an ongoing connection
Receiver sends RST
  Indicates to the sender that the connection should be terminated
Receiving RST indicates that port p is open!!

TCP Ack Port Scan [1]

(Diagram: ACK packet to port 1209 passes the packet filter; RST confirms that port 1209 is open)

Problem: packet filtering is stateless; the firewall should track the entire connection exchange.

Stateful Packet Filter [1]

Pro: adds state to the packet filter and keeps track of ongoing connections
Con: slower, more overhead; packet content information is not used

Remembers packets in the TCP connections (and flag bits)
Adds state information to packet filter firewalls
Operates at the transport layer

(Diagram: protocol stack application / transport / network / link / physical, with the transport layer marked)
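The three ideas above (the ACK-bit rule from the packet-filter example, the unsolicited ACK that a stateless filter lets through, and the connection table a stateful filter keeps) as one added Python model. This is example code written for these notes, not code from the slides or from any firewall product; the 10.0.0.0/8 "inside" convention and all addresses, ports and packets are constructed.

```python
# Added example for these notes, not from the slides: a toy model of the ACK-bit
# rule, the unsolicited-ACK probe, and a stateful filter's connection table.
# The 10.0.0.0/8 "inside" convention, addresses, ports and packets are constructed.
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_inside(ip: str) -> bool:
    """Constructed convention: 10.x.x.x is the protected network."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Stateless rules in first-match order, as on the slides:
    1. traffic originating inside may go out;
    2. inbound TCP is accepted only if the ACK bit is set, on the assumption
       that it is a reply to a connection we originated;
    3. default deny."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT"
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.flags & ACK:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Remembers connections opened from inside (keyed on both address/port
    pairs) and accepts inbound packets only when they belong to one of them,
    so an ACK bit alone buys an outside sender nothing."""

    def __init__(self) -> None:
        self.connections: set = set()

    def check(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.flags & SYN and not pkt.flags & ACK:      # new outbound connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                if pkt.flags & RST:                            # peer tore it down
                    self.connections.discard(key)
                return "ACCEPT"
        return "DROP"


def scenarios() -> dict:
    """Verdicts (stateless, stateful) for a real reply, an inbound SYN from
    outside, and an unsolicited ACK aimed at an inside port."""
    sf = StatefulFilter()
    client_syn = Packet("10.1.1.5", 40000, "203.0.113.7", 80, SYN)
    server_reply = Packet("203.0.113.7", 80, "10.1.1.5", 40000, SYN | ACK)
    outside_syn = Packet("203.0.113.7", 1234, "10.1.1.5", 1209, SYN)
    ack_probe = Packet("203.0.113.7", 1234, "10.1.1.5", 1209, ACK)
    sf.check(client_syn)                                      # inside opens a connection
    return {
        "reply": (stateless_filter(server_reply), sf.check(server_reply)),
        "inbound_syn": (stateless_filter(outside_syn), sf.check(outside_syn)),
        "ack_probe": (stateless_filter(ack_probe), sf.check(ack_probe)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in scenarios().items():
        print(f"{name:12s} stateless={stateless:6s} stateful={stateful}")
```

Running it prints the verdict pairs: the legitimate reply passes both filters and the inbound SYN is dropped by both, but the unsolicited ACK is accepted by the stateless filter (the behaviour the RST-based scan relies on) and dropped by the stateful one, because no inside host ever opened that connection.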

Application Proxy [1]

A proxy acts on behalf of the system being protected.
The application proxy examines incoming application data and verifies that the data is safe before passing it to the system.

Pros
  Complete view of the connections and application data
  Filters bad data (viruses, Word macros)
  Incoming packet is terminated and a new packet is sent to the internal network

Con
  Speed

Firewalk Port Scanning [1]

Scan ports through firewalls
Requires knowledge of:
  IP address of the firewall
  IP address of one system in the internal network
  Number of hops to the firewall

Set TTL (time to live) = hops to firewall + 1
Set destination port to p
  If the firewall does not pass data for port p, then no response
  If data passes through the firewall on port p, then a time exceeded error message

Let's try it: Applications -> Utilities -> Network Utility

Firewalk and Proxy Firewall [1]

(Diagram: Trudy -> Router -> Router -> Packet filter -> Router; probes "Dest port 12343, TTL=4", "Dest port 12344, TTL=4", "Dest port 12345, TTL=4"; a "Time exceeded" reply comes back)

Attack would be stopped by a proxy firewall:
  Incoming packet is destroyed (old TTL value also destroyed)
  New outgoing packet will not exceed the TTL
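As an added example (not from the slides and not the firewalk tool), a toy Python model of the TTL walk above, written to show the defensive point of this slide: a packet filter forwards the probe with its original TTL, so the router behind it answers "time exceeded" for any port the filter passes, whereas the proxy builds a fresh packet and never lets that difference out. Hop names, the port list and TTL values are constructed; no real routers or ICMP are involved.

```python
# Added example for these notes, not from the slides: a toy model of the TTL walk,
# comparing a packet filter with an application proxy at the same position.
# Hop names, ports and TTL values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    kind: str = "router"             # "router", "filter", "proxy" or "host"
    passes: Tuple[int, ...] = ()     # for filter/proxy: destination ports allowed


def forward(path: List[Hop], dport: int, ttl: int) -> Optional[str]:
    """Carry a probe along `path`, decrementing TTL at every forwarding hop.
    Returns the name of the hop that would send an ICMP time-exceeded error,
    or None if the probe is dropped silently or delivered to the final host."""
    for hop in path:
        if hop.kind == "host":
            return None                       # delivered; no ICMP error
        ttl -= 1
        if ttl == 0:
            return hop.name                   # this hop reports time exceeded
        if hop.kind in ("filter", "proxy") and dport not in hop.passes:
            return None                       # denied: no response of any kind
        if hop.kind == "proxy":
            # The proxy terminates the incoming packet and creates a new one
            # toward the inside, so the probe's TTL value is discarded too.
            ttl = 64
    return None


def probe_results(fw_kind: str) -> dict:
    """Probe three ports through a path whose third hop is the firewall,
    using TTL = hops to firewall + 1 as the slides describe."""
    path = [Hop("R1"), Hop("R2"), Hop("FW", fw_kind, (22, 80)),
            Hop("R3"), Hop("H", "host")]
    hops_to_firewall = 3
    return {port: forward(path, port, hops_to_firewall + 1)
            for port in (22, 80, 12345)}


if __name__ == "__main__":
    print("packet filter:", probe_results("filter"))
    print("proxy        :", probe_results("proxy"))
```

With the packet filter, R3 answers for ports 22 and 80 and stays silent for 12345, so the replies mirror the filter's policy; with the proxy every port gets the same silence, which is why the slide says the attack would be stopped by a proxy firewall.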

Firewalls and Defense in Depth [1]

Example security architecture:

(Diagram: Internet -> Packet filter -> DMZ (WWW server, FTP server, DNS server) -> Application proxy -> Intranet with personal firewalls)

Research: Firewall Policy Verification

Firewall design: consistency, completeness, and compactness.

Lesson: practical firewalls have complex rule sets. They are hard to get right. Research is in place to help validate the configuration for errors.
Let's see some simple ones.

Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Distributed Computing Systems, 2004. Proceedings. 24th International Conference on, pp. 320-327, 2004.

Let's do some examples

iptables is a common tool to build firewalls, well supported in Linux:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  -A INPUT: append to the INPUT list of rules
  -p tcp: match protocol tcp
  --dport 22: match destination port 22 (ssh)
  -j ACCEPT: if the rule matches, ACCEPT the packet

First matching rule wins: order matters!
The final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.

iptables - chains

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# This allows SSH TO THE FIREWALL BOX!

INPUT: anything with a destination of the firewall box
OUTPUT: anything with a source of the firewall box
FORWARD: anything going through the firewall box (neither source nor destination is the firewall box)

iptables matching rules

Jump targets: what to do upon match?
  -j ACCEPT: allow it
  -j REJECT: send a rejection message
  -j DROP: drop it, don't send any message
  -j logaccept, logdrop, logreject
  (there are others)

Protocol matching rules
  -p tcp, udp, icmp, all (0 means all)

Port matching rules
  --dport: destination port
  --sport: source port

iptables more rules

Physical device interface:
  -i vlan0   # packets coming in on that physical interface
  -o eth1    # packets going out on that physical interface
  -i is only valid for the INPUT and FORWARD chains
  -o is only valid for the OUTPUT and FORWARD chains
  (Note: specific interface names differ by hardware)

Time-based limiting:
  --limit 5/minute   (the rule matches a maximum of 5 times per minute; or per second, hour, day, etc.)

Syn-flood protection:
  iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

iptables - examples

Let's stop all http access

Let's allow www.gmu.edu though (but only GMU!)
  --destination www.gmu.edu

Let's allow only my IP to get to HTTP
  --source 192.168.3.10

Let's stop ping

iptables more rules

Connection states:
  NEW - a packet which creates a new connection.
  ESTABLISHED - a packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).
  RELATED - a packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted) a packet establishing an ftp data connection.
  INVALID - a packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

State matching:
  -m state --state ESTABLISHED,RELATED

iptables more rules

TCP bit matching:
  --tcp-flags <string 1> <string 2>
  string 1 = the set of bits to look at
  string 2 = the subset of string 1 which should be ones

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

The above command says: look at all the bits (ALL is synonymous with SYN,ACK,FIN,RST,URG,PSH) and verify that only the SYN and ACK bits are set.
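The matching rules from the iptables slides (first match wins over a default-deny policy, -p, --source/--destination, --sport/--dport, -m state, --tcp-flags, --syn and -m limit) together with the HTTP and ping exercises from the examples slide, as one added Python model. It is example code written for these notes, not iptables' own implementation; the token-bucket treatment of -m limit is an approximation of the real match, and all addresses, ports and packets are constructed.

```python
# Added example for these notes, not iptables' own code: a model of the matching
# semantics on the iptables slides. -m limit is approximated by a token bucket;
# all addresses, ports and packets are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

FLAG = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ALL_FLAGS = sum(FLAG.values())
SYN_RULE_FLAGS = ("SYN,RST,ACK,FIN", "SYN")   # what --syn expands to

def parse_flags(spec: str) -> int:
    """'ALL', 'NONE' or a comma list such as 'SYN,ACK' -> flag bit mask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(FLAG[f] for f in spec.split(","))

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str = ""
    dst: str = ""
    sport: int = 0
    dport: int = 0
    flags: int = 0             # TCP flag bits
    state: str = "NEW"         # label the connection tracker would assign
    time: float = 0.0          # arrival time in seconds, used by -m limit

class Limit:
    """-m limit approximated as a token bucket: `rate` tokens per second,
    at most `burst` stored (iptables' default --limit-burst is 5)."""
    def __init__(self, rate: float, burst: int = 5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

@dataclass
class Rule:
    target: str                                   # -j ACCEPT / DROP / REJECT
    proto: Optional[str] = None                   # -p
    src: Optional[str] = None                     # --source
    dst: Optional[str] = None                     # --destination
    sport: Optional[int] = None                   # --sport
    dport: Optional[int] = None                   # --dport
    states: Optional[Set[str]] = None             # -m state --state
    tcp_flags: Optional[Tuple[str, str]] = None   # --tcp-flags MASK COMP
    limit: Optional[Limit] = None                 # -m limit --limit

    def matches(self, p: Packet) -> bool:
        if self.proto not in (None, "all") and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst),
                           (self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.tcp_flags is not None:
            mask, comp = (parse_flags(s) for s in self.tcp_flags)
            # Only bits named in MASK are examined; of those, exactly COMP must be set.
            if (p.flags & mask) != comp:
                return False
        # An exhausted limit means "no match", so evaluation falls through.
        if self.limit is not None and not self.limit.allow(p.time):
            return False
        return True

def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

def slide_chain() -> List[Rule]:
    """The slides' rules in one chain: replies to existing connections, SSH,
    HTTP only to www.gmu.edu or from 192.168.3.10, drop segments with exactly
    SYN+ACK set, and drop ping. Default deny comes from the policy."""
    return [
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("ACCEPT", proto="tcp", dport=80, dst="www.gmu.edu"),
        Rule("ACCEPT", proto="tcp", dport=80, src="192.168.3.10"),
        Rule("DROP", proto="tcp", dport=80),
        Rule("DROP", proto="tcp", tcp_flags=("ALL", "SYN,ACK")),
        Rule("DROP", proto="icmp"),
    ]

def syn_flood_verdicts(times: List[float]) -> List[str]:
    """Verdicts for a burst of SYNs under the slides' syn-flood rule
    (-p tcp --syn -m limit --limit 1/s -j ACCEPT) with a DROP policy."""
    chain = [Rule("ACCEPT", proto="tcp", tcp_flags=SYN_RULE_FLAGS, limit=Limit(1.0))]
    return [evaluate(chain, "DROP", Packet("tcp", dport=80, flags=FLAG["SYN"], time=t))
            for t in times]
```

Two things worth trying with it: the --tcp-flags test is `(flags & MASK) == COMP`, so "ALL SYN,ACK" rejects a segment that also carries PSH while "SYN,ACK SYN" ignores PSH entirely; and moving the blanket HTTP drop ahead of the www.gmu.edu exception silently disables the exception, which is the "order matters" lesson from the first iptables slide.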

iptables - Tunneling

In our network we have one outward-facing server, so to get in from home we must travel (tunnel) through that server.
We really use SSH tunnels:

ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost

However, if everyone needed to use it, we could use a firewall-based tunnel:

iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22

Would a GUI help?

(slide content not reproduced)

Lessons

There are many firewall types; each provides a different level of security versus performance.
Multiple firewalls can be used to segment networks into security zones.
iptables is a powerful example of how to create/manage firewalls.

End of presentation