Secure Communication System
Design
Lecture 3A -- Firewall
Nazar Abbas Saqib
[Link]@[Link]
Agenda
• What are Firewalls?
• Why Firewalls?
• Types of Firewalls
• Packet Filter Firewalls
• Dynamic Packet Filter Firewalls
• Application Level Firewalls
• Circuit Level Gateways
• Bastion Host
• Firewall Configurations
• Network Address Translation (NAT)
Firewalls – Why?
Because of the Internet, any computer can be connected to any other computer in the
world – a great advantage to individuals and corporations alike.
Protecting the corporate network therefore becomes a challenge. At a broad level,
there are two kinds of attacks (Fig):
1. Leakage of critical information from the corporate network to competitors – a
great setback
2. Malicious attacks (viruses, worms, etc.) on the corporate network from
outsiders, to create havoc
Does encryption work? Encryption protects the confidentiality and integrity of data in
transit, but it does not stop an outsider from connecting to an internal host, probing for
vulnerable services, or delivering malware over an encrypted channel. Deciding which
connections are allowed at all is the firewall's job.
Firewall
• A firewall is a device used to secure the connection between one
computer or network and another computer or network. It can be
implemented in software, in hardware, or in a combination of both.
• The firewall is installed between the internal network of an organization and
the rest of the Internet (Fig.)
• All traffic between the network and the Internet, in either direction, must
pass through the firewall. If traffic can bypass it (a dial-up modem, an
unmanaged wireless link), the firewall's policy is not enforced
• The firewall decides whether the traffic is allowed to flow or must be
stopped from proceeding further
Types of Firewall
1. Simple packet filters
2. Stateful packet filtering
3. Application-layer proxies
Most packaged firewall products use some combination of
these three technologies.

1. Simple packet filters
Packet Filter Firewall
As the name suggests, a packet filter firewall filters the packets passing
through it. The packet filter applies a set of rules to each packet and, based on
the outcome, decides either to forward or to discard the packet. It is also called a
screening router or screening filter.
A router with a filtering table can therefore serve as a packet filter firewall.
Packet Filter Firewall
• A packet-filter firewall is simply a router that uses a filtering
table to decide which packets must be discarded (not
forwarded). The filtering rules are based on a number of fields at
the network or transport level
• It can forward or block packets based on information in
the network layer: source and destination IP addresses
• It can forward or block packets based on information in
the transport layer: source and destination port numbers
and the type of transport protocol (TCP or UDP)
How to Configure a Packet Filter
Packet filters usually permit or deny network traffic based on:
1. Source and destination IP addresses
2. Protocol, such as TCP, UDP, or ICMP
3. Source and destination ports, and ICMP types and codes
4. Flags in the TCP header, such as whether the packet is a
connection request (SYN set, ACK clear)
5. Direction (inbound or outbound)
6. Which physical interface the packet is traversing
How to Configure a Packet Filter
The rules specified in the packet filter work as follows (* means "any"):

Rule | Direction | Source IP       | Source port | Destination IP | Destination port | Action
A    | incoming  | [Link] network  | *           | *              | *                | block
B    | incoming  | *               | *           | *              | 23 (TELNET)      | block
C    | incoming  | *               | *           | [Link] host    | *                | block
D    | outgoing  | *               | *           | *              | 80 (HTTP)        | block

A. Incoming packets from the network [Link] are blocked (security
precaution).
B. Incoming packets destined for any internal TELNET server (port 23) are
blocked.
C. Incoming packets destined for the internal host [Link] are blocked. The
organization wants this host for internal use only.
D. Outgoing packets to any HTTP server (port 80) are blocked. The
organization does not want employees to browse the Internet.
Rules are evaluated in order and the first match decides; a packet that matches
no rule is handled by the filter's default policy, so a production ruleset should end
with an explicit deny-everything rule.
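The four rules above as a small stateless packet filter, written here as an added example (it is not code from the lecture). The slide redacts the addresses, so the blocked outside network is assumed to be 172.16.0.0/16 and the internal-only host 10.0.0.5; the Packet and Rule types and all test packets are constructed for the demonstration.

```python
"""Stateless packet filter evaluating rules A-D from the slide.

Added example, not from the lecture. The slide redacts the addresses, so the
blocked outside network is assumed to be 172.16.0.0/16 and the internal-only host
10.0.0.5; the test packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the Internet) or "out" (to the Internet)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "block" or "allow"
    direction: str = "*"      # "*" means "any", as on the slide
    proto: str = "*"
    src: str = "*"            # CIDR prefix or "*"
    dst: str = "*"
    sport: Union[int, str] = "*"
    dport: Union[int, str] = "*"

    def matches(self, p: Packet) -> bool:
        """Every non-wildcard field must match for the rule to apply."""
        if self.direction != "*" and self.direction != p.direction:
            return False
        if self.proto != "*" and self.proto != p.proto:
            return False
        if self.src != "*" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "*" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport != "*" and self.sport != p.sport:
            return False
        if self.dport != "*" and self.dport != p.dport:
            return False
        return True


RULES: List[Rule] = [
    Rule("A", "block", direction="in", src="172.16.0.0/16"),       # whole outside network
    Rule("B", "block", direction="in", proto="tcp", dport=23),      # any internal TELNET server
    Rule("C", "block", direction="in", dst="10.0.0.5/32"),          # internal-only host
    Rule("D", "block", direction="out", proto="tcp", dport=80),     # no web browsing
]


def filter_packet(p: Packet, rules: List[Rule] = RULES,
                  default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule gets the default policy.

    The slide's table implies a default of "allow"; a production ruleset should end
    with an explicit deny-everything rule instead (default="block" here).
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return default, "default"
```

Note that rule C blocks every protocol to the host, while B and D are TCP-only, which is exactly the kind of asymmetry that is easy to get wrong when rules are written by hand.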
Packet Filter Firewall – PROS & CONS
Advantages:
Fast, simple, transparent to users and applications
Disadvantages:
Cannot prevent attacks on specific application weaknesses (it never sees the payload)
Limited logging capabilities (typically only header fields)
Typically no support for user authentication
Vulnerable to exploits that take advantage of problems in the
TCP/IP specification (spoofing, source routing, fragmentation)
Easy to make mistakes when creating rules (rule order matters, and an
over-broad "any" silently widens the policy)
Packet Filter Firewall – Attacks & Countermeasures
Packet filter firewalls are vulnerable to the following attacks:
1. IP address spoofing
2. Source routing attacks
3. Tiny fragment attacks
Packet Filter Firewall – Attacks & Countermeasures
IP address spoofing
• An intruder outside the network sends packets to the internal corporate
network using one of the internal IP addresses as the source
address. The attacker hopes that the spoofed address will
allow penetration of systems that employ simple source-address
security – packets from specific trusted internal hosts are accepted
• How to defeat?
• Discard all packets arriving on the external interface whose source address
is one of the internal addresses (ingress filtering). The mirror-image rule is also
worth applying: discard outgoing packets whose source address is not internal
(egress filtering), so that the organization's hosts cannot be used to spoof others
Packet Filter Firewall – Attacks & Countermeasures
Exploiting source routing information
Source routing (an IP header option) has two variations:
Loose: the attacker specifies a list of IP addresses through which the
packet must travel. The packet may also travel through
additional routers between the IP addresses specified in the list
Strict: the IP addresses in the list specified by the attacker are the only
IP addresses through which the packet is allowed to travel
Packet Filter Firewall – Attacks & Countermeasures
The security of a packet filter can be compromised by:
Source routing
• An intruder specifies the route the packet should take as it crosses
the Internet, in the hope that this will bypass security measures
that do not analyze source routing information (use of the Loose
Source and Record Route (LSRR) option)
Packet Filter Firewall – Attacks & Countermeasures
Exploiting source routing information
Normally, traffic from the attacker to the server goes via "router a", "router b",
"router c", the firewall and finally to the victim – the standard scenario for
routing traffic over the Internet.
Packet Filter Firewall – Attacks & Countermeasures
Exploiting source routing information
By exploiting source routing, the path can be made to go via "router a", "router b", the "trusted host",
the firewall and finally to the victim, so that the packet reaches the firewall from the trusted host.
If the external trusted host is allowed through the firewall ruleset based on its IP address, the attacker
can bounce off this host to gain access to the internal network. The attack works because the trusted
host forwards the packet as the next hop of the specified route, so to the firewall it appears to
come from a host the ruleset trusts.
Packet Filter Firewall – Attacks & Countermeasures
Exploiting source routing information
Even worse: traffic can be source routed directly to many low-end firewalls, which then
forward it to the internal network using their internal IP address as the new
packet source.

How to defeat?
The countermeasure is to discard all packets that carry a
source-routing option (loose or strict), on every interface.
Packet Filter Firewall – Attacks & Countermeasures
Tiny fragment attacks
• Fragmentation of packets is required when an IP packet is larger than the
maximum frame size of the network (the Maximum Transmission Unit,
or MTU)
• The tiny fragment attack is staged by sending an IP packet whose first
fragment is so small that it contains only the source and destination port
fields of the TCP header, not the TCP flags. The flags arrive in the next fragment
• Therefore, if the access list is based on TCP flags (for example, blocking
inbound packets with SYN=1 and ACK=0, i.e. connection requests), it cannot
test the first fragment
• If the first fragment passes, most network devices do not check the remaining
fragments (they carry no transport header of their own)
• An intruder can exploit this feature of the TCP/IP protocol suite to intentionally
create tiny fragments, in the hope that only the first fragment is examined
and the remaining fragments are not
• How to defeat?
• Discard all fragmented packets whose upper-layer protocol is TCP.
Less drastic alternatives are to drop only first fragments that are too short to
carry the TCP flags (RFC 1858), or to reassemble before filtering
Figures 1 and 2 show the two fragments, and Figure 3 shows the defragmented packet on the
target machine (the packet captures themselves are not reproduced here).
The attack consists of requesting a TCP connection
fragmented into two IP packets. The first IP packet, of
68 bytes, holds only the first 8 bytes of the TCP header
(source and destination ports and sequence number).
The data in the second IP packet then holds the TCP
connection request (SYN flag set to 1 and ACK flag set to 0).
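The three countermeasures just described (drop spoofed internal sources, drop packets carrying a source-routing option, drop fragmented TCP) applied to a raw IPv4 header, as an added example that is not part of the lecture. The parser uses only the standard library; the internal prefix 10.0.0.0/8 is an assumption, and every packet is constructed by the build_ipv4() helper at the bottom.

```python
"""Header-level countermeasures for the three attacks above: spoofed internal
source, source-routing option, and TCP fragments.

Added example, not from the lecture. It parses a raw IPv4 header with the standard
library only. The internal prefix 10.0.0.0/8 is assumed and every packet is
constructed by build_ipv4() below.
"""
import struct
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
IPOPT_LSRR, IPOPT_SSRR = 131, 137           # loose / strict source route option types
IPPROTO_TCP = 6
IPV4_HDR = "!BBHHHBBH4s4s"                  # the 20 fixed header bytes


def parse_ipv4(raw: bytes) -> dict:
    """Return just the header fields a packet filter consults."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad version or header length")
    return {"proto": proto,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF,     # in 8-byte units
            "src": ip_address(src), "dst": ip_address(dst),
            "options": raw[20:ihl]}


def option_types(options: bytes) -> List[int]:
    """Walk the option list (RFC 791 TLV format) and return the type codes present."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation: single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option")
        types.append(kind)
        i += options[i + 1]
    return types


def inspect_external(raw: bytes) -> Tuple[str, str]:
    """Verdict for a packet arriving on the external interface."""
    try:
        h = parse_ipv4(raw)
        opts = option_types(h["options"])
    except ValueError as e:
        return "drop", f"malformed: {e}"
    if h["src"] in INTERNAL:
        return "drop", "spoofed internal source address"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "drop", "source-routing option present"
    if h["proto"] == IPPROTO_TCP and (h["more_fragments"] or h["frag_offset"]):
        return "drop", "fragmented TCP packet"     # the slide's blunt countermeasure
    return "accept", "ok"


def lsrr_option(*hops: str) -> bytes:
    """Loose Source and Record Route option naming the given hops (pointer = 4)."""
    addrs = b"".join(ip_address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(addrs), 4]) + addrs


def build_ipv4(src: str, dst: str, proto: int = IPPROTO_TCP, *, options: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0,
               payload: bytes = b"") -> bytes:
    """Constructed test packets (header checksum left zero; the filter never uses it)."""
    options += b"\x00" * (-len(options) % 4)         # pad the option list to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         0x1234, flags_frag, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + options + payload
```

A malformed option list is treated as a reason to drop rather than to skip the check: an option walker that silently gives up on bad input is itself a bypass.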
2. Stateful packet filtering
Dynamic Packet Filter Firewall or Stateful Packet Filter Firewall
TCP traffic establishes a TCP session first (the three-way handshake)
TCP port numbers below 1024 are well known – permanently
assigned to services
Port numbers above 1023 (ephemeral ports) are allocated dynamically by the client
and live only for the lifetime of the TCP connection
A simple packet-filtering firewall must allow inbound network traffic on
all these high-numbered ports for TCP-based traffic to occur. This
creates a vulnerability that can be exploited by attackers: anything an outsider
sends to a high port is let in, whether or not an internal host asked for it
A dynamic packet filter examines packets
based on the current state of the network
Dynamic Packet Filter Firewall or Stateful Packet Filter Firewall
1. A stateful inspection packet filter tightens up the rules for TCP traffic by
creating a directory (state table) of outbound TCP connections, as shown in the Table:
source address, source port, destination address, destination port and connection state
2. The packet filter will now allow incoming traffic to high-numbered ports only for
those packets that fit the profile of one of the entries in this directory
What about TCP and UDP traffic?
What are the states a dynamic firewall
keeps track of?
For TCP the firewall can follow the handshake and teardown (SYN sent, established,
closing). UDP has no handshake, so a stateful firewall records each outbound
datagram's address/port pair and accepts replies to it for a short timeout, after which
the entry expires.
Dynamic Packet Filter Firewall or Stateful Packet Filter Firewall
This has several important advantages over simple (stateless) packet filtering.
1. Bidirectionality: without some sort of connection-state tracking, a packet filter is not
smart enough to know whether an incoming packet is part of an existing
connection (e.g., one initiated by an internal host) or the first packet of a new
(inbound) connection. Simple packet filters can be told to assume that any TCP packet
with the ACK flag set is part of an established session, but this leaves the door open
to various spoofing attacks (an attacker simply sets ACK on the probe).
2. Another advantage of state tracking is protection against certain kinds of port
scanning and even some attacks. For example, the powerful port scanner nmap
supports "stealth scans" (FIN, Xmas-Tree, and NULL scans) that, rather
than attempting to initiate legitimate TCP handshakes with target hosts, involve
sending out-of-sequence or otherwise nonstandard packets. When you filter packets
based not only on IP-header information but also on their relationship to other packets
(i.e., whether they belong to an established connection), you increase the odds of
detecting such a scan and blocking it.
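A stateful TCP filter implementing the two points above, added here as an example (not code from the lecture). Internal hosts may open connections outward; an inbound segment is accepted only if it belongs to a connection the internal side initiated, so ACK-only, FIN-only and NULL probes to high ports fall through to a drop. The internal network 10.0.0.0/8, the TcpSegment type and the traffic are constructed; entry timeouts, which a real implementation needs for half-open and closing connections, are omitted.

```python
"""Stateful (dynamic) packet filter for TCP, as an added example (not from the
lecture).

Policy: internal hosts may open connections outward; inbound segments are accepted
only if they belong to a connection the internal side initiated. 10.0.0.0/8 is
assumed to be the internal network; all segments are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INTERNAL = ip_network("10.0.0.0/8")
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


# state-table key: (internal addr, internal port, external addr, external port)
ConnKey = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _key(seg: TcpSegment, outbound: bool) -> ConnKey:
        if outbound:
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg: TcpSegment) -> Tuple[str, str]:
        """Return (verdict, reason) and update the state table."""
        outbound = ip_address(seg.src) in INTERNAL
        key = self._key(seg, outbound)
        state = self.table.get(key)

        if outbound:
            if state is None:
                if seg.flags & SYN and not seg.flags & ACK:
                    self.table[key] = "SYN_SENT"       # new outbound connection
                    return "allow", "new outbound connection recorded"
                return "drop", "outbound segment for unknown connection"
            if seg.flags & RST:
                del self.table[key]
                return "allow", "connection closed"
            if seg.flags & FIN:
                self.table[key] = "CLOSING"            # real firewalls expire this by timeout
            return "allow", f"existing connection ({self.table[key]})"

        # inbound: nothing is accepted without a matching entry, so SYN, ACK-only,
        # FIN, Xmas and NULL probes to unused ports all end here
        if state is None:
            return "drop", "inbound segment for unknown connection"
        if state == "SYN_SENT":
            if seg.flags & SYN and seg.flags & ACK:
                self.table[key] = "ESTABLISHED"
                return "allow", "handshake reply"
            return "drop", "unexpected flags during handshake"
        if seg.flags & RST:
            del self.table[key]
            return "allow", "connection closed"
        if seg.flags & FIN:
            self.table[key] = "CLOSING"
        return "allow", f"existing connection ({self.table[key]})"
```

The stateless "assume ACK means established" shortcut the slide warns about corresponds to replacing the `state is None` drop in the inbound branch with an allow when ACK is set; with the table in place that shortcut is unnecessary.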
3. Application-layer proxies
Application Gateway Firewall
• Packet filter firewalls do not work at the application level, yet some
messages need to be filtered on the information inside the message
• Ex. An organization wants to implement a policy:
• Only those Internet users who have previously established
business relations with the company can have access; access for
other users must be blocked.
• In this case, a packet-filter firewall is not feasible because it cannot
distinguish between different packets arriving at TCP port 80
(HTTP). Testing must be done at the application level (using URLs
and user identity).
Application Gateway Firewall
An application gateway is also called a proxy server, since it acts as a proxy and
decides about the flow of application-level traffic. Typically it works as follows:
1. An internal user contacts the application gateway (AG) using a TCP/IP
application such as FTP, Telnet or HTTP
2. The AG asks for the remote host (domain name or IP) as well as the user id and
password
3. The user provides this information to the gateway, and the AG authenticates the user
4. The AG accesses the remote host on behalf of the user and relays packets
between the end points
A proxy firewall therefore filters at the application layer: it sees user identity,
commands and URLs, not just addresses and ports.
Application Gateway Firewall
• If the gateway does not implement the proxy code for a specific
application, the service is not supported and cannot be forwarded
across the firewall.
• Further, the gateway can be configured to support only specific
features of an application that the network administrator
considers acceptable, while denying all other features.
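The decision logic of an HTTP application gateway, covering steps 2 to 4 of the procedure above and the "approved features only" point, as an added example (not the lecture's code). It parses a proxy-style request, authenticates the user from the Proxy-Authorization header, and relays only GET/HEAD requests to destinations on an approved list. The user table, password, allowed hosts and the requests themselves are constructed for the demonstration; a real gateway would use a proper credential store.

```python
"""Decision logic of an HTTP application gateway (proxy), as an added example
(not the lecture's code).

It parses a proxy-style request, authenticates the user from the
Proxy-Authorization header, and applies the policy from the slides: only known
users, only GET/HEAD, only destinations on the approved list. The user table,
allowed hosts and requests are constructed for the demonstration.
"""
import base64
import hmac
from hashlib import sha256
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed user table: username -> sha256 of password (never store plaintext).
USERS: Dict[str, str] = {"alice": sha256(b"correct horse").hexdigest()}
ALLOWED_METHODS = {"GET", "HEAD"}                       # "acceptable features" only
ALLOWED_HOSTS = {"partner.example.com", "www.example.org"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split the request line and headers of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name if the Basic credentials check out, else None."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    # constant-time comparison so a wrong password is not distinguishable by timing
    return user if hmac.compare_digest(expected, sha256(pw.encode()).hexdigest()) else None


def gateway_decision(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason); 200 means relay the request to the remote host."""
    try:
        method, target, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError, IndexError):
        return 400, "malformed request"
    user = authenticate(headers)
    if user is None:
        return 407, "proxy authentication required"
    if method not in ALLOWED_METHODS:
        return 405, f"method {method} not permitted through the gateway"
    url = urlsplit(target)
    if url.scheme != "http" or url.hostname not in ALLOWED_HOSTS:
        return 403, f"destination {url.hostname or target!r} not approved"
    return 200, f"relay {method} for {user} to {url.hostname}"


def build_request(method: str, url: str, user: Optional[str] = None,
                  password: str = "") -> bytes:
    """Constructed proxy-style request for testing."""
    lines = [f"{method} {url} HTTP/1.1", f"Host: {urlsplit(url).netloc}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

Authentication is checked before the destination, so an unauthenticated client learns nothing about which hosts are approved; the order of the checks is part of the policy.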
Network Address Translation (NAT)
• In computer networking, network address translation (NAT) is the process
of modifying network address information in datagram packet headers
while in transit across a traffic-routing device, for the purpose of remapping
a given address space into another
• NAT eases the shortage of IPv4 addresses. It allows an organization to
have a large number of IP addresses internally but only a single (or a few) IP
address(es) externally. Only external traffic needs the external IP address; internal
traffic can work with the internal addresses (Fig – next page)
• For NAT to be possible, the Internet authorities have reserved private address
ranges for internal use (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16),
which are never routed on the public Internet; all other addresses are public
• NAT is typically one of the jobs done by the firewall or proxy server itself. NAT
hides internal addresses and drops unsolicited inbound packets as a side effect,
but it is not a substitute for an explicit filtering policy
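A port-translating NAT (NAPT) table showing how a single external address is shared, as an added example that is not from the lecture. Each outbound flow gets its own external port; an inbound packet is rewritten back only when it matches a translation created by an outbound packet, which is the side effect described above. The private range 192.168.1.0/24, the public address 203.0.113.10 and the datagrams are constructed.

```python
"""Network address and port translation (NAPT) table, added example, not from the
lecture.

One public address is shared by all internal hosts; each outbound flow is given its
own external port, and inbound packets are rewritten back only when they match a
translation created by an outbound packet. Addresses are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INTERNAL = ip_network("192.168.1.0/24")     # assumed RFC 1918 range used inside
PUBLIC_IP = "203.0.113.10"                  # the NAT device's single external address


@dataclass(frozen=True)
class Datagram:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


Inside = Tuple[str, str, int]     # proto, private address, private port
Outside = Tuple[str, int]         # proto, translated external port


class NaptTable:
    def __init__(self, first_port: int = 1024) -> None:
        self.next_port = first_port
        self.out_map: Dict[Inside, int] = {}
        self.in_map: Dict[Outside, Inside] = {}

    def translate_outbound(self, d: Datagram) -> Optional[Datagram]:
        """Rewrite the source to PUBLIC_IP:port, allocating a port on first use."""
        if ip_address(d.src) not in INTERNAL:
            return None                          # not ours to translate: drop
        key = (d.proto, d.src, d.sport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port                # a real device recycles expired ports
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(d.proto, port)] = key
        return replace(d, src=PUBLIC_IP, sport=port)

    def translate_inbound(self, d: Datagram) -> Optional[Datagram]:
        """Rewrite the destination back to the private host, or None if unsolicited."""
        if d.dst != PUBLIC_IP:
            return None
        inside = self.in_map.get((d.proto, d.dport))
        if inside is None:
            return None                          # no internal host asked for this
        _proto, private_ip, private_port = inside
        return replace(d, dst=private_ip, dport=private_port)
```

Two internal hosts may both use source port 40000; the translated ports differ, which is why the port, not just the address, has to be rewritten. Note also that any external host can reach a mapped port once it exists, so the "protection" NAT gives is only against unsolicited traffic to ports that were never mapped.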
Variant of application gateway: Circuit-Level Gateway
A circuit-level gateway is a variation of the application gateway that performs some additional
functions.
The circuit-level gateway establishes a new connection between the remote host and itself, as is done
by application gateway firewalls.
The circuit-level gateway replaces the source IP address in packets with its own, so the IP addresses
of internal users are hidden from the outside world – an additional feature.
Unlike an application gateway, it does not inspect the application protocol once the circuit is set up;
it simply relays bytes between the two connections.
The SOCKS server is an example of a real-life implementation of a circuit-level gateway.
Application Gateway vs Packet Filter
1. Application-level gateways tend to be more secure than packet filters.
Rather than trying to deal with the numerous possible combinations that are
to be allowed and forbidden at the TCP and IP level, the application-level
gateway need only scrutinize a few allowable applications.
2. In addition, it is easy to log and audit all incoming traffic at the application
level.
3. A prime disadvantage of this type of gateway is the additional processing
overhead on each connection. In effect, there are two spliced connections
between the end users, with the gateway at the splice point, and the
gateway must examine and forward all traffic in both directions.
Comparison

                                  | Packet filtering             | Stateful                     | Application proxy
Price                             | Least expensive              | Moderately expensive         | Most expensive
Speed                             | Fast                         | Fast                         | Slower
Configuration                     | Easy                         | Moderate                     | Moderate
Application independence          | High                         | Moderate                     | Low – must have a separate proxy for each application whose traffic is to be filtered
Sophistication of filtering rules | Low                          | Moderate                     | High
User authentication               | None (uses IP addresses)     | None (uses IP addresses)     | High
Network exposure                  | Both ends directly connected | Both ends directly connected | Ends of the conversation isolated through the application proxy
Packet types filtered             | TCP and UDP                  | TCP and UDP                  | Generally TCP (although a few do handle UDP)
Effectiveness                     | Lowest                       | Moderate                     | Highest