Secure Networks
SPRING 2025
Firewalls
Evolution of Information Systems
Centralized data processing system, with a central mainframe supporting
a number of directly connected terminals.
Local area networks (LANs) interconnecting PCs and terminals to each
other and the mainframe.
Premises network, consisting of a number of LANs, interconnecting PCs,
servers, and perhaps a mainframe or two.
Enterprise-wide network, consisting of multiple, geographically distributed
premises networks interconnected by a private wide area network (WAN).
Internet connectivity, in which the various premises networks all hook into
the Internet and may or may not also be connected by a private WAN.
The need for a firewall
Internet access provides benefits to the organization, but it also enables the
outside world to reach and interact with local network assets, which is a
threat to the organization.
It is possible to equip each workstation and server on the premises network
with strong security features, but this is not sufficient and not cost effective:
when a security flaw is discovered, each potentially affected system must be
upgraded to fix that flaw, which requires scalable configuration management.
A widely accepted alternative, or at least complement, to host-based
security services is the firewall.
Firewall Characteristics and Access Policy
All traffic from inside to outside, and vice versa, must pass through the
firewall. This is achieved by physically blocking all access to the local
network except via the firewall.
Only authorized traffic, as defined by the local security policy, will be
allowed to pass. Various types of firewalls are used, which implement
various types of security policies.
The firewall itself is immune to penetration. This implies the use of a
hardened system with a secured operating system. Trusted computer
systems are suitable for hosting a firewall and often required in
government applications.
Characteristics used to filter traffic
IP Address and Protocol Values: Controls access based on the source or
destination addresses and port numbers, direction of flow being inbound or
outbound, and other network and transport layer characteristics.
Application Protocol: Controls access on the basis of authorized application
protocol data. This type of filtering is used by an application-level gateway that
relays and monitors the exchange of information for specific application
protocols.
User Identity: Controls access based on the user's identity, typically for inside
users who identify themselves using some form of secure authentication
technology, such as IPSec.
Network Activity: Controls access based on considerations such as the time of
request, e.g., only in business hours; rate of requests, e.g., to detect scanning
attempts; or other activity patterns.
Firewall Capabilities
A firewall defines a single choke point that attempts to keep unauthorized
users out of the protected network, prohibit potentially vulnerable services
from entering or leaving the network, and provide protection from various
kinds of IP spoofing and routing attacks.
A firewall provides a location for monitoring security-related events. Audits
and alarms can be implemented on the firewall system.
A firewall is a convenient platform for several Internet functions that are
not security related, e.g., NAT and audit logs.
A firewall can serve as the platform for IPSec.
Firewall Limitations
The firewall cannot protect against attacks that bypass the firewall.
The firewall may not protect fully against internal threats.
An improperly secured wireless LAN may be accessed from outside the
organization.
A laptop, PDA, or portable storage device may be used and infected
outside the corporate network and then attached and used internally.
Types of Firewalls
Packet Filtering Firewall
A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet
and then forwards or discards the packet.
The firewall is typically configured to filter packets going in both directions.
Filtering rules are based on information contained in a network packet:
Source IP address: The IP address of the system that originated the IP packet (e.g.,
[Link]).
Destination IP address: The IP address of the system the IP packet is trying to reach (e.g.,
[Link]).
Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port
number, which defines applications such as SNMP or TELNET.
IP protocol field: Defines the transport protocol.
Interface: For a firewall with three or more ports, which interface of the firewall the packet
came from or which interface of the firewall the packet is destined for.
The packet filter is typically set up as a list of rules based on matches to
fields in the IP or TCP header.
If there is a match to one of the rules, that rule is invoked to determine
whether to forward or discard the packet.
If there is no match to any rule, then a default action is taken. Two default
policies are possible:
Default = discard: That which is not expressly permitted is prohibited.
Default = forward: That which is not expressly prohibited is permitted.
Packet Filter Firewall Rules
Problem: Rule 4 allows external traffic to any destination port above 1023. As an
example of an exploit of this rule, an external attacker can open a connection from
the attacker's port 5150 to an internal Web proxy server on port 8080.
Solution:
Weakness of Packet Filtering Firewall
Because packet filter firewalls do not examine upper-layer data, they
cannot prevent attacks that employ application-specific vulnerabilities or
functions.
Because of the limited information available to the firewall, the logging
functionality present in packet filter firewalls is limited.
Most packet filter firewalls do not support advanced user authentication
schemes.
Packet filter firewalls are generally vulnerable to attacks and exploits that
take advantage of problems within the TCP/IP specification and protocol
stack.
Packet filter firewalls are susceptible to security breaches caused by
improper configurations.
Attacks on Packet Filtering Firewall
IP address spoofing: The intruder transmits packets from the outside with a
source IP address field containing an address of an internal host. The attacker
hopes that the use of a spoofed address will allow penetration of systems that
employ simple source address security, in which packets from specific trusted
internal hosts are accepted.
Source routing attacks: The source station specifies the route that a packet
should take as it crosses the Internet, in the hopes that this will bypass security
measures that do not analyze the source routing information.
Tiny fragment attacks: The intruder uses the IP fragmentation option to create
extremely small fragments and force the TCP header information into a
separate packet fragment. This attack is designed to circumvent filtering rules
that depend on TCP header information. Typically, a packet filter will make a
filtering decision on the first fragment of a packet.
Countermeasures
IP address spoofing: The countermeasure is to discard packets with an
inside source address if the packet arrives on an external interface. In fact,
this countermeasure is often implemented at the router external to the
firewall.
Source routing attacks: A countermeasure is to discard all packets that use
this option.
Tiny fragment attacks: This attack can be defeated by enforcing a rule that
the first fragment of a packet must contain a predefined minimum amount
of the transport header. If the first fragment is rejected, the filter can
remember the packet and discard all subsequent fragments.
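The three countermeasures above combined into one per-fragment check, written as an added example (not code from the lecture or its textbook sources). The protected address block, the 20-byte minimum for the first fragment, and the (source address, IP identification) key used to remember a rejected datagram are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.0/24")   # assumed: the protected internal address block
MIN_FIRST_FRAGMENT = 20                  # assumed threshold: bytes of transport header the
                                         # first fragment must carry (a basic TCP header)

@dataclass(frozen=True)
class Fragment:
    iface: str            # "ext" = external interface, "int" = internal interface
    src_ip: str
    packet_id: int        # IP identification field, shared by all fragments of a datagram
    offset: int           # fragment offset in bytes; 0 marks the first fragment
    payload_len: int      # bytes following the IP header in this fragment
    source_routed: bool = False   # IP source-routing option present

class HardenedFilter:
    """Applies the anti-spoofing, source-routing and tiny-fragment rules to each fragment."""
    def __init__(self):
        # datagrams whose first fragment was rejected, keyed by (source, IP id)
        self.rejected = set()

    def check(self, frag):
        # Anti-spoofing: an inside source address can never legitimately arrive
        # on the external interface.
        if frag.iface == "ext" and ip_address(frag.src_ip) in INSIDE_NET:
            return "discard: inside source address on external interface"
        # Source routing: drop every packet that carries the option.
        if frag.source_routed:
            return "discard: source routing option present"
        # Tiny fragments: the first fragment must hold enough of the transport
        # header to filter on; once it is rejected, its trailing fragments go too.
        key = (frag.src_ip, frag.packet_id)
        if frag.offset == 0:
            if frag.payload_len < MIN_FIRST_FRAGMENT:
                self.rejected.add(key)
                return "discard: first fragment too small to hold transport header"
        elif key in self.rejected:
            return "discard: trailing fragment of a rejected datagram"
        return "forward"
```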
Stateful Packet Inspection
A traditional packet filter makes filtering decisions on an individual packet basis
and does not take into consideration any higher-layer context.
A stateful packet inspection firewall tightens up the rules for TCP traffic by
creating a directory of outbound TCP connections.
The packet filter will now allow incoming traffic to high-numbered ports only for
those packets that fit the profile of one of the entries in this directory.
A stateful packet inspection firewall reviews the same packet information as a
packet filtering firewall, but also records information about TCP connections.
Some stateful firewalls also keep track of TCP sequence numbers to prevent
attacks that depend on the sequence number, such as session hijacking. Some
even inspect limited amounts of application data.
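A small Python model of the two mechanisms discussed above: a first-match packet filter with a default policy, including the loose "rule 4" that forwards any inbound packet to a port above 1023, and the stateful variant that consults a directory of outbound TCP connections. This is an added example, not code from the lecture or its textbook sources; the rule set, addresses and port numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" arrives from the external network, "out" leaves it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Rule = (direction, destination-port test, action); the first match wins.
# Rule 4 reproduces the weakness discussed above: any inbound packet to a
# port above 1023 is forwarded, whoever sent it.
LOOSE_RULES = [
    ("in",  lambda p: p == 25,  "forward"),   # rule 1: their mail to our SMTP server
    ("out", lambda p: p > 1023, "forward"),   # rule 2: our replies to their mail client
    ("out", lambda p: p == 25,  "forward"),   # rule 3: our mail to their SMTP server
    ("in",  lambda p: p > 1023, "forward"),   # rule 4: "their replies" to our mail client
]
DEFAULT_POLICY = "discard"   # default = discard: not expressly permitted is prohibited

def packet_filter(pkt, rules=LOOSE_RULES, default=DEFAULT_POLICY):
    """Stateless filter: the first matching rule decides, else the default policy."""
    for direction, dport_ok, action in rules:
        if pkt.direction == direction and dport_ok(pkt.dst_port):
            return action
    return default

class StatefulFilter:
    """Keeps a directory of outbound TCP connections; inbound traffic to a
    high-numbered port is forwarded only when it matches an entry."""
    def __init__(self):
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def process(self, pkt):
        if pkt.direction == "out":
            verdict = packet_filter(pkt)
            if verdict == "forward":   # remember the connection our host opened
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return verdict
        if pkt.dst_port > 1023:        # claimed reply: must match an outbound entry
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "forward" if key in self.connections else "discard"
        return packet_filter(pkt)      # e.g. inbound mail to port 25 via rule 1

# Constructed traffic: the exploit from the text and a legitimate outbound SMTP exchange.
ATTACK = Packet("in", "203.0.113.5", 5150, "10.0.0.10", 8080)   # attacker -> internal web proxy
OUTBOUND_MAIL = Packet("out", "10.0.0.10", 4000, "198.51.100.7", 25)
MAIL_REPLY = Packet("in", "198.51.100.7", 25, "10.0.0.10", 4000)
```

The stateless filter forwards ATTACK through rule 4, while the stateful filter discards it because no internal host opened a connection to 203.0.113.5:5150, yet still forwards MAIL_REPLY once OUTBOUND_MAIL has been seen.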
State Table
Application-Level Gateway
An application-level gateway, also called an application proxy, acts as a relay
of application-level traffic.
The user contacts the gateway using a TCP/IP application, such as Telnet or
FTP, and the gateway asks the user for the name of the remote host to be
accessed.
When the user responds and provides a valid user ID and authentication
information, the gateway contacts the application on the remote host and
relays TCP segments containing the application data between the two
endpoints.
If the gateway does not implement the proxy code for a specific application,
the service is not supported and cannot be forwarded across the firewall.
Further, the gateway can be configured to support only specific features of an
application that the network administrator considers acceptable while denying
all other features.
Application-level gateways tend to be more secure than packet filters.
Rather than trying to deal with the numerous possible combinations that
are to be allowed and forbidden at the TCP and IP level, the
application-level gateway need only scrutinize a few allowable applications.
In addition, it is easy to log and audit all incoming traffic at the application
level.
A prime disadvantage of this type of gateway is the additional processing
overhead on each connection. In effect, there are two spliced
connections between the end users, with the gateway at the splice point,
and the gateway must examine and forward all traffic in both directions.
Circuit-level Gateway
This can be a stand-alone system or it can be a specialized function
performed by an application-level gateway for certain applications.
As with an application gateway, a circuit-level gateway does not permit
an end-to-end TCP connection; rather, the gateway sets up two TCP
connections, one between itself and a TCP user on an inner host and one
between itself and a TCP user on an outside host.
Once the two connections are established, the gateway typically relays
TCP segments from one connection to the other without examining the
contents.
The security function consists of determining which connections will be
allowed.
Firewall Location and Configurations
DMZ Networks
Distributed Firewalls
Virtual Private Network
Intrusion Prevention System
Introduction
A relatively recent addition to the terminology of security products is the
intrusion prevention system (IPS). There are two complementary ways of
looking at an IPS:
An IPS is an inline network-based IDS (NIDS) that has the capability to block
traffic by discarding packets as well as simply detecting suspicious traffic.
Alternatively, the IPS can monitor ports on a switch that receives all traffic and
then send the appropriate commands to a router or firewall to block traffic. For
host-based systems, an IPS is a host-based IDS that can discard incoming traffic.
An IPS is a functional addition to a firewall that adds IDS types of algorithms to
the repertoire of the firewall.
Host-based IPS
A host-based IPS (HIPS) makes use of both signature and anomaly detection
techniques to identify attacks.
Examples of the types of malicious behavior addressed by a HIPS:
Modification of system resources
Privilege-escalation exploits
Buffer-overflow exploits
Access to e-mail contact list
Directory traversal
Filtering is based on system calls, file access, I/O operations, and registry settings.
Network-based IPS
A network-based IPS (NIPS) is in essence an inline NIDS with the authority to
discard packets and tear down TCP connections.
In terms of the general methods used by a NIPS device to identify
malicious packets, the following are typical:
Pattern matching
Stateful matching
Protocol anomaly
Traffic anomaly
Statistical anomaly