
Internet Security (IntSec)

10 Firewalls

Prof. Dr. Peter Heinzmann


Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

ITA, 4.02.2007, 10-Firewalls.ppt 1

10 Firewalls
10.1 Overview
• Network defences – a cascade of security zones
• Secure routers, packet filtering firewalls, application gateways (proxies)
• Firewall functions
10.2 Technologies
• Example firewall – Linux Netfilter
• Packet filtering – filter rules
• Application gateway
• Proxy services
• Stateful inspection technology
• Network address translation (NAT)
• Port address translation (PAT)
10.3 Management
• Remote Administration
• Examples: Checkpoint FireWall-1 and Linux IPCop
• Monitoring and Logging

Learning Objectives

• You can explain the major Firewall terms and functions.
• You are able to read and define Firewall rules.
• You are prepared for the lab "Firewall".

Internet Security (IntSec)

10.1 Overview

Castle Defences: A Cascade of Security Zones

[Figure: cross-section of a castle. Moat / Main Gate: the outer perimeter controlling castle access. Inner Perimeter: the stronghold; higher walls create a containment area between the inner and outer perimeters. Keep: the last building in the castle to fall.]
Network Defences: A Cascade of Security Zones

[Figure: the same cascade applied to a network. Outer Perimeter: the Internet firewall between the Internet and the De-Militarized Zone (DMZ). Inner Perimeter: the internal firewall between the DMZ and the Internal Network (Intranet). Stronghold: the Intranet. Keep: the Mission Critical Systems inside the Intranet.]

Ordering and organizing helps to improve security. One way of organizing is the
“classification of documents”; another way is the “structuring of the network”. Most
companies distinguish several network zones, but there is no generally accepted
“zone definition” or “zone naming scheme”. Typically companies distinguish at least
three zones:

1. Internet (insecure zone): This zone is insecure for all practical purposes. It has no
means of protecting the network from the others. The only security in this zone
comes from the machine itself.
2. Demilitarized Zone (DMZ): This zone is separated from the Internet by the first part of a
firewall (typically a filtering firewall). It usually holds those servers which are accessed
frequently from the Internet (e.g. the company web server, the DNS server with the
address mapping of the public addresses, the mail server).
3. Intranet (secure zone, trusted zone): This zone is separated from the DMZ by the second
part of a firewall (typically a proxy server, i.e. an application level firewall), which
processes requests for connections from the internal network to the outside.

There may be further specifically secured zones within the Intranet, which are protected
against attacks from hosts on the Intranet. These zones contain mission critical
systems or organizations with high security requirements (e.g. the police department
within a government organization).

Example: HSR

[Figure: HSR network diagram with a Cisco PIX 515 FW.]
Firewalls can control traffic at various OSI layers

[Figure: firewall technologies placed on the OSI layers at which they inspect traffic.]

  OSI layer            Firewall technology
  Application Layer    Application Level Proxies (Application Gateways)
  Transport Layer      Circuit Level Proxies; Stateful Inspection Engines
                       (e.g. TCP SYN, ACK, FIN states)
  Network Layer        Packet Filter (Secure Router, Screening Router)

  Packet Filtering Firewalls work on the Network and Transport Layer headers.

The main firewall technologies are:


- Packet filtering: check header information of the packets
- Deep packet inspection: look at the application content of the packets
- Application Gateways: terminate connections and also look at the application content of the
packets

Some firewalls check the packets one by one only. Stateful inspection firewalls look at
packet flows, trying to assign a state to the connections.

Most of the modern firewalls are hybrid products that cannot be easily classified into
groups.

Firewall Functions
Filtering, Inspection, Detection, Logging, Alerting

• Deny everything that is not explicitly permitted … or
• Permit everything that is not explicitly denied.

[Figure: firewall between two networks with an IDS attached; the functions Detection, Logging and Alerting are shown beside it.]

A firewall may fulfill several functions:

• Filter and inspect traffic
• Log events (and traffic)
• Perform content screening (virus scan engines, content blocking, URL filtering,
protocol compliance testing)
• Allow address reuse (perform Network Address Translation, NAT function),
hide the internal structure
• Detect attacks, send alerts, communicate with other devices, e.g. with an intrusion
detection system (Open Platform for Security, OPSEC)
• Act as a virtual private network (VPN) server
• Authenticate administrators (use of tokens/smart cards or two-factor authentication)

Internet Security (IntSec)

10.2 Technologies

Example Firewall - Linux Netfilter

[Figure: packet paths through a Netfilter firewall host with the interfaces eth0 and eth1. A packet arriving on eth0 is first routed: if it is destined for the other interface (eth1) it traverses the FORWARD chain; if it is destined for a local process it traverses the INPUT chain. Packets generated by a local process traverse the OUTPUT chain and are then routed to the outgoing interface. The same paths exist for the direction eth1 to eth0.]

http://www.netfilter.org
Filter Rules – Default Policy

• Permit everything that is not explicitly denied.

  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT

• Deny everything that is not explicitly permitted.

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

http://www.netfilter.org
Packet Filtering
Screening Router, Deep Packet Inspection

[Figure: a packet filter between two networks examines inbound and outbound packets at the Network and Transport Layers; only deep packet inspection reaches into the Application Layer data.]

Header fields available to a packet filter:

  Src IP Address   Dst IP Address   Protocol Type   Src Port Number   Dst Port Number   TCP Flags   Application Data
  160.85.128.1     152.96.129.3     1 ICMP          ...               53 DNS            SYN         (deep packet
                                    6 TCP                             80 HTTP           ACK         inspection)
                                    17 UDP                            23 Telnet         FIN
                                    50 ESP                            ...               ...

Packet-Filtering Firewalls provide network security by filtering network communications
based on the information contained in the TCP/IP headers of each packet. Packet-
Filtering Firewalls are also known as “Screening Routers” or “Filtering gateway firewalls”.
A deep-packet inspection (DPI) firewall also checks the content of the packet.

Packet-Filtering Firewalls use a special rule set to filter IP, TCP, ICMP, and other packets
that pass through the network interface. Arriving and outgoing packets are filtered by the
type, source address, destination address, and port information contained in each packet.
A filtering gateway doesn't require a powerful machine to run on; using an old 486 box
and a specialized one-floppy Linux mini-distribution should do the trick.

Packet Filtering
Examples

• Default Policy: Deny everything that is not explicitly permitted.

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

• Allow ssh login to the firewall host from outside

  iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp --sport ssh -j ACCEPT

• Allow pings from all interfaces

  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

• Drop any traffic coming from host 80.63.5.7

  iptables -I INPUT 1 -i eth0 -s 80.63.5.7 -j DROP

There are various strategies for implementing packet filters. The following two are
rather general:
• Build rules from most to least specific.
Most packet filters process their rule sets from top to bottom and stop processing once
a match is made.
• Place the most active rules near the top of the rule set.
Screening packets is a processor-intensive operation. Hence, placing the popular rules
first saves the processor from going through all rules for every packet.
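The first-match behaviour described above, and why the slide inserts the DROP rule for 80.63.5.7 at position 1 instead of appending it, can be tried out with the following Python model of the slide's INPUT chain. It is an added example, not code from the lecture or from iptables itself: Packet and Rule are simplified stand-ins for the real matchers, and the address 203.0.113.5 used below is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrives on (-i)
    proto: str            # "tcp", "udp" or "icmp" (-p)
    src: str              # source address (-s)
    dport: int = 0        # destination port (--dport), 0 = none
    icmp_type: str = ""   # e.g. "echo-request" (--icmp-type)


@dataclass
class Rule:
    target: str                       # -j ACCEPT / DROP
    iface: Optional[str] = None       # None = any value matches
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        wanted = ((self.iface, p.iface), (self.proto, p.proto), (self.src, p.src),
                  (self.dport, p.dport), (self.icmp_type, p.icmp_type))
        return all(want is None or want == have for want, have in wanted)


class Chain:
    """One iptables chain: an ordered rule list plus a default policy (-P)."""

    def __init__(self, policy: str) -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:            # iptables -A
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I <pos>, 1-based
        self.rules.insert(pos - 1, rule)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:       # top to bottom, first match wins
            if rule.matches(p):
                return rule.target
        return self.policy            # no rule matched: the default policy decides


def input_chain(block_first: bool = True) -> Chain:
    """The INPUT chain of the slide. With block_first=False the DROP rule for
    80.63.5.7 is appended (-A) instead of inserted at position 1 (-I INPUT 1)."""
    chain = Chain("DROP")                                               # -P INPUT DROP
    chain.append(Rule("ACCEPT", iface="eth0", proto="tcp", dport=22))   # ssh from outside
    chain.append(Rule("ACCEPT", proto="icmp", icmp_type="echo-request"))
    block = Rule("DROP", iface="eth0", src="80.63.5.7")
    if block_first:
        chain.insert(1, block)
    else:
        chain.append(block)
    return chain


if __name__ == "__main__":
    ssh_from_blocked_host = Packet("eth0", "tcp", "80.63.5.7", dport=22)
    print(input_chain(True).verdict(ssh_from_blocked_host))    # DROP
    print(input_chain(False).verdict(ssh_from_blocked_host))   # ACCEPT: the ssh rule matched first
```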

Application Gateway
Application Firewall, Proxy

[Figure: an application gateway terminates the inbound and outbound connections and works on all layers, including the Application Layer data.]

Fields available to an application gateway:

  Src IP Address   Dst IP Address   Protocol Type   Src Port Number   Dst Port Number   TCP Flags   Application Data
  160.85.128.1     152.96.129.3     1 ICMP          ...               53 DNS            SYN         HTTP
                                    6 TCP                             80 HTTP           ACK         SOAP/XML
                                    17 UDP                            23 Telnet         FIN         SQL
                                    50 ESP                            ...               ...         ...

Application Gateway has become synonymous with terms such as bastion host, proxy
gateway, and proxy server. An application gateway makes access decisions based on
packet information at all seven layers of the OSI model. An application gateway may also
be configured with the ability to remove objectionable content, such as ActiveX or Java
scripts, from web pages.
Some proxies are not “seen” by the end systems and are therefore called “transparent
proxies” (as opposed to “visible proxies”).

The proxy must “understand” each service. Proxies for newer services are usually hard
to find.

Proxy Services

• Circuit-level gateway
• establishes a TCP connection according to defined rules
(a security policy)
• No content filtering can be defined. No user authentication.
• Application-level gateway
• establishes TCP connections with an application-level gateway
in place.
• administrator can control access for selected applications/network
services (e.g. HTTP, SOAP/XML, etc.).
• can filter content and can provide user authentication.


Application Gateway or Proxy Firewalls usually contain additional security support
software like a VPN server, strong authentication services (tokens, smart cards), or virus
scan engines. Proxy Firewalls, also known as “Proxy services”, work between external
and internal networks and provide replacement connections instead of direct connections
with remote services. Proxies try to act more or less transparently. Proxy firewalls require
powerful machines. It is possible to divide this category into two groups:
• A circuit-level gateway is a proxy service that establishes a TCP connection (or
crosswires TCP ports) between internal and external networks according to defined rules
(a security policy). No content filtering can be defined. The freely available SOCKS (a
standard, generic networking proxy protocol) proxy server is a typical example of this
approach. Circuit-level gateways don't provide user authentication.
• An application-level gateway is a proxy service that establishes TCP connections
between internal and external networks; with an application-level gateway in place, an
administrator can control access for selected applications/network services (e.g., HTTP,
FTP, NNTP). Application-level gateways can filter content, while packet-filter and circuit-
level gateways are unable to determine transmission content. Some application proxies
can cache requested data to save bandwidth. Application-level gateways can provide
user authentication and implement an access rights policy.

Proxy Service Example

[Figure: Host A and Host B on the Intranet reach Server X on the Internet through a proxy running on the firewall host. Each client session consists of two TCP connections, one on each side of the proxy:]

  TCP Connection 1 (Intranet side):  S: Host A Port 1024     D: Proxy Port 8080
  TCP Connection 1 (Internet side):  S: Firewall Port 3000   D: Server X Port 80

  TCP Connection 2 (Intranet side):  S: Host B Port 1027     D: Proxy Port 8080
  TCP Connection 2 (Internet side):  S: Firewall Port 3001   D: Server X Port 80
Stateful Inspection Technology

• Communication- and application-derived state and context
information
• Updated dynamically
• Provides full application-layer awareness without requiring
a separate proxy for every service
• Check Point Software is credited with coining the term
stateful inspection in the use of its FireWall-1 in 1993.

Stateful inspection is an advanced firewall architecture that was invented by Check Point
Software Technologies in the early 1990s. Also known as dynamic packet filtering, it has
replaced static packet filtering as the industry standard firewall solution for networks.
Stateful inspection provides enhanced security by keeping track of communications
packets over a period of time. Both incoming and outgoing packets are examined.
Outgoing packets that request specific types of incoming packets are tracked; only those
incoming packets constituting a proper response are allowed through the firewall. In
contrast to static packet filtering, in which only the headers of packets are checked,
stateful inspection analyzes packets up to the Application layer.
In a firewall that uses stateful inspection, the network administrator can set the
parameters to meet specific needs. In a typical network connected to the Internet, ports
are normally closed unless an incoming packet requests connection to a specific port,
and then only that port is opened to the packet. This prevents port scanning, a well-known
technique used by hackers to gain entry to networks and individual computers connected
to the Internet.
[http://searchnetworking.techtarget.com]

Stateful Inspection I

[Figure: FireWall-1 packet processing. Stages shown: defrag (virtual chain of fragments), then a pre-inspection lookup in the “connections” table, which ACCEPTs packets of known connections directly; all other packets go to the inspection virtual machine, which either ACCEPTs them (recording them under “pending” / “connections”) or DROPs/REJECTs them.]

Sources:
Thomas Lopatic, John McDonald, TÜV data protect GmbH,
tl@dataprotect.com, jm@dataprotect.com
Dug Song, CITI at the University of Michigan, dugsong@umich.edu
“A Stateful Inspection of Firewall-1”, Black Hat Briefings, 2000.
Stateful Inspection II

[Figure: an internal client sends a UDP packet from port C to port S of an external server; the firewall accepts the packet and records the “connection”. Afterwards UDP replies from the server to port C of the client are accepted from any server port (wildcard).]

• UDP “connections”
• from a client, port C
• to a server, port S + wildcard port
• <s-address, s-port, d-address, d-port, protocol>
Stateful Inspection III

[Figure: FTP data connections, which a stateful firewall has to derive from the control channel. FTP client 192.168.0.2, FTP server 172.16.0.2.]

Active mode: the client opens the control connection from a port > 1023 to server port 21
and sends “PORT 192,168,0,2,4,36”. The server then opens the data connection from its
port 20 to client port 1060 (4*256+36).

Passive mode: the client sends “PASV” on the control connection and the server answers
“227 ... (172,16,0,2,4,36)”. The client then opens the data connection from a port > 1023
to server port 1060.
Stateful Inspection with Linux Netfilter
Examples

• Allow replies on outbound TCP packets

  iptables -A OUTPUT -o eth0 -p tcp -m state \
      --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp -m state \
      --state ESTABLISHED,RELATED -j ACCEPT

• Allow replies on outbound UDP packets

  iptables -A OUTPUT -o eth0 -p udp -m state \
      --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth0 -p udp -m state \
      --state ESTABLISHED,RELATED -j ACCEPT

• Allow replies on outbound ICMP packets

  iptables -A OUTPUT -o eth0 -p icmp -m state \
      --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth0 -p icmp -m state \
      --state ESTABLISHED,RELATED -j ACCEPT
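The following Python model ties the NEW/ESTABLISHED/RELATED rules above to the UDP “connection” and FTP cases of the Stateful Inspection II and III slides. It is an added example, not code from the lecture or from netfilter: unlike the wildcard server port shown for FireWall-1, it only accepts a reply that matches the exact reverse tuple, and the control-connection port 1050 used in the demo is constructed.

```python
import re
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The <s-address, s-port, d-address, d-port, protocol> tuple of one packet."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.daddr, self.dport, self.saddr, self.sport)


class StateTable:
    def __init__(self) -> None:
        self.established: Set[Flow] = set()   # flows opened by an accepted packet
        # (proto, initiator address, target address, target port) announced in-band
        self.expected: Set[Tuple[str, str, str, int]] = set()

    def _classify(self, f: Flow) -> str:
        if f in self.established or f.reverse() in self.established:
            return "ESTABLISHED"
        if (f.proto, f.saddr, f.daddr, f.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def outbound(self, f: Flow) -> Tuple[str, str]:
        """OUTPUT chain: --state NEW,ESTABLISHED,RELATED -j ACCEPT."""
        state = self._classify(f)
        self.established.add(f)
        self.expected.discard((f.proto, f.saddr, f.daddr, f.dport))
        return "ACCEPT", state

    def inbound(self, f: Flow) -> Tuple[str, str]:
        """INPUT chain: --state ESTABLISHED,RELATED -j ACCEPT, then policy DROP."""
        state = self._classify(f)
        if state == "NEW":
            return "DROP", state            # unsolicited packet from outside
        self.established.add(f)             # a RELATED data connection is now tracked
        self.expected.discard((f.proto, f.saddr, f.daddr, f.dport))
        return "ACCEPT", state

    def expect_ftp_data(self, client: str, server: str, line: str) -> None:
        """FTP helper: register the data connection announced on the control channel."""
        m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
        if not m:
            return
        h = m.groups()
        addr, port = ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
        if line.startswith("PORT"):         # active mode: server connects to the client
            self.expected.add(("tcp", server, addr, port))
        elif line.startswith("227"):        # passive mode: client connects to the server
            self.expected.add(("tcp", client, addr, port))


if __name__ == "__main__":
    t = StateTable()
    t.outbound(Flow("tcp", "192.168.0.2", 1050, "172.16.0.2", 21))       # control channel
    data = Flow("tcp", "172.16.0.2", 20, "192.168.0.2", 1060)
    print(t.inbound(data))                                                # ('DROP', 'NEW')
    t.expect_ftp_data("192.168.0.2", "172.16.0.2", "PORT 192,168,0,2,4,36")
    print(t.inbound(data))                                                # ('ACCEPT', 'RELATED')
```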
Network Address Translation (NAT)

• NAT goals
  • Allow use of internal [private] IP addresses
  • Hide internal network structure
  • Disable direct [inbound] Internet connections

• NAT types
  • Dynamic
    • For connections from inside to outside
    • There may be fewer outside addresses than internal addresses
  • Static
    • For connections from outside to specific servers inside
    • One-to-one address mapping (fixed)
Network Address Translation (NAT)

[Figure: NAT between the “Local” network (hosts 10.0.0.1 to 10.0.0.4) and the “External” network / Internet. A packet from 10.0.0.1 leaves with source address (SA) 192.69.1.1, a packet from 10.0.0.3 with SA 192.69.1.2. Host 10.0.0.4 has no entry in the NAT table, so its packet cannot be translated (marked “?”).]

  NAT Table
  Local IP Source Address   External IP Source Address
  10.0.0.1                  192.69.1.1
  10.0.0.3                  192.69.1.2
Network Address Translation (NAT) is also known as IP masquerading. It provides a
mapping between internal IP addresses and officially assigned external addresses.
Originally, NAT was suggested as a short-term solution to the problem of IP address
depletion. Also, many organizations have, in the past, used locally assigned IP
addresses, not expecting to require Internet connectivity. NAT is defined in RFC 3022.
When NAT is configured, static mappings and/or dynamic pools of addresses must be
configured. Static assignments permanently map a private address to a public address.
Dynamic pools consist of a start IP address and the number of addresses in the pool.
NAT takes the IP address of an outgoing packet and translates it to an officially assigned
global address. For incoming packets it translates the assigned address to an internal
address. For each outgoing IP packet, the source address is checked by the NAT
configuration rules. If a rule matches the source address, the address is translated to a
global address from the address pool. The predefined address pool contains the
addresses that NAT can use for translation. For each incoming packet, the destination
address is checked if it is used by NAT. When this is true, the address is translated to the
original internal address.
It should be noted that implementation of NAT for specific applications that have IP
information in the application data is more sophisticated than the standard NAT
implementations. If NAT translates an address for an IP packet, the checksum is also
adjusted. For FTP packets, the task is even more difficult, because the packets can
contain addresses in the data of the packet. For example, the FTP PORT command
contains an IP address in ASCII. These addresses should also be translated correctly
and checksum updates and even TCP sequence and acknowledgement updates should
be made accordingly.
There is no connection setup or tear-down at the IP level. Therefore, a timeout value
should be configured that instructs NAT how long to keep an association in an idle state
before returning the external IP address to the free NAT pool.
Source: Address Translation Tutorial
http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm

Port Address Translation (PAT)

[Figure: PAT between the “Local” network and the Internet. All hosts share the single public address 192.69.1.1; the translated source port (5001, 5002, ...) tells the sessions apart.]

  NAT Table
  Local IP Source Address:Port   External IP Source Address:Port
  10.0.0.1:X                     192.69.1.1:5001
  10.0.0.3:Y                     192.69.1.1:5002
  10.0.0.3:Z                     192.69.1.1:5003
  10.0.0.4:X                     192.69.1.1:5004

PAT is used when several privately addressed workstations share a single public
address. PAT uses the TCP and UDP port numbers to map multiple private addresses to
the single public address. For normal applications such as web browsing and FTP
transfers, PAT can be configured by just enabling the feature.
When accesses originate from the privately addressed LAN, a mapping is established
between the source port number and the source private address. When the response is
received on the publicly addressed WAN port, the destination port is mapped back to the
private address.
Static PAT port mappings or the PAT default address need to be configured when an
application will initiate a TCP or UDP connection from the public network. If a publicly
accessible server resides on a privately addressed LAN, static ports can be defined for
the applications it is running. For example, TCP port 80 for a web server and TCP
port 21 for an FTP server can be statically assigned. The PAT default address can be used
with, or instead of, static port assignments, and is set to the private address of a
workstation on the local LAN. If an incoming IP data packet is received on a WAN port
and there is no existing dynamic or static port mapping, the packet will be translated
using the PAT default address.

Source: Port Address Translation
http://support.3com.com/infodeli/tools/remote/ocremote/brouters/840/C_Cadtrns.htm
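As an added example (not from the slides or the 3Com tutorial), the following Python class implements the PAT table of the slide together with the idle timeout, static port mappings and PAT default address described in the NAT and PAT notes. The private source ports 1024, 1027 and 1030 stand in for the X, Y and Z of the slide; the external addresses 198.51.100.x and 203.0.113.5 are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """One public address shared by several private hosts, distinguished by port."""

    def __init__(self, public_ip: str, first_port: int = 5001,
                 idle_timeout: float = 300.0, default_address: Optional[str] = None) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout          # seconds until an idle dynamic entry expires
        self.default_address = default_address    # PAT default address (None = not configured)
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}            # (proto, pub port) -> private
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int, float]] = {}    # ... -> (addr, port, last seen)
        self.by_private: Dict[Tuple[str, str, int], int] = {}               # (proto, addr, port) -> pub port

    def add_static(self, proto: str, public_port: int, addr: str, port: int) -> None:
        """Static PAT mapping, e.g. TCP port 80 to the web server on the private LAN."""
        self.static[(proto, public_port)] = (addr, port)

    def outbound(self, p: Packet, now: float) -> Packet:
        """LAN -> WAN: allocate (or refresh) a public port for the private source."""
        key = (p.proto, p.src, p.sport)
        pub_port = self.by_private.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_private[key] = pub_port
        self.dynamic[(p.proto, pub_port)] = (p.src, p.sport, now)
        return Packet(p.proto, self.public_ip, pub_port, p.dst, p.dport)

    def inbound(self, p: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN: dynamic mapping, then static mapping, then default address, else drop."""
        if p.dst != self.public_ip:
            return None
        key = (p.proto, p.dport)
        entry = self.dynamic.get(key)
        if entry is not None:
            addr, port, last_seen = entry
            if now - last_seen <= self.idle_timeout:
                self.dynamic[key] = (addr, port, now)           # refresh the idle timer
                return Packet(p.proto, p.src, p.sport, addr, port)
            del self.dynamic[key]                                # expired: association removed
            del self.by_private[(p.proto, addr, port)]
        if key in self.static:
            addr, port = self.static[key]
            return Packet(p.proto, p.src, p.sport, addr, port)
        if self.default_address is not None:
            return Packet(p.proto, p.src, p.sport, self.default_address, p.dport)
        return None                                              # no mapping: packet dropped


if __name__ == "__main__":
    pat = Pat("192.69.1.1")
    print(pat.outbound(Packet("tcp", "10.0.0.1", 1024, "198.51.100.7", 80), now=0.0))
    print(pat.inbound(Packet("tcp", "198.51.100.7", 80, "192.69.1.1", 5001), now=1.0))
```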
NAT with Linux Netfilter

[Figure: the Netfilter packet paths of the previous diagram extended by the nat table (-t nat). A packet arriving on eth0 first passes the PREROUTING chain (destination NAT), is then routed either to the FORWARD chain (towards eth1) or to the INPUT chain (local process), and when leaving on eth1 passes the POSTROUTING chain (source NAT). Packets from a local process pass the OUTPUT chain (destination NAT), are routed and then pass POSTROUTING (source NAT). The same paths exist for the direction eth1 to eth0.]

http://www.netfilter.org
NAT with Linux Netfilter
Examples

• Masquerading (with dynamic IP addresses)

  iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
      -j MASQUERADE

• Source NAT (with static IP addresses)

  iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 \
      -j SNAT --to 1.2.3.4-1.2.3.6

• Destination NAT (with static IP addresses)

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
      -j DNAT --to 10.1.0.7:8080

http://www.netfilter.org
Internet Security (IntSec)

10.3 Management

Administration Example 1: Checkpoint FireWall-1

[Figure: FireWall-1 policy editor screenshot with two callouts: “Support for over 150 applications plus custom services” and “Define authorization based on multiple criteria”.]

A firewall’s number one job is to provide access control. By default, FireWall-1 operates
under the strictest security policy: “That which is not explicitly permitted is denied.” From
this starting point, security managers add rules to allow access as appropriate.

Defining these rules is easy and intuitive with FireWall-1. A broad range of applications
and services are supported out of the box, and defining additional network resources
(e.g., protocols, services, users, groups, servers, etc.) is easy. These network resources
are then used as the basis of security policy rules.

InspectXL is FireWall-1’s enabling technology, providing unparalleled application support
and performance beyond 100Mbps. Based on Check Point’s patented Stateful Inspection,
it provides the combination of high performance and high security.

http://www.checkpoint.com/products/firewall-1/index.html

Administration Example 2: Linux IPCop

http://www.ipcop.org
Monitoring and Logging

• Main Problem – Multitude of logging sources
  • Operating system logs, network management messages, firewall logs
  and alerts, router management messages, intrusion detection alarms,
  application and server statistics, system integrity checks.
  • Automated processing is a prerequisite.
• Central Log Server
  • All important system components should send their log messages to a
  central log server. The analysis and reporting can then be done
  centrally in a comprehensive way.
  • Logs should be immediately copied to a secure, non-erasable storage
  medium (e.g. write-once CD-ROMs) because attackers will try to
  remove their traces from the logs.
• Denial of Service Attacks
  • An effective denial of service attack might be mounted by flooding the
  log server with innumerable messages, thus filling up the file space.
  • Automatic alerting mechanisms must prevent this.