
Chapter 9

Firewalls and Intrusion Prevention Systems
The Need For Firewalls

• internet connectivity is essential
• however it creates a threat
• effective means of protecting LANs
• inserted between the premises network and the Internet to establish a controlled link
• can be a single computer system or a set of two or more systems working together
• used as a perimeter defense
  • single choke point to impose security and auditing
  • insulates the internal systems from external networks
Firewall use: Two basic philosophies
1. That which is not expressly permitted is prohibited
2. That which is not expressly prohibited is permitted

4 25/11/2018
That which is not expressly permitted is prohibited

1. The firewall must be designed to block everything, and services are enabled on a case-by-case basis
2. Fail-safe approach from the administrator's point of view
3. Does not call for an administrator with exceptional skills

That which is not expressly prohibited is permitted

1. The sysadmin is in a reactive mode to the actions of the users.
2. Offers the user the greatest flexibility
3. But often pits the user against the sysadmin.
4. Requires a sysadmin that can anticipate users' actions, thus a better skilled admin
5. A NIGHTMARE approach from the security point of view

Firewall Characteristics

design goals:
• all traffic from inside to outside must pass through the firewall
• only authorized traffic as defined by the local security policy will be allowed to pass
• the firewall itself is immune to penetration

techniques used by firewalls to control access and enforce the site's security policy are:
• service control
• direction control
• user control
• behavior control
Firewall Characteristics

• Four general techniques:

1. Service control
  • Determines the types of Internet services that can be accessed, inbound or outbound
2. Direction control
  • Determines the direction in which particular service requests are allowed to flow
3. User control
  • Controls access to a service according to which user is attempting to access it
4. Behavior control
  • Controls how particular services are used (e.g. filter e-mail)
capabilities:
• defines a single choke point
• provides a location for monitoring
security events
• convenient platform for several Internet
functions that are not security related
• can serve as the platform for IPSec

limitations:
• cannot protect against attacks bypassing
firewall
• may not protect fully against internal threats
• improperly secured wireless LAN can be
accessed from outside the organization
• laptop, PDA, or portable storage device may
be infected outside the corporate network
then used internally
Types of Firewalls

• Four common types of firewalls:

1. Packet-filtering routers
2. Stateful inspection firewalls
3. Application-level gateways or application
proxy firewalls
4. Circuit-level gateways or circuit-level proxy
firewalls

Packet Filtering Firewall
• Applies rules to packets in/out of firewall, based on information in the packet header
  • Source IP address, destination IP address, source and destination port numbers
  • IP protocol field
  • Router interface
• Two default policies:
1. Discard - prohibit unless expressly permitted
  • more conservative, controlled, visible to users
2. Forward - permit unless expressly prohibited
  • easier to manage/use but less secure

Firewalls – Packet Filters

Packet Filter Rules
• Default = Discard policy
• Top-to-bottom application of rules
Firewall Rules
1. First entry: packets from SPIGOT are blocked
2. Inbound mail is allowed only to OUR-GW host

Firewall Rules
• Explicit statement of the default policy.
• All rule sets include this rule explicitly as the last rule.

Firewall Rules
• Any inside host can send mail to outside
• A TCP packet with destination port 25 is routed to the SMTP server of the destination machine
• Any problem with this rule?

1. Using port 25 for SMTP receipt is just a default.
2. The outside machine can have another application linked to port 25
3. Attackers could use this to gain access to internal machines
4. Any solutions?
Firewall Rules - solution to the previous problem
1. Uses a feature of TCP connections: once a TCP connection is set up, the ACK flag of the TCP segment is set to acknowledge segments sent from the other party.
2. First rule: allow packets whose source address is included in the list "{our hosts}" and whose destination TCP port number is 25.
3. Incoming packets with source port number 25 that have the ACK flag set in the TCP segment are allowed.
4. Each rule designates source and destination explicitly, so the rules are defined explicitly

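The rule set walked through on the last few slides, as an added example (not from the slides): a top-to-bottom packet filter with an explicit discard rule last, the SPIGOT block, mail only to OUR-GW, and the ACK test on replies from port 25. The addresses standing in for SPIGOT, OUR-GW and {our hosts} are constructed.

```python
from dataclasses import dataclass

# Constructed stand-ins for the hosts named in the rule set (not real addresses from the slides)
OUR_HOSTS = {"192.168.10.7", "192.168.10.8"}   # the "{our hosts}" list
OUR_GW = "192.168.10.1"                         # the OUR-GW mail gateway
SPIGOT = "203.0.113.9"                          # the blocked SPIGOT host

@dataclass
class Rule:
    action: str                 # "permit" or "discard"
    src: set = None             # matching source addresses, None = any
    dst: set = None
    src_port: int = None        # None = any port
    dst_port: int = None
    ack: bool = None            # True = ACK must be set, None = don't care
    comment: str = ""

    def matches(self, pkt):
        return ((self.src is None or pkt["src"] in self.src)
                and (self.dst is None or pkt["dst"] in self.dst)
                and (self.src_port is None or pkt["sport"] == self.src_port)
                and (self.dst_port is None or pkt["dport"] == self.dst_port)
                and (self.ack is None or pkt["ack"] == self.ack))

RULESET = [
    Rule("discard", src={SPIGOT}, comment="everything from SPIGOT is blocked"),
    Rule("permit", dst={OUR_GW}, dst_port=25, comment="inbound mail only to OUR-GW"),
    Rule("permit", src=OUR_HOSTS, dst_port=25, comment="inside hosts may send mail out"),
    Rule("permit", dst=OUR_HOSTS, src_port=25, ack=True, comment="replies from the remote SMTP server"),
    Rule("discard", comment="explicit default: not expressly permitted"),
]

def evaluate(pkt, ruleset=RULESET):
    """Top-to-bottom search; the first matching rule decides (the explicit default always matches)."""
    return next((r.action, r.comment) for r in ruleset if r.matches(pkt))

def tcp(src, sport, dst, dport, ack=False):
    """Constructed TCP packet summary: just the header fields the filter looks at."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}

# Constructed sample traffic; the last two show why the ACK test matters: an outside host using
# source port 25 to open a fresh connection to an inside high port falls through to the default
SAMPLES = {
    "spigot_mail": tcp(SPIGOT, 25, OUR_GW, 25),
    "inbound_mail_gw": tcp("198.51.100.4", 40000, OUR_GW, 25),
    "inbound_mail_host": tcp("198.51.100.4", 40000, "192.168.10.7", 25),
    "outbound_mail": tcp("192.168.10.7", 40001, "198.51.100.4", 25),
    "smtp_reply": tcp("198.51.100.4", 25, "192.168.10.7", 40001, ack=True),
    "port25_probe": tcp("198.51.100.4", 25, "192.168.10.7", 40001, ack=False),
}
```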
Firewall Rules - FTP connections
• FTP: two TCP connections, one for control, one for data transfer
• Data transfer: uses a different port, dynamically assigned
• Most servers use low-numbered ports
• Most outgoing calls use a higher-numbered port > 1023

1. Packets that originate internally are allowed
2. Reply packets to connections initiated by an internal machine are allowed
3. Packets destined for a high-numbered port on an internal machine.
Packet Filter Weaknesses
• Weaknesses

1. cannot prevent attacks on application bugs
2. limited logging functionality
3. do not support advanced user authentication
4. vulnerable to attacks on TCP/IP protocol bugs
5. improper configuration can lead to breaches

• Attacks
  • IP address spoofing, source route attacks, tiny fragment attacks

IP address Spoofing

• How: an outside intruder uses an internal address as the packet's source IP address
• Aim: access to systems using simple source-address security, where packets from specific internal hosts are trusted
• Countermeasure:
  • Discard packets with an inside source address if the packet arrives on an external interface

Source Routing

• How: the source station specifies the route a packet should take as it crosses the Internet
• Aim: to bypass security measures that do not analyse source routing information
• Countermeasure: discard packets using source routing

Tiny fragment attacks
• How:
  • Creates extremely small fragments
  • Forces the TCP header info into a separate fragment
• Aim:
  • Circumvent filtering rules based on TCP header info
  • Usually the decision is based on the first fragment of a packet; the other fragments are either accepted or rejected based solely on the first fragment.
  • Attacker hopes only the first fragment is examined and the others are let through
• Countermeasure:
  • The first fragment must contain a predefined minimum amount of the transport header

IP and TCP
Tiny fragment attack
• The first fragment contains only eight octets of data (the minimum fragment size).
• In the case of TCP, this is sufficient to contain the source and destination port numbers, but it will force the TCP flags field into the second fragment.
• Filters that attempt to drop connection requests (TCP datagrams having SYN=1 & ACK=0) will be unable to test these flags in the first octet, and will typically ignore them in subsequent fragments.

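The three countermeasures from the preceding slides (inside source address on the external interface, source-routed packets, and a first fragment too small to carry the TCP header) applied to raw IPv4 headers, as an added example that is not part of the slides. The inside network, the sample packets and the builder that assembles them are constructed; the LSRR/SSRR option type values are the standard ones.

```python
import struct
import ipaddress
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")  # hypothetical premises network
MIN_TCP_HEADER = 20      # octets of transport header a first fragment must carry
LSRR, SSRR = 0x83, 0x89  # IP option types for loose / strict source routing
IP_FMT = "!BBHHHBBH4s4s"

def build_ipv4(src, dst, payload, proto=6, more_fragments=False, options=b""):
    ihl_words = 5 + len(options) // 4     # options must already be padded to 4 octets
    hdr = struct.pack(IP_FMT, 0x40 | ihl_words, 0, ihl_words * 4 + len(payload), 1,
                      0x2000 if more_fragments else 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload

def parse_ipv4(pkt):
    """Extract only the header fields the three countermeasures need."""
    ver_ihl, _, total_len, _, ff, _, proto, _, src, _ = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ipaddress.ip_address(src), "proto": proto, "mf": bool(ff & 0x2000),
            "offset": ff & 0x1FFF, "payload_len": total_len - ihl, "options": pkt[20:ihl]}

def has_source_route(options):
    """Walk the IP option list; LSRR/SSRR mean the sender dictated the route."""
    i = 0
    while i < len(options) and options[i] != 0:      # type 0 ends the list
        if options[i] == 1:                          # type 1 is a one-octet no-op
            i += 1
            continue
        if options[i] in (LSRR, SSRR):
            return True
        i += max(options[i + 1], 2) if i + 1 < len(options) else len(options)
    return False

def filter_decision(pkt, interface):
    """Apply the three countermeasures from the slides before any port-based rule."""
    h = parse_ipv4(pkt)
    if interface == "external" and h["src"] in INSIDE_NET:
        return "discard: inside source address on external interface"
    if has_source_route(h["options"]):
        return "discard: source-routed packet"
    if h["proto"] == 6 and h["offset"] == 0 and h["mf"] and h["payload_len"] < MIN_TCP_HEADER:
        return "discard: first fragment too small to carry the TCP header"
    return "forward"

# Constructed samples: full TCP header, 8-octet first fragment, spoofed inside source, LSRR option
FULL_TCP = build_ipv4("203.0.113.5", "192.168.10.7", b"\x00" * 20)
TINY_FRAG = build_ipv4("203.0.113.5", "192.168.10.7", b"\x00" * 8, more_fragments=True)
SPOOFED = build_ipv4("192.168.10.3", "192.168.10.7", b"\x00" * 20)
SOURCE_ROUTED = build_ipv4("203.0.113.5", "192.168.10.7", b"\x00" * 20,
                           options=bytes([LSRR, 7, 4]) + b"\xc0\x00\x02\x01" + b"\x00")
```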
Stateful Inspection Firewall

• Reviews packet header information but also keeps info on TCP connections
  • Low, "known" port number for the server
  • High port number dynamically assigned for the client
• A simple packet filter must allow all return packets to high-numbered ports back in: vulnerabilities
• A stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
• Only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
• May also track TCP sequence numbers

Stateful Inspection Firewall

tightens rules for TCP traffic by creating a directory of outbound TCP connections
• there is an entry for each currently established connection
• packet filter allows incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory

reviews packet information but also records information about TCP connections
• keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number
• inspects data for protocols like FTP, IM and SIPS commands
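The connection directory described on the two stateful inspection slides, as an added example (not from the slides), placed beside the plain packet filter it improves on: the stateless filter has to admit any inbound ACK packet to a high port, while the stateful one admits only packets that match an entry created by an outbound SYN. The inside prefix and sample packets are constructed; sequence-number tracking and FIN teardown are left out.

```python
# Constructed values for this example (not from the slides)
INSIDE_NET = "192.168.10."   # hypothetical premises network prefix
HIGH_PORT = 1024             # first "high-numbered" (client) port

def tcp(src, sport, dst, dport, syn=False, ack=False, rst=False):
    """Constructed packet summary holding only the fields the filter inspects."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn, "ack": ack, "rst": rst}

def stateless_decision(pkt):
    """Plain packet filter: it has to admit every inbound ACK packet aimed at a high port."""
    if pkt["dst"].startswith(INSIDE_NET) and pkt["dport"] >= HIGH_PORT and pkt["ack"]:
        return "permit"
    return "discard"

class StatefulFilter:
    """Directory of outbound TCP connections, keyed by the two address/port pairs."""

    def __init__(self):
        self.directory = {}   # (inside addr, inside port, outside addr, outside port) -> state

    def decide(self, pkt):
        outbound = pkt["src"].startswith(INSIDE_NET)
        key = ((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) if outbound
               else (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        if outbound:
            if pkt["syn"] and not pkt["ack"]:          # inside host opens a connection
                self.directory[key] = "SYN_SENT"
                return "permit"
            if key in self.directory:                  # later segments of a known connection
                if pkt["rst"]:
                    del self.directory[key]
                return "permit"
            return "discard"
        if pkt["dport"] < HIGH_PORT:     # e.g. inbound mail to the gateway: the static rule set decides
            return "static-rules"
        state = self.directory.get(key)  # high port: only traffic matching a directory entry
        if state is None:
            return "discard"
        if state == "SYN_SENT" and pkt["syn"] and pkt["ack"]:   # the server's SYN-ACK
            self.directory[key] = "ESTABLISHED"
            return "permit"
        if state == "ESTABLISHED" and pkt["ack"]:
            if pkt["rst"]:
                del self.directory[key]
            return "permit"
        return "discard"
```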
Application-Level Gateway
• Relay of application-level traffic
1. Users contact the gateway with a remote host name, at the application level (http, ftp, telnet)
2. User must be authenticated
3. Gateway contacts the application on the remote host and relays TCP segments between server and user
• Gateway must have proxy code for each application - may restrict application features supported
• More secure than packet filters
• But has higher overheads

Circuit-Level Gateway
• Sets up two TCP connections, one to an inside user and one to an outside host
• Relays TCP segments from one connection to the other without examining contents
• Typically used when inside users are trusted
  • may use an application-level gateway inbound and a circuit-level gateway outbound
• Hence lower overheads

Application-Level Gateway
• also called an application proxy
• acts as a relay of application-level traffic
  • user contacts gateway using a TCP/IP application
  • user is authenticated
  • gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
  • may restrict application features supported
• tend to be more secure than packet filters
• disadvantage is the additional processing overhead on each connection
Circuit-Level Gateway (circuit-level proxy)
• sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host
• relays TCP segments from one connection to the other without examining contents
• security function consists of determining which connections will be allowed
• typically used when inside users are trusted
• may use application-level gateway inbound and circuit-level gateway outbound
• lower overheads
Firewall Basing
Several options for locating firewalls:
1. Bastion host
2. Individual host-based firewall
3. Personal firewall

Bastion Hosts

• system identified as a critical strong point in the network's security
• serves as a platform for an application-level or circuit-level gateway
• common characteristics:
  • runs secure O/S, only essential services
  • may require user authentication to access proxy or host
  • each proxy can restrict features, hosts accessed
  • each proxy is small, simple, checked for security
  • each proxy is independent, non-privileged
  • limited disk use, hence read-only code
Host-Based Firewalls
• used to secure an individual host
• available in operating systems or can be provided as an add-on package
• filter and restrict packet flows
• common location is a server

advantages:
• filtering rules can be tailored to the host environment
• protection is provided independent of topology
• provides an additional layer of protection
Personal Firewall
• controls traffic between a personal computer or workstation and the Internet or enterprise network
• for both home or corporate use
• typically is a software module on a personal computer
• can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• typically much less complex than server-based or stand-alone firewalls
• primary role is to deny unauthorized remote access
• may also monitor outgoing traffic to detect and block worms and malware activity

Example Personal Firewall Interface
