Firewall introduction
What we’re covering this week:
Firewall types
Headers Refresher
TCP States and Handshake security
Stateful firewalls
Firewall Topologies
Managing the stateless protocols
Firewalls
▪ Lots of vulnerabilities on hosts in network
▪ Users don’t keep systems up to date
– Lots of patches
– Lots of exploits in wild (no patch for them)
▪ Solution?
– Limit access to the network
– Put firewalls across the perimeter of the network
Firewalls Overview
▪ Firewalls are devices or programs that control the flow of network traffic
between networks
▪ Firewalls provide a level of protection for devices that sit behind it.
▪ Firewalls found throughout networks, not just on the perimeter
▪ Firewalls Filter! Permit what you want and DROP what you don’t.
The OSI Model
Communications protocols were developed around the Open System Interconnection
(OSI) model. The OSI model, is a standard for worldwide communications that defines
a framework for implementing protocols and networking components in seven distinct
layers.
Packets
▪ Large chunks of data must typically be broken up into smaller, more
manageable chunks before they are transmitted from one computer to
another.
▪ Breaking the data up has advantages—you can more effectively share
bandwidth with other systems and you don’t have to retransmit the entire
dataset if there is a problem in transmission.
▪ When data is broken up into smaller pieces for transmission, each of the
smaller pieces is typically called a packet.
IP Packet
▪ An IP packet, often called a datagram, has two main sections: the
header and the data section (sometimes called the payload). The
header section contains all of the information needed to describe
the packet.
Header fields annotated in the slide's diagram:
– Version: the protocol version number
– Header length: the length of the packet header
– Total length: how large the entire packet is
– Identification: a unique packet identifier
– Flags: indicate whether or not special handling of this packet is necessary
– Fragment offset: describes where this packet fits into the data stream as
compared to other packets
– Time to live: the packet should be discarded if the value is zero
– A field describing how to process this packet
TCP vs. UDP
▪ There are two protocols that have grown so much in
popularity and use that without them, the Internet as we
know it would cease to exist.
▪ These two protocols, the Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP), are protocols that
run on top of the IP network protocol.
▪ The most important difference between TCP and UDP is the
concept of “guaranteed” reliability and delivery.
TCP
▪ TCP is a “connection-oriented” reliable protocol and was
specifically designed to provide a reliable connection between
two hosts exchanging data.
▪ TCP was also designed to ensure that packets are processed
in the same order in which they were sent. As part of the TCP
protocol, each packet has a sequence number to show where
that packet fits into the overall conversation.
TCP Headers
Fields annotated in the slide's diagram:
– Source Port: the port that is the source of the TCP segment.
– Destination Port: the port of the remote machine that is the final destination
of this TCP segment.
– Sequence Number and Acknowledgement Number: these two fields considered
together have two different roles depending on whether the TCP connection is
being set up or is already established.
– Window: the maximum number of data bytes the receiver's TCP is willing to
accept from the sender's TCP in a single TCP segment.
– Flags: stream, connection establishment and tear-down flags.
– URG: when the URG bit is set the segment can act like an interrupt with regard
to the interaction stream between the sender TCP and the receiver.
– PSH: when set, means that we want the TCP segment to be put on the wire
immediately.
– Urgent Pointer: when a TCP header has its URG bit set, the value stored in the
Urgent Pointer field is the offset from the value stored in the Sequence Number
field where the urgent data ends.
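The two header diagrams above are easier to read with bytes in hand. The following is an added example, not code from the original slides: it packs a constructed IPv4 header and TCP SYN with Python's struct module, parses back the fields the diagrams annotate (header length, total length, identification, flags, TTL, protocol, ports, sequence number, flags, window, urgent pointer), and then makes the kind of decision a packet-filtering firewall makes from header fields alone. The addresses, ports and allowed-port list are invented; checksums are left at zero because nothing is sent on the wire.

```python
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1C46, flags=0b010, frag_off=0):
    """Pack a minimal 20-byte IPv4 header (checksum left at 0; constructed sample only)."""
    version_ihl = (4 << 4) | 5                # version 4, header length 5 words = 20 bytes
    flags_frag = (flags << 13) | frag_off     # 3 flag bits (reserved, DF, MF) + 13-bit fragment offset
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + payload_len, ident, flags_frag,
                       ttl, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535, urgent_ptr=0):
    """Pack a minimal 20-byte TCP header (no options, checksum left at 0)."""
    flags = sum(TCP_FLAG_BITS[n] for n in flag_names)
    data_offset = 5 << 4                      # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, urgent_ptr)


def parse_ipv4(buf):
    """Return (header fields, remaining bytes) for the IPv4 header at the front of buf."""
    (version_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    header_len = (version_ihl & 0x0F) * 4
    fields = {
        "version": version_ihl >> 4,
        "header_len": header_len,                 # where the payload starts
        "total_len": total_len,                   # size of the entire datagram
        "id": ident,                              # identifier shared by fragments of one datagram
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,       # where this piece fits in the original datagram
        "ttl": ttl,                               # packet is discarded once this reaches zero
        "protocol": proto,                        # 6 = TCP, 17 = UDP, 1 = ICMP: who processes the payload
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
    return fields, buf[header_len:]


def parse_tcp(buf):
    """Return (header fields, remaining bytes) for the TCP header at the front of buf."""
    sport, dport, seq, ack, off_res, flags, window, _csum, urgent_ptr = struct.unpack("!HHIIBBHHH", buf[:20])
    header_len = (off_res >> 4) * 4
    fields = {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,                   # roles differ during setup vs. established transfer
        "header_len": header_len,
        "flags": [n for n, bit in TCP_FLAG_BITS.items() if flags & bit],
        "window": window,                         # bytes the receiver will currently accept
        "urgent_ptr": urgent_ptr,                 # only meaningful when URG is set
    }
    return fields, buf[header_len:]


def stateless_verdict(ip, tcp, allowed_dst_ports):
    """A packet filter's decision from header fields alone, with no memory of earlier packets."""
    if ip["ttl"] == 0:
        return "DROP"
    if ip["protocol"] == 6 and tcp["dst_port"] in allowed_dst_ports:
        return "ACCEPT"
    return "DROP"


# Constructed sample: a SYN from 10.0.0.5:40000 to 203.0.113.9:443 with no payload.
SAMPLE_PACKET = (build_ipv4_header("10.0.0.5", "203.0.113.9", payload_len=20)
                 + build_tcp_header(40000, 443, seq=1000, ack=0, flag_names=["SYN"]))


def inspect_packet(packet, allowed_dst_ports=(80, 443)):
    """Parse both headers and return (ip fields, tcp fields, filter verdict)."""
    ip, rest = parse_ipv4(packet)
    tcp, _payload = parse_tcp(rest)
    return ip, tcp, stateless_verdict(ip, tcp, allowed_dst_ports)


if __name__ == "__main__":
    ip, tcp, verdict = inspect_packet(SAMPLE_PACKET)
    print(ip, tcp, verdict, sep="\n")
```

The verdict function has no memory between calls, which is exactly the limitation the stateful section later addresses: it cannot tell a reply SYN-ACK from an unsolicited one.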
UDP
▪ UDP is known as a “connectionless” protocol as it
has very few error recovery services and no
guarantee of packet delivery.
▪ With UDP, packets are created and sent on their
way.
▪ UDP is considered to be an unreliable protocol and
is often only used for network services that are not
greatly affected by the occasional lost or dropped
packet.
Defining a Firewall
▪ For me fire burns and protects: Firewalls burn the bad packets and
protect the good!
▪ Firewalls provide a number of essential services
– IP Address Conservation and Traffic Forwarding
– Network differentiation
– Protection against DOS, Scanning and Sniffing
– IP and Port Filtering
– Content Filtering
– Packet redirection
– Enhanced Authentication and encryption
– Supplemented Logging
What is NOT a firewall
A firewall is NOT:
• The only thing you should use for security
• Does not solve other aspects of security (human, insider, or
misconfigurations)
• You have to have holes (i.e. porous perimeter)
• An “install it and leave it” device
• Needs to be managed for an ever-changing network environment
• Needs to be monitored
• 100% safe (bet some of you thought it was)
• As we discussed last week security software is bound to have more bugs
than non-security based software
Firewalls basics – Fab 4
Packet filtering firewalls
This, the original type of firewall,
operates inline at junction points
where devices such as routers and
switches do their work.
Typically configured to filter packets
in both directions, filtering on
information contained in the IP headers.
Firewalls basics – Fab 4
Stateful firewalls (more next week)
▪ Reviews the same packet data as a
packet filter
▪ Records information about TCP
connections
▪ Keeps track of TCP sequence numbers to
prevent attacks that depend on the
sequence number, such as session
hijacking.
▪ Can inspect limited amounts of application
data for well-known protocols like
FTP, in order to identify and track related
connections.
Firewalls basics – Fab 4
Application Proxy Firewalls
Application-level gateways tend to be
more secure than packet filters. Rather
than trying to deal with the numerous
possible combinations that are to be
allowed and forbidden at the TCP and IP
level, the application-level gateway need
only scrutinize a few allowable
applications. In addition, it is easy to log
and audit all incoming traffic at the
application level
Firewalls basics – Fab 4
Circuit-level proxy Firewalls
These devices monitor the TCP
handshakes across the network as
they are established between the
local and remote hosts to determine
whether the session being initiated is
legitimate -- whether the remote
system is considered trusted. They
don't inspect the packets themselves.
Types of Firewall – 4 Layer Burrito
▪ One way to compare firewalls is to look at the layers of the TCP/IP stack
– Application layer: HTTP, DNS, SMTP, stacked protocols i.e. RFC2822, MIME.
Think process to process, the actual data in the datagram.
Firewall type: Application Proxy Firewall.
– Transport layer: connection/connectionless services for application layer
services; TCP/UDP used at this layer. Think communication sessions and ports.
Firewall type: Circuit-level Firewall, Stateful Firewall.
– Network layer: packet routing; IPv4, IPv6, ICMP and IGMP (Internet Group
Management). Think IP addresses, filtering and routing.
Firewall type: Packet Switched, Stateful Firewall.
– Data link layer: MAC, PPP, STP, FDDI, CDP; node to node communications.
Think MAC filtering, direct.
Firewall type: Stateful Firewall, Transparent Layer 2 firewall (MAC Filtering or
Cisco ASA).
ICMP
▪ Internet Control Message Protocol (ICMP) is probably the third most
commonly used protocol.
▪ ICMP is a control and information protocol and is used by network
devices to determine such things as a remote network’s availability, the
length of time to reach a remote network, and the best route for packets
to take.
Firewalls
Some example Configurations
(there are more obvs!)
Networking and firewalls – Inside, Outside and DMZ
▪ The most basic of firewalls have two interfaces
▪ Inside and outside – inside being the secure network &
outside being the untrusted network
▪ Trusted and untrusted networks can be inside the
network – Consider R&D and Sales networks
▪ Can anyone tell me the issue here?
▪ Limitations of two interfaces become
apparent when outside need access to
specific services
▪ Web server hanging out for all to see
Networking and Firewalls
▪ Placing a web server behind the firewall
▪ Could allow port 80 or 443 (SSL)
through to the IP address of the server
▪ Adds protection from direct probing
▪ Can anyone tell me the issue
here?
What if the web server were
to be compromised?
Networking and firewalls
▪ Support multiple interfaces on
your firewall
▪ This establishes the DMZ area
▪ DMZ is protected by the
Firewall but access from DMZ
to internal network is restricted
What are the benefits of this?
1. Protect LAN against possible infection or attack.
2. Separation of concerns
Networking and firewalls
▪ Another design is duplicate firewalls
▪ Inner and outer with DMZ in between
▪ Often firewalls from different vendors
used
▪ Can you list an advantage or a
disadvantage?
▪ Increases expense and management
overhead
(diagram labels: Gateway, Choke Point)
▪ Can implement multiple DMZ each with a
different business purpose
Address translation - static and
Dynamic
▪ Address translation is a hack to help with the rapidly dwindling IPv4 address
space (pre IPv6)
▪ Translates from the private 10.0.0.0, 172.16.0.0 & 192.168.0.0 address spaces to
public IP addresses
▪ Inside addresses are referred to as inside local and are translated into inside
global addresses that are visible from the outside.
▪ Global addresses are registered to ISPs in blocks
▪ Outside local is the reverse of inside global, i.e. the addresses of external hosts as
they appear when accessed from inside the network
▪ Remember to keep in mind the direction of traffic - the direction determines which
translation will apply
Translation
▪ Static translation uses a permanent one-to-one mapping
established between an inside global and an inside local address
▪ The NAT checks its table and, if an entry is there, replaces
addresses accordingly
▪ With dynamic address translation there is a pool of inside global
addresses defined for outbound traffic
▪ When a packet is received the NAT uses the next available address
in the pool
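The two translation modes and the direction rule from the slides above, as an added Python example (not from the original slides): a NAT table with permanent static entries and a pool for dynamic ones, where outbound packets have their source rewritten to an inside global address and inbound packets have their destination rewritten back to the inside local address. Addresses are constructed from the RFC 1918 private space and the RFC 5737 documentation ranges; the class and method names are invented for this example.

```python
class NatTable:
    """Maps inside-local (private) addresses to inside-global (public) addresses.

    Static entries are permanent one-to-one mappings; dynamic entries are handed out
    from a pool the first time an inside host sends outbound traffic.
    """

    def __init__(self, static=None, pool=None):
        self.static = dict(static or {})      # inside_local -> inside_global, permanent
        self.pool = list(pool or [])          # inside-global addresses still free
        self.dynamic = {}                     # inside_local -> inside_global, allocated on demand

    def _mappings(self):
        """Every active translation, static and dynamic, as inside_local -> inside_global."""
        return {**self.static, **self.dynamic}

    def inside_global_for(self, inside_local):
        """Outbound lookup: reuse an existing entry, else take the next free pool address."""
        mapping = self._mappings()
        if inside_local in mapping:
            return mapping[inside_local]
        if not self.pool:
            raise RuntimeError(f"NAT pool exhausted, cannot translate {inside_local}")
        inside_global = self.pool.pop(0)
        self.dynamic[inside_local] = inside_global
        return inside_global

    def inside_local_for(self, inside_global):
        """Inbound lookup: which private host does this public address currently belong to?"""
        for local, glob in self._mappings().items():
            if glob == inside_global:
                return local
        raise LookupError(f"no translation for {inside_global}, packet cannot be delivered")

    def translate(self, src, dst, direction):
        """Rewrite (src, dst) of a packet; the direction decides which address is rewritten."""
        if direction == "outbound":            # inside -> outside: rewrite the source
            return self.inside_global_for(src), dst
        if direction == "inbound":             # outside -> inside: rewrite the destination
            return src, self.inside_local_for(dst)
        raise ValueError(f"unknown direction {direction!r}")

    def release(self, inside_local):
        """Return a dynamic address to the pool when its entry ages out (static ones never do)."""
        inside_global = self.dynamic.pop(inside_local, None)
        if inside_global is not None:
            self.pool.append(inside_global)
        return inside_global


def nat_demo():
    """Walk a constructed set of packets through the table and return what each becomes."""
    nat = NatTable(static={"10.0.0.5": "203.0.113.5"},
                   pool=["203.0.113.10", "203.0.113.11"])
    trace = []
    trace.append(nat.translate("10.0.0.5", "198.51.100.1", "outbound"))    # static: always 203.0.113.5
    trace.append(nat.translate("10.0.0.20", "198.51.100.1", "outbound"))   # dynamic: first pool address
    trace.append(nat.translate("10.0.0.20", "198.51.100.2", "outbound"))   # same host keeps its address
    trace.append(nat.translate("10.0.0.21", "198.51.100.1", "outbound"))   # second pool address
    trace.append(nat.translate("198.51.100.1", "203.0.113.10", "inbound")) # reply lands on 10.0.0.20
    try:
        nat.translate("10.0.0.22", "198.51.100.1", "outbound")             # pool is now empty
        trace.append("translated")
    except RuntimeError:
        trace.append("pool exhausted")
    nat.release("10.0.0.20")                                               # entry ages out
    trace.append(nat.translate("10.0.0.22", "198.51.100.1", "outbound"))   # released address reused
    return trace


if __name__ == "__main__":
    for step in nat_demo():
        print(step)
```

The inbound branch is why direction matters: the same table answers "which public address does this private host use" for outbound packets and "which private host owns this public address" for inbound ones, and a packet arriving for a public address with no entry has nowhere to go.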
Packet Filtering and
Stateful Firewalls
What are stateful firewalls
▪ Stateful firewalls are a type of firewall that attempt to track the state of a
network connection
▪ Stateful Firewalls are a cross between the functions of a Packet Filter and
the additional application level intelligence of a proxy.
▪ We will be discussing:
– Differences between stateless and stateful filtering
– TCP connection states
– Stateful Inspection
– Stateful rules with iptables
How a Stateful Firewall Works
▪ Let's start by asking the question what makes a stateless firewall different
from a stateful firewall?
▪ Stateless firewalls do not consider the context of a packet
▪ Stateful firewalls inspect packets and compare them against the rule
table to identify if the packet is part of a larger connection
– For example if the firewall receives a packet that initialises a new
TCP connection, the advanced inspection capabilities of the stateful
firewall are used to investigate information at the application layer
▪ Because application level inspection is not performed on every packet
Stateful Firewalls are quicker than Application level/proxy firewalls
A deliberate choke point.
Placing a stateful firewall on the border of the network
provides a single point where packets can be inspected and logged,
ensuring that if a breach occurs, it is recorded.
What a state?
One of the main elements of TCP that is useful when developing firewall rules is the concept
of the states a particular connection can be in. RFC 793 defines 11 TCP states. The first 4 are:
LISTEN :- Represents the state a host is in while
waiting for a connection request from any remote
TCP port.
SYN-SENT :- Represents the state of a host after it
has sent out a SYN packet and is waiting for a
matching SYN-ACK.
SYN-RECEIVED :- The state of the host after
receiving a SYN packet and sending a SYN-ACK.
ESTABLISHED :- Represents an open connection
state that the initiating host goes into after receiving
the SYN-ACK, as does the responding host after
receiving the lone ACK. This is where data can be
delivered to the user. The normal state for the data
transfer phase of the TCP connection.
It is during the process of establishing a TCP connection through the three-way
handshake that a host goes through all of these states.
Closing the State of Play!
▪ FIN-WAIT-1 :- Represents waiting for an acknowledgement
of the connection termination request previously sent by the
terminating host
▪ FIN-WAIT-2 :- Represents waiting for a connection
termination response from the remote TCP/IP
▪ CLOSE-WAIT :- Represents waiting for a connection
termination request from the local user.
▪ CLOSING :- Represents waiting for a connection
termination request acknowledgement packet from
the remote TCP/IP.
Closing the State of Play!
▪ LAST-ACK:- Represents waiting for an acknowledgement
of the connection termination request previously sent to the
remote TCP/IP (which includes an acknowledgement
packet of its own connection termination request).
▪ TIME-WAIT :- Represents waiting for enough time to pass
to be sure that the remote TCP received the
acknowledgement of its connection termination request.
▪ CLOSED :- Closed is considered an abstract state because
it represents the situation when there is no TCP/IP
connection, and therefore no information stored in the
transmission control block (TCB).
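The eleven states listed across the last three slides form a state machine, and a stateful firewall is essentially running one per tracked connection. The following is an added Python example (not from the original slides) that encodes the RFC 793 transitions as a lookup table, walks a client and a server through the three-way handshake and an active close, and exposes the check a firewall applies: is this segment valid in the connection's current state? It is a simplified model: event names are invented, the 2*MSL TIME-WAIT timer is a plain "timeout" event, and the shortcut where a FIN and its ACK arrive together is omitted.

```python
# RFC 793 connection states and the events that move between them. Each entry maps
# (current state, event) -> next state; comments note the segment the endpoint sends.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",        # sends SYN
    ("LISTEN", "rcv_syn"): "SYN_RECEIVED",        # sends SYN-ACK
    ("SYN_SENT", "rcv_syn_ack"): "ESTABLISHED",   # sends the lone ACK
    ("SYN_RECEIVED", "rcv_ack"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",       # sends FIN
    ("ESTABLISHED", "rcv_fin"): "CLOSE_WAIT",     # sends ACK, local user has not closed yet
    ("FIN_WAIT_1", "rcv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "rcv_fin"): "CLOSING",         # simultaneous close; sends ACK
    ("FIN_WAIT_2", "rcv_fin"): "TIME_WAIT",       # sends ACK
    ("CLOSING", "rcv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",          # sends FIN
    ("LAST_ACK", "rcv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",           # after 2*MSL; TCB can be discarded
}


class Endpoint:
    """One side of a connection, remembering every state it has passed through."""

    def __init__(self, name):
        self.name, self.state, self.history = name, "CLOSED", ["CLOSED"]

    def on(self, event):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise ValueError(f"{self.name}: event {event!r} is invalid in state {self.state}")
        self.state = nxt
        self.history.append(nxt)
        return nxt


def is_valid(state, event):
    """What a stateful firewall checks: does this segment make sense for the connection's state?"""
    return (state, event) in TRANSITIONS


def three_way_handshake():
    """Return (client, server) after a completed connection setup."""
    client, server = Endpoint("client"), Endpoint("server")
    server.on("passive_open")     # server waits in LISTEN
    client.on("active_open")      # client sends SYN
    server.on("rcv_syn")          # server answers with SYN-ACK
    client.on("rcv_syn_ack")      # client sends ACK and is ESTABLISHED
    server.on("rcv_ack")          # server sees the lone ACK and is ESTABLISHED
    return client, server


def active_close(client, server):
    """Client initiates the teardown; both sides end in CLOSED."""
    client.on("close")            # client sends FIN
    server.on("rcv_fin")          # server ACKs; its application still holds the connection
    client.on("rcv_ack")
    server.on("close")            # server sends its own FIN
    client.on("rcv_fin")          # client ACKs and waits out TIME_WAIT
    server.on("rcv_ack")
    client.on("timeout")
    return client, server


if __name__ == "__main__":
    c, s = active_close(*three_way_handshake())
    print("client:", " -> ".join(c.history))
    print("server:", " -> ".join(s.history))
```

The lookup table doubles as the validity check: a lone ACK arriving for a port that is only in LISTEN, or a SYN-ACK for a connection that never sent a SYN, has no entry and is rejected rather than blindly forwarded.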
Connectionless state
▪ How do you track the state of a connectionless protocol such as UDP?
▪ This is done in a pseudo-stateful manner
▪ The only header items that can be used at this level are IP addresses and
port numbers
▪ Ephemeral ports tend to differ for each connection from a given IP, which helps
tell one flow from another
Issues??
▪ UDP has no teardown process - timeouts within the table must be kept short
▪ Lacks any congestion avoidance - relies on ICMP source quench messages
State what’s in the table
iptables has a state table entry for each of the system's connections, containing the
following:
▪ The protocol being used for the connection
▪ The source and destination IP addresses, including the source and destination
ports
▪ A listing with source and destination IP addresses and ports reversed (to represent
response traffic)
▪ The time remaining before the entry is removed
▪ The state of the TCP connection (for TCP only)
▪ The connection tracking state of the connection
You can monitor the IP state table using iptstate. This provides an interface that
lists the current connections held within the iptables state table.
Rules rule – Outbound
▪ This first simple rule is added to the OUTPUT chain, which considers what
traffic can leave through the firewall (-A specifies that this will be appended to
the already existing rules; OUTPUT = packets created by a local process):
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
▪ This output rule determines which outbound communications will be accepted
(as specified by the -j or --jump option). This particular rule deals only with the
TCP protocol, as specified by the -p tcp option.
Rules rule – Outbound
Now let's create a rule that allows return traffic from our connection back to the
local process on the firewall:
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
Only established connections, as listed under the --state section, are permitted. This
means that only return traffic for previously recorded sessions will be allowed
inbound to our network, as defined by the information in the state table.
Q. What would happen in this case if someone attempted to connect via SSH and
why?
UDP – Pseudo-state
▪ From our previous definition of the items held in the state table, you can see that
the items needed to do a pseudo-stateful job of tracking ICMP and UDP are
present. Examples of basic UDP output and input rules would be as follows:
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
▪ These rules appear identical to those specified for TCP, except for the -p udp
option listing.
State of your relations
▪ ICMP rules look about the same:
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
▪ The main differences are the -p icmp specification for protocol and a new entry
in the --state section: RELATED.
▪ The RELATED option is the means by which iptables allows traffic that is
already in some way associated with an established traffic flow to initiate a new
connection in the state table and be passed through the firewall.
▪ This related traffic might be an ICMP error message that is returned for a UDP
or TCP connection already held in the state table.
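To tie the state table, the pseudo-stateful handling of UDP and ICMP, and the NEW/ESTABLISHED/RELATED rules together, here is an added Python example (not from the original slides and not iptables' own code) that simulates the six iptables rules from the last few slides against a small connection-tracking table. It keys entries on the 5-tuple, matches replies by looking up the reversed tuple, ages UDP and ICMP entries out on a timeout because they have no teardown, and classifies an ICMP error as RELATED when the header it carries belongs to a tracked flow. It also shows what the INPUT rule does with a connection attempt the table has never seen. The packets, addresses and timeout values are constructed for the example, and the chain policy is assumed to be DROP.

```python
TCP, UDP, ICMP = 6, 17, 1

# Constructed idle timeouts in seconds. UDP and ICMP have no teardown handshake,
# so their entries must age out; the values here are short for illustration.
TIMEOUTS = {TCP: 432000, UDP: 30, ICMP: 30}

# The slides' rule set, with protocols as numbers and the chain policy assumed to be DROP.
RULES = {
    "OUTPUT": [(TCP, {"NEW", "ESTABLISHED"}),
               (UDP, {"NEW", "ESTABLISHED"}),
               (ICMP, {"NEW", "ESTABLISHED", "RELATED"})],
    "INPUT": [(TCP, {"ESTABLISHED"}),
              (UDP, {"ESTABLISHED"}),
              (ICMP, {"ESTABLISHED", "RELATED"})],
}
POLICY = "DROP"


def flow_key(pkt):
    """5-tuple identifying a flow; packets without ports (ICMP errors) use 0."""
    return (pkt["proto"], pkt["src"], pkt.get("sport", 0), pkt["dst"], pkt.get("dport", 0))


def reversed_key(key):
    """The same flow seen from the other direction, i.e. the reply traffic."""
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class StateTable:
    def __init__(self):
        self.entries = {}  # flow_key -> expiry time

    def _lookup(self, key, now):
        """Return the stored key matching either direction of the flow, or None if absent/expired."""
        for candidate in (key, reversed_key(key)):
            expiry = self.entries.get(candidate)
            if expiry is None:
                continue
            if expiry > now:
                return candidate
            del self.entries[candidate]  # aged out: UDP/ICMP rely entirely on this
        return None

    def classify(self, pkt, now):
        """Connection tracking state of a packet: ESTABLISHED, RELATED or NEW."""
        if self._lookup(flow_key(pkt), now):
            return "ESTABLISHED"
        # ICMP destination-unreachable (3) and time-exceeded (11) carry the header of the
        # packet that triggered them; if that packet belongs to a tracked flow, the error is RELATED.
        if pkt["proto"] == ICMP and pkt.get("icmp_type") in (3, 11) and "inner" in pkt:
            if self._lookup(flow_key(pkt["inner"]), now):
                return "RELATED"
        return "NEW"

    def touch(self, pkt, now):
        """Create the entry for a new flow, or refresh the timeout of an existing one."""
        key = flow_key(pkt)
        existing = self._lookup(key, now)
        self.entries[existing or key] = now + TIMEOUTS[pkt["proto"]]


def filter_packet(table, chain, pkt, now):
    """Evaluate one packet against a chain: first matching rule wins, else the chain policy."""
    state = table.classify(pkt, now)
    for proto, states in RULES[chain]:
        if pkt["proto"] == proto and state in states:
            if state != "RELATED":
                table.touch(pkt, now)  # NEW creates the entry, ESTABLISHED refreshes its timeout
            return state, "ACCEPT"
    return state, POLICY


def state_demo():
    """Constructed traffic from 10.0.0.5 through the firewall; returns (state, verdict) per packet."""
    table = StateTable()
    local, web, dns, stranger = "10.0.0.5", "203.0.113.9", "203.0.113.53", "198.51.100.7"
    query = {"proto": UDP, "src": local, "sport": 5353, "dst": dns, "dport": 53}
    steps = [
        ("OUTPUT", {"proto": TCP, "src": local, "sport": 40000, "dst": web, "dport": 443}, 0.0),    # SYN out
        ("INPUT", {"proto": TCP, "src": web, "sport": 443, "dst": local, "dport": 40000}, 0.1),     # SYN-ACK back
        ("INPUT", {"proto": TCP, "src": stranger, "sport": 51000, "dst": local, "dport": 22}, 0.2), # unsolicited SYN to 22
        ("OUTPUT", query, 1.0),                                                                     # DNS query out
        ("INPUT", {"proto": UDP, "src": dns, "sport": 53, "dst": local, "dport": 5353}, 2.0),       # reply inside timeout
        ("INPUT", {"proto": ICMP, "src": dns, "dst": local, "icmp_type": 3, "inner": query}, 3.0),  # error about the query
        ("INPUT", {"proto": UDP, "src": dns, "sport": 53, "dst": local, "dport": 5353}, 100.0),     # late reply, entry aged out
    ]
    return [filter_packet(table, chain, pkt, now) for chain, pkt, now in steps]


if __name__ == "__main__":
    for state, verdict in state_demo():
        print(f"{state:<12} {verdict}")
```

Two things to notice in the trace: the unsolicited inbound packet is NEW on the INPUT chain, where no rule accepts NEW, so it falls through to the policy; and the late UDP reply is treated as NEW too, because the only thing that ends a UDP entry is the clock.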
Questions ?