Firewalls
Ethical Hacking: Firewall.
Case Study by: Sonali Parab.
Firewall
Objective
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Abstract
In computing, a firewall is a software or hardware-based network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
Many personal computer operating systems include software-based firewalls to protect
against threats from the public Internet. Many routers that pass data between networks
contain firewall components and, conversely, many firewalls can perform basic routing
functions.
Figure 1: Illustration of Firewall.
Introduction
What is a Firewall?
A firewall is a secure Internet gateway that is used to interconnect a private network to the Internet (see Figure 1). There are a number of components that make up a firewall:
i) The Internet access security policy of the organisation. This states, at a high level, what degree of security the organisation expects when connecting to the Internet. The security policy is independent of technology and techniques, and should have a lifetime independent of the equipment used. An example of statements from such a security policy might be: external users will not be allowed to access the corporate network without a strong level of authentication; any corporate information not in the public domain must be transferred across the Internet in a confidential manner, and corporate users will only be allowed to send electronic mail to the Internet - all other services will be banned.
ii) The mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet. This information will be updated as new technology is announced, and as system configurations change etc. For example, regarding authentication, the technical design might specify the use of one-time passwords. Technical designs are usually based on one of two security policies, permit any service unless it is expressly denied, or deny any service unless it is expressly permitted. The latter is clearly the more secure of the two.
iii) The firewall system, which is the hardware and software that implements the firewall. Typical firewall systems comprise an IP packet filtering router and a host computer (sometimes called a bastion host or application gateway) running application filtering and authentication software.
Why Firewalls?
• Prevent denial-of-service attacks, e.g. SYN flooding: the attacker establishes many bogus TCP connections so that no resources are left for “real” connections.
• Prevent illegal modification/access of internal data, e.g., an attacker replaces the CIA’s homepage with something else.
• Allow only authorized access to the inside network (a set of authenticated users/hosts).
There are three types of firewalls.
Packet Filter: An IP packet filter firewall is a firewall that decides whether to forward or drop a packet according to the information in the packet’s header. Packet filters act by inspecting the "packets" which transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself.
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.
Figure 2: Packet Filtering Firewall.
Stateful Filters
Stateful filters introduce the technology of stateful inspection packet filtering. These firewalls perform the work of their first-generation predecessors but operate up to layer 4 (transport layer) of the OSI model. This is achieved by retaining packets until enough information is available to make a judgment about the connection's state. Known as stateful packet inspection, it records all connections passing through it and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. Though static rules are still used, these rules can now contain connection state as one of their test criteria. Certain DoS attacks bombard the firewall with thousands of fake connection packets to overwhelm it by filling its connection state memory.
Figure 3: Stateful Inspection Firewall.
Application Layer
Application layer filtering can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port, or detect if a protocol is being abused in any harmful way. The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion prevention systems (IPS).
Figure 4: Application level gateway Firewall.
Bastion Host Firewall: A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. A firewall at layer 5 of the Internet model (layer 7 of the ISO model) is sometimes called a bastion host, application gateway, proxy server or guardian system. Its purpose is to filter the service provided by the application. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.
Figure 5: Bastion Host Firewall.
Literature Review
The term firewall originally referred to a wall intended to confine a fire or potential fire
within a building. Later uses refer to similar structures, such as the metal sheet separating the
engine compartment of a vehicle or aircraft from the passenger compartment.
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s.
• Clifford Stoll's discovery of German spies tampering with his system.
• Bill Cheswick's "Evening with Berferd" (1992), in which he set up a simple electronic "jail" to observe an attacker.
• In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."
• The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.
First generation: Packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital
Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This
fairly basic system was the first generation of what is now a highly involved and technical
internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were
continuing their research in packet filtering and developed a working model for their own
company based on their original first generation architecture.
Packet filters act by inspecting the "packets" which are transferred between computers on the
Internet. If a packet matches the packet filter's set of filtering rules, the packet filter will drop
(silently discard) the packet or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing
stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each
packet based only on information contained in the packet itself (most commonly using a
combination of the packet's source and destination address, its protocol, and, for TCP and
UDP traffic, the port number).
TCP and UDP protocols constitute most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.
Packet filtering firewalls work mainly on the first three layers of the OSI reference model,
which means most of the work is done between the network and physical layers, with a little
bit of peeking into the transport layer to figure out source and destination port numbers.
When a packet originates from the sender and filters through a firewall, the device checks for
matches to any of the packet filtering rules that are configured in the firewall and drops or
rejects the packet accordingly. When the packet passes through the firewall, it filters the
packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to
block telnet access, then the firewall will block the TCP protocol for port number 23.
Second generation: "Stateful" filters
From 1989–1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them Circuit-level gateways.
Second-generation firewalls perform the work of their first-generation predecessors but
operate up to layer 4 (transport layer) of the OSI model. This is achieved by retaining packets
until enough information is available to make a judgement about its state. Known as stateful
packet inspection, it records all connections passing through it and determines whether a
packet is the start of a new connection, a part of an existing connection, or not part of any
connection. Though static rules are still used, these rules can now contain connection state as
one of their test criteria. Certain denial-of-service attacks bombard the firewall with
thousands of fake connection packets in an attempt to overwhelm it by filling its connection
state memory.
Third generation: application layer
Marcus Ranum, Wei Xu, and Peter Churchyard developed an Application Firewall known as
Firewall Toolkit (FWTK). In June 1994, Wei Xu extended the FWTK with the Kernel
enhancement of IP filter and socket transparent. This was known as the first transparent
Application firewall, released as a commercial product of Gauntlet firewall at Trusted
Information Systems. Gauntlet firewall was rated one of the number 1 firewalls during 1995–
1998.
The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port, or detect if a protocol is being abused in any harmful way. As of 2012, the so-called next-generation firewall (NGFW) is essentially a "widened" or "deepened" inspection at the application stack. For example, the existing deep packet inspection functionality of modern firewalls can be extended to include:
i) Intrusion prevention systems (IPS);
ii) User identity integration (by binding user IDs to IP or MAC addresses for "reputation"); and/or
iii) Web Application Firewall (WAF). WAF attacks may be implemented in the tool "WAF Fingerprinting utilizing timing side channels" (WAFFle).
Study
Penetration of Firewall
Attacking Packet Filtering Firewall
• IP Address Spoofing Attack
• Denial-of-service Attack
• Tiny Fragment Attack
• Trojan Attack
Attacking Stateful Inspection Firewall
• Protocol Tunneling
• Trojans Rebound
Attacking Proxy
• Unauthorized Web Access
• Unauthorized Socks Access
• Unauthorized Telnet Access
Penetration of Firewall using WinGate.
WinGate is Integrated Gateway Management Software for Microsoft Windows,
providing web caching, firewall and NAT services, along with a number of integrated proxy
servers and also email services (SMTP, POP3 and IMAP servers).
WinGate 1.0 was first released on 5 October 1995, and was a re-write of a product that had
been previously released in prototype form by Adrien de Croy under the name SocketSet
earlier that year.
WinGate proved very popular, and by the mid to late 1990s, WinGate was almost ubiquitous in homes and small businesses that needed to share a single Internet connection between multiple networked computers. The introduction of Internet Connection Sharing in Windows 98 however, combined with increasing availability of cheap NAT-enabled routers, forced WinGate to evolve to provide more than just internet connection sharing features. Today, focus for WinGate is primarily access control, email server, caching, reporting, bandwidth management and content filtering.
WinGate comes in three versions, Standard, Professional and Enterprise. The Enterprise edition also provides an easily configured virtual private network system, which is also available separately as WinGate VPN. Licensing is based on the number of concurrently connected users, and a range of license sizes are available. Multiple licenses can also be aggregated.
The current version of WinGate is version 8.0.5 (released 5 December 2013).
Figure 6: WinGate.
Hardware Firewall vs Software Firewall
• Hardware firewalls are specifically built within hardware devices like routers whereas software firewalls are software programs installed on computers.
• Hardware firewalls protect a whole network while software firewalls protect individual computers on which they are installed.
• By default, hardware firewalls filter web packets while software firewalls may not filter web packets unless web traffic filtering controls are enabled.
• A hardware firewall can be configured to use a proxy service for filtering packets while a software firewall does not use a proxy service to filter.
Firewall Analysis
Understanding the deployed firewall policy can be a daunting task. Administrators today have no easy way of answering questions such as "can I telnet from here to there?", "from which machines can our DMZ be reached, and with which services?", or "what will be the effect of adding this rule to the firewall?". These are basic questions that administrators need to answer regularly in order to perform their jobs, and sometimes more importantly, in order to explain the policy and its consequences to their management. There are several reasons why this task is difficult, including:
1. Firewall configuration languages tend to be arcane, very low level, and highly vendor specific.
2. Vendor-supplied GUIs require their users to click through several windows in order to fully understand even a single rule: at a minimum, the user needs to check the IP addresses of the source and destination fields, and the protocols and ports underlying the service field.
3. Firewall rule-bases are sensitive to rule order. Several rules may match a particular packet, and usually the first matching rule is applied, so changing the rule order, or inserting a correct rule in the wrong place, may lead to unexpected behavior and possible security breaches.
4. Alternating PASS and DROP rules create rule-bases that have complex interactions between different rules. What policy such a rule-base is enforcing is hard for humans to comprehend when there are more than a handful of rules.
Firewall Policies: To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.
Policy Actions
• Packets flowing through a firewall can have one of three outcomes:
– Accepted: permitted through the firewall
– Dropped: not allowed through with no indication of failure
– Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected.
Blacklists and White Lists: There are two fundamental approaches to creating firewall policies (or rulesets) to effectively minimize vulnerability to the outside world while maintaining the desired functionality for the machines in the trusted internal network (or individual computer).
• Blacklist approach
– All packets are allowed through except those that fit the rules defined specifically in a blacklist. This type of configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall.
Figure 7: Black list firewall approach.
• Whitelist approach
– A safer approach to defining a firewall ruleset is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.
Figure 8: White list firewall approach.
Methodology
Design Principles of Firewall
i. Packet Filtering Firewall:
Allow packets which match the established rule set to pass and deny packets which violate it; at the same time, it records log messages and alarms the administrator when a policy has been violated.
Working of Packet Filtering Firewall.
• A packet filter has a set of rules with accept or deny actions
• Based on the information contained in the packet itself
• Using different fields in the header of the packet to filter, including the packet's source and destination address, its protocol, port number, and so on
• When the packet filter receives a packet of information, the filter compares the packet to your pre-configured rule set
• At the first match, the packet filter either accepts or denies the packet of information
Figure 9: Working of Packet Filtering Firewall.
A packet filtering router should be able to filter IP packets and decide to forward/drop packets based on the following four fields:
• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
Filtering is used to:
• block connections from specific hosts or networks
• block connections to specific hosts or networks
• block connections to specific ports
• block connections from specific ports
Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
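The two filtering examples above, together with the rule-order problem raised in the Firewall Analysis section, as an added example that is not part of this report: a stateless first-match packet filter in Python that encodes Example 1 and Example 2 and checks a rule-base for shadowed rules. The addresses and port numbers are constructed for the demo; the explicit ACCEPT rule for remaining TCP traffic and the default-deny (whitelist) policy are assumed site policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP = 6, 17  # values of the IP protocol field


@dataclass
class Packet:
    direction: str      # "in" (Internet -> site) or "out" (site -> Internet)
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: int = 1        # TCP ACK bit; only the first SYN of a connection has ACK=0


@dataclass
class Rule:
    action: str                      # "ACCEPT", "DROP" or "REJECT"
    direction: Optional[str] = None  # None means "any" for every field below
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Stateless match on header fields only (no connection state)."""
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


def filter_packet(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """First-match evaluation: the first matching rule decides the packet's fate.
    The default applies when nothing matches: DROP is the whitelist (default-deny)
    policy, ACCEPT the blacklist policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that rule b could match is also matched by rule a."""
    def wider(x, y):
        return x is None or x == y
    return (wider(a.direction, b.direction) and wider(a.proto, b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and wider(a.sport, b.sport) and wider(a.dport, b.dport)
            and wider(a.ack, b.ack))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule-order check: indices of rules that can never fire because an earlier
    rule already matches everything they would match."""
    return [i for i, r in enumerate(rules)
            if any(covers(prev, r) for prev in rules[:i])]


# Example 1 (as the page states its effect): block all UDP and all telnet traffic.
# Example 2: block inbound TCP segments with ACK=0, so outsiders cannot open
# connections to internal hosts while internal clients may still connect out.
# The final ACCEPT for remaining TCP traffic is an assumed site policy.
RULES = [
    Rule("DROP", proto=UDP, comment="Example 1: IP protocol field 17"),
    Rule("DROP", proto=TCP, sport=23, comment="Example 1: telnet, source port"),
    Rule("DROP", proto=TCP, dport=23, comment="Example 1: telnet, dest port"),
    Rule("DROP", direction="in", proto=TCP, ack=0, comment="Example 2: inbound SYN"),
    Rule("ACCEPT", proto=TCP, comment="remaining TCP in either direction"),
]

# The same rules with the broad ACCEPT moved to the front: the three TCP DROP
# rules become shadowed and an inbound SYN is now accepted.
MISORDERED = [RULES[4]] + RULES[:4]
```

Running `shadowed_rules` over a rule-base before deploying it is the cheap version of the "what will be the effect of adding this rule" question from the analysis section.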
Advantages
• High speed
• Transparent for the users
Disadvantages
• Cannot filter a packet according to its content (payload)
• Only offers brief log messages
• Every port that may be used must be open to the external network, which increases the risk of attack
• Very difficult to configure the ACL (Access Control List)
ii. Stateful Inspection Firewall: A stateful inspection firewall is a firewall that monitors the state of the connection and compiles the information in a state table.
Working of Stateful Inspection Firewall
Stateful packet inspection (SPI) or stateful inspection is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
Figure 10: Working of Stateful Inspection Firewall.
Advantages
• Safer than static packet filtering
• Better performance than static packet filtering
Disadvantages
• Security is not high enough due to fewer checks on packet data
• More detections demand higher performance of the firewall
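The stateful inspection behaviour described above (a connection table that admits inbound packets only when they belong to a known connection) and the state-exhaustion problem noted in the Literature Review, as an added example that is not part of this report: a simplified TCP connection tracker in Python with a deliberately tiny table. The addresses, the table limit and the one-FIN teardown are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

TCP = 6
MAX_STATE_ENTRIES = 3  # deliberately tiny for the demo; real tables hold millions


@dataclass
class Packet:
    direction: str  # "out" = from the protected network, "in" = from the Internet
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


# (internal host, internal port, external host, external port)
FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Stateful inspection: connections opened from the inside are recorded in a
    state table, and an inbound packet is admitted only if it belongs to one of
    them. Packets that belong to no known connection are rejected."""

    def __init__(self, max_entries: int = MAX_STATE_ENTRIES):
        self.table: Dict[FlowKey, str] = {}  # flow -> "SYN_SENT" | "ESTABLISHED"
        self.max_entries = max_entries
        self.table_full_drops = 0  # counter an administrator should alert on

    def _key(self, p: Packet) -> FlowKey:
        """Normalise both directions of a flow onto the same table entry."""
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet) -> str:
        if p.proto != TCP:
            return "REJECT"  # only TCP is tracked in this demo (assumption)
        key = self._key(p)
        state = self.table.get(key)
        if state is None:
            # A new connection may only be opened from the inside with a bare SYN.
            if p.direction == "out" and p.syn and not p.ack:
                if len(self.table) >= self.max_entries:
                    # State memory exhausted: this is how a flood of bogus
                    # connection packets denies service to legitimate new ones.
                    self.table_full_drops += 1
                    return "DROP"
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "REJECT"  # not part of any connection
        if state == "SYN_SENT":
            # Only the server's SYN-ACK (or a client SYN retransmit) is expected.
            if p.direction == "in" and p.syn and p.ack:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            if p.direction == "out" and p.syn and not p.ack:
                return "ACCEPT"
            return "REJECT"
        # ESTABLISHED: either side may send. A FIN from either side tears the
        # entry down (simplified; real trackers wait for both FINs and a timeout).
        if p.fin:
            del self.table[key]
        return "ACCEPT"
```

The `table_full_drops` counter is the signal to watch: a sudden rise in it while the table is full of entries stuck in SYN_SENT is the symptom of the connection-flooding attack the page warns about.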
iii. Application Layer Gateway (ALG, or Proxy Server)
Responsible for the communication between the external network and the internal network. When users intend to communicate, they do not communicate directly; the proxy forwards on their behalf instead.
Working of Application Layer Gateway (ALG, or Proxy Server)
Figure 11: Working of ALG Firewall.
Functions Offered by Proxy
• Authentication mechanism
• Content filtering
• Mature logging
Advantages
• Accelerates the network through its cache
• Prevents direct probing of the internal network
• Filters the content of packets effectively
• Reduces direct attacks on the internal network
• No IP address spoofing attack
• Mature logging
Disadvantages
• Each service needs its own dedicated proxy
• Too much access delay when the proxy server is busy
• Opaque (not transparent) to the users
• Slower than a packet filtering firewall
iv. Bastion Host Firewall.
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.
Figure 12: Working of Bastion host Firewall.
Placement of Bastion hosts
There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall, and an inside firewall, in a demilitarized zone (DMZ). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.
Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed host
often contains a firewall it is also used to host other services as well. A screened host is a
dual-homed host that is dedicated to running the firewall.
Figure 13: Internal Bastion host.
Figure 14: External Bastion host.
Firewall Configurations
i. The Dual Homed Gateway
This is a secure firewall design comprising an application gateway and a packet filtering router. It is called “dual homed” because the gateway has two network interfaces, one attached to the Internet, the other to the organisation's network. Only applications with proxy services on the application gateway are able to operate through the firewall. Since IP forwarding is disabled in the host, IP packets must be directed to one of the proxy servers on the host, or be rejected. Some manufacturers build the packet filtering capability and the application proxies into one box, thereby simplifying the design (but removing the possibility of having an optional info server and modems attached to the screened subnet, see Figure 10). The disadvantages of the dual homed gateway are that it may be a bottleneck to performance, and it may be too secure for some sites (!) since it is not possible to let trusted applications bypass the firewall and communicate directly with peers on the Internet. They must have a proxy service in the firewall.
Figure 15: Dual Homed Gateway Firewall.
ii. The Screened Host Gateway
The screened host gateway is similar to the above, but more flexible and less secure, since trusted traffic may pass directly from the Internet into the private network, thereby bypassing the application gateway. In this design the application gateway only needs a single network connection. The IP router will normally be configured to pass Internet traffic to the application gateway or to reject it. Traffic from the corporate network to the Internet will also be rejected, unless it originates from the application gateway. The only exception to these rules will be for trusted traffic that will be allowed straight through.
Figure 16: The screened host gateway Firewall.
iii. The Screened Subnet Gateway
This configuration creates a small isolated network between the Internet and the corporate network, which is sometimes referred to as the demilitarised zone (DMZ), see Figure 12. The advantages of this configuration are that multiple hosts and gateways can be stationed in the DMZ, thereby achieving a much greater throughput to the Internet than the other configurations; plus the configuration is very secure as two packet filtering routers are there to protect the corporate network. The IP router on the Internet side will only let through Internet traffic that is destined for a host in the DMZ (and vice versa). The IP router on the corporate network side will only let site traffic pass to a host in the DMZ (and vice versa). This system is as secure as the dual homed gateway, but it is also possible to allow trusted traffic to pass straight through the DMZ if required. This configuration is of course more expensive to implement!
Figure 17: The Screened Subnet Gateway Firewall.
iv. Double Proxying and a DMZ
The configuration shown in Figure 13 is even more secure than the screened subnet seen in the previous section. It is used by a bank to protect its internal network from direct access from the Internet. Users from the Internet have to pass through two application proxies before they can access the bank’s intranet. This shows that there really is no limit to how complex a firewall configuration can be. The only limitations are the cost and performance implications of building ultra-secure firewall configurations.
Figure 18: Double Proxying and a DMZ Firewall.
Reviews
In short, firewalls are necessary. Without a firewall, your internet-connected PC would not last for many minutes before succumbing to an attack. Ever since Vista, Windows operating systems have included an excellent two-way firewall, which means it can protect against things trying to attack from the outside and things trying to connect with their senders once they make it inside the firewall to your computer. Many people are content to run the Windows firewall, and there is nothing wrong with that. However, some people prefer a firewall from the same publisher who sells their security software.
Figure 17: The firewall.
Conclusions
What Can a Firewall Do
Manage and control network traffic
• Packet inspection
• Connections and state
• Stateful packet inspection
Act as an intermediary
• Protect internal hosts from the risk of direct interaction
• Insulate the protected host from threats by ensuring that an external host can never directly communicate with the protected host
Protect resources
• Protect resources from threats
• Protected resources should always be kept patched and up-to-date
Record and report on events
• Record all communications, especially access policy violations
• Through system log or proprietary logging format
• Alarm when a policy has been violated