CEG 499/699:
Internet Security


College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

Firewalls

 

Prabhaker Mateti

 
Abstract:  A firewall is a computer system dedicated to protecting a LAN from the Internet at large.  In this lecture, we discuss the technical details of what a firewall is, leaving the development of a security policy to a later lecture.
 
This work is supported in part by NSF DUE-9951380.
  07/26/00

Table of Contents

  1. Educational Objectives
  2. Firewalls
    1. Security Policy
    2. Packet Filters
    3. Circuit Relay
    4. Proxy services
    5. Screening Router and a Bastion Host Together
    6. Three Myths of Firewalls
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Understand the technical essentials of firewalls.
  2. Realize the limitations of firewalls.
  3. Recognize the need for a security policy.

Firewalls

In the context of buildings, a firewall is a fireproof wall intended to prevent the spread of fire from one room or area of a building to another.  In the context of the Internet, the term has acquired a related meaning: preventing attacks from the outside from reaching the inside.  A typical intranet these days is not connected to the Internet directly.  Instead, we connect it to a firewall, and channel all transmissions through the firewall.

A firewall is a computer system dedicated to protecting a LAN from the Internet at large.  It sits at the entry point of the LAN it protects: all traffic between the LAN and any host on the Internet at large goes through the firewall.  It receives, inspects and makes decisions about all incoming data before it reaches other parts of the system or network, and it regulates outgoing data as well.

A rigorous definition of what a firewall is would not be useful, as the term has been used with a variety of meanings by the Internet security industry.  A firewall can be anything from a simple packet filter to an enormously complex computer system with extensive logging, intrusion detection systems, etc.  Nearly every topic of this course can fit under the heading of "building a firewall."  Instead, let us discuss specific functionality that aids in securing a LAN.

Security Policy

Every organization that uses LANs should have rules governing acceptable use of computing resources, security practices, and operational procedures.  A firewall is designed to enforce these policies as they apply to the Internet.  A firewall cannot protect against inside attacks, buffer overflow exploits, etc.

In this lecture, we discuss the technical details of what a firewall is, leaving the development of a security policy to a later lecture.

Dual Homed Gateway

A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

Bastion Host

A bastion host is a system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host runs some form of general-purpose operating system (e.g., UNIX, VMS, Windows NT, etc.) rather than a ROM-based or firmware operating system like commercial routers do.  Bastion hosts are also referred to as "gateway hosts."

Routers

Routers are computer systems with a very focused functionality: routing IP packets.  As a result, the base computer system is designed optimally for routing, and often runs a highly refined and hardened version of an OS from ROM.  Because it is a router, it generally contains several NICs.

A Screening Router is a router configured to permit or deny traffic based on a set of permission rules. A Tunneling Router is a router that can also encrypt traffic and encapsulate it for transmission across an untrusted network, for eventual de-encapsulation and decryption.  A Screened Host is a host on a network behind a screening router. A Screened Subnet is a subnet behind a screening router.  Such a subnet is also called a "sand box" or "demilitarized zone" network.  Conceptually, this is similar to a dual-homed gateway, except that an entire network, rather than a single host, is reachable from the outside.

Network Address Translation (NAT)

A firewall uses NAT to hide the internal workstation addresses: it re-addresses all outgoing messages from workstations on the LAN by replacing the internal IP addresses with the external IP address of the gateway.
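As an added illustration (not code from this lecture), here is a toy NAT gateway in Python. It assumes a port-translating NAT, which is how one external address can serve many workstations: each outgoing flow gets the gateway's external address and a fresh external port, replies are mapped back to the workstation that started the flow, and a packet from outside that matches no mapping is dropped, which is why the internal addresses stay hidden. All addresses and ports are constructed.

```python
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Port-translating NAT (assumed; the lecture describes only the address
    rewrite): every internal (ip, port) pair gets its own external port."""

    def __init__(self, external_ip, first_port=20000):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (proto, internal ip, internal port) -> external port
        self.inbound = {}    # (proto, external port) -> (internal ip, internal port)

    def translate_out(self, pkt):
        """LAN -> Internet: rewrite the source to the gateway's external address."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound:                # first packet of this flow
            ext_port = next(self._next_port)
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=self.outbound[key])

    def translate_in(self, pkt):
        """Internet -> LAN: map a reply back, or drop it if no internal host asked."""
        if pkt.dst != self.external_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dport))
        if target is None:
            return None                              # unsolicited: nothing inside is reachable
        internal_ip, internal_port = target
        return replace(pkt, dst=internal_ip, dport=internal_port)


def demo():
    """Constructed flows: two workstations using the same source port reach one
    web server; the reply comes back to the right one; a stray packet is dropped."""
    gw = NatGateway("192.0.2.1")                     # assumed external address
    web = "198.51.100.80"
    a = Packet("tcp", "10.1.0.5", 1234, web, 80)
    b = Packet("tcp", "10.1.0.6", 1234, web, 80)
    out_a, out_b = gw.translate_out(a), gw.translate_out(b)
    reply_to_a = Packet("tcp", web, 80, gw.external_ip, out_a.sport)
    unsolicited = Packet("tcp", web, 80, gw.external_ip, 22)
    return {
        "out_a": out_a,
        "out_b": out_b,
        "out_a_again": gw.translate_out(a),          # same flow keeps its mapping
        "reply_a": gw.translate_in(reply_to_a),
        "unsolicited": gw.translate_in(unsolicited),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Note that the two workstations both chose source port 1234, so the gateway cannot tell their replies apart by address and port alone; the external-port mapping is what lets it deliver each reply to the right host, and the same table is what makes an unsolicited inbound packet undeliverable.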

 

Packet Filter

A packet filter filters packets based on certain rules (see Packet Filtering in the References).  This is the simplest kind of firewall.  Protocols such as Telnet and SMTP lend themselves to packet filtering. The type of router used in a packet filtering firewall is known as a screening router.  A screening router, unlike an ordinary router, determines not only whether or not it can route a packet towards its destination, but also whether or not it should. "Should" or "should not" are determined by the site's security policy.

[Screening router diagram]
Using a screening router to do packet filtering

Here are some examples of ways in which you might program a screening router to selectively route packets to or from your site:

  1. Block all incoming connections from systems outside the internal network, except for incoming SMTP connections (so that you can receive email).
  2. Block all connections to or from certain systems you distrust.
  3. Allow email and FTP services, but block dangerous services like TFTP, the X Window System, RPC, and the "r" services (rlogin, rsh, rcp, etc.).

You can configure most modern routers to pass or drop packets as above.

The primary disadvantage of any packet filtering gateway is that once access has been granted by the device to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host. The ability to jump off to other internal hosts from that point is restrained only by the security present on those hosts.

Packet filtering can be static, leaving the desired methods of connecting between the internal and external networks open at all times.  The advantages of static packet filtering are:

Because it does very little work beyond routing traffic, the overhead is extremely low, so traffic near or at hardware speed is likely. The ability to set up packet filters is standard in most routers. Packet filtering is also always helpful for managing traffic on networks.  The disadvantages of static packet filtering are that it:

Dynamic packet filters open and close "doors" in the firewall based on header information in the data packet. Once a series of packets has passed through the "door" to its destination, the firewall closes the door.

Things you cannot do with packet filters include:

Stateful Inspection

Stateful packet filtering is an enhancement to dynamic packet filtering.  A stateful inspection firewall examines the state of all active network connections and, based on this information, determines which packets to accept or reject. This is an active process that does not rely on static rules. The advantages of dynamic packet filtering are that it opens holes in the network perimeter only temporarily, and has low overhead and high throughput.
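The following Python is an added example, not code from the lecture. It encodes the three screening-router rules listed under Packet Filter above as a stateless rule table, and then puts the same rules behind a connection-tracking table to show what dynamic (stateful) filtering adds. The internal prefix, the distrusted host and the sample packets are constructed; the service ports are the standard ones for the services named in rule 3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; a SYN without ACK starts a new connection
    ack: bool = False


INTERNAL_PREFIX = "10.1.0."      # assumed internal network
DISTRUSTED = {"203.0.113.7"}     # assumed host for rule 2 (block distrusted systems)
# Standard ports of the "dangerous services" named in rule 3.
DANGEROUS_PORTS = {69: "tftp", 111: "sunrpc", 512: "rexec", 513: "rlogin",
                   514: "rsh/rcp", 6000: "x11"}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def is_new_connection(pkt):
    # UDP has no handshake, so a filter without state has to treat every
    # datagram as a possible new connection.
    return pkt.proto == "udp" or (pkt.syn and not pkt.ack)


def static_filter(pkt):
    """Stateless screening: each packet is judged on its own header."""
    if pkt.src in DISTRUSTED or pkt.dst in DISTRUSTED:                # rule 2
        return "deny"
    if pkt.sport in DANGEROUS_PORTS or pkt.dport in DANGEROUS_PORTS:  # rule 3
        return "deny"
    inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
    if inbound and is_new_connection(pkt) and pkt.dport != 25:        # rule 1: SMTP only
        return "deny"
    return "permit"


class StatefulFilter:
    """Dynamic filtering: a permitted new connection opens a "door"; later
    packets pass only if they belong to an open door."""

    def __init__(self):
        self.open_doors = set()

    @staticmethod
    def door(pkt):
        # One key for both directions of a conversation.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def decide(self, pkt):
        key = self.door(pkt)
        if key in self.open_doors:
            return "permit"              # belongs to an open session
        if not is_new_connection(pkt):
            return "deny"                # mid-stream packet with no session: dropped
        verdict = static_filter(pkt)     # only connection attempts consult the rules
        if verdict == "permit":
            self.open_doors.add(key)     # open the door for the reply traffic
        return verdict

    def close(self, pkt):
        self.open_doors.discard(self.door(pkt))   # FIN/RST or timeout closes the door


def run_scenarios():
    """Constructed packets through both filters; returns {name: (static, stateful)}."""
    stateful = StatefulFilter()
    outside, inside, dns = "198.51.100.9", "10.1.0.5", "198.51.100.53"
    scenarios = [
        ("smtp_in",    Packet("tcp", outside, 40000, inside, 25, syn=True)),
        ("telnet_in",  Packet("tcp", outside, 40001, inside, 23, syn=True)),
        ("ack_in",     Packet("tcp", outside, 40002, inside, 8080, ack=True)),
        ("dns_out",    Packet("udp", inside, 5353, dns, 53)),
        ("dns_reply",  Packet("udp", dns, 53, inside, 5353)),
        ("tftp_out",   Packet("udp", inside, 5354, outside, 69)),
        ("distrusted", Packet("tcp", inside, 40003, "203.0.113.7", 80, syn=True)),
    ]
    verdicts = {}
    for name, pkt in scenarios:          # order matters: dns_out opens the door for dns_reply
        verdicts[name] = (static_filter(pkt), stateful.decide(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (static, dynamic) in run_scenarios().items():
        print(f"{name:<11} static={static:<7} stateful={dynamic}")
```

The ack_in and dns_reply rows are the point: the stateless table lets a stray inbound TCP packet through because it is not a connection attempt, yet it cannot admit the reply to an internal host's own DNS query; the stateful table gets both right, which is the "opens holes only temporarily" advantage described above.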

Circuit Relay

This is also called a "Circuit Level Gateway."   It determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time. Whether a connection is valid may be based upon:

Every session of data exchange is validated and monitored and all traffic is disallowed unless a session is open.

Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, in which the source address is never validated as a function of the protocol. IP spoofing can thus be rendered much more difficult.

A disadvantage is that Circuit Level Filtering operates at the transport layer and may require substantial modification of the programming which normally provides transport functions (e.g. Winsock).

Proxy services

A proxy server is also called an application gateway, or simply a proxy.  Proxy services are specialized server programs.  A client application first connects to a process on the firewall machine that listens for client connections. After connecting to the proxy, the user is authenticated to the firewall. The proxies take users' requests for Internet services (such as FTP and Telnet) and forward them, as appropriate according to the site's security policy, to the actual services. The proxies provide replacement connections and act as gateways to the services, performing all data exchanges with the remote system on the users' behalf. This can render a computer behind the firewall all but invisible to the remote system.  It is a gateway because all traffic to and from the remote node goes through it.  It works at the application (Telnet, FTP, etc.) level.  Transparency is the major benefit of proxy services. To the user, a proxy server presents the illusion that the user is dealing directly with the real server. To the real server, the proxy server presents the illusion that the real server is dealing directly with a user on the proxy host (as opposed to the user's real host).

A proxy service requires two components: a proxy server and a proxy client. In the configuration pictured below, the proxy server runs on the dual-homed host. A proxy client is a special version of a normal client program (e.g., a Telnet or FTP client) that talks to the proxy server rather than to the "real" server out on the Internet.  Alternately, if users are taught special procedures to follow, normal client programs can be used as proxy clients. The proxy server evaluates requests from the proxy client, and decides which to approve and which to deny. If a request is approved, the proxy server contacts the real server on behalf of the client (thus the term "proxy"), and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client.

[Proxy services diagram]
Using proxy services with a dual-homed host

In some proxy systems, instead of installing custom client proxy software, you use standard software but set up special user procedures for using it.

The proxy server can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth.  Depending on your site's security policy, requests might be allowed or refused. For example, the FTP proxy might refuse to let users export files, or it might allow users to import files only from certain sites. More sophisticated proxy services might allow different capabilities to different hosts, rather than enforcing the same restrictions on all hosts.  This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.

There is some excellent software available for proxying. SOCKS is a proxy construction toolkit, designed to make it easy to convert existing client/server applications into proxy versions of those same applications. The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK) includes proxy servers for a number of common Internet protocols, including Telnet, FTP, HTTP, rlogin, X11, and others; these proxy servers are designed to be used in conjunction with custom user procedures.

Many standard client and server programs, both commercial and freely available, now come equipped with their own proxying capabilities, or with support for generic proxy systems like SOCKS. These capabilities can be enabled at run time or compile time.

Application proxies can also verify that the interaction between client and server actually conforms to the protocol in use (i.e., HTTP or FTP). The ability to verify the activities of the applications (rather than focus on packet headers) has been a selling point for proxy firewalls, which are marketed as having more control than packet filters and therefore more security.

Because they are more involved in the connection, proxy firewalls tend to have lower performance than packet filters. Moreover, traditional proxy firewalls required modified user procedures or specialized client applications to interact with the proxy. However, most of today's proxy firewalls are transparent proxies, which do not have this limitation.  Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.
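As an added example (not code from this lecture, and not SOCKS or the TIS FWTK), this Python sketch shows the application-level checks a proxy can make that a packet filter cannot: it parses each client command to confirm it is well-formed FTP, applies a per-user command policy that forbids exporting files (no STOR) and allows imports only from listed sites, logs every decision, and forwards only approved commands to the real server. The remote server is a constructed stand-in, and the user, site names and policy are assumptions.

```python
import re

# RFC 959 command line: a 3- or 4-letter verb, optionally followed by one argument.
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: (\S.*))?$")


class FtpProxyPolicy:
    """Constructed policy in the spirit of the examples above: each user has a
    command allowlist (no STOR means no exporting files), and RETR is allowed
    only from listed sites."""

    def __init__(self, user_commands, import_sites):
        self.user_commands = user_commands   # user -> set of permitted verbs
        self.import_sites = import_sites     # servers files may be imported from

    def check(self, user, server, line):
        """Return (forward?, reply to send the client if not forwarded)."""
        m = COMMAND_RE.match(line)
        if not m:                            # protocol conformance, not just headers
            return False, "500 Syntax error: not an FTP command"
        verb = m.group(1).upper()
        if verb not in self.user_commands.get(user, set()):
            return False, f"550 {verb} not permitted for {user} by proxy policy"
        if verb == "RETR" and server not in self.import_sites:
            return False, f"550 Imports from {server} are not permitted"
        return True, None


def proxy_session(user, server, client_lines, real_server, policy, log):
    """Relay loop: the proxy reads the client's commands, applies the policy,
    and talks to real_server (a callable standing in for the remote FTP
    server) on the user's behalf. Returns the replies the client sees."""
    replies = []
    for line in client_lines:
        ok, reason = policy.check(user, server, line)
        if not ok:
            log.append(f"DENY  user={user} server={server} cmd={line!r}: {reason}")
            replies.append(reason)           # the real server never sees this command
            continue
        log.append(f"ALLOW user={user} server={server} cmd={line!r}")
        replies.append(real_server(line))
    return replies


def fake_server(line):
    """Constructed stand-in for the remote server with canned FTP replies."""
    verb = line.split(" ", 1)[0].upper()
    return {"USER": "331 Password required", "PASS": "230 Logged in",
            "RETR": "150 Opening data connection", "STOR": "150 Ready for data",
            "QUIT": "221 Goodbye"}.get(verb, "502 Command not implemented")


def demo():
    policy = FtpProxyPolicy(
        user_commands={"alice": {"USER", "PASS", "LIST", "RETR", "QUIT"}},  # assumed
        import_sites={"ftp.example.org"},                                  # assumed
    )
    log = []
    session = ["USER anonymous", "PASS alice@", "RETR README", "STOR secrets.txt",
               "DELE README", "@#$ not-a-command", "QUIT"]
    replies = proxy_session("alice", "ftp.example.org", session, fake_server, policy, log)
    # Same user, a site not on the import list: RETR is refused by the proxy.
    other = proxy_session("alice", "ftp.untrusted.example", ["RETR README"],
                          fake_server, policy, log)
    return replies, other, log


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The log is what an operator would review or alarm on: every refused command is recorded with the user, the destination site and the policy reason, which a screening router, seeing only packet headers, could never produce.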

Screening Router and a Bastion Host Together

A bastion host can do the following, which a screening router cannot:

  1. Conceal all internal addresses.
  2. Provide single sign-on.
  3. Translate ports or addresses.
  4. Filter all UDP packets except those for a designated service (say, NFS).

Three Myths of Firewalls

  1. Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own back doors, using modems, terminal servers, or programs such as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.
  2. Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and that everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.
  3. Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model that neglects this will leave you wide open to a wide range of attacks.

Lab Experiment

Setting Up a Firewall for Home Office

A simple Linux firewall can be set up without too much difficulty by visiting the sites www.linuxrouter.org/ and www.linuxfirewall.org/ and following their tutorials.

This lab experiment is optional.


Acknowledgements

The figures are from http://www.sunworld.com/sunworldonline/swol-01-1996/swol-01-firewall_p.html.


References

  1. Mark Grennan, Firewall and Proxy Server HOWTO, July 24, 2000, www.grennan.com/Firewall-HOWTO.html.  Recommended reading.
  2. Robert L. Ziegler, Linux Firewalls, New Riders Publishing, 1999; ISBN 0735709009.
  3. http://www.linux-firewall-tools.com/linux/firewall/index.html.  Reference.
  4. Lance Spitzner, Armoring Linux, last modified 25 June 2000, www.enteract.com/~lspitz/papers.html.  Required reading.
  5. D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, O'Reilly & Associates; ISBN 1-56592-124-0; 517 pages.  Reference.
  6. Simson Garfinkel and Gene Spafford, Practical Unix and Internet Security, 2nd edition (April 1996), O'Reilly & Associates; ISBN 1565921488.  Chapter 21: Firewalls.  Errata: http://www.oreilly.com/catalog/puis/errata/.  Recommended reading.

     

07/26/00 07:13:12 PM
Copyright © 2000 pmateti@cs.wright.edu