Firewalls

Prabhaker Mateti

Abstract: A firewall is a computer system dedicated to protecting a LAN from the Internet at large. In this lecture, we discuss the technical details of what a firewall is, leaving the development of a security policy to a later lecture. This work was supported in part by NSF DUE-9951380.

Table of Contents

  1. Educational Objectives
  2. Firewalls
    1. Security Policy
    2. Packet Filters
    3. Circuit Relay
    4. Proxy services
    5. Screening Router and a Bastion Host Together
    6. Three Myths of Firewalls
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Understand the technical essentials of firewalls.
  2. Realize the limitations of firewalls.
  3. Recognize the need for a security policy.

Firewalls

In the context of buildings, a firewall is a fireproof wall intended to prevent the spread of fire from one room or area of a building to another. In the context of the Internet, the term has acquired a related meaning: a barrier that prevents attacks from the outside reaching the inside. A typical intranet these days is not connected to the Internet directly. Instead, we connect it to a firewall and channel all transmissions through the firewall.

[Screening router diagram]


From the Internet Security Glossary [RFC 2828, (I) = Internet basis, (C) = Commentary and Additional Guidance]:

Firewall
(I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)  (C) A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.

(C) A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.

Further discussion of the definition of what a firewall is is not useful, as the term has been used with a variety of meanings by the industry. It can be anything from a simple packet filter to an enormously complex computer system with extensive logging, intrusion detection systems, etc. Nearly every topic of this course can fit under the heading of "building a firewall." Instead, let us discuss specific functionality that aids in securing a LAN.

Security Policy

Every organization that uses LANs should have rules governing acceptable use of computing resources, security practices, and operational procedures.  A firewall is designed to enforce these policies as they apply to the Internet.

In this lecture, we discuss the technical details of what a firewall is, leaving the development of a security policy to a later lecture.

Dual Homed Gateway

A dual homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.

Routers

Routers are computer systems with a very focused functionality: routing IP packets. As a result, the base computer system is designed optimally for routing, and often runs a highly refined and hardened version of an OS from ROM. Because it is a router, it generally contains several NICs.

A Screening Router is a router configured to permit or deny traffic based on a set of permission rules. A Screened Host is a host on a network behind a screening router. A Screened Subnet is a subnet behind a screening router. Such a subnet is also called a "sandbox" or "demilitarized zone" network. Conceptually, this is similar to a dual-homed gateway, except that an entire network, rather than a single host, is reachable from the outside.

A Tunneling Router is a router capable also of encrypting the traffic and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption. 

A firewall uses NAT (Network Address Translation) to hide the internal workstation addresses, and to re-address all outgoing messages from workstations on the LAN by replacing internal IP addresses with the external IP address of the gateway.

Packet Filter

A packet filter filters packets based on certain rules (see Packet Filtering in the References). This is the simplest kind of firewall. Protocols such as Telnet and SMTP lend themselves to packet filtering. The type of router used in a packet filtering firewall is known as a screening router. A screening router, unlike an ordinary router, determines not only whether or not it can route a packet towards its destination, but also whether or not it should. "Should" or "should not" are determined by the site's security policy.

Here are some examples of ways in which you might program a screening router to selectively route packets to or from your site:

  1. Block all incoming connections from systems outside the internal network, except for incoming SMTP connections (so that you can receive email).
  2. Block all connections to or from certain systems you distrust.
  3. Allow email and FTP services, but block dangerous services like TFTP, the X Window System, RPC, and the "r" services (rlogin, rsh, rcp, etc.).

You can configure most modern routers to pass or drop packets as above.
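As an added illustration (not part of the lecture), here is a small first-match rule table in Python that encodes the three sample policies above and screens constructed packets with it; the LAN prefix, the "distrusted" network and the port numbers chosen for the dangerous services are assumptions of the example:

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN = ip_network("192.168.17.0/24")        # assumed prefix of the protected LAN
ANY = ip_network("0.0.0.0/0")
DISTRUSTED = ip_network("203.0.113.0/24")  # constructed "systems you distrust"
# Rule 3's dangerous services: tftp, RPC portmapper, X11, exec/rlogin/rsh
DANGEROUS = frozenset({69, 111, 6000, 512, 513, 514})

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False     # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    proto: str | None = None          # None matches both protocols
    ports: frozenset = frozenset()    # empty matches every destination port
    syn_only: bool = False            # match only connection-opening segments

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (not self.ports or p.dport in self.ports)
                and (not self.syn_only or p.syn))

# First-match rule table encoding the three sample policies above.
RULES = [
    Rule("drop", DISTRUSTED, ANY),                     # 2: distrusted systems,
    Rule("drop", ANY, DISTRUSTED),                     #    in either direction
    Rule("drop", ANY, ANY, ports=DANGEROUS),           # 3: dangerous services
    Rule("accept", ANY, LAN, "tcp", frozenset({25})),  # 1: incoming SMTP
    Rule("drop", ANY, LAN, "tcp", syn_only=True),      # 1: no other inbound connection
    Rule("drop", ANY, LAN, "udp"),  # UDP has no SYN bit: a reply looks like an attack
    Rule("accept", ANY, ANY),       # outbound traffic and TCP replies to it
]

def screen(p: Packet, rules: list[Rule] = RULES) -> str:
    """Return the action of the first rule matching p; drop when none matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"
```

The last UDP rule shows the limitation the lecture returns to later: a static filter cannot tell a DNS reply from an unsolicited datagram, so it must either drop both or admit both.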

The primary disadvantage of any packet filtering gateway is that once access has been granted by the device to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host. The ability to jump off to other internal hosts from that point is restrained only by the security present on those hosts.

Packet filtering can be static, meaning that the desired methods of connecting between the internal and external networks are left open at all times. The advantages of static packet filtering are:

Because it does very little work beyond routing traffic, the overhead is extremely low, so traffic near or at hardware speed is likely. The ability to set up packet filters is standard in most routers. Packet filtering is also always helpful for managing traffic on networks. The disadvantages of static packet filtering are that it:

Dynamic packet filters open and close "doors" in the firewall based on header information in the data packet. Once a series of packets has passed through the "door" to its destination, the firewall closes the door.

Things you cannot do with packet filters include:

Bastion Host

A bastion host is a system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host runs some form of general-purpose operating system (e.g., Linux, VMS, Windows) rather than the ROM-based or firmware operating system that commercial routers use. Bastion hosts are also referred to as "gateway hosts."

DMZ

A Demilitarized Zone (DMZ) is a neutral zone between the private LAN and the public Internet. FTP servers, Web servers and the like are located in the DMZ.

Stateful Inspection

Stateful packet filtering is an enhancement to dynamic packet filtering. A stateful inspection firewall examines the state of any active network connections and, based on this information, determines which packets to accept or reject. This is an active process that does not rely on static rules. The advantages of dynamic packet filtering are that it only temporarily opens holes in the network perimeter, and that it has low overhead and high throughput.
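An added example, not from the lecture, of the door-opening behaviour described for dynamic and stateful filtering: a connection table keyed on the packet's addresses and ports that admits inbound packets only as replies to tracked outbound ones and closes each door on RST, shortly after a FIN, or when idle (the LAN prefix, the timeouts and the packet format are assumptions of the example):

```python
from __future__ import annotations
from dataclasses import dataclass
LAN = "192.168.17."   # assumed prefix of the protected LAN

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float            # arrival time in seconds (constructed clock)
    syn: bool = False   # TCP connection request
    fin: bool = False
    rst: bool = False

class DynamicFilter:
    """Opens a "door" when an inside host sends to the outside, admits only
    replies through that door, and closes it on RST, after FIN, or when idle."""
    IDLE = {"tcp": 300.0, "udp": 30.0}  # seconds of silence before a door closes
    CLOSING = 10.0                      # grace period after a FIN for the final ACKs

    def __init__(self) -> None:
        # door key: (proto, inside ip, inside port, outside ip, outside port)
        self.doors: dict[tuple, tuple[float, bool]] = {}  # -> (last seen, FIN seen)

    def _expire(self, now: float) -> None:
        for key, (last, closing) in list(self.doors.items()):
            if now - last > (self.CLOSING if closing else self.IDLE[key[0]]):
                del self.doors[key]

    def handle(self, p: Packet) -> str:
        self._expire(p.t)
        outbound = p.src.startswith(LAN)
        key = ((p.proto, p.src, p.sport, p.dst, p.dport) if outbound
               else (p.proto, p.dst, p.dport, p.src, p.sport))
        if outbound and key not in self.doors:
            if p.proto == "tcp" and not p.syn:
                return "drop"        # mid-stream segment with no door open
            self.doors[key] = (p.t, False)   # open the door
            return "accept"
        if key not in self.doors:
            return "drop"            # unsolicited inbound packet
        if p.rst:
            del self.doors[key]      # an abort closes the door at once
        else:
            self.doors[key] = (p.t, self.doors[key][1] or p.fin)
        return "accept"

    def open_doors(self) -> int:
        return len(self.doors)
```

Unlike the static filter, this one can admit a DNS reply because it remembers the query that provoked it, and the door it opened disappears again after thirty idle seconds.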

Circuit Relay

A Circuit Relay is also called a "Circuit Level Gateway."   It determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time.

Whether a connection is valid may be based upon:

Every session of data exchange is validated and monitored and all traffic is disallowed unless a session is open.

Circuit-level filtering takes control a step further than a packet filter. Among the advantages of a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP protocol, in which the source address is never validated as a function of the protocol. IP spoofing can thereby be rendered much more difficult.

A disadvantage is that circuit-level filtering operates at the transport layer and may require substantial modification of the software that normally provides transport functions (e.g., Winsock).

Proxy services

A proxy server is also called an application gateway, or simply a proxy. A proxy service requires two components: a proxy server and a proxy client. In this example, the proxy server runs on the dual-homed host.

A proxy client is a special version of a normal client program (e.g., a Telnet or FTP client) that talks to the proxy server rather than to the "real" server out on the Internet. After connecting to the proxy, the user is authenticated to the firewall. The proxy server evaluates requests from the proxy client, and decides which to approve and which to deny. If a request is approved, the proxy server contacts the real server on behalf of the client (thus the term "proxy"), and proceeds to relay requests from the proxy client to the real server, and responses from the real server to the proxy client. The proxies provide replacement connections and act as gateways to the services, performing all data exchanges with the remote system on the client's behalf. This can render a host behind the firewall all but invisible to the remote system. It is a gateway because all traffic to and from the remote node goes through it.

In some proxy systems, instead of installing custom client proxy software, standard software is used, but special user procedures are set up.

Transparency is the major benefit of proxy services. To the user, a proxy server presents the illusion that the user is dealing directly with the real server. To the real server, the proxy server presents the illusion that the real server is dealing directly with a user on the proxy host (as opposed to the user's real host).

Using proxy services with a dual-homed host

A proxy works at the application level (Telnet, FTP, etc.). For example, the FTP proxy might refuse to let users export files, or it might allow users to import files only from certain sites. Application proxies can also verify that the interaction between client and server actually conforms to the protocol in use (i.e., HTTP or FTP). The ability to verify the activities of the applications (rather than focusing on packet headers) has been a selling point for proxy firewalls, which are marketed as having more control than packet filters and therefore more security. More sophisticated proxy services might allow different capabilities to different hosts, rather than enforcing the same restrictions on all hosts. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions. Because they are more involved in the connection, proxy firewalls tend to have lower performance than packet filters.
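As an added example (not from the lecture or from any of the toolkits it names), here are the policy checks an FTP application proxy of the kind described above might apply in one session: refusing file exports, allowing imports only from listed sites, and relaying only lines that conform to FTP syntax in both directions; the site list and the command set are assumptions of the example:

```python
from __future__ import annotations
import re

# Constructed policy: sites from which users may import files.
IMPORT_ALLOWED = {"ftp.example.org", "mirror.example.net"}
EXPORT_COMMANDS = {"STOR", "STOU", "APPE"}   # FTP verbs that send a file out
KNOWN_COMMANDS = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "LIST", "NLST",
                  "PASV", "PORT", "RETR", "QUIT", "NOOP"} | EXPORT_COMMANDS
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: [^\r\n]*)?\r?\n?$")
REPLY_RE = re.compile(r"^\d{3}[ -]")         # RFC 959 replies start with a 3-digit code

class FtpProxyPolicy:
    """Application-level checks an FTP proxy applies before relaying.
    Each session is tied to the user who authenticated to the firewall
    and to the one real server the user asked the proxy to reach."""

    def __init__(self, firewall_user: str, target_site: str) -> None:
        self.user, self.site = firewall_user, target_site
        self.log: list[str] = []

    def check_command(self, line: str) -> tuple[bool, str]:
        """Return (relay?, reason) for one client command line."""
        m = COMMAND_RE.match(line)
        if not m:
            return self._deny("?", "line does not conform to FTP command syntax")
        verb = m.group(1).upper()
        if verb not in KNOWN_COMMANDS:
            return self._deny(verb, "unknown FTP command")
        if verb in EXPORT_COMMANDS:
            return self._deny(verb, "exporting files is not permitted")
        if verb == "RETR" and self.site not in IMPORT_ALLOWED:
            return self._deny(verb, f"imports from {self.site} are not permitted")
        self.log.append(f"{self.user}@{self.site} relay {verb}")
        return True, "relayed"

    def check_reply(self, line: str) -> bool:
        """Relay a server reply only if it looks like an FTP reply."""
        ok = REPLY_RE.match(line) is not None
        if not ok:
            self.log.append(f"{self.user}@{self.site} DENY non-FTP reply from server")
        return ok

    def _deny(self, verb: str, reason: str) -> tuple[bool, str]:
        # Only the verb is logged, never arguments such as a PASS password.
        self.log.append(f"{self.user}@{self.site} DENY {verb}: {reason}")
        return False, reason
```

The per-user, per-verb log is the kind of detailed record that a packet filter, which sees only headers, cannot produce.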

SOCKS is a proxy construction toolkit, designed to make it easy to convert existing client/server applications into proxy versions of those same applications. The Trusted Information Systems Internet Firewall Toolkit (TIS FWTK) includes proxy servers for a number of common Internet protocols, including Telnet, FTP, HTTP, rlogin, X11, and others; these proxy servers are designed to be used in conjunction with custom user procedures.

Three Myths of Firewalls

  1. Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may setup their own backdoors, using modems, terminal servers, or use such programs as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.
  2. Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and that everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.
  3. Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.

Lab Experiment

All work should be carried out in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 192.168.17.19 to .30.  No other WSU facilities are allowed. 

  1. The following are links to two directories of files that can together be built as an ISO image to be burned as a bootable Linux CD.
    1. BootCD
    2. IPtables
  2. The above were for a previous version of Linux kernel and distribution.  Update them and build a new bootable CD based on current versions of all needed components.

Lab Experiment 2

All work should be carried out in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 192.168.17.19 to .30.  No other WSU facilities are allowed. 

On a Windows machine that you "own", download, install and properly configure a firewall.  There are several "well known firewalls" that are free for personal use:

  1. Agnitum Outpost
  2. Sygate Personal Firewall
  3. Zone Alarm

Please web-search for download locations.


Acknowledgements

The figures are from the "Web".


References

  1. D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, O'Reilly & Associates, ISBN 1-56592-124-0, 517 pages. Reference.
  2. Simson Garfinkel and Gene Spafford, Practical Unix and Internet Security, 2nd edition, O'Reilly & Associates, April 1996, ISBN 1565921488. Errata: http://www.oreilly.com/catalog/puis/errata/. Chapter 21: Firewalls. Required Reading.
  3. Mark Grennan, Firewall and Proxy Server HOWTO, Aug 21, 2000, http://www.tldp.org/HOWTO/Firewall-HOWTO.html. Recommended Reading.
  4. Microsoft, Frequently Asked Questions About Internet Firewalls, last updated March 10, 2004, http://www.microsoft.com/security/protect/firewall.asp. Required Reading.
  5. Robert L. Ziegler and Carl B. Constantine, Linux Firewalls, 2nd edition, New Riders Publishing, October 2001, ISBN 0735710996. Describes how to set up a Linux-based firewall. Reference.
  6. R. Shirey, Internet Security Glossary, RFC 2828, www.rfc-editor.org. Reference.
last edited: May 22, 2008
Copyright © 2008 pmateti@wright.edu