COMP 4706

Advanced Network Security

–
Firewall Implementation and
Design
Term: January 2005

Dana Epp
dana@scorpionsoft.com
http://silverstr.ufies.org/blo
g/
Agenda
 Review from last class
 Group STRIDE analysis
 Building a firewall port matrix
 Introduction to NMAP
 Hands on - Scanning ports with NMAP
 Hands on – Creating basic firewall rules on
Linux
Learning Outcomes
On successful completion of this course,
students will be able to:
 Identify various types of firewalls and their
functions, including which firewalls operate at
which OSI protocol layer, and the basic
variations of firewall architectures
 Describe risk mitigation techniques to varying
threats with the use of different firewall
architectures
 Demonstrate the ability to design and deploy
policies on a firewall
Basic Types of Firewalls
 Packet filtering firewalls
 Stateful packet inspection firewalls
 Application proxies
 Hybrids
Packet filter
A packet filter firewall is the simplest
type of firewall. Dealing with each
individual packet, the firewall applies
its rule set to determine which packet
to allow or disallow. The firewall
examines each packet based on the
 Source IP address
following criteria:
 Destination IP address
 TCP/UDP source port
 TCP/UDP destination port
Packet Filter - Pros
 They are fast because they operate on IP addresses and
TCP/UDP port numbers alone, ignoring the data contents
(payload) of packets.
 Due to the fact that packet payload is ignored, application
independence exists.
 Least expensive of the three types of firewalls.
 Packet filtering rules are relatively easy to configure.
 There are no configuration changes necessary to the
protected workstations.
Packet filters - Cons
 Allow a direct connection between endpoints through
the firewall. This leaves the potential for a
vulnerability to be exploited.
 There is no screening of packet payload available. It
is impossible to block users from visiting web sites
deemed off limits, for example.
 Logging of network traffic includes only IP addresses
and TCP/UDP port numbers, no packet payload
information is available.
 Complex firewall policies are difficult to implement
using filtering rules alone.
 There is a reliance on the IP address for
authentication rather than user authentication.
 Dynamic IP addressing schemes such as DHCP may
complicate filtering rules involving IP addresses.
Stateful packet inspection
Examines the contents of packets
rather than just filtering them; that
is, they consider their contents as
well as their addresses.
Stateful packet inspection firewalls
also take into account the state of
the connections they handle so that,
for example, a legitimate incoming
packet can be matched with the
outbound request for that packet and
Stateful packet inspection
- Pros
 Offers improved security over basic packet
filters due to packet examination.
 Offers a degree of application independence,
based on level of stateful packet examination.
 Better logging of activities over basic packet
filters.
 Good performance.
 Configuration changes to the protected
workstations are unnecessary.
Stateful packet inspection
- Cons
 Allow a direct connection between
endpoints through the firewall. This leaves
the potential for a vulnerability to be
exploited.
 No hiding of your private systems.
 Setting up stateful packet examination
rules is more complicated.
 Only supported protocols at the
application layer.
 No user authentication.
Application proxies
An application proxy is a program
running on the firewall that emulates
both ends of a network connection.
One can think of it as a sort of
"translator" in-between the two
computers communicating.
Application proxies - Pros
 Firewall does not let end points
communicate directly with one another.
Thus a vulnerability in a protocol which
could slip by a packet filter or stateful
packet inspection firewall could be
overcome by the proxy program.
 Has the best content filtering capability.
 Can hide private systems.
 Robust user authentication.
 Offers the best logging of activities.
 Policy rules are usually easier than
packet filtering rules.
Application proxies - Cons
 Performance problems; much slower than the other
two
 Must have a proxy for every protocol. Failure to have a
proxy may prevent a protocol from being handled
correctly by the firewall.
 TCP is the preferred transport. UDP may not be
supported.
 Limited transparency, clients may need to be modified.
Setting up the proxy server in a browser, for example.
 No protection from all protocol weaknesses.
OSI – Open System
Interconnect
TCP/IP Protocol
Architecture
Three way TCP handshake
Common Ports and
Services
 Windows: %windir
%\System32\drivers\etc\services
 Linux:
/etc/services
 Examples:
SMTP = port 25
HTTP = port 80
POP3 = port 110
PPTP = port 1723
The STRIDE Threat Model
 Spoofing identity
 Attacker obtains something that enables authentication
 Tampering with data
 Unauthorized change made to stored or in-transit information
 Repudiation
 Performing an illegal operation in a system that lacks the ability to
trace such operations
 Information disclosure
 Exposing critical information to unauthorized individuals
 Denial of Service (DoS)
 Denies service to others
 Elevation of privileges
 Attacker exploits a weakness to gain greater privileges on a system
than were intended
Ranking and Prioritizing
Threats
 Chance of attack occurring
 1 = high 10 = low
 How much effort/cost/time is needed to
launch the attack?
 What is the cost/damage if it occurs?
 1 = little 10 = massive
 RISK = Damage / Chance
 Goal is to reduce risk
 Do high risk items first
How to Respond to
Threats
1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.
Defense in Depth
 Assume external systems are insecure
 “We’re secure, we have a firewall” *ugh*
 Assume your system(s) is the last thing
standing
 Plan on failure
 More layers of security means more work to
compromise a target
 Threat risk goes down as threat difficulty goes up
 Never depend on security through obscurity
Group STRIDE
Analysis
Building a firewall port
matrix
 Determine trust zones
 Determine ports that need opening
 Determine packet type (tcp/udp)
 Determines direction of packet flow
 Determine any limitations you can
set on src/dst
LUNC
H
Introduction to NMAP
 Can scan networks to find active (online) hosts
 Can scan hosts to find open ports
 Can send crafted packets to fingerprint the
operating system

 Can be used defensively to identify

weaknesses that need to be corrected, or
offensively by an attacker to probe for
vulnerabilities to exploit.
Interesting NMAP options
 -v = Verbose logging
 -O = OS fingerprinting
 -sS = SYN stealth scan
 -P0 = Scan without ping probes

 nmap –v –O –sS your.host.com

Introduction to iptables
 3rd generation firewall on Linux
 Supports basic packet filtering as
well as connection state tracking

 For our needs for this course, we

will use simple/basic packet
filtering
 Introduction to iptables
# Sample firewall – incomplete… do not use. For discussion only
IPTABLES=/sbin/iptables
ANY=“0.0.0.0/0”
ETHIP=“10.10.1.1”
ADMINNOC=“10.10.1.250”

# Flush chains
$IPTABLES --flush

# Set default policies

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Allow SSH from admin NOC

$IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024:65534 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $ADMINNOC -sport 22 --dport 1024:65534 -j ACCEPT

# Allow Web access

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Allows secure web access

$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

$IPTABLES -A INPUT -j DROP

Dropping vs Rejecting
Packets
 Rejecting packets COULD resource starve
your system
 Dropping packets could cause network
diagnostic hell for the other end if you
don’t respond ‘nicely’
 Dana’s Law: It is better to DROP packets
and buy your favorite network admin a
beer than to REJECT and have alarms go
off at 2 in the morning during a DoS,
waking you up.
Hands on
LAB
Good reading
 IPTables Packet Filtering HOWTO
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
 Building Internet Firewalls
ISBN:1-56592-124-0
 Linux Firewalls
ISBN: 0-7357-0900-9
 Threat Modeling
ISBN: 0-7356-1991-3
Any Questions?