Firewalls Original slides prepared by Theo Benson IP

Firewalls Original slides prepared by Theo Benson

IP Options of Concern • Options may change the length of the IP header, and may require additional processing, putting load on routers/firewalls. • IP strict/loose source routing: source specifies a series of intermediate destinations; might be used to bypass security devices, might cost ISPs transit fees • IP record route option: each router on the packet’s path appends its address to the option field • IP timestamp: like record route, but each router also adds a timestamp to the option field

Unix Firewalls • Free. BSD: ipfw • Linux: ipfw → ipchains → iptables • Mac. OS X: ipfw example rules: # SSH # Allow ssh from unc. edu hosts /sbin/ipfw -f add allow tcp from 152. 2. 0. 0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152. 19. 0. 0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152. 23. 0. 0/16 to any 22 setup

Stateful Firewalls • A bit more complicated • Keep track of transport layer connections (e. g. , TCP, UDP) that may comprise multiple packets • Often allow only connections initiated from behind the firewall

How are they deployed? The firewall is the gatekeeper The Internet AKA “Everything evil” “circle of trust” Only one way in or out into the circle

Similar to streaming a Video … Loading Youtube Browser HTTP Requests Get: image. png HTTP Requests Get: video. avi Network

Allowing Outbound Connections Only SYN The Internet AKA “Everything evil” “circle of trust” • Why would someone from the outside want to start a connection?

Allowing Outbound Connections Only SYN The Internet AKA “Everything evil” “circle of trust” • Why would someone from the outside want to start a connection? – They would if you were running a web-server, an email-server, a gaming server …. Pretty much any ‘server’ service. – Firewall configuration may allow “punching holes” to specific addresses/ports

An Early Web-based Attack http: //www. phishing. com includes the following embedded links on its home page http: //192. 168. 1. 1/printer_vulnerability_string http: //192. 168. 1. 2/printer_vulnerability_string http: //192. 168. 1. 3/printer_vulnerability_string http: //192. 168. 1. 4/printer_vulnerability_string …

Traversing Firewalls • Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections. • An external server may help coordinate which source ports, sequence numbers, to use. (E. g. , STUN protocol. )

Network Address Translation (NAT) Src: 192. 168. 1. 100: 32532 192. 168. 1. 100 Src: 128. 2. 205. 42: 45323 128. 2. 205. 42 • For outbound packets, the translator replaces (typically) private address with it’s own public address, and rewrites the source port. • Translator remembers the mapping. • For inbound packets, the reverse translation is performed.

NAT versus Firewall • A network address translator is not intrinsically a firewall – it can work with public addresses on both sides!, but – Often the two are combined in one device – Traffic cannot be sent directly to private addresses used behind a NAT from the public Internet – Intrinsic security is coming from the use of private addresses rather than public addresses, not from the NAT itself

What Happens When you Connect to a Website? Loading Sound. Cloud Browser Network HTTP Requests Get: image. png HTTP Requests Get: sound. mp 3 What happens if the virus/worm is hidden in an email? Picture? Or if the security exploit is in an HTML page?

Deep Packet Inspection • Examine payload (data) portion of packet as well as headers IP Header TCP/UDP Header Payload

Application Level Firewall • Why are they needed? • Attackers are tricky – When exploiting security vulnerabilities – Attacks span multiple packets • Need a system to scan across multiple packets for Virus/Worm/Vulnerability exploits

Application Level Firewalls • Similar to Packet-filters except: – Supports regular expression – Search across different packets for a match – Reconstructs objects (images, pictures) from packets and scans objects.

Application Level Firewalls • Similar to Packet-filters except: – Supports regular expression – Searches across different packets for a match – Reconstructs objects (images, pictures) from packets and scans objects. Appy reg-ex to the object: HTTP Requests Get: image. png

Application Level Firewalls • Similar to Packet-filters except: – Supports regular expression – Searches across different packets for a match – Reconstructs objects (images, pictures) from packets and scans objects. HTTP Requests Get: image. png

Why doesn’t everyone use App level firewalls? • Object re-assembly requires a lot of memory • Regular-expressions require a lot of CPU • App level firewalls are a lot more expensive – And also much slower – So you need more -- a lot more.

How do you Attack the Firewall? • Most Common: Denial-of-Service attacks – Figure out a bug in the Firewall code – Code causes it to handle a packet incorrectly – Send a lot of ‘bug’ packets and no one can use the firewall