Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules
Where firewalls fit in the
• Why firewall?
• What is a firewall?
• What is the perfect firewall?
• What types of firewall are there?
• How do I defeat these firewalls?
• How should I deploy firewalls?
• What is good firewall architecture?
• Firewall trends.
What are the risks?
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Bad publicity, public embarrassment, and lawsuits
What needs to be secured?
• Crown jewels: patent work, source code,
market analysis; information assets
• Any way into your network
• Any way out of your network
• Information about your network
Why do I need a firewall?
• Peer pressure.
• One firewall is simpler to administer than
• It’s easier to be security conscientious with
What is a firewall?
• As many machines as it takes to:
– be the sole connection between inside and
– test all traffic against consistent rules.
– pass traffic that meets those rules.
– contain the effects of a compromised system.
• All of the machines in the firewall
– are immune to penetration or compromise.
– retain enough information to recreate their
The Perfect firewall
• Lets you do your business
• Works with existing security measures
• has the security “margin of error” that your
The security continuum
• Ease of use vs. degree of security
• Cheap, secure, feature packed, easy to
administer? Choose three.
• Default deny or default accept
[Continuum diagram: Easy to use <---> Secure]
Policy for the firewall
– Who gets to do what via the Internet?
– What Internet usage is not allowed?
– Who makes sure the policy works and is being
– When can changes be made to policy/rules?
– What will be done with the logs?
– Will we cooperate with law enforcement?
What you firewall matters more
than which firewall you use.
• Internal security policy should show what
systems need to be guarded.
• How you deploy your firewall determines
what the firewall protects.
• The kind of firewall is how much insurance
How to defeat firewalls
• Take over the firewall.
• Get packets through the firewall.
• Get the information without going through
A partial list of back doors.
• personal modems
• vendor modems
• partner networks
• home networks
• loose cannon experts
• employee hacking
• reusable passwords
• “helpful” employees
• off-site backup &
Even perfect firewalls can’t fix:
• Tunneled traffic.
• Holes, e.g. telnet, opened in the firewall.
• WWW browser attacks / malicious Internet
Priorities in hacking through a
• Collect information.
• Look for weaknesses behind the firewall.
• Try to get packets through the firewall.
• Attack the firewall itself.
• Subvert connections through the firewall.
Information often leaked through
• DNS host information
• network configuration
• e-mail header information
• intranet web pages on the Internet
• mail servers
• web servers
• old buggy daemons
• account theft
• vulnerable web browsers
Attacking the firewall
• Does this firewall pass packets when it’s
• Is any software running on the firewall?
A fieldtrip through an IP packet
• Important fields are:
– source, destination, ports, TCP status
[Packet header diagram: ... TOS ... SRC DEST opt SPORT DPORT]
• How Packet filters work
– Read the header and filter by whether fields
match specific rules.
– SYN flags allow the router to tell if connection
is new or ongoing.
• Packet filters come in dumb, standard,
specialized, and stateful models
Standard packet filter
– allows connections as long as the ports are OK
– denies new inbound connections, using the
– Examples: Cisco & other routers, Karlbridge,
Unix hosts, steelhead.
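The two slides above describe what a standard (stateless) packet filter does: read the header fields, match them against a rule list, and use the SYN/ACK flags to tell a new inbound connection from a reply to an outbound one. The following is an added example, not code from the talk or from any of the products named; it parses a constructed IPv4+TCP packet, applies a small top-to-bottom rule list of the kind the slide describes, and uses 10.0.0.0/24 as an assumed inside network.

```python
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10
INSIDE_NET = "10.0.0."          # assumption: the protected network is 10.0.0.0/24


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Extract the fields a packet filter matches on: addresses, ports, TCP flags."""
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes, options included
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto != 6:                       # not TCP: there are no ports or flags to read
        return Packet(src, dst, proto, 0, 0, 0)
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13] & 0x3F         # TCP flags byte, low six bits (FIN..URG)
    return Packet(src, dst, proto, sport, dport, flags)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: minimal IPv4 header + TCP header, no payload, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Rules are evaluated top to bottom; the first match wins. Fields:
# (name, direction or None, destination port or None, require ACK flag, action)
RULES = [
    ("allow-outbound", "out", None, False, "pass"),
    ("allow-established", "in", None, True, "pass"),   # ACK set: treated as part of an existing connection
    ("allow-smtp-in", "in", 25, False, "pass"),
    ("allow-http-in", "in", 80, False, "pass"),
    ("default-deny", None, None, False, "drop"),
]


def filter_packet(raw: bytes):
    """Stateless decision on one packet in isolation. Returns (rule name, action)."""
    pkt = parse_ipv4_tcp(raw)
    if pkt.proto != 6:
        return "non-tcp", "drop"
    direction = "out" if pkt.src.startswith(INSIDE_NET) else "in"
    for name, rdir, rport, need_ack, action in RULES:
        if rdir is not None and rdir != direction:
            continue
        if rport is not None and pkt.dport != rport:
            continue
        if need_ack and not (pkt.flags & TCP_ACK):
            continue
        return name, action
    return "no-match", "drop"
```

Because each packet is judged on its own header, an inbound packet that merely carries the ACK bit is accepted by the "allow-established" rule whether or not any connection exists; that is the weakness the next slide lists as stealth scanning working well, and the reason the stateful filters described later keep a table of connections instead of trusting the flags.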
Packet filter weaknesses
– It’s easy to botch the rules.
– Good logging is hard.
– Stealth scanning works well.
– Packet fragments, IP options, and source
routing work by default.
– Routers usually can’t do authentication of end
Stateful packet filters
– SPFs track the last few minutes of network
activity. If a packet doesn’t fit in, they drop it.
– Stronger inspection engines can search for
information inside the packet’s data.
– SPFs have to collect and assemble packets in
order to have enough data.
– Examples: Firewall One, ON Technologies,
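A stateful packet filter, as the slide puts it, remembers the last few minutes of activity and drops anything that does not fit. The class below is an added example, not code from the talk or from Firewall One or any other product: it records connections opened from the assumed inside network 10.0.0.0/24, admits inbound packets only when they belong to a tracked connection, forgets connections after an idle timeout, and accepts an injectable clock so the timeout can be exercised offline.

```python
import time

INSIDE_NET = "10.0.0."                  # assumption: the protected network is 10.0.0.0/24
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
IDLE_TIMEOUT = 120.0                    # seconds of silence before a tracked connection is forgotten


class StatefulFilter:
    """Tracks connections opened from inside; admits only packets that fit a tracked flow."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        # key: (inside_ip, inside_port, remote_ip, remote_port) -> time of the last packet seen
        self.table = {}

    def _expire(self, now):
        stale = [k for k, last in self.table.items() if now - last > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def handle(self, src, sport, dst, dport, flags):
        """Decide one TCP packet given its addresses, ports and flags. Returns 'pass' or 'drop'."""
        now = self.clock()
        self._expire(now)
        if src.startswith(INSIDE_NET):
            key = (src, sport, dst, dport)
            if flags & TCP_SYN and not flags & TCP_ACK:
                self.table[key] = now          # new outbound connection: start tracking it
                return "pass"
        else:
            key = (dst, dport, src, sport)     # inbound: look the flow up from the inside host's view
        if key not in self.table:
            return "drop"                      # fits no known connection, whatever its flags claim
        if flags & TCP_RST:
            del self.table[key]                # a reset tears the connection down immediately
        else:
            self.table[key] = now              # refresh the idle timer
        return "pass"
```

Compared with a stateless rule that trusts the ACK bit, an unsolicited inbound packet with ACK set is dropped here because no table entry exists for it; the cost is the memory and the reassembly work the slide mentions, since the filter must see every packet of a flow to keep the table accurate.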
Weaknesses in SPF
– All the flaws of standard filtering can still
– Default setups are sometimes insecure.
– The packet that leaves the remote site is the
same packet that arrives at the client.
– Data inside an allowed connection can be
– Traditionally SPFs have poor logging.
• Proxy firewalls pass data between two
separate connections, one on each side of
– Proxies should not route packets between
• Types: circuit level proxy, application
proxy, store and forward proxy.
General proxy weaknesses
• The host is now involved, and accessible to
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if
authentication isn’t used.
• Higher latency & lower throughput.
Circuit level proxy
– Client asks FW for document. FW connects to
remote site. FW transfers all information
between the two connections.
– Tends to have better logging than packet filters
– Data passed inside the circuit could be
– Examples: Socks, Cycom Labyrinth
– FW transfers only acceptable information
between the two connections.
– The proxy can understand the protocol and
filter the data within.
– Examples: TIS Gauntlet and FWTK, Raptor,
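The circuit-level and application proxy slides above differ in one thing: a circuit proxy copies whatever passes inside the circuit, while an application proxy understands the protocol and forwards only what it accepts. The code below is an added example, not code from the talk or from Socks, Gauntlet, FWTK or any other product; it contrasts the two decisions for a single HTTP request, with the allowed methods and the blocked host list being assumed policy.

```python
ALLOWED_METHODS = {"GET", "HEAD"}         # assumption: policy permits read-only HTTP methods
BLOCKED_HOSTS = {"blocked.example"}       # assumption: a small host denylist from policy


def circuit_relay(client_bytes: bytes) -> bytes:
    """Circuit-level proxy: bytes sent inside the circuit are relayed untouched."""
    return client_bytes


def application_proxy(client_bytes: bytes):
    """Protocol-aware HTTP/1.x proxy decision.

    Returns ('pass', bytes_to_forward) or ('deny', reason). The forwarded request is
    rebuilt from the parsed fields, so only what the proxy understood reaches the server.
    """
    try:
        head, _, body = client_bytes.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny", "malformed request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny", "unsupported version"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "deny", "malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not host:
        return "deny", "missing Host header"
    if host.split(":")[0] in BLOCKED_HOSTS:
        return "deny", "host blocked by policy"
    if body:
        return "deny", "request body not permitted for this method"
    out = f"{method} {target} {version}\r\n".encode()
    for name in ("host", "user-agent", "accept"):     # a fixed set of headers is passed on
        if name in headers:
            out += f"{name.title()}: {headers[name]}\r\n".encode()
    out += b"Connection: close\r\n\r\n"
    return "pass", out
```

The circuit relay is short precisely because it inspects nothing; that is the weakness the circuit slide notes about data passed inside the circuit. The application proxy has to be written with the same care as any network daemon, which is the point of the "proxies have to be written securely" slide that follows.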
Application proxy weaknesses
• Some proxies on an “application proxy”
firewall may not be application aware.
• Proxies have to be written securely.
Store and forward, or caching,
– Client asks firewall for document; the firewall
downloads the document, saves it to disk, and
provides the document to the client. The
firewall may cache the document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN, Squid
proxies; SMTP mail
Weaknesses of store & forward
– Store and forward proxies tend to be big new
programs. Making them your primary
connection to the internet is dangerous.
– These applications don’t protect the underlying
operating system at all.
– Caching proxies can require more administrator
time and hardware.
Network Address Translation
– NAT changes the IP addresses in a packet, so
that the address of the client inside never shows
up on the internet.
– Examples: Cisco PIX, Linux Masquerading,
Firewall One, ipfilter
Types of NAT
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs
• Many IPs inside to one IP address outside
• Transparent diversion of connections
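The NAT slides describe rewriting addresses so the inside client's address never appears on the Internet, in several flavours. The classes below are an added example, not code from the talk or from PIX, Linux masquerading or ipfilter; they model two of the listed types, many inside addresses to one public address (distinguished by port) and a static one-to-one mapping, and show why an unsolicited inbound packet has nowhere to go. The addresses used are constructed.

```python
class ManyToOneNat:
    """Port-based NAT: every inside host appears as one public address; ports tell flows apart."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an inside -> Internet packet; returns the (src, sport, dst, dport) sent onward."""
        key = (src, sport, dst, dport)
        if key not in self.out_map:
            pport = self.next_port          # allocate a fresh public port for this flow
            self.next_port += 1
            self.out_map[key] = pport
            self.in_map[(pport, dst, dport)] = (src, sport)
        return (self.public_ip, self.out_map[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reverse-translate an Internet -> inside packet, or None if no flow maps to it."""
        if dst != self.public_ip:
            return None
        inside = self.in_map.get((dport, src, sport))
        if inside is None:
            return None                     # unsolicited: no inside host is reachable this way
        return (src, sport, inside[0], inside[1])


class StaticNat:
    """One-to-one NAT: each inside address is fixed to its own public address."""

    def __init__(self, pairs):
        self.to_public = dict(pairs)
        self.to_inside = {pub: ins for ins, pub in pairs}

    def outbound(self, src, sport, dst, dport):
        pub = self.to_public.get(src)
        return None if pub is None else (pub, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        ins = self.to_inside.get(dst)
        return None if ins is None else (src, sport, ins, dport)
```

Note that the static mapping translates inbound packets for any port, so it hides the inside address but does not by itself deny new inbound connections; the many-to-one table does both, which is why the talk's opening assumption (outside cannot open connections unless allowed) comes for free with that type.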
Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols
– ICMP, IP options, FTP, fragments
• Can give out a lot of information about your
• May need a lot of horsepower
– Watches ethernet or router for trigger events,
then tries to interrupt connections. Logs
synopsis of all events.
– Can log suspicious sessions for playback
– Tend to be very good at recognizing attacks,
fair at anticipating them
– Products: Abirnet, ISS Real Secure,
SecureNetPro, Haystack Netstalker
Weaknesses of intrusion
– Can only stop TCP connections
– Sometimes stops things too late
– Can trigger alarms too easily
– Doesn’t work on switched networks
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
– Very programmer or administrator intensive
– Doesn’t prevent damage
– needs a stable environment to be useful
Types of logging
• program logging
• syslog /NT event log
– Argus, Network General, HP Openview,
• router debug mode
– A very good tool for tracking across your
• Logging almost all commercial firewall
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based on
– No good way to integrate log files from
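The logging slides above say that commercial firewall logging offers no tripwires and no pattern recognition. The code below is an added example, not from the talk or any product, showing how little it takes to add both on top of syslog output: it parses a constructed, syslog-style deny/pass log, flags a source that was refused on many distinct ports of one host, and raises a tripwire alert for any inbound attempt on ports that policy says nothing legitimate should touch. The log format, addresses and tripwire ports are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log format: syslog-style lines as a packet filter might emit them.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) fw: (?P<action>deny|pass) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
Mar 13 10:00:01 fw1 fw: pass tcp 10.0.0.5:40000 -> 192.0.2.10:80
Mar 13 10:00:02 fw1 fw: deny tcp 203.0.113.7:40001 -> 10.0.0.5:21
Mar 13 10:00:02 fw1 fw: deny tcp 203.0.113.7:40002 -> 10.0.0.5:22
Mar 13 10:00:02 fw1 fw: deny tcp 203.0.113.7:40003 -> 10.0.0.5:23
Mar 13 10:00:03 fw1 fw: deny tcp 203.0.113.7:40004 -> 10.0.0.5:25
Mar 13 10:00:03 fw1 fw: deny tcp 203.0.113.7:40005 -> 10.0.0.5:110
Mar 13 10:00:09 fw1 fw: deny tcp 198.51.100.9:51000 -> 10.0.0.2:23
Mar 13 10:00:10 fw1 fw: pass tcp 192.0.2.10:80 -> 10.0.0.5:40000
this line is not a firewall event
"""

TRIPWIRE_PORTS = {23, 1080}   # assumption: ports no outside party has any business touching


def parse_log(text):
    """Turn log text into event dicts; counts lines the parser could not read."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events, unparsed


def find_port_scans(events, threshold=5):
    """Pattern recognition: one source denied on >= threshold distinct ports of one host."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= threshold}


def tripwire_hits(events):
    """Tripwire: a single denied attempt on a tripwire port is an alert on its own."""
    return [(e["ts"], e["src"], e["dst"], e["dport"])
            for e in events if e["action"] == "deny" and e["dport"] in TRIPWIRE_PORTS]
```

The unparsed-line count matters as much as the alerts: a distillation script that silently skips lines it cannot read is one of the ways logs stop being useful for legal recourse.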
• All types of firewall are useful sometimes.
• The more compartments on the firewall, the
greater the odds of security.
• Belt & suspenders
• Webserver placement
• RAS server placement
• Partner network placement
• Internal information protection (intranet
Firewall deployment checklist
• Have list of what needs to be protected.
• Have all of the networks configured for the
• All rules are in place
• Logging is on.
What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better be
– If these services can’t be secured, what do you
have to lose?
• Day 0 Backups made?
• Are there any gaps between our stated
policy and the rules the firewall is
• A firewall works when an audit finds no
deviations from policy.
• Scanning tools are good for auditing
conformance to policy, not so good for
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific resources.
Minimal restriction, good
• Stateful packet filter, dmz, packet filter,
The Multimedia Nightmare
• secure multimedia & database content to be provided
to multiple Internet destinations.
• Web server is acting as authentication & security for
access to the Finance server.
Firewalls in multiple locations
– Identical proxies on both sides.
VPN over internal LAN
Low end, good security, for low
• Packet filter, “Sacrificial Goat” web server,
Application Firewall, bastion host running logging
& Store & Forward proxies
High end firewalls
• ATM switching firewalls
• Round robin gateways
– Don’t work with transparent proxies
• High availability
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– Dumb protocols
– LAN equipment & protocols showing up on the
– Over-hyped content filtering
More Firewall Trends
– blurring between packet filters & application
– more services running on the firewall
– High availability, fail-over and hot swap ability
– Statistics for managers
Firewall trends & “religious”
• Underlying OS for firewalls
– Any firewall OS should have little in common
with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify”
Source vs. Shrink-wrap
• Low end shrinkwrap solutions
• The importance of source
– Can you afford 1.5 programmer/administrators?
– Are you willing to have a non-employee doing
your security? (Whose priorities win?)
Downside of firewalls
• single point of failure
• difficult to integrate into a mesh network
• highlights flaws in network architecture
• can focus politics on the firewall