The only truly secure system is one that is powered off and locked in a windowless room protected by armed guards. As this is neither practical nor useful, security professionals are constantly looking for ways to allow systems to be functional yet still protected. Imagine your organization is like a castle – to defend it you want to be able to control who comes in and out. Most castles have walls with a limited number of gates. These gates create entry and exit points that can be monitored so the castle defenders can see who is coming in and who is leaving. Your organization’s network is a little like that castle as well – you want to be able to control and monitor traffic coming into or leaving your network as well.
A firewall is a hardware or software device that controls network traffic – it’s most commonly used to separate networks and control what traffic flows into or out of networks. Networks can have different levels of trust. For example, the Internet is a “low trust” network – there are all sorts of attackers and malicious traffic on the Internet. You absolutely don’t want to allow traffic to flow into and out of your network unmonitored or uncontrolled. Your internal network, where your users are, might be a “high trust” network in that you trust your peers inside your network to behave themselves and not generate malicious traffic. Chances are you will want your organization to be able to get to the Internet and this is where a firewall comes into play. A firewall can serve as that entry/exit point in the castle walls – controlling what traffic comes into or leaves your network.
In some cases you have systems you want people on the Internet to be able to get to – a web server, for example. You don’t really want to allow unsolicited traffic from the Internet to enter your trusted internal network, so you can create a “buffer” zone between your network and the Internet. This semi-trusted zone is often referred to as a DMZ or Demilitarized Zone. Traffic from the Internet is filtered, but some of it is allowed to reach systems in the DMZ (like web servers and mail servers). If an attacker succeeds in breaking into a system in your DMZ, they won’t gain access to your internal network, as traffic coming from the DMZ is filtered before being allowed into the internal network. To create a DMZ, you can use two firewalls (though some firewalls have multiple network interfaces and allow you to create a DMZ using a single hardware platform). Our illustration shows an outer firewall that separates the DMZ from the Internet and an inner firewall that separates the DMZ from the internal network. The outer firewall controls the traffic from the Internet to the DMZ. The inner firewall controls traffic from the DMZ to the internal network.
A software firewall is a software package that helps filter network traffic on the system where the software is running. Software firewalls are usually called “host based” firewalls as they can only protect the system, or host, on which they are running. There are many commercially available software firewalls from vendors such as McAfee and Symantec, but most modern operating systems (such as Vista and Mac OS X) come with built-in software firewalls that provide traffic filtering capabilities. Once a software firewall is loaded or enabled, it is often configured to simply reject all traffic coming to the system (except responses to traffic the system generated first). Most software firewalls can be configured to let certain types of traffic in and reject others. For example, you might allow instant message traffic to reach your system but not allow someone to scan your system for other services.
A hardware firewall is a physical device that sits “in-line” on your network connection. As the diagram shows, the firewall connects your PC(s) to the Internet, and network traffic must pass through the firewall before it can go from the Internet to your PC and vice versa. Many firewalls perform Network Address Translation (NAT). NAT is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another. Put simply, NAT uses private IP addresses behind the firewall and public IP addresses in front of the firewall to talk to the Internet. This allows you to have many systems behind the firewall that all use the same public IP address to talk to the Internet. Private IP addresses (defined by RFC 1918, http://tools.ietf.org/html/rfc1918) are not routed across the Internet – this helps to “hide” your internal network from outsiders. Like software firewalls, hardware firewalls typically have to be configured to work properly for your environment. Many hardware firewalls are configured to block all incoming traffic (except responses to traffic from systems protected by the firewall), and rules (sometimes called “access lists” or “access control lists”) must be defined to specify what traffic is allowed through the firewall or to the DMZ.
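The following is an added example, not code from the slides: a small Python model of NAT (port address translation) that shows how several RFC 1918 hosts share one public address and why an inbound packet with no matching translation entry never reaches an internal host. The public address 203.0.113.1, the private hosts and the Internet addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never routed on the Internet, so they must be
# translated to a public address before a packet leaves the firewall.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    return any(ip_address(addr) in net for net in PRIVATE)

class PatTable:
    """Port address translation: many private hosts behind one public IP."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite a private source to the shared public address and a fresh port."""
        if not is_private(src):
            raise ValueError(f"{src} is not RFC 1918 space; nothing to translate")
        key = (src, sport)
        if key not in self.out:           # one public port per private flow
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Map a packet for the public address back to the private host that
        started the flow; with no matching entry it is dropped (returns None)."""
        if dst != self.public_ip or dport not in self.back:
            return None
        priv_ip, priv_port = self.back[dport]
        return (src, sport, priv_ip, priv_port)

def demo():
    # Constructed addresses: 203.0.113.1 is the firewall's public side,
    # 198.51.100.7 an Internet web server (both are documentation ranges).
    nat = PatTable("203.0.113.1")
    a = nat.outbound("10.0.0.5", 51000, "198.51.100.7", 80)
    b = nat.outbound("10.0.0.6", 51000, "198.51.100.7", 80)   # same private port, other host
    reply = nat.inbound("198.51.100.7", 80, "203.0.113.1", a[1])
    unsolicited = nat.inbound("198.51.100.9", 40000, "203.0.113.1", 22)
    return a, b, reply, unsolicited
```

The two internal hosts both use local port 51000 yet get distinct public ports, and the unsolicited packet to port 22 has no table entry, so the firewall has nowhere to forward it.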
Firewalls can use different methods when examining and filtering network traffic. While most commercial firewalls combine techniques or have the ability to perform filtering on multiple levels, the basic categories of filtering techniques are:

Packet filtering: Packet filtering (also called network layer filtering) examines packets based on data elements in the packets themselves: things like source and destination IP address, TCP vs. UDP, what service the packet is coming from or going to, and so on. Administrators create a “ruleset”, which is essentially a list of what traffic is allowed to pass through the firewall and where that traffic is allowed to go. For example, web requests may be allowed to reach the web server but not the mail server.

Application layer filtering: Application layer filtering looks at packets in the context of what application or service they are being used for. For example, web traffic that is part of an existing session may be allowed through while FTP sessions may not. Application layer filtering can typically examine the traffic to make sure it is what it is supposed to be, i.e., that web traffic really is web traffic and not FTP traffic simply using TCP port 80. Application layer filtering is more complex and requires more memory, processor speed, and storage space than packet filtering.

Proxy devices: Firewalls can also act as proxy devices. A network proxy, much like a proxy in any other capacity, acts as a go-between. The firewall may accept packets for a mail server, examine them to make sure there are no viruses or malicious traffic, and then forward them on to the mail server. This helps protect the mail server, as there is no direct, public access to it: all the traffic must go through the proxy.
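As an added example (not code from the slides or from CyberPatriot), here is a toy stateful packet filter in Python that encodes the two-firewall DMZ policy described earlier together with the packet-filtering ruleset idea above, including the "responses to traffic the system generated first" exception. The zone address ranges, the host addresses and the rules themselves are assumptions constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Constructed topology: 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges (TEST-NET); 10.0.0.0/8 is RFC 1918 private space.
ZONES = {"internet": ip_network("0.0.0.0/0"),    # catch-all, lowest trust
         "dmz": ip_network("192.0.2.0/24"),      # semi-trusted buffer zone
         "internal": ip_network("10.0.0.0/8")}   # high-trust user network
Packet = namedtuple("Packet", "src sport dst dport proto")

def zone_of(addr):
    # Most specific matching zone wins; anything else falls into "internet".
    ip = ip_address(addr)
    return max((n for n, net in ZONES.items() if ip in net), key=lambda n: ZONES[n].prefixlen)

# The slides' DMZ policy as a first-match ruleset: Internet may reach DMZ web/mail, internal
# may reach the DMZ, the DMZ may reach only the Internet. None means "any"; unmatched = deny.
RULES = [("internet", "dmz", "tcp", 80, "allow"),
         ("internet", "dmz", "tcp", 25, "allow"),
         ("internal", "dmz", None, None, "allow"),
         ("dmz", "internal", None, None, "deny"),
         ("dmz", "internet", None, None, "allow"),
         ("internal", "internet", None, None, "allow")]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # 5-tuples of flows an allow rule has admitted

    def decide(self, pkt):
        # A reply to an admitted flow passes without consulting the rules: the
        # "except responses to traffic the system generated first" behaviour.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "allow"
        zones = (zone_of(pkt.src), zone_of(pkt.dst))
        for from_zone, to_zone, proto, dport, action in self.rules:
            if (from_zone, to_zone) == zones and proto in (None, pkt.proto) and dport in (None, pkt.dport):
                if action == "allow":
                    self.sessions.add(tuple(pkt))
                return action
        return "deny"   # implicit default deny

def demo():
    fw = StatefulFilter(RULES)
    client, web, mail, desk = "198.51.100.7", "192.0.2.10", "192.0.2.25", "10.1.2.3"
    return [fw.decide(Packet(client, 40000, web, 80, "tcp")),   # Internet -> DMZ web: allow
            fw.decide(Packet(web, 80, client, 40000, "tcp")),   # reply to that flow: allow
            fw.decide(Packet(client, 40001, web, 22, "tcp")),   # no matching rule: deny
            fw.decide(Packet(web, 51000, desk, 445, "tcp")),    # DMZ -> internal: deny
            fw.decide(Packet(desk, 51001, mail, 143, "tcp")),   # internal -> DMZ: allow
            fw.decide(Packet(web, 51002, client, 443, "tcp"))]  # DMZ -> Internet: allow
```

Note that the fourth packet is denied even though the DMZ web server is a "known" host: the inner firewall's rule is about direction of initiation, which is exactly what limits the damage if a DMZ host is compromised.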
Some firewalls, typically host-based firewalls, are self-learning – they can adapt to the traffic patterns generated by the users. These firewalls will typically monitor network traffic and, when they see a new traffic pattern, will prompt the user for a decision – should this traffic be allowed to pass in/out of your PC or not? In this manner the firewall's rule list can be tuned by the user as they go about their regular activities. This method has its own issues, though. In order to be effective, the user must know what various traffic patterns mean and must be able to determine whether or not that traffic is potentially harmful. This presents a problem, as the average user will not know how to respond when the firewall asks them “Application XYZ is attempting to communicate on TCP port 2375 – allow this traffic (Y/N)?”. To solve this issue, some firewalls use White Lists and Black Lists. A White List is a list of known, good traffic that can be safely passed through the firewall. A Black List is a list of known, bad traffic that should not be allowed through the firewall. In the end, though, a self-learning firewall is still reliant upon a knowledgeable user to help complete and tune the firewall’s ruleset.
Many security vendors bundle their security products together so you end up with an anti-virus, anti-spyware, and firewall solution all in one product. A firewall alone is not enough to protect your computer from malware – much like the castle example from earlier, you need walls, guards, a moat, and so on to have a secure castle. Firewalls, especially network firewalls, cannot filter traffic that does not pass through them. If your organization has a network firewall, that device can’t examine traffic such as wireless traffic or someone using a modem to connect to the Internet. Firewalls also can’t protect against malware brought in on infected CDs, USB keys, iPods, and so on.
Objective
<ul><li>To provide background on hardware and software firewalls, how they work and how they should be configured.</li></ul>
Background
<ul>
<li>To create the most secure environment for our information systems, we would like to lock them up somewhere and not connect them to the Internet!
<ul><li>Not practical or useful</li></ul></li>
<li>Let's create a place (much like the gate in a walled castle) where we force all of the traffic to enter and/or leave, and where we can closely observe it</li>
</ul>
Firewalls
<ul>
<li>A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network which has different levels of trust</li>
<li>A firewall's basic task is to transfer traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust.</li>
</ul>
http://en.wikipedia.org/wiki/Firewall
Firewalls
<ul><li>A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized Zone (DMZ)</li></ul>
Demilitarized Zone
<ul>
<li>Connections from the internal and the external network to the DMZ are permitted, while connections from the DMZ are only permitted to the external network — hosts in the DMZ may not connect to the internal network.</li>
<li>This allows the DMZ's hosts to provide services to both the internal and external network while protecting the internal network in case intruders compromise a host in the DMZ.</li>
<li>The DMZ is typically used for connecting servers that need to be accessible from the outside world, such as e-mail, web and DNS servers.</li>
</ul>
http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29
Software Firewall
<ul>
<li>Software loaded on a PC that performs a firewall function.
<ul><li>Protects ONLY that computer</li></ul></li>
<li>There are many commercially available software firewall products.</li>
<li>After loading on a PC, it may have to be configured correctly in order to perform optimally.</li>
<li>Many operating systems contain a built-in software firewall</li>
</ul>
[Figure: PC with software firewall connected to the Internet]
Hardware Firewall
<ul>
<li>Hardware device located between the Internet and a PC (or PCs) that performs a firewall function
<ul><li>Protects ALL of the computers that it is behind</li></ul></li>
<li>Many have a subnet region of lesser security protection called a Demilitarized Zone (DMZ).</li>
<li>May perform Network Address Translation (NAT), which provides hosts behind the firewall with addresses in the "private address range". This functionality hides the true addresses of protected hosts and makes them harder to target.</li>
<li>There are several commercially available hardware firewall products.</li>
<li>After installation, it may have to be configured correctly in order to perform optimally.</li>
</ul>
[Figure: Internet, hardware firewall, DMZ, and the protected PCs behind the firewall]
Firewall Types
<ul>
<li>Packet Filters, also called Network Layer Firewalls, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established ruleset. The firewall administrator may define the rules, or default rules may apply.</li>
<li>Application-Layer Firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application while blocking other packets. In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.</li>
<li>A Proxy device acts as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. They make tampering with an internal system from the external network more difficult.</li>
</ul>
http://en.wikipedia.org/wiki/Firewall
Firewall Configuration
<ul>
<li>Self-learning: some software firewalls will prompt the user as connection attempts occur (in-bound and out-bound) and ask for permission.</li>
<li>Some require subscription to White/Black Lists.</li>
<li>Many require (or can be configured so) that allowable ports and/or IP addresses be listed.
<ul><li>Access Control List (ACL)</li>
<li>Requires a “knowledgeable” user</li></ul></li>
</ul>
Firewall Issues
<ul>
<li>Some firewalls can also help protect against other problems such as viruses, spam, etc.
<ul><li>However, just because you have a firewall, don’t believe you are fully protected against malware.</li></ul></li>
<li>Firewalls CANNOT protect against traffic or software that does not come through them.
<ul><li>Unauthorized connections (modem, wireless, etc.)</li>
<li>Malware delivered via CD, DVD, thumb drives, etc.</li></ul></li>
</ul>
Summary
<ul><li>In this section we have tried to provide some background on hardware and software firewalls, how they work and how they should be configured.</li></ul>
List of References
<ul>
<li>http://en.wikipedia.org/wiki/Firewall</li>
<li>http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29</li>
<li>http://www.htmlgoodies.com/beyond/security/article.php/347320</li>
<li>http://www.pcstats.com/articleview.cfm?articleID=1618</li>
<li>http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx</li>
<li>http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx</li>
</ul>
CyberPatriot wants to thank and acknowledge the CyberWatch program, which developed the original version of these slides and has graciously allowed their use for training in this competition.