RPANetwork Internet Firewall Tutorial
A White Paper, July 2002
What a Firewall Does

Computer networks are generally designed to do one thing above all others: allow any computer connected to the network to freely exchange information with any other computer also connected to the same network.

In an ideal world, this is a perfect way for a network to operate, facilitating universal communications between connected systems. Individual computers are then free to decide who they want to communicate with, what information they want to allow access to and which services they will make available. This way of operating is called "host based security", because individual computers, or hosts, implement the security mechanisms. The Internet is designed in this way, as is the network in your office.

In practice, individual computers on, say, an office network are not terribly good at defining and securely enforcing a consistent security policy. They run very complex, and therefore by definition error prone, software systems, and it is very difficult to ensure that they are consistently kept secure, much less that their users obey basic advice like choosing difficult to guess passwords etc.

This situation may be adequate where individual users on a network have a similar level of trust, such that there is little chance or motive for a user to subvert host security: for example a small company network where everyone with physical access is trusted (e.g. employees).

Once that network is connected to other networks where the trust relationships simply do not exist in the same way, other mechanisms need to be put in place to provide adequate security by protecting resources on the trusted network from potential access by attackers on the un-trusted part of the network.

The way this is done is by partially breaking connectivity at the network level, so that nodes on the trusted and untrusted parts of the network can no longer freely exchange information in an unfettered way. The device which does this is called a "Firewall", by reference to the analogue in American automobile engineering, where the Firewall is a thick steel plate barrier between engine and passenger compartments which prevents a fire in the former spreading to the latter. I suppose that if this particular piece of technology had been invented on the English side of the Atlantic, it would have been called a "bulkhead" instead!

How It Works

A Firewall disrupts free communication between trusted and un-trusted networks, attempting to manage the information flow and restrict dangerous free access.

There are numerous mechanisms employed to do this, each one lying somewhere between completely preventing packets flowing, which would be equivalent to completely disconnected networks, and allowing free exchange of data, which would be equivalent to having no Firewall.

In order to understand how each of these works, it is first necessary to understand the basics of how data moves across the Internet.

Protocols: TCP/IP

The underlying way that data moves across the Internet is in individual packets called Internet Protocol (IP) datagrams. Each packet is completely self contained, and has the unique address of the originating computer (source address) and of the intended recipient computer (destination address). On its journey between the source and destination, the packet is forwarded by routers which simply forward it on, one hop at a time, to its destination. In a non-Firewall environment these packets flow freely between the two machines.

TCP

To have a complete conversation in order to, e.g., send an e-mail or view a web page, a sequence of packets is grouped together using something called Transmission Control Protocol (the TCP bit of TCP/IP).

Under TCP a complete conversation looks something like this:

[Diagram: a TCP conversation between a host on the Trusted Network and a host on the Untrusted Network, passing through the Firewall. "Let's talk" (TCP SYN packet); "Happy to talk" (TCP SYN ACK packet); "OK, we're talking" (TCP SYN ACK packet); "bytes 1 of my data" (TCP data segment); "bytes 2 of my data" (TCP data segment); "acknowledge your bytes 1" (TCP ACK packet); "acknowledge your bytes 2" (TCP ACK packet); "I'm finished, no more to send" (TCP FIN ACK); "I'm finished too, no more to send" (TCP FIN ACK).]

The data part above would contain the higher level protocol which actually sends an e-mail, or requests and gets the contents of a web page.

About the Author

Rob Pickering's involvement in the field of Internet security started in the 1980s when he was involved in developing implementations of the Internet TCP/IP protocol suite. He also designed and implemented one of the earliest commercial Internet connections in the UK, at a time before the widespread availability of commercial firewalls. He has worked on Internet security strategy and implementation for major organisations like 3Com, as well as lecturing widely on computer security issues.
In order to connect to the right service on a particular host, a special identifier called a "port number" is used, which routes the exchange through to the correct application program on the server end of the connection. For example, by convention, web requests are directed at port 80, and incoming e-mails involve a connection to port 25.

Simpler Requests: UDP

TCP is a bit cumbersome for simple requests, so a streamlined protocol called User Datagram Protocol also exists. This doesn't have the same connection setup overhead and tends to be used for simpler conversations which perhaps only involve a simple information exchange, which may be repeated if packets are lost and things go wrong.

A domain name service request, used to get an IP address for a host name, is an example of a UDP exchange:

From A to N: UDP: Q:
From N to A: UDP: A:

A similar port mechanism is used in UDP to route packets to the appropriate application on the host.

Determining Conversation Details

If asked to write down, in English, a security policy that we would like our Firewall to implement, it would probably look something like:

"Allow internal users to access external www servers, but do not allow external users to access our Intranet server".

In order to implement this policy, our Firewall needs to be able to examine packets and determine whether they belong to a conversation which should be allowed, or one which should be blocked.

To do this, it basically needs to know two things:

  • The application being connected to.
  • The direction of the conversation.

The first of these can be guessed from the port number on the receiving end of the connection. For example, by convention, WWW servers run by default on port 80, e-mail servers run on port 25, etc.

Somewhat harder (and crucial to the above) is to determine the direction of the conversation. Whilst each packet flowing through the Firewall is a self contained unit, by examining the sequence it is possible to see what the overall direction of the conversation is (i.e. who initiated it).

From the TCP transaction diagram it can be seen that the initial "Let's talk" TCP SYN packet is always seen coming from the originator of the connection, to the destination service.

Our Firewall could then implement the above security policy by translating it to the following network level operations:

  • If the packet is a TCP SYN from any inside address to any outside address, port 80, allow it through.
  • If the packet is a TCP SYN from any outside address to any inside address, port 80, block it.
  • Allow through all other packets.

As we will see later, this trivial algorithm isn't ideal, but it is at least a faithful implementation of the security policy shown earlier (the bug is in the security policy, not the implementation!).

Types of Firewall

There are a number of different kinds of technique which may be employed by a Firewall in order to correctly identify a conversation and act on it.

The techniques used by a particular Firewall have an impact on the accuracy with which it can identify traffic and the level of sophistication of the checks it can implement, but also on its complexity, and therefore its cost and the likelihood that it incorporates bugs.

Packet Filter

The network level operations corresponding to the security policy above were actually an example of a simple packet filter.

A Firewall implementing a packet filter looks at one packet at a time, and considers it in isolation in order to make a forwarding decision.

Because of the way that a packet filtering Firewall works, it can implement only a restricted range of filtering decisions. The principal limitations of packet filtering are:

  • TCP connections can be filtered on port and direction in order to implement simple directional traffic rules keyed on port number only.
  • It is not possible to completely filter TCP packets which aren't valid, or don't form part of an active connection.
  • It is not possible to fully filter UDP connections to ensure that they are part of a valid conversation.

The latter restriction is a fairly serious drawback of packet filtering. It means the Firewall implementor is left with the choice of either completely blocking UDP transactions, or accepting that packets may traverse the Firewall which should not be allowed through.

Glossary

BSD: Berkeley Software Distribution - a derivative of the UNIX operating system developed under a contract from the US Department of Defense, and made publicly available when the project was wound up in the late 80s. Used very widely as a secure operating system, and as the basis of many commercial firewalls and security products.

DMZ: Demilitarised Zone - a special network which is used for computers which need to be connected to from the Internet.

IP: Internet Protocol - lowest level packet format of the Internet; contains basic details about where the data came from and where it is going to.

NAT: Network Address Translation - technique that allows an internal network to use private, self managed IP addresses but still talk to other Internet systems with real addresses.

Port number: an identifier carried in a TCP or UDP packet which identifies which process or application within a host the conversation is addressed to.

SMTP: Simple Mail Transport Protocol - the application layer protocol used to send mail over the Internet.

TCP: Transmission Control Protocol - key reliable Internet protocol over which applications like web, e-mail etc. are all carried.
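As an added illustration (not code from the paper), the three network level rules listed under "Determining Conversation Details" implemented as a stateless packet filter in Python and run over a constructed packet trace. The addresses, the Packet fields and the trace are assumptions; the trace is built to show the two packet filter limitations just listed, plus the gap the paper attributes to the policy itself rather than the implementation.

```python
from dataclasses import dataclass

# Constructed addressing: the trusted network is 10.0.0.0/24, the Intranet web
# server is 10.0.0.5, outside addresses are taken from the documentation ranges.
INSIDE_PREFIX = "10.0.0."
INTRANET = "10.0.0.5"
EXT_WWW = "198.51.100.7"
OUTSIDER = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source address
    dst: str          # destination address
    dport: int        # destination port, i.e. the service being connected to
    flags: str = ""   # TCP flags as named in the paper's diagram, e.g. "SYN"


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: each packet is judged in isolation using only the
    three rules the paper derives from its English security policy."""
    is_syn = pkt.proto == "tcp" and pkt.flags == "SYN"
    if is_syn and is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return "allow"   # rule 1: inside user opening a connection to an outside www server
    if is_syn and not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.dport == 80:
        return "block"   # rule 2: outside host opening a connection to our Intranet server
    return "allow"       # rule 3: everything else passes


# Constructed trace: one legitimate session opener, one attempt the policy
# forbids, and three arrivals the stateless rules cannot tell apart from
# legitimate traffic.
TRACE = [
    ("inside user opens external www",      Packet("tcp", "10.0.0.20", EXT_WWW, 80, "SYN")),
    ("outsider opens Intranet port 80",     Packet("tcp", OUTSIDER, INTRANET, 80, "SYN")),
    ("outsider sends ACK-only to Intranet", Packet("tcp", OUTSIDER, INTRANET, 80, "ACK")),
    ("unsolicited UDP to an inside host",   Packet("udp", OUTSIDER, "10.0.0.20", 53)),
    ("outsider opens Intranet port 25",     Packet("tcp", OUTSIDER, INTRANET, 25, "SYN")),
]


def run_filter(trace) -> dict:
    """Apply the filter to every packet and return {label: decision}."""
    return {label: packet_filter(pkt) for label, pkt in trace}


def unwanted_but_allowed(trace) -> list:
    """Labels of packets from outside that the filter lets through: a TCP segment
    belonging to no connection, a UDP datagram nobody asked for (the paper's
    second and third limitations), and a port the policy never mentions."""
    return [label for label, pkt in trace
            if packet_filter(pkt) == "allow" and not is_inside(pkt.src)]


if __name__ == "__main__":
    for label, decision in run_filter(TRACE).items():
        print(f"{decision:5}  {label}")
```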
In the face of this, the only safe option is to block external to internal UDP transactions when using a packet filtering Firewall.

Although the above drawbacks may seem significant, there are also some quite strong advantages to a basic packet filtering Firewall:

  • It is simple to implement, which means that it is much less likely that exploitable bugs exist in the Firewall code.
  • The same simplicity means that rule sets tend to be less complex, and again are less likely to contain unintentional access routes.
  • It can be implemented on relatively inexpensive hardware, meaning that simple, cheap boxes can do packet filtering for very large numbers of user connections.

Stateful Inspection

Stateful inspection takes the basic principles of packet filtering and adds the concept of history, so that the Firewall considers packets in the context of previous packets.

So, for example, it records in an internal table when it sees a TCP SYN packet, and in many implementations will only allow TCP packets that match an existing conversation to be forwarded to the network.

This has a number of advantages over simpler packet filtering:

  • It is possible to build up Firewall rules for protocols which cannot be properly controlled by packet filtering (e.g. UDP based protocols).
  • More complete control of traffic is possible.

Equally, there are some disadvantages to a stateful inspection solution, in that the implementation is necessarily more complex and therefore more likely to be buggy.

It also requires a device with more memory and a more powerful CPU etc. for a given traffic load, as information has to be stored about each and every traffic flow seen over a period of time.

Network Address Translation

This is not really a Firewall technology at all, but is often confused with one! NAT is a pragmatic solution to the issue of IP address limitations.

When a network is connected to the Internet, the computers on that network need to be given addresses so that other computers on the Internet can send packets to them.

Because IP addresses are a somewhat limited resource, and have to be unique across the globe, they are assigned hierarchically by a central authority and passed down in blocks to service providers, who then make them available to their customers.

As an end customer this has some implications if you are to apply for and get sufficient IP addresses for your network:

  • You need to be prepared to justify the need for all the IP addresses you will use in terms of the number of computers you have, or will have - it is not possible to obtain 10 times as many IP addresses as you need simply for administrative convenience.
  • There is a bureaucratic overhead that both you and your ISP need to be prepared to undertake.
  • Unless you are a very large organisation with thousands of computers which can justify a direct allocation of addresses, you will need to do this all over again when you change providers.

Many organisations and ISPs choose to sidestep these issues by allocating only a single global IP address to the customer, who then installs a NAT device at the end of the connection and uses self allocated private addresses on their internal network.

The way that NAT works is very similar to stateful inspection firewalling, but with the added twist that the Firewall modifies the address part of all packets on the way through.

The NAT gateway sees an outgoing packet from an internal private address to an external global Internet address. It makes a note of the (internal, private) source address of the packet, and the destination server address and port number. It then overwrites the source IP address with its own single global Internet address and sends it on towards the Internet.

The remote server receives the packet with the NAT gateway's address as the originator, and directs its replies at this address.

When the reply packet arrives back at the NAT gateway, it looks up the address and port number in its table, works out what the (internal) address of the real originator was, substitutes this into the destination address and forwards the packet on through the internal network.

Limitations of NAT

Although NAT is an extremely convenient way to avoid IP address allocation issues, the technique itself does have some limitations.

Firstly, most simple NAT gateways can only deal with substituting addresses which occur at the start of the packet, in an area called the header.

The designers of Internet application protocols never really envisaged the use of NAT, and some applications themselves use the address of the computer they are talking to and bury it in the application data part of the packet. Unless the NAT gateway knows how to interpret the application data as well as the Internet headers for these protocols, they will not operate properly in a NAT environment.

Examples of protocols that have this problem include FTP (File Transfer Protocol), and a protocol called H.323 which is used extensively by Microsoft NetMeeting and similar audio/video applications. Problems with NAT and FTP are easily dealt with by using a protocol mode called passive FTP, which doesn't have the same issues with NAT. Unfortunately the H.323 protocol issues are more fundamental, and you may well find that this protocol will not work with most NAT gateways.
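The stateful inspection table and the NAT rewriting described above, as an added Python sketch that is not code from the paper or from any product: a single connection table serves both jobs, outbound packets create or match an entry and have their source rewritten to the gateway's address, and inbound packets are forwarded (and rewritten back to the real originator) only when they match an entry. The gateway's global address, the private range, the Packet fields and the sequential port pool are assumptions.

```python
from dataclasses import dataclass, replace

NAT_GLOBAL = "192.0.2.1"   # constructed: the gateway's single global Internet address
INSIDE_PREFIX = "10.0.0."  # constructed: private addresses used on the internal network


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "SYN" or "SYN,ACK"


class StatefulNatGateway:
    """Stateful inspection plus NAT as the paper describes them: remember each
    conversation started from the inside, rewrite outbound sources to our own
    address, and forward inbound packets only if they match a remembered flow."""

    def __init__(self):
        # global port -> (internal addr, internal port, server addr, server port, proto)
        self.table = {}
        self.next_port = 40000   # assumption: a simple sequential port pool

    def _find(self, pkt):
        """Global port already assigned to this outbound flow, or None."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return next((g for g, e in self.table.items() if e == key), None)

    def outbound(self, pkt):
        """Internal -> Internet. Returns the rewritten packet, or None if dropped."""
        if not pkt.src.startswith(INSIDE_PREFIX):
            return None                 # not from the trusted side: ignore it
        gport = self._find(pkt)
        if gport is None:
            # Only a SYN may start a new TCP conversation; a UDP datagram starts
            # its own. Anything else with no history behind it is dropped.
            if pkt.proto == "tcp" and pkt.flags != "SYN":
                return None
            gport = self.next_port
            self.next_port += 1
            self.table[gport] = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return replace(pkt, src=NAT_GLOBAL, sport=gport)

    def inbound(self, pkt):
        """Internet -> internal. Forward only replies to a remembered conversation,
        with the destination rewritten back to the real originator."""
        entry = self.table.get(pkt.dport) if pkt.dst == NAT_GLOBAL else None
        if entry is None:
            return None                 # unsolicited: nothing inside asked for this
        isrc, isport, server, sport, proto = entry
        if (pkt.src, pkt.sport, pkt.proto) != (server, sport, proto):
            return None                 # right port, wrong peer: still unsolicited
        return replace(pkt, dst=isrc, dport=isport)


def demo():
    """Walk a web fetch and a DNS lookup through the gateway, then two arrivals
    from an outsider that nothing inside asked for. Returns {label: result}."""
    gw = StatefulNatGateway()
    return {
        "syn out":            gw.outbound(Packet("tcp", "10.0.0.20", 51000, "198.51.100.7", 80, "SYN")),
        "syn-ack back":       gw.inbound(Packet("tcp", "198.51.100.7", 80, NAT_GLOBAL, 40000, "SYN,ACK")),
        "dns query out":      gw.outbound(Packet("udp", "10.0.0.20", 53001, "198.51.100.53", 53)),
        "dns answer back":    gw.inbound(Packet("udp", "198.51.100.53", 53, NAT_GLOBAL, 40001)),
        "probe to open port": gw.inbound(Packet("tcp", "203.0.113.9", 4444, NAT_GLOBAL, 40000, "ACK")),
        "unsolicited udp":    gw.inbound(Packet("udp", "203.0.113.9", 53, NAT_GLOBAL, 40002)),
    }
```

The two stateless-filter gaps (a TCP segment outside any connection, an unsolicited UDP datagram) both come back as None here, because the table holds no conversation that asked for them.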
Security Implications of NAT

It is a widely held belief that the presence of NAT, and the use of private internal addresses, renders a network immediately secure. This is a most dangerous notion!

The basis of this is that with outgoing only NAT, an attacker cannot connect directly to a machine on the internal network, even if the Firewall rules are accidentally configured to allow this. The reasoning then goes that, seeing as the Firewall is now fail-safe, the network is invulnerable.

The problem with this assertion is that its assumption that outgoing only NAT will be the only thing enabled is often false, and it ignores the possibility that an attacker will compromise the network not by making a direct connection at a packet level with an internal host, but will instead find another mechanism to make it call him.

Outgoing Only Solution

Many simple Firewall solutions are sold by ISPs and system resellers on a "fit and forget" basis, on the assumption that a simple, cheap packet filter or stateful inspection device is perfectly secure so long as it incorporates NAT and is configured to allow only outbound connections.

The problem with this approach is that in order to do anything useful, the first thing most users need to do is open holes, or reverse NAT connections to internal servers.

Once this is done, the Firewall's protection can be entirely sidestepped by an attacker, and information on the internal network is no longer particularly secure.

Holes and Incoming Traffic

An example of the kind of hole which is typically opened up in a Firewall is that necessary for mail delivery.

On the Internet, a protocol called SMTP is used to deliver between mail servers. This works in effect by the mail sender's machine connecting to the mail recipient's server and pushing the e-mail.

In order to accept mail from the Internet onto a local mail server it is usual to open up a hole which allows any server to connect to the local mail server.

This will often be justified using logic which says that this is only a small hole to one specific service on one specific host, and the rest of the internal network is still fully protected by the Firewall "outbound only" rule.

Unfortunately what this does is open up the internal mail server to any attack that is possible against the software installed on it, and if this is at all complex, there will be lots of potential attacks.

As an example, a recent search on Bugtraq (an industry source of application vulnerability data) against a popular mail server, Microsoft Exchange, showed that there had been 4 major vulnerabilities discovered just between March and July.

Many of these vulnerabilities would have allowed a remote hacker not only to gain unauthorised access to the server itself, but also to then use it as a launch point to attack any other system on the network, just as if the Firewall wasn't there.

No Holes: the Demilitarised Zone

The classic solution to the problem of opening up holes in the network perimeter to allow access to services is the Demilitarised Zone or DMZ. Named after the buffer zone between opposing forces in a military peacekeeping scenario, the DMZ is a special separate network of servers to which external untrusted hosts have access, but which have no access to the Internal network.

Large enterprise Internet access and Firewall systems always incorporate at least one level of DMZ, as this is seen as essential to preventing the vulnerabilities described above which are inherent in opening up holes in the Firewall onto the internal network.

The issue with this solution for the medium sized or smaller enterprise is one of cost. A typical DMZ solution requires at least three devices: the external Firewall, the internal Firewall, and the DMZ server machine. This means of course three times the cost, which may not be feasible or proportionate for a small organisation wishing to secure its ADSL connection.

Glossary (continued)

UDP: User Datagram Protocol - a simple Internet transport protocol which conveys trivial repeatable requests and responses between client and server in a very efficient but less reliable way.

Vulnerability: In a computer security context, a specific defect or "hole" in an application which is known to hackers and allows them to subvert security or take control of a computer.
Application Proxies

Another mechanism for controlling risks when internal servers must allow connections with the Internet is to use a technique called Application Proxies on a single external firewall.

These work by terminating the external connection at a special service within the firewall. As the name suggests, this service acts as a proxy for the real server, implementing the application protocol in the same way as the real server running on the internal network. It forms a connection to the internal server, only passing on application protocol elements that pass its strict checks of correctness.

This way, most mechanisms for subverting the internal application server are blocked.

Using an application proxy is not without difficulty, as their complexity tends to mean that they need to be implemented on firewalls which are significantly more powerful than the relatively simple systems used for basic packet filters. This, and the fact that such firewalls are typically sold to "Enterprise" customers, means that their cost is often uneconomic for small businesses.

Application proxy firewalls also tend to require frequent software updating to ensure that they are running the latest versions of the proxy code. This occurs both when new exploits are identified which need to be blocked, but also when problems occur in interactions between the proxy and widely deployed applications (in other words, when the proxy is actually breaking an otherwise working connection due to over strict or even erroneous checking).

A More Manageable Solution

Given that a full blown DMZ design, or the high deployment and management costs of an application proxy firewall, are usually not economic for businesses of 1-1000 employees with broadband Internet connectivity, a better solution is required.

A managed solution bridges the gap between ineffective "hope for the best" fit and forget firewalls, and adequate, if expensive, "Enterprise" DMZ and proxy systems.

How These Work

Taking a range of fixed, but immediately secure and useable, firewall configurations, it is possible to provide fully managed firewall and network systems for a simple, low, fixed initial setup and monthly managed solution cost.

Typical Solution

Most organisations really don't want or need to invest in their own Internet server systems at all. As an example, a typical configuration with extremely low cost of ownership is a managed mail server solution where we provide and manage both the firewall and the customer's own mail server as a managed service. Based on the secure BSD operating system, all of the systems are initially set up, and continually monitored, as part of the managed service.

[Diagram: a DSL Router connected to the Firewall; a Virtual DMZ holding the Mail Server; and the internal network of Desktops behind the Firewall.]

The managed solution provides both the firewall and e-mail server as a maintenance and risk free solution, leaving you to provide just the network connectivity and desktop network to which the secure systems are connected.

Other Solutions

The fully managed approach lends itself to the accessible provision of a full range of services which are normally associated with large enterprise networks.

Virtual Private Networks

Using cost effective managed services, the provision of VPN systems allowing safe and cost effective sharing of information between multiple office and mobile workers becomes something accessible to even the smallest business.

Combined managed Firewall and VPN nodes provide the latest secure IPSec encryption technology, which gives you assurance that your confidential data cannot be accessed in transit. The managed dimension means you know that the network is being continually monitored for problems by experts, and software kept up to date to meet evolving threats.

Finding Out More...

For information on secure managed solutions, please visit the RPANetwork site at

Alternatively feel free to call Rob Pickering directly on 0845 644 2805 at any time, or e-mail him at