Ch 8 Configuring Firewalls - Network Sec
Block these communications
-All ICMP from the Internet
-Any traffic directed at the firewall
-Any traffic to known closed ports
-Any traffic to ports used by known malware, e.g. 31337, used by Back Orifice
-Inbound TCP 53, to block external DNS zone transfer requests
-Inbound UDP 53, to block external DNS user queries
-Any traffic from IP addresses on a blacklist
-Any traffic from internal IP addresses that are not assigned
Defining Firewall Rules
-Keep the rule set simple: fewer complications, fewer loopholes, easier to test, harder to attack
-Document every rule actively filtering traffic: include the "intention and purpose" of the rule
-Use a change control mechanism to track rule modifications: the last change made probably caused the break, so make it easy to find the last change
-Always confirm the default deny before using changed rule sets: the final rule in the set should always be default deny, and it is never changed
Downside of Encryption with Firewalls
A firewall is typically not the intended destination or direct communication partner of an encrypted communication. Encrypted data cannot be filtered by a firewall, but some parts of the packet are not encrypted. Encryption in transit takes two forms:
-Tunnel Mode: encrypts the payload and header, and adds a temporary header
-Transport Mode: encrypts only the payload; the header remains in plaintext
A firewall can view and filter based on headers. In tunnel mode, the header only shows the endpoints of the tunnel, not the endpoints of the communication, so it is not very useful for filtering. In transport mode, the firewall can filter based on the header because it is in plaintext.
Allowing encryption for web communications and email exchanges is acceptable even though other transactions might not be encrypted. Orgs can allow encryption of specific types over specific protocols or ports, and disallow encrypted communications elsewhere. In firewall rules, the treatment of encrypted traffic ranges from full allowance to full denial. Decide based on the security stance of your org, the risk presented by both encrypted and plaintext transactions, and the types of communications needed for essential business tasks.
A trend is to have the encrypted tunnel end at the boundary firewall of the DMZ. This allows you to examine the contents of the packets first, before allowing them to reach the destination or web server in the DMZ.
Another concern: when encrypted traffic crosses a firewall, the firewall can't perform NAT. With an encrypted and hashed header, NAT cannot modify the IP addresses. Select encryption protocols that are NAT compatible if this is a function you want.
Access Control Lists (ACL)
A firewall rule can be called a filter or an ACL; these are the same thing. A filter expresses the intention to deny unwanted items of concern. ACLs grant or deny traffic on an access control / authentication basis, controlling a specific user's or client's access to a protocol or port.
Inbound and Outbound
Allow inbound responses to initial outbound requests. Sometimes a single rule can define both the in and out parameters; other firewalls need two separate rules, one for the outbound request and one for the inbound response. Each service must be supported through proper two-way rules. Firewalls can allow external hosts to request access to internal resources, but this requires creating an inbound rule or ingress filter. Deny by default will block everything unless a rule is created to allow inbound communication from non-internal IP addresses.
Caching
Caching: holding often-accessed content in the storage or memory of the firewall. A staleness value should trigger a content refresh. Adding caching to a firewall turns it into a proxy server for whatever service you configure the caching to supplement. This only works for web and file transfer, so if the bottlenecks are not caused by these, caching is not a good solution. But web transfer is the usual performance issue, so this usually works.
Management Interfaces
Firewalls are configured for performance and security functions through a management interface, which may be command-line or GUI. The GUI could be a client application or a web interface hosted on the firewall's own server.
Always make sure the management interface offers encrypted access by default. This is the most important aspect of management interface configuration: keep it safe from eavesdroppers, interception, and session hijacking. Secure the interface physically and logically. Physical contact is limited to authorized personnel only. Use a strong authentication process for logical security. Never re-use old passwords. The first step in deploying a new firewall is changing the default password of the admin account. Then modify every pre-defined user account and default access code.
Avenues of accessing the management interface: telnet, encrypted telnet, web, encrypted web, SSH. Select one secure option and disable the rest, then test the disabled options to make sure they don't work. Also consider physical cabling ports (CON for console, TER for terminal, ADM for admin), which cannot be disabled through software. An RS-232 cable is used to connect a computer directly to the firewall to gain access to the management interface. If more than one NIC port exists, limit management access to one port. If the firewall supports wireless activity, disable management interface access over a wireless connection. You should have access only via one logical pathway and the physical CON cabling; disable everything else.
Every successful and attempted connection to the management interface should be logged. Record all configuration changes made. This log can serve as part of the change documentation for future troubleshooting, reconfiguration, and investigation. Verify manually that all settings remain as configured: compare the live settings to those in your documentation, and if there is a difference, investigate and repair.
Firewall Enhancements
Content filtering mechanisms for allow/deny decisions are based on: IP address, port, protocol service, MAC address, content keyword, user authentication. Unnecessary features not only inflate the cost but can cause security problems or introduce vulnerabilities into the network.
Malware scanning is a new feature, not a stretch of capabilities, especially for application proxies or stateful inspection firewalls. Ask: Does it operate at wire speed? Does it work as well as stand-alone malware scanners? How often does it update virus signature definitions?
Firewalls can also offer IDS/IPS features: they can filter, as well as watch for and defend against intrusions. Ask: Does it operate at wire speed? Is it better than having stand-alone products?
Some firewalls can operate as VPN endpoints. Is this better than stand-alone options?
Unified Threat Management (UTM) combines these functions into a single device.
Virtualization: include firewalls in the construction of virtualized networks. Install software firewalls on every virtual host in the network. You can use hardware firewalls when traffic between virtual hosts crosses a physical network segment. If the hardware firewall must exist in the virtual environment, it acts no differently than a virtual host in that environment.
DoS attacks
DoS attacks: can consume all available bandwidth and processing capabilities of the firewall, preventing any legitimate traffic from reaching the network. This is the only weakness that can't be fixed with a patch.
Firewalking
Firewalking: a technique to learn the configuration of a firewall from the outside. It uses a valid IP address of an internal host; the hacker tries to establish a connection over many different ports. This is basically port scanning. The hacker can learn which ports are open and which allow communications with an internal system. It discovers the rules of a basic packet-filtering firewall. Stateful inspection firewalls are not vulnerable to it.
Patch Management System
Firewall vendors release patches, so you must have a patch management system. If a flaw is not repaired fast, hackers have a window to attack. Vendors release patching documentation, but hackers can read it to identify all the vulnerabilities that exist on a system without the patch applied, and use them to attack you. Patch it fast.
Fragmentation attacks
Firewalls are vulnerable to fragmentation attacks: abuse of the fragmentation offset feature of IP packets. Larger datagrams are fragmented into smaller pieces, and when they are reassembled there can be malicious overlapping and overrun. Overlapping causes overwriting of components, creating a new excessively large datagram for DoS attacks, or confusing IDS detection or firewall filtering. Protections against these attacks: using modern IDS and firewall filtering, and performing sender-side fragmentation after querying the network route to determine the smallest MTU or datagram size (path MTU discovery). This ensures that no en-route fragmentation will occur.
Firewall Rules
Firewalls filter traffic using rules or filters. Rules are used to control what traffic enters or leaves a secured network. The security admin or firewall admin configures the rules based on the org's security policy. Two main security stances govern rules: default deny and default allow.
Most firewalls come pre-configured as deny by default, with rules above and beyond the default that allow common forms of communication like web, email, IM, and file transfer. Always review the factory-installed rules before deployment. Disable any rule not needed. Double-check to make sure the rules abide by your security policy.
If the security policy does not pre-define which rules to implement on a new firewall:
1- Inventory all essential biz processes and communications that will cross the firewall
2- Determine the protocols, ports, and IP addresses of valid traffic for internal and external hosts
3- Write out the rules or use a firewall rule simulator
4- Test the rules in a safe environment
5- Obtain written approval for the rule sets from the change board or admin
6- Document the rules in a security policy procedure amendment and submit it to the management team
Common rules found on firewalls:
-access to insecure websites (HTTP)
-access to secure websites (HTTPS)
-access to other website protocols like SQL, Java
-Inbound email
-Outbound email
Keep rules to a minimum: only what is an essential business task, only essential traffic. Each rule granted increases the attack surface.
Elements of a Firewall Policy
The first step in deploying a firewall is creating a firewall policy; then deploy in compliance with the policy. Purpose of a firewall policy:
-Guide for installation
-Guide for configuration
-Tool to assist with troubleshooting
-Guideline to detect changes
-Mechanism to ensure consistent filtering across all firewalls
The firewall policy defines security zones of risk and zones of trust: describe what each subnet does, its level of risk, and its level of trust, then formulate a deployment strategy. It defines what type of firewall you need at each zone transition or interface: static filtering, stateful inspection, or proxy. It defines a complete firewall rule set for each firewall, including the order, and justifies why each rule was selected. It prescribes host software firewalls on clients and servers; configure host firewalls to complement appliance firewalls.
The policy also addresses:
-what to log
-logging location and redundancies
-where to store log files
-what add-ons or enhancements to use
-who is responsible for firewall admin
-how to access firewall config interfaces
-where to physically and logically locate a firewall
-the level of physical access control necessary
-what backup or redundancy is present
-how to manage encryption, where to use it or disallow it
-how to deploy IDS to interact with firewalls
This is the first and last authority on all things firewall in the org. Review the firewall policy periodically to determine if it's meeting your security needs. Work improvements into the security policy, then adjust the deployed infrastructure to comply with the security policy.
Internal code planting
Internal code planting: occurs when outbound traffic is unfiltered due to having no rules. This is the phishing scenario: an employee downloads malicious code onto an internal client, which then calls home to an external server, and the hacker has control of the system to do anything.
Load Balancing
Load Balancing: distribution of the firewall filtering workload across multiple parallel firewalls, placed between routers that perform load-balancing traffic management on both inbound and outbound communication. This allows deeper packet inspection while maintaining wire speed. Additional benefits: redundancy and fault tolerance, improving the availability of the filtering service. Load balancing is classified by the OSI model layer where the balancing occurs: layer 3 is basic network-layer balancing, layer 4 directs the traffic based on protocols, and layer 7 determines routes based on application and header info. Router load-balancing traffic management uses round-robin or fair queuing:
-Round-Robin: hands out tasks in a non-priority sequence
-Fair Queuing: sends the next transaction to the firewall with the least current workload
Allow or Block?
The most commonly asked question when installing a firewall. The answer is subjective and variable; you must research this for your network and decide.
1- Perform an inventory of all needed and desired communications. Indicate the protocol in use, ports in use, and source and destination IP addresses.
2- Block all communications that should only be internal. The default deny rule can do this as well, but if a port or protocol is common, an allow rule might inadvertently give external access.
3- You can add a deny rule just prior to an allow rule as a protection: traffic that gets past the deny rule is known to be safe to allow.
4- Determine which communications are mission-critical, optional, recreational, or actually malicious. Block malicious traffic immediately. Evaluate other factors, including policy: Is it needed for business? Does it increase the attack surface? Is anything no longer necessary? Is anything on the list redundant?
Set the filtering based on the needs of the network. Lean towards caution and lock things down. Create additional filtering rules over time to respond to real-world conditions as hackers try to break in.
Client source port
Most session-based communications will use a well-known default port for the destination port, where the service or protocol resides. They often use a randomly selected higher-order port above 1023 for the client source port. Most firewalls will handle and adjust for the random source port.
Improving Performance
Network communication speed is one of the most common firewall concerns. A firewall should function at wire speed, with no delay or latency, because it operates at the same speed as the network. In a 1000 Mbps network, a 100 Mbps capable firewall is too slow. Two techniques to improve firewall performance:
-Caching
-Load Balancing
High Availability: associated with load balancing and network availability. It is the percentage of time the service is available, e.g. 95% of the time, with the other 5% down for updates and patches. It aids user satisfaction because traffic gets to the user faster. Having a fail-safe plan to disconnect the firewall if compromised is essential. It is better to have redundant pathways with duplicate firewalls.
Composing firewall rules
Setting up rules is easy if the rules are minimal. Software host firewalls use a GUI wizard setup; hardware firewalls expose the raw rule itself. Some vendors have one interface page for "allow rules" and another for "deny rules", so the page dictates the action. Rules have 6 main components:
1- Base protocol: TCP, UDP, ICMP
2- Source address
3- Source port
4- Target address
5- Target port
6- Action: allow or deny, and also log and alert
Ports may be shown numerically or by service name, e.g. port 80 or HTTP.
For outbound rules, the source port and target address are usually ANY. This allows any internal client access. Alternatively, create a rule to deny access to ANY.
For inbound rules, the source address and source port are usually ANY. This allows any external client access to an internal server, like a web server. Such a rule is only needed when an internal resource is located in the DMZ or extranet. The only other rule required in a static filtering firewall would be one that allows responses to internal client requests to outside resources. Stateful inspection firewalls allow this response traffic automatically, without a rule.
Limitations of Firewalls
Firewalls are software code written by humans: the logic and controlling mechanisms. Do not assume the code is always perfect. Hackers are always looking for coding bugs and zero-day flaws. Firewalls can freeze or crash, and hackers can read or adjust filtering rules. Known limitations:
-Some exploits are based on buffer overflows
-Firewall vendors release patches, so you must have a patch management system
-Firewalls are vulnerable to fragmentation attacks
-Firewalking
-Internal code planting
-DoS attacks
Stateful inspection firewalls address fragmentation, firewalking, and internal code planting. Patching addresses bugs. Upstream filtering prevents flooding attacks from reaching the Internet-facing firewall, but requires an ISP to support it. Keep systems current with patches, use a hardened config, know the new exploits, and monitor the environment for successful and attempted compromises. This is maintaining security.
Buffer overflows
Some exploits are based on buffer overflows: a memory buffer exceeds its capacity and the extra content overflows into adjacent memory. If the overflow extends into the next memory segment designated for code execution, the hacker can insert code that will execute instead. This can crash a system.
Ordering Firewall Rules
The most important aspect of a firewall. This is critical to firewall security; mistakes create loopholes. Loophole: a flaw in the logic of filtering that will allow an unwanted action to occur. Evaluate, test, and verify that rules are correct and in order.
1- The last rule is the catchall rule that denies by default all traffic not explicitly allowed.
2- Place critical deny exceptions first to eliminate the possibility of accidentally allowing a known malicious communication.
3- Use fewer rules, rather than more rules. Only use more rules when it relates to a large range of internal IP addresses. Consider reconfiguring the network for security, instead of creating a larger rule set.
4- Put rules relating to more common traffic earlier in the rule set. Because evaluation takes time, the fewer rules checked before an allow, the faster traffic flows.
5- Overlapping is acceptable when on purpose, like having explicit allow rules with additional deny specifications. When it's accidental, you will get loopholes.
Keep the rule set simple, document it, and then test every rule. The primary goal: filter traffic in accordance with your security policy.
ICMP rules
When switching to an ICMP rule, the port fields are dropped because ICMP doesn't use ports. ICMP uses "numbered types" to specify the rule, and there are dozens:
-Type 8: Echo Request
-Type 0: Echo Reply
-Type 3: Destination Unreachable
-Type 11: Time Exceeded
It also uses a numbered code, like Type 3, Code 3: Destination Port Unreachable. Defined at RFC 2939.
ICMP is a protocol used in most networks to deliver error messages. It enables hackers to learn about the version of software and patch levels within the network. You want to block inbound ICMP echo requests.
Default allow
All traffic is allowed through. Allow by default, deny by exception: as malicious traffic is identified, an exception rule blocks it. This is the blacklist-like action in a firewall: everything is permitted with some exceptions.
Default deny
All traffic is treated as potentially malicious, unwanted, or unauthorized. Deny by default, allow by exception: as authorized traffic is identified, an exception rule grants it access. This is the whitelist-like action in a firewall: only those exceptions are allowed through. This is the most secure stance, and fewer exceptions are required.
Unified Threat Management (UTM)
deployment of a firewall as an all-encompassing primary gateway security solution. One device performs firewall filtering, IPS, antivirus scans, anti-spam filtering, VPN endpoint, content filtering, load balancing, logging, and more. It does a lot, but masters none. This is a single point of failure, but can improve security.
Transport Mode
encrypts only the payload, the header remains in plaintext
Tunnel Mode
encrypts the payload and header, includes a temporary header
External entities
should never be able to initiate a connection, unless it's with a web server.
First-match-apply rule system
starting from the top, if the rule matches the traffic, the rule is applied. Once a matching rule is applied, no further rule matching is attempted.