ISY 251 - Chapter 4: Introduction to Firewalls

Processing Mode

*(Firewall Categories)* Five Major Processing-Mode Categories
1. Packet Filtering Firewalls
2. Application Gateways
3. Circuit Gateways
4. MAC layer firewalls
5. Hybrids

Hybrid Firewalls (119)

-Combine elements of various firewall types
-An advantage of this approach is that it enables an organization to make security improvements without completely replacing its existing firewall.

Screened Host Firewalls (128)

-Combine the packet filtering router with a separate, dedicated firewall, such as an application proxy server.
-Allows the router to prescreen packets to minimize the network traffic and load on the internal proxy
-Compromising the bastion host can disclose the configuration of internal networks, and possibly provide external sources with internal information

Firewall Components (102)

-Packet filter
-Proxy Server
-Authentication System
-Software that performs Network or Port Address Translation

Configurations that work best for organizations (127)

3 factors:
1. The objectives of the network
2. The organization's ability to develop and implement the architectures
3. The budget available for the function

Packet Filtering (99)

*(Two basic functions of a firewall)* Determining whether to allow or deny the passage of packets of digital information, based on established security policy rules

Application Proxy (99)

*(Two basic functions of a firewall)* Providing network services to users while shielding individual host computers. This is done by breaking the IP flow (the traffic into and out of the network)

Port Address Translation

-Uses one external address for all other systems, assigning random and high-order port numbers to each internal computer.
-To someone on the outside, it looks like all traffic (in a PAT network) is coming from one computer, or from a small network when NAT is used (IP numbers that do not change)
-PAT/NAT prevents external attacks from reaching internal machines with addresses in specified ranges

Proxy Server (105)

A service/hardware/firewall that makes high-level application connections on behalf of internal hosts and other machines. A single firewall product can provide both outbound packet filtering and outbound proxy service

Problems with static IP addresses on Computers (112)

Very easy target for an attacker, who might use it as a staging area for launching long, sustained attacks.

Commercial-Grade Firewall Systems (120)

-Consist of application software that is configured for the firewall application and runs on a general-purpose computer
-These systems exploit the fact that firewalls are essentially application software packages that use common general-purpose network connections to move data from one network to another.

MAC Layer Firewalls (118-119)

-Designed to operate at the Media Access Control sublayer of the Data Link layer (layer 2) of the OSI network model
-This enables these firewalls to consider, in their filtering decisions, the specific host computer's identity, as represented by its MAC or NIC address.

Circuit Gateway (118)

-Operates at the transport layer
-Connections are authorized based on address
-Do not usually examine traffic flowing between one network and another, but they do prevent direct connections between one network and another.
-Work by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic through these tunnels.

Components of a firewall

-Packet Filter
-Proxy Server
-Authentication system
-Software to perform NAT and PAT
-Can encrypt traffic
-Help establish VPNs
-Some are just one part of a router
-Can be set up to create a multiple-component security setup to establish DMZs

Broadband Router Expansion of Application

-Packet Filtering Firewalls
-Wireless Access Points
-Small Stackable LAN switches
-Gives Small Office, Home Office (SOHO) users the strong protection that comes from the use of NAT services.
-Some SOHO firewalls include packet filtering, port filtering, and simple intrusion detection systems, and some can even restrict access to specific MAC addresses

Unintentionally Activating Network Services (104)

-Sometimes caused by something like an unplanned mail server starting by default when the company starts a web server. This type of event is one of the biggest vulnerabilities that firewalls can protect against.

Elements of a sample state table (110)

-Source IP
-Source Port
-Destination Address
-Destination Port
-Time Remaining (in seconds)
-Total Time (in seconds)
-Protocol

Commercial-Grade Firewall Appliances (120)

-Standalone, self-contained combinations of computing hardware and software
-The customized software operating system that drives the device can be periodically upgraded
-Have many features of general computers, with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of compromise

Packet-Filtering Firewalls

-Static filtering requires that the filtering rules be developed and installed with the firewall.
-Dynamic filtering reacts to an emergent event and updates or creates rules to deal with that event
-Stateful inspection firewalls (stateful firewalls) keep track of each network connection between internal and external systems using a state table.

Screened Subnet Firewalls (with DMZ)

-The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.
-More recent strategies using proxy servers have provided much more secure solutions
-A common arrangement is a subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network.
-An entire network segment that performs two functions:
1. Protects the DMZ systems and information from outside threats by providing intermediate security
2. Protects the internal networks by limiting how external connections can gain access to them.
-Can be expensive to implement, configure, and manage

Dual-Homed Host Firewalls (129)

-The bastion host contains two NICs rather than one, as in the bastion host configuration.
-One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs, all traffic must physically go through the firewall to move between the internal and external networks.
-A benefit is its ability to translate many different protocols at their respective data link layers
-If a dual-homed host is compromised, that compromise will likely disable the connection to the external network.

Software vs Hardware Firewalls

-When you use software only, the attacker is inside the computer, battling a piece of software (usually free) that may not have been correctly installed, configured, patched, upgraded, or designed. If there's a known vulnerability, the attacker could gain unrestricted access to one's system.
-With a hardware firewall, even if the attacker manages to crash the firewall system, the computer and info are still safely behind the now-disabled connection, which is assigned a nonroutable IP address, making it virtually impossible to reach from the outside.

Application Layer Gateways (114)

-Works at the application layer (top layer of OSI)
-Also known as the proxy server
-Control the way applications inside the network access external networks by setting up proxy services. Acts as a substitute (proxy) for the client, making requests for Web pages or sending and receiving e-mail on behalf of individual users, who are thus shielded from directly connecting with the internet.

Firewall Security Features (101)

-Logging [un]authorized accesses into and out of a network
-Providing a VPN link, which can make two separated networks appear to be connected to one another
-Authenticating users who provide usernames and passwords so they can be identified and given access to needed services
-Shielding hosts inside the network so that attackers cannot ID them and use them as staging areas for sustained attacks
-Caching data so that files that are repeatedly requested can be called from cache to reduce server load and improve Web-site performance
-Filtering content that is considered inappropriate or dangerous

Filtering Content

An application proxy server can be set up to filter on some detailed criteria. You can block files that have a certain filename or part of a filename, a keyword, an email attachment, or a type of content.

Firewall Generations (119)

Available on Page 119

TCP Filtering Rules (112)

Block packets below port 20, or specific packets like telnet connections on 23

Software Firewalls (and misconceptions) (100)

Designed simply to permit authorized traffic to pass through while blocking unauthorized and unwanted traffic. If unwanted traffic is disguised well enough to fool the firewall, it will be able to get past the barrier.

Benefit of Firewall @ Network Perimeter (102)

-Enables someone to set up a checkpoint where they can block viruses and infected e-mail messages before they get inside.
-Less obvious benefits include enabling one to log passing traffic, protecting the network at one time.
-Having defined boundaries, with firewalls, helps minimize damage in an attack

Extranet (101)

Extended network that shares part of an organization's network with a third party
-In this situation, it's harder to establish the network "perimeter"
-If it operates over a VPN, it should have its own perimeter firewall because the network boundary technically extends to the end of the VPN.
--To ensure security, install a firewall on the partner company's VPN host

Details About Filtering (112)

Filtering does not hide the IP addresses of the hosts on the inside of a network perimeter that appear to be behind the filter from an outsider's perspective. The IP addresses are contained in outbound traffic, which makes it easy for attackers to target individual hosts that are behind the filter.

Firewall Stateful Packet Inspector (111)

First checks its state table to see if such a request matches a previous entry. Because no such previous entry exists, the firewall consults its rule base. Because the only rule specified is that only internal users can connect to port 80, the packet is blocked.

Application Gateways

Frequently installed on a dedicated computer, separate from the filtering router, but commonly used in conjunction with a filtering router.

Providing Centralization (106)

Having a firewall on the perimeter gives the network administrator a single location from which to configure security policies and monitor arriving and departing traffic.

Firewall Structures

Most commercial-grade firewalls are dedicated appliances. They are stand-alone units running on fully customized computing platforms that provide both the physical network connection and firmware programming necessary to perform their function, whatever that function may be.

What a firewall is (99)

Not necessarily a single device, whether a router, appliance, VPN gateway, or software program. Each individual firewall is a combination of software and hardware components.

IP's use of ICMP (112)

Report any errors that occurred in the transmission. Utilities like Ping and Traceroute use ICMP. The danger is that ICMP packets can be filled with false information that can trick your hosts into redirecting or stopping communications.

Stateful Packet-Filtering Firewalls (109)

Stateful Inspection - or stateful packet filtering - is an examination of the data contained in a packet as well as the state of the connection between the internal and the external computer. This information, known as the state table, is kept in a memory location called the cache.

Stateless Packet-Filtering Firewalls (109)

Stateless inspection - or stateless packet filtering - is firewall packet inspection that ignores the state of the connection between the internal computer and the external computer. A firewall that conducts stateless packet filtering simply blocks or allows a packet based on the information in the header.

Primary Disadvantage of Application-Level Firewalls (115)

They are designed for a specific protocol and cannot be easily reconfigured to protect against attacks on other protocols.
Can do complex tasks including:
-Content Filtering
-Load Balancing
-IP Address Mapping
-Filtering Content
-URL Filtering

Two Flavors of Port Numbers (104)

-Well-known Ports (0-1023)
-Ephemeral Ports (1024-65535)

Load Balancing

When a network has more than one entry address, the number of connections assigned to each can be managed to assure an even workload. Large organizations commonly install more than one firewall and divide the traffic load between them.

URL Filtering

You can also block a site's DNS name

Bastion Host (103)

A special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.

Enabling Documentation (106)

Every firewall should be configured to provide information to the network administrator in the form of log files
-Log files record attempted intrusions and other suspicious activity, as well as mundane events like:
--Legitimate file access
--Unsuccessful connection attempts

How do firewalls help document what happens on a network?

Every firewall should be configured to provide information to the network administrator in the form of log files. Log files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses, unsuccessful connection attempts, and the like. Looking through log files is tedious, but it can help a network administrator identify weak points in the security system so they can be strengthened. Log files can also identify intruders so they can be apprehended in case theft or damage actually occurs. Regular review and analysis of log file data are what make firewalls effective because methods of attack change all the time. The firewall rules must be evaluated and adjusted to account for the many new and emerging threats.

Caching (100)

Storing it (data) on a disk

IP Filtering Rules (112)

The rules used for all parts of the IP protocol control the overall flow of IP traffic through your network. If you have ID'd a computer or network that you want to block from your company's network, you would specify Source IP or Destination IP rule criteria. These rules will affect the entire TCP/IP suite of protocols.

IP Address Mapping

This is a type of NAT or PAT in which a static IP address assigned by an ISP is mapped to the private IP address of a computer on the local network; it is sometimes called address vectoring or static IP mapping. The benefit of this to an internal network is to shield actual internal IP addresses from the prying eyes of unauthorized external clients.

