
Firewalls: Concepts, Design and Applications

TDC 568: Network Management

Professor Ehab Al-Shaer

Sources: Panko, Stallings, NIST

Firewall Basics

• What does a Firewall do?
  - Define security boundaries to block/permit untrusted/trusted access to internal resources => protecting networks and hosts
  - Restrict external access
  - Log network activities
  - Intrusion detection
  - Restrict information transfer to/from the net
• How does a Firewall work?
  - Inspect packets
  - Address translation (NAT)
  - Encryption/Decryption

Firewall Inspects Packets

[Figure: a firewall inspecting packets; only the slide title survives.]

Screened Subnet Architecture

[Figure: screened subnet architecture. Labels from the diagram:]
DMZ: inbound -> permitted, outbound -> blocked
Screened: outbound -> permitted, inbound -> blocked

Firewall Basics

• First step: write your network and system security policy:
  - regulations and rules that organize access to resources (e.g., reading news is not allowed, which services are public, one-way FTP permitted, change password every month, etc.)
• Firewall policy: the implementation of the security policy in the firewall.
  - General FW policies:
    - Permit any access except ...
    - Deny any access except ... <- recommended
• In any case, the fewer exceptions you have, the better the policy will be.

Firewalls Design

• Firewall strategies
  - A packet filter
  - Application proxy server
  - Both
• Firewall architectures
  - Packet filter router/host
  - Single-homed gateway
  - Dual-homed gateway
  - A screened host
  - A screened subnet

Firewall Architecture

• Using a dual-homed host (or a screening packet filter router)
• Using a screened host
  - If the proxy server is single-homed, then clients and the router have to be configured to forward to the proxy
  - If a dual-homed proxy server is used, it is more transparent
• Using a screened subnet to create a DMZ area (I call it Alcatraz island)
• Bastion host: a host that has been tightly secured (no user accounts, etc.) and used in the DMZ area for a special purpose such as proxy server or web serving, etc.
• Sacrificial host: used intentionally to lure prospective hackers (honey pot)!

Packet Filter (Stateless) Firewall

• Hardware
  - Router with screening capabilities
  - Dual-homed host with filtering and proxy server capabilities
  - FW appliances
• Advantages:
  - Free
  - You only need one, at the network entrance point
  - Easy to use: no special training is required
• Disadvantages:
  - Managing a large number of rules becomes complex
  - Works on a small set of data (some TCP/IP headers)
  - If it is misconfigured, the damage to your network is severe

Application Gateways and Proxy Server Firewalls

• Packet filters vs. proxy servers
  - Protocol level vs. application level
  - A proxy server does not pass packets through; it acts as client/server between the two ends
  - A proxy server must understand the application
  - One proxy per application
• A proxy server can check incoming and outgoing traffic (e.g., Web and FTP applications)
• Proxy types:
  - Classical proxies: clients have to connect to the proxy first
  - Transparent proxies: proxies intercept client IP packets and issue the connection to the remote server
• A generic proxy may not work well (securely) for specific or not well-known applications (the TIS Firewall Toolkit can be used to make custom proxies)

Proxy Server Evaluation

• Advantages
  - Hiding network information
  - Application/content-level filtering
  - Fail-over and load balancing features
  - Single point of control (easy to control access)
  - Powerful logging features
• Disadvantages
  - Increases the communication latency/delay
  - One proxy per application and no generic one
  - Clients might need to be modified/reconfigured to use the proxy server

Packet Filter Firewalls

• Stateless filters: simple filters that make decisions on a packet-by-packet basis
  - You cannot create rules that filter a packet based on other packets or previous history
  - You have to check each packet in the same stream to maintain the policy
• Stateful filters: dynamic filters that keep state (a table) in memory that matches up the incoming and outgoing streams
• Firewall rule evaluation
  - More specific rules should be placed higher in the list
  - Each rule has either a permit or a deny action
  - Matching stops as soon as a rule evaluates to TRUE; then its action is executed (permit or deny)

Stateful Packet Filter Firewalls

• To improve performance, not every single packet is matched against the rules. Only the SYN packet is matched; then the session is logged in the table.
• All other packets related to this stream are compared to the table (very fast) in kernel memory.
• The table lookup looks only at the <IP, Port> of Src and Dst.
• Timers are used to evict broken sessions.
• It lets TCP replies (for admitted streams) pass through using the FW tables, while inspecting only TCP SYN packets.
• If any rule fires, the FW action is taken (rule conflict?)

Firewall Rules

• Packet filters/FW rules: to implement the FW policy
  - Questions to ask:
    - Which services do you want to offer on the network, and in which direction?
    - Do you want to restrict user Internet access: which, what and when?
    - Are there any trusted external hosts to which you want to give network access?
  - Fields used to filter packets:
    - IP headers: options, proto, src/dest IP
    - TCP and UDP: src/dest port, flags, SYN and ACK bits

Firewall Rules

• Firewall rule basics
  - Interface name (a FW may have more than one incoming/outgoing link)
  - Interface or traffic direction
  - Source and destination IP address: this includes broadcast and multicast addresses
  - IP options: need to check these for source routing
  - ICMP
  - Transport protocols: UDP, TCP, IPX, ...
  - Well-known TCP/UDP services: WEB, FTP, etc.
  - More restrictive rules come first to avoid rule conflict and shadowing:
    1. Permit ANY TCP incoming (more general)
    2. Deny DestPort=25 TCP incoming (will be shadowed by rule 1)

Recommendations for Firewall Selection

• Stateful Multi-Layer Inspection (SMLI) based firewall: packet filtering and proxy-based firewalls are less flexible and have lower performance.
• The FW must contain NAT (Network Address Translation): it changes the source address of all traffic leaving your network, preventing hackers from IP spoofing and breaking into your network. Local machines will be given a fake IP address and the FW/NAT will translate it to the actual (ISP) IP address or addresses.
• User Authentication (UA): it provides password-level protection for remote users.
• De-Militarized Zone (DMZ): it allows you to create a public-access segment of your network for use by external clients without breaching the security of your network. This area will not be fully secured.
• Encryption/Virtual Private Network (VPN): create your own virtual private network over the Internet.

Recommendations for Firewall Selection

• Supporting easily configurable security policies: this is important for network changes and growth.
• Supporting pervasive intrusion detection: such as virus detection and scanning, port scanning and ping sweeps.
• Centralized reporting and analysis: this central point can help network administrators spot trends in the activities of suspicious network users or intruders.
• The FW should adapt to a growing network: proper firewall solutions should be able to quickly adapt to changes in your network environment. Any changes should be easily accommodated by a "point-and-click" interface that is easy to understand and interpret, so that the user does not get confused and cause more disruption to the security plan.

Recommendations for Firewall Configuration

• One of the most critical steps in building a firewall is creating the security policy and rules. Security rules define what and how the security policy will be enforced.
• The key to a secure firewall is simplicity. Simple, short rules are easy to manage and verify. It is recommended not to use more than 25-30 rules, in order to avoid introducing security breaches through misconfigurations.
• The bastion host should not be used for anything else: if you use it for anything other than an Internet gateway, you may be adding weaknesses to the security architecture.

Recommendations for Firewall Policy Configuration

• NIST recommends that the firewall design policy start with the most secure stance, i.e., deny all services except those that are explicitly permitted. The policy designers should then ask the following:
  - Which Internet services the organization plans to use, e.g., TELNET, WWW, and NFS
  - Where the services will be used, e.g., on a local basis, across the Internet, or from remote organizations
  - Additional needs, such as encryption or dial-in support
  - What are the risks associated with providing these services and access
  - What is the cost/impact on network usability
• Disable Windows TCP/IP stack: there has been a lot of concern over the security of Windows NT because of an inherent weakness in its networking stack.

Firewall Rule Recommendations

• Use IP addresses, not host names
• Do not return all ICMP codes via the external interfaces (echo request, destination unreachable, redirection)
• Reject all packets entering through the external interface that carry the address of an internal machine or domain as the IP source!
• Block vulnerable services such as NFS, NIS, X Windows
• Deny ALL services at the end of your rule list
• For telnet, FTP, email, etc., use SSH and/or proxy servers for strong authentication and filtering

Firewall Rule Examples (Stateless)

To allow incoming and outgoing SMTP traffic (corrected) for a stateless filter:

     Direction  Prot  Src Address  Dest Address  Dest Port  Src Port  Action
  1. outbound   TCP   internal     external      25         >=1024    allow
  2. inbound    TCP   external     internal      >=1024     25        allow
  3. inbound    TCP   external     internal      25         >=1024    allow
  4. outbound   TCP   internal     external      >=1024     25        allow
  5. *          *     *            *             *          *         deny

By the way, in a stateless filter you can use the ACK bit to block TCP traffic that initiates connections into the network while allowing TCP reply traffic to pass. A stateful filter is more efficient here, because the ACK bit is not always cleared in the SYN packet.

Firewall Rule Examples (Stateful)

To allow incoming and outgoing SMTP traffic (corrected) for a stateful filter:

     Direction  Prot  Src Address  Dest Address  Dest Port  Src Port  Action
  1. outbound   TCP   internal     external      25         >=1024    allow
  2. inbound    TCP   external     internal      25         >=1024    allow
  3. *          *     *            *             *          *         deny

Rules #1 and #2 automatically create an entry for the stream in the FW table so that the replies can go back without stating this as a rule. This entry uses the <IPSrc, IPDest, PortSrc, PortDest> tuple to match reply packets belonging to the same stream.
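An added example, not from these slides, of the stateful behaviour just described: the three stateful SMTP rules above are evaluated only for TCP SYN packets; an admitted stream is entered in a table keyed by the <proto, IP, port, IP, port> tuple; every later packet of the stream, replies included, is matched against the table; and a timer evicts idle entries. The first_match function is the stateless evaluation from the "Firewall rule evaluation" slide (first matching rule wins, nothing matched means deny); calling it on the SYN/ACK shows why the stateless table earlier needs its two reply rules. The 10.0.0.0/8 "internal" range, the addresses and the 60-second idle timeout are constructed for this example.

```python
# Added example (not from the slides): a minimal stateful packet filter.
# Only the TCP SYN is matched against the rule list; an admitted stream is
# recorded in a connection table keyed by <proto, IP, port, IP, port>; later
# packets of the stream are matched against the table; idle entries are
# evicted by a timer. Addresses, the 10.0.0.0/8 "internal" range and the
# 60 s timeout are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")    # assumption: what "internal" means here


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" or "outbound"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound", "outbound" or "*"
    proto: str          # "tcp", "udp" or "*"
    src: str            # "internal", "external" or "*"
    dst: str
    sport: object       # port number, "high" (>= 1024) or "*"
    dport: object
    action: str         # "allow" or "deny"


# The stateful SMTP rules from the slide; the deny-all comes last.
STATEFUL_RULES = [
    Rule("outbound", "tcp", "internal", "external", "high", 25, "allow"),
    Rule("inbound", "tcp", "external", "internal", "high", 25, "allow"),
    Rule("*", "*", "*", "*", "*", "*", "deny"),
]


def _side_ok(want, addr):
    if want == "*":
        return True
    inside = ip_address(addr) in INTERNAL
    return inside if want == "internal" else not inside


def _port_ok(want, port):
    if want == "*":
        return True
    if want == "high":
        return port >= 1024
    return want == port


def first_match(rules, pkt):
    """Stateless evaluation: the first matching rule decides; nothing matched means deny."""
    for r in rules:
        if (r.direction in ("*", pkt.direction) and r.proto in ("*", pkt.proto)
                and _side_ok(r.src, pkt.src) and _side_ok(r.dst, pkt.dst)
                and _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            return r.action
    return "deny"


class StatefulFilter:
    def __init__(self, rules, idle_timeout=60):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.table = {}     # stream key -> time the last packet was seen

    @staticmethod
    def _key(pkt):
        # Order the two endpoints so both directions of one stream share an entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a < b else b + a)

    def expire(self, now):
        """Timer: drop entries idle longer than the timeout (broken sessions)."""
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, pkt, now):
        self.expire(now)
        key = self._key(pkt)
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            action = first_match(self.rules, pkt)        # only the SYN hits the rules
            if action == "allow":
                self.table[key] = now                    # admit the whole stream
            return action
        if key in self.table:                            # fast path: table lookup
            self.table[key] = now
            return "allow"
        return "deny"                                    # no SYN admitted this stream
```

Because the table is consulted before the rules for everything but a bare SYN, the inbound SYN/ACK of an admitted outbound SMTP session is allowed even though no rule permits inbound traffic to a high port; an inbound SYN to a high port, or a packet arriving after the idle timer has evicted the entry, falls back to the rule list and is denied.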

Network Address Translators (NAT): Server Proxy Example

• Basic operation
  - Hides the information on your network
  - Increases the LAN address space
  - Uses valid IP addresses (EIP) in outside communications and internal IP addresses (IIP) in inside communications
  - A mapping/assignment has to be done between EIP and IIP such that the total number of simultaneous IIP sessions will not exceed the number of EIPs (static or dynamic assignment)
  - NAT substitutes the IIP with an EIP before sending
  - NAT is not recommended if a large number of active/simultaneous clients is expected
  - Solution: NAPT (network address and port translation): both the IP and the port in the packet are replaced, which means a single IP address might serve about 2**16 clients
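Added example, not from the slides: the EIP/IIP mapping described above for basic NAT (one external address per active internal address, so the pool of EIPs caps the number of simultaneous sessions) beside NAPT (one EIP shared by translating the port as well). The addresses and the port range 1024-65535 are constructed; the inbound check that a reply comes from the mapped peer is a design choice of this example, not something the slide specifies.

```python
# Added example, not from the slides: basic NAT (one external address per
# active internal address) beside NAPT (one external address shared by
# translating the port too). Addresses are constructed; EIP = external IP,
# IIP = internal IP.
from collections import deque


class BasicNat:
    """Dynamic one-to-one NAT: each active IIP holds one EIP from the pool."""

    def __init__(self, eip_pool):
        self.free = deque(eip_pool)
        self.iip_to_eip = {}
        self.eip_to_iip = {}

    def outbound(self, iip):
        """Return the EIP to write into the packet, or None when the pool is exhausted."""
        if iip in self.iip_to_eip:
            return self.iip_to_eip[iip]
        if not self.free:
            return None      # simultaneous sessions would exceed the number of EIPs
        eip = self.free.popleft()
        self.iip_to_eip[iip] = eip
        self.eip_to_iip[eip] = iip
        return eip

    def inbound(self, eip):
        """Translate the destination of an incoming packet back to the IIP."""
        return self.eip_to_iip.get(eip)

    def release(self, iip):
        """Session ended: hand the EIP back to the pool."""
        eip = self.iip_to_eip.pop(iip)
        del self.eip_to_iip[eip]
        self.free.append(eip)


class Napt:
    """NAPT: (IIP, port) pairs share one EIP, told apart by a translated port."""

    def __init__(self, eip, low=1024, high=65535):
        self.eip = eip
        self.free = deque(range(low, high + 1))   # ~2**16 usable mappings per EIP
        self.out = {}    # (proto, iip, iport, dst, dport) -> eport
        self.back = {}   # (proto, eport) -> (iip, iport, dst, dport)

    def outbound(self, proto, iip, iport, dst, dport):
        """Rewrite the source of an outgoing packet; returns the (src, sport) to send."""
        key = (proto, iip, iport, dst, dport)
        if key not in self.out:
            if not self.free:
                raise RuntimeError("NAPT port pool exhausted")
            eport = self.free.popleft()
            self.out[key] = eport
            self.back[(proto, eport)] = (iip, iport, dst, dport)
        return self.eip, self.out[key]

    def inbound(self, proto, src, sport, eport):
        """Rewrite the destination of a reply; None means no mapping, so drop it."""
        entry = self.back.get((proto, eport))
        if entry is None:
            return None
        iip, iport, dst, dport = entry
        if (src, sport) != (dst, dport):   # design choice: reply must come from the mapped peer
            return None
        return iip, iport

    def free_ports(self):
        return len(self.free)
```

With two EIPs the basic NAT refuses a third simultaneous client until one releases its address, while the NAPT keeps handing out translated ports from the same single EIP; an inbound packet to a port that no outbound session mapped has nowhere to go and is dropped.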

Managing Firewall Policies

• Managing a firewall policy is a complex task:
  - Rules have to be inserted in the correct order, otherwise ...
  - In general, adding or modifying rules requires careful policy analysis
  - With a large number of rules, this task just becomes overwhelming
• Filtering rules might have conflicts resulting in different actions for the same traffic => inconsistency/ambiguity
• Effective firewall security requires proper management techniques to analyze and verify the filtering rules in the firewall policy
• What can go wrong when writing or modifying a set of filtering rules in a firewall (called "policy conflicts")?

Types and Examples of Intra-Firewall Conflicts

[Figure: a router/firewall (R/FW) connects the Internet to two domains, D1 = 140.192.37.0 and D2 = 161.20.33.0. Rules are written as: proto, src address, src port, dst address, dst port, action.]

1: tcp, 140.192.37.20, any, *.*.*.*, 80, deny
2: tcp, 178.124.32.*, any, 163.134.21.*, 80, accept
3: tcp, 140.192.37.*, any, *.*.*.*, 80, accept
4: tcp, *.*.*.*, any, 161.120.33.40, 80, accept
5: tcp, 140.192.37.*, any, 161.120.33.40, 80, deny
6: tcp, 140.192.37.30, any, *.*.*.*, 21, deny
7: tcp, 140.192.37.*, any, *.*.*.*, 21, accept
8: tcp, 140.192.37.*, any, 161.120.33.40, 21, accept
9: tcp, *.*.*.*, any, *.*.*.*, any, deny
10: udp, 140.192.37.*, any, 161.120.33.40, 53, accept
11: udp, *.*.*.*, any, 161.120.33.40, 53, accept
12: udp, *.*.*.*, any, *.*.*.*, any, deny

• Shadowing: the shadowed rule is never activated
• Correlation: correlated rules imply ambiguity in action
• Generalization: an exception of a general rule is a potential for security holes (potential)
• Redundancy: redundant rules increase the policy size and waste performance
• Irrelevance: irrelevant rules are never activated
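Added example, not from the slides: a pairwise classifier for four of the intra-firewall conflict types above (shadowing, correlation, generalization, redundancy), run over the twelve rules listed on this slide, together with a first-match evaluator that shows a shadowed rule never firing. The relation tests (one rule's packets contained in another's, or the two merely overlapping) and the in-between check for redundancy are this example's reading of the slide's one-line descriptions; irrelevance depends on the network topology and is not checked. Each finding is a (kind, rule, other_rule) triple: rule is shadowed by, redundant to, an exception of, or correlated with other_rule.

```python
# Added example, not from the slides: pairwise classification of intra-firewall
# policy conflicts (shadowing, generalization, correlation, redundancy) plus a
# first-match evaluator, run over the 12 rules listed on the slide. Irrelevance
# needs the network topology and is not checked here.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    num: int
    proto: str     # "tcp", "udp" or "any"
    src: str       # dotted quad, "*" allowed per octet
    sport: str     # port number as a string, or "any"
    dst: str
    dport: str
    action: str    # "accept" or "deny"


# The rule list from the slide, in its original order.
SLIDE_RULES = [
    Rule(1,  "tcp", "140.192.37.20", "any", "*.*.*.*",       "80",  "deny"),
    Rule(2,  "tcp", "178.124.32.*",  "any", "163.134.21.*",  "80",  "accept"),
    Rule(3,  "tcp", "140.192.37.*",  "any", "*.*.*.*",       "80",  "accept"),
    Rule(4,  "tcp", "*.*.*.*",       "any", "161.120.33.40", "80",  "accept"),
    Rule(5,  "tcp", "140.192.37.*",  "any", "161.120.33.40", "80",  "deny"),
    Rule(6,  "tcp", "140.192.37.30", "any", "*.*.*.*",       "21",  "deny"),
    Rule(7,  "tcp", "140.192.37.*",  "any", "*.*.*.*",       "21",  "accept"),
    Rule(8,  "tcp", "140.192.37.*",  "any", "161.120.33.40", "21",  "accept"),
    Rule(9,  "tcp", "*.*.*.*",       "any", "*.*.*.*",       "any", "deny"),
    Rule(10, "udp", "140.192.37.*",  "any", "161.120.33.40", "53",  "accept"),
    Rule(11, "udp", "*.*.*.*",       "any", "161.120.33.40", "53",  "accept"),
    Rule(12, "udp", "*.*.*.*",       "any", "*.*.*.*",       "any", "deny"),
]


def _ip_subset(a, b):
    """Address pattern a is contained in b when every octet of b is '*' or equals a's."""
    return all(y == "*" or x == y for x, y in zip(a.split("."), b.split(".")))


def _ip_overlap(a, b):
    return all(x == "*" or y == "*" or x == y for x, y in zip(a.split("."), b.split(".")))


def _val_subset(a, b):
    return b == "any" or a == b


def _val_overlap(a, b):
    return a == "any" or b == "any" or a == b


def subset(r, s):
    """Every packet matched by r is also matched by s."""
    return (_val_subset(r.proto, s.proto) and _ip_subset(r.src, s.src)
            and _val_subset(r.sport, s.sport) and _ip_subset(r.dst, s.dst)
            and _val_subset(r.dport, s.dport))


def overlap(r, s):
    """Some packet is matched by both r and s."""
    return (_val_overlap(r.proto, s.proto) and _ip_overlap(r.src, s.src)
            and _val_overlap(r.sport, s.sport) and _ip_overlap(r.dst, s.dst)
            and _val_overlap(r.dport, s.dport))


def first_match(rules, proto, src, sport, dst, dport, default="deny"):
    """Evaluate one concrete packet top-down; returns (rule number, action)."""
    pkt = Rule(0, proto, src, str(sport), dst, str(dport), "")
    for r in rules:
        if subset(pkt, r):
            return r.num, r.action
    return None, default


def find_conflicts(rules):
    """Return (kind, rule_a, rule_b) triples for every conflicting pair of rules."""
    found = []
    for i, j in combinations(range(len(rules)), 2):
        rx, ry = rules[i], rules[j]          # rx precedes ry in the list
        x_in_y, y_in_x = subset(rx, ry), subset(ry, rx)
        same = rx.action == ry.action
        if y_in_x:                           # ry only matches packets rx already took
            found.append(("redundancy" if same else "shadowing", ry.num, rx.num))
        elif x_in_y:                         # rx is a special case of the later, general ry
            if not same:
                found.append(("generalization", rx.num, ry.num))
            elif not any(rz.action != rx.action and overlap(rx, rz) for rz in rules[i + 1:j]):
                found.append(("redundancy", rx.num, ry.num))   # rx could be dropped
        elif overlap(rx, ry) and not same:   # partial overlap, different actions
            found.append(("correlation", rx.num, ry.num))
    return found
```

On the slide's rule set this reports rule 5 as shadowed by rules 3 and 4 (it can never deny anything), rule 1 as an exception of rule 3 and rule 6 of rule 7, rule 8 as redundant to rule 7 and rule 10 to rule 11, and rules 1 and 4 (and 6 and 8) as correlated. The evaluator confirms the shadowing: a packet from 140.192.37.21 to 161.120.33.40:80 is accepted by rule 3 before rule 5 is ever consulted.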

Types and Examples of Inter-Firewall Conflicts

[Figure: R0/FW 0 sits at the Internet; R2/FW 2 fronts domains D2.1 = 161.120.24.0 and D2.2 = 161.120.33.0; R1/FW 1 fronts domains D1.1 = 140.192.22.0 and D1.2 = 140.192.37.0. Rules are written as: proto, src address : src port, dst address : dst port, action.]

FW 2 rules:
1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
2: tcp, 161.120.*.* : any, 140.192.22.5 : 21, deny
3: tcp, 161.120.*.* : any, 140.192.*.* : 21, accept
4: tcp, 140.192.*.* : any, 161.120.33.* : 23, accept
5: tcp, 161.120.33.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.22.5 : 25, deny
8: tcp, 161.120.*.* : any, 140.192.37.* : 25, accept
9: tcp, *.*.*.* : any, *.*.*.* : any, deny

FW 1 rules:
1: tcp, 161.120.*.* : any, 140.192.*.* : 80, accept
2: tcp, 140.192.*.* : any, 161.120.*.* : 80, accept
3: tcp, 161.120.*.* : any, 140.192.22.5 : 21, accept
4: tcp, 161.120.33.* : any, 140.192.37.* : 23, deny
5: tcp, 161.120.*.* : any, 140.192.*.* : 23, accept
6: tcp, 161.120.24.* : any, 140.192.37.3 : 25, deny
7: tcp, 161.120.24.* : any, 140.192.*.* : 25, accept
8: tcp, *.*.*.* : any, *.*.*.* : any, deny

• Shadowing: the upstream FW blocks traffic accepted by the downstream FW
• Spuriousness: the upstream FW permits traffic denied by the downstream FW
• Redundancy: the downstream FW denies traffic already blocked by the upstream FW
• Correlation: the upstream FW blocks part of the traffic accepted by the downstream FW, or permits part of the traffic denied by the downstream FW
