
Security & Performance of Packet Filters

IP address spoofing: fake source address to be trusted. Add filters on the router to block it.
Tiny fragment attacks: split TCP header info over several tiny packets. Either discard, or reassemble before the check.
Degradation depends on the number of rules applied at any point. Order rules so that the most common traffic is dealt with first. Correctness is more important than speed.
Dr Mahdi, NetSec

Port Numbering

TCP connection: server port is a number less than 1024; client port is a number between 1024 and 16383.
Permanent assignment: ports < 1024 are assigned permanently: 20, 21 for FTP; 23 for Telnet; 25 for server SMTP; 80 for HTTP.
Variable use: ports > 1024 must be available for the client to make any connection. This presents a limitation for stateless packet filtering: if the client wants to use port 2048, the firewall must allow incoming traffic on this port.
Better: stateful filtering knows the outgoing requests.

Firewalls: Stateful Packet Filters

If the outgoing request passes our filter, then all the related responses should be automatically allowed through the filter. Traditional packet filters do not examine higher layer context, i.e. matching return packets with the outgoing flow.
Stateful packet filters address this need. They examine each IP packet in context: keep track of client-server sessions, and check that each packet validly belongs to one.
Hence they are better able to detect bogus packets out of context.

Stateful Filtering

Session Filtering: the packet decision is made in the context of a connection. If the packet is a new connection, check it against the security policy. If the packet is part of an existing connection, match it up in the state table and update the table.
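As an added illustration of the decision just described (not code from the slides or from any product), a small session filter with a state table: a new connection is checked against a constructed policy, replies are matched to the entry keyed on the outgoing flow, and a packet that belongs to no session is rejected even though a stateless filter would have had to open every port above 1023 to let the replies through. The internal prefix and the allowed server ports are assumptions.

```python
from collections import namedtuple

# One TCP packet as the filter sees it; syn/ack are the TCP flag bits.
Packet = namedtuple("Packet", "src sport dst dport syn ack")

INTERNAL_PREFIX = "10.0.0."          # constructed: our inside network
ALLOWED_SERVER_PORTS = {23, 80}      # constructed policy: Telnet and HTTP outbound only


class StatefulFilter:
    """Session filter: new connections go to policy, the rest to the state table."""

    def __init__(self):
        # (client, client_port, server, server_port) -> "SYN_SENT" | "ESTABLISHED"
        self.table = {}

    def _policy_allows_new(self, p):
        """Security policy for a NEW connection: inside client, plain SYN, ports as above."""
        return (p.src.startswith(INTERNAL_PREFIX) and p.syn and not p.ack
                and p.sport > 1023 and p.dport in ALLOWED_SERVER_PORTS)

    def process(self, p):
        """Return 'permit' or 'deny' for one packet and update the state table."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client direction
        if fwd in self.table:                    # client side of a known session
            return "permit"
        if rev in self.table:                    # reply matched to an outgoing flow
            state = self.table[rev]
            if state == "SYN_SENT" and p.syn and p.ack:   # SYN/ACK completes setup
                self.table[rev] = "ESTABLISHED"
                return "permit"
            if state == "ESTABLISHED" and p.ack and not p.syn:
                return "permit"
            return "deny"                        # flags inconsistent with session state
        if self._policy_allows_new(p):           # no session yet: consult the policy
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"                            # out of context and not allowed by policy
```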

Session Filtering

Screens all attempts, protects all applications. Extracts and maintains state information. Makes an intelligent security / traffic decision.
[Figure: three protocol stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) for client, filter and server, with dynamic state tables kept in the filter.]

Telnet

[Figure: Telnet client (port 1234) and Telnet server (port 23). The client opens a channel to the server and tells the server its port number (PORT 1234). The ACK bit is not set while establishing the connection but will be set on the remaining packets. The server acknowledges (ACK).]

Example: Telnet

Format:
  access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address | any | IP address and mask> [<gt|eq port number>] <DEST host with IP address | any | IP address and mask> [<gt|eq port number>]

The following allows a user to telnet from an IP address (172.168.10.11) to any destination, but not vice-versa (the lists are bound to the interface with ip access-group):

  access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
  ! Allows packets out to remote Telnet servers
  access-list 101 permit tcp any eq 23 host 172.168.10.11 established
  ! Allows returning packets to come back in. It verifies that the ACK bit is set
  interface Ethernet 0
  ip access-group 100 out
  ! Apply the first rule to outbound traffic
  ip access-group 101 in
  ! Apply the second rule to inbound traffic
  !

Note: anything not explicitly permitted in an access-list is denied.

FTP

[Figure: FTP client (port 5150 command, port 5151 data) and FTP server (port 21 command, port 20 data). The client opens the command channel to the server and tells the server its second port number (PORT 5151). The server acknowledges (OK). The server opens the data channel to the client's second port (DATA CHANNEL). The client acknowledges (TCP ACK).]

Example: FTP Packet Filter

Format: as in the Telnet example above.

The following allows a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12):

  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
  access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
  ! Allows packets from any client to the FTP control and data ports
  access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
  access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
  ! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
  interface Ethernet 0
  ip access-group 100 in
  ! Apply the first rule to inbound traffic
  ip access-group 101 out
  ! Apply the second rule to outbound traffic
  !
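The Telnet and FTP access lists above can be checked by hand with this small evaluator, an added example rather than Cisco's own code; it parses only the subset of the syntax the slides use (host/any endpoints, gt/eq ports, the established keyword, '!' comments) and applies the implicit deny at the end of each list. The sample packets in the test are constructed.

```python
import ipaddress
from collections import namedtuple

# ack: True when the TCP ACK bit is set (the bit that 'established' checks for).
Packet = namedtuple("Packet", "src sport dst dport ack")

def _endpoint(tokens):
    """Consume '<host A.B.C.D | any> [gt|eq N]'; return ((addr_test, port_test), rest)."""
    if tokens[0] == "host":
        want, tokens = ipaddress.ip_address(tokens[1]), tokens[2:]
        addr_test = lambda a: ipaddress.ip_address(a) == want
    elif tokens[0] == "any":
        tokens, addr_test = tokens[1:], (lambda a: True)
    else:
        raise ValueError("only 'host A.B.C.D' and 'any' endpoints are handled here")
    port_test = lambda p: True                   # no port qualifier: any port matches
    if tokens and tokens[0] in ("gt", "eq"):
        op, n, tokens = tokens[0], int(tokens[1]), tokens[2:]
        port_test = (lambda p: p > n) if op == "gt" else (lambda p: p == n)
    return (addr_test, port_test), tokens

def parse_acl(text):
    """Return {list_number: [rules in line order]}; '!' starts an IOS comment."""
    acl = {}
    for line in text.splitlines():
        t = line.split("!")[0].split()
        if not t or t[0] != "access-list":       # skip comments and interface lines
            continue
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        if proto != "tcp":
            raise ValueError("only tcp rules are handled here")
        src, rest = _endpoint(rest)
        dst, rest = _endpoint(rest)
        acl.setdefault(num, []).append((action, src, dst, rest == ["established"]))
    return acl

def evaluate(acl, number, pkt):
    """First matching rule wins; anything not explicitly permitted is denied."""
    for action, (sa, sp), (da, dp), established in acl.get(number, []):
        if (sa(pkt.src) and sp(pkt.sport) and da(pkt.dst) and dp(pkt.dport)
                and (pkt.ack or not established)):
            return action
    return "deny"                                # implicit deny at the end of every list

TELNET_ACL = """
access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23 ! out to remote Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established ! replies back in
"""
```

Running the FTP lists through the same evaluator shows why they carry no established keyword: in active FTP the server itself opens the data connection from port 20, so the outbound rule must accept a plain SYN from port 20 to any port above 1023. That standing opening is the kind of hole the comparison slide later refers to.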

Proxy Firewalls

Firewall runs a set of proxy programs. Proxies filter incoming and outgoing packets. All incoming traffic is directed to the firewall; all outgoing traffic appears to come from the firewall.
Policy is embedded in the proxy programs. Two kinds of proxies:
Application-level gateways/proxies: tailored to HTTP, FTP, SMTP, etc.
Circuit-level gateways/proxies: working at the TCP level.

Application Gateways

Understands specific applications. Limited proxies available. The proxy impersonates both sides of the connection.
Resource intensive: one process per connection.
HTTP proxies may cache web pages.

Application Gateways

Block all unless specifically allowed.
Has full access to the protocol: the user requests a service from the proxy; the proxy validates the request as legal, then actions the request and returns the result to the user.
Need separate proxies for each service, e.g. SMTP (e-mail), NNTP (net news), DNS (Domain Name System), NTP (Network Time Protocol). Must write a new proxy application to support new protocols.

Application Layer GW/proxy

Clients configured for proxy communication: Telnet, FTP, HTTP.
[Figure: full protocol stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) for the client, the Application Gateway and the server.]

Circuit-Level Gateways

Support more services than an application-level gateway, but less control over data.
Hard to handle protocols like FTP. Clients must be aware they are using a circuit-level proxy. Protect against the fragmentation problem.

Circuit Level Gateway
[Figure: circuit level gateway; slide diagram not reproduced.]

Firewalls - Circuit Level Gateway

Relays two TCP connections. Imposes security by limiting which such connections are allowed. Once created, usually relays traffic without examining contents. Typically used when internal users are trusted, by allowing general outbound connections. SOCKS is commonly used for this.

Comparison

                  Packet Filter          Session Filter                            Circuit GW   App. GW
Security          3                      2                                         2            1
Performance       1                      2                                         3            4
Service Support   No dynamic w/o holes   Dependent on vendor for dynamic support   -            Typically < 20

Lower is better for security & performance.

Comparison

Modify client applications?
Packet Filter: No
Session Filter: No
Circuit GW: Typical; SOCKS-ify client applications
App. GW: Unless transparent, the client application must be proxy-aware and configured

Dynamic Packet Filters

Most common. Provide good protection and full transparency. Network administrators are given full control over traffic. Captures the semantics of a connection.

[Figure: Redialing on a dynamic packet filter. Intended connection from 1.2.3.4 to 5.6.7.8. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The firewall impersonates each endpoint to the other.]

Application Proxy

[Figure: A dynamic packet filter with an application proxy. Intended connection from 1.2.3.4 to 5.6.7.8; the actual connection to 5.6.7.8 leaves the firewall with source address 10.11.12.13. Note the change in source address.]

Firewalls Aren't Perfect?

Useless against attacks from the inside: an evildoer exists on the inside, or malicious code is executed on an internal machine.
Organizations with greater insider threat: banks and the military.
Protection must exist at each layer. Assess the risks of threats at every layer.
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of O/S and file types.
