Firewalls
A firewall represents a barrier between an "internal" network (assumed to be secure and trusted) and an "external" network (assumed to be insecure and untrusted). The purpose of a firewall is to prevent unwanted and unauthorized communications into or out of the internal network. Thus, security is aggregated at a single point.
Analogies
- Door of a house or office building
- Border control of a country
Design goals for a firewall
- All traffic from inside to outside, and vice versa, must pass through the firewall
- Only authorized traffic, as defined by the local security policy, will be allowed to pass
Other benefits of a firewall
- It provides a location for monitoring security-based events. Audits and alarms can be implemented on it
- It is a convenient platform for several Internet functions that are not security related (network address translator, network management related to Internet usage, ...)
- It can be used to implement Virtual Private Networks (VPN) by using a tunnel mode capability
Limitations of firewalls
The firewall cannot protect against attacks that bypass the firewall
- Dial-out and dial-in facilities may bypass it
- People carrying data and programs on CD-ROMs and USB sticks bypass it
- Encrypted traffic, while not bypassing the firewall, may be hard to filter
No protection against virus-infected programs or files
- Impractical or impossible to scan all the incoming files
Types of Firewalls
Categorised by how far "up the stack" they go.
- Packet filter
- Just filters at the level of TCP/IP
- least "intelligent"
- Application-level filter
- Filters at the level of applications
- most "intelligent"
- Circuit-level gateway
- between 1 and 2

Packet Filters
A set of rules is applied to each incoming IP packet to decide whether it will be forwarded or discarded. The TCP/IP packet is parsed and filtered based on information that is usually found in packet headers:
- Protocol number
- Source and destination IP addresses
- Source and destination port numbers
- TCP connection flags (e.g. SYN and ACK flags)
Packet filters are (almost) stateless:
- each TCP/IP connection must be examined independently from what happened in the past
- at the packet level, there is some statefulness:
an outgoing connection with source port x opens the port x for incoming packets for the duration of the connection.
Packet Filter Rules
Packets are matched against the rules in order. On match, take the corresponding action.
Example:
| Type | Source addr  | Dest. addr | Source port | Dest. port | Action |
|------|--------------|------------|-------------|------------|--------|
| tcp  | *            | 123.4.5.6  | >1023       | 23         | Permit |
| tcp  | *            | 123.4.5.7  | >1023       | 25         | Permit |
| tcp  | 129.6.254.48 | 123.4.5.8  | >1023       | 119        | Permit |
| udp  | *            | 123.4.*.*  | >1023       | 123        | Permit |
| *    | *            | *          | *           | *          | Deny   |
Well-known ports are used to identify applications (23=Telnet, 25=SMTP, 119=NNTP, 123=NTP, ...)
IP Fragmentation Problem
When an IP packet is fragmented, only the first fragment contains the transport (TCP or UDP) header!
Solution 1:
- Filtering is applied to first fragments
- Other fragments pass through
- Anyway, when reassembled, partial IP packets are discarded by the destination
- May still be dangerous for outbound packets, because could be used to deliberately leak sensitive data via non-first fragments
Solution 2
- Maintain a cache of recently seen first fragments, together with the associated action (Permit or Deny) that was applied
- Apply same decision to non first fragments
- Another example of statefulness
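The rule table above and the fragment cache of Solution 2, worked through in code. This is an added illustration for these notes, not code from the original page: the rules are the five from the example table (first match wins, the last rule is the default deny), and the packets fed to it are constructed. Non-first fragments carry no port numbers, so `FragmentAwareFilter` looks up the verdict recorded for the first fragment of the same datagram (keyed on source, destination, protocol and IP identification) and denies a fragment whose first fragment was never seen.

```python
"""Stateless packet filter with ordered rules, plus a first-fragment cache.

Added illustration for the firewall notes; not from the original page.
Rules reproduce the example table; all packets below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "*"
    src: str     # dotted quad, "*" wildcards allowed (e.g. "123.4.*.*")
    dst: str
    sport: str   # exact port, ">1023", or "*"
    dport: str
    action: str  # "Permit" or "Deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    ip_id: int                   # IP identification field, shared by all fragments
    frag_offset: int = 0         # 0 means first (or only) fragment
    sport: Optional[int] = None  # transport header is only present on the first fragment
    dport: Optional[int] = None


# The example rule table, in order; the last rule is the catch-all deny.
RULES = [
    Rule("tcp", "*", "123.4.5.6", ">1023", "23", "Permit"),
    Rule("tcp", "*", "123.4.5.7", ">1023", "25", "Permit"),
    Rule("tcp", "129.6.254.48", "123.4.5.8", ">1023", "119", "Permit"),
    Rule("udp", "*", "123.4.*.*", ">1023", "123", "Permit"),
    Rule("*", "*", "*", "*", "*", "Deny"),
]


def port_matches(pattern: str, port: Optional[int]) -> bool:
    if pattern == "*":
        return True
    if port is None:          # no transport header to inspect
        return False
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("*", pkt.proto)
            and fnmatchcase(pkt.src, rule.src)
            and fnmatchcase(pkt.dst, rule.dst)
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport))


def first_match(rules, pkt: Packet) -> str:
    """Walk the rules in order and return the action of the first that matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "Deny"  # unreachable with the catch-all rule; kept as a safe default


class FragmentAwareFilter:
    """Solution 2: remember the verdict for each first fragment and apply it
    to the later fragments of the same datagram."""

    def __init__(self, rules):
        self.rules = rules
        self.cache = {}  # (src, dst, proto, ip_id) -> action

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            action = first_match(self.rules, pkt)
            self.cache[key] = action
            return action
        # Non-first fragment: no ports to filter on, so reuse the recorded
        # decision; an orphan fragment (first fragment never seen) is denied.
        return self.cache.get(key, "Deny")


if __name__ == "__main__":
    f = FragmentAwareFilter(RULES)
    print(f.decide(Packet("tcp", "10.0.0.1", "123.4.5.6", 7, sport=40000, dport=23)))
    print(f.decide(Packet("tcp", "10.0.0.1", "123.4.5.6", 7, frag_offset=1480)))
```

Note that the `>1023` source-port condition is what makes the Telnet rule admit only client-side connections: a packet to port 23 from source port 80 falls through to the default deny, which is the kind of ordering detail the "Main weaknesses" list below refers to.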
Packet filters are used and widely deployed, for several reasons:
- It is a low-cost technology
- It is transparent to applications (no changes needed)
- It is not based on cryptography: good for worldwide distribution
Main weaknesses
- Correctly configuring packet filter rules is difficult and error-prone
- Is optimized for the router, not for the administrator
- Care with the rule ordering is required, when there are exceptions
- Requires intricate knowledge of TCP/IP
- Thinking in terms of bidirectional flows whose characteristics may be different
- No user authentication
- Rules are applied to non-authenticated packets
Application gateways
An application-level gateway, also called proxy server, acts as a relay of application-level traffic
- The user (from the intranet or the Internet) contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed
- When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays the application data between the two endpoints
- If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall
The gateway can be configured to support only specific features of an application that the network administrator considers acceptable, while denying others.
An application gateway relays TCP segments between the two TCP connections in the 2 directions
- (Client <--> Proxy <--> Server)
- The Server sees the Proxy's IP address (not the client's)
Client application may have to be modified, so that it connects to the Proxy, not the Server
- E.g., most web browsers know how to use web proxies
- Alternatively, it may happen transparently to the client.
- Client thinks it is connecting to the Server, but the firewall intercepts the connection and redirects to the Proxy.
Benefits of application-level filtering
Application protocols can be filtered; e.g.
- filter out Java applets and ActiveX controls from HTTP traffic in order to protect internal hosts from executable content and software-driven attacks
- Check for known viruses in file types (e.g., jpeg)
- analyse and possibly filter email attachments
Keep logs at the application level
Circuit-level gateway
The circuit-level gateway is somehow an intermediate solution between the packet filter and the application gateway
- Runs at the transport layer, and can thus act as proxy for any application
Like an application gateway, the circuit-level gateway does not permit an end-to-end TCP connection
- Rather, it sets up two TCP connections too and relays the TCP segments from one to the other
- Main benefit: TCP/IP "hacks" such as malformed packets, fragments (etc.) can be filtered
It does not examine the application data. A typical use:
- When the system administrator trusts the internal users, a circuit-level gateway is enough for outbound connections
- No overhead for outgoing data
- An application gateway can still be used for inbound connections
Example: SOCKS
SOCKS is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability.
- The client has to connect to the SOCKS server at the firewall
- It is attached to a well-known port
- Then the client enters a negotiation for the authentication method to be used, and authenticates with the chosen method
- Then the client sends a connection relay request to the SOCKS server, containing the desired destination IP address and transport port
- The SOCKS server informs the client, and in case of success starts relaying the data between the 2 connections
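The SOCKS exchange just listed, as an added example that is not part of the original notes: the client's method greeting, the server's method choice, the client's relay (CONNECT) request carrying the destination IPv4 address and port, and the server's reply. The message layouts follow RFC 1928 (SOCKS version 5); the handshake is run in memory between client-side and server-side functions rather than over a socket, the username/password sub-negotiation is left out, and the destination address and the `policy` callback are constructed for the example.

```python
"""SOCKS5 message exchange (RFC 1928) between an in-memory client and server.

Added illustration for the firewall notes; not code from the page or from
any SOCKS implementation. Authentication sub-negotiation is omitted.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH, USERNAME_PASSWORD, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # method codes
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02                      # reply codes


def client_greeting(methods) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_choose_method(greeting: bytes, offered) -> bytes:
    """VER | METHOD: the server picks, in its own preference order, a method the client offered."""
    ver, n = greeting[0], greeting[1]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    client_methods = greeting[2:2 + n]
    for m in offered:
        if m in client_methods:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])  # client must close the connection


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for an IPv4 destination."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed
            + struct.pack("!H", port))


def parse_request(req: bytes):
    ver, cmd, rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or rsv != 0 or atyp != ATYP_IPV4 or len(req) != 10:
        raise ValueError("malformed SOCKS5 request")
    addr = str(ipaddress.IPv4Address(req[4:8]))
    (port,) = struct.unpack("!H", req[8:10])
    return cmd, addr, port


def server_reply(request: bytes, policy) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT.

    The gateway applies local policy to the requested destination before it
    would open the second connection and start relaying. A real server reports
    the address/port of the socket it opened towards the destination in
    BND.ADDR/BND.PORT; this in-memory version has none, so it reports 0.0.0.0:0.
    """
    cmd, addr, port = parse_request(request)
    allowed = cmd == CMD_CONNECT and policy(addr, port)
    rep = REP_SUCCEEDED if allowed else REP_NOT_ALLOWED
    bnd = ipaddress.IPv4Address("0.0.0.0").packed + struct.pack("!H", 0)
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bnd


def run_handshake(dst_host: str, dst_port: int, policy):
    """Drive both sides; return (chosen method, reply code or None if no method agreed)."""
    choice = server_choose_method(
        client_greeting([NO_AUTH, USERNAME_PASSWORD]),
        offered=[USERNAME_PASSWORD, NO_AUTH],   # server prefers authenticated clients
    )
    method = choice[1]
    if method == NO_ACCEPTABLE:
        return method, None
    # (method-specific authentication would run here; omitted)
    reply = server_reply(client_connect_request(dst_host, dst_port), policy)
    return method, reply[1]


if __name__ == "__main__":
    # constructed example: policy allows only web ports on the far side
    print(run_handshake("203.0.113.5", 80, lambda a, p: p in (80, 443)))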
Tunnels
Once a firewall is in place, you need to provide mechanisms to get through it!
Examples:
- Home workers connecting to work computers (email, intranet, file servers)
- Partnerships between companies allowing partial internal access
- Remote branch offices
Secure shell (ssh)
Ssh is a protocol which enables a secure way of making a connection from a client to a server across a public network. It is designed to be lightweight and practical, yet secure.
- Server authentication by public key fingerprint
- Designed for situations where CA-signed certificate is too heavyweight
- When Client connects first time, it displays the hash of the Server's public key
- User can verify, if she wishes, or just assume correct
- The hash is stored by the client until the next session
gromit% ssh acws-0117
The authenticity of host 'acws-0117 (147.188.194.108)' can't be established.
DSA key fingerprint is b7:d3:54:a4:db:8f:5c:e8:a0:26:38:cf:f9:cb:5c:af.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acws-0117,147.188.194.108' (DSA) to the list of known hosts.
mdr@acws-0117's password: ******
- If it changes, the user is warned; can verify or ignore
- After server authentication, a session key is established
- Several possibilities for client authentication
- password (sent encrypted using session key)
- public/private key
- "keyboard-interactive" (RFC 4256): a versatile method supporting one-time passwords and SecurID keyfobs
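The fingerprint-and-remember behaviour shown in the session above, as an added example (not OpenSSH code and not from the original notes). `md5_fingerprint` produces the colon-separated form printed in the transcript; `sha256_fingerprint` produces the `SHA256:` base64 form that current OpenSSH prints by default. `KnownHosts` stores the first key a host presents and reports `"changed"` when a later session presents a different one, which is the point at which the user is warned and should verify. The key blobs and host name in the `__main__` demo are constructed stand-ins for real host keys.

```python
"""Trust-on-first-use host key check in the style of ssh's known_hosts file.

Added illustration for the firewall notes; not from the page or OpenSSH.
Key blobs used for demonstration are constructed bytes, not real keys.
"""
import base64
import hashlib


def md5_fingerprint(key_blob: bytes) -> str:
    """Legacy ssh form: MD5 of the raw public key blob, bytes separated by colons."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(key_blob: bytes) -> str:
    """Current OpenSSH form: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    b64 = base64.b64encode(hashlib.sha256(key_blob).digest()).decode()
    return "SHA256:" + b64.rstrip("=")


class KnownHosts:
    """Maps a host name to the (key type, key blob) it presented on first contact."""

    def __init__(self):
        self.hosts = {}

    def lines(self):
        """Serialise as one 'host keytype base64blob' line per host, as known_hosts does."""
        return [f"{h} {t} {base64.b64encode(k).decode()}"
                for h, (t, k) in self.hosts.items()]

    @classmethod
    def load(cls, lines):
        kh = cls()
        for line in lines:
            host, ktype, b64 = line.split()
            kh.hosts[host] = (ktype, base64.b64decode(b64))
        return kh

    def check(self, host: str, ktype: str, key_blob: bytes) -> str:
        """'new'     : first contact; the key is stored (the user was asked to confirm)
           'ok'      : same key as last time; connect silently
           'changed' : different key; warn, since this is what a man-in-the-middle
                       looks like (it is also what a legitimately re-keyed server looks like)."""
        stored = self.hosts.get(host)
        if stored is None:
            self.hosts[host] = (ktype, key_blob)
            return "new"
        return "ok" if stored == (ktype, key_blob) else "changed"


if __name__ == "__main__":
    kh = KnownHosts()
    key = b"constructed-host-key-blob"   # stand-in for a real DSA/RSA key blob
    print(md5_fingerprint(key), kh.check("acws-0117", "ssh-dss", key))
    print(kh.check("acws-0117", "ssh-dss", b"a-different-constructed-blob"))
```

The `ssh-dss` key type string is the one ssh uses for DSA keys in `known_hosts`, matching the `(DSA)` in the transcript.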
ssh tunnels
ssh allows ports on the remote server to be mapped onto ports of the local client.
The unix command
ssh -L x:ServerHost:y IntermediateHost
specifies that port x on the local (client) host is to be forwarded to port y on ServerHost. This works by allocating a socket on the Client to listen to port x on the local side. Whenever a connection is made to this port, the connection is forwarded over the secure channel to IntermediateHost, and a connection is made from there to port y of ServerHost. Only the superuser can forward privileged ports.
Similarly, the command
ssh -R x:ServerHost:y IntermediateHost
specifies that port x on the remote (server) host, IntermediateHost, is to be forwarded to port y of ServerHost, as seen from the local side. This works by allocating a socket to listen to port x on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made from the local machine to port y of ServerHost.
These commands can also be done using GUIs in Windows. For example, see SoCS support pages.
Typical usage:
ssh -L2500:mail-relay.cs.bham.ac.uk:25 tw.cs.bham.ac.uk
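The relaying step shared by the circuit-level gateway described earlier (two TCP connections, segments copied from one to the other, the far end seeing the relay's address) and by the `-L` forwarding just described (a listening socket on port x, each accepted connection paired with a new connection onward), as an added example. This is not code from the original notes or from OpenSSH: the encrypted channel between the client and IntermediateHost is not modelled, so what is shown is the plain "accept locally, connect onward, copy bytes both ways" mechanism. A small upper-casing echo server, constructed for the demo, stands in for ServerHost; both listen on an ephemeral port of 127.0.0.1.

```python
"""Two-connection TCP relay: the mechanism behind a circuit-level gateway and
behind ssh -L local port forwarding (without the encrypted channel).

Added illustration for the firewall notes; not from the page or OpenSSH.
"""
import socket
import threading


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # tell the other side we are done writing
        except OSError:
            pass


class Relay:
    """Listen on local_port; pair each accepted connection with a fresh
    connection to target and splice the two (the 'Client <-> Proxy <-> Server' shape)."""

    def __init__(self, target_host: str, target_port: int, local_port: int = 0):
        self.target = (target_host, target_port)
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))   # port 0: pick an ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.relay_side_addrs = []   # what the target sees as its peer: the relay, not the client
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed
                return
            upstream = socket.create_connection(self.target)   # second TCP connection
            self.relay_side_addrs.append(upstream.getsockname())
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


def echo_server() -> socket.socket:
    """Constructed stand-in for ServerHost:y; returns one upper-cased reply per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo() -> bytes:
    """Send one line through the relay and return what came back."""
    srv = echo_server()
    relay = Relay("127.0.0.1", srv.getsockname()[1])
    with socket.create_connection(("127.0.0.1", relay.port)) as c:
        c.sendall(b"hello through the relay\n")
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    relay.close()
    srv.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

Because the relay opens the onward connection itself, `relay_side_addrs` records the address the echo server sees as its peer: the relay's own socket, which is the "Server sees the Proxy's IP address" property from the application-gateway section, and the reason a packet filter on the far side cannot tell the original client apart.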
Virtual Private Networks (VPNs)
A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network.
Similarly to ssh, VPNs allow
- Encrypted traffic over a public network
- Firewall tunnelling
Compared with ssh, VPNs give a more comprehensive way of tunnelling through firewalls. They allow the home worker effectively to join the workplace network
- You even get a workplace IP address
- So you can access all the services of the workplace network transparently, as if you were physically there.

There are lots of ways to implement a VPN. Here, we mention two popular ones.
PPTP VPN
PPTP is widely used because it is easy to configure and is supported by MS Windows since Windows 98. PPTP makes use of two underlying protocols.
PPTP protocol stack
| . . . |
| IP |
| PPP |
| GRE |
| IP |
| . . . |
- Generic Routing Encapsulation (GRE) is a tunneling protocol designed to encapsulate a wide variety of network layer packets (possibly non-IP) inside IP packets. GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do not monitor the state or availability of other tunnel end-points. GRE creates a virtual point-to-point link with routers at remote points on an IP internetwork.
- Point-to-point protocol (PPP) normally runs on a direct connection between two computers using serial cable, phone line, trunk line, etc, providing a datalink over which IP can be run. PPP provides authentication and encryption.
PPTP VPN is implemented on PPP, which in turn is run on GRE (the client initiates a connection to TCP port 1723).
Client authentication is done by MS-CHAP or EAP-TLS, within the PPP connection. A specification for PPTP was published as RFC 2637. Although popular and widely deployed (it is easy to configure and is supported by MS Windows since Windows 98), PPTP has not been proposed or ratified as a standard by the IETF, perhaps because it is not fully secure.
L2TP IPSec VPN
In contrast with PPTP, L2TP/IPsec requires a shared key or public key certificates.
Using an existing connection, a client uses L2TP by making a UDP connection to server port 1701. This provides a virtual datalink layer for the VPN, over which PPP and IPsec may be run to provide a secure connection. The combination of these two protocols is generally known as L2TP/IPsec.