Contents

• What is a firewall?
• TCP/IP Concepts Underlying a Packet-Filtering Firewall
• Packet-Filtering Concepts
• What can a static firewall protect against?

Section 1 What Is a Firewall?

PowerPoint Presentation

What Are Security Policies For?

• Security policies reflect the decisions you've made about:
• Which Internet services you want to be accessible to your local client computers,
• Which services you want to offer publicly from your servers,
• Which services you want to offer to specific remote users or sites, and
• Which services and programs you want to run locally for your private use.

What Does a Packet-Filtering Firewall Do?

• Packets are forwarded between networks based on a set of rules enforcing access control policies. Not only examines packet headers for forwarding information, but includes rules about which packets to forward and which to drop.
• May provide state full inspection (not ipchains)
• Must provide some amount of application gateway support unless proxies are used to allow some forms of application traffic through.
• May respond dynamically to trigger events
• Logging

Services Provided by or in Conjunction with a Firewall

• Routing
• Packet-level access control based on packet header contents
• Proxying
• Logging
• Network address translation
• Intelligent inspection of TCP connection state and UDP exchanges
• Anti-Virus Checking
• Intrusion Detection
• Event-based dynamic responses
• URL Filtering
• Authentication
• Encryption

Types of Firewalls

• Stateless or Static Packet-Filtering Firewalls
  • Operates at the IP and transport layers
  • Decisions based on the header contents of current packet
• Stateful or Dynamic Firewalls
  • TCP connection state and UDP exchange state
  • Application layer inspections
• Packet-Filtering Firewall
  • Stand-alone Bastion
  • Dual-homed Bastion
  • Screened Host
  • Screened Subnet
• Proxy
  • Application-level Gateway
  • Circuit-level Gateway

Firewalls Architectures

• Stand-alone, single-homed machine
• Bastion (dual-homed machine)
  • screened host
  • screened subnet
    • Dual-Homed: Bastion + Choke creating a Perimeter Network
    • Tri-Homed: Bastion creates a separate, semi-public DMZ

Screened Host Architecture

Screened Subnet Architecture

DMZ Between Bastion and Choke

Tri-Homed Bastion with DMZ and LAN

Section 2 TCP/IP Concepts Underlying a Packet-Filtering Firewall

TCP/IP Reference Model

IP Information Available to a Stateless Firewall

• network interface
• whether the packet is incoming or outgoing
• source and destination IP addresses
• ICMP, UDP, or TCP protocol
• possibly if the packet contains a fragment
• possibly if source routed
• possibly TOS

ICMP Packet Header Internet Control Message Protocol

• ICMP message types
• possibly a message subtype

Typical ICMP Exchanges

UDP Packet Header User Datagram Protocol

• UDP source port number
• UDP destination port number

Typical UDP Exchange

• Stateless, connectionless
• Query - response
• Like sending a postcard

TCP Packet Header Transmission Control Protocol

• TCP source port number
• TCP destination port number
• TCP connection state flags

TCP Connection Establishment 3-Way Handshake

Section 3 Packet-Filtering Concepts

Packet-Filtering Firewall

• A stateless packet-filtering firewall is normally implemented within the operating system and operates at the IP network and transport protocol layers.
• A firewall makes routing or forwarding decisions based on information in the IP packet header fields.
• Inspects packets at the IP level (network and transport layer mechanism)
• Not only examines packet headers for forwarding information, but includes rules about which packets to forward and which to drop. Packets are forwarded between networks based on a set of rules enforcing access control policies.
• Logging

Firewall Rules

• Firewall rules explicitly define which packets will and will not be allowed through a network interface.
• Packets that match a rule can be allowed through, silently thrown away, or thrown away and an error indication is returned to the sender.
• A rule is based on the specific network interface, protocol, source and destination addresses, TCP and UDP service port numbers, TCP state flags, ICMP message types and codes, and whether the packet is incoming or outgoing.
• Firewall rules are defined separately for both a network interface's input queue and its output queue. The firewall independently filters what comes in and what goes out through an interface.

Firewall Rule sets

• A firewall rule set consists of a list of acceptance and denial rules, and a default policy that is applied if a packet doesn't match any rule.
• The rule lists are called chains because a packet is matched against each rule in the list, one-by-one, until a match is found or the list is exhausted.
• Think of rules as pairs, an input rule and and output rule.
• The lists of rules defining what can come in and what can go out are called chains. The input and output chains are not necessarily 100% symmetric.

Default Policy

• There are two basic approaches to a firewall:
  • Deny everything by default and explicitly allow selected packets through.
  • Accept everything by default and explicitly toss selected packets.
• Each chain has a default policy and a collection of actions to take in response to specific message types. Each packet is checked against each rule in the list in turn until a match is found.
• The first matching rule wins.
• If the packet doesn't match any rule, then it falls through and the default policy is applied.

Chain List Traversal

• The first matching rule wins.
• Rules are hierarchical, ordered from most specific to least specific.
• The first matching rule wins.
• Did I mention that the first matching rule wins?
• Oh, btw, the first matching rule wins.

Deny by Default Policy

IFPW Packet Flow

Rejecting Versus Denying a Packet

• Reject: Discard packet and return an ICMP error message to the sender.
• Deny: Discard packet.

Allowing Incoming Packets from only Specific Remote Source Addresses

• General remote servers allowed from anywhere
• Specialized servers are often explicitly defined by their IP address
• Remote client requests to locally hosted general services allowed from anywhere
• Some, few trusted remote clients are often explicitly defined by their IP addresses
• Examples
  • ping, authenticated ftp, telnet and ssh, ntp, dns, finger, pop and imap

Remote Source Port Filtering

• Client requests to local servers usually use an unprivileged port between 1024 and 65535
• Server responses usually originate from the source port assigned to the particular service

Local Destination Port Filtering

• The destination port in incoming packets identifies the service or client connection the packet is intended for.
• Client requests will set the destination port to the service number assigned to the particular service.
• Responses from remote servers will usually have a destination port in the unprivileged range between 1024 and 65535.
• Protecting non-secure Local Services

Filtering Outgoing Packets

• Local Source Address Filtering
• Remote Destination Address Filtering
• Local Source Port Filtering
• Remote Destination Port Filtering
• Outgoing TCP Connection-State Filtering
• Private Versus Public Network Services

ICMP Filtering

• The following 4 ICMP message types need to pass through the firewall:
• Source Quench
• Parameter Problem
• Incoming Destination Unreachable - all sub-types
• Outgoing Destination Unreachable - sub-type Fragmentation Needed
• The following 4 ICMP message types can optionally pass through the firewall:
• Other Destination Unreachable sub-types (Port Unreachable is used by traceroute)
• Time Exceeded (traceroute)
• Echo Request
• Echo Reply
• Redirect should be allowed from your router only. (Drop them.)

TCP Connection State Filtering

• Client Requests
  • SYN flag set in the first connection request message
  • ACK is set in all subsequent messages
  • Usually bound to an unprivileged port
• Server Responses
  • Always have the ACK flag set
  • Usually bound to the well-known server port

Typical TCP Client Rule Pair

Section 4 What Do Static Firewalls Protect Against?

What Can a Stateless Firewall Protect Against?

• Some source address spoofing
• Revealing useful information in response to port scans
• Malformed broadcast packets used to identify UNIX systems
• Some forms of network mapping
• Some Denial of Service attacks
• Source routed packets
• Some forms of fragmentation bombs used to bypass firewalls
• Protecting remote sites from mistakes on your end
• Access to private LAN services
• Providing additional protection against local server misconfigurations

Source Address Spoofing

• Your IP addresses
• Your LAN addresses
• Class A private addresses 10.0.0.0 - 10.255.255.255
• Class B private addresses 172.16.0.0 - 172.31.255.255
• Class C private addresses 192.168.0.0 - 192.168.255.255
• Class D multicast addresses 224.0.0.0 - 239.255.255.255
• Class E reserved addresses 240.0.0.0 - 247.255.255.255
• loopback 127.0.0.0 - 127.255.255.255 0.0.0.0
• Link local addresses 169.254.0.0 - 169.254.255.255
• TEST-NET addresses 192.0.2.0 - 192.0.2.255
• 0.0.0.0 source address in broadcast messages, except with DHCP
• 255.255.255.255 source address in broadcast messages
• 0.0.0.0 through 0.255.255.255

Importance of Blocking Outgoing Spoofed Source Addresses

• Spoofed packets could be eliminated by adopting the suggestions in RFC 2827, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"
• Allow only outgoing packets containing source addresses belonging to your local networks
• To be effective, RFC 2827 requires adoption as a universal policy
• For now, you can stop outgoing spoofed addresses from your sites by filtering on outgoing source address

Probes and Scans

• General port scans
• Targeted port scans
• Scans to determine the operating system type
• Stealth probes

General Scan

Targeted Scan

Scans to Determine OS Type

• Telnet login banner
• Malformed broadcast addresses
• TCP/IP stack analysis (stealth scans)

Revealing Useful Information in Response to Port Scans

• Drop packets silently.
• Deny rather than reject blocked packets: i.e. Don't return a TCP RST message or an ICMP error code 3.
• IDENTD or AUTH is an exception if the service isn't offered. - Do return TCP RST or an ICMP error if the service isn't offered.

Block Connections to Insecure Services Running on Unprivileged Ports

• SOCKS - TCP port 1080
• NFS - UDP and TCP port 2049
• X Windows - TCP ports 6000-6063
• portmap - UDP and TCP port 111
• Connections from clients bound to these ports should be allowed.
• Connections to servers on these ports should be blocked - i.e. packets with one of these as the destination port, the SYN flag set, and the ACK flag cleared.

Limit Access to Sensitive or Easily Exploitable Services

• DNS
  • Forwarding-only name servers - Allow DNS exchanges with only your specific remote servers
  • Full name servers - Allow incoming TCP connections from only your specific remote secondaries.
• SSH - if possible, try to limit incoming connections to specific remote hosts
• Telnet - if possible, don't allow telnet. Require an encrypted service such as ssh or ssl telnet.
• POP and IMAP - If remote access is necessary, try to limit incoming connections to specific remote hosts or networks. Avoid clear text passwords if possible.
• FINGER, PING, and TRACEROUTE - disallow or limit incoming connections to specific remote hosts or networks.
• Berkeley Remote Commands - do not allow external access to these services.
• RPC, NFS, NIS, portmap

Malformed Broadcast Addresses

• Source address 0.0.0.0 (in anything other than a DHCP message)
• Source address 255.255.255.255
• Destination address 0.0.0.0

Problems with ICMP

• Ping
  • Don't allow incoming Echo Requests to broadcast addresses
  • Consider blocking or limiting the source addresses you will accept incoming Echo Requests from.
• Outgoing Destination Unreachable provides useful information to port scanners.
  • Fragmentation Needed is the one ICMP 3 subtype needed for normal operation.
• Do not allow Redirect except from or to your adjacent routers.
• Traceroute
  • Generates Time Exceeded messages from intermediate routers, and ICMP 3 Port Unavailable from the destination host.
  • Consider blocking or limiting the source addresses you will accept incoming traceroute requests from.
• Most ICMP messages are meant to communicate between adjacent routers. Consider blocking or limiting the source addresses you will accept most ICMP messages from.

Network Mapping

• Network mapping prior to an attack
• Used to collect IP addresses of hosts on a network
• Used to discover network gateways
• Broadcast ping to a network address space
• Broadcast to destination 0.0.0.0 to identify UNIX systems
• Broadcast UDP echo, daytime, time or chargen messages - automatic response
• Initiate trace routes from different locations simultaneously, and at different times of day, to discover where routes to a specific host converge. DoS attacks against the gateways cut off the internal network from external access.

Source Routed Packets

• Source-routed packets employ a rarely used IP option allowing the originator to define the route taken between two machines, rather than let the intermediate routers determine the path.
• Once traffic is routed through the attacker's machine, he can intercept the packets, read them, modify them, forge them, etc.
• Coupled with source address spoofing, especially useful for exploiting trusted relationships between hosts, collecting passwords, forging servers.
• Block source routed packets at either the packet-filter level or at the OS level.

Packet Fragmentation

• Tiny fragment attack
  • Fragments are rarely reassembled until the final destination
  • Craft fragments so the source and destination ports or ICMP codes are in the second fragment - bypassing the firewall filters
  • Also useful in stealth port scans
• Fragment overlap attack
  • Fragment 1 is constructed to go to an allowed service
  • Fragment 2 overwrites the original ports and connects to a disallowed service on reassembly
  • Denial of Service - Teardrop

Packet Fragmentation - Teardrop

• (frag2->ip_off + frag2->ip_len) - ip->ip_off
• ((5*8)+40) - (15*8) = -40
• Maximum IP packet is 65535 bytes
• Without bounds checking, the packet reassembly code attempts to copy -40 bytes - a very large (unsigned) number of bytes. The operating system crashes.

Denial of Service Attacks

• Denial of Service attacks are based on the idea of flooding your network or systems with packets in such a way as to disrupt or seriously degrade your network connections, tying up local servers to the extent that legitimate requests can't be honored, or crashing the system.
• You can't protect against them completely.
• They are the easiest and most common kind of attack.
• TCP SYN Flooding
• UDP Flooding (chargen, echo)
• ping Flooding: smurf Attacks
• Ping of Death
• Land Attacks
• ICMP Redirect Bombs
• Packet Fragmentation Bombs

TCP SYN Flood

UDP Flood

• UDP test services are especially easy to use - automatic query-response behavior (echo, chargen, daytime, and time)
• Attack launched with a single packet containing a spoofed source address, resulting in an infinite loop of network traffic
• Can be launched between two victims, or between a network of intermediaries and a single victim

Smurf Attack (ping)

Section Four What a Stateless ipchains Firewall Cannot Protect Against

• Spoofing real IP addresses
• Stealth scans
• Some denial of service attacks
• Misuses of application protocols (e.g. LOKI, FTP port command to initiate port scans from an intermediary or establish connections behind the firewall)
• Viruses and trojans
• Applications using unusual or server callback protocols

Stealth Scans

• Used to identify the operating system,
• to get passed some firewalls, and
• to map networks
• Different operating systems respond differently to impossible TCP state flag combinations
• Most systems don't log errant packets until the TCP connection is established. By sending impossible combinations without an established connection, event logging mechanisms can be by-passed.

Denial of Service Attacks

• They are the easiest and most common kind of attack.
• You can't protect against them completely.
• Some can be protected against at the operating system level.
• TCP SYN Flooding
• ping Flooding: smurf Attacks
• Land Attacks
• Packet Fragmentation Bombs
• Buffer overflows

Applications Using Unusual Protocols

• FTP port mode data channels
• RealAudio / QuickTime
• IRC
• Multimedia
• CU-SeeMe
• Quake

FTP Port Mode Data Channel

RealAudio / QuickTime

Summary

• Overview of what packet-filtering firewalls are, what they do
• Summary of the information available to a stateless firewall
• How packets traverse a firewall
• What stateless packet-filters can protect against
• Considerations in building firewall rule sets
• Network traffic a stateless firewall cannot protect against