Firewall and IDS/IPS Flashcards
What is a firewall
Firewall: wall of bricks to prevent fire propagation
In Cyber-sec: controlled connection between networks at different security levels (networks security level -> not OSI levels). Placed at security level boundary.
Firewalls are not products that you buy, you design them.
Types:
-
Ingress: filter that checks incomping connection from untrusted networks
- purpose: select the (public) services offered; limits which internal services can be accessed from the outside.
- Problem: the request to open a connection with the outside could be part of application exchange between internal users.
-
Egress: checks outgoing connections
- Check personell activity: visisted websites, verify confidential documents are not sent outside network, verify user is not download malware.
- Classification is easy for channel based services(e.g. TCP, applications), difficult for message-based services ( ICMP, UDP applications), in the latter the firewall is usually bidirectional (distinction between ingress/egress meaningless).
Firewall design
Firewall are deisgned, not bought.
The design can consiste of a single component, and that’s why company say they are “offering firewalls”.
The ability to configure components gives enough freedom that we are able to achieved the desired trade-off between security and functionality at a minimum cost.
When designing a firewall, we need to understand which security level we’ll be working on.
There’s an inverse relationship between the level of functionality offered and the security level achieved.
Firewall 3 commandments
- Firewall must be the only pont of contact between internal and external network
- only “authorized” traffic can traverse the firewall: we know apriori the description of the kind of traffic
- protocols, ports, external nodes addresses
- risk of cutting off valid traffic and to loose or open for attackers.
- the FW must be a highly secure system itself: some companies use a powerful general purpose to install the firewall on, but they load other programs on it, that could impact the overall security of the system.
Authorization policies
Whitelisting: what is not explicitly permitted is prohibited.
- Difficult to manage
- higher level of security
- suggested
Blacklisting: what is not explicitly prohibited is permitted.
- Lower security (open gates)
- Easier to manage
Basic Firewall components
- Screening router (choke): router able to filter traffic at network level
- Bastion host: secure system, periodically audited, First line of defese.
- Application gateway (proxy): works on behalf of the application to handle external traffic. Has access control functionality.
- Dual-homed gateway: system with 2 network cards, acts as a bridge between two networks, but with normal routing disabled: other components should be “mounted” on it, that decide if packets are allowed or not.
Firewall name by network stack level
There are different terms used to refer to the firewall depending on the network level at which it works.
Application gateway: examines in detail application data.
Circuit Gateway: works at layer 4, TCP/UDP is the data unit used to filter traffic.
Packet filter: typically only the information about the network level is analyzed (not upper level).
The higher the level the more accurate is the detection, but the more expensive it is.
Screening router architecture
Equip switching element with filtering abilities: since it is a L3 net. device, it will be able to perform filtering based on IP and upper levels (packet filter).
Pros:
- No dedicated HW needed.
- No need to modify the applications, since it doesn’t address App. Level in anyway (no need for a proxy)
- Simple, easy, cheap and…
Cons:
- insecure solution: the kind of controls it can perform aren’t that sophisticated.
- switching element is a single point of failure, if it gets pwnd, the attacker will have full access to the system.
Dual homed gateway architecture
General called “gateway”, element that checks higher level information w.r.t. packet filter. It has 2 net. cards, routing disabled, if a packet is good it will pass from one interface tothe other.
Pros:
- Easy to implement: 2 components that check different stuff.
- Requres a bit more HW than packet filter: General purpose machine with gateway SW installed.
- Since the gateway is the fronted of the internal networkit can mask internal addresses without using NAT.
- Security in-depth: duoble line of defense.
Cons:
- Inflexible: even if traffic should be permitted in the packet filter, it must also be permitted by the gateway:
- Electronic Mail Example: it’s difficult to limit who’s the sender, so that is check by the mail server (internal to the network). The gateway would reconstruct the packet only to see that it’s not its job to check the packet.
- Large work overhead.
Screened host
Improvement of the dual-homed gateway architecture by removing the bottlenex at the gateway:
packet filter is connected to the internal network as well as the gateway. The packet filter will block all traffic that doens’t come from the bastion or that isn’t whitelisted.
Pros:
- Flexible
- In this way packets that don’t need a double check can get through immediately.
Cons:
- single point of failure.
- more expensive and complex: due to sync. of 2 systems
- only hosts/protocols passing through the bastion can be masked (unless router uses NAT)
Screened subnet architecture
Screened host suffers from single point of failure problem, here the packet filter is split doing 2 different operations:
- select permitted incoming traffic
- select traffic to be forwared to the internal network:
- acts as a bridge from intermediate network and internal one.
Once a packet is allowed by the first router it will be checked by the second and forwarded to the GW r the internal network. Note that to have true defense in-depth the routers should be from 2 different vendors, so that they are not affected by the same bugs.
The network completely decoupled from both internal and external is called DMZ, usually home to the GW, public servers (web server, remote access systems), here is the place where to put services to expose to the outside.
This solution is more expensive than others, more complex.
Screened subnet architecture V2
To reduce costs and simplify management/config often routers are replaced by 3-in-1 gateway: three-legged firewall, typically a general purpose computer, that is connected to the DMS, the internal and the external network.
Components of V1 are now SW components.
This solution is cheaper than the previous, but less secure:
- Single point of failure.
- Complexity of the GW leads to larger attack surface.
Four-legged or five-legged firewalls don’t really exist, company use the term to indicate the number of net. cards/ DMZs, that can be assigned to a different deparment of the company, isolating their traffic.
Firewall technologies
Depending on the network level, different names:
- (static) packet flter
- Stateful (dynamic) packet filter
- cuf-off proxy
- circuit-level gateway/proxy
- application-level gateway/proxy
- statefule inspection
These technologies differ in terms of:
- Controls performed (threat detection)
- Performance: different levels require different computational costs.
- Protection of the firewall O.S.: some solutions have different protections for the firewall.
- Keeping or breaking the client-server model: firewalls are between client and server, they could be transparent or could act as a proxy. Breaking the client-server model is more secure, but then the firewall will be the target of attacs.
(Static) packet filter
Available on rotuers, so that bad packets can be discarded fast, abe to check IP header and when available the transport header.
Pros:
- Application independent
- Good performance
- low cost
Cons:
- easy to fool controls (e.g. ip spoofing, fragmented packets)
- complex managing services with dynamically allocated ports (e.g. FTP)
- complex config: everything is expressed in IP, ports, protcols.
- Difficult to perfom user authentication: since we are at L3.
Stateful (dynamic) packet filter
Similar concept to packet filter, but it remembers previous packets in order to process faster new ones.
Can look inside packets for commands that indicate the ports that will be used next.
Can distinguish new connections from already open ones: packets matching open connection are forwarded without any further controls.
Better performance thanks to SMP (Symmetrical Multi-Processing) thanks to use of state tables.
Still has limitations of the packet filter.
Application level gateway
Made out of a set of proxies which inspect payload at application level.
Often requires modification to the client application and may optionally mask/renumber the internal IP addresses.
When used as part of a firewall, usual performs peer authn (usually for the egress FW).
Since the proxy understands the app. level commands, it can provide top security, e.g. buffer overflow of target application.
Forward-proxy (egress) != Reverse-proxy (ingress)
Rules may be more fine-grained and simpler w.r.t. a packet filter, because they can be expressed in application-level commands.
OS on which FW is installed may expose it to attacks.
Every application needs a specfic prox., since it will need its own commands and data:
- Delay in supporting new applications
- Heavy on computational resources: for each connection a separate process is needed, which typically will run in user mode.
- Low performance (user-mod proc.)
Using SMP may improve performance, but breaks client/server model:
- More protection for the server
- May authenticate the client
- Not trasparent to the client, the application needs config. to work with proxy.
Application-level security techniques (e.g. SSL) will prevent the gateway from inspecting traffic, for this reason there are variants of the application level gateway: transport proxy and strong application proxy.
HTTP (forward) proxy
Typically HTTP proxy, is an HTTP server acting as a front-end and then passing requests to the real server.
Benefits|:
- Network Access Control List:
- shared cache of external pages for all internal users;
- authentication and authorization of internal users
- other control (e.g. allowed sites, transfer direction, data types)
HTTP reverse proxy
HTTP server acting as a front-end for the real-server(s) which the requests are passed to.
It can implement ACL in case it is possible to limit clients that contact the server, but usually an ingress firewall doesn’t.
It is possible to inspect content.
Benefits:
- Obfucation (no real contact with the real server, no info about it)
- SSL accelerator (with unprotected back-end connections): can be the end-point for SSL/TLS. An HSM (HW sec. module) can be placed here, so that the traffic comes in clear after TLS channel is terminated, so that it can be inspected.
- Load balances
- Web accellerator (static content cache)
- Compression
- Spoon feeding: paces the speed at which a client receives a page (acccording to its speed), offloading the application server.
Configuration: Reverse proxy should be in DMZ with servers (public). If the servers need to access internal network for data, then the reverse proxy is connected to them via VPN, but the servers now reside in the internal network; this is to avoid servers having to pass reverse proxy and firewall before accessing internal network.
Stealth firewall
A firewall without IP address => cannot be directly attacked.
It physically intercepts packets by setting interfaces in promiscuos mode (network card gets copy of any packets reaching the interface).
Based on the security policies the firewall will discard or copy the netwrok traffic without altering it.
Since it is not addressed, it isn’t possible to make remote maintenance/config unless there is a dedicated network card attached to the security management network.
Protections offered by the firewall
If the firewall has a rule that enables some kind of traffic, and this kind of traffic can be infected (fire), then other measures are needed to protect this kind of traffic.
All channels that are enabled to pass the firewall other protections are needed: VPN, semantic firewall / IDS, Application level security.
NIDS Architecture
Conceptually there is always a 3-legged firewall:
- 1 connection to exteranal net
- 1 connection to internal
- 1 connection to DMZ.
Sensors are inserted on the most critical hosts.
Network sensors are needed to check for malicious traffic, but also to check behaviour of internal users.
In the DMZ a host sensor on each server palced in the DMZ should be inserted.
There is a net sensor on the external interface of the firewall, it is needed to analyze attack attempts to get statistics about the effectiveness of firewalls (usually 98%).
The IDS director collects sensors’ data.
Honey pot
Method to attract attackers.
The external network is separated by a FW from the internal, here there are 2 DMZs, a real one and a decoy DMZ, here there is a vulnerable machine.
Inspection systems will control and report on methodologies used by attackers (malware, new kind of attacks). Honey pots are placed allover the world by antimalware manifacturers.
The honey pot can also be placed inside the internal network to detect if any internal user is performing attacks.
