Firewall Technologies: A Comparative Study
CSE 588 Network Systems, Spring '97

Overview of firewalls

A firewall is a collection of components placed between two networks that collectively have the following properties:

* All traffic from inside to outside, and vice versa, must pass through the firewall.
* Only authorized traffic, as defined by the local security policy, is allowed to pass.
* The firewall itself is immune to penetration.

The goal of a good firewall product is to provide good performance (since it is a bottleneck in the network), network security and application transparency. Additional features include logging and security features such as detection of IP spoofing.

Benefits of firewalls

1. A firewall is a focus for security decisions. The firewall is a choke point, so the network administrator can concentrate security measures at this one checkpoint.
2. A firewall can enforce security policy. It allows only approved services to pass, and those only within the rules set up for them.
3. A firewall can log Internet activity efficiently. Because all traffic flows through it, information about use and misuse of the network can be logged in one place.
4. A firewall limits exposure. Internal firewalls can be used to keep information belonging to different departments of the corporation separate, so that a break-in in one part of the network does not expose the rest.

Things a firewall cannot do

1. A firewall cannot protect against malicious insiders.
2. A firewall cannot protect against connections that do not go through the firewall.
3. A firewall cannot protect against viruses. A virus can enter the internal network hidden inside an ordinary, permitted protocol stream. Tunneling is the general form of this problem: a message from one protocol is encapsulated in another and uses the facilities of the second protocol to traverse the network; at the destination the encapsulation is stripped off and the original message is reinjected into the network. A firewall that only examines the outer protocol is powerless against this.
4. A firewall cannot protect against problems in the higher level protocol itself. X11, for example, lets a remote client do many dangerous things once it is allowed to connect to a display; the only protection a firewall can offer is to block the protocol entirely.

Things to keep in mind while designing a firewall

1. The firewall machine is not a general purpose host. Features of doubtful security are not needed there and should be kept off the firewall host.
2. Firewalls should be administered professionally, and ordinary users should not have accounts on, or access to, the firewall.
3. Fewer normal users means no problems with bad passwords, and so the firewall is harder to breach. With no installed base of users on the firewall machine, the administrator can make arbitrary changes to program interfaces without affecting anyone.
4. No other machine should trust the firewall. If the firewall is compromised, that trust would be the intruder's next step inward.

Types of firewalls

Firewalls are classified into the following categories:
1. Packet filtering
2. Proxy services, further categorized as:
   i. Application gateways
   ii. Circuit gateways

Packet filters

Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. Packet filters allow or block packets, usually while routing them from one network to another. Each IP packet carries its source and destination addresses and a protocol field; the TCP or UDP header inside it carries the source and destination ports (and, for TCP, flags such as SYN and ACK), which identify the session and application protocol being used to transfer the data. A router positioned between the internal network and the external net can choose to let packets through in either direction depending on rules written in terms of these fields.

Advantages of packet filtering

1. One screening router can protect an entire network. A single strategically placed screening router can regulate all traffic between the internal net and the Internet.
2. Packet filtering does not require user knowledge or cooperation. It is completely transparent to the user; no special client software or configuration is needed.
3.
Packet filtering is widely available in many routers.
4. Good performance, as long as the rule set is not too large; every packet is matched against the rules in order.
5. Logging in one place.
6. Inexpensive. A router is needed to connect the internal net to the Internet anyway, and most routers come with packet filtering controls.

Disadvantages of packet filtering

1. Current filtering tools are not perfect. Rules tend to be hard to configure on most routers, and once configured they are hard to test. The packet filtering capabilities of many products are incomplete, which makes some highly desirable filters difficult to implement.
2. By themselves, packet filters offer weak security. If the router is compromised, every network behind it is at risk, and a bug in the filter lets unwanted packets straight into the internal network.
3. Some protocols are not well suited to packet filtering. The Berkeley "r" commands (rcp, rlogin, rsh, etc.) are the classic case: they use address based authentication, so no user password is needed, and they treat a source port below 1024 as a sign of trust, because on a Unix host only a privileged process can bind such a port. A packet filter that sees a request from a trusted address and a low source port has no way to tell whether the request is genuine or whether an intruder is impersonating the trusted host. Packet filters also do not keep connection state, so they have trouble with connectionless, datagram based protocols such as UDP and the services built on it (NFS, RPC): there is no connection to examine, only individual packets.
4. Some policies cannot readily be enforced by normal packet filtering routers. Packets specify which host they came from, not which user; and they specify which port they are going to, not which application is listening there. This may not give network managers enough control over the traffic.

Things to consider while configuring a packet filtering router

1. Protocols are usually bidirectional. It does no good to allow outbound Telnet packets carrying the user's keystrokes to an external host if you do not also allow the incoming packets of the same connection.
2. Be careful of inbound vs. outbound semantics. Distinguish between inbound and outbound packets and inbound and outbound services. Telnet from an inside user to an outside host is an outbound service, but it involves both inbound and outbound packets.
3. Default permit vs. default deny. Default deny means refusing anything that is not explicitly permitted. This is a much safer stance than the converse, default permit, where anything not explicitly blocked gets through.

Kinds of packet filtering

1. Filtering by address. This is the simplest, although not the most common, form of filtering: you restrict the flow of packets based on the source and/or destination addresses.

Risks of filtering by address: source addresses can be forged, so it is not safe to trust them. There are two kinds of forgery. In a source address attack the attacker pretends to be someone else while sending the packets. The host's responses go to the real source (the machine the attacker is impersonating), which will usually reset the bogus connection, so the attacker tries to complete the attack before that happens. Most protocols are predictable enough to permit this. Alternatively the attacker can crash or flood the real machine, or confuse the routing to it, so that it never sees the responses. A man in the middle forgery attack depends on being able to carry out a complete conversation while claiming to be the trusted host.

2. Filtering by service. You can decide to allow outbound Telnet, FTP, SMTP or other well known protocols. Filtering here is done using the protocol field and port numbers. For the Telnet example, the filter would allow outbound TCP packets with a source port above 1023 and a destination port of 23, and inbound TCP packets with source port 23, a destination port above 1023 and the ACK bit set. The ACK bit matters: the first packet of a TCP connection (the SYN) has ACK clear and every later packet has it set, so requiring ACK on inbound packets lets replies through while refusing attempts by outside hosts to open connections to high ports on the inside.
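To make that rule set concrete, here is an added example, written for this page rather than taken from the paper or from any router vendor: a stateless filter applying exactly the two Telnet rules above, plus an anti-spoofing rule and a default deny. The internal prefix 10.1., the interface names and all addresses are assumptions. The last constructed packet shows what the ACK-bit rule cannot stop: an outside host that sets ACK and uses source port 23 reaches any high port on the inside, such as an X11 server on port 6000.

```python
"""Stateless packet filter, added as an example for this page; it is not code from
the paper or from any router vendor.  Packet fields, interface names, the internal
prefix and the addresses below are all assumptions made for the demonstration."""
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_NET = "10.1."                    # assumed internal address prefix
EXTERNAL_IF, INTERNAL_IF = "ext", "int"   # interface a packet arrives on
HIGH_PORTS = (1024, 65535)                # "port > 1023" in the text


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag (ignored for udp)


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    iface: str | None = None               # None in any field means "match anything"
    proto: str | None = None
    src_prefix: str | None = None
    dst_prefix: str | None = None
    sport: tuple[int, int] | None = None   # inclusive port range
    dport: tuple[int, int] | None = None
    ack: bool | None = None                # required value of the ACK flag

    def matches(self, p: Packet) -> bool:
        return all((
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            self.src_prefix is None or p.src.startswith(self.src_prefix),
            self.dst_prefix is None or p.dst.startswith(self.dst_prefix),
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            self.ack is None or p.ack == self.ack,
        ))


RULES = [
    # Anti-spoofing: a packet arriving from outside may never claim an inside source.
    Rule("deny", iface=EXTERNAL_IF, src_prefix=INTERNAL_NET),
    # Outbound Telnet: inside client, high source port, any outside server, port 23.
    Rule("permit", iface=INTERNAL_IF, proto="tcp", src_prefix=INTERNAL_NET,
         sport=HIGH_PORTS, dport=(23, 23)),
    # Replies for those sessions: server port 23 back to a high port, ACK set,
    # so that an outside host cannot open (SYN without ACK) a connection inward.
    Rule("permit", iface=EXTERNAL_IF, proto="tcp", dst_prefix=INTERNAL_NET,
         sport=(23, 23), dport=HIGH_PORTS, ack=True),
]


def decide(p: Packet, rules: list[Rule] = RULES) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def demo() -> dict[str, str]:
    """Constructed packets exercising the rule set; returns name -> decision."""
    client, server, attacker = "10.1.2.3", "192.0.2.10", "198.51.100.7"
    cases = {
        "telnet_syn_out": Packet(INTERNAL_IF, "tcp", client, 40000, server, 23),
        "telnet_synack_in": Packet(EXTERNAL_IF, "tcp", server, 23, client, 40000, ack=True),
        "outside_opens_telnet_inward": Packet(EXTERNAL_IF, "tcp", attacker, 40001, client, 23),
        "spoofed_inside_source": Packet(EXTERNAL_IF, "tcp", "10.1.9.9", 40002, client, 23),
        "outbound_udp_dns": Packet(INTERNAL_IF, "udp", client, 5353, server, 53),
        # Stateless weakness: any outside packet with ACK set and source port 23
        # reaches any high port on the inside, e.g. an X11 server on port 6000.
        "ack_probe_to_x11": Packet(EXTERNAL_IF, "tcp", attacker, 23, client, 6000, ack=True),
    }
    return {name: decide(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

Rule order is the policy: the anti-spoofing deny comes first so that no later permit can be reached with a forged inside address, and the UDP query is denied simply because no rule mentions it. The final case is the reason the source port note that follows matters.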
Risks of filtering by source port: you can trust the source port only as much as you trust the source machine; nothing stops an attacker's host from sending from port 23. You can limit the damage by allowing inbound connections only to ports on which trustworthy servers are running, i.e. a Telnet server on that port will accept only valid Telnet traffic.

Proxy systems

Proxying provides Internet access to a single host, or a very small number of hosts, while appearing to provide access to all your hosts. The hosts that have Internet access act as proxies for the machines that do not, doing on their behalf what those machines want done. A proxy server for a particular protocol, or set of protocols, runs on a dual homed host (a computer with at least two network interfaces) or on a bastion host. A bastion host is a computer system that must be highly secured because it is exposed to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks.

The user's client program talks to this proxy server instead of directly to the real server out on the Internet. The proxy server evaluates requests from the client and decides which to pass on and which to reject. If a request is approved, the proxy server talks to the real server on behalf of the client, relaying requests from the client to the real server and the real server's answers back to the client. As far as the user is concerned, talking to the proxy is just like talking directly to the real server. As far as the real server is concerned, it is talking to a user on the host running the proxy server; it does not know the user is actually on some other host.

Proxying requires appropriate proxy server software. On the client side it needs either
i. custom client software, which must know how to contact the proxy server instead of the real server when the user makes a request, and how to tell the proxy server which real server to connect to; or
ii. custom user procedures, where the user uses standard client software to talk to the proxy server and tells it which real server to connect to.

Advantages of proxy services

1. Proxy services allow users to access Internet services "directly". With a plain dual homed host a user had to log into the host before using any Internet services. With proxy services users think they are interacting directly with Internet services from their own machines.
2. Proxy services are good at logging. Because a proxy server understands the underlying protocol, it can log in a particularly effective way. Instead of logging every packet transferred, an FTP proxy server logs only the commands issued and the responses received, which gives a much smaller and more useful log.
3. Intelligence can be built into the proxy server, for example caching of frequently accessed items.

Disadvantages of proxy services

1. Proxy services lag behind non-proxied services. Proxy services for traditional protocols like FTP and Telnet are widely available, but proven software for newer or less widely used services is hard to find.
2. A new proxy service is needed for each new service the corporation wants to support.
3. Proxy services usually require modifications to clients, to procedures, or to both.
4. Proxy services are not workable for some services. Proxying relies on the ability to insert the proxy server between the client and the server, which requires a relatively straightforward interaction between the two. It would be very hard to provide proxy services for the UNIX talk program, for example.
5. Proxy services do not protect you from all protocol weaknesses. As a security solution, proxying relies on the ability to determine which operations in a protocol are safe, and not all protocols make that easy. The X Window System protocol, for example, provides a large number of unsafe operations, and it is difficult to keep it working while removing them.
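As an added example (written for this page; it is not code from the paper or from any firewall product), here is an application level FTP proxy in miniature. It shows the three points above at once: a standard client picks the real server through a custom user procedure (logging in as USER name@host, a convention assumed for this demo), the proxy interprets every command and passes only those the site policy considers safe, and it logs commands and reply codes rather than packets. The command policy and the canned replies of the stand-in server are constructed so that the session runs without a network.

```python
"""Application level FTP proxy in miniature.  This is an example added for this
page, not code from the paper or from any firewall product.  The command policy,
the "USER name@host" convention used to name the real server and the canned
server replies are assumptions made so that the demo runs without a network."""
from __future__ import annotations

# Commands the site policy lets through.  STOR, DELE, SITE and the like are
# refused: they change the remote server or invoke server specific extensions.
ALLOWED = {"USER", "PASS", "CWD", "PWD", "TYPE", "LIST", "RETR", "QUIT"}
REFUSED = "502 Command not permitted by proxy policy"


class FakeServer:
    """Stand-in for a real FTP server (constructed); records what it receives."""
    REPLIES = {
        "USER": "331 Password required", "PASS": "230 Logged in",
        "PWD": '257 "/" is current directory', "TYPE": "200 Type set",
        "LIST": "226 Transfer complete", "RETR": "226 Transfer complete",
        "STOR": "226 Transfer complete", "QUIT": "221 Goodbye",
    }

    def __init__(self) -> None:
        self.received: list[str] = []

    def send(self, line: str) -> str:
        self.received.append(line)
        return self.REPLIES.get(line.split(" ", 1)[0].upper(), "500 Unknown command")


class FtpProxy:
    """Relays one client session, interpreting every command before passing it on."""

    def __init__(self, connect) -> None:
        self.connect = connect          # connect(host) -> object with send(line)
        self.server = None
        self.log: list[str] = []

    def handle(self, line: str) -> str:
        """Handle one command line from the client; return the reply to send back."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.server is None:
            # Standard client, custom procedure: the user logs in as name@realhost
            # and the proxy opens the connection to realhost on the user's behalf.
            if verb != "USER" or "@" not in arg:
                return "530 Log in as USER name@host to select the destination"
            user, host = arg.rsplit("@", 1)
            self.server = self.connect(host)
            self.log.append(f"CONNECT {host}")
            line, arg = f"USER {user}", user
        if verb not in ALLOWED:
            self.log.append(f"REFUSED {verb}")
            return REFUSED
        if len(arg) > 256 or any(c in arg for c in "\r\n"):
            # Do not forward oversized or multi-line arguments to the real server.
            self.log.append(f"REFUSED {verb} (malformed argument)")
            return "501 Argument rejected by proxy"
        reply = self.server.send(line)
        # Log the command and the reply code, not packets, and never the PASS argument.
        self.log.append(f"{verb} -> {reply.split(' ', 1)[0]}")
        return reply


def demo_session() -> tuple[list[str], list[str], list[str]]:
    """Run a constructed client session; return (replies, proxy log, what the server saw)."""
    servers: dict[str, FakeServer] = {}

    def connect(host: str) -> FakeServer:
        return servers.setdefault(host, FakeServer())

    proxy = FtpProxy(connect)
    client_lines = [
        "USER anonymous@ftp.example.org",   # names the destination and the user
        "PASS guest",
        "PWD",
        "SITE EXEC /bin/sh",                # refused by policy
        "STOR payload.bin",                 # refused by policy
        "RETR README",
        "QUIT",
    ]
    replies = [proxy.handle(line) for line in client_lines]
    return replies, proxy.log, servers["ftp.example.org"].received


if __name__ == "__main__":
    for entry in demo_session()[1]:
        print(entry)
```

A circuit level relay would have forwarded "SITE EXEC /bin/sh" untouched, since it never parses the commands; an application gateway can refuse it because it knows what the verb means. Note also that the proxy logs the reply code of PASS but not its argument, so the log is useful without holding passwords.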
Types of proxy servers

An application level proxy knows about the particular application it is providing proxy services for; it understands and interprets the commands in the application protocol. A mail relay built on sendmail is an example. A circuit level proxy creates a circuit between the client and server without interpreting the application protocol. The modern hybrid gateway that looks like a proxy to the outside and like a filtering router to the inside is an example of a circuit level gateway.

In general, application level gateways work with modified user procedures, while circuit level proxies need modified clients. This is because a circuit level proxy cannot interpret any of the data sent to it, so the client has to supply the extra information (in particular the real destination) needed to make the connection work. The advantage of a circuit level proxy is that it supports a wide variety of protocols; it is a generic proxy server. The disadvantage is that it provides very little control over what happens through the proxy. Like a packet filter, it controls connections based on source and destination addresses and cannot easily determine whether the commands going through it are safe, or even whether they belong to the expected protocol.

Often grouped with proxies is the network address translation (NAT) box. NAT was developed to alleviate the shortage of IP addresses. The hosts on the internal network use a private numbering scheme, and the NAT box serves as an intermediary between the internal and external nets, translating the internal addresses into globally routable IP addresses on the way out and back again on the way in. Like a circuit level proxy, a NAT box hides the internal hosts but does not understand the application protocol.

Firewall architectures

1. Dual homed host. This architecture is built around a dual homed host computer. Such a host could act as a router between the networks its interfaces are attached to, since it is capable of forwarding IP packets from one network to the other; for this architecture, however, you turn that routing off. Systems outside the firewall can communicate with the dual homed host, and so can systems inside, but the two networks cannot communicate with each other directly. A dual homed host can provide services by
i. proxying between the interfaces, or
ii. having users log onto the dual homed host directly. This is inconvenient for the users and is an old style of architecture that is hardly used any more. It also has bad security implications since, as noted above, we do not want many users with accounts on the firewall machine.
This is the easiest architecture for proxy services. However, if the dual homed host is penetrated, the internal network is exposed.

2. Screening router. This is a pure packet filtering architecture: a packet filtering router is placed between the external and internal networks. If the router is compromised, the entire internal network is exposed.

3. Screened host. Whereas the dual homed host architecture provides services from a host attached to multiple networks, the screened host architecture provides services from a host attached only to the internal network, behind a screening router. Packet filtering provides the primary security. The bastion host sits on the internal network, and the packet filtering on the screening router is set up so that the bastion host is the only system on the internal net to which hosts on the Internet can open connections, and even then only certain types of connections are allowed. The packet filtering also permits the bastion host to open connections to the outside world. Depending on the rules, the packet filter can either let the other hosts on the internal net open connections to the outside world directly, or disallow such connections and so force them to go through the proxies on the bastion host for all their services.
This architecture provides better security than a dual homed host alone, because it is easier to defend a router, which provides a very limited set of services, than to defend a general purpose host. However, if either the bastion host or the router is compromised, the entire internal network is exposed, and the bastion host sits on the same network as the machines it is meant to protect.

4. Screened subnet. This architecture adds an extra layer of security to the screened host by adding a perimeter network that further isolates the internal network from the Internet. This reduces the damage done if a bastion host is penetrated: by isolating the bastion host on a perimeter network, the impact of a break-in is reduced to the perimeter network. The only traffic an intruder sees on the perimeter net is traffic between the bastion host and the external world; private communications between hosts on the internal net are still hidden from the attacker. In the simplest screened subnet architecture there are two screening routers, each connected to the perimeter net. One sits between the perimeter net and the external network (the exterior router) and the other between the perimeter net and the internal net (the interior router). The bastion host sits on the perimeter network. To get to the internal network an intruder now has to get past the exterior router, compromise the bastion host and then get past the interior router, a significantly harder task than in any of the previous architectures. Some sites go as far as to create a layered series of perimeter nets between the outside world and their internal net, with the less trusted and more vulnerable services placed on the outer perimeter nets.

5. Multiple bastion hosts on a screened subnet. This is a minor variation on the previous architecture. Reasons for it are performance, redundancy and the need to separate data or servers. For example, one bastion host could handle services that are important to internal users (such as SMTP) and another the services the site provides to the outside world, so that the users are not slowed down by outside traffic. A separate bastion host for Usenet news traffic could also boost performance.

6. Merged interior and exterior routers. Another variation on the screened subnet, this setup uses a single router with three interfaces: one to the outside net, one to the perimeter net with the bastion host, and one to the internal net. There is still a perimeter net, and additional rules can be set up to allow some packets to flow directly between the outside and the internal net. This is cheaper and faster, but it again leaves a single point of vulnerability in the configuration.

Available products

1. Check Point Software FireWall-1. Data Communications and Net Computing rated this the best firewall on the market in 1996, and it had 44% of the firewall market. It has a very easy to administer GUI. FireWall-1 is built on packet filtering rather than proxies, so it avoids the per-connection overhead of an application gateway. Its Stateful Inspection technology understands various application level protocols while still operating on packets: a packet is intercepted at the network layer, and the INSPECT engine then extracts the state related information needed for the security decision from all layers up to the application layer and keeps it in dynamic state tables, against which subsequent packets and connection attempts are evaluated. Check Point's claim is that this combines the application awareness of an application gateway with the performance of a packet filter, without breaking the client/server model. UDP is usually handled poorly by packet filters, since there is no connection to track, but Check Point has a method for dealing with this as well.
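To make the dynamic state table concrete, here is an added example, written for this page; it is not Check Point's INSPECT code or any other vendor's. It tracks both TCP and UDP: an outbound SYN or UDP request creates an entry, and an inbound packet is permitted only if it answers a recorded session. The UDP part implements the pending-request scheme that the next paragraph describes for FireWall-1. The timeouts, the addresses and the assumption that the rule base already permits sessions opened from the inside are mine; the clock is passed in so the sequence is deterministic. The ACK probe that a stateless ACK-bit rule admits is dropped here because no inside host opened that session.

```python
"""Stateful inspection in miniature.  This is an example added for this page, not
Check Point's INSPECT engine or any other product's code.  It assumes the rule base
already permits sessions opened from the inside; what it adds is the dynamic state
table that decides whether a packet belongs to such a session.  Timeouts are
assumptions, and the clock is passed in so the demo is deterministic."""
from __future__ import annotations
from dataclasses import dataclass

TCP_TIMEOUT = 3600.0   # idle seconds before an established TCP entry is dropped
UDP_TIMEOUT = 30.0     # seconds a pending UDP request waits for its reply


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out" = inside to outside, "in" = outside to inside
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StateTable:
    """Maps each inside-initiated session to the time at which it expires."""

    def __init__(self) -> None:
        self.sessions: dict[tuple, float] = {}

    @staticmethod
    def key(p: Pkt) -> tuple:
        """Same key for a request and its reply: (proto, inside, iport, outside, oport)."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Pkt, now: float) -> str:
        """Return "permit" or "drop" for packet p arriving at time now."""
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}  # expire
        k = self.key(p)
        known = k in self.sessions
        ttl = UDP_TIMEOUT if p.proto == "udp" else TCP_TIMEOUT
        if p.direction == "out":
            opening = p.proto == "udp" or (p.syn and not p.ack)
            if not (opening or known):
                return "drop"              # stray TCP packet for a session never opened
            self.sessions[k] = now + ttl   # record (or refresh) the pending session
            return "permit"
        if not known:
            return "drop"   # unsolicited: no pending request, whatever the flags say
        if p.proto == "tcp" and p.syn and not p.ack:
            return "drop"   # an outside SYN never belongs to an inside-opened session
        self.sessions[k] = now + ttl       # genuine reply keeps the session alive
        return "permit"


def demo() -> list[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    st = StateTable()
    inside, dns, attacker = "10.1.2.3", "192.0.2.53", "198.51.100.7"
    events = [
        (0.0, Pkt("out", "udp", inside, 5353, dns, 53)),                  # DNS query: recorded
        (0.2, Pkt("in", "udp", dns, 53, inside, 5353)),                   # its reply: permitted
        (0.3, Pkt("in", "udp", attacker, 53, inside, 5353)),              # forged reply from elsewhere
        (40.0, Pkt("in", "udp", dns, 53, inside, 5353)),                  # reply after the timeout
        (41.0, Pkt("in", "tcp", attacker, 23, inside, 6000, ack=True)),   # ACK probe, no session
        (42.0, Pkt("out", "tcp", inside, 40000, attacker, 23, syn=True)), # inside opens Telnet
        (42.1, Pkt("in", "tcp", attacker, 23, inside, 40000, syn=True, ack=True)),  # its SYN/ACK
        (43.0, Pkt("out", "tcp", inside, 40500, attacker, 23, ack=True)), # stray outbound ACK
    ]
    return [st.decide(p, t) for t, p in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The table is what a stateless filter lacks: the forged DNS "reply" is dropped not because of any flag but because no inside host asked 198.51.100.7 anything, and the late genuine reply is dropped because the pending entry expired. A real engine also has to bound the table size, since every permitted outbound request costs memory until it expires.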
FireWall-1's Stateful Inspection implementation secures UDP based applications by maintaining a virtual connection on top of the UDP exchange. The INSPECT engine keeps state information for each session through the gateway. Each UDP request packet permitted to cross the firewall is recorded, and UDP packets travelling in the opposite direction are verified against the list of pending sessions to ensure that each one is in an authorized context. A packet that is a genuine response to a recorded request is delivered; all others are dropped. If no response arrives within the specified time period, the pseudo-connection times out. In this way unsolicited UDP packets are blocked while UDP applications can still be used. FireWall-1 does not need a specially modified OS kernel.

2. Advanced Network and Services Inc. Interlock 3.0. This is a dual homed application gateway.

3. Trusted Information Systems Gauntlet 3.0. This is an application gateway with an authenticated circuit gateway: the firewall manager can configure certain "plug gateway" services to be available on a per user basis after users authenticate themselves to the firewall. Gauntlet runs on a modified OS kernel and detects IP spoofing.

4. Network Engineering Software's Telaxian Shield. This firewall allows load sharing among multiple bastion hosts. It appears to be a screened subnet architecture with NAT boxes.

Bibliography

1. William Cheswick and Steven Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Publishing Company, 1994.
2. D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls. O'Reilly & Associates, 1995.
3. http://www.checkpoint.com
4. http://www.tis.com
5. http://www.ans.net
6. http://www.fireants.com
7. David Newman and Brent Melson, "Can Firewalls Take the Heat?", Data Communications, November 21, 1995.
8. Linda McShie, "Firewall Systems: The Next Generation", Proceedings of SPIE, International Society for Optical Engineering, 1996.