Network Firewalls
Josef Pojsl, jp@tns.cz
Trusted Network Solutions, a.s.
March 14, 2011
03/14/2011 Slide 2
Agenda
1) What is a firewall?
2) A word about topology
3) On the origin of firewalls
4) Statefulness, transparency, proxies
5) The evolution of UTM appliances
6) Real threats, future firewalls
03/14/2011 Slide 3
The Definition of Firewall
✗
No personal firewalls
✗
No home firewalls
✗
No small office firewalls
●
There are many definitions of firewall
Firewall is a set of measures (hardware, software,
personell) whose primary goal is to separate two
or more networks with different trust levels and
mitigate threats implied by communication
between them.
03/14/2011 Slide 4
Topology
●
Hosts with different trust levels must
be separated into different networks
●
Connections should only be initiated
from a more trusted (e.g. internal)
network to a less trusted network
zone whenever possible
Firewalls provide network security,
not host security
03/14/2011 Slide 5
Firewall 1.0
●
Late 1980s / early 1990s
●
Packet filtering routers (DEC, AT&T)
●
Circuit level gateways (AT&T)
●
Bastion hosts / proxies (DEC SEAL)
03/14/2011 Slide 6
FW 1.0: Packet Filtering
●
Selective blocking of individual packets
based on IP addresses & TCP/UDP ports
●
Default-allow policy
●
Evolved from routers as their add-on feature
●
Typically combined with Network Address
Translation (NAT)
Basic filtering on routers is still being used
together with modern firewalls
03/14/2011 Slide 7
FW 1.0: Circuit Level GWs
●
Stand between packet filters and
application proxies
●
Work on session layer
●
Terminate client TCP/UDP sessions and
replicate them to servers
●
Do not operate on application layer
Some proxy firewalls still use them
for unknown application protocols
03/14/2011 Slide 8
FW 1.0: Proxies
●
Evolved from so-called „Bastion hosts“
●
Application layer commands
●
Users must have known about them
●
Default-deny policy
Most modern firewalls still use proxies
even if the vendors do not admit it
03/14/2011 Slide 9
Firewall 2.0
●
Mid 1990s
●
Stateful filtering (Check Point)
●
Transparent proxies (Gauntlet)
Stateful filters and transparent proxies are
still at the heart of most modern firewalls
03/14/2011 Slide 10
FW 2.0: Stateful Filtering
●
PF: One rule out, another rule in
●
Stateful Packet Inspection (SPI) takes care
about who initiates the communication
●
Handles TCP / UDP / ICMP traffic (?FTP, SIP)
●
Default-deny or default-allow policy
●
Still often combined with NAT
The most important firewall feature
up to these days
03/14/2011 Slide 11
FW 2.0: Transparent Proxies
●
Proxies placed at the border of perimeter
●
Transparency = no visibility for users
●
Inherently translates addresses (NAT)
●
Provides application layer control
●
Authentication
●
Content checking (antispam, antivirus,...)
●
Needs specific code for each app. layer protocol
03/14/2011 Slide 12
Firewall 3.0
●
Early 2000s
●
Unified Threat Management (UTM)
●
Firewall / UTM appliances (NetScreen
- now Juniper, FortiGate, Symantec)
●
European projects (Phion - now
Barracuda, NetASQ, Astaro, Kernun)
03/14/2011 Slide 13
FW 3.0: UTM
●
Integration of additional features:
➔
Intrusion detection / prevention (IDS / IPS)
➔
Antivirus / antispam / anti-anything
➔
Content filtering / blocking
➔
Network Access Control (NAC)
➔
Anomaly detection
03/14/2011 Slide 14
FW 3.0: Appliances
●
Earlier, firewalls came as software
●
Now, they were sold as hardware
●
Rack form factor
●
Pre-packaged appliances equiped with
hardened OS and the software
●
Multi-gigabit throughput
03/14/2011 Slide 15
Threats and challenges today
●
Forget about ports and IP addresses
●
Phishing / Pharming
●
Botnets / DDoS
●
Cyber War
●
Viruses / worms attacking PDF
●
XSS, CSRF, ClickJacking etc.
03/14/2011 Slide 16
Phishing / Pharming
●
A large attack against Česká
Spořitelna in March 2007
●
Forged bank site (very authentic)
●
Fraudulent e-mails (several versions
received by thousands of users)
●
Accompanied with a Trojan capturing
authentication from keyboard
03/14/2011 Slide 17
DDoS on Estonia
●
In spring 2007, Russian-Estonian conflict was
accompanied with a large-scale cyber attack against
Estonian government, newspaper and technology sites
●
Russian riots in Tallin and cyber attacks were
coordinated and both came in three ways
●
Estonia, one of the Europe's most wired countries,
showed very vulnerable
●
Russia was blamed to orchestrate the attacks, officially
denied
●
NATO's investigation
03/14/2011 Slide 18
Great Firewall of China
●
Internally called „The Golden Shield Project“,
Chinese government launched the biggest firewall
in the world in 2003
●
Many sites are completely unreachable from the
whole of China (BBC)
●
Even encrypted HTTP traffic is being scanned
●
During Olympic Games in Beijing in 2008, the
firewall rules were relaxed after protests from
journalists
03/14/2011 Slide 19
MS SQL Slammer Worm
●
Exploit of a buffer overflow bug in MS SQL Server
●
SQL Slammer worm hit the Internet on Jan 25, 2003
●
A patch had been released 6 months earlier
●
90% of its 75,000 victims were infected within 10
minutes, some of the infected systems belonged to MS
●
Its spread followed an exponential curve with doubling
time of 8.5 seconds in the early phases of the attack
●
The entire worm (376 bytes) fit into a single UDP packet
●
In Aug 2002, D. Litchfiled made available his proof of
concept code which the worm was probably based on
03/14/2011 Slide 20
Botnets
●
Groups of computers controlled by attackers
●
Real computer owners are unaware of the botnet
●
Botnets spread via unpatched vulnerabilities
●
Used for Distributed Denial of Service attacks,
sending SPAM, adware/spyware distribution etc.
●
Botnets may typically be leased for a fee
03/14/2011 Slide 21
Botnet Examples
BredoLab
●
30M computers
●
Originated in Russia
or Kazakhstan
●
Dismantled in Nov
2010
Mariposa
●
12M computers
●
Spanish hackers
●
Slovenian authors
●
All arrested in July
2010
03/14/2011 Slide 22
Stuxnet
●
2009: Special purpose worm, attacking
industrial SCADA systems
●
Large piece of code, written in several
programming languages; rootkit
●
Takes advantage of several Windows
vulnerabilities; centrally controlled
●
Used to attack nuclear facilities in Iran,
possibly originated in Israel/USA
03/14/2011 Slide 23
PDF attacks
●
Adobe Acrobat runs scripts within PDF
documents
●
Many people are unaware of the risks
●
In 2009, Acrobat PDF attacks (48%)
finally outnumbered attacks
on MS Word (39%)
03/14/2011 Slide 24
Challenges
●
Securing network perimeter, access
control
●
Recognizing applications
●
Performing identity management
●
Providing accurate statistics and
forensics data
●
IPv6
03/14/2011 Slide 25
Applications & Users
Applications are not ports
Users are not IP addresses
03/14/2011 Slide 26
IPv6 and Firewalls
●
IPv4 exhaustion → transition to IPv6
●
New shape of security
●
Multicast
●
Avoidance of NAT?
●
Network Discovery Protocol (NDP)
Specific problems of dual-stack
03/14/2011 Slide 27
Firewall 4.0?
●
Early 2010s (Palo Alto, Kernun)
●
Combination of many technologies
●
Stateful Filtering
●
Transparent Proxies
●
Intrusion Detection Systems
●
Anomaly Detections Systems
●
Heuristic Analysis
Access control for users
to real applications
03/14/2011 Slide 28
Recommended Reading
●
Cheswick, W. R., Bellovin, S. M., Rubin, A. D.:
Firewalls and Internet Security: Repelling the Willy
Hacker, 2nd edition, Adison-Wesley, ISBN 0-201-
63466-X, 2003
●
Schneier, B.: Beyond Fear, Springer Verlag, ISBN
978-0387026206, 2006
03/14/2011 Slide 29
Useful Links
●
SecurityFocus - Vulnerabilities
http://www.securityfocus.com/
●
Open Web Application Security Project
http://www.owasp.org/
●
Marcus J. Ranum Site
http://www.ranum.com/
Network Firewalls
Josef Pojsl, jp@tns.cz
Trusted Network Solutions, a.s.
March 14, 2011