Firewall Locations and Configurations


Firewall Locations and Configurations
25/11/2018
Firewall Configurations

• Three common configurations:
1. Screened host firewall, single-homed bastion host
2. Screened host firewall, dual-homed bastion host
3. Screened subnet firewall
Screened host firewall, single-homed bastion host

• Inbound traffic: only IP packets destined to the bastion host are allowed in
• Outbound traffic: only IP packets from the bastion host are allowed out
• Packet-level and application-level filtering
Screened host firewall, single-homed bastion host
• The firewall consists of two systems:
1. A packet-filtering router
2. A bastion host
Screened host firewall, single-homed bastion host
• Configuration for the packet-filtering router: only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
Screened host firewall, single-homed bastion host
• Greater security than a single-system configuration, for two reasons:
1. This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
2. An intruder must generally penetrate two separate systems
Screened host firewall, single-homed bastion host
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
• But what if the filtering router is compromised?
• Traffic could flow directly between the Internet and the hosts of the private network.
• A screened host with a dual-homed bastion prevents such a security breach.
Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
• Screened host firewall, dual-homed bastion configuration:
1. If the packet-filtering router is completely compromised,
2. traffic between the Internet and other hosts on the private network has to flow through the bastion host
Firewall Configurations
• Screened-subnet firewall system
• Screened subnet firewall configuration:
  • Most secure configuration of the three
  • Two packet-filtering routers are used
  • Creation of an isolated sub-network

Firewall Configurations
• Screened-subnet firewall system
1. Three levels of defense to thwart intruders
2. Outside router advertises only the existence of the screened subnet to the Internet
3. Internal network invisible to the Internet
4. Inside router advertises only the existence of the screened subnet to the internal network
5. Users on the inside network cannot construct direct routes
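The three configurations above differ in what is left in the path once the packet-filtering router is compromised. The following is an added example (not from the slides) that models each configuration as a chain of filtering hops and evaluates whether an Internet-originated packet reaches a host on the private network, with the router intact and with it compromised. Addresses are constructed documentation/private ranges and each hop's policy is reduced to the single rule the slides state for it.

```python
# Added example, not part of the original slides: a minimal model of the three
# configurations as chains of filtering hops, used to show which paths survive
# a compromised packet-filtering router. The addresses are constructed
# (documentation and private ranges) and each hop's policy is reduced to the
# rule the slides give for it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = ip_network("203.0.113.0/24")   # constructed external range
DMZ = ip_network("192.0.2.0/24")          # screened subnet / bastion network
PRIVATE = ip_network("10.0.0.0/8")        # internal (private) network
BASTION = ip_address("192.0.2.10")        # bastion host address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def involves_bastion(pkt):
    return ip_address(pkt.src) == BASTION or ip_address(pkt.dst) == BASTION


def screened_host_router(pkt):
    """Packet-filtering router of the screened host configurations:
    only packets from or to the bastion host pass through the router."""
    return involves_bastion(pkt)


def dual_homed_bastion(pkt):
    """Dual-homed bastion host: one interface towards the router, one towards
    the private network, and no forwarding between them, so only traffic it
    terminates or originates itself continues past it."""
    return involves_bastion(pkt)


def outside_router(pkt):
    """Screened subnet, outer router: the Internet sees only the screened subnet."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return (s in INTERNET and d in DMZ) or (s in DMZ and d in INTERNET)


def inside_router(pkt):
    """Screened subnet, inner router: the private network talks only to the
    screened subnet, so no direct route to or from the Internet exists."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return (s in DMZ and d in PRIVATE) or (s in PRIVATE and d in DMZ)


def passthrough(pkt):
    """A completely compromised filtering router forwards everything."""
    return True


# Hops a packet crosses between the Internet and a host on the private network.
# In the single-homed case the bastion sits beside the private hosts rather
# than in the path, so the router is the only filtering hop.
TOPOLOGIES = {
    "single-homed": [screened_host_router],
    "dual-homed": [screened_host_router, dual_homed_bastion],
    "screened-subnet": [outside_router, inside_router],
}


def reaches_private_host(topology, pkt, router_compromised=False):
    """True if pkt (Internet -> private host) is delivered end to end."""
    if ip_address(pkt.dst) not in PRIVATE:
        raise ValueError("this model only evaluates traffic bound for the private network")
    hops = list(TOPOLOGIES[topology])
    if router_compromised:
        hops[0] = passthrough   # the first hop is always the (outer) filtering router
    return all(hop(pkt) for hop in hops)


if __name__ == "__main__":
    probe = Packet("203.0.113.7", "10.1.1.5")    # constructed Internet host -> private host
    for name in TOPOLOGIES:
        print(f"{name:16} intact: {reaches_private_host(name, probe)!s:5} "
              f"router compromised: {reaches_private_host(name, probe, True)}")
```

Run as a script, the single-homed case is the only one in which the compromised router lets the packet through; in the dual-homed and screened-subnet cases a second filtering hop still blocks it, which is the property the slides describe.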
Internal firewalls: three objectives
1. Add more protection to the protected network
2. Protect the internal network from attacks launched from compromised DMZ-based machines (worms, rootkits, bots), and protect the DMZ from internal attacks
3. Protect internal networks from each other
Virtual Private Network

• Set of computers that interconnect by means of a relatively unsecure network.
• Use of a public network exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users.
• A VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
Virtual Private Network

• VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption and authentication system at both ends.
• The encryption may be performed by firewall software or possibly by routers. The most common protocol mechanism used for this purpose is at the IP level and is known as IPSec.

Virtual Private Networks
[Figure: Virtual Private Networks (VPNs), example firewall configuration]

[Figure: Distributed firewall configuration, example]
Firewall Topologies
• host-resident firewall: includes personal firewall software and firewall software on servers
• screening router: single router between internal and external networks with stateless or full packet filtering
• single bastion inline: single firewall device between an internal and external router
• single bastion T: has a third network interface on the bastion to a DMZ where externally visible servers are placed
• double bastion inline: DMZ is sandwiched between bastion firewalls
• double bastion T: DMZ is on a separate network interface on the bastion firewall
• distributed firewall configuration: used by large businesses and government organizations

[Figure: Double bastion T]
[Figure: Double bastion inline]
Intrusion Prevention Systems (IPS)

• recent addition to security products
• inline network-based IDS that can block traffic and detect suspicious traffic
• functional addition to a firewall that adds IDS capabilities
• can block traffic like a firewall
• makes use of algorithms developed for IDSs
• may be network or host based
Host-Based IPS (HIPS)
• identifies attacks using both signature and anomaly detection techniques
• signature: focus is on the specific content of application payloads in packets, looking for patterns that have been identified as malicious
• anomaly: IPS is looking for behavior patterns that indicate malware
• can be tailored to the specific platform
• can also use a sandbox approach to monitor behavior

Advantages:
• the various tools work closely together
• threat prevention is more comprehensive
• management is easier
Malicious behavior
• Modification of system resources: rootkits, Trojan horses, and backdoors operate by changing system resources, such as libraries, directories, registry settings, and user accounts.
• Privilege-escalation exploits: attempt to give ordinary users root access.
• Buffer-overflow exploits
• Access to e-mail contact list: many worms spread by mailing a copy of themselves to addresses in the local system's e-mail address book.
• Directory traversal: a directory traversal vulnerability in a Web server allows the hacker to access files outside the range of what a server application user would normally need to access.

Malicious behavior
• Attacks such as these result in behaviors that can be analyzed by a HIPS. The HIPS capability can be tailored to the specific platform.
• A set of general-purpose tools may be used for a desktop or server system.
• Some HIPS packages are designed to protect specific types of servers, such as Web servers and database servers.
• In this case, the HIPS looks for particular application attacks.

Malicious behavior
• In addition to signature and anomaly-detection techniques, a HIPS can use a sandbox approach.
• Sandboxes are especially suited to mobile code, such as Java applets and scripting languages.
• The HIPS quarantines such code in an isolated system area, then runs the code and monitors its behavior.
• If the code violates predefined policies or matches predefined behavior signatures, it is halted and prevented from executing in the normal system environment.

Malicious behavior
• System calls:
  • The kernel controls access to system resources such as memory, I/O devices, and processor.
  • To use these resources, user applications invoke system calls to the kernel.
  • Any exploit code will execute at least one system call.
  • The HIPS can be configured to examine each system call for malicious characteristics.
• File system access:
  • HIPS can ensure that file access system calls are not malicious and meet established policy.

Malicious behavior
• System registry settings:
  • The registry maintains persistent configuration information about programs and is often maliciously modified to extend the life of an exploit.
  • The HIPS can ensure that the system registry maintains its integrity.
• Input/output:
  • I/O communications, whether local or network based, can propagate exploit code and malware.
  • The HIPS can examine and enforce proper client interaction with the network and its interaction with other devices.
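The slides list the behaviors a HIPS looks for (modification of system resources, privilege-escalation attempts, directory traversal) and state that every exploit executes at least one system call that the HIPS can examine. The following added example (not from the slides, and not any HIPS product's code) runs a small policy over a constructed trace of system-call events and reports the events that match those behaviors. The process names, directory lists, uids and the event format are assumptions made for the demonstration; path resolution is lexical only, so symlinks are out of scope.

```python
# Added example, not from the original slides: a toy HIPS policy engine that
# inspects a constructed trace of system-call events for the behaviours the
# slides list. Process names, protected directories and uids are assumptions.
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    comm: str        # process name, e.g. "httpd"
    euid: int        # effective uid of the caller (0 = root)
    syscall: str     # "openat", "setuid", ...
    args: tuple      # simplified arguments: (path, flags) for openat, (uid,) for setuid


# Policy (assumptions for the example)
WEB_ROOT = "/var/www/html"
CONFINED = {"httpd": WEB_ROOT}                       # processes limited to one directory tree
SYSTEM_RESOURCES = ("/lib", "/usr/lib", "/etc", "/boot", "/usr/bin")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}


def canonical(path, cwd="/"):
    """Resolve '.' and '..' lexically so traversal sequences cannot hide the real target."""
    return posixpath.normpath(posixpath.join(cwd, path))


def inside(path, root):
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def check(ev):
    """Return the policy findings for one system-call event (empty list = allowed)."""
    findings = []
    if ev.syscall == "setuid" and ev.euid != 0 and ev.args[0] == 0:
        findings.append("privilege-escalation attempt: non-root process called setuid(0)")
    if ev.syscall == "openat":
        path, flags = canonical(ev.args[0]), set(ev.args[1])
        root = CONFINED.get(ev.comm)
        if root and not inside(path, root):
            findings.append(f"directory traversal: {ev.comm} opened {path} outside {root}")
        if flags & WRITE_FLAGS and any(inside(path, d) for d in SYSTEM_RESOURCES):
            # writes to system resources are allowed only to unconfined root processes
            if ev.euid != 0 or ev.comm in CONFINED:
                findings.append(f"modification of system resources: write to {path} by {ev.comm}")
    return findings


def scan(trace):
    """Run every event through the policy; return {pid: [findings]} for offending processes."""
    report = {}
    for ev in trace:
        hits = check(ev)
        if hits:
            report.setdefault(ev.pid, []).extend(hits)
    return report


# Constructed trace: one web server process, one user shell, two root daemons.
TRACE = [
    SyscallEvent(1201, "httpd", 33, "openat", ("/var/www/html/index.html", ("O_RDONLY",))),
    SyscallEvent(1201, "httpd", 33, "openat", ("/var/www/html/../../../etc/passwd", ("O_RDONLY",))),
    SyscallEvent(1201, "httpd", 33, "setuid", (0,)),
    SyscallEvent(1340, "sh", 1000, "openat", ("/usr/lib/libc.so.6", ("O_WRONLY", "O_TRUNC"))),
    SyscallEvent(1, "systemd", 0, "openat", ("/etc/machine-id", ("O_RDONLY",))),
    SyscallEvent(2210, "apt", 0, "openat", ("/usr/lib/newlib.so", ("O_WRONLY", "O_CREAT"))),
]

if __name__ == "__main__":
    for pid, hits in scan(TRACE).items():
        for h in hits:
            print(f"pid {pid}: {h}")
```

The web server process is reported twice (the traversal outside its document root and the setuid(0) call), the user shell once for writing into /usr/lib, while the root daemons' reads and the package manager's write are within policy and produce nothing.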
Network-Based IPS (NIPS)
• inline NIDS with the authority to discard packets and tear down TCP connections
• uses signature and anomaly detection
• may provide flow data protection: monitoring full application flow content
• can identify malicious packets using:
  • pattern matching
  • stateful matching
  • protocol anomaly
  • traffic anomaly
  • statistical anomaly

• Pattern matching: scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks
• Stateful matching: scans for attack signatures in the context of a traffic stream rather than individual packets
• Protocol anomaly: looks for deviation from standards set forth in RFCs
• Traffic anomaly: watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network
• Statistical anomaly: develops baselines of normal traffic activity and throughput, and alerts on deviations from those baselines
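The five detection methods just listed behave differently on the same traffic, and the difference between per-packet pattern matching and stateful matching is easiest to see when a signature straddles a segment boundary. The following added example (not from the slides, and not any NIPS product's code) implements each method in a few lines and runs them over constructed traffic: a three-segment TCP stream, an HTTP request line, a list of known service ports and a baseline of UDP packet rates. The signature bytes, the request-line rule and all rates are assumptions made for the demonstration.

```python
# Added example, not from the original slides: the NIPS detection methods the
# slides list, each run over constructed traffic. Signature, ports, rates and
# the HTTP request-line rule are assumptions for the demonstration.
import re
from statistics import mean, pstdev

SIGNATURE = b"EVIL-PAYLOAD"          # constructed "known attack" byte sequence


def pattern_match(segments, sig=SIGNATURE):
    """Pattern matching: each packet payload is scanned in isolation.
    Returns the indexes of segments that contain the whole signature."""
    return [i for i, seg in enumerate(segments) if sig in seg]


def stateful_match(segments, sig=SIGNATURE):
    """Stateful matching: carry the tail of the previous in-order segment so a
    signature split across segment boundaries is still found. Returns the
    index of the segment that completes the match, or -1."""
    carry = b""
    for i, seg in enumerate(segments):
        window = carry + seg
        if sig in window:
            return i
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return -1


# Protocol anomaly: an HTTP/1.x request line must be "METHOD SP target SP HTTP/1.x CRLF"
REQUEST_LINE = re.compile(rb"^[A-Z]{3,8} \S+ HTTP/1\.[01]\r\n$")


def protocol_anomaly(request_line):
    """True when the request line deviates from the expected RFC form."""
    return REQUEST_LINE.match(request_line) is None


KNOWN_SERVICES = {22, 80, 443}        # constructed inventory of services seen so far


def traffic_anomaly(dst_port, known=KNOWN_SERVICES):
    """Traffic anomaly: a service port never seen on the network before."""
    return dst_port not in known


def baseline(samples):
    """Statistical anomaly, learning phase: mean and standard deviation of normal activity."""
    return mean(samples), pstdev(samples)


def statistical_anomaly(observed, mu, sigma, k=3.0):
    """Statistical anomaly, detection phase: alert when an observation exceeds
    the baseline by more than k standard deviations."""
    return observed > mu + k * sigma


# Constructed traffic
SPLIT_STREAM = [b"GET /index.html HTTP/1.1\r\n", b"X-Note: EVIL-PAY", b"LOAD\r\n\r\n"]
UDP_RATE_BASELINE = [100, 110, 95, 105, 100, 98, 102, 107]   # packets/second when idle


def demo():
    mu, sigma = baseline(UDP_RATE_BASELINE)
    return {
        "pattern": pattern_match(SPLIT_STREAM),           # per-packet scan misses the split signature
        "stateful": stateful_match(SPLIT_STREAM),         # found once the segments are joined
        "proto_ok": protocol_anomaly(b"GET /index.html HTTP/1.1\r\n"),
        "proto_bad": protocol_anomaly(b"GET /index.html HTTP/9.9\r\n"),
        "new_service": traffic_anomaly(3389),
        "udp_flood": statistical_anomaly(400, mu, sigma),
        "udp_normal": statistical_anomaly(110, mu, sigma),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Note that pattern matching returns an empty list for the split stream while stateful matching reports the third segment; a real engine keeps a bounded per-flow buffer exactly as the carry variable does here, which is the cost of "scanning in the context of a traffic stream".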
Snort Inline

• enables Snort to function as an intrusion prevention capability
• drop, reject and sdrop:
  • drop: Snort rejects a packet based on the options defined in the rule and logs the result
  • reject: the packet is rejected and the result is logged, and an error message is returned
  • sdrop: the packet is rejected but not logged
• includes a replace option which allows the Snort user to modify packets rather than drop them
• useful for a honeypot implementation
• attackers see the failure but can't figure out why it occurred
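To make the three actions and the replace option concrete, the following added example (not from the slides and not Snort's own code) parses four constructed Snort Inline rules and applies their semantics to sample packets: drop logs, reject logs and returns an error to the sender, sdrop is silent, and replace rewrites the matched content in place instead of dropping. The rule grammar handled is a simplified subset (header plus the msg, content, replace, sid and rev options), and the sids, content strings and variable names are placeholders.

```python
# Added example, not from the original slides and not Snort's code: a toy
# inline engine for a subset of Snort rule syntax, showing what drop, reject,
# sdrop and the replace option do to a matching packet. Sids and strings are
# placeholders.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rules (placeholder sids/content; $HOME_NET and $EXTERNAL_NET as in snort.conf)
RULES_TEXT = """
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE known exploit pattern"; content:"EVIL-PAYLOAD"; sid:1000001; rev:1;)
reject tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE forbidden login string"; content:"BAD-LOGIN"; sid:1000002; rev:1;)
sdrop udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"EXAMPLE noisy probe"; content:"PROBE"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE honeypot rewrite"; content:"ATTACK"; replace:"BENIGN"; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\d+|any)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dport: Optional[int]     # None means "any"
    opts: dict


@dataclass
class Verdict:
    forwarded: bool
    log: Optional[str]        # None when nothing is logged (sdrop)
    error_to_sender: bool     # reject also returns an error message to the sender
    payload: bytes            # possibly rewritten by the replace option


def parse_rules(text):
    """Parse the simplified rule subset into Rule objects (first match wins later)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = dict(OPT_RE.findall(m["opts"]))
        dport = None if m["dport"] == "any" else int(m["dport"])
        rules.append(Rule(m["action"], m["proto"], dport, opts))
    return rules


def inspect(rules, proto, dport, payload):
    """Apply the first matching rule to one packet and return the verdict."""
    for r in rules:
        content = r.opts.get("content", "").encode()
        if r.proto != proto or r.dport not in (None, dport) or content not in payload:
            continue
        msg = r.opts.get("msg", "")
        if r.action == "drop":      # rejected, result logged
            return Verdict(False, f"[Drop] {msg}", False, payload)
        if r.action == "reject":    # rejected, logged, error message returned to the sender
            return Verdict(False, f"[Reject] {msg}", True, payload)
        if r.action == "sdrop":     # rejected silently, nothing logged
            return Verdict(False, None, False, payload)
        if r.action == "alert":     # forwarded; with replace, the matched bytes are rewritten
            new = r.opts.get("replace")
            if new is not None:
                if len(new) != len(content):
                    raise ValueError("replace text must have the same length as content")
                payload = payload.replace(content, new.encode(), 1)
            return Verdict(True, f"[Alert] {msg}", False, payload)
        raise ValueError(f"unsupported action {r.action}")
    return Verdict(True, None, False, payload)   # no rule matched: pass untouched


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for proto, port, data in [("tcp", 80, b"q=EVIL-PAYLOAD"), ("tcp", 80, b"user=BAD-LOGIN"),
                              ("udp", 1434, b"PROBE"), ("tcp", 80, b"x=ATTACK")]:
        print(proto, port, data, "->", inspect(rules, proto, port, data))
```

The replace option is length-preserving in Snort because the packet is rewritten in place, which the engine enforces; this is what makes the honeypot use the slides mention possible, since the connection proceeds but with neutralised content, and the sender sees a failure without an obvious cause.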
Unified Threat Management Products
[Table 9.3: Unified Threat Management Products]

Sidewinder G2 Security Appliance Attack Protections Summary, Transport Level Examples
[Table 9.4]

Sidewinder G2 Security Appliance Attack Protections Summary, Application Level Examples (page 1 of 2)
[Table 9.4]

Sidewinder G2 Security Appliance Attack Protections Summary, Application Level Examples (page 2 of 2)
Summary
• firewalls
  • need for
  • characteristics of
  • techniques
  • capabilities/limitations
• types of firewalls
  • packet filtering firewall
  • stateful inspection firewalls
  • application proxy firewall
  • circuit level proxy firewall
• bastion host
• host-based firewall
• personal firewall
• firewall location and configurations
  • DMZ networks
  • virtual private networks
  • distributed firewalls
• intrusion prevention systems (IPS)
  • host-based IPS (HIPS)
  • network-based IPS (NIPS)
  • Snort Inline
• UTM products
