Firewalls Flashcards
A company wishes to make an HTTP service on port 8080 available to internet users; indicate a network and/or server configuration to provide the service safely and explain the reasons for the choices made.
I would use a firewall of the screened subnet type, with the appropriate web proxy and the web server placed in the DMZ, in order to have a good level of security provided by gateway, bastion host and packet-filtering router, while at the same time avoiding a SPOF thanks to the double check performed on the packets.
With reference to a network firewall, briefly explain how to configure the whitelist and blacklist
Whitelist: everything that is not explicitly granted does not pass
Blacklist: everything that is not explicitly prohibited passes
They are strategies used to decide which packets may enter (or leave) the network; the first option is generally preferred because it is safer.
Describe packet filter technology and describe advantages and limitations
It consists of filtering packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
- static: coarse filtering is applied based on layer 3 addresses and layer 4 ports with a blacklist or whitelist system;
- dynamic: stores state information from the transport layer and/or from the application layer; it distinguishes new connections from those already open, thanks to a state table for open connections; packets that correspond to a row of the table are accepted without further checks.
Pros and cons:
+ very scalable
+ good performance (slightly better for the dynamic one, being stateful)
+ low cost
- complex configurations
- unsafe (inaccurate controls)
Draw the scheme of a dual homed gateway firewall architecture, illustrate the role of its components, advantages and disadvantages.
A dual-homed gateway is put in series with the screening router; it is a machine equipped with two network cards, one interfaced to the external network and the other interfaced to the internal one, both with routing disabled, and a running process whose task is to decide which traffic is allowed to pass from one network interface to the other. This system has a double control point:
* the router acts as a packet filter;
* the dual-homed gateway houses a circuit-level gateway or an application-level gateway as required.
As the gateway interfaces on two different networks, the intermediate network is isolated from the internal network and can be used as a DMZ for public servers. Pros and cons:
+ masking: the gateway can mask the internal network;
+ simplicity: implementation is simple;
+ cost: only small additional hardware requirements (e.g. a fast network card);
+ double line of defense: it is not enough to exploit the bug of one of the two devices to enter the internal network.
- management: two systems are required;
- bottleneck: all traffic must pass through the dual-homed gateway;
- flexibility: some types of traffic require control by servers in the internal network (e.g. spam e-mails).
Packet filter and application level gateway inside a firewall: similarities, differences, advantages and disadvantages of both.
Both do header-based packet filtering, but the packet filter works at layer 3, while the application level gateway works at the application layer.
Packet filter: consists of filtering packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
- static: coarse filtering is applied based on layer 3 addresses and layer 4 ports with a blacklist or whitelist system;
- dynamic: stores state information from the transport layer and/or from the application layer; it distinguishes new connections from those already open, thanks to a state table for open connections; packets that correspond to a row of the table are accepted without further checks.
Pros and cons:
+ very scalable
+ good performance (slightly better for the dynamic one, being stateful)
+ low cost
- complex configurations
- unsafe (inaccurate controls)
Application-level gateway: inspects packets at the application level (payload); it is made up internally of a series of proxies, one for each application protocol;
it can play the role of terminator: it interacts directly with the client as if it were the server, and with the server as if it were the client; it can perform the masking or renumbering of IP addresses, which may be necessary if it is acting as a terminator and one of the two parties asks for the authentication of the other; it can also have authentication functions, especially in egress: the gateway asks the client in the internal network to authenticate itself in order to apply the appropriate policies to it. Pros and cons:
+ maximum security: the rules are more granular and simpler than the packet filter, as the controls are based on the application layer;
+ parallelization: multiple CPU cores work in parallel (SMP).
- performance: more thorough checks require more time;
- application dependent: each application protocol requires a specific proxy;
- delay in supporting new applications;
- resource consumption: many proxies mean many processes;
- low performance: the processes work in user mode;
- breakdown of the client-server model: it may not be completely transparent to clients, and often requires a modification of the client application;
- attacks: since the client interacts directly with the gateway, the firewall operating system is exposed to attacks;
- application-level security protocols: the firewall may not be able to correctly interpret the contents of the packets (e.g. SSL: the packet content is encrypted).
What is the circuit gateway and from what does it protect?
It is a non "application-aware" proxy that creates a transport layer circuit between the client and the server without having any understanding of the syntax of the data in transit.
Pros and cons:
+ The servers are isolated from all attacks involving:
* the TCP three-way handshake: the protection is activated at the beginning of the session and lasts for the entire session;
* IP packet fragmentation: the proxy reassembles the packet to fully understand its contents.
- breakdown of the client-server model (for the duration of the session): it may require changes to the applications (e.g. client authentication, which normally occurs at the application level, not at the transport level);
- many limitations of the packet filter remain.
IDS vs IPS: what they are and differences
Intrusion Detection System (IDS) is a system for identifying individuals who use a computer or network without authorization.
Intrusion Prevention System (IPS) is a system that can detect intrusive activity and can also try to stop the activity, ideally before it reaches its objectives.
The difference is that the IDS notifies you if it detects an attack, while the IPS also tries to block it.
Explain what the IPS technique consists of.
Intrusion Prevention System (IPS) is a system that can detect intrusive activity and can also try to stop the activity, ideally before it reaches its objectives.
An IPS consists of:
* IDS: detects an attack in progress (e.g. an excess of ICMP packets);
* distributed dynamic firewall: reacts very quickly (e.g. blocks all ICMP traffic).
What is a firewall?
It is a controlled connection between networks at different security levels, so it is a boundary protection (network filter). The goal is to not let problems propagate and to stop them as soon as possible.
Ingress vs. Egress firewall
Ingress firewall
* it takes care of incoming connections
* typically used to select the (public) services offered
* sometimes as part of an application exchange initiated by my users
Egress firewall
* outgoing connections
* typically to check the activity of my personnel (!)
This classification is easy for channel-based services (e.g. TCP applications), but difficult for message-based stateless services (e.g. ICMP, UDP applications)
Cheswick and Bellovin commandments
The three commandments of firewall
1. the FW must be the only contact point of the internal network (trusted) with the external one (untrusted)
2. only the “authorized” traffic can traverse the FW
3. the FW must be a highly secure system itself
Allowlist and Denylist
Allowlist
* “All that is not explicitly permitted, is forbidden”
* higher security (gatekeeper)
* more difficult to manage
Denylist
* “All that is not explicitly forbidden, is permitted”
* lower security (open gates)
* easier to manage
Basic components of a firewall
- packet filter / screening router / choke: component that filters traffic at network level
- bastion host: it is a secure system with periodic auditing. It is in the first line of defense
- application gateway (proxy): service that works on behalf of an application, with access control
- dual-homed gateway: system with two network cards that are a bridge between two different networks and routing disabled -> can mask the internal network
Firewall technologies list
- Packet filter
- Circuit level gateway
- Application level gateway
Packet filter
It is a firewall technology.
- present on routers
- it performs an inspection at network level checking network header and transport header
Pros and cons
* independent of applications
* good scalability
* these are approximate controls: easy to “fool” (e.g. IP spoofing, fragmented packets)
* good performance
* low cost (available on routers and in many OS)
* difficult to support services with dynamically allocated ports (e.g. FTP)
* complex to configure
* difficult to perform user authentication
Application level gateway
It is a firewall technology.
- it is composed by a set of proxies inspecting the packet payload at application level
- often requires modifications to the client application
- may optionally mask / renumber the internal IP addresses
- when used as part of a firewall, usually performs also peer authentication
- top security!! (e.g. against buffer overflow of the target application)
- each app has its own proxy
- heavy in computational resources because each application has its own process -> low performance but fine-grained control
- it breaks the client-server model -> more protection for the server, client authN possible, not transparent to the client
Proxies can be:
* transparent proxy: it is less intrusive for the client but it needs more work because it has to extract the destination and reroute packets
* strong app proxy: it checks not only packet syntax but semantics too -> only some commands/data are forwarded. This is the only correct configuration for a proxy
There are two types of proxies:
* forward proxy
* reverse proxy
Forward proxy
It is one of the possible kinds of proxies in an application level gateway technology.
A forward proxy is a server placed between the client (internal network) and the real server (external network).
For example, the HTTP forward proxy is an HTTP server acting just as a front-end and then passing requests to the real (external) server. It is an egress control (outgoing connections from the internal network).
It permits:
* network access control list
* shared cache of external pages for all internal users
* authentication + authorization of internal users
* various controls (e.g. allowed sites, transfer direction, data types, …)
Circuit level gateway
This is a firewall technology.
It is a single generic proxy not application aware.
* it creates a transport-level circuit between client and server …
* … but it doesn’t understand or manipulate in any way the payload data
* … it just copies between its two interfaces the TCP segments or UDP datagrams (if they match the access control rules)
* … but, in doing this, it will re-assemble the IP packets and hence it will provide protection against some L3/L4 attacks
* So it breaks the TCP/UDP-level client/server model during the connection -> (1) more protection for the server that is isolated from all attacks related to the TCP handshake and isolated from all attacks related to the IP fragmentation (2) may authenticate the client but this requires modification to the application
This technology still exhibits many limitations of the packet filter.
SOCKS is the most famous example.
Reverse proxy, configurations’ drawings
It is one of the possible kinds of proxies in an application level gateway technology.
A reverse proxy is a server that sits between the internal network and a server or group of servers.
HTTP reverse proxy
It is an HTTP server acting just as a front-end for the real server(s) which the requests are passed to.
It implements:
* network ACL & content inspection
* obfuscation (no info about the real server)
* TLS accelerator (with unprotected back-end connections …): it can be the endpoint of a TLS channel
* load balancer
* web accelerator (= cache for static content)
* compression -> major speed
* spoon feeding (gets from the server a whole dynamic page and feeds it to the client according to its speed, so unloading the application server)
There are two possible configurations for a reverse proxy (draw them!):
* the first configuration is based on a three-legged firewall: this means that the firewall is connected to the external net, to the internal one and to the DMZ. In the DMZ are placed the reverse proxy and the servers for which it is a front-end. It is good because it confines the attacks in the DMZ. A server and a client of the internal network can communicate only by passing through the proxy and the firewall.
* the second configuration also has a three-legged firewall (internal, external, DMZ). Here the proxy is still in the DMZ while the servers are in the internal network. Servers and reverse proxy are connected by one or more VPNs. Even if the servers are in the internal network there is no direct access, because access is performed only through the reverse proxy.
The suggested configuration is the first one because it confines the attack in the DMZ.
WAF (Web Application Firewall)
As web applications become more and more used, they become prime targets for various security threats.
A WAF is a module installed at a proxy (forward and/or reverse) to filter the application traffic.
Filtering is applied to:
* HTTP commands
* header of HTTP request/response
* content of HTTP request/response
ModSecurity is an example of WAF. It is a plugin for Apache and NGINX (50% and 30% of worldwide HTTP servers), typically used with the OWASP ModSecurity Core Rule Set (CRS).
Firewall architectures (list)
- packet filter
- dual-homed gateway
- screened host
- screened subnet
Packet filter architecture and drawing
This architecture exploits the packet filter to screen the traffic both at IP and upper levels.
If implemented with a router then it is a “screening router architecture” and there’s no need for extra dedicated hardware.
There is no need for a proxy and hence no need to modify the applications.
- simple
- cheap
- insecure!
- single point of failure
Dual-homed gateway architecture and drawing
It is called dual-homed because it has two network cards and automatic routing disabled.
It is composed of a packet filter and of a bastion host (usually a gateway), so it is an implementation of the defense in depth security principle.
The bastion host is just a general purpose computer with gateway capabilities.
The traffic goes first to the packet filter and just if it passes its controls the traffic goes to the gateway.
- easy to implement
- small additional hardware requirements
- the internal network can be masqueraded by the gateway even without the NAT
- inflexible because each packet is double checked even if, with the information that the gateway has, the filtering is not improved -> it is a useless check and leads to a large work overhead
Screened host architecture and drawing
This firewall architecture tries to improve the dual-homed gateway one.
This architecture is made of a packet filter and a bastion host.
Here just the packets that need to be double checked go to the bastion host. The packet filter is connected both to the internal network and to the bastion host, so it directs the packets based on its decisions.
This is a double line of defense, but not for every packet, and the packet filter is a single point of failure.
The packet filter is a router that:
* blocks traffic INT > EXT unless from the bastion
* blocks traffic EXT > INT unless goes to the bastion
The bastion host runs a circuit/application gateway to control the authorized services.
This architecture is more expensive and complex to manage (two systems rather than one) but more flexible (control can be skipped for some services/hosts).
Only the hosts/protocols passing through the bastion can be masked (unless the PF uses NAT).