Firewalls
From Sysadmin
Contents |
Introduction
This document principally deals with the theory and practice of stateful firewalls. Background information is provide context for the use of stateful firewalls on the modern Internet.
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.
Examples within this document use the Netfilter systems available in the Linux operating system.
History
The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.
Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s:<ref name="report_unm">A History and Survey of Network Firewalls Kenneth Ingham and Stephanie Forrest</ref>
- Clifford Stoll's discovery of German spies tampering with his system<ref name="report_unm" />
- Bill Cheswick's "Evening with Berferd" 1992 in which he set up a simple electronic to observe an attacker<ref name="report_unm" />
- In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his colleagues <ref>[1] Firewalls by Dr.Talal Alkharobi</ref> that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames."
- The Morris Worm spread itself through multiple vulnerabilities in the machines of the time. Although it was not malicious in intent, the Morris Worm was the first large scale attack on Internet security; the online community was neither expecting an attack nor prepared to deal with one.<ref>RFC 1135 The Helminthiasis of the Internet</ref>
First Generation: Stateless Packet Filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what became a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steven M. Bellovin|Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based on their original first generation architecture.<ref>http://www.internetfirewall.org/article/internet-firewall-basics/the-history-of-firewalls.html The History of Firewalls</ref>
Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).<ref>http://www.wanredundancy.org/resources/firewall/network-layer-firewall Network Layer Firewall</ref>
TCP and UDP protocols constitute most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.<ref>http://www.skullbox.net/tcpudp.php TCP vs. UDP By Erik Rodriguez</ref>
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.<ref>William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin (2003). "Google Books Link". Firewalls and Internet security: repelling the wily hacker</ref> When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to block telnet access, then the firewall will block the IP protocol for port number 23. <ref>Aug 29, 2003 Virus may elude computer defenses by Charles Duhigg, Washington Post</ref>
Second Generation: Application Layer
The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being abused in any harmful way.
An application firewall is much more secure and reliable compared to packet filter firewalls because it works on all seven layers of the OSI model, from the application down to the physical Layer. This is similar to a packet filter firewall but here we can also filter information on the basis of content. Good examples of application firewalls are MS-ISA (Internet Security and Acceleration) server, McAfee Firewall Enterprise & Palo Alto PS Series firewalls. An application firewall can filter higher-layer protocols such as FTP, Telnet, DNS, DHCP, HTTP, TCP, UDP and TFTP (GSS). For example, if an organization wants to block all the information related to "foo" then content filtering can be enabled on the firewall to block that particular word. Software-based firewalls (MS-ISA) are much slower than hardware based stateful firewalls but dedicated appliances (McAfee & Palo Alto) provide much higher performance levels for Application Inspection.
In 2009/2010 the focus of the most comprehensive firewall security vendors turned to expanding the list of applications such firewalls are aware of now covering hundreds and in some cases thousands of applications which can be identified automatically. Many of these applications can not only be blocked or allowed but manipulated by the more advanced firewall products to allow only certain functionality enabling network security administrations to give users functionality without enabling unnecessary vulnerabilities. As a consequence these advanced version of the "Second Generation" firewalls are being referred to as "Next Generation" and surpass the "Third Generation" firewall. It is expected that due to the nature of malicious communications this trend will have to continue to enable organizations to be truly secure.
Third generation: "stateful" filters
From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam, developed the third generation of firewalls, calling them circuit level firewalls.
Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.
This type of firewall can actually be exploited by certain Denial-of-service attacks which can fill the connection tables with illegitimate connections.
Subsequent developments
In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colors and icons, which could be easily implemented and accessed on a computer operating system such as Microsoft Windows or Apple's Mac OS. In 1994 an Israeli company called Check Point|Check Point Software Technologies built this into readily available software known as FireWall-1.
The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).
Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.
Another axis of development is about integrating identity of users into Firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around. The NuFW firewall provides real identity-based firewalling, by requesting the user's signature for each connection. authpf on BSD systems loads firewall rules dynamically per user, after authentication via SSH.
Types
There are different types of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced. <ref>Firewall http://www.tech-faq.com/firewall.html</ref>
Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.
Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).
Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
Application firewalls function by determining whether a process should accept any given connection. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into socket calls are also referred to as socket filters. Application firewalls work much like a packet filter but application filters apply filtering rules (allow/block) on a per process basis instead of filtering connections on a per port basis. Generally, prompts are used to define rules for processes that have not yet received a connection. It is rare to find application firewalls not combined or used in conjunction with a packet filter.<ref>http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2</ref>
Also, application firewalls further filter connections by examining the process ID of data packets against a ruleset for the local process involved in the data transmission. The extent of the filtering that occurs is defined by the provided ruleset. Given the variety of software that exists, application firewalls only have more complex rulesets for the standard services, such as sharing services. These per process rulesets have limited efficacy in filtering every possible association that may occur with other processes. Also, these per process ruleset cannot defend against modification of the process via exploitation, such as memory corruption exploits. Because of these limitations, application firewalls are beginning to be supplanted by a new generation of application firewalls that rely on mandatory access control (MAC), also referred to as sandboxing, to protect vulnerable services. An example of a next generation application firewall is AppArmor included in some Linux distributions.<ref>http://www.symantec.com/connect/articles/software-firewalls-made-straw-part-1-2</ref>
Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.
Many-to-One Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have IPv4 addresses in the "private address ranges" defined in RFC 1918. NAT comes in many varieties (such as One-to-One and Many-to-One) and within each of these broad types there are variations between implementations. When dscussed without further qualification NAT normally refers to One-to-One NAT and that is the usage adopted here.
Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals as well as reduce both the amount and therefore cost of obtaining enough public addresses for every computer in an organization. Since that time the use of NAT has come to be perceived by many as a security feature but in reality any security achieved through this is as a result of unreachability, which is achievable without the use of NAT. The perceied security goes along with but is not a result of the use of NAT.
One-to-One Network Address Translation
Network Firewalls
For Workstations
For Servers
- Sits in front of the server
Host Firewalls
- Sit on the server
- Provide defence-in-depth
- Less likely to experience firewall resource exhaustion before service exhaustion
Access
ICMP
Contrary to popular belief failure to allow certain types of Internet Control Message Protocol (ICMP) traffic through a firewall will impede the correct functioning of hosts on the Internet.
Minimum Set
The minimum set of ICMP types that should be allowed through a firewall is:
| ICMP Type | Description |
|---|---|
| 3 | Destination Unreachable |
| 4 | Source Quench |
| 11 | Time Exceeded |
Ping
The ping command, originally authored by Mike Muuss in December 1983, is a standard utility included in all mainstream operation systems. It is used to perform basic network diagnostics. It is important to understand the limitations of the ping utility in confirming connectivity.
A successful ping response will generally mean that the host being pinged is available on the Internet, however it is important to understand that another host along the path (such as a router or firewall) could respond without the target host ever knowing. Similarly, a successful ping does not in any way imply that a particular TCP or UDP connection can be made to the host.
An unsuccessful ping often means that ICMP echo replies are blocked at a firewall or router in front of the host or that the host is configured not to respond with them.
Ping uses the following ICMP types to send requests and replies:
| ICMP Type | Description |
|---|---|
| 0 | Echo Reply |
| 8 | Echo Request |
A strict interpretation of RFC 1122 section 3.2.2.6 would indicate that all hosts on the Internet should respond to pings to unicast addresses:
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.
As operational system and network administrators are well aware there is some difference between how the Internet is stated to work on paper and how it works in practice. Despite the requirement stated above it is common for ICMP echo reply to be ignored by hosts.
UDP
TCP
Transparent Firewalls
Defence in Depth
Perimeter Security
Deep Packet Inspection
Sample Firewalls
The Future
It is the opinion of the author that today's stateful firewalls will have less and less relevance to the threats of the future. As CPU performance continues to improve (partly as a result of increasing numbers of cores) deep packet inspection of all data passing through a network will become a realistic option.
Conclusion
While it is generally desirable to place a network firewall in front of client systems such as workstations, this is generally undesirable for servers. In contrast host firewalls can be safely placed on servers to provide some defence-in-depth.
