Firewall - An Important Componentin Computer Systems Security
1.Introduction
Firewalls are an important component in securing not only networks, but also individual computers. Furthermore, with the widespread events of computer intrusions, firewalls have received even more attention not only from system and network administrators, but also from home-users. Although many companies offer free and fully functional personal software firewalls, and have tried to make them as user-friendly as possible, using and configuring a software firewall to secure a system is not as instinctive as it seems. Thus, this paper attempts to explain how a firewall works, and the common pitfalls in using one.
2.What is a Firewall
A firewall is a hardware, software, or a combination of both, that isolates an organization’s internal network from the Internet, filtering information, allowing some packets to pass and blocking others. It allows a network administrator to control access between the outside world and resources within the network, by managing the traffic flow to and from these resources.
Traditionally, firewalls used to protect internal networks from the outside world. However, such a set up (as seen from the above picture) does not protect a computer from an intruder within the network itself! To get around this problem, one can add another layer of security by installing a personal software firewallon each and every individual computer within the network.
3.Why Use a Firewall
A Firewall can:
a.prevent denial of service attacks (e.g. SYN flooding):
In a SYN flooding attack, an attacker attempts to establish many bogus TCP connections with the target. The target computer will be busy returning ACK messages for each connection to the source, leaving no resources left for other valid connections. This situation is aggravated when the source IP address is spoofed or invalid, and the target system is left waiting for return messages from the “source” of the TCPconnections. However, with a firewall, bogus connections can be detected and filtered out.
b.prevent unauthorized access to internal network:
By maintaining a list of trusted or blocked IP addresses, a firewall can filter out unauthorized connections, and allow only authorized computers to connect to thecomputers in the internal network.
- Block Trojans / Application backdoors:
Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor or hidden access that provides some level of control of the program. A firewall may protect a system by preventing unauthorized access.
d.Plug Operating system bugs:
Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of. For instance, the recent Sasser worm took advantage of a loophole in the Microsoft Windows operating system to propagate, causing hundreds of thousands of computers to shut down in matter of hours. However, even a simple firewall (which unfortunately many end-users failed to implement), can prevent that, as it blocks the TCP ports (445, 9996, 5554) by default.
e.Stealth the ports of a computer:
The ports of a computer can essentially be classified under “open, close, or stealth”. When a port is open on a system, internet packets requesting a connection with the machine are being accepted and connections are being created. Open ports are the result of something in the system or network deliberately preparing to accept unsolicited incoming connections from unknown and anonymous machines on the Internet. Due to the inherent difficulty of writing completely secure programming code, a high percentage of open ports are "exploitable" by malicious Internet hackers. Open ports may also be the result of default Operating system configuration, running unnecessary services.
With closed ports, anyone doing a port-scan on the machine’s IP address will detect that machine, but "closed" ports will quickly refuse connection attempts. Since it's much faster for a scanner to re-scan a machine that's known to exist, the presence of that machine might be logged for further scrutiny at a later time. For example, when a new operating system vulnerability is discovered, and before the potential for exploitation has been repaired.
Unfortunately, many hackers detect an available target by scan the ports of a random IP address. By putting the computer in a “stealth mode”, the computer does not respond to port scans and will seem “invisible” to the internet. A "Stealth" port completely ignores and simply drops any incoming packets without telling the sender whether the port is "open" or "closed". When all of the system's ports are stealth, the system will be completely invisible to random port scans, leading any attacker to believe that the machine is turned off, disconnected, or does not exist.
4.Hardware vs. Software Firewalls
Hardware Firewall / Software Firewall- Expensive. Prices increases exponentially with each additional feature. / - Basic firewalls available for free. Even those with extra features are relatively cheap.
- Good performance (speed). / - Dependent on CPU power and can slow down network due to overhead.
- Extremely secure and reliable / - Runs on top of OS. Vulnerabilities in OS may compromise the firewall.
5.How Firewalls Work
There are basically 2 types of firewalls: packet filtering, and application-level. However, modern firewalls (especially software-based) are typically hybrid and use a combination of the following techniques. Some even offer additional features that overlap other products, like Intrusion Detection Systems (IDS), cookies control, and spam and web-content filtering, that are not within the scope of this paper.
- Network Address Translation (NAT), Packet Filtering
The basic purpose of NAT is to multiplex traffic from the internal network and present it to the Internet as if it was coming from a single computer having only one IP address. This allows home users and small businesses to share a single internet connection. This technology is most commonly implemented in routers, which thus naturally provide a natural firewall that will protect the computers behind it from access by unauthorized users.
In this example, the 3 computers in the local network have different internal IP addresses. However, all the datagrams leaving the local network have the same source NAT IP address 138.76.29.7 and the outside world can only see that IP address, thus protecting the rest of the network.
The TCP/IP protocols include a multiplexing facility so that any computer can maintain multiple simultaneous connections with a remote computer. To multiplex several connections to a single destination, client computers label all packets with unique "port numbers". Each IP packet starts with a header containing the source and destination addresses and port numbers:
An IP Packet:
Source address / Source port / Destination address / Destination portThis combination of numbers completely defines a single TCP/IP connection. The addresses specify the two machines at each end, and the two port numbers ensure that each connection between this pair of machines can be uniquely identified. Each separate connection is originated from a unique source port number in the client, and all reply packets from the remote server for this connection contain the same number as their destination port, so that the client can relate them back to its correct connection. In this way, for example, it is possible for a web browser to ask a web server for several images at once and to know how to put all the parts of all the responses back together.
A NAT gateway (e.g. router) must change the source address on every outgoing packet to be its single public address. It therefore also re-numbers the Source Ports to be unique, so that it can keep track of each client connection. The NAT gateway uses a port mapping table to remember how it renumbered the ports for each client's outgoing packets. The port mapping table relates the client's real local IP address and source port plus its translated source port number to a destination address and port. The NAT gateway can therefore reverse the process for returning packets and route them back to the correct clients. When any remote server responds to an NAT client, incoming packets arriving at the NAT gateway will all have the same Destination address, but the destinationPort number will be the unique SourcePort number that was assigned by the NAT. The NAT gateway looks in its port mapping table to determine which "real" client address and port number a packet is destined for, and replaces these numbers before passing the packet on to the local client. When an incoming packet is received on the NAT port, and the destination port number is not found in the port mapping table, the packet is deemed invalid, and rejected. This way, bogus packets will not be received by any of the computers in the internal network.
Thus, the router / NAT gateway filters packet-by-packet, and forward/drop a packet based on:
-source IP address, destination IP address
-TCP/UDP source and destination port numbers
-ICMP message type
-TCP SYN and ACK bits
This is also known as Packet Filtering, whereby packets are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
Advantages:
-security is naturally provided by a router
-Because the port mapping table relates source and destination addresses and port numbers, it is possible to validate any or all of this information before passing incoming packets back to the client. This checking helps to provide effective firewall protection against Internet-launched attacks on the private LAN.
-Slower network performance due to overhead in translating destination addresses and port numbers in the port mapping table.
Disadvantages:
-NAT only allows connections that are originated on the inside network. For instance, an internal client can connect to an outside FTP server, but an outside client will not be able to connect to an internal FTP server because it would have to originate the connection, andNAT will block that connection. This can be worked around by configuring the NAT gateway to open a port or do a port-forwarding. However, this would mean that part of the internal network will be exposed to the internet, and poses both inconvenience and a security risk on networks that run server programs.
-Does not provide outbound connection protection (connections originating from inside the network)! While NAT provides protection from inbound connections (connections originating from outside a network), it does not prevent a malicious program (e.g. Trojan horse) inside the internal network from connecting and sending confidential data to the outside world.
b.Stateful Packet Inspection (SPI)
As explained previously, all NAT firewalls already perform a simple form of "stateful inspection" of the packets that flow through them, by analyzing the various components of an IP packet. However, SPI-based routers implement some form of advanced "stateful inspection" in their firewalls, and can provide additional protection such as:
-blocking Java, ActiveX, and Cookie portions of downloaded web pages
-blocking access to WAN Proxy servers
-blocking "IP Spoofing" attacks
-blocking malformed IP packet attacks such as "Ping of Death", and variants such as "Teardrop", "Bonk", and "Nestea"
-blocking SYN flood and LAND attacks
Stateful inspection does not examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, and incoming information is then compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
One example where stateful inspection comes useful is the FTP service. FTP is a TCP based service exclusively, with no UDP component to it. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. However, depending on the mode (active or passive), the data port is not always on port 20 and this can cause a problem not only for someone, who is behind a NAT firewall,trying to connect to an FTP server, butalso for one running the server behind a NAT firewall.
Active-mode FTP:
-In an active mode FTP, the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
-From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
-In step 1, the client initiates a connection. Its command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3, the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.
-The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server. It simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall’s point of view, this appears to be an outside system initiating a connection to an internal client, and is something that is usually blocked by the client side NAT. Of course, a user on the client side can overcome this by configuring his NAT firewall to open all port numbers that is 1024 and above (as the listening port is random). However, that will leave his system open and defeat the purpose of the firewall. The server side faces no problem as its firewall only needs to open up port 20 and 21.
Passive-Mode FTP:
-In order to resolve the issue of the server initiating the connection to the client, a different method for FTP connections was developed. This was known as passive mode, or PASV, the command used by the client to tell the server it is in passive mode.
-In passive mode FTP, the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
-From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
-In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3, the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.
-While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. The server-side NAT firewall does not only need to open up port 21, but also ports from 1024 to 65535, posing a huge security risk! Although many modern FTP daemons allow the administrator to specify a range of ports which the FTP server will use, do so restricts the number of connections the FTP server is allowed to handle.
Where Stateful Packet Inspection Comes in:
-From the above scenario, we can see the inflexibility of NAT firewalls, causing inconvenience and restriction of communications on both the client and server side. Such scenario is where stateful packet inspection turns useful!
-In passive-mode FTP, a server-side firewall with SPI features only needs to open port 21. As in the above example, when a client connects to the server at port 21, the server replies with PORT 2024, telling the client which port it is listening to for the data connection. However, this time, connections from the client to port 2024 of the server will not be blocked. Stateful packet inspection will be able to determine that port 2024 is opened due to FTP activity, initiating from port 21. By “inspecting” the packets, it automatically allows inbound connections to port 2024 temporarily, and will resume the state of blocking it when the TCP session is terminated.