stateful firewalls
play

Stateful Firewalls Hank and Foo Types of firewalls Packet filter - PDF document

Dec 30, 2023 •194 likes •510 views

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

  1. 1 Stateful Firewalls Hank and Foo

  2. Types of firewalls • Packet filter (stateless) • Proxy firewalls • Stateful inspection • Deep packet inspection 2

  3. Packet filter (Access Control Lists) • Treats each packet in isolation • Operates at network layer (layer 3) of the OSI model • Filters based on header information in packet (e.g. src/dst IP address, port) • Advantage is speed, application independence, scalability • Easy to trick – spoofing, fragmenting, etc 3

  4. Proxy firewalls • Client doesn’t actually communicate directly with server • Proxy receives request from client and makes a request to server and returns information to client • It can filter the request from client and filter information returned to client • Considered application layer filter • Slower than packet filter, but more secure • Another disadvantage: application specific 4

  5. Stateful inspection • Deals with the state of connections • State here is vaguely defined as “the condition of the connection”, which varies greatly depending on application/protocol used • Stores the states of legitimate connections in a state table (state information usually stored as hash to make matching faster) • Filters packets by matching to valid states in the state table • Usually takes more time during setup of a new connection (application layer inspection performed usually only at setup), compared to after 5

  6. Possible state information • Src/dst IP address, ports • Protocol, flags, sequence, acknowledge numbers • ICMP code and type numbers • Secondary connection information communicated in application layer headers • Application layer specific command sequences (GET, PUT, OPTIONS, etc) 6

  7. How it works • Spends most of the time examining packet information in transport layer (layer 4) and lower • Can examine application layer information (layer 7), usually during new connection setup • If new packet is permitted based on firewall rules/security policy, a new entry is added in the state table • After new connection is setup, because later packets match an entry in the state table, there is no need for application layer inspection 7

  8. Advantages • More secure than basic packet filtering • Faster than proxy firewalls • Performs application layer filtering to a certain degree (e.g. FTP session) • E.g. iptables classifies each packet as either NEW, ESTABLISHED, RELATED, INVALID • For FTP protocol, a control connection is first established • When data is transferred, separate connection is established, and iptables will knowingly classify the first packet as RELATED instead of NEW 8

  9. Disadvantages • Possibly less secure than proxy firewalls (does not perform true content filtering) 1. Abbreviated application-level inspection (e.g. application-level inspection of initializing packet only allows for malicious application-level behavior in subsequent packets) 2. Lack full application support (e.g. monitors FTP session for port command, but lets other non-FTP traffic pass through FTP port) • Slower than basic packet filtering • Vulnerable to new attacks (e.g. SYN flood – overflows state table so no new connection can be made) 9

  10. TCP Connection-oriented protocol 1. Beginning/end of a session is well defined 2. State of connections tracked with flags Therefore considered a stateful protocol The connection can be in 1 of 11 states, as defined in RFC 793 10

  11. Establishing TCP connection 11 Obtained from Inside Network Perimeter Security: Stateful Firewalls

  12. Tearing down TCP connection 12 Obtained from Inside Network Perimeter Security: Stateful Firewalls

  13. 13 Obtained from Inside Network Perimeter Security: Stateful Firewalls

  14. UDP • Connectionless transport protocol have no defined state • Pseudo-stateful tracking • UDP has no sequence numbers or flags • So IP addresses and port numbers used • Ephemeral ports are somewhat random, differ for different connections from same IP • No set method for connection teardown, so timeout value used to remove entries in state table 14

  15. UDP • Cannot correct communication issues by itself, relies entirely on ICMP for error handling • Therefore ICMP also important when tracking UDP states • E.g. Host 2 may send a ICMP source quench message to host 1 to slow down transmission, firewall must know that this ICMP message is related to the UDP session 15

  16. ICMP • Like UDP, not stateful protocol • ICMP sometimes used in a request/reply format (e.g. ping echo request, echo reply) • This can be tracked • For one-way ICMP messages (like error messages) that are precipitated by messages from other protocols, it is more difficult 16

  17. HTTP • HTTP uses TCP in a simple manner, easy to track the state • Can also do track application-level commands like GET 17

  18. FTP • Uses the TCP protocol in a nonstandard way • Stateful firewall with no knowledge of FTP will not pass FTP traffic • Because control and data connections are separate TCP sessions 18

  19. FTP The port number used by the server initializing the data channel is actually sent to it in an FTP port command from the client, which is why application- level inspection is needed here 19 Obtained from Inside Network Perimeter Security: Stateful Firewalls

  20. Examples of stateful firewalls • Check Point Firewall-1 – Check Point Software Technologies Ltd (they coined the term stateful inspection and patented it) • Cisco PIX – Cisco Systems Inc • iptables (and netfilter) – Included in all modern linux distributions Stateful inspection is implemented differently by different vendors 20

  21. iptables • Admins create rules specifying what protocols or specific traffic types should be tracked • Basic state table entry contains – The protocol being used for the connection – The source and destination IP addresses – The source and destination ports – A listing with source and destination IP addresses and ports reversed (to represent response traffic) – The time remaining before the rule is removed – The TCP state of the connection (for TCP only) – The connection-tracking state of the connection 21

  22. Sample state table entry • tcp 6 93 SYN_SENT src=192.168.1.34 dst=172.16.2.23 sport=1054 dport=21 [UNREPLIED] src=172.16.2.23 dst=192.168.1.34 sport=21 dport=1054 use=1 • [protocol name] [protocol number] [timeout] [state] [src ip] [dst ip] [src port] [dst port (initial connection tagged UNREPLIED)] [return src ip] [return dst ip] • tcp 6 41294 ESTABLISHED src=192.168.1.34 dst=172.16.2.23 sport=1054 dport=21 src=172.16.2.23 dst=192.168.1.34 sport=21 dport=1054 [ASSURED] use=1 • After connection established, timeout increased greatly 22

  23. Basic rules • iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT – -A: append to existing rules – OUTPUT: for output traffic – -p tcp: for tcp protocol – -m state: use state module – -j ACCEPT: parameter to accept such traffic • All NEW and ESTABLISHED traffic allowed out, which means no outbound traffic disallowed by this rule 23

  24. Basic rules • iptables –A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT • Only return traffic allowed into network • For UDP, just change previous rules to ‘–p udp’ • Same for ICMP (-p icmp), but also add RELATED • New modules can be added when new protocols used 24

  25. Deep packet inspection • Basically stateful inspection but with visibility into the application layer • Not just keeps track of connection information, but looks at the data too (i.e. content filtering) • Simply a stateful firewall with limited IDS capabilities built in (NOTHING NOVEL) 25

  26. Firewall clustering for scalability Two general ways to use multiple firewalls 1. Single shared state table, possibly with a dedicated and fast communication channel between firewalls 2. Guarantee packets from the same connection reach the same firewall (using load balancers) 26

  27. References • http://dmiessler.com/study/firewalls • http://www.wikipedia.org • http://www.quepublishing.com/articles/artic le.asp?p=373431&seqNum=1 Sample chapter from book Inside Network Perimeter Security: Stateful Firewalls 27

  28. Packet filtering/classification Given packet P with k fields, and N rules, find rules that P matches to. Many different ways to do this, one way is through bit vectors. Presented here is Aggregated Bit Vector Scheme, which builds on the Lucent Bit Vector Scheme which is Nk/w memory accesses, where w is the size of a word in memory 28

  29. 29

  30. References • Baboescu and Varghese, “Aggregated Bit Vector Search Algorithms for Packet Filter Lookups”, http://citeseer.ist.psu.edu/cache/papers/cs/ 27575/http:zSzzSzwww- cse.ucsd.eduzSz~baboescuzSzresearchz Szlookup.pdf/aggregated-bit-vector- search.pdf 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso,

Multiprimary support for the availability of cluster-based stateful firewalls Pablo Neira Ayuso, Rafael M. Gasca, Laurent Lefevre <pneira@us.es>, <gasca@us.es>, <lefevre@inria.fr> Quivir Research Group, University of Sevilla,

1.07k views • 17 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the following network. Note that these are stateful , bidirectional firewalls . The only flags you need to worry about are SYN and SYN-ACK. The following

415 views • 3 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Illinois & Chicago Fire Fighters The Fight for Funding Presented by: Richard Martin, AFFI

Illinois & Chicago Fire Fighters The Fight for Funding Presented by: Richard Martin, AFFI

Illinois & Chicago Fire Fighters The Fight for Funding Presented by: Richard Martin, AFFI Southern District Legislative Representative Eddy Crews, AFFI Northern District Legislative Representative Dan Fabrizio, Director of Political Action,

566 views • 20 slides
Retirement Planning Presented by the State of Delaware Office of Pensions Current Statistics (as

Retirement Planning Presented by the State of Delaware Office of Pensions Current Statistics (as

Delaware Public Employees Retirement System County & Municipal Police/Firefighters Pension Plan Retirement Planning Presented by the State of Delaware Office of Pensions Current Statistics (as of 6/30/16) 30,072 Retirees from all nine

558 views • 31 slides
Overview Fire Ser Fi ervices es To enhance the quality of living in our community by

Overview Fire Ser Fi ervices es To enhance the quality of living in our community by

Protec ective S e Ser ervices es Overview Fire Ser Fi ervices es To enhance the quality of living in our community by preventing or minimizing injury and loss of life or property from fire or other emergencies that may occur within the

435 views • 11 slides
F I R E L O G I S T I C S A N D M AT H E D U C AT I O N A Rumpke Public Outreach Program

F I R E L O G I S T I C S A N D M AT H E D U C AT I O N A Rumpke Public Outreach Program

F I R E L O G I S T I C S A N D M AT H E D U C AT I O N A Rumpke Public Outreach Program Welcome Welcome & & I ntroductions I ntroductions I dentify emergency exits I dentify emergency exits to all participants. to all

620 views • 50 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Transforming Security Policy Management April 11, 2019 1 Disclaimer This presentation contains

Transforming Security Policy Management April 11, 2019 1 Disclaimer This presentation contains

Transforming Security Policy Management April 11, 2019 1 Disclaimer This presentation contains forward-looking statements. All statements other than statements of historical fact contained in this presentation are forward-looking statements. In

324 views • 28 slides
CSI F IREWALL S HIELD Complete protection for your VSE systems Only for TCP/IP FOR VSE from

CSI F IREWALL S HIELD Complete protection for your VSE systems Only for TCP/IP FOR VSE from

CSI F IREWALL S HIELD Complete protection for your VSE systems Only for TCP/IP FOR VSE from CSI International S Ken McMahon, Director Worldwide Sales Don Stoever, z/VSE Product Developer, CSI F IREWALL S HIELD October 15, 2014 New

332 views • 11 slides
Tailored 685 Third Avenue Technologies LLC New York, NY 10017 Tel: (212) 503-6300 Date:

Tailored 685 Third Avenue Technologies LLC New York, NY 10017 Tel: (212) 503-6300 Date:

Tailored 685 Third Avenue Technologies LLC New York, NY 10017 Tel: (212) 503-6300 Date: December 18, 2018 To: The File of the Hugh L. Carey Battery Park City Authority From: Tailored Technologies, LLC Technology Observations and

291 views • 6 slides

More recommend