Defining a Firewall
Why Have Different Types of Firewalls?
Ensuring a physically secure network environment is the first step in controlling access to your network’s data and system files; however, it is only part of a good security plan. This is truer today than in the past, because there are more ways into a network than there used to be. A medium- or large-sized network can have:
- multiple Internet Service Providers (ISPs)
- virtual private network (VPN) servers and various remote access avenues for mobile employees, including
- Remote Desktop
- browser-based file sharing and e-mail access
- mobile phones and Personal Digital Assistants (PDAs)
Two rules apply regardless of how many of these paths exist: someone with physical access to your servers has complete control over your data, and someone with physical access to your authentication servers owns everything.
One of the most important and overlooked aspects of a comprehensive network security plan is physical access control. This matter is usually left up to facilities managers and plant security departments, or outsourced to security guard companies.
Some network administrators concern themselves with sophisticated software and hardware solutions to prevent intruders from accessing internal computers remotely, while at the same time not protecting the servers, routers, cable, and other physical components from direct access.
Physically breaking into a server room and stealing a hard disk where sensitive data resides is a crude method of breaching security; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help “on the inside.” It is important for you to make physical access control the outer perimeter of your security plan, which means:
- Controlling physical access to the servers
- Controlling physical access to networked workstations
- Controlling physical access to network devices
- Controlling physical access to the cable
- Being aware of security considerations with wireless media
- Being aware of security considerations related to portable computers
- Recognizing the security risk of allowing data to be printed
- Recognizing the security risks involving floppy disks, CDs, tapes, and other removable media
Attacks can be divided into three main categories:
- Reconnaissance Attacks Hackers attempt to discover systems and gather information. In most cases, these attacks are used to gather information to set up an access or a Denial of Service (DoS) attack. A typical reconnaissance attack might consist of:
  - pinging Internet Protocol (IP) addresses to discover which hosts are alive on a network,
  - port-scanning those hosts to see which applications are listening, and
  - trying to determine the operating system (OS) and version of a target machine from the way it responds.
- Access Attacks An access attack is one in which an intruder attempts to gain unauthorized access to a system to retrieve information. Sometimes the attacker has to gain access to a system by:
  - cracking passwords, or
  - using an exploit.
  At other times, the attacker already has access to the system, but needs to escalate his or her privileges.
- DoS Attacks Hackers use DoS attacks to disable or corrupt access to networks, systems, or services. The intent is to deny authorized or valid users access to these resources. DoS attacks typically involve running a script or a tool, and the attacker does not require access to the target system, only a network path to reach it. In a Distributed DoS (DDoS) attack, the source consists of many computers that are usually spread across a large geographic area.
Recognizing Network Security Threats
In order to effectively protect your network, you must consider the following question: from whom or what are you protecting it? In this section, we approach the answer to that question from three perspectives:
- Who are the people that break into networks?
- Why do they do what they do?
- What are the types of network attacks and how do they work?
Understanding Intruder Motivations
There are probably as many different specific motives as there are hackers, but the most common intruder motivations can be broken down into a few broad categories:
- Recreation Those who hack into networks “just for fun” or to prove their technical prowess; often young people or “antiestablishment” types. Teen hackers who hack primarily for the thrill of accomplishment often do little or no permanent damage, perhaps only leaving “I was here” messages to “stake their claims” and prove to their peers that they were able to penetrate your network’s security. There are also more malevolent versions of the fun-seeking hacker. These cybervandals get their kicks out of destroying as much of your data as possible or causing your systems to crash.
- Remuneration People who invade the network for personal gain, such as those who attempt to transfer funds to their own bank accounts or erase records of their debts, and “hackers for hire” who are paid by others to break into the network. Corporate espionage is also included in this category. Hackers who break into your network for remuneration of some kind, either directly or indirectly, are more dangerous. Because money is at stake, they are more motivated than other hackers to accomplish their objective. Unfortunately, the number of these hackers is increasing dramatically, especially with the profitability of identity theft. Furthermore, because many of them are “professionals,” their hacking techniques could be more sophisticated than those of the average teenage recreational hacker. Monetary motivations include:
■ Personal financial gain
■ Corporate espionage
■ Third-party payment for the information obtained
Those motivated by the last goal are almost always the most sophisticated and the most dangerous. Money is often involved in the theft of identity information. Identity thieves can be employees who have been approached by any number of malicious organizations and offered money or merchandise, or even threatened with blackmail or physical harm.
Kaspersky Labs reports on extortion scams using malware: Users quickly understand that something has happened to their data. They are then told that they should send a specific sum to an e-payment account maintained by the remote malicious user, whether it be e-gold, WebMoney or some other e-payment account. The ransom demanded varies significantly depending on the amount of money available to the victim. We know of cases where the malicious users have demanded $50, and of cases where they have demanded more than $2,000. The first such blackmail case was in 1989, and now this method is again gaining in popularity.
In some instances, hackers go “undercover” and seek a job with a company in order to steal data that they can give to their own organizations. To add insult to injury, these “stealth spies” are then paid by your company at the same time they’re working against you. There are also “professional” freelance corporate spies who can be contracted to obtain company secrets, or who might do it on their own and auction the data off to competitors. These corporate espionage agents are often highly skilled. They are technically savvy and intelligent enough to avoid being caught or detected. Fields that are especially vulnerable to the threat of corporate espionage include:
■ Oil and energy
■ Computer technology
■ Research medicine
Any company on the verge of a breakthrough that could result in large monetary rewards or worldwide recognition should be aware of the possibility of espionage and take steps to guard against it.
Phishing, the newer information-gathering technique, is spreading and becoming more sophisticated. Phishing e-mails either ask the victim to fill out a form or direct them to a Web page designed to look like a legitimate banking site. The victim is asked for personal information such as credit card numbers, a social security number, or other data that can then be used for identity theft. There has been at least one insidious phishing scheme that used a Secure Sockets Layer (SSL) certificate, so that the data you give to the hacker is safely encrypted on the network and the browser shows its padlock; a valid certificate proves only that you are talking to the site named in it, not that the site is the one you meant.
Social engineering, also known as people hacking, is a means of obtaining security information from people by tricking them. The classic example is calling up a user and pretending to be a system administrator: the hacker asks the user for his or her password in order to perform some important maintenance task. To avoid being hacked via social engineering, educate your user community that they should always confirm the identity of any person calling them, and that passwords should never be given to anyone over e-mail, instant messaging, or the telephone. It is beyond the scope of this article to address social engineering and ways to educate employees against it; however, the SysAdmin, Audit, Network, Security (SANS) Institute has both full courses and step-by-step guides to help with this process.
- Revenge Dissatisfied customers, disgruntled former employees, angry competitors, or people who have a personal grudge against someone in the organization. Vengeance seeking is usually based on strong emotions, which means that these hackers could go all-out in their efforts to sabotage your network.
Examples of hackers or security saboteurs acting out of revenge include:
■ Former employees who are bitter about being fired or laid off, or who quit their jobs under unpleasant circumstances.
■ Current employees who feel mistreated by the company, especially those who are planning to leave soon.
■ Current employees who aim to sabotage the work of other employees due to internal political battles, rivalry over promotions, and the like.
■ Outsiders who have grudges against the company, such as dissatisfied customers or employees of competing companies who want to harm or embarrass the company.
■ Outsiders who have personal grudges against someone who works for the company, such as employees’ former girlfriends or boyfriends, spouses going through a divorce, and other relationship-related problems.
Luckily, the intruders in this category are generally less technically talented than those in the other two groups, and their emotional involvement could cause them to be careless and take outrageous chances, which makes them easier to catch.
The three categories of hacker can overlap in some cases. A recreational hacker who perceives himself as having been mistreated by an employer or in a personal relationship could use his otherwise benign hacking skills to impose “justice,” or a vengeful ex-employee or ex-spouse might pay someone else to do the hacking.
It is beneficial to understand the common motivations of network intruders because, although we might not be able to predict which type of hacker will decide to attack our networks, we can recognize how each operates and take steps to protect our networks from all of them. Even more important than the type of hacker in planning our security strategy, is the type of attack. In the next section, we examine specific types of network attacks and ways in which you can protect against them.
Back to Basics—Transmission Control Protocol/Internet Protocol
A basic understanding of TCP/IP will make your firewall deployment much easier. TCP/IP is based on the idea that data is sent in packets, similar to putting a letter in an envelope. Each packet contains a header that carries routing information concerning where the packet came from and where it is going (similar to the address and return address on an envelope), and the data itself (the letter contained in the envelope). The fields of the IPv4 header are:
■ Version Indicates the version of IP currently used(IPv4 or IPv6).
■ IP Header Length (IHL) Indicates the datagram header length in 32-bit words.
■ Type of Service Specifies how an upper-layer protocol wants a current datagram to be handled, and assigns various levels of importance to datagrams.
■ Total Length Specifies the length, in bytes, of the entire IP packet, including the data and header.
■ Identification Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.
■ Flags Consists of a 3-bit field, of which the two low-order (least significant) bits control fragmentation. The middle bit (Don’t Fragment, DF) specifies whether the packet may be fragmented at all. The low-order bit (More Fragments, MF) is set on every fragment except the last one in a series. The high-order bit is reserved and must be zero.
■ Fragment Offset Indicates the position of the fragment’s data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.
■ Time-to-live Maintains a counter that each router decrements by one; when it reaches zero, the datagram is discarded. This keeps packets from looping endlessly.
■ Protocol Indicates which upper-layer protocol receives incoming packets after IP processing is complete.
■ Header Checksum Helps ensure IP header integrity.
■ Source Address Specifies the sending node.
■ Destination Address Specifies the receiving node.
■ Options Allows IP to support various options, such as security.
■ Data Upper-layer information.
The “envelope” or header of a packet contains a great deal of information, only some of which is of interest to firewall administrators, who are primarily interested in source and destination addresses and port numbers. Only application proxies deal with the data section.
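As an added example (not code from the original article), the parser below unpacks the header fields listed above from raw bytes, decodes the fragmentation flags and offset, and recomputes the header checksum, which is the first check a packet filter applies before it looks at addresses or ports. The sample packets it parses are constructed inside the block; the addresses in them are made up.

```python
"""Parse an IPv4 header into the fields listed above and verify its checksum.

Added example, not code from the article. The sample packets are constructed
here; the addresses in them are made up.
"""
import struct

# Upper-layer protocol numbers for the protocols discussed in the article.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of every
    16-bit word of the header, computed with the checksum field set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the IPv4 header fields as a dict; options are returned as raw bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    hlen = ihl * 4                          # IHL is counted in 32-bit words
    if hlen < 20 or len(packet) < hlen:
        raise ValueError("bad IHL")
    header = packet[:hlen]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field is bytes 10-11
    flags = flags_frag >> 13                # top 3 bits: reserved, DF, MF
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags & 0b010),          # Don't Fragment (middle bit)
        "mf": bool(flags & 0b001),          # More Fragments (low-order bit)
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": header[20:],
    }


def build_ipv4_header(src: str, dst: str, proto: int = 6, ttl: int = 64,
                      payload_len: int = 0, df: bool = True, mf: bool = False,
                      frag_offset: int = 0, ident: int = 0x1234) -> bytes:
    """Build a 20-byte (no options) IPv4 header with a correct checksum."""
    flags = (0b010 if df else 0) | (0b001 if mf else 0)
    flags_frag = (flags << 13) | (frag_offset // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, ttl, proto, 0, src_b, dst_b)
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]


# Constructed sample: a TCP packet with 40 bytes of payload and DF set.
SAMPLE = build_ipv4_header("192.168.1.10", "10.0.0.5", payload_len=40)

if __name__ == "__main__":
    for field, value in parse_ipv4_header(SAMPLE).items():
        print(f"{field:16} {value}")
```

Flipping a single byte of the sample (the TTL, say) makes `checksum_ok` false, which is why a filter can reject corrupted or clumsily forged headers without inspecting anything else; note that the checksum covers only the header, not the data, and is no defence against deliberate forgery, since an attacker simply recomputes it.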
Source and destination addresses reference the exact machine a packet came from and the corresponding machine receiving the packet. In IP version 4 these addresses are written in dotted-decimal form: four numbers from 0 to 255 separated by periods. The classes of IPv4 addresses, with the first address of each class, are:
- A 0.0.0.0 Standard Internet addresses available to all users, except the private 10.0.0.0/8 subnet
- B 128.0.0.0 Standard Internet addresses available to all users, except the private 172.16.0.0 to 172.31.255.255 range
- C 192.0.0.0 Standard Internet addresses available to all users, except the private 192.168.0.0/16 subnet
- D 224.0.0.0 Multicast address class
- E 240.0.0.0 Research and limited broadcast class
Three ranges are reserved for private networks:
- 10.0.0.0 to 10.255.255.255,
- 172.16.0.0 to 172.31.255.255, and
- 192.168.0.0 to 192.168.255.255.
By definition, these subnets cannot be routed on the Internet.
There is also a group of IP addresses known as self-assigned (link-local) addresses, which a host gives itself when no DHCP server answers; they range from 169.254.0.0 to 169.254.255.255.
One block is reserved for loopback. Address 127.0.0.1 refers to the machine itself, and is generally used to confirm that the TCP/IP stack is correctly installed and functioning on the machine.
Networks 240.0.0.0 to 254.255.255.255 are reserved for special testing and applications. The standard organization or individual does not use them, and they are not routed on the public Internet.
- The Class D network provides multicast capabilities. A multicast is when a group of IP addresses is defined in such a way as to permit individual packets to have a destination address of all the machines in the group, rather than a single machine.
- Class E is for research by particular organizations and has limited broadcast capabilities. A broadcast is when a single device sends out a packet that has no particular recipient. Instead, it goes to every machine on the subnet. On standard (non-Class E) networks, this is defined by address 255.255.255.255. The Class E network is different and is not accessible to devices on the other classes of networks.
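The following classifier, added here as an example and not taken from the article, puts the ranges above into code: it reports the classful designation of an IPv4 address, which special range (private, link-local, loopback, multicast, reserved) it belongs to, and whether it can legitimately appear as a source or destination on the public Internet. It uses only the standard library; the sample addresses are made up.

```python
"""Classify an IPv4 address by class and by whether it can appear on the
public Internet, following the ranges listed above.

Added example, not code from the article. It uses only the standard library;
the sample addresses are made up.
"""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
THIS_NET = ipaddress.ip_network("0.0.0.0/8")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def address_class(addr: str) -> str:
    """Classful designation from the first octet: A 0-127, B 128-191,
    C 192-223, D 224-239, E 240-255."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classify(addr: str) -> dict:
    """Return the class, the kind of address and whether it is Internet-routable."""
    ip = ipaddress.ip_address(addr)
    if not isinstance(ip, ipaddress.IPv4Address):
        raise ValueError("IPv4 addresses only")
    cls = address_class(addr)
    # Order matters: the special ranges are checked before the plain class lookup.
    if any(ip in net for net in PRIVATE):
        kind = "private (RFC 1918)"
    elif ip in LINK_LOCAL:
        kind = "self-assigned (link-local)"
    elif ip in LOOPBACK:
        kind = "loopback"
    elif ip in THIS_NET:
        kind = "unspecified (this network)"
    elif ip == LIMITED_BROADCAST:
        kind = "limited broadcast"
    elif cls == "D":
        kind = "multicast"
    elif cls == "E":
        kind = "reserved (Class E)"
    else:
        kind = "public unicast"
    return {"address": addr, "class": cls, "kind": kind,
            "internet_routable": kind == "public unicast"}


if __name__ == "__main__":
    for a in ("8.8.8.8", "172.20.1.1", "172.32.0.1", "169.254.10.10",
              "127.0.0.1", "224.0.0.1", "240.1.2.3", "255.255.255.255"):
        print(classify(a))
```

The 172.20.1.1 versus 172.32.0.1 pair is the one worth remembering: the private Class B block is a /12, not the whole class, so 172.32.0.1 is a public address while 172.20.1.1 is not. A firewall rule that blocks “172.*” as private is therefore wrong in both directions.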
Every device on the Internet must have a unique IP address. If a device has a valid IP address (i.e., not a private, non-routable address or self-assigned address) and is not behind a firewall, it is available for connection to any other device on the Internet. A computer in Berlin can print to a printer in London. A mail server in Chicago can deliver e-mail directly to a machine in Singapore. This ubiquitous communication and ability to transfer data directly from one machine to another is what makes the Internet so powerful. It is also what makes it so dangerous. It is impossible to stress strongly enough that no machine on the public Internet is hidden. No machine is safe from detection. Firewalls are the only method of safely hiding a device on a private network, while still providing access to the Internet as a whole.
Firewalls are able to hide a device by doing network address translation (NAT). Address translation is when the firewall rewrites the private address of a device on the internal subnet to a valid Internet address on the way out, and rewrites the Internet address back to the private one on the way in. Almost all firewalls do this type of address translation, which has several advantages:
- An Additional Layer of Security Without the firewall in place to do the translations, Internet addresses can’t communicate with the private network and vice versa.
- Expansion of Available IP Addresses Not every device in your organization needs to be accessible from the Internet. User workstations require access to the Internet, but do not need to have incoming traffic originating on the Internet. They only require responses to inquiries sent out. Most firewalls handle this by converting every internal address to a single, Internet-routable address. This address is usually the address of the (gateway) firewall itself, but does not necessarily have to be.
- Ability to Completely Hide a Device from the Internet Is it necessary to have your printers available to the Internet? Does that Web server that is only available to employees at their desks, need to have an Internet address? The answer to both questions is probably “no.” With a firewall capable of address translation, both of these examples can be assigned a private address with no translation to the outside. The device is hidden from anyone on the public Internet and is completely inaccessible.
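The simulation below, added as an example and not code from the article, shows the three advantages in action. A gateway translates every outbound flow to its own public address and a fresh port, keeps a table of the flows it created, and delivers an inbound packet only when it matches an entry in that table; anything else, whether a probe for Remote Desktop or a print job aimed at an internal printer, is dropped because no mapping exists. The public address 203.0.113.1, the internal network 192.168.1.0/24 and the packets are made-up values; packets are plain dicts with src, sport, dst and dport.

```python
"""Simulate the port address translation (PAT) a gateway firewall does, to show
why a translated host is reachable only for replies to its own requests.

Added example, not code from the article. The firewall's public address
203.0.113.1 and the internal network 192.168.1.0/24 are made-up values from
documentation ranges; packets are plain dicts with src, sport, dst, dport.
"""
import ipaddress


class NatFirewall:
    def __init__(self, public_ip: str, internal_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        # the same mapping keyed the other way, so a flow keeps its public port
        self.reverse = {}

    def outbound(self, pkt: dict) -> dict:
        """Rewrite a packet leaving the internal network and record the flow."""
        if ipaddress.ip_address(pkt["src"]) not in self.internal_net:
            raise ValueError("outbound packet with a non-internal source")
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.reverse.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.reverse[flow] = port
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt: dict):
        """Deliver a packet arriving from the Internet to the internal host that
        opened the flow, or return None to drop it."""
        if pkt["dst"] != self.public_ip:
            return None                      # not even addressed to us
        flow = self.table.get(pkt["dport"])
        if flow is None:
            return None                      # no internal host asked for this: dropped
        in_ip, in_port, remote_ip, remote_port = flow
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None                      # right port, wrong peer: not this flow
        return {**pkt, "dst": in_ip, "dport": in_port}


def demo() -> dict:
    """Run one outbound request, its reply, and two unsolicited inbound packets."""
    fw = NatFirewall("203.0.113.1", "192.168.1.0/24")
    out = fw.outbound({"src": "192.168.1.20", "sport": 51515, "dst": "198.51.100.7", "dport": 80})
    reply = fw.inbound({"src": "198.51.100.7", "sport": 80, "dst": out["src"], "dport": out["sport"]})
    # Nobody inside opened these, so the firewall has no mapping and drops them.
    rdp_probe = fw.inbound({"src": "198.51.100.9", "sport": 4444, "dst": "203.0.113.1", "dport": 3389})
    printer = fw.inbound({"src": "198.51.100.9", "sport": 4444, "dst": "203.0.113.1", "dport": 9100})
    return {"out": out, "reply": reply, "rdp_probe": rdp_probe, "printer": printer}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10} {pkt}")
```

The peer check in `inbound` is what separates a proper stateful translation from a naive port-forward: once port 40000 is mapped for the conversation with 198.51.100.7, a packet to that port from any other host is still dropped. Real NAT tables also expire idle entries, which this toy omits.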
IP Half-scan Attack
Half scans, also called half-open or SYN scans, and the related FIN scans, attempt to avoid detection by sending only the initial or the final packet of a connection rather than establishing one.
Every TCP connection starts with a Synchronize (SYN) packet from the connecting computer. The responding computer replies with a SYN/Acknowledgement (ACK) packet, which acknowledges the original packet and establishes the communication parameters, and the connecting computer completes the three-way handshake with an ACK. Data then flows in both directions, each segment being acknowledged, until the end of the communication, when each side sends a FIN packet and the connection is closed.
A half scan sends the SYN, learns from the reply whether the port is open (SYN/ACK) or closed (RST), and then never sends the final ACK, so the connection is never fully established and the application on the target never sees it. A FIN scan sends a bare FIN to a port with no connection at all: a closed port answers with RST, while an open port on an RFC-compliant stack stays silent. Software that conducts half scans, such as Jakal, is called a stealth scanner. Many port-scanning detectors, and the application logs of the scanned services, were unable to detect half scans; a stateful firewall or intrusion detection system that logs the SYN itself is the control to rely on.
IP spoofing involves changing the packet headers of a message to indicate that it came from an IP address other than the true source. The spoofed address is normally a trusted address that allows a hacker to get a message through a firewall or router that would otherwise filter it out. Modern firewalls can be configured to protect against IP spoofing. Hackers use spoofing whenever it is beneficial for one machine to impersonate another. It is often used in combination with another type of attack (e.g., a spoofed address is used in the SYN flood attack to create “half-open” connections: the client never responds to the SYN/ACK message, because the spoofed address is that of a computer that is down or doesn’t exist). Spoofing is also used to hide the true IP address of the attacker in ping of death, teardrop, and other attacks. Spoofing of your own internal addresses can be prevented using source address verification on your firewall; spoofing of arbitrary external addresses can only be stopped by filtering closer to the source, at the ISP.
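To make the difference between a completed handshake and a half-open probe concrete, the analyzer below, added here as an example and not code from the article, walks a trace of TCP flag sets and reports which sources left many connections half-open (SYN answered, final ACK never sent) and which sent bare FIN packets to ports they had never connected to. The trace is constructed: 10.0.0.5 completes a normal connection, 198.51.100.77 probes several ports and resets each one instead of acknowledging, and 203.0.113.9 sends bare FINs.

```python
"""Spot half-open (SYN) scans and FIN scans in a trace of TCP packets.

Added example, not code from the article. The trace is constructed: 10.0.0.5
completes a normal connection, 198.51.100.77 sends SYNs to several ports and
never finishes the handshake, and 203.0.113.9 sends bare FIN packets.
Each packet is a dict: src, dst, dport (port on the receiving host), flags.
"""
from collections import defaultdict


def _syn(src, dst, dport):
    return {"src": src, "dst": dst, "dport": dport, "flags": {"SYN"}}


def _probe_and_reset(src, dst, dport):
    """A half-open probe: SYN out, SYN/ACK back, RST out instead of the final ACK."""
    return [
        _syn(src, dst, dport),
        {"src": dst, "dst": src, "dport": 40000, "flags": {"SYN", "ACK"}},
        {"src": src, "dst": dst, "dport": dport, "flags": {"RST"}},
    ]


TRACE = [
    # a normal connection: SYN, SYN/ACK, ACK, data, orderly FIN/ACK close
    _syn("10.0.0.5", "192.0.2.10", 80),
    {"src": "192.0.2.10", "dst": "10.0.0.5", "dport": 51000, "flags": {"SYN", "ACK"}},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": {"ACK"}},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": {"PSH", "ACK"}},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "flags": {"FIN", "ACK"}},
]
for _port in (21, 22, 25, 80):
    TRACE += _probe_and_reset("198.51.100.77", "192.0.2.10", _port)
for _port in (22, 23, 25):
    TRACE.append({"src": "203.0.113.9", "dst": "192.0.2.10", "dport": _port, "flags": {"FIN"}})


def analyze(trace, threshold=3):
    """Return {"half_open": {src: [ports]}, "fin_scan": {src: [ports]}} for every
    source that probed at least `threshold` distinct ports."""
    syn_sent = set()                 # (src, dst, dport) that received a bare SYN
    completed = set()                # flows where the initiator's final ACK was seen
    fin_probes = defaultdict(set)    # src -> ports hit with a bare FIN and no connection
    for p in trace:
        key = (p["src"], p["dst"], p["dport"])
        flags = p["flags"]
        if flags == {"SYN"}:
            syn_sent.add(key)
        elif flags == {"ACK"} and key in syn_sent:
            completed.add(key)
        elif flags == {"FIN"} and key not in syn_sent:
            fin_probes[p["src"]].add(p["dport"])
    half_open = defaultdict(set)
    for src, _dst, dport in syn_sent - completed:
        half_open[src].add(dport)

    def report(per_source):
        return {src: sorted(ports) for src, ports in per_source.items() if len(ports) >= threshold}

    return {"half_open": report(half_open), "fin_scan": report(fin_probes)}


if __name__ == "__main__":
    print(analyze(TRACE))
```

The normal close uses FIN together with ACK, which is why a bare FIN with no preceding SYN is the signature of a FIN scan rather than of a legitimate teardown. The threshold exists because a single half-open flow is ordinary (a client that crashed mid-handshake); it is the number of distinct ports that identifies a scan.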
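Source address verification is a pair of rules about which addresses may arrive on which interface. The block below is an added example, not code from the article: it applies the RFC 2827 style of ingress and egress filtering on a firewall with an “outside” and an “inside” interface. The interface names, the internal prefix 192.168.0.0/16 and the sample packets are made up for the example.

```python
"""Source-address verification on a two-interface firewall (ingress/egress
anti-spoofing, the RFC 2827 approach).

Added example, not code from the article. The interface names "outside" and
"inside", the internal prefix 192.168.0.0/16 and the sample packets are all
made up for the example.
"""
import ipaddress

INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]
# Addresses that can never be a legitimate source on the Internet-facing side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def check_source(iface: str, src: str) -> tuple:
    """Return ("accept"|"drop", reason) for a packet with source `src` seen on `iface`."""
    ip = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(ip, INTERNAL):
            return ("drop", "internal address arriving from the Internet: spoofed")
        if _in_any(ip, BOGONS):
            return ("drop", "non-routable source on the outside interface")
        return ("accept", "plausible external source")
    if iface == "inside":
        if not _in_any(ip, INTERNAL):
            return ("drop", "internal host claiming an outside address: egress filter")
        return ("accept", "internal source")
    raise ValueError(f"unknown interface {iface!r}")


def filter_packets(packets):
    """Apply check_source to (iface, src, dst) tuples; return the accepted ones."""
    return [p for p in packets if check_source(p[0], p[1])[0] == "accept"]


# Constructed sample traffic.
SAMPLE = [
    ("outside", "192.168.1.5", "192.168.1.1"),    # SYN flood with a spoofed internal source
    ("outside", "10.1.1.1", "192.168.1.1"),       # private source from the Internet
    ("outside", "198.51.100.3", "192.168.1.1"),   # ordinary external client
    ("inside", "192.168.4.4", "198.51.100.3"),    # ordinary internal client
    ("inside", "8.8.8.8", "198.51.100.3"),        # compromised internal host spoofing outward
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", check_source(p[0], p[1]))
```

The egress rule matters as much as the ingress one: it is what keeps your own machines from being the “innocent middlemen” in a spoofed flood against somebody else. Neither rule can tell whether 198.51.100.3 on the outside interface is genuine, which is the limit of source verification at the victim’s edge.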
Denial of Service Attacks
In February 2000, massive DoS attacks brought down several of the biggest Web sites, including Yahoo.com and Buy.com. DoS attacks are a popular choice for Internet hackers who want to disrupt a network’s operations.The objective of DoS attackers is to bring down the network, thereby denying service to its legitimate users. DoS attacks are easy to initiate, because software is readily available from hacker Web sites and warez newsgroups that allow anyone to launch a DoS attack with little or no technical expertise.
Warez is a term used by hackers and crackers to describe bootlegged software that has been “cracked” to remove copy protections and made available by software pirates on the Internet, or in its broader definition, to describe any illegally distributed software.
The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers, or otherwise prevent the network’s devices from functioning properly. DoS can be accomplished by tying up the server’s resources (e.g., by overwhelming the central processing unit (CPU) and memory). In other cases, a particular user or machine can be the target of DoS attacks that hang the client machine and require it to be rebooted.
DoS attacks are sometimes referred to in the security community as nuke attacks. Distributed DoS (DDoS) attacks use intermediary computers (called agents or zombies) on which attack programs have previously been surreptitiously installed, usually by a virus or Trojan (see below). The hacker activates these programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which could potentially be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.
It is important to note that DDoS attacks pose a two-layer threat. Not only could your network be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, but your computers could be used as the “innocent middlemen” to launch a DoS attack against another network or site.
The Domain Name System (DNS) amplification attack exploits the difference in size between a DNS query and a DNS response: the victim’s bandwidth is tied up by responses to bogus DNS queries it never sent. The attacker uses the DNS servers as “amplifiers” to multiply the traffic.
The attacker begins by sending small DNS queries to each DNS server, with the source address of each query spoofed to the IP address of the intended victim (see “IP Spoofing”), so that the servers send their responses to the victim. The responses are much larger than the queries, so if a large number of responses arrive at the same time, the victim’s link becomes congested and DoS takes place. One solution to this problem is for administrators to configure their DNS servers to answer with a “refused” response (which is much smaller than a name resolution response) when they receive recursive queries from sources outside the networks they serve; response rate limiting on authoritative servers addresses the amplification that remains.
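The block below, an added example rather than code from the article, builds a DNS query and two kinds of answer on the wire with struct, so the size difference the attack relies on can be measured directly, and then implements the mitigation: a resolver that returns REFUSED to any client outside the networks it serves. The zone data, the served network 192.0.2.0/24 and the client addresses are made up; nothing touches the network.

```python
"""Measure DNS amplification and show the “refused” mitigation described above.

Added example, not code from the article. The query and responses are built
by hand with struct (no network access); the zone data, the served network
192.0.2.0/24 and the client addresses are made up.
"""
import ipaddress
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAGS_QUERY = 0x0100      # RD=1
FLAGS_ANSWER = 0x8180     # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
FLAGS_REFUSED = 0x8185    # QR=1, RD=1, RA=1, RCODE=5 (REFUSED)


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_answer(query: bytes, addresses: list) -> bytes:
    """Full response: same id, question echoed, one A record per address. Each
    record names the owner with a compression pointer (0xC00C) to the question."""
    header = query[:2] + struct.pack("!HHHHH", FLAGS_ANSWER, 1, len(addresses), 0, 0)
    records = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        + bytes(int(o) for o in a.split("."))
        for a in addresses)
    return header + query[12:] + records


def build_refused(query: bytes) -> bytes:
    """REFUSED response: header with RCODE 5 and the question echoed, nothing else."""
    return query[:2] + struct.pack("!HHHHH", FLAGS_REFUSED, 1, 0, 0, 0) + query[12:]


def rcode(response: bytes) -> int:
    return response[3] & 0x0F


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the (spoofed) source per byte the attacker sent."""
    return len(response) / len(query)


SERVED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ZONE = {"big.example": [f"198.51.100.{i}" for i in range(1, 21)]}   # 20 A records


def respond(query: bytes, name: str, client_ip: str) -> bytes:
    """Answer recursive queries only for the networks this resolver serves;
    everybody else gets REFUSED, so spoofed queries cannot be amplified."""
    if not any(ipaddress.ip_address(client_ip) in n for n in SERVED_NETWORKS):
        return build_refused(query)
    return build_answer(query, ZONE[name])


if __name__ == "__main__":
    q = build_query("big.example")
    for client in ("192.0.2.55", "203.0.113.200"):
        r = respond(q, "big.example", client)
        print(client, "rcode", rcode(r), "bytes", len(r), "amplification %.1fx" % amplification(q, r))
```

A 29-byte query for a name with twenty A records draws a 349-byte answer, twelve times what the attacker spent; the REFUSED reply is the same 29 bytes as the query, so there is nothing to amplify. Real ANY queries against records with DNSSEC signatures reach factors far higher than this toy zone shows.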
Detailed information on configuring DNS servers to prevent this problem is contained in the U.S. Department of Energy’s Computer Incident Advisory Capability information bulletin J-063.
IP Version 6
This standard was devised to address several problems with IPv4, primarily the limited number of possible addresses available. IPv4 supports about 4.3x10^9 (4.3 billion) addresses, while IPv6 supports about 3.4x10^38. The roll-out of IPv6 is occurring slowly, as more computers and network appliances become IPv6-compatible.
For the foreseeable future, IPv4 will be the de facto standard. What you learn here will still largely apply to IPv6. Firewall concepts, filtering theories, and deployment strategies will change little, if at all. IPv6 does not use the same classes of addresses as IPv4. Instead, there are three kinds of address:
- unicast,
- anycast, and
- multicast.
Broadcasts are not supported; however, multicast accomplishes nearly the same end. IPv6 also has reserved addresses, among them the unspecified address (::), the loopback address (::1), and the link-local range (fe80::/10); the rest of the space is allocated for global and local use. The question which should come to mind is, “If my firewall supports IPv6, and I really don’t use it, do I need to worry about configuring it?” The short answer is “yes.” There are already exploits that take advantage of IPv6. If a firewall that supports IPv6 is configured incorrectly, IPv6 traffic will pass through it unimpeded. Remember, IPv6 is designed to travel over the same network as IPv4; all it needs are routers, switches, and firewalls that support IPv6, and most new network appliances do. It can also be tunneled inside IPv4 (for example with 6to4 or Teredo), so a firewall that inspects only IPv4 may never see it. Apply the same rule set to IPv6 that you apply to IPv4, or block IPv6 entirely if you do not use it.
TCP/IP supports source routing, which is a means to permit the sender of network data to route the packets through a specific point on the network. There are two types of source routing:
- Strict Source and Record Route (SSRR, IP option type 137) The sender of the data specifies the exact route, hop by hop (rarely used).
- Loose Source and Record Route (LSRR, IP option type 131) The sender can specify certain routers (hops) through which the packet must pass.
If the system allows source routing, an intruder can use it to reach private internal addresses on the Local Area Network (LAN) (normally not reachable from the Internet), by routing the traffic through another machine that is reachable from both the Internet and the internal machine. Source routing should be disabled to prevent this type of attack, and it is disabled by default on most routers and operating systems. If it is not disabled on your router, disable it now, and drop any packet carrying a source-route option at the firewall.
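Dropping source-routed packets means walking the IP options field. The block below is an added example, not code from the article: it decodes the type/length/data options of an IPv4 header, recognizes the LSRR and SSRR option types, extracts the hop list an attacker supplied, and returns the verdict a firewall with source routing disabled would give. The packets are built by hand with a zero checksum, and all addresses are made up.

```python
"""Detect and drop IPv4 packets carrying a source-route option (LSRR, option
type 131, or SSRR, option type 137).

Added example, not code from the article. The packets below are built by hand
with a zero checksum; all addresses are made up.
"""
import struct

LSRR, SSRR = 131, 137
END_OF_OPTIONS, NOP = 0, 1


def ip_options(packet: bytes):
    """Yield (type, data) for each option in the IPv4 header, walking the
    type/length/data encoding and stopping at End-of-Options."""
    ihl = packet[0] & 0x0F
    opts = packet[20:ihl * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == END_OF_OPTIONS:
            return
        if kind == NOP:                     # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(packet: bytes):
    """Return ("LSRR" or "SSRR", [hops]) if the packet is source-routed, else None.
    The option data is a one-byte pointer followed by 4-byte router addresses."""
    for kind, data in ip_options(packet):
        if kind in (LSRR, SSRR):
            hops = [".".join(map(str, data[i:i + 4])) for i in range(1, len(data) - 3, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", hops)
    return None


def firewall_verdict(packet: bytes) -> str:
    """What a firewall with source routing disabled does with the packet."""
    return "drop" if source_route(packet) else "accept"


def make_packet(options: bytes = b"") -> bytes:
    """Minimal IPv4 header (TCP, checksum left at zero) plus options padded to a
    32-bit boundary; IHL is set to match."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                         64, 6, 0, bytes([203, 0, 113, 5]), bytes([192, 168, 1, 10]))
    return header + options


def route_option(kind: int, hops: list) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (4 = first hop), addresses."""
    data = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    return bytes([kind, 3 + len(data), 4]) + data


PLAIN = make_packet()
ROUTED = make_packet(route_option(LSRR, ["198.51.100.1", "192.168.1.1"]))
STRICT = make_packet(b"\x01" + route_option(SSRR, ["198.51.100.1"]))   # NOP, then SSRR

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", ROUTED), ("ssrr", STRICT)):
        print(name, firewall_verdict(pkt), source_route(pkt))
```

The ROUTED sample is exactly the attack described above: an outside host (203.0.113.5) addresses a packet to an internal machine and asks that it be carried through 198.51.100.1 and then the internal router 192.168.1.1. The length checks in `ip_options` are not optional; malformed option lengths have crashed IP stacks, and a filter that walks options must never trust them.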
A port number is a virtual “mail slot” on each machine. Applications listen on these ports for incoming connections, and certain applications listen on certain ports. The Internet Assigned Numbers Authority (IANA) assigns these ports (e.g., Web servers listen on ports 80 and 443 (HTTPS) and File Transfer Protocol (FTP) servers listen on port 21). Hypertext Transfer Protocol (HTTP), HTTP over Secure Sockets Layer (HTTPS), and FTP are examples of application-layer Internet protocols. You would not normally find a legitimate FTP server listening on port 80, although nothing in the protocol prevents it, which is why a firewall that inspects only port numbers can be fooled.
- Ports 0 to 1023 are the well-known ports, each assigned to a specific, well-defined service.
- Ports 1024 through 49151 are registered ports. Specific software vendors have registered these ports for use by their specific applications.
- Ports 49152 to 65535 are dynamic (ephemeral) ports. These have no specific registration and can be used by any application at any time. Using either or both application and gateway firewalls mitigates the misuse of ports.
UDP is generally faster than TCP because it carries less overhead, but there is no assurance that the data has arrived at its destination intact, or at all.
TCP requires a connection, set up by a SYN packet from the client, a SYN/ACK from the server, and a final ACK from the client (the three-way handshake). Every segment of data sent afterwards is acknowledged by an ACK, and unacknowledged segments are retransmitted, until both sides close the connection with FIN packets. UDP, on the other hand, sends datagrams with no handshake and no requirement for a response.
RFC 1700 documented the official well-known port assignments; it has since been replaced by the IANA online registry, which is the authoritative list. The IANA makes the port assignments. In general, a service is registered with the same port number for UDP as for TCP, although it usually uses only one of the two in practice; the list below shows the transport each service actually uses. The assigned ports were originally numbered from 0 to 255, but were later expanded to 0 to 1023. Some of the most well-known ports are:
TCP port 20: FTP (data)
TCP port 21: FTP (control)
TCP port 22: SSH
TCP port 23: Telnet
TCP port 25: SMTP
TCP/UDP port 53: DNS
UDP port 67: BOOTP/DHCP server
UDP port 68: BOOTP/DHCP client
UDP port 69: TFTP
TCP port 80: HTTP
TCP/UDP port 88: Kerberos
TCP port 110: POP3
TCP port 119: NNTP
UDP port 137: NetBIOS name service
UDP port 138: NetBIOS datagram service
TCP port 139: NetBIOS session service
TCP port 220: IMAPv3 (obsolete; IMAP4 uses port 143)
TCP port 389: LDAP (UDP 389 is used only by connectionless LDAP)
TCP port 443: HTTPS
TCP port 1433: Microsoft SQL Server (UDP 1434 is the SQL Server browser service)
TCP ports 6660-6669 and 7000: Internet Relay Chat (IRC)
Ports 0 through 65535 are available for TCP and, separately, for UDP, and are used for various services and applications. If a port is open, it responds when another computer attempts to contact it over the network. Port scanners such as Nmap are used to determine which ports are open on a remote machine; netstat, by contrast, lists the listening ports on the local machine and is the quickest way to check what you are exposing. The scanner sends packets for a wide variety of protocols and, by examining which probes receive responses and which don’t, creates a map of the computer’s listening ports.
It is not possible to turn off all listening ports on a machine that provides a service. If you did, you would render the computer invisible on the network and other devices would be unable to communicate with it. This may be exactly what you want with a typical desktop workstation, but a server must listen on the ports for the services it provides, and should listen on nothing else.
Port scanning generally does no harm to your network or system, but it does provide hackers with information they can use to penetrate a network. Potential attackers use port scans in much the same way that a car thief checks the doors of parked vehicles to determine which ones are unlocked. Although this activity in itself does not constitute a serious offense and in many jurisdictions is not considered illegal, what the person conducting the scan does with the information can present a big problem. Intensive port scanning can cause a DoS and in some cases crash the machine being scanned; should that occur, the activity may well be illegal.
The intrusion and attack reporting center is an excellent resource for information on ports that should be closed, filtered, or monitored, because they are commonly used for Trojan and intrusion programs.
Firewall logs are an excellent resource to analyze to see whether you are being port-scanned. Port scans generally appear as a run of connection attempts (usually SYN packets) to port after port on one IP address after another, from a single source within a short time. Port scanners are now automated, so the hacker can set one to run and come back later to a report of IP addresses with listening ports. The logs also provide evidence should legal action be taken against the scanner. Thus, logs need to be maintained and backed up in a secure manner.
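The pattern just described (one source, many distinct ports, a short window) is easy to pull out of the logs automatically. The block below is an added example, not code from the article: it parses firewall log lines in the iptables/netfilter syslog style, groups them by source, and reports every source that touched at least five distinct destination ports within any 60-second window. The log lines are constructed; the firewall host and all addresses are made up.

```python
"""Find port scans in firewall log lines: a source that hits many distinct
destination ports within a short window.

Added example, not code from the article. The log lines are constructed in the
iptables/netfilter syslog style; hosts and addresses are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines without those fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog stamps carry no year; only time differences are used below, so the
    # default year is fine except across a year boundary.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window_seconds: int = 60, min_ports: int = 5) -> dict:
    """Return {src: peak} for sources that touched at least `min_ports` distinct
    (dst, port) pairs inside any `window_seconds` window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[src].append((ts, dst, dpt))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        peak = 0
        for ts, dst, dpt in evs:
            window.append((ts, dst, dpt))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({(d, p) for _, d, p in window}))
        if peak >= min_ports:
            scanners[src] = peak
    return scanners


LOG = """\
Mar 12 10:15:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40123 DPT=21 SYN
Mar 12 10:15:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40124 DPT=22 SYN
Mar 12 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40125 DPT=23 SYN
Mar 12 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40126 DPT=25 SYN
Mar 12 10:15:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40127 DPT=80 SYN
Mar 12 10:15:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40128 DPT=443 SYN
Mar 12 10:15:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.50 DST=203.0.113.10 PROTO=TCP SPT=52001 DPT=443 SYN
Mar 12 10:16:10 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.50 DST=203.0.113.10 PROTO=TCP SPT=52002 DPT=443 SYN
Mar 12 10:20:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=3389 SYN
Mar 12 10:59:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=445 SYN
""".splitlines()

if __name__ == "__main__":
    print(detect_scans(LOG))
```

Both ACCEPT and DROP lines are counted on purpose: the scanner learns as much from the ports you do answer on as from the ones you block. Widen `window_seconds` to catch slow scans, which the 192.0.2.9 entries (two ports forty minutes apart) illustrate; they are invisible at 60 seconds and show up with an hour-long window.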
Other Protocol Exploits
The data portion of the packet itself can be analyzed. Gateway firewalls generally do not perform this type of analysis, or they do it in a “rudimentary” or “simplistic” manner. Application proxies are much more thorough and examine each packet that is passed through the application proxy. Since data packets vary greatly from application to application, it is impossible within the scope of this article to describe how packets are structured and the process for examining each type. Let’s take a brief look at some ways to manipulate the data packet for nefarious purposes.
System and Software Exploits
System and software exploits allow hackers to take advantage of weaknesses of particular OSs and applications (often called bugs). Like protocol exploits, they are used by intruders to gain unauthorized access to computers or networks, or to crash or clog up the systems to deny service to others. Common bugs can be categorized as follows:
- Buffer Overflows Many common security holes are based on buffer overflow problems. Buffer overflows occur when a program copies more bytes of input into a fixed-size memory buffer than the programmer allocated for it, overwriting whatever lies beyond the buffer; an attacker who controls the overflowing input can often use it to crash the program or to execute code of his or her choosing.
- Unexpected Input Programmers may not take steps to define what happens if invalid input (input that doesn’t match program specifications) is entered. Such input could cause the program to crash or open up a way into the system.
- System Configuration Bugs These are not really bugs per se, but rather they are ways of configuring the OS or software that leaves it vulnerable to penetration.
Popular software such as Microsoft’s Internet Information Server (IIS), Microsoft’s Internet Explorer (MSIE), Linux Apache Web Server, UNIX Sendmail, and Mac Quicktime, are popular targets of hackers looking for software security holes that can be exploited.
Major OS and software vendors regularly release security patches to fix exploitable bugs; the delay between a bug becoming public and the patch being applied is the critical window. It is very important for network administrators to stay up-to-date in applying these fixes and/or service packs to ensure that their systems are as secure as possible.
Trojans, Viruses, and Worms
Intruders who access your systems without authorization or inside attackers with malicious motives, could plant various types of programs to cause damage to your network. There are three broad categories of malicious code:
- Trojans The name, short for Trojan horse, refers to a software program that appears to perform a useful function, but in fact performs actions that the program user is not aware of or did not intend. Hackers often write Trojans to circumvent the security of a system. Once the Trojan is installed, the hacker can exploit the security holes it creates to gain unauthorized access, or the Trojan program can perform some action such as:
  - Deleting or modifying files
  - Transmitting files across the network to the intruder
  - Installing other programs or viruses
- Viruses This category includes any program that is usually installed without the user’s awareness and performs undesired actions. Viruses can also replicate themselves, infecting other systems by writing themselves to any disk used in the computer or by sending themselves across the network. Viruses are often distributed as attachments to e-mail or as macros in word processing documents. Some viruses activate immediately on installation; others lie dormant until a specific date or time, or until a particular system event triggers them. Viruses come in thousands of varieties. They can do anything from popping up a message that says “Hi!” to erasing a computer’s entire hard disk. The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning (generally circulated via e-mail or Web sites) about a virus that does not exist or does not do what the warning claims it will do. Real viruses, however, present a real threat to your network. Companies such as Symantec and McAfee make anti-virus software that is aimed at detecting and removing virus programs. Because new viruses are created daily, it is important to download new virus definition files (which contain the information required to detect each virus type) on a regular basis, to ensure that your virus protection stays up-to-date. The most dangerous virus is a new, fast-replicating virus for which no definition has been created. Fortunately, anti-virus companies now respond within hours of a new outbreak. Since nearly all anti-virus software has auto-update features, the new definitions are usually put in place quickly and effectively shut down the proliferation. This does not mean you are immune from infection if you have anti-virus software; it just means you are generally safe from older viruses. Both viruses and Trojans may carry a logic bomb (i.e., a bit of malicious code designed to “explode” under certain circumstances, such as performing, or failing to perform, an action).
The bomb can do anything from deleting files to wiping a computer. The “fun” part of a logic bomb for a hacker is letting the victim believe nothing is wrong and then damaging the computer at a much later time, making it more difficult to determine where and when the infection occurred.
- Worms A worm is a program that can travel across the network from one computer to another. Sometimes different parts of a worm run on different computers. Worms make multiple copies of themselves and spread throughout a network. The distinction between viruses and worms has become blurred. Originally the term worm was used to describe code that attacked multi-user systems (networks), and virus was used to describe programs that replicated on individual computers. The primary purpose of a worm is to replicate. Worm programs were initially used for legitimate purposes in performing network management duties, but their ability to multiply quickly has been exploited by hackers, who create malicious worms that replicate wildly and might also exploit OS weaknesses and perform other harmful actions. Unfortunately, nearly all of these now contain a root-kit. This is a series of tools that take control of your machine and create a zombie that will do the bidding of the malicious writer. Once a root-kit is installed on your machine, your only choice is to flatten the machine and rebuild from scratch. Root-kits notoriously have subprograms that hide their presence from the OS. While there are tools such as RootkitRevealer from Sysinternals, there is no sure way to confirm that all pieces of the root-kit have been removed. Any remaining bits have the potential to reinstall the entire root-kit and begin transmitting information to the root-kit owner.
In general, most data packets can be manipulated in an attempt to create a buffer overflow, which is a specific condition in an application where more data is written to an area of memory than the OS has allocated for it. The extra data then flows into the next area of memory, where it should not be. If the application design doesn’t consider this possibility, it may be possible to leverage this situation to execute code placed in that second memory area. This situation can yield many unwanted results, including:
- application hang or crash,
- server hang or crash, or, even worse,
- compromise of the machine, where control is given to the sender of the packet.
Do Firewalls Have Buffer Overflows?
Short answer, “Yes.” However, there are far fewer than in most other software, because firewalls are stripped down to the bare essentials. Firewall software is also scrutinized more closely due to the task the firewall is attempting to perform. Most firewall vulnerabilities result in DoS’s rather than access violations or compromise. Firewalls are designed to fail closed, so that the firewall cuts off network access rather than permitting unauthorized access. Also realize that some firewalls are designed to be installed on existing OSs. If the underlying OS has vulnerabilities, your firewall will only be as good as the OS it’s running on. In addition, a poorly configured firewall can leave gaping holes that a malicious person could walk through with ease. Read the manufacturer’s documentation, white papers provided by the manufacturer, and blogs, newsgroups, and discussion groups related to your model of firewall. Learn from others’ mistakes and don’t make them yourself. Most of these resources are freely available on the Web; a few searches should turn up starting points that will lead you to more resources. To a determined hacker, discovering a firewall is tantamount to throwing down a gauntlet and posing the challenge of how to exploit the permitted access. The good news here is that such determined hackers are fewer than the script kiddies (less experienced hackers who rely on pre-written scripts and tools to compromise machines) who look for easy targets with well-known vulnerabilities. Therefore, be certain that the script kiddies will walk away after knocking on the door and getting no answer. Then delve into the literature and make your network unwelcoming to even determined hackers.
There are two basic types of firewalls:
- application proxy firewalls, and
- gateway firewalls, which come as packet filter firewalls and stateful inspection firewalls.
An application proxy firewall takes apart each packet that comes in, examines it to see if it meets the criteria set, then rewrites it, and finally sends it on its way.
When the proxy receives a packet, it terminates the connection from the outside source and starts a new connection from the proxy to the destination. This offers great protection to the servers, because there is no direct interaction between the source and the destination. In addition, the proxy is greatly hardened against attacks and has a very small attack surface (an attack surface, in network speak, refers to the number of ports you have available for someone to try to exploit). It is very difficult for a hacker to take control of an application proxy firewall.
These firewalls are very specific and a proxy must be written for each supported application. The advantage to this is that you will have the exact needs of your particular application addressed; however, you are at the mercy of the vendor should there be an update to your application that the firewall doesn’t support. Delays may occur in upgrading your application until the firewall vendor catches up.
Application proxies are usually “invisible” on the network. Often, they have no IP address themselves, or, if they do, they sometimes masquerade as the destination server. Thus, application proxies may not do address translation. Application proxies work at the application level of the OSI Model; inspection is done from the Application layer down to the Physical layer. As the name implies, application proxy firewalls act as intermediaries in network sessions. The user’s connection terminates at the proxy, and a corresponding separate connection is initiated from the proxy to the destination host. Connections are analyzed all the way up to the application layer to determine if they are allowed. It is this characteristic that gives proxies a higher level of security than packet filters, stateful or otherwise. However, this additional processing exacts a toll on performance.
Depending on how the application proxy is written, it is possible to permit only those packets that are specific for the target application, and reject all others. Typically, these firewalls check against such factors as:
- buffer overflows,
- hidden malicious code,
- correct source and destination IP addresses, and
- correct port usage
For a high level of security, an application proxy is the appliance of choice. The detail of control permitted is unmatched by any other device.
An application proxy is generally far more secure than a gateway. By breaking down each packet to its basic parts and rewriting it, the firewall discovers and drops hidden malicious code. These firewalls can, and have, prevented zero-day attacks.
Application proxies also provide the opportunity to fine tune exactly what you will let into your protected network, and, depending on the design of the firewall, what you will allow out. A reverse proxy handles controlling the outgoing of information. Reverse proxies can play a very important role in high security environments by examining the contents of outgoing packets for sensitive information.
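To make the dissect-and-rewrite behaviour concrete, here is an added Python sketch of an HTTP-specific application proxy check (example code written for this page, not ISA Server’s or any other vendor’s logic). The size limits, the allowed method list, the header filtering and the backend host name are assumptions chosen for the illustration; it handles the header block only.

```python
import re
from typing import Dict, Optional, Tuple

# Hypothetical limits: an oversized line is the classic buffer overflow vector the proxy must refuse.
MAX_LINE = 2048
MAX_HEADERS = 50
ALLOWED_METHODS = {"GET", "HEAD", "POST"}       # only what the protected application needs
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>/[^\s]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):[ \t]*(?P<value>[^\r\n]*)$")


class Rejected(Exception):
    """Raised when a request fails inspection; the proxy drops it and logs the reason."""


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Take the request apart. Every field is checked before anything is forwarded."""
    try:
        text = raw.decode("ascii")              # non-ASCII bytes in headers are not valid HTTP/1.1
    except UnicodeDecodeError as exc:
        raise Rejected("non-ASCII bytes in request") from exc
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise Rejected("incomplete header block")
    lines = head.split("\r\n")
    if len(lines) > MAX_HEADERS + 1:
        raise Rejected("too many header lines")
    for line in lines:
        if len(line) > MAX_LINE:                # the overflow guard, applied before any parsing
            raise Rejected("header line exceeds limit")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise Rejected("malformed request line")
    if m["method"] not in ALLOWED_METHODS:
        raise Rejected(f"method {m['method']} not permitted")
    target = m["target"]
    if "/../" in target or "\x00" in target:    # hidden traversal or embedded NUL in the path
        raise Rejected("suspicious request target")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            raise Rejected("malformed header")
        headers[h["name"].lower()] = h["value"]
    if "host" not in headers:
        raise Rejected("missing Host header")
    return m["method"], target, headers


def rewrite_for_backend(method: str, target: str, headers: Dict[str, str], backend_host: str) -> bytes:
    """Build a brand-new request: only known-good fields reach the server, in canonical form."""
    forwarded = {"Host": backend_host}          # the client never learns the real backend name
    for name in ("content-length", "content-type", "accept"):
        if name in headers:
            forwarded[name.title()] = headers[name]
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in forwarded.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def proxy(raw: bytes, backend_host: str = "exchange-backend.internal") -> Optional[bytes]:
    """Return the rewritten request for the backend, or None if inspection rejected it."""
    try:
        method, target, headers = parse_request(raw)
    except Rejected as exc:
        print("dropped:", exc)                  # a real proxy would log this with the client address
        return None
    return rewrite_for_backend(method, target, headers, backend_host)
```

Note that unknown headers (such as the X-Debug line in a client request) are not copied through: the proxy forwards a rebuilt request, not the client’s bytes.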
While providing high security, application proxies cannot and should not be used in every situation. There are severe drawbacks to using these devices.
Slower Network Performance
Due to the work an application proxy must perform to dissect each packet and then rewrite it properly to pass on, they tend to be slower than a gateway. Depending on the volume of traffic across the firewall and the complexity of the data, you may see a significant performance hit with an application proxy.
Update Schedule Governed by Vendors
Since vendors specifically write the OS of these appliances, it may take time for them to catch up to the latest release of a particular application. Until your proxy is up-to-date with the application it is protecting, you cannot update the application itself.
Limited Control, Depending on Vendor
While some application proxies can be tweaked, others cannot. In most cases, if you are using standard protocols and the application proxy sits at your border to the Internet, it will not matter whether you can finely control what does and doesn’t enter your protected network. However, using an application proxy to protect an entire server room from the rest of the organization can prove disastrous if not tested. Note that neither of these scenarios is a typical use for an application proxy. Most often, an application proxy will be placed in front of a specific type of server, not at a border or subnet.
Example: Due to the sensitivity of the e-mail communications, all e-mail passes through Microsoft Internet Security and Acceleration (ISA) server. ISA server is Microsoft’s application proxy. Built for various applications including Exchange, Structured Query Language (SQL), and Terminal Server, it analyzes the data for appropriateness to the backend application, terminates the connection from the client, and establishes a new connection from ISA server to the backend Exchange. The reverse is done as the Exchange server answers the client’s query.
WARNING: Evaluate, Test, Evaluate, and Test Again
Beware of placing black boxes in your environment. Not knowing how they work or why they mark traffic as unacceptable can be almost as destructive as an attack. Having to explain why the device you put on the network performed a DoS against the network it was meant to protect is no fun. In that case, logs are very important. Faced with a choice between two devices, one that logged everything it did and why, and one that did its thing with little or no feedback to you, I’d always go with the first.
By far, the most commonly deployed firewall is the gateway. This firewall examines the source and destination addresses and ports, and determines if the packet meets the designated rules to pass through the firewall to the servers. There are various levels of gateways. Some are extremely simplistic and only filter packets by port, others can filter by IP address and port, and still others perform various checks on the legitimacy of some or all IPs. Gateways come in two flavors:
- packet filters and
- stateful inspection gateways.
These are basic firewalls with very little flexibility or functionality. Often, these are built into OSs, such as Mac OS X, to provide rudimentary protection for the individual workstation. Windows and Linux have more advanced firewalls built in. Windows firewall has some features of stateful inspection, while Linux has IPChains, which can be used as a full-function firewall. Packet filters also have their place in the network architecture. Network routers will function as packet filters.
In its most basic form, a packet filter makes decisions about whether to forward a packet based only on information found at the IP or TCP/UDP layers (the network and transport layers, respectively, in the Open Systems Interconnection (OSI) model).
In effect, a packet filter is a router with some intelligence. However, a packet filter only handles individual packets; it does not keep track of TCP sessions. Thus, it is poorly equipped to detect spoofed packets that come in through an outside interface. These specifically crafted packets will pretend to be part of an existing session by setting the ACK flag in the TCP header. Packet filters are configured to allow or block traffic according to source and destination IP addresses, source and destination ports, and type of protocol (TCP, UDP, Internet Control Message Protocol [ICMP], and so on). While rudimentary, packet filters can provide an effective barrier that reduces your attack surface.
- A Web server that is only serving unencrypted pages only requires port 80 open to the Internet. Using a packet filter, you can block all incoming traffic except that destined for port 80. You have just reduced your attack surface from 65535 ports to 1. While any hacker worth their salt will find your single open port, you have greatly reduced their toolset for breaking into your machine. In addition, if there is a vulnerability, even a zero-day vulnerability, on one of the other ports, it will be impossible to reach from the outside.
- Another example of packet filter use involves limiting the IP addresses permitted to contact a server. Let’s assume you have a business that has a specific subnet, 192.168.50.x. Your financial application server should only provide services to this subnet. Simply block all other traffic. Now, the only way someone can get to your application server is to be on your specific subnet. Packet filters usually have their own address and address translation. Some of the specific techniques addressed in the following sections can be applied to packet filters, just be aware of their limitations and potential vulnerabilities.
- The ultimate example of a simplistic port-only packet filter is the old Microsoft Windows TCP/IP filter available in 'advanced network properties'. This is so simplistic, it is only worthwhile to use in a few cases.
- Simple Network Management Protocol (SNMP) can transfer various commands to devices. These commands range from information gathering to actual control of the devices.
- IRC is a common protocol used by hackers to communicate with zombies. Blocking this at the border, both incoming and outgoing, removes a control channel for hackers should a machine inside become compromised.
- Telnet and FTP are protocols that transmit both data and authentication credentials in clear text. Telnet is a remote command-line protocol and FTP is used to transfer files to and from servers. Better choices are Secure Shell (SSH) and Secure File Transfer Protocol (SFTP), both of which encrypt data and authentication.
- Simple Message Block (SMB) file sharing, while not insecure in and of itself, has been found to have numerous vulnerabilities in its implementation in Windows and older Linux systems. These vulnerabilities can be used to compromise machines, and the protocol should therefore be blocked at the border router.
- Also note Peer-to-Peer (P2P) file sharing, which is not uncommon in academic settings and should be taken into consideration when designing network security.
Packet filters are extremely useful in certain situations. Primarily they should be deployed at the perimeter of your organization where coarse filtering is the best option.
Packet filters are extremely fast. Since they only examine the destination port and/or the source/destination IP address, they have very little work to do. Simple packet filters are an excellent choice if you have an extremely high-traffic resource that must process packets in and out very quickly. A high-traffic Web site is an ideal application for a packet filter. You can also throw a packet filter at your corporate border. Perhaps you only need ports such as SSH (22) or Remote Desktop Protocol (RDP) (3365) open for remote administration, and VPN for remote access by users. Perfect; you don’t need anything fancy to get the job done.
Quick deployment is also a major plus to packet filters. As long as you know the necessary ports and/or subnets, you can have a packet filter set up in literally minutes. There are no complicated rule sets and no extra protocols to deal with.
Answer these two questions and you are on your way.
- What ports do you need open?
- Where can the traffic come from?
While packet filters have the advantages of speed and simplicity, they suffer from problems of security and other limitations that more complicated firewalls do not.
Because packet filters are basic and do simple packet inspection, they are less secure than an application proxy. They pass through anything arriving from a permitted subnet to a permitted port, no questions asked.
Packet filters do not track where an incoming packet came from, or ensure that the return packet goes to the same location (see “Stateful Inspection”). This also means that the conversation cannot be moved from lower static ports to higher dynamic ports. Many applications use these after making the initial handshake, once the two machines agree how to communicate. The application will request a move to higher ports to free up the lower static ports for other initial handshakes. With a packet filter, this requires opening most, if not all, of the dynamic ports, which, of course, makes the firewall useless. The Windows mail application, Outlook, and its corresponding server, Exchange, demonstrate this very well. Initial communications are started on TCP port 135. Once the connection is established and authenticated, Exchange requests that the communication be moved up to ports around 5000. By default, this could include any number of possible ports that would require too many holes in the packet filter.
FTP, a “standard” protocol, can behave strangely with a packet filter. Since communication happens on port 21 but data transfer is switched to port 20, many packet filters fail to correctly pass FTP packets; therefore, the file transfer is interrupted.
The Stateful Inspection gateway is the standard type of firewall deployed to protect servers and other network resources. There are many companies that provide this type of firewall with varying degrees of features. For now, let’s look at how these firewalls work in general.
Stateful inspection is important to security because it provides a deeper level of filtering than Access Control Lists (ACL’s) found in routers, which may only filter based on header information. Firewalls that perform stateful inspection analyze individual data packets as they traverse the firewall. In addition to the packet header, stateful inspection also assesses the packet’s payload and looks at the application protocol. It can filter based on the source, destination, and service requested by the packet. The term “stateful inspection” refers to the firewall’s ability to remember the status of a connection and thereby build a context for each data stream in its memory. With this information available, the firewall is able to make more informed policy decisions.
Stateful inspection is several steps below an application proxy and much better than a packet filter. In this case, the firewall keeps track of the TCP SYN/ACK packets that initiate and continue the conversation between two machines in a connection table. UDP protocols are monitored in a similar fashion, but the table is far less complete, because there is no detailed information. Stateful inspection firewalls also handle protocols such as Generic Routing Encapsulation (GRE) and Protocol 47 used in VPN communications, and ICMP.
All of these types of firewalls have the concept of “inside” versus “outside.” While there may be several insides that have various levels of security (private, users, DMZ, and so forth), there is only one outside and it is completely untrusted. By default, nothing is permitted to cross the firewall from the outside. Conversely, devices on a higher security interface, such as users, are permitted access to a lower security interface such as DMZ or outside. All of these parameters are configurable; however, before we begin discussing the configuration, let’s get a better understanding of how a firewall decides what can and cannot pass through.
The Inspection Process
The inspection of TCP/IP packets is a multi-step procedure. What follows is a summary of the steps, not necessarily in order.
- A packet arrives at the outside interface (e.g., the Internet). It is checked for permitted or denied ports and IP addresses. Note that stateful inspection firewalls require both a port and an IP address. IP addresses can be in the form of a single machine, a group of IP addresses, or “any,” meaning any valid IP address on the specified network.
- The firewall checks the source IP address for validity. This feature prevents spoofed packets from being transmitted, by allowing only packets whose source addresses match the subnet of the firewall’s incoming interface or routing table. Therefore, if the packet has inconsistent information concerning its origins, it is unlikely that it is legitimate and is dropped.
- The firewall compares the ports and addresses to the ACL, and either clears the packet for further processing or drops the packet.
- The packet’s from and to addresses, as well as other tracking information, is recorded in a table for reference when a return packet is sent. Stateful inspection firewalls keep track of who is talking to whom. This is extremely important for the correct use and protection of the dynamic ports. Should the packet be part of an ongoing connection, there is an entry in the connection table and the packet information is compared to the table for consistency.
- If the packet is a well-known protocol such as SMTP (Internet mail), HTTP (Web), or FTP (file transfer), the packet may be checked against the IANA standards or a vendor’s private standards for compliance. This ensures that packets containing malformed data are dropped and do not reach the servers where they may cause harm. This is not, however, equivalent to the application proxy’s inspection of packet data. Application proxies inspect the data contained in the packet for conformance to a specific application’s requirements; stateful inspection firewalls simply look for standards compliance and perform only address translation. They do not wholesale rewrite the packet. They are not application-specific, nor do all stateful inspection firewalls perform this type of check.
- Finally, the firewall rewrites the destination IP address from the valid Internet address to the private address, and sends it on its way.
- For an outgoing packet, the firewall checks for a valid IP address and permitted IP address destinations. By default, most firewalls assume that a higher security interface is permitted to access any location outside the firewall. However, this can be overridden.
- A comparison is done between the outgoing packet parameters and the entries in the connection table. The firewall confirms that the entries match and that the packet is headed to the appropriate destination.
- The firewall may confirm the outgoing protocols, although in most cases, firewalls assume that trusted networks use valid protocols.
- Addresses are translated and the packet is sent on its way to the destination.
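The contrast between a packet filter and the stateful inspection process above, as an added Python simulation (written for this page, not any vendor’s firewall code): the stateless filter judges every packet alone on address and port, while the stateful firewall applies the anti-spoofing check, consults the ACL only for a fresh SYN, and keeps a connection table that lets return traffic through to a client’s dynamic port. The interface subnets, rules and packets are constructed; address translation is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed interface subnets: "outside" is the untrusted side, "inside" the protected 192.168.50.x subnet.
OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/24")
INSIDE_NET = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str                          # interface the packet arrived on: "outside" or "inside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    src_net: str                        # CIDR; "0.0.0.0/0" is the text's "any"
    dport: int


def packet_filter(pkt: Packet, rules: list) -> bool:
    """Stateless gateway: each packet is judged alone, on source address and destination port only."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(r.src_net) and pkt.dport == r.dport for r in rules)


class StatefulFirewall:
    """Stateful inspection gateway: the same ACL for new connections, plus a connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}                 # conversation key -> "SYN_SENT" | "ESTABLISHED"
        self.log = []

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Order-independent key so both directions of one conversation share one table entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def decide(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        # Anti-spoofing step: the source must belong to the subnet of the arrival interface.
        expected = OUTSIDE_NET if pkt.iface == "outside" else INSIDE_NET
        if src not in expected:
            return self._drop(pkt, "source address inconsistent with arrival interface")
        k = self.key(pkt)
        if k in self.table:
            # Part of a known conversation: check consistency with the table, then pass it.
            if pkt.flags == {"SYN"}:
                return self._drop(pkt, "fresh SYN on an existing connection")
            if "ACK" in pkt.flags and self.table[k] == "SYN_SENT":
                self.table[k] = "ESTABLISHED"
            return True
        # No table entry: only a fresh SYN may open one. A lone ACK claiming to belong to a
        # session (the crafted packet a stateless filter cannot recognise) is dropped here.
        if pkt.flags != {"SYN"}:
            return self._drop(pkt, "non-SYN packet without a connection entry")
        if pkt.iface == "inside" or packet_filter(pkt, self.rules):
            # The higher-security side may initiate outward by default; outside must pass the ACL.
            self.table[k] = "SYN_SENT"
            return True
        return self._drop(pkt, "denied by ACL")

    def _drop(self, pkt: Packet, why: str) -> bool:
        self.log.append(f"DROP {pkt.iface} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({why})")
        return False


if __name__ == "__main__":
    rules = [Rule("0.0.0.0/0", 80)]     # public web server on 192.168.50.10, port 80 only
    fw = StatefulFirewall(rules)
    spoofed_ack = Packet("outside", "203.0.113.9", 4444, "192.168.50.10", 80, frozenset({"ACK"}))
    print("packet filter passes lone ACK:", packet_filter(spoofed_ack, rules))
    print("stateful passes lone ACK:", fw.decide(spoofed_ack))
    fw.decide(Packet("inside", "192.168.50.20", 51234, "203.0.113.5", 443, frozenset({"SYN"})))
    reply = Packet("outside", "203.0.113.5", 443, "192.168.50.20", 51234, frozenset({"SYN", "ACK"}))
    print("packet filter passes reply to dynamic port:", packet_filter(reply, rules))
    print("stateful passes reply to dynamic port:", fw.decide(reply))
    print(*fw.log, sep="\n")
```

The second scenario is the dynamic-port problem from the packet filter discussion: the reply to port 51234 only passes the stateless filter if every high port is opened, whereas the connection table admits it because the inside client opened the conversation.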