
Deakin University CRICOS Provider Code: 00113B


Reminder

❖ Task 3.1P is available on OnTrack.
❖ Week 4 tasks will be available soon.
❖ Make sure you plan your time for each task so that you can complete the tasks before the due date.
❖ If you have any questions related to tasks, please use the discussion forum.


SIT182 – Real World Practices For Cyber Security

Trimester 2 – 2021
Deakin College

Week 5 – Part 1


Network Security Defenses – Basics
(NAT, Firewalls)


Network Address Translation
(NAT)


Question:

Do ALL hosts connected to Internet have a unique global IP Address?

Internet = INTERconnected NETwork

Background: Private Network

• A private IP network is an IP network that is not directly connected to the Internet.

• IP addresses in a private network can be assigned arbitrarily.
▪ Not registered and not guaranteed to be globally unique.

• Private networks normally use addresses from the ranges reserved for this purpose by RFC 1918. These are not routed on the public Internet:

▪ 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
▪ 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
▪ 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

So how do you connect from these private networks to the Internet? 🤔

Network Address Translation (NAT)

• NAT is a router function that rewrites IP addresses (and, in the common NAPT/PAT form, port numbers) in packet headers.

• It enables private networks that use unregistered IP addresses to connect to the Internet.

• It connects two networks together and translates the private (not globally unique) addresses of the internal network into globally unique addresses before packets are forwarded to the other network. The router keeps a translation table so that replies can be mapped back to the internal host that sent the original packet.

(Figure: Network Router)

Network Address Translation (NAT): Example

(Figure: NAT translation example; the diagram is not recoverable from the slide text.)

Question:

What is the security advantage of NAT?

NAT hides the IP addresses, port numbers and connections of the computers in the internal network; an outsider sees only the router's public address. Because an unsolicited inbound packet has no entry in the translation table, it cannot be delivered to an internal host. Note that this is a side effect of address translation, not an access-control policy: NAT is not a replacement for a firewall.
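The translation table that makes this work, and why an unsolicited inbound packet has nowhere to go, as an added Python example that is not part of the slides. The router, host and server addresses are constructed from the RFC 5737 documentation ranges, and the rule that a translated inbound packet must come from the peer the mapping was created for is a modelling assumption (real NAT implementations differ in how strict they are about this):

```python
"""Network address and port translation (NAPT), simulated.

Added example, not from the lecture slides. A router with one public address
rewrites the source of outbound packets from RFC 1918 hosts, records each
mapping in a translation table so replies can be mapped back, and has no
entry to match an unsolicited inbound packet against, so it drops it.
All addresses are RFC 5737 documentation prefixes, constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out: dict = {}   # inside 5-tuple -> allocated public port
        self._in: dict = {}    # (proto, public port) -> inside 5-tuple (reverse index)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite source IP/port to the public IP and a mapped port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._out.get(key)
        if pub_port is None:                 # first packet of this flow: allocate a mapping
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port)] = key
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: translate only if a mapping exists for the destination
        port AND the packet comes from the peer that mapping was created for.
        Otherwise drop it (return None). The peer check is an assumption of this
        model; many consumer NATs are more permissive than this."""
        key = self._in.get((pkt.proto, pkt.dport))
        if key is None:
            return None
        _proto, in_ip, in_port, rem_ip, rem_port = key
        if (pkt.src, pkt.sport) != (rem_ip, rem_port):
            return None
        return replace(pkt, dst=in_ip, dport=in_port)


def demo() -> dict:
    """Two internal hosts using the SAME private source port reach one web server;
    replies come back to the right host; unsolicited traffic is dropped."""
    nat = Napt(public_ip="198.51.100.1")
    web = "203.0.113.80"
    a = Packet("tcp", "192.168.1.10", web, 51000, 443)
    b = Packet("tcp", "192.168.1.11", web, 51000, 443)
    a_out, b_out = nat.outbound(a), nat.outbound(b)

    reply_to_b = Packet("tcp", web, nat.public_ip, 443, b_out.sport)
    # Attacker tries to reach an SSH service behind the NAT: no mapping for port 22.
    unsolicited = Packet("tcp", "203.0.113.9", nat.public_ip, 4444, 22)
    # Attacker guesses a mapped public port but is not the peer of that flow.
    spoofed = Packet("tcp", "203.0.113.9", nat.public_ip, 443, a_out.sport)
    return {
        "a_public": (a_out.src, a_out.sport),
        "b_public": (b_out.src, b_out.sport),
        "reply_to_b": nat.inbound(reply_to_b),
        "unsolicited": nat.inbound(unsolicited),
        "spoofed": nat.inbound(spoofed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Both internal hosts used private source port 51000, so the port rewrite is what keeps their flows apart on the public side (40000 and 40001); the reply addressed to 198.51.100.1:40001 is rewritten back to 192.168.1.11:51000, while the connection attempt to port 22 and the packet from the wrong peer return None, i.e. are dropped.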


Firewalls


Firewall

• In real life, firewalls are structures that are built to prevent the spread of fires or similarly destructive forces.

Example: A firewall used to inhibit the spread of a fire at an electrical substation.
(https://en.wikipedia.org/wiki/Firewall_(construction)#/media/File:Power_systems_in_Toppila_Jun2008.jpg)


Network Firewall

❑ A network firewall, however, can be better compared to the moat of a medieval castle:

▪ It restricts people to entering at one carefully controlled point

▪ It prevents attackers from getting close to other defences

▪ It restricts people to leaving at one carefully controlled point

http://www.castlesfortsbattles.co.uk/south_east/bodiam_castle.html


Firewall

• Perimeter defence:

▪ Divide the world into a safe inside (intranet) and a dangerous outside world (Internet)

▪ Prevent anything bad from entering the inside

• Block communication that is evil, risky or just unnecessary = access control at network level ☺

A firewall monitors incoming and outgoing network traffic and permits or blocks network packets based on a set of security rules.


What can a firewall do with a packet?

• The firewall forwards the packet.

▪ This is the common operation when the packet belongs to a flow or application that you want to allow.

▪ Typical terms for this: Allow / Permit / Accept / Pass

• The firewall discards the packet and does not forward it.

▪ This is the common operation when the packet belongs to a flow or application that you want to stop.

▪ Typical terms for this: Drop / Deny / Reject. Strictly, "drop" discards the packet silently, while "reject" also sends an error back to the sender (a TCP RST or an ICMP unreachable). Dropping reveals less to a port scanner; rejecting makes failures visible sooner to legitimate clients.

• Other options include

▪ logging that a certain type of packet appeared,

▪ informing the admin, etc.


Firewall Configuration – Basics

▪ The firewall is configured by an administrator.

▪ The administrator configures:

▪ A default rule

▪ Rule set

Default DENY (~whitelisting): everything that is not explicitly permitted is denied.

Default PERMIT (~blacklisting): everything that is not explicitly forbidden is permitted.


Information Accessible to a Firewall for Decision Making

(Figure: protocol stack with layers L2, L3, L4 and 5-7 App)

How can a firewall gain information for its decision?

• Basically, it can only use the packet itself and the data in its header fields.

Application Layer: application-layer filtering requires an application-level packet filter (a proxy or deep packet inspection). This is not part of standard packet-filter operation.

Link Layer: direction of the packet (the interface it arrived on), next physical hop

Network Layer: communication end points (source and destination IP addresses), transport protocol (the IP protocol field)

Transport Layer: ports (applications), protocol state (TCP flags such as SYN and ACK)


Types of Firewalls

• Stateless Firewalls (uses Stateless Packet Filtering)

• Stateful Firewalls (uses Stateful Packet Filtering)

• Application-layer firewalls


Stateless Firewall

• Allow or block IP packets based on their IP header fields and TCP/UDP port numbers

• Packet filter is defined as a rule table

▪ Linear list of rules

▪ Each rule consists of conditions and an action

▪ For each packet, the first matching rule is applied

▪ Two possible actions:

❑ ALLOW (a.k.a. accept, permit, bypass) or BLOCK (a.k.a. drop, deny), possibly also allow-and-log or block-and-log


Stateless Firewall

• The firewall keeps no state.

▪ The filtering decision is made separately for every packet, and does not take into account any earlier decisions made on related packets.


Specifying Packet Filter Rules

• Direction of traffic flow:

▪ Inbound: The traffic is coming from an interface which is outside the protected
network and its destination can be reached on an interface which is connected
to the protected network

▪ Outbound: the opposite of inbound

▪ For every packet filtering rule this direction is specified as either
“inbound”, “outbound”, or “either”.

• Source and destination address specifications can make use of wildcards, e.g.
125.26.*.* denotes all addresses starting with 125.26.

▪ For source and destination ports we sometimes write ranges, e.g. “>1023” (i.e.,
port number > 1023)

• Filtering rules are applied in the order of specification, that means the first rule
that matches a packet is applied


Example 1: Inbound email to SMTP server 1.2.3.10

* = any

What happens if the order of Rule 1 and Rule 2 is swapped?

(Figure: the rule table for Example 1 is not recoverable from the slide text; only its Direction column survived: Inbound, Inbound, Outbound, Either.)

Rule table used in Example 2 (below):

Rule  Direction  Src. Addr.  Dest. Addr.  Protocol  Src. Port  Dest. Port  ACK  Action
A     Inbound    External    Mailserver   TCP       >1023      25          Any  Permit
B     Outbound   Mailserver  External     TCP       25         >1023       Yes  Permit
C     Outbound   Internal    External     TCP       >1023      25          Any  Permit
D     Inbound    External    Internal     TCP       25         >1023       Yes  Permit
E     Either     Any         Any          Any       Any        Any         Any  Deny


Example 2: Only allow SMTP / email communication with a mail server

• This rule set aims to specify that incoming and outgoing email should be the only allowed traffic into and out of a protected network.

• Email is relayed between two servers by transferring it to an SMTP daemon on the target server (server port 25, client port > 1023).

• Rule A allows incoming email to enter the network and rule B allows the replies to exit the network. The "ACK = Yes" condition means the TCP ACK flag must be set, so these packets can only continue an already open connection; a packet that opens a connection (SYN without ACK) does not match.

• Rules C and D are analogous for outgoing email.

• Rule E denies all other traffic.

SMTP (used for email, port 25)


Example 2

What would happen to a Telnet connection with reference to the rule set in Example 2?

▪ A telnet server usually listens on port 23, and all permitted inbound traffic must be addressed either to port 25 or to a port number > 1023, so the packets that would open an incoming telnet connection are blocked.

▪ The same holds for outgoing telnet connections: permitted outbound traffic is likewise limited to destination port 25 or ports > 1023.

▪ List of TCP and UDP port numbers can be found at:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


Reminder: TCP and UDP

• TCP = Transmission Control Protocol

▪ session and connection between two parties

▪ port 1081 <=> port 80

• UDP =User Datagram Protocol

▪ No need to open / close connections

▪ Just transmit / broadcast /receive some data…


Example 3: When Stateless Firewall Fails (TCP)

We want to allow a Telnet flow (uses TCP) between a client at IP address 1.1.1.1 and a
server at 2.2.2.2. Assume further that the client is inside the organization's network, and
the server is outside. Client-to-server packets look like this:

Source IP=1.1.1.1, Destination IP=2.2.2.2, Source Port=NNN, Destination Port=23

NNN is an arbitrary number selected by the client.

On the other hand, return traffic, from the server to the client, swaps IP addresses and
port numbers, and looks like this:

Source IP=2.2.2.2, Destination IP=1.1.1.1, Source Port=23, Destination Port=NNN


Example 3: When Stateless Firewall Fails (TCP)

Now the network admin wishes to write the firewall rule:

The person writing the rules to allow this flow knows the endpoints’ IP addresses, and
knows that the telnet port is 23. But she does not know the client’s source port (NNN),
which is selected dynamically at run time. So to allow both directions of traffic through
the firewall, she needs to write two basic filtering rules:

1. Permit TCP packets from 1.1.1.1, to 2.2.2.2, with Any source port and destination port 23.

2. Permit TCP packets from 2.2.2.2, to 1.1.1.1, with source port 23 and ANY destination port.

What’s the risk here?🤔


Example 3: When Stateless Firewall Fails (TCP)

Rule 2 matches packets on their source port, which is extremely risky.

Remember that the source port is under the packet sender's control. An attacker on machine 2.2.2.2 can craft packets with source port 23, destination IP 1.1.1.1, and a destination port of their choice. Packets crafted this way cross the firewall because they match the second telnet rule, and then reach a non-telnet port!

• This type of risk is unavoidable in a stateless firewall. Since the firewall keeps no state, it does not "remember" whether a telnet flow is already established, or which source port number the client selected.

• Thus the firewall must rely on source-port filtering, which, as we just saw, is unreliable and risky.


Example 4: When Stateless Firewall Fails (UDP)

• The admin makes a rule allowing a client computer on an internal network to talk to a DNS server outside the firewall.

• He would tell the firewall to allow UDP packets from that host, with source ports 1024 to 65535, destined for host 1.2.3.4 on destination port 53.

• This rule works fine, but what happens when the DNS server responds? To allow the response, you need a rule to allow UDP packets from source port 53 to destination ports 1024 to 65535.

The problem with allowing those UDP packets is that attackers could talk to any UDP
service on a port between 1024 and 65535, as long as they use a source port of 53!!


Stateless Firewall – Pros and Cons

Advantages of stateless operation:

▪ Simpler to implement, less complexity

▪ Highest performance in terms of speed

Challenges of stateless operation:
• Serious limitations in protecting Private Networks (as seen in Example 3)
• Limitation in supporting UDP (as seen in Example 4)

• Stateless filtering can still be found, e.g., in routers, but these devices should not be
perceived as “real” firewalls and should only be used in relatively safe environments,
such as within an organization’s internal network, to separate departments from each
other.


Stateful Firewalls

• In stateful filtering, packets that arrive may create state in the firewall.

▪ The basic idea is to track all connections, e.g. remember for some minutes that A sent a UDP packet to B in order to recognise the reply.

▪ After some timeout interval the state is deleted.
❑ Otherwise there is a danger of running out of memory (an attacker can fill the table by opening many flows).
❑ Old state could be misused (e.g. accepting a "UDP reply" to a host that sent the initial message a week ago).


Stateful Firewalls

• An important feature of stateful firewalling is connection tracking.
▪ The firewall sees the first packet of a connection.
▪ Subsequent packets are considered to be part of this connection.

States that a connection can be in:
• New: this is the first packet of a yet unknown connection.
• Established: this is a packet of an existing connection.
• Related: this is a packet related to an existing connection. Application-specific configuration (a protocol helper) is needed before the firewall can recognise related packets.
▪ E.g. FTP uses different ports for the control connection and the related data connections.
• Invalid: the packet cannot be associated with any known connection, or contains invalid header field values.


Example 1 Stateful Firewall – (Example 2 of stateless revisited)

Rule  Direction  Src. Addr.  Dest. Addr.  Protocol  Src. Port  Dest. Port  State        Action
A     Inbound    External    Mailserver   TCP       >1023      25          New          Permit
B     Outbound   Internal    External     TCP       >1023      25          New          Permit
C     Either     Any         Any          TCP       Any        Any         Established  Permit
D     Either     Any         Any          Any       Any        Any         Any          Deny

❑ This is the mail server example from the stateless filtering section.

❑ We need to accept new connections to our mail server and new connections to other external mail servers.

❑ The replies are all accepted as we allow packets of established connections to pass. Other connections cannot reach the established state.


Example 2 Stateful Firewall – Webserver

Rule  Direction  Src. Addr.  Dest. Addr.  Protocol  Src. Port  Dest. Port  State        Action
A     Inbound    External    Webserver    TCP       >1023      80          New          Permit
B     Outbound   Internal    External     TCP       >1023      80          New          Permit
C     Outbound   Internal    External     UDP       >1023      53          New          Permit
D     Either     Any         Any          Any       Any        Any         Established  Permit
E     Either     Any         Any          Any       Any        Any         Any          Deny

• Allow HTTP traffic initiated by external hosts to the webserver (TCP port 80)

• Allow internal hosts to initiate

▪ HTTP traffic to the Internet (TCP, port 80)

▪ DNS traffic to the Internet (UDP, port 53)

• New connections are only accepted if the direction of the communication is correct. Because the firewall remembers the first packet through connection tracking, this also works for UDP, which has no connection set-up of its own.

• Once accepted, we accept packets of established connections in both directions.

• Do not allow other communication, in particular no communication initiated by external hosts to local hosts other than the webserver.
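Examples 3 and 4 (stateless) and the two stateful examples above, replayed in an added Python simulation that is not part of the slides. A rule table is evaluated first match wins, exactly as described under Specifying Packet Filter Rules; the stateful filter consults the rules only for NEW packets and admits replies from its connection table, which expires entries after a timeout. The attacker packets (source port 23 towards an internal port 8080, source port 53 towards UDP port 5000), the client ports and the 30 second timeout are constructed for the demonstration:

```python
"""Stateless vs stateful packet filtering, simulated.

Added example, not from the lecture slides: the Telnet rules of Example 3 and the
DNS rules of Example 4 as a stateless first-match table, then as a stateful filter
whose rules decide only NEW flows and whose connection table admits the replies.
Addresses, ports, forged packets and the timeout are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None                  # wildcard in a rule field
HIGH = range(1024, 65536)   # ">1023": ephemeral client ports

def port(p: int) -> range:
    return range(p, p + 1)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":   # the same flow seen in the reply direction
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[range]
    dport: Optional[range]
    action: str

    def matches(self, p: Packet) -> bool:
        return ((self.proto is ANY or self.proto == p.proto)
                and (self.src is ANY or self.src == p.src)
                and (self.dst is ANY or self.dst == p.dst)
                and (self.sport is ANY or p.sport in self.sport)
                and (self.dport is ANY or p.dport in self.dport))

def first_match(rules, p: Packet) -> str:
    """Linear rule list: the first matching rule decides; nothing matched -> deny."""
    return next((r.action for r in rules if r.matches(p)), "deny")

# Stateless rule set: the reply direction can only be admitted by trusting the
# sender-controlled *source* port (rules 2 and 4).
STATELESS = [
    Rule("tcp", "1.1.1.1", "2.2.2.2", ANY, port(23), "permit"),    # 1: telnet out
    Rule("tcp", "2.2.2.2", "1.1.1.1", port(23), ANY, "permit"),    # 2: telnet replies
    Rule("udp", "10.0.0.5", "1.2.3.4", HIGH, port(53), "permit"),  # 3: DNS query out
    Rule("udp", "1.2.3.4", "10.0.0.5", port(53), HIGH, "permit"),  # 4: DNS replies
    Rule(ANY, ANY, ANY, ANY, ANY, "deny"),                         # 5: default deny
]
# Stateful rule set: only the initiating direction needs a rule; no reply rules.
STATEFUL = [STATELESS[0], STATELESS[2], STATELESS[4]]

class StatefulFilter:
    def __init__(self, rules, ttl: int):
        self.rules, self.ttl = rules, ttl
        self.conns: dict = {}   # initiating 5-tuple -> expiry time

    def decide(self, p: Packet, now: int) -> str:
        self.conns = {k: t for k, t in self.conns.items() if t > now}   # drop stale state
        for k in (p, p.reverse()):             # ESTABLISHED: either direction of a tracked flow
            if k in self.conns:
                self.conns[k] = now + self.ttl  # refresh on activity
                return "permit (established)"
        if first_match(self.rules, p) == "permit":   # NEW: the rules decide, then track it
            self.conns[p] = now + self.ttl
            return "permit (new)"
        return "deny"

# Constructed traffic: genuine replies, and an attacker forging the trusted source port.
TELNET_SYN = Packet("tcp", "1.1.1.1", "2.2.2.2", 40000, 23)
TELNET_REPLY = TELNET_SYN.reverse()
FORGED_TCP = Packet("tcp", "2.2.2.2", "1.1.1.1", 23, 8080)    # src 23 -> internal port 8080
DNS_QUERY = Packet("udp", "10.0.0.5", "1.2.3.4", 50000, 53)
DNS_REPLY = DNS_QUERY.reverse()
FORGED_UDP = Packet("udp", "1.2.3.4", "10.0.0.5", 53, 5000)   # src 53 -> internal port 5000

def run_stateless() -> dict:
    return {name: first_match(STATELESS, p) for name, p in [
        ("telnet_reply", TELNET_REPLY), ("forged_tcp", FORGED_TCP),
        ("dns_reply", DNS_REPLY), ("forged_udp", FORGED_UDP)]}

def run_stateful() -> dict:
    fw = StatefulFilter(STATEFUL, ttl=30)
    return {"telnet_syn": fw.decide(TELNET_SYN, 0),
            "telnet_reply": fw.decide(TELNET_REPLY, 1),
            "forged_tcp": fw.decide(FORGED_TCP, 1),
            "dns_query": fw.decide(DNS_QUERY, 2),
            "dns_reply": fw.decide(DNS_REPLY, 3),
            "forged_udp": fw.decide(FORGED_UDP, 3),
            "dns_reply_after_timeout": fw.decide(DNS_REPLY, 100)}
```

Against the stateless table both forged packets are permitted, because rules 2 and 4 cannot tell a reply from anything else carrying source port 23 or 53. The stateful filter permits the genuine Telnet and DNS replies as established, denies the same forged packets (no tracked flow, and the initiating-direction rules do not match them), and, once the 30 second entry has expired, also denies a late "DNS reply", which is the timeout behaviour discussed under Stateful Firewalls.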


Key Limitation of Packet-level Firewalls (Stateless & Stateful)

• Do not prevent application-specific attacks

▪ No content (payload) inspection
▪ For example, the firewall will not block an attack string that triggers a buffer overflow in a URL decoding routine, and an e-mail attachment that contains a virus can pass through the firewall if SMTP/POP connections are allowed.


Application-level Firewalls

• Evaluates network packets for valid data at the application layer before allowing a
connection (remember the TCP/IP protocol and the different levels in Week 4?).

• The firewall examines the data in all network packets at the application layer and
maintains complete connection state and sequencing information.

• Specialized application software and proxy services are used in application layer
firewalls.

• Proxy services can provide access control, detailed checks for valid data, and generate
audit records about the traffic they transfer because the proxy services are specific to
the protocol that they are designed to forward.


Limitations of Application-level Firewalls

• Obvious: big overhead and slow!!

• Need a separate proxy for each application (FTP, HTTP, ..)
▪ Proxy services are vulnerable to operating system and application level bugs.
▪ The firewall needs to support more libraries such as Win32, Winsock, NDIS, and the standard C library. The security of the firewall server may be affected by problems in these operating system components.


Comparison Table of Stateless, Stateful, and Application-level Firewalls

                    Security   Computational cost
Stateless filter    3          1
Stateful filter     2          2
Application-level   1          4

"1" being the best, "4" being the worst

[Chapter 18] Introduction to Computer Networks and Cybersecurity, J. Irwin, CRC Press.


Two important building blocks of Firewalls

• De-militarized zone (DMZ):

▪ A subnetwork added between an external and an internal network in order to provide an additional layer of security; also called perimeter network. (It separates the internal network from the outside world.)

• Bastion Host:

▪ A computer that must be highly secured because it is more exposed to attack than other hosts on a subnetwork.

▪ A bastion host in a firewall is usually the main point of contact for user processes on internal hosts with processes on external hosts.

▪ Web servers, mail servers, etc. placed in the DMZ are bastion hosts.


DMZ

• DMZs are the best place for your public information.
• Outsiders can obtain the information they need about a company without accessing the internal network.
• The company's confidential and proprietary information should be stored behind your DMZ on your internal network.
• Servers on the DMZ shouldn't contain sensitive trade secrets, source code, or proprietary information.
• A breach of your DMZ servers should at worst create an annoyance in the form of downtime while you recover from the security breach ☺

Firewall Architectures:
The Simple Packet Filter Architecture

• The simplest architecture just consists of a packet filtering router

• It can be either realized with:

▪ A standard workstation (e.g. Linux PC) with at least two network interfaces plus routing and filtering software

▪ A dedicated router device, which usually also offers filtering capabilities


Firewall Architectures:
The Dual-Homed Host Architecture

• The dual-homed host provides:

▪ Proxy services to internal and / or external clients

▪ Potentially additional packet filtering capabilities

• Properties of the dual-homed host:

▪ It has two network interfaces

• Drawback: As all permitted traffic passes through the bastion host, this may introduce a
performance bottleneck


Firewall Architectures:
The Screened Host Architecture

• The packet filter:

▪ Allows permitted IP traffic between screened host and the Internet

▪ Blocks direct traffic between other internal hosts and the Internet

• The screened host provides proxy services:

▪ The screened host acts as a bastion host, being partially protected by the packet filter


Firewall Architectures:
The Screened Subnet Architecture

• A DMZ is created between two packet filters

• The inner packet filter serves for additional protection in case the bastion host is compromised:

▪ It prevents a compromised bastion host from sniffing internal traffic

• The DMZ (i.e., perimeter network) is also a good place to host a publicly accessible information server, e.g. a www-server (used for websites, etc.)

Firewall Summary – What it can do

What firewalls can do:

▪ A firewall is a focus for security decisions

▪ A firewall can enforce a security policy, i.e. concerning access control

▪ A firewall can log Internet activity efficiently

▪ A firewall can block unwanted traffic if the traffic can be characterized,

❑ e.g. with an IP 5-tuple: IP source address, IP destination address, source port number, destination port number, transport protocol

▪ A firewall can limit exposure to security problems in one part of a network


Firewall Summary – What it CANNOT do

What firewalls cannot do:

▪ A firewall can't protect against malicious insiders (remember Wikileaks from Week 3 – Part 1?)

▪ A firewall can't protect against connections that don't go through it (a dial-up connection, or an unauthorized access point in an organization; more about this in the WLAN security lecture)

▪ A firewall can't protect against completely new threats (remember Zero Day?)

▪ A firewall can't fully protect against viruses,

• e.g. if viruses are spread through e-mail, and the e-mail service is allowed through the firewall, which is typically the case

Also, firewalls are costly to operate and need to be configured and constantly maintained. They are easily misconfigured and hard to troubleshoot (order of rules, semantics and configuration vary between implementations, redundant rules, etc.), and network admins are reluctant to make changes for fear of breaking things.

Firewall Summary – one last word

In this lecture we mostly looked at firewalls as blocking incoming traffic. However, it also makes a lot of sense for organizations to impose restrictions on outgoing traffic. For example:

Security
• Prevent people from accessing untrusted services or dangerous content
• Prevent compromised machines from spreading viruses to the Internet, phishing, etc. (egress filtering also makes it harder for malware to reach its command-and-control server)

Cost
• Businesses and other organizations are charged by the megabyte -> block access to P2P, VoIP

Productivity
• How do employees spend their time?

Liability
• Does free Internet access by employees or visitors expose the company to legal risks?

References and Further Reading

[Chapter 18] J. Irwin, Introduction to Computer Networks and Cybersecurity, CRC Press.

Other:

E. Zwicky, S. Cooper, B. Chapman, Building Internet Firewalls, Second Edition, O'Reilly, 2000.

Acknowledgement

Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay Jha (The University of New South Wales, Australia), Dr Nicolas Courtois (University College London, UK), Dr George Danezis (University College London, UK), Dr Michael March (University of Maryland, USA), and Prof. Carle (TUM, Germany).