|
| 1 | +Chapter 7. Firewalls |
| 2 | +==================== |
| 3 | + |
| 4 | +Whereas much of this book has focused on the uses of cryptography to |
| 5 | +provide such security features as authentication and confidentiality, |
| 6 | +there is a whole set of security issues that are not readily addressed |
| 7 | +by cryptographic means. For example, worms, viruses and other malware spread by |
| 8 | +exploiting bugs in operating systems and application programs (and |
| 9 | +sometimes human gullibility as well); no amount of cryptography can |
| 10 | +help you if your machine has unpatched vulnerabilities. So other |
| 11 | +approaches are often used to keep out various forms of potentially |
| 12 | +harmful traffic. Firewalls are one of the most common ways to do this. |
| 13 | + |
| 14 | +7.1 Basic Principles of Firewalls |
| 15 | +----------------------------------- |
| 16 | + |
| 17 | +The historical meaning of a firewall is a barrier to prevent the |
| 18 | +spread of fire from one part of a building to another. Firewalls are also |
| 19 | +present in many automotive vehicles to separate passengers from the |
| 20 | +noisy (and possibly fire-prone) engine compartment. Saltzer and |
| 21 | +Schroeder in 1975 applied the term, possibly for the first time, in |
| 22 | +the context of computer security, when discussing least privilege. |
| 23 | + |
| 24 | +A network firewall is a system that typically sits between two regions |
| 25 | +of a network, as illustrated in :numref:`Figure %s <fig-firewall>`, |
| 26 | +protecting the flow of traffic from one region to another. A common |
| 27 | +location would be a strategic point such as the ingress/egress point |
| 28 | +to an enterprise network or data center. Of course, unlike a physical |
| 29 | +firewall that blocks everything in its path, a network firewall is |
| 30 | +really a sort of packet filter that makes decisions about exactly what |
| 31 | +traffic is allowed to pass through it. |
| 32 | + |
| 33 | +Historically, a firewall has been implemented as an “appliance”: a |
| 34 | +dedicated system with one job, filtering packets. Firewalls have also |
| 35 | +been provided as a set of features available on a router, and a |
| 36 | +“personal firewall” may be implemented on an end-user machine. More |
| 37 | +recently (in the last decade or so), *distributed firewalls* have |
| 38 | +appeared in an effort to apply security policies to a greater amount |
| 39 | +of traffic. We return to this class of firewall later in the chapter. |
| 40 | + |
| 41 | +Firewall-based security depends on the firewall being at some sort of |
| 42 | +choke-point. There should be no way to bypass the firewall via other |
| 43 | +gateways, or alternate paths such as wireless connections or dial-up |
| 44 | +connections. While the job of a firewall is to block potentially harmful traffic |
| 45 | +("fire") for some definition of "harmful", a great deal of traffic passes through a firewall. One |
| 46 | +common setting for a firewall is "default closed": by default it |
| 47 | +blocks traffic unless that traffic is specifically allowed to pass |
| 48 | +through. For example, it might filter out all incoming messages except |
| 49 | +those addressed to a particular set of IP addresses and to particular |
| 50 | +TCP port numbers. Given the complexity of the environments where |
| 51 | +firewalls are used, with perhaps thousands of IP addresses and |
| 52 | +hundreds of applications in use, the configuration of firewalls also |
| 53 | +often becomes complex. |
| 54 | + |
| 55 | +.. _fig-firewall: |
| 56 | +.. figure:: figures/f08-20-9780123850591.png |
| 57 | + :width: 600px |
| 58 | + :align: center |
| 59 | + |
| 60 | + A firewall filters packets flowing between a site and the rest of the |
| 61 | + Internet. |
| 62 | + |
| 63 | +When deployed at an ingress/egress point, a firewall divides a network |
| 64 | +into a more-trusted zone on one side of the firewall (the "inside") |
| 65 | +and a less-trusted zone that is "external" to the firewall. This is |
| 66 | +useful if, for example, you do not want external users to access a particular host |
| 67 | +or service within your site. Much of the complexity comes from the |
| 68 | +fact that you want to allow different kinds of access to different |
| 69 | +external users, ranging from the general public, to business partners, |
| 70 | +to remotely located members of your organization. A firewall may also |
| 71 | +impose restrictions on outgoing traffic to prevent certain attacks and |
| 72 | +to limit losses if an adversary succeeds in getting access inside the |
| 73 | +firewall (or to limit the damage of insider attacks). |
| 74 | + |
| 75 | +The location of a firewall often happens to also be the dividing line |
| 76 | +between globally addressable regions and those that use local |
| 77 | +addresses. Hence, Network Address Translation (NAT) functionality and |
| 78 | +firewall functionality often are found in the same device, even though |
| 79 | +they are logically separate. |
| 80 | + |
| 81 | + |
| 82 | +While the example above suggests a trusted and an untrusted network, |
| 83 | +firewalls are often used to create multiple *zones of trust*, such as a |
| 84 | +hierarchy of increasingly trusted zones. A common arrangement involves |
| 85 | +three zones of trust: the internal network, the *DMZ* (“demilitarized |
| 86 | +zone”); and the rest of the Internet. The DMZ is used to hold services |
| 87 | +such as DNS and email servers that need to be accessible to the outside. |
| 88 | +Both the internal network and the outside world can access the DMZ, but |
| 89 | +hosts in the DMZ cannot access the internal network; therefore, an |
| 90 | +adversary who succeeds in compromising a host in the exposed DMZ still |
| 91 | +cannot access the internal network. The DMZ can be periodically restored |
| 92 | +to a clean state. |
| 93 | + |
| 94 | +Firewalls filter traffic based on information that can be found in the |
| 95 | +packets passing through them. This is likely to include such fields as |
| 96 | +IP addresses, the TCP or UDP port numbers, and so on. They are |
| 97 | +configured with a table of values in these fields that characterize |
| 98 | +the packets they will, and will not, forward. Generally, each entry |
| 99 | +in the table is a 4-tuple or 5-tuple: It gives the IP address and TCP (or UDP) |
| 100 | +port number for both the source and destination (four fields), and it |
| 101 | +may also include the specific value of the layer 4 protocol (TCP, UDP, etc.). |
| 102 | + |
| 103 | +For example, a firewall might be configured to filter out (not forward) |
| 104 | +all packets that match the following description: |
| 105 | + |
| 106 | +.. code:: c |
| 107 | +
|
| 108 | + (198.51.100.14, 1234, 192.0.2.11, 80, TCP) |
| 109 | +
|
| 110 | +This pattern says to discard all TCP packets from port 1234 on host |
| 111 | +198.51.100.14 addressed to port 80 on host 192.0.2.11. (Port 80 is the |
| 112 | +well-known TCP port for HTTP.) Of course, it’s often not practical to |
| 113 | +name every source host whose packets you want to filter, so the patterns |
| 114 | +can include wildcards. For example, |
| 115 | + |
| 116 | +.. code:: c |
| 117 | +
|
| 118 | + (*, *, 192.0.2.11, 80, TCP) |
| 119 | +
|
| 120 | +says to filter out all packets addressed to port 80 on 192.0.2.11, |
| 121 | +regardless of what source host or port sent the packet. Notice that |
| 122 | +address patterns like these require the firewall to make |
| 123 | +forwarding/filtering decisions based on level 4 port numbers, in |
| 124 | +addition to level 3 host addresses. For this reason, network |
| 125 | +layer firewalls are sometimes called *level 4 switches*. |
| 126 | + |
| 127 | +Linux has a firewall feature called ``ufw`` (uncomplicated firewall) |
| 128 | +that can apply firewall rules on a host. We can implement the policy |
| 129 | +described above with the following command: |
| 130 | + |
| 131 | +.. code:: c |
| 132 | +
|
| 133 | + $ sudo ufw deny to 192.0.2.11 port 80 |
| 134 | + rule added |
| 135 | + $ |
| 136 | +
|
| 137 | +Then we can check that our rule was applied correctly: |
| 138 | + |
| 139 | +.. code:: c |
| 140 | +
|
| 141 | + $ sudo ufw status |
| 142 | + Status: active |
| 143 | +
|
| 144 | + To Action From |
| 145 | + -- ------ ---- |
| 146 | + 192.0.2.11 80 DENY Anywhere |
| 147 | +
|
| 148 | + $ |
| 149 | +
|
| 150 | +In the preceding discussion, the firewall forwards everything except |
| 151 | +where specifically instructed to filter out certain kinds of packets. A |
| 152 | +firewall could also filter out everything unless explicitly instructed |
| 153 | +to forward it, or use a mix of the two strategies. For example, instead |
| 154 | +of blocking access to port 80 on host 192.0.2.11, the firewall might be |
| 155 | +instructed block everything except access to port 25 (the SMTP mail port) on a |
| 156 | +particular mail server, such as |
| 157 | + |
| 158 | +.. code:: c |
| 159 | +
|
| 160 | + (*, *, 198.51.100.9, 25) |
| 161 | +
|
| 162 | +We can specify this behavior with ufw: |
| 163 | + |
| 164 | +.. code:: |
| 165 | +
|
| 166 | + $ sudo ufw default deny incoming |
| 167 | + Default incoming policy changed to 'deny' |
| 168 | + (be sure to update your rules accordingly) |
| 169 | + $ sudo ufw allow to 198.51.100.9 port 25 |
| 170 | + rule added |
| 171 | + $ sudo ufw status |
| 172 | + Status: active |
| 173 | +
|
| 174 | + To Action From |
| 175 | + -- ------ ---- |
| 176 | + 198.51.100.9 25 ALLOW Anywhere |
| 177 | +
|
| 178 | +Experience has shown that firewalls are very frequently configured |
| 179 | +incorrectly, allowing unsafe access, or breaking applications that |
| 180 | +need access. Part of the problem is that filtering rules can overlap |
| 181 | +in complex ways, making it hard for a system administrator to |
| 182 | +correctly express the intended filtering. A design principle that we |
| 183 | +discussed in Chapter 2 comes into play here: fail-safe defaults. The |
| 184 | +application of that principle to firewalls says they should, by |
| 185 | +default, discard all packets other than those that are explicitly |
| 186 | +allowed. Of course, this means that some valid applications might be |
| 187 | +accidentally disabled; the typical approach is that users of those |
| 188 | +applications eventually notice the breakage and ask the system |
| 189 | +administrator to make the appropriate change. |
| 190 | + |
| 191 | +Many client/server applications dynamically assign a port to the client. |
| 192 | +If a client inside a firewall initiates access to an external server, |
| 193 | +the server’s response would be addressed to the dynamically assigned |
| 194 | +port. This poses a problem: how can a firewall be configured to allow an |
| 195 | +arbitrary server’s response packet but disallow a similar packet for |
| 196 | +which there was no client request? This is not possible with a |
| 197 | +*stateless firewall*, which evaluates each packet in isolation. It |
| 198 | +requires a *stateful firewall*, which keeps track of the state of each |
| 199 | +connection. An incoming packet addressed to a dynamically assigned port |
| 200 | +would then be allowed only if it is a valid response in the current |
| 201 | +state of a connection on that port. |
| 202 | + |
| 203 | +Modern firewalls also understand and filter based on many specific |
| 204 | +application-level protocols such as HTTP or FTP. They use |
| 205 | +information specific to that protocol, such as URLs in the case of HTTP, |
| 206 | +to decide whether to discard a message. When firewalls are able to |
| 207 | +inspect payloads that are inside the TCP header (for example, to parse |
| 208 | +an HTTP request), this is referred to as *deep packet inspection* |
| 209 | +(DPI). Interestingly, there is a problem with any sort of DPI once you |
| 210 | +start encrypting packets end-to-end, as with TLS. We return to this |
| 211 | +issue below. |
| 212 | + |
| 213 | +6.2 Strengths and Weaknesses of Firewalls |
| 214 | +----------------------------------------- |
| 215 | + |
| 216 | +At best, a firewall protects a network from undesired access from the |
| 217 | +rest of the Internet; it cannot provide security to legitimate |
| 218 | +communication between the inside and the outside of the firewall. In |
| 219 | +contrast, the cryptography-based security mechanisms described in this |
| 220 | +chapter are capable of providing secure communication between any |
| 221 | +participants anywhere. This being the case, why are firewalls so common? |
| 222 | +One reason is that firewalls can be deployed unilaterally (by a |
| 223 | +network adminstrator, for example), using individual |
| 224 | +commercial products, while cryptography-based security requires support |
| 225 | +at both endpoints of the communication. A more fundamental reason for |
| 226 | +the dominance of firewalls is that they encapsulate security in a |
| 227 | +centralized place, in effect factoring security out of the rest of the |
| 228 | +network. A system administrator can manage the firewall to provide |
| 229 | +security, freeing the users and applications inside the firewall from |
| 230 | +security concerns—at least some kinds of security concerns. And as |
| 231 | +noted at the start of the chapter, encryption and authentication offer |
| 232 | +limited protection against exploitation of bugs in the operating |
| 233 | +systems of hosts. |
| 234 | + |
| 235 | +Unfortunately, firewalls have serious limitations. Since a firewall does |
| 236 | +not restrict communication between hosts that are on the same side of the firewall, |
| 237 | +the adversary who does manage to gain access to one host at a site |
| 238 | +potentially has access to |
| 239 | +all local hosts. How might an adversary gain access inside the firewall? The |
| 240 | +adversary could be a disgruntled employee with legitimate access, or the |
| 241 | +adversary’s software could be hidden in some software installed from a |
| 242 | +USB drive or downloaded from the Web. It might be possible to bypass the |
| 243 | +firewall by using a VPN—this has proven to be a common form of attack |
| 244 | +in recent years. |
| 245 | + |
| 246 | +A related problem is that any parties granted access through your |
| 247 | +firewall, such as business partners or externally located employees, |
| 248 | +become a security vulnerability. If their security is not as good as |
| 249 | +yours, then an adversary could penetrate your security by penetrating |
| 250 | +their security. |
| 251 | + |
| 252 | + |
| 253 | +While part of the motivation for firewalls is to protect machines that |
| 254 | +may have vulnerabilities from attack, their ability to do so is |
| 255 | +limited. If, for example, an attacker is able to gain access to a |
| 256 | +machine inside the firewall via one of the methods mentioned above, |
| 257 | +they may then be able to connect to another machine inside the |
| 258 | +firewall that contains an unpatched vulnerability, even though that |
| 259 | +machine itself is not directly accessible through the firewall. |
| 260 | +System administrators are expected to monitor for new vulnerabilities |
| 261 | +and patch them, but there is always a chance the vulnerabilities |
| 262 | +appear faster than then can be remediated. While staying up to date |
| 263 | +with patches is a best practice, it is certainly not one that is |
| 264 | +followed uniformly. |
| 265 | + |
| 266 | +In Chapter 1 we discussed the threat posed by viruses, worms, and the |
| 267 | +general catergory of malware. While firewalls aim to stop the spread |
| 268 | +of malware, it can be a difficult task, since many operations that the |
| 269 | +firewall needs to permit, such as web browsing or email delivery, can |
| 270 | +also be used for the delivery of malware. |
| 271 | + |
| 272 | +One approach that is used to detect malware is to search for segments of |
| 273 | +code from known malware, sometimes called a *signature*. This approach |
| 274 | +has its own challenges, as cleverly designed malware can tweak its |
| 275 | +representation in various ways. There is also a potential impact on |
| 276 | +network performance to perform such detailed inspection of data entering |
| 277 | +a network. |
| 278 | + |
| 279 | +Some of the limitations of firewalls are related to the assumption |
| 280 | +that all traffic has to be funneled through a single appliance (or a |
| 281 | +small number of them). This leads to challenges both in performance, |
| 282 | +since so much traffic passes through a single choke point, and in |
| 283 | +effectiveness, since there can be plenty of traffic within an |
| 284 | +enterprise or a data center that has no need to pass through such a |
| 285 | +choke point. These limitations have led to the development of |
| 286 | +*distributed firewalls*, which we discuss in the following section. |
| 287 | + |
| 288 | +6.3 Distributed Firewalls |
| 289 | +------------------------- |
| 290 | + |
| 291 | +A conventional firewall is implemented as a *choke point:* the network |
| 292 | +is set up in such a way that traffic must pass through the firewall to |
| 293 | +get from one part of the network to another. It is common to talk |
| 294 | +about devices as being "inside" or "outside" the firewall based on |
| 295 | +which side of that choke point they sit on. There are two implications |
| 296 | +of such an approach. One is that any devices that sit on the same side |
| 297 | +of the firewall are free to communicate with each other uninterrupted |
| 298 | +by the firewall. The second is that there must be an impenetrable |
| 299 | +barrier around the devices that are "inside" the firewall, with the |
| 300 | +firewall being the only way to get through that barrier. This seems |
| 301 | +appealing if you are trying to secure, say, the machines inside a |
| 302 | +single building, with only one connection to the outside world, but it |
| 303 | +becomes a lot less attractive if we are talking about securing all the |
| 304 | +machines in a complex enterprise spread across many sites. Even in |
| 305 | +simple cases, people find ways around a firewall. Once upon a time you |
| 306 | +might have to worry about an unsanctioned dial-up connection bypassing |
| 307 | +a firewall, while wireless networks and users at the ends of VPN |
| 308 | +tunnels are a bigger issue in contemporary settings. In any case, the |
| 309 | +concept of an impenetrable perimeter can be very difficult to sustain |
| 310 | +in practice. |
| 311 | + |
| 312 | +The fact that a perimeter firewall does not filter traffic between |
| 313 | +machines on the same side of the firewall has enabled a set of attacks |
| 314 | +that make use of *lateral movement*. The core idea is that an attacker |
| 315 | +obtains a foothold in one system *inside* the firewall and then uses |
| 316 | +that as a base of operations to move around to the ultimate |
| 317 | +target. The intial system that the attacker breaches may not be particularly |
| 318 | +important. Perhaps he gains access via a phishing attack or by leveraging a |
| 319 | +vulnerability in the OS. But at this point the firewall is of no use, |
| 320 | +and the attacker can start trying to find ways to move from one system |
| 321 | +to another inside the firewall, until eventually he has access to a |
| 322 | +machine of interest, such as one holding sensitive data. These types |
| 323 | +of lateral movement attacks are extremely common and have been well |
| 324 | +documented, often lasting for months before they are detected. |
| 325 | + |
| 326 | +The obvious solution to problems of lateral movement would seem to be |
| 327 | +internal firewalls. |
| 328 | + |
| 329 | + |
| 330 | + |
| 331 | +.. _fig-dc-firewall: |
| 332 | +.. figure:: figures/Slide47.png |
| 333 | + :width: 600px |
| 334 | + :align: center |
| 335 | + |
| 336 | + A single firewall in a virtualized datacenter. |
| 337 | + |
| 338 | + |
| 339 | + |
| 340 | +.. _fig-dist-firewall: |
| 341 | +.. figure:: figures/Slide48.png |
| 342 | + :width: 600px |
| 343 | + :align: center |
| 344 | + |
| 345 | + A distributed firewall is implemented as part of the virtual |
| 346 | + switch in every host in a datacenter. |
| 347 | + |
| 348 | + |
| 349 | + |
| 350 | + |
| 351 | + |
| 352 | +6.5 Other Security Appliances |
| 353 | +------------------------------ |
| 354 | + |
| 355 | +Related to firewalls are systems known as *intrusion detection systems* |
| 356 | +(IDS) and *intrusion prevention systems* (IPS). These systems try to |
| 357 | +look for anomalous activity, such as an unusually large amount of |
| 358 | +traffic targeting a given host or port number, for example, and generate |
| 359 | +alarms for network managers or perhaps even take direct action to limit |
| 360 | +a possible attack. While there are commercial products in this space |
| 361 | +today, it is still a developing field. |
0 commit comments