Stateful Firewalls
Hank and Foo
Types of firewalls
- Packet filter (stateless)
- Proxy firewalls
- Stateful inspection
- Deep packet inspection
Packet filter (Access Control Lists)
- Treats each packet in isolation
- Operates at the network layer (layer 3) of the OSI model
- Filters based on header information in the packet (e.g. src/dst IP address, port)
- Advantages: speed, application independence, scalability
- Easy to trick: spoofing, fragmenting, etc.
Proxy firewalls
- The client doesn't actually communicate directly with the server
- The proxy receives the request from the client, makes a request to the server and returns the information to the client
- It can filter the request from the client and filter the information returned to the client
- Considered an application layer filter
- Slower than a packet filter, but more secure
- Another disadvantage: application specific
Stateful inspection
- Deals with the state of connections
- State here is vaguely defined as "the condition of the connection", which varies greatly depending on the application/protocol used
- Stores the states of legitimate connections in a state table (state information is usually stored as a hash to make matching faster)
- Filters packets by matching them to valid states in the state table
- Usually takes more time during setup of a new connection (application layer inspection is usually performed only at setup) than afterwards
Possible state information
- Src/dst IP address, ports
- Protocol, flags, sequence and acknowledgement numbers
- ICMP code and type numbers
- Secondary connection information communicated in application layer headers
- Application layer specific command sequences (GET, PUT, OPTIONS, etc.)
How it works
- Spends most of the time examining packet information in the transport layer (layer 4) and lower
- Can examine application layer information (layer 7), usually during new connection setup
- If a new packet is permitted based on the firewall rules/security policy, a new entry is added to the state table
- After the new connection is set up, later packets match an entry in the state table, so there is no need for application layer inspection
Advantages
- More secure than basic packet filtering
- Faster than proxy firewalls
- Performs application layer filtering to a certain degree (e.g. FTP session)
  - E.g. iptables classifies each packet as either NEW, ESTABLISHED, RELATED or INVALID
  - For the FTP protocol, a control connection is established first
  - When data is transferred, a separate connection is established, and iptables will knowingly classify its first packet as RELATED instead of NEW
Disadvantages
- Possibly less secure than proxy firewalls (does not perform true content filtering)
  1. Abbreviated application-level inspection (e.g. application-level inspection of the initializing packet only allows for malicious application-level behaviour in subsequent packets)
  2. Lacks full application support (e.g. monitors an FTP session for the PORT command, but lets other non-FTP traffic pass through the FTP port)
- Slower than basic packet filtering
- Vulnerable to new attacks (e.g. SYN flood: overflows the state table so no new connection can be made)
TCP
- Connection-oriented protocol
  1. Beginning/end of a session is well defined
  2. State of connections tracked with flags
- Therefore considered a stateful protocol
- The connection can be in 1 of 11 states, as defined in RFC 793
Establishing TCP connection
(Figure obtained from Inside Network Perimeter Security: Stateful Firewalls)
Tearing down TCP connection
(Figure obtained from Inside Network Perimeter Security: Stateful Firewalls)
(Figure obtained from Inside Network Perimeter Security: Stateful Firewalls)
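A firewall sitting between the two hosts cannot see either socket, so it has to infer the connection state from the flags and the direction of each packet. The sketch below is an added example for these notes (not taken from the book figures above or from any firewall's code); it follows a simplified version of the transitions netfilter's TCP tracking uses, with conntrack's state names, and the per-state timeouts are constructed illustration values in the spirit of "short while half-open, long once established".

```python
"""Firewall-side TCP state tracking from flags and packet direction, modelled
loosely on netfilter's TCP conntrack states. Added example for these notes (not
the book's figures or the kernel code); the timeout values are constructed."""

ORIG, REPLY = "orig", "reply"   # direction relative to the packet that opened the connection

# Seconds an entry may sit in each state before it is dropped from the state
# table (constructed values): short while half-open, long once established.
TIMEOUTS = {"SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 432000, "FIN_WAIT": 120,
            "CLOSE_WAIT": 60, "LAST_ACK": 30, "TIME_WAIT": 120, "CLOSE": 10}


def next_state(state, direction, flags):
    """Return the state after a packet, or None if the packet fits no transition (INVALID)."""
    f = frozenset(flags)
    if "RST" in f and state != "NONE":
        return "CLOSE"
    if state == "NONE":                        # only an originator's SYN opens an entry
        return "SYN_SENT" if direction == ORIG and f == {"SYN"} else None
    if state == "SYN_SENT":
        if direction == REPLY and f == {"SYN", "ACK"}:
            return "SYN_RECV"
        return "SYN_SENT" if direction == ORIG and f == {"SYN"} else None   # retransmitted SYN
    if state == "SYN_RECV":
        return "ESTABLISHED" if direction == ORIG and "ACK" in f else None
    if state == "ESTABLISHED":
        if "FIN" in f:
            return "FIN_WAIT"                  # first FIN, from either side
        return "ESTABLISHED" if "ACK" in f else None
    if state == "FIN_WAIT":
        if "FIN" in f:
            return "LAST_ACK"                  # both sides have now sent FIN
        return "CLOSE_WAIT" if "ACK" in f else None
    if state == "CLOSE_WAIT":
        if "FIN" in f:
            return "LAST_ACK"
        return "CLOSE_WAIT" if "ACK" in f else None
    if state == "LAST_ACK":
        return "TIME_WAIT" if "ACK" in f else None
    if state == "TIME_WAIT":
        return "TIME_WAIT" if "ACK" in f else None
    return None                                # CLOSE: nothing more is expected


def track(packets):
    """Run (direction, flags) pairs through the machine. Returns the state after each
    packet; an INVALID packet is recorded as such and leaves the state unchanged."""
    state, trace = "NONE", []
    for direction, flags in packets:
        new = next_state(state, direction, flags)
        if new is None:
            trace.append("INVALID")
        else:
            state = new
            trace.append(state)
    return trace


# Constructed packet sequences: three-way handshake and four-packet teardown.
HANDSHAKE = [(ORIG, {"SYN"}), (REPLY, {"SYN", "ACK"}), (ORIG, {"ACK"})]
TEARDOWN = [(ORIG, {"FIN", "ACK"}), (REPLY, {"ACK"}), (REPLY, {"FIN", "ACK"}), (ORIG, {"ACK"})]


def demo():
    return {
        "normal": track(HANDSHAKE + [(ORIG, {"PSH", "ACK"})] + TEARDOWN),
        "stray_ack": track([(REPLY, {"ACK"})]),      # no entry, no SYN: INVALID
        "reset": track(HANDSHAKE + [(REPLY, {"RST"})]),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(name, "->", " ".join(trace))
```

The "stray_ack" case is the reason a stateful firewall is harder to trick than a plain packet filter: an ACK that belongs to no tracked handshake never reaches the ESTABLISHED rule, whatever its ports say.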
UDP
- Connectionless transport protocol; has no defined state
- Pseudo-stateful tracking
  - UDP has no sequence numbers or flags, so IP addresses and port numbers are used
  - Ephemeral ports are somewhat random and differ for different connections from the same IP
  - No set method for connection teardown, so a timeout value is used to remove entries from the state table
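The classification from the "How it works" and "Advantages" slides (NEW, ESTABLISHED, RELATED, INVALID), the FTP PORT expectation, the state-table overflow from "Disadvantages" and the UDP timeout behaviour above can be put together in one small simulation. This is an added example for these notes, not netfilter's code: the timeouts, the tiny table limit, the DNS host and the 10.0.0.x hosts are constructed; the client/server pair and port 1054 are the ones from the sample state table entry later in these slides.

```python
"""Toy connection tracker in the spirit of netfilter/iptables conntrack as the
slides describe it: the first packet of a flow is NEW, packets matching a state
table entry are ESTABLISHED, packets matching an expectation set up by an FTP
PORT command are RELATED, and mid-stream TCP packets with no entry are INVALID.
Added example for these notes; timeouts, table size and extra hosts are constructed."""
from dataclasses import dataclass

TIMEOUT_UNREPLIED = 120     # seconds an entry lives before a reply is seen (constructed)
TIMEOUT_ASSURED = 432000    # once both directions have been seen (constructed, much larger)
TIMEOUT_UDP = 30            # UDP has no teardown, so its pseudo-state expires by timer
MAX_ENTRIES = 3             # deliberately tiny to show what a full state table does


@dataclass
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    t: float = 0.0                    # arrival time, seconds
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}
    payload: str = ""                 # application data (only FTP PORT is inspected)


@dataclass
class Entry:
    orig: tuple                       # 5-tuple of the packet that created the entry
    expires: float
    assured: bool = False             # True once reply traffic has been seen


def reverse(key):
    proto, src, dst, sport, dport = key
    return (proto, dst, src, dport, sport)


class ConnTracker:
    def __init__(self):
        self.table = {}      # 5-tuple (either direction) -> Entry
        self.expect = set()  # (proto, src, dst, dport) of flows announced at layer 7

    def _expire(self, now):
        for key, e in list(self.table.items()):
            if e.expires <= now:
                del self.table[key]

    def _add(self, key, now, timeout):
        e = Entry(orig=key, expires=now + timeout)
        self.table[key] = e
        self.table[reverse(key)] = e   # reversed tuple represents the response traffic

    def _inspect_ftp(self, pkt):
        # Application-layer inspection on the FTP control channel: "PORT h1,h2,h3,h4,p1,p2"
        # tells the server where to open the data connection, so expect that flow.
        if pkt.proto == "tcp" and pkt.dport == 21 and pkt.payload.startswith("PORT "):
            f = pkt.payload[5:].strip().split(",")
            host, port = ".".join(f[:4]), int(f[4]) * 256 + int(f[5])
            self.expect.add(("tcp", pkt.dst, host, port))

    def classify(self, pkt):
        now = pkt.t
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        e = self.table.get(key)
        if e is not None:                          # known flow, either direction
            if key != e.orig:
                e.assured = True
            e.expires = now + (TIMEOUT_UDP if pkt.proto == "udp" else
                               TIMEOUT_ASSURED if e.assured else TIMEOUT_UNREPLIED)
            self._inspect_ftp(pkt)
            return "ESTABLISHED"
        if pkt.proto == "tcp" and "SYN" not in pkt.flags:
            return "INVALID"                       # mid-stream TCP packet with no state
        if len(self.table) >= 2 * MAX_ENTRIES:     # two keys per entry
            return "DROP:table-full"               # where a SYN flood leaves the tracker
        exp = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if exp in self.expect:
            self.expect.discard(exp)
            self._add(key, now, TIMEOUT_UNREPLIED)
            return "RELATED"
        self._add(key, now, TIMEOUT_UNREPLIED if pkt.proto == "tcp" else TIMEOUT_UDP)
        return "NEW"


def demo_sessions():
    """An active-mode FTP session, a stray ACK and a short-lived UDP exchange (constructed)."""
    ct = ConnTracker()
    C, S, D = "192.168.1.34", "172.16.2.23", "172.16.2.53"   # client, FTP server, DNS server
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        ct.classify(Packet("tcp", C, S, 1054, 21, 0, syn)),                           # NEW
        ct.classify(Packet("tcp", S, C, 21, 1054, 1, synack)),                        # ESTABLISHED (reply)
        ct.classify(Packet("tcp", C, S, 1054, 21, 2, ack, "PORT 192,168,1,34,4,2")),  # ESTABLISHED, sets expectation
        ct.classify(Packet("tcp", S, C, 20, 1026, 3, syn)),                           # RELATED (4*256+2 = 1026)
        ct.classify(Packet("tcp", "10.0.0.9", C, 4444, 1026, 4, ack)),                # INVALID
        ct.classify(Packet("udp", C, D, 5353, 53, 5)),                                # NEW
        ct.classify(Packet("udp", D, C, 53, 5353, 6)),                                # ESTABLISHED
        ct.classify(Packet("udp", C, D, 5353, 53, 100)),                              # NEW again: UDP entry timed out
    ]


def demo_half_open():
    """Half-open SYNs fill the tiny table; once their short timeout passes there is room again."""
    ct = ConnTracker()
    out = [ct.classify(Packet("tcp", f"10.0.0.{i + 1}", "172.16.2.23", 40000 + i, 80, i, frozenset({"SYN"})))
           for i in range(MAX_ENTRIES + 1)]
    out.append(ct.classify(Packet("tcp", "10.0.0.99", "172.16.2.23", 40099, 80, 200, frozenset({"SYN"}))))
    return out


if __name__ == "__main__":
    print(demo_sessions())
    print(demo_half_open())
```

Two things the run makes visible: the data connection is accepted only because the PORT command on the control channel was inspected (without `_inspect_ftp` its SYN would be a plain NEW, which the inbound rule later in these slides would not accept), and the short unreplied timeout is what lets the table recover after a burst of half-open entries.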
UDP
- Cannot correct communication issues by itself; relies entirely on ICMP for error handling
- Therefore ICMP is also important when tracking UDP states
- E.g. host 2 may send an ICMP source quench message to host 1 to slow down transmission; the firewall must know that this ICMP message is related to the UDP session
ICMP
- Like UDP, not a stateful protocol
- ICMP is sometimes used in a request/reply format (e.g. ping echo request, echo reply); this can be tracked
- For one-way ICMP messages (like error messages) that are precipitated by messages from other protocols, it is more difficult
HTTP
- HTTP uses TCP in a simple manner, so it is easy to track the state
- Can also track application-level commands like GET
FTP
- Uses the TCP protocol in a nonstandard way
- A stateful firewall with no knowledge of FTP will not pass FTP traffic, because the control and data connections are separate TCP sessions
FTP
The port number used by the server initializing the data channel is actually sent to it in an FTP PORT command from the client, which is why application-level inspection is needed here.
(Figure obtained from Inside Network Perimeter Security: Stateful Firewalls)
Examples of stateful firewalls
- Check Point Firewall-1 – Check Point Software Technologies Ltd (they coined the term stateful inspection and patented it)
- Cisco PIX – Cisco Systems Inc
- iptables (and netfilter) – included in all modern Linux distributions
Stateful inspection is implemented differently by different vendors.
iptables
- Admins create rules specifying what protocols or specific traffic types should be tracked
- A basic state table entry contains:
  - The protocol being used for the connection
  - The source and destination IP addresses
  - The source and destination ports
  - A listing with source and destination IP addresses and ports reversed (to represent response traffic)
  - The time remaining before the rule is removed
  - The TCP state of the connection (for TCP only)
  - The connection-tracking state of the connection
Sample state table entry

  tcp 6 93 SYN_SENT src 192.168.1.34 dst 172.16.2.23 sport 1054 dport 21 [UNREPLIED] src 172.16.2.23 dst 192.168.1.34 sport 21 dport 1054 use 1

  [protocol name] [protocol number] [timeout] [state] [src ip] [dst ip] [src port] [dst port] (initial connection tagged UNREPLIED) [return src ip] [return dst ip]

  tcp 6 41294 ESTABLISHED src 192.168.1.34 dst 172.16.2.23 sport 1054 dport 21 src 172.16.2.23 dst 192.168.1.34 sport 21 dport 1054 [ASSURED] use 1

- After the connection is established, the timeout is increased greatly
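The two entries above are in the layout of the kernel's `/proc/net/ip_conntrack` listing. A small parser for that layout is a convenient way to audit a state table (how many entries are still unreplied, whether the reply tuple really is the reverse of the original). The following is an added example for these notes, not part of iptables or the slides; the sample lines are the slides' two entries retyped, one in the `src 1.2.3.4` form shown above and one in the `src=1.2.3.4` form the kernel prints, and the parser accepts both.

```python
"""Parser for state table entries in the layout the slides show (that of
/proc/net/ip_conntrack). Added example for these notes; the sample lines are the
slides' entries retyped, one with 'src 1.2.3.4' spacing and one with 'src=1.2.3.4'."""
import re

SAMPLE_ENTRIES = [
    "tcp 6 93 SYN_SENT src 192.168.1.34 dst 172.16.2.23 sport 1054 dport 21 "
    "[UNREPLIED] src 172.16.2.23 dst 192.168.1.34 sport 21 dport 1054 use 1",
    "tcp 6 41294 ESTABLISHED src=192.168.1.34 dst=172.16.2.23 sport=1054 dport=21 "
    "src=172.16.2.23 dst=192.168.1.34 sport=21 dport=1054 [ASSURED] use=1",
]
KEYS = ("src", "dst", "sport", "dport", "use")


def parse_entry(line):
    """Split one entry into protocol, timeout, optional TCP state, orig/reply tuples, flags."""
    # Normalise 'src 1.2.3.4' to 'src=1.2.3.4' so both spellings tokenise the same way.
    line = re.sub(r"\b(%s) +(?=\S)" % "|".join(KEYS), r"\1=", line)
    tokens = line.split()
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]), "timeout": int(tokens[2]),
             "state": None, "orig": {}, "reply": {}, "flags": [], "use": None}
    side = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])              # UNREPLIED / ASSURED
        elif "=" in tok:
            k, v = tok.split("=", 1)
            if k == "use":
                entry["use"] = int(v)
            else:
                if k == "src" and side == "orig" and entry["orig"]:
                    side = "reply"                        # second src= starts the reply tuple
                entry[side][k] = int(v) if k.endswith("port") else v
        else:
            entry["state"] = tok                          # TCP state; absent for UDP/ICMP
    return entry


def reply_is_reverse(entry):
    """The reply tuple must be the original tuple with addresses and ports swapped."""
    o, r = entry["orig"], entry["reply"]
    return (r.get("src"), r.get("dst"), r.get("sport"), r.get("dport")) == \
           (o.get("dst"), o.get("src"), o.get("dport"), o.get("sport"))


def summarise(entry):
    """One-line view: who talks to whom, tracked state, whether a reply was ever seen."""
    o = entry["orig"]
    phase = ("unreplied" if "UNREPLIED" in entry["flags"]
             else "assured" if "ASSURED" in entry["flags"] else "replied")
    return (f"{entry['proto']} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} "
            f"{entry['state'] or '-'} {phase} timeout={entry['timeout']}s")


def count_unreplied(lines):
    """Half-open entries: a sudden rise in this number is what a flooded state table looks like."""
    return sum("UNREPLIED" in parse_entry(l)["flags"] for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_ENTRIES:
        print(summarise(parse_entry(line)))
    print("unreplied entries:", count_unreplied(SAMPLE_ENTRIES))
```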
Basic rules

  iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

  - -A: append to existing rules
  - OUTPUT: for output traffic
  - -p tcp: for the TCP protocol
  - -m state: use the state module
  - --state NEW,ESTABLISHED: match packets whose connection-tracking state is NEW or ESTABLISHED
  - -j ACCEPT: parameter to accept such traffic
- All NEW and ESTABLISHED traffic is allowed out, which means no outbound traffic is disallowed by this rule
Basic rules

  iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

- Only return traffic is allowed into the network
- For UDP, just change the previous rules to "-p udp"
- Same for ICMP (-p icmp), but also add RELATED
- New modules can be added when new protocols are used
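To see how the rules on these two slides combine with a chain's default policy, here is an added example for these notes (not iptables itself): it parses the subset of the command syntax the slides use and evaluates a chain first-match. The packet's connection-tracking state is supplied as input, as conntrack would supply it, and the DROP policies on INPUT and OUTPUT are an assumption made so that only listed traffic passes.

```python
"""Minimal model of the iptables rules on the slides: a parser for the subset of
the command-line syntax they use and a first-match chain evaluator with a default
policy. Added example for these notes, not iptables; the packet's connection-
tracking state is given as input and the chain policies are assumed to be DROP."""
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    chain: str
    proto: Optional[str]       # None matches any protocol
    states: frozenset          # empty means no -m state match on this rule
    target: str


def parse_rule(cmd):
    """Parse 'iptables -A CHAIN [-p proto] [-m state --state A,B] -j TARGET'."""
    args = shlex.split(cmd)
    if args[0] != "iptables":
        raise ValueError("expected an iptables command")
    chain = proto = target = None
    states = frozenset()
    it = iter(args[1:])
    for a in it:
        if a == "-A":
            chain = next(it)
        elif a == "-p":
            proto = next(it)
        elif a == "-m":
            if next(it) != "state":
                raise ValueError("only the state module is modelled")
        elif a == "--state":
            states = frozenset(next(it).split(","))
        elif a == "-j":
            target = next(it)
        else:
            raise ValueError(f"unsupported option {a}")
    if chain is None or target is None:
        raise ValueError("rule needs -A and -j")
    return Rule(chain, proto, states, target)


POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # assumption: default DROP on both chains


def evaluate(rules, chain, proto, ctstate):
    """Walk the chain in order; the first matching rule decides, else the chain policy applies."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.states and ctstate not in r.states:
            continue
        return r.target
    return POLICY[chain]


RULESET = [parse_rule(c) for c in [
    "iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT",         # from the slides
    "iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT",              # from the slides
    "iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT",         # slides: same with -p udp
    "iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",  # slides: ICMP adds RELATED
    "iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT",
]]


if __name__ == "__main__":
    for chain, proto, st in [("OUTPUT", "tcp", "NEW"), ("INPUT", "tcp", "NEW"),
                             ("INPUT", "tcp", "ESTABLISHED"), ("INPUT", "icmp", "RELATED"),
                             ("INPUT", "tcp", "INVALID")]:
        print(chain, proto, st, "->", evaluate(RULESET, chain, proto, st))
```

The evaluator shows the asymmetry the slides describe: an outbound NEW flow is accepted, the same flow's replies are accepted inbound as ESTABLISHED, but an inbound NEW or INVALID packet reaches the end of INPUT and takes the policy. It also shows the gap in the UDP rules as written on the slide: an ICMP error that conntrack ties to a UDP session arrives as RELATED and is accepted by the ICMP rule, but a RELATED UDP packet itself would not be.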
Deep packet inspection
- Basically stateful inspection but with visibility into the application layer
- Not only keeps track of connection information, but looks at the data too (i.e. content filtering)
- Simply a stateful firewall with limited IDS capabilities built in (NOTHING NOVEL)
Firewall clustering for scalability
Two general ways to use multiple firewalls:
1. Single shared state table, possibly with a dedicated and fast communication channel between firewalls
2. Guarantee packets from the same connection reach the same firewall (using load balancers)
References
- http://dmiessler.com/study/firewalls
- http://www.wikipedia.org
- Sample chapter from the book Inside Network Perimeter Security: Stateful Firewalls (p 373431&seqNum 1)
Packet filtering/classification
Given a packet P with k fields and N rules, find the rules that P matches.
There are many different ways to do this; one way is through bit vectors.
Presented here is the Aggregated Bit Vector scheme, which builds on the Lucent Bit Vector scheme, which takes Nk/w memory accesses, where w is the size of a word in memory.
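The slide names the two schemes but not the mechanism, so here is an added example for these notes (not the paper's implementation) showing both for k = 2 fields. Each field gets a table mapping a rule prefix to an N-bit vector of the rules that match everything under that prefix; the Lucent scheme looks up the longest matching prefix per field and ANDs the k vectors word by word, costing k·N/w word reads, while ABV keeps a one-bit-per-word summary of each vector, ANDs the summaries first and then reads only the words whose summary bit survived. The rule set, the addresses and the 8-bit word size are constructed.

```python
"""Lucent Bit Vector (BV) and Aggregated Bit Vector (ABV) classification for a
packet with k = 2 fields (source and destination IPv4 prefix). Added example for
these notes, not the paper's code; the rule set is constructed and the memory
word is made tiny so that the access counts differ visibly."""
import ipaddress
from math import ceil

WORD = 8   # bits per memory word (constructed; real hardware would use 32 or 64)
K = 2      # number of header fields


def to_bits(prefix):
    """'10.1.0.0/16' -> its 16 significant bits as a string; '0.0.0.0/0' -> ''."""
    net = ipaddress.ip_network(prefix, strict=False)
    return format(int(net.network_address), "032b")[:net.prefixlen]


class Classifier:
    def __init__(self, rules):
        self.rules = rules                     # (src_prefix, dst_prefix, action); index = priority
        self.n = len(rules)
        self.words = ceil(self.n / WORD)       # words per bit vector
        self.fields = []                       # per field: {prefix bits: bit vector of matching rules}
        for f in range(K):
            table = {}
            for p in {to_bits(r[f]) for r in rules}:
                bv = 0
                for i, r in enumerate(rules):
                    if p.startswith(to_bits(r[f])):    # rule i covers everything under p
                        bv |= 1 << i
                table[p] = bv
            self.fields.append(table)

    def _lookup(self, f, addr):
        """Longest-prefix match on one field (a trie in the real scheme); returns its bit vector."""
        bits = format(int(ipaddress.ip_address(addr)), "032b")
        best = max((p for p in self.fields[f] if bits.startswith(p)), key=len, default=None)
        return 0 if best is None else self.fields[f][best]

    def _aggregate(self, bv):
        """One summary bit per word: set when any rule bit inside that word is set."""
        return sum(1 << j for j in range(self.words) if (bv >> (j * WORD)) & ((1 << WORD) - 1))

    def _first(self, bv):
        if bv == 0:
            return None
        i = (bv & -bv).bit_length() - 1        # lowest set bit = highest-priority rule
        return i, self.rules[i][2]

    def classify_bv(self, src, dst):
        """Lucent scheme: read all N/w words of each field's vector and AND them."""
        vecs = [self._lookup(0, src), self._lookup(1, dst)]
        return self._first(vecs[0] & vecs[1]), K * self.words

    def classify_abv(self, src, dst):
        """ABV: AND the aggregates first, then read only words whose aggregate bit survived."""
        vecs = [self._lookup(0, src), self._lookup(1, dst)]
        agg = self._aggregate(vecs[0]) & self._aggregate(vecs[1])
        accesses = K * ceil(self.words / WORD)  # reading the aggregate vectors
        result = 0
        for j in range(self.words):
            if agg >> j & 1:
                mask = ((1 << WORD) - 1) << (j * WORD)
                result |= vecs[0] & vecs[1] & mask
                accesses += K                  # one word per field
        return self._first(result), accesses


def build_rules():
    """Constructed rule set: 60 specific deny rules, one permit, a catch-all deny."""
    rules = [(f"10.{i}.0.0/24", f"172.{16 + i % 8}.0.0/16", "deny") for i in range(60)]
    rules.append(("192.168.1.0/24", "0.0.0.0/0", "permit"))   # rule 60
    rules.append(("0.0.0.0/0", "0.0.0.0/0", "deny"))           # rule 61, catch-all
    return rules


if __name__ == "__main__":
    c = Classifier(build_rules())
    for src, dst in [("192.168.1.7", "203.0.113.9"), ("10.5.0.9", "172.21.4.4")]:
        print(src, dst, "BV:", c.classify_bv(src, dst), "ABV:", c.classify_abv(src, dst))
```

With N = 62 rules and w = 8, the Lucent scheme always reads k·⌈N/w⌉ = 16 words; ABV reads 2 aggregate words plus 2 words for every word position where both aggregates are set, so a packet whose candidate rules cluster in one word costs 4 reads and one whose candidates span two words costs 6. The known caveat is a false positive in the aggregate: a word where both summary bits are set but the real AND is zero still costs k reads, which is why the paper also reorders rules to keep matching rules close together.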
References
- Baboescu and Varghese, "Aggregated Bit Vector Search Algorithms for Packet ... /papers/cs/27575/http:zSzzSzwwwcse.ucsd.eduzSz ctorsearch.pdf