The Seattle SAGE Group (SSG)
Seattle based special interest group for system and network administrators.
Presentation at March 13, 1997 Meeting
Selecting a Firewall
Carl Brown
Pencom Systems Administration
What am I talking about?
- How do you select a firewall?
- What topics are important?
- What questions do you ask?
How do you select a firewall?
- Types of Firewalls
- Failure Modes
- "Popular" Attacks
Types of firewalls
- Packet Filters
- Proxies
- Combinations
Packet Filters
- To forward, or not to forward?
- Can "drop" or "reject" packet
Can only filter on packet header fields:
- Protocol Type (TCP/UDP/ICMP)
- Application, by port number (Telnet/DNS/etc.)
- Addresses (Source/Destination)
- "Established" Status (TCP ACK or RST bit set)
Filtering Rules
- Many different statements
- Each one checked in order
- Stops at the first matching "permit" or "deny"; a packet that matches no rule is denied
Filtering Example
Stateful Packet Filters
- Add "time" and "state" to rule set
- Mimic "Established" Status for UDP (remember outbound datagrams, admit only the matching replies, forget them after a timeout)
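The two slides above (ordered rules with first-match semantics, and a state table that gives UDP what the TCP ACK bit gives a stateless filter) as an added, runnable illustration. This is not code from the talk; the inside network 10.1.0.0/16, the hosts and the rule set are constructed for the example, and the 30 second UDP idle timeout is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: the inside network and the rule set are hypothetical.
INSIDE = "10.1.0.0/16"
UDP_IDLE_TIMEOUT = 30.0  # seconds an outbound UDP exchange stays "established"


@dataclass
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # TCP ACK bit: what a router calls "established"
    direction: str = "in"  # "in" = arriving from the outside, "out" = leaving


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches every port
    established: bool = False     # only match packets with ACK set
    direction: str = "any"

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("any", p.proto)
                and self.direction in ("any", p.direction)
                and in_net(self.src, p.src)
                and in_net(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


def evaluate(rules, p: Packet):
    """First match wins; a packet matching no rule hits the implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


RULES = [
    Rule("deny", direction="in", src=INSIDE),                               # anti-spoof
    Rule("permit", proto="tcp", direction="in", established=True),          # replies to our connections
    Rule("permit", proto="tcp", direction="in", dst="10.1.2.25", dport=25), # the mail host
    Rule("permit", direction="out", src=INSIDE),                            # anything outbound
]


class StatefulFilter:
    """Stateless rules plus a table that fakes "established" for UDP."""

    def __init__(self, rules):
        self.rules = rules
        self.udp_flows = {}  # (src, sport, dst, dport) of an outbound datagram -> last seen

    def check(self, p: Packet, now: float):
        if p.proto == "udp" and p.direction == "in":
            flow = (p.dst, p.dport, p.src, p.sport)   # the outbound side of this exchange
            seen = self.udp_flows.get(flow)
            if seen is not None and now - seen <= UDP_IDLE_TIMEOUT:
                self.udp_flows[flow] = now             # a reply refreshes the timer
                return "permit", "state"
            self.udp_flows.pop(flow, None)             # expired: forget it
        action, idx = evaluate(self.rules, p)
        if action == "permit" and p.proto == "udp" and p.direction == "out":
            self.udp_flows[(p.src, p.sport, p.dst, p.dport)] = now
        return action, idx


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    query = Packet("udp", "10.1.2.3", 5000, "192.0.2.53", 53, direction="out")
    reply = Packet("udp", "192.0.2.53", 53, "10.1.2.3", 5000)
    print(fw.check(query, 0.0))     # ('permit', 3)
    print(fw.check(reply, 1.0))     # ('permit', 'state')
    print(fw.check(reply, 100.0))   # ('deny', None): the timer ran out
    forged = Packet("tcp", "198.51.100.7", 4444, "10.1.2.3", 23, ack=True)
    print(evaluate(RULES, forged))  # ('permit', 1): the classic "established" hole
```

The last line of the demo is the caveat a packet filter cannot escape: "established" only checks a bit the sender controls, so a forged ACK-only packet to the telnet port walks past rule 1. Order matters too: move the anti-spoof deny below the "established" permit and a spoofed inside address with ACK set is admitted as well.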
Address Translation/Masquerading
- Replace Addresses in Packet
- Static Address Assignments
- Dynamic Address "Pools"
Limitations
- Only makes sense at beginning of conversation
- Exponential Backoff Crash
- No content filtering (payloads pass through untouched)
- FTP back-channel connection: the PORT command carries the untranslated inside address
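Address translation with static assignments and a dynamic pool, and the FTP limitation just listed, as an added example (not code from the talk). The private hosts, the public block 203.0.113.0/24 and the FTP exchange are constructed; the `rewrite_ftp_port` helper is what a protocol-aware translator or proxy adds on top of plain translation, not a description of any particular product.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class AddressTranslator:
    """Static one-to-one assignments plus a dynamic pool of public addresses.
    Constructed example: 203.0.113.0/24 is documentation address space."""

    def __init__(self, static, pool):
        self.static = dict(static)       # private -> public, fixed
        self.pool = list(pool)           # public addresses still free
        self.leases = {}                 # private -> public, handed out from the pool
        self.reverse = {v: k for k, v in self.static.items()}  # public -> private

    def public_for(self, private_ip: str) -> str:
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip not in self.leases:
            if not self.pool:
                raise RuntimeError("address pool exhausted")
            public = self.pool.pop(0)
            self.leases[private_ip] = public
            self.reverse[public] = private_ip
        return self.leases[private_ip]

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source address; the payload goes through untouched."""
        return replace(p, src=self.public_for(p.src))

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Undo the rewrite on the way back; unknown destinations are dropped."""
        private = self.reverse.get(p.dst)
        return None if private is None else replace(p, dst=private)


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_port_target(payload: bytes):
    """Decode the address and port the FTP server will connect back to."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def rewrite_ftp_port(p: Packet, nat: AddressTranslator) -> Packet:
    """What an FTP-aware helper (or a proxy) must add on top of plain NAT:
    patch the PORT argument so it names the translated address."""
    target = ftp_port_target(p.payload)
    if target is None:
        return p
    public = nat.public_for(target[0])
    fixed = (b"PORT " + public.replace(".", ",").encode()
             + b",%d,%d" % (target[1] // 256, target[1] % 256))
    return replace(p, payload=PORT_RE.sub(fixed, p.payload))


if __name__ == "__main__":
    nat = AddressTranslator({"10.1.2.25": "203.0.113.25"},
                            ["203.0.113.100", "203.0.113.101"])
    cmd = Packet("10.1.2.3", 1234, "198.51.100.21", 21, b"PORT 10,1,2,3,39,16\r\n")
    out = nat.outbound(cmd)
    print(out.src, ftp_port_target(out.payload))   # header translated, payload still says 10.1.2.3
    print(ftp_port_target(rewrite_ftp_port(out, nat).payload))
```

After `outbound` the header says 203.0.113.100 but the PORT argument still says 10.1.2.3, so the server's data connection goes to an address it cannot reach. Only something that understands FTP (the rewrite helper, or a proxy) can repair it, which is the point of the "Combinations" entry on the types slide.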
Proxies
- Maintain a connection to both parties
- Copy data between conversations
- Protocol-specific filtering
- Can require Authentication
- Separate program for each application
"Standard" proxies
- Require knowledge of proxy's existence
- "Proxy Aware" Software
- User manually connects to Proxy
Transparent Proxies
- Proxy connection started automatically
- Transparent to client
Content Screening Examples
- FTP: no .exe files
- HTTP: no JAVA/Active-X
- SMTP: no "|" or "/" in address (delivery to a program or a file)
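The three screening examples as the checks a proxy would run on each protocol's traffic, added here as an illustration (not code from the talk). Every sample command and page is constructed; the `(allowed, reason)` convention and the HTTP tag list are choices made for the example.

```python
import re

# Constructed example: each screen returns (allowed, reason) so the proxy can
# log why it refused something.


def screen_ftp_command(line: str):
    """Refuse transfers of .exe files. The name is all the proxy can see here,
    so a renamed binary walks straight through."""
    parts = line.strip().split(None, 1)
    if (len(parts) == 2 and parts[0].upper() in ("RETR", "STOR")
            and parts[1].lower().endswith(".exe")):
        return False, "executable file: %s" % parts[1]
    return True, "ok"


ACTIVE_CONTENT = re.compile(
    rb"<\s*(applet|object|embed)\b"            # Java applets, ActiveX objects, plug-ins
    rb"|content-type:\s*application/x-java",   # or announced in the headers
    re.IGNORECASE)


def screen_http_response(raw: bytes):
    """Refuse pages that carry Java or ActiveX; a plain string match, so
    anything the browser decodes first (scripts building tags) is missed."""
    m = ACTIVE_CONTENT.search(raw)
    if m:
        return False, "active content: %s" % m.group(0).decode(errors="replace")
    return True, "ok"


def screen_smtp_address(line: str):
    """A "|program" or "/path" address asks the MTA to deliver into a pipe
    or a file instead of a mailbox."""
    m = re.match(r"(?i)(MAIL FROM|RCPT TO):\s*<?([^>]*)>?", line.strip())
    if not m:
        return True, "not an envelope command"
    addr = m.group(2)
    if "|" in addr or "/" in addr:
        return False, "program/file delivery attempt: %s" % addr
    return True, "ok"


SCREENS = {"ftp": screen_ftp_command,
           "http": screen_http_response,
           "smtp": screen_smtp_address}


def screen(protocol: str, data):
    """Dispatch by protocol: one separate screen per application, as the slide says."""
    return SCREENS[protocol](data)


if __name__ == "__main__":
    samples = [("ftp", "RETR setup.EXE\r\n"),
               ("http", b"<html><body><APPLET code=Evil.class></APPLET></body></html>"),
               ("smtp", "RCPT TO:<|/bin/sh>\r\n"),
               ("smtp", "RCPT TO:<bob@example.com>\r\n")]
    for proto, data in samples:
        print(proto, screen(proto, data))
```

The comments carry the caveat that matters when selecting a product: each of these is a string match on one protocol, it needs its own code, and it is only as good as its understanding of that protocol.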
Limitations
- New software for every protocol
- Failure Modes
Failure Modes
- Screening Router
- Dual-Homed Proxy
- Screened Subnet (DMZ)
Screening Router
- Filtering bug
- Misconfiguration
- Game Over
Dual-Homed Proxy
- Firewall/OS bug
- Misconfiguration
- Game Over
DMZ/Screened Subnet
- Filtering/Proxy bugs
- Misconfiguration
- Service-level access only (one bug wins a DMZ host, not the inside)
- Only after multiple bugs:
- Game Over
"Popular" Attacks
- Buffer Overruns
- "SYN" Denial of Service Attacks
- Sendmail
- Itty Bitty Packet
- IP Spoofing
Buffer Overruns
- gets() or friends
- Fill the buffer past its end
- Overwrite the return address so execution lands in your code
- "Internet Worm"
"SYN" Denial of Service
- Too Many "Half Open" connections
- Change timeout
- Change number of connections
- Pray
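A model of the half-open connection table under a SYN flood, added here to show what the two knobs on the slide buy you and where "Pray" starts (not code from the talk). The flood, the source addresses and the sizes are constructed; the backlog and timeout values are assumptions chosen for the example, not a vendor's defaults.

```python
from collections import OrderedDict


class HalfOpenTable:
    """A listen socket's SYN_RCVD entries, bounded by size and by a timeout."""

    def __init__(self, max_entries: int, timeout: float):
        self.max_entries = max_entries
        self.timeout = timeout
        self.entries = OrderedDict()   # (src, sport) -> time the SYN arrived
        self.dropped = 0

    def _expire(self, now: float):
        # Entries are kept in arrival order, so expiry only looks at the front.
        while self.entries:
            key, stamped = next(iter(self.entries.items()))
            if now - stamped < self.timeout:
                break
            del self.entries[key]

    def syn(self, key, now: float) -> bool:
        """Returns False when the SYN is discarded for lack of a free slot."""
        self._expire(now)
        self.entries.pop(key, None)          # a retransmitted SYN re-uses its slot
        if len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self.entries[key] = now
        return True

    def ack(self, key) -> bool:
        """Third packet of the handshake: the slot is freed."""
        return self.entries.pop(key, None) is not None


def survives(backlog: int, timeout: float, syn_rate: int, at: int) -> bool:
    """Flood with `syn_rate` never-completed SYNs per second for seconds 0..at,
    then see whether a real client's SYN in second `at` still gets a slot.
    Constructed flood: every spoofed SYN uses a fresh address/port pair."""
    table = HalfOpenTable(backlog, timeout)
    n = 0
    for second in range(at + 1):
        for _ in range(syn_rate):
            key = ("198.51.100.%d" % (n % 254 + 1), 1024 + n % 60000)
            table.syn(key, float(second))
            n += 1
    return table.syn(("192.0.2.10", 40000), float(at))


if __name__ == "__main__":
    # backlog, timeout (s), attacker SYNs per second, second the real client tries
    for args in [(128, 75.0, 10, 13), (128, 10.0, 10, 13), (1024, 75.0, 10, 13), (1024, 10.0, 200, 13)]:
        print(args, "real client gets in:", survives(*args))
```

The table holds roughly `syn_rate * timeout` attacker entries in steady state, so shortening the timeout or enlarging the table each helps exactly until the attacker raises the rate to match. The fourth case in the demo is the "Pray" case: both knobs turned, still full.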
Sendmail
- What, AGAIN!?!?!?
- Runs as root (has to: it binds port 25 and delivers into every user's mailbox)
- Very complicated program
- Isolate it
Itty Bitty Packet
- Packet filter attack
- Very, very small first fragment: the TCP flags land in the second fragment, which the filter never inspects
- Contact packet filter vendor
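The attack and the vendor's fix side by side, as an added example (not code from the talk): hand-built IPv4 fragments carrying a TCP SYN to the telnet port, a naive filter that judges only the bytes present in the first fragment, and the same filter with the two checks RFC 1858 describes (drop a first fragment too short to hold the flags, drop any TCP fragment at offset 1). The addresses, the "no SYN to port 23" policy and the 16-byte minimum are choices made for the example.

```python
import socket
import struct

MF = 0x2000               # "more fragments" bit in the IP flags/offset field
TCP = 6
SYN = 0x02
MIN_FIRST_FRAGMENT = 16   # transport bytes a first fragment must carry (assumed, per RFC 1858)


def ip_packet(src, dst, payload: bytes, ident=1, more=False, offset_units=0) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of `payload`."""
    flags_frag = (MF if more else 0) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_header(sport, dport, flags) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def fragment(src, dst, transport: bytes, first_len: int, ident=1):
    """Split `transport` into two fragments; first_len must be a multiple of 8."""
    assert first_len % 8 == 0
    return [ip_packet(src, dst, transport[:first_len], ident, more=True),
            ip_packet(src, dst, transport[first_len:], ident, offset_units=first_len // 8)]


def parse(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {"offset": flags_frag & 0x1FFF, "more": bool(flags_frag & MF),
            "proto": pkt[9], "transport": pkt[ihl:]}


def naive_filter(pkt: bytes) -> str:
    """Policy: deny TCP SYNs to port 23. Judges the first fragment on whatever
    header bytes it happens to contain and waves later fragments through."""
    p = parse(pkt)
    if p["proto"] != TCP or p["offset"] != 0:
        return "permit"
    t = p["transport"]
    dport = struct.unpack("!H", t[2:4])[0] if len(t) >= 4 else None
    flags = t[13] if len(t) >= 14 else 0     # flags not there yet? treated as "no SYN"
    return "deny" if dport == 23 and flags & SYN else "permit"


def strict_filter(pkt: bytes) -> str:
    """Same policy with RFC 1858's two checks in front of it."""
    p = parse(pkt)
    if p["proto"] == TCP and p["offset"] == 0 and len(p["transport"]) < MIN_FIRST_FRAGMENT:
        return "deny"   # tiny first fragment: the flags would arrive separately
    if p["proto"] == TCP and p["offset"] == 1:
        return "deny"   # a fragment starting 8 bytes in only exists in this attack
    return naive_filter(pkt)


def reassemble(frags):
    """What the destination host does: stitch the fragments back by offset."""
    out = bytearray()
    for f in sorted(frags, key=lambda x: parse(x)["offset"]):
        p = parse(f)
        out[p["offset"] * 8:] = p["transport"]
    return bytes(out)


if __name__ == "__main__":
    attack = fragment("198.51.100.7", "10.1.2.3", tcp_header(4444, 23, SYN), 8)
    print("naive :", [naive_filter(f) for f in attack])    # both permitted
    print("strict:", [strict_filter(f) for f in attack])   # both denied
    whole = reassemble(attack)
    print("host sees SYN to port", struct.unpack("!H", whole[2:4])[0], bool(whole[13] & SYN))
```

The first fragment holds only the ports and sequence number (8 bytes), so the naive filter sees "port 23, no flags" and passes it; the SYN bit arrives in the offset-1 fragment it never examines, and the host reassembles a full SYN. That is a bug in the filter, not in the rule set, which is why the slide says to call the vendor.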
IP Spoofing
- Attacker never sees the replies, so has to "guess" the sequence number
- Filter incoming packets "From" you (the outside interface should never see your own addresses as source)
- DON'T RELY ON HOST INFORMATION (a source address proves nothing)
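The three bullets above as an added example (not code from the talk): the ingress rule that rejects packets claiming your own addresses, the address-only trust decision it protects, and why the blind attack depends on a guessable initial sequence number. It goes one step beyond the slide by also checking the mirror (egress) rule on the inside interface. The 10.1.0.0/16 network is constructed, and `FixedStepISN` is an idealized stand-in for an incrementing generator, not a model of any particular TCP stack.

```python
import secrets
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.1.0.0/16")   # constructed: the network behind the filter


def ingress_ok(iface: str, src: str) -> bool:
    """A packet arriving from the outside may not claim an inside address.
    The mirror rule on the inside interface (egress filtering, beyond the
    slide) keeps your own hosts from spoofing someone else."""
    claims_inside = ip_address(src) in INSIDE
    if iface == "outside":
        return not claims_inside
    if iface == "inside":
        return claims_inside
    raise ValueError("unknown interface %r" % iface)


def host_trusts(src: str) -> bool:
    """rhosts-style trust: the host believes the source address and nothing else."""
    return ip_address(src) in INSIDE


def request_accepted(iface: str, src: str, filtering: bool = True) -> bool:
    """Does a request with source `src`, arriving on `iface`, get trusted?"""
    if filtering and not ingress_ok(iface, src):
        return False
    return host_trusts(src)


class FixedStepISN:
    """Idealized generator that bumps the initial sequence number by a constant
    per connection (an assumption for the example)."""

    def __init__(self, start: int = 0x1000, step: int = 64000):
        self.value, self.step = start, step

    def next(self) -> int:
        self.value = (self.value + self.step) & 0xFFFFFFFF
        return self.value


class RandomISN:
    def next(self) -> int:
        return secrets.randbits(32)


def blind_spoof_succeeds(server) -> bool:
    """The SYN-ACK goes to the spoofed address, so the attacker must put a
    guessed server ISN into the ACK that completes the handshake. Two real
    connections from the attacker's own address reveal the generator's step."""
    first, second = server.next(), server.next()
    step = (second - first) & 0xFFFFFFFF
    guess = (second + step) & 0xFFFFFFFF
    actual = server.next()   # the ISN in the SYN-ACK the attacker never sees
    return guess == actual


if __name__ == "__main__":
    print("no filter, spoofed inside source:", request_accepted("outside", "10.1.2.9", filtering=False))
    print("with filter, spoofed inside source:", request_accepted("outside", "10.1.2.9"))
    print("guessable ISN:", blind_spoof_succeeds(FixedStepISN()))
    print("random ISN:", blind_spoof_succeeds(RandomISN()))
```

The filter closes the door on the one case an outside packet should never present (your own address as source); the ISN check shows the other half, that a randomized generator leaves the attacker a one in 2^32 guess for every spoofed connection. Neither makes a trust decision based only on the source address sound, which is the last bullet.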