Firewalls: taxonomy
1. Traditional packet filters
   ❑ filters often combined with router, creating a firewall
2. Stateful filters
3. Application gateways

Major firewall vendors: Checkpoint, Cisco PIX
Traditional packet filters
Analyzes each datagram going through it; makes drop decision based on:
◼ source IP address
◼ destination IP address
◼ source port
◼ destination port
◼ TCP flag bits
   ❑ SYN bit set: datagram for connection initiation
   ❑ ACK bit set: part of established connection
◼ TCP or UDP or ICMP
   ❑ Firewalls often configured to block all UDP
◼ direction
   ❑ Is the datagram leaving or entering the internal network?
◼ router interface
   ❑ decisions can be different for different interfaces
Filtering Rules - Examples

Policy                                                        | Firewall Setting
--------------------------------------------------------------|------------------------------------------------------------------------
No outside Web access.                                        | Drop all outgoing packets to any IP address, port 80
External connections to public Web server only.               | Drop all incoming TCP SYN packets to any IP except 222.22.44.203, port 80
Prevent IPTV from eating up the available bandwidth.          | Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a Smurf DoS attack.  | Drop all ICMP packets going to a "broadcast" address (eg 222.22.255.255).
Prevent your network from being tracerouted.                  | Drop all outgoing ICMP
Access control lists
Apply rules from top to bottom:

action | source address       | dest address         | protocol | source port | dest port | flag bit
-------|----------------------|----------------------|----------|-------------|-----------|---------
allow  | 222.22/16            | outside of 222.22/16 | TCP      | > 1023      | 80        | any
allow  | outside of 222.22/16 | 222.22/16            | TCP      | 80          | > 1023    | ACK
allow  | 222.22/16            | outside of 222.22/16 | UDP      | > 1023      | 53        | ---
allow  | outside of 222.22/16 | 222.22/16            | UDP      | 53          | > 1023    | ---
deny   | all                  | all                  | all      | all         | all       | all
Access control lists
◼ Each router/firewall interface can have its own ACL
◼ Most firewall vendors provide both command line and graphical configuration interfaces
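The ACL table and the filtering examples above, worked as an added Python example that is not part of the original slides: a stateless packet filter that evaluates the five rules top to bottom, first match deciding. The Packet class, the expanded 222.22.0.0/16 prefix and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# The slide's internal network 222.22/16, written out in full.
INTERNAL = ipaddress.ip_network("222.22.0.0/16")

@dataclass
class Packet:            # constructed for this example, not a real packet format
    src: str             # source IP address
    dst: str             # destination IP address
    proto: str           # "TCP", "UDP" or "ICMP"
    sport: int = 0       # source port (0 for ICMP)
    dport: int = 0       # destination port (0 for ICMP)
    ack: bool = False    # TCP ACK flag; a SYN without ACK opens a new connection

def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL

# Port columns of the table as predicates on a port number.
HIGH = lambda p: p > 1023    # "> 1023": ephemeral client ports
ANY = lambda p: True         # "all"

# One tuple per table row: (action, src inside?, dst inside?, protocol,
# source-port test, dest-port test, ACK bit required?); None means "all".
ACL = [
    ("allow", True,  False, "TCP", HIGH, lambda p: p == 80, False),  # outbound web requests
    ("allow", False, True,  "TCP", lambda p: p == 80, HIGH, True),   # web replies, ACK must be set
    ("allow", True,  False, "UDP", HIGH, lambda p: p == 53, False),  # outbound DNS queries
    ("allow", False, True,  "UDP", lambda p: p == 53, HIGH, False),  # DNS replies
    ("deny",  None,  None,  "all", ANY,  ANY,  False),               # default: deny everything else
]

def filter_packet(pkt: Packet) -> str:
    """Return the action of the first rule that matches, top to bottom."""
    for action, src_in, dst_in, proto, sport_ok, dport_ok, need_ack in ACL:
        if src_in is not None and inside(pkt.src) != src_in:
            continue
        if dst_in is not None and inside(pkt.dst) != dst_in:
            continue
        if proto != "all" and pkt.proto != proto:
            continue
        if not (sport_ok(pkt.sport) and dport_ok(pkt.dport)):
            continue
        # The ACK rule only inspects a flag bit: a stateless filter cannot tell a
        # genuine reply from a crafted packet with ACK set (hence stateful filters).
        if need_ack and not pkt.ack:
            continue
        return action
    return "deny"   # unreachable with the explicit final rule; kept as a safe fallback
```

Note that an inbound TCP packet with source port 80 and no ACK bit (a connection attempt, not a reply) falls through to the final deny, and an internal-to-internal packet matches no allow row at all.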