Advantages and disadvantages of traditional packet filters

◼ Advantages
  ❑ One screening router can protect an entire network
  ❑ Can be efficient if filtering rules are kept simple
  ❑ Widely available: almost any router, even Linux boxes

◼ Disadvantages
  ❑ Can possibly be penetrated
  ❑ Cannot enforce some policies, for example, permit certain users
  ❑ Rules can get complicated and difficult to test
Stateful filters

◼ In the earlier example, any packet with ACK=1 and source port 80 gets in
  ❑ Attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments

◼ Stateful filter: adds more intelligence to the filter decision-making process
  ❑ Stateful = remember past packets
  ❑ Memory implemented in a very dynamic state table
Stateful filters: example

◼ Log each TCP connection initiated through the firewall: SYN segment
◼ Timeout entries which see no activity for, say, 60 seconds

source address   dest address    source port   dest port
222.22.1.7       37.96.87.123    12699         80
222.22.93.2      199.1.205.23    37654         80
222.22.65.143    203.77.240.43   48712         80

◼ If the rule table indicates that the stateful table must be checked: check to see if there is already a connection in the stateful table
◼ Stateful filters can also remember outgoing UDP segments
Stateful example

action   source address         dest address           proto   source port   dest port   flag bit   check connection
allow    222.22/16              outside of 222.22/16   TCP     > 1023        80          any
allow    outside of 222.22/16   222.22/16              TCP     80            > 1023      ACK        x
allow    222.22/16              outside of 222.22/16   UDP     > 1023        53          ---
allow    outside of 222.22/16   222.22/16              UDP     53            > 1023      ---        x
deny     all                    all                    all     all           all         all

1) Packet arrives from outside: SA=37.96.87.123, SP=80, DA=222.22.1.7, DP=12698, SYN=1, ACK=1
2) Check filter table ➜ check stateful table
3) Connection is listed in connection table ➜ let packet through
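The decision procedure on these two slides (rule table first, then the state table for rows marked x, with entries logged on the outgoing SYN and timed out after 60 idle seconds), as an added Python example that is not part of the lecture material. The state-table entry is created by the internal host's own outgoing SYN, so the inbound packet's ports match by construction; the address 203.0.113.9 and the timestamps are constructed for the demo.

```python
import ipaddress
from collections import namedtuple
INTERNAL = ipaddress.ip_network("222.22.0.0/16")  # the slide's 222.22/16
TIMEOUT = 60  # idle seconds before a state-table entry is dropped
Packet = namedtuple("Packet", "src sport dst dport proto syn ack", defaults=(False, False))

def inside(ip):
    return ipaddress.ip_address(ip) in INTERNAL

# Rule table from the slide, in order: src internal?, dst internal?, proto, source-port test,
# dest-port test, ACK bit required?, check state table?
RULES = [
    (True,  False, "TCP", lambda p: p > 1023, lambda p: p == 80,   False, False),
    (False, True,  "TCP", lambda p: p == 80,  lambda p: p > 1023, True,  True),
    (True,  False, "UDP", lambda p: p > 1023, lambda p: p == 53,   False, False),
    (False, True,  "UDP", lambda p: p == 53,  lambda p: p > 1023, False, True),
]  # a packet matching no row falls through to the final "deny all"

class StatefulFilter:
    def __init__(self):
        self.state = {}  # (src, dst, sport, dport) of the outbound flow -> last activity time

    def filter(self, pkt, now):
        self.state = {k: t for k, t in self.state.items() if now - t < TIMEOUT}  # expire idle flows
        for s_in, d_in, proto, sp_ok, dp_ok, need_ack, check in RULES:
            if (inside(pkt.src) != s_in or inside(pkt.dst) != d_in or pkt.proto != proto
                    or not sp_ok(pkt.sport) or not dp_ok(pkt.dport) or (need_ack and not pkt.ack)):
                continue
            if check:  # inbound reply: allowed only if the outbound flow is in the state table
                key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
                if key not in self.state:
                    return "deny"
                self.state[key] = now
                return "allow"
            if pkt.proto == "UDP" or pkt.syn:  # log the outbound flow (TCP SYN, or any UDP datagram)
                self.state[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = now
            return "allow"
        return "deny"

def demo():
    fw = StatefulFilter()
    return [
        # 1. internal host opens a web connection: outbound SYN, logged in the state table
        fw.filter(Packet("222.22.1.7", 12698, "37.96.87.123", 80, "TCP", syn=True), 0),
        # 2. the slide's inbound packet (SP=80, DP=12698, SYN=1, ACK=1): its flow is in the table
        fw.filter(Packet("37.96.87.123", 80, "222.22.1.7", 12698, "TCP", syn=True, ack=True), 1),
        # 3. unsolicited ACK=1 segment from port 80 with no state entry: rule matches, state check fails
        fw.filter(Packet("203.0.113.9", 80, "222.22.1.7", 12698, "TCP", ack=True), 2),
        # 4. same peer as (2) after 60 idle seconds: its entry has timed out, so it is denied
        fw.filter(Packet("37.96.87.123", 80, "222.22.1.7", 12698, "TCP", ack=True), 62),
    ]
```

Case 3 is the ACK=1 probe the previous slide warns about: a stateless filter would admit it on the rule table alone, while the stateful check rejects it.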
Demilitarized Zone (DMZ)

[Figure: the Internet connects through a firewall to the demilitarized zone, which holds the Web server, FTP server and DNS server; an application gateway sits between the firewall and the internal network.]