Post

Firewalls

Posted Updated
By Filippo Visconti 3 min read

Firewalls

Introduction

A firewall is a system used to protect or separate a trusted network from an untrusted network, while allowing authorised communications to pass from one side to the other.

Firewalls enforce an access control policy between two networks Inside / Intranet.

Network firewalls protect different network segments. Host firewalls protect single hosts.

INGRESSFilter incoming traffic from a low security to a high security net
EGRESSFilter incoming traffic from a high security to a low security net
DEFAULT POLICYDefines what to do when no rule matches (ACCEPT or DENY ALL)

Stateless firewalls

These firewalls examine a packet at the network layer and the decision based on packet header information, such as IP, port, flags.

Pros:

  • Application independent
  • Good performance and scalability

Cons:

  • No state nor application context

Stateful firewalls

These firewalls keep also track of the state of the network connections and the decision is based on it too.

Pros:

  • More powerful rules

Cons:

  • State for UDP?
  • Possibly inconsistent state between host and firewall
  • State explosion → possible DoS attack

Next Generation Firewalls

These firewalls perform deep packet inspection and take application and protocol state into account for security decision.

Pros:

  • Even more powerful rules
  • Application and protocol awareness

Cons:

  • Needs to support many applications and protocols
  • Performance, scalability
  • Possibly inconsistent state between host and firewall

Web Application Firewalls

These firewalls protect web-based applications from malicious requests.

They use request patterns (signatures) to detect SQL injections, XSS, buffer overflow attempts, etc…

They also offer user authentication and session management.

Most often, WAFs are implemented as a reverse proxy to protect public-facing web applications.

Deployment challenges

Protecting large number of hosts, endpoints and network segments is not trivial.

Attack techniques

IP SOURCE SPOOFINGSpoofing the source IP address to bypass filters Works for stateless protocols (e.g. UDP, ineffective for TCP).  ARTIFICIAL FRAGMENTATIONFragment packets to
bypass rules. Without proper reassembly at the firewall the attack gets through. VULNERABILITIESExploiting vulnerabilities in firewall software / firmware / OS. Exploit vulnerabilities in    
target application. DENIAL OF SERVICEFirewall state explosion → defaults to fallback policy. TUNNELING/COVERT CHANNELSData in ICMP ping packets, or use DNS requests as channel. Attack 
through VPN virtual private network. PAYLOAD ENCODINGDifferent encodings or mappings confuse detection    

Attack detection

REACTIVESystem can only detect already known attacks  PROACTIVESystem can detect known and new, yet unknown attacks
—————–—————————————————————————————————————————————————– DETERMINISTICSystem
always performs the same given the same input. The same stimuli always result in same action. Reason for alert is known. NON-DETERMINISTICSystem detection is fuzzy (heuristics, machine 
learning, sandboxing) and depends on current state of the world. Reason for alert typically not known.    

Screenshot 2023-01-10 at 22.32.14.png

Signature-based Detection

Exists in practically all detection and protection technologies and it is by far the fastest and most efficient way of categorising a data artifact. It has a boolean output: known good and known bad.

Pros:

  • Low resource requirements
  • Fast
  • Low false positives

Cons:

  • Reactive – threat must be known before
  • Frequent update of signatures
  • Humans in the loop

Sandboxing-based Detection

Sandboxing products typically run a samples in a (instrumented) sandbox environment It examines / monitors the runtime behaviour of sample (e.g. malware) and it compares the behaviour against a list or rules previously developed by the vendor in their lab or it applies machine learning for behaviour classification.

Pros:

  • Proactive, can detect unknown threats
  • No signature updates required

Cons:

  • Resource intensive
  • High latency
  • Difficult to scale

Machine Learning

Golden rule: Data you are going to work on needs to come from approximately the same distribution as the data you are training on.

Types of attacks

Screenshot 2023-01-10 at 23.23.43.png

Screenshot 2023-01-10 at 23.25.00.png

“It is better to be roughly right than precisely wrong.”

Screenshot 2023-01-10 at 23.33.45.png

Screenshot 2023-01-10 at 23.34.08.png

network-security, lecture-notes
network-security lecture-notes firewalls ids ips
This post is licensed under CC BY 4.0 by the author.