3. Network security is simply the proper balance of trust and performance
• The higher up the OSI stack the architecture goes to examine the information within the packet, the more processor cycles it consumes
• The higher up the OSI stack an architecture examines packets, the greater the level of protection it can provide, since more information is available upon which to base decisions
6. Static Packet Filter
• One of the oldest firewall architectures
• Operates at the network layer (OSI layer 3), reading the IP header plus the port fields of the TCP/UDP header
• The decision to accept or deny a packet is based upon:
– Source address
– Destination address
– Protocol (the IP protocol field, e.g. TCP or UDP)
– Source port number
– Destination port number
7. Firewall Rules
Before forwarding a packet, the firewall compares the IP header and TCP (or UDP) header against an ordered set of rules that dictate whether the firewall should deny or permit the packet to pass
8. Packet Filter Limitation
A packet filter only examines data in the IP header and TCP header; it cannot tell the difference between a real and a forged address. If the address present satisfies the packet filter rules, along with the other rule criteria, the packet will be allowed to pass
9. IP Address Spoofing
A hacker can substitute:
– the actual source address on a malicious packet
with
– the source address of a known trusted client
Replies go to the trusted client's address rather than to the attacker, so spoofing is most useful for one-way attacks; the usual countermeasure is ingress filtering, i.e. denying packets that arrive on the external interface carrying an internal source address
10. Static Packet Filter Considerations
Pros:
– Low impact on network performance
– Low cost; now included with many operating systems
Cons:
– Operates only at the network layer, so it examines only the IP and TCP/UDP headers
– Unaware of the packet payload, so it offers a low level of security
– Lacks state awareness; may require numerous ports to be left open to facilitate services that use dynamically allocated ports
– Susceptible to IP spoofing
– Difficult to create rules (the order of rules determines which one matches first)
– Only provides for a low level of protection
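The following is an added example (not from the original slides) of the static packet filter described above: rules are evaluated first-match in order, only header fields are consulted, and a packet whose source address is forged to look like a trusted client passes. The rule syntax, the addresses and the ingress-filtering rule in the hardened policy are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet and rule models; field names are this example's own.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    iface: str = "ext"    # interface the packet arrived on: "ext" or "int"

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source network
    dst: str = "0.0.0.0/0"         # destination network
    proto: str = "any"
    sport: range = range(0, 65536)
    dport: range = range(0, 65536)
    iface: str = "any"

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are consulted; the payload is never looked at.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and pkt.sport in self.sport
                and pkt.dport in self.dport
                and self.iface in ("any", pkt.iface))

def filter_packet(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, so rule order is part of the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Policy: internal 10.0.0.0/8 clients may reach the SSH port of 192.0.2.10; all else denied.
RULES = [
    Rule("permit", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=range(22, 23)),
    Rule("deny"),
]
# Hardened policy: an internal source address arriving on the external
# interface can only be forged, so it is dropped before the permit rule.
HARDENED = [Rule("deny", src="10.0.0.0/8", iface="ext")] + RULES

OUTSIDER = Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 22)
SPOOFED = Packet("10.1.2.3", "192.0.2.10", "tcp", 40000, 22)   # forged source, arrives on "ext"

def demo() -> dict:
    return {
        "outsider": filter_packet(RULES, OUTSIDER),                  # "deny"
        "spoofed": filter_packet(RULES, SPOOFED),                    # "permit": header looks trusted
        "misordered": filter_packet(list(reversed(RULES)), SPOOFED), # deny-all first shadows the permit
        "hardened": filter_packet(HARDENED, SPOOFED),                # "deny": ingress filter catches it
    }

if __name__ == "__main__":
    print(demo())
```

The filter has no way to know that `SPOOFED` did not come from 10.1.2.3; only the extra knowledge of which interface the packet arrived on lets the hardened policy reject it.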
11. Dynamic (Stateful) Packet Filter
• The dynamic packet filter is "aware" of the difference between a new and an established connection
• Once a connection is established, it is entered into a table that typically resides in RAM
• Subsequent packets are compared to this table in RAM, most often by software running at the operating system (OS) kernel level
• When a packet matches an existing connection in the table, it is allowed to pass without any further inspection
12. Dynamic Packet Filter Considerations
Pros:
– Lowest impact of all examined architectures on network performance (when designed to be fully SMP-compliant)
– Low cost; now included in some operating systems
– State awareness provides a measurable performance benefit
Cons:
– Operates only at the network layer, so it examines only the IP and TCP/UDP headers
– Unaware of the packet payload
– Susceptible to IP spoofing
– Difficult to create rules
– Can introduce additional risk if a connection can be entered into the state table without following the RFC 3-way handshake (for example, a bare ACK segment being accepted as an existing connection)
– Only provides for a low level of protection
13. Circuit Level Gateway
• The Circuit-Level Gateway operates at the session
layer (OSI 5)
• Extension to packet filter, adding verification of
proper handshaking (SYN, ACK and sequence
numbers)
14. Circuit Level Gateway Considerations
Pros:
– Low to moderate impact on network performance
– Breaks the direct connection to the server behind the firewall
– Higher level of security than a static or dynamic (stateful) packet filter
Cons:
– Shares many of the same negative issues associated with packet filters
– Once the circuit is established, allows any data to simply pass through the connection
– Only provides for a low to moderate level of security
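The state table and handshake checks from the dynamic packet filter and circuit-level gateway slides, as one added example that is not part of the original deck. In loose mode the filter adopts any ACK-only segment as an existing connection (the extra risk noted for dynamic packet filters); in strict mode it admits a connection only after a SYN, a SYN/ACK with the right acknowledgement number and a final ACK, the circuit-level check. The segment model, the "10." inside prefix and the addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by the filter (constructed model, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0

class StatefulFilter:
    def __init__(self, inside_prefix: str, strict: bool):
        self.inside = inside_prefix   # e.g. "10." marks the protected side
        self.strict = strict          # True = circuit-level handshake validation
        self.table = {}               # (client, cport, server, sport) -> state record

    def _key(self, s: Segment):
        # Both directions of a connection map onto the same table entry.
        if s.src.startswith(self.inside):
            return (s.src, s.sport, s.dst, s.dport), "out"
        return (s.dst, s.dport, s.src, s.sport), "in"

    def handle(self, s: Segment) -> str:
        key, direction = self._key(s)
        entry = self.table.get(key)
        f = s.flags
        if entry is None:
            if f == {"SYN"} and direction == "out":
                self.table[key] = {"state": "SYN_SENT", "cseq": s.seq}
                return "permit"
            if not self.strict and "ACK" in f and "SYN" not in f:
                # Loose mode: an ACK with no table entry is adopted as an
                # existing connection. This is the "no 3-way handshake" risk.
                self.table[key] = {"state": "ESTABLISHED"}
                return "permit"
            return "deny"
        st = entry["state"]
        if (st == "SYN_SENT" and direction == "in" and f == {"SYN", "ACK"}
                and s.ack == entry["cseq"] + 1):
            entry.update(state="SYN_RECEIVED", sseq=s.seq)
            return "permit"
        if (st == "SYN_RECEIVED" and direction == "out" and f == {"ACK"}
                and s.seq == entry["cseq"] + 1 and s.ack == entry["sseq"] + 1):
            entry["state"] = "ESTABLISHED"
            return "permit"
        if st == "ESTABLISHED":
            if "RST" in f:
                del self.table[key]
            return "permit"   # established traffic passes without further inspection
        return "deny"

F = frozenset
CLIENT, SERVER, ATTACKER = "10.0.0.5", "192.0.2.80", "198.51.100.9"

# Constructed traffic: a correct handshake, data, then two hostile segments.
SCRIPT = [
    Segment(CLIENT, 50000, SERVER, 80, F({"SYN"}), seq=1000),
    Segment(SERVER, 80, CLIENT, 50000, F({"SYN", "ACK"}), seq=5000, ack=1001),
    Segment(CLIENT, 50000, SERVER, 80, F({"ACK"}), seq=1001, ack=5001),
    Segment(SERVER, 80, CLIENT, 50000, F({"ACK"}), seq=5001, ack=1001),          # data
    Segment(ATTACKER, 4444, CLIENT, 3389, F({"ACK"}), seq=7, ack=7),             # bare ACK, no entry
    Segment(CLIENT, 50001, SERVER, 80, F({"SYN"}), seq=2000),
    Segment(SERVER, 80, CLIENT, 50001, F({"SYN", "ACK"}), seq=6000, ack=9999),   # wrong ack number
]

def run(strict: bool) -> list:
    fw = StatefulFilter("10.", strict)
    return [fw.handle(s) for s in SCRIPT]

if __name__ == "__main__":
    print("loose :", run(False))
    print("strict:", run(True))
```

The fifth segment is the interesting one: the loose filter lets the attacker's ACK-only segment through to an internal RDP port because it looks like part of an existing connection, while the strict filter denies it. Both modes reject the SYN/ACK whose acknowledgement number does not match the client's SYN.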
15. Application Level Gateway
• Like a circuit-level gateway, an application-level gateway
intercepts incoming and outgoing packets (proxy),
preventing any direct connection between a trusted server
or client and an un-trusted host
• Two important differences:
proxies are application specific
entire packet is examined at the application layer
16. Example of an Application
• As an example:
an FTP Application Level Gateway can filter
dozens of commands to allow a high granularity
on the permissions of specific users of the
protected FTP service
17. Going A Step Further: Strong Application Proxies
Strong application proxies extend the level of security:
Instead of copying the entire datagram on behalf of the user, a strong application proxy creates a new empty datagram; only those commands and data found acceptable are copied from the original datagram.
19. Stateful Inspection
• Stateful inspection combines the many aspects
of dynamic packet filtering, circuit-level and
application-level gateways
• While stateful inspection has the inherent ability
to inspect all seven layers of the OSI model, most
installations only operate as a dynamic packet
filter at the network layer of the model
20. Stateful Inspection Considerations
Pros:
– Offers the ability to inspect all seven layers of the OSI model
– Provides an integral dynamic (stateful) packet filter
– Fast when operated as a dynamic packet filter; however, many SMP-compliant dynamic packet filters are actually faster
Cons:
– The single-threaded process of the stateful inspection engine has a dramatic impact on performance
– Many believe the failure to break the client/server model creates an unacceptable security risk
– At the time of this presentation, no stateful inspection-based firewall had achieved higher than a Common Criteria EAL 2
21. Intrusion Prevention Systems (IPS)
• Interpret the intent of data contained in the application payload
• Provide application level analysis and verification
• Understand enough of the protocols to make decisions without the overhead of application proxies
• Use pattern matching, heuristics and behavioral analysis to detect attacks
22. Network IPS / Host IPS
Pros:
– Provide application level analysis and verification
– IPS includes heuristics and behavioral patterns, not only signatures
Cons:
– Primarily signature based
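An added example, not from the original slides, of the two IPS techniques named above running side by side: signature matching on the application payload and a behavioural heuristic (distinct ports per source within a time window) that needs no payload at all. The signatures, thresholds, event format and traffic are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed signature set; real IPS rulesets are far larger.
SIGNATURES = [
    ("http-path-traversal", re.compile(rb"(?:^|/)\.\./")),
    ("smtp-vrfy-probe", re.compile(rb"^VRFY ", re.IGNORECASE)),
]
# Behavioural heuristic: one source touching this many distinct destination
# ports within the window is treated as a port scan (thresholds are assumptions).
SCAN_PORTS = 5
SCAN_WINDOW_S = 10.0

def inspect(events: list) -> list:
    """Return (alert, source) tuples for a list of constructed connection events."""
    alerts = []
    history = defaultdict(list)   # src -> [(time, dport), ...]
    scanners = set()
    for ev in events:
        # Signature matching on the application payload (pattern matching)
        for name, pattern in SIGNATURES:
            if pattern.search(ev["payload"]):
                alerts.append((name, ev["src"]))
        # Behavioural analysis on connection metadata, independent of payload
        hist = history[ev["src"]]
        hist.append((ev["t"], ev["dport"]))
        recent_ports = {p for t, p in hist if ev["t"] - t <= SCAN_WINDOW_S}
        if len(recent_ports) >= SCAN_PORTS and ev["src"] not in scanners:
            scanners.add(ev["src"])
            alerts.append(("port-scan", ev["src"]))
    return alerts

def event(t: float, src: str, dport: int, payload: bytes = b"") -> dict:
    return {"t": t, "src": src, "dst": "192.0.2.10", "dport": dport, "payload": payload}

EVENTS = [   # constructed traffic: a scan, a traversal attempt, a VRFY probe, a benign request
    event(0.0, "198.51.100.7", 21), event(0.3, "198.51.100.7", 22),
    event(0.6, "198.51.100.7", 23), event(0.9, "198.51.100.7", 25),
    event(1.2, "198.51.100.7", 80),
    event(5.0, "203.0.113.4", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    event(6.0, "203.0.113.9", 25, b"VRFY root\r\n"),
    event(7.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(EVENTS):
        print(alert)
```

The scanner is caught by the heuristic on its fifth connection with an empty payload, which no signature could have matched; the two payload attacks are caught by signatures, which is why the slide lists "primarily signature based" as the main weakness: the behavioural rule fires on an unknown tool, the signatures only on what they were written for.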
24. Strong Application Firewall
1. New packet arrives at the external interface
Layer 4 data is tested to validate that the IP source and destination, as well as service ports, are acceptable to the security policy of the firewall
The TCP three-way handshake is fully validated for each and every connection
Because the proxy completes the handshake itself, the protected server never sees a half-open connection, which removes SYN flooding as a threat to that server (the firewall itself must still absorb the SYN traffic)
25. Strong Application Firewall
2. For each "good" packet, a new empty datagram is created on the internal side of the firewall
Creating a brand new datagram completely eliminates the possibility that an attacker could hide malicious data in any unused protocol headers or, for that matter, in any unused flags or other datagram fields
26. Strong Application Firewall
3. Protocol anomaly testing is performed on the packet to validate that all protocol headers are within clearly defined protocol specifications
This enables an administrator to minimize or eliminate the risk of many security issues that commonly plague SMTP applications on the Internet today, such as:
– Worm and virus attacks
– Mail relay attacks
– MIME attacks
– Spam attacks
– Buffer overflow attacks
– Address spoofing attacks
– Covert channel attacks
27. Strong Application Firewall
4. The application proxy applies the (very granular) command-level controls and validates these against the permission level of the user
The application proxy approach provides the ultimate level of application awareness and control; administrators have the granularity of control needed to determine exactly what kind of access is available to each user
28. Strong Application Firewall
5. Once the packet has been recognized as protocol-compliant and the application-level commands validated against the security policy for that user, the permitted content is copied to the new datagram on the internal side of the firewall
The application proxy breaks the client/server connection, effectively removing any direct link between the attacker and the protected server. By copying and forwarding only "good" contents, the application proxy firewall can eliminate virtually all protocol level and covert channel attacks
30. Unified Threat Management (UTM)
• Unified Threat Management security appliances are products that unify and integrate multiple security features onto a single hardware platform. Qualification for inclusion within this category requires network firewall capabilities, network intrusion detection and prevention (IDP), and gateway anti-virus (AV) functionality.