We were looking at packet filtering firewalls and going through some examples of creating rules for our firewalls. Remember what a packet filtering firewall does: given our aims, that is, what we want to block or what we want to allow, we create a rule to configure the firewall. The main things that rule checks, as packets come into the firewall, are the source and destination IP address, the source and destination port, the protocol, and maybe a few other options.

The example we got to had the aim, in our network, of stopping computer 12 from browsing to servers on the network 3.3.3.0. That is, if you're sitting at computer 12 and our firewall is on the router RA, when you try to access the website 3.3.3.35 the firewall should block that. Our assumption was that by default the firewall accepts everything: if a packet comes through and there are no rules, the packet is accepted. That's the default rule, or default policy. Then we write rules that drop the things we don't want to allow through. We came up with a rule saying: if the source is that of computer 12, the destination matches anything on the network 3.3.3.0 (including 3.3.3.35 and 3.3.3.36; we can use network addresses to capture a large set of destinations), the transport protocol is TCP, and, to identify web browsing, the destination port is 80 (we don't care what the source port is), then when that packet gets to the firewall, take the action of dropping it. We discussed some of the limitations, like: what about a secure web server, which uses port 443?

Ignoring that, this works. Let's just recap how HTTP works if the firewall rule were not present. We access the website using TCP as the transport protocol, so we first set up a TCP connection: SYN, SYN-ACK, ACK. Then the HTTP request goes from the client to the server requesting the web page, maybe there's a TCP ACK acknowledging that data, and finally the server sends the HTTP response containing the web page that was requested. That's the normal behaviour.

With our firewall rule in place, if we try this from computer 12, the first TCP SYN packet is sent from computer 12, reaches the firewall, and the firewall compares it to the rule. The packet matches those conditions, so the TCP SYN packet is dropped. Since the very first packet is dropped, it doesn't get to the server, so there's no response: no SYN-ACK comes back, no follow-up TCP ACK, and no HTTP request. We can't set up a TCP connection, so we can't request the web page, effectively blocking our access to the website. The point here is that we only need to drop one packet, the very first in the connection, for the whole application to stop working. All the subsequent packets won't be sent, because each depends upon the preceding one. So with a default policy of accept, where we accept everything except what the rules specify, we normally just need to write a rule to drop one packet in the exchange.

But we mentioned an alternative: we could have a default policy of drop, and that was your homework. Who has an answer for the homework? Bonus point for the homework on the NTP denial of service attack if you can give me the answer. The question was: change the default policy to drop, and try to implement the aim of allowing computer 12 to browse to the servers on 3.3.3.0. What's your answer? "Allow 12." So let's write it down; you tell me what to add as the rule, and we'll see how it works.

Our aim, in detail: allow computer 12 to browse to servers in the network 3.3.3.0/24, noting that by default our firewall doesn't allow anything. With a default policy of drop, everything is blocked. So what are our conditions? I'll write them a little shorter, to save space, and fit them on one line: source IP, destination IP, protocol, source port, destination port and action, with the answers underneath, forming a table. What was your answer? Similar to the other rule: source IP matches the IP address of computer 12, since we want to allow computer 12; destination IP is the subnet, 3.3.3.0/24, where the /24 indicates the special case that covers the whole subnet; protocol 6, for TCP; source port star, don't care; destination port 80, because we want to access a web server; action accept.

How is that different from the previous solution? What did you change? You changed the action from drop to accept, because we changed the default policy from accept to drop. So the idea here is: drop everything, but specify a rule that accepts some things, such that our aim is met. Does she deserve a bonus mark? If it works, you can have a bonus mark. Does it work? Can I access the websites? Let's see what would happen if we tried. We open our browser and access the site, and the normal behaviour is as specified before. What normally happens is that the browser contacts the web server by first sending a TCP SYN packet. Source is computer 12; destination is on the subnet 3.3.3.0, so those conditions are met. Destination port is 80; that condition is met. Source port is some number.
We don't care, because we said the condition was star, and the protocol is TCP. So when that TCP SYN packet is sent, it matches this rule because all the criteria match, and that TCP SYN packet is accepted by the firewall and allowed through. That works.

What happens next? The TCP SYN packet gets to the server. What does a server do when it receives a TCP SYN? It sends back a SYN-ACK packet. This TCP SYN plus ACK packet comes from the server and is going to the browser. The firewall is in the middle here, so it's going to be received by the firewall. What will our firewall do now? Is the condition met for the SYN-ACK packet?

Let's write down the characteristics so people can see. The TCP SYN, the first packet: source IP was 1.1.1.12; destination IP 3.3.3.35; protocol TCP; source port, the browser would be allocated a port number, so let's make one up, 50123; and the destination port would be 80. So that's the first packet sent by the browser. These are the four values in the packet header, and it's also TCP, we know that. Look at these four values, 1.1.1.12 and 3.3.3.35. Do they match the rule? Yes, they do: the source IP matches, the destination IP matches because it's on the subnet, we're using TCP, the source port rule says any value and 50123 is any value so that matches, and destination port 80 matches. So we accept that packet. It gets through the firewall.

The server sends back a response, this SYN-ACK, which has source IP 3.3.3.35 and destination IP 1.1.1.12, since it's coming back to the browser; we're still using TCP. Source port, what's the value? This is the TCP SYN-ACK returned from the server to the browser, and the server is using port 80, so the source port is 80. The destination port is the one that was the source at the browser, 50123, which I chose randomly. Still using TCP. This is the packet that comes back, and it gets to the firewall. Source IP 3.3.3.35: does it match 1.1.1.12? No. That packet's source IP address does not match the rule's source IP address, therefore this rule will not match. If the rule doesn't match, what do we do with the packet? Drop it. This packet gets dropped, the SYN-ACK doesn't get back to the browser, and therefore there's going to be no TCP ACK next and no HTTP request, because each packet depends upon the previous one. So our single rule did not quite allow us to access the website.

Here we need to be a little more careful and create a more complicated firewall configuration to accept this. What's the solution? How do we allow our browser to communicate with a web server and allow the responses back? It didn't quite work, so what do you do? Think about it: when you have an exam question, think what you have to do. What would you answer? Add more rules. What would that new rule be? Add a second rule that allows the return packets. That is, add a rule that says: if the source IP comes from network 3.3.3.0 and the destination IP is 1.1.1.12, the source port is 80 and the destination port is anything, again.
We don't know whether it will be 50123 or some other number, so we can't specify that. Allow the response to come back. So we need a second rule in this case, because with a single rule the packets from browser to server are accepted but the return packets are not, and for an application we normally need both ways, bidirectional communication.

So let's add that second rule. The way I'm writing the rules now is one row in a table per rule. For the source IP we essentially reverse things: 3.3.3.0/24, if the source is anyone out there and they're sending to computer 12. We're still using TCP. If the source port is that of a web server, 80, and the destination port is that of a web browser. What port does a web browser use? We don't know, it changes, so we use any value. Then accept it. Now the TCP SYN-ACK will be accepted through the firewall, the subsequent TCP ACK would match the first rule, and the other packets would match one of those two rules.

Effectively we need one rule that allows packets to go out and a second rule to allow the responses to come back. This is because we've done the inverse of the previous case: because we're dropping everything by default, we must explicitly allow packets going in both directions to allow all communications. When we accept by default, to stop the application from working we only need to drop one of the directions. So to achieve effectively the same thing, allowing the application, we need two rules instead of one.

We normally assume in a firewall that when we have multiple rules, we process those rules in order. We check our packet against the first rule; if it matches, take the action. If it doesn't match, move on to the next rule. If it doesn't match any of the rules, take the default action. The set of rules builds up a table, and we refer to that as a firewall table, or a table of rules. So depending upon whether we have a default policy of accept or drop, we have different ways to implement the aim in a firewall. Any questions on how to build your firewall rules? Okay, so this one's a little bit more complicated: we need the two rules.

One of the practical challenges with firewalls is that someone has to create these rules; a human administrator has to do it. When we're setting up the firewall, it's not just one or two rules that we need to add; there are normally many rules, because this only allows computer 12 to access websites. What if we also want to allow computer 12 to access secure shell servers in another network? Then we need more rules. So as we want to allow more applications, the set of rules builds up, and one of the challenges with securing firewalls is to make sure there are no mistakes in those rules. As soon as you make a mistake, something's going to go wrong with how the firewall operates, and it may lead to either a security violation or an inconvenience or problem for our end users. The impact of the mistake mainly depends upon the default policy. We saw an example of a default policy of accept: allow everything except what our rules say. Here we see an example of a default policy of drop: drop everything except what our rules say. Which one's better? A common exam question is to explain the differences between the two default policies in firewalls; if you look in last year's exam, I think it was there. What would you say? Which one's better, default drop or default accept? Default accept? Why? If we want to drop many things, then why did we buy a computer?
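As an added example (not part of the lecture), here is a small Python simulator of the rule table the lecture builds up: rules processed in order, wildcards, subnets in CIDR form, and a default policy. It runs the three cases just discussed: default accept with the single drop rule, default drop with only the outbound accept rule (the SYN-ACK is dropped), and default drop with the reversed second rule added. The addresses 1.1.1.12 and 3.3.3.0/24 and the browser port 50123 are the lecture's; computer 11's address 1.1.1.11 is assumed from the same numbering scheme, and the packet sequence is constructed.

```python
# Added example, not from the lecture: a minimal packet-filter simulator.
# A rule has the lecture's six columns (source IP, destination IP, protocol,
# source port, destination port, action); rules are checked in order and the
# first match wins, otherwise the default policy applies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"  # wildcard ("don't care") for any column

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: str = ""  # label for readability only: "SYN", "SYN-ACK", ...

@dataclass(frozen=True)
class Rule:
    src: str         # host address, CIDR network, or ANY
    dst: str
    proto: str
    sport: object    # int or ANY
    dport: object
    action: str      # "accept" or "drop"

def _ip_match(spec, addr):
    if spec == ANY:
        return True
    # ip_network("1.1.1.12") is the /32 host, so hosts and subnets are handled alike
    return ip_address(addr) in ip_network(spec, strict=False)

def _field_match(spec, value):
    return spec == ANY or spec == value

def rule_matches(rule, pkt):
    return (_ip_match(rule.src, pkt.src_ip) and _ip_match(rule.dst, pkt.dst_ip)
            and _field_match(rule.proto, pkt.proto)
            and _field_match(rule.sport, pkt.src_port)
            and _field_match(rule.dport, pkt.dst_port))

def filter_packet(rules, default_policy, pkt):
    """First matching rule decides; with no match the default policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default_policy

# The HTTP exchange from the lecture as a constructed packet sequence.
C12, SRV = "1.1.1.12", "3.3.3.35"
HANDSHAKE = [
    Packet(C12, SRV, "tcp", 50123, 80, "SYN"),
    Packet(SRV, C12, "tcp", 80, 50123, "SYN-ACK"),
    Packet(C12, SRV, "tcp", 50123, 80, "ACK"),
    Packet(C12, SRV, "tcp", 50123, 80, "HTTP request"),
]

def run_exchange(rules, default_policy, packets=HANDSHAKE):
    """Feed the packets in order and stop at the first drop, because each later
    packet depends on the previous one being delivered. Returns (label, action)."""
    actions = []
    for pkt in packets:
        action = filter_packet(rules, default_policy, pkt)
        actions.append((pkt.flags, action))
        if action == "drop":
            break
    return actions

# Case 1, default accept: one drop rule stops the SYN, so nothing else is sent.
DROP_WEB = [Rule(C12, "3.3.3.0/24", "tcp", ANY, 80, "drop")]

# Case 2, default drop: the single accept rule lets the SYN out but not the SYN-ACK back.
ALLOW_OUT = Rule(C12, "3.3.3.0/24", "tcp", ANY, 80, "accept")

# Case 3, default drop: the reversed second rule lets the server's replies in.
ALLOW_BACK = Rule("3.3.3.0/24", C12, "tcp", 80, ANY, "accept")

if __name__ == "__main__":
    print("default accept + drop rule:", run_exchange(DROP_WEB, "accept"))
    print("default drop + one rule:   ", run_exchange([ALLOW_OUT], "drop"))
    print("default drop + two rules:  ", run_exchange([ALLOW_OUT, ALLOW_BACK], "drop"))
```

Running it prints a single dropped SYN for case 1, an accepted SYN followed by a dropped SYN-ACK for case 2, and four accepted packets for case 3, which is exactly the difference between the two default policies that the lecture walks through by hand.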
Why do we have internet connectivity? Okay, so there's one argument for accepting everything and only dropping the things that you explicitly state, under the assumption that you don't want to drop many things: you want to allow your computer to access many websites and many different services. That's one argument, which may apply for a home user. But with respect to security, maybe that's not the best approach. Think about what happens if we make a mistake. If we have a default policy of accept, then an attacker outside may be able to access our computers inside, because we accept everything. We don't know what the attacker is going to do in advance, so they may be able to send packets into our network, accessing our resources when we don't want them to. That's one of the problems with a default policy of accept: we allow everything, including our own data, but we also allow the attacker's, the malicious user's, data to come in. Commonly we want a firewall to block people outside from accessing our internal resources.

I don't want something on the internet logging into my laptop, whether it's at work or at home. I'd like to configure the firewall to block that: not just block on known ports, but maybe block on everything. So maybe the best way to set a default policy with respect to security is to drop everything, don't allow anyone to do anything, but then make exceptions: add some rules to allow the users to do certain things that we want them to do. In that case, even if we make a mistake and forget to allow something, the packets will be dropped. The only problem with a mistake in that case is that we may drop a normal user's packets, causing them an inconvenience. So accepting everything is maybe easier; dropping everything is more secure. It's highly recommended when you set up a firewall, especially for a network, that you use a default policy of drop: drop everything, then create the rules to allow the things that you think should be allowed. Drop is better, but it may lead to more complex firewall rules, as in this case, where we need two rules as opposed to the single one.

Let's return to the slides and see what we've missed, or summarize some points. A packet filtering firewall: we have some policy, some aims.
We implement that policy via a set of rules. The rules define which packets can pass through the firewall: which can come in to our internal network and which can go out. So the firewall inspects each arriving packet, in both directions normally, and compares every packet against our set of rules. It takes action based upon a matching rule. In practice what we do is define a set of rules and have a default which matches everything else. A default policy of accept, also called allow or forward, is one option; a default policy of drop, or reject or discard, is the other option. The drop policy is recommended for security purposes, because if you drop everything then at least the attackers cannot get in and we cannot have security violations. It may mean we inconvenience our users because their traffic is blocked, but we can fix that. So if we want security over convenience, we use a default policy of drop.

How do we write the rules? We use some of the criteria from the packets, like addresses and port numbers, as we've seen in the examples. We can use other things, like the direction as indicated by the interface on the firewall: did the packet come from outside or from inside? We can make different rules depending upon the direction. We can use wildcards to match multiple values. The actions are typically accept or drop, but they can be more complicated than that: an action could be to send this packet to some other piece of software to process.

We often think of a firewall as a piece of software that checks packets as they come into a computer, and different operating systems have software to do this. In Linux one of them is called iptables, and we'll use that in some examples. On Mac it's ipfw, software that allows you to add rules. Windows as well: in the past it was called Windows Firewall, software that allows you to configure rules so that on your computer the operating system will block or allow packets as you specify. So some operating systems have firewall functionality built in, or you can install standalone software, which maybe makes it easier, or creates some default rules that make it easier for the end user. That's normally software that you may install on your desktop or laptop computer.

For a large organisation, normally the firewall would be running on a device like a router, or even possibly a switch, or a dedicated piece of hardware that controls packets coming into and out of the network. There are different approaches: you can buy a piece of hardware which is primarily designed to be a firewall, and here we list some of the commercial names of dedicated firewalls, or you can build your own hardware and install special software, a special operating system that is tailored to act as a firewall; pfSense, m0n0wall and others are some of those. So you can buy the hardware which does a firewall, or you can buy your own hardware and install your own firewall software, whichever you prefer.

In large networks performance is an issue. Every packet that comes into the network and goes out has to be processed by the firewall, in a large network with thousands of users. Inside SIT it's reasonably large: we have hundreds,
maybe thousands of users at times. There are many packets going out, maybe hundreds of thousands of packets per second coming in and out of our network, which all need to be checked by the firewall. The slower the firewall is, the larger the delay for those packets and the more inconvenience for the users. So sometimes that's where dedicated hardware is of benefit: it's designed to be as fast as possible at processing the packets. Performance becomes an issue for large networks.

Packet filtering firewalls (we'll see some extensions shortly) are quite simple. Simple in that the rules usually contain just five or six different conditions; it's quite easy to implement those rules and to specify them. They're very fast compared to some other approaches. Why would they be fast? Because the fields in the packets that the firewall needs to look at are usually known in advance, and there's not much processing to check those values, so they can be implemented very fast in software, or sometimes in hardware. Transparent to users means that the firewall doesn't change anything if the data is accepted. If your data is accepted, the user doesn't even know the firewall is there; the users don't know about it and are not affected by it. They just send their normal packets; if accepted, they go through. If rejected or dropped, of course, the users will notice, but in the normal case the firewall doesn't impact how the users' applications operate. We'll see some variations where that's not the case.

Some limitations of packet filtering firewalls. Some attacks cannot be detected by a packet filtering firewall, because packet filtering firewalls normally don't look at the application data. They don't look at the web page in the response; they just look at the addresses and port numbers. So if a web page comes into the internal network, a packet filtering firewall normally will not look at the content, and therefore if an attack is based upon the content, the firewall may accept it, making attacks easier. We'll see some variations that look at the content. Although packet filtering firewalls can count packets coming in and out, and we'll see some examples, they may not be able to log details about the individual users and the applications being used. The only way we identify end users with packet filtering firewalls is by IP address.

Let's say I want to set up my firewall for SIT such that it allows Steve to access Facebook but blocks all students from accessing Facebook. Then the firewall needs to identify, when a packet comes in, whether this packet belongs to Steve or to a student. How would a firewall know who sent that packet? The source IP address may be one way: if it comes from the IP address corresponding to Steve's computer then it's allowed; if it comes from an IP address corresponding to what a student uses, it's blocked. That's one way, but unfortunately it's not always precise. What is my IP address? Well, we need to configure it for my laptop, for my phone, for my tablet, so the firewall needs to be aware that Steve's IP address is not just one device; it's multiple devices with these values. Now they need to do it for every other faculty member, because they also want to access Facebook. So it becomes a challenge to map users to IP addresses. What's the IP address of a student? Check your phone (instead of playing games) and have a look at your IP address. What is it? What's the range of addresses allocated to students? 10.10.98.253, 10.10.100.100, or something like that.

Okay, so 10.10, in the range of 90 or 100, followed by some number. In fact, those IP addresses are normally allocated to whoever connects to the Wi-Fi. If I connect to the Wi-Fi, I would also get one of those IP addresses. So how does the firewall distinguish between me and a student if we get the same range of IP addresses? Using IP addresses to identify users is not always easy, and packet filtering firewalls normally just use IP addresses, so they don't have any advanced way to identify and authenticate individual users. If you configure the firewall in the wrong way you can have breaches; that's the same with many firewalls. And some may be subject to attacks if there are bugs or problems with the protocols being used; I don't think we'll see an example of that.

Let's come back to our example of allowing the website. This aim was implemented using two rules: allow the packets going from the client to the server with the first rule, and allow the packets coming from the server back to the client with the second rule. Can someone see a security flaw in this? Our aim: don't allow anyone to communicate, drop everything. Computer 11 cannot get out; no one can get into our network. That's our aim, except that computer 12 can access the websites. These two rules allow computer 12 to access the websites. If computer 11 tries to access the websites, it will be dropped, because it'll be a different source IP. Do these rules allow anyone to get in? You're outside the network and you want to send a packet into the internal network. How would you do that? The firewall has these two rules and you want to bypass the firewall. How could you do that?
You're outside, maybe you're computer 36, and you're malicious. You want to get a packet into the internal network. The aim was that no one can send in and no one can send out, except that computer 12 can access the websites, and we implement these two rules. If you're on computer 36, how could you get a packet into our internal network? What would you do to bypass the firewall? Any ideas? Anyone a hacker, or wants to defeat the firewall? Yeah: you break into the computer centre, which is locked and has security cameras on it, and you turn off the firewall. All right, you can try that one. Or you go to the network administrator and pay him a million baht and say, please turn off the firewall. You could try that one too.

Let's say we are in this network, we are computer 36 as the attacker. Can we send a packet in? Yes. Why? You're computer 36, you're the attacker, you want to send a packet in to defeat the aim of not allowing anything in. Why can you? Because of the second rule. I am computer 36; I create a packet. When I send a packet, I can set the source values to whatever I like; it's my computer. My IP address is 3.3.3.36. I'm not acting as a web server, but I can still use the port number 80: there's nothing to stop me from starting an application on my computer with any port number, I can start netcat on any port number. So what I do is create a packet whose source IP is 3.3.3.36, which matches the first condition of the second rule. I send it to 1.1.1.12, which matches the destination IP. I'm using TCP, which matches. I create an application on my computer, as the attacker, which uses port 80, a special application just for this attack, so the source port will be 80. The destination port doesn't really matter; maybe it's port 80. I know that there's a web server on computer 12, so I send it to the port number of a known server on computer 12, a known application. That packet comes into the firewall: the source IP matches, the destination IP matches, the source port matches, therefore the packet is accepted in. That's a problem. We created the second rule to allow responses to come back, but it allows any packet to come in as long as it matches those conditions. Any questions on how to bypass this firewall? Okay, you can bypass it. Why? We just create a packet that meets the conditions that our firewall allows, in this case the second rule.

So just to summarize the approach: as the attacker, let's say I'm computer 36, I run my own application which uses port 80, so the source port will be 80. The source IP matches. I send this packet to computer 12; it gets to the firewall going to computer 12, so the destination IP matches. We're using TCP. The source port is that used by my application. The destination port I set to, say, 22, if there's a secure shell server on computer 12. This packet gets to the firewall, the second rule matches, and the packet is accepted. That's against our original intention of not allowing anything in except the responses. So that's a problem: in this case we don't just allow the responses to the web request to come in, we allow any packets in which match those conditions. How do you stop that? Any ideas for stopping this attack? Coming back to what we aimed to do, if we scroll up:

We wanted the first rule to allow our packets out and the second rule to allow the responses to come back. The problem with that second rule is that it also allows initial packets to come from the outside in. If we want to stop that, we need to somehow specify that the second rule only applies to responses to packets accepted by the first rule. The second rule should have another condition, something saying the packet must be a response to a packet accepted by the first rule. We could try to do that based upon the packet types: if it's a TCP SYN packet, allow it to go out; if it's a SYN-ACK, allow it to come in via the second rule; or a TCP ACK, allow it to come in. But it gets complicated if we have to have these extra conditions.

So in practice, to overcome this problem, there's another approach, called stateful packet inspection, SPI. Our problem in general is that when we drop everything, we need to allow the packets to go out and the packets to come back in response, and in TCP there are some expected types of packets. Another way to think of it is that we want to allow a TCP connection to be set up, and any packets associated with that connection to be subsequently accepted. Firewalls can have an extra feature called stateful packet inspection that will automatically do that for us. So let's have a look and see how SPI works. With stateful packet inspection, an extra feature of the firewall is that it automatically allows some packets. Let's see how it works with an example.
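As an added example (not from the lecture), here is a small Python model of the point just made: the lecture's stateless second rule next to a connection-tracking ("stateful") filter. It evaluates the same three packets, the SYN from computer 12, the server's SYN-ACK, and the constructed packet from the outside host 3.3.3.36 with source port 80 aimed at port 22 on computer 12, and shows that the stateless reply rule accepts the unsolicited packet while the tracker drops it, because no connection to 3.3.3.36 was ever opened from inside. The addresses, the browser port 50123 and the SSH port 22 follow the lecture; the tracker is a simplified one written for this example and ignores TCP flags.

```python
# Added example, not from the lecture: the stateless "reply" rule beside a
# connection-tracking (stateful) filter with a default policy of drop.
# Addresses follow the lecture: 1.1.1.12 is computer 12, 3.3.3.35 the web
# server, 3.3.3.36 the outside host, 50123 the browser's port, 22 SSH.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    flags: str = ""   # label only; this simplified tracker does not check TCP flags

INSIDE_HOST = "1.1.1.12"
WEB_NET = ip_network("3.3.3.0/24")

def outbound_web_rule(pkt):
    """The lecture's first rule: TCP from 1.1.1.12 to 3.3.3.0/24 port 80, accept."""
    return (pkt.proto == "tcp" and pkt.src_ip == INSIDE_HOST
            and ip_address(pkt.dst_ip) in WEB_NET and pkt.dst_port == 80)

def stateless_reply_rule(pkt):
    """The lecture's second rule: TCP from 3.3.3.0/24 port 80 to 1.1.1.12, any
    destination port, accept. It cannot tell a reply from a fresh packet."""
    return (pkt.proto == "tcp" and ip_address(pkt.src_ip) in WEB_NET
            and pkt.dst_ip == INSIDE_HOST and pkt.src_port == 80)

def conn_key(pkt):
    """Direction-independent connection identifier: a reply swaps source and
    destination but has the same two endpoints, so it maps to the same key."""
    return (pkt.proto, frozenset({(pkt.src_ip, pkt.src_port),
                                  (pkt.dst_ip, pkt.dst_port)}))

class StatefulFirewall:
    """Default drop. A packet matching the outbound rule opens a tracked
    connection; later packets of a tracked connection are accepted in either
    direction. Anything else, including unsolicited inbound packets, is dropped."""
    def __init__(self):
        self.conntrack = set()

    def filter(self, pkt):
        key = conn_key(pkt)
        if key in self.conntrack:
            return "accept"           # reply or continuation of an allowed connection
        if outbound_web_rule(pkt):
            self.conntrack.add(key)   # remember it so the server's replies can return
            return "accept"
        return "drop"

def demo():
    fw = StatefulFirewall()
    syn = Packet(INSIDE_HOST, "3.3.3.35", "tcp", 50123, 80, "SYN")
    syn_ack = Packet("3.3.3.35", INSIDE_HOST, "tcp", 80, 50123, "SYN-ACK")
    # Constructed packet from the outside host: source port 80 makes it look
    # like a web-server reply, destination port 22 is SSH on computer 12.
    unsolicited = Packet("3.3.3.36", INSIDE_HOST, "tcp", 80, 22, "SYN")
    return {
        "syn_out": fw.filter(syn),
        "syn_ack_back": fw.filter(syn_ack),
        "unsolicited_stateless": "accept" if stateless_reply_rule(unsolicited) else "drop",
        "unsolicited_stateful": fw.filter(unsolicited),
    }

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The tracker keys connections on the endpoint pair only, which is enough to show the difference from the stateless rule. A production connection tracker additionally checks that the first packet is a SYN from the allowed side, follows the TCP state machine so that a stray ACK cannot create an entry, and expires entries after a timeout; without those checks a tracker of this shape would still accept any packet whose endpoints happen to match an open entry.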