Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition (2013)

---

Firewalls mean different things to different organizations, and each organization has unique requirements. Nevertheless, all firewalls usually share some common properties:

• Must be resistant to attacks: Compromise of the firewall system should be very unlikely, because it would enable an attacker to disable the firewall or change its access rules.

• Must be the only transit point between networks: All traffic between networks must flow through the firewall. This requirement prevents a hacker from using a backdoor connection to bypass the firewall and violate the network access policy.

• Enforces the access control policy of an organization: The access control policy should define what the firewall permits or denies.

By performing network access control, you can use a firewall as a protective measure against the following:

• Exposure of sensitive hosts and applications to untrusted users: A firewall hides most of the functionality of a host and permits only the minimum required connectivity to a host. Complexity is thus reduced, and many possible vulnerabilities are not exposed.

• Exploitation of protocol flaws: You can program a firewall to inspect protocol messages and verify their compliance with the protocol, whether it is Layer 3, Layer 4, or a higher-layer protocol. The firewall limits what attackers can send to their target, preventing the delivery of malformed packets that are used in an attempt either to crash a system or to gain access to an application.

• Malicious data: A firewall can detect and block malicious data sent to clients or servers inside the application stream, thereby stopping it from infecting the server or the client. Because firewalls are located on critical interconnection points of the network, enforcing the network access policies is simple, scalable, and robust. Sometimes a small number of firewalls can handle most of the network access control needs of an organization.

Firewalls are often misunderstood, and false assumptions are often made about their capabilities. Although it is true that firewalls would not be necessary if host and application security could be made extremely robust, many organizations use firewalls as a replacement for host or application security. Such an attitude is extremely dangerous because it can completely ignore host and application security even in extreme cases, such as connecting a sensitive server inside an Internet firewall.

Today, firewalls are such a mainstream technology that they are often considered a panacea for many security issues. While you should be aware of the benefits of the firewall model, you should also be aware of the many limitations that firewalls have and how to mitigate some of these limitations:

• Because firewalls are used in critical points of the network, their misconfiguration can have disastrous consequences. Firewalls are often a single point of failure when it comes to security; a single mistake in a configuration rule or firewall code can compromise the network access policy.

• Many modern applications require that the firewall handle, in addition to the primary control connection, secondary connections that are created to carry, for example, data. A typical example is an application that opens dynamic sessions from the outside to the inside after an initial client request initiated from the inside to the outside. Multimedia applications such as those for audio streaming and videoconferencing are examples where the user opens one session from the inside to the outside to request a feed. To support the streaming, however, additional sessions are opened from the outside to the inside, and by default the firewall rejects those new incoming requests. Once firewall vendors have a chance to study the new protocol, they can create a rule that forces the firewall to peek inside the payload of the original outgoing packet to gain information about the additional sessions that will be created and to prepare for those new incoming sessions.

• End users, when faced with a restrictive firewall, might find their own methods of bypassing it. For example, inside users may use wireless broadband from the protected network to an Internet service provider (ISP) and create a backdoor connection to the protected network.

• Because firewalls are commonly placed at chokepoints, the design of the firewall model must ensure network performance is not affected by inspecting all the traffic.

• Tunneling unauthorized data over authorized connections (covert channels) is simple and generally impossible to detect. This activity usually requires the help of someone on the trusted side of the firewall.

Firewalls in a Layered Defense Strategy

In a layered defense scenario, firewalls provide perimeter security of the entire network and of internal network segments in the core. For example, system administrators can use a firewall to separate the human resources and financial networks of an organization from other networks or network segments within the organization.

A layered defense strategy combines different types of firewalls in layers to add depth to the information defense of an organization, as shown in Figure 9-2. For example, traffic that comes in from the untrusted network first encounters a packet filter on the outer router, located in the perimeter security. The traffic next goes to the screened host firewall or bastion host system, which applies more rules to the traffic and discards suspect packets. This bastion host system is also part of the perimeter security. The traffic then goes to an interior screening router, part of the core network security. The traffic moves to the internal destination host only after this routing. This type of demilitarized zone (DMZ) setup, located between the perimeter and the core, is called a screened subnet configuration. Endpoint traffic moves in the network after it has been properly authenticated by sophisticated Identity services.

Figure 9-2. Layered Defense Strategy

Two recurring terms in this chapter are bastion host and packet filter, which are defined as the following:

• Bastion host: A computer that is expected to be attacked and therefore is hardened. An example of a bastion host is firewall software installed on a workstation that is already running a commonly available operating system. Before the firewall is put into production, the workstation needs to be hardened to protect against the potential vulnerability that the operating system has.

• Packet filter: Typically, a router configured with access lists used to filter out unwanted traffic.

A common misconception is that a layered firewall topology is all that you need in place to declare your internal network to be safe. This myth is probably encouraged by the booming firewall business; however, you need to consider the following factors when building a complete defense-in-depth environment:

• A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses downloaded through email.

• Firewalls do not protect against rogue modem or rogue wireless access point installations. In addition, and most important, a firewall is not a substitute for informed administrators and users.

• Firewalls do not replace backup and disaster recovery mechanisms resulting from attack or hardware failure. An in-depth defense also includes offsite storage and redundant hardware topologies.

Defense in depth and diversity of defense are related topics. Defense in depth calls for multiple levels of defense; diversity of defense calls for using different types of technologies in that defense.

An example of implementing both diversity of defense and defense in depth is using a perimeter router as a packet filter and using a stateful firewall to segment the unprotected segment from the protected segment.

Static Packet-Filtering Firewalls

Packet-filtering firewalls work primarily at the network layer of the Open Systems Interconnection (OSI) model, or the IP layer of TCP/IP, as shown in Figure 9-3. Packet-filtering firewalls are generally considered Layer 3 devices, but they typically have the capability to permit or deny traffic based on Layer 4 information, such as protocol, and source and destination port numbers, in addition to the Layer 3 source and destination IP address. Packet filtering uses rules and ACLs to determine whether to permit or deny traffic based on source and destination IP addresses, protocol, source and destination port numbers, and packet type. Packet-filtering firewalls are usually part of a router firewall.

Figure 9-3. How Static Packet Filters Map to the OSI Model

Recall that services rely on specific ports to function; for example, Simple Mail Transfer Protocol (SMTP) servers listen to port 25 by default. Because packet-filtering firewalls filter traffic according to static packet header information, they are sometimes referred to as static filters. By restricting certain ports, you can restrict the services that rely on those ports. For example, blocking port 25 on a specific workstation prevents an infected workstation from broadcasting email viruses across the Internet.

Packet-filtering firewalls are similar to packet-filtering routers but with some differences in implementation. Packet filters are very scalable, application independent, and have high performance standards; however, they do not offer the complete range of security solutions required in modern networks. For example, a packet filter does not have the capability to understand dynamic protocols upon which a client request requires additional incoming connections to be initiated from the outside, toward the inside client.

Any device that uses ACLs can perform packet filtering. Cisco IOS router configurations commonly use ACLs, not only as packet-filtering firewalls but also to select specified types of traffic that is to be analyzed, forwarded, or influenced in some way. Later in this chapter, you will see examples of both ingress and egress filtering done with ACLs.

Figure 9-4 shows a simple packet-filtering example using a Cisco router.

Figure 9-4. Static Packet Filter in Action

In most network topologies, you need to protect the Ethernet interface connecting to the internal (inside) network, while the serial interface that connects to the Internet (outside) is unprotected. In Figure 9-4, the internal addresses that the firewall must protect are in the 10.1.1.0/24 subnet (on the Ethernet interface). The IP address of the Ethernet 0 interface is 10.1.1.1/24.

The particular network security policy shown in Figure 9-4 (ACL 101) allows all users from the inside to access Internet services on the outside. Therefore, all outgoing connections are accepted. The router checks only packets coming from the Internet (security policy ACL 102). In this case, the ACL allows Domain Name System (DNS), SMTP, and FTP services, and the return of traffic initiated from the inside. ACL 102 denies access to all other services.

Packet-filter firewalls (or packet filters) use a simple policy table lookup that permits or denies traffic based on the following possible criteria:

• Source IP address

• Destination IP address

• Source port number

• Destination port numbers

• Synchronize/start (SYN) packet receipt

The firewalls are extremely fast because they do little computation. The rules are extremely easy to implement because they require little security expertise. Router manufacturers easily embed packet-filtering logic in silicon and, consequently, packet filtering is a feature of most routers. Packet-filtering firewalls are relatively inexpensive. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at the network and transport layers.

Packet filters do not represent a complete firewall solution. However, they are a key element of a secure architecture.

The following are disadvantages of packet filters:

• Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.

• Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the Layer 4 header in the first fragment and packet filters may filter based on information found in the Layer 4 header, fragments after the first fragment are passed unconditionally. A decision to use packet filters assumes that the filter of the first fragment accurately enforces the policy.

• Complex ACLs are difficult to implement and maintain correctly.

• Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.

• Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.

Application Layer Gateways

Application layer firewalls, also called proxy firewalls or application gateways, provide a higher level of security than packet-filtering firewalls because they allow the greatest level of control. Application gateways operate on Layers 3, 4, 5, and 7 of the OSI model, as shown in Figure 9-5.

Figure 9-5. Application Layer Gateway in Action

Most application layer firewalls include specialized application software and proxy servers. A proxy is an application that does work on behalf of something else. Proxy services are special-purpose programs that manage traffic through a firewall for a specific service, such as HTTP or FTP. Proxy services are specific to the protocol that they are designed to forward, and they can provide increased access control, perform careful detailed checks for valid data, and generate audit records about the traffic that they transfer.

Proxy firewalls act as intermediaries between networks to determine whether to allow the communication to proceed. No direct connection exists between an outside user and internal network resources, because the original connection stops in the proxy and a new connection is set between the proxy and the outside destination. For this reason, the only IP address of the network that is visible from the Internet is the IP address of the outside interface of the proxy. The client connects to the proxy server and submits an application layer request. The application layer request includes the true destination and the data request itself. The proxy server analyzes the request and can filter or change the packet contents. The server makes a copy of each incoming packet, changes the source address, and sends the packet to the destination address. The destination server replies to the proxy server, and the proxy server passes the response back to the client.

Sometimes, application layer firewalls support only a limited number of applications, or even just one application. Some of the more common applications that an application layer firewall might support include email, web services, DNS, Telnet, FTP, Usenet news, Lightweight Directory Access Protocol (LDAP), and Finger.

Application layer firewalls provide several advantages:

• Application layer firewalls authenticate individuals, not devices: These firewalls typically allow you to authenticate connection requests before allowing traffic to an internal or external resource. This process enables you to authenticate the user requesting the connection instead of authenticating the device.

• Application layer firewalls make it is harder for hackers to spoof and implement DoS attacks: An application layer firewall enables you to prevent most spoofing attacks, and DoS attacks are limited to the application firewall itself. The application firewall can detect DoS attacks, and thus reduce the burden on your internal resources.

• Application layer firewalls can monitor and filter application data: You can monitor all data on a connection, so you can detect application attacks such as malformed URLs, buffer-overflow attempts, unauthorized access, and more. You can even control the commands or functions you allow an individual to perform based on the authentication and authorization information.

• Application layer firewalls can provide detailed logging: Using application layer firewalls, you can generate detailed logs and monitor the actual data that the individual is sending across a connection. This logging can prove extremely useful if a hacker finds a new type of attack, because you can monitor what the hacker does and how the machine does it, and then address the attack. Besides using logging for security purposes, you can use it for management purposes by keeping track of who is accessing what resources, how much bandwidth is used, and how often a user accesses the resources.

The topology in Figure 9-6 represents a typical proxy server deployment. A client inside the network is requesting access to a website. The client browser uses a proxy server for all HTTP requests. Perfect examples of proxy gateways performing application layer filtering are the Cisco IronPort Web Security Appliance (WSA) and the Cisco IronPort Email Security Appliance (ESA). Network security policies force all client connections to go through the proxy server. As shown in Figure 9-6, the browser connects to the proxy server to make requests. Client-side DNS queries and client-side routing to the Internet are not needed when using a proxy server. The client has to reach only the proxy server to make the request.

Figure 9-6. Proxy Server Communication Process

When the proxy server receives the request from a client, it performs user authentication according to the rules applied to it and uses its Internet connection to access the requested website. It forwards only packets that match the firewall rules. On the return route, the proxy server analyzes the packet, including the Layer 5 and Layer 7 header and payload, to ensure that the server allows the content of the reply back in (as an example, checking whether the payload carries hidden malware) before forwarding the packet to the client.

In spite of how an application layer firewall works, with its thorough inspection of the request and response, this firewall provides only a limited number of services, such as HTTP and FTP; however, this type of firewall provides the highest level of filtering for those specific protocols.

The main limitation of application layer firewalls is that they are process intensive because the server evaluates a significant amount of information embedded in many packets. This type of technology requires many CPU cycles and a lot of memory to process every packet that needs inspection, which sometimes creates throughput problems. In addition, the detailed logging can create disk space problems. To address these issues, you can use one of two solutions:

• Employ a context transfer protocol: Using a context transfer protocol, where identity-specific information tracks users, enables you to perform only authentication and authorization; you cannot monitor data on the connection, only whether the user is authorized to go on the Internet. This solution is not a real firewall per se, because packets are checked not for their content but for the validity of their source and destination addresses. This solution would be similar to a packet filter that has the capability to learn the source and destination information dynamically and match return traffic based on that information.

• Monitor only key applications: With this solution, you limit the application layer firewall to process only certain application types (such as email, Telnet, FTP, or web services) and then, perhaps, process only connections to specific internal resources. The problem with this approach is that you are not monitoring all applications and connections, and this creates a security weakness.

Application layer firewalls typically do not support all applications, such as multimedia or peer-to-peer file sharing applications (to name a few). Instead, they are generally limited to one or a few connection types, typically common applications such as email, Telnet, FTP, and web services. Therefore, an application layer firewall cannot monitor data on all applications: it monitors data only on applications it intrinsically understands.

Finally, application layer firewalls sometimes require you to install vendor-specific software on the client, which the firewall uses to handle the authentication process and any possible connection redirection. This limitation can create scalability and management problems if you must support thousands of clients.

Dynamic or Stateful Packet-Filtering Firewalls

Stateful packet filters, or stateful firewalls, are the most versatile and therefore the most common firewall technologies in use. Stateful filtering provides dynamic packet-filtering capabilities to firewalls. Stateful inspection is a firewall architecture that is classified at the network layer, although for some applications it can analyze traffic at Layer 4 and Layer 5, too, as shown in Figure 9-7. Some stateful firewalls can analyze traffic up to Layer 7 under special circumstances and additional configuration.

Figure 9-7. Stateful Packet-Filtering Firewall

Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and confirms that the session is valid. Stateful packet filtering maintains a state table and allows modification of the security rules on-the-fly. The state table is part of the internal structure of the firewall and tracks all sessions and inspects all packets passing through the firewall. If packets have the expected properties that are predicted by the state table, the firewall allows them to pass. The state table changes dynamically according to traffic flow.

Stateful firewalls use a state table to keep track of the actual communication process. From a transport layer perspective, the firewall examines information in the headers of Layer 3 packets and Layer 4 segments. For example, the firewall looks at the TCP header for SYN, reset (RST), acknowledgment (ACK), FIN, and other control codes to determine the state of the connection. In this scenario, the session layer is responsible for establishing and tearing down the connection.

When an outside service is accessed, the stateful packet filter firewall “remembers” certain details of the request by saving the state of the request in the state table. Each time a TCP or User Datagram Protocol (UDP) connection is established for inbound or outbound connections, the firewall logs the information in a stateful session flow table. When the outside system responds to the request, the firewall server compares the received packets with the saved state to allow or deny network access.

The stateful session flow table contains the source and destination addresses, port numbers, UDP connection information and TCP sequencing information, and additional flags for each TCP connection associated with a particular session. This information creates a connection object against which the firewall compares all inbound and outbound packets. The firewall permits data only if an appropriate connection exists to validate the passage of that data.

More advanced stateful firewalls include the capability to parse FTP port commands and update the state table to allow FTP to work transparently through the firewall. Advanced stateful firewalls can also provide TCP sequence number randomization, and DNS query and response matching to ensure that the firewall allows packets to return only in response to queries that originate from inside the network. These features reduce the threat of TCP RST flood attacks and DNS cache poisoning. Some stateful firewalls can also check the validity of protocol commands to ensure that intrusive and dangerous commands are not admitted on the network.

Packets inside the network must make their way to the outside network. This can possibly expose internal IP addresses to potential hackers. That is why most firewalls incorporate Network Address Translation (NAT) with stateful inspection and proxy servers for added security.

Stateful firewalls keep track of the state of a connection: they know whether the connection is in an initiation, data transfer, or termination state. This information is useful when you want to deny the initiation of connections from external devices (default behavior of a firewall) but allow your inside users to establish connections to these external devices and permit the responses to come back through the stateful firewall.

Figure 9-8 shows a successfully established HTTP TCP session that leads to a dynamic ACL rule entry on the outside interface that permits response packets from the web server to the client.

Figure 9-8. Stateful Packet Filtering

Stateful packet-filtering firewalls are good to use for the following applications:

• As a primary means of defense: In most situations, a stateful firewall is used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.

• As an intelligent first line of defense: Networks use routing devices that support a stateful function as a first line of defense or as an additional security boost on perimeter routers.

• As a means of strengthening packet filtering: Stateful filtering provides more stringent control over security than packet filtering does, without adding too much cost.

• To improve routing performance: Stateful packet-filtering devices perform better than packet filters or proxy servers. Stateful firewalls do not require a large range of port numbers to allow returning traffic back into the network, providing that the firewall is familiar with the protocol and its behavior. The state table determines whether a packet is returning traffic. If it is not returning traffic, the filtering table filters the traffic.

• As a defense against spoofing and DoS attacks: Stateful packet filtering works on packets and connections. In particular, stateful firewalls track the state of the connection in the state table listing every connection or connectionless transaction. By determining whether packets belong to an existing connection or are from an unauthorized source, stateful firewalls allow only traffic from connections that are listed in the table. As an example, during the three-way handshake of a TCP session, the firewall tracks the flag and therefore can predict what the following exchange between the client and the server will be. When the firewall removes a connection from the state table (for instance, because of the connection termination following the TCP four-way handshake as a goodbye), the firewall does not allow any more traffic from that device. In addition, the stateful firewall can log more information than a packet-filtering firewall can, including when a connection was set up, how long it was up, and when it was torn down. This logging makes connections harder to spoof.

Stateful firewalls have the following limitations:

• Stateful firewalls cannot prevent application layer attacks: For example, your network might allow traffic to port 80 on a web server. Your stateful firewall examines the destination address in the Layer 3 packet and the destination port number in the segment. If there is a match, the stateful firewall allows the incoming and outgoing traffic. One problem with this approach is that the stateful firewall does not examine the actual contents of the HTTP connection.

• Not all protocols have a state: UDP and Internet Control Message Protocol (ICMP) do not have a state, so a stateful firewall does not know whether the session is initiating, transmitting, or finishing, as it would with TCP. For example, UDP has no defined process for how to set up, maintain, and tear down a connection. The firewall can provide only limited support for these protocols compared to the thorough information the firewall has regarding, as an example, a TCP connection. Routers define UDP connections on an application-by-application basis.

• Some applications open multiple connections: On earlier (more basic) stateful firewalls, if the client was inside the network and the server was outside the network, both stateful and packet-filtering firewalls had problems dealing with the data connection that the FTP server established to the client. You needed to open a whole range of ports to allow this second connection. Cisco IOS Firewall does not have this problem. The firewall monitors FTP control traffic and discovers information exchanged between the client and the server, which it uses to prepare the data path established from the server in the direction of the client. In this scenario, the firewall is not filtering the traffic at the application layer; it is only reading some purposeful information to prepare for the data. Here we are not talking about application inspection, discussed earlier, where the firewall reads the payload of Layer 7 to assess the FTP commands or some strings found in the FTP payload.

• Stateful firewalls do not authenticate users by default: Stateful firewall technology itself does not mandate user authentication. Add-on functionality is used to provide a feature such as proxy authentication.

Other Types of Firewalls

Over the years, variations of standard stateful firewalls have emerged. Some examples of those variations, which provide additional or restrictive features, are deep packet inspection (DPI) firewalls and Layer 2 firewalls.

Application Inspection Firewalls, aka Deep Packet Inspection

Application inspection firewalls ensure the security of applications and services. Some applications require special handling by the firewall application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.

The application inspection function works with NAT to help identify the location of the embedded addressing information. This arrangement allows NAT to translate embedded addresses and to update any checksum or other fields that are affected by the translation.

The application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port negotiates dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

An application inspection firewall behaves in different ways according to each layer:

• Transport layer mechanism: From a transport layer perspective, the application inspection firewall acts like a stateful firewall by examining information in the headers of Layer 3 packets and Layer 4 segments. For example, the application inspection firewall looks at the TCP header for SYN, RST, ACK, FIN, and other control codes to determine the state of the connection.

• Application layer mechanism: The application inspection firewall checks the conformity of commands within a known protocol. For example, when the application inspection firewall checks the SMTP message type, it allows only acceptable message types on Layer 7 (such as, DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET). In addition, the application inspection firewall checks whether the command attributes that are used (for example, length of a message type) conform to the internal rules. These rules often trust the RFC of a specific protocol. Sometimes, application layer firewalls provide protocol support for HTTP, and the application inspection firewall can determine whether the content is really an HTML website or a tunneled application, such as Instant Messaging or GoToMyPC. In the case of a tunneled application, the application inspection firewall would block the content or terminate the connection. Future development will provide application inspection support for more protocols on an application inspection firewall.

There are several advantages of an application inspection firewall:

• Application inspection firewalls are aware of the state of Layer 4 and Layer 5 connections.

• Application inspection firewalls check the conformity of application commands.

• Application inspection firewalls have the capability to check and affect Layer 7.

• Application inspection firewalls can prevent more kinds of attacks than stateful firewalls can. For example, application inspection firewalls can stop an attacker from trying to set up a virtual private network (VPN) tunnel (triggered from inside the network) through an application firewall by way of tunneled HTTP requests.

Transparent Firewalls (Layer 2 Firewalls)

Cisco IOS routers, Cisco ASA Adaptive Security Appliance Software, Cisco Firewall Services Module, and Cisco ASA Services Module offer the capability to deploy a security appliance in a secure bridging mode as a Layer 2 device to provide rich Layer 2 through 7 security services for the protected network, as illustrated in Figure 9-9. This capability enables businesses to deploy security appliances into existing network environments without the need to readdress the network. Although the security appliance can be invisible to devices on both sides of a protected network, as shown in Figure 9-9, administrators can use an exposed IP address to manage the appliance.

Figure 9-9. Transparent Firewalling: Firewall Interfaces All in the Same Subnet