A proxy firewall operates at what layer of the open system interconnection (osi) model?

A proxy server, also known as a "proxy" or "application-level gateway", is a computer that acts as a gateway between a local network (for example, all the computers at one company or in one building) and a larger-scale network such as the internet. Proxy servers provide increased performance and security. In some cases, they monitor employees' use of outside resources.

A proxy server works by intercepting connections between sender and receiver. All incoming data enters through one port and is forwarded to the rest of the network via another port. By blocking direct access between two networks, proxy servers make it much more difficult for hackers to get internal addresses and details of a private network.

Some proxy servers are a group of applications or servers that block common internet services. For example, an HTTP proxy intercepts web access, and an SMTP proxy intercepts email. A proxy server uses a network addressing scheme to present one organization-wide IP address to the internet. The server funnels all user requests to the internet and returns responses to the appropriate users. In addition to restricting access from outside, this mechanism can prevent inside users from reaching specific internet resources (for example, certain websites). A proxy server can also be one of the components of a firewall.

Proxies may also cache web pages. Each time an internal user requests a URL from outside, a temporary copy is stored locally. The next time an internal user requests the same URL, the proxy can serve the local copy instead of retrieving the original across the network, improving performance.

Note:

Do not confuse a proxy server with a NAT (Network Address Translation) device. A proxy server connects to, responds to, and receives traffic from the internet, acting on behalf of the client computer, while a NAT device transparently changes the origination address of traffic coming through it before passing it to the internet.

For those who understand the OSI (Open System Interconnection) model of networking, the technical difference between a proxy and a NAT is that the proxy server works on the transport layer (layer 4) or higher of the OSI model, whereas a NAT works on the network layer (layer 3).

This is document ahoo in the Knowledge Base.
Last modified on 2018-11-15 11:25:00.

Firewalls

Dr. Errin W. Fulp, in Managing Information Security (Second Edition), 2014

Application Layer Firewalls

Application layer firewalls can filter traffic at the network, transport, and application layers. Filtering at the application layer also introduces new services, such as proxies. Application proxies are simply intermediaries for network connections. Assume that a user in the internal network wants to connect to a server in the external network. The user's connection terminates at the firewall, which then opens a second connection to the Web server. It is important to note that this occurs seamlessly to both the user and the server.

Because the proxy terminates the connection, the firewall can potentially inspect the contents of the packets, which is similar to an intrusion detection system (IDS). This is increasingly important since a growing number of applications, as well as illegitimate users, are using nonstandard port numbers to transmit data. Application layer firewalls are also necessary if an existing connection may require the establishment of another connection, for example in the Common Object Request Broker Architecture (CORBA).

Increasingly, firewalls and other security devices are being merged into a single device that can simplify management. For example, an intrusion prevention system (IPS) is a combination firewall and IDS. An IPS can filter packets based on the header, but it can also scan the packet contents (payload) for viruses, spam, and certain types of attacks.
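The proxy behaviour described in both excerpts above (the client's connection terminating at the gateway, a second connection opened to the destination, a policy that keeps internal users away from specific sites, and a local cache serving repeat requests) can be shown end to end with a small HTTP forward proxy. The following Python is an added example, not code from either book: it runs an origin server and a proxy on loopback, and the hostname blocked.example and the policy list are constructed for the demonstration.

```python
"""Minimal HTTP forward proxy: terminates the client connection, applies a
destination policy, caches responses, and opens its own connection upstream.
Added illustration, not code from either excerpt. Everything runs on loopback."""
import http.client
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request


class Origin(http.server.BaseHTTPRequestHandler):
    """Stand-in for an external web server (constructed for the demo)."""
    hits = 0    # how many requests actually reached the origin

    def do_GET(self):
        Origin.hits += 1
        body = f"hello from origin path={self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


class Proxy(http.server.BaseHTTPRequestHandler):
    """Application-level gateway: the client talks only to us, never to the origin."""
    blocked_hosts = {"blocked.example"}   # constructed policy: internal users may not reach these
    cache = {}                            # URL -> (status, body)
    # Upstream opener with no proxy of its own, so environment proxy settings are ignored.
    upstream = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def do_GET(self):
        target = urllib.parse.urlsplit(self.path)   # forward proxies receive absolute URLs
        if target.scheme != "http" or not target.hostname:
            return self.reply(400, b"proxy expects an absolute http:// request target")
        if target.hostname in self.blocked_hosts:
            return self.reply(403, b"destination blocked by proxy policy")
        entry, state = self.cache.get(self.path), "HIT"
        if entry is None:
            state = "MISS"
            try:
                # Second, proxy-originated connection: the origin sees our address, not the client's.
                with self.upstream.open(self.path, timeout=5) as resp:
                    entry = (resp.status, resp.read())
            except urllib.error.HTTPError as err:   # origin answered with an error code
                entry = (err.code, err.read())
            except urllib.error.URLError:
                return self.reply(502, b"origin unreachable")
            self.cache[self.path] = entry
        self.reply(entry[0], entry[1], {"X-Cache": state})

    def reply(self, status, body, extra_headers=None):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler):
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)   # port 0 = pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_via_proxy(proxy_port, url):
    """Client side: an absolute-form GET sent to the proxy, as a proxy-configured browser does."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url, headers={"Host": urllib.parse.urlsplit(url).netloc})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("X-Cache"), resp.read())
    conn.close()
    return result


def run_demo():
    """Returns the three proxied results plus how often the origin was really contacted."""
    Origin.hits, _ = 0, Proxy.cache.clear()
    origin, proxy = start_server(Origin), start_server(Proxy)
    url = f"http://127.0.0.1:{origin.server_address[1]}/hello"
    first = fetch_via_proxy(proxy.server_address[1], url)     # fetched from the origin
    second = fetch_via_proxy(proxy.server_address[1], url)    # served from the proxy cache
    blocked = fetch_via_proxy(proxy.server_address[1], "http://blocked.example/secret")
    for server in (origin, proxy):
        server.shutdown()
        server.server_close()
    return {"first": first, "second": second, "blocked": blocked, "origin_hits": Origin.hits}


if __name__ == "__main__":
    print(run_demo())
```

The second request never reaches the origin (the hit counter stays at one), and the blocked host is refused by the proxy itself, which never resolves or contacts it. That is the practical difference from a NAT device noted earlier on the page: the NAT rewrites addresses on a client-originated connection, whereas the proxy owns both connections and can make decisions about the request content.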

URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000064

Stalking the Competition: How ISA 2004 Stacks Up

Dr. Thomas W. Shinder, Debra Littlejohn Shinder, in Dr. Tom Shinder's Configuring ISA Server 2004, 2005

Comparing ISA 2004 to Other Firewall Products

Microsoft defines ISA Server 2004 as “an advanced application layer firewall, VPN, and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance.”

ISA Server 2004 includes the following key features: multi-layer inspection, advanced application layer filtering, secure inbound traffic and protection from “inside attacks” via VPN client connections, integrated multi-networking capabilities, network templates, and stateful routing and inspection.

ISA Server 2004's ease-of-use features include: simple, easy-to-learn and easy-to-use management tools; prevention of network access downtime; savings on bandwidth costs; integration with Windows Active Directory, third-party VPN solutions and other existing infrastructure; and a thriving community of partners, users and Web resources.

ISA Server 2004's high-performance features include: ability to provide fast, secure anywhere/anytime access; a safe, reliable and high-performance infrastructure; an integrated single-server solution; a way to scale out the security infrastructure; enhanced network performance, and reduced bandwidth costs.

ISA Server 2004 is a software firewall, which can be installed on Windows 2000 Server (with Service Pack 4 or above) or Windows Server 2003. Internet Explorer 6, or later, must be installed.

ISA Server is reliable, scalable, and extensible, and supports high availability through the Windows Server 2003 Network Load Balancing (NLB) service.

ISA Server offers compatibility and interoperability with Active Directory, with Exchange server and other Microsoft Server System products, and in a mixed network environment.

ISA Server 2004 provides administrators with a friendly graphical interface that not only has many advantages over most of its competitors, but also is a big improvement over the ISA Server 2000 interface.

ISA Server 2004 provides remote management capability through the ISA Server management console and the Remote Desktop Protocol (RDP).

ISA Server 2004 provides improved logging and reporting through the dashboard, alerts, the sessions panel, connectivity monitors, the report configuration wizard, and the ability to view connection information in real time.

One of the major strengths of ISA Server 2004 is its ability to perform application layer filtering (ALF). The application layer filtering feature allows the ISA Server 2004 firewall to protect against attacks that are based on weaknesses or holes in a specific application layer protocol or service.

ISA Server 2004 includes the following features that set it apart from the competition: secure Exchange RPC filter, link translation filter, and the OWA forms-based filter.

ISA Server 2004 includes a collection of intrusion detection filters that are licensed from Internet Security Systems (ISS). These intrusion detection filters are focused on detecting and blocking network layer attacks. In addition, ISA Server 2004 includes intrusion detection filters that detect and block application layer attacks.

ISA Server 2004 supports the following VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec), and IPSec Tunnel Mode.

The ISA Server 2004 VPN feature supports two types of VPN connections: Remote Access VPN and Site-to-site VPN.

The ISA Server 2004 VPN quarantine feature increases the security of VPN client connections by “pre-qualifying” VPN clients before they are allowed to connect to the corporate network.

In addition to ISA Server 2004's firewall and VPN features, the ISA Server 2004 firewall can also act as a Web proxy server. The ISA Server 2004 machine can be deployed as a combined firewall and Web-caching server, or as a dedicated Web-caching server.

ISA Server 2004 supports forward and reverse caching, and multiple ISA servers can be configured to use distributed and hierarchical caching.

Check Point's add-on modules have to be purchased at extra cost, in many cases for functionality that is included at no extra charge with ISA Server.

Check Point includes no Web-caching functionality; this must be added as an off-box solution or via add-on modules.

Check Point's SecureClient software costs extra, and is needed to add VPN client configuration verification, similar to ISA Server's VPN quarantine feature that is included at no extra cost.

Cisco PIX requires add-on third party products to provide functionalities such as deep content inspection that are included with ISA Server at no cost.

Cisco PIX includes no Web caching functionality; this must be added by purchasing a Cisco Content Engine or a third-party caching solution.

Enforcement of VPN configuration policy for PIX requires the proprietary Cisco Secure VPN client v3.x or above.

NetScreen requires that additional appliances or third party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).

NetScreen uses a proprietary VPN client or security client (which includes personal firewall) that must be purchased at extra cost.

VPN configuration enforcement with NetScreen only enforces client firewall policy.

SonicWall requires that additional appliances or third-party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).

NetScreen uses a proprietary VPN client that must be purchased at extra cost.

Downloading of client configuration data from VPN gateway requires security client.

WatchGuard does not include application proxies on its low cost models. ALF includes only HTTP, FTP, DNS.

WatchGuard provides no Web-caching functionality. Cost of adding a caching solution must be factored in when comparing cost with ISA server.

WatchGuard uses proprietary remote VPN client software that must be purchased at extra cost.

Symantec requires that additional appliances or third party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).

Symantec provides no Web-caching functionality. Cost of adding a caching solution must be factored in when comparing cost with ISA server.

Symantec uses proprietary remote VPN client software that must be purchased at extra cost.

Blue Coat is the only one of ISA Server 2004's major competitors that includes Web-caching functionality.

Blue Coat does not include site-to-site VPN gateway or remote access VPN functionality.

Blue Coat requires that content filtering be done through a third-party service.

Open source firewalls are more popular with highly technical individuals (such as hackers) and those who advocate and are familiar with open source operating systems.

The cost advantage of open source firewalls is often offset by difficulty of use, lack of documentation, lack of technical support, and weak or missing logging and alerting features.

IPChains provides rudimentary firewall functionality and does not include services usually taken for granted in commercial firewall products such as ALF, VPN gateway, IDS, and others.

The Juniper Firewall ToolKit was developed by Obtuse Systems to run on Linux and BSD/FreeBSD. It was based on ipfirewall and offered as a toolkit for building proxy firewalls.

Ipfirewall is a kernel packet filter that comes with FreeBSD. It performs network-layer packet filtering only; application-layer filtering must be done by another program/service.

IPCop is a user-friendly firewall that runs on Linux and is managed from a Web UI, thus it can be managed remotely. It includes NAT functionality to protect a small LAN. It is based on the Smoothwall code and licensed under the GNU GPL. The firewall is based on ipchains.

IPCop was designed for home and SOHO users rather than enterprise-level networks.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836197500101

Offensive Tactics

Alijohn Ghassemlouei, ... Russ Rogers, in The Hacker's Guide to OS X, 2013

Data Gathering and Extraction

As an attacker it’s great to get root access to a system; high-fives and handshakes will surely ensue in dimly lit rooms for a particularly good prize, but that is only the mid-point in our quest. Once we’re on a system we must think of ways to gather data quickly, as we may not be on the system long: our connection could break, the computer could drop the process we’re in, or we could be discovered.

At the heart of the matter there are only a few directories (which we have looked at in other chapters) that matter to us, the main ones being the home directories of the users and the password files, which we dump for cracking. These are usually then extracted to our attacking system to be mulled over to find more passwords or other possible directories where information is being stored on the local machine or on the network.

A question remains as to how to get this information off the system we’re attacking. So we’ve copied all of our “acquired” data into one place and packaged it up into a tarball (.tar.gz file), and we’re waiting to exfiltrate it, but we run into an issue: we can’t communicate directly with our machine, as it would be a bit too obvious if we just FTPed the data to ourselves.

In most home user environments you can move around large files and the user would be none the wiser, as most users lack the utilities to detect data exfiltration. In corporate environments we’ve discovered that even if they have a million dollars’ worth of sensors in place, odds are they are not being watched very well for anomalous data transfer into and out of the environment, but there are always exceptions.

Let’s take some time and look at a few of the technologies that could be hindering our progress (in a corporate environment) or ways that we can remain discreet.

Local Firewall—In the case of the local OS X firewall we must look at it from the perspective of its purpose. It is a basic (very basic) rule-based application layer firewall. It is meant to keep the system “hidden” on the network and only permit communication to and from the system for authorized applications and listening services. The great part about already being on the system is that we can do a few things to the firewall: add our own authorized applications, use one that is on the trusted apps list, or just turn the firewall off.

List Trusted Applications: /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

Add Application: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/another.app

Remove Application: /usr/libexec/ApplicationFirewall/socketfilterfw --remove /Applications/another.app

Unblock an application: /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/another.app

Kill firewall: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

Remember the goal is to be stealthy, so use the least noticeable tactic first: see whether they have IRC, Skype, AIM, or some other program capable of file transfer on the firewall’s trusted applications list that could be used to get your files out. If you wish to look at the other commands in socketfilterfw, you can use the -h option.
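Every change listed above (a new trusted application, an unblocked application, the global state switched off) leaves a trace in the same socketfilterfw output, so the defender's counterpart is a baseline check that reads it. The following Python is an added example, not from the book: it parses the text printed by `socketfilterfw --getglobalstate` and `--listapps`, compares the trusted-application list against an approved baseline, and flags a disabled firewall. The sample output embedded below is constructed to mirror the format those commands print (an assumption about the exact layout; the "State = N" line and the numbered app entries are the only parts the parser relies on), so the check runs on any host without the tool.

```python
"""Baseline audit of the macOS application firewall, written from the defender's side.
Added example, not from the book. Parses socketfilterfw output; the sample text is
constructed to match the tool's layout (an assumption), so it runs off-macOS too."""
import re
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# Constructed sample output standing in for the real commands.
SAMPLE_STATE = "Firewall is disabled. (State = 0)\n"
SAMPLE_APPS = """ALF: total number of apps = 3

1 :  /Applications/Skype.app
 \t ( Allow incoming connections )
2 :  /Applications/Microsoft Teams.app
 \t ( Allow incoming connections )
3 :  /Users/demo/tools/another.app
 \t ( Allow incoming connections )
"""

# Constructed baseline: what the organisation expects on the trusted-app list.
APPROVED_APPS = {"/Applications/Skype.app", "/Applications/Microsoft Teams.app"}


def firewall_enabled(state_output):
    """True unless the global state is 0 (off); state 1 and 2 are both 'on'."""
    match = re.search(r"\(State = (\d)\)", state_output)
    if not match:
        raise ValueError("unrecognised --getglobalstate output")
    return match.group(1) != "0"


def trusted_apps(listapps_output):
    """Paths from the numbered '<n> :  <path>' lines of --listapps output."""
    apps = []
    for line in listapps_output.splitlines():
        match = re.match(r"^\s*\d+\s*:\s*(\S.*?)\s*$", line)
        if match:
            apps.append(match.group(1))
    return apps


def audit(state_output, listapps_output, approved):
    """Findings worth alerting on: firewall off, or trusted apps outside the baseline."""
    findings = []
    if not firewall_enabled(state_output):
        findings.append("application firewall global state is OFF")
    for app in trusted_apps(listapps_output):
        if app not in approved:
            findings.append(f"unapproved entry in trusted-app list: {app}")
    return findings


def read_live_output():
    """Run the real commands (macOS only; needs root). Returns (state_text, apps_text)."""
    run = lambda flag: subprocess.run([SOCKETFILTERFW, flag], capture_output=True,
                                      text=True, check=True).stdout
    return run("--getglobalstate"), run("--listapps")


if __name__ == "__main__":
    for finding in audit(SAMPLE_STATE, SAMPLE_APPS, APPROVED_APPS):
        print("FINDING:", finding)
```

Run periodically and diffed against the last result, the same two commands that an intruder would use to weaken the host firewall become the evidence that it was weakened; on a managed fleet the findings list is what gets shipped to the SIEM.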

Corporate Firewall—Unless there is something seriously wrong with the corporate firewall, you will most likely not be able to manipulate it in the same way that you are able to manipulate the local firewall. Good news for you though: most corporate firewalls are designed to keep people out, not keep data in. What this means is that if you are having trouble getting your data out on non-standard ports, switch to standard ones such as 22 (SSH), 80 (HTTP), and 443 (HTTPS).

If that does not work, set up a listener on your internet facing system and attempt to make connections to it to find an open port on the firewall. If, on the other hand, they let traffic out on port 22, jump for joy and SCP the data from your target to your dummy box in the aether. Never send traffic directly back to yourself if you are attempting to be stealthy, you could get yourself blocked if they find you.

Outbound Proxy—You’ve run into a situation where you have tried to get out on 22, but the firewall will not let you. You’ve tried to send data across 80 and 443, but the packet filtering firewall recognizes those are not Web requests, or it will not allow outbound connections and forces you to go through the proxy. There are a couple of alternatives here we can use to possibly get the data out: we could attempt to send our traffic over port 53 (DNS), or we could set up a “legitimate” Website and upload our file over SSL to it.

While setting up a Website to upload a file is achievable without too much difficulty, sending a file over port 53 and disguising it as DNS traffic would require an effort beyond the scope of this book. Fear not though; we have an option for DNS. For DNS you can look at a tool (set of scripts) like OzymanDNS by Dan Kaminsky. A great tutorial is available by Andreas Gohr (http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple).

The moral of the story when it comes to exfiltration of data is to be quietly persistent. There will almost always be a hole in the armor somewhere or some process you can access that will allow you to send data outbound at a given time during the day (like normal work hours). Understanding your target’s business processes (where possible) is a great way to discover faults in those processes to leverage against them.
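The chapter's point that corporate firewalls are built to keep people out rather than data in is exactly the gap a detection engineer closes: the channels named above (bulk transfers on the ports egress policy allows, and DNS queries carrying data in their labels) are visible in ordinary connection and query logs. The following Python is an added example, not from the book, showing two such checks over constructed flow summaries and query names; the thresholds and the addresses are assumptions chosen for the demonstration.

```python
"""Egress monitoring for the channels the chapter describes: bulk outbound volume on
permitted ports, and DNS names that look like encoded payload. Added example, not the
book's; the flow records, query names and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed connection summaries from a perimeter sensor: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 48_000),          # ordinary browsing
    ("10.0.0.5", "203.0.113.10", 443, 52_000),
    ("10.0.0.7", "198.51.100.20", 22, 900_000_000),     # 900 MB pushed out over SSH in one session
    ("10.0.0.9", "203.0.113.30", 80, 12_000),
    ("10.0.0.9", "203.0.113.30", 80, 6_000),
]

# Constructed DNS query names seen from the inside.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "3a7f9c2e8b1d4f6a9c0e2b5d7f1a3c5e.tunnel.example",   # long high-entropy label
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com",    # long but low-entropy label
    "cdn.example.net",
]


def outbound_bytes_per_host(flows):
    """Total bytes each internal host sent out, regardless of port."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def flag_bulk_egress(flows, threshold):
    """Hosts whose outbound volume exceeds the threshold; a port being 'allowed'
    (22, 80, 443) says nothing about whether this much data should leave on it."""
    return sorted(host for host, total in outbound_bytes_per_host(flows).items()
                  if total > threshold)


def shannon_entropy(text):
    """Bits per character; encoded payload scores high, real words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def flag_tunnel_like_dns(queries, max_label=30, min_entropy=3.5):
    """Query names with a label that is both long and high-entropy."""
    flagged = []
    for name in queries:
        longest = max(name.split("."), key=len)
        if len(longest) > max_label and shannon_entropy(longest) >= min_entropy:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("bulk egress:", flag_bulk_egress(FLOWS, threshold=100_000_000))
    print("tunnel-like DNS:", flag_tunnel_like_dns(DNS_QUERIES))
```

Both checks are deliberately coarse. The volume check needs a per-host baseline rather than one global threshold in practice, and the DNS check should be applied per queried zone and over time (many short queries to one odd domain are as telling as one long one), but the structure, summarising logs per internal host and scoring names rather than matching signatures, is what makes the "allowed port" loophole visible.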

URL: https://www.sciencedirect.com/science/article/pii/B9781597499507000071

Security Standards and Services

Naomi J. Alpern, Robert J. Shimonski, in Eleventh Hour Network+, 2010

Firewalls

A firewall blocks access to an internal network from outside and blocks users of the internal network from accessing potentially dangerous external networks or ports. There are three distinct firewall technologies:

Packet filtering: A network layer firewall or packet-filtering firewall works at the network layer of the Open Systems Interconnection (OSI) model and can be configured to deny or allow access to specific ports or Internet Protocol (IP) addresses. It is designed to operate rapidly by either allowing or denying packets simply based on source and destination IP address and port information. This is the simplest and fastest form of traffic-filtering firewall technologies.

It works in two directions: to keep intruders at bay and to restrict access to the external network from internal users.

Two distinct firewall base policies are as follows:

Allow by default – it allows all traffic to pass through the firewall except traffic that is specifically denied.

Deny by default – it blocks all traffic from passing through the firewall except for traffic that is explicitly allowed.

Ports 0 through 1023 are considered well-known ports. These ports are used for specific network services and should be considered the only ports allowed to transmit traffic through a firewall.

Ports outside the range of 0 through 1023 are either registered ports or dynamic/private ports.

User ports range from 1024 to 49,151.

Dynamic/private ports range from 49,152 to 65,535.

Since only the header of a packet is examined, a packet-filtering firewall is fast.

There are two major drawbacks to packet filtering:

A port is either open or closed.

It does not understand the contents of any packet beyond the header.

Stateful inspection: Stateful inspection operates at the network and the transport layers of the OSI model, but it has the ability to monitor state information regarding a connection. In effect, when a connection is established between two hosts, the firewall will initially determine if the connection is allowable based on a set of rules about source and destination ports and IP addresses. Once the connection is deemed to be acceptable, the firewall remembers this. Therefore, subsequent traffic can be examined as either permissible or not within the context of the entire session. It then functions by checking each packet to verify that it is an expected response to a current communications session.

Application-layer gateways: Also called application-layer gateway devices or application filtering, these are more advanced than packet filters, operate at the application layer of the OSI model, and examine the entire packet to determine what should be done with it based on specific defined rules. They use complex rules to determine the validity of any given packet, and part of analyzing each packet includes verifying that it contains the correct type of data for the specific application it is attempting to communicate with.

The drawbacks to application-layer gateway technology are as follows:

Application-layer gateways are much slower than packet filters.

A limited set of application rules is predefined, and any application not included in the predefined list must have custom rules defined and loaded into the firewall.

Application-layer gateways must then rebuild packets from the top down and send them back out. This breaks the concept behind the client/server architecture and slows the firewall down even further.
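The packet-filtering and stateful-inspection descriptions above, the two base policies, and the port ranges all reduce to a small amount of code, and seeing them side by side makes the stateful difference concrete: a reply packet that no rule permits is dropped by the stateless filter but accepted by the stateful one because it belongs to a session that was already allowed. The following Python is an added example, not from the book; the rule set, the addresses and the three sample packets are constructed.

```python
"""First-match packet filter with allow/deny base policies, the port classes named in
the text, and a stateful variant that remembers accepted sessions.
Added example, not from the book; addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"
    dst_ports: tuple = ()        # empty means any destination port

    def matches(self, pkt):
        """Header-only comparison: a packet filter never looks at the payload."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return not self.dst_ports or pkt.dst_port in self.dst_ports


def port_class(port):
    """Port ranges as the text gives them: well-known, registered (user), dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


class PacketFilter:
    """Stateless filter: the first matching rule wins, otherwise the base policy applies."""

    def __init__(self, rules, default="deny"):
        if default not in ("allow", "deny"):
            raise ValueError("base policy must be 'allow' (allow by default) or 'deny' (deny by default)")
        self.rules, self.default = list(rules), default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFilter(PacketFilter):
    """Same rules, but replies within an already-accepted session pass without an inbound rule."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.sessions = set()    # (proto, src_ip, src_port, dst_ip, dst_port) of accepted flows

    def decide(self, pkt):
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return "allow"       # expected response to a current session
        verdict = super().decide(pkt)
        if verdict == "allow":
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


# Constructed traffic: an internal host browses out, the server replies, and an
# unrelated inbound connection arrives from the same server address.
OUTBOUND = Packet("10.0.0.5", "203.0.113.10", "tcp", 50000, 80)
REPLY = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 50000)
UNSOLICITED = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 50001)
EGRESS_RULES = [Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 443))]


def compare_filters():
    """Verdicts for the three packets under stateless and stateful deny-by-default filters."""
    stateless, stateful = PacketFilter(EGRESS_RULES), StatefulFilter(EGRESS_RULES)
    return {
        "stateless": [stateless.decide(p) for p in (OUTBOUND, REPLY, UNSOLICITED)],
        "stateful": [stateful.decide(p) for p in (OUTBOUND, REPLY, UNSOLICITED)],
    }


if __name__ == "__main__":
    print(compare_filters())
    allow_by_default = PacketFilter([Rule("deny", dst_ports=(23,))], default="allow")
    print(allow_by_default.decide(Packet("10.0.0.5", "203.0.113.10", "tcp", 50000, 23)))
```

With deny by default, the stateless filter can only pass the reply by adding an inbound rule for port 80 traffic from anywhere, which would also admit the unsolicited packet; the session table is what lets the stateful filter distinguish the two. The allow-by-default instance at the end shows the other base policy: everything passes except the one explicitly denied port.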

URL: https://www.sciencedirect.com/science/article/pii/B9781597494281000084

Other Uses of Runtime Modification

Erez Metula, in Managed Code Rootkits, 2011

Defense in Depth

The runtime can be the subject of a defense-in-depth approach, by deploying an additional layer of security inside it.

For instance, we can add a security layer to the runtime that performs tasks such as input validation, auditing and logging, and output encoding (for example, HTML encoding to mitigate cross-site scripting and other HTML injection attacks).

This “embedded application layer firewall” has some advantages that are not usually provided by a WAF, since it can operate from the inside and has access to internal runtime variables and state that are not exposed to the outside. It can also make fine-grained decisions based on the application's internal state that an external box cannot make, as it has a shallow view of each request by just observing the data sent to the application. In addition, it can also be used to protect against business logic attacks, which is the major weakness for most WAFs.
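The advantage claimed above, that an in-process layer can see application state an external WAF cannot, is easiest to appreciate with a small guard that does the three jobs named (input validation, auditing, output encoding) and adds one business-logic rule that depends on a per-user counter held inside the application. The following Python is an added example, not from the book and not a runtime-level hook of the kind the chapter modifies; the comment application, the identifier pattern and the posting limit are constructed for the demonstration.

```python
"""An in-process security layer of the kind the excerpt describes: input validation,
auditing, output encoding, and a business-logic check that reads application state.
Added example, not from the book; the comment application is constructed."""
import html
import re
from functools import wraps

SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # constructed allowlist for identifiers


class RuntimeGuard:
    """Lives inside the application, so it sees variables a WAF in front of it cannot."""

    def __init__(self):
        self.audit_log = []

    def validate_id(self, value):
        """Input validation: identifiers must match the allowlist pattern."""
        if not isinstance(value, str) or not SAFE_ID.match(value):
            raise ValueError(f"rejected input: {value!r}")
        return value

    @staticmethod
    def encode_output(text):
        """Output encoding: neutralise HTML metacharacters before rendering."""
        return html.escape(text, quote=True)

    def business_rule(self, check):
        """Decorator: run a state-aware predicate before the method and audit the outcome."""
        def decorator(fn):
            @wraps(fn)
            def wrapper(app, *args, **kwargs):
                ok, reason = check(app, *args, **kwargs)
                self.audit_log.append((fn.__name__, args, "allow" if ok else f"deny: {reason}"))
                if not ok:
                    raise PermissionError(reason)
                return fn(app, *args, **kwargs)
            return wrapper
        return decorator


guard = RuntimeGuard()


def within_posting_limit(app, user, comment):
    """Business-logic check on internal state (a per-user counter): each request looks
    identical from outside, so a request-by-request external box cannot enforce this."""
    if app.posts_by_user.get(user, 0) >= 3:
        return False, f"{user} exceeded the posting limit"
    return True, ""


class CommentApp:
    """Constructed application: users post comments that are rendered into HTML."""

    def __init__(self):
        self.posts_by_user = {}

    @guard.business_rule(within_posting_limit)
    def post_comment(self, user, comment):
        guard.validate_id(user)
        self.posts_by_user[user] = self.posts_by_user.get(user, 0) + 1
        return f"<p>{guard.encode_output(comment)}</p>"


def demo():
    """Three posts succeed (the first carrying a script tag that is encoded away),
    the fourth is refused by the business rule; returns what a test can check."""
    entries_before = len(guard.audit_log)
    app = CommentApp()
    rendered = app.post_comment("alice", "<script>alert(1)</script>")
    app.post_comment("alice", "second")
    app.post_comment("alice", "third")
    try:
        app.post_comment("alice", "fourth")
        limit_enforced = False
    except PermissionError:
        limit_enforced = True
    return {"rendered": rendered, "limit_enforced": limit_enforced,
            "audit_entries": len(guard.audit_log) - entries_before}


if __name__ == "__main__":
    print(demo())
    print(guard.audit_log[-1])
```

The encoding happens at the point of rendering rather than at the network boundary, so it cannot be bypassed by a second code path reaching the same template, and the audit entry records the decision together with the internal reason, which is the kind of context an external appliance's log lacks.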

URL: https://www.sciencedirect.com/science/article/pii/B9781597495745000106

Firewalls

Dr. Errin W. Fulp, in Computer and Information Security Handbook (Second Edition), 2013

Contents

1. Introduction
2. Network Firewalls
3. Firewall Security Policies
   Rule-Match Policies
4. A Simple Mathematical Model for Policies, Rules, and Packets
5. First-Match Firewall Policy Anomalies
6. Policy Optimization
   Policy Reordering
   Combining Rules
   Default Accept or Deny?
7. Firewall Types
   Packet Filter
   Stateful Packet Firewalls
   Application Layer Firewalls
   Nation-State Backed
8. Host and Network Firewalls
9. Software and Hardware Firewall Implementations
10. Choosing the Correct Firewall
11. Firewall Placement and Network Topology
   Demilitarized Zones
   Perimeter Networks
   Two-Router Configuration
   Dual-Homed Host
   Network Configuration Summary
12. Firewall Installation and Configuration
13. Supporting Outgoing Services through Firewall Configuration
   Forms of State
   Payload Inspection
14. Secure External Services Provisioning
15. Network Firewalls for Voice and Video Applications
   Packet Filtering H.323
16. Firewalls and Important Administrative Service
17. Protocols
   Routing Protocols
   Internet Control Message Protocol
   Network Time Protocol
   Central Log File Management
   Dynamic Host Configuration Protocol
18. Internal IP Services Protection
19. Firewall Remote Access Configuration
20. Load Balancing And Firewall Arrays
   Load Balancing in Real Life
   How to Balance the Load
   Advantages and Disadvantages of Load Balancing
21. Highly Available Firewalls
   Load Balancer Operation
   Interconnection of Load Balancers and Firewalls
22. Firewall Management
23. Summary
24. Chapter Review Questions/Exercises
   True/False
   Multiple Choice
   Exercise
   Hands-On Projects
   Case Projects
   Optional Team Case Project

URL: https://www.sciencedirect.com/science/article/pii/B9780123943972001069

Detecting System Intrusions

Scott R. Ellis, in Computer and Information Security Handbook (Third Edition), 2017

Distribution Layer

Distribution acts as the boundary surface between Core and Access. One oversimplification would be to say that distribution allows for the aggregation and centralization of key distribution components. It reduces the complexity of the network.

Core is the simplest. It provides critical connectivity services and is typically designed to be highly available and always on. Redundancy is an important component of this. Its mission is to provide redundancy, isolation, and backbone connectivity. Typical L3 equipment includes items such as 24- and 48-port switches, and wireless access points.

The diagram in Fig. 5.13 attempts to demonstrate the looseness of some (most) modern networks. This diagram is in stark contrast to typical network diagrams, which often show a single point of access for all systems, connecting them to the Internet. This connected space model layers firewalls in a ring, or a sphere (like a run-about ball) wrapped around your network, but only some spheres converge and are placed in more vulnerable positions than others. Multiple trusts may exist that have intrusive rights and weak passwords. It is, of course, not really a sphere, but it is easier to think about it that way. The four-tiered model describes:

1. A perimeter-based firewall
2. A demilitarized zone (DMZ)
3. A wireless zone
4. All internal switches

Over the past few decades, networks have been transforming. DMZ? “Too much trouble to maintain,” said the IT technicians and their managers. “Modern firewalls are more than enough to protect us from internal threats,” said the IT directors and doers of the time. Besides, they would say, once a DMZ is compromised, they [the hackers] are practically inside. It is just a matter of time. There is some truth in this. As you can see in Fig. 5.13, what protection does the firewall give to the dual-homed host in the employee's pocket? Or to the hacker in the coffee shop across the street, who has accessed via the wireless, using a password he picked up from a conference room whiteboard? Modern networks are multiplexed composites of the four-tiered network. Tapping them? Do your best. The more structure, the better adherence to the four-tiered model that you can get, the stronger and more thorough your taps will be. Legitimate tap products are best. Your tap network should be 100% segregated from the business network. It should be undetectable to anyone on the network.

Traditional thinking is that wireless networks should be treated as untrusted, should connect only via virtual private networks, and should use two-factor authentication. In the military, such edicts could easily be issued. In a modern workplace, such dictatorial viewpoints will bump up against looser styles of networking, and this is where CISO and CIO philosophies may clash. Many employees do not perceive a difference between authoritarianism and limited wireless network connectivity. Furthermore, in this current climate and age of unrestricted computing, what is to stop me from tethering my computer to my cell phone and using it as the Internet, creating a portal on the network that cannot be seen? Although most breaches may not come from “the inside,” enough do that we need to worry about new devices appearing on our network as well, or the ability of users to attach computers to unknown or unregistered networks. Logging and tracking of events such as this can be done in a security paradigm such as this, but are outside of the scope of this chapter.

If you are fortunate, you will find a network that is well-organized and planned and follows best practices. An efficient network reduces the number of connections necessary by using additional core equipment.

If your topology (your networking infrastructure) resembles a bird's nest, deploying sensor instrumentation successfully will be expensive, and it can be difficult to assess placement. A simpler architecture will be (1) less expensive, and (2) easier to tap.

Exercise

Does it make sense to tap on the perimeter (outside the firewall)? In the modern day of scanless attacks, and sheer quantity of attacks, does it lend useful insights to see what attacks are being leveled against a corporate firewall? What are the pros and cons, and how would the information be leveraged?

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000053

Editor’s Preface

E. Griffor, in Handbook of System Safety and Security, 2017

Chapter 9: A Design Methodology for Developing Resilient Cloud Services—Cihan Tunc, Salim Hariri, and Abdella Battou

Cloud Computing is emerging as a new paradigm that aims to deliver computing as a utility. For the cloud computing paradigm to be fully adopted and effectively used, the authors argue that it is critical that the security mechanisms are robust and resilient to malicious faults and attacks. Security in cloud computing is of major concern and a challenging research problem since it involves many interdependent tasks, including application layer firewalls, configuration management, alert monitoring and analysis, source code analysis, and user identity management. It is widely accepted that one cannot build software and computing systems that are free from vulnerabilities and cannot be penetrated or attacked. Therefore it is widely accepted that cyber resilient techniques are the most promising solutions to mitigate cyberattacks and to change the game to the advantage of the defender over the attacker.

Moving Target Defense (MTD) has been proposed as a mechanism to make it extremely difficult for an attacker to exploit existing vulnerabilities by varying the attack surface of the execution environment. By continuously changing the environment (e.g., software versions, programming language, operating system, connectivity, etc.), we can shift the attack surface and, consequently, evade attacks.

In this chapter the authors present a methodology for designing resilient cloud services (RCS) that is based on redundancy, diversity, shuffling, and autonomic management. Redundancy is used to tolerate attacks if any redundant version or resource is compromised. Diversity is used to avoid the software monoculture problem, where one attack vector can successfully attack many instances of the same software module. Shuffling is needed to randomly change the execution environment and is achieved by “hot” shuffling of multiple functionally equivalent, behaviorally different software versions at runtime. The authors also present their experimental results and evaluation of the RCS design methodology. Their experimental results show that their proposed environment is resilient against attacks with less than 7% overhead in execution time.
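The interplay of redundancy, diversity and shuffling described above, as an added illustration that is not the authors' RCS implementation or code from the handbook: a toy Python service keeps a pool of functionally equivalent "software versions" of one operation, serves each request from a randomly chosen odd-sized quorum of them, accepts the majority answer, quarantines any version whose output disagrees (the redundancy that tolerates one compromised replica), and hot-shuffles the active set between requests. The `ResilientService` class, the version names, the tampered replica and the request bodies are all constructed for this example.

```python
import hashlib
import random
from collections import Counter

# Constructed example: functionally equivalent, behaviourally different
# "software versions" of one service operation (fingerprinting a request body).
# Each reaches the same answer by a different code path, standing in for the
# diverse implementations the methodology relies on.
def version_a(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def version_b(data: bytes) -> str:
    h = hashlib.sha256()
    for i in range(0, len(data), 7):      # incremental update, same digest
        h.update(data[i:i + 7])
    return h.hexdigest()

def version_c(data: bytes) -> str:
    return hashlib.new("sha256", data).hexdigest()

def tampered_version(data: bytes) -> str:
    # Constructed: a replica whose behaviour has been altered by an attacker.
    return hashlib.sha256(data + b"\x00").hexdigest()


class ResilientService:
    """Serve each request from a random odd-sized quorum of healthy versions,
    return the majority answer, quarantine dissenting versions, and shuffle
    the active set periodically (hypothetical design, not the chapter's)."""

    def __init__(self, versions, quorum=3, shuffle_every=2, seed=None):
        if quorum % 2 == 0 or quorum > len(versions):
            raise ValueError("quorum must be odd and no larger than the pool")
        self.versions = dict(versions)      # name -> callable
        self.quarantined = set()
        self.quorum = quorum
        self.shuffle_every = shuffle_every
        self.rng = random.Random(seed)      # seedable so runs are reproducible
        self.calls_since_shuffle = 0
        self.active = []
        self.shuffle()

    def healthy(self):
        return [n for n in self.versions if n not in self.quarantined]

    def shuffle(self):
        # "Hot" shuffle: pick a fresh random subset of healthy versions to serve.
        pool = self.healthy()
        if len(pool) < self.quorum:
            raise RuntimeError("too few healthy versions left to form a quorum")
        self.active = self.rng.sample(pool, self.quorum)
        self.calls_since_shuffle = 0

    def call(self, data: bytes):
        # Redundancy: run every active version and take the majority answer.
        results = {name: self.versions[name](data) for name in self.active}
        winner, votes = Counter(results.values()).most_common(1)[0]
        if votes <= self.quorum // 2:
            raise RuntimeError("no majority among active versions")
        # Diversity pays off here: a version that disagrees with the majority
        # is treated as compromised and removed from the pool.
        outliers = [n for n, r in results.items() if r != winner]
        self.quarantined.update(outliers)
        self.calls_since_shuffle += 1
        if outliers or self.calls_since_shuffle >= self.shuffle_every:
            self.shuffle()
        return winner, outliers


def build_service(seed=1):
    """Constructed pool: three honest versions and one tampered replica."""
    return ResilientService({
        "v_a": version_a, "v_b": version_b, "v_c": version_c,
        "tampered": tampered_version,
    }, quorum=3, shuffle_every=2, seed=seed)


if __name__ == "__main__":
    svc = build_service()
    body = b"GET /orders/42"      # constructed request body
    for _ in range(12):
        answer, flagged = svc.call(body)
        if flagged:
            print("quarantined:", flagged)
    print("answer matches an honest version:", answer == version_a(body))
```

The odd quorum guarantees a strict majority exists whenever at most one active version misbehaves; with a larger pool the shuffle also limits how long any single version is exposed. The voting and quarantine policy here is the example's own choice, and its cost is the extra invocations per request; the 7% overhead figure quoted above is the chapter's measurement of the authors' environment, not of this toy.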

URL: https://www.sciencedirect.com/science/article/pii/B9780128037737000012

Introduction to Intrusion Detection Systems

In Cisco Security Professional's Guide to Secure Intrusion Detection Systems, 2003

The E-Commerce Module

The E-Commerce Module is intended to house and protect the business-driving public infrastructure of the organization and includes database, application, and web services components, among others. To provide a comprehensive defense, the SAFE blueprint calls for focused Layer 4–7 IDS analysis and Host IDS capabilities. Furthermore, multitiered stateful inspection firewalls and packet-filtering devices are included for perimeter defense. Wire speed switching on VLAN-capable switches provides server connectivity in the E-Commerce Module for fast, efficient server access.

The Corporate Internet Module

The Corporate Internet Module provides secure connectivity for internal corporate users to the Internet. It also offers logical space for inbound and outbound services such as SMTP, web proxy, and content inspection servers. This business functionality is protected with stateful inspection firewalls, Layer 7 filtering, spoof mitigation, and other basic filtering. It also includes advanced and focused Network IDS analysis and host-based detection systems.

The VPN/Remote Access Module

Due to the potential size and scaling requirements of Enterprise-sized VPN solutions, the Enterprise Network Edge Area includes a VPN/Remote Access module. This module contains the required encryption, VPN termination points, and authentication mechanisms for the Enterprise environment. Included in this module are various IDS components that are placed at the encryption endpoint to inspect inbound and outbound VPN traffic. Stateful inspection firewalls are also integrated into the VPN/Remote Access Module for perimeter security from, and to, remote connections.

The Extranet Module

The Extranet Module is similar to the E-Commerce Module in that it houses application and web-based services. Extranets are typically intended to facilitate access by semi-trusted users such as partners or other remote entities. Like the E-Commerce Module, the Extranet Module includes NIDS and HIDS, as well as stateful inspection firewalls. It also includes authentication and VPN termination services for remote use.

The WAN Module

The Enterprise Network Edge WAN Module includes sparse security features to facilitate efficient network transport. The WAN Module may include Layer 3 access control mechanisms for secure transport.

URL: https://www.sciencedirect.com/science/article/pii/B9781932266696500215