Lecture 17: Firewalls

• Slides
• Playlist (length: 52:42)

Intro to DoS

Selecting an Access Control Policy

What factors might influence choosing between a default-allow policy and a default-deny policy?

The cost of an attack. For example, if our system has very sensitive data, we might prefer using a default-deny policy.

Stateless Packet Filter

(True/False) Stateless packet filters can't deny all inbound TLS connections, because TLS connections have confidentiality.

False. Remember that TLS is built on top of TCP, so it requires the inbound connection to send a SYN-ACK packet. This will be blocked by the stateless packet filter.

Stateful Packet Filter Rules

Write a stateful firewall rule that would allow all TLS traffic from an external host 161.20.2.0 into your network 16.120.20.0/24.

allow tcp 161.20.2.0:* -> 16.120.20.0/24:*

Optionally, you could add /ext and /int here, although it’s not required because we specified both hosts already.

Designing a Stateful Filter

Stateful Filter Challenges

Remember that in the TCP lecture, we said that TCP guarantees that packets will be reconstructed in the correct order. What part of the TCP protocol is the attacker exploiting here to prevent this?

The attacker is sending multiple packets with the same sequence number, which causes confusion between the firewall and the receiver. Both need to reconstruct the message, but they don’t know which packet to use.

Application-Level Firewalls

What might be a disadvantage of application-level firewalls?

Remembering every single connection at the firewall takes more resources compared to the other firewalls we’ve seen.

VPNs

Why Have Firewalls Been Successful?

Attacks on Firewalls

Firewalls Conclusion