Chapter 9: Kinds of Firewalls Kate Solinger Tamara Teslovich.
-
date post
22-Dec-2015 -
Category
Documents
-
view
221 -
download
2
Transcript of Chapter 9: Kinds of Firewalls Kate Solinger Tamara Teslovich.
Chapter 9: Chapter 9: Kinds of Kinds of FirewallsFirewalls
Kate SolingerKate Solinger
Tamara TeslovichTamara Teslovich
What’s a firewall?What’s a firewall? Any device, software, Any device, software,
or arrangement or or arrangement or equipment that limits equipment that limits network accessnetwork access
Characterized by Characterized by protocol level it protocol level it controls in packet controls in packet filtering, circuit filtering, circuit gateways, and gateways, and application gatewaysapplication gateways
Combination of above Combination of above is dynamic packet filteris dynamic packet filter
Packet FiltersPacket Filters Cheap, useful level of gateway securityCheap, useful level of gateway security
Filtering abilities come with router Filtering abilities come with router softwaresoftware
Drop packets based on contentsDrop packets based on contents Incoming or outgoing interfacesIncoming or outgoing interfaces Blocks spoofed packetsBlocks spoofed packets
Ingress and egress filteringIngress and egress filtering Permits or denies certain servicesPermits or denies certain services
Requires intimate knowledge of TCP and UDP Requires intimate knowledge of TCP and UDP port utilization on a number of operating port utilization on a number of operating systemssystems
How to Configure a How to Configure a Packet FilterPacket Filter
Start with a security policyStart with a security policy Specify allowable packets in terms of Specify allowable packets in terms of
logical expressions on packet fieldslogical expressions on packet fields Rewrite expressions in syntax Rewrite expressions in syntax
supported by your vendorsupported by your vendor General rules:General rules:
All that is not expressly permitted is All that is not expressly permitted is prohibitedprohibited
If you do not need it, eliminate itIf you do not need it, eliminate it
Every ruleset is followed by an Every ruleset is followed by an implicit rule reading like this.implicit rule reading like this.
Example 1: Example 1:
Suppose we want to allow inbound Suppose we want to allow inbound mail (SMTP, port 25) but only to our mail (SMTP, port 25) but only to our
gateway machine. Also suppose gateway machine. Also suppose that mail from some particular site that mail from some particular site
SPIGOT is to be blocked.SPIGOT is to be blocked.
Solution 1: Solution 1:
Example 2: Example 2:
Now suppose that we want to Now suppose that we want to implement the policy “any inside implement the policy “any inside
host can send mail to the outside”.host can send mail to the outside”.
Solution 2: Solution 2:
This solution allows calls to come This solution allows calls to come from any port on an inside machine, from any port on an inside machine, and will direect them to port 25 on and will direect them to port 25 on
the outside. Simple enough…the outside. Simple enough…
So why is it wrong?So why is it wrong?
Our defined restriction is based solely Our defined restriction is based solely on the outside host’s port number, on the outside host’s port number, which we have no way of controlling.which we have no way of controlling.
Now an enemy can access any internal Now an enemy can access any internal machines and port by originating his machines and port by originating his call from port 25 on the outside call from port 25 on the outside machine.machine.
Now for a better solution…Now for a better solution…
The ACK signifies that the packet is The ACK signifies that the packet is part of an ongoing conversationpart of an ongoing conversation
Packets without the ACK are Packets without the ACK are connection establishment messages, connection establishment messages, which we are only permitting from which we are only permitting from internal hostsinternal hosts
Figure 9.2: A firewall router with multiple internal networks.
Filter Rule: Open access to Net 2 means source address from Net 3
• Why not spoof address from Net 3?
Network TopologyNetwork Topology
Address-SpoofingAddress-Spoofing
Detection is virtually impossible Detection is virtually impossible unless source-address filtering and unless source-address filtering and logging are donelogging are done
One should not trust hosts outside of One should not trust hosts outside of one’s administrative controlone’s administrative control
External Interface External Interface RulesetRuleset
Allow outgoing calls, permit incoming Allow outgoing calls, permit incoming calls only for mail and only to gateway GWcalls only for mail and only to gateway GW
Note: Specify GW as destination host instead of Net 1 to prevent open access to Net 1
Net 1 Router Interface Net 1 Router Interface RulesetRuleset
Gateway machine speaks directly only to Gateway machine speaks directly only to other machines running trusted mail other machines running trusted mail server softwareserver software
Relay machines used to call out to GW Relay machines used to call out to GW to pick up waiting mailto pick up waiting mail
Note: Spoofing is avoided with the specification of GW
How Many Routers Do We How Many Routers Do We Need?Need?
If routers only support outgoing filtering, we If routers only support outgoing filtering, we need two:need two: One to use ruleset that protects against One to use ruleset that protects against
compromised gatewayscompromised gateways One to use ruleset that guards against address One to use ruleset that guards against address
forgery and restricts access to gateway machineforgery and restricts access to gateway machine An input filter on one port is exactly equivalent An input filter on one port is exactly equivalent
to an output filter on the other portto an output filter on the other port If you trust the network provider, you can go If you trust the network provider, you can go
without input filterswithout input filters Filtering can be done on the output side of the routerFiltering can be done on the output side of the router
Routing FiltersRouting Filters
All nodes are somehow reachable from the All nodes are somehow reachable from the InternetInternet
Routers need to be able to control what Routers need to be able to control what routes they advertise over various routes they advertise over various interfacesinterfaces
Clients who employ IP source routing make Clients who employ IP source routing make it possible to reach ‘unreachable’ hostsit possible to reach ‘unreachable’ hosts Enables address-spoofingEnables address-spoofing Block source routing at borders, not at Block source routing at borders, not at
backbonebackbone
Routing Filters (cont)Routing Filters (cont)
Packet filters obviate the need for route Packet filters obviate the need for route filtersfilters
Route filtering becomes difficult or Route filtering becomes difficult or impossible in the presence of complex impossible in the presence of complex technologiestechnologies
Route squatting – using unofficial IP Route squatting – using unofficial IP addresses inside firewalls that belong to addresses inside firewalls that belong to someone elsesomeone else
Difficult to choose non-addressed address Difficult to choose non-addressed address spacespace
Packet-Filtering Packet-Filtering PerformancePerformance
Performance penalty – defeats Performance penalty – defeats optimization effortsoptimization efforts
Bottleneck at T1 serial linkBottleneck at T1 serial link Degradation depends on number of Degradation depends on number of
rules applied at any pointrules applied at any point Order rules so that most common Order rules so that most common
traffic is dealt with firsttraffic is dealt with first Correctness is more important than Correctness is more important than
speedspeed
Application-Level Application-Level FilteringFiltering
More complex than packet filtering – More complex than packet filtering – detailsdetails
Special-purpose code for each desired Special-purpose code for each desired applicationapplication
Easy to log and control ALL incoming Easy to log and control ALL incoming and outgoing trafficand outgoing traffic
Only deals with attack from the outsideOnly deals with attack from the outside Principal DisadvantagePrincipal Disadvantage
Need for specialized user program or Need for specialized user program or variant user interfacevariant user interface
Circuit-Level GatewaysCircuit-Level Gateways
Work at TCP levelWork at TCP level Generally used to create specific Generally used to create specific
connectsions between isolated networksconnectsions between isolated networks SOCKS protocol – used in relay serviceSOCKS protocol – used in relay service Log the byte flowLog the byte flow
Can’t catch all abuses, packet filter should Can’t catch all abuses, packet filter should be usedbe used
Launder IP connections, by designLaunder IP connections, by design Well suited for some UDP applicationsWell suited for some UDP applications
Figure 9.7: A typical SOCKS connection through interface A, and rogue connection through the external interface, B.
Dynamic Packet FiltersDynamic Packet Filters Most commonMost common Provide good protection and full Provide good protection and full
transparencytransparency Network administrators given full control Network administrators given full control
over trafficover traffic Captures semantics of a connectionCaptures semantics of a connection
Incoming packets for the same connection are Incoming packets for the same connection are allowed (way to treat UDP similar to TCP’s ACK)allowed (way to treat UDP similar to TCP’s ACK)
FTP filtering introduces connection filteringFTP filtering introduces connection filtering X11 is better handled through sshX11 is better handled through ssh
1.2.3.4
Intended connection from 1.2.3.4 to 5.6.7.8
5.6.7.81.2.3.45.6.7.8
Firewall
Figure 9.8: Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the actual connections, to and from the relay in the firewall box. The Firewall impersonates each endpoint to the other.
1.2.3.45.6.7.810.11.12.135.6.7.8
ApplicationProxy
Firewall
Intended connection from 1.2.3.4 to 5.6.7.8
Figure 9.9: A dynamic packet filter with an application proxy. Note the change in source address
Figure 9.10: Asymmetric routes with two dynamic packet filters. Distance on the drawing is intended to be proportional to distance according to the routing protocol metrics. The solid lines show actual routes; the dotted lines show rejected routes, based on these metrics.
Dynamic Packet Filter Dynamic Packet Filter ImplementationImplementation
Dynamically update packet filter’s Dynamically update packet filter’s rulesetruleset Changes may not be benign due to orderingChanges may not be benign due to ordering
Redialing method offers greater Redialing method offers greater assurance of securityassurance of security No special-case code necessaryNo special-case code necessary FTP handled with user-level daemonFTP handled with user-level daemon UDP handled just as TCP except for tear UDP handled just as TCP except for tear
downdown ICMP handled with pseudoconnections and ICMP handled with pseudoconnections and
synthesized packetssynthesized packets
Per-Interface Tables Per-Interface Tables Consulted by Dynamic Consulted by Dynamic
Packet FilterPacket Filter Active Connection TableActive Connection Table
Socket structure decides whether data is Socket structure decides whether data is copied to outside socket or sent to copied to outside socket or sent to application proxyapplication proxy
Ordinary Filter TableOrdinary Filter Table Specifies which packets may pass in Specifies which packets may pass in
stateless mannerstateless manner Dynamic TableDynamic Table
Forces creation of local socket structuresForces creation of local socket structures
Asymmetric RoutesAsymmetric Routes
Both sides of the firewall know Both sides of the firewall know nothing of one another’s topologynothing of one another’s topology
Solutions:Solutions: Maintain full knowledge of the topologyMaintain full knowledge of the topology
Not feasible, too much state to keepNot feasible, too much state to keep Multiple firewalls share state Multiple firewalls share state
informationinformation Volume of messages may be prohibitive, Volume of messages may be prohibitive,
code complexitycode complexity
Are Dynamic Packet Are Dynamic Packet Filters Safe?Filters Safe?
Comparable to that of circuit gateways, Comparable to that of circuit gateways, as long as the implementation strategy as long as the implementation strategy is simpleis simple
If administrative interfaces use physical If administrative interfaces use physical network ports as the highest-level network ports as the highest-level constructconstruct Legal connections are generally defined in Legal connections are generally defined in
terms of the physical topologyterms of the physical topology Not if evildoers exist on the insideNot if evildoers exist on the inside
Circuit or application gateways demand Circuit or application gateways demand user authentication for outbound traffic and user authentication for outbound traffic and are therefore more resistant to this threatare therefore more resistant to this threat
Distributed FirewallsDistributed Firewalls A central management node sets the security A central management node sets the security
policy enforced by individual hostspolicy enforced by individual hosts Combination of high-level policy specification Combination of high-level policy specification
with file distribution mechanismwith file distribution mechanism Advantages:Advantages:
Lack of central point of failureLack of central point of failure Ability to protect machines outside topologically Ability to protect machines outside topologically
isolated spaceisolated space Great for laptopsGreat for laptops
Disadvantage:Disadvantage: Harder to allow in certain services, whereas it’s Harder to allow in certain services, whereas it’s
easy to blockeasy to block
Distributed Firewalls Distributed Firewalls DrawbackDrawback
Allowing in certain services works if Allowing in certain services works if and only if you’re sure the address and only if you’re sure the address can’t be spoofedcan’t be spoofed Requires anti-spoofing protectionRequires anti-spoofing protection Must maintain ability to roam safelyMust maintain ability to roam safely
Solution: IPsecSolution: IPsec A machine is trusted if and only if it can A machine is trusted if and only if it can
perform proper cryptographic perform proper cryptographic authenticationauthentication
Where to Filter?Where to Filter?
Balance between risk and costsBalance between risk and costs Always a higher layer that is hard to Always a higher layer that is hard to
filterfilter HumansHumans
Firewalls Aren’t Perfect?Firewalls Aren’t Perfect?
Useless against attacks from the insideUseless against attacks from the inside Evildoer exists on insideEvildoer exists on inside Malicious code is executed on an internal Malicious code is executed on an internal
machinemachine Organizations with greater insider threatOrganizations with greater insider threat
BanksBanks MilitaryMilitary
Protection must exist at each layerProtection must exist at each layer Assess risks of threats at every layerAssess risks of threats at every layer
Rely on transitive trustRely on transitive trust