F2 - Brandvägg 2 (Lecture 2 - Firewalls, part 2)
Transcript of F2 - Brandvägg 2
-
8/2/2019 F2 - Brandvägg 2
1/22
KTH STH
L2, Firewalls
HI1023 - Nätverkssäkerhet (Network Security), gk
KTH STH, Slide 2, Micael Lundvall
Outline of Lecture 2
Firewall Characteristics
NAT (Network Address Translation)
Port Forwarding
Types of firewalls
Firewall Configuration
Trusted systems
Slide 3
Firewall Characteristics
All traffic between inside and outside must pass through the firewall.
Only authorized traffic, as defined by local security policy, will be allowed to pass.
The firewall itself is immune to penetration.
[Figure: trusted private network - Firewall - untrusted public network]
Slide 4
Four general techniques
Service control
Type of Internet service that can be accessed
Direction control
Direction of service request that may pass
User control
User access to specified service
Behavior control
Controls how particular services are used
Slide 5
Firewall example, DMZ
[Figure: firewall with three interfaces: ip_int 192.168.123.1 on intnet 192.168.123.0/24 (hosts int-sql, int-proc, int-mail); ip_dmz 194.1.1.3 on dmznet 194.1.1.0/24 (hosts websrv, dmz-proz); ip_ext 194.1.1.1/32 towards Router 194.1.1.1 and the Internet; an ISDN link]
Slide 6
NAT (Network Address Translation)
NAT is used by a device that sits between an internal network and the rest of the world.
NAT solves the IPv4 shortage of IP addresses (only 2^32 exist).
NAT has many forms and can work in several ways.
Slide 7
Static NAT
Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis.
Particularly useful when a device needs to be accessible from outside the network.
Slide 8
Port Forwarding, Static NAT
Port Forwarding allows the router/firewall to publish one or more internal IP-addresses on the external interface.
[Figure: internal hosts 10.0.0.11 to 10.0.0.15 behind a router with internal address 10.0.0.1 and external address 132.168.27.32; 10.0.0.11:80 is published as 132.168.27.32:80]
Slide 9
Dynamic NAT
Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
Slide 10
Overloading, PAT (Port Address Translation)
Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.
Slide 11
Port-mapped NAT (NAPT, PAT, ...)
Can be implemented in most routers.
Hides the private net from the public net.
All outgoing traffic seems to come from one single address, the router's external address.
[Figure: internal hosts 10.0.0.11 to 10.0.0.15 behind a NAT Router with internal address 10.0.0.1 and external address 132.168.27.32, connected to the Internet]
Slide 12
Port-mapped NAT (NAPT, PAT, ...)
NAT works with blocks of port numbers.
Every internal PC gets a NAT port number when connecting to an external address.

Private address  Private port  External address  External port  NAT port  Used protocol
10.0.0.5         2123          128.10.19.20      80             14003     TCP
10.0.0.1         1862          128.10.19.20      80             14010     TCP
10.0.2.1         2660          207.200.75.200    21             14012     TCP
10.0.0.3         1274          128.210.1.5       53             14007     UDP
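The NAPT table above as working code, written as an added example for this transcript (it is not code from the lecture). Every new outbound flow from the private net gets its own NAT port on the router's single external address, replies are mapped back through the same entry, and an inbound packet that matches no entry is dropped. The external address, the starting NAT port 14000 and the internal hosts are constructed values.

```python
# Added example (not from the slides): a minimal port-mapped NAT (NAPT/PAT)
# table. Internal hosts share one external address; each new outbound flow is
# given its own NAT port. All addresses and the port block are constructed.
from dataclasses import dataclass
from typing import Optional

EXTERNAL_ADDR = "132.168.27.32"   # the router's external address (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str    # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int

class Napt:
    def __init__(self, first_port: int = 14000):   # start of the NAT port block (assumed)
        self._next = first_port
        self._out = {}   # (proto, priv addr, priv port, ext addr, ext port) -> NAT port
        self._in = {}    # (proto, NAT port, ext addr, ext port) -> (priv addr, priv port)

    def outbound(self, p: Packet) -> Packet:
        """Translate a packet leaving the private net; allocate a NAT port on first use."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self._out.get(key)
        if port is None:
            port = self._next
            self._next += 1
            self._out[key] = port
            self._in[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(p.proto, EXTERNAL_ADDR, port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply from the Internet back to the internal host; None = no flow, drop."""
        entry = self._in.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None
        priv_addr, priv_port = entry
        return Packet(p.proto, p.src, p.sport, priv_addr, priv_port)

def demo():
    """Two internal hosts talk to the same web server; one reply and one stray packet."""
    nat = Napt()
    a = nat.outbound(Packet("TCP", "10.0.0.5", 2123, "128.10.19.20", 80))
    b = nat.outbound(Packet("TCP", "10.0.0.1", 1862, "128.10.19.20", 80))
    reply = nat.inbound(Packet("TCP", "128.10.19.20", 80, EXTERNAL_ADDR, a.sport))
    stray = nat.inbound(Packet("TCP", "128.10.19.20", 80, EXTERNAL_ADDR, 15000))
    return a, b, reply, stray
```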
Slide 13
Overlapping
Overlapping - IP addresses used on an internal network are registered IP addresses in use on another network.
Slide 14
Types of firewalls
Packet filter (PF)
Also referred to as Static/Stateless Packet Filter
Stateful Inspection
Also referred to as Dynamic Packet Filter
Circuit-Layer Gateway (CLG)
Also referred to as proxy server
Application-Layer Gateway (ALG)
Slide 15
Packet Filtering Firewall
Set of rules in an ACL to allow or deny packets based on source and destination.
A packet is filtered only on information in its headers.
The payload is NOT examined.
[Figure: LAN - packet filtering in router (Firewall/Router) - Internet]
Slide 16
Packet Filter
A packet at the Network Layer will encapsulate headers for the layers above.
No information is held about packets that have been previously checked.
[Figure: IP header (src address, dst address) at the IP Layer, TCP header (src port, dst port) at the TCP Layer, then application data]
Slide 17
Filtering rules
Rules are contained in a filter table or list: the Access Control List (ACL).
Rules are processed top-down.
As soon as a rule matches, the action associated with this rule is performed and processing terminates.

Action  Source   Src port  Dst      Dst port  Flags
Allow   Our net  >1023     *        80        *
Allow   *        80        Our net  >1023     ACK
Deny    *        *         *        *         *
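Top-down, first-match evaluation of the three-rule ACL on this slide, as an added example (not code from the lecture). "Our net" is assumed to be the intnet from the DMZ slide, 192.168.123.0/24, and the packets are constructed. Because the filter keeps no state, rule 2 passes any inbound packet from source port 80 with ACK set whether or not an internal host ever opened that connection; the stateful filter on later slides closes that gap.

```python
# Added example (not from the slides): top-down, first-match processing of the
# stateless ACL. "Our net" is assumed to be 192.168.123.0/24 (the DMZ slide's intnet).
import ipaddress

OUR_NET = ipaddress.ip_network("192.168.123.0/24")

# (action, source, src port, dst, dst port, flags), exactly as in the slide's table
RULES = [
    ("Allow", "Our net", ">1023", "*",       "80",    "*"),
    ("Allow", "*",       "80",    "Our net", ">1023", "ACK"),
    ("Deny",  "*",       "*",     "*",       "*",     "*"),
]

def _addr_matches(pattern, addr):
    if pattern == "*":
        return True
    if pattern == "Our net":
        return ipaddress.ip_address(addr) in OUR_NET
    return pattern == addr

def _port_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def _flags_match(pattern, flags):
    # a named flag must be set; "*" ignores the flags entirely
    return pattern == "*" or pattern in flags

def filter_packet(src, sport, dst, dport, flags=frozenset()):
    """Return the action of the first matching rule; rules are scanned top-down."""
    for action, r_src, r_sport, r_dst, r_dport, r_flags in RULES:
        if (_addr_matches(r_src, src) and _port_matches(r_sport, sport)
                and _addr_matches(r_dst, dst) and _port_matches(r_dport, dport)
                and _flags_match(r_flags, flags)):
            return action
    return "Deny"   # unreachable with the final catch-all rule, kept as a safe default
```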
Slide 18
Analysis of Stateless Filtering
Works well when all the information needed to open a connection is held within the individual packets.
E.g. to allow outgoing connections to any Web server, you must:
allow outgoing requests to establish a connection, and
allow all subsequent packets that are part of this connection.
Slide 19
TCP connection
TCP can distinguish a packet that is about to open a connection from a packet that is part of an existing connection.
[Figure: open connection from port > 1023 to port 80; existing connection between port 80 and port > 1023]
Slide 20
Fragmentation
Sometimes IP packets arrive fragmented.
The original packet may have been too large for a link.
Fragmented packets are a problem for stateless filtering:
not all fragments contain the TCP header.
Slide 21
Fragmentation
[Figure: at the Network Layer, packet IP|TCP|Data becomes fragments IP1|TCP|Data and IP2|Data]
1. Packet sent.
2. Packet is fragmented at a router.
3. Packet received and reassembled at the destination.
Slide 22
UDP
UDP headers do not hold enough information for effective stateless filtering.
An incoming packet may be either a request, or a response to a previous outgoing packet.
[Figure: client port > 1023 to server port 53; server port 53 back to a new client port > 1023]
Slide 23
Stateful Packet Filter
Can allow or deny packets based on
information in the current packet, and
information in previously transmitted packets.
Remembers state information about the communication from previous packets.
Slide 24
Stateful Packet Filter
Maintains a table of active TCP sessions and UDP "pseudo" sessions.
Each entry records the session's:
source and destination IP address
source and destination port numbers
the current TCP sequence number
Slide 25
Connection State Table

Src Addr      Src Port  Dst Addr      Dst Port  Connection
192.168.1.10  1054      210.9.88.23   80        Established
192.168.1.11  1055      216.32.42.12  80        Established
192.168.1.12  1056      173.32.42.89  25        Established

Entries are created for TCP connections or UDP streams that pass the rules in the ACL.
Packets associated with these sessions are permitted to pass without an ACL check.
Slide 26
Stateful Packet filter
Resolve of a DNS query
[Figure: client and DNS server, with the steps:]
1. Resolve a DNS query.
2. Packet to UDP port 53 on the DNS server.
3. The stateful filter checks the packet going out and creates a rule allowing replies within a limited time.
4. DNS reply allowed.
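The connection state table of the previous slides and the DNS sequence above, as an added example (not code from the lecture). An outbound packet that passes the static ACL creates an entry, a TCP session or a UDP pseudo-session with an expiry time; packets that match an entry in either direction pass without an ACL check, and a UDP reply arriving after the window, or any packet with no entry and no matching ACL rule, is denied. The internal net 192.168.1.0/24, the 30-second UDP window and the three permitted services are assumed.

```python
# Added example (not from the slides): a stateful packet filter with a
# connection state table. Outbound flows allowed by the ACL create entries;
# matching traffic passes without an ACL check; UDP pseudo-sessions expire.
import ipaddress

OUR_NET = ipaddress.ip_network("192.168.1.0/24")   # internal net, as in the table
UDP_TIMEOUT = 30.0   # seconds a UDP pseudo-session stays open (assumed value)

class StatefulFilter:
    def __init__(self):
        # (proto, src, sport, dst, dport) -> expiry time (UDP) or None (TCP)
        self.table = {}

    def _acl_allows_outbound(self, proto, src, dport):
        """Static rules (assumed): internal hosts may open TCP/80, TCP/25 and UDP/53."""
        return (ipaddress.ip_address(src) in OUR_NET
                and (proto, dport) in {("TCP", 80), ("TCP", 25), ("UDP", 53)})

    def handle(self, proto, src, sport, dst, dport, now, tcp_fin=False):
        """Return 'Allow' or 'Deny' for one packet seen at time `now` (seconds)."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        for key in (fwd, rev):
            if key not in self.table:
                continue
            # the packet belongs to a known session: no ACL check is made
            expiry = self.table[key]
            if expiry is not None and now > expiry:
                del self.table[key]      # UDP pseudo-session has timed out
                return "Deny"
            if proto == "UDP":
                self.table[key] = now + UDP_TIMEOUT   # traffic refreshes the timer
            elif tcp_fin:
                del self.table[key]      # TCP session closed
            return "Allow"
        # no session: only a new outbound flow permitted by the ACL creates one
        if self._acl_allows_outbound(proto, src, dport):
            self.table[fwd] = now + UDP_TIMEOUT if proto == "UDP" else None
            return "Allow"
        return "Deny"

    def sessions(self):
        """Rows of the connection state table, as on the slide."""
        return [(s, sp, d, dp, "Established" if e is None else "UDP pseudo")
                for (_, s, sp, d, dp), e in self.table.items()]
```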
Slide 27
Fragmentation
Fragments are reassembled for inspection.
Unexpected fragments can be detected and dropped by the filter.
[Figure: fragments 1, 2, ..., n arriving at the internal network; no filtering on fragments at the router]
1. Denial-of-service attack floods the network with fragments.
2. Inspect and attempt to reassemble the fragments into a packet. If it fails, deny the fragment.
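Step 2 above as an added example (not code from the lecture): fragments sharing one IP identification are buffered per (src, dst, id), and once the last fragment arrives the set is reassembled before inspection. A set with a gap, an overlap, an empty fragment or a wrong "more fragments" flag cannot be reassembled and is denied. Fragments are constructed as (byte offset, more-fragments flag, payload) tuples; for simplicity the code assumes the fragment with the flag cleared arrives last.

```python
# Added example (not from the slides): reassemble IP fragments before inspection
# and deny the set when reassembly fails. Fragments are constructed tuples of
# (offset in bytes, more-fragments flag, payload) sharing one IP identification.

def reassemble(fragments):
    """Return the reassembled payload, or None if the fragment set is malformed."""
    if not fragments:
        return None
    frags = sorted(fragments, key=lambda f: f[0])
    expected = 0
    data = bytearray()
    for i, (offset, more, payload) in enumerate(frags):
        if offset != expected:       # gap (missing fragment) or overlapping data
            return None
        if not payload:              # empty fragments carry nothing legitimate
            return None
        last = i == len(frags) - 1
        if more == last:             # MF set on the last piece, or clear before it
            return None
        data += payload
        expected += len(payload)
    return bytes(data)

class FragmentFilter:
    def __init__(self):
        self.pending = {}   # (src, dst, ip_id) -> list of fragments seen so far

    def handle(self, src, dst, ip_id, offset, more, payload):
        """Buffer a fragment; 'Pending' until the last arrives, then 'Allow' or 'Deny'."""
        key = (src, dst, ip_id)
        self.pending.setdefault(key, []).append((offset, more, payload))
        if more:
            return "Pending"          # assumption: the MF=0 fragment arrives last
        frags = self.pending.pop(key)
        return "Allow" if reassemble(frags) is not None else "Deny"
```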
Slide 28
Firewall Builder
Slide 29
Juniper firewall
Slide 30
Stateful Inspection Packet Filter
SPF with Inspection Modules.
Checks whether the session being opened really seems to be the protocol corresponding to the port used.
If not, the session is terminated.
E.g. the HTTP inspection module checks that the first line of a TCP request on port 80 starts with the characters PUT, POST or GET.
Slide 31
Circuit-Level Gateway
Hides the internal network by providing a communication endpoint for clients and servers.
Normally added as a service on a well-known port number.
All connections through the firewall must be relayed through this port.
Slide 32
Operation of a CLG
[Figure: client 10.1.1.4 and server 123.1.2.3; the CLG has addresses 10.1.1.1 and 130.1.2.1, with routing disabled at the Network Layer and the relay done at the Transport Layer]
1. Client connects to the CLG and specifies the destination host.
2. CLG connects to the destination host if allowed by the policy.
3. Data is copied between the two connections.
Slide 33
CLG Connections
Information about the connections is stored within the circuit-level gateway.
Each client connection gets a unique port number.
Can distinguish connections for all clients.
Connection A: Client 10.1.1.4 to CLG 10.1.1.1 port 1080
Connection B: CLG 130.1.2.1 port 4711 to 123.1.2.3 port 80
Slide 34
CLG Connections
Can be used for both incoming and outgoing connections.
Requires special client configuration.
Can use any port number.
SOCKS is the standard implementation of a circuit-level gateway.
Slide 35
Application-Level Gateway
Acts as a relay of application-level traffic between clients and servers for specific applications.
Requires a separate ALG for each protocol.
Does not provide the service itself.
It acts as the client to the real server.
Slide 36
ALG content filtering
Can check or filter protocol content.
Can filter HTML tags to block JavaScript, Java or ActiveX.
Checks for viruses.
Checks for illegal content and usage.
Could affect performance.
Provides integration with content- and URL-filtering software.
Slide 37
Operation of an ALG
[Figure: client 10.1.1.4 and server 123.1.2.3; the ALG has addresses 10.1.1.1 and 130.1.2.1, with routing disabled at the Network Layer and the relay done above the Transport Layer]
1. Client connects to the ALG and specifies the destination host.
2. The ALG acts as the client to make a connection to the server, depending on its policy.
3. Data can be processed before being passed between the two connections.
Slide 38
Bastion Host
A system identified by the firewall administrator as a critical strongpoint in the network's security.
Typically a platform with a hardened OS running an ALG or CLG.
Slide 39
Screened host firewall system (single homed)
From Internet: Only IP packets destined for the bastion host are allowed in.
From internal Network: Only packets from the bastion host are allowed out.
Direct Internet access with IS may be allowed.
[Figure: Internet - packet filter (first line of defence) - bastion host and information server on the private network]
Slide 40
Screened host firewall system (dual homed)
From Internet: Only IP packets destined for the bastion host are allowed in.
From internal Network: Only packets from the bastion host are allowed out.
Direct Internet access with IS may be allowed.
[Figure: Internet - packet filter (first line of defence) - bastion host with two interfaces in front of the information server and the private network]
Slide 41
Screened subnet firewall system (three levels of defense)
Both the Internet and the private network have access to hosts on the screened subnet.
The private network is hidden from the Internet.
Traffic across the screened network is blocked in both directions.
[Figure: Internet - packet filter (first line of defence) - screened subnet with bastion host and information server - packet filter - private network]
Slide 42
Trusted Systems
Defence against intruders and malicious programs.
Data access control
User Access Control
Permissions to operations and file access
All access data is saved in an access matrix
Critical operations are logged
Slide 43
Access Control Structure
Elements of access matrix
Subject:
Users, groups, applications
Object:
Files, programs, segments of memory
Access rights:
Read, write, execute
Slide 44
Summary
To get a secure system you need to design a combination of different components.
Defence in depth.
There is no standard solution for every company.
Price/Performance