Firewall
Transcript of Firewall
CS 6262 Fall 02
Firewalls
Firewall Technologies
Julie Schneider
What is a firewall?
• Device that provides secure connectivity between networks (internal/external; varying levels of trust)
• Used to implement and enforce a security policy for communication between networks
[Diagram: a Firewall and Router sit between the Internet (Untrusted Networks & Servers, Untrusted Users) and the Intranet (Trusted Networks, Trusted Users); a DMZ holds the Public Accessible Servers & Networks]
Firewalls
• From Webster’s Dictionary: a wall constructed to prevent the spread of fire
• Internet firewalls are more the moat around a castle than a building firewall
• Controlled access point
Firewalls can:
• Restrict incoming and outgoing traffic by IP address, ports, or users
• Block invalid packets
• Convenient:
  - Give insight into traffic mix via logging
  - Network Address Translation
  - Encryption
Firewalls Cannot Protect…
• Traffic that does not cross it
  - routing around
  - Internal traffic
• When misconfigured
[Diagram: misconfiguration example with the Internet, a DMZ Net holding the Web Server Pool, and the Corporate Network; marked ALERT!!]
Security Requirement
• Control access to network information and resources
• Protect the network from attacks
Access Control
Filtering
• Packets checked then passed
• Inbound & outbound affect when policy is checked
Filtering
• Packet filtering
  - Access Control Lists
• Session filtering
  - Dynamic Packet Filtering
  - Stateful Inspection
  - Context Based Access Control
Filtering
• Fragmentation/reassembly
• Sequence number checking
• ICMP
Packet Filtering
• Decisions made on a per-packet basis
• No state information saved
Typical Configuration
• Ports > 1024 left open
• If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work.
[Diagram: Packet Filter. A router implementing only the Network, DataLink and Physical layers sits between two end hosts, each running the full stack: Applications, Presentations, Sessions, Transport, Network, DataLink, Physical]
Session Filtering
• Packet decision made in the context of a connection
• If packet is a new connection, check against security policy
• If packet is part of an existing connection, match it up in the state table & update table
Typical Configuration
• All denied unless specifically allowed
• Dynamic protocols (FTP, H323, RealAudio, etc.) allowed only if supported
[Diagram: Session Filtering. The filter forwards at the Network layer but keeps Dynamic State Tables built from the Transport, Sessions, Presentations and Applications layers, between two end hosts running the full stack]
Dynamic State Tables
Screens ALL attempts, Protects All applications
Extracts & maintains ‘state’ information
Makes an intelligent security / traffic decision
Example: Telnet
[Diagram: Telnet Client (port 1234) and Telnet Server (port 23); exchange "PORT 1234", then "ACK"]
Client opens channel to server; tells server its port number. The ACK bit is not set while establishing the connection but will be set on the remaining packets.
Server acknowledges.
Format:
access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address|any|IP address and mask> [<gt|eq port number>] <DEST host with IP address|any|IP address and mask> [<gt|eq port number>]
The following allows a user to telnet from an IP address (172.168.10.11) to any destination, but not vice-versa:
access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
! Allows packets out to remote Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
! Allows returning packets to come back in. It verifies that the ACK bit is set
interface Ethernet 0
 ip access-group 100 out
 ! Apply the first rule to outbound traffic (ip access-group is the IOS command that binds an access-list to an interface)
 ip access-group 101 in
 ! Apply the second rule to inbound traffic
Note: anything not explicitly permitted in an access-list is denied.
FTP
[Diagram: FTP Client (command port 5150, data port 5151) and FTP Server (21 Command, 20 Data); exchange "PORT 5151", "OK", then the DATA CHANNEL and TCP ACK]
Client opens command channel to server; tells server second port number.
Server acknowledges.
Server opens data channel to client’s second port.
Client acknowledges.
Example FTP – Packet Filter
Format:
access-list <rule number> <permit|deny> <protocol> <SOURCE host with IP address|any|IP address and mask> [<gt|eq port number>] <DEST host with IP address|any|IP address and mask> [<gt|eq port number>]
The following allows a user to FTP (not passive FTP) from any IP address to the FTP server (172.168.10.12):
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any client to the FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the FTP server to send packets back to any IP address with TCP ports > 1023
interface Ethernet 0
 ip access-group 100 in
 ! Apply the first rule to inbound traffic
 ip access-group 101 out
 ! Apply the second rule to outbound traffic
FTP – Passive Mode
[Diagram: FTP Client (ports 5150, 5151) and FTP Server (21 Command, 20 Data); exchange "PASV", "OK 3267", then the DATA CHANNEL and TCP ACK]
Client opens command channel to server; requests passive mode.
Server allocates port for data channel; tells client port number.
Client opens data channel to server’s second port. Server acknowledges.
Example FTP : Session Filter
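The two FTP slides above contrast a packet filter (the ACL pair, which must leave the whole server port 20 to high-port range open) with a session filter (which learns the data channel from the PORT command). The following is an added example, not code from the slides: a toy stateless filter mirroring the slide's ACLs and a toy stateful filter, both run over one constructed active-mode FTP packet stream. The Packet model, the client address 10.0.0.5 and the PORT parsing are simplifications chosen for this example; the server address is the one on the slide.

```python
"""Toy stateless packet filter vs. toy stateful session filter, run over one
constructed FTP (active mode) packet stream. Added illustration; the packet
model, rule names and the PORT-command parsing are simplifications."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: str = ""

CLIENT = "10.0.0.5"          # constructed client address
SERVER = "172.168.10.12"     # FTP server address used on the slide

def packet_filter(pkt):
    """Stateless: mirrors the slide's ACL pair, judging one packet at a time."""
    # rule 100 (inbound): any client high port -> server command (21) or data (20) port
    if pkt.dst == SERVER and pkt.sport > 1023 and pkt.dport in (21, 20):
        return True
    # rule 101 (outbound): server port 21/20 -> any high port
    if pkt.src == SERVER and pkt.sport in (21, 20) and pkt.dport > 1023:
        return True
    return False                       # implicit deny

class SessionFilter:
    """Stateful: new connections are checked against policy, packets of known
    connections are matched in a state table, and a PORT command seen on an
    accepted control channel opens exactly one expected data connection."""
    def __init__(self):
        self.state = set()    # 4-tuples (src, sport, dst, dport) of accepted connections
        self.pending = set()  # data connections announced by PORT but not yet opened

    def policy_allows_new(self, pkt):
        # the only connections clients may initiate: the FTP control channel to the server
        return pkt.dst == SERVER and pkt.dport == 21 and pkt.sport > 1023

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            self.inspect(pkt)           # existing connection: update the state table
            return True
        if pkt.syn and not pkt.ack:     # new connection attempt
            if self.policy_allows_new(pkt) or key in self.pending:
                self.pending.discard(key)
                self.state.add(key)
                return True
        return False

    def inspect(self, pkt):
        # active-mode FTP: client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel
        if pkt.dport == 21 and pkt.payload.startswith("PORT "):
            n = [int(x) for x in pkt.payload[5:].split(",")]
            host, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
            self.pending.add((SERVER, 20, host, port))   # server will connect from port 20

def run_stream():
    """Return (packet filter verdict, session filter verdict) for each packet."""
    stream = [  # constructed packets, in arrival order
        Packet(CLIENT, 5150, SERVER, 21, syn=True),                    # client opens control channel
        Packet(SERVER, 21, CLIENT, 5150, syn=True, ack=True),         # server SYN/ACK
        Packet(CLIENT, 5150, SERVER, 21, ack=True, payload="PORT 10,0,0,5,20,31"),  # 20*256+31 = 5151
        Packet(SERVER, 20, CLIENT, 5151, syn=True),                    # server opens data channel
        Packet(CLIENT, 5151, SERVER, 20, syn=True, ack=True),         # client SYN/ACK on data channel
        Packet(SERVER, 20, CLIENT, 6000, syn=True),                    # port-20 connection nobody asked for
        Packet("198.51.100.7", 4444, SERVER, 22, syn=True),           # unrelated connection attempt
    ]
    sf = SessionFilter()
    return [(packet_filter(p), sf.check(p)) for p in stream]

if __name__ == "__main__":
    for num, (pf, sf) in enumerate(run_stream(), 1):
        print(f"packet {num}: packet filter={'pass' if pf else 'drop'}, session filter={'pass' if sf else 'drop'}")
```

Packet 6 is the hole the comparison table calls "No dynamic w/o holes": the stateless rules pass any packet from server port 20 to a high port, while the session filter passes only the data connection that a PORT command on an accepted control channel announced.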
Proxy Firewalls
• Relay for connections: Client – Proxy – Server
• Two flavors
  - Application level
  - Circuit level
Application Gateways
• Understands specific applications
• Limited proxies available
• Proxy ‘impersonates’ both sides of connection
• Resource intensive
  - process per connection
• HTTP proxies may cache web pages
Application Gateways
• More appropriate to TCP
  - ICMP difficult
• Block all unless specifically allowed
• Must write a new proxy application to support new protocols
  - Not trivial!
Application Gateways
• Clients configured for proxy communication
• Transparent Proxies
[Diagram: Application Gateway. The gateway runs a full stack (Physical through Applications) with an Application Layer GW/proxy per service (Telnet, HTTP, FTP) between two end hosts, each running the full stack]
Circuit-Level Gateways
• Support more services than Application-level Gateway
  - less control over data
• Hard to handle protocols like FTP
• Clients must be aware they are using a circuit-level proxy
• Protect against fragmentation problem
SOCKS
• Circuit level Gateway
• Support TCP
• SOCKS v5 supports UDP, earlier versions did not
• See http://www.socks.nec.com
Comparison

Firewall type    Security  Performance  Service Support
Packet Filter    3         1            No dynamic w/o holes
Session Filter   2         2            Dependent on vendor for dynamic support
Circuit GW       2         3
App. GW          1         4            Typically < 20

Lower is better for security & performance
Comparison

Firewall type    Modify Client Applications?
Packet Filter    No
Session Filter   No
Circuit GW       Typical, SOCKS-ify client applications
App. GW          Unless transparent, client application must be proxy-aware & configured
Comparison

Firewall type    ICMP         Fragmentation
Packet Filter    Yes          No
Session Filter   Yes          Maybe
Circuit GW       (SOCKS v5)   Yes
App. GW          No           Yes
Proxying UDP/ICMP
• Why isn’t UDP or ICMP proxied as much as TCP?
• TCP’s connection-oriented nature easier to proxy
• UDP & ICMP harder (but not impossible) since each packet is a separate transaction
• Session filters determine which packets appear to be replies
Circuit Level GW
• Operate at user level in OS
• Have circuit program ‘route’ packets between interfaces instead of OS routing code
NAT
• Useful if organization does not have enough real IP addresses
• Extra security measure if internal hosts do not have valid IP addresses (harder to trick firewall)
• Only really need real IP addresses for services outside networks will originate connections to
NAT
• Many-to-1 (n-to-m) mapping
• 1-to-1 (n-to-n) mapping
• Proxies provide many-to-1
• NAT not required on filtering firewalls
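The NAT slides above note that hiding internal hosts behind a translated address is also a security measure. The following is an added example, not code from the slides: a toy many-to-1 NAT with port translation whose table is what makes unsolicited inbound packets undeliverable. The public address 203.0.113.1, the private hosts, the remote peers and the port pool are constructed, and requiring a reply to come from the same remote peer the inside host contacted is this example's choice rather than something the slides specify.

```python
"""Many-to-1 NAT with port translation, showing the side effect the slide
mentions: an inbound packet is translated (and so delivered) only when an
inside host already created the mapping. Added illustration; addresses and
the port pool are constructed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Napt:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (private src, sport, remote dst) -> public port
        self.inbound_map = {}    # public port -> (private src, sport, remote dst)

    def translate_out(self, pkt):
        """Rewrite an inside->outside packet to the public address; allocate a port on first use."""
        key = (pkt.src, pkt.sport, pkt.dst)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def translate_in(self, pkt):
        """Rewrite an outside->inside packet back to the private host, or None if unsolicited."""
        mapping = self.inbound_map.get(pkt.dport)
        if pkt.dst != self.public_ip or mapping is None:
            return None                      # no inside host asked for this port
        src, sport, remote = mapping
        if pkt.src != remote:
            return None                      # mapped port, but from a peer the host never contacted
        return replace(pkt, dst=src, dport=sport)

def demo():
    """Two inside hosts share one public address; returns the five results checked below."""
    nat = Napt("203.0.113.1")                                         # constructed public address
    out1 = nat.translate_out(Pkt("10.0.0.5", 5150, "198.51.100.9", 80))
    out2 = nat.translate_out(Pkt("10.0.0.6", 5150, "198.51.100.9", 80))   # same private port, other host
    reply = nat.translate_in(Pkt("198.51.100.9", 80, "203.0.113.1", out1.sport))
    unsolicited = nat.translate_in(Pkt("198.51.100.9", 80, "203.0.113.1", 40999))
    stray = nat.translate_in(Pkt("192.0.2.77", 80, "203.0.113.1", out2.sport))
    return out1, out2, reply, unsolicited, stray

if __name__ == "__main__":
    for label, result in zip(("out1", "out2", "reply", "unsolicited", "stray"), demo()):
        print(f"{label}: {result}")
```

The two inside hosts both use source port 5150, so the translator must allocate distinct public ports; the reply maps back to the right host, while a packet to an unallocated port, or to an allocated port from a different peer, has no mapping and is dropped.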
Encryption (VPNs)
• Allows trusted users to access sensitive information while traversing untrusted networks
• Useful for remote users/sites
• IPSec
Encrypted Tunnels
• What kind of traffic allowed? Only IP?
• Can the tunnel traffic be examined? Or are firewalls blind to internal tunnel traffic?
• Can services and users be limited in their tunnel traffic?
Attacks
• Take advantage of allowed client-server communications
• Get around connections
IP Spoofing
• Intruder attempts to gain access by altering a packet’s IP address to make it appear as though the packet originated in a part of the network with higher access privileges
Anti-Spoofing
• Must have network level access to packets
• Match up packets with allowed addresses per interface
• With proxies, the IP headers are lost and never reach the application level
Anti-Spoofing
[Diagram: Anti-Spoofing. Firewall with interfaces e1 (130.207.4.0), e2 (130.207.3.0), e3 (130.207.5.0) and e4 (Internet)]
Allowed Networks:
E1: 130.207.4.0/24
E2: 130.207.3.0/24
E3: 130.207.5.0/24
E4: All except E1, E2, E3
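The anti-spoofing slides say to match each packet's source address against the networks allowed on the interface it arrived on. The following is an added example, not code from the slides: an ingress check that encodes the diagram's allowed-networks table with the standard library's ipaddress module and audits a few constructed packets. The lowercase interface names, the sample addresses and the log format are this example's choices.

```python
"""Per-interface ingress check using the slide's allowed-networks table.
Added illustration; interface names and the sample packets are constructed."""
import ipaddress

# Networks the firewall expects to see as SOURCE addresses on each interface (from the slide).
ALLOWED = {
    "e1": [ipaddress.ip_network("130.207.4.0/24")],
    "e2": [ipaddress.ip_network("130.207.3.0/24")],
    "e3": [ipaddress.ip_network("130.207.5.0/24")],
}
INTERNAL = [net for nets in ALLOWED.values() for net in nets]
INTERNET_IF = "e4"   # anything may arrive here except addresses that belong inside

def source_allowed(interface, src):
    """True if a packet with source address src may legitimately arrive on interface."""
    addr = ipaddress.ip_address(src)
    if interface in ALLOWED:
        return any(addr in net for net in ALLOWED[interface])
    if interface == INTERNET_IF:
        return not any(addr in net for net in INTERNAL)
    return False   # unknown interface: fail closed

def audit(packets):
    """packets: iterable of (interface, src, dst). Returns one log line per packet."""
    lines = []
    for interface, src, dst in packets:
        verdict = "pass" if source_allowed(interface, src) else "DROP spoofed source"
        lines.append(f"{interface} {src} -> {dst}: {verdict}")
    return lines

SAMPLE = [  # constructed packets
    ("e1", "130.207.4.17", "130.207.3.9"),     # internal host on its own interface
    ("e4", "130.207.4.17", "130.207.3.9"),     # an inside address arriving from the Internet
    ("e4", "198.51.100.20", "130.207.5.2"),    # ordinary Internet source
    ("e2", "130.207.5.8", "130.207.3.9"),      # e3's address showing up on e2
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The second and fourth sample packets are the cases the slide is about: a source address that is valid somewhere on the network but impossible on the interface it came in on. This check needs the raw IP header, which is why the slide notes it cannot be done by a proxy.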
Mitnick & Shimomura
• IP spoofing
• Sequence number prediction
• See http://www.takedown.com
Fragmentation: The 1st Wave
[Diagram: Telnet Client (port 1234) and Telnet Server (port 23); FRAG1 (with ACK) and FRAG2 (with ACK) cross the filter and reassemble into a SYN packet (no ACK), followed by the ACK]
Allow only if ACK bit set. Send 2 fragments with the ACK bit set; when the server re-assembles the packet, the fragment offsets are chosen so the full datagram forms a packet with the SYN bit set (the fragment offset of the second packet overlaps into the space of the first packet).
All following packets will have the ACK bit set.
Fragmentation
[Diagram: IP datagram layout. Data Link Layer Header; IP Header: Ver/IHL, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time To Live, Protocol, Header Checksum; Source Address; Destination Address; Options + Padding. TCP Header: Source Port, Destination Port; Sequence Number; Acknowledgement Number; Offset/Reserved, flags U A P R S F, Window; Checksum, Urgent Pointer; Options + Padding. Data; Data Link Layer Trailer]
Fragmentation: 2nd Wave
• Instead of fragmenting the TCP header, fragment the data portion or ICMP to attack the OS of clients
• OS – not all do bounds checking
  - ‘early Friday bug’: oversized ICMP reassembled on client too large, caused buffer overrun and BSOD
• Fragment a URL or ftp put command
  - Proxy would catch
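The two fragmentation slides (1st Wave and 2nd Wave) describe what a filter or host must not let through: a second fragment whose offset overwrites the TCP flags of the first, fragments that overlap other data, and reassembly into an oversized datagram. The following is an added example, not code from the slides: the per-fragment and reassembly checks a defender can apply, run over constructed fragment sets shaped like each slide. The Fragment model keeps only the IP fields that matter, the offset checks follow the approach of RFC 1858, and the minimum size required of the first TCP fragment is this example's choice.

```python
"""Defensive fragment handling covering the tricks on these slides: a second
fragment overwriting the TCP flags of the first (1st wave), overlapping data
fragments, and oversized reassembly (the 2nd-wave ICMP case). Added
illustration; Fragment is a constructed model of the relevant IP header
fields, and MIN_FIRST_TCP_FRAGMENT is this example's choice."""
import struct
from dataclasses import dataclass

TCP_PROTO, ICMP_PROTO = 6, 1
SYN, ACK = 0x02, 0x10
MIN_FIRST_TCP_FRAGMENT = 20   # fragment 0 must carry a whole minimum TCP header so the flags are visible
MAX_DATAGRAM = 65535          # IP Total Length limit; anything larger is an oversized reassembly

@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identifier shared by all fragments of one datagram
    proto: int      # IP Protocol field
    offset: int     # IP Fragment Offset, in 8-byte units
    more: bool      # MF flag
    data: bytes     # transport-layer bytes carried by this fragment

def tcp_header(flags):
    """20-byte TCP header with the given flag bits; ports as on the Telnet slide (constructed)."""
    return struct.pack("!HHIIBBHHH", 1234, 23, 0, 0, 5 << 4, flags, 8192, 0, 0)

def reject_reason(frag):
    """Per-fragment checks in the spirit of RFC 1858; None means the fragment is acceptable."""
    if frag.proto == TCP_PROTO and frag.offset == 0 and len(frag.data) < MIN_FIRST_TCP_FRAGMENT:
        return "first fragment too short to carry the TCP header"
    if frag.proto == TCP_PROTO and frag.offset == 1:
        return "offset 1 would overwrite the TCP flags of the first fragment"
    return None

def reassemble(fragments):
    """Return (payload, None) or (None, reason). Overlap, gaps and oversize are rejected."""
    if not fragments:
        return None, "no fragments"
    for frag in fragments:
        reason = reject_reason(frag)
        if reason:
            return None, reason
    buf, expected = bytearray(), 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        start = frag.offset * 8
        if start < expected:
            return None, f"fragment at offset {frag.offset} overlaps earlier data"
        if start > expected:
            return None, "gap between fragments"
        buf += frag.data
        expected = len(buf)
        if expected > MAX_DATAGRAM:
            return None, "reassembled datagram exceeds 65535 bytes"
    if max(fragments, key=lambda f: f.offset).more:
        return None, "last fragment missing"
    return bytes(buf), None

# constructed samples, keyed by what they demonstrate
SAMPLES = {
    "honest": [                      # ordinary two-fragment segment, ACK set, no overlap
        Fragment(1, TCP_PROTO, 0, True, tcp_header(ACK) + b"abcd"),
        Fragment(1, TCP_PROTO, 3, False, b"efgh"),
    ],
    "overlap_at_offset_1": [         # 1st-wave shape: both carry ACK, second rewrites bytes 8-19
        Fragment(2, TCP_PROTO, 0, True, tcp_header(ACK)),
        Fragment(2, TCP_PROTO, 1, False, struct.pack("!IBBHHH", 0, 5 << 4, SYN, 8192, 0, 0)),
    ],
    "overlap_data": [                # overlap inside the data portion
        Fragment(3, TCP_PROTO, 0, True, tcp_header(ACK) + b"abcd"),
        Fragment(3, TCP_PROTO, 2, False, b"x" * 8),
    ],
    "oversized_icmp": [              # reassembles to 65544 bytes, the oversized-ICMP case
        Fragment(4, ICMP_PROTO, 0, True, b"\x08\x00" + b"\x00" * 65526),
        Fragment(4, ICMP_PROTO, 8191, False, b"\x00" * 16),
    ],
}

def verdicts():
    """Map sample name -> TCP flags byte of the reassembled header, or the drop reason."""
    out = {}
    for name, frags in SAMPLES.items():
        payload, reason = reassemble(frags)
        out[name] = reason if reason else payload[13]   # byte 13 of the TCP header holds the flags
    return out

if __name__ == "__main__":
    for name, result in verdicts().items():
        label = result if isinstance(result, str) else f"accepted, flags=0x{result:02x}"
        print(f"{name}: {label}")
```

Only the honest sample reassembles, and its flags byte is the ACK bit the filter expected to see. The offset-1 rule stops the 1st-wave shape before any reassembly happens, which is what a stateless filter can do on its own; the overlap and size checks need the reassembly state that the Filtering slides list under fragmentation/reassembly.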
Chargen Service
• Character Generation, debugging tool
• Make a connection & receive a stream of data
• Trick machine into making a connection to itself
  - CPU locks
• Anti-spoofing will catch
Sendmail
• Typically handled by a proxy
• Almost never want the outside world to have direct access to sendmail