Firewalls (1)
7/24/2019 Firewalls (1)
1/53
Firewalls
-
What is a Firewall?
- A choke point of control and monitoring
- Interconnects networks with differing trust
- Imposes restrictions on network services: only authorized traffic is allowed
- Auditing and controlling access: can implement alarms for abnormal behavior
- Itself immune to penetration
- Provides perimeter defence
-
Classification of Firewall
- Characterized by the protocol level it controls in:
  - Packet filtering
  - Circuit gateways
  - Application gateways
-
Firewalls: Packet Filters
-
Firewalls: Packet Filters
- Simplest of components
- Uses transport-layer information only:
  - IP source address, destination address
  - Protocol/Next Header (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  - ICMP message type
- Examples:
  - DNS uses port 53
  - No incoming port 53 packets except from known trusted servers
-
Usage of Packet Filters
- Filtering with incoming or outgoing interfaces
  - E.g., ingress filtering of spoofed IP addresses
  - Egress filtering
- Permits or denies certain services
  - Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
-
How to Configure a Packet Filter
- Start with a security policy
- Specify allowable packets in terms of logical expressions on packet fields
- Rewrite the expressions in the syntax supported by your vendor
- General rules: least privilege
  - All that is not expressly permitted is prohibited
  - If you do not need it, eliminate it
-
Every ruleset is followed by an implicit rule reading like this: block everything (any host, any port, to any host, any port) that no earlier rule permitted.

Example 1:
Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that traffic from some particular site SPIGOT is to be blocked.
-
Solution 1:

Example 2:
Now suppose that we want to implement the policy "any inside host can send mail to the outside".
-
Solution 2:
This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough!
So why is it wrong?
-
Our defined restriction is based solely on the outside host's port number, which we have no way of controlling.
Now an enemy can access any internal machine and port by originating his call from port 25 on the outside machine.
What can be a better solution?
-
The ACK signifies that the packet is part of an ongoing conversation.
Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts.
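As an added illustration (not part of the slides), the following Python models Solution 2 as a stateless filter two ways: the naive rules match only on the outside port 25, the corrected rules additionally require ACK on inbound packets. The inside prefix, the addresses and ports, and the tuple rule format are constructed assumptions.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: addresses of our inside network
ANY = "*"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag set


def inside(addr):
    return addr.startswith(INSIDE_PREFIX)


# A rule: (from_inside, src_port, dst_port, require_ack, action); "*" matches any port.
def rule_matches(rule, pkt):
    from_inside, sport, dport, require_ack, _action = rule
    if from_inside != inside(pkt.src):
        return False
    if sport != ANY and sport != pkt.sport:
        return False
    if dport != ANY and dport != pkt.dport:
        return False
    if require_ack and not pkt.ack:
        return False
    return True


def filter_packet(rules, pkt):
    """First matching rule wins; the implicit final rule denies everything else."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[4]
    return "deny"


# Solution 2 as on the slide: the inbound rule keys only on the outside port.
NAIVE_RULES = [
    (True,  ANY, 25,  False, "allow"),   # inside, any port -> outside port 25
    (False, 25,  ANY, False, "allow"),   # outside port 25 -> inside, any port
]
# The fix: inbound packets from port 25 must carry ACK, i.e. belong to a
# conversation that an inside host started; bare SYNs from outside never match.
ACK_RULES = [
    (True,  ANY, 25,  False, "allow"),
    (False, 25,  ANY, True,  "allow"),
]

# Constructed traffic
MAIL_OUT = Packet("10.0.0.5", 40000, "192.0.2.10", 25)               # our SYN to a mail server
MAIL_REPLY = Packet("192.0.2.10", 25, "10.0.0.5", 40000, ack=True)   # its SYN/ACK back to us
PROBE = Packet("192.0.2.99", 25, "10.0.0.7", 23)                     # outsider's SYN from port 25 to telnet


def compare(pkt):
    """(verdict under the naive rules, verdict under the ACK rules)."""
    return (filter_packet(NAIVE_RULES, pkt), filter_packet(ACK_RULES, pkt))


if __name__ == "__main__":
    for name, pkt in [("mail out", MAIL_OUT), ("mail reply", MAIL_REPLY), ("probe", PROBE)]:
        print(name, compare(pkt))
```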
-
Security Performance of Packet Filters
- Tiny fragment attacks
  - Split TCP header info over several tiny packets
  - Either discard or reassemble before check
- Degradation depends on number of rules applied at any point
  - Order rules so that most common traffic is dealt with first
  - Correctness is more important than speed
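The "discard" option above, as an added example (not from the slides): a stateless filter that parses the IPv4 header and drops a first fragment too small to carry the TCP ports and flags, or a second fragment that would overwrite them on reassembly, in the style of RFC 1858. The packet builder and its addresses are constructed test helpers; the 16-byte minimum is an assumption chosen so that the TCP flags field is always present.

```python
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
# A first fragment must carry at least this much of the TCP header so that the
# ports (bytes 0-3) and the flags (byte 13) are present for the filter to check.
TCP_MIN_FIRST_FRAGMENT = 16
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(proto, frag_offset, more_fragments, payload):
    """Constructed test packets: IPv4 header (checksum left 0) + payload.
    frag_offset is in 8-byte units, as carried on the wire."""
    src, dst = b"\xc0\x00\x02\x01", b"\x0a\x00\x00\x05"   # 192.0.2.1 -> 10.0.0.5
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def fragment_verdict(packet):
    """Per-packet checks a stateless filter can apply before its port/flag rules.
    Returns 'pass', 'reassemble' or a 'drop: ...' reason."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    transport_len = total_len - ihl
    if proto != IP_PROTO_TCP:
        return "pass"
    if frag_offset == 0 and transport_len < TCP_MIN_FIRST_FRAGMENT:
        # Tiny first fragment: the flags (and maybe the ports) arrive in a later
        # fragment, so a rule such as "inbound must carry ACK" cannot be evaluated.
        return "drop: tiny first fragment"
    if frag_offset == 1:
        # Offset 8 bytes: on reassembly this fragment would overwrite the flags
        # that the first fragment presented to the filter.
        return "drop: overlapping fragment"
    if frag_offset > 1:
        # Carries no TCP header at all; only a reassembling filter can judge it.
        return "reassemble"
    return "pass"


if __name__ == "__main__":
    print(fragment_verdict(build_ipv4(IP_PROTO_TCP, 0, True, bytes(8))))
```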
-
Port Numbering
- TCP connection
  - Server port is a number less than 1024
  - Client port is a number between 1024 and 16383
- Permanent assignment
  - Ports <1024 assigned permanently
  - 20, 21 for FTP; 23 for Telnet; 25 for server SMTP; 80 for HTTP
- Variable use
  - Ports >1024 must be available for the client to make any connection
  - This presents a limitation for stateless packet filtering
  - If a client wants to use port 2048, the firewall must allow incoming traffic on this port
  - Better: stateful filtering knows the outgoing requests
-
Firewalls: Stateful Packet Filters
- Traditional packet filters do not examine higher-layer context, i.e. matching return packets with the outgoing flow
- Stateful packet filters address this need
- They examine each IP packet in context
  - Keep track of client-server sessions
  - Check each packet validly belongs to one
- Hence are better able to detect bogus packets out of context
-
Stateful Filtering
-
Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
-
Firewall Gateways
- Firewall runs a set of proxy programs
  - Proxies filter incoming and outgoing packets
  - All incoming traffic is directed to the firewall
  - All outgoing traffic appears to come from the firewall
  - Policy embedded in proxy programs
- Two kinds of proxies
  - Application-level gateways/proxies: tailored to http, ftp, smtp, etc.
  - Circuit-level gateways/proxies: working at the TCP level
-
Firewalls: Application Level Gateway (or Proxy)
-
Application-Level Filtering
- Has full access to the protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- Need separate proxies for each service
  - E.g., SMTP (E-Mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol)
  - custom services generally not supported
-
App-level Firewall Architecture
- Daemon spawns proxy when communication detected
(Figure: a network connection reaches the Telnet, SMTP or FTP daemon, which spawns the corresponding Telnet, SMTP or FTP proxy)
-
- Enforce policy for specific protocols
  - E.g., virus scanning for SMTP
  - Need to understand MIME, encoding, Zip archives
-
Where to Deploy App-level Firewall
- Bastion Host: highly secure host system
  - Potentially exposed to "hostile" elements
  - Hence is secured to withstand this
  - Disable all non-required services; keep it simple
  - Runs circuit / application level gateways
  - Install/modify the services you want
  - Or provides externally accessible services
-
Screened Host Architecture
-
Screened Subnet Using Two Routers
-
Firewalls Aren't Perfect?
- Useless against attacks from the inside
  - Evildoer exists on the inside
  - Malicious code is executed on an internal machine
- Organizations with greater insider threat
  - Banks and Military
- Cannot protect against transfer of all virus-infected programs or files
  - because of the huge range of O/S and file types
-
Quiz
In this question, we explore some applications and limitations of a packet filtering firewall. For each of the questions, briefly explain 1) can a stateless firewall be configured to defend against the attack, and how? and 2) if not, what about a stateful firewall?
- Can the firewall prevent a SYN flood denial-of-service attack from the external network?
- Can the firewall prevent a Smurf attack from the external network? Recall that, as we discussed in the class before, the Smurf attack uses the broadcast IP address of the subnet.
- Can the firewall block P2P applications, e.g., BitTorrent?
-
- Can the firewall prevent external users from exploiting a security bug in a CGI script on an internal web server (the web server is serving requests from the Internet)?
- Can the firewall prevent an online password dictionary attack from the external network on the telnet port of an internal machine?
- Can the firewall prevent a user on the external network from opening a window on an X server in the internal network? Recall that by default an X server listens for connections on port 6000.
- Can the firewall block a virus embedded in an incoming email?
- Can the firewall be used to block users on the internal network from browsing a specific external IP address?
-
Backup Slides
-
Firewalls: Circuit Level Gateway
- Relays two TCP connections
- Imposes security by limiting which such connections are allowed
- Once created, usually relays traffic without examining contents
- Typically used when internal users are trusted, by allowing general outbound connections
- SOCKS commonly used for this
-
Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
- Combination of the above is the dynamic packet filter
-
Dynamic Packet Filters
- Most common
- Provide administrators good protection and full transparency
- Network given full control over traffic
- Captures the semantics of a connection
-
(Figure: intended connection from 1.2.3.4 to 5.6.7.8, relayed through the firewall)
Redialing on a dynamic packet filter. The dashed arrow shows the intended connection; the solid arrows show the connections, to and from the relay in the firewall box. The firewall impersonates each endpoint to the other.
-
(Figure: intended connection from 1.2.3.4 to 5.6.7.8; the connection is relayed through the application proxy in the firewall, which uses its own address on the outside leg)
A dynamic packet filter with an application proxy. Note the change in source address.
-
Network Topology
(Figure: a firewall router with multiple interfaces)
- Filter rule: open access to Net 2 means a source address from Net 3
- Why not spoof an address from Net 3?
-
Address-Spoofing
- Detection is virtually impossible unless source-address filtering and logging are done
- One should not trust hosts outside of one's administrative control
-
External Interface Ruleset
- Allow outgoing calls; permit incoming calls only for mail and only to the gateway GW
- Note: specify GW as the destination host instead, to prevent open access to Net 1
-
Net 2 Router Interface Ruleset
- Gateway machine speaks directly only to other machines running trusted mail server software
- Relay machines used to call out to GW to pick up waiting mail
- Note: spoofing is avoided with the specification
-
How Many Routers Do We Need?
- If routers only support outgoing filtering, we need two:
  - One to use a ruleset that protects against compromised gateways
  - One to use a ruleset that guards against address forgery and restricts access to the gateway machine
- An input filter on one port is exactly equivalent to an output filter on the other port
- If you trust the network provider, you can go without input filters
  - Filtering can be done on the output side of the router
-
Routing Filters
- All nodes are somehow reachable from the Internet
- Routers need to be able to control what routes they advertise over various interfaces
- Clients who employ IP source routing make it possible to reach 'unreachable' hosts
  - Enables address-spoofing
  - Block source routing at the borders, not at the backbone
-
Routing Filters (cont)
- Packet filters obviate the need for route filters
- Route filtering becomes difficult or impossible in the presence of complex technologies
- Route squatting: using unofficial IP addresses inside firewalls that belong to someone else
  - Difficult to choose non-addressed address space
-
Firewall Outlines
- Packet filtering
- Application gateways
- Circuit gateways
- Combination of the above is the dynamic packet filter
-
Firewalls: Circuit Level Gateway
-
(Figure: a typical SOCKS connection through interface A, and a rogue connection through the external interface, B)
-
Dual Homed Host Architecture
-
Asymmetric Routes
- Both sides of the firewall know nothing of one another's topology
- Solutions:
  - Maintain full knowledge of the topology: not feasible, too much state to keep
  - Multiple firewalls share state information: volume of messages may be prohibitive, code complexity
-
Are Dynamic Packet Filters Safe?
- Comparable to that of circuit gateways, as long as the implementation strategy is simple
  - If administrative interfaces use physical network ports as the highest-level construct
  - Legal connections are generally defined in terms of the physical topology
- Not if evildoers exist on the inside
  - Circuit or application gateways demand user authentication for outbound traffic and are therefore more resistant to this threat
-
Distributed Firewalls
- A central management node sets the security policy enforced by individual hosts
- Combination of high-level policy specification with a file distribution mechanism
- Advantages:
  - Lack of a central point of failure
  - Ability to protect machines outside a topologically isolated space
  - Great for laptops
- Disadvantage:
  - Harder to allow in certain services, whereas it's easy to block
-
Distributed Firewalls Drawback
- Allowing in certain services works if and only if you're sure the address can't be spoofed
  - Requires anti-spoofing protection
  - Must maintain the ability to roam safely
- Solution: IPsec
  - A machine is trusted if and only if it can perform proper cryptographic authentication
-
Where to Filter?
- Balance between risk and costs
- There is always a higher layer that is hard to filter: humans
-
Dynamic Packet Filter Implementation
- Dynamically update the packet filter's ruleset
  - Changes may not be benign due to ordering
- Redialing method offers greater assurance of security
  - No special-case code necessary
  - FTP handled with a user-level daemon
  - UDP handled just as TCP except for teardown
  - ICMP handled with pseudoconnections and synthesized packets
-
Per-Interface Tables Consulted by Dynamic Packet Filter
- Active Connection Table
  - Socket structure decides whether data is copied to the outside socket or sent to the application proxy
- Ordinary Filter Table
  - Specifies which packets may pass in a stateless manner
- Dynamic Table
  - Forces creation of local socket structures
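An added example (not from the slides) that serves both the stateful packet filter slide and the tables above: an ordinary (stateless) table for the one inbound service, and a dynamic table populated by flows the inside opens, so a reply to client port 2048 is allowed only when an outbound request created the entry; TCP entries are torn down on FIN/RST, UDP entries by an idle timeout, as the implementation slide describes. The mail gateway address, the 30-second timeout, the immediate single-FIN teardown and the interface names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on: "inside" or "outside"
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class DynamicPacketFilter:
    def __init__(self, udp_timeout=30.0):
        # Ordinary filter table: packets that may pass without prior state.
        # Constructed policy: inbound SMTP, but only to the mail gateway 10.0.0.25.
        self.ordinary = [("outside", "tcp", "10.0.0.25", 25)]
        # Dynamic table: tracked flows, keyed by the 5-tuple of the packet that
        # opened them; the value is the time the flow was last seen.
        self.dynamic = {}
        self.udp_timeout = udp_timeout

    def _ordinary_allows(self, p):
        return any(p.iface == i and p.proto == pr and p.dst == d and p.dport == dp
                   for i, pr, d, dp in self.ordinary)

    def _expire_udp(self, now):
        # UDP has no FIN: an entry dies when the flow has been idle too long.
        stale = [k for k, t in self.dynamic.items()
                 if k[0] == "udp" and now - t > self.udp_timeout]
        for k in stale:
            del self.dynamic[k]

    def process(self, p, now):
        """Return 'allow' or 'deny' for one packet seen at time `now` (seconds)."""
        self._expire_udp(now)
        key, rkey = flow_key(p), reverse_key(p)
        entry = key if key in self.dynamic else rkey if rkey in self.dynamic else None
        if entry is not None:
            # Belongs to a tracked flow: refresh it, or tear it down on TCP close
            # (simplified: a real filter waits for both sides' FIN/ACK exchange).
            if p.proto == "tcp" and (p.fin or p.rst):
                del self.dynamic[entry]
            else:
                self.dynamic[entry] = now
            return "allow"
        if self._ordinary_allows(p):
            self.dynamic[key] = now     # the gateway's replies ride on this entry
            return "allow"
        # A new flow may only be opened from the inside: a bare SYN for TCP, any
        # datagram for UDP. Nothing else from outside reaches a high port.
        if p.iface == "inside" and (p.proto == "udp" or (p.syn and not p.ack)):
            self.dynamic[key] = now
            return "allow"
        return "deny"   # implicit final rule: everything else is prohibited


if __name__ == "__main__":
    f = DynamicPacketFilter()
    print(f.process(Packet("inside", "tcp", "10.0.0.5", 2048, "192.0.2.10", 80, syn=True), 0))
    print(f.process(Packet("outside", "tcp", "192.0.2.99", 25, "10.0.0.7", 2048, syn=True), 1))
```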