Firewalls (14)
Transcript of Firewalls (14)
-
8/10/2019 Firewalls (14)
1/60
Fall 2004 CS 395: Computer Security 1
Chapter 20: Firewalls
Special thanks to our friends at the Blekinge Institute of Technology, Sweden, for providing the basis for these slides.
-
Outline
Firewall Design Principles
  Firewall Characteristics
  Types of Firewalls
  Firewall Configurations
Trusted Systems
  Data Access Control
  The Concept of Trusted Systems
  Trojan Horse Defense
-
Firewalls
Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet
Information systems undergo a steady evolution (from small LANs to Internet connectivity)
Strong security features for all workstations and servers are not established
-
Why?
Systems provide many services by default
  Many workstations provide remote access to files and configuration databases (for ease of management and file sharing)
Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn't
  E.g. missing bounds check in input parsers
Also, users sometimes forget to close temporary holes
  E.g. leaving file system remote mountable for file sharing
-
Why?
Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don't
Which services?
  Finger
  telnet: requires authentication, but password sent in the clear
  rlogin: similar to telnet, but uses IP address based authentication (Bad!)
  ftp: Tricky because of two connections, control channel from sender, and data connection from receiver (passive ftp has both sender originated)
  X Windows
  ICMP
-
Firewall Design Principles
The firewall is inserted between the premises network and the Internet
Aims:
  Establish a controlled link
  Protect the premises network from Internet-based attacks
  Provide a single choke point
-
Firewall Characteristics
Design goals:
  All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  Only authorized traffic (defined by the local security policy) will be allowed to pass
  The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
-
Firewall Characteristics
Four general techniques:
  Service control: Determines the types of Internet services that can be accessed, inbound or outbound
  Direction control: Determines the direction in which particular service requests are allowed to flow
-
Firewall Characteristics
  User control: Controls access to a service according to which user is attempting to access it
  Behavior control: Controls how particular services are used (e.g. filter e-mail)
-
Firewall Limitations
Cannot protect against attacks that bypass the firewall
  E.g. an internal modem pool
Firewall does not protect against internal threats
Firewall cannot protect against transfer of virus infected programs
  Too many different apps and operating systems supported to make it practical to scan all incoming files for viruses
-
Types of Firewalls
Three common types of Firewalls:
  Packet-filtering routers
  Application-level gateways
  Circuit-level gateways
  (Bastion host)
-
Types of Firewalls
Packet-filtering Router
-
Types of Firewalls
Packet-filtering Router
  Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  Filters packets going in both directions
  The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  Two default policies (discard or forward)
-
Types of Firewalls
Advantages:
  Simplicity
  Transparency to users
  High speed
Disadvantages:
  Difficulty of setting up packet filter rules
  Lack of authentication
    Who really sent the packet?
-
Firewalls Packet Filters
-
Firewalls Packet Filters
Can be clever:
  Allow connections initiated from the inside network to the outside, but not connections initiated from outside.
  Traffic flows both ways, but if the firewall only allows incoming packets with ACK set in the TCP header, this manages the issue.
Problem: some apps require the outside node to initiate a connection with the inside node (e.g. ftp, X Windows), even if the original request was initiated by the inside node.
Solution (sort of): allow packets from outside if they are connecting to a high port number.
-
Stateful Packet Filter
Changes filtering rules dynamically (by remembering what has happened in the recent past)
Example: Connection initiated from inside node s to outside IP address d. For a short time allow incoming connections from d to appropriate ports (i.e. the ftp port).
In practice, much more caution
  Stateful filter notices the incoming port requested by s and only allows connections from d to that port. Requires parsing ftp control packets
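The cautious variant described above, as an added Python example (not code from the slides): the filter parses the ftp PORT command that inside node s sends to outside node d, remembers exactly which port s asked for, and lets d connect back only to that port, only once, and only for a short time. The addresses, the expiry time and the check that the PORT command must name the client itself are assumptions for the example.

```python
import re
import time
from dataclasses import dataclass, field

# Active-mode ftp: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel and the
# server then opens the data connection back to h1.h2.h3.h4 on port p1*256+p2.
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EXPECT_TTL = 30.0       # seconds the expected inbound connection stays allowed (constructed value)
FTP_CONTROL_PORT = 21

@dataclass
class StatefulFilter:
    # (outside address d, inside address s, port at s) -> time at which the opening expires
    expected: dict = field(default_factory=dict)

    def outbound(self, s, d, dport, payload=b"", now=None):
        """Inside node s sends to outside node d; ftp control traffic is parsed for PORT."""
        now = time.time() if now is None else now
        m = PORT_CMD.search(payload) if dport == FTP_CONTROL_PORT else None
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
            # Added caution (not on the slides): honour only a PORT that names the client itself,
            # so the control channel cannot be used to open a port on some other inside host.
            if host == s:
                self.expected[(d, s, port)] = now + EXPECT_TTL
        return True  # inside-initiated traffic is always forwarded

    def inbound(self, src, dst, dport, now=None):
        """Outside node src opens a connection to inside dst:dport; allowed only if expected."""
        now = time.time() if now is None else now
        # One-shot: the data connection is expected exactly once, so the entry is consumed
        # whether or not it is still valid; anything not expected is discarded.
        expiry = self.expected.pop((src, dst, dport), None)
        return expiry is not None and now <= expiry
```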
-
Types of Firewalls
Possible attacks and appropriate countermeasures
  IP address spoofing
    Discard packet with inside source address if it arrives on external interface
  Source routing attacks
    Discard all source routed packets
-
Types of Firewalls
Possible attacks and appropriate countermeasures
  Tiny fragment attacks
    Intruder uses IP fragment option to create extremely small IP packets that force TCP header information into separate packet fragments
    Discard all packets where protocol type is TCP and IP fragment offset is small
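An added Python example (not from the slides) that puts the packet-filtering router together: an ordered rule list matched against header fields with a default policy, the "inside may initiate, outside only with ACK set or to a high port" policy from the earlier slide, and the three countermeasures above applied before the rules. The premises prefix, the interface names and the policy itself are constructed; "small" fragment offset is taken as offset 1, the value RFC 1858 singles out.

```python
from dataclasses import dataclass
from typing import Optional
INSIDE_PREFIX = "10.1."  # constructed premises network (10.1.0.0/16) for this example

@dataclass
class Packet:
    iface: str                   # arrival interface: "ext" (Internet side) or "int" (premises)
    src: str                     # source IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0               # destination port
    ack: bool = False            # TCP ACK flag
    frag_offset: int = 0         # IP fragment offset in 8-byte units
    source_routed: bool = False  # IP source route option present

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    iface: Optional[str] = None  # a field left as None matches anything
    proto: Optional[str] = None
    ack: Optional[bool] = None
    min_dport: int = 0           # match only destination ports >= this value
    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.ack is None or self.ack == p.ack)
                and p.dport >= self.min_dport)

def countermeasures(p: Packet) -> Optional[str]:
    # The slides' three checks, applied before the rule list; returns a discard reason or None.
    if p.iface == "ext" and p.src.startswith(INSIDE_PREFIX):
        return "inside source address on external interface (spoofing)"
    if p.source_routed: return "source routed packet"
    if p.proto == "tcp" and p.frag_offset == 1:  # offset 1 (RFC 1858): too small for a TCP header
        return "tiny fragment"
    return None

def filter_packet(rules, p: Packet, default="discard"):
    # First matching rule wins; otherwise the default policy (discard or forward) applies.
    reason = countermeasures(p)
    if reason:
        return "discard", reason
    for r in rules:
        if r.matches(p):
            return r.action, "rule"
    return default, "default policy"
# Constructed policy: inside initiates anything; from outside only ACK-set TCP or high (>1023) ports.
RULES = [Rule("forward", iface="int"),
         Rule("forward", iface="ext", proto="tcp", ack=True),
         Rule("forward", iface="ext", proto="tcp", min_dport=1024)]
```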
-
Types of Firewalls
Application-level Gateway
-
Types of Firewalls
Application-level Gateway
  Also called proxy server
  Acts as a relay of application-level traffic
  Can act as router, but typically placed between two packet filtering firewalls (for a total of three boxes)
    The two firewalls are routers that refuse to forward anything from the global net that is not to the gateway, and anything to the global net that is not from the gateway.
  Sometimes called a bastion host (we use the term differently)
-
Types of Firewalls
Circuit-level Gateway
-
Types of Firewalls
Circuit-level Gateway
  Stand-alone system, or
  Specialized function performed by an Application-level Gateway
  Sets up two TCP connections
  The gateway typically relays TCP segments from one connection to the other without examining the contents
-
Types of Firewalls
Circuit-level Gateway
  The security function consists of determining which connections will be allowed
  Typical use is a situation in which the system administrator trusts the internal users
  An example is the SOCKS package
-
Types of Firewalls
Bastion Host
  A system identified by the firewall administrator as a critical strong point in the network's security
  The bastion host serves as a platform for an application-level or circuit-level gateway
-
Firewall Configurations
In addition to the use of a simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
Three common configurations
-
Firewall Configurations
Screened host firewall system (single-homed bastion host)
-
Firewall Configurations
Screened host firewall, single-homed bastion configuration
Firewall consists of two systems:
  A packet-filtering router
  A bastion host
-
Firewall Configurations
Configuration for the packet-filtering router:
  Only packets from and to the bastion host are allowed to pass through the router
The bastion host performs authentication and proxy functions
-
Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
-
Firewall Configurations
Screened host firewall system (dual-homed bastion host)
-
Firewall Configurations
Screened host firewall, dual-homed bastion configuration
If the packet-filtering router is completely compromised, you're still OK
Traffic between the Internet and other hosts on the private network has to flow through the bastion host
-
Firewall Configurations
Screened-subnet firewall system
-
Firewall Configurations
Screened subnet firewall configuration
Most secure configuration of the three
Two packet-filtering routers are used
Creation of an isolated sub-network
-
Firewall Configurations
Advantages:
  Three levels of defense to thwart intruders
  The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)
-
Why Firewalls Don't Work
If the firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic
  E.g. file transfer by sending it through email. If the size of emails is limited, then the user breaks them into chunks, etc.
Firewall friendly traffic (e.g. using http for other purposes)
  Defeats the effort of the sysadmin to control traffic
  Less efficient than not using http
-
Data Access Control
Through the user access control procedure (log on), a user can be identified to the system
Associated with each user, there can be a profile that specifies permissible operations and file accesses
The operating system can enforce rules based on the user profile
-
Data Access Control
General models of access control:
  Access matrix
  Access control list
  Capability list
-
Data Access Control
Access Matrix
-
Data Access Control
Access Matrix: Basic elements of the model
  Subject: An entity capable of accessing objects; the concept of subject equates with that of process
  Object: Anything to which access is controlled (e.g. files, programs)
  Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
-
Data Access Control
Access Control List: Decomposition of the matrix by columns
-
Data Access Control
Access Control List
  An access control list lists users and their permitted access rights
  The list may contain a default or public entry
-
Data Access Control
Capability list: Decomposition of the matrix by rows
-
The Concept of Trusted Systems
Trusted Systems
  Protection of data and resources on the basis of levels of security (e.g. military)
  Users can be granted clearances to access certain categories of data
-
The Concept of Trusted Systems
Multilevel security
  Definition of multiple categories or levels of data
  A multilevel secure system must enforce:
    No read up: A subject can only read an object of less or equal security level (Simple Security Property)
    No write down: A subject can only write into an object of greater or equal security level (*-Property)
-
The Concept of Trusted Systems
Reference Monitor Concept: Multilevel security for a data processing system
-
The Concept of Trusted Systems
-
The Concept of Trusted Systems
Reference Monitor
  Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
  The monitor has access to a file (security kernel database)
  The monitor enforces the security rules (no read up, no write down)
-
The Concept of Trusted Systems
Properties of the Reference Monitor
  Complete mediation: Security rules are enforced on every access
  Isolation: The reference monitor and database are protected from unauthorized modification
  Verifiability: The reference monitor's correctness must be provable (mathematically)
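An added Python example, not from the slides, that ties the reference monitor to the earlier access control material: the security kernel database holds clearances, classifications and the access control lists (the matrix by columns, with a "*" public entry), a capability list is derived from it (the matrix by rows), and every access decision combines the ACL check with no read up and no write down and is recorded, so nothing bypasses the monitor. The level ordering, the sample subjects and objects, and treating execute like read under the no-read-up rule are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed linear ordering of the security levels used below.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass
class SecurityKernelDB:
    clearance: dict       # subject -> level name
    classification: dict  # object -> level name
    acl: dict             # object -> {subject: set(rights)}; key "*" is the default/public entry

class ReferenceMonitor:
    def __init__(self, db: SecurityKernelDB):
        self.db = db
        self.audit = []   # one record per decision: complete mediation, every access is checked

    def discretionary(self, subject, obj, right):
        # Access control list view of the matrix (one column per object), public entry included.
        entries = self.db.acl.get(obj, {})
        return right in entries.get(subject, set()) or right in entries.get("*", set())

    def mandatory(self, subject, obj, right):
        ls = LEVELS[self.db.clearance[subject]]
        lo = LEVELS[self.db.classification[obj]]
        if right in ("read", "execute"):  # assumption: execute observes the object, like read
            return lo <= ls               # simple security property: no read up
        if right == "write":
            return lo >= ls               # *-property: no write down
        return False                      # unknown right: deny

    def access(self, subject, obj, right):
        ok = self.discretionary(subject, obj, right) and self.mandatory(subject, obj, right)
        self.audit.append((subject, obj, right, ok))
        return ok

def capability_list(db: SecurityKernelDB, subject):
    # Capability list view of the same matrix (one row per subject), rebuilt from the ACLs.
    caps = {}
    for obj, entries in db.acl.items():
        rights = entries.get(subject, set()) | entries.get("*", set())
        if rights:
            caps[obj] = rights
    return caps
```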
-
The Concept of Trusted Systems
A system that can provide such verifications (properties) is referred to as a trusted system
-
Trojan Horse Defense
Secure, trusted operating systems are one way to secure against Trojan Horse attacks
-
Trojan Horse Defense
-
Trojan Horse Defense
-
Recommended Reading
Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
Gasser, M. Building a Secure Computer System. Reinhold, 1988
Pfleeger, C. Security in Computing. Prentice Hall, 1997