Firewalls (14)


Transcript of Firewalls (14)

  • 8/10/2019 Firewalls (14)

    Fall 2004 CS 395: Computer Security

    Chapter 20: Firewalls

    Special thanks to our friends at the Blekinge Institute of Technology, Sweden, for providing the basis for these slides.

  • Outline

      • Firewall Design Principles

      • Firewall Characteristics

      • Types of Firewalls

      • Firewall Configurations

      • Trusted Systems

          • Data Access Control

          • The Concept of Trusted Systems

          • Trojan Horse Defense

  • Firewalls

      • Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet

      • Information systems undergo a steady evolution (from small LANs to Internet connectivity)

      • Strong security features for all workstations and servers not established

  • Why?

      • Systems provide many services by default

          • Many workstations provide remote access to files and configuration databases (for ease of management and file sharing)

      • Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn't

          • E.g. missing bounds check in input parsers

      • Also, users sometimes forget to close temporary holes

          • E.g. leaving file system remote mountable for file sharing

  • Why?

      • Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don't

      • Which services?

          • Finger

          • telnet: requires authentication, but password sent in clear

          • rlogin: similar to telnet, but uses IP address based authentication (Bad!)

          • ftp: Tricky because two connections, control channel from sender, and data connection from receiver (passive ftp has both sender originated)

          • X Windows

          • ICMP

  • Firewall Design Principles

      • The firewall is inserted between the premises network and the Internet

      • Aims:

          • Establish a controlled link

          • Protect the premises network from Internet-based attacks

          • Provide a single choke point

  • Firewall Characteristics

      • Design goals:

          • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)

          • Only authorized traffic (defined by the local security policy) will be allowed to pass

          • The firewall itself is immune to penetration (use of trusted system with a secure operating system)

  • Firewall Characteristics

      • Four general techniques:

          • Service control: Determines the types of Internet services that can be accessed, inbound or outbound

          • Direction control: Determines the direction in which particular service requests are allowed to flow

  • Firewall Characteristics

          • User control: Controls access to a service according to which user is attempting to access it

          • Behavior control: Controls how particular services are used (e.g. filter e-mail)

  • Firewall Limitations

      • Cannot protect against attacks that bypass the firewall

          • E.g. an internal modem pool

      • Firewall does not protect against internal threats

      • Firewall cannot protect against transfer of virus infected programs

          • Too many different apps and operating systems supported to make it practical to scan all incoming files for viruses

  • Types of Firewalls

      • Three common types of Firewalls:

          • Packet-filtering routers

          • Application-level gateways

          • Circuit-level gateways

      • (Bastion host)

  • Types of Firewalls

      • Packet-filtering Router (figure)

  • Types of Firewalls

      • Packet-filtering Router

          • Applies a set of rules to each incoming IP packet and then forwards or discards the packet

          • Filter packets going in both directions

          • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header

          • Two default policies (discard or forward)

  • Types of Firewalls

      • Advantages:

          • Simplicity

          • Transparency to users

          • High speed

      • Disadvantages:

          • Difficulty of setting up packet filter rules

          • Lack of Authentication

              • Who really sent the packet?

  • Firewalls: Packet Filters (figure)

  • Firewalls: Packet Filters

      • Can be clever:

          • Allow connections initiated from inside network to outside, but not initiated from outside. Traffic flows both ways, but if firewall only allows incoming packets with ACK set in TCP header, this manages the issue.

          • Problem: some apps require outside node to initiate connection with inside node (e.g. ftp, X Windows), even if original request initiated by inside node.

          • Solution (sort of): allow packets from outside if they are connecting to high port number.
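The packet filter of slides 13, 14 and 16, as an added example that is not from the CS 395 slides: an ordered rule list matched against IP/TCP header fields, a default policy for packets no rule matches, and the "inbound only if ACK set" rule. The inside network, the interface names and the sample packets are constructed for this example.

```python
# Added example, not from the CS 395 slides: a stateless packet filter of the
# kind slides 13, 14 and 16 describe. Rules match on IP/TCP header fields and
# are tried in order; the first match decides, and an explicit default policy
# (here: discard) applies when nothing matches. The inside network, interface
# names and sample packets are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE_NET = "10.0.0.0/8"   # assumption: the premises (inside) network


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "discard"
    iface: Optional[str] = None     # None means "any" for every field below
    src: Optional[str] = None       # CIDR network
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[range] = None   # destination port range
    ack: Optional[bool] = None      # required state of the ACK flag
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or p.dport in self.dport)
                and (self.ack is None or self.ack == p.ack))


# Policy for the constructed network: inside hosts may open TCP connections
# outward; only replies (ACK set) may come back in; everything else is dropped.
RULES = [
    Rule("forward", iface="int", src=INSIDE_NET, proto="tcp",
         note="outbound TCP from inside"),
    Rule("forward", iface="ext", dst=INSIDE_NET, proto="tcp", ack=True,
         note="inbound TCP only if ACK set"),
    Rule("discard", iface="ext", proto="tcp", ack=False,
         note="no TCP connections initiated from outside"),
]
DEFAULT_POLICY = "discard"


def filter_packet(p: Packet, rules=RULES, default=DEFAULT_POLICY) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return default, "default policy"


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("int", "10.1.2.3", "203.0.113.5", "tcp", 40000, 80),            # outbound request
        Packet("ext", "203.0.113.5", "10.1.2.3", "tcp", 80, 40000, ack=True),  # reply
        Packet("ext", "203.0.113.5", "10.1.2.3", "tcp", 4444, 22),             # outside-initiated
        Packet("ext", "203.0.113.5", "10.1.2.3", "udp", 53, 53),               # matches no rule
    ]
    for s in samples:
        print(s.iface, s.proto, s.dport, "->", filter_packet(s))
```

The ACK rule is only as good as the header bit: an inbound packet that arrives with ACK set and no prior connection is forwarded just the same, because a stateless filter has no record of which connections the inside opened. That gap is what the stateful filter on the next slide closes.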

  • Stateful Packet Filter

      • Changes filtering rules dynamically (by remembering what has happened in recent past)

      • Example: Connection initiated from inside node s to outside IP address d. For short time allow incoming connections from d to appropriate ports (i.e. ftp port).

      • In practice, much more caution: Stateful filter notices the incoming port requested by s and only allows connections from d to that port. Requires parsing ftp control packets.
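The stateful filter just described, as an added example that is not part of the slides: it keeps a table of connections opened from the inside, admits inbound packets only for those, and parses the FTP PORT command on the control channel so that the one data connection d opens back is admitted only to the port s announced. Addresses, ports, the inside prefix and the control-channel payload are constructed.

```python
# Added example, not from the slides: a stateful packet filter in the spirit
# of slide 17. It records TCP connections opened from the inside, admits
# inbound packets only for those connections, and parses the FTP PORT command
# on the control channel so that the one data connection the server opens
# back is admitted, to exactly the host and port the client announced.
# Addresses, ports and the control-channel payload are constructed.
import re
from dataclasses import dataclass

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" means the client listens on
# h1.h2.h3.h4, port p1*256 + p2, and the server connects from its port 20.
PORT_RE = re.compile(rb"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
FTP_CONTROL, FTP_DATA = 21, 20


@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" (inside -> Internet) or "in"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


class StatefulFilter:
    def __init__(self, inside_prefix: str = "10."):   # assumption: inside = 10/8
        self.inside_prefix = inside_prefix
        self.conns = set()      # (inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()   # (outside_ip, inside_ip, inside_port), used once

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def handle(self, p: Pkt) -> str:
        if p.direction == "out":
            if not self._inside(p.src):
                return "discard"                 # outbound traffic must come from inside
            if p.syn and not p.ack:              # new connection opened by inside node s
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            if p.dport == FTP_CONTROL:
                m = PORT_RE.search(p.payload)
                if m:
                    host = ".".join(m.group(i).decode() for i in range(1, 5))
                    port = int(m.group(5)) * 256 + int(m.group(6))
                    # Open a hole only back to the host that sent the command,
                    # and only for the port it named.
                    if host == p.src:
                        self.pinholes.add((p.dst, host, port))
            return "forward"

        # Inbound: allowed only if it belongs to a connection we have seen...
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns:
            return "forward"
        # ...or is the expected FTP data connection from d to the announced port.
        hole = (p.src, p.dst, p.dport)
        if p.syn and not p.ack and p.sport == FTP_DATA and hole in self.pinholes:
            self.pinholes.discard(hole)          # one data connection per PORT command
            self.conns.add(key)
            return "forward"
        return "discard"


if __name__ == "__main__":
    f = StatefulFilter()
    s, d = "10.0.0.5", "203.0.113.9"          # constructed inside node and outside server
    print(f.handle(Pkt("out", s, d, 40000, 21, syn=True)))                    # forward
    print(f.handle(Pkt("in", d, s, 21, 40000, syn=True, ack=True)))           # forward
    print(f.handle(Pkt("out", s, d, 40000, 21, ack=True,
                       payload=b"PORT 10,0,0,5,156,65\r\n")))                 # forward
    print(f.handle(Pkt("in", d, s, 20, 40001, syn=True)))                     # forward
    print(f.handle(Pkt("in", d, s, 20, 40002, syn=True)))                     # discard
```

Real connection tracking also ages entries out and follows the TCP state machine; this version keeps only what the slide calls for, namely the connection table and the FTP-specific pinhole.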

  • Types of Firewalls

      • Possible attacks and appropriate countermeasures

          • IP address spoofing

              • Discard packet with inside source address if it arrives on external interface

          • Source routing attacks

              • Discard all source routed packets

  • Types of Firewalls

      • Possible attacks and appropriate countermeasures

          • Tiny fragment attacks

              • Intruder uses IP fragment option to create extremely small IP packets that force TCP header information into separate packet fragments

              • Discard all packets where protocol type is TCP and IP fragment offset is small
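The three countermeasures from the two slides above, as an added example that is not from the slides: header-level checks run before any rule matching, dropping packets with an inside source address on the external interface, packets carrying a source-route option, and TCP fragments whose offset is small enough to split the TCP header. It goes slightly beyond the slide by also requiring the first fragment to carry a whole TCP header (the companion check from RFC 1858). The inside network, interface names and sample packets are constructed.

```python
# Added example, not from the slides: the three header-level checks that
# slides 18 and 19 recommend, applied before any rule matching. It drops
# packets that claim an inside source address but arrive on the external
# interface (address spoofing), anything carrying an IP source-route option,
# and TCP fragments whose offset is small enough to have split the TCP header.
# The last check also includes the RFC 1858 companion rule (first fragment
# must carry the whole TCP header), which goes beyond the slide. The inside
# network, interface names and sample packets are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE_NET = ip_network("192.168.0.0/16")   # assumption: premises network
EXTERNAL_IFACE = "eth0"                     # assumption: Internet-facing interface

# IP option type values (RFC 791): loose (131) and strict (137) source routing.
SOURCE_ROUTE_OPTIONS = {131, 137}

# Fragment offsets are in 8-byte units and the TCP header is at least 20
# bytes, so a TCP fragment with offset 1 or 2 begins inside the header and
# can carry the flags (byte 13) separately from the port numbers (bytes 0-3).
MIN_TCP_HEADER = 20


@dataclass
class IPPacket:
    iface: str
    src: str
    proto: str                     # "tcp", "udp", ...
    frag_offset: int = 0           # in 8-byte units
    more_fragments: bool = False   # MF flag
    options: set = field(default_factory=set)   # IP option type values present
    length: int = 40               # bytes of data following the IP header


def check_spoofing(p: IPPacket) -> Optional[str]:
    if p.iface == EXTERNAL_IFACE and ip_address(p.src) in INSIDE_NET:
        return "inside source address on external interface"
    return None


def check_source_route(p: IPPacket) -> Optional[str]:
    if p.options & SOURCE_ROUTE_OPTIONS:
        return "source-routed packet"
    return None


def check_tiny_fragment(p: IPPacket) -> Optional[str]:
    if p.proto != "tcp":
        return None
    if 0 < p.frag_offset * 8 < MIN_TCP_HEADER:
        return "tiny fragment: offset falls inside the TCP header"
    if p.frag_offset == 0 and p.more_fragments and p.length < MIN_TCP_HEADER:
        return "tiny fragment: first fragment too short for a TCP header"
    return None


CHECKS = (check_spoofing, check_source_route, check_tiny_fragment)


def screen(p: IPPacket) -> Tuple[bool, str]:
    """Return (accept, reason); only accepted packets go on to rule matching."""
    for check in CHECKS:
        reason = check(p)
        if reason:
            return False, reason
    return True, "passed header checks"


if __name__ == "__main__":
    for pkt in (IPPacket("eth0", "192.168.4.7", "tcp"),                   # spoofed inside source
                IPPacket("eth0", "203.0.113.7", "udp", options={131}),    # loose source route
                IPPacket("eth0", "203.0.113.7", "tcp", frag_offset=1),    # tiny fragment
                IPPacket("eth0", "203.0.113.7", "tcp")):                  # ordinary packet
        print(screen(pkt))
```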

  • Types of Firewalls

      • Application-level Gateway (figure)

  • Types of Firewalls

      • Application-level Gateway

          • Also called proxy server

          • Acts as a relay of application-level traffic

          • Can act as router, but typically placed between two packet filtering firewalls (for total of three boxes)

              • Two firewalls are routers that refuse to forward anything from the global net that is not to gateway, and anything to global net that is not from gateway.

          • Sometimes called a bastion host (we use the term differently)


  • Types of Firewalls

      • Circuit-level Gateway (figure)

  • Types of Firewalls

      • Circuit-level Gateway

          • Stand-alone system or specialized function performed by an Application-level Gateway

          • Sets up two TCP connections

          • The gateway typically relays TCP segments from one connection to the other without examining the contents

  • Types of Firewalls

      • Circuit-level Gateway

          • The security function consists of determining which connections will be allowed

          • Typical use is a situation in which the system administrator trusts the internal users

          • An example is the SOCKS package

  • Types of Firewalls

      • Bastion Host

          • A system identified by the firewall administrator as a critical strong point in the network's security

          • The bastion host serves as a platform for an application-level or circuit-level gateway

  • Firewall Configurations

      • In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible

      • Three common configurations

  • Firewall Configurations

      • Screened host firewall system (single-homed bastion host) (figure)

  • Firewall Configurations

      • Screened host firewall, single-homed bastion configuration

          • Firewall consists of two systems:

              • A packet-filtering router

              • A bastion host

  • Firewall Configurations

      • Configuration for the packet-filtering router:

          • Only packets from and to the bastion host are allowed to pass through the router

      • The bastion host performs authentication and proxy functions


  • Firewall Configurations

      • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

  • Firewall Configurations

      • Screened host firewall system (dual-homed bastion host) (figure)

  • Firewall Configurations

      • Screened host firewall, dual-homed bastion configuration

          • If the packet-filtering router is completely compromised, you're still OK

          • Traffic between the Internet and other hosts on the private network has to flow through the bastion host

  • Firewall Configurations

      • Screened-subnet firewall system (figure)

  • Firewall Configurations

      • Screened subnet firewall configuration

          • Most secure configuration of the three

          • Two packet-filtering routers are used

          • Creation of an isolated sub-network

  • Firewall Configurations

      • Advantages:

          • Three levels of defense to thwart intruders

          • The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)


  • Why Firewalls Don't Work

      • If firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic

          • E.g. file transfer by sending it through email. If size of emails limited, then user breaks them into chunks, etc.

      • Firewall friendly traffic (e.g. using http for other purposes)

          • Defeats effort of sysadmin to control traffic

          • Less efficient than not using http


  • Data Access Control

      • Through the user access control procedure (log on), a user can be identified to the system

      • Associated with each user, there can be a profile that specifies permissible operations and file accesses

      • The operating system can enforce rules based on the user profile

  • Data Access Control

      • General models of access control:

          • Access matrix

          • Access control list

          • Capability list

  • Data Access Control

      • Access Matrix (figure)

  • Data Access Control

      • Access Matrix: Basic elements of the model

          • Subject: An entity capable of accessing objects; the concept of subject equates with that of process

          • Object: Anything to which access is controlled (e.g. files, programs)

          • Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)

  • Data Access Control

      • Access Control List: Decomposition of the matrix by columns (figure)

  • Data Access Control

      • Access Control List

          • An access control list lists users and their permitted access right

          • The list may contain a default or public entry

  • Data Access Control

      • Capability list: Decomposition of the matrix by rows (figure)
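The access matrix and its two decompositions from the slides above, as an added example that is not from the slides: the matrix as a Python structure, the access control list taken column by column (one per object), the capability list taken row by row (one per subject), and a check that answers the same question from either view. The subjects, objects and rights are constructed sample data, and the "*" row stands for the default or public entry mentioned on the ACL slide.

```python
# Added example, not from the slides: the access matrix of slides 45-48 as a
# Python structure, with the access control list (one matrix column per
# object) and the capability list (one matrix row per subject) derived from
# it, and a check that answers the same question from either view. The
# subjects, objects and rights are constructed sample data; "*" stands for
# the default/public entry mentioned on slide 47.
from collections import defaultdict
from typing import Dict, Set

Rights = Set[str]

# matrix[subject][object] = rights; an absent cell means no access
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "*":     {"report.txt": {"read"}},          # public entry: anyone may read
}


def acl_from_matrix(matrix):
    """Column view: object -> {subject: rights} (the ACL stored with each object)."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acl[obj][subject] = set(rights)
    return dict(acl)


def capabilities_from_matrix(matrix):
    """Row view: subject -> {object: rights} (the capabilities held by each subject)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def allowed_by_acl(acl, subject, obj, right):
    """Look the object up, then the subject (or the public entry) in its ACL."""
    entry = acl.get(obj, {})
    return right in entry.get(subject, set()) or right in entry.get("*", set())


def allowed_by_capability(caps, subject, obj, right):
    """Look the subject up, then the object in its capability list."""
    own = caps.get(subject, {}).get(obj, set())
    public = caps.get("*", {}).get(obj, set())
    return right in own or right in public


def views_agree(matrix, rights=("read", "write", "execute")):
    """Both decompositions of one matrix must answer every triple the same way."""
    acl, caps = acl_from_matrix(matrix), capabilities_from_matrix(matrix)
    subjects = [s for s in matrix if s != "*"]
    objects = {o for row in matrix.values() for o in row}
    return all(allowed_by_acl(acl, s, o, r) == allowed_by_capability(caps, s, o, r)
               for s in subjects for o in objects for r in rights)


if __name__ == "__main__":
    acl = acl_from_matrix(MATRIX)
    caps = capabilities_from_matrix(MATRIX)
    print("ACL of report.txt:", acl["report.txt"])
    print("capabilities of bob:", caps["bob"])
    print("carol may read report.txt:", allowed_by_acl(acl, "carol", "report.txt", "read"))
    print("views agree:", views_agree(MATRIX))
```

The two views answer the same question but are cheap for different operations: with an ACL, listing or revoking everyone who can reach one object is a single column; with capabilities, listing everything one subject can reach is a single row.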


  • The Concept of Trusted Systems

      • Trusted Systems

          • Protection of data and resources on the basis of levels of security (e.g. military)

          • Users can be granted clearances to access certain categories of data

  • The Concept of Trusted Systems

      • Multilevel security

          • Definition of multiple categories or levels of data

      • A multilevel secure system must enforce:

          • No read up: A subject can only read an object of less or equal security level (Simple Security Property)

          • No write down: A subject can only write into an object of greater or equal security level (*-Property)

  • The Concept of Trusted Systems

      • Reference Monitor Concept: Multilevel security for a data processing system (figure)

  • The Concept of Trusted Systems (figure)

  • The Concept of Trusted Systems

      • Reference Monitor

          • Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on basis of security parameters

          • The monitor has access to a file (security kernel database)

          • The monitor enforces the security rules (no read up, no write down)

  • The Concept of Trusted Systems

      • Properties of the Reference Monitor

          • Complete mediation: Security rules are enforced on every access

          • Isolation: The reference monitor and database are protected from unauthorized modification

          • Verifiability: The reference monitor's correctness must be provable (mathematically)
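The reference monitor of the last three slides, as an added example that is not from the slides: a single mediation point that consults a security kernel database of subject clearances and object labels and enforces no read up and no write down, recording every decision. It goes a little beyond the slides by giving each label a level and a set of categories, so "greater or equal" becomes the usual dominance relation. The level names, categories and the sample database are constructed.

```python
# Added example, not from the slides: a reference monitor that enforces the two
# multilevel-security rules of slide 51 (no read up, no write down) over a
# security kernel database of subject clearances and object labels (slide 54),
# with every access routed through one mediation point and recorded (slide 55).
# It goes a little beyond the slides by giving each label a level and a set of
# categories, so "greater or equal" becomes the usual dominance relation.
# Levels, categories and the sample database are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    def __init__(self, clearances: Dict[str, Label], labels: Dict[str, Label]):
        # The security kernel database: clearances for subjects, labels for objects.
        self._clearances = dict(clearances)
        self._labels = dict(labels)
        self.audit: List[Tuple[str, str, str, bool]] = []

    def mediate(self, subject: str, obj: str, op: str) -> bool:
        """The single decision point: every access must come through here."""
        s = self._clearances.get(subject)
        o = self._labels.get(obj)
        if s is None or o is None:
            decision = False                 # unknown subject or object: deny
        elif op == "read":
            decision = s.dominates(o)        # no read up (Simple Security Property)
        elif op == "write":
            decision = o.dominates(s)        # no write down (*-Property)
        else:
            decision = False                 # unknown operation: deny
        self.audit.append((subject, obj, op, decision))
        return decision


def sample_monitor() -> ReferenceMonitor:
    """Constructed security kernel database for the example."""
    return ReferenceMonitor(
        clearances={
            "analyst": Label("secret", frozenset({"crypto"})),
            "clerk": Label("confidential"),
        },
        labels={
            "budget":  Label("confidential"),
            "keys":    Label("secret", frozenset({"crypto"})),
            "nuclear": Label("secret", frozenset({"nuclear"})),
            "warplan": Label("top-secret", frozenset({"crypto"})),
        },
    )


if __name__ == "__main__":
    m = sample_monitor()
    for subject, obj, op in (("analyst", "budget", "read"), ("analyst", "warplan", "read"),
                             ("analyst", "warplan", "write"), ("analyst", "budget", "write"),
                             ("analyst", "nuclear", "read")):
        print(subject, op, obj, "->", "allow" if m.mediate(subject, obj, op) else "deny")
```

Note that the *-Property permits the analyst to write into a top-secret object they cannot read; that is the rule doing its job (information may flow up, never down), and it is why real systems pair it with integrity controls. The audit list makes the complete-mediation property checkable: every decision, including denials, is there.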

  • The Concept of Trusted Systems

      • A system that can provide such verifications (properties) is referred to as a trusted system

  • Trojan Horse Defense

      • Secure, trusted operating systems are one way to secure against Trojan Horse attacks

  • Trojan Horse Defense (figures, two slides)

  • Recommended Reading

      • Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995

      • Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000

      • Gasser, M. Building a Secure Computer System. Reinhold, 1988

      • Pfleeger, C. Security in Computing. Prentice Hall, 1997