Packet filtering and other firewall functions
(transcript of the slide deck ledvina/DHT/tugraz/firewalls.pdf, 25 slides)

IAIK, Advanced Computer Networks 2007

Martin Krammer, Graz, May 25, 2007

Martin Krammer Packet filtering and other firewall functions Graz, May 25, 2007


Overview

- Firewalls
  - Principles
  - Architectures
  - Security aspects
- Packet filtering
  - Principles
  - Static packet filters
  - Dynamic packet filters
  - Attacks
- Additional functions
  - NAT
  - PAT
  - port forwarding


Firewalls

Principles
- protective device
- controls traffic between computer networks
- different zones of trust
- interfaces between zones
- security policies
- „default-deny“ as best practice
- only as good as its administrator
- relies heavily on network architecture


Types

Software
- protects a single machine
- „Personal Firewalls“, „Desktop Firewalls“
- easy configuration

Hardware
- easy to difficult configuration
- built into several device types: modems, routers, gateways, appliances, ...
- capable devices to secure different-sized networks


Architectures

Dual homed host
- 2 network interfaces
- public network talks to the dual homed host
- internal network talks to the dual homed host
- no direct communication, IP traffic blocked
- proxying as a solution


Architectures

Screened host
- security due to packet filtering on a separate router
- external connections go to the bastion host
- bastion host inside the internal network
- points of failure: router, bastion host


Architectures

Screened subnet
- perimeter network (de-militarized zone) for additional security
- internal traffic doesn't pass the perimeter network
- one or more hosts on the perimeter network
- internal to external connections: packet filtering on routers, proxy servers on the perimeter network
- 2 routers: interior and exterior


Architectures

- many more possible, depending on the individual network design

Do
- multiple bastion hosts
- multiple internal networks
- merge interior & exterior routers
- merge bastion host & exterior router
- ...

Don't
- merge bastion host & interior router (internal traffic becomes visible to the bastion host)
- 2 or more interior routers between perimeter & internal network
- ...


Packet filtering

- route packets selectively
- allow or block packets
- permit or deny services
- packet filter rules derived from the security policies
- network layer (layer 3)
- does not protect against faulty services on machines
- alternative: proxy servers


Packet information

Packet properties
- IP source address
- IP destination address
- protocol (whether the packet is a TCP, UDP, or ICMP packet)
- TCP or UDP source port
- TCP or UDP destination port
- ICMP message type

Direction
- inbound
- outbound

Router's decisions
- the interface the packet arrives on
- the interface the packet will go out on
- route or not

The packet's content is not important for packet filtering.


Services

- services reside on different port numbers
- specify the port number in the rule-set
- ranges:
  - 0-1023: fixed
  - 1024-49151: registerable, IANA
  - 49152-65535: dynamic, variable use


Advantages

- one packet filtering router can protect an entire network
- no additional effort: no user interaction, no reconfiguration of client machines
- widely available hardware and software products


Disadvantages

- rule sets can be hard to configure
- difficult to test
- bugs: the implementation may permit packets which should be denied


Rules

For each packet:
- go through the rules
- find the first one that matches
- take the action according to that rule
- otherwise apply the default rule (default-deny)

- product-specific implementations
- interface-based rules
- definition of rule-sets

Tips
- use addresses, not hostnames
- define an explicit default rule


Rules 2

Static filtering
- according to fixed rules

Dynamic filtering („stateful inspection“)
- remember outgoing packets
- let the corresponding response in
- criteria: socket (host, port)
- layer 3 & 4 rules
- modified on the fly
- time-limited
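The two rule-processing slides above (first-match evaluation with an explicit default-deny, and stateful inspection that remembers outgoing sockets with a time limit) as one runnable example. This is added illustration code, not the lecture's or any product's own implementation; the rule set, addresses, ports and interface names are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the slides: a first-match packet filter with an explicit
# default-deny rule, extended with the "stateful inspection" described above.
# All addresses, ports and interface names below are constructed sample values.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp", "udp" or "icmp"
    iface: str       # interface the packet arrives on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches any value
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR; addresses rather than hostnames
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None      # interface-based rule

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return True


class StaticFilter:
    """Static filtering: walk the rules in order, the first match decides."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet, now: float = 0.0) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"  # safety net if the explicit default rule is missing


class StatefulFilter(StaticFilter):
    """Dynamic filtering: static rules plus a table of remembered sockets."""

    def __init__(self, rules, timeout: float = 60.0):
        super().__init__(rules)
        self.timeout = timeout
        # (proto, inside host, inside port, outside host, outside port) -> expiry
        self.table = {}

    def decide(self, p: Packet, now: float = 0.0) -> str:
        # entries are time-limited: forget sockets whose timer ran out
        self.table = {k: t for k, t in self.table.items() if t > now}
        if p.direction == "in":
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            if key in self.table:  # response to a remembered outgoing packet
                self.table[key] = now + self.timeout
                return "allow"
        action = super().decide(p, now)
        if action == "allow" and p.direction == "out":
            # remember the outgoing socket so the reply can come back in
            self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = now + self.timeout
        return action


# Sample rule set: inside clients may reach web servers, the outside may reach
# the mail host on eth0 only, everything else is denied by an explicit rule.
RULES = [
    Rule("allow", direction="out", proto="tcp", src="10.0.0.0/8", dport=80),
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.5", dport=25, iface="eth0"),
    Rule("deny"),  # explicit default-deny
]


def demo():
    fw = StatefulFilter(RULES, timeout=30.0)
    out = Packet("10.0.0.7", 40001, "203.0.113.10", 80, "tcp", "eth1", "out")
    reply = Packet("203.0.113.10", 80, "10.0.0.7", 40001, "tcp", "eth0", "in")
    stray = Packet("203.0.113.10", 80, "10.0.0.7", 40002, "tcp", "eth0", "in")
    return [
        fw.decide(out, now=0.0),      # static rule 1 matches, socket remembered
        fw.decide(reply, now=5.0),    # matches the remembered socket
        fw.decide(stray, now=5.0),    # unknown port: falls through to default-deny
        fw.decide(reply, now=100.0),  # entry expired, static rules deny it
    ]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'deny']
```

The static filter alone would have to open inbound port 80 traffic to the whole internal range to let the reply through; the stateful variant admits only the reply to a socket it saw leave, and forgets it once the timer expires.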


Application firewalls

- layer 7 (application layer)
- separate proxy for each protocol

Advantages
- content inspection
- analysis of actions
- machine learning mechanisms
- authentication
- separation of networks

Disadvantages
- resource intensive
- real-time requirements
- protocol-specific proxies needed


3rd generation firewalls

- hybrid solutions: the best of packet filtering and proxy solutions
- internet technology changes: IPv4 vs IPv6, NAT, masquerading, ...


Attacks

Obvious things
- intrusion: communicate with services behind the firewall, run code behind firewalls, information theft
- DoS: flooding, re-route, redirect, spoofing
- eavesdropping: network sniffing

Things that happen
- misconfigured firewall systems
- network security problems rendering firewall systems redundant


Attacks 2

Firewall piercing
- covert channel: a communication channel that allows transfer of information that violates the system's security policy
- without alerting firewalls & IDSs (stealthy nature)
- traffic sent through permitted ports
  - HTTP-Tunnel: http://www.nocrew.org/software/httptunnel.html, http://entreelibre.com/cctt/index_en.html
  - ICMP-Tunnel: http://www.securiteam.com/tools/5PP0M0K60O.html
  - DNS: DNS is allowed to any internal client
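The slide names DNS as a covert channel precisely because it is allowed for every internal client; the defender's counterpart is to look at what the allowed queries look like. The following detection heuristic is an added example, not from the lecture: it groups a constructed DNS query log by client and domain and flags a client that sends many distinct, unusually long names under one domain using record types that carry free-form data. Log format, thresholds and all names are constructed for this example.

```python
from collections import defaultdict
from typing import List, Tuple

# Added example, not from the slides: a defender-side heuristic for the DNS
# covert channel. Log format and contents below are constructed sample data.
# Format per line: "<time> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.7 www.example.org A
10:00:02 10.0.0.7 mail.example.org MX
10:00:02 10.0.0.7 cdn.example.org A
10:00:03 10.0.0.9 3a5f9c0e1b7d2a4f6c8e0b1d3f5a7c9e.tunnel.example.net TXT
10:00:03 10.0.0.9 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.tunnel.example.net TXT
10:00:04 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net TXT
10:00:04 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net TXT
10:00:05 10.0.0.9 ffeeddccbbaa99887766554433221100.tunnel.example.net TXT
10:00:05 10.0.0.9 00112233445566778899aabbccddeeff.tunnel.example.net TXT
10:00:06 10.0.0.9 www.example.org A
"""


def parse_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse the constructed log into (time, client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname, qtype = parts
        rows.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return rows


def base_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels (enough for the sample)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def suspicious_dns(rows, min_names=5, min_avg_len=40, min_data_ratio=0.5):
    """Flag (client, domain) pairs that look like a data channel rather than lookups:
    many distinct names, long on average, mostly TXT/NULL queries."""
    groups = defaultdict(list)
    for _, client, qname, qtype in rows:
        groups[(client, base_domain(qname))].append((qname, qtype))
    findings = []
    for (client, dom), qs in groups.items():
        names = {q for q, _ in qs}
        if len(names) < min_names:
            continue
        avg_len = sum(len(q) for q in names) / len(names)
        data_ratio = sum(1 for _, t in qs if t in ("TXT", "NULL")) / len(qs)
        if avg_len >= min_avg_len and data_ratio >= min_data_ratio:
            findings.append((client, dom, len(names), round(avg_len, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for f in suspicious_dns(parse_dns_log(SAMPLE_DNS_LOG)):
        print("suspicious:", f)  # ('10.0.0.9', 'example.net', 6, 51.0)
```

Thresholds like these produce false positives on legitimate services that use long generated labels (content delivery networks, anti-spam lookups), so a finding is a starting point for review of that client, not a verdict; the value of the check is that it runs on the log of traffic the firewall already permits.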


NAT

- network address translation, due to the lack of IPv4 addresses
- reserved address ranges for internal use, e.g. class C: 192.0.0.1 - 223.255.255.255
- map internal to external IP addresses
- NAT device remembers the mapping
- convenient feature with a security aspect, but not designed for security


Masquerading, PAT

- port address translation: port numbers are rewritten
- outgoing packets: source IP/port replaced by public IP/port, mapping saved in tables
- incoming packets: use the table to look up the inquirer
- external machines can't reach servers, since connections can only be instantiated from internal machines
- solution: port forwarding


Port forwarding

- configured on routers
- router listens on a given public port
- forwards the port on the public interface to a specific address/port on the internal network
- servers located in the internal network become available to the external network
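The PAT and port-forwarding slides above as one runnable model: outgoing packets get the public address and a fresh port with the mapping saved in a table, incoming packets are looked up in that table, and a packet that matches no table entry is dropped unless a port-forwarding rule hands it to an internal server. This is an added example, not the lecture's or any router's code; 192.168.1.0/24 (RFC 1918 private space) stands in for the internal network, 203.0.113.1 for the router's public address and 198.51.100.x for outside hosts, all constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not from the slides: a minimal masquerading (PAT) router with a
# port-forwarding table. All addresses and ports are constructed sample values.


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outgoing: (internal host, port, remote host, port) -> public port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # incoming: (public port, remote host, remote port) -> (internal host, port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # port forwarding: public port -> (internal host, port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_forward(self, public_port: int, host: str, port: int) -> None:
        """Router listens on public_port and hands it to an internal server."""
        self.forwards[public_port] = (host, port)

    def outbound(self, p: Pkt) -> Pkt:
        """Replace the internal source IP/port by the public IP and a table port."""
        key = (p.src, p.sport, p.dst, p.dport)
        pub = self.out_map.get(key)
        if pub is None:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(pub, p.dst, p.dport)] = (p.src, p.sport)
        return Pkt(self.public_ip, pub, p.dst, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Look up the inquirer; unsolicited packets without a forward are dropped."""
        if p.dst != self.public_ip:
            return None
        hit = self.in_map.get((p.dport, p.src, p.sport))
        if hit is not None:
            host, port = hit
            return Pkt(p.src, p.sport, host, port)
        fwd = self.forwards.get(p.dport)
        if fwd is not None:
            return Pkt(p.src, p.sport, fwd[0], fwd[1])
        return None  # no table entry, no forward: dropped


def demo():
    r = PatRouter("203.0.113.1")
    rewritten = r.outbound(Pkt("192.168.1.10", 51234, "198.51.100.7", 443))
    reply = r.inbound(Pkt("198.51.100.7", 443, "203.0.113.1", rewritten.sport))
    unsolicited = r.inbound(Pkt("198.51.100.9", 5555, "203.0.113.1", 22))
    r.add_forward(22, "192.168.1.20", 22)
    forwarded = r.inbound(Pkt("198.51.100.9", 5555, "203.0.113.1", 22))
    return rewritten, reply, unsolicited, forwarded


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The reverse table is keyed on the remote host and port as well as the public port, so a reply from a different outside host to the same public port is dropped; a port-forwarding entry is the only way an unsolicited outside connection reaches an internal machine, which is why each forward should be treated like an allow rule in the packet filter.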


Questions?


Exam Questions

Name a common firewall architecture and describe its benefits as well as its drawbacks.

What is the advantage of dynamic packet filtering over static packet filtering? Describe its mechanism in detail.


References

- „Building Internet Firewalls“, D. Brent Chapman & Elizabeth D. Zwicky; O'Reilly, 1995
- Wikipedia, 05/2007: Firewalls, OSI model, Ports
- „Firewalls FAQ“, http://www.interhack.net/pubs/fwfaq/, 05/2007
- „Firewall Tutorial“, Dr. Udo Payer, 2005