IAIK, Advanced Computer Networks 2007
Martin Krammer Graz, May 25, 2007
Packet filtering and other firewall functions
Martin [email protected]
Overview
- Firewalls
  - Principles
  - Architectures
  - Security aspects
- Packet filtering
  - Principles
  - Static packet filters
  - Dynamic packet filters
  - Attacks
- Additional functions
  - NAT
  - PAT
  - Port forwarding
Firewalls
- Principles
  - protective device
  - controls traffic between computer networks
  - different zones of trust; interfaces between zones
  - security policies
- „default-deny“ as best practice
- only as good as its administrator
- relies heavily on network architecture
Types
- Software
  - protects a single machine
  - „Personal Firewalls“, „Desktop Firewalls“
  - easy configuration
- Hardware
  - easy to difficult configuration
  - built into several device types: modems, routers, gateways, appliances, ...
  - capable devices to secure networks of different sizes
Architectures
- Dual-homed host
  - 2 network interfaces
  - public network talks to the dual-homed host
  - internal network talks to the dual-homed host
  - no direct communication; IP traffic is blocked
  - proxying as a solution
Architectures
- Screened host
  - security due to packet filtering
  - separate router; packet filtering on the router
  - external connections go to the bastion host
  - bastion host inside the internal network
  - points of failure: router, bastion host
Architectures
- Screened subnet
  - perimeter network (demilitarized zone) for additional security
  - internal traffic doesn't pass the perimeter network
  - one or more hosts on the perimeter network
  - internal-to-external connections: packet filtering on routers, proxy servers on the perimeter network
  - 2 routers: interior, exterior
Architectures
- many more possible; individual network design
- Do
  - multiple bastion hosts
  - multiple internal networks
  - merge interior & exterior routers
  - merge bastion host & external router
  - ...
- Don't
  - merge bastion host & interior router (internal traffic becomes visible to the bastion host)
  - 2 or more interior routers between perimeter & internal network
  - ...
Packet filtering
- route packets selectively
- allow or block packets
- permit or deny services
- packet filter rules according to security policies
- network layer (layer 3)
- does not protect against faulty services on machines
- alternative: proxy servers
Packet information
- packet properties
  - IP source address
  - IP destination address
  - protocol (whether the packet is a TCP, UDP, or ICMP packet)
  - TCP or UDP source port
  - TCP or UDP destination port
  - ICMP message type
- direction: inbound, outbound
- router decisions
  - the interface the packet arrives on
  - the interface the packet will go out on
  - route or not
- the packet's content is not important for packet filtering
Services
- services reside on different port numbers
- specify the port number in the rule-set
- ranges
  - 0-1023: fixed
  - 1024-49151: registered with IANA
  - 49152-65535: dynamic, variable use
Advantages
- one packet filtering router can protect an entire network
- no additional effort: no user interaction, no reconfiguration of client machines
- widely available hardware and software products
Disadvantages
- rule sets can be hard to configure
- difficult to test
- bugs in the implementation may permit packets which should be denied
Rules
- for each packet
  - go through the rules
  - find the first one that matches
  - take action according to that rule
  - if none matches, apply the default rule (default-deny)
- product-specific implementations
  - interface-based rules
  - definition of rule-sets
- tips
  - use addresses, not hostnames
  - define an explicit default rule
Rules 2
- static filtering: according to fixed rules
- dynamic filtering („stateful inspection“)
  - remember outgoing packets
  - let the corresponding response in
  - criteria: socket (host, port)
  - layer 3 & 4 rules
  - rules modified on the fly, time-limited
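The first-match evaluation from the Rules slide and the stateful table from this slide, as an added example written for this page (not code from the slides or any firewall product); the rule syntax, the packet dict layout and the 30-second lifetime of state entries are assumptions.

```python
import ipaddress

# Added example (not from the slides): first-match static rules plus a
# stateful table that remembers outgoing sockets, with time-limited entries.

def parse_rule(text):
    # Assumed rule format: "<allow|deny> <in|out> <proto> <src-net> <dst-net> <dport>"
    action, direction, proto, src, dst, dport = text.split()
    return {"action": action, "direction": direction, "proto": proto,
            "src": None if src == "any" else ipaddress.ip_network(src),
            "dst": None if dst == "any" else ipaddress.ip_network(dst),
            "dport": None if dport == "any" else int(dport)}

def rule_matches(rule, pkt):
    # Only header fields are inspected: addresses, protocol, ports, direction.
    return (rule["direction"] == pkt["direction"] and rule["proto"] == pkt["proto"]
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))

class StatefulFilter:
    def __init__(self, rules, default="deny", ttl=30.0):
        self.rules = [parse_rule(r) for r in rules]   # evaluated top to bottom
        self.default = default                        # explicit default rule
        self.ttl = ttl                                # state entries are time-limited
        self.state = {}                               # socket 5-tuple -> expiry time

    def decide(self, pkt, now):
        if pkt["direction"] == "in":
            # Dynamic filtering: an inbound packet answering a remembered
            # outbound socket is let in without a static rule for it.
            key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if self.state.get(key, -1.0) > now:
                return "allow"
            self.state.pop(key, None)                 # drop an expired entry
        for rule in self.rules:                       # first match wins
            if rule_matches(rule, pkt):
                if rule["action"] == "allow" and pkt["direction"] == "out":
                    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
                    self.state[key] = now + self.ttl  # remember the outgoing socket
                return rule["action"]
        return self.default

def packet(direction, proto, src, sport, dst, dport):
    return {"direction": direction, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}
```

A static filter would have to open inbound TCP from port 80 to every internal port to let the same reply through; the stateful table admits only the reply to the socket it saw go out, and only until the entry expires.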
Application firewalls
- layer 7 (application layer)
- separate proxy for each protocol
- advantages
  - content inspection
  - analysis of actions
  - machine learning mechanisms
  - authentication
  - separation of networks
- disadvantages
  - resource intensive
  - real-time requirements
  - protocol-specific proxies needed
3rd generation firewalls
- hybrid solutions: best of packet filtering and proxy solutions
- internet technology changes: IPv4 vs IPv6; NAT, masquerading, ...
Attacks
- obvious things
  - intrusion
    - communicate with services behind the firewall
    - run code behind firewalls
    - information theft
  - DoS: flooding
  - re-route, redirect, spoofing
  - eavesdropping: network sniffing
- things that happen
  - misconfigured firewall systems
  - network security problems rendering firewall systems redundant
Attacks 2
- Firewall piercing: covert channel
  - communication channel that allows transfer of information that violates the system's security policy
  - without alerting firewalls & IDSs; stealthy nature
  - traffic sent through permitted ports
  - HTTP tunnel: http://www.nocrew.org/software/httptunnel.html, http://entreelibre.com/cctt/index_en.html
  - ICMP tunnel: http://www.securiteam.com/tools/5PP0M0K60O.html
  - DNS: DNS is allowed to any internal client
NAT
- network address translation
- due to the lack of IPv4 addresses
- reserved address ranges for internal use, e.g. class C: 192.0.0.1 - 223.255.255.255
- map internal to external IP addresses; the NAT device remembers the mapping
- convenient feature with a security aspect, but not designed for security
Masquerading, PAT
- port address translation: port numbers are rewritten
- outgoing packets: source IP/port replaced by public IP/port; mapping saved in tables
- incoming packets: use the table to look up the inquirer
- external machines can't reach servers, since connections can only be initiated from internal machines
- solution: port forwarding
Port forwarding
- configured on routers
- router listens on a given public port
- forwards the port on the public interface to a specific address/port on the internal network
- servers located in the internal network become available to the external network
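The PAT table from the Masquerading slide together with port forwarding, as an added simulation that is not part of the slides; the public-port pool starting at 40000, the forwarding map and all addresses are constructed.

```python
import itertools

# Added example (not from the slides): a simulated NAT device doing PAT
# (masquerading) for outbound connections plus static port forwarding.
# 203.0.113.1 is a constructed stand-in for the device's public IP.

class PatDevice:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})   # public port -> (internal ip, internal port)
        self.table = {}                        # public port -> (int ip, int port, remote ip, remote port)
        self.ports = itertools.count(40000)    # pool of public ports handed out by PAT

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # Rewrite the private source socket to public-IP/port and save the mapping,
        # reusing an existing entry for the same internal socket and peer.
        for pub_port, entry in self.table.items():
            if entry == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = next(self.ports)
        while pub_port in self.forwards or pub_port in self.table:
            pub_port = next(self.ports)        # never collide with a forwarded port
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        # Look up who asked for this packet. A packet from a different peer,
        # or to a port that is neither mapped nor forwarded, is dropped (None).
        entry = self.table.get(dst_port)
        if entry and (entry[2], entry[3]) == (src_ip, src_port):
            return (src_ip, src_port, entry[0], entry[1])
        if dst_port in self.forwards:          # static port forwarding
            int_ip, int_port = self.forwards[dst_port]
            return (src_ip, src_port, int_ip, int_port)
        return None
```

Two internal hosts using the same source port get distinct public ports, which is why the port, not only the address, has to be rewritten.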
Questions?
Exam Questions
- Name a common firewall architecture and describe its benefits as well as its drawbacks.
- What is the advantage of dynamic packet filtering over static packet filtering? Describe its mechanism in detail.
References
- „Building Internet Firewalls“, D. Brent Chapman & Elizabeth D. Zwicky, O'Reilly, 1995
- Wikipedia, 05/2007: Firewalls, OSI model, Ports
- „Firewalls FAQ“, http://www.interhack.net/pubs/fwfaq/, 05/2007
- „Firewall Tutorial“, Dr. Udo Payer, 2005