Network Security
Part 2: protocols and systems
(f) Firewalls and VPNs (overview)
Università degli Studi di Brescia
Dipartimento di Ingegneria dell’Informazione
2014/2015
Security perimeter
Outsider
Insider
Outsider
Firewall
Internet
-  Access control, monitoring
and management. Differentiate
between insiders and outsiders
Protected resources
-  Different types of outsiders
Protected resources
Perimeter
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Other networks
Security perimeter’s main components:
firewalls
Outsider
Insider
Firewall
Internet
Outsider
•  Firewalls separate
insiders from outsiders,
and differentiate between
different insider’s traffic
types
•  Filtering policies can be
▫  Stateless
Protected resources ▫  Stateful
Protected resources
Perimeter
•  Application Level
Gateway (ALG) must be
implemented for protocols
that do not respect
layering (e.g., FTP), and
when NATs are involved
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Security perimeter’s main components:
firewalls
Outsider
Insider
SSL tunnel
Firewall
Internet
•  In some cases, certain
outsiders can temporarily
become insiders
▫  Independently of the
traffic type, in case of
proper (layer-3) Virtual
Private Networks
▫  Only for certain traffic
classes, in the case of
Protected resources
SSL/TLS, SSH, etc.
  These are layer-4 VPNs
VPN (e.g.,
IPSec)
Protected resources
•  Firewalls not only block
unwanted traffic: they also
need to limit dangerous
traffic, such as DoS, etc.
Perimeter
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Firewall architectures
•  SW-only on general purpose processors
▫  Most economical and flexible approach
▫  Main problem: limited throughput, especially when
encryption is needed (for VPNs)
•  SW on general purpose processors + cryptographic HW
acceleration
•  Dedicated HW (router)
▫  Costly solution, usually based on proprietary architectures
▫  In many circumstances, e.g., when Gb/s links are
involved, this is the only viable solution
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Firewalled network architectures
De-Militarized Zones (DMZ)
•  A DMZ is (inappropriately) defined as a
set of one or more subnets that are
attached to the firewall’s interface with
the lowest security policies
Internet
▫  The actual DMZ, with respect to “military
terminology”, should be the firewall’s
interface towards Internet
Firewall
Protected resources
DMZ
Protected resources
•  Servers that must be accessible both
from the Internet and from the internal
networks are placed on the DMZ
▫  E.g.: e-mail servers, VPN servers, DNS
servers, etc.
Protected resources
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Firewalled network architectures
DMZ with two firewalls
Internet
Firewall 1
Firewall 2
Protected resources
DMZ
Protected resources
Protected resources
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Configuring a firewall: a complex procedure
•  Never use “generic” rules
▫  For example, traffic to port 25 (SMTP) should be allowed only towards e-mail
servers on the DMZ, never towards all servers on the DMZ
•  Careful with what you filter
▫  Never filter (completely) ICMP!
▫  An example of a correct configuration:
  Block ICMP packets that can carry attacks such as redirect, timestamp-request and reply,
information request, etc.
  Filter and limit other ICMP types, such as echo-request, destination-unreachable, etc.
•  Problems with many legitimate applications that violate layering
▫  FTP
▫  H.323
▫  Chat, etc.
•  Managing the DMZ, especially when the configuration of servers changes
frequently, is a boring and complex task
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Layer-3 VPN technologies
Outsider
Insider
Firewall
Internet
VPN Tunnel
(e.g., IPSec)
Protected resources
Outsider
•  Two main types:
▫  IPSec
▫  PPTP/L2TP
•  Open a virtual, secure
layer-3 channel to the
inside of a network
Protected resources
▫  The client
temporarily
becomes an insider
at layer-3
Perimeter
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Layer-4 VPN technologies
Outsider
Insider
SSL Tunnel
Firewall
Internet
Protected resources
Outsider
•  Main approaches:
▫  SSL/TLS (stunnel)
▫  SSH
•  The tunnel in this
case is at the
application layer
•  Potential problems
Protected resources
with long-term TCPover-TCP
connections
Perimeter
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Download

Network Security - Ingegneria - Università degli Studi di Brescia