1 12. Firewalls Content 12. Firewalls 12.1 Definition
advertisement
Security in Communication Networks WS‘00/01 12. Firewalls Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall 12.6 Examples Security in Communication Networks WS‘00/01 12. Firewalls 12.1 Definition 2 / 17 Def.: A firewall is any security system protecting the boundary of an internal network. A bastion host is a computer system with strong security as it is exposed to the outside world. Tasks of a firewall: • access control based on sender or receiver address • access control based on services requested • hiding the internal network, e.g. topology, addresses, etc. • virus checking on incoming files • authentication based on the source of traffic • logging of Internet activities Two fundamental mechanisms used by firewalls are 1. Packet filtering 2. Proxy servers 1 Security in Communication Networks WS‘00/01 12. Firewalls 12.2 Packet Filtering & Proxy Servers 3 / 17 Placement of firewall components: (1) packet filter (2) circuit-level proxy (3) application-level proxy Application process application (3) transport (2) network (1) End System Security in Communication Networks WS‘00/01 Application process Intermediate System Internetworking Device End System 12. Firewalls 12.2 Packet Filtering & Proxy Servers Packet Filtering Packet filtering can be based on the following information: • source address • destination address • protocol • connection (stateful inspection) A packet filter behaves like a simple bridge. If it also provides routing functionality it is called a screening router. 4 / 17 Proxy Server • controlled invocation • intercepts client’s request and decides whether it is permitted according to its security rules • if so, request is passed on to the real service • proxy server is the only entity seen by the outside world • appears transparent to the internal users • can apply protocol-specific access rules, perform access control based on user identities and on packet contents • proxy server needed for each service to be protected 2 Security in Communication Networks WS‘00/01 12. Firewalls 12.2.1 Proxy Servers 5 / 17 Application Level Proxy • works at the application layer Circuit Level Proxy • works at the transport layer • application gateway only system reachable from the outside • application gateway provides proxy for each service to be used (e.g SMTP, FTP, HTTP) • dual-homed, i.e. complete control over packets transmitted between the internal and external network • user has to authenticate himself to the gateway before using the service • gateway is communication partner of source, not the real destination • service, for which no application level proxy is available, can use circuit level proxies for communication via application gateway • generic proxy which can be used with several services • relationship is n:1, i.e. proxy allows several clients to communicate with one server on the other side, as the communication is addressed via the port number of the port relay Security in Communication Networks WS‘00/01 12. Firewalls 12.2.2 Communication via Application Level Proxy Source Application Proxy 6 / 17 Destination Connection establishment User authentication Connection establishment Data transfer Connection termination 3 Security in Communication Networks WS‘00/01 12. Firewalls 12.2.3 SOCKS 7 / 17 SOCKS • standardised environment for the transparent and secure use of firewalls • intercepts TCP and UDP connection requests and transforms them into the SOCKS format • communication via SOCKS is restricted to the communication between SOCKS client and SOCKS server (tunnel) • tunnel defines security association and provides authentication, confidentiality and integrity • combines possibilities of circuit level and application level proxies • SOCKS requires modifications of the client Application Layer Socks Layer Transport Layer Network Layer Link Layer Security in Communication Networks WS‘00/01 12. Firewalls 12.2.4 Pros and Cons Packet Filtering + simplicity Proxy Servers + user authentication + low cost – correctly specifying packet filters is a difficult and error-prone process – reordering packet filter rules makes correctly specifying rules even more difficult + application protocol control + logging + accounting – proxy needed for each application protocol – circuit level proxies usually not able to scan application data 8 / 17 4 Security in Communication Networks WS‘00/01 12. Firewalls 12.3 Architectures - Dual-Homed Host Firewall 9 / 17 Dual-Homed Host Firewall • machine with two network interfaces • routes packets and processes them according to its security rules • “all-in-one” firewall as it can provide packet filtering and proxy servers • clients on the internal network can access services on the Internet either by using a proxy server in the firewall or by logging on to the firewall directly Internet Dual-homed host Security in Communication Networks WS‘00/01 Internal network 12. Firewalls 12.4 Architectures - Screened Hosts Firewall 10 / 17 Screened Hosts Firewall • consists of a screening router and a bastion host on the internal network • screening router performs packet filtering and provides the interface to the Internet • screening router sends all permitted incoming traffic to the bastion host, where further access control decision can be made before packets are forwarded • screening router accepts internal packets only from the bastion host Internet Screening router Internal network Bastion host 5 Security in Communication Networks WS‘00/01 12. Firewalls 12.5 Architectures - Screened Subnet Firewall 11 / 17 Screened Subnet Firewall • combines traits of the previous two approaches Security in Communication Networks WS‘00/01 • a peripheral network, called demilitarised zone (DMZ), is placed between the internal network and the Internet • screening router between the Internet and the peripheral network • dual-homed host firewall between the peripheral and the internal network applies more complex policies governing the internal users • peripheral network is a suitable location for non-sensitive hosts accessible to the outside world (e.g. web server) 12. Firewalls 12.5 Architectures - Screened Subnet Firewall (cont.) Web server 12 / 17 Internet Screening router Peripheral network (DMZ) Firewall Internal network 6 Security in Communication Networks WS‘00/01 12. Firewalls 12.6.1 Example: IP Access List 13 / 17 Criteria: • allow all incoming TCP traffic if the session was initiated within the internal corporate network Security in Communication Networks WS‘00/01 • allow FTP control and FTP data traffic to the FTP server with the address 144.254.1.4 • allow HTTP traffic to the Web server with the address 144.254.1.3 • deny all other traffic from entering the corporate network • log all access list violations 12. Firewalls 12.6.1 Example: IP Access List access-list 101 permit tcp any any established access-list 101 permit tcp any host 144.254.1.4 eq access-list 101 permit tcp any host 144.254.1.4 eq access-list 101 permit tcp any host 144.254.1.3 eq access-list 101 deny ip any any log ! Interface Serial 0/0 description to the Internet ip address 161.71.73.33 255.255.255.248 ip access-list 101 in 14 / 17 ftp ftp-data www 7 Security in Communication Networks WS‘00/01 12. Firewalls 12.6.1 Example: Packet Filter Flowchart 15 / 17 Receive Packet Parse Protocol Headers Apply Next Filter Rule Ok to forward? Forward Packet Yes No Need to block? Block Packet Yes No Last Filter Rule? Yes No Security in Communication Networks WS‘00/01 12. Firewalls 12.6.2 Example: Protection against SYN Flooding TCP connection establishment: Client Server 16 / 17 SYN Flooding: Client Server SYN SYN SYN, ACK SYN, ACK SYN ACK SYN, ACK SYN SYN, ACK . . . SYN SYN, ACK 8 Security in Communication Networks WS‘00/01 12. Firewalls 12.6.2 Example: Protection against SYN Flooding (cont.) Firewall External Host 17 / 17 Internal Host SYN SYN, ACK 1. ACK SYN SYN, ACK ACK 2. SYN SYN SYN, ACK SYN, ACK ACK ACK 9
