453 Network Security
Section 5: Firewalls
Dr. E.C. Kulasekere
Sri Lanka Institute of Information Technology - 2006
Introduction
• Evolution of information systems
• Now everyone wants to be on the Internet and to interconnect networks
• This generates persistent security concerns
– can’t easily secure every system in the organization
• Organizations need "harm minimisation"
• a firewall is usually part of this
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defence
What is a Firewall? …
• Firewalls essentially keep the problems of other networks from getting into yours.
• All firewalls do some kind of packet filtering.
• Once the type of a firewall has been identified, it can be penetrated through the weakest link in the surrounding security.
• Software firewalls such as those on Linux can be effective in terms of easy configuration, e.g. gfcc.
Firewall Limitations
• cannot protect from attacks bypassing it
– e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
• cannot protect against internal threats
– e.g. a disgruntled employee
• cannot protect against the transfer of all virus-infected programs or files
– because of the huge range of O/S & file types
How Firewalls Function
• Two approaches to control access
– Everything not specifically permitted is denied.
– Everything not specifically denied is permitted.
• The most often recommended is "everything not specifically permitted is denied".
• This is restrictive but provides more security, with the downside that legitimate users may also get blocked.
Firewall Types
• Mainly two+one types
– Application Gateways
– Packet filters
– Stateful Inspection screening systems.
• Each type can be modeled by where it operates in the OSI layers.
• Hybrid packet screening methods can be implemented by combining two or more of these together.
Firewalls and OSI Model
Firewalls – Packet Filters
Firewalls – Packet Filters (1)
• simplest of components
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to rules
• hence restrict access to services (ports)
• A service can therefore be disallowed as a whole, but a function within the service cannot be disallowed.
• Example: FTP can be stopped but the mget function cannot be stopped.
Firewalls – Packet Filters (2)
• The most common implementation is on a router or dual-homed gateway.
• Packet filtering can be done based on
– Source IP address
– Destination IP address
– Protocol type (TCP/UDP)
– Source port
– Destination port
Firewalls – Packet Filters (3)
Strengths of a Packet Filter Firewall
• Faster, since the screening of packets is done at a lower level.
• If implemented properly this type of firewall will have little effect on network performance.
• This is less expensive, and most of the hardware and software these days have some form of packet filter built in.
• This type of firewall can also scale up very easily.
• Packet filtering firewalls are application independent. Decisions are based on information contained in the packet's header and not on information that relates to a specific application.
Weaknesses of a Packet Filter Firewall
• Packet filtering firewalls allow a direct connection to be made between the two endpoints.
• Even though the filtering is fast, it is an all-or-nothing approach: if a port is open, all traffic for that port is open, and in effect it’s a security hole.
• Hard to match the access of a client to the requirements of an organization.
• Testing of a rule set is near impossible.
• Open to attacks that use the packet header information.
• Packet filtering firewalls do not perform user authentication.
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
Firewalls – Stateful Packet Inspection (1)
• This uses the same technique as a packet filtering firewall, with additional header checking from the network layer up to the application layer to see if the packet is part of a legitimate connection.
• i.e. examine each IP packet in context
– keeps track of client-server sessions
– checks that each packet validly belongs to one
• better able to detect bogus packets out of context
Firewalls – Stateful Packet Inspection (2)
• Packet header information is examined and fed into a dynamic state table where it is stored.
• The packets are compared to pre-configured rules or filters, and allow or deny decisions are made based on the results of the comparison.
• The data in the state table is then used to evaluate subsequent packets to verify that they are part of the same connection.
Firewalls – Stateful Packet Inspection (3)
• This method can make decisions based on one or more of the following:
– Source IP address
– Destination IP address
– Protocol type (TCP/UDP)
– Source port
– Destination port
– Connection state
• By having the ability to "remember" the status of a connection, this method of packet screening is better equipped to guard against attacks than standard packet filtering.
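As an added example (not from the slides), the following Python models a packet filter that decides on the header fields listed above with a default-deny rule set, applies the countermeasures from the "Attacks on Packet Filters" slide, and then extends the same rules with a state table so that replies to an admitted session are recognised. The internal network, the rule set and every address are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # constructed: the trusted LAN behind the filter

# One IP/TCP header as the filter sees it: syn = TCP SYN flag, frag_offset = IP
# fragment offset (0 = first or only fragment), source_routed = IP source-route option.
Packet = namedtuple("Packet", "src sport dst dport proto syn frag_offset source_routed",
                    defaults=("TCP", False, 0, False))

# Static rules: (direction, proto, src net, dst net, dst port). Anything that
# matches no rule is denied ("everything not specifically permitted is denied").
RULES = [
    ("in",  "TCP", "0.0.0.0/0",  "10.0.0.0/8", 25),   # SMTP to the internal mail host
    ("out", "TCP", "10.0.0.0/8", "0.0.0.0/0",  80),   # web browsing outward
]

def header_checks(p, direction):
    """Countermeasures from the 'Attacks on Packet Filters' slide; None = pass."""
    if direction == "in" and ip_address(p.src) in INTERNAL:
        return "spoofed internal source on external interface"
    if p.source_routed:
        return "source-routed packet"
    if p.frag_offset == 1:   # RFC 1858: a fragment that would overwrite the TCP header
        return "tiny fragment"

def rule_permits(p, direction):
    return any(d == direction and proto == p.proto and port == p.dport
               and ip_address(p.src) in ip_network(s) and ip_address(p.dst) in ip_network(t)
               for d, proto, s, t, port in RULES)

def stateless_filter(p, direction):
    """Decision for one packet with no memory of earlier packets."""
    reason = header_checks(p, direction)
    if reason:
        return "deny (" + reason + ")"
    return "permit" if rule_permits(p, direction) else "deny (no matching rule)"

class StatefulFilter:
    """Same rules plus a state table of the sessions the rules have admitted."""
    def __init__(self):
        self.state = set()   # (proto, client ip, client port, server ip, server port)

    def decide(self, p, direction):
        reason = header_checks(p, direction)
        if reason:
            return "deny (" + reason + ")"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:            # reply belonging to a remembered session
            return "permit (established)"
        if p.syn and rule_permits(p, direction):
            self.state.add(key)              # new session admitted by a rule
            return "permit (new)"
        return "deny (no matching rule or state)"
```

The stateless filter has no way to admit the web server's reply without opening the client port range to everything, which is the all-or-nothing weakness described above; the stateful filter admits it only because it remembers the outbound SYN.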
Firewalls – Stateful Packet Inspection (4)
Strengths of a Stateful Packet Filter
• Like packet filtering firewalls, these have very little impact on network performance, can be implemented transparently and are application independent.
• Since it digs deeper into the header information, this is more secure than a normal packet filter firewall.
• These have some logging capabilities. Logging can help identify and track the different types of traffic that pass through the firewall.
Weaknesses of a Stateful Packet Filter
• Like packet filtering, this does not break the client/server model and therefore allows a direct connection to be made between the two endpoints.
• Rules and filters in this packet screening method can become complex, hard to manage, prone to error and difficult to test.
Application Level Gateway (or Proxy)
Firewall – Application Gateway/Proxy (1)
• This is considered to be the most complex packet screening method.
• This type of firewall is usually implemented on a secure host system configured with two network interfaces, where the firewall acts as an intermediary between the two interfaces.
• Operates at the application level of the OSI model. Hence a proxy service must be implemented for each application protocol.
Firewall – Application Gateway/Proxy (2)
• These can be made very reliable since this is the only connection point between the two networks.
• Another strength of this method of packet screening is that the interfaces on the host system do not forward packets.
• There is no direct connection between the host and the client.
Firewall – Application Gateway/Proxy (3)
• The operation is as follows
– The client issues a request from an untrusted network and a connection is established with the application gateway/proxy.
– The proxy determines whether the request is valid by checking it against its rules.
– Then a new request is generated by the proxy on behalf of the client and sent to the destination.
– The destination's answer to that request is relayed back to the client in the same manner.
The Proxy/Gateway View
Firewall – Application Gateway/Proxy (4)
• Unlike packet filtering and stateful packet inspection, an application gateway/proxy can see all aspects of the application layer, so it can look for more specific pieces of information.
• E.g. the difference between a piece of e-mail containing text and a piece of e-mail containing a graphic image, or the difference between a webpage using Java and a webpage without, can be determined.
• The method is far superior to the others but not the most practical to apply.
Strengths of an Application Level Gateway/Proxy (1)
• No direct connection; breaks the client/server model; keeps the internal and external networks separate.
• No routing is done. Hence this method of packet screening inherently provides a form of Network Address Translation.
• They can permit or deny specific applications or specific features of an application. Many security experts believe that application gateways/proxies are more secure because of this granular control.
Strengths of an Application Level Gateway/Proxy (2)
• Enhanced filtering capabilities. Since they have the ability to examine the payload of the packet, they are capable of making decisions based on content.
• These offer tight user administration that can be coupled with system databases.
• They are capable of logging user activity and different types of traffic. This ability can be a valuable resource when dealing with security incidents and policy implementation.
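As an added example (not from the slides), the following Python simulates the proxy operation described above for HTTP, in memory: the client's request is parsed and checked against a policy, a fresh request is issued from the proxy's own address, and the reply is inspected for content before being relayed. The trusted network, the proxy address, the policy and the `upstream` callback that stands in for the destination server are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # constructed: clients allowed to use the proxy
PROXY_ADDR = "192.0.2.1"              # constructed: the proxy's external interface
POLICY = {
    "allowed_methods": {"GET", "HEAD"},
    "allowed_hosts": {"www.example.com"},
    "deny_content": re.compile(rb"<applet\b", re.I),   # "a webpage using Java"
}

def parse_request(raw):
    """Split a minimal HTTP/1.0 request into its parts; raises ValueError if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return method, target, version, headers, body

def proxy(client_ip, raw_request, upstream):
    """upstream(src_ip, request_bytes) -> response_bytes plays the destination server."""
    if ip_address(client_ip) not in INTERNAL:
        return b"HTTP/1.0 403 Forbidden\r\n\r\nuntrusted client"
    try:
        method, target, version, headers, body = parse_request(raw_request)
    except ValueError:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    host = headers.get("Host", "")
    if method not in POLICY["allowed_methods"] or host not in POLICY["allowed_hosts"]:
        return b"HTTP/1.0 403 Forbidden\r\n\r\nblocked by proxy policy"
    # A new request, built by the proxy from the validated fields only (client-side
    # headers such as Proxy-Connection are dropped) and sent from the proxy's address.
    fresh = (f"{method} {target} {version}\r\nHost: {host}\r\n"
             "Connection: close\r\n\r\n").encode() + body
    response = upstream(PROXY_ADDR, fresh)
    if POLICY["deny_content"].search(response):      # payload-based decision
        return b"HTTP/1.0 403 Forbidden\r\n\r\nblocked content"
    return response
```

The destination only ever sees a connection from `PROXY_ADDR`, which is the "no direct connection" property the slides describe.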
Weaknesses of an Application Level Gateway/Proxy (1)
• When packets are screened at application level the system performance is affected. This can sometimes be a bottleneck.
• Each protocol (HTTP, SMTP, etc.) requires its own gateway/proxy application. If one does not exist, then the corresponding protocol will not be allowed through the firewall. In addition, since each protocol requires its own gateway/proxy, support for new applications can become a problem.
Weaknesses of an Application Level Gateway/Proxy (2)
• Clients on the network may require specialized software or configuration changes to be able to connect to the application gateway/proxy. This can have quite an impact on larger networks with numerous clients.
• Performance typically degrades when the number of clients increases or the number of gateways/proxies located on any one host system increases. Hence low scalability.
Weaknesses of an Application Level Gateway/Proxy (3)
• When installed on general-purpose operating systems, they are vulnerable to the security loopholes of the underlying system. If the underlying system is not secure, the firewall is not secure.
• It is also more susceptible to DoS (denial of service) attacks. If enough data is forced on the application gateway/proxy, it can cease to operate.
• The enhanced security of application gateways/proxies may require the purchase of additional hardware, software, expertise, or support, which in turn drives up the cost of the firewall solution.
Other Hybrid Types of Firewalls
• There are several other hybrid types.
– Adaptive proxies: an enhanced form of application level gateways/proxies.
– Circuit level gateways: work on sessions rather than screening individual packets.
• Hybrid firewalls improve on the capabilities of the basic types.
Adaptive Proxies
• Constructed by combining the merits of both application gateways/proxies and packet filtering firewalls.
• These work by inspecting the first part of a connection at the application layer to make allow or deny decisions.
• Subsequent packets are then inspected at the network layer and allowed or denied at that layer.
• If the subsequent packets are deemed new, they are passed back up to the application layer for inspection.
• This enhances performance, since network-layer inspection is faster.
Firewalls - Circuit Level Gateway (1)
• Unlike the packet filtering firewall, this does not examine individual packets.
• It monitors TCP/UDP sessions instead.
• Once a session has been established, it leaves the port open to allow all other packets belonging to that session to pass. The port is closed when the session is terminated.
• This method of packet screening resembles application gateways/proxies and adaptive proxies, but circuit-level gateways operate at the transport layer (layer 4) of the OSI model.
Firewalls - Circuit Level Gateway (2)
Important Aspects of Effective Firewalls
• First, the device or host system on which the firewall solution resides must be secure. If the system can be compromised, then the firewall can also be compromised. If the firewall you choose is based on a well-known network operating system, make sure the operating system is fully patched and all security updates have been applied.
• Second, for a firewall to be effective, all traffic to and from your network must pass through it. If a firewall can be physically or logically bypassed, there is no guarantee that your trusted network is safe. The architecture used for your firewall solution is very important.
Discuss the security issues in a LAN.
• The difference between the levels of security comes from the degree of control you have over what is happening in the network. In a LAN you have complete control over the hosts; in a WAN you have little or no control over the other hosts and services.
• User authentication: restricting access using the passwd file and shadow passwords. The passwd files should not be world readable, especially the shadow passwd file. Use pwconv to update.
• Resource protection: restrict which users can access which objects, and audit to track usage as well as abuse of privileges.
• Physical safeguards: securing the physical unit itself is essential for security. E.g. Linux single-user mode penetrates a firewall.
Discuss the security issues in a WAN.
• In WANs you are open to an infinite number of security risks.
• Using a firewall one can reduce the security risks by having only a single point of control for Internet connections.
• In TCP applications, a buffer overflow can crash the service and open a hole by not trapping unexpected behavior (recover by patching or updating).
• IP forging can get a stray packet into your network which can initiate a legitimate connection to the outside world.
• Password theft: use encryption, and use Crack to check passwords when they are set up.
• Viruses and Trojan Horses.
• Forged e-mails: use digital signatures to identify them.
What are the firewall architectures?
• Firewall implementations can be simple or complex based on the architecture used.
• Traffic to and from the network must pass through the firewall.
• There are several types of architectures
– A packet filtering router.
– Screened host (Bastion host)
– Dual homed gateway
– Screened subnet or demilitarized zone (DMZ)
– Firewall appliance.
Packet Filtering Router
• This is a router configured to screen packets between two networks.
• It routes packets between the two networks and uses packet filtering rules to accept or deny traffic.
• Implementing this is not easy, since routers are not meant for this purpose and the command interface is neither simple nor intuitive.
Screened Host (Bastion Host) (1)
• This is generally located in the trusted network, shielded from the untrusted network by a packet filtering router.
• All the traffic coming from the packet filter is directed to the screened host.
Screened Host (Bastion Host) (2)
• Outbound traffic may or may not go through the screened host.
• It is most often software based and runs on a general-purpose computer that is running a secure version of the operating system.
• Security is usually implemented at the application level.
Dual Homed Gateway (1)
• A dual-homed gateway typically sits behind the gateway (usually a router) to the untrusted network and most often is a host system with two network interfaces.
• Traffic forwarding on this system is disabled, thereby forcing all traffic between the two networks to pass through some kind of application gateway or proxy.
Dual Homed Gateway (2)
• Only gateways or proxies for the services that are considered essential are installed on the system.
• This particular architecture will usually require user authentication before access to the gateway/proxy is allowed.
• Each proxy is independent of all other proxies on the host system.
Screened Subnet or Demilitarized Zone (DMZ) (1)
• A screened subnet or DMZ is typically created between two packet filtering routers.
• When using this architecture, the firewall solution is housed on this screened subnet segment along with any other services available to the untrusted network.
• Conceptually, this architecture is similar to that of a screened host, except that an entire network rather than a single host is reachable from the outside.
Firewall Appliance (1)
• A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network.
• This architecture resembles the packet filtering router and dual-homed gateway architectures in that all traffic must pass through the appliance. In most instances these appliances come pre-configured on their own box.
Firewall Appliance (2)
• They may also have other services built in, such as Web servers and e-mail servers.
• No extensive configuration is required, hence easy to use.
Selecting and Implementing a Firewall
• In order to pick the best architecture and packet screening method for a firewall solution, the following questions should be considered:
– What does the firewall need to do?
– What additional services would be desirable?
– How will it fit in the existing network?
– How will it affect existing services and users?
• Note that a firewall implemented with little thought may be worse than having no firewall at all.
Access Control
• given that the system has identified a user
• determine what resources they can access
• the general model is that of an access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – the way an object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
Access Control Matrix
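As an added example (not from the slides), the following Python builds a small access matrix, decomposes it by column into access control lists and by row into capability tickets, and checks that all three views give the same answer to every access query. It goes one step beyond the slide by showing revocation in both views, which is where the two decompositions differ in practice. The subjects, objects and rights are constructed for the example.

```python
from collections import defaultdict

# Constructed sample access matrix: rows are subjects, columns are objects and
# each cell holds the set of access rights the subject has on the object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "fw.conf": {"read"}},
    "bob":   {"payroll.db": {"read"}},
    "httpd": {"fw.conf": set(), "www/": {"read", "execute"}},
}

def access_control_lists(matrix):
    """Column view: for each object, which subjects hold which rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:                       # an empty cell gets no ACL entry
                acls[obj][subject] = set(rights)
    return dict(acls)

def capability_lists(matrix):
    """Row view: for each subject, the (object, right) tickets it holds."""
    return {subject: {(obj, r) for obj, rights in row.items() for r in rights}
            for subject, row in matrix.items()}

def permitted(matrix, subject, obj, right):
    """Reference-monitor check straight from the matrix; anything unknown is denied."""
    return right in matrix.get(subject, {}).get(obj, set())

def permitted_via_acl(acls, subject, obj, right):
    return right in acls.get(obj, {}).get(subject, set())

def permitted_via_capability(caps, subject, obj, right):
    return (obj, right) in caps.get(subject, set())

def views_agree(matrix):
    """Both decompositions must answer every (subject, object, right) query
    exactly as the matrix does."""
    acls, caps = access_control_lists(matrix), capability_lists(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for cell in row.values() for r in cell}
    return all(permitted(matrix, s, o, r) == permitted_via_acl(acls, s, o, r)
               == permitted_via_capability(caps, s, o, r)
               for s in matrix for o in objects for r in rights)

def revoke_right_on_object(acls, caps, obj, right):
    """Revoke one right on one object in both views. The ACL change is local to
    that object's list; the capability view needs a scan of every subject's tickets."""
    for subject in list(acls.get(obj, {})):
        acls[obj][subject].discard(right)
        if not acls[obj][subject]:
            del acls[obj][subject]
    for tickets in caps.values():            # full scan of all rows
        tickets.discard((obj, right))
```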