Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Linux Firewall

advertisement 
Linux Firewall
Firewall topics
•
•
•
•
•
•
•
•
Why firewall?
What is a firewall?
What is the perfect firewall?
What types of firewall are there?
How do I defeat these firewalls?
How should I deploy firewalls?
What is good firewall architecture?
Firewall trends.
What are the risks?
•
•
•
•
•
•
Theft or disclosure of internal data
Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Wasted employee time
Bad publicity, public embarassment, and law
suits
What needs to be secured?
• Crown jewels: patent work, source
code, market analysis; information
assets
• Any way into your network
• Any way out of your network
• Information about your network
Why do I need a firewall?
• Peer pressure.
• One firewall is simpler to administer
than many hosts.
• It’s easier to be security conscientious
with a firewall.
What is a firewall?
• As many machines as it takes to:
– be the sole connection between inside and
outside.
– test all traffic against consistent rules.
– pass traffic that meets those rules.
– contain the effects of a compromised
system.
Firewall components
• All of the machines in the firewall
– are immune to penetration or compromise.
– retain enough information to recreate their
actions.
The Perfect firewall
• Lets you do your business
• Works with existing security measures
• has the security “margin of error” that
your company needs.
The security continuum
Easy to use
Secure
• Ease of use vs. degree of security
• Cheap, secure, feature packed, easy to
administer? Choose three.
• Default deny or default accept
Policy for the firewall
– Who gets to do what via the Internet?
– What Internet usage is not allowed?
– Who makes sure the policy works and is
being complied with?
– When can changes be made to
policy/rules?
– What will be done with the logs?
– Will we cooperate with law enforcement?
What you firewall matters more than which
firewall you use.
• Internal security policy should show
what systems need to be guarded.
• How you deploy your firewall
determines what the firewall protects.
• The kind of firewall is how much
insurance you’re buying.
How to defeat firewalls
• Take over the firewall.
• Get packets through the firewall.
• Get the information without going
through the firewall.
A partial list of back doors.
•
•
•
•
•
personal modems
vendor modems
partner networks
home networks
loose cannon
experts
•
•
•
•
•
employee hacking
reusable passwords
viruses
“helpful” employees
off-site backup &
hosting
Even perfect firewalls can’t fix:
• Tunneled traffic.
• Holes, e.g. telnet, opened in the firewall.
• WWW browser attacks / malicious
Internet servers.
Priorities in hacking through a firewall
• Collect information.
• Look for weaknesses behind the
firewall.
• Try to get packets through the firewall.
• Attack the firewall itself.
• Subvert connections through the
firewall.
Information often leaked through firewalls
•
•
•
•
DNS host information
network configuration
e-mail header information
intranet web pages on the Internet
“Ground-floor windows”
•
•
•
•
•
mail servers
web Servers
old buggy daemons
account theft
vulnerable web browsers
Attacking the firewall
• Does this firewall pass packets when it’s
crashed?
• Is any software running on the firewall?
A fieldtrip through an IP packet
• Important fields are:
– source, destination, ports, TCP status
. . TOS . . .. . . SRC DEST opt SPORT DPORT SEQ# ACK#
..ACK,URG,SYN ….
DATA
Types of firewall
•
•
•
•
•
Packet filters
Proxy gateways
Network Address Translation (NAT)
Intrusion Detection
Logging
Packet filters
• How Packet filters work
– Read the header and filter by whether
fields match specific rules.
– SYN flags allow the router to tell if
connection is new or ongoing.
• Packet filters come in dumb, standard,
specialized, and stateful models
Standard packet filter
– allows connections as long as the ports are
OK
– denies new inbound connections, using the
SYN flag
– Examples: Cisco & other routers,
Karlbridge, Unix hosts, steelhead.
Packet filter weaknesses
– It’s easy to botch the rules.
– Good logging is hard.
– Stealth scanning works well.
– Packet fragments, IP options, and source
routing work by default.
– Routers usually can’t do authentication of
end points.
Stateful packet filters
– SPFs track the last few minutes of network
activity. If a packet doesn’t fit in, they drop
it.
– Stronger inspection engines can search for
information inside the packet’s data.
– SPFs have to collect and assemble
packets in order to have enough data.
– Examples: Firewall One, ON Technologies,
SeattleLabs, ipfilter
Weaknesses in SPF
– All the flaws of standard filtering can still
apply.
– Default setups are sometimes insecure.
– The packet that leaves the remote site is
the same packet that arrives at the client.
– Data inside an allowed connection can be
destructive.
– Traditionally SPFs have poor logging.
Proxy firewalls
• Proxy firewalls pass data between two
separate connections, one on each side
of the firewall.
– Proxies should not route packets between
interfaces.
• Types: circuit level proxy, application
proxy, store and forward proxy.
General proxy weaknesses
• The host is now involved, and
accessible to attack.
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if
authentication isn’t used.
• Higher latency & lower throughput.
Circuit level proxy
– Client asks FW for document. FW connects
to remote site. FW transfers all information
between the two connections.
– Tends to have better logging than packet
filters
– Data passed inside the circuit could be
dangerous.
– Examples: Socks, Cycom Labyrinth
Application proxy
– FW transfers only acceptable information
between the two connections.
– The proxy can understand the protocol and
filter the data within.
– Examples: TIS Gauntlet and FWTK,
Raptor, Secure Computing
Application proxy weaknesses
• Some proxies on an “application proxy”
firewall may not be application aware.
• Proxies have to be written securely.
Store and forward , or caching, proxies
– Client asks firewall for document; the
firewall downloads the document, saves it
to disk, and provides the document to the
client. The firewall may cache the
document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN,
Squid proxies; SMTP mail
Weaknesses of store & forward proxies
– Store and forward proxies tend to be big
new programs. Making them your primary
connection to the internet is dangerous.
– These applications don’t protect the
underlying operating system at all.
– Caching proxies can require more
administrator time and hardware.
Network Address Translation (NAT)
– NAT changes the ip addresses in a packet,
so that the address of the client inside
never shows up on the internet.
– Examples: Cisco PIX, Linux
Masquerading, Firewall One, ipfilter
Types of NAT
• Many IPs inside to many static IPs
outside
• Many IPs inside to many random IPs
outside
• Many IPs inside to one IP address
outside
• Transparent diversion of connections
Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols
– ICMP, IP options, FTP, fragments
• Can give out a lot of information about
your network.
• May need a lot of horsepower
Intrusion detection
– Watches ethernet or router for trigger
events, then tries to interrupt connections.
Logs synopsis of all events.
– Can log suspicious sessions for playback
– Tend to be very good at recognizing
attacks, fair at anticipating them
– Products: Abirnet, ISS Real Secure,
SecureNetPro, Haystack Netstalker
Weaknesses of intrusion detection
– Can only stop tcp connections
– Sometimes stops things too late
– Can trigger alarms too easily
– Doesn’t work on switched networks
Logging
• Pros:
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
• Cons:
– Very programmer or administrator intensive
– Doesn’t prevent damage
– needs a stable environment to be useful
Types of logging
• program logging
• syslog /NT event log
• sniffers
– Argus, Network General, HP Openview,
TCPdump
• router debug mode
– A very good tool for tracking across your
network
Commercial Logging
• Logging almost all commercial firewall
packages stinks
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based
on log information
– No good way to integrate log files from
multiple machines
Firewall Tools
• All types of firewall are useful
sometimes.
• The more compartments on the firewall,
the greater the odds of security.
• Belt & suspenders
Firewall topology
•
•
•
•
Webserver placement
RAS server placement
Partner network placement
Internal information protection (intranet
firewalling)
Firewall deployment checklist
• Have list of what needs to be protected.
• Have all of the networks configured for
the firewall
• All rules are in place
• Logging is on.
What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better
be secure.
– If these services can’t be secured, what do
you have to lose?
Last checks
• Day 0 Backups made?
• Are there any gaps between our stated
policy and the rules the firewall is
enforcing?
Auditing
• A firewall works when an audit finds no
deviations from policy.
• Scanning tools are good for auditing
conformance to policy, not so good for
auditing security.
Sample configurations
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific
resources.
Minimal restriction, good security
• Stateful packet filter, dmz, packet filter,
intrusion detection.
S
Inside
The Multimedia Nightmare
Proxy
CACHE
Inside
• secure multimedia & database content to
provided to multiple Internet destinations.
• Web server is acting as authentication &
security for access to the Finance server.
Firewalls in multiple locations
VPN over internal LAN
– Identical proxies on both sides.
Low end, good security, for low threat
environments
• Packet filter, “Sacrificial Goat” web server,
Application Firewall, bastion host running
logging & Store & Forward proxies
Store &
Forward
Inside
High end firewalls
• ATM switching firewalls
• Round robin gateways
– Don’t work with transparent proxies
• High availability
Firewall Trends
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– VPNs
– Dumb protocols
– LAN equipment & protocols showing up on
the Internet
– Over-hyped content filtering
More Firewall Trends
– blurring between packet filters &
application proxies
– more services running on the firewall
– High availability, fail-over and hot swap
ability
– GUI’s
– Statistics for managers
Firewall trends & “religious” issues.
• Underlying OS for firewalls
– Any firewall OS should have little in
common with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify”
firewalls yourself.
Source vs. Shrink-wrap
• Low end shrinkwrap solutions
• The importance of source
– Can you afford 1.5
programmer/administrators?
– Are you willing to have a non-employee
doing your security? (Whose priorities
win?)
Downside of firewalls
•
•
•
•
single point of failure
difficult to integrate into a mesh network
highlights flaws in network architecture
can focus politics on the firewall
administrator
Interesting firewall products
– Checkpoint Firewall-1
http://www.checkpoint.com
– SecureNetPro http://www.mimestar.com
– IP Filter
http://coombs.anu.edu.au/~avalon/ipfilter.html
– Seattle Labs http://www.sealabs.com
– Karlnet Karlbridge http://www.karlnet.com
– V-One inc http://www.v-one.com
– ISS Realsecure http://www.iss.net
Related documents
1-07 ICS2O3C - Warriors of the Net
1-07 ICS2O3C - Warriors of the Net
Guide to Firewalls and Network Security
Guide to Firewalls and Network Security
Palo Alto Networks offers a full line of purpose
Palo Alto Networks offers a full line of purpose
Clique/Trust Solution Suitable for Level 2 Grid
Clique/Trust Solution Suitable for Level 2 Grid
ITSY 2430 Intrusion Detection Chapter Quiz 09 Name: __________________
ITSY 2430 Intrusion Detection Chapter Quiz 09 Name: __________________
ITSY 2430 Intrusion Detection Chapter Quiz 11 Name: __________________
ITSY 2430 Intrusion Detection Chapter Quiz 11 Name: __________________
Chapter 10 Practice Test Answers
Chapter 10 Practice Test Answers
Download
advertisement