CSC 474/574 Information Systems Security Outline • What are firewalls?
advertisement
Computer Science CSC 474/574 Information Systems Security Topic 7.4 Firewalls CSC 474/574 Dr. Peng Ning 1 Outline • What are firewalls? • Types – Filtering • Packet filtering • Session filtering – Proxy • Circuit Level • Application Level • Brief introduction to Linux firewall Computer Science CSC 474/574 Dr. Peng Ning 2 What is a firewall? • Device that provides secure connectivity between networks (internal/external; varying levels of trust) • Used to implement and enforce a security policy for communication between networks Trusted Networks Untrusted Networks & Servers Firewall Untrusted Users Internet Router Intranet DMZ Public Accessible Servers & Networks Trusted Users Computer Science CSC 474/574 Dr. Peng Ning 3 Firewalls • • • From Webster’s Dictionary: a wall constructed to prevent the spread of fire Internet firewalls are more the moat around a castle than a building firewall Controlled access point Computer Science CSC 474/574 Dr. Peng Ning 4 Firewalls can: • Restrict incoming and outgoing traffic by IP address, ports, or users • Block invalid packets Computer Science CSC 474/574 Dr. Peng Ning 5 Convenient • Give insight into traffic mix via logging • Network Address Translation • Encryption Computer Science CSC 474/574 Dr. Peng Ning 6 Firewalls Cannot Protect… • traffic that does not cross it – routing around – Internal traffic • when misconfigured Computer Science CSC 474/574 Dr. Peng Ning 7 Access Control te ora r p rk C o et w o N T!! ER ALER ALALERT!! T!! Internet DMZ Net Web Server Pool Security Requirement • Control access to network information and resources • Protect the network from attacks Computer Science CSC 474/574 Dr. Peng Ning 8 Filtering • Typically route packets • Packets checked then passed • Inbound & outbound affect when policy is checked • Client Server Computer Science CSC 474/574 Dr. Peng Ning 9 Dr. Peng Ning 10 Filtering • Packet filtering – Access Control Lists • Session filtering – – – – Dynamic Packet Filtering Stateful Inspection Smart packet filtering Context Based Access Control Computer Science CSC 474/574 Filtering • Fragmentation/reassembly • Sequence number checking • ICMP Computer Science CSC 474/574 Dr. Peng Ning 11 Packet Filtering • Decisions made on a per-packet basis • No state information saved Computer Science CSC 474/574 Dr. Peng Ning 12 Typical Configuration • Ports > 1024 left open • If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work. Computer Science CSC 474/574 Dr. Peng Ning 13 Packet Filter Applications Applications Presentations Presentations Sessions Sessions Transport Transport Network Network DataLink DataLink DataLink Physical Physical Physical Router Computer Science CSC 474/574 Dr. Peng Ning 14 Session Filtering • Packet decision made in the context of a connection • If packet is a new connection, check against security policy • If packet is part of an existing connection, match it up in the state table & update table Computer Science CSC 474/574 Dr. Peng Ning 15 Typical Configuration • All denied unless specifically allowed • Dynamic protocols (FTP, H323, RealAudio, etc.) allowed only if supported Computer Science CSC 474/574 Dr. Peng Ning 16 Session Filtering Screens ALL attempts, Protects All applications Extracts & maintains ‘state’ information Makes an intelligent security / traffic decision Applications Applications Presentations Applications Presentations Sessions Presentations Sessions Transport Sessions Transport Network Transport DataLink DataLink DataLink Physical Physical Physical Network Network Dynamic Dynamic Dynamic State Tables State StateTables Tables Computer Science CSC 474/574 Dr. Peng Ning 17 Dr. Peng Ning 18 Proxy Firewalls • Relay for connections • Client Proxy Server • Two flavors – Application level – Circuit level Computer Science CSC 474/574 Application Gateways • Understands specific applications – Limited proxies available – Proxy ‘impersonates’ both sides of connection • Resource intensive – process per connection • HTTP proxies may cache web pages Computer Science CSC 474/574 Dr. Peng Ning 19 Application Gateways • • • • More appropriate to TCP ICMP difficult Block all unless specifically allowed Must write a new proxy application to support new protocols – Not trivial! Computer Science CSC 474/574 Dr. Peng Ning 20 Application Gateways • Clients configured for proxy communication • Transparent Proxies Computer Science CSC 474/574 Dr. Peng Ning 21 Application Layer GW/proxy Telnet FTP HTTP Applications Applications Applications Presentations Presentations Presentations Sessions Sessions Sessions Transport Transport Transport Network Network Network DataLink DataLink DataLink Physical Physical Physical Application Gateway Computer Science CSC 474/574 Dr. Peng Ning 22 Circuit-Level Gateways • Support more services than Application-level Gateway – less control over data • Hard to handle protocols like FTP • Clients must be aware they are using a circutlevel proxy • Protect against fragmentation problem Computer Science CSC 474/574 Dr. Peng Ning 23 SOCKS • Circuit level Gateway • Support TCP • SOCKS v5 supports UDP, earlier versions did not • See http://www.socks.nec.com Computer Science CSC 474/574 Dr. Peng Ning 24 Comparison Service Support Performance Security Packet Filter 3 1 No dynamic w/o holes Session Filter Circuit GW App. GW 2 2 1 2 3 4 Dependent on vendor for dynamic support Typically < 20 Lower is better for security & performance Computer Science CSC 474/574 Dr. Peng Ning 25 Comparison (Cont’d) Modify Client Applications? Packet Filter No Session Filter No Circuit GW Typical, SOCKS-ify client applications App. GW Unless transparent, client application must be proxy-aware & configured Computer Science CSC 474/574 Dr. Peng Ning 26 Comparison (Cont’d) Fragmentation ICMP Packet Filter Yes No Session Filter Yes Maybe Circuit GW (SOCKS v5) Yes App. GW No Yes Computer Science CSC 474/574 Dr. Peng Ning 27 Dr. Peng Ning 28 Linux Firewall: iptables • History – – – – ipfw ipfwadm ipchains iptables • Based on the netfilter framework Computer Science CSC 474/574 The Netfilter Framework • A framework for packet mangling Kernel Kernel modules Protocol stack hooks netfilter … User space Computer Science CSC 474/574 Dr. Peng Ning 29 The Netfilter Framework (Cont’d) • Current protocols – IPv4, IPv6, and DECnet. • Five hooks for IPv4 – [1]: Pre-routing hook; [2]: Local-in hook; – [3]: Forward hook; [4]: Local-out hook; – [5]: Post-routing hook A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Computer Science CSC 474/574 Dr. Peng Ning 30 Packet Filtering A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Packet filtering only uses these three hooks Computer Science CSC 474/574 Dr. Peng Ning 31 IP Tables • A packet selection system – Direct descendent of ipchains • Used for – Packet filtering – Network Address Translation (NAT) • Masquerading, port forwarding, transparent proxying – Packet mangling • Actual changing of packet information Computer Science CSC 474/574 Dr. Peng Ning 32 User Space Tool: iptables • iptables – Command to configure and communicate with the kernel modules • iptables for packet filtering – Three chains • INPUT • OUTPUT • FORWARD Computer Science CSC 474/574 Dr. Peng Ning 33 Iptables for Packet Filtering • You need three things to configure a firewall rule – Which chain? – What packet pattern? – What action to apply? • Example – Drop all packets from 200.200.200.1 – iptables -A INPUT -s 200.200.200.1 -j DROP – Use “man iptables” on Linux to get more information. Computer Science CSC 474/574 Dr. Peng Ning 34
