Firewalls
Dan Fleck
CS 469: Security Engineering
Slides modified with permission from original by Arun Sood
References
1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, p 24 – 29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, p 62 – 67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, p 50 – 57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, p 112 – 113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.
Firewall as Network Access Control
• Access Control
  – Authentication
  – Authorization
  – Single Sign On
• Firewall
  – Interface between networks
  – Usually external (internet) and internal
  – Allows traffic flow in both directions
Firewall
[Figure: Internet – firewall – Internal network]
• Interface between networks
• Usually external (internet) and internal
  – Allows traffic flow in both directions
  – Controls the traffic
Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
  – First contact the secretary
  – Secretary decides if meeting is reasonable
  – Secretary filters out many requests
• You want to meet chair of CS department?
  – Secretary does some filtering
• You want to meet President of US?
  – Secretary does lots of filtering!
[1]
Security Strategies
• Least privilege
  – Objects have the lowest privilege to perform assigned task
• Defense in depth
  – Use multiple mechanisms
  – Best if each is independent: minimal overlap
• Choke point
  – Facilitates monitoring and control
[2]
Security Strategies - 2
• Weakest link
• Fail-safe
  – If firewall fails, it should go to fail-safe that denies access to avoid intrusions
• Default deny
• Default permit
• Universal participation
  – Everyone has to accept the rules
[2]
Security Strategies - 3
• Diversity of defense
  – Inherent weaknesses
  – Multiple technologies to compensate for inherent weakness of one technology
  – Common heritage: if systems configured by the same person, may have the same weakness
• Simplicity
• Security through obscurity
[2]
Security Strategies - 4
• Configuration errors can be devastating
• Testing is not perfect
• Ongoing trial and error will identify weaknesses
• Enforcing a sound policy is critical
[2]
Types of Firewall
No Standard Terminology
• Packet Filtering (network layer)
  – Simplest firewall
  – Filter packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
  – Does NOT read the packet payload
  – Vulnerable to IP spoofing
• Stateful inspection (transport layer)
  – In addition to packet inspection
  – Validate attributes of multi-packet flows
  – Keeps track of connection state (e.g. TCP streams, active connections, etc…)
[2]
Types of Firewall - 2
• Application Based Firewall (application layer)
  – Allows data into/out of a process based on that process’ type
  – Can act on a single computer or at the network layer
  – e.g. allowing only HTTP traffic to a website
  – Log access – attempted access and allowed access
• Personal firewall – single user, home network
[2]
Types of Firewall - 3
• Proxy
  – Intermediate connection between servers on internet and internal servers.
  – For incoming data: proxy is server to internal network clients
  – For outgoing data: proxy is client sending out data to the internet
  – No IP packets pass through firewall. Firewall creates new packets.
  – Very secure
  – Less efficient versus packet filters
[2]
Types of Firewall - 4
• Network Address Translation
  – Hides internal network from external network
  – Private IP addresses – expands the IP address space
  – Creates a choke point
• Virtual Private Network
  – Employs encryption and integrity protection
  – Use internet as part of a private network
  – Make remote computer “act like” it is on local network
[2]
Packet Filter
• Advantages
  – Simplest firewall architecture
  – Works at the Network layer – applies to all systems
  – One firewall for the entire network
• Disadvantages
  – Can be compromised by many attacks
  – Source spoofing
Packet Filter - Example
[The rule tables and example packets on these slides are not reproduced in the extracted text; only the commentary survives.]
• Attack succeeds because of rules B and D
• More secure to add source ports to rules
• These packets would be admitted. To avoid this add an ACK bit to the rule set
• Attack fails, because the ACK bit is not set. ACK bit is set if the connection originated from inside.
• Incoming TCP packets must have ACK bit set. If this started outside, then no matching data, and packet will be rejected.
• Note: This rule means we allow no services other than requests that we originate.
[2]
TCP Ack for Port Scanning
• Attacker sends packet with ACK set (without prior handshake) using port p
  – Violation of TCP/IP protocol
• Packet filter firewall passes packet
  – Firewall considers it part of an ongoing connection
• Receiver sends RST
  – Indicates to the sender that the connection should be terminated
• Receiving RST indicates that port p is open!!
[1]

TCP Ack Port Scan
[Figure: ACK-only probe to port 1209 passes the packet filter; the internal host answers with RST]
• RST confirms that port 1209 is open
• Problem: packet filtering is stateless; the firewall should track the entire connection exchange
[1]
Stateful Packet Filter
[Figure: protocol stack – application, transport, network, link, physical – with the stateful packet filter operating at the transport layer]
• Adds state info to the packet filter firewalls.
• Remembers packets in the TCP connections (and flag bits)
• Operates at the transport layer.
• Pro: Adds state to packet filter and keeps track of ongoing connection
• Con: Slower, more overhead. Packet content info not used
[1]
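As an added example (not part of the slides), the following Python model contrasts the stateless "incoming TCP must have the ACK bit set" rule from the packet filter example with a connection-tracking filter, and replays the ACK-bit port scan from the previous two slides against both. The rule set, the addresses and the port numbers are constructed for the demo; the only thing taken from the slides is port 1209 as the probed port.

```python
# Added example, not from the slides: a toy first-match packet filter
# that contrasts the stateless "ACK bit must be set" rule with connection
# tracking. Addresses, ports and rules below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> internal network, "out" = the reverse
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flag names that are set, e.g. {"SYN"}, {"ACK"}


def stateless_filter(pkt):
    """Stateless rule set in the spirit of the slides: let anything out,
    let TCP in only if ACK is set (i.e. it looks like a reply to a
    connection we opened), and deny everything else (default deny)."""
    rules = [
        (lambda p: p.direction == "out", "ACCEPT"),
        (lambda p: p.direction == "in" and "ACK" in p.flags, "ACCEPT"),
    ]
    for matches, verdict in rules:      # first matching rule wins
        if matches(pkt):
            return verdict
    return "DROP"                        # final rule: deny all


class StatefulFilter:
    """Connection-tracking variant: remembers connections opened from the
    inside and admits an inbound packet only if it belongs to one of them."""

    def __init__(self):
        self.connections = set()   # (inside host, inside port, outside host, outside port)

    def decide(self, pkt):
        if pkt.direction == "out":
            # A plain SYN leaving the network opens a new tracked connection.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return "DROP"              # flag bits alone do not make it a reply
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.connections.discard(key)   # connection is being torn down
        return "ACCEPT"


def ack_scan_demo():
    """Replay a legitimate session, an outside connection attempt and the
    ACK-only probe against both filters. Returns {case: (stateless, stateful)}."""
    inside, web, trudy = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # constructed
    sf = StatefulFilter()
    results = {}
    # 1. Inside host opens a web session; the SYN/ACK reply must be admitted.
    syn_out = Packet("out", inside, 40000, web, 80, frozenset({"SYN"}))
    synack_in = Packet("in", web, 80, inside, 40000, frozenset({"SYN", "ACK"}))
    results["session_syn_out"] = (stateless_filter(syn_out), sf.decide(syn_out))
    results["session_synack_in"] = (stateless_filter(synack_in), sf.decide(synack_in))
    # 2. Unsolicited SYN from outside: both filters deny it (no ACK, no state).
    syn_in = Packet("in", trudy, 5555, inside, 80, frozenset({"SYN"}))
    results["outside_syn"] = (stateless_filter(syn_in), sf.decide(syn_in))
    # 3. ACK-only probe to port 1209 with no prior handshake: the stateless
    #    rule passes it (and the host's RST reveals the port); tracking drops it.
    probe = Packet("in", trudy, 5555, inside, 1209, frozenset({"ACK"}))
    results["ack_probe_1209"] = (stateless_filter(probe), sf.decide(probe))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in ack_scan_demo().items():
        print(f"{case:20s} stateless={stateless:6s} stateful={stateful}")
```

The point the table makes when run: the legitimate session and the outside SYN get the same verdict from both filters, but the forged ACK probe is the one case where the stateless rule says ACCEPT and the tracking filter says DROP, which is exactly the gap the ACK port scan exploits.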
Application Proxy
• A proxy acts on behalf of the system being protected.
• Application proxy examines incoming app data – verifies that data is safe before passing it to the system.
• Pros
  – Complete view of the connections and app data
  – Filter bad data (viruses, Word macros)
  – Incoming packet is terminated and new packet is sent to internal network
• Con
  – Speed
[1]
Firewalk – Port Scanning
• Scan ports through firewalls
• Requires knowledge of
  – IP address of firewall
  – IP address of one system in internal network
  – Number of hops to the firewall
• Set TTL (time to live) = Hops to firewall + 1
• Set destination port to be p
  – If firewall does not pass data for port p, then no response
  – If data passes thru firewall on port p, then time exceeded error message
Let's try it: Applications -> Utilities -> Network Utility
[1]
Firewalk and Proxy Firewall
[Figure: Trudy sends packets with dest port 12343, 12344, 12345 and TTL=4 through two routers and a packet filter towards a third router; a "Time exceeded" message comes back]
• Attack would be stopped by proxy firewall
  – Incoming packet destroyed (old TTL value also destroyed)
  – New outgoing packet will not exceed TTL.
[1]
Firewalls and Defense in Depth
• Example security architecture
[Figure: Internet – Packet Filter – DMZ (WWW server, FTP server, DNS server) – Application Proxy – Intranet with Personal Firewalls]
[1]
Research: Firewall Policy Verification
• Firewall design: consistency, completeness, and compactness
• Lesson: Practical firewalls have complex rulesets. They are hard to get right. Research is in place to help validate the configuration for errors
• Let's see some simple ones
• Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Proceedings of the 24th International Conference on Distributed Computing Systems, pp. 320–327, 2004
Let's do some examples
iptables is a common tool to build firewalls
Well supported in Linux:
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  -A: append to list of rules
  -p: match protocol tcp
  --dport 22: match destination port 22 (ssh)
  -j ACCEPT: if rule matches, ACCEPT the packet.
1st matching rule wins… order matters!
Final rule typically rejects anything that doesn’t match: security says deny all, and only allow in who you want.
iptables - chains
• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # This allows SSH TO THE FIREWALL BOX!
• INPUT – anything with a destination of the firewall box
• OUTPUT – anything with a source of the firewall box
• FORWARD – anything going through the firewall box (neither source nor dest is the firewall box)
iptables – matching rules
Jump targets – what to do upon match?
  -j ACCEPT – allow it
  -j REJECT – send a rejection message
  -j DROP – drop it, don’t send any message
  -j logaccept, logdrop, logreject
  (there are others)
Protocol matching rules
  -p tcp, udp, icmp, all (0 means all)
Port matching rules
  --dport destination port
  --sport source port
iptables – more rules
Physical device interface:
  -i vlan0 # Packets coming in on that physical interface
  -o eth1 # packets going out on that physical interface
  -i only valid for INPUT, FORWARD chain
  -o only valid for OUTPUT, FORWARD chain
  (Note: Specific interface names differ by hardware)
Time-based limiting:
  --limit 5/minute (rule matches a maximum of 5 times per minute; /second, /hour, /day etc. also work)
Syn-flood protection:
  iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables - examples
• Let's stop all http access
• Let's allow www.gmu.edu through (but only GMU!)
  – --destination www.gmu.edu
• Let's allow only my IP to get to HTTP
  – --source 192.168.3.10
• Let's stop ping
iptables – more rules
State matching:
  -m state --state ESTABLISHED,RELATED
NEW - A packet which creates a new connection.
ESTABLISHED - A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).
RELATED - A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.
INVALID - A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.
iptables – more rules
TCP bit matching:
  --tcp-flags <string 1> <string 2>
  string 1 = the set of bits to look at
  string 2 = the subset of string 1 which should be ones
  iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
Above command says look at all the bits (‘ALL’ is synonymous with ‘SYN,ACK,FIN,RST,URG,PSH’) and verify that only the SYN and ACK bits are set.
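The following Python model is added here and is not part of the slides. It reproduces the semantics of two iptables matches used in this section: `--tcp-flags MASK COMP` as explained on the slide above (including the `--syn` shorthand, which the iptables man page defines as `--tcp-flags SYN,RST,ACK,FIN SYN`), and the `-m limit` match behind the syn-flood rule, which is a token bucket that starts with `--limit-burst` tokens (iptables default 5) and refills at the stated rate. The flag names and the default burst are from the iptables man page; the packet timings in `syn_flood_demo` are constructed, and it assumes the limit rule is followed by a final deny rule, as the deck recommends.

```python
# Added example, not from the slides: Python models of the iptables matches
# "--tcp-flags MASK COMP" and "-m limit --limit RATE --limit-burst N".
# Flag names, the ALL/NONE shorthands and the default burst of 5 follow the
# iptables man page; the packet timings in syn_flood_demo are constructed.
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "URG", "PSH")


def parse_flag_list(spec):
    """'ALL' and 'NONE' are iptables shorthands; otherwise a comma list."""
    if spec == "ALL":
        return frozenset(TCP_FLAGS)
    if spec == "NONE":
        return frozenset()
    names = [n.strip() for n in spec.split(",") if n.strip()]
    unknown = set(names) - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return frozenset(names)


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: of the bits named in MASK, exactly those named
    in COMP must be set; bits outside MASK are ignored."""
    mask_set, comp_set = parse_flag_list(mask), parse_flag_list(comp)
    if not comp_set <= mask_set:
        raise ValueError("COMP must be a subset of MASK")
    return (frozenset(packet_flags) & mask_set) == comp_set


def is_syn(packet_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")


class LimitMatch:
    """-m limit: a token bucket holding at most `burst` tokens (iptables
    default 5) that refills at `rate` per `unit`; each match spends one."""
    UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

    def __init__(self, rate, unit="second", burst=5):
        self.refill_per_second = rate / self.UNIT_SECONDS[unit]
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full
        self.last_time = 0.0

    def match(self, now):
        elapsed = now - self.last_time
        self.tokens = min(self.burst, self.tokens + elapsed * self.refill_per_second)
        self.last_time = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_demo(arrival_times=None):
    """Chain: '-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT' followed
    by a final deny. Returns the verdict for each inbound SYN, in order."""
    if arrival_times is None:
        # constructed: ten SYNs at t=0, then three more three seconds later
        arrival_times = [0.0] * 10 + [3.0, 3.0, 3.0]
    limit = LimitMatch(rate=1, unit="second", burst=5)
    verdicts = []
    for t in arrival_times:
        flags = {"SYN"}
        # iptables evaluates matches left to right, so the limit bucket is
        # only charged for packets that already matched -p tcp --syn.
        if is_syn(flags) and limit.match(t):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")     # falls through to the final deny rule
    return verdicts


if __name__ == "__main__":
    print(tcp_flags_match({"SYN", "ACK"}, "ALL", "SYN,ACK"))          # matches the DROP rule
    print(tcp_flags_match({"SYN", "ACK", "PSH"}, "ALL", "SYN,ACK"))   # PSH also set: no match
    print(syn_flood_demo())
```

Two things worth noticing when running it: `ALL SYN,ACK` matches a packet with exactly SYN and ACK set and nothing else, so a SYN/ACK that also carries PSH slips past that particular rule; and the limit rule on its own accepts the first five SYNs of a burst immediately and then one per second, so it only throttles anything because the packets it does not accept fall through to the deny rule at the end of the chain.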
iptables - Tunneling
• In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.
• We really use SSH tunnels:
  ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost
• However if everyone needed to use it we could use a firewall based tunnel:
  iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22
Would a GUI help?
Lessons
• There are many firewall types
• Each provides a different level of security versus performance
• Multiple firewalls can be used to segment networks into security zones
• iptables is a powerful example of how to create/manage firewalls
End of presentation