Firewalls

firewall: isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

(Figure: public Internet | firewall | administered network)

Network Security 7-1
Firewalls: Why

Prevent denial-of-service attacks:
  • Denial-of-Service (DoS) attack:
    • Send many fake requests to congest the link or consume server resources (CPU, memory).
  • SYN flooding:
    • The attacker sends many SYNs to the victim; the victim has to allocate connection resources and has none left for real connection requests.
    • Usually sent with a spoofed source IP address.
Prevent illegal modification/access of internal data.
  • e.g., an attacker replaces the CIA's homepage with something else.
Firewalls: Why

Allow only authorized access to the inside network:
  • Set of authenticated users
  • Set of authorized IP addresses
Two types of firewalls:
  • application-level
    • Checks application-level data
  • packet-filtering
    • Checks TCP or IP packets only
Packet Filtering

(Figure: should an arriving packet be allowed in? Should a departing packet be let out?)
  • The internal network is connected to the Internet via a router firewall.
  • The router filters packet-by-packet; the decision to forward/drop a packet is based on:
    • source IP address, destination IP address
    • TCP/UDP source and destination port numbers
    • ICMP message type
    • TCP SYN and ACK bits
Packet Filtering

  • Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23.
    • All incoming and outgoing UDP flows and telnet connections are blocked.
  • Example 2: block inbound TCP segments with SYN=1.
    • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
(Figure: example of the Windows XP Service Pack 2 firewall, Control Panel > Security Center > Windows Firewall)
Stateless packet filtering: more examples

Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80 or 443.

Policy: No incoming TCP connections, except those for the institution's public Web server, 130.207.244.203 only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 or 443.

Policy: Prevent Web radios (UDP based) from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.

Policy: Prevent your network from being used for a smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g., 130.207.255.255).

Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP TTL-expired traffic.
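The five rows of the table above, as an added example (not code from the slides): a small stateless packet filter in Python that applies them in order to constructed packets. The Web server and broadcast addresses are the table's; that DNS is recognised by port 53, that router broadcasts go to the broadcast address, and the ICMP type numbers are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

WEB_SERVER = ip_address("130.207.244.203")  # institution's public Web server (from the table)
BROADCAST = ip_address("130.207.255.255")   # site broadcast address (from the table)

@dataclass
class Packet:
    direction: str        # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN bit set: this packet opens a connection
    icmp_type: int = -1   # ICMP type; 11 = time exceeded (TTL expired), 8 = echo request

def filter_decision(p: Packet) -> str:
    """Apply the table's five rules in order; return 'ACCEPT' or 'DROP: <reason>'."""
    dst = ip_address(p.dst)
    if p.direction == "out" and p.proto == "tcp" and p.dport in (80, 443):
        return "DROP: outgoing Web access"                       # row 1
    if p.direction == "in" and p.proto == "tcp" and p.syn:
        if not (dst == WEB_SERVER and p.dport in (80, 443)):
            return "DROP: inbound TCP SYN not for public Web server"   # row 2
    if p.direction == "in" and p.proto == "udp":
        is_dns = 53 in (p.sport, p.dport)                        # assumption: DNS means port 53
        if not (is_dns or dst == BROADCAST):                     # router broadcasts go to BROADCAST
            return "DROP: inbound UDP (Web radio policy)"        # row 3
    if p.proto == "icmp" and dst == BROADCAST:
        return "DROP: ICMP to broadcast address (smurf)"         # row 4
    if p.direction == "out" and p.proto == "icmp" and p.icmp_type == 11:
        return "DROP: outgoing ICMP TTL expired (traceroute)"    # row 5
    return "ACCEPT"

# Constructed sample packets: one per policy row plus legitimate traffic that must pass.
SAMPLES = {
    "lan host browsing out": Packet("out", "tcp", "130.207.1.5", "93.184.216.34", 40000, 443, syn=True),
    "client to public web server": Packet("in", "tcp", "198.51.100.7", "130.207.244.203", 40001, 80, syn=True),
    "client to internal ssh": Packet("in", "tcp", "198.51.100.7", "130.207.1.9", 40002, 22, syn=True),
    "web radio stream": Packet("in", "udp", "198.51.100.9", "130.207.1.5", 9999, 6970),
    "dns reply": Packet("in", "udp", "8.8.8.8", "130.207.1.5", 53, 33000),
    "smurf probe": Packet("in", "icmp", "198.51.100.7", "130.207.255.255", icmp_type=8),
    "traceroute reply": Packet("out", "icmp", "130.207.3.1", "198.51.100.7", icmp_type=11),
}

def run_samples() -> dict:
    """Decision for every sample packet, keyed by its description."""
    return {name: filter_decision(p) for name, p in SAMPLES.items()}
```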
A Real Example: Lab setup when I was a PhD student

(Figure: DMZ)
  • Gateway: a cheap Linux machine running iptables
  • Web server: Linux machine running the Apache web server
  • Main server: Linux machine running SSH and Sendmail (SMTP and IMAPS)
  • Allow a specific machine outside to print to the main server's printer
DMZ

Traffic Allowance Policy:
  • (1) Internet ==> LAN: to the Main Server only: SSH, SMTP, IMAP+SSL, and LPD requests from a trusted IP.
  • (2) Internet ==> DMZ Web Server: SSH, Web requests.
  • (3) Internet ==> Gateway: SSH only (for admin).
  • (4) DMZ Web Server ==> LAN, Internet: SSH to the Internet and only to the Main Server in the LAN; DNS requests; WWW/FTP requests to the Internet.
  • (5) LAN ==> Internet, DMZ Web Server: SSH, DNS, WWW/FTP, SMTP, RealPlay.
DMZ

  • HTTP forwarding from the Internet to the DMZ web server (port 80)

    # $EXT_IP: the gateway's public address (the slide wrote "$out.IP", which the shell would not expand as intended);
    # $eth2: the DMZ-side interface; $UNPRIVPORTS: the client port range, normally 1024:65535
    iptables -t nat -A PREROUTING -p tcp --sport $UNPRIVPORTS -d $EXT_IP --dport 80 -j DNAT --to-destination $DMZ_SERVER
    iptables -A FORWARD -o $eth2 -p tcp --sport $UNPRIVPORTS -d $DMZ_SERVER --dport 80 -m state --state NEW -j ACCEPT

  • SMTP from the internal mail server to an external mail server

    iptables -A FORWARD -i $eth1 -o $eth0 -p tcp -s $LAN_MAINSERVER --sport $UNPRIVPORTS --dport 25 -m state --state NEW -j ACCEPT

  • Allow Telnet to the outside from the LAN

    iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p tcp --sport $UNPRIVPORTS --dport 23 -m state --state NEW -j ACCEPT

    # These rules accept only the first packet of each connection (--state NEW); the replies rely on a
    # separate FORWARD rule accepting ESTABLISHED,RELATED traffic.
Application gateways

  • Filters packets on application data as well as on IP/TCP/UDP fields.
  • Example: allow select internal users to telnet outside.
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter)
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.
  • Example: block user access to known porn websites.
    • Check if the Web URL is in a "black-list".
Limitations of firewalls and gateways

  • IP spoofing: the router can't know if data "really" comes from the claimed source
    • SYN flood attack
    • UDP traffic
  • Client software must know how to contact the application gateway.
    • e.g., must set the IP address of the proxy in the Web browser
  • Speed constraint on high-bandwidth links
    • Application-level firewalling is time consuming
  • Filters often use an all-or-nothing policy for UDP
    • Usually most incoming UDP ports are blocked
    • This causes trouble for real-time Internet video
Limitations of firewalls and gateways

  • Tradeoff: degree of communication with the outside world vs. level of security
  • Trend: remote offices blur the boundary between inside and outside
  • Employee laptop threat
  • Many highly protected sites still suffer from attacks
Internet security threats

Mapping:
  • Before attacking, "case the joint": find out what services are implemented on the network
  • Use ping to determine which hosts have addresses on the network
  • Port scanning: try to establish a TCP connection to each port in sequence (see what happens)
  • nmap (http://www.insecure.org/nmap/) mapper: "network exploration and security auditing"
Countermeasures?
Internet security threats

Mapping: countermeasures
  • Record traffic entering the network
  • Look for suspicious activity (IP addresses, ports being scanned sequentially)
  • Firewall to block incoming TCP SYNs to ports or computers not providing the services
  • Block ping traffic
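Looking for sequentially scanned ports in recorded traffic, as an added example (not code from the slides): a Python detector run over a handful of constructed iptables-style log lines. The log format, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (iptables LOG style) recording inbound TCP SYNs at the gateway.
SAMPLE_LOG = """\
Oct 12 10:01:01 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43211 DPT=21 SYN
Oct 12 10:01:01 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43212 DPT=22 SYN
Oct 12 10:01:01 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43213 DPT=23 SYN
Oct 12 10:01:02 gw kernel: IN=eth0 SRC=203.0.113.8 DST=130.207.244.203 PROTO=TCP SPT=51000 DPT=80 SYN
Oct 12 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43214 DPT=24 SYN
Oct 12 10:01:02 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43215 DPT=25 SYN
Oct 12 10:01:03 gw kernel: IN=eth0 SRC=203.0.113.8 DST=130.207.244.203 PROTO=TCP SPT=51001 DPT=443 SYN
Oct 12 10:01:03 gw kernel: IN=eth0 SRC=198.51.100.23 DST=130.207.1.10 PROTO=TCP SPT=43216 DPT=80 SYN
"""

SYN_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) SYN")

def parse_syns(log):
    """Yield (src, dst, dport) for every inbound TCP SYN found in the log."""
    for line in log.splitlines():
        m = SYN_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))

def longest_sequential_run(ports):
    """Length of the longest run of ports that increase by exactly 1 in arrival order."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_port_scans(log, min_distinct=5, min_run=4):
    """Map each suspicious source to (distinct ports probed, longest sequential run)."""
    probes = defaultdict(list)
    for src, _dst, dport in parse_syns(log):
        probes[src].append(dport)
    suspects = {}
    for src, ports in probes.items():
        distinct, run = len(set(ports)), longest_sequential_run(ports)
        if distinct >= min_distinct or run >= min_run:   # many ports, or a walk through consecutive ports
            suspects[src] = (distinct, run)
    return suspects
```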
Internet security threats

Packet sniffing:
  • Broadcast media
  • A promiscuous NIC reads all packets passing by
  • Can read all unencrypted data (e.g., passwords)
  • e.g.: C sniffs B's packets
(Figure: hosts A, B and C on a shared segment; packet src:B dest:A, payload)
Countermeasures?
Internet security threats

Packet sniffing: countermeasures
  • All hosts in the organization run software that periodically checks whether the host interface is in promiscuous mode.
  • One host per segment of broadcast media (switched Ethernet at the hub)
(Figure: hosts A, B and C; packet src:B dest:A, payload)
Internet security threats

IP Spoofing:
  • Can generate "raw" IP packets directly from an application, putting any value into the IP source address field
  • The receiver can't tell if the source is spoofed
  • e.g.: C pretends to be B
(Figure: hosts A, B and C; packet src:B dest:A, payload, sent by C)
Countermeasures?
Internet security threats

IP Spoofing: egress filtering
  • Routers should not forward outgoing packets with invalid source addresses (e.g., a datagram source address not in the router's network)
  • Great, but egress filtering cannot be mandated for all networks
(Figure: hosts A, B and C; packet src:B dest:A, payload)
Internet security threats

Denial of service (DoS):
  • A flood of maliciously generated packets "swamps" the receiver
  • Distributed DoS (DDoS): multiple coordinated sources swamp the receiver
  • e.g., C and a remote host SYN-attack A
(Figure: hosts C and B each send a stream of SYNs to A)
Countermeasures?
Internet security threats

Denial of service (DoS): countermeasures
  • Filter out flooded packets (e.g., SYNs) before they reach the host
    • Cooperation with source routers
    • Detect spoofed SYNs based on TTL values
  • Traceback to the source of the floods (most likely an innocent, compromised machine)
(Figure: hosts C and B each send a stream of SYNs to A)
Pretty good privacy (PGP)

  • Internet e-mail encryption scheme, de-facto standard.
  • Uses symmetric key cryptography, public key cryptography, hash functions, and digital signatures as described.
  • Provides secrecy, sender authentication, integrity.
  • Inventor, Phil Zimmermann, was the target of a 3-year federal investigation.
A PGP signed message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob: My husband is out of town tonight. Passionately yours, Alice

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ
hFEvZP9t6n7G6m5Gw2
-----END PGP SIGNATURE-----
Secure sockets layer (SSL)

  • Provides transport layer security to any TCP-based application using SSL services.
    • e.g., between Web browsers and servers for e-commerce (shttp)
  • Security services:
    • server authentication, data encryption, client authentication (optional)
(Figure: left, Application over TCP over IP through a TCP socket; right, Application over an SSL sublayer over TCP over IP, through an SSL socket and the TCP API: "TCP enhanced with SSL")
Secure sockets layer (SSL)

  • Transport layer security to any TCP-based app using SSL services.
  • Used between Web browsers and servers for e-commerce (shttp).
  • Security services:
    • server authentication
    • data encryption
    • client authentication (optional)
  • Server authentication:
    • An SSL-enabled browser includes public keys for trusted CAs.
    • The browser requests the server certificate, issued by a trusted CA.
    • The browser uses the CA's public key to extract the server's public key from the certificate.
    • Check your browser's security menu to see its trusted CAs.
SSL (continued)

Encrypted SSL session:
  • The browser generates a symmetric session key, encrypts it with the server's public key, and sends the encrypted key to the server.
  • Using its private key, the server decrypts the session key.
  • Browser and server now know the session key.
    • All data sent into the TCP socket (by client or server) is encrypted with the session key.
  • SSL: basis of IETF Transport Layer Security (TLS).
  • SSL can be used for non-Web applications, e.g., IMAP.
  • Client authentication can be done with client certificates.
    • Not widely used, since there are too many clients.
SSL: three phases

1. Handshake:
  • Bob establishes a TCP connection to Alice
  • Authenticates Alice via a CA-signed certificate
  • Creates, encrypts (using Alice's public key), and sends the master secret key to Alice
    • nonce exchange not shown
(Figure: Bob creates the Master Secret (MS) and sends it encrypted; Alice decrypts using KA to get MS)
SSL: three phases

2. Key Derivation:
  • Alice and Bob use the shared secret (MS) to generate 4 keys:
    • EB: Bob->Alice data encryption key
    • EA: Alice->Bob data encryption key
    • MB: Bob->Alice MAC key (message authentication code)
    • MA: Alice->Bob MAC key
  • Encryption and MAC algorithms are negotiable between Bob and Alice
  • Why 4 keys?
    • Different keys for each sender
    • Different keys for encryption and integrity checking
SSL: three phases

3. Data transfer
(Figure: the TCP byte stream is blocked n bytes at a time, b1 b2 b3 ... bn, into a block d; the MAC H(d) is computed with the MAC key MB over d and the SSL sequence number; d, the MAC and the SSL sequence number are then encrypted using EB. SSL record format: Type, Ver, Len unencrypted, followed by d and H(d) encrypted using EB. Why the SSL sequence number?)
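Phases 2 and 3 together, as an added example that is not from the slides: Python code that derives EB, EA, MB and MA from a master secret and builds records whose MAC covers the SSL sequence number, so a replayed or reordered record fails verification, which is the answer to "why the sequence number?". The HMAC-SHA256 labelling used for derivation is a simplification of SSL's real key expansion, and the encryption of d and H(d) under EB is omitted so the MAC and sequence logic stand alone.

```python
import hashlib, hmac, struct

def derive_keys(master_secret: bytes) -> dict:
    """Four keys from MS: one per (direction, purpose). Simplified HMAC labelling, not the SSL PRF."""
    labels = {"EB": b"Bob->Alice encryption", "EA": b"Alice->Bob encryption",
              "MB": b"Bob->Alice MAC", "MA": b"Alice->Bob MAC"}
    return {name: hmac.new(master_secret, label, hashlib.sha256).digest()
            for name, label in labels.items()}

def record_mac(mac_key: bytes, seq: int, rtype: int, version: int, data: bytes) -> bytes:
    """H(d) from the figure: the MAC covers the implicit sequence number, the record header and d."""
    header = struct.pack("!QBHH", seq, rtype, version, len(data))
    return hmac.new(mac_key, header + data, hashlib.sha256).digest()

class Sender:
    """Bob's side: builds (Type, Ver, d, H(d)) records with a per-connection counter."""
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def send(self, data: bytes, rtype: int = 23, version: int = 0x0300) -> tuple:
        record = (rtype, version, data, record_mac(self.mac_key, self.seq, rtype, version, data))
        self.seq += 1  # the counter is never transmitted; both ends track it
        return record

class Receiver:
    """Alice's side: accepts a record only if its MAC matches under the expected counter."""
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def receive(self, record: tuple):
        rtype, version, data, tag = record
        expected = record_mac(self.mac_key, self.seq, rtype, version, data)
        if not hmac.compare_digest(expected, tag):
            return None  # forged, replayed or out-of-order record
        self.seq += 1
        return data

def demo() -> tuple:
    """Bob sends two records; Alice accepts each once and rejects a replay of the first."""
    keys = derive_keys(b"constructed master secret")  # constructed MS, not a real handshake output
    bob, alice = Sender(keys["MB"]), Receiver(keys["MB"])
    r1, r2 = bob.send(b"hello"), bob.send(b"world")
    return alice.receive(r1), alice.receive(r1), alice.receive(r2)
```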
IPsec: Network Layer Security

  • Network-layer secrecy: the sending host encrypts the data in the IP datagram
    • TCP and UDP segments; ICMP and SNMP messages.
  • Network-layer authentication
    • The destination host can authenticate the source IP address
  • Two principal protocols:
    • Authentication Header (AH) protocol
    • Encapsulation Security Payload (ESP) protocol
  • For both AH and ESP, source and destination handshake:
    • Create a network-layer logical channel called a security association (SA)
  • Each SA is unidirectional.
  • Uniquely determined by:
    • security protocol (AH or ESP)
    • source IP address
    • 32-bit connection ID
Authentication Header (AH) Protocol

  • Provides source authentication and data integrity, no confidentiality
  • The AH header is inserted between the IP header and the data field.
  • Protocol field: 51
  • Intermediate routers process datagrams as usual
(Figure: IP header | AH header | data (e.g., TCP, UDP segment))
AH header includes:
  • Connection identifier
  • Authentication data: source-signed message digest calculated over the original IP datagram.
  • Next header field: specifies the type of data (e.g., TCP, UDP, ICMP)