Omer Shaukat Malik (2003-02-0148) LUMS Linux Utility Module for Security Syed Ali Abbas Gardezi (2003-02-0194)

OVERVIEW OF FIREWALL CONCEPTS:

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall can also serve as the last line of defense against an internal security breach, where sensitive data is being reported from within a company's network to outside parties, or as the first line of defense when the scenario is reversed.

There are several types of firewall techniques:

· Network Layer Firewalls:

Packet filter (Layer 3 firewall): Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.

A firewall is considered a first line of defense in protecting private information.
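The difference between the first two techniques above, a packet filter that must match every packet against its rules and a circuit-level gateway that checks policy only when a connection is set up, is easiest to see in code. The toy model below is an added example for this page, not code from the LUMS project (which proposed Java and C++; Python is used here for brevity). All addresses, ports and the single rule are constructed for the example.

```python
# Toy models of a stateless packet filter and a circuit-level gateway.
# The filter checks every packet against a rule list; the gateway checks the
# rules only on TCP connection setup and then tracks the connection.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set: this packet opens a connection


@dataclass(frozen=True)
class Rule:
    action: str         # "accept" or "reject"
    src: str = "*"      # "*" is a wildcard for any field
    dst: str = "*"
    proto: str = "*"
    dport: object = "*"

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(want == "*" or want == have for want, have in pairs)


def packet_filter(rules, p, default="reject"):
    """Layer-3 packet filter: first matching rule decides; every packet,
    including replies to connections we opened ourselves, must match a rule."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class CircuitGateway:
    """Checks the rules only on connection setup (TCP SYN); once a connection
    is known, packets in either direction pass without further checking."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport, proto) tuples

    def handle(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.connections or rev in self.connections:
            return "accept"
        if p.proto == "tcp" and not p.syn:
            return "reject"      # mid-stream packet of a connection we never saw
        if packet_filter(self.rules, p) == "accept":
            self.connections.add(fwd)
            return "accept"
        return "reject"


# Constructed policy: internal host 10.0.0.5 may open HTTP connections outward.
RULES = [Rule("accept", src="10.0.0.5", proto="tcp", dport=80)]


def demo():
    """Run three constructed packets through both devices; return the verdicts."""
    gw = CircuitGateway(RULES)
    outbound_syn = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, syn=True)
    reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000)
    unsolicited = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40001)
    results = {}
    for name, p in (("outbound_syn", outbound_syn), ("reply", reply),
                    ("unsolicited", unsolicited)):
        results[name] = (packet_filter(RULES, p), gw.handle(p))
    return results


if __name__ == "__main__":
    for name, (filt, gw) in demo().items():
        print(f"{name:13s} packet filter: {filt:7s} circuit gateway: {gw}")
```

The reply packet is the instructive case: the stateless filter rejects it because no rule describes return traffic, which is exactly why packet-filter rule sets are tedious to configure correctly, while the gateway accepts it from its connection table and still rejects the unsolicited packet to a port it never saw opened. Both devices trust the source address in the packet, which is the IP spoofing exposure the text mentions.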
For greater security, data can be encrypted if the attack is being carried out from the outside.

Application level firewalls provide a high level of intelligence. However, there is a tradeoff for this high functionality, in that application or gateway firewalls operate slower than stateful inspection firewalls. They also present greater complexity when adding new applications.

One important distinction about many network level firewalls is that they route traffic directly through them: they scan for source and destination information and allow or disallow packets based on that information. Network firewalls are typically used when speed is essential. Since packets are not passed to the application layer and the contents of the packet are not analyzed, packets can be processed more quickly. This is advantageous for firewalls that screen connections to web and email servers, especially ones with high amounts of traffic, because latency is your enemy when it comes to people accessing your site. This offers a layer of protection to your network without impeding connectivity. Such firewalls depend on an access control list and thus can only judge a connection on the basis of source and destination pairs, not on the contents of the packets as application level gateways do.

A general architecture of network protocols is given below. It is based on the OSI model.

SCOPE OF THE PROJECT:

Our firewall would run on the bastion host. To forward packets from the external router to our bastion host we would use the Linux application ipfwadm. Depending on how this application is configured, there are 2 possible ways in which ipfwadm will forward packets to our bastion host:
1) By modifying the IP address in the IP header. However, this way we lose the information about the original destination, so this approach is workable only where a particular application has a single destination (for example, if there is only one FTP server running on the network).

2) By putting the MAC address of our bastion host in the packet so that the packet is automatically forwarded to our machine. This way no information is lost and there is no limit on the number of servers running in the network (we might need to develop a sniffer to gather these packets).

The packet would be passed all the way up to the application layer in the bastion host, where certain necessary attributes of the packet would be appropriately logged. If a packet needs to be dropped according to the security policy, we would drop it here. Otherwise it would be forwarded appropriately. In forwarding it to the machine in the intranet we would have to resolve the IP address to the MAC address, preferably using ARP. The packet would be forwarded to the internal router, which would take control thereafter.

We would keep our security policy in a database so that it could be reused by other firewalls within the network. This would keep the application scalable.

Our application running on the bastion host would be programmed in JAVA and C++. We would also use the following libraries:

1) Libpcap
2) GTK

We would also provide the functionality to filter outbound packets. There would be 2 options for this. One of them would restrict packets from reaching a particular destination. The other would scrap the packet if its data portion contains a literal that is defined as prohibited from leaving the network.
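The bastion-host pipeline described above (decode the packet, log its attributes, consult a policy kept in a database, drop or forward, and apply the two outbound checks) can be sketched end to end. The following is an added example written for this page, not the LUMS project's code: it uses Python instead of the proposed Java/C++, an in-memory SQLite table in place of whatever database the project would choose, and constructed IPv4/TCP packets in place of frames captured with libpcap. Addresses, rule rows and prohibited literals are all constructed.

```python
# Toy bastion-host filter: parse a raw IPv4/TCP packet, log it, apply outbound
# content checks, then look the packet up in a rule table held in SQLite.
import socket
import sqlite3
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Assemble a minimal IPv4+TCP packet (checksums left at 0 in this toy)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw):
    """Decode the fields the filter needs; rejects anything but IPv4/TCP."""
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "payload": raw[ihl + data_off:total_len]}


def load_policy():
    """The policy lives in a database so other firewalls on the network can share it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (direction TEXT, src TEXT, dst TEXT, "
               "dport INTEGER, action TEXT)")
    db.execute("CREATE TABLE banned_literals (literal BLOB)")
    db.executemany("INSERT INTO rules VALUES (?, ?, ?, ?, ?)", [
        ("in", "*", "192.168.1.10", 21, "forward"),  # the intranet FTP server
        ("in", "*", "*", None, "drop"),               # nothing else comes in
        ("out", "*", "198.51.100.9", None, "drop"),   # a restricted destination
        ("out", "*", "*", None, "forward"),
    ])
    db.executemany("INSERT INTO banned_literals VALUES (?)",
                   [(b"CONFIDENTIAL",), (b"PROJECT-LUMS-SOURCE",)])
    return db


def decide(db, direction, raw, log):
    """Log the packet's attributes, then decide drop/forward for it."""
    pkt = parse_ipv4_tcp(raw)
    log.append(f"{direction} {pkt['src']}:{pkt['sport']} -> "
               f"{pkt['dst']}:{pkt['dport']} len={len(pkt['payload'])}")
    if direction == "out":   # second outbound option: prohibited literal in the data
        for (literal,) in db.execute("SELECT literal FROM banned_literals"):
            if literal in pkt["payload"]:
                log.append(f"  drop: payload contains prohibited literal {literal!r}")
                return "drop"
    row = db.execute(   # first matching rule (in insertion order) decides
        "SELECT action FROM rules WHERE direction = ? AND (src = '*' OR src = ?) "
        "AND (dst = '*' OR dst = ?) AND (dport IS NULL OR dport = ?) "
        "ORDER BY rowid LIMIT 1",
        (direction, pkt["src"], pkt["dst"], pkt["dport"])).fetchone()
    action = row[0] if row else "drop"   # no matching rule: drop by default
    log.append(f"  {action}")
    return action


def demo():
    """Five constructed packets through the filter; returns (verdicts, log)."""
    db, log = load_policy(), []
    cases = {
        "ftp_in": ("in", build_ipv4_tcp("203.0.113.7", "192.168.1.10", 51000, 21)),
        "ssh_in": ("in", build_ipv4_tcp("203.0.113.7", "192.168.1.20", 51001, 22)),
        "blocked_dst": ("out", build_ipv4_tcp("192.168.1.20", "198.51.100.9", 40000, 80)),
        "leak": ("out", build_ipv4_tcp("192.168.1.20", "203.0.113.5", 40001, 80,
                                       b"GET /?q=CONFIDENTIAL HTTP/1.0")),
        "normal_out": ("out", build_ipv4_tcp("192.168.1.20", "203.0.113.5", 40002, 80,
                                             b"GET / HTTP/1.0")),
    }
    verdicts = {name: decide(db, d, raw, log) for name, (d, raw) in cases.items()}
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = demo()
    print("\n".join(log))
```

Rule order matters: the table is read in insertion order and the first match wins, so the specific "forward to the FTP server" row must precede the catch-all "drop" row, and the restricted-destination row must precede the default "forward". The literal check runs before the rule table so that a packet headed to a permitted destination is still dropped when it carries prohibited data.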
HARDWARE REQUIRED:

2 routers (basically 2 machines, each with 2 NICs (network interface cards))
1 machine

USAGE OF HARDWARE:

One of the routers would be used as the external router. This would be connected to the external world (the Internet)(1) on one of the NICs and to the intermediate network on the other NIC. This router would forward all the data which we want to monitor to our bastion host, where we would monitor the data and forward it as appropriate. The forwarded data would in effect go through the other router. This is the screened subnet architecture.

The other machine would work as the bastion host. The bastion host sits on the internal network. The packet filtering on the screening router is set up in such a way that the bastion host is the only system on the internal network that hosts on the Internet can open connections to. The bastion host thus needs to maintain a high level of host security.

This implementation depends on the hardware availability of 2 machines with 2 NIC cards each. However, if we are able to requisition only one machine with 2 NICs, we would be forced to go for the second (much less secure) option, which is the Screened Host Architecture.

SCREENED HOST ARCHITECTURE:

Fig. Screened Host Architecture

The Screened Host is the only host on the private network that can be accessed from the Internet and usually will run proxy programs for the allowed services. The other hosts on the private network must communicate with the Internet through proxy servers located on the Screened Host. The bastion host sits on the internal network.

(1) We have codenamed the project LUMS. It's a recursive definition for LUMS Utility Module for Security.
The packet filtering configuration in the screening router may either allow other internal hosts to open connections to hosts on the Internet for certain services, or disallow all connections from internal hosts, forcing those hosts to use proxy services via the bastion host. This architecture is more flexible than that of a Dual-Homed Host with proxy services, because some secure services for which proxy software does not exist can be allowed to pass through the Screening Router directly to a host on the private network.

Screened Host Architecture: This architecture consists of the Screening Router and the Screened Host. The Screened Host Architecture provides services from a host that is attached only to the internal network, using a separate router. Packet filtering provides the primary security in this architecture: it prevents people from going around the proxy servers to make direct connections. The Screening Router is placed between the Private Network and the Internet and blocks all traffic between those two networks except traffic that originates on the Internet and goes to the Screened Host, or traffic that originates on the Screened Host and goes to the Internet. That is how the Screening Router stops all attempts to set up direct communication between a host on the private network and a host on the Internet.
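The screening rules that define the two architectures (the single screening router of the screened host design, and the external router, perimeter bastion and internal router of the screened subnet design) can be written down as rule functions and exercised against sample packets. This is an added example for this page, not project code; Python is used for brevity, and the private network, the intermediate network and both bastion addresses are constructed. A bastion's own policy decision (the previous section) is left out here so that only the routers' screening is shown.

```python
# Rule models of the screened host and screened subnet architectures.
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")       # the private network
PERIMETER = ipaddress.ip_network("192.168.100.0/24")    # the intermediate network
SCREENED_HOST = ipaddress.ip_address("192.168.1.2")     # bastion, screened host design
DMZ_BASTION = ipaddress.ip_address("192.168.100.2")     # bastion, screened subnet design


def on_internet(addr):
    return addr not in INTERNAL and addr not in PERIMETER


def screening_router(direct_services=frozenset()):
    """Screened host design: one router that passes only Internet<->screened host
    traffic, plus any listed services internal hosts may use directly."""
    def rule(src, dst, dport):
        if on_internet(src) and dst == SCREENED_HOST:
            return "pass"
        if src == SCREENED_HOST and on_internet(dst):
            return "pass"
        if src in INTERNAL and on_internet(dst) and dport in direct_services:
            return "pass"
        return "block"
    return rule


def external_router(src, dst, dport):
    """Screened subnet design: the Internet exchanges packets only with the bastion."""
    if (on_internet(src) and dst == DMZ_BASTION) or (src == DMZ_BASTION and on_internet(dst)):
        return "pass"
    return "block"


def internal_router(src, dst, dport):
    """Screened subnet design: the private network exchanges packets only with the bastion."""
    if (src == DMZ_BASTION and dst in INTERNAL) or (src in INTERNAL and dst == DMZ_BASTION):
        return "pass"
    return "block"


def direct(path, src, dst, dport):
    """One packet, unchanged, through every router on the path."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, router in path:
        if router(src, dst, dport) == "block":
            return f"blocked at {name}"
    return "delivered"


def via_bastion(src, dst, dport):
    """Screened subnet: traffic crosses in two legs with the bastion in between,
    as in the 'Packets Entering/Leaving the Network' flows."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if on_internet(src):   # entering: external router, bastion, internal router
        legs = [("external router", external_router, src, DMZ_BASTION),
                ("internal router", internal_router, DMZ_BASTION, dst)]
    else:                  # leaving: internal router, bastion, external router
        legs = [("internal router", internal_router, src, DMZ_BASTION),
                ("external router", external_router, DMZ_BASTION, dst)]
    for name, router, s, d in legs:
        if router(s, d, dport) == "block":
            return f"blocked at {name}"
    return "delivered via bastion"


def demo():
    """Constructed packets against both architectures; returns a name->verdict map."""
    sh = [("screening router", screening_router())]
    sh_dns = [("screening router", screening_router({53}))]   # DNS allowed directly
    ss = [("external router", external_router), ("internal router", internal_router)]
    return {
        "sh_internet_to_bastion": direct(sh, "203.0.113.7", "192.168.1.2", 21),
        "sh_internet_to_internal": direct(sh, "203.0.113.7", "192.168.1.20", 22),
        "sh_internal_out_direct": direct(sh, "192.168.1.20", "203.0.113.7", 80),
        "sh_internal_out_dns": direct(sh_dns, "192.168.1.20", "203.0.113.7", 53),
        "ss_internet_to_internal_direct": direct(ss, "203.0.113.7", "192.168.1.20", 22),
        "ss_internet_in_via_bastion": via_bastion("203.0.113.7", "192.168.1.10", 21),
        "ss_internal_out_via_bastion": via_bastion("192.168.1.20", "203.0.113.7", 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The screened subnet cases show why the text calls it the more secure option: a packet from the Internet addressed to an internal host never gets past the external router, and the only path inward is the two-leg relay through the bastion, which applies its own policy between the legs. In the screened host design the same block is enforced by a single router, and the per-service exception (DNS here) is the flexibility the text describes, at the cost of a direct path into the private network for that service.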
WORK BREAKDOWN STRUCTURE:

Schedule milestones: Dec 23, Jan 10, Jan 20, Jan 30, Feb 7.

Developing Project Plan: Omer
Research and Data Collection: Omer/Ali
Project Management & Scheduling: Omer
Risk Mitigation Plan: Omer
Environment Setup: Ali
Software Integration/Development: Ali
Preliminary Implementation: Omer/Ali
Testing/Debugging: Omer/Ali
Result Analysis: Omer/Ali
Final Report/Demonstration: Omer/Ali

Fig. Packets Leaving the Network: Source within the local network -> Internal router -> Bastion Host -> External router -> Destination (Internet)

Fig. Packets Entering the Network: Source (Internet) -> External router -> Bastion Host -> Internal router -> Destination within the local network (if it is approved according to the rules)