Firewalls Ingress Filtering Ingress Filtering

advertisement
Firewalls
Network Security
• Access lists
• Ingress filtering
• Egress filtering
Firewalls
• NAT
2
Drivers of Performance
RequirementsTraffic Volume and
Complexity of Filtering
Complexity
of Filtering:
Number of
Filtering
Rules,
Complexity
Of rules, etc.
Static IP Packet Filter Firewall
Corporate Network
Permit
(Pass)
Performance
Requirements
Deny
(Drop)
Log
File
Traffic Volume (Packets per Second)
Static
Packet
Filter
Firewall
The Internet
IP-H
TCP-H Application Message
IP-H
UDP-H Application Message
IP-H
ICMP Message
Arriving Packets
Examined One at a Time, in Isolation
Only IP, TCP, UDP
and ICMP Headers Examined
3
4
Ingress Filtering
Ingress Filtering
• Deny Known Fallacious Source Addresses
• Prevent attack packets from entering
the protected network
• Rules are applied in order
• See Figure 5.6 for generic rule format
5
– Private addresses
• 10.*.*.*
• 172.16.*.* to 172.31.*.*,
• 192.168.*.*
– Internal Address Ranges
– Other obvious or known common addresses
• 1.2.3.4, 0.0.0.0, 0.0.0.1, etc.
6
1
Ingress Filtering
Ingress Filtering
1. If UDP destination port=69,
DENY [Trivial File Transfer
Protocol; no login necessary]
• Deny Known TCP Vulnerabilities
– Syn flood (TCP SYN=1 AND FIN=1)
– FTP (TCP destination port = 20)
• Supervisory control connection (TCP destination port = 21)
–
–
–
–
Telnet (TCP destination port = 23)
NetBIOS (TCP destination port = 135 through 139)
UNIX rlogin (TCP destination port = 513)
UNIX rsh launch shell without login (TCP port 514)
7
Egress Filtering
2. If ICMP Type = 0, PASS
[allow incoming echo reply
messages]
3. DENY ALL
8
Egress Filtering
• Allow
• Deny Destinations
– ICMP Type = 8, PASS [outgoing echo messages]
– private IP address range =
• Deny
• 10.*.*.*
• 172.16.*.* to 172.31.*.*
• 192.168.*.*
• Deny
– Protocol=ICMP [all other outgoing ICMP]
– TCP RST=1[outgoing resets; used in host scanning]
– not in internal address range
• 60.47.*.*
9
10
Egress Filtering
Firewalls
• Deny Connections to Well-known
ports
• Types of Firewalls
• Inspection Methods
– TCP source port=0 through 49151
– UDP source port=0 through 49151
• Allow Outgoing Client Connections
– UDP source port = 49152 … 65,536
– TCP source port =49152 through 65,536
11
–
–
–
–
Static Packet Inspection
Stateful Packet Inspection
NAT
Application Firewalls
• Firewall Architecture
• Configuring, Testing, and Maintenance
12
2
Stateful Inspection Firewalls
Stateful Inspection Firewalls
• By default, permit connections openings
from internal clients to external servers
• State of Connection
– Open or Closed
• By default, deny connection openings from
the outside to inside servers
• State
• Default behaviors can be changed with ACLs
– Order of packet within a dialog
– Often simply whether the packet is
part of an open connection
13
• Can prevent
• Hides the IP address of internal
hosts to thwart sniffers
– Syn flood
• Benignly spoofs source IP
addresses in outgoing packets
– Port switching
– Session hijacking
– Etc.
15
Network Address Translation
(NAT)
1
14
Network Address Translation
Stateful Inspection Firewalls
From 192.168.5.7,
Port 61000
• Accept future packets between hosts and
ports in open connections with little or no
more inspection
16
Application Firewall Operation
1. HTTP Request
From 192.168.6.77
From 60.5.9.8,
Port 55380
2.
Filtering
2
Internet
Client
192.168.5.7
4
NAT
Firewall
To 192.168.5.7,
Port 61000
To 60.5.9.8,
Port 55380
IP Addr
Webserver
Application
Sniffer
FTP
Proxy
External
Port
192.168.5.7 61000
...
HTTP Proxy
Server
Host
Internal
Translation
Table
Browser
3
...
IP Addr
Port
60.5.9.8
55380
...
. .17
.
Client PC
192.168.6.77
Outbound
Filtering on Put
SMTP
(E-Mail)
Proxy
Application Firewall
60.45.2.6
Webserver
123.80.5.34
Inbound and Outbound
Filtering on Obsolete
18
Commands, Content
3
Application Firewall Operation
Application Firewall Operation
3. Examined
HTTP Request
From 60.45.2.6
4. HTTP
HTTP Proxy
Response to Webserver
5.
Application
60.45.2.6
Filtering on Post Out,
Hostname, URL, MIME,
etc. In
Browser
FTP
Proxy
Client PC
192.168.6.77
Outbound
Filtering on Put
SMTP
(E-Mail)
Proxy
Application Firewall
60.45.2.6
Webserver
123.80.5.34
Inbound and Outbound
Filtering on Obsolete
19
Commands, Content
Browser
6. Examined
HTTP
Response To
192.168.6.77
HTTP Proxy
5.
Filtering on Post Out,
Hostname, URL, MIME,
etc. In
FTP
Proxy
Client PC
192.168.6.77
Outbound
Filtering on Put
Webserver
Application
SMTP
(E-Mail)
Proxy
Webserver
123.80.5.34
Inbound and Outbound
Filtering on Obsolete
20
Commands, Content
Application Firewall
60.45.2.6
Header Destruction With
Application Firewalls
13Application Firewall Operation
Header Removed
Arriving Packet
Browser
HTTP Proxy
Webserver
Application
X
Orig. Orig.
App
IP
MSG TCP
(HTTP) Hdr Hdr
Need one Proxy Program
On the Application Firewall
For Each Protocol Filtered
FTP
Proxy
Client PC
192.168.6.77
Outbound
Filtering on Put
Webserver
123.80.5.34
Inbound and Outbound
Filtering on Obsolete
21
Commands, Content
22
Internal
Client PC
60.55.33.12
Circuit Firewall
2. Protocol is Not HTTP
Firewall Stops
The Transmission
1. Trojan Transmits
on Port 80
to Get Through
Simple Packet
Filter Firewall
3. Passed
TransmissionNo
Filtering
4. Reply
1. Authentication
2. Transmission
X
Application
Firewall
Webserver
123.80.5.34
Application Firewall Strips Original Headers from Arriving Packets
Creates New Packet with New Headers
This Stops All Header-Based Packet Attacks
Protocol Spoofing
Trojan
Horse
App
New New
MSG TCP
IP
(HTTP) Hdr Hdr
Application Firewall
60.45.2.6
Attacker
1.2.3.4
SMTP
(E-Mail)
Proxy
Application Firewall
60.45.2.6
New Packet
App
MSG
(HTTP)
Attacker
1.2.3.4
23
Webserver
60.80.5.34
Circuit Firewall
(SOCKS v5)
60.34.3.31
5. Passed
ReplyNo
Filtering
External
Client
123.30.82.5
24
4
Single-Site Firewall Architecture for
a Larger Firm with a Single Site
2. Main Firewall
3. Internal Firewall
Last Rule=Deny All
Traffic Between Subnets
DMZ
1. Screening Router
60.47.1.1 Last
Rule=Permit All
Internet
• Demilitarized Zone
• For Servers That Must be Accessed From the
Outside
172.18.9.x Subnet
– Public webservers
4.
Client
Host
Firewall
External
DNS Server
60.47.3.4
Public
Webserver
60.47.3.9
– DNS server that only knows the IP addresses of hosts
in the firewall
DMZ
Marketing
Client on
172.18.5.x
Subnet
HTTP
Proxy
Server
60.47.3.1
SMTP
Relay
Proxy
60.47.3.10
Accounting
Server on
172.18.7.x
Subnet
– Hosts must be specially hardened because they
certainly will be attacked
25
Internet Service Provider
PC
Firewall
Ethernet Switch
UTP
Always-On
Connection
Coaxial
Cable
26
SOHO Firewall Router
Home Firewall
Internet
Service Provider
– Application (proxy) firewalls
UTP
User PC
UTP
Broadband
Modem
UTP
Cord
Home PC
27
Broadband
Modem
(DSL or
Cable)
SOHO
Router
--Router
DHCP Sever,
NAT Firewall, and
Limited Application Firewall
Many Access Routers Combine the Router
and Ethernet Switch in a Single Box
User PC
User PC
28
SOHO: Small office or home owner
Distributed Firewall Architecture
Management Console
Internet
Home PC
Firewall
Site A
21Other Security Architecture
Issues
• Host and Application Security (Chapters 6
and 9)
• Antivirus Protection (Chapter 4)
• Intrusion Detection Systems (Chapter 10)
• Virtual Private Networks (Chapter 8)
• Policy Enforcement System
Site B
29
30
5
22Configuring, Testing, and
Maintaining Firewalls
22Configuring, Testing, and
Maintaining Firewalls
• Firewall Misconfiguration is a Serious
Problem
• Create Policies Before ACLs
– Policies are easier to read than ACLs
– ACL rules must be executed in series
– Easy to make misordering problems
– Can be reviewed by others more easily than
ACLs
– Easy to make syntax errors
– Policies drive ACL development
– Policies also drive testing
31
22Configuring, Testing, and
Maintaining Firewalls
32
23FireWall-1 Modular
Management Architecture
Log Files
• Must test Firewalls with Security Audits
– Only way to tell if policies are being supported
– Must be driven by policies
Application Module
(GUI)
Create, Edit
Policies
– ACLs must be updated constantly if firewall is
33
to be effective
24FireWall-1 Service
Architecture
Internal
Client
34
Connection
External
Server
4. Content Vectoring Protocol
5.
Statefully Filtered Packet
Plus Application
Inspection
Firewall Module
Enforces Policy
Sends Log
Entries
Application Module
(GUI)
Read Log Files
25Security Level-Based Stateful
Filtering
in PIX Firewalls
Automatically Accept
1. Arriving Packet
3. DoS
FireWall-1
Protection
Firewall
Optional
Authentications
Log File
Entry
Log File
Data
– New threats appear constantly
Firewall Module
Enforces Policy
Sends Log
Entries
Management
Module Stores
Policies Stores
Log Files
• Maintaining Firewalls
2. Statefully Filtered
Packet
Policy
Policy
Security Level
Inside=100
Security Level
Outside=0
Router
Automatically
Reject Connection
Security Level=60
Internal Network
Internet
Connections Are Allowed
from More Secure
Networks to Less Secure
Networks
Third-Party
Application
Inspection
Firewall
35
36
6
Questions?
37
7
Download