Firewalls

Topics
- Firewall design principles
  - Characteristics
  - Types
  - Configurations
- Trusted systems
- Common Criteria for Information Technology Security Evaluation

Firewalls
- Internet connectivity has become a necessity in corporations and organizations
  - However, this allows outsiders to interact with network assets
- An organization may own thousands of computers
  - Could install strong security software on every computer…
  - A security patch is released
  - Now thousands of computers need to be patched
- Easier solution? Place a firewall between the Internet and the organization’s network
  - Protects a network from Internet-based attacks
  - Imposes security and auditing at one choke point
  - Special hardware, a computer, or many computers can function as a firewall

Firewall characteristics
- Goals:
  - All traffic is directed towards the firewall. There must be no way to access the network without going through the firewall first
  - Only authorized traffic is allowed to pass through the firewall, as defined by local security policies
  - The firewall is immune to penetration. Implies use of a trusted system and a secure operating system
- Four techniques used to control access:
  - Service control: determine what Internet services are allowed to be accessed
    - May filter traffic based on IP address or port
    - May act as proxy software (receive and interpret services before passing them on)
    - May host service software itself
  - Direction control: determine in what direction service requests may be initiated or allowed to pass through
  - User control: control which services can be accessed by particular users (inside or outside the network)
  - Behaviour control: control how services are used (e.g., spam firewall or website filter)
- Other features:
  - Monitoring of security-related events
  - Non-security-related Internet functions
    - Network address translation (NAT)
    - Logging of Internet usage
  - Platform for IPSec
- Limitations:
  - Cannot protect against attacks that bypass the firewall
  - Cannot protect against internal threats
    - For example, an angry employee deleting files
    - Or an employee cooperating with an outside attacker
  - Cannot protect against the transfer of viruses
    - Different operating systems and applications inside the network
    - Would need to scan all incoming data… impractical, perhaps impossible

Types of firewalls
- Packet-filtering router
- Application-level gateway
- Circuit-level gateway

Packet-filtering router
- Applies a set of rules to each incoming and outgoing packet
- Possible rule criteria:
  - Source or destination IP address
  - Port number
  - Transport protocol (TCP or UDP)
  - Other information contained in a network packet
- Filters are a list of rules
  - If a rule is matched, either forward or discard the packet
  - Default action may be either forward or discard
    - Applies when a packet matches no rule
- Advantages: fast, simple, transparent
- Disadvantages:
  - Cannot prevent attacks on specific application weaknesses
  - Limited logging capabilities
  - Typically no support for user authentication
  - Vulnerable to exploits that take advantage of problems in the TCP/IP specification
  - Easy to make mistakes when creating rules

Application-level gateway
- Also called a proxy server
- Usage:
  - User contacts the gateway through an application (e.g., telnet or FTP)
  - User must authenticate and provide the name of the remote host
  - Gateway connects to the remote host and relays data back to the user
- If code for an application is not implemented, the gateway will not support that application
- May be configured to support only certain features of an application
- Advantages:
  - Tend to be more secure than packet filters
  - Whole applications can be allowed or blocked, rather than many possible combinations of packets
  - Easy to log and audit traffic at the application level
- Disadvantage: additional overhead due to splicing every connection

Circuit-level gateway
- Does not permit end-to-end connections
- Sets up two TCP connections (inner host to gateway, gateway to outer host)
- Gateway relays segments from one connection to the other
- Does not examine the contents of segments
- Security function is to determine what connections are allowed
- Could be a standalone system, or a function performed by an application-level gateway for some applications
- Example implementation: SOCKS
  - Consists of a server, a client library, and client programs that have been linked with or are compatible with SOCKS
  - A client wants to access an object beyond the firewall
  - A TCP connection is opened on port 1080 on the SOCKS server
  - Client is authenticated
  - Client makes a relay request
  - SOCKS either accepts (and establishes the connection) or rejects

Bastion host
- A system identified to be a critical strong point in a network’s security
- Typically used as a platform for application-level or circuit-level gateways
- Characteristics:
  - Runs a secure version of an operating system
  - Only essential services are installed
  - Requires user authentication to access proxy services
  - Each proxy is a tiny software package that runs independently and requires little configuration
  - Each proxy may only support a subset of application features, may only access specific hosts, and maintains detailed logs

Firewall configurations
- A single router or gateway is a simple configuration
- More complex configurations are possible and are more common:
  - Screened host firewall, single-homed bastion
  - Screened host firewall, dual-homed bastion
  - Screened subnet firewall

Screened host firewall, single-homed bastion
- A packet-filtering router with a bastion host
- Router’s configuration:
  - Only packets destined for the bastion host may pass
  - Only packets from the bastion host may leave
- Bastion host performs authentication and proxy functions
- Internal network is protected by two systems
- Allows for flexibility:
  - For example, a web server does not need strong security; the router can be configured to allow traffic directly to it
- Problem: a compromised router will allow traffic to flow directly through to the internal network, bypassing the bastion

Screened host firewall, dual-homed bastion
- All of the same features and functionality of the single-homed bastion setup
- However, physically prevents traffic from going anywhere but through the bastion first
- Solves the problem with the single-homed bastion setup

Screened subnet firewall
- Two packet-filtering routers and one bastion host
  - One router between the Internet and the bastion
  - Another between the bastion and the internal network
- Creates an isolated, screened sub-network
  - Besides the bastion, could also contain servers, modems, etc.
- Three levels of defense
- The Internet only sees the screened sub-network
- The internal network cannot construct direct routes to the Internet

Trusted systems
- Trusted system technologies enhance the ability to defend against intruders and malicious programs

Data access control
- Need a way to state what sort of permissions a user may have in a system (e.g., file access, database access, etc.)
- Access matrix: a general model of access control used by file or database management systems
- Elements:
  - Subject: an entity that can access objects. Usually a user or application, represented by a process, since it is a process that gains access to an object
  - Object: anything to which access is controlled (e.g., files or memory)
  - Access right: the way in which an object is accessed (e.g., read, write, or execute)
- One axis lists the subjects, the other lists the objects
- Each entry consists of the access rights of a subject on an object
- The access matrix is usually implemented by decomposing it:
  - Access control list (ACL): decomposition by column
    - Lists subjects and their access rights for each object
    - May include a default set of rights
  - Capability tickets: decomposition by row
    - Lists objects and associated access rights for each subject

Concept of trusted systems
- Multilevel security
  - Multiple groups (or levels) of data are defined
  - Idea is that a high-level subject cannot convey information to a lower-level subject
  - Two rules need to be enforced:
    - No read up: a subject only reads objects at a level less than or equal to its own security level
    - No write down: a subject only writes into objects at a level equal to or greater than its own security level
- Reference monitor
  - Element of hardware or the operating system
  - Regulates the access of objects by subjects on the basis of security parameters
  - A security kernel database stores all access privileges and object levels
  - Properties:
    - Complete mediation: security rules are enforced on every single access to an object
    - Isolation: no unauthorized modification to the reference monitor and database
    - Verifiability: the reference monitor’s correctness must be mathematically provable
  - An audit file may be used to log security violations or changes to the kernel database
- A trusted system provides the amount of verification as seen in the reference monitor
- Trojan horse defense
  - A trusted operating system can prevent Trojan horse attacks
  - A user’s documents and programs are classified under a high security level
  - A Trojan horse is planted by a user who has gained access, but under a low security level
  - The Trojan horse can read the documents, but cannot copy them to a low-security-level file

Common Criteria for Information Technology Security Evaluation
- Defines a set of potential security requirements for use in evaluating part of a system
- Requirements:
  - Functional: defines desired security behaviour
  - Assurance: basis for gaining confidence that security measures are effective and implemented correctly
- Profiles that can be generated:
  - Protection profile: defines a set of security requirements and objectives for a category of systems
  - Security target: contains the security requirements and objectives of a target system, and the functional and assurance measures offered to meet those requirements
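Returning to the packet-filtering router and the screened host, single-homed bastion configuration described earlier: the following is an added example, not code from the original slides, implementing a first-match rule list with a default action. The rules are the router configuration from that slide plus its web-server exception; the addresses and the LOOSE_RULES misconfiguration are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addresses for the example (not from the slides).
INTERNAL = ip_network("10.0.0.0/24")   # internal network behind the router
BASTION = ip_address("10.0.0.2")       # bastion host: authentication and proxies
WEB = ip_address("10.0.0.80")          # web server allowed to receive direct traffic

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "forward" or "discard"
    src: object = None     # address, network, or None for "any"
    dst: object = None
    proto: str = None
    dport: int = None

    def matches(self, p: Packet) -> bool:
        def addr_ok(field, addr):
            if field is None:
                return True
            a = ip_address(addr)
            return a in field if isinstance(field, IPv4Network) else a == field
        return (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# Router rules for the screened host, single-homed bastion: inbound only to the
# bastion, outbound only from the bastion, plus the web-server exception. First match wins.
RULES = [
    Rule("forward", dst=WEB, proto="tcp", dport=80),
    Rule("forward", dst=BASTION),
    Rule("forward", src=BASTION),
]
# A common rule-writing mistake: the web exception written against the whole
# network instead of the one web server lets port 80 reach every internal host.
LOOSE_RULES = [Rule("forward", dst=INTERNAL, proto="tcp", dport=80)] + RULES[1:]

def filter_packet(p: Packet, rules=RULES, default="discard") -> str:
    # Return the action of the first matching rule; otherwise the default action
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default   # applies when no rule matches; the default may also be "forward"
```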
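The access matrix, its ACL (by column) and capability-ticket (by row) decompositions, and a reference monitor enforcing no read up and no write down with an audit log, as one added example that is not from the original slides. The subjects, objects, levels and rights are constructed; the final denial (alice writing memo.txt) is the Trojan horse scenario the slides describe.

```python
from dataclasses import dataclass, field

# Constructed security levels, ordered from low to high (not from the slides).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Constructed access matrix: one row per subject, one column per object,
# each entry the set of access rights that subject holds on that object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read", "write"}},
    "bob":   {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
}

def to_acls(matrix):
    """Decompose by column: for each object, the subjects and their rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(matrix):
    """Decompose by row: for each subject, a ticket of objects and rights."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

@dataclass
class ReferenceMonitor:
    acls: dict            # security kernel database: the decomposed access matrix
    subject_level: dict   # clearance of each subject
    object_level: dict    # classification of each object
    audit: list = field(default_factory=list)   # audit file of security violations

    def check(self, subject, obj, right):
        """Complete mediation: every access request is decided here."""
        allowed = right in self.acls.get(obj, {}).get(subject, set())
        s = LEVELS[self.subject_level[subject]]
        o = LEVELS[self.object_level[obj]]
        if right == "read" and o > s:
            allowed = False   # no read up
        if right == "write" and o < s:
            allowed = False   # no write down
        if not allowed:
            self.audit.append(f"DENY {subject} {right} {obj}")
        return allowed

# Constructed levels: alice is cleared to secret, bob only to unclassified.
monitor = ReferenceMonitor(
    acls=to_acls(MATRIX),
    subject_level={"alice": "secret", "bob": "unclassified"},
    object_level={"payroll.db": "secret", "memo.txt": "unclassified"},
)
```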