Firewall Basics
advertisement
Firewall Basics Everything you’ve ever wanted to know about a firewall but didn’t have the time to ask. (Well, almost everything) Credits: PowerPoint in its entirety created by Ken Diliberto, Network Analyst I&IT Networks, Cal Poly Pomona 1 Disclaimer: The following presentation represents a compilation of obscure bits of information known by the author (me). No representation of accuracy, applicability, usefulness or anything else you can think of is implied. Batteries not included, some assembly required, don’t operate heavy equipment while reading this, not all buyers will qualify, must take delivery before 1/1/1980, your mileage may vary, no user serviceable parts inside, big brother may be watching. 2 Goals (Besides killing an hour and a half) –Gain a better understanding of what a firewall is. –Understand different firewall types. –Understand where firewalls fit. 3 What is a firewall? A firewall is a device (or software feature) designed to control the flow of traffic into and out-of a network. In general, firewalls are installed to prevent attacks. 4 What is an attack? 1. 2. 3. 4. 5 Attack covers many things: Someone probing a network for computers. Someone attempting to crash services on a computer. Someone attempting to crash a computer (Win nuke). Someone attempting to gain access to a computer to use resources or information. Edge Firewall An edge firewall is usually software running on a server or workstation. An edge firewall protects a single computer from attacks directed against it. Examples of these firewalls are: ZoneAlarm BlackIce IPFW on OSX 6 Firewall Appliance An appliance firewall is a device whose sole function is to act as a firewall. Examples of these firewalls are: Cisco PIX. Netscreen series. 7 Network Firewall Router/Bridge based Firewall – Computer-based Network Firewall – 8 A firewall running on a bridge or a router protects from a group of devices to an entire network. Cisco has firewall feature sets in their IOS operating system. A network firewall runs on a computer (such as a PC or Unix computer). These firewalls are some of the most flexible. Many free products are available including IPFilter (the first package we tried), PF (the current package we are using found on OpenBSD 3.0 and later) and IPTables (found on Linux). Commercial products include: Checkpoint Firewall-1. Apple OSX includes IPFW (included in an operating system you gotta purchase). Why use a firewall? 9 Protect a wide range of machines from general probes and many attacks. Provides some protection for machines lacking in security. Great first line of defense. 10 Having a firewall is a necessary evil. It’s like living in a gated community. The gate may stop 99% of unwanted visitors. The locks on your doors stop the remaining 1% (maybe, but you get the idea). Don’t let the firewall give you a false sense of security. Harden your machines by turning off services you don’t need. How does a firewall work? Blocks packets based on: Source IP Address or range of addresses. Source IP Port Destination IP Address or range of addresses. Destination IP Port Some allow higher layers up the OSI model. Other protocols (How would you filter DecNET anyway?). Common ports 80 443 20 & 21 23 22 25 11 HTTP HTTPS FTP (didn’t know 20 was for FTP, did you?) Telnet SSH SMTP Sample firewall rules Protected server: 134.71.1.25 Protected subnet: 134.71.1.0/24 $internal refers to the internal network interface on the firewall. $external refers to the external network interface on the firewall. 12 Sample rules: Can you find the problem? (For this example, when a packet matches a rule, rule processing stops.) Pass in on $external from any proto tcp to 134.71.1.25 port = 80 Pass in on $external from any proto tcp to 134.71.1.25 port = 53 Pass in on $external from any proto udp to 134.71.1.25 port = 53 Pass in on $external from any proto tcp to 134.71.1.25 port = 25 Block in log on $external from any to 134.71.1.25 Block in on $external from any to 134.71.1.0/24 Pass in on $external from any proto tcp to 134.71.1.25 port = 22 Pass out on $internal from 134.71.1.0/24 to any keep state 13 Sample rules: Can you find the problem? (For this example, when a rules matches a packet, rule processing stops.) Pass in on $external from any proto tcp to 134.71.1.25 port = 80 Pass in on $external from any proto tcp to 134.71.1.25 port = 53 Pass in on $external from any proto udp to 134.71.1.25 port = 53 Pass in on $external from any proto tcp to 134.71.1.25 port = 25 Block in log on $external from any to 134.71.1.25 Block in on $external from any to 134.71.1.0/24 Pass in on $external from any proto tcp to 134.71.1.25 port = 22 Pass out on $internal from 134.71.1.0/24 to any keep state The SSH rule would never have a chance to be evaluated. All traffic to 134.71.1.25 is blocked with the previous two rules. 14 To log or not to log… Logging is both good and bad. If you set your rules to log too much, your logs will not be examined. If you log too little, you won’t see things you need. If you don’t log, you have no information on how your firewall is operating. 15 Sample log file Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul 16 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 11:00:06 11:00:07 11:00:08 11:00:10 11:00:15 11:50:02 11:50:02 11:50:02 11:50:05 11:50:17 11:50:20 11:50:20 11:50:24 11:50:24 11:50:27 11:50:27 11:50:30 11:50:30 11:52:48 11:52:51 11:52:54 11:52:56 11:52:57 11:53:00 12:00:24 12:00:26 12:00:28 12:00:34 12:00:46 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: 11:00:06.786765 11:00:07.366515 11:00:08.526751 11:00:10.856705 11:00:15.515785 11:50:02.619311 11:50:02.629271 11:50:02.642610 11:50:05.633338 11:50:16.882433 11:50:20.401561 11:50:20.414682 11:50:24.127364 11:50:24.144581 11:50:27.761458 11:50:27.778617 11:50:30.771581 11:50:30.772833 11:52:47.511993 11:52:50.501969 11:52:53.501498 11:52:55.703527 11:52:56.500682 11:52:59.500694 12:00:24.220209 12:00:26.040009 12:00:28.794944 12:00:34.302899 12:00:45.284181 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 xl0 @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN @1:10 b 134.71.4.100,50258 -> 134.71.202.57,23 PR tcp len 20 48 -S IN @0:3 b 213.244.12.136,4588 -> 134.71.202.37,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,4597 -> 134.71.202.44,80 PR tcp len 20 44 -S IN @1:10 b 213.244.12.136,4610 -> 134.71.202.57,80 PR tcp len 20 44 -S IN @1:10 b 213.244.12.136,4610 -> 134.71.202.57,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,1406 -> 134.71.203.35,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,1688 -> 134.71.203.47,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,1701 -> 134.71.203.60,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,1944 -> 134.71.203.103,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,1957 -> 134.71.203.108,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,2243 -> 134.71.203.168,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,2260 -> 134.71.203.185,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,2243 -> 134.71.203.168,80 PR tcp len 20 44 -S IN @0:3 b 213.244.12.136,2260 -> 134.71.203.185,80 PR tcp len 20 44 -S IN @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN @1:10 b 142.163.9.225,6346 -> 134.71.202.57,3343 PR tcp len 20 40 -A IN @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN @1:10 b 207.45.69.69,1610 -> 134.71.202.57,113 PR tcp len 20 44 -S IN @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN Had enough yet? Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul 17 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 12:00:58 12:01:01 12:01:01 12:01:03 12:01:03 12:01:05 12:01:05 12:01:06 12:01:07 12:01:07 12:01:08 12:01:08 12:01:09 12:01:09 12:01:12 12:01:14 12:01:14 12:01:28 12:01:29 12:01:36 12:01:39 12:02:02 12:02:05 12:02:10 12:02:11 12:02:13 12:02:14 12:02:20 12:07:59 12:33:33 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 kd2 ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: ipmon[14110]: 12:00:58.200613 12:01:00.236672 12:01:01.192960 12:01:02.868846 12:01:03.161480 12:01:05.010881 12:01:05.282234 12:01:05.796431 12:01:07.240923 12:01:07.251735 12:01:07.963357 12:01:08.229151 12:01:09.209297 12:01:09.212097 12:01:11.704343 12:01:13.969454 12:01:14.230632 12:01:28.256761 12:01:29.105610 12:01:36.257674 12:01:39.338642 12:02:02.588716 12:02:05.555511 12:02:10.610751 12:02:11.565107 12:02:13.530261 12:02:14.729242 12:02:19.529568 12:07:58.606378 12:33:32.920644 xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.27.2.83,3363 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 65.31.146.125,55989 -> 134.71.202.57,10336 PR tcp len 20 65 -R IN xl0 @1:10 b 61.98.116.133,4510 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 12.251.174.163,2403 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.166.24.65,3816 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 24.159.69.143,1834 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 166.102.153.16,4886 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 134.71.204.115,3792 -> 134.71.202.57,1065 PR udp len 20 36 IN xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 66.25.162.252,2868 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN 2x xl0 @0:3 b 134.71.203.92,138 -> 134.71.203.255,138 PR udp len 20 269 IN xl0 @1:10 b 68.69.142.167,2613 -> 134.71.202.57,10336 PR tcp len 20 48 -S IN xl0 @1:10 b 65.80.163.98,60325 -> 134.71.202.57,9074 PR tcp len 20 48 -S IN xl0 @0:3 b 80.145.78.83,4286 -> 134.71.202.47,80 PR tcp len 20 48 -S IN What is a state? When your computer makes a connection with another computer on the network, several things are exchanged including the source and destination ports. In a standard firewall configuration, most inbound ports are blocked. This would normally cause a problem with return traffic since the source port is randomly assigned (different from the destination port). A state is a dynamic rule created by the firewall containing the source-destination port combination, allowing the desired return traffic to pass the firewall. 18 How many states can a computer have? A single computer could have hundreds of states depending on the number of established connections. Consider a server supporting POP3, FTP, WWW and Telnet/SSH access. It could have thousands of states. 19 What happens without state? Without state, your request for traffic would leave the firewall but the reply would be blocked. 20 Sample state table. kd2.ec.csupomona.edu - IP Filter: v3.4.28 Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Source IP Destination IP 134.71.202.57,4738 64.160.215.222,1677 134.71.202.57,4744 64.160.215.222,1677 134.71.202.57,1039 134.71.204.115,1410 134.71.203.168,138 134.71.203.255,138 134.71.202.57,4727 64.160.215.222,1677 134.71.203.168,137 134.71.203.255,137 134.71.202.57 239.255.255.250 134.71.202.57,137 134.71.203.255,137 134.71.202.57,1028 134.71.4.100,53 134.71.202.57,1038 216.136.175.142,5050 134.71.202.57,138 134.71.203.255,138 134.71.203.168,138 134.71.203.255,138 134.71.203.168,137 134.71.203.255,137 134.71.202.57,1036 239.255.255.250,1900 134.71.202.57 239.255.255.250 134.71.202.57,4727 64.160.215.222,1677 134.71.202.57,1031 134.71.184.58,445 134.71.202.57,1033 134.71.184.58,445 21 state top Sorted by = # bytes ST PR #pkts #bytes ttl 4/4 tcp 551 368024 119:59:56 4/4 tcp 399 258160 119:59:59 4/4 tcp 33 6872 119:59:16 0/0 udp 2 458 0:06 0/6 tcp 5 200 1:58:03 0/0 udp 2 156 0:13 0/0 igmp 1 32 1:20 0/0 udp 62 5844 1:51 0/0 udp 35 4910 0:11 4/4 tcp 35 4208 119:59:59 0/0 udp 16 3520 1:49 0/0 udp 14 3026 2:00 0/0 udp 16 1536 1:59 0/0 udp 7 1127 1:58 0/0 igmp 10 320 1:54 0/6 tcp 5 200 1:53:26 2/0 tcp 3 128 0:47 2/0 tcp 3 128 0:48 07:50:50 Where does a firewall fit in the security model? The firewall is the first layer of defense in any security model. It should not be the only layer. A firewall can stop many attacks from reaching target machines. If an attack can’t reach its target, the attack is defeated. 22 Ruleset design Two main approaches to designing a ruleset are: 1. 2. 23 Block everything then open holes. Block nothing then close holes. Ruleset design – Block Everything Blocking everything provides the strongest security but the most inconvenience. Things break and people complain. The block everything method covers all bases but creates more work in figuring out how to make some applications work then opening holes. 24 Ruleset design – Block Nothing Blocking nothing provides minimal security by only closing holes you can identify. Blocking nothing provides the least inconvenience to our users. Blocking nothing means you must spend time figuring out what you want to protect yourself from then closing each hole. 25 What is IDS? IDS is an Intrusion Detection System. IDS can identify many attacks and traffic patterns crossing a border device. 26 An IDS sounds good. Is it? Yes and no. An IDS can identify port scans, different web attacks, known buffer overflow attacks, etc. An IDS can also produce many false positive hits. AOL Instant Messenger triggers port scan hits because it talks to several AOL Ad servers within a few seconds. An IDS can create more information on a small network than a network administrator can deal with. 27 Filtering bad traffic (RFC 1918, bad headers, options, etc.) Sending bad traffic or malformed packets is a form of attack easily blocked at a firewall. The firewall inspects every packet and rejects those that are not properly formed or are intentionally malformed, protecting devices that may be succeptible. 28 Filtering bad traffic (RFC 1918, bad headers, options, etc.) Private IP address traffic should never be seen on the IT.UU.SE network. Private IP address blocks (RFC 1918): – – – 29 10.0.0.0 – 10.255.255.255 (255.0.0.0 mask) 172.16.0.0 – 172.240.0.0 (255.240.0.0 mask) 192.168.0.0 – 192.168.255.255 (255.255.0.0 mask) Black hole or Return-RST (or how to respond to things you don’t want.) Should you tell a sending machine that their traffic was blocked or let them wait until they timeout? For some traffic, it’s better to let the sending machine wait. This slows down the rate of attack. For other traffic (such as SMTP) it may be nice to tell the sender that the SMTP port is closed. 30 Poking holes How to allow traffic and expose yourself. OK. You’ve decided to block traffic. Do you have to block all traffic? No. You can allow select traffic in. The criteria for allowing traffic are the same as blocking traffic. 31 Compromised Machines Just a note about compromised machines: When a machine is compromised, you have no way to determine exactly what was hacked. Cleaning what you think is the problem may not rid yourself of everything. Most instances require a reformat and reinstall of the operating system for proper cleaning. 32
