Add to collection(s) Add to saved
  1. Business

Firewalls and Info Services

advertisement 
Firewalls and Info Services
• Prevent unathorized access between nets
• Most of the protection is based upon
examination of the IP packets
• There is always a tradeoff between security
and ease of use
PROTECT
inside
outside
and
outside
inside
Primary Types of Firewalls
Dual-Homed Gateway
Internet
bastion host
Inner
Network
Screened Host Gateway
Internet
Inner
Network
router
screened host
Dual-Homed Gateway
Internet
Inner
Network
bastion host
passes through
no agent
ftp proxy
X
ftp request
telnet request
• Any data wanting to pass through to/from the bastion
host should be required to pass through a PROXY
agent.
• Proxy software can be configured to use encryption.
• Clients may need to be replaced with proxy clients
Screened Host Gateway
Internet
router
Inner
Network
screened host
Router
for other
nodes
X
not allowed
for bastion
host
passes through
Inner
Network
Screened
Host
• Only data allowed through is data for the screened host
• Router can allow holes to certain hosts on inner net.
• Router uses IP addresses and port numbers to control
the flow of data
Some Risks
• Once you allow holes in the router, the nodes
to which you allow “extra” access increase
your ZONE OF RISK.
• Those machines need to be as secure as your
screened/bastion host or represent your weak
link.
• The larger the program, the more susceptible
to errors and security leaks.
– Browsers are good examples of large programs
Two Other Types of Firewalls
Screening Router
Internet
router
router
Inner
Network
bastion host
Router-only Gateway
Internet
router
Inner
Network
Planning Steps
• Know the details of how client-server
connections are made
• Determine physical location of equipment
• Decide who gets access in either direction
– Screening router is on basis of IP/port not user
• Determine a strategy for logging activity
– What to write
– How to monitor
– Under what conditions do you take specific actions
• Must develop a failure plan if firewall breaks
• Develop a thorough testing procedure
Software for Firewall Support
Cern WEB server
• Proxy mode to handle requests for internal clients
• Handles http AND OTHER PROTOCOLS
– browser clients usually handle other protocols NOT SERVERS
• Requires the client to be configurable to use proxy
mode. Not sure how common the is in the client
p.504 of text
setenv http_proxy “http://web.bastion.host:80/”
setenv ftp_proxy “http://web.bastion.host:80/”
• What if the client doesn’t go through the WEB server?
– bastion serves as a router of sorts and doesn’t let any other data
through
– router will deny passge if not through the screened host
• Has caching features so only one copy needed for
entire inner net
Software for Firewall Support
SOCKS
• Freeware running on bastion host
• Presumably configures the bastion to do
filtering of data passing through
• SOCKS is a proxy server dealing with TCP
streams, not client dependent
• The specific client must be written to be
SOCKsified
• SOCKsified versions are available for PCs
and unix environments
• Check it out at ftp.nec.com
Software for Firewall Support
Firewall Toolkit
• tn-gw, ftp-gw, plug-gw(socket to socket)
• Does NOT requires a special client
• Client must RUN the program differently
instead of:
you must:
telnet remotehost
tn-gw
tn-gw>connect remotehost
OTHER FEATURES
• “netacl” can be used with inetd.conf to check
server requests against an access list first
• A scaled down ftp to allow anonymous ftp to
the bastion and to proxy other requests
Where does the server go?
WWW
• Dual homed gateway
– Outside the firewall
» may be difficult to connect at service entry
» sacrificial lamb
– On bastion host
» software is avialable
» if server cracked, the whole inner net is vulnerable
– Behind the firewall
» internal access is easy / external access is difficult
» needs a socksified browser
– One inside and one outside
» inside company confidential
» outside for public info
Where does the server go?
WWW
• Screened host
– Outside firewall (as before)
– On screened host segment
» router only sends outside requests to a SPECIFIC
port on the server
– On the Screened Host itself
» It controls too much access in and out
Preferred
• With a screened subnet
– On the screened subnet
» SECOND ROUTER ONLY ALLOWS ACCESS FROM
THE server/port TO THE INSIDE
» if server cracked, can’t get inside
Where does the server go?
FTP
• Connections are initiated from both directions
SERVER
CLIENT
connects to port 21
(command channel)
time
NET
connects
from port 20
(data channel)
get “file”
Where does the server go?
FTP
• Dual Homed Gateway
– Possible to have your service provider handle it
» the ftp clients would require the provider agent to proxy ftp
– Suggest putting it on the bastion host
» ftp to chroot() ed area of the disk
» run daemon as a non-priviledged user
• Screened host
– Preferred to be inside... preferred with screened subnet
– run ftp server in proxy mode
– if possible, run clients in proxy (PASV) mode so client creates
both end of the connection
– router allows IN->OUT not OUT->IN, no inward server
connections
– router allows incoming on 21 and outgoing on 20
Safeguards for internal servers
• Strip inner network priviledges
– hostp.equiv and .rhosts
• Internal machines should NOT trust server
• Strip the server of networking clients
– telnet, ftp, rlogin, rsh, etc.
• NFS & NIS should be disabled
• Kernel should not route IP packets
• Disable all services in inetd.conf which do not
support the service
• USED IN CONJUNCTION WITH SCREENED
SUBNET, THESE DO THE BEST JOB
Other things to do
for Protection
• Leave traps for attackers
– If hackers gain access to your server, they will try to
access other machines by clients like telnet, rsh, etc
– Change the client to look like it has errors and use it to
mail the sys admin that a problem exists
» error messages and delays to occupy attacker
• Periodically run software to verify the
integrity of your system.
– Store files with encryption signatures
– Files which are public relations (or more) for your
business should be protected.
– This way you verify no one has misrepresented you
• Run servers in a chroot()ed area
– Should do this anyway
Helping clients access through the firewall
TELNET
• Always on port 23
• Screened host
– an access list in the router can typically be configured to
allow outgoing on port 23
• Dual Homed
– use a proxy
– use socks
– use firewall toolkit
Helping clients access through the firewall
ARCHIE
• Interesting because it uses UDP not TCP
– The routers look at acceptable connections by looking at
the CONNECT sequence
– UDP does not do connections to consider acceptable
data (don’t know who started it)
• So how do you know whether your archie
server is ok?
• Special solution: only a limited (about 20)
Archie servers on the net. Set router to accept
from any of them
• DH Gateway use a proxy
– must also proxy ftp since archie uses ftp
Helping clients access through the firewall
Web clients
• Web clients must access lots of types of
servers
• Easiest solution is to use cern web server and
let it proxy for you
• Otherwise must provide individual proxies
• Routers allowing messages from inside to out
solves the problem for most... not for ftp.
PCs
• Screened hosts can use holes in router ...
• Some ftps support PASV mode so that it can
be used with a screened host
• For Dual Homed Gateway, use SOCKS
• SOCKS is available for pc software
• DLLs are (being made) available for a
SOCKsified version of winsock.dll
Related documents
1-07 ICS2O3C - Warriors of the Net
1-07 ICS2O3C - Warriors of the Net
Firewalls - Application Level Gateway
Firewalls - Application Level Gateway
Exercise 8
Exercise 8
Warriors of the net questions 1. What three things are put on the
Warriors of the net questions 1. What three things are put on the
User control
User control
Chapter 1 - shaieb.net
Chapter 1 - shaieb.net
The Impact Map
The Impact Map
Download
advertisement