Firewalls and Info Services
• Prevent unauthorized access between nets
• Most of the protection is based upon examination of the IP packets
• There is always a tradeoff between security and ease of use
[Diagram: PROTECT inside -> outside and outside -> inside]

Primary Types of Firewalls
[Diagram: Dual-Homed Gateway: Internet <-> bastion host <-> Inner Network]
[Diagram: Screened Host Gateway: Internet <-> router <-> Inner Network, with a screened host on the inner net]

Dual-Homed Gateway
[Diagram: Internet <-> bastion host <-> Inner Network; an ftp request passes through the bastion host via an ftp proxy, a telnet request with no agent is blocked (X)]
• Any data wanting to pass through to/from the bastion host should be required to pass through a PROXY agent.
• Proxy software can be configured to use encryption.
• Clients may need to be replaced with proxy clients

Screened Host Gateway
[Diagram: Internet <-> router <-> Inner Network; the router blocks traffic for other nodes (X) and passes traffic for the screened (bastion) host]
• Only data allowed through is data for the screened host
• Router can allow holes to certain hosts on inner net.
• Router uses IP addresses and port numbers to control the flow of data

Some Risks
• Once you allow holes in the router, the nodes to which you allow “extra” access increase your ZONE OF RISK.
• Those machines need to be as secure as your screened/bastion host or represent your weak link.
• The larger the program, the more susceptible to errors and security leaks.
– Browsers are good examples of large programs

Two Other Types of Firewalls
[Diagram: Screening Router (screened subnet): Internet <-> router <-> bastion host <-> router <-> Inner Network]
[Diagram: Router-only Gateway: Internet <-> router <-> Inner Network]

Planning Steps
• Know the details of how client-server connections are made
• Determine physical location of equipment
• Decide who gets access in either direction
– Screening router is on basis of IP/port not user
• Determine a strategy for logging activity
– What to write
– How to monitor
– Under what conditions do you take specific actions
• Must develop a failure plan if firewall breaks
• Develop a thorough testing procedure

Software for Firewall Support
Cern WEB server
• Proxy mode to handle requests for internal clients
• Handles http AND OTHER PROTOCOLS
– browser clients usually handle other protocols, NOT SERVERS
• Requires the client to be configurable to use proxy mode. Not sure how common this is in the client (p.504 of text)
    setenv http_proxy "http://web.bastion.host:80/"
    setenv ftp_proxy "http://web.bastion.host:80/"
• What if the client doesn’t go through the WEB server?
– bastion serves as a router of sorts and doesn’t let any other data through
– router will deny passage if not through the screened host
• Has caching features so only one copy needed for entire inner net

Software for Firewall Support
SOCKS
• Freeware running on bastion host
• Presumably configures the bastion to do filtering of data passing through
• SOCKS is a proxy server dealing with TCP streams, not client dependent
• The specific client must be written to be SOCKsified
• SOCKsified versions are available for PCs and unix environments
• Check it out at ftp.nec.com

Software for Firewall Support
Firewall Toolkit
• tn-gw, ftp-gw, plug-gw (socket to socket)
• Does NOT require a special client
• Client must RUN the program differently
    instead of:  telnet remotehost
    you must:    tn-gw
                 tn-gw> connect remotehost
OTHER FEATURES
• “netacl” can be used with inetd.conf to check server requests against an access list first
• A scaled down ftp to allow anonymous ftp to the bastion and to proxy other requests

Where does the server go? WWW
• Dual homed gateway
– Outside the firewall
» may be difficult to connect at service entry
» sacrificial lamb
– On bastion host
» software is available
» if server cracked, the whole inner net is vulnerable
– Behind the firewall
» internal access is easy / external access is difficult
» needs a socksified browser
– One inside and one outside
» inside for company confidential
» outside for public info

Where does the server go? WWW
• Screened host
– Outside firewall (as before)
– On screened host segment
» router only sends outside requests to a SPECIFIC port on the server
– On the Screened Host itself
» It controls too much access in and out
• Preferred: with a screened subnet
– On the screened subnet
» SECOND ROUTER ONLY ALLOWS ACCESS FROM THE server/port TO THE INSIDE
» if server cracked, can’t get inside

Where does the server go?
FTP
[Diagram: SERVER and CLIENT over time: the client connects to port 21 (command channel); on get “file” the server connects back from port 20 (data channel)]
• Connections are initiated from both directions

Where does the server go? FTP
• Dual Homed Gateway
– Possible to have your service provider handle it
» the ftp clients would require the provider agent to proxy ftp
– Suggest putting it on the bastion host
» ftp to chroot()ed area of the disk
» run daemon as a non-privileged user
• Screened host
– Preferred to be inside... preferred with screened subnet
– run ftp server in proxy mode
– if possible, run clients in proxy (PASV) mode so the client creates both ends of the connection
– router allows IN->OUT not OUT->IN, no inward server connections
– router allows incoming on 21 and outgoing on 20

Safeguards for internal servers
• Strip inner network privileges
– hosts.equiv and .rhosts
• Internal machines should NOT trust server
• Strip the server of networking clients
– telnet, ftp, rlogin, rsh, etc.
• NFS & NIS should be disabled
• Kernel should not route IP packets
• Disable all services in inetd.conf which do not support the service
• USED IN CONJUNCTION WITH SCREENED SUBNET, THESE DO THE BEST JOB

Other things to do for Protection
• Leave traps for attackers
– If hackers gain access to your server, they will try to access other machines by clients like telnet, rsh, etc.
– Change the client to look like it has errors and use it to mail the sys admin that a problem exists
» error messages and delays to occupy attacker
• Periodically run software to verify the integrity of your system.
– Store files with encryption signatures
– Files which are public relations (or more) for your business should be protected.
– This way you verify no one has misrepresented you
• Run servers in a chroot()ed area
– Should do this anyway

Helping clients access through the firewall
TELNET
• Always on port 23
• Screened host
– an access list in the router can typically be configured to allow outgoing on port 23
• Dual Homed
– use a proxy
– use socks
– use firewall toolkit

Helping clients access through the firewall
ARCHIE
• Interesting because it uses UDP not TCP
– The routers judge acceptable connections by looking at the CONNECT sequence
– UDP does not do connections, so there is no way to judge acceptable data (don’t know who started it)
• So how do you know whether your archie server is ok?
• Special solution: there are only a limited number (about 20) of Archie servers on the net. Set router to accept from any of them
• DH Gateway: use a proxy
– must also proxy ftp since archie uses ftp

Helping clients access through the firewall
Web clients
• Web clients must access lots of types of servers
• Easiest solution is to use cern web server and let it proxy for you
• Otherwise must provide individual proxies
• Routers allowing messages from inside to out solves the problem for most... not for ftp.

PCs
• Screened hosts can use holes in router ...
• Some ftps support PASV mode so that it can be used with a screened host
• For Dual Homed Gateway, use SOCKS
• SOCKS is available for pc software
• DLLs are (being made) available for a SOCKsified version of winsock.dll
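To make the router rules from the Screened Host Gateway and FTP slides concrete, here is an added example (not from the lecture) in Python: a toy stateful screening router that lets IN->OUT connections through, accepts OUT->IN connections only for the screened host's FTP port 21 or an explicit hole, and then runs an active-mode and a PASV-mode FTP data channel through it. All addresses are constructed (10.0.x.x is the inner net, 10.0.0.5 the screened host, 203.0.113.9 an outside FTP server).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a TCP connection

class ScreeningRouter:
    """Toy model of the lecture's screened-host router: connections opened from the
    inner net (IN->OUT) always pass; connections opened from outside (OUT->IN) are
    accepted only for the screened host's FTP command port 21 or an explicit hole."""
    def __init__(self, inner_prefix, screened_host, holes=()):
        self.inner_prefix = inner_prefix    # address prefix of the inner net (constructed)
        self.screened_host = screened_host
        self.holes = set(holes)             # (host, port) pairs; each hole widens the zone of risk
        self.opened_from_inside = set()     # (inner, inner_port, outer, outer_port)

    def is_inner(self, addr):
        return addr.startswith(self.inner_prefix)

    def accept(self, pkt):
        outbound = self.is_inner(pkt.src) and not self.is_inner(pkt.dst)
        inbound = self.is_inner(pkt.dst) and not self.is_inner(pkt.src)
        if outbound:
            if pkt.syn:
                self.opened_from_inside.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if inbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.opened_from_inside:
            return True  # reply traffic on a connection the inside opened
        if inbound and pkt.syn:
            target = (pkt.dst, pkt.dport)
            return target == (self.screened_host, 21) or target in self.holes
        return False  # any other OUT->IN packet

def ftp_verdicts():
    """Run the FTP exchanges from the slides through the router (constructed addresses)."""
    router = ScreeningRouter("10.0.", "10.0.0.5")
    client, server = "10.0.0.20", "203.0.113.9"  # inner client, outside FTP server
    verdicts = {}
    verdicts["command_channel"] = router.accept(Packet(client, 5000, server, 21, syn=True))
    verdicts["command_reply"] = router.accept(Packet(server, 21, client, 5000))
    # active mode: the server dials back from port 20, a new OUT->IN connection
    verdicts["active_data"] = router.accept(Packet(server, 20, client, 5001, syn=True))
    # PASV mode: the client opens the data channel too, so both ends are IN->OUT
    verdicts["pasv_data"] = router.accept(Packet(client, 5002, server, 4001, syn=True))
    verdicts["pasv_data_reply"] = router.accept(Packet(server, 4001, client, 5002))
    return verdicts
```

The active-mode data channel is refused because it is a new connection from outside to an inner node, which is exactly why the slides recommend PASV mode behind a screened host.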