Firewall
Raghunathan Srinivasan
October 30, 2007
CSE 466/598 Computer Systems Security

Before we start
- Something interesting I found about XEN
- And something more: http://kerneltrap.org/OpenBSD/Virtualization_Security
- A little bit on HW 2, problems 1 & 2
- Not discussing problems 3 & 4 as they are fairly simple

What are we protecting
- Data
  - Private data
  - Secret
  - Integrity
  - Availability
- Resources
  - Network resources
  - Other computer resources
- Reputation
  - Your reputation

Means for Protection
- Anti-virus
  - Why doesn't it work? Rather, why is it ineffective?
- Firewall
  - Does it suffer from the same problems as above?

What is a firewall
- Is it just a wall that we are burning? No, I guess bad joke
- OK, it is a barrier between your computer and the outside world
- Rather, it protects the boundary of an intranet against the Internet
- Computer networks are designed to exchange data
- So why do we want to restrict data flow?

Ideal World
- Everyone is good
- No attacker
- No one can compromise data
- No one will try to steal data
- No one will try to install a backdoor
- No one ....
  (basically a really good world)
- Unfortunately, this can never exist

Working World
- There are attackers
- People will try and steal data
- People will try opening ports on your machine for remote exploitation
- Individual users are not smart enough to configure network connections
- So we need some service that can at least differentiate between good & bad connections
  - In practice this may not be the case

Firewall
[Figure: Your Network -- Firewall -- Outside Network]

Tasks of a Firewall
- Access control based on sender/receiver address or on the addressed services
- Hiding the internal network
- Logging of traffic
- Implements packet filter & proxy server

7 Layered OSI
- Application Layer: supports end-user processes, Telnet, FTP
- Presentation Layer
- Session Layer
- Transport Layer: flow control
- Network Layer: switching, routing
- Data Link Layer: data encoded into bits
- Physical Layer

Packet Filter
- Analyzes network traffic and filters based on rules in layers 3 & 4
  - Typically source / destination address
- If the firewall is combined with a router, it is called a screening router
- Simple, cheap

Packet Filter: Possible Principles
- Everything that is not explicitly allowed is denied
- Everything that is not explicitly denied is allowed

Example
- Lame Example 1: Let your SMTP server be 149.169.0.1, and the port be 40
  - Rule 1: From (IP *), (port *) TO (149.169.0.1), (40): DENY
  - Rule 2: From (149.169.0.1), (40) TO (*), (*): ALLOW
- Rules are applied in the order listed

Proxy Server
- Controls access to a service
- The proxy is the only computer known to the outside Internet
- Access control can be done based on user identity, content, or the protocol used

Packet Filter vs Proxy Server
- PF
  - Simple, cheap
  - Correctly specifying filters is error prone
  - If you re-order rules, then the policy may change
- Proxy
  - User authentication possible
  - Application protocol control can be integrated
  - Logging
- Circuit-level proxies / application-level proxies
  - AL proxies are more expensive, but versatile
  - Need one ALP for each application
  - Circuit-level proxies hide network info apart from providing packet filter functionality
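To make the "rules are applied in the order listed" and "re-ordering rules may change the policy" points concrete, here is a small first-match packet filter written as an added example (not code from the slides). It encodes the slide's two rules for 149.169.0.1 port 40 and, in reorder_demo, a constructed pair of rules (an "allow the 10.0.0.0/8 LAN" rule and the slide's DENY rule) whose swap flips the verdict for one packet; the default passed to evaluate selects between the two principles on the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One layer 3/4 filter rule; '*' is a wildcard, addresses may be CIDR blocks."""
    src: str
    sport: object     # int or "*"
    dst: str
    dport: object     # int or "*"
    action: str       # "ALLOW" or "DENY"

    @staticmethod
    def _addr_ok(pattern, addr):
        return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)

    def matches(self, p):
        return (self._addr_ok(self.src, p.src) and self.sport in ("*", p.sport)
                and self._addr_ok(self.dst, p.dst) and self.dport in ("*", p.dport))


def evaluate(rules, pkt, default):
    """First matching rule wins; 'default' is the verdict for packets no rule mentions."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The slide's two rules for the SMTP server 149.169.0.1 on port 40, in the listed order.
SLIDE_RULES = [
    Rule("*", "*", "149.169.0.1", 40, "DENY"),
    Rule("149.169.0.1", 40, "*", "*", "ALLOW"),
]


def reorder_demo():
    """Constructed pair of rules: swapping them flips the verdict for the same packet."""
    allow_lan = Rule("10.0.0.0/8", "*", "*", "*", "ALLOW")   # trust the internal network
    deny_smtp = Rule("*", "*", "149.169.0.1", 40, "DENY")     # nobody may reach the server
    pkt = Packet("10.0.0.5", 51000, "149.169.0.1", 40)
    return (evaluate([allow_lan, deny_smtp], pkt, "DENY"),    # "ALLOW": LAN rule hit first
            evaluate([deny_smtp, allow_lan], pkt, "DENY"))    # "DENY": deny rule hit first
```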
Firewall Generations
- First: packet filter
- Second: stateful filters
- Third: application layer

First generation
- Just checks the individual packets
- Which means most filtering is done based on a strict set of rules
- Lame example: drop packets coming from a specific IP address
- The filter does not care whether the incoming/outgoing packet is part of an existing connection

2nd Gen - Stateful Filters
- Also called circuit-level firewalls
- Do not examine each packet on its own
- Maintain records of all connections passing through the firewall
- Can determine whether a packet is part of an existing connection or a new connection
- There are static rules that configure the firewall's behaviour

3rd generation
- Application layer firewall
- It can "understand" certain applications and protocols
- Can detect whether an unwanted protocol is being sneaked through on a non-standard port
- Can detect whether a protocol is being abused in a known harmful way

Firewall Architectures
- Single box architecture
- Screened host architecture
- Screened subnet architectures
- Other variations

Single Box Architecture
- Screening router
- Dual-homed host

Screening router
[Figure: Internet -- Screener -- Internal Network (PC 1 ... PC n)]

Features
- You can configure connections at one place
- So the firewall is installed in the router
- Can deny by port numbers / IP addresses
- Not flexible
- Useful where the network inside is considered secure

Dual-Homed Host
[Figure: Internet -- eth1 -- Dual-Homed Host -- eth0 -- Internal Network (PC 1 ... PC n)]

Features
- The protected network cannot directly communicate with the Internet
- Applications should not be real-time or business critical
- Traffic to the Internet is small
- Users do not perform only Internet-based jobs
- Packet filter & proxy server together

Bastion Host
- A special-purpose computer on a network, specifically designed and configured to withstand attack
- Contains very few applications
- Proxy server: services the requests of its clients by forwarding the requests to other servers
- Why?
  - To reduce threats and vulnerabilities

Screened Host Architecture
[Figure: Internet -- Screener -- Internal Network (Bastion Host, PC 1 ... PC n)]

Features
- The bastion host provides the proxy
- The screening router provides packet filtering of incoming traffic

Personal Firewall
- Software installed on a PC
- Part of the OS, to protect user machines
- Learning filter
- Annoying at times

Honeypot
- Show a machine with weak security to the outside world
- Monitor all the attacks that it experiences

NAT - Network Address Translation
- Technique for transmitting/receiving network traffic through a router
- Re-writing of source/destination addresses
- Re-writing of TCP port numbers
- NAT is a popular way of dealing with the IPv4 address shortage
- NAT enables multiple hosts on a private network to use a single public IP address

NAT
- A host typically uses
  - 192.168.x.x
  - 10.x.x.x
  - 172.16-31.x.x
- The router has a public address
- Example
  - My router's address: 75-167-48-xxx
  - My PC's address: 192.168.1.100

NAT
- When traffic moves from the local network to the Internet
  - The router performs an address change on the source IP
  - The router stores data about the outgoing connection
- When the reply returns to the router, it uses the stored data to forward the packets to the corresponding machine

Drawbacks
- True end-to-end connectivity is not there
- Cannot participate in some network protocols
- Services that require initiation from the outside network cannot function

Benefits
- NAT helps prevent many malicious attacks
  - The external network cannot initiate a connection
  - I won't receive any malicious data unless my machine initiated it
  - Can my machine initiate it?
- Practical solution to the exhaustion of IPv4 addresses

Can a firewall inside a computer be bypassed
- Yes
- It is just a service
- A program can disable it
  - Bagle
  - Bagz

So it all boils down to
- Is my PC secure?
- I believe that this problem is not in P

A little refresher
- Digital signature
- Challenge Response - midterm

The midterm problem 1:
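Returning to the stateful-filter and NAT slides above: the following added example (not code from the slides) models a NAT router whose connection table is the same record of connections a stateful filter keeps. An outbound packet from the slide's 192.168.1.100 gets its source rewritten to the router's public address and a router-chosen port, the connection is remembered, the reply is mapped back to the PC, and a packet that no inside host initiated is dropped. The public address 203.0.113.7 and the external hosts 198.51.100.x are constructed documentation-range values, not the lecturer's 75-167-48-xxx.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source TCP port
    dst: str      # destination IP
    dport: int    # destination TCP port


class NatRouter:
    """Constructed model of source NAT driven by a stateful connection table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port chosen by the router -> (private src, sport, dst, dport)
        self.table = {}

    def outbound(self, pkt):
        """Local network -> Internet: rewrite the source, remember the connection."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, known in self.table.items():
            if known == flow:             # existing connection: reuse its mapping
                break
        else:                             # new connection: allocate a public port
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Internet -> local network: forward only replies to stored connections."""
        known = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if known is None or (pkt.src, pkt.sport) != (known[2], known[3]):
            return None                   # not part of a connection we initiated: dropped
        return replace(pkt, dst=known[0], dport=known[1])


def demo():
    """Walk the slide's scenario: the PC 192.168.1.100 talks to a web server."""
    nat = NatRouter("203.0.113.7")                       # constructed public address
    out = nat.outbound(Packet("192.168.1.100", 51234, "198.51.100.20", 80))
    again = nat.outbound(Packet("192.168.1.100", 51234, "198.51.100.20", 80))
    reply = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", out.sport))
    unsolicited = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 40000))
    return out, again, reply, unsolicited
```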