
Lecture 08 Firewalls

Lecture 08 Firewalls. Dr. Supakorn Kungpisdan supakorn@mut.ac.th. Roadmap. Firewall Overviews Firewall Functions Address Translation at Firewall DMZ IPTables Example. Primary Concerns. Confidentiality of information Unauthorized access External and internal attacks.


Presentation Transcript


  1. ITEC4621: Network Security, Lecture 08: Firewalls. Dr. Supakorn Kungpisdan, supakorn@mut.ac.th

  2. Roadmap
  • Firewall Overviews
  • Firewall Functions
  • Address Translation at Firewall
  • DMZ
  • IPTables Example

  3. Primary Concerns
  • Confidentiality of information
  • Unauthorized access
  • External and internal attacks

  4. Defining Access Control Policy
  • An access control policy is a corporate policy that states which types of access are allowed across an organization's network perimeter.
  • For example:
    • Allow SSH requests only to the machine with IP 203.148.145.2 from the outside network
    • Reject requests from any host inside the network to the web server with IP 203.147.23.2
  • Controlling such access relies mainly on the FIREWALL
  • Other enforcement points exist as well: ACLs on routers, TCP wrappers on Unix, Intrusion Prevention Systems (IPSs)

  5. Firewall
  • A firewall is a gateway or access server (hardware or software based), or several gateways or access servers, that act as a buffer between a connected public network and a private network
  • It separates a trusted network from an untrusted network
  • A firewall can be a router, a PC running specialized software, or a combination of devices
  • It enforces an access control policy on network traffic as it passes through access points
  • Firewalls filter traffic mainly on factors such as source/destination IP address, source/destination port number, interface and protocol

  6. Firewall (cont'd) [diagram only]

  7. When Is a Firewall Required?
  • Dial-in modem pools and client-initiated VPN
    • E.g. allow dial-in or VPN users to access only the email server
  • External connections to business partners
    • Used to filter access over a permanent link between business partners
  • Between departments
    • An internal firewall may be required to enforce clearance levels
  • Hosts
    • A software firewall such as ZoneAlarm may be used on individual desktop computers

  8. Roadmap
  • Firewall Overviews
  • Firewall Functions
    • Packet Filtering
    • Stateful Firewall
    • Application-level Firewall or Proxy
  • Address Translation at Firewall
  • DMZ
  • IPTables Example

  9. Packet Filtering
  • The least intelligent type of firewall
  • Controls traffic using information stored in packet headers
  • Each packet is either passed or dropped
  • Information used for filtering:
    • Source/destination IP address or subnet
    • TCP/UDP source/destination port
    • Flags (TCP only)
    • Etc.

  10. Filtering TCP Flags
  • Policy: "Our internal users can access any service out on the Internet, but all Internet traffic headed to the internal network should be blocked"
  • Generally, to establish a TCP connection, the sender sends a packet with SYN=1 and all other flags equal to 0.
  • Thus, more precisely:
  • "All Internet traffic headed to the internal network with SYN=1 and all other flags equal to 0 should be blocked"

  11. TCP SYN Scan
  • The TCP SYN scan uses common port-identification methods that allow nmap to gather information about open ports without completing the TCP handshake.
  • When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half-open" scanning.

  12. TCP SYN Scan (cont.) [diagram: closed port vs. open port; source: http://www.networkuptime.com/nmap/page3-2.shtml]

  13. TCP SYN Stealth Port Scan
  [root@REDHATBOX root]# nmap -sS 192.168.0.1
  Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 05:07 EST
  Interesting ports on 192.168.0.4:
  (The 1637 ports scanned but not shown below are in state: closed)
  Port       State     Service
  21/tcp     filtered  ftp
  22/tcp     open      ssh
  23/tcp     open      telnet
  139/tcp    open      netbios-ssn
  6000/tcp   open      X11
  Nmap run completed -- 1 IP address (1 host up) scanned in 3.194 seconds

  14. TCP SYN Scan (cont.) [diagram annotations: SMB, running on top of NetBIOS; Remote desktop]

  15. FIN Scanners
  • Normally a port scanner checks whether any services are open on a host by sending a SYN=1, ACK=1 packet. This can be blocked by a firewall.
  • Instead, an attacker sends a FIN=1, ACK=1 packet to a host, addressed to a particular port number.
    • If an ACK=1, RST=1 packet returns, there is no service on that port
    • If an ACK=1, FIN=1 packet returns, a service is monitoring that port
  • A FIN scan can identify services and the OS of the remote machine
  • [root@REDHATBOX root]# nmap -sF 192.168.0.1

  16. Packet Filtering: ICMP
  • Internet Control Message Protocol: provides background support for the IP protocol
  • ICMP does not use ports.
  • Type identifies the ICMP packet type
  • Code provides a more detailed explanation about the current session
  • E.g.
    • Type 3 = Destination unreachable
    • Type 0 = Echo reply
    • Code 3 (of Type 3) = Port unreachable
    • Code 0 (of Type 3) = Network unreachable

  17. Example of Filtering ICMP
  • To avoid a "ping flood" attack:
  > iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
  • As the INPUT chain's default policy is DROP, this accepts only 1 ping per second.

  18. Packet Filtering: Pros
  • Fast: operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
  • Application independence: ignores the packet payload
  • The least expensive type of firewall.
  • Packet filtering rules are relatively easy to configure.
  • No configuration changes are necessary on the protected workstations.

  19. Packet Filtering: Cons
  • Allows a direct connection between endpoints through the firewall.
    • Leaves the potential for a vulnerability to be exploited.
  • No screening of the packet payload is available.
    • Impossible to block users from visiting web sites deemed off limits, for example.
  • Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.
  • Complex firewall policies are difficult to implement using filtering rules alone.
  • Authentication is based on IP addresses rather than on users

  20. Stateful Firewall
  • Extends packet filtering by maintaining a connection table in order to monitor the state of a communication session
  • An attacker cannot fool the firewall by sending a message with ACK=1
  • Can remember state information
  • Suitable for UDP traffic

  21. Packet Filtering vs. Stateful Firewall
  • ACL:
    • Allow the protected host to establish any service session with the remote server
    • Allow any session that has already been established to pass
    • Drop all other traffic

  22. Packet Filtering vs. Stateful Firewall (cont'd) [diagram: protected host, port 1037, to server, port 80]

  23. Packet Filtering vs. Stateful Firewall (cont'd) [diagram: protected host, port 1037, to server, port 80]

  24. Packet Filtering vs. Stateful Firewall (cont'd)
  • Only the protected host can establish a connection with the server

  25. Packet Filtering vs. Stateful Firewall (cont'd)
  • [diagram, packet filter: port 1037 / port 80] The packet filter assumes the attacker has already established a connection with the host
  • [diagram, stateful firewall: port 1037 / port 80] The stateful firewall looks up its table and finds that the host has not yet established a connection with the attacker

  26. IPTables Rules Based on Network State
  • Packets can be in a number of different states:
    • NEW: a packet which starts a new connection
    • RELATED: a new connection, but part of an existing session
    • ESTABLISHED: a connection that is already running
    • INVALID: anything else (?)
  > iptables -t filter -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
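The contrast drawn on slides 10 and 21-26, as an added example that is not part of the lecture: the same "inside may go out, outside may not come in" policy written first as a stateless filter on TCP flags and then with the state match of slide 26. The interface roles (eth0 public, eth1 internal, as in the later network diagram) and the use of the FORWARD chain are assumptions; the functions only print the iptables commands.

```shell
#!/bin/sh
# Added example, not from the lecture: the policy of slide 10 ("internal
# users may reach any Internet service, the Internet may not open
# connections inward"), first as a stateless packet filter and then as the
# stateful rule set of slide 26. Interface roles follow the slide-46
# diagram (eth0 public side, eth1 internal side) and are assumptions.
# The *_rules functions only PRINT iptables commands; apply_rules feeds
# them to sh, which needs root on a Linux host with iptables installed.
PUB_IF=eth0
INT_IF=eth1

# Stateless (slide 10): a connection request is a TCP segment with SYN set
# and every other flag clear, so drop exactly those on the public interface
# and let everything else through. Weakness (slides 21-25): a crafted
# segment with ACK=1 is not a bare SYN, so it passes although no inside
# host ever opened that connection.
stateless_rules() {
    cat <<EOF
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i $INT_IF -o $PUB_IF -j ACCEPT
iptables -t filter -A FORWARD -i $PUB_IF -o $INT_IF -p tcp --tcp-flags ALL SYN -j DROP
iptables -t filter -A FORWARD -i $PUB_IF -o $INT_IF -j ACCEPT
EOF
}

# Stateful (slide 26): the connection-tracking table records each session an
# inside host opens; an inbound packet is accepted only when it matches an
# entry, so the same crafted ACK=1 segment is NEW/INVALID and falls through
# to the DROP policy. UDP "replies" are handled the same way.
stateful_rules() {
    cat <<EOF
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i $INT_IF -o $PUB_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $PUB_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules stateless | stateful   (run as root)
apply_rules() {
    "${1}_rules" | sh -e
}
```

Run `stateless_rules` or `stateful_rules` first to review the generated commands; `apply_rules stateful` then installs them.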

  27. Stateful Firewall: Pros
  • Offers improved security over basic packet filters due to packet examination
  • Better logging of activities than basic packet filters
  • Good performance
  • Configuration changes to the protected workstations are unnecessary

  28. Stateful Firewall: Cons
  • Allows a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
  • No hiding of your private systems.
  • Setting up stateful packet examination rules is more complicated.
  • Only supported protocols are understood at the application layer.
  • No user authentication.

  29. Proxy
  • Also called an "application gateway" or "forwarder"
  • An application that mediates traffic between two network segments
  • Used instead of filtering to prevent traffic from passing directly between networks
  • Source and destination never actually "connect"

  30. How a Proxy Passes Traffic
  • A proxy does not route traffic; it acts as an "interpreter"
  • Protocol specific: web proxy, email proxy, a proxy for your own application

  31. How a Proxy Passes Traffic (cont'd)
  • The internal host sends an HTTP request to the proxy
  • The proxy sees that the host has requested a web page and passes the request to an HTTP application inside the proxy
  • The request is checked against the ACL. If OK, the proxy creates a new request carrying the internal host's request, with the proxy as the source
  • The web server responds to the proxy. The HTTP application checks the response against the ACL. If OK, the proxy creates an HTTP response to the internal host

  32. Proxies: Pros
  • The firewall does not let end points communicate directly with one another.
  • Has the best content filtering capability.
  • Can hide private systems.
  • Robust user authentication.
  • Offers the best logging of activities.
  • Policy rules are usually easier than packet filtering rules.

  33. Proxies: Cons
  • Performance problems: much slower than the other two types
  • Must have a proxy for every protocol. Lacking a proxy may prevent a protocol from being handled correctly by the firewall.
  • TCP is the preferred transport. UDP may not be supported.
  • Limited transparency: clients may need to be modified, e.g. setting up the proxy server in a browser.

  34. Roadmap
  • Firewall Overviews
  • Firewall Functions
  • Address Translation at Firewall
  • DMZ
  • IPTables Example

  35. Address Translation
  • Translates one IP address to another
  • Hides the system from the outside network
  • Uses Network Address Translation (NAT)
    • Maps between public IPs and private IPs
  • Ranges of private IPs:
    • 10.0.0.0-10.255.255.255/8
    • 172.16.0.0-172.31.255.255/12
    • 192.168.0.0-192.168.255.255/16
  • Types of NAT:
    • Static NAT
    • Hiding (or Dynamic) NAT
    • Port Address Translation (PAT)

  36. Static NAT
  • One private IP is mapped to one public IP
  • The internal system can be accessed from the Internet
  • Allows both inbound and outbound traffic
  • Does not need to change the source port
  • Most NAT devices allow some systems to use static NAT while hiding the rest
  • Suitable for servers in the DMZ

  37. Hiding (or Dynamic) NAT
  • The firewall converts local IPs to its own IP for outgoing and incoming packets
  • Many-to-many relationship: multiple private IPs are mapped to a single public IP chosen from a list of available IPs
  • Outbound traffic can be mapped to the firewall IP or any other legal IP
  • Does not allow inbound connections
    • Local machines cannot operate as servers
  • Increased security: local machines cannot be accessed from outside the firewall

  38. Port Address Translation (PAT)
  • Utilized by most proxies
  • Must use the firewall IP, not any public IP
  • Also allows inbound traffic
    • For inbound traffic, PAT checks the port number and forwards the packet to the specified internal system

  39. PAT (cont'd) [diagram only]

  40. Roadmap
  • Firewall Overviews
  • Firewall Functions
  • Address Translation at Firewall
  • DMZ
  • IPTables Example

  41. DMZ
  • A Demilitarized Zone (DMZ) is a subnet that belongs to neither the private nor the public network.
  • A DMZ provides additional protection, since an attacker who breaks into the web server could otherwise get inside the internal network
  • Use static filtering at the router to provide multilayer protection
  • Place a proxy behind the firewall to secure the Internet connection
  • All DMZ servers may be statically NATed

  42. DMZ (cont'd) [diagram only]

  43. Roadmap
  • Firewall Overviews
  • Firewall Functions
  • Address Translation at Firewall
  • Firewall Deployment
  • IPTables Example

  44. IPtables
  • Since kernel 2.4, the standard firewall on Linux is iptables.
  • It implements its rules using three "tables":
    • Filter: handles standard "firewall" things
    • NAT: rewriting of source/destination IPs
    • Mangle: packet information manipulation

  45. IPTables: Filter Table
  • The filter table is divided into three chains:
    • INPUT
    • OUTPUT
    • FORWARD
  • Chains have a default policy (either ACCEPT, REJECT, or DROP).
  • Each packet is dealt with by only one of the three chains.

  46. [network diagram] Firewall with three interfaces: eth0 203.148.145.1 facing the public network; eth1 192.168.1.1 facing the internal network, where the app server 192.168.1.254 listens on port 6001; eth2 10.1.1.1 facing the DMZ, which holds the web server 10.1.1.254
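The three NAT types of slides 36-38 written as iptables nat-table rules for the topology in the diagram above, as an added example that is not part of the lecture. The public address 203.148.145.2 for the web server, the variable names and the use of MASQUERADE for hiding NAT are assumptions; forwarding must additionally be enabled and permitted in the filter table, which this block does not do.

```shell
#!/bin/sh
# Added example, not from the lecture: static NAT, hiding NAT and PAT
# (slides 36-38) for the slide-46 topology: eth0 203.148.145.1 public,
# eth1 192.168.1.1 internal, eth2 10.1.1.1 DMZ, web server 10.1.1.254,
# app server 192.168.1.254 port 6001. WEB_PUBLIC is an ASSUMED spare public
# address. Functions only PRINT rules; apply_nat runs them (root required).
# Not shown: net.ipv4.ip_forward=1 and matching FORWARD-chain filter rules.
PUB_IF=eth0
WEB_PUBLIC=203.148.145.2       # assumption: second public address
WEB_DMZ=10.1.1.254
APP_INTERNAL=192.168.1.254
APP_PORT=6001
INTERNAL_NET=192.168.1.0/24

# Static NAT (slide 36): one public IP <-> one DMZ IP in both directions,
# ports untouched, so the web server is reachable from the Internet.
static_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -d $WEB_PUBLIC -j DNAT --to-destination $WEB_DMZ
iptables -t nat -A POSTROUTING -o $PUB_IF -s $WEB_DMZ -j SNAT --to-source $WEB_PUBLIC
EOF
}

# Hiding NAT (slide 37): every internal host leaves with the firewall's own
# public address; nothing outside can open a connection inward because a
# mapping exists only after an inside host has created it.
hiding_nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $PUB_IF -s $INTERNAL_NET -j MASQUERADE
EOF
}

# PAT (slide 38): inbound traffic to one port of the firewall's address is
# forwarded to a chosen internal system, here port 6001 -> app server.
pat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $APP_PORT -j DNAT --to-destination $APP_INTERNAL:$APP_PORT
EOF
}

# Install all three rule sets in order (run as root).
apply_nat() {
    { static_nat_rules; hiding_nat_rules; pat_rules; } | sh -e
}
```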

  47. Rule Structure
  • Append or Delete Rule: iptables [-t table] -[AD] chain rule-specification [options]
  • Insert New Rule: iptables [-t table] -I chain [rulenum] rule-specification [options]
  • Replace Rule: iptables [-t table] -R chain rulenum rule-specification [options]
  • Delete Rule: iptables [-t table] -D chain rulenum [options]
  • List Rules, Flush Rules, Zero Counters: iptables [-t table] -[LFZ] [chain] [options]
  • New Chain: iptables [-t table] -N chain
  • Delete Chain: iptables [-t table] -X [chain]
  • Set Chain Policy (Accept, Drop): iptables [-t table] -P chain target [options]
  • Rename Chain: iptables [-t table] -E old-chain-name new-chain-name

  48. Adding Rules
  • Rules can be added, removed, and changed using the iptables command.
  > iptables -t filter -A INPUT -i lo -j ACCEPT
  • Appends to the INPUT chain a rule that packets arriving on the LOOPBACK device should be ACCEPTed

  49. IPTables Example
  • Scenario: a personal firewall that should allow all outbound connections and restrict all inbound traffic to just an SSH server running on port 22.

  50. IPTables Example (cont'd)
  Initial rules:
  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination
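A complete rule set for the slide-49 scenario, starting from the empty accept-all tables shown above, as an added example that is not part of the lecture. It combines the loopback rule of slide 48, the state rule of slide 26 and the rate-limited ping rule of slide 17; the LOG rule, its prefix and the SSH_PORT variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the lecture: a personal firewall for the
# slide-49 scenario (all outbound allowed, inbound limited to the SSH server
# on port 22). Rules are added before the policies are switched to DROP so an
# existing SSH session is not cut while the script runs. The LOG rule and its
# prefix are assumptions. personal_firewall_rules only PRINTS the commands so
# they can be reviewed; apply_personal_firewall runs them (root required).
SSH_PORT=${SSH_PORT:-22}

personal_firewall_rules() {
    cat <<EOF
# start from a clean filter table
iptables -t filter -F
iptables -t filter -X
# loopback is needed by local services (slide 48)
iptables -t filter -A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself (slide 26)
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the single inbound service: new TCP connections to the SSH port
iptables -t filter -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# at most one echo-request per second (slide 17); the rest fall to DROP
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# record what the policy rejects, rate-limited so the log cannot be flooded
iptables -t filter -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
# defaults: nothing in unless a rule says so, everything out, no forwarding
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
EOF
}

# Number of iptables commands in the rule set (comment lines excluded).
rule_count() {
    personal_firewall_rules | grep -c '^iptables'
}

apply_personal_firewall() {
    personal_firewall_rules | sh -e
}
```

After applying, `iptables -L -n -v` should show policy DROP on INPUT and FORWARD with packet counters on the ESTABLISHED,RELATED and dport 22 rules.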
