Firewalls
Dan Fleck, CS 469: Security Engineering
Slides modified with permission from the original by Arun Sood

References
• Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
• Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.
• Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.
• Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.
• William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.
• Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
• Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.
Firewall as Network Access Control
• Access Control
  • Authentication
  • Authorization
  • Single Sign On
• Firewall
  • Interface between networks
  • Usually between an external network (the Internet) and an internal one
  • Allows traffic flow in both directions

Firewall
[Figure: Internal network <-> Firewall <-> Internet]
• Interface between networks
• Usually between an external network (the Internet) and an internal one
• Allows traffic flow in both directions
• Controls the traffic

Firewall as Secretary [1]
• A firewall is like a secretary
• To meet with an executive
  • First contact the secretary
  • The secretary decides if the meeting is reasonable
  • The secretary filters out many requests
• You want to meet the chair of the CS department?
  • The secretary does some filtering
• You want to meet the President of the US?
  • The secretary does lots of filtering!
Security Strategies [2]
• Least privilege
  • Objects have the lowest privilege needed to perform their assigned task
• Defense in depth
  • Use multiple mechanisms
  • Best if each is independent: minimal overlap
• Choke point
  • Facilitates monitoring and control

Security Strategies - 2 [2]
• Weakest link
• Fail-safe
  • If the firewall fails, it should fall back to a fail-safe state that denies access, to avoid intrusions
  • Default deny
  • Default permit
• Universal participation
  • Everyone has to accept the rules

Security Strategies - 3 [2]
• Diversity of defense
  • Inherent weaknesses: use multiple technologies to compensate for the inherent weakness of any one technology
  • Common heritage: if systems are configured by the same person, they may share the same weakness
• Simplicity
• Security through obscurity

Security Strategies - 4 [2]
• Configuration errors can be devastating
• Testing is not perfect
• Ongoing trial and error will identify weaknesses
• Enforcing a sound policy is critical
Types of Firewall [2]
(There is no standard terminology)
• Packet Filtering (network layer)
  • Simplest firewall
  • Filters packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
  • Does NOT read the packet payload
  • Vulnerable to IP spoofing
• Stateful inspection (transport layer)
  • In addition to packet inspection, validates attributes of multi-packet flows
  • Keeps track of connection state (e.g. TCP streams, active connections, etc.)

Types of Firewall - 2 [2]
• Application Based Firewall (application layer)
  • Allows data into/out of a process based on that process's type
  • Can act on a single computer or at the network layer, e.g. allowing only HTTP traffic to a website
  • Logs access: attempted access and allowed access
• Personal firewall: single user, home network

Types of Firewall - 3 [2]
• Proxy
  • Intermediate connection between servers on the Internet and internal servers
  • For incoming data, the proxy is the server to internal network clients
  • For outgoing data, the proxy is the client sending data out to the Internet
  • No IP packets pass through the firewall; the firewall creates new packets
  • Very secure
  • Less efficient than packet filters

Types of Firewall - 4 [2]
• Network Address Translation
  • Hides the internal network from the external network
  • Private IP addresses expand the usable IP address space
  • Creates a choke point
• Virtual Private Network
  • Employs encryption and integrity protection
  • Uses the Internet as part of a private network
  • Makes a remote computer "act like" it is on the local network
Packet Filter
• Advantages
  • Simplest firewall architecture
  • Works at the network layer, so it applies to all systems
  • One firewall for the entire network
• Disadvantages
  • Can be compromised by many attacks
  • Source spoofing

Packet Filter - Example [2]
[Figure slides: packet filter rule set and sample packets; the tables are not reproduced in the text]

Packet Filter - Example
• The attack succeeds because of rules B and D
• It is more secure to add source ports to the rules

Packet Filter - Example [2]
[Figure slide: rule set extended with source ports, and sample packets; not reproduced in the text]

Packet Filter - Example [2]
• These packets would still be admitted. To avoid this, add an ACK-bit condition to the rule set

Packet Filter - Example
• The attack fails because the ACK bit is not set. The ACK bit is set on the replies to a connection that originated from inside.
• Incoming TCP packets must have the ACK bit set. If the connection started outside, its first packet carries no ACK bit, matches no accept rule, and is rejected.
• Note: this rule means we allow no services other than the ones we request ourselves (connections that originate inside).
TCP Ack for Port Scanning [1]
• The attacker sends a packet with ACK set (without a prior handshake) to port p
  • A violation of the TCP/IP protocol
• The packet filter firewall passes the packet
  • The firewall considers it part of an ongoing connection
• The receiver sends RST
  • Indicates to the sender that the connection should be terminated
• Receiving the RST indicates that port p is open!!

TCP Ack Port Scan [1]
[Figure: ACK-scan exchange through the packet filter]
• The RST confirms that port 1209 is open
• Problem: packet filtering is stateless; the firewall should track the entire connection exchange

Stateful Packet Filter [1]
[Figure: protocol stack (application, transport, network, link, physical), with the filter placed at the transport layer]
• Remembers the packets in TCP connections (and their flag bits)
• Adds state information to the packet filter firewall
• Operates at the transport layer
• Pro: adds state to the packet filter and keeps track of ongoing connections
• Con: slower, more overhead; packet content is still not used
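The rule sets behind the "Packet Filter - Example" slides and the ACK-scan problem on the slides above, as an added example that is not part of the lecture or of the cited texts: a small Python simulator with three rule sets for the same policy (inbound mail to our gateway, outbound mail from anyone inside). The first admits "replies" purely by source port 25 (the loose rule the slides call out), the second adds the ACK-bit condition, and the third is a stateful filter that admits replies from a connection table. All addresses, ports and rules are constructed for illustration.

```python
"""Added example (not from the slides): a small packet-filter simulator for the
rule sets discussed on the "Packet Filter - Example" and "Stateful Packet
Filter" slides. All addresses, ports and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: our inside network
MAIL_GW = "10.0.0.25"                           # constructed: our mail gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}

    @property
    def inbound(self) -> bool:
        """Outside -> inside packets are inbound; everything else is outbound."""
        return (ipaddress.ip_address(self.dst) in INTERNAL
                and ipaddress.ip_address(self.src) not in INTERNAL)


@dataclass(frozen=True)
class Rule:
    """A field set to None matches anything. First matching rule wins."""
    action: str                       # "ACCEPT" or "DROP"
    inbound: Optional[bool] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False                 # require the ACK bit (the slides' fix)

    def matches(self, p: Packet) -> bool:
        return ((self.inbound is None or self.inbound == p.inbound)
                and (self.dst is None or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ack or "ACK" in p.flags))


def stateless_filter(rules, p: Packet) -> str:
    """Plain packet filter: no memory of earlier packets, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DROP"


# Rule set 1 (too loose): inbound "replies" are admitted purely by source port 25,
# so any outside host that uses source port 25 can reach any inside port.
WEAK_RULES = [
    Rule("ACCEPT", inbound=True, dst=MAIL_GW, dport=25),   # anyone may mail us
    Rule("ACCEPT", inbound=False, dport=25),               # we may send mail
    Rule("ACCEPT", inbound=True, sport=25),                # "replies" to our mail
    Rule("DROP"),
]
# Rule set 2: same policy, but inbound replies must carry ACK (slide: "add an ACK bit").
ACK_RULES = [WEAK_RULES[0], WEAK_RULES[1],
             Rule("ACCEPT", inbound=True, sport=25, ack=True), Rule("DROP")]
# Rule set 3: for the stateful filter, which admits replies from its connection table.
STATEFUL_RULES = [WEAK_RULES[0], WEAK_RULES[1], Rule("DROP")]


class StatefulFilter:
    """Remembers connections opened from inside (outbound SYN). An inbound packet
    is admitted if it belongs to one of them or matches an explicit ACCEPT rule."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, p: Packet) -> str:
        if not p.inbound:
            verdict = stateless_filter(self.rules, p)
            if verdict == "ACCEPT" and "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add((p.src, p.sport, p.dst, p.dport))   # new outbound connection
            return verdict
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "ACCEPT"                                        # reply to our connection
        return stateless_filter(self.rules, p)                     # unsolicited: rules decide


def demo() -> dict:
    """Run three constructed inbound packets through all three filters."""
    outbound_syn = Packet("10.0.0.7", "198.51.100.9", 40000, 25, frozenset({"SYN"}))
    cases = {
        "legit_reply": Packet("198.51.100.9", "10.0.0.7", 25, 40000, frozenset({"SYN", "ACK"})),
        "forged_syn":  Packet("203.0.113.5", "10.0.0.7", 25, 6000, frozenset({"SYN"})),
        "stray_ack":   Packet("203.0.113.5", "10.0.0.7", 25, 6000, frozenset({"ACK"})),
    }
    sf = StatefulFilter(STATEFUL_RULES)
    sf.filter(outbound_syn)   # our host opens the mail connection first
    return {name: {"weak": stateless_filter(WEAK_RULES, p),
                   "ack": stateless_filter(ACK_RULES, p),
                   "stateful": sf.filter(p)} for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:12s} {verdicts}")
```

Running it shows the legitimate SYN,ACK reply accepted by all three filters, the forged SYN to port 6000 accepted only by the loose rule set, and the stray ACK accepted by both stateless rule sets but dropped by the stateful one: the ACK-bit rule can only check a flag, while the connection table knows that no connection to port 6000 was ever opened from inside.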
Application Proxy [1]
• A proxy acts on behalf of the system being protected
• An application proxy examines incoming application data and verifies that the data is safe before passing it on to the system
• Pros
  • Complete view of the connections and application data
  • Filters bad data (viruses, Word macros)
  • The incoming packet is terminated and a new packet is sent to the internal network
• Con
  • Speed

Firewalk - Port Scanning [1]
• Scan ports through firewalls
• Requires knowledge of:
  • IP address of the firewall
  • IP address of one system in the internal network
  • Number of hops to the firewall
• Set TTL (time to live) = hops to firewall + 1
• Set the destination port to p
• If the firewall does not pass data for port p, then there is no response
• If the data passes through the firewall on port p, then a "time exceeded" error message comes back
• Let's try it: Applications -> Utilities -> Network Utility

Firewalk and Proxy Firewall [1]
[Figure: Trudy sends packets with destination ports 12343, 12344, 12345 and TTL=4 through three routers to the packet filter; only the port the filter passes produces a "Time exceeded" reply]
• The attack would be stopped by a proxy firewall
• The incoming packet is destroyed (and its old TTL value with it)
• The new outgoing packet will not exceed its TTL

Firewalls and Defense in Depth [1]
• Example security architecture
[Figure: Internet -> Packet Filter -> DMZ (FTP server, WWW server, DNS server) -> Application Proxy -> Intranet with Personal Firewalls]

Research: Firewall Policy Verification
• Firewall design: consistency, completeness, and compactness
  • Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Proc. 24th International Conference on Distributed Computing Systems, 2004, pp. 320-327
• Lesson: practical firewalls have complex rulesets, and they are hard to get right. Research is in place to help validate configurations for errors
• Let's see some simple ones
Let's do some examples
iptables is a common tool to build firewalls and is well supported in Linux:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

-A INPUT: append to the INPUT chain's list of rules
-p tcp: match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if the rule matches, ACCEPT the packet

The first matching rule wins, so order matters! The final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.

iptables - chains
• INPUT: anything with a destination of the firewall box
• OUTPUT: anything with a source of the firewall box
• FORWARD: anything going through the firewall box (neither source nor destination is the firewall box)
• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # This allows SSH TO THE FIREWALL BOX!

iptables - matching rules
Jump targets (what to do upon a match):
-j ACCEPT: allow it
-j REJECT: send a rejection message
-j DROP: drop it, don't send any message
-j logaccept, logdrop, logreject (there are others)
Protocol matching:
-p tcp, udp, icmp, all (0 means all)
Port matching:
--dport destination port
--sport source port

iptables - more rules
Physical device interface:
-i vlan0  # packets coming in on that physical interface
-o eth1   # packets going out on that physical interface
-i is only valid in the INPUT and FORWARD chains
-o is only valid in the OUTPUT and FORWARD chains
(Note: the specific interface names differ by hardware)
Time-based limiting:
-m limit --limit 5/minute  (the rule matches a maximum of 5 times per minute; per second, hour or day also work)
Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
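How the limit match on this slide decides which packets match, as an added example that is not part of the lecture: a Python token-bucket model of `-m limit --limit RATE --limit-burst N`. The bucket semantics are those of the iptables limit match (bucket starts full with N tokens, default 5, refills at RATE, each matching packet spends one token); the packet arrival times are constructed.

```python
"""Added example (not from the slides): a token-bucket model of the iptables
'-m limit --limit RATE --limit-burst N' match. Packet arrival times are
constructed; the bucket semantics follow the iptables limit match: the bucket
starts full with N tokens, refills at RATE, and a packet matches only while a
token is left (each match spends one)."""
from fractions import Fraction


def parse_rate(spec: str) -> Fraction:
    """'5/minute' -> 5/60 tokens per second. As in iptables, any prefix of
    second/minute/hour/day is accepted ('1/s', '5/min'); a bare number means per second."""
    count, _, unit = spec.partition("/")
    unit = (unit or "second").lower()
    for name, seconds in (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400)):
        if name.startswith(unit):
            return Fraction(int(count), seconds)
    raise ValueError(f"unknown rate unit in {spec!r}")


class LimitMatch:
    """One instance per rule, just as the kernel keeps one bucket per limit rule."""

    def __init__(self, rate: str, burst: int = 5):   # iptables default --limit-burst is 5
        self.rate = parse_rate(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst                      # bucket starts full
        self.last = Fraction(0)

    def matches(self, now) -> bool:
        """Does a packet arriving at time 'now' (seconds) match the rule?"""
        now = Fraction(now)
        # refill for the elapsed time, never above the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(rate: str, burst: int, arrivals) -> list:
    """Which of the packets arriving at the given times match the rule."""
    m = LimitMatch(rate, burst)
    return [m.matches(t) for t in arrivals]


if __name__ == "__main__":
    # constructed: 20 SYNs in 0.2 s, then 3 more ten seconds later, against '--limit 1/s'
    flood = [i * 0.01 for i in range(20)] + [10, 10.1, 10.2]
    print(simulate("1/s", 5, flood))
```

With the slide's syn-flood rule (`--limit 1/s`, default burst 5) the first five SYNs of a burst match and are accepted, the remaining fifteen do not match, and after ten idle seconds the bucket is full again so the next three match. Packets that do not match simply fall through to the next rule, so the rule only protects anything if a later rule drops the SYNs it lets through.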
iptables - examples
• Let's stop all HTTP access
• Let's stop ping
• Let's allow www.gmu.edu through (but only GMU!)
  • --destination www.gmu.edu
• Let's allow only my IP to get to HTTP
  • --source 192.168.3.10

iptables - more rules
State matching:
-m state --state ESTABLISHED,RELATED
NEW: a packet which creates a new connection.
ESTABLISHED: a packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).
RELATED: a packet which is related to, but not part of, an existing connection, such as an ICMP error or (with the FTP module loaded) a packet establishing an ftp data connection.
INVALID: a packet which could not be identified for some reason; this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

iptables - more rules
TCP flag matching:
iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
--tcp-flags <mask> <comp>
mask = the set of bits to look at
comp = the subset of the mask bits which must be set (the other mask bits must be clear)
The command above says: look at all the bits ('ALL' is synonymous with 'SYN,ACK,FIN,RST,URG,PSH') and match, then DROP, when exactly the SYN and ACK bits are set.
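The mask/comp semantics of `--tcp-flags` as executable code, an added example that is not part of the lecture: a Python evaluator that parses the two flag lists the way iptables does (flag names, `ALL`, `NONE`), tests a packet's flags against a rule, and runs a small first-match chain. The chain's first rule is the one on this slide; the other two rules and the sample packets are my additions, and `syn_match` reproduces the `--syn` shorthand used by the syn-flood rule earlier.

```python
"""Added example (not from the slides): an evaluator for the iptables
'--tcp-flags MASK COMP' match. The flag names and the ALL/NONE keywords are
the ones iptables accepts; the chain and the sample packets are constructed."""
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ALL_FLAGS = sum(FLAG_BITS.values())


def parse_flags(spec: str) -> int:
    """'SYN,ACK' -> bitmask; 'ALL' is every flag, 'NONE' is no flag at all."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r}")
        bits |= FLAG_BITS[name]
    return bits


def tcp_flags_match(mask: str, comp: str, packet_flags: str) -> bool:
    """'--tcp-flags MASK COMP' matches when, looking only at the MASK bits,
    the packet has exactly the COMP bits set: (flags & mask) == comp."""
    return (parse_flags(packet_flags) & parse_flags(mask)) == parse_flags(comp)


def syn_match(packet_flags: str) -> bool:
    """iptables '--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)


# A small chain in (mask, comp, target) form: first match wins, and the chain
# policy applies when nothing matches. Rule 1 is the slide's; 2 and 3 are added.
EXAMPLE_CHAIN = [
    ("ALL", "SYN,ACK", "DROP"),       # the slide's rule: exactly SYN+ACK set
    ("ALL", "NONE", "DROP"),          # added: no flags at all, never legitimate
    ("SYN,FIN", "SYN,FIN", "DROP"),   # added: SYN and FIN together, never legitimate
]


def chain_verdict(chain, packet_flags: str, policy: str = "ACCEPT") -> str:
    """Walk the chain in order and return the first matching target, else the policy."""
    for mask, comp, target in chain:
        if tcp_flags_match(mask, comp, packet_flags):
            return target
    return policy


if __name__ == "__main__":
    for flags in ("SYN", "SYN,ACK", "SYN,ACK,PSH", "ACK,PSH", "NONE", "SYN,FIN"):
        print(f"{flags:12s} syn={syn_match(flags)!s:5s} verdict={chain_verdict(EXAMPLE_CHAIN, flags)}")
```

Note that because the mask is `ALL`, a packet with SYN, ACK and PSH set does not match the slide's rule, while `--syn` ignores PSH and URG because they are outside its mask. Also, on a real INPUT chain the slide's rule would drop the SYN,ACK replies to connections the firewall box itself opens unless an earlier `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule admits them first.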
iptables - Tunneling
• In our network we have one outward-facing server, so to get in from home we must travel (tunnel) through that server.
• We really use SSH tunnels:
  ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost
• However, if everyone needed to use it, we could use a firewall-based tunnel:
  iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22

Would a GUI help?
[Figure: screenshot of a firewall GUI, not reproduced in the text]

Lessons
• There are many firewall types
• Each provides a different balance of security versus performance
• Multiple firewalls can be used to segment networks into security zones
• iptables is a powerful example of how to create/manage firewalls