Firewalling Techniques Prabhaker Mateti
ACK • Not Linux specific • Some figures are from 3Com
Components of the Firewall System • Bastion Host • Packet-filtering router • Application-level gateway (or proxy server) • Circuit-level gateway
Dual Homed Gateway • A system that has • two or more network interfaces, each of which is connected to a different network. • Acts to block or filter some or all of the traffic trying to pass between the networks.
Bastion Host • Runs general purpose operating system • hardened to resist attack
Proxy services • Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.
Circuit Relay • Determines if the connection is valid according to rules • opens a session and permits traffic • only from the allowed source and • possibly only for a limited period of time. • Whether a connection is valid is based upon: • destination IP address and/or port • source IP address and/or port • time of day • protocol • user • password
Demilitarized Zone (DMZ) • a neutral zone between the private LAN and the public Internet. • FTP servers, Web servers and the like are located in DMZ.
Location of a Firewall • (figure) Untrusted network / external LAN on the outside, the firewall in between, WWW and SMTP servers in the DMZ, and the internal LAN behind it
An Application Gateway: Problem • Allow select internal users to telnet outside. • Users authenticate themselves to create telnet connection • A “gateway” used in this sense is different from a standard gateway.
An Application Gateway: Solution • (figure) host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote-host telnet session • Router filter blocks all telnet connections not originating from the gateway. • For authorized users, the gateway sets up a telnet connection to the destination host. • The gateway relays data between the 2 connections.
Packet Filtering Router • Decides not only how a packet is forwarded, but whether it should be forwarded at all • Not the best choice when detailed protocol knowledge is required for the decision • A proxy may be a better choice • Lots of leverage, as all hosts behind it are protected • Can provide unique capabilities • Rejecting forged internal or external packets (address spoofing) • Recognition of malformed packets
Packet-Filtering Router • Service-Dependent Filtering • Some typical filtering rules include: • Permit incoming Telnet sessions only to a specific list of internal hosts • Permit incoming FTP sessions only to specific internal hosts • Permit all outbound Telnet sessions • Permit all outbound FTP sessions • Deny all incoming traffic from specific external networks • Service-Independent Filtering • Source IP address spoofing attacks • Source routing attacks • Tiny fragment attacks: designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1. • Defining packet filters can be a complex task • Generally, the packet throughput of a router decreases as the number of filters increases.
Filtering by Service • Characteristics of an internal-to-external telnet connection • Source is inside, • destination is outside, • is TCP, destination port 23, • source port > 1023, • first packet is an outbound SYN • Characteristics of an external-to-internal connection are the ‘opposite’ • Risk: trusting the port implies trusting the server on that port • Any service can be run from any port by root • Can telnet from port 23, for example
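A stateless packet filter that encodes the service-independent checks from the previous slide (address spoofing, tiny fragments) and the telnet rule above, as an added example rather than code from the slides. The network prefix, interface labels and sample packets are constructed; requiring ACK on the external-to-internal half is the usual stateless way to enforce "first packet is an outbound SYN" and is an assumption of this example, not stated on the slide.

```python
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # constructed: plays the internal LAN

@dataclass
class Packet:
    iface: str            # "ext": arrived from the Internet side, "int": from the LAN
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag; clear on the bare SYN that opens a connection
    frag_offset: int = 0  # IP Fragment Offset field, in 8-octet units

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def filter_packet(p):
    # Returns ("permit" | "deny", reason); service-independent checks run first.
    # Address spoofing: the source address must belong to the side the packet came from.
    if p.iface == "ext" and is_internal(p.src):
        return "deny", "spoofed internal source on external interface"
    if p.iface == "int" and not is_internal(p.src):
        return "deny", "spoofed external source on internal interface"
    # Tiny fragment attack: a TCP fragment at offset 1 only splits the header; discard it.
    if p.proto == "tcp" and p.frag_offset == 1:
        return "deny", "tiny fragment (TCP, fragment offset 1)"
    # Later fragments carry no TCP header; the first fragment was the one port-checked.
    if p.proto == "tcp" and p.frag_offset >= 2:
        return "permit", "non-first fragment"
    if p.proto == "tcp":
        # Outbound telnet: inside -> outside, dport 23, sport > 1023 (SYN opens it).
        if p.iface == "int" and not is_internal(p.dst) and p.dport == 23 and p.sport > 1023:
            return "permit", "outbound telnet"
        # Reply half: outside -> inside, sport 23, dport > 1023, ACK set (no ACK = inbound attempt).
        if p.iface == "ext" and is_internal(p.dst) and p.sport == 23 and p.dport > 1023 and p.ack:
            return "permit", "telnet reply"
    return "deny", "default deny"

# Constructed sample traffic; 198.51.100.5 plays a host on the Internet.
SAMPLES = {
    "client opens telnet": Packet("int", "192.0.2.10", "198.51.100.5", "tcp", 40000, 23),
    "server SYN/ACK": Packet("ext", "198.51.100.5", "192.0.2.10", "tcp", 23, 40000, ack=True),
    "inbound SYN from port 23": Packet("ext", "198.51.100.5", "192.0.2.10", "tcp", 23, 40000),
    "spoofed internal source": Packet("ext", "192.0.2.10", "192.0.2.20", "tcp", 40000, 23),
    "tiny fragment": Packet("ext", "198.51.100.5", "192.0.2.10", "tcp", frag_offset=1),
}
def run_samples():
    return {name: filter_packet(p)[0] for name, p in SAMPLES.items()}
```

The "inbound SYN from port 23" sample is the "trusting the port" risk from the slide: without the ACK test it would match the reply rule and be let in.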
Security Policy • “It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. • “The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization. • “This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.” • [From a web-based article]
Benefits of an Internet Firewall • Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet. • Firewalls offer a convenient point where Internet security can be monitored and alarms generated. • An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs). • An Internet firewall is the perfect point to audit or log Internet usage. • An Internet firewall can also offer a central point of contact for information delivery service to customers.
Limitations of an Internet Firewall • Creates a single point of failure. • Cannot protect against attacks that do not go through the firewall. • Cannot protect against the types of threats posed by traitors or unwitting users. • Cannot protect against the transfer of virus-infected software or files. • Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.
Limitations of firewalls and gateways • IP spoofing • the router can’t know if data “really” comes from the claimed source • If multiple applications need special treatment, each needs its own application gateway. • Client software must know how to contact the gateway. • e.g., must set the IP address of the proxy in the Web browser • Tradeoff • between the degree of communication with the outside world and the level of security • Performance problem