Cryptography and Network Security Chapter 20 Firewalls Fourth Edition by William Stallings Lecture...
Cryptography and Network Security
Chapter 20 Firewalls
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown, extended and adapted by Hans Hedbom
Chapter 20 – Firewalls
The function of a strong position is to make the forces holding it practically unassailable.
— On War, Carl Von Clausewitz
Introduction
- seen evolution of information systems
- now everyone wants to be on the Internet and to interconnect networks
- has persistent security concerns
  - can't easily secure every system in org
- typically use a Firewall to provide perimeter defence as part of comprehensive security strategy
What is a Firewall?
- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- provide NAT & usage monitoring
- implement VPNs using IPSec
- must be immune to penetration
Firewall Limitations
- cannot protect from attacks bypassing it
  - eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
- cannot protect against internal threats
  - eg disgruntled or colluding employees
- cannot protect against transfer of all virus infected programs or files
  - because of huge range of O/S & file types
Firewalls – Packet Filters
- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
  - hence restrict access to services (ports)
- possible default policies
  - that not expressly permitted is prohibited
  - that not expressly prohibited is permitted
Screening policy actions
Forward  The packet is forwarded to the intended recipient
Drop     The packet is dropped (without notification)
Reject   The packet is rejected (with notification)
Log      The packet's appearance is logged (to be combined with another action)
Alarm    The packet's appearance triggers an alarm (to be combined with another action)
Screening policies
- There should always be some default rules
  - The last rule should be "Drop everything from everyone", which enforces a defensive strategy
- Network monitoring and control messages should be considered
Attacks on Packet Filters
- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block
- source routing attacks
  - attacker sets a route other than default
  - block source routed packets
- tiny fragment attacks
  - split header info over several tiny packets
  - either discard or reassemble before check
Firewalls – Stateful Packet Filters
- traditional packet filters do not examine higher layer context
  - ie matching return packets with outgoing flow
- stateful packet filters address this need
- they examine each IP packet in context
  - keep track of client-server sessions
  - check each packet validly belongs to one
- hence are better able to detect bogus packets out of context
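The screening actions, the "drop everything from everyone" last rule and the stateful matching of return packets described on the preceding slides, worked through in a small Python model. This is an added example, not code from the slides or from any firewall product: the rules, the 10.0.0.0/8 "inside" network, the packets and the per-minute log cap are all constructed here to show how first-match evaluation, non-terminal Log/Alarm actions and a session table interact.

```python
"""Toy screening filter: first-match rules, an explicit "drop everything from
everyone" last rule, LOG combined with a rate limit, and a session table so
that return packets of an outgoing flow are recognised.
Added example; not code from the slides or from any firewall product."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("10.0.0.0/8")     # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # FORWARD, DROP, REJECT, LOG or ALARM
    proto: str = "any"
    src: str = "any"            # CIDR prefix or "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


class Filter:
    NON_TERMINAL = {"LOG", "ALARM"}     # "to be combined": evaluation continues after them

    def __init__(self, rules, log_limit_per_minute: int = 3):
        self.rules = list(rules)
        self.sessions = set()           # 5-tuples of flows opened from the inside
        self.log = []
        self.limit = log_limit_per_minute
        self._window = (None, 0)        # (minute, entries logged in that minute)

    def _log_allowed(self, now: float) -> bool:
        """Crude per-minute cap, in the spirit of iptables' -m limit, so a flood cannot fill the log."""
        minute = int(now // 60)
        if self._window[0] != minute:
            self._window = (minute, 0)
        if self._window[1] >= self.limit:
            return False
        self._window = (minute, self._window[1] + 1)
        return True

    def screen(self, p: Packet, now: float = 0.0) -> str:
        # Stateful check first: a reply to a session opened from the inside is
        # forwarded even though no rule would permit it on its own.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "FORWARD"
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action in self.NON_TERMINAL:
                if self._log_allowed(now):
                    self.log.append((rule.action, p))
                continue
            if rule.action == "FORWARD" and ipaddress.ip_address(p.src) in INSIDE:
                self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return rule.action
        return "DROP"   # default policy: what is not expressly permitted is prohibited


def demo():
    """Runs constructed packets through a small ruleset; returns verdicts and log size."""
    fw = Filter([
        Rule("FORWARD", proto="tcp", dst="10.0.0.5/32", dport=80),  # public web server
        Rule("FORWARD", src="10.0.0.0/8"),                          # trusted outbound
        Rule("LOG"),                                                # everything else: log ...
        Rule("DROP"),                                               # ... then drop (last rule)
    ])
    packets = [
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 80),     # inbound web request
        Packet("10.0.0.9", "198.51.100.2", "tcp", 51000, 443),   # internal client opens session
        Packet("198.51.100.2", "10.0.0.9", "tcp", 443, 51000),   # its reply: known session
        Packet("198.51.100.2", "10.0.0.9", "tcp", 443, 51001),   # bogus "reply": no session
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40001, 22),     # ssh probe
        Packet("203.0.113.8", "10.0.0.5", "udp", 5000, 53),
        Packet("203.0.113.9", "10.0.0.5", "icmp", 0, 0),
    ]
    verdicts = [fw.screen(p, now=float(i)) for i, p in enumerate(packets)]
    return verdicts, len(fw.log)    # 4 unsolicited packets, but only 3 logged
```

The fourth packet is the point of the stateful slide: it looks like a reply from a server the inside host is talking to, but the port tuple does not match any session the filter saw leave, so it falls through the rules to the last one and is dropped. A stateless filter that simply allowed "source port 443 from the outside" would have forwarded it.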
Advantage/Disadvantage
+ One screening router can protect a whole network
+ Packet filtering is extremely efficient
+ Packet filtering is widely available
- Current filtering tools are not perfect
- Some policies are difficult to enforce
- Packet filtering generates extra load for the router
Firewalls – Application Level Gateway (or Proxy)
- have application specific gateway / proxy
- has full access to protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- can log / audit traffic at application level
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic
Different modes
- Proxy-aware application software
  - The application software knows how to connect to the proxy and forward the final destination
- Proxy-aware operating system software
  - The operating system checks and, where needed, modifies the IP addresses to use the proxy
- Proxy-aware user procedures
  - The user has to follow some procedures. He tells the client software where to connect and also tells the proxy the destination address
- Proxy-aware router
  - The client attempts to make connections as usual and the router intercepts and redirects packets to the proxy
Firewalls – Circuit Level Gateway
- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created usually relays traffic without examining contents
- typically used when trust internal users by allowing general outbound connections
- SOCKS is commonly used
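The circuit-level gateway's decision point is the connection request, and SOCKS (named on the slide) is the usual protocol for it. The following Python code is an added example, not from the slides or from any SOCKS implementation: it builds the SOCKS5 CONNECT request a client sends (RFC 1928 format), parses it on the gateway side, applies a constructed policy (permitted destination ports, and no connections back into a protected network), and returns the reply the client would receive. The `CircuitGateway` class, its policy and all addresses are assumptions made for the example.

```python
"""SOCKS5 (RFC 1928) CONNECT exchange between a client and a circuit-level
gateway that relays only the TCP connections its policy permits.
Added example, not from the slides; the policy and addresses are constructed."""
import ipaddress
import struct

VER = 0x05
CMD_CONNECT, CMD_BIND = 0x01, 0x02
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_FAILURE, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT (sent after method negotiation)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                      # not a literal address: send the name
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data: bytes):
    """Gateway side: returns (cmd, host, port) or raises ValueError for malformed input."""
    if len(data) < 8 or data[0] != VER or data[2] != 0x00:   # 8 = shortest valid (1-char name)
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        n, host = 4, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        n, host = 16, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        n, host = 1 + data[4], data[5:5 + data[4]].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(data) != 4 + n + 2:
        raise ValueError("truncated request or trailing bytes")
    return cmd, host, struct.unpack("!H", data[4 + n:4 + n + 2])[0]


def reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; this toy gateway reports 0.0.0.0:0 as bound address."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


class CircuitGateway:
    """Decides per connection request; once allowed, a real gateway just relays bytes."""

    def __init__(self, allowed_ports, protected_nets):
        self.allowed_ports = set(allowed_ports)
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]

    def permits(self, host: str, port: int) -> bool:
        if port not in self.allowed_ports:
            return False
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # A name is accepted here; a real gateway resolves it and re-applies
            # the address check on the result before opening the relay.
            return True
        return not any(ip in net for net in self.protected)

    def handle(self, request: bytes) -> bytes:
        try:
            cmd, host, port = parse_request(request)
        except ValueError:
            return reply(REP_FAILURE)
        if cmd != CMD_CONNECT:
            return reply(REP_CMD_UNSUPPORTED)
        if not self.permits(host, port):
            return reply(REP_NOT_ALLOWED)
        return reply(REP_SUCCEEDED)
```

Byte 1 of the reply is the verdict: 0x00 means the gateway will now relay the two TCP connections, 0x02 is "connection not allowed by ruleset", and 0x07 rejects commands such as BIND that this gateway does not offer. Everything after that is outside the gateway's view, which is exactly the slide's point about not examining contents.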
Advantage/Disadvantage
+ Proxies can do intelligent filtering
+ Proxies can provide logging and caching
+ Proxies can provide user-level authentication
- Proxies cause a delay
- Proxies can require modifications to clients
- Proxies may require a different server for each service
Network Address Translation
- NAT allows a set of network addresses to be used internally and a different set externally
- Does not generate security itself but forces connections over one point
Modes
- Static allocation
  - The translation scheme is static
- Dynamic allocation of addresses
  - The connection addresses are determined on a per session basis
- Dynamic allocation of addresses and ports
  - Both addresses and ports are dynamic
Advantage/Disadvantage
+ NAT helps to enforce the firewall's control over outbound traffic
+ NAT helps to restrict incoming traffic
+ NAT hides the internal network configuration
- IP addresses embedded in application data can become a problem
- Dynamic allocation may interfere with encryption and authentication
- Dynamic allocation of ports may interfere with packet filters
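The three NAT modes from the Modes slide, and two of the points above (NAT restricting unsolicited incoming traffic, dynamic ports changing what a packet filter sees), as an added Python model. This is not code from the slides or from any NAT implementation: the `StaticNAT` and `DynamicNAT` classes, the address pools and all traffic are constructed for the example, and the "one whole address per session" behaviour of the address-only mode is a simplification chosen here.

```python
"""Toy NAT box showing the three allocation modes: static one-to-one
addresses, a dynamic address per session, and dynamic address plus port.
Added example, not from the slides; all addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNAT:
    """Static allocation: a fixed internal -> external address table, ports untouched."""

    def __init__(self, table):
        self.out = dict(table)
        self.inb = {ext: internal for internal, ext in table.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        ext = self.out.get(p.src)
        return None if ext is None else Packet(ext, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        internal = self.inb.get(p.dst)
        return None if internal is None else Packet(p.src, p.sport, internal, p.dport)


class DynamicNAT:
    """Dynamic allocation: a mapping is created the first time a (src, sport, dst, dport)
    flow leaves.  With translate_ports=False each session takes a whole address from the
    pool (simplification); with translate_ports=True one external address is shared and a
    fresh external port tells the sessions apart (the usual masquerading case)."""

    def __init__(self, pool, translate_ports: bool, first_port: int = 40000):
        self.pool = list(pool)
        self.translate_ports = translate_ports
        self.next_port = first_port
        self.out = {}   # inside 4-tuple -> (external address, external port)
        self.inb = {}   # (external address, external port) -> inside 4-tuple

    def outbound(self, p: Packet) -> Optional[Packet]:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            if self.translate_ports:
                ext = (self.pool[0], self.next_port)
                self.next_port += 1
            else:
                in_use = {addr for addr, _ in self.inb}
                free = [addr for addr in self.pool if addr not in in_use]
                if not free:
                    return None          # pool exhausted: the session cannot leave
                ext = (free[0], p.sport)
            self.out[key] = ext
            self.inb[ext] = key
        ext_addr, ext_port = self.out[key]
        return Packet(ext_addr, ext_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        key = self.inb.get((p.dst, p.dport))
        # Only replies to a session opened from the inside have a translation;
        # anything else has nowhere to go and is dropped.
        if key is None or (key[2], key[3]) != (p.src, p.sport):
            return None
        src, sport, _, _ = key
        return Packet(p.src, p.sport, src, sport)


def demo():
    """Constructed traffic through each mode; returns the translated packets."""
    static = StaticNAT({"10.0.0.5": "198.51.100.5"})
    web_in = static.inbound(Packet("203.0.113.7", 40000, "198.51.100.5", 80))

    per_addr = DynamicNAT(["198.51.100.10", "198.51.100.11"], translate_ports=False)
    s1 = per_addr.outbound(Packet("10.0.0.8", 51000, "93.184.216.34", 80))
    s2 = per_addr.outbound(Packet("10.0.0.9", 51000, "93.184.216.34", 80))
    s3 = per_addr.outbound(Packet("10.0.0.10", 51000, "93.184.216.34", 80))  # pool exhausted

    napt = DynamicNAT(["198.51.100.1"], translate_ports=True)
    a = napt.outbound(Packet("10.0.0.8", 51000, "93.184.216.34", 80))
    b = napt.outbound(Packet("10.0.0.9", 51000, "93.184.216.34", 80))   # same inside port, distinct outside
    reply = napt.inbound(Packet("93.184.216.34", 80, "198.51.100.1", a.sport))
    stray = napt.inbound(Packet("203.0.113.5", 4444, "198.51.100.1", 40777))
    return web_in, (s1, s2, s3), (a, b, reply, stray)
```

Two things worth noticing in the output: the stray inbound packet to the masquerading address gets `None`, which is the "NAT helps to restrict incoming traffic" point, and the two sessions that both used source port 51000 inside leave with ports 40000 and 40001, so a packet filter placed outside the NAT cannot write rules in terms of the inside port numbers.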
Bastion Host
- highly secure host system
- runs circuit / application level gateways
- or provides externally accessible services
- potentially exposed to "hostile" elements
- hence is secured to withstand this
  - hardened O/S, essential services, extra auth
  - proxies small, secure, independent, non-privileged
- may support 2 or more net connections
- may be trusted to enforce policy of trusted separation between these net connections
Multiple Screened Subnets
- Split-Screened subnet
  - Multiple networks between the exterior and interior router. The networks are usually connected by dual-homed hosts.
- Independent Screened Subnets
  - n Screened Subnets
Hybrid – Example Structure
[Figure: hybrid firewall structure; labels: Internet, Supplier Net, several DMZs, Employee LAN, Back End, Application, Database]
Evaluating a Firewall
- Scalability
- Reliability and Redundancy
- Auditability
- Price (Hardware, Software, Setup, Maintenance)
- Management and Configuration
Firewalls and Malware
- Should preferably control both ingoing and outgoing traffic
  - Windows XP firewall controls only ingoing traffic
  - Trojans can start up servers on the inside
- Firewall should preferably inspect packets on the application layer
  - Network layer based packet filters do not provide adequate protection
Firewalls and Malware
- New worms/viruses often try to kill firewall and anti-virus processes
- "Tunneled Worms"
  - Tunnel IP packet within other IP packet to hide real IP header
  - Tunneling program can be built into Trojans
[Figure: tunneled IP packet]
IP Tables
- IP Tables is the standard kernel firewall system for Linux since Kernel 2.4.x
- Packet Filtering and NAT for Linux
Rule
iptables [-t table] command [match] [target/jump]
- -t table
  - nat (PREROUTING, POSTROUTING)
  - mangle (PREROUTING, POSTROUTING)
  - filter (default) (FORWARD, INPUT, OUTPUT)

Rule
- Command
  - -P, --policy
  - -A, --append
  - -D, --delete
  - -R, --replace
  - -L, --list
  - ...

Rule
- Match (generic)
  - -p, --protocol (tcp, udp, icmp)
  - -s, --source (IP address[/mask])
  - -d, --destination (IP address[/mask])
  - -i, --in-interface (eth0, eth1, ppp1)
  - -o, --out-interface (eth0, eth1, ppp1)
  - -m, --match (match extension modules)

Rule
- Target/jump
  - -j ACCEPT
  - -j DROP
  - -j LOG
  - -j MASQUERADE
  - ...
Example Rules
iptables -P FORWARD DROP
  Introduce the general policy to drop all packets
iptables -t nat -P PREROUTING ACCEPT
  Accept prerouting nat traffic
iptables -A FORWARD -i eth1 -p tcp -d 193.10.221.184 --dport 80 -j ACCEPT
  Accept all TCP connections to port 80 coming in at my second network interface to my IP
iptables -A FORWARD -m limit --limit 3/minute -j LOG
  Log all refused connections, but at most 3 per minute (LOG does not stop evaluation, so the FORWARD policy still drops them)
Additional Literature
- Building Internet Firewalls, Zwicky, Cooper, ISBN 1565928717; O'Reilly
- iptables Tutorial 1.1.16, Oskar Andreasson, http://iptables-tutorial.frozentux.net/iptables-tutorial.html