FIREWALLS - SDU (imada.sdu.dk/~jamik/dm557-15/material/Firewalls.pdf)
FIREWALLS
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS: WHY
Prevent denial of service attacks:
  SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
Prevent illegal modification/access of internal data
  e.g., attacker replaces CIA's homepage with something else
Allow only authorized access to inside network
  set of authenticated users/hosts
TYPES
Three types of firewalls:
1. stateless packet filters
2. stateful packet filters
3. application gateways
STATELESS PACKET FILTERING
Internal network connected to Internet via router firewall.
Router filters packet-by-packet; decision to forward/drop packet based on:
  source IP address, destination IP address
  TCP/UDP source and destination port numbers
  ICMP message type
  TCP SYN and ACK bits
EXAMPLE 1
Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
Result: all incoming, outgoing UDP flows and telnet connections are blocked.
EXAMPLE 2
Block inbound TCP segments with ACK=0.
Result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
MORE EXAMPLES
Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80.
Policy: No incoming TCP connections, except those for institution's public Web server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
Policy: Prevent Web-radios from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP TTL expired traffic.
ACCESS CONTROL LISTS
ACL: Table of rules, applied top to bottom to incoming packets: (action, condition) pairs
ACCESS CONTROL LISTS (1) and (2)
action  source address     dest address       protocol  source port  dest port  flag bit
allow   222.22/16          outside 222.22/16  TCP       >1023        80         any
allow   outside 222.22/16  222.22/16          TCP       80           >1023      ACK
allow   222.22/16          outside 222.22/16  UDP       >1023        80         -
allow   outside 222.22/16  222.22/16          UDP       80           >1023      -
deny    all                all                all       all          all        all
STATEFUL PACKET FILTERING
Stateless packet filter: heavy-handed tool.
Admits packets that "make no sense," e.g., dest port = 80, ACK bit set, even though no TCP connection established:
action  source address     dest address  protocol  source port  dest port  flag bit
allow   outside 222.22/16  222.22/16     TCP       80           >1023      ACK
STATEFUL PACKET FILTERING
Track status of every TCP connection:
  track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets "make sense"
  timeout inactive connections at firewall: no longer admit packets
ACL (1) and (2)
action  source address     dest address       ptcl  source port  dest port  flag bit  check connection
allow   222.22/16          outside 222.22/16  TCP   >1023        80         any
allow   outside 222.22/16  222.22/16          TCP   80           >1023      ACK       X
allow   222.22/16          outside 222.22/16  UDP   >1023        80         -
allow   outside 222.22/16  222.22/16          UDP   80           >1023      -         X
deny    all                all                all   all          all        all
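The two ACL tables above differ only in the "check connection" column, and the slide before them shows the packet a stateless filter wrongly admits (inbound, source port 80, ACK set, no connection behind it). The following is an added example, not code from the lecture slides: it encodes the five-row ACL once, evaluates it first-match top to bottom as a stateless filter, and then again as a stateful filter that records connections opened from inside (SYN or first UDP datagram) and forgets them on FIN. The 222.22/16 network is taken from the slides; the host addresses, port numbers and packets are constructed for illustration, and the connection table is a deliberate simplification of real firewall state tracking.

```python
# Added example (not from the lecture slides): the five-row ACL from the
# slides evaluated first as a stateless filter and then as a stateful one that
# honours the "check connection" column. All host addresses and packets below
# are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("222.22.0.0/16")  # the slides' 222.22/16 internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src_inside: object   # True = 222.22/16, False = outside, None = all
    dst_inside: object
    proto: object        # "TCP", "UDP" or None = all
    sport: object        # "80", ">1023" or None = any
    dport: object
    flag: object         # "ACK" = ACK bit must be set, None = any
    check_conn: bool = False  # the stateful "X" column


def port_matches(spec, port):
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule, pkt):
    src_in = ip_address(pkt.src) in INSIDE
    dst_in = ip_address(pkt.dst) in INSIDE
    return ((rule.src_inside is None or rule.src_inside == src_in)
            and (rule.dst_inside is None or rule.dst_inside == dst_in)
            and (rule.proto is None or rule.proto == pkt.proto)
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport)
            and (rule.flag != "ACK" or pkt.ack))


# The table from the slides; rows 2 and 4 carry the "check connection" mark.
ACL = [
    Rule("allow", True, False, "TCP", ">1023", "80", None),
    Rule("allow", False, True, "TCP", "80", ">1023", "ACK", check_conn=True),
    Rule("allow", True, False, "UDP", ">1023", "80", None),
    Rule("allow", False, True, "UDP", "80", ">1023", None, check_conn=True),
    Rule("deny", None, None, None, None, None, None),
]


def stateless_decision(pkt, acl=ACL):
    """First matching rule wins, top to bottom; check_conn is ignored."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same ACL, but rows marked check_conn only admit packets belonging to a
    connection that an inside host opened through the firewall."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.conns = set()  # (inside ip, inside port, outside ip, outside port, proto)

    def decision(self, pkt):
        outbound = ip_address(pkt.src) in INSIDE
        # Normalise the 5-tuple so both directions of a flow share one key.
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        for rule in self.acl:
            if not rule_matches(rule, pkt):
                continue
            if rule.action != "allow":
                return "deny"
            if rule.check_conn and key not in self.conns:
                return "deny"  # e.g. inbound ACK with no connection behind it
            if outbound and not rule.check_conn:
                self.conns.add(key)  # connection setup seen from inside
            if pkt.fin:
                self.conns.discard(key)  # simplified teardown: forget at first FIN
            return "allow"
        return "deny"
```

Running the "makes no sense" packet through both filters shows the difference: the stateless filter returns "allow" from row 2, the stateful filter returns "deny" until an inside host has sent the outbound packet that row 1 admits, and returns "deny" again once a FIN has been seen.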
EXAMPLE: TELNET
Allow selected internal users to telnet outside.
Require all telnet users to telnet through gateway.
For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
Router filter blocks all telnet connections not originating from gateway.
LIMITATIONS OF FIREWALLS, GATEWAYS
IP spoofing: router can't know if data "really" comes from claimed source
if multiple apps need special treatment, each has own app. gateway
client software must know how to contact gateway
  e.g., must set IP address of proxy in Web browser
filters often use all-or-nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks
IDS: INTRUSION DETECTION SYSTEM
Deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
Examine correlation among multiple packets:
  port scanning
  network mapping
  DoS attack
INTRUSION PREVENTION SYSTEMS
Intrusion detection systems typically raise an alarm by email/SMS to the network admin.
An intrusion prevention system simply closes the connection in the firewall if something suspicious is detected.
SIGNATURE-BASED IDS
Maintains an extensive database of attack signatures
A signature is a set of rules describing an intrusion activity
  May simply be a list of characteristics of a single packet (src, dest, port numbers)
  Can be related to a series of packets
Signatures normally made by skilled network security engineers
Local system administrators can customize and add their own
SIGNATURE-BASED IDS
Operations of a signature-based IDS:
  Sniffs every packet passing by it
  Compares packet with each signature in database
  If it matches → generate an alert
SIGNATURE-BASED IDS
Limitations:
  Require previous knowledge of attack to generate signature
  Can generate false positives
  Large processing load, and may fail in detection of malicious packets
ANOMALY-BASED IDS
Creates a profile of standard network traffic
  As observed in normal operation
Then looks for packet streams that are statistically different
  Example: exponential growth in port scans or ping sweeps
ANOMALY-BASED IDS
Positive:
  Does not require prior knowledge of an attack
Limitation:
  Extremely challenging to distinguish between normal and unusual traffic
Most systems today are signature based
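The anomaly-based approach above is easy to state but the slide's limitation (telling normal from unusual) only becomes concrete with numbers. The following is an added example, not from the lecture slides: it builds a profile of normal traffic as the mean and standard deviation of how many distinct destination ports a source contacts per interval, then flags intervals that lie well above that profile, which is the "statistically different" test applied to a port scan. The baseline counts, the IP addresses, the event timestamps and the threshold of three standard deviations are all constructed for illustration; the example also includes a busy but legitimate host so that the false-positive problem the slide mentions is visible in the output.

```python
# Added example (not from the lecture slides): a toy anomaly-based detector.
# Profile = mean/std of distinct destination ports per source per interval
# during normal operation; anything far above the profile is flagged.
# All counts, addresses and timestamps below are constructed.
from statistics import mean, pstdev


def build_profile(baseline_counts):
    """Profile of "normal" traffic from per-interval counts observed during a
    training period when no attack was in progress."""
    return {"mean": mean(baseline_counts), "std": pstdev(baseline_counts)}


def is_anomalous(profile, count, k=3.0):
    """Flag a count more than k standard deviations above the baseline mean.
    The std is floored at 1.0 so a very quiet baseline does not flag everything."""
    return count > profile["mean"] + k * max(profile["std"], 1.0)


def distinct_ports_per_interval(events, interval=60):
    """events: (timestamp_seconds, src_ip, dst_port) tuples.
    Returns {(src_ip, interval_index): number_of_distinct_ports}."""
    seen = {}
    for ts, src, port in events:
        seen.setdefault((src, ts // interval), set()).add(port)
    return {key: len(ports) for key, ports in seen.items()}


def detect(profile, events, interval=60, k=3.0):
    """Return the (src_ip, interval_index) pairs whose port count is anomalous."""
    counts = distinct_ports_per_interval(events, interval)
    return sorted(key for key, n in counts.items() if is_anomalous(profile, n, k))


# Constructed training data: distinct ports per interval for a typical client.
BASELINE = [3, 4, 5, 4, 3, 6, 4, 5, 3, 4]          # mean 4.1, std ~0.94
PROFILE = build_profile(BASELINE)

# Constructed events. 10.0.0.5 behaves normally, 198.51.100.7 sweeps 40 ports
# in one interval (the scan), and 10.0.0.9 is a legitimate monitoring host
# that touches 8 services, enough to cross the threshold: a false positive.
EVENTS = (
    [(5, "10.0.0.5", p) for p in (22, 80, 443)]
    + [(70 + i, "198.51.100.7", 1 + i) for i in range(40)]
    + [(10 + i, "10.0.0.9", p) for i, p in enumerate((22, 80, 443, 3306, 5432, 6379, 8080, 9100))]
)


def run():
    return detect(PROFILE, EVENTS)


if __name__ == "__main__":
    print("profile:", PROFILE)
    print("anomalous (src, interval):", run())
```

With the constructed baseline the threshold is 4.1 + 3 × 1.0 = 7.1 distinct ports per interval, so the scanner is caught, but so is the monitoring host, which is exactly the tuning problem that pushes most deployments toward signatures.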
EXAMPLE IDS: SNORT
Multi platform
Open source
https://www.snort.org/
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A|"; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A|Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
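The rule above is the slide's concrete instance of a signature: two content checks chained by depth and distance, both case-insensitive. The following is an added example, not code from the slides or from the Snort project: it re-implements just enough of the content, depth, distance and nocase semantics to show how the two checks of sid:118 compose (depth limits the first search to the leading bytes of the payload; distance:0 anchors the second search at the end of the first match), and wraps them in the sniff/compare/alert loop from the "operations" slide. The payloads are constructed, the hex escapes |3A| and |0D 0A| are translated to ':' and CRLF by hand, and real Snort has a different matching engine and many more options.

```python
# Added example (not from the slides or Snort): a minimal evaluator for the
# content/depth/distance/nocase options of the rule on the slide, applied to
# constructed payloads.


def find_content(payload, pattern, start=0, depth=None, nocase=False):
    """Search `payload` for `pattern` beginning at `start`. With `depth`, only
    the first `depth` bytes from `start` are examined. Returns the offset just
    past the match, or -1 if not found."""
    hay = payload[start:] if depth is None else payload[start:start + depth]
    idx = hay.lower().find(pattern.lower()) if nocase else hay.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)


# The two content checks of sid:118 as (pattern, depth, distance, nocase).
# |3A| is ':' and |0D 0A| is CRLF in Snort's hex notation.
SID_118 = {
    "sid": 118,
    "msg": "MALWARE-BACKDOOR SatansBackdoor.2.0.Beta",
    "contents": [
        (b"Remote:", 11, None, True),
        (b"You are connected to me.\r\nRemote:Ready for commands", None, 0, True),
    ],
}


def contents_match(payload, contents):
    """Chain the content checks. A check without `distance` searches from the
    start of the payload; with `distance` it searches relative to the end of
    the previous match. All checks must succeed for the signature to match."""
    cursor = 0
    for pattern, depth, distance, nocase in contents:
        start = 0 if distance is None else cursor + distance
        end = find_content(payload, pattern, start=start, depth=depth, nocase=nocase)
        if end < 0:
            return False
        cursor = end
    return True


def scan(payloads, rules=(SID_118,)):
    """The operations slide in code: look at every payload, compare it with
    every signature, emit (payload_index, sid, msg) for each match."""
    alerts = []
    for i, payload in enumerate(payloads):
        for rule in rules:
            if contents_match(payload, rule["contents"]):
                alerts.append((i, rule["sid"], rule["msg"]))
    return alerts


# Constructed sample payloads.
BANNER = b"Remote: You are connected to me.\r\nRemote:Ready for commands\r\n"
MIXED_CASE = b"REMOTE: you ARE connected TO me.\r\nremote:ready FOR commands"
BENIGN = b"HTTP/1.1 200 OK\r\nServer: Remote: nothing to see"
BEYOND_DEPTH = b"x" * 12 + BANNER   # "Remote:" now starts past the 11-byte depth

if __name__ == "__main__":
    for alert in scan([BANNER, MIXED_CASE, BENIGN, BEYOND_DEPTH]):
        print(alert)
```

The BEYOND_DEPTH payload shows why depth is not merely an optimisation: the same banner shifted by a few bytes no longer matches, which is the signature-based limitation from the slides in miniature (the rule knows one exact shape of the attack and nothing else).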