firewalls - start [APNIC TRAINING WIKI]
Firewalls
Steven M. Bellovin, https://www.cs.columbia.edu/~smb
Matsuzaki 'maz' Yoshinobu <[email protected]>
What's a Firewall?
• A barrier between "us" and the Internet
• All traffic, inbound or outbound, must pass through it
• Firewalls enforce policy: only certain traffic is allowed to flow
Inside and Outside
(Figure: Inside | Firewall | Outside)
• Inside: "good" users, the same security policy
• Outside: bad/untrusted users
Why Use Firewalls?
• Firewalls are a scalable solution: you don't have to manage many boxes
• Firewalls are under your control
• Usual purpose: keep attackers away from buggy code on hosts
• Generally speaking, firewalls are not network security devices; they're the network's response to buggy, insecure hosts
– A suitably hardened host isn't helped much by a firewall
Policies
• Firewalls can enforce policies at any layer of the network stack
• Accept/reject MAC addresses, IP addresses, port numbers, various forms of application content, etc.
• Policies reflect organizational needs
– General philosophy: accept "safe", necessary traffic; reject all else
(Figure: the network stack: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Link, 1 Physical)
Firewalls Implement Policy
• If you do not have a security policy, a firewall can't help you
– Firewalls are not magic security devices
– Simply having one doesn't protect you; what matters is the policy they enforce
• If there is no single policy for the entire network, a firewall doesn't do much good
– Example: ISP networks can't be firewalled, because every customer has different security needs and policies
– But — the ISP's own computers can be firewalled
Failure Models
(Figure: Inside | Firewall | Outside, with other Internet connections shown alongside the firewall)
• "good" and "bad" users
• exceptions and complex policy
Some Sample Policy Rules
• Allow inbound TCP port 25 (SMTP) destined for the mail host
• Block and log outbound TCP port 25 unless it's from the authorized mail host
• Allow outbound TCP ports 80 or 443 only from the designated web proxy
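The three sample rules above, written as an ordered first-match policy with a default deny (the "accept safe, necessary traffic; reject all else" philosophy from the Policies slide). This is an added example, not code from the slides; the addresses in 192.0.2.0/24 and the peer 198.51.100.7 are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the hosts the rules name (not from the slides).
MAIL_HOST = "192.0.2.25"   # the authorized mail host
WEB_PROXY = "192.0.2.80"   # the designated web proxy

@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    direction: str             # "in" (from the Internet) or "out" (to the Internet)
    dport: int                 # destination TCP port
    src: Optional[str] = None  # match only this source address, if set
    dst: Optional[str] = None  # match only this destination address, if set
    log: bool = False          # record the flow when this rule fires

# The slide's sample rules as an ordered, first-match list. Order carries the
# "unless" in the second rule: the mail host's own SMTP is allowed before the
# catch-all block-and-log rule is reached. Anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("allow", "in",  25,  dst=MAIL_HOST),
    Rule("allow", "out", 25,  src=MAIL_HOST),
    Rule("block", "out", 25,  log=True),
    Rule("allow", "out", 80,  src=WEB_PROXY),
    Rule("allow", "out", 443, src=WEB_PROXY),
]

def evaluate(direction: str, src: str, dst: str, dport: int,
             log: Optional[List[str]] = None) -> str:
    """Return 'allow' or 'block' for one TCP flow, appending a line to `log`
    when a logging rule matched. Unmatched flows are blocked (default deny)."""
    for rule in POLICY:
        if rule.direction != direction or rule.dport != dport:
            continue
        if rule.src is not None and rule.src != src:
            continue
        if rule.dst is not None and rule.dst != dst:
            continue
        if rule.log and log is not None:
            log.append(f"{rule.action} {direction} {src}->{dst}:{dport}")
        return rule.action
    return "block"   # default deny: reject everything the policy did not allow

if __name__ == "__main__":
    events: List[str] = []
    # A desktop (constructed address) sending mail directly: blocked and logged.
    print(evaluate("out", "192.0.2.50", "198.51.100.7", 25, events), events)
    # The proxy's HTTPS is allowed; the same desktop's HTTPS is not.
    print(evaluate("out", WEB_PROXY, "198.51.100.7", 443),
          evaluate("out", "192.0.2.50", "198.51.100.7", 443))
```

The `events` list stands in for the log file the Crafting Policy Rules slide tells you to watch: a block-and-log hit from an unexpected inside host is exactly the kind of entry that reveals a misconfigured host or a rule that is wrong.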
Crafting Policy Rules
• A complex process: must balance business needs against network threats
– Both are constantly changing
– Generally, no single person knows both well
• It's easy to get it wrong; both the policy and its implementation can have errors
• Iterative process: deploy a set of rules, and watch for errors and complaints
– Check your log files and flow records!
Topology
• Three classes of nets: untrusted (the outside), trusted, and semi-trusted (DMZ = "Demilitarized Zone")
• Service hosts — mail, DNS, web, etc. — go in the DMZ
– Mostly protected from the outside, but not fully trusted because of outside exposure
(Figure: Inside, DMZ, Internet)
Implementing Firewalls
• Any router or Linux/BSD host can filter at layers 3 and 4
• The real troubles are higher up: emailed viruses, infected PDFs, web pages with JavaScript that exploits browser bugs, and more
• Some protocols, e.g., FTP and SIP, can't be handled just at the lower layers, because they require other ports to be opened up dynamically
• Must have application proxies for many protocols; either rules or mechanisms must be able to divert traffic to these proxies
The Trouble with Firewalls
• There is too much connectivity that doesn't fit the simple model
– Special links to customers, suppliers, joint venture partners, contractors, etc.
– Very many connections to the outside
– Branch offices
– Laptops and smartphones!
• Different threat models
• The classic model of the firewall doesn't work that well anymore for large organizations
Mobile Devices
• By definition, mobile devices sometimes live outside the firewall
• This is necessary if people are to get their jobs done
• But they have to have inside connectivity (or at least sensitive inside data), too
• Risk: devices can be compromised when outside, and bring the infection home
• Risk: devices can be stolen
Firewalls and Threat Models
• Firewalls generally (but not always) deflect unskilled hackers
• Opportunistic hackers may or may not be kept out; they can often penetrate a single inside host and work from there
• Disgruntled employees are already on the inside
• Intelligence agencies won't be kept out by simple schemes
– The NSA reputedly has canned tools to attack common commercial firewalls
What to Do?
• Multiple layers of defense
– Large, enterprise firewall to protect the company, complete with central service hosts
– Departmental firewalls to isolate printers, file servers, etc.
– Hardened hosts, plus automated tools to maintain them
– Lots of logging and monitoring