Myles firewalls
Where firewalls fit in the corporate landscape

Firewall topics
• Why firewall?
• What is a firewall?
• What is the perfect firewall?
• What types of firewall are there?
• How do I defeat these firewalls?
• How should I deploy firewalls?
• What is good firewall architecture?
• Firewall trends.

What are the risks?
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Bad publicity, public embarrassment, and lawsuits

What needs to be secured?
• Crown jewels: patent work, source code, market analysis; information assets
• Any way into your network
• Any way out of your network
• Information about your network

Why do I need a firewall?
• Peer pressure.
• One firewall is simpler to administer than many hosts.
• It’s easier to be security conscientious with a firewall.

What is a firewall?
• As many machines as it takes to:
– be the sole connection between inside and outside.
– test all traffic against consistent rules.
– pass traffic that meets those rules.
– contain the effects of a compromised system.

Firewall components
• All of the machines in the firewall
– must resist penetration or compromise.
– retain enough information to recreate their actions.

The Perfect firewall
• Lets you do your business
• Works with existing security measures
• Has the security “margin of error” that your company needs.

The security continuum
• Ease of use vs. degree of security
• Cheap, secure, feature packed, easy to administer? Choose three.
• Default deny or default accept
(slide diagram: a scale running from “Easy to use” at one end to “Secure” at the other)

Policy for the firewall
– Who gets to do what via the Internet?
– What Internet usage is not allowed?
– Who makes sure the policy works and is being complied with?
– When can changes be made to policy/rules?
– What will be done with the logs?
– Will we cooperate with law enforcement?

What you firewall matters more than which firewall you use.
• Internal security policy should show what systems need to be guarded.
• How you deploy your firewall determines what the firewall protects.
• The kind of firewall is how much insurance you’re buying.

How to defeat firewalls
• Take over the firewall.
• Get packets through the firewall.
• Get the information without going through the firewall.

A partial list of back doors.
• personal modems
• vendor modems
• partner networks
• home networks
• loose cannon experts
• employee hacking
• reusable passwords
• viruses
• “helpful” employees
• off-site backup & hosting

Even perfect firewalls can’t fix:
• Tunneled traffic.
• Holes, e.g. telnet, opened in the firewall.
• WWW browser attacks / malicious Internet servers.

Priorities in hacking through a firewall
• Collect information.
• Look for weaknesses behind the firewall.
• Try to get packets through the firewall.
• Attack the firewall itself.
• Subvert connections through the firewall.

Information often leaked through firewalls
• DNS host information
• network configuration
• e-mail header information
• intranet web pages on the Internet

“Ground-floor windows”
• mail servers
• web Servers
• old buggy daemons
• account theft
• vulnerable web browsers

Attacking the firewall
• Does this firewall pass packets when it’s crashed?
• Is any software running on the firewall?

A fieldtrip through an IP packet
• Important fields are:
– source, destination, ports, TCP status
(slide diagram of the packet layout: IP header with TOS, SRC, DEST and options; TCP header with SPORT, DPORT, SEQ#, ACK# and the flag bits such as ACK, URG, SYN; then DATA)

Types of firewall
• Packet filters
• Proxy gateways
• Network Address Translation (NAT)
• Intrusion Detection
• Logging

Packet filters
• How packet filters work
– Read the header and filter by whether fields match specific rules.
– SYN flags allow the router to tell if a connection is new or ongoing.
• Packet filters come in dumb, standard, specialized, and stateful models

Standard packet filter
– allows connections as long as the ports are OK
– denies new inbound connections, using the SYN flag
– Examples: Cisco & other routers, Karlbridge, Unix hosts, steelhead.

Packet filter weaknesses
– It’s easy to botch the rules.
– Good logging is hard.
– Stealth scanning works well.
– Packet fragments, IP options, and source routing work by default.
– Routers usually can’t do authentication of end points.
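The header fields on the packet slide are exactly what a standard packet filter decides on, and the fragment weakness listed above follows directly from them. The Python below is an added example written for this edit, not part of the deck: it parses a raw IPv4/TCP packet, applies a first-match-wins rule list with a Cisco-style “established” test (ACK or RST set, never a bare SYN), and shows why a non-initial fragment, which carries no TCP header at all, slips past a rule that was written in terms of ports and flags. The 10.1.0.0/16 inside network, the mail server address, the rule set and the packets are all constructed for the example; nothing is sent on a wire.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: packets are built in memory with build_packet(); nothing is sent.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    frag_offset: int             # in 8-byte units; non-zero means "not the first fragment"
    more_fragments: bool
    sport: Optional[int] = None  # None when no TCP header is visible in this packet
    dport: Optional[int] = None
    flags: Optional[int] = None


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any port
    established: bool = False    # match only ongoing connections (ACK or RST set), never a bare SYN


def parse(raw: bytes) -> Packet:
    """Decode the IPv4 header and, only for the first fragment of a TCP datagram, the TCP header."""
    vihl, _tos, _length, _ident, frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    pkt = Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, frag & 0x1FFF, bool(frag & 0x2000))
    if proto == 6 and pkt.frag_offset == 0 and len(raw) >= ihl + 14:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        pkt.sport, pkt.dport, pkt.flags = sport, dport, off_flags & 0x01FF
    return pkt


def filter_packet(rules: List[Rule], pkt: Packet, drop_fragments: bool = False) -> str:
    """Standard packet filter: first matching rule wins, default deny. TCP-only for brevity."""
    if drop_fragments and (pkt.frag_offset or pkt.more_fragments):
        return "deny"  # hardened variant: refuse fragments rather than guess at what they carry
    for r in rules:
        if ipaddress.IPv4Address(pkt.src) not in r.src or ipaddress.IPv4Address(pkt.dst) not in r.dst:
            continue
        if pkt.flags is not None:  # TCP header visible: the port and flag tests can be applied
            if r.dport is not None and pkt.dport != r.dport:
                continue
            if r.established and not pkt.flags & (TCP_ACK | TCP_RST):
                continue
        # A non-initial fragment carries no TCP header, so a classic router ACL cannot apply
        # the port/flag tests and falls through to the layer-3 match: that is the weakness.
        return r.action
    return "deny"


def build_packet(src, dst, sport, dport, flags, frag_offset=0, more=False, payload=b"") -> bytes:
    """Assemble a raw IPv4(+TCP) packet as test input; checksums are left at zero."""
    body = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) if frag_offset == 0 else b""
    body += payload
    frag = (0x2000 if more else 0) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, frag, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body


INSIDE = ipaddress.IPv4Network("10.1.0.0/16")  # assumed internal network
ANY = ipaddress.IPv4Network("0.0.0.0/0")
INBOUND_RULES = [
    Rule("permit", ANY, ipaddress.IPv4Network("10.1.0.25/32"), dport=25),  # mail server open to the world
    Rule("permit", ANY, INSIDE, established=True),                        # replies to inside-initiated connections
]


def demo() -> dict:
    telnet = parse(build_packet("192.0.2.7", "10.1.0.9", 40000, 23, TCP_SYN))
    reply = parse(build_packet("192.0.2.7", "10.1.0.9", 80, 51000, TCP_SYN | TCP_ACK))
    mail = parse(build_packet("192.0.2.7", "10.1.0.25", 40001, 25, TCP_SYN))
    frag = parse(build_packet("192.0.2.7", "10.1.0.9", 0, 0, 0, frag_offset=1, payload=b"A" * 8))
    return {
        "new inbound telnet": filter_packet(INBOUND_RULES, telnet),
        "reply to inside client": filter_packet(INBOUND_RULES, reply),
        "new inbound smtp": filter_packet(INBOUND_RULES, mail),
        "non-initial fragment, naive": filter_packet(INBOUND_RULES, frag),
        "non-initial fragment, hardened": filter_packet(INBOUND_RULES, frag, drop_fragments=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The “naive” verdict on the fragment is the behaviour the slide warns about: the filter never saw a port or a flag, so a rule meant for established connections let an unsolicited fragment reach an inside host. The hardened variant drops fragments outright; a stateful filter instead reassembles them before deciding, which is the next slide's topic.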

Stateful packet filters
– SPFs track the last few minutes of network activity. If a packet doesn’t fit in, they drop it.
– Stronger inspection engines can search for information inside the packet’s data.
– SPFs have to collect and assemble packets in order to have enough data.
– Examples: Firewall-1, ON Technologies, SeattleLabs, ipfilter

Weaknesses in SPF
– All the flaws of standard filtering can still apply.
– Default setups are sometimes insecure.
– The packet that leaves the remote site is the same packet that arrives at the client.
– Data inside an allowed connection can be destructive.
– Traditionally SPFs have poor logging.
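To make “if a packet doesn’t fit in, they drop it” concrete, here is an added example (not from the deck) of a minimal stateful filter in Python: flows are created only by an outbound SYN from the inside, replies must arrive in the state the table expects, and an entry idle for longer than a few minutes is forgotten, so a late packet on a legitimate connection is dropped in exactly the same way as an attacker’s unsolicited SYN or ACK probe. The 10.1. inside prefix, the 180-second timeout and the packet trace are assumptions made up for the example; the trace is a list of dicts rather than real packets.

```python
from typing import Dict, List, Tuple

SYN, ACK, FIN, RST, PSH = 0x02, 0x10, 0x01, 0x04, 0x08
IDLE_TIMEOUT = 180.0      # seconds an idle connection stays in the table ("the last few minutes")
INSIDE_PREFIX = "10.1."   # assumed internal range, matched as a string prefix to keep the example short

FlowKey = Tuple[str, int, str, int]  # (inside addr, inside port, outside addr, outside port)


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[FlowKey, dict] = {}

    @staticmethod
    def _outbound(pkt: dict) -> bool:
        return pkt["src"].startswith(INSIDE_PREFIX)

    def _key(self, pkt: dict) -> FlowKey:
        if self._outbound(pkt):
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _expire(self, now: float) -> None:
        for k in [k for k, v in self.table.items() if now - v["last"] > IDLE_TIMEOUT]:
            del self.table[k]

    def handle(self, pkt: dict) -> str:
        """Return 'permit' or 'drop' for one TCP packet described as a dict (constructed input)."""
        now, flags, out = pkt["t"], pkt["flags"], self._outbound(pkt)
        self._expire(now)
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # Only inside hosts may open connections, and only with a bare SYN. An inbound SYN,
            # or an ACK-only probe with no matching flow, never matches and is dropped.
            if out and flags & SYN and not flags & ACK:
                self.table[key] = {"state": "SYN_SENT", "last": now}
                return "permit"
            return "drop"
        if flags & RST:  # either side aborts: forget the flow
            del self.table[key]
            return "permit"
        if entry["state"] == "SYN_SENT":
            if not out and flags & SYN and flags & ACK:
                entry["state"] = "ESTABLISHED"
            elif not (out and flags & SYN and not flags & ACK):  # anything but a SYN retransmit
                return "drop"
        elif not flags & ACK:  # mid-connection packet without ACK does not fit the flow
            return "drop"
        if flags & FIN:
            entry.setdefault("fins", set()).add(out)
            if entry["fins"] == {True, False}:  # both sides have closed
                del self.table[key]
                return "permit"
        entry["last"] = now
        return "permit"


def run(filter_: StatefulFilter, packets: List[dict]) -> List[str]:
    return [filter_.handle(p) for p in packets]


def pkt(t, src, sport, dst, dport, flags) -> dict:
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed trace: an inside client fetches a web page, an outsider probes, then the flow goes idle.
TRACE = [
    pkt(0.0, "10.1.0.5", 51000, "198.51.100.10", 80, SYN),           # inside opens a connection
    pkt(0.1, "198.51.100.10", 80, "10.1.0.5", 51000, SYN | ACK),     # the expected reply
    pkt(0.2, "10.1.0.5", 51000, "198.51.100.10", 80, ACK),           # handshake completes
    pkt(0.3, "198.51.100.10", 80, "10.1.0.5", 51000, PSH | ACK),     # data on the open flow
    pkt(1.0, "203.0.113.9", 4444, "10.1.0.5", 23, SYN),              # unsolicited inbound connection
    pkt(2.0, "203.0.113.9", 4444, "10.1.0.5", 22, ACK),              # ACK probe with no matching flow
    pkt(400.0, "198.51.100.10", 80, "10.1.0.5", 51000, PSH | ACK),   # same flow, but idle too long
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run(StatefulFilter(), TRACE)):
        print(f"t={p['t']:6.1f} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}  {verdict}")
```

The ACK probe at t=2.0 is the case that separates this filter from the standard one: a stateless “established” rule matches any packet with ACK set, whereas the table has no flow for it. The last packet shows the cost of the same design: after the idle timeout a perfectly legitimate segment is dropped, and the client has to reconnect.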

Proxy firewalls
• Proxy firewalls pass data between two separate connections, one on each side of the firewall.
– Proxies should not route packets between interfaces.
• Types: circuit level proxy, application proxy, store and forward proxy.

General proxy weaknesses
• The host is now involved, and accessible to attack.
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if authentication isn’t used.
• Higher latency & lower throughput.

Circuit level proxy
– Client asks FW for document. FW connects to remote site. FW transfers all information between the two connections.
– Tends to have better logging than packet filters
– Data passed inside the circuit could be dangerous.
– Examples: Socks, Cycom Labyrinth

Application proxy
– FW transfers only acceptable information between the two connections.
– The proxy can understand the protocol and filter the data within.
– Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing

Application proxy weaknesses
• Some proxies on an “application proxy” firewall may not be application aware.
• Proxies have to be written securely.
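An application proxy only earns its keep if it really parses the protocol and forwards its own rendition of the request rather than the client’s bytes; a proxy that is “not application aware” is just a circuit relay with extra latency. The following Python is an added example, not code from the deck or from any of the products named: it inspects one HTTP request the way such a proxy would, refuses methods that would turn the proxy into a blind tunnel (CONNECT, Upgrade), rejects ambiguous body framing, enforces a host allow list, strips hop-by-hop headers such as Proxy-Authorization, and rebuilds a canonical request. It assumes the proxy sees origin-form requests with a Host header (as a transparent proxy does); the allowed host and the sample requests are constructed.

```python
from typing import Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Headers that describe the client-proxy hop; they must not be forwarded to the origin server.
HOP_BY_HOP = {"connection", "proxy-connection", "proxy-authorization", "keep-alive", "te", "trailer"}


def inspect_request(raw: bytes, allowed_hosts) -> Tuple[str, str, bytes]:
    """Return (verdict, reason, request_to_forward). Only what the proxy understood is forwarded."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "incomplete request head", b""
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in request head", b""
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny", "malformed request line", b""
    method, target, _version = parts
    if method not in ALLOWED_METHODS:  # CONNECT would turn the proxy into a blind tunnel
        return "deny", f"method {method} not permitted", b""
    if not target.startswith("/"):     # assumption: origin-form targets only (transparent proxy)
        return "deny", "only origin-form targets are forwarded", b""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return "deny", "malformed header line", b""
        key = name.lower()
        if key in headers:  # duplicate headers are where framing tricks start
            return "deny", f"duplicate header {key}", b""
        headers[key] = value.strip()
    if headers.get("host", "").lower() not in allowed_hosts:
        return "deny", "host not on the allow list", b""
    if "upgrade" in headers:
        return "deny", "protocol upgrade (tunnelling) not permitted", b""
    if "content-length" in headers and "transfer-encoding" in headers:
        return "deny", "ambiguous message framing", b""
    if "transfer-encoding" in headers and headers["transfer-encoding"].lower() != "chunked":
        return "deny", "unsupported transfer-encoding", b""
    if "content-length" in headers:
        if not headers["content-length"].isdigit() or int(headers["content-length"]) != len(body):
            return "deny", "content-length does not match body", b""
    elif "transfer-encoding" not in headers and body:
        return "deny", "body without framing", b""
    # Rebuild a canonical request: the server receives the proxy's rendition, not the client's bytes.
    out = [f"{method} {target} HTTP/1.1"]
    out += [f"{k.title()}: {v}" for k, v in headers.items() if k not in HOP_BY_HOP]
    out.append("Connection: close")
    return "permit", "ok", ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body


ALLOWED_HOSTS = {"www.example.com"}  # assumed allow list

SAMPLES = {  # constructed requests
    "plain get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Proxy-Authorization: Basic Zm9vOmJhcg==\r\nUser-Agent: demo\r\n\r\n"),
    "connect tunnel": b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n\r\n",
    "smuggling": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "wrong host": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "post ok": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 7\r\n\r\nuser=ab",
}


def demo() -> dict:
    return {name: inspect_request(raw, ALLOWED_HOSTS)[:2] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:15s} {verdict:6s} {reason}")
```

Note what this proxy does not do: it never reads the chunked body it lets through, so “data inside an allowed connection can be destructive” still holds for a permitted POST. Content inspection is a separate, protocol-specific layer on top of this framing check.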

Store and forward, or caching, proxies
– Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail

Weaknesses of store & forward proxies
– Store and forward proxies tend to be big new programs. Making them your primary connection to the internet is dangerous.
– These applications don’t protect the underlying operating system at all.
– Caching proxies can require more administrator time and hardware.

Network Address Translation (NAT)
– NAT changes the IP addresses in a packet, so that the address of the client inside never shows up on the Internet.
– Examples: Cisco PIX, Linux Masquerading, Firewall-1, ipfilter

Types of NAT
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs outside
• Many IPs inside to one IP address outside
• Transparent diversion of connections

Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols – ICMP, IP options, FTP, fragments
• Can give out a lot of information about your network.
• May need a lot of horsepower
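“Can be stupid about complex protocols” and “can give out a lot of information about your network” are the same problem seen from two sides: FTP’s PORT command carries the client’s own IP address in the payload, so a NAT that rewrites only the header ships the inside address to the server. The following Python is an added example, not from the deck: a many-inside-to-one-outside NAT table, the leak, and the payload rewrite plus pre-opened inbound mapping that an FTP-aware NAT has to perform. The public address 203.0.113.1, the port range starting at 40000, the assumption that the server’s data connection comes from port 20, and the packets are all constructed for the example; packets are dicts, not real datagrams.

```python
import itertools
import re
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"  # assumed public address of the NAT box
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class Nat:
    """Many-inside-to-one-outside NAT: rewrite source address/port, remember the mapping for replies."""

    def __init__(self) -> None:
        self._ports = itertools.count(40000)
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}        # (src, sport, dst, dport) -> public port
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (public port, remote, rport) -> (src, sport)

    def outbound(self, pkt: dict) -> dict:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_table:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": PUBLIC_IP, "sport": self.out_table[key]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        target = self.in_table.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None  # no mapping: the packet has nowhere to go, so it is dropped
        return {**pkt, "dst": target[0], "dport": target[1]}


def ftp_port_leak(pkt: dict) -> Optional[str]:
    """Address that an active-mode FTP PORT command in the payload would reveal to the server."""
    m = PORT_RE.match(pkt.get("payload", b""))
    return ".".join(m.group(i).decode() for i in range(1, 5)) if m else None


def ftp_alg(nat: Nat, pkt: dict) -> dict:
    """What a NAT must add for FTP: rewrite PORT and pre-open the server's data connection."""
    m = PORT_RE.match(pkt.get("payload", b""))
    if not m:
        return pkt
    client_data_port = int(m.group(5)) * 256 + int(m.group(6))
    public_port = next(nat._ports)
    # Assumes the server opens the data connection from port 20 (ftp-data), as classic active mode does.
    nat.in_table[(public_port, pkt["dst"], 20)] = (pkt["src"], client_data_port)
    rewritten = b"PORT %s,%d,%d\r\n" % (PUBLIC_IP.replace(".", ",").encode(), public_port // 256, public_port % 256)
    return {**pkt, "payload": rewritten}


def demo() -> dict:
    nat = Nat()
    # Constructed: inside client 10.1.0.5 sends "PORT 10,1,0,5,200,10" (data port 51210) to an FTP server.
    ctrl = {"src": "10.1.0.5", "sport": 51000, "dst": "198.51.100.20", "dport": 21,
            "payload": b"PORT 10,1,0,5,200,10\r\n"}
    naive = nat.outbound(ctrl)                 # header translated, payload untouched
    fixed = nat.outbound(ftp_alg(nat, ctrl))   # payload rewritten as well
    m = PORT_RE.match(fixed["payload"])
    advertised_port = int(m.group(5)) * 256 + int(m.group(6))
    reply = nat.inbound({"src": "198.51.100.20", "sport": 21, "dst": PUBLIC_IP, "dport": naive["sport"]})
    data = nat.inbound({"src": "198.51.100.20", "sport": 20, "dst": PUBLIC_IP, "dport": advertised_port})
    probe = nat.inbound({"src": "192.0.2.7", "sport": 4444, "dst": PUBLIC_IP, "dport": 23})
    return {
        "naive leaks": ftp_port_leak(naive),       # the inside address, now on the Internet
        "alg advertises": ftp_port_leak(fixed),    # the public address instead
        "reply reaches": (reply["dst"], reply["dport"]),
        "data reaches": (data["dst"], data["dport"]),
        "unsolicited": probe,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

The “unsolicited” probe being dropped is the only firewalling plain NAT gives you, and it is an accident of the table, not a policy: any packet that matches a live mapping gets in, whatever it carries. The FTP case also shows why the slide says NAT “may need a lot of horsepower”: the box has to find and rewrite application payloads, not just headers.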

Intrusion detection
– Watches ethernet or router for trigger events, then tries to interrupt connections. Logs synopsis of all events.
– Can log suspicious sessions for playback
– Tend to be very good at recognizing attacks, fair at anticipating them
– Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker

Weaknesses of intrusion detection
– Can only stop TCP connections
– Sometimes stops things too late
– Can trigger alarms too easily
– Doesn’t work on switched networks (the sensor only sees traffic that reaches its own port, unless the switch mirrors traffic to it)

Logging
• Pros:
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
• Cons:
– Very programmer or administrator intensive
– Doesn’t prevent damage
– Needs a stable environment to be useful

Types of logging
• program logging
• syslog / NT event log
• sniffers
– Argus, Network General, HP Openview, TCPdump
• router debug mode
– A very good tool for tracking across your network

Commercial Logging
• Logging in almost all commercial firewall packages stinks
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based on log information
– No good way to integrate log files from multiple machines
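Three of the items the slide misses most, integration across machines, pattern recognition and tripwires, are a short script each once deny logs are normalized into one record shape. The following Python is an added example, not from the deck or any vendor: it parses two constructed deny-log formats (a router’s and a bastion host’s, both invented for this example), merges them by time, raises a port-scan alert when one source hits five distinct targets within a minute, and raises a tripwire alert on any contact with an address/port that nothing legitimate uses. The addresses, thresholds and log lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

# Two constructed deny-log formats, invented for this example (not any vendor's real syntax).
ROUTER_RE = re.compile(r"^(?P<ts>\S+) router: denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                       r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$")
BASTION_RE = re.compile(r"^(?P<ts>\S+) bastion ipf: block in on \S+ (?P<src>[\d.]+),(?P<sport>\d+) -> "
                        r"(?P<dst>[\d.]+),(?P<dport>\d+) PR tcp$")

SCAN_TARGETS = 5                 # distinct (host, port) pairs from one source ...
SCAN_WINDOW = 60.0               # ... within this many seconds counts as a port scan
TRIPWIRE = {("10.1.0.200", 23)}  # assumed canary: an address/port nothing legitimate ever touches


def normalize(line: str) -> Optional[dict]:
    """Turn a deny line from either device into one record shape; unknown lines are skipped."""
    for pattern in (ROUTER_RE, BASTION_RE):
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
                    "dst": d["dst"], "dport": int(d["dport"])}
    return None


def analyse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Merge logs from several machines, then apply a sliding-window scan rule and a tripwire rule."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    alerts: List[Tuple[str, str, str]] = []
    history = defaultdict(list)  # src -> events within the window
    reported = set()             # sources already reported as scanners, so each is reported once
    for e in events:
        if (e["dst"], e["dport"]) in TRIPWIRE:
            alerts.append(("tripwire", e["src"], f"touched {e['dst']}:{e['dport']}"))
        recent = history[e["src"]]
        recent.append(e)
        while (e["ts"] - recent[0]["ts"]).total_seconds() > SCAN_WINDOW:
            recent.pop(0)
        targets = {(x["dst"], x["dport"]) for x in recent}
        if len(targets) >= SCAN_TARGETS and e["src"] not in reported:
            reported.add(e["src"])
            alerts.append(("portscan", e["src"], f"{len(targets)} distinct targets within {int(SCAN_WINDOW)}s"))
    return alerts


# Constructed sample logs from two separate machines; the scan is only visible once they are merged.
ROUTER_LOG = [
    "2024-03-01T10:00:01 router: denied tcp 192.0.2.66(4000) -> 10.1.0.9(21)",
    "2024-03-01T10:00:05 router: denied tcp 192.0.2.66(4002) -> 10.1.0.9(23)",
    "2024-03-01T10:00:07 router: denied tcp 198.51.100.7(3000) -> 10.1.0.9(137)",
    "2024-03-01T10:00:12 router: denied tcp 192.0.2.66(4004) -> 10.1.0.9(80)",
    "2024-03-01T10:00:30 router: denied tcp 203.0.113.9(5555) -> 10.1.0.200(23)",
    "this line is corrupt and must be skipped",
]
BASTION_LOG = [
    "2024-03-01T10:00:02 bastion ipf: block in on ed0 192.0.2.66,4001 -> 10.1.0.9,22 PR tcp",
    "2024-03-01T10:00:09 bastion ipf: block in on ed0 192.0.2.66,4003 -> 10.1.0.25,25 PR tcp",
]

if __name__ == "__main__":
    for alert in analyse(ROUTER_LOG + BASTION_LOG):
        print(alert)
```

Run against the router log alone, the scanner only shows three targets and no scan alert is raised; it takes the two bastion-host entries to cross the threshold, which is the practical meaning of “no good way to integrate log files from multiple machines”.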

Firewall Tools
• All types of firewall are useful sometimes.
• The more compartments on the firewall, the greater the odds of security.
• Belt & suspenders

Firewall topology
• Webserver placement
• RAS server placement
• Partner network placement
• Internal information protection (intranet firewalling)

Firewall deployment checklist
• Have list of what needs to be protected.
• Have all of the networks configured for the firewall
• All rules are in place
• Logging is on.

What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better be secure.
– If these services can’t be secured, what do you have to lose?

Last checks
• Day 0 Backups made?
• Are there any gaps between our stated policy and the rules the firewall is enforcing?

Auditing
• A firewall works when an audit finds no deviations from policy.
• Scanning tools are good for auditing conformance to policy, not so good for auditing security.
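“A firewall works when an audit finds no deviations from policy” can be checked mechanically once policy is written down as test flows with expected verdicts, which is also the honest answer to the earlier question about gaps between stated policy and the rules actually enforced. The following Python is an added example, not from the deck: it evaluates an ordered, first-match-wins rule list against such a policy table, reports every flow whose verdict differs from policy, and flags rules that an earlier rule already covers and so can never fire. The rule set, the partner network and the policy flows are constructed for the example; the over-broad partner rule is deliberate.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source address, destination address, destination port)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any port


def matches(rule: Rule, flow: Flow) -> bool:
    src, dst, dport = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First match wins, default deny; also report which rule decided."""
    for i, r in enumerate(rules):
        if matches(r, flow):
            return r.action, i
    return "deny", None


def covers(a: Rule, b: Rule) -> bool:
    """True when every flow rule b could match is already matched by rule a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def audit(rules: List[Rule], policy: Dict[Flow, str]) -> dict:
    """Compare enforced verdicts with policy and list rules shadowed by an earlier rule."""
    deviations = [(flow, want, got, idx) for flow, want in policy.items()
                  for got, idx in [evaluate(rules, flow)] if got != want]
    shadowed = [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]
    return {"deviations": deviations, "shadowed": shadowed}


# Constructed rule set with two mistakes: rule 1 is broader than intended and makes rule 2 unreachable.
RULES = [
    Rule("permit", "0.0.0.0/0", "10.1.0.25/32", 25),          # 0: mail server open to the world
    Rule("permit", "198.51.100.0/24", "10.1.0.0/16"),         # 1: partner network, any port (too broad)
    Rule("permit", "198.51.100.0/24", "10.1.0.40/32", 443),   # 2: what the partner was meant to get
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                   # 3: explicit default deny
]

# Constructed policy statements, written as test flows -> expected verdict.
POLICY: Dict[Flow, str] = {
    ("192.0.2.7", "10.1.0.25", 25): "permit",      # anyone may deliver mail
    ("192.0.2.7", "10.1.0.9", 23): "deny",         # no telnet from outside
    ("198.51.100.5", "10.1.0.40", 443): "permit",  # partner reaches the extranet server
    ("198.51.100.5", "10.1.0.9", 23): "deny",      # partner gets nothing else
    ("198.51.100.5", "10.1.0.25", 25): "permit",   # partner may deliver mail like anyone
}

if __name__ == "__main__":
    result = audit(RULES, POLICY)
    for flow, want, got, idx in result["deviations"]:
        print(f"DEVIATION {flow}: policy says {want}, rule {idx} says {got}")
    for j in result["shadowed"]:
        print(f"SHADOWED rule {j}: {RULES[j]} can never match")
```

The deviation is what the slide calls a policy gap: the partner rule was written with “any port” and the telnet test flow exposes it. The shadowed rule is the tell-tale that someone noticed the intent and added rule 2 without realizing rule 1 already swallows it; a scanner from the partner network would report the same result, but only for the ports it happened to try.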

Sample configurations
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific resources.

Minimal restriction, good security
• Stateful packet filter, dmz, packet filter, intrusion detection.
(slide diagram of this layout, ending at the Inside network)

The Multimedia Nightmare
• Secure multimedia & database content to be provided to multiple Internet destinations.
• Web server is acting as authentication & security for access to the Finance server.
(slide diagram: proxy and cache in front of the Inside network)

Firewalls in multiple locations
– Identical proxies on both sides.
(slide diagram labelled “VPN over internal LAN”)

Low end, good security, for low threat environments
• Packet filter, “Sacrificial Goat” web server, Application Firewall, bastion host running logging & Store & Forward proxies
(slide diagram: store & forward proxy in front of the Inside network)

High end firewalls
• ATM switching firewalls
• Round robin gateways– Don’t work with transparent proxies
• High availability

Firewall Trends
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– VPNs
– Dumb protocols
– LAN equipment & protocols showing up on the Internet
– Over-hyped content filtering

More Firewall Trends
– blurring between packet filters & application proxies
– more services running on the firewall
– High availability, fail-over and hot swap ability
– GUIs
– Statistics for managers

Firewall trends & “religious” issues.
• Underlying OS for firewalls
– Any firewall OS should have little in common with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify” firewalls yourself.

Source vs. Shrink-wrap
• Low end shrinkwrap solutions
• The importance of source
– Can you afford 1.5 programmer/administrators?
– Are you willing to have a non-employee doing your security? (Whose priorities win?)

Downside of firewalls
• single point of failure
• difficult to integrate into a mesh network
• highlights flaws in network architecture
• can focus politics on the firewall administrator

Interesting firewall products
– Checkpoint Firewall-1 http://www.checkpoint.com
– SecureNetPro http://www.mimestar.com
– IP Filter http://coombs.anu.edu.au/~avalon/ip-filter.html
– Seattle Labs http://www.sealabs.com
– Karlnet Karlbridge http://www.karlnet.com
– V-One inc http://www.v-one.com
– ISS Realsecure http://www.iss.net