Transcript of Network Security Fundamentals - University of Michigan
Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan
2013
Network Security Fundamentals
Module 6 Firewalls & VPNs
Topics
• Firewall Fundamentals
• Case study: Linux iptables
• Virtual Private Networks (VPNs)
3 04/13 cja 2013
Firewalls
Firewalls
• A firewall limits the extent to which hosts on different networks can interact with one another
Types of firewalls
• Packet level
• Application level
• Host-based
Packet level firewalls
• Firewall inspects incoming packets
• Blocks packets violating policy rules
  => packets dropped without acknowledgement
• Rules allow blocking based on
  - Source and destination IP address
  - Source and destination port
  - Protocol, flags, TOS, …
Statelessness
• Traditional packet level firewalls treated every packet independently
  - Stateless firewalling
• Problem
  - Doesn't relate packet information to the overall packet flow
  - Doesn't remember anything
• Results in coarse-grained control
  - Forces overly liberal or conservative policies
Example
• H.323 video streaming protocol
  - Initiates two TCP connections and several RTP (real-time transport protocol) streams
  - The RTP streams contain no information relating them to the H.323 application
  - How should a stateless firewall decide if these streams are to be blocked?
Example
• IP Fragmentation
  - All but the first fragment don't specify ports
Statefulness
• Solution: firewall keeps state about recent packet flows
  - Decides to block a packet based on packet contents plus stored state
  - More fine-grained control
  - Obviates application-level firewalls
• Problem
  - All that state consumes firewall resources
Canonical firewalled network
Zones
Collection of networks with specified security properties
• Perimeter
• DMZ
• Wireless
• Intranet
Perimeter zone
The outside world
• Untrusted zone
• No control over hosts in this zone
• Internet rules
DMZ
Demilitarized zone
• Contains an organization's publicly visible services (email, Web, DNS, FTP, …)
  - Hardened hosts
  - Proxies
• Semi-trusted zone
Intranet zone
• Most trusted zone
• Organizational assets placed here
• Access blocked from untrusted zones
  - Access via proxies in the DMZ only
Wireless zone
A perimeter zone!
• Untrusted hosts
• Semi-trusted network
Application-level firewalls
Application proxy server
• Accepts client traffic
• Maintains state, validates traffic
• Passes validated traffic to server
Application-level firewalls
• Firewall worries about security
  - Obviates security-related server changes
  - Hampers defense-in-depth
• Firewall must understand application protocol
  - Increased complexity
• Stateful packet-level firewalls are an alternative
Host-based firewalls
• Firewall runs on individual hosts
• Placed between incoming packets and the host network stack
• Acts like a packet-level firewall
Host-based firewalls
• Each host requires policy management
  - Administration headache
  - Simple default policies in distributions
• Defense-in-depth
iptables
IP Tables
• Linux packet-level firewall
• Successor to IP Chains
• NAT/NAPT support
• Extended functionality via modules
• Stateful filter support
• Applications
  - Host-based firewall
  - Stateful packet firewall (routing enabled with net.ipv4.ip_forward=1 in /etc/sysctl.conf)
IP Tables Architecture
• Three tables for organization
  - filter, nat, mangle
• Each table contains several chains
  - built-in (invoked at fixed points in the network layer)
  - user-defined
• Each chain contains several rules
  - first rule matched determines the action taken
• Each rule contains matching criteria and a target
• Built-in chains have policies
  - a policy specifies the default target if no rule in the chain matches
Rules
• (Standard) matching criteria
  - protocol
  - source IP (address/mask)
  - dest IP (address/mask)
  - port (source/dest/both)
  - interface (input/output)
• Target
Rules
• Extended matching criteria
  - Implemented via modules
• Connection state matching
  - INVALID: packet not associated with any connection
  - NEW: packet is starting a new connection
  - ESTABLISHED: packet is associated with an existing connection
  - RELATED: packet is starting a new connection, but is associated with an existing connection
    » FTP DATA, ICMP error
• Several other extended matching criteria
Predefined targets
• All terminate processing in this chain for this packet
  - ACCEPT: accept packet for processing
  - DROP: drop packet
  - QUEUE: pass packet to userland (not common)
  - RETURN: return to calling chain (use policy if no calling chain)
Extended targets
• Both terminating and non-terminating targets
  - REJECT (terminating): return packet indicating error
  - LOG (non-terminating): generate log entry
  - …
filter table
• Default table
• Built-in chains
  - INPUT: incoming network packets
  - FORWARD: packets being routed by the host
  - OUTPUT: locally-generated packets output to the network
nat table
• For network address translation
• Built-in chains
  - PREROUTING (DNAT): alter packets as they arrive
  - OUTPUT: alter locally-generated packets before routing
  - POSTROUTING (SNAT): alter packets as they depart
mangle table
• For specialized packet changes
  - change TOS/DSCP header
  - set netfilter mark value
  - …
• Built-in chains
  - PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
Firewall traversal (diagram; stages shown: Prerouting, Route, Forward, Postrouting, Output, Local, Input)
Firewall Traversal (diagram by Rob Mayoff)
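The nat table chains and the traversal order above, as an added example that is not from the slides: a gateway between the perimeter, DMZ and intranet zones, with DNAT in PREROUTING, SNAT in POSTROUTING and the zone-to-zone policy in FORWARD, emitted in iptables-restore format. All interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Gateway rule set for the canonical three-zone layout: perimeter (WAN),
# DMZ and intranet. nat table: PREROUTING DNAT publishes a DMZ web server
# on the public address; POSTROUTING SNAT hides intranet hosts behind it.
# filter table: FORWARD decides which zone-to-zone flows are routed.
# Interface names and addresses are constructed for this example.
WAN_IF=eth0; WAN_IP=203.0.113.10
DMZ_IF=eth1; DMZ_WEB=172.16.1.80
LAN_IF=eth2; LAN_NET=192.168.10.0/24

gen_gateway_ruleset() {
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # DNAT runs before routing: the destination is rewritten to the DMZ
    # host, so the FORWARD chain later sees the private address.
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80"
    # SNAT runs after routing: intranet flows leave with the public address.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    # Nothing is routed unless a FORWARD rule allows it; DMZ to intranet
    # has no rule, so that direction falls to the DROP policy.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Perimeter -> DMZ: only new HTTP flows to the published server.
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    # Intranet -> perimeter: new outbound flows from the intranet network.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    # REJECT (extended, terminating) tells intranet senders the path is
    # closed instead of silently dropping, which helps debug zone policy.
    printf '%s\n' "-A FORWARD -i $LAN_IF -j REJECT --reject-with icmp-admin-prohibited"
    printf '%s\n' 'COMMIT'
}

# Routing itself is a kernel setting, not an iptables rule.
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }

# Number of FORWARD rules admitting NEW flows: one per permitted zone pair.
count_forward_new() {
    gen_gateway_ruleset | grep -c -- '-A FORWARD .*--state NEW -j ACCEPT'
}

# Load both tables atomically (needs root; add --test to only parse).
apply_gateway_ruleset() {
    gen_gateway_ruleset | iptables-restore "$@"
}
```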
Some caveats
• iptables and ipchains don't mix
• rule additions are atomic … rule set additions are not
• avoid leaving the firewall open while editing … use DROP, DENY, REJECT policies
• policy actions do not log
• rules are not removed when an interface goes down
• raw sockets are unaffected by rules
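As an added example (not from the slides), a host-based stateful filter that puts the Rules, targets and caveats slides together: DROP policies preceded by a logging rule because a policy never logs, ESTABLISHED/RELATED accepted on stored state, and the whole set loaded through iptables-restore so the host is never left with a half-edited rule set. The interface name, port list and log prefix are assumptions.

```shell
#!/bin/sh
# Stateful host-based firewall for the filter table, emitted in
# iptables-restore format so the whole rule set is swapped in atomically
# (a single iptables -A/-I call is atomic; a sequence of them is not, and
# the host is exposed in between). Constructed for this example.

# Assumed parameters: the Internet-facing interface and the TCP services
# this host offers (hypothetical values, adjust for the real host).
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22 80 443}"

gen_host_ruleset() {
    printf '%s\n' '*filter'
    # Built-in chains with a DROP policy: unmatched packets are dropped,
    # but a chain policy never logs, so a LOG rule must come before it.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # User-defined chain: LOG is non-terminating, DROP terminates.
    printf '%s\n' ':LOGDROP - [0:0]'
    printf '%s\n' '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    printf '%s\n' '-A LOGDROP -j DROP'
    # Loopback traffic is always accepted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Connection-state matching (extended match, state module): packets of
    # an existing or related flow (FTP data, ICMP errors) pass on stored
    # state alone; packets that belong to no known connection are dropped.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j LOGDROP'
    # Only the first packet (NEW) of a flow to an offered service is checked
    # against ports; the rest of that flow is handled by the rule above.
    for p in $ALLOW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Echo requests are answered; everything else is logged, then dropped.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' '-A INPUT -j LOGDROP'
    printf '%s\n' 'COMMIT'
}

# Number of rules that admit NEW connections: one per offered port.
count_new_accepts() {
    gen_host_ruleset | grep -c -- '--state NEW -j ACCEPT'
}

# Load the rule set (needs root). Pass --test to parse without committing.
apply_host_ruleset() {
    gen_host_ruleset | iptables-restore "$@"
}
```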
iptables lab
• Examine the iptables man page
  man iptables
• Examine existing firewall settings
  sudo service iptables status
  sudo iptables -L
• Add firewall rules
  sudo iptables -I …
Virtual Private Networks (VPNs)
Roadmap
• Definition
• VPN Uses
• Types of VPNs
• Protocol Details
Definition
A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines.
A VPN uses encryption to authenticate the communications endpoints and to secure your data as it travels over an insecure network.
VPN motivators
• Confidentiality, Integrity & Authentication
  - Encryption
• Bypass blocks
  - Border
  - Local ISP
• Extends the office network
  - VoIP
  - Drive mapping
• Collaboration
• Enabling technology
Some VPNs
• Protocol
  - IPSec: standards-based, varied encryption levels, flexible
  - SSL: clientless (Web browser)
• Application
  - SSH
VPN is not a single solution
IPSec Details
IPSec protocol
• Internet Standard
• Two complementary protocols
  - Authentication Header (AH): prevents tampering with packet headers
  - Encapsulating Security Payload (ESP): provides confidentiality and integrity of packet contents
IPSec Details – AH (Protocol 51)
• AH Transport – Used to authenticate the integrity of the datagram
  - All authenticated (except mutable fields, e.g., TTL)
  - As the entire packet is authenticated, there are some limitations. If using NAT or a firewall where a gateway changes your address, then the packet will fail to authenticate at the far end as the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be considered the endpoint.
AH transport-mode packet layout (diagram): IP Header (with options) | AH | Transport Layer Header | Transport Layer Data
IPSec Details – ESP (Protocol 50)
• Encapsulating Security Payload
  - ESP encrypts the payload so that it is private as it passes through the network
  - Note that ESP authentication does not cover the IP header, so ESP has no problem working behind NAT.
ESP transport-mode packet layout (diagram): IP Header (with options) | ESP Header | Transport Layer Header | Transport Layer Data | ESP Trailer | ESP Authentication. The transport layer header, transport layer data and ESP trailer are encrypted; everything from the ESP header through the ESP trailer is authenticated.
Logical Connection to VPN Concentrator (diagram): a Remote Access client (split tunnel) and a Wireless User (non-split tunnel) are tunneled across the Public Network to a Cisco 3030 concentrator (141.211.255.196, 192.168.4.6) on the UM backbone, with an Internal Server and Yahoo as destinations; address pools 192.168.4.10 – 192.168.7.249 and 141.211.12.10 – 141.211.12.250.