17 firewalls
8/8/2019 17 Firewalls
1/17
CEN 448 Security and Internet Protocols
Chapter 20 Firewalls
Dr. Mostafa Hassan Dahshan, Computer Engineering Department
College of Computer and Information Sciences, King Saud University
Firewalls
Internet connectivity is essential to the organization
The Internet provides benefits
But it also enables outsiders to reach local resources
Not practical to secure every workstation
The alternative is a firewall
Inserted between the local network and the Internet
Single choke point at which to impose security and auditing
Design Goals
All traffic must pass through the firewall, from inside to outside and from outside to inside
block all access to the LAN except through the firewall
Only authorized traffic is allowed to pass
as defined by the security policy
Firewall immune to penetration
must run on a secure operating system
access control must be defined
Capabilities
Single choke point
simplifies security management
provides protection from various attack types
Monitoring of security-related events
implement audits and alarms
Can provide non-security related services
DNS, network management
Platform for IPSec
using tunnel mode to implement a VPN
What Firewalls Cannot Protect Against
Attacks that bypass the firewall
dial-out or dial-in service inside the LAN
violates the single choke point rule
Internal threats
disgruntled employee cooperating with an attacker
Transfer of virus-infected programs
various types of operating systems and file types
impossible to scan all file types
Types of Firewalls
Packet-filtering router
Stateful inspection firewalls
Application-level gateway
Circuit-level gateway
Packet-Filtering Routers
Apply a set of rules to each incoming or outgoing IP packet
Packet is then forwarded or discarded
Filtering rules based on
source IP address: e.g., 192.168.1.1
destination IP address: e.g., 192.168.1.2
transport protocol: TCP, UDP, DCCP, SCTP
transport port number
interface: inside, outside, or multiple interfaces
Packet-Filtering Routers
Filter set up as a list of rules
Rules match fields in the IP or TCP header
If the packet matches one of the rules, that rule is invoked
If no rule matches, apply the default rule
Default rule can either be
deny: discard all packets except those permitted by a rule
permit: forward all packets except those denied by a rule
Packet Filtering Examples
Inbound mail allowed, but only to the gateway host
Packets from the SPIGOT host are blocked
SPIGOT has a history of sending massive amounts of email
Packet Filtering Examples
Explicit statement of the default policy
Conservative approach: everything is blocked
Services must be added on a case-by-case basis
More secure, but inconvenient for users
With default allow, the admin must identify all threats
Packet Filtering Examples
Any inside host can send mail to the outside
TCP packets with remote port 25 are allowed
Problems
some SMTP servers may not use the default port 25
attacker may run a different service on port 25
attacker can send packets using source port 25
Packet Filtering Examples
Solve the problems with rule set C
Take advantage of the TCP ACK flag
sent in response to a locally established connection
Allow packets from a local host with destination port 25
Allow incoming packets from port 25 with ACK set
only replies to local connections
Packet Filtering Examples
Allow
packets originated internally
reply packets to connections initiated internally
packets destined to a high-numbered port on an internal host
Most servers use low-numbered ports (< 1024)
Most attack targets are in this range
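Added example, not from the lecture slides: a minimal stateless packet filter that encodes the SMTP rules discussed above (block SPIGOT, inbound mail only to the gateway, outbound to port 25, inbound from port 25 only with ACK set) as an ordered first-match list with an explicit default-deny policy. The gateway and SPIGOT addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

GATEWAY = "192.0.2.10"    # constructed: the site's mail gateway
SPIGOT = "203.0.113.7"    # constructed: the host with a history of mass mailing


@dataclass
class Packet:
    direction: str            # "in" (from the Internet) or "out" (from the local net)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK flag


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        # A None field is a wildcard; every other field must match exactly.
        pairs = [(self.direction, p.direction), (self.src, p.src), (self.dst, p.dst),
                 (self.sport, p.sport), (self.dport, p.dport), (self.ack, p.ack)]
        return all(want is None or want == have for want, have in pairs)


# Rules in order; the first match wins, and the explicit default applies otherwise.
RULES = [
    Rule("deny", src=SPIGOT),                                # block the SPIGOT host
    Rule("permit", direction="in", dst=GATEWAY, dport=25),   # inbound mail to gateway only
    Rule("permit", direction="out", dport=25),               # any inside host may send mail
    Rule("permit", direction="in", sport=25, ack=True),      # replies to local SMTP connections
]


def filter_packet(p: Packet, rules=RULES, default: str = "deny") -> str:
    """Return the action for a packet: first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default
```

An inbound packet from source port 25 without ACK is now dropped, but one with ACK set to any high port still passes, which is the gap stateful inspection closes.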
Packet Filtering Firewalls
Advantages
simple: few variables
fast: only checks TCP/IP headers
transparent to users
Disadvantages
cannot prevent application-level attacks
vulnerable to attacks on problems within TCP/IP
few variables: possible weak configurations
Attacks on Packet-Filtering Routers
IP address spoofing
use a fake source IP address (e.g., an internal IP)
goal: penetrate source-address-based security
countermeasure: discard packets arriving on the external interface with an internal IP address as source
Source routing attacks
source routing overrides the routing decision
goal: allow a packet to get into the private IP network
countermeasure: discard packets with this option
Attacks on Packet-Filtering Routers
Tiny fragments attack
use the IP fragmentation option
create very small fragments
force the transport header into separate fragments
goal: circumvent transport header filtering rules
countermeasure: enforce a minimum fragment size so the first fragment carries a predefined minimum amount of the transport header
Stateful Inspection Firewalls
Simple packet filtering is based only on individual packets
TCP sessions involve multiple connections
A simple packet filter must allow all inbound traffic on ports 1024-65535
Can create a vulnerability
Stateful packet inspection (SPI)
maintains a directory of established connections
only allows inbound packets with an existing session
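Added example, not from the lecture slides: the three router countermeasures listed above (anti-spoofing on the external interface, rejecting the source-routing options, and a minimum first-fragment size) applied to a simplified packet description. The internal prefix, the 20-byte minimum and the sample packets are constructed assumptions.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed: our internal prefix
MIN_FIRST_FRAGMENT = 20   # assumed policy: first fragment must hold a full TCP header


def check_router_attacks(pkt: dict):
    """Return None if the packet may pass, otherwise the reason it is discarded.

    pkt fields: iface ("external"/"internal"), src, options (IP option names),
    frag_offset (bytes), payload_len (bytes following the IP header).
    """
    src = ipaddress.ip_address(pkt["src"])
    # IP address spoofing: an internal source address cannot legitimately
    # arrive on the external interface.
    if pkt["iface"] == "external" and src in INTERNAL_NET:
        return "spoofed internal source address on external interface"
    # Source routing: the sender is trying to dictate the path into the private net.
    if any(opt in ("LSRR", "SSRR") for opt in pkt.get("options", [])):
        return "source routing option present"
    # Tiny fragments: a first fragment too small to carry the transport header
    # would hide the port numbers from a header-based filter.
    if pkt.get("frag_offset", 0) == 0 and pkt["payload_len"] < MIN_FIRST_FRAGMENT:
        return "first fragment too small to contain transport header"
    return None


# Constructed sample packets: one per countermeasure plus a clean one.
SAMPLES = {
    "spoof": {"iface": "external", "src": "192.0.2.5", "frag_offset": 0, "payload_len": 40},
    "srcrt": {"iface": "external", "src": "198.51.100.9", "options": ["LSRR"],
              "frag_offset": 0, "payload_len": 40},
    "tiny":  {"iface": "external", "src": "198.51.100.9", "frag_offset": 0, "payload_len": 8},
    "clean": {"iface": "external", "src": "198.51.100.9", "frag_offset": 0, "payload_len": 40},
}


def check_all(samples=SAMPLES) -> dict:
    """Map each sample name to its verdict (None means forwarded)."""
    return {name: check_router_attacks(p) for name, p in samples.items()}
```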
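Added example, not from the lecture slides: a minimal stateful inspection table. An outbound TCP SYN from the internal network creates a session entry, and an inbound packet is admitted only if it matches an existing entry, so an unsolicited packet to a port in 1024-65535 is dropped even when its source port is 25 and ACK is set. The addresses and the simplified state handling are constructed assumptions.

```python
from typing import Dict, Tuple

# Session key: (local_ip, local_port, remote_ip, remote_port), local side first.
Key = Tuple[str, int, str, int]


class StatefulFilter:
    """Connection table that admits inbound packets only for sessions opened from inside."""

    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}   # key -> "SYN_SENT" or "ESTABLISHED"

    def outbound(self, src: str, sport: int, dst: str, dport: int,
                 syn: bool = False, fin: bool = False) -> str:
        key = (src, sport, dst, dport)
        if syn and key not in self.sessions:
            self.sessions[key] = "SYN_SENT"   # connection initiated internally: record it
            return "permit"
        if key in self.sessions:
            if fin:
                del self.sessions[key]        # local side is closing; forget the session
            return "permit"
        return "deny"   # no session and not a new SYN (e.g. a stray segment)

    def inbound(self, src: str, sport: int, dst: str, dport: int,
                syn: bool = False, ack: bool = False) -> str:
        key = (dst, dport, src, sport)        # reverse the tuple into local-first form
        state = self.sessions.get(key)
        if state is None:
            # No matching session: drop, even if the source port is 25 with ACK set
            # and the destination is a high-numbered port a stateless filter would allow.
            return "deny"
        if state == "SYN_SENT" and syn and ack:
            self.sessions[key] = "ESTABLISHED"   # SYN/ACK completes the handshake
        return "permit"
```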
Stateful Inspection Firewalls
Application-Level Gateway
Also called a proxy server
Acts as a relay of application-level traffic
Local host contacts the gateway
provides authentication information
provides remote host information
Gateway contacts the remote host
application service must be supported by the GW
relays TCP segments between local and remote
Application-Level Gateway
Advantages
more secure than a packet filter
restricts to a few allowable applications and services
can protect at the application level
Disadvantage
additional processing overhead
maintains two spliced connections
Circuit-Level Gateway
Can be standalone or part of an application GW
Shim layer between application and transport
No direct end-to-end TCP connection
Two separate TCP connections
one between the inside host and the gateway
one between the gateway and the outside host
Once set up, doesn't filter individual packets
Security lies in deciding which connections to allow
Bastion Host
Also called a demilitarized zone (DMZ)
Computer host or network inserted between the internal network and the Internet
Provides a service interface to outside users (web, email, FTP)
Prevents outside users from getting direct access to the company's data
Strong point in the security of the network
Platform for application and circuit-level gateways
Bastion Host
Figure: DMZ or Bastion Host (source: en.wikipedia.org/wiki/Demilitarized_zone_(computing))
Bastion Host Characteristics
Runs a secure operating system
Must not contain sensitive data
Only essential services installed
determined by the admin
e.g., SSH, DNS, FTP, SMTP, authentication
May require authentication, also for each proxy
Each proxy allows access to specific hosts
Proxy maintains audit info and logs all connections
Firewall Configurations
Screened host firewall, single-homed bastion
Screened host firewall, dual-homed bastion
Screened-subnet firewall
Screened Host Firewall, Single-Homed Bastion Host
Consists of two systems
packet-filtering router
bastion host: proxy, authentication
IP packets from the Internet only allowed to the BH
IP packets to the Internet only allowed from the BH
Advantages
both packet and application-level filtering: 2 layers of security
flexibility: public access for a web/info server
Screened Host Firewall, Dual-Homed Bastion Host
Two separate subnets
BH has two network interfaces
Two levels of defense: router, BH
Protects internal hosts if the router is compromised
Also has the same features as the previous configuration
Screened-Subnet Firewall
Two packet-filtering routers
Creates an isolated subnet containing the BH
may also contain modems, public servers
can be accessed from the Internet or the internal net
through traffic is blocked
Advantages
three levels of defense: router, BH, router
internal network is invisible to the Internet
Internet is invisible to the internal network
Finally
The most secure computer is one which is disconnected from the network, AND TURNED OFF!