20 - firewalls
-
Firewalls
CS461/ECE422 Spring 2012
-
Reading Material
Text, chapter 9. Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin.
-
Firewall Goal
Insert after-the-fact security by wrapping or interposing a filter on network traffic
[Diagram: Inside network | firewall | Outside network]
-
Firewall Requirements
All traffic between network section A and network section B (and vice versa) must pass through the firewall (or a consistently controlled set of firewalls)
Only authorized traffic (as specified by the security policy) is allowed to pass
The firewall itself is immune to penetration
-
Typical corporate network
[Diagram: Internet, outer Firewall, Demilitarized Zone (DMZ) holding a Web Server, Mail forwarding and DNS (DMZ), then an Intranet Firewall, then the intranet holding the Mail server, DNS (internal), File Server, an internal Web Server and the User machines]
-
Packet Filter Firewall
Operates at Layer 3, in a router or hardware firewall
Has access to the Layer 3 header and the Layer 4 header
Can block traffic based on source and destination address, ports, and protocol
Does not reconstruct the Layer 4 payload, so cannot do reliable analysis of Layer 4 or higher content
-
Rule Scenario
-
Example Packet Filter Rules
Rules attached to outside interface
Action  Source Addr    Src Port  Dest Addr        Dest Port  Protocol  Comment
Block   Outside host   *         *                *          *         Don't trust
Allow   *              *         Our Mail Server  25         TCP       Allow mail traffic

Rules attached to inside interface
Action  Source Addr      Src Port  Dest Addr     Dest Port  Protocol  Comment
Block   *                *         Outside host  *          *         Don't trust
Allow   Our Mail Server  25        *             *          TCP       Allow mail traffic
-
Same rules in iptables (rules in the filter table; outside, inside, outside_host and our_mail_server are placeholders for the interface names and addresses; -p all, the default, matches any protocol)
-A FORWARD -p all -s outside_host -j REJECT   # don't trust the outside host, in either direction
-A FORWARD -p all -d outside_host -j REJECT
-A FORWARD -i outside -p tcp -d our_mail_server -m tcp --dport 25 -j ACCEPT   # mail coming in
-A FORWARD -i inside -p tcp -s our_mail_server -m tcp --sport 25 -j ACCEPT    # replies going out, matched on source port only (stateless)
-A FORWARD -j REJECT   # default deny
-
More Example Packet Filter Rules
Rules attached to inside interface
Action  Source Addr  Src Port  Dest Addr  Dest Port  Proto  Comment
Allow   *            *         *          25         TCP    Allow traffic to all mail servers

Rules attached to outside interface
Action  Source Addr  Src Port  Dest Addr  Dest Port  Proto  Comment
Allow   *            25        *          *          TCP    Allow return traffic from all mail servers

(The outside rule trusts the source port alone: any outside host can reach any inside port simply by sending from port 25, which the next slide fixes.)
-
A Better Example
Rules attached to inside interface
Action  Source Addr      Src Port  Dest Addr  Dest Port  Proto  Comment
Allow   Inside networks  *         *          25         TCP    Allow traffic to all mail servers

Rules attached to outside interface
Action  Source Addr  Src Port  Dest Addr        Dest Port  Proto  Flags  Comment
Allow   *            25        Inside networks  *          TCP    ACK    Allow return traffic from all mail servers

(Requiring ACK means a connection cannot be opened from outside through this rule, since a connection-opening SYN carries no ACK; only packets that look like replies to an inside-initiated connection pass.)
-
FTP Example
Rules attached to inside interface
Action  Source Addr      Src Port  Dest Addr  Dest Port  Proto  Flags  Comment
Allow   Inside networks  *         *          21         TCP           Allow control channel traffic out
Allow   Inside networks  > 1024    *          *          TCP    ACK    Allow data traffic back

Rules attached to outside interface
Action  Source Addr  Src Port  Dest Addr        Dest Port  Proto  Flags  Comment
Allow   *            21        Inside networks  *          TCP    ACK    Allow return traffic for FTP control channel
Allow   *            *         Inside networks  > 1024     TCP           Initiate data traffic

(In active-mode FTP the server opens the data connection back to the client, so a stateless filter has to let any outside host initiate connections to any inside port above 1024. That is the hole a stateful firewall closes by tracking the negotiated data port.)
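The three stateless rule sets above differ only in whether the return-traffic rule checks the ACK flag, and the FTP set has to leave every inside port above 1024 reachable. The following Python model is an added example, not from the lecture; the inside network 192.168.1.0/24, the outside addresses and the probe packets are constructed. It evaluates each slide's outside-interface rule set against the same three packets, first match wins and the implicit final rule is block:

```python
"""Stateless packet filter model (added example, not from the lecture).
Inside network, outside addresses and probe packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"
INSIDE = ip_network("192.168.1.0/24")    # "Inside networks" on the slides (assumed)


def gt1024(port):
    """Port pattern for the slides' '> 1024' column."""
    return port > 1024


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False        # TCP ACK flag


@dataclass
class Rule:
    action: str              # "allow" or "block"
    src: object = ANY        # ip_network or "*"
    sport: object = ANY      # int, "*" or a predicate such as gt1024
    dst: object = ANY
    dport: object = ANY
    proto: object = ANY
    ack: object = ANY        # True = ACK flag required, "*" = flag not examined
    comment: str = ""


def _addr_ok(pattern, addr):
    return pattern == ANY or ip_address(addr) in pattern


def _port_ok(pattern, port):
    if pattern == ANY:
        return True
    return pattern(port) if callable(pattern) else pattern == port


def matches(rule, pkt):
    return (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and rule.proto in (ANY, pkt.proto)
            and rule.ack in (ANY, pkt.ack))


def filter_packet(rules, pkt):
    """First matching rule decides; the implicit final rule is block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Outside-interface rule sets transcribed from the three slides above
MORE_EXAMPLE = [Rule("allow", sport=25, proto="tcp", comment="return traffic from all mail servers")]
BETTER_EXAMPLE = [Rule("allow", sport=25, dst=INSIDE, proto="tcp", ack=True,
                       comment="return traffic from all mail servers, replies only")]
FTP_EXAMPLE = [Rule("allow", sport=21, dst=INSIDE, proto="tcp", ack=True,
                    comment="return traffic for FTP control channel"),
               Rule("allow", dst=INSIDE, dport=gt1024, proto="tcp",
                    comment="initiate data traffic (server connects back)")]

# Constructed probes arriving on the outside interface
PROBES = {
    "mail_reply": Packet("198.51.100.25", 25, "192.168.1.10", 40000, ack=True),  # legitimate reply
    "ssh_syn_from_port_25": Packet("198.51.100.66", 25, "192.168.1.10", 22),     # attacker picks sport 25
    "syn_to_high_port": Packet("198.51.100.66", 44444, "192.168.1.10", 8080),   # attacker hits a port > 1024
}


def probe(rules):
    """Verdict of one rule set for every probe."""
    return {name: filter_packet(rules, pkt) for name, pkt in PROBES.items()}
```

The "More Example" set admits the SYN to port 22 because only the source port is checked; the "Better Example" set blocks it but still passes the genuine mail reply. The FTP set blocks that SYN only because port 22 is below 1024: the same attacker reaching port 8080 gets through, since the data-channel rule cannot know which high port the client actually negotiated. Even the ACK rule leaves a gap a stateless filter cannot close: an outside host can send ACK-only packets to any inside port (an ACK scan) and map which hosts answer with RST.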
-
Stateful Inspection Firewall
Evolved as packet filters aimed for proxy functionality
In addition to Layer 3 reassembly, it can reconstruct Layer 4 traffic
Some application layer analysis exists, e.g., for HTTP, FTP, H.323
Called context-based access control (CBAC) on IOS; configured by the fixup command on PIX
Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
Reconstruction and analysis can be expensive, so it must be configured on specified traffic streams: at a minimum the user must tell the firewall what kind of traffic to expect on a port
Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly
-
Circuit Firewall
Actually creates two separate TCP connections, so it completely reconstructs TCP connections
SOCKS is an example implementation
-
Example Stateful Rules
Rules attached to outside interface
Action  Source Addr    Src Port  Dest Addr        Dest Port  Protocol  Comment
Block   Outside host   *         *                *          *         Don't trust
Allow   *              *         Our Mail Server  25         TCP       Allow mail traffic

Rules attached to inside interface
Action  Source Addr  Src Port  Dest Addr     Dest Port  Protocol  Comment
Block   *            *         Outside host  *          *         Don't trust

(No explicit rule for the mail server's replies is needed: the firewall's connection table admits return traffic for connections it has already seen.)
-
Same rules in iptables (rules in the filter table; -m state is the older spelling of -m conntrack --ctstate)
-A FORWARD -p all -s outside_host -j REJECT
-A FORWARD -p all -d outside_host -j REJECT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # return traffic for tracked connections; no source-port-25 rule needed
-A FORWARD -i outside -m state --state NEW -p tcp -d our_mail_server -m tcp --dport 25 -j ACCEPT   # only new connections to port 25 may come in
-A FORWARD -j REJECT
-
ApplicaTon Proxy Firewall
Firewall software runs in application space on the firewall
The traffic source must be aware of the proxy and add an additional header; transparent proxy support is now available (TPROXY)
Leverage basic network stack functionality to sanitize application level traffic: block Java or ActiveX, filter out bad URLs, ensure well-formed protocols or block suspect aspects of a protocol
-
Traffic reconstrucTon
[Diagram: inside client X, firewall, outside FTP server Y]
FTP: X to Y, get /etc/passwd (sent on the wire as RETR, after a PORT or PASV exchange)
The get causes the firewall to dynamically open the data channel, which in active mode is initiated from Y to X
Might have a filter for files to block, like /etc/passwd
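An added example (not from the lecture) that models both the stateful inspection slides above and this FTP reconstruction: a connection table keyed on the TCP 4-tuple admits return packets only for flows the inside opened (ESTABLISHED), and an FTP helper parses the client's PORT command on a tracked port-21 control channel so that the server's inbound data connection is pre-authorised (RELATED), which is what nf_conntrack and nf_conntrack_ftp do behind the iptables rules shown. The inside network, the addresses, the list of files to refuse and the simplified flow state (no sequence-number or timeout tracking) are assumptions of the example:

```python
"""Stateful firewall model with FTP data-channel tracking (added example, not
from the lecture). Addresses, the inside network and the blocked-file list are
constructed; flow state is simplified (no sequence numbers, no timeouts)."""
import re
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")      # assumed inside network
BLOCKED_FILES = {"/etc/passwd"}            # files the firewall refuses to let clients retrieve
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(line):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959) -> ('h1.h2.h3.h4', p1*256 + p2), else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        return None
    return "%d.%d.%d.%d" % tuple(v[:4]), v[4] * 256 + v[5]


def packet(src, sport, dst, dport, syn=False, ack=True, payload=b""):
    """Constructed TCP packet record."""
    return dict(src=src, sport=sport, dst=dst, dport=dport, syn=syn, ack=ack, payload=payload)


class StatefulFirewall:
    def __init__(self):
        self.flows = set()      # (src, sport, dst, dport) of flows the inside initiated
        self.expected = set()   # (client_ip, port) inbound connections announced via PORT

    def handle(self, pkt):
        """Return 'allow' or 'block' for one packet and update the connection state."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        src_inside = ip_address(pkt["src"]) in INSIDE
        is_syn = pkt["syn"] and not pkt["ack"]
        if key in self.flows or reverse in self.flows:
            pass                                          # ESTABLISHED: belongs to a known flow
        elif src_inside and is_syn:
            self.flows.add(key)                           # NEW: the inside may open connections
        elif not src_inside and is_syn and (pkt["dst"], pkt["dport"]) in self.expected:
            self.expected.discard((pkt["dst"], pkt["dport"]))
            self.flows.add(key)                           # RELATED: data channel announced by PORT
        else:
            return "block"                                # unsolicited inbound, or stray non-SYN
        if src_inside and pkt["dport"] == 21:             # inspect the FTP control channel
            return self._inspect_ftp(pkt)
        return "allow"

    def _inspect_ftp(self, pkt):
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            announced = parse_port_command(line)
            if announced is not None:
                if announced[0] != pkt["src"]:            # refuse an FTP bounce to a third host
                    return "block"
                self.expected.add(announced)              # server may connect back here, once
            elif line.upper().startswith("RETR ") and line[5:].strip() in BLOCKED_FILES:
                return "block"                            # application-level content filter
        return "allow"


def ftp_scenario():
    """Active-mode FTP session from an inside client, plus outside probes."""
    fw = StatefulFirewall()
    client, server, attacker = "192.168.1.20", "198.51.100.7", "198.51.100.66"
    r = {}
    r["control_syn"] = fw.handle(packet(client, 40001, server, 21, syn=True, ack=False))
    r["control_synack"] = fw.handle(packet(server, 21, client, 40001, syn=True))
    r["syn_from_port_25"] = fw.handle(packet(attacker, 25, "192.168.1.10", 22, syn=True, ack=False))
    r["port_cmd"] = fw.handle(packet(client, 40001, server, 21, payload=b"PORT 192,168,1,20,156,64\r\n"))
    r["data_syn"] = fw.handle(packet(server, 20, client, 40000, syn=True, ack=False))
    r["data_synack"] = fw.handle(packet(client, 40000, server, 20, syn=True))
    r["data_syn_wrong_port"] = fw.handle(packet(server, 20, client, 40002, syn=True, ack=False))
    r["retr_passwd"] = fw.handle(packet(client, 40001, server, 21, payload=b"RETR /etc/passwd\r\n"))
    r["retr_readme"] = fw.handle(packet(client, 40001, server, 21, payload=b"RETR README\r\n"))
    r["bounce"] = fw.handle(packet(client, 40001, server, 21, payload=b"PORT 192,168,1,10,0,22\r\n"))
    return r
```

Compared with the stateless FTP rules, the outside may now reach exactly one inside port, the one the client announced (156*256+64 = 40000), and only once; a SYN to port 40002 and the source-port-25 SYN are both dropped because no flow or expectation covers them. The helper also refuses a PORT command naming a host other than the client, the FTP bounce trick, and it has to see the control channel in the clear, which is why the later slide lists encrypted traffic as a limit.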
-
Ingress and Egress Filtering
Ingress filtering: filter out packets from invalid addresses before they enter your network
Egress filtering: filter out packets from invalid addresses before they leave your network
[Diagram: Inside (owns network X) | filtering device | Outside]
Egress filtering: block outgoing traffic not sourced from network X
Ingress filtering: block incoming traffic from one of the set of invalid networks
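An added example (not from the lecture) of the two checks above as a border device would apply them for network X, here the constructed documentation prefix 203.0.113.0/24. The invalid-source list is the usual set of unroutable ranges and is an assumption of the example, as are the sample packets:

```python
"""Ingress and egress source-address filtering at the border of network X
(added example, not from the lecture; prefixes and packets are constructed)."""
from ipaddress import ip_address, ip_network

OUR_NETWORK = ip_network("203.0.113.0/24")   # network X (RFC 5737 documentation range)

# Source ranges that should never arrive from the Internet: RFC 1918 private space,
# loopback, link-local, "this network" and multicast. A production list would also
# carry currently unallocated space (bogons), which has to be refreshed over time.
INVALID_SOURCES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def egress_check(src):
    """Outbound: only packets sourced from our own network may leave (stops spoofing from inside)."""
    return "allow" if ip_address(src) in OUR_NETWORK else "block"


def ingress_check(src):
    """Inbound: drop sources that claim to be us, or that lie in an invalid range."""
    addr = ip_address(src)
    if addr in OUR_NETWORK or any(addr in net for net in INVALID_SOURCES):
        return "block"
    return "allow"


def classify(packets):
    """packets: iterable of (direction, src_ip); returns [(direction, src_ip, verdict)]."""
    return [(d, s, egress_check(s) if d == "out" else ingress_check(s)) for d, s in packets]


# Constructed traffic as seen at the border
SAMPLE = [
    ("out", "203.0.113.7"),     # ordinary outbound packet
    ("out", "198.51.100.200"),  # inside host spoofing an outside source (reflected DoS pattern)
    ("in", "198.51.100.9"),     # ordinary inbound packet
    ("in", "203.0.113.7"),      # outsider spoofing one of our own addresses
    ("in", "10.1.2.3"),         # RFC 1918 source arriving from the Internet
]
```

This is the filtering BCP 38 (RFC 2827) asks every edge network to deploy. The egress check is what keeps a compromised inside host from sourcing spoofed packets, the ingredient of the Smurf attack on the next slide; the ingress check stops an outsider from impersonating an inside address to get past rules that trust "Inside networks".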
-
Denial of Service
Example attacks: Smurf attack, TCP SYN attack, Teardrop
DoS in general exploits resource limitations: denial by consumption, denial by disruption, denial by reservation
-
Teardrop A^ack
Send a series of fragments that don't fit together; poor stack implementations would crash (early Windows stacks)
Offset 0, len 60
Offset 30, len 90
Offset 41, len 173
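An added example (not from the lecture) that runs the slide's three fragments, plus a constructed fragment lying entirely inside the previous one, through two reassembly policies: the naive overlap trimming that teardrop targeted, where a fragment ending before the previous fragment's end yields a negative length, and a strict reassembler that drops any datagram whose fragments overlap or leave gaps. Offsets and lengths are in bytes as on the slide (real IP headers carry the fragment offset in 8-byte units):

```python
"""IP fragment reassembly, naive versus strict (added example, not from the
lecture). Fragments are (offset, length) in bytes; the slide's three fragments
are used as given, the fully contained fragment is constructed."""

MAX_DATAGRAM = 65535


def naive_trim(prev_end, offset, length):
    """Trim a fragment so it starts where the previous one ended, the way the
    vulnerable stacks did: overlap = prev_end - offset; length -= overlap.
    A fragment that ends before prev_end comes out with a negative length,
    which the stacks then handed to a copy routine as an unsigned size."""
    if offset < prev_end:
        overlap = prev_end - offset
        return offset + overlap, length - overlap
    return offset, length


def naive_lengths(fragments):
    """Apply naive_trim in arrival order and report the resulting lengths."""
    prev_end, lengths = 0, []
    for offset, length in fragments:
        offset, length = naive_trim(prev_end, offset, length)
        lengths.append(length)
        prev_end = offset + length
    return lengths


def reassemble(fragments):
    """Strict reassembly: return the datagram's payload length if the fragments
    tile it exactly, else None (drop the whole datagram)."""
    expected = 0
    for offset, length in sorted(fragments):
        if length <= 0 or offset != expected:   # offset < expected: overlap; > expected: gap
            return None
        expected = offset + length
        if expected > MAX_DATAGRAM:
            return None
    return expected


SLIDE_FRAGMENTS = [(0, 60), (30, 90), (41, 173)]   # from the slide: each overlaps its predecessor
CONTAINED_FRAGMENTS = [(0, 36), (24, 4)]           # constructed: second lies inside the first
GOOD_FRAGMENTS = [(60, 40), (0, 60)]               # constructed: valid, arriving out of order
```

The slide's fragments survive naive trimming with lengths 60, 60 and 94, so they only waste buffer space; the contained fragment produces 36 and then -8, the teardrop crash condition. The strict reassembler refuses both datagrams and still accepts a correct, out-of-order pair, which is the behaviour a firewall doing Layer 3 reassembly in front of old stacks should have.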
-
Address Translation
Traditional NAT: RFC 3022 is the reference RFC
Map a real address to an alias address
Real address: associated with the physical device, generally an unroutable address
Alias address: generally a routable address associated with the translation device
Originally motivated by limited access to publicly routable IP addresses: folks didn't want to pay for addresses and/or hassle with getting official addresses
Later folks said this also added security, by hiding the structure of the internal network and obscuring access to internal machines
Adds complexity to firewall technology: must dig around in the data stream to rewrite references to IP addresses and ports, which limits how quickly new protocols can be firewalled
-
Address Hiding (NAPT)
Many-to-few dynamic mapping: packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime
Port remapping makes this sharing more scalable: two real addresses can be rewritten to the same alias address, with the source port rewritten to differentiate the streams
Traffic must be initiated from the real side
Called masquerading in iptables if the interface IP is used for the alias address
-
NAT example
[Diagram: enforcing device with three interfaces: inside (192.168.1.0/24), DMZ (10.10.10.0/24) and outside (Internet)]
Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1 (as printed on the slide; 274 is not a valid IPv4 octet)
Static map from inside to DMZ: 192.168.1.5 to 128.274.1.5
Packet on the inside, before translation: Src=192.168.1.100, Dst=microsoft.com
Packet on the outside, after translation: Src=128.274.1.1, Dst=microsoft.com
-
StaTc Mapping
One-to-one fixed mapping: one real address is mapped to one alias address at configuration time
Traffic can be initiated from either side
Used to statically map out a small set of servers from a network that is otherwise hidden
Static port remapping is also available
-
NAT example
[Diagram: enforcing device with three interfaces: inside (192.168.1.0/24), DMZ (10.10.10.0/24) and outside (Internet)]
Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1
Static map from DMZ to Internet: 10.10.10.5 to 128.274.1.5
Packet from outside host X on the outside, before translation: Src=X, Dst=128.274.1.5
Packet on the DMZ, after translation: Src=X, Dst=10.10.10.5
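An added example (not from the lecture) of the two translation behaviours on the NAT slides: address hiding (NAPT) for the inside network, where the translator allocates a fresh alias source port per inside flow and admits an inbound packet only if it matches an existing table entry, and a static one-to-one map for a DMZ server, which may be reached from outside. Addresses are constructed from the RFC 5737 documentation ranges, since the slides' 128.274.1.x is not a valid IPv4 address (274 exceeds 255):

```python
"""NAPT (address hiding) plus static mapping (added example, not from the lecture).
Addresses are constructed; endpoints are (ip, port) tuples."""
from itertools import count

PUBLIC_ALIAS = "203.0.113.1"                   # alias address for the hidden inside network
STATIC_MAP = {"10.10.10.5": "203.0.113.5"}     # DMZ real address -> public alias, one-to-one
STATIC_REVERSE = {alias: real for real, alias in STATIC_MAP.items()}


class Translator:
    def __init__(self, first_port=1024):
        self._ports = count(first_port)  # next alias source port to hand out
        self.table = {}                  # (alias_ip, alias_port) -> (real_ip, real_port)
        self.reverse = {}                # (real_ip, real_port) -> alias_port

    def outbound(self, src, dst):
        """Packet leaving the real side. Returns the rewritten (src, dst)."""
        real_ip, real_port = src
        if real_ip in STATIC_MAP:                        # static map: address only, ports kept
            return (STATIC_MAP[real_ip], real_port), dst
        if src not in self.reverse:                      # many-to-few: allocate an alias port
            alias_port = next(self._ports)
            self.reverse[src] = alias_port
            self.table[(PUBLIC_ALIAS, alias_port)] = src
        return (PUBLIC_ALIAS, self.reverse[src]), dst

    def inbound(self, src, dst):
        """Packet arriving from outside. Returns rewritten (src, dst), or None to drop."""
        alias_ip, alias_port = dst
        if alias_ip in STATIC_REVERSE:                   # static map: may be initiated outside
            return src, (STATIC_REVERSE[alias_ip], alias_port)
        real = self.table.get(dst)
        if real is None:                                 # no inside-initiated flow: unsolicited
            return None
        return src, real


def scenario():
    """Two inside hosts using the same source port, a reply, an unsolicited probe,
    and both directions of the static DMZ mapping."""
    nat = Translator()
    outside = ("198.51.100.80", 80)
    r = {}
    r["host_a_out"] = nat.outbound(("192.168.1.100", 40000), outside)
    r["host_b_out"] = nat.outbound(("192.168.1.101", 40000), outside)  # same port, second host
    r["reply_to_a"] = nat.inbound(outside, r["host_a_out"][0])
    r["reply_to_b"] = nat.inbound(outside, r["host_b_out"][0])
    r["unsolicited"] = nat.inbound(outside, (PUBLIC_ALIAS, 2000))
    r["to_dmz"] = nat.inbound(("198.51.100.9", 51515), ("203.0.113.5", 443))
    r["from_dmz"] = nat.outbound(("10.10.10.5", 443), ("198.51.100.9", 51515))
    return r
```

Both inside hosts chose source port 40000, so the port rewrite (1024 and 1025 here) is what lets the single alias address carry both flows and route each reply back to the right host. The probe to alias port 2000 is dropped because nothing inside created an entry for it, which is the "traffic must be initiated from the real side" property and the whole of NAPT's claimed security benefit; the DMZ server behind the static map is reachable from outside without any such entry.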
-
Deployment
Hardware firewall: buy the firewall from a vendor; they provide software and hardware; depending on cost, may include hardware accelerators
Software firewall on a hardened bastion server: buy software from a vendor or use open source; harden the server to reduce the attack surface
Host-based firewall: additional layer of defense for an application server
Personal firewall: protect desktops/laptops from undesired probing
-
DMZ Network
[Diagram: the corporate network layout shown earlier: Internet, outer Firewall, Demilitarized Zone (DMZ) with Web Server, Mail forwarding and DNS (DMZ), Intranet Firewall, and the intranet with Mail server, DNS (internal), File Server, internal Web Server and User machines]
-
VPN Network
-
Distributed Firewalls
-
Intrusion PrevenTon
Discussed in the Intrusion Detection lecture
Enables more dynamic rules and access rules that rely on more communication details
Can download new signatures or adapt anomaly rules on a daily basis
-
Unified Threat Management (UTM)
Firewalls at the border provide a nice point for analysis; might as well perform other analysis as long as flows have been tracked
Deploy one box instead of N boxes
Additional actions could be: virus scanning, URL filtering, IDS/IPS/anomaly detection, spam filtering
-
Limits to firewalls
Cannot analyze encrypted traffic beyond the header information
Everything is driven through port 80, yet the firewall relies on the port as the indicator of the service; newer firewalls dynamically analyze traffic to determine the protocol
Cannot react to new attacks on protocols that must be allowed (IPS can help)
Tracks IP addresses instead of people
Costs too much to manage firewalls
-
Summary
Different types of firewalls for different needs: packet filtering/stateful/application; network/host/personal
Firewalls have been a stalwart element of network security for decades: not the end-all solution, but still beneficial