advanced network security – firewall implementation and

Upload: ashwanigupta

Post on 30-May-2018


8/14/2019 Advanced Network Security Firewall Implementation And

1/32

Advanced Network Security
Firewall Implementation and Design
Term: January 2005

Dana Epp
[email protected]
http://silverstr.ufies.org/blog/

COMP 4706
2/32

Agenda

Review from last class
Group STRIDE analysis
Building a firewall port matrix
Introduction to NMAP
Hands on - Scanning ports with NMAP
Hands on - Creating basic firewall rules on Linux

3/32

Learning Outcomes

On successful completion of this course, students will be able to:

Identify various types of firewalls and their functions, including which firewalls operate at which OSI protocol layer, and the basic variations of firewall architectures

Describe risk mitigation techniques to varying threats with the use of different firewall architectures

Demonstrate the ability to design and deploy policies on a firewall

4/32

Basic Types of Firewalls

Packet filtering firewalls
Stateful packet inspection firewalls
Application proxies
Hybrids

5/32

Packet filter

A packet filter firewall is the simplest type of firewall. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. The firewall examines each packet based on the following criteria:

Source IP address
Destination IP address
TCP/UDP source port
TCP/UDP destination port

6/32

Packet Filter - Pros

They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.

Due to the fact that packet payload is ignored, application independence exists.

Least expensive of the three types of firewalls.

Packet filtering rules are relatively easy to configure.

There are no configuration changes necessary to the protected workstations.

7/32

Packet filters - Cons

Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.

There is no screening of packet payload available. It is impossible to block users from visiting web sites deemed off limits, for example.

Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.

Complex firewall policies are difficult to implement using filtering rules alone.

There is a reliance on the IP address for authentication rather than user authentication.

Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.

8/32

Stateful packet inspection

Examines the contents of packets rather than just filtering them; that is, they consider their contents as well as their addresses.

Stateful packet inspection firewalls also take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and
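A worked example of the difference between the packet filter of slide 5 and the stateful inspection described on this slide. It is added here by the editor and is not part of Dana Epp's deck: a stateless filter that matches on source/destination address and port, and a stateful filter that records each accepted outbound request in a connection table and admits replies by looking them up. The LAN 10.10.1.0/24, the addresses, the rule set and the unsolicited probe are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed packet model: the header fields a packet filter inspects
# (src/dst address, src/dst port, protocol) plus the TCP SYN flag, which
# the stateful filter uses to recognise the start of a new connection.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                     # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"          # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    sport: Optional[range] = None   # None matches any port
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def stateless_filter(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """Packet filter: first matching rule wins, otherwise the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

Flow = Tuple[str, str, str, int, int]

class StatefulFilter:
    """Stateful inspection: the rules only judge packets that start a new
    connection; later packets of an accepted flow, in either direction,
    are matched against the connection table instead."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Flow] = set()

    def decide(self, p: Packet) -> str:
        forward: Flow = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse: Flow = (p.dst, p.src, p.proto, p.dport, p.sport)
        if forward in self.table or reverse in self.table:
            return "ACCEPT"          # belongs to a connection already allowed
        if p.proto == "tcp" and not p.syn:
            return "DROP"            # mid-stream TCP segment with no known flow
        verdict = stateless_filter(self.rules, p)
        if verdict == "ACCEPT":
            self.table.add(forward)  # remember the outbound request
        return verdict

# Constructed policy: workstations in 10.10.1.0/24 may open connections
# anywhere; nothing else is allowed in by the rules themselves.
EGRESS = [Rule("ACCEPT", src="10.10.1.0/24")]

# A stateless filter can only let web replies back in with a static rule on
# source port 80, and that rule also admits any packet that merely sets
# sport=80, whether or not anyone on the inside asked for it.
STATELESS = EGRESS + [Rule("ACCEPT", proto="tcp",
                           sport=range(80, 81), dport=range(1024, 65536))]

def demo() -> Tuple[List[str], List[str]]:
    request = Packet("10.10.1.5", "198.51.100.20", "tcp", 40000, 80, syn=True)
    reply = Packet("198.51.100.20", "10.10.1.5", "tcp", 80, 40000)
    probe = Packet("203.0.113.9", "10.10.1.5", "tcp", 80, 3389, syn=True)  # unsolicited
    stateless = [stateless_filter(STATELESS, p) for p in (request, reply, probe)]
    sf = StatefulFilter(EGRESS)
    stateful = [sf.decide(p) for p in (request, reply, probe)]
    return stateless, stateful

if __name__ == "__main__":
    print(demo())   # (['ACCEPT', 'ACCEPT', 'ACCEPT'], ['ACCEPT', 'ACCEPT', 'DROP'])
```

The stateless policy accepts all three packets, including the probe, because the only way it can admit the web reply is the static source-port rule. The stateful filter accepts the same reply because it matches the recorded outbound request, and drops the probe because nothing asked for it; this is the "direct connection between endpoints" exposure of slide 7 narrowed to connections the inside actually opened.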

9/32

Stateful packet inspection - Pros

Offers improved security over basic packet filters due to packet examination.

Offers a degree of application independence, based on level of stateful packet examination.

Better logging of activities over basic packet filters.

Good performance.

Configuration changes to the protected workstations are unnecessary.

10/32

Stateful packet inspection - Cons

Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.

No hiding of your private systems.

Setting up stateful packet examination rules is more complicated.

Only supported protocols at the application layer.

No user authentication.

11/32

Application proxies

An application proxy is a program running on the firewall that emulates both ends of a network connection.

One can think of it as a sort of "translator" in between the two computers communicating.

12/32

Application proxies - Pros

Firewall does not let end points communicate directly with one another. Thus a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall could be overcome by the proxy program.

Has the best content filtering capability.

Can hide private systems.

Robust user authentication.

Offers the best logging of activities.

Policy rules are usually easier than packet filtering rules.

13/32

Application proxies - Cons

Performance problems; much slower than the other two.

Must have a proxy for every protocol. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall.

TCP is the preferred transport. UDP may not be supported.

Limited transparency; clients may need to be modified. Setting up the proxy server in a browser, for example.

No protection from all protocol weaknesses.

14/32

OSI Open System Interconnect

15/32

TCP/IP Protocol Architecture

16/32

Three way TCP handshake

17/32

Common Ports and Services

Windows: %windir%\System32\drivers\etc\services
Linux: /etc/services

Examples:
SMTP = port 25
HTTP = port 80
POP3 = port 110
PPTP = port 1723

18/32

The STRIDE Threat Model

Spoofing identity: Attacker obtains something that enables authentication

Tampering with data: Unauthorized change made to stored or in-transit information

Repudiation: Performing an illegal operation in a system that lacks the ability to trace such operations

Information disclosure: Exposing critical information to unauthorized individuals

Denial of Service (DoS): Denies service to others

Elevation of privileges: Attacker exploits a weakness to gain greater privileges on a system than were intended

19/32

Ranking and Prioritizing Threats

Chance of attack occurring: 1 = high, 10 = low
How much effort/cost/time is needed to launch the attack?

What is the cost/damage if it occurs? 1 = little, 10 = massive

RISK = Damage / Chance
Goal is to reduce risk
Do high risk items first
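The ranking of the two slides above carried through in code, added by the editor and not part of the deck: each threat is tagged with its STRIDE category, scored on the slide's scales (note that chance 1 means the most likely attack, which is why dividing damage by chance pushes likely, damaging threats to the top), and the list is sorted highest risk first. The four threats and their scores are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List

# STRIDE categories from slide 18, keyed by letter.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of Service",
    "E": "Elevation of privileges",
}

@dataclass(frozen=True)
class Threat:
    name: str
    category: str   # one STRIDE letter
    chance: int     # slide's scale: 1 = high likelihood ... 10 = low
    damage: int     # slide's scale: 1 = little ... 10 = massive

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        for value in (self.chance, self.damage):
            if not 1 <= value <= 10:
                raise ValueError("chance and damage must be on the 1..10 scale")

    def risk(self) -> float:
        # RISK = Damage / Chance, exactly as on the slide. A likely (1) and
        # massive (10) threat scores 10; an unlikely (10), trivial (1) one 0.1.
        return self.damage / self.chance

def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest risk first: the order in which to work the items."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)

# Constructed threats for a web server behind the course's packet filter.
THREATS = [
    Threat("Attacker spoofs the admin NOC address to reach SSH", "S", chance=4, damage=9),
    Threat("SYN flood against the public web port", "D", chance=2, damage=6),
    Threat("Firewall rule change leaves no audit trail", "R", chance=6, damage=5),
    Threat("Service banners reveal the OS to a scanner", "I", chance=1, damage=2),
]

def ranked_names() -> List[str]:
    return [f"{t.category}: {t.name} (risk {t.risk():.2f})" for t in rank_threats(THREATS)]

if __name__ == "__main__":
    print("\n".join(ranked_names()))
```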

20/32

How to Respond to Threats

1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.

21/32

Defense in Depth

Assume external systems are insecure
"We're secure, we have a firewall" *ugh*

Assume your system(s) is the last thing standing
Plan on failure

More layers of security means more work to compromise a target
Threat risk goes down as threat difficulty goes up

Never depend on security through obscurity

22/32

Group STRIDE Analysis

23/32

Building a firewall port matrix

Determine trust zones
Determine ports that need opening
Determine packet type (tcp/udp)
Determine direction of packet flow
Determine any limitations you can set on src/dst

24/32

LUNCH

25/32

Introduction to NMAP

Can scan networks to find active (online) hosts

Can scan hosts to find open ports

Can send crafted packets to fingerprint the operating system

Can be used defensively to identify weaknesses that need to be corrected, or offensively by an attacker to probe for vulnerabilities to exploit.

26/32

Interesting NMAP options

-v = Verbose logging
-O = OS fingerprinting
-sS = SYN stealth scan
-P0 = Scan without ping probes

nmap -v -O -sS your.host.com
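The defensive side of slide 25, as an added example by the editor that is not part of the deck: a SYN scan of the kind the options above produce shows up on the firewall as one source hitting many different destination ports in a short time, so the firewall's own logs can reveal it. The code parses lines in the format the iptables LOG target writes to syslog and flags any source that sends SYNs to at least six distinct TCP ports within a ten-second window. The log lines (a scanner at 203.0.113.9, a normal client at 198.51.100.20, the "FW-IN:" log prefix and the thresholds) are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed syslog lines as written by an iptables LOG rule on INPUT.
LOG_LINES = """\
Aug 14 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=28 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 14 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:00:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.1 LEN=44 TTL=52 ID=0 PROTO=TCP SPT=54321 DPT=1723 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 10:05:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=10.10.1.1 LEN=60 TTL=60 ID=7 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 14 10:05:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=10.10.1.1 LEN=60 TTL=60 ID=8 DF PROTO=TCP SPT=41001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"   # absent for ICMP
)

def parse(line: str) -> Optional[dict]:
    """Pull timestamp, addresses, protocol, destination port and SYN flag."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
        "syn": " SYN " in line,   # TCP flag names follow RES= in the LOG output
    }

def detect_scans(lines: List[str], min_ports: int = 6, window_s: int = 10) -> Dict[str, int]:
    """Return {src: distinct ports} for every source that sent SYNs to at least
    min_ports different TCP ports inside some window_s-second window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == "TCP" and rec["syn"] and rec["dpt"] is not None:
            hits[rec["src"]].append((rec["ts"], rec["dpt"]))
    scanners: Dict[str, int] = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # slide the window forward
            ports = set()
            for ts, dpt in events[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                ports.add(dpt)
            if len(ports) >= min_ports:
                scanners[src] = len(ports)
                break
    return scanners

if __name__ == "__main__":
    print(detect_scans(LOG_LINES.splitlines()))   # {'203.0.113.9': 8}
```

The thresholds are deliberately loose; on a real border a normal client can legitimately touch several ports, so tune min_ports and the window to the traffic you actually see before alerting on the result.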

27/32

Introduction to iptables

3rd generation firewall on Linux

Supports basic packet filtering as well as connection state tracking

For our needs for this course, we will use simple/basic packet filtering

28/32

Introduction to iptables

#!/bin/sh
# Sample firewall incomplete do not use. For discussion only

IPTABLES=/sbin/iptables
ANY=0.0.0.0/0
ETHIP=10.10.1.1
ADMINNOC=10.10.1.250

# Flush chains
$IPTABLES --flush

# Set default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Allow SSH from admin NOC (inbound request and outbound reply)
$IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024:65534 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $ADMINNOC --sport 22 --dport 1024:65534 -j ACCEPT

# Allow Web access
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Allows secure web access
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

# Everything else inbound is dropped by this final rule, so the ACCEPT
# policy on INPUT above is never reached
$IPTABLES -A INPUT -j DROP
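The port-matrix procedure of slide 23 carried through to the rules of the sample above, as an added example by the editor that is not part of the deck or of the netfilter project: service names are resolved through a table parsed from lines in the /etc/services format of slide 17, each matrix row records transport, direction and any src/dst limitation, and the rows are rendered as iptables commands. It departs from the sample in two places, both of which it labels: default policies are DROP, and replies are admitted by connection tracking (-m conntrack --ctstate) instead of a static --sport rule. The services excerpt, the matrix, the resolver address 10.10.1.2 and the host addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt in the format of /etc/services: one entry per line with
# name, port/protocol, optional aliases, and optional '#' comments.
SERVICES_TEXT = """\
# Network services, Internet style
ssh        22/tcp
smtp       25/tcp    mail
http       80/tcp    www
pop3      110/tcp
https     443/tcp
pptp     1723/tcp
domain     53/udp
"""

def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Map (name or alias, proto) -> port number."""
    table: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:    # aliases resolve as well
            table[(name, proto)] = int(port)
    return table

@dataclass(frozen=True)
class MatrixRow:
    """One row of the port matrix: which service, which transport, which
    direction, and any limitation on source/destination."""
    service: str
    proto: str              # "tcp" or "udp"
    direction: str          # "in": opened on this host; "out": this host is the client
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

# Constructed matrix for the host 10.10.1.1 of the sample script, with the
# admin NOC at 10.10.1.250 and a DNS resolver at 10.10.1.2.
MATRIX = [
    MatrixRow("ssh", "tcp", "in", src="10.10.1.250", dst="10.10.1.1"),
    MatrixRow("http", "tcp", "in", dst="10.10.1.1"),
    MatrixRow("https", "tcp", "in", dst="10.10.1.1"),
    MatrixRow("domain", "udp", "out", src="10.10.1.1", dst="10.10.1.2"),
]

def render_rules(rows: List[MatrixRow], services: Dict[Tuple[str, str], int],
                 iptables: str = "/sbin/iptables") -> List[str]:
    """Translate the matrix into iptables commands.

    Unlike the slide's sample, the default policy is DROP on every chain and
    replies are admitted by connection tracking rather than a --sport rule."""
    cmds = [f"{iptables} --flush"]
    cmds += [f"{iptables} -P {chain} DROP" for chain in ("INPUT", "OUTPUT", "FORWARD")]
    cmds += [f"{iptables} -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
             for chain in ("INPUT", "OUTPUT")]
    for row in rows:
        key = (row.service, row.proto)
        if key not in services:
            raise KeyError(f"port matrix names unknown service {key}")
        chain = "INPUT" if row.direction == "in" else "OUTPUT"
        cmds.append(f"{iptables} -A {chain} -p {row.proto} -s {row.src} -d {row.dst} "
                    f"--dport {services[key]} -m conntrack --ctstate NEW -j ACCEPT")
    return cmds

def build() -> List[str]:
    return render_rules(MATRIX, parse_services(SERVICES_TEXT))

if __name__ == "__main__":
    print("\n".join(build()))
```

Generating the rules from the matrix keeps the two in step: a port that is not in the matrix cannot end up open, and a row that names a service the table does not know fails loudly instead of silently producing a rule for the wrong port.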

29/32

Dropping vs Rejecting Packets

Rejecting packets COULD resource starve your system

Dropping packets could cause network diagnostic hell for the other end if you don't respond nicely

Dana's Law: It is better to DROP packets and buy your favorite network admin a beer than to REJECT and have alarms go off at 2 in the morning during a DoS, waking you up.

30/32

Hands on LAB

31/32

Good reading

IPTables Packet Filtering HOWTO
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

Building Internet Firewalls
ISBN: 1-56592-124-0

Linux Firewalls
ISBN: 0-7357-0900-9

Threat Modeling
ISBN: 0-7356-1991-3

32/32

Any Questions?