firewalls and packet filters
Post on 22-Jul-2016
Firewalls
04/28/23 1
What is a Firewall?
• A firewall:
  – Acts as a security gateway between two networks
    • Usually between trusted and untrusted networks
  – Tracks and controls network communications
    • Decides whether to pass or reject
[Figure: the Corporate Network Gateway sits between the Internet and the Corporate Site]
Firewall
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  – only authorized traffic is allowed
• Auditing and controlling access
  – can implement alarms for abnormal behavior
• Itself immune to penetration
Firewall Gateways
• Firewall runs set of proxy programs
  – Proxies filter incoming, outgoing packets
  – All incoming traffic directed to firewall
  – All outgoing traffic appears to come from firewall
• Policy embedded in proxy programs
• Two kinds of proxies
  – Application-level gateways/proxies
    • Tailored to http, ftp, smtp, etc.
  – Circuit-level gateways/proxies
    • Working on Network level
Why Firewalls are Needed?
• Prevent attacks from untrusted networks
• Protecting Confidential Information
• Protect data integrity of critical information
Evolution of Firewalls
[Figure: "Stage of Evolution" chart comparing Packet Filter, Stateful Inspection and Application Proxy]
Packet Filter
• Packets examined at the network layer
• Commonly deployed on routers
• Simple accept or reject decision model
• No awareness of higher protocol layers
[Figure: OSI layer stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) of the two end systems and the packet filter between them; the filter reaches only up to the Network layer]
Application Gateway or Proxy
• Packets examined at the application layer
• Application/Content filtering possible – prevent FTP “put” commands, for example
• Modest performance
• Limited scalability
[Figure: OSI layer stacks of the two end systems and the application gateway between them; the gateway implements the full stack up to the Applications layer]
Stateful Inspection
• Packets inspected between data link layer and network layer in the OS kernel
• State tables are created to maintain connection context
• Invented by Check Point
[Figure: OSI layer stacks of the two end systems and the stateful inspection firewall between them; the INSPECT Engine sits between the Data Link and Network layers and maintains Dynamic State Tables]
Classification of Firewall
• Packet filtering
• Circuit gateways
• Application gateways
• Combination of above is dynamic packet filter
Firewalls – Packet Filters
Firewalls – Packet Filters
• Simplest type
• Uses transport-layer information only
  – IP Source Address, Destination Address
  – Protocol/Next Header (TCP, UDP, ICMP, etc.)
  – TCP or UDP source & destination ports
  – TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
  – ICMP message type
Packet Filtering Gateways
• Make decision based on header of a packet
  – Header contains source and destination addresses and port numbers; port numbers can be used to infer type of packet
    • 80 -> Web, 22 -> SSH
    • E.g., allow Web, but not SSH
• Ignore payload of packet
• Can drop spoofed traffic
  – XY’s firewall could drop all packets originating from XY whose source address is not of the form 129.97.a.b
  – Likewise, it could drop any traffic originating from outside of XY whose source address is of the form 129.97.a.b
Usage of Packet Filters
• Filtering with incoming or outgoing interfaces
  – E.g., Ingress filtering – controls inbound traffic
  – Egress filtering – controls outgoing traffic
• Permits or denies certain services
  – Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
Types of Packet Filtering
1. Stateless Packet Filters
   • A router configured to pass or reject packets based on information in the header of each individual packet
2. Stateful Packet Filters
   • Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
Stateless Packet Filters
• A border router configured to pass or reject packets based on information in the header of each individual packet
  – Can be configured to pass/reject based on any field, but usually done based on:
    – protocol type
    – IP address
    – TCP/UDP port
    – Fragment number
    – Source routing information
Protocol Filtering
• Filtering based on the IP protocol field allows rejecting of entire protocol suites
  – UDP
  – TCP
  – ICMP
  – IGMP
• This is almost too general
  – e.g. suppose you block UDP; then any TCP-based application won’t be able to convert a host/domain name to an IP address (DNS is based on UDP)
• so it is seldom used.
IP Address Filtering
• Pass/reject packets based on membership in a set of acceptable IP addresses
• Usually not used to block specific hosts
• Usually block source routed packets
  – big security hole
• If a hacker knows an address that the filter will pass then they can easily forge a packet that will pass through the filter
Port Filtering
• Accept or reject packet based on port number
• Most commonly used filtering method
• Pass all but those specified
• Reject all but those specified
• Important ports/protocols to block:
  – telnet
  – NetBIOS
  – POP
  – NFS
  – X Windows
  – Windows Terminal Services
Source Routed Filtering
• Source routed packets should never be allowed into your network
• Source routed
  – Allows you to specify the path a packet will take through your network
• Strict Source Routing
  – Specifies the exact path to be taken
• Loose Source Routing
  – Indicates one or more hosts the packet must go through
  – A hacker can plug in their own address and force packets to travel through a machine that they can sniff
Loose Source Routing
• A packet is given a list of hops to be taken
• Each packet carries the same source address; the destination is whatever the next IP in the hop path is; the hop path is in the IP Option field.
• 131 is the type for Loose Source Routing
• Length – total length of the option
• Offset – byte offset to next IP to hop to

IP Option field layout:
  Type     Length   Offset   IP 1      IP 2      ...
  1 byte   1 byte   1 byte   4 bytes   4 bytes
  131
Fragmentation Filtering
• Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes
• Security considerations
  – TCP or UDP port number is provided only at the beginning of a packet; appears only in fragments numbered 0
  – Fragments numbered 1 or higher will be passed through the filter
  – If a hacker modifies an IP header to start all fragment numbers of a packet at 1 or higher, all fragments will go through the filter
• Filtering by Fragmentation Flags
  – Configure firewall/packet filter to drop all fragmented packets, or
  – Have firewall reassemble fragmented packets and allow only complete packets to pass through
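The two header checks from the source-routing and fragmentation slides, worked through as an added example (this is not code from the slides): an IPv4 header parser that walks the IP Option field, lists the hops named by a Loose (type 131) or Strict (type 137) Source Route option, and applies the fragment rules, rejecting any fragment numbered 1 or higher and any first fragment too short to hold the TCP ports and flags. The packets are constructed in the block, so it runs offline; the addresses and the 40000-style constants are made-up sample values.

```python
import struct
import ipaddress

# Option types in the IP Option field: 131 is Loose Source Routing (as on the slide);
# 137 is Strict Source Routing, which carries the same hop-list layout.
LOOSE_SOURCE_ROUTE = 131
STRICT_SOURCE_ROUTE = 137
MIN_TCP_HEADER = 20   # bytes a first fragment must carry for ports and flags to be visible


def parse_ipv4(packet):
    """Return the fixed IPv4 header fields plus the raw option bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, frag_word, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or header length")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "proto": proto,
        "more_fragments": bool(frag_word & 0x2000),
        "frag_offset": frag_word & 0x1FFF,   # fragment number, in 8-byte units
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "options": packet[20:ihl],
    }


def parse_options(options):
    """Walk the option area into (type, length, data) triples; type 0 ends it, type 1 is a NOP."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option type without length")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of range")
        parsed.append((kind, length, options[i + 2:i + length]))
        i += length
    return parsed


def source_route_hops(options):
    """Hop addresses named by a loose/strict source route option ([] if there is none)."""
    hops = []
    for kind, _length, data in parse_options(options):
        if kind in (LOOSE_SOURCE_ROUTE, STRICT_SOURCE_ROUTE):
            addrs = data[1:]   # data[0] is the offset ("pointer") to the next hop
            for j in range(0, len(addrs) - len(addrs) % 4, 4):
                hops.append(str(ipaddress.IPv4Address(addrs[j:j + 4])))
    return hops


def filter_verdict(packet):
    """The slides' policy: reject source-routed packets; reject fragments that are not the
    first (ports not visible) or that are first but too short to hold the TCP header."""
    hdr = parse_ipv4(packet)
    if source_route_hops(hdr["options"]):
        return "REJECT: source routed"
    if hdr["frag_offset"] != 0:
        return "REJECT: non-initial fragment"
    if hdr["more_fragments"] and hdr["proto"] == 6 and hdr["total_len"] - hdr["ihl"] < MIN_TCP_HEADER:
        return "REJECT: tiny fragment"
    return "ACCEPT"


def build_ipv4(src, dst, proto=6, options=b"", payload=b"", frag_offset=0, more_fragments=False):
    """Construct a sample packet for the checks above (checksum left zero; nothing here verifies it)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad the option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    frag_word = (0x2000 if more_fragments else 0) | frag_offset
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, frag_word,
                        64, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options + payload


# Constructed samples (not captures): a plain TCP packet; one carrying an LSRR option
# (type 131, length 11, offset 4, two hops); a fragment numbered 1; a first fragment of 8 bytes.
LSRR_OPTION = bytes([131, 11, 4]) + ipaddress.IPv4Address("198.51.100.7").packed \
    + ipaddress.IPv4Address("203.0.113.9").packed
PLAIN = build_ipv4("10.0.0.5", "192.0.2.10", payload=b"\x00" * 20)
SOURCE_ROUTED = build_ipv4("10.0.0.5", "192.0.2.10", options=LSRR_OPTION, payload=b"\x00" * 20)
SECOND_FRAGMENT = build_ipv4("10.0.0.5", "192.0.2.10", payload=b"\x00" * 8, frag_offset=1)
TINY_FIRST_FRAGMENT = build_ipv4("10.0.0.5", "192.0.2.10", payload=b"\x00" * 8, more_fragments=True)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("source routed", SOURCE_ROUTED),
                      ("fragment 1", SECOND_FRAGMENT), ("tiny first", TINY_FIRST_FRAGMENT)):
        print(f"{name:14s} {filter_verdict(pkt)}")
```

The option walk stops at an End-of-Options byte and skips NOP padding, so a source route hidden behind padding is still found; the tiny-fragment rule only fires when More Fragments is set, since an unfragmented packet that short is simply malformed rather than split.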
Problems with Stateless Filters
• Effectiveness of stateless filters is limited due to:
  – They cannot check the payload of the packets
    • service related filtering can only be done by application level proxies
  – They do not retain the state of the connections
Stateful Packet Filtering
• Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
  – create an in-memory state table for the state of all Network and session layers
  – allows only packets that result from connections that have already been established
• More sophisticated and secure
• Has a rule base and a state table
• Newer Firewalls all provide Stateful packet filtering
  – some also provide higher level protocol proxying
Stateful Packet Filters
• Traditional packet filters do not examine higher layer context
  – i.e. matching return packets with outgoing flow
• Stateful packet filters address this need
• They examine each IP packet in context
  – Keep track of client-server sessions
  – Check each packet validly belongs to one
• Hence are better able to detect bogus packets out of context
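The state table the two preceding slides describe, as an added example rather than code from the slides: a small TCP connection tracker that admits a new session only when its SYN arrives on the inside interface, records it, and then accepts later packets in either direction only if they match a recorded session. The trace at the bottom is constructed (addresses, ports and the interface names "inside"/"outside" are assumed) and ends with the bogus out-of-context packets a stateless ACK-bit rule would have let through.

```python
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"   # the interface a packet arrived on


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN", "ACK"})


class StatefulFilter:
    """Connection tracker for TCP: a session may only be opened from the inside, and every
    later packet in either direction must match an entry in the state table."""

    def __init__(self):
        # (client ip, client port, server ip, server port) -> "SYN_SENT" | "ESTABLISHED"
        self.state = {}

    @staticmethod
    def _key(pkt, reverse=False):
        if reverse:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt):
        fwd, rev = self._key(pkt), self._key(pkt, reverse=True)
        # A bare SYN opens a new session; it is only accepted on the inside interface.
        if pkt.flags == frozenset({"SYN"}):
            if pkt.iface != INSIDE:
                return "DROP: unsolicited inbound SYN"
            self.state[fwd] = "SYN_SENT"
            return "ACCEPT"
        # Server-to-client traffic must match an entry keyed on the reverse tuple.
        if rev in self.state:
            if pkt.flags == frozenset({"SYN", "ACK"}) and self.state[rev] == "SYN_SENT":
                self.state[rev] = "ESTABLISHED"
            elif "RST" in pkt.flags:
                del self.state[rev]
            return "ACCEPT"
        # Client-to-server traffic after the SYN (ACK, data, FIN) matches the forward tuple.
        if fwd in self.state:
            if "RST" in pkt.flags:
                del self.state[fwd]
            return "ACCEPT"
        # An ACK with no session is exactly what a stateless ACK-bit rule lets through
        # and a stateful filter catches.
        return "DROP: no matching connection"


def run_trace(packets):
    """Feed a packet sequence through a fresh filter; return (verdicts, final state table)."""
    fw = StatefulFilter()
    return [fw.process(p) for p in packets], dict(fw.state)


# Constructed trace: an inside client (10.0.0.5) opens a web session to 192.0.2.10, the
# handshake completes, then an outside host aims a bare ACK and a bare SYN at the client.
TRACE = [
    Packet(INSIDE, "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"})),
    Packet(OUTSIDE, "192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet(INSIDE, "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"ACK"})),
    Packet(OUTSIDE, "192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"ACK"})),
    Packet(OUTSIDE, "198.51.100.7", 4444, "10.0.0.5", 22, frozenset({"ACK"})),
    Packet(OUTSIDE, "198.51.100.7", 4444, "10.0.0.5", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    verdicts, table = run_trace(TRACE)
    for pkt, verdict in zip(TRACE, verdicts):
        print(f"{pkt.iface:7s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)} => {verdict}")
    print("state table:", table)
```

A production tracker would also age entries out and follow the FIN handshake; the point here is the lookup itself: the fifth packet carries ACK and would satisfy a stateless "established" rule, but no session owns its 4-tuple, so it is dropped.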
[Figure: Stateful Packet Filtering (two diagram slides)]
Packet Filtering – Example Filtering Rules
Service-Dependent Filtering
• Permit incoming Telnet sessions only to a specific list of internal hosts
• Permit incoming FTP sessions only to specific internal hosts
• Permit all outbound Telnet sessions
• Permit all outbound FTP sessions
• Deny all incoming traffic from specific external networks
Service-Independent Filtering
• Source IP Address Spoofing Attacks
• Source Routing Attacks
• Tiny Fragment Attacks
Other common Firewall Services
• Encrypted Authentication
  – Allows users on the external network to authenticate to the Firewall to gain access to the private network
• Virtual Private Networking
  – Establishes a secure connection between two private networks over a public network
    • This allows the use of the Internet as a connection medium rather than the use of an expensive leased line
Additional Services Provided
• Virus Scanning
  – Searches incoming data streams for virus signatures so they may be blocked
  – Done by subscription to stay current
    • McAfee / Norton
• Content Filtering
  – Allows the blocking of internal users from certain types of content.
How to Configure a Packet Filter
• Start with a security policy
• Specify allowable packets in terms of logical expressions on packet fields
• Rewrite expressions in syntax supported by your vendor
• General rules – least privilege
  – All that is not expressly permitted is prohibited
  – If you do not need it, eliminate it
Every ruleset is followed by an implicit rule reading like this.
Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.

Solution 1:
Example 2: Now suppose that we want to implement the policy “any inside host can send mail to the outside”.

Solution 2: This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough…
• The ACK signifies that the packet is part of an ongoing conversation
• Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts
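The rule tables for Example 1 and Example 2, the ACK test just described, and the spoofing check from the "Packet Filtering Gateways" slide, written out as one stateless rule evaluator. This is an added example, not the slides' own tables: it follows the configuration recipe above (policy first, then rules as expressions on header fields, first match wins, implicit block at the end). The address values are assumptions: OUR_NET stands for the 129.97.a.b block, OUR_GW for "our gateway machine", and SPIGOT is given a made-up documentation prefix.

```python
import ipaddress
from dataclasses import dataclass

# Assumed, constructed values for the names used in the slides' examples:
OUR_NET = "129.97.0.0/16"     # the "129.97.a.b" inside address block from slide 13
OUR_GW = "129.97.1.25"        # "our gateway machine", the only inside host to receive mail
SPIGOT = "203.0.113.0/24"     # the "particular site SPIGOT" whose mail is to be blocked


@dataclass
class Rule:
    action: str                # "allow" or "block"
    iface: str = "*"           # interface the packet arrives on: "external", "internal" or "*"
    src: str = "*"             # address or CIDR prefix, or "*"
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"
    require_ack: bool = False  # match only packets carrying the TCP ACK bit
    comment: str = ""


def _ip_match(pattern, address):
    return pattern == "*" or ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    return pattern == "*" or int(pattern) == port


def matches(rule, pkt):
    return (rule.iface in ("*", pkt["iface"])
            and _ip_match(rule.src, pkt["src"]) and _port_match(rule.sport, pkt["sport"])
            and _ip_match(rule.dst, pkt["dst"]) and _port_match(rule.dport, pkt["dport"])
            and (not rule.require_ack or pkt["ack"]))


def decide(rules, pkt):
    """First matching rule wins; the implicit final rule blocks everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "block", "implicit default rule"


RULES = [
    # Service-independent: an outside packet claiming an inside address is spoofed (slide 13).
    # The egress half of that check needs no rule of its own: every "internal" allow below
    # names OUR_NET as source, so an inside packet with a foreign address hits the default block.
    Rule("block", iface="external", src=OUR_NET, comment="spoofed inside address"),
    # Example 1: inbound mail only to the gateway, and none at all from SPIGOT.
    Rule("block", src=SPIGOT, comment="mail from SPIGOT"),
    Rule("allow", iface="external", dst=OUR_GW, dport="25", comment="connection to our SMTP gateway"),
    # Example 2: any inside host may send mail out; replies come from port 25 and must carry ACK.
    Rule("allow", iface="internal", src=OUR_NET, dport="25", comment="outbound mail"),
    Rule("allow", iface="external", sport="25", dst=OUR_NET, require_ack=True, comment="replies to our mail"),
]


def pkt(iface, src, sport, dst, dport, ack=False):
    return {"iface": iface, "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}


# Constructed packets exercising each rule and the implicit default.
SAMPLE = [
    pkt("external", "203.0.113.5", 3456, OUR_GW, 25),                   # block: SPIGOT
    pkt("external", "198.51.100.7", 3456, OUR_GW, 25),                  # allow: mail to gateway
    pkt("external", "198.51.100.7", 3456, "129.97.5.5", 25),            # block: mail to a non-gateway host
    pkt("external", "129.97.9.9", 3456, OUR_GW, 25),                    # block: spoofed inside address
    pkt("internal", "129.97.5.5", 4000, "198.51.100.7", 25),            # allow: outbound mail
    pkt("external", "198.51.100.7", 25, "129.97.5.5", 4000, ack=True),  # allow: reply to it
    pkt("external", "198.51.100.7", 25, "129.97.5.5", 4000),            # block: no ACK, so a new connection
    pkt("internal", "10.0.0.9", 4000, "198.51.100.7", 25),              # block: inside host, foreign address
]


def evaluate(rules=RULES, packets=SAMPLE):
    return [decide(rules, p) for p in packets]


if __name__ == "__main__":
    for p, (action, why) in zip(SAMPLE, evaluate()):
        print(f"{p['iface']:8s} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} ack={p['ack']}  {action:5s} ({why})")
```

Rule order matters: the spoofing block sits first so that a forged inside address can never reach the later allows, and the SPIGOT block precedes the gateway allow for the same reason. The seventh packet shows why the ACK test exists: without it, anything sent from source port 25 would satisfy the reply rule.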
Hacking Through Packet Filters
– TCP can only be filtered in the 0th fragment
  • setting the fragment number to 1, the packet will usually pass through the packet filter
– Older packet filters only filter ports below 1024
  • HTTP used higher numbered ports for passing data back to web browsers
  • Many new applications use ports above 1024 for normal communication
– Public services must be forwarded
  • services like the updating of web pages via Netscape Composer must be controlled to limit public access
Best Practices
• Use a proxy
  – physically breaks the network path
• Use Stateful Packet Filters
  – can’t be bypassed like stateless filters
• Disable all Ports by Default
  – enable only what is absolutely needed
• Secure the Base Operating System
  – apply all patches provided by vendor
    • check the vendor web site frequently
  – always use a hardened protocol stack
Security & Performance of Packet Filters
• IP address spoofing
  – Fake source address to be trusted
  – Add filters on router to block
• Tiny fragment attacks
  – Split TCP header info over several tiny packets
  – Either discard or reassemble before check
• Degradation depends on number of rules applied at any point
• Order rules so that most common traffic is dealt with first
• Correctness is more important than speed
Application-Level Filtering
• Has full access to protocol
  – user requests service from proxy
  – proxy validates request as legal
  – then actions for request and returns result to user
• Need separate proxies for each service
  – E.g., SMTP (E-Mail)
  – NNTP (Net news)
  – DNS (Domain Name System)
  – NTP (Network Time Protocol)
  – custom services generally not supported
Firewalls - Application Level Gateway (Proxy)
App-level Firewall Architecture
[Figure: a daemon spawns a proxy when communication is detected. A Network Connection reaches the Telnet daemon, SMTP daemon or FTP daemon, which spawns the matching Telnet proxy, SMTP proxy or FTP proxy.]
Network Address Translation (NAT)
• Converts a network’s illegal IP addresses to legal or public IP addresses
  – Hides the true addresses of individual hosts, protecting them from attack
  – Allows more devices to be connected to the network
[Figure: the Corporate LAN uses Internal IP Addresses 192.172.1.1-192.172.1.254; NAT presents Public IP Address(es) such as 219.22.165.1 to the Internet]
Address Translation—Hiding
[Figure: three internal hosts (192.168.0.15, 10.0.0.2, 10.0.0.3) are hidden behind the single PAT Global address 172.30.0.50. Packet labels shown:
  Dest: 192.168.0.15   Source: 172.30.0.50
  Dest: 10.0.0.2       Source: 172.30.0.50
  Dest: 10.0.0.3       Source: 172.30.0.50]
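The hiding translation from the two NAT slides, as an added example (not code from the slides): a port address translation table that rewrites every outbound packet to the one public address with a per-session public port, maps replies back through that port, and has no entry to hand an unsolicited inbound packet to, which is the "hides the true addresses" property stated above. The public address is the slide's 172.30.0.50; the internal hosts are the three from the diagram; the remote server, the ports and the 40000 starting port are assumed sample values.

```python
import itertools
from dataclasses import dataclass, replace

PUBLIC_IP = "172.30.0.50"   # the "PAT Global" hiding address shown on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HidingNat:
    """Port Address Translation ("hide" NAT): every internal host is rewritten to one public
    address with a per-session public port; replies are mapped back through that port, and
    inbound packets that match no session have nowhere to go and are dropped."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (inside ip, inside port, remote ip, remote port) -> public port
        self.inbound = {}    # public port -> that same tuple

    def translate_out(self, pkt):
        """Rewrite a packet leaving the LAN so it appears to come from the public address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:                     # first packet of this session: allocate a port
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def translate_in(self, pkt):
        """Map a packet arriving at the public address back to the inside host, or None
        when no session owns the port or the sender is not the session's remote peer."""
        key = self.inbound.get(pkt.dport)
        if key is None or key[2:] != (pkt.src, pkt.sport):
            return None
        return replace(pkt, dst=key[0], dport=key[1])


def demo():
    """Constructed traffic: the three hidden hosts from the slide each open a web session,
    the server replies to one of them, then two unsolicited packets arrive from outside."""
    nat = HidingNat()
    out = [nat.translate_out(Packet(ip, 5000, "198.51.100.7", 80))
           for ip in ("192.168.0.15", "10.0.0.2", "10.0.0.3")]
    reply = nat.translate_in(Packet("198.51.100.7", 80, PUBLIC_IP, out[1].sport))
    unsolicited = nat.translate_in(Packet("203.0.113.9", 4444, PUBLIC_IP, 22))
    wrong_peer = nat.translate_in(Packet("203.0.113.9", 4444, PUBLIC_IP, out[0].sport))
    return out, reply, unsolicited, wrong_peer


if __name__ == "__main__":
    out, reply, unsolicited, wrong_peer = demo()
    for p in out:
        print("outbound as seen on the Internet:", p)
    print("reply delivered to:", reply)
    print("unsolicited inbound:", unsolicited, "| wrong peer on a live port:", wrong_peer)
```

The check on the remote peer in translate_in is what makes the hiding more than an address swap: even a guessed live port only admits packets from the host the inside client is talking to. Real implementations also time sessions out and handle protocols that embed addresses in their payload (FTP's PORT command, for one), which a pure header rewrite cannot fix.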
Firewalls - Circuit Level Gateway
Firewalls - Circuit Level Gateway
• A virtual "circuit" exists between the internal client and the proxy server
• Different clients inside the network are all mapped to the public IP address (firewall)
• Internet requests go through this circuit to the proxy server
• Proxy server delivers those requests to the Internet after changing the IP address.
• Circuit-level firewalls hide the network itself from the outside
• IP spoofing tedious
• operates at the Network Layer. Relays traffic without examining contents
Firewall Deployment
• Corporate Network Gateway
  – Protect internal network from attack
  – Most common deployment point
[Figure: Corporate Site with a Corporate Network Gateway facing the Internet, a Demilitarized Zone (DMZ) holding the Public Servers, and a Human Resources Network]
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
  – Protect sensitive segments (Finance, HR, Product Development)
  – Provide second layer of defense
  – Ensure protection against internal attacks and misuse
[Figure: Corporate Site with an Internal Segment Gateway in front of the Human Resources Network; Public Servers face the Internet]
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
• Server-Based Firewall
  – Protect individual application servers
  – Files protect
[Figure: Corporate Site with a Server-Based Firewall in front of the SAP Server; Public Servers in the DMZ; Human Resources Network; Internet]
Firewall Deployment
• Hardware appliance based firewall
  – Single platform, software pre-installed
  – Can be used to support small organizations or branch offices with little IT support
• Software based firewall
  – Flexible platform deployment options
  – Can scale as organization grows
Firewall Architectures
• Dual-Homed Host
• Screened Host
• Screened Subnet Host
Dual-Homed Host Architecture
• Dual-Homed Host is a computer that has separate network connections to two networks
• act as a router between the two networks but routing function is disabled when dual-homed hosts are used in firewall architectures
• ability to see traffic on both networks
• Systems inside the internal network can communicate with the dual homed host via one network interface, and systems on the Internet via the other
• Such hosts are often referred to as Bastion Hosts in the firewall literature
• Trusted network is vulnerable if the bastion host is compromised
[Figure: Dual-Homed Host Architecture]
Screened Host Architecture
• Security is provided by packet filtering and a bastion host sits on the internal network
• Bastion host is the only host accessible from the Internet
• Connections to the Internet may be routed through the bastion host. In some cases, allowed directly through the screening router, depending on the network security policy
• Trusted network is vulnerable if the bastion host is compromised
[Figure: Screened Host Architecture]
Screened Subnet Host Architecture
• Isolating bastion host on a perimeter network
• The simplest way to provide a perimeter network is to add an additional screening router to the screened host architecture
• The bastion host is then located on the perimeter network between the two screening routers.
[Figure: Screened Subnet Host Architecture]
Free Firewall Software Packages
• IP Chains & IP Tables
  – comes with most Linux distributions
• SELinux (Security-Enhanced Linux – NSA)
  – comes with some Linux distributions
    • Fedora, RedHat
• IPCop – specialized Linux distribution
Home & Personal Routers
• Provide
  – configurable packet filtering
  – NAT/DHCP
• Linksys – single board RISC based Linux computer
• D-Link
Enterprise Firewalls
• Check Point FireWall-1
• Cisco PIX (product family)
• MS Internet Security & Acceleration Server
• GAI Gauntlet
Firewalls Aren’t Perfect?
• Useless against attacks from the inside
  – Evildoer exists on inside
  – Malicious code is executed on an internal machine
• Organizations with greater insider threat
  – Banks and Military
• Protection must exist at each layer
  – Assess risks of threats at every layer
• Cannot protect against transfer of all virus infected programs or files
  – because of huge range of O/S & file types