FIREWALLS - Syddansk Universitet (imada.sdu.dk/~jamik/dm557-16/material/Firewalls.pdf)
FIREWALLS
Firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS: WHY
Prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections
Prevent illegal modification/access of internal data
e.g., attacker replaces CIA’s homepage with something else
Allow only authorized access to inside network
set of authenticated users/hosts
TYPES
Three types of firewalls:
1. stateless packet filters
2. stateful packet filters
3. application gateways
STATELESS PACKET FILTERING
internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on:
source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
EXAMPLE 1
Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
result: all incoming, outgoing UDP flows and telnet connections are blocked
EXAMPLE 2
block inbound TCP segments with ACK=0.
result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
MORE EXAMPLES

| Policy | Firewall setting |
|---|---|
| No outside Web access. | Drop all outgoing packets to any IP address, port 80 |
| No incoming TCP connections, except those for institution’s public Web server only. | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 |
| Prevent Web-radios from eating up the available bandwidth. | Drop all incoming UDP packets - except DNS and router broadcasts. |
| Policy | Firewall setting |
|---|---|
| Prevent your network from being used for a smurf DoS attack. | Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255). |
| Prevent your network from being tracerouted | Drop all outgoing ICMP TTL expired traffic |
ACCESS CONTROL LISTS
ACL: Table of rules, applied top to bottom to incoming packets: (action, condition) pairs
ACCESS CONTROL LISTS (1)

| action | source address | dest address | protocol | source port | dest port | flag bit |
|---|---|---|---|---|---|---|
| allow | 222.22/16 | outside 222.22/16 | TCP | > 1023 | 80 | any |
| allow | outside 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK |
| allow | 222.22/16 | outside 222.22/16 | UDP | > 1023 | 80 | - |
ACCESS CONTROL LISTS (2)

| action | source address | dest address | protocol | source port | dest port | flag bit |
|---|---|---|---|---|---|---|
| allow | outside 222.22/16 | 222.22/16 | UDP | 80 | > 1023 | - |
| deny | all | all | all | all | all | all |
STATEFUL PACKET FILTERING
Stateless packet filter: heavy handed tool
Admits packets that "make no sense," e.g., dest port = 80, ACK bit set, even though no TCP connection established:

| action | source address | dest address | protocol | source port | dest port | flag bit |
|---|---|---|---|---|---|---|
| allow | outside 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK |
Track status of every TCP connection
track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets "make sense"
timeout inactive connections at firewall: no longer admit packets
ACL
ACL augmented to indicate need to check connection state table before admitting packet
ACL (1)

| action | source address | dest address | ptcl | source port | dest port | flag bit | check connection |
|---|---|---|---|---|---|---|---|
| allow | 222.22/16 | outside 222.22/16 | TCP | >1023 | 80 | any | |
| allow | outside 222.22/16 | 222.22/16 | TCP | 80 | >1023 | ACK | X |
| allow | 222.22/16 | outside 222.22/16 | UDP | >1023 | 80 | - | |
ACL (2)

| action | source address | dest address | ptcl | source port | dest port | flag bit | check connection |
|---|---|---|---|---|---|---|---|
| allow | outside 222.22/16 | 222.22/16 | UDP | 80 | >1023 | - | X |
| deny | all | all | all | all | all | all | |
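Added example (not from the lecture slides): a Python evaluator that applies the rule tables above top to bottom, first as the stateless filter of ACCESS CONTROL LISTS (1)/(2) and then with the "check connection" column of ACL (1)/(2) backed by a connection table. The packets, addresses and the string encodings of the port and flag columns are constructed for illustration; inactivity timeouts are not modelled.

```python
import ipaddress

INSIDE = ipaddress.ip_network("222.22.0.0/16")  # the slides' 222.22/16

def in_net(addr, where):  # where: 'inside', 'outside' or 'all', as in the address columns
    return where == "all" or (ipaddress.ip_address(addr) in INSIDE) == (where == "inside")
def port_ok(spec, port):  # spec: a port number, '>1023' (ephemeral range) or 'all'
    return spec == "all" or (spec == ">1023" and port > 1023) or spec == port
def flag_ok(spec, flags):  # spec: 'ACK' requires the ACK bit; 'any', '-', 'all' accept anything
    return spec in ("any", "-", "all") or spec in flags

# The slides' rules as (action, src, dst, proto, sport, dport, flag bit, check connection).
ACL = [
    ("allow", "inside",  "outside", "TCP", ">1023", 80,      "any", False),
    ("allow", "outside", "inside",  "TCP", 80,      ">1023", "ACK", True),
    ("allow", "inside",  "outside", "UDP", ">1023", 80,      "-",   False),
    ("allow", "outside", "inside",  "UDP", 80,      ">1023", "-",   True),
    ("deny",  "all",     "all",     "all", "all",   "all",   "all", False),
]

def filter_packet(pkt, conns=None):
    """Apply the ACL top to bottom; conns is the connection table (None = stateless)."""
    for action, src, dst, proto, sport, dport, flag, check in ACL:
        if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
                and proto in (pkt["proto"], "all")
                and port_ok(sport, pkt["sport"]) and port_ok(dport, pkt["dport"])
                and flag_ok(flag, pkt["flags"])):
            continue  # this rule does not match; try the next one
        if action == "allow" and conns is not None:
            if check:  # inbound reply: admit only if the table knows the connection
                key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
                return "allow" if key in conns else "deny"
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            if "FIN" in pkt["flags"]:                             # teardown
                conns.discard(key)
            elif "SYN" in pkt["flags"] or pkt["proto"] == "UDP":  # setup (timeouts not modelled)
                conns.add(key)
        return action
    return "deny"

# Constructed packets: an unsolicited inbound 'reply' with ACK set, and a genuine outbound SYN.
BOGUS = dict(src="198.51.100.7", dst="222.22.1.10", proto="TCP", sport=80, dport=4000, flags={"ACK"})
SYN = dict(src="222.22.1.10", dst="198.51.100.7", proto="TCP", sport=4000, dport=80, flags={"SYN"})

def demo():
    table = set()  # the stateful firewall's connection table
    return (filter_packet(BOGUS),         # 'allow': the header alone satisfies rule 2
            filter_packet(BOGUS, table),  # 'deny': nothing in the connection table
            filter_packet(SYN, table),    # 'allow': outbound SYN gets recorded
            filter_packet(BOGUS, table))  # 'allow': now a real reply
```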
APPLICATION GATEWAYS
Filters packets on application data as well as on IP/TCP/UDP fields.
EXAMPLE: TELNET
Allow selected internal users to telnet outside.
Require all telnet users to telnet through gateway.
For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
Router filter blocks all telnet connections not originating from gateway.
LIMITATIONS OF FIREWALLS, GATEWAYS
IP spoofing: router can’t know if data “really” comes from claimed source
if multiple apps need special treatment, each has its own app gateway
client software must know how to contact gateway.
e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks
INTRUSION DETECTION SYSTEMS
WHY
For packet filtering:
operates on TCP/IP headers only
no correlation check among sessions
IDS: INTRUSION DETECTION SYSTEM
Deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
Examine correlation among multiple packets
Port scanning
Network mapping
DoS attack
INTRUSION DETECTION SYSTEMS
Multiple IDSs: different types of checking at different locations
INTRUSION PREVENTION SYSTEMS
Intrusion detection systems typically raise an alarm by email/SMS to the network admin
An Intrusion Prevention System simply closes the connection in the firewall if something suspicious is detected.
SIGNATURE-BASED IDS
Maintains an extensive database of attack signatures
A signature is a set of rules describing an intrusion activity
May simply be a list of characteristics of a single packet (src, dest, port numbers)
Can be related to a series of packets
Signatures normally made by skilled network security engineers
Local system administrators can customize and add their own
Operations of a signature-based IDS
Sniffs every packet passing by it
Compares packet with each signature in database
If it matches → generate an alert
Limitations
Require previous knowledge of attack to generate signature
Can generate false positives
Large processing load, and may fail in detection of malicious packets
ANOMALY-BASED IDS
Creates a profile of standard network traffic
As observed in normal operation
Then looks for packet streams that are statistically different
Example: Exponential growth in portscans or ping sweeps
Positive
Does not require prior knowledge of an attack
Limitation
Extremely challenging to distinguish between normal and unusual traffic
Most systems today are signature based
EXAMPLE IDS: SNORT
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
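Added example (not from the lecture, and not Snort's own code): a small Python model of how a signature-based IDS evaluates the rule above, using the rule's own header, flow and content/depth/distance/nocase options. The packet dictionaries and the sample banner are constructed for illustration; a real Snort engine does far more than this.

```python
def decode_content(spec):
    """Decode a Snort content string: literal text with |XX XX| hex escapes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

# Options transcribed from SID 118 above: $HOME_NET:666 -> $EXTERNAL_NET:any, to_client, established.
RULE = {
    "proto": "tcp", "src_home": True, "sport": 666,
    "flow": {"to_client", "established"},
    "contents": [
        {"content": "Remote|3A| ", "depth": 11, "nocase": True},
        {"content": "You are connected to me.|0D 0A|Remote|3A| Ready for commands",
         "distance": 0, "nocase": True},
    ],
}

def match_contents(payload, contents):
    """Apply content checks in order. depth: the match must lie within the first
    `depth` bytes; distance: the search starts that many bytes after the end of
    the previous match (so distance:0 means 'anywhere after the last match')."""
    cursor = 0
    for opt in contents:
        needle, hay = decode_content(opt["content"]), payload
        if opt.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        start = cursor + opt["distance"] if "distance" in opt else 0
        end = start + opt["depth"] if "depth" in opt else len(hay)
        idx = hay.find(needle, start, end)  # needle must fit entirely in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True

def rule_fires(pkt):
    """True if the rule's header, flow and content options all hold for one packet."""
    hdr_ok = (pkt["proto"] == RULE["proto"] and pkt["src_home"] == RULE["src_home"]
              and pkt["sport"] == RULE["sport"])
    flow_ok = RULE["flow"] <= pkt["flow"]  # every flow keyword of the rule must hold
    return hdr_ok and flow_ok and match_contents(pkt["payload"], RULE["contents"])

# Constructed sample traffic (not real captures).
BANNER = b"Remote: You are connected to me.\r\nRemote: Ready for commands\r\n"
HIT = {"proto": "tcp", "src_home": True, "sport": 666,
       "flow": {"to_client", "established"}, "payload": BANNER}
MISS_DEPTH = dict(HIT, payload=b"--- padding --- " + BANNER)  # first 'Remote: ' beyond depth:11
MISS_FLOW = dict(HIT, flow={"to_server", "established"})      # same bytes, wrong direction
if __name__ == "__main__":
    for name, pkt in (("hit", HIT), ("miss_depth", MISS_DEPTH), ("miss_flow", MISS_FLOW)):
        print(name, "ALERT" if rule_fires(pkt) else "no alert")
```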
QUESTIONS?