CSCE 522 Firewalls


  • CSCE 522 Firewalls

    CSCE 522 - Farkas

  • Readings

    Pfleeger: 7.4

  • Traffic Control

    Firewall (building sense): a brick wall placed between apartments to prevent the spread of fire from one apartment to the next.
    Firewall (network sense): a single, narrow checkpoint placed between two or more networks, where security and audit can be imposed on the traffic that passes through it.

  • Firewall

    A security wall between a private (protected) network and the outside world.

    Private Network <--> Firewall <--> External Network

  • Firewall Objectives

    Keep intruders, malicious code and unwanted traffic or information out (external attacks).
    Keep proprietary and sensitive information in (proprietary data).

  • Without firewalls, nodes:

    Are exposed to insecure services.
    Are exposed to probes and attacks from outside.
    Can be defenseless against new attacks.
    Network security then relies entirely on host security: every host must be secured and kept consistent with the others to reach a high level of security, which is almost impossible in practice.

  • Common firewall features

    Routing information about the private network cannot be observed from outside: tools such as traceroute and ping cannot see internal hosts.
    Users wishing to log on to an internal host must first log on to the firewall machine.

  • Trade-Off between Accessibility and Security

    Accessibility <--- Service Access Policy ---> Security

  • Firewall Advantages

    Protection for vulnerable services
    Controlled access to site systems
    Concentrated security
    Enhanced privacy
    Logging and statistics on network use and misuse
    Policy enforcement

  • Controlled Access

    A site can prevent outside access to its hosts except for special cases (e.g., a mail server).
    Do not give access to a host that does not require it.
    Some hosts can be reached from outside, some cannot.
    Some hosts can reach outside, some cannot.

  • Concentrated Security

    A firewall is less expensive than securing all hosts.
    All or most modified software and additional security software lives on the firewall only (no need to distribute it to many hosts).
    Other network security mechanisms (e.g., Kerberos) require modification of each host system.

  • Enhanced Privacy

    Even innocuous information may contain clues that attackers can use.
    E.g., finger reveals the last login time, when e-mail was last read, etc.
    From this an attacker can infer how often the system is used, who the active users are, and whether the system can be attacked without drawing attention.

  • Logging and Statistics on Network Use and Misuse

    If all access to and from the Internet passes through the firewall, the firewall can (in principle) log every access and provide statistics about system usage.
    Alarms can be added to flag suspicious activity, probes and attacks, so the firewall does double duty as an intrusion detection system on smaller networks.
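The "alarm on probes" idea above, worked through as an added example that is not from the slides: a small detector reads firewall deny logs, raises an alarm when one source has been refused on many distinct destination ports (a classic port-scan signature), and produces the per-port accept/drop counts the slide calls usage statistics. The log lines are constructed in an iptables-like format; the regex is the part you would adapt to a real firewall's log format, and the threshold of five ports is an arbitrary assumption.

```python
"""Port-scan alarm and usage statistics over firewall deny logs.

Added example, not from the CSCE 522 slides. Log format, hosts and the
five-port threshold are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). One source, 203.0.113.7,
# is refused on six different ports in two seconds; 198.51.100.4 just
# retries SMTP, which is noise, not a probe.
SAMPLE_LOG = """\
Mar 11 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 11 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 11 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 11 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 11 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 11 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 11 10:02:10 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 11 10:02:11 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 11 10:03:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Fields we need from each line; anything that does not match is ignored.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def find_probes(events, min_ports=5):
    """Sources whose DROPped packets hit at least min_ports distinct destination ports.

    Returns {src: sorted list of ports}. Counting distinct ports (not packets)
    keeps a host that merely retries one blocked service from raising an alarm.
    """
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def usage_stats(events):
    """Accept/drop counts per destination port: the usage statistics the slide mentions."""
    stats = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for e in events:
        stats[e["dport"]][e["action"]] += 1
    return dict(stats)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, ports in find_probes(ev).items():
        print(f"ALARM: probable port scan from {src}, ports {ports}")
    for port, counts in sorted(usage_stats(ev).items()):
        print(f"port {port}: {counts}")
```

On the constructed log the detector flags only 203.0.113.7; the SMTP retries from 198.51.100.4 stay below the distinct-port threshold. A real deployment would add a time window so that a slow scan spread over hours is still caught and a busy, legitimate peer is not.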

  • Policy enforcement

    A means of implementing and enforcing a network access policy.
    Access control for users and services.
    Cannot replace a good education/awareness program, however: knowledgeable users can tunnel traffic to bypass the policy enforced at the firewall.

  • Firewall Disadvantages

    Restricted access to desirable services
    Large potential for back doors
    No protection from insider attacks
    No protection against data-driven attacks
    Cannot protect against newly discovered attacks (policy/situation dependent)
    Large learning curve

  • Restricted Access to Desirable Services

    May block services that users want, e.g., telnet, ftp, X Windows, NFS, etc.
    Need a well-balanced security policy.
    Similar problems would occur with host access control.
    The network topology may not fit the firewall design, e.g., insecure services used across major gateways.
    Need to investigate other solutions (e.g., Kerberos).

  • Back Doors

    Firewalls DO NOT protect against back doors into the site.
    E.g., if unrestricted modem access into the site is still permitted, an attacker can simply go around the firewall.
    Legacy network topology in large networks is a common source of such paths.

  • Little Protection from Insider Attacks

    A firewall generally provides no protection against insider threats.
    Sneaker net: an insider may copy data onto tape or print it and carry it out of the facility.

  • Data-Driven Attacks

    Viruses: users downloading virus-infected personal computer programs.
    Executable content: Java applets, ActiveX controls, JavaScript, VBScript.
    End-to-end encryption: the firewall cannot inspect payloads it cannot decrypt.
    Tunneling/encapsulation: disallowed traffic carried inside a protocol the firewall permits.

  • Other Issues

    Throughput: potential bottleneck (all connections must pass through the firewall).
    Single point of failure: security is concentrated in one spot, so a compromised firewall is a disaster.
    Complexity and feature bloat.
    Some services do not work well with firewalls.
    Lack of standard performance measurements or techniques.

  • Firewall Components

    Firewall administrator
    Firewall policy
    Packet filters: transparent; they do not change traffic, only pass or drop it.
    Proxies: active; they intercept traffic and act as an intermediary.

  • Firewall Administrator

    Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
    Knowledge of the workings of applications that run over the lower-level protocols
    Knowledge of the interaction between the firewall implementation and traffic
    Vendor-specific knowledge

  • Firewall Policy

    High-level policy: service access policy
    Low-level policy: firewall design policy
    Firewall policy should be flexible!

  • Service Access Policy

    Part of the network security policy.
    Goal: keep outsiders out.
    Must be realistic and reflect the required security level.
    Full security vs. full accessibility.

  • Firewall Design Policy

    Refinement of the service access policy for a specific firewall configuration.
    Defines how the firewall achieves the service access policy.
    Unique to a firewall configuration.
    Difficult!

  • Firewall Design Policy

    Approaches:
    Open system: permit any service unless explicitly denied (maximal accessibility).
    Closed system: deny any service unless explicitly permitted (maximal security; the usual recommendation, also called default deny).

  • Simple Packet Filters

    Apply a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded.
    Header information is used for filtering (e.g., protocol number, source and destination IP addresses, source and destination port numbers, etc.).
    Stateless: each IP packet is examined in isolation from what has happened in the past.
    Often implemented by a router (screening router).

  • Simple Packet Filter

    Place a simple router (or similar hardware) between the internal network and the outside.
    Allow/prohibit packets from certain services.

    Private Network <--> Packet Filter (packet-level rules) <--> Outside

  • Simple Packet Filters

    Advantages:
    Does not change the traffic flow or its characteristics: a packet is passed through or it is not.
    Simple.
    Cheap.
    Flexible: filtering is based on the current rule set and can be changed at any time.

  • Simple Packet Filters

    Disadvantages:
    Direct communication between multiple outside hosts and the internal network.
    Unsophisticated (protects against simple attacks only).
    Calibrating the rule set may be tricky.
    Limited auditing.
    Single point of failure.
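To make the open/closed design policies and the stateless-filter slides concrete, here is an added example (not from the slides, and not any vendor's rule language): a first-match packet filter that evaluates the same three rules under a default-deny and a default-allow policy. Addresses, the 10.0.0.0/8 "internal" prefix and the rule set are assumptions for illustration. The last packet, a legitimate reply from an outside web server, shows the weakness of stateless filtering: under default deny it is dropped because no rule describes replies, and the only stateless fix is a broad "allow inbound to ports above 1023" rule that attackers can also use.

```python
"""Stateless, first-match packet filter with a configurable default policy.

Added example, not from the CSCE 522 slides. Packets and rules are
simplified: IPv4 address or CIDR, protocol name, inclusive port range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)   # inclusive destination-port range

    def matches(self, p):
        """Header-only match: nothing about earlier packets is consulted."""
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport[0] <= p.dport <= self.dport[1])


class PacketFilter:
    def __init__(self, rules, default):
        assert default in ("allow", "deny")
        self.rules, self.default = list(rules), default

    def decide(self, p):
        """First matching rule wins; otherwise the default policy applies."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


INTERNAL = "10.0.0.0/8"   # assumed private network
RULES = [
    Rule("allow", "tcp", dst="10.0.0.25/32", dport=(25, 25)),  # mail server reachable from anywhere
    Rule("deny",  "tcp", dst=INTERNAL, dport=(23, 23)),         # telnet into the site never allowed
    Rule("allow", "tcp", src=INTERNAL),                          # inside may open TCP to anywhere
]

closed = PacketFilter(RULES, default="deny")    # closed system: deny unless permitted
open_ = PacketFilter(RULES, default="allow")    # open system: permit unless denied


def compare(p):
    """Decision under the closed and the open policy, as a (closed, open) pair."""
    return closed.decide(p), open_.decide(p)


if __name__ == "__main__":
    samples = [
        ("SMTP to the mail server", Packet("tcp", "203.0.113.5", "10.0.0.25", 40000, 25)),
        ("telnet to an inside host", Packet("tcp", "203.0.113.5", "10.0.0.9", 40000, 23)),
        ("RDP to an inside host", Packet("tcp", "203.0.113.5", "10.0.0.9", 40000, 3389)),
        ("inside host opens HTTPS", Packet("tcp", "10.0.0.9", "203.0.113.5", 51000, 443)),
        ("HTTPS reply to that host", Packet("tcp", "203.0.113.5", "10.0.0.9", 443, 51000)),
    ]
    for label, p in samples:
        c, o = compare(p)
        print(f"{label:28s} closed={c:5s} open={o}")
```

The RDP packet is the one that matters for the design-policy choice: it reaches no rule, so the open policy lets it through and the closed policy drops it. The HTTPS reply is the one that matters for the stateless-filter slide: the closed policy drops a packet the site actually wants, which is the problem stateful filtering was invented to solve.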

  • Stateful Packet Filters

    Also called stateful inspection or dynamic packet filtering.
    Check Point patented this technology in 1997.
    Maintains a history of previously seen packets (a connection table) to make better decisions about current and future packets, e.g., an inbound packet is accepted only if it belongs to a connection an inside host opened.
    Check out: Check Point, Stateful Inspection Technology, http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf
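The connection-table idea, as an added example that is not from the slides or from Check Point's product: a minimal TCP connection tracker that lets inside hosts open connections outward, admits the server's SYN/ACK and later data only for a connection it has seen the inside host start, and drops unsolicited inbound packets, including the spoofed "looks like a reply" ACKs that a stateless "allow ports above 1023" rule would pass. The 10.0.0.0/8 internal prefix and the scenario packets are assumptions; the state machine is deliberately reduced (no timers, no sequence-number checks) to keep the table logic visible.

```python
"""Stateful TCP filter: inbound packets are accepted only as part of a
connection the inside opened.

Added example, not from the CSCE 522 slides or any vendor. Simplified:
entries never time out and sequence numbers are not checked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "FA", "R"


class StatefulFilter:
    def __init__(self, inside="10.0.0.0/8"):          # assumed private network
        self.inside = ip_network(inside)
        # key: (src, sport, dst, dport) as seen from the initiator -> state
        self.table = {}

    def _is_inside(self, ip):
        return ip_address(ip) in self.inside

    def decide(self, p):
        """Return 'accept' or 'drop' and update the connection table."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # packet in the initiator's direction
        rev = (p.dst, p.dport, p.src, p.sport)   # packet is a reply to a tracked connection

        if fwd in self.table:                    # initiator keeps talking
            if "R" in p.flags:
                del self.table[fwd]              # reset tears the entry down
            return "accept"

        if rev in self.table:                    # responder talking back
            state = self.table[rev]
            if state == "SYN_SENT" and p.flags == "SA":
                self.table[rev] = "ESTABLISHED"
                return "accept"
            if state == "ESTABLISHED":
                if "R" in p.flags or "F" in p.flags:
                    del self.table[rev]          # close: forget the connection
                return "accept"
            return "drop"                        # wrong step of the handshake

        # No table entry: only a SYN from inside to outside may create one.
        if p.flags == "S" and self._is_inside(p.src) and not self._is_inside(p.dst):
            self.table[fwd] = "SYN_SENT"
            return "accept"
        return "drop"


def run(fw, packets):
    """Feed packets in order and collect the decisions."""
    return [fw.decide(p) for p in packets]


# Constructed scenario: one legitimate outbound HTTPS session interleaved
# with the inbound packets a stateless filter would get wrong.
SCENARIO = [
    TcpPacket("10.0.0.9", 51000, "203.0.113.5", 443, "S"),    # inside opens connection
    TcpPacket("203.0.113.5", 443, "10.0.0.9", 51000, "SA"),   # server SYN/ACK
    TcpPacket("10.0.0.9", 51000, "203.0.113.5", 443, "A"),    # handshake completes
    TcpPacket("203.0.113.5", 443, "10.0.0.9", 51000, "A"),    # data from server
    TcpPacket("203.0.113.5", 443, "10.0.0.9", 51001, "A"),    # unsolicited ACK to a high port
    TcpPacket("198.51.100.4", 40000, "10.0.0.9", 3389, "S"),  # inbound SYN to RDP
    TcpPacket("198.51.100.4", 1024, "10.0.0.9", 51000, "SA"), # forged SYN/ACK from wrong host
    TcpPacket("203.0.113.5", 443, "10.0.0.9", 51000, "FA"),   # server closes
    TcpPacket("203.0.113.5", 443, "10.0.0.9", 51000, "A"),    # stray packet after close
]

if __name__ == "__main__":
    fw = StatefulFilter()
    for p, d in zip(SCENARIO, run(fw, SCENARIO)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {d}")
    print("open connections:", len(fw.table))
```

Compare packets four and five: both are ACKs from port 443 to a high port on the same inside host, indistinguishable by header alone, and only the table tells them apart. This is also why a home router that "blocks all incoming connections" still lets downloads work.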

  • Proxy Firewalls

    View (what the endpoints see): Private Network <--> Outside
    Reality: Private Network <--> Proxy Server <--> Outside

  • Proxy Firewalls

    Application gateways: work at the application layer and must understand and implement the application protocol; called application-level gateways or proxy servers.
    Circuit-level gateways: work at the transport layer; e.g., SOCKS.

  • Application Gateways

    Interconnect one network to another for a specific application.
    Understand and implement the application protocol.
    Good for higher-level restrictions.

    Client <--> Application Gateway <--> Server

  • Application Gateways

    Advantages:
    Information hiding: by not permitting application traffic directly to internal hosts, the names of internal systems are not known to outside systems.
    Can limit capabilities within an application (e.g., permit some commands and refuse others).
    Robust authentication and logging: application traffic can be authenticated before it reaches the host, and can be logged.
    Cost effective: third-party authentication and logging software and hardware are needed only on the gateway.
    Less complex filtering rules for packet-filtering routers: they need only check that traffic is destined for the gateway.
    Most secure of the firewall types discussed.

  • Application Gateways

    Disadvantages:
    Keeping up with new applications.
    Need to know all aspects of each protocol.
    May need to modify application clients or protocols.
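An added example, not from the slides, of the "limit capabilities within an application" advantage: a gateway for the FTP control channel that parses each client command (RFC 959 verbs) and forwards only a read-only subset, answering the rest itself with an FTP error. The read-only policy, the refusal of PORT (active mode would have the server open a connection back into the private network) and the crude ".." path check are assumptions for illustration, not part of the FTP standard.

```python
"""Application-level gateway for the FTP control channel.

Added example, not from the CSCE 522 slides. The policy (read-only access,
passive mode only, no '..' in paths) is an assumed site policy.
"""

# Verbs the gateway forwards unchanged (RFC 959 / RFC 2389 command names).
READ_ONLY = {"USER", "PASS", "SYST", "FEAT", "PWD", "CWD", "CDUP", "TYPE",
             "PASV", "LIST", "NLST", "RETR", "SIZE", "NOOP", "QUIT"}

# Verbs refused with a policy-specific reason; anything else gets a generic one.
FORBIDDEN_REASON = {
    "STOR": "upload not permitted",
    "APPE": "upload not permitted",
    "DELE": "deletion not permitted",
    "RMD":  "deletion not permitted",
    "MKD":  "modification not permitted",
    "RNFR": "modification not permitted",
    "RNTO": "modification not permitted",
    "PORT": "active mode would open a connection into the private network; use PASV",
    "SITE": "server-specific commands not permitted",
}


def parse_command(line):
    """Split one control-channel line into (VERB, argument).

    Raises ValueError for empty lines or embedded control characters, which
    a well-formed client never sends and a gateway should not relay.
    """
    line = line.rstrip("\r\n")
    if not line or any(ord(c) < 32 for c in line):
        raise ValueError("malformed command line")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def gateway_decision(line):
    """Return ('forward', line_to_server) or ('reject', reply_to_client).

    Rejections are answered by the gateway itself in FTP's reply syntax, so
    the forbidden command never reaches the protected server.
    """
    try:
        verb, arg = parse_command(line)
    except ValueError:
        return ("reject", "500 Syntax error, command unrecognized.\r\n")
    if verb == "CWD" and ".." in arg.split("/"):      # assumed policy: no upward traversal
        return ("reject", "550 Path not permitted by gateway policy.\r\n")
    if verb in READ_ONLY:
        return ("forward", f"{verb} {arg}\r\n" if arg else f"{verb}\r\n")
    reason = FORBIDDEN_REASON.get(verb, "command not permitted by gateway policy")
    return ("reject", f"502 {reason}.\r\n")


def relay_session(client_lines):
    """Decide each line of a client session in order; returns (line, decision) pairs."""
    return [(line, gateway_decision(line)) for line in client_lines]


if __name__ == "__main__":
    # Constructed client session, not a real capture.
    session = [
        "USER anonymous\r\n", "PASS guest@\r\n", "PASV\r\n",
        "RETR report.pdf\r\n", "STOR evil.exe\r\n",
        "PORT 10,0,0,9,200,10\r\n", "CWD ../../etc\r\n", "QUIT\r\n",
    ]
    for line, (what, payload) in relay_session(session):
        print(f"{line.strip():24s} {what:8s} {payload.strip()}")
```

A circuit-level gateway relaying the same session would pass every byte of it, because it never looks inside the TCP stream; the command-level refusal above is exactly the capability an application gateway buys at the price of knowing each protocol.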

  • Circuit-Level Gateways

    Basically a generic proxy server for TCP.
    Works like an application-level gateway, but at a lower level: it relays the connection without interpreting its contents.
    SOCKS is the most widely known circuit-level gateway.

  • Circuit-Level Gateways

    Advantages:
    No need for a separate proxy server for each application.
    Provides an option for applications for which no proxy server exists yet.
    Simpler to implement than application-specific proxy servers.
    Most open-source packages can easily be extended to use SOCKS.

  • Circuit-Level Gateways

    Disadvantages:
    No knowledge of higher-level protocols, so it cannot scan for active content or disallowed commands.
    Originally handled only TCP connections; SOCKS5 (RFC 1928) later added a UDP ASSOCIATE command for UDP relaying.
    Proprietary packages: the TCP/IP stack or application must be modified by the vendor to use a circuit-level gateway.
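To show what a circuit-level gateway actually sees, here is an added example (not from the slides and not any SOCKS implementation) of the SOCKS5 exchange from RFC 1928: the client's method greeting, the CONNECT and UDP ASSOCIATE requests, and the parser for the server's reply, built and decoded offline on byte strings. After the reply, everything the client sends is an opaque TCP payload to the gateway, which is precisely why it cannot filter commands the way the application gateway above does. Host names and ports in the usage are constructed.

```python
"""SOCKS5 (RFC 1928) client-side message encoding and reply parsing.

Added example, not from the CSCE 522 slides or any SOCKS library. Only the
wire format is implemented; no sockets are opened.
"""
import ipaddress
import struct

VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def greeting(methods=(NO_AUTH, USER_PASS)):
    """Client hello: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])


def parse_method_select(data):
    """Server's choice of authentication method: VER, METHOD."""
    ver, method = data[0], data[1]
    if ver != VER:
        raise ValueError("not a SOCKS5 server")
    if method == NO_ACCEPTABLE:
        raise ValueError("no acceptable authentication method")
    return method


def encode_addr(host, port):
    """ATYP + address + 2-byte big-endian port; host may be IPv4, IPv6 or a name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                          # not an IP literal: send as DOMAINNAME
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return addr + struct.pack("!H", port)


def request(cmd, host, port):
    """Client request: VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    return bytes([VER, cmd, 0x00]) + encode_addr(host, port)


def decode_addr(data, offset):
    """Inverse of encode_addr starting at offset; returns (host, port, next offset)."""
    atyp = data[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[offset:offset + 4]))
        offset += 4
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[offset:offset + 16]))
        offset += 16
    elif atyp == ATYP_DOMAIN:
        n = data[offset]
        offset += 1
        host = data[offset:offset + n].decode("idna")
        offset += n
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", data[offset:offset + 2])
    return host, port, offset + 2


def parse_reply(data):
    """Server reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (code, text, host, port)."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 reply")
    rep = data[1]
    host, port, end = decode_addr(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes in reply")
    return rep, REPLY_TEXT.get(rep, "unassigned"), host, port


if __name__ == "__main__":
    print("greeting      ", greeting().hex())
    print("CONNECT       ", request(CMD_CONNECT, "example.com", 443).hex())
    print("UDP ASSOCIATE ", request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0).hex())
    # Constructed server reply: success, bound to 192.168.1.1:8080.
    print("reply         ", parse_reply(bytes.fromhex("0500000 1c0a80101 1f90".replace(" ", ""))))
```

Reply code 2, "connection not allowed by ruleset", is where the gateway's access policy surfaces: the decision is made per destination address and port, never per command or payload.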

  • Home Users

    Home routers:
    Come with a built-in firewall, generally a simple packet filter.
    Can block all incoming connections on all ports if desired; ports are opened as needed.
    Example: to run an FTP server that outsiders can reach, allow incoming connections on port 21 (the FTP control channel). Merely downloading files from an outside server as a client needs no inbound port, provided the client uses passive mode so that the data connection is also opened from inside.

  • Windows Firewall

    Functionality:
    Helps block computer viruses and worms from reaching your computer.
    Asks for your permission to block or unblock certain connection requests.
    Allows you to create a record (a security log), if you want one, of successful and unsuccessful attempts to connect to your computer.

  • Windows Firewall

    What it does not do:
    Detect or disable computer viruses and worms that are already on your computer.
    Stop you from opening e-mail with dangerous attachments.
    Block spam or unsolicited e-mail from appearing in your inbox.

  • Third-Party Firewalls

    Ranging in price between free and $50 on average:
    ZoneAlarm Pro 5
    PC-Cillin 2004 Internet Security
    Norton Personal Firewall 2005
    McAfee Personal Firewall 6.0 (2005)

  • Firewall Evaluation

    Level of protection of the private network: prevented attacks, missed attacks, amount of damage to the network.
    How well the firewall itself is protected: possibility of compromise, detection of a compromise, effect of a compromise on the protected network.
    Ease of use.
    Efficiency, scalability, redundancy.
    Expense.

  • NEXT CLASS: INTRUSION DETECTION