CSCE 522
Firewalls
CSCE 522 - Farkas 2
Readings
Pfleeger: 7.4
Traffic Control – Firewall
– Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
– Single, narrow checkpoint placed between two or more networks, where security and audit can be imposed on traffic that passes through it
Firewall
– Security wall between the private (protected) network and the outside world
[Diagram: Private Network – Firewall – External Network]
Firewall Objectives
– Keep intruders, malicious code and unwanted traffic or information out
– Keep proprietary and sensitive information in
[Diagram: Private Network (proprietary data) – Firewall – External Network (external attacks)]
Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security relies entirely on host security, and all hosts must cooperate to achieve a high level of security – almost impossible
Common firewall features
– Routing information about the private network can't be observed from outside
– traceroute and ping can't "see" internal hosts
– Users wishing to log on to an internal host must first log onto a firewall machine
Trade-Off between Accessibility and Security
[Figure: a scale running from Accessibility to Security; the service access policy fixes the site's position on it]
Firewall Advantages
– Protection for vulnerable services
– Controlled access to site systems
– Concentrated security
– Enhanced privacy
– Logging and statistics on network use and misuse
– Policy enforcement
Controlled Access
– A site could prevent outside access to its hosts except for special cases (e.g., mail server)
– Do not give access to a host that does not require access
– Some hosts can be reached from outside, some cannot
– Some hosts can reach outside, some cannot
Concentrated Security
– A firewall is less expensive than securing all hosts
– All or most modified software and additional security software is on the firewall only (no need to distribute it to many hosts)
– Other network security mechanisms (e.g., Kerberos) involve modification at each host system
Enhanced Privacy
– Even innocuous information may contain clues that can be used by attackers
– E.g., finger: information about the last login time, when e-mail was read, etc.
– Infer: how often the system is used, who the active users are, whether the system can be attacked without drawing attention
Logging and Statistics on Network Use, Misuse
– If all access to and from the Internet passes through the firewall, the firewall can, in principle, log accesses and provide statistics about system usage
– Alarms can be added to indicate suspicious activity, probes and attacks – double duty as an IDS on smaller networks
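The alarm the slide mentions can be as simple as counting, per source address, how many distinct destination ports the firewall denied within a short window. The following is an added example in Python, not material from the lecture; the log format, addresses and thresholds are constructed for illustration and do not correspond to any vendor's format.

```python
"""Probe/port-scan alarm over firewall deny logs.

Added example (not from the lecture slides): a firewall that sees all traffic
can log denied connection attempts; this groups those log lines by source
address and raises an alarm when one source is denied on many distinct
destination ports within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample of a syslog-style deny log (invented format, not a real device's).
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:22
2024-03-01T10:00:01 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:23
2024-03-01T10:00:02 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:25
2024-03-01T10:00:02 DENY TCP 203.0.113.7:40004 -> 192.0.2.10:80
2024-03-01T10:00:03 DENY TCP 203.0.113.7:40005 -> 192.0.2.10:443
2024-03-01T10:00:03 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:3389
2024-03-01T10:00:09 DENY TCP 198.51.100.4:51000 -> 192.0.2.10:445
2024-03-01T10:05:00 DENY UDP 198.51.100.4:51001 -> 192.0.2.10:161
2024-03-01T10:00:20 ALLOW TCP 192.0.2.10:50000 -> 198.51.100.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(log_text, window=timedelta(seconds=10), min_ports=5):
    """Return {source_ip: sorted distinct ports} for every source that was denied on
    at least `min_ports` distinct destination ports within `window`.
    Only DENY lines count: an allowed connection is not a probe."""
    denies = defaultdict(list)  # src -> list of (timestamp, destination port)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            denies[rec["src"]].append((rec["ts"], rec["dport"]))

    alarms = {}
    for src, events in denies.items():
        events.sort()
        # Sliding window: starting at each event, count distinct ports seen within `window`.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alarms[src] = sorted(ports)
                break
    return alarms


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"ALARM: {src} probed ports {ports}")
```

The second source in the sample touches two ports five minutes apart and stays below the threshold, which is the kind of tuning (window and port count) a firewall doing IDS double duty needs.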
Policy Enforcement
– Means for implementing and enforcing a network access policy
– Access control for users and services
– Can't replace a good education/awareness program, however: knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall
Firewall Disadvantages
– Restricted access to desirable services
– Large potential for back doors
– No protection from insider attacks
– No protection against data-driven attacks
– Cannot protect against newly discovered attacks – policy/situation dependent
– Large learning curve
Restricted Access to Desirable Services
– May block services that users want, e.g., telnet, ftp, X Windows, NFS, etc.
– Need a well-balanced security policy
– Similar problems would occur with host access control
– Network topology may not fit the firewall design, e.g., using insecure services across major gateways
– Need to investigate other solutions (e.g., Kerberos)
Back Doors
– Firewalls DO NOT protect against back doors into the site
– E.g., if unrestricted modem (dial-in) access is still permitted into a site, the attacker can go around the firewall
– Legacy network topology in large networks
Little Protection from Insider Attacks
– Generally does not provide protection from insider threats
– Sneaker net: an insider may copy data onto tape or print it and take it out of the facility
Data-Driven Attacks
– Viruses: users downloading virus-infected personal computer programs
– Executable content: Java applets, ActiveX controls, JavaScript, VBScript
– End-to-end encryption: the firewall cannot inspect content it cannot decrypt
– Tunneling/encapsulation: a disallowed protocol carried inside an allowed one
Other Issues
– Throughput: potential bottleneck (all connections must pass through the firewall)
– Single point of failure: concentrates security in one spot, so a compromised firewall is a disaster
– Complexity: feature bloat
– Some services do not work well with firewalls
– Lack of standard performance measurements or techniques
Firewall Components
– Firewall administrator
– Firewall policy
– Packet filters: transparent, do not change traffic, only pass or drop it
– Proxies: active, intercept traffic and act as an intermediary
Firewall Administrator
– Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
– Knowledge of the workings of applications that run over the lower-level protocols
– Knowledge of the interaction between the firewall implementation and traffic
– Vendor-specific knowledge
Firewall Policy
– High-level policy: service access policy
– Low-level policy: firewall design policy
– Firewall policy should be flexible!
Service Access Policy
– Part of the network security policy
– Goal: keep outsiders out
– Must be realistic and reflect the required security level
– Full security vs. full accessibility
Firewall Design Policy
Refinement of the service access policy for a specific firewall configuration
Defines:
– How the firewall achieves the service access policy
– Unique to a firewall configuration
– Difficult!
Firewall Design Policy
Approaches:
– Open system: permit any service unless explicitly denied (maximal accessibility)
– Closed system: deny any service unless explicitly permitted (maximal security)
Simple Packet Filters
– Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded
– Header information is used for filtering (e.g., protocol number, source and destination IP addresses, source and destination port numbers, etc.)
– Stateless: each IP packet is examined in isolation from what has happened in the past
– Often implemented by a router (screening router)
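Added example, not part of the lecture: a stateless filter in Python that applies an ordered rule list and then a default policy, so the open and closed design-policy approaches can be compared on one rule set. The network ranges, rules, hosts and packets are made up for the illustration.

```python
"""Stateless packet filter with a configurable default policy.

Added example, not code from the slides. Each packet is judged on its own
header fields (protocol, source and destination address, destination port)
against an ordered rule list; the first matching rule wins and the default
policy decides any packet no rule matches. default="deny" is the closed
system (deny unless explicitly permitted), default="allow" the open system
(permit unless explicitly denied). Network ranges and rules are made up.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 when the protocol has no ports (ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR prefix
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


class StatelessFilter:
    """No memory between packets: decide() looks only at the packet in hand."""

    def __init__(self, rules, default):
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be 'allow' or 'deny'")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:          # first match wins, so order matters
            if rule.matches(pkt):
                return rule.action
        return self.default


INTERNAL = "10.0.0.0/8"          # assumed private network
MAIL_SERVER = "10.0.0.25/32"     # the one host outsiders may reach

# Screening-router rules for a site like the one on the "Controlled Access" slide.
RULES = [
    Rule("allow", proto="tcp", dst=MAIL_SERVER, dport=25),   # mail from anywhere to the mail server
    Rule("allow", src=INTERNAL),                             # internal hosts may initiate outward
    Rule("deny", proto="tcp", dst=INTERNAL, dport=23),       # telnet in is refused even under an open policy
]

closed_system = StatelessFilter(RULES, default="deny")    # maximal security
open_system = StatelessFilter(RULES, default="allow")     # maximal accessibility

# Constructed packets.
MAIL_IN = Packet("tcp", "198.51.100.4", "10.0.0.25", 43210, 25)
TELNET_IN = Packet("tcp", "198.51.100.4", "10.0.0.7", 43211, 23)
SSH_IN = Packet("tcp", "198.51.100.4", "10.0.0.7", 43212, 22)        # nobody wrote a rule for SSH
HTTPS_OUT = Packet("tcp", "10.0.0.7", "198.51.100.9", 50000, 443)
HTTPS_REPLY = Packet("tcp", "198.51.100.9", "10.0.0.7", 443, 50000)  # the server's answer


def compare(pkt: Packet) -> dict:
    """Decision of both policies for one packet, e.g. {'closed': 'deny', 'open': 'allow'}."""
    return {"closed": closed_system.decide(pkt), "open": open_system.decide(pkt)}


if __name__ == "__main__":
    for name, pkt in [("mail in", MAIL_IN), ("telnet in", TELNET_IN), ("ssh in", SSH_IN),
                      ("https out", HTTPS_OUT), ("https reply", HTTPS_REPLY)]:
        print(f"{name:12} {compare(pkt)}")
```

The SSH packet shows the two design policies differing on a service nobody wrote a rule for. The HTTPS reply shows the stateless limitation: the closed policy drops the answer to a connection it allowed out, because nothing in the reply's own header tells a stateless filter that it answers an earlier packet. The only stateless workaround is a broad rule admitting inbound traffic to high ports, which is the weakness stateful inspection removes.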
Simple Packet Filter
– Placing a simple router (or similar hardware) between the internal network and the "outside"
– Allow/prohibit packets from certain services
[Diagram: Private Network – Packet Filter (packet-level rules) – Outside]
Simple Packet Filters
Advantages:
– Does not change the traffic flow or its characteristics: passes a packet through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on the current rules
Simple Packet Filters
Disadvantages:
– Allows direct communication between outside hosts and hosts on the internal network
– Unsophisticated (protects against simple attacks only)
– Calibrating the rule set may be tricky
– Limited auditing
– Single point of failure
Stateful Packet Filters
– Called stateful inspection or dynamic packet filtering
– Check Point patented this technology in 1997
– Maintains a history of previously seen packets to make better decisions about current and future packets
– Check out: Check Point, Stateful Inspection Technology, http://www.checkpoint.com/products/downloads/Stateful_Inspection.pdf
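Added example, not code from the lecture or from Check Point: a minimal TCP connection tracker in Python placed beside the stateless "ACK set" rule it replaces, fed the same constructed segments. The addresses, ports and segments are made up; real implementations also check sequence numbers and expire idle entries, which is omitted here.

```python
"""Stateful inspection of TCP compared with a stateless "established" rule.

Added example, not code from the slides or from Check Point's product. A
stateless screening router can let replies to outbound connections back in
only with a blanket rule such as "allow inbound TCP with ACK set to ports
above 1023", and that rule also admits forged ACK segments aimed at any
internal high port. The stateful filter records each connection opened from
the inside and admits an inbound segment only if its addresses and ports
match a recorded connection. Addresses, ports and segments are constructed;
sequence-number checking and entry timeouts are left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


INTERNAL_NET = "10."          # assumed private network 10.0.0.0/8


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_decide(seg: TcpSegment) -> str:
    """Stateless policy: inside may initiate anything; inbound is admitted only
    if it looks like a reply (ACK set, destination port > 1023)."""
    if is_internal(seg.src):
        return "allow"
    looks_like_reply = seg.ack and seg.dport > 1023
    return "allow" if looks_like_reply else "deny"


class StatefulFilter:
    """Connection table keyed by (client, cport, server, sport) for connections
    initiated from the inside; inbound segments must match a table entry."""

    def __init__(self):
        self.table = {}

    def decide(self, seg: TcpSegment) -> str:
        if is_internal(seg.src):
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.syn and not seg.ack:
                self.table[key] = "SYN_SENT"          # new outbound connection
                return "allow"
            if key not in self.table:
                return "deny"                         # not part of any known connection
            if seg.rst:
                del self.table[key]
            return "allow"
        key = (seg.dst, seg.dport, seg.src, seg.sport)    # look up the reverse direction
        state = self.table.get(key)
        if state is None:
            return "deny"                             # unsolicited, however its flags look
        if state == "SYN_SENT" and seg.syn and seg.ack:
            self.table[key] = "ESTABLISHED"
        if seg.rst:
            del self.table[key]
        return "allow"


def run_scenario():
    """Feed the same constructed segments to both filters; return the decisions
    as a list of (label, stateless decision, stateful decision)."""
    stateful = StatefulFilter()
    client, server, attacker = "10.0.0.7", "198.51.100.9", "203.0.113.7"
    segments = [
        ("client SYN",      TcpSegment(client, 50000, server, 443, syn=True)),
        ("server SYN/ACK",  TcpSegment(server, 443, client, 50000, syn=True, ack=True)),
        ("client ACK",      TcpSegment(client, 50000, server, 443, ack=True)),
        ("forged ACK",      TcpSegment(attacker, 443, client, 50001, ack=True)),   # no such connection
        ("server RST",      TcpSegment(server, 443, client, 50000, rst=True, ack=True)),
        ("late server ACK", TcpSegment(server, 443, client, 50000, ack=True)),     # connection is gone
    ]
    return [(label, stateless_decide(seg), stateful.decide(seg)) for label, seg in segments]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:16} stateless={stateless:5} stateful={stateful}")
```

The stateless rule admits every segment that carries an ACK flag, including the forged one and the one arriving after the server has reset the connection; the tracker admits only segments that belong to a connection it saw opened from the inside.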
Proxy Firewalls
[Figure: as the user sees it, a bastion host sits between the private network and the outside; in reality a proxy server on the bastion host terminates the connection and opens its own connection to the other side]
Proxy Firewalls
– Application gateways: work at the application layer, so they must understand and implement the application protocol; called application-level gateway or proxy server
– Circuit-level gateways: work at the transport layer, e.g., SOCKS
Application Gateways
– Interconnects one network to another for a specific application
– Understands and implements the application protocol
– Good for higher-level restrictions
[Diagram: Client – Application Gateway – Server]
Application Gateways
Advantages (compared to permitting application traffic directly to internal hosts):
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
– Cost effective: third-party software and hardware for authentication and logging are needed only on the gateway
– Less complex filtering rules for packet-filtering routers: they need only check that the destination is the gateway
– Most secure
Application Gateways
Disadvantages:
– Keeping up with new applications
– Need to know all aspects of the protocols
– May need to modify application clients/protocols
Circuit-Level Gateways
– Basically a generic proxy server for TCP
– Works like an application-level gateway, but at a lower level
– SOCKS: the most widely known circuit-level gateway
Circuit-Level Gateways
Advantages:
– Don't need a separate proxy server for each application
– Provides an option for applications for which proxy servers don't yet exist
– Simpler to implement than application-specific proxy servers
– Most open-source packages can be easily extended to use SOCKS
Circuit-Level Gateways
Disadvantages:
– No knowledge of higher-level protocols: can't scan for active content or disallowed commands
– Originally handled only TCP connections (SOCKS version 5, RFC 1928, added UDP relaying)
– Proprietary packages: clients or TCP/IP stacks must be modified by the vendor to use circuit-level gateways
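Added example, not from the lecture, SOCKS or any real proxy: the same FTP control-channel bytes passed through a circuit-level relay and through an application gateway, in Python. The command names come from RFC 959; the allow-list, reply codes chosen for refusals and the sample session are made up.

```python
"""Application-level gateway vs circuit-level relay on the same byte stream.

Added example, not from the slides, SOCKS or any real proxy. Both functions
receive the bytes a client sends through the gateway and return what is
forwarded to the server. The circuit-level relay copies bytes without
understanding them; the FTP application gateway parses the command stream and
forwards only commands its policy allows. Command names are from RFC 959; the
policy and the sample session are constructed.
"""

# Commands a read-only FTP policy permits. STOR (upload), DELE (delete) and SITE
# (server-specific extensions) are absent, so the gateway refuses them: this is
# "limiting capabilities within an application".
ALLOWED_FTP_COMMANDS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}

# Constructed client session (CRLF line framing as RFC 959 specifies).
SAMPLE_SESSION = (
    b"USER anon\r\n"
    b"PASS guest\r\n"
    b"PWD\r\n"
    b"RETR report.pdf\r\n"
    b"dele report.pdf\r\n"      # lower case: the parser must normalise before matching
    b"STOR payload.exe\r\n"
    b"QUIT\r\n"
)


def circuit_relay(client_bytes: bytes):
    """Circuit-level gateway: relays the TCP byte stream unchanged. It can decide
    whether the circuit may exist at all, but not what travels over it."""
    return client_bytes, []


def ftp_application_gateway(client_bytes: bytes):
    """Application gateway for an FTP control connection.

    Returns (forwarded_bytes, refusals): the commands passed on to the server,
    and the reply lines sent back to the client for commands the policy refuses.
    Reply codes 500 and 502 are standard RFC 959 codes; their use here is the
    example's own choice."""
    forwarded = []
    refusals = []
    for line in client_bytes.split(b"\r\n"):
        if not line:
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            refusals.append(b"500 Syntax error, command unrecognized.\r\n")
            continue
        command = text.split(" ", 1)[0].upper()
        if command in ALLOWED_FTP_COMMANDS:
            forwarded.append(line + b"\r\n")
        else:
            refusals.append(b"502 Command not implemented.\r\n")
    return b"".join(forwarded), refusals


if __name__ == "__main__":
    relayed, _ = circuit_relay(SAMPLE_SESSION)
    print("circuit-level relay forwards:", relayed)
    forwarded, refused = ftp_application_gateway(SAMPLE_SESSION)
    print("application gateway forwards:", forwarded)
    print("application gateway refused", len(refused), "commands")
```

Only the control connection is shown; a real FTP gateway must also broker the data connection that PASV or PORT sets up, which is the "need to know all aspects of the protocol" cost listed among the application-gateway disadvantages. The relay has no such cost, and correspondingly no say over DELE or STOR.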
Home Users
– Home routers come with a built-in firewall, generally a simple packet filter
– Can block all incoming connections on all ports if desired; open connections as needed
– Example: to let outsiders download files from an FTP server you run at home, allow incoming connections on port 21 (the FTP control port); downloading from an outside FTP server as a client needs no inbound port 21 rule, only that the replies (and, in active mode, the server's data connection from port 20) are let back in
Windows Firewall
Functionality:
– Helps block computer viruses and worms from reaching your computer
– Asks for your permission to block or unblock certain connection requests
– Allows you to create a record (a security log), if you want one, of successful and unsuccessful attempts to connect to your computer
What it does not support:
– Detecting or disabling computer viruses and worms if they are already on your computer
– Stopping you from opening e-mail with dangerous attachments
– Blocking spam or unsolicited e-mail from appearing in your inbox
Third-Party Firewalls
– Ranging in price between free and $50 on average
– ZoneAlarm Pro 5
– PC-cillin 2004 Internet Security
– Norton Personal Firewall 2005
– McAfee Personal Firewall 6.0 2005
Firewall Evaluation
– Level of protection on the private network: prevented attacks, missed attacks, amount of damage to the network
– How well the firewall itself is protected: possibility of compromise, detection of the compromise, effect of a compromise on the protected network
– Ease of use
– Efficiency, scalability, redundancy
– Expense
NEXT CLASS:
INTRUSION DETECTION