PROTECTION/PREVENTION I
FIREWALLS
Lecture 4
Quick Review
• The security process
  - Assessment, protection/prevention, detection and response
• The security attack process
  - Reconnaissance, exploitation, reinforcement, consolidation and pillage
• Security issues in networking protocols
• Specific attacks
  - Denial of service, sequence number guessing…
Next Step
• Consider protection and prevention mechanisms
  - Try to address the direct agents of security attacks
• How do attacks succeed?
  - Oscar gets information (reconnaissance)
  - Oscar exploits vulnerabilities
    - Common weaknesses in design and bugs in software services
• Protection and prevention
  - Stop (or block) packets that are sent with the purpose of reconnaissance or exploitation
  - Authenticate and encrypt communications to prevent Oscar from obtaining information or being able to communicate
Firewalls
• Protect buildings that were susceptible to fire
  - People built thick walls made of brick between such buildings
  - If a building caught fire, the thick wall would prevent it from spreading to surrounding buildings
  - Damage would be minimized
• The “Internet Firewall” prevents security attacks from spreading into the intranet or private network of an organization
What is a Firewall?
• A network-level access control mechanism
• In broad terms, a firewall is all of the following
  - A collection of hardware and software PLUS a security policy
  - Something placed between a corporate intranet and the Internet
  - Seeks to prevent unauthorized and unwanted communications into or out of the corporate intranet
  - Allows the organization to implement and enforce its own traffic flow policy between the Internet and the intranet
• Today it means many things
  - Ranges from a simple packet filter to a complex intrusion prevention system
What is a Firewall? (2)
• Establishes a controlled link between the insecure public network and the secure private network
• Erects a security wall or perimeter around the network
• These days you have “host firewalls” that prevent a host machine from picking up some types of packets
  - The idea of a “perimeter” is not completely valid these days

[Figure: the firewall sits between the public network (“Outside”) and the private network (“Inside”)]
Design Goals
• All traffic from inside the private network to outside and vice versa MUST pass through the firewall
• Only authorized traffic defined by a local “security policy” will be allowed to pass
• The firewall is as tamperproof as possible
  - Fewer bugs, vulnerabilities, and security loopholes
  - Host security does not scale well
    - Multiple operating systems
    - Complex access controls
    - Vulnerabilities in new software
    - Difficult to audit
  - The firewall runs less software than most hosts and is much more controlled
Advantages and Disadvantages
• Advantages
  - There is only one host/machine/device to be protected: the firewall
  - Simplifies security management
    - Possible to implement advanced logging and monitoring
  - Can create a VPN using IPSec to other hosts
  - Enables segmentation and isolation of problems
  - Hides the IP addresses of client stations in an internal network by presenting one IP address to the outside world
• Disadvantages
  - Bottleneck
  - Single point of failure
  - False aura of confidence
Services provided by a firewall
• Service control
  - Determines the types of services that can be allowed inbound or outbound
• Direction control
  - Determines the direction in which a service may be initiated and allowed to flow
• User control
  - Determines access to a service depending on which user is attempting to access it (both inbound and outbound)
• Behavior control
  - Controls how some services are employed
  - Example: DNS, filtering e-mail, etc.
Protection with Firewalls
• Protects against
  - Information theft (reconnaissance)
    - Example: Prevents requests to and responses from services within the private network from reaching the outside
  - Information sabotage (exploitation/pillage)
    - Example: Prevents uploading derogatory content onto a company’s web page or changing an employee’s medical records
  - Denial of service (pillage)
    - Example: Prevents common DoS attacks like Smurf on internal hosts
Additional features in firewalls
• Demilitarized zone firewalls (DMZ firewalls)
  - A region of the network is protected, but accessible to outsiders
  - The rest of the network is NOT accessible
• Content filtering
  - Ensure that employees do not access particular content like stock quotes ☺
  - Can define categories of unwelcome material
  - Can block certain web sites
• Anti-virus protection
  - Can assist with virus detection
• Virtual Private Networks (VPNs)
Limitations of Firewalls
• Cannot protect against
  - Attacks that bypass it
    - Physical removal of files
    - Dial-up modems from hosts on the intranet
  - Internal threats and insider attacks
    - Malicious employees
  - Viruses in general
    - Viruses may come into the network in several ways
• Firewalls are not foolproof
  - They will allow what you permit them to allow
  - Human errors can lead to a security breach
Firewall Topics
• Types of firewalls
  - Packet filters, stateful firewalls, proxy firewalls
  - Performance vs. security tradeoffs
• Firewall policies
  - Implementation and pitfalls
• Firewall architectures
  - Where do you place firewalls?
  - What functions will they perform?
  - How do you isolate different segments of your private network?
OPERATION OF PACKET FILTERS AND GATEWAYS
Types of Firewalls

Types of Firewalls – based on functionality
• Packet filters
  - Static packet filters
  - Dynamic or stateful packet filters
• Proxy firewalls
  - Circuit-level gateways
  - Application-level gateways
Packet Filters vs. Proxies
• Packet filters examine packets entering a network one at a time
  - Examination of packets involves rules set by an administrator
  - Packets can be blocked to certain hosts or services (IP addresses and ports)
  - Packets can be blocked if they correspond to certain protocols
• Proxies
  - Reproduce application-layer functionality
  - Isolate the protected network from the rest of the world
  - Packets are not examined one by one but are completely decoded
  - Examination after decoding reveals whether it is a valid request
Types of Firewalls – based on device types
• Routers
  - Most routers can be configured to act as packet filters
  - Simple and fast, but usually not very secure
• Multi-homed hosts
  - Run a software application on top of an OS
  - Slower, but more secure
• Single host
  - Most new OSs come with a built-in software firewall to protect a single host
• Appliances
  - Hardware, software and firmware particularly optimized for firewall functionality
Some Remarks – I
• The “type” of firewall depends on how high in the protocol stack a “packet” is examined
  - The higher the layer of examination, the worse the performance
    - Requires more processing and slows down packet flow
  - The higher the layer of examination, the more secure the network is
    - Obtains more information about what a packet is trying to do before allowing it or dropping it
  - Improvements in technology have reduced the degradation in performance, but it is still a factor

[Figure: protocol stack, bottom to top: PHY, LINK, NETWORK, TCP/UDP, APP]
Some Remarks – II
• Classification of firewalls is a useful exercise, but actual products may do many things
  - Most firewalls have overlapping functions
    - May do some static and some dynamic filtering
    - May also look at the payload of certain applications but may or may not act as a proxy
  - They may have both software and hardware components
  - Policies of firewalls can also fall into overlapping categories
Static Packet or Screening Filters
• A type of firewall that blocks or allows a packet based on IP addresses or port numbers
  - Stateless
  - Operates on IP packets individually at the network layer
  - Oldest type of firewall
• Whether a packet is allowed or not depends on
  - A set of rules encoded in the software running the packet filter
• Parses the IP header and TCP/UDP segment header and checks for
  - Protocol numbers, source and destination IP addresses, TCP port numbers, TCP connection flags, ICMP, etc.
• Compares the information with the rules in sequential order till the packet matches a particular rule
  - If no rule matches the packet, a default action is taken
Operation of Static Packet Filters
• When you filter packets, what is outside and what is inside can get fuzzy depending on the interface
• Need to exercise great care in setting rules, as we will see next

[Figure: a packet from “outside” is examined at the NETWORK and TCP/UDP layers (stack: PHY, LINK, NETWORK, TCP/UDP) before being allowed “inside”]
In and Out…
• Packets coming “in” to one interface may be going “out” of another interface
• Many access control lists are based on filtering packets coming “in” or going “out” of an interface
• Best to filter packets as they come in to avoid additional processing

[Figure: a filter with two interfaces, i1 facing the public “Outside” and i2 facing the private “Inside”; each interface has an “in” and an “out” direction]
Packet Filtering – Cisco IOS
• Cisco routers maintain what is called an access control list (ACL)
  - To configure a Cisco ACL, you have a command that looks like this
      > access-list <number> <criteria>
  - The number is a label for the type of protocol (IP, IPX, etc.)
  - Can also use a named ACL that has the syntax
      > ip access-list <type> <name>
      > permit | deny <criteria>
  - Can add logging of packets that are rejected
• There are many types – standard, extended and reflexive ACLs
  - A standard ACL blocks only source addresses, for example
    - Faster at the packet filter device
  - An extended ACL looks at port numbers and destination addresses
IPchains and IPtables
• Popular on Linux
  - IPchains is deprecated, being replaced by IPtables
• IPchains also maintains a list of what is allowed and what is not
      > ipchains -A input -i <interface> -p <protocol> -s <source IP address> -d <destination IP address> -l -j DENY/ACCEPT
  - The parameter -l says that the information must be logged
  - The parameter -A says that this rule must be appended at the end of the current list
Rules for Packet Filtering
• Default:
  - Discard: Prohibit any packet that is not allowed
    - Also called the “security-first” policy
  - Forward: Allow any packet that is not forbidden
    - Also called the “ease-of-use-first” policy
• Example:
  - Default discard policy
  - * is a match for anything

  Action  Ourhost      Port  Theirhost  Port  Comments
  Block   *            *     Dracula    *     Don’t trust ’em
  Allow   Our-Gateway  25    *          *     Connection to SMTP port

• What does this rule set do?
  - First it checks to see if the packet is from/to Dracula
    - If it is, it is dropped
  - Next it sees if some host other than Dracula has sent a packet to port 25 of the gateway
    - If yes, it is allowed; otherwise it is dropped
  - There is no directionality in this rule set
Example Continued
• Consider the policy: Any internal host can send e-mail to outside
• The rule for this may look like this

  Action  Ourhost  Port  Theirhost  Port  Comments
  Allow   *        *     *          25    Allow to connect to any SMTP port

• What are potential problems with this rule?
  - We cannot control the outside hosts; they may be running some malicious service on port 25
  - An outside host may connect to the internal host using port 25, which is allowed!
  - The better option is to allow outgoing calls to port 25, not all calls
• Most packet filters now support source and destination separately and allow different rules at different interfaces and in different directions
Source Address Filtering
• There are some common terms used to indicate packet filtering by source address
• Friendly net
  - Allow some IP addresses that are from known networks
  - Not advisable to use this approach - why?
• Ingress filtering
  - Refers to filtering at the interface that allows packets from outside to come into the internal network
• Egress filtering
  - Refers to filtering at the interface that accepts packets leaving the internal network
  - Block addresses that do not belong to the internal network (why?)
  - Block addresses that are NOT supposed to connect to the Internet
• Log all rejected packets - why?
Some Common Rules - I: Filtering by source address
• Deny entry to IP packets with certain source addresses
  - What addresses can we deny without fear of blocking legitimate traffic?
    - RFC 1918 addresses - block addresses such as 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
    - Loopback address 127.0.0.1, multicast addresses 224.0.0.0 - 239.255.255.255
    - Internal addresses
    - Perhaps addresses originating from certain domains (.in, .ru, .cn)
• Deny exit from the network to IP addresses that are supposed to be used internally
• Temporarily or otherwise block certain IP source addresses
  - You can identify some IP addresses that are launching DoS attacks
  - There are some IRC servers that you don’t want your users to connect to
  - A domain like login.oscar.aol.com
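The ingress and egress source-address rules on the last two slides, worked as an added example (this is not code from the lecture). It uses Python's standard ipaddress module. The internal prefix 136.142.117.0/24 is borrowed from the rule-set example later in the lecture; the NO_INTERNET host list and the sample source addresses are constructed for illustration. Every rejection is appended to a log, which is the answer to the slide's "log all rejected packets - why?": the log is what later shows you spoofing attempts and misconfigured internal hosts.

```python
import ipaddress
from typing import List, Tuple

# Internal network: reused from the lecture's rule-set example (an assumption here).
INTERNAL_NET = ipaddress.ip_network("136.142.117.0/24")

# Source ranges that can never legitimately arrive from the public side:
# RFC 1918 private space, loopback, and multicast (224.0.0.0 - 239.255.255.255).
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),
]

# Internal hosts that are not supposed to talk to the Internet at all (constructed list).
NO_INTERNET = {ipaddress.ip_address("136.142.117.50")}

# Rejections are recorded so spoofing and misconfiguration can be investigated afterwards.
reject_log: List[str] = []


def _reject(direction: str, src: str, reason: str) -> str:
    reject_log.append(f"{direction} deny src={src}: {reason}")
    return "deny"


def ingress_decision(src: str) -> str:
    """Source-address check on the interface where packets enter from outside."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_NETS:
        if addr in net:
            return _reject("ingress", src, f"reserved range {net}")
    if addr in INTERNAL_NET:
        # Our own prefix showing up on the outside interface can only be spoofed.
        return _reject("ingress", src, "internal address arriving from outside")
    return "permit"


def egress_decision(src: str) -> str:
    """Source-address check on the interface where packets leave the internal network."""
    addr = ipaddress.ip_address(src)
    if addr not in INTERNAL_NET:
        # A spoofing host inside, or a routing/NAT mistake; neither should reach the Internet.
        return _reject("egress", src, "not an internal address")
    if addr in NO_INTERNET:
        return _reject("egress", src, "host is not permitted to reach the Internet")
    return "permit"


def run_samples() -> List[Tuple[str, str, str]]:
    """Apply both checks to constructed sample sources; returns (direction, src, decision)."""
    inbound = ["130.215.17.13", "10.1.2.3", "192.168.5.9", "127.0.0.1", "239.1.1.1", "136.142.117.5"]
    outbound = ["136.142.117.5", "136.142.117.50", "10.1.2.3"]
    results = [("ingress", s, ingress_decision(s)) for s in inbound]
    results += [("egress", s, egress_decision(s)) for s in outbound]
    return results


if __name__ == "__main__":
    for direction, src, decision in run_samples():
        print(f"{direction:7} {src:16} {decision}")
    print("\n".join(reject_log))
```

Note that these are source-address rules only; a packet that passes ingress_decision still has to pass whatever port and destination rules follow it in the list.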
Port Number and Destination Address Filtering
• Allows access for
  - Specific “channels” between networks
  - Specific public services like DNS or web
  - Specific packet types like ICMP MTU violations
• Can filter packets based on port numbers, flags in headers, specific protocol types
  - Additional granularity
  - Slows the filtering process compared to “source address only” filtering
Some Common Rules - II: Filtering by destination address and ports
• Friendly net
  - It is possible to tighten up the friendly net rule by specifying certain port numbers and destination hosts only
  - Example: Allow host 130.215.17.13 to access 136.142.117.13 if it has a port number larger than 1023 and it is connecting to port number 80 only
  - Still not recommended without authentication and architectural separation
• Allowing and disallowing certain types of traffic
  - You can block certain types of traffic leaving your network like IRC, instant messaging, Kazaa or ICMP
  - Example: Block ICMP echo requests from any host to any host
  - Is this a good idea? Where should an alternative be placed?
Example of Rule Set
• Identify the protocol and what the rule may mean
• Assume it is applied at the interface of a filter that accepts incoming packets to the network 136.142.117.y/24

  Rule  Protocol  Source Address    Destination Address  SRC-Port  DEST-Port  Action
  1     TCP       130.215.17.0/24   136.142.117.221      > 1023    22         Allow
  2     TCP       Any               136.142.117.13       > 1023    80         Allow
  3     TCP       136.142.117.0/24  Any                  Any       Any        Block
  4     UDP       Any               136.142.117.13       > 1023    53         Allow
  5     UDP       Any               136.142.117.14       > 1023    53         Allow
  6     Any       Any               Any                  Any       Any        Block
Packet Filtering Rule Set - Rules of Thumb
• Unless all parts of the rule are matched, the packet is moved down the list of rules
  - Complete match test
• Better to allow the stuff you need and deny the rest than to specifically deny the stuff you suspect
• Specific rules must precede general rules
  - Otherwise packets may be admitted or denied by a general rule before they are tested against a specific rule
  - Example: In the previous rule set, rule 6 cannot be placed prior to any other rule
    - What happens if it is placed first in the list?
• Adding rules in an ad hoc manner can result in catastrophes
  - Great care must be exercised to ensure that rules do what they are supposed to do
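A first-match evaluator for the rule set on the previous slide, written here as an added example (not part of the lecture) to make the rules of thumb concrete: the complete-match test, default discard when no rule matches, and what happens when rule 6 is moved to the front. The sample packets and their source addresses are constructed; the rules and the addresses in them are the slide's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The "> 1023" column is a predicate on the port, so ports are matched by callables.
PortMatch = Callable[[int], bool]


def any_port(_: int) -> bool:
    return True


def port_eq(n: int) -> PortMatch:
    return lambda p: p == n


def port_gt(n: int) -> PortMatch:
    return lambda p: p > n


def net(cidr: Optional[str]):
    """'Any' on the slide becomes None; a bare host address becomes a /32."""
    return ipaddress.ip_network(cidr) if cidr else None


@dataclass(frozen=True)
class Rule:
    number: int
    proto: Optional[str]   # "TCP", "UDP", or None for Any
    src: object            # ip_network, or None for Any
    dst: object
    sport: PortMatch
    dport: PortMatch
    action: str            # "Allow" or "Block"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Complete-match test: every field must match, otherwise the packet moves on."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.sport(pkt.sport) and rule.dport(pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential first match; if nothing matches, the default-discard policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "Block", None


# The rule set from the slide, applied to packets arriving for 136.142.117.0/24.
RULESET = [
    Rule(1, "TCP", net("130.215.17.0/24"), net("136.142.117.221"), port_gt(1023), port_eq(22), "Allow"),
    Rule(2, "TCP", None, net("136.142.117.13"), port_gt(1023), port_eq(80), "Allow"),
    Rule(3, "TCP", net("136.142.117.0/24"), None, any_port, any_port, "Block"),
    Rule(4, "UDP", None, net("136.142.117.13"), port_gt(1023), port_eq(53), "Allow"),
    Rule(5, "UDP", None, net("136.142.117.14"), port_gt(1023), port_eq(53), "Allow"),
    Rule(6, None, None, None, any_port, any_port, "Block"),
]

# Constructed sample packets: SSH from the friendly net, web and DNS from anywhere,
# a DNS query with a low source port, and an ICMP packet (ports recorded as 0).
SAMPLES = [
    Packet("TCP", "130.215.17.13", "136.142.117.221", 40000, 22),
    Packet("TCP", "8.8.4.4", "136.142.117.13", 51000, 80),
    Packet("UDP", "8.8.4.4", "136.142.117.14", 1024, 53),
    Packet("UDP", "8.8.4.4", "136.142.117.13", 53, 53),
    Packet("ICMP", "8.8.4.4", "136.142.117.13", 0, 0),
]


def rule6_first_shadows_everything() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Answer to the slide's question: with rule 6 moved to the front, the SSH packet
    that rule 1 should admit is blocked before rule 1 is ever consulted."""
    pkt = SAMPLES[0]
    reordered = [RULESET[-1]] + RULESET[:-1]
    return evaluate(RULESET, pkt), evaluate(reordered, pkt)


if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(RULESET, pkt))
    print("rule 6 first:", rule6_first_shadows_everything())
```

The same ordering lesson shows up inside the slide's own set: rule 3 (block TCP arriving with an internal source, i.e. spoofed addresses) sits after rule 2, so a packet claiming to come from 136.142.117.5 to port 80 of 136.142.117.13 is admitted by rule 2 and rule 3 never sees it. Moving the anti-spoofing rule ahead of the allow rules fixes that.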
Services to Filter
• Common protocols
  - Web
    - Allow outbound HTTP or HTTPS requests
    - Use architectural methods to protect your network against inbound HTTP requests (later)
  - FTP
    - Tricky protocol - needs more attention than the rest
  - TCP
    - Incoming TCP connections should not be allowed unless they were initiated from the inside
    - Hard to do with simple packet filters
  - NTP
    - Restrict to specific hosts only
  - SMTP/Mail
    - Need to be checked to see if they are “valid”
    - No viruses, spoofed addresses, etc.
    - Hard to do with packet filters
  - POP3/IMAP
    - Should block access from outside, but this will irritate users
    - Use SSL tunneling - later
  - UDP
    - Must block all calls - a bit draconian but sometimes necessary
  - Others
    - Block all other unnecessary protocols like H.323, SMB, Kazaa, etc.
Personal Firewalls - I
• Windows XP SP2 comes with its own GUI and controls for the Windows Firewall
• Previously known as Internet Connection Firewall

More Windows Firewall
[Screenshot: Windows Firewall settings, including the “Show Log” option]
Personal Firewalls - II
• Also called “desktop firewalls”; these are becoming very popular
• Protect individual hosts from malicious packets
• Perform per-host packet filtering
• Many products are available
  - Zone Alarm - http://www.zonelabs.com
  - Tiny Firewall - http://www.tinysoftware.com
  - McAfee Personal Firewall Plus - http://us.mcafee.com/default.asp
  - Symantec, Sygate, Panda Software, Computer Associates, etc.
Network Statistics on a Mandrake Firewall
[Screenshot]

Firewall Rules
[Screenshot]
Packet Filtering: Advantages and Disadvantages
• It is hard to set packet filtering rules correctly
  - Error-prone process
  - Order matters!
• Packet filtering is fast and a low-cost technology
• It is transparent to user applications
• It is, however, not very secure
  - Example: A standard ACL filters based on source addresses
    - Source addresses can be easily spoofed
Attacks on Packet Filters
• IP spoofing
  - The attacker can use an internal IP address or some other allowed IP address
  - Countermeasures:
    - Deny all internal IP addresses arriving from outside
    - Use IPSec for authentication
• Opening holes
  - Sometimes, to accommodate certain protocols, sysadmins open holes in the ruleset
  - Care must be taken to restrict access through the holes to a limited number of hosts
• ACK flags
  - Can fool packet filters that accept packets from “established” sessions that are not really established
Fragmentation
• Fragmentation occurs when the maximum transmission unit (MTU) of a link is smaller than the size of the IP datagram
  - Example: In Ethernet, the MTU is 1500 bytes
  - Example: In Frame Relay, the MTU is 1600 bytes
  - Similarly, for a TCP segment, a maximum segment size (MSS) is also specified
• Oscar tries to mask his probes and facilitate attacks using fragmentation of IP datagrams
  - Many filters fail to recognize fragmented packets
  - Many IDSs do not support packet reassembly
  - Oscar can get through to a target network and to a victim host
• Tiny fragment attacks
  - IP fragmentation is used to separate the TCP header information into multiple IP packets
  - RFC 1858 defines methods to deter such attacks (drop fragments smaller than a given size)
Fragmentation Basics
• When a packet is fragmented, all fragments reach the destination
• The destination has to reassemble the fragments
  - It should be able to figure out
    - Which fragments are associated together
    - Where the fragments fit (what is the offset from the start of the packet)
    - How much data a fragment contains (as a check)
    - Whether more fragments exist or the reassembly can be undertaken
• The IP header contains the information to reassemble the fragments
  - Some fields may be omitted except in the first fragment
Example
• An IP datagram of size 4000 bytes arrives at a router
• The MTU of the link is 1500 bytes
• The IP header is 20 bytes long
• So the payload has to be fragmented and sent in new IP datagrams
  - Each IP datagram has the source and destination address
  - The header of the payload protocol is NOT repeated
  - This enables Oscar to play some tricks

[Figure: the original 4000-byte datagram; its IP header shows the protocol that it carries]
Example - 2
• Each IP header has a 16-bit identification field
  - This identifies the datagram sent by the host and will be the same for all fragmented packets
  - The fragment id is set to this identification value
• The first IP fragment will contain the protocol header of the payload (e.g. TCP, ICMP, etc.)
  - It has offset = 0, length = 1480 bytes
  - It also has the “more fragments” field set to 1
• The second IP fragment simply contains the next 1480 bytes of payload data - offset = 1480, length = 1480, more fragments = 1
• The third IP fragment has 1020 bytes of data, more fragments = 0
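The 4000-byte example carried through in code, together with a tiny-fragment check of the kind the Fragmentation slide attributes to RFC 1858. This is an added illustration, not code from the lecture; the identification value 0x1234 and the 20-byte minimum transport-header length are constructed choices. It also shows the detail the slide leaves implicit: the header's fragment offset field counts 8-byte units, so 1480 bytes is stored as 185.

```python
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20          # no IP options, as in the slide


@dataclass(frozen=True)
class Fragment:
    ident: int              # 16-bit Identification, identical for every fragment of one datagram
    offset_bytes: int       # where this slice of payload starts in the original payload
    length: int             # payload bytes carried by this fragment
    more_fragments: bool    # MF flag: 1 on every fragment except the last

    @property
    def offset_field(self) -> int:
        """The header stores the offset in 8-byte units, which is why every fragment
        except the last must carry a multiple of 8 payload bytes."""
        return self.offset_bytes // 8


def fragment(total_len: int, mtu: int, ident: int) -> List[Fragment]:
    """Fragment a datagram of total_len bytes (IP header included) for a link with the given MTU."""
    payload = total_len - IP_HEADER_LEN
    # Largest payload per fragment that fits under the MTU and is a multiple of 8.
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags: List[Fragment] = []
    offset = 0
    while offset < payload:
        length = min(chunk, payload - offset)
        is_last = offset + length >= payload
        frags.append(Fragment(ident, offset, length, not is_last))
        offset += length
    return frags


# Only the first fragment carries the transport header; a filter that wants to see the
# TCP ports and flags needs at least this much of it. 20 bytes (an options-free TCP
# header) is a constructed threshold; RFC 1858 leaves the exact minimum to the filter.
MIN_TRANSPORT_HEADER = 20


def is_tiny_fragment_attack(frag: Fragment, protocol: str) -> bool:
    """Drop rule in the spirit of RFC 1858: a first fragment too short to hold the TCP
    header, or a fragment at offset field 1 (8 bytes in) that could overwrite the
    port and flag fields on reassembly."""
    if protocol != "TCP":
        return False
    if frag.offset_field == 0 and frag.length < MIN_TRANSPORT_HEADER:
        return True
    return frag.offset_field == 1


def describe(frags: List[Fragment]) -> List[str]:
    """One line per fragment, in the terms the slide uses."""
    return [
        f"id=0x{f.ident:04x} offset={f.offset_bytes} (field {f.offset_field}) "
        f"len={f.length} MF={int(f.more_fragments)}"
        for f in frags
    ]


if __name__ == "__main__":
    print("\n".join(describe(fragment(4000, 1500, 0x1234))))
    # Constructed 8-byte first fragment: too small to show its TCP ports to a filter.
    print(is_tiny_fragment_attack(Fragment(0x1234, 0, 8, True), "TCP"))
```

Running it on the slide's numbers gives the three fragments the slide lists (offsets 0, 1480 and 2960; lengths 1480, 1480 and 1020; MF = 1, 1, 0); a normal first fragment passes the tiny-fragment check, while an 8-byte first fragment does not.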
Fragmentation and Packet Filters
• The IP header of each fragment indicates the protocol of the payload (e.g. TCP, ICMP, etc.) but the filter often does not read the contents
  - Many packet filters are stateless - they are asked to block packets to port number N from all hosts
  - They let the fragments into the network, blocking only the first one
• Many services set a Do not Fragment (DF) flag
  - This is done to discover the smallest MTU along a route
  - An ICMP error message reports that the IP datagram cannot be delivered because the MTU is smaller, and reports this value
• Malicious fragmentation has led to many attacks
  - It is now possible to block any fragmented packet
Fragmentation Attacks
• A common port scanning tool is nmap
  - It can be used to fragment TCP headers into many IP datagrams
  - Filters may not recognize the port number and allow all fragments into the network
  - Oscar can successfully scan for open ports and services
• No final fragment
  - Common for DoS attacks on routers that try to reassemble packets for broadcast over a link
• Overlapping fragments
  - Teardrop is a DoS attack that uses overlapping fragments to confuse the OS and crash it
• Ping of death crafts IP packets whose total size exceeds 65535 bytes, causing a crash
Other protocols that may bypass packet filters
• Tunneling
  - Using SSH to access services bypasses all filtering
• MBone encapsulation
  - MBone is the multicast backbone on the Internet
  - Used, for example, for reaching large audiences with video traffic
  - Encapsulates packets, resulting in bypassing filters
• Arbitrary port creation
  - P2P software: BitTorrent, KaZaa, eDonkey, etc.
  - IP telephony
Firewall vulnerabilities
• Since port 80 is typically open, many users abuse it by tunneling other applications within HTTP using SOAP
  - Read http://www.schneier.com/crypto-gram-0006.html
• Checkpoint’s FireWall-1 product vulnerabilities reported in July 2000
• Cisco’s IOS has security vulnerabilities in some versions
  - IOS is used in most Cisco products including packet filters and firewalls
  - IOS source code was stolen and posted on the web, allegedly by a 16-year-old at Uppsala, Sweden, in 2004
• Symantec’s Raptor firewall
  - Oscar could hijack sessions passing through the firewall
Dynamic packet filtering
• Idea
  - Create rulesets on the fly and tear them down when completed
• Example
  - A host from the internal network - say 136.142.117.221 - connects to a telnet server 130.215.17.13 on the outside
  - Say the port number on the client side is 1091
  - What is the port number at the server?
  - A new ruleset would be created as follows
    - Allow packets from host 130.215.17.13 port = 23 to host 136.142.117.221 port = 1091
• The dynamic packet filter will examine all packets to make sure that the SYN, SYN-ACK and ACK were completed
• When it observes the FIN packets, it tears down the ruleset, thereby disallowing further communication from 130.215.17.13
• In Cisco devices, this is called a “reflexive” access list
  - Can be a burden on routers in terms of performance
Attacking dynamic packet filters
• Much harder to do this
  - Trojans and worms internal to the network can abuse dynamic filters
• Oscar needs to know
  - The existence of a dynamically created access list
    - An internal host connecting to an external host will create the access list - nothing else can do it
  - Only the host 130.215.17.13 can connect through this access list
    - Oscar will have to spoof this address
  - The connection can be made only to host 136.142.117.221
    - Oscar cannot attack any arbitrary host in the internal network
  - The connection can only be made to port 1091
  - The communication stage (state) must be precisely known
    - Dynamic packet filters can keep track of sequence numbers
• If Oscar can do all this, it probably means that there are much bigger security problems with the internal network
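A simulation of the dynamic packet filter from the two slides above, added here as an example (it is not the lecture's code, nor Cisco's reflexive-ACL implementation). It tracks the telnet session through SYN, SYN-ACK and ACK, admits return traffic only for the exact tuple 130.215.17.13:23 to 136.142.117.221:1091, and tears the rule down once FINs have been seen in both directions. The denied cases in the demo correspond to the constraints the second slide lists: another internal host, another port, and a forged SYN-ACK for a connection no internal host opened. The packet helper and the packet sequence are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # subset of {"SYN", "ACK", "FIN"}


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> TcpPacket:
    return TcpPacket(src, sport, dst, dport, frozenset(flags))


@dataclass
class Session:
    state: str                   # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    fin_in: bool = False
    fin_out: bool = False


# The key is the temporary rule itself: (external host, external port, internal host, internal port).
Key = Tuple[str, int, str, int]


class DynamicFilter:
    def __init__(self, internal_net: str) -> None:
        self.internal = ipaddress.ip_network(internal_net)
        self.sessions: Dict[Key, Session] = {}

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def process(self, p: TcpPacket) -> str:
        if self._inside(p.src) and not self._inside(p.dst):
            return self._outbound(p)
        if self._inside(p.dst) and not self._inside(p.src):
            return self._inbound(p)
        return "deny"            # neither inbound nor outbound: not our traffic

    def _outbound(self, p: TcpPacket) -> str:
        key = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:
            # An internal host opens a connection: create the reflexive rule on the fly.
            self.sessions[key] = Session("SYN_SENT")
            return "allow"
        s = self.sessions.get(key)
        if s is None:
            return "deny"
        if s.state == "SYN_RECEIVED" and "ACK" in p.flags:
            s.state = "ESTABLISHED"     # three-way handshake completed
        elif s.state != "ESTABLISHED":
            return "deny"
        if "FIN" in p.flags:
            s.fin_out = True
        self._teardown_if_closed(key, s)
        return "allow"

    def _inbound(self, p: TcpPacket) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        s = self.sessions.get(key)
        if s is None:
            # No internal host asked for this: unsolicited SYNs, forged ACK/SYN-ACK
            # packets, and the wrong internal host or port all end here.
            return "deny"
        if s.state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                s.state = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if s.state != "ESTABLISHED":
            return "deny"
        if "FIN" in p.flags:
            s.fin_in = True
        self._teardown_if_closed(key, s)
        return "allow"

    def _teardown_if_closed(self, key: Key, s: Session) -> None:
        # Simplification: a real filter keeps the entry briefly so the final ACK of the close passes.
        if s.fin_in and s.fin_out:
            del self.sessions[key]


def demo_telnet_session() -> List[str]:
    """The slide's scenario: 136.142.117.221:1091 telnets to 130.215.17.13:23 (constructed packets)."""
    fw = DynamicFilter("136.142.117.0/24")
    client, server = "136.142.117.221", "130.215.17.13"
    sequence = [
        pkt(client, 1091, server, 23, "SYN"),                    # allow: rule created
        pkt(server, 23, client, 1091, "SYN", "ACK"),             # allow: the expected reply
        pkt(client, 1091, server, 23, "ACK"),                    # allow: established
        pkt(server, 23, client, 1091, "ACK"),                    # allow: data from the server
        pkt(server, 23, "136.142.117.222", 1091, "ACK"),         # deny: another internal host
        pkt(server, 23, client, 1092, "ACK"),                    # deny: another port
        pkt(server, 23, "136.142.117.13", 40000, "SYN", "ACK"),  # deny: forged SYN-ACK, no SYN was sent
        pkt(server, 23, client, 1091, "FIN", "ACK"),             # allow: server closes
        pkt(client, 1091, server, 23, "FIN", "ACK"),             # allow: client closes; rule torn down
        pkt(server, 23, client, 1091, "ACK"),                    # deny: the rule is gone
    ]
    return [fw.process(p) for p in sequence]


if __name__ == "__main__":
    print(demo_telnet_session())
```

The filter deliberately refuses a plain ACK from the server while the session is still in SYN_SENT: that is the "ACK flags" trick from the Attacks on Packet Filters slide, which works against a stateless filter but not against one that insists on seeing the handshake complete.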
Stateful Firewalls
• Most advanced and secure firewall technology
  - Also called stateful packet inspection (SPI)
  - Same as dynamic packet filtering in many cases
• The firewall keeps track of all requests for information from the intranet
  - Scans the destination of an inbound packet to see if it matches the source of a previous outbound request
• This can generally examine multiple layers of the protocol stack
  - Typically at layers 4 and below, but sometimes at the application layer as well
  - Data can also be analyzed if required
  - Blocking can be done at any layer or depth
• The “state” of each packet is determined, hence the name “stateful”
More on Stateful Firewalls
• Stateful firewalls maintain “state” in a content table
  - Allows them to accomplish a higher level of security than simple packet filters
• Still possible to fool them, because some incoming connections are allowed without outgoing connections being created
• Maintaining state information for UDP and ICMP is hard
  - There is no concept of state for these protocols
  - For UDP, the port numbers are important in maintaining some pseudo-state information
  - Some ICMP messages can have pseudo-states (requests and responses), but one-way ICMP traffic is harder to manage
Some more on stateful firewalls
• Filters typically look at only layer 3 and some layer 4 information
  - This is called filtering
• It is possible to examine higher-layer information, sequence numbers, and payload as well
  - Example: the state of HTTP and FTP can be examined - the GET command can be examined, or the port number exchange in FTP can be examined
  - This is called stateful inspection
• In stateful firewalls, application-layer examination is minimal and abbreviated
  - The entire protocol stack is NOT implemented, and it is harder for the firewall to perform a thorough examination
  - It can make the rules extremely complex
Application Level Inspection
• Typically only partial inspection is performed
  - The packets used to initiate the application session are examined
  - Other packets are simply let through
  - Malicious application packets afterwards are not detected
• Detection improves, making it harder to attack in stealth
• Deep packet examination
  - Sometimes needed to detect covert channels or malicious payloads carried by known protocols
  - Example: Several worms use SQL or NetBIOS or HTTP to travel over the Internet
  - Sometimes called IPS-Lite (more when we discuss detection)
Filtering vs. Inspection
• What is state?
  - Protocol, sequence numbers, ports, flags, ack nos., application-level commands (GET, etc.), timeouts, …
• Blurred line
  - Dropping packets using state information is filtering?
  - Examining packets using state information and application information is inspection?
• How does the firewall handle and track state information?
Examples of Stateful Firewall Products
• Cisco PIX firewall
• Windows Firewall is said to be stateful
• Checkpoint
  - Very first stateful firewall products
  - FireWall-1
    - Tracks UDP using pseudo-state information
• Juniper’s NetScreen firewall appliance
• Most new firewalls support dynamic packet filtering
• IPtables and Netfilter are two freely available software firewalls for Linux
Proxy Firewalls or Gateways
• Act as a relay for application/lower-level traffic
  - Client contacts the gateway with identification information
  - The gateway contacts the application server and relays packets to and from it
  - It acts on behalf of a client and shields either side from direct connection
• Make two separate TCP connections
  - One between the proxy and the outside host
  - Another between the proxy and the inside host
• The gateway can be made to support only certain services and protocols
  - Example: no JavaScript in HTML pages
More on Proxy Firewalls
• Proxies are both clients and servers
  - To the client connecting to it, a proxy behaves as a server
  - To the server providing network services, it acts as a client
  - To distinguish between the real client and server, we often refer to the “listener” and “initiator” of the proxy
• Proxies shield the protected system from being viewed by external systems
• Proxies usually run on a dual-homed host called a bastion host

[Figure: the proxy firewall on a dual-homed host with IP forwarding disabled sits between the Internet and the protected system]
Bastion Host
• Bastion = fortress
• A bastion host is a system that serves as a platform for a proxy firewall
  - It employs a secure version of the operating system
  - Only required services are installed on it
    - E.g. you cannot have a new server installed
  - No user accounts exist on the bastion host
• Proxy modules implement simplified versions of the software
  - Easy to analyze code for loopholes
How do clients work with proxies?
• SOCKS approach
  - Use a protocol that allows adding modules to clients to make them “proxy-aware”
  - Client sends request to proxy instead of the real server
• Client transparency
  - Proxy modules masquerade as clients and servers on the fly
  - They intercept packets, connection requests, etc.
  - Client is fooled into thinking it has connected with the real server
  - Proxy needs to be on the network path between client and real server
Types of Proxy Firewalls
• Circuit-level gateway
  - Packet filtering ++ at the TCP level
  - Validate and monitor sessions (like stateful packet filters)
• Application-level gateway
  - Custom client/server software implemented for each service scrutinized by the firewall
  - Only allows properly formatted packets to go through
Circuit-level Gateway - CLGW
• Idea:
  - Internal users are trustworthy while external ones are not
  - Check connections from inside to outside or vice versa to see if they are allowed
    - Example: Check if SYN and ACK sequence numbers are OK
• All outbound traffic is relayed without inspection
• All inbound traffic is examined, but minimally or as in the case of a packet filter

[Figure: a circuit-level gateway relaying several connections; each has an “in” side and an “out” side]
More on CLGWs
• Pros
  - Faster than application-level gateways
  - Provides some protection by preventing connection to/from certain internal hosts
  - Shields internal network topological and host information
• Cons
  - Minimal examination of packets flowing into the network
  - Cannot restrict protocols that do not use TCP
  - Does not perform application-level examination of packets
Bastion Host
• Bastion = fortress
• Bastion hosts are expected to be attacked!
• A bastion host is a system that typically serves as a platform for a proxy firewall
  - It employs a secure version of the operating system
  - Only required services are installed on it
    - E.g. you cannot have a new server installed
  - No user accounts exist on the bastion host
• Proxy modules implement simplified versions of the software
  - Easy to analyze code for loopholes
• Services on bastion hosts
  - Web
  - FTP
  - DNS
Application-level gateway
• Prevents direct communication between external servers and internal computers
  - Gives users the appearance that they are communicating directly with external servers
  - Recreates the application request and response and makes sure they are valid
• For example, a client accesses a server to get a web page
  - The server serves it with a malicious Java applet
  - The ALGW drops the applet after examining it
• Example 2: FTP disallows the “put” command to prevent writing onto the internal network

[Figure: an application-level gateway between client and server, with separate proxies for Telnet, FTP, SMTP and HTTP]
Advantages of Proxy Firewalls
• Maintain detailed audit information
  - Sysadmins can monitor violations of security policies easily
  - Logs are extremely useful
• Prevent information leakage
  - What the IP addresses in the protected network are, what OSs are running (based on TTL, window size), etc.
• Better than packet filters
  - Not susceptible to IP spoofing
  - Support user authentication
  - Less complex filtering rules - rules are within the proxied application itself
Other uses
- Reverse Proxy
  - Earliest proxy firewalls
  - An internal user trying to connect to the outside through a proxy is what we call a "forward" proxy
  - A user connecting from outside to internal services is called a "reverse proxy"
  - Enables monitoring of who is accessing what data on your server
  - Can require authentication at the proxy
- Web proxies can cache information, enabling quicker response
- Anonymizing proxies
  - Help prevent digital trails of activities
  - Proxy chaining using SocksChain
Drawbacks of Proxy Firewalls
- Could be a single point of failure
- Performance reduction due to processing of many flows at the same host
- Not all network protocols are supported
- Limited number of services are available
  - If new applications are created, it will be hard to proxy them for a while
- If there is a bug in the OS of the gateway, there could be a severe security breach
- Protocol issues
  - Security protocols like IPsec are incompatible with proxies, hurting end-to-end VPNs
Proxy Tools
- FWTK
  - Stands for Firewall Toolkit
  - Developed by Trusted Information Systems (TIS) through a DARPA project in 1993
  - Source code is available, but development has stopped
  - Check http://www.fwtk.org/fwtk/docs/ for documentation
  - Does not support many new protocols like H.323
SOCKS
- What is SOCKS?
  - It is a proxy toolkit that can be used with several applications
  - More an enabling technology than a product
    - Applications need not be designed with proxying in mind
- SOCKS is software with the following components
  - A SOCKS server that runs in the firewall
  - A SOCKS client that runs in the internal hosts
  - SOCKS-ified versions of Telnet, FTP etc.
- SOCKS server
  - Authenticates requests (password based or Kerberos based)
  - Authorizes the request
  - Establishes a proxy connection to the other host
  - Relays the data between the two connections
Versions of SOCKS
- SOCKS V4
  - Lacks strong authentication
  - Uses TCP headers, IP addresses to grant access
  - Needs the client to resolve domain names
- SOCKS V5
  - Also known as authenticated firewall traversal
  - Has strong authentication (many methods are supported)
  - Performs address resolution proxy services as well
  - Proxies for UDP applications are possible
- Check: http://www.socks.permeo.com/ for more details
Remarks
- Proxy firewalls are becoming less significant
  - Not many vendors are marketing proxy firewalls
  - Primarily due to performance issues in high-bandwidth networks
  - Secondarily due to compatibility issues
Other Proxy Firewall Software
- Gauntlet
  - Available for both Windows and UNIX environments
  - Offers a wide range of proxied services: FTP, Telnet, HTTP, NetMeeting, RealAudio, Microsoft SQL etc.
- PORTUS
- Squid
  - Open source web proxy
Other types of firewalls
- Cutoff Proxy
  - Combination of CLGW (Circuit-level Gateway) and packet filters
  - Initially operates as a CLGW and then switches to a dynamic packet filter
    - It creates a direct connection between client and server
    - No longer acts as a listener and initiator
  - Provides a balance between security and performance
- Airgap Proxy
  - Writes the output of the "external" connection to an SCSI e-disk from where it is read by an internal connection
  - Because the direct connection is broken, it is considered to be more secure
SOME CONFIGURATIONS AND EXAMPLES
Firewall Architectures
Firewall Architectures
- Placement of packet filters and gateways can impact the security
- Depending on the network layout and protocols, Oscar could get some access, no access, etc.
- Many types of architectures are possible
  - Bastion host: a "fortress" that guards the rest of the private network
  - Bastion host may be single- or multi-homed
  - Network segments may also be isolated
Firewall Configurations (1)
- Screened host firewall, single-homed bastion
  - Packet filter allows only packets addressed to or from the bastion host to pass through
  - Two levels of security
  - If the packet filter is compromised, so is the network
[Figure: Packet Filter, Private network, Bastion host or proxy firewall]
Firewall Configurations (2)
- Screened host firewall, dual-homed bastion
  - Prevents breach of security when the packet filter is compromised
  - More secure and prevents any direct physical connection between the private network and the outside world
[Figure: Packet Filter, DMZ with Bastion host or proxy firewall, Private network]
Example
- Gateway is in the DMZ: the outside world can contact GW, but only in a limited way because of the packet filter
- Limited connections are possible between Net1 or Net2 and GW
- Anything can pass between Net1 and Net2
- Outgoing calls are possible from Net1/Net2 to the outside world
[Figure: Outside, Packet Filter, GW, H1, H2, Inside Net0, Inside Net1, Inside Net2]
Firewall Configurations (3)
- Screened subnet firewall
  - Two packet filters are used
  - An isolated subnetwork (DMZ) containing the bastion host and other insecure connections is created
  - There are three levels of defense, and the private network is invisible to the rest of the world
  - The rest of the world is invisible to the private network
[Figure: Outside Packet Filter, DMZ with Bastion host or proxy firewall and Dial-up, Inside Packet Filter, Private network]
Example - FTP
- Operation
  - The client (user) first opens a "control" channel to the server
  - To set up the data connection, there are two options
- PORT
  - Client sends a PORT command in the control channel
  - Contains the IP address (perhaps different) and a random port number of the client
  - FTP server connects from port 20 to the random port at the client
- PASV - Passive option

More Details of PORT
Example - FTP 2
- PASV
  - Client sends PASV
  - Server starts listening on a random port and informs the client in the response
  - Client initiates the data channel
  - Could be any new IP address and port number
More Details of PASV
Impact on Firewalls
- Packet Filter
  - If all incoming TCP connections (SYN) to random ports are disabled, FTP will not work with PORT; it will with PASV
  - Similar impact with dynamic packet filters
- Stateful Firewalls
  - With deep packet inspection, may allow FTP to proceed
- Proxy Firewalls
  - Need to be aware of the two channels and behave appropriately
Potential attack using FTP - 1
- FTP server allows anonymous connections
- Web server also runs Telnet for administrators
- Stateful firewall blocks all inbound connections except those to port 21 on the FTP server and port 80 on the web server
  - It appears that we are protected even if the Telnet service has vulnerabilities
Source: Northcutt et al., Network Perimeter Security
[Figure: Screened subnet]
Potential attack using FTP - 2
- What does Oscar do?
  - Uses a legitimate FTP connection to upload a file to the FTP server
    - File contains exploit commands against Telnet
  - Using the control channel, sets the IP address and port number for data transfer to 136.142.117.132 and 23
  - Uses the command channel and the "RETR" command to retrieve the malicious file
  - The malicious file is, however, sent to the web server at port 23!
- Solution
  - Allow uploads but not downloads
  - Use a proxy firewall
    - The proxy can determine that the IP address in the PORT command is an internal IP address and block the transfer
  - Exercise caution
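The proxy-side check described in the solution above, as an added example (not code from the lecture): parse the FTP PORT command (RFC 959 encodes the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) and refuse to relay it when the data address is inside the protected network, differs from the client on the control channel (the mitigation RFC 2577 recommends), or names a privileged service port. The protected range 136.142.117.0/24 and the client addresses are assumptions made for the example.

```python
import ipaddress

# Added example, not the lecture's code. The protected range is assumed for the
# example; it contains the web server 136.142.117.132 from the slides.
INTERNAL_NETS = [ipaddress.ip_network("136.142.117.0/24")]


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        return None
    fields = [f.strip() for f in parts[1].split(",")]
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        return None
    ip = ipaddress.ip_address(".".join(fields[:4]))
    port = int(fields[4]) * 256 + int(fields[5])      # RFC 959 port encoding
    return ip, port


def check_port_command(line, control_peer, internal_nets=INTERNAL_NETS):
    """Decide whether a proxy should relay this PORT command to the FTP server.

    control_peer is the client's address on the control channel.
    Returns (allowed, reason)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if any(ip in net for net in internal_nets):
        # the bounce from the slides: data address points at an internal host
        return False, f"data address {ip} is inside the protected network"
    if ip != ipaddress.ip_address(control_peer):
        return False, f"data address {ip} differs from control peer {control_peer}"
    if port < 1024:
        # e.g. port 23 (Telnet): never let "data" be delivered to a service port
        return False, f"data port {port} is a privileged service port"
    return True, "ok"
```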
DNS and Firewalls
- Implementing DNS in a DMZ topology
  - Prevents outsiders from accessing host names/addresses on the inside
  - Still allows internal users to contact the outside world

DNS and Firewalls - 2

DNS and Firewalls - 3
Other topics of importance
- Filtering routing information
  - Given a topology where certain hosts/subnets are NOT supposed to be visible to the outside world, routers must take care not to advertise their existence
  - See Section 9.1.2 of FIS for issues in addressing etc.
- Building and testing firewalls
  - See Chapter 11 of FIS
Choosing a firewall
- Router/firmware-based firewalls
  - Add additional components in a router to enable firewall functionality
  - Expensive, and may sometimes burden the router
- Software-based firewalls
  - Sophisticated
  - Run on dedicated UNIX/Linux or Windows NT hosts
  - Require continuous maintenance and support
    - Patches
- Dedicated firewall appliances
  - High performance
  - Plug-and-play installation
Firewall Policies
- Common policy
  - Everything is denied except what is explicitly permitted
  - Or what makes it inside the network anyway :-(
- Complexity of policy may make it unenforceable and inconsistent
  - If a policy is not enforceable, people will ignore the rules
  - Example: "Report all virus attacks" - people clean the virus and move on
- Must have tools that can collect information related to the "MUSTs" in the policy
- Creating an organization-wide policy is important
  - Risks must be identified, policies must be updated, policies for mobile employees must be specified, and extreme care must be taken
Example of iptables Firewall
- OSI Model

Sample of TCP/IP Data Packet
Protocol     | Contents     | OSI Layer
Ethernet     | MAC address  | Datalink
IP           | IP address   | Network
TCP          | TCP header   | Transport
HTTP         | HTTP header  | Application
Application  | Web page     | Data
Security Business Process
1. Develop a network use policy
2. Map out services needed outward and inward
3. Convert the network use policy and needed services into firewall rules
4. Implement and test for functionality and security
5. Review and test your firewall rules on a periodic basis
iptables
- Linux open-source firewall
- Website: www.netfilter.org
  - Also available as a module for many Linux administration tools
- Basic tables for the rule set
  - input
  - forward
  - prerouting
  - postrouting
  - output
- Command line syntax
  - iptables command rule-specification extensions
Example of Commands
Command           | Description
-A chain          | Append one or more rules to the chain
-I chain rulenum  | Insert a rule into the chain at position rulenum
-D chain          | Delete a rule from the indicated chain
-L                | List all rules
-F                | Flush all the rules in the current chain
-P chain policy   | Set the default policy for a chain
Example of Rule-Specification
Rule Specification | Description
-p protocol        | Specify a certain protocol for rule match
-s address/mask    | Specify the source IP address and mask (port numbers are matched separately, e.g. with --dport)
-j target          | This tells what to do with the packet if it matches the specification
                   | DROP - drop without any further action
                   | REJECT - drop and send an error packet in return
                   | LOG - log the packet (to the kernel log)
                   | MARK - mark the packet for further action
                   | REDIRECT - redirect the packet
Creating an iptables Firewall
- 0. Assume that your local LAN subnet is 192.168.0.1 - 192.168.0.254 (192.168.0.0/24),
  - eth1 is your local LAN interface and
  - eth0 is your Internet or WAN interface
- 1. Start by eliminating any existing rules with a flush command:
  - iptables -F FORWARD
- 2. Flush the other chains:
  - iptables -F INPUT
  - iptables -F OUTPUT
- 3. Put your standard "deny all" statement right up front:
  - iptables -P FORWARD DROP
  - iptables -A INPUT -i eth0 -j DROP

Creating an iptables Firewall (2)
- 4. Accepting fragmented packets must be done explicitly in iptables:
  - iptables -A FORWARD -f -j ACCEPT
- 5. Prevent spoofing and smurf attacks: drop WAN packets that claim an internal source address, and ICMP from the WAN aimed at the internal broadcast address (the smurf amplifier)
  - iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
  - iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.255 -j DROP
- 6. Allow only connections initiated from inside: accept inbound TCP packets that are not connection requests (! --syn, i.e. not SYN-only), either continuing an inbound connection to internal www/smtp servers or replying from outside www/smtp servers
  - iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 -m multiport --dports www,smtp ! --syn -j ACCEPT
  - iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 -m multiport --sports www,smtp ! --syn -j ACCEPT

Creating an iptables Firewall (3)
- 7. Accept incoming connections from outside only on certain ports:
  - iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 -m multiport --dports smtp --syn -j ACCEPT
- 8. Allow outgoing connections to be initiated by users, but only for specific protocols (these packets arrive on the LAN interface eth1):
  - iptables -A FORWARD -p tcp -i eth1 -d 0.0.0.0/0 -m multiport --dports www,smtp --syn -j ACCEPT
- 9. Allow certain incoming UDP packets (DNS queries to internal servers and DNS replies from outside servers):
  - iptables -A FORWARD -p udp -i eth0 -d 192.168.0.0/24 -m multiport --dports domain -j ACCEPT
  - iptables -A FORWARD -p udp -i eth0 -d 192.168.0.0/24 -m multiport --sports domain -j ACCEPT

Creating an iptables Firewall (4)
- 10. Allow all types of internal ICMP outwards, but only certain types such as echo-reply inwards. ICMP has no ports, so the type is matched with --icmp-type, one type per rule (0 = echo-reply, 3 = destination-unreachable, 11 = time-exceeded, 8 = echo-request):
  - for t in 0 3 11; do iptables -A FORWARD -p icmp -i eth0 -d 192.168.0.0/24 --icmp-type $t -j ACCEPT; done
  - for t in 8 3 11; do iptables -A FORWARD -p icmp -i eth1 -d 0.0.0.0/0 --icmp-type $t -j ACCEPT; done
- 11. Set up logging (LOG is a non-terminating target: packets reaching these rules are logged and then fall through to the DROP policy):
  - iptables -A FORWARD -p tcp -j LOG
  - iptables -A FORWARD -p udp -j LOG
  - iptables -A FORWARD -p icmp -j LOG
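As an added illustration (not the lecture's code), a small Python model of how the FORWARD chain built in steps 5-9 is evaluated: rules are tried in order, the first match decides, and the chain policy applies when nothing matches. It also reproduces the FTP point made earlier: an inbound SYN from a server's port 20 to a random client port (PORT mode) is dropped by this ruleset. The packet fields, the tiny rule language and all addresses are simplifications constructed for the example.

```python
from dataclasses import dataclass

# Added example, not the lecture's code: a first-match model of the FORWARD chain.
# Packet fields are our own simplification of the iptables matches used in steps 5-9.


@dataclass
class Packet:
    iface: str          # interface the packet came in on: eth0 (WAN) or eth1 (LAN)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def in_lan(ip):
    return ip.startswith("192.168.0.")          # the 192.168.0.0/24 LAN of step 0


def is_syn(p):
    return p.proto == "tcp" and p.syn and not p.ack   # what iptables --syn matches


# (step, match predicate, verdict), in the order the rules were appended
FORWARD = [
    ("5: drop WAN packets claiming an internal source (anti-spoofing)",
     lambda p: p.iface == "eth0" and in_lan(p.src), "DROP"),
    ("6: replies from outside www/smtp servers, not new connections",
     lambda p: p.iface == "eth0" and p.proto == "tcp" and in_lan(p.dst)
               and p.sport in (80, 25) and not is_syn(p), "ACCEPT"),
    ("7: inbound connection requests only to smtp",
     lambda p: p.iface == "eth0" and in_lan(p.dst) and p.dport == 25 and is_syn(p), "ACCEPT"),
    ("8: outbound connection requests only to www/smtp",
     lambda p: p.iface == "eth1" and p.dport in (80, 25) and is_syn(p), "ACCEPT"),
    ("9: DNS over UDP to or from internal resolvers",
     lambda p: p.iface == "eth0" and p.proto == "udp" and in_lan(p.dst)
               and 53 in (p.sport, p.dport), "ACCEPT"),
]
POLICY = "DROP"   # iptables -P FORWARD DROP


def forward(p, rules=FORWARD, policy=POLICY):
    """Return (verdict, reason) for a packet traversing the FORWARD chain."""
    for step, match, verdict in rules:
        if match(p):                 # first matching rule decides
            return verdict, step
    return policy, "no rule matched: chain policy"
```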