Computer/Information SecurityDR M Y Siyal P9-1
FIREWALLS
A firewall is hardware or software (or a combination of hardware and software) that monitors the packets of digital information that attempt to pass through the perimeter of a network and decides, packet by packet, whether to let them through.

HARDWARE FIREWALLS
Protect an entire network
Implemented at the router level
Usually more expensive and harder to configure

SOFTWARE FIREWALLS
Protect a single computer
Usually less expensive and easier to configure

HOW DOES A SOFTWARE FIREWALL WORK?
Inspects each individual "packet" of data as it arrives at either side of the firewall (inbound to or outbound from your computer)
Determines whether it should be allowed to pass through or whether it should be blocked
KEEPING WORMS AND CRACKERS OUT
When you request something from the internet, a firewall that also acts as a NAT device or proxy pretends that it made the request, not your computer.
Since the internet never even sees your computer, there is nothing for worms or crackers to probe or attack other than your firewall.
And your firewall is just a dumb box that offers no services of its own.
PERIMETER DEFENSE
A firewall is said to provide "perimeter security" because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.
BASIC FIREWALL OPERATION
1. Legitimate hosts send innocent packets; attackers send attack packets.
2. Ingress packets come into a site; egress packets go out from a site.
Firewalls drop and log provable attack packets.
Firewalls do not drop packets unless they are provably attack packets. This means that some attack packets that are not provably attack packets get through the firewall.
FIREWALL POLICIES
To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.
(Figure: the firewall sits between the trusted internal network and the untrusted Internet.)
POLICY ACTIONS
FIREWALL RULES
ALLOW: traffic that flows automatically because it has been deemed "safe"
BLOCK: traffic that is dropped because it has been deemed dangerous to your computer
ASK: the user is asked whether or not the traffic is allowed to pass through

There are two approaches to creating firewall policies:
1. BLACK LIST APPROACH (default-allow)
All packets are allowed through except those that match the rules defined specifically in a blacklist.
This configuration is flexible but naive, as it assumes the network administrator can enumerate all of the properties of malicious traffic.
2. WHITE LIST APPROACH (default-deny)
A safer approach to defining a firewall rule set is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.
PERSONAL FIREWALL
A personal firewall (sometimes called a desktop firewall) is a software application used to protect a single Internet-connected computer from intruders.

WHAT A PERSONAL FIREWALL CAN DO
Stop hackers from accessing your computer
Protect your personal information
Block "pop up" ads and certain cookies
Determine which programs can access the Internet

WHAT A PERSONAL FIREWALL CANNOT DO
Prevent e-mail viruses: only an antivirus product with updated definitions can prevent e-mail viruses
Be set once and forgotten: the firewall will require periodic updates to the rule sets and to the software itself
FIREWALL PROCESSING MODES
Firewalls can be categorized by the processing mode they use; three are covered here:
1. Packet filtering
2. Application gateways
3. Circuit gateways

Packet filtering firewalls examine the header information of data packets, most often based on a combination of:
Internet Protocol (IP) source and destination address
Direction (inbound or outbound)
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port numbers
Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses (address prefixes).
PACKET FILTERING FIREWALLS
Packet filtering firewalls are low cost and have a low impact on network performance.
Three subsets of packet filtering firewalls:
STATIC FILTERING: if a packet matches the packet filter's set of rules, the packet filter will drop or accept it; the rules never change on their own.
DYNAMIC FILTERING: allows the firewall to react to an emergent event and update or create rules to deal with the event, by understanding how the protocol functions, based on information in the packet header.
STATEFUL INSPECTION: firewalls that keep track of each network connection between internal and external systems using a state table.
PACKET FILTERING FIREWALLS
Sample firewall rule and format (table omitted in this extract)
STATIC PACKET FILTERING FIREWALL
A stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.

Example (figure): a client on the trusted internal network opens a TCP connection to a web server outside the firewall.
Client -> Server: SYN, Seq = x, destination port = 80
Server -> Client: SYN-ACK, Seq = y, Ack = x + 1, source port = 80
Client -> Server: ACK, Seq = x + 1, Ack = y + 1
The stateless rules that permit this exchange are:
Allow outbound SYN packets, destination port = 80
Allow inbound SYN-ACK packets, source port = 80
STATIC PACKET FILTERING FIREWALL
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

Example (figure): an external attacker sends a SYN (Seq = y, destination port = 80) toward the trusted internal network. With the rules
Allow outbound SYN packets, destination port = 80
Drop inbound SYN packets
Allow inbound SYN-ACK packets, source port = 80
the attacker's SYN is blocked. Note, however, that the last rule still admits any inbound packet that merely carries the SYN-ACK flags and source port 80, whether or not an internal host ever sent the matching SYN, because the stateless filter has no way to know.
STATIC PACKET FILTERING FIREWALL
This was the earliest firewall filtering mechanism.
Examines packets one at a time, in isolation.
Only looks at some internet and transport headers.
Consequently, it is unable to stop many types of attacks.
It can stop some attacks, e.g. inbound packets with spoofed source IP addresses that claim to come from the internal network.
No longer used as the main filtering mechanism for border firewalls.
May be used as a secondary filtering mechanism on main border firewalls.
SPI FIREWALL
Stateful Packet Inspection (SPI) firewalls review the same packet information as static filters but also record information about TCP connections.
Keep track of each network connection established between internal and external systems using a state table.
Track the state and context of each packet in the conversation by recording which station sent what packet and when.
SPI firewalls can tell when packets are part of legitimate sessions originating within a trusted network.
SPI firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.
Using these tables, SPI can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.
Primary disadvantage: the additional processing of managing and verifying packets against the state table, which can expose the firewall itself to a DoS attack (for example, a flood of connection attempts that fills the state table).
STATES IN CONNECTION
Connections have distinct states or stages: connection opening, ongoing communication, connection closing.
Different states are subject to different attacks.
SPI firewalls use different filtering rules for different states.
SPI RULES WITH TWO STATES (table omitted in this extract)
A packet that attempts to open a connection is checked against the firewall's access control rules; if allowed, the connection is recorded in the state table.
A packet that does not attempt to open a connection is passed if it belongs to a connection already in the state table and dropped otherwise.
SPI for a packet that does not attempt to open a connection, parts 1 and 2 (figures omitted in this extract)
PERSPECTIVE ON SPI FIREWALLS
LOW COST
Most packets are not connection-opening attempts.
These can be handled very simply (a state-table lookup) and therefore inexpensively.
Connection-opening attempt packets are more expensive to process but are rare.
SAFETY
Attacks other than application-level attacks usually fail to get through SPI firewalls.
In addition, SPI firewalls can use other forms of filtering when needed.
DOMINANCE
The combination of high safety and low cost makes SPI firewalls extremely popular.
Nearly all main border firewalls today use stateful packet inspection.
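The following Python program is an added example, not code from the lecture. It implements the first-match rule evaluation described under FIREWALL POLICIES (with default-deny, the whitelist policy, or default-allow, the blacklist policy), and runs the three static rules from the slides both statelessly and behind a state table, as in the SPI discussion above. All addresses, ports, class names and packets are constructed for illustration.

```python
"""Added example (not the lecture's code): a toy packet filter that can be run
stateless (static filtering) or stateful (SPI) over the same rule set, using the
same three rules as the slides. Addresses, ports and packets are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (ingress) or "out" (egress)
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset      # set of TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "drop"
    direction: str
    flags: frozenset
    sport: Optional[int] = None   # None means "any port"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.flags == p.flags
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def evaluate(rules, p: Packet, default: str = "drop") -> str:
    """Stateless, first-match evaluation of one packet in isolation.
    default="drop" is the whitelist (default-deny) policy;
    default="allow" is the blacklist (default-allow) policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

# The three rules from the slides.
RULES = [
    Rule("allow", "out", SYN, dport=80),
    Rule("drop", "in", SYN),
    Rule("allow", "in", SYNACK, sport=80),
]


class StatefulFilter:
    """SPI: only connection-opening packets (SYN) consult the rules, and an
    allowed outbound SYN records the connection. Every other packet passes only
    if it belongs to a connection already in the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (internal ip, internal port, external ip, external port)

    def decide(self, p: Packet) -> str:
        if p.flags == SYN:
            action = evaluate(self.rules, p)
            if action == "allow" and p.direction == "out":
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return action
        key = ((p.dst, p.dport, p.src, p.sport) if p.direction == "in"
               else (p.src, p.sport, p.dst, p.dport))
        return "allow" if key in self.table else "drop"


# Constructed traffic: a legitimate handshake plus two attacker packets.
TRAFFIC = [
    ("client_syn",    Packet("out", "10.0.0.5", "203.0.113.10", 40000, 80, SYN)),
    ("server_synack", Packet("in", "203.0.113.10", "10.0.0.5", 80, 40000, SYNACK)),
    ("attacker_syn",  Packet("in", "198.51.100.7", "10.0.0.9", 51000, 80, SYN)),
    ("forged_synack", Packet("in", "198.51.100.7", "10.0.0.9", 80, 22, SYNACK)),
]


def compare() -> dict:
    """(stateless decision, stateful decision) for each packet, in order."""
    spi = StatefulFilter(RULES)
    return {name: (evaluate(RULES, p), spi.decide(p)) for name, p in TRAFFIC}


def policy_default(p: Packet) -> tuple:
    """The same unmatched packet under default-deny and default-allow."""
    return evaluate(RULES, p, "drop"), evaluate(RULES, p, "allow")


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
    unmatched = Packet("in", "198.51.100.7", "10.0.0.9", 80, 22, ACK)
    print("unmatched inbound ACK (whitelist, blacklist):", policy_default(unmatched))
```

Run stand-alone, the program prints one line per packet. The forged SYN-ACK from source port 80 is the case the static filter cannot handle: it matches "allow inbound SYN-ACK, source port 80" and passes, while the SPI filter drops it because no internal host ever opened a connection to 198.51.100.7:80. The unmatched inbound ACK shows why the whitelist policy is the safer default.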
APPLICATION GATEWAYS
Frequently installed on a dedicated computer; also known as a proxy server.
Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks.
With this configuration the proxy server, rather than the Web server, is exposed to the outside world.
Additional filtering routers can be implemented behind the proxy server.
A gateway that is configured to be a web proxy will not allow any FTP, Gopher, Telnet or other traffic through.
Has full access to the application protocol:
The user requests a service from the proxy.
The proxy validates the request as legal.
It then carries out the request and returns the result to the user.
Tends to be more secure than packet filters:
Need only scrutinize a few allowable applications.
Easy to log and audit all incoming traffic.
PROXY FIREWALL / APPLICATION GATEWAYS (figure)
APPLICATION PROXY FIREWALL OPERATION (figure)
ROLES FOR APPLICATION PROXY FIREWALLS TODAY (figure)
APPLICATION PROXY FIREWALL PROTECTION
Protections for internal clients against malicious web servers:
URL blacklists for known attack sites
Protection against some or all scripts in webpages
Protections against misbehaving internal clients:
Disallowing the HTTP POST method, which can be used to send out sensitive files
Protections for internal web servers against malicious clients:
Disallowing the HTTP POST method, which could allow malware files to be placed on the server
Detecting indications of SQL injection attacks
Automatic protections:
The hiding of internal host IP addresses from sniffers
The data link, internet, and transport headers are discarded, along with any attacks they may have contained
If the client or server does not follow the protocol of the indicated port number, communication with the firewall automatically breaks down
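An added example (not the lecture's code) of the request-level checks listed above, which an application proxy can make only because it reassembles and parses the whole HTTP request: protocol conformance, a site blacklist for outbound requests, the inbound method restriction, and a crude indication of SQL injection in the query string. The blacklist entry, the patterns, the hostnames and the sample requests are all constructed; a real proxy uses far richer signature sets.

```python
"""Added example (not the lecture's code): request-level checks an application
proxy firewall can apply to HTTP because it parses the whole request.
Blacklist, patterns, hosts and sample requests are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

URL_BLACKLIST = {"evil.example"}           # constructed "known attack site"
INBOUND_METHODS = {"GET", "HEAD"}          # no POST to internal web servers
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'\s*or\s+'?\w*'?\s*=\s*'?\w*",       # ' OR '1'='1
    r"\bunion\s+(all\s+)?select\b",
    r";\s*(drop|delete|insert)\b",
)]


def parse_request(raw: bytes):
    """Return (method, target, version, headers). Raise ValueError when the
    bytes are not an HTTP request, e.g. an SSH or TLS client talking on port 80."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII request") from exc
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def inspect(raw: bytes, direction: str):
    """direction: 'in' = Internet client -> internal web server,
    'out' = internal client -> Internet. Returns (decision, reason)."""
    try:
        method, target, _, headers = parse_request(raw)
    except ValueError as exc:
        # Non-HTTP talker on an HTTP port: the conversation ends here.
        return "drop", f"protocol violation: {exc}"
    host = headers.get("host", "").split(":")[0].lower()
    if direction == "out" and host in URL_BLACKLIST:
        return "drop", f"blacklisted site {host}"
    if direction == "in" and method not in INBOUND_METHODS:
        return "drop", f"method {method} not allowed inbound"
    query = unquote_plus(urlsplit(target).query)   # decode before matching
    for pat in SQLI_PATTERNS:
        if pat.search(query):
            return "drop", "SQL injection indication in query"
    return "allow", "ok"


# Constructed sample requests: (raw bytes, direction).
SAMPLES = {
    "plain_get":   (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "in"),
    "post_upload": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n", "in"),
    "sqli_query":  (b"GET /search?q=x%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "in"),
    "bad_site":    (b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n", "out"),
    "ssh_banner":  (b"SSH-2.0-OpenSSH_9.0\r\n", "in"),
}


def run_samples() -> dict:
    """Decision for each sample request."""
    return {name: inspect(raw, d)[0] for name, (raw, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, d) in SAMPLES.items():
        print(f"{name:12s} {inspect(raw, d)}")
```

The SSH banner case is the "communication automatically breaks down" behaviour from the slide: a client that does not speak HTTP on the HTTP port never gets past the proxy, so whatever its packets carried is discarded with the headers. Decoding the query string before matching matters; the injection in the third sample is invisible to the patterns while still percent-encoded.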
CIRCUIT GATEWAYS
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
They monitor the TCP handshake between the two endpoints to determine whether a requested session is legitimate.
Like filtering firewalls, they do not usually look at the data traffic flowing between two networks, but they prevent direct connections between one network and another.
This is accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels.
Circuit level gateways are:
Inexpensive
Able to hide information about the private network they protect
CIRCUIT LEVEL FIREWALLS (figure)
GENERAL PERFORMANCE
TECHNOLOGY            SPEED    FLEXIBILITY   INTELLIGENCE
Packet Filtering      V Good   V Good        Low
Application Proxy     Low      Low           V Good
Stateful Inspection   Good     Good          Good
Circuit Level Proxy   Low      Low           Low

SECURITY AND PERFORMANCE RANKING (1 = best; lower is better for both)
TECHNOLOGY      SECURITY   PERFORMANCE
Packet Filter   3          1
SPI             2          2
Circuit GW      2          3
App. GW         1          4
FIREWALLS CATEGORIZED BY GENERATION
FIRST GENERATION: static packet filtering firewalls
SECOND GENERATION: application-level firewalls or proxy servers
THIRD GENERATION: stateful inspection firewalls
FOURTH GENERATION: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter
FIFTH GENERATION: kernel proxies; a specialized form working under the kernel of Windows NT
FIREWALL ARCHITECTURES
Firewall devices can be configured in a number of network connection architectures.
The best configuration depends on three factors:
Objectives of the network
The organization's ability to develop and implement architectures
The budget available for the function
Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls.

PACKET FILTERING ROUTERS
Most organizations with an Internet connection have a router serving as the interface to the Internet.
Many of these routers can be configured to reject packets that the organization does not allow into the network.
Drawbacks include a lack of auditing and strong authentication.
PACKET FILTERING ROUTER
(Figure: a packet filtering router used as a first-generation firewall between the untrusted network and the trusted network; unrestricted data packets pass, filtered data packets are inspected, blocked data packets are dropped.)
SCREENED HOST FIREWALLS
Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server.
Allows the router to prescreen packets to minimize the traffic/load on the internal proxy.
The separate host (referred to as a bastion host or sacrificial host) can be a rich target for external attacks and should be very thoroughly secured.

BASTION HOST
The bastion host is the system that any outsiders, friends or possible foes, must ordinarily connect with to access a system or a service that is inside your firewall.
Only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication).
The system could have single, dual or multiple bastion hosts.
SCREENED-HOST FIREWALL
(Figure: the untrusted network connects through a packet filtering router to a bastion host running an application-level firewall, which gives proxy access to the trusted network; unrestricted, filtered and blocked data packets are shown.)
BASTION HOST
There are single-homed bastion and dual-homed bastion based firewalls.

SINGLE-HOMED BASTION: ADVANTAGES
Has greater security than simply a packet filtering router or an application-level gateway alone.
Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy.
An intruder must generally penetrate two separate systems before the security of the internal network is compromised.
Affords flexibility in providing direct Internet access.

DUAL-HOMED BASTION
The bastion host contains two NICs (network interface cards): one connected to the external network, and one connected to the internal network.
With two NICs, all traffic must physically go through the firewall to move between the internal and external networks.
A technology known as network address translation (NAT) is implemented with this architecture, creating another barrier to intrusion from external attackers.
SINGLE-HOMED BASTION (figure)
DUAL-HOMED BASTION (figure)
DUAL-HOMED HOST FIREWALL
(Figure: a dual-homed host used as a firewall providing network address translation (NAT), between an external filtering router on the untrusted network and an internal filtering router on the trusted network; public IP addresses outside, NAT-assigned local addresses inside; proxy access; unrestricted, blocked external and blocked internal data packets are shown.)
SCREENED-SUBNET FIREWALLS
Consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network.
The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them.
The second general model involves the connection from the outside or untrusted network going through this path:
Through an external filtering router
Into and then out of a routing firewall to the separate network segment known as the DMZ
Connections into the trusted internal network are allowed only from the DMZ bastion-host servers.

ADVANTAGES
There are now three levels of defense to thwart intruders.
The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.
SCREENED-SUBNET FIREWALLS
(Figure: the untrusted network connects through an external filtering router to the demilitarized zone (DMZ) holding the servers, and through an internal filtering router to the trusted network; proxy access and controlled access are shown, blocked data packets are dropped.)
THE DEATH OF THE PERIMETER
PROTECTING THE PERIMETER IS NO LONGER POSSIBLE
There are too many ways to get through the perimeter.
AVOIDING THE BORDER FIREWALL
Internal attackers are inside the firewall already.
Compromised internal hosts are inside the firewall.
Wireless LAN drive-by hackers enter through access points that are inside the site.
Home notebooks, mobile phones, and media brought into the site.
Internal firewalls can address some of these threats.
EXTENDING THE PERIMETER
Remote employees must be given access.
Consultants, outsourcers, customers, suppliers, and other subsidiaries must be given access.
Essentially, all of these tend to use VPNs to make external parties "internal" to your site.
SELECTING THE RIGHT FIREWALL
What type of firewall technology offers the right balance of protection features and cost for the needs of the organization?
What features are included in the base price? What features are available at extra cost? Are all cost factors known?
How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?
Can the candidate firewall adapt to the growing network in the target organization?

CONFIGURING AND MANAGING FIREWALLS
Each firewall device will have its own set of configuration rules that regulate its actions.
Simple mistakes can turn the device into a choke point.
When security rules conflict with the performance of business, security loses, since organizations are much more willing to live with a potential risk than with a certain failure.
RECOMMENDED PRACTICES
All traffic from the trusted network is allowed out.
The firewall device is always inaccessible directly from the public network.
Allow Simple Mail Transfer Protocol (SMTP) data to pass through your firewall, but ensure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
All Internet Control Message Protocol (ICMP) data should be denied (in practice, the ICMP types needed for error reporting and path MTU discovery, such as "destination unreachable, fragmentation needed", are usually still permitted).
Block Telnet (terminal emulation) access to all internal servers from the public networks.
When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture.

TRADEOFF
The degree of communication with the outside world versus the level of security.
Remember that many highly protected sites still suffer from attacks.