Transcript
Page 1: CSCE 201 Network Security Firewalls Fall 2015. CSCE 201 - Farkas2 Traffic Control – Firewall Brick wall placed between apartments to prevent the spread

CSCE 201 Network Security
Firewalls, Fall 2015

Page 2
CSCE 201 - Farkas 2
Traffic Control – Firewall
A brick wall placed between apartments to prevent the spread of fire from one apartment to the next
A single, narrow checkpoint placed between two or more networks where security and audit can be imposed on the traffic that passes through it

Page 3
Firewall
Security wall between the private (protected) network and the outside world
[Diagram: Private Network – Firewall – External Network]

Page 4
Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out
Keep proprietary and sensitive information in
[Diagram: Private Network (proprietary data) – Firewall – External Network (external attacks)]

Page 5
Without firewalls, nodes:
– Are exposed to insecure services
– Are exposed to probes and attacks from outside
– Can be defenseless against new attacks
– Network security relies totally on host security, and all hosts must communicate to achieve a high level of security – almost impossible

Page 6
Network Address Translation (NAT)
An organization uses private IP addresses on its network to increase its address space
Send packet to the Internet: convert the private IP address to a globally assigned IP address
Receive packet from the Internet: globally assigned IP addresses are converted back to private IP addresses
Firewalls may:
– Establish connections on behalf of the client
– Support NAT
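The translation the slide describes, as an added example that is not part of the lecture material: a minimal port-address translation table that rewrites private source addresses on the way out, maps replies back on the way in, and has nowhere to deliver an unsolicited inbound packet. The addresses (10.0.0.5, 198.51.100.1, 203.0.113.x) and the class names are constructed for the example.

```python
# Added example, not from the lecture slides: a minimal port-address translation
# (NAPT) table, the mechanism slide 6 describes. All addresses are constructed
# documentation values (RFC 5737 ranges); nothing here is a real host.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Rewrite private source addresses to one public address on the way out,
    and map replies back to the private host on the way in."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port) -> public port
        self.in_map = {}    # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:         # one public port per private socket
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address, or return None when
        no mapping exists: an unsolicited packet has no private host to go to,
        which is why NAT incidentally behaves like a firewall feature."""
        priv = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or priv is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv[0], priv[1])

def demo():
    nat = Nat("198.51.100.1")               # constructed public address
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.7", 443))
    reply = nat.inbound(Packet("203.0.113.7", 443, "198.51.100.1", out.src_port))
    stray = nat.inbound(Packet("203.0.113.9", 443, "198.51.100.1", 40555))
    return out, reply, stray
```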

Page 7
Common firewall features
Routing information about the private network can't be observed from outside
traceroute and ping -o can't 'see' internal hosts
Users wishing to log on to an internal host must first log onto a firewall machine (or else start 'behind' the firewall)

Page 8
Trade-Off between Accessibility and Security
[Diagram: Accessibility <-> Security, balanced by the Service Access Policy]

Page 9
Firewall Advantages
Protection for vulnerable services
Controlled access to site systems
Concentrated security
Enhanced privacy
Logging and statistics on network use and misuse
Policy enforcement

Page 10
Controlled Access
A site could prevent outside access to its hosts except for special cases (e.g., mail server)
Do not give access to a host that does not require access
Some hosts can be reached from outside, some cannot
Some hosts can reach outside, some cannot

Page 11
Concentrated Security
Firewall is less expensive than securing all hosts
– All or most modified software and additional security software is on the firewall only (no need to distribute it to many hosts)
Other network security (e.g., Kerberos) involves modification at each host system

Page 12
Enhanced Privacy
Even innocuous information may contain clues that can be used by attackers
– E.g., finger: information about the last login time, when e-mail was read, etc.
– Infer: how often the system is used, active users, whether the system can be attacked without drawing attention

Page 13
Logging and Statistics on Network Use, Misuse
If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
Alarms can be added to indicate suspicious activity, probes and attacks – double duty as an IDS on smaller networks

Page 14
Policy enforcement
Means for implementing and enforcing a network access policy
Access control for users and services
Can't replace a good education/awareness program, however:
– Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall

Page 15
Firewall Disadvantages
Restricted access to desirable services
Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered attacks – policy/situation dependent
Large learning curve

Page 16
Firewall Components
Firewall administrator
Firewall policy
Packet filters
– Transparent
– Does not change traffic, only passes it
Proxies
– Active
– Intercept traffic and act as an intermediary

Page 17
Firewall Administrator
Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
Knowledge of the workings of applications that run over the lower-level protocols
Knowledge of the interaction between the firewall implementation and traffic
Vendor-specific knowledge

Page 18
Firewall Policy
High-level policy: service access policy
Low-level policy: firewall design policy
Firewall policy should be flexible!

Page 19
Service Access Policy
Part of the Network Security Policy
Defines:
– TCP/IP protocols
– Services that are allowed or denied
– Service usage
– Exception handling

Page 20
Service Access Policy
Goal: keep outsiders out
Must be realistic and reflect the required security level
Full security vs. full accessibility

Page 21
Firewall Design Policy
Refinement of the service access policy for a specific firewall configuration
Defines:
– How the firewall achieves the service access policy
– Unique to a firewall configuration
– Difficult!

Page 22
Firewall Design Policy
Approaches:
– Open system: permit any service unless explicitly denied (maximal accessibility)
– Closed system: deny any service unless explicitly permitted (maximal security)

Page 23
Simple Packet Filters
Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded
Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
Stateless: each IP packet is examined in isolation from what has happened in the past
Often implemented by a router (screening router)
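The header-based, rule-by-rule decision described here, together with the open and closed design policies of the previous slide, as an added example that is not part of the lecture material: an ordered rule list is matched against the packet header alone, and a packet that matches no rule falls through to whichever default policy the site chose. The 192.0.2.0/24 site, its mail and web servers, and the blocked 203.0.113.0/24 range are constructed for the example.

```python
# Added example, not from the lecture slides: a stateless packet filter applying
# an ordered rule list to header fields, with both default policies of slide 22
# (open: permit unless denied; closed: deny unless permitted). Addresses are
# constructed documentation values.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Header:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0      # 0 matches any destination port

    def matches(self, h: Header) -> bool:
        return (self.proto in ("any", h.proto)
                and ipaddress.ip_address(h.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(h.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, h.dport))

def filter_packet(rules, h: Header, default: str) -> str:
    """First matching rule wins; no match falls through to the default policy.
    Each packet is judged on its own header: nothing from earlier packets is kept."""
    for r in rules:
        if r.matches(h):
            return r.action
    return default

# Screening-router rules for the constructed 192.0.2.0/24 site: one block is refused, only mail and web are reachable.
RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("permit", proto="tcp", dst="192.0.2.25/32", dport=25),
    Rule("permit", proto="tcp", dst="192.0.2.80/32", dport=80),
]

def demo():
    smtp = Header("tcp", "198.51.100.9", "192.0.2.25", 25)   # wanted service
    ssh = Header("tcp", "198.51.100.9", "192.0.2.25", 22)    # not in the rules
    bad = Header("tcp", "203.0.113.4", "192.0.2.80", 80)     # blocked source
    pkts = (smtp, ssh, bad)
    return {"closed": [filter_packet(RULES, h, "deny") for h in pkts],
            "open": [filter_packet(RULES, h, "permit") for h in pkts]}
```

The same SSH packet is dropped under the closed policy and passed under the open one, which is exactly the accessibility/security trade-off the slides describe.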

Page 24
Simple Packet Filter
Placing a simple router (or similar hardware) between the internal network and the "outside"
Allow/prohibit packets from certain services
[Diagram: Private Network – Packet Filter (packet-level rules) – Outside]

Page 25
Simple Packet Filters
Advantages:
– Does not change the traffic flow or characteristics – passes it through or doesn't
– Simple
– Cheap
– Flexible: filtering is based on the current rules

Page 26
Simple Packet Filters
Disadvantages:
– Direct communication between multiple hosts and the internal network
– Unsophisticated (protects against simple attacks)
– Calibrating the rule set may be tricky
– Limited auditing
– Single point of failure

Page 27
Stateful Packet Filters
Called Stateful Inspection or Dynamic Packet Filtering
Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to make better decisions about current and future packets
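The history-based decision described here, as an added example that is not part of the lecture material: the filter records each outbound TCP connection it sees opened and admits an inbound packet only when it is the reverse direction of a recorded connection, something a stateless filter cannot express without permitting inbound traffic from the server port to every inside host. The 10.0.0.0 inside prefix and all addresses are constructed for the example.

```python
# Added example, not from the lecture slides: a stateful filter that remembers
# outbound TCP connections and admits inbound packets only as replies to one.
# A stateless filter could only achieve this by permitting inbound traffic from
# port 80 to everyone. Addresses are constructed documentation values.
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

class StatefulFilter:
    def __init__(self, inside_prefix: str):
        self.inside = inside_prefix     # e.g. "10.0.0."
        self.conns = set()              # (in_ip, in_port, out_ip, out_port)

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside)

    def decide(self, p: TcpPacket) -> str:
        if self.is_inside(p.src) and not self.is_inside(p.dst):
            # Outbound: a bare SYN opens a tracked connection; later packets
            # pass only when their connection is already known.
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.conns.add(key)
                return "permit"
            return "permit" if key in self.conns else "deny"
        if not self.is_inside(p.src) and self.is_inside(p.dst):
            # Inbound: allowed only as the reverse direction of a tracked
            # connection, and never as a new SYN.
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.conns and not (p.syn and not p.ack):
                return "permit"
            return "deny"
        return "deny"

def demo():
    fw = StatefulFilter("10.0.0.")
    return [
        fw.decide(TcpPacket("10.0.0.5", 51000, "203.0.113.7", 80, syn=True)),            # new outbound
        fw.decide(TcpPacket("203.0.113.7", 80, "10.0.0.5", 51000, syn=True, ack=True)),  # its reply
        fw.decide(TcpPacket("203.0.113.7", 80, "10.0.0.5", 51001)),                      # wrong port
        fw.decide(TcpPacket("198.51.100.2", 4444, "10.0.0.5", 22, syn=True)),           # unsolicited
    ]
```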

Page 28
Proxy Firewalls
[Diagram, view: Private Network – Bastion Host – Outside]
[Diagram, reality: Private Network – Proxy Server – Outside]

Page 29
Proxy Firewalls
Application Gateways
– Work at the application layer; must understand and implement the application protocol
– Called application-level gateway or proxy server
Circuit-Level Gateway
– Works at the transport layer
– E.g., SOCKS

Page 30
Application Gateways
Interconnects one network to another for a specific application
Understands and implements the application protocol
Good for higher-level restrictions
[Diagram: Client – Application Gateway – Server]

Page 31
Application Gateways
Advantages (compared with permitting application traffic directly to internal hosts):
– Information hiding: names of internal systems are not known to outside systems
– Can limit capabilities within an application
– Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
– Cost effective: third-party software and hardware for authentication and logging only on the gateway
– Less complex filtering rules for packet-filtering routers: need to check only the destination
– Most secure
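The gateway behaviour listed above (protocol understanding, limiting capabilities, information hiding, pre-authentication and logging), as an added example that is not part of the lecture material: a decision function for an HTTP application gateway that parses the request line, refuses unauthenticated clients and non-permitted methods, and rewrites permitted requests toward an internal host whose name the client never sees. The published name www.example.test, the internal host 10.0.0.80, and the client address are constructed for the example.

```python
# Added example, not from the lecture slides: an application-level gateway
# decision for HTTP showing the points above: it parses the application
# protocol, limits what a client may do inside it, hides the internal server
# name, and logs every request. Host names and addresses are constructed.
import re

ALLOWED_METHODS = {"GET", "HEAD"}
PUBLISHED = {"www.example.test": "10.0.0.80"}   # public name -> internal host
LOG = []
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def _log(client: str, request_line: str, verdict: str) -> str:
    LOG.append(f"{client} {request_line!r} {verdict}")
    return verdict

def proxy_request(raw: str, client: str, authenticated: bool):
    """Return (verdict, rewritten request or None). The gateway terminates the
    client's connection and opens its own to the internal host, so the client
    never learns or reaches 10.0.0.80 directly."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return _log(client, lines[0], "deny: malformed request line"), None
    method, path = m.group(1), m.group(2)
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    host = headers.get("Host", "")
    if not authenticated:                 # pre-authentication at the gateway
        return _log(client, lines[0], "deny: client not authenticated"), None
    if method not in ALLOWED_METHODS:     # limit capabilities within the application
        return _log(client, lines[0], f"deny: method {method} not allowed"), None
    if host not in PUBLISHED:             # information hiding: only published names resolve
        return _log(client, lines[0], f"deny: host {host} not published"), None
    internal = PUBLISHED[host]
    rewritten = f"{method} {path} HTTP/1.1\r\nHost: {internal}\r\n\r\n"
    return _log(client, lines[0], f"permit -> {internal}"), rewritten

def demo():
    req = "{} {} HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    ok = proxy_request(req.format("GET", "/index.html"), "198.51.100.9", True)
    put = proxy_request(req.format("PUT", "/upload"), "198.51.100.9", True)
    anon = proxy_request(req.format("GET", "/"), "198.51.100.9", False)
    return ok, put, anon
```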

Page 32
Application Gateways
Disadvantages:
– Keeping up with new applications
– Need to know all aspects of the protocols
– May need to modify application clients/protocols

Page 33
Firewall Evaluation
Level of protection on the private network?
– Prevented attacks
– Missed attacks
– Amount of damage to the network
How well is the firewall protected?
– Possibility of compromise
– Detection of the compromise
– Effect of compromise on the protected network
Ease of use
Efficiency, scalability, redundancy
Expense

