1 / 25

Security and Firewalls

Security and Firewalls. Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication 800-10. What. A firewall is a barrier that prevents something bad from passing and doing harm

hasad-zimmerman
Télécharger la présentation

Security and Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication 800-10

  2. What • A firewall is a barrier that prevents something bad from passing and doing harm • Network Firewalls are systems through which must pass all traffic going into or out of a protected network environment • The gateway becomes the guardian, protecting the network by selectively forbidding access

  3. Why • TCP/IP services were not all designed with security in mind • a determined attacker takes advantage of security risks inherent in some service implementations • Networks and computing resources, including the data stored, are increasingly critical to an organization’s survival

  4. What, more • Firewall • systems • routers • policy • central connection • Restrict • access to or from selected systems • block certain TCP/IP services

  5. Authentication • Weak authentication • password files are accessible • password attacks are sophisticated • finding one vulnerable password gives access to the system • Granularity of authentication • user level or host level • trusted user may come from a host accessible to many untrusted users.

  6. Monitoring • Unencrypted passwords cross networks when using telnet or ftp • Monitoring traffic on a LAN is easy • Information displayed may be critical

  7. Spoofing • Source routing of IP packets allows an intruder to masquerade as a trusted site • Many services determine access rights based on the IP address, assuming that traffic from a trusted domain is safe • Mail is easily spoofed and allows an intruder to gain access to the mail privileges of a legitimate user. • More can be said, but we probably all know that the networks are vulnerable to attack.

  8. Structure Our network to be protected The Internet A barrier

  9. Firewall Services • Protection from vulnerable services • Controlled access to specific systems • Concentrated security • Enhanced privacy • Logging and statistics on network use, misuse • Policy enforcement

  10. Service restriction • Refuse to respond to source-routed packets • Restrict NFS and NIS service access • Constrain them to a local network where the services are needed • Disallow remote access

  11. Site access restriction • A Policy matter • What internal sites should be accessible from outside? • Base: no access unless there is a reason for it

  12. Concentrated security • Only one place needs to be configured and maintained for control of access to the systems. • Reduces the burden of configuring many systems • Increases the likelihood of well maintained access control

  13. Privacy • Blocking some service access • finger on unix systems • in addition to information about the user that might be better restricted to internal use, it gives information on when the user last logged in. • usage patterns can be useful to intruders • DNS • knowledge about the configuration of network internals can be useful in attacks.

  14. Logging • If all access to network resources goes through one site, comprehensive logging of activity becomes feasible. • What might look unimportant when logs of one host are examined, may be serious when aggregated with information about access to other hosts on the same network.

  15. Policy • A reasonable policy • allows access that is needed and useful • denies access that serves no good use and might be dangerous • A firewall is a way to enforce a good policy

  16. Issues, problems with Firewalls • Restricted access adds a burden to legitimate users • Firewall provides no protection from attacks that originate behind the firewall • A false sense of security may lead to carelessness

  17. Firewall components • network policy • what restrictions • how enforced • advanced authentication mechanisms • one-time passwords, biometrics, smartcards, etc. • packet filtering • source, destination IP address or port • application gateways • proxy service

  18. Packet filtering • Flexibility in what you allow • Perhaps allow http or smtp access to specific internal hosts, but no access to others • Example: (port 23= telnet; 25 = smtp; 119 = nntp; 123 = NTP )

  19. What to restrict • tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and routers, can also be used to read any file on the system if set up incorrectly • X Windows, OpenWindows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes • RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and read and write to files • rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured can permit unauthorized access to accounts and commands. Quoted from the reference source

  20. More restrictions • TELNET, port 23, often restricted to only certain systems, • FTP, ports 20 and 21, like TELNET, often restricted to only certain systems, • SMTP, port 25, often restricted to a central e-mail server, • RIP, port 520, routing information protocol, can be spoofed to redirect packet routing, • DNS, port 53, domain names service zone transfers, contains names of hosts and information about hosts that could be helpful to attackers, could be spoofed, • UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can be used for unauthorized access, • NNTP, port 119, Network News Transfer Protocol, for accessing and reading network news, and • gopher, http ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.

  21. Examples • Firewalls come in several types • Packet filtering • simplest, common, block addresses and/or protocols • Dual homed • proxy for all services that are needed • Screened host • more flexible, less secure • Screened subnet • no need for dual homed host

  22. Dual homed host Internet Application Gateway IP filtering Mail, telnet, ftp, http, etc. Info server Complete block to IP traffic between the protected network and the Internet Service only available by proxy servers on the Application Gateway Host based application must accept all requests for specific services and pass on or not.

  23. Screened host Internet IP filtering Application Gateway Info server Application traffic from Internet to App Gateway ok; all other incoming traffic rejected; application from App Gateway to Internet ok; all other traffic from the network to the Internet rejected

  24. Screened subnet Internet 2 1 Info server Application Gateway E-mail server Similar in function to a dual homed host

  25. Firewall summary • The goal: impose a barrier between the protected network and the potential intruder • The problem: provide protection without undo restriction on services to legitimate users. • Most important: have a policy • Options available for how to implement the policy

More Related