1 / 42

FireWalls

FireWalls. David Palmi and Scott Bauer. What is a Firewall?. “Firewall” means a fireproof wall. Narrow point of access for traffic entering or leaving a network. Positioned at the entry point to control access. First to see incoming, and last to see outgoing traffic.

jana
Télécharger la présentation

FireWalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FireWalls David Palmi and Scott Bauer

  2. What is a Firewall? • “Firewall” means a fireproof wall. • Narrow point of access for traffic entering or leaving a network. • Positioned at the entry point to control access. • First to see incoming, and last to see outgoing traffic. • First line of defense against attack. • Acts as the gatekeeper between adjoining networks. • Can be a hardware device or a software application .

  3. Firewall can protect against: • Data corruption or theft due to unauthorized access to the network. • Exploitation of software application bugs. • Spoofing (IP or DNS) • Denial-of-Service (disrupting, crashing, jamming, or flooding) • Unwanted access to services not offered (ftp, http, etc) • Network-borne attack s

  4. Firewall can’t protect against: • Attacks that don't go through firewall (laptop, floppy, etc). • Traitors (industrial spy can use telephone, fax, or floppy disk). • Stupidity (Reveal sensitive information, "helpful" employee fooled into giving access). • Tunneling over application protocols to poorly written clients. (Tunneling “bad'‘ things over HTTP, SMTP, and other protocols). • Data-driven attacks (buried in data).

  5. Types of Firewalls: • Hardware: Many home routers have built-in hardware firewalls that are simple packet filters. (Linksys Cable/DSL router with 4-port 10/100 switch, NAT firewall configured through web browser) • Software: Software applications (personal firewalls) exist that monitor incoming and outgoing traffic as well as what services are trying to interact. Many free software firewalls are available on the internet: • http://www.homenethelp.com/web/howto/free-firewall.asp.

  6. Application Gateway (service control) Proxy Server (direction control) Circuit Level Gateway (user control) Packet Filtering (behavior control) Software Firewalls:

  7. Application Gateway (AG): • Control point for applications that access the web. • Provides set of proxy servers to link clients on a secure network with Internet services (ftp, http, etc) • Client connects to AG. If allowed AG connects to destination. • Filters information on layer 7 of the OSI model. • Re-address so outgoing traffic appears to originate from the firewall (Masquerading). • Maintains list of requests so it knows what computer to forward reply. • Considered more advanced and secure. (Deny-all) • Uses more memory and processor power. Requires special purpose code for each service that is relayed. • Typically used by companies offering a wide variety of services (require more security).

  8. Proxy Server: • Application that mediates traffic between protected network and the web. • Contains extra logging or support for client authentication. • Accepts request; if permitted does authentication and makes a connection for client to a remote destination. • Proxy servers are application-specific. Proxy server required for each service (ie FTP,HTTP, TELNET, etc). • Since proxies understand application protocol being used, they can implement protocol specific security (FTP proxy can be configured to permit incoming and block outgoing). • Typical use is to improve performance by filtering unwanted information (can also act as a firewall). • Located between a client (ie browser) and a real server.

  9. Circuit-Level Gateway: • Blocks incoming traffic to any host but itself. • Does not interpret application protocols but authenticates the client before establishing circuits. • Client machines have software allowing them to communicate with the circuit-level gateway. • From outside it appears that communication is originating from the circuit-level gateway. • Provide services for a wide range of protocols. • Require special client software that has system calls replaced with secure equivalents from a library (ie socks) • Application Gateways use modified procedures and Circuit-Level Gateways use modified clients. • Typically used to only allow specific clients.

  10. Packet Filtering: • Evaluates incoming and outgoing packets (at the Bastion host) against rules you define. • Can filter traffic by allowing or disallowing certain IP addresses or certain ports. (Complex filter rules, Accept-all, Deny-all) • Faster and Easier to implement. • Susceptible to attack from users faking their source IP address (IP Spoofing) or faking their source port in an attempt to trick your firewall into thinking that the traffic should be allowed through. • Typically used within routers or personal firewalls, where minimal security is required.

  11. A little packet review: • Network access layer or Data-link layer is considered to be the Ethernet layer. • IP packets are the most likely packets to be contained in an Ethernet frame/packet, but they may also be AppleTalk, Novell, or DECNET packets. We will be focusing on the IP packets and the packets they contain. • IP packets contain packets of the Transport layer: (ie TCP,UDP or ICMP)

  12. An IP packet picture Fields in red are our focus.

  13. What Packets, What Ports? • Packets arrive at port addresses and are accepted, ignored, or an error message is sent. • Stateful firewalls ignore bad packets and conditionally block ports. • Over 60,000 ports means configuration rules for packets or for blocking ports can be a headache. • But there are some specific kinds of packets to reject and some ports that should be blocked. • Access to ports should be restricted to those where services are offered.

  14. Rules for incoming Packets: • Forged source addresses. • IP Options Field. • Sequence Number. • Fragmentation field

  15. Broadcast and Multicast used as source address: • IP Broadcast and Multicast addresses are not meant to be source addresses, but they can be used by an attacker. • They can cause the answering machine to reply with a unicast address and a broadcast destination. • An attacker can use this to get another machine to do the broadcasting. (relaying) • Can also be used to get information about your system.

  16. Your own IP address: • Shouldn’t see your own IP address as the source address for any entering packet. • Packets claiming to be from your machine are forged!

  17. Class A, B, and C private addresses: • Private addresses in these classes are reserved for private LAN addresses and should not be seen in source addresses in any incoming packets. Range for private addresses: Class A: 10.0.0.0 to 10.255.255.255 Class B: 172.16.0.0 to 172.31.255.255 Class C: 192.168.0.0 to 192.168.255.255

  18. Reserved IP addresses: • Class E reserved addresses are reserved for future use and should not be seen in source addresses for incoming packets. • Range: 240.0.0.0 to 247.255.255.255

  19. Loopback interface addresses • Loopback interface is a private network interface used by Unix. • Loopback goes back to system generating it, not the network or internet. • Packets with source addresses numbered 127.0.0.0 to 127.255.255.255 contain forged source addresses (Loopback).

  20. Strategy for incoming Packets: What should your machine do if it receives a packet with a forged address? Deny or Reject? • Rejecting a packet sends an ICMP error message to the sender and gives the attacker knowledge that a machine is there. • Denying a packet is simply throwing it away.

  21. Options Field: • IP Options field can be set to override router tables and set it’s own route. • It can be used by attackers, to circumvent security measures by causing packets to follow unexpected routes. • The options field should be examined to identify unusual attempts to override routing tables

  22. Fragmentation: (a TCP issue) • Fragmentation of packets can occur in any router. Since the destination machine is expecting a packet designated first, it will collect and hold packets following, filling buffers while waiting for the first packet. • Attackers fragment packets and send nothing but non-first packets until the receiving machine has it’s buffers filled • This is a type of “denial of service” attack.

  23. More Fragmentation: • Fragmented packets can confuse the system (attempting to assemble them) and crash it. • Fragmentation can also be used to hide fake headers. • TCP header is only expected in the first packet, a packet filter may not be set to see a TCP header in a following packet. This kind of attack can be used to access other service ports. • Specially fragmented packets can also conceal data, constructing data units whose elements overlap.

  24. Overlapping illustration: normal overlap Overlapping data Overlapping headers

  25. The last Fragment: • When a host gives up trying to reassemble a packet it sends an ICMP message “packet reassembly time expired:” • This tells the attacker the host exists, and why the connection didn’t succeed. This may give the attacker enough information to look for other vulnerabilities in your system.

  26. Rules for Fragments: • Packet filter should reassemble any incoming or outgoing fragments before fragmenting them again and sending them on their way.

  27. What Port in a Storm? • Ports are addresses at the TCP level. • Ports are places where processes can be found and daemons may be running, waiting for some process to contact it from another machine. • 0 – 1024 are considered to be privileged ports. • Above 1024 are considered to be user ports. • The privileged ports are addresses of common processes (including internet and Ethernet processes.) • User ports are “user” defined.

  28. Ports and TCP packets: • Drop your shields and prepare to be probed. • We’ll stop here for a short demonstration showing what ports are open or are active listeners on this system. • The web site is www.grc.com. • It gives a free, graphic review of your system security.

  29. More TCP issues: (Options fields) • TCP connect can be blocked by blocking the first packet. Causes any other data to not be reassembled. • The ACK bit is not set in the first packet and therefore it is recognized as a start of connection packet. • A firewall can prevent these packets from entering the network and only allows these packets outbound.

  30. Options: • URG (Urgent) and PSH(push) are two other options fields the TCP(Transport) layer needs to be concerned with. • Both fields are rarely used in practice but can be used by an attacker to cause a buffer to be emptied directly to an application.

  31. How TCP security is dealt with: • Packet Filter must be able to recognize the “start of connection” TCP packets. • A rule list should not allow start of connection from outside the system. • Only allow start of connection from the client side.

  32. TCP level attacks only possible under following circumstances: • Attacker able to forge TCP/IP packets • Attacker knows initial sequence no. • Attacker has knowledge of a desirable connection. • Attacker knows when the connection started. • Attacker redirects traffic causing you to get responses.

  33. Programs are available to cause trouble: • TCP attacks are difficult. but programs exist to allow users of minimal ability to launch attacks. (Script Kiddies). • Script Kiddies is the name for kids who search the net for malicious programs to use for mischievous purposes.

  34. What about Outgoing packets? • Rules need to be set to insure that the source address is your machine’s address for packets leaving your machine. • This protects against an attacker or malicious insider using your machine to send out spoofed packets – until the attacker gains administrative privileges and shuts down the firewall • Shut down unused ports to narrow the flow of traffic and allow easy monitoring of the same. • Demo?

  35. Daemons: • In Greek mythology, a daemon was between the gods and men; a guardian spirit; a helping/inspiring angel. Hence background processes on Unix computers came to be known as Daemons. • Daemons are "always on" maintenance processes that run in the background (or are spawned on demand) attending to various tasks without human intervention. ("mailer-daemons“) • Processes like httpd (80), ftpd (21), mysqld are server processes that monitor ports for incoming requests. • If each port is a different door into a building, imagine a daemon as the receptionist that writes down required information and processes your request to the appropriate people.

  36. The Linux example: • Linux is a variety of Unix that can be run on a personal computer. • It offers detailed configuration of packet filtering rules – both incoming and outgoing. • Essentially Iptables allows us to selectively block source addresses.

  37. Iptables • Iptables is a Linux program that allows a list of rules to be set for filtering packets. • Running iptables results in a file in scripting language that sets up a list of rules for filtering incoming and outgoing packets.

  38. Some Constants in Iptables

  39. A portion of the Linux rules table.

  40. Conclusion: • Firewall helps prevent intruders from accessing your system, but may block legitimate traffic as well. • Decision to install a firewall represents a compromise between security and productivity. • Many firewalls are a combination of the various schemes discussed. • No firewall is a substitute for proper system management and monitoring. • New vulnerabilities and defects are found daily, which could allow a hacker to take control of your computer to; steal private information, destroy your data, or use in a denial-of-service attack. Keeping software updated and running a current antivirus is important, but having a firewall control traffic is also wise. No security solution solves everything. The more lines of defense you have, the safer your system will be. • No way to provide all information pertaining to firewalls (intro only)

  41. Sources • Building Internet Firewalls: Zwicky, Cooper, and Chapman (An O’Reilly book) • Linux Firewalls: Robert L. Ziegler • Securing Optimizing Linux; the Ultimate Solution: Gerhard Mourani • www.grc.com • http://www.hu-berlin.de/bsi/gshb97/english/s/s273.htm • http://freebooks.by.ru/view/LinuxNetworkSolution/31620071.htm • http://www.cert.org • http://www.peacefulpackers.com/it_solutions/fw_isa03.htm • http://www.peacefulpackers.com/it_solutions/fw_isa01.htm • http://www.devcentre.org/ossbook/node83.html • http://supportnet.merit.edu/m-intsec/t-firewa/index.html • http://supportnet.merit.edu/m-intsec/t-firewa/text/3kinds.html • http://www.wynsoft.co.uk/Hardware-shop/firewalls-direct.htm • http://www.linuxquestions.org/questions/history/76168 • http://www.tampa-bay.net/BitsAndBytes/BnBOnline/0501/FirewallBasics.htm

  42. T. Q’s. • You are a system administrator, your firewall is receiving packets from a machine with source address 255.255.255.255. What should your machine do with them? Deny Them. • What can you do to prevent attacks at the TCP level (hint: 3 things). Packet Filter must be able to recognize the “start of connection” TCP packets. A rule list should not allow start of connection from outside the system. Only allow start of connection from the client side.

More Related