CMPT 471 Networking II

  1. CMPT 471 Networking II: Firewalls

  2. Security • When is a computer secure? • When the data and software on the computer are available on demand only to those people who should have access • One component of keeping a computer secure can be a firewall • This is not an all encompassing solution • Not all problems come from outside, you must keep in mind that a comprehensive internal security policy is also part of the solution

  3. Firewalls: why • Provide a single protected access from your machine or network to the internet • Create a single “choke” point • Concentrate attention on protecting that “choke” point • A network behind a firewall can spend less (not none) effort on host based security • not all attacks or security problems come from outside • Still need a second line of defense in many cases

  4. Firewalls: why not • Firewalls don’t protect against malicious insiders: • May prevent sending data out through the internet but cannot protect against removing the data on physical media • Firewalls don’t protect you from connections that bypass them: • dial in or network access to internal machines cannot be monitored unless they pass through the firewall

  5. Firewalls: why not • Protect against known threats • new threats occur regularly and counters to them must be added just as regularly • Viruses and malware can penetrate firewalls under some circumstances • Firewalls often interfere with expected behaviors of internet applications, or slow down interaction with the internet

  6. Firewalls • Different firewall architectures are appropriate for different types of applications • A firewall is a combination of hardware, software and policies • Look at some architectures and examples • Single machine with firewall (filtering) • Screening router • Dual homed host • Screened host • Screened network

  7. GIVEN TODAY’S INTERNET ENVIRONMENT NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL TO • Protect any private data or information • Protect the machine so it is available for your use • To prevent others from ‘hijacking’ your machine for their own purposes

  8. Security strategies • Least privilege: • any object (user, program, system, …) should have the least amount of privilege necessary to accomplish its own purpose • Depth of Defense: • Layer security mechanisms so that if one is compromised another still protects you • This protects against not only attacks but possible failures of any single layer in your defense

  9. Security strategies • Choke point: • Be sure that there is no way to circumvent the choke point • Put protections at the choke point • Weakest link: • Be aware of the weak points of your defense, this is where attacks will most likely occur • Failures • Try to make the system fail in a way that denies the attacker access, rather than one that opens access.

  10. Firewall Default Strategies • Default Deny Policy • No traffic is passed through the firewall unless it is specifically allowed • Any traffic or service not specifically permitted to pass the firewall will not be permitted into the protected machine or network • Default Permit Policy • All traffic will be permitted to pass through the firewall unless it is specifically forbidden

  11. Which Default Strategy? • To maximize security use default deny • OK if you do not need to provide internet services • Limited flexibility • To maximize flexibility use default permit • More difficult to maintain • Must specifically deny sources and protocols

  12. Some types of low level attacks • Half open port scan or SYN scan: send SYN (or packet with other combination of flags) to each port, watch for ACK or RST to determine if port is open. Do not reply and complete connection (send RST). • Denial of service: exploit known weaknesses of stack to cause crashes • IP spoofing: Make the packet look like it comes from somewhere else. • Smurf: use forged source address (A) to make third party attack A • Land: send a packet with source and destination addresses the same. May cause failure of receiving machine.

  13. A single computer • Many computers (probably most) have a continuous internet connection • For a user with a single computer connected to their continuous connection • Simplest approach is a packet filtering firewall • For Windows can use the built in firewall or many other proprietary products that provide more complete protection including virus and spy-ware protection • For Linux can use iptables/netfilter to directly implement or other public domain or proprietary products

  14. A home network • It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the continuous Internet connection/s for the household • This means that out of the box solutions that implement basic network protection are becoming common • For a technically savvy user these solutions may also be easy but other simple options exist • Remember that out of the box solutions need configuration to optimize their effectiveness

  15. Screening Router • This is a common, inexpensive, out of the box solution that can be made more robust • You probably need the router to connect your local machines anyway. • Be sure to configure, don’t just use the defaults • Router usually includes a mechanism for implementing packet filtering (default deny or default permit strategies are usually both supported)

  16. Screening Router • This is a common, inexpensive, out of the box solution that can be made more robust • Can implement the level of security appropriate for the network being protected • you will likely also need host level security • The router will run a proprietary or reduced version of the operating system, providing fewer points of attack

  17. Using a screening router • The network needs an adequate level of host protection • If data on any of the machines is private, need host security to protect that data • Only a limited number of simple protocols and services can be supported efficiently using a screening router • Can permit or deny protocols by port number • Harder to permit or deny parts of a protocol • Difficult to be sure what is arriving on a port is really the expected protocol • Router is a single point of failure

  18. When to use a screening router • When performance is important • minimize added load on hosts by using router to filter • maximize throughput by basing security on simple filtering • When the protected network also has an adequate level of host security • The number of protocols being allowed (default deny) or blocked (default accept) is small and those protocols are simple and amenable to filtering • Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls

  19. Simple Firewall: Dual Homed Host • Use a dual homed host to access the internet. Your network attaches to one or more interfaces, the internet to another • Disable forwarding: create a default deny policy • All access to the Internet from internal hosts is by proxy applications running on the dual homed host • Each application you run/proxy on the dual homed host provides another point of attack and increases load • Avoid user accounts on the dual homed host. This provides extra protection • Monitor activity of each user

  20. Dual Homed Host (figure): the INTERNET connects to a dual-homed host (no forwarding), which in turn connects to the internal hosts.

  21. Dual homed Hosts: user accounts • Users should not be able to log into the dual homed host. • prevents a hacker from breaking in through a user account • Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery …) • Prevents inadvertent damage to the dual homed host’s security by users (poor password … ) • Easier to detect attacks if types of traffic are limited

  22. Dual Homed Host: Limitations (1) • Need an additional machine to use as dual homed host (should not be a machine used directly by users) • For a small network with modest traffic levels can even use an older less powerful machine (bonus is this is the only machine seen from outside, less attractive to hackers) • As the network size, number of services proxied, or traffic load grows more power is needed.

  23. Dual Homed Host: Limitations (2) • Provides services by proxy • Each service supported provides additional points of attack • Not all services can be proxied • Not all services that can be proxied will have appropriate proxies available • Better at supporting outbound services (local users using services on the external network) than inbound services

  24. Dual Homed Host: Limitations (3) • More overhead than an equivalent packet filtering system, proxies are more compute intensive than simple filters • Dual homed host is a single point of failure • A hacker who crashes your dual homed host cuts you off from the internet • A hacker who compromises your dual homed host has access to your local network

  25. When to use a dual homed host • Internet traffic is limited • Remember load is larger than comparable packet filter • Network protected does not contain critical data • Can be mitigated by host level protections, but there are better solutions

  26. When to use a dual homed host • No (very limited) services being provided to the internet • Each service provided adds points of attack for those trying to break in • Continuous connection to the internet is not essential, traffic to the internet is not critical to your business • Attacks may cause single “choke” point to fail or crash

  27. Variations • Many consumer routers support NAT (network address translation), allowing one IP address to be shared between multiple machines. • Local IP addresses are used for your network • Using the gateway (router) to packet forward on behalf of the other computers on your intranet • Good way to hide network from external eyes • Can packet filter and provide some proxy services, often provides MAC address filtering

  28. Screened Host Architecture • All communication between hosts on the local network and the internet (both directions) passes through proxies on a bastion host which communicates with the internet through a packet filtering router • Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts) • Bastion host is the only host on the network to which hosts on the internet can make connections

  29. Screened Host Architecture • Packet filtering router protects internal hosts from direct internet attack (allowing only certain services/ protocols). • This is the primary security for the network • This prevents users from directly accessing the Internet • Bastion host provides services and runs proxies connecting to the outside world, it should not be a trusted member of the local network • Not appropriate for public web servers

  30. Screened Host (figure): the INTERNET connects to a packet filtering router; behind it the bastion host and the internal hosts share the local network.

  31. Bastion Host • Should run a minimum configuration to minimize points of attack • Should have all services not needed by the site disabled • Should not be trusted by hosts on the network • Should not run booting services • Must maintain a high level of host security on the bastion host

  32. Bastion Host and user accounts • Should not support user accounts • May know about users (i.e. to allow access from outside the network to machines inside the network) • Users should not be able to log into the bastion host. • Administrators should be able to log into the bastion host with individual accounts, remote login is a high security risk

  33. Bastion Hosts and user accounts • Users should not be able to log into the bastion host. • prevents a hacker from breaking in through a user account • Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery …) • Prevents inadvertent damage to the bastion host’s security by users (poor password … ) • Easier to detect attacks if types of traffic are limited

  34. Bastion Host • Provides the services your site needs to access the internet • Runs proxies for services your site provides to the internet • all services or • just services that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS, SMTP, HTTP)

  35. Screening router • May allow hosts to open connections to selected servers on the internet • May disallow services forcing them to be proxied by the bastion host (or hosts)

  36. Use a Screened Host When • Few connections to the network originate from outside the network • When host security is relatively high • If you allow non bastion hosts to connect to the internet you are compromising the design, since outside users have access to IP addresses of protected hosts

  37. Comparison • Router easier to secure than multi-homed host (simpler OS, fewer points of attack, fewer services running, than a multi-homed host) • Multi-homed host provides no way for packets to go directly to hosts, screened host does (can be security hole) • Multi-homed host more prone to failure (type of failure more difficult to predict) • On balance router may be more secure and simpler to administer

  38. Comparison • You can get some extra protection by isolating your bastion host and your screened hosts so most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible) • This is part of what a screened subnet does (next topic of discussion) • Can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub.

  39. Screened Subnet • Place the bastion host (hosts) on a separate subnet connected to the Internet with a router. This separate subnet is known as a perimeter network. • That subnet in turn connects to your internal network through a second router (with packet filtering). • Removes the difficulties caused by a single point of failure (as in multi-homed hosts, and to a lesser extent screened hosts) • Now a hacker must break through two levels of packet filters and compromise a bastion host to reach your internal network

  40. Screened Subnet (figure): the INTERNET connects to an exterior router (packet filtering), then to the perimeter network holding the bastion hosts, then to an interior router (packet filtering), and finally to the internal hosts.

  41. Screened subnet • No longer a single point of failure • Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet • Multiple failures are needed to reach the screened subnet • If the router’s firewall is breached the hacker can only reach the bastion hosts • If the bastion host is compromised, sensitive internal information is still protected. • The screened network still has the protection of the interior router

  42. Bastion Host/s on separate net • Locating the bastion hosts on a separate network from the protected hosts has many benefits • Sees only packets to and from bastion hosts and to and from the internet • Does not see traffic on the internal network • Accesses to sensitive files • Confidential local email • Remote logins, FTP or TELNET packets that could provide passwords

  43. Bastion Host/s on separate net • Bastion Hosts are primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS …) • Outbound services (from our network to servers on the internet) have access controlled by • Filtering on exterior or interior router • Proxy services on the bastion hosts • If traffic is high and/or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk • Services may be divided between multiple bastion hosts. Services may be grouped by • Importance, audience, security level, access level

  44. Interior router • Primary packet filtering system (choke router) • May be more restrictive than the packet filters in the exterior router • Want to assure sensitive information does not leave screened network • May allow a smaller set of services to reach interior network than can reach the exterior network • May target services from outside the screened networks to designated servers (e.g. a mail server on one of the internal hosts) • Allows services to the internet to be isolated from the screened internal network (on the perimeter network) • Protects your screened interior network from the Internet and the perimeter network

  45. Exterior Router • Exterior Router may be called the access router • Sometimes the external router is provided by another group (like an ISP) • Your access will be limited • Filter rules will not be customized to your needs • Hosts on the perimeter net must be protected by strong host security • Makes exterior filtering less critical • If you do control the exterior router you may want to duplicate a subset of the rules on your interior router

  46. Exterior Router • Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network) • Should block outgoing packets that do not come from one of your network’s IP addresses • Prevents your users sending inappropriate packets • More importantly: prevents any hijacker using one of your machines to send packets with inappropriate IP addresses
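An added example (not part of the lecture slides) that models the exterior router's filter as described in slide 46 together with the default deny and default permit strategies of slides 10 and 11. The address plan, the interface names and the service lists are constructed assumptions; the Land packet check from slide 12 is included as a first anti-spoofing rule.

```python
"""Model of an exterior (access) router packet filter: anti-spoofing rules
on both interfaces, then either a default-deny or a default-permit policy.
All addresses, interfaces and service lists below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: the screened internal net and the perimeter net.
OUR_NETS = [ipaddress.ip_network("10.0.0.0/24"),         # screened internal
            ipaddress.ip_network("192.168.100.0/24")]    # perimeter network
BASTION = ipaddress.ip_address("192.168.100.10")
# Default deny: what is explicitly permitted (bastion services only).
ALLOWED_INBOUND = {("tcp", 25), ("tcp", 80), ("udp", 53)}
# Default permit: what is explicitly forbidden (telnet, rexec, rlogin).
DENIED_INBOUND = {("tcp", 23), ("tcp", 512), ("tcp", 513)}

@dataclass
class Packet:
    iface: str      # "ext": arrived from the internet; "int": leaving our site
    src: str
    dst: str
    proto: str
    dport: int

def is_ours(addr):
    """True if the address belongs to the screened or perimeter network."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in OUR_NETS)

def exterior_filter(pkt, policy="deny"):
    """Return (verdict, reason) for one packet under the chosen default policy."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "ext":
        # Anti-spoofing rules apply whatever the default policy is.
        if src == dst:
            return ("DROP", "land packet: source equals destination")
        if is_ours(src):
            return ("DROP", "forged inside source on external interface")
        if policy == "deny":
            if dst == BASTION and (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
                return ("ACCEPT", "permitted service on bastion host")
            return ("DROP", "default deny")
        # Default permit: anything not explicitly forbidden reaches the inside.
        if (pkt.proto, pkt.dport) in DENIED_INBOUND:
            return ("DROP", "explicitly denied service")
        return ("ACCEPT", "default permit")
    # Egress rule: outgoing packets must carry one of our own addresses.
    if not is_ours(src):
        return ("DROP", "outgoing packet with foreign source address")
    return ("ACCEPT", "outbound from our address space")

def audit(packets, policy="deny"):
    """Apply the filter to a list of packets, one result line per packet."""
    return [f"{v:6} {p.iface} {p.src}->{p.dst} {p.proto}/{p.dport}: {why}"
            for p in packets for v, why in [exterior_filter(p, policy)]]

if __name__ == "__main__":
    sample = [Packet("ext", "203.0.113.7", "192.168.100.10", "tcp", 25),
              Packet("ext", "10.0.0.5", "10.0.0.9", "tcp", 445),
              Packet("ext", "198.51.100.2", "10.0.0.9", "tcp", 445)]
    print("\n".join(audit(sample) + audit(sample, "permit")))
```

Running the sample under both policies shows the contrast of slide 11: the SMB packet to an internal host is dropped under default deny but accepted under default permit, while the spoofed inside source is dropped either way.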

  47. Variants • Use multiple bastion hosts • Distribute load, partition services, add redundancy • Merge interior router and exterior router • Need router that allows separate filter specifications on each interface. • Disadvantage: creates a single point of failure if router is compromised

  48. Multiple Bastion Hosts (figure): the same layout as the screened subnet, with several bastion hosts on the perimeter network between the exterior and interior packet filtering routers.

  49. Merged Interior/Exterior Routers (figure): the INTERNET connects to a single interior/exterior router (packet filtering) that attaches both to the perimeter network with the bastion hosts and to the internal hosts.

  50. Variants • Use multiple independent perimeter networks • Provide redundancy and bandwidth • Assure networks connect to different physical connections (different providers and different cables) • Both interior routers must enforce the same policies • Also used to separate incoming and outgoing services
