
Firewalls

Firewalls. CS461/ECE422 Spring 2012. Reading Material. Text chapter 9 “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin , and Rubin. Firewall Goal. Insert after the fact security by wrapping or interposing a filter on network traffic. Firewall Requirements.


Presentation Transcript


  1. Firewalls CS461/ECE422 Spring 2012

  2. Reading Material • Text chapter 9 • “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin, and Rubin.

  3. Firewall Goal • Insert after-the-fact security by wrapping or interposing a filter on network traffic

  4. Firewall Requirements • All traffic between network section A and network section B (and vice versa) must pass through the firewall (or a consistently controlled set of firewalls) • Only authorized traffic (as specified by the security policy) is allowed to pass • The firewall itself is immune to penetration

  5. “Typical” corporate network [Diagram: Internet, outer firewall, demilitarized zone (DMZ) holding mail forwarding, DNS (DMZ) and web servers, inner firewall, intranet holding the file server, mail server, DNS (internal) and user machines]

  6. Packet Filter Firewall • Operates at Layer 3 in router or HW firewall • Has access to the Layer 3 header and Layer 4 header • Can block traffic based on source and destination address, ports, and protocol • Does not reconstruct Layer 4 payload, so cannot do reliable analysis of layer 4 or higher content

  7. Rule Scenario

  8. Example Packet Filter Rules • Rules attached to outside interface • Rules attached to inside interface

  9. Same Rules in iptables • Rules in the filter table
     -A FORWARD -p ip -s outside_host -j REJECT
     -A FORWARD -p ip -d outside_host -j REJECT
     -A FORWARD -i outside -p tcp -d our_mail_server -m tcp --dport 25 -j ACCEPT
     -A FORWARD -i inside -p tcp -s our_mail_server -m tcp --sport 25 -j ACCEPT
     -A FORWARD -j REJECT

  10. More Example Packet Filter Rules • Rules attached to inside interface • Rules attached to outside interface

  11. A Better Example • Rules attached to inside interface • Rules attached to outside interface

  12. FTP Example • Rules attached to inside interface • Rules attached to outside interface

  13. Stateful Inspection Firewall • Evolved as packet filters aimed for proxy functionality • In addition to Layer 3 reassembly, it can reconstruct Layer 4 traffic • Some application layer analysis exists, e.g., for HTTP, FTP, H.323 • Called context-based access control (CBAC) on IOS • Configured by the fixup command on PIX • Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels • Reconstruction and analysis can be expensive • Must be configured on specified traffic streams • At a minimum the user must tell the firewall what kind of traffic to expect on a port • Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly

  14. Circuit Firewall • Actually creates two separate TCP connections • Completely reconstructs TCP connections • SOCKS is an example implementation

  15. Example Stateful Rules • Rules attached to outside interface • Rules attached to inside interface

  16. Same Rules in iptables • Rules in the filter table
     -A FORWARD -p ip -s outside_host -j REJECT
     -A FORWARD -p ip -d outside_host -j REJECT
     -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     -A FORWARD -i outside -m state --state NEW -p tcp -d our_mail_server -m tcp --dport 25 -j ACCEPT
     -A FORWARD -j REJECT
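Added example, not part of the slides: a small Python model of the two FORWARD chains from slides 9 and 16, evaluated with iptables first-match semantics. The addresses are constructed stand-ins for outside_host and our_mail_server; the stateful chain keeps a connection table so that only replies to tracked flows match the ESTABLISHED rule, whereas the stateless chain must trust the port numbers in the packet.

```python
from dataclasses import dataclass
# Constructed sample addresses standing in for the slides' symbolic names
OUTSIDE_HOST = "203.0.113.9"   # the blocked outside_host
MAIL_SERVER = "192.0.2.25"     # our_mail_server, behind the inside interface

@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrived on: "outside" or "inside"
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the opening SYN of a TCP connection (state NEW)

def flow_key(p: Packet) -> tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)
def is_established(p: Packet, table: set) -> bool:
    # The 5-tuple, in either direction, is already in the connection table
    reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
    return flow_key(p) in table or reverse in table
def smtp_to_mail_server(p: Packet) -> bool:
    return p.iface == "outside" and p.proto == "tcp" and p.dst == MAIL_SERVER and p.dport == 25

# Slide 9: stateless FORWARD chain; each rule is (match predicate, target), first match wins
STATELESS = [
    (lambda p, t: p.src == OUTSIDE_HOST, "REJECT"),
    (lambda p, t: p.dst == OUTSIDE_HOST, "REJECT"),
    (lambda p, t: smtp_to_mail_server(p), "ACCEPT"),
    # "replies" from the mail server are judged by port number only
    (lambda p, t: p.iface == "inside" and p.proto == "tcp" and p.src == MAIL_SERVER and p.sport == 25, "ACCEPT"),
    (lambda p, t: True, "REJECT"),
]
# Slide 16: stateful FORWARD chain; replies pass only if a tracked connection exists
STATEFUL = [
    (lambda p, t: p.src == OUTSIDE_HOST, "REJECT"),
    (lambda p, t: p.dst == OUTSIDE_HOST, "REJECT"),
    (lambda p, t: is_established(p, t), "ACCEPT"),              # --state ESTABLISHED,RELATED
    (lambda p, t: p.syn and smtp_to_mail_server(p), "ACCEPT"),  # --state NEW
    (lambda p, t: True, "REJECT"),
]

def filter_packet(rules, p: Packet, conntrack: set) -> str:
    for match, target in rules:
        if match(p, conntrack):
            if target == "ACCEPT" and p.syn:
                conntrack.add(flow_key(p))  # an accepted NEW flow becomes ESTABLISHED
            return target
    return "REJECT"
```

Running both chains over the same packets shows the difference: an outbound packet from the mail server's port 25 that belongs to no connection is accepted by the stateless chain and rejected by the stateful one.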

  17. Application Proxy Firewall • Firewall software runs in application space on the firewall • The traffic source must be aware of the proxy and add an additional header • Now transparent proxy support is available (TPROXY) • Leverage basic network stack functionality to sanitize application level traffic • Block Java or ActiveX • Filter out “bad” URLs • Ensure well formed protocols or block suspect aspects of protocol

  18. Traffic reconstruction

  19. Ingress and Egress Filtering • Ingress filtering • Filter out packets from invalid addresses before entering your network • Egress filtering • Filter out packets from invalid addresses before leaving your network
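Added example, not from the slides: ingress and egress source-address checks in Python, using constructed site prefixes and a constructed list of private and reserved ranges. Inbound, a source that claims to be one of our own addresses or a non-routable address is dropped; outbound, only our own prefixes may leave.

```python
import ipaddress

# Constructed sample values: the prefixes assigned to our site (the real allocation in
# practice) and source ranges that should never arrive from the Internet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def _in_any(addr: str, nets) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in nets)

def ingress_verdict(src: str) -> str:
    """Packet arriving from the Internet on the outside interface."""
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "DROP: malformed source"
    if _in_any(src, INTERNAL_NETS):
        return "DROP: source claims to be inside our network"  # classic spoof
    if _in_any(src, BOGONS):
        return "DROP: private or reserved source"
    return "ACCEPT"

def egress_verdict(src: str) -> str:
    """Packet leaving towards the Internet on the outside interface."""
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "DROP: malformed source"
    # Only our own prefixes may leave; anything else is spoofed or a leak of private
    # addressing, and would make the site a source of spoofed attack traffic
    return "ACCEPT" if _in_any(src, INTERNAL_NETS) else "DROP: source is not ours"
```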

  20. Denial of Service • Example attacks • Smurf Attack • TCP SYN Attack • Teardrop • DoS general exploits resource limitations • Denial by Consumption • Denial by Disruption • Denial by Reservation

  21. Teardrop Attack • Send series of fragments that don't fit together • Poor stack implementations would crash • Early Windows stacks • Example fragments: offset 0, len 60; offset 30, len 90; offset 41, len 173
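Added example, not from the slides: a Python fragment checker that takes the three fragments on this slide (offsets treated as byte offsets, as the slide gives them), reports which pairs overlap, and shows the decision a reassembling firewall or host should make. The trimmed-length function reproduces the arithmetic that goes negative in a reassembler that shifts fragments instead of rejecting them, which is the failure the slide attributes to poor stack implementations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload length in bytes
    more: bool    # the IP "more fragments" flag; False only on the last fragment

    @property
    def end(self) -> int:
        return self.offset + self.length

# The three fragments from the slide
TEARDROP_FRAGMENTS = [Fragment(0, 60, True), Fragment(30, 90, True), Fragment(41, 173, False)]

def find_overlaps(frags):
    """Return (earlier, later) pairs whose byte ranges overlap."""
    ordered = sorted(frags, key=lambda f: f.offset)
    overlaps, furthest = [], ordered[0]   # furthest: fragment reaching furthest so far
    for f in ordered[1:]:
        if f.offset < furthest.end:
            overlaps.append((furthest, f))
        if f.end > furthest.end:
            furthest = f
    return overlaps

def trimmed_length(prev: Fragment, cur: Fragment) -> int:
    """Length left for cur after a reassembler shifts it past prev instead of rejecting it.
    Negative when cur lies entirely inside prev; a safe stack must check this before use."""
    return cur.length - (prev.end - cur.offset)

def reassembly_verdict(frags) -> str:
    """Decision for a firewall or host doing Layer 3 reassembly: never patch overlaps."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if find_overlaps(ordered):
        return "DROP: overlapping fragments"
    if ordered[0].offset != 0 or ordered[-1].more:
        return "INCOMPLETE: first or last fragment missing"
    if any(b.offset != a.end for a, b in zip(ordered, ordered[1:])):
        return "INCOMPLETE: gap between fragments"
    return "OK"
```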

  22. Address Translation • Traditional NAT: RFC 3022 is the reference RFC • Map real address to alias address • Real address associated with physical device, generally an unroutable address • Alias address generally a routable address associated with the translation device • Originally motivated by limited access to publicly routable IP addresses • Folks didn’t want to pay for addresses and/or hassle with getting official addresses • Later folks said this also added security • By hiding structure of internal network • Obscuring access to internal machines • Adds complexity to firewall technology • Must dig around in data stream to rewrite references to IP addresses and ports • Limits how quickly new protocols can be firewalled

  23. Address Hiding (NAPT) • Many to few dynamic mapping • Packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime • Port remapping makes this sharing more scalable • Two real addresses can be rewritten to the same alias address • Rewrite the source port to differentiate the streams • Traffic must be initiated from the real side • Called masquerading in iptables if the interface IP is used for the alias address

  24. NAT example

  25. Static Mapping • One-to-one fixed mapping • One real address is mapped to one alias address at configuration time • Traffic can be initiated from either side • Used to statically map out small set of servers from a network that is otherwise hidden • Static port remapping is also available
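Added example, not from the slides: a Python model of the two mapping styles from slides 23 and 25. Address hiding (NAPT) rewrites the source port so that several real hosts can share one alias address and only the real side can open a stream; a static one-to-one mapping keeps the port and can be reached from either side. All addresses and the alias port pool are constructed, and the table is keyed on the alias port alone, which is simpler than a real translator that also keys on the remote endpoint.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Translator:
    alias: str                                          # public address of the translator (masquerading)
    static: dict = field(default_factory=dict)          # real address -> its own public alias address
    by_alias_port: dict = field(default_factory=dict)   # alias port -> (real addr, real port)
    by_real: dict = field(default_factory=dict)         # (real addr, real port) -> alias port
    ports: count = field(default_factory=lambda: count(40000))  # constructed alias port pool

    def outbound(self, p: Packet) -> Packet:
        # Static one-to-one mapping: only the address is rewritten, the port is kept
        if p.src in self.static:
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        # NAPT: many real hosts share one alias address; a rewritten source port keeps
        # their streams apart. The mapping is created the first time the real side sends.
        key = (p.src, p.sport)
        if key not in self.by_real:
            port = next(self.ports)
            self.by_real[key] = port
            self.by_alias_port[port] = key
        return Packet(self.alias, self.by_real[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A statically mapped server can be reached from outside at any time
        for real, alias in self.static.items():
            if p.dst == alias:
                return Packet(p.src, p.sport, real, p.dport)
        # A NAPT entry exists only if the real side initiated the stream; an
        # unsolicited packet to the alias address has no mapping and is dropped
        if p.dst == self.alias and p.dport in self.by_alias_port:
            real, rport = self.by_alias_port[p.dport]
            return Packet(p.src, p.sport, real, rport)
        return None
```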

  26. NAT example

  27. Deployment • Hardware Firewall • Buy firewall from vendor • They provide software and hardware • Depending on cost, may include hardware accelerators • Software Firewall on hardened bastion server • Buy software from vendor or use open source • Harden server to reduce attack surface • Host-based firewall • Additional layer of defense for application server • Personal firewall • Protect desktops/laptops from undesired probing

  28. DMZ Network [Diagram, as on slide 5: Internet, outer firewall, demilitarized zone (DMZ) holding mail forwarding, DNS (DMZ) and web servers, inner firewall, intranet holding the file server, mail server, DNS (internal) and user machines]

  29. VPN Network

  30. Distributed Firewalls

  31. Intrusion Prevention • Discussed in the Intrusion Detection lecture • Enables more dynamic rules and access rules that rely on more communication details • Can download new signatures or adapt anomaly rules on a daily basis

  32. Unified Threat Management (UTM) • Firewalls at the border provide a nice point for analysis • Might as well perform other analysis as long as flows have been tracked • Deploy one box instead of N boxes • Additional actions could be • Virus scanning • URL filtering • IDS/IPS/anomaly detection • Spam filtering

  33. Limits to firewalls • Cannot analyze encrypted traffic • Beyond header information • Everything is driven through port 80 • Relies on port as indicator of service • Newer firewalls dynamically analyze traffic to determine protocol • Cannot react to new attacks on protocols that must be allowed • IPS can help • Tracking IP addresses instead of people • Costs too much to manage firewalls

  34. Summary • Different types of firewalls for different needs • Packet filtering/stateful/application • Network/host/personal • Firewalls have been a stalwart element of network security for decades • Not the end-all solution • But still beneficial
