Firewalls. CIT304 University of Sunderland Harry R. Erwin, PhD

Transcription

1 Firewalls CIT304 University of Sunderland Harry R. Erwin, PhD

2 Resources Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O Reilly, ISBN: Schneier, 2000, Secrets and Lies, Wiley, ISBN: Anderson, 2001, Security Engineering, Wiley, ISBN: Zwicky, Cooper & Chapman, 2001, Building Internet Firewalls, O Reilly.

3 Definition Firewall (Schneier) Originally an iron wall that protected train passengers from engine fires. Didn t protect the engineer there may be a lesson for sysadmins here. In early networks, a device that protected a segment of a network from failures in other segments Now a device that protects an internal network from malicious intruders. Does not deal with the 70+% of attacks that come from inside. Does not deal with most vulnerabilities (see next slide) only those associated with network connections.

4 Top 20 Vulnerabilities ( 4 Dec 2006) Operating Systems Internet Explorer Windows Libraries Microsoft Office and Outlook Express Windows Services Internet Explorer (IE) Windows Configuration Weaknesses Mac OS X Unix Configuration Weaknesses Network Devices VoIP Servers and Phones Network and Other Devices Common Configuration Weaknesses Cross-Platform Applications Web Applications Database Software P2P File Sharing Applications Instant Messaging Media Players DNS Servers Backup Software Security, Enterprise, and Directory Management Servers Security Policy and Personnel Excessive User Rights and Unauthorized Devices Users (Phishing/Spear Phishing) Special Section Zero Day Attacks and Prevention Strategies

5 Perimeter Defense No good against internal uprisings Denial of service will remains threat Must be complete otherwise the hacker will go around it. Must still contain gateways, which become the main vulnerabilities.

6 Boundary Protection The careful use of boundary mechanisms allows the designer to segment the network into protected domains, isolated from the internet and telephone service. This limits damage and prevents malicious attackers from gaining entry.

7 Hub and Ring Architectures Hub architecture packets transmitted by one device are reflected to all devices. Can be digital or analog. Analog hubs reduce signal strength, limiting the number of devices. Speed of light delays also limit the spatial extent of the LAN. Ring architecture each device connects to a ring of connections. One packet at a time circulates around the ring. If it arrives back at the device unchanged, it is deemed to have been successfully transmitted. Otherwise it is retransmitted.

8 Gateway Typically a router connected to the hub or ring. Has external connections. Uses routing tables to find a route to a server. Sends the packet out that route. If a server isn t reachable, an ICMP DEST_UNREACH packet is generated and eventually returns to the source.

9 Switch Smart hubs that transfer packets between networks. Fast switches are based on state machine architectures. Can block a sniffer from accessing local traffic. Virtual LANs can be isolated and connected via switches Not a security mechanism. Performance is too important for switches to do much processing.

10 Virtual Private Network (VPN) Encrypted tunneling (stunnel or ssh) can be used to link distant LANs via switches. Usually handled peer-to-peer with the routers and firewalls passing encrypted packets. This is message-level encryption. Can also be handled using link-level or packetlevel encryption. Link-level uses military COMSEC devices and has a high maintenance overhead.

11 Boundary Mechanisms Used to Secure Networks Note: Firewalls and routers are basic tools of network security. Filtering routers Firewalls: Packet Filters Proxies NAT (network address translation) Screens Personal firewalls Demilitarized Zones (DMZs)

12 Attacks on Boundary Mechanisms Three approaches: 1. Go around it. Internet connections from photocopiers, soft drink machines, and other devices Maintenance ports on network devices Unauthorized modems Attack trusted peers instead 2. Sneak past it. 3. Take the firewall over. Buggy software Insecure operating systems

13 Filtering Router A basic router that provides stateless protection: Only passes legitimate packets, which is good. What packets are legitimate is a policy decision. Two basic strategies: Default permit easier to configure but riskier Default deny safer but inflexible (UoS policy) Neither is a panacea. A filtering router doesn t connect SYN ACKs to the related SYN packets or other packets involved in the connection. This can be exploited by a smart attacker.

14 Firewall Smarter than a simple filtering router. Enforces your chosen policies. May sniff traffic. Blocks access as part of a defense in depth strategy. Can serve as a proxy for the clients behind it. Can encrypt traffic between separate locations. Can even be stateful, tracking connections, not just packets reducing throughput, but harder to fool. (Remains vulnerable to slow attacks.) Note however, a filtering router plus strong endpoint security (hardened workstations) is more secure than an isolated firewall.

15 Firewall Anatomy Based on chokes and gates (Garfinkel and Spafford): Choke A component that restricts the free flow of packets between networks based on some policy. Gate Handles port connections. Single machines that handle all ports are bastion hosts Programs that might be supported include network clients (undesirable), proxy servers, and network servers.

16 How to Program a Simple Packet Filtering Choke Block all packets for services not used. Block all packets with IP source routing options Allow incoming TCP connections to predetermined network servers. Allow outgoing TCP connections. (You might want to some used by malware.)

17 Pros and Cons of Packet Filtering Pros Cheap and easy Flexible Cons Usually lacks logging Complex rulesets that are hard to configure and untestable ftp not handled well unless passive mode is set (due to the high port numbers used by ftp) Security can be silently compromised Remote administration can be compromised Insider attacks are easy Packet contents are not monitored

18 Firewall Types Packet filters Usually based on a filtering router, but stateful Proxy-based firewalls Services are provided by the visible firewall Packet-rewriting firewalls (NAT) Transparent to applications Screens No IP address; run in stealth mode

19 How Network Address Translation (NAT) Works A server anonymises traffic by replacing the true address on the LAN with its own address and vice versa. Incoming packets from inside addresses can be quietly dropped. Aka proxying with network address translation. Can also cache data received to save on network bandwidth

20 Personal Firewalls This is a router/firewall installed on your personal PC. Usually a simple packet filter. Now available for most modern operating systems. MacOS X, BSD Unix, and Linux use ipfw. Windows XP has a proprietary firewall. Mediocre. Commercial firewalls either manage the firewall provided by the OS or replace it with their own. Watch out for snake oil.

21 Personal Firewalls for Windows Machines Some Free Ones Microsoft Internet Connection Firewall (XP default) ZoneAlarm (good, better than ipfw) Tiny Firewall (good, USAF uses) Sygate Personal Firewall (good) More Expensive Black Ice Defender (well-regarded) ZoneAlarm Pro (good) Norton Personal Firewall (OK) McAfee Personal Firewall (subscription)

22 Demilitarized Zone (DMZ) A place on your network where you put your public services. Reduces the external threat, but protects your private network. External firewall (to the internet) has a limited number of restrictions. Internal firewall (to your private network) has more restrictions.

23 Running a Windows Firewall If you are responsible for a Windows firewall (incomplete): Enable auditing, accounting, and full logging. Monitor them. Use strong authentication. Install a logon banner. Rename the Administrator account. No user or guest accounts. Generally, block all user access. Manually configure the machine. Install all security patches. Use NTFS. Protect the bios configuration. Block removable devices and unused ports. Support only TCP/IP. You may need to enable SMNP. Disable unneeded services, in particular WINS TCP/IP, Computer Browser, NetBIOS, RPC, Server, and Workstation. Check that patches/ hotfixes/updates don t reenable them.

24 Running a UNIX Firewall If you are responsible for a UNIX firewall: Enable auditing, accounting, and full logging. Monitor them. Use strong authentication. Firewall machines should not have user accounts. Block X11 server ports. Do not mount NFS (etc.). Export databases read-only. Disks should be mounted read-only where possible. Remove binaries not needed for the firewall. Disable unneeded network services. chmod all system directories to 711. Remove /etc/hosts.equiv and /etc/hosts.lpd Use process and disk quotas and monitor them.

25 This Week s Tutorial Meet on the terraces. We will explore helpful resources available on the web.

26 Conclusions You may need a firewall, but you will need a lot more and probably more urgently: Start by ensuring you have strong end-point security. Make sure you have the latest service pak installed. Install/enable personal firewalls on all machines. Use a filtering router as a minimum. Finally consider using a firewall. Watch for snake oil! Manage your security actively! Good luck!