CIT 480: Securing Computer Systems. Firewalls

Transcription

1 CIT 480: Securing Computer Systems Firewalls

2 Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring the Linux Firewall 4. Firewall Architectures and DMZs

3 What is a Firewall? A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire. Network firewall prevents threats from spreading from one network to another.

4 What is a Firewall? (2) A security control to enforce network policy ACLs on a host/network level. Policy Decisions: What traffic should be allowed into network? Integrity: protect integrity of internal systems. Availability: protection from DoS attacks. What traffic should be allowed out? Confidentiality: protection from data leakage.

5 Network Perimeter A boundary between two networks. Most often, a boundary between a private locally controlled network (intranet, LAN) and a public network (Internet, WAN). A firewall is often deployed to enforce access control at the network perimeter.

6 Problems with Perimeters When firewalls were invented Organizations had a single link to the Internet. Devices on the intranet were mostly trusted. Devices on the intranet had many open ports. Protocols could be identified by port numbers. Wireless networks and NAT did not exist. In modern networks Organizations have multiple links to other networks. Employees bring their own devices to the intranet. Devices on the intranet have few open ports. Protocols are often built on top of HTTP. Wireless networks and NAT are ubiquitous.

7 Are firewalls still useful? Yes, but we deploy multiple firewalls on our internal network instead of relying on one perimeter firewall. Put firewalls in front of devices that still have many open ports, such as printers. Put firewalls in front of devices that cannot be patched because they only work with legacy software. Use a firewall to separate wireless network which allows employee devices from internal wired network. We also supplement firewalls with other security technologies like VPNs and NIDS.

8 Types of Firewalls Packet Filters (Stateless) Apply access rules to individual packets. Filters on network and transport layer data. Stateful Filters Apply access rules to network flows or sessions. Filters on network and transport layer data. Application Layer Firewalls A proxy server that relays byte streams from client to server and vice versa. Use deep packet inspection (DPI) to filter on application layer data.

9 Stateless Firewalls A stateless firewall doesn t maintain any remembered context (or state ) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. SYN Seq = x Port=80 Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 Firewall Server Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80

10 Stateless Restrictions Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. Client (blocked) SYN Seq = y Port=80 Attacker Trusted internal network Firewall Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80

11 Packet Filtering Information Forward or drop packets based on TCP/IP header information, most often: IP source and destination addresses Protocol (ICMP, TCP, or UDP) TCP/UDP source and destination ports TCP Flags, especially SYN and ACK ICMP message type Multi-homed hosts also make decisions based on: Network interface the packet arrived on. Network interface the packet will depart on.

12 Stateful Firewall Example SYN Seq = x Port=80 Server Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 (blocked) SYN-ACK Seq = y Port=80 Attacker Allow outbound TCP sessions, destination port=80 Firewall Established TCP session: ( , ) Firewall state table

13 Stateful Packet Filters Identify network flows by Protocol (TCP, UDP) Source IP address Source port Destination IP address Destination port Apply access rules on initial connection. Check if later packets are part of flow. Apply same decision to them.

14 Netfilter and IPtables Tables do specific tasks such as filtering or NAT. Each table consists of one or more chains of rules. Chains can be built-in or user defined.

15 Filter Table Built-In Chains # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

16 Chains are Lists of Rules Packet traverses a chain sequentially until A rule matches the packet and makes a final decision to ACCEPT or REJECT it. A rule matches the packet and sends it to another chain. The end of the chain is reached. If the end is reached, the packet either Returns to being processed by the calling chain. Is processed by the default policy of the chain.

17 Chain Configuration Append a Rule to a Chain iptables A chain firewall-rule List Rules in a Chain iptables L chain Delete a Rule from a Chain iptables D chain rule-number Set Chain Default Policy iptables P chain DROP or append a rule that drops all packets to the end. iptables A chain j DROP

18 Packet Matching Options -i: incoming network interface (ex: lo0, eth0) -s: source IP address (ex: , /8) -d: destination IP address -p: protocol (tcp, udp, icmp, etc.) --icmp-type: ICMP type (if p icmp) --sport: source port (if p tcp or udp) --dport: destination port (if p tcp or udp) --tcp-flags: TCP flags (ex: ACK, SYN, etc.)

19 Stateful Matching Options -m state: enable stateful filtering module --state NEW: allow new connections Matches packets with TCP SYN flag set. Adds connection (IPs, ports) to state table. --state ESTABLISHED: allow established. Matches packet if ACK flag set and source IP, source port, destination IP, destination port found in state table.

20 Rule Targets (-j options) ACCEPT: let the packet through. DROP: do not let the packet through. REJECT: do not allow + send ICMP error. RETURN: stop processing on this chain and return to the next rule in the calling chain. chain: continue processing packet with the named chain.

21 Writing Firewall Rules Allow incoming SSH using stateful rules iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT Allow server to be pinged iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

22 Ingress/Egress Filtering Block spoofed IP addresses Ingress Filtering Drop packets arriving on external interface whose source IP addresses claims to be from internal network. Egress Filtering Drop packets arriving on internal interface whose source IP address is not from internal network.

23 Proxy Servers Proxy servers are servers that act as an intermediary between a client seeking resources from any server, typically used to protect clients. Reverse proxy servers are proxy servers that act as an intermediary between all clients and a dedicated set of servers, typically used to protect the servers.

24 Proxy Servers Proxy host relays connections Packet filter blocks direct connections. Client makes connection to proxy. Proxy forwards connection to server. Proxy can provide multiple security features: Access Control Authentication Logging Anonymity

25 Example: SOCKS v5 Socks Server Socks Client Library Clients must be linked against library. Library offers replacements for UNIX network TCP and UDP socket system calls. User Authentication Protocols Cleartext username/password. GSS-API authentication.

26 Forward Proxy Servers Advantages: User-level authentication possible. Efficient logging, as proxy deals with circuit connections instead of individual packets. Disadvantages: Clients have to be recompiled or reconfigured to use proxy service. Some services can t be proxied. Cannot protect you from all protocol weaknesses.

27 Application Layer Firewalls Reverse proxy servers that filter a single protocol HTTP: URLs, headers, etc. SMTP: spam statistics More complex Only 2 16 ports, but An infinite number of URLs, HTTP headers, bodies, etc.

28 Single Firewall Architecture One firewall deployed on gateway between two networks to protect network perimeter.

29 DMZ Firewall Architecture

30 Single Firewall DMZ

31 DMZ Isolate servers with external access requirements Compromise of a DMZ server doesn t directly compromise internal network. DMZ servers also can t sniff internal traffic, since they re on a different subnet. No single point of failure Attacker must compromise both exterior and interior routers to gain access to internal net. Advantages: greater security Disadvantages: higher cost and complexity

32 Firewall Limitations Cannot protect from internal attacks May be able to limit access with internal firewalls to a segment of your network. Cannot protect you from user error Users will still run Trojan horses that make it past your AV scanner. Users visiting malicious sites run malicious JavaScript inside the firewalls. Firewall mechanism may not precisely enforce your security policy.

33 Key Points 1. Firewall types 1. Packet filtering (stateless) 2. Stateful firewalls 3. Proxy servers (including application layer firewalls) 2. Netfilter and Iptables 1. Tables and chains 2. Rules and actions 3. Firewall Architectures 1. Single firewall 2. DMZ 3. Single firewall DMZ

34 References 1. William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd edition, O Reilly & Associates, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Ed Skoudis, Counter Hack Reloaded, Prentice Hall, Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2 nd edition, O Reilly & Associates, 2000.

35 Released under CC BY-SA 3.0 This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share to copy and redistribute the material in any medium to Adapt to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at