Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Transcription

1 CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University Firewalls Internet connectivity essential to organization Internet provide benefits But enables outside to reach local resources Not practical to secure all workstations Alternative is firewalls Inserted between local network and Internet Single choke point to impose security, audit

2 Design Goals All traffic must pass thru firewall from inside to outside or outside to inside block all access to LAN except thru firewall Only authorized traffic is allowed to pass defined by security policy Firewall immune to penetration must be running secure operating system access control must be defined Capabilities Single choke point simplify security management provide protection from various attack types Monitoring security related events implement audits and alarms Can provide non-security related services DNS, network management Platform for IPSec using tunnel mode or implement VPN

3 What Firewalls Cannot Protect Attacks that bypass firewall dial-out or dial-in service inside LAN violates single choke point rule Internal threats disgruntled employee cooperate with attacker Transfer of virus-infected programs various types of operating systems impossible to scan all file types Types of Firewalls Packet-filtering router Stateful inspection firewalls Application-level gateway Circuit-level gateway

4 Packet-Filtering Routers Apply set of rules to each in or out IP packet Packet is then forwarded or discarded Filtering rules based on source IP address: e.g., destination IP address: e.g transport protocol: TCP, UDP, DCCP, SCTP transport port number interface: inside, outside, or multiple interfaces

5 Packet-Filtering Routers Filter set up as list of rules Rules match fields in IP or TCP header If packet matches one of rules, role invoked If no match, apply default rule Default rule can either be deny: discard all packets except permitted by rule permit: forward all packets except denied by rule Packet Filtering Examples Inbound mail allowed, but only to gateway host Packets from SPIGOT host are blocked SPIGOT has history of sending massive

6 Packet Filtering Examples Explicit statement of default policy Conservative approach, everything is blocked Services must be added on a case by case basis More secure, but inconvenient for users With default allow, admin must identify all threats Packet Filtering Examples Any inside host can send mail to outside TCP packets with remote port 25 are allowed Problems some SMTP may not use default port 25 attacker run have different service on port 25 attacker can send packets using source port 25

7 Packet Filtering Examples Solve problems with C Take advantage of TCP ACK flag sent in response to locally established connection Allow packets from local host with dest port 25 Allow incoming packets from port 25 with ACK only replies to local connections Packet Filtering Examples Allow packets originated internally reply packets to connection initiated internally packets destined to high-numbered port on internal host Most servers use low numbered ports < 1024 Most attack targets are in this range

8 Packet Filtering Firewalls Advantages simple: few variables fast: only check TCP/IP headers transparent to users Disadvantages cannot prevent application-level attacks vulnerable to attacks on problems within TCP/IP few variables: possible weak configurations Attacks on Packet-Filtering Routers IP address spoofing use fake source IP address (e.g. internal IP) goal: penetrate source address based security countermeasure: discard packets from external interface with internal IP address as source Source routing attacks source routing overwrites routing decision goal: allow packet get into private IP network countermeasure: discard packets with this option

9 Attacks on Packet-Filtering Routers Tiny fragments attacks use IP fragmentation option create very small fragments force transport header into separate fragments goal: circumvent transport header filtering rules countermeasure: enforce minimum fragment size to predefined min amount of transport header Stateful Inspection Firewalls Simple packet-filtering is only based on individual packets TCP sessions involve multiple connections Simple packet filter must allow all inbound traffic on ports Can create vulnerability Stateful packet inspection (SPI) maintain directory for established connections only allow inbound packets with existing session

10 Stateful Inspection Firewalls Application-Level Gateway Also called proxy server Acts as relay of application-level traffic Local host contacts gateway provide authentication information provide remote host information Gateway contacts remote host application service must be supported by GW relay TCP segments between local, remote

11 Application-Level Gateway Advantages more secure than packet filter restrict to few allowable applications, services can protect on application level Disadvantage additional processing overhead maintain two spliced connections Circuit-Level Gateway Can be standalone or part of application GW Shim layer between application, transport No direct end-to-end TCP connection Two separate TCP connections one between inside host gateway one between gateway outside host Once setup, doesn t filter individual packets Security is which connections to allow

12 Bastion Host Also called demilitarized zone (DMZ) Computer host or network inserted between internal network and Internet Provides service interface to outside users (web, , FTP) Prevents outside users from getting direct access to company s data Strong point in the security of network Platform for application, circuit-level gateway Bastion Host Source: en.wikipedia.org/wiki/demilitarized_zone_(computing) DMZ or Bastion Host

13 Bastion Host Characteristics Runs secure operating system Must not contain sensitive data Only essential services installed determined by admin e.g. SSH, DNS, FTP, SMTP, authentication May require auth, also for each proxy Each proxy allow access to specific hosts Proxy maintain audit info, log all connections Firewall Configurations Screened host firewall, single-homed bastion Screened host firewall, dual-homed bastion Screened-subnet firewall

14 Screened Host Firewall, Single-Homed Bastion Host Screened Host Firewall, Single-Homed Bastion Host Consists of two systems packet filtering router bastion host: proxy, authentication IP packets from Internet only allowed to BH IP packets to Internet only allowed from BH Advantages both packet, app level filtering: 2 layers security flexibility: public access for web/info server

15 Screened Host Firewall, Dual-Homed Bastion Host Screened Host Firewall, Dual-Homed Bastion Host Two separate subnets BH has two network interfaces Two levels of defense: router, BH Protect internal hosts if router compromised Also, same features of previous config

16 Screened-Subnet Firewall Screened-Subnet Firewall Two packet filtering routers Creates isolated subnet containing BH may also contain modems, public servers can be accessed from Internet or internal net through traffic is blocked Advantages three levels of defense: router, BH, router internal network is invisible to Internet Internet is invisible to internal network

17 Finally The most secure computer is a one which is disconnected from the network, AND TURNED OFF! Additional References Microsoft Security Bulletin (MS99-038), Stateful Inspection Firewall, wall.pdf Doug Lowe, Networking All-in-One Desk Reference For Dummies, ISBN , books.google.com/books?id=gngdds-1oekc Home Computer Security Glossary, html Syngress et al., The Best Da*n Firewall Book Period, ISBN , books.google.com/books?id=q7rlxtilosec