Topics NS HS12 2 CINS/F1-01

Transcription

1 Firewalls Carlo U. Nicola, SGI FHNW With extracts from slides/publications of : John Mitchell, Stanford U.; Marc Rennhard, ZHAW; E.H. Spafford, Purdue University.

2 CINS/F1-01 Topics 1. Purpose of firewalls 2. Packet-filtering and application layer firewalls 3. Basic firewall scenarios 4. The Linux architecture 5. Fundamental concept 6. Stateful and stateless firewalls 7. Configuring packet-filtering firewalls with NS HS12 2

3 Firewalls: a metapher IN/OUT Specially defended compartments NS HS12 3

4 Datagrams: Recap Application message TCP Header Application message - data Transport (TCP, UDP) segment TCP data TCP data TCP data Network (IP) packet IP TCP data Link Layer frame ETH IP TCP data ETF IP Header Link (Ethernet) Header Link (Ethernet) Trailer NS HS12 5

5 Firewalls (1) A firewall is a computer (HW and SW) that sits between two or more networks to control the datagram flow between them. As with any security components, firewalls must be configured according to a security policy. Notice that the firewall itself is a critical security component and it should be hardened: that means deployment of a trusted system with a secure operating system. At the most basic level, firewalls offer the following functionality:! Service control: Determines the types of Internet services that can be accessed, inbound or outbound.! Direction control: Determines the direction in which particular service requests are allowed to flow.! User control: Controls access to a service according to which user is attempting to access it.! Behavior control: Controls how particular services are used (e.g. filter ). NS HS12 6

6 Firewalls (2) Concrete examples of functionality:! Control access to the Internet for users within a company (e.g. web and, but no file sharing applications)! Control access from the Internet to internal computers and services (e.g. only to web server (port 80, 443) and server (port 25))! Make sure port 80 is only used for traffic and not for other protocols! Block malicious web traffic (e.g. requests with known attack signatures, replies containing driven by malware links) NS HS12 7

7 Firewalls (3) Three common (and one uncommon) types of firewalls: 1. Packet-filtering routers 2. Application-level gateways 3. Circuit-level gateways 4. Bastion host NS HS12 8

8 Packet filtering routers They represent the most common type. They operate at the network layer level using predefined rules dictated by the local security policy, they decide whether or not to forward packets to their destination. Basically they are extended routers.! They do not split end-to-end communications! Inspect network and transport protocol headers and have very limited means to inspect application data Example: allow traffic from any host on the network /24 to host :80 but block access to other ports! Advantages: very fast, relatively simple because they must only understand layer 3 and 4 protocols, transparent to users.! Disadvantages: control only who is allowed to talk to whom, but they do not control the content that is exchanged; they cannot authenticate; the implementation of efficient rules is not trivial. Products: Cisco PIX, Check Point Firewall 1, Linux NS HS12 9

9 Packet filtering characteristics It uses only information available at the transport-layer level: IP Source Address, Destination Address Protocol/Next Header (TCP, UDP, ICMP, etc) TCP or UDP source and destination ports TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ICMP message type Examples: DNS uses port 53:! Rule: No incoming port 53 packets except from known trusted servers. Problems: No stateful filtering (later) No encapsulation i.e.: no address translation Vulnerable to fragmentation attacks NS HS12 10

10 Packet filtering router: summary Packet-filtering router:! Applies a set of rules to each incoming IP packet and then forwards or discards the packet.! Filter packets going in both directions.! The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.! Two default policies (discard (block) or forward (allow)). NS HS12 11

11 Application-level gateways: Proxy firewalls They work at the application layer and they do split end-to-end communications: i.e. a TCP connection results in one from the client to the proxy and one from the proxy to the server. They inspect all application layer data according to rules and ( if the data are legitimate ) they act as a relay of application-level traffic between client and server. They are mainly used for inspection of web and mail traffic. Examples:! Make sure incoming connections to port 80 does not carry any crackers code! Make sure outgoing traffic to port 80 contains indeed http traffic! Filter incoming http replies for malicious content NS HS12 12

12 Application level gateway Proxy server: i.e. SQUID Advantages: Higher security than packet filters because they allow deep inspection of all data exchanged, and hide the internal IP addresses of clients/servers to the outside world. Only need to scrutinize a few allowable applications. Easy to log and audit all incoming traffic. Disadvantages: Additional processing overhead on each connection (gateway is a splice point). Slow, must understand individual application layer protocols, limitations with encrypted data. Products: Check Point Web Intelligence, F5 Traffic Shield, ModSecurity... NS HS12 13

13 Circuit level gateway Stand-alone system or specialized function performed by an applicationlevel gateway:! Sets up two TCP connections.! The gateway typically relays TCP segments from one connection to the other without examining the contents.! Typically it is used when the system administrator trusts the internal users.! An example is the package a protocol which via a proxy server connects two trusted machines. RFC 1928 describes the current version (5) of. NS HS12 14

14 Bastion host Definition: A system (HW + SW) identified by the firewall administrator as a critical strong point in the network s security. M. Ranum says: a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software. The bastion host serves as a platform for an application-level or circuitlevel gateway. In a certain sense either a firewall or a router are bastion hosts that operates on datagrams. NS HS12 15

15 Firewalls' configurations In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible. Three common configurations: 1. Screened host firewall, single-homed bastion configuration; 2. Screened host firewall, dual-homed bastion host configuration; 3. Screened-subnet firewall system (DMZ: demilitarised zone). NS HS12 16

16 Single homed bastion host configuration (1) Firewall consists of two systems: Single user may Use the Internet directly A packet-filtering router A bastion host Configuration for the packet-filtering router: Only packets from and to the bastion host are allowed to pass through the router The bastion host performs authentication and proxy functions NS HS12 17

17 Single homed bastion host configuration (2) Greater security than single configurations for two reasons:! This configuration implements both packet-level and application-level filtering (allowing a flexible security policy).! An intruder must generally penetrate two separate systems. This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server). NS HS12 18

18 Dual homed bastion host configuration! The packet-filtering router is not a single point of failure if it is completely compromised.! The traffic between the Internet and other hosts on the private network must flow through the bastion host NS HS12 19

19 Screened subnet configuration (1) Two packet-filtering routers are used 1 and 2. Router 2 creates an isolated sub-network connected to the outside world through a DMZ: Demilitarized Zone. In a typical DMZ configuration for a small company, a separate computer (or host in network terms) receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested. It is the most secure configuration of the three and the one which is used more often in practice. NS HS12 20

20 Screened subnet configuration (2) Advantages: 1. Three levels of defense to thwart intruders. They can namely only attack hosts in the DMZ without affecting the internal networks. 2. The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet); 3. The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet). NS HS12 21

21 Types of attacks on firewalls All known attacks' strategies are applicable: IP address spoofing: see previous slides "Taxonomy of networks attacks" Source routing attacks: see previous slides "Taxonomy of networks attacks" Tiny fragment attacks : is a class of attack on Internet firewalls that takes advantage of the possibility to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed. NS HS12 22

22 Tiny fragment attack Fragmentation is the term given to the process of breaking down an IP datagram into smaller packets to be transmitted over different types of network media and then reassembling them at the other end. (See RFC 791). If the fragment is tiny enough to split part of the TCP header into the next fragment then the TCP flags field is forced into the second fragment and filters that attempt to drop connection requests will be unable to test these flags in the first octet thereby ignoring them in subsequent fragments. Normal situation Abnormal situations: Cracker's attack NS HS12 23

23 Some remarks about proxies At the application level! dedicated proxy (e.g. HTTP) At the circuit level! generic proxy almost generic proxy for Microsoft But some protocols are natural to proxy because they use daemons per default : ( ) (Net news) (Domain Name System) (Network Time Protocol) NS HS12 24

24 Firewall architecture with daemons Telnet proxy FTP proxy Proxy can pre- and post-process information before reaching the target SMTP proxy Telnet daemon FTP daemon SMTP daemon Network Connection Daemon spawns proxy when communication is detected NS HS12 25

25 Linux netfilter/iptables NS HS12 26

26 Linux is part of Linux kernel since 2.4.x as successor of and. It enables packetfiltering, network address translation ( ) and general packet mangling (i.e. it refers to the normal process of intentionally altering data in IP packet headers before or after the routing process).! is a mechanism that allows to extract any packet from the network stack to analyse, modify and re-inject it.! is a generic table structure inside the kernel for the definition of rule sets on the packets is also the name of a Linux command line tool to configure the tables.! Three tables are defined in the kernel:,,! and are primarily used to implement a packet-filtering firewall NS HS12 27

27 Structure of Every table contains chains where rules can be inserted:! There are five pre-defined chains in the kernel! The rules in the chains are applied to the packets as they travel to a host! The chain defines the moment at which the rules are applied Not all chains types can be used in every table:! table:, and! table:, and (rarely used)! table: all chains NS HS12 28

28 How a chain works A chain contains rules that decide what to do with a packet:! A rule has packet criteria (for matching) and an associated action;! Rules are checked in the order they are inserted in the chain;! If a rule matches, the corresponding action is performed;! After a rule has matched, the rest of the chain is ignored!! Every chain has a policy that decides what to do with a packet if no rule matches NS HS12 29

29 Rules for commands can be entered manually or via a shell script: Specify the table (-t, default filter), the chain, the packet criteria and target. Specification of packet criteria:! : incoming or outgoing interface (e.g. eth0, eth1, ppp0)! : source and destination IP address or network (e.g , /24)! : Protocol (e.g. tcp, udp, icmp)! : source and destination port (e.g. 22, 25, 80, 200:210, ssh, smtp, www)! : ICMP type (e.g. echo-request, destination-unreachable)! : TCP flags (e.g. SYN, RST) Actions for filter table (target) -j:! : accept the packet! : silently drop the packet! : drop the packet and send back an ICMP error-message NS HS12 30

30 An example of usage of Firewall configuration: Direction of data traffic NS HS12 31

31 entries (1) General rule: Deny everything that is not explicitly allowed. 1. Setting up the policy for the filter chains: Without any further rules, the firewall will now simply block everything. This is an excellent starting point to add rules. 2. Flushing (emptying) a/all chain(s), should be always done before adding the firewall rules: 3. Listing the rules (of a chain): NS HS12 32

32 entries (2) Allow any host from the external network (eth2) to communicate with the DNS server ( ) in the DMZ (eth1)!! This is not enough, we must also allow traffic to be sent back:!! Allow internal hosts (eth0, /24) to ping the firewall:!!!! Allow internal hosts to connect to web servers on the external network:!!!! NS HS12 33

33 Stateless firewalls It is quite cumbersome to always configure a rule for both directions. This is necessary because we have assumed a stateless packet-filter, i.e.:! Each IP packet is handled in complete isolation from all others;! The firewall does not keep track of the on-going communications; Stateless packet-filtering firewalls have additional limitations:! Firewalls are more open than needed: replies from a server are allowed without a previous request from a client! They have limited support for complex protocols (ftp, multimedia protocols) where a control connections opens additional data connections. NS HS12 34

34 Stateful firewalls The solution to many of these problems is given by the stateful firewalls. Stateful means that the firewall not only checks individual packets, but tracks sessions and maintains a state table until they are closed. A typical entry in this state table consists of: protocol, source/destination IP addresses, ports, session duration, protocol phase (TCP).! TCP sessions are easy to track: from SYN to FIN;! More difficult are UDP/ICMP protocols, but requests/replies can be associated to them (IP addresses, ports with UDP), and one can use timeouts to remove state information. Stateful firewalls have significant advantages:! They are easier to configure because fewer rules need to be specified;! They allow return traffic only on demand, no static rules for return traffic are necessary;! They allow support for complex protocols, often together with application data inspection (e.g. scan traffic for Port commands, only open this port). NS HS12 35

35 Stateful packet filtering with support stateful packet-filtering.! Provided by the kernel module! Additional modules provide support for some complex protocols (ftp etc.)! Using the state option allows to configure rules that take the state information currently stored into account. A packet can be in one of four states, which is specified with the option:! : a packet which creates a new session (no state stored yet)! : a packet which belongs to an existing session (e.g. any TCP packet following the initial SYN or an ICMP echo reply message).! : a packet which is related to an existing session, such as an ICMP error packet, or a packet establishing an ftp data connection.! : a packet which is not associated with a known session, e.g. an ICMP error packet which doesn't correspond to any known session; packets should be dropped. NS HS12 36

36 Stateful filtering examples with Allow everything that belongs to an established or related session!!! Allow any host from the external network (eth2) to communicate with the DNS server ( ) in the DMZ (eth1)!! Allow internal hosts (eth0, /24) to ping the firewall:!!! Allow internal hosts to connect to web servers on the external network:!! NS HS12 37

37 Network Address Translation (NAT) NAT means that source or destination addresses of packets are rewritten as they travel through a router or through a firewall. We have different NAT combinations: here we consider only source port address translation (named source PAT or simply source NAT). Remember that hosts in a network behind a NAT router/firewall should have private IP, i.e.:! Addresses ( /8, /12 and /16)! Private IP addresses are not routed in the public Internet So the NAT router/firewall translates source IP address and port of packets to its own public external IP address and an own port! Maintains an internal state table to translate packets coming back;! Traditionally used to save IP addresses! but also a good idea from a security point of view! Typically used for the internal network;! Hides the internal network structure from the outside;! Prevents the internal hosts/services from being accessed from the outside (unless destination NAT is used). NS HS12 38

38 NAT with support source and destination NAT. Scenario:! Internal network (interface eth0) has IP addresses /24! Perform source NAT when communicating from internal to external network! is necessary, because we are building the table! The action (target) simply uses the IP address of the outgoing interface ( ) to translate the internal IP addresses NS HS12 39

39 Firewalls are not the silver bullet solution Firewalls are important security components and are definitely beneficial. They blocks a lot of unwanted traffic before it enters the environment they should defend. They control access from and to the outside at centralised points: this is much simpler than controlling the services on each individual host and more important they can hide the internal network structure from outsiders. But they do not solve all the security problems.! Firewalls usually assume the bad guys are on the outside - this is not always the case (consider mobile users connecting internally with their virus-infected laptops)! Firewalls always allow some traffic to some servers, which can themselves have vulnerabilities (e.g. application layer attacks)! Circumventing firewalls (usually unwanted) often happens: internal users installing modems, rogue access points! More and more programs use firewall-friendly protocols such as http on port 80 for anything, it is difficult to control/block such traffic.! Everything can be tunnelled trough an encrypted connection. NS HS12 40

40 Bibliography E. D. Zwicky, S. Cooper, D. B. Chapman : Building Internet Firewalls" 2 nd Edition,2005, O'Reilly W. R Cheswick, S. M. Bellovin, A. D. Rubin : "Firewall and Internet security" 2 nd Edition 2004, Addison-Wesley Professional Series NS HS12 41

41 Appendix A: options (1) -A Appends the rule to the end of the specified chain. This is the command used to add a rule when rule order in the chain does not matter. -C Checks a particular rule before adding it to the user-specified chain. This command can help you construct complicated rules by prompting you for additional parameters and options. -D Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain). You can also type the entire rule, and deletes the rule in the chain that matches it. -E Renames a user-defined chain. This does not affect the structure of the table. -F Flushes the selected chain, which effectively deletes every rule in the the chain. If no chain is specified, this command flushes every rule from every chain. -h Provides a list of command structures, as well as a quick summary of command parameters and options. -I Inserts a rule in a chain at a point specified by a user-defined integer value. If no number is specified, places the command at the top of the chain. Caution: Be aware when using the -A or -I option that the order of the rules within a chain are important for determining which rules apply to which packets. NS HS12 42

42 Appendix A: options (2) -L Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table: -N Creates a new chain with a user-specified name. -P Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent on to the specified target, such as ACCEPT or DROP. -R Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one. -X Deletes a user-specified chain. Deleting a built-in chain for any table is not allowed. -Z Zeros the byte and packet counters in all chains for a table. NS HS12 43

43 Appendix B: shell script for (2) NS HS12 44

44 Appendix B: shell script for (2) NS HS12 45