Related Chapters. Firewalls: CHAPTER 29, Firewalls

Transcription

1 Firewalls

2 Related Chapters Firewalls: CHAPTER 29, Firewalls 2

3 OSI Reference Model END USER A END USER B Application Layer Application Layer higher level protocols Presentation Layer Session Layer Transport Layer End user functions Presentation Layer Session Layer Transport Layer higher level protocols lower level protocols or network services Network Layer Data Link Layer Physical Layer Network functions PHYSICAL MEDIUM Network Layer Data Link Layer Physical Layer lower level protocols or network services 3

4 OSI Reference Model END USER A END USER B higher level protocols higher level protocols lower level protocols or network services SOURCE NODE INTERMEDIATE NETWORK NODE DESTINATION NODE lower level protocols or network services 4

5 Basic Protocols on TCP/IP Protocol Stack layer 5-7 TELNET FTP SMTP HTTP 4 TCP UDP 3 2 IP Ethernet Token-Ring ATM 5

6 Basic Protocols on TCP/IP Protocol Stack IP (Internet Protocol) connectionless routing of packets UDP (User Datagram Protocol) unreliable datagram protocol TCP (Transmission Control Protocol) connection-oriented, reliable, transport protocol 6

7 Basic Protocols on TCP/IP Protocol Stack TELNET: remote terminal FTP (File Transfer Protocol) TFTP (Trivial File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) RPC (Remote Procedure Call) HTTP (Hyper Text Transfer Protocol) and others 7

8 Some Security related Protocols Apps S/MIME, Proxies, SET, PGP Application Layer TCP SOCKS Transport Layer IP Net driver Packet filtering Tunneling (L2TP, PPTP, L2F), CHAP (challenge handshake protocol) PAP (password auth. protocol), MS-CHAP Network Layer Data link Layer 8

9 More Security related Protocols layer TELNET FTP SMTP HTTP DNS SSL RIP EGP TCP UDP BGP 3 ICMP IPSEC IP ARP RARP 2 Ethernet Token-Ring ATM 9

10 IP Packet header data carries a layer 4 protocol TCP, UDP or a layer 3 protocol ICMP, IPSEC, IP 10

11 TCP inside IP IP HEADER TCP HEADER 11

12 IP Header Format version: 4bit, currently v4 header length: 4 bit, length in 32 bit words TOS (type of service): unused total length: 16 bits, length in bytes identification, flags, fragment offset: total 16 bits used for packet fragmentation and reassembly TTL (time to live): 8 bits, used as hop count Protocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP header checksum: 16 bit checksum source address: 32 bit IP address destination address: 32 bit IP address 12

13 IP Header Format options source routing enables route of a packet and its response to be explicitly controlled route recording timestamping security labels 13

14 TCP Header Format source port number source IP address + source port number is a socket: uniquely identifies sender destination port number destination IP address + destination port number is a socket : uniquely identifies receiver SYN and ACK flags sequence number acknowledgement number 14

15 UDP Header Format source port number source IP address + source port number is a socket: uniquely identifies sender destination port number destination IP address + destination port number is a socket: uniquely identifies receiver 15

16 Basic TCP/IP Vulnerabilities many dangerous implementations of protocols sendmail many dangerous protocols NFS, X11, RPC many of these are UDP based 16

17 Basic TCP/IP Vulnerabilities solution allow a restricted set of protocols between selected external and internal machines otherwise known as firewalls 17

18 Ultimate Vulnerability IP packet carries no authentication of source address IP spoofing is possible IP spoofing is a real threat on the Internet IP spoofing occurs on other packet-switched networks also, such as Novell s IPX 18

19 Network Threat Examples - IP Spoofing A common first step to many threats. Source IP address cannot be trusted! SRC: source DST: destination IP Header SRC: DST: IP Payload Is it really from Columbia University? 19

20 Similar to US Mail (or ) From: President White House To: John Smith UNCC US mail maybe better in that there is a stamp put on the envelope at the location (e.g., town) of collection... 20

21 Most Routers Only Care About Destination Address xx Rtr src: dst: CS.Harvard.edu Rtr xx.xx xx Rtr UNCC Stanford src: dst:

22 Router Filtering Decide whether this packet, with certain source IP address, should come from this side of network. Hey, you shouldn t be here! xx Rtr Stanford src: dst: Not standard - local policy. 22

23 Router Filtering Very effective for some networks (ISP should always do that!) At least be sure that this packet is from some particular subnet Problems: Hard to handle frequent add/delete hosts/subnets or mobileip Upsets customers should legitimate packets get discarded Need to trust other routers 23

24 TCP Handshake client SYN seq=x server SYN seq=y, ACK x+1 ACK y+1 connection established 24

25 TCP Handshake xx Rtr seq=y, ACK x+1 CS.Harvard.edu Rtr xx.xx xx Stanford Rtr src: dst: x UNCC The handshake prevents the attacker from establishing a TCP connection pretending to be

26 TCP Handshake Very effective for stopping most such attacks Problems: The attacker can succeed if y can be predicted Other DoS attacks are still possible (e.g., TCP SYN-flood) 26

27 Good References for Internetworking Dauglas Comer, Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 6th edition, 2013, Pearson. Kevin R. Fall & W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, 2/E, 2012, Pearson. 27

28 DOMAIN NAME SERVICES (DNS) 28

29 Domain Name Services The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS My Example Blog Spot Vacation Savings 29

30 DNS DNS provides a distributed database over the internet that stores various resource records, including: Address (A) record: IP address associated with a host name Mail exchange(mx) record: mail server of a domain Name server (NS) record: authoritative server for a domain Example DNS entries from 30

31 Name Servers Name Servers Domain names: Two or more labels, separated by dots (e.g., cs166.net) Rightmost label is the top-level domain (TLD) Hierarchy of authoritative name servers Information about root domain Information about its subdomains (A records) or references to other name servers (NS records) The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc. Root servers, and servers for TLDs change infrequently DNS servers refer to other DNS servers by name, not by IP: sometimes must bootstrap by providing an IP along with a name, called a glue record 31

32 DNS Tree google.com A google.com A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.google.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### A xxx.com ########### com microsoft.com Amicrosoft.com A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### A xxx.microsoft.com ########### edu xyz.edu abc.edu A stanford.edu A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### A xxx.stanford.edu ###.### resource records A brown.edu A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.brown.edu ###.### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ########### A xxx.edu ###########... it.abc.edu A cs.brown.edu A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### A xxx.brown.edu ### 32

33 Namespace Management ICANN: Internet Corporation for Assigned Names and Numbers ICANN has the overall responsibility for managing DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry Along with a small set of general TLDs, every country has its own TLD -- (ctlds) controlled by the government. ICANN is the governing body for all general TLDs Until 1999 all.com,.net and.org registries were handled by Network Solutions Incorporated. After November, 1999, ICANN and NSI had to allow for a shared registration system and there are currently over 500 registrars in the market 33

34 Top Level Domains Started in 1984 Originally supposed to be named by function.com for commercial websites,.mil for military Eventually agreed upon unrestricted TLDs for.com,.net,.org,.info In 1994 started allowing country TLDs such as.it,.us Tried to move back to hierarchy of purpose in 2000 with creation of.aero,.museum, etc. 34

35 Name Resolution Zone: collection of connected nodes with the same authoritative DNS server Resolution method when answer not in cache: Client Where is ISP DNS Server Where is Try com nameserver Where is Try example.com nameserver Where is root name server com name server example.com name server 35

36 Recursive Name Resolution Server B Resolver cache Local Machine Application Resolver cache Server A Resolver cache 36

37 Iterative Name Resolution. (root) Resolver 1 cache.com Local Name Server Application Resolver cache 2 google.com Resolver Resolver cache 3 cache 37

38 Authoritative Name Servers Control distributed among authoritative name servers (ANSs) Responsible for specific domains Can designate other ANS for subdomains ANS can be master or slave (M+S) Master contains original zone table Slaves are replicas, automatically updating M+S make DNS fault tolerant, automatically distributes load ANS must be installed as a NS in parents' zone 38

39 Dynamic Resolution Many large providers have more than one authoritative name server for a domain Problem: need to locate the instance of domain geographically closest to user Proposed solution: include first 3 octets of requester's IP in recursive requests to allow better service Content distribution networks already do adaptive DNS routing 39

40 DNS Caching There would be too much network traffic if a path in the DNS tree would be traversed for each query Root zone would be rapidly overloaded DNS servers cache results for a specified amount of time Specified by ANS reply's time-to-live field Operating systems and browsers also maintain resolvers and DNS caches View in Windows with command ipconfig /displaydns Associated privacy issues DNS queries are typically issued over UDP on port bit request identifier in payload 40

41 DNS Caching Step 1: query yourdomain.org Local Machine Application Resolver cache query Local NS Resolver cache query Authoritative Name Server Step 2: receive reply and cache at local NS and host Local Machine Application Resolver cache answer Local NS Resolver cache answer Authoritative Name Server 41

42 DNS Caching (con'd) Step 3: use cached results rather than querying the ANS Local Machine 1 Application Resolver Local NS Resolver Local Machine 2 Application cache Resolver cache query answer cache Step 4: Evict cache entries upon ttl expiration 42

43 Pharming: DNS Hijacking Changing IP associated with a server maliciously: Normal DNS Pharming attack My Premium Blog Spot My Premium Blog Spot userid: password: Phishing: the different web sites look the same. userid: password: 43

44 DNS Cache Poisoning Basic idea: give DNS servers false records and get it cached DNS uses a 16-bit request identifier to pair queries with answers Cache may be poisoned when a name server: Disregards identifiers Has predictable ids Accepts unsolicited DNS records 44

45 DNS Prevention Cache of Poisoning DNS Cache Prevention Poisoning Use random identifiers for queries Always check identifiers Port randomization for DNS requests Deploy DNSSEC Challenging because it is still being deployed and requires reciprocity 45

46 DNSSEC (Signed DNS) Guarantees Authenticity of DNS answer origin Integrity of reply Authenticity of denial of existence Accomplishes this by digitally signing DNS replies at each step of the way Typically use trust anchors, entries in the OS to bootstrap the process 46

47 DNS Signing 47

48 Notes DNSSEC DNS replies are NOT encrypted --- no confidentiality DNSCrypt/DNSCurve encrypts all DNS traffic; but confidentiality evaporates millisecs later when visiting the returned IP address. Does the added cost worth it? Entries on DNS servers are signed offline; signing keys not loaded & no on-the-fly signing For fear of DoS attack For fear of the all-important signing keys being compromised 48

49 DNSSEC Deployment As the internet becomes regarded as critical infrastructure there is a push to secure DNS NIST is in the process of deploying it on root servers now May add considerable load to DNS servers with packet sizes considerably larger than 512 byte size of UDP packets There are political concerns with the US controlling the root level of DNS 49

50 DNS Tools dig dig domain_name dig Reverse lookup dig x ip_address host command host domain_name Reserver lookup host ip_address 50

51 MORE EXAMPLES OF ATTACKS 51

52 IP Spoofing & Sync Flooding X establishes a TCP connection with B assuming A s IP address A (4) SYN(seq=n)ACK(seq=m+1) (2) predict B s TCP seq. behavior B (1) SYN Flood (3) X 52

53 icmp echo request icmp echo reply ping icmp echo request to a broadcast address: from victim attacker victim icmp echo reply from all hosts to victim smurf 53

54 Smurf Attack Generate ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host Amplified ping reply stream can easily overwhelm the victim s network Fraggle and Pingpong exploit UDP in a similar way 54

55 Distributed DoS (DDoS) Attacks masters zombies attacker victim 55

56 Amplification Attack Public server (abused as amplifier) Attacker Compromised hosts Target 56

57 Examples of Amplification Attack 1. DNS Amplification Attack 2. NTP Amplification Attack Public server NTP (network time protocol) server Amplification factor REQ_MON_GETLIST 3660 REQ_MON_GETLIST_

58 The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders. 58

59 FIREWALLS: TYPES & DEPLOYMENT 59

60 What Is a Firewall? External network Firewall internal network 60

61 Ultimate Firewall. Or Is it? External network Air Gap internal network 61

62 62

63 Firewall From Webster s Dictionary: a wall constructed to prevent the spread of fire Internet firewalls are more the moat around a castle than a building firewall Controlled access point 63

64 Firewalls A firewall is responsible for controlling access among devices, such as computers, networks, and servers. The most common deployment is between a secure and an insecure network (see next slide). The main functionality of a firewall is allow/block network traffic; however, advanced firewalls may provide other functions. 64

65 Firewall Deployment 65

66 Firewalls Can: Restrict incoming and outgoing traffic by IP address, ports, or users Block invalid packets 66

67 Firewall in action Device that provides secure connectivity between networks (internal/external; varying levels of trust) Used to implement and enforce a security policy for communication between networks Trusted Networks Intranet Router + Firewall Untrusted Networks & Servers Internet Untrusted Users DMZ Public Accessible Servers & Networks Trusted Users 67

68 Convenient Give insight into traffic mix via logging Network Address Translation Encryption Forms Software packages Dedicated firewall devices Part of comprehensive/unified security appliance Firewall, VPN, IDS, filter, router, etc 68

69 Firewalls Cannot Protect traffic that does not cross it routing around Internal traffic when misconfigured connections which bypass firewall services through the firewall introduce vulnerabilities insiders can exercise internal vulnerabilities 69

70 Access Control ALERT!! Internet Security Requirement Control access to network information and resources Protect the network from attacks 70

71 Firewall Types Types Firewalls can be categorized into three general classes: packet filters, stateful firewalls, and application layer firewalls Also called proxy firewalls, and application gateways Deployment locations Host Firewalls. typically protect only one computer. Host firewalls reside on the computer they are intended to protect and are implemented in software Network Firewalls. typically standalone devices. Located at the gateway(s) of a network (for example, the point at which a network is connected to the Internet), a network firewall is designed to protect all the computers in the internal network. 71

72 Packet Filters Basic firewall type. Filters at network and transport layers. Accepts or rejects based on policy Considers IP address, port numbers, and transport protocol type Only examines the packet header 72

73 Packet Filters Applications Presentations Sessions Transport Network DataLink Physical DataLink Physical Router Applications Presentations Sessions Transport Network DataLink Physical 73

74 Network layer simplified 74

75 Stateful Packet Firewalls Perform the same operations as packet filters but also maintain state about the packets that have arrived. Understand communication "sessions" or "protocols" Allow connection tracking Can associate arriving packets with an accepted departing connection. Can do "deep" packet and session inspection More powerful than packet filtering firewalls Require more resources 75

76 Application Layer Firewalls Application layer firewalls can filter traffic at the network, transport, and application layer. introduces new services, such as proxies. As a result of the proxy the firewall can potentially inspect the contents of the packets Firewalls can be combined with other devices Intrusion Prevention System = Firewall + Intrusion detection systems 76

77 Application Layer Firewalls A good "man-in-themiddle" proxy! Relay for connections Client Proxy Server Mainly used at Application level Understands specific applications Limited proxies available Proxy impersonates both sides of connection Resource intensive process per connection HTTP proxies may cache web pages 77

78 Application Gateways More appropriate to TCP ICMP difficult Block all unless specifically allowed Must write a new proxy application to support new protocols Not trivial! Clients may need to be configured for proxy communication Transparent Proxies 78

79 Application Layer GW/proxy Telnet FTP HTTP Applications Presentations Sessions Transport Network DataLink Physical Applications Presentations Sessions Transport Network DataLink Physical Application Gateway Applications Presentations Sessions Transport Network DataLink Physical 79

80 Choosing The Correct Firewall Which technology to choose: packet filter, stateful firewall, or application firewall host or network firewall software or hardware firewall One needs to understand the current/future security needs. Advanced firewalls are needed for complex tasks. Performance of the firewall must be considered. 80

81 NAT: NETWORK ADDRESS TRANSLATION 81

82 Advance Firewall Features Network Address Translation (NAT), which allows multiple computers to share a limited number of network addresses. Service Service differentiation (such as VoIP) Inspecting packet contents (data). 82

83 NAT IPV4 only Useful if organization does not have enough real IP addresses Extra security measure if internal hosts do not have valid IP addresses (harder to trick firewall) Can use a single fixed IP address for services which must be accessible from outside Dynamic IP address Ok too if external applications are informed of new IP address 83

84 NAT Many-to-1 (n-to-m) mapping 1-to-1 (n-to-n) mapping Proxies provide many-to-1 NAT not required on filtering firewalls 84

85 Encryption (VPNs) Allows trusted users to access sensitive information while traversing untrusted networks Useful for remote users/sites VPNs can be built on IPSec Fast, but require installation of dedicated VPN client on a remote machine SSL Slower, but generally no need to install VPN client 85

86 DMZ: DE-MILITARIZED ZONE 86

87 Network Topology A simple firewall typically separates two networks: one trusted (internal, the corporate network) and one untrusted (external, the Internet). Not all computers in the internal network have the same duties, we need different policies. Introduce Demilitarized Zones (DMZs) most webservers are located in the DMZ instead of the internal network. 87

88 DMZ De-Militarized Zone Usually, a firewall has three interfaces (internal, external, and DMZ). Each interface has a policy to be enforced. If an attacker compromised the DMZ, the internal network is still protected. Front yard = DMZ 88

89 Firewalls and DMZs 89

90 FIREWALL POLICIES AND RULES 90

91 Firewall Security Policies When a packet arrives at a firewall, a security policy is applied to determine the appropriate action. Firewall actions on a packet: Allow a packet. Deny/Drop a packet. Log information about a packet. Firewall policy is a set of ordered rules, each rule consists of a set of tuples and an action. 91

92 Firewall Policies filter incoming and/or outgoing traffic based on a predefined set of rules called firewall policies. Firewall policies Untrusted Internet Trusted internal network 92

93 Firewall Rules Each firewall rule consists of a set of tuples and an action. Each tuple corresponds to a field in the packet header, and there are five such fields for an Internet packet: Protocol, Source Address, Source Port, Destination Address, and Destination Port. Firewall rule tuples can be fully specified or contain wildcards (*) 93

94 Firewall Policy Example 94

95 Rule Matching Process As packets pass through a firewall, their header information is sequentially compared to the fields of a rule. If a packet s header information is a subset of a rule, it is said to be a match, and the associated action, to accept or reject, is performed. Otherwise, the packet is compared to the next sequential rule. This is considered a first-match policy since the action associated with the first rule that is matched is performed. 95

96 Set Theory A tuple can be modeled as a set. For example, assume the tuple for IP source addresses is *. Then this tuple represents the set of 256 addresses that range from to Each tuple of a packet consists of a single value, which is expected, since a packet only has one source and one destination. 96

97 Set Theory The comprehensive sets of a firewall policy are: The set of all accepted packets A(R) The set of all dropped packets D(R) The set of all unmatched packets U(R) All sets are non-overlapping 97

98 Policy Optimization Rules reordering. More commonly matched rules appear earlier Benefits by reducing the number of rule comparisons, speeding processing Must maintain integrity (intent) of the policy. Reordering rules may change the semantic of the policy. Combining rules to form a smaller policy is better in terms of performance as well as management. 98

99 OPEN SOURCE FIREWALLS 99

100 Widely Used Firewalls Technology Linux IPtable OpenBSD PF FreeBSD PFSense For Debian/Ubuntu end users UFW Open Source Firewall Packages Endian Smoothwall Untangle IPCop IPFire Build your own firewall A used desktop computer + 2 network cards 100