Firewalls. Chapter 3

Transcription

1 Firewalls Chapter 3 1

2 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border Firewall Internal Corporate Network (Trusted) Attacker 2

3 Types of Firewall Inspection Packet Inspection Examines IP, TCP,UDP, and ICMP header contents Static packet filtering looks at individual packets in isolation. Misses many attacks Stateful inspection inspects packets in the context of the packet s role in an ongoing or incipient conversation Stateful inspection is the proffered packet inspection method today 3

4 Types of Firewall Inspection Application Inspection Examines application layer messages Stops some attacks that packet inspection cannot Network Address Translation Hides the IP address of internal hosts to thwart sniffers Benignly spoofs source IP addresses in outgoing packets 4

5 Types of Firewall Inspection Denial-of-Service Inspection Recognizes incipient DoS attacks and takes steps to stop them Limited to a few common types of attacks Authentication Only packets from users who have proven their identity are allowed through Not commonly user, but can be valuable 5

6 Types of Firewall Inspection Virtual Private Network Handling Virtual private networks offer message-bymessage confidentiality, authentication, message integrity, and anti-replay protection VPN protection often works in parallel with other types of inspection instead of being integrated with them 6

7 Types of Firewall Inspection Integrated Firewalls Most commercial products combine multiple types of filtering Some freeware and shareware firewall products offer only one types of filtering 7

8 Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall Architecture Configuring, Testing, and Maintenance 8

9 Firewall Hardware and Software Screening Router Firewalls Add firewall software to router Usually provide light filtering only Expensive for the processing power usually must upgrade hardware, too 9

10 Firewall Hardware and Software Screening Router Firewalls Screens out incoming noise of simple scanning attacks to make the detection of serious attacks easier Good location for egress filtering can eliminate scanning responses, even from the router 10

11 Firewall Hardware and Software Computer-Based Firewalls Add firewall software to server with an existing operating system: Windows or UNIX Can be purchased with power to handle any load Easy to use because know operating system 11

12 Firewall Hardware and Software Computer-Based Firewalls Firewall vendor might bundle software with hardened hardware and operating system software General-purpose operating systems result in slower processing 12

13 Firewall Hardware and Software Computer-Based Firewalls Security: Attackers may be able to hack the operating system Change filtering rules to allow attack packets in Change filtering rules to drop legitimate packets 13

14 Firewall Hardware and Software Firewall Appliances Boxes with minimal operating systems Therefore, difficult to hack Setup is minimal Not customized to specific firm s situation Must be able to update 14

15 Firewall Hardware and Software Host Firewalls Installed on hosts themselves (servers and sometimes clients) Enhanced security because of host-specific knowledge For example, filter out everything but webserver transmissions on a webserver 15

16 Firewall Hardware and Software Host Firewalls Defense in depth Normally used in conjunction with other firewalls Although on single host computers attached to internet, might be only firewall 16

17 Firewall Hardware and Software Host Firewalls If not centrally managed, configuration can be a nightmare Especially if rule sets change frequently 17

18 Firewall Hardware and Software Host Firewalls Client firewalls typically must be configured by ordinary users Might misconfigure or reject the firewall Need to centrally manage remote employee computers 18

19 Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Complexity of Filtering: Number of Filtering Rules, Complexity Of rules, etc. Performance Requirements Traffic Volume (Packets per Second) 19

20 Firewalls Types of Firewalls Inspection Methods Static Packet Inspection Stateful Packet Inspection NAT Application Firewalls Firewall Architecture Configuring, Testing, and Maintenance 20

21 Static Packet Filter Firewall Corporate Network The Internet Permit (Pass) IP-H TCP-H Application Message IP-H UDP-H Application Message Deny (Drop) IP-H ICMP Message Log File Static Packet Filter Firewall Arriving Packets Examined One at a Time, in Isolation Only IP, TCP, UDP and ICMP Headers Examined 21

22 Access Control List (ACL) For Ingress Filtering at a Border Router 1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = *.* to *.*, DENY [private IP address range] 3. If source IP address = *.*, DENY [private IP address range] 4. If source IP address = *.*, DENY [internal address range] 22

23 Access Control List (ACL) for Ingress Filtering at a Border Router 5. If source IP address = , DENY [black-holed address of attacker] 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet] 7. If destination IP address = AND TCP destination port=80 OR 443, PASS [connection to a public webserver] 23

24 Access Control List (ACL) for Ingress Filtering at a Border Router 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside] 9. If TCP destination port = 20, DENY [FTP data connection] 10. If TCP destination port = 21, DENY [FTP supervisory control connection] 24

25 Access Control List (ACL) for Ingress Filtering at a Border Router 11. If TCP destination port = 23, DENY [Telnet data connection] 12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients] 13. If TCP destination port = 513, DENY [UNIX rlogin without password] 14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login] 25

26 Access Control List (ACL) for Ingress Filtering at a Border Router 15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure] 16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary] 17. If ICMP Type = 0, PASS [allow incoming echo reply messages] DENY ALL 26

27 Access Control List (ACL) for Egress Filtering at a Border Router 1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = *.* to *.*, DENY [private IP address range] 3. If source IP address = *.*, DENY [private IP address range] 4. If source IP address NOT = *.*, DENY [not in internal address range] 27

28 Access Control List (ACL) for Egress Filtering at a Border Router 5. If ICMP Type = 8, PASS [allow outgoing echo messages] 6. If Protocol=ICMP, DENY [drop all other outgoing ICMP messages] 7. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning] 8. If source IP address = and TCP source port = 80 OR 443, PERMIT [public webserver] 28

29 Access Control List (ACL) for Egress Filtering at a Border Router 9. If TCP source port=0 through 49151, DENY [well-known and registered ports] 10. If UDP source port=0 through 49151, DENY [well-known and registered ports] 11. If TCP source port =49152 through 65,536, PASS [allow outgoing client connections] 29

30 Access Control List (ACL) for Egress Filtering at a Border Router 12. If UDP source port = through 65,536, PERMIT [allow outgoing client connections] 13. DENY ALL 30

32 Stateful Inspection Firewalls State of Connection: Open or Closed State: Order of packet within a dialog Often simply whether the packet is part of an open connection 32

33 Stateful Inspection Firewalls Stateful Firewall Operation For TCP, record two IP addresses and port numbers in state table as OK (open) (Figure 5-9) By default, permit connections from internal clients (on trusted network) to external servers (on untrusted network) This default behavior can be changed with an ACL Accept future packets between these hosts and ports with little or no inspection 33

34 Stateful Inspection Firewall Operation I 1. TCP SYN Segment From: :62600 To: :80 2. Establish Connection 3. TCP SYN Segment From: :62600 To: :80 Internal Client PC Note: Outgoing Connections Allowed By Default Stateful Firewall External Webserver Connection Table Type Internal IP Internal Port External IP External Port Status TCP OK 34

35 Stateful Inspection Firewall Operation I Internal Client PC TCP SYN/ACK Segment From: :80 To: :62600 Stateful Firewall 5. Check Connection OK 4. TCP SYN/ACK Segment External From: :80 Webserver To: : Connection Table Type Internal IP Internal Port External IP External Port Status TCP OK 35

36 Stateful Inspection Firewalls Stateful Firewall Operation For UDP, also record two IP addresses in port numbers in the state table Connection Table Type Internal IP Internal Port External IP External Port Status TCP OK UDP OK 36

37 Stateful Inspection Firewalls Static Packet Filter Firewalls are Stateless Filter one packet at a time, in isolation If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection But stateful firewalls can (Figure 5-10) 37

38 Stateful Firewall Operation II Stateful Firewall Internal Client PC Connection Table 2. Check Connection Table: No Connection Match: Drop 1. Spoofed TCP SYN/ACK Segment From: :80 To: :64640 Attacker Spoofing External Webserver Type Internal IP Internal Port External IP External Port Status TCP OK UDP OK 38

39 Stateful Inspection Firewalls Static Packet Filter Firewalls are Stateless Filter one packet at a time, in isolation Cannot deal with port-switching applications But stateful firewalls can (Figure 5-11) 39

40 Port-Switching Applications with Stateful Firewalls 1. TCP SYN Segment From: :62600 To: :21 2. To Establish Connection 3. TCP SYN Segment From: :62600 To: :21 Internal Client PC State Table Stateful Firewall External FTP Server Type Internal IP Internal Port External IP External Port Status Step 2 TCP OK 40

41 Port-Switching Applications with Stateful Firewalls Internal Client PC TCP SYN/ACK Segment From: :21 To: :62600 Use Ports 20 and for Data Transfers Stateful Firewall 5. To Allow, Establish Second Connection 4. TCP SYN/ACK Segment From: :21 To: :62600 Use Ports 20 and for Data Transfers External FTP Server State Table Type Internal IP Internal Port External IP External Port Status Step 2 TCP OK Step 5 TCP OK 41

42 Stateful Inspection Firewalls Stateful Inspection Access Control Lists (ACLs) Primary allow or deny applications Simple because probing attacks that are not part of conversations do not need specific rules because they are dropped automatically In integrated firewalls, ACL rules can specify that messages using a particular application protocol or server be authenticated or passed to an application firewall for inspection 42

44 Network Address Translation (NAT) From , Port From , 1 Port Internet Client To , Port NAT Firewall Translation Table 3 To , Port IP Addr Internal Port Sniffer IP Addr External Server Host Port

46 Application Firewall Operation 1. HTTP Request From Filtering 3. Examined HTTP Request From Examined 4. HTTP Browser HTTP Proxy Response to Webserver HTTP Application Response To Filtering on Post Out, Hostname, URL, MIME, etc. In Client PC FTP Proxy Outbound Filtering on Put Application Firewall SMTP ( ) Proxy Inbound and Outbound Filtering on Obsolete Commands, Content Webserver

47 Header Destruction With Application Firewalls Arriving Packet App MSG (HTTP) Orig. TCP Hdr Orig. IP Hdr Header Removed App MSG (HTTP) App MSG (HTTP) New Packet New TCP Hdr New IP Hdr Attacker Application Firewall Webserver Application Firewall Strips Original Headers from Arriving Packets Creates New Packet with New Headers This Stops All Header-Based Packet Attacks 47

48 Protocol Spoofing Trojan Horse 2. Protocol is Not HTTP Firewall Stops The Transmission Internal Client PC Trojan Transmits on Port 80 to Get Through Simple Packet Filter Firewall Application Firewall X Attacker

49 Circuit Firewall Webserver Passed Transmission: No Filtering 4. Reply Circuit Firewall (SOCKS v5) Authentication 2. Transmission 5. Passed Reply: No Filtering External Client

50 Firewalls Types of Firewalls Inspection Methods Firewall Architecture Single site in large organization Home firewall SOHO firewall router Distributed firewall architecture Configuring, Testing, and Maintenance 50

51 Single-Site Firewall Architecture for a Larger Firm with a Single Site 3. Internal Firewall x Subnet 2. Main Firewall Last Rule=Deny All 1. Screening Router Last Rule=Permit All Internet 4. Client Host Firewall Public Webserver External DNS Server DMZ Marketing Client on x Subnet Accounting Server on x Subnet 5. Server Host Firewall SMTP Relay Proxy HTTP Proxy Server

52 Home Firewall PC Firewall Internet Service Provider Always-On Connection Coaxial Cable Broadband Modem UTP Cord Home PC 52

53 SOHO Firewall Router Internet Service Provider Broadband Modem (DSL or Cable) UTP UTP SOHO Router --- Router DHCP Sever, NAT Firewall, and Limited Application Firewall Ethernet Switch UTP User PC User PC Many Access Routers Combine the Router and Ethernet Switch in a Single Box User PC 53

54 Distributed Firewall Architecture Management Console Internet Home PC Firewall Site A Site B 54

55 Other Security Architecture Issues Host and Application Security Antivirus Protection Intrusion Detection Systems Virtual Private Networks Policy Enforcement System 55

56 Firewalls Types of Firewalls Inspection Methods Firewall Architecture Configuring, Testing, and Maintenance 56

57 Configuring, Testing, and Maintaining Firewalls Firewall Misconfiguration is a Serious Problem ACL rules must be executed in series Easy to make misordering problems Easy to make syntax errors 57

58 Configuring, Testing, and Maintaining Firewalls Create Policies Before ACLs Policies are easier to read than ACLs Can be reviewed by others more easily than ACLs Policies drive ACL development Policies also drive testing 58

59 Configuring, Testing, and Maintaining Firewalls Must test Firewalls with Security Audits Only way to tell if policies are being supported Must be driven by policies Maintaining Firewalls New threats appear constantly ACLs must be updated constantly if firewall is to be effective 59

60 FireWall-1 Modular Management Architecture Application Module (GUI) Create, Edit Policies Policy Log Files Management Module Stores Policies Stores Log Files Policy Firewall Module Enforces Policy Sends Log Entries Application Module (GUI) Read Log Files Log File Data Log File Entry Firewall Module Enforces Policy Sends Log Entries 60

61 FireWall-1 Service Architecture 2. Statefully Filtered Packet 1. Arriving Packet Internal Client 3. DoS Protection Optional Authentications FireWall-1 Firewall 4. Content Vectoring Protocol External Server 5. Statefully Filtered Packet Plus Application Inspection Third-Party Application Inspection Firewall 61

62 Security Level-Based Stateful Filtering in PIX Firewalls Automatically Accept Connection Security Level Inside=100 Security Level Outside=0 Router Internet Automatically Reject Connection Security Level=60 Internal Network Connections Are Allowed from More Secure Networks to Less Secure Networks 62