Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Transcription

1 s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware or software Which of the following is true about firewalls? a) They are used to protect a whole network against attacks b) They are used to protect single computers against attacks c) Both a and b. 2 Test your knowledge (cont) Which of the following is true about firewalls? a) They are configured to monitor inbound traffic and protect against attacks by intruders b) They are configured to monitor outbound traffic and prevent specific types of messages from leaving the protected network. c) Both a and b 3 1

2 : definition Hardware or software tool used to protect a single host 1 or an entire network 2 by sitting between a trusted network (or a trusted host) and an untrusted network Applying preconfigured rules and/or traffic knowledge to allow or deny access to incoming and outgoing traffic Trusted network PC with based PC with based Network-Based Untrusted network 1 -based or personal firewall 2 network-based firewall 4 Questions What is the main advantage of having a host-based firewall in addition to having a network-based one? Answer: What kind of security issue could be associated with having host-based firewall on users PCs? Answer: Trusted network PC with based PC with based Network-Based Untrusted network 5 Architecture Most firms have multiple firewalls. Their arrangement is called the firm s firewall architecture Internal Screening Router x Main Border Public Webserver Demilitarized Zone (DMZ) External DNS Server Marketing Client on x Accounting Server on x Server on x SMTP Application Proxy Server HTTP Application Proxy Server

3 Architecture Internal Marketing Client on x x Accounting Server on x Main Border Server on x Public Webserver Screening Router Demilitarized Zone (DMZ) External DNS Server The DMZ is a subnet that includes most vulnerable hosts to attacks; i.e. hosts that SMTP provide services HTTP to outside users. Application Common hosts Application in DMZ: Public Proxy web servers, Server Public Proxy DNS Server servers, public FTP servers, proxy servers. 7 in DMZ must be heavily protected. Questions What is a DMZ? Why are public web servers usually put in the DMZ? Why are public DNS servers usually put in the DMZ? Which of the following may be placed in a DMZ? a) A SMTP proxy server b) A server that contains files available for downloading by employees c) An File Transfer Protocol server d) A SQL (Structured Query Language) database server What IP addresses should a DNS server in the DMZ be able to find? a) All company s IP addresses b) Only the IP addresses of the computers in the internal subnet c) Only the IP addresses of the computers in the DMZ You work as the security administrator at King.com. King.com has been receiving a high volume of attacks on the king.com web site. You want to collect information on the attackers so that legal action can be taken. Which of the following can you use to accomplish this? a) A DMZ (Demilitarized Zone). b) A honey pot. c) A firewall. d) None of the above. 8 Basic Operation Passed Legitimate Packet (Ingress) Legitimate Packet 1 Legitimate Packet 2 Border Attack Packet 1 Dropped Packet (Ingress) Log File Internal Corporate Network (Trusted) Passed Packet (Egress) Legitimate Packet 2 Attack Packet 1 1. (Not Trusted) Legitimate Packet 1 Attacker Legitimate User Egress filtering: filtering packets leaving to external networks Ingress filtering: filtering packets coming from external networks 9 3

4 IP-H IP-H Types of s TCP-H UDP-H Static Packet Filtering s (1 st generation) Inspect TCP, UDP, IP headers to make filtering decisions Do static filtering of individual packets based on configured ruleset (or Access Control List) Prevent attacks that use IP or port spoofing, etc. Stateful Packet Filtering s (2 nd generation) Inspect TCP, UDP, IP headers to make filtering decisions Do stateful filtering by checking the firewall s state table for relation of packets to packets already filtered If packet does not match existing connect, ruleset (static filt.) is used If packet matches existing connection, it is allowed to pass Prevent SYN attacks, teardrops, etc. State Table Connection Source IP Destination IP State Application Layer Message Application Layer Message Connection :80 TCP opening Connection :80 Data transfer 10.. Types of s (cont.) Application s (3 rd generation) Also called proxy firewalls Inspect the Application Layer message (e.g. HTTP requests, s, etc. Specialized proxy firewalls more effective than general-purpose HTTP proxy firewalls for HTTP requests SMTP proxy firewalls for SMTP s FTP proxy firewall for FTP-based file transfer requests Prevent malware attacks IP-H IP-H TCP-H UDP-H Application Layer Message Application Layer Message 1. HTTP Request HTTP Proxy 2. Passed inspected HTTP Request Browser 4. Passed inspected HTTP Response Log File 3. HTTP Response Webserver Application 11 Types of s (cont.) Network Address Translation Replace IP address in outgoing message by a spoof IP address Hide internal hosts IP address to outsiders Help prevent IP spoofing attacks using internal IP addresses IP Address Outgoing IP Address Request ID

5 Network Address Translation (Cont) From , Port From , 1 Port Client NAT Sniffer Server Translation Table Internal IP Addr Port External IP Addr Port Network Address Translation (Cont) Client To , Port NAT 3 To , Port Sniffer Server Translation Table Internal IP Addr Port External IP Addr Port Perspective on NAT NAT/PAT NAT does more than network (IP) address translation Also does port number translation Should be called NAT/PAT, but NAT is the common term 15 5

6 s configuration Default configuration (default Rulesets or ACLs) Pass connections initiated by an internal host Deny connections initiated by an external host Can change default configuration with access control lists (ACLs) for ingress and egress filtering ACLs are sets of IF-THEN rules applied in sequential order Automatically Pass Connection Attempt Router Automatically Deny Connection Attempt 16 Trusted network Ingress ACL Untrusted network 1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range] 2 If Source IP Address = *.*, DENY [Private IP Address Range] 3 If Source IP Address = *.*, DENY [Private IP Address Range] 4 If Destination IP Address = AND TCP Destination Port = 80 or 443, PASS 5 If Destination IP Address = *.*, DENY 6 If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection form the outside] 7 If TCP Destination Port = 20, DENY 8 If TCP Destination Port = 135 Trough 139, DENY 9 If UDP Destination Port = 69, DENY 10 DENY ALL Port Number Primary Protocol Application 20 TCP FTP Data Traffic 21 TCP FTP Supervisory Connection. Passwords sent in the clear 23 TCP Telnet. Passwords sent in the clear 25 TCP Simple Mail Transfer Protocol (SMTP) 69 UDP Trivial File Transfer Protocol (TFTP). No login necessary 80 TCP Hypertext Transfer Protocol (HTTP) TCP NETBIOS service for peer-to-peer file sharing in older versions of Windows 443 TCP HTTP over SSL/TLS 17 Trusted network Ingress ACL Untrusted network 1 If Source IP Address = 10.*.*.*, DENY [Private IP Address Range] 2 If Source IP Address = *.*, DENY [Private IP Address Range] 3 If Source IP Address = *.*, DENY [Private IP Address Range] 4 If Destination IP Address = AND TCP Destination Port = 80 or 443, PASS 5 If Destination IP Address = *.*, DENY 6 If Incoming packet TCP SYN = 1 and ACK = 0, DENY [Attempt to open connection form the outside] 7 If TCP Destination Port = 20, DENY 8 If TCP Destination Port = 135 Trough 139, DENY 9 If UDP Destination Port = 69, DENY 10 DENY ALL What kind of messages does Rule 7 block? Why does Rule 5 have to come after Rule 4? Why does Rule 6 have to come after Rule 4? You work as the security administrator for the trusted network. Employees often download files from a FTP (File Transfer Protocol) server located in the untrusted network. What TCP port do you open in the firewall configuration? a) Open port 69 to all inbound connections. b) Open port 69 to all outbound connections. c) Open port 20/21 to all inbound connections. 18 d) Open port 20/21 to all outbound connections. 6

7 Flag Fields (6 bits) URG ACK SYN FIN RST Typical attacks and firewall config. Attacks Typical configuration Comments Ping of death Any packet with Total Length more than maximum allowed is dropped Stateful firewall PSH IP fragmentationbased attacks (e.g. Teardrop) The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to destination. If any problems or errors are found during reassembly, the fragments are dropped. Stateful firewall Smurf Attack The firewall drops any ping responses that are not part of an active session. Stateful firewall Attacks that send TCP URG packets Any TCP packets that have the URG flag set are discarded by the firewall. Land Attack Any packets with the same source and destination IP addresses are discarded. IP broadcast Packets with a broadcast source or destination IP address are discarded. TCP SYN/ACK attack TCP Opening segments that have SYN and ACK flags set AND that are not linked to a TCP SYN request are discarded. Stateful firewall Invalid TCP Segment Number The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall received a segment with an unexpected (or invalid) sequence number, the packet is dropped. Stateful firewall 19 Principles Danger of Overload If a firewall is overloaded and cannot handle the traffic, it drops unprocessed packets This is the safest choice, because attack packets cannot enter the network However, this creates a self-inflicted denialof-service attack 20 Principles (Continued) Danger of Overload So firewalls must have the capacity to handle the traffic Some can handle normal traffic but cannot handle traffic during heavy attacks Need to regularly check firewalls logs: If too much unchecked packets are dropped, then need to upgrade the firewall. 21 7

8 Centralized Management System Management Console Remote Management is needed to reduce management labor Dangerous because if an attacker compromises it, they own the network Remote PCs must be actively managed centrally Home PC Site A Site B 22 Management s are Ineffective without Planning and Maintenance Planning Asset Assessment: identify all assets and their relative sensitivities Threat Assessment: what threats can attack each asset? Design a Policy for Each Asset Design a Architecture 23 Management (Continued) Implementation Operating System Hardening appliances are hardened at the factory vendors often sell firewalls that are general-purpose computers that have prehardened versions of Unix or Windows If a firm purchases a general purpose computer and firewall software, strong actions must be taken to harden the operating system 24 8

9 Management (Continued) Implementation Select Implementation Options e.g., Turn off remote management if not needed ACL Rule Configuration Complex and therefore error-prone Driven by firewall policies Vulnerability Testing After Configuration Must do vulnerability test even after trivial changes Driven by firewall policies 25 Management (Continued) Maintenance Constantly change firewall policies and ACLs to deal with new threats Document each change carefully! Read log files daily to understand the current threat environment Read log files daily to detect problems (the dropping of legitimate traffic, etc.) Update the firewall software when there are new releases 26 s, IDSs, and IPSs s IDSs IPSs Drops Packets? Yes No Yes Logs Packets Yes Yes Yes Sophistication in Medium High High Filtering Creates Alarms? No Yes Sometimes 27 9

10 s, IDSs, and IPSs (Cont) Sophistication in Filtering Message stream analysis, not just individual packets Reassemble fragmented application messages Deep packet inspection: both internet-level headers and application headers 28 10