CMPT 471 Networking II
Firewalls
Janice Regan, 2006-2013

Security
- When is a computer secure? When the data and software on the computer are available on demand only to those people who should have access.
- One component of keeping a computer secure can be a firewall. This is not an all-encompassing solution.
- Not all problems come from outside; you must keep in mind that a comprehensive internal security policy is also part of the solution.

Firewalls: why
- Provide a single protected access from your machine or network to the internet
  - Create a single choke point
  - Concentrate attention on protecting that choke point
- A network behind a firewall can spend less (not zero) effort on host-based security
  - Not all attacks or security problems come from outside
  - Still need a second line of defense in many cases
Firewalls: why not
- Firewalls don't protect against malicious insiders: they may prevent sending data out through the internet but cannot protect against removing the data on physical media
- Firewalls don't protect you from connections that bypass them: dial-in or network access to internal machines cannot be monitored unless it passes through the firewall

Firewalls: why not
- Firewalls protect against known threats; new threats occur regularly and counters to them must be added just as regularly
- Viruses and malware can penetrate firewalls under some circumstances
- Firewalls often interfere with expected behaviors of internet applications, or slow down interaction with the internet

Firewalls
- Different firewall architectures are appropriate for different types of applications
- A firewall is a combination of hardware, software and policies
- Look at some architectures and examples:
  - Single machine with firewall (filtering)
  - Screening router
  - Dual homed host
  - Screened host
  - Screened network
GIVEN TODAY'S INTERNET ENVIRONMENT, NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL
- To protect any private data or information
- To protect the machine so it is available for your use
- To prevent others from hijacking your machine for their own purposes

Security strategies
- Least privilege: any object (user, program, system, ...) should have the least amount of privilege necessary to accomplish its own purpose
- Depth of defense: layer security mechanisms so that if one is compromised another still protects you. This protects against not only attacks but also possible failures of any single layer in your defense

Security strategies
- Choke point: be sure that there is no way to circumvent the choke point, and put protections at the choke point
- Weakest link: be aware of the weak points of your defense; this is where attacks will most likely occur
- Failures: try to make the system fail in a way that denies the attacker access, not one that opens access
Firewall Default Strategies
- Default deny policy
  - No traffic is passed through the firewall unless it is specifically allowed
  - Any traffic or service not specifically permitted to pass the firewall will not be permitted into the protected machine or network
- Default permit policy
  - All traffic will be permitted to pass through the firewall unless it is specifically forbidden

Which Default Strategy?
- To maximize security use default deny
  - OK if you do not need to provide internet services
  - Limited flexibility
- To maximize flexibility use default permit
  - More difficult to maintain
  - Must specifically deny sources and protocols

Some types of low level attacks
- Half-open port scan or SYN scan: send SYN (or a packet with another combination of flags) to each port; watch for ACK or RST to determine whether the port is open. Do not reply and complete the connection (send RST instead).
- Denial of service: exploit known weaknesses of the stack to cause crashes
- IP spoofing: make the packet look like it comes from somewhere else
- Smurf: use a forged source address (A) to make a third party attack A
- Land: send a packet with source and destination addresses the same. May cause failure of the receiving machine.
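To make the difference between the two default strategies concrete, here is a toy stateless packet filter, added as an example and not taken from the lecture slides. The Packet and Rule formats, the rule lists and the sample traffic are all assumptions made for this illustration; a real filter such as netfilter also matches on interface, connection state and TCP flags.

```python
"""Toy stateless packet filter contrasting default-deny and default-permit.

Added example, not code from the lecture slides. The packet and rule formats
are assumptions for this illustration; a real filter such as netfilter also
matches on interface, connection state and TCP flags.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def decide(pkt: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; the default policy decides everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Default deny: the rule list names only what is allowed in.
DEFAULT_DENY_RULES = [
    Rule("permit", proto="tcp", dport=22),    # ssh
    Rule("permit", proto="tcp", dport=80),    # http
]

# Default permit: the rule list must name every source or protocol to keep
# out, and anything nobody thought of is allowed through.
DEFAULT_PERMIT_RULES = [
    Rule("deny", proto="tcp", dport=23),      # telnet
    Rule("deny", proto="udp", dport=69),      # tftp
]


def deny_policy(pkt: Packet) -> str:
    return decide(pkt, DEFAULT_DENY_RULES, default="deny")


def permit_policy(pkt: Packet) -> str:
    return decide(pkt, DEFAULT_PERMIT_RULES, default="permit")


# Constructed sample traffic arriving from outside (RFC 5737 TEST-NET addresses).
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),     # web: passes under both
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),     # telnet: blocked under both
    Packet("198.51.100.7", "192.0.2.10", "tcp", 3389),   # a service nobody listed
    Packet("198.51.100.7", "192.0.2.10", "icmp", None),  # a protocol nobody listed
]


def compare(samples: List[Packet]) -> List[tuple]:
    """Return (proto, dport, default-deny verdict, default-permit verdict) per packet."""
    return [(p.proto, p.dport, deny_policy(p), permit_policy(p)) for p in samples]


if __name__ == "__main__":
    for proto, dport, d, p in compare(SAMPLES):
        print(f"{proto:4} {str(dport):5}  default-deny: {d:6}  default-permit: {p}")
```

The last two sample packets carry the point of the slide: traffic that nobody wrote a rule for is blocked under default deny and passed under default permit, which is why a default-permit firewall needs every new source and protocol denied by hand to stay effective.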
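Two of the low-level attacks listed above, the half-open (SYN) scan and the Land packet, leave recognizable traces in a packet log. The following detector is an added example and is not from the lecture slides; the log format (time, source, destination, destination port, TCP flags), the sample lines and the port-count threshold are all constructed for this illustration.

```python
"""Spotting half-open (SYN) scans and Land packets in a packet log.

Added example, not from the lecture slides. The log format (time, source,
destination, destination port, TCP flags) and the port-count threshold are
constructed assumptions for this illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, int, str]   # (src, dst, dport, flags)

# Constructed sample log of TCP segments arriving at the protected host
# 192.0.2.10 (RFC 5737 TEST-NET addresses). Flags: S=SYN, A=ACK, R=RST.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.10 22 S
10:00:01 198.51.100.7 192.0.2.10 22 R
10:00:01 198.51.100.7 192.0.2.10 23 S
10:00:01 198.51.100.7 192.0.2.10 25 S
10:00:01 198.51.100.7 192.0.2.10 80 S
10:00:01 198.51.100.7 192.0.2.10 80 R
10:00:01 198.51.100.7 192.0.2.10 110 S
10:00:02 198.51.100.7 192.0.2.10 143 S
10:00:02 198.51.100.7 192.0.2.10 443 S
10:00:02 198.51.100.7 192.0.2.10 443 R
10:00:03 203.0.113.5 192.0.2.10 80 S
10:00:03 203.0.113.5 192.0.2.10 80 A
10:00:04 203.0.113.5 192.0.2.10 443 S
10:00:04 203.0.113.5 192.0.2.10 443 A
10:00:05 192.0.2.10 192.0.2.10 139 S
this line is malformed and is skipped
"""


def parse_log(text: str) -> List[Record]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        _time, src, dst, dport, flags = parts
        records.append((src, dst, int(dport), flags))
    return records


def find_land_packets(records: List[Record]) -> List[Tuple[str, int]]:
    """A Land packet carries the same address as source and destination."""
    return [(src, dport) for src, dst, dport, _flags in records if src == dst]


def find_syn_scanners(records: List[Record], min_ports: int = 5) -> Dict[str, Dict[str, int]]:
    """Flag sources that SYN many distinct ports but never finish a handshake.

    A normal client follows its SYN with an ACK (the third handshake step).
    A half-open scanner instead answers the SYN/ACK from an open port with
    RST, or with nothing, so its completed-handshake count stays at zero
    while the number of distinct ports it probes keeps growing.
    """
    syn_ports: Dict[str, Set[int]] = defaultdict(set)
    ack_ports: Dict[str, Set[int]] = defaultdict(set)
    resets: Dict[str, int] = defaultdict(int)
    for src, _dst, dport, flags in records:
        if "S" in flags and "A" not in flags:
            syn_ports[src].add(dport)
        elif "A" in flags:
            ack_ports[src].add(dport)
        elif "R" in flags:
            resets[src] += 1
    suspects: Dict[str, Dict[str, int]] = {}
    for src, ports in syn_ports.items():
        completed = len(ports & ack_ports[src])
        if len(ports) >= min_ports and completed == 0:
            suspects[src] = {"ports_probed": len(ports),
                             "completed": completed,
                             "resets": resets[src]}
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Land packets:", find_land_packets(recs))
    for src, info in find_syn_scanners(recs).items():
        print(f"possible SYN scan from {src}: {info}")
```

On the sample log the client at 203.0.113.5 completes both of its handshakes and is not flagged, while 198.51.100.7 probes seven ports, completes none and resets the three that answered, which is the half-open pattern the slide describes. In a real deployment the threshold and the time window would be tuned to the site's normal traffic.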
A single computer
- Many computers (probably most) have a continuous internet connection
- For a user with a single computer connected to their continuous connection, the simplest approach is a packet filtering firewall
  - For Windows, can use the built-in firewall or many other proprietary products that provide more complete protection, including virus and spyware protection
  - For Linux, can use iptables/netfilter to implement it directly, or other public domain or proprietary products

A home network
- It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the continuous internet connection/s for the household
- This means that out-of-the-box solutions that implement basic network protection are becoming common
- For a technically savvy user these solutions may also be easy, but other simple options exist
- Remember that out-of-the-box solutions need configuration to optimize their effectiveness

Screening Router
- This is a common, inexpensive, out-of-the-box solution that can be made more robust
- You probably need the router to connect your local machines anyway. Be sure to configure it; don't just use the defaults
- The router usually includes a mechanism for implementing packet filtering (default deny and default permit strategies are usually both supported)
Screening Router
- This is a common, inexpensive, out-of-the-box solution that can be made more robust
- Can implement the level of security appropriate for the network being protected; you will likely also need host level security
- The router will run a proprietary or reduced version of the operating system, providing fewer points of attack

Using a screening router
- The network needs an adequate level of host protection
  - If data on any of the machines is private, need host security to protect that data
- Only a limited number of simple protocols and services can be supported efficiently using a screening router
  - Can permit or deny protocols by port number
  - Harder to permit or deny parts of a protocol
  - Difficult to be sure what is arriving on a port is really the expected protocol
- Router is a single point of failure

When to use a screening router
- When performance is important
  - Minimize added load on hosts by using the router to filter
  - Maximize throughput by basing security on simple filtering
- When the protected network also has an adequate level of host security
- When the number of protocols being allowed (default deny) or blocked (default accept) is small and those protocols are simple and amenable to filtering
- Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls
Simple Firewall: Dual Homed
- Use a dual homed host to access the internet. Your network attaches to one or more interfaces, the internet to another
- Disable forwarding: create a default deny policy
- All access to the internet from internal hosts is by proxy application running on the dual homed host
  - Each application you run/proxy on the dual homed host provides another point of attack and increases load
- Avoid user accounts on the dual homed host. This provides extra protection
- Monitor activity of each user

[Figure: Dual homed architecture: INTERNET connected to a dual-homed host (no forwarding), which connects to the internal network]

Dual homed hosts: user accounts
- Users should not be able to log into the dual homed host
  - Prevents a hacker from breaking in through a user account
  - Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery, ...)
  - Prevents inadvertent damage to the dual homed host's security by users (poor passwords, ...)
  - Easier to detect attacks if types of traffic are limited
Dual Homed Host: Limitations (1)
- Need an additional machine to use as the dual homed host (should not be a machine used directly by users)
- For a small network with modest traffic levels can even use an older, less powerful machine (bonus: this is the only machine seen from outside, so it is less attractive to hackers)
- As the network size, number of services proxied, or traffic load grows, more power is needed

Dual Homed Host: Limitations (2)
- Provides services by proxy
  - Each service supported provides additional points of attack
  - Not all services can be proxied
  - Not all services that can be proxied will have appropriate proxies available
- Better at supporting outbound services (local users using services on the external network) than inbound services

Dual Homed Host: Limitations (3)
- More overhead than an equivalent packet filtering system; proxies are more compute intensive than simple filters
- Dual homed host is a single point of failure
  - A hacker who crashes your dual homed host cuts you off from the internet
  - A hacker who compromises your dual homed host has access to your local network
When to use a dual homed host
- Internet traffic is limited
  - Remember load is larger than for a comparable packet filter
- Network protected does not contain critical data
  - Can be mitigated by host level protections, but there are better solutions

When to use a dual homed host
- No (or very limited) services being provided to the internet
  - Each service provided adds points of attack for those trying to break in
- Continuous connection to the internet is not essential; traffic to the internet is not critical to your business
  - Attacks may cause the single choke point to fail or crash

Variations
- Many consumer routers support NAT (network address translation), allowing one IP address to be shared between multiple machines
  - Local IP addresses are used for your network
  - The gateway (router) forwards packets on behalf of the other computers on your intranet
- Good way to hide the network from external eyes
- Can packet filter and provide some proxy services; often provides MAC address filtering
Screened Host Architecture
- All communication between hosts on the local network and the internet (both directions) passes through proxies on a bastion host, which communicates with the internet through a packet filtering router
- Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts)
- The bastion host is the only host on the network to which hosts on the internet can make connections

Screened Host Architecture
- The packet filtering router protects internal hosts from direct internet attack (allowing only certain services/protocols). This is the primary security for the network
  - This prevents users from directly accessing the internet
- The bastion host provides services and runs proxies connecting to the outside world; it should not be a trusted member of the local network
- Not appropriate for public web servers

[Figure: Screened host architecture: INTERNET connected through a screening router to the local network, which contains the bastion host]
Bastion host
- Should run a minimum configuration to minimize points of attack
- Should have all services not needed by the site disabled
- Should not be trusted by hosts on the network
- Should not run booting services
- Must maintain a high level of host security on the bastion host

Bastion host and user accounts
- Should not support user accounts
- May know about users (i.e. to allow access from outside the network to machines inside the network)
- Users should not be able to log into the bastion host
- Administrators should be able to log into the bastion host with individual accounts; remote login is a high security risk

Bastion hosts and user accounts
- Users should not be able to log into the bastion host
  - Prevents a hacker from breaking in through a user account
  - Makes use of vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery, ...)
  - Prevents inadvertent damage to the bastion host's security by users (poor passwords, ...)
  - Easier to detect attacks if types of traffic are limited
Bastion host
- Provides the services your site needs to access the internet
- Runs proxies for services your site provides to the internet: all services, or just the services that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS, SMTP, HTTP)

Screening router
- May allow hosts to open connections to selected servers on the internet
- May disallow services, forcing them to be proxied by the bastion host (or hosts)

Use a Screened Host When
- Few connections to the network originate from outside the network
- Host security is relatively high
- If you allow non-bastion hosts to connect to the internet you are compromising the design, since outside users then have access to the IP addresses of protected hosts
Comparison
- Router easier to secure than a multi-homed host (simpler OS, fewer points of attack, fewer services running than a multi-homed host)
- Multi-homed host provides no way for packets to go directly to hosts; screened host does (can be a security hole)
- Multi-homed host more prone to failure (type of failure more difficult to predict)
- On balance the router may be more secure and simpler to administer

Comparison
- You can get some extra protection by isolating your bastion host and your screened hosts so most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible)
- This is part of what a screened subnet does (next topic of discussion)
- Can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub

Screened Subnet
- Place the bastion host (hosts) on a separate subnet connected to the internet with a router. This separate subnet is known as a perimeter network
- That subnet in turn connects to your internal network through a second router (with packet filtering)
- Removes the difficulties caused by a single point of failure (as in multi-homed hosts, and to a lesser extent screened hosts)
- Now a hacker must break through two levels of packet filters and compromise a bastion host to reach your internal network
[Figure: Screened subnet: INTERNET, exterior router, perimeter network (with bastion host), interior router, internal network]

Screened subnet
- No longer a single point of failure
- Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet
- Multiple failures are needed to reach the screened subnet
  - If the exterior router's firewall is breached the hacker can only reach the bastion hosts
  - If the bastion host is compromised, sensitive internal information is still protected. The screened network still has the protection of the interior router

Bastion host/s on separate net
- Locating the bastion hosts on a separate network from the protected hosts has many benefits
- The bastion host sees only packets to and from bastion hosts and to and from the internet
- It does not see traffic on the internal network:
  - Accesses to sensitive files
  - Confidential local email
  - Remote logins, FTP or TELNET packets that could provide passwords
Bastion host/s on separate net
- Bastion hosts are the primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS, ...)
- Outbound services (from our network to servers on the internet) have access controlled by
  - Filtering on the exterior or interior router
  - Proxy services on the bastion hosts
- If traffic is high and/or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk
  - Services may be divided between multiple bastion hosts. Services may be grouped by importance, audience, security level, access level

Interior router
- Primary packet filtering system (choke router)
- May be more restrictive than the packet filters in the exterior router
  - Want to assure sensitive information does not leave the screened network
  - May allow a smaller set of services to reach the interior network than can reach the exterior network
  - May direct services from outside the screened network to designated servers (e.g. a mail server on one of the internal hosts)
- Allows services to the internet to be isolated from the screened internal network (on the perimeter network)
- Protects your screened interior network from the internet and the perimeter network

Exterior Router
- The exterior router may be called the access router
- Sometimes the exterior router is provided by another group (like an ISP)
  - Your access will be limited
  - Filter rules will not be customized to your needs
  - Bastion hosts on the perimeter net must be protected by strong host security; this makes exterior filtering less critical
- If you do control the exterior router you may want to duplicate a subset of the rules on your interior router
Exterior Router
- Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network)
- Should block outgoing packets that do not come from one of your network's IP addresses
  - Prevents your users sending inappropriate packets
  - More importantly: prevents any hijacker using one of your machines to send packets with inappropriate IP addresses

Variants
- Use multiple bastion hosts
  - Distribute load, partition services, add redundancy
- Merge interior router and exterior router
  - Need a router that allows separate filter specifications on each interface
  - Disadvantage: creates a single point of failure if the router is compromised

[Figure: Multiple bastion hosts: INTERNET, exterior router, perimeter network with several bastion hosts, interior router, internal network]
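The two address checks the exterior router slide asks for (drop inbound packets that claim one of your own addresses, drop outbound packets that do not) can be written down as a small filter. This is an added example, not from the lecture slides: the two prefixes are constructed RFC 5737 TEST-NET ranges standing in for a site's screened internal network and its perimeter network, and the direction argument stands in for the interface a real router would bind the rule to.

```python
"""Exterior-router anti-spoofing checks: ingress and egress source filtering.

Added example, not from the lecture slides. The two prefixes are constructed
RFC 5737 TEST-NET ranges standing in for a site's screened internal network
and its perimeter network; a real router would bind these checks to its
outside interface.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Constructed site addressing: everything the exterior router should treat as "ours".
SCREENED_NET = ip_network("192.0.2.0/25")       # interior (screened) network
PERIMETER_NET = ip_network("192.0.2.128/25")    # perimeter network holding the bastion hosts
OUR_NETS: List[IPv4Network] = [SCREENED_NET, PERIMETER_NET]


def is_ours(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in OUR_NETS)


def exterior_filter(direction: str, src: str, dst: str) -> str:
    """Verdict ("pass" or "drop") for a packet at the exterior router.

    direction is "in" for a packet arriving from the Internet and "out" for a
    packet leaving toward it. Only source addresses are examined here; service
    and port filtering would be applied separately.
    """
    if direction == "in":
        # Inbound with one of our own addresses as source can only be forged:
        # no legitimate packet from the screened or perimeter network arrives
        # on the outside interface.
        return "drop" if is_ours(src) else "pass"
    if direction == "out":
        # Outbound must carry one of our addresses. Anything else is a local
        # host (possibly hijacked) putting someone else's address on packets,
        # which is exactly what the forged source in a Smurf attack relies on.
        return "pass" if is_ours(src) else "drop"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample packets: (direction, source, destination, note).
SAMPLES: List[Tuple[str, str, str, str]] = [
    ("in",  "198.51.100.7", "192.0.2.130",  "outside client to bastion host"),
    ("in",  "192.0.2.20",   "192.0.2.130",  "inbound claiming an interior address"),
    ("in",  "192.0.2.130",  "192.0.2.20",   "inbound claiming a perimeter address"),
    ("out", "192.0.2.20",   "198.51.100.7", "interior host to outside"),
    ("out", "203.0.113.9",  "198.51.100.7", "outbound with a foreign source address"),
]


def audit(samples: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Return (note, verdict) for each sample packet."""
    return [(note, exterior_filter(d, s, t)) for d, s, t, note in samples]


if __name__ == "__main__":
    for note, verdict in audit(SAMPLES):
        print(f"{verdict:4}  {note}")
```

Both checks depend only on which prefixes the router knows as its own, which is why the slide can ask for them even when the exterior router is not very configurable; the same prefix list is what you would duplicate on the interior router if you control only that one.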
[Figure: Merged interior/exterior routers: INTERNET, a single interior/exterior router, perimeter network, internal network]

Variants
- Use multiple independent perimeter networks
  - Provide redundancy and bandwidth
  - Assure networks connect to different physical connections (different providers and different cables)
  - Both interior routers must enforce the same policies
  - Also used to separate incoming and outgoing services

[Figure: Multiple perimeter networks: INTERNET, two exterior routers each with its own perimeter network and interior router, internal network]
Variants
- Use multiple exterior routers (or one exterior router with multiple interfaces)
  - Multiple internet connections (i.e. multiple providers, for redundancy or bandwidth)
  - Internet connection plus direct connections to other sites (through an internal firewall)
  - Minor security compromise because of two attack points into the perimeter network

[Figure: Multiple exterior routers: INTERNET, two exterior routers into one perimeter network, interior router, internal network]

Variants
- Merge bastion host and exterior router
  - Use a single dual-homed host for both
  - Limits performance; less efficient for routing than a router
  - Depending on the operating system, may not have flexible filtering available
  - Need better protections on the dual homed host
  - Appropriate only for serving a very small number of low bandwidth services
[Figure: Merged bastion host/exterior router: INTERNET, bastion host acting as exterior router, perimeter network, interior router, internal network]

Dangerous Variants
- Do not merge bastion host and interior router
- Do not use multiple interior routers
- Do not use both screened subnets and screened hosts