Firewall Security. Presented by: Daminda Perera




Firewalls
- Improve network security, but cannot completely eliminate threats and attacks
- Responsible for screening traffic entering and/or leaving a computer network
- Each packet that passes is screened against a set of rules stored in the firewall rulebase
- Several types of firewalls exist, and several common topologies for arranging them

Packet Filtering
- An early technology for screening packets passing through a network
- Each packet is screened in isolation: the firewall reads and analyzes the packet headers (addresses, protocol, ports) and nothing else
- Offers considerable flexibility in what can be screened
- Can also be used for performance management, for example by screening out non-critical traffic by day or time
- Limitation: because it has no memory of earlier packets, return traffic for client connections must be admitted by broad rules (e.g., "any inbound packet with the ACK bit set to a high port"), and an attacker can craft packets that satisfy such a rule

Stateful Inspection
- A later generation of firewall technology
- Overcomes the limitation of packet filtering that treats packets in isolation
- Treats packets as pieces of a connection and maintains a state table of the legitimate open connections that packets belong to
- Records the addresses and ports in use for each connection, so only replies to a connection that was opened from the allowed side are admitted
- Traffic is allowed to pass until the connection is closed or times out
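The difference between the two slides above, shown as an added example written for this page (not code from the presentation): a stateless filter and a stateful filter judging the same constructed packets. The protected network 10.0.0.0/24, the outside addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the web-only policy and the timeout values are assumptions; the state table is keyed on the 5-tuple of the inside-initiated direction, and FIN/RST handling is simplified.

```python
"""Stateless packet filter vs. stateful inspection (simulation, added example)."""
import ipaddress
import time

INSIDE = ipaddress.ip_network("10.0.0.0/24")   # assumed protected network
IDLE_TIMEOUT = 60.0    # seconds of silence before a connection entry is dropped
CLOSE_TIMEOUT = 5.0    # grace period after FIN so the closing ACKs still pass


def packet(src, sport, dst, dport, proto="tcp", flags=()):
    """Constructed packet header with only the fields a filter looks at."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": frozenset(flags)}


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(pkt):
    """Classic packet filter: every packet judged on its own header.

    To let inside clients browse, it must allow outbound to port 80 AND inbound
    packets with ACK set to any high port. An attacker simply sets ACK on a
    probe and the second rule lets it through.
    """
    if is_inside(pkt["src"]) and not is_inside(pkt["dst"]) and pkt["dport"] == 80:
        return "accept"
    if (not is_inside(pkt["src"]) and is_inside(pkt["dst"])
            and pkt["dport"] >= 1024 and "ACK" in pkt["flags"]):
        return "accept"
    return "drop"


class StatefulFirewall:
    def __init__(self, now=time.monotonic):
        self.now = now        # clock function, injectable for testing
        self.table = {}       # 5-tuple (inside -> outside direction) -> expiry time

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        return (src, sport, dst, dport, proto)

    def _expire(self):
        now = self.now()
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def filter(self, pkt):
        self._expire()
        fwd = self._key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        rev = self._key(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        entry = fwd if fwd in self.table else rev if rev in self.table else None
        if entry is not None:
            # Packet belongs to a known connection: pass it and update its timer.
            if "RST" in pkt["flags"]:
                del self.table[entry]                       # aborted: forget at once
            elif "FIN" in pkt["flags"]:
                self.table[entry] = self.now() + CLOSE_TIMEOUT
            else:
                self.table[entry] = self.now() + IDLE_TIMEOUT
            return "accept"
        # Unknown flow: only an inside-initiated SYN to port 80 may create state.
        if (is_inside(pkt["src"]) and not is_inside(pkt["dst"])
                and pkt["dport"] == 80 and pkt["flags"] == {"SYN"}):
            self.table[fwd] = self.now() + IDLE_TIMEOUT
            return "accept"
        return "drop"


def demo():
    clock = [1000.0]
    fw = StatefulFirewall(now=lambda: clock[0])
    syn = packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=("SYN",))
    synack = packet("203.0.113.10", 80, "10.0.0.5", 40000, flags=("SYN", "ACK"))
    data = packet("203.0.113.10", 80, "10.0.0.5", 40000, flags=("ACK",))
    probe = packet("198.51.100.7", 80, "10.0.0.5", 40001, flags=("ACK",))
    rst = packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=("RST",))
    r = {}
    r["stateless_probe"] = stateless_filter(probe)   # looks like a reply: passes
    r["stateful_probe"] = fw.filter(probe)          # no connection in table: dropped
    r["syn"] = fw.filter(syn)
    r["synack"] = fw.filter(synack)
    clock[0] += IDLE_TIMEOUT + 1
    r["after_timeout"] = fw.filter(data)            # entry expired: dropped
    fw.filter(syn)                                   # client opens a new connection
    fw.filter(rst)                                   # ... and aborts it
    r["after_rst"] = fw.filter(data)                # connection gone: dropped
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The probe with the ACK bit set is the classic case: the stateless filter has no way to tell it from a genuine server reply, while the stateful firewall drops it because no inside host ever opened that connection.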

Firewall Topologies
- Firewalls should be placed between the protected network (or subnet) and every potential entry point
- Entry points can include dial-up modems and broadband lines
- Three common firewall topologies: bastion host, DMZ, dual firewalls
- Firewall installations can combine these topologies for layered protection

Bastion Host
- The firewall is the sole link between the protected network and the untrusted network
- The firewall has two network interface cards: one to the protected network, one to the untrusted network
- Relatively inexpensive and easy to implement
- If services are offered to clients outside the protected network, there is a significant security risk: the service port (port 80 for a web server) has to stay open to the outside
- Attackers who compromise the server through that port are then on the protected network itself and can go after the rest of the systems

DMZ
- Single firewall with three network interface cards: one to the protected network, one to the screened subnet, one to the untrusted network
- The screened subnet contains the systems that provide services to external users (web or SMTP servers, etc.)
- If the subnet is compromised, access to the rest of the network is still limited by the firewall

Dual Firewalls
- Uses two firewalls, each with two network cards
- One firewall connects the untrusted network to a subnet; the other connects that subnet to the protected network
- The screened subnet again provides a buffer between the networks
- For more security, use firewalls from two different vendors: they are unlikely to share the same vulnerabilities

Network Firewall Architectures
- Screening router
- Simple firewall
- Multi-legged firewall
- Firewall sandwich
- Layered security architecture

Screening Router
- Access control lists on the router provide the security
- Routers are not application-aware: they inspect only packet header fields (addresses, protocol and, with extended ACLs, ports) at layers 3 and 4 of the OSI model, never application content
- Does not provide a great deal of security, but is very fast
- Not commonly used alone for security

[Diagram: Internet/untrusted network -> screening router (routes or blocks packets as determined by security policy) -> internal trusted network: server, mainframe, database, desktop]

Simple Firewall
- Small companies with limited security needs
- Only utilizes two interfaces: trusted and untrusted
- Provides modest security
- Does not offer a DMZ "sandbox" for exposed services
- Inherently allows some level of connections between the trusted and untrusted networks

[Diagram: Internet/untrusted network -> screening router (routes or blocks packets as determined by security policy) -> firewall (handles traffic additionally to maintain more security) -> internal trusted network: web and SMTP server, mainframe, database, desktop]

Multi-Legged Firewall
- Small to large businesses with an expanded security need
- Provides stronger security
- Creates a secure sandbox (the DMZ) for semi-trusted services
- Flexible and secure

[Diagram: Internet/untrusted network -> screening router -> firewall with a third leg; the DMZ (semi-trusted network: web server, SMTP server, other servers) now offers a secure sandbox for untrusted connections to Internet services, separate from the internal trusted network (server, mainframe, database, desktop)]

Firewall Sandwich
- Medium to large businesses
- Higher costs
- More serious need for security
- Provides physical separation of the networks
- Provides policy segregation between the inside and outside firewalls
- Reduces administrative holes: a mistake in one firewall's policy is not automatically a hole in the other's

[Diagram: Internet/untrusted network -> screening router -> outside firewall -> DMZ (semi-trusted network: web server, SMTP server, other servers) -> inside firewall -> internal trusted network (app server, mainframe, database, desktop); security policy controls are separated between the inside and outside firewalls]

Layered Firewall Approach
- Large enterprises with low risk tolerance
- Separates internal environments from one another
- Reduces computer crime and deters malicious activity from inside the network, where most attacks are based
- Controls overhead administrative traffic
- Allows IDS to work more effectively: each internal boundary is a natural sensor point with a smaller, better-defined traffic mix

[Diagram: Internet/untrusted network -> firewall -> DMZ (semi-trusted network) -> inside firewall -> user network, with further internal firewalls in front of the HR network, the mainframe network and the development network; security policy controls separate networks within the trusted network as well as the semi-trusted and untrusted networks. "Fences keep honest people honest!"]

Defense in Depth
- Security has no single right answer
- Use every tool available to bolster security
- Layered security is always the best approach
- Strong security controls, coupled with audit, administrative reviews and an effective security response plan, provide a strong holistic defense

Firewall Rulebases
- The rulebase describes what traffic is allowed and what is not
- Firewall administrators spend most of their time on the rulebase
- Most firewalls have good user interfaces to support rule definition
- General syntax: <action> <protocol> from <source_address> <source_port> to <destination_address> <destination_port>
- Rules are evaluated top to bottom and the first match decides, so order is part of the policy: a broad rule placed too early silently shadows every narrower rule after it
- Most firewalls have advanced functionality to supplement the basic fields above

Special Rules
- Cleanup rule: deny everything that is not explicitly allowed. It is the last rule in any firewall rulebase; many firewalls include it implicitly in the installation. Log what it drops: those hits show probes and policy gaps.
- Stealth rule: prevents anyone from connecting directly to the firewall itself over the network (to protect it from attack). It is the first rule in the rulebase, unless limited management connections are explicitly allowed by rules placed before it.
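A rulebase in the syntax from the "Firewall Rulebases" slide, with the stealth and cleanup rules placed as the "Special Rules" slide prescribes, plus a first-match evaluator and a shadowing check. This is an added example written for this page, not code from the presentation or from any firewall product. The addresses are assumptions (10.0.0.0/24 inside, 10.0.0.50 as the admin host, 192.0.2.10 as the public web server, 203.0.113.1/192.0.2.1/10.0.0.1 as the firewall's own interfaces), and the `firewall` keyword that expands to those interface addresses is an invented convenience.

```python
"""Rulebase parser, first-match evaluator and shadowed-rule check (added example)."""
import ipaddress
import re

# Assumed addresses of the firewall's own interfaces; "firewall" in a rule means these.
FIREWALL_IPS = ("203.0.113.1", "192.0.2.1", "10.0.0.1")

RULE_RE = re.compile(
    r"^(accept|deny)\s+(tcp|udp|any)\s+from\s+(\S+)\s+(\S+)\s+to\s+(\S+)\s+(\S+)(\s+log)?$")

RULEBASE = """
# Limited management access, deliberately placed before the stealth rule
accept tcp from 10.0.0.50/32 any to firewall 22 log
# Stealth rule: nobody else talks to the firewall itself
deny any from any any to firewall any log
# Published services in the DMZ
accept tcp from any any to 192.0.2.10/32 80
accept tcp from any any to 192.0.2.10/32 443
# Inside users browsing out
accept tcp from 10.0.0.0/24 any to any 80
accept tcp from 10.0.0.0/24 any to any 443
# Cleanup rule: deny and log everything else
deny any from any any to any any log
"""


def _nets(field):
    if field == "any":
        return None
    if field == "firewall":
        return [ipaddress.ip_network(ip) for ip in FIREWALL_IPS]
    return [ipaddress.ip_network(field, strict=False)]


def _ports(field):
    if field == "any":
        return None
    lo, _, hi = field.partition("-")          # "80" or "1024-65535"
    return int(lo), int(hi or lo)


def parse_rulebase(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, dst, dport, log = m.groups()
        rules.append({"action": action, "proto": proto, "src": _nets(src),
                      "sport": _ports(sport), "dst": _nets(dst),
                      "dport": _ports(dport), "log": log is not None, "text": line})
    return rules


def matches(rule, pkt):
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        nets = rule[side]
        if nets is not None and not any(ipaddress.ip_address(pkt[side]) in n for n in nets):
            return False
    for side in ("sport", "dport"):
        rng = rule[side]
        if rng is not None and not rng[0] <= pkt[side] <= rng[1]:
            return False
    return True


def evaluate(rules, pkt, log):
    """First match wins; returns (action, rule number). 0 = implicit cleanup."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            if rule["log"]:
                log.append(f"rule {n} {rule['action']}: {pkt['src']}:{pkt['sport']} -> "
                           f"{pkt['dst']}:{pkt['dport']}/{pkt['proto']}")
            return rule["action"], n
    return "deny", 0


def _covers(broad, narrow, kind):
    """True if every packet matching `narrow` also matches `broad`."""
    if broad is None:
        return True
    if narrow is None:
        return False
    if kind == "net":
        return all(any(n.subnet_of(b) for b in broad) for n in narrow)
    return broad[0] <= narrow[0] and narrow[1] <= broad[1]


def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the rule can never fire: an ordering bug."""
    out = []
    for j, r in enumerate(rules):
        for i in range(j):
            e = rules[i]
            if (e["proto"] in ("any", r["proto"])
                    and all(_covers(e[f], r[f], "net") for f in ("src", "dst"))
                    and all(_covers(e[f], r[f], "port") for f in ("sport", "dport"))):
                out.append((j + 1, i + 1))
                break
    return out


def demo():
    rules = parse_rulebase(RULEBASE)
    log = []
    def pk(src, sport, dst, dport, proto="tcp"):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}
    results = {
        "admin_ssh": evaluate(rules, pk("10.0.0.50", 51000, "203.0.113.1", 22), log),
        "attacker_ssh": evaluate(rules, pk("198.51.100.7", 40000, "203.0.113.1", 22), log),
        "inside_to_fw_80": evaluate(rules, pk("10.0.0.9", 40001, "10.0.0.1", 80), log),
        "public_web": evaluate(rules, pk("198.51.100.7", 40002, "192.0.2.10", 443), log),
        "public_8080": evaluate(rules, pk("198.51.100.7", 40003, "192.0.2.10", 8080), log),
        "inside_https": evaluate(rules, pk("10.0.0.9", 40004, "198.51.100.20", 443), log),
    }
    return results, log
```

Note `inside_to_fw_80`: the "browse out on port 80" rule would match it, but the stealth rule sits above and wins. Moving the cleanup rule up (for instance `rules[:2] + [rules[-1]] + rules[2:-1]`) makes `shadowed_rules` report every service rule as dead, which is exactly the mistake the ordering rules on the slide exist to prevent.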

Perimeter Security Topologies
- Any network that is connected (directly or indirectly) to your organization but is not controlled by your organization represents a risk
- Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters
- Perimeter topologies include demilitarized zones (DMZs), extranets and intranets

Perimeter Security Topologies (continued)
- The firewall must be the gateway for all communications between trusted networks and untrusted or unknown networks
- The firewall should selectively admit or deny data flows from other networks based on several criteria: type (protocol), source, destination and content

Creating and Developing Your Security Design
- Know your enemy: security measures cannot stop all unauthorized actions; they can only make them harder. The goal is to make sure the security controls are beyond the attacker's ability or motivation.
- Know the costs, and weigh those costs against the potential benefits
- Identify assumptions: for example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe

Creating and Developing Your Security Design (continued)
- Control secrets: what knowledge would enable someone to circumvent your system?
- Know your weaknesses and how they can be exploited
- Limit the scope of access: create appropriate barriers in your system so that intruders who access one part of the system do not automatically have access to the rest of it
- Understand your environment: auditing tools can help you detect unusual events
- Limit your trust in people, software and hardware

DMZ
- Used by a company to host its own Internet-facing services without allowing unauthorized access to its private network
- Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
- Traffic originating from it should be filtered

DMZ (continued)
- Typically contains the devices that must be reachable from the Internet: web (HTTP) servers, FTP servers, SMTP (e-mail) servers, DNS servers
- An optional, more secure alternative to a simple firewall; may include a proxy server

DMZ Design Goals
- Minimize the scope of damage
- Protect sensitive data on the server
- Detect a compromise as soon as possible
- Minimize the effect of a compromise on other organizations
- The bastion host is not able to initiate a session back into the private network; it can only answer sessions that were opened toward it

DMZ Design Goals (continued)
- A useful mechanism for meeting these goals is to also filter traffic initiated from the DMZ network toward the Internet. This
  - impairs an attacker's ability to have a vulnerable host connect back to the attacker's host,
  - can keep the vulnerable host from being exploited altogether (an exploit that must fetch a second stage has nowhere to fetch it from), and
  - keeps a compromised host from being used as a traffic-generating agent in distributed denial of service attacks.
- The key is to limit traffic to only what is needed and to drop what is not required, even if the traffic is not a direct threat to your internal network

DMZ Design Goals (continued)
- DMZ filtering should also identify traffic arriving on the DMZ interface of the firewall or router whose source IP address is not on the DMZ network number (spoofed traffic); such packets can only have been sent by a device on the DMZ segment, so they point to a compromised or misconfigured host there
- The firewall or router should be configured to log such packets or raise a rule alert to notify the administrator
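The policy for the firewall's DMZ interface described across the three "DMZ Design Goals" slides (no sessions from the DMZ into the inside, only the egress each host actually needs, and an alert on spoofed sources), as an added example for this page rather than code from the presentation. The networks (192.0.2.0/24 as the DMZ, 10.0.0.0/16 inside), the hosts (192.0.2.25 as the mail relay, 192.0.2.10 as the web server, 198.51.100.53 as the permitted resolver) and the log format are assumptions; the function only sees packets that open a new flow, since replies to sessions opened toward the DMZ are the stateful engine's job.

```python
"""Ingress policy on a firewall's DMZ interface: egress allow-list, inside block,
anti-spoof alert (added example, constructed addresses)."""
import ipaddress

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # assumed screened subnet
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")    # assumed protected network
MAIL_RELAY = "192.0.2.25"                             # assumed SMTP relay in the DMZ
RESOLVER = "198.51.100.53"                            # assumed external DNS resolver

# Sessions DMZ hosts may *initiate*: (source, proto, destination, destination port).
# Everything not listed is dropped, whether or not it threatens the inside.
DMZ_EGRESS = [
    (ipaddress.ip_network(MAIL_RELAY), "tcp", ipaddress.ip_network("0.0.0.0/0"), 25),
    (DMZ_NET, "udp", ipaddress.ip_network(RESOLVER), 53),
]


def dmz_ingress_filter(pkt, log):
    """Verdict for a packet arriving on the DMZ interface that opens a new flow."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src not in DMZ_NET:
        # Only a device on the DMZ segment can put this on the wire: alert, not just drop.
        log.append(f"ALERT spoof: {src} seen on DMZ interface (to {dst}:{pkt['dport']})")
        return "drop"
    if dst in INTERNAL_NET:
        # A bastion host never opens sessions inward; attempting to is a compromise signal.
        log.append(f"ALERT dmz->inside: {src} tried {dst}:{pkt['dport']}/{pkt['proto']}")
        return "drop"
    for s_net, proto, d_net, dport in DMZ_EGRESS:
        if src in s_net and pkt["proto"] == proto and dst in d_net and pkt["dport"] == dport:
            return "accept"
    log.append(f"DROP egress: {src}:{pkt['sport']} -> {dst}:{pkt['dport']}/{pkt['proto']}")
    return "drop"


def demo():
    log = []
    def pk(src, sport, dst, dport, proto="tcp"):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}
    results = {
        # relay delivering outbound mail: needed, allowed
        "relay_smtp_out": dmz_ingress_filter(pk("192.0.2.25", 50000, "198.51.100.7", 25), log),
        # web server resolving a name through the permitted resolver
        "web_dns": dmz_ingress_filter(pk("192.0.2.10", 50001, "198.51.100.53", 53, "udp"), log),
        # web server calling out to an unexpected service (reverse shell / C2 pattern)
        "web_irc": dmz_ingress_filter(pk("192.0.2.10", 50002, "198.51.100.7", 6667), log),
        # web server sending UDP to a third party: the DDoS-agent case
        "web_udp_flood": dmz_ingress_filter(pk("192.0.2.10", 50003, "203.0.113.77", 53, "udp"), log),
        # web server trying to open a session into the private network
        "web_to_inside": dmz_ingress_filter(pk("192.0.2.10", 50004, "10.0.1.5", 445), log),
        # packet on the DMZ interface claiming an inside source address
        "spoofed": dmz_ingress_filter(pk("10.0.1.5", 50005, "10.0.1.6", 445), log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for name, verdict in results.items():
        print(f"{name:16s} {verdict}")
    print("\n".join(log))
```

The two ALERT lines are the ones worth paging on: neither packet can be produced by a healthy DMZ, so they are a detection signal and not merely policy noise.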

Intranet
- Typically a collection of all LANs inside the firewall (the campus network)
- Either a network topology or an application (usually a web portal) used as a single point of access to deliver services to employees
- Shares company information and computing resources among employees
- Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security

Extranet
- Private network that uses Internet protocols and the public telecommunication system to provide various levels of access to outsiders
- Requires security and privacy:
  - firewall management
  - issuance and use of digital certificates or other user authentication
  - encryption of messages
  - use of VPNs that tunnel through the public network

Extranet (continued)
Companies can use an extranet to:
- exchange large volumes of data
- share product catalogs exclusively with wholesalers or those in the trade
- collaborate with other companies on joint development efforts
- jointly develop and use training programs with other companies
- provide or access services offered by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks
- share news of common interest exclusively with partner companies

Network Address Translation (NAT)
- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Provides a degree of firewall-like protection by hiding internal IP addresses and, in its dynamic forms, by having no mapping for unsolicited inbound packets; it is not a substitute for an explicit firewall policy
- Enables a company to use more internal IP addresses than it has public ones

NAT (continued)
- Most often used to map addresses from the non-routable private address spaces defined by RFC 1918, for hosts that either do not require external access or require only limited access to outside services:
  - 10.0.0.0 to 10.255.255.255 (10/8, the "class A" block)
  - 172.16.0.0 to 172.31.255.255 (172.16/12, the "class B" block)
  - 192.168.0.0 to 192.168.255.255 (192.168/16, the "class C" block)

NAT (continued)
- Two forms: static NAT and dynamic NAT
- Dynamic NAT is more complex because state must be maintained, and new connections must be rejected when the address pool is exhausted
- Unlike static NAT, dynamic NAT enables address reuse, reducing the demand for registered public addresses

Port Address Translation (PAT)
- A variation of dynamic NAT
- Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
- Example: suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to the single public IP address 206.245.160.1 and two different source ports, say 61001 and 61002, and use the port to route each reply back to the right host.
- Because PAT maps individual ports, incoming connections to any other port cannot be "reverse mapped" unless a separate (static) table entry is configured

PAT and NAT
- In some cases static NAT, dynamic NAT, PAT, and even bidirectional NAT or PAT may be used together
- Web servers that live in public address space can be reached from the Internet without NAT
- A Simple Mail Transfer Protocol (SMTP) server must be continuously reachable through the public address published in its DNS entry, so it requires a static mapping (either a limited-purpose virtual server table or static NAT)
- For most clients, public address sharing through dynamically acquired addresses is practical (either dynamic NAT with a correctly sized address pool, or PAT)
- Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients; PAT avoids this because it allows far higher concurrency (thousands of port mappings per IP address)
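The translation table behind the PAT example on the slide (both private hosts on source port 1108 sharing 206.245.160.1), together with the static SMTP mapping, the untranslated public web server and the pool-exhaustion case from the "PAT and NAT" slide. This is an added example written for this page, not code from the presentation or from any router. The public port range, the private host 192.168.0.25 as the mail server and the omission of idle-timeouts and of keying on the remote endpoint are simplifying assumptions.

```python
"""PAT translation table with static mappings and pool exhaustion (added example)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)


class PatRouter:
    """Many private hosts behind one public IP, told apart by public port.

    Simplified: a real translator also keys on the remote endpoint and expires
    idle mappings; those details are left out here.
    """

    def __init__(self, public_ip, port_range=(61001, 65535), static=()):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        self.out = {}   # (private_ip, private_port, proto) -> public_port
        self.inb = {}   # (public_port, proto) -> (private_ip, private_port)
        # Static entries: services that must always be reachable (the SMTP case).
        for public_port, proto, private_ip, private_port in static:
            self._bind(private_ip, private_port, proto, public_port)

    def _bind(self, priv_ip, priv_port, proto, pub_port):
        self.out[(priv_ip, priv_port, proto)] = pub_port
        self.inb[(pub_port, proto)] = (priv_ip, priv_port)

    def translate_out(self, src_ip, src_port, proto):
        """Rewrite an outbound packet's source; returns (new_src_ip, new_src_port)."""
        if not is_rfc1918(src_ip):
            return src_ip, src_port          # already public (e.g. a web server): no NAT
        key = (src_ip, src_port, proto)
        if key not in self.out:
            while (self.next_port, proto) in self.inb:   # never reuse a reserved port
                self.next_port += 1
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted; connection rejected")
            self._bind(src_ip, src_port, proto, self.next_port)
            self.next_port += 1
        return self.public_ip, self.out[key]

    def translate_in(self, dst_port, proto):
        """Reverse-map an inbound packet; None means no mapping exists, so drop it."""
        return self.inb.get((dst_port, proto))


def demo():
    pat = PatRouter("206.245.160.1", static=[(25, "tcp", "192.168.0.25", 25)])
    r = {}
    r["host2"] = pat.translate_out("192.168.0.2", 1108, "tcp")         # 61001
    r["host3"] = pat.translate_out("192.168.0.3", 1108, "tcp")         # 61002
    r["host2_again"] = pat.translate_out("192.168.0.2", 1108, "tcp")   # same mapping reused
    r["reply_to_host3"] = pat.translate_in(61002, "tcp")               # back to 192.168.0.3:1108
    r["inbound_smtp"] = pat.translate_in(25, "tcp")                    # static mapping
    r["unsolicited"] = pat.translate_in(8080, "tcp")                   # nothing to map: drop
    r["public_server"] = pat.translate_out("203.0.113.10", 80, "tcp")  # left untouched
    # A two-port pool shows why dynamic pools must reject the next connection.
    tiny = PatRouter("206.245.160.1", port_range=(61001, 61002))
    tiny.translate_out("192.168.0.2", 1108, "udp")
    tiny.translate_out("192.168.0.3", 1108, "udp")
    try:
        tiny.translate_out("192.168.0.4", 1108, "udp")
        r["exhausted"] = False
    except RuntimeError:
        r["exhausted"] = True
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

`unsolicited` returning `None` is the "cannot reverse map" point on the PAT slide: without a table entry the router has no idea which private host port 8080 should go to, which is both the reason PAT looks like a firewall and the reason the mail server needs its static entry.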

Tunneling
- Enables a network to send its data securely through untrusted or shared network infrastructure
- Encrypts and encapsulates one network protocol within packets carried by a second network
- Replacing dedicated WAN links because of its security and low cost
- An option for most IP connectivity requirements

Example of a Tunnel
- A router with Internet Protocol Security (IPsec) encryption capabilities is deployed as a gateway on each LAN's Internet connection
- The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two offices
- When a router sees traffic on its LAN that is destined for the VPN (the remote office's address range), it contacts the other side and instructs it to build the tunnel; in IPsec this negotiation is IKE, which authenticates both gateways and agrees on keys and algorithms
- Once the two routers have negotiated a secure, encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router, which decrypts it and forwards it onto the remote LAN
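The data path of the two-office tunnel above, as an added example written for this page and not code from the presentation or from any IPsec implementation: each gateway decides by destination whether a LAN packet goes into the tunnel, encrypts and encapsulates it inside an outer packet addressed to the peer, and the peer verifies integrity, rejects replays, decrypts and checks that the inner addresses belong to the tunnel before forwarding. The office networks (10.1.0.0/16 and 10.2.0.0/16), the gateway addresses and the pre-shared secret standing in for keys that IKE would negotiate are assumptions. The cipher is a counter-mode keystream built from HMAC-SHA256 so the block needs only the standard library; it stands in for the AES that real ESP uses and is not meant for production.

```python
"""Site-to-site tunnel data path: selector, encapsulate, verify, anti-replay, decapsulate.
Added example with a stand-in cipher; real IPsec uses AES and IKE-negotiated keys."""
import hashlib
import hmac
import ipaddress
import json
import struct


def _kdf(secret, label):
    """Separate encryption and integrity keys from one shared secret."""
    return hashlib.sha256(secret + label).digest()


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR). Symmetric."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class TunnelGateway:
    def __init__(self, public_ip, local_net, peer_ip, remote_net, shared_secret):
        self.public_ip, self.peer_ip = public_ip, peer_ip
        self.local_net = ipaddress.ip_network(local_net)
        self.remote_net = ipaddress.ip_network(remote_net)
        self.enc_key = _kdf(shared_secret, b"enc")
        self.mac_key = _kdf(shared_secret, b"mac")
        self.tx_seq = 0     # our outgoing sequence number
        self.rx_seq = 0     # highest sequence number accepted from the peer

    def outbound(self, inner):
        """Every packet leaving the LAN passes here. Returns (verdict, packet)."""
        if ipaddress.ip_address(inner["dst"]) not in self.remote_net:
            return "plain", inner                     # not for the VPN: route normally
        self.tx_seq += 1
        # Nonce = sequence number + sender address, so the two directions never share one.
        nonce = struct.pack(">Q", self.tx_seq) + self.public_ip.encode()
        ct = _keystream_xor(self.enc_key, nonce, json.dumps(inner).encode())
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        outer = {"src": self.public_ip, "dst": self.peer_ip,
                 "seq": self.tx_seq, "ct": ct, "tag": tag}
        return "tunnel", outer

    def inbound(self, outer):
        """A packet from the Internet addressed to this gateway. Returns (verdict, inner)."""
        if outer["src"] != self.peer_ip:
            return "drop: unknown peer", None
        nonce = struct.pack(">Q", outer["seq"]) + outer["src"].encode()
        expect = hmac.new(self.mac_key, nonce + outer["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, outer["tag"]):
            return "drop: bad integrity tag", None     # tampered or forged on the wire
        if outer["seq"] <= self.rx_seq:
            return "drop: replay", None                # already seen this packet
        inner = json.loads(_keystream_xor(self.enc_key, nonce, outer["ct"]))
        # Anti-spoof: the inner packet must come from the remote LAN and target ours.
        if (ipaddress.ip_address(inner["src"]) not in self.remote_net
                or ipaddress.ip_address(inner["dst"]) not in self.local_net):
            return "drop: policy", None
        self.rx_seq = outer["seq"]
        return "deliver", inner


def demo():
    secret = b"pre-shared secret standing in for IKE-negotiated keys"
    a = TunnelGateway("203.0.113.1", "10.1.0.0/16", "198.51.100.1", "10.2.0.0/16", secret)
    b = TunnelGateway("198.51.100.1", "10.2.0.0/16", "203.0.113.1", "10.1.0.0/16", secret)
    pkt = {"src": "10.1.0.5", "dst": "10.2.0.9", "payload": "GET / HTTP/1.1"}
    verdict, outer = a.outbound(pkt)
    r = {"verdict": verdict,
         "ciphertext_differs": outer["ct"] != json.dumps(pkt).encode(),
         "delivered": b.inbound(outer),               # ("deliver", pkt)
         "replay": b.inbound(outer)[0]}               # same packet again: rejected
    tampered = dict(outer, ct=outer["ct"][:-1] + bytes([outer["ct"][-1] ^ 1]))
    r["forged"] = b.inbound(tampered)[0]
    r["internet"] = a.outbound({"src": "10.1.0.5", "dst": "192.0.2.99", "payload": "x"})[0]
    _, spoof = a.outbound({"src": "10.2.0.50", "dst": "10.2.0.9", "payload": "x"})
    r["inner_spoof"] = b.inbound(spoof)[0]           # inner source is not on A's LAN
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The order of checks on the receiving side matters: the tag is verified before anything is decrypted or the sequence counter is touched, so an attacker on the shared network can neither feed garbage into the decryptor nor advance the replay window with forged packets.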

Virtual Local Area Networks (VLANs)
- Deployed using network switches
- Used throughout networks to segment different hosts from each other
- Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs
- Network flexibility
- Scalability
- Increased performance
- Some security features

Security Features of VLANs
- Can be configured to group together users in the same group or team, no matter their location
- Offer some protection when sniffers are inserted, because a port only sees its own VLAN's broadcast domain
- Protect unused switch ports by moving them all to a separate, unrouted VLAN
- Use an air gap to separate trusted from untrusted networks: do not allow the same switch or network of switches to provide connectivity to networks segregated by firewalls. A switch with direct connections to untrusted networks (Internet) or semi-trusted networks (DMZs) should never also carry trusted network segments.

Standard Network Setup
[Diagram: extranet -> perimeter firewall -> DMZ (hosted applications) -> internal firewall -> LAN; VPN firewall -> VPN; secure server zone]

Standard Network Setup with Details

Network Security
- A firewall is to be introduced at the head office to enhance data security (LAN/WAN)
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) should be implemented
- Database servers should be secured from the LAN (the LAN is no longer considered trusted)
- An internal firewall can be introduced to protect internal mission-critical servers

High Availability & Disaster Recovery Switching
- Enable HA for critical services
- Implement a proper DR plan
- Enable DR switching

Link-Level High Availability
- Topology-wise HA
- Server cluster at the production site for high availability
- Production data replication to the DR servers
- HA on hosting
- Implement HA & DR of an application

Disaster Recovery (Stage 1)

Disaster Recovery (Stage 2)