Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet Military Doctrine: Defense in depth We use firewalls to set up a perimeter defense» they vs. we : outside vs. inside, Yosemite Sam vs. Bunny» single choke point to impose security on a LAN» Auditing for identifying problems afterwards Understand what is going on We still need to secure end hosts Final Time Conflict EE 406 001: W 1630-1830 HOLM 248 1 Firewall Design Goals All traffic between inside and outside must pass through firewall Only authorized traffic is allowed to pass Firewall rules, policies The firewall itself is immune to penetration Firewalls for access control and enforce policies Service control: which service is allowed Direction control: from outside/inside to access» NAT: network address translation User control: internal user policies vs. external ones Behavior control: spam filter 2 1
Firewall Capabilities & Limits capabilities: defines a single choke point provides a location for monitoring security events convenient platform for some Internet functions» such as NAT, usage monitoring, IPSEC VPNs limitations: cannot protect against attacks bypassing firewall may not protect fully against internal threats improperly secure wireless LAN laptop, PDA, portable storage device infected outside then used inside 3 Types of Firewalls: General Setting 4 2
Types of Firewalls: packet filtering Packet filters: only based on header info Stateful filters: consider info related in a protocol 5 Types of Firewalls: packet filtering application proxy: authenticated user for specific apps circuit-level proxy Both have two separate TCP connections Combination: inbound app proxy, outbound circuit-level 6 3
Packet Filtering Firewall: Simplicity applies rules to packets in/out of firewall Transparent to users fast based on information in packet header src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted» more conservative, controlled, visible to users forward - permit unless expressly prohibited» easier to manage/use but less secure 7 Packet Filter Block Rules spam sender; Inbound to our mail server Default last rule: blocking all not allowed outbound to a mail server; remote 25 may be sth. else outbound to a mail server w/ ACK back ftp server: difficulty for app 8 4
Packet Filter Weaknesses weaknesses cannot prevent attack on application bugs limited logging functionality do not support advanced user authentication vulnerable to attacks on TCP/IP protocol bugs improper configuration can lead to breaches» Too many rules attacks IP address spoofing Source-routing attacks tiny fragment attacks» evading content inspect by cut packets into multiple 9 Stateful Inspection Firewall reviews packet header information but also keeps info on TCP connections low, known port # for servers: <1024 high, dynamically assigned port # for clients: >1023 simple packet filter must allow all return high port numbered packets back in: a security threat Assume to a non-server port stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections only allow incoming traffic to high-numbered ports for packets matching an entry in this directory may also track TCP seq numbers as well 10 5
Stateful Proxy TCP Table TCP port 79 Finger - User Information Protocol 11 Application-Level Gateway acts as a relay of application-level traffic (1) user contacts gateway with a remote host name; (2) authenticates themselves with pwd and u_name; (3) gateway contacts application on the remote host and relays TCP segments between server and user Features: allowing clients to communicate with known server ports converting the network layer address information in an app payload between the addresses acceptable by both side of firewall/nat recognizing application-specific commands and offering security controls» Deep packet-inspection: understands the protocol used by apps» but have higher overheads of examining pkts synchronizing between multiple streams/sessions of data between two hosts exchanging data, a FTP ALG must have proxy code for each application may restrict application features supported more secure than packet filters 12 6
Circuit-Level Gateway sets up two TCP connections to an inside user and to an outside host relays TCP segments from one connection to the other without examining contents hence independent of application logic just determines whether relay is permitted typically used when inside users trusted may use application-level gateway inbound and circuit-level gateway outbound hence lower overheads 13 SOCKS Circuit-Level Gateway SOCKS (RFC1928) allow TCP/UDP applications to securely use firewall components: A SOCKS server on a firewall, port 1080 A SOCKS client library on all internal hosts SOCKS-ified client applications A client app contacts SOCKS server, authenticates itself, and sends relay request A server evaluates & establishes a relay connection A TCP connection to the server for handling all UDP packets 14 7
Firewall Basing A standalone machine running a firewall Security and performance several options for locating firewall: bastion host individual host-based firewall personal firewall 15 Bastion Hosts A critical strongpoint in network Usually hosts application/circuit-level gateways common characteristics: runs secure O/S, only essential services» E.g., no remote login service may require user auth to an access proxy» EE wireless access point each proxy can restrict features, hosts accessed each proxy small, simple, checked for security each proxy is independent, non-privileged limited disk use, hence read-only code 16 8
Host-Based Firewalls A module to secure individual hosts available in many O/S: Linux iptables Or an add-on module Similar to standard firewall to filter packet flows often used on servers advantages: tailored filter rules for the specific host needs protection from both internal/external attacks Another layer of protection, additional to network firewall 17 Personal Firewall A module on a PC to control traffic flow in/out E.g., Windows firewall for both home or corporate use on home cable/dsl router/gateway typically much less complex primary role to deny unauthorized access may also monitor outgoing traffic to detect/block worm/malware activity Potential problems: Block some applications or services which are not sepecifically allowed by the firewall 18 9
Windows Firewall 19 Linux Firewall: iptables http://www.linuxhomenetworking.com/wiki/index.php/quic k_howto_:_ch14_:_linux_firewalls_using_iptables Linux Firewalls Using iptables Iptables: default firewall package installed under RedHat and Fedora Linux. [root@bigboy tmp]# service iptables start [root@bigboy tmp]# service iptables stop [root@bigboy tmp]# service iptables restart Mangle: TCP header modification NAT: network address translation Filter: packet filtering 20 10
Firewall Locations: Where to put? How many? Demilitarized Zone: DMZ Separate services for outside from internal hosts Internal network Internal servers Internal Firewall More strict rules Two-way protection» Between DMA and internal Between internal subnets 21 Virtual Private Networks (VPNs) VPNs are cheap for implementing distributed systems IPsec: using encryption and authentication in the network layer to provide a secure connection Different sites 22 11
Distributed Firewalls A central control + Standalone firewalls + host-based firewalls Internal DMZ External DMZ 23 Firewall Topologies host-resident firewall screening router packet filtering single bastion inline firewall inside vs. outside single bastion T: inside vs. outside vs. DMZ has a third network interface double bastion inline DMZ Between two firewalls double bastion T: outside, internal servers, users distributed firewall configuration 24 12
Intrusion Prevention Systems (IPS) recent addition to security products which inline net/host-based IDS that can block traffic functional addition to firewall that adds IDS capabilities can block traffic like a firewall using IDS algorithms may be network-based or host-based 25 Host-Based IPS identifies attacks using both: signature techniques» malicious application packets anomaly detection techniques» behavior patterns that indicate malware Sample Malicious behaviors Modification of system resources Privilege-escalation exploits Buffer-overflow exploits Access to email contact list Directory traversal can be tailored to the specific platform e.g. general purpose, web/database server specific can also sandbox applets to monitor behavior Protect system call, file, registry, and I/O 26 13
Network-Based IPS inline NIDS that can discard packets or terminate TCP connections uses signature and anomaly detection may provide flow data protection monitoring full application flow content can identify malicious packets using: pattern matching stateful matching protocol anomaly traffic anomaly statistical anomaly SNORT inline can drop/modify packets Honeypot modify packet content to prevent an attacker to learn what happens 27 Unified Threat Management (UTM) Products Antivirus, antiworm, antispam, IDS, IPS, firewalls Combine them all! Throughput & latency Functions Decrypted by inspect Initial firewall Parallel processing Assembling packets for analysis Encryption Logging Bandwidth shaping 28 14
Summary introduced need for & purpose of firewalls types of firewalls packet filter, stateful inspection, application and circuit gateways firewall hosting, locations, topologies intrusion prevention systems HW-CH9, due on 4/27 Questions: 9.8, 9.11 Problems: 9.4, 9.5 29 15