Firewalls Mahalingam Ramkumar
Evolution of Networks Centralized data processing LANs Premises network interconnection of LANs and mainframes Enterprise-wide network interconnection of LANs in a private WAN LANs interconnected using the Internet and using virtual private networks
What is a Firewall? A choke point A location for monitoring security related events Audits and alarms Non-security related functions NAT, network management An end-point for IPSec
Firewall Limitations Cannot protect from attacks bypassing it eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH) Cannot protect against internal threats eg disgruntled employee Cannot protect against transfer of virus infected programs or files because of huge range of O/S & file types
Firewall Basic Types Packet-Filtering Router Stateful Inspection Firewalls Application Level Gateway Circuit Level Gateway
Packet Filters
Packet Filters Filtering based on Source IP address Destination IP address Source and Destination transport-level address IP protocol field Interface (physical) Rules! Configuration files Explicit allow / block
Packet Filtering Example
Attacks on Packet Filtering IP address spoofing Source routing attacks Tiny fragment attacks
Firewalls Stateful Packet Filters Examine each IP packet in context keeps tracks of client-server sessions checks each packet belongs to a valid session Better ability to detect bogus packets out of context A session might be pinned down by Source IP and Port, Dest IP and Port, Protocol, and Connection State
Firewalls - Application Level Gateway (or Proxy)
Application Level Gateway Application specific gateway / proxy has full access to protocol user requests service from proxy proxy validates request as legal acts on behalf of the user, returns result to user need to separate proxies for each service some services naturally support proxying others are more problematic custom services generally not supported
Firewalls - Circuit Level Gateway
Circuit Level Gateway Relays two TCP connections Imposes security by limiting types of connections that are allowed Once created, usually relays traffic without examining contents Typically used with trusted internal users (by allowing general outbound connections) SOCKS (RFC 1928) SOCKS server SOCKS client library SOCKSified versions of application programs
SOCKS
Bastion Host Highly secure host system Exposed to "hostile" elements hence secured to withstand attacks Trusted System May be single or multi-homed Enforce trusted separation between network connections Run circuit / application level gateways Provide externally accessible services
Firewall Configurations Screened Host Single Homed Bastion Host Screened Host Dual Homed Bastion Host Screened Subnet
Screened Host Single Homed Bastion Host
Screened Host Dual Homed Bastion Host
Screened-subnet Firewall
Access Control Given that system has identified a user Determine what resources they can access General model - access matrix subject - active entity (user, process) object - passive entity (file or resource) access right way object can be accessed can decompose by columns as access control lists rows as capability tickets
Access Control Matrix
Trusted Computer Systems Varying degrees of sensitivity of information military classifications: confidential, secret, TS, etc Subjects (people or programs) have varying rights of access to objects (information) Need to consider ways of increasing confidence in systems to enforce these rights Multilevel security subjects have maximum & current security level objects have a fixed security level classification
Bell LaPadula (BLP) Model One of the well-known security models Implemented as mandatory policies on system Two key policies: no read up (simple security property) a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object no write down (*-property) a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object