Transcript Slides - GMU Computer Science

Dan Fleck
CS 469: Security Engineering
Coming up: References
Firewalls
Slides modified with permission from original by Arun Sood
1
1. Mark Stamp, Information Security: Principles and Practice, Wiley
Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potential, 2002, p 24 –
29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors,
IEEE Computer, June 2004, p 62 – 67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE
Communications Magazine, Sept 1994, p 50 – 57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer,
June 2003, p 112 – 113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and
Efficiency of Firewall Policy Deployment, IEEE Symposium on
Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its
Properties, Proc of the 2005 International Conference on
Dependable Systems and Networks, 2005.
Coming up: Firewall as Network
Access Control
References
2
Firewall as Network Access Control
• Access Control
• Authentication
• Authorization
• Firewall
• Interface between networks
• Usually external (internet) and internal
• Allows traffic flow in both directions
Coming up: Firewall
• Single Sign On
3
Firewall
Internal
– Interface between networks
Coming up: Firewall
Internet
• Usually external (internet) and internal
– Allows traffic flow in both directions
– Controls the traffic
4
Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
Coming up: Security Strategies
– First contact the secretary
– Secretary decides if meeting is reasonable
– Secretary filters out many requests
• You want to meet chair of CS department?
– Secretary does some filtering
• You want to meet President of US?
– Secretary does lots of filtering!
5
[1]
Security Strategies
• Least privilege
• Objects have the lowest privilege to perform assigned task
Coming up: Security Strategies
-2
• Defense in depth
• Use multiple mechanisms
• Best if each is independent: minimal overlap
• Choke point
• Facilitates monitoring and control
6
[2]
Security Strategies - 2
• Weakest link • Fail-safe
• If firewall fails, it should go to fail-safe that denies access to avoid
intrusions
Coming up: Security Strategies
-3
• Default deny
• Default permit
• Universal participation
• Everyone has to accept the rules
7
[2]
Security Strategies - 3
• Diversity of defense
• Inherent weaknesses
• Multiple technologies to compensate for inherent weakness of
one technology
Coming up: Security Strategies
-4
• Common heritage
• If systems configured by the same person, may have the same
weakness
• Simplicity
• Security through obscurity
8
[2]
Security Strategies - 4
Configuration errors can be devastating
Testing is not perfect
Ongoing trial and error will identify weaknesses
Enforcing a sound policy is critical
Coming up: Types of Firewall
•
•
•
•
9
[2]
Types of Firewall
No Standard Terminology
• Simplest firewall
• Filter packets based on specified criteria
• IP addresses, subnets, TCP or UDP ports
• Does NOT read the packet payload
• Vulnerable to IP spoofing
•Stateful inspection (transport layer)
• In addition to packet inspection
• Validate attributes of multi-packet flows
• Keeps track of connection state (e.g. TCP streams, active connections,
etc…)
[2]
Coming up: Types of Firewall - 2
•Packet Filtering (network layer)
10
Types of Firewall - 2
• Application Based Firewall (application layer)
• Allows data into/out of a process based on that process’ type
• Can act on a single computer or at the network layer
• e.g. allowing only HTTP traffic to a website
Coming up: Types of Firewall - 3
• Log access – attempted access and allowed access
• Personal firewall – single user, home network
11
[2]
Types of Firewall - 3
• Proxy
• Intermediate connection between servers on internet and
internal servers.
• For incoming data
Coming up: Types of Firewall - 4
• Proxy is server to internal network clients
• For outgoing data
• Proxy is client sending out data to the internet
No IP packets pass through firewall. Firewall creates new packets.
• Very secure
• Less efficient versus packet filters
12
[2]
Types of Firewall - 4
• Network Address Translation
Coming up: Packet Filter
• Hides internal network from
external network
• Private IP addresses –
expands the IP address space
• Creates a choke point
• Virtual Private Network
• Employs encryption and integrity protection
• Use internet as part of a private network
• Make remote computer “act like” it is on local network
13
[2]
Packet Filter
• Advantages
• Disadvantages
• Can be compromised by many attacks
• Source spoofing
Coming up: Packet Filter Example
• Simplest firewall architecture
• Works at the Network layer – applies to all systems
• One firewall for the entire network
14
Coming up: Packet Filter Example
Packet Filter - Example
15
[2]
Coming up: Packet Filter Example
Packet Filter - Example
16
[2]
Coming up: Packet Filter Example
Packet Filter - Example
• Attack succeeds because of rules B and D
• More secure to add source ports to rules
17
Coming up: Packet Filter Example
Packet Filter - Example
18
[2]
• These packets would be admitted. To avoid this add an ACK bit to
the rule set
Coming up: Packet Filter Example
Packet Filter - Example
19
[2]
Coming up: TCP Ack for Port
Scanning
Packet Filter - Example
• Attack fails, because the ACK bit is not set. ACK bit is set if the connection
originated from inside.
20
• Incoming TCP packets must have ACK bit set. If this started outside, then
no matching data, and packet will be rejected.
• Note: This rule means we allow no services other than request that we
originate.
TCP Ack for Port Scanning
• Attacker sends packet with ACK set (without prior
handshake) using port p
Coming up: TCP Ack Port Scan
• Violation of TCP/IP protocol
• Packet filter firewall passes packet
• Firewall considers it part of an ongoing connection
• Receiver sends RST
• Indicates to the sender that the connection should be
terminated
• Receiving RST indicates that port p is open!!
21
[1]
• RST confirms that port 1209 is open
• Problem: packet filtering is stateless; the firewall should track the
entire connection exchange
Coming up: Stateful Packet
Filter
TCP Ack Port Scan
22
[1]
Stateful Packet Filter
• Pro: Adds state to packet filter and
keeps track of ongoing connection
• Con: Slower, more overhead. Packet
content info not used
application
transport
network
link
physical
Coming up: Application Proxy
• Remembers packets in the TCP
connections (and flag bits)
• Adds state info to the packet filter
firewalls.
• Operates at the transport layer.
23
[1]
Application Proxy
Coming up: Firewalk – Port
Scanning
• A proxy acts on behalf the system being
protected.
• Application proxy examines incoming app data –
verifies that data is safe before passing it to the
system.
• Pros
• Complete view of the connections and app data
• Filter bad data (viruses, Word macros)
• Incoming packet is terminated and new packet is sent
to internal network
• Con
• Speed
24
[1]
Firewalk – Port Scanning
• Scan ports through firewalls
• Requires knowledge of
Coming up: Firewalk and Proxy
Firewall
• IP address of firewall
• IP address of one system in internal network
• Number of hops to the firewall
• Set TTL (time to live) = Hops to firewall +1
• Set destination port to be p
• If firewall does not pass data for port p, then no
response
• If data passes thru firewall on port p, then time
exceeded error message
Lets try it Applications->Utilities->Network Utility
25
[1]
Firewalk and Proxy Firewall
Trudy
Router
Router
Packet
filter
Router
Coming up: Firewalls and
Defense in Depth
Dest port 12343, TTL=4
Dest port 12344, TTL=4
Dest port 12345, TTL=4
Time exceeded
• Attack would be stopped by proxy firewall
• Incoming packet destroyed (old TTL value also destroyed)
• New outgoing packet will not exceed TTL.
[1]
26
Firewalls and Defense in Depth
• Example security architecture
DMZ
Coming up: Research: Firewall
Policy Verification
WWW server
FTP server
DNS server
Internet
Packet
Filter
Application
Proxy
Intranet with
Personal
Firewalls 27
[1]
Research: Firewall Policy
Verification
• Firewall design: consistency, completeness, and compactness
• Lesson: Practical firewalls have complex rulesets. They
are hard to get right. Research in place to help validate
the configuration for errors
• Lets see some simple ones
Coming up: Lets do some
examples
• Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness,"
Distributed Computing Systems, 2004. Proceedings. 24th International Conference on , vol.,
no., pp.320,327, 2004
28
Lets do some examples
Well supported in Linux:
iptables –A INPUT –p tcp –dport 22 –j ACCEPT
-A: append to list of rules
-p:match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if rule matches, ACCEPT the packet.
1st matching rule wins… order matters!
Final rule typically rejects anything that doesn’t match: security
says deny all, and only allow in who you want.
Coming up: iptables - chains
iptables is a common tool to build firewalls
29
iptables - chains
• iptables –A INPUT –p tcp –dport 22 –j ACCEPT
• # This allows SSH TO THE FIREWALL BOX!
Coming up: iptables – matching
rules
• INPUT – anything with a destination of the firewall box
• OUTPUT – anything with a source of the firewall box
• FORWARD – anything going through the firewall box (neither
source or dest is the firewall box)
30
Jump targets – what to do upon match?
-j ACCEPT – allow it
-j REJECT -- send a rejection message
-j DROP – drop it, don’t send any message
-j logaccept, logdrop, logreject
(there are others)
Protocol matching rules
-p tcp , udp, icmp, all (0 means all)
Port matching rules
--dport destination port
--sport source port
Coming up: iptables – more
rules
iptables – matching rules
31
Physical device interface:
-i vlan0 # Packets coming in on that physical interface
-o eth1 # packets going out on that physical interface
-i only valid for INPUT, FORWARD chain
-o only valid for OUTPUT, FORWARD chain
(Note: Specific interface differs by hardware)
Time-based Limiting
--limit 5/minute (rule matches a maximum of 5 times per
minute (or second or hour, or day, etc…)
Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Coming up: iptables - examples
iptables – more rules
32
iptables - examples
• Lets stop all http access
• Lets allow www.gmu.edu though (but only GMU!)
• --destination www.gmu.edu
• Lets allow only my IP to get to HTTP
• --source 192.168.3.10
Coming up: iptables – more
rules
• Lets stop ping
33
iptables – more rules
NEW - A packet which creates a new connection.
ESTABLISHED - A packet which belongs to an existing connection (i.e., a
reply packet, or outgoing packet on a connection which has seen
replies).
RELATED - A packet which is related to, but not part of, an existing
connection, such as an ICMP error, or (with the FTP module inserted), a
packet establishing an ftp data connection.
INVALID - A packet which could not be identified for some reason: this
includes running out of memory and ICMP errors which don't
correspond to any known connection. Generally these packets should
be dropped.
Coming up: iptables – more
rules
State matching:
-m state –state ESTABLISHED, RELATED
34
iptables – more rules
TCP bit matching:
--tcp-flags <string 1> <string2>
string 1 = the set of bits to look at
string 2 = the subset of 1 which should be ones
Above command says look at all the bits (‘ALL’ is synonymous with
`SYN,ACK,FIN,RST,URG,PSH’) and verify that only the SYN and ACK bits
are set.
Coming up: Would a GUI help?
iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
35
34
iptables - Tunneling
• In our network we have one outward facing server, so to get in
from home we must travel (tunnel) through that server.
• We really use SSH tunnels:
• ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p
10024 localhost
• However if everyone needed to use it we could use a firewall
based tunnel:
• iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024
-j DNAT --to-destination sr1s4.mesa.gmu.edu:22
Coming up: Lessons
Would a GUI help?
36
• There are many firewall types
• Each provides a different level of security versus performance
• Multiple firewalls can be used to segment networks into
security zones
• iptables is a powerful example of how to create/manage
firewalls
End of presentation
Lessons
37
35
29