William Stallings, Cryptography and Network Security 3/e

FIREWALLS
The function of a strong position is to make
the forces holding it practically unassailable
—On War, Carl Von Clausewitz
On the day that you take up your command,
block the frontier passes, destroy the official
tallies, and stop the passage of all emissaries
—The Art of War, Sun Tzu
Introduction
• seen evolution of information systems
• now everyone wants to be on the Internet
• and to interconnect networks
• has persistent security concerns
– can’t easily secure every system in org
• need "harm minimisation"
• a Firewall usually part of this
What is a Firewall?
• A firewall is hardware or software (or a
combination of hardware and software) that
monitors the packets of digital information that
attempt to pass through the perimeter of a network.
• A firewall is simply a program or hardware device
that filters the information coming through the
Internet connection into your private network or
computer system. If an incoming packet of
information is flagged by the filters, it is not
allowed through.
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
– only authorized traffic is allowed
• auditing and controlling access
– can implement alarms for abnormal behavior
• is itself immune to penetration
• provides perimeter defense
Perimeter Defense
A firewall is said to provide “perimeter security” because it sits on the
outer boundary, or perimeter, of a network. The network boundary is
the point at which one network connects to another.
Firewall Limitations
• cannot protect from attacks bypassing it
• cannot protect against internal threats
– e.g. disgruntled employee
• cannot protect against transfer of all virus
infected programs or files
– because of huge range of O/S & file types
Firewalls – Packet Filters
A packet filtering router applies a set of rules to each
incoming IP packet and then forwards or discards the
packet. The router is typically configured to filter packets
going in both directions (from and to the internal network).
Filtering rules are based on information contained in a
network packet:
• Source IP address: The IP address of the system that
originated the IP packet (e.g., 192.168.1.1)
• Destination IP address: The IP address of the system the
IP packet is trying to reach (e.g. 192.168.1.2)
• Source and destination transport-level address: The
transport level (e.g., TCP or UDP) port number, which
defines applications such as SNMP or TELNET
Firewalls – Packet Filters
• IP protocol field: Defines the transport protocol
• Interface: For a router with three or more ports, which
interface of the router the packet came from or which
interface of the router the packet is destined for
Firewalls – Packet Filters:
Default Policies
Packet filtering is typically set up as a list of rules based
on matches to fields in the IP or TCP header. When
there is no match to any rule, a default action is taken.
• possible default policies
– Default = discard: that which is not expressly permitted is prohibited;
more conservative, everything is blocked and services must be
added on a case-by-case basis; more visible to users, who
are more likely to see the firewall as a hindrance
– Default = forward: that which is not expressly prohibited is permitted;
increases ease of use for end users but provides reduced
security; the security administrator must, in essence, react
to each new security threat as it becomes known
Firewalls – Packet Filters
Attacks on Packet Filters
• IP address spoofing
– fake source address to be trusted
– discard packets arriving on the external interface
that carry an internal source address
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
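The packet-filter behaviour described on the last three slides, as an added example (not code from the textbook): a rule list matched first-hit-wins, the two default policies, and the three pre-checks for spoofed sources, source-routed packets and tiny fragments. The packet and rule models, the 192.168.1.0/24 internal range and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet model: just the header fields a packet-filtering router examines.
@dataclass
class Packet:
    iface: str                   # interface the packet arrived on: "ext" or "int"
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # IP protocol field: "tcp", "udp", "icmp"
    sport: int = 0               # source port (TCP/UDP)
    dport: int = 0               # destination port (TCP/UDP)
    frag_offset: int = 0         # IP fragment offset (8-byte units); 0 = first/only fragment
    payload_len: int = 1500      # bytes of transport data carried in this fragment
    source_routed: bool = False  # IP source-route option present

@dataclass
class Rule:
    action: str                  # "permit" or "discard"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

INTERNAL = ip_network("192.168.1.0/24")   # assumed internal address range
MIN_TCP_HEADER = 20

def pre_checks(p: Packet) -> Optional[str]:
    """Countermeasures for the three attacks above, applied before the rule list."""
    # IP address spoofing: an external packet claiming an internal source address.
    if p.iface == "ext" and ip_address(p.src) in INTERNAL:
        return "discard (spoofed internal source on external interface)"
    # Source routing: the sender is trying to dictate the path; just drop it.
    if p.source_routed:
        return "discard (source-routed packet)"
    # Tiny fragments: a first fragment too small to carry the TCP header the rules
    # inspect, or an offset-1 fragment that would overwrite the port fields on
    # reassembly (the check recommended in RFC 1858).
    if p.proto == "tcp" and p.frag_offset == 0 and p.payload_len < MIN_TCP_HEADER:
        return "discard (tiny first fragment)"
    if p.frag_offset == 1:
        return "discard (fragment offset 1)"
    return None

def filter_packet(p: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if no rule matches, the default policy decides."""
    verdict = pre_checks(p)
    if verdict:
        return verdict
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default   # "discard" (default = discard) or "permit" (default = forward)

# Constructed rule set: inbound SMTP to the mail host, any outbound traffic from inside.
RULES = [
    Rule("permit", iface="ext", dst="192.168.1.25/32", proto="tcp", dport=25),
    Rule("permit", iface="int", src="192.168.1.0/24"),
]

if __name__ == "__main__":
    samples = {
        "inbound smtp":   Packet("ext", "203.0.113.7", "192.168.1.25", "tcp", 40000, 25),
        "inbound telnet": Packet("ext", "203.0.113.7", "192.168.1.25", "tcp", 40001, 23),
        "spoofed source": Packet("ext", "192.168.1.9", "192.168.1.25", "tcp", 40002, 25),
        "tiny fragment":  Packet("ext", "203.0.113.7", "192.168.1.25", "tcp", 40003, 23, payload_len=8),
    }
    for name, pkt in samples.items():
        print(f"{name:15} default=discard: {filter_packet(pkt, RULES, 'discard'):10} "
              f"default=forward: {filter_packet(pkt, RULES, 'permit')}")
```

Running it shows the difference between the two default policies directly: the unmatched inbound telnet attempt is dropped under default = discard and let through under default = forward, while the spoofed and tiny-fragment packets are dropped under either policy because the pre-checks never reach the rule list.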
Firewalls – Stateful Packet Filters
• examine each IP packet in context
– keeps track of client-server sessions
– checks that each packet belongs to an established session
• better able to detect bogus packets that arrive out of
context
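A stateful packet filter in miniature, as an added example (not from the textbook): a connection table keyed on the TCP 4-tuple is populated by outbound SYNs, and inbound packets are admitted only when they match an entry in the expected state. The addresses and the packet sequence are constructed; the class is simplified and does not age out entries or follow the FIN handshake, which a real implementation must.

```python
from typing import Dict, Set, Tuple

# Connection key, always stored from the inside client's point of view.
Conn = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)

class StatefulFilter:
    """Tracks TCP sessions opened from the inside and admits inbound packets only
    when they belong to one. Constructed example: real filters also age out idle
    entries and track the FIN/ACK close sequence."""

    def __init__(self) -> None:
        self.table: Dict[Conn, str] = {}

    def handle(self, direction: str, src: str, sport: int, dst: str, dport: int,
               flags: Set[str]) -> str:
        if direction == "out":
            key = (src, sport, dst, dport)
            if "SYN" in flags and "ACK" not in flags:
                self.table[key] = "SYN_SENT"        # a new outbound connection
                return "permit (new outbound connection)"
            if key in self.table:
                if "RST" in flags:
                    del self.table[key]
                return "permit (existing connection)"
            return "discard (outbound packet without a connection)"

        # Inbound: look up the connection the packet claims to belong to.
        key = (dst, dport, src, sport)
        state = self.table.get(key)
        if state is None:
            # e.g. an ACK probe to a high port: a stateless "established" rule
            # that only tests the ACK bit would let this through.
            return "discard (no matching connection)"
        if state == "SYN_SENT":
            if {"SYN", "ACK"} <= flags:
                self.table[key] = "ESTABLISHED"
                return "permit (handshake reply)"
            return "discard (unexpected packet while SYN_SENT)"
        if "RST" in flags:
            del self.table[key]
        return "permit (existing connection)"

if __name__ == "__main__":
    fw = StatefulFilter()
    inside, outside = "192.168.1.9", "203.0.113.7"
    print(fw.handle("in", outside, 80, inside, 51000, {"ACK"}))          # out of context
    print(fw.handle("out", inside, 51000, outside, 80, {"SYN"}))         # opens session
    print(fw.handle("in", outside, 80, inside, 51000, {"SYN", "ACK"}))   # handshake
    print(fw.handle("in", outside, 80, inside, 51000, {"ACK", "PSH"}))   # data
    print(fw.handle("in", outside, 80, inside, 51001, {"ACK"}))          # wrong port
```

The first and last packets are the point of the slide: both carry a plausible ACK flag and would pass a stateless rule that admits "established" traffic by flag bit, but neither belongs to a session the inside host opened.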
Firewalls - Application Level
Gateway (or Proxy)
• use an application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
• tend to be more secure than packet filters
– need only scrutinize a few allowable apps
– easy to log and audit all incoming traffic
Firewalls - Application Level
Gateway (or Proxy)
• Main Disadvantage
– Additional Processing overhead on each
connection.
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
Firewalls - Circuit Level Gateway
• relays two TCP connections (one between itself and a
TCP user on an inner host and one between itself and a TCP user
on an outside host)
• imposes security by limiting which such
connections are allowed
• once created usually relays traffic without
examining contents
• typically used where internal users are trusted:
general outbound connections are allowed
• SOCKS (a protocol) commonly used for this
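The SOCKS exchange that sets up a circuit, as an added example (not from the textbook or any SOCKS implementation): the client builds a SOCKS5 CONNECT request, the gateway parses it and applies the connection policy before it relays anything. The framing follows RFC 1928; the policy (inside users may connect out to ports 80 and 443 only, and never back into 192.168.1.0/24 through the gateway) is an assumption for illustration.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

# RFC 1928 constants used here.
SOCKS_VERSION = 5
CMD_CONNECT, CMD_BIND = 1, 2
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

def build_connect_request(host: str, port: int) -> bytes:
    """Client side: the CONNECT request an inside host sends to the gateway."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # IPv4 literal
    except OSError:
        name = host.encode("ascii")                            # domain name
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data: bytes):
    """Gateway side: returns (cmd, host, port); raises ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise ValueError("bad length for IPv4 request")
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) != 5 + n + 2:
            raise ValueError("bad length for domain request")
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        if len(data) != 22:
            raise ValueError("bad length for IPv6 request")
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type")
    return cmd, host, struct.unpack("!H", rest)[0]

# Assumed policy: inside users may open web connections out, and nothing else.
INTERNAL = ip_network("192.168.1.0/24")
ALLOWED_PORTS = {80, 443}

def decide(data: bytes) -> int:
    """Reply code the gateway sends; only REP_SUCCEEDED results in a relayed circuit."""
    cmd, host, port = parse_request(data)
    if cmd != CMD_CONNECT:
        return REP_CMD_NOT_SUPPORTED
    try:
        if ip_address(host) in INTERNAL:
            return REP_NOT_ALLOWED   # never let the gateway be used to reach the inside
    except ValueError:
        pass                         # domain name: a real gateway resolves, then re-checks
    return REP_SUCCEEDED if port in ALLOWED_PORTS else REP_NOT_ALLOWED

def reply(rep: int) -> bytes:
    """Reply frame; BND.ADDR and BND.PORT are zero here (filled in on a real success)."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)

if __name__ == "__main__":
    for host, port in [("93.184.216.34", 443), ("93.184.216.34", 23), ("192.168.1.25", 443)]:
        req = build_connect_request(host, port)
        print(host, port, req.hex(), "->", hex(decide(req)), reply(decide(req)).hex())
```

Once the gateway has answered REP_SUCCEEDED it copies bytes between the two TCP connections without looking at them, which is exactly why the decision has to be made here, on the destination and port, and not later.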
Bastion Host
• highly secure host system that serves as a platform
for an application-level or circuit-level gateway.
• host hardware platform executes a secure version of
its operating system, making it a trusted system.
• only services that the network administrator
considers essential are installed on the bastion host
(e.g. Telnet, DNS, FTP, and user authentication)
• may require additional authentication
• each proxy maintains detailed audit information by
logging all traffic, each connection, and the duration
of each connection. The audit log is an essential
tool for discovering and terminating intruder attacks.
Bastion Host
• Each proxy module is a very small software package
specifically designed for network security. Because of its
relative simplicity, it is easier to check such modules
for security flaws.
• Each proxy is independent of other proxies on the bastion
host—a problem with one will not affect the others.
• A proxy generally performs no disk access other than to
read its initial configuration file. This makes it difficult for
an intruder to install Trojan horse sniffers or other
dangerous files on the bastion host.
• Each proxy runs as a nonprivileged user in a private and
secured directory on the bastion host.
Firewall Configurations
Single-Homed Bastion: Advantages
• Has greater security than simply a packet filtering
router or an application level gateway alone.
– Implements both packet-level and application-level
filtering, allowing for considerable flexibility in defining
security policy.
– An intruder must generally penetrate two separate
systems before the security of the internal network is
compromised.
• Affords flexibility in providing direct Internet
access.
Firewall Configurations
Screened Subnet Firewall: Advantages
• There are now three levels of defense to thwart
intruders.
• The outside router advertises only the existence
of the screened subnet to the Internet; therefore,
the internal network is invisible to the Internet.
• Similarly, the inside router advertises only the
existence of the screened subnet to the internal
network; therefore, the systems on the inside
network cannot construct direct routes to the
Internet.
11.2 Trusted Systems
One way to enhance the ability of a system
to defend against intruders and malicious
programs is to implement a trusted system
technology.
Access Control
• given system has identified a user
• determine what resources they can access
• general model is that of access matrix with
– subject - active entity (user, process)
– object - passive entity (file or resource)
– access right – way object can be accessed
• can decompose by
– columns as access control lists
– rows as capability tickets
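The access matrix and its two decompositions, as an added example (not from the textbook): the same constructed matrix is split by column into access control lists and by row into capability lists, each answers the same access question, and the revocation routine shows the cost difference the two views carry in practice. Subjects, objects and rights are all made up for illustration.

```python
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]

# Constructed access matrix: rows are subjects, columns are objects,
# each cell is the set of access rights the subject holds on the object.
MATRIX: Matrix = {
    "alice":  {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":    {"report.txt": {"read", "write"}},
    "backup": {"payroll.db": {"read"}, "report.txt": {"read"}},
}

def to_acls(matrix: Matrix) -> Matrix:
    """Column decomposition: one access control list per object."""
    acls: Matrix = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def to_capabilities(matrix: Matrix) -> Matrix:
    """Row decomposition: one capability list (a set of tickets) per subject."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

def acl_check(acls: Matrix, subject: str, obj: str, right: str) -> bool:
    """Object-side check: consult the object's list, as a file system does on open."""
    return right in acls.get(obj, {}).get(subject, set())

def cap_check(caps: Matrix, subject: str, obj: str, right: str) -> bool:
    """Subject-side check: the subject presents a ticket naming the object and right.
    The ticket must be unforgeable (kernel-held or cryptographically sealed)."""
    return right in caps.get(subject, {}).get(obj, set())

def who_can(acls: Matrix, obj: str, right: str) -> Set[str]:
    """'Who can access this object?' is one lookup in the ACL view."""
    return {s for s, rights in acls.get(obj, {}).items() if right in rights}

def revoke_object(acls: Matrix, caps: Matrix, obj: str) -> int:
    """Remove every right on obj in both views. Returns how many subjects'
    capability lists had to be searched: the cost ACLs avoid on revocation."""
    acls.pop(obj, None)               # ACL view: drop one column
    searched = 0
    for tickets in caps.values():     # capability view: visit every subject
        searched += 1
        tickets.pop(obj, None)
    return searched

if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("alice write payroll.db:", acl_check(acls, "alice", "payroll.db", "write"),
          cap_check(caps, "alice", "payroll.db", "write"))
    print("bob read payroll.db:", acl_check(acls, "bob", "payroll.db", "read"))
    print("readers of payroll.db:", sorted(who_can(acls, "payroll.db", "read")))
    print("subjects visited to revoke payroll.db:", revoke_object(acls, caps, "payroll.db"))
```

The two views are equivalent in what they decide; they differ in which questions are cheap. ACLs make "who can access X" and revocation on X local to the object; capabilities make "what can S do" local to the subject and let rights be passed around, at the price of having to find every outstanding ticket when one is withdrawn.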
Access Control Matrix
Trusted Computer Systems
• information security is increasingly important
• have varying degrees of sensitivity of information
– eg. military info classifications: confidential, secret etc
• subjects (people or programs) have varying
rights of access to objects (information)
• want to consider ways of increasing confidence
in systems to enforce these rights
• known as multilevel security
– subjects have maximum & current security level
– objects have a fixed security level classification
Bell LaPadula (BLP) Model
• one of the most famous security models
• implemented as mandatory policies on system
• has two key policies:
• no read up (simple security property)
– a subject can only read an object if the current
security level of the subject dominates (>=) the
classification of the object
• no write down (*-property)
– a subject can only append/write to an object if the
current security level of the subject is dominated by
(<=) the classification of the object
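The two BLP rules applied through a single check routine, as an added example (not from the textbook): subjects carry a fixed clearance and an adjustable current level, objects a fixed classification, and every read or write goes through one mediation function that also records an audit entry, which is how the reference monitor on the next slides is meant to work. The linear level set and the objects are constructed; the full model uses a lattice of level plus category set rather than the plain ordering used here.

```python
from typing import Dict, List, Optional, Tuple

# Linear classification levels (constructed); dominance is just >= on the rank.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(a: str, b: str) -> bool:
    """a dominates b when level(a) >= level(b)."""
    return LEVELS[a] >= LEVELS[b]

# Constructed objects with fixed classifications.
OBJECTS: Dict[str, str] = {
    "weather":         "unclassified",
    "budget":          "confidential",
    "troop_movements": "secret",
    "launch_codes":    "top secret",
}

class Subject:
    def __init__(self, name: str, max_level: str, current_level: Optional[str] = None):
        self.name = name
        self.max_level = max_level                         # clearance, fixed
        self.current_level = current_level or max_level    # may be lowered at will
        if not dominates(max_level, self.current_level):
            raise ValueError("current level cannot exceed clearance")

    def set_current(self, level: str) -> None:
        """A subject may lower itself to write at a lower level, never rise above clearance."""
        if not dominates(self.max_level, level):
            raise PermissionError(f"{self.name} is not cleared for {level}")
        self.current_level = level

# Audit trail written on every decision: (subject, op, object, allowed).
AUDIT: List[Tuple[str, str, str, bool]] = []

def mediate(subject: Subject, obj: str, op: str) -> bool:
    """Reference-monitor style check: every access, allowed or not, passes through here."""
    cls = OBJECTS[obj]
    if op == "read":        # simple security property: no read up
        ok = dominates(subject.current_level, cls)
    elif op == "write":     # *-property: no write down (appending upward is fine)
        ok = dominates(cls, subject.current_level)
    else:
        raise ValueError(f"unknown operation {op!r}")
    AUDIT.append((subject.name, op, obj, ok))
    return ok

if __name__ == "__main__":
    analyst = Subject("analyst", "secret")
    for obj in OBJECTS:
        print(f"secret analyst  read {obj:16} {mediate(analyst, obj, 'read')!s:5} "
              f"write {mediate(analyst, obj, 'write')}")
    # Lowering the current level lets the analyst write unclassified data, but
    # the same process can then no longer read secret data: no leak path.
    analyst.set_current("unclassified")
    print("after lowering: write weather", mediate(analyst, "weather", "write"),
          "read troop_movements", mediate(analyst, "troop_movements", "read"))
```

The interesting case is the last one: the *-property does not stop a cleared subject from ever writing low-classified objects, it stops a subject from doing so while it can also read high-classified ones, so no single process can carry information downward.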
Reference Monitor
• Properties
– Complete mediation: The security rules are enforced
on every access, not just for example, when a file is
opened.
– Isolation: The reference monitor and database are
protected from unauthorized modification.
– Verifiability: The reference monitor’s correctness must
be provable. That is, it must be possible to
demonstrate mathematically that the reference
monitor enforces the security rules and provides
complete mediation and isolation. A system that can
provide this kind of verification is referred to as a
trusted system.
Summary
• have considered:
– firewalls
– types of firewalls
– configurations
– access control
– trusted systems