Routers, Filtering, firewall, and NAT


Cosc 4765
Network Security: Routers, Firewall, filtering, NAT, and VPN
Network Security
• At this point, we are looking to secure all of the computers in "our" network from outside and inside attack.
– If a machine is compromised, we would like to keep it from compromising the rest of the network, or at least contain and minimize the damage.
Where to start?
• First, internal security: start by looking at the computers.
– What category do they fall into?
• personal, business workstation, server, sensitive systems
– That determines which computers need access to other computers (i.e. servers to workstations, etc.).
– From there we can isolate computers on our network from each other
• limiting access and limiting damage
Layer security pieces
• Once the "computers" are sorted, layer the security to maximize protection.
– Firewalls on top (and wherever more security is needed)
– Filtering with routers, so parts of the internal network that don't need to "talk" to each other, don't.
– IDS and monitoring to make sure attempts to breach security are not successful.
VLANs in summary
• VLANs combine shared hubs, switching, routing, and network management
– remove physical boundaries on switches
– better control of broadcast domains
• VLANs are invisible to end users
• Offer significant cost and performance benefits in switched LANs
– better use of switches
– easy to add or move network stations
– tighter security
Routers
• Packet routing, forwarding and filtering, and VLANs
– Once a set of computers is classified, they can go into VLANs.
– The router can be configured so that packets can't be routed between two VLANs,
– or packets can be forwarded between the VLANs as needed.
• Newer routers can also route based on the type of packet (ICMP, TCP, UDP, etc.).
Proxy
• Proxy servers
– Allow a client to access a server through an intermediate computer.
• The proxy server is secured; it accepts requests for access to a server (or even the internet), then makes the request to the server itself.
• The proxy server is allowed to talk to the server, while the client is not allowed to talk to the server directly.
– Many firewalls with NAT work as a type of proxy.
Firewall
• Definition: A system that cannot be broken into.
– It monitors traffic and "protects" the computer.
• Configured so that only certain inbound and outbound ports are "open"
• e.g. blocking port 6000 means that nothing can remotely talk to that port and the computer can't use that port to talk to a remote machine.
– Can be configured for only outbound or only inbound as well.
Firewall Categories
• Packet filtering gateway
– Simple firewall; works like router filtering, but at a higher OSI layer.
• Stateful inspection firewalls
– Maintain more information about network connections.
• Personal firewalls (software firewalls)
– Normally on users' computers.
Network firewalls
• Packet filtering
– Filters not only on IP addresses like routers, but on ports and types of packets, such as allowing only TCP while blocking UDP and all ICMP packets.
– e.g. NFS packets are blocked, but not ssh packets.
• Firewalls may provide Network Address Translation (NAT)
• May provide zones of security
– Unrestricted access, protected zones (called DMZs), and no access.
Stateful
• Included in most high-end firewalls and many personal firewalls as well.
– Since each packet of data has no context
• and the packet may be fragmented as well,
– it's difficult to figure out what a packet of data is doing. Is it an attack?
• A classic attack is to fragment a packet so that it's hard to detect an attack signature.
• Also remember that packets may arrive in any order; the receiving computer (with TCP) will order them correctly.
• So a stateful firewall will track the sequence of packets in order to "thwart" this type of attack.
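The following is an added illustration of the stateful idea on this slide, not code from the lecture: a toy firewall that tracks which TCP flows were opened from inside, admits only those flows and their replies, and buffers IP fragments (in any order) so that a signature split across two fragments is still seen as one packet. The packet model, the inside prefix 192.168.1.0/24 and the signature string are constructed for the example; real fragments carry the TCP ports only in the first piece, which the model simplifies away.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed packet model: the 5-tuple, the two TCP flags we care about, and
# IP fragment fields. Simplification: every fragment carries the ports too
# (a real firewall only sees them in the first fragment, which is exactly why
# fragments must be reassembled before the rule lookup).
@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    frag_id: Optional[int] = None   # IP identification field when fragmented
    frag_offset: int = 0            # byte offset of this piece (real IP uses 8-byte units)
    more_frags: bool = False
    payload: bytes = b""

INSIDE_PREFIX = "192.168.1."        # assumption: inside hosts are 192.168.1.0/24
SIGNATURE = b"EVIL-SIGNATURE"       # constructed attack signature for the demo

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

class StatefulFirewall:
    """Allows flows opened from inside plus their replies, drops unsolicited inbound,
    and reassembles fragments before matching signatures and rules."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple, str] = {}      # 5-tuple -> connection state
        self.frags: Dict[Tuple, dict] = {}     # (src, dst, id) -> pieces seen so far

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def reassemble(self, p: Packet) -> Optional[Packet]:
        """Buffer fragments (arriving in any order); return the whole packet once complete."""
        if p.frag_id is None:
            return p
        bucket = self.frags.setdefault((p.src, p.dst, p.frag_id), {"parts": {}, "total": None})
        bucket["parts"][p.frag_offset] = p.payload
        if not p.more_frags:                   # the last piece tells us the total length
            bucket["total"] = p.frag_offset + len(p.payload)
        if bucket["total"] is None:
            return None
        data, pos = bytearray(), 0
        while pos < bucket["total"]:           # require contiguous coverage from offset 0
            part = bucket["parts"].get(pos)
            if part is None:
                return None
            data += part
            pos += len(part)
        del self.frags[(p.src, p.dst, p.frag_id)]
        return Packet(p.src, p.dst, p.sport, p.dport, p.proto, p.syn, p.ack, payload=bytes(data))

    def filter(self, p: Packet) -> str:
        """Return ACCEPT, DROP, or HOLD (still waiting for the rest of the fragments)."""
        whole = self.reassemble(p)
        if whole is None:
            return "HOLD"
        p = whole
        if SIGNATURE in p.payload:             # only visible once reassembled
            return "DROP"
        key, rkey = self._key(p), self._reverse_key(p)
        if key in self.flows:
            return "ACCEPT"
        if rkey in self.flows:                 # reply to a tracked flow
            if p.syn and p.ack:
                self.flows[rkey] = "ESTABLISHED"
            return "ACCEPT"
        if is_inside(p.src) and not is_inside(p.dst) and p.syn and not p.ack:
            self.flows[key] = "SYN_SENT"       # an inside host opened a new connection
            return "ACCEPT"
        return "DROP"                          # unsolicited inbound (or a stateless stray)

def demo():
    """Walk through the cases on the slide; returns the decisions in order."""
    fw = StatefulFirewall()
    inside, outside = "192.168.1.10", "203.0.113.5"
    return [
        fw.filter(Packet(outside, inside, 40000, 22, syn=True)),             # unsolicited inbound SYN
        fw.filter(Packet(inside, outside, 50000, 443, syn=True)),            # inside opens a flow
        fw.filter(Packet(outside, inside, 443, 50000, syn=True, ack=True)),  # the SYN-ACK reply
        fw.filter(Packet(outside, inside, 443, 50000, ack=True,              # signature split in two
                         frag_id=7, frag_offset=0, more_frags=True, payload=b"EVIL-SI")),
        fw.filter(Packet(outside, inside, 443, 50000, ack=True,
                         frag_id=7, frag_offset=7, more_frags=False, payload=b"GNATURE")),
    ]
```

Neither fragment on its own contains the signature, so a packet-by-packet filter would pass both; the tracker holds the first piece and drops the reassembled packet.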
Software firewalls
• Good for personal computers
– Limited by the O/S and what the computer is doing
– Provide little protection from DoS attacks.
• Very good for adding more protection to a single machine, in conjunction with an upstream hardware firewall.
• For department or enterprise firewalls
– A computer (or several computers) is tasked as a firewall and does nothing else.
• Many security experts recommend using a hardware firewall appliance together with software firewalls whenever possible.
Why use firewalls?
• Three aspects referred to as the CIA: Confidentiality, Integrity, and Availability
– Confidentiality: protect data/information you want private.
– Integrity: make sure data/computer has not been tampered with.
– Availability: so a remote attack does not bring down the computer.
Zones of Security
• Firewalls can be configured for zones of security.
– An area where there is no protection
• for personal/home computers
– An area where machines can be accessed from the internet, but only on certain ports (called a DMZ)
• for web, FTP, DNS, VPN servers, etc.
– An area where there is no inbound access
• for workstations etc. No one needs to access them from the internet.
– An area where there is no inbound or outbound access
• "sensitive" computers
Zones of Security (2)
• Each zone can be configured with the necessary security.
• Each zone can also be protected from other zones.
– A server zone: allow no inbound access from the internet, no inbound traffic from the unprotected zone and the DMZ, but all connections from workstations.
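As an added example (not from the lecture), here is a zone-based policy that implements the two zone slides above: addresses are mapped to zones by longest-prefix match, and an inter-zone rule list with a default deny gives the server zone its "workstations only" behaviour and the sensitive zone its "no inbound, no outbound" behaviour without any explicit deny rules. The prefixes 10.0.x.0/24 and the port lists are constructed for the example; the slides name the zones but give no addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed zone map (assumption: these prefixes are made up for the example).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "internet":     ipaddress.ip_network("0.0.0.0/0"),     # anything not matched below
    "unprotected":  ipaddress.ip_network("10.0.0.0/24"),   # "no protection" area
    "dmz":          ipaddress.ip_network("10.0.1.0/24"),   # reachable from outside on some ports
    "workstations": ipaddress.ip_network("10.0.2.0/24"),   # no inbound from the internet
    "servers":      ipaddress.ip_network("10.0.3.0/24"),   # the server zone from the slide
    "sensitive":    ipaddress.ip_network("10.0.4.0/24"),   # no inbound and no outbound
}

def zone_of(ip: str) -> str:
    """Longest-prefix match, so 'internet' (/0) only wins when nothing more specific does."""
    addr = ipaddress.ip_address(ip)
    best: Optional[str] = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    assert best is not None
    return best

Ports = Union[Set[int], str]   # a set of allowed destination ports, or "*" for any

# Inter-zone policy: (source zone, destination zone, allowed ports). First match
# wins and anything unlisted is dropped. Port numbers are the usual service
# ports for the DMZ services the slide lists (web, FTP, DNS, OpenVPN's default).
POLICY: List[Tuple[str, str, Ports]] = [
    ("internet",     "dmz",         {80, 443, 21, 53, 1194}),
    ("internet",     "unprotected", "*"),
    ("workstations", "servers",     "*"),      # "all connections from workstations"
    ("workstations", "dmz",         "*"),
    ("workstations", "internet",    "*"),
    ("dmz",          "internet",    "*"),
    ("unprotected",  "internet",    "*"),
]

def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return ACCEPT or DROP for a new connection from src_ip to dst_ip:dport."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for s, d, ports in POLICY:
        if s == src_zone and d == dst_zone and (ports == "*" or dport in ports):
            return "ACCEPT"
    return "DROP"                              # default deny covers every unlisted pair

def demo() -> Dict[str, str]:
    """The server-zone rules from the slide, plus the DMZ and sensitive-zone cases."""
    internet, dmz_host = "198.51.100.7", "10.0.1.4"   # constructed addresses
    return {
        "internet -> server ssh":      decide(internet, "10.0.3.5", 22),
        "dmz -> server db":            decide(dmz_host, "10.0.3.5", 3306),
        "unprotected -> server ssh":   decide("10.0.0.3", "10.0.3.5", 22),
        "workstation -> server ssh":   decide("10.0.2.9", "10.0.3.5", 22),
        "internet -> dmz https":       decide(internet, dmz_host, 443),
        "internet -> dmz ssh":         decide(internet, dmz_host, 22),
        "internet -> workstation":     decide(internet, "10.0.2.9", 445),
        "sensitive -> internet https": decide("10.0.4.2", internet, 443),
    }
```

Putting the deny in the default rather than in per-zone rules is deliberate: a zone that is added later starts out isolated until someone writes an allow rule for it.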
NAT
• Network Address Translation
– The internal computers have 10.x.x.x or 192.168.x.x IP numbers.
– When a packet is sent from a computer to the "internet", the firewall receives the packet, changes the packet's source address to its own address, then sends it to the internet and waits for a response.
• It also changes the source port number.
– When a response is received, the firewall forwards the packet on to the computer.
• NAT can be a separate appliance or built into other devices (including routers and firewalls).
NAT (2)
• Since the firewall acts as the go-between, the internal computer is protected.
• A side effect is that you only need a limited number of real IP numbers, while using the 10.x.x.x IP set for the internal network.
• The firewall is configured to have real IP numbers on machines accessed from the outside, such as web servers.
NAT issues
• NAT works great if all network applications follow the OSI model standards.
– Of course there are many apps that don't.
– Example: FTP
• The IP address and port number are in the layer 7 data of the packet. Big problem.
– FTP has two modes, active and passive.
• In passive mode, which is the mode meant for firewalls, the server sends its IP number and a port number for the client to make a connection for file transfers.
– Since the IP number and port are in the layer 7 data, the NAT must read and change the IP and port number the "world" sees.
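The following added example (not from the lecture) covers both the NAT slides and the FTP problem above: a small NAT that rewrites source address and port on the way out and maps replies back by port, plus the application-layer fix for passive FTP, where the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply carries a private address and port in the layer 7 data that the NAT must rewrite and pre-map. The public address 203.0.113.1, the private hosts and the port range are constructed; the 227 reply format is FTP's real one (port = p1*256 + p2).

```python
import re
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # assumption: the firewall's single real address (documentation range)
Pkt = Dict[str, object]     # constructed packet: {"src", "sport", "dst", "dport"}

class Nat:
    """Port-overloading NAT: every (private ip, private port) gets its own public port."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # public port -> (private ip, port)

    def map_port(self, private_ip: str, private_port: int) -> int:
        """Allocate (or reuse) the public port that stands for an internal endpoint."""
        key = (private_ip, private_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt: Pkt) -> Pkt:
        """Packet leaving the private network: rewrite source address and port."""
        pub_port = self.map_port(str(pkt["src"]), int(pkt["sport"]))
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Packet arriving from outside: deliver to the mapped host, or None if nothing matches."""
        key = self.in_map.get(int(pkt["dport"]))
        if key is None:
            return None                                  # unsolicited: no internal host to deliver to
        return {**pkt, "dst": key[0], "dport": key[1]}

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address and port live in the layer 7 data.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def rewrite_pasv(nat: Nat, line: str) -> str:
    """FTP ALG for a server behind the NAT: replace the private address/port the server
    announced with the public address and a port that maps back to the server."""
    m = PASV_RE.search(line)
    if not line.startswith("227") or m is None:
        return line
    h = m.groups()
    private_ip = ".".join(h[:4])
    private_port = int(h[4]) * 256 + int(h[5])
    pub_port = nat.map_port(private_ip, private_port)    # pre-opens the inbound mapping
    fields = nat.public_ip.split(".") + [str(pub_port // 256), str(pub_port % 256)]
    return line[:m.start()] + "(" + ",".join(fields) + ")" + line[m.end():]

def demo():
    """One outbound flow and its reply, one stray inbound packet, and a PASV rewrite."""
    nat = Nat()
    out = nat.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.9", "dport": 443})
    reply = nat.inbound({"src": "198.51.100.9", "sport": 443, "dst": PUBLIC_IP, "dport": out["sport"]})
    stray = nat.inbound({"src": "198.51.100.9", "sport": 443, "dst": PUBLIC_IP, "dport": 40999})
    # FTP server 192.168.1.20 inside the private network answers an outside client's PASV
    pasv = rewrite_pasv(nat, "227 Entering Passive Mode (192,168,1,20,195,80)")
    data = nat.inbound({"src": "198.51.100.9", "sport": 60000, "dst": PUBLIC_IP, "dport": 40001})
    return out, reply, stray, pasv, data
```

The stray packet returning None is the "internal computer is protected" side effect from the NAT slide: with no mapping, there is nowhere to deliver it. Without the rewrite, the outside client would try to connect to 192.168.1.20:50000, which is unroutable from the internet, and the transfer would hang.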
What Firewalls can't do
• Don't protect data outside the perimeter.
• Don't protect against computer-to-computer attacks inside the firewall, except between zones.
– If it doesn't pass through the firewall, then the firewall can't offer any protection.
• Don't necessarily protect open ports.
– If port 80 is open to the outside world, then the firewall can't protect it against every attack.
• Some attacks will look like normal traffic.
• And firewalls themselves are also targets of attacks.
Example web site security
• How are web sites constructed? [Diagram of a four-tier web site: Tier 4 Database, Tier 3 Applications, Tier 2 Server, Tier 1 (label not recoverable). Source: Intershop]
VPN
• VPN: virtual private network
– A method to provide a secure connection between two networks over an insecure line.
– A VPN client connects to the VPN server. All networking from the client is directed to the server, which acts as the network gateway.
• So your network traffic is behind the firewall and you can access everything like normal.
VPN (2)
• A VPN client connects to the VPN server.
– All networking from the client is directed to the server, which acts as the network gateway.
• So the client functions as if it was behind the firewall and can access everything like normal.
– Example
• An employee goes on a business trip and connects to an unsecured network. The employee connects to the VPN server (via the client) and now has a secure connection to "work" over the unsecured network.
VPN Issues
• Split tunneling
– Traffic to the "protected" network goes through the VPN connection.
– Everything else goes out the default route.
– Much more efficient, but not as secure.
• When a user is working from, say, a hotel and VPNs to campus/office
– Only traffic to the campus goes over the VPN.
– So if there is an attacker in the hotel, they can reach the laptop, attack it, and then have direct access into the campus/office via the compromised laptop.
• Remember VPN servers are deployed behind the firewall.
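To make the split-tunnel difference concrete, here is an added example (not part of the lecture) of the laptop's routing table in both configurations, with the longest-prefix-match lookup a host performs for each destination. The campus range 10.20.0.0/16, the hotel network 172.16.5.0/24 and the interface names tun0/wlan0 are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, egress interface)

# Constructed addresses (assumption): the campus sits behind the VPN, the hotel
# Wi-Fi is the local link, tun0 is the VPN tunnel and wlan0 the hotel interface.
CAMPUS    = ipaddress.ip_network("10.20.0.0/16")
HOTEL_LAN = ipaddress.ip_network("172.16.5.0/24")
DEFAULT   = ipaddress.ip_network("0.0.0.0/0")

def build_routes(split_tunnel: bool) -> List[Route]:
    """Host routing table as the VPN client would install it."""
    routes: List[Route] = [(HOTEL_LAN, "wlan0"), (CAMPUS, "tun0")]
    # Split tunnel: the default route stays on the hotel link. Full tunnel: the
    # default route moves into the tunnel, and only the hotel LAN itself (needed
    # to reach the VPN server in the first place) stays on wlan0.
    routes.append((DEFAULT, "wlan0" if split_tunnel else "tun0"))
    return routes

def egress(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, the same rule a real host routing table applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    assert best is not None
    return best[1]

def classify(split_tunnel: bool, destinations: List[str]) -> Dict[str, str]:
    routes = build_routes(split_tunnel)
    return {dst: egress(routes, dst) for dst in destinations}

def demo():
    """Same three destinations under split and full tunnel (addresses constructed)."""
    dsts = ["10.20.3.4", "172.16.5.1", "198.51.100.20"]   # campus server, hotel gateway, a public site
    return classify(True, dsts), classify(False, dsts)
```

Under the split configuration the laptop is simultaneously a member of the hotel network (default route on wlan0) and of the campus (tun0), which is the bridge the slide warns about; under the full tunnel only the hotel gateway itself is still reached over wlan0.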
• In the VPN lecture, we look at how the VPN's encrypted tunnel is created using either IPsec or SSL/TLS.
• Then other defensive measures can be used in conjunction with firewalls
– IDS/NIPS
– "Smoke and mirrors" defenses