Transcript Why we all care: the changing home

Firewalls
Fred P. Baker
CCIE, CCIP(security), CCSA,
MCSE+I, MCSE(2000)
Firewalls are not just for companies any
more: the changing home
High Speed Internet Connections Drive
the importance of security
The home Network: always on the Net
Always on, all hackers all the time
• For me to attack your system, I must send packets
to it
• With dial, you get a different IP address for each
call and in relative terms that call is not long
• Big issue is that you will have the same IP address
for a long time with persistent connections
• You may have the same IP address ALL the time.
• So plenty of time for someone to go after you
Personal PCs have the standard OS vulnerabilities
• Private Web servers easy targets
Windows file sharing does not help
• Admin Shares
– $c
– On by default in Win 9* and older NT
• Browser Service
– Network Neighborhood
– Could see everyone else's PCs
• Hard to turn it off on Internet facing interfaces
interfaces
• Who cares? QDATA.*
Multiple security problems
Defense in Depth
The tradeoffs
Costs
• Dollars for the software
• Download of updates
• Customization
– most software out of the box works fine
– File and print sharing on your home LAN
– special apps
• Checking logs
Example of customization
The firewall: The first line of defense
What a firewall does not do
Firewall technologies
• Network Address Translation
A digression, TCP/IP
Internet Protocol
TCP
TCP connection flow
• the syn is unique to session start
TCP Ports Identify the App
IP addresses
‘Private’ IP addresses
• Routable IP addresses are scarce
• Not every system in the world needs direct and
always on access to the Internet
• Private addresses allows you to address many
more systems than the ‘public’ address space
(public addresses can be routed over the internet
• For a private addressed system to access the
internet it must be translated to a public address
• Private addresses are defined by RFC 1918
– 10.*.*.*, 172.16.*.*-172.31.*.*, 192.168.*.*
Public IP address assignment
• If you are dialing up, you get one for the duration
of the call and it will change
• If you are on a ‘always on’ you MAY get a one
– Providers charge for more than 1 permanent IP
addresses
– Some cable systems change your address so you cant
host a server without them knowing (and of course you
paying)
• To address multiple PCs and have them access the
internet you must NAT
Network Address Translation
Enterprise NAT
• NAT is also used to ‘hide’ addresses
– Remote end can only see the NATed address not the
real one
• Both ends use private addresses
• And will often have duplicates (10.1.1.1)
• So will often ‘dual nat’ that is translate both source
and destination
• Can even map ports so 1 address, multiple servers
– 200.200.200.200 port 80; 10.1.1.1
– 200.200.200.200 port 25; 10.1.1.2
– 200.200.200.200 port 20: 10.1.1.3
Pat
• Port address translation
• Allows many stations to share 1 ip address
• Depends on keeping track what source port
and IP address for each connection
• Then select a unique port to associate with
the single public IP address
Packet Filtering the basis of a
firewall
Packet Filtering
• Firewalls will trust inside addresses
• Spoofing: attacker makes their address look like
an inside address
• Will rely on the TCP ACK bit to determine if a
connection is inbound or outbound
– will permit all outbound (you to the Inet) by default
• Can configure what inbound connections you want
to allow (home web server)
• Does not work well with certain applications
– FTP opens connections from the outside
– Media and VOIP use dynamic ports
Stateful Inspection
Stateful inspection
• Look at outbound connection request to the
Internet
• Remember the addresses and the ports
• Only permit traffic from the Internet if it
saw that it was initiated from the inside
network
• All modern firewalls work this way
Proxy Server
Proxy Server
•
•
•
•
•
Since application is intercepted
Can authenticate by user
Can log content
Can block content by looking at the URLs
All web access is via proxy
Authentication w/o proxy
• Telnet or web to the firewall the login
– then can access all other services
• Dedicated client
– Firewall-1 has a custom client
– Firewall contacts client code when user tries to
access a service
– ask for login and if ok grants it.
A firewall:
•
•
•
•
•
Always does packet filters
Always does stateful packet filtering
Always logs
May have a proxy
May do authentication
Corporate Firewalls
• Appliance based
–
–
–
–
–
PIX, FW1 Nokia
more expensive
Dedicated OS
Harder to crack as fewer OS issues
Harder to scale (as based on specific hardware)
• ‘Computer’ based
– Runs on NT or Unix
– Can leverage existing computers
– Easier to learn at home
Home Firewalls
• Device Based
– Part of your access box or can get a dedicated appliance
– May be ‘free’ with a box you are already getting
– Does not touch your OS but then may need more
configuration
– Do not have to touch multiple computers
– Does not impact ‘inside the house’
• OS based
– Tied into the network stack
– Can easily deal with custom apps
– May need to modify for home access
Linksys Router (appliance)
Linksys Router Filtering
Linksys Router logs
Norton Personal Firewall (part of
OS)
Application list
Summary
• If you access the internet at all get an OS
based firewall
• If you have always on get an appliance
based
• Or even better use both.