
Chapter 20: Firewalls
Special thanks to our friends at the Blekinge Institute of Technology, Sweden, for providing the basis for these slides.
Fall 2004
CS 395: Computer Security
1
Outline
• Firewall Design Principles
– Firewall Characteristics
– Types of Firewalls
– Firewall Configurations
• Trusted Systems
– Data Access Control
– The Concept of Trusted systems
– Trojan Horse Defense
Firewalls
• Effective means of protecting a local
system or network of systems from
network-based security threats while
affording access to the outside world via
WANs or the Internet
• Information systems undergo a steady
evolution (from small LANs to Internet
connectivity)
• Strong security features for all
workstations and servers are not established
Why?
• Systems provide many services by default
– Many workstations provide remote access to
files and configuration databases (for ease of
management and file sharing)
– Even if configured only for specific users, they
can sometimes be tricked into providing
services they shouldn’t
• E.g. missing bounds check in input parsers
– Also, users sometimes forget to close
temporary holes
• E.g. leaving file system remote mountable for file
sharing
Why?
• Firewalls enforce policies that centrally manage
access to services in ways that workstations
should, but don’t
• Which services?
– Finger
– telnet: requires authentication, but the password is sent in
the clear
– rlogin: similar to telnet, but uses IP address based
authentication (Bad!)
– ftp: Tricky because it uses two connections: the control
channel from the sender, and the data connection from the
receiver (passive ftp has both originated by the sender)
– X Windows
– ICMP
Firewall Design Principles
• The firewall is inserted between the
premises network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from
Internet-based attacks
– Provide a single choke point
Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass
through the firewall (physically blocking all
access to the local network except via the
firewall)
– Only authorized traffic (defined by the local
security policy) will be allowed to pass
– The firewall itself is immune to penetration
(use of trusted system with a secure operating
system)
Firewall Characteristics
• Four general techniques:
• Service control
– Determines the types of Internet
services that can be accessed, inbound
or outbound
• Direction control
– Determines the direction in which
particular service requests are allowed
to flow
Firewall Characteristics
• User control
– Controls access to a service according to
which user is attempting to access it
• Behavior control
– Controls how particular services are
used (e.g. filter e-mail)
Firewall Limitations
• Cannot protect against attacks that bypass
the firewall
– E.g. an internal modem pool
• Firewall does not protect against internal
threats
• Firewall cannot protect against transfer of
virus-infected programs
– Too many different apps and operating systems
supported to make it practical to scan all
incoming files for viruses
Types of Firewalls
• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– (Bastion host)
Types of Firewalls
• Packet-filtering Router
– Applies a set of rules to each incoming
IP packet and then forwards or discards
the packet
– Filters packets going in both directions
– The packet filter is typically set up as a
list of rules based on matches to fields
in the IP or TCP header
– Two default policies (discard or forward)
Types of Firewalls
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of Authentication
• Who really sent the packet?
Firewalls – Packet Filters
• Can be clever:
– Allow connections initiated from inside network
to outside, but not initiated from outside.
• Traffic flows both ways, but if the firewall only allows
incoming packets with the ACK bit set in the TCP header,
this manages the issue.
• Problem: some apps require outside node to initiate
connection with inside node (e.g. ftp, X Windows), even
if original request initiated by inside node.
• Solution (sort of): allow packets from outside if they
are connecting to high port number.
Stateful Packet Filter
• Changes filtering rules dynamically (by
remembering what has happened in recent
past)
• Example: Connection initiated from inside
node s to outside IP address d. For a short
time allow incoming connections from d to
appropriate ports (i.e. the ftp port).
• In practice, much more caution is used
– The stateful filter notices the incoming port
requested by s and only allows connections from
d to that port. This requires parsing the ftp control
packets
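As an added example (not from the slides), a small Python model of the stateful ftp pinhole just described: it parses the PORT command the inside client s sends on the outbound control channel and admits only the matching inbound data connection from server d, for a short time. The packet fields, the 30-second lifetime and the injectable clock are assumptions made for the example.

```python
import re
import time

# FTP active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel (port 21); the server then connects from port 20 to h1.h2.h3.h4:p1*256+p2.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class StatefulFilter:
    """Watches inside->outside ftp control traffic and opens a short-lived
    pinhole for exactly the data connection the inside client announced."""

    def __init__(self, pinhole_ttl=30.0, now=time.monotonic):
        self.now = now                 # injectable clock (constructed for tests)
        self.ttl = pinhole_ttl
        self.pinholes = {}             # (server, client, client_port) -> expiry time

    def outbound(self, src, dst, dport, payload=b""):
        """Inside -> outside: forwarded, but ftp control packets are parsed."""
        if dport == 21:
            m = PORT_RE.search(payload)
            if m:
                a, b, c, d, hi, lo = (int(g) for g in m.groups())
                if f"{a}.{b}.{c}.{d}" != src:   # PORT must name the sender itself
                    return "discard: PORT address does not match packet source"
                port = hi * 256 + lo
                if port < 1024:                 # never open a pinhole to a service port
                    return "discard: PORT names a privileged port"
                self.pinholes[(dst, src, port)] = self.now() + self.ttl
        return "forward"

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside: only an announced, unexpired data connection passes."""
        key = (src, dst, dport)
        if sport == 20 and key in self.pinholes:
            expiry = self.pinholes.pop(key)     # one data connection per announcement
            if self.now() < expiry:
                return "forward"
        return "discard"
```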
Types of Firewalls
• Possible attacks and
appropriate countermeasures
– IP address spoofing
• Discard packet with inside source
address if it arrives on external
interface
– Source routing attacks
• Discard all source routed packets
Types of Firewalls
• Possible attacks and appropriate
countermeasures
– Tiny fragment attacks
• Intruder uses IP fragmentation to create
extremely small IP fragments that force TCP
header information into a separate fragment
• Discard all packets where the protocol type
is TCP and the IP fragment offset is small
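As an added example (not from the slides), a Python model of the packet filter described on the preceding slides: an ordered rule list matched against IP/TCP header fields with a default policy, the ACK-bit trick for letting only inside-initiated TCP connections through, and the three countermeasures (inside source address arriving on the external interface, source routing, tiny fragments) applied before the rules. The inside address range, interface names and the sample policy are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_NET = ip_network("10.0.0.0/8")  # constructed: the premises network

@dataclass
class Packet:
    iface: str          # "ext" or "int": interface the packet arrived on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag
    frag_offset: int = 0        # IP fragment offset, in 8-byte units
    source_routed: bool = False

@dataclass
class Rule:
    action: str         # "forward" or "discard"
    iface: str = "*"
    proto: str = "*"
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p):
        return (self.iface in ("*", p.iface) and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))

def sanity_checks(p):
    """Countermeasures from the slides, applied before the rule list."""
    if p.iface == "ext" and ip_address(p.src) in INSIDE_NET:
        return "discard: inside source address on external interface"
    if p.source_routed:
        return "discard: source routed"
    if p.proto == "tcp" and p.frag_offset == 1:  # TCP flags pushed into 2nd fragment
        return "discard: tiny fragment"

def filter_packet(p, rules, default="discard"):
    """First matching rule wins; the default policy applies when none match."""
    return sanity_checks(p) or next((r.action for r in rules if r.matches(p)), default)

# Sample policy: inside may initiate anything; from outside only replies to
# inside-initiated TCP connections (ACK set) and new connections to the mail port.
RULES = [
    Rule("forward", iface="int"),
    Rule("forward", iface="ext", proto="tcp", ack=True),
    Rule("forward", iface="ext", proto="tcp", dport=25),
]
```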
Types of Firewalls
• Application-level Gateway
– Also called proxy server
– Acts as a relay of application-level traffic
– Can act as a router, but is typically placed between
two packet-filtering firewalls (for a total of
three boxes)
• The two firewalls are routers that refuse to forward
anything from the global net that is not addressed to the
gateway, and anything to the global net that is not from the gateway.
• Sometimes called a bastion host (we use
the term differently)
Types of Firewalls
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable
applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each
connection (gateway as splice point)
Types of Firewalls
• Circuit-level Gateway
– Stand-alone system or
– Specialized function performed by an
Application-level Gateway
– Sets up two TCP connections
– The gateway typically relays TCP
segments from one connection to the
other without examining the contents
Types of Firewalls
• Circuit-level Gateway
– The security function consists of
determining which connections will be
allowed
– Typical use is a situation in which the
system administrator trusts the internal
users
– An example is the SOCKS package
Types of Firewalls
• Bastion Host
– A system identified by the firewall
administrator as a critical strong point in
the network’s security
– The bastion host serves as a platform
for an application-level or circuit-level
gateway
Firewall Configurations
• In addition to the use of a simple
configuration of a single system
(single packet filtering router or
single gateway), more complex
configurations are possible
• Three common configurations
Firewall Configurations
• Screened host firewall system
(single-homed bastion host)
Firewall Configurations
• Screened host firewall, single-homed
bastion configuration
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
Firewall Configurations
• Configuration for the packet-filtering
router:
– Only packets from and to the bastion
host are allowed to pass through the
router
• The bastion host performs
authentication and proxy functions
Firewall Configurations
• Greater security than single
configurations because:
– This configuration implements both
packet-level and application-level
filtering (allowing for flexibility in
defining security policy)
– An intruder must generally penetrate
two separate systems
Firewall Configurations
• This configuration also affords
flexibility in providing direct
Internet access (public information
server, e.g. Web server)
Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
Firewall Configurations
• Screened host firewall, dual-homed
bastion configuration
– If the packet-filtering router is
completely compromised, you’re still OK
– Traffic between the Internet and other
hosts on the private network has to flow
through the bastion host
Firewall Configurations
• Screened-subnet firewall system
Firewall Configurations
• Screened subnet firewall
configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
Firewall Configurations
• Advantages:
– Three levels of defense to thwart
intruders
– The outside router advertises only the
existence of the screened subnet to the
Internet (internal network is invisible to
the Internet)
Firewall Configurations
• Advantages:
– The inside router advertises only the
existence of the screened subnet to the
internal network (the systems on the
inside network cannot construct direct
routes to the Internet)
• Reduces the “chewiness” of the inside
Why Firewalls Don’t Work
• Assume all bad guys are on the outside, and
everyone inside can be trusted.
• Firewalls can be defeated if malicious code
can be injected into the corporate network
– E.g. trick someone into launching an executable
from an email message or into downloading
something from the net.
• Often make it difficult for legitimate
users to get their work done.
– Misconfiguration, failure to recognize new app
Why Firewalls Don’t Work
• If firewall allows anything through, people
figure out how to do what they need by
disguising their traffic as allowed traffic
– E.g. file transfer by sending it through email.
If size of emails limited, then user breaks them
into chunks, etc.
– Firewall friendly traffic (e.g. using http for
other purposes)
• Defeats effort of sysadmin to control traffic
• Less efficient than not using http
Trusted Systems
• One way to enhance the ability of a
system to defend against intruders
and malicious programs is to
implement trusted system technology
Data Access Control
• Through the user access control
procedure (log on), a user can be
identified to the system
• Associated with each user, there can
be a profile that specifies permissible
operations and file accesses
• The operating system can enforce
rules based on the user profile
Data Access Control
• General models of access control:
– Access matrix
– Access control list
– Capability list
Data Access Control
• Access Matrix
Data Access Control
• Access Matrix: Basic elements of the
model
– Subject: An entity capable of accessing
objects; the concept of subject equates with
that of process
– Object: Anything to which access is controlled
(e.g. files, programs)
– Access right: The way in which an object is
accessed by a subject (e.g. read, write,
execute)
Data Access Control
• Access Control List: Decomposition of
the matrix by columns
Data Access Control
• Access Control List
– An access control list lists users and
their permitted access rights
– The list may contain a default or public
entry
Data Access Control
• Capability list: Decomposition of the
matrix by rows
Data Access Control
• Capability list
– A capability ticket specifies authorized
objects and operations for a user
– Each user has a number of tickets
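As an added example (not from the slides), a Python sketch of the three access control models above: a constructed access matrix, its column-wise decomposition into access control lists (including a default/public entry) and its row-wise decomposition into capability tickets, with one query that each decomposition answers cheaply. The subjects, objects and rights are made up for the example.

```python
# Constructed access matrix: rows are subjects, columns are objects,
# cells are the access rights the subject holds on the object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "ls": {"execute"}},
    "guest": {},
}
# Default/public entries: consulted by the ACL when a subject has no entry of its own.
PUBLIC = {"report.txt": {"read"}}

def access_control_lists(matrix):
    """Column-wise decomposition: object -> {subject: rights}."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def capability_lists(matrix):
    """Row-wise decomposition: subject -> list of (object, rights) tickets."""
    return {subject: [(obj, frozenset(rights)) for obj, rights in row.items()]
            for subject, row in matrix.items()}

def acl_allows(acls, subject, obj, right, public=PUBLIC):
    entry = acls.get(obj, {})
    if subject in entry:
        return right in entry[subject]
    return right in public.get(obj, set())    # fall back to the public entry

def capability_allows(caps, subject, obj, right):
    # A capability system has no default entry: no ticket means no access.
    return any(o == obj and right in rights for o, rights in caps.get(subject, ()))

def who_can(acls, obj, right):
    """Cheap with ACLs: one column answers 'who may do this to the object?'"""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)

def what_can(caps, subject):
    """Cheap with capabilities: one row answers 'what may this subject do?'"""
    return sorted((o, r) for o, rights in caps.get(subject, ()) for r in rights)
```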
The Concept of Trusted Systems
• Trusted Systems
– Protection of data and resources on the
basis of levels of security (e.g. military)
– Users can be granted clearances to
access certain categories of data
The Concept of Trusted Systems
• Multilevel security
– Definition of multiple categories or levels of
data
• A multilevel secure system must enforce:
– No read up: A subject can only read an object
of lower or equal security level (Simple Security
Property)
– No write down: A subject can only write into an
object of greater or equal security level (*-Property)
The Concept of Trusted Systems
• Reference Monitor Concept:
Multilevel security for a data
processing system
The Concept of Trusted Systems
• Reference Monitor
– Controlling element in the hardware and
operating system of a computer that
regulates the access of subjects to
objects on the basis of security parameters
– The monitor has access to a file
(security kernel database)
– The monitor enforces the security rules
(no read up, no write down)
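As an added example (not from the slides), a Python reference monitor for the multilevel security rules on the two preceding slides: every access goes through a single check against a label database (the security kernel database), reads are allowed only when the subject's clearance dominates the object's classification (no read up) and writes only when the object's classification dominates the subject's clearance (no write down), and each decision is recorded in an audit list. The level ordering, the category set and the sample clearances and classifications are assumptions.

```python
from dataclasses import dataclass

# Linear levels; a label also carries a set of categories (compartments).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other iff its level is at least as high AND its categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

class ReferenceMonitor:
    """Complete mediation: every access is decided here, from the label database."""

    def __init__(self, clearances, classifications):
        self.clearances = dict(clearances)            # subject -> Label
        self.classifications = dict(classifications)  # object -> Label
        self.audit = []                               # audit file of all decisions

    def check(self, subject, obj, op):
        clr = self.clearances[subject]
        cls = self.classifications[obj]
        if op == "read":        # simple security property: no read up
            ok = clr.dominates(cls)
        elif op == "write":     # *-property: no write down
            ok = cls.dominates(clr)
        else:                   # unknown operation: deny by default
            ok = False
        self.audit.append((subject, op, obj, "allow" if ok else "deny"))
        return ok

# Constructed sample security kernel database.
NATO = frozenset({"nato"})
MONITOR = ReferenceMonitor(
    clearances={"analyst": Label("secret", NATO), "clerk": Label("confidential")},
    classifications={"briefing": Label("secret", NATO), "memo": Label("confidential"),
                     "plan": Label("top secret", NATO), "bulletin": Label("unclassified")},
)
```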
The Concept of Trusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are
enforced on every access
– Isolation: The reference monitor and
database are protected from
unauthorized modification
– Verifiability: The reference monitor’s
correctness must be provable
(mathematically)
The Concept of Trusted Systems
• A system that can provide such
verifications (properties) is referred
to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems
are one way to secure against Trojan
Horse attacks
Trojan Horse Defense (figure slides)
Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997