Transcript Chapter 32

Internet Security
and Firewall Design
Chapter 32
Introduction
• Levels of trust
– The Internet is used by a diverse group of users,
services, and networks separated by:
• geography
• organizational boundaries
• and politics
– Security is required on every computer and every
protocol
• Perimeter security: defines inside and outside
• Encryption
Protecting Resources
• Security refers to:
–
–
–
–
data integrity
authorized-only access to services and resources
freedom from invasion
continuity of service
• Protection of physical resources
– disks, computers, cables, bridges, routers
Protecting Resources
• Protection of abstract resources (information security)
–
–
–
–
–
–
data integrity
data availability
privacy or confidentiality
authorization
authentication
replay avoidance
• preventing problems with copies of packets left floating around
Information Policy
• All organizations need to assess risks and define a
clear policy about information access and
protection
– Who is granted access?
– How is information disseminated?
– How will the organization handle violations of this
policy?
• “A worker who is malicious, careless, or unaware of an
organization’s information policy can compromise the best
security.”
Internet Security
• Difficult because
– datagrams may pass over intermediate networks and
routers not owned or controlled by the sender or the
receiver
– datagrams may be intercepted or compromised and
contents may not be trusted
• e.g. a router can record the IP address of a passing datagram,
later send a request and intercept the reply
• Encryption may be used
– Bits in a message are rearranged according to a key
known only to the sender and the receiver
IP Security (IPsec)
• IPsec is a set of security protocols from IETF
– allows pairs of communicators to determine which
protocols to use
• An authentication header is inserted between the
IP and TCP headers
IP hdr
TCP hdr TCP data
(original)
IP hdr
Auth hdr
TCP hdr
TCP data
(when authentication header is added)
IP Security (IPsec)
• The protocol field in the IP header is changed to
51 to indicate the authentication header
– The authentication header is followed by a NEXT
header which specifies the type of information in the
datagram
Next hdr Hdr Len Reserved
Security Parameters Index
Sequence Number
Authentication Data
Security Association
• Each receiver has a security scheme defined in a
set of security parameters
– called a security association (SA)
– known by an index number specified in the header
– a sender must know the SA number to be bound with a
receiver
Encapsulating Security Payload
(ESP)
• ESP uses a value of 50 in the IP Protocol field
• ESP adds 3 areas to the datagram
– ESP header: between IP and TCP headers
– ESP trailer: after TCP data and encrypted with the
payload (TCP header and TCP data)
– ESP auth: follows the ESP trailer
authenticated
encryped
IP hdr
ESP hdr TCP hdr
TCP data
ESP trl
ESP auth
Authentication and Mutable
Header Fields
• IPsec authentication is designed to make sure that
an arriving datagram is identical to the one sent
– But we know that the TTL and checksum fields are
changed each hop
– Mutable fields are those IP headers that get changed in
transit
• We don’t want these slight changes to cause authentication
errors
• So IPsec will only authenticate the immutable fields
Secure Sockets
• SSL (Secure Sockets Layer) was developed by
Netscape
– allows each side to authenticate itself to the other
– both sides negotiate an encryption algorithm
– provides an encrypted connection
Firewalls and Internet Access
• Controlling internet access prevents users from:
– obtaining information
– changing information
– disrupting communication on an internet
• Access control involves:
– network topology
– information staging
– packet fileters
• An organization places a firewall at its connection
to external networks to separate inside and outside
Multiple Connections
• A firewall is a router
– It is named from the fireproof partition in a building
that separates parts of buildings, making each separate
part impenitrable to fire
• A major factor in using firewalls is that there may
be multiple external connections
– A firewall may be placed at each external connection
– All firewalls must be coordinated with each other
Filtering
• A firewall must have hardware and software that
can filter at high-speeds
– Filters can be configured to block specific datagrams
• from a particular source
• used by a particular application
– Each datagram is considered separately by the filter
– Some routers may configure separate filter actions for
each interface, others configure all interfaces the same
Filtering
• Example in Figure 32.6:
– a router has two interfaces
– blocks incoming datagrams for FTP, TFTP, TELNET,
WHOIS and FINGER
– blocks outgoing for hosts with prefix of 128.5.0.0
destined for e-mail service at port 25
• Problems
– listing each service like this could be tedious
– much of the traffic is not to or from a well-known port
– tunneling can circumvent security (some will slip past)
A Better Solution
• Maybe we should have the firewall decide on
which packets can be allowed in
– Block all datagrams except those destined for certain
networks, hosts and ports
The Consequences of Restricted
Access for Clients
• A client on the inside of a firewall may wish a
service from the outside, and pass it a source port
– But this port is not “known” to the filter and may be
denied when the server responds
– Users on the inside need a safe way to access outside
services
• Solution: Proxy Access
– Usually one secure computer is associated with each
firewall - called a bastion host
Firewall Architecture
• See Figure 32.8
• Like Figure 32.7, the barriers each require routers
with packet filters
– R2 implements the outer barrier
• It filters all incoming datagrams except those destined for the
bastion host
– R1 implements the inner barrier
• It blocks all incoming datagrams except those originating on
the bastion host
• The security of the firewall depends on the bastion
Stub Network
• A stub network is one that connects the two
routers and the bastion host
• Could the bastion be placed on one of the
production networks?
– The stub network isolates the organization from
incoming datagram traffic
An Alternative Firewall
Implementation
• How can one company have a single firewall, but
allow connections to multiple sites?
– Multiple routers act as the outer barrier
R2
R3
H
R4
R5
R1
Intranet
(inside)
An Alternative Firewall
Implementation
• Why do firewalls with multiple connections use a
router per connection?
– The organization running the firewall does not trust the
external organizations completely
– Although the external connections share a single
common network, no datgram from one external
connection may pass to another
Monitoring and Logging
• A network manager needs to know if attempts
have been made to bypass security of a firewall
– Active monitoring - the manager is notified when an
incident occurs
• Quick and timely, but produces much information
– Passive monitoring - a firewall logs a record of
incidents in a file on disk
• Trends can be shown
Summary
• IPsec offers 2 schemes:
– Authentication of datagrams
• an authentication header is inserted between TCP and IP hdrs
– Authentication plus privacy
• an ESP header and trailer are added, data is encrypted
• Firewalls control internet access
– Firewalls consist of two barriers and a bastion host at
each external connection
– Barriers use packet filters to restrict traffic