10a-Firewalls

Transcript 10a-Firewalls

ECE-8843
http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: GCATT Bldg 579
email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 10 - Firewalls
Computer System Evolution
- Central Data Processing System: with directly attached peripherals (card reader, magnetic tapes, line printer).
- Local Area Networks: connect PCs (in "terminal emulation" mode), remote terminals (next building) and mini-computers.
- Premises Network: connects LANs and LAN-attached devices to each other.
- Enterprise-wide Network: leased data lines (T1, DS-3) connect various offices.
- Internet Connectivity: initially for email, now for Web access, ecommerce, ... . Makes the world accessible, but now the world also has access to you.
2
Connectivity Provided by the Georgia Backbone Network
[Diagram: Schools, Libraries, Kiosks, Citizens, Contractors, and City & County Governments reach the State WWW Gateway over the WWW; the State Internet connects the Agency Gateway & Web Server, Other Agencies, and a Non-Agency State Server; the Agency Virtual Private Network links LANs at Agency Offices across Georgia to the Agency Server over Private Virtual Connections.]
3
Agency Firewall -- Protects Agency Subnets from Unwanted Connections
[Diagram: Subnet 1 and Subnet 2 sit behind a Gateway, which connects across the WAN to a second Gateway.]
Firewalls (and many routers) can reject:
• Packets with certain source and destination addresses
• Packets with certain high-level protocols (UDP, Telnet)
Proxy Servers - for specific applications
• Email messages are assembled and inspected, then passed to the internal email server machine.
Prevent Cyber Loafing - exploring the Internet for fun.
4
[Diagram: a Browser and a Web Server, each with a full protocol stack, with a Router-Firewall between them. One stack: Application Layer (HTTP), Port 80; Transport Layer (TCP, UDP), Segment No.; Network Layer (IP), IP Address 130.207.22.5; Ethernet Data Link Layer; Ethernet Physical Layer. The other stack: Application Layer (HTTP), Port 31337; Transport Layer (TCP, UDP), Segment No.; Network Layer (IP), IP Address 24.88.15.22; Token Ring Data Link Layer; Token Ring Physical Layer. The Router-Firewall has only a Network Layer above an Ethernet Data Link/Physical Layer on one side and a Token Ring Data Link/Physical Layer on the other.]
Router-Firewall can drop packets based on source or destination IP address and/or port.
5
[Diagram: a Transport- or Application-Layer Gateway, or Proxy. A Process on one host (Application Layer: HTTP, FTP, TELNET, SMTP; Transport Layer: TCP, UDP; Network Layer: IP; Ethernet Data Link and Physical Layers) talks to the proxy, which has its own complete stacks on both sides (Transport Layer TCP/UDP, Network Layer IP, Ethernet Data Link/Physical on one side and Token Ring Data Link/Physical on the other). The proxy relays to a Process on the far host (Application Layer: HTTP, FTP, TELNET, SMTP; Transport Layer: TCP, UDP; Network Layer: IP; Token Ring Data Link and Physical Layers).]
6
Policy / Firewall Setting

Policy: No outside Web access.
Setting: Drop all outgoing packets to any IP, port 80.

Policy: Outside connections to the public Web server only.
Setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web radios from eating up the available bandwidth.
Setting: Drop all incoming UDP packets except DNS and router broadcasts.

Policy: Prevent your network from being used for a Smurf DoS attack.
Setting: Drop all ICMP packets going to a "broadcast" address (130.207.255.255 or 130.207.0.0).

Policy: Prevent your network from being tracerouted or ping scanned.
Setting: Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.
7
Firewall Attacks / Firewall Defense

Attack: IP internal-address spoofing.
Defense: Drop all incoming packets with a local address.

Attack: Source routing (external spoof).
Defense: Drop all IP packets with the Source-Routing option.

Attack: Tiny fragment attacks.
Defense: Drop all incoming packets with a small fragment offset.

Attack: 2nd-fragment probes.
Defense: Assemble IP fragments (hard work).

Attack: SYN-ACK probes.
Defense: Be "stateful" - keep track of outgoing TCP SYN packets (start of all TCP connections) (hard work).

Attack: Internal hacking.
Defense: Drop all outgoing packets which do not have an "internal" source IP address.
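As an added example, not part of the lecture slides, the following Python sketch applies the slide-8 defenses to constructed packets: it drops packets carrying the source-routing option, drops non-first fragments with a tiny offset, drops inbound packets whose source is an internal address, tracks outgoing SYNs so that an inbound SYN-ACK is only accepted when a local host actually started the connection, and drops outgoing packets with a non-internal source. The internal block 130.207.0.0/16 (the address range slide 7 uses), the fragment-offset threshold, and the Packet field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal address block for the example (slide 7 uses 130.207.x.x).
INTERNAL_NET = ip_network("130.207.0.0/16")
# Non-first fragments with an offset (in 8-byte units) below this cannot carry a
# whole TCP header, so the slide's "small offset" rule drops them. The threshold
# is an assumption for this example.
MIN_FRAG_OFFSET = 3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "icmp"
    direction: str                     # "in" = arriving from the WAN, "out" = leaving
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags, e.g. frozenset({"SYN", "ACK"})
    source_routed: bool = False        # IP source-routing option present
    frag_offset: Optional[int] = None  # None = not a fragment


@dataclass
class StatefulFilter:
    # Outgoing SYNs seen so far: (local ip, local port, remote ip, remote port).
    pending: set = field(default_factory=set)

    def check(self, pkt: Packet) -> tuple[str, str]:
        """Return (verdict, reason); verdict is "ACCEPT" or "DROP"."""
        src = ip_address(pkt.src)

        if pkt.source_routed:
            return "DROP", "source-routing option"
        if pkt.frag_offset is not None and 0 < pkt.frag_offset < MIN_FRAG_OFFSET:
            return "DROP", "tiny fragment offset"

        if pkt.direction == "in":
            if src in INTERNAL_NET:
                return "DROP", "internal address spoofed from outside"
            if pkt.proto == "tcp" and {"SYN", "ACK"} <= pkt.flags:
                key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
                if key not in self.pending:
                    return "DROP", "SYN-ACK without matching outgoing SYN"
                self.pending.discard(key)   # handshake answered; forget the SYN
            return "ACCEPT", "inbound"

        # direction == "out": egress filtering plus SYN bookkeeping
        if src not in INTERNAL_NET:
            return "DROP", "outgoing packet with non-internal source"
        if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT", "outbound"


def run_demo() -> list[tuple[str, str]]:
    """Constructed packets, one per slide-8 row, in order; returns the verdicts."""
    fw = StatefulFilter()
    packets = [
        # inbound packet claiming an internal source address
        Packet("130.207.1.9", "130.207.244.203", "tcp", "in", 4000, 80, frozenset({"SYN"})),
        # inbound packet with the source-routing option
        Packet("24.88.15.22", "130.207.244.203", "tcp", "in", 4000, 80, frozenset({"SYN"}),
               source_routed=True),
        # second fragment with offset 1 (8 bytes), too small to hold a TCP header
        Packet("24.88.15.22", "130.207.244.203", "tcp", "in", frag_offset=1),
        # SYN-ACK probe: no local host sent a SYN for this 4-tuple
        Packet("24.88.15.22", "130.207.22.5", "tcp", "in", 80, 40000, frozenset({"SYN", "ACK"})),
        # a real outgoing connection, followed by its legitimate SYN-ACK
        Packet("130.207.22.5", "24.88.15.22", "tcp", "out", 40000, 80, frozenset({"SYN"})),
        Packet("24.88.15.22", "130.207.22.5", "tcp", "in", 80, 40000, frozenset({"SYN", "ACK"})),
        # outgoing packet with a source address that is not ours
        Packet("10.1.2.3", "24.88.15.22", "udp", "out", 5000, 53),
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:6} {reason}")
```

The state kept here is deliberately minimal (a set of outgoing SYNs); a real stateful firewall also ages entries out and tracks the rest of the handshake, which is the "hard work" the slide refers to.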
8
A firewall is a single point that a network administrator can control, even if individual computers are managed by workers or departments.

Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.

Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with "filter" capabilities). Protect the Finance department from the Engineering department. [Problem: the internal network runs at a much higher bit rate, so the firewalls are more expensive.]

Solution 2 - implement /etc/hosts.allow, "IP Chains", or "IP Tables" (PC "personal firewalls") to limit access except from individual computers on certain ports for specific hosts and subnets.
9
"inetd" and "xinetd" hosts.allow
# cat /etc/hosts.deny
ALL:ALL
# cat /etc/hosts.allow
in.telnetd: 199.77.146
            24.88.154.17
in.ftpd: 199.77.146.19
         199.77.146.102
UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any).
Above, telnet connection is available to all hosts on the 199.77.146.0 subnet and to a single off-subnet host, 24.88.154.17. FTP service is available only to two local hosts, .19 and .102.
The format for each line is "daemon:host-list".
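To show how the two files above combine, here is an added Python evaluator (not from the lecture, and not the real tcp_wrappers code) that parses "daemon:host-list" lines and applies the usual order of checks: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The file contents are constructed copies of the slide's example with each client list written on one line. It treats the slide's bare prefix 199.77.146 as "199.77.146.any", as the slide explains; note that the real tcp_wrappers syntax for a network prefix ends the pattern with a dot (199.77.146.), which the evaluator accepts as well.

```python
# Constructed copies of the two files on the slide (client lists joined on one line).
HOSTS_DENY = "ALL:ALL\n"
HOSTS_ALLOW = """\
in.telnetd: 199.77.146 24.88.154.17
in.ftpd: 199.77.146.19 199.77.146.102
"""


def parse_access_file(text: str) -> list[tuple[str, list[str]]]:
    """Parse 'daemon-list:client-list' lines into (daemon, [client patterns]) tuples.
    Comments (#) and blank lines are skipped; commas and spaces both separate items."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        patterns = clients.replace(",", " ").split()
        for daemon in daemons.replace(",", " ").split():
            rules.append((daemon, patterns))
    return rules


def pattern_matches(pattern: str, client_ip: str) -> bool:
    """ALL matches every client; a pattern ending in '.' matches a network prefix;
    the slide's bare prefix (fewer than three dots) is treated the same way;
    anything else must equal the address exactly."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if pattern.count(".") < 3:                 # e.g. 199.77.146 -> 199.77.146.any
        return client_ip.startswith(pattern + ".")
    return client_ip == pattern


def is_allowed(daemon: str, client_ip: str,
               allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """tcp_wrappers order: hosts.allow first, then hosts.deny, else allow."""
    for d, patterns in parse_access_file(allow_text):
        if d in (daemon, "ALL") and any(pattern_matches(p, client_ip) for p in patterns):
            return True
    for d, patterns in parse_access_file(deny_text):
        if d in (daemon, "ALL") and any(pattern_matches(p, client_ip) for p in patterns):
            return False
    return True


if __name__ == "__main__":
    for daemon, client in [("in.telnetd", "199.77.146.55"), ("in.telnetd", "24.88.154.18"),
                           ("in.ftpd", "199.77.146.19"), ("in.ftpd", "199.77.146.55")]:
        print(daemon, client, "allowed" if is_allowed(daemon, client) else "denied")
```

Because hosts.deny holds ALL:ALL, any daemon not listed in hosts.allow is refused for every client, which is the "default deny" posture the slide is recommending.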
10
IP Chains
The kernel starts with three lists of rules; these lists are called
firewall chains or just chains. The three chains are called input,
output and forward. When a packet comes in (say, through the
Ethernet card) the kernel uses the input chain to decide its fate. If it
survives that step, then the kernel decides where to send the packet
next (this is called routing). If it is destined for another machine, it
consults the forward chain. Finally, just before a packet is to go out,
the kernel consults the output chain.
A chain is a checklist of rules. Each rule says `if the packet header
looks like this, then here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in the chain is consulted.
Finally, if there are no more rules to consult, then the kernel looks at
the chain policy to decide what to do. In a security-conscious system,
this policy usually tells the kernel to reject or deny the packet.
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html#ss4.2
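As an added example (not from the lecture or the IPCHAINS-HOWTO), the Python below models the three chains exactly as the paragraph describes them: each chain is an ordered checklist of rules, the first matching rule decides, and the chain policy applies when nothing matches. An arriving packet goes through the input chain, then the routing decision, and is either delivered locally or passed through the forward and output chains; a locally generated packet only meets the output chain. The rules loaded into the chains are the slide-7 settings, written for this example; the host's own address (130.207.244.203) and the broadcast addresses are the ones slide 7 names, and the host is assumed not to forward anything.

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions for the example: this host owns the slide-7 web server address and
# the two broadcast addresses are the ones slide 7 lists.
LOCAL_IPS = {"130.207.244.203"}
BROADCASTS = {"130.207.255.255", "130.207.0.0"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False                # TCP SYN flag set (start of a connection)
    ttl: int = 64
    icmp_type: Optional[str] = None  # e.g. "echo-request"


@dataclass
class Chain:
    """An ordered checklist of (description, match, target) rules plus the
    policy that applies when no rule matches."""
    name: str
    policy: str
    rules: list

    def run(self, pkt: Packet) -> tuple[str, str]:
        for desc, match, target in self.rules:
            if match(pkt):                       # first matching rule decides
                return target, f"{self.name}: {desc}"
        return self.policy, f"{self.name}: policy"


# Slide-7 settings written as rules (constructed for this example; the
# "router broadcasts" exception for UDP is left out for brevity).
INPUT = Chain("input", "DENY", [
    ("drop incoming SYN unless to the web server, port 80",
     lambda p: p.proto == "tcp" and p.syn
     and not (p.dst == "130.207.244.203" and p.dport == 80), "DENY"),
    ("drop incoming UDP except DNS",
     lambda p: p.proto == "udp" and p.dport != 53, "DENY"),
    ("drop ICMP to a broadcast address",
     lambda p: p.proto == "icmp" and p.dst in BROADCASTS, "DENY"),
    ("drop echo-request and TTL < 5",
     lambda p: p.icmp_type == "echo-request" or p.ttl < 5, "DENY"),
    ("accept everything else", lambda p: True, "ACCEPT"),
])
FORWARD = Chain("forward", "DENY", [])           # this host does not route
OUTPUT = Chain("output", "DENY", [
    ("no outside Web access: accept anything but port 80",
     lambda p: p.dport != 80, "ACCEPT"),
])


def receive(pkt: Packet) -> tuple[str, str]:
    """Arriving packet: input chain, routing decision, then either local
    delivery or the forward and output chains."""
    verdict, why = INPUT.run(pkt)
    if verdict != "ACCEPT":
        return verdict, why
    if pkt.dst in LOCAL_IPS:
        return "ACCEPT", "delivered to local process"
    verdict, why = FORWARD.run(pkt)
    if verdict != "ACCEPT":
        return verdict, why
    return OUTPUT.run(pkt)


def send(pkt: Packet) -> tuple[str, str]:
    """Locally generated packet: only the output chain is consulted."""
    return OUTPUT.run(pkt)


if __name__ == "__main__":
    print(receive(Packet("24.88.15.22", "130.207.244.203", "tcp", 80, syn=True)))
    print(receive(Packet("24.88.15.22", "130.207.244.203", "tcp", 23, syn=True)))
    print(receive(Packet("24.88.15.22", "130.207.255.255", "icmp", icmp_type="echo-request")))
    print(send(Packet("130.207.244.203", "24.88.15.22", "tcp", 80, syn=True)))
```

Rule order matters: the catch-all "accept everything else" rule sits last, so every DENY rule above it is consulted first, and a packet that no rule matches (which cannot happen here, but would if the catch-all were removed) falls to the DENY policy.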
11
        ----------------------------------------------------------------
        |            ACCEPT/                      "lo" (local) interface |
        v           REDIRECT                  _______                  |
--> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
    h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT
    e     n    |Chain |    m    {Decision}   |_______| --->|Chain  |
    c     i    |______|    a     ~~~~~~~~        |     | ->|_______|
    k     t       |        s        |            |     | |     |
    s     y       |        q        |            v     | |     |
    u     |       v        e        v          DENY/   | |     v
    m     |     DENY/      r      Local Process  REJECT  | |   DENY/
    |     v     REJECT     a        |                    | |  REJECT
    |   DENY               d        --------------------- |
    v                      e -----------------------------
   DENY
ipchains -A good-if -i ! eth1 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -j icmp-acc
12
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  localhost            anywhere             tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABL
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     icmp --  1.185.lancope.com    anywhere
DROP       all  --  0.0.0.0/8            anywhere
DROP       all  --  anywhere             127.0.0.0/8
DROP       icmp --  anywhere             anywhere             state NEW
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             10.0.0.0/24
ACCEPT     icmp --  anywhere             anywhere             state RELATED,ESTABLISHED
13
Router Setup with Network Address Translation (NAT)
Addresses 10.0.0.0 and 192.168.0.0 reserved for private networks.
[Slides 14-16: figures only; no text recovered.]
[Diagram: FTP Client 130.27.8.35 on the Internet; Router 24.88.48.47 with NAT that Masquerades (could be a "dual-homed bastion host"); behind it Host 192.168.0.10 (Web Server, port 80), Host 192.168.0.20, Host 192.168.0.30, and Host 192.168.0.40 (FTP Server, port 21).]
Packet flow for a connection to port 23, which the router hands to 192.168.0.40:
  Client -> Router:  To 24.88.48.47:23   from 130.27.8.35:x
  Router -> Host:    To 192.168.0.40:23  from 130.27.8.35:x
  Host -> Router:    To 130.27.8.35:x    from 192.168.0.40:23
  Router -> Client:  To 130.27.8.35:x    from 24.88.48.47:23
Note: x is a high port number, 1024-65,535
17
[Diagram: Web Host 130.27.8.35 on the Internet; Router 24.88.48.47 with NAT that Masquerades; behind it Host 192.168.0.10 (Web Server, port 80), Web Client 192.168.0.20, Host 192.168.0.30, and Host 192.168.0.40 (FTP Server, port 21).]
Packet flow for the Web Client fetching a page from the outside Web Host:
  Client -> Router:  To 130.27.8.35:80   from 192.168.0.20:x
  Router -> Host:    To 130.27.8.35:80   from 24.88.48.47:x
  Host -> Router:    To 24.88.48.47:x    from 130.27.8.35:80
  Router -> Client:  To 192.168.0.20:x   from 130.27.8.35:80
18
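The two flows on slides 17 and 18 can be reproduced with a small address-translation table. The Python below is an added example (not the lecture's or any router's code): outbound packets from private hosts get the router's public address and a fresh high port x, inbound packets are mapped back through the table, and an inbound connection to a statically forwarded port (port 23 to 192.168.0.40, as on slide 17) is handed to the inside host; anything else arriving from the Internet has no mapping and is dropped. The public address and private hosts are the slide's; the port-forward table, the port counter starting at 1024, and the Packet fields are assumptions for the example.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

ROUTER_PUBLIC = "24.88.48.47"                      # router address from slides 17 and 18
# Static forward assumed for the example: inbound port 23 goes to host .40 (slide 17).
PORT_FORWARDS = {("tcp", 23): ("192.168.0.40", 23)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class MasqueradingRouter:
    def __init__(self, forwards=PORT_FORWARDS):
        self._next_port = count(1024)   # x in the slides: a high port, 1024-65,535
        self.table = {}                 # (proto, public port) -> (private ip, private port)
        self.reverse = {}               # (proto, private ip, private port) -> public port
        for (proto, public_port), (priv_ip, priv_port) in forwards.items():
            self.table[(proto, public_port)] = (priv_ip, priv_port)
            self.reverse[(proto, priv_ip, priv_port)] = public_port

    def outbound(self, pkt: Packet) -> Packet:
        """Private host -> Internet: rewrite the source to the router's public
        address and a port that identifies this inside socket."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            public_port = next(self._next_port)
            self.reverse[key] = public_port
            self.table[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(ROUTER_PUBLIC, self.reverse[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: translate the destination back to the inside host
        that owns the mapping (a reply, or a static forward); None = drop."""
        if pkt.dst != ROUTER_PUBLIC:
            return None
        mapping = self.table.get((pkt.proto, pkt.dport))
        if mapping is None:
            return None                 # no inside host asked for this
        priv_ip, priv_port = mapping
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)


if __name__ == "__main__":
    r = MasqueradingRouter()
    # slide 17: outside client to forwarded port 23, and the server's reply
    print(r.inbound(Packet("130.27.8.35", 5000, "24.88.48.47", 23)))
    print(r.outbound(Packet("192.168.0.40", 23, "130.27.8.35", 5000)))
    # slide 18: inside web client to outside web host, and the reply
    out = r.outbound(Packet("192.168.0.20", 3000, "130.27.8.35", 80))
    print(out)
    print(r.inbound(Packet("130.27.8.35", 80, "24.88.48.47", out.sport)))
    # unsolicited inbound to the FTP server's port: no mapping, dropped
    print(r.inbound(Packet("130.27.8.35", 6000, "24.88.48.47", 21)))
```

The last case is why masquerading doubles as a crude firewall: the inside FTP server on port 21 is unreachable from outside unless the administrator adds a forward for it.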
Combined Firewalls and IDS
(see also: ISS Proventia)
19
Protocol Anomaly Detection
WatchGuard Transparent Application layer proxies examine entire connection data streams, identifying and
destroying protocol anomalies and discarding harmful or questionable information.
In addition, WatchGuard firewalls perform:
* Packet Handling - prevents packets from entering the network until they are reassembled and examined.
* Packet Reassembly - reassembles packet fragments to prevent fragment overlap attacks such as
Teardrop and other Layer 3 protocol anomaly based attacks.
Signature Element Analysis
Rather than using signatures that precisely identify specific attacks, WatchGuard systems look at what any
attack of a certain type (e.g., e-mail) must do to succeed (e.g., auto-execute an attachment). With rule sets,
you can choose to allow or deny traffic, or even deny all traffic from a source for a specific period.
In addition to rigorous rule sets, the firewall processes policy-based configurations, and management subsystems perform state and content analysis. These processes protect against entire known and unknown attack classes, and can narrow the vulnerability window without making you wait for updated attack-specific signatures.
Behavior-Based Analysis
Although behavior-based intrusion detection is a relatively new technology, WatchGuard already has
mechanisms in place within the firewall to identify known attack behaviors, such as:
* Port scans and probes
* Spoofing
* SYN flood attacks
* DoS and DDoS attacks
* The misuse of IP options such as source routing
20