Project Presentation


Protocol Specific
Extension for Firewall
Itai Almog
Eran Liberty
Oved Itzhak (Instructor)
Agenda
Who needs a firewall?
Firewall infrastructure
Packet filtering
Proxy
NAT
Firewalls and common protocols
Case study – Age of Empires II
Who needs a firewall?
Everyone connects to the web.
The internet has doubled its size every
year in the last 20 years.
More and more companies connect their
private network to the internet.
The internet is used for:
E-commerce
Public relations
Customer support
Knowledge gain
Communication
Private users also connect to the internet
for similar reasons.
Connectivity tradeoff
When you connect your private network to
the internet, you also connect the internet
to your private network!
Your private network becomes a public
place for internet hackers.
Computers on your network are exposed
to:
Denial of service attacks.
Information theft.
Data integrity violation.
And much more…
Recent attacks
10/00 - Microsoft corporate network hacked.
Hackers claimed to have stolen Longhorn source code.
17/06/00 - AOL users' e-mail accounts hacked.
22/12/00 - Egghead customers' credit card
numbers stolen.
02/00 - Amazon, Yahoo, CNN home pages down
for a couple of hours.
FBI web page filled with pornographic pictures.
CIA web page hacked, name changed to “Central
Stupidity Agency”.
Recent attacks
(cont.)
These attacks caused those
companies to lose:
Money (Amazon)
Customers (AOL)
Customers trust (Microsoft)
Pride (Everyone)
The solution
Implement an access control policy.
The policy will define which traffic
should pass from the internet to the
private network.
The policy can also control access
from the private network to the
internet (controlling the employees).
The solution
(cont.)
A firewall is the best and most common
solution for implementing an access control
policy.
A firewall gives the best balance
between gaining the power of the internet and
preserving a secure private network.
What is a firewall?
What can it control?
How does it work?
These questions take us to the next
chapter . . .
Firewall infrastructure
What is a firewall ?
A component placed between several
networks that controls the data
transferred between them.
The firewall enforces a predefined
access control policy.
The policy can be based on IP
addresses, port numbers, user
groups, etc.
Firewall goals
Protect the private (internal)
network from attacks that come
from the public (external) network.
Control outgoing traffic.
Where should I place the firewall ?
In the simplest scenario with only
two networks (internal and external),
the firewall should be placed
between the networks.
All the traffic should pass through
the firewall.
Example . . .
Firewall location example
External Network (e.g. Internet) <--> Firewall <--> Internal (private) Network
Firewall infrastructure
Firewalls are built from one or more
of the following components:
Packet filter.
Proxy.
NAT.
Packet filter
Scans every IP packet that it receives
and decides whether to drop the
packet or to forward it.
The decision is based on a predefined
security policy.
The “Table Model” is commonly used
to describe a policy definition . . .
The “Table Model”
The table is built from allow and deny
rules.
When a packet arrives, the packet
filter scans the table rule by rule.
When a matching rule is found, the
rule's action (allow/deny) is applied to
the packet.
If no rule matches the packet, the
packet is dropped.
The “Table Model” - Example
The following table defines a policy
that blocks all traffic except for
telnet to the external network:

Rule        Source    Dest.     Protocol  Source  Dest.  ACK bit  Action
            Address   Address             Port    Port
telnet out  Internal  Any       TCP       >1023   23     Any      Permit
telnet in   Any       Internal  TCP       23      >1023  Yes      Permit
Filtering policy
Filtering policy can be based on:
Source/Destination addresses.
Protocol (TCP/UDP).
Source/Destination Port – used mainly
to distinguish between different
applications.
ACK Bit – can be used to identify the
initiator of the TCP session.
Types of packet filters
Packet filters can be:
Stateless – the same policy is applied to all
packets. Usually means the table is
fixed.
Stateful – the policy is applied to packets
based on their context (session
context). Usually means the table is
dynamic.
Packet filters - Pros
Fast & Efficient – decisions are based
on IP header inspection.
Common – implemented in most
routers.
User transparent.
Application independent.
Easy to implement.
Packet filters - Cons
Not every security policy can be
translated to a list of allow/deny
rules.
Even if it is possible, building and
maintaining those lists is difficult.
Proxy
A component that sits between the
client and the server.
In the client-server model:
The client thinks the proxy is the server
The server thinks the proxy is the client
The proxy will only establish connections
that are allowed by the security policy.
Proxy example
No proxy:   Client <--> Server
With proxy: Client <--> Proxy <--> Server
Proxy features
A Proxy inspects the traffic up to the
application level. This detailed inspection
can be used for implementing a much more
detailed and complex security policy.
A Proxy is commonly used for caching.
All the requests and responses pass
through the proxy.
The proxy is protocol aware.
Proxy - Pros
Prevents a direct connection
between a machine from the private
network and a machine from the
external (public) network.
Protocol aware – can implement
security policies that are based on the
data of a specific protocol.
Can save network traffic by caching
responses.
Proxy - Cons
Protocol specific – requires different
proxy for each application (protocol).
Inefficient – parsing application data
is expensive.
Not transparent to the client.
NAT
Stands for –
“Network Address Translation”.
A mechanism that changes source and
destination addresses (and ports).
First used as a way to overcome the
shortage in internet addresses.
NAT common use
A company can use only one
valid/public IP address for all the
communications to the external
network.
Computers in the private network will
have an internal (non-routable) IP
address.
NAT will take care of all the address
translation work for outbound traffic.
NAT Example
(1) Request,  Client --> NAT:    Source: 10.0.0.17,      Dest: 197.256.143.12
(2) Request,  NAT --> Server:    Source: 192.154.0.10,   Dest: 197.256.143.12
(3) Response, Server --> NAT:    Source: 197.256.143.12, Dest: 192.154.0.10
(4) Response, NAT --> Client:    Source: 197.256.143.12, Dest: 10.0.0.17
NAT security features
Hides the private network’s
configuration/structure.
Can be used to enforce the firewall as
a choke point – traffic that gets
around the firewall carries a private
address and will not be routed.
NAT - Pros
Enforces a single choke point for
outbound traffic.
Hides private network configuration.
Saves expensive public IP addresses
Can be used to filter inbound traffic.
NAT - Cons
Problems with protocols that pass
addressing information at the
application level (e.g. FTP).
Changing port numbers can collide with
a port-dependent packet filter
policy.
Firewall infrastructure - Summary
Each component has its own pros
and cons.
Good firewalls combine them all
together to provide a more secure
solution.
Firewalls and Common
Protocols
Introduction
All firewall components we saw have
problems dealing with certain
protocols.
We will try to locate the problems
and to solve them.
Packet filters &
dynamic port protocols
These protocols often have more than one
connection.
The first connection (primary connection)
is on a known fixed port.
On the primary connection both sides
negotiate details concerning the secondary
connection.
One of the details is the port number.
A secondary connection is established to a
dynamically chosen port.
Packet filters &
dynamic port protocols
(cont.)
Example – Passive FTP protocol:
Control (primary) connection:  Client port 5000 --> FTP Server port 21
Data (secondary) connection:   Client port 7000 --> FTP Server port 3000
(the data port, 3000, is negotiated on the control connection)
Packet filters &
dynamic port protocols
(cont.)
To allow this traffic, we should add to the
rules table the following lines:

Rule                  Source    Dest.     Protocol  Source  Dest.  ACK bit  Action
                      Address   Address             Port    Port
Passive FTP Data Out  Internal  Any       TCP       Any     Any    Any      Permit
Passive FTP Data In   Any       Internal  TCP       Any     Any    Yes      Permit
Packet filters &
dynamic port protocols
(cont.)
It is clear that adding those lines will
cause the packet filter to allow all TCP
traffic.
A solution – A Dynamic packet filter that
will add the following line after inspecting
the primary connection traffic:
Rule                  Source     Dest.      Protocol  Source  Dest.  ACK bit  Action
                      Address    Address              Port    Port
Passive FTP Data Out  Client IP  Server IP  TCP       Any     3000   Any      Permit
Passive FTP Data In   Server IP  Client IP  TCP       3000    Any    Yes      Permit
Packet filters &
dynamic port protocols
(cont.)
The suggested solution will solve the
problem but requires the packet filter to
understand the Passive FTP protocol.
Most Packet Filters parse only the IP and
TCP/UDP headers.
A solution – In a hybrid Firewall, a
protocol aware component that
understands FTP (e.g. FTP proxy) will
inspect the primary connection traffic and
pass the required information (port
number) to the packet filter.
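An added example, not code from the presentation or the project: the hybrid arrangement just described, in Python. A protocol-aware inspector parses the FTP server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the primary connection and hands the negotiated port to the packet filter, which opens a pinhole limited to that client, server and port (the narrow rules of the second table) instead of the "Any/Any" rules of the first. The client and server addresses, ports and reply text are constructed; the 227 reply format is the one defined in RFC 959. One check a practitioner wants is included: a reply that advertises an address other than the server on the control connection opens nothing.

```python
# Added example (not from the presentation): a dynamic packet filter fed by a
# protocol-aware FTP inspector. The inspector reads the "227" reply on the control
# connection and the filter opens a pinhole for exactly the negotiated data port.
# Addresses, ports and reply text are constructed for the example.
import re
from typing import Dict, Optional, Set, Tuple

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return the (address, port) advertised in a 227 reply, or None for other lines."""
    m = PASV_REPLY.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


class DynamicPacketFilter:
    """Pinholes keyed by the control session (client_ip, server_ip) -> data ports."""

    def __init__(self) -> None:
        self.pinholes: Dict[Tuple[str, str], Set[int]] = {}

    def inspect_control_reply(self, client_ip: str, server_ip: str, line: str) -> Optional[int]:
        """Protocol-aware step: open a pinhole for the negotiated data port."""
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return None
        addr, port = parsed
        # Only honour an address equal to the control-connection peer: a reply
        # advertising some other host must not open a pinhole to that host.
        if addr != server_ip:
            return None
        self.pinholes.setdefault((client_ip, server_ip), set()).add(port)
        return port

    def close_control(self, client_ip: str, server_ip: str) -> None:
        """When the primary connection ends, its pinholes go with it."""
        self.pinholes.pop((client_ip, server_ip), None)

    def decide(self, src: str, dst: str, sport: int, dport: int, ack: bool) -> str:
        # "Passive FTP Data Out": client -> server, only on the negotiated port.
        if dport in self.pinholes.get((src, dst), ()):
            return "Permit"
        # "Passive FTP Data In": server's data port -> client, only with ACK set.
        if ack and sport in self.pinholes.get((dst, src), ()):
            return "Permit"
        return "Drop"


def run_scenario() -> dict:
    """Drive the filter through the passive FTP exchange; returns the decisions."""
    pf = DynamicPacketFilter()
    client, server = "10.0.0.17", "203.0.113.5"   # constructed addresses
    out = {"before": pf.decide(client, server, 7000, 3000, ack=False)}
    out["pinhole"] = pf.inspect_control_reply(
        client, server, "227 Entering Passive Mode (203,0,113,5,11,184)")   # 11*256+184 = 3000
    out["third_party"] = pf.inspect_control_reply(
        client, server, "227 Entering Passive Mode (198,51,100,9,11,184)")
    out["data_out"] = pf.decide(client, server, 7000, 3000, ack=False)
    out["other_port"] = pf.decide(client, server, 7000, 3001, ack=False)
    out["data_in_ack"] = pf.decide(server, client, 3000, 7000, ack=True)
    out["data_in_syn"] = pf.decide(server, client, 3000, 7000, ack=False)
    pf.close_control(client, server)
    out["after_close"] = pf.decide(client, server, 7000, 3000, ack=False)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:12} {value}")
```

In the ISA design described later, the inspector role is played by the application filter (the protocol-aware component) and the pinhole role by the firewall's packet filter; the two talk through the firewall's API rather than a Python method call, but the division of labour is the same.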
Proxy protocol dependency
A different proxy should be used for every
protocol.
What if we use a new protocol or a private
protocol ?
Two solutions –
Don’t base the security policy on this protocol
traffic.
Use an extensible proxy –
There are proxies that are designed in a
generic form which is not protocol dependent.
Such a proxy can be extended to understand any
protocol. In our case, we develop an extension for
the new protocol.
Client’s proxy support
Using a proxy server is not transparent to the
client. The client should connect to the proxy
instead of the real server and tell the proxy
which server it actually wants.
Example - schematic HTTP without a proxy:
Client port 5000 --> Web Server port 80
Client’s proxy support (cont.)
Example - schematic HTTP with a proxy:
Client --> Proxy --> Web Server
Client’s proxy support (cont.)
No change in the server side.
Big change in the client side.
A solution – Installing proxy client
software on each client.
This software will intercept connect requests
and divert them to the proxy.
The proxy client should also inform the
proxy of the original server the client tried
to connect to.
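An added example, not code from the presentation: the client-side difference the three slides above describe, for schematic HTTP, in Python. A client talking to the web server directly sends a path-only request line; a proxy-aware client sends the absolute URI to the proxy, which extracts the origin server from it and checks that server against its policy before connecting. The last function plays the part of the proxy client software: it rewrites an intercepted direct request so that the proxy learns which server the client originally tried to reach. The host names and the allowed-origin policy are constructed.

```python
# Added example (not from the presentation): a proxy-aware vs. direct HTTP request
# line, the proxy's policy decision, and the rewrite a "proxy client" performs.
# Host names and the policy are constructed for the example.
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"www.example.com"}  # constructed policy: the only web server permitted


def origin_server(target: str, default_port: int = 80) -> Optional[Tuple[str, int]]:
    """Absolute-URI target (proxy request) -> (host, port); path-only target -> None."""
    if target.startswith("/"):
        return None
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        return None
    return parts.hostname, parts.port or default_port


def proxy_decide(request_line: str, policy=ALLOWED_ORIGINS) -> Tuple[str, Optional[str], Optional[int]]:
    """The proxy's decision for one request line: ('Connect'|'Deny'|'Reject', host, port)."""
    method, target, version = request_line.strip().split(" ")
    origin = origin_server(target)
    if origin is None:
        # A direct-style request tells the proxy nothing about the real server,
        # so the proxy cannot apply a server-based policy to it.
        return "Reject", None, None
    host, port = origin
    if host not in policy:
        return "Deny", host, port
    return "Connect", host, port


def divert_to_proxy(direct_request_line: str, original_host: str, original_port: int = 80) -> str:
    """What proxy-client software does with an intercepted connect request: rewrite
    the request so the proxy learns the server the client originally asked for."""
    method, path, version = direct_request_line.strip().split(" ")
    authority = original_host if original_port == 80 else f"{original_host}:{original_port}"
    return f"{method} http://{authority}{path} {version}"


if __name__ == "__main__":
    direct = "GET /index.html HTTP/1.0"                 # what a client sends to port 80 of the server
    print(proxy_decide(direct))                          # the proxy cannot use this
    print(proxy_decide(divert_to_proxy(direct, "www.example.com")))
    print(proxy_decide("GET http://other.example.net:8080/ HTTP/1.0"))
```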
NAT detection of closed sessions
Most NAT implementations store a dynamic
mapping table with all the open sessions and
their appropriate mappings.
These mappings are stored so that NAT will know
how to multiplex the responses.
A mapping is removed from the table when the
session is over – no more expected incoming
packets for the session.
NAT should have a way to know when a session is
over.
In TCP sessions it is easy – just wait for a FIN or a
reset.
How should NAT know when a UDP session is
over?
NAT detection of closed sessions
Two solutions –
Keep a timeout for every UDP mapping.
In a hybrid firewall, a protocol aware
component (e.g. proxy) will notify NAT
when a session is over.
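An added example, not code from the presentation: a NAT mapping table in Python that creates a mapping for each new outbound (protocol, private address, port), uses it to demultiplex responses, removes a TCP mapping when a FIN or RST is seen, and applies the first solution above to UDP, a per-mapping idle timeout, since UDP has no FIN. The public address is the one in the NAT example earlier; the private addresses, the timeout value and the injectable clock are constructed so the example runs without waiting.

```python
# Added example (not from the presentation): a NAT mapping table with TCP close
# detection and a UDP idle timeout. Public address from the presentation's NAT
# example; private addresses, timeout and clock are constructed.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

UDP_TIMEOUT = 60.0   # seconds of silence after which a UDP mapping is dropped (constructed)


@dataclass
class Mapping:
    proto: str
    private_ip: str
    private_port: int
    public_port: int
    last_seen: float


class Nat:
    def __init__(self, public_ip: str = "192.154.0.10",
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.public_ip = public_ip
        self.clock = clock
        self.next_port = 40000
        self.by_private: Dict[Tuple[str, str, int], Mapping] = {}
        self.by_public: Dict[Tuple[str, int], Mapping] = {}

    def _remove(self, m: Mapping) -> None:
        self.by_private.pop((m.proto, m.private_ip, m.private_port), None)
        self.by_public.pop((m.proto, m.public_port), None)

    def outbound(self, proto: str, src_ip: str, src_port: int, flags=()) -> Tuple[str, int]:
        """Translate a packet leaving the private network; create a mapping if needed."""
        key = (proto, src_ip, src_port)
        m = self.by_private.get(key)
        if m is None:
            m = Mapping(proto, src_ip, src_port, self.next_port, self.clock())
            self.next_port += 1
            self.by_private[key] = m
            self.by_public[(proto, m.public_port)] = m
        m.last_seen = self.clock()
        # Simplification: one FIN or RST ends the session (a real NAT waits for
        # both directions to close before it releases the public port).
        if proto == "TCP" and ({"FIN", "RST"} & set(flags)):
            self._remove(m)
        return self.public_ip, m.public_port

    def inbound(self, proto: str, dst_port: int, flags=()) -> Optional[Tuple[str, int]]:
        """Translate a response; None means no session exists and the packet is dropped."""
        m = self.by_public.get((proto, dst_port))
        if m is None:
            return None
        if proto == "UDP" and self.clock() - m.last_seen > UDP_TIMEOUT:
            self._remove(m)          # UDP has no FIN: the idle timeout decides
            return None
        m.last_seen = self.clock()
        if proto == "TCP" and ({"FIN", "RST"} & set(flags)):
            self._remove(m)
        return m.private_ip, m.private_port

    def expire_udp(self) -> int:
        """Periodic sweep; returns how many idle UDP mappings were removed."""
        now = self.clock()
        idle = [m for m in self.by_public.values()
                if m.proto == "UDP" and now - m.last_seen > UDP_TIMEOUT]
        for m in idle:
            self._remove(m)
        return len(idle)


def run_demo() -> dict:
    """Drive the table with a fake clock; returns the observations."""
    now = [0.0]
    nat = Nat(clock=lambda: now[0])
    out = {"udp_out": nat.outbound("UDP", "10.0.0.17", 5000)}
    out["udp_in"] = nat.inbound("UDP", 40000)
    out["unsolicited"] = nat.inbound("UDP", 40001)       # no session: dropped
    now[0] = 100.0                                        # 100 s of silence > UDP_TIMEOUT
    out["udp_after_timeout"] = nat.inbound("UDP", 40000)
    out["tcp_out"] = nat.outbound("TCP", "10.0.0.17", 1500)
    out["tcp_fin"] = nat.inbound("TCP", 40001, flags=("FIN", "ACK"))
    out["tcp_after_fin"] = nat.inbound("TCP", 40001)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value}")
```

The timeout is a trade-off the presentation's second solution avoids: too short and a quiet but live UDP session (a game waiting for the next move) loses its mapping; too long and stale mappings keep a public port reachable from outside after the client has gone.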
NAT &
addressing information in application level
There are some protocols that send
addressing information (IP address, port
number) in the application level data.
E.g. - Active FTP.
This information must be translated by
NAT.
NAT does not understand FTP; it works at
the IP and TCP/UDP levels.
NAT &
addressing information in application level
Two solutions –
Install a special spy application on the
client. Whenever a client application
tries to find out its IP address or a port
number, forward those queries to the
NAT component so that it answers
with the correct numbers.
In a hybrid firewall, a protocol aware
component (e.g. proxy) will notify NAT
of addressing information traffic that
must be translated.
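An added example, not code from the presentation: the translation the protocol-aware component has to perform for Active FTP, in Python. The client sends its own address and a listening port inside the control connection as "PORT h1,h2,h3,h4,p1,p2" (RFC 959); the function rewrites that line to advertise the public address and a freshly allocated public port, and returns the inbound mapping NAT must install so that the server's data connection reaches the client. The private and public addresses and ports are constructed (the public address is the one from the NAT example above); how the public port is allocated is left to a caller-supplied function.

```python
# Added example (not from the presentation): application-level address rewriting
# for Active FTP's PORT command. Addresses and ports are constructed.
import re
from typing import Callable, Optional, Tuple

PORT_COMMAND = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

Endpoint = Tuple[str, int]


def decode_hostport(fields) -> Endpoint:
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """('a.b.c.d', port) -> 'a,b,c,d,p1,p2' with port = p1*256 + p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(line: str, private_ip: str, public_ip: str,
                         allocate_public_port: Callable[[], int]
                         ) -> Tuple[str, Optional[Tuple[Endpoint, Endpoint]]]:
    """Rewrite one control-channel line sent by the client.

    Returns (line_to_forward, mapping): mapping is
    ((private_ip, private_port), (public_ip, public_port)) that NAT must install
    for the server's inbound data connection, or None when nothing was translated.
    """
    m = PORT_COMMAND.match(line)
    if not m:
        return line, None            # not a PORT command: forward unchanged
    addr, port = decode_hostport(m.groups())
    # Only the client's own address is translated. A PORT command naming some
    # other host is forwarded untranslated and gets no inbound mapping.
    if addr != private_ip:
        return line, None
    public_port = allocate_public_port()
    new_line = f"PORT {encode_hostport(public_ip, public_port)}\r\n"
    return new_line, ((private_ip, port), (public_ip, public_port))


if __name__ == "__main__":
    # Constructed: internal client 10.0.0.17 listens on 7000 (27*256+88); NAT's
    # public address is 192.154.0.10 and it hands out public port 40000.
    forwarded, mapping = rewrite_port_command(
        "PORT 10,0,0,17,27,88\r\n", "10.0.0.17", "192.154.0.10", lambda: 40000)
    print(repr(forwarded), mapping)
```

Note that the rewritten line is a different length from the original, so a NAT that does this on a live TCP stream also has to adjust the sequence and acknowledgement numbers of every later segment on the control connection; the example shows only the application-level part.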
NAT &
authentication / encryption protocols
There are some protocols that perform
integrity checks on the packets received.
These checks validate that the packet was
not changed on the way.
This is usually done by signing the data
with a secret key and appending the
signature to the data.
When NAT changes the IP/TCP/UDP
header, the integrity check fails and
the receiver concludes that an attacker
tampered with the packet on the way.
NAT &
authentication / encryption protocols
Three solutions –
Give NAT the secret key. NAT will re-sign
the modified packets.
Don’t use NAT for computers using these
protocols.
Use NAT compatible
authentication/encryption protocols.
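An added example, not code from the presentation: the failure described on the previous slide and two of the three solutions, in Python. A keyed MAC (HMAC-SHA256 from the standard library) stands in for "signing the data with a secret key". Scheme A covers the addresses and ports together with the data, in the spirit of IPsec AH, and stops verifying once NAT has rewritten the source; re-signing at the NAT with the shared key (solution 1) restores it. Scheme B covers only the application data, in the spirit of NAT-compatible designs such as ESP (solution 3), and survives the rewrite. The key, addresses and payload are constructed; the public address is the one from the NAT example.

```python
# Added example (not from the presentation): why a header-covering integrity check
# breaks under NAT, and how re-signing at the NAT or a payload-only check avoids it.
# Key, addresses and payload are constructed.
import hashlib
import hmac
import socket
import struct

SHARED_KEY = b"constructed-shared-secret"


def header_and_payload(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """The bytes scheme A protects: addresses, ports and the application data."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HH", sport, dport) + payload


def sign_whole_packet(key: bytes, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Scheme A: the tag covers the header fields as well as the data."""
    return hmac.new(key, header_and_payload(src_ip, dst_ip, sport, dport, payload), hashlib.sha256).digest()


def verify_whole_packet(key: bytes, src_ip, dst_ip, sport, dport, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_whole_packet(key, src_ip, dst_ip, sport, dport, payload), tag)


def sign_payload_only(key: bytes, payload: bytes) -> bytes:
    """Scheme B (NAT compatible): the tag covers only the application data."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_payload_only(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_payload_only(key, payload), tag)


def nat_then_verify() -> dict:
    """Sign at the internal host, let NAT rewrite the source, verify at the receiver."""
    # Constructed: internal host 10.0.0.17:5000 sends to external 203.0.113.5:4000;
    # NAT rewrites the source to 192.154.0.10:40000.
    src, dst, sport, dport, data = "10.0.0.17", "203.0.113.5", 5000, 4000, b"hello"
    nat_src, nat_sport = "192.154.0.10", 40000
    tag_a = sign_whole_packet(SHARED_KEY, src, dst, sport, dport, data)
    tag_b = sign_payload_only(SHARED_KEY, data)
    return {
        "scheme_a_without_nat": verify_whole_packet(SHARED_KEY, src, dst, sport, dport, data, tag_a),
        # The receiver sees the rewritten header, so the original tag no longer matches.
        "scheme_a_after_nat": verify_whole_packet(SHARED_KEY, nat_src, dst, nat_sport, dport, data, tag_a),
        # Solution 1: NAT holds the key and re-signs the modified packet.
        "scheme_a_resigned_by_nat": verify_whole_packet(
            SHARED_KEY, nat_src, dst, nat_sport, dport, data,
            sign_whole_packet(SHARED_KEY, nat_src, dst, nat_sport, dport, data)),
        # Solution 3: a check that excludes the fields NAT is allowed to change.
        "scheme_b_after_nat": verify_payload_only(SHARED_KEY, data, tag_b),
    }


if __name__ == "__main__":
    for name, ok in nat_then_verify().items():
        print(f"{name:26} {'verifies' if ok else 'FAILS'}")
```

Both workarounds cost something: giving NAT the key makes the NAT a party that can forge packets, and a payload-only check no longer binds the data to the addresses it travelled between. That is the trade-off behind "use NAT compatible protocols".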
Case Study:
Age Of Empires II
Introduction
In the previous chapters we gained
knowledge regarding firewall’s
infrastructure and the effect of a
firewall on different protocols.
In this chapter we will use this
knowledge to enable a specific
application (the protocols it uses) to
pass through the firewall.
Introduction
(cont.)
We will pick a widely used, network
based application.
Learn its underlying protocols.
Understand the difficulties of passing
these protocols through a firewall.
For each difficulty, suggest several
solutions and pick the best one.
Implement the solutions in a module
that will extend a given firewall.
The application
(cont.)
The application we chose is one of
the most popular games,
Age Of Empires II (AOE2).
This is a multiplayer strategy game.
Each player runs the game on a
different computer and plays with
the other players.
AOE2 & Direct Play
The game, like almost all other
games, uses the Microsoft Direct Play
package for dealing with networking
issues.
Direct Play uses an internal (not RFC)
protocol to handle the game traffic.
In every Direct Play based game, one
of the players is a Host.
The host computer is responsible for
managing the game.
Organizing a multi-player game
How can a player join a multi-player
game ?
There are several “meeting places” on
the internet.
The biggest and most famous one is
Microsoft Gaming Zone.
Microsoft Gaming Zone
The Zone also uses its own internal
protocol for organizing a multi-player
game.
The same protocol is used for all
games that can be organized from
the Zone.
The goal
Let a player protected by a firewall
join a multi-player game of AOE2
with a player on the internet using
the Zone.
The firewall should enable the player
to participate in the game without
tampering with the internal network
security.
The solution
Use an extensible firewall that can be
taught to handle new protocols.
The firewall will be extended with our
component that is aware of Direct Play
and the Zone protocols.
Notice:
By developing an extension that enables
the Direct Play and Zone protocols we
make almost every Windows-based game
compatible with the ISA firewall.
Internet Security and
Acceleration server 2000 (ISA)
The firewall we choose is Microsoft
Internet Security and Acceleration
Server 2000.
The firewall can be extended with
modules called application filters.
The working environment
Internet:         Zone.com, AOE2 Client
Technion Network: Router --> Firewall
Internal Network: AOE2 Client
Learning the protocols
This was one of the hardest tasks in
the project.
All the protocols involved are
internal – no RFC can be found.
Learning was done by reverse
engineering using Microsoft Network
Monitor.
Microsoft Network Monitor
Implementing the solutions
A DirectXFilter application filter was
written.
It is a COM object built in C++
using ATL.
The main API the application filter
uses is the firewall's (ISA) API.
The filter Class diagram
Legend: Class / Interface
CDirectXFilter (class): derives from CComObjectRootEx and CComCoClass; implements IFWXFilter.
CFirstPhaseDataFilter (class): derives from CComObjectRootEx; implements IFWXDataFilter and IFWXIOCompletion.
CSecondPhaseDataFilter (class): derives from CComObjectRootEx; implements IFWXDataFilter and IFWXIOCompletion.
CThirdPhaseDataFilter (class): derives from CComObjectRootEx; implements IFWXDataFilter and IFWXIOCompletion.