circuit-level gateway

Firewalls
Overview
• In days of old, brick walls were built between buildings in
apartment complexes so that if a fire broke out, it would not
spread from one building to another
• Quite naturally, these walls were called firewalls
• Today, when a private network (i.e., intranet) is connected to a
public network (i.e., Internet), its users are enabled to
communicate with the outside world
• At the same time, however, the outside world can interact with the
private network and its computer systems
• Consequently, the computer systems are visible and can be
attacked from the outside world (with a potentially very large
number of attackers)
Overview
• In this situation, an intermediate system can be plugged between
the private network and the public network to establish a
controlled link, and to erect a security wall or perimeter
• The aim of the intermediate system is to protect the private
network from network-based attacks that may originate from the
outside world, and to provide a single choke point where security
and audit may be imposed
• These intermediate systems are called firewall systems or
firewalls (alternative terms include security gateways and
secure Internet gateways)
• There are many real-world analogies for firewalls
Overview
• According to RFC 2828, the term firewall refers to an internetwork gateway that restricts data communication traffic to and
from one of the connected networks and thus protects that
network's system resources against threats from the other network
• According to Cheswick and Bellovin, a firewall (system) refers to
a collection of components placed between two networks that
collectively have the following properties
– All traffic from inside to outside, and vice versa, must pass through
the firewall
– Only authorized traffic, as defined by the local security policy, will
be allowed to pass
– The firewall itself is immune to penetration
Overview
• Still another possibility to define the term is to call a system a
firewall if it is able
– To enforce strong authentication for users who wish to establish
inbound or outbound connections
– To associate data streams that are allowed to pass through the
firewall with previously authenticated and authorized users
• It is a policy decision if a data stream is allowed to pass through a
firewall
• Consequently, the definition leads to the necessity of an explicitly
defined firewall policy
• This is similar to the definition of Cheswick and Bellovin
Firewall Characteristics
• Four general techniques:
• Service control
– Determines the types of Internet
services that can be accessed, inbound
or outbound
• Direction control
– Determines the direction in which
particular service requests are allowed
to flow
Firewall Characteristics
• User control
– Controls access to a service according to
which user is attempting to access it
• Behavior control
– Controls how particular services are
used (e.g. filter e-mail)
Overview
• In either case, a firewall provides perimeter security and does not
protect against insider attacks
• Components
– Firewall policy
• Service access policy
• Firewall design policy
– Packet filters
• Statically filtering devices
• Dynamically filtering devices
– Application gateways
• Circuit-level gateways
• Application-level gateways or proxy servers
Firewall Limitations
• Cannot protect against attacks that bypass it
– e.g., sneaker net, modems on user desks, trusted partner
organisations, trusted (encrypted) services such as SSL/SSH that
the firewall cannot inspect
• Cannot protect against internal threats
– e.g., a disgruntled employee
• Cannot protect against the transfer of all virus-infected
programs or files
– because of the huge range of operating systems and file types
Types of Firewalls
• Packet-filtering Router
Packet Filtering
• All information that is found in an IP packet can be used to
selectively filter it (i.e., forward or drop it)
(Figure: IP packet layout: IP header | TCP/UDP header | Application data)
• The idea evolved in the late 1980s and early 1990s to provide
access control services to TCP/IP-based networks
• Today, most commercial router products (e.g., Cisco routers)
provide the capability to filter IP packets in accordance with a set
of packet filter rules that implement a service access policy
• These routers are sometimes called screening routers
Packet Filtering
• The following fields should be taken into account by any packet-filtering device
– Network interface
– IP header
• Source IP address
• Destination IP address
• Protocol number
– TCP header
• Source port number
• Destination port number
• TCP connection flags
• Other options
– UDP header
• Source port number
• Destination port number
Firewalls – Packet Filters
Packet Filtering
• A packet filter is stateless, meaning that each IP packet is treated
individually
• Practical problems occur if inbound connections must be
established to dynamically assigned port numbers (e.g., FTP data
connection)
(Figure: active-mode FTP between FTP client and FTP server. ftp-control: client port r1 (e.g., 1565) -> server port 21, outbound. ftp-data: server port 20 -> client port r2 (e.g., 1567), inbound)
Packet Filtering
• In the case of FTP, passive mode FTP solves the problem
• In passive mode FTP, the FTP data connection is also established
outbound
• Unfortunately, the underlying problem is more general and also
applies to an increasingly large number of applications (e.g.,
CORBA IIOP and many UDP-based and realtime application
protocols)
• One way to address the problem is to have packet filters establish
and maintain state information to more intelligently filter TCP
connections or UDP datagram transport sessions
Packet Filtering
• This technology was originally developed, pioneered, and
patented by Check Point Software Technologies Ltd.
• It was named stateful inspection and is used in its FireWall-1 product
(Figure: the stateful filter records the client port r2 announced on the ftp-control connection (r1 -> 21) and admits only the matching inbound ftp-data connection 20 -> r2 (e.g., 1567))
Firewalls – Stateful Packet Filters
• examine each IP packet in context
– keeps tracks of client-server sessions
– checks each packet validly belongs to one
• better able to detect bogus packets out of
context
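The following block is an added example (not code from the slides) of what the stateful inspection just described does that a stateless filter cannot: it records outbound TCP connections and admits inbound packets only when they belong to a tracked session, and it watches the ftp-control channel for the PORT command so that the server's inbound ftp-data connection to the dynamically chosen client port can be admitted. The intranet prefix, addresses and ports are constructed for the example.

```python
"""Stateful inspection for TCP, reduced to its essentials.

Policy: inside hosts may open outbound TCP connections; an inbound packet is
accepted only if it belongs to a tracked session. The FTP control channel
(port 21) is watched for the PORT command so that the server's inbound
ftp-data connection (from port 20 to the client's dynamically chosen port)
can be admitted without leaving all high ports open.
"""
import re
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10.1.1."   # constructed intranet; a real filter would use a prefix table


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


@dataclass
class StatefulFilter:
    # tracked sessions keyed by (client, client_port, server, server_port)
    sessions: set = field(default_factory=set)
    # one-shot expectations for inbound connections: (server, server_port, client, client_port)
    pinholes: set = field(default_factory=set)

    _PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    @staticmethod
    def _inside(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def handle(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            return self._outbound(pkt)
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            return self._inbound(pkt)
        return "DROP"   # neither direction crosses the perimeter as modelled here

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:
            self.sessions.add(key)          # new connection initiated from inside
        elif key not in self.sessions:
            return "DROP"                   # non-SYN packet of a connection never seen
        if pkt.dport == 21:
            self._watch_ftp_port_cmd(pkt)
        return "ACCEPT"

    def _inbound(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "ACCEPT"                 # reply traffic of a tracked session
        hole = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack and hole in self.pinholes:
            self.pinholes.discard(hole)     # expectation consumed
            self.sessions.add(reverse)      # from now on tracked like any session
            return "ACCEPT"
        return "DROP"                       # unsolicited inbound packet

    def _watch_ftp_port_cmd(self, pkt: Packet) -> None:
        m = self._PORT_RE.search(pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        client_ip = ".".join(map(str, h[:4]))
        client_port = h[4] * 256 + h[5]
        if client_ip != pkt.src:
            return   # refuse to open a hole towards a third party (FTP bounce)
        self.pinholes.add((pkt.dst, 20, client_ip, client_port))


def demo():
    """Walk through the active-mode FTP exchange from the figure above."""
    fw = StatefulFilter()
    client, server = "10.1.1.5", "203.0.113.9"   # constructed addresses
    log = []
    # 1. unsolicited inbound SYN to an inside host: no session, dropped
    log.append(fw.handle(Packet(server, 4444, client, 22, syn=True)))
    # 2. client opens the ftp-control connection (r1=1565 -> 21) and the server answers
    log.append(fw.handle(Packet(client, 1565, server, 21, syn=True)))
    log.append(fw.handle(Packet(server, 21, client, 1565, syn=True, ack=True)))
    # 3. client announces data port r2 = 6*256+31 = 1567 with a PORT command
    log.append(fw.handle(Packet(client, 1565, server, 21, ack=True,
                                payload=b"PORT 10,1,1,5,6,31\r\n")))
    # 4. server opens ftp-data from port 20 to the announced port and sends on it
    log.append(fw.handle(Packet(server, 20, client, 1567, syn=True)))
    log.append(fw.handle(Packet(server, 20, client, 1567, ack=True, payload=b"file bytes")))
    # 5. a data connection to a port that was never announced is still dropped
    log.append(fw.handle(Packet(server, 20, client, 1568, syn=True)))
    return log
```

The pinhole is consumed by the first matching SYN and the filter refuses to open one for an address other than the client that sent the PORT command; real implementations also time out idle sessions and pinholes, which this toy omits.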
Attacks on Packet Filters
• IP address spoofing
– attacker fakes a source address that the filter trusts (e.g., an
internal address)
– countermeasure: drop packets arriving on the external interface
with an internal source address
• Source routing attacks
– attacker specifies a route other than the default, possibly
bypassing security measures on the way
– countermeasure: drop all source-routed packets
• Tiny fragment attacks
– attacker splits the TCP header over several tiny fragments so that
the filter never sees the fields it checks (e.g., the port numbers)
– countermeasure: either discard tiny first fragments or reassemble
before checking
Types of Firewalls
• Circuit-level Gateway
Circuit-Level Gateways
• In essence, a circuit-level gateway is a proxy server for
transport layer associations (i.e., TCP connections)
• A circuit-level gateway differs from a port-forwarding
mechanism
– Contrary to a port-forwarding mechanism, the client must
be made aware of the circuit-level gateway
– Contrary to a port-forwarding mechanism, the circuit-level
gateway is generic in the sense that it can handle any
TCP connection (if enabled in its configuration)
Circuit-Level Gateways
(Figure: user, client, circuit-level gateway, origin server)
1) The client establishes a TCP connection to the circuit-level
gateway and requests a second TCP connection to a remote
server (origin server)
2) The circuit-level gateway
- checks the client IP address,
- authenticates and, if the policy requires it, authorizes the client
according to a given network security policy
3) The circuit-level gateway connects to the origin server and
copies data back and forth between the two TCP connections
Types of Firewalls
• Circuit-level Gateway
– The security function consists of
determining which connections will be
allowed
– Typical use is a situation in which the system administrator
trusts the internal users
– An example is the SOCKS package
Circuit-Level Gateways
• The most important circuit-level gateway is SOCKS as developed
by David and Michelle Koblas in 1992
• The original implementation consisted of two components
– A SOCKS server or daemon (i.e., sockd)
– A SOCKS library that can be used to replace regular Sockets calls
in client software
• More specifically, the application developer has to recompile and
link the client software with a few preprocessor directives to
intercept and replace the regular TCP/IP networking Sockets calls
with SOCKS counterparts
Circuit-Level Gateways
• The design goal of SOCKS was to provide a general framework
for TCP/IP applications to securely use (and traverse) a firewall
• Consequently, SOCKS is independent of any supported TCP/IP
application protocol
• When a socksified intranet client requires access to an origin
server on the Internet, it must first open a TCP connection to the
appropriate port on the SOCKS server residing on the firewall
system (the SOCKS server conventionally listens at TCP port
1080)
• If this first TCP connection is established, the client uses the
SOCKS protocol to have the SOCKS server establish a second
TCP connection to the origin server
Circuit-Level Gateways
• The SOCKS protocol consists of two commands
– The CONNECT command requests that the SOCKS server
establishes a TCP connection to a given IP address and port number
using a specific username
– The BIND command requests that the SOCKS server registers a
client IP address and a username in case the application protocol
requires the client to accept connections back from the origin server
(e.g., FTP)
• In either case, the username is a string that is passed from the
requesting client to the SOCKS server for the purpose of
authentication, authorization, and accounting (in SOCKS V4 the
server has no way to verify it, which is one reason SOCKS V5 added
real authentication methods)
Circuit-Level Gateways
• After having received a request, the SOCKS server evaluates the
information provided by the client
• The evaluation is performed against the sockd configuration file
that may include a ruleset
• Each rule either permits or denies communications with one or
several systems
• The SOCKS server sends a reply back to the client (e.g.,
information indicating whether the request was successful)
• Once the requested second connection is established, the SOCKS
server simply relays data back and forth between the two TCP
connections
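As an added example (not code from the slides or from the SOCKS package), the block below encodes and decodes SOCKS V4 CONNECT/BIND requests and replies in their actual wire format and evaluates a request against a small sockd-style ruleset of the kind just described. The rule format, the intranet addresses and the user names are constructed for the example.

```python
"""SOCKS V4 request/reply encoding and server-side rule evaluation.

Wire format:  request = VN(=4) | CD | DSTPORT (2 bytes, big-endian) | DSTIP (4) | USERID | NUL
              reply   = VN(=0) | CD (90 granted, 91 rejected/failed) | DSTPORT | DSTIP
"""
import ipaddress
import struct

CONNECT, BIND = 1, 2
GRANTED, REJECTED = 90, 91


def build_request(cmd: int, dst_ip: str, dst_port: int, userid: str) -> bytes:
    header = struct.pack("!BBH4s", 4, cmd, dst_port, ipaddress.IPv4Address(dst_ip).packed)
    return header + userid.encode("ascii") + b"\x00"


def parse_request(data: bytes):
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4 or cd not in (CONNECT, BIND):
        raise ValueError("not a SOCKS4 CONNECT/BIND request")
    nul = data.index(b"\x00", 8)          # USERID is NUL-terminated
    return cd, str(ipaddress.IPv4Address(ip)), port, data[8:nul].decode("ascii")


def build_reply(granted: bool, dst_ip: str, dst_port: int) -> bytes:
    return struct.pack("!BBH4s", 0, GRANTED if granted else REJECTED, dst_port,
                       ipaddress.IPv4Address(dst_ip).packed)


def parse_reply(data: bytes):
    _vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    return cd == GRANTED, str(ipaddress.IPv4Address(ip)), port


# Constructed sockd-style ruleset, first match wins, default deny.
# (action, client network, userid or None for any, destination network, port or None for any)
RULES = [
    ("deny",   "10.1.0.0/16", None,    "192.0.2.0/24", None),  # nobody inside may reach this net
    ("permit", "10.1.0.0/16", "alice", "0.0.0.0/0",    21),    # alice may FTP anywhere else
    ("permit", "10.1.0.0/16", None,    "0.0.0.0/0",    80),    # anyone inside may use HTTP
]


def evaluate(client_ip: str, dst_ip: str, dst_port: int, userid: str) -> bool:
    """Return True if RULES permit the request (the same rules apply to CONNECT and BIND)."""
    for action, cnet, user, dnet, dport in RULES:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cnet):
            continue
        if user is not None and user != userid:
            continue
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(dnet):
            continue
        if dport is not None and dport != dst_port:
            continue
        return action == "permit"
    return False


def socks_server_handle(client_ip: str, request: bytes) -> bytes:
    """What sockd does with one request: parse, evaluate, reply (relaying omitted)."""
    _cmd, dst_ip, dst_port, userid = parse_request(request)
    return build_reply(evaluate(client_ip, dst_ip, dst_port, userid), dst_ip, dst_port)


def demo():
    cases = {
        "alice-ftp":           ("10.1.1.5", CONNECT, "198.51.100.7", 21, "alice"),
        "alice-ftp-bind":      ("10.1.1.5", BIND,    "198.51.100.7", 21, "alice"),
        "bob-ftp":             ("10.1.1.6", CONNECT, "198.51.100.7", 21, "bob"),
        "alice-forbidden-net": ("10.1.1.5", CONNECT, "192.0.2.10",   80, "alice"),
        "bob-http":            ("10.1.1.6", CONNECT, "198.51.100.7", 80, "bob"),
    }
    out = {}
    for name, (client, cmd, ip, port, user) in cases.items():
        reply = socks_server_handle(client, build_request(cmd, ip, port, user))
        out[name] = parse_reply(reply)[0]
    return out
```

Note that the rules keyed on "alice" are only as strong as the USERID string, which the SOCKS V4 client chooses itself; the ruleset therefore really distinguishes client hosts, not users, until the V5 authentication methods are used.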
Circuit-Level Gateways
• The original SOCKS implementation was further refined into a
SOCKS software package and a protocol that is widely deployed
and commonly referred to as SOCKS protocol version 4 (SOCKS
V4)
• Refer to http://www.socks.nec.com
• Many client software packages have been socksified (e.g., most
Web browsers in use today) using SOCKS V4
• After the successful deployment of SOCKS V4, the IETF
chartered an Authenticated Firewall Traversal (AFT) WG to
"start with the SOCKS system" and to "specify a protocol to
address the issue of application-layer support for firewall
traversal" in 1994 (http://www.ietf.org/
html.charters/aft-charter.html)
Circuit-Level Gateways
• The major result of the IETF AFT WG was the specification of the
SOCKS protocol version 5 (SOCKS V5) in 1996
• As such, SOCKS V5 has been submitted to the Internet standards
track as a Proposed Standard and it is very likely that the protocol
will become an Internet Standard
• Additional features in SOCKS 5
– Alternative user authentication schemes
– Cryptographic protection of data exchanged between the socksified
client and the SOCKS server
– Support for UDP-based application protocols
– Extended addressing schemes
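The exchange a SOCKS V5 client and server go through for two of the features listed above (method negotiation with username/password authentication, and the domain-name address type) is shown below as an added example; it is not code from the slides or from any SOCKS implementation. The message layouts follow RFC 1928 and RFC 1929; the credentials and the per-user port policy are constructed.

```python
"""SOCKS V5 negotiation: method selection (RFC 1928), username/password
sub-negotiation (RFC 1929) and a CONNECT request with the domain-name
address type, one of the extended addressing schemes added in V5.
"""
import ipaddress
import struct

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 1, 2, 3
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02

CREDENTIALS = {"alice": "correct horse"}     # constructed user database
ALLOWED_PORTS = {"alice": {80, 443}}          # constructed policy: ports per user


def client_greeting(methods) -> bytes:
    return bytes([5, len(methods), *methods])          # VER | NMETHODS | METHODS


def server_choose_method(greeting: bytes, server_prefs) -> bytes:
    if greeting[0] != 5:
        raise ValueError("not SOCKS5")
    offered = set(greeting[2:2 + greeting[1]])
    for m in server_prefs:                              # server preference order
        if m in offered:
            return bytes([5, m])
    return bytes([5, NO_ACCEPTABLE])                    # client must close


def userpass_request(user: str, pw: str) -> bytes:
    u, p = user.encode(), pw.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p   # VER=1 | ULEN | UNAME | PLEN | PASSWD


def server_check_userpass(msg: bytes, credentials):
    if msg[0] != 1:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    pw = msg[3 + ulen:3 + ulen + plen].decode()
    ok = credentials.get(user) == pw
    return bytes([1, 0 if ok else 1]), (user if ok else None)


def connect_request(host: str, port: int) -> bytes:
    """CONNECT with ATYP=DOMAIN: the proxy resolves the name, so the client needs
    no DNS path through the firewall."""
    h = host.encode("idna")
    return bytes([5, CMD_CONNECT, 0, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def parse_request(msg: bytes):
    ver, cmd, rsv, atyp = msg[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("bad request header")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(bytes(msg[4:8]))), msg[8:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        addr, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = ipaddress.IPv6Address(bytes(msg[4:20])).compressed, msg[20:]
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, addr, port


def server_reply(rep: int, bnd_ip: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    return (bytes([5, rep, 0, ATYP_IPV4]) + ipaddress.IPv4Address(bnd_ip).packed
            + struct.pack("!H", bnd_port))


def run_exchange(user: str, pw: str, host: str, port: int):
    """Both sides of one session; returns (transcript, final REP code or None)."""
    transcript = []
    g = client_greeting([NO_AUTH, USERPASS]); transcript.append(("C", g))
    sel = server_choose_method(g, [USERPASS]); transcript.append(("S", sel))
    if sel[1] == NO_ACCEPTABLE:
        return transcript, None
    up = userpass_request(user, pw); transcript.append(("C", up))
    status, authed = server_check_userpass(up, CREDENTIALS); transcript.append(("S", status))
    if authed is None:
        return transcript, None                          # server closes the connection
    req = connect_request(host, port); transcript.append(("C", req))
    cmd, _addr, dport = parse_request(req)
    ok = cmd == CMD_CONNECT and dport in ALLOWED_PORTS.get(authed, set())
    rep = server_reply(REP_SUCCESS if ok else REP_NOT_ALLOWED); transcript.append(("S", rep))
    return transcript, rep[1]
```

The username/password method sends the password in the clear, so it only makes sense on a trusted segment between client and SOCKS server; the cryptographic protection mentioned above is provided by the GSS-API method of RFC 1961, which this example does not implement.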
Application-Level Gateways
• An application gateway works at either the transport layer
(circuit-level gateways) or the application layer (application-level
gateways)
• The major difference is that a circuit-level gateway is generic and
is able to proxy any TCP-based application protocol, whereas an
application-level gateway is specific and is generally able to
proxy only one TCP-based application protocol
• Consequently, a firewall must have specific application-level
gateways (or proxy servers) for every application protocol that
must traverse the firewall
• This is a serious disadvantage of application-level gateways
(e.g., for proprietary protocols for which no proxy exists)
Types of Firewalls
• Application-level Gateway
Application-Level Gateways
• In general, the use of an application gateway requires some
customization and modification of either the user procedures or
the client software
• Both approaches have disadvantages
• Consequently, it would be nice to have a firewall that maintains
all software modifications required for application gateway
support in the firewall
• This idea led to the development of so-called transparent
firewalls
• Today, many vendors provide transparent firewall products
Application-Level Gateways
• In short, a transparent firewall is configured to listen on the
network segment of the firewall for outgoing TCP connections
and to autonomously relay these connections on the client's behalf
• Note that
– Transparency is not necessarily provided in both directions (e.g.,
inbound transparency is seldom required or used)
– A transparent firewall still requires that all messages to and from the
Internet be transmitted through the firewall
• Similar functionality is required for network address translation
(NAT)
Application-Level Gateways
• The application-level gateway must be able to authenticate and
authorize user requests
– List of IP addresses that are allowed to connect inbound or outbound
– Weak authentication schemes (e.g., password)
– Strong authentication schemes
• In practice, the firewall policy must define the authentication and
authorization schemes that must be used in either direction and
for each service
• Many policies use the simplest scheme mentioned above for
outbound connections and a strong authentication scheme for
inbound connections
Application-Level Gateways
• The application-level gateway or proxy server must have access to
some reference information to verify whether the authentication
information provided by the client (or user) is valid and legitimate
(e.g., a one-way hash value of a user password or the public key
certificate for a specific user)
• The reference information can be stored either locally or remotely
• The second approach is preferable since it makes it possible to
aggregate security information and functions for several firewall
systems and network access servers at a single point
Application-Level Gateways
• Typically, a standardized protocol is used to retrieve the reference
information from a centralized security server
• Protocols
– Remote Authentication Dial-In User Service (RADIUS)
developed and proposed by Livingston Enterprises, Inc.
– Terminal access controller access control system (TACACS) and
its derivatives (i.e., TACACS+, XTACACS, ...) developed and
proposed by Cisco Systems
• Both protocols are widely supported by commercial firewall
systems and network access servers
Firewall Configurations
• Many contemporary firewall systems provide support for
network address translation (NAT)
• NAT basically means that an organization can use private IP
addresses on its own network (i.e., intranet) to increase the
address space
• In RFC 1918 (BCP 5), the following blocks of the IP address
space have been reserved for private use
– 10.0.0.0 - 10.255.255.255 (24-bit block, 10/8)
– 172.16.0.0 - 172.31.255.255 (20-bit block, 172.16/12)
– 192.168.0.0 - 192.168.255.255 (16-bit block, 192.168/16)
Firewall Configurations
• A NAT firewall works similarly to a transparent firewall
• IP packets with unknown destination IP addresses are routed to the
network segment that hosts the NAT firewall
• The NAT firewall, in turn, grabs the IP packets that request a TCP
connection establishment, establishes the connection on behalf of
the client, and copies data back and forth
• In addition, the NAT firewall substitutes the private IP addresses
(used on the intranet) with officially assigned IP addresses (used
on the Internet) and vice-versa
(Figure: FTP client c@C connects to 21@S through the firewall proxy; the server sees the connection as f@F -> 21@S, and the proxy rewrites the replies 21@S -> f@F back into 21@S -> c@C)
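An added example (not from the slides) of the address substitution described above: a NAT firewall translating outbound packets from RFC 1918 addresses to its public address plus an allocated port, mapping replies back through the same table, and dropping inbound packets for which no mapping exists. The public address, private addresses and port range are constructed; the endpoint-dependent mapping (the table key includes the remote peer) is one of several NAT behaviours and is a design choice of this example.

```python
"""Network address and port translation (NAPT) as done by a NAT firewall.

Outbound packets from RFC 1918 addresses are rewritten to the firewall's
public address and a freshly allocated port; replies are mapped back through
the same table; inbound packets with no matching entry are dropped, which is
why NAT also yields a (weak) form of inbound access control.
"""
import ipaddress
from dataclasses import dataclass, replace

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if `ip` lies in one of the three RFC 1918 blocks."""
    a = ipaddress.ip_address(ip)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public port, peer_ip, peer_port) -> (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the intranet."""
        if not is_private(pkt.src):
            raise ValueError("outbound packet does not come from the intranet")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                          # first packet of this flow: allocate
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Rewrite the destination of a packet from the Internet, or None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                           # no inside host asked for this
        priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)


def demo():
    nat = Napt("203.0.113.1")                                  # constructed public address
    a = nat.outbound(Packet("10.1.1.5", 1565, "198.51.100.7", 21))
    b = nat.outbound(Packet("192.168.0.9", 1565, "198.51.100.7", 21))  # same inside port, other host
    reply_a = nat.inbound(Packet("198.51.100.7", 21, "203.0.113.1", a.sport))
    reply_b = nat.inbound(Packet("198.51.100.7", 21, "203.0.113.1", b.sport))
    stray = nat.inbound(Packet("198.51.100.99", 21, "203.0.113.1", a.sport))  # not the peer we talked to
    return {
        "a": (a.src, a.sport), "b": (b.src, b.sport),
        "reply_a": (reply_a.dst, reply_a.dport), "reply_b": (reply_b.dst, reply_b.dport),
        "stray_dropped": stray is None,
    }
```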
Firewall Configurations
• Protection against TCP SYN flooding and other (D)DoS attacks
requires modifications in TCP (e.g., SYN cookies)
• In the meantime, one can use ad-hoc solutions (e.g., Check Point's
SYNDefender, Cisco IOS TCP Intercept, ...)
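To make the SYN cookie idea concrete, here is an added example (not from the slides) of D. J. Bernstein's original cookie layout: the server keeps no state for half-open connections and instead puts a verifiable value into the initial sequence number of its SYN/ACK, reconstructing the connection only when an ACK carrying that value comes back. The keyed hash (HMAC-SHA256 truncated to 24 bits), the secret, the MSS table and the 64-second counter are choices made for this example.

```python
"""SYN cookies: the server's ISN in the SYN/ACK is a cookie, not random.

Layout (Bernstein):
   top 5 bits: t, a slowly increasing counter (here 64-second ticks) mod 32
   next 3 bits: index into a small table of MSS values the client may use
   low 24 bits: keyed MAC over (saddr, daddr, sport, dport, t), truncated
A SYN flood therefore costs the server one MAC per SYN and no memory.
"""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1300, 1440, 1460)    # common MSS values; index fits in 3 bits
SECRET = b"constructed-server-secret"  # per-server key; rotate it in practice
TICK = 64                              # seconds per counter step


def _mac24(saddr: bytes, daddr: bytes, sport: int, dport: int, t: int) -> int:
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now) -> int:
    """ISN to send in the SYN/ACK for this SYN."""
    t = (int(now) // TICK) & 0x1F
    if client_mss >= MSS_TABLE[0]:
        idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss)
    else:
        idx = 0
    return (t << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, t)


def check_cookie(cookie, saddr, daddr, sport, dport, now, max_age_ticks=1):
    """Return the MSS to use if `cookie` (= ACK number - 1) is valid and fresh, else None."""
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    cur = (int(now) // TICK) & 0x1F
    if ((cur - t) & 0x1F) > max_age_ticks:
        return None                   # too old (or from the future); nothing to look up
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, t):
        return None                   # forged or belongs to another 4-tuple
    return MSS_TABLE[idx]


def demo():
    saddr, daddr = bytes([198, 51, 100, 7]), bytes([203, 0, 113, 1])   # constructed peers
    sport, dport = 40000, 80
    now = 1_000_000
    isn = make_cookie(saddr, daddr, sport, dport, client_mss=1460, now=now)
    ack_from_client = (isn + 1) & 0xFFFFFFFF        # third handshake packet acknowledges ISN+1
    return {
        "valid": check_cookie((ack_from_client - 1) & 0xFFFFFFFF, saddr, daddr, sport, dport, now + 10),
        "forged": check_cookie(isn ^ 0x1, saddr, daddr, sport, dport, now + 10),
        "wrong_peer": check_cookie(isn, saddr, daddr, sport + 1, dport, now + 10),
        "stale": check_cookie(isn, saddr, daddr, sport, dport, now + 3 * TICK),
    }
```

The price of statelessness is visible in the layout: only the MSS survives, so options such as window scaling or SACK negotiated in the SYN are lost unless encoded elsewhere (Linux, for instance, uses the timestamp option for them), which is why cookies are typically switched on only while the SYN queue is overflowing.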
Bastion Host
– A system identified by the firewall
administrator as a critical strong point in
the network's security
– The bastion host serves as a platform
for an application-level or circuit-level
gateway
Firewall Configurations
• In addition to the use of simple
configuration of a single system
(single packet filtering router or
single gateway), more complex
configurations are possible
• Three common configurations
Firewall Configurations
• Screened host firewall system
(single-homed bastion host)
Firewall Configurations
• Screened host firewall, single-homed
bastion configuration
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
Firewall Configurations
• Configuration for the packet-filtering
router:
– Only packets from and to the bastion
host are allowed to pass through the
router
• The bastion host performs
authentication and proxy functions
Firewall Configurations
• Greater security than single
configurations because of two
reasons:
– This configuration implements both
packet-level and application-level
filtering (allowing for flexibility in
defining security policy)
– An intruder must generally penetrate
two separate systems
Firewall Configurations
• This configuration also affords
flexibility in providing direct
Internet access (public information
server, e.g. Web server)
Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
Firewall Configurations
• Screened host firewall, dual-homed
bastion configuration
– Even if the packet-filtering router is
completely compromised, traffic between
the Internet and the other hosts on the
private network still has to flow through
the bastion host, because the bastion host
is the only system attached to both networks
Firewall Configurations
• Screened-subnet firewall system
Firewall Configurations
• Screened subnet firewall
configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
Firewall Configurations
• Advantages:
– Three levels of defense to thwart
intruders
– The outside router advertises only the
existence of the screened subnet to the
Internet (internal network is invisible to
the Internet)
Firewall Configurations
• Advantages:
– The inside router advertises only the
existence of the screened subnet to the
internal network (the systems on the
inside network cannot construct direct
routes to the Internet)
Firewalls
Review
Firewalls:
prevent denial of service attacks:
– SYN flooding: attacker establishes many bogus
TCP connections, no resources left for “real”
connections.
prevent illegal modification/access of internal data.
– e.g., attacker replaces CIA’s homepage with
something else
allow only authorized access to inside network (set of
authenticated users/hosts)
two types of firewalls:
– application-level
– packet-filtering
Packet Filtering
(Figure: should an arriving packet be allowed in? Should a departing packet be let out?)
• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop
packet based on:
– source IP address, destination IP address
– TCP/UDP source and destination port numbers
– ICMP message type
– TCP SYN and ACK bits
Packet Filtering
• Example 1: block incoming and outgoing datagrams with
IP protocol field = 17 (UDP), and block those with either
source or destination port = 23 (telnet).
– All incoming and outgoing UDP flows and all telnet
connections are blocked.
• Example 2: Block inbound TCP segments with ACK=0.
– Prevents external clients from making TCP
connections with internal clients, but allows internal
clients to connect to outside.
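The two rule examples above, together with the countermeasures from the "Attacks on Packet Filters" slide (anti-spoofing, source-routed packets, tiny and overlapping first fragments as described in RFC 1858), are combined below into one stateless filter. This is an added example, not code from the slides; the intranet prefix, the minimum first-fragment length of 20 bytes, the rule order and the sample packets are constructed for it.

```python
"""Stateless packet filter: each packet is judged on its own header fields.

Rules: all UDP blocked; telnet (port 23) blocked in both directions; inbound
TCP without ACK blocked (external hosts cannot initiate); plus the defences
from the attacks slide: inbound packets with an internal source address
(spoofing), source-routed packets, and TCP first fragments too short to
carry the fields we check, or with fragment offset 1, which could overwrite
them (RFC 1858). First matching rule wins; the default is accept, as in the
examples above.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.1.0.0/16")   # constructed intranet prefix
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ack: bool = False
    frag_offset: int = 0          # IP fragment offset, in 8-byte units
    transport_len: int = 20       # bytes of transport header present in this fragment
    source_routed: bool = False   # LSRR/SSRR IP option present
    iface: str = "external"       # interface the packet arrived on


def _inbound(p: Packet) -> bool:
    return p.iface == "external"


RULES = [
    ("spoofed-internal-source",
     lambda p: _inbound(p) and ipaddress.ip_address(p.src) in INTERNAL, "DROP"),
    ("source-routed", lambda p: p.source_routed, "DROP"),
    ("tiny-first-fragment",
     lambda p: p.proto == PROTO_TCP and p.frag_offset == 0 and p.transport_len < 20, "DROP"),
    ("overlapping-fragment", lambda p: p.proto == PROTO_TCP and p.frag_offset == 1, "DROP"),
    ("example1-udp", lambda p: p.proto == PROTO_UDP, "DROP"),
    ("example1-telnet", lambda p: p.frag_offset == 0 and 23 in (p.sport, p.dport), "DROP"),
    ("example2-inbound-syn",
     lambda p: _inbound(p) and p.proto == PROTO_TCP and p.frag_offset == 0 and not p.ack, "DROP"),
]


def filter_packet(pkt: Packet):
    """Return (action, rule name) of the first matching rule, or ("ACCEPT", "default")."""
    for name, pred, action in RULES:
        if pred(pkt):
            return action, name
    return "ACCEPT", "default"


def demo():
    ext, inside = "198.51.100.7", "10.1.2.3"   # constructed addresses
    cases = [
        Packet(inside, ext, PROTO_TCP, 40000, 80, iface="internal"),           # outbound SYN to a web server
        Packet(ext, inside, PROTO_TCP, 80, 40000, ack=True),                    # its reply: ACK set
        Packet(ext, inside, PROTO_TCP, 5555, 22),                               # unsolicited inbound SYN
        Packet(inside, ext, PROTO_TCP, 40001, 23, iface="internal"),            # outbound telnet
        Packet(inside, ext, PROTO_UDP, 5000, 53, iface="internal"),             # outbound DNS over UDP
        Packet("10.1.9.9", inside, PROTO_TCP, 80, 40000, ack=True),             # arrives outside, inside source
        Packet(ext, inside, PROTO_TCP, 80, 40000, ack=True, transport_len=8),   # first fragment ends before the flags
        Packet(ext, inside, PROTO_TCP, frag_offset=1),                          # fragment overlapping the header
        Packet(ext, inside, PROTO_TCP, frag_offset=5),                          # later fragment: no header to inspect
    ]
    return [filter_packet(p)[1] for p in cases]
```

The last case shows the residual weakness of a stateless filter: a non-first fragment carries no port numbers or flags, so it falls through to the default; only reassembly before checking (or the stateful tracking shown earlier) closes that gap.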
Application gateways
• Filters packets on application
data as well as on
IP/TCP/UDP fields.
• Example: allow select
internal users to telnet
outside.
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter)
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating
from gateway.
Limitations of firewalls and gateways
• IP spoofing: router can’t
know if data “really”
comes from claimed
source
• if multiple applications need
special treatment, each needs its
own application gateway.
• client software must know
how to contact the gateway.
– e.g., must set IP address of
proxy in Web browser
• filters often use all or
nothing policy for
UDP.
• tradeoff: degree of
communication with
outside world, level of
security
• many highly protected
sites still suffer from
attacks.
Conclusions and Outlook (1/3)
• If properly designed, implemented, deployed and administered a
firewall can provide effective access control services for corporate
intranets
• Consequently, more and more network administrators are setting
up firewalls as their first line of defense against outside attacks
(perimeter security)
• Firewalls are a fact of life on the Internet and it is not likely that
they will disappear in the future
• In fact, the firewall technology is the most widely deployed
security technology on the Internet
• Also, the firewall technology is mature and vendors must compete
with each other providing some additional features, (e.g., virus
scanning, VPN, IDS, ... )
Conclusions and Outlook (2/3)
• Against this background, interoperability is increasingly
important
• Check Point Software Technologies founded the Open
Platform for Security (OPSEC) alliance
• Initiatives like OPSEC are very important for the evolution of the
firewall technology in the future
• In spite of its commercial success, the firewall technology has
remained an emotional topic within the Internet community
• Firewalls are not a panacea or a magic bullet for all network and
Internet-related security problems
Trusted Systems
• One way to enhance the ability of a
system to defend against intruders
and malicious programs is to
implement trusted system technology
Data Access Control
• General models of access control:
– Access matrix
– Access control list
– Capability list
Data Access Control
• Access Matrix
Data Access Control
• Access Matrix: Basic elements of the
model
– Subject: An entity capable of accessing
objects, the concept of subject equates with
that of process
– Object: Anything to which access is controlled
(e.g. files, programs)
– Access right: The way in which an object is
accessed by a subject (e.g. read, write,
execute)
Data Access Control
• Access Control List: Decomposition of
the matrix by columns
Data Access Control
• Access Control List
– An access control list lists users and
their permitted access right
– The list may contain a default or public
entry
Data Access Control
• Capability list: Decomposition of the
matrix by rows
Data Access Control
• Capability list
– A capability ticket specifies authorized
objects and operations for a user
– Each user has a number of tickets
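The following is an added example (not from the slides) showing one constructed access matrix decomposed both ways: by column into access control lists, including a default ("public") entry, and by row into capability tickets. The same authorization question is answered from both representations, and the two review questions each representation makes cheap are shown next to each other, together with revocation, which is where the difference bites. Subjects, objects and rights are constructed.

```python
"""Access matrix and its two decompositions.

The matrix is decomposed by column into access control lists (stored with
each object) and by row into capability lists (held by each subject). Both
answer "may subject s perform right r on object o?", but each makes a
different review question cheap.
"""
# Constructed sample matrix: subject -> object -> set of access rights
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {"backup.sh": {"read", "execute"}},
}
# Default ("public") ACL entries: rights for any subject without an explicit entry
DEFAULT = {"report.txt": {"read"}}


def to_acls(matrix):
    """Column-wise view: object -> {subject: rights}."""
    acls = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row-wise view: subject -> sorted list of (object, rights) tickets."""
    return {subj: sorted((obj, frozenset(r)) for obj, r in row.items())
            for subj, row in matrix.items()}


def acl_check(acls, subj, obj, right):
    """ACL lookup: find the object's list, then the subject's entry (or the default)."""
    entry = acls.get(obj, {})
    if subj in entry:
        return right in entry[subj]
    return right in DEFAULT.get(obj, set())


def cap_check(caps, subj, obj, right):
    """Capability lookup: scan the subject's tickets for one naming the object."""
    return any(o == obj and right in r for o, r in caps.get(subj, []))


def who_can(acls, obj, right):
    """Cheap with ACLs: which subjects hold `right` on `obj`?"""
    return sorted(s for s, r in acls.get(obj, {}).items() if right in r)


def what_can(caps, subj):
    """Cheap with capabilities: everything `subj` may do."""
    return {o: set(r) for o, r in caps.get(subj, [])}


def revoke(acls, caps, subj, obj, right):
    """Revocation: one entry update on the ACL side, but on the capability side
    every ticket the subject holds for the object has to be found and rewritten."""
    acls.get(obj, {}).get(subj, set()).discard(right)
    caps[subj] = [(o, r - {right} if o == obj else r) for o, r in caps.get(subj, [])]


def demo():
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    before = (acl_check(acls, "carol", "backup.sh", "execute"),
              cap_check(caps, "carol", "backup.sh", "execute"))
    revoke(acls, caps, "carol", "backup.sh", "execute")
    after = (acl_check(acls, "carol", "backup.sh", "execute"),
             cap_check(caps, "carol", "backup.sh", "execute"))
    return {
        "alice write payroll (acl, cap)": (acl_check(acls, "alice", "payroll.db", "write"),
                                           cap_check(caps, "alice", "payroll.db", "write")),
        "bob read payroll (acl, cap)":    (acl_check(acls, "bob", "payroll.db", "read"),
                                           cap_check(caps, "bob", "payroll.db", "read")),
        "dave read report via default":   acl_check(acls, "dave", "report.txt", "read"),
        "who can read report":            who_can(acls, "report.txt", "read"),
        "what carol can do":              what_can(caps, "carol"),
        "carol execute before/after":     (before, after),
    }
```

Note that the default entry exists only on the ACL side: a capability system has nothing to consult for a subject that holds no ticket, which is why `cap_check` returns False for "dave" where `acl_check` returns True.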
The Concept of
Trusted Systems
• Trusted Systems
– Protection of data and resources on the
basis of levels of security (e.g. military)
– Users can be granted clearances to
access certain categories of data
The Concept of
Trusted Systems
• Multilevel security
– Definition of multiple categories or levels of
data
• A multilevel secure system must enforce:
– No read up: A subject can only read an object
of lower or equal security level (Simple Security
Property)
– No write down: A subject can only write into an
object of greater or equal security level (*-Property)
The Concept of
Trusted Systems
• Reference Monitor Concept:
Multilevel security for a data
processing system
The Concept of
Trusted Systems
The Concept of
Trusted Systems
• Reference Monitor
– Controlling element in the hardware and
operating system of a computer that
regulates the access of subjects to
objects on basis of security parameters
– The monitor has access to a file
(security kernel database)
– The monitor enforces the security rules
(no read up, no write down)
The Concept of
Trusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are
enforced on every access
– Isolation: The reference monitor and
database are protected from
unauthorized modification
– Verifiability: The reference monitor’s
correctness must be provable
(mathematically)
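As an added example (not from the slides), the block below implements a small reference monitor that enforces the two multilevel security rules above on a lattice of levels and categories: every access request goes through one function (complete mediation), the labels live in a table only the monitor touches (the security kernel database), and the rules are a few lines that can be checked by inspection (verifiability). The levels, categories, subjects and objects are constructed; the scenario in which a process running with the analyst's clearance cannot write SECRET data into an UNCLASSIFIED file is the Trojan horse defense the next slides refer to.

```python
"""A reference monitor enforcing the simple security property and the
*-property over labels of the form (level, set of categories).

Label A dominates label B if A's level is >= B's level and A's categories
are a superset of B's. Read requires subject >= object; write requires
object >= subject.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


class ReferenceMonitor:
    def __init__(self):
        self._subjects = {}   # subject -> clearance label      (security kernel database)
        self._objects = {}    # object  -> classification label
        self.audit = []       # every mediated request, allowed or not

    def add_subject(self, name: str, label: Label) -> None:
        self._subjects[name] = label

    def add_object(self, name: str, label: Label) -> None:
        self._objects[name] = label

    def access(self, subject: str, obj: str, mode: str) -> bool:
        """The single entry point through which all accesses pass (complete mediation)."""
        s, o = self._subjects[subject], self._objects[obj]
        if mode == "read":
            allowed = s.dominates(o)      # simple security property: no read up
        elif mode == "write":
            allowed = o.dominates(s)      # *-property: no write down
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        self.audit.append((subject, obj, mode, allowed))
        return allowed


def demo():
    rm = ReferenceMonitor()
    rm.add_subject("analyst", Label(Level.SECRET, frozenset({"nuclear"})))
    rm.add_subject("clerk", Label(Level.CONFIDENTIAL))
    rm.add_object("plan", Label(Level.TOP_SECRET, frozenset({"nuclear"})))
    rm.add_object("memo", Label(Level.SECRET, frozenset({"nuclear"})))
    rm.add_object("crypto-notes", Label(Level.SECRET, frozenset({"crypto"})))
    rm.add_object("bulletin", Label(Level.UNCLASSIFIED))
    return {
        "analyst reads memo":      rm.access("analyst", "memo", "read"),          # equal label
        "analyst reads plan":      rm.access("analyst", "plan", "read"),          # read up: level
        "analyst reads crypto":    rm.access("analyst", "crypto-notes", "read"),  # read up: category
        "analyst writes bulletin": rm.access("analyst", "bulletin", "write"),     # write down (Trojan horse leak)
        "analyst writes plan":     rm.access("analyst", "plan", "write"),         # writing up is allowed
        "clerk reads bulletin":    rm.access("clerk", "bulletin", "read"),
        "clerk reads memo":        rm.access("clerk", "memo", "read"),
        "mediated requests":       len(rm.audit),                                 # nothing bypassed the monitor
    }
```

The "analyst writes plan" case is a reminder that the *-property alone permits blind writes upward; confidentiality models say nothing about integrity, which is why practical systems pair them with integrity controls or restrict subjects to a single current level.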
The Concept of
Trusted Systems
• A system that can provide such
verifications (properties) is referred
to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems
are one way to secure against Trojan
Horse attacks
Evaluation of IT Security
• governments can evaluate IT systems
• against a range of standards:
– TCSEC, ITSEC and now Common Criteria
• define a number of “levels” of evaluation
with increasingly stringent checking
• have published lists of evaluated products
– though aimed at government/defense use
– can be useful in industry also
Common criteria for IT security evaluation
• Target of Evaluation (TOE)
• Requirements:
- Functional
- Assurance
• Class – collection of requirements (families)
• Family – one or more components
• Protection profiles
• Security targets
Organization of Common Criteria Requirements