Transcript Session 8b
Internet and Intranet Fundamentals Class 9 Session A Topics • Firewalls (continued) Firewalls (Continued) • Bastion Hosts • Packet Filtering Bastion Hosts • Public Presence on the Internet • The “Lobby” Analogy • Public Exposure Implies Increased Security Requirements – focus special attention on building a Bastion host – host security • some principles apply to other hosts as well Bastion Hosts Various Types • Non-routing Dual-homed Hosts – make sure they are non-routing! • Victim Machines – sacrificial goat – don’t let users put valuables on them • Internal, semi-Bastion Hosts – inside the firewall – communicate with external bastion Bastion Hosts General Design Guidelines • Minimize the Number of Services Provided – keep it simple, scholar – server software may have bugs that can be exploited • Expect Bastion Host to be Compromised – expect the worst and plan for it – most likely to be attacked – bastion host considered untrusted host Bastion Hosts • What Platform? – Unix, NT, etc. ? • Criteria – your experience – firewall tools availability • Class of Machine – minimal – not a supercomputer – RAM more important than CPU Bastion Hosts Location • Physical Location – safe • Network Location – preferably on a perimeter network – or a network not susceptible to spoofing • ATM, Ethernet switch Bastion Host Services • Proxy and Relay Services – – – – HTTP Proxy SMTP Server NNTP Server FTP Server • Public Services – HTTP – SMTP Bastion Hosts Construction Steps • Secure the Machine – – – – start with minimal, clean operating system fix all known system bugs use a security checklist safeguard the system logs • requires lots of logging Bastion Hosts Construction Steps • Disable Non-required Services • Install or Modify Services • Reconfigure Machine from Development to Deployment • Perform Security Audit • Connect Machine to Network Packet Filtering Topics • • • • What is it? Advantages and Disadvantages Configuring a Packet Filtering Router Various Kinds of Filtering Packet Filtering What is it? • Selectively reject IP packets based on: – – – – source address destination address incoming physical port tcp application port Packet Filtering Advantages and Disadvantages • Advantages – one router protects an entire network – doesn’t require user knowledge or cooperation – widely available • Disadvantages – current filtering tools not perfect • can be hard to configure, test, and maintain • may have bugs – some protocols don’t lend themselves to filtering Packet Filtering Configuring a PF Router • Protocols Bidirectional • Inbound vs. Outbound Semantics – packets vs. services – think “packets” • Default Security Policy – permit or deny? • Returning ICMP Error Codes – destination unreachable, for example Various Kinds of Filtering • Rules – – – – – Direction Source Address Destination Address ACK Set Action Various Kinds of Filtering Rules Rule Direction Source Address Dest Address ACK Set Action A Inbound Internal Any Permit B Outbound Internal Trusted Any external host Permit C Either Any Deny Trusted external host Any Any Various Kinds of Filtering Risks of Address Filtering • Address Forgery – source • does not hope to get any packets back – man-in-the-middle • must intercept return packets • must alter network topology to get in the middle Various Kinds of Filtering Filtering by Service • More Complicated • TELNET – outgoing • • • • • local host’s IP source address remote host’s IP destination address TCP packet type TCP destination port is 23 content: your keystrokes Various Kinds of Filtering Filtering by Service • TELNET – incoming • • • • • • remote host’s IP source address local host’s IP destination address TCP packet type TCP source port is 23 TCP destination port is same as prior source port ACK set Various Kinds of Filtering Filtering by Service • TELNET – Rules • permit output on port 23 • permit inbound on port 23 if ACK is set • deny both outbound and inbound for everything else – default rule • Risks – some other service on port 23?