slides

Download Report

Transcript slides 

Firewalls
Original slides prepared by
Theo Benson
Unix Firewalls
• FreeBSD: ipfw
• Linux: ipfw → ipchains → iptables
• MacOS X: ipfw
ipfw example rules:
# SSH
# Allow ssh from unc.edu hosts
/sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup
Stateful Firewalls
• A bit more complicated
• Keep track of transport layer
connections (e.g., TCP, UDP) that
may comprise multiple packets
• Often allow only connections
initiated from behind the firewall
How are they deployed?
The firewall is
the gatekeeper
The Internet
AKA “Everything evil”
“circle of trust”
Only one way in or out into the circle
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Similar to streaming a Video …
Loading Youtube
Browser
HTTP Requests
Get: image.png
HTTP Requests
Get: video.avi
Network
Allowing Outbound Connections Only
SYN
The Internet
AKA “Everything evil”
“circle of trust”
• Why would someone from the outside want to start a connection?
Allowing Outbound Connections Only
SYN
The Internet
AKA “Everything evil”
“circle of trust”
• Why would someone from the outside want to start a connection?
– They would if you were running a web-server, an email-server, a gaming
server …. Pretty much any ‘server’ service.
– Firewall configuration may allow “punching holes” to specific
addresses/ports
Traversing Firewalls
• Two hosts behind separate firewalls may try to fool their
firewalls by simultaneously establishing outbound
connections.
• An external server may help coordinate which source ports,
sequence numbers, to use. (E.g., STUN protocol.)
Network Address Translation (NAT)
Src:
192.168.1.100:32532
192.168.1.100
Src:
128.2.205.42:45323
128.2.205.42
• For outbound packets, the translator replaces (typically)
private address with it’s own public address, and rewrites
the source port.
• Translator remembers the mapping.
• For inbound packets, the reverse translation is performed.
NAT versus Firewall
• A network address translator is not
intrinsically a firewall, but
– Often the two are combined in one device
– Traffic cannot be sent directly to private addresses
used behind a NAT from the public Internet
– A NAT may block incoming connections by
necessity because it does not know which private
address to forward the traffic to
What Happens When you Connect to a
Website?
Loading SoundCloud
Browser
Network
HTTP Requests
Get: image.png
HTTP Requests
Get: sound.mp3
What happens if the virus/worm is hidden in an email? Picture? Or if the security
exploit is in an HTML page?
Deep Packet Inspection
• Examine payload (data) portion of packet as
well as headers
IP Header
TCP/UDP Header
Payload
Application Level Firewall
• Why are they needed?
• Attackers are tricky
– When exploiting security vulnerabilities
– Attacks span multiple packets
• Need a system to scan across multiple packets
for Virus/Worm/Vulnerability exploits
Application Level Firewalls
• Similar to Packet-filters except:
– Supports regular expression
– Search across different packets for a match
– Reconstructs objects (images,pictures) from
packets and scans objects.
Application Level Firewalls
• Similar to Packet-filters except:
– Supports regular expression
– Searches across different packets for a match
– Reconstructs objects (images,pictures) from
packets and scans objects.
Appy reg-ex to the object:
HTTP Requests
Get: image.png
Application Level Firewalls
• Similar to Packet-filters except:
– Supports regular expression
– Searches across different packets for a match
– Reconstructs objects (images,pictures) from
packets and scans objects.
HTTP Requests
Get: image.png
Why doesn’t everyone use App level
firewalls?
• Object re-assembly requires a lot of memory
• Regular-expressions require a lot of CPU
• App level firewalls are a lot more expensive
– And also much slower 
– So you need more -- a lot more.
How do you Attack the Firewall?
• Most Common: Denial-of-Service attacks
– Figure out a bug in the Firewall code
– Code causes it to handle a packet incorrectly
– Send a lot of ‘bug’ packets and no one can use the
firewall