Security and Firewalls

Ref: Keeping Your Site Comfortably Secure: An
Introduction to Firewalls
John P. Wack and Lisa J. Carnahan
NIST Special Publication 800-10
What
• A firewall is a barrier that prevents
something bad from passing and doing
harm
• Network firewalls are systems through which all traffic going into or out of a protected network environment must pass
– The gateway becomes the guardian, protecting
the network by selectively forbidding access
Why
• TCP/IP services were not all designed with
security in mind
– a determined attacker takes advantage of
security risks inherent in some service
implementations
• Networks and computing resources,
including the data stored, are increasingly
critical to an organization’s survival
What, more
• Firewall
– systems
– routers
– policy
– central connection
• Restrict
– access to or from selected systems
– block certain TCP/IP services
Authentication
• Weak authentication
– password files are accessible
• password attacks are sophisticated
• finding one vulnerable password gives access to the
system
– Granularity of authentication
• user level or host level
• trusted user may come from a host accessible to
many untrusted users.
Monitoring
• Unencrypted passwords cross networks
when using telnet or ftp
• Monitoring traffic on a LAN is easy
• Information displayed may be critical
Spoofing
• Source routing of IP packets allows an
intruder to masquerade as a trusted site
• Many services determine access rights
based on the IP address, assuming that
traffic from a trusted domain is safe
• Mail is easily spoofed and allows an
intruder to gain access to the mail privileges
of a legitimate user.
• More can be said, but we probably all know
that the networks are vulnerable to attack.
Structure
[Figure: The Internet | A barrier (the firewall) | Our network to be protected]
Firewall Services
• Protection from vulnerable services
• Controlled access to specific systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use, misuse
• Policy enforcement
Service restriction
• Refuse to respond to source-routed packets
• Restrict NFS and NIS service access
– Constrain them to a local network where the
services are needed
– Disallow remote access
Site access restriction
• A policy matter
– What internal sites should be accessible from
outside?
– Base: no access unless there is a reason for it
Concentrated security
• Only one place needs to be configured and
maintained for control of access to the
systems.
– Reduces the burden of configuring many
systems
– Increases the likelihood of well maintained
access control
Privacy
• Blocking some service access
– finger on unix systems
• in addition to information about the user that might
be better restricted to internal use, it gives
information on when the user last logged in.
• usage patterns can be useful to intruders
– DNS
• knowledge about the configuration of network
internals can be useful in attacks.
Logging
• If all access to network resources goes
through one site, comprehensive logging of
activity becomes feasible.
• What might look unimportant when logs of
one host are examined, may be serious
when aggregated with information about
access to other hosts on the same network.
Policy
• A reasonable policy
– allows access that is needed and useful
– denies access that serves no good use and might
be dangerous
• A firewall is a way to enforce a good policy
Issues, problems with Firewalls
• Restricted access adds a burden to
legitimate users
• A firewall provides no protection from attacks that originate behind the firewall
• A false sense of security may lead to
carelessness
Firewall components
• network policy
– what restrictions
– how enforced
• advanced authentication mechanisms
– one-time passwords, biometrics, smartcards, etc.
• packet filtering
– source, destination IP address or port
• application gateways
– proxy service
Packet filtering
• Flexibility in what you allow
• Perhaps allow http or smtp access to specific
internal hosts, but no access to others
• Example (port 23 = telnet; 25 = smtp; 119 = nntp; 123 = NTP):

Type  Src addr       Dst addr    Src port  Dst port  Action
Tcp   *              123.4.5.6   >1023     23        Permit
Tcp   *              123.4.5.7   >1023     25        Permit
Tcp   *              123.4.5.8   >1023     25        Permit
Tcp   129.6.48.254   123.4.5.9   >1023     119       Permit
Udp   *              123.4.*.*   >1023     123       Permit
*     *              *           *         *         Deny
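As an added example (not code from the slides or from NIST SP 800-10), a first-match evaluator for the packet-filter rule table on this slide: it shows why rule order and the final catch-all deny matter, and how the >1023 source-port and 123.4.*.* wildcards behave. The Packet type, function names and the 198.51.100.x sample addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address
    sport: int
    dport: int

# Rule table from the slide. Order matters: the first matching rule decides,
# and the last wildcard row denies everything not explicitly permitted.
# Field specs: "*" = any; ">1023" = any port above 1023; an int = that exact port.
RULES = [
    ("tcp", "*",            "123.4.5.6", ">1023", 23,  "permit"),  # telnet to one host
    ("tcp", "*",            "123.4.5.7", ">1023", 25,  "permit"),  # smtp to mail host 1
    ("tcp", "*",            "123.4.5.8", ">1023", 25,  "permit"),  # smtp to mail host 2
    ("tcp", "129.6.48.254", "123.4.5.9", ">1023", 119, "permit"),  # nntp from one feed only
    ("udp", "*",            "123.4.*.*", ">1023", 123, "permit"),  # ntp to the whole net
    ("*",   "*",            "*",         "*",     "*",  "deny"),   # default deny
]

def addr_matches(spec: str, addr: str) -> bool:
    """Octet-wise wildcard match: '123.4.*.*' covers 123.4.0.0-123.4.255.255 only."""
    if spec == "*":
        return True
    s, a = spec.split("."), addr.split(".")
    return len(s) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(s, a))

def port_matches(spec, port: int) -> bool:
    if spec == "*":
        return True
    if spec == ">1023":
        return port > 1023
    return port == spec

def evaluate(pkt: Packet):
    """Return (action, index of the deciding rule); first match wins."""
    for i, (proto, src, dst, sport, dport, action) in enumerate(RULES):
        if ((proto == "*" or proto == pkt.proto.lower())
                and addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst)
                and port_matches(sport, pkt.sport) and port_matches(dport, pkt.dport)):
            return action, i
    raise ValueError("no rule matched; the table should end with a catch-all")

if __name__ == "__main__":
    # Constructed sample packets (documentation addresses), not captured traffic.
    for p in (Packet("tcp", "198.51.100.9", "123.4.5.6", 40000, 23),   # permit via rule 0
              Packet("tcp", "198.51.100.9", "123.4.5.6", 40000, 25),   # deny: smtp to wrong host
              Packet("tcp", "198.51.100.9", "123.4.5.6", 80, 23)):     # deny: source port not >1023
        print(p, "->", evaluate(p))
```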
What to restrict
• tftp, port 69, trivial FTP, used for booting diskless workstations,
terminal servers and routers, can also be used to read any file on the
system if set up incorrectly
• X Windows, OpenWindows, ports 6000+, port 2000, can leak
information from X window displays including all keystrokes
• RPC, port 111, Remote Procedure Call services including NIS and
NFS, which can be used to steal system information such as passwords
and read and write to files
• rlogin, rsh, and rexec, ports 513, 514, and 512, services that if
improperly configured can permit unauthorized access to accounts and
commands.
Quoted from the reference source
More restrictions
• TELNET, port 23, often restricted to only certain systems,
• FTP, ports 20 and 21, like TELNET, often restricted to only certain
systems,
• SMTP, port 25, often restricted to a central e-mail server,
• RIP, port 520, routing information protocol, can be spoofed to redirect
packet routing,
• DNS, port 53, domain names service zone transfers, contains names of
hosts and information about hosts that could be helpful to attackers,
could be spoofed,
• UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can
be used for unauthorized access,
• NNTP, port 119, Network News Transfer Protocol, for accessing and
reading network news, and
• gopher, http ports 70 and 80, information servers and client programs
for gopher and WWW clients, should be restricted to an application
gateway that contains proxy services.
Examples
• Firewalls come in several types
– Packet filtering
• simplest, common, block addresses and/or protocols
– Dual homed
• proxy for all services that are needed
– Screened host
• more flexible, less secure
– Screened subnet
• no need for dual homed host
Dual homed host
[Figure: Internet | IP filtering | Application Gateway (Mail, telnet, ftp, http, etc.) | Info server]
Complete block to IP traffic between the protected network and the Internet; service only available by proxy servers on the Application Gateway.
Host-based application must accept all requests for specific services and pass them on or not.
Screened host
[Figure: Internet | IP filtering | Application Gateway | Info server]
Application traffic from Internet to App Gateway ok; all other incoming traffic rejected; application traffic from App Gateway to Internet ok; all other traffic from the network to the Internet rejected.
Screened subnet
[Figure: Internet | filter (1) | Info server, Application Gateway, E-mail server | filter (2)]
Similar in function to a dual homed host
Firewall summary
• The goal: impose a barrier between the
protected network and the potential intruder
• The problem: provide protection without undue restriction on services to legitimate users.
• Most important: have a policy
• Options available for how to implement the
policy