Transcript Firewalls

Firewalls : usage
• Data encryption
• Access control : usage restriction on some protocols/ports/services
• Authentication : only authorized users and hosts (machines)
• Monitoring for further auditing
• Packet filtering
• Compliance with the specified protocols
• Virus detection
• Isolation of the internal network from the Internet
• Connection proxies (masking of the internal network)
• Application proxies (masking of the « real » software)
Firewalls : basics
• All packets exchanged between the internal and the external
domains go through the FW that acts as a gatekeeper
– external hosts « see » the FW only
– internal and external hosts do not communicate directly
– the FW can take very sophisticated decisions based on the protocol
implemented by the messages
– the FW is the single access point => authentication + monitoring site
– a set of “flow rules” drives the decisions taken on each packet
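The flow rules just mentioned, as an added example that is not part of the slides: a first-match packet filter in Python, with a constructed policy (hypothetical address ranges 10.0.0.0/8 for the internal network and 192.0.2.10 for a DMZ web server). Rules are evaluated top to bottom, the first matching rule wins, and a packet that matches no rule is denied; the audit line is what the single access point would log for monitoring.

```python
"""Added example (not from the slides): a first-match packet filter driven by
a list of flow rules, the way a FW gatekeeper decides on each packet crossing
the internal/external boundary."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp
    direction: str        # "in" (external -> internal) or "out"

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

# Constructed policy with hypothetical addresses: internal network 10.0.0.0/8,
# DMZ web server 192.0.2.10.  First match wins; unmatched packets are denied.
RULES = [
    Rule("allow", "in",  dst="192.0.2.10/32", proto="tcp", dport=80),   # web to DMZ
    Rule("allow", "in",  dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("deny",  "in",  dst="10.0.0.0/8"),                             # nothing reaches inside
    Rule("allow", "out", src="10.0.0.0/8", proto="tcp", dport=80),
    Rule("allow", "out", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", "out", src="10.0.0.0/8", proto="udp", dport=53),
    Rule("deny",  "out", src="10.0.0.0/8", proto="tcp", dport=23),      # protocol restriction
]

def decide(p: Packet, rules=RULES):
    """Return (action, rule_index); rule_index is None when the default deny applies."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", None

def audit_line(p: Packet, rules=RULES) -> str:
    """Log line the FW keeps for later auditing: decision, flow and the rule that fired."""
    action, idx = decide(p, rules)
    why = f"rule {idx}" if idx is not None else "default"
    return f"{action.upper():5} {p.direction:3} {p.proto} {p.src} -> {p.dst}:{p.dport} ({why})"

if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80, "in"),
        Packet("203.0.113.5", "10.1.2.3", "tcp", 22, "in"),
        Packet("10.1.2.3", "203.0.113.5", "tcp", 443, "out"),
        Packet("10.1.2.3", "203.0.113.5", "tcp", 23, "out"),
        Packet("10.1.2.3", "203.0.113.5", "tcp", 6667, "out"),
    ]
    for pk in sample:
        print(audit_line(pk))
```

The explicit `deny` for port 23 is redundant with the default deny but shows up in the audit line with its rule index, which is the usual reason to keep such rules: the log then records that a documented restriction fired rather than an accidental gap in the allow list.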
Firewalls : architecture (I)
[Figure: Outside world <-> Exterior router <-> DMZ (DeMilitarized Zone) hosting the servers <-> Interior router <-> Internal network. The exterior router, the DMZ and the interior router are labelled together as the Firewall.]
Firewalls : architecture (II) : merging exterior and interior
[Figure: Outside world <-> a single Exterior/Interior Firewall (FW) <-> Internal network, with the DMZ and its servers attached to the FW.]
Firewalls : architecture (III) : merging exterior FW and servers
[Figure: Outside world <-> External Firewall + servers (forming the DMZ) <-> Internal Firewall <-> Internal network.]
Meh…
Firewalls : architecture (IV) : managing multiple subnetworks
[Figure: Outside world <-> Exterior/Interior Firewall (with the DMZ and its servers) <-> Backbone; from the Backbone, one Firewall in front of Internal subnetwork A and another Firewall in front of Internal subnetwork B.]
Firewalls : architecture (V) : managing multiple exterior FW
[Figure: the Internet enters through Exterior Firewall A into Sub-DMZ A; an e.g. supplier network enters through Exterior Firewall B into Sub-DMZ B; the DMZ with its servers and the Interior Firewall sit between both sub-DMZs and the Internal network.]
Firewalls : architecture (VI) : managing multiple DMZ
[Figure: Internet <-> Exterior/Interior Firewall A with DMZ A (Servers A) <-> Internal network; e.g. supplier network <-> Exterior/Interior Firewall B with DMZ B (Servers B) <-> Internal network.]
Firewalls : architecture (VII) : internal FW
[Figure: Outside world <-> Exterior/Interior Firewall (with the DMZ and its servers) <-> Internal network; inside the internal network, each Sensitive area is placed behind its own Firewall.]
Firewalls : some recommendations
• Bastion hosts
– better to put the bastions in a DMZ than in an internal network
– disable non-required services
– do not allow user accounts
– fix all OS bugs
– safeguard the logs
– run a security audit
– do secure backups
• Avoid putting in the same area entities which have very different security requirements
Using proxies (I)
• Proxies can be used to « hide » the real servers
• Interior => Exterior traffic
– Give the internal user the illusion that she/he accesses the exterior server
– But intercept the traffic to/from the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
• Exterior => Interior traffic
– Give the external user the illusion that she/he accesses the interior server
– But intercept the traffic to the server, analyze the packets (check the compliance with the protocol, search for keywords, etc.), log the requests
Using proxies (II)
• Advantage
– knowledge of the service/protocol => efficiency and « intelligent »
filtering
– Ex : session tracking, stateful connection
• Disadvantages
– one proxy per service !
– may require modifications of the client
– do not exist for all services
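The inspection step of an application proxy, as an added example that is not part of the slides: for HTTP, the proxy parses the request the user sent, checks its compliance with the protocol grammar, searches the requested target for keywords, writes the log entry, and only then decides whether to relay it to the real server. The allowed methods, the keyword list and the sample requests are constructed for this example; the « intelligent » filtering comes from knowing the service, which is exactly why one such proxy is needed per service.

```python
"""Added example (not from the slides): protocol-compliance inspection and
logging inside an HTTP application proxy.  Decides, per request, whether the
proxy should relay it to the real server."""
import re
from typing import NamedTuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}           # constructed site policy
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
BLOCKED_KEYWORDS = ("confidential", "internal-only")  # constructed keyword list

class Verdict(NamedTuple):
    relay: bool     # True: forward to the real server; False: drop
    reason: str     # why the proxy decided that way
    log: str        # the entry written for later auditing

def inspect_request(client: str, raw: bytes) -> Verdict:
    """Parse and check one HTTP request (header block only) coming from `client`."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII in header block", f"{client} - DROP non-ascii")
    m = REQUEST_LINE.match(lines[0])
    if not m:                                   # not HTTP at all, or a bad version
        return Verdict(False, "malformed request line", f"{client} - DROP malformed {lines[0]!r}")
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed", f"{client} {method} {target} DROP method")
    headers = {}
    for line in lines[1:]:
        hm = HEADER.match(line)
        if not hm:                              # header that does not follow the grammar
            return Verdict(False, "malformed header", f"{client} {method} {target} DROP header {line!r}")
        headers[hm.group(1).lower()] = hm.group(2)
    if version == "1.1" and "host" not in headers:   # Host is mandatory in HTTP/1.1
        return Verdict(False, "HTTP/1.1 without Host", f"{client} {method} {target} DROP no-host")
    hit = next((k for k in BLOCKED_KEYWORDS if k in target.lower()), None)
    if hit:
        return Verdict(False, f"keyword {hit}", f"{client} {method} {target} DROP keyword")
    return Verdict(True, "ok", f"{client} {method} {target} RELAY host={headers.get('host', '-')}")

# Constructed sample requests from internal users (addresses are hypothetical).
SAMPLE_REQUESTS = [
    ("10.1.2.3", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("10.1.2.3", b"GET /index.html HTTP/1.1\r\nUser-Agent: x\r\n\r\n"),            # no Host
    ("10.1.2.4", b"TRACE / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),              # method
    ("10.1.2.4", b"GET /reports/confidential.pdf HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("10.1.2.5", b"HELO smtp.example.org\r\n\r\n"),                                 # not HTTP
]

def run_samples():
    """Inspect every constructed request and return the log entries."""
    return [inspect_request(c, r).log for c, r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for entry in run_samples():
        print(entry)
```

Only the first sample is relayed; the proxy has already refused the other four before a single byte reaches the real server, and each refusal is in the log with its reason.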
Static Network Address Translation (NAT) (I)
[Figure: hosts on the Internal network with addresses xxx.xxx.xxx.xxx are presented outside by the FW under addresses yyy.yyy.yyy.yyy.]
From Arkoon Inc. tutorial
Static Network Address Translation (NAT) (II)
• The FW maintains an address translation table
• The FW transforms address xxx.xxx.xxx.xxx into yyy.yyy.yyy.yyy in the field « source address »
• The FW transforms address yyy.yyy.yyy.yyy into address xxx.xxx.xxx.xxx in the field « destination address »
• This operation is transparent for both the exterior and the interior hosts
[Figure: Internal network hosts xxx.xxx.xxx.xxx and their translated addresses yyy.yyy.yyy.yyy on the exterior side of the FW.]
Applications
• Non TCP/UDP based protocols
• Pre-defined partnership addresses
• Web server, mail… (traffic to Internet)
• Application server (hidden behind a FW)
• Host known/authenticated outside with a specific address
• …
PAT : Port Address Translation (I)
[Figure: PAT between the Internal network and the outside world through the FW.]
From Arkoon Inc. tutorial
PAT : Port Address Translation (II)
• Connections are opened from an exterior host
• Translation table (FW port → internal address : port)
• Uses fewer public addresses
• Flexible management of server ports
PAT : Port Address Translation (III)
[Figure: user @IP 'U' outside, FW @IP 'P', and on the Internal network two Web servers, @IP1 port 80 and @IP2 port 80.]
Flows through the FW :
U → P:80 is rewritten to U → IP1:80 ; the reply IP1:80 → U leaves as P:80 → U
U → P:81 is rewritten to U → IP2:80 ; the reply IP2:80 → U leaves as P:81 → U
Translation Table @IP « P »
port 80 → @IP1 : port 80
port 81 → @IP2 : port 80
From Arkoon Inc. tutorial
Masking (I)
[Figure: masking of the Internal network behind the FW address.]
From Arkoon Inc. tutorial
Masking (II)
• Connections are opened by internal hosts
• Dynamic connection table (IP address + source port number)
• One single address is known outside (the FW address)
• Saves IP addresses
[Figure: users @IP1 and @IP2 on the Internal network, FW (Arkoon) @IP 'M', Web servers @IP 'W' and @IP 'W2' outside.]
Flows through the FW :
1:1025 → W is rewritten to M:10000 → W ; the reply W → M:10000 comes back as W → 1:1025
2:1025 → W is rewritten to M:10001 → W ; the reply W → M:10001 comes back as W → 2:1025
2:1026 → W2 is rewritten to M:10000 → W2 ; the reply W2 → M:10000 comes back as W2 → 2:1026
Translation table @IP « M »
1:1025 (10000) → W
2:1025 (10001) → W
2:1026 (10000) → W2
From Arkoon Inc. tutorial
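The three translation tables of the slides Static NAT (II), PAT (III) and Masking (II), as one added example that is not part of the slides or of the Arkoon tutorial: a Python simulator of a FW that rewrites the « source address » field on the way out and the « destination address » field on the way in. Static NAT is a one-to-one address map, PAT maps a port on the FW address to an inside server, and masking allocates a FW port per outgoing connection and keeps a dynamic table to undo the rewrite on replies. The labels 'U', 'P', 'M', 'W', 'W2', 'IP1', 'IP2' and the ports are the slide's own placeholders, not real addresses; the port allocator is one possible design chosen to reproduce the slide's table.

```python
"""Added example (not from the slides): a simulator of static NAT, PAT and
masking (dynamic NAPT) translation tables as a FW would apply them."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    """Addressing fields of one packet; the payload plays no part in translation."""
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip   # the single address known outside ('P' or 'M')
        self.first_port = first_port
        self.static: dict = {}       # static NAT: internal addr -> external addr
        self.pat: dict = {}          # PAT: FW port -> (internal addr, internal port)
        self.conn: dict = {}         # masking: (int addr, int port, remote) -> FW port

    def add_static(self, internal: str, external: str) -> None:
        self.static[internal] = external

    def add_pat(self, fw_port: int, internal: str, port: int) -> None:
        self.pat[fw_port] = (internal, port)

    def _alloc_port(self, remote: str) -> int:
        # Lowest FW port not already in use towards this remote host.  Keying on
        # the remote is what lets port 10000 serve both 1:1025->W and 2:1026->W2
        # as in the slide's table; a real NAPT keys on the full 5-tuple.
        used = {port for (_, _, r), port in self.conn.items() if r == remote}
        port = self.first_port
        while port in used:
            port += 1
        return port

    def outbound(self, p: Pkt) -> Pkt:
        """Interior -> exterior: rewrite the « source address » field."""
        if p.src in self.static:                       # static NAT, one-to-one
            return replace(p, src=self.static[p.src])
        for fw_port, target in self.pat.items():      # reply of a PAT'd server
            if (p.src, p.sport) == target:
                return replace(p, src=self.public_ip, sport=fw_port)
        key = (p.src, p.sport, p.dst)                  # masking: dynamic table entry
        if key not in self.conn:
            self.conn[key] = self._alloc_port(p.dst)
        return replace(p, src=self.public_ip, sport=self.conn[key])

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Exterior -> interior: rewrite the « destination address » field, or
        return None when no table entry exists (the packet is not let in)."""
        for internal, external in self.static.items():
            if p.dst == external:
                return replace(p, dst=internal)
        if p.dst != self.public_ip:
            return None
        for (iaddr, iport, remote), fw_port in self.conn.items():
            if fw_port == p.dport and remote == p.src:   # reply to a masked connection
                return replace(p, dst=iaddr, dport=iport)
        if p.dport in self.pat:                           # connection opened from outside
            iaddr, iport = self.pat[p.dport]
            return replace(p, dst=iaddr, dport=iport)
        return None

if __name__ == "__main__":
    # Replays the slide's masking diagram with its constructed labels.
    m = Firewall("M")
    for pk in (Pkt("1", 1025, "W", 80), Pkt("2", 1025, "W", 80), Pkt("2", 1026, "W2", 80)):
        out = m.outbound(pk)
        back = m.inbound(Pkt(out.dst, out.dport, out.src, out.sport))
        print(f"{pk.src}:{pk.sport}->{pk.dst} becomes {out.src}:{out.sport}->{out.dst};"
              f" reply returns to {back.dst}:{back.dport}")
```

The `inbound` path makes the security difference between the three modes visible: a static NAT or PAT entry lets an exterior-opened connection through at any time, whereas a masked host is reachable only through a table entry its own outgoing packet created, so an unsolicited packet to the FW address finds no entry and is dropped.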