
Computer Science
CSC 474
Information Systems Security
Topic 4.1 Firewalls
CSC 474
Dr. Peng Ning
1
Outline
• What are firewalls?
• Types
– Filtering
• Packet filtering
• Session filtering
– Proxy
• Circuit Level
• Application Level
• Brief introduction to Linux firewall
What is a firewall?
• Device that provides secure connectivity between
networks (internal/external; varying levels of trust)
• Used to implement and enforce a security policy for
communication between networks
[Figure: the firewall sits between the trusted networks and users on the intranet and the untrusted networks, servers and users on the Internet (behind a router); publicly accessible servers & networks are placed in a DMZ]
Firewalls Can …
• Restrict incoming and outgoing traffic by IP
address, ports, etc.
• Block invalid packets
• It’s also convenient …
– Give insight into traffic mix via logging
– Network Address Translation
– Encryption
Firewalls Cannot Protect…
• Traffic that does not cross it
– routing around
– Internal traffic
• When misconfigured
Access Control
[Figure: traffic from the Internet reaching the access-control point raises an alert]
Security Requirement
• Control access to network information and resources
• Protect the network from attacks
Filtering
• Typically route packets
• Packets checked then passed
• May have different policies for inbound and
outbound packets
• Some firewalls need to understand the
application protocols
• May perform
– Fragmentation/reassembly
– Sequence number checking
Filtering (Cont’d)
• Packet filtering
– Access Control Lists
• Session filtering
– Dynamic Packet Filtering
– Stateful Inspection
– Smart Packet Filtering
– Context Based Access Control
Packet Filtering
• Decisions made on a per-packet basis
• No state information saved
• If dynamic protocols are in use, entire ranges
of ports must be allowed for the protocol to
work.
• Example configuration
– Deny access to ports <= 1024, and allow access to
all the others.
Packet Filtering (Cont’d)
[Figure: a packet-filtering router placed between the full OSI stacks (Applications down to Physical) of two hosts; the router itself operates only at the Network, DataLink and Physical layers]
Session Filtering
• Packet decision made in the context of a
connection
• If packet is a new connection, check against
security policy
• If packet is part of an existing connection,
match it up in the state table & update table
• Example configuration
Session Filtering (Cont’d)
• Screens ALL attempts, protects all applications
• Extracts & maintains ‘state’ information
• Makes an intelligent security / traffic decision
[Figure: a session-filtering firewall placed between the full OSI stacks of two hosts; the firewall carries a full stack of its own and keeps dynamic state tables for the connections it has seen]
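To make the contrast between the two filtering styles concrete, here is an added simulation (example code, not part of the slides) that runs one constructed packet trace through a stateless packet filter and a stateful session filter. The policy is invented for the example: hosts on a trusted 10.0.0.0/24 network may open TCP connections to port 80 outside, and nothing may be opened inbound. Because the packet filter keeps no state, it has to admit every packet that looks like an HTTP reply (source port 80 to any port above 1024), which is exactly the "entire ranges of ports must be allowed" hole from the Packet Filtering slide; the session filter admits only replies to connections recorded in its state table. TCP is reduced to SYN/ACK flags and all addresses are constructed.

```python
"""Added example: stateless packet filter vs. stateful session filter.

Policy (constructed for the example): hosts on the trusted 10.0.0.0/24
side may open TCP connections to port 80 on the untrusted side; nothing
may be opened inbound. TCP is simplified to its SYN and ACK flags.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN without ACK: first packet of a TCP connection
    ack: bool = False


def trusted(ip: str) -> bool:
    """Constructed trusted network: 10.0.0.0/24."""
    return ip.startswith("10.0.0.")


def stateless_filter(pkt: Packet) -> str:
    """Per-packet ACL with no memory of earlier packets.

    To let HTTP replies back in it must open every high port to any outside
    host that merely claims source port 80; nothing checks that an inside
    host asked for the traffic.
    """
    if trusted(pkt.src) and not trusted(pkt.dst) and pkt.dport == 80:
        return "ALLOW"
    if (not trusted(pkt.src) and trusted(pkt.dst)
            and pkt.sport == 80 and pkt.dport > 1024):
        return "ALLOW"   # the hole a stateless filter cannot close
    return "DENY"


class SessionFilter:
    """Decides each packet in the context of a connection held in a state table."""

    def __init__(self):
        self.state = set()   # 4-tuples (src, sport, dst, dport) of allowed connections

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "ALLOW"   # part of an existing connection: matched in the table
        # Otherwise it must be a new connection attempt that the policy permits.
        if (pkt.syn and not pkt.ack and trusted(pkt.src)
                and not trusted(pkt.dst) and pkt.dport == 80):
            self.state.add(fwd)   # update the table for the new connection
            return "ALLOW"
        return "DENY"


# Constructed trace: one legitimate web session, then two unsolicited inbound packets.
TRACE = [
    ("client opens HTTP", Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True)),
    ("server replies", Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True)),
    ("unsolicited probe from port 80", Packet("203.0.113.9", 80, "10.0.0.5", 40001)),
    ("inbound SYN to internal web", Packet("203.0.113.9", 5555, "10.0.0.5", 80, syn=True)),
]


def run_trace(trace=TRACE) -> dict:
    """Return {description: (stateless verdict, stateful verdict)} for each packet."""
    session = SessionFilter()
    return {name: (stateless_filter(pkt), session.filter(pkt)) for name, pkt in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_trace().items():
        print(f"{name:32} packet filter: {stateless:5}  session filter: {stateful}")
```

The third packet is the interesting one: the packet filter allows it because it fits the reply pattern, while the session filter denies it because no inside host ever opened a connection to 203.0.113.9.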
Proxy Firewalls
• Relay for connections
• Client → Proxy → Server
• Two flavors
– Application level
– Circuit level
Application Gateways
• Understands specific applications
– Limited proxies available
– Proxy ‘impersonates’ both sides of connection
• Resource intensive
– process per connection
• HTTP proxies may cache web pages
Application Gateways
• More appropriate to TCP
• Must write a new proxy application to
support new protocols
– Not trivial!
Application Gateways
• Clients configured for proxy communication
• Transparent Proxies
Application Layer GW/proxy
[Figure: an application gateway placed between the full OSI stacks of two hosts; the gateway carries a full stack of its own and runs a separate proxy for each protocol (Telnet, FTP, HTTP)]
Circuit-Level Gateways
• Support more services than Application-level
Gateway
– less control over data
• Hard to handle protocols like FTP
– Passive FTP is usually okay
• Clients must be aware they are using a circuit-level proxy
SOCKS
• Circuit level Gateway
• Supports TCP
• SOCKS v5 supports UDP, earlier versions did
not
• See http://www.socks.nec.com
Comparison
| Firewall type  | Service Support                          | Performance | Security |
| Packet Filter  | No dynamic w/o holes                     | 1           | 3        |
| Session Filter | Dependent on vendor for dynamic support  | 2           | 2        |
| Circuit GW     |                                          | 3           | 2        |
| App. GW        | Typically < 20                           | 4           | 1        |
Lower is better for security & performance
Comparison (Cont’d)
| Firewall type  | Modify Client Applications?                                          |
| Packet Filter  | No                                                                   |
| Session Filter | No                                                                   |
| Circuit GW     | Typical, SOCKS-ify client applications                               |
| App. GW        | Unless transparent, client application must be proxy-aware & configured |
Comparison (Cont’d)
| Firewall type  | Fragmentation | ICMP  |
| Packet Filter  | Yes           | No    |
| Session Filter | Yes           | Maybe |
| Circuit GW     | (SOCKS v5)    | Yes   |
| App. GW        | No            | Yes   |
Linux Firewall: iptables
• History
– ipfw
– ipfwadm
– ipchains
– iptables
• Based on the netfilter framework
The Netfilter Framework
• A framework for packet mangling
[Figure: inside the kernel, netfilter hooks in the protocol stack hand packets to kernel modules; tools in user space communicate with those modules]
The Netfilter Framework (Cont’d)
• Current protocols
– IPv4, IPv6, and DECnet.
• Five hooks for IPv4
– [1]: Pre-routing hook; [2]: Local-in hook;
– [3]: Forward hook; [4]: Local-out hook;
– [5]: Post-routing hook
A packet traversing the netfilter system:

  --> [1] --> [ROUTE] --> [3] -------------> [5] -->
                 |                           ^
                 v                           |
                [2]          [4] --> [ROUTE] +
                 |            ^
                 v            |
             (local process) -+
Packet Filtering
A packet traversing the netfilter system passes the same five hooks shown on the previous slide.
Packet filtering only uses three of them: [2] local-in, [3] forward and [4] local-out.
IP Tables
• A packet selection system
– Direct descendant of ipchains
• Used for
– Packet filtering
– Network Address Translation (NAT)
• Masquerading, port forwarding, transparent proxying
– Packet mangling
• Actual changing of packet information
User Space Tool: iptables
• iptables
– Command to configure and communicate with the
kernel modules
• iptables for packet filtering
– Three chains
• INPUT
• OUTPUT
• FORWARD
Iptables for Packet Filtering
• You need three things to configure a firewall
rule
– Which chain?
– What packet pattern?
– What action to apply?
• Example
– Drop all packets from 200.200.200.1
– iptables -A INPUT -s 200.200.200.1 -j DROP
– Use “man iptables” on Linux to get more
information.
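The three ingredients of a rule (chain, packet pattern, action), the mapping from netfilter hooks to the INPUT, FORWARD and OUTPUT chains, and the slide's own `iptables -A INPUT -s 200.200.200.1 -j DROP` are tied together in the following added example. It is a toy model written for these notes, not the real iptables or netfilter code: it parses a few iptables command lines (only `-P`, `-A`, `-s`, `-d`, `-p`, `--sport`, `--dport` and `-j` are understood), chooses the chain a packet traverses from which hook it would hit, applies first-match-wins inside the chain, and falls back to the chain's default policy. The firewall address 192.0.2.10 and the other hosts apart from 200.200.200.1 are constructed.

```python
"""Added example: a toy model of the iptables filter table.

Parses a handful of iptables command lines, picks the chain a packet
traverses from the netfilter hook it would hit, and applies the rules in
order with the chain policy as the fallback. Not the real iptables; the
only address taken from the slides is 200.200.200.1, the rest is constructed.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

CHAINS = ("INPUT", "OUTPUT", "FORWARD")


@dataclass
class Rule:
    chain: str
    target: str               # the action: ACCEPT or DROP here
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """Every match given on the rule must hold; omitted ones match anything."""
        return ((self.src is None or pkt["src"] == self.src)
                and (self.dst is None or pkt["dst"] == self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.sport is None or pkt.get("sport") == self.sport)
                and (self.dport is None or pkt.get("dport") == self.dport))


class FilterTable:
    OPTIONS = {"-s": "src", "-d": "dst", "-p": "proto",
               "--sport": "sport", "--dport": "dport", "-j": "target"}

    def __init__(self, local_addrs):
        self.local = set(local_addrs)                 # addresses owned by this host
        self.rules = {c: [] for c in CHAINS}
        self.policy = {c: "ACCEPT" for c in CHAINS}   # built-in chains default to ACCEPT

    def load(self, line: str) -> None:
        """Accept 'iptables -P CHAIN POLICY' and 'iptables -A CHAIN <matches> -j TARGET'."""
        toks = shlex.split(line, comments=True)
        if toks and toks[0] == "iptables":
            toks = toks[1:]
        if not toks:
            return
        if toks[0] == "-P":
            self.policy[toks[1]] = toks[2]
            return
        if toks[0] != "-A":
            raise ValueError(f"unsupported command: {line}")
        rule = Rule(chain=toks[1], target="")
        for opt, val in zip(toks[2::2], toks[3::2]):
            attr = self.OPTIONS[opt]                  # KeyError on an unknown option
            setattr(rule, attr, int(val) if attr in ("sport", "dport") else val)
        if not rule.target:
            raise ValueError(f"rule without -j target: {line}")
        self.rules[rule.chain].append(rule)           # -A appends: order is preserved

    def chain_for(self, pkt: dict) -> str:
        """Which chain a packet traverses, from the hook it hits:
        local-in [2] -> INPUT, local-out [4] -> OUTPUT, forward [3] -> FORWARD."""
        if pkt["dst"] in self.local:
            return "INPUT"
        if pkt["src"] in self.local:
            return "OUTPUT"
        return "FORWARD"

    def verdict(self, pkt: dict) -> str:
        chain = self.chain_for(pkt)
        for rule in self.rules[chain]:                # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy[chain]                     # nothing matched: chain policy


# Constructed rule set; the first -A line is the slide's example.
RULESET = """
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 200.200.200.1 -j DROP       # drop all packets from 200.200.200.1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
"""


def build_example() -> FilterTable:
    table = FilterTable(local_addrs={"192.0.2.10"})   # constructed firewall address
    for line in RULESET.strip().splitlines():
        table.load(line)
    return table


def demo() -> dict:
    """Verdicts for a few constructed packets, keyed by description."""
    table = build_example()
    packets = {
        "blocked host to ssh": dict(src="200.200.200.1", dst="192.0.2.10", proto="tcp", sport=40000, dport=22),
        "other host to ssh": dict(src="198.51.100.7", dst="192.0.2.10", proto="tcp", sport=40000, dport=22),
        "other host to port 8080": dict(src="198.51.100.7", dst="192.0.2.10", proto="tcp", sport=40001, dport=8080),
        "routed through firewall": dict(src="198.51.100.7", dst="203.0.113.5", proto="tcp", sport=40002, dport=80),
        "reply sent by firewall": dict(src="192.0.2.10", dst="198.51.100.7", proto="tcp", sport=22, dport=40000),
    }
    return {name: table.verdict(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:26} {v}")
```

Rule order matters: if the port-22 ACCEPT were appended before the DROP for 200.200.200.1, that host's SSH packets would match the ACCEPT first and never reach the DROP. Setting the INPUT and FORWARD policies to DROP is what makes everything not explicitly accepted fail closed, which the real iptables does not do by default either.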