Transcript General
Computer Science CSC 474 Information Systems Security Topic 4.1 Firewalls CSC 474 Dr. Peng Ning 1 Outline • What are firewalls? • Types – Filtering • Packet filtering • Session filtering – Proxy • Circuit Level • Application Level • Brief introduction to Linux firewall Computer Science CSC 474 Dr. Peng Ning 2 What is a firewall? • Device that provides secure connectivity between networks (internal/external; varying levels of trust) • Used to implement and enforce a security policy for communication between networks Trusted Networks Untrusted Networks & Servers Firewall Untrusted Users Internet Router Intranet DMZ Public Accessible Servers & Networks Trusted Users Computer Science CSC 474 Dr. Peng Ning 3 Firewalls Can … • Restrict incoming and outgoing traffic by IP address, ports, etc. • Block invalid packets • It’s also convenient … – Give insight into traffic mix via logging – Network Address Translation – Encryption Computer Science CSC 474 Dr. Peng Ning 4 Firewalls Cannot Protect… • Traffic that does not cross it – routing around – Internal traffic • When misconfigured Computer Science CSC 474 Dr. Peng Ning 5 Access Control ALERT!! Internet Security Requirement • Control access to network information and resources • Protect the network from attacks Computer Science CSC 474 Dr. Peng Ning 6 Filtering • Typically route packets • Packets checked then passed • May have different policies for inbound and outbound packets • Some firewalls need to understand the application protocols • May perform – Fragmentation/reassembly – Sequence number checking Computer Science CSC 474 Dr. Peng Ning 7 Filtering (Cont’d) • Packet filtering – Access Control Lists • Session filtering – – – – Dynamic Packet Filtering Stateful Inspection Smart Packet Filtering Context Based Access Control Computer Science CSC 474 Dr. Peng Ning 8 Packet Filtering • Decisions made on a per-packet basis • No state information saved • If dynamic protocols are in use, entire ranges of ports must be allowed for the protocol to work. • Example configuration – Deny access to ports <= 1024, and allow access to all the others. Computer Science CSC 474 Dr. Peng Ning 9 Packet Filtering (Cont’d) Applications Applications Presentations Presentations Sessions Sessions Transport Transport Network Network DataLink DataLink DataLink Physical Physical Physical Router Computer Science CSC 474 Dr. Peng Ning 10 Session Filtering • Packet decision made in the context of a connection • If packet is a new connection, check against security policy • If packet is part of an existing connection, match it up in the state table & update table • Example configuration Computer Science CSC 474 Dr. Peng Ning 11 Session Filtering (Cont’d) Screens ALL attempts, Protects All applications Extracts & maintains ‘state’ information Makes an intelligent security / traffic decision Applications Applications Presentations Applications Presentations Sessions Presentations Sessions Transport Sessions Transport Network Transport Network Network DataLink DataLink DataLink Physical Physical Physical Dynamic Dynamic Dynamic State Tables State StateTables Tables Computer Science CSC 474 Dr. Peng Ning 12 Proxy Firewalls • Relay for connections • Client Proxy Server • Two flavors – Application level – Circuit level Computer Science CSC 474 Dr. Peng Ning 13 Application Gateways • Understands specific applications – Limited proxies available – Proxy ‘impersonates’ both sides of connection • Resource intensive – process per connection • HTTP proxies may cache web pages Computer Science CSC 474 Dr. Peng Ning 14 Application Gateways • More appropriate to TCP • Must write a new proxy application to support new protocols – Not trivial! Computer Science CSC 474 Dr. Peng Ning 15 Application Gateways • Clients configured for proxy communication • Transparent Proxies Computer Science CSC 474 Dr. Peng Ning 16 Application Layer GW/proxy Telnet FTP HTTP Applications Applications Applications Presentations Presentations Presentations Sessions Sessions Sessions Transport Transport Transport Network Network Network DataLink DataLink DataLink Physical Physical Physical Application Gateway Computer Science CSC 474 Dr. Peng Ning 17 Circuit-Level Gateways • Support more services than Application-level Gateway – less control over data • Hard to handle protocols like FTP – Passive FTP is usually okay • Clients must be aware they are using a circutlevel proxy Computer Science CSC 474 Dr. Peng Ning 18 SOCKS • Circuit level Gateway • Support TCP • SOCKS v5 supports UDP, earlier versions did not • See http://www.socks.nec.com Computer Science CSC 474 Dr. Peng Ning 19 Comparison Service Support Performance Security Packet Filter 3 1 No dynamic w/o holes Session Filter Circuit GW 2 2 2 3 Dependent on vendor for dynamic support App. GW 1 4 Typically < 20 Lower is better for security & performance Computer Science CSC 474 Dr. Peng Ning 20 Comparison (Cont’d) Modify Client Applications? Packet Filter No Session Filter No Circuit GW Typical, SOCKS-ify client applications App. GW Unless transparent, client application must be proxy-aware & configured Computer Science CSC 474 Dr. Peng Ning 21 Comparison (Cont’d) Fragmentation ICMP Packet Filter Yes No Session Filter Yes Maybe Circuit GW (SOCKS v5) Yes App. GW No Yes Computer Science CSC 474 Dr. Peng Ning 22 Linux Firewall: iptables • History – – – – ipfw ipfwadm ipchains iptables • Based on the netfilter framework Computer Science CSC 474 Dr. Peng Ning 23 The Netfilter Framework • A framework for packet mangling Kernel Kernel modules Protocol stack hooks netfilter … User space Computer Science CSC 474 Dr. Peng Ning 24 The Netfilter Framework (Cont’d) • Current protocols – IPv4, IPv6, and DECnet. • Five hooks for IPv4 – [1]: Pre-routing hook; [2]: Local-in hook; – [3]: Forward hook; [4]: Local-out hook; – [5]: Post-routing hook A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Computer Science CSC 474 Dr. Peng Ning 25 Packet Filtering A packet traversing the netfilter system: [1] [ROUTE] [3] [4] [ROUTE] [2] [5] Packet filtering only uses these three hooks Computer Science CSC 474 Dr. Peng Ning 26 IP Tables • A packet selection system – Direct descendent of ipchains • Used for – Packet filtering – Network Address Translation (NAT) • Masquerading, port forwarding, transparent proxying – Packet mangling • Actual changing of packet information Computer Science CSC 474 Dr. Peng Ning 27 User Space Tool: iptables • iptables – Command to configure and communicate with the kernel modules • iptables for packet filtering – Three chains • INPUT • OUTPUT • FORWARD Computer Science CSC 474 Dr. Peng Ning 28 Iptables for Packet Filtering • You need three things to configure a firewall rule – Which chain? – What packet pattern? – What action to apply? • Example – Drop all packets from 200.200.200.1 – iptables -A INPUT -s 200.200.200.1 -j DROP – Use “man iptables” on Linux to get more information. Computer Science CSC 474 Dr. Peng Ning 29