Transcript COMP 4706
Advanced Network Security –
Firewall Implementation and Design
Term: January 2005
Dana Epp
[email protected]
http://silverstr.ufies.org/blog/
Agenda
Review from last class
Group STRIDE analysis
Building a firewall port matrix
Introduction to NMAP
Hands on - Scanning ports with NMAP
Hands on – Creating basic firewall rules on Linux
Learning Outcomes
On successful completion of this course, students will be
able to:
Identify various types of firewalls and their functions,
including which firewalls operate at which OSI protocol
layer, and the basic variations of firewall architectures
Describe risk mitigation techniques to varying threats
with the use of different firewall architectures
Demonstrate the ability to design and deploy policies on
a firewall
Basic Types of Firewalls
Packet filtering firewalls
Stateful packet inspection firewalls
Application proxies
Hybrids
Packet filter
A packet filter firewall is the simplest type of firewall.
Dealing with each individual packet, the firewall applies
its rule set to determine which packet to allow or
disallow. The firewall examines each packet based on
the following criteria:
Source IP address
Destination IP address
TCP/UDP source port
TCP/UDP destination port
Packet Filter - Pros
They are fast because they operate on IP addresses
and TCP/UDP port numbers alone, ignoring the data
contents (payload) of packets.
Due to the fact that packet payload is ignored,
application independence exists.
Least expensive of the three types of firewalls.
Packet filtering rules are relatively easy to configure.
There are no configuration changes necessary to the
protected workstations.
Packet filters - Cons
Allow a direct connection between endpoints through the firewall.
This leaves the potential for a vulnerability to be exploited.
There is no screening of packet payload available. It is impossible to
block users from visiting web sites deemed off limits, for example.
Logging of network traffic includes only IP addresses and TCP/UDP
port numbers, no packet payload information is available.
Complex firewall policies are difficult to implement using filtering
rules alone.
There is a reliance on the IP address for authentication rather than
user authentication.
Dynamic IP addressing schemes such as DHCP may complicate
filtering rules involving IP addresses.
Stateful packet inspection
Examines the contents of packets rather than just
filtering on headers; that is, it considers packet
contents as well as addresses.
Stateful packet inspection firewalls also take into
account the state of the connections they handle so
that, for example, a legitimate incoming packet can
be matched with the outbound request for that
packet and allowed in.
Stateful packet inspection - Pros
Offers improved security over basic packet filters
due to packet examination.
Offers a degree of application independence,
based on level of stateful packet examination.
Better logging of activities over basic packet
filters.
Good performance.
Configuration changes to the protected
workstations are unnecessary.
Stateful packet inspection - Cons
Allow a direct connection between endpoints
through the firewall. This leaves the potential for
a vulnerability to be exploited.
No hiding of your private systems.
Setting up stateful packet examination rules is
more complicated.
Application-layer inspection works only for protocols the firewall supports.
No user authentication.
Application proxies
An application proxy is a program running on the
firewall that emulates both ends of a network
connection. One can think of it as a sort of "translator"
in-between the two computers communicating.
Application proxies - Pros
Firewall does not let end points communicate directly
with one another. Thus a vulnerability in a protocol
which could slip by a packet filter or stateful packet
inspection firewall could be overcome by the proxy
program.
Has the best content filtering capability.
Can hide private systems.
Robust user authentication.
Offers the best logging of activities.
Policy rules are usually easier than packet filtering
rules.
Application proxies - Cons
Performance problems; much slower than the other two.
Must have a proxy for every protocol. Failure to have a
proxy may prevent a protocol from being handled
correctly by the firewall.
TCP is the preferred transport. UDP may not be
supported.
Limited transparency, clients may need to be modified.
Setting up the proxy server in a browser, for example.
No protection from all protocol weaknesses.
OSI – Open System Interconnect
TCP/IP Protocol Architecture
Three way TCP handshake
Common Ports and Services
Windows:
%windir%\System32\drivers\etc\services
Linux:
/etc/services
Examples:
SMTP = port 25
HTTP = port 80
POP3 = port 110
PPTP = port 1723
The STRIDE Threat Model
Spoofing identity
Attacker obtains something that enables authentication
Tampering with data
Unauthorized change made to stored or in-transit information
Repudiation
Performing an illegal operation in a system that lacks the ability to trace
such operations
Information disclosure
Exposing critical information to unauthorized individuals
Denial of Service (DoS)
Denies service to others
Elevation of privileges
Attacker exploits a weakness to gain greater privileges on a system than
were intended
Ranking and Prioritizing Threats
Chance of attack occurring
1 = high
10 = low
How much effort/cost/time is needed to launch the
attack?
What is the cost/damage if it occurs?
1 = little
10 = massive
RISK = Damage / Chance
Goal is to reduce risk
Do high risk items first
How to Respond to Threats
1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.
Defense in Depth
Assume external systems are insecure
Assume your system(s) is the last thing
standing
Plan on failure
More layers of security means more work to
compromise a target
“We’re secure, we have a firewall” *ugh*
Threat risk goes down as threat difficulty goes up
Never depend on security through obscurity
Group STRIDE Analysis
Building a firewall port matrix
Determine trust zones
Determine ports that need opening
Determine packet type (tcp/udp)
Determine direction of packet flow
Determine any limitations you can set on src/dst
LUNCH
Introduction to NMAP
Can scan networks to find active (online) hosts
Can scan hosts to find open ports
Can send crafted packets to fingerprint the
operating system
Can be used defensively to identify weaknesses
that need to be corrected, or offensively by an
attacker to probe for vulnerabilities to exploit.
Interesting NMAP options
-v = Verbose logging
-O = OS fingerprinting
-sS = SYN stealth scan
-P0 = Scan without ping probes
nmap -v -O -sS your.host.com
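Added example, not from the slides: once firewall rules are in place, the defensive use of NMAP described above is to confirm that only the ports in your port matrix are reachable. The function below reads one host line of nmap's grepable output (-oG) and prints any open TCP port the matrix does not allow; the scan line and the expected-port list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the slides' own code): check an nmap -oG ("grepable") host
# line against the TCP ports the port matrix says should be open.
# The scan line below is constructed for illustration, not real scan output.
NMAP_GREPABLE=$(printf 'Host: 10.10.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (996)')
EXPECTED_TCP="22 80 443"   # from the port matrix: ssh, http, https

# Usage: unexpected_open_ports "<one -oG Host line>" "<space-separated allowed tcp ports>"
# Prints each open TCP port that is not in the allowed list, one per line.
unexpected_open_ports() {
    scan_line=$1; allowed=$2
    # -oG fields are tab-separated; keep only the "Ports:" field, then one entry per line
    echo "$scan_line" | tr '\t' '\n' | sed -n 's/^Ports: //p' | tr ',' '\n' |
    while read -r entry; do
        # entry looks like 8080/open/tcp//http-proxy///  (port/state/proto/owner/service/...)
        case "$entry" in */open/tcp/*) ;; *) continue ;; esac
        port=${entry%%/*}
        case " $allowed " in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# A scan that matches the matrix prints nothing; any port printed is a rule
# or host configuration problem to investigate (here: 8080)
unexpected_open_ports "$NMAP_GREPABLE" "$EXPECTED_TCP"
```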
Introduction to iptables
3rd generation firewall
on Linux
Supports basic packet filtering as well as
connection state tracking
For our needs for this course, we will use
simple/basic packet filtering
Introduction to iptables
# Sample firewall – incomplete… do not use. For discussion only
IPTABLES=/sbin/iptables
ANY="0.0.0.0/0"
ETHIP="10.10.1.1"
ADMINNOC="10.10.1.250"
# Flush chains
$IPTABLES --flush
# Set default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Allow SSH from admin NOC (inbound request and the matching outbound reply)
$IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024:65534 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $ADMINNOC --sport 22 --dport 1024:65534 -j ACCEPT
# Allow Web access
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow secure web access
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop anything else that reaches INPUT
$IPTABLES -A INPUT -j DROP
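Added example, not the slides' own script: the port matrix from the earlier slide written as data and turned into iptables rules, with the default-deny policies and connection-state tracking that the discussion-only sample above leaves out. The matrix rows, the 10.10.1.250 NOC address carried over from the sample, and the dry-run default are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: the port matrix as data, turned into iptables
# rules, with default-deny and state tracking that the slides' sample lacks.
# IPTABLES defaults to a dry run that only prints the commands; set
# IPTABLES=/sbin/iptables and run as root to apply them.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Port matrix (constructed): proto, destination port, allowed source, comment.
# 10.10.1.250 is the admin NOC address used in the slides' sample.
PORT_MATRIX='
tcp  22   10.10.1.250  ssh-from-admin-noc
tcp  80   0.0.0.0/0    http
tcp  443  0.0.0.0/0    https
'

build_rules() {
    $IPTABLES --flush
    # Default-deny inbound and forwarded traffic; the slides' sample leaves these on ACCEPT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback, then replies to connections this host opened; connection tracking
    # replaces the hand-written --sport/--dport reply rules of a pure packet filter
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One rule per port-matrix row: only NEW connections, only from the listed source
    echo "$PORT_MATRIX" | while read -r proto dport src comment; do
        [ -z "$proto" ] && continue
        $IPTABLES -A INPUT -p "$proto" -s "$src" --dport "$dport" \
            -m state --state NEW -j ACCEPT
    done
    # Whatever did not match is dropped silently (DROP rather than REJECT, per the slides)
    $IPTABLES -A INPUT -j DROP
}

# Number of INPUT rules the script emits (quick sanity check: 6 for the matrix above)
rule_count() { build_rules | grep -c -- '-A INPUT'; }

build_rules
```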
Dropping vs Rejecting Packets
Rejecting packets COULD resource starve your
system
Dropping packets could cause network
diagnostic hell for the other end if you don’t
respond ‘nicely’
Dana’s Law: It is better to DROP packets and
buy your favorite network admin a beer than to
REJECT and have alarms go off at 2 in the
morning during a DoS, waking you up.
Hands on LAB
Good reading
IPTables Packet Filtering HOWTO
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
Building Internet Firewalls
ISBN:1-56592-124-0
Linux Firewalls
ISBN: 0-7357-0900-9
Threat Modeling
ISBN: 0-7356-1991-3
Any Questions?