Defense in Depth / Firewalls Presentation
COEN 350
Network Defense in Depth
Firewalls
Terms of the Trade
Border Router: First / last router under control of system administration.
DMZ: Demilitarized zone. Security is low, since it is not protected by the firewall. Locate web servers and other services there that generate potentially unsafe traffic.
Firewall: Filters packets based on a variety of rules.
Terms of the Trade
IDS: Intrusion Detection System.
  NIDS: glean intrusion signatures from network traffic.
  HIDS: monitor activity on the host on which they are located.
VPN: Virtual private network.
Screened subnet: Area protected by an internal firewall.
Terms of the Trade
Configuration Management: Known vulnerabilities account for most actually perpetrated exploits. For most of them, patches were available but not installed. CM tries to enforce uniform security policies.
Backdoors: An entrance into the system that avoids perimeter defenses.
Defense in Depth
Rule 1: Use a multitude of security measures. Do not rely on one security mechanism.
Rule 2: Do not make security so expensive / burdensome that you give legitimate users an incentive to circumvent it.
Defense in Depth
Example: an external TCP packet passes:
  Internet perimeter router
  Internet perimeter firewall
  DMZ firewall
  Network IPS
  NetFlow (analyzes connections on the network)
  Antivirus on host
  Host IPS
Firewalls
Firewalls are perimeter defense:
Keep the bad stuff outside, enjoy life inside.
Filtering
Signature: Any distinctive characteristic that identifies something (with a high degree of probability).
Signature Types
  Atomic Signatures: A single packet, single event, or single activity is examined.
  Stateful Signatures: State is needed when analyzing multiple pieces of information that are not available at the same time.
Filtering
Atomic vs. Stateful Signatures
  LAND attack: Attacker sends a TCP SYN packet with the same source and destination address. Caused TCP stacks to crash. Can be discovered by looking at a single packet.
  Search for the string “etc/password” in a URL: Attacker fragments the packet so that the string is not in either fragment. State is needed in order to recognize the attack.
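The fragmentation case above, as an added example that is not part of the slides: an atomic check on each fragment misses the string, while a stateful check that buffers and reassembles the fragments finds it. The HTTP request and its fragment offsets are constructed for the demonstration.

```python
# Added example (not from the slides): why the "etc/password" URL signature
# needs state. Fragments are (offset, payload) pairs as an IP reassembler
# would see them; the request below is constructed for the demonstration.
SIGNATURE = b"etc/password"

def atomic_match(fragments):
    """Atomic signature: inspect each fragment on its own."""
    return any(SIGNATURE in payload for _, payload in fragments)

def reassemble(fragments):
    """Stateful: hold fragments until the datagram is complete, then rebuild
    it in offset order; refuse gaps or overlaps rather than guess."""
    data = bytearray()
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        if offset != len(data):
            raise ValueError("non-contiguous fragments at offset %d" % offset)
        data.extend(payload)
    return bytes(data)

def stateful_match(fragments):
    """Stateful signature: search the reassembled datagram."""
    return SIGNATURE in reassemble(fragments)

# Constructed request, cut so the string straddles the fragment boundary.
REQUEST = b"GET /etc/password HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
CUT = REQUEST.index(SIGNATURE) + 4                     # split inside "etc/password"
FRAGMENTS = [(CUT, REQUEST[CUT:]), (0, REQUEST[:CUT])]  # arrive out of order
```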
Filtering
Signature Triggers
  Pattern Detection: Simple string search, e.g. search for the string “etc/passwords” in a URL; protocol decoders search for the string only in protocol fields; ARP request with source address FF:FF:FF:FF:FF:FF.
  Anomaly Detection: Traffic going to an unusual port; protocol compliance for HTTP traffic.
  Behavior Detection: Abnormally large / small fragmented packets; RPC requests that do not initially utilize the PortMapper.
Filtering
Signature Actions
  Generating an alert
  Dropping / preventing an activity
  Logging the activity
  Resetting a TCP connection
  Blocking future activity
  Allowing the activity
Packet Filtering
Static Packet Filtering
Allow or deny access to packets based on internal characteristics.
Cisco extended ACL:
  access-list 111 deny ip host 205.205.205.1 any
  access-list 111 permit tcp host 205.205.205.1 any
  access-list 111 deny icmp any any echo-request
  access-list 111 permit icmp any any packet-too-big
  access-list 111 deny icmp any any
Entries are matched top-down, first match wins: the permit tcp line for 205.205.205.1 is never reached, because the deny ip line above it already covers that host's TCP traffic. Rule order matters.
Static Packet Filtering
Difficult to design efficient rules.
Easy to get the rule tables wrong and allow bad traffic.
Security risks:
  People can piggy-back bad messages in harmless ones.
  HTTP traffic is known to be used as a backdoor.
  Loki uses unused fields in normal TCP packets.
  Fragmentation allows the filter to look only at a fragment; most filters only look at the first fragment.
Static Packet Filtering
Configuring a packet filter:
  Security policy: what is allowed, what is not allowed.
  Allowable types of packets must be specified logically, as logical expressions on packet fields.
  Expressions need to be rewritten in the firewall vendor’s language.
Static Packet Filtering
Example
Security Policy:
  Allow inbound mail messages (SMTP, port 25), but only to the gateway.
  Block host faucet.

action | Our host | port | Their host | port | comment
block  | *        | *    | faucet     | *    | We don’t trust these people.
allow  | OUR-GW   | 25   | *          | *    | Connection to our SMTP server
Static Packet Filtering
Example
If no rule applies, then the packet is dropped.
Without additional rules, our rule set would drop all non-mail packets. There would also be no replies.
Beware of a rule like this (intended to allow ACKs):

action | Our host | port | Their host | port | comment
allow  | *        | *    | *          | 25   | Connection to their SMTP port

It is based solely on the outside host’s port number. Port 25 is usually the mail port, but there is no guarantee.
Static Packet Filtering
Example
Expand the rule set to allow connections with the outside:

action | Our host   | port | Their host | port | Flag | comment
block  | *          | *    | faucet     | *    |      |
allow  | OUR-GW     | 25   | *          | *    |      |
allow  | (our host) | *    | *          | 25   |      | Our packets to their port
allow  | *          | *    | *          | 25   | ACK  | Their replies

Specify the names of all machines allowed to send mail to the outside in the “(our host)” row.
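The expanded rule table above as a first-match static filter with default deny, added here as an example (not code from the slides). Host names are constructed, and a direction column ("in" = arriving from outside, "out" = leaving) is added because the table leaves it implicit; it is what keeps the “our packets to their port 25” rule from admitting inbound packets that merely come from port 25.

```python
# Added example (not from the slides): the expanded rule table as a first-match
# static packet filter with default deny. Names are constructed; the direction
# column is an assumption the slide's table leaves implicit.
OUR_HOSTS = {"our-gw", "mail1", "mail2"}   # machines allowed to send mail out

# (action, direction, our host, our port, their host, their port, needs ACK)
RULES = [
    ("block", "*",   "*",      "*", "faucet", "*", False),  # we don't trust them
    ("allow", "in",  "our-gw", 25,  "*",      "*", False),  # their mail to our GW
    ("allow", "out", "ours",   "*", "*",      25,  False),  # our mail to their 25
    ("allow", "in",  "*",      "*", "*",      25,  True),   # their replies (ACK)
]

def _match(pattern, value):
    if pattern == "*":
        return True
    if pattern == "ours":                    # the "(our host)" row
        return value in OUR_HOSTS
    return pattern == value

def decide(direction, our_host, our_port, their_host, their_port, ack=False):
    """Action of the first matching rule; the packet is dropped if none applies."""
    for action, d, oh, op, th, tp, need_ack in RULES:
        if need_ack and not ack:
            continue                         # rule 4 only fires on ACK-flagged packets
        fields = ((d, direction), (oh, our_host), (op, our_port),
                  (th, their_host), (tp, their_port))
        if all(_match(p, v) for p, v in fields):
            return action
    return "block"                           # no rule applies: dropped
```

An inbound packet from port 25 without ACK matches no allow rule, which is the case the “beware” slide warns about.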
Static Packet Filtering
Combating Address Spoofing
At a minimum:
Don’t allow inside source addresses coming in.
Don’t allow outside source addresses going out.
Block source routing at the border routers.
Static Packet Filtering
Routing Information
If a node is unreachable from the outside, then the node is almost (but not quite) as safe as a node disconnected from the net.
Internal routers should not advertise paths to such nodes to the outside.
Filter routes learned from the outside: protects against subversion by route confusion.
Route squatting: use internal addresses that belong to a different domain. The nodes are de facto unreachable from the outside.
Use non-announced addresses (e.g. 10.x.x.x). But beware: when companies merge, these addresses tend to be incompatible, so pick addresses in unpopular address ranges.
Static Packet Filtering
Performance
Packet filtering is done at the border, so there is no degradation for the internal network. Typically, the connection to the ISP is the bottleneck.
However, degradation depends on the number of rules applied. This can be mitigated by careful ordering of rules.
Application Level Filtering
Packet filters only look at:
  The source address
  The destination address
  TCP / UDP port numbers
  TCP / UDP flags
Application filters deal with the details of the service they are checking.
E.g. a mail application filter looks at RFC 822 headers and MIME attachments, and might identify virus-infected attachments.
Application Level Filtering
Snort: allows one to set up rules that pass a packet on to another service.
Commercial firewalls: include application level filters for many products; use non-disclosure agreements to obtain proprietary protocols.
Dynamic Packet Filtering
Stateful Firewall
  Still looks at each packet.
  Maintains state for each connection.
  Implements connection filtering.
  Dynamically adjusts a filtering table of current connections.
Implementation
  Adjust the filtering rules dynamically. E.g.: we started an HTTP connection to a given host; now HTTP packets from that host are allowed.
  OR: terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).
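The first implementation strategy above (a connection table adjusted by traffic), written out as an added example that is not from the slides. An outbound SYN from an inside host opens an entry; packets from outside are accepted only when they belong to an entry, so an unsolicited inbound packet is dropped even if it carries ACK or comes from port 25. Addresses and the inside prefix are constructed.

```python
# Added example (not from the slides): a minimal stateful filter for TCP.
# Constructed addressing: hosts under 10.0.0. are inside, everything else is
# outside. RST retires an entry; a real tracker would also follow the FIN
# handshake and expire idle entries.
INSIDE_PREFIX = "10.0.0."

class StatefulFilter:
    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port)

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def filter(self, src, sport, dst, dport, flags):
        """Return 'allow' or 'drop' for one packet and update the table."""
        flags = set(flags)
        if self._inside(src) and not self._inside(dst):           # outbound
            key = (src, sport, dst, dport)
            if flags == {"SYN"}:
                self.table.add(key)                  # new connection we started
                return "allow"
            if key in self.table:
                if "RST" in flags:
                    self.table.discard(key)
                return "allow"
            return "drop"                            # packet for no known connection
        if not self._inside(src) and self._inside(dst):           # inbound
            key = (dst, dport, src, sport)           # mirror of the outbound key
            if key in self.table:
                if "RST" in flags:
                    self.table.discard(key)
                return "allow"                       # reply to our connection
            return "drop"                            # unsolicited from outside
        return "drop"                                # not a border crossing

    def open_connections(self):
        return len(self.table)
```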
Proxy Firewalls
Proxies act on behalf of a client.
Proxy firewall: Reverse Proxy
  Receives packets on one network card.
  Processes requests.
  Translates them into internal requests on the other card.
  Receives answers from inside and translates them to the outside.
Proxy Firewalls
Proxy firewall: Forward Proxy
  Receives requests from the inside.
  Processes requests.
  Translates them into requests to the outside on the other card.
  Receives answers from outside and translates them to the inside.
  Acts on behalf of the inside machine, which is protected from the vagaries of the internet.
Proxy Firewalls
Application level proxies work at the level of the application.
Circuit-level proxies do not understand the application; they make filtering decisions by validating and monitoring sessions.
Application Inspection
Dynamic firewalls allow selective inspection of applications:
  HTTP
  FTP
  DNS
  ICMP
  …
Application Inspection
DNS example (Cisco ASA DNS inspection)
  Guarantees that the ID of the DNS reply matches the ID of the DNS query.
  Allows translation of DNS packets using NAT.
  Reassembles DNS packets to verify their length.
Application Inspection
SMTP (Cisco ASA protection)
  Protects against SMTP-based attacks by restricting the types of SMTP commands.
  An illegal command is modified and forwarded; typically, the receiver replies with an SMTP error 500 (command not recognized).
  Checks size, …
Network Address Translation
Originally designed to address the IPv4 address shortage: use internal IP addresses
  192.168.x.x
  172.16.x.x – 172.31.x.x
  10.x.x.x
NAT box is dual-homed:
  One connection to the interior network.
  Other connection to the exterior network, with the “overloaded” or “public” address.
Network Address Translation
Internal host initiates a TCP connection to the outside.
NAT box takes the TCP packet, replaces the source IP with its public IP and the source port with a port chosen for that connection.
When the reply returns to the NAT box, it forwards the packet to the internal host. NAT uses the stored connection data to determine the interior address.
Network Address Translation
NAT increases security:
  NAT hides host identities.
  NAT hides hosts with weak sequence number generation by randomizing sequence numbers.
  NAT disables inbound TCP connections.
  NAT breaks most UDP protocols.
  NAT allows load balancing and transparent failover.
Network Address Translation
Full Cone NAT (one-to-one NAT)
  All requests from the same internal IP address and port are mapped to the same external IP address and port.
  Allows any external host to send a packet to the internal host by using the mapped external address.
Network Address Translation
Restricted Cone NAT
  All requests from the same internal IP address and port are mapped to the same external IP address and port.
  An external host can only send a packet to the internal host if the connection has already been established (the internal host has sent to that external host).
Network Address Translation
Port Restricted Cone NAT
  Like restricted cone NAT, but only for certain port numbers: the external host must reply from the port the internal host sent to.
Symmetric NAT
  All requests from the same internal IP address and port to a specific destination IP and port are mapped to a unique external source IP address and port.
  If the same host sends to the same port but another IP address, then a different mapping is used.
  External host needs to receive a packet before sending a UDP packet back to the internal host.
In practice: combinations of these behaviors.
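The four NAT behaviors above in one model, added as an example that is not from the slides: a NAT box with a selectable filtering behavior, showing which inbound UDP packets each type admits and how symmetric NAT allocates a fresh external port per destination. The public address, internal hosts and peers are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the slides): a NAT box whose filtering behaviour is
# selectable, covering full cone, restricted cone, port-restricted cone and
# symmetric NAT. Constructed addressing: public address 198.51.100.1.
class NatBox:
    PUBLIC_IP = "198.51.100.1"
    KINDS = ("full_cone", "restricted_cone", "port_restricted", "symmetric")

    def __init__(self, kind):
        assert kind in self.KINDS
        self.kind = kind
        self.next_port = 40000
        self.mapping = {}     # mapping key -> external port
        self.state = {}       # external port -> [internal ip, internal port, peers]

    def _key(self, src, sport, dst, dport):
        # Cone NATs key on the internal endpoint only; symmetric NAT also keys
        # on the destination, so each peer sees a different external port.
        if self.kind == "symmetric":
            return (src, sport, dst, dport)
        return (src, sport)

    def outbound(self, src, sport, dst, dport):
        """Translate an internal packet, returning its public (ip, port)."""
        key = self._key(src, sport, dst, dport)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.state[self.next_port] = [src, sport, set()]
            self.next_port += 1
        ext = self.mapping[key]
        self.state[ext][2].add((dst, dport))         # remember who we talked to
        return self.PUBLIC_IP, ext

    def inbound(self, src, sport, ext_port):
        """Deliver a packet sent to PUBLIC_IP:ext_port, or None if dropped."""
        entry = self.state.get(ext_port)
        if entry is None:
            return None                              # no mapping at all
        iip, iport, peers = entry
        if self.kind == "full_cone":
            allowed = True                           # anyone may use the mapping
        elif self.kind == "restricted_cone":
            allowed = any(ip == src for ip, _ in peers)   # same host, any port
        else:                                        # port_restricted, symmetric
            allowed = (src, sport) in peers          # same host and same port
        return (iip, iport) if allowed else None
```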
Virtual Private Networks
VPN uses connections over an existing public network; the connection is secured with encryption.
  Host to Host
  Host to Gateway
  Gateway to Gateway
Virtual Private Networks
Encryption can be done at the:
  Application level.
  Transport level.
  Network level.
  Data link level.
Virtual Private Networks
VPN Technologies
Application Level
  Pretty Good Privacy (PGP)
  Secure Shell (SSH)
Transport Level
  Secure Socket Layer (SSL)
  Does not protect the packet, but its content.
  Typically runs at the application level of the OS, so the OS does not need to be changed.
Network Level
  IPsec
  Encrypts the packet itself; the encrypted packet receives a new packet header.
  IPsec protects the port address, but not the destination address.
  OS needs to be changed (but only once: Win2000, WinXP).
Data Link
  Layer 2 Tunneling Protocol (L2TP), an addition to the Point-to-Point Protocol (PPP).
  Encrypts packets on the data link layer.
Virtual Private Networks
Alternatives are dedicated point-to-point connections such as a private T1 line:
  Most secure.
  Most expensive.
  Takes time to set up.