Transcript PMfirewalls

Firewalling Techniques
Prabhaker Mateti
Acknowledgments
 Not Linux specific
 Some figures are from 3Com

Components of the Firewall System
 Bastion Host
 Packet-filtering router
 Application-level gateway (or proxy server)
 Circuit-level gateway

Dual Homed Gateway

A system that has
 two or more network interfaces, each of which is connected to a different network.
 Acts to block or filter some or all of the traffic trying to pass between the networks.
Bastion Host
 Runs a general purpose operating system hardened to resist attack
 Proxy services

Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.
Circuit Relay
 Determines if the connection is valid according to rules
 Opens a session and permits traffic
  only from the allowed source and
  possibly only for a limited period of time.
 Whether a connection is valid is based upon:
  destination IP address and/or port
  source IP address and/or port
  time of day
  protocol
  user
  password
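The admission decision of a circuit relay, as an added example (not code from the slides): a connection request is checked against a rule table built from exactly the fields listed above, and an admitted session is valid only for a limited period. The rule data, the user name and password, the site prefix and the fixed salt are constructed for the demonstration.

```python
# Added example (not from the slides): a circuit-level relay's admission
# decision.  The relay never inspects application data; it checks the
# connection request against a rule table (destination/source address and
# port, time of day, protocol, user, password) and, if one rule permits it,
# opens a session that is only valid for a limited period.  Rule data, user
# names and passwords below are constructed for the demonstration.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    src_net: str                 # e.g. "10.0.0.0/8"
    dst_net: str                 # "0.0.0.0/0" = anywhere
    dst_port: Optional[int]      # None = any port
    protocol: str                # "tcp" or "udp"
    users: FrozenSet[str]        # empty = no authentication required
    start: time                  # time-of-day window start (inclusive)
    end: time                    # window end (exclusive)
    max_session: timedelta       # session lifetime once admitted

@dataclass
class Session:
    user: Optional[str]
    expires_at: datetime

_SALT = b"constructed-salt"      # a real store uses a per-user random salt

def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _digest("correct horse")}   # constructed credential store

def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _digest(password)        # same cost for unknown users: no timing leak
        return False
    return hmac.compare_digest(stored, _digest(password))

def in_window(now: time, start: time, end: time) -> bool:
    """True if now lies in [start, end); windows may wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def open_circuit(rules, src: str, dst: str, dport: int, protocol: str,
                 now: datetime, user: Optional[str] = None,
                 password: Optional[str] = None) -> Optional[Session]:
    """Return a Session if the first matching rule admits the connection,
    otherwise None (default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.protocol != protocol:
            continue
        if src_ip not in ipaddress.ip_network(r.src_net):
            continue
        if dst_ip not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        if not in_window(now.time(), r.start, r.end):
            continue
        if r.users and (user not in r.users or
                        not check_password(user, password or "")):
            continue
        return Session(user=user, expires_at=now + r.max_session)
    return None

def session_is_live(session: Optional[Session], now: datetime) -> bool:
    """The relay keeps forwarding only while the admitted session is unexpired."""
    return session is not None and now < session.expires_at

# Constructed policy: internal users may telnet out during working hours,
# for at most one hour per circuit, after authenticating.
RULES = [
    Rule("10.0.0.0/8", "0.0.0.0/0", 23, "tcp", frozenset({"alice"}),
         time(8, 0), time(18, 0), timedelta(hours=1)),
]
```

The relay consults session_is_live on every forwarded chunk, so a circuit that was valid at 12:00 is torn down at 13:00 even though the rule window runs until 18:00; that is what "only for a limited period of time" buys over a plain packet filter.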
Demilitarized Zone (DMZ)
 A neutral zone between the private LAN and the public Internet.
 FTP servers, Web servers and the like are located in the DMZ.

Location of a Firewall
 (Figure: the untrusted network reaches the firewall through an external LAN; behind the firewall sit the internal LAN and a DMZ holding the www and SMTP servers.)
An Application Gateway: Problem
 Allow select internal users to telnet outside.
 Users authenticate themselves to create the telnet connection.
 A “gateway” used in this sense is different from a standard gateway.
An Application Gateway: Solution
 Router filter blocks all telnet connections not originating from the gateway.
 For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
 (Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter.)
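The gateway side of that solution, as an added example (not code from the slides): the host-to-gateway session is authenticated first, then the gateway opens its own gateway-to-remote-host session and relays bytes between the two until either side closes or the link goes idle. The router filter is assumed to be in place separately. User names, the credential store and the in-memory socket pairs are constructed for the demonstration; a real gateway would accept on a listening socket and connect out to the remote host.

```python
# Added example (not from the slides): an application-level telnet gateway.
# The router filter is assumed to block telnet (TCP/23) that does not come
# from the gateway, so the gateway alone decides who may telnet out: it
# authenticates the user on the host-to-gateway session, opens a
# gateway-to-remote-host session, and relays bytes between the two.
# Credentials, salt and sockets here are constructed for the demonstration.
import hashlib
import hmac
import selectors
import socket
from typing import Callable, Dict, Optional

_SALT = b"constructed-salt"          # a real store uses a per-user random salt

def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _digest("correct horse")}   # constructed credential store

def authenticate(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _digest(password)            # equal cost for unknown users
        return False
    return hmac.compare_digest(stored, _digest(password))

def relay(a: socket.socket, b: socket.socket,
          idle_timeout: float = 5.0) -> Dict[str, int]:
    """Copy bytes a<->b until one side closes or the link is idle.
    Returns bytes relayed per direction, which a gateway would log."""
    counts = {"a_to_b": 0, "b_to_a": 0}
    peer = {a: b, b: a}
    label = {a: "a_to_b", b: "b_to_a"}
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ)
    sel.register(b, selectors.EVENT_READ)
    try:
        while True:
            events = sel.select(timeout=idle_timeout)
            if not events:
                return counts                   # idle: tear the circuit down
            for key, _ in events:
                sock = key.fileobj
                data = sock.recv(4096)
                if not data:
                    return counts               # one side closed
                peer[sock].sendall(data)
                counts[label[sock]] += len(data)
    finally:
        sel.close()
        a.close()
        b.close()

def serve_client(client: socket.socket, user: str, password: str,
                 connect_remote: Callable[[], socket.socket]) -> Optional[Dict[str, int]]:
    """Handle one host-to-gateway session: authenticate, then relay.
    connect_remote opens the gateway-to-remote-host session."""
    if not authenticate(user, password):
        client.sendall(b"authentication failed\r\n")
        client.close()
        return None                             # no outbound session opened
    remote = connect_remote()
    return relay(client, remote)
```

Because the outside host only ever sees a connection from the gateway, the byte counts returned by relay are the natural place to attach the per-user audit trail that a plain packet filter cannot produce.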
Packet Filtering Router
 Decides not only how, but whether, a packet should be forwarded
 Not best when detailed protocol knowledge is required for the decision
  Proxy may be a better choice
 Lots of leverage, as all hosts behind it are protected
 Can provide unique capabilities
  Rejecting forged internal or external packets (address spoofing)
  Recognition of malformed packets
Packet-Filtering Router
Service-Dependent Filtering

Some typical filtering rules include:
 Permit incoming Telnet sessions only to a specific list of internal hosts
 Permit incoming FTP sessions only to specific internal hosts
 Permit all outbound Telnet sessions
 Permit all outbound FTP sessions
 Deny all incoming traffic from specific external networks

Service-Independent Filtering
 Source IP Address Spoofing Attacks
 Source Routing Attacks
 Tiny Fragment Attacks. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1.

Defining packet filters can be a complex task.

Generally, the packet throughput of a router decreases as the number of filters increases.

Filtering by Service

Characteristics of an internal to external telnet connection:
 Source is inside,
 destination is outside,
 is TCP, destination port 23,
 source port > 1023,
 first packet an outbound SYN
Characteristics of an external to internal connection are the ‘opposite’
Risk: trusting the port implies trusting the server on that port
 Any service can be run from any port by root
 Can telnet from port 23, for example
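The forwarding decision of a stateless packet-filtering router, as an added example (not code from the slides) that ties together the preceding slides: the service-independent checks (address spoofing, source routing, the tiny-fragment test) run first, then a first-match rule table implements service-dependent rules of the kind listed under Service-Dependent Filtering, using the telnet characteristics above (TCP, destination port 23, source port > 1023). The "established" rule flag, meaning ACK must be set, is an assumption added so that replies to a permitted outbound session can get back in; the interface names, addresses and site prefix are constructed.

```python
# Added example (not from the slides): the forwarding decision of a
# stateless packet-filtering router.  Service-independent checks run first,
# then a first-match rule table in the style of the slides' examples.  The
# "established" flag (ACK must be set) is an assumption; addresses,
# interface names and the site prefix are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed site prefix

@dataclass
class Packet:
    iface: str                   # arrival interface: "ext" or "int"
    src: str
    dst: str
    protocol: str                # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0         # IP fragment offset in 8-byte units
    source_routed: bool = False  # IP source-route option present

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in" = ext->int, "out" = int->ext
    protocol: Optional[str] = None
    src_net: Optional[str] = None
    dst_hosts: Optional[List[str]] = None   # None = any host
    sport: Optional[int] = None
    sport_min: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False    # match only packets with ACK set

def service_independent_checks(p: Packet) -> Optional[str]:
    """Drop reasons that apply regardless of which service is involved."""
    src = ipaddress.ip_address(p.src)
    if p.iface == "ext" and src in INTERNAL_NET:
        return "spoofed internal source address on external interface"
    if p.iface == "int" and src not in INTERNAL_NET:
        return "spoofed external source address on internal interface"
    if p.source_routed:
        return "source-routed packet"
    # Tiny fragment test from the slides: a TCP fragment at offset 1 can
    # overwrite the port and flag bytes the first fragment was checked on.
    if p.protocol == "tcp" and p.frag_offset == 1:
        return "tiny fragment (TCP, fragment offset 1)"
    return None

def filter_packet(p: Packet, rules: List[Rule]) -> str:
    """Return "permit", "deny", or "drop: <reason>" for one packet."""
    reason = service_independent_checks(p)
    if reason is not None:
        return "drop: " + reason
    direction = "in" if p.iface == "ext" else "out"
    for r in rules:                       # first matching rule wins
        if r.direction != direction:
            continue
        if r.protocol is not None and r.protocol != p.protocol:
            continue
        if r.src_net is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src_net):
            continue
        if r.dst_hosts is not None and p.dst not in r.dst_hosts:
            continue
        if r.sport is not None and r.sport != p.sport:
            continue
        if r.sport_min is not None and p.sport < r.sport_min:
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if r.established and not p.ack:
            continue
        return r.action
    return "deny"                          # nothing matched: default deny

# Constructed rule table in the style of the slides' examples.
RULES = [
    Rule("deny", "in", src_net="198.51.100.0/24"),               # blocked external net
    Rule("permit", "in", protocol="tcp", dport=23, dst_hosts=["10.0.0.5"]),
    Rule("permit", "in", protocol="tcp", dport=21, dst_hosts=["10.0.0.6"]),
    Rule("permit", "in", protocol="tcp", sport=23, established=True),  # replies
    Rule("permit", "out", protocol="tcp", dport=23, sport_min=1024),   # all outbound telnet
    Rule("permit", "out", protocol="tcp", dport=21, sport_min=1024),   # all outbound FTP
]
```

The "replies" rule shows the risk the slide states: the filter trusts source port 23 plus the ACK bit, and nothing in a stateless filter verifies that an inbound packet with those fields really belongs to a session an inside host opened. That is the gap a stateful filter or a proxy closes.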
Security Policy

“It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network.

“The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

“This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.”
[From a web-based article]
(Figure: Security Policy Describes a Perimeter Defense)
(Figure: A Connection Circumventing an Internet Firewall)
Benefits of an Internet Firewall
 Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet.
 Firewalls offer a convenient point where Internet security can be monitored and alarms generated.
 An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).
 An Internet firewall is the perfect point to audit or log Internet usage.
 An Internet firewall can also offer a central point of contact for information delivery service to customers.
Limitations of an Internet Firewall
 Creates a single point of failure.
 Cannot protect against attacks that do not go through the firewall.
 Cannot protect against the types of threats posed by traitors or unwitting users.
 Cannot protect against the transfer of virus-infected software or files.
 Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.
Limitations of firewalls and gateways
 IP spoofing
  router can’t know if data “really” comes from the claimed source
 If multiple applications need special treatment, each has its own application gateway.
 Client software must know how to contact the gateway.
  e.g., must set the IP address of the proxy in the Web browser
 Tradeoff: degree of communication with the outside world vs. level of security
 Performance problem
Three Myths of Firewalls

Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own back doors, using modems, terminal servers, or programs such as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.

Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.

Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.