Transcript firewall
Firewalls, etc.
Outline
• Intro
• Various firewall technologies:
–
–
–
–
Static Packet Filtering (or nonstateful packet filter)
Dynamic Packet Filtering (or stateful packet filter)
Circuit-level gateways
Application-level gateways (aka. Proxy servers)
• Firewall configurations
T. A. Yang
Network Security
2
Firewalls
•
•
•
•
•
A firewall, in the real world, is built between buildings to
prevent a fire started in one building from spreading to
another
A digital firewall serves similar purpose, by preventing
security breaches that occur in one zone from
spreading to another zone
In a way, firewalls can be considered as delimiters that
together define the perimeter of a network
A firewall prevents unwanted and/or unauthorized traffic
from entering into or getting out of a given network (the
‘protected’ network)
Also called ‘secure Internet gateways’ or ‘security
gateways’
T. A. Yang
Network Security
3
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ filtering router
• An internetwork router that selectively prevents the
passage of data packets according to a security policy.
•
•
•
A filtering router may be used as a firewall or part of a firewall.
A router usually receives a packet from a network and decides
where to forward it on a second network. A filtering router does the
same, but first decides whether the packet should be forwarded at
all, according to some security policy.
The policy is implemented by rules (packet filters) loaded into the
router. The rules mostly involve values of data packet control fields
(especially IP source and destination addresses and TCP port
T. A. Yang
Network Security
4
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ bastion host
• A strongly protected computer that is in a network
protected by a firewall (or is part of a firewall) and is the
only host (or one of only a few hosts) in the network
that can be directly accessed from networks on the
other side of the firewall.
•
•
•
Filtering routers in a firewall typically restrict traffic from the
outside network to reaching just one host, the bastion host, which
usually is part of the firewall.
Since only this one host can be directly attacked, only this one host
needs to be very strongly protected, so security can be maintained
more easily and less expensively.
However, to allow legitimate internal and external users to access
application resources through the firewall, higher layer protocols
and services need to be relayed and forwarded by the bastion
host. Some services (e.g., DNS and SMTP) have forwarding built
in; other services (e.g., TELNET and FTP) require a proxy server
on the bastion host.
T. A. Yang
Network Security
5
Firewalls
•
According to RFC2828 Internet Security Glossary (by R. Shirey, May
2000):
$ firewall
- An internetwork gateway that restricts data
communication traffic to and from one of the
connected networks (the one said to be "inside" the
firewall) and thus protects that network's system
resources against threats from the other network
(the one that is said to be "outside" the firewall).
-
T. A. Yang
A firewall typically protects a smaller, secure network (such as
a corporate LAN, or even just one host) from a larger network
(such as the Internet). The firewall is installed at the point
where the networks connect, and the firewall applies security
policy rules to control traffic that flows in and out of the
protected network.
Network Security
6
Firewalls
-
-
T. A. Yang
A firewall is not always a single computer. For example, a
firewall may consist of a pair of filtering routers and one or
more proxy servers running on one or more bastion hosts,
all connected to a small, dedicated LAN between the two
routers. The external router blocks attacks that use IP to break
security (IP address spoofing, source routing, packet
fragments), while proxy servers block attacks that would
exploit a vulnerability in a higher layer protocol or service. The
internal router blocks traffic from leaving the protected network
except through the proxy servers.
The difficult part is defining criteria by which packets are
denied passage through the firewall, because a firewall not
only needs to keep intruders out, but usually also needs to let
authorized users in and out.
Network Security
7
Firewalls
- a more precise definition
•
•
According to Cheswick & Bellovin (1994)
A firewall system is a collection of components
placed btwn two networks that collectively have the
following 3 properties:
1. All traffic (inside out, or outside in) must pass through
the firewall.
2. Only authorized traffic (as defined by the local security
policy) are allowed to pass. firewall policy
3. The firewall itself is immune to penetration.
T. A. Yang
Network Security
8
Firewalls
- additional, stronger features
•
A firewall is able to:
1. enforce strong authentication for users who wish to
establish inbound or outbound connections
2. associate data streams that are allowed to pass through
the firewall with previously authenticated and authorized
users
•
Use of application gateways is needed to support
these higher-level features.
T. A. Yang
Network Security
9
Compare Various Firewall
Technologies
Types
Packet filters
Application gateways
Sub-types Static
Dynamic
Circuit-level
Application-level
OSI
layers
Transport layer or higher
T. A. Yang
Network layer
(or Internet layer in TCP/IP)
Network Security
10
T. A. Yang
Network Security
11
Static Packet Filtering
• Aka ‘screening routers’
• Stateless, meaning that each IP packet must be
examined in isolation from what has happened in the
past (and what may happen in the future), forcing the
filter to make a decision to permit or deny each packet
individually based on the packet-filtering rules
no concept of session
lead to problems when more than one connection is created in a
protocol such as FTP
T. A. Yang
Network Security
12
T. A. Yang
Network Security
13
Dynamic Packet Filtering
• Aka stateful packet filter
• A dynamic packet filter maintains state information about
past IP packets to make more intelligent decisions about
the legitimacy of present and future IP packets
• State information are stored in an internal database
• Subsequent packets belonging to the same association
can pass quickly through the stateful inspection device
T. A. Yang
Network Security
14
Circuit-level Gateways/Firewalls
• A proxy server for TCP or UDP (at the transport layer)
• Goal: To allow a TCP/IP application to traverse (i.e., securely use) a
firewall
• Is Located and running on a firewall
• Relays TCP connections:
- They intercept TCP connection being made to a host behind them and
complete the handshake on behalf of that host.
- As soon as the connection is made, only data packets belonging to the
connection are allowed to go through.
• It does not interfere with the data stream. Making it different from
an application-level gateway
• Example: SOCKS (RFC1928
SOCKS Protocol Version 5. By M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, L. Jones.
March 1996)
T. A. Yang
Network Security
15
SOCKS
• The implementation of the SOCKS protocol typically involves
the recompilation or relinking of TCP-based client
applications to use the appropriate encapsulation routines in
the SOCKS library. ‘socksified’ clients
• Procedure for TCP-based clients
– When a TCP-based client wishes to establish a connection to an object
that is reachable only via a firewall, it must open a TCP connection to
the appropriate SOCKS port on the SOCKS server system. The
SOCKS service is conventionally located on TCP port 1080.
– If the connection request succeeds, the client enters a negotiation for
the authentication method to be used, authenticates with the chosen
method, then sends a relay request.
– The SOCKS server evaluates the request, and either establishes the
appropriate connection or denies it.
T. A. Yang
Network Security
16
T. A. Yang
Network Security
17
Application-level Gateways
• A proxy server that allows a specific application protocol
to traverse a firewall.
• A sample scenario: The packet filter of a firewall blocks
all inbound Telent and FTP sessions, unless the
sessions are terminated by a bastion host.
– Multiple application gateways may be running on the bastion
host a proxy server for FTP, a proxy server for Telent, …
– A user who wishes to connect inbound to an intranet server must
have his Telnet or FTP client connect to the application gateway.
T. A. Yang
Network Security
18
T. A. Yang
Network Security
19
Application-level Gateways
• To properly authenticate the user, an application
gateway must have access to authentication and
authorization information, either locally or
remotely:
– User-level authentication info may be stored locally
on the firewall
– User-level authentication info may be stored in a
centralized authentication server (e.g., RADIUS,
TACACS+)
T. A. Yang
Network Security
20
Trade-offs of Firewalls
•
Advantages:
1. Provides basic access control services for an intranet
2. Provides a centralized filtering/gateway function
3. (To some degree) Relieves individual hosts the
responsibility of having a filter or firewall itself
4. Centralized management of filtering rules
•
Limitations: next
T. A. Yang
Network Security
21
Trade-offs of Firewalls
•
Limitations:
1.
Cannot protect sites and corporate intranets against insider attacks
internal / intranet firewalls
2.
Can be circumvented by tunneling unauthorized application
protocols in authorized ones
3.
Little protection against attacks embedded in the data field of a
packet (e.g., virus-infected programs or data files, malicious Java
applets, malicious ActiveX controls, …)
4.
May foster a false sense of security lax security within the
firewall perimeter
T. A. Yang
Network Security
22
Positioning of Firewalls
• Positioning a firewall is as important as using the right type of
firewall and configuring it correctly.
• Goals:
– The positioning of the firewall should effectively screen the types of
traffic.
– The positioning of the firewall should ensure there are no back doors
into the protected network. (The firewall cannot be bypassed.)
• Some guidelines:
– Position the firewall to clearly delimit the public network and the private
network.
– Use an additional firewall to protect a critical segment.
– Build a DMZ to hold servers that need to be accessed from the public
network. Do not put them inside the private network!
– Most firewalls are stateful, so avoid ‘asymmetric routing’!
– Use layering (stacked) firewalls.
Why? 2 reasons (a. layered protection; b. allowing different filtering
rules)
T. A. Yang
Network Security
23
Dual-Homed Firewalls
• A dual-homed host is a host with two network interfaces,
each of which is connected to a different network.
• A dual-homed firewall is a dual-homed host on which IP
routing and forwarding are disabled.
– IP packets can no longer be routed or forwarded between the
two networks.
– Data can only be transferred from one network to the other if
there is an application gateway running on the firewall to do that.
– See diagram next.
T. A. Yang
Network Security
24
inner screening
router
T. A. Yang
Network Security
outer screening
router
25
Dual-Homed Firewalls
• The outer screening router makes sure that
– All incoming packets have the bastion host as the
destination address.
– All outgoing packets have the bastion host as the
source address.
• The inner screening router makes sure that
– All incoming packets have the bastion host as the
source address.
– All outgoing packets have the bastion host as the
destination address.
• Packet filtering rules need to be configured.
T. A. Yang
Network Security
26
Screened Subnet Firewalls
• Two separate screening routers: outer, inner
(see diagram next)
• DMZ: the subnet in between the two screening
routers
• The bastion host is part of the DMZ.
• A packet must pass both screening routers
before it reach the intranet.
• When configured properly (e.g., using NAT),
only the bastion host and other servers in the
DMZ can be seen from the Internet.
T. A. Yang
Network Security
27
outer screening
router
inner screening
router
the DMZ
T. A. Yang
Network Security
28
Layering Firewalls
• Examples:
The DCSL Network
T. A. Yang
Network Security
29