Transcript Firewall
Overview
• Security
• Type of attacks
• Firewalls
• Protocols
• Packet filter
Computer Net Lab/Praktikum Datenverarbeitung 2
1
Security
• Security means protecting information (during and after processing)
against impairment and against loss of confidentiality, integrity and
availability.
Achieved by:
– strategies for availability and storage:
backups, redundant systems, RAID systems
– protection against unauthorized access:
firewalls, encryption algorithms, etc.
Security requirements
• Availability
ensures that authorized persons are able to access data and
communication services at any time.
• Integrity
guarantees that the data are authentic and unmodified.
• Confidentiality (privacy)
protects confidential information against unintended access.
Threats
• Active attacks
– Intrusion by unauthorized persons
– Impairment and disruption of network operation
– Data modification
• Passive attacks
– Eavesdropping on passwords
– Eavesdropping on data
– Network traffic analysis
Aggressor
Who attacks?
– Competitors
– Hackers/crackers (beginners, professionals)
– Professional hackers (industrial espionage)
– Colleagues (approx. 70% of all attacks come from
colleagues, i.e. insiders)
Examples
• February 2001
Hackers stole around 80,000 DIN A4 pages of confidential
information such as credit card numbers, passwords, etc. from the
server of the World Economic Forum.
• October 2000
By use of so-called trojans, hackers got access to passwords of
Microsoft employees. So the hackers were able to steal the
newest source code release of a Microsoft operating system.
• February 2000
Yahoo was the victim of a Denial-of-Service attack. The Yahoo
website was unavailable for more than 3 hours.
Kinds of attacks
• Password attack
• Data attack
• Malicious code
• Scanner
• Spoofing
• FTP, Mail, Telnet
• DoS attack
Password attack
• 3 methods
– Guessing on the basis of known or suspected user accounts
(names).
– Brute-force or dictionary attack on a password file by use of special
applications, e.g. Crack.
– Eavesdropping on connections in order to find out user names and
their passwords.
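The first two methods above (name-based guessing and a dictionary attack on a stolen password file) as an added, runnable example; this is not code from the course or from the Crack tool. The password-file format "user:salt$hex(sha256(salt+password))", the three accounts and the word list are constructed for the example (real /etc/shadow files use other hash formats, the attack is the same):

```python
import hashlib
import itertools


def hash_password(salt: str, password: str) -> str:
    # Constructed scheme for the example: salted SHA-256, hex encoded.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    return f"{user}:{salt}${hash_password(salt, password)}"


# Constructed "stolen password file" (generated here so the example is self-contained).
PASSWORD_FILE = "\n".join([
    make_entry("alice", "x9", "alice1"),       # weak: derived from the account name
    make_entry("bob", "q4", "summer"),         # weak: plain dictionary word
    make_entry("carol", "m7", "T7#v!2pQz0"),   # strong: will not be recovered here
])

# Constructed mini word list; real attacks use lists with millions of entries.
WORDLIST = ["password", "summer", "letmein", "123456"]


def parse_password_file(text: str) -> dict:
    """Return {user: (salt, digest)} from the constructed file format."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def name_based_guesses(user: str):
    """Method 1: candidates built from the account name itself."""
    for base in (user, user.capitalize(), user[::-1]):
        yield base
        for suffix in ("1", "123", "2000"):
            yield base + suffix


def crack(text: str, wordlist) -> dict:
    """Methods 1 + 2: per account, try name-based guesses, then the word list.
    The salt must be hashed together with every candidate, which is exactly
    what salting forces an attacker to do (no precomputed tables)."""
    recovered = {}
    for user, (salt, digest) in parse_password_file(text).items():
        for candidate in itertools.chain(name_based_guesses(user), wordlist):
            if hash_password(salt, candidate) == digest:
                recovered[user] = candidate
                break
    return recovered


if __name__ == "__main__":
    print(crack(PASSWORD_FILE, WORDLIST))   # alice and bob fall, carol survives
```

The run recovers alice and bob and fails on carol. The salt does not stop this: it only prevents one precomputed table from being reused across accounts. What stops it is a password that is in no word list and not derived from the account name, and a slow hash (bcrypt, scrypt, Argon2) that makes each guess expensive.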
Data attack
• Data attacks are carried out with so-called sniffers.
• Sniffers, or network monitoring tools, are applications
which were originally written to monitor and analyse network
traffic.
• Usually a computer receives via its network interface card only
those packets which are destined for itself.
• But it is possible to capture all traffic on the segment. This is done
by running the network interface card in a special mode, the
promiscuous mode. (On a shared medium such as a hub this exposes
every host's traffic; on a switched network the attacker additionally
has to redirect traffic to himself, e.g. by ARP spoofing.)
Extremely dangerous: a sniffer installed on a server
Malicious Code
• Malicious code is unauthorized code (it may be hidden inside a
legitimate application) doing jobs which are unknown to the user and
usually undesired.
• Examples:
– Viruses
– Trojan horses
– Worms
Scanner
• Scanners are security tools which were originally written to
find weak points of a system. There are system
scanners and network scanners.
• System scanner:
scans its local host in order to find security gaps or
configuration problems.
• Network scanner:
scans computers connected to a network. It checks services
and ports and thereby delivers information about possible
security gaps.
Spoofing
• Spoofing is used to outwit authentication and
identification mechanisms which are based on trusted
addresses and/or hostnames.
• A distinction is drawn between:
– IP spoofing
denotes forging the sender IP address of a packet.
– DNS spoofing
means corrupting the entries of DNS servers (or the answers
they give), so that a hostname resolves to the attacker's address.
FTP, Mail, Telnet
• FTP:
– Authentication by user name and password.
– No encryption of data or password.
• Mail:
– Sending of big mails affects the mail server's availability (mail
bombing).
– Sending of mails with forged sender information.
• Telnet:
– No password encryption.
– No data encryption.
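What a sniffer in promiscuous mode (slide "Data attack") actually gets out of the cleartext protocols listed here, as an added example that is not part of the original slides: the code builds a few Ethernet/IPv4/TCP frames from constructed data (addresses from documentation ranges, no checksums), parses the headers the way a sniffer does, and picks the FTP USER/PASS lines out of the payload. The frame builder, the addresses and the credentials are all assumptions made for the example.

```python
import struct

# Destination ports of protocols that carry credentials in cleartext (assumed list).
CREDENTIAL_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the example (no checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Sniffer side: return (src_ip, dst_ip, sport, dport, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4            # header length in bytes
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    if frame[ip_start + 9] != 6:                  # protocol field: 6 = TCP
        return None
    src = bytes_to_ip(frame[ip_start + 12:ip_start + 16])
    dst = bytes_to_ip(frame[ip_start + 16:ip_start + 20])
    tcp_start = ip_start + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4   # TCP header length in bytes
    payload = frame[tcp_start + data_off:ip_start + total_len]
    return src, dst, sport, dport, payload


def extract_credentials(frames):
    """Return (protocol, src, dst, line) for every USER/PASS line seen on a credential port."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport not in CREDENTIAL_PORTS:
            continue
        for line in payload.decode("ascii", "replace").split("\r\n"):
            if line.upper().startswith(("USER ", "PASS ")):
                found.append((CREDENTIAL_PORTS[dport], src, dst, line))
    return found


# Constructed capture: an FTP login followed by an unrelated HTTP request.
CAPTURE = [
    build_frame("10.0.0.5", "192.0.2.10", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40001, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.7", "192.0.2.20", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in extract_credentials(CAPTURE):
        print(hit)
```

The FTP user name and password come out of the capture unchanged, which is the whole point of the slide: nothing in FTP or Telnet protects them. Telnet is slightly more work for the attacker, since it often sends one keystroke per packet and the stream has to be reassembled first; the outcome is the same. The defence is not a filter rule but replacing these protocols with SSH/SFTP and TLS.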
DoS attacks
• DoS = Denial of Service.
• Most common attack (simple and fast).
• Goal is to knock out the attacked system or at least to disturb
access for legitimate users.
• Not easy to fend off.
• Next step: DDoS = Distributed Denial of Service
Several machines start an attack at the same time.
Examples: TCP SYN flooding, ping flooding
Firewall Basics
• A firewall is a hurdle between two networks which must be cleared in
order to allow communication from one network to the other. All
communication between the networks must pass through the firewall.
[Figure: Internet -- Firewall -- private, local net]
Definition Firewall
• A firewall consists of one or more hardware and software
components.
• A firewall connects two networks in such a way that all traffic between
the networks must pass the firewall.
• A firewall implements a security policy, which realises access
restrictions and, if required, logging of attacks.
• A firewall lets only those packets pass which comply with the
security policy.
What a Firewall can do
• Restrict traffic between two networks.
• Allow access only to specific machines or services.
• Monitor and log network traffic => logs.
• Manipulate network traffic by special functions (e.g. traffic
limitation, IP address replacement (NAT), etc.).
What a Firewall can't do
• Close security gaps directly.
• Correct configuration or installation mistakes.
• Detect viruses or trojans.
• Make a network totally secure.
Firewall Concepts
• Packet filter
Filtering on the network and transport layer (IP addresses and ports).
• Proxy gateways
– Circuit level gateway
Filtering on the transport layer (per connection).
– Application level gateway
Filtering on the application layer (protocol dependent).
• Graphical firewall
All internet applications run outside of the protected network.
Only the graphical output is delivered to the inside.
Proxy Gateway
• Proxy = gatekeeper: it acts on behalf of the client.
• A proxy firewall acts as a server for the client and as a client for
the server.
[Figure: private, local net -- firewall with application-dependent
proxy services (HTTP gateway, FTP gateway) -- Internet]
Proxy Gateway
• Offers application-specific services for clients.
• Control and monitoring functions for a specific application.
• Examples:
– Prevent a client from using FTP to transfer data (via the
"put" command) to an external FTP server.
– Forbid access to particular HTTP sites.
• In contrast to packet filters the connection is really interrupted: the
proxy terminates the client's connection and opens its own to the server.
• IP addresses of the internal network are invisible to the outside.
Protocols
Application:    HTTP  FTP  SMTP  DNS  SNMP  RIP
Transport:      TCP  UDP
Internet:       IP
Phys. Network:  Ethernet  Token-Ring  ATM
IP
• It carries the transport protocols TCP and UDP.
• It builds IP packets out of the data which have to be
transmitted.
• It adds additional information, the IP header. It contains source
and destination address.
TCP
• TCP (Transmission Control Protocol) acknowledges every received
data segment.
• TCP retransmits each segment until its receipt is acknowledged.
• TCP is reliable, that means delivery in order and without loss is
guaranteed (or the connection fails with an error).
[Figure: TCP header, 32-bit rows]
Port Communication
• Communication via TCP/IP operates by IP addresses and ports.
• Each IP address has 2^16 = 65536 potential ports (per transport
protocol, TCP and UDP separately).
• The ports below 1024 are standardized (well-known ports), which
are allocated to dedicated services, e.g.:
23 telnet
25 smtp
80 http
443 https
[Figure: host 134.91.100.1 with ports 23, 25, 80, ..., 30000]
Packet filter
• Filtering of packets by:
– Sender/destination IP addresses
– Sender/destination ports (services)
– Protocol (TCP, UDP, ICMP)
• Separate filtering of incoming packets (INPUT) and outgoing
packets (OUTPUT).
• Different rules for the input filter and the output filter.
• A list of rules is a so-called chain.
• A packet is checked against one rule after the other until either one
rule matches (first match wins) or the end of the list is reached.
Packet filter (Chains)
[Figure: an incoming packet from the network interface traverses the
INPUT chain: rule 1 matches? no -> rule 2 matches? no -> rule 3 matches?
...; an outgoing packet traverses the OUTPUT chain in the same way
(rule 1, rule 2, rule 3, ...) before it reaches the network interface.]
Packet filter (Policies)
• Every chain has a default setting for packet treatment, the so-called
policy. The policy comes into play after a packet has been
checked against all rules of a chain.
• If no rule matches, the default policy applies.
• There are two different strategies:
– Deny every packet. Only well-defined kinds of packets are
allowed (default deny; better).
– Allow every packet. Only well-defined kinds of packets are
forbidden (default allow).
Packet filter (Reject vs. Drop)
• Packet filters have two different methods to handle a packet that
is not accepted.
– Reject: the packet is discarded and an ICMP error
message is sent back to the sender.
– Drop: the packet is silently discarded.
• Drop is the better choice towards untrusted networks, because:
– less traffic,
– the packet could be part of an attack,
– even an error message is useful information for an
attacker (it reveals that a filter exists and where).
Towards the own, internal network Reject is friendlier: local clients
get an immediate error instead of waiting for a timeout.
Filtering of incoming packets
• Filtering according to sender IP
There are some groups of IP addresses which can generally be
dropped on the external interface, for example: IP addresses of our
own subnet (a packet arriving from outside with such a source
address must be spoofed), etc.
• Filtering according to destination IP
Only packets addressed to our own network are accepted.
• Filtering according to sender/destination port
We have to distinguish between requests of external clients to
our own servers and incoming answers of external servers
destined for local clients.
Filtering of outgoing packets
• Filtering according to sender IP
Only packets with correct IP addresses of our own network are
allowed to pass.
• Filtering according to destination IP
Depends on the requested services, e.g. a request to an external mail
server.
• Filtering according to sender port
Client requests to external resources usually originate from ports
above 1024. Local servers use well-known ports (below 1024)
as sender port when they answer external clients.
• Filtering according to destination port
Answers to external clients (accessing local servers) go to
destination ports above 1024. Internal clients use well-known ports
below 1024 as destination port when accessing external servers.
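The packet filter slides above (chains, first-match evaluation, default policy, Reject vs. Drop, and the incoming/outgoing address and port rules) as one added, runnable model. This is not code from the course and not iptables; it is a small Python simulation that applies the same logic to constructed packets. The protected network 192.0.2.0/24, the external addresses 198.51.100.x and the service (SMTP on port 25) are assumed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

LAN = "192.0.2.0/24"               # assumed: our protected network
EPHEMERAL = range(1024, 65536)     # client-side ports
WELL_KNOWN = range(1, 1024)        # server-side (standard) ports


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT", "DROP" or "REJECT"
    comment: str
    proto: Optional[str] = None     # None = any
    src: Optional[str] = None       # CIDR, "!CIDR" for negation, None = any
    dst: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None


def in_net(addr: str, cidr: Optional[str]) -> bool:
    if cidr is None:
        return True
    negate = cidr.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(cidr.lstrip("!"))
    return hit != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and (rule.sport is None or pkt.sport in rule.sport)
            and (rule.dport is None or pkt.dport in rule.dport))


class Chain:
    """Ordered rule list with a default policy: the first matching rule decides."""
    def __init__(self, name: str, policy: str):
        self.name, self.policy, self.rules = name, policy, []

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for i, rule in enumerate(self.rules, 1):
            if matches(rule, pkt):
                return rule.target, f"{self.name} rule {i} ({rule.comment})"
        return self.policy, f"{self.name} default policy"


def response_for(verdict: str, pkt: Packet) -> Optional[Packet]:
    """REJECT answers the sender with an ICMP error; DROP stays silent."""
    return Packet("icmp", src=pkt.dst, dst=pkt.src) if verdict == "REJECT" else None


def build_chains(lan: str = LAN) -> Tuple[Chain, Chain]:
    inp = Chain("INPUT", policy="DROP")    # default deny on the outside: silent DROP
    inp.rules += [
        Rule("DROP", "anti-spoofing: our own subnet as source from outside", src=lan),
        Rule("ACCEPT", "external clients to our mail server", proto="tcp", dst=lan, dport=range(25, 26)),
        Rule("ACCEPT", "answers of external servers to local clients", proto="tcp",
             dst=lan, sport=WELL_KNOWN, dport=EPHEMERAL),
    ]
    out = Chain("OUTPUT", policy="DROP")
    out.rules += [
        Rule("REJECT", "egress anti-spoofing: not one of our addresses (tell the local sender)", src="!" + lan),
        Rule("ACCEPT", "local clients to external servers", proto="tcp", src=lan, sport=EPHEMERAL, dport=WELL_KNOWN),
        Rule("ACCEPT", "our mail server answering external clients", proto="tcp",
             src=lan, sport=range(25, 26), dport=EPHEMERAL),
    ]
    return inp, out


def run_scenario() -> List[str]:
    inp, out = build_chains()
    cases = [
        (inp, Packet("tcp", "198.51.100.9", "192.0.2.10", 40000, 25)),    # external client -> our SMTP
        (inp, Packet("tcp", "192.0.2.77", "192.0.2.10", 40000, 25)),      # spoofed LAN source from outside
        (inp, Packet("tcp", "198.51.100.80", "192.0.2.20", 80, 50000)),   # web server answer to local client
        (inp, Packet("tcp", "198.51.100.9", "192.0.2.10", 40000, 23)),    # telnet to our host: no rule
        (out, Packet("tcp", "192.0.2.20", "198.51.100.80", 50000, 80)),   # local client -> external web
        (out, Packet("tcp", "10.9.9.9", "198.51.100.80", 50000, 80)),     # forged source leaving our net
    ]
    return [chain.evaluate(pkt)[0] for chain, pkt in cases]


if __name__ == "__main__":
    print(run_scenario())   # ['ACCEPT', 'DROP', 'ACCEPT', 'DROP', 'ACCEPT', 'REJECT']
```

The scenario shows the ordering effect: the anti-spoofing rule sits first, so a spoofed packet never reaches the ACCEPT for the mail server. It also shows the weakness of the purely port-based answer rule (INPUT rule 3): anyone outside can send from source port 80 to a high port and be accepted, because a stateless filter cannot know whether a local client ever asked. That is the gap the stateful filtering slide closes.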
Stateful Filtering
• Stateful filtering means the capability to store the state and
contextual information of a TCP network connection.
=> Dynamic packet filters analyse the state of a TCP connection.
Connection request of client: SYN
Acknowledgement of server: SYN-ACK
Acknowledgement of client: ACK
Further transfer (from both sides): ACK
• Packets (containing the ACK flag) from outside to inside are
only accepted if a packet from inside to outside (containing the
SYN flag) was sent before, i.e. the connection was opened from inside.
Iptables (1)
• iptables (packet filter under Linux)
• Three chains: INPUT, OUTPUT, FORWARD.
• Routing decides whether a packet is delivered to the INPUT chain or
to the FORWARD chain.
• Packets for the machine itself are checked first by the
INPUT chain. If the INPUT chain accepts the packet, it
reaches the local processes.
• Packets for other machines (in our local protected net) run
through the FORWARD chain. If the packet is
accepted, it is delivered to the appropriate network interface.
IPTables (2)
[Figure: incoming packet -> Routing -> FORWARD chain (or Drop) -> outgoing
interface; Routing -> INPUT chain (or Drop) -> local processes -> OUTPUT
chain (or Drop) -> outgoing interface]
IPTables (some commands)
• Delete all rules
iptables --flush
• Drop all packets by default (chain policies)
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
• Drop incoming packets on the external interface which claim to come
from the IP address of our own external interface (spoofed)
iptables -A INPUT -i eth0 -s <myipaddress> -j DROP
Firewall example
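The "Firewall example" slide carries no text in this transcript. As an added example (not the course's own script), here is a Python helper that generates the iptables command lines for the default-deny setup of the preceding slides: flush, DROP policies on all three chains, the anti-spoofing rule for our own external address, plus stateful acceptance of established connections and one open service. The interface name eth0, the external address 198.51.100.1 and the LAN 192.0.2.0/24 are assumed placeholders; by default the script only prints the commands and applies them (as root) only when started with --apply.

```python
import subprocess
import sys
from typing import List


def build_ruleset(ext_if: str = "eth0", my_ip: str = "198.51.100.1",
                  lan: str = "192.0.2.0/24") -> List[List[str]]:
    """Return the iptables commands (argv lists, in order) for a default-deny firewall."""
    rules: List[List[str]] = []

    def add(*args: str) -> None:
        rules.append(["iptables", *args])

    add("--flush")                                 # start from an empty filter table
    add("--policy", "INPUT", "DROP")               # default deny on every chain
    add("--policy", "OUTPUT", "DROP")
    add("--policy", "FORWARD", "DROP")
    add("-A", "INPUT", "-i", "lo", "-j", "ACCEPT")  # local processes talk to each other
    add("-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT")
    # Anti-spoofing: our own external address or our LAN as source on the outside interface.
    add("-A", "INPUT", "-i", ext_if, "-s", my_ip, "-j", "DROP")
    add("-A", "INPUT", "-i", ext_if, "-s", lan, "-j", "DROP")
    # Stateful part: answers to connections we opened; drop what conntrack cannot place.
    add("-A", "INPUT", "-i", ext_if, "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT")
    add("-A", "INPUT", "-i", ext_if, "-m", "state", "--state", "INVALID", "-j", "DROP")
    # The one service reachable from outside: our mail server.
    add("-A", "INPUT", "-i", ext_if, "-p", "tcp", "--dport", "25",
        "-m", "state", "--state", "NEW", "-j", "ACCEPT")
    # Egress: only packets carrying our own address may leave.
    add("-A", "OUTPUT", "-o", ext_if, "-s", my_ip,
        "-m", "state", "--state", "NEW,ESTABLISHED,RELATED", "-j", "ACCEPT")
    # Log whatever falls through before the DROP policy takes it.
    add("-A", "INPUT", "-j", "LOG", "--log-prefix", "FW-DROP: ")
    return rules


def apply_ruleset(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print the commands (dry run) or execute them; returns the number handled."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)   # needs root and a Linux kernel
    return len(rules)


if __name__ == "__main__":
    apply_ruleset(build_ruleset(), dry_run="--apply" not in sys.argv)
```

Two practical notes: the order matters (anti-spoofing before any ACCEPT, ESTABLISHED before the NEW rule so answer traffic is cheap), and the ruleset admits no inbound SSH, so applying it on a remote machine over SSH locks you out; run it from the console or add an ACCEPT for your administrative connection first.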
How can I protect my own PC
• Deactivate all services which are not required.
• Uninstall all programs which are not used regularly.
• Uninstall all programs with well-known security gaps (even when
you need them).
• Inform yourself about security gaps and apply updates.
• Install a virus scanner (freeware: AntiVir).
• Install a personal firewall (freeware: ZoneAlarm).