Perimeter Protection - Lyle School of Engineering


Firewalls
SMU
CSE 5349/7349
Firewalls
• Most widely sold solution for Internet security
– "Solution in a box" appeal
• Not a substitute for proper configuration management
• A firewall has to be configured properly to give the intended protection
Types of Firewalls
• IP packet level
– Packet filtering
• TCP session level
– Circuit gateways
• Application level
– Application relays/gateways
• Dynamic packet filtering
– Combination of packet filtering and circuit-level gateways, often with application-level semantics
• NATs, IDSs, logging
• Ingress vs. egress filtering
Firewalls and OSI Layers
OSI Model Layer            Firewall Functionality
7 - Application            Application-level proxies, forward and reverse proxies
6 - Presentation           -
5 - Session                Stateful firewall
4 - Transport (TCP/UDP)    Port filtering, circuit-level proxy
3 - Network (IP)           Packet filtering, address filtering (packet-filtering firewall)
2 - Data Link              -
1 - Physical               -
Packet Filters
• Read the packet header and filter on whether its fields match specific rules
– The administrator makes a list of acceptable/unacceptable field values
– Ingress/egress filtering
• Come in standard, specialized, and stateful models
• Weaknesses
– Easy to botch the rules
– Logging is difficult
– No authentication between the end points (a source address is only a claim)
Network Topology and Address Spoofing
• Consider a three-network system (N1, N2, and N3) behind one router firewall
– N1 is the DMZ net that hosts the gateway (GW)
– Very limited connectivity between the GW and the outside
– Very limited connectivity (a different set of services) between the GW and N2/N3 (why?)
– Anything can pass between N2 and N3
– Outgoing connections only from N2 or N3
• How to set the packet filter rules
– External nodes can spoof internal addresses: on the external interface, block every packet whose source address falls in an internal address range
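The rule set for this topology, written out as a first-match packet filter. This is an added example, not code from the lecture; the address ranges (192.0.2.0/24 for the DMZ N1, 10.2.0.0/16 for N2, 10.3.0.0/16 for N3), the service ports and the interface names "ext"/"int" are assumptions chosen for illustration. The anti-spoofing rule comes first so no later "allow" can be reached by a forged internal source, and the egress rule only admits packets whose source really is N2 or N3, so inside hosts cannot spoof outward either.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple

# Constructed address plan (assumption, not from the slides):
DMZ = ip_network("192.0.2.0/24")   # N1, the DMZ holding the gateway services
N2 = ip_network("10.2.0.0/16")      # internal net N2
N3 = ip_network("10.3.0.0/16")      # internal net N3
INTERNAL = (DMZ, N2, N3)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = arrived from the Internet, "int" = from the N2/N3 side
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    iface: Optional[str] = None              # None matches either interface
    src: Sequence[IPv4Network] = (ANY,)
    dst: Sequence[IPv4Network] = (ANY,)
    proto: Optional[str] = None
    dports: Optional[Sequence[int]] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        return ((self.iface is None or self.iface == p.iface)
                and any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


RULES = [
    # 1. Anti-spoofing: a packet from the Internet must never carry an internal source.
    Rule("deny", iface="ext", src=INTERNAL, note="spoofed internal source"),
    # 2. Outside -> GW in the DMZ: only the published services (assumed: SMTP, HTTP).
    Rule("allow", iface="ext", dst=(DMZ,), proto="tcp", dports=(25, 80), note="public services on GW"),
    # 3. N2/N3 -> GW: a different, smaller set (assumed: mail submission only).
    Rule("allow", iface="int", src=(N2, N3), dst=(DMZ,), proto="tcp", dports=(25,), note="internal to GW"),
    # 4. Nothing else from inside may reach the DMZ.
    Rule("deny", iface="int", dst=(DMZ,), note="no other internal to DMZ"),
    # 5. N2 <-> N3 is unrestricted.
    Rule("allow", iface="int", src=(N2, N3), dst=(N2, N3), note="N2/N3 free"),
    # 6. Outgoing connections from N2/N3 to anywhere; the src check is egress anti-spoofing.
    Rule("allow", iface="int", src=(N2, N3), note="egress from N2/N3"),
    # 7. Default deny.
    Rule("deny", note="default deny"),
]


def filter_packet(p: Packet, rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation; returns (action, note of the matching rule)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "no rule"  # unreachable with a trailing default deny, kept as a safety net
```

Rule 4 is the one people forget: without it, the broad egress rule (6) would let any inside host reach any port on the gateway, defeating the "very limited" connectivity the topology calls for.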
Routing Filters
• Perfect security if the node is completely unreachable
– Routers do not advertise internal routes
• Output route filtering (what we advertise to the outside)
– Input route filtering? (which advertised routes we accept from the outside)
• To prevent subversion by route confusion
– Route leaks
Stateful Packet Filters (SPFs)
– Track the last few minutes of network activity
– If a packet does not fit into any known session, drop it
– Stronger inspection engines search for information inside the packet's data
– Have to collect and reassemble packets in order to have enough data
– Examples:
• Firewall One, SeattleLabs, ipfilter
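A minimal stateful filter of the kind the slide describes, written as an added example (not the lecture's code and not how any of the named products implement it). Flows are keyed by the 5-tuple, created only by traffic leaving the inside (a TCP SYN without ACK, or any UDP datagram), refreshed on every matching packet and forgotten after an idle timeout; the 120-second timeout and the in/out direction labels are assumptions. The clock is passed in explicitly so the expiry logic can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

IDLE_TIMEOUT = 120.0   # seconds of silence before a flow is forgotten (assumed value)


@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flag bits; ignored for udp
    ack: bool = False


FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFilter:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, float] = {}   # outbound flow -> time of last activity

    def _expire(self, now: float) -> None:
        dead = [k for k, t in self.flows.items() if now - t > IDLE_TIMEOUT]
        for k in dead:
            del self.flows[k]

    def decide(self, p: Pkt, now: float) -> str:
        """Return "allow" or "drop" for one packet seen at time `now`."""
        self._expire(now)
        fwd: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out":
            if fwd in self.flows:
                self.flows[fwd] = now            # existing flow keeps going
                return "allow"
            if p.proto == "udp" or (p.syn and not p.ack):
                self.flows[fwd] = now            # new flow initiated from inside
                return "allow"
            return "drop"                        # outbound packet with no flow and no SYN
        # Inbound: only packets that answer something we saw leave.
        if rev in self.flows:
            self.flows[rev] = now
            return "allow"
        return "drop"                            # unsolicited SYN, ACK-only probe, stale reply
```

The ACK-only case is why this beats a stateless "established" rule that merely checks the ACK bit: a bare ACK to a port that never had an outbound flow is dropped here, whereas an ACK-bit-only rule would pass it.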
Packet Filtering Performance
• Filtering may defeat the router's optimized packet-handling path
• Still, the serial link from the router to the Internet is usually the bottleneck
• Keep the rules simple and uniform
• Order the rules so the most common type of traffic matches first
Proxy Firewalls
• Pass data between two separate connections, one on each side of the firewall
• Types:
– Circuit-level proxy
– Application proxy
– Store-and-forward proxy
• Higher latency and lower throughput than packet filtering
Circuit Level Proxy
• The client connects to the relay host and requests a connection to the server
• The FW connects to the server on the client's behalf
– The server usually does not get details such as the IP address of the client
– All IP-level tricks are stopped at the relay host
• Fragments
• Firewalking probes
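The exchange above, as an added example not taken from the lecture: a toy relay host accepts a one-line "CONNECT host:port" request (an assumed, SOCKS-like wire format), checks the port against its policy, opens its own TCP connection to the server and copies bytes in both directions. Everything runs on loopback, and the demo returns what the server recorded as its peer, which is the relay's socket, not the client's; the server never sees the client's IP packets, so fragment and TTL tricks end at the relay.

```python
import socket
import threading
from typing import Dict, List, Set, Tuple

Addr = Tuple[str, int]


def _readline(sock: socket.socket) -> bytes:
    """Read one line a byte at a time so no payload after it is swallowed."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def echo_server(listener: socket.socket, seen: List[Addr]) -> None:
    """Toy origin server: records the peer it sees and echoes one message."""
    conn, peer = listener.accept()
    seen.append(peer)
    with conn:
        conn.sendall(conn.recv(4096))


def circuit_relay(listener: socket.socket, allowed_ports: Set[int],
                  upstream_addrs: List[Addr], sessions: int) -> None:
    """Relay host: parse 'CONNECT host:port', apply policy, then shuttle bytes
    over a second connection that the relay itself originates."""
    for _ in range(sessions):
        client, _ = listener.accept()
        with client:
            request = _readline(client).decode().strip()
            verb, _, target = request.partition(" ")
            host, _, port = target.rpartition(":")
            if verb != "CONNECT" or not port.isdigit() or int(port) not in allowed_ports:
                client.sendall(b"DENIED\n")
                continue
            with socket.create_connection((host, int(port))) as up:
                upstream_addrs.append(up.getsockname())   # the address the server will see
                client.sendall(b"OK\n")
                t = threading.Thread(target=_pipe, args=(up, client))
                t.start()
                _pipe(client, up)
                t.join()


def run_demo() -> Dict[str, object]:
    """One allowed circuit and one denied circuit, all on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    rly = socket.socket()
    rly.bind(("127.0.0.1", 0))
    rly.listen()
    srv_port = srv.getsockname()[1]
    seen: List[Addr] = []
    upstream: List[Addr] = []
    threading.Thread(target=echo_server, args=(srv, seen), daemon=True).start()
    threading.Thread(target=circuit_relay, args=(rly, {srv_port}, upstream, 2), daemon=True).start()

    with socket.create_connection(rly.getsockname()) as c:
        client_addr = c.getsockname()
        c.sendall(f"CONNECT 127.0.0.1:{srv_port}\n".encode())
        status = _readline(c)
        c.sendall(b"hello via relay")
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk

    with socket.create_connection(rly.getsockname()) as c:
        c.sendall(b"CONNECT 127.0.0.1:23\n")     # port 23 is not in the allowed set
        denied = _readline(c)

    srv.close()
    rly.close()
    return {"status": status, "reply": reply, "denied": denied, "client_addr": client_addr,
            "server_saw": seen[0], "relay_upstream": upstream[0]}
```

Because the relay terminates the client's TCP connection and opens a fresh one, the server's view of the "client" is the relay's own socket; on a real network that is the relay host's address, and here it is at least a different port from the client's.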
Application Proxy
• The FW transfers only acceptable information between the two connections
• The proxy understands the protocol and can filter the data within it
– Example: mail proxies
• Usually store-and-forward
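A mail proxy of the kind the slide mentions, as an added example rather than code from the lecture or any product. It parses the SMTP command stream, forwards only a permitted set of verbs (so VRFY and EXPN, which leak account names, never reach the real server), refuses recipients outside the local domain (so the proxy cannot be used as an open relay), and holds the message body until the terminating "." line before handing anything on, which is the store-and-forward behaviour. The permitted verbs, the local domain example.com and the sample session are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Policy (assumed for illustration):
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
LOCAL_DOMAINS = {"example.com"}        # inbound mail may only be addressed here
MAX_LINE = 512                         # SMTP command-line limit (RFC 5321)
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


def check_command(line: str) -> Tuple[str, str]:
    """Decide for one command line: ('forward', line) or ('reject', SMTP reply)."""
    if len(line) > MAX_LINE:
        return "reject", "500 Line too long"
    verb = line.split(" ", 1)[0].upper()
    if verb not in ALLOWED_VERBS:          # VRFY, EXPN, TURN ... stop at the proxy
        return "reject", f"502 Command not permitted: {verb}"
    if verb == "RCPT":
        m = ADDR_RE.search(line)
        if not m:
            return "reject", "501 Bad recipient syntax"
        if m.group(2).lower() not in LOCAL_DOMAINS:
            return "reject", "550 Relaying denied"
    return "forward", line


def relay_session(client_lines: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Run a whole client dialogue through the policy.

    Commands are forwarded one by one; the body after DATA is stored until the
    final '.' line (store-and-forward) with SMTP dot-unstuffing applied.
    Returns (forwarded_commands, stored_body, rejection_replies)."""
    forwarded: List[str] = []
    body: List[str] = []
    rejections: List[str] = []
    in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
            else:
                body.append(line[1:] if line.startswith("..") else line)
            continue
        action, reply = check_command(line)
        if action == "reject":
            rejections.append(reply)
            continue
        forwarded.append(line)
        if line.split(" ", 1)[0].upper() == "DATA":
            in_data = True
    return forwarded, body, rejections


# Constructed sample session (not a real capture).
SAMPLE_SESSION = [
    "EHLO mail.remote.test",
    "VRFY root",
    "MAIL FROM:<alice@remote.test>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<victim@other.org>",
    "DATA",
    "Subject: hi",
    "",
    "..leading dot",
    ".",
    "QUIT",
]
```

A packet filter that merely allows TCP/25 would pass every one of those lines; only a proxy that speaks SMTP can tell VRFY from MAIL or a local recipient from a relay attempt.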
Caching Proxies
• The client asks the firewall for a document; the firewall downloads the document, saves it to disk, and provides it to the client. The firewall may cache the document for later requests.
• Can do data filtering
• More administration time, hardware, and cost
Network Address Translation
(NAT)
• Changes IP addresses in a packet
– The address of the inside client never shows up outside
– Many IPs inside to many static IPs outside
– Many IPs inside to many dynamically chosen IPs outside
– Many IPs inside to one IP address outside
• Examples: Cisco PIX, Linux masquerading, Firewall One, ipfilter
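The first and last of those modes, as an added example that is not code from the lecture or from any of the listed products: a static one-to-one table, and a many-to-one ("masquerading") translator that distinguishes inside hosts by the source port it assigns and rewrites replies back. Addresses, the starting port 40000 and the sample flows are constructed for the example. Note what each mode does with an unsolicited inbound packet: static NAT still delivers it (so a filter is needed in front of it), masquerading has no mapping and drops it.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StaticNAT:
    """Many inside IPs to many static outside IPs: a fixed one-to-one table."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.inside_to_out = dict(table)
        self.out_to_inside = {o: i for i, o in table.items()}

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        pub = self.inside_to_out.get(p.src)
        return None if pub is None else replace(p, src=pub)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        inside = self.out_to_inside.get(p.dst)
        return None if inside is None else replace(p, dst=inside)   # delivered even if unsolicited


class MasqueradingNAT:
    """Many inside IPs to one outside IP: flows are told apart by translated source port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out: Dict[Tuple[str, str, int, str, int], int] = {}          # inside flow -> public port
        self.back: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}  # (proto, pub port, peer, peer port) -> (inside, port)

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out.get(key)
        if port is None:                          # first packet of a new flow: allocate a port
            port = next(self._ports)
            self.out[key] = port
            self.back[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Reply addressed to the public IP; None means no inside host owns this flow."""
        inside = self.back.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:
            return None                           # unsolicited: nothing to deliver it to
        return replace(p, dst=inside[0], dport=inside[1])
```

The masquerading table is, in effect, the same per-flow state a stateful packet filter keeps, which is why many-to-one NAT products double as stateful firewalls for inbound traffic.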
Logging
• Cheap solution to most behavioral problems
– Program logging
– syslog / NT event log
– Sniffers
• tcpdump, ssldump, Argus, Network General, HP OpenView
• Downside
– Overhead intensive
– Does not prevent damage (reactive rather than proactive)
Firewall Pitfalls
• Single point of failure
• Useful ones are difficult to configure and integrate
• Performance requirements tend to create back doors
• False sense of security
– Perhaps 40% protection against the top attacks
Where to Put FW
(diagram slide)

Where (cont'd)
(diagram slide)
DMZ
• Neither internal nor external
• Placed between the external router and the bastion host
• The idea is to minimize the services exposed and hence the potential attacks
• Example: for a web server, stop everything but HTTP
• Multiple zones for increased availability/security
Distributed Firewalls (DFWs)
• To avoid a single point of failure (S-P-O-F)
• To distribute risks
• Better scalability
• Trend toward sophisticated protocols
– IPsec
– Instead of trusting IP headers, use authentication codes
Switched Firewalls
(Air-gap Technology)