Traffic Management for Point-to-Point and
Download
Report
Transcript Traffic Management for Point-to-Point and
Firewalls and Firewall Testing
Techniques
Sonia Fahmy
Department of Computer Sciences
Purdue University
[email protected]
http://www.cs.purdue.edu/homes/fahmy/
Purdue University
Sonia Fahmy
1
Overview
What is a firewall?
Firewall types and architectures
Firewall operations
Firewall testing
Purdue University
Sonia Fahmy
2
What is a
Firewall?
Gateway (DMZ)
A firewall is a method of achieving security between
trusted and untrusted networks
The choice, configuration and operation of a firewall is
defined by policy, which determines the the services and
type of access permitted
Firewall = policy+implementation
Firewall = “zone of risk” for the trusted network
Purdue University
Sonia Fahmy
3
Firewalls Should…
Support and not impose a security policy
Use a “deny all services except those specifically
permitted” policy
Accommodate new facilities and services
Contain advanced authentication measures
Employ filtering techniques to permit or deny services
to specific hosts and use flexible and user-friendly
filtering
Use proxy services for applications
Handle dial-in
Log suspicious activity
Purdue University
Sonia Fahmy
4
Firewalls Cannot…
Protect against malicious insiders
Protect against connections that do not go through
them (e.g., dial-up)
Protect against new threats or new viruses
Purdue University
Sonia Fahmy
5
Firewalls in Relation to 7 Layers
Packet Level
Filter
Purdue University
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Link Layer
Physical Layer
Application
Level Filter
Sonia Fahmy
6
Simple Packet Filters
Example:
Interface
2
1
Source
*
128.5.*.*
Dest. Prot.
*
TCP
*
TCP
SPort Dport
*
21 (FTP)
*
25 (SMTP)
Internal network
Internet
1
Filter
2
Internal
Difficult to handle X-Windows, RPC (including NFS and
NIS), rlogin, rsh, rexec, rcp, and TFTP
Purdue University
Sonia Fahmy
7
Stateful Inspection
Also known as dynamic packet filtering (dynamic rule set)
Requires storing state for each stream, assuming:
If there is one packet, there will be more
If there is one packet, responses will be returned
Prime candidate for resource starvation attacks
What should be done when table is full?
Least recently used
Random early drop
Time out entries
Wait for FIN messages, etc.
Purdue University
Sonia Fahmy
8
Bastion Host
Internet
R1
R2
Internal
Inside users log onto the bastion host to use outside
services
Outside snoopers cannot see internal traffic even if they
break in the firewall (perimeter = stub network = DMZ)
Purdue University
Sonia Fahmy
9
Firewall Architectures
Internet
R1
R2
Internal
Screened host: Bastion host and exterior router
Screened subnet: Exterior and interior routers
Multiple bastion hosts, multiple interior routers, multiple
exterior routers, multiple internal networks (with/without
backbone), multiple perimeter networks
Merged interior and exterior routers, bastion host and exterior
router and bastion host and interior router (not recommended)
Purdue University
Sonia Fahmy
10
Dual-homed Host
Internet
Internal
The dual-homed host is the firewall in this case
Purdue University
Sonia Fahmy
11
Application-Level Gateways
Internet
Server
Dual-homed Host
and Proxy Server
Client
Specialized programs on bastion host relay requests and
responses, enforcing site policies (refusing some requests)
Sometimes referred to as “proxy servers”
Transparent with special “proxy client” programs
Full protocol decomposition, e.g, Raptor, or “plug mode” e.g.,
Firewall-1 and PIX
Purdue University
Sonia Fahmy
12
Policies
Network service access policy
Defines which services are to be explicitly
allowed or denied+ways in which these services
are to be used
Firewall design policy
Defines how the firewall implements restricted
access and service filtering specified by the
NSAP
FDP must be continuously updated with new
vulnerabilities
Purdue University
Sonia Fahmy
13
Packet Traversal in a Firewall
Packet flow
Packet receipt by firewall
Link layer filtering
Dynamic ruleset (state)
Bypass
Packet legality checks
Packet may be dropped
On
IP and port filtering
Packet may be dropped
Match
NAT/PAT (header rewrite)
Packet reassembly
Application level analysis Stream may be dropped
Routing decision
Dynamic ruleset (state)
Packet sanity checks
Optional outbound filtering
IP and port filtering
Packet release
Purdue University
Sonia Fahmy
14
Firewall Testing
Vulnerabilities = design or coding flaws = invalid
assumptions, e.g., insufficient verification, memory
available, user data, trusted network object, predictable
sequence, etc.
Develop a vulnerability-operation matrix
Place Common Vulnerabilities Exposure (CVE), and its
candidates (CAN), and other known and new firewall
problems in appropriate matrix cell
Find clusters in matrix
Predict problems
Automate firewall testing through focusing on common
problems
Purdue University
Sonia Fahmy
15
Example
CVE-1999-0158
Cisco PIX firewall manager (PFM) allows retrieval
of any file whose name and location is known
PIX proxy’s verification failure
Application level
Insufficient verification
Purdue University
Sonia Fahmy
16
Key Points
Firewalls can employ:
Packet filters
Stateful inspection
Application-level gateways (many types)
Also circuit-level
Large variations, e.g., Raptor, PIX, Firewall-1, Gauntlet
Several architectures to prevent all-or-nothing effect
Importance of policy
Firewall testing automation underway
Purdue University
Sonia Fahmy
17
References
RFC 2647, “Benchmarking” + drafts
Simonds, “Network Security”, 1996
Hunt, “Internet/Intranet firewall security”, Computer
Communications, 1998
Frantzen et al, “A framework for understanding
vulnerabilties in firewalls using a dataflow model of firewall
internals”, in preparation
Kamara et al, “Testing firewalls”, in preparation
Chapman, “Network (In)Security through IP packet
filtering”
http://cve.mitre.org/, www.sans.org, www.cert.org
Web pages and mailing lists
Purdue University
Sonia Fahmy
18
Thank You!
Questions?
Purdue University
Sonia Fahmy
19