Transcript Chapter 1
FIREWALLS – Chapter 20
network-based threats
access to outside world
• Functionality, Design
• Security – trusted system
INTERNET CONNECTIVITY
essential –
via LAN, ISP, …..etc
Network – thousands of mixed systems
Firewall is:
a single point for security and audit
Premises Network || firewall || Internet
FIREWALL CHARACTERISTICS
1. All traffic through firewall
2. Only authorised traffic
3. Immune to penetration
- trusted system
- secure Operating System
FIREWALL CONTROL TECHNIQUES
Service – filter (IP address, TCP port no)
- proxy software
- host server e.g. web/mail
Direction – control direction of service requests
User – access control (local users)
- for external users, use IPSec auth.
Behaviour – controls service use
(e.g. filter spam)
- restrict external access to
local web server
FIREWALL CAPABILITIES
1. Single ’choke’ point
unauthorised users out
stop vulnerable services using firewall
stop IP spoofing/routing attacks
2. Location for security monitoring
– audits/alarms
3. Platform for non-security internet functions
(e.g. address translator)
4. Platform for IPSec – VPNs using tunnel
LIMITATIONS
Cannot protect against
- Firewall bypass - e.g. internal system
dial-out
- Internal threats
- Virus - impossible to scan everything
FIREWALL TYPES
Fig 20.1
FIREWALL TYPES
1. Packet Filters
rules applied to IP packet and TCP/UDP header fields
Default rule: forward or discard
- discard (prohibit if not permitted)
- forward (permit if not prohibited)
Table 20.1 (discard policy used)
FIREWALL TYPES
1.Packet Filters (continued) Table 20.1
A – inbound mail allowed, but only to gateway host;
mail from SPIGOT is blocked
B – default policy
C – inside host can send mail outside, but an
external attacker using TCP port 25 also gets in
D – same as C but inbound packets need:
TCP segment ACK flag set
source IP addr. from internal host
i.e. allows incoming packets with port 25
only when ACK is set
FIREWALL TYPES
1.Packet Filters (continued) Table 20.1
E – FTP connections – two TCP connections
1. control connection (FTP setup)
2. data connection (file transfer)
different port no.
Rule sets permit:
- packets that originate internally
- reply packets to a connection initiated by an
internal m/c
- packets to a high-numbered internal port
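The rule sets above, as an added worked example (not code from the slides or the textbook): a small first-match packet filter with the slides' default discard policy. The host names, the internal address set and the contents of rule sets A, D and E are constructed to illustrate the points made about Table 20.1, not the table's actual rows.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed example: a packet-filter rule engine in the spirit of Table 20.1.
INTERNAL_HOSTS = frozenset({"OUR-GW", "HOST-A", "HOST-B"})   # constructed premises hosts


@dataclass
class Packet:
    direction: str        # "in" = from the Internet, "out" = from the premises network
    our_host: str         # premises-side address
    our_port: int
    their_host: str       # Internet-side address
    their_port: int
    ack: bool = False     # TCP ACK flag (clear only on the first segment of a connection)


Match = Union[None, str, int, bool, frozenset]


@dataclass
class Rule:
    action: str                          # "forward" or "discard"
    direction: Optional[str] = None      # None matches anything
    our_host: Match = None               # a single value, or a frozenset of permitted values
    our_port: Match = None
    their_host: Match = None
    their_port: Match = None
    ack: Optional[bool] = None
    our_port_high: Optional[bool] = None  # True: our_port must be > 1023 (rule set E style)

    def matches(self, p: Packet) -> bool:
        for name in ("direction", "our_host", "our_port", "their_host", "their_port", "ack"):
            want, have = getattr(self, name), getattr(p, name)
            if want is None:
                continue
            if isinstance(want, frozenset):
                if have not in want:
                    return False
            elif want != have:
                return False
        if self.our_port_high is not None and (p.our_port > 1023) != self.our_port_high:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; otherwise the default rule (discard policy) applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Rule set A: inbound mail only to the gateway host, and nothing at all from SPIGOT.
SET_A = [
    Rule("discard", their_host="SPIGOT"),
    Rule("forward", direction="in", our_host="OUR-GW", our_port=25),
]

# Rule set D: internal hosts may open connections to port 25 outside; replies come
# back only with ACK set, so an outsider cannot open a connection inward simply by
# choosing source port 25 (the weakness of rule set C).
SET_D = [
    Rule("forward", direction="out", our_host=INTERNAL_HOSTS, their_port=25),
    Rule("forward", direction="in", their_port=25, ack=True),
]

# Rule set E style: FTP control goes out to port 21; the data connection comes back
# from port 20 to a high-numbered internal port, and only as a reply (ACK set).
SET_E = SET_D + [
    Rule("forward", direction="out", our_host=INTERNAL_HOSTS, their_port=21),
    Rule("forward", direction="in", their_port=20, our_port_high=True, ack=True),
]


if __name__ == "__main__":
    probe = Packet("in", "HOST-A", 8080, "attacker.example", 25)   # source port 25, no ACK
    print("rule set D verdict for inbound probe:", filter_packet(SET_D, probe))
```

Swapping `default="discard"` for `"forward"` turns the same rule lists into a permit-if-not-prohibited filter, which is why the slides recommend the discard policy: with forward as the default, every rule set above would let the unlisted traffic through.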
Advantages of packet filtering:
Simple/Transparency/Fast
Disadvantages of packet filtering:
Difficult to configure rules correctly
No authorisation
Attacks on Packet-Filtering Routers
• IP Address Spoofing
intruder sends packets [source IP = internal host addr.]
through the firewall
countermeasure:
discard packets with an internal addr. arriving on the external interface
• Source Routing Attack
source specifies packet route to avoid
security measures
countermeasure:
discard packets using this option
Attacks on Packet-Filtering Routers
• Tiny Fragments Attack
intruder uses IP fragmentation to split the TCP header
across fragments, so the filter does not see the whole header
countermeasure:
discard packets where protocol type is TCP and
IP fragment offset = 1
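The three countermeasures above, as an added example written for this transcript (not the textbook's code): a pre-filter that inspects each arriving packet and lists the reasons it should be discarded. The internal address range, the packet fields and the sample packets are constructed. The last check goes one step beyond the slides: it also drops a first fragment too short to carry the TCP flags, the "direct method" of RFC 1858.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed example: the three slide countermeasures applied at a packet-filtering router.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed premises address space
TCP_MIN_HEADER_BYTES = 16   # enough of a TCP header to hold ports, sequence numbers and flags


@dataclass
class IPPacket:
    iface: str                 # "external" or "internal": interface the packet arrived on
    src: str
    proto: str                 # "tcp", "udp", "icmp", ...
    frag_offset: int = 0       # IP fragment offset, in 8-byte units
    more_frags: bool = False   # IP "more fragments" flag
    payload_len: int = 40      # bytes after the IP header in this fragment
    ip_options: List[str] = field(default_factory=list)   # e.g. "LSRR", "SSRR"


def reasons_to_discard(p: IPPacket) -> List[str]:
    reasons = []
    src = ipaddress.ip_address(p.src)

    # IP address spoofing: an internal source address has no business arriving on
    # the external interface.
    if p.iface == "external" and any(src in net for net in INTERNAL_NETS):
        reasons.append("internal source address on external interface")

    # Source routing: the sender is trying to dictate the path; the slides'
    # countermeasure is to discard any packet carrying the option.
    if any(opt in ("LSRR", "SSRR") for opt in p.ip_options):
        reasons.append("source routing option present")

    # Tiny fragments: a TCP fragment at offset 1 can only exist to carry the rest of a
    # header that was deliberately split off the first fragment.
    if p.proto == "tcp" and p.frag_offset == 1:
        reasons.append("TCP fragment with offset 1")

    # Additional check (RFC 1858 direct method, not on the slides): a first fragment too
    # short to hold the TCP flags cannot be filtered on them, so drop it as well.
    if (p.proto == "tcp" and p.frag_offset == 0 and p.more_frags
            and p.payload_len < TCP_MIN_HEADER_BYTES):
        reasons.append("first TCP fragment too short to carry flags")

    return reasons


def verdict(p: IPPacket) -> str:
    return "discard" if reasons_to_discard(p) else "forward"


if __name__ == "__main__":
    samples = [   # constructed packets
        IPPacket("external", "10.1.2.3", "tcp"),
        IPPacket("external", "198.51.100.7", "tcp", ip_options=["LSRR"]),
        IPPacket("external", "198.51.100.7", "tcp", frag_offset=1),
        IPPacket("external", "198.51.100.7", "tcp"),
    ]
    for s in samples:
        print(verdict(s), reasons_to_discard(s))
```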
TYPES OF FIREWALLS (continued)
2. Application-Level Gateway
(proxy server) - Fig 20.1b
user contacts gateway using a
TCP/IP application (e.g. Telnet/FTP)
user supplies remote host, ID, auth. to gateway
gateway contacts remote host
TCP segments (appl. data) relayed between the two
(if and only if gateway implements
proxy code for the application)
gateway supports only specific
application features
TYPES OF FIREWALLS (continued)
2. Application-Level Gateway
more secure than packet-filters
-only deals with allowable application
- easier to log and audit
disadvantage:
- processing overhead
TYPES OF FIREWALLS (continued)
3. Circuit-Level Gateway
(Fig 20.1c)
stand-alone or specialised appl.-level gateway
NO end-to-end TCP connection:
outside TCP user – TCP connection 1 –
circuit-level gateway – TCP connection 2 –
inside TCP user
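The two-connection relay described above, as an added example (not code from the textbook): the gateway checks its policy once, when the circuit is requested, and then splices two separate connections together without examining the bytes. The user list, destinations and messages are constructed, and `socket.socketpair()` stands in for the two real TCP connections so the example runs offline.

```python
import socket
import threading
from typing import Dict, Set, Tuple

# Constructed example of a circuit-level relay. Users and destinations are made up.
Dest = Tuple[str, int]
ALLOWED_CIRCUITS: Dict[str, Set[Dest]] = {
    "alice": {("mail.corp.example", 25)},
    "bob":   {("mail.corp.example", 25), ("files.corp.example", 21)},
}


def circuit_permitted(user: str, dest: Dest) -> bool:
    """Policy decision made once at circuit set-up; traffic is not examined afterwards."""
    return dest in ALLOWED_CIRCUITS.get(user, set())


def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes one way until src closes; returns the byte count. Payload is never parsed."""
    total = 0
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
        total += len(data)
    try:
        dst.shutdown(socket.SHUT_WR)   # propagate end-of-stream to the other connection
    except OSError:
        pass                            # other side already gone
    return total


def splice(conn1: socket.socket, conn2: socket.socket):
    """Two connections, one thread per direction: no end-to-end TCP connection exists."""
    threads = [threading.Thread(target=pump, args=(conn1, conn2), daemon=True),
               threading.Thread(target=pump, args=(conn2, conn1), daemon=True)]
    for t in threads:
        t.start()
    return threads


def demo(user: str, dest: Dest, request: bytes, response: bytes):
    """Returns (bytes the server saw, bytes the user got back, EOF seen by server),
    or None when the circuit is refused by policy."""
    if not circuit_permitted(user, dest):
        return None
    user_side, gw_inside = socket.socketpair()     # connection 1: inside user <-> gateway
    gw_outside, server_side = socket.socketpair()  # connection 2: gateway <-> outside host
    threads = splice(gw_inside, gw_outside)
    user_side.sendall(request)
    seen = server_side.recv(4096)
    server_side.sendall(response)
    got = user_side.recv(4096)
    user_side.close()                              # user hangs up ...
    eof = server_side.recv(4096)                   # ... and the server sees EOF on connection 2
    server_side.close()
    for t in threads:
        t.join(timeout=2)
    gw_inside.close()
    gw_outside.close()
    return seen, got, eof


if __name__ == "__main__":
    print(demo("alice", ("mail.corp.example", 25), b"EHLO inside\r\n", b"250 ok\r\n"))
    print(demo("alice", ("files.corp.example", 21), b"USER x\r\n", b"331\r\n"))
```

Nothing in `pump` knows whether the bytes are SMTP, FTP or anything else, which is exactly the trade-off the next slide makes: the gateway's security comes from which circuits it permits, not from what passes over them.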
TYPES OF FIREWALLS (continued)
3. Circuit-Level Gateway
(Fig 20.1c)
- does not examine traffic
- instead security is obtained according
to connections allowed
e.g. if system admin. trusts internal users:
inbound – appl.-level/proxy, examined by gateway
outbound – circuit-level, not examined by gateway
TYPES OF FIREWALLS (continued)
3. Bastion Host
Critical strong point
Platform for appl.-level, circuit-level gateway
• Secure version of OS-trusted system
• Essential services only
proxy appl. – telnet, DNS, FTP, SMTP, user auth.
• Additional authentication from user to
access proxy services
TYPES OF FIREWALLS (continued)
3. Bastion Host
(continued)
• Proxy supports only subset of commands
• Proxy only allows access to specific hosts
• Proxy maintains detailed audit to discover
and terminate attacks
• Proxy is very small software module
- easier to check for security flaws
TYPES OF FIREWALLS (continued)
3. Bastion Host
(continued)
• Each proxy independent of other proxies
on Bastion Host.
• No disk access by proxy except to read
initial configuration.
• Proxy runs as a non-privileged user in a private,
secure directory.
FIREWALL CONFIGURATIONS
Fig 20.2
FIREWALL CONFIGURATIONS
Single system – e.g. packet-filtering, gateway
Complex Configuration (e.g. Fig 20.2)
Fig 20.2a – Screened Host Firewall
Two Systems: a) Packet-Filtering Router –
IP packets routed to Bastion Host only
b) Bastion Host –
Bastion performs auth./proxy
Advantages: packet-level and appl.-level filtering
flexible
intruder must penetrate 2 systems
but internal web server can use router to bypass Bastion
SCREENED HOST FIREWALL
Fig 20.2b
Dual Security layers
Web Server can have direct communications,
but private hosts must go through Bastion
SCREENED SUBNET FIREWALL
Fig 20.2c
Most secure:
two packet-filtering routers:
one between Bastion and Internet,
one between Bastion and internal network
Isolated Subnetwork – Bastion, Web Servers, modems
Advantages
- three levels of defence
- internal network invisible to internet
- no direct routes from internet to
internal network
TRUSTED SYSTEMS
Data Access Control
Operating System grants user permissions,
but Database Management System decides
on each individual access
Criteria: User ID, parts of data being accessed,
information already divulged
Access Matrix (Fig 20.3a)
Subject – users, terminals, hosts, ...
Object – data fields, ...
Access Right – entries in matrix
ACCESS MATRIX SPARSE
Implemented by decomposition
Matrix Columns: Access Control Lists (Fig 20.3b)
lists (users,rights) including (default,rights)
Matrix Rows: Capability Tickets (Fig 20.3c)
(authorised objects, user operations)
Each user has a number of tickets (unforgeable)
... can loan or give to others
OS may hold tickets in inaccessible memory
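The decomposition above, as an added example (not code from the textbook): a sparse access matrix split by column into ACLs with a default entry, and by row into capability tickets. The tickets are made unforgeable with an HMAC under a key only the OS holds, so a user can hand a ticket to someone else but cannot mint or alter one; this keyed-MAC construction is one way to realise the slide's "unforgeable", not the textbook's specified mechanism. Subjects, objects, rights and the key are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Constructed example: sparse access matrix (subject -> object -> rights).
Rights = Set[str]
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice":  {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":    {"report.txt": {"read", "write"}},
    "host-7": {"report.txt": {"read"}},
}
DEFAULT_RIGHTS: Dict[str, Rights] = {"report.txt": {"read"}}   # the (default, rights) entry per object


# Column view: access control lists.
def to_acls(matrix: Dict[str, Dict[str, Rights]]) -> Dict[str, Dict[str, Rights]]:
    """For each object: who may do what, plus the default entry for everyone else."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    for obj, rights in DEFAULT_RIGHTS.items():
        acls.setdefault(obj, {})["default"] = set(rights)
    return acls


def acl_permits(acls, subject: str, obj: str, right: str) -> bool:
    entries = acls.get(obj, {})
    return right in entries.get(subject, entries.get("default", set()))


# Row view: capability tickets, signed with a key the user cannot read.
KERNEL_KEY = os.urandom(32)          # held by the OS, never exposed to subjects

Ticket = Tuple[str, str, str]        # (object, "right1,right2", tag)


def mint_ticket(obj: str, rights: Rights) -> Ticket:
    rights_str = ",".join(sorted(rights))
    tag = hmac.new(KERNEL_KEY, f"{obj}|{rights_str}".encode(), hashlib.sha256).hexdigest()
    return (obj, rights_str, tag)


def to_capabilities(matrix) -> Dict[str, List[Ticket]]:
    """For each subject: the list of tickets it holds."""
    return {subject: [mint_ticket(obj, rights) for obj, rights in row.items()]
            for subject, row in matrix.items()}


def ticket_permits(ticket: Ticket, obj: str, right: str) -> bool:
    t_obj, t_rights, tag = ticket
    expected = hmac.new(KERNEL_KEY, f"{t_obj}|{t_rights}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                  # forged or altered ticket
    return t_obj == obj and right in t_rights.split(",")


def holder_permits(tickets: List[Ticket], obj: str, right: str) -> bool:
    """A holder may present any ticket it has, including ones loaned by another user."""
    return any(ticket_permits(t, obj, right) for t in tickets)


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_capabilities(MATRIX)
    print("ACL:  carol reads report.txt ->", acl_permits(acls, "carol", "report.txt", "read"))
    print("CAP:  bob writes payroll.db  ->", holder_permits(caps["bob"], "payroll.db", "write"))
    loaned = caps["bob"] + [caps["alice"][0]]      # alice lends bob her payroll.db ticket
    print("CAP:  bob with loaned ticket ->", holder_permits(loaned, "payroll.db", "write"))
```

The two views answer different questions cheaply: an ACL answers "who can touch this object" in one lookup, a capability list answers "what can this subject touch". Note that the loaned ticket shows why the slides say tickets are best held by the OS in memory the user cannot reach: a signature stops forgery, but not a user passing on a genuine ticket.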
TRUSTED SYSTEMS
- concept – Multilevel Security
Protect data/resources - levels of security
e.g. military - U,C,S,TS - clearances
High-Level Subject A <-> Lower/Another Level Subject B
only if authorised:
- No Read Up
- No Write Down
REFERENCE MONITOR CONCEPT
Fig 20.4
REFERENCE MONITOR CONCEPT (RM)
Regulates Subject -> Object access
enforces no read-up, no write-down
Security Kernel Database:
- access privileges
- attributes
RMC – Complete Mediation
rules always enforced, expensive – use hardware
- Isolation – RM/database protected
- Verifiability – correctness of RM
Trusted System – very difficult,
must be proven rigorously
TROJAN HORSE ATTACK
Trojan Horse Attacks – use secure trusted OS
Fig 20.5:
Bob DataFile {"CPE1704TKS"}
Bob : r/w
Fig 20.5a:
Alice with legitimate access installs Trojan
on the system
Private File (back pocket)
Alice : r/w
Fig 20.5b:
Bob : w on back pocket
Bob invokes Trojan
Alice obtains Bob's {"CPE1704TKS"}
via back pocket
TROJAN HORSE DEFENCE
Secure OS, Fig 20.5c:
At logon, subjects are assigned security levels
e.g. Sensitive/Public
Bob: Programs, Files : Sensitive
Alice: Programs, Files : Public
Fig 20.5d:
Bob's "CPE1704TKS" cannot be written down
to the Public back pocket
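A reference monitor enforcing the two rules from the multilevel-security slides (no read up, no write down), replayed on the Fig 20.5 Trojan horse scenario, as an added example that is not the textbook's code. Subject names and files follow the slides; the level table, the discretionary ACLs and the audit log are constructed. The scenario is run once without level enforcement (Fig 20.5a/b) and once with it (Fig 20.5c/d).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example: levels used in Fig 20.5c/d. The military ordering
# {"U": 0, "C": 1, "S": 2, "TS": 3} would work identically.
LEVELS = {"Public": 0, "Sensitive": 1}


@dataclass
class Obj:
    level: str
    contents: str = ""
    acl: Dict[str, str] = field(default_factory=dict)   # subject -> "r", "w" or "rw"


class ReferenceMonitor:
    """Complete mediation: every read and write goes through check()."""

    def __init__(self, clearances: Dict[str, str], objects: Dict[str, Obj]):
        self.clearances = clearances     # security kernel database: subject -> clearance
        self.objects = objects
        self.audit: List[Tuple[str, str, str, str]] = []

    def check(self, subject: str, name: str, op: str) -> bool:
        obj = self.objects[name]
        discretionary = op in obj.acl.get(subject, "")
        s, o = LEVELS[self.clearances[subject]], LEVELS[obj.level]
        # Mandatory rules: read only at or below own level; write only at or above it.
        mandatory = (s >= o) if op == "r" else (s <= o)
        ok = discretionary and mandatory
        self.audit.append((subject, name, op, "granted" if ok else "denied"))
        return ok

    def read(self, subject: str, name: str) -> str:
        if not self.check(subject, name, "r"):
            raise PermissionError(f"{subject} may not read {name}")
        return self.objects[name].contents

    def write(self, subject: str, name: str, data: str) -> None:
        if not self.check(subject, name, "w"):
            raise PermissionError(f"{subject} may not write {name}")
        self.objects[name].contents = data


def trojan_horse_scenario(secure: bool) -> str:
    """Fig 20.5: Alice's program, run under Bob's identity, copies Bob's data into
    Alice's back-pocket file. Returns whatever ends up in the back-pocket file."""
    if secure:                                    # Fig 20.5c: levels assigned at logon
        clearances = {"Bob": "Sensitive", "Alice": "Public"}
        data_level = "Sensitive"
    else:                                         # Fig 20.5a/b: no level enforcement
        clearances = {"Bob": "Public", "Alice": "Public"}
        data_level = "Public"
    fs = {
        "datafile":   Obj(data_level, "CPE1704TKS", acl={"Bob": "rw"}),
        "backpocket": Obj("Public", "", acl={"Alice": "rw", "Bob": "w"}),   # Alice granted Bob w
    }
    rm = ReferenceMonitor(clearances, fs)
    secret = rm.read("Bob", "datafile")           # the Trojan runs with Bob's rights
    try:
        rm.write("Bob", "backpocket", secret)     # write down: refused when levels are enforced
    except PermissionError:
        pass
    return fs["backpocket"].contents


if __name__ == "__main__":
    print("without levels, back pocket holds:", repr(trojan_horse_scenario(False)))
    print("with levels, back pocket holds:   ", repr(trojan_horse_scenario(True)))
```

The discretionary ACL alone cannot stop the leak, because Bob genuinely has write permission on the back-pocket file; it is the mandatory no-write-down rule, checked on every access by the reference monitor, that blocks the Trojan, and the audit list records the denied attempt.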