Transcript Session 8b
Internet and Intranet
Fundamentals
Class 9
Session A
Topics
• Firewalls (continued)
Firewalls
(Continued)
• Bastion Hosts
• Packet Filtering
Bastion Hosts
• Public Presence on the Internet
• The “Lobby” Analogy
• Public Exposure Implies Increased Security
Requirements
– focus special attention on building a Bastion
host
– host security
• some principles apply to other hosts as well
Bastion Hosts
Various Types
• Non-routing Dual-homed Hosts
– make sure they are non-routing!
• Victim Machines
– sacrificial goat
– don’t let users put valuables on them
• Internal, semi-Bastion Hosts
– inside the firewall
– communicate with external bastion
Bastion Hosts
General Design Guidelines
• Minimize the Number of Services Provided
– keep it simple, scholar
– server software may have bugs that can be
exploited
• Expect Bastion Host to be Compromised
– expect the worst and plan for it
– most likely to be attacked
– bastion host considered untrusted host
Bastion Hosts
• What Platform?
– Unix, NT, etc. ?
• Criteria
– your experience
– firewall tools availability
• Class of Machine
– minimal
– not a supercomputer
– RAM more important than CPU
Bastion Hosts
Location
• Physical Location
– safe
• Network Location
– preferably on a perimeter network
– or a network not susceptible to spoofing
• ATM, Ethernet switch
Bastion Host
Services
• Proxy and Relay Services
–
–
–
–
HTTP Proxy
SMTP Server
NNTP Server
FTP Server
• Public Services
– HTTP
– SMTP
Bastion Hosts
Construction Steps
• Secure the Machine
–
–
–
–
start with minimal, clean operating system
fix all known system bugs
use a security checklist
safeguard the system logs
• requires lots of logging
Bastion Hosts
Construction Steps
• Disable Non-required Services
• Install or Modify Services
• Reconfigure Machine from Development to
Deployment
• Perform Security Audit
• Connect Machine to Network
Packet Filtering
Topics
•
•
•
•
What is it?
Advantages and Disadvantages
Configuring a Packet Filtering Router
Various Kinds of Filtering
Packet Filtering
What is it?
• Selectively reject IP packets based on:
–
–
–
–
source address
destination address
incoming physical port
tcp application port
Packet Filtering
Advantages and Disadvantages
• Advantages
– one router protects an entire network
– doesn’t require user knowledge or cooperation
– widely available
• Disadvantages
– current filtering tools not perfect
• can be hard to configure, test, and maintain
• may have bugs
– some protocols don’t lend themselves to
filtering
Packet Filtering
Configuring a PF Router
• Protocols Bidirectional
• Inbound vs. Outbound Semantics
– packets vs. services
– think “packets”
• Default Security Policy
– permit or deny?
• Returning ICMP Error Codes
– destination unreachable, for example
Various Kinds of Filtering
• Rules
–
–
–
–
–
Direction
Source Address
Destination Address
ACK Set
Action
Various Kinds of Filtering
Rules
Rule Direction Source Address
Dest
Address
ACK
Set
Action
A
Inbound
Internal
Any
Permit
B
Outbound Internal
Trusted
Any
external host
Permit
C
Either
Any
Deny
Trusted external
host
Any
Any
Various Kinds of Filtering
Risks of Address Filtering
• Address Forgery
– source
• does not hope to get any packets back
– man-in-the-middle
• must intercept return packets
• must alter network topology to get in the middle
Various Kinds of Filtering
Filtering by Service
• More Complicated
• TELNET
– outgoing
•
•
•
•
•
local host’s IP source address
remote host’s IP destination address
TCP packet type
TCP destination port is 23
content: your keystrokes
Various Kinds of Filtering
Filtering by Service
• TELNET
– incoming
•
•
•
•
•
•
remote host’s IP source address
local host’s IP destination address
TCP packet type
TCP source port is 23
TCP destination port is same as prior source port
ACK set
Various Kinds of Filtering
Filtering by Service
• TELNET
– Rules
• permit output on port 23
• permit inbound on port 23 if ACK is set
• deny both outbound and inbound for everything else
– default rule
• Risks
– some other service on port 23?