Transcript Lesson 17

Perimeter Defenses:
Filters and Firewalls
Lesson 17
Filters and Firewalls
• Filter -- a software program or device that monitors
incoming and outgoing packets on a computer network
to determine whether the packets should be allowed to
enter or leave a computer system.
• Firewall -- a network monitor or collection of monitors
placed between an organization’s internal network and
the Internet or between two local area networks.
Junk E-Mail Filters
• Some ISPs attempt to filter junk email because of
  – the extra load it places on servers
  – the annoyance factor
• Attempts to eliminate junk e-mail:
  – Check the “From” field or IP address for known spammers
  – Check whether it originated from a mail delivery agent frequently used by spammers
• All approaches potentially eliminate valid (non-spam) email
Junk e-mail filters
• Bright Light Technologies developed software that
  – seeds the Internet with thousands of email addresses
  – these addresses are picked up by spammer bots
  – messages sent to these addresses are forwarded to Bright Light, which then develops a filter for them
• ISPs that allow spammers to use their site can find all mail originating from it (valid or spam) blocked in response.
• UUNet and Compuserve both had this happen to them.
Issues with spam filtering
• Add to the issue the error rate. A study showed that:
  – Brightmail, a for-profit blacklisting and filtering service, blocks 94% of spam with 1% false positives.
  – MAPS was found to block 24% of spam with 34% false positives.
• Also consider the following from Julian Haight, founder of SpamCop:
  – “We list you immediately, and then we can talk about it.”
  – They receive 50,000 complaints/day.
• What are the implications in terms of the potential for a DoS attack?
Web Filtering
• Used to “prevent certain materials from entering into a
system while users are browsing the Web.”
• Often offered as an alternative to legislative actions
such as the Communications Decency Act.
• Filtering at the receiving end does not inhibit free speech
• The problem is that the filters are not completely
accurate
• numerous reports of “inappropriate” material not being
filtered or valid info being blocked
Web Filtering
• Net Shepherd Family Search filter returned only 1% of sites
returned by non-filtered search using Alta Vista -- even though
search was on items such as “American Red Cross”, “Thomas
Edison”, and “National Aquarium”.
• One university’s filtering blocked the Edupage newsletter
because of the sentence:
• “The new bill is more narrowly focused than the CDA, and is targeted
strictly at impeding the flow of commercial pornography on the World
Wide Web.”
• Cybersitter blocked sites for National Organization for Women,
Godiva chocolates, and the teen website Peacefire.
• Cyber Patrol allowed 6 of the first 16 sites listed on Yahoo’s
category “Sex: Virtual Clubs”
Web Filtering
• World Wide Web Consortium approach to filtering is based on assigned labels and ratings and is called the Platform for Internet Content Selection (PICS)
  – does not dictate labels; instead allows groups to establish their own.
• European Commission proposed a similar rating scheme. Governments could develop site-rating systems, and software would be provided that allows teachers and parents to filter unwanted information.
• Another proposal is an adults-only domain
Firewalls
• Purpose of a firewall is to provide a shell around the network to protect it from “outside” threats.
• Types of threats a firewall addresses:
  – Filter inherently insecure network services
  – Unauthorized access to network resources
  – Denial of service
  – Masquerading
Firewalls
• Three Basic Techniques
• Packet Filtering -- decide to allow or reject specific packets as they enter your
network
• Stateful Packet filtering – keep track of sessions and connections
– Stateful Inspection – looks at contents of packet not just header
• Circuit Level Gateway -- simply relays bytes from a port on one system to
another on an external network.
• Connection appears to originate from firewall and not internal system
– Prevents direct connection between internal and external systems, but…
– Packets are not filtered/checked
• Application Level Gateway -- also known as proxy gateways, used to forward
service-specific traffic (e.g. email).
• Proxies act as a middleman preventing direct connection, the proxy will take the
request and, if allowed by the policy, will forward it.
• Proxy ‘understands’ the service and can make better filtering decisions (thus
theoretically more secure) but this process is less flexible and more time
consuming
Packet Filtering
Example rule set 1:
  Operation  Source        Src port  Destination  Dst port  Type
  discard    bad.host      *         *            *         *
  allow      our.host      25        *            *         *
  discard    128.236.*.*   >1023     our.host     >1023     tcp

Example rule set 2:
  Operation  Source        Src port  Destination  Dst port  Type
  allow      bad.host      25        our.host     25        *
  discard    bad.host      *         *            *         *
  allow      our.host      25        *            *         *
  discard    128.236.*.*   >1023     our.host     >1023     tcp
  allow      *             *         *            *         *
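The following is an added example, not code from the lecture, that evaluates the two rule sets above the way a simple packet filter would. It assumes first-match semantics (rules tried top to bottom, the first match decides), that `*` matches anything, that `*` inside a dotted pattern such as `128.236.*.*` matches one octet, that `>N` means a port range, and that a packet matching no rule falls to an explicit default (discard). The sample packets are constructed. Running it shows why rule order matters: the same mail packet from bad.host is discarded under set 1 and allowed under set 2 because set 2 puts a specific allow before the general discard.

```python
from dataclasses import dataclass

# Added example (not from the lecture): a first-match evaluator for the
# packet-filter tables above. Assumptions: rules are tried top to bottom and
# the first match decides; '*' matches anything; a host pattern is a name or a
# dotted address where '*' stands for one octet; '>N' / '<N' are port ranges.
# Packets matching no rule get an explicit default (discard here).


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "discard"
    src: str
    src_port: str
    dst: str
    dst_port: str
    proto: str       # "tcp", "udp", or "*"


def host_matches(pattern: str, host: str) -> bool:
    """True if host fits pattern; '*' alone matches any host, '*' in a dotted
    pattern matches one label/octet ("128.236.*.*" matches "128.236.4.2")."""
    if pattern == "*":
        return True
    pat, hst = pattern.split("."), host.split(".")
    if len(pat) != len(hst):
        return False
    return all(p == "*" or p == h for p, h in zip(pat, hst))


def port_matches(pattern: str, port: int) -> bool:
    """Port patterns: '*', an exact number, or '>N' / '<N'."""
    if pattern == "*":
        return True
    if pattern[0] == ">":
        return port > int(pattern[1:])
    if pattern[0] == "<":
        return port < int(pattern[1:])
    return port == int(pattern)


def decide(rules, src, src_port, dst, dst_port, proto, default="discard"):
    """Return (action, index of the matching rule) or (default, None)."""
    for i, r in enumerate(rules):
        if (host_matches(r.src, src) and port_matches(r.src_port, src_port)
                and host_matches(r.dst, dst) and port_matches(r.dst_port, dst_port)
                and (r.proto == "*" or r.proto == proto)):
            return r.action, i
    return default, None


# The two tables from the slide, transcribed as Rule objects.
RULES_1 = [
    Rule("discard", "bad.host", "*", "*", "*", "*"),
    Rule("allow", "our.host", "25", "*", "*", "*"),
    Rule("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
]

RULES_2 = [
    Rule("allow", "bad.host", "25", "our.host", "25", "*"),
    Rule("discard", "bad.host", "*", "*", "*", "*"),
    Rule("allow", "our.host", "25", "*", "*", "*"),
    Rule("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
    Rule("allow", "*", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    # Constructed sample packets: (src, sport, dst, dport, proto)
    samples = [
        ("bad.host", 25, "our.host", 25, "tcp"),          # mail from bad.host
        ("bad.host", 80, "our.host", 25, "tcp"),          # anything else from bad.host
        ("128.236.4.2", 4000, "our.host", 4000, "tcp"),   # high-port tcp from 128.236.*.*
        ("128.236.4.2", 4000, "our.host", 4000, "udp"),   # same flow over udp
    ]
    for name, rules in (("set 1", RULES_1), ("set 2", RULES_2)):
        for pkt in samples:
            print(name, pkt, "->", decide(rules, *pkt))
```

Note that set 1 has no final catch-all rule, so anything it does not name is decided by the filter's default; a packet filter whose default is "allow" would pass the udp sample. Set 2 makes that choice explicit with its last row.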
Firewall Architectures
Screening Router Architecture
[Diagram: Internet – Screening Router; figure not reproduced in the transcript]
Firewall Architectures
Dual-homed host Architecture
[Diagram: Internet – Dual-homed host; figure not reproduced in the transcript]
Firewall Architectures
Screened host Architecture
[Diagram: Internet – Screening Router – Bastion Host; an “X” in the figure marks a blocked direct path; figure not reproduced in the transcript]
Bastion Hosts
• A specially ‘armored’ and protected host.
• May run special ‘secure’ or ‘stripped down’
version of OS
• Only essential services are run on it.
• User accounts generally not permitted (admin
only)
• Machines inside of the firewall should not
trust the Bastion Host.
Firewall Architectures
Screened subnet Architecture
[Diagram: Internet – Exterior Router – Perimeter Network (with Bastion host) – Interior Router – Internal Network; figure not reproduced in the transcript]
So, what’s the difference between them?
• Screening router – very primitive, just a souped-up router.
• Dual-homed host (firewall) – routing function turned off, so external systems can’t communicate directly with internal systems! Provides services through proxies.
• Screened host – the router provides routing and packet filtering functions; the bastion provides a single system to heavily secure.
• Screened subnet – in the screened host firewall there are no defenses between the bastion and other systems, thus if the bastion is compromised the internal network is vulnerable. The screened subnet adds another router to add another layer of protection; this router can be configured to only allow certain services.
Firewall Architectures
Multiple Exterior Routers
[Diagram: Internet and a Supplier Network, each through its own Exterior Router, connect to the Perimeter Network (with Bastion host); an Interior Router leads to the Internal Network; a Lab Network is also shown; figure not reproduced in the transcript]
Checkpoint Firewall Sample Rule Set
[slide content not reproduced in the transcript]
Cisco System PIX Firewall
[slide content not reproduced in the transcript]
Choosing a Firewall
• Determine the trust relationships and communication paths in your organization.
• What capacity do you need – can the firewall handle the throughput?
• Does the firewall have the features you desire?
• What is the interface like – you have to live with using it…
• Price
• Reputation of the company, especially in terms of their responsiveness to product vulnerabilities.
Network Address Translation (NAT)
• Firewalls can also provide NAT services
• Allows a LAN to use one set of addresses for
internal purposes and a second set for external
traffic
• Not all systems need a globally unique IP address
• Saves on IP addresses, which is a concern for IPv4
• Shields internal addresses from public view
Network Address Translation (NAT)
• There are a limited number of IP addresses available and not every system needs one.
• NAT was developed to provide a means to translate private IP addresses into public IP addresses.
  – A device (typically a router or firewall) will accomplish this translation process.
[Diagram: the firewall performs NAT on an outbound packet and on its reply]
  Outbound, internal side:  Source: 10.1.1.123     Destination: 207.25.71.23
  Outbound, after NAT:      Source: 63.69.110.110  Destination: 207.25.71.23
  Reply, external side:     Source: 207.25.71.23   Destination: 63.69.110.110
  Reply, after NAT:         Source: 207.25.71.23   Destination: 10.1.1.123
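The following is an added example, not code from the lecture, of the translation table a firewall keeps in order to perform the exchange in the diagram. It uses the diagram's addresses (10.1.1.123 inside, 63.69.110.110 public, 207.25.71.23 remote) and goes slightly beyond the slide's address-only picture by also rewriting the source port (port address translation), so that several internal hosts can share the single public address; the ports and the `NatTable` class are constructed for the example. The `inbound` method also shows the shielding effect mentioned on the previous slide: a packet from the Internet that does not match an existing mapping has no internal host to go to and is dropped.

```python
from dataclasses import dataclass
from itertools import count

# Added example (not from the lecture): a small NAT table of the kind the
# "Firewall performs NAT" box in the diagram keeps. Addresses are the slide's;
# ports, the NatTable class and the 40000+ public port range are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_public_port)
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it carries the public address."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:           # first packet of this flow: allocate
            pub_port = next(self._next_port)
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Map a packet from the Internet back to the inside host, or return
        None when no mapping exists (unsolicited traffic never reaches 10.x)."""
        if pkt.dst != self.public_ip:
            return None                        # 10.x addresses are not reachable from outside
        key = self.in_map.get(pkt.dport)
        if key is None:
            return None                        # nobody inside asked for this
        inside_ip, inside_port = key
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def demo():
    """Walk the diagram's exchange and return the four packets in order:
    outbound before NAT, outbound after NAT, reply before NAT, reply after NAT."""
    nat = NatTable("63.69.110.110")
    internal = Packet("10.1.1.123", 51000, "207.25.71.23", 80)
    translated = nat.outbound(internal)
    reply = Packet("207.25.71.23", 80, "63.69.110.110", translated.sport)
    delivered = nat.inbound(reply)
    return internal, translated, reply, delivered


if __name__ == "__main__":
    for p in demo():
        print(f"Source: {p.src}:{p.sport}  Destination: {p.dst}:{p.dport}")
```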
NGFW – Next Generation Firewalls
• Attribution: identify users, not IP addresses
• Identify content, not packets
• High performance
• Reliability, scalability, manageability
• Granular application usage control policies
  – Allow or deny
  – Allow certain application functions and apply traffic shaping
  – Allow but scan
  – Decrypt and inspect
  – Allow for certain users or groups