Transcript Firewall
EE579T
Network Security
11: Firewalls
Prof. Richard A. Stanley
Spring 2002
© 2000-2002, Richard A. Stanley
WPI
EE579T/11 #1
Overview of Tonight’s Class
• Review last week’s lesson
• Security in the news
• Firewalls
Last time...
• SNMP is widely-used for managing clients
distributed across a network
• SNMPv1 is simple, effective, and provides
the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either
version, not a standalone replacement
• SNMP security is a major issue!
Interesting Security Facts
• Formidable Internet-based attacks are currently
twice as likely to affect power utilities in the
United States as financial firms
• Overall number of these attacks is growing
“very rapidly”
• Data shows steady increase in attacks
against electronic infrastructure
Source: Securities Industry News
More Statistics
• Most threats still from inside the firm
• Outside attacks still dominated by hackers
• Government or group sponsored attacks on
the rise
• “...for the first time, empirical evidence has
led to profiles of attacks that appear to be
sponsored by governments or other
organizations...” [Tim Belcher, CEO, Riptech]
Source: Securities Industry News
And more...
• Origin of attacks:
– USA 30%
– South Korea 9%
– China 8%
• Based on number of Internet users, Israel
leads the list as a source of attacks
• Beware of jumping to conclusions: an attack
from Country X may just be using that country's
servers as a jumping-off point
Source: Securities Industry News
Outline
• Firewall Design Principles
– Firewall Characteristics
– Types of Firewalls
– Firewall Configurations
• Trusted Systems
– Data Access Control
– The Concept of Trusted systems
– Trojan Horse Defense
Firewall is to Network
as
User privilege is to Operating system
What Is a Firewall?
• A router with attitude?
• A device to implement an access control
policy?
• A physical device?
• A logical device?
• The preferred solution for network
protection?
Firewalls
• Effective means of protecting a local system
or network of systems from network-based
security threats while affording access to the
outside world via WANs or the Internet
• Despite common opinion, not a panacea or
an “out-of-the-box” security solution
Where Does This Term
Come From?
Firewall means a fire separation of noncombustible
construction that subdivides a building or separates adjoining
buildings to resist the spread of fire that has a fire-resistance
rating as prescribed in the Building Code and that has
structural stability to remain intact under fire conditions for the
required fire-rated time.
Source: The Ontario Fire Code, § 1.2.1.2
Firewall Design
Principles
• Information systems undergo a steady
evolution (from small LANs to Internet
connectivity)
• Strong security features are not established
on all workstations and servers
Firewall Design
Principles
• The firewall is inserted between the
premises network and the Internet or
another external network
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based or “outside” attacks
– Provide a single choke point (good or bad?)
Firewall Characteristics
• Design goals:
– All traffic from inside to outside must pass
through the firewall (physically blocking all
access to the local network except via the
firewall)
– Only authorized traffic (defined by the local
security policy) will be allowed to pass
Firewall Characteristics
• Design goals:
– The firewall itself is immune to penetration
(use of trusted system with a secure operating
system)
– Although this is a noble goal, it is virtually
impossible to achieve!
Firewall Characteristics - 1
• Service control
– Determines the types of external services that
can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular
service requests are allowed to flow
Firewall Characteristics - 2
• User control
– Controls access to a service according to which
user is attempting to access it
• Behavior control
– Controls how particular services can be used
(e.g. filter e-mail)
Types of Firewalls
• Three common types of Firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
Types of Firewalls
• Packet-filtering Router
Packet-Filtering Firewall
• Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet
• Filters packets going in both directions
• The packet filter is typically set up as a list
of rules based on matches to fields in the IP
or TCP header
• Two default policies (discard or forward)
Packet Filtering Firewall
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficult to set up packet filter rules
– Lack of authentication
Packet Filtering Firewall
• Possible attacks and appropriate
countermeasures
– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
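The rule list below is an added example, not code from the lecture. It models a packet filter that forwards or discards by matching header fields in order, with discard as the default policy, and it folds in the three countermeasures just listed: refusing outside packets that claim an inside source address, refusing source-routed packets, and refusing fragments at offset 1. The premises network 10.0.0.0/8, the interface names and the Packet fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed premises network; everything else is "outside" (an assumption for the example)
INSIDE = ip_network("10.0.0.0/8")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK bit; clear only on the first segment of a connection
    frag_offset: int = 0    # IP fragment offset in 8-byte units (0 = first/only fragment)
    source_routed: bool = False
    iface: str = "ext"      # interface the packet arrived on: "ext" (Internet) or "int"

def filter_packet(p: Packet) -> str:
    """Apply the rule list in order and return 'forward' or 'discard' (default: discard)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # IP address spoofing: an outside packet must not carry an inside source address
    if p.iface == "ext" and src in INSIDE:
        return "discard"
    # Source routing: discard anything carrying a source-route option
    if p.source_routed:
        return "discard"
    # Tiny fragments: a fragment at offset 1 would overwrite the first fragment's TCP header
    if p.frag_offset == 1:
        return "discard"
    # Policy rule 1: inside hosts may initiate any connection to the outside
    if p.iface == "int" and src in INSIDE and dst not in INSIDE:
        return "forward"
    # Policy rule 2: let in only TCP segments that answer an inside-initiated connection
    if p.iface == "ext" and p.proto == "tcp" and dst in INSIDE and p.ack:
        return "forward"
    # Default policy: discard everything not explicitly allowed
    return "discard"
```

Rule 2 is stateless: it cannot tell a genuine reply from an outside segment that merely has ACK set, which is the "lack of authentication" weakness on the next slide; a filter that tracks connection state closes that gap.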
Types of Firewalls
• Application-level Gateway
Application-level Gateway
• Also called proxy server
• Acts as a relay of application-level traffic
Application-level Gateway
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable
applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each
connection (gateway as splice point)
– Speed
Types of Firewalls
• Circuit-level Gateway
Circuit-level Gateway
• Stand-alone system, or
• Specialized function performed by an
application-level gateway
• Sets up two TCP connections
• The gateway typically relays TCP segments
from one connection to the other without
examining the contents
Circuit-level Gateway
• Security function consists of determining
which connections will be allowed
• Typically used where the system
administrator trusts the internal users
• An example is the SOCKS package
Types of Firewalls
• Bastion Host
– Sometimes called a DMZ
– A system identified by the firewall
administrator as a critical strong point in the
network's security
– The bastion host serves as a platform for an
application-level or circuit-level gateway
Firewall Configurations
• In addition to using simple configuration of
a single system (single packet filtering
router or single gateway), more complex
configurations are possible
• Three common configurations
Firewall Configurations
• Screened host firewall system (single-homed bastion host)
Screened Host Firewall
• Firewall consists of two systems:
– A packet-filtering router
– A bastion host
• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are
allowed to pass through the router
• The bastion host performs authentication
and proxy functions
Screened Host Firewall
• Greater security than single configurations:
– Implements both packet-level and application-level filtering (allowing for flexibility in
defining security policy)
– An intruder must generally penetrate two
separate systems (but if outside router
compromised, what then?)
• Affords flexibility in providing direct
Internet access (public information server,
e.g. Web server)
Firewall Configurations
• Screened host firewall system (dual-homed
bastion host)
Dual-homed Bastion Host
• Even if the packet-filtering router is
completely compromised
– Traffic between the Internet and other hosts on
the private network has to flow through the
bastion host
– Provides two layers of security
Firewall Configurations
• Screened-subnet firewall system
Screened-Subnet Firewall
• Most secure configuration of the three
• Two packet-filtering routers are used
– One between bastion host and external network
– One between bastion host and internal network
• Creates an isolated sub-network
Screened-Subnet Firewall
• Advantages:
– Three levels of defense to thwart intruders
– Outside router advertises only the existence of
the screened subnet to the Internet (internal
network is invisible to the Internet)
– Inside router advertises only the existence of
the screened subnet to the internal network
(systems on the inside network cannot construct
direct routes to the Internet)
Firewalls
• Useful to enforce security policy at the
network edges
• Popularly believed to provide “hardened”
security as they come out of the box
• If not properly configured, can introduce
more problems than they solve
• Come in both hardware and software
flavors, but all have software inside
Trusted Systems
• One way to enhance the ability of a system
to defend against intruders and malicious
programs is to implement trusted system
technology
• Be careful whom you trust!
Data Access Control
• Through the user access control procedure
(log on), user is identified to the system
• Associated with each user, there is a profile
that specifies permissible operations and file
accesses
• The operating system can enforce rules
based on the user profile
– This is why Win9x cannot be used here
Data Access Control
• General models of access control:
– Access matrix
– Access control list
– Capability list
• We saw all these in Computer Security, in
the implementation of security models like
Bell-LaPadula
Data Access Control
• Access Matrix
Data Access Control
• Access Matrix: Basic elements of the model
– Subject: An entity capable of accessing objects,
the concept of subject equates with that of
process
– Object: Anything to which access is controlled
(e.g. files, programs)
– Access right: The way in which an object is
accessed by a subject (e.g. read, write, execute)
Data Access Control
• Access Control List: Decomposition of the
matrix by columns
Data Access Control
• Access Control List
– An access control list lists users and their
permitted access right
– The list may contain a default or public entry
– This is how Unix handles security, and is the
only mechanism available in Unix
• Everything in Unix looks like a text file
• All files have 9-bit permissions in the inode pointer
Data Access Control
• Capability list: Decomposition of the matrix
by rows
Data Access Control
• Capability list
– A capability ticket specifies authorized objects
and operations for a user
– Each user has a number of tickets
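The code below is an added example, not from the lecture, covering the three access control models on the preceding slides. It starts from a small constructed access matrix (subjects, objects and rights are invented), decomposes it by columns into access control lists and by rows into capability lists, and then answers the same access question from each side; the ACL side also honours a default (public) entry, which a capability list has no counterpart for.

```python
from typing import Dict, Set

# Constructed access matrix: rows are subjects, columns are objects, cells are sets of rights
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {},
}
OBJECTS = ["payroll.db", "report.txt", "backup.sh"]
# Default/public ACL entry: anyone not named in report.txt's list may still read it
DEFAULT_ENTRY = {"report.txt": {"read"}}

def access_control_lists(matrix, objects):
    """Column decomposition: per object, the subjects that appear in its column and their rights."""
    acl = {}
    for obj in objects:
        acl[obj] = {subj: set(rights[obj])
                    for subj, rights in matrix.items() if rights.get(obj)}
    return acl

def capability_lists(matrix):
    """Row decomposition: per subject, a ticket (object -> rights) for each non-empty cell."""
    return {subj: {obj: set(r) for obj, r in rights.items() if r}
            for subj, rights in matrix.items()}

def check_acl(acl, default, subject, obj, right):
    """Object-side check: consult the object's list, falling back to the default entry."""
    entries = acl.get(obj, {})
    if subject in entries:
        return right in entries[subject]
    return right in default.get(obj, set())

def check_capability(caps, subject, obj, right):
    """Subject-side check: the subject must hold a ticket naming the object and the right."""
    return right in caps.get(subject, {}).get(obj, set())
```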
Trusted Systems Concept
• Trusted Systems
– Protect data and resources on the basis of levels
of security (e.g. military)
– Users can be granted clearances to access
certain categories of data
– Trusted systems need not discern levels of
permissions; they can operate “system high”
• cf. Telephone systems
Security Levels
• Multilevel security: multiple categories or levels
of data
• Multilevel secure system must enforce:
– No read up: A subject can only read an object of lower
or equal security level (BLP Simple Security Property)
– No write down: A subject can only write into an object
of greater or equal security level (BLP *-Property)
– May enforce discretionary security (BLP DS property)
• Security levels may be linear or latticed
Trusted Systems Implementation
• Reference Monitor provides multilevel
security for a data processing system
– Reference Monitor is a concept, not a thing
Reference Monitor
Up Close and Personal
Reference Monitor
• Controlling element in the security kernel of
a computer that regulates access of subjects
to objects on basis of security parameters
• The monitor has access to a file (security
kernel database)
• The monitor enforces the security rules (no
read up, no write down)
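As an added example (not the lecture's code), here is a minimal reference monitor over a security kernel database, serving both the Security Levels slide and this one. Labels are a linear level plus a set of categories, so dominance is a lattice rather than a line, and every read or write is mediated against the two BLP rules. The level names, subjects, objects and their labels are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Linear part of the lattice (constructed ordering)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)        # frozen: labels cannot be altered once in the database
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

# Constructed security kernel database: clearances of subjects, classifications of objects
SUBJECTS = {
    "analyst": Label("secret", frozenset({"nuclear"})),
    "clerk":   Label("confidential"),
}
OBJECTS = {
    "plans.doc":  Label("secret", frozenset({"nuclear"})),
    "memo.txt":   Label("confidential"),
    "crypto.key": Label("secret", frozenset({"crypto"})),
    "audit.log":  Label("top-secret", frozenset({"nuclear", "crypto"})),
}

def mediate(subject: str, obj: str, op: str) -> bool:
    """Complete mediation: every access passes through here and is decided by the two rules."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if op == "read":
        return s.dominates(o)   # no read up: simple security property
    if op == "write":
        return o.dominates(s)   # no write down: *-property (writing up is allowed)
    raise ValueError(f"unknown operation {op!r}")
```

Note that the analyst cannot read crypto.key even though both are "secret": the category sets are incomparable, which is the latticed case on the Security Levels slide.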
Reference Monitor Properties
• Complete mediation: Security rules are
enforced on every access
• Isolation: Reference monitor and database
protected from unauthorized modification
• Verifiability: reference monitor’s
correctness must be mathematically
provable
– this may be where we bend the rules!
Trusted Systems
• A system that can provide such verifications
(properties) is referred to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems are one
way to secure against Trojan Horse attacks
Summary
• Firewalls are useful tools to mediate access
from internal networks to external networks
• Firewalls are not a single-point security
solution
• Firewalls cannot protect against a malicious
user on the internal network
• Trusted computing systems are needed to
enforce security policy
Homework
• Find a copy of the U.S. Code on the ‘Net,
and read Title 18, Section 1030
• Choose a firewall product, and describe
how you would implement the following
security policy:
– Anyone on the inside network may establish
any connection they desire from outside
– No one on the outside network may initiate a
connection to the inside