Transcript Firewalls
CSCE 522
Firewalls
Readings
Pfleeger: 7.4
CSCE 522 - Farkas
2
Traffic Control – Firewall
Brick wall placed between apartments to
prevent the spread of fire from one
apartment to the next
Single, narrow checkpoint placed between
two or more networks where security and
audit can be imposed on traffic which
passes through it
CSCE 522 - Farkas
3
Firewall
Private Network
Firewall
security wall between
private (protected)
network and outside word
External Network
CSCE 522 - Farkas
4
Firewall Objectives
Keep intruders,
malicious code and
unwanted
traffic or
information out
Private Network
Proprietary data
Keep proprietary
and sensitive
information in
External attacks
External Network
CSCE 522 - Farkas
5
Without firewalls, nodes:
Are exposed to insecure services
Are exposed to probes and attacks from outside
Can be defenseless against new attacks
Network security totally relies on host security
and all hosts must communicate to achieve high
level of security – almost impossible
CSCE 522 - Farkas
6
Common firewall features
Routing information about the private network
can't be observed from outside
traceroute and ping -o can't “see” internal hosts
Users wishing to log on to an internal host must
first log onto a firewall machine
CSCE 522 - Farkas
7
Trade-Off between accessibility
and Security
Service Access Policy
Accessibility
Security
CSCE 522 - Farkas
8
Firewall Advantages
Protection for vulnerable services
Controlled access to site systems
Concentrated security
Enhanced Privacy
Logging and statistics on network use,
misuse
Policy enforcement
CSCE 522 - Farkas
9
Controlled Access
A site could prevent outside access to its
hosts except for special cases (e.g., mail
server).
Do not give access to a host that does not
require access
Some hosts can be reached from outside,
some can not.
Some hosts can reach outside, some can not.
CSCE 522 - Farkas
10
Concentrated Security
Firewall less expensive than securing all
hosts
All or most modified software and additional
security software on firewall only (no need to
distribute on many hosts)
Other network security (e.g., Kerberos)
involves modification at each host system.
CSCE 522 - Farkas
11
Enhanced Privacy
Even innocuous information may contain
clues that can be used by attackers
E.g., finger:
information about the last login time, when e-mail
was read, etc.
Infer: how often the system is used, active users,
whether system can be attacked without drawing
attention
CSCE 522 - Farkas
12
Logging and Statistics on
Network Use, Misuse
If all access to and from the Internet passes
through the firewall, the firewall can
theoretically log accesses and provide
statistics about system usage
Alarm can be added to indicate suspicious
activity, probes and attacks – double duty as
IDS on smaller networks
CSCE 522 - Farkas
13
Policy enforcement
Means for implementing and enforcing a
network access policy
Access control for users and services
Can’t replace a good education/awareness
program, however:
Knowledgeable users could tunnel traffic to
bypass policy enforcement on a firewall
CSCE 522 - Farkas
14
Firewall Disadvantages
Restricted access to desirable services
Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered
attacks – policy/situation dependent
Large learning curve
CSCE 522 - Farkas
15
Restricted Access to Desirable
Services
May block services that users want
E.g., telnet, ftp, X windows, NFS, etc.
Need well-balanced security policy
Similar problems would occur with host access
control
Network topology may not fit the firewall design
E.g., using insecure services across major gateways
Need to investigate other solutions (e.g., Kerberos)
CSCE 522 - Farkas
16
Back Doors
Firewalls DO NOT protect against back
doors into the site
e.g., if unrestricted modem access is still
permitted into a site the attacker could jump
around the firewall
Legacy network topology in large networks
CSCE 522 - Farkas
17
Little Protection from Insider
Attacks
Generally does not provide protection from
insider threats
Sneaker Net - insider may copy data onto
tape or print it and take it out of the facility
CSCE 522 - Farkas
18
Data-Driven Attacks
Viruses:
Executable Content:
users downloading virus-infected personal
computer programs
Java applets
ActiveX Controls
JavaScript, VBScript
End to End Encryption
Tunneling/Encapsulation
CSCE 522 - Farkas
19
Other Issues
Throughput: potential bottleneck (all
connections must pass through firewall)
Single point of failure: concentrates security in
one spot => compromised firewall is disaster
Complexity - feature bloat
Some services do not work well with firewalls
Lack of standard performance measurements
or techniques
CSCE 522 - Farkas
20
Firewall Components
Firewall Administrator
Firewall policy
Packet filters
transparent
does not change traffic, only passes it
Proxies
Active
Intercepts traffic and acts as an intermediary
CSCE 522 - Farkas
21
Firewall Administrator
Knowledge of underpinnings of network
protocols (e.g., TCP/IP, ICMP)
Knowledge of workings of applications that
run over the lower level protocols
Knowledge of interaction between firewall
implementation and traffic
Vendor specific knowledge
CSCE 522 - Farkas
22
Firewall Policy
High-level policy: service access policy
Low-level policy: firewall design policy
Firewall policy should be flexible!
CSCE 522 - Farkas
23
Service Access Policy
Part of the Network Security Policy
Goal: Keep outsiders out
Must be realistic and reflect required
security level
Full security vs. full accessibility
CSCE 522 - Farkas
24
Firewall Design Policy
Refinement of service access policy for specific
firewall configuration
Defines:
– How the firewall achieves the service access
policy
– Unique to a firewall configuration
– Difficult!
CSCE 522 - Farkas
25
Firewall Design Policy
Approaches:
Open system: Permit any service unless
explicitly denied (maximal accessibility)
Closed system: Deny any service unless
explicitly permitted (maximal security)
CSCE 522 - Farkas
26
Simple Packet Filters
Applies a set of rules to each incoming IP packet
to decide whether it should be forwarded or
discarded.
Header information is used for filtering ( e.g,
Protocol number, source and destination IP, source
and destination port numbers, etc.)
Stateless: each IP packet is examined isolated
from what has happened in the past.
Often implemented by a router (screening router).
CSCE 522 - Farkas
27
Simple Packet Filter
Private Network
Placing a simple router (or
similar hardware) between
internal network and
“outside”
Allow/prohibit packets from
certain services
Packet
Filter
Packet-level
rules
Outside
CSCE 522 - Farkas
28
Simple Packet Filters
Advantages:
Does not change the traffic flow or
characteristics –passes it through or doesn’t
Simple
Cheap
Flexible: filtering is based on current rules
CSCE 522 - Farkas
29
Simple Packet Filters
Disadvantages:
– Direct communication between multiple hosts and internal
network
– Unsophisticated (protects against simple attacks)
– Calibrating rule set may be tricky
– Limited auditing
– Single point of failure
CSCE 522 - Farkas
30
Stateful Packet Filters
Called Stateful Inspection or Dynamic Packet Filtering
Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to make
better decisions about current and future packets
Check out:
CheckPoint, Stateful Inspection Technology,
http://www.checkpoint.com/products/downloads/Statef
ul_Inspection.pdf
CSCE 522 - Farkas
31
Proxy Firewalls
View
Reality
Private Network
Private Network
Bastion
Host
Proxy Server
Outside
Outside
CSCE 522 - Farkas
32
Proxy Firewalls
Application Gateways
Works at the application layer must
understand and implement application protocol
Called Application-level gateway or proxy
server
Circuit-Level Gateway
Works at the transport layer
E.g., SOCKS
CSCE 522 - Farkas
33
Application Gateways
Interconnects one network to another for a specific
application
Understands and implements application protocol
Good for higher-level restrictions
Client
Application Gateway
CSCE 522 - Farkas
Server
34
Application Gateways
Advantages: by permitting application traffic directly to
internal hosts
Information hiding: names of internal systems are not known to
outside systems
Can limit capabilities within an application
Robust authentication and logging: application traffic can be preauthenticated before reaching host and can be logged
Cost effective: third-party software and hardware for authentication
and logging only on gateway
Less-complex filtering rules for packet filtering routers: need to
check only destination
Most secure
CSCE 522 - Farkas
35
Application Gateways
Disadvantages:
Keeping up with new applications
Need to know all aspects of protocols
May need to modify application
client/protocols
CSCE 522 - Farkas
36
Circuit-Level Gateways
Is basically a generic proxy server for TCP
Works like an application-level gateway,
but at a lower level
SOCKS – most widely know circuit-level
gateway
CSCE 522 - Farkas
37
Circuit-Level Gateways
Advantages:
Don’t need a separate proxy server for each
application
Provides an option for applications for which proxy
servers don’t yet exist
Simpler to implement than application specific
proxy servers
Most Open-Source packages can be easily extended
to use SOCKS
CSCE 522 - Farkas
38
Circuit-Level Gateways
Disadvantages:
No knowledge of higher level protocols – can’t
scan for active content or disallowed commands
Can only handle TCP connections – new
extensions proposed for UDP
Proprietary packages, TCP/IP stacks must be
modified by vendor to use circuit-level gateways
CSCE 522 - Farkas
39
Home Users
Home routers:
Come with built-in firewall
Generally simple packet filters
Can block all incoming connections on all ports if desired
Open connections as needed
Examples:
Download files from outside using FTP: allow
incoming connections on Port 21
CSCE 522 - Farkas
40
Windows Firewall
Functionality:
Help block computer viruses and worms from reaching
your computer
Ask for your permission to block or unblock certain
connection requests
Allow to create a record (a security log), if you want
one, that records successful and unsuccessful attempts to
connect to your computer
CSCE 522 - Farkas
41
Windows Firewall
What it does not support:
Detect or disable computer viruses and worms if they
are already on your computer
Stop you from opening e-mail with dangerous
attachments
Block spam or unsolicited e-mail from appearing in your
inbox
CSCE 522 - Farkas
42
Third Party Firewall
Ranging in price between FREE and $50
on average
ZoneAlarm Pro 5
PC-Cillin 2004 Internet Security
Norton Personal Firewall 2005
McAfee Personal Firewall 6.0 2005
CSCE 522 - Farkas
43
Firewall Evaluation
Level of protection on the private network ?
Prevented attacks
Missed attacks
Amount of damage to the network
How well the firewall is protected?
Possibility of compromise
Detection of the compromise
Effect of compromise on the protected network
Ease of use
Efficiency, scalability, redundancy
Expense
CSCE 522 - Farkas
44
NEXT CLASS:
INTRUSION DETECTION
CSCE 522 - Farkas
45