3 firewalls
8/3/2019 3 Firewalls
Firewalls
Topics on Defenses
Topics covered: Firewalls and Intrusion Detection; Cryptography; Authentication.
Security services:
- Access Control: prevention of the unauthorized use of a resource
- Availability: resources (i.e. information) should be available to authorized parties at all times
- Data Confidentiality
- Data Integrity
- Non-Repudiation
Firewalls: Lecture Objectives
- To understand the general characteristics of firewalls
- To study different types of firewalls
- To examine common firewall configurations
Definition of Firewalls
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another.
Network Firewall
Isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
[Figure: the Internet connected through a router to the firewall, and through a second router to the Internal Network]
Local Network without Firewall
In the case of a Local Network directly connected to the Internet without any firewall, the entire network is subject to attack.
Practical experience shows that it is very difficult to ensure that every host on the network is secure. One badly chosen password and all the network security can be compromised.
If one of the hosts is penetrated, it is not difficult to penetrate all the other hosts on the network using the resources of that compromised host.
[Figure: the Internet connected through a router directly to the Internal Network, with no firewall]
Why Firewall?
- Protects the network from intrusion.
- Provides a single choke point of control and monitoring.
- Provides focus for security decisions.
- Enforces security policies.
- It can limit your exposure to external attacks.
Firewall Goals
- All traffic from outside to inside and vice versa passes through the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.
- The firewall itself is immune to penetration.
Types of Firewalls
1. Traditional Packet Filter Firewalls
2. Stateful Filter Firewalls
3. Application Gateways
Traditional Packet Filter Firewalls
Every packet has a set of headers containing certain information. The main information is:
- Source IP address (IP header)
- Destination IP address (IP header)
- Protocol type (IP header): specifies whether the data encapsulated in the IP datagram belongs to the TCP, UDP or ICMP protocol
- Source port (TCP or UDP header)
- Destination port (TCP or UDP header)
- ICMP message type
- Direction: is the datagram leaving or entering the internal network?
- Router interface: decisions can be different for different interfaces
Packet Filter Firewall Example 1: IP Spoofing of Internal Addresses
Many network services base their authentication on the source IP address of the host requesting the service.
Attacks are known that exploited this feature and compromised the network using IP packets with a spoofed source IP address, thus impersonating some trusted host.
This attack can be prevented by packet filtering: filter out all packets that come in through the external interface and whose source IP address belongs to the Internal Network.
[Figure: the Internet, the firewall, and the Internal Network (IP: 144.214.0.0, Net Mask: 255.255.0.0); a packet arriving from the Internet carries the spoofed source address SA: 144.214.30.23]
Access Control List for IP Spoofing of Internal Addresses
This is an example of using a packet filter to protect against IP spoofing of internal addresses. In the figure, port #1 of the firewall faces the Internet and port #2 faces the Internal Network (IP: 144.214.0.0, Net Mask: 255.255.0.0).
The Access Control List (ACL) for port #1:
Entry number | Source IP address/Mask | Destination IP address/Mask | Action
(1) | 144.214.0.0/255.255.0.0 | any | drop
(2) | any | any | permit
Packet Filter Firewall Example 2: Allowing only email traffic
Suppose you only want to allow email traffic between the Internet and your Internal Network.
Suppose a user on host A wants to send an e-mail message to a user on host B.
The mail transfer program on host A becomes an SMTP (Simple Mail Transfer Protocol) client and forms a TCP connection to the SMTP server on host B.
[Figure: Host A and Host B on either side of the firewall (port #1 toward the Internet, port #2 toward the Internal Network, IP: 144.214.0.0, Net Mask: 255.255.0.0); the Mail Gateway on the Internal Network has IP 144.214.5.210]
Security Policy: the filtering router must permit only the following packets:
- coming from a host on the Internal Network and destined to port 25;
- coming from the Internet to port 25 on the Mail Gateway machine.
ACL for port #1 (Internet side):
entry # | Src IP addr/Mask | Src port | Dest IP addr/Mask | Dest port | Action | Comments
(1) | any | any | 144.214.5.210/255.255.255.255 | 25 | permit | allow external traffic to SMTP port on Mail Gateway
(2) | any | any | any | any | block | block any other traffic
ACL for port #2 (Internal Network side):
entry # | Src IP addr/Mask | Src port | Dest IP addr/Mask | Dest port | Action | Comments
(1) | 144.214.0.0/255.255.0.0 | any | any | 25 | permit | allow internal traffic to SMTP port on external hosts
(2) | any | any | any | any | block | block any other traffic
Packet Filtering Rules Example 3
Policy | Firewall Setting
Prevent your network from being tracerouted | Drop all incoming ICMP
Prevent your network from being used for a Smurf DoS attack | Drop all ICMP packets going to a broadcast address (e.g. 144.214.255.255)
Prevent Web-radios from eating up the available bandwidth | Drop all incoming UDP packets except DNS and router broadcasts
Outside Web access only | Drop all outgoing packets to any IP address except port 80
Access Control Lists
Apply rules from top to bottom:
Action | Source Address | Dest Address | Protocol | Source Port | Dest Port | Flag Bit
Allow | 144.214/16 | Outside of 144.214/16 | TCP | >1023 | 80 | Any
Allow | Outside of 144.214/16 | 144.214/16 | TCP | 80 | >1023 | ACK
Allow | 144.214/16 | Outside of 144.214/16 | UDP | >1053 | 53 | ---
Allow | Outside of 144.214/16 | 144.214/16 | UDP | 53 | >1023 | ---
Deny | All | All | All | All | All | All
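The first-match evaluation the slides describe (apply rules from top to bottom), applied to Example 1's anti-spoofing list and to the web-and-DNS table above, as an added Python example; it is not code from the lecture. It assumes its own notation: "!<net>" for "Outside of <net>", ">N" for a port range, and an implicit deny (entry 0) if no rule matches; the UDP query row is encoded with source port >1023, as in the TCP rows. Addresses come from the slides; the port numbers in the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (simplified)."""
    src: str
    dst: str
    proto: str          # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag bit


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Network specs are CIDR or mask notation, "any", or
    "!<net>" meaning "outside of <net>". Port specs are "any", an exact port,
    or ">N". flag="ACK" requires the ACK bit to be set (assumed notation)."""
    action: str
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    sport: str = "any"
    dport: str = "any"
    flag: str = "any"
    comment: str = ""


def net_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(addr) in net
    return not inside if negate else inside


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and net_matches(rule.src, pkt.src)
        and net_matches(rule.dst, pkt.dst)
        and port_matches(rule.sport, pkt.sport)
        and port_matches(rule.dport, pkt.dport)
        and (rule.flag != "ACK" or pkt.ack)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation, top to bottom; returns (action, entry number).
    A packet matching no entry is denied with entry 0 (an assumption: the
    slides' lists always end in an explicit catch-all rule)."""
    for number, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "deny", 0


INTERNAL = "144.214.0.0/255.255.0.0"   # the lecture's Internal Network

# Example 1: ACL on the external interface (port #1) against spoofed internal sources.
ANTI_SPOOF_ACL = [
    Rule("drop", src=INTERNAL, comment="external packet claiming an internal source"),
    Rule("permit", comment="everything else"),
]

# The "Access Control Lists" table: outbound web and DNS plus their replies only.
WEB_DNS_ACL = [
    Rule("allow", src="144.214.0.0/16", dst="!144.214.0.0/16", proto="TCP",
         sport=">1023", dport="80", comment="outbound web request"),
    Rule("allow", src="!144.214.0.0/16", dst="144.214.0.0/16", proto="TCP",
         sport="80", dport=">1023", flag="ACK", comment="web reply"),
    Rule("allow", src="144.214.0.0/16", dst="!144.214.0.0/16", proto="UDP",
         sport=">1023", dport="53", comment="DNS query"),
    Rule("allow", src="!144.214.0.0/16", dst="144.214.0.0/16", proto="UDP",
         sport="53", dport=">1023", comment="DNS reply"),
    Rule("deny", comment="everything else"),
]


if __name__ == "__main__":
    # Constructed sample packets: a spoofed internal source seen on port #1,
    # then a web reply with and without the ACK bit against the second list.
    print(evaluate(ANTI_SPOOF_ACL, Packet("144.214.30.23", "144.214.5.210", "TCP", 40000, 25)))
    print(evaluate(WEB_DNS_ACL, Packet("37.98.87.144", "144.214.30.22", "TCP", 80, 12345, ack=True)))
    print(evaluate(WEB_DNS_ACL, Packet("37.98.87.144", "144.214.30.22", "TCP", 80, 12345)))
```

The inbound TCP row is the one the stateful-filter slides later criticise: a segment from source port 80 passes as long as ACK=1, whether or not any inside host opened that connection, while the same segment without ACK falls through to the final deny.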
Access Control Lists
- Each router/firewall interface can have its own ACL
- Most firewall vendors provide both command-line and graphical configuration interfaces
Advantages and Disadvantages of Traditional Packet Filter Firewalls
Advantages
- One screening router can protect an entire network
- Can be efficient if filtering rules are kept simple
- Widely available: almost any router, even Linux boxes
Disadvantages
- Can be penetrated
- Cannot enforce some policies, for example permitting only certain users
- Rules can get complicated and difficult to test
- Can reduce router performance
Stateful Filter Firewalls
In the previous example, any packet with ACK=1 and source port 80 gets in. An attacker could, for example, attempt a malformed packet attack by sending ACK=1 segments.
Stateful filter: adds more intelligence to the filter decision-making process.
Stateful = remember past packets.
The memory is implemented in a very dynamic state table.
Stateful Filters: Example
Log each TCP connection initiated through the firewall (SYN segment). Time out entries which see no activity for, say, 1 min.
Source Address | Source Port | Dest Address | Dest Port
144.214.30.22 | 123456 | 37.98.87.144 | 80
144.214.30.45 | 434577 | 199.1.205.34 | 80
144.214.30.67 | 234567 | 203.45.23.66 | 80
If the rule table indicates that the stateful table must be checked: check to see if there is already a connection in the stateful table.
Stateful filters can also remember outgoing UDP segments.
Stateful Filters: Example (cont.)
1. Packet arrives from outside: SA: 37.98.87.144, SP=80, DA=144.214.30.22, DP=123456, SYN=0, ACK=1
2. Check filter table => check stateful table
3. Connection is listed in connection table => let packet through
Action | Source Address | Dest Address | Protocol | Source Port | Dest Port | Flag Bit | Check Connection
Allow | 144.214/16 | Outside of 144.214/16 | TCP | >1023 | 80 | Any |
Allow | Outside of 144.214/16 | 144.214/16 | TCP | 80 | >1023 | ACK | X
Allow | 144.214/16 | Outside of 144.214/16 | UDP | >1053 | 53 | --- |
Allow | Outside of 144.214/16 | 144.214/16 | UDP | 53 | >1023 | --- | X
Deny | All | All | All | All | All | All |
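An added model, not from the lecture, of the connection table that steps 1 to 3 consult: entries are created by outbound SYN segments (and, as the previous slide notes, by outbound UDP datagrams), refreshed by traffic in either direction, and expired after an idle timeout of 60 seconds, the "1 min" suggested earlier. The addresses are the slides'; the port numbers, timestamps and the names Segment and StatefulTable are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment or UDP datagram that the state table keys on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    syn: bool = False
    ack: bool = False


# (inside address, inside port, outside address, outside port)
Key = Tuple[str, int, str, int]


@dataclass
class StatefulTable:
    """Connection table keyed by the inside and outside endpoints of a flow;
    the value is the time the last packet of that flow was seen."""
    timeout: float = 60.0   # idle timeout; the slide suggests about 1 minute
    entries: Dict[Key, float] = field(default_factory=dict)

    def expire(self, now: float) -> int:
        """Drop entries idle for longer than the timeout; returns how many went."""
        stale = [k for k, seen in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def outbound(self, seg: Segment, now: float) -> bool:
        """For packets leaving the internal network. A TCP SYN without ACK or a
        UDP datagram opens an entry; any packet on a known flow refreshes it.
        Returns whether the packet belongs to (or opened) a tracked flow."""
        self.expire(now)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        opens = (seg.proto == "TCP" and seg.syn and not seg.ack) or seg.proto == "UDP"
        if key in self.entries or opens:
            self.entries[key] = now
            return True
        return False

    def inbound_allowed(self, seg: Segment, now: float) -> bool:
        """For packets arriving from outside on a rule marked "Check Connection":
        pass only if the reversed 4-tuple is already in the table."""
        self.expire(now)
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # flow seen from the inside
        if key not in self.entries:
            return False
        self.entries[key] = now
        return True


def demo() -> dict:
    """Constructed exchange: an inside host opens a web connection and a DNS
    query; the replies are let in, an unsolicited ACK=1 segment from port 80
    is not, and everything has timed out by t=90s."""
    table = StatefulTable(timeout=60.0)
    inside, web, dns = "144.214.30.22", "37.98.87.144", "203.45.23.66"
    out = {}
    out["syn_logged"] = table.outbound(Segment(inside, 45000, web, 80, syn=True), now=0.0)
    out["reply_allowed"] = table.inbound_allowed(Segment(web, 80, inside, 45000, ack=True), now=1.0)
    # Same source port 80 and ACK=1, but no inside host opened this flow: the
    # plain ACL of the earlier slide would have passed it, the state table does not.
    out["unsolicited_ack"] = table.inbound_allowed(Segment(web, 80, inside, 45001, ack=True), now=2.0)
    table.outbound(Segment(inside, 34567, dns, 53, proto="UDP"), now=3.0)
    out["udp_reply"] = table.inbound_allowed(Segment(dns, 53, inside, 34567, proto="UDP"), now=4.0)
    out["after_timeout"] = table.inbound_allowed(Segment(web, 80, inside, 45000, ack=True), now=90.0)
    out["entries_left"] = len(table.entries)
    return out


if __name__ == "__main__":
    print(demo())
```

The timeout is what keeps the table "very dynamic": without it every flow ever opened would stay open to inbound traffic, and with it a reply that arrives after a long silence is treated exactly like an unsolicited packet.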
Application Gateways (or Proxy Servers)
An application gateway sits between the user on the inside and the server on the outside. Instead of talking directly, user and server talk through the proxy.
Allows more fine-grained and sophisticated control than packet filtering. For example, an ftp server may not allow files greater than a set size.
[Figure: the Internet, a router, the Application Gateway, and a second router to the internal network; a host-to-gateway ftp session on the inside and a gateway-to-remote-host ftp session on the outside]
Proxy Program
[Figure: the actual client connects to the proxy program on the Dual-Homed Host, which acts as proxy server toward the client and as proxy client across the Internet to the real server]
Mail Servers and Proxy Web Servers
- A local mail server is an application gateway: virus detection and removal
- So is a Web proxy cache: it can also do virus detection and removal
Advantages and Disadvantages of Proxy Gateways
Advantages
- Can log all connections and the activity in connections
- Can provide caching
- Can do intelligent filtering based on content
- Can perform user-level authentication
Disadvantages
- Not all services have proxied versions
- May need a different proxy server for each service
- Require modification of the client
- Performance
Application Gateways + Packet Filter
Filters packets on application data as well as IP/TCP/UDP fields.
Example: allow select internal users to ftp outside
- Require all ftp users to ftp through the gateway
- For authorized users, the gateway sets up an ftp connection to the destination host and relays data between the 2 connections
- The router filter blocks all ftp connections not originating from the gateway
[Figure: the Internet, the router and filter, the Application Gateway, and the internal network; a host-to-gateway ftp session on the inside and a gateway-to-remote-host ftp session on the outside]
Network Address Translation
Network Address Translation (NAT) allows a network to use one set of addresses internally and a different set when dealing with external networks. It helps conceal the internal network and forces connections to go through the choke point.
The router does the extra work required for address translation.
[Figure: the External Network reaches the NAT Router at 144.214.40.66; on the inside the router is 192.168.2.1 and serves the hosts 192.168.2.90, 192.168.2.91 and 192.168.2.92]
NAT Example 1
Router 144.214.40.66 with NAT that masquerades. Could be a dual-homed bastion host.
Internal hosts 192.168.2.90, 192.168.2.91, 192.168.2.92 and 192.168.2.93; the FTP Server (port 21) is 192.168.2.92, and a Web Server listens on port 80.
An FTP client on the Internet at 202.66.151.118 connects to the FTP server:
1. Client to router: To 144.214.40.66:21, From 202.66.151.118:X
2. Router to FTP server: To 192.168.2.92:21, From 202.66.151.118:X
3. FTP server to router: To 202.66.151.118:X, From 192.168.2.92:21
4. Router to client: To 202.66.151.118:X, From 144.214.40.66:21
NAT Example 2
Router 144.214.40.66 with NAT that masquerades. Could be a dual-homed bastion host.
Internal hosts 192.168.2.90, 192.168.2.92 and 192.168.2.93, and the Web Client 192.168.2.91 (the figure also labels an FTP Server, port 23, and a Web Server, port 80).
The Web Client fetches a page from the RTHK Web Server on the Internet at 202.177.192.72:
1. Web client to router: To 202.177.192.72:80, From 192.168.2.91:Y
2. Router to web server: To 202.177.192.72:80, From 144.214.40.66:Y
3. Web server to router: To 144.214.40.66:Y, From 202.177.192.72:80
4. Router to web client: To 192.168.2.92:Y, From 202.177.192.72:80
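An added Python model of the masquerading router in the two NAT examples; it is not code from the lecture. Outbound flows are given a public port from a constructed pool starting at 40000 and replies are mapped back by that port; the FTP server is reached through a static forward of public port 21 to 192.168.2.92:21, so its replies leave with the router's address and port 21; and a packet with neither a flow nor a forward is dropped, which is the "can help restrict incoming traffic" point of the next slide. The concrete values for X and Y, the class names, and the unrelated outside address 203.0.113.9 are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]


class NatRouter:
    """Masquerading NAT: outbound flows are rewritten to the router's public
    address and a per-flow public port; inbound packets are delivered only if
    they match a recorded flow or a static port forward, otherwise dropped."""

    def __init__(self, public_ip: str, forwards: Optional[Dict[int, Endpoint]] = None,
                 first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})                 # public port -> inside endpoint
        self.forward_rev = {v: k for k, v in self.forwards.items()}
        self.out_map: Dict[Endpoint, int] = {}               # inside endpoint -> public port
        self.in_map: Dict[int, Endpoint] = {}                # public port -> inside endpoint
        self._ports = itertools.count(first_port)            # constructed allocation pool

    def _public_port(self, inside: Endpoint) -> int:
        if inside in self.forward_rev:      # a forwarded server answers from its public port
            return self.forward_rev[inside]
        if inside not in self.out_map:
            port = next(self._ports)
            while port in self.in_map or port in self.forwards:
                port = next(self._ports)
            self.out_map[inside] = port
            self.in_map[port] = inside
        return self.out_map[inside]

    def outbound(self, pkt: Pkt) -> Pkt:
        """Rewrite the source of a packet leaving the internal network."""
        return Pkt(self.public_ip, self._public_port((pkt.src, pkt.sport)), pkt.dst, pkt.dport)

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Rewrite the destination of a packet arriving from outside; None means drop."""
        if pkt.dst != self.public_ip:
            return None
        target = self.in_map.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                     # no flow, no forward: unsolicited, dropped
        return Pkt(pkt.src, pkt.sport, target[0], target[1])


def demo() -> dict:
    """Walk through both slides' exchanges with X and Y made concrete."""
    nat = NatRouter("144.214.40.66", forwards={21: ("192.168.2.92", 21)})
    out = {}
    # NAT Example 2: the inside web client fetches from 202.177.192.72:80
    req = nat.outbound(Pkt("192.168.2.91", 50001, "202.177.192.72", 80))
    out["request_src"] = (req.src, req.sport)
    reply = nat.inbound(Pkt("202.177.192.72", 80, "144.214.40.66", req.sport))
    out["reply_dst"] = (reply.dst, reply.dport)
    # NAT Example 1: an outside FTP client reaches the inside FTP server via the forward
    ftp = nat.inbound(Pkt("202.66.151.118", 51234, "144.214.40.66", 21))
    out["ftp_dst"] = (ftp.dst, ftp.dport)
    back = nat.outbound(Pkt("192.168.2.92", 21, "202.66.151.118", 51234))
    out["ftp_reply_src"] = (back.src, back.sport)
    # Neither a flow nor a forward exists for port 80: never reaches an inside host
    out["unsolicited_web"] = nat.inbound(Pkt("203.0.113.9", 44444, "144.214.40.66", 80))
    return out


if __name__ == "__main__":
    print(demo())
```

Two inside hosts that happen to use the same source port get distinct public ports, which is why the router's table must be keyed on the full inside endpoint rather than on the port alone; the dynamic entries are also the reason the later slide lists "dynamic allocation could lead to broken connections" and "interferes with logging" (the outside only ever sees 144.214.40.66).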
Advantages and Disadvantages of NAT
Advantages
- Helps enforce firewall control over outbound connections
- Can help restrict incoming traffic
- Can help conceal the internal network configuration
Disadvantages
- Interferes with logging
- Could interfere with packet filtering
- Could interfere with encryption and authentication
- Dynamic allocation could lead to broken connections
Demilitarized Zone (DMZ)
[Figure: the Internet, an Exterior Router, the Demilitarized Zone (Perimeter Network) holding the Bastion Stations (DNS Server, FTP Server, Web Server), an Interior Router, and the Internal Network; an attacker sits on the Internet side]
Some Firewall Definitions
Perimeter network (or DMZ): a network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone (named after the zone separating North and South Korea).
Bastion host: a computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles.
Dual-homed host: a general-purpose computer system that has at least two network interfaces (or homes).
Firewall Architectures
- Screening Router Architecture
- Dual-homed Host Architecture
- Screened Host Architecture
- Screened Subnet Architecture
- Variations: Multiple Bastion Hosts, Multiple Exterior Routers, Multiple Perimeter Networks, Multiple Interior Routers, etc.
Screened Router Architecture
The security of the whole Internal Network depends on the correct Access Control List of the screening router and on the amount of services permitted.
[Figure: the Internet connected to the Screening Router, which is the firewall, and on to the Internal Network]
Dual-Homed Host Architecture
[Figure: the Internet, a router, the Dual-Homed Host acting as the firewall, and the Internal Network]
Routing is turned off on the Dual-Homed Host.
Useful if no traffic from the internal network to the external network is allowed. Users have to log into the dual-homed host to access the Internet. Implies user accounts: not a good idea!
Services can also be provided by proxying them.
Communication Methods for DHH
- Users on the Internal Network are given accounts on the Dual-Homed Host machine. To use Internet services, a user must rlogin to the Dual-Homed Host machine. The fact that you allow accounts on the machine weakens its security greatly.
- The Dual-Homed Host runs a proxy program for each service you want to permit. There is no more need for users to rlogin to the machine in order to access the Internet; they can communicate via the proxy software.
Security of DHH Architecture
The only host that can be accessed, and thus attacked, from the Internet is the Dual-Homed Host machine.
It must have a much greater level of security than an ordinary host on the Internal Network: extensive logging and auditing of system state must be performed, only secure and necessary software installed, and so on.
This architecture is much more secure than the Screening Router Architecture.
But still, once the Dual-Homed Host is subverted, the entire Internal Network is vulnerable to attack.
Screened Host Architecture
Services only provided through the bastion host.
Primary security provided by the Screening Router (packet filtering).
[Figure: the Internet, a router, the Screening Router, and the Bastion Host on the internal network]
Screened Host Architecture
- Consists of a packet filtering router & a bastion host
- Router rule:
  Inbound: only IP packets destined for the bastion host are allowed
  Outbound: only IP packets from the bastion host are allowed
- The bastion host performs authentication & proxy functions
- Better security, because of 2 systems
- The router may allow direct traffic between a web server & the Internet
- If an attacker breaks into the bastion host, they have access to the internal network.
Screened Subnet Architectures
[Figure: the Internet, an Exterior Router, the perimeter network with the Bastion Station, an Interior Router, and the Internal Network]
Reduces the impact of a break-in into the bastion host.
No single vulnerable point that compromises the internal network.
Multiple Bastion Hosts
[Figure: the Internet, an Exterior Router, the Demilitarized Zone (Perimeter Network) with the DNS Server, FTP Server and Web Server as separate Bastion Stations, an Interior Router, and the Internal Network]
Reasons you might want to do this include performance, redundancy, and the need to separate data or servers.
Merge Interior and Exterior Routers
This architecture, like the screened host architecture, makes the site vulnerable to the compromise of a single router. In general, routers are easier to protect than hosts, but they are not impenetrable.
[Figure: the Internet connected to a single Interior/Exterior Router, which serves both the Bastion Host and the Internal Network]
Merge Bastion Host and Exterior Router
[Figure: the Internet connected to a combined Bastion Host/Exterior Router, then the Interior Router, then the Internal Network]
Merge Bastion Host and Interior Router
[Figure: the Internet, the Exterior Router, a combined Bastion Host/Interior Router, and the Internal Network]
One of the main purposes of the perimeter network is to prevent the bastion host from being able to snoop on internal traffic. Moving the bastion host to the interior router makes all of your internal traffic visible to it.
Warning: We recommend against this configuration.
It's Dangerous to Merge the Bastion Host and the Interior Router
The bastion host and the exterior router each perform distinct protective tasks; they complement each other but don't back each other up. The interior router functions in part as a backup to the two of them.
With this type of configuration, if the bastion host is broken into, there's nothing left in the way of security between the bastion host and the internal network.
Multiple Interior Routers
[Figure: the Internet, the Exterior Router, the Bastion Station on the Perimeter Network, and two Interior Routers connecting the perimeter network to the internal network]
Warning: We recommend against this configuration.
It's Dangerous to Use Multiple Interior Routers
The basic problem is that the routing software on an internal system could decide that the fastest way to another internal system is via the perimeter net. If you're lucky, this approach simply won't work, because it will be blocked by the packet filtering on one of the routers.
If you're unlucky, it will work, and you'll have sensitive, strictly internal traffic flowing across your perimeter net, where it can be snooped on if somebody has managed to break in to the bastion host.
It's also difficult to keep multiple interior routers correctly configured. The interior router is the one with the most important and the most complex set of packet filters, and having two of them doubles your chances of getting the rule sets wrong.
Multiple Internal Networks
[Figure: the Internet, the Exterior Router, the Bastion Station, the Interior Router, and two internal networks, Internal Network A and Internal Network B]
Multiple Internal Networks (Backbone Architecture)
[Figure: the Internet, the Exterior Router, the Bastion Station, and the Interior Router onto a backbone, from which separate routers lead to Internal Network A and Internal Network B]
Multiple internal networks (separate interfaces in a single router)
Multiple Exterior Routers
[Figure: the Internet and a Supplier Network each connected through their own Exterior Router to the perimeter network holding the Bastion Station; an Interior Router leads to the internal network]
There are some cases in which it makes sense to connect multiple exterior routers to the same perimeter network.
Why Use Multiple Exterior Routers?
Examples are:
- You have multiple connections to the Internet (for example, through different service providers, for redundancy).
- You have a connection to the Internet plus other connections to other sites.
In these cases, you might instead have one exterior router with multiple exterior network interfaces.
Attaching multiple exterior routers which go to the same external network (e.g., two different Internet providers) is not a significant security problem. They may have different filter sets, but that's not critical in exterior routers. There is twice the chance that one will be compromisable, but a compromise of an exterior router is not particularly threatening.
Multiple Exterior Routers (cont.)
Things are more complex if the connections are to different places. For example, one is to the Internet and one is to a site you're collaborating with and need more bandwidth to.
To figure out whether such an architecture makes sense in these cases, ask yourself this question: what traffic could someone see if they broke into a bastion host on this perimeter net?
For example, if an attacker broke in, could he snoop on sensitive traffic between your site and a subsidiary or affiliate? If so, then you may want to think about installing multiple perimeter nets instead of multiple exterior routers on a single perimeter net.
There are other significant problems involved in setting up connections to external networks with which you have special relationships; that topic is called "Internal Firewalls."
Multiple Perimeter Networks
[Figure: two perimeter networks, each with its own Exterior Router and Bastion Station, one toward the Internet and one toward a Supplier Network, each attached through its own Interior Router to the internal network]
In certain situations, it makes sense for your configuration to include multiple perimeter networks.
Multiple Perimeter Networks (cont.)
You might put in multiple perimeter networks to provide redundancy. It doesn't make much sense to pay for two connections to the Internet, and then run them both through the same router or routers. Putting in two exterior routers, two perimeter networks, and two interior routers ensures that there is no single point of failure between you and the Internet.
You might also put in multiple perimeter nets for privacy, so that you can run moderately confidential data across one, and an Internet connection across the other. In that case, you might even attach both perimeter nets to the same interior router.
Having multiple perimeter nets is less risky than having multiple interior routers sharing the same internal net, but it's still a maintenance headache. You will probably have multiple interior routers, presenting multiple possible points of compromise. Those routers must be watched very carefully to keep them enforcing appropriate security policies; if they both connect to the Internet, they need to enforce the same policy.
Conclusion
- Understand what the Dual-Homed Host Architecture is
- Understand what the Screened Host Architecture is
- Understand what the Screened Subnet Architecture is
- It's OK to Use Multiple Bastion Hosts
- It's OK to Merge the Bastion Host and the Exterior Router
- It's Dangerous to Merge the Bastion Host and the Interior Router
- It's Dangerous to Use Multiple Interior Routers
- It's OK to Use Multiple Exterior Routers
- It's OK to Have Multiple Perimeter Networks