-
8/10/2019 12 Firewalls
1/38
Firewalls
Dan Fleck
CS 469: Security Engineering
Slides modified with permission from original by Arun Sood
-
References
1. Mark Stamp, Information Security: Principles and Practice, Wiley-Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, p 24-29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, p 62-67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, p 50-57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, p 112-113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.
-
Firewall as Network Access Control
Access Control
Authentication
Authorization
Single Sign On
Firewall
Interface between networks
Usually external (internet) and internal
Allows traffic flow in both directions
-
Firewall
Interface between networks
Usually external (internet) and internal
Allows traffic flow in both directions
Controls the traffic
Internet
Internal
-
Firewall as Secretary
A firewall is like a secretary
To meet with an executive
First contact the secretary
Secretary decides if meeting is reasonable
Secretary filters out many requests
You want to meet chair of CS department?
Secretary does some filtering
You want to meet President of US?
Secretary does lots of filtering!
[1]
-
Security Strategies
Least privilege
Objects have the lowest privilege to perform assigned task
Defense in depth
Use multiple mechanisms
Best if each is independent: minimal overlap
Choke point
Facilitates monitoring and control
[2]
-
Security Strategies - 2
Weakest link
Fail-safe
If firewall fails, it should go to fail-safe that denies access to avoid intrusions
Default deny
Default permit
Universal participation
Everyone has to accept the rules
[2]
-
Security Strategies - 3
Diversity of defense
Inherent weaknesses
Multiple technologies to compensate for inherent weakness of one technology
Common heritage
If systems configured by the same person, may have the same weakness
Simplicity
Security through obscurity
[2]
-
Security Strategies - 4
Configuration errors can be devastating
Testing is not perfect
Ongoing trial and error will identify weaknesses
Enforcing a sound policy is critical
[2]
-
Types of Firewall
No Standard Terminology
Packet Filtering (network layer)
Simplest firewall
Filter packets based on specified criteria
IP addresses, subnets, TCP or UDP ports
Does NOT read the packet payload
Vulnerable to IP spoofing
Stateful inspection (transport layer)
In addition to packet inspection
Validate attributes of multi-packet flows
Keeps track of connection state (e.g. TCP streams, active connections, etc)
[2]
-
Types of Firewall - 2
Application Based Firewall (application layer)
Allows data into/out of a process based on that process type
Can act on a single computer or at the network layer
e.g. allowing only HTTP traffic to a website
Log access: attempted access and allowed access
Personal firewall: single user, home network
[2]
-
Types of Firewall - 3
Proxy
Intermediate connection between servers on internet and internal servers.
For incoming data
Proxy is server to internal network clients
For outgoing data
Proxy is client sending out data to the internet
Very secure
Less efficient versus packet filters
[2]
No IP packets pass through firewall. Firewall creates new packets.
-
Types of Firewall - 4
Network Address Translation
Hides internal network from external network
Private IP addresses
Expands the IP address space
Creates a choke point
Virtual Private Network
Employs encryption and integrity protection
Use internet as part of a private network
Make remote computer act like it is on local network
[2]
-
Packet Filter
Advantages
Simplest firewall architecture
Works at the Network layer: applies to all systems
One firewall for the entire network
Disadvantages
Can be compromised by many attacks
Source spoofing
-
Packet Filter - Example
[2]
-
Packet Filter - Example
[2]
-
Packet Filter - Example
Attack succeeds because of rules B and D
More secure to add source ports to rules
-
Packet Filter - Example
[2]
-
Packet Filter - Example
These packets would be admitted. To avoid this add an ACK bit to the rule set
[2]
-
Packet Filter - Example
Attack fails, because the ACK bit is not set. ACK bit is set if the connection originated from inside.
Incoming TCP packets must have ACK bit set. If this started outside, then no matching data, and packet will be rejected.
Note: This rule means we allow no services other than requests that we originate.
-
TCP Ack for Port Scanning
Attacker sends packet with ACK set (without prior handshake) using port p
Violation of TCP/IP protocol
Packet filter firewall passes packet
Firewall considers it part of an ongoing connection
Receiver sends RST
Indicates to the sender that the connection should be terminated
Receiving RST indicates that port p is open!!
[1]
-
TCP Ack Port Scan
RST confirms that port 1209 is open
Problem: packet filtering is stateless; the firewall should track the entire connection exchange
[1]
-
Stateful Packet Filter
Remembers packets in the TCP connections (and flag bits)
Adds state info to the packet filter firewalls.
Operates at the transport layer.
Pro: Adds state to packet filter and keeps track of ongoing connection
Con: Slower, more overhead. Packet content info not used
[1]
[Figure: protocol stack showing the application, transport, network, link and physical layers]
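Added example (not from the slides or from [1]): a toy stateless packet filter that applies the "inbound TCP must have ACK set" rule from the earlier example, beside a stateful filter that remembers which connections were opened from inside, both run over the same constructed packets (the 10.x inside prefix, the addresses, the ports and the unsolicited ACK probe to port 1209 are assumed for the demo). The stateless filter passes the ACK probe; the stateful one drops it because no tracked connection matches.

```python
# Added example (not from the slides): a toy stateless packet filter using the
# "inbound TCP must have ACK set" rule, beside a stateful filter that only admits
# inbound packets matching a connection it saw originate inside. The 10.0.0.0/8
# "inside" prefix, the addresses and the packets are constructed for the demo.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")

def stateless_allow(pkt: Packet) -> bool:
    """Stateless rules: outbound always passes; inbound TCP passes only with ACK set."""
    return is_internal(pkt.src) or "ACK" in pkt.flags

class StatefulFilter:
    """Remembers connections opened from inside; inbound must belong to one."""
    def __init__(self) -> None:
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.flags == {"SYN"}:  # new connection originated inside
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False  # unsolicited inbound packet: dropped, ACK bit or not
        if pkt.flags & {"RST", "FIN"}:
            self.table.discard(key)  # connection torn down, forget it
        return True

def demo():
    """Run the same four packets through both filters; returns (stateless, stateful)."""
    outbound_syn = Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}))
    legit_reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    ack_probe = Packet("203.0.113.9", 40001, "10.0.0.5", 1209, frozenset({"ACK"}))
    bare_syn_in = Packet("203.0.113.9", 40002, "10.0.0.5", 22, frozenset({"SYN"}))
    packets = (outbound_syn, legit_reply, ack_probe, bare_syn_in)
    stateful = StatefulFilter()
    return ([stateless_allow(p) for p in packets], [stateful.allow(p) for p in packets])
```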
-
Application Proxy
A proxy acts on behalf of the system being protected.
Application proxy examines incoming app data and verifies that data is safe before passing it to the system.
Pros
Complete view of the connections and app data
Filter bad data (viruses, Word macros)
Incoming packet is terminated and new packet is sent to internal network
Con: Speed
[1]
-
Firewalk Port Scanning
Scan ports through firewalls
Requires knowledge of IP address of firewall
IP address of one system in internal network
Number of hops to the firewall
Set TTL (time to live) = Hops to firewall +1
Set destination port to be p
If firewall does not pass data for port p, then no response
If data passes thru firewall on port p, then time exceeded error message
[1]
Let's try it: Applications -> Utilities -> Network Utility
-
Firewalk and Proxy Firewall
Attack would be stopped by proxy firewall
Incoming packet destroyed (old TTL value also destroyed)
New outgoing packet will not exceed TTL.
[1]
[Figure: Trudy sends packets with dest port 12345, 12344, 12343 and TTL=4 through a packet filter and three routers; a time exceeded message comes back]
-
Firewalls and Defense in Depth
Example security architecture
[Figure: Internet, packet filter, DMZ with FTP server, DNS server and WWW server, application proxy, intranet with personal firewalls]
[1]
-
Research: Firewall Policy Verification
Firewall design: consistency, completeness, and compactness
Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Distributed Computing Systems, 2004. Proceedings. 24th International Conference on, pp. 320-327, 2004
Lesson: Practical firewalls have complex rulesets. They are hard to get right. Research in place to help validate the configuration for errors
Let's see some simple ones
-
Let's do some examples
iptables is a common tool to build firewalls
Well supported in Linux:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-A: append to list of rules
-p: match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if rule matches, ACCEPT the packet.
1st matching rule wins: order matters!
Final rule typically rejects anything that doesn't match: security says deny all, and only allow in who you want.
-
iptables - chains
INPUT: anything with a destination of the firewall box
OUTPUT: anything with a source of the firewall box
FORWARD: anything going through the firewall box (neither source nor dest is the firewall box)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# This allows SSH TO THE FIREWALL BOX!
-
iptables matching rules
Jump targets: what to do upon match?
-j ACCEPT: allow it
-j REJECT: send a rejection message
-j DROP: drop it, don't send any message
-j logaccept, logdrop, logreject
(there are others)
Protocol matching rules
-p tcp, udp, icmp, all (0 means all)
Port matching rules
--dport destination port
--sport source port
-
iptables more rules
Physical device interface:
-i vlan0 # Packets coming in on that physical interface
-o eth1 # packets going out on that physical interface
-i only valid for INPUT, FORWARD chain
-o only valid for OUTPUT, FORWARD chain
(Note: Specific interface differs by hardware)
Time-based Limiting
--limit 5/minute (rule matches a maximum of 5 times per minute (or second or hour, or day, etc))
Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-
iptables - examples
Let's stop all http access
Let's stop ping
Let's allow www.gmu.edu though (but only GMU!)
--destination www.gmu.edu
Let's allow only my IP to get to HTTP
--source 192.168.3.10
-
iptables more rules
State matching: -m state --state ESTABLISHED,RELATED
NEW: A packet which creates a new connection.
ESTABLISHED: A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).
RELATED: A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.
INVALID: A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.
-
iptables more rules
TCP bit matching:
iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
--tcp-flags: string 1 = the set of bits to look at
string 2 = the subset of 1 which should be ones
Above command says look at all the bits (ALL is synonymous with SYN,ACK,FIN,RST,URG,PSH) and verify that only the SYN and ACK bits are set.
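Added example (not from the slides or from iptables itself): a minimal Python evaluator for a subset of the iptables INPUT syntax used above, demonstrating first-match-wins ordering with a default DROP policy (the "deny all, allow only who you want" rule), the --source restriction from the examples slide, and the --tcp-flags mask/comp semantics. The chain, the packet dictionaries and the addresses are constructed for the demo.

```python
# Added example (not from the slides): a minimal evaluator for a subset of the
# iptables INPUT syntax. Chain and packets below are constructed for the demo.
import shlex

ALL_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "URG", "PSH"})
OPTS = {"-A": "chain", "-p": "proto", "--protocol": "proto", "--dport": "dport",
        "--sport": "sport", "-s": "src", "--source": "src", "-j": "target"}

def flag_set(s):
    return ALL_FLAGS if s == "ALL" else frozenset(s.split(","))

def parse_rule(line):
    """Parse e.g. 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT' into a dict."""
    args, rule, i = shlex.split(line)[1:], {}, 0
    while i < len(args):
        if args[i] == "--tcp-flags":  # two values: bits to examine, bits that must be set
            rule["tcp_flags"] = (flag_set(args[i + 1]), flag_set(args[i + 2]))
            i += 3
        else:
            rule[OPTS[args[i]]] = args[i + 1]
            i += 2
    return rule

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    if any(k in rule and rule[k] != str(pkt[k]) for k in ("dport", "sport", "src")):
        return False
    if rule.get("proto", "all") not in ("all", pkt["proto"]):
        return False
    if "tcp_flags" in rule:  # look only at mask bits; of those, exactly comp must be set
        mask, comp = rule["tcp_flags"]
        return pkt["proto"] == "tcp" and (pkt["flags"] & mask) == comp
    return True

def evaluate(chain, pkt, policy="DROP"):
    """First matching rule wins; anything unmatched gets the chain policy (default deny)."""
    return next((r["target"] for r in chain if matches(r, pkt)), policy)

def demo():
    chain = [parse_rule(r) for r in (  # constructed INPUT chain, in append order
        "iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP",
        "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
        "iptables -A INPUT -p tcp --source 192.168.3.10 --dport 80 -j ACCEPT")]
    pk = lambda proto, src, dport, *flags: {"proto": proto, "src": src, "sport": 40000,
                                             "dport": dport, "flags": frozenset(flags)}
    return [evaluate(chain, pk("tcp", "198.51.100.7", 22, "SYN")),          # ACCEPT
            evaluate(chain, pk("tcp", "198.51.100.7", 22, "SYN", "ACK")),   # DROP: flags rule is first
            evaluate(chain, pk("tcp", "192.168.3.10", 80, "SYN")),          # ACCEPT: only this source
            evaluate(chain, pk("tcp", "198.51.100.7", 80, "SYN")),          # DROP: chain policy
            evaluate(chain, pk("tcp", "198.51.100.7", 22, "SYN", "ACK", "PSH"))]  # ACCEPT: not exactly SYN,ACK
```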
-
iptables - Tunneling
In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.
We really use SSH tunnels:
ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p10024 localhost
However if everyone needed to use it we could use a firewall based tunnel:
iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22
-
Would a GUI help?
-
Lessons
There are many firewall types
Each provides a different level of security versus performance
Multiple firewalls can be used to segment networks into security zones
iptables is a powerful example of how to create/manage firewalls
End of presentation