firewalls
TRANSCRIPT
8/18/2010
1
Chapter 6
Copyright Pearson Prentice-Hall 20102
1.Legitimate hosts send innocent packets.
Attackers send attack packets.
2.Ingress packets come into a site.Egress packets go out from a site.
8/18/2010
2
Copyright Pearson Prentice-Hall 20103
Firewalls drop and logprovable attack packets
Copyright Pearson Prentice-Hall 20104
Firewalls do not drop packets unless they are provably attack packets.
This means that some attack packets that are not provably attack packets
get through the firewall.
8/18/2010
3
Copyright Pearson Prentice-Hall 2010
� The ProblemThe ProblemThe ProblemThe Problem
◦ If a firewall cannot filter all of the traffic passing through it, it drops packets it cannot process
◦ This is secure because it prevents attack packets from getting through
◦ But it creates a self-inflicted denial-of-serviceattack by dropping legitimate traffic
5
Copyright Pearson Prentice-Hall 2010
� Firewall CapacityFirewall CapacityFirewall CapacityFirewall Capacity
◦ Firewalls must have the capacity to handle the incoming traffic volume
◦ Some can handle normal traffic but cannot handle traffic during heavy attacks!
◦ They must be able to handle incoming traffic at wire speed—the maximum speed of data coming into each port
6
8/18/2010
4
� Performance – must have sufficient processing capacity and RAM to process all packets.
� Packets that do not get processed must be dropped.
� Two factors drive performance requirement
1. Volume of traffic to be filter
2. Complexity of filtering
� Ensuring adequate performance – Check log file everyday
Performance
Requirements
Traffic Volume (Packets per Second)
Complexity
of Filtering:
Number of
Filtering
Rules,
Complexity
Of rules, etc.If a firewall cannot inspect packets
fast enough, it will drop unchecked
packets rather than pass them
6-2: The Danger of Traffic Overload
8/18/2010
5
Copyright Pearson Prentice-Hall 2010
� Processing Power Is Increasing RapidlyProcessing Power Is Increasing RapidlyProcessing Power Is Increasing RapidlyProcessing Power Is Increasing Rapidly
◦ As processing power increases, more sophisticated filtering methods should become possible
◦ We can even have unified threat management (UTM), in which a single firewall can use many forms of filtering, including antivirus filtering and even spam filtering. (Traditional firewalls do not do these types of application-level malware filtering)
◦ However, increasing traffic is soaking up much of this increasing processing power
9
Copyright Pearson Prentice-Hall 2010
� Firewall Filtering MechanismsFirewall Filtering MechanismsFirewall Filtering MechanismsFirewall Filtering Mechanisms
◦ There are many types
◦ We will focus most heavily on the most important firewall filtering method, stateful packet inspection (SPI)
◦ Single firewalls can use multiple filtering mechanisms, most commonly, SPI with other secondary filtering mechanisms
10
8/18/2010
6
11
Copyright Pearson Prentice-Hall 2010
� Static Packet FilteringStatic Packet FilteringStatic Packet FilteringStatic Packet Filtering
◦ This was the earliest firewall filtering mechanism
◦ Limits
� Examines packets one at a time, in isolation
� Only looks at some internet and transport headers
� Consequently, unable to stop many types of attacks
12
8/18/2010
7
Static Packet Filter Firewall
IP-H
IP-H
TCP-H
UDP-H Application Message
Application Message
IP-H ICMP-H
Only IP, TCP, UDP and ICMP
Headers Examined
Permit
(Pass)
Deny
(Drop)
Corporate Network The Internet
Log
File
Static
Packet
Filter
Firewall
ICMP Message
IP-H
IP-H
TCP-H
UDP-H Application Message
Application Message
IP-H ICMP-H
Arriving Packets
Examined One at a Time, in Isolation;
This Misses Many Attacks
Permit
(Pass)
Deny
(Drop)
Corporate Network The Internet
Log
File
Static
Packet
Filter
Firewall
ICMP Message
Static Packet Filter Firewall
8/18/2010
8
Copyright Pearson Prentice-Hall 2010
� Inspects Packets One at a Time, in IsolationInspects Packets One at a Time, in IsolationInspects Packets One at a Time, in IsolationInspects Packets One at a Time, in Isolation
◦ If it receives a packet containing a SYN/ACK segment, this may be a legitimate response to an internally initiated SYN segment
� The firewall must pass packets containing these segments, or internally initiated communications cannot exist
15
Copyright Pearson Prentice-Hall 2010
� Inspects Packets One at a Time, in IsolationInspects Packets One at a Time, in IsolationInspects Packets One at a Time, in IsolationInspects Packets One at a Time, in Isolation
◦ However, this SYN/ACK segment could be an external attack
� It could be sent to elicit an RST segment confirming that there is a victim at the IP address to which the SYN/ACK segment is sent
� A static packet filtering firewall cannot stop this attack
16
8/18/2010
9
Copyright Pearson Prentice-Hall 2010
� However, Static Packet Filtering Can Stop However, Static Packet Filtering Can Stop However, Static Packet Filtering Can Stop However, Static Packet Filtering Can Stop Certain Attacks Very EfficientlyCertain Attacks Very EfficientlyCertain Attacks Very EfficientlyCertain Attacks Very Efficiently
◦ Incoming ICMP Echo packets and other scanning probe packets
◦ Outgoing responses to scanning probe packets
◦ Packets with spoofed IP addresses (e.g., incoming packets with the source IP addresses of hosts inside the firm)
◦ Packets that have nonsensical field settings —such as a TCP segment with both the SYN and FIN bits set
17
Copyright Pearson Prentice-Hall 2010
� Market StatusMarket StatusMarket StatusMarket Status
◦ No longer used as the main filtering mechanism for border firewalls
◦ May be used as a secondary filtering mechanism on main border firewalls
18
8/18/2010
10
Copyright Pearson Prentice-Hall 2010
� Market StatusMarket StatusMarket StatusMarket Status
◦ Also may be implemented in border routers, which lie between the Internet and the firewall
� Stops simple, high-volume attacks to reduce the load on the main border firewall
19
20
8/18/2010
11
Copyright Pearson Prentice-Hall 2010
� Connections have distinct states or stages
� Different states are subject to different attacks
� Stateful firewalls use different filtering rules for different states
21
Connection OpeningState
Ongoing Communication
State
Connection ClosingState
Copyright Pearson Prentice-Hall 201022
8/18/2010
12
Copyright Pearson Prentice-Hall 201023
� Default Behavior
◦ Permit connections initiated by an internal host
◦ Deny connections initiated by an external host
◦ Can change default behavior with ACL
Internet
Automatically Accept Connection Attempt
Router
Automatically Deny Connection Attempt
8/18/2010
14
� Static Packet Filter Firewalls are Stateless
◦ Filter one packet at a time, in isolation
◦ If a TCP SYN/ACK segment is sent, cannot tell if there was a previous SYN to open a connection
◦ But stateful firewalls can
Attacker
Spoofing
External
Webserver
10.5.3.4
Internal
Client PC
60.55.33.12
Stateful Firewall
2.
Check
Connection Table:
No Connection
Match: Drop
1.
Spoofed
TCP SYN/ACK Segment
From: 10.5.3.4.:80
To: 60.55.33.12:64640
Type
TCP
UDP
Internal
IP
60.55.33.12
60.55.33.12
Internal
Port
62600
63206
External
IP
123.80.5.34
222.8.33.4
External
Port
80
69
Status
OK
OK
Connection Table
8/18/2010
15
� Static Packet Filter Firewalls are Stateless
◦ Filter one packet at a time, in isolation
◦ Cannot deal with port-switching applications
◦ But stateful firewalls can
External
FTP Server
123.80.5.34
Internal
Client PC
60.55.33.12
1.
TCP SYN Segment
From: 60.55.33.12:62600
To: 123.80.5.34:21
2.
To Establish
Connection 3.
TCP SYN Segment
From: 60.55.33.12:62600
To: 123.80.5.34:21
Stateful Firewall
Type
TCP
Internal
IP
60.55.33.12
Internal
Port
62600
External
IP
123.80.5.34
External
Port
21
Status
OK
State Table
Step 2
8/18/2010
16
External
FTP
Server
123.80.5.34
Internal
Client PC
60.55.33.12
6.
TCP SYN/ACK Segment
From: 123.80.5.34:21
To: 60.55.33.12:62600
Use Ports 20
and 55336 for
Data Transfers
5.
To Allow,
Establish
Second
Connection
4.
TCP SYN/ACK Segment
From: 123.80.5.34:21
To: 60.55.33.12:62600
Use Ports 20
and 55336 for
Data Transfers
Stateful
Firewall
Type
TCP
TCP
Internal
IP
60.55.33.12
60.55.33.12
Internal
Port
62600
55336
External
IP
123.80.5.34
123.80.5.34
External
Port
21
20
Status
OK
OK
State Table
Step 2
Step 5
Copyright Pearson Prentice-Hall 201032
Port Primary
Protocol*
Application
20 TCP FTP Data Traffic
21 TCP FTP Supervisory Connection
22 TCP Secure Shell (SSH)
23 TCP Telnet
25 TCP Simple Mail Transfer Protocol (SMTP)
53 TCP Domain Name System (DNS)
*In many cases, both TCP and UDP can be used by an application. In such cases, the same port number is used for both. Typically, however, the use of either TCP or UDP will be predominant.
8/18/2010
17
Copyright Pearson Prentice-Hall 201033
Port Primary
Protocol
Application
69 UDP Trivial File Transfer Protocol (TFTP)
80 TCP Hypertext Transfer Protocol (HTTP)
110 TCP Post Office Protocol (POP)
135-
139
TCP NETBIOS service for peer-to-peer file sharing in older
versions of Windows
143 TCP Internet Message Access Protocol (IMAP)
161 UDP Simple Network Management Protocol (SNMP)
443 TCP HTTP over SSL/TLS
Copyright Pearson Prentice-Hall 2010
� Access Control List OperationAccess Control List OperationAccess Control List OperationAccess Control List Operation
◦ An ACL is a series of rules for allowing or disallowing connections
◦ The rules are executed in order, beginning with the first
� If a rule DOES NOT apply to the connection-opening attempt, the firewall goes to the next ACL rule
� If the rule DOES apply, the firewall follows the rule, no further rules are executed
◦ If the firewall reaches the last rule in the ACL, it follows that rule
34
8/18/2010
18
Copyright Pearson Prentice-Hall 2010
� Ingress ACL’s PurposeIngress ACL’s PurposeIngress ACL’s PurposeIngress ACL’s Purpose
◦ The default behavior is to drop all attempts to open a connection from the outside
◦ All ACL rules except for the last give exceptions to the default behavior under specified circumstances
◦ The last rule applies the default behavior to all connection-opening attempts that are not allowed by earlier rules are executed by this last rule
35
� 1. If source IP address = 10.*.*.*, DENY [private IP address range]
� 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range]
� 3. If source IP address = 192.168.*.*, DENY [private IP address range]
� 4. If source IP address = 60.40.*.*, DENY [firm’s internal address range]
Access Control List (ACLs)
8/18/2010
19
� 5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker]
� 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet]
� 7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connection to a public webserver]
� 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside]
Access Control List (ACLs)
� 9. If TCP destination port = 20, DENY [FTP data connection]
� 10. If TCP destination port = 21, DENY [FTP supervisory control connection]
� 11. If TCP destination port = 23, DENY [Telnet data connection]
� 12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients]
Access Control List (ACLs)
8/18/2010
20
� 13. If TCP destination port = 513, DENY [UNIX rlogin without password]
� 14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
� 15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure]
� 16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary]
� 17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
� DENY ALL
Access Control List (ACLs)
� DENY ALL
◦ Last rule
◦ Drops any packets not specifically permitted by earlier rules
8/18/2010
21
Copyright Pearson Prentice-Hall 2010
� Low CostLow CostLow CostLow Cost
◦ Most packets are not part of packet-opening attempts
◦ These can be handled very simply and therefore inexpensively
◦ Connection-opening attempt packets are more expensive process but are rare
41
Copyright Pearson Prentice-Hall 2010
� SafetySafetySafetySafety
◦ Attacks other than application-level attacks usually fail to get through SPI firewalls
◦ In addition, SPI firewalls can use other forms of filtering when needed
42
8/18/2010
22
Copyright Pearson Prentice-Hall 2010
� DominanceDominanceDominanceDominance
◦ The combination of high safety and low cost makes SPI firewalls extremely popular
◦ Nearly all main border firewalls today use statefulpacket inspection
43
44
8/18/2010
23
Copyright Pearson Prentice-Hall 201045
� Sniffers on the Internet cannot learn internal IP addresses and port numbers
◦ Only learn the translated address and port number
� By themselves, provide a great deal of protection against attacks
◦ External attackers cannot create a connection to an internal computers
8/18/2010
25
Copyright Pearson Prentice-Hall 201049
Copyright Pearson Prentice-Hall 201050
Topic Application
Proxy
Firewalls
Stateful
Packet
Inspection
Firewalls
Remarks
Can examine
application layer
content
Always As an Extra
Feature
Capabilities for
application layer
content filtering
Somewhat
More
Somewhat
Less
8/18/2010
26
Copyright Pearson Prentice-Hall 201051
Topic Application
Proxy
Firewalls
Stateful
Packet
Inspection
Firewalls
Remarks
Uses Relay
Operation with
two
connections
per
client/server
pair?
Yes No Maintaining two
connections is highly
processing intensive.
Cannot support many
client/server pairs.
Consequently,
application proxy
firewalls cannot be used
as main border firewalls
Speed Slow Fast
Intrusion Detection Systems and
Intrusion Prevention Systems
52
8/18/2010
27
Copyright Pearson Prentice-Hall 2010
� PerspectivePerspectivePerspectivePerspective
◦ Growing processing power made stateful packet inspection possible
◦ Now, growing processing power is making a new firewall filtering method attractive
◦ Intrusion prevention systems (IPSs)
53
Copyright Pearson Prentice-Hall 2010
� Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)
◦ Firewalls drop provable attack packets only
◦ Intrusion detection systems (IDSs) look for suspicious traffic
� Cannot drop because the packet is merely suspicious
◦ Sends an alarm message if the attack appears to be serious
54
8/18/2010
28
Copyright Pearson Prentice-Hall 2010
� Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)
◦ Problem: Too many false positives (false alarms)
� Alarms are ignored or the system is discontinued
� Can reduce false positives by tuning the IDSs
� Eliminate inapplicable rules, such as a Unix rule in an all-Windows company
� Reduce the number of rules allowed to generate alarms
� Most alarms will still be false alarms
55
Copyright Pearson Prentice-Hall 2010
� Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)Intrusion Detection Systems (IDSs)
◦ Problem: Heavy processing requirements because of sophisticated filtering
� Deep packet inspection
� Looks at application content and transport and internet headers
� Packet stream analysis
� Looks at patterns across a series of packets
� Often, patterns cannot be seen unless many packets are examined
56
8/18/2010
29
Copyright Pearson Prentice-Hall 2010
� Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)
◦ Use IDS filtering mechanisms
◦ Application-specific integrated circuits (ASICs) provide the needed processing power
57
Copyright Pearson Prentice-Hall 2010
� Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)Intrusion Prevention Systems (IPSs)
◦ Attack confidence identification spectrum
� Somewhat likely
� Very likely
� Provable
◦ Firm may allow firewall to stop traffic at the high end of the attack confidence spectrum
◦ Firm decides which attacks to stop
◦ This allows it to manage its risks
58
8/18/2010
30
Copyright Pearson Prentice-Hall 2010
� Possible ActionsPossible ActionsPossible ActionsPossible Actions
◦ Drop packets
� Risky for suspicious traffic even with high confidence
◦ Bandwidth limitation for certain types of traffic
� Limit to a certain percentage of all traffic
� Less risky than dropping packets
� Useful when confidence is lower
59
60
8/18/2010
31
Copyright Pearson Prentice-Hall 201061
� Traditional Firewalls Do Not Do Antivirus FilteringTraditional Firewalls Do Not Do Antivirus FilteringTraditional Firewalls Do Not Do Antivirus FilteringTraditional Firewalls Do Not Do Antivirus Filtering
� They Pass Files Needing Filtering to an Antivirus ServerThey Pass Files Needing Filtering to an Antivirus ServerThey Pass Files Needing Filtering to an Antivirus ServerThey Pass Files Needing Filtering to an Antivirus Server
Copyright Pearson Prentice-Hall 2010
� Unified Threat Management (UTM) Firewalls Unified Threat Management (UTM) Firewalls Unified Threat Management (UTM) Firewalls Unified Threat Management (UTM) Firewalls Go Beyond Traditional Firewall FilteringGo Beyond Traditional Firewall FilteringGo Beyond Traditional Firewall FilteringGo Beyond Traditional Firewall Filtering
◦ SPI
◦ Antivirus Filtering
◦ VPNs
◦ DoS Protection
◦ NAT
62
8/18/2010
32
63
� Introduction
◦ Attack on availability
◦ Act of vandalism
1. Single-Message DoS Attacks
◦ Crash a host with a single attack packet
◦ Examples: Ping-of-Death, Teardrop, and LAND
◦ Send unusual combination for which developers did not test
8/18/2010
33
2. Flooding Denial-of-Service Attacks
i. SYN flooding
� Try to open many connections with SYN segments
� Victim must prepare to work with many connections
� Victim crashes if runs out of resources; at least slows down
� More expensive for the victim than the attacker
Denial-of-Service (DoS) Attacks
SYN SYN SYN SYN SYN
Attacker
1.34.150.37Victim
60.168.47.47
Attacker Sends Flood of SYN Segments
Victim Sets Aside Resources for Each Victim
Crashes or Victim Becomes Too Overloaded
to Respond to the SYNs from Legitimate
Uses
2. Flooding Denial-of-Service Attacks
i. SYN flooding
8/18/2010
34
“Innocent” Firm
Attacker
1.34.150.37
1.
Single ICMP Echo Message
Source IP: 60.168.47.47
(Victim) Destination IP:
Broadcast
Echo
4.
Echo
Replies
Victim
60.168.47.47
2.
Router with
Broadcasting
Enabled
3.
Broadcast
Echo
Message
2. Flooding Denial-of-Service Attacks
ii. Smurf flooding
Attacker
1.34.150.37
Attack
Command
Handler
Attack
Command
Zombie
Attack Packet
Victim 60.168.47.47
Attack Packet
Attack Packet
Zombie
ZombieHandler
Attack
Command
Attack
Command
Attack
Command
2. Flooding Denial-of-Service Attacks
ii. Distributed DoS flooding
8/18/2010
35
� Stopping DoS Attacks
◦ Ingress filtering to stop attack packets
◦ Limited ability of ingress filtering because link to ISP might become overloaded
◦ Egress filtering by attacker’s company or ISP
◦ Requires cooperating from attacker’s company or ISP
◦ Requires a community response; victim cannot do it alone
Copyright Pearson Prentice-Hall 2010
� PerspectivePerspectivePerspectivePerspective
◦ Done by most main border firewalls
◦ DOS attacks are easy to detect but difficult to stop because their traffic looks like legitimate packets
70
8/18/2010
36
Copyright Pearson Prentice-Hall 2010
� TCP HalfTCP HalfTCP HalfTCP Half----OpeningOpeningOpeningOpeningAttacksAttacksAttacksAttacks
◦ Attacks
� Attacker sends a TCP SYN segment to a port
� The application program sends back a SYN/ACK segment and sets aside resources
� The attacker never sends back an ACK, so the victim keeps the resources reserved
� The victim soon runs out of resources and crashes or can no longer serve legitimate traffic
71
SYN
SYN/ACK
No ACK
SYN
Copyright Pearson Prentice-Hall 2010
� TCP HalfTCP HalfTCP HalfTCP Half----Opening AttacksOpening AttacksOpening AttacksOpening Attacks
◦ Defenses
� Firewall intercepts the SYN from an external host
� Firewall sends back an SYN/ACK without passing the segment on to the target host
� Only if the firewall receives a timely ACK does it send the original SYN the destination host
72
SYN
SYN/ACK
No ACK
8/18/2010
37
Copyright Pearson Prentice-Hall 2010
� Rate LimitingRate LimitingRate LimitingRate Limiting
◦ Set a limit on all traffic to a server—both legitimate and DoS packets
◦ Keeps the entire network from being overloaded
◦ Not perfect—does not protect the target server or allow legitimate traffic
73
Copyright Pearson Prentice-Hall 2010
� DoS Protection Is a Community ProblemDoS Protection Is a Community ProblemDoS Protection Is a Community ProblemDoS Protection Is a Community Problem
◦ If an organization’s access line to the Internet becomes overloaded, it cannot solve the problem itself
◦ Its ISP or other upstream agencies must help
74
8/18/2010
38
75
Copyright Pearson Prentice-Hall 201076
A Firm Has Many Firewalls:Screening border routersMain border firewallsInternal firewalls
Host firewalls on clients and servers
The Firewall Architecture Describeshow These Firewalls Work Together
8/18/2010
39
Copyright Pearson Prentice-Hall 2010
� DMZs Use TriDMZs Use TriDMZs Use TriDMZs Use Tri----HomedHomedHomedHomedMain FirewallsMain FirewallsMain FirewallsMain Firewalls
◦ One subnet to theborder router
◦ One subnet to the DMZ (accessible to the outside world)
◦ One subnet to the internal network
� Access from the internal subnet to the Internet is nonexistent or minimal
� Access from the internal subnet to the DMZ is also strongly controlled
77
DMZ
InternalNetwork
BorderRouter
Copyright Pearson Prentice-Hall 2010
� Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)
◦ Subnet for servers and application proxy firewalls accessible via the Internet (Figure 6-22)
◦ Hosts in the DMZ must be especially hardened because they will be accessible to attackers on the Internet
78
8/18/2010
40
Copyright Pearson Prentice-Hall 2010
� Hosts in the DMZHosts in the DMZHosts in the DMZHosts in the DMZ
◦ Public servers (public webservers, FTP servers, etc.)
◦ Application proxy firewalls to require all Internet traffic to pass through the DMZ
◦ External DNS server that knows only host names in the DMZ
79
80
8/18/2010
41
Copyright Pearson Prentice-Hall 2010
� Firewalls Are Ineffective Without Planning and Firewalls Are Ineffective Without Planning and Firewalls Are Ineffective Without Planning and Firewalls Are Ineffective Without Planning and Ongoing ManagementOngoing ManagementOngoing ManagementOngoing Management
� Defining Firewall PoliciesDefining Firewall PoliciesDefining Firewall PoliciesDefining Firewall Policies
◦ Policies are high-level statements about what to do
◦ E.g., HTTP connections from the Internet may only go to servers in the DMZ
81
Copyright Pearson Prentice-Hall 2010
� Defining Firewall PoliciesDefining Firewall PoliciesDefining Firewall PoliciesDefining Firewall Policies
◦ Policies are more comprehensible than actual firewall rules
◦ There may be multiple ways to implement a policy
� Defining policies instead of specific rules gives implementers freedom to choose the best way to implement a policy
82
8/18/2010
42
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Firewall hardening
� Firewall appliances are hardened at the factory
� Vendors sell software plus a server with a pre-hardened operating system
� Firewall software on a general-purpose computer requires the most on-site hardening
83
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Central firewall management systems (Figure 6-24)
� Creates a policy database
� Changes policies into ACL rules
� Sends ACL rules out toindividual firewalls
84
PolicyServer
FirewallAdministrator
Policy
ACL RuleACL Rule
8/18/2010
43
Copyright Pearson Prentice-Hall 201085
Policy Source Destination Service Action Track Firewalls
1 Internal DNS
Servers
UDP dns Pass None All
2 External Internal TCP http Drop Log All
3 External DMZ
webserver
TCP http Pass None Border
4 Internal External TCP http Pass Log Border
5 Internal External ICMP Drop None Border
6 Internal Mail Server TCP smtp Authenticate Log if
Fail
Central
7 Marketing Plans
Server
TCP http Authenticate Alert if
Fail
Marketing
8 Any Plans
Server
TCP http Drop Log Marketing
9 Any Any Any Drop Log All
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Vulnerability testing after configuration
� There will be problems
� Tests, like firewall configuration, should be based on policies
86
8/18/2010
44
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Change authorization and management
� Limit the number of people who can make change requests
� Limit the number of authorizers even more
� Require requesters and authorizers to be different people
� Implement the rule in the most restrictive way possible —� To pass the least number of packets
87
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Change authorization and management
� Document all changes carefully
� Do vulnerability testing after every change� The change should work
� All previous behaviors should still work (regression testing)
� Audit changes frequently� Focus especially on asking if each change opens the firewall in the most restrictive way possible
88
8/18/2010
45
Copyright Pearson Prentice-Hall 2010
� ImplementationImplementationImplementationImplementation
◦ Reading the firewall logs
� Should be done dailyor more frequently
� The most labor-intensive part of firewall management
� Strategy is to find unusual traffic patterns� Top ten source IP addresses whose packets were dropped
� Number of DNS failures today versus in an average day
� Attackers can be black holed (have their packets dropped)
89
Death of the Perimeter
The Need for Anomaly Detection
90
8/18/2010
46
Copyright Pearson Prentice-Hall 2010
� Protecting the Perimeter Is No Longer PossibleProtecting the Perimeter Is No Longer PossibleProtecting the Perimeter Is No Longer PossibleProtecting the Perimeter Is No Longer Possible
◦ There are too many ways to get through the perimeter
� Avoiding the Border FirewallAvoiding the Border FirewallAvoiding the Border FirewallAvoiding the Border Firewall
◦ Internal attackers are inside the firewall already
◦ Compromised internal hosts are inside the firewall
◦ Wireless LAN drive-by hackers enter through access points that are inside the site
◦ Home notebooks, mobile phones, and media brought into the site
◦ Internal firewalls can address some of these threats
91
Copyright Pearson Prentice-Hall 2010
� Extending the PerimeterExtending the PerimeterExtending the PerimeterExtending the Perimeter
◦ Remote employees must be given access
◦ Consultants, outsourcers, customers, suppliers, and other subsidiaries must be given access
◦ Essentially, all of these tend to use VPNs to make external parties “internal” to your site
92
8/18/2010
47
Copyright Pearson Prentice-Hall 2010
� Most Filtering Methods Use Attack Signature Most Filtering Methods Use Attack Signature Most Filtering Methods Use Attack Signature Most Filtering Methods Use Attack Signature DetectionDetectionDetectionDetection
◦ Each attack has a signature
◦ This attack signature is discovered
◦ The attack signature is added to the firewall
◦ But zero-day attacks are attacks without warning, occur before a signature is developed
◦ Signature defense cannot stop zero-day attacks
93
Copyright Pearson Prentice-Hall 2010
� Anomaly DetectionAnomaly DetectionAnomaly DetectionAnomaly Detection
◦ Detects an unusual pattern indicating a possible attack
◦ This is difficult, so there are many false positives
◦ Shrinking time needed to define signatures
◦ Anomaly detection is necessary in today’s firewalls
94