Introduction (cont.) – York University
Introduction (cont.)
Categories of Firewalls
1) processing mode: 1.1) MAC layer firewalls, 1.2) packet filtering firewalls, 1.3) application gateways, 1.4) circuit gateways, 1.5) hybrids
2) development era (generation): 2.1) – 2.5) 1st, 2nd, 3rd, 4th, 5th generation
3) structure: 3.1) commercial grade firewall appliances, 3.2) commercial grade firewall systems, 3.3) small-office/home-office (SOHO) firewall appliances, 3.4) residential-grade firewall software
4) architecture: 4.1) packet filtering routers, 4.2) dual-homed host firewalls, 4.3) screened host firewalls, 4.4) screened subnet firewalls
Firewalls by Structure
3.1) Commercial Grade Firewall Appliance [Hardware] – stand-alone, self-contained combination of hardware and software (~ $1 – $10,000 k)
often a general-purpose computer with a customized OS that can be modified only using a direct physical connection & strong authentication
not vulnerable to ‘bugs’ and other flaws of common OSs + can handle more data with faster throughput
generally more expensive than software counterparts
examples: Cisco’s hardware firewalls running on Cisco’s own Internetwork Operating System (IOS)
The Cisco ASA 5510 Adaptive Security Appliance delivers a wealth of advanced security and networking services for small-to-medium businesses and enterprise remote/branch offices in an easy-to-deploy, cost-effective appliance. These services can be easily managed and monitored by the integrated, Web-based management application, Cisco Adaptive Security Device Manager, thus reducing the overall deployment and operations costs associated with providing this high level of security. The Cisco ASA 5510 Adaptive Security Appliance provides high performance firewall and VPN services, three integrated 10/100 Fast Ethernet interfaces, and optional high-performance intrusion prevention and anti-x services via a Security Services Module making it an excellent choice for businesses requiring a cost-effective, extensible, DMZ-enabled security solution. As business needs grow, the Cisco ASA 5510 Adaptive Security Appliance can also scale to higher interface density and integrate into switched network environments through VLAN support by installing a Security Plus upgrade license. Furthermore, this upgrade license maximizes business continuity by enabling Active/Standby high availability services and expands VPN capacity by supporting a greater number of concurrent VPN connections for mobile users, remote sites, and business partners.
suggested retail price: $5,304.10 $3,978.07
Firewalls by Structure (cont.)
3.2) Commercial Grade Firewall Systems [Software] – consist of application firewall software that runs on a general-purpose computer (~ $1 – $5 k)
aka Enterprise Firewalls – designed for large complex networks
features:
ability to manage multiple firewalls centrally
sophisticated monitoring and reporting
load balancing and failover, …
examples:
Novell’s BorderManager – see: http://www.novell.com/documentation/nbm39/pdfdoc/installation/installation.pdf
Firewalls by Structure (cont.)
3.3) Small Office / Home Office [SOHO] or Residential Grade Firewall Appliance – aimed to protect small businesses & residences with a DSL or cable modem (always-on) connection to the Internet (~ $100)
SOHO firewall properties:
stateful packet filtering
port filtering & simple intrusion detection
screened subnetting, …
in recent years, SOHO firewalls also combine features of a WAP & NAT
with NAT, internal computers are ‘not visible’ to the public network, hence less vulnerable
examples:
SMC Barricade residential broadband router
SonicWall SOHO firewall
Firewalls by Structure (cont.)
3.4) Residential Grade [SOHO] Firewall Software – software installed directly on the user’s system (free or ~ $100)
aka Personal Firewalls – intended to protect a single computer
features:
lightweight in terms of protection
most guard only against IP threats
some do not handle outbound blocking, …
examples:
ZoneAlarm Pro (freeware available) – http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
Norton Personal Firewall
Sygate Personal Firewall Pro (freeware available)
Microsoft Windows Firewall – integral to Windows XP, Vista, Windows 7 systems
Firewalls by Structure (cont.)
Example: Firewall advantages and disadvantages
Firewalls by Architecture
Firewall Architectures – each of the four classes of firewalls (MAC-layer, packet filtering firewall, application gateway, circuit gateway) can be used and combined in a number of ways
the ultimate decision on which and how many firewalls to deploy depends on:
network uses
network objectives
available budget (for initial purchase, maintenance, upgrades)
4.1) Packet Filtering (Screening) Firewall/Router – rejects packets that the organization does not want to let ‘in’
a simple way to lower risk from high-volume, low-complexity attacks
drawbacks:
complex ACLs can degrade (slow down) network performance
single point of failure – if the router fails, there is no further protection
Firewalls by Architecture (cont.)
4.1) Packet Filtering (Screening) Router
appropriate uses:
the network being protected already has a high level of host security
the number of protocols and their rules/use is straightforward
you require maximum performance
Firewalls by Architecture (cont.)
4.2) Dual-Homed Firewall (Application Gateway) – a host-firewall (not a router!) with 2 NICs is placed between the internal and the external network
all traffic must physically go through the host-firewall
the host-firewall filters data based on higher-layer data (not just IP!)
Firewalls by Architecture (cont.)
4.2) Dual-Homed Firewall (cont.)
drawbacks:
dual-homed hosts/firewalls are NOT high-performance devices; they have more work to do per connection
a dual-homed host is a ‘regular’ computer with all its vulnerabilities
a dual-homed host is the system’s single point of failure
Firewalls by Architecture (cont.)
4.2) Dual-Homed Firewall (cont.)
appropriate use:
traffic to the Internet is low-volume and is not business-critical
no service is being provided to Internet-based users
4.3) Screened Host Firewall – combines a packet filtering router & a separate application gateway
the router prescreens packets to minimize network traffic
the gateway – aka bastion host – performs proxy services for one or more application protocols (e.g. FTP, HTTP)
the gateway is the only host in the internal network that hosts from the Internet can communicate with
Firewalls by Architecture (cont.)
4.3) Screened Host Firewall (cont.)
strengths:
to compromise the internal network, an attacker must compromise both the screening router and the bastion host
overall, router + proxy protect data (network) more fully than router or dual-homed host alone
appropriate uses:
few connections are coming from the Internet
the network being protected has a relatively high level of host security
Firewalls by Architecture (cont.)
4.4) Screened Subnet Architecture – adds an extra layer of security to the screened host architecture by adding a perimeter network to better isolate the bastion host
the bastion host is ‘the most likely to be attacked’ machine on a network
by setting up a perimeter network, the ultimate impact of a break-in on the bastion host is significantly reduced
it is no longer an instant ‘jackpot’; it gives an intruder some access, but not all
to break into the internal network an attacker would have to get past both routers
Firewalls by Architecture (cont.)
4.4) Screened Subnet Architecture (cont.)
it is OK to use multiple bastion hosts
e.g., one host handles services important to your own users (SMTP, DNS), other host handles services that you provide to the Internet (HTTP, FTP) – this way the performance of your own users will not be dragged down by activities of outside users
If you have $$$$
Firewalls by Architecture (cont.)
4.4) Screened Subnet Architecture (cont.)
it is OK to merge bastion host and exterior router
this configuration exposes the bastion host more, but it doesn’t open significant new vulnerabilities to the internal network
If you do not have $$$$
Firewalls by Architecture (cont.)
4.4) Screened Subnet Architecture (cont.)
it is dangerous to merge bastion host and interior router
with this type of configuration, if the bastion host is broken into, there is nothing left in the way of security between the bastion host and the internal network
one of the main purposes of the perimeter network is to prevent the bastion host from being able to snoop on internal traffic – with this configuration all of your internal traffic is visible to it
If you do not have $$$$
4.4) Screened Subnet Architecture (cont.)
multiple interior routers should be used with caution
in case of a misconfiguration on one of the interior routers (which happens frequently), strictly internal traffic may end up flowing across the perimeter network, where it can be snooped on if somebody has managed to break into the bastion host
possible solution: backbone architecture
Firewalls by Architecture (cont.)
In multi-LAN networks…
Firewalls by Architecture (cont.)
4.4) Screened Subnet Architecture (cont.)
it is OK to use multiple exterior routers
may be needed if:
a) for redundancy purposes, you have multiple connections to the Internet
b) you have a connection to the Internet plus other connections to other sites
compromise of an exterior router in case of a) is not critical – attacker still cannot see internal traffic
case b) is possibly dangerous if other connections are to sites that require/assume privacy of information
In complex networks…
Firewalls by Architecture (cont.)
[Figure: HTTP Server and HTTP Proxy separated by a firewall.] Is this architecture optimal with regard to QoS?
Firewalls by Architecture (cont.)
4.5) Screened Subnet Firewall with DMZ – provides an extra layer of security by creating a new network segment (DMZ) of ‘public servers’
the DeMilitarized Zone (DMZ) is isolated from the rest of the internal network
[Figure: bastion host; exterior and interior filtering routers.]
Firewalls by Architecture (cont.)
4.4) Screened Subnet Firewall with DMZ (cont.)
the bastion host acts as a proxy for the DMZ’s servers and is protected by the interior and exterior filtering routers
the interior router protects the internal network from the perimeter network and the Internet
allow only specific DMZ hosts (DNS, SMTP, HTTP server) to communicate with hosts on the internal network
the exterior router protects the perimeter and internal network from the Internet
block incoming and outgoing IP packets with forged IP addresses
if someone successfully breaks into the bastion host, the internal network is still (reasonably) protected by the interior router
the attacker will be able to snoop only on the DMZ’s local hosts and traffic
Firewalls by Architecture (cont.)
Example: Multiple DMZ/Firewall Configurations
[Figure: server farm 1, server farm 2, server farm 3]
Web Server 1: stores public data that requires no (major) protection or is not likely to be a ‘target’
Web Server 2: stores public data that requires protection
Web Server 3: stores private data that requires a high level of protection
Firewalls by Architecture (cont.)
How Many Firewalls and Where?
a simple home network might be sufficiently protected with a single stateful packet filter
a small network with proprietary information can use a proxy server + packet filter to prevent external users from ‘seeing’ internal data and the network
large companies with public Web servers & proprietary data may have to build a DMZ with packet filters on either side
Firewall Rules
Configuring Firewall Rules – art as much as science
each rule must be carefully crafted, debugged, tested and placed into the Access Control List (ACL) in the proper order
rules that can be evaluated quickly & regulate broad access should be performed first
when security rules conflict with performance, security often needs to be removed or redesigned
Most firewalls operate on the principle of explicitly permitted rules: “that which is not permitted is prohibited”.
Firewall Rules (cont.)
‘Best Practices’ for Firewall & Firewall Rules
Firewall devices should not be accessible from either the public or the internal network for management and configuration purposes.
only authorized firewall administrators should be able to access the device, using encryption and strong authentication
SMTP data should be allowed through the firewall, but routed to a well-configured SMTP gateway to filter mail traffic securely.
All ICMP data should be denied.
Telnet access to all internal servers from the public network should be blocked (especially to the DNS server).
if internal users need to come into an organization’s network from outside the firewall, a Virtual Private Network (VPN) is preferred
Firewall Rules (cont.)
‘Best Practices’ for Firewall & Firewall Rules (cont.)
When Web services are offered outside the firewall, the use of proxy servers (in or outside the DMZ) should be considered.
proxy server – application-level software that checks and forwards packets to & from the Web server, and caches Web pages to speed up network performance
Firewall Rules (cont.)
Example: Firewall rules
Assume a network with one internal and one external firewall.
[Figure: Switch – external firewall (NetIP: 10.10.10.0; addresses 10.10.10.1, 10.10.10.2, 10.10.10.3) – internal firewall (192.168.2.1) – internal hosts 192.168.2.2, 192.168.2.3; Firewall Admin.; Internal Server.]
NAT Addressing:
INT Address    EXT Address
192.168.2.1    10.10.10.7
192.168.2.2    10.10.10.8
192.168.2.3    10.10.10.9
192.168.2.x    10.10.10.10
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 1: Responses to internal requests are allowed.
External (Inbound) Firewall: Internal Firewall:
Use state tables to track connections and prevent dangerous packets from entering the upper port range.
Client programs run on registered ports.
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 2: Firewall device is never accessible directly from public or internal network, and it should never be allowed to access other devices directly.
External Firewall: Internal Firewall:
Similar rules should be designed for internal firewall as well.
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 3: All traffic from trusted network is allowed out.
External and Internal Firewall:
Rule 4: All traffic intended for SMTP server is allowed into DMZ.
External and Internal Firewall:
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 5: All outside ICMP data (Ping, Traceroute) should be denied, while inside ICMP should be allowed.
External Firewall: Internal Firewall:
Rule 6: All outside Telnet access to all internal servers should be blocked.
External Firewall:
Internal Firewall:
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 7: The proxy server & the Web server are in the DMZ. Internal hosts are allowed to access the Web server directly. External hosts are directed to the proxy server. The proxy server repackages any HTTP request into a new packet and retransmits it to the Web server.
Internal Firewall:
External Firewall:
Firewall Rules (cont.)
Example: Firewall rules (cont.)
Rule 8: The Cleanup Rule!
If a request for a service is not explicitly allowed by policy, that request should be denied!
External and Internal Firewall:
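The eight rules above assembled into one first-match ACL for the external firewall, with the state table that Rule 1 calls for and the exterior router's anti-spoofing check from the screened subnet slides; this is an added Python example, not code from the lecture. The DMZ host addresses, the firewall's own address and the iface field (standing in for the interface a packet arrives on) are assumptions, and NAT is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology following the slides' example network (all addresses are assumptions).
TRUSTED = ipaddress.ip_network("192.168.2.0/24")  # trusted LAN behind the internal firewall
DMZ = ipaddress.ip_network("10.10.10.0/24")       # DMZ segment behind this (external) firewall
FIREWALL = ipaddress.ip_address("10.10.10.1")     # the external firewall's own address
SMTP_GW = ipaddress.ip_address("10.10.10.8")      # SMTP gateway in the DMZ
WEB_PROXY = ipaddress.ip_address("10.10.10.9")    # HTTP proxy in the DMZ

@dataclass(frozen=True)
class Packet:
    iface: str       # "outside" (arriving from the Internet) or "inside" (from DMZ/LAN)
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int = 0   # ports stay 0 for icmp
    dport: int = 0

class ExternalFirewall:
    # First-match ACL: rules are checked top to bottom and the first hit decides.
    def __init__(self):
        self.state = set()  # (client, server, proto, sport, dport) of sessions opened from inside

    def decide(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Anti-spoofing (exterior router duty on the slides): Internet packets never carry internal sources.
        if p.iface == "outside" and (src in TRUSTED or src in DMZ):
            return "deny"
        # Rule 1: replies to a session that an inside host opened are allowed back in.
        if (dst, src, p.proto, p.dport, p.sport) in self.state:
            return "allow"
        # Rule 2: the firewall is never a source or destination; must precede the broad Rule 3.
        if FIREWALL in (src, dst):
            return "deny"
        # Rule 3: all trusted-network traffic goes out (covers inside ICMP, Rule 5); record it for Rule 1.
        if p.iface == "inside" and src in TRUSTED:
            self.state.add((src, dst, p.proto, p.sport, p.dport))
            return "allow"
        # Rule 4: outside mail is allowed only to the SMTP gateway in the DMZ.
        if p.proto == "tcp" and p.dport == 25 and dst == SMTP_GW:
            return "allow"
        # Rules 5 and 6: outside ICMP and outside Telnet are denied.
        if p.proto == "icmp" or (p.proto == "tcp" and p.dport == 23):
            return "deny"
        # Rule 7: outside HTTP goes to the proxy only, never straight to the Web server.
        if p.proto == "tcp" and p.dport == 80 and dst == WEB_PROXY:
            return "allow"
        # Rule 8, the cleanup rule: whatever is not explicitly permitted is prohibited.
        return "deny"
```

Swapping Rule 2 below Rule 3 lets LAN hosts reach the firewall's management address, which is the kind of ordering defect the slides warn about when they say rules must be placed in the ACL in the proper order.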