network security fundamentals - university of michigancja/nsf13/lectures/netsec-06...network...
Network Security Fundamentals
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2013
Network Security Fundamentals
Module 6 Firewalls & VPNs
Topics
• Firewall Fundamentals
• Case study: Linux iptables
• Virtual Private Networks (VPNs)
3 04/13 cja 2013
Firewalls
• A firewall limits the extent to which hosts on different networks can interact with one another
Types of firewalls
• Packet level
• Application level
• Host-based
Packet level firewalls
• Firewall inspects incoming packets
• Blocks packets violating policy rules
  => packets are dropped without acknowledgement (silently discarded, as opposed to rejected with an error sent back to the sender)
• Rules allow blocking based on
  Source and destination IP address
  Source and destination port
  Protocol, flags, TOS, …
Statelessness
• Traditional packet level firewalls treated every packet independently: stateless firewalling
• Problem
  Doesn’t relate a packet to the overall packet flow it belongs to
  Doesn’t remember anything
• Results in coarse-grained control
  Forces overly liberal or overly conservative policies: either admit every inbound packet that merely looks like a reply to an internal client, or block the replies along with everything else
Example
• H.323 videoconferencing protocol
  Initiates two TCP connections (call signalling and call control) and several RTP (real-time transport protocol) streams over UDP on dynamically negotiated ports
  The RTP streams contain no information relating them to the H.323 call
  How should a stateless firewall decide if these streams are to be blocked?
Example
• IP Fragmentation
  Only the first fragment carries the transport header, so all but the first fragment don’t specify ports
  A stateless port filter must either pass the later fragments blindly or drop them and break large datagrams
Statefulness
• Solution: firewall keeps state about recent packet flows
  Decides to block a packet based on packet contents plus stored state
  More fine-grained control
  Reduces the need for application-level firewalls (a protocol helper that parses the control connection is still needed to admit related flows such as RTP media or FTP data)
• Problem
  All that state consumes firewall resources; a flood of new connections can exhaust the connection table, which is a denial-of-service risk in its own right
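To make the stateless/stateful distinction above concrete, here is a small simulation added for this page (example code, not part of the original slides). It runs a constructed four-packet trace through a stateless rule set and through a connection-tracking filter, and shows the trade-off the slides describe: the stateless policy admits an unsolicited ACK probe because it cannot tell it from a reply, while the stateful filter admits the RTP stream only once a helper (the `expect()` method, standing in for an H.323 application helper) has registered it. Addresses, ports and the published-service list are assumptions for the demo.

```python
"""Stateless vs. stateful filtering over a constructed packet trace.

Added example for this page (not from the slides). Packets arriving from
the perimeter have direction "in"; packets leaving the intranet, "out".
"""
from dataclasses import dataclass

PUBLISHED = {("tcp", 22)}  # services reachable from outside: assumption


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" or "out"
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


def stateless_filter(pkt):
    """No memory of earlier packets. To let replies to internal clients
    back in, the rule set has to admit every inbound TCP segment with ACK
    set and a high destination port: the 'overly liberal' policy."""
    if pkt.direction == "out":
        return "ACCEPT"
    if (pkt.proto, pkt.dport) in PUBLISHED:
        return "ACCEPT"
    if pkt.proto == "tcp" and "ACK" in pkt.flags and pkt.dport > 1023:
        return "ACCEPT"          # looks like a reply; could be an ACK scan
    return "DROP"                # everything else, including UDP replies


class StatefulFilter:
    """Remembers flows opened from inside (and flows an application helper
    told it to expect); inbound packets must match one of them."""

    def __init__(self):
        self.flows = set()       # (proto, inside addr, inside port, outside addr, outside port)

    def expect(self, proto, inside, inside_port, outside, outside_port):
        """What a protocol helper does after parsing the control channel:
        pre-register a RELATED flow so its first packet is accepted."""
        self.flows.add((proto, inside, inside_port, outside, outside_port))

    def decide(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.proto, pkt.dport) in PUBLISHED:
            return "ACCEPT"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.flows else "DROP"


def run_trace():
    """Runs a constructed trace through both filters; returns
    {label: (stateless verdict, stateful verdict)}."""
    client, web, scanner, peer = "10.0.0.5", "203.0.113.9", "198.51.100.7", "192.0.2.44"
    rtp = Packet("in", "udp", peer, 5004, client, 5004)          # media stream, no port convention
    trace = [
        ("client opens HTTPS", Packet("out", "tcp", client, 40000, web, 443, frozenset({"SYN"}))),
        ("server replies", Packet("in", "tcp", web, 443, client, 40000, frozenset({"SYN", "ACK"}))),
        ("unsolicited ACK probe", Packet("in", "tcp", scanner, 443, client, 40001, frozenset({"ACK"}))),
        ("RTP before helper", rtp),
    ]
    sf = StatefulFilter()
    results = {label: (stateless_filter(p), sf.decide(p)) for label, p in trace}
    # An H.323 helper that parsed the call setup registers the RTP stream;
    # the very same datagram is now RELATED to the call and gets through.
    sf.expect("udp", client, 5004, peer, 5004)
    results["RTP after helper"] = (stateless_filter(rtp), sf.decide(rtp))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_trace().items():
        print(f"{label:24s} stateless={stateless:6s} stateful={stateful}")
```

The stateless filter cannot be fixed by tightening the ACK rule: drop it and the HTTPS reply on the second line is lost too. That is the "overly liberal or conservative" choice; only stored state separates the reply from the probe.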
Canonical firewalled network (diagram)
Zones
Collection of networks with specified security properties
• Perimeter
• DMZ
• Wireless
• Intranet
Perimeter zone
• The outside world
• Untrusted zone
• No control over hosts in this zone
• Internet rules
DMZ
Demilitarized zone
• Contains an organization’s publicly visible services (email, Web, DNS, FTP, …)
  Hardened hosts
  Proxies
• Semi-trusted zone
Intranet zone
• Most trusted zone
• Organizational assets placed here
• Access blocked from untrusted zones
  Access via proxies in the DMZ only
Wireless zone
A perimeter zone!
• Untrusted hosts
• Semi-trusted network
Application-level firewalls
Application proxy server
• Accepts client traffic
• Maintains state, validates traffic
• Passes validated traffic to server
Application-level firewalls
• Firewall worries about security
  Obviates security-related server changes
  Hampers defense-in-depth: servers behind the proxy tend to be left unhardened
• Firewall must understand the application protocol
  Increased complexity, and the protocol parser on the proxy is itself exposed to hostile input
• Stateful packet-level firewalls are an alternative
Host-based firewalls
• Firewall run on individual hosts
• Placed between incoming packets and the host network stack
• Acts like a packet-level firewall
Host-based firewalls
• Each host requires policy management
  Administration headache
  Simple default policies in distributions
• Defense-in-depth
iptables
IP Tables
• Linux packet-level firewall (the userland front end to the kernel’s netfilter framework; on current distributions the iptables command is usually the nf_tables-backed compatibility front end, and iptables -V reports whether it is the legacy or the nf_tables variant)
• Successor to IP Chains
• NAT/NAPT support
• Extended functionality via modules
• Stateful filter support (connection tracking)
• Applications
  Host based firewall
  Stateful packet firewall on a gateway: routing must be enabled with net.ipv4.ip_forward=1 in /etc/sysctl.conf
IP Tables Architecture
• Tables for organization: filter, nat, mangle (newer kernels add raw and security)
• Each table contains several chains
  built-in (invoked at fixed points in the network layer)
  user-defined
• Each chain contains several rules
  rules are tried in order; the first rule that matches with a terminating target determines the action taken (a non-terminating target such as LOG lets processing continue with the next rule)
• Each rule contains matching criteria and a target
• Built-in chains have policies
  specifies the default target if no rule in the chain matches
Rules
• (Standard) matching criteria
  protocol
  source IP (address/mask)
  dest IP (address/mask)
  port (source/dest/both)
  interface (input/output)
• Target
Rules
• Extended matching criteria
  Implemented via modules (-m module)
• Connection state matching (-m state --state …; the current spelling is -m conntrack --ctstate …)
  INVALID: packet not associated with any connection and not able to start one (e.g. a stray ACK or a malformed packet)
  NEW: packet is starting a new connection
  ESTABLISHED: packet is associated with an existing connection
  RELATED: packet is starting a new connection, but is associated with an existing connection
    » FTP DATA, ICMP error
• Several other extended matching criteria
Predefined targets
• All terminate processing in this chain for this packet
  ACCEPT: accept packet for processing
  DROP: drop packet
  QUEUE: pass packet to userland (not common)
  RETURN: return to calling chain (use policy if no calling chain)
Extended targets
• Both terminating and non-terminating targets
  REJECT (terminating): return a packet indicating an error (an ICMP unreachable by default, or a TCP RST with --reject-with tcp-reset)
  LOG (non-terminating): generate a log entry, then continue with the next rule
  …
filter table
• Default table
• Built-in chains
  INPUT: incoming network packets destined for this host
  FORWARD: packets being routed by the host
  OUTPUT: locally-generated packets output to the network
nat table
• For network address translation
• Built-in chains
  PREROUTING (DNAT): alter packets as they arrive, before the routing decision
  OUTPUT: alter locally-generated packets before routing
  POSTROUTING (SNAT, MASQUERADE): alter packets as they depart
• Only the first packet of a connection traverses the nat table; connection tracking then applies the same mapping to the rest of the connection
mangle table
• For specialized packet changes
  change TOS/DSCP header
  set netfilter mark value
  …
• Built-in chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
Firewall traversal
Packet flow through the built-in chains (diagram):
  arriving packet → PREROUTING → routing decision
    destined for this host → INPUT → local process
    to be routed → FORWARD → POSTROUTING → out
  local process → OUTPUT → routing decision → POSTROUTING → out
Firewall Traversal (detailed packet-flow diagram by Rob Mayoff)
Some caveats
• iptables and ipchains don’t mix (the kernel will not use both at once)
• rule additions are atomic … rule set additions are not
  load a complete ruleset in one step with iptables-restore, which replaces each table atomically
• avoid leaving the firewall open while editing … set the DROP policy first
  a built-in chain’s policy must be a built-in target such as ACCEPT or DROP; REJECT is an extension and cannot be a policy, so put it in an explicit final rule (DENY is the ipchains spelling)
• policy actions do not log
  add a LOG rule, rate-limited with -m limit, as the last rule before the policy takes effect
• rules are not removed when an interface goes down
• raw packet-capture sockets (AF_PACKET, as used by tcpdump) are unaffected by rules: a sniffer on the host still sees inbound packets that INPUT drops
iptables lab
• Examine iptables man page
  man iptables
• Examine existing firewall settings
  sudo service iptables status
  sudo iptables -L -n -v --line-numbers (-n skips DNS lookups, -v shows counters and interfaces)
  sudo iptables-save (dumps every table in the format iptables-restore loads)
• Add firewall rules
  sudo iptables -I …
Virtual Private Networks (VPNs)
Roadmap
• Definition
• VPN Uses
• Types of VPNs
• Protocol Details
Definition
A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines.
A VPN uses cryptography to authenticate the communications endpoints and to protect the confidentiality and integrity of your data as it travels over an insecure network.
VPN motivators
• Confidentiality, Integrity & Authentication
  Encryption
• Bypass blocks
  Border
  Local ISP
• Extends the office network
  VoIP
  Drive mapping
• Collaboration
• Enabling technology
Some VPNs
• Protocol
  IPSec: standards-based, varied encryption levels, flexible
  SSL/TLS: clientless (Web browser)
• Application
  SSH (port forwarding and tunnelling)
VPN is not a single solution
IPSec Details
IPSec protocol
• Internet Standard (architecture in RFC 4301)
• Two complementary protocols
  Authentication Header (AH, RFC 4302): integrity and origin authentication for the whole datagram, including most of the IP header; no confidentiality
  Encapsulating Security Payload (ESP, RFC 4303): confidentiality, and optionally integrity, of the packet contents
IPSec Details – AH (Protocol 51)
• AH Transport mode – used to authenticate the integrity and origin of the datagram
  Everything is authenticated except the mutable fields, e.g., TTL (also ToS/DSCP, flags, fragment offset and the header checksum), which are treated as zero when the integrity check value is computed
  Because the source and destination addresses are covered, there are limitations: if a NAT gateway or firewall rewrites your address, the packet will fail to authenticate at the far end, since the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be the IPSec endpoint.

Transport-mode packet layout (diagram):
  IP Header (with options) | AH | Transport Layer Header | Transport Layer Data
  Authenticated: the whole packet, minus the mutable IP header fields
IPSec Details – ESP (Protocol 50)
• Encapsulating Security Payload: ESP encrypts the payload so that it is private as it passes through the network
  The ESP integrity check covers the ESP header, the encrypted payload and the ESP trailer, but not the IP header, so an address rewrite by NAT does not break it. (A port-translating NAT still cannot multiplex protocol 50, which has no port numbers; that is what NAT-T, the UDP encapsulation of ESP in RFC 3948, is for.)

Transport-mode packet layout (diagram):
  IP Header (with options) | ESP Header | Transport Layer Header | Transport Layer Data | ESP Trailer | ESP Authentication
  Encrypted: Transport Layer Header through ESP Trailer
  Authenticated: ESP Header through ESP Trailer
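To show the point of the two slides above (why AH fails behind NAT while ESP does not), here is a simplified model added for this page; it is example code written for this explanation, not a real IPsec implementation and not from the slides. It builds a minimal IPv4 header, computes an HMAC-SHA256 integrity check value the way AH does (over the header with the mutable fields zeroed, plus the AH fields and payload) and the way ESP does (over the ESP header and ciphertext only), then passes each packet through a plain router, which only decrements the TTL, and through a NAT gateway, which also rewrites the source address. The shared key, addresses and payload are constructed for the demo; the keystream "cipher" is a toy, and the ICV placement and length are simplified relative to the RFCs.

```python
"""Why AH fails across NAT and ESP does not: a simplified model.

Added example for this page (not from the slides, not real IPsec code).
Integrity checks use HMAC-SHA256 over a hand-built IPv4 header; the
'cipher' is a toy keystream for the demo only.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"          # shared SA key: constructed
ICV_LEN = 32                            # full HMAC-SHA256 (real AH/ESP truncate)


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(hdr):
    """AH rule: fields routers may change (ToS, flags/fragment offset, TTL,
    checksum) count as zero in the ICV. The addresses are NOT mutable."""
    return (hdr[:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00"
            + hdr[9:10] + b"\x00\x00" + hdr[12:])


def forward(hdr, new_src=None):
    """A router decrements TTL; a NAT gateway also rewrites the source address."""
    src = IPv4Address(new_src).packed if new_src else hdr[12:16]
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:12] + src + hdr[16:]


# --- AH (protocol 51): ICV covers IP header (minus mutable fields) + AH + payload
def ah_protect(src, dst, payload, spi=1, seq=1):
    ah = struct.pack("!BBHII", 17, 4, 0, spi, seq)    # next header UDP, len, reserved, SPI, seq
    hdr = ip_header(src, dst, 51, len(ah) + ICV_LEN + len(payload))
    icv = hmac.new(KEY, zero_mutable(hdr) + ah + payload, hashlib.sha256).digest()
    return hdr, ah + icv + payload                   # ICV after the fixed AH fields (simplified)


def ah_verify(hdr, body):
    ah, icv, payload = body[:12], body[12:12 + ICV_LEN], body[12 + ICV_LEN:]
    expected = hmac.new(KEY, zero_mutable(hdr) + ah + payload, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


# --- ESP (protocol 50): ICV covers ESP header + ciphertext only, never the IP header
def keystream(n, nonce):
    """Toy stream cipher keyed by KEY and the ESP header: demo only, not secure."""
    out = b""
    for counter in range(0, n, 32):
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def esp_protect(src, dst, payload, spi=2, seq=1):
    esp = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(len(payload), esp)))
    icv = hmac.new(KEY, esp + ct, hashlib.sha256).digest()
    hdr = ip_header(src, dst, 50, len(esp) + len(ct) + ICV_LEN)
    return hdr, esp + ct + icv


def esp_open(hdr, body):
    """Returns the plaintext, or None if the ICV does not verify."""
    esp, ct, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, esp + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(len(ct), esp)))


def demo():
    """Sends one AH and one ESP packet from a private host, directly and via NAT."""
    inside, nat_public, peer = "192.168.4.6", "198.51.100.1", "203.0.113.9"   # constructed
    payload = b"constructed UDP datagram"
    ah_hdr, ah_body = ah_protect(inside, peer, payload)
    esp_hdr, esp_body = esp_protect(inside, peer, payload)
    tampered = esp_body[:10] + bytes([esp_body[10] ^ 0x01]) + esp_body[11:]
    return {
        "ah_routed": ah_verify(forward(ah_hdr), ah_body),                       # TTL changed: fine
        "ah_via_nat": ah_verify(forward(ah_hdr, nat_public), ah_body),          # address changed: fails
        "esp_routed": esp_open(forward(esp_hdr), esp_body) == payload,
        "esp_via_nat": esp_open(forward(esp_hdr, nat_public), esp_body) == payload,
        "esp_tampered_rejected": esp_open(esp_hdr, tampered) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {ok}")
```

The AH packet survives the router because TTL is a mutable field and is zeroed before the MAC, but not the NAT gateway, because the source address is covered and has changed; the receiver cannot tell this rewrite from an attacker's spoofing, which is the whole point of AH. ESP's check never sees the outer header, so the same rewrite is invisible to it, while a one-bit change inside the ciphertext is still caught.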
Logical Connection to VPN Concentrator (diagram)
  Cisco 3030 VPN concentrator at 141.211.255.196, attached to the UM backbone
  Remote access client on the public network, split tunnel: only traffic for the internal network is tunneled, traffic to Yahoo goes direct
  Wireless user, non-split tunnel: all traffic, including traffic to Yahoo, is tunneled
  Address pools: 192.168.4.10 – 192.168.7.249 and 141.211.12.10 – 141.211.12.250 (192.168.4.6 shown on the internal side)
  Internal server on the UM backbone