Your SlideShare is downloading. ×
0
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Myles firewalls
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Myles firewalls

1,656

Published on

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,656
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
84
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules
  • Transcript

    • 1. Where firewalls fit in the corporate landscape
    • 2. Firewall topics • Why firewall? • What is a firewall? • What is the perfect firewall? • What types of firewall are there? • How do I defeat these firewalls? • How should I deploy firewalls? • What is good firewall architecture? • Firewall trends.
    • 3. What are the risks? • Theft or disclosure of internal data • Unauthorized access to internal hosts • Interception or alteration of data • Vandalism & denial of service • Wasted employee time • Bad publicity, public embarassment, and law suits
    • 4. What needs to be secured? • Crown jewels: patent work, source code, market analysis; information assets • Any way into your network • Any way out of your network • Information about your network
    • 5. Why do I need a firewall? • Peer pressure. • One firewall is simpler to administer than many hosts. • It’s easier to be security conscientious with a firewall.
    • 6. What is a firewall? • As many machines as it takes to: – be the sole connection between inside and outside. – test all traffic against consistent rules. – pass traffic that meets those rules. – contain the effects of a compromised system.
    • 7. Firewall components • All of the machines in the firewall – are immune to penetration or compromise. – retain enough information to recreate their actions.
    • 8. The Perfect firewall • Lets you do your business • Works with existing security measures • has the security “margin of error” that your company needs.
    • 9. The security continuum • Ease of use vs. degree of security • Cheap, secure, feature packed, easy to administer? Choose three. • Default deny or default accept Easy to use Secure
    • 10. Policy for the firewall – Who gets to do what via the Internet? – What Internet usage is not allowed? – Who makes sure the policy works and is being complied with? – When can changes be made to policy/rules? – What will be done with the logs? – Will we cooperate with law enforcement?
    • 11. What you firewall matters more than which firewall you use. • Internal security policy should show what systems need to be guarded. • How you deploy your firewall determines what the firewall protects. • The kind of firewall is how much insurance you’re buying.
    • 12. How to defeat firewalls • Take over the firewall. • Get packets through the firewall. • Get the information without going through the firewall.
    • 13. A partial list of back doors. • personal modems • vendor modems • partner networks • home networks • loose cannon experts • employee hacking • reusable passwords • viruses • “helpful” employees • off-site backup & hosting
    • 14. Even perfect firewalls can’t fix: • Tunneled traffic. • Holes, e.g. telnet, opened in the firewall. • WWW browser attacks / malicious Internet servers.
    • 15. Priorities in hacking through a firewall • Collect information. • Look for weaknesses behind the firewall. • Try to get packets through the firewall. • Attack the firewall itself. • Subvert connections through the firewall.
    • 16. Information often leaked through firewalls • DNS host information • network configuration • e-mail header information • intranet web pages on the Internet
    • 17. “Ground-floor windows” • mail servers • web Servers • old buggy daemons • account theft • vulnerable web browsers
    • 18. Attacking the firewall • Does this firewall pass packets when it’s crashed? • Is any software running on the firewall?
    • 19. A fieldtrip through an IP packet • Important fields are: – source, destination, ports, TCP status . . TOS . . .. . . SRC DEST opt SPORT DPORT DATA SEQ# ACK# ..ACK,URG,SYN ….
    • 20. Types of firewall • Packet filters • Proxy gateways • Network Address Translation (NAT) • Intrusion Detection • Logging
    • 21. Packet filters • How Packet filters work – Read the header and filter by whether fields match specific rules. – SYN flags allow the router to tell if connection is new or ongoing. • Packet filters come in dumb, standard, specialized, and stateful models
    • 22. Standard packet filter – allows connections as long as the ports are OK – denies new inbound connections, using the SYN flag – Examples: Cisco & other routers, Karlbridge, Unix hosts, steelhead.
    • 23. Packet filter weaknesses – It’s easy to botch the rules. – Good logging is hard. – Stealth scanning works well. – Packet fragments, IP options, and source routing work by default. – Routers usually can’t do authentication of end points.
    • 24. Stateful packet filters – SPFs track the last few minutes of network activity. If a packet doesn’t fit in, they drop it. – Stronger inspection engines can search for information inside the packet’s data. – SPFs have to collect and assemble packets in order to have enough data. – Examples: Firewall One, ON Technologies, SeattleLabs, ipfilter
    • 25. Weaknesses in SPF – All the flaws of standard filtering can still apply. – Default setups are sometimes insecure. – The packet that leaves the remote site is the same packet that arrives at the client. – Data inside an allowed connection can be destructive. – Traditionally SPFs have poor logging.
    • 26. Proxy firewalls • Proxy firewalls pass data between two separate connections, one on each side of the firewall. – Proxies should not route packets between interfaces. • Types: circuit level proxy, application proxy, store and forward proxy.
    • 27. General proxy weaknesses • The host is now involved, and accessible to attack. – The host must be hardened. • State is being kept by the IP stack. • Spoofing IP & DNS still works if authentication isn’t used. • Higher latency & lower throughput.
    • 28. Circuit level proxy – Client asks FW for document. FW connects to remote site. FW transfers all information between the two connections. – Tends to have better logging than packet filters – Data passed inside the circuit could be dangerous. – Examples: Socks, Cycom Labyrinth
    • 29. Application proxy – FW transfers only acceptable information between the two connections. – The proxy can understand the protocol and filter the data within. – Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing
    • 30. Application proxy weaknesses • Some proxies on an “application proxy” firewall may not be application aware. • Proxies have to be written securely.
    • 31. Store and forward , or caching, proxies – Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document. – Can do data filtering. – Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail
    • 32. Weaknesses of store & forward proxies – Store and forward proxies tend to be big new programs. Making them your primary connection to the internet is dangerous. – These applications don’t protect the underlying operating system at all. – Caching proxies can require more administrator time and hardware.
    • 33. Network Address Translation (NAT) – NAT changes the ip addresses in a packet, so that the address of the client inside never shows up on the internet. – Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
    • 34. Types of NAT • Many IPs inside to many static IPs outside • Many IPs inside to many random IPs outside • Many IPs inside to one IP address outside • Transparent diversion of connections
    • 35. Weaknesses of NAT • Source routing & other router holes • Can be stupid about complex protocols – ICMP, IP options, FTP, fragments • Can give out a lot of information about your network. • May need a lot of horsepower
    • 36. Intrusion detection – Watches ethernet or router for trigger events, then tries to interrupt connections. Logs synopsis of all events. – Can log suspicious sessions for playback – Tend to be very good at recognizing attacks, fair at anticipating them – Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker
    • 37. Weaknesses of intrusion detection – Can only stop tcp connections – Sometimes stops things too late – Can trigger alarms too easily – Doesn’t work on switched networks
    • 38. Logging • Pros: – Very cheap – Solves most behavioral problems – Logfiles are crucial for legal recourse • Cons: – Very programmer or administrator intensive – Doesn’t prevent damage – needs a stable environment to be useful
    • 39. Types of logging • program logging • syslog /NT event log • sniffers – Argus, Network General, HP Openview, TCPdump • router debug mode – A very good tool for tracking across your network
    • 40. Commercial Logging • Logging almost all commercial firewall packages stinks – No tripwires – No pattern recognition – No smart/expert distillation – No way to change firewall behavior based on log information – No good way to integrate log files from multiple machines
    • 41. Firewall Tools • All types of firewall are useful sometimes. • The more compartments on the firewall, the greater the odds of security. • Belt & suspenders
    • 42. Firewall topology • Webserver placement • RAS server placement • Partner network placement • Internal information protection (intranet firewalling)
    • 43. Firewall deployment checklist • Have list of what needs to be protected. • Have all of the networks configured for the firewall • All rules are in place • Logging is on.
    • 44. What steps are left? • What is the firewall allowing access to? – Internal machines receiving data had better be secure. – If these services can’t be secured, what do you have to lose?
    • 45. Last checks • Day 0 Backups made? • Are there any gaps between our stated policy and the rules the firewall is enforcing?
    • 46. Auditing • A firewall works when an audit finds no deviations from policy. • Scanning tools are good for auditing conformance to policy, not so good for auditing security.
    • 47. Sample configurations • Good configurations should: – limit Denial of Service. – minimize complexity for inside users. – be auditable. – allow outside to connect to specific resources.
    • 48. Minimal restriction, good security • Stateful packet filter, dmz, packet filter, intrusion detection. S Inside
    • 49. The Multimedia Nightmare • secure multimedia & database content to provided to multiple Internet destinations. • Web server is acting as authentication & security for access to the Finance server. Proxy CACHE Inside
    • 50. Firewalls in multiple locations – Identical proxies on both sides. VPN over internal LAN
    • 51. Low end, good security, for low threat environments • Packet filter, “Sacrificial Goat” web server, Application Firewall, bastion host running logging & Store & Forward proxies Store & Forward Inside
    • 52. High end firewalls • ATM switching firewalls • Round robin gateways – Don’t work with transparent proxies • High availability
    • 53. Firewall Trends – “Toaster” firewalls – Call-outs / co-processing firewalls – VPNs – Dumb protocols – LAN equipment & protocols showing up on the Internet – Over-hyped content filtering
    • 54. More Firewall Trends – blurring between packet filters & application proxies – more services running on the firewall – High availability, fail-over and hot swap ability – GUI’s – Statistics for managers
    • 55. Firewall trends & “religious” issues. • Underlying OS for firewalls – Any firewall OS should have little in common with the retail versions. • Firewall certification – Buy your own copy of ISS and “certify” firewalls yourself.
    • 56. Source vs. Shrink-wrap • Low end shrinkwrap solutions • The importance of source – Can you afford 1.5 programmer/administrators? – Are you willing to have a non-employee doing your security? (Whose priorities win?)
    • 57. Downside of firewalls • single point of failure • difficult to integrate into a mesh network • highlights flaws in network architecture • can focus politics on the firewall administrator
    • 58. Interesting firewall products – Checkpoint Firewall-1 http://www.checkpoint.com – SecureNetPro http://www.mimestar.com – IP Filter http://coombs.anu.edu.au/~avalon/ip-filter.html – Seattle Labs http://www.sealabs.com – Karlnet Karlbridge http://www.karlnet.com – V-One inc http://www.v-one.com – ISS Realsecure http://www.iss.net

    ×