Myles firewalls

Slide note: Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules.

Transcript of "Myles firewalls"

1. Where firewalls fit in the corporate landscape

2. Firewall topics
• Why firewall?
• What is a firewall?
• What is the perfect firewall?
• What types of firewall are there?
• How do I defeat these firewalls?
• How should I deploy firewalls?
• What is good firewall architecture?
• Firewall trends.

3. What are the risks?
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Bad publicity, public embarrassment, and lawsuits

4. What needs to be secured?
• Crown jewels: patent work, source code, market analysis; information assets
• Any way into your network
• Any way out of your network
• Information about your network

5. Why do I need a firewall?
• Peer pressure.
• One firewall is simpler to administer than many hosts.
• It’s easier to be security conscientious with a firewall.

6. What is a firewall?
• As many machines as it takes to:
– be the sole connection between inside and outside.
– test all traffic against consistent rules.
– pass traffic that meets those rules.
– contain the effects of a compromised system.

7. Firewall components
• All of the machines in the firewall
– are immune to penetration or compromise.
– retain enough information to recreate their actions.

8. The Perfect firewall
• Lets you do your business
• Works with existing security measures
• has the security “margin of error” that your company needs.

9. The security continuum
• Ease of use vs. degree of security
• Cheap, secure, feature packed, easy to administer? Choose three.
• Default deny or default accept
[Diagram: a continuum running from “Easy to use” to “Secure”]

10. Policy for the firewall
– Who gets to do what via the Internet?
– What Internet usage is not allowed?
– Who makes sure the policy works and is being complied with?
– When can changes be made to policy/rules?
– What will be done with the logs?
– Will we cooperate with law enforcement?

11. What you firewall matters more than which firewall you use.
• Internal security policy should show what systems need to be guarded.
• How you deploy your firewall determines what the firewall protects.
• The kind of firewall is how much insurance you’re buying.

12. How to defeat firewalls
• Take over the firewall.
• Get packets through the firewall.
• Get the information without going through the firewall.

13. A partial list of back doors.
• personal modems
• vendor modems
• partner networks
• home networks
• loose cannon experts
• employee hacking
• reusable passwords
• viruses
• “helpful” employees
• off-site backup & hosting

14. Even perfect firewalls can’t fix:
• Tunneled traffic.
• Holes, e.g. telnet, opened in the firewall.
• WWW browser attacks / malicious Internet servers.

15. Priorities in hacking through a firewall
• Collect information.
• Look for weaknesses behind the firewall.
• Try to get packets through the firewall.
• Attack the firewall itself.
• Subvert connections through the firewall.

16. Information often leaked through firewalls
• DNS host information
• network configuration
• e-mail header information
• intranet web pages on the Internet

17. “Ground-floor windows”
• mail servers
• web servers
• old buggy daemons
• account theft
• vulnerable web browsers

18. Attacking the firewall
• Does this firewall pass packets when it’s crashed?
• Is any software running on the firewall?
19. A fieldtrip through an IP packet
• Important fields are:
– source, destination, ports, TCP status
[Packet diagram: TOS, SRC, DEST, opt, SPORT, DPORT, SEQ#, ACK#, flags (ACK, URG, SYN), DATA]

20. Types of firewall
• Packet filters
• Proxy gateways
• Network Address Translation (NAT)
• Intrusion Detection
• Logging

21. Packet filters
• How packet filters work
– Read the header and filter by whether fields match specific rules.
– SYN flags allow the router to tell if a connection is new or ongoing.
• Packet filters come in dumb, standard, specialized, and stateful models

22. Standard packet filter
– allows connections as long as the ports are OK
– denies new inbound connections, using the SYN flag
– Examples: Cisco & other routers, Karlbridge, Unix hosts, steelhead.

23. Packet filter weaknesses
– It’s easy to botch the rules.
– Good logging is hard.
– Stealth scanning works well.
– Packet fragments, IP options, and source routing work by default.
– Routers usually can’t do authentication of end points.

24. Stateful packet filters
– SPFs track the last few minutes of network activity. If a packet doesn’t fit in, they drop it.
– Stronger inspection engines can search for information inside the packet’s data.
– SPFs have to collect and assemble packets in order to have enough data.
– Examples: Firewall One, ON Technologies, SeattleLabs, ipfilter

25. Weaknesses in SPF
– All the flaws of standard filtering can still apply.
– Default setups are sometimes insecure.
– The packet that leaves the remote site is the same packet that arrives at the client.
– Data inside an allowed connection can be destructive.
– Traditionally SPFs have poor logging.
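The packet-filter behaviour of slides 21 to 24 (filter on header fields, use the SYN flag to tell a new connection from an ongoing one, keep a short-lived session table) as a worked example. This is added code, not from the deck or from any product it names; the 10.0.0.0/8 inside range, the allowed inbound ports and the 120-second session lifetime are assumptions, and the packets are constructed inside the block.

```python
import struct
import ipaddress
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumption: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_packet(src, dst, sport, dport, flags):
    """Constructed test input: minimal IPv4 header (no options) plus a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Pull out the fields slide 19 calls important: addresses, ports and the TCP flags."""
    ihl = (raw[0] & 0x0F) * 4                 # IPv4 header length, options included
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return Packet(src, dst, sport, dport, off_flags & 0x1FF)


def is_new_connection(p):
    """Slide 21: a bare SYN (no ACK) is a connection attempt; anything else looks ongoing."""
    return bool(p.flags & TCP_SYN) and not (p.flags & TCP_ACK)


def is_inbound(p):
    return ipaddress.ip_address(p.src) not in INSIDE


def standard_filter(p, allowed_inbound_ports=frozenset({25, 80})):
    """Slide 22: pass traffic when the ports are OK, deny new inbound connections by the SYN flag.
    Stateless, so an inbound packet with only ACK set is waved through (slide 23: stealth scans)."""
    if is_inbound(p) and is_new_connection(p) and p.dport not in allowed_inbound_ports:
        return "deny"
    return "allow"


class StatefulFilter:
    """Slide 24: remember the last few minutes of activity; drop whatever does not fit a session."""

    def __init__(self, allowed_inbound_ports=frozenset({25, 80}), ttl_seconds=120):
        self.allowed = allowed_inbound_ports
        self.ttl = ttl_seconds
        self.table = {}   # (src, sport, dst, dport) -> time last seen

    def decide(self, p, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.ttl}
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        for k in (key, reverse):
            if k in self.table:              # belongs to a session we have already seen
                self.table[k] = now
                return "allow"
        if is_new_connection(p) and (not is_inbound(p) or p.dport in self.allowed):
            self.table[key] = now            # open a session for a permitted connection attempt
            return "allow"
        return "deny"                        # unknown session and not a permitted new one


def demo():
    """Run the same four constructed packets through both filters and report the verdicts."""
    out_syn = parse_packet(build_packet("10.1.2.3", "203.0.113.5", 40000, 443, TCP_SYN))
    reply = parse_packet(build_packet("203.0.113.5", "10.1.2.3", 443, 40000, TCP_SYN | TCP_ACK))
    ack_probe = parse_packet(build_packet("198.51.100.9", "10.1.2.3", 55555, 22, TCP_ACK))
    in_syn = parse_packet(build_packet("198.51.100.9", "10.1.2.3", 55555, 22, TCP_SYN))
    packets = (out_syn, reply, ack_probe, in_syn)
    spf = StatefulFilter()
    return {
        "standard": [standard_filter(p) for p in packets],
        "stateful": [spf.decide(p, 1000.0 + i) for i, p in enumerate(packets)],
        "stale_reply": spf.decide(reply, 1000.0 + 600),  # session expired: reply no longer fits
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The ACK-only probe is the slide 23 point about stealth scanning: the standard filter passes it because it is not a SYN, while the stateful filter drops it because it matches no session. The toy parser ignores fragments and IP options, which slide 23 lists as working "by default" on a real filter unless it is told otherwise.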
26. Proxy firewalls
• Proxy firewalls pass data between two separate connections, one on each side of the firewall.
– Proxies should not route packets between interfaces.
• Types: circuit level proxy, application proxy, store and forward proxy.

27. General proxy weaknesses
• The host is now involved, and accessible to attack.
– The host must be hardened.
• State is being kept by the IP stack.
• Spoofing IP & DNS still works if authentication isn’t used.
• Higher latency & lower throughput.

28. Circuit level proxy
– Client asks FW for document. FW connects to remote site. FW transfers all information between the two connections.
– Tends to have better logging than packet filters
– Data passed inside the circuit could be dangerous.
– Examples: Socks, Cycom Labyrinth

29. Application proxy
– FW transfers only acceptable information between the two connections.
– The proxy can understand the protocol and filter the data within.
– Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing

30. Application proxy weaknesses
• Some proxies on an “application proxy” firewall may not be application aware.
• Proxies have to be written securely.

31. Store and forward, or caching, proxies
– Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document.
– Can do data filtering.
– Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail

32. Weaknesses of store & forward proxies
– Store and forward proxies tend to be big new programs. Making them your primary connection to the internet is dangerous.
– These applications don’t protect the underlying operating system at all.
– Caching proxies can require more administrator time and hardware.
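The contrast between the circuit-level proxy of slide 28, which relays whatever the client sends, and the application proxy of slide 29, which understands the protocol and forwards only acceptable requests, as an added example. It is not the deck's code and not any of the products the slides list; both sides are pure functions over a constructed HTTP request so the block runs offline, and the allowed methods, the host list and the size cap are assumed policy.

```python
from typing import Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}     # assumption: the hosts policy lets inside users reach
MAX_REQUEST_BYTES = 4096


def circuit_relay(client_bytes: bytes) -> bytes:
    """Slide 28: the firewall transfers all information between the two connections,
    so whatever the client sent reaches the remote side byte for byte."""
    return client_bytes


def application_proxy(client_bytes: bytes) -> Tuple[Optional[bytes], str]:
    """Slide 29: parse the protocol and forward only acceptable requests.
    Returns (bytes to send to the server, reason); bytes is None when the request is refused."""
    if len(client_bytes) > MAX_REQUEST_BYTES:
        return None, "request too large"
    try:
        text = client_bytes.decode("ascii")
    except UnicodeDecodeError:
        return None, "not an ASCII HTTP request"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None, "incomplete headers"
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return None, f"method {method} not allowed"
    if not target.startswith("/"):
        return None, "only origin-form targets are relayed"
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None, "malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host not in ALLOWED_HOSTS:
        return None, f"host {host!r} not allowed"
    # Rebuild the request from the parsed fields: unknown headers and anything odd the
    # client put on the wire never reach the server, unlike with the circuit-level relay.
    clean = f"{method} {target} {version}\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return clean.encode("ascii"), "ok"


def demo():
    """Constructed requests: one acceptable, one wrong method, one off-policy host, one binary blob."""
    good = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nX-Debug: 1\r\n\r\n"
    tunnel = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    other = b"GET / HTTP/1.1\r\nHost: intranet.example.net\r\n\r\n"
    binary = b"\xff\xfe\x00\x01garbage"
    return {
        "circuit": [circuit_relay(r) == r for r in (good, tunnel, other, binary)],
        "application": [application_proxy(r) for r in (good, tunnel, other, binary)],
    }


if __name__ == "__main__":
    for verdict in demo()["application"]:
        print(verdict)
```

The circuit relay returns every request unchanged, which is slide 28's "data passed inside the circuit could be dangerous"; the application proxy refuses the tunnel request, the off-policy host and the non-HTTP bytes, and even the accepted request is re-serialised rather than copied. Slide 30 still applies: this parser is itself code on the firewall host and has to be written carefully.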
33. Network Address Translation (NAT)
– NAT changes the IP addresses in a packet, so that the address of the client inside never shows up on the internet.
– Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter

34. Types of NAT
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs outside
• Many IPs inside to one IP address outside
• Transparent diversion of connections

35. Weaknesses of NAT
• Source routing & other router holes
• Can be stupid about complex protocols
– ICMP, IP options, FTP, fragments
• Can give out a lot of information about your network.
• May need a lot of horsepower
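A worked example of slide 34's "many IPs inside to one IP address outside", added here and not taken from the deck or from any product slide 33 names. The public address, the port pool and the flows are constructed; the translation table is the only state.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen in the IP and transport headers."""
    src: str
    sport: int
    dst: str
    dport: int


class ManyToOneNAT:
    """Every inside host shares one public address and is told apart by the public port
    the NAT hands out; the inside address never appears on the Internet (slide 33)."""

    def __init__(self, public_ip, first_port=40000, last_port=40009):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound = {}   # (inside src, sport, dst, dport) -> public port
        self.inbound = {}    # public port -> (inside src, sport, dst, dport)

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite the source of an outgoing packet, reusing the mapping for a known flow."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.outbound.get(key)
        if port is None:
            if not self.free_ports:
                raise RuntimeError("NAT port pool exhausted")   # slide 35: it needs resources
            port = self.free_ports.pop(0)
            self.outbound[key] = port
            self.inbound[port] = key
        return Flow(self.public_ip, port, f.dst, f.dport)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Map a reply back to the inside host; None means no session, so the packet is dropped."""
        if f.dst != self.public_ip:
            return None
        key = self.inbound.get(f.dport)
        if key is None:
            return None                           # unsolicited: nobody inside asked for this
        src, sport, dst, dport = key
        if (f.src, f.sport) != (dst, dport):
            return None                           # right port, wrong peer: not this session
        return Flow(f.src, f.sport, src, sport)

    def close(self, f: Flow):
        """Release a mapping (in practice on FIN/RST or a timeout) so the port can be reused."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.outbound.pop(key, None)
        if port is not None:
            del self.inbound[port]
            self.free_ports.append(port)


def demo():
    nat = ManyToOneNAT("192.0.2.1")              # constructed public address
    a = nat.translate_outbound(Flow("10.0.0.5", 5000, "203.0.113.80", 80))
    b = nat.translate_outbound(Flow("10.0.0.6", 5000, "203.0.113.80", 80))  # same sport, new mapping
    a_again = nat.translate_outbound(Flow("10.0.0.5", 5000, "203.0.113.80", 80))
    reply = nat.translate_inbound(Flow("203.0.113.80", 80, "192.0.2.1", a.sport))
    stray = nat.translate_inbound(Flow("198.51.100.7", 4444, "192.0.2.1", 40005))
    wrong_peer = nat.translate_inbound(Flow("198.51.100.7", 80, "192.0.2.1", a.sport))
    return {"a": a, "b": b, "a_again": a_again, "reply": reply,
            "stray": stray, "wrong_peer": wrong_peer}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(name, flow)
```

Only headers are rewritten here. A protocol that carries addresses in its payload, FTP's PORT command being the classic case, would still leak the inside address through this NAT, which is slide 35's "can be stupid about complex protocols"; production NATs need per-protocol helpers for that.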
36. Intrusion detection
– Watches ethernet or router for trigger events, then tries to interrupt connections. Logs synopsis of all events.
– Can log suspicious sessions for playback
– Tend to be very good at recognizing attacks, fair at anticipating them
– Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker

37. Weaknesses of intrusion detection
– Can only stop TCP connections
– Sometimes stops things too late
– Can trigger alarms too easily
– Doesn’t work on switched networks

38. Logging
• Pros:
– Very cheap
– Solves most behavioral problems
– Logfiles are crucial for legal recourse
• Cons:
– Very programmer or administrator intensive
– Doesn’t prevent damage
– needs a stable environment to be useful

39. Types of logging
• program logging
• syslog / NT event log
• sniffers
– Argus, Network General, HP Openview, TCPdump
• router debug mode
– A very good tool for tracking across your network

40. Commercial Logging
• Logging in almost all commercial firewall packages stinks
– No tripwires
– No pattern recognition
– No smart/expert distillation
– No way to change firewall behavior based on log information
– No good way to integrate log files from multiple machines
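Slide 40 lists tripwires and pattern recognition as what commercial firewall logging lacks. As an added example (not from the deck), here is a small tripwire over constructed syslog-style deny records: it flags a source that is denied on many distinct destination ports within a short window, and counts lines it cannot parse instead of dropping them. The log format, the threshold and the window are assumptions; real ipfilter, PIX or router deny lines differ, so the regex is the part to adapt.

```python
import re
from collections import defaultdict

# Assumed log format: "<epoch seconds> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\d+) DENY (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source walking ports, one retrying a single port, one slow drip.
SAMPLE_LOG = """\
1000 DENY tcp 198.51.100.9:4000 -> 10.0.0.1:21
1000 DENY tcp 203.0.113.5:5000 -> 10.0.0.1:25
1001 DENY tcp 198.51.100.9:4001 -> 10.0.0.1:22
1002 DENY tcp 198.51.100.9:4002 -> 10.0.0.1:23
this line is not a firewall record
1003 DENY tcp 198.51.100.9:4003 -> 10.0.0.1:25
1003 DENY tcp 203.0.113.5:5000 -> 10.0.0.1:25
1004 DENY tcp 198.51.100.9:4004 -> 10.0.0.1:80
1005 DENY tcp 198.51.100.9:4005 -> 10.0.0.1:110
1006 DENY tcp 203.0.113.5:5000 -> 10.0.0.1:25
2000 DENY udp 192.0.2.7:53 -> 10.0.0.1:53
3000 DENY tcp 192.0.2.7:6000 -> 10.0.0.1:80
4000 DENY tcp 192.0.2.7:6001 -> 10.0.0.1:443
"""


def parse_log(text):
    """Parse deny records; unparsable lines are counted, not silently dropped."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            malformed += 1
            continue
        events.append((int(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events, malformed


def scan_tripwire(text, threshold=5, window=60):
    """Flag a source denied on at least `threshold` distinct destination ports within
    `window` seconds. Returns ({source: time the tripwire fired}, malformed line count)."""
    events, malformed = parse_log(text)
    by_src = defaultdict(list)
    for ts, src, _dst, dport in sorted(events):
        by_src[src].append((ts, dport))
    fired = {}
    for src, hits in by_src.items():
        for i, (ts, _port) in enumerate(hits):
            recent = {p for t, p in hits[:i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                fired[src] = ts       # record the first moment the pattern completed
                break
    return fired, malformed


if __name__ == "__main__":
    fired, bad = scan_tripwire(SAMPLE_LOG)
    print("tripwire fired:", fired, "| unparsed lines:", bad)
```

The retrying source never fires because it keeps hitting one port, and the slow source never fires because its hits fall outside the window; only the port walk trips. The malformed-line count is there because a silently ignored record is the gap slide 38's "crucial for legal recourse" cannot afford.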
41. Firewall Tools
• All types of firewall are useful sometimes.
• The more compartments on the firewall, the greater the odds of security.
• Belt & suspenders

42. Firewall topology
• Webserver placement
• RAS server placement
• Partner network placement
• Internal information protection (intranet firewalling)

43. Firewall deployment checklist
• Have list of what needs to be protected.
• Have all of the networks configured for the firewall
• All rules are in place
• Logging is on.

44. What steps are left?
• What is the firewall allowing access to?
– Internal machines receiving data had better be secure.
– If these services can’t be secured, what do you have to lose?

45. Last checks
• Day 0 Backups made?
• Are there any gaps between our stated policy and the rules the firewall is enforcing?

46. Auditing
• A firewall works when an audit finds no deviations from policy.
• Scanning tools are good for auditing conformance to policy, not so good for auditing security.
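Slide 45's question, whether there are gaps between the stated policy and the rules the firewall enforces, and slide 46's test that a firewall works when an audit finds no deviations, as an added example (not the deck's code). The policy set, the rule list and the first-match evaluation are constructed for the demonstration; the rule list deliberately contains three of slide 23's "easy to botch" mistakes so the audit has something to find.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One first-match rule; dport None means 'any port'."""
    action: str       # "allow" or "deny"
    direction: str    # "in" or "out"
    proto: str
    dport: Optional[int]


# Constructed policy (the answers to slide 10): (direction, proto, port) the organisation permits.
POLICY = {
    ("out", "tcp", 80), ("out", "tcp", 443), ("out", "tcp", 25), ("in", "tcp", 25),
}

# Constructed rule set with three mistakes for the audit to catch.
RULES = [
    Rule("allow", "out", "tcp", 80),
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "in", "tcp", 25),
    Rule("deny", "out", "tcp", 25),       # contradicts policy: outbound SMTP should be allowed
    Rule("allow", "in", "tcp", 23),       # a telnet hole (slide 14) nobody wrote into the policy
    Rule("allow", "out", "tcp", None),    # catch-all outbound allow ...
    Rule("allow", "out", "tcp", 8080),    # ... which shadows this rule, so it never fires
    Rule("deny", "in", "tcp", None),
]

SAMPLE_PORTS = {22, 23}   # assumed extra probes beyond what policy and rules mention


def first_match(rules, direction, proto, port):
    """Evaluate like a first-match filter; returns (action, index of the matching rule or None)."""
    for i, r in enumerate(rules):
        if r.direction == direction and r.proto == proto and r.dport in (None, port):
            return r.action, i
    return "deny", None      # slide 9: default deny when nothing matches


def audit(policy, rules, sample_ports=SAMPLE_PORTS):
    """Compare what policy says with what the rules actually enforce (slides 45 and 46).
    Returns deviations as (direction, proto, port, expected, actual) plus unreachable rule indices."""
    probes = set(policy)
    probes |= {(r.direction, r.proto, r.dport) for r in rules if r.dport is not None}
    protos = {p for _, p, _ in probes} | {r.proto for r in rules}
    probes |= {(d, p, port) for d in ("in", "out") for p in protos for port in sample_ports}
    deviations, matched = [], set()
    for direction, proto, port in sorted(probes):
        expected = "allow" if (direction, proto, port) in policy else "deny"
        actual, idx = first_match(rules, direction, proto, port)
        if idx is not None:
            matched.add(idx)
        if actual != expected:
            deviations.append((direction, proto, port, expected, actual))
    unreachable = [i for i in range(len(rules)) if i not in matched]
    return {"deviations": deviations, "unreachable_rules": unreachable}


if __name__ == "__main__":
    report = audit(POLICY, RULES)
    for d in report["deviations"]:
        print("deviation:", d)
    print("unreachable rules:", report["unreachable_rules"])
```

The audit is run against the rule text, not the wire, so it catches ordering and shadowing mistakes a port scanner would also see but cannot explain; slide 46's caveat still holds, in that a clean report says the rules match policy, not that the hosts behind them are secure.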
47. Sample configurations
• Good configurations should:
– limit Denial of Service.
– minimize complexity for inside users.
– be auditable.
– allow outside to connect to specific resources.

48. Minimal restriction, good security
• Stateful packet filter, dmz, packet filter, intrusion detection.
[Network diagram; only the label “Inside” is legible]

49. The Multimedia Nightmare
• secure multimedia & database content to be provided to multiple Internet destinations.
• Web server is acting as authentication & security for access to the Finance server.
[Network diagram: Proxy, CACHE, Inside]

50. Firewalls in multiple locations
– Identical proxies on both sides.
[Diagram: VPN over internal LAN]

51. Low end, good security, for low threat environments
• Packet filter, “Sacrificial Goat” web server, Application Firewall, bastion host running logging & Store & Forward proxies
[Network diagram: Store & Forward, Inside]

52. High end firewalls
• ATM switching firewalls
• Round robin gateways
– Don’t work with transparent proxies
• High availability

53. Firewall Trends
– “Toaster” firewalls
– Call-outs / co-processing firewalls
– VPNs
– Dumb protocols
– LAN equipment & protocols showing up on the Internet
– Over-hyped content filtering

54. More Firewall Trends
– blurring between packet filters & application proxies
– more services running on the firewall
– High availability, fail-over and hot swap ability
– GUIs
– Statistics for managers

55. Firewall trends & “religious” issues.
• Underlying OS for firewalls
– Any firewall OS should have little in common with the retail versions.
• Firewall certification
– Buy your own copy of ISS and “certify” firewalls yourself.

56. Source vs. Shrink-wrap
• Low end shrinkwrap solutions
• The importance of source
– Can you afford 1.5 programmer/administrators?
– Are you willing to have a non-employee doing your security? (Whose priorities win?)

57. Downside of firewalls
• single point of failure
• difficult to integrate into a mesh network
• highlights flaws in network architecture
• can focus politics on the firewall administrator

58. Interesting firewall products
– Checkpoint Firewall-1 http://www.checkpoint.com
– SecureNetPro http://www.mimestar.com
– IP Filter http://coombs.anu.edu.au/~avalon/ip-filter.html
– Seattle Labs http://www.sealabs.com
– Karlnet Karlbridge http://www.karlnet.com
– V-One inc http://www.v-one.com
– ISS Realsecure http://www.iss.net