Security of Wireless Computer Networks



  1. Selected Chapters in Computer Networks: Network Firewalls
     Mario Čagalj, mario.cagalj@fesb.hr, FESB, Sveučilište u Splitu, 8/5/2007
  2. Introduction
     - Computer security is hard
     - Security of networked computers is much harder
     - Organizations, companies and universities are connected to the Internet
     - The "outside world" can reach and interact with local network assets
     - Internal networks comprise hundreds of computers running Unix or Windows
     - Local computers run different (potentially vulnerable) services
       - FTP, Telnet, DNS, ARP, rlogin, Skype, POP, IMAP, ICMP, ...
       - New Internet vulnerabilities and flaws are discovered on a daily basis
     - How to protect a large, heterogeneous internal network efficiently?
     - A security flaw is discovered -> upgrade each potentially affected system
       - Does this approach scale well?
     - Better: insert a firewall between the internal network and the Internet
       - Establish a controlled link between the internal trusted network and the untrusted network (e.g., the Internet)
  3. What is a Firewall?
     - Originally, "firewall" denoted a barrier constructed to prevent the spread of fire from one part of a building to another
     - Network firewalls are barriers between networks, which prevent or deny unauthorized traffic between the networks
     - There is no unified definition, but essentially: a network firewall is a system or a group of systems used to control access to or from a protected (trusted) network, using a preconfigured set of rules and filters
       [Figure: firewall placed between the trusted network and the untrusted network]
     - A firewall can be a single router, multiple routers, a single host system or multiple hosts running firewall software, a hardware device, or any combination of these
  4. Firewall Characteristics
     - Main design goals
       - All traffic from inside to outside, and vice versa, must pass through the firewall
       - Only authorized traffic (as defined by the local security policy) will be allowed to pass
       - The firewall itself is immune to penetration
     - What firewalls can do (positive effects)
       - User authentication
         - Firewalls can be configured to require user authentication
         - Enforce different access control policies (different users, different rights)
       - Auditing and logging
         - Useful statistics for updating current security and utilization policies
       - Security and privacy
         - Some firewall systems can hide internal (trusted) networks from external (untrusted) networks: Network Address Translation (NAT)
         - No DNS traffic outside the internal network
         - Can shield services from unwanted scans
  5. Firewall Characteristics contd.
     - What firewalls can do (negative effects)
       - Traffic bottlenecks
         - All traffic is forced to go through the firewall system (to be inspected)
       - Single point of failure
       - Complex management
       - User frustration
         - "Arrgh, my Skype communication doesn't go through!"
         - Users may try to go around the firewall -> a serious security problem
     - What firewalls cannot do
       - An installed firewall does not imply that the protected network is 100% secure (other security measures are necessary)
       - Firewalls do not protect against inside attacks
         - Inside traffic is not routed through the firewall
       - Unwanted and unauthorized backdoors
         - Modem dial-in access, WiFi access
       - Firewalls cannot protect against the transfer of viruses or malicious code
         - Generally, firewalls do not inspect the packet payload (not practical)
  6. Basic Firewall Design Policies
     - Firewalls generally implement one of two basic design policies:
       1. Permit any service unless it is explicitly denied
       2. Deny any service unless it is explicitly permitted
     - 1st policy
       - The firewall allows all services to pass into the internal network by default
       - Blocks those services that the service access policy has identified as disallowed
       - More flexible but less desirable than the 2nd design policy
     - 2nd policy
       - The firewall denies all services by default
       - Passes those services that have been identified as allowed
       - Stronger and safer than the 1st policy
       - Legitimate traffic may suffer until the correct rules and filters are identified and implemented
       - Most often recommended
  7. Types of Firewalls
     - The firewall's basic design policies can be enforced by using different types of packet-screening (inspection) methods
     - The packet-screening methods are distinguished by how firewalls use pre-configured rules, filters, and information gathered from packets and sessions to allow or deny traffic
     - The three common types of firewalls (screening methods) are:
       - Packet filtering firewall
       - Stateful packet inspection firewall (+ hybrid methods)
       - Application-level gateways/proxies
       [Figure: TCP/IP protocol suite (physical layer, data-link layer, IP, TCP/UDP, application) with packet filters at the IP layer, stateful inspection at the TCP/UDP layer and application gateways at the application layer]
  8. Packet Filtering Firewall
     - The simplest packet-screening method: it simply filters packets
     - Each packet is inspected individually, without any regard to other packets
     - Filtering rules are based on information contained in a packet
       - Source IP address
       - Destination IP address
       - Protocol type (TCP/UDP/ICMP)
       - Source port
       - Destination port
       [Figure: security perimeter with a packet-filtering router (e.g., dual-homed) between the Internet and the private network; the router inspects the IP and TCP/UDP layers]
  9. Packet Filtering Firewall contd.
     - Operation:
       - The packet filter is set up as a list of rules based on matches to fields in the IP or TCP headers
       - If there is a match to one of the rules, the rule is invoked to determine whether to forward or discard the packet
       - If there is no match to any rule, a default action is taken
         - Discard (2nd firewall design policy)
         - Forward (1st firewall design policy)

       | Action | Ourhost IP | Port | Theirhost IP | Port |
       |--------|------------|------|--------------|------|
       | allow  | Host A     | 25   | *            | *    |

       "*" is a wildcard designator that matches everything. "SMTP (Simple Mail Transfer Protocol) Port 25" is the port used to send/receive e-mail.
  10. Packet Filtering Rules: Examples

       | Action | Ourhost IP | Port | Theirhost IP | Port |
       |--------|------------|------|--------------|------|
       | block  | *          | *    | Host A       | *    |
       | allow  | Host B     | 25   | *            | *    |

       Inbound mail is allowed (port 25 is for incoming SMTP), but only to Host B. Packets from the external Host A are blocked because that host does not comply with our e-mail policy.

       | Action | Ourhost IP | Port | Theirhost IP | Port |
       |--------|------------|------|--------------|------|
       | block  | *          | *    | *            | *    |

       An explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

       | Action | Ourhost IP | Port | Theirhost IP | Port |
       |--------|------------|------|--------------|------|
       | allow  | *          | *    | *            | 25   |

       Specifies that any inside host can send mail to the outside. However, this rule also allows an enemy to access any internal host and port by originating his call from port 25 on the outside machine! We have to distinguish between incoming and outgoing packets to solve this problem.
  11. Packet Filtering Rules: Examples

       | Action | Src IP      | Port | Dest IP | Port | Flag |
       |--------|-------------|------|---------|------|------|
       | allow  | {our hosts} | *    | *       | 25   |      |
       | allow  | *           | 25   | *       | *    | ACK  |

       SMTP is based on the TCP protocol. A TCP conversation consists of packets flowing in two directions. Even if all of the data is flowing one way, acknowledgment packets and control packets must flow the other way. We want to ensure that only internal hosts can make calls to someone's port 25. We can do this by paying attention to the direction of the packet, and by looking at some of the control fields. In particular, an initial open request packet in TCP does not have the ACK bit set in the header; all other TCP packets do. Thus, packets with ACK set are part of an ongoing conversation; packets without it represent connection establishment messages, which we will permit only from internal hosts. The idea is that an outsider cannot initiate a connection, but can continue one.
       From: "Firewalls and Internet Security: Repelling the Wily Hacker." Cheswick and Bellovin, 2003.
  12. Packet Filtering: Advantages
     - Simplicity
       - Each packet is inspected without any regard to other packets from the same connection
     - Speed
       - Packet filtering is done at the lower layers of the OSI model, so the time it takes to process a packet is much shorter
     - Transparent to the user
       - Requires no additional configuration for clients
     - Packet filtering firewalls are typically less expensive
       - Usually present in a standard firewall package
     - Scale better than other types of firewalls
       - Lower processing overhead
     - Packet filtering firewalls are application independent
  13. Packet Filtering: Disadvantages
     - Defining rules can be a very complex task
     - Packet-filtering firewalls do not support user authentication
     - Packet filters cannot prevent attacks that employ application-specific vulnerabilities
       - Packet-filter firewalls do not examine upper-layer data
       - E.g., they cannot block specific application commands
     - Vulnerable to IP address spoofing attacks
       - The intruder transmits packets from the outside with a source IP address set to an address of an internal host
       - Countermeasure: discard any packet with an internal source address if the packet arrives on an external interface
     - Vulnerable to the packet fragmentation attack
       - Typically, a packet filter makes a filtering decision based on the first fragment of the packet
       - The intruder uses the IP fragmentation option to create small fragments such that the TCP header information is forced into a separate fragment
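The SMTP rule set of slide 11 and the anti-spoofing countermeasure of slide 13, as an added example that is not part of the slides: a stateless filter that judges each packet on its own. The internal address block, the two inside hosts and the interface names are assumptions made for this example.

```python
from dataclasses import dataclass

# Added example (not from the slides): a stateless packet filter implementing
# the two-rule SMTP policy of slide 11 and the anti-spoofing check of slide 13.
# The addresses and interface names are constructed for illustration.
INTERNAL_PREFIX = "192.168.1."                 # assumed internal address block
OUR_HOSTS = {"192.168.1.10", "192.168.1.11"}   # the "{our hosts}" of slide 11

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool      # TCP ACK flag: clear on the initial open request, set otherwise
    iface: str     # interface the packet arrived on: "ext" (Internet) or "int" (LAN)

# Rule fields: source IPs, source port, destination IPs, destination port,
# required ACK flag (None = don't care), action. "*" is the wildcard.
RULES = [
    (OUR_HOSTS, "*", "*", 25, None, "allow"),   # inside hosts may call any port 25
    ("*", 25, "*", "*", True, "allow"),         # replies from port 25, ACK set only
]
DEFAULT_ACTION = "block"   # implicit last rule: deny unless explicitly permitted

def _match(value, pattern) -> bool:
    """A pattern is "*", a set of allowed values, or a single value."""
    if pattern == "*":
        return True
    if isinstance(pattern, (set, frozenset)):
        return value in pattern
    return value == pattern

def filter_packet(p: Packet) -> str:
    """Return "allow" or "block"; each packet is judged on its own (no state)."""
    # Slide 13 countermeasure: an internal source address arriving on the
    # external interface can only be spoofed, so it is dropped before any rule.
    if p.iface == "ext" and p.src_ip.startswith(INTERNAL_PREFIX):
        return "block"
    for src, sport, dst, dport, need_ack, action in RULES:
        if (_match(p.src_ip, src) and _match(p.src_port, sport)
                and _match(p.dst_ip, dst) and _match(p.dst_port, dport)
                and (need_ack is None or p.ack == need_ack)):
            return action   # the first matching rule decides
    return DEFAULT_ACTION

if __name__ == "__main__":
    # An inside host opens a connection to an outside mail server (no ACK yet).
    print(filter_packet(Packet("192.168.1.10", 1030, "203.0.113.25", 25, False, "int")))
    # The server's reply comes back with ACK set.
    print(filter_packet(Packet("203.0.113.25", 25, "192.168.1.10", 1030, True, "ext")))
    # The slide 10 problem: an outsider calling from port 25 is now refused.
    print(filter_packet(Packet("203.0.113.25", 25, "192.168.1.10", 23, False, "ext")))
```

Note that the second rule trusts the ACK flag alone, so it cannot tell a genuine reply from any other packet that carries the flag; that is the gap the connection state table of slides 14 to 16 closes.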
  14. Stateful Inspection Firewalls
     - Uses the same packet-screening technique as packet filtering
     - In addition, takes into account higher-layer context
     - Inspects the packet from the network layer up to the application layer to verify that the packet is part of a legitimate connection
     - Stateful packet inspection process
       - Packet header information is examined and stored in a dynamic state table
       - The packets are first compared to pre-configured rules or filters and allowed to pass or blocked
       - The state table is then used to evaluate subsequent packets, to verify that they are part of the same connection
     - The decision can be made based on the following information
       - Source IP address
       - Destination IP address
       - Protocol type (TCP/UDP/ICMP)
       - Source port
       - Destination port
       - Connection state (derived from information gathered in previous packets)
  15. Stateful Inspection Packet Filtering
       [Figure: packets 1 to 5 travelling between the Internet, the firewall and the private network through the protocol stack (physical layer, data-link layer, IP, TCP/UDP, application); the firewall checks each packet against its rule set: P4 is allowed, P5 is discarded]
  16. Stateful Firewall: Connection State Table
     - Contains an entry for each currently established connection
     - The packet filter will allow incoming traffic to ports only for those packets that fit the profile of one of the entries

       | Source Address | Source Port | Destination Address | Destination Port | Connection State |
       |----------------|-------------|---------------------|------------------|------------------|
       | 192.168.1.100  | 1030        | 210.9.88.29         | 80               | Established      |
       | 192.168.1.102  | 1031        | 216.32.42.123       | 80               | Established      |
       | 192.168.1.101  | 1033        | 173.66.32.122       | 80               | Established      |
       | 192.168.1.106  | 1035        | 177.231.32.12       | 80               | Established      |
       | 223.43.21.231  | 1990        | 192.168.1.6         | 80               | Established      |
       | 210.99.212.18  | 2112        | 192.168.1.6         | 80               | Established      |
       | 24.102.32.23   | 1025        | 192.168.1.6         | 80               | Established      |
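The inspection process of slide 14 and the state table of slide 16, as an added example that is not part of the slides: connection requests are checked against static rules, every later packet must match a table entry. The addresses come from the slide 16 table; the internal prefix, the published web server on 192.168.1.6:80 and recording the entry at the SYN are assumptions made for this example.

```python
from dataclasses import dataclass

# Added example (not from the slides): a minimal stateful inspection engine
# that keeps the connection state table of slide 16. The internal prefix and
# the published web server are assumptions made for this example.
INTERNAL_PREFIX = "192.168.1."
PUBLISHED_SERVICES = {("192.168.1.6", 80)}   # inbound connections allowed here

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

class StatefulFirewall:
    def __init__(self):
        # State table: (src ip, src port, dst ip, dst port) -> connection state
        self.table = {}

    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def handle(self, p: Packet) -> str:
        """Step 1: static rules decide whether a new connection may be opened.
        Step 2: every other packet must belong to an entry in the state table."""
        if p.syn and not p.ack:                      # connection request
            outbound = p.src_ip.startswith(INTERNAL_PREFIX)
            if outbound or (p.dst_ip, p.dst_port) in PUBLISHED_SERVICES:
                # Simplification: the entry is recorded as Established at the
                # SYN rather than after the full three-way handshake.
                self.table[self._key(p)] = "Established"
                return "allow"
            return "discard"
        # Subsequent packets are matched in either direction of the connection
        key = self._key(p) if self._key(p) in self.table else self._reverse_key(p)
        if key not in self.table:
            return "discard"   # e.g. a stray ACK with no connection behind it
        if p.fin:
            del self.table[key]  # connection closing: drop the entry
        return "allow"

    def established(self):
        """Rows of the state table in the column order of slide 16."""
        return [(*k, state) for k, state in self.table.items()]
```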
  17. Stateful Inspection: Pros and Cons
     - Advantages
       - Very little impact on network performance (very fast)
       - Application independent and transparent to users
       - More secure than basic packet filtering (determines the connection state between endpoints)
       - Has logging capabilities
     - Disadvantages
       - Rules and filters are quite complex to set, test and manage
       - Allows a direct connection to be made between two endpoints (like basic packet filtering)
  18. Application-level Gateway/Proxy
     - Also called a proxy server; considered the most complex packet-screening method
     - Acts as a relay of application-level traffic
     - Uses application-layer information to filter packets
       [Figure: application-level gateway with an outside connection to the outside host and a separate inside connection to the inside host, relaying TELNET, FTP, SMTP and HTTP]
     - The direct connection is broken into two separate connections
     - Interfaces on the proxy server do not forward packets -> a proxy service must be implemented for each application protocol
  19. Application Gateway/Proxy Operation
     - Outside connection
       - A client issues a request to the gateway
       - A connection is established between the client and the proxy
       - The proxy determines whether the request is valid (using the filters and rules) and, optionally, whether the user is authorized for the requested service (user authentication)
       - In turn, the proxy sends a new request on behalf of the client to the desired destination
     - Inside connection
       - The destination responds to the proxy server
       - The proxy determines whether the response is valid
       - In turn, the proxy sends the response from the destination back to the client
  20. Application Gateway: Pros and Cons
     - Advantages
       - Does not allow direct connections between internal and external hosts
       - Can analyze the application commands in data packets
       - Does not route between the internal and external networks
         - Hides the internal network topology (similar to NAT)
       - Supports user-level authentication
       - Supports logging at the application level
       - Perhaps the most secure type of firewall
     - Disadvantages
       - Can have a significant impact on network performance
       - Each protocol (HTTP, FTP, SMTP) requires its own proxy application
       - Vulnerable to Denial-of-Service attacks
       - Does not scale well
  21. Circuit-level Gateway
     - Does not examine individual packets
     - Instead, it monitors TCP or UDP sessions
     - Security consists of determining which connections will be allowed
     - Once a session has been established, it leaves the port open to allow all packets from the same session to pass
     - In many respects similar to the application gateway, with the difference that it operates at the transport layer
       [Figure: circuit-level gateway with an outside connection to the outside host and an inside connection to the inside host, each shown as an out/in pair]
  22. Application of a Circuit-level Gateway
     - A typical use is a situation in which the system administrator trusts the internal users
     - The gateway can be configured to support application-level service on inbound connections and circuit-level functions for outbound connections
     - The gateway can incur the processing overhead of examining incoming application data
     - The gateway does not incur that overhead on outgoing data
  23. Pseudo Firewalls
     - Network Address Translation (NAT)
       - Translates "internal" IP addresses of one network to "external" IP addresses on another network
       - Static NAT
         - E.g., 12.1.8.4 <-> 162.145.14.3
       - Pooled NAT (dynamic mapping to an IP from a given pool of addresses)
         - E.g., 10.0.0.1-10.0.0.254 <-> 168.13.1.1-168.13.1.254
       - Port-level NAT (dynamic mapping)
         - E.g., 10.0.0.1 <-> 168.13.1.1:1084, 10.0.0.2 <-> 168.13.1.1:1085
       - Not really a network firewall
     - Personal Firewalls
       - Control access to a single device (not to a trusted network)
       - "Defense in depth"
         - Provides an additional level of protection
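The port-level NAT of slide 23, as an added example that is not part of the slides: internal 10.0.0.x hosts share the external address 168.13.1.1 and each outbound flow gets its own external port, starting at 1084 as on the slide. The per-flow (rather than per-host) mapping and the remote addresses are assumptions made for this example; the point it shows is why NAT only behaves like a firewall.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Added example (not from the slides): port-level NAT as sketched on slide 23.
# The per-flow mapping and the sample remote addresses are assumptions.
EXTERNAL_IP = "168.13.1.1"
FIRST_PORT = 1084          # the slide's example starts allocating here

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PortNat:
    def __init__(self):
        self.next_port = FIRST_PORT
        self.out_map = {}   # (int ip, int port, dst ip, dst port) -> external port
        self.in_map = {}    # (external port, remote ip, remote port) -> (int ip, int port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of a packet leaving the internal network."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=EXTERNAL_IP, src_port=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or drop it (None) if
        no internal host opened a flow that it answers. That drop is the only
        protection NAT gives, which is why the slide calls it a pseudo firewall:
        nothing inspects the packets of a flow once the mapping exists."""
        if p.dst_ip != EXTERNAL_IP:
            return None
        entry = self.in_map.get((p.dst_port, p.src_ip, p.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return replace(p, dst_ip=int_ip, dst_port=int_port)
```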
  24. Firewall Architectures
     - Refers to a collection of firewall system components (hardware and software), the connectivity between them and the distribution of functions among them
     - The very first step in designing a firewall architecture is to identify the boundaries between different security domains (the security perimeter)
     - The most common security perimeter is the boundary between an organization's LAN and the Internet
     - To make a network more secure, it is advisable to use different types of firewalls within the same firewall system
     - The most effective firewall architectures require that all network traffic passes through them
  25. Screening Router (Packet Filtering)
       [Figure: screening (filtering) router placed between the trusted LAN and the Internet]
  26. Screening Router (Packet Filtering)
     - The simplest and most basic architecture
     - A host on the local network and a host on the Internet can communicate directly
     - The communication is restricted to the types that are allowed by the router (rules and filters)
     - Simple filtering based on IP addresses and protocols
     - Best suited for small and simple networks
     - Disadvantages:
       - No logging capabilities
       - Packet filtering rules may be complex and hard to test
       - A single component of protection
         - If it fails, security is compromised
  27. Screened-host/Bastion-host Firewall System
     - Single-homed bastion host
       [Figure: Internet, screening router, trusted LAN, and a single-homed gateway (bastion host)]
  28. Screened-host/Bastion-host Firewall System
     - Consists of two systems:
       - A packet-filtering router
       - A single-homed bastion host
         - The bastion host serves as a platform for an application- or circuit-level gateway
         - A critical strong point in the network security
     - Typically, the router is configured such that
       - Only IP packets originating from the Internet and destined to the bastion host are allowed in
       - Only IP packets from the bastion host are allowed out
     - A direct connection between an internal host and a host on the Internet is also possible, for certain services (e.g., a Web server)
     - The bastion host performs
       - Authentication and application proxy functions
     - The system implements both packet-level and application-level filtering
     - Two points of defense (generally, an intruder would have to penetrate two separate systems)
     - Still, if the filtering router is compromised, traffic could flow directly through the router between the Internet and other hosts on the LAN
  29. Dual-homed Gateway Architecture
       [Figure: Internet, screening router, dual-homed gateway (bastion host), trusted LAN]
  30. Dual-homed Gateway Architecture
     - Consists of two systems:
       - A packet-filtering router
       - A dual-homed bastion host (application proxy, packet forwarding disabled)
     - Compared to the screened-host system, all network traffic passes through the bastion host
     - A direct connection between an internal host and a host on the Internet is not possible
     - The bastion host performs
       - User authentication and application proxy functions
     - Two points of defense (an intruder must penetrate two separate systems)
     - If the filtering router is compromised, traffic cannot flow directly through the router between the Internet and other hosts on the LAN
  31. Dual-homed Gateway Architecture contd.
       [Figure: Internet, screening router, dual-homed gateway (bastion host), a demilitarized zone (DMZ) with a Web server and a Mail server, trusted LAN]
  32. Tri-homed Gateway
       [Figure: Internet, screening router, tri-homed gateway (bastion host), a demilitarized zone (DMZ) with a Web server and a Mail server, trusted LAN]
  33. Screened-subnet Firewall Architecture
       [Figure: Internet, two screening routers with the DMZ between them (Web server, Mail server and a single-homed gateway/bastion host), trusted LAN]
  34. Screened-subnet Firewall Architecture
     - A screened subnet, or DMZ, is typically created between two packet-filtering routers
     - Creates an isolated subnetwork
     - The most secure architecture
     - Three levels of defense
     - The outside router advertises only the existence of the screened subnetwork to the Internet; the internal network is invisible to the Internet
     - The inside router advertises only the existence of the screened subnet to the internal network (no direct routes between the internal network and the Internet)
  35. Literature
     - "Firewalls and Internet Security: Repelling the Wily Hacker." Cheswick and Bellovin, 1994.
       - http://www.wilyhacker.com/1e
     - http://www2.rad.com/networks/2001/firewall/index.htm
     - http://www.more.net/technical/netserv/tcpip/firewalls
     - Any book on network security
     - And, of course, Google :)
