Unified Threat Management


Published on

Unified Threat Management Solutions

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules
  • Unified Threat Management

    1. 1. Where firewalls fit in the corporate landscape KEEN Computer Solutions IT-Software- Engineering info@keencomputer.com Tx-408-668-9062
    2. 2. Firewall topics • Why firewall? • What is a firewall? • What is the perfect firewall? • What types of firewall are there? • How do I defeat these firewalls? • How should I deploy firewalls? • What is good firewall architecture? • Firewall trends.
    3. 3. What are the risks? • Theft or disclosure of internal data • Unauthorized access to internal hosts • Interception or alteration of data • Vandalism & denial of service • Wasted employee time • Bad publicity, public embarassment, and law suits
    4. 4. What needs to be secured? • Crown jewels: patent work, source code, market analysis; information assets • Any way into your network • Any way out of your network • Information about your network
    5. 5. Why do I need a firewall? • Peer pressure. • One firewall is simpler to administer than many hosts. • It’s easier to be security conscientious with a firewall.
    6. 6. What is a firewall? • As many machines as it takes to: – be the sole connection between inside and outside. – test all traffic against consistent rules. – pass traffic that meets those rules. – contain the effects of a compromised system.
    7. 7. Firewall components • All of the machines in the firewall – are immune to penetration or compromise. – retain enough information to recreate their actions.
    8. 8. The Perfect firewall • Lets you do your business • Works with existing security measures • has the security “margin of error” that your company needs.
    9. 9. The security continuum • Ease of use vs. degree of security • Cheap, secure, feature packed, easy to administer? Choose three. • Default deny or default accept Easy to use Secure
    10. 10. Policy for the firewall – Who gets to do what via the Internet? – What Internet usage is not allowed? – Who makes sure the policy works and is being complied with? – When can changes be made to policy/rules? – What will be done with the logs? – Will we cooperate with law enforcement?
    11. 11. What you firewall matters more than which firewall you use. • Internal security policy should show what systems need to be guarded. • How you deploy your firewall determines what the firewall protects. • The kind of firewall is how much insurance you’re buying.
    12. 12. How to defeat firewalls • Take over the firewall. • Get packets through the firewall. • Get the information without going through the firewall.
    13. 13. A partial list of back doors. • personal modems • vendor modems • partner networks • home networks • loose cannon experts • employee hacking • reusable passwords • viruses • “helpful” employees • off-site backup & hosting
    14. 14. Even perfect firewalls can’t fix: • Tunneled traffic. • Holes, e.g. telnet, opened in the firewall. • WWW browser attacks / malicious Internet servers.
    15. 15. Priorities in hacking through a firewall • Collect information. • Look for weaknesses behind the firewall. • Try to get packets through the firewall. • Attack the firewall itself. • Subvert connections through the firewall.
    16. 16. Information often leaked through firewalls • DNS host information • network configuration • e-mail header information • intranet web pages on the Internet
    17. 17. “Ground-floor windows” • mail servers • web Servers • old buggy daemons • account theft • vulnerable web browsers
    18. 18. Attacking the firewall • Does this firewall pass packets when it’s crashed? • Is any software running on the firewall?
    19. 19. A fieldtrip through an IP packet • Important fields are: – source, destination, ports, TCP status . . TOS . . .. . . SRC DEST opt SPORT DPORT DATA SEQ# ACK# ..ACK,URG,SYN ….
    20. 20. Types of firewall • Packet filters • Proxy gateways • Network Address Translation (NAT) • Intrusion Detection • Logging
    21. 21. Packet filters • How Packet filters work – Read the header and filter by whether fields match specific rules. – SYN flags allow the router to tell if connection is new or ongoing. • Packet filters come in dumb, standard, specialized, and stateful models
    22. 22. Standard packet filter – allows connections as long as the ports are OK – denies new inbound connections, using the SYN flag – Examples: Cisco & other routers, Karlbridge, Unix hosts, steelhead.
    23. 23. Packet filter weaknesses – It’s easy to botch the rules. – Good logging is hard. – Stealth scanning works well. – Packet fragments, IP options, and source routing work by default. – Routers usually can’t do authentication of end points.
    24. 24. Stateful packet filters – SPFs track the last few minutes of network activity. If a packet doesn’t fit in, they drop it. – Stronger inspection engines can search for information inside the packet’s data. – SPFs have to collect and assemble packets in order to have enough data. – Examples: Firewall One, ON Technologies, SeattleLabs, ipfilter
    25. 25. Weaknesses in SPF – All the flaws of standard filtering can still apply. – Default setups are sometimes insecure. – The packet that leaves the remote site is the same packet that arrives at the client. – Data inside an allowed connection can be destructive. – Traditionally SPFs have poor logging.
    26. 26. Proxy firewalls • Proxy firewalls pass data between two separate connections, one on each side of the firewall. – Proxies should not route packets between interfaces. • Types: circuit level proxy, application proxy, store and forward proxy.
    27. 27. General proxy weaknesses • The host is now involved, and accessible to attack. – The host must be hardened. • State is being kept by the IP stack. • Spoofing IP & DNS still works if authentication isn’t used. • Higher latency & lower throughput.
    28. 28. Circuit level proxy – Client asks FW for document. FW connects to remote site. FW transfers all information between the two connections. – Tends to have better logging than packet filters – Data passed inside the circuit could be dangerous. – Examples: Socks, Cycom Labyrinth
    29. 29. Application proxy – FW transfers only acceptable information between the two connections. – The proxy can understand the protocol and filter the data within. – Examples: TIS Gauntlet and FWTK, Raptor, Secure Computing
    30. 30. Application proxy weaknesses • Some proxies on an “application proxy” firewall may not be application aware. • Proxies have to be written securely.
    31. 31. Store and forward , or caching, proxies – Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document. – Can do data filtering. – Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail
    32. 32. Weaknesses of store & forward proxies – Store and forward proxies tend to be big new programs. Making them your primary connection to the internet is dangerous. – These applications don’t protect the underlying operating system at all. – Caching proxies can require more administrator time and hardware.
    33. 33. Network Address Translation (NAT) – NAT changes the ip addresses in a packet, so that the address of the client inside never shows up on the internet. – Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
    34. 34. Types of NAT • Many IPs inside to many static IPs outside • Many IPs inside to many random IPs outside • Many IPs inside to one IP address outside • Transparent diversion of connections
    35. 35. Weaknesses of NAT • Source routing & other router holes • Can be stupid about complex protocols – ICMP, IP options, FTP, fragments • Can give out a lot of information about your network. • May need a lot of horsepower
    36. 36. Intrusion detection – Watches ethernet or router for trigger events, then tries to interrupt connections. Logs synopsis of all events. – Can log suspicious sessions for playback – Tend to be very good at recognizing attacks, fair at anticipating them – Products: Abirnet, ISS Real Secure, SecureNetPro, Haystack Netstalker
    37. 37. Weaknesses of intrusion detection – Can only stop tcp connections – Sometimes stops things too late – Can trigger alarms too easily – Doesn’t work on switched networks
    38. 38. Logging • Pros: – Very cheap – Solves most behavioral problems – Logfiles are crucial for legal recourse • Cons: – Very programmer or administrator intensive – Doesn’t prevent damage – needs a stable environment to be useful
    39. 39. Types of logging • program logging • syslog /NT event log • sniffers – Argus, Network General, HP Openview, TCPdump • router debug mode – A very good tool for tracking across your network
    40. 40. Commercial Logging • Logging almost all commercial firewall packages stinks – No tripwires – No pattern recognition – No smart/expert distillation – No way to change firewall behavior based on log information – No good way to integrate log files from multiple machines
    41. 41. Firewall Tools • All types of firewall are useful sometimes. • The more compartments on the firewall, the greater the odds of security. • Belt & suspenders
    42. 42. Firewall topology • Webserver placement • RAS server placement • Partner network placement • Internal information protection (intranet firewalling)
    43. 43. Firewall deployment checklist • Have list of what needs to be protected. • Have all of the networks configured for the firewall • All rules are in place • Logging is on.
    44. 44. What steps are left? • What is the firewall allowing access to? – Internal machines receiving data had better be secure. – If these services can’t be secured, what do you have to lose?
    45. 45. Last checks • Day 0 Backups made? • Are there any gaps between our stated policy and the rules the firewall is enforcing?
    46. 46. Auditing • A firewall works when an audit finds no deviations from policy. • Scanning tools are good for auditing conformance to policy, not so good for auditing security.
    47. 47. Sample configurations • Good configurations should: – limit Denial of Service. – minimize complexity for inside users. – be auditable. – allow outside to connect to specific resources.
    48. 48. Minimal restriction, good security • Stateful packet filter, dmz, packet filter, intrusion detection. S Inside
    49. 49. The Multimedia Nightmare • secure multimedia & database content to provided to multiple Internet destinations. • Web server is acting as authentication & security for access to the Finance server. Proxy CACHE Inside
    50. 50. Firewalls in multiple locations – Identical proxies on both sides. VPN over internal LAN
    51. 51. Low end, good security, for low threat environments • Packet filter, “Sacrificial Goat” web server, Application Firewall, bastion host running logging & Store & Forward proxies Store & Forward Inside
    52. 52. High end firewalls • ATM switching firewalls • Round robin gateways – Don’t work with transparent proxies • High availability
    53. 53. Firewall Trends – “Toaster” firewalls – Call-outs / co-processing firewalls – VPNs – Dumb protocols – LAN equipment & protocols showing up on the Internet – Over-hyped content filtering
    54. 54. More Firewall Trends – blurring between packet filters & application proxies – more services running on the firewall – High availability, fail-over and hot swap ability – GUI’s – Statistics for managers
    55. 55. Firewall trends & “religious” issues. • Underlying OS for firewalls – Any firewall OS should have little in common with the retail versions. • Firewall certification – Buy your own copy of ISS and “certify” firewalls yourself.
    56. 56. Source vs. Shrink-wrap • Low end shrinkwrap solutions • The importance of source – Can you afford 1.5 programmer/administrators? – Are you willing to have a non-employee doing your security? (Whose priorities win?)
    57. 57. Downside of firewalls • single point of failure • difficult to integrate into a mesh network • highlights flaws in network architecture • can focus politics on the firewall administrator
    58. 58. Interesting firewall products – GateProtect- http://gateprotect.com – Checkpoint Firewall-1 http://www.checkpoint.com – SecureNetPro http://www.mimestar.com – IP Filter http://coombs.anu.edu.au/~avalon/ip-filter.html – Seattle Labs http://www.sealabs.com – Karlnet Karlbridge http://www.karlnet.com – V-One inc http://www.v-one.com