8/10/2019 Firewalls (16)
1/22
SMU CSE 5349/7349
Firewalls
Firewalls
Most widely sold solution for Internet security
"Solution in a box" appeal
Not a substitute for proper configuration management
Firewall needs to be configured properly for the intended protection
Types of Firewalls
IP packet level: packet filtering
TCP session level: circuit gateways
Application level: application relays/gateways
Dynamic packet filtering: combination of packet filtering and circuit-level gateways, often with application-level semantics
NATs, IDSs, logging
Ingress vs. egress filtering
Firewalls and OSI Layers
OSI Model Layer      Firewall Functionality
7 - Application      Application level proxies, forward and reverse proxies
6 - Presentation
5 - Session          Stateful firewall
4 - Transport        TCP/UDP port filtering, circuit level proxy
3 - Network (IP)     Packet filtering, address filtering, packet filtering firewall
2 - Data Link
1 - Physical
Packet Filters
Read the header and filter by whether fields match specific rules
Administrator makes a list of acceptable/unacceptable field values
Ingress/egress filtering
Come in standard, specialized, and stateful models
Weaknesses:
Easy to botch rules
Logging difficult
Lack of authentication between end points
Network Topology and Address Spoofing
Consider a three-network (N1, N2, and N3) system with one router firewall
N1, the DMZ net, connects the GW
Very limited connection between GW and outside
Very limited connection (different set) between GW and N2/N3 (Why?)
Anything can pass between N2 and N3
Outgoing connections only from N2 or N3
How to set the packet filter rules?
External nodes can spoof internal addresses: block all packets whose source addresses are the same as internal addresses
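The rule set for the N1/N2/N3 topology, written out as a first-match packet filter. This is an added example, not code from the SMU slides: the address plan, the interface names ("ext", "n1", "n2", "n3") and the exact "very limited" service sets (SMTP and HTTP to the GW from outside, SMTP between GW and the internal nets) are constructed assumptions. The first rules are the anti-spoofing ones: a packet arriving on the external interface with an internal source address is dropped before anything else is considered.

```python
# Added example, not code from the SMU lecture slides: a first-match packet filter for the
# three-network (N1/N2/N3) topology above. The address plan, the interface names and the
# "very limited" service sets are constructed assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan (documentation / private ranges).
N1 = ipaddress.ip_network("192.0.2.0/24")     # DMZ net, holds the gateway GW
N2 = ipaddress.ip_network("10.1.0.0/16")      # internal
N3 = ipaddress.ip_network("10.2.0.0/16")      # internal
GW = ipaddress.ip_network("192.0.2.10/32")    # the gateway / bastion host on N1
INTERNAL = [N1, N2, N3]


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "ext", "n1", "n2" or "n3"
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    iface: Optional[str] = None                  # None matches anything
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn_only: Optional[bool] = None


RULES: List[Rule] = [
    # Anti-spoofing: a packet from the outside must never carry an internal source address.
    *[Rule("drop", iface="ext", src=net) for net in INTERNAL],
    # Outside <-> GW: a very limited set (constructed: inbound SMTP and HTTP only).
    Rule("accept", iface="ext", dst=GW, proto="tcp", dport=25),
    Rule("accept", iface="ext", dst=GW, proto="tcp", dport=80),
    Rule("drop", iface="ext", dst=N1),
    # Outgoing connections only from N2/N3: refuse new TCP connections from outside,
    # but let non-SYN TCP (replies to connections opened from inside) through.
    # A stateless filter cannot do better than this; a stateful filter can.
    Rule("drop", iface="ext", syn_only=True),
    Rule("accept", iface="ext", proto="tcp"),
    # GW <-> N2/N3: a different, even smaller set (constructed: GW relays mail on TCP/25).
    Rule("accept", iface="n1", src=GW, proto="tcp", dport=25),
    Rule("drop", iface="n1"),
    # Anything can pass between N2 and N3.
    Rule("accept", iface="n2", dst=N3),
    Rule("accept", iface="n3", dst=N2),
    # N2/N3 reach the GW only for mail, never the rest of the DMZ; outside is open to them.
    Rule("accept", iface="n2", dst=GW, proto="tcp", dport=25),
    Rule("accept", iface="n3", dst=GW, proto="tcp", dport=25),
    Rule("drop", iface="n2", dst=N1),
    Rule("drop", iface="n3", dst=N1),
    Rule("accept", iface="n2"),
    Rule("accept", iface="n3"),
    # Default deny.
    Rule("drop"),
]


def matches(rule: Rule, p: Packet) -> bool:
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return ((rule.iface is None or rule.iface == p.iface)
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.proto is None or rule.proto == p.proto)
            and (rule.dport is None or rule.dport == p.dport)
            and (rule.syn_only is None or rule.syn_only == p.syn_only))


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first rule that matches (first-match semantics)."""
    for rule in rules:
        if matches(rule, p):
            return rule.action
    return "drop"   # unreachable with the explicit default-deny rule, kept as a safety net


if __name__ == "__main__":
    samples = [
        Packet("ext", "10.1.5.5", "192.0.2.10", "tcp", 25, syn_only=True),      # spoofed N2 source
        Packet("ext", "198.51.100.9", "192.0.2.10", "tcp", 25, syn_only=True),  # mail to GW
        Packet("ext", "198.51.100.9", "10.1.5.5", "tcp", 80, syn_only=True),    # new connection inward
        Packet("n2", "10.1.5.5", "10.2.7.7", "udp", 5000),                      # N2 -> N3
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport, filter_packet(p))
```

Rule order matters: the anti-spoofing drops sit first so that a forged internal source address can never reach the later accept rules for the GW. Note also what the stateless filter cannot express: a UDP reply (a DNS answer, say) to a query from N2 is dropped, because nothing records that the query went out.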
Stateful Packet Filters (SPFs)
Track the last few minutes of network activity.
If a packet doesn't fit in, drop it
Stronger inspection engines search for information inside the packet's data
Have to collect and assemble packets in order to have enough data
Examples: Firewall One, SeattleLabs, ipfilter
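The connection-tracking idea in code: an added example, not code from the slides or from any of the products named above. The filter remembers flows opened from the inside, lets the matching return traffic in, drops anything that fits no recorded flow, and forgets flows after an idle timeout (the "last few minutes" window). The timeout value, the packet fields and the sample flows are constructed assumptions.

```python
# Added example, not code from the slides: a minimal stateful packet filter (SPF). It records
# connections opened from the inside and lets return traffic in only while an entry exists and
# is fresh; anything that does not fit a recorded flow is dropped. The idle timeout and the
# sample packets are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple

IDLE_TIMEOUT = 180.0   # seconds: forget a flow after a few minutes without traffic


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False    # TCP SYN (new connection attempt)
    fin: bool = False    # TCP FIN or RST (connection being torn down)


# A flow is always keyed from the inside host's point of view so that both directions
# of the same connection look up the same entry.
FlowKey = Tuple[str, str, int, str, int]   # proto, inside ip, inside port, outside ip, outside port


class StatefulFilter:
    def __init__(self, timeout: float = IDLE_TIMEOUT) -> None:
        self.timeout = timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> time last seen

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.flows.items() if now - last > self.timeout]
        for k in stale:
            del self.flows[k]

    def active_flows(self) -> int:
        return len(self.flows)

    def process(self, p: Packet, now: float) -> str:
        """Return "accept" or "drop" for one packet arriving at time `now` (seconds)."""
        self._expire(now)
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            # Outbound traffic creates or refreshes state; a teardown removes it.
            if p.fin:
                self.flows.pop(key, None)
            elif p.proto == "udp" or p.syn or key in self.flows:
                self.flows[key] = now
            else:
                return "drop"   # mid-stream TCP segment for a flow we never saw start
            return "accept"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key not in self.flows:
            return "drop"       # unsolicited inbound packet: does not fit recorded activity
        if p.fin:
            del self.flows[key]
        else:
            self.flows[key] = now
        return "accept"


if __name__ == "__main__":
    f = StatefulFilter()
    print(f.process(Packet("in", "198.51.100.9", 443, "10.0.0.5", 51000), 0.0))            # drop
    print(f.process(Packet("out", "10.0.0.5", 51000, "198.51.100.9", 443, syn=True), 1.0))  # accept
    print(f.process(Packet("in", "198.51.100.9", 443, "10.0.0.5", 51000), 2.0))            # accept
    print(f.process(Packet("in", "198.51.100.9", 443, "10.0.0.5", 51000), 400.0))          # drop: expired
```

This is what lets a stateful filter pass a UDP reply that a stateless rule list has to either block or open permanently: the outbound query creates the entry, and only the matching answer gets back in. The table is also the resource an attacker can exhaust, which is why real implementations bound its size and age entries out aggressively.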
Packet Filtering Performance
May affect the router's optimization in handling packets
Still, the serial link from the router to the Internet may be the bottleneck
Keep the rules simple and uniform
Order the rules to get the most common type of traffic through first
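Why rule order matters for a first-match filter, measured on a constructed traffic mix. This is an added example, not from the slides: the rule set, the 1000-packet mix and the cost model (one comparison per rule visited) are all constructed. It also shows the check a practitioner wants before reordering: the rules must be disjoint, otherwise moving a rule changes the policy and not just its speed.

```python
# Added example, not code from the slides: measuring how the order of a first-match rule
# list affects filtering cost. The rule set, the traffic mix and the cost model (one
# comparison per rule visited) are constructed for illustration.
from collections import Counter
from typing import Callable, List, Tuple

Rule = Tuple[str, Callable[[dict], bool], str]   # (name, match predicate, action)


def make_rules() -> List[Rule]:
    # Constructed policy, written in a "natural" order that happens to put the busiest
    # service last. The rules are mutually exclusive, which is what makes reordering safe.
    return [
        ("ssh",     lambda p: p["proto"] == "tcp" and p["dport"] == 22,  "accept"),
        ("dns",     lambda p: p["proto"] == "udp" and p["dport"] == 53,  "accept"),
        ("smtp",    lambda p: p["proto"] == "tcp" and p["dport"] == 25,  "accept"),
        ("https",   lambda p: p["proto"] == "tcp" and p["dport"] == 443, "accept"),
        ("http",    lambda p: p["proto"] == "tcp" and p["dport"] == 80,  "accept"),
        ("default", lambda p: True,                                      "drop"),
    ]


def evaluate(rules: List[Rule], packet: dict) -> Tuple[str, str, int]:
    """First-match lookup: returns (rule name, action, number of rules visited)."""
    for visited, (name, pred, action) in enumerate(rules, start=1):
        if pred(packet):
            return name, action, visited
    return "none", "drop", len(rules)


def total_cost(rules: List[Rule], traffic: List[dict]) -> int:
    """Total number of rule comparisons spent on the whole traffic sample."""
    return sum(evaluate(rules, p)[2] for p in traffic)


def reorder_by_hits(rules: List[Rule], traffic: List[dict]) -> List[Rule]:
    """Put the most frequently matched rules first; the default rule stays last.
    Only valid for disjoint rules: if two rules could match the same packet, swapping
    them changes the policy, not just its speed."""
    hits = Counter(evaluate(rules, p)[0] for p in traffic)
    specific = [r for r in rules if r[0] != "default"]
    default = [r for r in rules if r[0] == "default"]
    return sorted(specific, key=lambda r: -hits[r[0]]) + default


def constructed_traffic() -> List[dict]:
    # Constructed mix of 1000 packets: mostly web, some DNS, mail and SSH.
    mix = [("tcp", 80, 700), ("tcp", 443, 200), ("udp", 53, 50), ("tcp", 25, 30), ("tcp", 22, 20)]
    return [{"proto": proto, "dport": port} for proto, port, n in mix for _ in range(n)]


def policy_unchanged(a: List[Rule], b: List[Rule], traffic: List[dict]) -> bool:
    """Sanity check: both rule orders give every packet the same verdict."""
    return all(evaluate(a, p)[1] == evaluate(b, p)[1] for p in traffic)


if __name__ == "__main__":
    traffic = constructed_traffic()
    before = make_rules()
    after = reorder_by_hits(before, traffic)
    print("comparisons before:", total_cost(before, traffic))   # 4510
    print("comparisons after: ", total_cost(after, traffic))    # 1470
    print("order after:", [r[0] for r in after])
    print("same verdicts:", policy_unchanged(before, after, traffic))
```

On this mix the reorder cuts the comparisons by about two thirds while `policy_unchanged` confirms every packet still gets the same verdict. With overlapping rules (an anti-spoofing drop followed by a broad accept, for instance) that check would fail, and the drop has to stay in front regardless of how rarely it fires.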
Proxy Firewalls
Pass data between two separate connections, one on each side of the firewall. Types:
Circuit level proxy
Application proxy
Store and forward proxy
Higher latency and lower throughput
Circuit Level Proxy
Client connects to the relay host and requests a connection to the server
FW connects to the server
Server usually does not get details such as the IP address of the client
All IP tricks are stopped at the relay host:
Fragments, firewalking probes
Application Proxy
FW transfers only acceptable information between the two connections
The proxy can understand the protocol and filter the data within
Example: mail proxies
Usually store-and-forward
Caching Proxies
Client asks the firewall for a document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document
Can do data filtering.
More administration time, hardware, and cost
Network Address Translation (NAT)
Changes IP addresses in a packet
Address of the client inside never shows up outside
Many IPs inside to many static IPs outside
Many IPs inside to many random IPs outside
Many IPs inside to one IP address outside
Examples: Cisco PIX, Linux Masquerading, Firewall One, ipfilter
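The "many IPs inside to one IP address outside" case worked through, as an added example that is not code from the slides or from any of the products listed. Outbound packets are rewritten to carry the firewall's single public address and a fresh public port; a translation table maps replies back to the inside host; inbound packets that match no entry are dropped, so the inside addresses never appear outside. The addresses, the port range and the sample flows are constructed assumptions.

```python
# Added example, not code from the slides: the "many IPs inside to one IP address outside"
# form of NAT (what Linux calls masquerading). Outbound packets get the firewall's single
# public address and a fresh public port; the translation table maps the replies back;
# inbound packets with no table entry are dropped. Addresses and ports are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"      # constructed: the only address the outside ever sees


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class MasqueradingNAT:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port) -> public port
        self.out_map: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (inside ip, inside port)
        self.in_map: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside -> outside packet so the client's address never leaves."""
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(p.proto, port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; None means drop (no inside host asked for this)."""
        if p.dst != self.public_ip:
            return None
        inside = self.in_map.get((p.proto, p.dport))
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return replace(p, dst=inside_ip, dport=inside_port)

    def table(self) -> Dict[Tuple[str, int], Tuple[str, int]]:
        """Current translations, keyed by (proto, public port)."""
        return dict(self.in_map)


if __name__ == "__main__":
    nat = MasqueradingNAT()
    # Two inside hosts that happen to use the same source port: both leave as PUBLIC_IP,
    # distinguished only by the public port the NAT assigned.
    a = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.7", 80))
    print(a)   # src=203.0.113.1 sport=40000
    print(b)   # src=203.0.113.1 sport=40001
    print(nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 40001)))   # back to 10.0.0.6:51000
    print(nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 22)))      # None: unsolicited
```

The translation table is also a connection table, which is why this form of NAT behaves like a stateful filter for inbound traffic: nothing reaches an inside host unless that host sent something first. That is a side effect, not a policy, and it does not replace explicit filter rules.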
Logging
Cheap solution to most behavioral problems
Program logging: syslog / NT event log
Sniffers: TCPdump, SSLdump
Argus, Network General, HP OpenView
Down side: overhead intensive; does not prevent damage (more reactive than proactive)
Firewall Pitfalls
Single point of failure
Useful ones are difficult to configure and integrate
Performance requirements tend to create back doors
False sense of security
May be 40% protection against the top attacks
Where (cont'd)
DMZ
Neither internal nor external
Placed between the external router and the bastion host
Idea is to minimize the services and hence potential attacks
Example: for a web server, stop everything but HTTP
Multiple zones for increased availability/security
Distributed Firewalls (DFWs)
To avoid a single point of failure (SPOF)
To distribute risks
Better scalability
Trend to use sophisticated protocols: IPSec
Instead of IP headers, use authentication codes
Switched Firewalls (Air-gap Technology)
Recommended