Embed Size (px)
Citation preview
Firewalls
CS461/ECE422Spring 2012
Reading Material
• Text chapter 9• “Firewalls and Internet Security: Repelling the
Wily Hacker”, Cheswick, Bellovin, and Rubin.
Firewall Goal
• Insert after the fact security by wrapping or interposing a filter on network traffic
Inside Outside
Firewall Requirements
• All traffic between network section A and network section B (and visa versa) must pass through the firewall (or a consistently controlled set of firewalls)
• Only authorized traffic (as specified by the security policy) is allowed to pass
• The firewall itself is immune to penetration
“Typical” corporate network
Web ServerWeb Server
Mail forwardingMail forwarding
Mail serverMail server DNS (internal)DNS (internal)
DNS (DMZ)DNS (DMZ)
InternetInternet
File ServerFile Server
User machinesUser machinesUser machinesUser machinesUser machines
Web ServerWeb Server
DemilitarizedZone (DMZ)
IntranetFirewall
Firewall
Packet Filter Firewall
• Operates at Layer 3 in router or HW firewall• Has access to the Layer 3 header and Layer 4 header• Can block traffic based on source and destination
address, ports, and protocol• Does not reconstruct Layer 4 payload, so cannot do
reliable analysis of layer 4 or higher content
Rule Scenario
Example Packet Filter Rules
• Rules attached to outside interface
• Rules attached to inside interface
Action SourceAddr
Src port
Dest Addr Dest Port
Protocol Comment
Block Outside host * * * * Don’t trust
Allow * * Our Mail Server
25 Tcp Allow mail traffic
Action Source Addr
Source Port
Dest Addr Dest Port Protocol Comment
Block * * Outside host
* * Don’t trust
Allow Our Mail Server
25 * * Tcp Allow Mail traffic
Same Rules in iptables
• Rules in the filter table• -A FORWARD –p ip -s outside_host –j REJECT
-A FORWARD –p ip –d outside_host –j REJECT -A FORWARD –i outside –p tcp –d our_mail_server –m tcp --dport 25 –j ACCEPT-A FORWARD –i inside –p tcp –s our_mail_server –m tcp --sport 25 –j ACCEPT-A FORWARD –j REJECT
More Example Pack Filter Rules
• Rules attached to inside interface
• Rules attached to outside interface
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow * * * 25 TCP Allow traffic to all mail servers
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow * 25 * * TCP Allow return traffic from all mail servers
A Better Example
• Rules attached to inside interface
• Rules attached to outside interface
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Comment
Allow Inside networks
* * 25 TCP Allow traffic to all mail servers
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow * 25 Inside networks
* TCP ACK Allow return traffic from all mail servers
FTP Example• Rules attached to inside interface
• Rules attached to outside interface
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow Inside networks
* * 21 TCP Allow Control channel traffic out
Allow Inside networks
> 1024 * * TCP ACK Allow data traffic back
Action Source Addr
Source Port
Dest Addr
Dest Port
Proto Flags Comment
Allow * 21 Inside networks
* TCP ACK Allow return traffic for FTP control channel
Allow * * Inside networks
>1024 TCP Initiate data traffic
Stateful Inspection Firewall• Evolved as packet filters aimed for proxy functionality• In addition to Layer 3 reassembly, it can reconstruct layer 4 traffic• Some application layer analysis exists, e.g., for HTTP, FTP, H.323
– Called context-based access control (CBAC) on IOS– Configured by fixup command on PIX
• Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
• Reconstruction and analysis can be expensive. – Must be configured on specified traffic streams– At a minimum the user must tell the Firewall what kind of traffic to
expect on a port– Degree of reconstruction varies per platform, e.g. IOS does not do IP
reassembly
Circuit Firewall
• Actually creates two separate TCP connections– Completely reconstructs TCP connections– SOCKS is an example implementation
Example Stateful Rules
• Rules attached to outside interface
• Rules attached to inside interface
Action SourceAddr
Src port
Dest Addr Dest Port
Protocol Comment
Block Outside host * * * * Don’t trust
Allow * * Our Mail Server
25 Tcp Allow mail traffic
Action Source Addr
Source Port
Dest Addr Dest Port Protocol Comment
Block * * Outside host
* * Don’t trust
Same Rules in iptables
• Rules in the filter table• -A FORWARD –p ip -s outside_host –j REJECT
-A FORWARD –p ip –d outside_host –j REJECT -A FORWARD –m state --state ESTABLISHED, RELATED –j ACCEPT-A FORWARD –i outside –m state –state NEW –p tcp –d our_mail_server –m tcp --dport 25 –j ACCEPT-A FORWARD –j REJECT
Application Proxy Firewall
• Firewall software runs in application space on the firewall
• The traffic source must be aware of the proxy and add an additional header• Now transparent proxy support is available (TPROXY)
• Leverage basic network stack functionality to sanitize application level traffic– Block java or active X– Filter out “bad” URLs– Ensure well formed protocols or block suspect aspects of
protocol
Traffic reconstruction
X Y
FTP: X to YGET /etc/passwd
GET command causes firewall to dynamically
open data channel initiate from Y to X
Might have filter for files to block, like /etc/passwd
Ingress and Egress Filtering• Ingress filtering
– Filter out packets from invalid addresses before entering your network• Egress filtering
– Filter out packets from invalid addresses before leaving your network
Inside Outside
Owns network X
Egress FilteringBlock outgoing traffic not sourced from network X
Ingress FilteringBlock incoming traffic from
one of the set of invalid networks
Denial of Service
• Example attacks– Smurf Attack– TCP SYN Attack– Teardrop
• DoS general exploits resource limitations– Denial by Consumption– Denial by Disruption– Denial by Reservation
Teardrop Attack
• Send series of fragments that don't fit together– Poor stack implementations would crash– Early windows stacks
Offset 0, len 60
Offset 30, len 90
Offset 41, len 173
Address Translation
• Traditional NAT RFC 3022 Reference RFC• Map real address to alias address
– Real address associated with physical device, generally an unroutable address
– Alias address generally a routeable associated with the translation device
• Originally motivated by limited access to publicly routable IP addresses– Folks didn’t want to pay for addresses and/or hassle with getting
official addresses • Later folks said this also added security
– By hiding structure of internal network– Obscuring access to internal machines
• Adds complexity to firewall technology– Must dig around in data stream to rewrite references to IP addresses
and ports– Limits how quickly new protocols can be firewalled
Address Hiding (NAPT)
• Many to few dynamic mapping– Packets from a large pool of private addresses are mapped
to a small pool of public addresses at runtime• Port remapping makes this sharing more scalable
– Two real addresses can be rewritten to the same alias address
– Rewrite the source port to differentiate the streams• Traffic must be initiated from the real side • Called masquerading in iptables if the interface IP is
used for the alias address
NAT example
EnforcingDevice192.168.1.0/24
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from inside to DMZ192.168.1.5 to 128.274.1.5
inside
DMZ
outside
Src=192.168.1.100Dst=microsoft.com
Src=128.274.1.1Dst=microsoft.com
Static Mapping
• One-to-one fixed mapping– One real address is mapped to one alias address at
configuration time– Traffic can be initiated from either side
• Used to statically map out small set of servers from a network that is otherwise hidden
• Static port remapping is also available
NAT example
EnforcingDevice192.168.1.0/24
10.10.10.0/24
Internet
Hide from inside to outside192.168.1.0/24 behind 128.274.1.1
Static map from DMZ to Internet10.10.10.5 to 128.274.1.5
inside
DMZ
outside
Src=XDst=10.10.10.5
Src=XDst=128.274.1.5
Deployment
• Hardware Firewall– Buy firewall from vendor
• They provide software and hardware• Depending on cost, may include hardware accelerators
• Software Firewall on hardened bastion server– Buy software from vendor or use open source– Harden server to reduce attack surface
• Host-based firewall – Additional layer of defense for application server
• Personal firewall– Protect desktops/laptops from undesired probing
DMZ Network
Web ServerWeb Server
Mail forwardingMail forwarding
Mail serverMail server DNS (internal)DNS (internal)
DNS (DMZ)DNS (DMZ)
InternetInternet
File ServerFile Server
User machinesUser machinesUser machinesUser machinesUser machines
Web ServerWeb Server
DemilitarizedZone (DMZ)
IntranetFirewall
Firewall
VPN Network
Distributed Firewalls
Intrusion Prevention
• Discussed in the Intrusion Detection lecture• Enables more dynamic rules and access rules
that rely on more communication details– Can download new signatures or adapt anomaly
rules on a daily basis
Unified Threat Management (UTM)
• Firewalls at the border provide a nice point for analysis– Might as well perform other analysis as long as flows
have been tracked– Deploy one box instead of N boxes
• Additional actions could be– Virus scanning– URL filtering– IDS/IPS/anomaly detection– Spam filtering
Limits to firewalls
• Cannot analyze encrypted traffic– Beyond header information
• Everything is driven through port 80– Relies on port as indicator of service– Newer firewalls dynamically analyze traffic to determine
protocol• Cannot react to new attacks on protocols that must be
allowed– IPS can help
• Tracking IP addresses instead of people• Costs too much to manage firewalls
Summary
• Different types of firewalls for different needs– Packet filtering/stateful/application– Network/Host/personal
• Firewalls have been a stalwart element of network security for decades– Not the end all solution– But still beneficial
![Hal Abelson [1] Ross Anderson [2] Steven M. Bellovin [3](https://img.dokumen.tips/doc/110x75/629593db9dfeae128a50a6f3/hal-abelson-1-ross-anderson-2-steven-m-bellovin-3-.jpg)
