• Home

  • Documents

  • firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a...
15
Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu <[email protected]> 1

firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

Firewalls

StevenM.Bellovinhttps://www.cs.columbia.edu/~smb

Matsuzaki ‘maz’Yoshinobu<[email protected]>

1

Page 2: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

What’saFirewall?

• Abarrierbetween“us”andtheInternet• Alltraffic,inboundoroutbound,mustpassthroughit

• Firewallsenforcepolicy:onlycertaintrafficisallowedtoflow

2

Page 3: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

insideandoutside

2-3-4.firewalls 3

• “good”users• thesamesecuritypolicy

• bad/untrustedusers

Inside OutsideFirewall

Page 4: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

WhyUseFirewalls?

• Firewallsareascalable solution:youdon’thavetomanagemanyboxes

• Firewallsareunderyourcontrol• Usualpurpose:keepattackersawayfrombuggycodeonhosts

• Generallyspeaking,firewallsarenot networksecuritydevices;they’rethenetwork’sresponsetobuggy,insecurehosts– Asuitablyhardenedhostisn’thelpedmuchbyafirewall

4

Page 5: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

Policies

• Firewallscanenforcepoliciesatanylayerofthenetworkstack

• Accept/rejectMACaddresses,IPaddresses,portnumbers,variousformsofapplicationcontent,etc.

• Policiesreflectorganizationalneeds– Generalphilosophy:accept“safe”,necessary traffic;rejectallelse

7 Application

6 Presentation

5 Session

4 Transport

3 Network

2 Link

1 Physical

5

Page 6: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

FirewallsImplementPolicy• Ifyoudonothaveasecuritypolicy,afirewallcan’thelpyou– Firewallsarenotmagicsecuritydevices– Simplyhavingonedoesn’tprotectyou;whatmattersisthepolicytheyenforce

• Ifthereisnosinglepolicyfortheentirenetwork,afirewalldoesn’tdomuchgood– Example:ISPnetworkscan’tbefirewalled,becauseeverycustomerhasdifferentsecurityneedsandpolicies

– But—theISP’sowncomputerscanbefirewalled

6

Page 7: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

failuremodels

2-3-4.firewalls 7

Firewall

• “good”and“bad”users• exceptionsandcomplexpolicy

Inside Outside

otherinternetconnections

Page 8: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

SomeSamplePolicyRules

• AllowinboundTCPport25(SMTP)destinedforthemailhost

• BlockandlogoutboundTCPport25unlessit’sfromtheauthorizedmailhost

• AllowoutboundTCPports80or443or…

AllowoutboundTCPports80or443onlyfromthedesignatedwebproxy

8

Page 9: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

CraftingPolicyRules

• Acomplexprocess:mustbalancebusinessneedsagainstnetworkthreats– Bothareconstantlychanging– Generally,nosinglepersonknowsbothwell

• It’seasytogetitwrong;boththepolicyanditsimplementationcanhaveerrors

• Iterativeprocess:deployasetofrules,andwatchforerrorsandcomplaints– Checkyourlogfilesandflowrecords!

9

Page 10: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

Topology

• Threeclassesofnets:untrusted(theoutside),trusted,andsemi-trusted(DMZ=“DemilitarizedZone”)

• Servicehosts—mail,DNS,web,etc.—gointheDMZ– Mostlyprotectedfromthe

outside,butnotfullytrustedbecauseofoutsideexposure

10

Inside

DMZ

Internet

Page 11: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

ImplementingFirewalls• AnyrouterorLinux/BSDhostcanfilteratlayers3and4

• Therealtroublesarehigherup:emailedviruses,infectedPDFs,webpageswithJavascript thatexploitsbrowserbugs,andmore

• Someprotocols,e.g.,FTPandSIP,can’tbehandledjustatthelowerlayers,becausetheyrequireotherportstobeopenedupdynamically

• Must haveapplicationproxiesformanyprotocols;eitherrulesormechanismsmustbeabletodiverttraffictotheseproxies

11

Page 12: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

TheTroublewithFirewalls

• Thereistoomuchconnectivitythatdoesn’tfitthesimplemodel– Speciallinkstocustomers,suppliers,jointventurepartners,contractors,etc.

– Verymanyconnectionstotheoutside– Branchoffices– Laptopsandsmartphones!

• Differentthreatmodels• Theclassicmodelofthefirewalldoesn’tworkthatwellanymoreforlargeorganizations

12

Page 13: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

MobileDevices

• Bydefinition,mobiledevicessometimesliveoutsidethefirewall

• Thisisnecessaryifpeoplearetogettheirjobsdone

• Buttheyhavetohaveinsideconnectivity(oratleastsensitiveinsidedata),too

• Risk:devicescanbecompromisedwhenoutside,andbringtheinfectionhome

• Risk:devicescanbestolen

13

Page 14: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

FirewallsandThreatModels

• Firewallsgenerally(butnotalways)deflectunskilledhackers

• Opportunistichackersmayormaynotbekeptout;theycanoftenpenetrateasingleinsidehostandworkfromthere

• Disgruntledemployeesarealreadyontheinside• Intelligenceagencieswon’tbekeptoutbysimpleschemes– TheNSAreputedlyhascannedtoolstoattackcommoncommercialfirewalls

14

Page 15: firewalls - start [APNIC TRAINING WIKI] · Firewalls Implement Policy •If you do not have a security policy, a firewall can’t help you –Firewalls are not magic security devices

WhattoDo?

• Multiplelayersofdefense– Large,enterprisefirewalltoprotectthecompany,completewithcentralservicehosts

– Departmentalfirewallstoisolateprinters,fileservers,etc.

– Hardenedhosts,plusautomatedtoolstomaintainthem

– Lotsofloggingandmonitoring

15


Fortinet and Tufin Integrated Security Solution · PDF file 1 Fortinet and Tufin Integrated Security Solution Network Security Policy Orchestration for Fortinet Firewalls Fortinet

Fortinet and Tufin Integrated Security Solution · PDF file 1 Fortinet and Tufin Integrated Security Solution Network Security Policy Orchestration for Fortinet Firewalls Fortinet

Documents
Security Comparing network firewalls to web application firewalls

Security Comparing network firewalls to web application firewalls

Documents
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Documents
Cyber Security II, Network Security, Firewalls and VPNs ...infotech.armstrong.edu/katz/katz/syllabus/ITEC4200SylFall17.pdf · ITEC 4200 – Cyber Security II, Network Security, Firewalls

Cyber Security II, Network Security, Firewalls and VPNs ...infotech.armstrong.edu/katz/katz/syllabus/ITEC4200SylFall17.pdf · ITEC 4200 – Cyber Security II, Network Security, Firewalls

Documents
Firewalls Aren’t Just About Security - Cyberoam · PDF fileWhite paper Cyberoam UTM Firewalls Aren’t Just About Security ... applications for bandwidth. ways of looking at firewalls

Firewalls Aren’t Just About Security - Cyberoam · PDF fileWhite paper Cyberoam UTM Firewalls Aren’t Just About Security ... applications for bandwidth. ways of looking at firewalls

Documents
Security and Firewalls

Security and Firewalls

Documents
PA-3060 and PA-7080 Firewalls Non-Proprietary Security Policy · PA-3060 and PA-7080 Firewalls Non-Proprietary Security Policy Page 6 of 37 • Legacy firewall support: Support for

PA-3060 and PA-7080 Firewalls Non-Proprietary Security Policy · PA-3060 and PA-7080 Firewalls Non-Proprietary Security Policy Page 6 of 37 • Legacy firewall support: Support for

Documents
Network firewalls - IEEE Communications Magazinepeople.scs.carleton.ca/~soma/id/readings/bellovin-firewalls.pdf · Network Firewalls Computer security is a hard problem. Security

Network firewalls - IEEE Communications Magazinepeople.scs.carleton.ca/~soma/id/readings/bellovin-firewalls.pdf · Network Firewalls Computer security is a hard problem. Security

Documents
Network Firewall Security Auditing Firewalls. Module 1: Understanding Firewalls Firewall Architecture Overview

Network Firewall Security Auditing Firewalls. Module 1: Understanding Firewalls Firewall Architecture Overview

Documents
Guidelines on Firewalls and Firewall Policy

Guidelines on Firewalls and Firewall Policy

Documents
Security Initiative VLAN Firewalls

Security Initiative VLAN Firewalls

Documents
Network Security (NetSec) - Technische Universität · PDF fileChapter 3: Firewalls and Security Policies The 3 Security Components Network Firewalls The Story of Firewalls Placing

Network Security (NetSec) - Technische Universität · PDF fileChapter 3: Firewalls and Security Policies The 3 Security Components Network Firewalls The Story of Firewalls Placing

Documents
1 Chapter 13 – Network Security Password Protection Security Models Firewalls Security Protocols

1 Chapter 13 – Network Security Password Protection Security Models Firewalls Security Protocols

Documents
Dell Security Next-Generation Firewalls

Dell Security Next-Generation Firewalls

Documents
Network Security: Firewalls

Network Security: Firewalls

Documents
Network Security: Firewalls · Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013

Network Security: Firewalls · Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013

Documents
Network Security Policy Stateful Firewalls Isabelle/HOL

Network Security Policy Stateful Firewalls Isabelle/HOL

Documents
Network Security and Firewalls

Network Security and Firewalls

Documents
Network firewalls - IEEE Communications Magazine · PDF fileNetwork Firewalls Computer security is a hard problem. Security on networked computers is much harder. Firewalls (barriers

Network firewalls - IEEE Communications Magazine · PDF fileNetwork Firewalls Computer security is a hard problem. Security on networked computers is much harder. Firewalls (barriers

Documents
Usability and Security of Personal Firewalls

Usability and Security of Personal Firewalls

Documents
Wanstor Security Evaluating Enterprise Firewalls

Wanstor Security Evaluating Enterprise Firewalls

Documents
Internet Security Firewalls

Internet Security Firewalls

Documents
Network Security - Startseite TU Ilmenau · PDF fileNetwork Security (WS 2002): 13 – Internet Firewalls 3 © Dr.-Ing G. Schäfer Introduction to Network Firewalls (2)! What firewalls

Network Security - Startseite TU Ilmenau · PDF fileNetwork Security (WS 2002): 13 – Internet Firewalls 3 © Dr.-Ing G. Schäfer Introduction to Network Firewalls (2)! What firewalls

Documents
The Perfect Linux Security Firewalls

The Perfect Linux Security Firewalls

Technology
Network Security: Protocol Analysis, Firewalls

Network Security: Protocol Analysis, Firewalls

Documents
Layer 2 Transparent Firewalls - Cisco · Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S 3 Layer 2 Transparent Firewalls How to Configure Layer 2

Layer 2 Transparent Firewalls - Cisco · Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S 3 Layer 2 Transparent Firewalls How to Configure Layer 2

Documents
Firewalls and Internet Security, Second Edition

Firewalls and Internet Security, Second Edition

Documents
IUT– Network Security Course 1 Network Security Firewalls

IUT– Network Security Course 1 Network Security Firewalls

Documents
Network firewalls - IEEE Communications Magazinecourses.isi.jhu.edu/netsec/papers/network_firewalls.pdf · Network Firewalls Computer security is a hard problem. Security on networked

Network firewalls - IEEE Communications Magazinecourses.isi.jhu.edu/netsec/papers/network_firewalls.pdf · Network Firewalls Computer security is a hard problem. Security on networked

Documents
Network Security: Internet Worms and Firewalls

Network Security: Internet Worms and Firewalls

Documents