Pm Firewalls


  • 7/30/2019 Pm Firewalls

    Firewalling Techniques

    Prabhaker Mateti

  • ACK (acknowledgements)

    Not Linux specific.

    Some figures are from 3Com.


  • Components of the Firewall System

    Bastion host

    Packet-filtering router

    Application-level gateway (or proxy server)

    Circuit-level gateway

  • Dual Homed Gateway

    A system that has two or more network interfaces, each of which is connected to a different network.

    Acts to block or filter some or all of the traffic trying to pass between the networks.

  • Bastion Host

    Runs a general-purpose operating system hardened to resist attack.

  • Proxy Services

    Proxy servers on a bastion host can prohibit direct connections from the outside and reduce data-driven attacks.

  • Circuit Relay

    Determines if the connection is valid according to rules, opens a session, and permits traffic only from the allowed source and possibly only for a limited period of time.

    Whether a connection is valid is based upon:

    destination IP address and/or port

    source IP address and/or port

    time of day

    protocol

    user password

  • Demilitarized Zone (DMZ)

    A neutral zone between the private LAN and the public Internet.

    FTP servers, Web servers and the like are located in the DMZ.

  • Location of a Firewall

    (Figure; labels: Untrusted Network, Firewall, DMZ, Internal LAN, External LAN, www, SMTP.)

  • An Application Gateway: Problem

    Allow select internal users to telnet outside.

    Users authenticate themselves to create the telnet connection.

    A gateway used in this sense is different from a standard gateway.

  • An Application Gateway: Solution

    Router filter blocks all telnet connections not originating from the gateway.

    For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the two connections.

    (Figure; labels: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter.)

  • Packet Filtering Router

    (Figure.)

  • Packet Filtering Router

    Decides not only how, but whether a packet should be forwarded.

    Not the best choice when detailed protocol knowledge is required for the decision; a proxy may be a better choice.

    Lots of leverage, as all hosts behind it are protected.

    Can provide unique capabilities:

    Rejecting forged internal or external packets (address spoofing)

    Recognition of malformed packets

  • Packet-Filtering Router

    Service-Dependent Filtering

    Some typical filtering rules include:

    Permit incoming Telnet sessions only to a specific list of internal hosts

    Permit incoming FTP sessions only to specific internal hosts

    Permit all outbound Telnet sessions

    Permit all outbound FTP sessions

    Deny all incoming traffic from specific external networks

    Service-Independent Filtering

    Source IP Address Spoofing Attacks. Source Routing Attacks. Tiny Fragment Attacks. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1.

    Defining packet filters can be a complex task.

    Generally, the packet throughput of a router decreases as the number of filters increases.

  • Filtering by Service

    Characteristics of an internal-to-external telnet connection: source is inside, destination is outside, protocol is TCP, destination port 23, source port > 1023, first packet is an outbound SYN.

    Characteristics of external-to-internal are the opposite.

    Risk: trusting the port implies trusting the server on that port. Any service can be run from any port by root. One can telnet from port 23, for example.
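The rules on the last three slides, carried through as a small stateless filter. This is an added example, not code from the slides; the address ranges, host lists and the "ext"/"int" interface names are constructed. It applies the service-independent checks (spoofed internal source, tiny fragment, blocked network) before the port-based rules, and it admits return traffic from port 23 or 21 only when ACK is set, so that a bare SYN sent from port 23 (the risk noted on the "Filtering by Service" slide) is not mistaken for a reply.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site layout (assumed for this example, not taken from the slides).
INTERNAL = ip_network("10.0.0.0/8")            # hosts behind the router
TELNET_HOSTS = {ip_address("10.0.0.5")}         # may accept inbound telnet (tcp/23)
FTP_HOSTS = {ip_address("10.0.0.6")}            # may accept inbound ftp (tcp/21)
BLOCKED_NETS = [ip_network("203.0.113.0/24")]   # external network denied outright


@dataclass
class Packet:
    iface: str            # "ext" = arrived from the Internet, "int" = from the LAN
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # IP fragment offset (8-byte units); 0 = first fragment


def decide(p: Packet):
    """Return (permitted, reason) for one packet, checking rules in slide order."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Service-independent rules: addresses and IP-layer fields only.
    if p.iface == "ext" and src in INTERNAL:
        return False, "spoofed internal source address arriving from outside"
    if p.proto == "tcp" and p.frag_offset == 1:
        return False, "tiny fragment: offset 1 lands inside the TCP header"
    if any(src in net for net in BLOCKED_NETS):
        return False, "source is in a blocked external network"
    # Service-dependent rules keyed on TCP port numbers (telnet 23, ftp 21).
    inbound = p.iface == "ext" and dst in INTERNAL
    outbound = p.iface == "int" and src in INTERNAL and dst not in INTERNAL
    if p.proto == "tcp" and outbound and p.dport in (21, 23) and p.sport > 1023:
        return True, "outbound telnet/ftp session"
    if p.proto == "tcp" and inbound and p.sport in (21, 23) and p.dport > 1023 and p.ack:
        # ACK set = reply to a session opened from inside; a bare SYN from port 23
        # (the "telnet from port 23" risk) has no ACK and falls through to deny.
        return True, "reply to an outbound session"
    if p.proto == "tcp" and inbound and p.dport == 23:
        return (dst in TELNET_HOSTS), "inbound telnet checked against host list"
    if p.proto == "tcp" and inbound and p.dport == 21:
        return (dst in FTP_HOSTS), "inbound ftp checked against host list"
    return False, "no rule matched; default deny"
```

The filter is stateless, as on the slides: it never remembers that the outbound SYN was seen, which is exactly why the ACK bit has to stand in for connection state.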

  • Security Policy

    It is important to note that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network.

    The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

    This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training. All potential points of network attack must be protected with the same level of network security. Setting up an Internet firewall without a comprehensive security policy is like placing a steel door on a tent.

    [From a web based article]

  • Security Policy Describes a Perimeter Defense

    (Figure.)

  • A Connection Circumventing an Internet Firewall

    (Figure.)

  • Benefits of an Internet Firewall

    Without a firewall, each host system on the private network is exposed to attacks from other hosts on the Internet.

    Firewalls offer a convenient point where Internet security can be monitored and alarms generated.

    An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).

    An Internet firewall is the perfect point to audit or log Internet usage.

    An Internet firewall can also offer a central point of contact for information delivery service to customers.

  • Limitations of an Internet Firewall

    Creates a single point of failure.

    Cannot protect against attacks that do not go through the firewall.

    Cannot protect against the types of threats posed by traitors or unwitting users.

    Cannot protect against the transfer of virus-infected software or files.

    Cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is executed to launch an attack.

  • Limitations of Firewalls and Gateways

    IP spoofing: the router can't know if data really comes from the claimed source.

    If multiple applications need special treatment, each has its own application gateway.

    Client software must know how to contact the gateway; e.g., the proxy's IP address must be set in the Web browser.

    Tradeoff between the degree of communication with the outside world and the level of security.

    Performance problem.

  • Three Myths of Firewalls

    Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may set up their own backdoors, using modems, terminal servers, or such programs as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.

    Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the firewall can be considered trustworthy. This neglects the large number of computer crimes which are committed by insiders.

    Newly evolving systems are blurring the lines between data and executables more and more. With macros, JavaScript, Java, and other forms of executable fragments which can be embedded inside data, a security model which neglects this will leave you wide open to a wide range of attacks.