• Firewall Design Principles – Firewall Characteristics – Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides . Fall 2008 CS 334: Computer Security 1 Fall 2008 CS 334: Computer Security 2 • Systems provide many services by default • Effective means of protection a local – Many workstations provide remote access to system or network of systems from files and configuration databases (for ease of network-based security threats while management and file sharing) affording access to the outside world via – Even if configured only for specific users, they WANs or the Internet can sometimes be tricked into providing services they shouldn’t • Information systems undergo a steady evolution (from small LAN`s to Internet • E.g. missing bounds check in input parsers – Also, users sometimes forget to close connectivity) temporary holes • Strong security features for all • E.g. leaving file system remote mountable for file workstations and servers not established sharing Fall 2008 CS 334: Computer Security 3 Fall 2008 CS 334: Computer Security 4 • Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don’t • Which services? • The firewall is inserted between the – Finger premises network and the Internet – telnet: requires authentication, but password sent in clear • Aims: – rlogin: similar to telnet, but uses IP address based authentication (Bad!) – Establish a controlled link – ftp: Tricky because two connections, control channel – Protect the premises network from from sender, and data connection from receiver. (passive ftp has both sender originated) Internet-based attacks – X Windows – Provide a single choke point – ICMP Fall 2008 CS 334: Computer Security 5 Fall 2008 CS 334: Computer Security 6 1
• Four general techniques: • Design goals: – All traffic from inside to outside must pass • Service control through the firewall (physically blocking all – Determines the types of Internet access to the local network except via the services that can be accessed, inbound firewall) or outbound – Only authorized traffic (defined by the local security policy) will be allowed to pass • Direction control – The firewall itself is immune to penetration – Determines the direction in which (use of trusted system with a secure operating particular service requests are allowed system) to flow Fall 2008 CS 334: Computer Security 7 Fall 2008 CS 334: Computer Security 8 • Cannot protect against attacks that bypass the firewall • User control – E.g. an internal modem pool – Controls access to a service according to • Firewall does not protect against internal which user is attempting to access it threats • Behavior control • Firewall cannot protect against transfer of virus infected programs – Controls how particular services are used – Too many different apps and operating systems (e.g. filter e-mail) supported to make it practical to scan all incoming files for viruses Fall 2008 CS 334: Computer Security 9 Fall 2008 CS 334: Computer Security 10 • Three common types of Firewalls: • Packet-filtering Router – Packet-filtering routers – Application-level gateways – Circuit-level gateways – (Bastion host) Fall 2008 CS 334: Computer Security 11 Fall 2008 CS 334: Computer Security 12 2
• Packet-filtering Router • Advantages: – Simplicity – Applies a set of rules to each incoming IP packet and then forwards or discards – Transparency to users the packet – High speed – Filter packets going in both directions • Disadvantages: – The packet filter is typically set up as a – Difficulty of setting up packet filter rules list of rules based on matches to fields – Lack of Authentication in the IP or TCP header • Who really sent the packet? – Two default policies (discard or forward) Fall 2008 CS 334: Computer Security 13 Fall 2008 CS 334: Computer Security 14 • Can be clever: – Allow connections initiated from inside network to outside, but not initiated from outside. • Traffic flows both way, but if firewall only allows incoming packets with ACK set in TCP header, this manages the issue. • Problem: some apps require outside node to initiate connection with inside node (e.g. ftp, Xwindows), even if original request initiated by inside node. • Solution (sort of): allow packets from outside if they are connecting to high port number. Fall 2008 CS 334: Computer Security 15 Fall 2008 CS 334: Computer Security 16 • Changes filtering rules dynamically (by remembering what has happened in recent • Possible attacks and past) appropriate countermeasures • Example: Connection initiated from inside node S to outside IP address D. For short – IP address spoofing time allow incoming connections from D to • Discard packet with inside source appropriate ports (I.e. ftp port). address if it arrives on external • In practice, much more caution interface – Source routing attacks – Stateful filter notices the incoming port requested by S and only allows connections • Discard all source routed packets from D to that port. Requires parsing ftp control packets Fall 2008 CS 334: Computer Security 17 Fall 2008 CS 334: Computer Security 18 3
• Possible attacks and appropriate countermeasures • Application-level Gateway – Tiny fragment attacks • Intruder uses IP fragment option to create extremely small IP packets that force TCP header information into separate packet fragments • Discard all packets where protocol type is TCP and IP fragment offset is small Fall 2008 CS 334: Computer Security 19 Fall 2008 CS 334: Computer Security 20 • Advantages: • Application-level Gateway – Also called proxy server – Higher security than packet filters – Acts as a relay of application-level traffic – Only need to scrutinize a few allowable – Can act as router, but typically placed between applications two packet filtering firewalls (for total of – Easy to log and audit all incoming traffic three boxes) • Two firewalls are routers that refuse to forward • Disadvantages: anything from the global net that is not to gateway, and anything to global net that is not from gateway. – Additional processing overhead on each • Sometimes called a bastion host (we use connection (gateway as splice point) the term differently) Fall 2008 CS 334: Computer Security 21 Fall 2008 CS 334: Computer Security 22 • Circuit-level Gateway – Stand-alone system or • Circuit-level Gateway – Specialized function performed by an Application-level Gateway – Sets up two TCP connections – The gateway typically relays TCP segments from one connection to the other without examining the contents Fall 2008 CS 334: Computer Security 23 Fall 2008 CS 334: Computer Security 24 4
• Circuit-level Gateway • Bastion Host – The security function consists of determining which connections will be – A system identified by the firewall allowed administrator as a critical strong point in – Typically use is a situation in which the the network´s security system administrator trusts the internal – The bastion host serves as a platform users for an application-level or circuit-level gateway Fall 2008 CS 334: Computer Security 25 Fall 2008 CS 334: Computer Security 26 • Assume all bad guys are on outside, and everyone inside can be trusted. • In addition to the use of simple • Firewalls can be defeated if malicious code configuration of a single system can be injected into corporate network (single packet filtering router or – E.g. trick someone into launching an executable single gateway), more complex from an email message or into downloading something from the net. configurations are possible • Often make it difficult for legitimate • We won’t go into these users to get their work done. – Misconfiguration, failure to recognize new app Fall 2008 CS 334: Computer Security 27 Fall 2008 CS 334: Computer Security 28 • If firewall allows anything through, people figure out how to do what they need by • Chapman, D., and Zwicky, E. Building disguising their traffic as allowed traffic Internet Firewalls. O’Reilly, 1995 – E.g. file transfer by sending it through email. • Cheswick, W., and Bellovin, S. Firewalls and If size of emails limited, then user breaks them Internet Security: Repelling the Wily into chunks, etc. Hacker. Addison-Wesley, 2000 – Firewall friendly traffic (e.g. using http for other purposes) • Defeats effort of sysadmin to control traffic • Less efficient than not using http Fall 2008 CS 334: Computer Security 29 Fall 2008 CS 334: Computer Security 30 5
Recommend
More recommend
