CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 - - PowerPoint PPT Presentation

SLIDE 1

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 20 - Firewalls November 8, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07

SLIDE 2


Midterm

  • Grades (High is 83)
    – 77-94 -- A (4)
    – 71-75 -- B+/A- (7)
    – 64-69 -- B+/B (13)
    – 56-61 -- B/B- (7)
    – 54-55 -- C+ (2)
    – <50 -- D/F (2)
  • Impact
    – 20% of grade
    – Project and final to go -- more than 50% of grade

SLIDE 3


Some Questions

  • First 14: General basic concepts or lookup in slides or papers
    – Generally good
    – All were answered correctly by multiple people (Windows and TOCTTOU in Janus)
  • Questions 15-18
    – Generally good
    – 17: weak capability
    – 18: IDs in messages
    – Constructions: where points were lost

SLIDE 4


Questions 19-21

  • Capability and Crypto
    – E(K, obj+rights), HMAC(K, obj+rights)
    – E(K+, obj+rights), S(K-, obj+rights)
  • DH and Info Flow
    – DH was better
    – Info Flow -- not so prepared
  • Multics
    – Better than the other two
    – Main problem: ring of user shell vs. ring of passwd

SLIDE 5


Network Security …

  • This is a poorly understood engineering discipline.
  • The following looks at the application of tools …

SLIDE 6


Network security: the high bits

  • The network is …
    – … a collection of interconnected computers
    – … with resources that must be protected
    – … from unwanted inspection or modification
    – … while maintaining adequate quality of service.
  • Another way of seeing network security is
    – Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources are maintained.
  • Q: How do we do this?

SLIDE 7


The network …

[Figure: the network. Labels: Internet, LAN (perimeter), hosts/desktops, edge, server, remote hosts/servers]

SLIDE 8


The big picture ….

  • Internet Protocol (IP)
    – Really refers to a whole collection of protocols making up the vast majority of the Internet
  • Routing
    – How these packets move from place to place
  • Network management
    – Administrators have to maintain the services and infrastructure supporting everyone’s daily activities

SLIDE 9


Network security – the tools …

  • Filtering
    – Firewalls
  • Communication Security and Services
    – DNSsec, IPsec, SSH, ...
  • Isolation
    – VPNs, VLANs
  • Detection and mitigation
    – Intrusion detection
    – DDoS tools

SLIDE 10


Filtering: the threats

  • Adversary 1: some external network entity attempting to gain access to internal resources
  • Adversary 2: some internal, but malicious, entity (or software) trying to expose sensitive data
  • Adversary 3: some internal or external entity that is preventing access to internal resources (DoS)

SLIDE 11


Filtering: Firewalls

  • Filtering traffic based on policy
    – Policy determines what is acceptable traffic
  • Access control over traffic
    – Accept or deny
  • May perform other duties
    – Logging (forensics, SLA)
    – Flagging (intrusion detection)
    – QoS (differentiated services)

[Figure: protocol layers at which filtering can take place. Labels: Application, Network, Link]

SLIDE 12


Firewall Policy

  • Specifies what traffic is (not) allowed
  • Maps attributes to addresses and ports
  • Example: HTTP should be allowed to any external host, but inbound only to the web server

SLIDE 13


xListing

  • Blacklisting - specifying specific connectivity that is explicitly disallowed
    – E.g., prevent connections from badguys.com
  • Whitelisting - specifying specific connectivity that is explicitly allowed
    – E.g., allow connections from goodguys.com
  • These are useful for IP filtering, SPAM mitigation, …
  • Q: What access control policies do these represent?

SLIDE 14


Stateful, Proxy, and Transparent

  • A single packet contains insufficient data to make an access control decision
  • State allows historical context to be considered
    – Firewall collects data over time
    – E.g., TCP packet is part of an established session
  • Firewalls can affect network traffic
    – Transparent: appears as a single router (network layer)
    – Proxy: receives, interprets, and reinitiates communication (application layer)
  • Transparent is good for speed (routers), proxies are good for complex state (applications)
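The "TCP packet is part of an established session" point above, as an added Python model that is not part of the lecture: connection state is learned from outbound SYNs, so traffic arriving from outside is admitted only when it belongs to a session the firewall has already seen. Segment, StatefulFilter and the addresses in the test are constructed for this example; teardown is simplified to forgetting a session on the first FIN or RST.

```python
import ipaddress
from collections import namedtuple

# Constructed TCP segment: addresses, ports and the set of TCP flags that are set.
Segment = namedtuple("Segment", "src sport dst dport flags")

class StatefulFilter:
    """Stateless rule: a segment from the LAN that opens a connection (SYN only) is
    accepted. Stateful part: the connection's 4-tuple is remembered, so segments
    arriving from outside are accepted only when they belong to such a session."""

    def __init__(self, lan_cidr):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.sessions = set()  # (lan_ip, lan_port, remote_ip, remote_port) per open session

    def inspect(self, seg):
        outbound = ipaddress.ip_address(seg.src) in self.lan
        # Both directions map to the same key, so a reply finds the session it belongs to.
        key = ((seg.src, seg.sport, seg.dst, seg.dport) if outbound
               else (seg.dst, seg.dport, seg.src, seg.sport))
        if outbound and seg.flags == {"SYN"}:
            self.sessions.add(key)  # new connection initiated from inside
            return "ACCEPT"
        if key in self.sessions:  # historical context: part of an established session
            if seg.flags & {"FIN", "RST"}:  # simplified teardown: forget on first FIN/RST
                self.sessions.discard(key)
            return "ACCEPT"
        return "DROP"  # no context to allow it, which includes any inbound SYN
```

A stateless filter looking at the SYN/ACK reply alone could not tell it from an unsolicited inbound packet; the session table supplies that missing context.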

SLIDE 15


DMZ (De-militarized Zone)

[Figure: DMZ topology. Labels: Internet, LAN (servers), LAN]

SLIDE 16


Practical Issues and Limitations

  • Network layer firewalls are dominant
    – DMZs allow multi-tiered fire-walling
    – Tools are widely available and mature
    – Personal firewalls gaining popularity
  • Issues
    – Network perimeters not quite as clear as before
      • E.g., telecommuters, VPNs, wireless, …
    – Every access point must be protected
      • E.g., this is why war-dialing is effective
    – Hard to debug, maintain consistency and correctness
    – Often seen by non-security personnel as an impediment
      • E.g., Just open port X so I can use my wonder widget …
    – SOAP - why is this protocol an issue?

SLIDE 17


Wool’s Firewall Study

  • What is the purpose of this study?

SLIDE 18


Interesting tid-bits from the Wool study

  • 12 error classes
    – No default policy, automatic broad tools
    – NetBIOS (the very use of the Win protocol deemed an error)
    – Portmapper protocols
    – Use of “any” wildcards
    – Lack of egress rules
  • Interesting questions:
    – Is the violation of Wool’s errors really a problem?
    – “DNS attack” comment?
    – Why do you think more expensive firewalls had a higher occurrence of errors?
  • Take away: configurations are bad

SLIDE 19

CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger

Practical Firewall Implementations

  • Primary task is to filter packets
    – But systems and requirements are complex
  • Consider
    – All the protocols and services
    – Stateless vs. stateful firewalls
    – Network function: NAT, forwarding, etc.
  • Practical implementation: Linux iptables
    – http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
    – http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch-iptables.html

SLIDE 20


Netfilter hooks

  • Series of hooks in the Linux network protocol stack
  • At each Netfilter hook
    – An iptables rule set is evaluated
  • Hook placements

[Figure: hook placement in the stack. Labels: Preroute, Input, Forward, Postroute, Routing, Output]

SLIDE 21


iptables Concepts

  • Table
    – All the firewall rules
  • Chain
    – List of rules associated with the chain identifier
    – E.g., hook name
  • Match
    – When all of a rule’s fields match the packet (protocol-specific)
  • Target
    – Operation to execute on a packet given a match

SLIDE 22


iptables Commands

  • iptables [-t <table_name>] <cmd> <chain> <plist>
  • Commands
    – Append rule to end or specific location in chain
    – Delete a specific rule in a chain
    – Flush a chain
    – List a chain
    – Create a new user-specified chain
    – Replace a rule

SLIDE 23


Test it out

  • PING on localhost
    – ping -c 1 127.0.0.1
  • Add iptables rule to block
    – iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
  • Try ping
  • Delete the rule
    – iptables -D INPUT 1
    – iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
    – iptables -F INPUT

SLIDE 24


Testing

  • Use loopback to test the rules locally on your machine
    – IP address 127.0.0.1
  • ICMP
    – submit ping requests to 127.0.0.1 as above
  • TCP
    – submit requests to 127.0.0.1 at a specific port
    – server
      • nc -l -p 3750
      • listen at port 3750
    – client
      • nc -p 3000 localhost 3750
      • send from port 3000 to localhost at port 3750

SLIDE 25


iptables Rule Parameters

  • Destination/Source
    – IP address range and netmask
  • Protocol of packet
    – ICMP, TCP, etc.
  • Fragmented only
  • Incoming/outgoing interface
  • Target on rule match

SLIDE 26


Per Protocol Options

  • Specialized matching options for rules
    – Specific to protocol
  • TCP
    – Source/destination ports
    – SYN
    – TCP flags

SLIDE 27


Examples

  • iptables -A INPUT -s 200.200.200.2 -j ACCEPT
  • iptables -A INPUT -s 200.200.200.1 -j DROP
  • iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP
  • iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP
  • iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

SLIDE 28


Match content

  • Different means for matching packet content
  • Lots of different modules
    – Only a few supported on your Playpen (lucky you)
  • To specify a match
    – iptables -A INPUT -p tcp -m string --algo bm --string 'exe'
      • matches packets whose content contains 'exe'
    – iptables -A INPUT -p tcp -m length --length 10:100
      • matches packets with length between 10 and 100 bytes
      • Also, can specify 'greater than 10' by 10:
  • There are many others, but these are what you’ll need to know

SLIDE 29


Targets

  • Define what to do with the packet at this time
    – ACCEPT/DROP
    – QUEUE for user-space application
    – LOG any packet that matches
    – REJECT drops and returns an error packet
    – RETURN enables packet to return to previous chain
    – <user-specified> passes packet to that chain
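The chain, match and target concepts from the iptables slides, as an added Python model that is not the lecture's or netfilter's code: rules in a chain are tried in order and the first terminating match decides, LOG does not terminate, RETURN hands back to the calling chain, a user chain is entered like a call, and the chain policy applies when nothing matches. Packet, Rule, Firewall and the 10.0.0.80 web-server address are constructed for this example; example_firewall() loads the "Examples" slide's rules plus the "Firewall Policy" slide's inbound-HTTP rule.

```python
import ipaddress
from collections import namedtuple
# Constructed subset of the header fields an iptables rule can match on.
Packet = namedtuple("Packet", "src dst proto dport iface", defaults=("tcp", 0, "eth0"))

class Rule:
    def __init__(self, target, **spec):  # spec keys mirror -s / -d / -p / --dport / -i
        self.target, self.spec = target, spec  # ACCEPT, DROP, REJECT, LOG, RETURN or a chain
    def matches(self, p):  # every option the rule sets must match; -s/-d take a host or CIDR
        return all(ipaddress.ip_address(getattr(p, k)) in ipaddress.ip_network(v, strict=False)
                   if k in ("src", "dst") else getattr(p, k) == v
                   for k, v in self.spec.items())

class Firewall:
    def __init__(self, policy="DROP"):
        self.chains = {"INPUT": []}  # chain name -> ordered rules; append() is iptables -A
        self.policy = policy         # chain policy, used when no rule decides
        self.log = []                # what the LOG target would have written

    def append(self, chain, rule):
        self.chains.setdefault(chain, []).append(rule)
    def walk(self, chain, p):
        # First match wins. LOG does not terminate, RETURN goes back to the calling
        # chain, and a user-defined chain target is entered like a subroutine call.
        for r in self.chains.get(chain, []):
            if not r.matches(p):
                continue
            if r.target == "LOG":
                self.log.append(f"{chain}: {p.proto} {p.src} -> {p.dst}:{p.dport} on {p.iface}")
            elif r.target in ("ACCEPT", "DROP", "REJECT"):
                return r.target
            elif r.target == "RETURN":
                return None
            elif (v := self.walk(r.target, p)) is not None:
                return v
        return None

    def verdict(self, p):
        return self.walk("INPUT", p) or self.policy

def example_firewall():
    # The "Examples" slide's rules plus the "Firewall Policy" slide's inbound-HTTP rule;
    # 10.0.0.80 is constructed. Rule 2 shadows the slide's other -s 200.200.200.1 rules.
    fw = Firewall(policy="DROP")
    fw.append("INPUT", Rule("ACCEPT", src="200.200.200.2"))
    fw.append("INPUT", Rule("DROP", src="200.200.200.1"))
    fw.append("INPUT", Rule("LOG", proto="tcp", dport=23, iface="ppp0"))  # --dport telnet
    fw.append("INPUT", Rule("DROP", proto="tcp", dport=23, iface="ppp0"))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=80, dst="10.0.0.80"))
    return fw
```

Shadowing is the practical lesson: a host-wide DROP placed before a more specific rule makes the later rule dead, which is one reason firewall rule sets are hard to keep correct.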