Network Security Fundamentals Security Training Course Dr. Charles - - PowerPoint PPT Presentation

SLIDE 1

Network Security Fundamentals

Security Training Course

  • Dr. Charles J. Antonelli

The University of Michigan 2013

SLIDE 2

Network Security Fundamentals

Module 6 Firewalls & VPNs

SLIDE 3

Topics

  • Firewall Fundamentals
  • Case study: Linux iptables
  • Virtual Private Networks (VPNs)

3 04/13 cja 2013

slide-4
SLIDE 4

Firewalls

SLIDE 5

Firewalls

SLIDE 6

Firewalls

  • A firewall limits the extent to which hosts on different networks can interact with one another

SLIDE 7

Types of firewalls

  • Packet level
  • Application level
  • Host-based

SLIDE 8

Packet level firewalls

  • Firewall inspects incoming packets
  • Blocks packets violating policy rules
    • => packets dropped without acknowledgement
  • Rules allow blocking based on
    • Source and destination IP address
    • Source and destination port
    • Protocol, flags, TOS, …

SLIDE 9

Statelessness

  • Traditional packet level firewalls treated every packet independently
    • Stateless firewalling
  • Problem
    • Doesn’t relate packet information to overall packet flow
    • Doesn’t remember anything
    • Results in coarse-grained control
    • Forces overly liberal or conservative policies

SLIDE 10

Example

  • H.323 video streaming protocol
    • Initiates two TCP connections and several RTP (real-time transport protocol) streams
    • The RTP streams contain no information relating them to the H.323 application
  • How should a stateless firewall decide if these streams are to be blocked?

SLIDE 11

Example

  • IP Fragmentation
    • All but the first fragment don’t specify ports

SLIDE 12

Statefulness

  • Solution: firewall keeps state about recent packet flows
  • Decides to block packet based on packet contents plus stored state
    • More fine-grained control
    • Obviates application-level firewalls
  • Problem
    • All that state consumes firewall resources

SLIDE 13

Canonical firewalled network

SLIDE 14

Zones

Collection of networks with specified security properties

  • Perimeter
  • DMZ
  • Wireless
  • Intranet

SLIDE 15

Perimeter zone

The outside world

  • Untrusted zone
  • No control over hosts in this zone
  • Internet rules

SLIDE 16

DMZ

Demilitarized zone

  • Contains an organization’s publicly visible services (email, Web, DNS, FTP, …)

  • Hardened hosts
  • Proxies
  • Semi-trusted zone

SLIDE 17

Intranet zone

  • Most trusted zone
  • Organizational assets placed here
  • Access blocked from untrusted zones
  • Access via proxies in the DMZ only

SLIDE 18

Wireless zone

A perimeter zone!

  • Untrusted hosts
  • Semi-trusted network

SLIDE 19

Application-level firewalls

Application proxy server

  • Accepts client traffic
  • Maintains state, validates traffic
  • Passes validated traffic to server

SLIDE 20

Application-level firewalls

  • Firewall worries about security
    • Obviates security-related server changes
    • Hampers defense-in-depth
  • Firewall must understand application protocol
    • Increased complexity
  • Stateful packet-level firewalls are an alternative

SLIDE 21

Host-based firewalls

  • Firewall run on individual hosts
    • Placed between incoming packets and the host network stack
  • Acts like a packet-level firewall

SLIDE 22

Host-based firewalls

  • Each host requires policy management
    • Administration headache
    • Simple default policies in distributions
  • Defense-in-depth

SLIDE 23

References

  • The Tao of Network Security Monitoring, Richard Bejtlich, Addison-Wesley, 2005. ISBN 0-321-24677-2
  • Information Security Illuminated, Michael G. Solomon and Mike Chapple, Jones and Bartlett, 2005.
  • http://en.wikipedia.org/wiki/Firewall_(computing) (accessed March 2013)

SLIDE 24

iptables

SLIDE 25

IP Tables

  • Linux packet-level firewall
    • Successor to IP Chains
    • NAT/NAPT support
    • Extended functionality via modules
    • Stateful filter support
  • Applications
    • Host based firewall
    • Stateful packet firewall
      (set net.ipv4.ip_forward=1 in /etc/sysctl.conf to enable forwarding)

SLIDE 26

IP Tables Architecture

  • Three tables for organization
    • filter, nat, mangle
  • Each table contains several chains
    • built-in (invoked at fixed points in network layer)
    • user-defined
  • Each chain contains several rules
    • first rule matched determines action taken
  • Each rule contains matching criteria and target
  • Built-in chains have policies
    • specifies default target if no rule in chain matches

SLIDE 27

Rules

  • (Standard) matching criteria
    • protocol
    • source IP (address/mask)
    • dest IP (address/mask)
    • port (source/dest/both)
    • interface (input/output)
  • Target

SLIDE 28

Rules

  • Extended matching criteria
    • Implemented via modules
  • Connection state matching
    • INVALID: packet not associated with any connection
    • NEW: packet is starting a new connection
    • ESTABLISHED: packet is associated with existing connection
    • RELATED: packet is starting a new connection, but is associated with an existing connection
      » FTP DATA, ICMP error
  • Several other extended matching criteria

SLIDE 29

Predefined targets

  • All terminate processing in this chain for this packet
    • ACCEPT: accept packet for processing
    • DROP: drop packet
    • QUEUE: pass packet to userland (not common)
    • RETURN: return to calling chain (use policy if no calling chain)

SLIDE 30

Extended targets

  • Both terminating and non-terminating targets
    • REJECT (terminating): return packet indicating error
    • LOG (non-terminating): generate log entry

SLIDE 31

filter table

  • Default table
  • Built-in chains
    • INPUT: incoming network packets
    • FORWARD: packets being routed by the host
    • OUTPUT: locally-generated packets output to network

SLIDE 32

nat table

  • For network address translation
  • Built-in chains
    • PREROUTING (DNAT): alter packets as they arrive
    • OUTPUT: alter locally-generated packets before routing
    • POSTROUTING (SNAT): alter packets as they depart

SLIDE 33

mangle table

  • For specialized packet changes
    • change TOS/DSCP header
    • set netfilter mark value
  • Built-in chains
    • PREROUTING
    • INPUT
    • OUTPUT
    • FORWARD
    • POSTROUTING

SLIDE 34

Firewall traversal

[Diagram: packet traversal through the netfilter hooks: Prerouting, routing decision, Input (local delivery), Output (locally generated), Forward, Postrouting]
SLIDE 35

Firewall Traversal

[Diagram: firewall traversal, credited to Rob Mayoff]
SLIDE 36

Some caveats

  • iptables and ipchains don’t mix
  • rule additions are atomic
    • … rule set additions are not
  • avoid leaving firewall open while editing
    • … use DROP, DENY, REJECT policies
  • policy actions do not log
  • rules are not removed when an interface goes down
  • raw sockets are unaffected by rules
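The following script is an added example, not part of the course slides. It ties together the statefulness discussion (slides 9-12), the iptables architecture (slides 26-31) and the caveats above: it generates a stateful host-firewall rule set in the text format that iptables-restore reads, with a DROP policy on INPUT and FORWARD, connection-state matching so that only replies to established flows and new connections to one service are accepted, and a rate-limited LOG rule just before the policy applies (since policy actions themselves do not log). Nothing here changes kernel state; the text is printed for review. The single inbound service (SSH on TCP/22, overridable) and the use of the conntrack match module are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the course slides): emit a stateful host-firewall
# rule set in iptables-restore format. Nothing here touches the kernel; the
# text is printed so it can be reviewed and then loaded in one step.
# Assumptions: a single host, one inbound service (SSH on TCP/22 by default),
# and the conntrack match module is available.

# gen_ruleset [PORT] -> prints the rule set for the filter table
gen_ruleset() {
  ssh_port="${1:-22}"          # inbound service port (assumption: SSH)
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# count_state_rules [PORT] -> number of rules that use connection-state
# matching; a sanity check on the generated text
count_state_rules() {
  gen_ruleset "$1" | grep -c -- "--ctstate"
}

# Print the rule set; on a host it would be saved and loaded with
#   gen_ruleset 22 > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_ruleset 22
```

Loading the whole file with iptables-restore replaces the table in one step, which avoids the window that appending rules one at a time with iptables -A or -I leaves open; the INVALID rule drops packets that the connection tracker cannot associate with any flow, and the LOG rule is rate limited so a flood does not fill the log.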

SLIDE 37

iptables lab

  • Examine iptables man page
    • man iptables
  • Examine existing firewall settings
    • sudo service iptables status
    • sudo iptables -L
  • Add firewall rules
    • sudo iptables -I …
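As an added example for the "examine existing firewall settings" step (not part of the course lab), the script below audits the output of iptables -L -n instead of just reading it: it extracts the default policy of each built-in filter chain, lists the INPUT and FORWARD chains whose policy is ACCEPT (open by default, the situation the caveats slide warns about), and checks whether INPUT has a rule accepting ESTABLISHED traffic. The listing is a constructed sample in the format iptables -L -n prints; on a real host it would be replaced by the live command output.

```shell
#!/bin/sh
# Added example (not part of the course lab): audit the built-in filter
# chains from `iptables -L -n` output. The listing below is constructed
# sample output (assumption: a host with a permissive INPUT policy).

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy LISTING CHAIN -> prints the default policy of CHAIN
chain_policy() {
  printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p"
}

# open_chains LISTING -> prints the names of INPUT/FORWARD chains whose
# default policy is ACCEPT, one per line (empty output = nothing open)
open_chains() {
  for chain in INPUT FORWARD; do
    if [ "$(chain_policy "$1" "$chain")" = "ACCEPT" ]; then
      echo "$chain"
    fi
  done
}

# has_state_rule LISTING -> exit 0 if the INPUT chain contains a rule
# matching ESTABLISHED connections, non-zero otherwise
has_state_rule() {
  printf '%s\n' "$1" | sed -n '/^Chain INPUT/,/^$/p' | grep -q 'ESTABLISHED'
}

# On a live host: open_chains "$(sudo iptables -L -n)"
open_chains "$SAMPLE_LISTING"
```

With the sample listing the audit reports INPUT as open, because a policy of ACCEPT means anything not matched by a rule is let in; the ESTABLISHED rule is then only a convenience, not the control it would be under a DROP policy.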

SLIDE 38

Virtual Private Networks (VPNs)

SLIDE 39

Roadmap

  • Definition
  • VPN Uses
  • Types of VPNs
  • Protocol Details

SLIDE 40

Definition

A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines. A VPN uses encryption to authenticate the communications endpoints and to secure your data as it travels over an insecure network.

SLIDE 41

VPN motivators

  • Confidentiality, Integrity & Authentication
    • Encryption
  • Bypass blocks
    • Border
    • Local ISP
  • Extends the office network
    • VoIP
    • Drive mapping
    • Collaboration
  • Enabling technology

SLIDE 42

Some VPNs

  • Protocol
    • IPSec: standards-based, varied encryption levels, flexible
    • SSL: clientless (Web browser)
  • Application
    • SSH

VPN is not a single solution

SLIDE 43

IPSec Details

IPSec protocol

  • Internet Standard
  • Two complementary protocols
    • Authentication Headers (AH): prevents tampering with packet headers
    • Encapsulating Security Protocol (ESP): provides confidentiality and integrity of packet contents

SLIDE 44

IPSec Details – AH (Protocol 51)

  • AH Transport – Used to authenticate the integrity of the datagram
    • All authenticated (except mutable fields, e.g., TTL)

As the entire packet is authenticated, there are some limitations. If using NAT or a firewall where a gateway changes your address, then the packet will fail to authenticate at the far end as the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be considered the endpoint.

[Diagram: AH transport-mode packet layout: IP Header (with options) | AH | Transport Layer Header | Transport Layer Data]

SLIDE 45

IPSec Details – ESP (Protocol 50)

  • Encapsulation Security Payload
  • ESP will encrypt the payload so that it is private as it passes through the network
  • As you can note, the ESP authentication does not authenticate the IP header, so this does not have a problem with working behind NAT.

[Diagram: ESP transport-mode packet layout: IP Header (with options) | ESP Header | Transport Layer Header | Transport Layer Data | ESP Trailer | ESP Authentication; the Transport Layer Header through the ESP Trailer is encrypted, and the ESP Header through the ESP Trailer is authenticated]

SLIDE 46

Logical Connection to VPN Concentrator

[Diagram: a remote-access client (split tunnel) reaches a Cisco 3030 VPN concentrator across the public network; concentrator addresses 141.211.255.196 and 192.168.4.6, client address pool 192.168.4.10 – 192.168.7.249; a wireless user (non-split tunnel) with pool 141.211.12.10 – 141.211.12.250; an internal server on the UM backbone; labels "Tunneled" and "Yahoo" mark the tunneled path and an Internet destination]