1prof. dr. stefan fischerteleseminar nice-mannheim tue sept 25 th, 2001 teleseminar nice-mannheim...

Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001

1

Teleseminar Nice-Mannheim

Firewalls

Tuesday, September 25th, 2001


2

Overview

• Motivation: – Security threats for a network– Typical attacks on a computer

• Firewalls as a solution– Properties of firewalls– Firewall components

• Packet filter

• Gateway

• Bastion Host

– Firewall configurations– Available software solutions

• Additional Security Measures


3

Motivation

• There are lots of benefits in connecting a network to the Internet – we all know them!

• HOWEVER: access is always bi-directional• Outsiders are typically able to access

resources of the organizational network• Sometimes, this might

be desired – example?• Often, it is a problem.

Internet


4

Typical Outsider Attacks

• Denial-of-Service Attacks – make a host unusable– Example: TCP SYN flooding

• Distributed DoS Attack – massive DoS• Spoofing (IP/DNS) – fake source addresses• Smurf and Fraggle Attacks – indirect DoS via ICMP or UDP

echo reply• Ping of Death – send IP packets which are too big and lead to a

buffer overflow and thus a shutdown of the machine• Worms – use security holes to get into a system, then duplicate

and try to access other systems• Trojan Horses – claim to provide useful functions, but have

some malicious code run in the background• Simple Password Guessing


5

DNS Spoofing

• Basically, DNS is a distributed database of symbolic names and corresponding IP addresses.

• For efficiency reasons, DNS answers are stored in a cache for later re-use.

• Distribution and caching are weaknesses that can be exploited for spoofing.


6

Example: DNS Spoofing

Name ServerDomain X

Name ServerDomain Y

www.y.dein Domain Y

Attacker A

Computer C

134.136.12.1 134.136.12.17

137.1.1.1ftp.y.de?

Attacker first finds outthe address of Y’s

name server (by an iterative query).

ask 134.136.12.1!

TCP SYN()

TCP SYN()

TCP SYN()

TCP SYN()

SYN flooding toavoid name server’s

response

www.y.de?

Now, ask for thetarget host.www.y.de?

Name server of Xasks name server

of Y. But the latter cannot answer!

www.y.de = 137.1.1.1

A answers instead of Yand sends his own IPaddress as an answer.This answer is cached

by X.

www.y.de = 137.1.1.1

www.y.de

www.y.de=137.1.1.1

Now, if C asks forwww.y.de, it receives

the cached answer.

C now connects toA who could act asa proxy to the realhost in order to get

user-id and password.


7

Efficient Security Measures

• Educate your users!• Use the newest protocol versions• Use authentication• Protect your systems

– No protection at all– Protection by obscuration– Protecting single systems– Protecting the whole network

– Comments? Which one? More than one?


8

Firewalls

• Firewalls are often compared to the protection measures of amedieval castle:– entry at one point– avoid that attackers

come close to protectedthings

– system can only be left at one point

• The job of a firewall is to protect a whole network.


9

Firewall Placement and Task

• Firewalls are placed between the own intranet and the global Internet

• The complete traffic between the two networks is running through the firewall.

• The firewall only admits acceptable traffic.• What acceptable means is defined by the

security policy.


10

Firewall Properties

• A firewall allows – To concentrate all

security measures onto one point in the network,

– To support the company’s security policy,

– To log all Internet activity.– To protect internal

networks against each other.

• It cannot– protect against malicious

insiders,– protect against traffic not

running through it (modem),

– protect against unknown threats,

– protect against viruses


11

Firewall Components

• The logical device “firewall” usually consists of physically separate devices. The following devices are available:

– packet filters– application gateways– Connection gateways


12

Packet Filters

• As can be told from the name, a packet filter decides which incoming packets to forward and which to drop.

• Packet filters work in both directions!• Basically, a packet filter is a router with

additional capabilities:– Router: How do it forward the packet?– Filter: Do I forward the packet at all, and if so,

how?

• Can be implemented on a dedicated router or on a normal PC/workstation (in software)


13

Filter Architecture

Internet Intranet

PacketFilter


14

Filtering Decisions

• The decision whether to let a packet pass or not is based on protocol information:– source address– destination address– application protocols to be used

• It can not be based on application data - a filter does not understand the semantics.


15

Capabilities of Packet Filters

• They can inhibit an outsider’s access to an application like telnet to avoid his/her logging on to an inside computer.

• They can allow any outsider to send email into the intranet.

• They can allow a certain machine to send NNTP data to a certain inside machine, and disallow it for all others.

• They cannot prevent only certain users from logging in to an inside machine and allow it for others.

• They cannot allow or forbid to transfer certain files from inside to outside. Packet filters do not have a notion of “file”.


16

Advantages/Disadvantages

• A single filter can protect a complete network when configured accordingly.

• To access network services, no special knowledge is required on the users’s side - it works or it does not …

• Most commercial routers can be easily configured for packet filtering.

• Packet filter configuration often is a complex task and thus leads to mistakes.

• Low protocol level only allows for coarse-grained filtering of packets.

• When a packet filter fails to work, the whole network is unprotected - protection is based on proper functioning of the device.


17

Filter Rules

• Filter rules define which packets are allowed to pass.

• When a packet arrives, the rules are checked one after the other. A soon as one applies, it is executed, and as a result, the packet is forwarded or dropped.

• The last rule either is: – What is not forbidden is allowed or– What is not allowed is forbidden.


18

Gateways

• Gateways are placed on a higher level in the protocol architecture (application layer).

• They provide access to network services– either by forwarding packets from a client to a

server on TCP level (connection level gateway, 2 TCP connections)

– or by providing specific application login facilities on a host (application gateway/proxy server)

• Packets are checked before they are forwarded.


19

Proxy Server Architecture

Client Server

Proxy

The client’s illusion

The server’s illusion

Real communication


20

How a Proxy Works

Telnetclient

Proxyserver

Proxyclient

Real telnetserver

client proxy server

Internalcommunication

Proxies run on specificMachines, so-called

Bastion Hosts.


21

Bastion Hosts

• Bastion hosts are those machines that are exposed to the Internet without being protected by the firewall (maybe by a packet filter).

• It is mostly used to run proxies.• In order to make it secure, it should be as

simple as possible (no unnecessary services, programs and files).

• Do not trust the bastion host completely!


22

Characteristics• Use well-tested operating systems (UNIX).

– Well-known security mechanisms must be available.

– Administrator must be familiar with it.

• Do not use high-end machine:– Performance is not determined by CPU, but by

line capacity.– The slower the machine, the more inconvenient for

an attacker.

• Memory and swap is important.


23

Advantages of Proxies

• Allow direct Internet access without visible indirection.

• Allowing and forbidding actions is much more fine-grained since it is on the application level.– Example: ftp proxy could allow reads but forbid

writes

• Logging activities is simple.• If the proxy fails, security is still protected - it

is based on a running device.


24

Disadvantages

• Proxy software is still unavailable or not well-tested for many new services (http).

• Each service needs another proxy.• Client and server programs must be modified.• Data itself cannot be checked - proxies do not

understand file formats etc.


25

Firewall Configurations

• Firewalls do not necessarily consist of only one of the above components.

• There is a number of configurations that make sense.

• Most important:– screened host– dual-homed host– screened subnet


26

Screened Host Architecture

• Here, the bastion host has only one network connection (the Intranet).

• Firewall functionality is assured by additional router/packet filter.

• The filter only admits packets that are addressed to the bastion host (or reroutes them).


27

Screened Host Architecture

Internet

Bastion Host

Packet Filter

Web Server

Connection to „normal“ host: only

via bastion host

Connection to web server: can

be direct


28

Dual-Homed Host

Internet

WebServerBastion

Host

PacketFilter


29

Characteristics

• Very flexible control (up to forbidding any communication between intranet and Internet)

• Two possibilities– install proxy servers– allow user accounts on the host

• Additional level of security: in order to get into internal network, attack has to pass filter and bastion host


30

Screened Subnet

• introduces one more security layer with a perimeter network

• bastion host is placed into this network and thus has no easy access to intranet

• two routers are necessary


31

ArchitectureInternet

Bastion Host

Packet Filter

Packet Filter

Web Server


32

Software Solutions

• Squid– The standard Linux application gateway, relatively complex

configuration

• SOCKS:– Probably best-known application gateway

• ipchains: – a Linux packet filter in the kernel

• SuSEfirewall:– Relatively complex packet filter in SuSE Linux

• Personal-firewall:– Easy-to-configure SuSE Linux packet filter: allow

connections to the Internet, but no connections from outside


33

Additional Security Measures

• Network Address Translation• IP Masquerading• Virtual Private Networks


34

IP Masquerading/NAT

• Idea: don‘t expose the structure of the internal net to the outside

• Internal net has only one official IP address• All internal addresses are so-called private

addresses (e.g. 192.168.23.13) and are not known to the outside

• NAT-Router maps the internal private addresses to a combination of the external address and a port number

• Connections from outside to inside are impossible


35

VPNs

• Problem: a firewall restricts access for outsiders to internal resources

• What about telecommuters etc, i.e. people who are logically insiders, but physically outisders?

• Solution: Virtual Private Networks• Idea: use authentication and encryption to

allow secure access to internal resources• Possible implementations: IPsec, ssh,

Microsoft‘s PPTP, ...


36

Bibliography

• S. Fischer, U. Walther: Linux Netzwerke, SuSE Press, 2000.

• W. Stallings: Network Security Essentials, Prentice Hall, 2000.

• D. Chapman, E. Zwicky: Building Internet Firewalls, O‘Reilly, 1995.

• R. Oppliger: Internet and Intranet Security, Artech House, 1997.

• ... and Clifford Stoll: Cuckoo‘s Egg – for fun

1prof. dr. stefan fischerteleseminar nice-mannheim tue sept 25 th, 2001 teleseminar nice-mannheim...

Documents