1prof. dr. stefan fischerteleseminar nice-mannheim tue sept 25 th, 2001 teleseminar nice-mannheim...
Post on 19-Dec-2015
221 views
TRANSCRIPT
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
1
Teleseminar Nice-Mannheim
Firewalls
Tuesday, September 25th, 2001
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
2
Overview
• Motivation: – Security threats for a network– Typical attacks on a computer
• Firewalls as a solution– Properties of firewalls– Firewall components
• Packet filter
• Gateway
• Bastion Host
– Firewall configurations– Available software solutions
• Additional Security Measures
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
3
Motivation
• There are lots of benefits in connecting a network to the Internet – we all know them!
• HOWEVER: access is always bi-directional• Outsiders are typically able to access
resources of the organizational network• Sometimes, this might
be desired – example?• Often, it is a problem.
Internet
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
4
Typical Outsider Attacks
• Denial-of-Service Attacks – make a host unusable– Example: TCP SYN flooding
• Distributed DoS Attack – massive DoS• Spoofing (IP/DNS) – fake source addresses• Smurf and Fraggle Attacks – indirect DoS via ICMP or UDP
echo reply• Ping of Death – send IP packets which are too big and lead to a
buffer overflow and thus a shutdown of the machine• Worms – use security holes to get into a system, then duplicate
and try to access other systems• Trojan Horses – claim to provide useful functions, but have
some malicious code run in the background• Simple Password Guessing
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
5
DNS Spoofing
• Basically, DNS is a distributed database of symbolic names and corresponding IP addresses.
• For efficiency reasons, DNS answers are stored in a cache for later re-use.
• Distribution and caching are weaknesses that can be exploited for spoofing.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
6
Example: DNS Spoofing
Name ServerDomain X
Name ServerDomain Y
www.y.dein Domain Y
Attacker A
Computer C
134.136.12.1 134.136.12.17
137.1.1.1ftp.y.de?
Attacker first finds outthe address of Y’s
name server (by an iterative query).
ask 134.136.12.1!
TCP SYN()
TCP SYN()
TCP SYN()
TCP SYN()
SYN flooding toavoid name server’s
response
www.y.de?
Now, ask for thetarget host.www.y.de?
Name server of Xasks name server
of Y. But the latter cannot answer!
www.y.de = 137.1.1.1
A answers instead of Yand sends his own IPaddress as an answer.This answer is cached
by X.
www.y.de = 137.1.1.1
www.y.de
www.y.de=137.1.1.1
Now, if C asks forwww.y.de, it receives
the cached answer.
C now connects toA who could act asa proxy to the realhost in order to get
user-id and password.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
7
Efficient Security Measures
• Educate your users!• Use the newest protocol versions• Use authentication• Protect your systems
– No protection at all– Protection by obscuration– Protecting single systems– Protecting the whole network
– Comments? Which one? More than one?
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
8
Firewalls
• Firewalls are often compared to the protection measures of amedieval castle:– entry at one point– avoid that attackers
come close to protectedthings
– system can only be left at one point
• The job of a firewall is to protect a whole network.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
9
Firewall Placement and Task
• Firewalls are placed between the own intranet and the global Internet
• The complete traffic between the two networks is running through the firewall.
• The firewall only admits acceptable traffic.• What acceptable means is defined by the
security policy.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
10
Firewall Properties
• A firewall allows – To concentrate all
security measures onto one point in the network,
– To support the company’s security policy,
– To log all Internet activity.– To protect internal
networks against each other.
• It cannot– protect against malicious
insiders,– protect against traffic not
running through it (modem),
– protect against unknown threats,
– protect against viruses
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
11
Firewall Components
• The logical device “firewall” usually consists of physically separate devices. The following devices are available:
– packet filters– application gateways– Connection gateways
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
12
Packet Filters
• As can be told from the name, a packet filter decides which incoming packets to forward and which to drop.
• Packet filters work in both directions!• Basically, a packet filter is a router with
additional capabilities:– Router: How do it forward the packet?– Filter: Do I forward the packet at all, and if so,
how?
• Can be implemented on a dedicated router or on a normal PC/workstation (in software)
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
13
Filter Architecture
Internet Intranet
PacketFilter
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
14
Filtering Decisions
• The decision whether to let a packet pass or not is based on protocol information:– source address– destination address– application protocols to be used
• It can not be based on application data - a filter does not understand the semantics.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
15
Capabilities of Packet Filters
• They can inhibit an outsider’s access to an application like telnet to avoid his/her logging on to an inside computer.
• They can allow any outsider to send email into the intranet.
• They can allow a certain machine to send NNTP data to a certain inside machine, and disallow it for all others.
• They cannot prevent only certain users from logging in to an inside machine and allow it for others.
• They cannot allow or forbid to transfer certain files from inside to outside. Packet filters do not have a notion of “file”.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
16
Advantages/Disadvantages
• A single filter can protect a complete network when configured accordingly.
• To access network services, no special knowledge is required on the users’s side - it works or it does not …
• Most commercial routers can be easily configured for packet filtering.
• Packet filter configuration often is a complex task and thus leads to mistakes.
• Low protocol level only allows for coarse-grained filtering of packets.
• When a packet filter fails to work, the whole network is unprotected - protection is based on proper functioning of the device.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
17
Filter Rules
• Filter rules define which packets are allowed to pass.
• When a packet arrives, the rules are checked one after the other. A soon as one applies, it is executed, and as a result, the packet is forwarded or dropped.
• The last rule either is: – What is not forbidden is allowed or– What is not allowed is forbidden.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
18
Gateways
• Gateways are placed on a higher level in the protocol architecture (application layer).
• They provide access to network services– either by forwarding packets from a client to a
server on TCP level (connection level gateway, 2 TCP connections)
– or by providing specific application login facilities on a host (application gateway/proxy server)
• Packets are checked before they are forwarded.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
19
Proxy Server Architecture
Client Server
Proxy
The client’s illusion
The server’s illusion
Real communication
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
20
How a Proxy Works
Telnetclient
Proxyserver
Proxyclient
Real telnetserver
client proxy server
Internalcommunication
Proxies run on specificMachines, so-called
Bastion Hosts.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
21
Bastion Hosts
• Bastion hosts are those machines that are exposed to the Internet without being protected by the firewall (maybe by a packet filter).
• It is mostly used to run proxies.• In order to make it secure, it should be as
simple as possible (no unnecessary services, programs and files).
• Do not trust the bastion host completely!
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
22
Characteristics• Use well-tested operating systems (UNIX).
– Well-known security mechanisms must be available.
– Administrator must be familiar with it.
• Do not use high-end machine:– Performance is not determined by CPU, but by
line capacity.– The slower the machine, the more inconvenient for
an attacker.
• Memory and swap is important.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
23
Advantages of Proxies
• Allow direct Internet access without visible indirection.
• Allowing and forbidding actions is much more fine-grained since it is on the application level.– Example: ftp proxy could allow reads but forbid
writes
• Logging activities is simple.• If the proxy fails, security is still protected - it
is based on a running device.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
24
Disadvantages
• Proxy software is still unavailable or not well-tested for many new services (http).
• Each service needs another proxy.• Client and server programs must be modified.• Data itself cannot be checked - proxies do not
understand file formats etc.
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
25
Firewall Configurations
• Firewalls do not necessarily consist of only one of the above components.
• There is a number of configurations that make sense.
• Most important:– screened host– dual-homed host– screened subnet
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
26
Screened Host Architecture
• Here, the bastion host has only one network connection (the Intranet).
• Firewall functionality is assured by additional router/packet filter.
• The filter only admits packets that are addressed to the bastion host (or reroutes them).
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
27
Screened Host Architecture
Internet
Bastion Host
Packet Filter
Web Server
Connection to „normal“ host: only
via bastion host
Connection to web server: can
be direct
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
28
Dual-Homed Host
Internet
WebServerBastion
Host
PacketFilter
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
29
Characteristics
• Very flexible control (up to forbidding any communication between intranet and Internet)
• Two possibilities– install proxy servers– allow user accounts on the host
• Additional level of security: in order to get into internal network, attack has to pass filter and bastion host
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
30
Screened Subnet
• introduces one more security layer with a perimeter network
• bastion host is placed into this network and thus has no easy access to intranet
• two routers are necessary
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
31
ArchitectureInternet
Bastion Host
Packet Filter
Packet Filter
Web Server
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
32
Software Solutions
• Squid– The standard Linux application gateway, relatively complex
configuration
• SOCKS:– Probably best-known application gateway
• ipchains: – a Linux packet filter in the kernel
• SuSEfirewall:– Relatively complex packet filter in SuSE Linux
• Personal-firewall:– Easy-to-configure SuSE Linux packet filter: allow
connections to the Internet, but no connections from outside
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
33
Additional Security Measures
• Network Address Translation• IP Masquerading• Virtual Private Networks
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
34
IP Masquerading/NAT
• Idea: don‘t expose the structure of the internal net to the outside
• Internal net has only one official IP address• All internal addresses are so-called private
addresses (e.g. 192.168.23.13) and are not known to the outside
• NAT-Router maps the internal private addresses to a combination of the external address and a port number
• Connections from outside to inside are impossible
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
35
VPNs
• Problem: a firewall restricts access for outsiders to internal resources
• What about telecommuters etc, i.e. people who are logically insiders, but physically outisders?
• Solution: Virtual Private Networks• Idea: use authentication and encryption to
allow secure access to internal resources• Possible implementations: IPsec, ssh,
Microsoft‘s PPTP, ...
Prof. Dr. Stefan Fischer Teleseminar Nice-MannheimTue Sept 25th, 2001
36
Bibliography
• S. Fischer, U. Walther: Linux Netzwerke, SuSE Press, 2000.
• W. Stallings: Network Security Essentials, Prentice Hall, 2000.
• D. Chapman, E. Zwicky: Building Internet Firewalls, O‘Reilly, 1995.
• R. Oppliger: Internet and Intranet Security, Artech House, 1997.
• ... and Clifford Stoll: Cuckoo‘s Egg – for fun