8: Network Management: Firewalls

Post on 30-Dec-2015


8: Network Management 1

Firewalls

8: Network Management 2

Firewalls

Two firewall types: packet filters, application gateways

To prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections. Attacked host allocates TCP buffers for bogus connections, none left for “real” connections.

To prevent illegal modification of internal data. e.g., attacker replaces CIA’s homepage with something else

To prevent intruders from obtaining secret info.

Firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.

8: Network Management 3

Packet Filtering

Internal network is connected to Internet through a router.

Router manufacturer provides options for filtering packets, based on:

• source IP address
• destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

8: Network Management 4

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
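The two packet-filter examples from slide 3 and the three-step telnet gateway arrangement above can be modelled with a small first-match rule engine. The following is an added example, not code from the slides: addresses, port numbers and the list of authorized users are constructed, and Example 1 is written as two rules because the slide's stated effect (all UDP flows and all telnet connections blocked) is the union of its two conditions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    """Header fields a packet-filtering router can inspect."""
    direction: str      # "in" (from the Internet) or "out" (to the Internet)
    proto: int          # IP protocol field
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP flag bits; meaningless for UDP
    ack: bool = False


# A rule is (description, match predicate, action). The router walks the
# list top to bottom; the first match decides, and the last rule is the default.
Rule = Tuple[str, Callable[[Packet], bool], str]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, description of the rule that fired)."""
    for desc, pred, action in rules:
        if pred(pkt):
            return action, desc
    raise ValueError("rule list has no default rule")


# Slide examples. Example 2 drops inbound segments with ACK=0, i.e. every
# connection attempt from outside; replies to connections opened from
# inside always carry ACK=1 and still pass.
EXAMPLE_RULES: List[Rule] = [
    ("drop all UDP (IP protocol 17)", lambda p: p.proto == UDP, "drop"),
    ("drop telnet (port 23) in either direction",
     lambda p: p.sport == 23 or p.dport == 23, "drop"),
    ("drop inbound TCP with ACK=0",
     lambda p: p.direction == "in" and p.proto == TCP and not p.ack, "drop"),
    ("default allow", lambda p: True, "allow"),
]

# Application gateway arrangement. Constructed address and user list.
GATEWAY_IP = "10.0.0.2"
AUTHORIZED_TELNET_USERS = {"alice", "bob"}

# Step 3: the router filter lets telnet out only when it comes from the gateway.
GATEWAY_ROUTER_RULES: List[Rule] = [
    ("allow telnet originating from the gateway",
     lambda p: p.proto == TCP and p.dport == 23 and p.src == GATEWAY_IP, "allow"),
    ("drop telnet not originating from the gateway",
     lambda p: p.proto == TCP and p.dport == 23, "drop"),
    ("drop inbound TCP with ACK=0",
     lambda p: p.direction == "in" and p.proto == TCP and not p.ack, "drop"),
    ("default allow", lambda p: True, "allow"),
]


def gateway_relay(user: str, remote_host: str) -> Optional[Packet]:
    """Steps 1-2: an authorized user's host-to-gateway session becomes a
    gateway-to-remote session that the gateway opens under its own address."""
    if user not in AUTHORIZED_TELNET_USERS:
        return None
    return Packet("out", TCP, GATEWAY_IP, remote_host, sport=40000, dport=23, syn=True)


def telnet_outcome(user: str, internal_host: str, remote_host: str,
                   via_gateway: bool) -> str:
    """Fate of one outbound telnet attempt under the gateway policy."""
    if via_gateway:
        pkt = gateway_relay(user, remote_host)
        if pkt is None:
            return "denied by gateway"
    else:
        # A host that bypasses the gateway sends the SYN under its own address.
        pkt = Packet("out", TCP, internal_host, remote_host, sport=40001, dport=23, syn=True)
    action, _ = evaluate(GATEWAY_ROUTER_RULES, pkt)
    return action


if __name__ == "__main__":
    samples = [
        Packet("in", UDP, "198.51.100.9", "10.0.0.5", 53, 5353),                    # UDP: dropped
        Packet("in", TCP, "198.51.100.9", "10.0.0.5", 5000, 80, syn=True),         # inbound SYN: dropped
        Packet("in", TCP, "198.51.100.9", "10.0.0.5", 80, 5000, syn=True, ack=True),  # SYN-ACK reply: allowed
    ]
    for p in samples:
        print(p.direction, p.proto, p.sport, "->", p.dport, evaluate(EXAMPLE_RULES, p))
    print(telnet_outcome("alice", "10.0.0.5", "198.51.100.9", via_gateway=True))    # allow
    print(telnet_outcome("mallory", "10.0.0.5", "198.51.100.9", via_gateway=True))  # denied by gateway
    print(telnet_outcome("alice", "10.0.0.5", "198.51.100.9", via_gateway=False))   # drop
```

The gateway-router rule list shows why steps 1 to 3 belong together: the router cannot tell an authorized user from anyone else, so it only checks that telnet originates from the gateway address, and the per-user decision lives in the gateway. This is also the IP spoofing limitation from the next slide in miniature: the router trusts the source address it sees.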

8: Network Management 5

Limitations of firewalls and gateways

IP spoofing: router can’t know if data “really” comes from claimed source

If multiple applications need special treatment, each has its own application gateway.

Client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser

Filters often use all or nothing policy for UDP.

Tradeoff: degree of communication with outside world, level of security

Many highly protected sites still suffer from attacks.

8: Network Management 6

Reference material: Firewalls

8: Network Management 7

Acknowledgements

Professor Insup Lee

Department of Computer and Information Science

University of Pennsylvania lee@cis.upenn.edu www.cis.upenn.edu/~lee

8: Network Management 8

Why do we need firewalls?

8: Network Management 9

8: Network Management 10

8: Network Management 11

BEFORE AFTER (your results may vary)

8: Network Management 12

What is a firewall?

Two goals:

• To provide the people in your organization with access to the WWW without allowing the entire world to peek in;
• To erect a barrier between an untrusted piece of software, your organization’s public Web server, and the sensitive information that resides on your private network.

Basic idea: Impose a specifically configured gateway machine between the outside world and the site’s inner network.

All traffic must first go to the gateway, where software decides whether to allow or reject it.

8: Network Management 13

What is a firewall

A firewall is a system of hardware and software components designed to restrict access between or among networks, most often between the Internet and a private Internet.

The firewall is part of an overall security policy that creates a perimeter defense designed to protect the information resources of the organization.

8: Network Management 14

Firewalls DO

• Implement security policies at a single point
• Monitor security-related events (audit, log)
• Provide strong authentication
• Allow virtual private networks
• Have a specially hardened/secured operating system

8: Network Management 15

Firewalls DON’T

• Protect against attacks that bypass the firewall, e.g. dial-out from internal host to an ISP
• Protect against internal threats: disgruntled employee; insider cooperates with an external attacker
• Protect against the transfer of virus-infected programs or files

8: Network Management 16

Types of Firewalls

• Packet-Filtering Router
• Application-Level Gateway
• Circuit-Level Gateway
• Hybrid Firewalls

8: Network Management 17

Packet Filtering Routers

• Forward or discard IP packet according to a set of rules

• Filtering rules are based on fields in the IP and transport header

8: Network Management 18

What information is used for filtering decision?

• Source IP address (IP header)
• Destination IP address (IP header)
• Protocol Type
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
• ACK bit

8: Network Management 19

Web Access Through a Packet Filter Firewall

[Stein]

8: Network Management 20

Packet Filtering Routers: pros and cons

Advantages:
• Simple
• Low cost
• Transparent to user

Disadvantages:
• Hard to configure filtering rules
• Hard to test filtering rules
• Don’t hide network topology (due to transparency)
• May not be able to provide enough control over traffic
• Throughput of a router decreases as the number of filters increases

8: Network Management 21

Application Level Gateways (Proxy Server)

8: Network Management 22

A Telnet Proxy

8: Network Management 23

A sample telnet session

8: Network Management 24

Application Level Gateways (Proxy Server)

Advantages:
• complete control over each service (FTP/HTTP…)
• complete control over which services are permitted
• Strong user authentication (Smart Cards etc.)
• Easy to log and audit at the application level
• Filtering rules are easy to configure and test

Disadvantages:
• A separate proxy must be installed for each application-level service
• Not transparent to users

8: Network Management 25

Circuit Level Gateways

8: Network Management 26

Circuit Level Gateways (2)

Often used for outgoing connections where the system administrator trusts the internal users

The chief advantage is that a firewall can be configured as a hybrid gateway supporting application-level/proxy services for inbound connections and circuit-level functions for outbound connections

8: Network Management 27

Hybrid Firewalls

In practice, many of today's commercial firewalls use a combination of these techniques.

Examples: A product that originated as a packet-filtering firewall may since have been enhanced with smart filtering at the application level.

Application proxies in established areas such as FTP may augment an inspection-based filtering scheme.

8: Network Management 28

Firewall Configurations

Bastion host
• a system identified by firewall administrator as a critical strong point in the network’s security
• typically serves as a platform for an application-level or circuit-level gateway
• extra secure O/S, tougher to break into

Dual homed gateway
• Two network interface cards: one to the outer network and the other to the inner
• A proxy selectively forwards packets

Screened host firewall system
• Uses a network router to forward all traffic from the outer and inner networks to the gateway machine

Screened-subnet firewall system

8: Network Management 29

Dual-homed gateway

8: Network Management 30

Screened-host gateway

8: Network Management 31

Screened Host Firewall

8: Network Management 32

Screened Subnet Firewall

8: Network Management 33

Screened subnet gateway

8: Network Management 34

Selecting a firewall system

• Operating system
• Protocols handled
• Filter types
• Logging
• Administration
• Simplicity
• Tunneling

8: Network Management 35

Commercial Firewall Systems

[Bar chart, y-axis 0% to 45%: share of commercial firewall systems; bars for Check Point, Cisco, Axent, Network Associates, CyberGuard, Others]

8: Network Management 36

Widely used commercial firewalls
• AltaVista
• BorderWare (Secure Computing Corporation)
• CyberGuard Firewall (CyberGuard Corporation)
• Eagle (Raptor Systems)
• Firewall-1 (Checkpoint Software Technologies)
• Gauntlet (Trusted Information Systems)
• ON Guard (ON Technology Corporation)

8: Network Management 37

Firewall’s security policy

Embodied in the filters that allow or deny passage to network traffic

Filters are implemented as proxy programs.

Application-level proxies
• one for a particular communication protocol
• E.g., HTTP, FTP, SM
• Can also filter based on IP addresses

Circuit-level proxies
• Lower-level, general purpose programs that treat packets as black boxes to be forwarded or not
• Only looks at header information
• Advantages: speed and generality
• One proxy can handle many protocols
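The contrast between the two proxy kinds on this slide (and the advantages and disadvantages listed on slides 20 and 24) is easiest to see by running both decisions over the same connection. The following is an added example, not code from the slides: the internal address prefix, permitted ports, permitted HTTP methods and blocked host are constructed policy values, and the HTTP handling is deliberately minimal (request line and Host header only).

```python
from typing import List, Tuple

# Constructed policy values for this example.
INTERNAL_PREFIX = "10.0."
ALLOWED_OUTBOUND_PORTS = {21, 80, 443}
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_HOSTS = {"blocked.example"}

audit_log: List[str] = []   # an application-level proxy can record one line per request


def circuit_level_decide(src_ip: str, dst_port: int) -> str:
    """Circuit-level proxy: looks only at header information, so one check
    serves every protocol, but it cannot see what the connection carries."""
    if not src_ip.startswith(INTERNAL_PREFIX):
        return "deny: not an internal client"
    if dst_port not in ALLOWED_OUTBOUND_PORTS:
        return f"deny: port {dst_port} not permitted"
    return "allow"


def parse_http_request_line(data: bytes) -> Tuple[str, str, str]:
    """Return (method, target, version) from the first line of an HTTP request."""
    first = data.split(b"\r\n", 1)[0].decode("ascii")   # raises UnicodeDecodeError on non-ASCII
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def http_host_header(data: bytes) -> str:
    """Return the Host header value, or '' if absent."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""


def application_level_decide(src_ip: str, dst_port: int, data: bytes) -> str:
    """Application-level (HTTP) proxy: understands one protocol, so it can
    enforce method/host policy and write an application-level audit record.
    It still applies the header checks first."""
    circuit = circuit_level_decide(src_ip, dst_port)
    if circuit != "allow":
        return circuit
    if dst_port != 80:
        return "deny: this proxy only handles plain HTTP on port 80"
    try:
        method, target, _version = parse_http_request_line(data)
    except (ValueError, UnicodeDecodeError):
        return "deny: not HTTP"
    if method not in ALLOWED_HTTP_METHODS:
        return f"deny: method {method} not permitted"
    host = http_host_header(data)
    if host in BLOCKED_HOSTS:
        return f"deny: host {host} not permitted"
    audit_log.append(f"{src_ip} {method} {host}{target}")
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic, all from an internal client to port 80.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
        b"\x00\x01not http at all\r\n",          # passes circuit-level, fails application-level
    ]
    for data in samples:
        print("circuit:", circuit_level_decide("10.0.0.7", 80),
              "| application:", application_level_decide("10.0.0.7", 80, data))
    print(audit_log)
```

The last sample is the point of the slide: a circuit-level proxy that only looks at headers forwards any byte stream to a permitted port, while the HTTP proxy rejects it and logs nothing. The price is the one on slide 24: the application-level check above is useless for FTP or SMTP, so each of those needs its own proxy.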

8: Network Management 38

Configure a Firewall (1)

Outgoing Web Access
• Outgoing connections through a packet filter firewall
• Outgoing connections through an application-level proxy
• Outgoing connections through a circuit proxy

8: Network Management 39

Firewall Proxy

Configuring Netscape to use a firewall proxy involves entering the address and port number for each proxied service. [Stein]

8: Network Management 40

Configure a Firewall (2)

Incoming Web Access
• The “Judas” server
• The “Sacrificial Lamb”
• The “Private Affair” server
• The doubly fortified server

8: Network Management 41

The “Judas” Server (not recommended)

[Stein]

8: Network Management 42

The “sacrificial lamb”

[Stein]

8: Network Management 43

The “private affair” server

[Stein]

8: Network Management 44

Internal Firewall

An Internal Firewall protects the Web server from insider threats.

[Stein]

8: Network Management 45

Placing the sacrificial lamb in

the demilitarized zone.

[Stein]

8: Network Management 46

Poking holes in the firewall

If you need to support a public Web server but have no place to put it other than inside the firewall.

Problem: if the server is compromised, then you are cooked.

8: Network Management 47

Simplified Screened-Host Firewall Filter Rules

[Stein]

8: Network Management 48

Filter Rule Exceptions for Incoming Web Services

[Stein]

8: Network Management 49

Screened subnetwork

Placing the Web server on its own screened subnetwork insulates it from your organization while granting the outside world limited access to it. [Stein]

8: Network Management 50

Filter Rules for a Screened Public Web Server

[Stein]
