Firewall Implementation and Design
Term: January 2005
Dana Epp, [email protected], http://silverstr.ufies.org/blog/
COMP 4706
Agenda
- Discuss why firewalls are important
- Learning outcomes
- Discuss the final exam
- Basic firewall fundamentals
- TCP/IP fundamentals
- Introduction to threat modeling for network services
- Introduction to STRIDE
- Hands on: group threat modeling
Impact of W32.Blaster.Worm
A small survey including 882 respondents determined that the MS Blaster worm:
- Cost a median of $475,000 per company to remediate (including hard, soft and productivity costs), with larger node-count companies reporting losses up to $4,228,000
- Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers
Source: TruSecure / ICSA Labs, 29 August 2003
Learning Outcomes
On successful completion of this course, students will be able to:
- Identify various types of firewalls and their functions, including which firewalls operate at which OSI protocol layer, and the basic variations of firewall architectures
- Describe risk mitigation techniques for varying threats with the use of different firewall architectures
- Demonstrate the ability to design and deploy policies on a firewall
The Final Exam
- Written portion closed book. Practical portion open book: use any information you learned in this class. No external help!
- 20% - Written test on theory
- 20% - Policy decisions on a Windows deployment
- 20% - Policy decisions on a Linux deployment
- 20% - Working Windows firewall (against an open scan)
- 20% - Working Linux firewall (against an open scan)
- Exam is 1.5 hours long
What is the "Pain"?
The risk of unauthorized access to privileged and/or confidential resources on a private network.
Security Strategies
- Least privilege
- Defense in depth
- Thinking in zones
- Chokepoints
What is a "firewall"?
A firewall is simply a system or group of systems that enforces an access control policy between two or more networks.
Basic Types of Firewalls
- Packet filtering firewalls
- Stateful packet inspection firewalls
- Application proxies
- Hybrids
Packet filter
A packet filter firewall is the simplest type of firewall. Dealing with each individual packet in isolation, the firewall applies its rule set to determine whether to allow or drop that packet. The firewall examines each packet based on the following criteria:
- Source IP address
- Destination IP address
- TCP/UDP source port
- TCP/UDP destination port
Packet Filter - Pros
- They are fast because they operate on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
- Because the packet payload is ignored, they are application independent.
- Least expensive of the three types of firewalls.
- Packet filtering rules are relatively easy to configure.
- No configuration changes are necessary on the protected workstations.
Packet filters - Cons
- Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability in the endpoint to be exploited.
- No screening of packet payload. It is impossible to block users from visiting web sites deemed off limits, for example.
- Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.
- Complex firewall policies are difficult to implement using filtering rules alone.
- Reliance on the IP address for authentication rather than user authentication.
- Dynamic IP addressing schemes such as DHCP may complicate filtering rules involving IP addresses.
Stateful packet inspection
- Examines more of each packet than a basic filter does: beyond addresses and ports it considers the packet's contents (header fields such as the TCP flags, and in some implementations the payload) rather than just filtering on addresses.
- Also takes into account the state of the connections it handles, so that, for example, a legitimate incoming packet can be matched with the outbound request that solicited it and allowed in, while an unsolicited incoming packet has no matching state and is dropped.
Stateful packet inspection - Pros
- Offers improved security over basic packet filters due to packet examination.
- Offers a degree of application independence, based on the level of stateful packet examination.
- Better logging of activities than basic packet filters.
- Good performance.
- Configuration changes to the protected workstations are unnecessary.
Stateful packet inspection - Cons
- Allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability in the endpoint to be exploited.
- No hiding of your private systems.
- Setting up stateful packet examination rules is more complicated.
- Application-layer handling exists only for the protocols the firewall explicitly supports.
- No user authentication.
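To make the difference between the packet-filter slides and the stateful-inspection slides above concrete, here is an added example written for this page (it is not code from the course): a toy first-match packet filter next to a minimal connection tracker, both run over the same constructed TCP packets. The rule format, the Packet and Rule classes, the 10.0.0.0/24 inside network and the sample traffic are all assumptions for illustration. A stateless policy has to admit inbound packets with the ACK bit set so that replies can reach the client at all, and that is exactly the hole an attacker's ACK-flagged probe walks through; the stateful filter admits only packets that match a connection an inside host opened.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SYN, ACK = 0x02, 0x10  # TCP flag bits from the TCP header


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Rule:
    """One stateless rule (hypothetical format); None means 'any port'."""
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR source network
    dst: str = "0.0.0.0/0"      # CIDR destination network
    sport: Optional[int] = None
    dport: Optional[int] = None
    need_flags: int = 0         # all of these TCP flag bits must be set

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and p.flags & self.need_flags == self.need_flags)


def stateless_filter(rules: list[Rule], p: Packet) -> bool:
    """Packet filter: first matching rule wins, default deny, no memory."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


class StatefulFilter:
    """Minimal connection tracker: inbound traffic is allowed only when it
    belongs to a connection that an inside host opened with a SYN."""

    def __init__(self, inside: str):
        self.inside = ip_network(inside)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if ip_address(p.src) in self.inside:            # outbound packet
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags & SYN and not p.flags & ACK:     # new connection
                self.table.add(key)
                return True
            return key in self.table                    # must belong to a flow
        # inbound packet: only if it is the reverse of a tracked flow
        return (p.dst, p.dport, p.src, p.sport) in self.table


INSIDE = "10.0.0.0/24"  # assumed protected network

# Stateless policy: web out, and replies back in via the "ACK bit set" trick.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=80),
    Rule("allow", dst=INSIDE, sport=80, need_flags=ACK),
]

# Constructed traffic (not a capture): a real web fetch, an attacker's
# ACK-flagged probe from port 80, and an unsolicited inbound SYN.
TRAFFIC = [
    ("client SYN", Packet("10.0.0.5", 40000, "203.0.113.9", 80, SYN)),
    ("server SYN-ACK", Packet("203.0.113.9", 80, "10.0.0.5", 40000, SYN | ACK)),
    ("client ACK", Packet("10.0.0.5", 40000, "203.0.113.9", 80, ACK)),
    ("ACK probe", Packet("198.51.100.7", 80, "10.0.0.5", 40000, ACK)),
    ("inbound SYN", Packet("198.51.100.7", 4444, "10.0.0.5", 445, SYN)),
]


def compare() -> dict[str, tuple[bool, bool]]:
    """Run both filters over TRAFFIC in order; {name: (stateless, stateful)}."""
    sf = StatefulFilter(INSIDE)
    return {name: (stateless_filter(STATELESS_RULES, p), sf.allow(p))
            for name, p in TRAFFIC}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:15} stateless={'allow' if stateless else 'deny':5} "
              f"stateful={'allow' if stateful else 'deny'}")
```

The "ACK probe" line is the one to look at: the stateless rules pass it because it is indistinguishable from a reply, while the tracker drops it because no inside host ever opened a connection to 198.51.100.7. Real stateful firewalls also time out entries and check sequence numbers, which this toy omits.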
Application proxies
An application proxy is a program running on the firewall that emulates both ends of a network connection: the client talks to the proxy, and the proxy opens its own connection to the server. One can think of it as a sort of "translator" in between the two computers communicating.
Application proxies - Pros
- The firewall does not let the end points communicate directly with one another. Thus a vulnerability in a protocol which could slip by a packet filter or stateful packet inspection firewall can be caught by the proxy program.
- Has the best content filtering capability.
- Can hide private systems.
- Robust user authentication.
- Offers the best logging of activities.
- Policy rules are usually easier to write than packet filtering rules.
Application proxies - Cons
- Performance problems; much slower than the other two.
- Must have a proxy for every protocol. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall.
- TCP is the preferred transport. UDP may not be supported.
- Limited transparency; clients may need to be modified (setting up the proxy server in a browser, for example).
- No protection from all protocol weaknesses.
OSI - Open System Interconnect (diagram)
TCP/IP Protocol Architecture (diagram)
IP data encapsulation (diagram)
TCP Header (diagram)
Three way TCP handshake (diagram)
UDP Header (diagram)
Common Ports and Services
- Windows: %windir%\System32\drivers\etc\services
- Linux: /etc/services
Examples:
- SMTP = port 25
- HTTP = port 80
- POP3 = port 110
- PPTP = port 1723
LUNCH
"You cannot build secure systems unless you know the threats to which you are susceptible."
Introduction to Threat Modeling
- Threat modeling allows you to apply a structured approach to security and to address first the top threats that have the greatest potential impact on your network.
- Although typically thought of as a methodology for secure software engineering, parts of it can be applied to network engineering as well.
The Steps in Threat Modeling
- Brainstorm the known threats to the system.
- Rank the threats by decreasing risk.
- Choose how to respond to the threats.
- Choose techniques to mitigate the threats.
- Choose the appropriate technologies from the identified techniques.
Threats, Vulnerabilities, Attacks and Motives
- A threat to a system is a potential event that will have an unwelcome consequence if it becomes an attack.
- A vulnerability is a weakness in a system, such as a coding bug or a design flaw.
- An attack occurs when an attacker has a motive, or a reason to attack, and takes advantage of a vulnerability.
Things to consider when Brainstorming
- Which assets need protecting?
- What value are the assets?
- To what threats are the assets susceptible?
- How should you prioritize the threats?
- How do you mitigate the threats?
- Address architecture and implementation
Core assets to consider
- Configuration data
- Authentication data
- Persistent data
- Data 'on the wire'
- State data
- Temporary data
(Cartoon: an asset, a vulnerability, and a threat after the "loot")
(Cartoon: mitigation techniques, the loot now "Patrolled!")
* Artwork stolen from Jason Garms (SBU Microsoft)
The STRIDE Threat Model
- Spoofing identity: attacker obtains something that enables authentication
- Tampering with data: unauthorized change made to stored or in-transit information
- Repudiation: performing an illegal operation in a system that lacks the ability to trace such operations
- Information disclosure: exposing critical information to unauthorized individuals
- Denial of Service (DoS): denies service to others
- Elevation of privilege: attacker exploits a weakness to gain greater privileges on a system than were intended
A Server Example (diagram)
Assets shown: persistent data, configuration data, authentication data, and the insecure network between client and server, each annotated with the STRIDE threat categories that apply to it.
Ranking and Prioritizing Threats
- Chance of attack occurring: 1 = high, 10 = low. How much effort/cost/time is needed to launch the attack?
- Cost/damage if it occurs: 1 = little, 10 = massive
- RISK = Damage / Chance (with chance scored 1 = high, a likely and damaging attack scores highest)
- Goal is to reduce risk
- Do high risk items first
How to Respond to Threats
1. Do nothing.
2. Inform the user of the threat.
3. Remove the problem.
4. Fix the problem.
Threat Mitigation Techniques: Spoofing
- Authentication
- Protect secrets
- Don't store secrets
Threat Mitigation Techniques: Tampering
- Authorization
- Hashes
- Message Authentication Codes (MAC)
- Digital signatures
- Tamper-resistant protocols
Threat Mitigation Techniques: Repudiation
- Digital signatures
- Timestamps
- Audit trails
Threat Mitigation Techniques: Information disclosure
- Authorization
- Privacy-enhanced protocols
- Encryption
- Protect secrets
- Don't store secrets
Threat Mitigation Techniques: Denial of Service
- Authentication
- Authorization
- Filtering
- Throttling
- Quality of Service (QoS)
Threat Mitigation Techniques: Elevation of privilege
- Run with least privilege
Security Techniques: Authentication
- Basic
- Digest
- Forms-based
- Passport
- Windows Auth
- NTLM
- Kerberos v5
- X.509 certs
- IPSec
- RADIUS
Security Techniques: Authorization
- Access Control Lists (ACL)
- Privileges
- IP restrictions
- Server-specific permissions
Security Techniques: Tamper resistance
- SSL/TLS
- IPSec
- DCOM and RPC
- EFS (Encrypting File System)
Security Techniques: Privacy
- Encryption
- Hashes, MACs and digital signatures (note that these protect integrity and authenticity rather than confidentiality; only encryption keeps the data itself private)
Security Techniques: DoS Mitigation
- Filtering: similar to packet filtering
- Throttling: limiting the number of connections
- Quality of Service: provide preferential treatment for specific types of traffic
Security Techniques: Least Privilege
- Have applications run with JUST enough privileges to get the job done, and no more.
- As long as the job gets done, users will never know you are using least privilege unless they do something they aren't SUPPOSED to do!
Defense in Depth
- Assume external systems are insecure
- "We're secure, we have a firewall" *ugh*
- Assume your system(s) is the last thing standing
- Plan on failure
- More layers of security means more work to compromise a target
- Threat risk goes down as threat difficulty goes up
- Never depend on security through obscurity
Don't trust user input
- Must validate data as it crosses between untrusted and trusted environments
- Most vulnerabilities rely on malicious input
- Don't rely on client side validation: hacker tools exist to bypass client validation
- All user input is bad until proven otherwise
- Use regular expressions to check
- Don't check for invalid data; check for valid data and reject anything else
Secure Failures and Defaults
Plan on failure (fail securely):
- The failure code path should be the most secure path
- Verify success, not failure
- Don't log detailed failure errors to the client
Plan on ignorance (use secure defaults):
- Create solutions in their most secure state, and let users turn off security as needed
- Don't rely on a user to turn off a feature they don't need
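As an added example for the "Don't trust user input" and "Secure Failures and Defaults" slides above (written for this page, not code from the course): a loader for a hypothetical text firewall policy format, assumed here to be one rule per line of the form "allow|deny tcp|udp host port". Every field is checked against an allow-list regular expression with fullmatch, so the question asked is "does this look like valid data?" rather than "does it contain a known bad character?"; the detailed reason for a rejected line goes to the server log while the caller only ever sees a generic message; and if any line fails, the whole policy is discarded and the firewall falls back to an empty rule list, which under first-match-default-deny means deny everything. A deny-list check is included only to show what it misses.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("policy")

# Allow-list patterns: describe exactly what a valid field looks like.
ACTION_RE = re.compile(r"allow|deny")
PROTO_RE = re.compile(r"tcp|udp")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")   # DNS host name labels
PORT_RE = re.compile(r"[1-9][0-9]{0,4}")           # 1..99999, range-checked below

# Deny-list for contrast: only rejects a few shell metacharacters.
DENYLIST_RE = re.compile(r"[;&|<>]")


def denylist_accepts(host: str) -> bool:
    """The anti-pattern: 'reject known bad' lets anything else through."""
    return DENYLIST_RE.search(host) is None


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    host: str
    port: int


class PolicyError(ValueError):
    """Carries only a generic message; details stay in the server-side log."""


def parse_rule(line: str) -> Rule:
    """Validate one rule line field by field; raise ValueError on anything odd."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    action, proto, host, port = parts
    # fullmatch: the entire field must match, not merely contain a valid substring
    if not ACTION_RE.fullmatch(action):
        raise ValueError(f"bad action {action!r}")
    if not PROTO_RE.fullmatch(proto):
        raise ValueError(f"bad protocol {proto!r}")
    if not HOST_RE.fullmatch(host) or len(host) > 253:
        raise ValueError(f"bad host {host!r}")
    if not PORT_RE.fullmatch(port) or int(port) > 65535:
        raise ValueError(f"bad port {port!r}")
    return Rule(action, proto, host.lower(), int(port))


def load_policy(text: str) -> list[Rule]:
    """Verify success, not failure: every line must parse or the whole policy
    is rejected. Comments (#) and blank lines are ignored."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            log.error("policy line %d rejected: %s", lineno, exc)  # detail stays here
            raise PolicyError("policy rejected; see server log") from None
    return rules


def active_policy(text: str) -> list[Rule]:
    """Fail securely: a policy that will not load becomes deny-all, never allow-all."""
    try:
        return load_policy(text)
    except PolicyError:
        return []


def is_allowed(rules: list[Rule], proto: str, host: str, port: int) -> bool:
    """First matching rule wins; an empty rule list denies everything."""
    for r in rules:
        if r.proto == proto and r.host == host.lower() and r.port == port:
            return r.action == "allow"
    return False


# Constructed sample policies (assumed format, not from the slides).
GOOD_POLICY = """
# mail and web out
allow tcp mail.example.net 25
allow tcp www.example.net 80
"""
# One line smuggles shell syntax into the host field.
BAD_POLICY = GOOD_POLICY + "allow tcp www.example.net$(id) 80\n"

if __name__ == "__main__":
    good = active_policy(GOOD_POLICY)
    print("good policy rules:", len(good), "web allowed:", is_allowed(good, "tcp", "www.example.net", 80))
    bad = active_policy(BAD_POLICY)
    print("bad policy rules:", len(bad), "web allowed:", is_allowed(bad, "tcp", "www.example.net", 80))
    print("denylist would accept the bad host:", denylist_accepts("www.example.net$(id)"))
```

The deny-list happily accepts "www.example.net$(id)" because none of its listed characters appear, while the host allow-list rejects it on sight. Rejecting the entire policy rather than skipping the bad line is deliberate: a half-loaded policy is exactly the kind of partial failure that quietly leaves a hole open.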
A Web server example (diagram)
Good reading
- Building Internet Firewalls, ISBN 1-56592-124-0
- Linux Firewalls, ISBN 0-7357-0900-9
- Threat Modeling, ISBN 0-7356-1991-3
Any Questions?