Firewalls
DESCRIPTION
Firewalls. Dan Fleck, CS 469: Security Engineering. Slides modified with permission from original by Arun Sood. References: Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006; Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29. PowerPoint PPT presentation; transcript follows.
Firewalls
Dan Fleck, CS 469: Security Engineering
Slides modified with permission from original by Arun Sood
References
1. Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006.
2. Robert Zalenski, Firewall Technologies, IEEE Potentials, 2002, pp. 24-29.
3. Avishai Wool, A Quantitative Study of Firewall Configuration Errors, IEEE Computer, June 2004, pp. 62-67.
4. Steven Bellovin and William Cheswick, Network Firewalls, IEEE Communications Magazine, Sept 1994, pp. 50-57.
5. William Arbaugh, Firewalls: An Outdated Defense, IEEE Computer, June 2003, pp. 112-113.
6. Charles Zhang, Marianne Winslett, Carl Gunter, On the Safety and Efficiency of Firewall Policy Deployment, IEEE Symposium on Security and Privacy, 2007.
7. Mohamed Gouda and Alex Liu, A Model of Stateful Firewalls and its Properties, Proc. of the 2005 International Conference on Dependable Systems and Networks, 2005.
Firewall as Network Access Control
• Access Control
  – Authentication
  – Authorization
  – Single Sign On
• Firewall
  – Interface between networks
  – Usually external (internet) and internal
  – Allows traffic flow in both directions
Firewall
• Interface between networks
  – Usually external (internet) and internal
• Allows traffic flow in both directions
• Controls the traffic
(Diagram: Internet | Firewall | Internal network)
Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
  – First contact the secretary
  – The secretary decides if the meeting is reasonable
  – The secretary filters out many requests
• You want to meet the chair of the CS department?
  – The secretary does some filtering
• You want to meet the President of the US?
  – The secretary does lots of filtering!
[1]
Security Strategies
• Least privilege
  – Objects have the lowest privilege needed to perform their assigned task
• Defense in depth
  – Use multiple mechanisms
  – Best if each is independent, with minimal overlap: a flaw that defeats one should not defeat the others
• Choke point
  – Forces all traffic through one place, which facilitates monitoring and control
[2]
Security Strategies - 2
• Weakest link
  – Attackers look for the weakest point, so the perimeter is only as strong as its weakest component
• Fail-safe
  – If the firewall fails, it should fail closed, denying access rather than letting traffic through
• Default deny versus default permit
  – Default deny: everything is blocked unless explicitly allowed (the secure choice)
  – Default permit: everything is allowed unless explicitly blocked
• Universal participation
  – Everyone has to accept the rules; a single exempted host is a path around the firewall
[2]
Security Strategies - 3
• Diversity of defense
  – Inherent weaknesses: use multiple technologies to compensate for the inherent weakness of any one technology
  – Common heritage: if systems are configured by the same person (or from the same template), they may share the same weakness
• Simplicity
  – A simple rule set can be understood and verified; a complex one hides errors
• Security through obscurity
  – Hiding details may slow an attacker but must not be the only protection
[2]
Security Strategies - 4
• Configuration errors can be devastating
• Testing is not perfect
• Ongoing trial and error will identify weaknesses
• Enforcing a sound policy is critical
[2]
Types of Firewall
No standard terminology
• Packet filtering (network layer)
  – Simplest firewall
  – Filters packets based on specified criteria: IP addresses, subnets, TCP or UDP ports
  – Does NOT read the packet payload
  – Vulnerable to IP spoofing
• Stateful inspection (transport layer)
  – In addition to packet inspection, validates attributes of multi-packet flows
  – Keeps track of connection state (e.g. TCP streams, active connections, etc.)
[2]
Types of Firewall - 2
• Application based firewall (application layer)
  – Allows data into/out of a process based on that process' type
  – Can act on a single computer or at the network level, e.g. allowing only HTTP traffic to a website
  – Logs access: attempted access and allowed access
  – Personal firewall: single user, home network
[2]
Types of Firewall - 3
• Proxy
  – Intermediate connection between servers on the internet and internal servers
  – For incoming data, the proxy is the server to internal network clients
  – For outgoing data, the proxy is the client sending data out to the internet
  – Very secure: no IP packets pass through the firewall; the firewall terminates each connection and creates new packets
  – Less efficient versus packet filters
[2]
Types of Firewall - 4
• Network Address Translation
  – Hides the internal network from the external network
  – Private IP addresses: expands the usable IP address space
  – Creates a choke point
  – NAT by itself hides addresses but enforces no policy; it is not a substitute for filtering
• Virtual Private Network
  – Employs encryption and integrity protection
  – Uses the internet as part of a private network
  – Makes a remote computer "act like" it is on the local network
[2]
Packet Filter
• Advantages
  – Simplest firewall architecture
  – Works at the network layer, so it applies to all systems behind it
  – One firewall for the entire network
• Disadvantages
  – Can be compromised by many attacks
  – Source spoofing: the filter trusts the source address and source port in the header, and both are chosen by the sender
Packet Filter - Example
(Figure only: packet-filter rule table, not in the transcript) [2]
Packet Filter - Example (cont.)
(Figure only: rule table with the attacker's packets, not in the transcript) [2]
Packet Filter - Example
• The attack succeeds because of rules B and D
• More secure to add source ports to the rules
• Caveat: the source port is chosen by the sender, so an attacker can set it to whatever the rules expect (e.g. 80); source-port matching raises the bar but does not close the hole
Packet Filter - Example (cont.)
(Figure only: rule table with source ports added, not in the transcript) [2]
Packet Filter - Example
• These packets would still be admitted. To avoid this, require the ACK bit in the inbound rules
[2]
Packet Filter - Example
• The attack fails because the ACK bit is not set. The ACK bit is set on every segment of a TCP connection except the initial SYN, so an inbound segment without ACK can only be an attempt to open a connection from outside.
• Incoming TCP packets must have the ACK bit set. If the connection started outside, its first packet is a bare SYN, matches no rule, and is rejected.
• Note: this rule means we allow no services other than replies to requests that we originate.
• Caveat: an attacker can simply set the ACK bit on a packet that belongs to no connection; a stateless filter cannot tell the difference (see the ACK scan on the next slides).
TCP Ack for Port Scanning
• Attacker sends a packet with ACK set (without a prior handshake) to port p
  – Violation of the TCP protocol
• Packet filter firewall passes the packet
  – Firewall considers it part of an ongoing connection
• Receiver sends RST
  – Tells the sender that there is no such connection
• Receiving the RST tells the attacker that port p is reachable through the firewall (the ACK rule let the packet in). Both a listening and a closed port answer a bare ACK with RST, so what leaks is the firewall's rule set, not whether a service is listening; scanners report such ports as "unfiltered".
[1]
TCP Ack Port Scan
• The RST confirms that port 1209 is reachable through the filter
• Problem: packet filtering is stateless; the firewall should track the entire connection exchange
[1]
Stateful Packet Filter
• Remembers the packets of a TCP connection (and its flag bits)
• Adds state information to the packet filter firewall
• Operates at the transport layer
• Pro: adds state to the packet filter and keeps track of ongoing connections, so an unsolicited ACK matches no known connection and is dropped
• Con: slower, more overhead; packet content is still not used
[1]
(Diagram: protocol stack application / transport / network / link / physical, with the stateful filter at the transport layer)
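The packet-filter example slides above (the rule set that admits inbound packets by port, the ACK-bit requirement, the ACK scan that still gets through, and the stateful fix) reduced to a runnable model. This is an added example written for this page, not code from the slides or from references [1] or [2]; the rule set, port numbers and packets are constructed to mirror the slides' scenario and are assumptions, not the figures' actual tables.

```python
"""Model of the packet-filter examples: a stateless filter with and without the
ACK-bit requirement, the ACK scan that still gets through, and a stateful filter
that stops it. Ports only; addresses are omitted for brevity."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = Internet -> internal net, "out" = the reverse
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: Optional[int] = None               # None matches any source port
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    ack: Optional[bool] = None                   # None = don't look at the ACK bit
    action: str = "ALLOW"

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_ports is not None and not (self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]):
            return False
        return self.ack is None or p.ack == self.ack


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"


HIGH = (1024, 65535)
# Constructed rule set in the spirit of the slides: let inside hosts browse the
# web (rule A) and let the web servers' replies back in to high ports (rule B).
RULES_NO_ACK = [
    Rule("out", dst_ports=(80, 80)),            # A: outbound web requests
    Rule("in", src_port=80, dst_ports=HIGH),    # B: anything claiming to come from port 80
]
# The fix from the slides: inbound packets must carry the ACK bit.
RULES_ACK = [
    Rule("out", dst_ports=(80, 80)),
    Rule("in", src_port=80, dst_ports=HIGH, ack=True),
]


class StatefulFilter:
    """Same rules plus a connection table: an inbound packet is allowed only if
    an outbound SYN for the reverse port pair was seen earlier."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table = set()   # (inside_port, outside_port) of connections we opened

    def check(self, p: Packet) -> str:
        if stateless_filter(self.rules, p) != "ALLOW":
            return "DENY"
        if p.direction == "out":
            if p.syn and not p.ack:                       # new outbound connection
                self.table.add((p.src_port, p.dst_port))
            return "ALLOW"
        return "ALLOW" if (p.dst_port, p.src_port) in self.table else "DENY"


# Constructed traffic: a browser on port 1200 talks to a web server, and an
# attacker sends crafted packets from source port 80 at port 1209.
request   = Packet("out", src_port=1200, dst_port=80, syn=True)
reply     = Packet("in",  src_port=80, dst_port=1200, syn=True, ack=True)
probe_syn = Packet("in",  src_port=80, dst_port=1209, syn=True)   # connection attempt from outside
ack_scan  = Packet("in",  src_port=80, dst_port=1209, ack=True)   # bare ACK, no handshake


def demo() -> dict:
    sf = StatefulFilter(RULES_ACK)
    return {
        "probe_vs_no_ack_rules": stateless_filter(RULES_NO_ACK, probe_syn),  # ALLOW: rule B lets it in
        "probe_vs_ack_rules": stateless_filter(RULES_ACK, probe_syn),        # DENY: no ACK bit
        "reply_vs_ack_rules": stateless_filter(RULES_ACK, reply),            # ALLOW: legitimate reply
        "ack_scan_stateless": stateless_filter(RULES_ACK, ack_scan),         # ALLOW: host answers RST
        "stateful": [sf.check(request), sf.check(reply), sf.check(ack_scan)],  # ALLOW, ALLOW, DENY
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateful filter keys its table on the port pair only; a real one also tracks sequence numbers and the handshake flags, which is what makes forged ACKs with guessed ports fail as well.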
Application Proxy
• A proxy acts on behalf of the system being protected
• The application proxy examines incoming application data and verifies that the data is safe before passing it to the system
• Pros
  – Complete view of the connections and application data
  – Can filter bad data (viruses, Word macros)
  – The incoming packet is terminated and a new packet is sent to the internal network
• Con
  – Speed
[1]
Firewalk - Port Scanning
• Scan ports through firewalls
• Requires knowledge of
  – IP address of the firewall
  – IP address of one system in the internal network
  – Number of hops to the firewall
• Set TTL (time to live) = hops to firewall + 1
• Set destination port to p
• If the firewall does not pass data for port p, then no response
• If data passes through the firewall on port p, the first hop behind the firewall expires the TTL and returns an ICMP time exceeded message
[1]
Let's try it: Applications->Utilities->Network Utility
Firewalk and Proxy Firewall
• The attack would be stopped by a proxy firewall
• The incoming packet is destroyed (and its old TTL value with it)
• The new outgoing packet, created by the proxy with a fresh TTL, will not exceed its TTL
[1]
(Figure: Trudy sends probes with dest ports 12345, 12344, 12343 and TTL=4 through three routers to the packet filter; a "Time exceeded" message comes back for ports the filter forwards)
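The mechanics of the two Firewalk slides as a simulation: a probe with TTL = hops-to-firewall + 1 expires one hop behind a packet filter that forwards the port, producing the time exceeded message, while an application proxy, which terminates the connection and emits a fresh packet, gives nothing back. This is an added example written for this page, not code from the slides or from reference [1]; the topology (two routers, the firewall at hop 3, one internal router), the allowed ports and the proxy's fresh TTL of 64 are constructed assumptions.

```python
"""Firewalk simulation: how a TTL-limited probe fares at each hop of a path
through a packet filter versus through an application proxy."""
from typing import Dict, Iterable, List, Optional, Set


class Router:
    """A plain hop: decrement TTL and answer 'time exceeded' if it hits zero."""

    def handle(self, pkt: dict) -> Optional[str]:
        pkt["ttl"] -= 1
        return "time exceeded" if pkt["ttl"] == 0 else None


class PacketFilter(Router):
    def __init__(self, allowed_ports: Set[int]):
        self.allowed = allowed_ports

    def handle(self, pkt: dict) -> Optional[str]:
        if pkt["dport"] not in self.allowed:
            return "drop"               # silently discarded: the scanner hears nothing
        return super().handle(pkt)      # forwarded with the original (decremented) TTL


class ApplicationProxy(Router):
    def __init__(self, allowed_ports: Set[int]):
        self.allowed = allowed_ports

    def handle(self, pkt: dict) -> Optional[str]:
        if pkt["dport"] not in self.allowed:
            return "drop"
        pkt["ttl"] = 64                 # connection ends here; a new packet leaves the proxy
        return None


def probe(path: List[Router], dport: int, ttl: int) -> str:
    """What the scanner hears back for one probe sent along `path`."""
    pkt = {"dport": dport, "ttl": ttl}
    for hop_no, hop in enumerate(path, start=1):
        verdict = hop.handle(pkt)
        if verdict == "drop":
            return "no response"
        if verdict == "time exceeded":
            return f"time exceeded from hop {hop_no}"
    return "no response"   # reached the inside alive; no ICMP goes back to the scanner


def firewalk(path: List[Router], hops_to_firewall: int, ports: Iterable[int]) -> Dict[int, bool]:
    """Firewalk proper: one probe per port with TTL = hops + 1. True means the
    time exceeded message came back, i.e. the firewall forwarded that port."""
    return {p: probe(path, p, hops_to_firewall + 1).startswith("time exceeded")
            for p in ports}


# Constructed topologies: two routers, the firewall at hop 3, then the first
# internal router. Both firewalls let SSH and HTTP through.
PF_PATH = [Router(), Router(), PacketFilter({22, 80}), Router()]
PROXY_PATH = [Router(), Router(), ApplicationProxy({22, 80}), Router()]

if __name__ == "__main__":
    print(probe(PF_PATH, 80, 3))                  # time exceeded from hop 3: the firewall itself
    print(firewalk(PF_PATH, 3, [22, 23, 80]))     # {22: True, 23: False, 80: True}
    print(firewalk(PROXY_PATH, 3, [22, 23, 80]))  # {22: False, 23: False, 80: False}
```

The TTL = hops probe (expiring at the firewall itself) is how the scanner calibrates the hop count before walking ports; the proxy path shows why the old TTL being destroyed matters: no hop behind the proxy ever sees a TTL of 1.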
Firewalls and Defense in Depth
• Example security architecture
(Figure: Internet -> packet filter -> DMZ with FTP server, DNS server and WWW server -> application proxy -> intranet with personal firewalls)
[1]
Research: Firewall Policy Verification
• Firewall design: consistency, completeness, and compactness
  – Gouda, M.G.; Liu, X.-Y.A., "Firewall design: consistency, completeness, and compactness," Distributed Computing Systems, 2004. Proceedings. 24th International Conference on, pp. 320-327, 2004
• Lesson: practical firewalls have complex rule sets. They are hard to get right (see also the configuration error study in [3]). Research exists to help validate a configuration for errors
• Let's see some simple ones
Let's do some examples
iptables is a common tool to build firewalls. Well supported in Linux:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-A: append to the list of rules (here the INPUT chain)
-p: match protocol tcp
--dport 22: match destination port 22 (ssh)
-j ACCEPT: if the rule matches, ACCEPT the packet
1st matching rule wins... order matters!
The final rule (or the chain's default policy) typically rejects anything that doesn't match: security says deny all, and only allow in who you want.
iptables - chains
• INPUT: anything with a destination of the firewall box
• OUTPUT: anything with a source of the firewall box
• FORWARD: anything going through the firewall box (neither source nor destination is the firewall box)
• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # This allows SSH TO THE FIREWALL BOX, not to the hosts behind it (that traffic is in the FORWARD chain)
iptables - matching rules
Jump targets: what to do upon match?
-j ACCEPT: allow it
-j REJECT: send a rejection message (an ICMP unreachable, or a TCP RST if asked for)
-j DROP: drop it, don't send any message
-j logaccept, logdrop, logreject: user-defined chains found on some router firmware (e.g. DD-WRT), not built-in targets; the built-in LOG target only logs and does not end chain traversal, so it is followed by a separate ACCEPT/DROP rule
(there are others)
Protocol matching rules
-p tcp, udp, icmp, all (0 means all)
Port matching rules (only with -p tcp or -p udp)
--dport destination port
--sport source port
iptables - more rules
Physical device interface:
-i vlan0   # packets coming in on that interface
-o eth1    # packets going out on that interface
-i is only valid for the INPUT and FORWARD chains
-o is only valid for the OUTPUT and FORWARD chains
(Note: interface names differ by hardware)
Time-based limiting: --limit 5/minute (the rule matches a maximum of 5 times per minute, or per second, hour, day, etc.; an initial burst, 5 by default, is allowed before the rate applies)
Syn-flood protection:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Caveat: this rule only accepts the SYNs within the rate; the excess must be dropped by a later rule or by the chain's default policy, otherwise the limit changes nothing.
iptables - examples
• Let's stop all http access
• Let's stop ping
• Let's allow www.gmu.edu through (but only GMU!)
  – --destination www.gmu.edu
  – A hostname is resolved once, when the rule is loaded, and the rule stores the resulting IP address(es); if the name later resolves differently, the rule does not follow it
• Let's allow only my IP to get to HTTP
  – --source 192.168.3.10
  – This rule must come before the rule that stops all http access: first match wins
iptables - more rules
State matching: -m state --state ESTABLISHED,RELATED (no space after the comma)
NEW: a packet which creates a new connection.
ESTABLISHED: a packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).
RELATED: a packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP helper module loaded) a packet establishing an FTP data connection.
INVALID: a packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.
(On current kernels the same match is spelled -m conntrack --ctstate; the state module is kept as a compatibility alias.)
iptables - more rules
TCP bit matching:
iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
--tcp-flags <mask> <comp>: mask = the set of bits to look at; comp = the subset of mask which must be set (every other bit in mask must be clear)
The command above says: look at all the bits ('ALL' is synonymous with 'SYN,ACK,FIN,RST,URG,PSH') and match when only the SYN and ACK bits are set. --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, i.e. a bare connection request.
Caveat: a SYN,ACK arriving on INPUT is also the legitimate second step of the handshake for a connection the firewall box itself opened. Placed after an -m state --state ESTABLISHED,RELATED ACCEPT rule, the DROP above catches only unsolicited SYN,ACKs; placed first, it breaks every outbound connection from the box.
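A small evaluator for the subset of iptables syntax used on the iptables slides (chains, first-match-wins, the default policy, -p/-s/-d, --dport/--sport, --syn, --tcp-flags mask/comp and -m state --state), exercised on a default-deny INPUT chain that also carries the "stop http except from my IP" and "stop ping" exercises. This is an added example written for this page, not code from the slides or from the iptables project, and it models rule semantics only (no limit match, no conntrack engine: each constructed packet carries the state conntrack would have assigned). The ruleset, the addresses (documentation ranges) and the packets are constructed assumptions.

```python
"""Evaluator for a subset of iptables rule syntax: rules are tried in order,
the first match decides, and the chain policy applies when nothing matched."""
import ipaddress
import shlex

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}


def flag_set(spec: str) -> set:
    """ALL and NONE are the shorthands iptables accepts in a flag list."""
    if spec == "ALL":
        return set(TCP_FLAGS)
    return set() if spec == "NONE" else set(spec.split(","))


def parse_rule(line: str) -> dict:
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "match": {}}
    m = rule["match"]
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t in ("-p", "--protocol"):
            m["proto"] = toks[i + 1]; i += 2
        elif t in ("-s", "--source"):
            m["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t in ("-d", "--destination"):
            m["dst"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t in ("--sport", "--dport"):
            m[t[2:]] = int(toks[i + 1]); i += 2
        elif t == "--tcp-flags":   # of the bits in <mask>, exactly those in <comp> must be set
            m["flags"] = (flag_set(toks[i + 1]), flag_set(toks[i + 2])); i += 3
        elif t == "--syn":         # shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
            m["flags"] = ({"SYN", "RST", "ACK", "FIN"}, {"SYN"}); i += 1
        elif t == "-m":            # match extension name; its own options follow
            i += 2
        elif t == "--state":
            m["state"] = set(toks[i + 1].split(",")); i += 2
        else:
            raise ValueError(f"option not modelled here: {t}")
    return rule


def matches(rule: dict, pkt: dict) -> bool:
    m = rule["match"]
    if "proto" in m and m["proto"] != "all" and pkt["proto"] != m["proto"]:
        return False
    for k in ("src", "dst"):
        if k in m and ipaddress.ip_address(pkt[k]) not in m[k]:
            return False
    for k in ("sport", "dport"):
        if k in m and pkt.get(k) != m[k]:
            return False
    if "flags" in m:
        mask, comp = m["flags"]
        if (pkt.get("flags", set()) & mask) != comp:
            return False
    return "state" not in m or pkt.get("state") in m["state"]


def evaluate(ruleset: str, chain: str, policy: str, pkt: dict):
    """Walk the chain in order. Returns (verdict, 1-based number of the deciding
    rule within the chain, or 'policy' when the default policy applied)."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()]
    for n, r in enumerate([r for r in rules if r["chain"] == chain], start=1):
        if matches(r, pkt):
            return r["target"], n
    return policy, "policy"


# Constructed default-deny INPUT chain for the firewall box itself: replies
# first, then the few services we expose, then explicit drops.
RULESET = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.10 -p tcp --dport 80 --syn -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP
"""
POLICY = "DROP"


def tcp(src, dport, flags, state, sport=40000):
    return {"proto": "tcp", "src": src, "dst": "203.0.113.1", "sport": sport,
            "dport": dport, "flags": set(flags), "state": state}


SAMPLE = {  # constructed packets arriving at the firewall box (203.0.113.1)
    "ssh_from_anywhere": tcp("198.51.100.7", 22, {"SYN"}, "NEW"),
    "web_from_admin": tcp("192.168.3.10", 80, {"SYN"}, "NEW"),
    "web_from_elsewhere": tcp("198.51.100.7", 80, {"SYN"}, "NEW"),
    "reply_to_our_connect": tcp("198.51.100.7", 40001, {"SYN", "ACK"}, "ESTABLISHED", sport=443),
    "unsolicited_synack": tcp("198.51.100.7", 40002, {"SYN", "ACK"}, "NEW", sport=443),
    "ping": {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.1", "state": "NEW"},
    "dns_udp": {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 53, "state": "NEW"},
}


def demo(ruleset: str = RULESET) -> dict:
    return {name: evaluate(ruleset, "INPUT", POLICY, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (verdict, by) in demo().items():
        print(f"{name:22} {verdict:7} (rule {by})")
```

The RULESET lines are valid iptables syntax, so the same text, wrapped in the *filter / COMMIT framing that iptables-restore expects, loads on a real box. Swapping the two port-80 rules is the classic ordering mistake: the admin's SYN then hits the blanket DROP before its ACCEPT, which the evaluator reports as rule 4 deciding against it.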
iptables - Tunneling
• In our network we have one outward facing server, so to get in from home we must travel (tunnel) through that server.
• We really use SSH tunnels:
  ssh -f -L 10024:sr1s4.mesa.gmu.edu:22 dslsrv.gmu.edu -N ; ssh -X -p 10024 localhost
  (the first command forwards local port 10024 through dslsrv.gmu.edu to port 22 on sr1s4.mesa.gmu.edu and goes to the background; the second connects to the internal host through that forward)
• However, if everyone needed to use it we could use a firewall based tunnel:
  iptables -t nat -A PREROUTING -p tcp -d dslsrv.gmu.edu --dport 10024 -j DNAT --to-destination sr1s4.mesa.gmu.edu:22
  (DNAT rewrites the destination before routing; the rewritten packet still has to be accepted by the FORWARD chain, the hostnames are resolved once when the rule is loaded, and the internal host's SSH port becomes reachable by anyone who can reach dslsrv.gmu.edu:10024, which the SSH tunnel did not expose)
Would a GUI help?
Lessons
• There are many firewall types
• Each provides a different level of security versus performance
• Multiple firewalls can be used to segment networks into security zones
• iptables is a powerful example of how to create/manage firewalls