Internet and Intranet Fundamentals Class 9 Session A

Upload: annabel-mcbride

Post on 12-Jan-2016

TRANSCRIPT

Page 1: Internet and Intranet Fundamentals Class 9 Session A

Internet and Intranet Fundamentals

Class 9

Session A

Page 2: Internet and Intranet Fundamentals Class 9 Session A

Topics

• Firewalls (continued)

Page 3: Internet and Intranet Fundamentals Class 9 Session A

Firewalls (Continued)

• Bastion Hosts

• Packet Filtering

Page 4: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts

• Public Presence on the Internet

• The “Lobby” Analogy

• Public Exposure Implies Increased Security Requirements
  – focus special attention on building a Bastion host
  – host security
    • some principles apply to other hosts as well

Page 5: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: Various Types

• Non-routing Dual-homed Hosts
  – make sure they are non-routing!

• Victim Machines
  – sacrificial goat
  – don’t let users put valuables on them

• Internal, semi-Bastion Hosts
  – inside the firewall
  – communicate with external bastion

Page 6: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: General Design Guidelines

• Minimize the Number of Services Provided
  – keep it simple, scholar
  – server software may have bugs that can be exploited

• Expect Bastion Host to be Compromised
  – expect the worst and plan for it
  – most likely to be attacked
  – bastion host considered untrusted host

Page 7: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: What Platform?

• What Platform?
  – Unix, NT, etc.?

• Criteria
  – your experience
  – firewall tools availability

• Class of Machine
  – minimal
  – not a supercomputer
  – RAM more important than CPU

Page 8: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: Location

• Physical Location
  – safe

• Network Location
  – preferably on a perimeter network
  – or a network not susceptible to spoofing
    • ATM, Ethernet switch

Page 9: Internet and Intranet Fundamentals Class 9 Session A

Bastion Host: Services

• Proxy and Relay Services
  – HTTP Proxy
  – SMTP Server
  – NNTP Server
  – FTP Server

• Public Services
  – HTTP
  – SMTP

Page 10: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: Construction Steps

• Secure the Machine
  – start with minimal, clean operating system
  – fix all known system bugs
  – use a security checklist
  – safeguard the system logs
    • requires lots of logging

Page 11: Internet and Intranet Fundamentals Class 9 Session A

Bastion Hosts: Construction Steps

• Disable Non-required Services

• Install or Modify Services

• Reconfigure Machine from Development to Deployment

• Perform Security Audit

• Connect Machine to Network

Page 12: Internet and Intranet Fundamentals Class 9 Session A

Packet Filtering: Topics

• What is it?

• Advantages and Disadvantages

• Configuring a Packet Filtering Router

• Various Kinds of Filtering

Page 13: Internet and Intranet Fundamentals Class 9 Session A

Packet Filtering: What is it?

• Selectively reject IP packets based on:
  – source address
  – destination address
  – incoming physical port
  – TCP application port

Page 14: Internet and Intranet Fundamentals Class 9 Session A

Packet Filtering: Advantages and Disadvantages

• Advantages
  – one router protects an entire network
  – doesn’t require user knowledge or cooperation
  – widely available

• Disadvantages
  – current filtering tools not perfect
    • can be hard to configure, test, and maintain
    • may have bugs
  – some protocols don’t lend themselves to filtering

Page 15: Internet and Intranet Fundamentals Class 9 Session A

Packet Filtering: Configuring a PF Router

• Protocols Bidirectional

• Inbound vs. Outbound Semantics
  – packets vs. services
  – think “packets”

• Default Security Policy
  – permit or deny?

• Returning ICMP Error Codes
  – destination unreachable, for example

Page 16: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering

• Rules
  – Direction
  – Source Address
  – Destination Address
  – ACK Set
  – Action

Page 17: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering: Rules

Rule  Direction  Source Address         Destination Address    ACK Set  Action
A     Inbound    Trusted external host  Internal               Any      Permit
B     Outbound   Internal               Trusted external host  Any      Permit
C     Either     Any                    Any                    Any      Deny

Page 18: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering: Risks of Address Filtering

• Address Forgery
  – source
    • does not hope to get any packets back
  – man-in-the-middle
    • must intercept return packets
    • must alter network topology to get in the middle

Page 19: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering: Filtering by Service

• More Complicated

• TELNET
  – outgoing
    • local host’s IP source address
    • remote host’s IP destination address
    • TCP packet type
    • TCP destination port is 23
    • content: your keystrokes

Page 20: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering: Filtering by Service

• TELNET
  – incoming
    • remote host’s IP source address
    • local host’s IP destination address
    • TCP packet type
    • TCP source port is 23
    • TCP destination port is same as prior source port
    • ACK set

Page 21: Internet and Intranet Fundamentals Class 9 Session A

Various Kinds of Filtering: Filtering by Service

• TELNET
  – Rules
    • permit outbound on port 23
    • permit inbound on port 23 if ACK is set
    • deny both outbound and inbound for everything else
      – default rule

• Risks
  – some other service on port 23?
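As an added illustration that is not part of the slides, a small first-match packet filter in Python that encodes both the address rule table (rules A, B, C) and the TELNET service rules above. The internal address prefix, the trusted external host and the packets used to exercise it are constructed values.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# A packet as the filter sees it: direction is "inbound" or "outbound",
# ack is True when the TCP ACK flag is set.
Packet = namedtuple("Packet", "direction src dst src_port dst_port ack")

@dataclass(frozen=True)
class Rule:
    direction: str = "either"       # "inbound", "outbound" or "either"
    src: str = "any"                # "any", "internal" or one IP address
    dst: str = "any"
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None
    ack: Optional[bool] = None      # None matches either flag state
    action: str = "deny"

INTERNAL_NET = "10.0.0."           # constructed internal address prefix
TRUSTED_EXTERNAL = "192.0.2.10"    # constructed trusted external host

def _addr_matches(pattern, addr):
    if pattern == "any":
        return True
    if pattern == "internal":
        return addr.startswith(INTERNAL_NET)
    return pattern == addr

def _rule_matches(rule, pkt):
    return (rule.direction in ("either", pkt.direction)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port)
            and rule.ack in (None, pkt.ack))

def filter_packet(rules, pkt):
    """First matching rule wins; anything unmatched falls to the default deny."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Rule table: A and B permit traffic with the trusted external host, C denies the rest.
ADDRESS_RULES = [
    Rule("inbound", TRUSTED_EXTERNAL, "internal", action="permit"),   # A
    Rule("outbound", "internal", TRUSTED_EXTERNAL, action="permit"),  # B
    Rule(action="deny"),                                              # C
]
# TELNET rules: outbound to port 23; inbound from port 23 only when ACK is set.
TELNET_RULES = [
    Rule("outbound", "internal", "any", dst_port=23, action="permit"),
    Rule("inbound", "any", "internal", src_port=23, ack=True, action="permit"),
    Rule(action="deny"),  # default rule
]
```

Note that the second TELNET rule permits an inbound ACK packet from source port 23 to any internal port, which is exactly the “some other service on port 23?” risk the slide raises: the rule is only as safe as the assumption that port 23 carries nothing but TELNET replies.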