security and firewalls ref: keeping your site comfortably secure: an introduction to firewalls john...
TRANSCRIPT
Security and Firewalls
Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls
John P. Wack and Lisa J. Carnahan
NIST Special Publication 800-10
What
• A firewall is a barrier that prevents something bad from passing and doing harm
• Network Firewalls are systems through which must pass all traffic going into or out of a protected network environment– The gateway becomes the guardian, protecting
the network by selectively forbidding access
Why
• TCP/IP services were not all designed with security in mind– a determined attacker takes advantage of
security risks inherent in some service implementations
• Networks and computing resources, including the data stored, are increasingly critical to an organization’s survival
What, more
• Firewall– systems– routers– policy– central connection
• Restrict– access to or from selected systems– block certain TCP/IP services
Authentication
• Weak authentication– password files are accessible
• password attacks are sophisticated
• finding one vulnerable password gives access to the system
– Granularity of authentication• user level or host level
• trusted user may come from a host accessible to many untrusted users.
Monitoring
• Unencrypted passwords cross networks when using telnet or ftp
• Monitoring traffic on a LAN is easy
• Information displayed may be critical
Spoofing
• Source routing of IP packets allows an intruder to masquerade as a trusted site
• Many services determine access rights based on the IP address, assuming that traffic from a trusted domain is safe
• Mail is easily spoofed and allows an intruder to gain access to the mail privileges of a legitimate user.
• More can be said, but we probably all know that the networks are vulnerable to attack.
Structure
A barrier
The Internet
Our network to be protected
Firewall Services
• Protection from vulnerable services
• Controlled access to specific systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use, misuse
• Policy enforcement
Service restriction
• Refuse to respond to source-routed packets
• Restrict NFS and NIS service access– Constrain them to a local network where the
services are needed– Disallow remote access
Site access restriction
• A Policy matter– What internal sites should be accessible from
outside?– Base: no access unless there is a reason for it
Concentrated security
• Only one place needs to be configured and maintained for control of access to the systems. – Reduces the burden of configuring many
systems– Increases the likelihood of well maintained
access control
Privacy
• Blocking some service access– finger on unix systems
• in addition to information about the user that might be better restricted to internal use, it gives information on when the user last logged in.
• usage patterns can be useful to intruders
– DNS• knowledge about the configuration of network
internals can be useful in attacks.
Logging
• If all access to network resources goes through one site, comprehensive logging of activity becomes feasible.
• What might look unimportant when logs of one host are examined, may be serious when aggregated with information about access to other hosts on the same network.
Policy
• A reasonable policy– allows access that is needed and useful– denies access that serves no good use and might
be dangerous
• A firewall is a way to enforce a good policy
Issues, problems with Firewalls
• Restricted access adds a burden to legitimate users
• Firewall provides no protection from attacks that originate behind the firewall
• A false sense of security may lead to carelessness
Firewall components
• network policy– what restrictions– how enforced
• advanced authentication mechanisms– one-time passwords, biometrics, smartcards, etc.
• packet filtering– source, destination IP address or port
• application gateways– proxy service
Packet filtering• Flexibility in what you allow• Perhaps allow http or smtp access to specific
internal hosts, but no access to others• Example:
Type Src addr Dst addr Src port DstPort
Action
Tcp * 123.4.5.6 >1023 23 permit
Tcp * 123.4.5.7 >1023 25 Permit
Tcp * 123.4.5.8 >1023 25 Permit
Tcp 129.6.48.254 123.4.5.9 >1023 119 permit
Udp * 123.4.*.* >1023 123 Permit* * * * * deny
(port 23= telnet; 25 = smtp; 119 = nntp; 123 = NTP )
What to restrict
• tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and routers, can also be used to read any file on the system if set up incorrectly
• X Windows, OpenWindows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes
• RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and read and write to files
• rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured can permit unauthorized access to accounts and
commands. Quoted from the reference source
More restrictions
• TELNET, port 23, often restricted to only certain systems, • FTP, ports 20 and 21, like TELNET, often restricted to only certain systems, • SMTP, port 25, often restricted to a central e-mail server, • RIP, port 520, routing information protocol, can be spoofed to redirect
packet routing, • DNS, port 53, domain names service zone transfers, contains names of hosts
and information about hosts that could be helpful to attackers, could be spoofed,
• UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can be used for unauthorized access,
• NNTP, port 119, Network News Transfer Protocol, for accessing and reading network news, and
• gopher, http ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway
that contains proxy services.
Examples
• Firewalls come in several types– Packet filtering
• simplest, common, block addresses and/or protocols
– Dual homed• proxy for all services that are needed
– Screened host• more flexible, less secure
– Screened subnet• no need for dual homed host
Dual homed host
Internet
Info server
Application Gateway
Complete block to IP traffic between the protected network and the Internet
Service only available by proxy servers on the Application Gateway
IP filtering
Host based application must accept all requests for specific services and pass on or not.
Mail, telnet, ftp,http, etc.
Screened host
Internet
Info server
Application Gateway
IP filtering
Application traffic from Internet to App Gateway ok; all other incoming traffic rejected; application from App Gateway to Internet ok; all other traffic from the network to the Internet rejected
Screened subnet
1Internet
Info server
E-mail server
Application Gateway
Similar in function to a dual homed host
2
Firewall summary
• The goal: impose a barrier between the protected network and the potential intruder
• The problem: provide protection without undo restriction on services to legitimate users.
• Most important: have a policy
• Options available for how to implement the policy