Internet Security: Firewall

Transcription

1 Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits to carefully controlled points

2 Firewall Combination of hardware and software to regulate traffic between an internal network and an external network (Internet) of threats What a Firewall can Do Focus security decisions Enforce security policies Log Internet activity What Protect against malicious insiders Protect against connections that bypass it Protect against completely new threats Protect against viruses and worms Set itself up correctly

3 Ingress vs. Egress Firewall Ingress firewall incoming connections typically to select the (public) services offered sometimes as part of an application exchange initiated by my users outgoing connections Egress firewall typically to check the activity of my personnel Firewall Design we need to achieve an optimal trade-off between security and functionality... with minimum cost

4 Firewall Design Principles Firewall Characteristics Four general techniques: Service control: determines the types of Internet services that can be accessed, inbound or outbound) Direction control: determines the direction in which particular service requests are allowed to flow) User control: controls access to a service according to which user is attempting to access it) Behavior control: control how particular services are used

5 Authorisation Policies Classification of Firewalls Characterised by protocol level it controls: Packet filtering Circuit Gateways Application Gateways Firewall basic components: screening router that filters traffic at IP level bastion host secure system, with auditing proxy service that works on behalf of an application, dual-homed gateway system with two network cards and routing disabled

6 At which level does a firewall work? Packet Filtering Implemented through a screening router Router: can the packet be routed to its destination? Screening router: should the packet be routed to its destination? Decision based on information in the IP packet header IP source address IP destination address Protocol (TCP, UDP, ICMP) Source port number Destination port number Packet size

7

8 Packet Filtering Additional information Interface the packet arrives on Interface the packet will go out on State information Is the packet a response to an earlier packet? Number of recent packets seen from the same host Is the packet identical to a recently seen packet? Is the packet a fragment? Stateful Packet Filtering Traditional packet filters do not examine higher layer context ie matching return packets with outgoing flow Stateful packet filters address this need They examine each IP packet in context Keep track of client-server sessions Check each packet validly belongs to one Hence are better able to detect bogus packets out of context

9 Security & Performance of Packet Filters IP address spoofing Fake source address to be trusted Add filters on router to block Tiny fragment attacks Split TCP header info over several tiny packets Either discard or reassemble before check Degradation depends on number of rules applied at any point Order rules so that most common traffic is dealt with first Correctness is more important than speed

10 Proxy Servers Specialized application programs for Internet services (HTTP, FTP, telnet, etc.) Proxy server Proxy client Need a mechanism to restrict direct communication between the internal and external networks Policy embedded in proxy servers Two kinds of proxies Application-level gateways/proxies Tailored to http, ftp, smtp, etc. Circuit-level gateways/proxies Working on TCP level Application Level Gateway

11 Application-Level Gateways 1. Has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user Need separate proxies for each service E.g., SMTP ( ) NNTP (Net news) DNS (Domain Name System) NTP (Network Time Protocol) custom services generally not supported Application-Level Gateways 2. composed by a set of proxies inspecting the packet payload at application level often requires modifications to the client application may optionally mask / renumber the internal IP addresses when used as part of a firewal, usually performs also peer authentication top security!! (e.g. against buffer overflow of the target application) rules are more fine-grained and simple than those of a packet filter

12 Limitations of App-Level Gateways delay in supporting new applications heavy on resources (many processes) low performance (user-mode processes) completely breaks the client/server model not transparent to the client Circuit Level Gateway

13 a - creates a transport-level circuit between client and server any way the payload data breaks the TCP/UDP-level client/server model during the connection may authenticate the client but this requires modification to the application still exhibits many limitations of the packet filter

14 Firewall Architectures Screening Router Dual-Homed Host Screened Host Screened Subnet Screening Router

15 Dual-Homed Host Screened Host

16 Screened Subnet

17 Useless against attacks from the inside Evildoer exists on inside Malicious code is executed on an internal machine Organizations with greater insider threat Banks and Military Protection must exist at each layer Assess risks of threats at every layer Cannot protect against transfer of all virus infected programs or files because of huge range of O/S & file types