Network Security Fundamentals

Transcription

1 Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013

2 Network Security Fundamentals Module 6 Firewalls & VPNs

3 Topics Firewall Fundamentals Case study: Linux iptables Virtual Private Networks (VPNs) 3

4 Firewalls 4

5 Firewalls 5

6 Firewalls A firewall limits the extent to which hosts on different networks can interact with one another 6

7 Types of firewalls Packet level Application level Host-based 7

8 Packet level firewalls Firewall inspects incoming packets Blocks packets violating policy rules => packets dropped without acknowledgement Rules allow blocking based on Source and destination IP address Source and destination port Protocol, flags, TOS, 8

9 Statelessness Traditional packet level firewalls treated every packet independently Stateless firewalling Problem Doesn t relate packet information to overall packet flow Doesn t remember anything Results in coarse-grained control Forces overly liberal or conservative policies 9

10 Example H.323 video streaming protocol Initiates two TCP connections and several RTP (real-time transport protocol) streams The RTP streams contain no information relating them to the H.323 application How should a stateless firewall decide if these streams are to be blocked? 10

11 Example IP Fragmentation All but the first fragment don t specify ports 11

12 Statefulness Solution: firewall keeps state about recent packet flows Decides to block packet based on packet contents plus stored state More fine-grained control Obviates application-level firewalls Problem All that state consumes firewall resources 12

13 Canonical firewalled network 13

14 Zones Collection of networks with specified security properties Perimeter DMZ Wireless Intranet 14

15 Perimeter zone The outside world Untrusted zone No control over hosts in this zone Internet rules 15

16 DMZ Demilitarized zone Contains an organization s publicly visible services ( , Web, DNS, FTP, ) Hardened hosts Proxies Semi-trusted zone 16

17 Intranet zone Most trusted zone Organizational assets placed here Access blocked from untrusted zones Access via proxies in the DMZ only 17

18 Wireless zone A perimeter zone! Untrusted hosts Semi-trusted network 18

19 Application-level firewalls Application proxy server Accepts client traffic Maintains state, validates traffic Passes validated traffic to server 19

20 Application-level firewalls Firewall worries about security Obviates security-related server changes Hampers defense-in-depth Firewall must understand application protocol Increased complexity Stateful packet-level firewalls are an alternative 20

21 Host-based firewalls Firewall run on individual hosts Placed between incoming packets and the host network stack Acts like a packet-level firewall 21

22 Host-based firewalls Each host requires policy management Administration headache Simple default policies in distributions Defense-in-depth 22

23 References The Tao of Network Security Monitoring, Richard Bejtlich, Addison-Wesley, ISBN Information Security Illuminated, Michael G.Solomon and Mike Chapple, Jones and Bartlett, (accessed March 2013) 23

24 iptables 24

25 Linux packet-level firewall Successor to IP Chains NAT/NAPT support Extended functionality via modules Stateful filter support Applications Host based firewall Stateful packet firewall net.ipv4.ip_forward=1 in /etc/sysctl.conf IP Tables 25

26 IP Tables Architecture Three tables for organization filter, nat, mangle Each table contains several chains built-in (invoked at fixed points in network layer) user-defined Each chain contains several rules first rule matched determines action taken Each rule contains matching criteria and target Built-in chains have policies specifies default target if no rule in chain matches 26

27 Rules (Standard) matching criteria protocol source IP (address/mask) dest IP (address/mask) port (source/dest/both) interface (input/output) Target 27

28 Rules Extended matching criteria Implemented via modules Connection state matching INVALID packet not associated with any connection NEW packet is starting a new connection ESTABLISHED packet is associated with existing connection RELATED packet is starting a new connection, but is associated with an existing connection» FTP DATA, ICMP error Several other extended matching criteria 28

29 Predefined targets All terminate processing in this chain for this packet ACCEPT accept packet for processing DROP drop packet QUEUE pass packet to userland (not common) RETURN return to calling chain (use policy if no calling chain) 29

30 Extended targets Both terminating and non-terminating targets REJECT (terminating) return packet indicating error LOG (non-terminating) generate log entry 30

31 Default table Built-in chains INPUT incoming network packets FORWARD packets being routed by the host OUTPUT locally-generated packets output to network filter table 31

32 nat table For network address translation Built-in chains PREROUTING (DNAT) alter packets as they arrive OUTPUT alter locally-generated packets before routing POSTROUTING (SNAT) alter packets as they depart 32

33 mangle table For specialized packet changes change TOS/DSCP header set netfilter mark value Built-in chains PREROUTING INPUT OUTPUT FORWARDING POSTROUTING 33

34 Firewall traversal Prerouting Route Forward Input Local Output Postrouting 34

35 Firewall Traversal Rob Mayoff 35

36 Some caveats iptables and ipchains don t mix rule additions are atomic rule set additions are not avoid leaving firewall open while editing use DROP, DENY, REJECT policies policy actions do not log rules are not removed when an interface goes down raw sockets are unaffected by rules 36

37 iptables lab Examine iptables man page man iptables Examine existing firewall settings sudo service iptables status sudo iptables -L Add firewall rules sudo iptables -I 37

38 Virtual Private Networks (VPNs) 38

39 Roadmap Definition VPN Uses Types of VPNs Protocol Details 39

40 Definition A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines. A VPN uses encryption to authenticate the communications endpoints and to secure your data as it travels over an insecure network. 40

41 VPN motivators Confidentiality, Integrity & Authentication Encryption Bypass blocks Border Local ISP Extends the office network VoIP Drive mapping Collaboration Enabling technology 41

42 Some VPNs Protocol IPSec Standards-based Varied Encryption Levels Flexible SSL Clientless (Web Browser) Application SSH VPN is not a single solution 42

43 IPSec Details IPSec protocol Internet Standard Two complementary protocols Authentication Headers (AH) Prevents tampering with packet headers Encapsulating Security Protocol (ESP) Provides confidentiality and integrity of packet contents 43

44 IPSec Details AH (Protocol 51) AH Transport Used to authenticate the integrity of the datagram IP Header (with options) A H Transport Layer Header Transport Layer Data All Authenticated (except non mutable fields), e.g., TTL As the entire packet is authenticated, there are some limitations. If using NAT or a firewall where a gateway changes your address, then the packet will fail to authenticate at the far end as the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the Gateway will have to be considered the endpoint. 44

45 IPSec Details ESP (Protocol 50) Encapsulation Security Payload ESP will encrypt the payload so that it is private as it passed through the network IP Header (with options) ESP Header Transport Layer Header Transport Layer Data ESP Trailer ESP Authentication Encrypted Authenticated As you can note, the ESP authentication does not authenticate the IP header so this does not have a problem with working behind NAT. 45

46 C I S C O SY S T E M S Logical Connection to VPN Concentrator Public Network Yahoo Tunneled Remote Access client (Split Tunnel ) ARBL COOL Ethernet UM Backbone Cisco 3030 Wireless User (non-split tunnel) Pool Pool Internal Server Ethernet ARBL COOL 46