Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Transcription

1 Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown Some slides from Mark Stamp Information Security: Principles and Practice 2nd edition (Wiley 2011). 2 Firewalls - pbrandao 1

2 Firewalls 3 Internet Firewall Firewall must determine what to let in to internal network and/or what to let out Access control for the network Internal network A firewall is like a secretary To meet with an executive Firewall as Secretary First contact the secretary Secretary decides if meeting is important So, secretary filters out many requests You want to meet chair of CS department? Secretary does some filtering You want to meet the PoPT? Secretary does lots of filtering 4 Firewalls - pbrandao 2

3 Firewalls and Intrusion Prevention Systems internet connectivity is essential for organization and individuals but creates a threat effective means of protecting LANs could secure workstations and servers also use firewall as perimeter defence single choke point to impose security 5 Inside Outside capabilities: defines a single choke point Firewall Capabilities & Limits provides a location for monitoring security events convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs limitations: cannot protect against attacks bypassing firewall may not protect fully against internal threats improperly secure wireless LAN laptop, PDA, portable storage device infected outside then used inside 6 Firewalls - pbrandao 3

4 Types of Firewalls 7 8 Types of Firewalls Firewalls - pbrandao 4

5 Packet Filtering Firewall applies rules to packets in/out of firewall based on information in packet header src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted more conservative, controlled, visible to users forward - permit unless expressly prohibited easier to manage/use but less secure 9 Packet Filter 10 Operates at network layer Can filter based on Source IP address Destination IP address Source Port Destination Port Flag bits (SYN, ACK, etc.) Egress or ingress Application Transport Network Logic Physical Firewalls - pbrandao 5

6 What s in a Packet IPv4 packet 11 Ver(4) IHL(4) DSCP (6) ECN(2) Total Length (16) Identification (16) Flags(4) Frag Offset (12) TTL (8) Protocol (8) Header Checksum (16) Source Address (32) Destination Address (32) Options Padding IHL - Internet Header Length DSCP Differentiated Service Code Point (Type of Service) ECN - explicit congestion notification Packet Filter Configured via Access Control Lists (ACLs) 12 Action Source IP Dest IP Source Port Dest Port Protocol Flag Bits Allow Inside Outside Any 80 HTTP Allow Outside Inside 80 > 1023 HTTP Deny All All All All All Any ACK All Q: Intention? A: Restrict traffic to Web browsing Firewalls - pbrandao 6

7 13 Packet Filter Rules Packet Filter Weaknesses weaknesses cannot prevent attack on application bugs limited logging functionality do no support advanced user authentication vulnerable to attacks on TCP/IP protocol bugs improper configuration can lead to breaches attacks IP address spoofing, source route attacks, tiny fragment attacks 14 Firewalls - pbrandao 7

8 TCP ACK Scan Attacker scans for open ports thru firewall Port scanning is first step in many attacks Attacker sends packet with ACK bit set, without prior 3-way handshake Violates TCP/IP protocol ACK packet pass thru packet filter firewall Appears to be part of an ongoing connection RST sent by recipient of such packet 15 TCP ACK Scan 16 ACK dest port 1207 ACK dest port 1208 ACK dest port 1209 Trudy Packet Filter Attacker knows port 1209 open thru firewall A stateful packet filter can prevent this RST Since scans not part of established connections Internal Network Firewalls - pbrandao 8

9 Stateful packet filter 17 reviews packet header information but also keeps info on TCP connections typically have low, known port nr for server and high, dynamically assigned client port nr simple packet filter must allow all return high port numbered packets back in stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections only allow incoming traffic to highnumbered ports for packets matching an entry in this directory may also track TCP seq numbers as well Application Transport Network Logic Physical Stateful Packet Filter 18 Advantages? Can do everything a packet filter can do plus... Keep track of ongoing connections (so prevents TCP ACK scan) Disadvantages? Cannot see application data Slower than packet filtering Application Transport Network Logic Physical Firewalls - pbrandao 9

10 Application-Level Gateway 19 acts as a relay of application-level traffic users contact gateway with remote host name authenticate themselves gateway contacts application on remote host and relays TCP segments between server and user must have proxy code for each application may restrict application features supported more secure than packet filters but have higher overheads Application Transport Network Logic Physical Application Proxy 20 Advantages? Complete view of connections and applications data Filter bad data at application layer (viruses, Word macros) Disadvantages? Speed Application Transport Network Logic Physical Firewalls - pbrandao 10

11 Circuit-Level Gateway 21 sets up two TCP connections, to an inside user and to an outside host relays TCP segments from one connection to the other without examining contents hence independent of application logic just determines whether relay is permitted typically used when inside users trusted may use application-level gateway inbound and circuit-level gateway outbound hence lower overheads Application Transport Network Logic Physical SOCKS Circuit-Level Gateway SOCKS v5 defined as RFC1928 to allow TCP/UDP applications to use firewall components: SOCKS server on firewall SOCKS client library on all internal hosts SOCKS-ified client applications client app contacts SOCKS server, authenticates, sends relay request server evaluates & establishes relay connection UDP handled with parallel TCP control channel 22 Firewalls - pbrandao 11

12 Deep Packet Inspection Many buzzwords used for firewalls One example: deep packet inspection What could this mean? Look into packets, but don t really process the packets Effect like application proxy, but faster 23 Deep Packet Inspection 24 Uses information up to Application layer Including app data Can differentiate based on all information Prioritize, reroute, shape, drop, etc. Used by ISPs to: Detect/mitigate security attacks DoS, buffer overflows, virus, etc. Throttle unwanted P2P Touches net neutrality Hardware implemented Needs to be at line speed Application Transport Network Logic Physical Firewalls - pbrandao 12

13 Firewall Topologies 25 Typical network security architecture Firewalls and Defense in Depth 26 Web server DMZ FTP server DNS server Internet Packet Filter Application Proxy Intranet with additional defense Firewalls - pbrandao 13

14 Firewall Basing several options for locating firewall: bastion host individual host-based firewall personal firewall 27 Bastion Hosts critical strongpoint in network hosts application/circuit-level gateways common characteristics: runs secure O/S, only essential services may require user auth to access proxy or host each proxy can restrict features, hosts accessed each proxy small, simple, checked for security each proxy is independent, non-privileged limited disk use, hence read-only code 28 Firewalls - pbrandao 14

15 Host-Based Firewalls used to secure individual host available in/add-on for many O/S filter packet flows often used on servers advantages: tailored filter rules for specific host needs protection from both internal / external attacks additional layer of protection to org firewall 29 Internal Net Personal Firewall controls traffic flow to/from PC/workstation for both home or corporate use may be software module on PC or in home cable/dsl router/gateway typically much less complex primary role to deny unauthorized access may also monitor outgoing traffic to detect/block worm/malware activity 30 Internal Net Firewalls - pbrandao 15

16 31 Firewall Locations Virtual Private Networks 32 Firewalls - pbrandao 16

17 33 Distributed Firewalls Firewall Topologies host-resident firewall screening router single bastion inline single bastion T double bastion inline double bastion T distributed firewall configuration 34 Firewalls - pbrandao 17

18 Single bastion inline Firewall Topologies 35 Single bastion T Firewall Topologies Double bastion inline 36 Double bastion T Firewalls - pbrandao 18

19 IPS 37 I N T R U S I O N P R E V E N T I O N S Y S T E M S Intrusion Prevention Systems (IPS) addition to security products inline net/host-based IDS that can block traffic functional addition to firewall that adds IDS capabilities can block traffic like a firewall using IDS algorithms may be network or host based 38 Firewalls - pbrandao 19

20 Host-Based IPS identifies attacks using both: signature techniques malicious application packets anomaly detection techniques behavior patterns that indicate malware can be tailored to the specific platform e.g. general purpose, web/database server specific can also sandbox applets to monitor behavior may give desktop file, registry, I/O protection 39 Internal Net Network-Based IPS inline NIDS that can discard packets or terminate TCP connections uses signature and anomaly detection may provide flow data protection monitoring full application flow content can identify malicious packets using: 40 pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly cf. SNORT inline can drop/modify packets Firewalls - pbrandao 20

21 41 Unified Threat Management Products Tools 42 Firewalls - pbrandao 21

22 Firewalk Tool to scan for open ports thru firewall nmap script Attacker knows IP address of firewall and IP address of one system inside firewall Set TTL to 1 more than number of hops to firewall, and set destination port to N If firewall allows data on port N thru firewall, get time exceeded error message Otherwise, no response 43 Firewalk and Proxy Firewall 44 Trudy Router Router Packet filter Router Dest port 12343, TTL=4 Dest port 12344, TTL=4 Dest port 12345, TTL=4 Time exceeded This will not work thru an application proxy (why?) The proxy creates a new packet, destroys old TTL Firewalls - pbrandao 22

23 iptables path of an IP packet on Netfilter 45 PREROUTING ROUTE FORWARD POSROUTING Mangle Mangle Mangle NAT (Dst) INPUT Filter Security ROUTE NAT (Src) Mangle OUTPUT Chains Tables Filter Security Local Process Mangle NAT (Dst) Filter Security Tables contain chains 46 Filter INPUT Nat PREROUTING Mangle PREROUTING Filter INPUT FORWARD FORWARD FORWARD FORWARD OUTPUT POSROUTING POSROUTING OUTPUT INPUT OUTPUT Firewalls - pbrandao 23

24 iptables (cont) Add rules to tables specifying the chains there in. When a packet matches a rule its target is done Targets vary according to tables. Examples: Filter Table: DROP, ACCEPT NAT Table: DNAT, SNAT, MASQUERADE, REDIRECT New chains may be created by the user and set as targets of rules. 47 Example: iptables (cont.) 48 ## Change source addresses to iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to table chain target Firewalls - pbrandao 24

25 firewall-bypass Uses the connection helpers of netfilter to open ports nmap firewall-bypass script Protocols such ftp or sip have out-of-band management Have a management connection diff from the data and have a passive mode Netfilter must interpret this (e.g.: nf_conntrack_ftp) Firewall-bypass uses incorrect config to open ports on the firewall See more detail on Eric Leblond presentation 49 Summary introduced need for & purpose of firewalls types of firewalls packet filter, stateful inspection, application and circuit gateways firewall hosting, locations, topologies intrusion prevention systems 50 Firewalls - pbrandao 25

26 Demonstration 51 Network 52 Internet enp0s enp0s enp0s / / Firewalls - pbrandao 26

27 SSH access: server workstation [workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT Default is filter table [workstation] iptables -L INPUT --line-numbers [server] ssh [workstation] iptables -D INPUT 1 Or iptables -D INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT [workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j DROP [server] ssh o ConnectTimeout= [workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j ACCEPT [server] ssh o ConnectTimeout= [workstation] iptables -L INPUT --line-numbers [workstation] iptables -I INPUT 1 -i enp0s8 --proto tcp --dport 22 -j ACCEPT [server] ssh o ConnectTimeout= SSH access: mediavault workstation [openmediavault] ssh [server] iptables A FORWARD proto tcp dport 22 j REJECT [openmediavault] ssh [workstation] ssh [server] iptables I FORWARD 1 o enp0s8 proto tcp dport 22 j ACCEPT [workstation] ssh [openmediavault] ssh Firewalls - pbrandao 27

28 Allow ping from workstation [server] iptables P FORWARD DROP 55 [server] iptables -A FORWARD o enp0s9 -p icmp --icmp-type echo-request - j ACCEPT [server] iptables -A FORWARD o enp0s8 -p icmp --icmp-type echo-reply -j ACCEPT [server] iptables -A FORWARD m state state ESTABLISHED,RELATED -j ACCEPT Firewalls - pbrandao 28