CSCI 680: Computer & Network Security

Size: px

Start display at page:

Download "CSCI 680: Computer & Network Security"

Audra Quinn
5 years ago
Views:

1 CSCI 680: Computer & Network Security Lecture 21 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck, Micah Sherr and Patrick McDaniel 1

2 Filtering: Firewalls Filtering traffic based on policy Policy determines what is acceptable traffic Access control over traffic Accept or deny May perform other duties Logging (forensics, SLA) Flagging (intrusion detection) QoS (differentiated services) 2

3 IP Firewall Policy Specifies what traffic is (not) allowed Maps attributes to address and ports Example: HTTP should be allowed to any external host, but inbound only to web-server Rules typically refer to IP addresses, not hostnames -- WHY? 3

4 Default accept vs. Default deny Default policy specifies what to do if no other policy applies Most OSes default to default accept Most organizations default to default deny WM: Default deny for incoming traffic 4

5 Blacklisting Specifies connectivity that is explicitly disallowed E.g., prevent connections from badguys.com Whitelisting Specifies connectivity that is explicitly allowed E.g., allow connections from goodguys.com 5

6 Stateless vs. Stateful Stateless: each packet considered in isolation Single packet contains insufficient data to make access control decision Stateful: allows historical context consideration Firewall collects data over time e.g., TCP packet is part of established session Q: What are the advantages/disadvantages of stateless and stateful? 6

7 DMZ (De-militarized Zone) Zone between LAN and Internet 7

8 Practical Issues and Limitations Network layer firewalls are dominant DMZs allow multi-tiered firewalling Tools are widely available and mature Personal firewalls gaining popularity Issues Network perimeters not quite as clear as before: e.g., telecommuters, VPNs, wireless Every access point must be protected Hard to debug, maintain consistency and correctness Often seen by non-security personnel as impediment E.g., Just open port X so I can use my wonder widget 8

9 Proxy Firewall Some firewalls act like proxies Two broad variants: Transparent : Inline. Allows traffic through. Does not terminate any connection. Proxy: Terminates the connection and raises it up to the application layer, and starts a new connection to the inside. E.g., SSH Gateways into companies. 9

10 Firewall Implementations Linux iptables ( also referred to as Netfilter lots of GUIs, higher-level apps, etc. e.g., ufw PF: OpenBSD Packet Filter Mac OS X Application Firewall Windows firewall thingy 12

11 Netfilter Chain: checklist of firewall rules Firewall chains: INPUT: if packet is destined for this host FORWARD: if packet is destined for another network interface OUTPUT: outgoing packets Packets either get dropped or advance towards next chain dst? FORWARD OUTPUT Internet me INPUT Local process 13

12 iptables Concepts The iptables firewall looks in the firewall table to see if the chain associated with the current hook matches a packet, and executes the target if it does. Table: all the firewall rules Chain: list of rules associated with the chain identifier, e.g., hook name Match: when all of a rule s field match the packet Target: operation to execute on a packet given a match 14

13 iptables Rule Parameters Non-comprehensive list of things you can match on: Destination/Source Specific IPs, or IP address range and netmask Protocol of packet: ICMP, TCP, etc Fragmented only Incoming/outgoing interface 16

14 Per Protocol Options Specialized matching options for rules that are specific to a particular protocol E.g., for TCP: Source/destination ports (also for UDP) TCP flags: SYN, SYN/ACK, ACK 18

15 Targets Define what to do with the packet at this time ACCEPT/DROP QUEUE for user-space application LOG any packet that matches REJECT drops and returns error packet RETURN enables packet to return to previous chain 19

16 Examples iptables -A INPUT -s j ACCEPT iptables -A INPUT -s j DROP iptables -A INPUT -s p tcp -j DROP iptables -A INPUT -s p tcp --dport telnet -j DROP iptables -A INPUT -p tcp --destination-port telnet -i eth0 -j DROP 20

17 Example: Gateway/DMZ Firewalls Assume you have two firewalls (FW1 and FW2), each with two ethernet interfaces (eth0 and eth1). FW1 FW2 DMZ eth0 eth1 eth0 eth1 FW1 protects the DMZ, and FW2 protects the LAN Define an iptables policy for FW1 that Allows new Internet traffic to reach port 80 on Does not allow traffic to reach the LAN ( /24) Define an iptables policy for FW2 that Allows internal hosts to reach the webserver, but nothing else in the DMZ ( /24) Prevents DMZ hosts from initiating connections to LAN 21

18 Example: Gateway/DMZ Firewalls FW1 Policy # iptables -F INPUT # iptables -F OUTPUT # iptables -F FORWARD # iptables -P INPUT ACCEPT # iptables -P OUTPUT ACCEPT # iptables -P FORWARD DROP # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -d dport 80 -j ACCEPT # iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT FW2 Policy # iptables -F INPUT # iptables -F OUTPUT # iptables -F FORWARD # iptables -P INPUT ACCEPT # iptables -P OUTPUT ACCEPT # iptables -P FORWARD DROP # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -d dport 80 -j ACCEPT # iptables -A FORWARD -i eth1 -o eth0 -d! /24 -j ACCEPT 22

19 Example: Host Firewall Assume you have a host with one network interface (eth0). You are running SSH (port 22) and want to allow access by external hosts. You are also running Apache for Web development, and only want it to be accessed by other hosts on the LAN ( /24) # iptables -F INPUT # iptables -F OUTPUT # iptables -F FORWARD # iptables -P INPUT DROP # iptables -P OUTPUT ACCEPT # iptables -P FORWARD DROP # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -i eth0 -m state --state NEW --dport 22 -j ACCEPT # iptables -A INPUT -i eth0 -m state --state NEW -s /24 --dport 80 -j ACCEPT 23

20 Deep Packet Inspection Deep packet inspection looks into the internals of a pack to look for some application/content context e.g., inspect HTTP for URLs that point to malicious websites Can have serious privacy issues if done by, say, Comcast To specify a match in iptables iptables -A INPUT -p tcp -m string --algo bm --string 'exe' matches packet with content containing exe iptables -A INPUT -p tcp -m length --length 10:100 matches packet with length between 10 and 100 bytes 24

21 Announcements Course Evaluations due soon! HW4 due tonight. HW5 for extra credit. 25

CS Computer and Network Security: Firewalls

CS Computer and Network Security: Firewalls CS 5410 - Computer and Network Security: Firewalls Professor Patrick Traynor Fall 2017 Reminders Monday: Change of Plans Recording lecture - turn in your rules. Friday: Project Abstract The hardest paragraph