Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Transcription

1 Introduction TELE 301 Lecture 21: s David Eyers (dme@cs.otago.ac.nz) Telecommunications Programme University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection tracking NAT and Port Forwarding Routers s Primary purpose is to forward packets (Layer 3). Demarcates a broadcast zone. Segments networks. May demarcate management borders. Used to shield the border of networks. Switch where you can, route where you must. Often some firewall capabilities. (Layer 4) Filter traffic at layers 3-4 of OSI model. Deals most commonly with IP, TCP, UDP & ICMP. Also outer layers, such as Content filtering (Layer 7) MAC address filtering (Layer 2) Owning OS process / user Gateways Sample Large Network A very broad term. One sense is... Application Layer Gateway (ALG) , Web Other sense is the closest router. A gateway can convert between two different types of network SMS / gateway, or VoIP / PSTN Internet ISP Border Router Department Servers and Hosts DMZ Demarcation Router Distribution Network Support Services

2 Border Router De-Militarised Zones Coarse-grained inspection. Block offensive networks from getting inside your network. Route to null0 or drop at firewall. Hide parts of interior network from outside. Stop interior hosts from accessing internet directly. Force use of web proxy or gateway. Create a De-Militarised Zone (DMZ), creating a different network for public servers. Internal machines should not trust these machines. Ideally, these machines will be independent of internal machines. Don t use same back-end servers for databases etc. if you can help it. Demarcation Router Used to segregate / demarcate parts of the network. Creates administrative zones. May have a shared router... or both parties have a router, and an empty network between them. R1 R2 Provides a looking-glass for monitoring the network. Rs Commonly done on the router. Used to implement a finer-grained access policy. TCP/UDP ports, ICMP message types, rate limiting. Protects against illegitimate packets. Two varieties: Packet Filtering firewalls and SOCKS firewalls (proxies) Place firewall inside of router. Routers are faster, better equipped for simple dropping. Place in front of infrastructure. Beware the filtering rate for high Packet Per Minute (PPM) applications. Effect of packet drop. s incur some delay, but it is usually negligible when compared with the Internet. s are not a panacea! Individual hosts commonly have firewall. Fast becoming the out-of-box configuration. Useful for servers, dial-up users, large networks, visitor networks,... Protection from network worms and other forms of malware. Can limit based on application / user. Useful for both ingress and egress filtering.

3 Gateway Can be used to implement a Web Proxy. Use can be enforced by router / firewall. Can be used as filtering solution. All outgoing and incoming mail must go through a mailhub only authorised hosts can be servers. All is scanned for viruses and SPAM. Small-Time on same machine as router, possibly also web-proxy. Uses NAT to share one public IP address. Commonly in the form of a hardware router. Or with something like Linux with IPTables... Windows/Mac Internet Connection Sharing. Usually no internet facing services, or services offsite. Router Solutions May be different models Cisco PIX Security Levels [0..100] + access_list Downhill allowed, Uphill via access list. Packet Filter Software solutions are cheaper, more flexible, lower performance, but worthwhile. The Linux/Unix Solution Under Linux 2.4+, we use IPTables. (Previously IPChains.) OpenBSD uses pf. Other BSDs (incl Mac OS X) use ipfw. All tools are command-line. defined in a script. Many front-ends and wrapper scripts are available to make it easier for lay administrators. Imperative versus declarative definition Packet Filtering Process Think of a firewall as a set of inverted trees. Input, Output and Forward. Create a chain for each combination of {in,out} Each packet starts at the top of its respective tree. Packet is inspected one test at a time. Accept or drop (processing stops) Jump into another rule-set (continue processing) Return from a rule-set (or fall-off a rule-set) Falling off the tree s rule-set invokes the default policy for that tree. Trees of Chains Forward Input Output Accept established connections From Inside To Outside Drop Microsoft Networking Accept From Outside To Inside Allow SSH to Drop

4 Stateful s A stateful firewall tracks connections, making it easier to write rules, and with more closure. At the start of the firewall, we enter a rule to allow packets that are part of, or related to existing connections. Further down, we allow the TCP SYN packets for the connections we want. Stateful s Some protocols may need to be tracked specially, using data available inside the application layer payload. (FTP) UDP is connectionless, so tracking is a little less precise, but still good enough, so long as the source port is random. Because of the higher resource requirements for stateful firewalls, they may not be suitable for border routers on larger networks. FWs can Guard Against... FWs aren t a Panacea Near-local spoofing where packets come in on the wrong interface. Ping-floods against internal hosts though the firewall still gets flooded. Syn-Ack attacks Limit TCP half-open connections to say 20/min. Fragment attacks stateful firewalls. Spoofing internet hosts solved using tools such as SSL Flooding your internet connection requires upstream co-operation. No protocol support for this. Detecting network anomalies requires checking of logs, Intrusion Detection Systems Poor policy. Source NAT Source NAT of TCP/80 Source address are rewritten so they appear to originate from the NAT gateway Allows us to share one (or a pool of) public IP address with many devices on a network with private addresses. Source port may be translated too (PAT) Private addresses: 10/8, /16, / ( ,80, ,x) ( ,x, ,80) ( ,y, ,80) ( ,80, ,y)

5 Connection Tracking Tracking of connections currently in use. Connection = (saddr,spt,daddr,dpt) Some protocols need to be specially tracked. Lots of problems for applications. IPv6 will solve some problems introduced by NAT, but will not solve the problem of connection tracking. Destination NAT Incoming connections need to be forwarded. Vendor terminology differs: port forwarding, NAPT, Destination NAT, pin-holing. Some effort to allow applications to open ports for destination NAT: UPnP IGD, NAT- PMP Security issues. Resources RFC 2647 Benchmarking Terminology for Performance (iptables) books/handbook/firewalls-ipfw.html