4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Transcription

1 4.. Filtering Filtering helps limiting traffic to useful services It can be done based on multiple criteria or IP address Protocols (, UDP, ICMP, ) and s Flags and options (syn, ack, ICMP message type, ) Filtering of source addresses prevents IP spoofing Filtering of flags allows defining the direction in which connections can be established 4..4 Network Address Translation (NAT) Public IP addresses are rare Instead of reserving 6 addresses for 00 workstations, we can hide those 00 workstations behind a single address With regards to this, the IETF has reserved three address ranges: Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security, NAT: basic principle We use private addresses in the network and one/several public addresses to communicate with the When a packet leaves the network, we replace its source address by a public address When a packet arrives from the, we replace its public destination by a private address We use a translation table to store the relations between and external addresses Dynamic NAT Initially, the translation table is empty When a packet leaves, we replace its source address by a public address We store the source and destination addresses and s When a reply to a packet arrives from, we search for the source that corresponds to the packet s destination We replace the destination by the source Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security,

2 Dynamic NAT: example Dynamic NAT: properties Dst NAT When two connections are differentiated only by their address we have a collision We can use a pool of public addresses and use different source addresses We can change the source (Port and Address Translation PAT) external Dynamic NAT doesn t allow establishing incoming connections (good protection by default) Ph. Oechslin, Network Security, Ph. Oechslin, Network Security, Static NAT Static NAT: example To allow incoming connections, we have to define certain static entries in the translation table Typically we create one entry per protocol (SMTP, HTTP, ) Different s from the same external address can lead to different addresses NAT external Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

3 NAT: limitations Certain protocols exchange their IP addresses With NAT, it s the private address that will be given If the knows the protocol, it can "patch" packets to replace the private address by public addresses Examples FTP, RealAudio, Quake, X windows, H.2 Certain protocols do not sup packet modifications NAT: advantages Less public addresses, limited costs Easy to change access provider Easy to re-organize the network Automatic protection effect (ref. Static NAT) Hides the network s structure IPSec Ph. Oechslin, Network Security, Ph. Oechslin, Network Security, Other features of Firewalls Authentication Remote Network access Encryption Packet Analysis Logging Authentication The can demand an authentication letting a connection through Outbound: allows limiting access only to privileged users Inbound: allows authorizing access to resources for employees on that are travelling Authentication can be done based on a local database or by inter with a central database Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security,

4 Remote network access The allows external users to access the LAN The external user establishes an encrypted connection (a tunnel) with the The user finds himself just as if he was inside the LAN The connection can be done via or modem Encryption A can encrypt or decrypt data that traverses a less secure zone Examples: Interconnection between two remote sites via Remote network access The encrypting is normally done from the public side of NAT Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security, Packet analysis A can analyze packets to verify their format and content Allows elimination of malformed packets (DOS, exploits) Allows elimination of packets that do not correspond to the protocol s current state (cf. stateful ) Allows elimination of packets with undesired content (Virus, basic filtering, ref. proxies) Generation of logs It is imant to be protected but we must also know when we are attacked and react accordingly Logs keep a trace of attack attempts They also allow verifying that the s or destinations that we authorize are really needed (least privilege) Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

5 4..6 Firewall Architectures Personal access Personal Firewall NAT + filtering with demilitarized zone Sandwiched demilitarized zone Personal firewall Ph. Oechslin, Network Security, Ph. Oechslin, Network Security, Personal access The personal firewall initially prohibits all connections Personal firewall NAT + filtering At each alarm, the user can authorize the application to connect for that time only or for always Allows blocking backdoors, spy-wares and certain worms An ideal complement to an anti-virus for safe surfing Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

6 NAT + filtering Demilitarized zone () Configuration Dynamic NAT for all machines Static NAT for all accessible servers Outbound filtering (useful traffic) Inbound filtering (blocking access to the firewall) Limitations No analysis of contents (virus) from Direct connections on servers (exploits, DoS) Application Low security, no large public Web server proxy Ph. Oechslin, Network Security, Ph. Oechslin, Network Security, Demilitarized zone Demilitarized zone (contd.) The demilitarized zone () is connected neither to the, nor to the network Allows preventing attacks Configuration Internal machines can only connect to the proxy Only the proxy can connect to the Outbound dynamic NAT, static inbound Outbound filtering (useful traffic), inbound filtering (blocking access to the firewall) Ph. Oechslin, Network Security, Limitations (of the example, not ) The firewall is a critical point All services pass through the same proxy, a vulnerability on a single service can give access to all traffic Application medium security needs Ph. Oechslin, Network Security,

7 Sandwiched Sandwiched HTTP SMTP DNS Configuration 2 Internal machines can only connect to the proxies (one protocol per proxy) Only proxies can connect to the No routing in proxies HTTP SMTP 2 DNS Outbound dynamic NAT, inbound static Outbound filtering (useful traffic), inbound filtering (blocking access to the firewall) Applications High security needs Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security, Example: web server Example: web server Not good! Not good! web proxy Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

8 Example: web server Bank example web access, intranet by modem external firewall proxies PSTN front end web HTTP SMTP DNS middle end zone 2 Internal firewall Control zone / logs Internal proxies Ph. Oechslin, Network Security, Intranet back end server Ph. Oechslin, Network Security, Filtering rules Filtering rules are specified in a list The firewall runs through the list until it finds a rule that applies The firewall executes the specified by the rule and moves on to the next packet We create a last rule that prohibits all that has not been authorized Filtering: A simple example Problem: protocol All s of our server are accessible as long as the hacker chooses as source! Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security,

9 Filtering: Corrected example Filtering: Stateful firewall protocol Specification of the ack flag prevents the sending of syn packets and hence the establishment of connections However, we can still send un-solicited ack packets (scanning, DoS) ack yes yes 5 Stateful know the established connections and can automatically authorize returning traffic Safer: No un-solicited packets Simpler, hence less errors protocole Ph. Oechslin, Network Security, 2007 Ph. Oechslin, Network Security, Organization of filtering rules Organization: example The order in which the rules are specified is imant web proxy When there are m rules, it is imant to organize them systematically dmz-web protocol 2 proxy 4 Rule allows machines to access dmz-web, while rule should have prohibited it Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

10 Organization: correction Organization: method web proxy We define a security level for each zone 2 4 proxy dmz-web The fate of packets from the network is sealed by rule 2, rule does not influence the traffic more protocol Ph. Oechslin, Network Security, We groups rules by zones in descending order of security level Each groups consists of four parts: Explicit authorizations for inbound traffic General prohibition for inbound traffic Explicit authorizations for outbound traffic General prohibition for outbound traffic Ph. Oechslin, Network Security, Organization: example (4 zones) Organization: properties bob alice 2 protocol tcp For each zone, it is sufficient to declare the flow towards less secure zones zone alice Zone zone bob 2 authorized traffic entering zone 2 The flow towards more secure zones cannot more be influenced (goal of the operation): "" refers to lower levels zone 2 zone Any other traffic entering zone 2 authorized traffic leaving zone 2 other traffic leaving zone 2 authorized traffic entering zone other traffic entering zone authorized traffic leaving zone 2 other traffic leaving zone,log A rule that implies 2 zones appears in the block pertaining to the more secure zone The block pertaining to the last zone is empty The last rule (-) must not be required. By activating logs on that rule we may detect possible errors Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,

11 Example: Checkpoint Example: SonicWall Configuration of a small firewall by HTTP Ph. Oechslin, Network Security, Ph. Oechslin, Network Security,