Unit 4: Firewalls (I)

Similar documents
firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

CSC Network Security

Chapter 8 roadmap. Network Security

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Why Firewalls? Firewall Characteristics

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CSE 565 Computer Security Fall 2018

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Internet Security: Firewall

CE Advanced Network Security

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Network Security. Thierry Sans

Implementing Firewall Technologies

CyberP3i Course Module Series

Computer Security and Privacy

SonicWALL / Toshiba General Installation Guide

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

20-CS Cyber Defense Overview Fall, Network Basics

Network Security: Firewall, VPN, IDS/IPS, SIEM

Indicate whether the statement is true or false.

CSC 4900 Computer Networks: Security Protocols (2)

Chapter 9. Firewalls

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Application Firewalls

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls. Types of Firewalls. Schematic of a Firewall. Conceptual Pieces Packet Filters Stateless Packet Filtering. UDP Filtering.

Firewalls can be categorized by processing mode, development era, or structure.

Wireless LANs (CO72047) Bill Buchanan, Reader, School of Computing.

Advanced Security and Mobile Networks

Filtering Trends Sorting Through FUD to get Sanity

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

ISA 674 Understanding Firewalls & NATs

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Configuring Commonly Used IP ACLs

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

10 Defense Mechanisms

History Page. Barracuda NextGen Firewall F

CHAPTER 8 FIREWALLS. Firewall Design Principles

ASA Access Control. Section 3

KillTest. 半年免费更新服务

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Computer and Network Security

Broadcast Infrastructure Cybersecurity - Part 2

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Configuring NAT for IP Address Conservation

Firewalls, Tunnels, and Network Intrusion Detection

Cisco IOS Firewall and Security Appliances

CISCO EXAM QUESTIONS & ANSWERS

ASA/PIX Security Appliance

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

HP High-End Firewalls

Information About NAT

Information Systems Security

COMPUTER NETWORK SECURITY

Finding Feature Information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Firewall Stateful Inspection of ICMP

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Configuring Flood Protection

Advanced Security and Forensic Computing

Network Defenses 21 JANUARY KAMI VANIEA 1

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Introduction to Firewalls using IPTables

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Configuring NAT for IP Address Conservation

ch02 True/False Indicate whether the statement is true or false.

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Multihoming with BGP and NAT

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

COSC 301 Network Management

Firewall and IDS/IPS. What is a firewall?

Internet Security Firewalls

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Networking Security SPRING 2018: GANG WANG

Lab 6: Access Lists. Device Interface IP Address Subnet Mask Gateway/Clock Rate Fa 0/ R1

VG422R. User s Manual. Rev , 5

User Role Firewall Policy

Introduction to Network. Topics

2. INTRUDER DETECTION SYSTEMS

Deployment Scenarios for Standalone Content Engines

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

IP Access List Overview

Three interface Router without NAT Cisco IOS Firewall Configuration

CSE 565 Computer Security Fall 2018

6 Network Security Elements

Information About NAT

Network Interconnection

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

WCCPv2 and WCCP Enhancements

Transcription:

Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2

What is a Firewall? A system that enforces access policy between two (or more) networks. Based on a rules/policies, the firewall: Blocks prohibited traffic. Note: this can be done silently (just drop) or actively, send back reset or ICMP messages. Usually better to do silently. Allow authorized traffic. And, (some) check that the traffic for a given application is behaving correctly. Firewall examines all traffic between the networks. Firewall may also perform other services: NAT / PAT Caching Web access control/site filtering VPN/IPSEC Two main philosophy to setup Firewall either: Block all that is not explicitly authorized. Authorize all that is not specifically blocked. Note: this can be used together on same firewall. Example: a firewall between an organization and the Internet you may at the same time setup: All inbound traffic except specifically authorized is blocked. All outbound traffic except specifically blocked is authorized. Always remember the implied rule. My suggestion: always write it explicitly. For this class: you are required to write it explicitly! Else I choose which one it is

What is a Firewall? A firewall is a device that makes the decision on what to do with a packet. The actions a firewall can take: Forward/accept the packet. Drop the packet silently. Drop the packet and send ICMP back to source to notify why it was dropped. This adhere to strict Internet standards but is it wise? How is it performed? Packets are evaluated against a list of rules and conditions When the packet matches a rule: the action is triggered (reject or allow). The rest of the rules are not evaluated.

What is a Firewall? Concretely what is a firewall? Can be many things: A router that runs traffic filtering rules or a modified version of the routing software (For example Cisco IOS Firewall Feature Set). This is often referred as Screening Router Firewalls or Screening Firewalls. Pro: Can use existing router to perform some traffic filtering such as RFC 1918 and RFC 2827 Filtering. Con: That can kill your router performance! Specially if rules become complex! A server with 2+ NICS running some traffic filtering or application proxy or specialized software. Usually Unix/Linux or Windows. Pro: Usually easy to use, nice GUI, use OS that the administrator may already be familiar with. Con: Using a general-purpose OS to support firewall has lower performance. If there is a security flaw in the OS (I know how likely is that ) the firewall may be compromised!

What is a Firewall? A specialized hardware piece running a specialized software. Often referred as Firewall Appliances. Pro: Used specialized OS that is stripped down to remove unnecessary services. Higher performance. Con: Higher Costs. May not have nice GUI. A Host-based firewall. A.K.A. Personal Firewall. This is the last firewall piece in a defense in-depth strategy: load firewall software on all hosts. Pro: Greatly enhanced security because of host-specific knowledge (For example, encrypted traffic can only be firewalled at end points). May allow to detect the presence/addition of unnecessary services at host. Con: Expensive. May be very hard to manage. Trends: host firewall or host IDS on all desktops the same way you see (or should see) anti-virus on all desktops today.

Types of Firewalls Packet Filter Statefull packet filter Application and Circuit Proxy

Packet Filtering Firewalls Control the forwarding or dropping of the data based on the IP header information. It does not keep track of the connection or session state. The information and fields that may be taken into consideration are: IP destination address IP source address Protocol type/number (ie: TCP, UDP, ICMP, etc...) Source protocol port number (TCP/80, UDP/53, etc ) Destination protocol port number (TCP/80, UDP/53, etc ) Flags (SYN, ACK, FIN,..etc..)

Packet Filtering Pros and Cons Advantages High performance Application independent Provide an economical solution to filter out many threats (SMURF, IP source route, some spoofing) Can be implemented at no cost on existing routers using Access Control Lists (ACL) Note: need to be careful here: this can very negatively impact routing performance on certain routers. This is specially true for core routers (Usually NEVER enable ACL on core routers). Make sure that: 1. You understand the impact of enabling ACL on router operation 2. You know the router can handle the extra load of doing ACL lookups and can still handle traffic in an acceptable manner. Disadvantages Only look at Header information How do you handle incoming or return traffic that use a random/high port for communication Example when you connect to www/80 what is your source port #? Can fairly easily be forced to pass traffic that is not proper Can dramatically lower performance of certain routers if implemented on them

Connection establishment: Three-way handshake

Connection Release: Four-way handshake Closing data stream in this direction only

State transition diagram

Client states

Server states

Statefull Packet Filtering Perform all the functions of a packet filtering firewall but also keep track of the state of the connection and past packets in the communication. The firewall will attempt to track all the information in the communication. This can be at all layers of the OSI. Examples: At layer 4 If it evaluate a TCP packet from B to A that has a SYN-ACK flag, it will verify that it has seen a corresponding SYN packet from A to B before. At Layer 7 If on SMTP, it see MAIL FROM message from A to B. It will verify that there has been a proper TCP connection established before and that a HELO command was sent and replied by a 2xx response from B to A. In other words: the statefull packet filter will keep track of all conversations and ensure that all packets transiting comply with proper protocol rules and operation. Note: new variation of statefull firewall is starting to be popular: statefull FW with Intrusion Detection System/Intrusion Prevention System. More on that in the IDS unit.

Statefull Packet Filtering Advantages Scalable and transparent High performance Can handle pesky applications that jump ports in the process Example: FTP in passive mode H.323 These are very hard to manage in a packet-filtering fw. Disadvantages Weak for stateless protocols Harder to handle UDP return traffic May not look at certain application layer data as a proxy would

Application and Circuit Proxy A proxy firewall acts as an intermediate communication point between 2 parties: Each party think they directly communicate to the other. Actually they communicate to the Proxy Firewall. A Proxy B: A communicates to the proxy, the proxy then acts as A when communicating to B and vice-versa. These proxy firewalls acts either at layer 3-4 (circuit proxy) or layer 7 (application proxy). Most often they act at layer 7.

Application and Circuit Proxy Advantages Better security as it looks at all data in the packet up to layer 7. Can perform other functions such as Email virus scanning. Disadvantages Lower performance L7 - Limited to protocols that are supported Poor scalability under heavy traffic May break custom applications May not support standard applications on nonstandard ports.

Other Services Sometime Performed by Firewall Network Address Translation Intrusion Detection/Prevention Denial-of-Service (DOS) Inspection Authentication Virtual Private Network Termination Traffic Logging URL and/or Content Filtering Virus Scanning

Firewalls Limitations Firewalls have limitations. It is VERY important to understand them: They do not protect against viruses, worms, or trojans (except in Application-level firewalls and new IDS/firewall hybrids.) Can t protect traffic that is not sent through them: Dial-up attacks; modems Social engineering Rerouting due to incompatibility with legacy system Back doors Cannot protect from danger in authorized traffic. (See Nimda and code red) Cannot protect from some spoofing.

Firewall Rules Template The XLS available proposes a template to write firewall rules. This template will be used in the class. Fields are: Set Name Rule # Protocol (IP, UDP, TCP, GRE, or protocol number) A/R (Accept/Reject) Source IP (Start) Source IP End or Source Wildcard Src Port (or protocol number) Destination IP (start) Destination IP (End) or Wildcard Dest Port Flag Comments Always have a last rule that says either: Deny all Permit all Note #1: Often firewalls come with a default last rule that is always inserted at the end and invisible. Strong suggestion ALWAYS specify a last rule even if it is the same as the system s default. Note #2: Often firewalls have a default deny all for ingress traffic and accept all for egress traffic. Why? Class discussion. The rule must then be applied to a firewall interface and to an interface traffic direction: Inbound or outbound.

Simple Firewall Rule Example My-AC-store.com E-Commerce Infrastructure Internet Users Internet ISP DNS 12.11.22.33 Router 199.4.6.1 Intruder, threat, opponent Outside Interface - 199.4.6.2 Note: all subnets are 24 bits Email Server 199.4.5.3 Firewall 1 Inside Interface - 199.4.5.1 E-Comm - Web 199.4.5.2 Inside Users Administrator 199.4.5.100-200 199.4.5.99

Simple Firewall Rule Example The spreadsheet present full rule set for a packet filtering firewall that do not use statefull inspection. Discussion in-class You can notice that some fairly general rules had to be added to allow return traffic. This is a problem and can allow attacker to bypass the firewall The simplified rule show rule set for a statefull firewall. The firewall will keep track of connection establishment, high port assignment and correspondence to conversation. This make rule writing simpler and enhance security But cost more $$$.

Firewall Example #2 Note: all subnets are 24 bits Internet Users My-ac-corporate.com E-Commerce Infrastructure Internet 12.55.55.55 Intruder, threat, opponent ISP DNS 12.11.22.33 Router 202.22.3.1 Remote Office Headquarters Email Relay External Web External DNS 202.22.2.3 Outside Interface - 202.22.3.2 Firewall 2Inside Interface - 202.22.2.1 Router 198.1.1.1 Outside Interface - 198.1.1.2 Email Server Internal DNS 202.22.1.3 Firewall 1 Outside Interface - 202.22.2.2 Inside Interface - 202.22.1.1 Firewall 3 Inside Interface - 202.22.4.1 Corporate Web 202.22.1.2 Inside Users 202.22.1.100-200 Inside Users 202.22.4.2-254

Firewall Example #2 Functional Requirements: Internal users are Headquarters and remote office. Internal user do DNS resolution on 202.22.1.3 and can access corporate web and internal mail. Email between Internal and Internet transit via Email replay for virus scan. The Internal DNS resolve to ISP DNS for unknown zones. External web, relay email handles all Internet user access including DNS resolve. All internal users can access web on 80/443. A Bad guy is 12.55.55.5 prevent him any access. Ping and ping responses should be allowed All firewalls are statefull, return traffic inspection is not required. OPTIONAL You should perform RFC 1918 and anti-spoofing filtering. Please work on it and come up with solutions for next week. We will discuss in class. How many rule sets should be developed? 1 2 4 6 8 10 12 300.5? More? Based on no traffic initiated or terminating at the FW, can we establish how many rules sets we will ever need if written correctly?

Firewall Example #2 (contd.) Part of Homework #3 (which is due in two weeks) is to write the firewall rules for the above example. Please try to write the rules and bring them to class next week. The initial thinking process, and some additional discussion during next class, will likely help you to do a better job for HW #3! This initial solution is to be included in your final HW #3 submission.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback