Application Firewalls

Similar documents
The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Computer Security and Privacy

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

CSE 565 Computer Security Fall 2018

Internet Security: Firewall

CSC Network Security

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Unit 4: Firewalls (I)

Why Firewalls? Firewall Characteristics

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Chapter 9. Firewalls

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

CyberP3i Course Module Series

Chapter 8 roadmap. Network Security

Indicate whether the statement is true or false.

Network Control, Con t

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CE Advanced Network Security

ISA 674 Understanding Firewalls & NATs

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

COMPUTER NETWORK SECURITY

CHAPTER 8 FIREWALLS. Firewall Design Principles

Internet Security Firewalls

Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Information Systems Security

CTS2134 Introduction to Networking. Module 08: Network Security

Network Security. Thierry Sans

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.

Firewalls. Types of Firewalls. Schematic of a Firewall. Conceptual Pieces Packet Filters Stateless Packet Filtering. UDP Filtering.

Managing SonicWall Gateway Anti Virus Service

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls, Tunnels, and Network Intrusion Detection

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Security by Any Other Name:

CSC 4900 Computer Networks: Security Protocols (2)

CS 356 Internet Security Protocols. Fall 2013

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Training UNIFIED SECURITY. Signature based packet analysis

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

20-CS Cyber Defense Overview Fall, Network Basics

10 Defense Mechanisms

Network Defenses 21 JANUARY KAMI VANIEA 1

CSCE 813 Internet Security Network Access Control

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Simple and Powerful Security for PCI DSS

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Corrigendum 3. Tender Number: 10/ dated

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Secure VPNs for Enterprise Networks

A Comprehensive CyberSecurity Policy

Advanced Security and Mobile Networks

Network Security Fundamentals

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Protection of Communication Infrastructures

CSC 474/574 Information Systems Security

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Network Defenses 21 JANUARY KAMI VANIEA 1

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg

Are You Avoiding These Top 10 File Transfer Risks?

4. The transport layer

Network Security - ISA 656 Intro to Firewalls

Locking down a Hitachi ID Suite server

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

AccessEnforcer Version 4.0 Features List

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Computer and Network Security

Distributed Systems. Lecture 14: Security. 5 March,

Implementing Firewall Technologies

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

SOLUTION MANAGEMENT GROUP

Network Protocols - Revision

System i. Version 5 Release 4

Agenda. Introduction. Security Protocols Wireless / Mobile Security. Lecture 10. Network Security I

Exploring CVE , a Skeleton key in DNS. Jaime Cochran, Marek Vavrusa

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Introduction to Network. Topics

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

EE 122: Network Security

UMSSIA LECTURE II: NETWORKS?

Transcription:

Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed 1 / 41

Moving Up the Stack Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Distributed Why move up the stack? Apart from the limitations of packet filters discussed last time, firewalls are inherently incapable of protecting against attacks on a higher layer IP packet filters (plus port numbers... ) can t protect against bogus TCP data A TCP-layer firewall can t protect against bugs in SMTP SMTP proxies can t protect against problems in the email itself, etc. 2 / 41

Advantages Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Protection can be tuned to the individual application More context can be available You only pay the performance price for that application, not others Distributed 3 / 41

Disadvantages Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application-layer firewalls don t protect against attacks at lower layers! They require a separate program per application These programs can be quite complex They may be very intrusive for user applications, user behavior, etc. Distributed 4 / 41

Example: Protecting Email Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Do we protect inbound or outbound email? Some of the code is common; some is quite different Do we work at the SMTP level (RFC 2821) or the mail content level (RFC 2822)? What about MIME? (What about S/MIME- or PGP-protected mail?) What are the threats? Distributed 5 / 41

Email Threats Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement The usual: defend against protocol implementation bugs Virus-scanning Anti-spam? Javascript? Web bugs in HTML email? Violations of organizational email policy? Signature-checking? Distributed 6 / 41

Inbound Email Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Email is easy to intercept: MX records in the DNS route inbound email to an arbitrary machine Possible to use * to handle entire domain Example: DNS records exist for att.com and *.att.com Net result: all email for that domain is sent to a front end machine Distributed 7 / 41

Different Sublayers Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Note that are are multiple layers of protection possible here The receiving machine can run a hardened SMTP, providing protection at that layer Once the email is received, it can be scanned at the content layer for any threats The firewall function can consist of either or both Distributed 8 / 41

Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement No help from the protocol definition here But most MTAs have the ability to forward some or all email to a relay host Declare by administrative fiat that this must be done (Remember: in a large organization, some groups will run their own MTA.) Enforce this with a packet filter... Distributed 9 / 41

Combining Firewall Types Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Use an application firewall to handle inbound and outbound email Use a packet filter to enforce the rules Distributed 10 / 41

Firewalling Email Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Distributed Outside Packet Filter Inside SMTP Receiver DMZ Anti Spam Anti Virus 11 / 41

Enforcement Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Distributed Email can t flow any other way The only SMTP server the outside can talk to is the SMTP receiver It forwards the email to the anti-virus/anti-spam filter, via some arbitrary protocol That machine speaks SMTP to some inside mail gateway Note the other benefit: if the SMTP receiver is compromised, it can t speak directly to the inside 12 / 41

Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Again, we use a packet filter to block direct outbound connections to port 25 The only machine that can speak to external SMTP receivers is the dedicated outbound email gateway That gateway can either live on the inside or on the DMZ Distributed 13 / 41

Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed 14 / 41

DNS Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering UDP (discussed previously) Internal versus external view DNS cache corruption Optimizing DNSSEC checks Distributed 15 / 41

UDP Issues Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Remember the DNS server location discsussed last time In fact, what we did there was use an application-level relay to work around packet filter restrictions We re lucky since the DNS protocol includes provision for recursion, it requires no application changes for this to work 16 / 41

Internal Versus External View Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed Should outsiders be able to see the names of all internal machines? What about secretproject.foobar.com? Solution: use two DNS servers, one for internal requests and one for external request Put one on each side of the firewall Issue: which machine does the NS record for foobar.com point to, the inside or the outside server? Can be trickier than it seems must make sure that internal machines don t see NS records that will make them try to go outside directly 17 / 41

Cache Contamination Attacks Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering DNS servers cache results from queries Responses can contain additional information data that may be helpful but isn t part of the answer Send bogus DNS records as additional information; confuse a later querier Distributed 18 / 41

DNS Filtering Application DNS Issues UDP Issues Internal Versus External View Cache Contamination Attacks DNS Filtering Distributed All internal DNS queries go to a DNS switch If it s an internal query, forward the query to the internal server or pass back internal NS record If it s an external query, forward the query to outside, but: Scrub the result to remove any references to inside machines Scrub the result to remove any references to any NS records; this prevents attempts to go outside directly Use a packet filter to block direct DNS communication 19 / 41

Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed 20 / 41

Small Application Gateways Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Some protocols don t need full-fledged handling at the application level That said, a packet filter isn t adequate Solution: examine some of the traffic via an application-specific proxy; react accordingly Distributed 21 / 41

FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Remember the problem with the PORT command? Scan the FTP control channel If a PORT command is spotted, tell the firewall to open that port temporarily for an incoming connection (Can do similar things with RPC define filters based on RPC applications, rather than port numbers) 22 / 41

Attacks Via FTP Proxy Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Distributed Downloaded Java applets can call back to the originating host A malicious applet can open an FTP channel, and send a PORT command listing a vulnerable port on a nominally-protected host The firewall will let that connection through Solution: make the firewall smarter about what host and port numbers can appear in PORT commands... 23 / 41

Web Proxies Application Small Application Gateways FTP Proxy Attacks Via FTP Proxy Web Proxies Again, built-in protocol support Provide performance advantage: caching Can enforce site-specific filtering rules Distributed 24 / 41

Application Application Modifications Adding Authentication Distributed 25 / 41

Application Application Modifications Adding Authentication Distributed Circuit gateways operate at (more or less) the TCP layer No application-specific semantics Avoid complexities of packet filters Allow controlled inband connections, i.e., for FTP Handle UDP Most common one: SOCKS. Supported by many common applications, such as Firefox and Pidgin. 26 / 41

Application Modifications Application Application Modifications Adding Authentication Distributed Application must be changed to speak the circuit gateway protocol instead of TCP or UDP Easy for open source Socket-compatible circuit gateway libraries have been written for SOCKS use those instead of standard C library to convert application 27 / 41

Adding Authentication Application Application Modifications Adding Authentication Distributed Because of the circuit (rather than packet) orientation, it s feasible to add authentication Purpose: extrusion control 28 / 41

Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Distributed 29 / 41

Rationale Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Conventional firewalls rely on topological assumptions these are questionable today Instead, install protection on the end system Let it protect itself 30 / 41

Personal Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Add-on to the main protocol stack The inside is the host itself; everything else is the outside Most act like packet filters Rules can be set by individual or by administrator 31 / 41

Saying No, Saying Yes Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed It s easy to reject protocols you don t like with a personal firewall The hard part is saying yes safely There s no topology all that you have is the sender s IP address Spoofing IP addresses isn t that hard, especially for UDP 32 / 41

Application-Linked Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed Most personal firewalls act on port numbers At least one such firewall is tied to applications individual programs are or are not allowed to talk, locally or globally Pros: don t worry about cryptic port numbers; handle auxiliary ports just fine Cons: application names can be just as cryptic; service applications operate on behalf of some other application 33 / 41

Distributed Application Distributed Rationale Personal Saying No, Saying Yes Application-Linked Distributed In some sense similar to personal firewalls, though with central policy control Use IPsec to distinguish inside from outside Insiders have inside-issued certificates; outsiders don t Only trust other machines with the proper certificate No reliance on topology; insider laptops are protected when traveling; outsider laptops aren t a threat when they visit 34 / 41

Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion 35 / 41

Problems Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion Corrupt insiders IPsec versus Connectivity Laptops Evasion 36 / 41

IPsec versus Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion Suppose hosts routinely use IPsec to talk to the outside world. An inbound, ESP-protected packet arrives at the firewall. Should it be allowed in? Does it conform to security policies? The destination port number is encrypted. The ACK flag is encrypted. It might even be a tunnel mode packet. There is no way to for the firewall to make a decision! 37 / 41

Corrupt Insiders Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion assume that everyone on the inside is good Obviously, that s not true Beyond that, active content and subverted machines mean there are bad actors on the inside 38 / 41

Connectivity Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion rely on topology If there are too many conections, some will bypass the firewall Sometimes, that s even necessary; it isn t possible to effectively firewall all external partners A large company may have hundreds or even thousands of external links, most of which are unknown to the official networking people 39 / 41

Laptops Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion Laptops, more or less by definition, travel When they re outside the firewall, what protects them? At one conference, I spotted at least a dozen other attendee machines that were infected with the Code Red virus (Code Red only infected web servers. Why were laptops running web servers?) 40 / 41

Evasion Application Distributed Problems IPsec versus Corrupt Insiders Connectivity Laptops Evasion and firewall administrators got too good Some applications weren t able to run Vendors started building things that ran over HTTP HTTP usually gets through firewalls and even web proxies... 41 / 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback