Operational Security: Firewalls and Intrusion Detection
CS242 Computer Networks
Department of Computer Science, Wellesley College

Speaking frankly
The Internet is not a very safe place. From our network administrator's point of view, the world divides into two camps:
  Us - good; able to access local resources.
  Them - suspicious; access must be carefully scrutinized and perhaps restricted.
Firewalls 25-2

Firewalls*
In theory, only authorized traffic, as defined by local security policy, is allowed to pass.
  Administered network: trusted, the "good guys".
  Public Internet: untrusted, the "bad guys".
  The firewall sits at the boundary between the two.
*A firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
Firewalls 25-3

A sense of false security...
Of course the firewall itself is a device connected to the network. It had better be carefully designed and installed, or else we are only fooling ourselves.
Firewalls 25-4
Firewalls come in three flavors
  Traditional (stateless) packet filters examine each datagram in isolation at the point of entry/exit. The internal network is connected to the Internet via a router firewall which filters packet-by-packet.
  Stateful filters track TCP connections, and use this knowledge to make filtering decisions.
  Application gateways are application-specific servers through which all application data must pass.
Firewalls 25-5

Traditional (stateless) packet filters
Filtering decisions are typically based on:
  IP source or destination address;
  protocol type in the IP datagram field (TCP, UDP, ICMP, ...);
  TCP or UDP source and destination port;
  TCP flag bits (SYN, ACK, etc.);
  ICMP message type.
Firewalls 25-6

Policy decisions

Policy                                                                                | Firewall setting
No outside Web access.                                                                | Drop all outgoing packets to any IP address, port 80.
No incoming TCP connections, except those for the institution's public Web server.   | Drop all incoming TCP SYN packets to any IP address except 130.207.244.203, port 80.
Prevent Web-radios from eating up the available bandwidth.                            | Drop all incoming UDP packets, except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack.                          | Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255).
Prevent your network from being tracerouted.                                          | Drop all outgoing ICMP "TTL expired" traffic.
Firewalls 25-7

We could get tricky
and base our policy on a combination of addresses and port numbers. For example, our router could filter all Telnet datagrams (port 23) except those going to and coming from a list of specific IP addresses. This allows Telnet connections to and from hosts on the allowed list. However,...
Firewalls 25-8
Filtering TCP handshakes
Filtering can be based on whether or not the TCP ACK bit is set. The first segment of a connection (the SYN) has ACK=0 and every later segment has ACK=1, so admitting from the outside only segments with ACK=1 lets internal clients connect to external servers, but prevents external clients from connecting to internal servers.
Firewalls 25-9

Access control list for router interface*
*Table of rules, applied top to bottom to incoming packets: (action, condition) pairs; the first matching rule wins. "Internal" stands for the institution's own address block (the 222.22.x.x addresses that appear in the connection table on slide 25-12).

action | source address      | dest address        | protocol | source port | dest port | flag bit
allow  | internal            | outside of internal | TCP      | > 1023      | 80        | any
allow  | outside of internal | internal            | TCP      | 80          | > 1023    | ACK
allow  | internal            | outside of internal | UDP      | > 1023      | 53        | ---
allow  | outside of internal | internal            | UDP      | 53          | > 1023    | ---
deny   | all                 | all                 | all      | all         | all       | all
Firewalls 25-10

Problems with stateless filters
Although restrictive, the access control list in the previous table allows packets arriving from the outside with ACK=1 and source port 80, even when no TCP connection has been established:

action | source address      | dest address | protocol | source port | dest port | flag bit
allow  | outside of internal | internal     | TCP      | 80          | > 1023    | ACK

The filter has no memory of earlier packets, so it cannot tell a legitimate reply from a forged segment with the ACK bit set. Such packets could be used by attackers in attempts to crash internal systems with malformed packets, carry out denial-of-service attacks, or map the internal network.
Firewalls 25-11

Stateful packet filters
Stateful filters track all ongoing TCP connections in a connection table. The firewall observes the beginning of a new connection (SYN, SYNACK, and ACK), and it can observe the end of the connection when it sees a FIN packet.*

source address | dest address  | source port | dest port
222.22.1.7     | 37.96.87.123  | 12699       | 80
222.22.93.2    | 199.1.205.23  | 37654       | 80
222.22.65.143  | 203.77.240.43 | 48712       | 80

*The firewall can (conservatively) assume that the connection is over when it hasn't seen any activity for, say, 60 seconds.
Firewalls 25-12
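The stateless ACL above, the forged-ACK hole it leaves, and the connection-table check that the augmented ACL on slide 25-13 adds, worked through in code. This is an added example, not code from the lecture: the internal block 222.22.0.0/16 is an assumption inferred from the connection-table addresses, and the packets are constructed.

```python
"""Stateless ACL vs. stateful filter, following the rules on slides 25-10 and 25-13.

Added example, not code from the lecture. The internal block 222.22.0.0/16 is an
assumption inferred from the connection-table addresses on slide 25-12; the
packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # assumption, see docstring


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "TCP" or "UDP"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def high(port):  return port > 1023
def eq80(port):  return port == 80
def eq53(port):  return port == 53
def anyport(_):  return True

# ACL rows: (action, src side, dst side, proto, sport test, dport test, required flag, check connection)
ACL = [
    ("allow", "in",  "out", "TCP", high,    eq80,    None,  False),
    ("allow", "out", "in",  "TCP", eq80,    high,    "ACK", True),   # the row a forged ACK exploits
    ("allow", "in",  "out", "UDP", high,    eq53,    None,  False),
    ("allow", "out", "in",  "UDP", eq53,    high,    None,  True),
    ("deny",  "any", "any", "any", anyport, anyport, None,  False),
]


def side_matches(side, addr):
    return side == "any" or (side == "in") == is_internal(addr)


def match_rule(rule, pkt):
    _, s, d, proto, sp, dp, flag, _ = rule
    return (side_matches(s, pkt.src) and side_matches(d, pkt.dst)
            and proto in ("any", pkt.proto) and sp(pkt.sport) and dp(pkt.dport)
            and (flag is None or flag in pkt.flags))


class StatelessFilter:
    """Slide 25-10: first matching row wins, no memory between packets."""
    def decide(self, pkt):
        for rule in ACL:
            if match_rule(rule, pkt):
                return rule[0]
        return "deny"


class StatefulFilter:
    """Slide 25-13: rows marked 'check connection' also need a connection-table entry."""
    def __init__(self):
        self.table = set()   # (internal addr, external addr, internal port, external port)

    def _key(self, pkt):
        if is_internal(pkt.src):
            return (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def decide(self, pkt):
        for rule in ACL:
            if not match_rule(rule, pkt):
                continue
            action, check = rule[0], rule[7]
            if action == "allow" and check and self._key(pkt) not in self.table:
                return "deny"            # no internal host opened this connection
            if action == "allow":
                self._track(pkt)
            return action
        return "deny"

    def _track(self, pkt):
        key = self._key(pkt)
        outbound = is_internal(pkt.src)
        if pkt.proto == "TCP" and outbound and pkt.flags == {"SYN"}:
            self.table.add(key)          # connection opened from inside
        elif pkt.proto == "UDP" and outbound:
            self.table.add(key)          # outbound DNS query; admit the matching reply
        elif pkt.flags & {"FIN", "RST"}:
            self.table.discard(key)      # teardown (a real filter also expires idle entries)


# Constructed traffic.
FORGED = Packet("37.96.87.123", "222.22.1.7", "TCP", 80, 40000, frozenset({"ACK"}))   # unsolicited
SYN    = Packet("222.22.1.7", "37.96.87.123", "TCP", 12699, 80, frozenset({"SYN"}))
SYNACK = Packet("37.96.87.123", "222.22.1.7", "TCP", 80, 12699, frozenset({"SYN", "ACK"}))
PROBE  = Packet("198.51.100.4", "222.22.1.7", "TCP", 40000, 23, frozenset({"SYN"}))   # inbound Telnet


def demo():
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {
        "forged_stateless": stateless.decide(FORGED),   # allow: the hole on slide 25-11
        "forged_stateful":  stateful.decide(FORGED),    # deny: no table entry
        "syn_stateful":     stateful.decide(SYN),       # allow, and recorded
        "synack_stateful":  stateful.decide(SYNACK),    # allow: matches the recorded entry
        "probe_stateless":  stateless.decide(PROBE),    # deny: blocked even without state
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The only difference between the two filters is the table lookup on rows marked "check connection"; the same forged ACK segment is admitted by the stateless filter and dropped by the stateful one, while a legitimate handshake passes both.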
Augmented access control list for stateful filter*

action | source address      | dest address        | protocol | source port | dest port | flag bit | check connection
allow  | internal            | outside of internal | TCP      | > 1023      | 80        | any      |
allow  | outside of internal | internal            | TCP      | 80          | > 1023    | ACK      | x
allow  | internal            | outside of internal | UDP      | > 1023      | 53        | ---      |
allow  | outside of internal | internal            | UDP      | 53          | > 1023    | ---      | x
deny   | all                 | all                 | all      | all         | all       | all      |

*ACL augmented to indicate the need to check the connection state table before admitting a packet: an inbound segment matching a row marked "x" is admitted only if the table holds a matching connection opened from the inside.
Firewalls 25-13

So far, so good, but suppose now that...
...Wellesley wants to provide Telnet services to a restricted set of internal users (as opposed to IP addresses)...
...and suppose Wellesley wants such privileged users to authenticate themselves first before being allowed to create a Telnet session to the outside world.*
*Such tasks are beyond stateful filters. The identity of internal users is application-layer data and is not included in the IP/TCP/UDP headers.
Firewalls 25-14

Application gateways
An application gateway is an application-specific server through which all application data must pass. It looks beyond the IP/TCP/UDP headers to make policy decisions based on application data.
Firewalls 25-15

To do this, we must...
...design a firewall that allows only a restricted set of internal users to Telnet outside and prevents all external clients from Telneting inside.
[Figure: host-to-gateway Telnet session; application gateway; gateway-to-remote-host Telnet session; router and filter]
1. Require all Telnet users to Telnet through the application gateway.
2. For authorized users, the gateway sets up a Telnet connection to the destination host and relays data between the two connections.
3. The router filter blocks all Telnet connections not originating from the gateway.
Firewalls 25-16
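The three-step Telnet gateway design, as an added example that is not code from the lecture. The gateway makes its decision on application-layer data (a login line) that no packet filter can see, then relays between the two connections; the router rule for step 3 is a one-line predicate. The user allow-list, the gateway address, the prompt format, the uppercase-echo "remote host" and the socketpair stand-in for the network are all assumptions made so the example runs offline.

```python
"""Application gateway for Telnet, as sketched on slides 25-14 to 25-16.

Added example, not code from the lecture. A packet filter sees only headers;
the gateway reads the login line (application-layer data), admits only users
on an allow-list, then relays bytes to the destination host. The user list,
the gateway address, the prompt format and the socketpair "network" are
assumptions made so the example runs offline.
"""
import select
import socket
import threading

AUTHORIZED_USERS = {"alice", "bob"}   # assumption: the restricted set of privileged users
GATEWAY_ADDR = "222.22.0.2"           # assumption: the gateway's internal address


def router_admits_telnet(src_addr, dport):
    """Step 3: the router filter passes Telnet (port 23) only when it originates from the gateway."""
    return dport != 23 or src_addr == GATEWAY_ADDR


def read_line(sock, limit=256):
    """Read one newline-terminated line; cap the length so a client cannot exhaust memory."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip().decode("ascii", "replace")


def relay(a, b):
    """Step 2: copy bytes in both directions until either side closes."""
    while True:
        ready, _, _ = select.select([a, b], [], [])
        for src in ready:
            data = src.recv(4096)
            if not data:
                a.close()
                b.close()
                return
            (b if src is a else a).sendall(data)


def handle_client(client, connect_remote):
    """Gateway side of one session (step 1: every internal Telnet user lands here).

    client is the host-to-gateway connection; connect_remote(dst) opens the
    gateway-to-remote-host connection. Returns "relayed" or "rejected".
    """
    client.sendall(b"Gateway login: ")
    user = read_line(client)
    if user not in AUTHORIZED_USERS:
        client.sendall(b"Not authorized.\r\n")
        client.close()
        return "rejected"
    client.sendall(b"Destination host: ")
    remote = connect_remote(read_line(client))
    relay(client, remote)
    return "relayed"


def run_session(user, payload):
    """Drive one session offline: client <-> gateway <-> constructed remote host
    that uppercases what it receives. Returns (outcome, what the client got back)."""
    client_end, gw_end = socket.socketpair()
    remote_gw_end, remote_host_end = socket.socketpair()

    def remote_host():                            # constructed stand-in for the outside host
        data = remote_host_end.recv(4096)
        if data:
            remote_host_end.sendall(data.upper())
        remote_host_end.close()

    outcome = {}
    gw = threading.Thread(
        target=lambda: outcome.setdefault("v", handle_client(gw_end, lambda dst: remote_gw_end)))
    rh = threading.Thread(target=remote_host)
    gw.start()
    rh.start()

    client_end.recv(4096)                         # "Gateway login: "
    client_end.sendall(user.encode() + b"\r\n")
    reply = client_end.recv(4096)                 # destination prompt, or the rejection
    if reply.startswith(b"Not authorized"):
        gw.join()
        remote_gw_end.close()                     # release the idle remote-host thread
        rh.join()
        client_end.close()
        return outcome["v"], reply.strip().decode()
    client_end.sendall(b"remote.example\r\n" + payload)   # hypothetical destination, then data
    echoed = client_end.recv(4096)
    gw.join()
    rh.join()
    client_end.close()
    return outcome["v"], echoed.decode()


if __name__ == "__main__":
    print(run_session("alice", b"hello gateway\r\n"))
    print(run_session("mallory", b"hello\r\n"))
```

In a deployment the lambda passed as connect_remote would open a real TCP connection to port 23 on the named host, and the check on the login line would be a real authentication exchange rather than a bare username; the structure, decide on application data and then relay, is what the slides describe and what a header-only filter cannot do.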
Intrusion detection systems
Packet filtering operates on TCP/IP headers only; there is no correlation check among sessions. To detect many attacks, we need deep packet inspection, e.g., checking character strings in a packet against a database of known virus strings. Additionally we may wish to examine correlation among multiple packets to detect:
  port scanning;
  network mapping;
  DoS attacks.
Firewalls 25-17

Multiple IDS sensors
[Figure: Internet - firewall - demilitarized zone (Web server, DNS server, FTP server) - application gateway - internal network, with IDS sensors placed in the demilitarized zone and on the internal network]
Firewalls 25-18

Coarse-grain classification
Signature-based IDS maintains a database of attack signatures, sniffs every packet, and compares its contents with this database.*
Anomaly-based IDS creates a traffic profile in normal operation, then looks for statistically unusual packet streams.**
*Most common, but completely blind to new attacks. Subject to false positives.
**Can potentially detect new attacks, but it is often difficult to distinguish between normal traffic and statistically unusual traffic.
Handshake pitfalls 18-19
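The two detection styles contrasted on slides 25-17 and 25-19, run over a constructed packet trace: per-packet signature matching on payload bytes, and cross-packet correlation that flags a port scan no single packet reveals. This is an added example, not code from the lecture; the signatures, the trace, the detection window and the threshold are all constructed for illustration.

```python
"""Signature matching vs. cross-packet correlation over a constructed trace.

Added example, not code from the lecture. The signature patterns, the packet
trace, the 5-second window and the 10-port threshold are constructed values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags as letters, e.g. "S" (SYN), "SA", "A"
    payload: bytes = b""


# Constructed "virus string" signatures: (name, byte pattern) matched against raw payload bytes.
SIGNATURES = [
    ("demo-shell-cmd", b"; /bin/sh"),
    ("demo-path-traversal", b"../../"),
]


def signature_alerts(pkts):
    """Per-packet deep inspection: report any packet whose payload contains a known pattern.
    Blind to anything not in SIGNATURES, which is the slide's caveat about new attacks."""
    alerts = []
    for p in pkts:
        for name, pattern in SIGNATURES:
            if pattern in p.payload:
                alerts.append((name, p.src, p.dst, p.dport))
    return alerts


def port_scan_alerts(pkts, window=5.0, threshold=10):
    """Correlation across packets: a source that sends SYNs to at least `threshold`
    distinct ports on one host within `window` seconds is reported as a scanner.
    Each SYN is individually unremarkable, so no per-packet signature catches this."""
    history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    alerts = set()
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.flags != "S":
            continue
        hist = history[(p.src, p.dst)]
        hist.append((p.ts, p.dport))
        recent_ports = {port for ts, port in hist if p.ts - ts <= window}
        if len(recent_ports) >= threshold:
            alerts.add((p.src, p.dst))
    return alerts


def constructed_trace():
    """A small constructed trace mixing normal traffic, a fast scan, a slow scan and one bad payload."""
    pkts = []
    # Normal browsing: many SYNs to one port over time; one distinct port, so not a scan.
    for i in range(20):
        pkts.append(Packet(float(i), "222.22.1.7", "37.96.87.123", 80, "S"))
    # Fast scan: 12 distinct ports within about a second.
    for i, port in enumerate(range(21, 33)):
        pkts.append(Packet(100.0 + i * 0.1, "203.0.113.9", "222.22.5.5", port, "S"))
    # Slow scan: the same 12 ports spread 10 seconds apart; below the window, so it evades this detector.
    for i, port in enumerate(range(21, 33)):
        pkts.append(Packet(200.0 + i * 10.0, "198.51.100.4", "222.22.5.5", port, "S"))
    # Payload carrying a known pattern.
    pkts.append(Packet(300.0, "203.0.113.9", "222.22.5.5", 80, "A",
                       b"GET /cgi-bin/x?c=; /bin/sh HTTP/1.0"))
    return pkts


def run_ids(pkts):
    return {"signatures": signature_alerts(pkts), "scans": port_scan_alerts(pkts)}


if __name__ == "__main__":
    for kind, hits in run_ids(constructed_trace()).items():
        print(kind, sorted(hits))
```

The slow scanner is the practical caveat: the correlation detector is only as good as its window and threshold, and lowering them to catch it raises the false-positive rate on ordinary traffic, which is the trade-off the anomaly-based footnote describes.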