Firewalls. Network (and Data) Security / Pedro Brandão, Manuel Eduardo Correia


Firewalls. Network (and Data) Security 2016/2017. Pedro Brandão, Manuel Eduardo Correia.
Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown. Some slides from Mark Stamp, Information Security: Principles and Practice, 2nd edition (Wiley 2011).
Firewalls - pbrandao

Internet Firewall
- The firewall must determine what to let in to the internal network and/or what to let out
- Access control for the network (Internet <-> firewall <-> internal network)

Firewall as Secretary
- A firewall is like a secretary
- To meet with an executive, first contact the secretary
- The secretary decides if the meeting is important, so the secretary filters out many requests
- You want to meet the chair of the CS department? The secretary does some filtering
- You want to meet the PoPT? The secretary does lots of filtering

Firewalls and Intrusion Prevention Systems
- Internet connectivity is essential for organizations and individuals, but creates a threat
- Effective means of protecting LANs: one could secure every workstation and server, but a firewall is also used as perimeter defence
- A single choke point at which to impose security (Inside | firewall | Outside)

Firewall Capabilities & Limits
- Capabilities:
  - defines a single choke point
  - provides a location for monitoring security events
  - convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
- Limitations:
  - cannot protect against attacks that bypass the firewall
  - may not protect fully against internal threats
  - improperly secured wireless LAN
  - laptop, PDA or portable storage device infected outside, then used inside

Types of Firewalls (two figure slides)

Packet Filtering Firewall
- Applies rules to packets in/out of the firewall based on information in the packet header: src/dest IP address & port, IP protocol, interface
- Typically a list of rules matching on fields; if a rule matches, it says whether to forward or discard the packet
- Two default policies:
  - discard: prohibit unless expressly permitted; more conservative, controlled, visible to users
  - forward: permit unless expressly prohibited; easier to manage/use but less secure

Packet Filter
- Operates at the network layer (layer diagram: Application, Transport, Network, Logic, Physical)
- Can filter based on: source IP address, destination IP address, source port, destination port, flag bits (SYN, ACK, etc.), egress or ingress

What's in a Packet: IPv4 packet
Header layout (field widths in bits, as on the slide):
  Ver (4) | IHL (4) | DSCP (6) | ECN (2) | Total Length (16)
  Identification (16) | Flags (4) | Frag Offset (12)
  TTL (8) | Protocol (8) | Header Checksum (16)
  Source Address (32)
  Destination Address (32)
  Options | Padding
IHL - Internet Header Length; DSCP - Differentiated Service Code Point (Type of Service); ECN - Explicit Congestion Notification

Packet Filter Configured via Access Control Lists (ACLs)
  Action | Source IP | Dest IP | Source Port | Dest Port | Protocol | Flag Bits
  Allow  | Inside    | Outside | Any         | 80        | HTTP     | Any
  Allow  | Outside   | Inside  | 80          | > 1023    | HTTP     | ACK
  Deny   | All       | All     | All         | All       | All      | All
Q: Intention? A: Restrict traffic to Web browsing

Packet Filter Rules (figure slide)

Packet Filter Weaknesses
- Weaknesses:
  - cannot prevent attacks on application bugs
  - limited logging functionality
  - do not support advanced user authentication
  - vulnerable to attacks on TCP/IP protocol bugs
  - improper configuration can lead to breaches
- Attacks: IP address spoofing, source route attacks, tiny fragment attacks

TCP ACK Scan
- Attacker scans for open ports through the firewall; port scanning is the first step in many attacks
- Attacker sends a packet with the ACK bit set, without a prior 3-way handshake, which violates the TCP/IP protocol
- The ACK packet passes through a packet filter firewall because it appears to be part of an ongoing connection
- An RST is sent by the recipient of such a packet

TCP ACK Scan (figure): Trudy sends ACK to dest port 1207, ACK to dest port 1208, ACK to dest port 1209 through the packet filter into the internal network; the RST that comes back for port 1209 tells the attacker that port 1209 is open through the firewall
- A stateful packet filter can prevent this, since the scans are not part of established connections

Stateful Packet Filter
- Reviews packet header information, but also keeps information on TCP connections
- TCP connections typically have a low, known port number for the server and a high, dynamically assigned port number for the client
- A simple packet filter must therefore allow all returning high-port-numbered packets back in
- A stateful inspection packet firewall tightens the rules for TCP traffic using a directory of TCP connections: incoming traffic to high-numbered ports is only allowed for packets matching an entry in this directory
- May also track TCP sequence numbers

Stateful Packet Filter
- Advantages? Can do everything a packet filter can do, plus keep track of ongoing connections (so it prevents the TCP ACK scan)
- Disadvantages? Cannot see application data; slower than packet filtering
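The following Python model is an added example, not part of the lecture: it evaluates the slide's ACL (allow inside->outside to port 80; allow outside->inside from port 80 to ports above 1023 with ACK; deny the rest) first as a stateless packet filter and then behind a stateful filter that keeps a directory of connections opened from inside. The addresses, ports and the "inside" prefix are constructed for the demonstration.

```python
"""Added example, not from the lecture: the slide's ACL under a stateless
packet filter, then behind a stateful filter that keeps a directory of TCP
connections.  Addresses, ports and the inside prefix are constructed."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed internal network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}

def side(ip: str) -> str:
    return "inside" if ip.startswith(INSIDE_PREFIX) else "outside"

# The slide's ACL, first match wins:
# (action, src side, dst side, sport test, dport test, ACK required)
ACL = [
    ("ALLOW", "inside", "outside", lambda p: True, lambda p: p == 80, False),
    ("ALLOW", "outside", "inside", lambda p: p == 80, lambda p: p > 1023, True),
    ("DENY", "any", "any", lambda p: True, lambda p: True, False),
]

def stateless_filter(pkt: Packet) -> str:
    for action, s, d, sport_ok, dport_ok, need_ack in ACL:
        if s != "any" and side(pkt.src) != s:
            continue
        if d != "any" and side(pkt.dst) != d:
            continue
        if not (sport_ok(pkt.sport) and dport_ok(pkt.dport)):
            continue
        if need_ack and "ACK" not in pkt.flags:
            continue
        return action
    return "DENY"

class StatefulFilter:  # same ACL plus a directory of connections opened from inside
    def __init__(self) -> None:
        self.directory = set()  # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt: Packet) -> str:
        if stateless_filter(pkt) != "ALLOW":
            return "DENY"
        if side(pkt.src) == "inside":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:  # new connection
                self.directory.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound to a high port is allowed only for a connection in the directory
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.directory else "DENY"

def demo() -> tuple:
    """Lone ACK probe (as in an ACK scan) vs. a real web session: four verdicts."""
    probe = Packet("203.0.113.9", "10.0.0.10", 80, 1209, frozenset({"ACK"}))
    syn = Packet("10.0.0.10", "198.51.100.7", 40000, 80, frozenset({"SYN"}))
    reply = Packet("198.51.100.7", "10.0.0.10", 80, 40000, frozenset({"SYN", "ACK"}))
    sf = StatefulFilter()
    return stateless_filter(probe), sf.filter(probe), sf.filter(syn), sf.filter(reply)
```

The stateless filter lets the lone ACK probe through on the strength of the second ACL rule, while the stateful filter denies it because no inside host opened that connection; the genuine web session is allowed by both.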

Application-Level Gateway
- Acts as a relay of application-level traffic
- Users contact the gateway with the remote host name and authenticate themselves
- The gateway contacts the application on the remote host and relays TCP segments between server and user
- Must have proxy code for each application; may restrict the application features supported
- More secure than packet filters, but with higher overheads

Application Proxy
- Advantages? Complete view of connections and application data; can filter bad data at the application layer (viruses, Word macros)
- Disadvantages? Speed

Circuit-Level Gateway
- Sets up two TCP connections, one to an inside user and one to an outside host
- Relays TCP segments from one connection to the other without examining their contents, hence independent of application logic
- Just determines whether the relay is permitted
- Typically used when inside users are trusted: may use an application-level gateway inbound and a circuit-level gateway outbound, hence lower overheads

SOCKS Circuit-Level Gateway
- SOCKS v5 is defined in RFC 1928 to allow TCP/UDP applications to use a firewall
- Components: SOCKS server on the firewall; SOCKS client library on all internal hosts; SOCKS-ified client applications
- The client application contacts the SOCKS server, authenticates and sends a relay request; the server evaluates it and establishes the relay connection
- UDP is handled with a parallel TCP control channel

Deep Packet Inspection
- Many buzzwords are used for firewalls; one example is deep packet inspection
- What could this mean? Look into packets, but don't really process the packets
- Effect like an application proxy, but faster

Deep Packet Inspection
- Uses information up to the application layer, including application data
- Can differentiate based on all information: prioritize, reroute, shape, drop, etc.
- Used by ISPs to detect/mitigate security attacks (DoS, buffer overflows, viruses, etc.) and to throttle unwanted P2P (touches net neutrality)
- Implemented in hardware, since it needs to run at line speed

Firewall Topologies (figure): typical network security architecture

Firewalls and Defense in Depth (figure): Internet, packet filter, DMZ with web server, FTP server and DNS server, application proxy, intranet with additional defense

Firewall Basing
- Several options for locating the firewall: bastion host, individual host-based firewall, personal firewall

Bastion Hosts
- Critical strongpoint in the network; hosts application/circuit-level gateways
- Common characteristics:
  - runs a secure O/S with only essential services
  - may require user authentication to access a proxy or host
  - each proxy can restrict the features and hosts accessed
  - each proxy is small, simple and checked for security
  - each proxy is independent and non-privileged
  - limited disk use, hence read-only code

Host-Based Firewalls
- Used to secure an individual host; available in, or as an add-on for, many O/Ss
- Filter packet flows; often used on servers
- Advantages:
  - filter rules tailored to the specific host's needs
  - protection from both internal and external attacks
  - an additional layer of protection on top of the organization's firewall

Personal Firewall
- Controls traffic flow to/from a PC/workstation, for both home and corporate use
- May be a software module on the PC or built into a home cable/DSL router/gateway
- Typically much less complex; the primary role is to deny unauthorized access
- May also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations (figure slide)

Virtual Private Networks (figure slide)

Distributed Firewalls (figure slide)

Firewall Topologies
- host-resident firewall
- screening router
- single bastion inline
- single bastion T
- double bastion inline
- double bastion T
- distributed firewall configuration

Firewall Topologies (figure slides): single bastion inline; single bastion T; double bastion inline; double bastion T

IPS: Intrusion Prevention Systems

Intrusion Prevention Systems (IPS)
- An addition to security products: an inline network/host-based IDS that can block traffic
- A functional addition to a firewall that adds IDS capabilities
- Can block traffic like a firewall, using IDS algorithms
- May be network or host based

Host-Based IPS
- Identifies attacks using both:
  - signature techniques: malicious application packets
  - anomaly detection techniques: behavior patterns that indicate malware
- Can be tailored to the specific platform, e.g. general purpose, or web/database server specific
- Can also sandbox applets to monitor their behavior
- May give desktop file, registry and I/O protection

Network-Based IPS
- Inline NIDS that can discard packets or terminate TCP connections
- Uses signature and anomaly detection
- May provide flow data protection, monitoring the full application flow content
- Can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
- cf. SNORT inline, which can drop/modify packets

Unified Threat Management Products (figure slide)

Tools

Firewalk
- Tool to scan for open ports through a firewall (nmap script)
- The attacker knows the IP address of the firewall and the IP address of one system inside the firewall
- Set TTL to 1 more than the number of hops to the firewall, and set the destination port to N
- If the firewall allows data on port N through, a time-exceeded error message comes back; otherwise, no response

Firewalk and Proxy Firewall (figure): Trudy -> Router -> Router -> Packet filter -> Router; probes to dest port 12343, 12344 and 12345 with TTL=4; "Time exceeded" returned for the permitted port
- This will not work through an application proxy (why?) The proxy creates a new packet, which destroys the old TTL

iptables: path of an IP packet on Netfilter (figure)
- Incoming packet: PREROUTING (mangle, then nat for destination NAT) -> routing decision
- Forwarded packet: FORWARD (mangle, filter, security) -> POSTROUTING (mangle, then nat for source NAT) -> out
- Packet for the local host: INPUT (mangle, filter, security) -> local process -> OUTPUT (mangle, nat (dst), filter, security) -> routing decision -> POSTROUTING
- Chains are the hook points a packet traverses; tables hold the rules a chain consults

Tables contain chains
  Filter:   INPUT, FORWARD, OUTPUT
  Nat:      PREROUTING, OUTPUT, POSTROUTING
  Mangle:   PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
  Security: INPUT, FORWARD, OUTPUT

iptables (cont.)
- Add rules to tables, specifying the chain they belong to
- When a packet matches a rule, its target is executed
- Targets vary according to the table. Examples:
  - Filter table: DROP, ACCEPT
  - NAT table: DNAT, SNAT, MASQUERADE, REDIRECT
- New chains may be created by the user and set as targets of rules

Example: iptables (cont.)
  ## Change source addresses to 1.2.3.4.
  iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
  (table: nat; chain: POSTROUTING; target: SNAT)

firewall-bypass
- Uses the connection helpers of netfilter to open ports (nmap firewall-bypass script)
- Protocols such as FTP or SIP have out-of-band management: a management connection different from the data connection, and a passive mode
- Netfilter must interpret this (e.g. nf_conntrack_ftp)
- firewall-bypass uses an incorrect configuration to open ports on the firewall
- See more detail in Eric Leblond's presentation

Summary
- introduced the need for and purpose of firewalls
- types of firewalls: packet filter, stateful inspection, application and circuit gateways
- firewall hosting, locations, topologies
- intrusion prevention systems

Demonstration

Network (figure): the server is connected to the Internet and routes between two subnets: 10.0.0.1 on enp0s8 (subnet 10.0.0.0/24) and 10.0.1.1 on enp0s9 (subnet 10.0.1.0/24); the workstation is 10.0.0.10 on its enp0s8; openmediavault is 10.0.1.100

SSH access: server -> workstation
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT   (the default is the filter table)
[workstation] iptables -L INPUT --line-numbers
[server] ssh 10.0.0.10
[workstation] iptables -D INPUT 1
  or: iptables -D INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j DROP
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -L INPUT --line-numbers
[workstation] iptables -I INPUT 1 -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10

SSH access: mediavault -> workstation
[openmediavault] ssh 10.0.0.10
[server] iptables -A FORWARD --proto tcp --dport 22 -j REJECT
[openmediavault] ssh 10.0.0.10
[workstation] ssh 10.0.1.100
[server] iptables -I FORWARD 1 -o enp0s8 --proto tcp --dport 22 -j ACCEPT
[workstation] ssh 10.0.1.100
[openmediavault] ssh 10.0.0.10

Allow ping from workstation
[server] iptables -P FORWARD DROP
[server] iptables -A FORWARD -o enp0s9 -p icmp --icmp-type echo-request -j ACCEPT
[server] iptables -A FORWARD -o enp0s8 -p icmp --icmp-type echo-reply -j ACCEPT
[server] iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
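As an added example that is not part of the lecture, the following Python model replays the INPUT-chain steps of the SSH demonstration above: it models -A, -I, -D, -P and first-match evaluation for the three fields the demo uses (-i, --proto, --dport) and shows why an ACCEPT appended after a DROP never takes effect while one inserted at position 1 does. Interface and port values are the demo's; the packet dictionary is constructed.

```python
"""Added example, not the lecture's code: a model of the iptables INPUT chain
used in the SSH demonstration (-A, -I, -D, -P and first-match evaluation).
Only -i, --proto and --dport are modelled; the packet dict is constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                  # -j ACCEPT / DROP / REJECT
    in_if: Optional[str] = None  # -i
    proto: Optional[str] = None  # --proto
    dport: Optional[int] = None  # --dport

    def matches(self, pkt: dict) -> bool:
        for key in ("in_if", "proto", "dport"):
            want = getattr(self, key)
            if want is not None and pkt.get(key) != want:
                return False
        return True

class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: list = []
        self.policy = policy  # iptables -P <chain> <policy>
    def append(self, rule: Rule) -> None:  # iptables -A <chain> ...
        self.rules.append(rule)
    def insert(self, num: int, rule: Rule) -> None:  # iptables -I <chain> <num> ...
        self.rules.insert(num - 1, rule)
    def delete(self, num: int) -> None:  # iptables -D <chain> <num>
        del self.rules[num - 1]
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:  # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy  # no match: the chain policy applies
    def listing(self) -> list:  # like iptables -L <chain> --line-numbers
        return [f"{n} {r.target} {r.proto} dpt:{r.dport}"
                for n, r in enumerate(self.rules, 1)]

SSH_FROM_SERVER = {"in_if": "enp0s8", "proto": "tcp", "dport": 22}

def ssh_rule(target: str) -> Rule:
    return Rule(target, in_if="enp0s8", proto="tcp", dport=22)

def replay_demo() -> tuple:
    """Verdict on the server's SSH SYN after each demo step, plus the final listing."""
    chain = Chain()  # filter table INPUT chain, policy ACCEPT
    steps = [
        lambda: chain.append(ssh_rule("REJECT")),  # ssh is refused immediately
        lambda: chain.delete(1),                   # back to the chain policy
        lambda: chain.append(ssh_rule("DROP")),    # ssh hangs until ConnectTimeout
        lambda: chain.append(ssh_rule("ACCEPT")),  # appended after DROP: never reached
        lambda: chain.insert(1, ssh_rule("ACCEPT")),  # inserted at 1: evaluated first
    ]
    verdicts = []
    for step in steps:
        step()
        verdicts.append(chain.verdict(SSH_FROM_SERVER))
    return verdicts, chain.listing()
```

The difference between REJECT and DROP is visible in the demo: REJECT answers the SYN with an error so ssh fails at once, whereas DROP discards it silently and ssh waits for ConnectTimeout.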