firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Similar documents
Why Firewalls? Firewall Characteristics

Information Systems Security

Computer Security and Privacy

Chapter 9. Firewalls

CHAPTER 8 FIREWALLS. Firewall Design Principles

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

COMPUTER NETWORK SECURITY

CSC Network Security

Unit 4: Firewalls (I)

Internet Security: Firewall

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Indicate whether the statement is true or false.

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

SE 4C03 Winter 2005 Network Firewalls

Network Security: Firewall, VPN, IDS/IPS, SIEM

CSE 565 Computer Security Fall 2018

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies

Chapter 8 roadmap. Network Security

10 Defense Mechanisms

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

CSC 474/574 Information Systems Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CSCE 813 Internet Security Network Access Control

CS155 Firewalls. Simon Cooper CS155 - Firewalls 23 May of 30

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Protection of Communication Infrastructures

Application Firewalls

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Advanced Security and Mobile Networks

CyberP3i Course Module Series

Implementing Firewall Technologies

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Firewalls, Tunnels, and Network Intrusion Detection

20-CS Cyber Defense Overview Fall, Network Basics

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

6 Network Security Elements

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Internet Security Firewalls

Advanced Security and Forensic Computing

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

System i. Version 5 Release 4

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

IP Access List Overview

Configuring Transparent Redirection for Standalone Content Engines

Broadcast Infrastructure Cybersecurity - Part 2

Configuring NAT for IP Address Conservation

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

IPV6 SIMPLE SECURITY CAPABILITIES.

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Why Firewalls? Cosa sono i Firewalls? Firewall. Good Fences Make Good Neighbors Robert Frost, Mending Wall

Definition of firewall

Virtual Private Networks (VPNs)

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Firewalls can be categorized by processing mode, development era, or structure.

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Configuring NAT for IP Address Conservation

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Finding Feature Information

Firewall and IDS/IPS. What is a firewall?

Configuring IP Services

IP Access List Overview

KillTest. 半年免费更新服务

Load Balancing Technology White Paper

Configuring Commonly Used IP ACLs

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Configuring Web Cache Services By Using WCCP

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

Unlike Proxy Server 1.0, Proxy Server 2.0 includes packet filtering and many other features that we will be discussing.

CE Advanced Network Security

Cisco IOS Firewall Authentication Proxy

Computer Networks. Wenzhong Li. Nanjing University

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Networking IP filtering and network address translation

Network Security. Course notes. Version

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Computer Network Vulnerabilities

Computer and Network Security

Fundamentals of Network Security v1.1 Scope and Sequence

Securing CS-MARS C H A P T E R

Configuring IP Session Filtering (Reflexive Access Lists)

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Configuring NAT for IP Address Conservation

BOR3307: Intro to Cybersecurity

CSE 565 Computer Security Fall 2018

Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Securing Access to Network Devices

Software Engineering 4C03 Answer Key

Network Security. Thierry Sans

Access Control Lists and IP Fragments

Transcription:

Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public network (i.e., Internet), users communicate with outside world, and outside world with private network and its computer systems Intermediate system(s) placed between private network and public network to establish a controlled link, and a security wall or perimeter providing single point where security and audit may be imposed These intermediate systems called firewall systems or firewalls (alternative terms comprise security gateways and secure Internet gateways) 2

Overview According to RFC 2828, term firewall refers to internetwork gateway that restricts data communication traffic to and from one of the connected networks, protecting that network's system resources against threats from other network It should have following properties All traffic from inside to outside, and vice versa, must pass through the firewall Only authorized traffic, as defined by local security policy, will be allowed to pass Firewall itself immune to penetration (use of trusted system with secure operating system) 3 Benefits and Limitations Pros controlled and logged interaction with external Internet; can enforce security policy internal machines can be administered with varying degrees of care Focal point for security decisions Cons services through firewall introduce vulnerabilities performance may suffer single point of failure useless against insider attacks 4

Firewall Characteristics Four general techniques: Service control Determines the types of Internet services that can be accessed, inbound or outbound Direction control Determines the direction in which particular service requests are allowed to flow User control Controls access to a service according to which user is attempting to access it Behavior control Controls how particular services are used (e.g. filter e-mail) 5 Firewall Evaluation Criteria 1 Performance: Firewalls always impact performance - compare delays with respect to functions offered. Authentication of connections Requirements Support: Should support the applications that are to be used across the network SMTP, TELNET, FTP, HTTP, etc. 6

Firewall Evaluation Criteria 2 Access Control: handled with IP addresses or user-based? How many users can be supported? Authentication: How hard is this to administrate and how is it accomplished? Inbound and outbound? Auditing: What gets audited? any audit reduction tools available? Logging/Alarms: How is this accomplished? How is administrator notified? 7 Firewall Evaluation Criteria 3 Customer Support: Training courses, installation, help desk, 24x7 availability? Damage: if compromised or destroyed, what outside threats can interfere with the protected network, and how easy is this to detect and diagnose? Physical Security Requirements: Location requirements 8

Firewall Design Philosophies Default deny: Everything not expressly permitted is prohibited Firewall designed to block everything Services enabled case-by-case after careful analysis Users more restricted and cannot easily breach security Default permit: Everything not expressly prohibited is permitted System administrator reacts to threats as discovered Services are removed/limited when proven dangerous Users are less restricted 9 Types of Firewalls Ultimate Firewall 10

Components Firewall policy Service access policy Firewall design policy Packet filters Statically (stateless) filtering devices Dynamically (stateful) filtering devices Application gateways Circuit-level gateways Application-level gateways or proxy servers 11 Types of Firewalls Packet-filtering Router 12

Types of Firewalls Circuit-level Gateway Application-level Gateway 13 Packet-filtering Router Security function consists of filtering (forward or drop) packet based on transport-layer information only These routers are sometimes called screening routers The following fields (usually) taken into account by any packet-filtering device Network interface IP header: Source address, Destination address TCP or UDP header: Source and Destination ports TCP connection flags (SYN,ACK,FIN,...) ICMP messsage type 14

Packet Filtering Advantages: Simplicity Transparency to users High speed Disadvantages: Difficulty of setting up packet filter rules Lack of Authentication Protect against amateur hackers only 15 to Configure a Packet Filter Start with a security policy Specify allowable packets in terms of logical expressions on packet fields Rewrite expressions in syntax supported by the vendor General rules - least privilege All that is not expressly permitted is prohibited If you do not need it, eliminate it 16

Every ruleset is followed by an implicit rule reading like this. Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT to be blocked. 17 Solution 1: Example 2: Now suppose that we want to implement the policy any inside host can send mail to the outside. 18

Solution 2: This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough So why is it wrong? 19 Our defined restriction is based solely on the outside host s port number, which we have no way of controlling. Now an enemy can access any internal machines and port by originating his call from port 25 on the outside machine. What can be a better solution? 20

better Solution 2: The ACK signifies that the packet is part of an ongoing conversation Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts 21 Packet Filtering Order rules so that most common traffic is dealt with first Correctness is more important than speed Possible attacks IP address spoofing Source routing attacks Tiny fragment attacks 22

Packet Filtering A packet filter can be stateless, meaning that each IP packet is treated individually Practical problems occur if inbound connections must be established to dynamically assigned port numbers (e.g., FTP data connection): request may be rejected. FTP Client # r1 (e.g., 1565) ftp-control (outbound) # r2 (e.g., 1567) ftp-data (inbound) # 21 # 20 FTP Server 23 Packet Filtering In case of FTP, passive mode FTP solves the problem, as FTP data connection is also established outbound (from client to server) Underlying problem is more general and applies to increasingly large number of applications (e.g., CORBA InternetInterOrbProtocol and many UDP-based and real-time application protocols) One way to address the problem is to have packet filters establish and maintain state information to more intelligently filter TCP connections or UDP datagram transport sessions 24

Port Numbering TCP connection Server port is number less than 1024 Client port is number between 1024 and 16383 Permanent assignment Ports <1024 assigned permanently 20,21 for FTP 23 for Telnet 25 for server SMTP 80 for HTTP Variable use Ports >1024 must be available for client to make any connection This presents a limitation for stateless packet filtering If client wants to use port 2048, firewall must allow incoming traffic on this port Better: stateful filtering knows outgoing requests 25 Packet Filtering Stateful Packet Filtering filters based on: Information contained in the current packet Information contained in previous packet transmitted Accomplished using state table Maintains state information about the communication from previous packet (client-server session) Information comes from any part of the packet 26

Packet Filtering (stateful) Advantages Can deal with most of the problems that can rise from using stateless filtering Can handle UDP packets Can handle fragmented packets Can prevent TCP Open SYN Flood Attacks Disadvantages Not easy to configure Less secure than Application level gateways??? 27 Types of Firewalls Circuit-level Gateway Stand-alone system or specialized function performed by an Application-level Gateway Sets up two TCP connections The security function consists of determining which connections will be allowed The gateway typically relays TCP segments from one connection to the other without examining the contents Typical use is a situation in which the system administrator trusts the internal users An example is the SOCKS package 28

Circuit-Level Gateways A circuit-level gateway is essentially a proxy server for transport layer associations (i.e., TCP connections) [although more recent ones can handle UDP-based application protocols] A circuit-level gateway differs from a portforwarding mechanism Unlike a port-forwarding mechanism, the client must be made aware of the circuit-level gateway Contrary to a port-forwarding mechanism, the circuitlevel gateway is generic in the sense that it can handle any TCP connection (if enabled in its configuration) 29 Circuit-Level Gateways Circuit-level gateway Origin server User Client 3) The circuit-level gateway connects to the origin server and copies back and forth data between the two TCP connections 2) The circuit-level gateway - checks the client IP address, - authenticates and eventually authorizes the client according to a given network security policy 1) The client establishes a TCP connection to the circuit-level gateway and requests a second TCP connection to a remote server (origin server) 30

Circuit-Level Gateways A common circuit-level gateway is SOCKS (Refer to https://en.wikipedia.org/wiki/socks) Original implementation consisted of two components SOCKS server or daemon (i.e., sockd) SOCKS library used to replace regular Sockets calls in the client software The application developer has to recompile and link the client software with a few preprocessor directives to intercept and replace the regular TCP/IP networking Sockets calls with SOCKS counterparts (connect with Rconnect, listen with Rlisten, etc.) 31 Circuit-Level Gateways The goal of SOCKS was to provide a general framework for TCP/IP applications to securely use (and traverse) a firewall When a client requires access to a server on the Internet, it must first open a TCP connection to the appropriate port (1080) on the SOCKS server residing on the firewall system. Then the client uses the SOCKS protocol to have the SOCKS server establish a second TCP connection to the origin server 32

Types of Firewalls Application-Level Gateways Acts as a relay of application-level traffic Does not provide the service itself. It only acts as the client to the real server It interprets the application protocol, and therefore checks or filter the content works at the application layer, is specific and generally able to proxy only one TCP-based application protocol A firewall needs specific application-level gateways (or proxy servers) for every application protocol that must traverse the firewall (a serious disadvantage for, e.g., proprietary protocols) 33 Application-Level Gateways Advantages: Higher security than packet filters Only need to scrutinize a few allowable applications Easy to log and audit all incoming traffic Disadvantages: Additional processing overhead on each connection (gateway as splice point) 34

Application-Level Gateways In general, the use of an application gateway requires some modification of either the user procedures or the client software (not convenient either way) Useful to have a firewall that maintains all software modifications required for application gateway support in the firewall Solution: transparent firewalls, configured to listen on the network segment of the firewall for outgoing TCP connections and to relay these connections on thebehalf of theclient. 35 Application-Level Gateways Transparency is not necessarily provided in both directions (e.g., inbound transparency is seldom required or used) A transparent firewall requires that all messages to and from the Internet be transmitted through the firewall Similar functionality is required for network address translation (NAT) 36

Application-Level Gateways The application-level gateway must be able to authenticate and authorize user requests List of IP addresses that are allowed to connect inbound or outbound Weak authentication schemes (e.g., password) Strong authentication schemes In practice, the firewall policy must define the authentication and authorization schemes that must be used in either direction and for each service Many policies use the simplest scheme mentioned above for outbound connections and a strong authentication scheme for inbound connections 37 Application-Level Gateways Need for access to reference information to verify the authentication of the information provided by the client (e.g., hash value of a user password or the public key certificate for a specific user) The reference information can be stored either locally or remotely: the latter is preferable since it makes it possible to aggregate at a single point security information for several firewall systems and network access servers 38

Application-Level Gateways A standardized protocol is used to retrieve the reference information from a centralized security server Protocols Remote Authentication Dial-In User Service (RADIUS) developed by Livingston Enterprises, Inc. Terminal access controller access control system (TACACS) now replaced by TACACS+ developed by Cisco Systems Both protocols widely supported by commercial firewall systems and network access servers 39 Firewall Configurations More complex configurations than a simple system (single packet filtering router or single gateway) are possible. Three common configurations, all using the notion of Bastion Host A system identified by the firewall administrator as a critical strong point in the network s security The bastion host serves as a platform for an application-level or circuit-level gateway 40

Firewall Configurations Screened host firewall system (single-homed bastion host) 41 Screened host single-homed Single-homed bastion configuration Firewall consists of two systems: A packet-filtering router only packets from and to the bastion host are allowed to pass through the router A bastion host performs authentication and proxy functions 42

Screened host single-homed Greater security than single configurations because: This configuration implements both packetlevel and application-level filtering (allowing for flexibility in defining security policy) An intruder must generally penetrate two separate systems to compromise network This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) by allowing packets through 43 Firewall Configurations Screened host firewall system (dualhomed bastion host) 44

Screened host dual-homed Dual-homed bastion configuration In single-homed, if packet-filtering router is completely compromised, traffic flows directly to private network In dual-homed, traffic between the Internet and other hosts on the private network has to flow through the bastion host too 45 Firewall Configurations Screened-subnet firewall system 46

Screened subnet Most secure configuration of the three Three levels of defense to thwart intruders Two packet-filtering routers are used Creation of an isolated sub-network Inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) Outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) 47 Conclusions If properly designed, implemented, deployed and administered, a firewall can provide effective access control services The firewall technology is the most widely deployed security technology on the Internet It cannot protect from attacks bypassing it, e.g., utility modems, trusted organisations, trusted services (SSL/SSH) against internal threats e.g., disgruntled employee against transfer of all virus-infected programs or files 48

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback