140 likes | 290 Views
Controlling access with packet filters and firewalls. Security vulnarabilities of the TCP/IP protocols. IP packets are transmitted in the clear and without authentication facilities Can routers trust routing updates received from others?
E N D
Security vulnarabilities of the TCP/IP protocols • IP packets are transmitted in the clear and without authentication facilities • Can routers trust routing updates received from others? • TCP and UDP segments are transmitted in clear and without authentication facilities • Auxiliary protocols have similar problems (ICMP, DNS, ARP, BOOTP, TFTP) • Application protocols are without protection or use weak password protection (TELNET, FTP) • Specific protection applied as “add ons” (NFS, SNMP, X11)
Methods of access control • Physical protection of entities (devices, cables) • Packet Filter • Network Relay • Firewalls • visible • invisible • Security mechanisms of individual computers or applications („personal firewall“, „personal internet security“, e-mail security, telebanking)
Physical security • Protection against physical access to power distribution or network cables • Protection of internal or external access points (distributors, patch panels) • Protection of active devices (routers, bridges) against physical access (lock them up) Problems: • How to support mobile users • How to protect a wireless infrastructure • How to allow secure access to external resources
Access control using packet filters • Operates primarily on IP layer, however also peeking into transport layer information • Filtering based on • IP address of the source • IP address of the receiver • Port number of receiver • Sometimes port number of the source • Type of transport protocol used (TCP/UDP) • Uses set of filter rules • Pure packet filters do not have information on connection states
Filter rules 123.45.6.0 123.45.0.0 Rule Source Destination Action A 135.79.0.0/16 123.45.6.0/24 Permit B 135.79.99.0/24 123.45.0.0/16 Deny C 0.0.0.0/0 0.0.0.0/0 Deny PF 135.79.0.0 135.79.99.0
Access control using network relay External connections Monitoring and controlling host Router Configuration and logging database Invisible private subnet Internal connections
Access control by visible firewall • Users use the Internet exclusively from the firewall • All users need to have a user account on the firewall • The firewall terminates DNS, e-mail, http • User authentication must be secure (with cryptographic means) • Reduced user friendliness
Access control by invisible firewall • Termination of all store-and-forward services (DNS, e-mail) with servers on the firewall • Selective forwarding of connections (stateful) • Authentication of external and internal peers • Logging and intrusion detection • Network Address Translation • Proxy functions Protectedinternal network Internet Firewall 1 Firewall 2 D N S D N S publicservers Variant 1 (DMZ – „de-militarized zone“)
Access control by invisible firewall(Variant 2) • Uses only one physical firewall unit Ruleset 2 Protectedinternal network Firewall Internet Ruleset 1 D N S D N S publicservers (DMZ – „de-militarized zone“)
User or application is “proxy aware” Netscape Navigator Internet Explorer
Some applications are not “proxy aware” • talk, ping, … • Specific implementation of such applications • Offering replacement applications • Such appliations may also not be accessible to normal users at all
Literature • B. Chapman, E. Zwicky, “Building Internet Firewalls”, O’Reilly & Associates, 1995 • W. Cheswick, S. Bellovin, „Firewalls and Internet Security“, Addison-Wesley, 1994