420 likes | 442 Views
Lecture 16 Firewalls. CSCD 434 Spring 2019. Introduction Firewalls. Firewall as part of a security solution Motivation for firewalls Purpose and definition of firewalls Different types of firewalls Firewall rules Effectiveness of firewalls. Security Mechanisms.
E N D
Lecture 16 Firewalls CSCD 434Spring 2019
Introduction Firewalls • Firewall as part of a security solution • Motivation for firewalls • Purpose and definition of firewalls • Different types of firewalls • Firewall rules • Effectiveness of firewalls
Security Mechanisms • There are a number of mechanisms that can be used to insure system security • Cost needs to be considered along with security, can’t do everything • Most businesses purpose is not computer security … producing products/services • Will be looking at some models that incorporate these mechanisms
Security Mechanisms • Cryptographic Techniques • Have discussed these • Software and hardware for access limitations • Firewalls - today • Intrusion Detection and Prevention Systems • Hardwarefor authentication • Smartcards, security tokens • Security Policies / Access Control • Define who has access to which resources. • Physical security • Keep in safe place with limited and authorized physical access 4
What is a firewall? • A hardware device and/or software program which sits between the Internet and the intranet, internet, of an organization • Its main objectives are to filter: • What should come in the intranet (inbound traffic) and • What should come out of the intranet (outbound traffic)
Another ViewPurpose of Firewalls • Basic task • Control traffic between networks with different zones of trust • Internet has no zones of trust • Internal network high trust zone • Provide controlled interface between zones of trust • Enforcement of security policies and connectivity model
Firewall Between Zones of Trust High Trust No Trust
Properties of Firewalls Firewalls Must have following Properties • All traffic must pass through firewall • Only authorized traffic as defined by security policy • Firewall itself immune to penetration
Firewall Types • Many ways to categorize firewalls • One way looks at where they filter within the protocol stack • Four Categories • Packet filtering • Circuit gateway • Application gateway • Plus NAT – not just a firewall
Packet Filter Firewall • First Generation Firewalls • Examines IP, TCP,UDP, and ICMP headers • Cheap and fast !!! • Usually built into routers, drop packets based on source, destination addresses or port numbers • Little or no context is kept – decision based on single packets • Administrator creates list of acceptable machines and/or services and stoplist of unacceptable machines or services
Packet Filter Firewall • Helps with Spoofed Packets • Incoming IP addresses shouldn't have source address of your network • Ingress Filtering • Outgoing IP addresses should only have source address from your network • Egress Filtering • Packet filters - Not a complete Answer • Cheap, easy method of control but easy to get rules wrong and rules can become too complex ... 147.87.10.5 147.87.10.1 147.87.10.1 187.111.90.9
Packet Filter Firewall • Screening Router Firewalls – Type of Packet Filter • Add firewall software to router • Usually provide light filtering only • Millions of packets – can only screen headers for probing types of scans • Screens out incoming “noise” of simple scanning attacks to make the detection of serious attacks easier • Good location for egress filtering
Packet Filter Firewall Effectiveness of Packet Filter Firewalls • What kind of Attacks? • Only attack packets that take advantage of TCP/IP Vulnerabilities • Probes, Scans, DoS attacks • Some attacks on known ports • Trojans that use a known port
IP-H TCP-H Packet Contents IP-H UDP-H Packet Contents IP-H ICMP Message Static Packet Filter Firewall Packet Filter Firewalls Router Corporate Network The Internet Permit (Pass) Deny (Drop) Arriving Packets Examined One at a Time, in Isolation Only IP, TCP, UDP and ICMP Headers Examined Log File
Packet Filter Firewalls • Have … Access Control Lists (ACL’s) • Both Ingress and Egress Filtering • Will have two separate ACL’s for Ingress and Egress • Goes through rules in order • Test rules and either matches rule and pass or match a rule and deny • If we reach end of list without matching have option of Denying all or Passing all
Packet Filter Firewalls • ACL Design Philosophies • Default deny: • “Everything not expressly permitted is denied” • Default permit: • “Everything not expressly prohibited is permitted” • Which is better?
Ruleset Design Block Everything • Blocking everything provides strongest security but the most inconvenience • Things break and people complain • Block everything method covers all bases but creates more work in figuring out how to make some applications work then opening holes.
Ruleset DesignBlock Nothing • Blocking nothing provides minimal security by only closing holes you can identify • Blocking nothing provides least inconvenience to our users • Blocking nothing means you spend time figuring out what you want to protect by closing each hole … lots of holes
Packet Filter Firewalls • Example: Ingress ACL Rules 1. If source IP address = 10.*.*.*, DENY [private IP address range] 2. If source IP address = 172.16.*.* to 172.31.*.*, DENY [private IP address range] 3. If source IP address = 192.168.*.*, DENY [private IP addr range] 4. If source IP address = 60.40.*.*, DENY [internal address range] 5. If source IP address = 1.2.3.4, DENY [black-holed address of attacker] 6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet] 7. If destination IP address = 60.47.3.9 AND TCP destination port=80 OR 443, PASS [connect to a public webserver]
Packet Filter Firewalls • Ingress ACL Rules Continued 8. If TCP SYN=1 AND ACK=0, DENY [attempt to open a connection from the outside] 9. If TCP destination port = 20, DENY [FTP data connection] 10. If TCP destination port = 21, DENY [FTP supervisory control connection] 11. If TCP destination port = 23, DENY [Telnet data connection] 12. If TCP destination port = 135 through 139, DENY [NetBIOS connection for clients] 13. If TCP destination port = 513, DENY [UNIX rlogin without password] 14. If TCP destination port = 514, DENY [UNIX rsh launch shell without login]
Packet Filter Firewalls • Ingress ACL Rules 15. If TCP destination port = 22, DENY [SSH for secure login, but some versions are insecure] 16. If UDP destination port=69, DENY [Trivial File Transfer Protocol; no login necessary] 17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
Ingress ACL List Rules • Explanation of Rules 1. First three rules deal with Ingress IP source filtering 2. Rule 5 blocks a known bad address 3. Rule 6 filters packets with both Syn and Fin bits 4. Rule 7 Web server traffic allowed, port 80, 443 5. Rule 8 No TCP outside connections 6. Rules 9 – 12 – Block incoming FTP, Telnet and Netbios 7. Block Rlogins on ports 513, 514 8. Block ssh too, UDP for port 69 blocked
Packet Filter Firewalls • Egress Filtering • Similar but different ACL for Egress routing
Firewall Gateways • Firewall runs set of proxy programs • Proxies filter incoming, outgoing packets • All incoming traffic directed to firewall • All outgoing traffic appears to come from firewall • Policy embedded in proxy programs • Two kinds of proxies • Application-level gateways/proxies • Tailored to specific applications Http, Ftp, Smtp, etc. • Circuit-level gateways/proxies • Working on transport TCP level
Circuit Gateway • Second Generation Firewalls • A circuit level firewall, Transport Level • Validates that packet is either a connection request or • Data packet belongs to existing connection, between two peers • To validate a session, circuit level firewall examines each connection setup • Looks for legitimate handshake for transport layer protocol • In addition, data packets are not forwarded until the handshake is complete
Circuit Gateway • A circuit level firewall works by ... • Maintaining table of valid connections includes state and sequence information • Allows network packets containing data pass through when network packet information matches an entry in virtual circuit table • Once connection is terminated, its table entry is removed • “Virtual circuit” between two peer transport • layers is closed
Circuit Gateway Transport Level • Uses host in middle that acts like a relay • Internal system forwards packet through firewall • Packet is inspected by firewall, and source address is modified, in header • External server receives packet and replies • External server communicates with firewall as if it were actual client • Often company Intranet on one side and Internet on other side • SOCKS is one example of Circuit Gateway type of firewall • SOCKS is an abbreviation for "SOCKetS" http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol
Circuit Gateway • Specifically ... • Launder IP Connections • Source IP not available to server on other side of gateway • Relay requests arrive at interface • If allowed, are relayed through SOCKS gateway • Replies are routed back through gateway • Acts like Network Address Translator
Application Gateway • Application Firewalls • Works at application level • Go beyond Circuit level to Specific Applications • Also, called Proxy Gateways and or Proxy Firewalls • Details of particular service are monitored • Not a general purpose solution • Mail proxy, FTP proxy or Http proxy – very common • Looks at details of application so can look at packet contents and takes place of actual application for client
Firewalls • Application Firewalls or Application Proxies • What do they do? • Go deeper into packet analysis and look at packet payload – application, to check for correctness • Example: HTTP proxy • Browser gives an HTTP request • Request goes through application firewall, HTTP proxy • HTTP proxy reads packet payload and either passes or drops HTTP request • Can disallow certain commands • Allow Get but rejects Post commands
Application Firewall An application level gateway that is configured to be a web proxy will not allow any ftp, telnet or other traffic through
Application Firewall 3. Examined HTTP Request From 60.45.2.6 2. Filtering 1. HTTP Request From 192.168.6.77 Browser HTTP Proxy Webserver Application Application Firewall 60.45.2.6 Filtering: Blocked URLs, Post Commands, etc. Webserver 123.80.5.34 Client PC 192.168.6.77
Application Firewall 4. HTTP Response to 60.45.2.6 6. Examined HTTP Response To 192.168.6.77 Browser HTTP Proxy Webserver Application 5. Filtering on Hostname, URL, MIME, etc. Webserver 123.80.5.34 Client PC 192.168.6.77 Application Firewall 60.45.2.6
Application Firewall • Application-level gateways can also log user logins and activity. • Application-level gateways can offer high degree of security but network performance might suffer • It can also use algorithms to determine if content of each application level packet contains malicious material and drop packets if it thinks contact is unauthorized
Network Address Translation Firewall • Network Address Translation NAT • Operates at IP level • What’s this good for? • Hackers can put sniffer outside router and sniff for internal host addresses • Follow up with Scanning Activity • NAT can help to hide internal host addresses • Also extends number of available Ipv4 addresses
1 Internet 2 Server Client 192.168.5.7 3 4 Internal External IP Addr Port IP Addr Port 192.168.5.7 61000 60.5.9.8 55380 . . . . . . . . . . . . Network Address Translation Firewall From 192.168.5.7, Port 61000 IP: 60.5.9.8, From 60.5.9.8, Port 55380 NAT Firewall To 60.5.9.8, Port 55380 Sniffer To 192.168.5.7, Port 61000 Translation Table
Firewall Protection • What can a firewall protect against? • Protect against unauthenticated interactive logins from “outside” your network • Block traffic from outside to inside but permit users to talk to the outside • Provide a single “choke point” where security and audit are imposed
Firewall Protection • What can a firewall protect against? • Firewall can provide a logging and auditing function so can list “bad” packets that were attempts to breach system security • Used later to establish intent in compromising network • Correlate early probe or breach with actual break-in
Firewall Limitations • What can’t a firewall protect against? • Can’t protect against attacks that don’t go through the firewall • Companies concerned about data leaking out through Internet • Data can just as easily leave the building via a floppy or CD • Systems with really sensitive data should not be connected to the corporate network
Firewall Limitations • What can’t a firewall protect against? • Can’t protect against naïve users or traitors inside your network • Spys are just as likely to leak information through a telephone, FAX machine or floppy disk • Firewalls can’t protect you against stupidity • Can use social engineering to bypass most firewalls
Firewall Quiz – In Class Only • Say you have a packet filter firewall … on a router, stateless • Can it protect against the following attacks Yes/No and state how ... 1. Can the firewall prevent a SYN flood denial-of-service attack from the external network? 2. Can the firewall prevent a Smurf attack from the external network? 3. Can the firewall block a virus embedded in an incoming email? 4. Can the firewall be used to block users on the internal network from browsing a specific external IP address?
The End • References Do we Need Firewalls? https://www.csoonline.com/article/3301354/do-you-still-need-a-firewall.html Types of Firewalls https://www.esecurityplanet.com/network-security/firewall-types.html Overview of Firewalls https://searchsecurity.techtarget.com/feature/The-five-different-types-of-firewalls