
Teleseminar Nice-Mannheim




  1. Teleseminar Nice-Mannheim Firewalls Tuesday, September 25th, 2001 Teleseminar Nice-Mannheim Tue Sept 25th, 2001

  2. Overview
• Motivation:
  • Security threats for a network
  • Typical attacks on a computer
• Firewalls as a solution
• Properties of firewalls
• Firewall components
  • Packet filter
  • Gateway
  • Bastion Host
• Firewall configurations
• Available software solutions
• Additional Security Measures

  3. Motivation
• There are lots of benefits in connecting a network to the Internet; we all know them!
• HOWEVER: access is always bi-directional.
• Outsiders are typically able to access resources of the organizational network.
• Sometimes, this might be desired (example?).
• Often, it is a problem.

  4. Typical Outsider Attacks
• Denial-of-Service attacks: make a host unusable. Example: TCP SYN flooding
• Distributed DoS attack: massive DoS launched from many hosts at once
• Spoofing (IP/DNS): fake source addresses, or fake name-to-address mappings
• Smurf and Fraggle attacks: indirect DoS; echo requests (ICMP for Smurf, UDP echo for Fraggle) are sent to a broadcast address with the victim's address forged as source, so every host on that network floods the victim with replies
• Ping of Death: send a fragmented IP packet whose reassembled size exceeds the 65535-byte maximum; the oversized reassembly overflows a buffer in the receiving kernel and crashes the machine
• Worms: use security holes to get into a system, then duplicate and try to access other systems
• Trojan Horses: claim to provide useful functions, but have some malicious code run in the background
• Simple password guessing

  5. DNS Spoofing
• Basically, DNS is a distributed database of symbolic names and corresponding IP addresses.
• For efficiency reasons, DNS answers are stored in a cache for later re-use.
• Distribution and caching are weaknesses that can be exploited for spoofing.

  6. Example: DNS Spoofing
Participants (from the figure): name server of domain X, computer C in domain X, attacker A (137.1.1.1), name server of domain Y (134.136.12.1), www.y.de in domain Y (134.136.12.17).
• Attacker A first finds out the address of Y’s name server by an iterative query: asking for www.y.de yields the referral “ask 134.136.12.1!”, i.e. now ask that server for the target host.
• A then SYN-floods Y’s name server so that it cannot respond.
• Computer C asks the name server of X for www.y.de; the name server of X asks the name server of Y, but the latter cannot answer.
• A answers instead of Y and sends its own IP address as the answer: www.y.de = 137.1.1.1. This answer is cached by X.
• Now, if C asks for www.y.de (or ftp.y.de), it receives the cached answer and connects to A, which can act as a proxy to the real host in order to get user-id and password.
• For the forged answer to be accepted, it has to look like the reply X is waiting for: same question, and the same 16-bit transaction ID and UDP port as X’s query. Resolvers that pick predictable IDs make this easy; random IDs force the attacker to guess.
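The sequence on slides 5 and 6 played through in code. This is an added example and not part of the original slides; the addresses follow the figure (attacker A = 137.1.1.1, Y’s name server = 134.136.12.1, www.y.de = 134.136.12.17), while the class names, the in-memory “wire”, and the transaction-ID check of the hardened resolver are assumptions made here for illustration. The resolver with `check_txid=False` accepts any reply that matches the question, which is the behaviour the slide exploits; with `check_txid=True` the attacker has to guess the ID, and the last run shows why sequential IDs do not help.

```python
import itertools
import random
from dataclasses import dataclass
from typing import Callable, List, Optional

# Addresses as in the figure on slide 6.
ATTACKER = "137.1.1.1"       # attacker A
NS_Y = "134.136.12.1"        # name server of domain Y
WWW_Y = "134.136.12.17"      # the real www.y.de


@dataclass(frozen=True)
class DnsMessage:
    txid: int                     # 16-bit transaction id, copied from query to reply
    qname: str
    answer: Optional[str] = None  # None for a query
    sender: str = ""              # source address as seen on the wire (spoofable)


class AuthoritativeServer:
    """Name server of domain Y. 'flooded' models the SYN flood of slide 6."""

    def __init__(self, addr: str, zone: dict):
        self.addr, self.zone, self.flooded = addr, zone, False

    def handle(self, query: DnsMessage) -> Optional[DnsMessage]:
        if self.flooded:
            return None           # busy with half-open connections, never answers
        return DnsMessage(query.txid, query.qname, self.zone.get(query.qname), self.addr)


class CachingResolver:
    """Name server of domain X. With check_txid=False it accepts any reply
    whose question matches (the weakness the slide exploits); with
    check_txid=True a reply must also carry the id the resolver chose."""

    def __init__(self, check_txid: bool, next_txid: Callable[[], int]):
        self.cache = {}
        self.check_txid = check_txid
        self.next_txid = next_txid

    def resolve(self, qname: str, server: AuthoritativeServer,
                wire: List[DnsMessage]) -> Optional[str]:
        if qname in self.cache:
            return self.cache[qname]              # cached answer, as served to C
        query = DnsMessage(self.next_txid() & 0xFFFF, qname)
        replies = [m for m in wire if m.qname == qname]   # forged replies already on the wire
        real = server.handle(query)
        if real is not None:
            replies.append(real)                  # the genuine reply arrives last, if at all
        for reply in replies:                     # first acceptable reply wins
            if self.check_txid and reply.txid != query.txid:
                continue
            self.cache[qname] = reply.answer
            return reply.answer
        return None


def run_attack(check_txid: bool, next_txid: Callable[[], int], guesses) -> Optional[str]:
    """Play the sequence of slide 6 and return what computer C ends up with
    for www.y.de. 'guesses' are the transaction ids the attacker tries."""
    ns_y = AuthoritativeServer(NS_Y, {"www.y.de": WWW_Y})   # address learnt by the iterative query
    ns_x = CachingResolver(check_txid, next_txid)
    ns_y.flooded = True                                     # SYN flood so Y cannot respond
    # A answers instead of Y: forged replies with A's address, sender spoofed as Y's name server
    wire = [DnsMessage(g, "www.y.de", ATTACKER, NS_Y) for g in guesses]
    ns_x.resolve("www.y.de", ns_y, wire)                    # C asks X, X asks Y, forgery gets cached
    ns_y.flooded = False
    return ns_x.resolve("www.y.de", ns_y, [])               # C's later lookups get the cached answer


if __name__ == "__main__":
    counter = itertools.count(4711)                 # predictable ids, as older resolvers used
    print(run_attack(False, counter.__next__, guesses=[0]))      # poisoned: 137.1.1.1
    print(run_attack(True, counter.__next__, guesses=[4712]))    # id checked, but A saw 4711 before
    rng = random.SystemRandom()
    print(run_attack(True, lambda: rng.randrange(65536), guesses=range(256)))  # almost surely 134.136.12.17
```

The simulation leaves out what makes the real attack harder in practice (timing of the forged replies, the UDP source port of the query), but the cache behaviour is the point: once a forged answer is cached, every client of X is redirected until the entry expires.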

  7. Efficient Security Measures
• Educate your users!
• Use the newest protocol versions
• Use authentication
• Protect your systems:
  • No protection at all
  • Protection by obscurity
  • Protecting single systems
  • Protecting the whole network
• Comments? Which one? More than one?

  8. Firewalls
• Firewalls are often compared to the protection measures of a medieval castle:
  • entry at one point
  • keep attackers from coming close to protected things
  • the system can only be left at one point
• The job of a firewall is to protect a whole network.

  9. Firewall Placement and Task
• Firewalls are placed between the organization's own intranet and the global Internet.
• The complete traffic between the two networks runs through the firewall.
• The firewall only admits acceptable traffic.
• What “acceptable” means is defined by the security policy.

  10. Firewall Properties
A firewall allows you:
• to concentrate all security measures onto one point in the network,
• to support the company’s security policy,
• to log all Internet activity,
• to protect internal networks against each other.
It cannot:
• protect against malicious insiders,
• protect against traffic not running through it (e.g. a modem line),
• protect against unknown threats,
• protect against viruses carried inside permitted traffic.

  11. Firewall Components
• The logical device “firewall” usually consists of several physically separate devices. The following device types are available:
  • packet filters
  • application gateways
  • connection gateways

  12. Packet Filters
• As the name says, a packet filter decides which incoming packets to forward and which to drop.
• Packet filters work in both directions!
• Basically, a packet filter is a router with additional capabilities:
  • Router: how do I forward the packet?
  • Filter: do I forward the packet at all, and if so, how?
• Can be implemented on a dedicated router or on a normal PC/workstation (in software)

  13. Filter Architecture
[Figure: the packet filter sits between the Internet and the intranet; all traffic passes through it.]

  14. Filtering Decisions
• The decision whether to let a packet pass or not is based on protocol header information:
  • source address
  • destination address
  • transport protocol (TCP, UDP, ICMP) and port numbers, which identify the application protocol to be used
• It cannot be based on application data: a filter does not understand the semantics.

  15. Capabilities of Packet Filters
• They can inhibit an outsider’s access to an application like telnet to avoid his/her logging on to an inside computer.
• They can allow any outsider to send email into the intranet.
• They can allow a certain machine to send NNTP data to a certain inside machine, and disallow it for all others.
• They cannot prevent only certain users from logging in to an inside machine and allow it for others.
• They cannot allow or forbid the transfer of certain files from inside to outside: packet filters do not have a notion of “file”.

  16. Advantages/Disadvantages
Advantages:
• A single filter can protect a complete network when configured accordingly.
• To access network services, no special knowledge is required on the user's side: it works or it does not …
• Most commercial routers can be easily configured for packet filtering.
Disadvantages:
• Packet filter configuration often is a complex task and thus leads to mistakes.
• The low protocol level only allows for coarse-grained filtering of packets.
• When a packet filter fails to work, the whole network is unprotected: protection is based on the proper functioning of the device.

  17. Filter Rules
• Filter rules define which packets are allowed to pass.
• When a packet arrives, the rules are checked one after the other. As soon as one applies, it is executed, and as a result the packet is forwarded or dropped.
• The last rule is either:
  • What is not forbidden is allowed, or
  • What is not allowed is forbidden.
• The second form (default deny) is the safe choice: a service nobody thought of stays blocked instead of being exposed.
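A first-match rule engine of the kind slides 12 to 17 describe, as an added example that is not part of the original slides. The inside network 192.168.23.0/24, the mail and news hosts, the outside news feed 134.136.12.17, the field names and the sample packets are all constructed for the illustration. The rule set encodes the three policies of slide 15 (no telnet from outside, mail to the mail host from anyone, NNTP to the news host only from one peer); `decide` walks the rules in order and falls back to the default policy of slide 17, and `shadowed_rules` finds the ordering mistake slide 16 warns about: a rule placed after a broader one that already covers it can never fire.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses for the illustration (not from the slides).
INTRANET = "192.168.23.0/24"         # the inside network
MAIL_HOST = "192.168.23.25"          # inside SMTP server
NEWS_HOST = "192.168.23.119"         # inside NNTP server
NEWS_FEED = "134.136.12.17"          # the one outside machine allowed to send NNTP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # 0 for protocols without ports
    ack: bool = False     # TCP ACK flag; clear only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None    # None: any port
    ack: Optional[bool] = None     # None: don't care

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.ack in (None, p.ack))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Check the rules one after the other; the first one that applies decides.
    Returns (action, index of the rule that fired), or (default, None) when no
    rule applies: the 'last rule' of slide 17."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return default, None


# The policy of slide 15, plus one rule letting replies (ACK set) to
# connections opened from inside come back in.
RULES = [
    Rule("deny",  dst=INTRANET, proto="tcp", dport=23),
    Rule("allow", dst=MAIL_HOST, proto="tcp", dport=25),
    Rule("allow", src=NEWS_FEED, dst=NEWS_HOST, proto="tcp", dport=119),
    Rule("deny",  proto="tcp", dport=119),
    Rule("allow", dst=INTRANET, proto="tcp", ack=True),
]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching 'inner' also matches 'outer'."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport)
            and outer.ack in (None, inner.ack))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Rules that can never fire because an earlier rule already covers all
    packets they match. Returns (shadowed index, shadowing index) pairs."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i))
                break
    return found


# A broken variant: the broad allow in front turns the telnet deny into dead code.
BAD_RULES = [
    Rule("allow", dst=INTRANET, proto="tcp"),
    Rule("deny",  dst=INTRANET, proto="tcp", dport=23),
]

if __name__ == "__main__":
    samples = [
        Packet("134.136.12.1", "192.168.23.10", "tcp", 23),           # telnet in: deny
        Packet("134.136.12.1", "192.168.23.25", "tcp", 25),           # mail in: allow
        Packet("134.136.12.1", "192.168.23.119", "tcp", 119),         # NNTP from wrong host: deny
        Packet("134.136.12.1", "192.168.23.10", "tcp", 40000, True),  # reply to inside client: allow
        Packet("134.136.12.1", "192.168.23.10", "tcp", 8080),         # nothing applies: default
    ]
    for p in samples:
        print(p, "->", decide(RULES, p))
    print("shadowed in BAD_RULES:", shadowed_rules(BAD_RULES))
```

The ACK rule is the usual coarse way a stateless filter lets return traffic in; it is also the reason such filters are coarse-grained, since anyone can set the ACK bit on a packet that opens nothing, and the filter cannot tell.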

  18. Gateways
• Gateways are placed on a higher level in the protocol architecture (application layer).
• They provide access to network services
  • either by forwarding data from a client to a server on TCP level (connection-level gateway: two TCP connections, one on each side),
  • or by running an application-specific proxy on a host (application gateway/proxy server).
• Packets are checked before they are forwarded.

  19. Proxy Server Architecture
[Figure: client, proxy and server. The client’s illusion is that it talks to the server, the server’s illusion is that it talks to the client; the real communication runs through the proxy.]

  20. How a Proxy Works
• Proxies run on specific machines, so-called bastion hosts.
[Figure: the telnet client on the inside connects to the proxy server on the bastion host (internal communication); the proxy client on the same host opens a second connection to the real telnet server.]

  21. Bastion Hosts
• Bastion hosts are those machines that are exposed to the Internet without being protected by the firewall (at most by a packet filter).
• They are mostly used to run proxies.
• In order to make a bastion host secure, it should be as simple as possible (no unnecessary services, programs and files).
• Do not trust the bastion host completely!

  22. Characteristics
• Use well-tested operating systems (UNIX).
• Well-known security mechanisms must be available.
• The administrator must be familiar with it.
• Do not use a high-end machine:
  • Performance is not determined by the CPU, but by the line capacity.
  • The slower the machine, the more inconvenient for an attacker.
  • Memory and swap are important.

  23. Advantages of Proxies
• Allow direct Internet access without visible indirection.
• Allowing and forbidding actions is much more fine-grained since it is on the application level.
  • Example: an ftp proxy could allow reads but forbid writes
• Logging activities is simple.
• If the proxy fails, security is still protected: without a running proxy no traffic passes at all, so a failure closes the path instead of opening it.

  24. Disadvantages
• Proxy software is still unavailable or not well-tested for many new services (http).
• Each service needs its own proxy.
• Client programs (or the users’ procedures) must be modified to talk to the proxy.
• The data itself cannot be checked: proxies do not understand file formats etc.

  25. Firewall Configurations
• Firewalls do not necessarily consist of only one of the above components.
• There is a number of configurations that make sense.
• Most important:
  • screened host
  • dual-homed host
  • screened subnet

  26. Screened Host Architecture
• Here, the bastion host has only one network connection (to the intranet).
• Firewall functionality is assured by an additional router/packet filter.
• The filter only admits packets that are addressed to the bastion host (or reroutes them to it).

  27. Screened Host Architecture
[Figure: Internet, packet filter, then the intranet with the bastion host and a web server. Connections to a “normal” host are possible only via the bastion host; connections to the web server can be direct.]

  28. Dual-Homed Host
[Figure: Internet, packet filter, web server, and the dual-homed bastion host with one interface towards the outside and one towards the intranet.]

  29. Characteristics
• Very flexible control (up to forbidding any communication between intranet and Internet)
• Two possibilities:
  • install proxy servers
  • allow user accounts on the host
• Additional level of security: in order to get into the internal network, an attack has to pass both the filter and the bastion host

  30. Screened Subnet
• introduces one more security layer with a perimeter network
• the bastion host is placed into this network and thus has no easy access to the intranet
• two routers are necessary

  31. Architecture
[Figure: Internet, exterior packet filter, perimeter network with the web server and the bastion host, interior packet filter, intranet.]

  32. Software Solutions
• Squid: the standard Linux HTTP caching proxy (an application gateway), relatively complex configuration
• SOCKS: probably the best-known connection-level gateway; it relays TCP connections generically instead of understanding a particular application protocol
• ipchains: the packet filter in the Linux 2.2 kernel (superseded by iptables/netfilter in kernel 2.4)
• SuSEfirewall: relatively complex packet filter configuration in SuSE Linux
• Personal-firewall: easy-to-configure SuSE Linux packet filter: allows connections to the Internet, but no connections from outside

  33. Additional Security Measures
• Network Address Translation
• IP Masquerading
• Virtual Private Networks

  34. IP Masquerading/NAT
• Idea: don‘t expose the structure of the internal net to the outside
• The internal net has only one official IP address
• All internal addresses are so-called private addresses (e.g. 192.168.23.13, from the ranges reserved by RFC 1918) and are not routed on the Internet
• The NAT router maps each internal address/port pair to a combination of the external address and a port number, and keeps a translation table so that replies can be mapped back
• Connections from outside to inside are not possible, because an unsolicited packet matches no table entry, unless the administrator explicitly forwards a port to an internal host
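The translation table of a masquerading router, as an added example that is not part of the original slides. The router's official address 137.1.1.1, the private net 192.168.23.0/24, the outside hosts and the tiny port pool are constructed for the illustration. `outbound` rewrites inside-to-outside packets and allocates an external port the first time it sees a flow; `inbound` only knows how to rewrite a packet that matches an existing entry, which is why an unsolicited connection from outside is dropped; `forward` is the deliberate exception (static port forwarding) that makes one internal service reachable.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_ADDR = "137.1.1.1"            # the one official address (constructed)
PORT_POOL = range(40000, 40010)      # deliberately tiny so exhaustion is visible


@dataclass(frozen=True)
class Flow:
    """Addresses and ports of one packet, as seen on the wire."""
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    def __init__(self) -> None:
        # (inside host, inside port, outside host, outside port) -> external port
        self.by_inside: Dict[Tuple[str, int, str, int], int] = {}
        # (external port, outside host, outside port) -> (inside host, inside port)
        self.by_outside: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # external port -> (inside host, inside port) for explicitly forwarded ports
        self.forwarded: Dict[int, Tuple[str, int]] = {}
        self.free: List[int] = list(PORT_POOL)

    def outbound(self, f: Flow) -> Flow:
        """Rewrite an inside->outside packet: allocate an external port on
        first sight of the flow, reuse it afterwards."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.by_inside.get(key)
        if port is None:
            if not self.free:
                raise RuntimeError("external port pool exhausted")
            port = self.free.pop(0)
            self.by_inside[key] = port
            self.by_outside[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(PUBLIC_ADDR, port, f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite an outside->inside packet. Returns None (drop) when the
        packet is not for the official address, or when neither a table entry
        created by an earlier outbound packet nor a forwarded port matches."""
        if f.dst != PUBLIC_ADDR:
            return None                           # private addresses are unknown outside
        inside = self.by_outside.get((f.dport, f.src, f.sport)) or self.forwarded.get(f.dport)
        if inside is None:
            return None                           # unsolicited: nobody inside asked for this
        return Flow(f.src, f.sport, inside[0], inside[1])

    def forward(self, ext_port: int, host: str, port: int) -> None:
        """Static port forwarding: the one deliberate hole in the rule that
        outside cannot reach inside."""
        self.forwarded[ext_port] = (host, port)


if __name__ == "__main__":
    nat = Masquerader()
    out = nat.outbound(Flow("192.168.23.13", 3456, "134.136.12.17", 80))
    print("outbound rewritten to", out)                             # 137.1.1.1:40000 -> 134.136.12.17:80
    print("reply mapped back to", nat.inbound(Flow("134.136.12.17", 80, PUBLIC_ADDR, 40000)))
    print("unsolicited ssh from outside:", nat.inbound(Flow("134.136.12.1", 5555, PUBLIC_ADDR, 22)))
    nat.forward(80, "192.168.23.80", 80)
    print("forwarded web port:", nat.inbound(Flow("134.136.12.1", 5555, PUBLIC_ADDR, 80)))
```

Note that the table key includes the outside peer: a packet to 137.1.1.1:40000 from a different host than the one the inside client talked to is dropped too. Real implementations also expire idle entries; the small pool here shows the consequence of not doing so.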

  35. VPNs
• Problem: a firewall restricts access for outsiders to internal resources
• What about telecommuters etc., i.e. people who are logically insiders but physically outsiders?
• Solution: Virtual Private Networks
• Idea: use authentication and encryption to allow secure access to internal resources
• Possible implementations: IPsec, ssh, Microsoft‘s PPTP, ...

