KX-TDA200/100 System (Version 2.0)
Chapter 4 Firewall
Panasonic Communications Co., Ltd., Network Business Company
Edition 1.1, 15 Nov 2004
Chapter 4 Firewall
4. Firewall
(1) What is a Firewall?
(2) What does it prevent?
(3) How does it prevent the disasters?
(4) VoIP and Firewall
(5) How do you set up a Firewall for VoIP?
(6) Firewalls
What is a Firewall? (1/4)
We do not recommend installing or using VoIP in a firewalled environment. If you cannot avoid it, you must understand the network's firewall well enough to avoid the possible technical problems. This chapter covers the function of a firewall, the technical problems it causes for VoIP, and the solutions for using VoIP together with it.
What is a Firewall? (2/4)
A real firewall: a fire-prevention safety facility that confines a fire to the smallest possible area and stops the damage from spreading.
What is a Firewall? (3/4)
A network firewall: network equipment that holds off malicious attacks and unauthorized computer access from outside, and so prevents destruction and theft of in-house data.
What is a Firewall? (4/4)
Another way to define it: the firewall controls the access between two kinds of network, the "network which can be trusted" and the "untrustworthy network".
What does it prevent? (1/5)
Attacks a firewall can prevent: illegal intrusion, destruction of data, falsification of data, and illegal use of resources. The firewall stops a suspicious packet from entering the in-house network; as a result, destruction and theft of in-house data are prevented.
What does it prevent? (2/5)
Attacks it cannot prevent (1): invasion by a computer virus (whether an accepted threat, an unknown threat or an internal threat), and connections that bypass the firewall (a bypass route). Not every attack can be prevented completely by the firewall alone.
What does it prevent? (3/5)
Attacks it cannot prevent (2): attacks on a public server, such as buffer overflow, illegal relay of e-mail, and DoS attacks. An attack on a public server cannot be prevented with the firewall alone.
What does it prevent? (4/5)
Important notes about the firewall: not every attack can be prevented completely by the firewall. It is necessary to combine multiple defenses against the various threats.
What does it prevent? (5/5)
A firewall has clear limits in preventing disasters. For this reason, the customer's network managers are usually very nervous (negative) about the introduction of VoIP, or of any technology that could threaten the safety of the firewall. You must discuss the installation thoroughly with them to get their help and finish the VoIP installation successfully.
How does it prevent the disasters? (1/40)
A firewall is a barrier to packets. Access from outside is either accepted or denied by a control rule (policy). Every packet is inspected according to the rule, which determines whether the packet is suspicious, and a suspicious packet that does not satisfy the rule is discarded.
How does it prevent the disasters? (2/40)
Basic configuration of a firewall: The Internet - Router (Gateway) - Firewall. Configuration with a small home router: The Internet - Router (Gateway) with built-in Firewall.
How does it prevent the disasters? (3/40)
Basic DMZ (demilitarized zone): two firewalls with the DMZ between them (The Internet - Firewall 1 - DMZ - Firewall 2 - LAN). The public servers (global IP) sit in the DMZ, where access is basically enabled and NAT is not working; on the LAN, access is basically disabled and NAT is working. It is safer to make such a special firewall configuration if there is a server that must be opened to the public.
How does it prevent the disasters? (4/40)
Other DMZ configurations: (a) a router with an access control function hosts the DMZ, with a firewall between the router and the LAN (The Internet - Router (DMZ attached) - Firewall - LAN); (b) a single firewall with a DMZ function connects the Internet, the DMZ and the LAN.
How does it prevent the disasters? (5/40)
Three types of firewall:
(1) Packet filtering.
(2) Application gateway.
(3) Circuit gateway.
How does it prevent the disasters? (6/40)
(1) Packet filtering: a firewall of the network layer. The rule is written in terms of the IP header and TCP (UDP) header fields: source IP address, destination IP address, source port number, destination port number, and the TCP/UDP protocol. The original packet passes through the firewall unchanged.
How does it prevent the disasters? (7/40)
Merit: comparatively easy and high-speed; good for low-priced routers.
Demerit: because it checks only the header, detailed filtering is difficult; the rule definition is complex; the security effect is not so high.
How does it prevent the disasters? (8/40)
A "packet filtering" type firewall usually conceals the inside of the LAN by applying NAT and IP Masquerade to outbound packets: the inside is invisible, and only the firewall is visible from outside.
How does it prevent the disasters? (9/40)
(2) Application gateway: a firewall of the application layer. The rule analyzes the application-level data in detail. The gateway receives and terminates the original packet, then copies and sends a safe packet onward. The application gateway is usually called a proxy.
How does it prevent the disasters? (10/40)
Merit: the filtering rule can be set in detail.
Demerit: processing takes time; the load increases as the number of connections increases; a high-performance machine is necessary; because different software is necessary for each protocol, an unknown (or uncommon) protocol cannot be supported.
How does it prevent the disasters? (11/40)
The application gateway checks the data of each protocol individually (HTTP rule, FTP rule, SMTP rule). Each client-server exchange is split into one session between the client and the gateway and one session between the gateway and the server.
How does it prevent the disasters? (12/40)
An "application gateway" type firewall usually conceals the inside of the LAN by passing outbound packets through the proxy: the inside is invisible, and only the proxy server is visible from outside.
How does it prevent the disasters? (13/40)
(3) Circuit gateway: a firewall of the transport layer. The rule checks the TCP (UDP) sequence using the header; the gateway terminates the TCP (UDP) link from outside and recreates a TCP (UDP) link to the inside. The circuit gateway may be integrated into a proxy, because the two have almost the same function.
How does it prevent the disasters? (14/40)
Merit: management is easier, and it resists IP address spoofing attacks better than packet filtering; it does not need as much PC performance as an application gateway; it is a common gateway that does not depend on the application protocol the way an application gateway does.
Demerit: because the data is not seen, detailed filtering like that of the application gateway cannot be done.
How does it prevent the disasters? (15/40)
Detailed access control functions of the major firewall types:
(1) Functions for packet filtering: (1-1) NAT (Network Address Translation); (1-2) IP Masquerade; (1-3) Port forwarding; (1-4) Dynamic / Stateful packet filtering; (1-5) Important notes.
(2) Functions for application gateway: (2-1) 4 types of proxy; (2-2) Cache; (2-3) Important notes.
How does it prevent the disasters? (16/40)
(1-1) NAT (Network Address Translation). By translating the source IP address, the address of the originator is concealed. Originally NAT meant the 1:1 address translation defined by RFC 1631; today the name is often used for the general technology of converting IP addresses. Static NAT: 1:1 IP address translation. Dynamic NAT: IP address allocation from an address pool.
How does it prevent the disasters? (17/40)
Basics of NAT: Static NAT. The firewall holds a static rule mapping Local-IP X to Global-IP Y. An outbound packet whose IP header reads SRC : X, DES : Z leaves as SRC : Y, DES : Z; the reply SRC : Z, DES : Y is translated back to SRC : Z, DES : X. The small home router is this type.
How does it prevent the disasters? (18/40)
Dynamic NAT. The firewall holds a dynamic rule with an address pool Y1, Y2, ..., Yi for Local-IP X. An outbound packet SRC : X, DES : Z leaves as SRC : Yi, DES : Z, and the reply SRC : Z, DES : Yi is translated back to SRC : Z, DES : X. If you have multiple global IP addresses you can use this type; it is for the bigger system.
How does it prevent the disasters? (19/40)
(1-2) IP Masquerade. The TCP (UDP) port number is translated in addition to the IP address, so one IP address can be shared by two or more terminals. This is also useful for concealing the originator. Note that no single name has been agreed for this concealment function; NAT, NAPT (Network Address and Port Translation), IP Masquerade, PAT (Port Address Translation) and eNAT are all used.
How does it prevent the disasters? (20/40)
IP Masquerade. Two local terminals X1 and X2 (Local-IP) share one Global-IP Y; the dynamic rule maps X1:P1 to Y:P5 and X2:P2 to Y:P6. Outbound TCP/IP headers: SRC : IP=X1 Port=P1, DES : IP=Z Port=80 becomes SRC : IP=Y Port=P5, DES : IP=Z Port=80; SRC : IP=X2 Port=P2, DES : IP=Z Port=80 becomes SRC : IP=Y Port=P6, DES : IP=Z Port=80. Replies from Z: SRC : IP=Z Port=P3, DES : IP=Y Port=P5 becomes DES : IP=X1 Port=P1, and SRC : IP=Z Port=P4, DES : IP=Y Port=P6 becomes DES : IP=X2 Port=P2.
How does it prevent the disasters? (21/40)
(1-3) Port forwarding. Port forwarding checks the destination port number of a packet arriving from outside and forwards it to the server corresponding to that port. With port forwarding it becomes possible to access the internal network from the Internet side, and so to build a WWW server, mail server, etc. on the internal network.
How does it prevent the disasters? (22/40)
Port forwarding. The firewall has Global-IP Y and the web server on the LAN has Local-IP X. A static rule maps Y:Port=80 to X:Port=80. Access from the Internet to IP=Y Port=80 is accepted and forwarded to the web server; access to IP=Y Port=120 is denied.
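The translation tables behind slides 17 to 22 (static NAT, IP Masquerade and port forwarding) can be modelled in a few dozen lines. The following is an added example, not Panasonic's code: a minimal Python simulation in which X1 and X2 are local terminals sharing the firewall's single global address Y, Z is an Internet server, and a static rule forwards Y:80 to a LAN web server. All numeric addresses are constructed documentation values; the behaviour to watch is that a reply is let in only when it matches a live dynamic entry or a static forwarding rule.

```python
"""Simulation of static NAT, IP Masquerade (NAPT) and port forwarding.

Added example for this chapter, not Panasonic's code. It models the
translation tables a packet-filtering firewall keeps: X1/X2 are local hosts,
Y is the firewall's single global address and Z is an Internet server. The
numeric addresses below are constructed documentation values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def static_nat(pkt: Packet, local_ip: str, global_ip: str) -> Packet:
    """1:1 static NAT (RFC 1631 style): only the IP address is rewritten."""
    if pkt.src_ip == local_ip:
        return replace(pkt, src_ip=global_ip)   # outbound
    if pkt.dst_ip == global_ip:
        return replace(pkt, dst_ip=local_ip)    # inbound reply
    return pkt


class Masquerade:
    """IP Masquerade (NAPT): many local hosts share one global address.

    Outbound traffic creates a dynamic entry (local ip, local port) ->
    global port. Inbound traffic is translated only if it matches a live
    dynamic entry or a static port-forwarding rule; otherwise it is denied.
    """

    def __init__(self, global_ip: str, first_port: int = 50000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.dynamic = {}   # (proto, global_port) -> (local_ip, local_port)
        self.reverse = {}   # (proto, local_ip, local_port) -> global_port
        self.static = {}    # (proto, global_port) -> (local_ip, local_port)

    def add_port_forward(self, proto, global_port, local_ip, local_port):
        """Static rule, e.g. Y:80 -> X:80 for a web server on the LAN."""
        self.static[(proto, global_port)] = (local_ip, local_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.reverse:             # first packet of a session
            gport = self.next_port
            self.next_port += 1
            self.reverse[key] = gport
            self.dynamic[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=self.reverse[key])

    def inbound(self, pkt: Packet):
        """Return the translated packet, or None when the firewall denies it."""
        if pkt.dst_ip != self.global_ip:
            return None
        target = (self.dynamic.get((pkt.proto, pkt.dst_port))
                  or self.static.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None                         # no session, no static rule: Denied
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def demo():
    """Walk the slides' scenario and return every result for inspection."""
    Y, Z = "203.0.113.1", "198.51.100.5"        # constructed global addresses
    X1, X2, WEB = "192.168.1.2", "192.168.1.3", "192.168.1.10"
    fw = Masquerade(Y)
    fw.add_port_forward("TCP", 80, WEB, 80)     # the slide's static rule
    # two local terminals, same local source port, both talking to Z:80
    out1 = fw.outbound(Packet("TCP", X1, 1001, Z, 80))
    out2 = fw.outbound(Packet("TCP", X2, 1001, Z, 80))
    # replies arrive on distinct global ports and are de-multiplexed
    back1 = fw.inbound(Packet("TCP", Z, 80, Y, out1.src_port))
    back2 = fw.inbound(Packet("TCP", Z, 80, Y, out2.src_port))
    # unsolicited inbound: port 80 is forwarded, port 120 is denied
    web = fw.inbound(Packet("TCP", Z, 4000, Y, 80))
    denied = fw.inbound(Packet("TCP", Z, 4000, Y, 120))
    return {"out1": out1, "out2": out2, "back1": back1, "back2": back2,
            "web": web, "denied": denied}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Running the file prints each translated packet; the two `denied`/`web` results show why a port-forwarding entry is the only way an unsolicited connection from the Internet reaches the LAN through this kind of firewall.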
How does it prevent the disasters? (23/40)
(1-4) Dynamic / Stateful packet filtering. The firewall monitors the establishment and disappearance of each protocol session, so that the response packet is returned to the originating port number of the request packet sent from equipment inside the firewall, and only the communication of an established session is permitted, automatically and selectively. Without this logic, security suffers, because the packet filter rule would have to open the whole range of ports that can be used for sending packets (port numbers above 1024). Because the difference between Stateful packet filtering (a trademark of Check Point Software Technologies Ltd.) and Dynamic packet filtering is not clear, they are sometimes understood as the same thing.
How does it prevent the disasters? (24/40)
Dynamic/Stateful packet filtering is supported by most packet filtering type firewalls, because normal packet filtering has a serious security problem. Let us look at the problem of normal packet filtering using the simple HTTP protocol.
How does it prevent the disasters? (25/40)
The basic process of HTTP is composed of sessions (a pair of request and response). The response is returned to the source port from which the client PC sent the request. Example against an HTTP server process on port 80: 1. The client requests the HTML file from port 1234. 2. The HTML file is downloaded to port 1234 (one session). 3. The client deciphers the HTML file. 4. The client requests the image file from port 9012. 5. The image file is downloaded to port 9012 (one session). The slide also shows client ports 5678 and 3456 used by further sessions.
How does it prevent the disasters? (26/40)
(1) HTTP with normal packet filtering only (static rule only). Request: SRC IP x.x.x.x Port: 1234, DST IP y.y.y.y Port: 80, to the web server. Response: SRC IP y.y.y.y Port: z, DST IP x.x.x.x Port: 1234 (one session). To let the response in, port 1234 must be opened permanently at the firewall, and that is a security problem: because the source port of the outbound request packet can be any port except the well-known ports, all ports above 1024 must be opened permanently to enable this HTTP communication.
How does it prevent the disasters? (27/40)
(2) HTTP with dynamic packet filtering (DPF), i.e. a dynamic rule. The request and response are the same as before, but DPF automatically opens and closes the path to port 1234 only while this session is alive. Because the port is opened and closed dynamically under the automatic control of DPF, there is no need to expose a wide range of ports permanently to the external threat, and this is hardly a security problem.
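The difference between slides 26 and 27 is easiest to see by running the same packets through both kinds of filter. The block below is an added example, not Panasonic's code: a static filter that has to open ports 1025 to 65535 permanently, beside a simplified stateful filter whose entries are created by outbound packets and torn down on close. The client x.x.x.x:1234 and server y.y.y.y:80 are the slides' own placeholders; the unsolicited sender a.a.a.a is constructed.

```python
"""Static packet filtering vs dynamic/stateful packet filtering.

Added example for this chapter, not Panasonic's code. It replays the slides'
HTTP exchange (client x.x.x.x:1234 to web server y.y.y.y:80) through two
inbound filters and reports what each one admits. The address a.a.a.a of an
unsolicited sender is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False    # True when this packet closes the session


def _match(pattern, value):
    """None matches anything; a (lo, hi) tuple matches a port range."""
    if pattern is None:
        return True
    if isinstance(pattern, tuple):
        return pattern[0] <= value <= pattern[1]
    return pattern == value


class StaticFilter:
    """Fixed rules on (src_ip, src_port, dst_ip, dst_port).

    To let HTTP replies reach whatever source port the client picked, the
    administrator must open every port above 1024 permanently, so the same
    rule admits unsolicited packets from anyone to those ports too.
    """

    def __init__(self, rules):
        self.rules = rules

    def allow_inbound(self, pkt: Packet) -> bool:
        fields = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return any(all(_match(p, v) for p, v in zip(rule, fields))
                   for rule in self.rules)


class StatefulFilter:
    """Dynamic packet filtering: an outbound packet creates a session entry,
    and an inbound packet is admitted only as the reply to a live entry.
    Nothing is opened permanently. Simplified: one FIN tears the entry down,
    whereas a real tracker waits for both directions to close."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Packet):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.fin:
            self.sessions.discard(key)
        else:
            self.sessions.add(key)

    def allow_inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            return False
        if pkt.fin:
            self.sessions.discard(key)
        return True


def demo():
    """Return which inbound packets each filter admits in the slides' scenario."""
    client, server, other = "x.x.x.x", "y.y.y.y", "a.a.a.a"
    request = Packet(client, 1234, server, 80)
    reply = Packet(server, 80, client, 1234)
    unsolicited = Packet(other, 4444, client, 1234)   # nobody asked for this

    static = StaticFilter([(None, None, client, (1025, 65535))])
    dynamic = StatefulFilter()

    results = {
        "static_reply": static.allow_inbound(reply),
        "static_unsolicited": static.allow_inbound(unsolicited),  # the problem
        "dynamic_before_request": dynamic.allow_inbound(reply),
    }
    dynamic.outbound(request)                     # session is now alive
    results["dynamic_reply"] = dynamic.allow_inbound(reply)
    results["dynamic_unsolicited"] = dynamic.allow_inbound(unsolicited)
    dynamic.allow_inbound(Packet(server, 80, client, 1234, fin=True))
    results["dynamic_after_close"] = dynamic.allow_inbound(reply)
    return results


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {'accepted' if admitted else 'denied'}")
```

The `static_unsolicited` result is the exposure slide 26 warns about: the permanent rule cannot tell a reply from a probe. The stateful filter admits exactly one thing, the reply to a request it has seen, and stops admitting it once the session closes.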
How does it prevent the disasters? (28/40)
(1-5) Important notes. Certain kinds of protocol cannot pass through a firewall that performs NAT / IP Masquerade: (A) protocols that do not operate if the source port number is changed; (B) protocols that have a return connection from the server side; (C) protocols that transmit an IP address at the application layer, e.g. FTP and VoIP (H.323, SIP, MGCP); (D) protocols that are neither UDP nor TCP, e.g. IPsec for VPN, and ICMP.
How does it prevent the disasters? (29/40)
FTP is a simple protocol and is well known for having the problem with NAT / IP Masquerade. Control connection from the FTP client to the FTP server process on port 21: 1. Request the file. 2. Response. Data connection from server port 20: 3. Connection establishment. 4. Transmit the file. 5. Save the file. FTP transmits an IP address at the application layer (C) and has a return connection (B).
How does it prevent the disasters? (30/40)
Understanding the FTP problem is very useful for finding the basic problem of VoIP or other multimedia communication with NAT / IP Masquerade, because the problem and its solution are basically the same for both.
How does it prevent the disasters? (31/40)
(1) Basic protocol of PORT mode FTP without NAT. Client (192.168.1.2, local IP) and server (192.168.1.100, local IP). Control connection set: client port 2000 to server port 21. The response in the same session is returned to the sender, 192.168.1.2:2000; the address is decided by the sender address of the IP header. The client sends PORT 192,168,1,2,2001 and the server answers OK. Data connection set: for GET / PUT, the server establishes a new session from its port 20 to 192.168.1.2:2001; the address is decided by the data in the PORT command message. This is no problem.
How does it prevent the disasters? (32/40)
(2) Insert a very simple NAT at the client side. Client (192.168.1.2, local IP), NAT (202.11.5.8, global IP), server (202.10.1.2, global IP). Control connection: client port 2000 through the NAT to server port 21. Data connection: client port 2001 through the NAT from server port 20. Setting of the firewall: (1) NAT without port translation, 192.168.1.2 to 202.11.5.8; (2) port forwarding, 192.168.1.2:2000 to 202.11.5.8:2000 and 192.168.1.2:2001 to 202.11.5.8:2001.
How does it prevent the disasters? (33/40)
(3) PORT mode FTP with NAT at the client side. Client (192.168.1.2, local IP), NAT (202.11.5.8, global IP), server (202.10.1.2, global IP). Control connection set: client port 2000 passes the NAT and reaches server port 21; the response is returned to the sender 202.11.5.8:2000 (address decided by the sender address of the IP header) and forwarded (FWD) to client port 2000. The client sends PORT 192,168,1,2,2001 and the server answers OK. Data connection set: the server establishes a new session from port 20 to 192.168.1.2:2001, the address decided by the data in the PORT command message. This is a local address that cannot reach the client side, so the packet is lost. The data connection causes the problem.
How does it prevent the disasters? (34/40)
(4) What is the solution for the PORT mode FTP problem? (Solution-1) Select a suitable protocol. FTP has another mode called PASV mode, and PASV mode solves this problem. If there is another protocol that avoids the problem, it can be the solution. (Solution-2) Select suitable FTP client software. If the client software can register the global IP of the firewall and send it in the PORT command instead of the local IP, it can be the solution; any special helper function in the client software can be the solution. (Solution-3) Select a suitable firewall. If the firewall can itself change the local address in the PORT command message to the global IP address, it can be the solution; any special helper function in the firewall can be the solution.
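Slides 31 to 34 can be replayed in code. The following is an added example, not Panasonic's code: a minimal NAT model with the slides' addresses (client 192.168.1.2, NAT 202.11.5.8, server 202.10.1.2, control port 2000, data port 2001) that shows the data connection being lost, then Solution-2 (the client announces the firewall's global IP and a static forward is configured) and Solution-3 (the firewall rewrites the PORT command and opens only the announced data port). Note that real FTP encodes the port as two bytes, so port 2001 appears on the wire as "7,209" rather than "2001" as the slides write it; the `Nat` class and its `ftp_helper` flag are constructed for this illustration.

```python
"""PORT-mode FTP through NAT: the lost data connection and two fixes.

Added example for this chapter, not Panasonic's code. Addresses and ports are
those on the slides (client 192.168.1.2, NAT 202.11.5.8, server 202.10.1.2,
control port 2000, data port 2001). Nat is a constructed minimal model with an
optional FTP helper (Solution-3) and static port forwarding (Solution-2); it
is not a real firewall implementation.
"""
import ipaddress


def parse_port_cmd(cmd: str):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), as the FTP server reads it."""
    fields = [int(f) for f in cmd.split()[1].split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT command")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port_cmd(ip: str, port: int) -> str:
    """Inverse of parse_port_cmd: the port is sent as two decimal bytes."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class Nat:
    def __init__(self, local_ip: str, global_ip: str, ftp_helper: bool = False):
        self.local_ip, self.global_ip = local_ip, global_ip
        self.ftp_helper = ftp_helper
        self.forwards = {}   # global port -> (local ip, local port)

    def add_forward(self, global_port, local_ip, local_port):
        """Static port forwarding, as configured on slide (2)."""
        self.forwards[global_port] = (local_ip, local_port)

    def outbound_control(self, payload: str) -> str:
        """Control-connection text leaving the LAN.

        With the helper, a PORT command naming a private address is rewritten
        to the firewall's global address and only the announced data port is
        opened (Solution-3). Without it the payload passes untouched."""
        if self.ftp_helper and payload.startswith("PORT "):
            ip, port = parse_port_cmd(payload)
            if ipaddress.ip_address(ip).is_private:
                self.forwards[port] = (ip, port)
                return build_port_cmd(self.global_ip, port)
        return payload

    def data_connection_from_internet(self, dst_ip: str, dst_port: int):
        """Where the server's connection from port 20 lands, or None if lost."""
        if ipaddress.ip_address(dst_ip).is_private:
            return None                      # not routable on the Internet: packet lost
        if dst_ip == self.global_ip and dst_port in self.forwards:
            return self.forwards[dst_port]   # forwarded to the client
        return None                          # denied by the firewall


def ftp_port_session(scenario: str):
    """scenario: 'plain', 'client_fix' (Solution-2) or 'firewall_fix' (Solution-3).

    Returns (PORT command as the server sees it, where the data connection lands)."""
    client, nat_ip = "192.168.1.2", "202.11.5.8"
    nat = Nat(client, nat_ip, ftp_helper=(scenario == "firewall_fix"))
    if scenario == "client_fix":
        nat.add_forward(2001, client, 2001)      # static rule from slide (2)
        cmd = build_port_cmd(nat_ip, 2001)       # client announces the global IP
    else:
        cmd = build_port_cmd(client, 2001)       # client announces its local IP
    seen_by_server = nat.outbound_control(cmd)
    ip, port = parse_port_cmd(seen_by_server)    # server 202.10.1.2 parses it
    return seen_by_server, nat.data_connection_from_internet(ip, port)


if __name__ == "__main__":
    for scenario in ("plain", "client_fix", "firewall_fix"):
        print(scenario, ftp_port_session(scenario))
```

The `plain` run reproduces slide 33: the server dutifully connects to 192.168.1.2:2001 and the packet goes nowhere. In `client_fix` the announced address is reachable but someone must keep the static forward for port 2001 open; in `firewall_fix` the helper opens the port only because the client announced it on the control connection, which is the same reasoning a VoIP-aware firewall applies to the addresses carried inside H.323 or SIP messages.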
How does it prevent the disasters? (35/40)
(2-1) 4 types of typical proxy. (A) Proxy that uses a mechanism of the protocol. The client X (local IP) on the LAN specifies the address of the proxy W (local IP) and carries the server address Z inside the data: SRC : X, DES : W, data (server address : Z). The proxy then sends SRC : Y (global IP), DES : Z, data to the Internet. HTTP is the most common protocol that has such a mechanism; when somebody says "proxy", it often means "HTTP proxy".
How does it prevent the disasters? (36/40)
(B) Proxy that handles the packet transparently. The client sends SRC : X, DES : Z, data with no consideration of the proxy address; the packet reaches the proxy through the LAN's packet routing rule, and the proxy sends SRC : Y, DES : Z, data. Because this does not rely on a mechanism of the protocol, it is more convenient than (A) and this type of proxy can be used for many kinds of protocol. It looks like the outbound packet handling of packet filtering.
How does it prevent the disasters? (37/40)
(C) Proxy that forwards packets to a fixed server. A static rule maps Y:Port=80 to the web server X:Port=80; a packet from the Internet with SRC : Z, DES : Y Port 80 is forwarded as SRC : Z, DES : X Port 80. This very special proxy is called a "reverse proxy" or "redirection proxy". It always forwards packets to one specific fixed server, and is mainly used to forward connections from the Internet to a server in the DMZ or LAN. It looks like the port forwarding of packet filtering.
How does it prevent the disasters? (38/40)
(D) Proxy that needs interactive user authentication. The user first sends a connection request to the proxy W, the proxy asks for the destination address, the user transmits it, and only then does data flow: SRC : X, DES : W, data on the LAN and SRC : Y, DES : Z, data on the Internet. This is an old method from the time when the firewall was not a major device. It can only be used with protocols (such as FTP, Telnet) that allow interactive communication with the user, and it is almost never used now.
How does it prevent the disasters? (39/40)
(2-2) Cache. This is the function by which an HTTP proxy caches the files it reads, on its own initiative, to reduce the load of communicating with the outside network. A document frequently accessed from the LAN is cached automatically and is fetched from the Internet again only when the source of the cached document has been updated or has expired. This reduces traffic in the network. There are also proxy servers specialized for the cache function that have no security functions. In general such a proxy server is not suitable for VoIP, because it is specialized for HTTP.