Firewalls PROTECTING YOUR COMPUTER NETWORK By Ford Levy
What we will cover
• Who Needs a Firewall
• Network Basics
• Firewall Basics
• Establishing Rules
• Firewall Solutions
• Sources for more information
Does Security Matter?
Would you care if someone could:
• Crash your computer every 5 minutes?
• Erase or change your client data
• Steal proprietary information
• Reconfigure your Server
• Transfer your company’s bank balance via EFTPS to ENRON’s payroll account.
Does Your Business Need…
• Theft or disclosure of internal data
• Unauthorized access to internal hosts
• Interception or alteration of data
• Vandalism & denial of service
• Wasted employee time
• Access to Martha Stewart’s Broker
Does Security Matter at Your Company?
Do You Have…
• Computers
• A Network
• Access to the Internet
• Shared Files and Peripherals
• Files you do not want to lose
• Programs you do not want tampered with
• Artwork to Ship to New Hampshire
Is it an Issue on Your System?
• Protocol design? (Nah, that’s an application problem)
• Application design? (We plan to add that in the future...)
• Application deployment? (Let’s get it running first)
• System administration? (I’m putting out fires every day!)
Some systems and/or protocols are designed with security in mind from the beginning -- maybe even as their primary design goal. But for most? The story’s the same…
The Focus is on System Operation, not Security
System Vulnerabilities
• Almost all vulnerabilities come from bugs in the implementation of, or misconfigurations of, the OS and/or apps
• Rarely, a problem with a protocol itself
• Vulnerabilities can lead to:
• Unauthorized access: attacker gains control of the victim’s machine (attacker can log in, read files, and/or make changes to the system)
• Denial of Service against host (attacker can crash the computer, disable services, etc.)
• Denial of Service against network (attacker can disrupt routing, flood the network, etc.)
System Vulnerabilities
MS Windows – a major culprit: NT, XP, 2000, Millennium
What About Linux?
Security incidents reported to CERT Source: CERT/CC
Who is the enemy?
• The Troubled Genius
• Has a deep understanding of systems
• Capable of finding obscure vulnerabilities in OS’s, apps, and protocols, and exploiting them
• Extremely skilled at evading countermeasures
• Can dynamically adapt to new environments
• The Idiot
• Little or no true understanding of systems
• Blindly downloads & runs code written by T.G.
• Can usually be stopped by calling his mother
Who do you think causes more damage?
The IDIOT!!!
• The idiots collectively cause more damage because there are a vast number of them
• Every security incident analyzed at NIH was the work of an idiot
• Every time smart hackers find a new security hole, they make it public -- they have a publish or perish “ethic”
• Each time, hordes of idiots pounce on it and break into every system they can find
• Purchases used shredders from Arthur Andersen on Ebay
What a Firewall Can’t Protect You From
• Inside Attack
• Social Engineering
• Viruses and Trojan Horses
• Poorly Trained firewall administrators
• Most of the shows on the Fox News Channel
TCP/IP – MAKING THE INTERNET HAPPEN
• Transmission Control Protocol/Internet Protocol
• A Suite of Protocols or Rules for Communicating (language)
• Defines Standards for Communicating on the Internet
• Four Layers
• Network Interface Layer
• Internet Layer
• Transport Layer
• Application Layer
PACKET FENCES
• Internet Communication uses Packets
• Data broken up into small Packets
• Prevents single user from capturing bandwidth and bogging down internet
• IP labels each packet with unique internet destination address
• TCP assigns sequence number to each so destination can reconstruct
Connecting to the Internet
• Dial-up modem (slow but no permanent connection)
• ISDN (faster with no permanent connection)
• DSL (fast with permanent connection)
• Cable Modem (fast but bandwidth limits. Permanent connection)
• T1/T3 (very fast with permanent connection)
• Wireless (comparable to DSL. May be permanent)
Connecting to the Internet
• Network Router: transfers network packets between two different networks
Securing your system the quick & easy way
“It’s easy to run a secure computer system. You just have to disconnect all dial-up (and DSL) connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, fire all employees and post a guard at the door.”
-- F.T. Grampp and R.H. Morris
The never-ending game
1. New bugs are found; exploits are published
2. Hordes of idiots cause damage using those exploits
3. Vendors are pressured to come out with fixes
4. Users install the fixes (sometimes? rarely?)
5. Go to step 1.
The big questions are:
1. How can we protect a large site? (The site is only as strong as its most poorly administered machine.)
2. How can we pro-actively protect against attacks that we have never seen before, to avoid Step 2 damage?
Firewalls (not as good as a guard but…)
• Routers: easy to say “allow everything but…”
• Firewalls: easy to say “allow nothing but…”
• This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
• Note: the only difference between a router and a firewall is the design philosophy; do we prioritize security, or connectivity/performance?
A Firewall Separates an Internal Network from the Internet
Diagram: Internet | Firewall | Internal Network
Typical firewall setup
Diagram: Evil Internet, DMZ, internal network
Diagram courtesy of CheckPoint Software Tech, www.checkpoint.com
Inter-department firewall setup
Diagram: Department A, DMZ (?), Department B
Okay, So what is it?
• A firewall is a system of components of hardware, software or both designed to control access between our network and an external network or Internet
• A firewall system can be a router, a personal computer, a host, or multi-host
• What the investors of WorldCom want to throw Bernard Ebbers through
Really, What Is It!
• Logically, a firewall is a separator, a restrictor, an analyzer
• Physically, the implementation of a firewall varies from site to site
• The best implementations occur during network design, not after
How About Common Features
• Block incoming network traffic based on source or destination (most common)
• Block outgoing network traffic based on source or destination
• Block network traffic based on content (screening)
• Make internal resources available
• Allow connections to internal network (VPNs)
• Report on network traffic and firewall activities
Why Do We Need It?
• A firewall is a line of defense against the Internet
a. Protection
-- A firewall has the ability to filter insecure services, which reduces risks to the sites on the internet
-- Will pass only selected protocols
Say What?
b. Controlling Access
-- Can block all ways to get into a system without knowing an account name and password
-- Reduce the number of accounts accessed from the outside
-- Keep the attackers out of the network
Firewall Uses
c. Monitoring and logging
-- Logging what happens at the firewall is important
-- Can help us analyze a possible security breach later
-- Gives feedback on the performance and actual filtering done by the firewall
One Size Does Not Fit All
• Personal firewall
• Departmental or small organization firewall
• Enterprise firewall
How Does It Work?
• Packet filtering
-- Packet filtering systems route packets between internal and external hosts, but they do it selectively.
-- Usually, this router checks the information in every packet’s header: source IP address, destination IP address, IP protocol ID, TCP or UDP port number, ICMP message type
-- It is the only protecting system: if its security fails, the internal network is exposed.
How Does It Work?
• Proxy services (or application proxy)
-- It is a software solution
-- These programs take users’ requests for Internet services and forward them to the actual services
• Proxy services (PS) vs Packet filtering (PF)
-- A PF inspects only the packet header; a PS scans the entire data in the packet
-- A PF passes on an allowed packet that travels from the internal network; a PS regenerates an allowed packet that is sent from the firewall to the server on the Internet
How Does It Work?
• Network Address Translation (NAT)
-- Outside world sees only one or more outside IP addresses of the firewall. Internal network uses different IP addresses.
-- These programs take user’s requests for Internet services and forward them to the actual services
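As an added example (not from the slides), a minimal NAT table in Python showing why the outside world sees only the firewall's address: outbound flows are rewritten to the public IP and a fresh port, replies are mapped back through the table, and an inbound packet with no table entry has no inside host to go to and is dropped. The addresses are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"   # constructed: the firewall's single outside address


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(40000)          # next unused outside port
        # (inside src, sport, dst, dport) -> outside port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (outside port, remote host, remote port) -> (inside src, sport)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, f: Flow) -> Flow:
        """Inside host -> Internet: hide the inside address behind the public IP."""
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound:                  # first packet of the flow
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(self.public_ip, self.outbound[key], f.dst, f.dport)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Internet -> firewall's public IP: restore the inside address, or drop (None)
        when nothing inside asked for this traffic."""
        if f.dst != self.public_ip:
            return None
        entry = self.inbound.get((f.dport, f.src, f.sport))
        if entry is None:
            return None                               # unsolicited inbound packet
        inside_src, inside_sport = entry
        return Flow(f.src, f.sport, inside_src, inside_sport)
```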
Establishing Rules
• Creating an Internet Acceptable Use Policy
• Creating a Security Policy
• Using the Policy to Configure your Firewall
-- Allow-all
-- Deny-all
-- Combination of both
Strategies, Policies and Rules
Internet Use and Security Policy
Internet Acceptable Use:
• Define all available services
• Determine who can access the internet
• Define ownership of resources
• Establish the responsibility of employees
• Define all unauthorized use of the Internet
• Define what e-mail purposes are expressly disallowed
• Define disallowed protocols for internet use
• Define disallowed web content
• Define disallowed file-type downloads
• Define disallowed web addresses and actions
Strategies, Policies and Rules
Internet Use and Security Policy
Security:
• Establish a project team to develop security policy
• Identify what resources require protection
• Identify what potential risks exist for each resource
• Decide the probability of risks coming to fruition
• Create mitigation plans that address each risk
Sample Policy in Use
• Deny network traffic on all IP ports
• Except, allow network traffic on port 80 (HTTP)
• Except, from all HTTP traffic, deny HTTP video content
• Except, allow HTTP video content for members of the Education Center
• Except, deny members of Education Center to download HTTP video content at night and weekends.
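As an added example (not from the slides), the sample policy above turned into a first-match rule list in Python. Each "except" narrows the rule before it, so the most specific rule has to be tested first, which means listing the five statements in reverse order; the group name, the content label and the definition of "night and weekends" are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Request:
    port: int
    content: str        # constructed labels, e.g. "video" or "html"
    group: str          # constructed, e.g. "education-center" or "staff"
    when: datetime


def is_off_hours(t: datetime) -> bool:
    """Constructed definition of 'night and weekends': outside 08:00-18:00 Mon-Fri."""
    return t.weekday() >= 5 or not (8 <= t.hour < 18)


@dataclass
class PolicyRule:
    action: str                      # "allow" or "deny"
    port: Optional[int] = None       # None matches any value
    content: Optional[str] = None
    group: Optional[str] = None
    off_hours: Optional[bool] = None # True = only at night / weekends

    def matches(self, r: Request) -> bool:
        return ((self.port is None or self.port == r.port)
                and (self.content is None or self.content == r.content)
                and (self.group is None or self.group == r.group)
                and (self.off_hours is None or self.off_hours == is_off_hours(r.when)))


# The slide's five statements, most specific exception first.
POLICY: List[PolicyRule] = [
    PolicyRule("deny", port=80, content="video", group="education-center", off_hours=True),
    PolicyRule("allow", port=80, content="video", group="education-center"),
    PolicyRule("deny", port=80, content="video"),
    PolicyRule("allow", port=80),
    PolicyRule("deny"),              # "deny network traffic on all IP ports"
]


def decide(rules: List[PolicyRule], r: Request) -> str:
    for rule in rules:
        if rule.matches(r):
            return rule.action
    return "deny"                    # default if no rule matched at all


def check(port: int, content: str, group: str, when_iso: str) -> str:
    """Convenience entry point taking an ISO timestamp, e.g. '2024-01-08T12:00'."""
    return decide(POLICY, Request(port, content, group, datetime.fromisoformat(when_iso)))
```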
Solutions Disguised as Software
• Windows as a firewall
• A Personal Firewall
• Enterprise Firewalls
BUT…
• No stateful packet filters
• No application proxies
• No monitoring or logging
• No firewall mindset
Dangers of Older Windows OS
Win 95, 98 and ME
• File and Printer sharing:
- Easy to misuse for remote administration
- Should disable sharing component for dial-up adapter (unbinding)
• PPTP Client:
- All Windows OS products support VPN.
- Requires closer monitoring of those computers
- PPTP replaced by L2TP on Windows 2000 and XP
The Latest Windows Networking System
Windows 2000
• Better packet filtering capabilities
• TCP/IP Filtering in the Network Control Panel Console
• Input filters and output filters per network interface
• Input filters and output filters per remote access policy
• Block and permit filters in an IPSec policy
• More flexible NAT implementation
• Simplified version from Windows 98SE
• More configurable version that can be installed in the Routing and Remote Access console
The Latest Windows Networking System
Windows 2000
• Support for L2TP VPN Protocol
• Considered more secure than PPTP
• Support for IPSec encrypted traffic
Personal Firewalls
BlackICE
• $40 for single user
• Intrusion detection over outgoing traffic blockage
• Four predefined protection levels (paranoid, nervous, cautious and trusting)
• Two packet filtering levels (IDS and Firewall)
• Intrusion alert can vary from icon indication to information collection to complete blockage
• Runs on any Windows OS from 95 up
ZoneAlarm
• Free for single computer
• Provides three security levels
• Two network zones (local and internet)
• Trusted Application list created via Program Alerts
• Lock option to block internet activity after specified period of inactivity
• Works on any Windows OS from 95 on up
Solutions Disguised as Hardware
• Firewall Appliances
What’s a Firewall Appliance?
• No moving parts, no hard drive, no boot-up and no crashing (hopefully)
• Can be placed between network and internet or within a network structure (departmentalized)
• Replaces software firewalls (with exceptions)
• Turn-key approach
What’s Available At the Enterprise Level
TOP MODELS INCLUDE:
• Lucent’s VPN Gateway V2.0
• Radguard Inc’s clPro-HQ
• Sonic Systems Inc’s SonicWALL PRO
• WatchGuard Technologies Inc’s WatchGuard LiveSecurity System