Firewalls
CSE 5349/7349
Firewalls
• Most widely sold solution for Internet security
• "Solution in a box" appeal
• Not a substitute for proper configuration management
• A firewall needs to be configured properly for the intended protection
Types of Firewalls
• IP packet level
  • Packet filtering
• TCP session level
  • Circuit gateways
• Application level
  • Application relays/gateways
• Dynamic packet filtering
  • Combination of packet filtering and circuit-level gateways, often with application-level semantics
• NATs, IDSs, logging
• Ingress vs. egress filtering
Firewalls and OSI Layers

OSI model layer           | Firewall functionality
--------------------------+---------------------------------------------------------------
7 - Application           | Application-level proxies, forward and reverse proxies
6 - Presentation          |
5 - Session               | Stateful firewall
4 - Transport (TCP/UDP)   | Port filtering, circuit-level proxy
3 - Network (IP)          | Packet filtering, address filtering, packet-filtering firewall
2 - Data Link             |
1 - Physical              |
Packet Filters
• Read the packet header and filter by whether fields match specific rules
• The administrator makes a list of acceptable/unacceptable field values
• Ingress/egress filtering
• Come in standard, specialized, and stateful models
• Weaknesses
  • Easy to botch rules
  • Logging is difficult
  • Lack of authentication between end points
Network Topology and Address Spoofing
• Consider a three-network system (N1, N2, and N3) with one router firewall
  • N1 is the DMZ net, connecting to the gateway (GW)
  • Very limited connection between GW and the outside
  • Very limited connection (a different set of services) between GW and N2/N3 (Why?)
  • Anything can pass between N2 and N3
  • Outgoing connections only from N2 or N3
• How to set the packet filter rules
  • External nodes can spoof internal addresses: block all packets arriving from outside whose source address is an internal address
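The following is an added example, not part of the lecture slides: a first-match packet filter that encodes the three-network policy above (N1 as the DMZ with the gateway, N2/N3 internal) together with the anti-spoofing rule, and shows why rule order matters ("easy to botch rules" on the previous slide). All addresses, the mail-host address and the per-link service sets (ports 25, 443, 22) are constructed assumptions.

```python
# Added example (not from the lecture slides): a first-match packet filter for
# the three-network topology on the slide. Addresses, the service sets and the
# mail-host address are constructed for illustration.
import ipaddress
from dataclasses import dataclass

N1 = ipaddress.ip_network("192.0.2.0/24")   # DMZ net holding the gateway
N2 = ipaddress.ip_network("10.1.0.0/16")    # internal net
N3 = ipaddress.ip_network("10.2.0.0/16")    # internal net
GW = "192.0.2.10"                           # gateway/bastion host in N1
MAILHOST = "10.1.0.25"                      # internal mail host (constructed)
INTERNAL = (N1, N2, N3)


@dataclass
class Packet:
    iface: str               # interface the packet arrived on: "ext", "n1", "n2", "n3"
    src: str
    dst: str
    dport: int
    syn_only: bool = False   # True for a new TCP connection attempt (SYN without ACK)


def in_nets(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def is_internal(addr: str) -> bool:
    return in_nets(addr, INTERNAL)


# (name, predicate, action). The filter takes the FIRST matching rule, so the
# anti-spoofing rule must precede every rule that trusts an internal address.
RULES = [
    # External nodes can forge internal source addresses: drop anything that
    # arrives on the outside interface claiming an internal source.
    ("antispoof", lambda p: p.iface == "ext" and is_internal(p.src), "DROP"),
    # Outside -> GW: a very limited set of services (mail and HTTPS here).
    ("ext-to-gw", lambda p: not is_internal(p.src) and p.dst == GW
                            and p.dport in (25, 443), "ACCEPT"),
    # GW -> inside: a different, equally limited set (mail delivery only).
    ("gw-to-inside", lambda p: p.src == GW and p.dst == MAILHOST
                               and p.dport == 25, "ACCEPT"),
    # Inside -> GW: administrators reach the gateway over SSH only.
    ("inside-to-gw", lambda p: in_nets(p.src, (N2, N3)) and p.dst == GW
                               and p.dport == 22, "ACCEPT"),
    # N2 <-> N3: anything may pass.
    ("n2-n3", lambda p: (in_nets(p.src, (N2,)) and in_nets(p.dst, (N3,)))
                        or (in_nets(p.src, (N3,)) and in_nets(p.dst, (N2,))), "ACCEPT"),
    # Outgoing connections only from N2/N3 to the outside world.
    ("inside-out", lambda p: in_nets(p.src, (N2, N3)) and not is_internal(p.dst), "ACCEPT"),
    # Replies to those connections: a stateless filter can only approximate
    # "established" by refusing SYN-only packets from outside.
    ("established-in", lambda p: not is_internal(p.src) and in_nets(p.dst, (N2, N3))
                                 and not p.syn_only, "ACCEPT"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, rule_name) for the first matching rule, else the default drop."""
    for name, match, action in rules:
        if match(p):
            return action, name
    return "DROP", "default"


if __name__ == "__main__":
    # A packet from outside forging the gateway's address as its source.
    spoofed = Packet("ext", GW, MAILHOST, 25, syn_only=True)
    print(filter_packet(spoofed))             # ('DROP', 'antispoof')
    # The same rule set with the anti-spoofing rule omitted: the forged packet
    # reaches the mail host, because "gw-to-inside" trusts the source address.
    print(filter_packet(spoofed, RULES[1:]))  # ('ACCEPT', 'gw-to-inside')
```

The default at the end of the list is a drop, so a packet that no rule names is never forwarded. The `established-in` rule is the classic stateless approximation of "replies only"; the stateful filter on a later slide replaces it with a real connection table.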
Routing Filters
• Perfect security if the node is completely unreachable
• Routers do not advertise internal routes
  • Output route filtering
  • Input route filtering?
• To prevent subversion by route confusion
  • Route leaks
Stateful Packet Filters (SPFs)
• Track the last few minutes of network activity
• If a packet doesn't fit in, drop it
• Stronger inspection engines search for information inside the packet's data
  • Have to collect and assemble packets in order to have enough data
• Examples: Firewall One, SeattleLabs, ipfilter
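An added example (not from the slides) of the "track the last few minutes, drop what doesn't fit" idea: a connection table keyed on the 5-tuple, populated by outbound packets and consulted for inbound ones, with entries expiring after a configurable window. The packets, addresses and timestamps are constructed; time is passed in explicitly so the behaviour is deterministic.

```python
# Added example (not from the lecture slides): a minimal stateful packet filter.
# It remembers recently seen outbound flows and admits an inbound packet only if
# it is the reverse of a remembered flow. All packets and times are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (inside -> outside) or "in" (outside -> inside)


class StatefulFilter:
    def __init__(self, window: float = 300.0):
        self.window = window   # seconds a flow stays alive without traffic
        self.flows = {}        # (proto, src, sport, dst, dport) -> last-seen time

    def _expire(self, now: float) -> None:
        # Forget flows with no traffic inside the window ("last few minutes").
        stale = [k for k, t in self.flows.items() if now - t > self.window]
        for k in stale:
            del self.flows[k]

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        if p.direction == "out":
            # Inside hosts may open connections: record (or refresh) the flow.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "ACCEPT"
        # Inbound: accept only if it answers a flow we saw leave recently.
        # Unlike the stateless ACK-bit check, a forged "reply" with no matching
        # state is dropped regardless of its flags.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            self.flows[reverse] = now
            return "ACCEPT"
        return "DROP"   # does not fit recent activity

    def active_flows(self) -> int:
        return len(self.flows)


if __name__ == "__main__":
    f = StatefulFilter(window=60)
    out = Packet("tcp", "10.1.0.5", 40000, "198.51.100.7", 80, "out")
    reply = Packet("tcp", "198.51.100.7", 80, "10.1.0.5", 40000, "in")
    print(f.process(reply, now=0))    # DROP: nothing outbound seen yet
    print(f.process(out, now=0))      # ACCEPT: state created
    print(f.process(reply, now=1))    # ACCEPT: matches the tracked flow
    print(f.process(reply, now=100))  # DROP: state expired after 60 s idle
```

The cost the slide alludes to is visible here: every packet touches the table, and a real engine that also reassembles payloads must buffer segments before it can decide.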
Packet Filtering Performance
• May affect the router's optimization in handling packets
• Still, the serial link from the router to the Internet may be the bottleneck
• Keep the rules simple and uniform
• Order the rules so that the most common type of traffic gets through first
Proxy Firewalls
• Pass data between two separate connections, one on each side of the firewall
• Types:
  • Circuit-level proxy
  • Application proxy
  • Store-and-forward proxy
• Higher latency and lower throughput
Circuit-Level Proxy
• The client connects to the relay host and requests a connection to the server
• The firewall connects to the server
• The server usually does not get details such as the IP address of the client
• All IP-level tricks are stopped at the relay host
  • Fragments
  • Firewalking probes
Application Proxy
• The firewall transfers only acceptable information between the two connections
• The proxy understands the protocol and can filter the data within it
• Example: mail proxies
• Usually store-and-forward
Caching Proxies
• The client asks the firewall for a document; the firewall downloads the document, saves it to disk, and provides it to the client. The firewall may cache the document
• Can do data filtering
• More administration time, hardware, and cost
Network Address Translation (NAT)
• Changes IP addresses in a packet
• The address of the client inside never shows up outside
• Many IPs inside to many static IPs outside
• Many IPs inside to many random IPs outside
• Many IPs inside to one IP address outside
• Examples: Cisco PIX, Linux masquerading, Firewall One, ipfilter
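An added example, not from the slides, of the "many IPs inside to one IP address outside" case (masquerading): a translation table that rewrites the source of outbound packets to the single public address plus an allocated port, rewrites replies back, and has no translation for inbound packets that match no state, so the inside address is never reachable from outside. The public and private addresses and the port range are constructed.

```python
# Added example (not from the lecture slides): many-to-one NAT (masquerading).
# Outbound packets get the one public address and a unique public port; replies
# are mapped back through the same table. Addresses and ports are constructed.


class Masquerader:
    def __init__(self, public_ip: str, port_base: int = 40000):
        self.public_ip = public_ip
        self.next_port = port_base
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src: str, sport: int, dst: str, dport: int):
        """Translate an inside->outside packet. Returns the rewritten 4-tuple."""
        key = (src, sport)
        if key not in self.out_map:
            # Two inside hosts may use the same source port; each gets its own
            # public port so replies can be told apart.
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int):
        """Translate an outside->inside packet, or return None if no state exists."""
        if dst != self.public_ip or dport not in self.in_map:
            return None   # nothing to map it to: the packet is dropped
        inside_ip, inside_port = self.in_map[dport]
        return (src, sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = Masquerader("203.0.113.1")
    print(nat.outbound("10.1.0.5", 51000, "198.51.100.7", 80))   # ('203.0.113.1', 40000, '198.51.100.7', 80)
    print(nat.outbound("10.1.0.6", 51000, "198.51.100.7", 80))   # ('203.0.113.1', 40001, '198.51.100.7', 80)
    print(nat.inbound("198.51.100.7", 80, "203.0.113.1", 40001))  # ('198.51.100.7', 80, '10.1.0.6', 51000)
    print(nat.inbound("198.51.100.7", 80, "10.1.0.5", 51000))     # None: inside addresses are not routable from outside
```

The table is the security-relevant state: a packet from outside can only reach an inside host through a port some inside host already opened, which is why NAT behaves much like the stateful filter on the earlier slide even though its purpose is address conservation.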
Logging
• Cheap solution to most behavioral problems
• Program logging
  • syslog / NT event log
• Sniffers
  • tcpdump, ssldump, Argus, Network General, HP OpenView
• Downside
  • Overhead intensive
  • Does not prevent damage (more reactive than proactive)
Firewall Pitfalls
• Single point of failure
• Useful ones are difficult to configure and integrate
• Performance requirements tend to create back doors
• False sense of security
• Maybe 40% protection against the top attacks
Where to Put the FW
Where to Put the FW (cont'd)
DMZ
• Neither internal nor external
• Placed between the external router and the bastion host
• The idea is to minimize the services and hence the potential attacks
  • Example: for a web server, stop everything but HTTP
• Multiple zones for increased availability/security
Distributed Firewalls (DFWs)
• To avoid a single point of failure
• To distribute risks
• Better scalability
• Trend towards using sophisticated protocols
  • IPsec
  • Identify hosts by authentication codes instead of IP headers
Switched Firewalls (Air-gap Technology)