1. ©2006 Secure Computing Corporation. All Rights Reserved. 1 9/2/2012 Firewall’s 101 Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP, CISM, CISA, ISSAP, CIFI
Vice President, Technology Evangelism
Secure Computing
2. 2 Firewall topics Why do you need a firewall?
What is a firewall?
What is the perfect firewall?
What types of firewall are there?
How should I deploy firewalls?
What is good firewall architecture?
3. 3 What are the risks? Theft or disclosure of internal data
Unauthorized access to internal hosts
Interception or alteration of data
Vandalism & denial of service
Lost employee time
Bad publicity, public embarrassment, and lawsuits
4. 4 What needs to be secured? Crown jewels: patent work, source code, market analysis; information assets
Any way into your network
Any way out of your network
Information about your network
5. 5 Why do I need a firewall? One firewall is simpler to administer than many hosts.
It’s easier to be security conscientious with a firewall.
6. 6 What is a firewall? As many machines as it takes to:
be the sole connection between inside and outside.
test all traffic against consistent rules.
pass traffic that meets those rules.
contain the effects of a compromised system.
7. 7 Firewall components All of the machines in the firewall
are immune to penetration or compromise.
retain enough information to recreate their actions.
8. 8 The Perfect firewall Lets you do your business
Works with existing security measures
Provides an acceptable level of Risk as defined by your Corporate Security Policy
9. 9 The security continuum Ease of use vs. degree of security
Cheap, secure, feature packed, easy to administer?
Choose three.
Default deny or default accept
10. 10 Policy for the firewall Who gets to do what via the Internet?
What Internet usage is not allowed?
Who makes sure the policy works and is being complied with?
When can changes be made to policy/rules?
What will be done with the logs?
Will we cooperate with law enforcement?
11. 11 What you firewall is important Internal security policy should show what systems need to be guarded.
How you deploy your firewall determines what the firewall protects.
The kind of firewall is how much insurance you’re buying.
12. 12 OSI Model – TCP/IP Model
13. 13 A fieldtrip through an IP packet Important fields are:
IP Header, TCP Header, Application Level Header
14. 14 Types of Firewalls Packet filters
Static
Dynamic (Stateful SPF)
Proxy
Circuit Level Proxy
Application Proxy
Store and Forward Proxy
Assume all these firewalls block the outside from creating new connections unless specifically allowed in the FW’s rules
15. 15 Packet filters
16. 16 Packet filters
17. 17 IP Header Segment The only information of value to the packet filter in the IP header segment is the Source and Destination addresses of the packet
18. 18 IP Header Segment
19. 19 TCP Header Segment The only information of value to the packet filter in the TCP header segment is the source / destination ports for the packet and the SYN flag
A dynamic packet filter uses the SYN flag to determine whether a packet belongs to a new connection or to an existing one
20. 20 TCP Header Segment
21. 21 Packet filters How Packet filters work
Read the header and filter by whether fields match specific rules.
In a Dynamic Packet Filter (SPF) the SYN flags allow the Firewall to tell if connection is new or ongoing.
Static packet filters do not look at the status of communications.
22. 22 Packet filters Allows connections as long as the ports are OK
Dynamic packet filters can deny / allow new inbound connections, using the SYN flag
When run at the kernel level, the host is directly involved, and accessible to attack.
The host must be hardened
23. 23 Packet filter weaknesses It’s easy to botch the rules.
Good logging is hard
On poorly designed packet filters, stealth scanning works well
Packet fragments, IP options, and source routing work by default
Packet filters usually can’t do authentication of end points
24. 24 Stateful packet filters
25. 25 Stateful packet filters Fast – because they do very little work
SPFs are dynamic packet filters operating at the kernel level - dangerous
The only data inspected by a SPF is source, destination and service.
SPFs are incapable of decisions such as:
allow - put
do not allow - get
SPFs have to collect and assemble packets in order to have enough data to act upon.
Once a connection is made it is entered into a table; when a new packet arrives and matches the table it is allowed to pass, without further inspection
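The following is an added example, not code from the deck or from Secure Computing, that puts slides 13 through 25 into working form: it pulls the source and destination addresses out of a raw IPv4 header and the ports plus the SYN flag out of the TCP header, then runs the same constructed packets through a static packet filter and a dynamic (stateful) one. The internal network 10.0.0.0/24, the hosts, the rule set and the packets are all assumptions constructed for the example. The stateful filter only lets a pure SYN consult the rule set, records the 4-tuple of an accepted connection, and afterwards passes that connection's packets on the table lookup alone, exactly the behaviour slide 25 describes.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SYN, ACK = 0x02, 0x10  # TCP flag bits the filter looks at

@dataclass(frozen=True)
class Headers:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

def parse_ipv4_tcp(raw: bytes) -> Headers:
    """Extract the only fields a packet filter uses: the addresses from the IP
    header, the ports and the flag byte from the TCP header."""
    ihl = (raw[0] & 0x0F) * 4                    # IP header length in bytes
    if raw[9] != 6:
        raise ValueError("example handles TCP (protocol 6) only")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Headers(src, dst, sport, dport, raw[ihl + 13])   # TCP byte 13 = flags

def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test input: 20-byte IPv4 header + 20-byte TCP header,
    checksums left at zero because the filter never reads them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, "0.0.0.0/0" = any
    dst: str
    dport: Optional[int]   # None = any port

def static_filter(h: Headers, rules: List[Rule]) -> str:
    """Static packet filter: first matching rule wins, default deny. It keeps no
    memory, so every packet is judged on its own headers."""
    for r in rules:
        if (ipaddress.ip_address(h.src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(h.dst) in ipaddress.ip_network(r.dst)
                and r.dport in (None, h.dport)):
            return r.action
    return "deny"

class StatefulFilter:
    """Dynamic (stateful) packet filter: only a pure SYN may open a connection
    through the rule set; the 4-tuple is then entered in a table and later
    packets of that connection pass on the table lookup alone."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()

    def check(self, h: Headers) -> str:
        fwd = (h.src, h.sport, h.dst, h.dport)
        rev = (h.dst, h.dport, h.src, h.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                          # existing connection, no rule lookup
        if h.flags & SYN and not h.flags & ACK:     # new connection attempt
            action = static_filter(h, self.rules)
            if action == "allow":
                self.table.add(fwd)
            return action
        return "deny"                               # non-SYN packet with no state

INSIDE, ANY = "10.0.0.0/24", "0.0.0.0/0"            # assumed internal network
POLICY = [Rule("allow", ANY, "10.0.0.5/32", 80),    # outside may reach the web server
          Rule("allow", INSIDE, ANY, None)]         # inside may connect anywhere

def run_demo() -> dict:
    """Run both filters over the same constructed packets. The static filter
    needs an extra 'replies in' rule for the outbound session to work, and that
    rule is what lets unsolicited inbound packets through."""
    static_rules = POLICY + [Rule("allow", ANY, INSIDE, None)]
    spf = StatefulFilter(POLICY)
    packets = {
        "outbound_syn": build_packet("10.0.0.7", "203.0.113.9", 40000, 443, SYN),
        "reply_synack": build_packet("203.0.113.9", "10.0.0.7", 443, 40000, SYN | ACK),
        "unsolicited_syn_to_ssh": build_packet("198.51.100.4", "10.0.0.7", 5555, 22, SYN),
        "ack_without_state": build_packet("198.51.100.4", "10.0.0.5", 5556, 80, ACK),
    }
    results = {}
    for name, raw in packets.items():
        h = parse_ipv4_tcp(raw)
        results[name] = {"static": static_filter(h, static_rules), "stateful": spf.check(h)}
    return results

if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:24s} static={v['static']:5s} stateful={v['stateful']}")
```

The two verdicts differ on the last two packets: the static filter has to open inside ports to let replies back in and so also admits an unsolicited SYN to port 22 and a lone ACK to the web server, while the stateful filter denies both because neither is a SYN and neither matches an entry in its table. Note that the stateful filter still sees nothing beyond addresses, ports and flags, which is the limitation slide 28 goes on to describe.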
26. 26 SPF flow diagram
27. 27 Stateful packet filters
28. 28 Weaknesses in SPF All the flaws of standard filtering still apply.
On SPFs, stealth scanning works well: attackers can learn which ports are open without alerting the administrator.
Default setups are very often insecure as reflected in CERT bulletins.
The packet that leaves the remote site is the same packet that arrives at the client.
Data in an allowed connection can be destructive.
SPFs are totally unaware of the packet pay-load
Traditionally SPFs have poor logging.
An SPF in and of itself is nothing more than a dynamic packet filter
29. 29 Proxy firewalls Proxy firewalls pass data between two separate connections, one on each side of the firewall.
Types: circuit level proxy, application proxy, store and forward proxy.
Current hardware platforms allow performance equal to or better than SPF with dramatically more granular security
30. 30 General proxy weaknesses The host is now directly involved, and accessible to attack.
The host must be hardened.
Higher latency & lower throughput.
31. 31 Circuit level proxy
32. 32 Circuit level proxy
33. 33 Circuit level proxy FW acts as an intermediary and transfers all information between the two connections. There is no direct connection between the client and host.
Tends to have better logging than packet filters as more data is available
Data passed inside the circuit could be dangerous.
34. 34 Application proxy
35. 35 Application proxy FW transfers only acceptable information between the two connections. There is no direct connection between the client and host.
The proxy can understand the protocol and filter the data within.
Strong Application Proxy implementations will inspect and re-write the packet for full RFC compliance
Provides the best logging as all possible data is available
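As an added example (not code from the deck or from any vendor the deck names), here is the kind of decision slides 25 and 35 contrast: an SPF sees only "port 80 to the web server" and cannot tell a GET from a PUT, whereas an application proxy parses the request, applies a method policy, rejects anything that is not well-formed HTTP, and re-writes a clean request from the parsed fields instead of relaying the client's bytes to the server. The read-only method policy, the whitelist of forwarded headers and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ALLOWED_METHODS = {"GET", "HEAD"}              # assumed policy: read-only web access
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
FORWARDED_HEADERS = ("host", "user-agent", "accept")   # assumed whitelist; all else is dropped
TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz")          # RFC 7230 tchar

@dataclass
class Verdict:
    action: str                 # "forward" or "deny"
    reason: str
    rewritten: Optional[bytes] = None   # the request the proxy sends on its own server-side connection

def inspect_request(raw: bytes) -> Verdict:
    """Application-proxy check on an HTTP request head: parse, enforce policy,
    and regenerate the request so only understood fields reach the server."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return Verdict("deny", "non-ASCII bytes in request head")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return Verdict("deny", "request head not terminated by CRLFCRLF")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return Verdict("deny", "malformed request line")
    method, target, version = parts
    if not method or not set(method) <= TOKEN_CHARS:
        return Verdict("deny", "method is not a valid token")
    if version not in ALLOWED_VERSIONS:
        return Verdict("deny", f"unsupported version {version}")
    if method not in ALLOWED_METHODS:
        return Verdict("deny", f"method {method} not permitted by policy")
    if not target.startswith("/") or any(ord(c) < 0x21 for c in target):
        return Verdict("deny", "request target must be an absolute path")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or not set(name) <= TOKEN_CHARS:
            return Verdict("deny", f"malformed header line {line!r}")
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return Verdict("deny", "HTTP/1.1 request without Host header")
    # Re-write from parsed fields rather than forwarding the client's bytes.
    out = [f"{method} {target} {version}"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    out.append("Connection: close")
    return Verdict("forward", "ok", ("\r\n".join(out) + "\r\n\r\n").encode("ascii"))

# Constructed sample requests: one acceptable, four that policy or the parser rejects.
CASES = {
    "get_ok": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: 1\r\n\r\n",
    "put_denied": b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET /a HTTP/1.1\r\n\r\n",
    "bad_version": b"GET /a HTTP/9.9\r\nHost: www.example.com\r\n\r\n",
    "malformed": b"GET  /a HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def run_demo() -> dict:
    return {name: inspect_request(raw) for name, raw in CASES.items()}

if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:12s} {v.action:8s} {v.reason}")
```

Every branch returns a reason string, which is what gives an application proxy the logging advantage the slide mentions: the log can say which method or which malformed line was refused, not merely that a packet to port 80 was dropped. The non-forwarded header `X-Debug` disappears from the rewritten request, so a client cannot smuggle arbitrary header lines through the proxy to the server.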
36. 36 Application proxy weaknesses Some proxies on an “application proxy” firewall may not be fully application aware.
Proxies have to be written securely.
37. 37 Store and forward proxies Client asks firewall for document; the firewall downloads the document, saves it to disk, and provides the document to the client. The firewall may cache the document.
Can do data filtering.
Examples: Microsoft, Netscape, CERN, Squid proxies; SMTP mail
38. 38 Weaknesses Store and forward proxies tend to be big new programs. Making them your primary connection to the Internet is dangerous.
These applications don’t protect the underlying operating system at all.
Caching proxies can require more administrator time and hardware.
39. 39 Architecture summary No single architecture is the Holy Grail
A firewall based on anything less than a combination and balance of all 3 architectures is simply inadequate
static packet filter
dynamic packet filter (SPF)
circuit / application proxy
40. 40 Other Considerations OS Hardening
Network Address Translation (NAT)
Logging
41.
This slide shows a typical application-level-only firewall. The firewall software (proxies, packet filtering, etc.) resides on top of a non-secure OS (e.g. SunOS, HP-UX, NT).
All the firewall security is then based on this application-level program. If a hacker is able to get through this software or around this software, they have easy access into the OS and can tunnel through the firewall or otherwise disable the firewall.
This is a LESS SECURE SOLUTION.
42.
This shows the same as the last slide, but for CyberGuard Firewall.
CyberGuard firewall also has application level firewall software. However, this resides on top of our B1 (B2 future) OS and networking. Thus, if a hacker is able to penetrate our application level software or get around this software, they run into the MLS capabilities of our B1 OS & Networking. They cannot penetrate into the OS to tunnel through or modify the security aspects of the CyberGuard.
This is the MOST SECURE SOLUTION!
43. 43 Network Address Translation (NAT) NAT changes the IP addresses in a packet, so that the address of the client inside never shows up on the Internet.
44. 44 Types of NAT Many IPs inside to many static IPs outside
Many IPs inside to many random IPs outside
Many IPs inside to one IP address outside
Transparent diversion of connections
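An added example, not code from the deck, of the third NAT type listed above (many inside addresses behind one outside address): each outbound flow is given its own outside port and recorded in a table, replies are translated back by looking up that table, and an inbound packet with no table entry is dropped, which is why the inside addresses never appear on the Internet and cannot be reached unless an inside host opened the connection. The outside address 203.0.113.1, the inside hosts and the port range are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class ManyToOneNAT:
    """Many inside IPs to one outside IP. Outbound packets are rewritten to the
    outside address and a per-flow outside port; inbound packets are rewritten
    back only when the (outside port, remote endpoint) pair is in the table."""
    def __init__(self, outside_ip: str, port_range: Tuple[int, int] = (40000, 60000)) -> None:
        self.outside_ip = outside_ip
        self._ports = iter(range(*port_range))   # simple allocator; real NATs also expire and reuse ports
        # inside (src, sport, dst, dport) -> outside port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (outside port, remote ip, remote port) -> inside (ip, port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, f: Flow) -> Flow:
        """Rewrite an inside-to-outside packet; allocate a mapping on first use."""
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.out_table.get(key)
        if port is None:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[(port, f.dst, f.dport)] = (f.src, f.sport)
        return replace(f, src=self.outside_ip, sport=port)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Rewrite an outside-to-inside packet, or return None to drop it."""
        if f.dst != self.outside_ip:
            return None
        inside = self.in_table.get((f.dport, f.src, f.sport))
        if inside is None:
            return None     # nothing inside opened this flow: the packet goes nowhere
        return replace(f, dst=inside[0], dport=inside[1])

def run_demo() -> dict:
    """Two inside hosts using the same source port share one outside address;
    a reply reaches the right host, unsolicited packets are dropped."""
    nat = ManyToOneNAT("203.0.113.1")                      # assumed outside address
    a = nat.translate_out(Flow("10.0.0.7", 40000, "203.0.113.9", 443))
    b = nat.translate_out(Flow("10.0.0.8", 40000, "203.0.113.9", 443))
    return {
        "host7_out": a,
        "host8_out": b,
        "reply_to_host8": nat.translate_in(Flow("203.0.113.9", 443, "203.0.113.1", b.sport)),
        "unsolicited_ssh": nat.translate_in(Flow("198.51.100.4", 5555, "203.0.113.1", 22)),
        "wrong_remote": nat.translate_in(Flow("198.51.100.4", 443, "203.0.113.1", a.sport)),
    }

if __name__ == "__main__":
    for name, flow in run_demo().items():
        print(f"{name:16s} {flow if flow else 'dropped'}")
```

Keying the inbound table on the remote endpoint as well as the outside port means a packet from a different remote host to a mapped port is dropped too (`wrong_remote` in the demo); a NAT that keyed only on the outside port would answer any remote host that guessed the port, which is one way a poor implementation can reveal more about the inside network than it should.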
45. 45 Weaknesses of NAT Poor NAT implementations can still give out a lot of information about your network
May need a lot of horsepower
46. 46 Logging Pros:
Very cheap
Solves some behavioral problems
Logfiles are good
Cons:
Administrator intensive
Doesn’t prevent damage
Needs a very stable environment to be useful
47. 47 Types of logging Program logging
Syslog /NT event log
Sniffers
Argus, Network General, HP Openview, TCPdump
Router debug mode
A very good tool for tracking across your network
48. 48 Firewall deployment checklist Review corporate security policy requirements
Have a list of what needs to be protected
Have all of the networks configured for the firewall
All rules are in place
Logging is on
49. 49 What steps are left? What is the firewall allowing access to?
Internal machines receiving data had better be secure.
If these services can’t be secured, what do you have to lose?
50. 50 Last checks Day 0 Backups made?
Are there any gaps between our corporate security policy and the rules the firewall is enforcing?
51. 51 Auditing A firewall works when an audit finds no deviations from policy.
Scanning tools are good for auditing conformance to policy, not very good for auditing security.
52. 52 Sample configurations Good configurations should:
Limit Denial of Service.
Minimize complexity for inside users.
Be fully auditable.
Allow outside to connect to all specific inside permitted resources.
Allow inside to connect to all specific outside permitted resources.
Deny outside to connect to all specific inside denied resources.
Deny inside to connect to all specific outside denied resources.
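As an added example (not from the deck), this is one way to carry out the audit slide 51 calls for against the kind of rule set slide 52 describes: the policy is written down as concrete test flows with the verdict the corporate policy requires, the rule set is evaluated first-match with default deny, and every disagreement is reported as a deviation. It also flags rules that an earlier rule completely covers and that can therefore never fire, a common way to "botch the rules". The rule set, the hosts and the policy cases are assumptions constructed for the example, and the rule that gets shadowed is planted deliberately.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, "0.0.0.0/0" = any
    dst: str
    dport: Optional[int]   # None = any port
    comment: str = ""

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet the inner rule could match is also matched by outer."""
    return (Net(inner.src).subnet_of(Net(outer.src))
            and Net(inner.dst).subnet_of(Net(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def verdict(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with default deny, the semantics the firewall applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in Net(r.src) and d in Net(r.dst) and r.dport in (None, dport):
            return r.action
    return "deny"

@dataclass(frozen=True)
class PolicyCase:
    description: str
    src: str
    dst: str
    dport: int
    expected: str          # verdict the corporate security policy requires

def audit(rules: List[Rule], cases: List[PolicyCase]) -> List[str]:
    """Return one finding per shadowed rule and per policy deviation; empty means the
    firewall enforces the policy as written."""
    findings = [f"rule {i} ({rules[i].comment}) is shadowed by an earlier rule and can never match"
                for i in shadowed_rules(rules)]
    for c in cases:
        got = verdict(rules, c.src, c.dst, c.dport)
        if got != c.expected:
            findings.append(f"policy deviation: {c.description}: policy says {c.expected}, rules give {got}")
    return findings

# Constructed rule set; rule 2 is deliberately placed after the catch-all deny.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.0.5/32", 80, "public web server"),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/24", None, "block all other inbound"),
    Rule("allow", "0.0.0.0/0", "10.0.0.6/32", 25, "mail relay"),
    Rule("allow", "10.0.0.0/24", "0.0.0.0/0", None, "inside may go out"),
]
# Constructed policy cases: what the corporate security policy requires.
CASES = [
    PolicyCase("outside may reach the web server", "198.51.100.4", "10.0.0.5", 80, "allow"),
    PolicyCase("outside may reach the mail relay", "198.51.100.4", "10.0.0.6", 25, "allow"),
    PolicyCase("outside may not reach workstation ssh", "198.51.100.4", "10.0.0.7", 22, "deny"),
    PolicyCase("inside may browse the web", "10.0.0.7", "203.0.113.9", 443, "allow"),
]

if __name__ == "__main__":
    for finding in audit(RULES, CASES) or ["no deviations from policy"]:
        print(finding)
```

Run against the constructed input, the audit reports two findings that describe the same mistake from both sides: the mail-relay rule is shadowed by the catch-all deny above it, and the policy case that requires mail to reach the relay therefore fails. Keeping the policy cases under version control alongside the rule set turns the "last checks" slide into something that can be re-run after every rule change.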
53. ©2006 Secure Computing Corporation. All Rights Reserved. 53 9/2/2012 Thank You