CSCE 522 Firewalls
Readings
• Pfleeger: 6.7
CSCE 522 - Farkas
Traffic Control – Firewall
• Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
• Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it
Firewall
• Security wall between the private (protected) network and the outside world
[Figure: Private Network | Firewall | External Network]
Firewall Objectives
• Keep intruders, malicious code and unwanted traffic or information out
• Keep proprietary and sensitive information in
[Figure: Private Network | Firewall | External Network, with external attacks kept out and proprietary data kept in]
Without firewalls, nodes:
• Are exposed to insecure services
• Are exposed to probes and attacks from outside
• Can be defenseless against new attacks
• Network security relies totally on host security, and all hosts must communicate to achieve a high level of security – almost impossible
Common firewall features
• Routing information about the private network can't be observed from outside
  • traceroute and ping -o can't “see” internal hosts
• Users wishing to log on to an internal host must first log onto a firewall machine
Trade-Off between Accessibility and Security
[Figure: the service access policy sets the balance point between accessibility and security]
Firewall Advantages
• Protection for vulnerable services
• Controlled access to site systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use and misuse
• Policy enforcement
Controlled Access
• A site could prevent outside access to its hosts except for special cases (e.g., mail server)
• Do not give access to a host that does not require access
• Some hosts can be reached from outside, some cannot
• Some hosts can reach outside, some cannot
Concentrated Security
• Firewall is less expensive than securing all hosts
• All or most modified software and additional security software is on the firewall only (no need to distribute it to many hosts)
• Other network security mechanisms (e.g., Kerberos) involve modification at each host system
Enhanced Privacy
• Even innocuous information may contain clues that can be used by attackers
• E.g., finger:
  • information about the last login time, when e-mail was read, etc.
  • Infer: how often the system is used, active users, whether the system can be attacked without drawing attention
Logging and Statistics on Network Use, Misuse
• If all access to and from the Internet passes through the firewall, the firewall can theoretically log accesses and provide statistics about system usage
• Alarms can be added to indicate suspicious activity, probes and attacks – double duty as an IDS on smaller networks
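Both halves of this slide, usage statistics and a probe alarm, can be computed from the same log. The following Python is an added example, not part of the lecture slides: it parses a constructed log in a made-up layout (not any vendor's format), counts allowed connections per service, and raises an alarm when one source's denied packets touch many distinct destination ports in a short window, which is the simplest "probe" signature. The addresses, timestamps and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log in a made-up layout (not any vendor's format):
# "<ISO time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY tcp 198.51.100.9:40001 -> 10.0.0.5:21
2024-03-01T10:00:01 DENY tcp 198.51.100.9:40002 -> 10.0.0.5:22
2024-03-01T10:00:02 DENY tcp 198.51.100.9:40003 -> 10.0.0.5:23
2024-03-01T10:00:02 DENY tcp 198.51.100.9:40004 -> 10.0.0.5:25
2024-03-01T10:00:02 DENY tcp 198.51.100.9:40005 -> 10.0.0.5:80
2024-03-01T10:00:03 DENY tcp 198.51.100.9:40006 -> 10.0.0.5:443
2024-03-01T10:00:05 ALLOW tcp 203.0.113.7:52000 -> 10.0.0.25:25
2024-03-01T10:01:10 ALLOW tcp 203.0.113.8:52001 -> 10.0.0.25:25
2024-03-01T10:02:00 DENY tcp 203.0.113.8:52002 -> 10.0.0.25:22
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (tcp|udp|icmp) (\S+):(\d+) -> (\S+):(\d+)$"
)

def parse(log: str) -> List[dict]:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, proto, src, sport, dst, dport = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        })
    return events

def usage_stats(events: List[dict]) -> Dict[int, int]:
    """Allowed connections per destination port: the 'statistics on use' side."""
    counts: Dict[int, int] = defaultdict(int)
    for e in events:
        if e["action"] == "ALLOW":
            counts[e["dport"]] += 1
    return dict(counts)

def detect_probes(events: List[dict], min_ports: int = 5, window_s: int = 60) -> Dict[str, int]:
    """The 'alarm' side: flag any source whose DENIED packets hit at least
    min_ports distinct destination ports within window_s seconds (a port sweep).
    Returns {source: distinct ports seen in the triggering window}."""
    by_src: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append((e["ts"], e["dport"]))
    flagged: Dict[str, int] = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):           # slide a window from each hit
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                flagged[src] = len(ports)
                break
    return flagged

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("allowed connections per port:", usage_stats(evs))
    print("probe alarms:", detect_probes(evs))
```

On the sample, the only allowed traffic is two mail connections, and 198.51.100.9 is flagged after touching six ports in two seconds, while 203.0.113.8's single denied packet stays below the threshold. The threshold and window are the knobs that decide how much "double duty as an IDS" a firewall log can do before false alarms dominate.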
Policy enforcement
• Means for implementing and enforcing a network access policy
• Access control for users and services
• Can’t replace a good education/awareness program, however:
  • Knowledgeable users could tunnel traffic to bypass policy enforcement on a firewall
Firewall Disadvantages
• Restricted access to desirable services
• Large potential for back doors
• No protection from insider attacks
• No protection against data-driven attacks
• Cannot protect against newly discovered attacks – policy/situation dependent
• Large learning curve
Restricted Access to Desirable Services
• May block services that users want
  • E.g., telnet, ftp, X Windows, NFS, etc.
• Need a well-balanced security policy
• Similar problems would occur with host access control
• Network topology may not fit the firewall design
  • E.g., using insecure services across major gateways
  • Need to investigate other solutions (e.g., Kerberos)
Back Doors
• Firewalls DO NOT protect against back doors into the site
  • E.g., if unrestricted modem access is still permitted into a site, the attacker could jump around the firewall
• Legacy network topology in large networks
Little Protection from Insider Attacks
• Generally does not provide protection from insider threats
• Sneaker net: an insider may copy data onto tape or print it and take it out of the facility
Data-Driven Attacks
• Viruses:
  • users downloading virus-infected personal computer programs
• Executable content:
  • Java applets
  • ActiveX controls
  • JavaScript, VBScript
• End-to-end encryption
• Tunneling/encapsulation
Other Issues
• Throughput: potential bottleneck (all connections must pass through the firewall)
• Single point of failure: concentrates security in one spot => a compromised firewall is a disaster
• Complexity: feature bloat
• Some services do not work well with firewalls
• Lack of standard performance measurements or techniques
Firewall Components
• Firewall administrator
• Firewall policy
• Packet filters
  • transparent
  • do not change traffic, only pass it
• Proxies
  • active
  • intercept traffic and act as an intermediary
Firewall Administrator
• Knowledge of the underpinnings of network protocols (e.g., TCP/IP, ICMP)
• Knowledge of the workings of applications that run over the lower-level protocols
• Knowledge of the interaction between the firewall implementation and traffic
• Vendor-specific knowledge
Firewall Policy
• High-level policy: service access policy
• Low-level policy: firewall design policy
Firewall policy should be flexible!
Service Access Policy
• Part of the network security policy
• Goal: keep outsiders out
• Must be realistic and reflect the required security level
• Full security vs. full accessibility
Firewall Design Policy
• Refinement of the service access policy for a specific firewall configuration
• Defines:
  • How the firewall achieves the service access policy
• Unique to a firewall configuration
• Difficult!
Firewall Design Policy Approaches:
• Open system: permit any service unless explicitly denied (maximal accessibility)
• Closed system: deny any service unless explicitly permitted (maximal security)
Simple Packet Filters
• Applies a set of rules to each incoming IP packet to decide whether it should be forwarded or discarded
• Header information is used for filtering (e.g., protocol number, source and destination IP, source and destination port numbers, etc.)
• Stateless: each IP packet is examined in isolation from what has happened in the past
• Often implemented by a router (screening router)
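The two design-policy approaches and the stateless packet filter fit together in a few dozen lines. The following Python is an added example, not code from the lecture: it models the header fields a screening router sees, evaluates an ordered rule list where the first match wins, and lets the default policy (open system = default allow, closed system = default deny) decide anything unmatched. The 10.0.0.0/8 network, the mail server at 10.0.0.25 and the rule set are constructed. The last rule is the typical stateless compromise: to let replies to internal clients back in, inbound TCP to unprivileged ports must be allowed wholesale, which is exactly the gap the stateful inspection slide later addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter gets to see (constructed model)."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"             # CIDR; default matches every address
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None     # destination port range; None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True

class StatelessFilter:
    """First matching rule wins; the default policy decides anything unmatched.
    Each packet is judged on its own: no memory of earlier packets."""
    def __init__(self, rules: List[Rule], default: str):
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be 'allow' or 'deny'")
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

INTERNAL = "10.0.0.0/8"        # constructed private network
MAIL_SERVER = "10.0.0.25/32"   # the one host outsiders may reach

# Constructed rule set: outsiders reach only the mail server on port 25,
# telnet into the site is explicitly denied, and inbound TCP to unprivileged
# ports is allowed so that replies to internal clients can get back in.
RULES = [
    Rule("allow", proto="tcp", dst=MAIL_SERVER, dports=range(25, 26)),
    Rule("deny",  proto="tcp", dst=INTERNAL, dports=range(23, 24)),
    Rule("allow", proto="tcp", dst=INTERNAL, dports=range(1024, 65536)),
]

closed_system = StatelessFilter(RULES, default="deny")   # deny unless permitted
open_system = StatelessFilter(RULES, default="allow")    # permit unless denied

def decide_both(pkt: Packet) -> tuple:
    """Same packet, same rules, different default policy."""
    return closed_system.decide(pkt), open_system.decide(pkt)

if __name__ == "__main__":
    outside = "203.0.113.7"
    for p in (Packet("tcp", outside, "10.0.0.25", 40000, 25),
              Packet("tcp", outside, "10.0.0.9", 40001, 22),
              Packet("tcp", outside, "10.0.0.9", 40002, 23),
              Packet("tcp", outside, "10.0.0.9", 40003, 51000)):
        print(p, "->", decide_both(p))
```

The SSH packet to 10.0.0.9 shows the policy difference directly: no rule mentions port 22, so the closed system drops it and the open system passes it. The packet to port 51000 shows the stateless weakness: both systems pass it, because a filter with no memory cannot tell a reply from an unsolicited connection to an internal service listening on a high port.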
Simple Packet Filter
• Placing a simple router (or similar hardware) between the internal network and the “outside”
• Allow/prohibit packets from certain services
• Packet-level rules
[Figure: Private Network | Packet Filter | Outside]
Simple Packet Filters
• Advantages:
  • Does not change the traffic flow or characteristics – passes it through or doesn’t
  • Simple
  • Cheap
  • Flexible: filtering is based on current rules
Simple Packet Filters
• Disadvantages:
  • Direct communication between multiple hosts and the internal network
  • Unsophisticated (protects against simple attacks)
  • Calibrating the rule set may be tricky
  • Limited auditing
  • Single point of failure
Stateful Packet Filters
• Called Stateful Inspection or Dynamic Packet Filtering
• Checkpoint patented this technology in 1997
• Maintains a history of previously seen packets to make better decisions about current and future packets
• Check out:
  • CheckPoint, Stateful Inspection Technology, http://www.tchk.net/download/Stateful_Inspection.pdf
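What "a history of previously seen packets" buys over a stateless rule is easiest to see on TCP reply traffic. The following Python is an added example, not the lecture's or Check Point's code: it runs one constructed packet sequence through a stateless filter that admits any inbound segment with ACK set (the only way a memoryless filter can let replies in) and through a stateful filter that records outbound connection attempts in a table and admits inbound segments only for connections an internal host actually opened. The 10/8 internal network, the 192.0.2.10 web server, the 198.51.100.9 outside host and the simplified state machine (SYN_SENT, ESTABLISHED, torn down on RST) are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class TcpPacket:
    """Constructed model of a TCP segment header as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # subset of {"SYN", "ACK", "FIN", "RST"}

def is_internal(addr: str) -> bool:
    return addr.startswith("10.")          # constructed private network 10/8

def stateless_decide(pkt: TcpPacket) -> str:
    """Stateless approximation of 'allow replies': with no memory, the filter
    can only let in inbound segments that carry ACK, which a probe can set too."""
    if is_internal(pkt.src):
        return "allow"                     # all outbound traffic permitted
    return "allow" if "ACK" in pkt.flags else "deny"

class StatefulFilter:
    """Keeps a connection table keyed by (client, cport, server, sport) and
    admits inbound segments only for connections an internal host opened."""
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def decide(self, pkt: TcpPacket) -> str:
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"         # new outbound connection
            elif key in self.table and "RST" in pkt.flags:
                del self.table[key]                  # client tore it down
            return "allow"
        # inbound: look up the reverse tuple
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"                            # no internal host asked for this
        if state == "SYN_SENT":
            if {"SYN", "ACK"} <= pkt.flags:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"                            # wrong step in the handshake
        if "RST" in pkt.flags:
            del self.table[key]
        return "allow"                               # established: data flows

def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Feed one constructed packet sequence to both filters; returns
    {step: (stateless decision, stateful decision)}."""
    sf = StatefulFilter()
    client, server, outsider = "10.0.0.5", "192.0.2.10", "198.51.100.9"
    steps = {
        "outbound_syn":    TcpPacket(client, 51000, server, 80, frozenset({"SYN"})),
        "reply_synack":    TcpPacket(server, 80, client, 51000, frozenset({"SYN", "ACK"})),
        "outbound_ack":    TcpPacket(client, 51000, server, 80, frozenset({"ACK"})),
        "reply_data":      TcpPacket(server, 80, client, 51000, frozenset({"ACK"})),
        # an ACK-flagged segment from a host the client never talked to
        "ack_probe":       TcpPacket(outsider, 1234, client, 51000, frozenset({"ACK"})),
        "unsolicited_syn": TcpPacket(outsider, 1234, client, 22, frozenset({"SYN"})),
    }
    return {name: (stateless_decide(p), sf.decide(p)) for name, p in steps.items()}

if __name__ == "__main__":
    for step, (stateless, stateful) in run_scenario().items():
        print(f"{step:16} stateless={stateless:5} stateful={stateful}")
```

Both filters pass the legitimate handshake and data, and both drop the unsolicited SYN. They differ on the ACK-flagged segment from a third host: the stateless filter has to pass it because it looks like a reply, while the stateful filter finds no matching entry in its table and drops it. That table is the "history" the slide refers to; the cost is memory per connection and the need to expire entries, which is why stateful devices are a more attractive denial-of-service target than screening routers.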
Proxy Firewalls (Bastion Host)
[Figure: “View” vs. “Reality”: the private network appears to talk to the outside directly, while in reality all traffic passes through the proxy server]
Proxy Firewalls
• Application gateways
  • Work at the application layer; must understand and implement the application protocol
  • Called application-level gateway or proxy server
• Circuit-level gateway
  • Works at the transport layer
Application Gateways
• Interconnects one network to another for a specific application
• Understands and implements the application protocol
• Good for higher-level restrictions
[Figure: Client | Application Gateway | Server]
Application Gateways
• Advantages (compared with permitting application traffic directly to internal hosts):
  • Information hiding: names of internal systems are not known to outside systems
  • Can limit capabilities within an application
  • Robust authentication and logging: application traffic can be pre-authenticated before reaching the host and can be logged
  • Cost effective: third-party software and hardware for authentication and logging only on the gateway
  • Less complex filtering rules for packet-filtering routers: need to check only the destination
  • Most secure
Application Gateways
• Disadvantages:
  • Keeping up with new applications
  • Need to know all aspects of the protocols
  • May need to modify application clients/protocols
Circuit-Level Gateways
• Basically a generic proxy server for TCP
• Works like an application-level gateway, but at a lower level
Circuit-Level Gateways
• Advantages:
  • Don’t need a separate proxy server for each application
  • Provide an option for applications for which proxy servers don’t yet exist
  • Simpler to implement than application-specific proxy servers
Circuit-Level Gateways
• Disadvantages:
  • No knowledge of higher-level protocols – can’t scan for active content or disallowed commands
  • Can only handle TCP connections – new extensions proposed for UDP
  • Proprietary packages: TCP/IP stacks must be modified by the vendor to use circuit-level gateways
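The contrast between the application gateway slides ("can limit capabilities within an application") and the circuit-level gateway slides ("can't scan for disallowed commands") comes down to whether the proxy parses the protocol it relays. The following Python is an added example, not code from the lecture or any proxy product: it models both gateways as pure functions over one constructed FTP-style command stream (the verbs follow FTP's naming, but this is not a real FTP implementation). The endpoint policy, the allowed-verb list and the session bytes are constructed.

```python
from typing import List, Tuple

# Constructed policy: the internal client 10.0.0.5 may fetch files from the
# outside server 192.0.2.10 on port 21, but must not upload or delete.
ALLOWED_ENDPOINTS = {("10.0.0.5", "192.0.2.10", 21)}
ALLOWED_COMMANDS = {"USER", "PASS", "PWD", "LIST", "RETR", "QUIT"}   # FTP-style verbs

def circuit_level_gateway(client: str, server: str, port: int,
                          stream: bytes) -> Tuple[str, bytes]:
    """Transport-layer decision only: once the endpoints are approved the bytes
    are relayed untouched, because the gateway has no idea what they mean."""
    if (client, server, port) not in ALLOWED_ENDPOINTS:
        return "refused", b""
    return "relayed", stream

def application_gateway(client: str, server: str, port: int,
                        stream: bytes) -> Tuple[str, List[str], List[str]]:
    """Application-layer proxy: parses the protocol it fronts, forwards each
    command individually and drops the ones policy forbids, so it can both
    restrict capabilities within the application and log what it blocked."""
    if (client, server, port) not in ALLOWED_ENDPOINTS:
        return "refused", [], []
    forwarded: List[str] = []
    blocked: List[str] = []
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("ascii", errors="replace")
        verb = line.split(" ", 1)[0].upper()
        (forwarded if verb in ALLOWED_COMMANDS else blocked).append(line)
    return "relayed", forwarded, blocked

# Constructed session: a download followed by an upload and a delete attempt.
SESSION = (b"USER anonymous\r\nPASS guest\r\nRETR report.pdf\r\n"
           b"STOR payroll.xls\r\nDELE report.pdf\r\nQUIT\r\n")

if __name__ == "__main__":
    print("circuit-level:", circuit_level_gateway("10.0.0.5", "192.0.2.10", 21, SESSION))
    print("application  :", application_gateway("10.0.0.5", "192.0.2.10", 21, SESSION))
```

Both gateways refuse a connection from an unapproved endpoint, which is all the circuit-level gateway can do. On the approved connection the circuit-level gateway relays the STOR and DELE commands along with everything else, while the application gateway forwards only the permitted verbs and returns the blocked lines, which is exactly the material a logging and alarm stage needs. The price is visible in the code: the application gateway had to know the protocol's framing and verb list, and a new application means a new parser.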
Home Users
• Home routers:
  • Come with a built-in firewall
  • Generally simple packet filters
  • Can block all incoming connections on all ports if desired
  • Open connections as needed
• Examples:
  • Download files from outside using FTP: allow incoming connections on port 21
Windows Firewall
Functionality:
• Helps block computer viruses and worms from reaching your computer
• Asks for your permission to block or unblock certain connection requests
• Lets you create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer
Windows Firewall
What it does not support:
• Detecting or disabling computer viruses and worms if they are already on your computer
• Stopping you from opening e-mail with dangerous attachments
• Blocking spam or unsolicited e-mail from appearing in your inbox
Third-Party Firewalls
• Ranging in price between free and $50 on average
• ZoneAlarm Pro 5
• PC-Cillin 2004 Internet Security
• Norton Personal Firewall 2005
• McAfee Personal Firewall 6.0 2005
Firewall Evaluation
• Level of protection on the private network?
  • Prevented attacks
  • Missed attacks
  • Amount of damage to the network
• How well is the firewall protected?
  • Possibility of compromise
  • Detection of the compromise
  • Effect of compromise on the protected network
• Ease of use
• Efficiency, scalability, redundancy
• Expense
Next class: Intrusion Detection