400 likes | 713 Views
Perimeter Security. CS498IA Spring 2007. Reading. Ch. 25 (Intrusion Detection) Ch. 26 (Network Security) Optional: “Firewalls and Internet Security,” Cheswick, Bellovin, Rubin The text about network security. Network Security Approaches. Secure Network Protocols
E N D
Perimeter Security CS498IA Spring 2007
Reading • Ch. 25 (Intrusion Detection) • Ch. 26 (Network Security) • Optional: “Firewalls and Internet Security,” Cheswick, Bellovin, Rubin • The text about network security
Network Security Approaches • Secure Network Protocols • Secure Networked Computer • Perimeter Security
Perimeter Defense Perimeter Internet Intranet
Perimeter Defense Strategy • Divide networks into zones of varying trust • Simplest division: intranet (trusted) and Internet (untrusted) • Put security measures on boundaries between zones • choke points • E.g. connection to ISP
Perimeter Defense Advantages • Scale • Can configure one computer to be secure, but how about 1,000? • Threat model • Most threats come from less trusted zones • Convenience • Can use less secure protocols and software inside perimeter • Don’t bother users with security protections unless they talk to the outside
Firewalls • Filter traffic going across perimeter boundary • Various levels of sophistication Firewall Internet Intranet
Packet Filter • Filter IP packets based on their headers • Fields may include: • IP address (source & destination) • TCP/UDP ports (source & destination) • Flags • Options • Stateless & fast • Implementation is based on lookup of header bits/bytes and decisions
Example Rules allow proto=TCP AND port=80 deny proto=UDP AND port=1434 deny sourceIP=127.0.0.1 allow proto=TCP AND port=22 AND sourceIP=adminConsole
Example Policy • Outbound traffic only • allow proto=TCP AND (sourceIP=inside OR ACK=true) • What might be some issues with this policy? Firewall Internet Intranet
Firewall Internet More complicated network Intranet • Need to allow services from within the Intranet • Option 1: “punch a hole” allow port=25 AND destIP=mailserver • Option 2: DMZ WebServer DNSServer MailServer Desktop Desktop Desktop
Firewall Internet Demilitarized Zone Intranet Intranet WebServer Desktop Desktop Desktop MailServer Public WebServer DMZ DNSServer
DMZ principles • Restrict access • from Internet to the DMZ to protect servers • from DMZ to intranet to protect against compromises • E.g. • Allow connections from Internet to mail server on port 25 (SMTP) • Allow connections from intranet to mail server on port 993 (secure IMAP)
Policies • Firewall policies typically lists of allow or deny rules • What should the default rule be? • Default allow: • convenient since doesn’t interfere with legitimate activity • Default deny: • more secure, since every allowed use undergoes security review • if policy too restrictive, people complain and it gets fixed • if policy too permissive, only learn about it after an attack -- too late!
Other policy issues • Scale • Large organizations have thousands of rules • How do you process them efficiently? • How do you know they are correct? • Ingress vs. egress filtering • Ingress: filter packets from the Internet • Egress: filter traffic to the Internet (why?)
Packet Filter Limitation • Packet fragmentation • IP allows packets to be split into several fragments • No connection semantics • Actions only on individual packets • No application semantics • Only indication of application protocol is port number • Modern applications abuse this fact
Higher-level analysis • Packet filters cannot: • Forbid a particular URL • Detect email viruses • Block (malicious) ActiveX plugins • Alternate approaches: • Stateful firewall: reconstruct connections • Application-level proxy: transform connections
Stateful Firewall • Reconstruct connection state • Make decisions based on flows, not on packets • Some application protocol parsing may also be done GET su /foo.html root flow1 GET /foo.html ... flow2 su root X
Application-Level Proxy • Process incoming packets at application layer • Generate transformed message stream • Block dangerous messages • Normalize protocol semantics GET /foo.html HTTP/1.0 Evil-option: yes Proxy GET /foo.html HTTP/1.1 Evil-option: no
Trade-offs • Pro: Higher precision • Con: Higher costs • Scalability: keep state for all connections for 1000’s of computers • Latency: proxy adds processing delays • Flexibility: proxy needs to understand everything you do with a protocol
Network Address Translation rest of Internet local network (e.g., home network) 10.0.0/24 10.0.0.1 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
NAT & security • NAT originally designed to address IP scarcity • A user (e.g. DSL subscriber) pays for one or a few IP addresses for many computers • Side benefit: simple firewall • External ports allocated when internal host initiates connection • External connection attempts are impossible • Modern NATs more sophisticated • Allow some external connections to exist • Support for dynamic port allocation for P2P, UDP applications • Limited firewall semantics
Network Intrusion Detection NIDS • Passive traffic interception • Send copy of traffic to NIDS • Do not block normal path • Better performance / worse security Internet Intranet
NIDS vs. Firewalls • Actions: • Firewalls: block or allow • NIDS: alert administrator, log, block (intrusion prevention system) • Policies: • Firewalls: ACL-style policy on (packet) attributes • NIDS: attack signatures, statistical anomalies • NIDS challenges: • Evasion • False positives
VPNs Firewall Intranet Internet Home Network
VPNs and Firewalls • VPN goals • Home computer / laptop on the road can be on corporate network • VPN issues • Home networks less protected than corporate network • Attacks can vector through VPN • Mitigation • Require protection on computers using VPN • More restrictive FW policy on VPN connections
Blurring of the Perimeter • VPNs • Complicated network connections with multiple partners • Wireless networks • Laptops • Malicious insiders • Worms / compromised computers can be seen as “malicious insiders”
Host-based approaches • Host-based IDS • Earlier types of IDS were all host-based • Can get better insight into host behavior • But more susceptible to compromise • Host-based firewalls • Your laptop and desktop probably have this functionality already • Challenge: management • Require all users to install firewall / IDS product, manage policies, configuration, and logs centrally • Alternate approach: FW/IDS in routers and switches
If you want to learn more... • Take CS460 lab course • Hands on experience with firewalls and IDSs • Take CS463 course • More detailed coverage of intrusion detection
Key points • Perimeter security is popular • Cheap, convenient, effective(?) • Firewalls and IDSs most common tools for network security • Firewalls and IDSs fighting an uphill battle • Both attackers and legitimate users struggle to avoid/evade them • Security management is a key challenge