CMPT 471 Networking II
Transcript of CMPT 471 Networking II
Firewalls
© Janice Regan, 2006-2013
Security
- When is a computer secure? When the data and software on the computer are available on demand only to those people who should have access.
- One component of keeping a computer secure can be a firewall. This is not an all-encompassing solution. Not all problems come from outside; you must keep in mind that a comprehensive internal security policy is also part of the solution.
Firewalls: why
- Provide a single protected access from your machine or network to the internet
- Create a single "choke" point
- Concentrate attention on protecting that "choke" point
- A network behind a firewall can spend less (not none) effort on host based security
  - Not all attacks or security problems come from outside
  - Still need a second line of defense in many cases
Firewalls: why not
- Firewalls don't protect against malicious insiders: they may prevent sending data out through the internet, but cannot protect against removing the data on physical media
- Firewalls don't protect you from connections that bypass them: dial-in or network access to internal machines cannot be monitored unless it passes through the firewall
Firewalls: why not
- Firewalls protect against known threats: new threats occur regularly and counters to them must be added just as regularly
- Viruses and malware can penetrate firewalls under some circumstances
- Firewalls often interfere with expected behaviors of internet applications, or slow down interaction with the internet
Firewalls
- Different firewall architectures are appropriate for different types of applications
- A firewall is a combination of hardware, software and policies
- Look at some architectures and examples:
  - Single machine with firewall (filtering)
  - Screening router
  - Dual homed host
  - Screened host
  - Screened network
GIVEN TODAY'S INTERNET ENVIRONMENT NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL, TO:
- Protect any private data or information
- Protect the machine so it is available for your use
- Prevent others from 'hijacking' your machine for their own purposes
Security strategies
- Least privilege: any object (user, program, system, ...) should have the least amount of privilege necessary to accomplish its own purpose
- Depth of defense: layer security mechanisms so that if one is compromised another still protects you. This protects against not only attacks but possible failures of any single layer in your defense
Security strategies
- Choke point: be sure that there is no way to circumvent the choke point; put protections at the choke point
- Weakest link: be aware of the weak points of your defense, this is where attacks will most likely occur
- Failures: try to make the system fail in a way that denies the attacker access, not one that opens access
Firewall Default Strategies
- Default deny policy: no traffic is passed through the firewall unless it is specifically allowed. Any traffic or service not specifically permitted to pass the firewall is blocked from the protected machine or network
- Default permit policy: all traffic will be permitted to pass through the firewall unless it is specifically forbidden
Which Default Strategy?
- To maximize security use default deny
  - OK if you do not need to provide internet services
  - Limited flexibility
- To maximize flexibility use default permit
  - More difficult to maintain
  - Must specifically deny sources and protocols
Some types of low level attacks
- Half open port scan or SYN scan: send a SYN (or a packet with another combination of flags) to each port and watch for an ACK or RST to determine whether the port is open. Do not reply to complete the connection (send RST instead).
- Denial of service: exploit known weaknesses of the stack to cause crashes
- IP spoofing: make the packet look like it comes from somewhere else
- Smurf: use a forged source address (A) to make a third party attack A
- Land: send a packet with source and destination addresses the same. May cause failure of the receiving machine.
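As an added example (not from the slides), the following Python shows how a defender might recognise three of these patterns in a summary of observed packets: a Land packet (source equals destination), a Smurf-style echo request aimed at a local broadcast address, and a half-open SYN scan (bare SYNs from one source to several ports that never complete a handshake). The packet records, the local network and the scan threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/24")]  # assumption: the protected network
SCAN_THRESHOLD = 3  # bare SYNs to this many distinct ports without an ACK = probable scan

# Constructed packet summaries (not from the slides): (src, dst, proto, dport, flags).
# flags: TCP flag letters, "S"=SYN, "A"=ACK, "R"=RST; ICMP entries carry the type name.
SAMPLE = [
    ("203.0.113.9", "10.0.0.5", "tcp", 22, "S"),    # half-open scan: SYN ...
    ("10.0.0.5", "203.0.113.9", "tcp", 22, "SA"),   #   ... target answers SYN/ACK
    ("203.0.113.9", "10.0.0.5", "tcp", 22, "R"),    #   ... scanner resets, never ACKs
    ("203.0.113.9", "10.0.0.5", "tcp", 25, "S"),
    ("10.0.0.5", "203.0.113.9", "tcp", 25, "R"),    #   closed port answers RST
    ("203.0.113.9", "10.0.0.5", "tcp", 80, "S"),
    ("10.0.0.5", "203.0.113.9", "tcp", 80, "SA"),
    ("203.0.113.9", "10.0.0.5", "tcp", 80, "R"),
    ("10.0.0.5", "10.0.0.5", "tcp", 139, "S"),       # Land: source == destination
    ("10.0.0.77", "10.0.0.255", "icmp", 0, "echo-request"),  # Smurf: ping to broadcast
    ("198.51.100.3", "10.0.0.5", "tcp", 80, "S"),   # normal three-way handshake
    ("10.0.0.5", "198.51.100.3", "tcp", 80, "SA"),
    ("198.51.100.3", "10.0.0.5", "tcp", 80, "A"),
]


def detect(packets):
    """Return a dict of finding type -> sorted list of offending source addresses."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports probed with a bare SYN
    completed = defaultdict(set)   # (src, dst) -> ports where src later sent a pure ACK
    findings = defaultdict(set)
    broadcasts = {n.broadcast_address for n in LOCAL_NETS}
    for src, dst, proto, dport, flags in packets:
        if src == dst:                                   # Land packet
            findings["land"].add(src)
        if proto == "icmp" and flags == "echo-request" and ip_address(dst) in broadcasts:
            findings["smurf_broadcast_ping"].add(src)    # source is probably forged
        if proto == "tcp" and flags == "S":
            syn_ports[(src, dst)].add(dport)
        elif proto == "tcp" and "A" in flags and "S" not in flags:
            completed[(src, dst)].add(dport)
    for (src, dst), ports in syn_ports.items():
        half_open = ports - completed[(src, dst)]        # SYN sent, handshake never finished
        if len(half_open) >= SCAN_THRESHOLD:
            findings["syn_scan"].add(src)
    return {kind: sorted(hosts) for kind, hosts in findings.items()}
```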
A single computer
- Many computers (probably most) have a continuous internet connection
- For a user with a single computer connected to their continuous connection, the simplest approach is a packet filtering firewall
- For Windows, can use the built-in firewall or many other proprietary products that provide more complete protection, including virus and spyware protection
- For Linux, can use iptables/netfilter to implement it directly, or other public domain or proprietary products
A home network
- It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the continuous Internet connection/s for the household
- This means that out of the box solutions that implement basic network protection are becoming common
- For a technically savvy user these solutions may also be easy, but other simple options exist
- Remember that out of the box solutions need configuration to optimize their effectiveness
Screening Router
- This is a common, inexpensive, out of the box solution that can be made more robust
- You probably need the router to connect your local machines anyway
- Be sure to configure it, don't just use the defaults
- Router usually includes a mechanism for implementing packet filtering (default deny and default permit strategies are usually both supported)
Screening Router
- This is a common, inexpensive, out of the box solution that can be made more robust
- Can implement the level of security appropriate for the network being protected; you will likely also need host level security
- The router will run a proprietary or reduced version of the operating system, providing fewer points of attack
Using a screening router
- The network needs an adequate level of host protection: if data on any of the machines is private, host security is needed to protect that data
- Only a limited number of simple protocols and services can be supported efficiently using a screening router
  - Can permit or deny protocols by port number
  - Harder to permit or deny parts of a protocol
  - Difficult to be sure that what is arriving on a port is really the expected protocol
- Router is a single point of failure
When to use a screening router
- When performance is important
  - Minimize added load on hosts by using the router to filter
  - Maximize throughput by basing security on simple filtering
- When the protected network also has an adequate level of host security
- When the number of protocols being allowed (default deny) or blocked (default accept) is small, and those protocols are simple and amenable to filtering
- Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls
Simple Firewall: Dual Homed Host
- Use a dual homed host to access the internet. Your network attaches to one or more interfaces, the internet to another
- Disable forwarding: this creates a default deny policy. All access to the Internet from internal hosts is by a proxy application running on the dual homed host
- Each application you run/proxy on the dual homed host provides another point of attack and increases load
- Avoid user accounts on the dual homed host. This provides extra protection
- Monitor the activity of each user
Dual Homed Host
[Diagram: a dual-homed host (no forwarding) sits between the INTERNET and four internal hosts]
Dual homed hosts: user accounts
- Users should not be able to log into the dual homed host
  - Prevents a hacker from breaking in through a user account
  - Makes the vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery, ...)
  - Prevents inadvertent damage to the dual homed host's security by users (poor passwords, ...)
  - Easier to detect attacks if the types of traffic are limited
Dual Homed Host: Limitations (1)
- Need an additional machine to use as the dual homed host (should not be a machine used directly by users)
- For a small network with modest traffic levels can even use an older, less powerful machine (bonus: this is the only machine seen from outside, so it is less attractive to hackers)
- As the network size, number of services proxied, or traffic load grows, more power is needed
Dual Homed Host: Limitations (2)
- Provides services by proxy
  - Each service supported provides additional points of attack
  - Not all services can be proxied
  - Not all services that can be proxied will have appropriate proxies available
- Better at supporting outbound services (local users using services on the external network) than inbound services
Dual Homed Host: Limitations (3)
- More overhead than an equivalent packet filtering system; proxies are more compute intensive than simple filters
- Dual homed host is a single point of failure
  - A hacker who crashes your dual homed host cuts you off from the internet
  - A hacker who compromises your dual homed host has access to your local network
When to use a dual homed host
- Internet traffic is limited: remember the load is larger than for a comparable packet filter
- The protected network does not contain critical data: this can be mitigated by host level protections, but there are better solutions
When to use a dual homed host
- No (or very limited) services are being provided to the internet: each service provided adds points of attack for those trying to break in
- Continuous connection to the internet is not essential and traffic to the internet is not critical to your business: attacks may cause the single "choke" point to fail or crash
Variations
- Many consumer routers support NAT (network address translation), allowing one IP address to be shared between multiple machines
  - Local IP addresses are used for your network
  - The gateway (router) forwards packets on behalf of the other computers on your intranet
  - Good way to hide the network from external eyes
- Can packet filter and provide some proxy services; often provides MAC address filtering
Screened Host Architecture
- All communication between hosts on the local network and the internet (both directions) passes through proxies on a bastion host, which communicates with the internet through a packet filtering router
- Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts)
- The bastion host is the only host on the network to which hosts on the internet can make connections
Screened Host Architecture
- The packet filtering router protects internal hosts from direct internet attack (allowing only certain services/protocols). This is the primary security for the network. It prevents users from directly accessing the Internet
- The bastion host provides services and runs proxies connecting to the outside world; it should not be a trusted member of the local network
- Not appropriate for public web servers
Screened Host
[Diagram: a packet filtering router connects the INTERNET to the local network, where the bastion host sits alongside the internal hosts]
Bastion Host
- Should run a minimum configuration to minimize points of attack
- Should have all services not needed by the site disabled
- Should not be trusted by hosts on the network
- Should not run booting services
- Must maintain a high level of host security on the bastion host
Bastion Host and user accounts
- Should not support user accounts
- May know about users (i.e. to allow access from outside the network to machines inside the network)
- Users should not be able to log into the bastion host
- Administrators should be able to log into the bastion host with individual accounts; remote login is a high security risk
Bastion Hosts and user accounts
- Users should not be able to log into the bastion host
  - Prevents a hacker from breaking in through a user account
  - Makes the vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery, ...)
  - Prevents inadvertent damage to the bastion host's security by users (poor passwords, ...)
  - Easier to detect attacks if the types of traffic are limited
Bastion Host
- Provides the services your site needs to access the internet
- Runs proxies for services your site provides to the internet: all services, or just the services that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS, SMTP, HTTP)
Screening router
- May allow hosts to open connections to selected servers on the internet
- May disallow services, forcing them to be proxied by the bastion host (or hosts)
Use a Screened Host When
- Few connections to the network originate from outside the network
- Host security is relatively high
- If you allow non-bastion hosts to connect to the internet you are compromising the design, since outside users then have access to the IP addresses of protected hosts
Comparison
- Router is easier to secure than a multi-homed host (simpler OS, fewer points of attack, fewer services running than a multi-homed host)
- Multi-homed host provides no way for packets to go directly to hosts; a screened host does (can be a security hole)
- Multi-homed host is more prone to failure (and the type of failure is more difficult to predict)
- On balance, a router may be more secure and simpler to administer
Comparison
- You can get some extra protection by isolating your bastion host and your screened hosts so that most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible)
- This is part of what a screened subnet does (next topic of discussion)
- Can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub
Screened Subnet
- Place the bastion host (or hosts) on a separate subnet connected to the Internet with a router. This separate subnet is known as a perimeter network.
- That subnet in turn connects to your internal network through a second router (with packet filtering).
- Removes the difficulties caused by a single point of failure (as in multi-homed hosts, and to a lesser extent screened hosts)
- Now a hacker must break through two levels of packet filters and compromise a bastion host to reach your internal network
Screened Subnet
[Diagram: an exterior router (packet filtering) connects the INTERNET to the perimeter network holding two bastion hosts; an interior router (packet filtering) connects the perimeter network to the internal hosts]
Screened subnet
- No longer a single point of failure
- Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet
- Multiple failures are needed to reach the screened subnet
  - If the router's firewall is breached the hacker can only reach the bastion hosts
  - If the bastion host is compromised, sensitive internal information is still protected: the screened network still has the protection of the interior router
Bastion Host/s on separate net
- Locating the bastion hosts on a separate network from the protected hosts has many benefits
  - The bastion host sees only packets to and from bastion hosts and to and from the internet
  - It does not see traffic on the internal network: accesses to sensitive files, confidential local email, remote logins, FTP or TELNET packets that could provide passwords
Bastion Host/s on separate net
- Bastion hosts are the primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS, ...)
- Outbound services (from our network to servers on the internet) have access controlled by filtering on the exterior or interior router, or by proxy services on the bastion hosts
- If traffic is high and/or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk
- Services may be divided between multiple bastion hosts. Services may be grouped by importance, audience, security level or access level
Interior router
- Primary packet filtering system (choke router)
- May be more restrictive than the packet filters in the exterior router
  - Want to assure that sensitive information does not leave the screened network
  - May allow a smaller set of services to reach the interior network than can reach the exterior network
  - May direct services from outside the screened network to designated servers (e.g. a mail server on one of the internal hosts)
- Allows services to the internet to be isolated from the screened internal network (on the perimeter network)
- Protects your screened interior network from the Internet and from the perimeter network
Exterior Router
- The exterior router may be called the access router
- Sometimes the exterior router is provided by another group (like an ISP)
  - Your access will be limited
  - Filter rules will not be customized to your needs
  - Hosts on the perimeter net must be protected by strong host security
  - Makes exterior filtering less critical
- If you do control the exterior router you may want to duplicate a subset of its rules on your interior router
Exterior Router
- Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network)
- Should block outgoing packets that do not come from one of your network's IP addresses
  - Prevents your users sending inappropriate packets
  - More importantly: prevents any hijacker using one of your machines to send packets with inappropriate IP addresses
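The default deny versus default permit strategies, the interior (choke) router and the exterior router's anti-spoofing rules just described can be worked through with a small first-match packet filter. This is an added example, not code from the slides; the address ranges, the interface names and the SMTP-only service set are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed address plan (not from the slides): the screened internal
# network, the perimeter network, its bastion host and an internal mail server.
INTERNAL, PERIMETER = "10.0.0.0/24", "192.0.2.0/24"
BASTION, MAIL_SERVER = "192.0.2.10/32", "10.0.0.5/32"

# in_if: interface a packet arrives on ("ext" = internet side, "perim", "int").
Packet = namedtuple("Packet", "in_if src dst dport")
# A rule field left as None matches anything; src and dst are CIDR strings.
Rule = namedtuple("Rule", "action in_if src dst dport", defaults=(None,) * 4)


def matches(r, p):
    return (r.in_if in (None, p.in_if)
            and (r.src is None or ip_address(p.src) in ip_network(r.src))
            and (r.dst is None or ip_address(p.dst) in ip_network(r.dst))
            and r.dport in (None, p.dport))


class PacketFilter:
    """Ordered rule list, first match wins; the default policy decides the rest."""
    def __init__(self, default, rules):
        self.default, self.rules = default, rules   # default: "deny" or "permit"

    def decide(self, p):
        for r in self.rules:
            if matches(r, p):
                return r.action
        return self.default   # nothing matched: the default policy applies

# Exterior (access) router: anti-spoofing first, then the single service the
# bastion offers. Under default deny, outbound packets are permitted only from
# our own ranges, so a hijacked machine cannot emit packets with foreign sources.
EXTERIOR_RULES = [
    Rule("deny", in_if="ext", src=INTERNAL),             # forged internal source
    Rule("deny", in_if="ext", src=PERIMETER),            # forged perimeter source
    Rule("permit", in_if="ext", dst=BASTION, dport=25),  # SMTP to the bastion only
    Rule("permit", in_if="perim", src=PERIMETER),
    Rule("permit", in_if="perim", src=INTERNAL),
]

# Interior (choke) router: stricter still. Only the bastion may reach the
# internal mail server; internal hosts may talk only to the perimeter (proxies).
INTERIOR_RULES = [
    Rule("permit", in_if="perim", src=BASTION, dst=MAIL_SERVER, dport=25),
    Rule("permit", in_if="int", src=INTERNAL, dst=PERIMETER),
]


def screened_subnet_decisions():
    """Constructed sample packets through both routers; returns name -> decision."""
    ext, inner = PacketFilter("deny", EXTERIOR_RULES), PacketFilter("deny", INTERIOR_RULES)
    telnet_in = Packet("ext", "203.0.113.4", "10.0.0.5", 23)
    return {
        "spoofed_internal_src": ext.decide(Packet("ext", "10.0.0.7", "192.0.2.10", 25)),
        "smtp_to_bastion": ext.decide(Packet("ext", "203.0.113.4", "192.0.2.10", 25)),
        "telnet_default_deny": ext.decide(telnet_in),
        "telnet_default_permit": PacketFilter("permit", EXTERIOR_RULES).decide(telnet_in),
        "outbound_foreign_src": ext.decide(Packet("perim", "198.51.100.1", "203.0.113.4", 80)),
        "bastion_to_mail": inner.decide(Packet("perim", "192.0.2.10", "10.0.0.5", 25)),
        "bastion_to_other_host": inner.decide(Packet("perim", "192.0.2.10", "10.0.0.9", 23)),
    }
```

The same rule list gives opposite answers for the unlisted telnet packet under the two default policies, which is the whole difference between the two strategies.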
Variants
- Use multiple bastion hosts: distribute load, partition services, add redundancy
- Merge interior router and exterior router: need a router that allows separate filter specifications on each interface. Disadvantage: creates a single point of failure if the router is compromised
Multiple Bastion hosts
[Diagram: an exterior router (packet filtering) connects the INTERNET to a perimeter network with two bastion hosts; an interior router (packet filtering) connects the perimeter network to the internal hosts]
Merged Interior/Exterior routers
[Diagram: a single interior/exterior router (packet filtering) connects the INTERNET, the perimeter network with two bastion hosts, and the internal hosts]
Variants
- Use multiple independent perimeter networks
  - Provide redundancy and bandwidth
  - Assure the networks connect to different physical connections (different providers and different cables)
  - Both interior routers must enforce the same policies
  - Also used to separate incoming and outgoing services
Multiple perimeter networks
[Diagram: two exterior routers (packet filtering) each connect the INTERNET to their own perimeter network with a bastion host; each perimeter network connects to the internal hosts through its own interior router (packet filtering)]
Variants
- Use multiple exterior routers (or one exterior router with multiple interfaces)
  - Multiple internet connections (i.e. multiple providers, for redundancy or bandwidth)
  - Internet connection plus direct connections to other sites (through an internal firewall)
  - Minor security compromise because of two attack points into the perimeter network
Multiple Exterior routers
[Diagram: two exterior routers (packet filtering) connect the INTERNET to one perimeter network with two bastion hosts; an interior router (packet filtering) connects the perimeter network to the internal hosts]
Variants
- Merge bastion host and exterior router: use a single dual-homed host for both
  - Limits performance; less efficient for routing than a router
  - Depending on the operating system, flexible filtering may not be available
  - Need better protections on the dual homed host
  - Appropriate only for serving a very small number of low bandwidth services
Merge Bastion host/exterior router
[Diagram: one dual-homed host acts as both bastion host and exterior router between the INTERNET and the perimeter network; an interior router (packet filtering) connects the perimeter network to the internal hosts]
Dangerous Variants
- Do not merge bastion host and interior router
- Do not use multiple interior routers
- Do not use both screened subnets and screened hosts