Firewalls (10)
Firewalls
Mark Clements
Last Week ...
– Three main methods for cryptography: symmetric, asymmetric, hash
– Used in unique combinations
– Allow Bob and Alice to communicate without Eve knowing
This week ...
– Firewalls in general
– Stateful vs. Stateless Firewalls
– Application Proxies
– Firewall Architectures
Protecting the Network Perimeter
Possible reasons for attacking a network:
– Extortion
– Fraud
– Espionage
– Sabotage
– Simple curiosity
What is a Firewall?
– A firewall acts as a control barrier between a trusted and an un-trusted computer network, for example between a company network and the Internet
– It makes a decision whether to allow a packet to pass or not
– It can be a dedicated system, or a router can perform the role
Policy and Connections
[Diagram: Untrusted Network – Firewall – Trusted Network]
– The firewall enforces a security policy
– It allows only connections matching the security settings
Example Policy
For example, a firewall might be configured to pass all HTTP (www) traffic to TCP port 80, but to block any TELNET datagrams to TCP port 23
– TELNET is known to have security weaknesses, such as sending the username and password in plain text
– you do not wish to allow external clients to TELNET onto your servers and clients
Policy in action
[Diagram: Untrusted Network – Firewall – Trusted Network]
– Telnet (to TCP port 23): Blocked
– HTTP (to TCP port 80): Passed
IP Datagram Overview
[Figure: IP datagram header layout. Source: http://dimitar.me/]
Firewall Components
There are two principal firewall components:
– Packet filtering routers
– Application proxies
These work at different layers of the network stack
We shall now consider each of these in more detail
Packet Filtering Routers
Packet filtering routers decide whether to pass an IP datagram by viewing data in both the network and transport layer headers
In particular, packet filtering routers can consider the following information:
– Source and destination IP address (or subnet)
– Source and destination TCP or UDP port number
– Direction of datagram flow
– State of connection (new or established)
So in summary, packet filtering routers operate at the network (IP) and transport (TCP/UDP) layers of the stack
OSI Layers for firewalling
[Diagram: a packet filtering router between the untrusted and trusted networks, with the physical, link, network (IP) and transport (TCP/UDP) layers on each side; the router inspects no higher than the transport layer]
Packet Filtering Routers
Packet filtering routers can operate in one of two ways:
– Stateless packet filtering
– Stateful packet filtering
Checking each packet against a fixed access control list is an example of stateless filtering
Stateful packet filtering takes note of the TCP 3-way handshake and ensures that the packets it passes are part of an agreed stream
Stateless Firewalls
Stateless packet filtering routers make forwarding decisions based on the contents of the network (IP) layer header and the transport (TCP/UDP) layer header of each packet, considered in isolation
Their forwarding decisions are therefore based on:
– The source and destination IP address (or subnet)
– The direction of datagram travel
– The source and destination TCP or UDP port number
– Transport layer data such as the SYN and ACK flags
Stateful Packet Filtering Routers
Stateful packet filtering routers also make forwarding decisions based on the contents of the Network (IP) layer datagram header and the Transport (TCP/UDP) layer segment header
In addition they maintain a connection state table
– Holds the current state of a given connection
– No need to rely solely on the SYN and ACK flag values of each packet to learn this information (the flag values can be spoofed)
Stateful Firewall Decisions
Forwarding decisions are therefore based on:
– The source and destination IP address (or subnet)
– The direction of datagram travel
– The source and destination TCP or UDP port number
– Whether the datagram is part of a new or established connection, as recorded in the state table (the table is built by observing the SYN and ACK flags of the handshake as it happens, rather than by trusting the flags of each packet on its own)
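The Example Policy slide (pass HTTP to TCP/80, block Telnet to TCP/23) implemented twice, once as a stateless filter and once with a connection state table, as an added example that is not part of the lecture. The trusted network 10.0.0.0/24, the web server at 10.0.0.2, the remote addresses and the port numbers are assumptions. It shows the point made on the last three slides: a stateless "established" rule trusts the ACK flag, so an ACK-flagged packet with no real connection behind it is passed to port 23, while the stateful filter drops it because its state table has no entry for that flow.

```python
"""Stateless vs. stateful packet filtering, simulated on constructed packets.

Added example, not from the slides.  Packets are plain Python objects rather
than real IP datagrams; the trusted network is assumed to be 10.0.0.0/24 with
a web server on 10.0.0.2.  Policy from the slides: pass HTTP (TCP/80) inbound,
block Telnet (TCP/23), and let replies flow back.
"""
from dataclasses import dataclass

TRUSTED_PREFIX = "10.0.0."   # assumption: trusted network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def inbound(self) -> bool:
        """Untrusted -> trusted direction."""
        return self.dst.startswith(TRUSTED_PREFIX) and not self.src.startswith(TRUSTED_PREFIX)


def policy_allows_new(pkt: Packet) -> bool:
    """The slides' policy, applied to connection attempts only."""
    if pkt.inbound():
        return pkt.dport == 80        # HTTP to the web server; Telnet (23) and everything else denied
    return True                       # trusted hosts may open outbound connections freely


class StatelessFilter:
    """Decides from the IP/TCP headers of each packet alone.  A reply is
    recognised purely by the ACK flag (the classic 'established' ACL rule),
    and an attacker can set that flag on any packet they like."""

    def decide(self, pkt: Packet) -> str:
        if pkt.ack:                                   # treated as part of an existing stream
            return "pass"
        if pkt.syn and policy_allows_new(pkt):        # a new connection the policy permits
            return "pass"
        return "drop"


class StatefulFilter:
    """Keeps a connection state table.  A packet is 'established' only if the
    table says the connection was opened through the firewall, whatever its
    flags claim.  (A real implementation also tracks handshake progress,
    FIN/RST teardown and idle timeouts; this one only records the opening SYN.)"""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    @staticmethod
    def flow(pkt: Packet) -> tuple[str, int, str, int]:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_flow(pkt: Packet) -> tuple[str, int, str, int]:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> str:
        if self.flow(pkt) in self.table or self.reverse_flow(pkt) in self.table:
            return "pass"                             # belongs to a connection we saw opened
        if pkt.syn and not pkt.ack and policy_allows_new(pkt):
            self.table.add(self.flow(pkt))            # record the new connection
            return "pass"
        return "drop"                                 # includes ACK probes with no matching state


def run_scenario() -> dict[str, tuple[str, str]]:
    """Constructed traffic; returns {name: (stateless decision, stateful decision)}."""
    traffic = [
        ("http_syn_in",         Packet("203.0.113.7", 40000, "10.0.0.2", 80, syn=True)),
        ("http_synack_out",     Packet("10.0.0.2", 80, "203.0.113.7", 40000, syn=True, ack=True)),
        ("telnet_syn_in",       Packet("203.0.113.7", 40001, "10.0.0.2", 23, syn=True)),
        ("ack_probe_to_telnet", Packet("203.0.113.7", 40002, "10.0.0.2", 23, ack=True)),
        ("client_syn_out",      Packet("10.0.0.3", 50000, "198.51.100.9", 443, syn=True)),
        ("client_synack_in",    Packet("198.51.100.9", 443, "10.0.0.3", 50000, syn=True, ack=True)),
    ]
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (sl, sf) in run_scenario().items():
        print(f"{name:22s} stateless={sl:4s} stateful={sf}")
```

Running the file prints both decisions for each packet; the only row where the two filters disagree is the ACK probe to port 23, which is exactly the case the state table exists to catch.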
Performance vs. Cost
– 90% of the firewalls today are stateful
– Stateful packet filtering routers are more reliable than stateless packet filtering routers
– They provide a greater level of protection than stateless packet filtering routers
– However, for similar cost, stateful packet filtering routers are generally slower than stateless packet filtering routers
Packet Filtering Routers Performance Summary
[Figure: performance summary of stateless vs. stateful packet filtering routers]
Application Proxies
– 10% of firewalls are application proxies
– Application proxies operate on all layers of the OSI stack, from the application layer down, rather than just the network and transport layers
– This makes them slower
– This makes them more specific
Application Proxy and OSI
[Diagram: an application proxy between the untrusted and trusted networks, with a full stack (physical, link, network (IP), transport (TCP/UDP), application) on each side; the proxy inspects traffic all the way up to the application layer]
Proxies and Decisions
– Application proxies can see and manipulate all data which the full application can see
– A separate application proxy is required for each application's traffic, i.e. HTTP, SMTP, FTP, etc.
– There are a number of other types of proxies. However, in firewall terminology, it is not unusual to refer to application proxies simply as proxies
Application Proxy Examples
– HTTP proxy: Java applets and ActiveX components which are coming in from TCP port 80 can be dropped, while plain HTML files and graphics files coming in from the same port can be passed
– SMTP proxy: An executable file attached to an e-mail can be scanned for known viruses
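The HTTP proxy example above, as added illustrative code that is not part of the lecture: a packet filter sees only "TCP port 80", whereas the proxy parses the whole HTTP response and decides on what it carries. The responses are constructed, the MIME types and markup patterns it treats as applet/ActiveX content are assumptions for the example rather than a complete list, and the CLSID in the ActiveX sample is a placeholder.

```python
"""Application-layer inspection of an HTTP response, simulated on constructed bytes.

Added example, not from the slides.  Passes plain HTML and images, drops Java
applets and ActiveX components.  BLOCKED_TYPES and ACTIVE_CONTENT are assumed,
illustrative patterns, not an exhaustive list.
"""
import re

# Assumed MIME types used to ship applets / ActiveX components (illustrative).
BLOCKED_TYPES = {
    "application/x-java-applet", "application/java-archive", "application/x-java-vm",
    "application/x-oleobject", "application/x-msdownload",
}
IMAGE_MAGIC = (b"\x89PNG", b"GIF8", b"\xff\xd8\xff")   # PNG, GIF, JPEG signatures

# Markup that embeds an applet or an ActiveX control inside otherwise plain HTML.
ACTIVE_CONTENT = re.compile(
    rb"<\s*applet\b"
    rb"|<\s*object\b[^>]*(?:classid\s*=\s*['\"]?(?:clsid:|java:)|type\s*=\s*['\"]?application/x-java)",
    re.I,
)


def parse_response(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no header/body separator")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def proxy_decision(raw: bytes) -> tuple[str, str]:
    """Return ('pass' | 'drop', reason) for one complete HTTP response."""
    try:
        _status, headers, body = parse_response(raw)
    except ValueError as exc:
        return "drop", str(exc)
    # A real proxy must undo Transfer-Encoding / Content-Encoding before looking at
    # the body, otherwise a gzipped applet walks straight past the checks below.
    if headers.get("transfer-encoding") or headers.get("content-encoding"):
        return "drop", "encoded body not inspected by this example"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return "drop", f"blocked type {ctype}"
    if ctype.startswith("image/"):
        # Don't trust the header alone: a jar renamed to .gif still starts with 'PK'.
        if not body.startswith(IMAGE_MAGIC):
            return "drop", "content-type says image but body is not an image"
        return "pass", "image"
    if ctype == "text/html":
        if ACTIVE_CONTENT.search(body):
            return "drop", "html embeds applet/ActiveX"
        return "pass", "plain html"
    return "drop", f"type not on allow list: {ctype or 'missing'}"


def _resp(ctype: str, body: bytes) -> bytes:
    """Build a constructed HTTP response for the scenario."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def run_scenario() -> dict[str, str]:
    """Constructed responses; returns {name: decision}."""
    samples = {
        "plain_html":   _resp("text/html; charset=utf-8", b"<html><body><p>hello</p></body></html>"),
        "png_image":    _resp("image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
        "java_archive": _resp("application/java-archive", b"PK\x03\x04" + b"\0" * 16),
        "html_applet":  _resp("text/html", b"<html><applet code='Evil.class'></applet></html>"),
        # placeholder CLSID, not a real control
        "html_activex": _resp("text/html", b"<object classid=\"clsid:00000000-0000-0000-0000-000000000000\"></object>"),
        "jar_as_gif":   _resp("image/gif", b"PK\x03\x04" + b"\0" * 16),   # lying Content-Type
    }
    return {name: proxy_decision(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:14s} {decision}")
```

The last sample is the case worth remembering: every one of these responses arrives on TCP port 80 and is indistinguishable to a packet filter, and even at the application layer the Content-Type header is attacker-controlled, so the proxy checks the body's magic bytes rather than the header alone.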
Application Proxy Performance
– Application proxies are more reliable in detecting malicious content than packet filtering routers
– They are generally considered to provide a much greater level of protection than packet filtering routers
– However, proxies require considerably more memory and processor cycles than either type of packet filtering router outlined above
Firewall Performance Summary
[Figure: security plotted against processing cost (processor cycles and memory); both rise from stateless packet filtering, through stateful packet filtering, to proxying]
Network Address Translation
Network address translation (NAT) is a technique which allows a router to change the IP addresses of datagrams as they pass through (RFC 1631)
Hostile datagrams cannot be routed to target systems if the IP address of the target system is unknown, or is not valid for use on the Internet (the RFC 1918 private ranges), e.g.:
– 10.0.0.0/8
– 172.16.0.0/12
– 192.168.0.0/16
NAT Example
[Diagram: company network with a firewall and three clients using addresses 10.0.0.1 to 10.0.0.4, the firewall's Internet-facing address being 155.198.5.83]
– Static NAT
– Dynamic NAT
– PAT (Port Address Translation)
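The PAT variant from the diagram above, simulated as an added example that is not part of the lecture. The public address 155.198.5.83 and the 10.0.0.x inside addresses come from the diagram; the remote hosts, the port numbers and the starting ephemeral port are assumptions. It shows why NAT hides inside hosts: an Internet host can only reach an inside address through a mapping that the inside host's own outbound traffic created, and a datagram addressed straight to an RFC 1918 address has nowhere to go.

```python
"""Port Address Translation (PAT), simulated on constructed datagrams.

Added example, not from the slides.  Public address and inside addresses are
taken from the NAT diagram; remote endpoints and the ephemeral-port range are
assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "155.198.5.83"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for the private ranges that are not valid on the Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """One public address shared by many inside hosts, told apart by port."""

    def __init__(self, first_port: int = 20000) -> None:   # assumed ephemeral range start
        self.next_port = first_port
        self.out: dict[tuple, int] = {}     # (in_ip, in_port, remote_ip, remote_port) -> public port
        self.back: dict[tuple, tuple] = {}  # (public port, remote_ip, remote_port) -> (in_ip, in_port)

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite the source of an inside->Internet datagram; create a mapping on first use."""
        key = (d.src, d.sport, d.dst, d.dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, d.dst, d.dport)] = (d.src, d.sport)
        return replace(d, src=PUBLIC_IP, sport=self.out[key])

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Rewrite the destination of an Internet->firewall datagram, or None to drop it.
        The lookup includes the remote endpoint (a design choice here), so a stranger
        sending to a public port that some inside host is using still gets nothing."""
        if d.dst != PUBLIC_IP:
            return None                     # not addressed to us (e.g. sent directly to 10.0.0.x)
        hit = self.back.get((d.dport, d.src, d.sport))
        if hit is None:
            return None                     # no mapping: unsolicited, dropped
        in_ip, in_port = hit
        return replace(d, dst=in_ip, dport=in_port)


def run_scenario() -> dict[str, object]:
    """Constructed traffic through one PAT; returns the observable results."""
    pat = PAT()
    web = ("198.51.100.9", 80)                              # constructed remote web server
    a = pat.outbound(Datagram("10.0.0.2", 51000, *web))
    b = pat.outbound(Datagram("10.0.0.3", 51000, *web))     # same inside port, different host
    reply_b = pat.inbound(Datagram(*web, PUBLIC_IP, b.sport))
    stranger = pat.inbound(Datagram("203.0.113.7", 4444, PUBLIC_IP, a.sport))
    direct = pat.inbound(Datagram("203.0.113.7", 4444, "10.0.0.2", 23))
    return {
        "a_public": (a.src, a.sport),
        "b_public": (b.src, b.sport),
        "reply_b_inside": (reply_b.dst, reply_b.dport) if reply_b else None,
        "stranger_dropped": stranger is None,
        "direct_to_private_dropped": direct is None,
        "inside_is_rfc1918": is_rfc1918("10.0.0.2"),
        "public_is_rfc1918": is_rfc1918(PUBLIC_IP),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:26s} {value}")
```

Two inside clients using the same source port are separated by the public port the PAT hands out, the server's reply is steered back to the right client, and the two hostile datagrams (one to a public port the stranger did not open, one addressed straight to 10.0.0.2) are both dropped.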
Firewall Architectures
Most real firewalls make use of a number of components connected together to form an overall firewall solution
It is possible to build a wide range of firewall architectures, each having a range of applications
Some examples are:
– The Classic architecture
– The Belt and Braces architecture
– The Chapman architecture
Firewall Architectures - Classic
[Diagram: Internet – packet filtering router – DMZ containing a DNS server, WWW server, FTP server and the application proxy – company network, which has its own DNS server]
Classic Architecture
– The packet filtering router prevents datagrams not addressed to the DMZ hosts or the proxy from entering the DMZ
– Externally visible services (www, FTP, etc.) are easily available
– Datagrams travelling to the company network are sent via the application proxy for maximum security
– If any of the DMZ hosts are compromised, they can be re-configured quickly, with no adverse effect on the company network
Belt and Braces Architecture
[Diagram: Internet – packet filtering router – DMZ containing the application proxy – second packet filtering router – company network]
Belt and Braces Security
– The additional packet filtering router provides an additional level of security
– If the proxy is compromised, the company network is still protected
Chapman Architecture
[Diagram: Internet – external packet filtering router – WWW server, FTP server and application proxy – internal packet filtering router – company network]
Chapman Architecture
– Outgoing traffic can by-pass the proxy
– Allows external access to services not supported by the proxy
– NAT not possible
– If the external router is compromised, the internal router is vulnerable to attack
Firewall Security
Remember that firewalls themselves are vulnerable to attack, so the following precautions should be taken:
– Remove all Telnet and SSH access to firewall components
– Operate firewall components only from the console
– Remove all unnecessary software and services from firewall components
– Remove all unnecessary user accounts from firewall components
What Firewalls Cannot Do
– A firewall cannot protect against poor server, client or network configuration
– A firewall cannot configure itself, or prevent the firewall administrator from configuring it badly
– A firewall should be considered as part of a network security solution, not as the network security solution
Conclusion
– Firewalls prevent malicious traffic from entering a network by filtering traffic according to a defined policy
– Filtering may be stateless or stateful
– Application proxies give better protection but are slower
– Several firewall architectures are possible
– NAT hides inside addresses from the outside
Professional Qualifications in Information Security
There are a number of professional certifications in the field of information security
Some of the most commonly recognized are those offered by:
– The International Information Systems Security Certification Consortium, generally known as (ISC)2
– ISACA, the Information Systems Audit and Control Association
– The SANS Institute
– See the following web site screen shots