Firewalls and Info Services Prevent unathorized access between nets Most of the protection is based...
20
Firewalls and Info Services • Prevent unathorized access between nets • Most of the protection is based upon examination of the IP packets • There is always a tradeoff between security and ease of use PROTECT outside inside inside outside and
-
Upload
justin-quinn -
Category
Documents
-
view
213 -
download
0
Transcript of Firewalls and Info Services Prevent unathorized access between nets Most of the protection is based...
Firewalls and Info Services
• Prevent unathorized access between nets
• Most of the protection is based upon examination of the IP packets
• There is always a tradeoff between security and ease of use
PROTECT
outside inside
insideoutside
and
Primary Types of Firewalls
Internet
Dual-Homed Gateway
InnerNetwork
bastion host
Internet
Screened Host Gateway
InnerNetwork
screened host
router
ftp proxy
• Any data wanting to pass through to/from the bastion host should be required to pass through a PROXY agent.
• Proxy software can be configured to use encryption.
• Clients may need to be replaced with proxy clients
Internet
Dual-Homed Gateway
InnerNetwork
bastion host
ftp requestpasses through
telnet requestno agent X
• Only data allowed through is data for the screened host
• Router can allow holes to certain hosts on inner net.
• Router uses IP addresses and port numbers to control the flow of data
Internet
Screened Host Gateway
InnerNetwork
screened host
router
Router
for bastionhost passes through
for other nodes
InnerNetwork
Xnot allowed
ScreenedHost
Some Risks
• Once you allow holes in the router, the nodes to which you allow “extra” access increase your ZONE OF RISK.
• Those machines need to be as secure as your screened/bastion host or represent your weak link.
• The larger the program, the more susceptible to errors and security leaks.– Browsers are good examples of large programs
router
Two Other Types of Firewalls
Internet
Screening Router
InnerNetwork
bastion host
Internet
Router-only Gateway
InnerNetwork
router
router
Planning Steps
• Know the details of how client-server connections are made
• Determine physical location of equipment
• Decide who gets access in either direction– Screening router is on basis of IP/port not user
• Determine a strategy for logging activity– What to write
– How to monitor
– Under what conditions do you take specific actions
• Must develop a failure plan if firewall breaks
• Develop a thorough testing procedure
Software for Firewall Support
Cern WEB server• Proxy mode to handle requests for internal clients
• Handles http AND OTHER PROTOCOLS– browser clients usually handle other protocols NOT SERVERS
• Requires the client to be configurable to use proxy mode. Not sure how common the is in the client
p.504 of text setenv http_proxy “http://web.bastion.host:80/”
setenv ftp_proxy “http://web.bastion.host:80/”
• What if the client doesn’t go through the WEB server?– bastion serves as a router of sorts and doesn’t let any other data through
– router will deny passge if not through the screened host
• Has caching features so only one copy needed for entire inner net
• Freeware running on bastion host
• Presumably configures the bastion to do filtering of data passing through
• SOCKS is a proxy server dealing with TCP streams, not client dependent
• The specific client must be written to be SOCKsified
• SOCKsified versions are available for PCs and unix environments
• Check it out at ftp.nec.com
Software for Firewall Support
SOCKS
• tn-gw, ftp-gw, plug-gw(socket to socket)
• Does NOT requires a special client
• Client must RUN the program differently
Software for Firewall Support
Firewall Toolkit
• “netacl” can be used with inetd.conf to check server requests against an access list first
• A scaled down ftp to allow anonymous ftp to the bastion and to proxy other requests
instead of:
telnet remotehost
you must:
tn-gwtn-gw>connect remotehost
OTHER FEATURES
Where does the server go?
WWW
• Dual homed gateway– Outside the firewall
» may be difficult to connect at service entry
» sacrificial lamb
– On bastion host
» software is avialable
» if server cracked, the whole inner net is vulnerable
– Behind the firewall
» internal access is easy / external access is difficult
» needs a socksified browser
– One inside and one outside
» inside company confidential
» outside for public info
• Screened host– Outside firewall (as before)
– On screened host segment
» router only sends outside requests to a SPECIFIC port on the server
– On the Screened Host itself
» It controls too much access in and out
• With a screened subnet– On the screened subnet
» SECOND ROUTER ONLY ALLOWS ACCESS FROM THE server/port TO THE INSIDE
» if server cracked, can’t get inside
Where does the server go?
WWW
Preferred
• Connections are initiated from both directions
Where does the server go?
FTP
SERVER CLIENT
time
connects to port 21(command channel)
get “file”
connectsfrom port 20(data channel)
NET
• Dual Homed Gateway– Possible to have your service provider handle it
» the ftp clients would require the provider agent to proxy ftp
– Suggest putting it on the bastion host
» ftp to chroot() ed area of the disk
» run daemon as a non-priviledged user
• Screened host– Preferred to be inside... preferred with screened subnet
– run ftp server in proxy mode
– if possible, run clients in proxy (PASV) mode so client creates both end of the connection
– router allows IN->OUT not OUT->IN, no inward server connections
– router allows incoming on 21 and outgoing on 20
Where does the server go?
FTP
Safeguards for internal servers
• Strip inner network priviledges– hostp.equiv and .rhosts
• Internal machines should NOT trust server
• Strip the server of networking clients– telnet, ftp, rlogin, rsh, etc.
• NFS & NIS should be disabled
• Kernel should not route IP packets
• Disable all services in inetd.conf which do not support the service
• USED IN CONJUNCTION WITH SCREENED SUBNET, THESE DO THE BEST JOB
Other things to dofor Protection
• Leave traps for attackers– If hackers gain access to your server, they will try to access
other machines by clients like telnet, rsh, etc
– Change the client to look like it has errors and use it to mail the sys admin that a problem exists
» error messages and delays to occupy attacker
• Periodically run software to verify the integrity of your system.– Store files with encryption signatures
– Files which are public relations (or more) for your business should be protected.
– This way you verify no one has misrepresented you
• Run servers in a chroot()ed area– Should do this anyway
Helping clients access through the firewall
TELNET
• Always on port 23
• Screened host– an access list in the router can typically be configured to
allow outgoing on port 23
• Dual Homed– use a proxy
– use socks
– use firewall toolkit
• Interesting because it uses UDP not TCP– The routers look at acceptable connections by looking at
the CONNECT sequence
– UDP does not do connections to consider acceptable data (don’t know who started it)
• So how do you know whether your archie server is ok?
• Special solution: only a limited (about 20) Archie servers on the net. Set router to accept from any of them
• DH Gateway use a proxy– must also proxy ftp since archie uses ftp
Helping clients access through the firewall
ARCHIE
• Web clients must access lots of types of servers
• Easiest solution is to use cern web server and let it proxy for you
• Otherwise must provide individual proxies
• Routers allowing messages from inside to out solves the problem for most... not for ftp.
Helping clients access through the firewall
Web clients
PCs
• Screened hosts can use holes in router ...
• Some ftps support PASV mode so that it can be used with a screened host
• For Dual Homed Gateway, use SOCKS
• SOCKS is available for pc software
• DLLs are (being made) available for a SOCKsified version of winsock.dll
