ITEC5611 Electronic Commerce System Implementation Supakorn Kungpisdan [email protected].
Lecture 08: Firewalls
Dr. Supakorn Kungpisdan [email protected]
ITEC4621: Network Security
Roadmap
Firewall Overviews
Firewall Functions
Address Translation at Firewall
DMZ
IPTables Example
Primary Concerns
Confidentiality of information
Unauthorized access
External and internal attacks
Defining Access Control Policy
An access control policy is a corporate policy that states which types of access are allowed across an organization's network perimeter.
For example:
Allow SSH requests only to the machine with IP 203.148.145.2 from the outside network
Reject requests from any host inside the network to the web server with IP 203.147.23.2
Controlling such access relies mainly on the FIREWALL. Related controls include ACLs on routers, TCP wrappers on Unix and Intrusion Prevention Systems (IPSs).
Firewall
A firewall is a gateway or access server (hardware- or software-based), or several gateways or access servers, that acts as a buffer between a connected public network and a private network.
It separates a trusted network from an untrusted network.
A firewall can be a router, a PC running specialized software, or a combination of devices.
It enforces an access control policy on network traffic as it passes through access points.
Firewalls filter traffic mainly on factors such as source/destination IP addresses, source/destination port numbers, interfaces and protocols.
Firewall (cont'd)
[Figure: a firewall placed between the Public INTERNET and the Administered Network]
When Is a Firewall Required?
Dial-in modem pool and client-initiated VPN: e.g. allow dial-in or VPN users to access only the email server
External connections to business partners: used to filter access over a permanent link between business partners
Between departments: an internal firewall may be required to enforce clearance levels
Hosts: a software firewall such as ZoneAlarm may be used on individual desktop computers
Roadmap
Firewall Overviews
Firewall Functions
  Packet Filtering
  Stateful Firewall
  Application-level Firewall or Proxy
Address Translation at Firewall
DMZ
IPTables Example
Packet Filtering
The least intelligent type of firewall
Controls traffic using information stored in packet headers; each packet is either passed or dropped
The information filtered on:
Source/destination IP address or subnet
TCP/UDP source/destination port
Flags (TCP only)
Etc.
Filtering TCP Flags
"Our internal users can access any service out on the Internet, but all Internet traffic headed to the internal network should be blocked"
Generally, to establish a TCP connection, a sender sends a packet with SYN=1 and all other flags equal to 0.
Thus, more correctly: "All Internet traffic headed to the internal network with SYN=1 and all other flags equal to 0 should be blocked"
TCP SYN Scan
The TCP SYN scan uses common methods of port identification that allow nmap to gather information about open ports without completing the TCP handshake.
When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.
TCP SYN Scan (cont.)
[Figure: SYN scan exchanges against a closed port and an open port; source: http://www.networkuptime.com/nmap/page3-2.shtml]
TCP SYN Stealth Port Scan
[root@REDHATBOX root]# nmap -sS 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 05:07 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp open ssh
23/tcp open telnet
139/tcp open netbios-ssn
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 3.194 seconds
TCP SYN Scan (cont.)
[Figure annotations on the scan output: "SMB, running on top of netbios"; "Remote desktop"]
FIN Scanners
Normally a port scanner checks whether any services are open on a host by sending a SYN=1, ACK=1 packet. This can be blocked by a firewall.
Instead, an attacker sends a FIN=1, ACK=1 packet to a host, addressed to a port number. If an ACK=1, RST=1 packet returns, there is no service on that port. If an ACK=1, FIN=1 packet returns, a service is monitoring that port.
A FIN scan can identify services and the OS of a remote machine.
[root@REDHATBOX root]# nmap -sF 192.168.0.1
Packet Filtering: ICMP
Internet Control Message Protocol: provides background support for the IP protocol
ICMP does not use ports. The Type field identifies the ICMP packet type; the Code field provides a more detailed explanation about the current session.
E.g. Type 3 = Destination unreachable; Type 0 = Echo reply; Code 3 = Port unreachable; Code 0 = Network unreachable
Example of Filtering ICMP
Avoid a "Ping Flood" attack:
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
As the INPUT chain's default policy is DROP, this allows only 1 ping per second to be accepted.
Packet Filtering - Pros
Fast: operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets.
Application independence: ignores the packet payload.
Least expensive type of firewall.
Packet filtering rules are relatively easy to configure.
No configuration changes are necessary on the protected workstations.
Packet Filtering - Cons
Allows a direct connection between endpoints through the firewall, which leaves the potential for a vulnerability to be exploited.
No screening of the packet payload is available: it is impossible, for example, to block users from visiting web sites deemed off limits.
Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available.
Complex firewall policies are difficult to implement using filtering rules alone.
Authentication is based on IP addresses rather than users.
Stateful Firewall
Extends packet filtering by maintaining a connection table in order to monitor the state of a communication session
An attacker cannot fool the firewall by sending a message with ACK=1
Can remember state information
Suitable for UDP traffic
Packet Filtering VS Stateful Firewall
ACL:
Allow the protected host to establish any service sessions with the remote server
Allow any session that has already been established to pass
Drop all other traffic
Packet Filtering VS Stateful Firewall (cont'd)
[Figure: the protected host (port 1037) exchanging packets with the server (port 80) through the firewall]
Packet Filtering VS Stateful Firewall (cont'd)
[Figure: the same exchange, now with an attacker sending packets from port 80 to the host's port 1037]
Packet Filtering VS Stateful Firewall (cont'd)
Only the protected host can establish a connection with the server
Packet Filtering VS Stateful Firewall (cont'd)
Stateful firewall: looks up the connection table and finds that the host has not yet established a connection with the attacker
Packet filter: assumes that the attacker has already established a connection with the host
[Figure: port 1037 / port 80 exchanges under each firewall]
ITEC4621: Network Security 26
IPTables Rules Based on Network State
Packets can be in a number of different states: NEW – a packet which starts a new connection RELATED – new connection, but part of an old session ESTABLISHED – connection already running INVALID – something else (?)
> iptables –t filter –A INPUT –i ppp+ state --state RELATED,ESTABLISHED –j ACCEPT
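The following is an added example, not part of the lecture, that puts the rule from the "Filtering TCP Flags" slide and the connection-table check from the "Packet Filtering VS Stateful Firewall" slides side by side; the addresses (192.168.1.10 as the protected host, 203.0.113.80 as the server, 198.51.100.7 as the attacker) are constructed, only ports 1037 and 80 come from the slides.

```python
# Added example (not from the lecture): a stateless packet filter beside a
# stateful one, both enforcing the ACL from the "Packet Filtering VS Stateful
# Firewall" slides for the protected host (192.168.1.10, constructed address)
# talking from port 1037 to a web server's port 80.
PROTECTED = "192.168.1.10"

def stateless_allow(pkt):
    """Packet filter: judges each packet from its header fields alone.
    Outbound from the protected host is always allowed. Inbound, a pure SYN
    (SYN=1, all other flags 0) would start a new connection and is blocked,
    while anything carrying ACK=1 is taken to belong to a session the host
    already opened, which is exactly the assumption a forged ACK abuses."""
    if pkt["src"] == PROTECTED:
        return True
    return pkt["flags"] != {"SYN"} and "ACK" in pkt["flags"]

class StatefulFirewall:
    """Keeps a connection table of sessions the protected host has opened."""
    def __init__(self):
        self.table = set()    # entries: (host, host_port, peer, peer_port)

    def allow(self, pkt):
        if pkt["src"] == PROTECTED:    # host initiates: remember the session
            self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        # inbound: pass only if it answers a session recorded in the table
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.table

def packet(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def run_scenario():
    """Replay the slides' exchange and return both verdicts on the forged ACK."""
    fw = StatefulFirewall()
    server, attacker = "203.0.113.80", "198.51.100.7"   # constructed addresses
    host_syn = packet(PROTECTED, 1037, server, 80, "SYN")
    server_synack = packet(server, 80, PROTECTED, 1037, "SYN", "ACK")
    forged_ack = packet(attacker, 80, PROTECTED, 1037, "ACK")  # looks like a reply
    assert stateless_allow(host_syn) and fw.allow(host_syn)
    assert stateless_allow(server_synack) and fw.allow(server_synack)
    return {"stateless": stateless_allow(forged_ack), "stateful": fw.allow(forged_ack)}
```

The forged ACK passes the stateless filter but is dropped by the stateful one, because no table entry pairs port 1037 with the attacker's address.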
Stateful Firewall - Pros
Offers improved security over basic packet filters due to packet examination
Better logging of activities than basic packet filters
Good performance
Configuration changes to the protected workstations are unnecessary
Stateful Firewall - Cons
Allows a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited.
No hiding of your private systems.
Setting up stateful packet examination rules is more complicated.
Only supported protocols at the application layer.
No user authentication.
Proxy
Also called "application gateway" or "forwarder"
An application that mediates traffic between two network segments
Used instead of filtering to prevent traffic from passing directly between networks
Source and destination never actually "connect"
How a Proxy Passes Traffic
A proxy does not route traffic; it acts as an "interpreter"
Protocol specific: web proxy, email proxy, your own application's proxy
How a Proxy Passes Traffic (cont'd)
1. The internal host sends an HTTP request to the proxy.
2. The proxy finds that the host has requested a web page. It then passes the request to an HTTP application inside the proxy.
3. The request is checked against the ACL. If OK, the proxy creates a new request carrying the internal host's request, with the proxy as the source.
4. The web server responds to the proxy. The HTTP application checks the response against the ACL. If OK, the proxy creates an HTTP response to the internal host.
Proxies - Pros
The firewall does not let end points communicate directly with one another.
Has the best content filtering capability.
Can hide private systems.
Robust user authentication.
Offers the best logging of activities.
Policy rules are usually easier than packet filtering rules.
Proxies - Cons
Performance problems; much slower than the other two types.
Must have a proxy for every protocol. Lacking a proxy may prevent a protocol from being handled correctly by the firewall.
TCP is the preferred transport. UDP may not be supported.
Limited transparency; clients may need to be modified, for example by setting up the proxy server in a browser.
Roadmap
Firewall Overviews
Firewall Functions
Address Translation at Firewall
DMZ
IPTables Example
Address Translation
Translates one IP address into another, hiding the system from the outside network, using Network Address Translation (NAT)
Maps between public IPs and private IPs
Ranges of private IPs:
10.0.0.0-10.255.255.255 (10.0.0.0/8)
172.16.0.0-172.31.255.255 (172.16.0.0/12)
192.168.0.0-192.168.255.255 (192.168.0.0/16)
Types of NAT:
Static NAT
Hiding (or Dynamic) NAT
Port Address Translation (PAT)
Static NAT
One private IP is mapped to one public IP
The internal system can be accessed from the Internet
Allows both inbound and outbound traffic
Does not need to change the source port
Most NAT devices allow some systems to use static NAT while hiding the rest
Suitable for servers in the DMZ
Hiding (or Dynamic) NAT
The firewall converts the local IP to its own IP for outgoing and incoming packets
Many-to-many relationship: multiple private IPs are mapped to a single public IP, depending on a list of available IPs
Outbound traffic can be mapped to the firewall IP or any other legal IP
Does not allow inbound connections:
Local machines cannot operate as servers
Increases security: local machines cannot be accessed from outside the firewall
Port Address Translation (PAT)
Utilized by most proxies; must use the firewall IP, not any other public IP
Also allows inbound traffic
For inbound traffic, PAT checks the port number and forwards the packet to the specified internal system
PAT (cont'd)
[Figure: PAT diagram]
Roadmap
Firewall Overviews
Firewall Functions
Address Translation at Firewall
DMZ
IPTables Example
DMZ
A Demilitarized Zone (DMZ) is a subnet that belongs to neither the private nor the public network.
A DMZ provides additional protection, since an attacker who breaks into the web server might otherwise get inside the internal network
Use static filtering at the router to provide multilayer protection
Place the proxy behind the firewall to secure the Internet connection
All the DMZ servers may be statically NATed
DMZ (cont'd)
[Figure: Public INTERNET -> Outer Firewall -> DMZ (External Server, public) -> Inner Firewall -> Internal Server]
Roadmap
Firewall Overviews
Firewall Functions
Address Translation at Firewall
Firewall Deployment
IPTables Example
IPtables
Since kernel 2.4, the standard firewall on Linux has been iptables.
It implements its rules using three "tables":
Filter – handles standard "firewall" things
NAT – rewriting of source/destination IPs
Mangle – packet information manipulation
IPTables – Filter Table
The filter table is divided into three chains: INPUT, OUTPUT and FORWARD.
Chains have a default policy (either ACCEPT, REJECT, or DROP).
A packet will only be dealt with by one of the three chains.
[Figure: a firewall with interfaces eth0, eth1 and eth2 connecting the Public Network (203.148.145.1), the DMZ (10.1.1.1; web server 10.1.1.254) and the Internal network (192.168.1.1; app server 192.168.1.254:6001)]
Rule Structure
Append or Delete Rule: iptables [-t table] -[AD] chain rule-specification [options]
Insert New Rule: iptables [-t table] -I chain [rulenum] rule-specification [options]
Replace Rule: iptables [-t table] -R chain rulenum rule-specification [options]
Delete Rule: iptables [-t table] -D chain rulenum [options]
List Rules, Flush Rules, Zero counters: iptables [-t table] -[LFZ] [chain] [options]
New Chain: iptables [-t table] -N chain
Delete Chain: iptables [-t table] -X [chain]
Set Chain Policy (Accept, Drop): iptables [-t table] -P chain target [options]
Rename Chain: iptables [-t table] -E old-chain-name new-chain-name
Adding Rules
Rules can be added, removed, and changed using the iptables command.
> iptables -t filter -A INPUT -i lo -j ACCEPT
Appends to the INPUT chain a rule stating that packets arriving on the LOOPBACK device should be ACCEPTed
IPTables Example
Scenario: a personal firewall that should allow all outbound connections and restrict all inbound traffic to just an SSH server running on port 22.
IPTables Example (cont'd)
Initial rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
IPTables Example - Initial firewall configuration
# Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
IPTables Example (cont'd)
Add the rule to allow incoming TCP connections on port 22:
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
IPTables Example (cont'd)
Add a rule to allow incoming connections from ourselves (on the loopback interface only; a localhost source on the outside interface could only be spoofed, so it is dropped):
# iptables -I INPUT -i eth0 -s localhost -j DROP
# iptables -I INPUT -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
IPTables Example (cont.)
Add a rule to allow incoming packets on any port if they belong to an already established connection or are related to one:
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
IPTables Example (cont'd)
Add a rule to log all packets before we drop them:
# iptables -A INPUT -j LOG --log-level debug --log-prefix "IPTABLES: DROPPED"
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG all -- anywhere anywhere LOG level debug prefix `IPTABLES: DROPPED'
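To make the ordering of the finished INPUT chain concrete, here is an added example (not the lecture's code) that models first-match evaluation of the ruleset built above, including the effect of -I versus -A and the non-terminating LOG target; the packets are constructed (203.0.113.5 is a documentation-range placeholder) and each carries the connection state that the -m state match would obtain from connection tracking.

```python
# Added example (not the lecture's code): a model of the filter table's INPUT
# chain with first-match semantics, loaded with the lecture's final ruleset.
class Rule:
    """One iptables rule; a None field means the option was not given (any)."""
    def __init__(self, target, iface=None, src=None, proto=None, dport=None, states=()):
        self.target, self.iface, self.src = target, iface, src           # -j, -i, -s
        self.proto, self.dport, self.states = proto, dport, set(states)  # -p, --dport, --state
    def matches(self, pkt):
        return (self.iface in (None, pkt["iface"]) and self.src in (None, pkt["src"])
                and self.proto in (None, pkt["proto"]) and self.dport in (None, pkt.get("dport"))
                and (not self.states or pkt["state"] in self.states))

class Chain:
    def __init__(self, policy):
        self.policy, self.rules = policy, []
    def insert(self, rule): self.rules.insert(0, rule)   # iptables -I: top of the chain
    def append(self, rule): self.rules.append(rule)      # iptables -A: bottom of the chain
    def verdict(self, pkt, log):
        for r in self.rules:     # rules are tried in order; first terminating match wins
            if not r.matches(pkt):
                continue
            if r.target == "LOG":   # LOG is non-terminating: record and keep going
                log.append("IPTABLES: DROPPED " + str(pkt))
                continue
            return r.target
        return self.policy       # nothing matched: the chain policy (DROP) applies

def lecture_input_chain():
    """INPUT chain built in the order the lecture issues its commands."""
    c = Chain("DROP")
    c.insert(Rule("ACCEPT", proto="tcp", dport=22))
    c.insert(Rule("DROP", iface="eth0", src="127.0.0.1"))   # -i eth0 -s localhost
    c.insert(Rule("ACCEPT", iface="lo"))
    c.insert(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    c.append(Rule("LOG"))
    return c

# Constructed sample packets; 203.0.113.5 is a documentation-range placeholder
SAMPLE = [
    {"iface": "eth0", "src": "203.0.113.5", "proto": "tcp", "dport": 22, "state": "NEW"},
    {"iface": "eth0", "src": "203.0.113.5", "proto": "tcp", "dport": 80, "state": "NEW"},
    {"iface": "eth0", "src": "127.0.0.1", "proto": "tcp", "dport": 22, "state": "NEW"},  # spoofed
    {"iface": "lo", "src": "127.0.0.1", "proto": "tcp", "dport": 80, "state": "NEW"},
    {"iface": "eth0", "src": "203.0.113.5", "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
]

def evaluate(pkts=SAMPLE):
    """Return (verdict per packet, log lines produced by the LOG rule)."""
    chain, log = lecture_input_chain(), []
    return [chain.verdict(p, log) for p in pkts], log
```

Only the port-80 SYN reaches the LOG rule: the spoofed localhost packet hits the DROP rule placed above the ssh rule by the later -I, so it is dropped without being logged.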
Questions?