Network Security Fundamentals - University of Michigancja/NSF13/lectures/netsec-06...Network...

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013

Page 1

Network Security Fundamentals

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2013

Page 2

Network Security Fundamentals

Module 6 Firewalls & VPNs

Page 3

Topics

•  Firewall Fundamentals
•  Case study: Linux iptables
•  Virtual Private Networks (VPNs)

3 04/13 cja 2013

Page 4

Firewalls

Page 5

Firewalls

Page 6

Firewalls

•  A firewall limits the extent to which hosts on different networks can interact with one another

Page 7

Types of firewalls

•  Packet level
•  Application level
•  Host-based

Page 8

Packet level firewalls

•  Firewall inspects incoming packets
•  Blocks packets violating policy rules
   => packets dropped without acknowledgement
•  Rules allow blocking based on
   Source and destination IP address
   Source and destination port
   Protocol, flags, TOS, …

Page 9

Statelessness

•  Traditional packet level firewalls treated every packet independently
   Stateless firewalling
•  Problem
   Doesn’t relate packet information to the overall packet flow
   Doesn’t remember anything
•  Results in coarse-grained control
   Forces overly liberal or conservative policies

Page 10

Example

•  H.323 video conferencing protocol
   Initiates two TCP connections and several RTP (real-time transport protocol) streams
   The RTP streams use ports negotiated inside the TCP control connection and contain no information relating them to the H.323 application
   How should a stateless firewall decide if these streams are to be blocked? It can only open a wide UDP port range or block them all

Page 11

Example

•  IP Fragmentation
   Only the first fragment carries the transport header, so all later fragments don’t specify ports and a stateless port rule cannot be evaluated against them

Page 12

Statefulness

•  Solution: firewall keeps state about recent packet flows
   Decides to block packet based on packet contents plus stored state
   More fine-grained control
   Reduces the need for application-level firewalls
•  Problem
   All that state consumes firewall resources
   The state table is finite, so a flood of new connections can exhaust it
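The stateless/stateful contrast on the preceding slides, as an added example (this is editor-written code, not part of the lecture): a constructed five-packet trace is run through a stateless filter and through a minimal connection tracker. The addresses, ports and trace are made up; the `Stateful` class stands in for a real conntrack and models only TCP connections opened from inside plus association of later fragments with their first fragment by IP ID. The ACK-scan packet shows the stateless rule being too liberal, and the second fragment shows it being too conservative.

```python
"""Stateless vs stateful filtering of one TCP conversation (added example, constructed trace)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (arriving from the perimeter) or "out" (leaving the intranet)
    src: str
    dst: str
    sport: Optional[int]      # None when the transport header is absent (non-first fragment)
    dport: Optional[int]
    flags: str = ""           # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK
    ip_id: int = 0            # IP identification field, shared by all fragments of one datagram
    frag_offset: int = 0      # 0 for an unfragmented packet or the first fragment

INSIDE, WEB, SCANNER = "10.0.0.5", "203.0.113.9", "198.51.100.7"   # constructed addresses

def stateless(pkt: Packet) -> str:
    """Judge each packet on its own fields; nothing is remembered between calls."""
    if pkt.direction == "out":
        return "ACCEPT"                       # policy: inside may open connections outward
    if pkt.sport is None:
        # A non-first fragment carries no ports, so a port rule cannot be evaluated.
        # Dropping breaks legitimate fragmented replies; accepting lets any fragment in.
        return "DROP"
    # The classic stateless "established" heuristic: an inbound segment with ACK set
    # is presumed to answer a connection we opened. Anyone can set ACK, so it is liberal.
    return "ACCEPT" if "A" in pkt.flags else "DROP"

class Stateful:
    """Remember connections opened from inside and admit only their replies."""

    def __init__(self) -> None:
        self.conns: Set[Tuple[str, int, str, int]] = set()       # (in_ip, in_port, peer_ip, peer_port)
        self.frag_ports: Dict[Tuple[str, str, int], Tuple[int, int]] = {}  # (src, dst, ip_id) -> ports

    def decide(self, pkt: Packet) -> str:
        sport, dport = pkt.sport, pkt.dport
        if sport is None or dport is None:
            # Associate a later fragment with its first fragment through (src, dst, ip_id),
            # as a reassembling connection tracker does.
            ports = self.frag_ports.get((pkt.src, pkt.dst, pkt.ip_id))
            if ports is None:
                return "DROP"                 # INVALID: fragment of a datagram never seen
            sport, dport = ports
        elif pkt.frag_offset == 0:
            self.frag_ports[(pkt.src, pkt.dst, pkt.ip_id)] = (sport, dport)
        if pkt.direction == "out":
            if pkt.flags == "S":
                self.conns.add((pkt.src, sport, pkt.dst, dport))   # NEW connection
            return "ACCEPT"
        if (pkt.dst, dport, pkt.src, sport) in self.conns:
            return "ACCEPT"                   # ESTABLISHED: reply to a connection we opened
        return "DROP"                         # unsolicited, even with ACK set

# Constructed trace: a web fetch from inside, a fragmented reply, then an ACK scan.
TRACE: List[Packet] = [
    Packet("out", INSIDE, WEB, 40000, 80, "S", ip_id=1),
    Packet("in", WEB, INSIDE, 80, 40000, "SA", ip_id=500),
    Packet("in", WEB, INSIDE, 80, 40000, "A", ip_id=501, frag_offset=0),    # first fragment
    Packet("in", WEB, INSIDE, None, None, "", ip_id=501, frag_offset=185),  # second fragment
    Packet("in", SCANNER, INSIDE, 80, 40001, "A", ip_id=7),                 # never solicited
]

def run(trace: List[Packet] = TRACE) -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    sf = Stateful()
    return [(stateless(p), sf.decide(p)) for p in trace]

if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, run()):
        print(f"{p.direction:3} {p.src}->{p.dst} flags={p.flags or '-':2} stateless={a:6} stateful={b}")
```

Running it shows the two filters agreeing on the handshake, then diverging exactly where the slides say they must: the stateless filter drops the second fragment of a legitimate reply and accepts the scanner's bare ACK, while the tracker does the opposite because it remembers the outbound SYN.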

Page 13

Canonical firewalled network

Page 14

Zones

Collection of networks with specified security properties
•  Perimeter
•  DMZ
•  Wireless
•  Intranet

Page 15

Perimeter zone

The outside world
•  Untrusted zone
•  No control over hosts in this zone
   Internet rules

Page 16

DMZ

Demilitarized zone
•  Contains an organization’s publicly visible services (email, Web, DNS, FTP, …)
   Hardened hosts
   Proxies
•  Semi-trusted zone

Page 17

Intranet zone

•  Most trusted zone
•  Organizational assets placed here
•  Access blocked from untrusted zones
   Access via proxies in the DMZ only

Page 18

Wireless zone

A perimeter zone!
•  Untrusted hosts
•  Semi-trusted network

Page 19

Application-level firewalls

Application proxy server
•  Accepts client traffic
•  Maintains state, validates traffic
•  Passes validated traffic to server

Page 20

Application-level firewalls

•  Firewall worries about security
   Obviates security-related server changes
   Hampers defense-in-depth
•  Firewall must understand application protocol
   Increased complexity
•  Stateful packet-level firewalls are an alternative

Page 21

Host-based firewalls

•  Firewall run on individual hosts
•  Placed between incoming packets and the host network stack
•  Acts like a packet-level firewall

Page 22

Host-based firewalls

•  Each host requires policy management
   Administration headache
   Simple default policies in distributions
•  Defense-in-depth

Page 24

iptables

Page 25

IP Tables

•  Linux packet-level firewall
•  Successor to IP Chains
•  NAT/NAPT support
•  Extended functionality via modules
•  Stateful filter support
•  Applications
   Host based firewall
   Stateful packet firewall (routing between networks)
      requires net.ipv4.ip_forward=1 in /etc/sysctl.conf

Page 26

IP Tables Architecture

•  Three tables for organization
   filter, nat, mangle
•  Each table contains several chains
   built-in (invoked at fixed points in network layer)
   user-defined
•  Each chain contains several rules
   first rule matched determines action taken
•  Each rule contains matching criteria and target
•  Built-in chains have policies
   specifies default target if no rule in chain matches

Page 27

Rules

•  (Standard) matching criteria
   protocol
   source IP (address/mask)
   dest IP (address/mask)
   port (source/dest/both)
   interface (input/output)
•  Target

Page 28

Rules

•  Extended matching criteria
   Implemented via modules
•  Connection state matching
   INVALID: packet not associated with any connection
   NEW: packet is starting a new connection
   ESTABLISHED: packet is associated with existing connection
   RELATED: packet is starting a new connection, but is associated with an existing connection
      »  FTP DATA, ICMP error
•  Several other extended matching criteria

Page 29

Predefined targets

•  All terminate processing in this chain for this packet
   ACCEPT: accept packet for processing
   DROP: drop packet
   QUEUE: pass packet to userland (not common)
   RETURN: return to calling chain (use policy if no calling chain)

Page 30

Extended targets

•  Both terminating and non-terminating targets
   REJECT (terminating): return packet indicating error
   LOG (non-terminating): generate log entry
   …
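To make the chain, rule, target and policy semantics of the architecture, rules and targets slides concrete, here is an added example (editor-written, not the course's code) that loads a constructed host-firewall rule set written in a subset of iptables command syntax and evaluates packets against it with iptables' own behaviour: first match in a chain decides, a jump to a user-defined chain returns to the caller when the packet falls off its end or hits RETURN, LOG does not terminate, and the chain policy applies when nothing matched. Only `-P`, `-N`, `-A` and the `-m`, `-j`, `-p`, `-s`, `--sport`, `--dport`, `--ctstate` and `--log-prefix` options are parsed; the addresses and the chain name LOGDROP are assumptions for the illustration.

```python
"""Model of iptables chain evaluation: first match wins, user-defined chains, RETURN, the
non-terminating LOG target, and the chain policy as silent fallback (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str; src: str; dst: str; sport: int; dport: int; ctstate: str

@dataclass
class Rule:
    match: dict; target: str; log_prefix: str = ""

class Firewall:
    def __init__(self):
        self.policy = {c: "ACCEPT" for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.rules = {c: [] for c in self.policy}
        self.log = []

    def load(self, text):
        """Accept the -P / -N / -A subset of iptables syntax, one command per line."""
        for line in text.splitlines():
            argv = shlex.split(line, comments=True)
            if not argv:
                continue
            op, chain = argv[0], argv[1]
            if op == "-P":
                if argv[2] not in ("ACCEPT", "DROP"):   # REJECT is an extension, not a policy
                    raise ValueError("bad policy: " + line)
                self.policy[chain] = argv[2]
            elif op == "-N":
                self.rules[chain] = []
            elif op == "-A":
                self.rules[chain].append(self._parse(argv[2:]))

    @staticmethod
    def _parse(argv):
        m, target, prefix = {}, None, ""
        for opt, val in zip(argv[::2], argv[1::2]):
            if opt == "-m":
                continue                                  # module name; its options follow
            if opt == "-j":
                target = val
            elif opt == "--log-prefix":
                prefix = val
            elif opt == "-p":
                m["proto"] = val
            elif opt == "-s":
                m["src"] = ipaddress.ip_network(val, strict=False)
            elif opt in ("--sport", "--dport"):
                lo, _, hi = val.partition(":")            # "22" or "1024:65535"
                m[opt] = (int(lo), int(hi or lo))
            elif opt == "--ctstate":
                m["ctstate"] = set(val.split(","))
            else:
                raise ValueError("unsupported option " + opt)
        return Rule(m, target, prefix)

    @staticmethod
    def matches(r, p):
        m = r.match
        return (m.get("proto", p.proto) == p.proto
                and ("src" not in m or ipaddress.ip_address(p.src) in m["src"])
                and ("--sport" not in m or m["--sport"][0] <= p.sport <= m["--sport"][1])
                and ("--dport" not in m or m["--dport"][0] <= p.dport <= m["--dport"][1])
                and ("ctstate" not in m or p.ctstate in m["ctstate"]))

    def _walk(self, chain, p):
        """Evaluate one chain; None means it fell off the end or hit RETURN."""
        for n, r in enumerate(self.rules[chain]):
            if not self.matches(r, p):
                continue
            if r.target == "LOG":                         # non-terminating: record, keep going
                self.log.append(f"{r.log_prefix}{chain}#{n} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                continue
            if r.target == "RETURN":
                return None
            if r.target in ("ACCEPT", "DROP", "REJECT"):
                return r.target                           # terminating: first match decides
            v = self._walk(r.target, p)                   # jump into a user-defined chain
            if v is not None:
                return v                                  # else resume with the next rule here
        return None

    def verdict(self, chain, p):
        v = self._walk(chain, p)
        return v if v is not None else self.policy[chain]   # the policy decides, silently

# Constructed host-firewall rule set (addresses and the LOGDROP chain are illustrative).
RULES = """
-P INPUT DROP
-P OUTPUT ACCEPT
-N LOGDROP
-A LOGDROP -s 192.0.2.0/24 -j RETURN
-A LOGDROP -j LOG --log-prefix "fw: "
-A LOGDROP -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOGDROP
-A INPUT -p tcp --dport 80 -j ACCEPT
"""
```

Load `RULES` into a `Firewall` and ask for verdicts: SSH from 10.0.0.0/8 is accepted by the first matching rule and never reaches LOGDROP; SSH from elsewhere is logged and dropped inside LOGDROP; SSH from 192.0.2.0/24 hits RETURN, resumes in INPUT, matches nothing and is dropped by the policy with no log line, which is the "policy actions do not log" caveat from the later slide; and `-P INPUT REJECT` is refused because only ACCEPT and DROP are valid policies.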

Page 31

filter table

•  Default table
•  Built-in chains
   INPUT: incoming network packets
   FORWARD: packets being routed by the host
   OUTPUT: locally-generated packets output to network

Page 32

nat table

•  For network address translation
•  Built-in chains
   PREROUTING (DNAT): alter packets as they arrive
   OUTPUT: alter locally-generated packets before routing
   POSTROUTING (SNAT): alter packets as they depart

Page 33

mangle table

•  For specialized packet changes
   change TOS/DSCP header
   set netfilter mark value
   …
•  Built-in chains
   PREROUTING
   INPUT
   OUTPUT
   FORWARD
   POSTROUTING

Page 34

Firewall traversal

Figure: packet traversal through the netfilter hooks. An arriving packet passes Prerouting and then the routing decision; a packet addressed to this host goes through Input to the local process, a packet for another host goes through Forward and then Postrouting. A locally generated packet goes through Output, the routing decision and Postrouting.

Page 35

Firewall Traversal

Figure: detailed netfilter traversal diagram showing the tables and chains at each hook (Rob Mayoff).

Page 36

Some caveats

•  iptables and ipchains don’t mix
•  rule additions are atomic
   … rule set additions are not (load a whole rule set atomically with iptables-restore)
•  avoid leaving firewall open while editing
   … set the chain policy to DROP first (DENY was the ipchains name; REJECT is an extension target and cannot be a chain policy)
•  policy actions do not log
   … a LOG rule as the last rule in the chain is the only way to see what the policy dropped
•  rules are not removed when an interface goes down
•  packet (raw) sockets are unaffected by rules
   … a sniffer still sees packets the firewall drops, and packets injected through a packet socket are not filtered

Page 37

iptables lab

•  Examine iptables man page
   man iptables
•  Examine existing firewall settings
   sudo service iptables status
   sudo iptables -L
•  Add firewall rules
   sudo iptables -I …

Page 38

Virtual Private Networks (VPNs)

Page 39

Roadmap

•  Definition
•  VPN Uses
•  Types of VPNs
•  Protocol Details

Page 40

Definition

A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines.

A VPN uses cryptography to authenticate the communications endpoints and to protect your data as it travels over an insecure network.

Page 41

VPN motivators

•  Confidentiality, Integrity & Authentication
   Encryption
•  Bypass blocks
   Border
   Local ISP
•  Extends the office network
   VoIP
   Drive mapping
•  Collaboration
•  Enabling technology

Page 42

Some VPNs

•  Protocol
   IPSec
      Standards-based
      Varied Encryption Levels
      Flexible
   SSL
      Clientless (Web Browser)
•  Application
   SSH

VPN is not a single solution

Page 43

IPSec Details

IPSec protocol
•  Internet Standard
•  Two complementary protocols
   Authentication Header (AH): authenticates the whole datagram, headers included, so tampering is detected
   Encapsulating Security Payload (ESP): provides confidentiality and integrity of packet contents

Page 44

IPSec Details – AH (Protocol 51)

•  AH Transport – used to authenticate the integrity of the datagram
   Everything is authenticated except the mutable IP header fields (e.g., TTL), which are zeroed when the integrity check value is computed
   As the entire packet is authenticated, there are some limitations. If NAT or a firewall gateway changes your address, the packet will fail to authenticate at the far end because the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be considered the endpoint.

AH transport mode layout: IP header (with options) | AH | transport layer header | transport layer data. All of it is authenticated except the mutable IP header fields.

Page 45

IPSec Details – ESP (Protocol 50)

•  Encapsulating Security Payload
   ESP encrypts the payload so that it stays private as it passes through the network
   ESP authentication does not cover the outer IP header, so ESP does not have AH’s problem with NAT (in practice ESP is still carried through NAT wrapped in UDP, NAT-T, because the translator has no port numbers to work with in a bare ESP packet)
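An added example, not from the lecture, of what the two integrity checks on the AH and ESP slides cover and why a NAT breaks one but not the other: the AH integrity check value is computed over the IP header with its mutable fields zeroed, so a router's TTL decrement survives but a NAT's source rewrite does not; the ESP check starts at the ESP header, so the translated outer header never enters it. The packet layout is abbreviated (no IP options, no header checksum, no ESP trailer), the ESP cipher is an HMAC-derived keystream standing in for a real cipher suite, and the keys and addresses are constructed.

```python
"""What the AH and ESP integrity checks cover, and why address translation breaks AH but
not ESP. Added example: abbreviated IP header, no ESP trailer, stand-in ESP cipher."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

ICV_LEN = 12   # truncated HMAC output, as AH/ESP authentication uses

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int
    proto: int          # 51 = AH, 50 = ESP
    ident: int = 0x1234

def ip_bytes(h: IPHeader, zero_mutable: bool = False) -> bytes:
    """Serialize the abbreviated header; TTL is the mutable field a router may change."""
    ttl = 0 if zero_mutable else h.ttl
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BHB", ttl, h.ident, h.proto) + addr(h.src) + addr(h.dst)

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

# --- AH transport mode: ICV over IP header (mutable fields zeroed) + AH header + payload ---
def ah_build(key: bytes, h: IPHeader, payload: bytes, spi: int = 1, seq: int = 1) -> bytes:
    ah = struct.pack("!II", spi, seq)
    return ah + mac(key, ip_bytes(h, zero_mutable=True) + ah + payload) + payload

def ah_verify(key: bytes, h: IPHeader, pkt: bytes) -> bool:
    ah, icv, payload = pkt[:8], pkt[8:8 + ICV_LEN], pkt[8 + ICV_LEN:]
    return hmac.compare_digest(icv, mac(key, ip_bytes(h, zero_mutable=True) + ah + payload))

# --- ESP: ICV over ESP header + ciphertext only; the IP header is never covered ---
def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """HMAC-counter keystream: a stand-in for the real ESP cipher, not a standard suite."""
    blocks = (hmac.new(key, struct.pack("!III", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_build(enc_key: bytes, auth_key: bytes, payload: bytes, spi: int = 2, seq: int = 1) -> bytes:
    hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(enc_key, spi, seq, len(payload))))
    return hdr + ct + mac(auth_key, hdr + ct)

def esp_open(enc_key: bytes, auth_key: bytes, h: IPHeader, pkt: bytes):
    """Return the plaintext, or None if the ICV fails. h is accepted only to mirror
    ah_verify; ESP never looks at the outer IP header, so NAT changes to it are irrelevant."""
    hdr, ct, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, mac(auth_key, hdr + ct)):
        return None
    spi, seq = struct.unpack("!II", hdr)
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, spi, seq, len(ct))))

# --- what happens to the outer header in transit ---
def router_hop(h: IPHeader) -> IPHeader:
    return replace(h, ttl=h.ttl - 1)                 # mutable field: AH tolerates this

def nat(h: IPHeader, public_ip: str) -> IPHeader:
    return replace(router_hop(h), src=public_ip)     # source rewritten: AH cannot tolerate this

def demo() -> dict:
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    hdr = IPHeader("192.168.1.10", "198.51.100.20", ttl=64, proto=51)
    payload = b"GET / HTTP/1.0\r\n\r\n"
    ah_pkt = ah_build(auth_key, hdr, payload)
    esp_pkt = esp_build(enc_key, auth_key, payload)
    tampered = esp_pkt[:8] + bytes([esp_pkt[8] ^ 1]) + esp_pkt[9:]   # flip one ciphertext bit
    translated = nat(replace(hdr, proto=50), "203.0.113.5")
    return {
        "ah_after_router": ah_verify(auth_key, router_hop(hdr), ah_pkt),          # True
        "ah_after_nat": ah_verify(auth_key, nat(hdr, "203.0.113.5"), ah_pkt),     # False
        "esp_after_nat": esp_open(enc_key, auth_key, translated, esp_pkt) == payload,  # True
        "esp_tampered": esp_open(enc_key, auth_key, translated, tampered) is None,     # True
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {ok}")
```

The receiving end in `ah_verify` rebuilds the zeroed-field header from the packet it actually received, which is exactly why a NAT in the path is fatal: the far end sees the public source address, computes a different ICV and rejects the datagram, while the same NAT leaves the ESP ICV untouched. The tampered-ESP case shows that ESP integrity still protects what it does cover.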

ESP layout: IP header (with options) | ESP header | transport layer header | transport layer data | ESP trailer | ESP authentication. Encrypted: transport layer header through ESP trailer. Authenticated: ESP header through ESP trailer; the IP header is outside both.

Page 46

Logical Connection to VPN Concentrator

Figure: logical connection to the VPN concentrator (Cisco 3030, public address 141.211.255.196, Ethernet side 192.168.4.6). Two clients reach it across the public network: a remote access client in split-tunnel mode (only traffic for the campus is tunneled; its traffic to Yahoo goes directly) and a wireless user in non-split-tunnel mode (all traffic is tunneled). Tunneled clients are assigned addresses from the pools 192.168.4.10 – 192.168.7.249 and 141.211.12.10 – 141.211.12.250 and reach the internal server over the UM backbone.