Pattern Recognition and Applications Lab · FIREWALLS · 2020. 4. 27.
Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
FIREWALLS
Spring Semester 2019/2020
Giorgio Giacinto
http://pralab.diee.unica.it
Firewall – Perimeter defence
[Figure: the Internet and the firewall]
A firewall is either a device or a set of devices intended to ensure control of the traffic flowing across different networks.
Firewall - Definition
• Single point of access
• Keeps attackers away from defenses
Functionalities
• A firewall analyses network traffic and checks whether it complies with the organisation's policies
– Policies are defined from the organization's information security risk assessment
– They should be developed from a broad specification of which traffic types the organization needs to support
– They are then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology
An example
• HTTP traffic is allowed for all the machines connected to the network
• Access to the following domains is forbidden
– Youtube.com, Facebook.com, Twitter.com
• IMAP/POP/SMTP traffic is allowed only to machines on the 172.16.20/24 subnet
Firewall Capabilities And Limits
Capabilities
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec
Limitations
• Cannot protect against attacks bypassing the firewall
• May not protect fully against internal threats
• An improperly secured wireless LAN can be accessed from outside the organization
• A laptop, PDA, or portable storage device may be infected outside the corporate network and then used internally
Functionalities
[Figure: the Internet, the firewall, filtered traffic and not-filtered traffic]
Functionalities
• Firewalls act as "brokers" that
– manage and control the network traffic
– protect resources behind the firewall
• This allows firewalls to record events and activities
– log files may turn out to be useful for forensic purposes
• Firewalls also allow managing authentication
– this further increases both protection and logging capabilities
Firewall Filter Characteristics
• IP address and protocol values
– This type of filtering is used by packet filter and stateful inspection firewalls
– Typically used to limit access to specific services
• Application protocol
– This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
• User identity
– Typically for inside users who identify themselves using some form of secure authentication technology
• Network activity
– Controls access based on considerations such as the time of request, rate of requests, or other activity patterns
Stack TCP & Firewall Layers
Firewalls can operate on different layers of the TCP/IP stack:
• Application
• Transport
• Network (Internet)
• Link
If access must be restricted to certain users or resources, filtering has to be done at the Application Layer.
If access must be disciplined on a per-IP basis, the firewall must work at the Internet Layer.
If access must be limited to certain applications, filtering has to be done at the Transport Layer.
Types of Firewalls
Firewall - Taxonomy
• Firewalls
– Personal Firewalls
– Network Firewalls
  • Packet Filter Firewalls (including Stateful Firewalls)
  • Application Level Firewalls
  • NAT Firewalls
Network Firewalls
• Network Firewalls
– Packet Filter Firewalls
  • Stateful Firewalls
– Application Level Firewalls
– NAT Firewalls
Firewall Appliances
Feature Summary (Palo Alto PA-7080)
• Firewall throughput – 600/700 Gbps
• New sessions per second – 4.56 M
• Maximum number of sessions (no inspection) – 320 M
• Threat prevention throughput – 270/330 Gbps
• IPSec VPN throughput – 280 Gbps
Source: https://www.paloaltonetworks.com/network-security/next-generation-firewall/pa-7000-series
Gartner Magic Quadrant
Packet Filter Firewalls
Stateless Packet Filter
• It is one of the simplest firewalling mechanisms
– Often integrated in the router
• Filtering at layer 3 (Network) and/or 4 (Transport)
– A typical implementation is a router with Access Control Lists (ACL)
• Filtering criteria
– Source IP address
– Destination IP address
– Protocol (ICMP, TCP, UDP, …)
– Protocol-specific information
  • ICMP Echo, ICMP Reply, ICMP Error
  • TCP/UDP ports
  • etc.
• Two default policies
– Discard: prohibit unless expressly permitted (more conservative)
– Forward: permit unless expressly prohibited (easier to manage but less secure)
Stateless Packet Filter
[Figure] Source: Network Warrior, Gary A. Donahue, O'Reilly
Stateless Packet Filter
[Flowchart]
• Does an ACL exist in that direction?
– No: allow the packet
– Yes: is there a policy rule for that kind of packet?
• Is there a policy rule for that kind of packet?
– No: discard the packet
– Yes: what's the action defined by the policy rule?
• What's the action defined by the policy rule?
– Allow: allow the packet
– Deny: discard the packet
Stateless Packet Filter - Clarifications
• It is worth remembering that:
– Once the FW receives a packet, it inspects the ACL to check whether a rule matches the packet
– For efficiency, more specific rules must be on top of the list

    access-list In deny udp any host 192.168.1.101

– The order of the rules is important. One rule can make the following ones useless.

    access-list In deny udp any host 192.168.1.101
    access-list In allow udp any host 192.168.1.101 eq 53

The second rule is never activated, since the previous one is always matched first.
Stateless Packet Filter
• Pros
– Fast
– High flexibility in the definition of the policy rules
• Cons
– Can't stop application layer attacks (malicious FTP commands, malware)
– No user authentication
– Limited logging capabilities
– Vulnerable to TCP/IP weaknesses (e.g. IP spoofing, SYN flood, DoS)
– It might be difficult to configure
About Transport Port Status (Nmap Results)
• open
– The port is open and accepts TCP connections or UDP packets
• closed
– A port which can be reached, but behind which there is no listening application
• filtered
– It is not possible to determine whether the port is open, because packet filtering prevents the probes from reaching the port
• Other Nmap results
– open|filtered / unfiltered / closed|filtered
Stateful Packet Filter
• Processes packets at the Network and Transport Layers as in the case of the Stateless Packet Filter, but it also traces the Transport Layer connections
– Packets are thus analysed in the context of the connection
  • e.g., by keeping track of sequence numbers
– Connectionless protocols such as UDP are inspected as well. Here the packet filter checks that the exchange of messages is coherent with the protocol logic.
Stateful Packet Filter – An example
1. Host A begins a connection with Host B
2. Host B replies to the A request
3. Host A finalises the connection. A is ready to send data.
4. Host A sends Host B data.
5. Host B acknowledges it has received data.
How can I prevent Host B initiating a connection?
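An added example, not from the slides: a minimal TCP connection tracker that answers the question above by creating a table entry only for SYN segments sent from inside hosts, so the five steps are allowed while Host B's own SYN is dropped. The host addresses, ports and the Segment representation are constructed for this example, and it tracks flags only, not sequence numbers.

```python
from collections import namedtuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits
Segment = namedtuple("Segment", "src sport dst dport flags")

class StatefulFilter:
    """Minimal TCP connection tracker: only inside hosts may open connections,
    and every other segment must belong to a connection already in the table."""
    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        self.table = {}   # (initiator, its port, responder, its port) -> state

    def _lookup(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)   # initiator -> responder
        rev = (seg.dst, seg.dport, seg.src, seg.sport)   # responder -> initiator
        if fwd in self.table:
            return fwd, "fwd"
        return (rev, "rev") if rev in self.table else (None, None)

    def process(self, seg):
        if seg.flags & SYN and not seg.flags & ACK:        # step 1: a new connection attempt
            if seg.src not in self.inside:                 # an outside host may not initiate
                return "deny"
            self.table[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
            return "allow"
        key, direction = self._lookup(seg)
        if key is None:                                    # not part of any tracked connection
            return "deny"
        state = self.table[key]
        if seg.flags & (FIN | RST):                        # teardown: forget the connection
            del self.table[key]
        elif state == "SYN_SENT" and direction == "rev" and seg.flags & SYN:      # step 2: SYN/ACK
            self.table[key] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and direction == "fwd" and seg.flags & ACK:  # step 3: final ACK
            self.table[key] = "ESTABLISHED"
        elif state != "ESTABLISHED":                       # steps 4-5 (data, acks) need ESTABLISHED
            return "deny"
        return "allow"

def run_slide_example():
    """Replays the slide's five steps, then lets B try to open its own connection."""
    fw = StatefulFilter(inside_hosts={"192.168.1.10"})   # constructed: A is inside, B is outside
    a, b = ("192.168.1.10", 40000), ("10.1.2.3", 80)
    steps = [Segment(*a, *b, SYN),          # 1. A opens the connection
             Segment(*b, *a, SYN | ACK),    # 2. B replies
             Segment(*a, *b, ACK),          # 3. A finalises the handshake
             Segment(*a, *b, ACK),          # 4. A sends data
             Segment(*b, *a, ACK),          # 5. B acknowledges
             Segment(*b, *a, SYN)]          # B tries to initiate: blocked
    return [fw.process(s) for s in steps]
```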
Stateful Packet Filter
• Pros
– Higher awareness of the Layer 4 traffic → higher security
• Cons
– Can't stop application layer attacks (malicious FTP commands, malicious HTTP requests, malware)
– No user authentication
– Connection management requires CPU & RAM resources
Packet Filter Evasion
• Packet filters can be evaded by leveraging the IP fragmentation mechanism
– Hackers can play with the offset values
• Several variants of the attack exist: http://www.ouah.org/fragma.html
– e.g., Tiny Fragment Attack
  • http://tools.ietf.org/html/rfc3128
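An added example, not from the slides: the two fragment checks of RFC 1858 (the document RFC 3128 builds on), applied to a constructed fragment representation. Since the fragment offset is in 8-byte units and the TCP flags sit in byte 13, a first fragment must carry at least 16 bytes for a port/flag rule to be evaluable, and no later fragment may overlap those bytes.

```python
from collections import namedtuple

# Constructed representation of one IP fragment: only the fields the check needs.
# offset is the IP Fragment Offset field, i.e. in units of 8 bytes.
Fragment = namedtuple("Fragment", "proto offset payload_len")

# A port/flag filter reads TCP bytes 0-3 (ports) and byte 13 (flags). Fragment
# offsets are multiples of 8, so the first fragment must carry at least 16 bytes
# for the flags to be present; this is the minimum RFC 1858 calls tmin.
TMIN = 16

def fragment_verdict(frag):
    """RFC 1858 checks: a TCP first fragment shorter than TMIN cannot be evaluated,
    and a later fragment overlapping the first TMIN bytes could rewrite them."""
    if frag.proto != "tcp":
        return "pass"
    if frag.offset == 0:                          # first (or only) fragment
        return "drop" if frag.payload_len < TMIN else "pass"
    if frag.offset * 8 < TMIN:                    # FO=1 overlaps the ports/flags region
        return "drop"
    return "pass"

def filter_fragments(frags):
    """Verdict per fragment; the datagram is usable only if every fragment passes."""
    return [fragment_verdict(f) for f in frags]
```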
Packet Filter Evasion
Review problems
Firewall rules
The following table shows a sample packet filter firewall ruleset for an imaginary network of IP addresses that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.
Firewall rules - SMTP
SMTP (Simple Mail Transfer Protocol) transfers mail between hosts over TCP. The server listens on TCP port 25 for incoming connection requests. The user is on a TCP port number above 1023. Suppose you wish to build a packet filter rule set allowing inbound and outbound SMTP traffic:
Describe the effect of each rule.
Firewall rules - SMTP
If the server IP address is 172.16.1.1, which of the following packets will be allowed and which will be denied?
Firewall rules - SMTP
Someone from the outside world (10.1.2.3) attempts to open a connection from port 5150 on a remote host to the Web proxy server on port 8080 in order to carry out an attack.
Will the attack succeed?
Application Level Gateways
Application Level Gateway (aka Proxy)
• Combines packet layer functionalities with the capability of inspecting the activities at the application level
• Requires user authentication before any activity
• It can be used for different services:
– Email
– Web
– FTP
– DNS
– Telnet
Application Level Gateway (aka Proxy)
Application Level Gateway (aka Proxy)
• Authentication mechanisms
– Username and password
– Token HW/SW
– Biometrics
• Authentication somehow prevents spoofing attacks
– Different authentication mechanisms can be foreseen according to the users' privileges
• 2 different types of proxy mechanisms
– Connection oriented (circuit level proxy)
– Cut-through
Connection Oriented Proxies
1. A client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server) requested by the client
5. The proxy manages two connections
– The connection between the client and the proxy
– The connection between the proxy and the server behind the proxy
Application Level Gateway (aka Proxy)
• Pros
– Very high logging capabilities
– Very high filtering capability
  • Granular permissions can be defined
• Cons
– Very high overhead
  • Slow
– Ad-hoc firewall and client
Cut-through Proxy
1. The client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server), which is then merged with the previous one
5. The proxy acts as an intermediary, by managing one single connection
Cut-through Proxy
• Pros
– Higher throughput with respect to a connection-oriented proxy
– Higher flexibility (possibility to handle a higher number of applications)
• Cons
– Smaller logging capabilities (with respect to a connection-oriented proxy)
– Filtering only on layers 3 and 4
Web Application Firewalls (WAF)
[Figure: the layers Web application, Web server, OS and Network; the threat at each layer (Web application vulnerability attacks, DoS (service interruptions) attacks, network vulnerability attacks); and the device covering each layer (Firewall, IDS/IPS, WAF)]
Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are not effective against Web Application Attacks.
Attacking Web Services
Normal traffic (legitimate):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=3
Attacking Web Services (WAF Protection)
Attack (malicious):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=-2%20union%20select%20concat%28username,0x3a,password%29%20from[…]
WAFs are commonly based on rules / signatures that detect the presence of specific attack patterns in HTTP requests
e.g.: IF 'union%20select*' in param-input STOP request
Easily evaded in several ways, e.g. by replacing a "%20" with a comment ("/**/")
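As an added example (not the slide's code), the rule above written literally next to a version that canonicalises each parameter value before matching. The request strings are constructed from the slide's URLs (the truncated payload ends at "from") and the SIGNATURES list is this example's own; canonicalisation catches the "/**/" variant, but such signatures remain brittle, which is the next slide's point.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed requests modelled on the slide's URLs (same host, same parameters)
BASE = "http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id="
LEGIT = BASE + "3"
ATTACK = BASE + "-2%20union%20select%20concat%28username,0x3a,password%29%20from"
EVASION = ATTACK.replace("%20", "/**/")          # the variant the slide describes

def naive_rule(url: str) -> str:
    """The slide's rule, literally: IF 'union%20select' in param-input STOP request."""
    return "STOP" if "union%20select" in urlsplit(url).query else "PASS"

def normalise(value: str) -> str:
    """Canonicalise a parameter value before matching: URL-decode twice (double
    encoding), turn SQL comments into separators, collapse whitespace, case-fold."""
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v)
    return v.strip().lower()

# Signatures are matched against the canonical form as word sequences, not byte strings
SIGNATURES = [re.compile(r"\bunion\b.*\bselect\b")]

def normalised_rule(url: str) -> str:
    """Signature matching on canonicalised parameter values."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if any(sig.search(normalise(value)) for sig in SIGNATURES):
            return "STOP"
    return "PASS"

def compare(url: str) -> tuple:
    """Verdict of the naive rule and of the normalising rule for the same request."""
    return naive_rule(url), normalised_rule(url)
```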
WAF (and rule-based systems) Limitations
• Easy-to-evade signatures / rules
– changing even a single character may evade detection
– several rules are required to detect attack variants
• Explosion of the number of signatures
– for computational reasons, only the most common rules are used
– rare attack patterns (even if known) may evade detection!
• False alarms tend to increase with the number of signatures
• Signatures cannot intrinsically detect
– Attacks which exploit vulnerabilities in custom applications
– Advanced attacks like phishing, user impersonation, information leakage
– 0-day / never-before-seen attacks (e.g., advanced injection)
WAFs and rule-based systems (such as Layer 3-4 protection devices) are thus ineffective at dealing with the increasing sophistication and variability of attacks.
Other types of firewalls
Personal Firewall
• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• Typically much less complex than server-based or stand-alone firewalls
– e.g., a software module on a personal computer
– can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity
Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server
Advantages
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection
DMZ and VPN
Firewall Configuration
DMZ – Demilitarized Zone
• A DMZ is a physical or logical subnetwork between the internal network (TRUSTED) and the external network (UNTRUSTED)
– It usually hosts public company services
DMZ – Demilitarized Zone
• A DMZ allows protecting the private network through two layers of firewalling
– the front-end firewall is directly exposed to the network
  • Servers (e.g. Mail, Web) are located just behind this firewall
– the back-end firewall stands behind the front-end firewall and in front of the internal network
• Rules
– The private network can initiate connections toward the DMZ and the Internet, and doesn't accept any kind of incoming connection
– Hosts on the DMZ accept connections from both the private network and the Internet, but cannot initiate any kind of connection
• A router connecting the three different zones can perform both tasks.
Virtual Private Network (VPN)
• A VPN is a virtual network through which it is possible to establish a secure communication channel over an "insecure" medium (the Internet) without the need of a dedicated link
• VPN management mechanisms ensure security
– Confidentiality
– Integrity
– Authenticity
Remote Access VPN
[Figure: Firewall (VPN Concentrator), Company network]
Site-to-Site VPN
VPN - Advantages
• Cheap
– Possibility to build large overlaid networks without the need of a dedicated infrastructure
• Security
– Authentication and cryptography ensure the security of the data
• Scalability
– Adding branches to the VPN doesn't require costly infrastructures
Network Segmentation and the cloud
• Network segmentation is becoming a complex task
– Virtualisation
– Cloud applications, services, storage
• The physical deployment of a network barely represents the actual data flow
• A deep logical map of all the enterprise activities is needed in order to define the routing and firewalling policies
• The firewall itself is not required to be a physical appliance, as it can be deployed as a virtual application
OT Networks
Operational Technology Networks
• The network connecting all Industrial Control Systems (ICS) devices
– PLCs
– SCADA
– DCS
• In the past, OT used proprietary protocols, and no connection with the external world was available
• Currently, the IT-OT convergence allows ICS to share data and to realise remote control
• Network segmentation through firewalls is mandatory to avoid exposing those devices (ISA99 – IEC 62443)
Purdue model (ISA99)