Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan...

Post on 22-Dec-2015


Firewalls

CS591 Topics in Internet Security

November 15 1999

Steve Miskovitz, Steve Peckham, Kan Hayashi

Outline

• Overview/Motivation

• Packet Filtering

• Application Gateway

Overview/Motivation

• Why Do We Need Firewalls?

• Design Issues

• Firewall Characteristics

• Typical Setups/Analysis

Why Do We Need Firewalls?

• Prevent unauthorized access to private networks

• Prevent unauthorized export of private information

Design Issues

• That which is not expressly permitted is prohibited

– firewall is designed to block everything, services are enabled on a case-by-case basis

– can be seen as a hindrance by users

• That which is not expressly prohibited is permitted

– reactive, must predict what kinds of actions would compromise the security of the firewall

Firewall Characteristics

• Damage Control

– If the firewall is compromised or destroyed, what kinds of threats does it leave the private network open to?

• Zones of Risk

– How large is the zone of risk during normal operation?

Firewall Characteristics

• Failure Mode

– If the firewall is broken into or destroyed, how easy is it to detect?

– How much information is retained to analyze the attack?

• Ease of Use

– How much of an inconvenience is the firewall?

• Stance

– Permissive or prohibitive?

Typical Setups

• Screening Router

• Dual Homed Gateway

• Screened Host Gateway

• Screened Subnet

Screening Router

• Basic router with some kind of packet filtering capability

– Typically will be able to block traffic between networks or specific hosts on an IP level

Analysis of Screening Router

• Damage control is difficult because you would need to examine every host for traces of a break-in

• Zone of risk is all the hosts on the private network because direct communication is permitted

• Usually set up as permissive

Analysis of Screening Router

• In the case of destruction of the firewall it is very hard to trace because commercial routers generally do not keep logs

• Can fairly easily get around the screening using tunnelling

• Popular because they allow fairly free access from any point in the private network

Dual Homed Gateway

• Has a system on both the private network and the Internet, with TCP/IP forwarding disabled

Analysis of Dual Homed Gateway

• Often used and easy to implement

• Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the networks is blocked

• If the gateway is compromised then the whole private network is accessible

• Zone of risk is only the gateway host

Analysis of Dual Homed Gateway

• Permissiveness is dependent on the stance of the gateway

– logins on the gateway are permissive

– application gateways are prohibitive

• Can be adapted more easily to keep logs which can help with tracing what went wrong and which machines on the private network were compromised

Screened Host Gateway

• Combines a screening router and a dual homed gateway. The screening router is configured such that the gateway is the only system reachable from the Internet

Analysis of Screened Host Gateway

• Can be configured to block traffic to the gateway on certain ports, permitting only a small number of services to communicate with it

• Generally very secure, while fairly easy to implement

• Router is configured to only permit Internet access to the gateway

Analysis of Screened Host Gateway

• Zone of risk is the gateway and the router

• Gateway can be on the private network so connectivity is good for local users

• Stance is dependent upon the gateway

• Similar to a dual homed gateway

Screened Subnet

• An isolated subnet is created between the private network and the Internet

– isolate the private network using screening routers with varying levels of filtering

Analysis of Screened Subnet

• Generally, both the Internet and the private network have access to the subnet but traffic across the screened subnet is blocked

• Usually configured with one host as the sole point of access on the subnet

• Zone of risk is host and any screening routers that connect the subnet

• Appealing for firewalls that use routing to reinforce the existing screening

Analysis of Screened Subnet

• Forces all services to be provided by application gateways

• Strongly prohibitive

• Much harder to break into since you need to compromise multiple systems

• Can be an inconvenience since hosts that are not addressed correctly cannot use the firewall properly

Packet Filtering: Overview

• Control data traffic using header of each packet

– source IP address

– destination IP address

– etc

• Screened (Host, Subnet) Setups

Static Packet Filtering

• “Static” = “doors” are open at all times

• Advantages

– Low overhead / High throughput

– Inexpensive or free

– Good for traffic management

• Disadvantages

– Allows dangerous direct connections

– Leaves holes open

– Unsuitable for complex environment

– No user authentication
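A small static filter showing the two stances from the Design Issues slide and the "leaves holes open" disadvantage listed above. This is an added example, not part of the original slides; the addresses, the rule set and the function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Header fields a static filter can see (all values below are constructed).
Packet = namedtuple("Packet", "src sport dst dport")
Rule = namedtuple("Rule", "action src sports dst dports")

INSIDE = "192.168.1.0/24"        # assumed private network
ANY = "0.0.0.0/0"
HIGH = range(1024, 65536)        # unprivileged client ports
HTTP = range(80, 81)

# Static rules: the inbound "door" for web replies is open at all times.
RULES = [
    Rule("permit", INSIDE, HIGH, ANY, HTTP),   # outbound HTTP requests
    Rule("permit", ANY, HTTP, INSIDE, HIGH),   # anything claiming source port 80
]

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and pkt.sport in rule.sports and pkt.dport in rule.dports)

def static_filter(pkt, rules=RULES, stance="prohibitive"):
    """First matching rule wins; the stance decides everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    # prohibitive: not expressly permitted  -> denied
    # permissive:  not expressly prohibited -> permitted
    return "deny" if stance == "prohibitive" else "permit"

request = Packet("192.168.1.10", 40000, "203.0.113.5", 80)
reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000)
# No inside host asked for this packet, but its header looks like a reply.
unsolicited = Packet("198.51.100.7", 80, "192.168.1.20", 6000)
telnet_in = Packet("198.51.100.7", 40000, "192.168.1.20", 23)

if __name__ == "__main__":
    for name, pkt in [("request", request), ("reply", reply),
                      ("unsolicited", unsolicited), ("telnet_in", telnet_in)]:
        print(name, static_filter(pkt), static_filter(pkt, stance="permissive"))
```

The unsolicited packet is permitted because the filter judges each header in isolation and keeps no record of which sessions inside hosts actually opened.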

Dynamic Packet Filtering

• “Dynamic” = opens and closes “doors” according to packet header data

• Can keep track of context information about a session. (stateful filtering)

• Advantages

– Only temporarily opens holes in Network Perimeter

– Low overhead / High throughput

– Supports almost any service

• Disadvantages

– Allows direct IP connections

– No user authentication (requires application gateway)
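A sketch of the stateful behaviour described above: an inbound "door" exists only while a session opened from the inside is being tracked. This is an added example, not part of the original slides; the class, the timeout value, the addresses and the packet trace are constructed, and TCP teardown is simplified.

```python
from collections import namedtuple

# flags is a set of TCP flag names; all packets below are constructed samples.
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulFilter:
    def __init__(self, inside_prefix="192.168.1.", idle_timeout=60):
        self.inside_prefix = inside_prefix  # assumed private network
        self.idle_timeout = idle_timeout    # seconds; assumed value
        self.sessions = {}                  # session key -> time last seen

    def check(self, pkt, now):
        # Close "doors" for sessions that have gone idle.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.idle_timeout}
        outbound = pkt.src.startswith(self.inside_prefix)
        # Key is always (inside host, inside port, outside host, outside port).
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key not in self.sessions:
            # Only an inside host's opening SYN may create a session.
            if not (outbound and pkt.flags == {"SYN"}):
                return "deny"
        self.sessions[key] = now
        # Simplification: a single FIN or RST ends the session
        # (real TCP teardown tracks both directions).
        if pkt.flags & {"FIN", "RST"}:
            del self.sessions[key]
        return "permit"

def run_demo():
    fw = StatefulFilter()
    c, s = ("192.168.1.10", 40000), ("203.0.113.5", 80)
    trace = [
        (0, Packet(*s, *c, {"SYN", "ACK"})),           # "reply" before any request
        (1, Packet(*c, *s, {"SYN"})),                  # inside host opens a session
        (2, Packet(*s, *c, {"SYN", "ACK"})),           # same header, now expected
        (3, Packet("198.51.100.7", 80, *c, {"ACK"})),  # other host, no session
        (4, Packet(*c, *s, {"FIN", "ACK"})),           # inside host closes
        (5, Packet(*s, *c, {"ACK"})),                  # the door is closed again
    ]
    return [fw.check(pkt, t) for t, pkt in trace]

if __name__ == "__main__":
    print(run_demo())
```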

Application Gateways: Overview

• First Generation vs. Second Generation (transparent)

• TCP connection state and sequencing are maintained.

• Prevents direct access to services on the internal network.

• Outgoing traffic appears to be coming from the firewall rather than the internal network.

• Works on an application (or service) level.

Application Gateways: Lawyer Example

[Figure: A, B, B’s Lawyer; labels: Approved Message, Unapproved Message]

Application Gateways: Example of masking internal network

[Figure: Client 1, Client 2, ..., Client i; Firewall; External Network]

Application Gateways: Advantages

• Doesn’t allow direct connections between internal and external hosts (proxy).

• Supports user-level authentication.

• Ability to analyze application specific commands inside traffic.

• Can keep logs of traffic.
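The advantages above (user-level authentication, inspection of application-specific commands, logging) sketched for the FTP control channel. This is an added example, not part of the original slides; the users, the per-user policy and the class name are constructed, and the gateway is assumed to have authenticated the user before the session object is created.

```python
# Assumed policy: per-user allowlist of FTP commands (constructed users).
# Only bob may upload (STOR) files to external servers.
POLICY = {
    "alice": {"USER", "PASS", "CWD", "LIST", "RETR", "QUIT"},
    "bob":   {"USER", "PASS", "CWD", "LIST", "RETR", "STOR", "QUIT"},
}

class FtpGatewaySession:
    """One proxied control connection; client and server never talk directly."""

    def __init__(self, authenticated_user):
        self.user = authenticated_user   # identity established by the gateway
        self.audit = []                  # (user, verb, argument, decision)

    def handle(self, line):
        """Return the command to forward to the real server, or None if blocked."""
        line = line.rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        allowed = (verb in POLICY.get(self.user, set())
                   # A control line must carry exactly one command.
                   and "\r" not in line and "\n" not in line)
        # Never write credentials into the traffic log.
        shown = "****" if verb == "PASS" else arg
        self.audit.append((self.user, verb, shown,
                           "forward" if allowed else "block"))
        if not allowed:
            return None
        # The gateway re-emits the command itself rather than relaying bytes.
        return (f"{verb} {arg}".strip() + "\r\n")

if __name__ == "__main__":
    session = FtpGatewaySession("alice")
    for cmd in ["PASS hunter2\r\n", "retr report.txt\r\n", "STOR payroll.xls\r\n"]:
        print(repr(cmd), "->", repr(session.handle(cmd)))
    print(session.audit)
```

A packet filter sees all three of these commands as identical traffic to TCP port 21; only a gateway that parses the protocol can permit the download and refuse the upload.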

Application Gateways: Disadvantages

• Takes time to check requests.

• Doesn’t support every type of connection.

References

• Thinking About Firewalls V2.0: Beyond Perimeter Security (1997)

– http://www.clark.net/pub/mjr/pubs/think/index.htm

• Application Gateways and Stateful Inspection: A Brief Note Comparing and Contrasting (Avolio & Blask 1998)

– http://www.avolio.com/apgw+spf.html