Post on 16-Jan-2016
transcript
Lecture 15, Page 1, Advanced Network Security
Perimeter Defense in Networks: Firewalls Configuration and Management
Advanced Network Security
Peter Reiher, August 2014
Outline
• Shortcomings of firewalls
• How do we properly manage firewalls?
• Firewalls and mobile computing
So Firewalls Are the Answer?
• Not by themselves
• Relying exclusively on firewalls runs into problems
• Why?
Problem #1
Diagram: the Internet, an ISP, and the local network; one entry point is labelled “No firewall here!”
Is there a way around the firewall?
Problem #2
Diagram: the Internet, an ISP, and the local network
Can you properly identify all bad traffic?
Great, no back doors
But . . .
It looks OK . . .
Problem #3
Diagram: the Internet, an ISP, and the local network
Let’s say you’ve closed all the back doors
And you’ve somehow recognized all bad traffic
What about this?
If the bad traffic comes from inside, the firewall doesn’t help
Weaknesses of Perimeter Defense
Defense in Depth
• An old principle in warfare
• Don’t rely on a single defensive mechanism or defense at a single point
• Combine different defenses
• Defeating one defense doesn’t defeat your entire plan
So What Should Happen?
Or, Better
Or, Even Better
Firewall Configuration and Administration
• Again, the firewall is the point of attack for intruders
• Thus, it must be extraordinarily secure
• How do you achieve that level of security?
Firewall Location
• Clearly, between you and the bad guys
• But you may have some different types of machines/functionalities
• Sometimes makes sense to divide your network into segments
– Typically, less secure public network and more secure internal network
– Using separate firewalls
Firewalls and DMZs
• A standard way to configure multiple firewalls for a single organization
• Used when organization runs machines with different openness needs
– And security requirements
• Basically, use firewalls to divide your network into segments
A Typical DMZ Organization
Diagram: The Internet; a firewall set up to protect your web server; your web server, sitting in the DMZ; a firewall set up to protect your LAN; your production LAN
Advantages of DMZ Approach
• Can customize firewalls for different purposes
• Can customize traffic analysis in different areas of network
• Keeps inherently less safe traffic away from critical resources
Dangers of a DMZ
• Things in the DMZ aren’t well protected
– If they’re compromised, provide a foothold into your network
• One problem in DMZ might compromise all machines there
• Vital that main network doesn’t treat machines in DMZ as trusted
• Must avoid back doors from DMZ to network
Firewall Hardening
• Devote a special machine only to firewall duties
• Alter OS operations on that machine
– To allow only firewall activities
– And to close known vulnerabilities
• Strictly limit access to the machine
– Both login and remote execution
Keep Your Firewall Current
• New vulnerabilities are discovered all the time
• Must update your firewall to fix them
• Even more important, sometimes you have to open doors temporarily
– Make sure you shut them again later
• Can automate some updates to firewalls
• How about getting rid of old stuff?
Closing the Back Doors
• Firewall security is based on assumption that all traffic goes through the firewall
• So be careful with:
– Wireless connections
– Portable computers
– Sneakernet mechanisms and other entry points
• Put a firewall at every entry point to your network
• And make sure all your firewalls are up to date
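As an added example (not part of the lecture), here is a small first-match policy for the two-firewall DMZ layout from the earlier slides, with an audit for the two management failures covered in "Dangers of a DMZ", "Keep Your Firewall Current" and "Closing the Back Doors": accept rules that let a less trusted zone into the LAN, and temporary openings that were never shut. The zone names, ports, notes and dates are constructed for illustration.

```python
# Added example (not from the lecture): a first-match policy for the two-firewall
# DMZ layout, plus an audit for the two management failures the slides warn
# about: "back doors" that let a less trusted zone reach the LAN, and temporary
# openings nobody shut again. Zone names, ports, notes and dates are constructed.

# Trust ranks; the LAN is the zone the slides say must never trust the DMZ.
TRUST = {"internet": 0, "dmz": 1, "lan": 2}
PROTECTED = "lan"

# Rules are evaluated top to bottom and the first match wins. `expires` (an ISO
# date, so plain string comparison orders correctly) marks a temporary opening.
RULES = [
    {"action": "accept", "src": "internet", "dst": "dmz", "dport": 443, "note": "public web server"},
    {"action": "accept", "src": "lan", "dst": "dmz", "dport": 443, "note": "staff use web app"},
    {"action": "accept", "src": "lan", "dst": "internet", "dport": None, "note": "outbound browsing"},
    {"action": "accept", "src": "dmz", "dst": "lan", "dport": 3306, "note": "TEMP: db migration",
     "expires": "2014-08-01"},
    {"action": "accept", "src": "internet", "dst": "lan", "dport": 3389, "note": "vendor RDP"},
    {"action": "drop", "src": "*", "dst": "*", "dport": None, "note": "default deny"},
]

def _matches(rule, src, dst, dport):
    # "*" matches any zone; a rule with dport None matches any port.
    return (rule["src"] in ("*", src) and rule["dst"] in ("*", dst)
            and rule["dport"] in (None, dport))

def evaluate(src, dst, dport, today="2014-08-15"):
    """Return the action for a flow; expired temporary rules no longer grant access."""
    for rule in RULES:
        if rule.get("expires", "9999-12-31") < today:
            continue  # the door was opened temporarily and its time is up
        if _matches(rule, src, dst, dport):
            return rule["action"]
    return "drop"  # nothing matched: deny by default

def audit(rules=RULES, today="2014-08-15"):
    """Flag accepts into the protected zone from less trusted zones, and stale temporary rules."""
    findings = []
    for rule in rules:
        if rule["action"] != "accept" or "*" in (rule["src"], rule["dst"]):
            continue
        if rule["dst"] == PROTECTED and TRUST[rule["src"]] < TRUST[PROTECTED]:
            findings.append(("back door", rule["note"]))
        if rule.get("expires", "9999-12-31") < today:
            findings.append(("expired temporary rule", rule["note"]))
    return findings
```

Note that `evaluate` still accepts the "vendor RDP" flow: an expiry date only helps for rules that were given one, which is why the audit has to look for back doors separately.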
Firewalls and Mobile Computing
• The firewall concept comes from the world before mobile computing
• Firewalls assume machines are safe behind their protections
• Which is only true if network traffic to the machine goes through the firewall
• What happens with mobile computers?
Consider Bob’s Office
Diagram: Bob’s office, with Bob and several workers on the office network
So far, so good
Now Bob Goes to a Cafe
Diagram: a local café, with Bob, Carol, Xavier and Alice
Now Bob Returns To Work . . .
Diagram: Bob’s office again, with Bob and several workers on the office network
The firewall didn’t help at all!
How Bad Could This Be?
• Depends on how much mobility occurs
– Nowadays, a lot
• Wireless connectivity makes it worse
– Especially if wireless used in untrusted locations
• Smart phones in store windows have been infected by malware passing by
Handling the Problem
• Single machine firewalls on mobile devices help
– But usually aren’t powerful or sophisticated
• Safe use practices help
– But are usually trumped by convenience
• So mobile devices will get infected
The Next Best Thing
• It was bad that the mobile device got infected
• It was worse that it got behind the firewall and infected everyone else
• Can we at least stop that step?
How To Handle This Problem?
• Essentially quarantine the portable computer until it’s safe
• Don’t permit connection to wireless access point until you’re satisfied that the portable is safe
– Or put them in a constrained network
• Common in Cisco, Microsoft, and other companies’ products
– Network access control
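As an added example (not part of the lecture, and not any vendor's product), here is the admission decision a network access control step can make for Bob's returning laptop: check its posture before it gets the LAN, quarantine it if it is infected, and otherwise drop an out-of-date machine into a constrained network that only reaches remediation services. The posture fields, policy values, VLAN names and host names are constructed for illustration.

```python
# Added example (not from the lecture): the network access control step the
# slides describe for a returning portable. The device is posture-checked before
# it gets the LAN; an infected one is quarantined, an out-of-date one is placed
# in a constrained network that only reaches remediation services. The posture
# fields, policy values and host names are constructed for illustration.

POLICY = {"min_patch_level": "2014-08", "max_signature_age_days": 3}

# What the constrained network routes to: just enough to become healthy.
REMEDIATION_HOSTS = {"patch.example.internal", "av-updates.example.internal"}

def posture_failures(device):
    """Return the posture checks the device fails (empty list means healthy)."""
    failures = []
    if device.get("malware_detected"):
        failures.append("malware detected")
    if not device.get("host_firewall_enabled"):
        failures.append("host firewall disabled")
    # "YYYY-MM" patch levels compare correctly as strings; missing means unknown.
    if device.get("patch_level", "") < POLICY["min_patch_level"]:
        failures.append("patches out of date")
    if device.get("signature_age_days", 10**6) > POLICY["max_signature_age_days"]:
        failures.append("AV signatures stale")
    return failures

def admit(device):
    """Decide the device's placement: (vlan, reachable hosts or None for unrestricted)."""
    failures = posture_failures(device)
    if "malware detected" in failures:
        # Policy choice in this example: an infected machine gets no network at all.
        return "quarantine", set()
    if failures:
        return "constrained", set(REMEDIATION_HOSTS)
    return "full", None

def may_reach(decision, host):
    """Check a flow from the device against its admission decision."""
    _vlan, reachable = decision
    return reachable is None or host in reachable

if __name__ == "__main__":
    # Constructed example: Bob's laptop comes back from the café out of date.
    bob = {"name": "bob-laptop", "host_firewall_enabled": True,
           "patch_level": "2014-07", "signature_age_days": 9}
    vlan, reachable = admit(bob)
    print(vlan, sorted(reachable), posture_failures(bob))
```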
Conclusion
• Important to recognize the shortcomings of firewalls
• Proper organization and management of firewalls can help
• Mobile computing limits the value of firewalls further
– Requiring extra caution