Date post: | 31-Dec-2015 |
Category: |
Documents |
Upload: | sydney-munoz |
View: | 26 times |
Download: | 0 times |
ECE-6612http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. [email protected]
404 894-5177fax 404 894-0035
Office: Klaus 3362email or call for office visit, 404 894-5177
Chapter 10a - Firewalls
3/10/2013
2
Computer System Evolution
Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer).
Local Area Networks: - connects PC’s (in “terminal emulation” mode), remote terminals (next building) and mini-computers.
Premises Network: - connects LANs and LAN-attached devices to each other.
Enterprise-wide Network: - leased data lines (T1, DS-3) connect various offices.
Internet Connectivity: - initially for email, now for Web access, e-commerce, music and video downloads, social networking, tele-commuting, Web and video conferencing, distance learning, ... . Makes the world accessible, but now the world also has access to you.
3
Agency VirtualPrivate Network
LANs at Agency
Offices across Georgia
State WWW GatewayState Internet
• Citizens
• Contractors
• City & CountyGovernments
Agency Gateway &Web Server
Non-AgencyState Server
Private VirtualConnection
AgencyServer
• Schools
• Libraries
• Kiosks
Connectivity Provided by theGeorgia Backbone Network
Other Agencies
WWW
Firewalls
Agency Firewall - Protects Agency Subnetsfrom Unwanted Connections
Agency Firewall - Protects Agency Subnetsfrom Unwanted Connections
Subnet 1 Subnet 2
Gate-way
WAN
Firewalls (and many routers) can reject:• Packets with certain source and destination addresses
• Packets with certain high-level protocols (UDP, Telnet)
Proxy Servers - for specific applications• Email messages assembled and inspected, then passed to
internal email server machine.
Prevent Cyber Loafing - Using the Internet for fun and personal business (not very effective).
Gate-way
4
5
Application Layer (HTTP)
Transport Layer(TCP,UDP)
Network Layer (IP)
E'net DataLink Layer
Ethernet
Phys. Layer
Network Layer
E'net DataLink Layer
E'net Phys.Layer
Network Layer
Web Server Browser
Router-Firewallcan drop packets
based onsource or destination,ip address and/or port
Application Layer (HTTP)
Transport Layer(TCP,UDP)
Network Layer (IP)
Token Ring
Data-Link Layer
Token RingPhys. Layer
IP Address130.207.22.5
IP Address24.88.15.22
Port 80 Port 31337
Segment No. Segment No.
Token Ring
Data Link Layer
Token RingPhys. Layer
ApplicationLayer (HTTP,FTP, TELNET,SMTP)
Transport Layer (TCP, UDP)
Network Layer (IP)
E'net DataLink Layer
E'net Phys.Layer
Transport
Layer
(TCP, UDP)
Network
Layer (IP)
E'net Data
Link
Layer
E'net Phys.
Layer
Process ProcessTransport or App.-Layer
Gateway, or ProxyApplicationLayer(HTTP(HTTP,FTP, TELNET,SMTP)
Transport Layer(TCP,UDP)
Network Layer (IP)
TR DataLink Layer
TR Phys.Layer
Transport
Layer
(TCP, UDP)
Network
Layer (IP)
TR Data
Link
Layer
TR Phys.
Layer
6
Policy
No outside Web access.
Outside connections to Public Web Server Only.
Prevent Web-Radios from eating up the available bandwidth.
Prevent your network from being used for a Smuft DoS attack.
Prevent your network from being tracerouted or Ping scanned.
Firewall Setting
Drop all outgoing packets to any IP, Port 80
Drop all incoming TCP SYN packets to any IP except 130:207:244.203, port 80
Drop all incoming UDP packets - except DNS and Router Broadcasts.
Drop all ICMP packets going to a “broadcast” address (130.207.255.255 or 130.207.0.0).
Drop all incoming ICMP, UDP, or TCP echo-request packets, drop all packets with TTL < 5.
7
Firewall Attacks
IP Internal-Address Spoofing
Source Routing (External Spoof)
Tiny Fragment Attacks
2nd-Fragment Probes
SYN-ACK Probes
Internal Outbound Hacking
Firewall Defense
Drop all incoming packets with local source address.
Drop all IP packets with Source-Routing Option.
Drop all incoming packet fragments with small size.
Assemble IP fragments (hard work), or at least *.
Be “Stateful” -keep track of TCP outgoing SYN
packets (start of all TCP connections).
Drop all outgoing packets which do not have an "internal" source IP address.
8
* Fragments after the first one have no transport header (no way to tell if it is TCP, UDP, ICMP, ... , or determine port numbers. Firewall must at least keep a temporary list of approved IP ID-Numbers based on the first fragment decision.
A Network Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments.
-------
Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.
Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with “filter” capabilities). Protect Finance Department from Engineering Department [Problem: internal network is much higher bit rate, firewalls more expensive].
Solution 2 - implement host-based firewalls to limit access except on certain TCP/UDP ports from specific hosts or subnets. Must be centrally managed to be economical.
Solution 3 – Use a Intruder Detection System that divides the network into zones, and reports unauthorized cross-zone connections.
9
StatefulFirewall
Local PCip1
External Hostip2
TCP SYN
establishes “state” (ip1,ip2,tcp, 33489,80)
TCP SYN-ACK or RESET or relatedICMP
established “state” (ip1,ip2,tcp, 33489,80)
TCP ACK’s
established “state” (ip1,ip2,tcp, 33489,80)
TCP or UDP or ICMP
Not part of an established “state”
10
# iptables -L -n
Chain INPUT (policy DROP)target prot opt source destination ACCEPT tcp -- 143.218.132.0/25 0.0.0.0/0 ACCEPT tcp -- 130.207.225.0/24 0.0.0.0/0 ACCEPT all -- 79.76.0.0/16 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 130.207.152.119 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 143.215.151.0/24 0.0.0.0/0 ACCEPT udp -- 64.192.0.0/10 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 69.59.0.0/16 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 24.0.0.0/8 0.0.0.0/0 tcp dpt:22 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)target prot opt source destination DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)target prot opt source destination ACCEPT icmp -- anywhere 10.0.0.0/24 ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
11
A “-n” option speeds up iptables because it stops reverse lookups. Also beneficial for “route”, “netstat”, … .
$ ufw status numberedStatus: active
To Action From -- ------ ----[ 1] 8822/tcp ALLOW IN 130.207.150.144[ 2] Anywhere ALLOW IN 143.215.138.0/25[ 3] 8822/tcp ALLOW IN 130.207.225.103[ 4] 8822/tcp ALLOW IN 78.88.0.0/16[ 5] 8822/tcp ALLOW IN 80.55.0.0/16[ 6] Anywhere DENY IN Anywhere
$ ufw insert 1 allow proto tcp from 130.207.0.0/16 to any port 8822Rule Inserted$ ufw activate (changes iptables configuration)
Uncomplicated Firewall (UFW) for Ubuntu (LINUX)
12
Internet
Router 24.88.48.47 with NAT
Host 192.168.0.10
Web Client 192.168.0.20
13
Host 192.168.0.30
Host 192.168.0.40
Web Serverport 80
FTP Serverport 21
Web Server 130.27.8.35
To 130.27.8.35:80 from 192.168.0.20:x
To 130.27.8.35:80 from 24.88.48.47:y
To 24.88.48.47:y from 130.27.8.35:80
To 192.168.0.20:x from 130.27.8.35:80
1
4
3 2
Local Web client accessing an external Web server
x & y are high number ephemeral client ports. Simple NATs, use x=y
NAT - Network Address Translation
Internet
Router 24.88.48.47 with NAT
Host 192.168.0.10
Host 192.168.0.20
14
Host 192.168.0.30
Host 192.168.0.40
Web Serverport 80
FTP Serverport 21
FTP Client 130.27.8.35
To 130.27.8.35:y from 192.168.0.20:21
To 130.27.8.35: x from 24.88.48.47:21
To 24.88.48.47: 21 from 130.27.8.35:x
To 192.168.0.30:21 from 130.27.8.35:y
1 4
32
External FTP client accessing a local FTP server
Forwarding Table
Port 80 -> .10Port 21 -> .30
15
16
Home Routers allow incoming connections based on server port
New Home Routers also allow port translation (e.g., 2222 -> 22)
Combined Firewalls and IDS
(see also: IBM Proventia - www.iss.net) 17
Protocol Anomaly DetectionWatchGuard Transparent Application layer proxies examine entire connection data streams, identifying protocol anomalies and discarding harmful or questionable information.
In addition, WatchGuard firewalls perform:
* Packet Handling - prevents packets from entering the network until they are reassembled and examined. * Packet Reassembly - reassembles packet fragments to prevent fragment overlap attacks such as Teardrop and other Layer 3 protocol anomaly based attacks.
Signature Element AnalysisRather than using signatures that precisely identify specific attacks, WatchGuard systems look at what any attack of a certain type (e.g., e-mail) must do to succeed (e.g., auto-execute an attachment). With rule sets, you can choose to allow or deny traffic, or even deny all traffic from a source for a specific period.
In addition to rigorous rule sets, the firewall processes policy-based configurations, and management subsystems perform state and content analysis. These processes protect against entire known and unknown attack classes, and can narrow the vulnerability window without having to make you wait for updated attack-specific signatures.
Behavior-Based AnalysisAlthough behavior-based intrusion detection is a relatively new technology, WatchGuard has mechanisms in place within the firewall to identify known attack behaviors, such as:
* Port scans and probes * Spoofing * SYN flood attacks * DoS and DDoS attacks * The misuse of IP options such as source routing
from www.watchguard.com18
Network Operations
* Resolve network performance issues in minutes * Provides enterprise network visibility down to user level * Troubleshoots network incidents at 1/3 the time of point solutions * Analyzes NetFlow / sFlow to facilitate capacity planning and traffic engineering
Network Security
* Detects attacks that bypass signature based, perimeter defenses * Leverages flow data, including packet capture, to reduce security risks by 90% * Enforces policies and assures compliance with agent-free user identity tracking * Delivers scalable, robust security and risk management
from www.lancope.com
19(also see http://users.ece.gatech.edu/~copeland/jac/lancope/index.html)