Date post: | 18-Jan-2016 |
Category: |
Documents |
Upload: | edward-warren |
View: | 220 times |
Download: | 3 times |
Firewalls
Original slides prepared by Theo Benson
Unix Firewalls• FreeBSD: ipfw• Linux: ipfw → ipchains → iptables• MacOS X: ipfw
ipfw example rules:
# SSH# Allow ssh from unc.edu hosts/sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup /sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup
Stateful Firewalls• A bit more complicated• Keep track of transport layer
connections (e.g., TCP, UDP) that may comprise multiple packets
• Often allow only connections initiated from behind the firewall
How are they deployed?
“circle of trust”
The InternetAKA “Everything evil”
The firewall isthe gatekeeper
Only one way in or out into the circle
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Similar to streaming a Video …
Browser Network
HTTP RequestsGet: image.png
HTTP RequestsGet: video.avi
Loading Youtube
Allowing Outbound Connections Only
“circle of trust”
The InternetAKA “Everything evil”
SYN
• Why would someone from the outside want to start a connection?
Allowing Outbound Connections Only
“circle of trust”
The InternetAKA “Everything evil”
SYN
• Why would someone from the outside want to start a connection?– They would if you were running a web-server, an email-server, a gaming
server …. Pretty much any ‘server’ service.– Firewall configuration may allow “punching holes” to specific
addresses/ports
Traversing Firewalls
• Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections.
• An external server may help coordinate which source ports, sequence numbers, to use. (E.g., STUN protocol.)
Network Address Translation (NAT)
• For outbound packets, the translator replaces (typically) private address with it’s own public address, and rewrites the source port.
• Translator remembers the mapping.• For inbound packets, the reverse translation is performed.
192.168.1.100
128.2.205.42
Src: 192.168.1.100:32532
Src: 128.2.205.42:45323
NAT versus Firewall
• A network address translator is not intrinsically a firewall, but– Often the two are combined in one device– Traffic cannot be sent directly to private addresses
used behind a NAT from the public Internet– A NAT may block incoming connections by
necessity because it does not know which private address to forward the traffic to
What Happens When you Connect to a Website?
Browser NetworkLoading SoundCloud
HTTP RequestsGet: image.png
HTTP RequestsGet: sound.mp3
What happens if the virus/worm is hidden in an email? Picture? Or if the security exploit is in an HTML page?
Deep Packet Inspection
• Examine payload (data) portion of packet as well as headers
IP Header
TCP/UDP Header
Payload
Application Level Firewall
• Why are they needed?
• Attackers are tricky– When exploiting security vulnerabilities– Attacks span multiple packets
• Need a system to scan across multiple packets for Virus/Worm/Vulnerability exploits
Application Level Firewalls
• Similar to Packet-filters except:– Supports regular expression– Search across different packets for a match– Reconstructs objects (images,pictures) from
packets and scans objects.
Application Level Firewalls
• Similar to Packet-filters except:– Supports regular expression– Searches across different packets for a match– Reconstructs objects (images,pictures) from
packets and scans objects.
HTTP RequestsGet: image.png
Appy reg-ex to the object:
Application Level Firewalls
• Similar to Packet-filters except:– Supports regular expression– Searches across different packets for a match– Reconstructs objects (images,pictures) from
packets and scans objects.
HTTP RequestsGet: image.png
Why doesn’t everyone use App level firewalls?
• Object re-assembly requires a lot of memory• Regular-expressions require a lot of CPU
• App level firewalls are a lot more expensive– And also much slower – So you need more -- a lot more.
How do you Attack the Firewall?
• Most Common: Denial-of-Service attacks – Figure out a bug in the Firewall code– Code causes it to handle a packet incorrectly– Send a lot of ‘bug’ packets and no one can use the
firewall