Date posted: 16-Dec-2015
Second Edition by William Stallings and Lawrie Brown
Lecture slides by Susan Lincke & Lawrie Brown
Chapter 9 – Firewalls and Intrusion Prevention Systems
Chapter Objectives
The student should be able to:
- Describe the different types of firewalls: circuit, application proxy, packet, stateful, personal, including how they differ in an example attack that each can fend off.
- Describe 3 firewall vulnerabilities.
- Draw configurations for network types: double inline, T, multihomed, distributed, load balanced.
- Describe what a firewall policy is, give an example policy, and indicate how a policy may be used.
- Describe each of the following: border router, static and dynamic NAT, and PAT.
[Figure: layered defenses, labelled Border Router, Perimeter firewall, Internal firewall, Intrusion Detection System, Policies & Procedures & Audits, Authentication, Access Controls]
Firewall Required Functions
- Serve as an entry point into a network
- Screen all packets entering the network:
  - service control
  - direction control
  - user control
  - behavior control (access only part of a Web service)
- Log and alarm events
- Perform Network Address Translation functions (optional)
- Perform Virtual Private Network functions (optional)
- Support no other functions (that could be compromised)
Firewall Locations
[Figure: four placement diagrams. Each shows the Internet, a screening router and/or router, Firewall A and Firewall B (one variant uses a single firewall with a demilitarized zone), a DMZ hosting the External DNS, Web Server, E-Commerce/VPN Server and IDS/IPS sensors, and the Protected Internal Network holding the Database/File Servers with its own IDS/IPS.]
Bastion Hosts
- critical strongpoint in the network
- hosts application/circuit-level gateways
- common characteristics:
  - runs a secure O/S, only essential services
  - may require user auth to access proxy or host
  - each proxy can restrict services & hosts accessed
  - each proxy is small, simple, checked for security
  - each proxy is independent, non-privileged
  - proxy disk use is boot only; hence read-only code
Firewall Topologies
- host-resident firewall
- screening router
- single bastion inline: one firewall
- single bastion T: with 3 zones
- double bastion inline: serial firewalls
- double bastion T: with 3 zones
- distributed firewall configuration: double with host firewalls
[Figure: distributed firewall configuration. Internet, router, a firewall from Vendor A, a DMZ with External DNS, Web Server, E-Commerce/VPN Server and IPS, a firewall from Vendor B, the Protected Internal Network with IDS/IPS and Database/File Servers, and a Security Mgmt Syslog host.]
Types of Firewalls
[Figure: host A reaches a remote host through a terminal, the firewall and a router; the packet filtering and stateful inspection firewalls pass the session through while inspecting headers.]
Packet Filtering:
- Packet header is inspected
- Single-packet attacks caught
- Very little overhead in firewall: very quick
- High-volume filter
Stateful Inspection:
- State retained in firewall memory
- Most multi-packet attacks caught
- More fields in packet header inspected
- Little overhead in firewall: quick
Packet Filtering Firewall
- applies rules to packets in/out of firewall
- based on information in packet header: src/dest IP addr & port, IP protocol, interface
- typically a list of rules of matches on fields
- if a rule matches, it says whether to forward or discard the packet
- two default policies:
  - discard: prohibit unless expressly permitted
  - forward: permit unless expressly prohibited
Packet Filter Problems
- In heavy load may forward all packets without logging
- Cannot catch application-level errors
- ICMP can have invalid contents
- FTP, RPC use ports > 1023, dynamically allocated
- Cannot recognize spoofed IP or port addresses
- Do not support advanced user authentication
- Tiny fragments can hide attacks
- Improper configuration can lead to breaches
- Routers can do packet filtering; most firewalls do more
Stateful Inspection Firewall
- reviews packet header information but also keeps info on TCP connections
- typically have low, “known” port no for server and high, dynamically assigned client port no
- simple packet filter must allow all return high-port-numbered packets back in
- stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
- only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
- may also track TCP seq numbers as well
Packet Filter Rules
Stateful Packet Filters
- Tracks TCP/UDP connection status
- Can configure outbound-only connections
- Packets are allowed in if connection is established
- Records source/destination IP and port addresses, protocol (TCP/UDP), timer expiration
- TCP: Also supports TCP state, sequence numbers
- UDP: Supports expiration timer, pseudo state
- May prevent fragmentation attacks
- Advantage: Supports higher loads than Circuit-Level Firewalls at same memory/processor speed levels
- Problems:
  - ICMP: Messages may come from intermediate node, not destination. Must accept/reject all ICMP messages of type N
  - DOS Attack: Establish connections to fill table
  - Applications change ports or use multiple ports: e.g., ftp
  - Application attacks not detected since application protocols not scanned
- Some routers support stateful packet filtering; nearly all firewalls do
Stateful Firewall Connection State Table

Source Address | Source Port | Destination Address | Destination Port | Connection State
215.34.55.143  | 2011        | 188.55.43.59        | 80               | Established
84.22.428.143  | 1027        | 188.55.43.59        | 80               | Established
188.55.42.34   | 1022        | 89.42.33.143        | 23               | Established
184.56.23.123  | 88          | 188.55.43.49        | 80               | Established
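As an added example (not code from the slides or the textbook), a minimal stateful filter that keeps a directory of TCP connections like the table above and uses it to admit a reply to a high-numbered client port while discarding an unsolicited inbound packet to the same port; the "10." inside prefix and the addresses are constructed.

```python
from collections import namedtuple

# Constructed example: a minimal stateful inspection filter that keeps a
# directory of TCP connections like the slide's state table. Inside hosts
# are identified by a constructed address prefix; everything else is outside.
Packet = namedtuple("Packet", "src sport dst dport syn")


class StatefulFilter:
    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        self.table = {}  # (src, sport, dst, dport) -> connection state

    def _inside(self, addr):
        return addr.startswith(self.internal_prefix)

    def handle(self, pkt):
        """Return 'forward' or 'discard' and update the connection table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and self._inside(pkt.src) and not self._inside(pkt.dst):
            # New outbound connection: record it, then let it out.
            self.table[key] = "Established"
            return "forward"
        if key in self.table or reverse in self.table:
            # Part of a known connection, so the reply to a high-numbered
            # client port is admitted even though no static rule allows it.
            return "forward"
        # Default policy: prohibit unless expressly permitted. This covers an
        # inbound packet aimed at a high port with no matching table entry.
        return "discard"


def simple_packet_filter(pkt):
    """A stateless filter has to admit every inbound packet to a high port
    (> 1023), because it cannot tell a reply from an unsolicited probe."""
    return "forward" if pkt.dport > 1023 else "discard"


def demo():
    fw = StatefulFilter("10.")
    request = Packet("10.0.0.5", 2011, "188.55.43.59", 80, syn=True)
    reply = Packet("188.55.43.59", 80, "10.0.0.5", 2011, syn=False)
    probe = Packet("203.0.113.9", 80, "10.0.0.5", 2011, syn=False)
    stateful = [fw.handle(p) for p in (request, reply, probe)]
    stateless = [simple_packet_filter(p) for p in (reply, probe)]
    return stateful, stateless
```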
[Figure: host A reaches host B through a terminal and the firewall; the circuit-level and application-proxy firewalls terminate the session at the firewall and open a second session to B.]
Circuit-Level Firewall:
- Packet session terminated and recreated via a Proxy Server
- All multi-packet attacks caught
- Packet header completely inspected
- High overhead in firewall: slow
Application-Proxy Firewall:
- Packet session terminated and recreated via a Proxy Server
- Packet header completely inspected
- Most or all of application inspected
- Highest overhead: slow & low volume
[Figure: fields monitored by each type of firewall. Each packet is drawn as IP Header | TCP Header | Application Header & Data. Packet Filter: Prot, Src Addr and Dest Addr in the IP header, Src Port and Dest Port in the TCP header. Stateful Packet Filter – Circuit Level Filter – Proxy Server: the same fields plus the TCP Flag and SeqNo. Application Proxy Firewall: the same fields plus the ApplHdr. Guard Firewall – Sophisticated Application Proxy Firewall – IDS/IPS: the same fields plus the ApplHdr and ApplData. Caption: Fields shown are monitored by these types of Firewalls.]
Circuit-Level Firewalls or Proxy Server
- Establishes a TCP connection with remote end before passing information through.
- Creates two sessions: one with sender & one with receiver
- Does not filter based on packet contents (other than state)
- Also known as Pass-Through Proxy or Generic Proxy
- Advantages:
  - If the firewall fails, no packets are forwarded through the firewall
  - Catches fragmentation errors
- Problems:
  - Does not detect invalid application data
  - Moves security issues from service to firewall: e.g., DOS attacks
  - Less able to handle high loads since each connection becomes two
  - Requires much greater memory and processor at application level (Web page is > 1 connection)
  - Slower interfaces can result in poor performance for streaming applications
Application Proxy Firewall
- Examines packets and their contents at the Application Layer
- Can cause delay due to additional processing
- May strip info on internal servers, server version on outgoing messages (e.g., email)
- May allow only certain types of sessions through:
  - FTP: May permit receives, no sends. Or sends of specific files only.
  - Email: Encrypts email between all of company’s offices
  - HTTP: May filter PUT commands, URL names. Can cache replies.
  - Authentication: Perform extra authentication for external access (via dialup or internet)
Application-Level Gateway
- acts as a relay of application-level traffic
- user contacts gateway with remote host name and authenticates themselves
- gateway contacts application on remote host and relays TCP segments between server and user
- must have proxy code for each application
- may restrict application features supported
- more secure than packet filters, but have higher overheads
SOCKS Circuit-Level Gateway
- SOCKS v5 defined in RFC 1928 to allow TCP/UDP client-server applications to use firewall
- components:
  - SOCKS server on firewall
  - SOCKS client library on all internal hosts
  - SOCKS-ified client applications
- client app contacts SOCKS server, authenticates, sends relay request
- server evaluates & establishes relay connection
- UDP handled with parallel TCP control channel
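An added example (not code from the slides or from RFC 1928): the byte layout of the SOCKS v5 CONNECT request and reply as RFC 1928 defines them, with a constructed relay policy for the SOCKS server on the firewall; the allowed ports, the "10." inside prefix and the bound address are assumptions.

```python
import socket
import struct

# Added example: SOCKS v5 request/reply formats from RFC 1928 (sections 4
# and 6) and a constructed relay policy for the SOCKS server on the firewall.
VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07
ALLOWED_PORTS = {80, 443}   # constructed policy: relay only web traffic
INTERNAL_PREFIX = "10."     # constructed: never relay back into the inside


def build_request(cmd, host, port):
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (section 4)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: send it as a domain name
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    ver, cmd, _rsv, atyp = data[:4]
    if ver != VER:
        raise ValueError("not a SOCKS v5 request")
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode(), 5 + n
    else:
        raise ValueError("unsupported ATYP")
    return cmd, host, struct.unpack("!H", data[off:off + 2])[0]


def evaluate_request(data):
    """Server side: apply the relay policy and build the reply (section 6)."""
    cmd, host, port = parse_request(data)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED
    elif port not in ALLOWED_PORTS or host.startswith(INTERNAL_PREFIX):
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCEEDED
    # BND.ADDR/BND.PORT would be the relay socket; a constructed placeholder here.
    bound = socket.inet_aton("0.0.0.0") + struct.pack("!H", 0)
    return rep, bytes([VER, rep, 0x00, ATYP_IPV4]) + bound
```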
Distributed Firewalls
Host-Based Firewalls
- often used on servers
- used to secure individual host
- available in / add-on for many O/S
- filter packet flows
- advantages:
  - tailored filter rules for specific host needs
  - protection from both internal / external attacks
  - additional layer of protection to org firewall
Personal Firewall
- controls traffic flow to/from PC/workstation
- for both home or corporate use
- may be software module on PC or in home cable/DSL router/gateway
- typically much less complex
- primary role to deny unauthorized access
- may also monitor outgoing traffic to detect/block worm/malware activity
Virtual Private Networks
[Figure: three NAT diagrams with External Organization IP 201.25.44.0/24 and Internal Addresses 10.0.0.0/8. Dynamic NAT: a single external IP address may translate into many IP addresses. Hide NAT or PAT: IP/Port translates to IP/Port. Static NAT: external IP address translates into internal IP address.]
Network Address Translation
- Static NAT: One external IP address translates into one fixed internal IP address
- Dynamic NAT: Internal IP addresses are assigned an external IP address on a FCFS basis.
- Port Address Translation (PAT) or Hide NAT: Translates one incoming IP address/port into an internal IP address/port. Multiple internal IP addresses can map to one external IP address
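An added example (not code from the slides): one translation device showing all three behaviours on the slide's address spaces, 201.25.44.0/24 outside and 10.0.0.0/8 inside; the hosts, the dynamic pool, the PAT port range and the fallback from an exhausted pool to PAT are this example's own assumptions.

```python
import itertools

# Added example: static NAT, dynamic NAT (first come, first served pool) and
# PAT / hide NAT on the slide's address spaces. Hosts, pool and port range are
# constructed; falling back from an exhausted pool to PAT is this example's
# own policy, not something the slide states.
class NAT:
    def __init__(self, static, pool, hide_ip):
        self.static = dict(static)   # internal ip -> fixed external ip
        self.pool = list(pool)       # free external addresses for dynamic NAT
        self.dynamic = {}            # internal ip -> pool address
        self.hide_ip = hide_ip       # the one external address shared by PAT
        self.pat = {}                # external port -> (internal ip, port)
        self.ports = itertools.count(40000)

    def outbound(self, src_ip, src_port):
        """Translate an internal (ip, port) on its way out."""
        if src_ip in self.static:                     # static NAT: one to one
            return self.static[src_ip], src_port
        if src_ip not in self.dynamic and self.pool:  # dynamic NAT: FCFS
            self.dynamic[src_ip] = self.pool.pop(0)
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        for ext_port, inner in self.pat.items():      # PAT: reuse a live mapping
            if inner == (src_ip, src_port):
                return self.hide_ip, ext_port
        ext_port = next(self.ports)                   # PAT: many to one, new port
        self.pat[ext_port] = (src_ip, src_port)
        return self.hide_ip, ext_port

    def inbound(self, dst_ip, dst_port):
        """Map an arriving (ip, port) back inside; None means drop it."""
        for inner, ext in list(self.static.items()) + list(self.dynamic.items()):
            if ext == dst_ip:
                return inner, dst_port
        if dst_ip == self.hide_ip and dst_port in self.pat:
            return self.pat[dst_port]
        return None   # no mapping exists, so the packet is unsolicited


def demo():
    nat = NAT(static={"10.0.0.10": "201.25.44.10"},   # public web server
              pool=["201.25.44.20"],                   # one dynamic address
              hide_ip="201.25.44.1")
    out = [nat.outbound(ip, 1025) for ip in ("10.1.1.1", "10.1.1.2", "10.1.1.3")]
    back = [nat.inbound("201.25.44.1", 40001), nat.inbound("201.25.44.1", 9999),
            nat.inbound("201.25.44.10", 80)]
    return out, back
```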
Firewall Capabilities & Limits
- capabilities:
  - defines a single choke point
  - provides a location for monitoring security events
  - convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs
- limitations:
  - cannot protect against attacks bypassing firewall
  - may not protect fully against internal threats
  - improperly secured wireless LAN
  - laptop, PDA, portable storage device infected outside then used inside
Firewall Vulnerabilities
- Firewalls can be bypassed via other means (e.g., modem, CDs)
- Data transmitted to the outside may be vulnerable
- Firewalls may lie: in heavy loads attack packets may get through without logging.
- Extra software on the firewall device increases vulnerability
- Firewalls are vulnerable if installed above a general-purpose OS
- Firewalls do not prevent malicious acts within the network
- Layers of defense are safer than a single firewall
- Auditing: Scan weekly or at every change
- Retain a baseline of perimeter device configurations
Designing Firewalls/Routers
- Before creating a firewall configuration, create firewall policies.
- Firewall policy: An Access Control List (ACL) item in English
- Policies can be reviewed, turned into ACLs, and tested
- Example Policy: IP addresses with internal source addresses shall not be allowed into the internal network from the outside.
- Often ports > 1000 cannot be closed due to applications like FTP
- Other policies may deal with failover protection, detecting malicious code, …
Configuring Firewalls/Routers
- Put specific rules first, then general rules
- When a rule matches, no further testing is done.
- Minimize tests & speed processing by placing common rules first
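An added example (not code from the slides) that ties the two slides above together: the example policy written as an ACL entry in an ordered, first-match rule list, and a check showing why the specific anti-spoofing rule must come before the general rule that admits outside hosts to the web server. The 10.0.0.0/8 inside and 201.25.44.0/24 outside ranges are from the NAT slide; the web server address, interface names and the other rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example: firewall policies stated in English, turned into an ordered ACL.
# Address ranges follow the NAT slide; web server and interfaces are constructed.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = ipaddress.ip_network("201.25.44.10/32")


@dataclass
class Rule:
    policy: str      # the English policy statement this entry implements
    iface: str       # arrival interface: "external", "internal" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: object    # a port number, or None for any port
    action: str      # "forward" or "discard"


# Specific rules first, general rules last; the final entry makes the default
# policy "discard: prohibit unless expressly permitted".
ACL = [
    Rule("IP addresses with internal source addresses shall not be allowed "
         "into the internal network from the outside", "external", INSIDE, ANY, None, "discard"),
    Rule("Outside hosts may reach the public web server on port 80", "external", ANY, WEB, 80, "forward"),
    Rule("Internal hosts may open connections to the outside", "internal", INSIDE, ANY, None, "forward"),
    Rule("Default: discard everything else", "any", ANY, ANY, None, "discard"),
]


def decide(acl, iface, src, dst, dport):
    """Return (action, 1-based index of the matching rule); first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(acl, 1):
        if (r.iface in (iface, "any") and s in r.src and d in r.dst
                and r.dport in (None, dport)):
            return r.action, n     # no further rules are tested
    return "discard", None         # only reached if no catch-all is present


def spoof_check():
    """A packet arriving from outside that claims an inside source address,
    aimed at the web server. The correct order discards it; putting the
    general web rule first would forward it, which is why specific rules
    go first."""
    args = ("external", "10.0.0.5", "201.25.44.10", 80)
    wrong_order = [ACL[1], ACL[0], ACL[2], ACL[3]]
    return decide(ACL, *args), decide(wrong_order, *args)
```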
Auditing Firewalls
- If there is no security policy, speak with mgmt about their expectations of the firewall
- After configuring the firewall, test the firewall by launching an attack
- Use a sniffer to determine which attack packets get through
- Other required operations include:
  - Log Monitoring and Notification
  - User Mgmt and Password policy
  - Patch Update and Backup
  - Change Control
  - Secure build for firewall platforms
Audit Testing
- Scan all TCP and UDP ports 0-65,535 on the firewall
- Ping devices to see if Echo Requests pass
- Scan using ‘TCP Connect Scan’ (Full SYN-ACK)
- Do a slow SYN scan (with 15 second delay) to see if port scans are detected (by IDS)
- Scan with FINs, ACKs, and fragmented ACKs, Xmas Tree scans (URG, PUSH, FIN flags) to see how all perform
- Scan the subnet using UDP ports to look for open applications
- Check routing capability, including NAT
- Test other blocked source IP addresses: spoofed, private, loopback, undefined
- Test other protocols: ICMP, IP fragmentation, all policies, all directions.
- Verify logging occurs for illegal probes
- Always get signed-off permission first!!!
Intrusion Prevention Systems (IPS)
- enhanced security product which is an inline net/host-based IDS that can block traffic
- functional addition to firewall that adds IDS capabilities
- can block traffic like a firewall, or alternatively send commands to firewall
- uses IDS algorithms
- may be network or host based
Host-Based IPS
- addresses:
  - modification of system resources
  - privilege-escalation exploits
  - buffer overflow exploits
  - access to email contact list
  - directory traversal
- identifies attacks using: sandbox applets to monitor behavior, signature techniques, anomaly detection techniques
- can be tailored to the specific platform, e.g. general purpose, web/database
- may protect file access, system registry, I/O, system calls
Network-Based IPS
- inline NIDS that can discard packets or terminate TCP connections
- can provide flow data protection: reassembling whole packets, monitoring full application flow content
- can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
- cf. SNORT inline can drop/modify packets
Unified Threat Management Products
Summary
- Firewall filters packets
- Types of networks: double inline, T or multihomed, distributed, load balanced, screening router
- Types of firewalls: packet filter, stateful inspection, application and circuit gateways
- Other capabilities: Virtual Private Network (VPN), Network Address Translation (NAT)
- Advanced configurations: IPS, Unified Threat Management