NETWORK (AND DATA) SECURITY 2015/2016
PEDRO BRANDÃO, MANUEL EDUARDO CORREIA
Firewalls
Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for “Computer Security: Principles and Practice”, 1/e, by William Stallings and Lawrie Brown
Some slides from Mark Stamp “Information Security:
Principles and Practice” 2nd edition (Wiley 2011).
Firewalls
Firewall must determine what to let in to the internal network and/or what to let out
Access control for the network
[Figure: Internet | Firewall | Internal network]
SR(D) - Firewalls - pbrandao - 2015/16
Firewall as Secretary
A firewall is like a secretary
To meet with an executive, first contact the secretary
The secretary decides if the meeting is important, so the secretary filters out many requests
You want to meet the chair of the CS department? The secretary does some filtering
You want to meet the PotPT? The secretary does lots of filtering
Firewalls and Intrusion Prevention Systems
effective means of protecting LANs
internet connectivity is essential for organizations and individuals, but creates a threat
could secure workstations and servers individually
also use a firewall as perimeter defence: a single choke point at which to impose security
[Figure: Outside | Firewall | Inside]
Firewall Capabilities & Limits
capabilities:
defines a single choke point
provides a location for monitoring security events
convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
limitations:
cannot protect against attacks that bypass the firewall
may not protect fully against internal threats
improperly secured wireless LAN
laptop, PDA or portable storage device infected outside and then used inside
Types of Firewalls
Packet Filtering Firewall
applies rules to packets in/out of the firewall based on information in the packet header: src/dest IP addr & port, IP protocol, interface
typically a list of rules of matches on fields
if a rule matches, it says whether to forward or discard the packet
two default policies:
discard - prohibit unless expressly permitted: more conservative, controlled, visible to users
forward - permit unless expressly prohibited: easier to manage/use but less secure
Packet Filter
Operates at the network layer
Can filter based on:
Source IP address
Destination IP address
Source Port
Destination Port
Flag bits (SYN, ACK, etc.)
Egress or ingress
What’s in a Packet
IPv4 packet
IHL - Internet Header Length
DSCP - Differentiated Service Code Point (Type of Service)
ECN - Explicit Congestion Notification

IPv4 header layout (field widths in bits):
Ver(4) | IHL(4) | DSCP(6) | ECN(2) | Total Length(16)
Identification(16) | Flags(4) | Frag Offset(12)
TTL(8) | Protocol(8) | Header Checksum(16)
Source Address(32)
Destination Address(32)
Options | Padding
Packet Filter
Configured via Access Control Lists (ACLs)

Action | Source IP | Dest IP | Source Port | Dest Port | Protocol | Flag Bits
Allow  | Inside    | Outside | Any         | 80        | HTTP     | Any
Allow  | Outside   | Inside  | 80          | > 1023    | HTTP     | ACK
Deny   | All       | All     | All         | All       | All      | All

Q: Intention?
A: Restrict traffic to Web browsing
Packet Filter Rules
Packet Filter Weaknesses
weaknesses:
cannot prevent attacks on application bugs
limited logging functionality
do not support advanced user authentication
vulnerable to attacks on TCP/IP protocol bugs
improper configuration can lead to breaches
attacks:
IP address spoofing, source route attacks, tiny fragment attacks
TCP ACK Scan
Attacker scans for open ports through the firewall
Port scanning is the first step in many attacks
Attacker sends a packet with the ACK bit set, without a prior 3-way handshake
This violates the TCP/IP protocol
The ACK packet passes through a packet filter firewall: it appears to be part of an ongoing connection
RST is sent by the recipient of such a packet
Attacker knows port 1209 is open through the firewall
A stateful packet filter can prevent this, since scans are not part of established connections
[Figure: Trudy sends ACK packets with dest ports 1207, 1208, 1209 through the packet filter into the internal network]
Stateful packet filter
reviews packet header information but also keeps info on TCP connections
servers typically have a low, “known” port number and clients a high, dynamically assigned port number, so a simple packet filter must allow all returning packets to high-numbered ports back in
a stateful inspection packet firewall tightens the rules for TCP traffic using a directory of TCP connections
only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
may also track TCP sequence numbers
Stateful Packet Filter
Advantages?
Can do everything a packet filter can do, plus keep track of ongoing connections (so prevents the TCP ACK scan)
Disadvantages?
Cannot see application data
Slower than packet filtering
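As an added example (not from the slides), this Python model applies the ACL from the Packet Filter Rules slide statelessly, then adds the directory of TCP connections described above so that a bare ACK from a scan is discarded; the internal network 10.0.0.0/24 and all packet values are constructed for the demo.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")  # assumed internal network (constructed)

def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE

# The slide's ACL: (action, src inside?, dst inside?, src port, dst port, required flag).
# None means Any/All; "high" stands for "> 1023". Rules are checked top-down, first match wins.
ACL = [
    ("allow", True,  False, None, 80,     None),   # inside clients -> outside web servers
    ("allow", False, True,  80,   "high", "ACK"),  # replies back to high client ports
    ("deny",  None,  None,  None, None,   None),   # default: discard everything else
]

def port_matches(spec, port):
    if spec is None:
        return True
    if spec == "high":
        return port > 1023
    return spec == port

def stateless_filter(pkt):
    """pkt = (src_ip, dst_ip, src_port, dst_port, set_of_tcp_flags)."""
    src, dst, sport, dport, flags = pkt
    for action, s_in, d_in, sp, dp, flag in ACL:
        if s_in is not None and is_inside(src) != s_in:
            continue
        if d_in is not None and is_inside(dst) != d_in:
            continue
        if not (port_matches(sp, sport) and port_matches(dp, dport)):
            continue
        if flag is not None and flag not in flags:
            continue
        return action
    return "deny"

class StatefulFilter:
    """Same ACL, plus a directory of connections opened from the inside."""
    def __init__(self):
        self.directory = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        src, dst, sport, dport, flags = pkt
        if stateless_filter(pkt) != "allow":
            return "deny"
        if is_inside(src):                       # outbound: record the connection
            self.directory.add((src, sport, dst, dport))
            return "allow"
        # Inbound to a high port passes only if it answers a recorded connection, so an
        # ACK-scan probe (no prior handshake, no directory entry) is discarded.
        return "allow" if (dst, dport, src, sport) in self.directory else "deny"
```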
Application-Level Gateway
acts as a relay of application-level traffic
users contact the gateway with the remote host name and authenticate themselves
gateway contacts the application on the remote host and relays TCP segments between server and user
must have proxy code for each application
may restrict the application features supported
more secure than packet filters, but has higher overheads
Application Proxy
Advantages? Complete view of connections and application data; can filter bad data at the application layer (viruses, Word macros)
Disadvantages? Speed
Circuit-Level Gateway
sets up two TCP connections, one to an inside user and one to an outside host
relays TCP segments from one connection to the other without examining contents
hence independent of application logic; just determines whether the relay is permitted
typically used when inside users are trusted
may use an application-level gateway inbound and a circuit-level gateway outbound, hence lower overheads
SOCKS Circuit-Level Gateway
SOCKS v5 is defined in RFC 1928 to allow TCP/UDP applications to use the firewall
components:
SOCKS server on the firewall
SOCKS client library on all internal hosts
SOCKS-ified client applications
client app contacts the SOCKS server, authenticates, and sends a relay request
server evaluates the request and establishes the relay connection
UDP is handled with a parallel TCP control channel
Deep Packet Inspection
Many buzzwords are used for firewalls; one example is deep packet inspection. What could this mean?
Look into packets, but don’t really “process” the packets
Effect like an application proxy, but faster
Uses information up to the Application layer, including app data
Can differentiate based on all information: prioritize, reroute, shape, drop, etc.
Used by ISPs to:
Detect/mitigate security attacks: DoS, buffer overflows, viruses, etc.
Throttle “unwanted” P2P
Touches net neutrality
Hardware implemented; needs to be at line speed
Firewall Topologies
Firewalls and Defense in Depth
Typical network security architecture
[Figure: Internet | Packet Filter | DMZ (FTP server, DNS server, Web server) | Application Proxy | Intranet with additional defense]
Firewall Basing
several options for locating the firewall: bastion host, individual host-based firewall, personal firewall
Bastion Hosts
critical strongpoint in the network; hosts application/circuit-level gateways
common characteristics:
runs a secure O/S with only essential services
may require user auth to access the proxy or host
each proxy can restrict features and hosts accessed
each proxy is small, simple, checked for security
each proxy is independent and non-privileged
limited disk use, hence read-only code
Host-Based Firewalls
used to secure an individual host
available in/as an add-on for many O/S
filters packet flows; often used on servers
advantages:
tailored filter rules for specific host needs
protection from both internal and external attacks
additional layer of protection to the organization firewall
Personal Firewall
controls traffic flow to/from a PC/workstation, for both home and corporate use
may be a software module on the PC or in the home cable/DSL router/gateway
typically much less complex
primary role is to deny unauthorized access
may also monitor outgoing traffic to detect/block worm/malware activity
Firewall Locations
Virtual Private Networks
Distributed Firewalls
Firewall Topologies
host-resident firewall
screening router
single bastion inline
single bastion T
double bastion inline
double bastion T
distributed firewall configuration
[Figures: single bastion inline; single bastion T]
INTRUSION PREVENTION SYSTEMS
Intrusion Prevention Systems (IPS)
an addition to security products: an inline network/host-based IDS that can block traffic
functional addition to the firewall that adds IDS capabilities
can block traffic like a firewall, using IDS algorithms
may be network or host based
Host-Based IPS
identifies attacks using both:
signature techniques: malicious application packets
anomaly detection techniques: behavior patterns that indicate malware
can be tailored to the specific platform, e.g. general purpose, web/database server specific
can also sandbox applets to monitor behavior
may give desktop file, registry, I/O protection
Network-Based IPS
inline NIDS that can discard packets or terminate TCP connections
uses signature and anomaly detection
may provide flow data protection, monitoring full application flow content
can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
cf. SNORT inline, which can drop/modify packets
Unified Threat Management Products
Tools
Firewalk
Tool to scan for open ports through a firewall (nmap script)
Attacker knows the IP address of the firewall and the IP address of one system inside the firewall
Set TTL to 1 more than the number of hops to the firewall, and set the destination port to N
If the firewall allows data on port N through, a time exceeded error message comes back
Otherwise, no response
Firewalk and Proxy Firewall
This will not work through an application proxy (why?)
The proxy creates a new packet, destroying the old TTL
[Figure: Trudy sends packets with dest port 12345, 12344, 12343 and TTL=4 through router, packet filter, router; a time exceeded message returns]
iptables – path of an IP packet on Netfilter
[Figure: path of an IP packet through Netfilter: PREROUTING (Mangle, NAT (Dst)) -> ROUTE -> INPUT (Mangle, Filter, Security) -> Local Process -> OUTPUT (Mangle, NAT (Dst), Filter, Security) -> ROUTE -> POSTROUTING (Mangle, NAT (Src)); packets not addressed to a local process go ROUTE -> FORWARD (Mangle, Filter, Security) -> POSTROUTING]
Tables contain chains
Table  | Chains
Filter | INPUT, FORWARD, OUTPUT
Nat    | PREROUTING, FORWARD, POSROUTING
Mangle | INPUT, OUTPUT, PREROUTING, FORWARD, POSROUTING

iptables (cont.)
Add rules to tables, specifying the chain they are in.
When a packet matches a rule, its target is applied.
Targets vary according to the table. Examples:
Filter table: DROP, ACCEPT
NAT table: DNAT, SNAT, MASQUERADE, REDIRECT
New chains may be created by the user and set as targets of rules.
iptables (cont.)
Example:
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
firewall-bypass
Uses the connection helpers of netfilter to open ports (nmap firewall-bypass script)
Protocols such as FTP or SIP have out-of-band management: a management connection different from the data connection, and a passive mode
Netfilter must interpret this (e.g. nf_conntrack_ftp)
firewall-bypass uses an incorrect configuration to open ports on the firewall
See Eric Leblond’s presentation for more detail
Demonstration
Network
[Figure: demo network: Internet; server with enp0s8 = 10.0.0.1 on 10.0.0.0/24 and enp0s9 = 10.0.1.1 on 10.0.1.0/24; workstation 10.0.0.10 (enp0s8) on 10.0.0.0/24; openmediavault 10.0.1.100 on 10.0.1.0/24]
SSH access: server -> workstation

[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT
Default table is filter (-t filter)
[workstation] iptables -L INPUT --line-numbers
[server] ssh 10.0.0.10
[workstation] iptables -D INPUT 1
Or: iptables -D INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j DROP
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -L INPUT --line-numbers
[workstation] iptables -I INPUT 1 -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10
SSH access: openmediavault -> workstation

[openmediavault] ssh 10.0.0.10
[server] iptables -A FORWARD --proto tcp --dport 22 -j REJECT
[openmediavault] ssh 10.0.0.10
[workstation] ssh 10.0.1.100
[server] iptables -I FORWARD 1 -o enp0s8 --proto tcp --dport 22 -j ACCEPT
[workstation] ssh 10.0.1.100
[openmediavault] ssh 10.0.0.10
Allow ping from workstation
[server] iptables -P FORWARD DROP
[server] iptables -A FORWARD -o enp0s9 -p icmp --icmp-type echo-request -j ACCEPT
[server] iptables -A FORWARD -o enp0s8 -p icmp
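As an added example (not part of the slides' demonstration), this Python toy model of an iptables chain replays the INPUT and FORWARD command sequences above in order, showing why appending ACCEPT after DROP changes nothing while inserting it at position 1 does; it models only first-match evaluation, -A/-I/-D and -P, and the packet fields are constructed.

```python
class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []                      # (match dict, target), evaluated top-down

    def append(self, match, target):         # iptables -A CHAIN ... -j TARGET
        self.rules.append((match, target))

    def insert(self, pos, match, target):    # iptables -I CHAIN pos ... -j TARGET (1-based)
        self.rules.insert(pos - 1, (match, target))

    def delete(self, pos):                   # iptables -D CHAIN pos
        del self.rules[pos - 1]

    def set_policy(self, policy):            # iptables -P CHAIN POLICY
        self.policy = policy

    def verdict(self, pkt):
        for match, target in self.rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                return target                # first matching rule decides
        return self.policy                   # nothing matched: chain policy applies

def replay_input_demo():
    """Workstation INPUT chain: SSH from the server arrives on enp0s8, dport 22."""
    ssh = {"in": "enp0s8", "proto": "tcp", "dport": 22}   # constructed packet
    m = {"in": "enp0s8", "proto": "tcp", "dport": 22}     # match part of every rule
    inp = Chain()
    seen = []
    inp.append(m, "REJECT")
    seen.append(inp.verdict(ssh))            # REJECT
    inp.delete(1)
    seen.append(inp.verdict(ssh))            # ACCEPT: empty chain, policy applies
    inp.append(m, "DROP")
    inp.append(m, "ACCEPT")
    seen.append(inp.verdict(ssh))            # still DROP: ACCEPT was appended after it
    inp.insert(1, m, "ACCEPT")
    seen.append(inp.verdict(ssh))            # ACCEPT: now the first rule
    return seen

def replay_forward_demo():
    """Server FORWARD chain: policy DROP, only echo-request out of enp0s9 allowed."""
    fwd = Chain()
    fwd.set_policy("DROP")
    fwd.append({"out": "enp0s9", "proto": "icmp", "icmp-type": "echo-request"}, "ACCEPT")
    ping = {"out": "enp0s9", "proto": "icmp", "icmp-type": "echo-request"}
    ssh = {"out": "enp0s9", "proto": "tcp", "dport": 22}
    return fwd.verdict(ping), fwd.verdict(ssh)             # ("ACCEPT", "DROP")
```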
Summary
introduced the need for and purpose of firewalls
types of firewalls: packet filter, stateful inspection, application and circuit gateways
firewall hosting, locations, topologies
intrusion prevention systems