Firewalls
Network (and Data) Security 2015/2016
Pedro Brandão, Manuel Eduardo Correia

 Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for “Computer Security: Principles and Practice”, 1/e, by William Stallings and Lawrie Brown
 Some slides from Mark Stamp, “Information Security: Principles and Practice”, 2nd edition (Wiley 2011)

Firewalls

 Firewall must determine what to let in to the internal network and/or what to let out
 Access control for the network

[Figure: Internet | Firewall | Internal network]

SR(D) - Firewalls - pbrandao - 2015/16

Firewall as Secretary

 A firewall is like a secretary
 To meet with an executive
 First contact the secretary
 Secretary decides if meeting is important
 So, secretary filters out many requests
 You want to meet chair of CS department?
 Secretary does some filtering
 You want to meet the PotPT?
 Secretary does lots of filtering

Firewalls and Intrusion Prevention Systems

 effective means of protecting LANs
 internet connectivity essential
 for organization and individuals
 but creates a threat
 could secure workstations and servers
 also use firewall as perimeter defence
 single choke point to impose security

[Figure: Outside | Firewall | Inside]

Firewall Capabilities & Limits

 capabilities:
 defines a single choke point
 provides a location for monitoring security events
 convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
 limitations:
 cannot protect against attacks bypassing the firewall
 may not protect fully against internal threats
 improperly secured wireless LAN
 laptop, PDA, portable storage device infected outside then used inside

Types of Firewalls

Packet Filtering Firewall

 applies rules to packets in/out of firewall
 based on information in packet header
 src/dest IP addr & port, IP protocol, interface
 typically a list of rules of matches on fields
 if a rule matches, it says whether to forward or discard the packet
 two default policies:
 discard - prohibit unless expressly permitted
more conservative, controlled, visible to users
 forward - permit unless expressly prohibited
easier to manage/use but less secure

Packet Filter

 Operates at network layer
 Can filter based on…
 Source IP address
 Destination IP address
 Source Port
 Destination Port
 Flag bits (SYN, ACK, etc.)
 Egress or ingress

[Figure: protocol layer stack: Physical, Logic, Network, Transport]

What’s in a Packet

 IPv4 packet
 IHL - Internet Header Length
 DSCP - Differentiated Services Code Point (Type of Service)
 ECN - Explicit Congestion Notification

IPv4 header layout (field widths in bits):
Ver(4) | IHL(4) | DSCP(6) | ECN(2) | Total Length(16)
Identification(16) | Flags(4) | Frag Offset(12)
TTL(8) | Protocol(8) | Header Checksum(16)
Source Address(32)
Destination Address(32)
Options | Padding
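Added example, not part of the slides: a standard-library Python parser for the IPv4 header laid out above. It uses the field widths of RFC 791 (3 flag bits and a 13-bit fragment offset), verifies the header checksum before any field is trusted, as a packet filter must, and rejects an IHL that cannot hold the fixed header. The builder computes the checksum so the sample header is constructed in-line; the addresses 10.0.0.10 and 10.0.1.100 are borrowed from the demonstration network at the end of the deck, everything else is constructed.

```python
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int             # header length in 32-bit words (5 = 20 bytes, no options)
    dscp: int
    ecn: int
    total_length: int
    identification: int
    flags: int           # 3 bits: reserved, DF, MF (RFC 791)
    frag_offset: int     # 13 bits, in units of 8 bytes
    ttl: int
    protocol: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes

    @property
    def dont_fragment(self) -> bool:
        return bool(self.flags & 0b010)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & 0b001)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented.
    Over a header whose checksum field is zero it yields the value to store;
    over a header that already carries a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header plus options; reject malformed or corrupted headers."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 5 or len(data) < ihl * 4:      # fewer than 5 words cannot hold the fixed header
        raise ValueError("invalid IHL")
    header = data[:ihl * 4]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad header checksum")
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    return IPv4Header(version, ihl, tos >> 2, tos & 0x03, total_length, ident,
                      flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, csum,
                      src, dst, header[20:])


def build_ipv4_header(src: str, dst: str, *, total_length: int = 40, ident: int = 0x1234,
                      flags: int = 0b010, frag_offset: int = 0, ttl: int = 64,
                      protocol: int = 6, dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed sample header (no options) with a correct checksum."""
    to_bytes = lambda ip: bytes(int(octet) for octet in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, (dscp << 2) | ecn, total_length, ident,
                         (flags << 13) | frag_offset, ttl, protocol, 0, to_bytes(src), to_bytes(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


if __name__ == "__main__":
    sample = build_ipv4_header("10.0.0.10", "10.0.1.100")    # constructed: TCP, DF set
    print(parse_ipv4_header(sample))
    corrupted = sample[:8] + b"\x01" + sample[9:]             # TTL altered in flight
    try:
        parse_ipv4_header(corrupted)
    except ValueError as e:
        print("rejected:", e)
```

A filter that skips the checksum or the IHL check can be fed a header whose port fields land at an offset the rule engine never looks at; parsing strictly first is what makes the later rule match meaningful.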

Packet Filter

 Configured via Access Control Lists (ACLs)

Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
Allow   Inside     Outside  Any          80         HTTP      Any
Allow   Outside    Inside   80           > 1023     HTTP      ACK
Deny    All        All      All          All        All       All

 Q: Intention?
 A: Restrict traffic to Web browsing

Packet Filter Rules

Packet Filter Weaknesses

 weaknesses
 cannot prevent attack on application bugs
 limited logging functionality
 do not support advanced user authentication
 vulnerable to attacks on TCP/IP protocol bugs
 improper configuration can lead to breaches
 attacks
 IP address spoofing, source route attacks, tiny fragment attacks

[Figure: protocol layer stack: Physical, Logic, Network, Transport]

TCP ACK Scan

 Attacker scans for open ports through firewall
 Port scanning is first step in many attacks
 Attacker sends packet with ACK bit set, without prior 3-way handshake
 Violates TCP/IP protocol
 ACK packet passes through packet filter firewall
 Appears to be part of an ongoing connection
 RST sent by recipient of such packet

TCP ACK Scan

 Attacker knows port 1209 open through firewall
 A stateful packet filter can prevent this
 Since scans not part of established connections

[Figure: Trudy sends ACK packets with dest ports 1207, 1208, 1209 through the packet filter into the internal network]

Stateful packet filter

 reviews packet header information but also keeps info on TCP connections
 typically have low, “known” port nr for server
 and high, dynamically assigned client port nr
 simple packet filter must allow all return high port numbered packets back in
 stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
 only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
 may also track TCP seq numbers as well

[Figure: protocol layer stack: Physical, Logic, Network, Transport, Application]

Stateful Packet Filter

 Advantages?
 Can do everything a packet filter can do plus...
 Keep track of ongoing connections (so prevents TCP ACK scan)
 Disadvantages?
 Cannot see application data
 Slower than packet filtering

[Figure: protocol layer stack: Physical, Logic, Network, Transport]
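Added example, not from the slides: a Python model of the “web browsing only” ACL from the Packet Filter slide, evaluated first-match with a discard default, next to a stateful version that keeps the directory of connections described above. Run against the ACK-scan probes of the TCP ACK Scan slides, the stateless filter lets every unsolicited ACK to a high port through (rule 2 matches it), while the stateful filter admits an inbound packet to a high port only if it matches a connection opened from inside. The internal network 10.0.0.0/24, the hosts 10.0.0.10, 198.51.100.7 and 203.0.113.5, and the probe ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set, Tuple

INTERNAL_NET = ip_network("10.0.0.0/24")        # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # "inside", "outside" or "any"
    dst: str
    sport: str                   # "any", an exact port like "80", or a range like ">1023"
    dport: str
    proto: str = "any"
    ack: Optional[bool] = None   # None = any flag bits, True = ACK must be set


def side(ip: str) -> str:
    return "inside" if ip_address(ip) in INTERNAL_NET else "outside"


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", side(pkt.src_ip))
            and rule.dst in ("any", side(pkt.dst_ip))
            and port_matches(rule.sport, pkt.src_port)
            and port_matches(rule.dport, pkt.dst_port)
            and rule.proto in ("any", pkt.proto)
            and (rule.ack is None or rule.ack == pkt.ack))


# The ACL from the slide: browsing out, replies back in, everything else denied.
WEB_ONLY_RULES = [
    Rule("allow", "inside", "outside", "any", "80", "tcp"),
    Rule("allow", "outside", "inside", "80", ">1023", "tcp", ack=True),
    Rule("deny", "any", "any", "any", "any"),
]


def stateless_filter(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default policy applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Same rules, plus a directory of connections opened from inside. Inbound traffic
    to a high-numbered port is allowed only if it matches an entry in that directory."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections: Set[Tuple[str, int, str, int]] = set()   # (client ip, port, server ip, port)

    def decide(self, pkt: Packet) -> str:
        if side(pkt.src_ip) == "outside" and pkt.dst_port > 1023:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "allow" if key in self.connections else "deny"
        action = stateless_filter(self.rules, pkt)
        if action == "allow" and pkt.syn and not pkt.ack and side(pkt.src_ip) == "inside":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        # A production filter also ages entries out and removes them on FIN/RST; omitted here.
        return action


def ack_scan_results(decide: Callable[[Packet], str], attacker: str = "203.0.113.5",
                     target: str = "10.0.0.10", ports=(1207, 1208, 1209)) -> List[int]:
    """Ports whose unsolicited ACK probe (no handshake) the filter lets through to the target."""
    return [p for p in ports if decide(Packet(attacker, target, 80, p, ack=True)) == "allow"]


if __name__ == "__main__":
    print("stateless lets through:", ack_scan_results(lambda p: stateless_filter(WEB_ONLY_RULES, p)))
    sf = StatefulFilter(WEB_ONLY_RULES)
    print("stateful lets through: ", ack_scan_results(sf.decide))
    sf.decide(Packet("10.0.0.10", "198.51.100.7", 40000, 80, syn=True))   # browser opens a connection
    print("legitimate reply:", sf.decide(Packet("198.51.100.7", "10.0.0.10", 80, 40000, ack=True)))
```

The point the model makes visible: the ACK flag rule in row 2 is the only way a stateless filter can tell replies from fresh inbound connections, and it is exactly the property an ACK probe satisfies; the directory of connections replaces that guess with a fact the firewall observed itself.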

Application-Level Gateway

 acts as a relay of application-level traffic
 users contact gateway with remote host name
 authenticate themselves
 gateway contacts application on remote host and relays TCP segments between server and user
 must have proxy code for each application
 may restrict application features supported
 more secure than packet filters
 but have higher overheads

[Figure: protocol layer stack: Physical, Logic, Network, Transport, Application]

Application Proxy

 Advantages?
 Complete view of connections and application data
 Filter bad data at application layer (viruses, Word macros)
 Disadvantages?
 Speed

[Figure: protocol layer stack: Physical, Logic, Network, Transport, Application]

Circuit-Level Gateway

 sets up two TCP connections, to an inside user and to an outside host
 relays TCP segments from one connection to the other without examining contents
 hence independent of application logic
 just determines whether relay is permitted
 typically used when inside users trusted
 may use application-level gateway inbound and circuit-level gateway outbound
 hence lower overheads

[Figure: protocol layer stack: Physical, Logic, Network, Transport, Application]

SOCKS Circuit-Level Gateway

 SOCKS v5 defined as RFC1928 to allow TCP/UDP applications to use firewall
 components:
 SOCKS server on firewall
 SOCKS client library on all internal hosts
 SOCKS-ified client applications
 client app contacts SOCKS server, authenticates, sends relay request
 server evaluates & establishes relay connection
 UDP handled with parallel TCP control channel
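Added example, neither the slides' nor any SOCKS implementation's code: the SOCKS v5 exchange of RFC 1928 in Python, with the client side building the greeting and CONNECT request and the server side on the firewall choosing the authentication method and evaluating the relay request against a policy before it answers. The policy (only destination ports 80 and 443, never back into 10.0.0.0/8), the bound address 10.0.0.1:1080 and the sample destinations are constructed; the RFC 1929 username/password sub-negotiation and the socket relay itself are left out so the message handling can be read on its own.

```python
import struct
from ipaddress import ip_address, ip_network
from typing import Tuple

SOCKS_VERSION = 5
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x00, 0x02, 0x07, 0x08


# ---- client side (the SOCKS-ified application / client library) ----
def client_greeting(methods=(METHOD_USERPASS,)) -> bytes:
    """VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (RFC 1928, section 4)."""
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None                                     # not a literal address: send the domain name
    if ip is None:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        raise ValueError("IPv6 destinations are not handled in this example")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(reply: bytes) -> Tuple[int, str, int]:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, bound address, bound port)."""
    ver, rep, _rsv, atyp = reply[:4]
    if ver != SOCKS_VERSION or atyp != ATYP_IPV4:
        raise ValueError("unexpected reply format")
    return rep, str(ip_address(reply[4:8])), struct.unpack("!H", reply[8:10])[0]


# ---- server side (the SOCKS server on the firewall) ----
class SocksServer:
    BIND_ADDR, BIND_PORT = "10.0.0.1", 1080         # constructed: where the relay socket is bound

    def __init__(self, allowed_ports=(80, 443), protected_nets=("10.0.0.0/8",)):
        self.allowed_ports = set(allowed_ports)     # constructed relay policy
        self.protected_nets = [ip_network(n) for n in protected_nets]

    def select_method(self, greeting: bytes) -> bytes:
        """Answer the greeting: insist on username/password, else refuse (0xFF)."""
        ver, nmethods = greeting[0], greeting[1]
        offered = set(greeting[2:2 + nmethods])
        if ver != SOCKS_VERSION or METHOD_USERPASS not in offered:
            return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])
        return bytes([SOCKS_VERSION, METHOD_USERPASS])

    def _permitted(self, host: str, port: int) -> bool:
        if port not in self.allowed_ports:
            return False
        try:
            ip = ip_address(host)
        except ValueError:
            return True                               # domain name: only the port can be checked here
        return not any(ip in net for net in self.protected_nets)

    def _reply(self, rep: int, bnd_addr: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
        return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
                + ip_address(bnd_addr).packed + struct.pack("!H", bnd_port))

    def handle_request(self, req: bytes) -> bytes:
        """Evaluate the relay request; a real server would now connect and relay on success."""
        ver, cmd, _rsv, atyp = req[:4]
        if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
            return self._reply(REP_CMD_NOT_SUPPORTED)
        if atyp == ATYP_IPV4:
            host, rest = str(ip_address(req[4:8])), req[8:]
        elif atyp == ATYP_DOMAIN:
            n = req[4]
            host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
        else:
            return self._reply(REP_ATYP_NOT_SUPPORTED)
        port = struct.unpack("!H", rest[:2])[0]
        if not self._permitted(host, port):
            return self._reply(REP_NOT_ALLOWED)      # "connection not allowed by ruleset"
        return self._reply(REP_SUCCEEDED, self.BIND_ADDR, self.BIND_PORT)


if __name__ == "__main__":
    server = SocksServer()
    print("method:", server.select_method(client_greeting()).hex())
    for host, port in (("198.51.100.7", 80), ("198.51.100.7", 23), ("10.0.0.10", 80)):
        print(host, port, "->", parse_reply(server.handle_request(client_connect_request(host, port))))
```

Refusing with REP 0x02 rather than silently dropping is what the RFC specifies; logging those refusals at the server is the cheap monitoring point the circuit-level design gives you, since every relay through the firewall starts with one of these requests.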

Deep Packet Inspection

 Many buzzwords used for firewalls
 One example: deep packet inspection
 What could this mean?
 Look into packets, but don’t really “process” the packets
 Effect like application proxy, but faster

Deep Packet Inspection

 Uses information up to Application layer
 Including app data
 Can differentiate based on all information
 Prioritize, reroute, shape, drop, etc.
 Used by ISPs to:
 Detect/mitigate security attacks: DoS, buffer overflows, virus, etc.
 Throttle “unwanted” P2P
 Touches net neutrality
 Hardware implemented
 Needs to be at line speed

[Figure: protocol layer stack: Physical, Logic, Network, Transport, Application]

Firewall Topologies

Firewalls and Defense in Depth

 Typical network security architecture

[Figure: Internet, Packet Filter, DMZ (FTP server, DNS server, Web server), Application Proxy, Intranet with additional defense]

Firewall Basing

 several options for locating firewall:
 bastion host
 individual host-based firewall
 personal firewall

Bastion Hosts

 critical strongpoint in network
 hosts application/circuit-level gateways
 common characteristics:
 runs secure O/S, only essential services
 may require user auth to access proxy or host
 each proxy can restrict features, hosts accessed
 each proxy small, simple, checked for security
 each proxy is independent, non-privileged
 limited disk use, hence read-only code

Host-Based Firewalls

 used to secure individual host
 available in/add-on for many O/S
 filter packet flows
 often used on servers
 advantages:
 tailored filter rules for specific host needs
 protection from both internal / external attacks
 additional layer of protection to org firewall

Personal Firewall

 controls traffic flow to/from PC/workstation
 for both home or corporate use
 may be software module on PC
 or in home cable/DSL router/gateway
 typically much less complex
 primary role to deny unauthorized access
 may also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations

Virtual Private Networks

Distributed Firewalls

Firewall Topologies

 host-resident firewall
 screening router
 single bastion inline
 single bastion T
 double bastion inline
 double bastion T
 distributed firewall configuration

Firewall Topologies

 Single bastion inline
 Single bastion T

Intrusion Prevention Systems

Intrusion Prevention Systems (IPS)

 addition to security products
 inline net/host-based IDS that can block traffic
 functional addition to firewall that adds IDS capabilities
 can block traffic like a firewall
 using IDS algorithms
 may be network or host based

Host-Based IPS

 identifies attacks using both:
 signature techniques: malicious application packets
 anomaly detection techniques: behavior patterns that indicate malware
 can be tailored to the specific platform
 e.g. general purpose, web/database server specific
 can also sandbox applets to monitor behavior
 may give desktop file, registry, I/O protection

Network-Based IPS

 inline NIDS that can discard packets or terminate TCP connections
 uses signature and anomaly detection
 may provide flow data protection
 monitoring full application flow content
 can identify malicious packets using:
 pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
 cf. SNORT inline can drop/modify packets
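Added example, not from the slides or from SNORT: a minimal inline inspector in Python covering three of the techniques named on the Network-Based IPS slide and the application-data look of the Deep Packet Inspection slides. Pattern matching runs constructed signatures over the payload; protocol-anomaly detection checks that what claims to be an HTTP request obeys the request-line and header grammar; stateful matching is shown by a request whose bad pattern straddles two TCP segments, so per-packet matching misses it and only the reassembled flow triggers. The signatures, host names and traffic are all constructed; the reassembly assumes contiguous, non-overlapping segments.

```python
import re
from typing import List, Tuple

# Constructed signatures: an executable body after the header block, and two web-attack patterns.
SIGNATURES = [
    ("pe-executable-in-body", re.compile(rb"\r\n\r\nMZ")),
    ("sqli-union-select", re.compile(rb"(?i)union(?:\s|%20|\+)+select")),
    ("path-traversal", re.compile(rb"\.\./")),
]

# Request line grammar: METHOD SP request-target SP HTTP-version (target = printable, no spaces).
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) [!-~]+ HTTP/1\.[01]$")


def signature_hits(payload: bytes) -> List[str]:
    """Pattern matching: names of the signatures found anywhere in the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


def protocol_anomalies(request: bytes) -> List[str]:
    """Protocol-anomaly detection: grammar violations rather than known-bad content."""
    findings = []
    lines = request.split(b"\r\n")
    if not HTTP_REQUEST_LINE.match(lines[0]):
        findings.append("malformed-request-line")
    for header in lines[1:]:
        if header == b"":                 # blank line ends the header block
            break
        if b":" not in header:
            findings.append("malformed-header")
            break
    return findings


def reassemble(segments) -> bytes:
    """Stateful matching works on the flow, not on single packets: order the (seq, data)
    segments and join them. Assumes contiguous, non-overlapping segments (constructed input)."""
    return b"".join(data for _seq, data in sorted(segments))


def inspect(request: bytes) -> Tuple[str, List[str]]:
    """Inline decision for one reassembled request: drop on any finding, otherwise pass."""
    findings = signature_hits(request) + protocol_anomalies(request)
    return ("drop" if findings else "pass", findings)


# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
NO_VERSION = b"GET /index.html\r\n\r\n"
EXE_UPLOAD = b"POST /upload HTTP/1.1\r\nHost: files.example\r\nContent-Length: 4\r\n\r\nMZ\x90\x00"
# The attack pattern straddles two TCP segments: per-packet matching sees only half of it.
SPLIT_FLOW = [
    (0, b"GET /search?q=1%20UNION"),
    (23, b"%20SELECT%20password HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]


if __name__ == "__main__":
    print("benign:       ", inspect(BENIGN))
    print("per-segment:  ", [signature_hits(data) for _seq, data in SPLIT_FLOW])
    print("reassembled:  ", inspect(reassemble(SPLIT_FLOW)))
    print("no version:   ", inspect(NO_VERSION))
    print("exe upload:   ", inspect(EXE_UPLOAD))
```

The reassembly step is also why the slide's "needs to be at line speed" is hard: an inline device must hold segments until the flow is complete enough to judge, and the buffer it keeps per flow is itself a resource an attacker can exhaust, which is where traffic-anomaly and statistical-anomaly detection enter.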

Unified Threat Management Products

Tools

Firewalk

 Tool to scan for open ports through firewall
 nmap script
 Attacker knows IP address of firewall and IP address of one system inside firewall
 Set TTL to 1 more than number of hops to firewall, and set destination port to N
 If firewall allows data on port N through firewall, get time exceeded error message
 Otherwise, no response

Firewalk and Proxy Firewall

 This will not work through an application proxy (why?)
 The proxy creates a new packet, destroys old TTL

[Figure: Trudy sends packets with dest ports 12345, 12344, 12343 and TTL=4 through router, packet filter, router; time exceeded comes back]

iptables - path of an IP packet on Netfilter

[Figure: packet path through Netfilter: PREROUTING, ROUTE, INPUT, Local Process, OUTPUT, ROUTE, FORWARD, POSTROUTING; tables consulted along the chains: NAT (Dst), Mangle, Filter, Security, NAT (Src)]

Tables contain chains

Filter: INPUT, FORWARD, OUTPUT
Nat: PREROUTING, FORWARD, POSTROUTING
Mangle: INPUT, OUTPUT, PREROUTING, FORWARD, POSTROUTING

iptables (cont.)

 Add rules to tables, specifying the chain they belong to.
 When a packet matches a rule, its target is executed.
 Targets vary according to tables.
 Examples:
Filter Table: DROP, ACCEPT
NAT Table: DNAT, SNAT, MASQUERADE, REDIRECT
 New chains may be created by the user and set as targets of rules.

iptables (cont.)

 Example:
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

firewall-bypass

 Uses the connection helpers of netfilter to open ports
 nmap firewall-bypass script
 Protocols such as ftp or sip have out-of-band management
 Have a management connection different from the data connection, and have a passive mode
 Netfilter must interpret this (e.g.: nf_conntrack_ftp)
 firewall-bypass uses incorrect config to open ports on the firewall
 See more detail in Eric Leblond's presentation

Demonstration

Network

[Figure: demonstration network: Internet; subnets 10.0.0.0/24 and 10.0.1.0/24; addresses 10.0.0.10, 10.0.0.1, 10.0.1.1, 10.0.1.100; interfaces enp0s8, enp0s9]

SSH access: server to workstation

[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT
 Default is the filter table
[workstation] iptables -L INPUT --line-numbers
[server] ssh 10.0.0.10
[workstation] iptables -D INPUT 1
 Or: iptables -D INPUT -i enp0s8 --proto tcp --dport 22 -j REJECT
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j DROP
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -A INPUT -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10
[workstation] iptables -L INPUT --line-numbers
[workstation] iptables -I INPUT 1 -i enp0s8 --proto tcp --dport 22 -j ACCEPT
[server] ssh -o ConnectTimeout=2 10.0.0.10

SSH access: mediavault to workstation

[openmediavault] ssh 10.0.0.10
[server] iptables -A FORWARD --proto tcp --dport 22 -j REJECT
[openmediavault] ssh 10.0.0.10
[workstation] ssh 10.0.1.100
[server] iptables -I FORWARD 1 -o enp0s8 --proto tcp --dport 22 -j ACCEPT
[workstation] ssh 10.0.1.100
[openmediavault] ssh 10.0.0.10

Allow ping from workstation

 [server] iptables -P FORWARD DROP
 [server] iptables -A FORWARD -o enp0s9 -p icmp --icmp-type echo-request -j ACCEPT
 [server] iptables -A FORWARD -o enp0s8 -p icmp

Summary

 introduced need for & purpose of firewalls
 types of firewalls
 packet filter, stateful inspection, application and circuit gateways
 firewall hosting, locations, topologies
 intrusion prevention systems