
© From Computer Networking, by Kurose&Ross 6: Network Access Control 6-1

Managing and Securing Computer Networks
Guy Leduc

Chapter 6: Network Access Control

Computer Networking: A Top-Down Approach, 6th edition. Jim Kurose, Keith Ross, Addison-Wesley, March 2012 (section 8.9).

Network Security: PRIVATE Communication in a PUBLIC World. C. Kaufman, R. Perlman, M. Speciner, Pearson Education, 2002 (chapter 23).

Chapter 6: Network Access Control

Chapter goals:

❒ security in practice: operational security
❍  Firewalls


Chapter Roadmap

❒ Firewalls
❍  Introduction and types of firewalls
❍  Traditional (stateless) packet filters
❍  Stateful packet filters
❍  Application gateways
❍  Circuit-level gateways
❍  Firewall configurations
❒ IDS: Intrusion Detection Systems


Firewalls

❒ isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others

(figure: firewall between the administered network and the public Internet)


Firewalls: Why?

❒ because the internal network is unlikely to be properly secured
❍  weak passwords, patches not installed, etc.
❒ because the Internet is a scary place
❍  spies from unfriendly countries, users from competing companies, criminals, disgruntled ex-employees, vandals compensating for their lack of social life by annoying others, …
❒ to prevent denial of service attacks
❍  e.g., SYN flooding: attacker starts many bogus (half-open) TCP connections; no resources left for "real" connections
❒ to prevent illegal modification/access of internal data
❍  e.g., attacker replaces CIA's homepage with something else
❒ to allow only authorized access to inside network
❍  set of authenticated users/hosts


Analogies

❒ Security is aggregated at a single point
❒ Analogies
❍  Apartments are locked at the entrance (not necessarily at each door)
❍  Passports are checked at the border of a country
❍  Offices don't usually have a door to the outside world
❒ Additional security precautions may be required under certain circumstances


Firewall

❒ Design goals for a firewall:
❍  All traffic from inside to outside, and vice versa, must pass through the firewall
❍  Only authorized traffic, as defined by the local security policy, will be allowed to pass
❍  The firewall itself is immune to penetration
❒ Capabilities that are within the scope of a firewall
❍  It provides a location for monitoring security-related events. Audits and alarms can be implemented on it
❍  It is a convenient platform for several Internet functions that are not security related (network address translator, network management related to Internet usage, …)
❍  It can be used to implement Virtual Private Networks (VPN) by using a tunnel mode capability


Limitations of firewalls

❒ The firewall cannot protect against attacks that bypass the firewall
❍  WiFi networks reachable from outside the company
❍  Dial-out capability of some systems to connect to an ISP
❍  Modem pool on an internal LAN to provide dial-in capability for traveling employees
❒ No protection against internal threats
❒ No protection against virus-infected programs or files


Firewall Policy

❒ Two levels of policy that directly influence the design, installation, and use of a firewall system:
❍  The higher-level policy, the service access policy, defines
•  the TCP/IP protocols and services that should be allowed or denied from the protected network
•  how these services should be used
•  how exceptions to this policy are handled
❍  The lower-level policy, the firewall design policy, describes how the firewall actually goes about restricting access and filtering the TCP/IP protocols and services according to the service access policy
❒ The policy should be as flexible as possible
❍  To accommodate the organization's changing needs as the Internet offers new services, …


Service Access Policy

❒ It is part of the Network Security Policy (NSP), which is a document that describes an organization's network security concerns and specifies how network security should be achieved
❒ Examples
❍  allow no inbound access to an intranet, but allow full outbound access to the Internet
❍  some inbound access, but perhaps only to selected systems, such as information servers or e-mail gateways
❍  allow access to some internal systems but only with strong user authentication


Firewall Design Policy

❒ It refines the Service Access Policy
❒ It defines the rules used by the firewall to implement the Service Access Policy
❒ One may implement one of the following two stances:
❍  Permit any service unless it is expressly denied
❍  Deny any service unless it is expressly permitted
•  Preferable
❒ The first stance would allow users to
❍  access new services currently not denied
❍  run denied services on non-standard ports not expressly denied by the policy


Types of Firewalls

❒ 1. Packet filter, or packet-filtering router
❍  Stateless or stateful


Stateless packet filtering

❒ internal network connected to Internet via router firewall
❒ router filters packet-by-packet, decision to forward/drop packet based on:
❍  source IP address, destination IP address
❍  other IP protocol fields
❍  TCP/UDP source and destination port numbers
❍  ICMP message type
❍  TCP SYN and ACK bits
❒ Not solely based on IP header!

Should arriving packet be allowed in?


Stateless packet filtering: example

❒ example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and those with either source or dest port = 23 (telnet)
❍  result: all incoming, outgoing UDP flows and telnet connections are blocked
❒ example 2: block inbound TCP segments with SYN=1, ACK=0
❍  result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside

Stateless packet filtering: more examples

Policy | Firewall Setting
No outside Web access | Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for institution's public Web server | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth | Drop all incoming UDP packets - except DNS and router broadcasts
Prevent your network from being used for a smurf DoS attack | Drop all ICMP packets going to a "broadcast" address (e.g., 130.207.255.255)
Prevent your network from being tracerouted |


Packet Filter Rules

❒ Two parts
❍  Selection criteria: a sort of pattern matching
❍  Action field: action to be taken if an IP packet meets the selection criteria
•  Block (deny)
•  Permit (allow)
❒ ACL: Access Control Lists
❍  For each incoming IP packet:
•  check the selection criteria in sequence until one matches the packet; the order is thus relevant
•  apply the specified action and stop checking the remaining rules
•  if no rule matches the packet, apply the default policy
–  or add the default policy at the end with a wildcard pattern

Access Control Lists

❒ ACL: table of rules, applied top to bottom to

action | source address | dest address | protocol | source port | dest port | flag bit
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | ---
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | ---
deny | all | all | all | all | all | all


IP spoofing attack

❒ IP spoofing: the source IP address has been modified by an intruder
❍  e.g.: Trudy replaces her address by the address of a trusted host on the intranet
❒ Nothing ensures the authenticity of a source IP address
❒ Sequence number prediction attack based on IP spoofing
❍  Alice trusts Bob
❍  Trudy uses Bob's address to open a connection with Alice
❍  Trudy sends a TCP SYN segment to Alice with initial sequence number x
❍  Alice replies with a SYN-ACK segment carrying her initial sequence number y, to Bob!
❍  Trudy must keep Bob from answering this segment (otherwise Bob sends back a RST)
•  Typically by using a SYN flooding attack on Bob
❍  Trudy should reply to Alice with an ACK (y+1) but does not know y!
•  She has to guess it; historically not that difficult, because y was not random
❒ Firewall solution to block IP spoofing:
❍  Add a packet filter rule that discards any inbound packet that contains a source IP address of an internal machine


IP Fragmentation Problem

❒ When an IP packet is fragmented, only the first fragment contains the transport (TCP or UDP) header!
❒ First possibility:
❍  Filtering is applied to the first fragment
❍  Other fragments pass through
❍  Anyway, when reassembled, partial IP packets (without the 1st fragment) are discarded by the destination
❍  But: may still be dangerous for outbound packets, because big parts of transport segments could escape the intranet (possibly with sensitive data)
❒ Other possibility:
❍  Maintain a cache of recently seen first fragments, together with the associated action (Permit or Deny) that was applied
❍  Apply the same decision to non-first fragments
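An added worked example, not from the slides: the two fragment-handling policies side by side in Python, run over a constructed outbound telnet datagram split into three fragments. The "pass" policy lets the non-first fragments through, which is the data-leak case described above; the "cache" policy remembers the verdict on the first fragment, keyed by (source, destination, protocol, identification), and applies it to the rest. The Fragment type, the bounded cache size, the decision to drop an orphan fragment whose first fragment was never seen, and the addresses are assumptions of the example.

```python
# Added example (not from the slides): fragment filtering with and without a first-fragment cache.
from collections import OrderedDict
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP
    ident: int            # IPv4 identification: shared by all fragments of one datagram
    offset: int           # fragment offset (8-byte units); 0 = first fragment
    more: bool            # more-fragments (MF) flag
    sport: int = None     # transport header fields: present only when offset == 0
    dport: int = None

def first_fragment_rule(frag):
    # Example 1 from the slides: block UDP (protocol 17) and telnet (port 23).
    if frag.proto == 17 or 23 in (frag.sport, frag.dport):
        return "deny"
    return "allow"

class FragmentFilter:
    """policy="pass": filter the first fragment, let the others through.
    policy="cache": remember the first fragment's verdict and reuse it."""
    def __init__(self, policy, rule=first_fragment_rule, cache_size=1024):
        self.policy, self.rule, self.cache_size = policy, rule, cache_size
        self.cache = OrderedDict()    # (src, dst, proto, ident) -> "allow" / "deny"

    def filter(self, frag):
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        if frag.offset == 0:
            verdict = self.rule(frag)
            if self.policy == "cache" and frag.more:
                self.cache[key] = verdict
                if len(self.cache) > self.cache_size:
                    self.cache.popitem(last=False)   # bounded: evict the oldest datagram
            return verdict
        if self.policy == "pass":
            return "allow"                           # no transport header to check
        verdict = self.cache.get(key)
        if verdict is None:
            return "deny"     # orphan (out of order, or first fragment never sent): assumption, drop it
        if not frag.more:
            del self.cache[key]                      # last fragment seen: forget the datagram
        return verdict

def demo():
    """A constructed outbound telnet segment split into three fragments, under both policies."""
    frags = [
        Fragment("10.0.0.5", "198.51.100.7", 6, 4242, 0, True, sport=40000, dport=23),
        Fragment("10.0.0.5", "198.51.100.7", 6, 4242, 185, True),
        Fragment("10.0.0.5", "198.51.100.7", 6, 4242, 370, False),
    ]
    return {policy: [FragmentFilter(policy).filter(f) for f in frags] for policy in ("pass", "cache")}
```

demo() returns the per-fragment verdicts: under "pass" only the first fragment is dropped and the two payload-carrying fragments leave the intranet; under "cache" all three are dropped. The cache is bounded and entries are removed when the last fragment is seen, so it cannot be grown without limit by a flood of first fragments that never complete.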


Stateful packet filtering

❒ stateless packet filter: heavy-handed tool
❍  admits packets that "make no sense," e.g., dest port = 80, ACK bit set, even though no TCP connection established:

action | source address | dest address | protocol | source port | dest port | flag bit
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK

❒ stateful packet filter: track status of every TCP connection
❍  track connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets "make sense"
❍  timeout inactive connections at firewall: no longer admit

Stateful packet filtering

❒ ACL augmented to indicate need to check connection state table before admitting packet

action | source address | dest address | proto | source port | dest port | flag bit | check connection
allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any |
allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK | x
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | --- |
allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | --- | x
deny | all | all | all | all | all | all |
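An added worked example, not from the slides or from Kurose & Ross: the ACL above as a first-match rule list in Python, with the "check connection" column backed by a connection table, so the same packets can be run through a stateless and a stateful filter. It also serves the Access Control Lists slide (first match wins, explicit default deny at the end) and the anti-spoofing rule from the IP spoofing slide, which is placed first. The Packet and Rule types, the arrival-interface field, the 300-second idle timeout and the addresses 1.2.3.4 and 222.22.1.x are assumptions of the example.

```python
# Added example: a first-match ACL evaluator with an optional connection table (not from the slides).
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("222.22.0.0/16")   # the institution's address block on the slides

@dataclass(frozen=True)
class Packet:
    iface: str            # arrival interface, "inside" or "outside" (assumed known to the filter)
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

@dataclass
class Rule:
    action: str           # "allow" or "deny"
    iface: str            # arrival interface, or None for any
    src_inside: bool      # True = source in 222.22/16, False = outside it, None = any
    dst_inside: bool
    proto: str            # None = any protocol
    sport: str            # None = any, "53" = exactly 53, ">1023" = above 1023
    dport: str
    flag: str             # "ACK" = ACK bit must be set, None = any
    check_conn: bool = False   # the stateful column: admit only if the flow is in the table

def _port_ok(spec, port):
    return spec is None or (port > int(spec[1:]) if spec.startswith(">") else port == int(spec))

def _side_ok(spec, addr):
    return spec is None or (ipaddress.ip_address(addr) in INSIDE) == spec

def matches(rule, pkt):
    return ((rule.iface is None or rule.iface == pkt.iface)
            and _side_ok(rule.src_inside, pkt.src) and _side_ok(rule.dst_inside, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)
            and (rule.flag != "ACK" or pkt.ack))

# The slides' ACL with the anti-spoofing rule first. Order matters: the first matching rule decides.
ACL = [
    Rule("deny",  "outside", True,  None,  None,  None,    None,    None),                    # inside source arriving from outside
    Rule("allow", "inside",  True,  False, "TCP", ">1023", "80",    None),                    # outbound web requests
    Rule("allow", "outside", False, True,  "TCP", "80",    ">1023", "ACK", check_conn=True),  # web replies
    Rule("allow", "inside",  True,  False, "UDP", ">1023", "53",    None),                    # outbound DNS queries
    Rule("allow", "outside", False, True,  "UDP", "53",    ">1023", None,  check_conn=True),  # DNS replies
    Rule("deny",  None,      None,  None,  None,  None,    None,    None),                    # explicit default deny
]

def flow_key(pkt):
    # Normalise so both directions of one flow map to the same table entry.
    if ipaddress.ip_address(pkt.src) in INSIDE:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

class Filter:
    def __init__(self, acl, stateful=True, timeout=300):
        self.acl, self.stateful, self.timeout = acl, stateful, timeout
        self.conns = {}   # (inside addr, inside port, outside addr, outside port) -> last seen

    def filter(self, pkt, now=0):
        # Time out inactive flows first, so stale entries no longer admit packets.
        self.conns = {k: t for k, t in self.conns.items() if now - t <= self.timeout}
        key = flow_key(pkt)
        for rule in self.acl:
            if not matches(rule, pkt):
                continue
            if rule.action == "deny":
                return "deny"
            if rule.check_conn:
                if self.stateful and key not in self.conns:
                    return "deny"        # a "reply" with no flow to belong to
            elif pkt.proto == "UDP" or (pkt.syn and not pkt.ack):
                self.conns[key] = now    # flow initiated from inside: SYN, or first UDP datagram
            if pkt.fin:
                self.conns.pop(key, None)    # teardown
            elif key in self.conns:
                self.conns[key] = now    # refresh the idle timer
            return "allow"
        return "deny"                    # no rule matched: default policy

def demo():
    stray_ack = Packet("outside", "1.2.3.4", "222.22.1.1", "TCP", 80, 5000, ack=True)
    out_syn = Packet("inside", "222.22.1.1", "1.2.3.4", "TCP", 5000, 80, syn=True)
    spoofed = Packet("outside", "222.22.1.1", "222.22.1.2", "TCP", 40000, 80, syn=True)
    fw = Filter(ACL)
    return {
        "stateless admits stray ACK": Filter(ACL, stateful=False).filter(stray_ack),
        "stateful drops stray ACK": fw.filter(stray_ack),
        "spoofed inside source dropped": fw.filter(spoofed),
        "outbound SYN allowed": fw.filter(out_syn, now=0),
        "reply ACK allowed once flow exists": fw.filter(stray_ack, now=1),
        "reply after idle timeout dropped": fw.filter(stray_ack, now=400),
    }
```

demo() reproduces the slide's point with constructed packets: the stateless filter admits a stray ACK from port 80 to port 5000 because it matches the "web replies" row; the stateful filter admits it only after an outbound SYN has created the flow entry, and drops it again once the entry has idled out. The same table entry also gates the inbound DNS reply row, so a UDP "reply" to a port that never sent a query is dropped.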


Discussion on packet filtering

❒ Packet filters (screening routers) are used and widely deployed, for several reasons:
❍  It is a low-cost technology
❍  It is transparent to applications (no changes needed)
❍  It is not based on cryptography: good for worldwide distribution
❒ Packet filters are not a panacea, because they have weaknesses
❍  Configuring packet filter rules correctly is difficult and error-prone
•  The rule language is optimized for the router, not for the administrator
•  Care with the rule ordering is required, when there are exceptions
•  Requires intricate knowledge of TCP/IP
–  Think in terms of bidirectional flows whose characteristics may be different
❍  No user authentication


Application gateways

❒ filters packets on application data as well as on IP/TCP/UDP fields
❒ example: allow select internal users to telnet outside
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections
3. Router/filter blocks all telnet connections not originating from gateway

(figure: host-to-gateway telnet session, application gateway, router and filter)


Application Gateways

❒ An application-level gateway, also called proxy server, acts as a relay of application-level traffic
❒ The user (from the intranet or the Internet) contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed
❒ When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays the application data between the two endpoints
❒ If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall
❒ The gateway can be configured to support only specific features of an application that the network administrator considers acceptable, while denying others


More on application gateways

❒ Such a gateway must have as many proxy servers as there are applications to be supported
❒ The authentication may be different if the user is from the intranet or from the Internet, e.g.,
❍  From intranet: simple list of IP addresses allowed to connect to external applications (IP spoofing possible)
❍  From Internet: strong authentication
❒ An application gateway terminates both TCP connections and relays the data between them in the 2 directions
❍  (Client <—> Proxy <—> Server)
❒ For outbound packets, the gateway may replace the source IP address by its own IP address (NAT)


Impact of proxies on the client

❒ The use of proxy servers usually requires some customization and modification of either user procedures or client software
❒ The approach just explained has no impact on the client's software, but the user has to be trained for an extra step to log on to the proxy
❒ Another approach is to customize and modify the client software
❍  Provides transparency to users accessing the Internet
❍  Done by additional software at the client that intercepts and directs the application traffic
❍  Not always easy and feasible
❒ The 2 approaches have their disadvantages


Filtering application exchanges

❒ Another benefit of a proxy server is that application protocols can be filtered
❒ Examples
❍  Filter out inbound FTP PUT command
❍  Filter out Java applets and ActiveX controls


Circuit-level gateway

❒ The circuit-level gateway is an intermediate solution between the packet filter and the application gateway
❍  Runs at the transport layer, and can thus act as proxy for any application
❒ Like an application gateway, the circuit-level gateway does not permit an end-to-end TCP connection
❍  Rather, it sets up 2 TCP connections too and relays the data from one to the other
❒ But, it does not examine the application data
❒ Typical use
❍  When the system administrator trusts the internal users, a circuit-level gateway is enough for outbound connections
•  No application-level inspection overhead for outgoing data
❍  An application gateway can still be used for inbound connections
❒ Requires modifying the client software too


SOCKS

❒ SOCKS (RFC 1928) refers to a circuit-level gateway
❍  SOCKS is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability
❒ Client software should be socksified
❍  Most recent HTTP clients have been socksified
❍  The client has to connect to the SOCKS server at the firewall
•  It is attached to a well-known port (TCP port 1080)
❍  Then the client enters a negotiation for the authentication method to be used, and authenticates with the chosen method
❍  Then the client sends a connection relay request to the SOCKS server, containing the desired destination IP address (or host name) and transport port
❍  The SOCKS server informs the client of the outcome, and in case of success starts relaying the data between the 2 connections
❒ An alternative to socksifying clients would be to socksify the TCP/IP stack
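An added worked example, not from the slides and not an implementation from RFC 1928 itself: the SOCKS5 messages of the exchange described above, built by the client side and parsed by the server side in Python, with the server deciding on the relay request against a ruleset. No sockets are opened; the functions produce and consume the byte strings that would travel on the wire. The allowed-port ruleset, the bound address 192.0.2.1:40001 returned on success, and the sample destinations are assumptions of the example; the username/password sub-negotiation (RFC 1929) is only marked, not implemented.

```python
# Added example (not from the slides): SOCKS5 handshake messages, both sides, without network I/O.
import ipaddress
import struct

VER = 0x05
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

def client_greeting(methods):
    # VER | NMETHODS | METHODS: the client offers the authentication methods it supports.
    return bytes([VER, len(methods), *methods])

def server_select_method(greeting, server_prefs):
    # Reply VER | METHOD, taking the server's most preferred method the client offered;
    # 0xFF means no acceptable method and the client must close the connection.
    if greeting[0] != VER:
        raise ValueError("not SOCKS5")
    offered = set(greeting[2:2 + greeting[1]])
    chosen = next((m for m in server_prefs if m in offered), NO_ACCEPTABLE)
    return bytes([VER, chosen])

def client_connect_request(host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT; host may be an IPv4/IPv6 literal or a name.
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data):
    ver, cmd, _rsv, atyp = data[:4]
    if ver != VER:
        raise ValueError("not SOCKS5")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        return cmd, None, None
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port

def server_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bnd_addr).packed + struct.pack("!H", bnd_port))

def server_handle_request(data, allowed_ports):
    """The relay decision of a circuit-level gateway: destination and port only, no application data."""
    cmd, host, port = parse_request(data)
    if host is None:
        return server_reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return server_reply(REP_CMD_UNSUPPORTED)
    if port not in allowed_ports:
        return server_reply(REP_RULESET)              # "connection not allowed by ruleset"
    return server_reply(REP_OK, "192.0.2.1", 40001)   # assumed bound address of the outgoing leg

def exchange(host, port, client_methods=(NO_AUTH, USER_PASS), server_prefs=(USER_PASS,),
             allowed_ports=(80, 443)):
    """Both sides of the handshake in order; returns (method chosen, reply code, parsed destination)."""
    method = server_select_method(client_greeting(client_methods), server_prefs)[1]
    if method == NO_ACCEPTABLE:
        return method, None, None
    # The sub-negotiation of the chosen method (e.g. username/password, RFC 1929) would run here.
    req = client_connect_request(host, port)
    rep = server_handle_request(req, allowed_ports)[1]
    return method, rep, parse_request(req)[1:]
```

exchange("example.com", 443) yields the username/password method, a success reply and the parsed destination; the same client asking for port 23 gets reply code 0x02, the server's way of saying the ruleset forbids the relay before any connection to the destination is attempted. Note that the server never looks past the destination address and port, which is exactly what makes the gateway circuit-level rather than application-level.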


Firewall configurations

❒ Packet filters and gateways are usually combined in firewall configurations
❒ Three firewall configurations:
❍  Dual-homed firewalls
❍  Screened host firewalls
❍  Screened subnet firewalls


Dual-Homed Firewalls

❒ The term multihomed host is generally used to refer to a host with multiple network interfaces
❒ If IP routing and IP forwarding are disabled on the multihomed host, it provides isolation between the network segments and may be used in a firewall configuration accordingly

(figure: Intranet, Bastion Host (Application gateway), Packet filter, Internet)
The packet filter ensures that any IP packet arriving from the Internet is correctly addressed to the Bastion Host
The intermediate LAN could host other systems (e.g. information or network access servers)


Entire architecture of a Dual-Homed Firewall

❒ The Bastion host could also be replicated for efficiency reasons
❍  Parallel dual-homed firewall
❍  Distribute the proxy or SOCKS servers on several bastion hosts

(figure: Intranet, Packet filter, Inner LAN, Bastion Host (Application gateway), Outer LAN, Packet filter, Internet)


Screened host firewalls

❒ The Bastion host has a single network interface
❒ One does not need an intermediate LAN
❍  Requires fewer IP addresses
❒ The packet filter, after filtering, must forward all IP traffic originated from the Internet to the Bastion Host
❍  Forwarding tables must be configured correctly and must be protected
❒ More flexible
❍  Some applications could be accessed directly without passing through the Bastion host
•  If no proxy exists (proprietary app.) or if they are considered harmless (e.g. NTP)
❒ Less secure

(figure: Bastion Host (Application gateway))


Screened subnet firewalls

❒ Adds an extra security layer with respect to the screened host firewall
❒ Both the Internet and the internal network have access to the DMZ, but traffic across the DMZ is blocked
❒ Note that the bastion host (and the additional servers on the DMZ) could be set up so that they would be the only systems seen from the Internet
❍  No other system name needs to be known or used in a DNS database accessible from the outside world
❍  And similarly for the intranet

(figure: Intranet, Packet filter, Bastion Host (Application gateway), Packet filter, Internet; the inner subnet between the two packet filters is also called Sandbox or demilitarized zone (DMZ))


Limitations of firewalls and gateways

❒ IP spoofing: router can't know if data "really" comes from claimed source
❒ if multiple apps need special treatment, each has its own app. gateway
❒ client software must know how to contact gateway
❍  e.g., must set IP address of proxy in Web browser
❒ filters often use all-or-nothing policy for UDP
❒ tradeoff: degree of communication with outside world versus level of security


Discussion

❒ Firewalls are a fact of life
❒ Provide effective access control, but this is not a panacea
❍  It is not a substitute for careful security management within a corporate intranet
❍  Attacker could disguise traffic by carrying it in a "firewall-friendly" protocol like HTTP
❍  No protection against data-driven attacks
•  E.g. virus-infected software
❍  If an external intruder has an accomplice in the intranet, they can set up an (authorized) tunnel through the firewall
❒ Basically, firewalls are not a solution to network security problems, but a network response to host security problems
❒ Historical analogies
❍  During the Stone Age, everyone knew everyone in the same cave
•  No need for security
❍  In the Middle Ages, people lived in castles or villages surrounded by town walls
•  History has shown that this security model does not work either
❒ The Internet has entered the Middle Ages


Intrusion detection systems

❒ packet filtering:
❍  operates on TCP/UDP/IP headers only
❍  no correlation check among sessions
❒ IDS/IPS: Intrusion Detection/Prevention System
❍  Deep Packet Inspection (DPI): look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
•  Application gateways do that too, but only for specific applications
❍  examine correlation among multiple packets
•  port scanning
•  network mapping
•  DoS attack
❍  IDS: send alert; IPS: drop packets
•  beyond that, similar


Intrusion detection systems

❒ multiple IDSs: different types of checking

(23)

© From Computer Networking, by Kurose&Ross 6: Network Access Control 6-45

Types of IDS

❒ Signature-based IDS
❍  Needs a database of known attacks with their signatures
•  Signature defines types and order of packets characterizing an attack
❍  Limitations:
•  Only known attacks detected
•  False alarm possible: a normal packet stream may match the signature of an attack
❍  Well-known public open-source IDS: Snort
❒ Anomaly-based IDS
❍  Create traffic profile in normal operation
❍  Look at traffic profiles that are statistically unusual, e.g.
•  ICMP unusual load, exponential growth in port scans, etc.
❍  Challenge: how to distinguish between normal traffic and statistically unusual traffic?
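An added worked example, not from the slides and unrelated to Snort's own rule engine: the three detection styles mentioned on the last two slides in Python, run over a constructed packet stream. A signature match on payload bytes, a cross-packet correlation that flags a source touching many distinct TCP ports within a time window (the port-scan case), and an anomaly check that compares ICMP packets per second against a baseline profile. The signatures, thresholds, baseline counts, addresses and traffic are all made up for the illustration; the second "../../" request is a benign one that trips the signature, to show the false-alarm limitation.

```python
# Added example (not from the slides): signature, correlation and anomaly detection over constructed packets.
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float             # seconds
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    dport: int = 0
    payload: bytes = b""

# Signature-based: byte patterns taken to characterise known attacks (constructed examples).
SIGNATURES = {
    "http-path-traversal": b"../../",
    "shell-download": b"wget http://",
}

def signature_alerts(pkts):
    return [(p.ts, name, p.src) for p in pkts for name, pat in SIGNATURES.items() if pat in p.payload]

class PortScanDetector:
    """Correlation across packets: one source touching many distinct TCP ports within a window."""
    def __init__(self, window=10.0, threshold=15):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)    # src -> (ts, dport) pairs inside the window
        self.reported = set()

    def observe(self, p):
        if p.proto != "TCP":
            return None
        q = self.recent[p.src]
        q.append((p.ts, p.dport))
        while q and p.ts - q[0][0] > self.window:
            q.popleft()                     # slide the window forward
        if len({port for _, port in q}) >= self.threshold and p.src not in self.reported:
            self.reported.add(p.src)        # alert once per source, not once per packet
            return (p.ts, "port-scan", p.src)
        return None

class IcmpLoadAnomaly:
    """Anomaly-based: ICMP packets per interval against a baseline profile (mean + k * sd)."""
    def __init__(self, baseline_counts, k=3.0):
        self.mean = statistics.mean(baseline_counts)
        self.sd = max(statistics.pstdev(baseline_counts), 1.0)   # floor so a flat baseline still has a band
        self.k = k

    def anomalous(self, count):
        return count > self.mean + self.k * self.sd

def icmp_counts(pkts, interval=1.0):
    """ICMP packets per interval: the profile the anomaly detector judges."""
    counts = defaultdict(int)
    for p in pkts:
        if p.proto == "ICMP":
            counts[int(p.ts // interval)] += 1
    return counts

def demo():
    attacker, victim = "198.51.100.9", "10.0.0.20"
    traffic = [Pkt(0.5, "10.0.0.7", victim, "TCP", 80, b"GET /docs/../../etc/passwd HTTP/1.1")]
    traffic += [Pkt(1.0 + 0.1 * i, attacker, victim, "TCP", 1 + i) for i in range(20)]   # 20 ports in 2 s
    traffic += [Pkt(5.0 + 0.01 * i, attacker, victim, "ICMP") for i in range(60)]       # 60 ICMP in 1 s
    traffic += [Pkt(7.0, "10.0.0.8", victim, "TCP", 80, b"GET /blog/../../index.html HTTP/1.1")]  # benign
    scanner, scan_alerts = PortScanDetector(), []
    for p in traffic:
        alert = scanner.observe(p)
        if alert:
            scan_alerts.append(alert)
    profile = IcmpLoadAnomaly([2, 3, 1, 2, 4, 2, 3, 2])       # constructed "normal operation" counts
    icmp_alerts = [(sec, n) for sec, n in sorted(icmp_counts(traffic).items()) if profile.anomalous(n)]
    return {"signature": signature_alerts(traffic), "scan": scan_alerts, "icmp": icmp_alerts}
```

demo() returns two signature hits (the second is the false alarm on a harmless request), one port-scan alert for the attacker raised when the fifteenth distinct port is seen, and one ICMP anomaly for the second in which sixty echo packets arrive against a baseline of two or three. The two limitations on the slide show up directly: the signature only catches what is in SIGNATURES, and the anomaly threshold is only as good as the baseline and the chosen k.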


Summary

❒ Firewalls
❍  Types of firewalls
•  Stateless packet filters
•  Stateful packet filters
•  Application gateways
•  Circuit-level gateways
❍  Firewall configurations
•  Dual-homed
•  Screened host
•  Screened subnet
❒ IDS: Intrusion Detection Systems
