Computer Security: Principles and Practice
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Chapter 9 – Firewalls and Intrusion Prevention Systems

Agenda
• Quiz 1 Review
• Firewalls and Intrusion Prevention
• Break

Firewalls and Intrusion Prevention Systems
• effective means of protecting LANs
• Internet connectivity essential
  • for organizations and individuals, but creates a threat
• could secure workstations and servers
• also use firewall as perimeter defense

Firewall Capabilities & Limits
• capabilities:
  • defines a single choke point
  • provides a location for monitoring security events
  • convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
• limitations:
  • cannot protect against attacks bypassing firewall
  • may not protect fully against internal threats
  • improperly secured wireless LAN
  • laptop, PDA, portable storage device infected outside then used inside

Packet Filtering Firewall
• applies rules to packets in/out of firewall
• based on information in packet header
  • src/dest IP addr & port, IP protocol, interface
• typically a list of rules of matches on fields
  • if a rule matches, it says whether to forward or discard the packet
• two default policies:
  • discard - prohibit unless expressly permitted
    • more conservative, controlled, visible to users
  • forward - permit unless expressly prohibited

Packet

Packet Filter Weaknesses
• weaknesses
  • cannot prevent attack on application bugs
  • limited logging functionality
  • do not support advanced user authentication
  • vulnerable to attacks on TCP/IP protocol bugs
  • improper configuration can lead to breaches
• attacks
  • IP address spoofing, source route attacks, tiny

Stateful Inspection Firewall
• reviews packet header information but also keeps info on TCP connections
  • typically have low, “known” port no for server and high, dynamically assigned client port no
  • simple packet filter must allow all return high port numbered packets back in
• stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
  • only allow incoming traffic to high-numbered ports for packets matching an entry in this directory

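The two slides above (packet filtering with a default policy, and the stateful extension with a directory of TCP connections) as one added example that is not part of the lecture slides: the packet fields, rule table, addresses and class names are this example's own constructions, and the point it shows is that the stateless filter would have to open every high port to let replies back in, while the stateful one admits only replies to connections it saw leave.

```python
# Added example, not from the Stallings/Brown slides: a first-match packet
# filter with a default-discard policy, then the stateful extension that keeps
# a directory of outbound TCP connections so inbound traffic to high client
# ports is admitted only when it matches an entry. All data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str              # arrival interface: "ext" (Internet) or "int" (LAN)
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection

# Rule = (header fields to match, action); "*" matches anything; first match wins.
RULES = [
    ({"iface": "ext", "proto": "tcp", "dst": "10.0.0.5", "dport": 25}, "forward"),
    ({"iface": "int", "proto": "tcp", "dport": 80}, "forward"),
]
DEFAULT_POLICY = "discard"   # prohibit unless expressly permitted

def match(rule: dict, pkt: Packet) -> bool:
    return all(v == "*" or getattr(pkt, k) == v for k, v in rule.items())

def stateless_filter(pkt: Packet) -> str:
    for rule, action in RULES:
        if match(rule, pkt):
            return action
    return DEFAULT_POLICY

class StatefulFilter:
    """Same rules, plus a directory of permitted outbound TCP connections."""
    def __init__(self):
        self.connections = set()   # (client, client_port, server, server_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.iface == "int" and pkt.proto == "tcp" and pkt.syn_only:
            action = stateless_filter(pkt)
            if action == "forward":      # remember the connection we let out
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        if pkt.iface == "ext" and pkt.proto == "tcp" and pkt.dport >= 1024:
            # Reply to a high client port: forward only for a known connection;
            # a stateless filter would have to open every high port instead.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "forward" if key in self.connections else "discard"
        return stateless_filter(pkt)
```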
Application-Level Gateway
• acts as a relay of application-level traffic
  • user contacts gateway with remote host name
  • authenticates themselves
  • gateway contacts application on remote host and relays TCP segments between server and user
• must have proxy code for each application
  • may restrict application features supported

Circuit-Level Gateway
• sets up two TCP connections, to an inside user and to an outside host
• relays TCP segments from one connection to the other without examining contents
  • hence independent of application logic
  • just determines whether relay is permitted
• typically used when inside users trusted
  • may use application-level gateway inbound and circuit-level gateway outbound

SOCKS Circuit-Level Gateway
• SOCKS v5 defined as RFC 1928 to allow TCP/UDP applications to use firewall
• components:
  • SOCKS server on firewall
  • SOCKS client library on all internal hosts
  • SOCKS-ified client applications
• client app contacts SOCKS server, authenticates, sends relay request

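The circuit-level gateway slide and the SOCKS slide above, as one added example that is not from the lecture slides or from RFC 1928 itself: the server side of the SOCKS5 exchange, which answers the client greeting, parses the CONNECT request and decides whether the relay is permitted without looking at what will be relayed. The byte layouts follow RFC 1928; the relay policy, the permitted port set and the sample messages are constructed for this example.

```python
# Added example, not from the slides or from RFC 1928 itself: the SOCKS5
# exchange a circuit-level gateway handles before relaying. It answers the
# client greeting, parses the CONNECT request and replies according to a
# relay policy. Byte layouts follow RFC 1928; the policy, port set and
# sample messages are constructed for this example.
import ipaddress, struct

VER, CMD_CONNECT = 0x05, 0x01
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

def select_method(greeting: bytes) -> bytes:
    """Answer VER|NMETHODS|METHODS; this gateway insists on authentication."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    chosen = USER_PASS if USER_PASS in methods else NO_ACCEPTABLE
    return bytes([VER, chosen])

def parse_request(req: bytes):
    """Return (cmd, host, port) from VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("unsupported ATYP in this example")
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port

# Relay policy: outside ports inside users may reach; contents are never inspected.
ALLOWED_PORTS = {80, 443}

def handle_request(req: bytes) -> bytes:
    """Decide whether the relay is permitted and build the SOCKS5 reply."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif port not in ALLOWED_PORTS:
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCEEDED
    # BND.ADDR/BND.PORT: placeholder 0.0.0.0:0 for the gateway's own socket.
    return bytes([VER, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0]) + struct.pack("!H", 0)
```

Username/password authentication itself is a separate sub-negotiation (RFC 1929) that would run between the method selection and the request; it is omitted here.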
Firewall Basing
• several options for locating firewall:
  • bastion host
  • individual host-based firewall

Bastion Hosts
• critical strongpoint in network
• hosts application/circuit-level gateways
• common characteristics:
  • runs secure O/S, only essential services
  • may require user auth to access proxy or host
  • each proxy can restrict features, hosts accessed
  • each proxy small, simple, checked for security
  • each proxy is independent, non-privileged

Host-Based Firewalls
• used to secure individual host
• available in/add-on for many O/S
• filter packet flows
• often used on servers
• advantages:
  • tailored filter rules for specific host needs

Personal Firewall
• controls traffic flow to/from PC/workstation
• for both home or corporate use
• may be software module on PC
  • or in home cable/DSL router/gateway
• typically much less complex
• primary role to deny unauthorized access
• may also monitor outgoing traffic to detect/

Distributed

Firewall Topologies
• host-resident firewall
• screening router
• single bastion inline
• single bastion T
• double bastion inline
• double bastion T

Intrusion Prevention Systems (IPS)
• recent addition to security products which
  • inline net/host-based IDS that can block traffic
  • functional addition to firewall that adds IDS capabilities
• can block traffic like a firewall
  • using IDS algorithms

Host-Based IPS
• identifies attacks using both:
  • signature techniques
    • malicious application packets
  • anomaly detection techniques
    • behavior patterns that indicate malware
• can be tailored to the specific platform
  • e.g. general purpose, web/database server specific

Network-Based IPS
• inline NIDS that can discard packets or terminate TCP connections
• uses signature and anomaly detection
• may provide flow data protection
  • monitoring full application flow content
• can identify malicious packets using:
  • pattern matching, stateful matching, protocol

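The network-based IPS slide above as an added example, not from the lecture slides: the decision logic of an inline NIPS that combines per-packet pattern matching, stateful matching over the reassembled bytes of a TCP flow, and a simple anomaly rule, and that either discards a packet or terminates the flow. The signature string, the rate threshold, the stream size and the sample packets are all constructed for this example.

```python
# Added example, not from the slides: the decision function of an inline
# network IPS combining per-packet pattern matching, stateful matching over
# the reassembled TCP stream of a flow, and a simple anomaly rule on the rate
# of new connections per source. Signature, threshold and packets are constructed.
from collections import defaultdict

SIGNATURES = [b"SAMPLE-EXPLOIT-MARKER"]   # constructed stand-in for content signatures
MAX_NEW_CONNS_PER_SRC = 5                  # constructed anomaly baseline
STREAM_TAIL = 4096                         # bytes of each flow kept for stateful matching

class NetworkIPS:
    def __init__(self):
        self.streams = defaultdict(bytes)   # flow key -> recent reassembled payload
        self.new_conns = defaultdict(int)   # src -> connection attempts seen
        self.terminated = set()             # flows already torn down

    @staticmethod
    def pattern_match(payload: bytes) -> bool:
        """Stateless check: the signature lies entirely inside one packet."""
        return any(sig in payload for sig in SIGNATURES)

    def stateful_match(self, flow, payload: bytes) -> bool:
        """Check the signature against the flow's reassembled bytes, so it is
        found even when split across two segments (which pattern_match misses)."""
        self.streams[flow] = (self.streams[flow] + payload)[-STREAM_TAIL:]
        return self.pattern_match(self.streams[flow])

    def inspect(self, src, dst, dport, payload: bytes, syn: bool = False) -> str:
        """Return 'forward', 'discard' (drop this packet) or 'terminate' (kill flow)."""
        flow = (src, dst, dport)
        if flow in self.terminated:
            return "discard"
        if syn:
            self.new_conns[src] += 1
            if self.new_conns[src] > MAX_NEW_CONNS_PER_SRC:   # anomaly: scan-like rate
                return "discard"
        if self.pattern_match(payload) or self.stateful_match(flow, payload):
            self.terminated.add(flow)
            return "terminate"
        return "forward"
```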
Unified Threat Management

Summary
• introduced need for & purpose of firewalls
• types of firewalls
  • packet filter, stateful inspection, application and circuit gateways
• firewall hosting, locations, topologies