Network Security
CS 192
Firewall Rules
Today’s topics
• Client Web Auth paper
Additional Resources
• Required:
– FIS Chapter 10
• Reference:
Firewall Rulesets
• A Rule defines how a firewall should process a
Rule Chains
• To organize groups of rules, many firewalls let you define "chains": ordered sets of rules.
– A chain can be referenced from other chains (a rule's action jumps to the sub-chain), leading to a hierarchical arrangement.
– Typically there are default chains corresponding to the 3 core paths a packet can take through the host (the netfilter/iptables names):
• INPUT, OUTPUT, FORWARD
Rule structure
• The core pieces of any rule are:
– Action
– Source (IP, port, and state)
– Destination (IP, port, and state)
• So our notation will be
– (action, source, destination)
– {host | net}:port for source or destination
• The order of rules matters, meaning the first rule that matches a particular packet will be the one that
Example Network
[Figure: example network diagram showing the Firewall between the Internet and the DMZnet]
DNS
• Firewalling DNS is complex: it is a required service, it must accept untrusted information from the Internet, and many other services depend on it.
• Often two classes of DNS names:
– Internal network names (often trusted)
– External network names (must never be trusted)
Security Modes for DNS:
– Proxy
Simple DNS
• Simple setup (can leak internal DNS information)
– One shared DNS server provides all information about corpdomain. It is located in the DMZ (dmz-dnsserver)
– Outgoing DNS Queries
• (allow, corpnet, any:DNS)
– Incoming DNS requests
Split DNS
• Two DNS servers run, one internal with full data (called corp-dnsserver) and one external with minimal data (called dmz-dnsserver).
• Rules
– Outgoing DNS Queries
• (allow, corpnet, corp-dnsserver:DNS)
• (allow, corp-dnsserver, dmz-dnsserver:DNS)
• (deny, corpnet, any:DNS)
– Incoming DNS requests
• (allow, any, dmz-dnsserver:DNS)
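The following is an added example, not code from the lecture slides: a small first-match evaluator for the (action, source, destination) notation introduced under "Rule structure", run against the Split DNS ruleset above. It also shows why rule order matters: corp-dnsserver sits inside corpnet, so moving the deny ahead of the forwarder rule silently breaks the internal resolver. The address plan (corpnet = 10.0.0.0/8, dmznet = 192.0.2.0/24, the two server addresses) and the sample packets are assumptions chosen for illustration.

```python
"""
Added example, not part of the lecture slides: a first-match evaluator for
the (action, source, destination) rule notation, run against the Split DNS
ruleset.  Addresses, host names and sample packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan for the names used in the slides.
NETS = {
    "corpnet": ipaddress.ip_network("10.0.0.0/8"),
    "dmznet": ipaddress.ip_network("192.0.2.0/24"),
}
HOSTS = {
    "corp-dnsserver": ipaddress.ip_address("10.0.0.53"),   # inside corpnet
    "dmz-dnsserver": ipaddress.ip_address("192.0.2.53"),   # inside dmznet
}
SERVICES = {"DNS": 53, "HTTP": 80, "HTTPS": 443, "SSH": 22, "NTP": 123}

Rule = Tuple[str, str, str]  # (action, source, destination)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: Optional[int] = None


def endpoint_matches(spec: str, ip: str, port: Optional[int]) -> bool:
    """spec is 'any', a host/net name, or '{host|net}:SERVICE'."""
    name, _, svc = spec.partition(":")
    if svc and port != SERVICES[svc]:
        return False
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if name in HOSTS:
        return addr == HOSTS[name]
    if name in NETS:
        return addr in NETS[name]
    raise ValueError(f"unknown endpoint {name!r}")


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of that rule).
    A packet matching no rule gets the chain's default policy (index None)."""
    for i, (action, src, dst) in enumerate(rules):
        if (endpoint_matches(src, pkt.src_ip, pkt.src_port)
                and endpoint_matches(dst, pkt.dst_ip, pkt.dst_port)):
            return action, i
    return default, None


# The Split DNS ruleset from the slide, in the slide's order.
SPLIT_DNS_RULES: List[Rule] = [
    ("allow", "corpnet", "corp-dnsserver:DNS"),
    ("allow", "corp-dnsserver", "dmz-dnsserver:DNS"),
    ("deny", "corpnet", "any:DNS"),
    ("allow", "any", "dmz-dnsserver:DNS"),
]

# Same rules with the deny moved ahead of the forwarder rule.  Because
# corp-dnsserver is itself inside corpnet, the deny now shadows it.
BAD_ORDER: List[Rule] = [SPLIT_DNS_RULES[0], SPLIT_DNS_RULES[2],
                         SPLIT_DNS_RULES[1], SPLIT_DNS_RULES[3]]

if __name__ == "__main__":
    samples = [  # constructed sample traffic
        ("client -> internal resolver", Packet("10.1.2.3", "10.0.0.53", 53)),
        ("internal resolver -> DMZ resolver", Packet("10.0.0.53", "192.0.2.53", 53)),
        ("client -> Internet resolver (leak)", Packet("10.1.2.3", "198.51.100.1", 53)),
        ("Internet -> DMZ resolver", Packet("203.0.113.7", "192.0.2.53", 53)),
        ("client -> Internet HTTP", Packet("10.1.2.3", "198.51.100.1", 80)),
    ]
    for label, pkt in samples:
        print(f"{label:38s} {evaluate(SPLIT_DNS_RULES, pkt)}")
    print("misordered, resolver -> DMZ:", evaluate(BAD_ORDER, samples[1][1]))
```

The evaluator models only what the notation carries (addresses and service ports); connection state and sub-chains are not modelled. The chain's default policy stands in for the implicit final deny, which is why the HTTP packet is denied with no rule index.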
Split DNS issues
• More overhead than direct DNS queries
• Apps that require valid DNS entries for clients will fail without additional work
– The client will connect from an internal IP address which the external server cannot look up (because the DMZ DNS server does not return detailed information about internal machines).
– Need to create 'fake' entries in the DMZ DNS for any client. These entries need to match both forward and reverse lookups.
• *.3.2.127.in-addr.arpa IN PTR UNKNOWN.example.com
WWW
• The core web protocols, HTTP and HTTPS, are fairly well behaved: they use TCP and have a well-structured client-server model.
• Basic policy
– (allow, corpnet, any:HTTP)
– (allow, any, dmz-webserver:HTTP)
– (deny, any, any:HTTP)
• If you use a web proxy you can replace the first rule:
NTP
• NTP uses UDP packets and involves bi-directional communication. Luckily the ports used are constant, so a straightforward rule works.
• If vulnerabilities in NTP client software exist, then firewall protection becomes difficult, as uni-directional openings are not possible.
• Instead of allowing connection to any NTP server, you may restrict it to only a few 'approved' servers by removing the 'any' rules and adding 2 rules for each server you want.
• Rule:
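As an added example (not from the slides), the following expands the "two rules per approved server" recipe into explicit rules in the slide notation and into equivalent iptables commands. The stateless form mirrors the slide: the reply rule must accept any UDP packet from the server's port 123, which is the "no uni-directional opening" problem. A stateful packet filter (netfilter's conntrack tracks UDP flows by address/port pair with a timeout) can accept the reply only when it saw the outbound query, and the `stateful` flag shows that variant. The server addresses, the corpnet prefix and the FORWARD-chain placement are assumptions.

```python
"""
Added example, not part of the lecture slides: expanding the approved-NTP-
server recipe into slide-notation rules and iptables commands.  Server
addresses, corpnet prefix and chain placement are assumptions.
"""
from typing import List, Tuple

NTP_PORT = 123  # NTP uses UDP/123 on both ends, hence the fixed ports

Rule = Tuple[str, str, str]  # (action, source, destination)


def ntp_ruleset(approved_servers: List[str]) -> List[Rule]:
    """Slide notation: one outbound and one inbound rule per approved server,
    then explicit denies that replace the former 'any' rules."""
    rules: List[Rule] = []
    for srv in approved_servers:
        rules.append(("allow", "corpnet", f"{srv}:NTP"))   # query out
        rules.append(("allow", f"{srv}:NTP", "corpnet"))   # reply back in
    rules.append(("deny", "corpnet", "any:NTP"))
    rules.append(("deny", "any:NTP", "corpnet"))
    return rules


def ntp_iptables(approved_servers: List[str], corpnet: str = "10.0.0.0/8",
                 stateful: bool = False) -> List[str]:
    """iptables equivalents of ntp_ruleset() on the FORWARD chain.
    Stateless: the reply rule opens UDP from the server's port 123 to every
    corpnet host/port.  Stateful: the reply is accepted only if conntrack
    already saw the matching outbound query."""
    cmds: List[str] = []
    for srv in approved_servers:
        cmds.append(f"iptables -A FORWARD -p udp -s {corpnet} -d {srv} "
                    f"--dport {NTP_PORT} -j ACCEPT")
        reply = (f"iptables -A FORWARD -p udp -s {srv} --sport {NTP_PORT} "
                 f"-d {corpnet}")
        if stateful:
            reply += " -m conntrack --ctstate ESTABLISHED"
        cmds.append(reply + " -j ACCEPT")
    # Replace the old 'any' rules with explicit drops so only the list above works.
    cmds.append(f"iptables -A FORWARD -p udp -s {corpnet} --dport {NTP_PORT} -j DROP")
    cmds.append(f"iptables -A FORWARD -p udp --sport {NTP_PORT} -d {corpnet} -j DROP")
    return cmds


if __name__ == "__main__":
    servers = ["192.0.2.10", "192.0.2.11"]  # assumed approved NTP servers
    for r in ntp_ruleset(servers):
        print(r)
    for c in ntp_iptables(servers, stateful=True):
        print(c)
```

Order still matters here: the per-server allows must precede the two drops, exactly as the notation lists them, or the drops shadow them.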
SSH
• Two models:
– Allow SSH directly to internal clients.
• Simple;
• Lets users connect to their machines directly;
• No additional servers/machines required;
• (allow, any, corpnet:SSH)
– Bastion Login gateway
• Allows centralized controls on external access;
• More secure as two machines must be broken through;
Information Slide
• Lecture slides, course updates, and assignments can be obtained at the course web page