Chapter 11 Firewalls Bhargavi Goswami, Sunshine Group of Institutes, Rajkot, Gujarat, India, Email: [email protected] Mob: +91 9426669020


Page 1: Chapter 11 › 2013 › 10 › ch11.pdf · Chapter 11 Firewalls Bhargavi Goswami, Sunshine Group of Institutes, Rajkot, ... the file transfer and a data connection for the actual

Chapter 11

Firewalls

Bhargavi Goswami, Sunshine Group of Institutes,

Rajkot, Gujarat, India,

Email: [email protected]

Mob: +91 9426669020

Page 2

Topic List

1. Firewall Design Principles
   1. Firewall Characteristics
   2. Types of Firewalls
   3. Firewall Configurations

2. Trusted Systems
   1. Data Access Control
   2. The Concept of Trusted Systems
   3. Trojan Horse Defense

3. Common Criteria for IT Security Evaluation
   1. Requirements
   2. Profiles & Targets

Page 3

Firewalls

• An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet

Page 4

Firewall Design Principles

• Information systems undergo a steady evolution (from small LANs to Internet connectivity)

• Strong security features for all workstations and servers are not established

Page 5

Firewall Design Principles

• The firewall is inserted between the premises network and the Internet

• Aims:
  – Establish a controlled link
  – Protect the premises network from Internet-based attacks
  – Provide a single choke point

Page 6

Firewall Characteristics

• Design goals:
  – All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  – Only authorized traffic (defined by the local security policy) will be allowed to pass
  – The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

Page 7

Firewall Characteristics

Limitations:
• Cannot protect against attacks that bypass the firewall.
• Cannot protect against a disgruntled employee, or an employee who unwittingly cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from outside.
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.

Page 8

Firewall Characteristics

• Four general techniques:
• Service control
  – Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
  – Determines the direction in which particular service requests are allowed to flow

Page 9

Firewall Characteristics

• User control
  – Controls access to a service according to which user is attempting to access it
• Behavior control
  – Controls how particular services are used (e.g. filter e-mail)

Page 10

Types of Firewalls

• Three common types of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host) Most important

Page 11

Types of Firewalls

1. Packet-filtering Router

Page 12

• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)

• Advantages:
  – Simplicity
  – Transparency to users
  – High speed

• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication

Page 13

Page 14

• Filtering rules are based on information contained in a network packet:
  – Source IP address (e.g. 192.168.1.1)
  – Destination IP address (e.g. 192.168.1.1)
  – Source and destination transport port (e.g. 8080 for TCP/UDP/TELNET)
  – IP protocol field
  – Interface

• Two default policies are possible:
  – Default = discard: that which is not expressly permitted is prohibited.
  – Default = forward: that which is not expressly prohibited is permitted.

Page 15

• Possible attacks and appropriate countermeasures:
  – IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. Countermeasure: enforce the check at the router, discarding such packets.
  – Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyse the source routing information. Countermeasure: discard all source-routed packets.
  – Tiny fragment attacks: The header information is split across very small fragments; only the first fragment is checked, and the remaining fragments are allowed through without checking. Countermeasure: enforce a minimum fragment size so that the first fragment must carry the full header. Also, if the first fragment is rejected, all subsequent related fragments must be rejected.

Page 16

Page 17

A. Packets from SPIGOT are blocked because that host has a history of sending massive files in e-mail messages.

B. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

C. Inside hosts can send mail outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine.

D. These rules take advantage of a feature of TCP connections: once a connection is set up, the ACK flag of a TCP segment is set, and such segments are allowed to enter our network.

E. This rule set handles FTP connections. With FTP, two TCP connections are used: a control connection to set up the file transfer and a data connection for the actual file transfer.
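The slides on pages 12 to 17 describe a packet-filtering router as an ordered list of rules over header fields, an implicit default policy as the last rule, and the tiny-fragment countermeasure. The following Python is an added example (not from these lecture slides) that puts those pieces together: first matching rule wins, the default applies when nothing matches, a first fragment too small to hold a transport header is discarded, and later fragments inherit the verdict of their first fragment. The rule set, host names (SPIGOT stands in for the slide's mail host) and all addresses (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
"""Stateless packet filter with ordered rules, a default policy and the
tiny-fragment countermeasure. Added example; addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Minimum bytes of transport header a first fragment must carry (a TCP header is 20 bytes)
MIN_FIRST_FRAGMENT = 20


@dataclass
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp" or "udp" (IP protocol field)
    sport: int               # source transport port
    dport: int               # destination transport port
    iface: str               # interface the packet arrived on: "outside" or "inside"
    ack: bool = False        # TCP ACK flag
    ip_id: int = 0           # IP identification field, shared by all fragments of one datagram
    frag_offset: int = 0     # 0 for the first (or only) fragment
    more_fragments: bool = False
    transport_len: int = 40  # bytes of transport header + payload in this fragment


@dataclass
class Rule:
    action: str                    # "permit" or "block"
    src: str = "0.0.0.0/0"         # CIDR match on source address
    dst: str = "0.0.0.0/0"         # CIDR match on destination address
    proto: str = "*"               # "*" = any protocol
    dport: Optional[range] = None  # None = any destination port
    iface: str = "*"               # "*" = any interface
    ack: Optional[bool] = None     # None = don't care about the ACK flag

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or p.dport in self.dport)
                and self.iface in ("*", p.iface)
                and (self.ack is None or self.ack == p.ack))


class PacketFilter:
    """First matching rule wins; the default policy is the implicit last rule."""

    def __init__(self, rules, default="block"):
        self.rules = list(rules)
        self.default = default
        self._fragment_verdicts = {}   # ip_id -> verdict given to that datagram's first fragment

    def decide(self, p: Packet) -> str:
        if p.frag_offset > 0:
            # A non-first fragment carries no transport header, so it cannot be matched
            # against port rules: it inherits the first fragment's verdict. A fragment
            # whose first fragment was never seen is blocked (conservative choice).
            return self._fragment_verdicts.get(p.ip_id, "block")
        if p.transport_len < MIN_FIRST_FRAGMENT:
            verdict = "block"          # tiny-fragment countermeasure
        else:
            verdict = self.default
            for rule in self.rules:
                if rule.matches(p):
                    verdict = rule.action
                    break
        if p.more_fragments:
            self._fragment_verdicts[p.ip_id] = verdict
        return verdict


# Constructed policy, modelled loosely on the rule set labelled A to E above.
OUR_SMTP = "192.0.2.25/32"   # our mail server (constructed address)
SPIGOT = "203.0.113.5/32"    # the blocked remote mail host (constructed address)
RULES = [
    Rule("block", src=SPIGOT),                                                        # A
    Rule("permit", iface="inside", proto="tcp", dport=range(25, 26)),                 # C
    Rule("permit", iface="outside", proto="tcp", dst=OUR_SMTP, dport=range(25, 26)),  # inbound mail
    Rule("permit", iface="outside", proto="tcp", ack=True),                           # D
]                                                                                     # B = default


def run_demo() -> dict:
    fw = PacketFilter(RULES, default="block")
    return {
        "spigot_mail": fw.decide(Packet("203.0.113.5", "192.0.2.25", "tcp", 40000, 25, "outside")),
        "inbound_mail": fw.decide(Packet("198.51.100.7", "192.0.2.25", "tcp", 40000, 25, "outside")),
        "outbound_mail": fw.decide(Packet("192.0.2.10", "198.51.100.7", "tcp", 40001, 25, "inside")),
        "inbound_http": fw.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 40002, 80, "outside")),
        # Rule D's limitation: any packet with ACK set is let in, whether or not a connection exists
        "stray_ack": fw.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 40002, 80, "outside", ack=True)),
        # Tiny first fragment (8 bytes cannot hold a TCP header) and the fragment that follows it
        "tiny_first": fw.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 40003, 23, "outside",
                                       ip_id=77, more_fragments=True, transport_len=8)),
        "tiny_rest": fw.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 40003, 23, "outside",
                                      ip_id=77, frag_offset=8, transport_len=32)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} -> {verdict}")
```

The `stray_ack` case is why rule D alone is a weak check: a stateless filter has no way to tell a reply on a connection an inside host opened from an ACK-flagged packet that arrives out of the blue. Stateful inspection, covered on page 19, closes that gap by keeping a connection table.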

Page 18

2. Stateful Inspection of Firewall

Page 19

Stateful Inspection Firewall:
• The numbers less than 1024 are the "well-known" port numbers and are assigned permanently to particular applications (e.g., 25 for SMTP servers).
• The numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection.
• A stateful packet inspection firewall does the following:
  – Reviews the same packet information as a packet-filtering firewall,
  – Also maintains information about TCP connections,
  – And keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.
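As an added example (not from the slides), the Python below implements the three points just listed for a simplified TCP: a connection table keyed by the canonical address pair, entries created only by an inside host opening a connection from an ephemeral port (1024 to 65535), and a per-direction expected sequence number checked against a window once the handshake completes. Addresses and sequence numbers are constructed; the window arithmetic ignores 32-bit wrap-around for brevity.

```python
"""Stateful inspection: a connection table plus TCP sequence-number tracking.
Added example; hosts and numbers are constructed."""
from dataclasses import dataclass
from typing import Optional

WINDOW = 65535  # acceptance window for sequence numbers (simplified, no 32-bit wrap handling)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack_num: int = 0
    syn: bool = False
    ack: bool = False
    length: int = 0        # payload bytes
    iface: str = "inside"  # interface the segment arrived on


@dataclass
class Connection:
    state: str                         # "SYN_SENT" or "ESTABLISHED"
    next_seq_out: int                  # next sequence number expected from the inside host
    next_seq_in: Optional[int] = None  # next sequence number expected from the outside host


class StatefulFirewall:
    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> Connection

    @staticmethod
    def _key(s: Segment):
        # Canonical key so both directions of one connection map to the same entry
        if s.iface == "inside":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def inspect(self, s: Segment) -> str:
        key = self._key(s)
        conn = self.table.get(key)
        if conn is None:
            # Only an inside host may open a connection, and only from an ephemeral port.
            # An outside segment with no table entry is blocked even if its ACK flag is set.
            if s.iface == "inside" and s.syn and not s.ack and 1024 <= s.sport <= 65535:
                self.table[key] = Connection("SYN_SENT", next_seq_out=s.seq + 1)
                return "permit"
            return "block"
        if conn.state == "SYN_SENT":
            # Expect the SYN/ACK from outside acknowledging our ISN + 1
            if s.iface == "outside" and s.syn and s.ack and s.ack_num == conn.next_seq_out:
                conn.next_seq_in = s.seq + 1
                conn.state = "ESTABLISHED"
                return "permit"
            return "block"
        # ESTABLISHED: the sequence number must fall inside the window we expect
        expected = conn.next_seq_out if s.iface == "inside" else conn.next_seq_in
        if not (expected <= s.seq < expected + WINDOW):
            return "block"   # e.g. a segment injected with a guessed sequence number
        if s.iface == "inside":
            conn.next_seq_out = s.seq + s.length
        else:
            conn.next_seq_in = s.seq + s.length
        return "permit"


def run_demo() -> dict:
    fw = StatefulFirewall()
    inside, outside = "192.0.2.10", "198.51.100.7"   # RFC 5737 documentation addresses
    return {
        "syn": fw.inspect(Segment(inside, 40000, outside, 80, seq=1000, syn=True)),
        "syn_ack": fw.inspect(Segment(outside, 80, inside, 40000, seq=5000, ack_num=1001,
                                      syn=True, ack=True, iface="outside")),
        "ack": fw.inspect(Segment(inside, 40000, outside, 80, seq=1001, ack_num=5001, ack=True)),
        "request": fw.inspect(Segment(inside, 40000, outside, 80, seq=1001, ack_num=5001,
                                      ack=True, length=100)),
        "response": fw.inspect(Segment(outside, 80, inside, 40000, seq=5001, ack_num=1101,
                                       ack=True, length=200, iface="outside")),
        # A segment on the live connection whose sequence number is far outside the window
        "injected": fw.inspect(Segment(outside, 80, inside, 40000, seq=900000, ack_num=1101,
                                       ack=True, length=10, iface="outside")),
        # An ACK-flagged segment for a connection that was never opened from inside
        "stray_ack": fw.inspect(Segment(outside, 80, inside, 40001, seq=1, ack_num=1,
                                        ack=True, iface="outside")),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} -> {verdict}")
```

Compare `stray_ack` here with the stateless filter: the same packet that an ACK-based rule lets through is blocked because no inside host ever opened that connection, and `injected` shows the sequence-number check refusing a segment that does not continue the tracked stream.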

Page 20

Types of Firewalls

3. Application-level Gateway

Page 21

Page 22

Application-level Gateway

• Application-level Gateway
  – Also called a proxy server
  – Acts as a relay of application-level traffic
  – The user contacts the gateway using a TCP/IP application such as Telnet or FTP, and the gateway asks the user for the name of the remote host.
  – Once a valid user ID and authentication are provided, the gateway relays the TCP segments containing the application data between the two endpoints.

• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic

• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)

Page 23

Types of Firewalls

4. Circuit-level Gateway

Page 24

Page 25

Circuit-level Gateway

• Circuit-level Gateway
  – A stand-alone system, or
  – A specialized function performed by an application-level gateway for certain applications.
  – Sets up two TCP connections, one between the gateway and each of the two communicating hosts.
  – The gateway typically relays TCP segments from one connection to the other without examining the contents.
  – Security is the job of the security function.
  – The security function consists of information determining which connections will be allowed.
  – Typical use is a situation in which the system administrator trusts the internal users.
  – An example is the SOCKS package.

Page 26

SOCKS
• SOCKet Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server.
• The protocol is designed to provide a framework for client-server applications in both the TCP and UDP domains.
• The protocol is conceptually a "shim layer" between the application layer and the transport layer.
• SOCKS components:
  – SOCKS server
  – SOCKS client library
  – SOCKS-ified versions of several standard client programs such as FTP and TELNET, which use the appropriate encapsulation routines in the SOCKS library.
• The SOCKS service is generally located on TCP port 1080.
• When a client wants to connect to an object, it opens a TCP connection to the SOCKS port on the SOCKS server; after authentication, the SOCKS server relays the connection on behalf of the SOCKS client and communication continues.
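To make the exchange on this slide and the "security function" of page 25 concrete, the following Python is an added example (not part of the lecture or of any SOCKS implementation) that builds the client's two SOCKS5 messages as laid out in RFC 1928 (method greeting, then a CONNECT request) and answers them on the server side, where an allow-list of permitted (host, port) circuits decides between the "succeeded" and "connection not allowed by ruleset" reply codes. The allow-list and the gateway's bind address are constructed; a real server would open the second TCP connection after a successful reply, which this in-memory version does not do.

```python
"""SOCKS5 (RFC 1928) message handling for the server side of a circuit-level gateway,
with an allow-list as the security function. Added example; hosts and policy are constructed."""
import socket
import struct

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# The security function: which (host, port) circuits this gateway will relay (constructed)
ALLOWED = {("mail.example.net", 25), ("www.example.net", 80), ("192.0.2.7", 80)}
BIND_ADDR, BIND_PORT = "192.0.2.1", 1080   # gateway address reported in replies (constructed)


# --- client side: the messages a SOCKS-ified client sends ---------------------------
def client_greeting() -> bytes:
    # VER | NMETHODS | METHODS...  (offer "no authentication" only)
    return bytes([VER, 1, NO_AUTH])


def client_connect(host: str, port: int) -> bytes:
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                     # not a dotted quad: send it as a domain name
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# --- server side: what the SOCKS server answers --------------------------------------
def handle_greeting(msg: bytes) -> bytes:
    if len(msg) < 2 or msg[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    methods = msg[2:2 + msg[1]]
    if len(methods) != msg[1]:
        raise ValueError("truncated method list")
    # Reply VER | METHOD; 0xFF tells the client none of its methods is acceptable
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def parse_request(msg: bytes):
    if len(msg) < 4 or msg[0] != VER or msg[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = msg[1], msg[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(msg[4:8]), msg[8:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("ascii"), msg[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    (port,) = struct.unpack("!H", rest)
    return cmd, host, port


def build_reply(rep: int) -> bytes:
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(BIND_ADDR) + struct.pack("!H", BIND_PORT))


def handle_request(msg: bytes) -> bytes:
    cmd, host, port = parse_request(msg)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_UNSUPPORTED)
    if (host, port) not in ALLOWED:
        return build_reply(REP_NOT_ALLOWED)   # security function says no: nothing is relayed
    return build_reply(REP_OK)                # a real server would now open the second TCP connection


def exchange(host: str, port: int) -> int:
    """Run both sides of the handshake in memory and return the server's REP code."""
    if handle_greeting(client_greeting()) != bytes([VER, NO_AUTH]):
        raise RuntimeError("method negotiation failed")
    return handle_request(client_connect(host, port))[1]


if __name__ == "__main__":
    for target in [("mail.example.net", 25), ("other.example.net", 22)]:
        print(target, "-> REP", exchange(*target))
```

The allow-list check happens before any outbound connection is attempted, which is the point of a circuit-level gateway: the decision is made on the requested circuit, not on the data that later flows through it.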

Page 27

Types of Firewalls

• Bastion Host
  – A system identified by the firewall administrator as a critical strong point in the network's security
  – The bastion host serves as a platform for an application-level or circuit-level gateway

Page 28

Bastion Host Characteristics
• Executes a secure version of its operating system, making it a hardened system.
• Only the services that the network administrator considers essential are installed on the bastion host, e.g. DNS, FTP, HTTP, and SMTP.
• Each proxy service may require its own authentication before granting user access.
• Each proxy is configured to support only a subset of the standard application's command set.
• Each proxy is configured to allow access only to specific host systems, with a limited command/feature set.
• Each proxy maintains detailed audit information, which is an essential tool for discovering and terminating intruder attacks.
• Each proxy module is a very small software package specifically designed for network security, e.g. a UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain 1000.
• Each proxy is independent of the other proxies on the bastion host.
• A proxy generally performs no disk access other than to read its initial configuration file, so it is safe from Trojan horse sniffers.
• Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.

Page 29

Host-Based Firewalls

• Used to secure an individual host.
• Available with the OS, or can be added as an add-on package.
• Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets.
• Advantages:
  – Filtering rules can be tailored to the host environment.
  – Protection is provided independent of topology.
  – Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection.

Page 30

Personal Firewall

• Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side
• A personal firewall is used to deny unauthorized remote access to the computer.
• E.g. the Mac OS X operating system.
• Optional services:
  – Personal file sharing (548, 427)
  – Windows sharing (139)
  – Personal Web sharing (80, 427)
  – Remote login - SSH (22)
  – FTP access (20-21, 1024-64535 from 20-21)
  – Remote Apple events (3031)
  – Printer sharing (631, 515)
  – iChat Rendezvous (5297, 5298)
  – iTunes Music Sharing (3869)
  – CVS (2401)

Page 31

Firewall Configurations

• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible

• Three common configurations:

Page 32

Firewall Configurations

• Screened host firewall system (single-homed bastion host)

Page 33

Firewall Configurations

• Screened host firewall, single-homed bastion configuration

• The firewall consists of two systems:
  – A packet-filtering router
  – A bastion host

Page 34

Firewall Configurations

• Configuration for the packet-filtering router:
  – Only packets from and to the bastion host are allowed to pass through the router

• The bastion host performs authentication and proxy functions

Page 35

Firewall Configurations

• Greater security than single-system configurations, for two reasons:
  – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
  – An intruder must generally penetrate two separate systems

Page 36

Firewall Configurations

• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Page 37

Firewall Configurations

• Screened host firewall system (dual-homed bastion host)

Page 38

Firewall Configurations

• Screened host firewall, dual-homed bastion configuration
  – A compromise of the packet-filtering router alone does not completely compromise the network
  – Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Page 39

Firewall Configurations

• Screened-subnet firewall system

Page 40

Firewall Configurations

• Screened subnet firewall configuration
  – Most secure configuration of the three
  – Two packet-filtering routers are used
  – Creation of an isolated sub-network

Page 41

Firewall Configurations

• Advantages:
  – Three levels of defense to thwart intruders
  – The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)

Page 42

Firewall Configurations

• Advantages:
  – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

Page 43

DMZ Network:

• External firewall.
• DMZ (demilitarized zone) network.
• Systems that are externally accessible but need some protection are usually located on DMZ networks, such as a corporate Web site, an e-mail server, or a DNS server.
• The internal firewall serves three purposes:
  – It adds more stringent filtering capability, compared to the external firewall.
  – It provides two-way protection: 1. from worms, rootkits, bots, or other malware, and 2. against virus attacks originating internally.
  – Multiple internal firewalls can be used to provide internal security.

Page 44

Page 45

Virtual Private Networks

• Provides a solution in today's distributed environment.
• Makes use of encryption and special protocols to provide security.
• A public network exposes corporate traffic to eavesdropping. Solution? VPN.
• Cheaper than real private networks.
• The common protocol used here is IPSec.
• VPN traffic passing through the firewall in both directions is encrypted.
• IPsec could be implemented in the boundary router, outside the firewall, so that the firewall can perform its filtering, access control, logging, or virus-scanning functions.
• Disadvantage: the boundary router is less secure than the firewall and thus less desirable.

Page 46

Page 47

Firewall Alternatives:

• Host-resident firewall: personal firewall software; a firewall applied to a single host, providing defense in depth.
• Screening router: typical for small office/home office (SOHO) applications, using a stateless packet filter.
• Single bastion T: like the single bastion, but interfaced with a DMZ; used by medium and large organizations.
• Double bastion inline: the DMZ is sandwiched between bastion firewalls; best for medium and large organizations.
• Double bastion T: the DMZ is on a separate network interface on the bastion firewall; used by large businesses and government organizations, currently including the Australian government.
• Distributed firewall configuration: used by some large businesses and government organizations; distributed by nature.

Page 48

Trusted Systems

• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Page 49

Data Access Control

• Through the user access control procedure (log on), a user can be identified and authenticated to the system

• Associated with each user, there can be a profile that specifies permissible operations and file accesses

• The operating system can enforce rules based on the user profile

Page 50

Data Access Control

• General models of access control:
  – Access matrix (subject, object, access rights)
  – Access control list (see figure)
  – Capability list (see figure)

Page 51

Data Access Control

• Access Matrix

Page 52

Data Access Control

• Access Matrix: basic elements of the model
  – Subject: An entity capable of accessing objects; the concept of subject equates with that of process
  – Object: Anything to which access is controlled (e.g. files, programs)
  – Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)

Page 53

Data Access Control

• Access Control List: decomposition of the matrix by columns
  – An access control list lists users and their permitted access rights
  – The list may contain a default or public entry

Page 54

Data Access Control

• Capability list: decomposition of the matrix by rows
  – A capability ticket specifies authorized objects and operations for a user
  – Each user has a number of tickets

Page 55

The Concept of Trusted Systems

• Trusted Systems
  – Protection of data and resources on the basis of levels of security (e.g. military)
  – Users can be granted clearances to access certain categories of data, not everything.

Page 56

The Concept of Trusted Systems

• Multilevel security
  – Definition of multiple categories or levels of data

• A multilevel secure system must enforce:
  – No read up: A subject can only read an object of less or equal security level (Simple Security Property)
  – No write down: A subject can only write into an object of greater or equal security level (*-Property)

Page 57

The Concept of Trusted Systems

• Reference Monitor Concept: Multilevel security for a data processing system

Page 58

The Concept of Trusted Systems

Page 59

The Concept of Trusted Systems

• Reference Monitor
  – Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
  – The monitor has access to a file (the security kernel database)
  – The monitor enforces the security rules (no read up, no write down)

Page 60

The Concept of Trusted Systems

• Properties of the Reference Monitor
  – Complete mediation: Security rules are enforced on every access
  – Isolation: The reference monitor and database are protected from unauthorized modification
  – Verifiability: The reference monitor's correctness must be provable (mathematically)
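The multilevel rules of page 56 and the reference monitor of pages 59 and 60 are small enough to write down in full. The Python below is an added example (not from the slides) of a reference monitor over a toy object store: every read and write passes through one `check()` (complete mediation), the clearances and classifications are private to the monitor (a modest form of isolation), and `check()` is a two-line rule that is easy to inspect against the simple security property and the *-property (the verifiability the slide asks for). The levels, subjects and objects are constructed.

```python
"""A reference monitor enforcing no-read-up and no-write-down over a small object store.
Added example; levels, subjects and objects are constructed."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    """Every access to the store goes through check(): complete mediation.
    The security kernel database (clearances and classifications) is held in
    name-mangled attributes so ordinary code cannot reach it by accident: isolation."""

    def __init__(self, clearances: dict, classifications: dict):
        self.__clearances = dict(clearances)            # subject -> level name
        self.__classifications = dict(classifications)  # object -> level name
        self.__store = {}                               # object -> content
        self.audit = []                                 # (subject, object, mode, allowed)

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s = LEVELS[self.__clearances[subject]]
        o = LEVELS[self.__classifications[obj]]
        if mode == "read":
            allowed = s >= o      # simple security property: no read up
        elif mode == "write":
            allowed = s <= o      # *-property: no write down
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        self.audit.append((subject, obj, mode, allowed))
        return allowed

    def read(self, subject: str, obj: str) -> str:
        if not self.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self.__store.get(obj, "")

    def write(self, subject: str, obj: str, content: str) -> None:
        if not self.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self.__store[obj] = content


def run_demo() -> dict:
    rm = ReferenceMonitor(
        clearances={"analyst": "secret", "clerk": "unclassified"},
        classifications={"budget": "confidential", "plans": "top secret", "notice": "unclassified"},
    )
    rm.write("clerk", "budget", "draft figures")   # writing up is allowed
    outcomes = {}
    for subject, obj, mode in [("analyst", "budget", "read"),   # read down: allowed
                               ("analyst", "plans", "read"),    # read up: denied
                               ("analyst", "notice", "write"),  # write down: denied
                               ("analyst", "plans", "write"),   # write up: allowed
                               ("clerk", "budget", "read")]:    # read up: denied
        outcomes[f"{subject}_{mode}_{obj}"] = rm.check(subject, obj, mode)
    outcomes["analyst_sees"] = rm.read("analyst", "budget")
    outcomes["audit_entries"] = len(rm.audit)     # one entry per mediated access
    return outcomes


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22s} = {value}")
```

Note that the clerk, cleared only for unclassified data, can still write into the confidential `budget` object: the *-property forbids writing down, not up. That is exactly why a trusted system pairs these rules with integrity controls and audit, which here is the `audit` list recording every decision.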

Page 61

The Concept of Trusted Systems

• A system that can provide such verifications (properties) is referred to as a trusted system

Page 62

Trojan Horse Defense

• Secure, trusted operating systems are one way to secure against Trojan Horse attacks

Page 63

Trojan Horse Defense

Page 64

Trojan Horse Defense

Page 65

Common Criteria for IT Security Evaluation

• The Common Criteria (CC) for IT Security Evaluation is an international initiative by standards bodies.

• TOE (Target of Evaluation) requirements:
  – Functional requirements
  – Assurance requirements

• Requirements are organized into classes; each class contains families, and each component within a family performs some security objective.

Page 66

CC Security Functional Requirement

• Audit
• Cryptographic Support
• Communication
• User Data Protection
• Identification and Authentication
• Security Management
• Privacy
• Protection of TOE Security Functions
• Resource Utilization
• TOE Access
• Trusted Path/Channels

Page 67

CC Security Assurance Requirement

• Configuration Management
• Delivery and Operation
• Development
• Guidance Documents
• Life Cycle Support
• Tests
• Vulnerability Assessment
• Assurance Maintenance

Page 68

Profiles and Targets

• PP: Protection Profiles
  Define an implementation-independent set of security requirements and objectives. A PP is reusable and reflects user security requirements.

• ST: Security Targets
  Define the IT security objectives and requirements of a specific identified TOE. An ST is supplied by the vendor or developer.

Page 69

Figure: Construction of Common Criteria Requirements. Classes contain families, and families contain components; packages, optional extended (non-CC) security requirements, and optional input to the PP or ST feed into the Protection Profile (PP) and the Security Target (ST).

Page 70

TOE: Target of Evaluation; TSFI: TOE Security Function Interface

Figure: Security Functional Requirement Paradigm. Users and IT products, each carrying security attributes, interact through the TSFI with the TOE security functions, which enforce the TOE security functions (TSF) and the TOE security policy (TSP) over resources and processes that likewise carry security attributes.

Page 71

Recommended Reading

This was my last lecture in your class.

Thank You for Everything...

Heartily Best Wishes For Your Future.
