Chapter 11
Firewalls
Bhargavi Goswami, Sunshine Group of Institutes, Rajkot, Gujarat, India
Email: [email protected]
Mob: +91 9426669020
Topic List
1. Firewall Design Principles
   1. Firewall Characteristics
   2. Types of Firewalls
   3. Firewall Configurations
2. Trusted Systems
   1. Data Access Control
   2. The Concept of Trusted Systems
   3. Trojan Horse Defense
3. Common Criteria for IT Security Evaluation
   1. Requirements
   2. Profiles & Targets
Firewalls
• An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet
Firewall Design Principles
• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features for all workstations and servers are not established
Firewall Design Principles
• The firewall is inserted between the premises network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point
Firewall Characteristics
• Design goals:
– All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (as defined by the local security policy) will be allowed to pass
– The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
Firewall Characteristics
Limitations:
• Cannot protect against attacks that bypass the firewall.
• Cannot protect against a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from outside.
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.
Firewall Characteristics
• Four general techniques:
• Service control
– Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
– Determines the direction in which particular service requests are allowed to flow
Firewall Characteristics
• User control
– Controls access to a service according to which user is attempting to access it
• Behavior control
– Controls how particular services are used (e.g. filtering e-mail)
Types of Firewalls
• Three common types of firewalls:
– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– Bastion host (most important)
• Packet-filtering Router
– Applies a set of rules to each incoming IP packet and then forwards or discards the packet
– Filters packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
– Two default policies (discard or forward)
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of authentication
• Filtering rules are based on information contained in a network packet:
– Source IP address (e.g. 192.168.1.1)
– Destination IP address (e.g. 192.168.1.1)
– Source and destination transport port (e.g. 8080 for TCP/UDP/TELNET)
– IP protocol field
– Interface
• Two default policies are possible:
– Default = discard: That which is not expressly permitted is prohibited.
– Default = forward: That which is not expressly prohibited is permitted.
• Possible attacks and appropriate countermeasures
– IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. Countermeasure: security at the router, which discards such packets when they arrive on the external interface.
– Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyse the source routing information. Countermeasure: discard all packets that use this option.
– Tiny fragment attacks: The intruder splits a packet into tiny fragments so that the header fields the filter examines are spread across fragments; only the first fragment is checked and all others are allowed through without checking. Countermeasure: enforce a minimum size for the first fragment so that it must contain the whole transport header. Also, if the first fragment is rejected, all subsequent related fragments must be rejected.
A. Packets from the external host SPIGOT are blocked because that host has a history of sending massive files in e-mail messages.
B. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.
C. An inside host can send mail outside. A TCP packet with a destination port of 25 is routed to the SMTP server on the destination machine.
D. These rules take advantage of a feature of TCP connections: once a connection is set up, the ACK flag of a TCP segment is set, and such segments are allowed to enter our network.
E. This rule set handles FTP connections. With FTP, two TCP connections are used: a control connection to set up the file transfer and a data connection for the actual file transfer.
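As an added example (not part of the lecture and not taken from any firewall product), the following Python packet filter renders the rule descriptions A–E above as a first-match rule list with an explicit default-discard policy, and also applies the anti-spoofing and tiny-fragment countermeasures from the preceding slide. The rule fields, the address used for SPIGOT (203.0.113.7), the 192.168.1.0/24 premises network and the 28-byte minimum first fragment are all assumptions made for the example.

```python
"""First-match packet filter with default policy, anti-spoofing and fragment checks.

Added example: the rule set is a constructed rendering of the slide's A-E
descriptions; addresses are documentation addresses chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed premises network
SPIGOT = "203.0.113.7/32"                     # constructed address for the slide's SPIGOT host
MIN_FIRST_FRAGMENT = 28                       # assumed: 20-byte IP header + 8 bytes of transport header


@dataclass
class Packet:
    iface: str              # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str              # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag
    frag_id: int = 0        # IP identification; 0 means not fragmented
    frag_offset: int = 0    # 0 for the first (or only) fragment
    length: int = 40        # total bytes on the wire


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    comment: str
    src: Optional[str] = None        # CIDR; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dport_min: Optional[int] = None  # lower bound for ephemeral destination ports
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or p.proto == self.proto,
            self.sport is None or p.sport == self.sport,
            self.dport is None or p.dport == self.dport,
            self.dport_min is None or p.dport >= self.dport_min,
            self.ack is None or p.ack == self.ack,
        ])


# Constructed rule set following the slide's descriptions; first match wins.
RULES = [
    Rule("deny",   "A: block mail from SPIGOT", src=SPIGOT, proto="tcp", dport=25),
    Rule("permit", "C: inside hosts may send mail", src=str(INTERNAL_NET), proto="tcp", dport=25),
    Rule("permit", "D: segments of established connections (ACK set)",
         dst=str(INTERNAL_NET), proto="tcp", ack=True),
    Rule("permit", "E: outbound FTP control connection", src=str(INTERNAL_NET), proto="tcp", dport=21),
    Rule("permit", "E: inbound FTP data connection to an ephemeral port",
         dst=str(INTERNAL_NET), proto="tcp", sport=20, dport_min=1024),
    Rule("deny",   "B: explicit default policy"),
]


class PacketFilter:
    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.first_fragment_verdict = {}   # (src, dst, frag_id) -> "permit" / "deny"

    def decide(self, p: Packet):
        """Return (verdict, reason) for one packet."""
        # IP address spoofing: an internal source address cannot legitimately
        # arrive on the external interface, whatever the rule list says.
        if p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
            return "deny", "spoofed internal source address on external interface"

        key = (p.src, p.dst, p.frag_id)
        if p.frag_id and p.frag_offset > 0:
            # Tiny fragments: later fragments carry no header fields to check,
            # so they inherit the verdict given to the first fragment.
            if self.first_fragment_verdict.get(key) != "permit":
                return "deny", "fragment whose first fragment was rejected or never seen"
            return "permit", "fragment of an accepted packet"
        if p.frag_id and p.length < MIN_FIRST_FRAGMENT:
            self.first_fragment_verdict[key] = "deny"
            return "deny", "first fragment too small to hold the transport header"

        for rule in self.rules:
            if rule.matches(p):
                verdict, reason = rule.action, rule.comment
                break
        else:
            verdict, reason = self.default, "implicit default policy"
        if p.frag_id:
            self.first_fragment_verdict[key] = verdict
        return verdict, reason


if __name__ == "__main__":
    pf = PacketFilter(RULES)
    print(pf.decide(Packet("int", "192.168.1.10", "198.51.100.5", "tcp", 40000, 25)))
    print(pf.decide(Packet("ext", "192.168.1.50", "192.168.1.25", "tcp", 40000, 25)))
```

The spoofing check runs before the rule list on purpose: a spoofed packet with an internal source address would otherwise match rule C, which is exactly the bypass the slide's countermeasure is meant to close.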
Stateful Inspection Firewall:
• The numbers less than 1024 are the “well-known” port numbers and are assigned permanently to particular applications (e.g., 25 for server SMTP).
• The numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection.
• A stateful packet inspection firewall does the following:
– Reviews the same packet information as a packet-filtering firewall,
– Also maintains information about TCP connections,
– And keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.
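The following added Python example (not the lecture's code) shows the state that such a firewall keeps: a connection table keyed by the two endpoints, opened only by an outbound SYN from an inside client on a dynamic port, plus a per-connection sequence-number window that makes an injected segment with an out-of-window sequence number fail. The addresses, the 65535-byte window and the simplified handshake handling are assumptions.

```python
"""Stateful inspection of TCP: connection table plus sequence-number window.

Added example. Connections may only be opened by an outbound SYN from an
inside client using a port in 1024-65535; inbound segments are accepted only
if they belong to a tracked connection and their sequence number lies in the
expected window. WINDOW and the sample addresses are assumptions.
"""
from dataclasses import dataclass

WINDOW = 65535                    # assumed receive window for the sequence check
EPHEMERAL = range(1024, 65536)    # dynamically assigned client ports (from the slide)


@dataclass
class Segment:
    direction: str      # "out": inside -> outside, "in": outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    fin: bool = False
    payload_len: int = 0


class StatefulInspector:
    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port)
        self.table = {}

    @staticmethod
    def _key(s: Segment):
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def inspect(self, s: Segment) -> str:
        key = self._key(s)
        conn = self.table.get(key)

        if conn is None:
            # Only an inside client may open a connection, and only with a plain SYN.
            if s.direction == "out" and s.syn and not s.ack_flag and s.sport in EPHEMERAL:
                self.table[key] = {"state": "SYN_SENT", "out_next": s.seq + 1, "in_next": None}
                return "permit"
            return "deny: no matching connection"

        if conn["state"] == "SYN_SENT":
            # The only acceptable inbound segment now is a SYN/ACK acknowledging our SYN.
            if s.direction == "in" and s.syn and s.ack_flag and s.ack == conn["out_next"]:
                conn["state"] = "ESTABLISHED"
                conn["in_next"] = s.seq + 1
                return "permit"
            if s.direction == "out":
                return "permit"          # client retransmitting its SYN
            return "deny: unexpected segment during handshake"

        # ESTABLISHED: the sequence number must fall inside the expected window;
        # this is what defeats a blind attempt to inject into the session.
        expected = conn["in_next"] if s.direction == "in" else conn["out_next"]
        if not (expected <= s.seq < expected + WINDOW):   # wraparound ignored (assumption)
            return "deny: sequence number outside window"
        if s.syn:
            return "deny: SYN on established connection"
        advance = s.payload_len + (1 if s.fin else 0)
        if s.direction == "in":
            conn["in_next"] = max(expected, s.seq + advance)
        else:
            conn["out_next"] = max(expected, s.seq + advance)
        if s.fin:
            conn.setdefault("fins", set()).add(s.direction)
            if conn["fins"] == {"in", "out"}:
                del self.table[key]      # both sides closed: forget the connection
        return "permit"
```

A plain packet filter would have accepted the injected segment in the test below because it carries the ACK flag and a known port pair; only the connection table and the tracked sequence number reveal that it does not belong to the session.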
Application-level Gateway
• Application-level Gateway
– Also called a proxy server
– Acts as a relay of application-level traffic
– The user contacts the gateway using a TCP/IP application such as Telnet or FTP and asks the gateway for the remote host by name.
– Once a valid user ID and authentication are provided, the gateway relays TCP segments containing application data between the two endpoints.
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (the gateway acts as a splice point)
Circuit-level Gateway
• Circuit-level Gateway
– Either a stand-alone system, or
– A specialized function performed by an application-level gateway for certain applications.
– Sets up two TCP connections: one between the gateway and an inner host, and one between the gateway and an outside host.
– The gateway typically relays TCP segments from one connection to the other without examining the contents.
– Security is the job of the security function.
– The security function consists of information determining which connections will be allowed.
– Typical use is a situation in which the system administrator trusts the internal users.
– An example is the SOCKS package.
SOCKS
• SOCKet Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server.
• The protocol is designed to provide a framework for client-server applications in both the TCP and UDP domains.
• The protocol is conceptually a “shim layer” between the application layer and the transport layer.
• SOCKS components:
– SOCKS server
– SOCKS client library
– SOCKS-ified versions of several standard client programs such as FTP and TELNET, modified to use the appropriate encapsulation routines in the SOCKS library.
• The SOCKS service is generally located on TCP port 1080.
• When a client wants to connect to an object on another host, it opens a TCP connection to the SOCKS port on the SOCKS server; after authentication the SOCKS server relays between the SOCKS client and the destination, and communication continues.
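To make the circuit-level gateway concrete, here is an added Python example (not the lecture's code and not the SOCKS package's own implementation) that builds the SOCKS version 5 messages a client sends, parses them on the gateway side using the RFC 1928 message layout, and applies a constructed connection policy, the "security function" that decides which circuits the gateway will relay. It does no network I/O; the functions take and return bytes. The allowed-port list and the zeroed bind address in the reply are assumptions.

```python
"""SOCKS5 handshake as seen by a circuit-level gateway (RFC 1928 layout).

Added example: client-side message builders, gateway-side parsing and a
constructed policy. No sockets are opened; everything works on bytes.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def gateway_method_choice(greeting: bytes, supported=(METHOD_NO_AUTH,)) -> bytes:
    """VER | METHOD: pick the first supported method the client offered."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for method in supported:
        if method in offered:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (IPv4 literal or domain name)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                # not a dotted quad: send a domain name
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req: bytes):
    """Return (cmd, host, port) from a client request; raise on malformed input."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, offset = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        length = req[4]
        host, offset = req[5:5 + length].decode("ascii"), 5 + length
    else:
        raise ValueError("unsupported address type")
    if len(req) != offset + 2:
        raise ValueError("malformed request")
    (port,) = struct.unpack("!H", req[offset:offset + 2])
    return cmd, host, port


# Constructed policy: internal users are trusted, but only these destination ports are relayed.
ALLOWED_PORTS = {21, 23, 80, 443}


def default_policy(host: str, port: int) -> bool:
    return port in ALLOWED_PORTS


def gateway_reply(req: bytes, policy=default_policy) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; REP carries the decision."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED
    elif policy(host, port):
        rep = REP_SUCCEEDED          # gateway would now open its second TCP connection
    else:
        rep = REP_NOT_ALLOWED        # "connection not allowed by ruleset"
    # BND fields would hold the gateway's outbound socket; zeroed here as a placeholder.
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)
```

Note what the gateway inspects and what it does not: it parses the request header to decide whether to build the circuit, but once it replies with success it would relay the two TCP connections without looking at the application data, which is exactly the property that distinguishes a circuit-level gateway from an application-level one.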
Types of Firewalls
• Bastion Host
– A system identified by the firewall administrator as a critical strong point in the network's security
– The bastion host serves as a platform for an application-level or circuit-level gateway
Bastion Host Characteristics
• Executes a secure version of its operating system, making it a hardened system.
• Only the services that the network administrator considers essential are installed on the bastion host, e.g. DNS, FTP, HTTP, and SMTP.
• Each proxy service may require its own authentication before granting user access.
• Each proxy is configured to support only a subset of the standard application's command set.
• Each proxy is configured to allow access only to specific host systems, with a limited command/feature set.
• Each proxy maintains detailed audit information, which is an essential tool for discovering and terminating intruder attacks.
• Each proxy module is a very small software package specifically designed for network security, e.g. a UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain 1000.
• Each proxy is independent of the other proxies on the bastion host.
• A proxy generally performs no disk access other than to read its initial configuration file, so it is safe from Trojan horse sniffers.
• Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.
Host-Based Firewalls
• Used to secure an individual host.
• Often already available with the OS, or can be added as an add-on package.
• Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets.
• Advantages:
– Filtering rules can be tailored to the host environment.
– Protection is provided independent of topology.
– Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection.
Personal Firewall
• Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side
• Personal firewall is used to deny unauthorized remote access to the computer.
• Eg: Mac OS X Operating system.
• Optional services:
– Personal file sharing (548, 427)
– Windows sharing (139)
– Personal Web sharing (80, 427)
– Remote login - SSH (22)
– FTP access (20-21, 1024-64535 from 20-21)
– Remote Apple events (3031)
– Printer sharing (631, 515)
– IChat Rendezvous (5297, 5298)
– ITunes Music Sharing (3869)
– CVS (2401)
Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations:
Firewall Configurations
• Screened host firewall system (single-homed bastion host)
Firewall Configurations
• Screened host firewall, single-homed bastion configuration
• The firewall consists of two systems:
– A packet-filtering router
– A bastion host
Firewall Configurations
• Configuration for the packet-filtering router:
– Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
Firewall Configurations
• Greater security than single configurations, for two reasons:
– This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
– An intruder must generally penetrate two separate systems
Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
Firewall Configurations
• Screened host firewall, dual-homed bastion configuration
– Even if the packet-filtering router is completely compromised, traffic cannot flow directly to the internal network
– Traffic between the Internet and other hosts on the private network has to flow through the bastion host
Firewall Configurations
• Screened subnet firewall configuration
– Most secure configuration of the three
– Two packet-filtering routers are used
– Creation of an isolated sub-network
Firewall Configurations
• Advantages:
– Three levels of defense to thwart intruders
– The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
Firewall Configurations
• Advantages:
– The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
DMZ Network:
• External firewall.
• DMZ (demilitarized zone) network.
• Systems that are externally accessible but need some protection are usually located on DMZ networks, such as a corporate Web site, an e-mail server, or a DNS server.
• Serves three purposes:
– The internal firewall adds more stringent filtering capability compared to the external firewall.
– Provides two-way protection: (1) from worms, rootkits, bots, or other malware, and (2) the internal firewall also protects against attacks originating inside the internal network.
– Multiple internal firewalls can be used for providing internal security.
Virtual Private Networks
• Provides a solution in today's distributed environment.
• Makes use of encryption and special protocols to provide security.
• A public network exposes corporate traffic to eavesdropping. The solution? A VPN.
• Cheaper than real private networks.
• The common protocol used here is IPsec.
• VPN traffic passing through the firewall in both directions is encrypted.
• IPsec could be implemented in the boundary router, outside the firewall, so that the firewall can still perform its filtering function, access control, logging, or scanning for viruses.
• Disadvantage: the boundary router is likely to be less secure than the firewall and thus less desirable as the IPsec endpoint.
Firewall Alternatives:
• Host-resident firewall: personal firewall software; can be used alone or as part of an in-depth firewall deployment.
• Screening router: typical for small office/home office (SOHO) applications, using stateless packet filtering.
• Single bastion T: like a single bastion, with an added interface for a DMZ; used by medium and large organizations.
• Double bastion inline: the DMZ is sandwiched between bastion firewalls; best for medium and large organizations.
• Double bastion T: the DMZ is on a separate network interface on the bastion firewall; used by large businesses and government organizations, currently used by the Australian government.
• Distributed firewall configuration: used by some large businesses and government organizations; the firewall is distributed by nature.
Trusted Systems
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
Data Access Control
• Through the user access control procedure (log on), a user can be identified and authenticated to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
Data Access Control
• General models of access control:
– Access matrix (subject, object, access rights)
– Access control list (see figure)
– Capability list (see figure)
Data Access Control
• Access Matrix: basic elements of the model
– Subject: An entity capable of accessing objects; the concept of subject equates with that of process
– Object: Anything to which access is controlled (e.g. files, programs)
– Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
Data Access Control
• Access Control List: decomposition of the matrix by columns
– An access control list lists users and their permitted access rights
– The list may contain a default or public entry
Data Access Control
• Capability list: decomposition of the matrix by rows
– A capability ticket specifies authorized objects and operations for a user
– Each user has a number of tickets
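As an added example (not the lecture's code), the Python below builds a small constructed access matrix, decomposes it by column into access control lists and by row into capability tickets, and checks that both views answer the same questions. The subjects, objects, and the "public" default entry are constructed for the example.

```python
"""Access matrix and its two decompositions: ACLs (by column), capabilities (by row).

Added example with a constructed matrix; "public" is the default entry that
an ACL may carry, and it applies to any subject without an entry of its own.
"""
from collections import defaultdict

RIGHTS = ("read", "write", "execute")

# Constructed access matrix: subject -> object -> set of access rights.
ACCESS_MATRIX = {
    "alice":  {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":    {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol":  {"payroll.db": {"read"}},
    "public": {"report.txt": {"read"}},       # default entry applying to any subject
}


def to_acl(matrix):
    """Column decomposition: object -> {subject: rights}."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)


def to_capability_lists(matrix):
    """Row decomposition: subject -> list of (object, rights) tickets."""
    return {subject: [(obj, set(rights)) for obj, rights in row.items()]
            for subject, row in matrix.items()}


def acl_check(acl, subject, obj, right, default_entry="public"):
    """Look the object up, then the subject; fall back to the default entry."""
    entry = acl.get(obj, {})
    if right in entry.get(subject, set()):
        return True
    return right in entry.get(default_entry, set())


def capability_check(caps, subject, obj, right, default_entry="public"):
    """A subject presents its tickets; a ticket naming the object and right grants access."""
    tickets = caps.get(subject, []) + caps.get(default_entry, [])
    return any(o == obj and right in rights for o, rights in tickets)


def decompositions_agree(matrix):
    """Both views must answer every (subject, object, right) question identically."""
    acl, caps = to_acl(matrix), to_capability_lists(matrix)
    subjects = set(matrix) | {"dave"}            # include a subject with no row of its own
    objects = {o for row in matrix.values() for o in row}
    return all(acl_check(acl, s, o, r) == capability_check(caps, s, o, r)
               for s in subjects for o in objects for r in RIGHTS)


def who_can(acl, obj, right):
    """The question an ACL answers cheaply: which subjects hold this right on the object?"""
    return sorted(s for s, rights in acl.get(obj, {}).items() if right in rights)


def what_can(caps, subject, right):
    """The question a capability list answers cheaply: which objects may this subject access?"""
    return sorted(o for o, rights in caps.get(subject, []) if right in rights)
```

The two helper functions at the end show why a system might keep both forms: revoking a user's access to one object is a single ACL edit, while listing everything one user can touch is a single capability-list lookup.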
The Concept of Trusted Systems
• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military)
– Users can be granted clearances to access certain categories of data, not everything.
The Concept of Trusted Systems
• Multilevel security
– Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
– No read up: A subject can only read an object of lower or equal security level (Simple Security Property)
– No write down: A subject can only write into an object of greater or equal security level (*-Property)
The Concept of Trusted Systems
• Reference Monitor Concept: Multilevel security for a data processing system
The Concept of Trusted Systems
• Reference Monitor
– Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
– The monitor has access to a file (the security kernel database)
– The monitor enforces the security rules (no read up, no write down)
The Concept of Trusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are enforced on every access
– Isolation: The reference monitor and database are protected from unauthorized modification
– Verifiability: The reference monitor's correctness must be provable (mathematically)
The Concept of Trusted Systems
• A system that can provide such verifications (properties) is referred to as a trusted system
Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
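The following added Python example (not the lecture's code) ties together the no-read-up / no-write-down rules, the reference monitor that sits between subjects and objects, and the Trojan horse defense: a small monitor consults a constructed security kernel database on every access, a store refuses to touch an object except through the monitor, and a program running with a cleared user's level is unable to copy a high object into a low one, because the *-property applies to the program just as it does to the user. The levels, the labels and the file contents are constructed.

```python
"""Reference monitor enforcing multilevel security (no read up, no write down).

Added example. The security kernel database (clearances and classifications)
is constructed; the trojan_horse_attempt function shows the defence working,
not how to write such a program.
"""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    def __init__(self, subject_levels, object_levels):
        # Security kernel database; in a trusted system it is isolated from modification.
        self._subjects = dict(subject_levels)
        self._objects = dict(object_levels)
        self.audit = []                      # every decision is recorded

    def _level(self, table, name):
        try:
            return LEVELS[table[name]]
        except KeyError:
            raise PermissionError(f"no security label for {name!r}") from None

    def check(self, subject, obj, mode):
        """Complete mediation: every access decision comes through here."""
        s, o = self._level(self._subjects, subject), self._level(self._objects, obj)
        if mode == "read":
            allowed = s >= o          # simple security property: no read up
        elif mode == "write":
            allowed = s <= o          # *-property: no write down
        else:
            allowed = False
        self.audit.append((subject, obj, mode, allowed))
        return allowed


class MediatedStore:
    """Objects can only be reached through the monitor."""

    def __init__(self, monitor, contents):
        self._monitor = monitor
        self._contents = dict(contents)

    def read(self, subject, obj):
        if not self._monitor.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._contents[obj]

    def write(self, subject, obj, data):
        if not self._monitor.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._contents[obj] = data


def trojan_horse_attempt(store, victim, high_obj, low_obj):
    """A program run by `victim` tries to copy a high object into a low one.

    Returns True if the copy succeeded (the defence failed) and False if the
    reference monitor blocked it.
    """
    try:
        data = store.read(victim, high_obj)     # allowed: the victim is cleared for it
        store.write(victim, low_obj, data)      # blocked: no write down
        return True
    except PermissionError:
        return False


def build_demo():
    """Constructed labels: alice is cleared secret, bob is unclassified."""
    monitor = ReferenceMonitor(
        {"alice": "secret", "bob": "unclassified"},
        {"secret.txt": "secret", "public.txt": "unclassified"},
    )
    store = MediatedStore(monitor, {"secret.txt": "plans", "public.txt": "notice"})
    return monitor, store
```

The audit list is what verifiability and detection rest on: because the store never bypasses the monitor, the blocked write-down shows up in the audit trail as a denied decision, and a subject without a label cannot be evaluated at all.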
Common Criteria for IT Security Evaluation
• CC (Common Criteria) for IT Security Evaluation is an international initiative by standards bodies.
• TOE (Target of Evaluation) requirements:
– Functional requirements
– Assurance requirements
• Requirements are organized in classes; classes contain families, and each component within a family performs some security objective.
CC Security Functional Requirement
• Audit
• Cryptographic Support
• Communication
• User Data Protection
• Identification and Authentication
• Security Management
• Privacy
• Protection of TOE Security Functions
• Resource Utilization
• TOE Access
• Trusted Path/Channels
CC Security Assurance Requirement
• Configuration Management
• Delivery and Operation
• Development
• Guidance Documents
• Life Cycle Support
• Tests
• Vulnerability Assessment
• Assurance Maintenance
Profiles and Targets
• PP: Protection Profile
Defines an implementation-independent set of security requirements and objectives. It is reusable and reflects user security requirements.
• ST: Security Target
Defines the IT security objectives and requirements of a specific, identified TOE. It is supplied by the vendor or developer.
[Figure: Construction of Common Criteria Requirements. Classes contain families, and families contain components; packages are an optional input to a PP or ST; optional extended (non-CC) security requirements may also be supplied; PP = Protection Profile, ST = Security Target.]
TOE: Target of Evaluation; TSFI: TOE Security Function Interface
[Figure: Security Functional Requirement Paradigm. Users and IT products interact with the TOE Security Functions, which enforce the TSF and TSP over resources and processes; users, resources and processes each carry security attributes.]
Recommended Reading
This was my last lecture in your class.
Thank You for Everything...
Heartily Best Wishes For Your Future.