CMPT 471 Networking II: Firewalls
© Janice Regan, 2006-2013


Slide 2: Security
- When is a computer secure? When the data and software on the computer are available on demand only to those people who should have access.
- One component of keeping a computer secure can be a firewall. This is not an all-encompassing solution.
- Not all problems come from outside; keep in mind that a comprehensive internal security policy is also part of the solution.

Slide 3: Firewalls: why
- Provide a single protected access from your machine or network to the internet.
- Create a single "choke" point and concentrate attention on protecting that "choke" point.
- A network behind a firewall can spend less (not no) effort on host-based security.
- Not all attacks or security problems come from outside, so a second line of defense is still needed in many cases.

Slide 4: Firewalls: why not
- Firewalls don't protect against malicious insiders: they may prevent sending data out through the internet, but cannot protect against removing the data on physical media.
- Firewalls don't protect you from connections that bypass them: dial-in or network access to internal machines cannot be monitored unless it passes through the firewall.

Slide 5: Firewalls: why not
- Firewalls protect against known threats; new threats occur regularly and counters to them must be added just as regularly.
- Viruses and malware can penetrate firewalls under some circumstances.
- Firewalls often interfere with the expected behaviour of internet applications, or slow down interaction with the internet.

Slide 6: Firewalls
- Different firewall architectures are appropriate for different types of applications.
- A firewall is a combination of hardware, software and policies.
- We look at some architectures and examples:
  - Single machine with firewall (filtering)
  - Screening router
  - Dual-homed host
  - Screened host
  - Screened network

Slide 7: GIVEN TODAY'S INTERNET ENVIRONMENT NO COMPUTER WITH INTERNET CONNECTIVITY SHOULD BE UNPROTECTED BY A FIREWALL, TO:
- Protect any private data or information
- Protect the machine so it is available for your use
- Prevent others from 'hijacking' your machine for their own purposes

Slide 8: Security strategies
- Least privilege: any object (user, program, system, ...) should have the least amount of privilege necessary to accomplish its own purpose.
- Depth of defense: layer security mechanisms so that if one is compromised another still protects you. This protects against not only attacks but also possible failures of any single layer in your defense.

Slide 9: Security strategies
- Choke point: be sure that there is no way to circumvent the choke point, and put protections at the choke point.
- Weakest link: be aware of the weak points of your defense; this is where attacks will most likely occur.
- Failures: try to make the system fail in a way that denies the attacker access, not one that opens access.

Slide 10: Firewall default strategies
- Default deny policy: no traffic is passed through the firewall unless it is specifically allowed. Any traffic or service not specifically permitted to pass the firewall will not be permitted into the protected machine or network.
- Default permit policy: all traffic will be permitted to pass through the firewall unless it is specifically forbidden.

Slide 11: Which default strategy?
- To maximize security use default deny:
  - OK if you do not need to provide internet services
  - Limited flexibility
- To maximize flexibility use default permit:
  - More difficult to maintain
  - Must specifically deny sources and protocols
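To make the difference between the two default strategies concrete, here is an added example (my own Python, not from the slides) that evaluates one constructed, ordered rule list under both defaults. The addresses are RFC 5737 documentation ranges, and the rule list, the sample packets and the `Packet`, `Rule`, `evaluate` and `compare_policies` names are all assumptions made for this illustration.

```python
"""Added example (not from the slides): a toy packet filter that evaluates the
same ordered rule list under a default-deny and a default-permit policy.
All packets and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP (constructed sample values)
    dst: str        # destination IP
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules, packet, default):
    """First matching rule wins; if no rule matches, the default policy applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed rule list: the site wants only its web server reachable and
# telnet blocked everywhere. 203.0.113.0/24 stands in for "our network".
RULES = [
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

SAMPLES = [  # constructed traffic
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),   # web to the server
    Packet("198.51.100.7", "203.0.113.10", "tcp", 23),   # telnet, explicitly denied
    Packet("198.51.100.7", "203.0.113.20", "tcp", 22),   # ssh to another host: no rule
    Packet("198.51.100.7", "203.0.113.20", "udp", 161),  # snmp: no rule
]


def compare_policies(rules=RULES, samples=SAMPLES):
    """Map (src, dst, proto, dport) -> (verdict under default deny, verdict under default permit)."""
    out = {}
    for p in samples:
        out[(p.src, p.dst, p.proto, p.dport)] = (
            evaluate(rules, p, default="deny"),
            evaluate(rules, p, default="permit"),
        )
    return out


if __name__ == "__main__":
    for key, (deny_v, permit_v) in compare_policies().items():
        print(f"{key}: default-deny -> {deny_v:6}  default-permit -> {permit_v}")
```

The two packets with no matching rule are where the policies part ways: under default deny the unlisted ssh and snmp traffic is dropped, which is why default deny is the safer choice when you provide no services, while under default permit every protocol you forgot to list gets through, which is the maintenance burden the slide mentions.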

Slide 12: Some types of low-level attacks
- Half-open port scan or SYN scan: send a SYN (or a packet with another combination of flags) to each port and watch for an ACK or RST to determine whether the port is open. Do not reply and complete the connection (send RST instead).
- Denial of service: exploit known weaknesses of the stack to cause crashes.
- IP spoofing: make the packet look like it comes from somewhere else.
- Smurf: use a forged source address (A) to make a third party attack A.
- Land: send a packet with the source and destination addresses the same. May cause failure of the receiving machine.
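As an added illustration from the defender's side (not part of the slides), the following Python runs three simple detectors over a constructed packet log: one for Land packets (source equals destination), one for ICMP echo requests aimed at one of our broadcast addresses (the amplifier step of a smurf attack), and one for SYN-scan behaviour (one source sending bare SYNs to many ports of one host without ever completing a handshake). The log entries, the network ranges, the record layout and the `min_ports` threshold are constructed assumptions, not anything from the course.

```python
"""Added example (not from the slides): detectors for the low-level attack
patterns on the slide, run over a constructed packet log."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan: 203.0.113.0/24 is "our" network (RFC 5737),
# 198.51.100.0/24 stands in for the outside internet.
OUR_NETS = [ip_network("203.0.113.0/24")]

# Constructed packet records: (src, dst, proto, dport, flags).
# flags: "S" = bare SYN, "A" = ACK, "R" = RST, "echo" = ICMP echo request.
LOG = [
    ("198.51.100.9",  "203.0.113.10",  "tcp",  22,  "S"),     # one source probing many ports...
    ("198.51.100.9",  "203.0.113.10",  "tcp",  23,  "S"),
    ("198.51.100.9",  "203.0.113.10",  "tcp",  25,  "S"),
    ("198.51.100.9",  "203.0.113.10",  "tcp",  80,  "S"),
    ("198.51.100.9",  "203.0.113.10",  "tcp",  443, "S"),
    ("198.51.100.9",  "203.0.113.10",  "tcp",  443, "R"),     # ...and tearing down with RST, never ACK
    ("198.51.100.20", "203.0.113.10",  "tcp",  80,  "S"),     # normal client
    ("198.51.100.20", "203.0.113.10",  "tcp",  80,  "A"),     # completes its handshake
    ("203.0.113.10",  "203.0.113.10",  "tcp",  139, "S"),     # Land: src == dst
    ("198.51.100.33", "203.0.113.255", "icmp", 0,   "echo"),  # echo to our broadcast address
    ("198.51.100.33", "203.0.113.10",  "icmp", 0,   "echo"),  # ordinary ping
]


def find_land(log):
    """Land packets: identical source and destination address."""
    return [rec for rec in log if rec[0] == rec[1]]


def find_broadcast_echo(log, nets=OUR_NETS):
    """ICMP echo requests addressed to the broadcast address of one of our nets,
    i.e. our network being used as a smurf amplifier."""
    hits = []
    for rec in log:
        src, dst, proto, _, flags = rec
        if proto != "icmp" or flags != "echo":
            continue
        if any(ip_address(dst) == net.broadcast_address for net in nets):
            hits.append(rec)
    return hits


def find_syn_scanners(log, min_ports=4):
    """Sources that sent bare SYNs to at least min_ports distinct ports on one
    host and never ACKed anything to that host (half-open scan signature)."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports probed with a bare SYN
    acked = set()                  # (src, dst) pairs that completed a handshake
    for src, dst, proto, dport, flags in log:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_ports[(src, dst)].add(dport)
        elif flags == "A":
            acked.add((src, dst))
    return sorted({src for (src, dst), ports in syn_ports.items()
                   if len(ports) >= min_ports and (src, dst) not in acked})


if __name__ == "__main__":
    print("land:", find_land(LOG))
    print("broadcast echo:", find_broadcast_echo(LOG))
    print("syn scanners:", find_syn_scanners(LOG))
```

The Land and broadcast-echo checks are per-packet and belong in a filter rule; the SYN-scan check needs state across packets, which is the kind of thing a simple screening router cannot do and a logging host or stateful firewall behind it can.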

Slide 13: A single computer
- Many computers (probably most) have a continuous internet connection.
- For a user with a single computer connected to their continuous connection, the simplest approach is a packet filtering firewall.
- For Windows, use the built-in firewall or one of the many other proprietary products that provide more complete protection, including virus and spyware protection.
- For Linux, use iptables/netfilter to implement filtering directly, or other public domain or proprietary products.

Slide 14: A home network
- It is becoming increasingly common for a household to have more than one computer. Probably the user of each computer wants it to be directly connected to the household's continuous internet connection(s).
- This means that out-of-the-box solutions that implement basic network protection are becoming common.
- For a technically savvy user these solutions may also be easy, but other simple options exist.
- Remember that out-of-the-box solutions need configuration to optimize their effectiveness.

Slide 15: Screening router
- This is a common, inexpensive, out-of-the-box solution that can be made more robust.
- You probably need the router to connect your local machines anyway.
- Be sure to configure it; don't just use the defaults.
- The router usually includes a mechanism for implementing packet filtering (default deny and default permit strategies are usually both supported).

Slide 16: Screening router
- This is a common, inexpensive, out-of-the-box solution that can be made more robust.
- Can implement the level of security appropriate for the network being protected; you will likely also need host-level security.
- The router will run a proprietary or reduced version of the operating system, providing fewer points of attack.

Slide 17: Using a screening router
- The network needs an adequate level of host protection: if data on any of the machines is private, host security is needed to protect that data.
- Only a limited number of simple protocols and services can be supported efficiently using a screening router:
  - Can permit or deny protocols by port number
  - Harder to permit or deny parts of a protocol
  - Difficult to be sure that what is arriving on a port is really the expected protocol
- The router is a single point of failure.

Slide 18: When to use a screening router
- When performance is important: minimize the added load on hosts by using the router to filter, and maximize throughput by basing security on simple filtering.
- When the protected network also has an adequate level of host security.
- When the number of protocols being allowed (default deny) or blocked (default accept) is small, and those protocols are simple and amenable to filtering.
- Most useful for networks providing services to the internet (like those of internet providers) and for internal firewalls.

Slide 19: Simple firewall: dual-homed host
- Use a dual-homed host to access the internet. Your network attaches to one or more interfaces, the internet to another.
- Disable forwarding: this creates a default deny policy. All access to the internet from internal hosts is by a proxy application running on the dual-homed host.
- Each application you run/proxy on the dual-homed host provides another point of attack and increases load.
- Avoid user accounts on the dual-homed host. This provides extra protection.
- Monitor the activity of each user.

Slide 20: Dual-homed host (diagram)
[Diagram: INTERNET connected to a Dual-homed host (no forwarding), which connects to four Internal Hosts]

Slide 21: Dual-homed hosts: user accounts
- Users should not be able to log into the dual-homed host:
  - Prevents a hacker from breaking in through a user account
  - Makes the vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery ...)
  - Prevents inadvertent damage to the dual-homed host's security by users (poor passwords ...)
  - Easier to detect attacks if the types of traffic are limited

Slide 22: Dual-homed host: limitations (1)
- Need an additional machine to use as the dual-homed host (it should not be a machine used directly by users).
- For a small network with modest traffic levels you can even use an older, less powerful machine (bonus: this is the only machine seen from outside, so it is less attractive to hackers).
- As the network size, the number of services proxied, or the traffic load grows, more power is needed.

Slide 23: Dual-homed host: limitations (2)
- Provides services by proxy; each service supported provides additional points of attack.
- Not all services can be proxied.
- Not all services that can be proxied will have appropriate proxies available.
- Better at supporting outbound services (local users using services on the external network) than inbound services.

Slide 24: Dual-homed host: limitations (3)
- More overhead than an equivalent packet filtering system; proxies are more compute-intensive than simple filters.
- The dual-homed host is a single point of failure:
  - A hacker who crashes your dual-homed host cuts you off from the internet
  - A hacker who compromises your dual-homed host has access to your local network

Slide 25: When to use a dual-homed host
- Internet traffic is limited: remember that the load is larger than for a comparable packet filter.
- The network protected does not contain critical data: this can be mitigated by host-level protections, but there are better solutions.

Slide 26: When to use a dual-homed host
- No (or very limited) services are being provided to the internet: each service provided adds points of attack for those trying to break in.
- A continuous connection to the internet is not essential and traffic to the internet is not critical to your business: attacks may cause the single "choke" point to fail or crash.

Slide 27: Variations
- Many consumer routers support NAT (network address translation), allowing one IP address to be shared between multiple machines.
- Local IP addresses are used for your network, with the gateway (router) forwarding packets on behalf of the other computers on your intranet.
- Good way to hide the network from external eyes.
- Can packet filter and provide some proxy services; often provides MAC address filtering.

Slide 28: Screened host architecture
- All communication between hosts on the local network and the internet (both directions) passes through proxies on a bastion host, which communicates with the internet through a packet filtering router.
- Less secure versions may allow some direct communication from network hosts to the internet (definitely not initiated from the internet to network hosts).
- The bastion host is the only host on the network to which hosts on the internet can make connections.

Slide 29: Screened host architecture
- The packet filtering router protects internal hosts from direct internet attack (allowing only certain services/protocols). This is the primary security for the network.
- This prevents users from directly accessing the internet.
- The bastion host provides services and runs proxies connecting to the outside world; it should not be a trusted member of the local network.
- Not appropriate for public web servers.

Slide 30: Screened host (diagram)
[Diagram: INTERNET connected to a Router (packet filtering), behind which the local network holds the Bastion Host and three Internal Hosts]

Slide 31: Bastion host
- Should run a minimum configuration to minimize points of attack.
- Should have all services not needed by the site disabled.
- Should not be trusted by hosts on the network.
- Should not run booting services.
- Must maintain a high level of host security on the bastion host.

Slide 32: Bastion host and user accounts
- Should not support user accounts.
- May know about users (i.e. to allow access from outside the network to machines inside the network).
- Users should not be able to log into the bastion host.
- Administrators should be able to log into the bastion host with individual accounts; remote login is a high security risk.

Slide 33: Bastion hosts and user accounts
- Users should not be able to log into the bastion host:
  - Prevents a hacker from breaking in through a user account
  - Makes the vulnerable services necessary to support user accounts unnecessary (printing, local mail delivery ...)
  - Prevents inadvertent damage to the bastion host's security by users (poor passwords ...)
  - Easier to detect attacks if the types of traffic are limited

Slide 34: Bastion host
- Provides the services your site needs to access the internet.
- Runs proxies for services your site provides to the internet: either all services, or just the services that cannot be adequately protected using filtering in the router alone (FTP, TELNET, DNS, SMTP, HTTP).

Slide 35: Screening router
- May allow hosts to open connections to selected servers on the internet.
- May disallow services, forcing them to be proxied by the bastion host (or hosts).

Slide 36: Use a screened host when
- Few connections to the network originate from outside the network.
- Host security is relatively high.
- If you allow non-bastion hosts to connect to the internet you are compromising the design, since outside users have access to the IP addresses of protected hosts.

Slide 37: Comparison
- A router is easier to secure than a multi-homed host (simpler OS, fewer points of attack, fewer services running than on a multi-homed host).
- A multi-homed host provides no way for packets to go directly to internal hosts; a screened host does (which can be a security hole).
- A multi-homed host is more prone to failure (and the type of failure is more difficult to predict).
- On balance the router may be more secure and simpler to administer.

Slide 38: Comparison
- You can get some extra protection by isolating your bastion host from your screened hosts so that most local network traffic from your screened hosts is not visible to the bastion host (broadcast traffic will still be visible).
- This is part of what a screened subnet does (next topic of discussion).
- You can get this part of the protection by isolating your bastion host using an appropriately secured Ethernet switch or switching hub.

Slide 39: Screened subnet
- Place the bastion host (or hosts) on a separate subnet connected to the internet with a router. This separate subnet is known as a perimeter network.
- That subnet in turn connects to your internal network through a second router (with packet filtering).
- Removes the difficulties caused by a single point of failure (as in multi-homed hosts and, to a lesser extent, screened hosts).
- Now a hacker must break through two levels of packet filters and compromise a bastion host to reach your internal network.

Slide 40: Screened subnet (diagram)
[Diagram: INTERNET connected to a Router (packet filtering); behind it the Perimeter network holding two Bastion Hosts; an Interior Router (packet filtering) joins the perimeter network to four Internal Hosts]

Slide 41: Screened subnet
- No longer a single point of failure.
- Adds an extra layer of security by adding a perimeter network to further isolate the hosts in the screened subnet from the internet.
- Multiple failures are needed to reach the screened subnet:
  - If the router's firewall is breached, the hacker can only reach the bastion hosts.
  - If the bastion host is compromised, sensitive internal information is still protected; the screened network still has the protection of the interior router.

Slide 42: Bastion host(s) on a separate net
- Locating the bastion hosts on a separate network from the protected hosts has many benefits.
- The bastion host sees only packets to and from bastion hosts and to and from the internet.
- It does not see traffic on the internal network:
  - Accesses to sensitive files
  - Confidential local email
  - Remote logins, FTP or TELNET packets that could provide passwords

Slide 43: Bastion host(s) on a separate net
- Bastion hosts are the primary point of contact for incoming connections for any supported protocols (local servers for SMTP, FTP, DNS ...).
- Outbound services (from our network to servers on the internet) have access controlled by filtering on the exterior or interior router and by proxy services on the bastion hosts.
- If traffic is high and/or multiple services are proxied on the bastion host, multiple bastion hosts may be used to distribute the load and partition risk.
- Services may be divided between multiple bastion hosts; services may be grouped by importance, audience, security level or access level.

Slide 44: Interior router
- Primary packet filtering system (the choke router).
- May be more restrictive than the packet filters in the exterior router:
  - Want to assure that sensitive information does not leave the screened network
  - May allow a smaller set of services to reach the interior network than can reach the exterior network
  - May direct services from outside the screened network to designated servers (e.g. a mail server on one of the internal hosts)
- Allows services to the internet to be isolated from the screened internal network (on the perimeter network).
- Protects your screened interior network from both the internet and the perimeter network.

Slide 45: Exterior router
- The exterior router may be called the access router.
- Sometimes the exterior router is provided by another group (like an ISP): your access will be limited and the filter rules will not be customized to your needs.
- Hosts on the perimeter net must be protected by strong host security; this makes exterior filtering less critical.
- If you do control the exterior router you may want to duplicate a subset of its rules on your interior router.

Slide 46: Exterior router
- Should block incoming packets whose source addresses may be forged, particularly addresses that indicate packets are coming from inside the network (screened network or perimeter network).
- Should block outgoing packets that do not come from one of your networks' IP addresses:
  - Prevents your users from sending inappropriate packets
  - More importantly, prevents any hijacker from using one of your machines to send packets with inappropriate IP addresses
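The two exterior-router rules on this slide, as an added Python example (mine, not from the slides): an ingress check that drops packets arriving from the internet with a source address belonging to the screened or perimeter network, and an egress check that drops packets leaving for the internet whose source is not one of our addresses. The address plan uses RFC 5737 documentation ranges, the sample packets are constructed, and the extra private/loopback ranges in `NEVER_FROM_INTERNET` are my own extension of the slide's ingress rule, not something the slide states.

```python
"""Added example (not from the slides): ingress/egress source-address checks
for an exterior router. All address ranges and packets are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("203.0.113.0/24")   # screened internal network (constructed)
PERIMETER = ip_network("192.0.2.0/24")    # perimeter network with the bastion hosts (constructed)
OUR_NETS = [INTERNAL, PERIMETER]

# Ranges that must never be the source of a packet arriving from the internet:
# our own networks (the slide's rule) plus, as an assumption added here,
# RFC 1918 private space and loopback.
NEVER_FROM_INTERNET = OUR_NETS + [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
]


def is_ours(addr):
    """True if addr lies in the screened or perimeter network."""
    return any(addr in net for net in OUR_NETS)


def exterior_verdict(direction, src, dst):
    """direction is 'in' (arriving from the internet) or 'out' (leaving for it).
    Returns a (verdict, reason) pair; verdict is 'drop' or 'pass'."""
    s = ip_address(src)
    ip_address(dst)  # validate the destination's form; the checks here are on source only
    if direction == "in":
        if any(s in net for net in NEVER_FROM_INTERNET):
            return "drop", "inbound packet claims an internal, perimeter or private source"
        return "pass", "inbound source address is plausible"
    if direction == "out":
        if not is_ours(s):
            return "drop", "outbound packet does not carry one of our source addresses"
        return "pass", "outbound source address is ours"
    raise ValueError("direction must be 'in' or 'out'")


SAMPLES = [  # constructed: (direction, src, dst)
    ("in",  "203.0.113.5",  "203.0.113.10"),  # claims to come from inside: forged
    ("in",  "192.0.2.7",    "203.0.113.10"),  # claims to come from the perimeter net: forged
    ("in",  "198.51.100.7", "192.0.2.7"),     # genuine internet client reaching a bastion host
    ("out", "203.0.113.5",  "198.51.100.7"),  # internal host going out: fine
    ("out", "10.1.1.1",     "198.51.100.7"),  # hijacked host sending a spoofed source: blocked
    ("out", "192.0.2.7",    "198.51.100.7"),  # bastion host replying: fine
]


def audit(samples=SAMPLES):
    """Return the verdict for each sample packet, in order."""
    return [exterior_verdict(*sample)[0] for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit()):
        print(f"{sample[0]:3} {sample[1]:>13} -> {sample[2]:<13} {verdict}")
```

The egress rule is the one most sites forget: it does nothing for your own security directly, but it is what stops a compromised host behind you from taking part in spoofed-source attacks such as the smurf attack from slide 12.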

Slide 47: Variants
- Use multiple bastion hosts: distribute load, partition services, add redundancy.
- Merge the interior router and exterior router: you need a router that allows separate filter specifications on each interface. Disadvantage: this creates a single point of failure if the router is compromised.

Slide 48: Multiple bastion hosts (diagram)
[Diagram: INTERNET connected to a Router (packet filtering); the Perimeter network holds two Bastion Hosts; an Interior Router (packet filtering) joins the perimeter network to four Internal Hosts]

Slide 49: Merged interior/exterior routers (diagram)
[Diagram: INTERNET connected to a single Interior/exterior Router (packet filtering), with the Perimeter network (two Bastion Hosts) on one of its interfaces and four Internal Hosts on another]

Slide 50: Variants
- Use multiple independent perimeter networks: provides redundancy and bandwidth.
- Make sure the networks connect to different physical connections (different providers and different cables).
- Both interior routers must enforce the same policies.
- Also used to separate incoming and outgoing services.

Slide 51: Multiple perimeter networks (diagram)
[Diagram: INTERNET connected to two Exterior Routers (packet filtering), each leading to its own Perimeter network with a Bastion Host and its own Interior Router (packet filtering); both interior routers connect to the internal network of four Internal Hosts]

Slide 52: Variants
- Use multiple exterior routers (or one exterior router with multiple interfaces):
  - Multiple internet connections (i.e. multiple providers, for redundancy or bandwidth)
  - An internet connection plus direct connections to other sites (through an internal firewall)
- Minor security compromise because there are now two attack points into the perimeter network.

Slide 53: Multiple exterior routers (diagram)
[Diagram: two Routers (packet filtering) connect the INTERNET to one Perimeter network holding two Bastion Hosts; an Interior Router (packet filtering) joins the perimeter network to four Internal Hosts]

Slide 54: Variants
- Merge the bastion host and exterior router, using a single dual-homed host for both:
  - Limits performance; less efficient for routing than a router
  - Depending on the operating system, flexible filtering may not be available
  - Need better protections on the dual-homed host
  - Appropriate only for serving a very small number of low-bandwidth services

Slide 55: Merged bastion host/exterior router (diagram)
[Diagram: INTERNET connected to a combined Bastion host and exterior Router; the Perimeter network behind it leads to an Interior Router (packet filtering) and then to four Internal Hosts]

Slide 56: Dangerous variants
- Do not merge the bastion host and interior router.
- Do not use multiple interior routers.
- Do not use both screened subnets and screened hosts.