Topics
- Firewall design principles
  - Characteristics
  - Types
  - Configurations
- Trusted systems
  - Common Criteria for Information Technology Security Evaluation
Firewalls
- Internet connectivity has become a necessity in corporations and organizations
- However, this allows outsiders to interact with network assets
- An organization may own thousands of computers
- Could install strong security software on every computer...
  - A security patch is released
  - Now thousands of computers need to be patched
Firewalls
- Easier solution? Place a firewall between the Internet and the organization's network
- Protects a network from Internet-based attacks
- Imposes security and auditing at one choke point
- Special hardware, a computer, or many computers can function as a firewall
Firewall characteristics
Goals:
- All traffic is directed through the firewall. There must be no way to access the network without going through the firewall first
- Only authorized traffic, as defined by the local security policy, is allowed to pass through the firewall
- The firewall is immune to penetration. This implies the use of a trusted system with a secure operating system
Firewall characteristics
Four techniques used to control access:
- Service control: determines which Internet services may be accessed
  - May filter traffic based on IP address or port
  - May act as proxy software (receives and interprets service requests before passing them on)
  - May host the service software itself
- Direction control: determines in which direction service requests may be initiated and allowed to pass through
- User control: controls which services particular users (inside or outside the network) may access
- Behaviour control: controls how services are used (e.g., a spam filter or website filter)
Firewall characteristics
Other features:
- Monitoring of security-related events
- Non-security-related Internet functions
  - Network address translation (NAT)
  - Logging of Internet usage
- Platform for IPSec
Firewall characteristics
Limitations:
- Cannot protect against attacks that bypass the firewall
- Cannot protect against internal threats
  - For example, an angry employee deleting files
  - Or an employee cooperating with an outside attacker
- Cannot protect against the transfer of viruses
  - Different operating systems and applications exist inside the network
  - Would need to scan all incoming data... impractical, perhaps impossible
Packet-filtering router
- Applies a set of rules to each incoming and outgoing packet
- Possible rule fields:
  - Source or destination IP address
  - Port number
  - Transport protocol (TCP or UDP)
  - Other information contained in a network packet
- Filters are a list of rules; if a rule is matched, the packet is either forwarded or discarded
- A default action, either forward or discard, applies when no rule matches the packet
Packet-filtering router
Advantages:
- Fast, simple, transparent
Disadvantages:
- Cannot prevent attacks on specific application weaknesses
- Limited logging capabilities
- Typically no support for user authentication
- Vulnerable to exploits that take advantage of problems in the TCP/IP specification
- Easy to make mistakes when creating rules
Application-level gateway
- Also called a proxy server
Usage:
- The user contacts the gateway through an application (e.g., telnet or FTP)
- The user must authenticate and provide the name of the remote host
- The gateway connects to the remote host and relays data back to the user
- If the proxy code for an application is not implemented, the gateway will not support that application
- May be configured to support only certain features of an application
Application-level gateway
Advantages:
- Tend to be more secure than packet filters
- Whole applications can be allowed or blocked, rather than many possible combinations of packets
- Easy to log and audit traffic at the application level
Disadvantage:
- Additional overhead due to splicing every connection
Circuit-level gateway
- Does not permit end-to-end connections
- Sets up two TCP connections (inner host to gateway, gateway to outer host)
- The gateway relays segments from one connection to the other
- Does not examine the contents of segments
- Its security function is to determine which connections are allowed
- Could be a standalone system, or a function performed by an application-level gateway for some applications
Circuit-level gateway
Example implementation: SOCKS
- Consists of a server, a client library, and client programs that have been linked with or are compatible with SOCKS
- A client wants to access an object beyond the firewall
- A TCP connection is opened to port 1080 on the SOCKS server
- The client is authenticated
- The client makes a relay request
- SOCKS either accepts (and establishes the connection) or rejects it
Bastion host
- A system identified as a critical strong point in the network's security
- Typically used as the platform for application-level or circuit-level gateways
Characteristics:
- Runs a secure version of an operating system
- Only essential services are installed
- Requires user authentication to access proxy services
- Each proxy is a small software package that runs independently and requires little configuration
- Each proxy may support only a subset of application features, may access only specific hosts, and maintains detailed logs
Firewall configurations
- A single router or gateway is a simple configuration
- More complex configurations are possible and are more common:
  - Screened host firewall, single-homed bastion
  - Screened host firewall, dual-homed bastion
  - Screened subnet firewall
Screened host firewall, single-homed bastion
- A packet-filtering router with a bastion host
- Router's configuration:
  - Only packets destined for the bastion host may pass
  - Only packets from the bastion host may leave
- The bastion host performs authentication and proxy functions
- The internal network is protected by two systems
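The following is an added example, not code from the lecture notes: a first-match packet filter with a default action, as described in the packet-filtering router section, used to express the router rules of the screened host, single-homed bastion configuration just described. The addresses, ports and sample packets are constructed; `Packet`, `Rule` and `PacketFilter` are names chosen for the example. It also shows the rule-ordering mistake the notes warn about, where a broad rule placed early shadows a more specific one.

```python
# Added example (not from the lecture notes): a first-match packet filter with a
# default action, used to express the router policy of the screened host,
# single-homed bastion configuration. All addresses and ports are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FORWARD, DISCARD = "forward", "discard"


@dataclass(frozen=True)
class Packet:
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" (arriving from the Internet) or "out" (leaving to it)


@dataclass(frozen=True)
class Rule:
    action: str                       # FORWARD or DISCARD
    direction: Optional[str] = None   # a None field matches anything
    src: Optional[str] = None         # CIDR network
    dst: Optional[str] = None         # CIDR network
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or p.direction == self.direction)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or p.proto == self.proto)
            and (self.dport is None or p.dport == self.dport)
        )


class PacketFilter:
    """Rules are tried in order; the first match decides. If nothing matches,
    the default action applies (discard is the safer default)."""

    def __init__(self, rules, default=DISCARD):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet):
        """Return (action, index of the matching rule, or None for the default)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, i
        return self.default, None

    def unreached_rules(self, sample_packets):
        """Indices of rules that never fire over a sample of packets: a cheap
        check for ordering mistakes, where an earlier, broader rule shadows a
        later, more specific one."""
        hit = {self.decide(p)[1] for p in sample_packets}
        return [i for i in range(len(self.rules)) if i not in hit]


# Constructed topology: internal network, bastion host and a public web server.
INTERNAL_NET = "192.0.2.0/24"
BASTION = "192.0.2.10/32"
WEB_SERVER = "192.0.2.80/32"

# Router policy for the screened host, single-homed bastion: only packets for
# the bastion may enter, only packets from the bastion may leave. The third
# rule is the flexibility the notes mention: web traffic reaches the web server
# directly without passing through the bastion.
SCREENED_HOST_RULES = [
    Rule(FORWARD, direction="in", dst=BASTION),
    Rule(FORWARD, direction="out", src=BASTION),
    Rule(FORWARD, direction="in", dst=WEB_SERVER, proto="tcp", dport=80),
]
screened_host = PacketFilter(SCREENED_HOST_RULES, default=DISCARD)

# A misordered variant: the broad forward rule comes first, so the specific
# discard for one internal host can never match.
MISORDERED_RULES = [
    Rule(FORWARD, direction="in", dst=INTERNAL_NET, proto="tcp", dport=80),
    Rule(DISCARD, direction="in", dst="192.0.2.50/32"),
]
misordered = PacketFilter(MISORDERED_RULES, default=DISCARD)

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25, "in"),    # mail to the bastion
    Packet("203.0.113.5", "192.0.2.20", "tcp", 25, "in"),    # mail to an internal host
    Packet("192.0.2.10", "203.0.113.5", "tcp", 80, "out"),   # bastion proxying outwards
    Packet("192.0.2.20", "203.0.113.5", "tcp", 80, "out"),   # internal host going out directly
    Packet("203.0.113.5", "192.0.2.80", "tcp", 80, "in"),    # web traffic to the web server
    Packet("203.0.113.5", "192.0.2.50", "tcp", 80, "in"),    # web traffic to host .50
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.direction, p.src, "->", p.dst, p.dport, screened_host.decide(p))
    print("never-reached rules in misordered set:", misordered.unreached_rules(SAMPLE))
```

Running `unreached_rules` over representative traffic before deploying a rule set catches the shadowing case shown: swapping the two misordered rules makes the discard effective again.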
Screened host firewall, single-homed bastion
- Allows for flexibility: for example, a web server does not need strong security, so the router can be configured to allow traffic directly to it
- Problem: a compromised router will allow traffic to flow directly through to the internal network, bypassing the bastion
Screened host firewall, dual-homed bastion
- All of the same features and functionality as the single-homed bastion setup
- However, physically prevents traffic from going anywhere but through the bastion first
- Solves the problem with the single-homed bastion setup
Screened subnet firewall
- Two packet-filtering routers and one bastion host
  - One router between the Internet and the bastion
  - Another between the bastion and the internal network
- Creates an isolated, screened sub-network
  - Besides the bastion, it could also contain servers, modems, etc.
- Three levels of defense
- The Internet only sees the screened sub-network
- The internal network cannot construct direct routes to the Internet
Trusted systems
- Trusted system technologies enhance the ability to defend against intruders and malicious programs
Data access control
- Need a way to state what permissions a user may have in a system (e.g., file access, database access, etc.)
- Access matrix: a general model of access control used by file or database management systems
Data access control
Elements of the access matrix:
- Subject: an entity that can access objects. Usually a user or application is represented by a process, since it is the process that gains access to an object
- Object: anything to which access is controlled (e.g., files or memory)
- Access right: the way in which an object is accessed (e.g., read, write, or execute)
- One axis lists the subjects, the other lists the objects
- Each entry consists of the access rights of a subject on an object
Data access control
- The access matrix is usually implemented by decomposing it
- Access control list (ACL)
  - Decomposition by column
  - For each object, lists the subjects and their access rights
  - May include a default set of rights
- Capability tickets
  - Decomposition by row
  - For each subject, lists the objects and the associated access rights
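As an added example (not from the lecture notes), the following builds both decompositions from one constructed access matrix and checks that they answer every access question identically. The subjects, objects and rights are made up for the example; the function names are chosen here. The last function shows the practical difference between the two forms: revoking all access to one object is a single deletion in the ACL view but a scan over every subject's capability list.

```python
# Added example (not from the lecture notes): an access matrix decomposed by
# column into access control lists and by row into capability tickets.
# Subjects, objects and rights are constructed.
from collections import defaultdict

READ, WRITE, EXECUTE = "read", "write", "execute"

# Access matrix as nested dict: ACCESS_MATRIX[subject][object] = set of rights.
# Constructed sample: two users, one scheduled job, three objects.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {READ, WRITE}, "report.txt": {READ}, "backup": {EXECUTE}},
    "bob":   {"report.txt": {READ, WRITE}},
    "cron":  {"backup": {EXECUTE}, "payroll.db": {READ}},
}


def to_acls(matrix, default_rights=frozenset()):
    """Decompose by column: for each object, the subjects and their rights.
    The entry under key None is the default set for subjects not listed."""
    acls = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subj] = frozenset(rights)
    for obj in acls:
        acls[obj][None] = frozenset(default_rights)
    return dict(acls)


def to_capabilities(matrix):
    """Decompose by row: for each subject, the objects and rights it holds."""
    return {subj: {obj: frozenset(r) for obj, r in row.items()}
            for subj, row in matrix.items()}


def acl_permits(acls, subject, obj, right):
    entries = acls.get(obj)
    if entries is None:
        return False
    return right in entries.get(subject, entries.get(None, frozenset()))


def capability_permits(caps, subject, obj, right):
    return right in caps.get(subject, {}).get(obj, frozenset())


def decompositions_agree(matrix):
    """Both decompositions must answer every (subject, object, right) query
    exactly as the matrix does."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    objects = {o for row in matrix.values() for o in row}
    for s in matrix:
        for o in objects:
            for r in (READ, WRITE, EXECUTE):
                expected = r in matrix[s].get(o, set())
                if acl_permits(acls, s, o, r) != expected:
                    return False
                if capability_permits(caps, s, o, r) != expected:
                    return False
    return True


def revoke_all_access(acls, caps, obj):
    """Remove every right to one object from both views. Returns how many
    capability lists had to be touched."""
    acls.pop(obj, None)                     # one deletion in the ACL view
    touched = 0
    for subj_caps in caps.values():         # full scan in the capability view
        if subj_caps.pop(obj, None) is not None:
            touched += 1
    return touched


if __name__ == "__main__":
    acls, caps = to_acls(ACCESS_MATRIX), to_capabilities(ACCESS_MATRIX)
    print("ACL for report.txt:", acls["report.txt"])
    print("capabilities of cron:", caps["cron"])
    print("decompositions agree:", decompositions_agree(ACCESS_MATRIX))
```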
Concept of trusted systems
Multilevel security
- Multiple groups (or levels) of data are defined
- The idea is that a high-level subject cannot convey information to a lower-level subject
- Two rules need to be enforced:
  - No read up: a subject may only read objects at a security level less than or equal to its own
  - No write down: a subject may only write into objects at a security level equal to or greater than its own
Concept of trusted systems
Reference monitor
- An element of hardware or the operating system
- Regulates the access of objects by subjects on the basis of security parameters
- A security kernel database stores all access privileges and object levels
- Properties:
  - Complete mediation: security rules are enforced on every single access to an object
  - Isolation: no unauthorized modification of the reference monitor and its database
  - Verifiability: the reference monitor's correctness must be mathematically provable
- An audit file may be used to log security violations or changes to the kernel database
Concept of trusted systems
- A trusted system provides the degree of verification seen in the reference monitor
Trojan horse defense
- A trusted operating system can prevent Trojan horse attacks
- A user's documents and programs are classified under a high security level
- A Trojan horse is planted by a user who has gained access, but under a low security level
- The Trojan horse can read the documents, but cannot copy them to a low security level file
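The following is an added example (not from the lecture notes) tying together the three preceding slides: a toy reference monitor that enforces no read up and no write down on every access to a small object store and appends each violation to an audit list, then the Trojan horse scenario run through it. The levels, subject and object names and file contents are constructed; `ReferenceMonitor`, `AccessDenied` and `trojan_horse_scenario` are names chosen for the example.

```python
# Added example (not from the lecture notes): a toy reference monitor for the
# multilevel security rules, with an audit log of violations, and the Trojan
# horse scenario from the notes run through it. Levels, subjects, objects and
# file contents are constructed for the example.
from dataclasses import dataclass, field

# Ordered security levels (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class AccessDenied(Exception):
    pass


@dataclass
class ReferenceMonitor:
    """Every read or write to the object store goes through this class
    (complete mediation). The two dicts stand in for the security kernel
    database: clearance per subject, classification per object."""
    subject_level: dict
    object_level: dict
    store: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _check(self, subject, obj, op):
        s = LEVELS[self.subject_level[subject]]
        o = LEVELS[self.object_level[obj]]
        if op == "read" and o > s:       # no read up
            self._deny(subject, obj, op, "no read up")
        if op == "write" and o < s:      # no write down
            self._deny(subject, obj, op, "no write down")

    def _deny(self, subject, obj, op, rule):
        self.audit.append(f"DENY {subject} {op} {obj}: {rule}")
        raise AccessDenied(rule)

    def read(self, subject, obj):
        self._check(subject, obj, "read")
        return self.store.get(obj, "")

    def write(self, subject, obj, data):
        self._check(subject, obj, "write")
        self.store[obj] = data


def trojan_horse_scenario():
    """The defense described in the notes. mallory (unclassified) plants a
    program; alice (secret) runs it, so the process carries her clearance. It
    can read her secret documents, but the no-write-down rule stops it from
    copying them into an unclassified file that mallory could read.
    Returns (leaked, what mallory sees, audit log)."""
    rm = ReferenceMonitor(
        subject_level={"alice": "secret", "mallory": "unclassified"},
        object_level={
            "alice_docs": "secret",
            "trojan.exe": "unclassified",
            "back_pocket": "unclassified",
        },
    )
    rm.write("alice", "alice_docs", "quarterly numbers")           # same level: allowed
    rm.write("mallory", "trojan.exe", "copy docs -> back_pocket")  # same level: allowed

    # alice runs the planted program: reading down is allowed, as is reading her own docs
    rm.read("alice", "trojan.exe")
    secret_data = rm.read("alice", "alice_docs")
    try:
        rm.write("alice", "back_pocket", secret_data)  # write down: denied and audited
        leaked = True
    except AccessDenied:
        leaked = False

    # mallory may read the unclassified back pocket, but nothing arrived there
    visible = rm.read("mallory", "back_pocket")
    return leaked, visible, list(rm.audit)


if __name__ == "__main__":
    leaked, visible, audit = trojan_horse_scenario()
    print("leaked:", leaked, "| mallory sees:", repr(visible))
    for line in audit:
        print(line)
```

Note that the rules as stated permit a low-level subject to write into a high-level object (a "blind" write up); the two rules protect confidentiality only, which is why the audit log and a separate integrity policy still matter in practice.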
Common Criteria for Information Technology Security Evaluation
- Defines a set of potential security requirements for use in evaluating part of a system
- Requirements:
  - Functional: defines desired security behaviour
  - Assurance: the basis for gaining confidence that security measures are effective and implemented correctly
- Profiles that can be generated:
  - Protection profile: defines a set of security requirements and objectives for a category of systems
  - Security target: contains the security requirements and objectives of a target system and the functional and assurance measures offered to meet those requirements