Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology


Page 1: Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology

Guide to Network Defense and Countermeasures, Second Edition

Chapter 10: Firewall Topology


Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Explain the goal of securing the network perimeter

• Describe factors in choosing a bastion host

• Explain how to supplement a firewall with a proxy server

• Set up Network Address Translation (NAT)

• Decide when to use user, session, or client authentication


Securing Network Perimeters

• Goal is to provide adequate access without jeopardizing confidential or mission-critical areas

• You need
  – Firewalls, IDSs, bastion host, Network Address Translation (NAT), proxy servers
    • Combined with authentication mechanisms

• Bastion host
  – Provides Web, FTP, e-mail, or other services running on a specially secured server


Choosing a Bastion Host

• Security software does not operate on its own
  – You install it on a computer

• Bastion host
  – Computer that sits on the network perimeter
  – Has been specially protected through OS patches, authentication, and encryption


General Requirements

• Steps in creating a bastion host
  – Select sufficient memory and processor speed
  – Choose and install OS and any patches or updates
  – Determine where the bastion host will fit in the network configuration
  – Install services you want to provide
  – Remove services and accounts that aren't needed
  – Back up the system and all data on it
  – Run a security audit
  – Connect the machine to the network


Selecting the Bastion Host Machine

• Select familiar hardware and software

• Ideal situation
  – One bastion host for each service you want to provide
  – Can be prohibitively expensive

• Operating system
  – Pick a version that is stable and secure
  – Check OS Web site for patches and updates


Selecting the Bastion Host Machine (continued)

• Memory and processor speed
  – Memory is always important when operating a server
  – Bastion host might provide only a single service
    • Does not need gigabytes of RAM
  – Match processing power to server load
    • You might have to add a processor

• Location on the network
  – Typically located outside the internal network
    • Combined with packet-filtering devices
  – Multiple bastion hosts are set up in the DMZ


Hardening the Bastion Host

• Selecting services to provide
  – Close unnecessary ports
  – Disable unnecessary user accounts and services
    • Reduces chances of being attacked
  – Disable routing or IP forwarding services
  – Do not remove dependency services
    • System needs them to function correctly


Hardening the Bastion Host (continued)

• Using honeypots
  – Honeypot
    • Computer placed on the network perimeter
    • Attracts attackers away from critical servers
    • Appears real
  – Network security experts are divided about honeypots
  – Laws on the use of honeypots are confusing at best
  – Another goal of a honeypot is logging
    • Logs are used to learn about attackers' techniques


Hardening the Bastion Host (continued)

• Disabling user accounts
  – Default accounts are created during OS installation
  – Disable all user accounts from the bastion host
    • Users should not be able to connect to it
  – Rename the Administrator account
  – Passwords at least 6-8 alphanumeric characters


Handling Backups and Auditing

• Essential steps in hardening a computer
  – Backups
  – Detailed recordkeeping
  – Auditing

• Copy log files to other computers in your network
  – Check these files for viruses

• Audit all failed and successful attempts to log on to the bastion host
  – And any attempts to access or change files
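The slide says to audit every failed and successful logon to the bastion host; the following added example (written for this page, not code from the book) shows what that audit looks like once the log files have been copied off the host. It parses logon events from a handful of constructed lines in the style of an OpenSSH auth log, counts outcomes per source address, and raises two findings an analyst would want: a burst of failures from one source, and a success from a source that had just been failing. The log lines, hostnames and addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (not real captures).
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 bastion sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 02:14:05 bastion sshd[4013]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 02:14:07 bastion sshd[4015]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 02:14:09 bastion sshd[4017]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2
Mar 10 02:14:11 bastion sshd[4019]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 02:14:13 bastion sshd[4021]: Accepted password for root from 203.0.113.7 port 51127 ssh2
"""

# One pattern covers both outcomes; "invalid user" is optional because sshd
# only prints it when the account does not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return (result, method, user, src) tuples for every logon line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["src"]))
    return events


def summarize(events):
    """Count failed and accepted logons per source address."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for result, _method, _user, src in events:
        stats[src]["failed" if result == "Failed" else "accepted"] += 1
    return dict(stats)


def find_suspicious(events, threshold=3):
    """Flag a source once its failures reach the threshold, and flag any accepted
    logon that follows failures from the same source (the pattern worth a look)."""
    findings = []
    failures = defaultdict(int)
    for result, method, user, src in events:
        if result == "Failed":
            failures[src] += 1
            if failures[src] == threshold:
                findings.append(f"{src}: {threshold} failed logons")
        elif failures[src] > 0:
            findings.append(f"{src}: accepted {method} for {user} after {failures[src]} failures")
    return findings


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print(summarize(ev))
    for finding in find_suspicious(ev):
        print("ALERT", finding)
```

Running it over the sample prints one alert for the three failed attempts from 203.0.113.7 and a second for the later accepted password logon from the same address. In practice the parser would read the copied log file instead of the embedded string, and the threshold would be tuned to the host's normal traffic.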


Working with Proxy Servers

• Proxy server
  – Software product
  – Forwards packets to and from the network being protected
  – Caches Web pages to speed up network performance


Goals of Proxy Servers

• Original goal
  – Speed up network communications
  – Information is retrieved from proxy cache instead of the Internet
    • If information has not changed at all

• Other goals
  – Provide security at the application layer
  – Shield hosts on the internal network
  – Control Web sites users are allowed to visit


How Proxy Servers Work

• Proxy server goal
  – Prevent a direct connection between an external computer and an internal computer

• Proxy servers work at the application layer
  – Opens the packet and examines the data
  – Decides to which application it should forward the packet
  – Reconstructs the packet and forwards it
    • Replaces the original header with a new header containing the proxy's own IP address


How Proxy Servers Work (continued)

• Proxy server receives traffic before it goes to the Internet

• Client programs are configured to connect to the proxy server instead of the Internet
  – Web browser
  – E-mail applications


Choosing a Proxy Server

• Different proxy servers perform different functions

• Freeware proxy servers
  – Often described as content filters
  – Do not have features for business applications
  – Example: Squid

• Commercial proxy servers
  – Offer Web page caching, source and destination IP address translation, content filtering, and NAT
  – Example: Microsoft ISA Server


Choosing a Proxy Server (continued)

• Proxy servers that can include firewall functions
  – Having an all-in-one program simplifies life
  – Disadvantages
    • Single point of failure
  – Try to use several software and hardware products to protect your network


Filtering Content

• Proxy servers can open packets and examine data

• Proxy servers can filter out content
  – That would otherwise appear in a user's Web browser
  – Can block Web sites with content your users should not be viewing
  – Can also drop executable programs
    • Java applets
    • ActiveX controls
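The "How Proxy Servers Work" slides above describe the proxy opening a client's request, rebuilding it with its own address in the header and forwarding it, and this slide adds site and content filtering. The following added example (written for this page, not code from the book or from any proxy product) does both for a plain HTTP/1.1 request: it parses the request the browser sent to the proxy, refuses blocked hosts and executable objects, strips the hop-by-hop headers, adds a Via header naming the proxy, and emits the request the proxy would open to the origin server itself. The proxy name, the blocklists and the sample request are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed values for this example: the proxy's own name and a constructed policy.
PROXY_NAME = "proxy.internal.example"
BLOCKED_HOSTS = {"forbidden.example"}
BLOCKED_TYPES = {
    "application/java-archive", "application/x-java-applet",          # Java applets
    "application/x-oleobject", "application/vnd.ms-cab-compressed",   # ActiveX controls
    "application/x-msdownload", "application/x-msdos-program",        # Windows executables
}
BLOCKED_EXTENSIONS = (".jar", ".class", ".cab", ".ocx", ".exe")
# Headers that describe the browser-to-proxy hop only; they never go upstream.
HOP_BY_HOP = {"proxy-connection", "connection", "keep-alive",
              "proxy-authorization", "te", "trailer", "upgrade"}

# Constructed request as a browser configured to use the proxy would send it
# (absolute-form target, Proxy-Connection header).
SAMPLE_REQUEST = (
    "GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "User-Agent: demo-browser\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line parts, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def rewrite_request(raw):
    """Apply policy to a client request and rebuild it as the proxy's own request.

    Returns ("deny", reason) or ("forward", new_raw_request). The origin server
    only ever sees a connection from the proxy, so the internal client's address
    is not copied into the outgoing request.
    """
    method, target, version, headers, body = parse_request(raw)
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return "deny", f"host {host} is blocked by policy"
    if parts.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "deny", f"executable object {parts.path} is blocked by policy"
    # Origin-form target for the upstream server, query string preserved.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    kept = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP]
    if not any(n.lower() == "host" for n, _ in kept):
        kept.insert(0, ("Host", parts.netloc))
    kept.append(("Via", f"1.1 {PROXY_NAME}"))
    out = f"{method} {path} {version}\r\n"
    out += "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body
    return "forward", out


def response_allowed(content_type):
    """Content filtering on the reply: drop executable payloads by media type
    before they reach the user's browser."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type not in BLOCKED_TYPES


if __name__ == "__main__":
    verdict, detail = rewrite_request(SAMPLE_REQUEST)
    print(verdict)
    print(detail)
```

The reply-side check uses the Content-Type the origin server declares; a proxy that wants to catch mislabelled objects would also sniff the first bytes of the body, which this example leaves out.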


Using Network Address Translation (NAT)

• Network Address Translation (NAT)
  – Go-between
  – Receives requests at its own IP address and forwards them to the correct IP address

• A NAT-enabled device is the only one that needs a public IP address

• An essential function that many firewalls or routers perform
  – Shields IP addresses of internal hosts

• NAT modes
  – Hide-mode and static mapping


Hide-Mode Mapping

• Process of having multiple IP addresses behind one public IP address

• Dynamic Host Configuration Protocol (DHCP)
  – Enables IP addresses to be assigned dynamically among hosts on a network

• Disadvantages
  – Cannot hide all clients behind a single IP address
  – Does not work with some types of VPNs
  – Cannot provide more than one service with a single IP address


Static Mapping

• Internal IP addresses are mapped to external, routable IP addresses
  – On a one-to-one basis

• Internal IP addresses are still hidden
  – Computers appear to have public addresses

• All addresses are static
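The two NAT modes on these slides differ in what the translation table holds. The following added example (written for this page, not code from the book) models both tables in a few lines: hide-mode NAT keys each outbound flow on the internal address and port and hands it a distinct port on the single public address, so replies can be routed back and anything else arriving from outside is dropped; static NAT keeps a fixed one-to-one map in both directions. A `publish` method on the hide-mode table shows why a single public address can expose only one server per port, which is the limitation the hide-mode slide lists. All addresses are taken from the documentation ranges and are constructed for the example.

```python
import itertools


class HideModeNat:
    """Many internal hosts share one public address; each flow gets its own public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port):
        """Rewrite the source of an outgoing packet; reuse the entry for a known flow."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_port):
        """Replies are accepted only for ports in the table; unsolicited packets get None
        and are dropped, which is how internal addresses stay hidden."""
        return self.inbound.get(dst_port)

    def publish(self, public_port, private_ip, private_port):
        """Expose one internal server on a public port. A second server on the same
        port cannot be published: one public address offers one service per port."""
        if public_port in self.inbound:
            raise ValueError(f"public port {public_port} already maps to {self.inbound[public_port]}")
        self.inbound[public_port] = (private_ip, private_port)
        self.outbound[(private_ip, private_port)] = public_port


class StaticNat:
    """One-to-one mapping; every public address is fixed, so inbound services work."""

    def __init__(self, mapping):
        self.private_to_public = dict(mapping)
        self.public_to_private = {pub: priv for priv, pub in mapping.items()}

    def translate_outbound(self, src_ip):
        return self.private_to_public[src_ip]

    def translate_inbound(self, dst_ip):
        return self.public_to_private.get(dst_ip)


if __name__ == "__main__":
    nat = HideModeNat("203.0.113.1")
    print(nat.translate_outbound("10.0.0.5", 51000))   # first flow gets port 40000
    print(nat.translate_outbound("10.0.0.6", 51000))   # same private port, distinct public port
    print(nat.translate_inbound(40001))                # reply routed back to 10.0.0.6
    print(nat.translate_inbound(8080))                 # unsolicited: None, dropped
    snat = StaticNat({"10.0.0.10": "203.0.113.10"})
    print(snat.translate_inbound("203.0.113.10"))      # inbound works without a prior flow
```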


Authenticating Users

• Authentication
  – Identify users authorized to access the network
  – Important role in firewall or other security configurations

• Depends on the exchange of information
  – Password
  – Key
  – Checksum
  – Smart card


Step 1: Deciding What to Authenticate

• User authentication
  – Identify person authorized to access network
  – Users submit credentials and log on to the network
  – Can be automatic and based on key exchange
  – Define a user and assign it to a group
    • Set access rules for that group
  – Other restrictions
    • IP addresses
    • Time-based restrictions


Step 1: Deciding What to Authenticate (continued)

• Client authentication
  – Grant access to network resources based on
    • Source IP address
    • Computer MAC address
    • Computer name
  – Identification can be automatic or manual
    • Manual requires extra effort but offers more security
  – Knowing a username and password is not enough
    • User must log on from an authorized IP address
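The user-authentication slide (users placed in groups, access rules per group, extra IP and time restrictions) and this client-authentication slide (a valid password is not enough unless the logon comes from an authorized address) combine naturally into one access decision. The following added example (written for this page, not code from the book or any firewall product) implements that decision: credentials are verified against salted PBKDF2 hashes, then the user's group rule is checked for source network, time window and requested resource, in that order, so the reason for a refusal is reported. The users, passwords, groups, networks and hours are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, time


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the directory stores only this value, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: user -> group membership and stored credential.
USERS = {
    "alice": {"group": "admins", "salt": b"salt-alice",
              "hash": hash_password("correct horse", b"salt-alice")},
    "bob":   {"group": "staff",  "salt": b"salt-bob",
              "hash": hash_password("battery staple", b"salt-bob")},
}

# Constructed access rules per group: resources, permitted source networks
# (the client-authentication check) and a time-of-day window.
GROUP_RULES = {
    "admins": {"resources": {"mail", "web", "ssh-bastion"},
               "networks": [ipaddress.ip_network("10.10.0.0/24")],
               "hours": (time(0, 0), time(23, 59, 59))},
    "staff":  {"resources": {"mail", "web"},
               "networks": [ipaddress.ip_network("10.0.0.0/16")],
               "hours": (time(8, 0), time(18, 0))},
}


def authenticate(user, password):
    """User authentication: compare the submitted password with the stored hash
    in constant time. Unknown users fail the same way as wrong passwords."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def authorize(user, src_ip, resource, when):
    """Apply the group's rules. Returns (allowed, reason)."""
    rule = GROUP_RULES[USERS[user]["group"]]
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in rule["networks"]):
        return False, "source address not authorized for this group"
    start, end = rule["hours"]
    if not start <= when.time() <= end:
        return False, "outside permitted hours"
    if resource not in rule["resources"]:
        return False, "resource not granted to group"
    return True, "allowed"


def access(user, password, src_ip, resource, when):
    """Full decision: credentials first, then the group's access rules."""
    if not authenticate(user, password):
        return False, "bad credentials"
    return authorize(user, src_ip, resource, when)


if __name__ == "__main__":
    office_hours = datetime(2024, 3, 11, 9, 30)
    print(access("bob", "battery staple", "10.0.5.7", "web", office_hours))
    print(access("bob", "battery staple", "192.0.2.1", "web", office_hours))
    print(access("alice", "correct horse", "10.10.0.4", "ssh-bastion", datetime(2024, 3, 11, 2, 0)))
```

The order of the checks is deliberate: a correct password from an unauthorized network is refused before the time window or the resource is considered, which is exactly the "knowing a username and password is not enough" point of the slide.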


Step 1: Deciding What to Authenticate (continued)

• Session authentication
  – Authorize user or computer on a per-connection basis
  – Uses special authentication software on the client
    • Exchanges information with the firewall
  – Gives the user more flexibility than user or client authentication


Step 2: Deciding How to Authenticate

• Password security
  – User name and password compared against a database of approved users
  – Simplest and most straightforward authentication
  – Password systems
    • OS password
    • Firewall password
    • S/Key password
    • SecurID
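S/Key in the list above is a one-time-password system built on a hash chain: the client hashes a secret repeatedly, the server stores only the last link, and each logon presents the link before it, so a password captured on the wire cannot be reused. The following added example (written for this page, not code from the book) shows the chain and the server's check, with SHA-256 standing in for the MD4 the original S/Key used. The secret and seed are constructed for the example.

```python
import hashlib


def otp_chain(secret, seed, n):
    """Return [h_0, h_1, ..., h_n] with h_0 = H(seed || secret) and h_i = H(h_{i-1}).
    The client computes this; the server is given only h_n."""
    h = hashlib.sha256(seed + secret).digest()
    chain = [h]
    for _ in range(n):
        h = hashlib.sha256(h).digest()
        chain.append(h)
    return chain


class OtpServer:
    """Holds the last accepted link and verifies each logon by hashing the offered one."""

    def __init__(self, last_link, count):
        self.stored = last_link   # h_count; the next valid password is h_{count-1}
        self.count = count        # passwords remaining before the chain must be reseeded

    def login(self, candidate):
        if self.count == 0:
            return False          # chain exhausted: a new seed is required
        if hashlib.sha256(candidate).digest() != self.stored:
            return False          # wrong link, or a replay of an already used one
        self.stored = candidate   # move one link down the chain
        self.count -= 1
        return True


if __name__ == "__main__":
    chain = otp_chain(b"constructed-secret", b"seed01", 5)
    server = OtpServer(chain[5], 5)
    print(server.login(chain[4]))   # first one-time password: accepted
    print(server.login(chain[4]))   # same password again: rejected
    print(server.login(chain[3]))   # next link: accepted
```

Because the hash is one-way, holding h_n (or sniffing h_4) gives an eavesdropper no way to compute the h_3 needed for the next logon, which is the property that makes the scheme safe over an unencrypted link.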


Step 2: Deciding How to Authenticate (continued)

• Smart cards and tokens
  – Two-factor authentication
    • Combines objects the user possesses with passwords
  – Most common objects used in authentication
    • Smart cards
    • Tokens
  – Smart cards
    • Similar to ATM cards
  – Tokens
    • Objects that enable users to authenticate themselves
    • Examples: smart cards, handhelds, key fobs


Step 2: Deciding How to Authenticate (continued)

• Exchanging public and private keys
  – Password is a code used to authenticate yourself
  – Computers can also authenticate each other
    • Exchanging codes
    • Code can be long and complicated
    • Called keys
  – Keys
    • Blocks of encrypted code generated by algorithms
  – Public key cryptography
    • Authenticates by exchanging public and private keys


Step 2: Deciding How to Authenticate (continued)

• Digital signatures
  – Message recipient can authenticate sender's identity
  – One-way hash function
    • Called a message digest
    • Fixed-length code
    • Results from processing a message through a mathematical function
  – One-way hash function characteristics
    • Value is unique for the hashed data
    • Data cannot be deduced from the hash


Step 2: Deciding How to Authenticate (continued)

• Digital signatures
  – Signing software creates a hash of the message
    • And encrypts it using your private key
  – Validation process
    • Recipient uses signer's public key to decrypt the hash
    • Computes hash value of received message
      – Using same hashing algorithm as the sender
    • Compares hash values


Step 3: Putting It All Together

• S-HTTP
  – Secure Hypertext Transfer Protocol (S-HTTP)
    • Encrypts communication between a Web server and a Web browser
  – Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
    • SSL encrypts the data portion of a packet, not the header
      – Firewall can still filter and route it
    • SSL does not provide user authentication


Step 3: Putting It All Together (continued)

• IPSec/IKE
  – IPSec encrypts communications at the network layer of the OSI model
  – Widely used
  – NAT can interfere with IPSec
  – Internet Key Exchange (IKE)
    • Allows exchange of public and private keys
  – Internet Security Association and Key Management Protocol (ISAKMP)
    • Enables two computers to agree on security settings


Step 3: Putting It All Together (continued)

• Dial-in authentication: RADIUS and TACACS+
  – Terminal Access Controller Access Control System (TACACS+)
    • Called "Tac-plus"
    • Authentication protocol developed by Cisco Systems
    • Uses MD5 to produce an encrypted digest version of transmitted data


Step 3: Putting It All Together (continued)

• Dial-in authentication: RADIUS and TACACS+
  – Remote Authentication Dial-In User Service (RADIUS)
    • Provides less security than TACACS+
    • More widely supported
    • Transmits authentication packets unencrypted across the network
    • Vulnerable to packet sniffing


Summary

• Modern networks require a variety of services

• Firewalls cannot secure a network alone

• Bastion host
  – Computer on the network perimeter
  – Specially protected through OS patches, authentication, and encryption

• Proxy server
  – Forwards packets to and from the network
  – Caches Web pages to speed up network performance


Summary (continued)

• Network Address Translation (NAT)
  – Conceals the IP addresses of computers on the internal network from external locations

• Authentication types
  – Client authentication
  – User authentication
  – Session authentication

• Encryption schemes
  – Secure Socket Layer (SSL)
  – Internet Protocol Security (IPSec)