Internet and Intranet Fundamentals
Class 9
Session A
Topics
• Firewalls (continued)
Firewalls (Continued)
• Bastion Hosts
• Packet Filtering
Bastion Hosts
• Public Presence on the Internet
• The “Lobby” Analogy
• Public Exposure Implies Increased Security Requirements
– focus special attention on building a Bastion host
– host security
• some principles apply to other hosts as well
Bastion Hosts: Various Types
• Non-routing Dual-homed Hosts
– make sure they are non-routing!
• Victim Machines
– sacrificial goat
– don’t let users put valuables on them
• Internal, semi-Bastion Hosts
– inside the firewall
– communicate with external bastion
Bastion Hosts: General Design Guidelines
• Minimize the Number of Services Provided
– keep it simple, scholar
– server software may have bugs that can be exploited
• Expect Bastion Host to be Compromised
– expect the worst and plan for it
– most likely to be attacked
– bastion host considered untrusted host
Bastion Hosts
• What Platform?
– Unix, NT, etc.?
• Criteria
– your experience
– firewall tools availability
• Class of Machine
– minimal
– not a supercomputer
– RAM more important than CPU
Bastion Hosts: Location
• Physical Location
– safe
• Network Location
– preferably on a perimeter network
– or a network not susceptible to spoofing
• ATM, Ethernet switch
Bastion Host: Services
• Proxy and Relay Services
– HTTP Proxy
– SMTP Server
– NNTP Server
– FTP Server
• Public Services
– HTTP
– SMTP
Bastion Hosts: Construction Steps
• Secure the Machine
– start with minimal, clean operating system
– fix all known system bugs
– use a security checklist
– safeguard the system logs
• requires lots of logging
Bastion Hosts: Construction Steps
• Disable Non-required Services
• Install or Modify Services
• Reconfigure Machine from Development to Deployment
• Perform Security Audit
• Connect Machine to Network
Packet Filtering: Topics
• What is it?
• Advantages and Disadvantages
• Configuring a Packet Filtering Router
• Various Kinds of Filtering
Packet Filtering: What is it?
• Selectively reject IP packets based on:
– source address
– destination address
– incoming physical port
– TCP application port
Packet Filtering: Advantages and Disadvantages
• Advantages
– one router protects an entire network
– doesn’t require user knowledge or cooperation
– widely available
• Disadvantages
– current filtering tools not perfect
• can be hard to configure, test, and maintain
• may have bugs
– some protocols don’t lend themselves to filtering
Packet Filtering: Configuring a PF Router
• Protocols Bidirectional
• Inbound vs. Outbound Semantics
– packets vs. services
– think “packets”
• Default Security Policy
– permit or deny?
• Returning ICMP Error Codes
– destination unreachable, for example
Various Kinds of Filtering
• Rules
– Direction
– Source Address
– Destination Address
– ACK Set
– Action
Various Kinds of Filtering: Rules
Rule  Direction  Source Address         Dest Address           ACK Set  Action
A     Inbound    Trusted external host  Internal               Any      Permit
B     Outbound   Internal               Trusted external host  Any      Permit
C     Either     Any                    Any                    Any      Deny
Various Kinds of Filtering: Risks of Address Filtering
• Address Forgery
– source
• does not hope to get any packets back
– man-in-the-middle
• must intercept return packets
• must alter network topology to get in the middle
Various Kinds of Filtering: Filtering by Service
• More Complicated
• TELNET
– outgoing
• local host’s IP source address
• remote host’s IP destination address
• TCP packet type
• TCP destination port is 23
• content: your keystrokes
Various Kinds of Filtering: Filtering by Service
• TELNET
– incoming
• remote host’s IP source address
• local host’s IP destination address
• TCP packet type
• TCP source port is 23
• TCP destination port is same as prior source port
• ACK set
Various Kinds of Filtering: Filtering by Service
• TELNET
– Rules
• permit outbound on port 23
• permit inbound on port 23 if ACK is set
• deny both outbound and inbound for everything else
– default rule
• Risks
– some other service on port 23?
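The address rule table (A, B, C) and the TELNET rules above, run as a small first-match packet filter with a default deny. This is an added example, not part of the lecture slides; the internal network (10.0.0.0/8) and the trusted external network (192.0.2.0/24) are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample networks (assumption, not from the lecture slides).
INTERNAL = ip_network("10.0.0.0/8")
TRUSTED_EXT = ip_network("192.0.2.0/24")  # TEST-NET-1 documentation range

@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", relative to the filtering router
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool  # TCP ACK flag; clear only on the first packet of a connection

@dataclass(frozen=True)
class Rule:  # a field left as None means "any" for that column of the table
    direction: Optional[str] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None
    action: str = "deny"

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))

def evaluate(rules: list, p: Packet) -> str:
    """First matching rule decides; no match falls through to the default deny."""
    return next((r.action for r in rules if r.matches(p)), "deny")

ADDRESS_RULES = [  # rules A, B and C from the address-filtering table
    Rule("inbound", TRUSTED_EXT, INTERNAL, action="permit"),   # A
    Rule("outbound", INTERNAL, TRUSTED_EXT, action="permit"),  # B
    Rule(action="deny"),                                       # C
]

TELNET_RULES = [  # outgoing to port 23; replies from port 23 only with ACK set
    Rule("outbound", INTERNAL, None, dport=23, action="permit"),
    Rule("inbound", None, INTERNAL, sport=23, ack=True, action="permit"),
    Rule(action="deny"),  # default rule
]
```

The ACK check is what stops an outside host from opening a connection inward: its first packet carries no ACK and falls to the default deny, while replies to a connection opened from inside pass. The inbound rule still passes anything a remote host sends from source port 23 with ACK set, which is the “some other service on port 23?” risk the slide raises.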