Internet Security and Firewall Design Chapter 32


Page 1: Internet Security and Firewall Design

Internet Security and Firewall Design

Chapter 32

Page 2

Introduction

• Levels of trust
  – The Internet is used by a diverse group of users, services, and networks separated by:
    • geography
    • organizational boundaries
    • politics
  – Security is required on every computer and every protocol
• Perimeter security: defines inside and outside
• Encryption

Page 3

Protecting Resources

• Security refers to:
  – data integrity
  – authorized-only access to services and resources
  – freedom from invasion
  – continuity of service
• Protection of physical resources
  – disks, computers, cables, bridges, routers

Page 4

Protecting Resources

• Protection of abstract resources (information security)
  – data integrity
  – data availability
  – privacy or confidentiality
  – authorization
  – authentication
  – replay avoidance
    • preventing an attacker from re-sending copies of packets captured earlier so that they are accepted a second time

Page 5

Information Policy

• All organizations need to assess risks and define a clear policy about information access and protection
  – Who is granted access?
  – How is information disseminated?
  – How will the organization handle violations of this policy?
• “A worker who is malicious, careless, or unaware of an organization’s information policy can compromise the best security.”

Page 6

Internet Security

• Difficult because
  – datagrams may pass over intermediate networks and routers not owned or controlled by the sender or the receiver
  – datagrams may be intercepted or compromised, and their contents may not be trusted
    • e.g. a router can record the IP address of a passing datagram, later send a request using that address, and intercept the reply
• Encryption may be used
  – The bits of a message are transformed according to a key known only to the sender and the receiver, so a router in the path can copy the datagram but cannot read its contents

Page 7

IP Security (IPsec)

• IPsec is a set of security protocols from the IETF
  – allows a pair of communicators to determine which protocols to use
• An authentication header is inserted between the IP and TCP headers

  (original)                     IP hdr | TCP hdr | TCP data
  (with authentication header)   IP hdr | Auth hdr | TCP hdr | TCP data

Page 8

IP Security (IPsec)

• The protocol field in the IP header is changed to 51 to indicate the authentication header
  – The authentication header carries a NEXT header field that specifies the type of information that follows it in the datagram
• Authentication header layout (one 32-bit word per row; the authentication data is variable length):

  Next hdr | Hdr Len | Reserved
  Security Parameters Index
  Sequence Number
  Authentication Data

Page 9

Security Association

• Each receiver has a security scheme defined by a set of security parameters (algorithms, keys, lifetimes)
  – called a security association (SA)
  – identified by an index number, the Security Parameters Index (SPI), carried in the authentication header
  – a sender must know the SPI of the SA it shares with a receiver before it can send protected datagrams to that receiver

Page 10

Encapsulating Security Payload (ESP)

• ESP uses a value of 50 in the IP Protocol field
• ESP adds 3 areas to the datagram
  – ESP header: between the IP and TCP headers
  – ESP trailer: after the TCP data, and encrypted together with the payload (TCP header and TCP data)
  – ESP auth: follows the ESP trailer

  IP hdr | ESP hdr | TCP hdr | TCP data | ESP trl | ESP auth

  encrypted:     TCP hdr through ESP trl
  authenticated: ESP hdr through ESP trl (the result is carried in ESP auth)
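The three ESP areas in working form, as an added example that is not part of the slides or of the textbook figure they summarise: the ESP header (SPI and sequence number) stays in the clear, the payload plus trailer (padding, pad length, next header) is encrypted, and the ESP auth field is an HMAC over header and ciphertext. The security association, its keys and the TCP segment are constructed for the example; the cipher is an assumed toy keystream built from HMAC-SHA-256 so the block runs with the standard library alone, standing in for the AES modes real ESP uses.

```python
import hashlib
import hmac
import os
import struct

IPPROTO_ESP = 50   # value placed in the IP Protocol field when ESP is used
IPPROTO_TCP = 6
ICV_LEN = 16       # ESP auth field: HMAC-SHA-256 truncated to 128 bits

# Constructed security association (SA) for the example, looked up by SPI.
# Assumed keys; a real SA carries negotiated keys and algorithm identifiers.
SA = {"spi": 0x1000, "enc_key": bytes(range(32)), "auth_key": b"k" * 32}
SADB = {SA["spi"]: SA}

def keystream(key, iv, n):
    # Toy stand-in for the real cipher (AES-CBC / AES-GCM in deployed ESP):
    # an HMAC-SHA-256 counter-mode keystream, so the example needs no
    # third-party library. Illustration only, not for real traffic.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(sa, seq, payload, next_hdr=IPPROTO_TCP, block=4):
    """Return the ESP part of a datagram: ESP hdr | IV | ciphertext | ESP auth.

    The ciphertext is the payload (TCP hdr + TCP data) followed by the ESP
    trailer (padding, pad length, next header), so the trailer is hidden on
    the wire and the true upper-layer protocol is not visible.
    """
    pad_len = (-(len(payload) + 2)) % block          # pad to the cipher block size
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr = struct.pack("!II", sa["spi"], seq)    # SPI, sequence number (clear)
    iv = os.urandom(8)                               # per-packet IV, sent in clear
    plaintext = payload + trailer
    ciphertext = xor(plaintext, keystream(sa["enc_key"], iv, len(plaintext)))
    authenticated = esp_hdr + iv + ciphertext        # ESP hdr .. ESP trailer
    icv = hmac.new(sa["auth_key"], authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv

def esp_decapsulate(sadb, esp):
    """Verify the ESP auth field, then decrypt; return (seq, next_hdr, payload)."""
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sadb.get(spi)
    if sa is None:
        raise ValueError("no security association for SPI %#x" % spi)
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # check integrity before decrypting
        raise ValueError("ESP ICV mismatch: datagram altered or wrong key")
    iv, ciphertext = authenticated[8:16], authenticated[16:]
    plaintext = xor(ciphertext, keystream(sa["enc_key"], iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    return seq, next_hdr, plaintext[:len(plaintext) - 2 - pad_len]

if __name__ == "__main__":
    segment = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"   # constructed TCP hdr + data
    wire = esp_encapsulate(SA, 7, segment)
    print("on the wire:", wire.hex())
    print("recovered:", esp_decapsulate(SADB, wire))
```

The receiver checks the ICV before it decrypts anything, so a datagram whose ciphertext was modified in transit, or that names an SPI with no matching SA, is dropped without the cipher ever being run on attacker-controlled input.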

Page 11

Authentication and Mutable Header Fields

• IPsec authentication is designed to make sure that an arriving datagram is identical to the one sent
  – But the TTL and checksum fields are changed at each hop
  – Mutable fields are the IP header fields that get changed in transit
• We don't want these expected changes to cause authentication errors
• So IPsec authenticates only the immutable fields (the mutable fields are treated as zero when the authentication data is computed and when it is checked)
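The authentication header of pages 7 to 9 and the mutable-field rule of page 11, as an added example rather than code from the slides: the sender builds IP hdr | Auth hdr | TCP segment with Protocol = 51, the receiver looks up the SA by SPI, rejects a sequence number it has already accepted (replay avoidance), and recomputes the ICV with the mutable fields zeroed. A simulated router hop that decrements the TTL and rewrites the checksum therefore leaves the datagram verifiable, while a single changed payload byte does not. The SA database, its key, the addresses and the TCP segment are constructed; HMAC-SHA1-96 is the algorithm chosen here.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51    # IP Protocol field value that announces an authentication header
IPPROTO_TCP = 6
ICV_LEN = 12       # HMAC-SHA1-96: the ICV is truncated to 96 bits (three 32-bit words)

# Constructed security association database keyed by SPI (the index a sender
# must know to reach this receiver). Assumed key; "seq_seen" is the receiver's
# anti-replay state for the Sequence Number field.
SADB = {0x2001: {"auth_key": b"A" * 20, "seq_seen": 0}}

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, ttl, total_len):
    """Minimal 20-byte IPv4 header with the checksum field filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def zero_mutable(hdr):
    """Treat the mutable IP fields as zero for the ICV: TOS, flags/fragment
    offset, TTL and header checksum (the deck names TTL and checksum; the
    others are the remaining mutable fields of the IPv4 header)."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def make_ah_datagram(spi, seq, src, dst, segment, ttl=64, next_hdr=IPPROTO_TCP):
    """Sender: IP hdr | Auth hdr | TCP hdr | TCP data, with Protocol = 51."""
    ah_len = 12 + ICV_LEN
    hdr = ipv4_header(src, dst, IPPROTO_AH, ttl, 20 + ah_len + len(segment))
    hdr_len_field = ah_len // 4 - 2                  # AH "Hdr Len": 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, hdr_len_field, 0, spi, seq)
    # ICV covers the immutable IP fields, the AH with its ICV zeroed, and the payload.
    icv_input = zero_mutable(hdr) + ah_fixed + bytes(ICV_LEN) + segment
    icv = hmac.new(SADB[spi]["auth_key"], icv_input, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ah_fixed + icv + segment

def router_hop(datagram):
    """What every router does in transit: decrement TTL, recompute the checksum."""
    h = bytearray(datagram[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + datagram[20:]

def ah_verify(datagram):
    """Receiver: look up the SA, reject replays, check the ICV over the
    immutable fields. Returns (next_hdr, upper-layer bytes) or raises."""
    hdr, rest = datagram[:20], datagram[20:]
    if hdr[9] != IPPROTO_AH:
        raise ValueError("protocol field is not 51")
    next_hdr, hdr_len_field, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (hdr_len_field + 2) * 4
    icv, upper = rest[12:ah_len], rest[ah_len:]
    sa = SADB.get(spi)
    if sa is None:
        raise ValueError("no security association for SPI %#x" % spi)
    if seq <= sa["seq_seen"]:
        raise ValueError("sequence number %d already seen: replay" % seq)
    icv_input = zero_mutable(hdr) + rest[:12] + bytes(ICV_LEN) + upper
    expected = hmac.new(sa["auth_key"], icv_input, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV mismatch: an immutable field or the payload changed")
    sa["seq_seen"] = seq                             # accept, advance replay state
    return next_hdr, upper

if __name__ == "__main__":
    seg = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"   # constructed TCP hdr + data
    d = make_ah_datagram(0x2001, 1, b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02", seg)
    print("after two hops:", ah_verify(router_hop(router_hop(d))))
```

A real implementation keeps a sliding replay window rather than the single "highest sequence number seen" used here, so that datagrams reordered by the network are still accepted; the single counter keeps the example short.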

Page 12

Secure Sockets

• SSL (Secure Sockets Layer) was developed by Netscape
  – allows each side to authenticate itself to the other
  – both sides negotiate an encryption algorithm
  – provides an encrypted connection

Page 13

Firewalls and Internet Access

• Controlling internet access prevents unauthorized users from:
  – obtaining information
  – changing information
  – disrupting communication on an internet
• Access control involves:
  – network topology
  – information staging
  – packet filters
• An organization places a firewall at its connection to external networks to separate inside from outside

Page 14

Multiple Connections

• A firewall is built from a router (or a set of routers) with packet filters
  – It is named after the fireproof partition in a building that separates parts of the building, making each part impenetrable to fire
• A major factor in using firewalls is that an organization may have multiple external connections
  – A firewall may be placed at each external connection
  – All firewalls must be coordinated with each other, so that the same policy is enforced at every connection

Page 15

Filtering

• A firewall must have hardware and software that can filter at high speed
  – Filters can be configured to block specific datagrams
    • from a particular source
    • used by a particular application
  – Each datagram is considered separately by the filter
  – Some routers can configure separate filter actions for each interface; others configure all interfaces the same

Page 16

Filtering

• Example in Figure 32.6:
  – a router has two interfaces
  – blocks incoming datagrams for FTP, TFTP, TELNET, WHOIS and FINGER
  – blocks outgoing datagrams from hosts with prefix 128.5.0.0 destined for the e-mail service at port 25
• Problems
  – listing each service like this could be tedious
  – much of the traffic is not to or from a well-known port
  – tunneling can circumvent security (some traffic will slip past)

Page 17

A Better Solution

• Maybe the firewall should decide which packets can be allowed in
  – Block all datagrams except those destined for certain networks, hosts and ports

Page 18

The Consequences of Restricted Access for Clients

• A client on the inside of a firewall may want a service from the outside, and uses an arbitrary (ephemeral) source port for the connection
  – This port is not “known” to the filter, so the server’s reply may be denied when it arrives
  – Users on the inside need a safe way to access outside services
• Solution: Proxy Access
  – Usually one secure computer is associated with each firewall, called a bastion host

Page 19

Firewall Architecture

• See Figure 32.8
• Like Figure 32.7, the barriers each require routers with packet filters
  – R2 implements the outer barrier
    • It filters all incoming datagrams except those destined for the bastion host
  – R1 implements the inner barrier
    • It blocks all incoming datagrams except those originating on the bastion host
• The security of the firewall depends on the bastion host

Page 20

Stub Network

• A stub network is one that connects the two routers and the bastion host
• Could the bastion be placed on one of the production networks?
  – The stub network isolates the organization from incoming datagram traffic
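The packet filtering of pages 15 to 20 run on sample datagrams, as an added example that is neither the slides' nor the textbook's code: a stateless first-match filter, the Figure 32.6 rule list, the default-deny alternative of page 17, and the two-barrier rule sets for R2 and R1 of page 19. The evaluation shows the three points the slides make: a service moved to a non-standard port slips past the service list but not default deny; a reply to an inside client's ephemeral port is blocked by default deny (page 18), while the same reply addressed to the bastion host passes R2 and the bastion's forwarded datagram passes R1. The addresses, the 128.5.0.0/24 stub network and the bastion address 128.5.0.2 are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    iface: str      # interface the datagram arrives on
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    """One filter entry; a field left as None matches anything."""
    action: str                      # "permit" or "block"
    iface: Optional[str] = None
    src: Optional[str] = None        # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, d: Datagram) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return ((self.iface is None or self.iface == d.iface)
                and in_net(d.src, self.src) and in_net(d.dst, self.dst)
                and (self.proto is None or self.proto == d.proto)
                and (self.dport is None or self.dport == d.dport))

def decide(rules, d, default="permit"):
    """Stateless first-match evaluation: each datagram is judged on its own."""
    for r in rules:
        if r.matches(d):
            return r.action
    return default

# Figure 32.6 as a rule list: the named services are blocked inbound on the
# outside interface, and hosts under 128.5.0.0/16 may not send to port 25.
# Anything not listed is permitted (default "permit").
FIG_32_6 = [
    Rule("block", iface="outside", proto="tcp", dport=21),   # FTP
    Rule("block", iface="outside", proto="udp", dport=69),   # TFTP
    Rule("block", iface="outside", proto="tcp", dport=23),   # TELNET
    Rule("block", iface="outside", proto="tcp", dport=43),   # WHOIS
    Rule("block", iface="outside", proto="tcp", dport=79),   # FINGER
    Rule("block", iface="inside", src="128.5.0.0/16", proto="tcp", dport=25),
]

# Assumed addressing for the two-barrier architecture (not on the slides):
# stub network 128.5.0.0/24, bastion host 128.5.0.2, production nets 128.5.1.0/24 ...
BASTION = "128.5.0.2"
R2_OUTER = [                       # outer barrier: inbound only to the bastion host
    Rule("permit", iface="outside", dst=BASTION + "/32"),
    Rule("block", iface="outside"),
]
R1_INNER = [                       # inner barrier: from the stub net only if sent by the bastion
    Rule("permit", iface="stub", src=BASTION + "/32"),
    Rule("block", iface="stub"),
]

def fig_32_6(d):
    return decide(FIG_32_6, d)

def outer(d):
    return decide(R2_OUTER, d)

def inner(d):
    return decide(R1_INNER, d)

if __name__ == "__main__":
    # Constructed datagrams: a telnet attempt, the same thing on port 2323, and a
    # reply to an inside client's ephemeral port.
    for d in (Datagram("outside", "203.0.113.9", "128.5.1.20", "tcp", 51000, 23),
              Datagram("outside", "203.0.113.9", "128.5.1.20", "tcp", 51000, 2323),
              Datagram("outside", "203.0.113.5", "128.5.1.20", "tcp", 80, 40000)):
        print(d.dport, "fig32.6:", fig_32_6(d), " R2:", outer(d))
```

Because each datagram is judged on its own, neither rule set can tell a legitimate reply from unsolicited inbound traffic; that is exactly the gap the bastion host and proxy access close, and what stateful filters later added to packet filtering.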

Page 21

An Alternative Firewall Implementation

• How can one company have a single firewall, but allow connections to multiple sites?
  – Multiple routers act as the outer barrier

  Outside:   R2   R3   R4   R5   (one router per external connection)
  Stub net:  shared by R2 to R5, the bastion host H, and the inner router R1
  Inside:    R1 -> Intranet (inside)

Page 22

An Alternative Firewall Implementation

• Why do firewalls with multiple connections use a router per connection?
  – The organization running the firewall does not trust the external organizations completely
  – Although the external connections share a single common network, no datagram from one external connection may pass to another

Page 23

Monitoring and Logging

• A network manager needs to know if attempts have been made to bypass the security of a firewall
  – Active monitoring: the manager is notified when an incident occurs
    • Quick and timely, but produces much information
  – Passive monitoring: the firewall logs a record of incidents in a file on disk
    • Trends can be shown
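Both monitoring styles over the same firewall log, as an added example that is not from the slides: the passive pass summarises blocked attempts per source after the fact, the active pass raises an alert the moment one source accumulates a threshold of blocks inside a short window, and suppresses repeats for that source so the "much information" problem of active monitoring is kept in check. The log lines and their syslog-like format are constructed for the example; a real firewall's format differs and the parser would be adapted to it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (assumed format: time router action proto src -> dst).
LOG_TEXT = """\
2024-05-01T10:00:01 R2 BLOCK tcp 203.0.113.9:51000 -> 128.5.1.20:23
2024-05-01T10:00:02 R2 BLOCK tcp 203.0.113.9:51001 -> 128.5.1.20:21
2024-05-01T10:00:03 R2 PERMIT tcp 198.51.100.4:4433 -> 128.5.0.2:25
2024-05-01T10:00:04 R2 BLOCK tcp 203.0.113.9:51002 -> 128.5.1.21:23
2024-05-01T10:00:05 R2 BLOCK tcp 203.0.113.9:51003 -> 128.5.1.22:23
2024-05-01T10:00:06 R2 BLOCK udp 203.0.113.9:51004 -> 128.5.1.23:69
2024-05-01T10:30:00 R2 BLOCK tcp 192.0.2.77:6000 -> 128.5.1.20:79
"""
LOG_LINES = LOG_TEXT.strip().splitlines()

def parse(line):
    """Split one log line into its fields."""
    ts, router, action, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "router": router, "action": action,
            "proto": proto, "src": sip, "dst": dip, "dport": int(dport)}

def passive_report(lines):
    """Passive monitoring: read the file later and count blocked attempts per source,
    the raw material for a trend view."""
    counts = defaultdict(int)
    for line in lines:
        e = parse(line)
        if e["action"] == "BLOCK":
            counts[e["src"]] += 1
    return dict(counts)

def active_alerts(lines, threshold=4, window=timedelta(seconds=10)):
    """Active monitoring: process events as they arrive and notify as soon as one
    source reaches `threshold` blocks within `window`; one alert per source."""
    recent = defaultdict(deque)      # source -> timestamps of its recent blocks
    alerted = set()
    alerts = []
    for line in lines:
        e = parse(line)
        if e["action"] != "BLOCK":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop blocks that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append((e["ts"], e["src"], len(q)))
    return alerts

if __name__ == "__main__":
    print("blocked per source:", passive_report(LOG_LINES))
    for ts, src, n in active_alerts(LOG_LINES):
        print("ALERT %s: %s blocked %d times in 10 s" % (ts.isoformat(), src, n))
```

The single block from 192.0.2.77 never reaches the threshold and stays a log entry only; it is the passive report, read over a longer period, that would show whether that source keeps coming back.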

Page 24

Summary

• IPsec offers 2 schemes:
  – Authentication of datagrams
    • an authentication header is inserted between the IP and TCP headers
  – Authentication plus privacy
    • an ESP header and trailer are added, and the data is encrypted
• Firewalls control internet access
  – Firewalls consist of two barriers and a bastion host at each external connection
  – Barriers use packet filters to restrict traffic