January 2007 Prof. Reuven Aviv: Firewalls 2
Outline
• What and where are firewalls
• Goals of a firewall
• Types of Firewalls
– Packet Filter
– Application Level (Proxy Server) Gateway
What and where are Firewalls?
[Figure: the firewall sits between the trusted networks (the Intranet and its trusted users) and the untrusted networks and servers reached through the router and the Internet (untrusted users). A DMZ attached to the firewall holds the publicly accessible servers and networks.]
Goals??
Firewall Goals
• The firewall is inserted between the premises network and the Internet
• Goals:
– Protect the premises network from Internet-based attacks
– Establish an access control gate
Name types of traffic that are passed or blocked by the firewall
Access Control gate
[Figure: the firewall as an access control gate between the Internet and the DMZ net with its web server pool; the figure marks the gate with ALERT!! ALERT!! ALERT!!]
How do we protect the firewall itself?
Access Control Functions
• Service control: types of traffic to permit / deny, and in which direction
• User control: which user may reach which service
– E.g. denied websites
• Application behavior control
– Only filtered email can come in
Types of Firewalls
• Two common types of firewalls that we consider in this course
– Packet-filtering
– Application-level gateways
Packet Filtering Firewalls
• Apply rules to each incoming / outgoing IP packet and then forward or discard the packet
• Rules are based on fields in the IP or TCP header
– IP addresses, port numbers, flags
• Two possible default policies (discard or forward)
Packet Filter at the TCP/IP Level
[Figure: two end hosts with the full stack (Applications, Transport, Network, DataLink, Physical) communicate through a Router/Firewall that implements only the Network, DataLink and Physical layers: the packet filter works at the network level.]
Give examples of rules
TCP/IP packet
[Figure: layout of a TCP/IP packet inside a data link frame.]
Data Link Layer Header
IP Header: Version, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time To Live, Protocol, Header Checksum; Source Address; Destination Address; Options + Padding
TCP Header: Source Port, Destination Port; Sequence Number; Acknowledgement Number; Offset/Reserved, flags U A P R S F, Window; Checksum, Urgent Pointer; Options + Padding
Data
Data Link Layer Trailer
(IP header, TCP header and data together form the IP datagram.)
Basic Filtering Rules

Action   Internal                 Port   External     Port   Comment
Block    *                        *      134.72.5.1   *      Not trusted external host
Allow    Our mail server address  25     *            25     Mail transport allowed
Block    *                        *      *            *      Default: deny everything
Allow    *                        *      *            80     Allow HTTP connections to external web servers
Filtering Rules: direction, flags

Action   Src        Port   Dest       Port    Flag   Comment
Allow    Internal   *      External   25             Outgoing SMTP
Allow    *          25     *          *       ACK    SMTP ACK from outside
Allow    Internal   *      External   *              Allow all outgoing connections
Allow    External   *      Internal   *       ACK    ACK for outgoing connections
Allow    *          *      *          >1024          Traffic to non-standard servers (dangerous)
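To see why the last rule is marked dangerous, the rule set above can be evaluated first-match against sample packets. This is an added example, not code from the slides; it assumes the premises network is 10.0.0.0/8 and the addresses and ports are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed premises network

def side(addr):
    """Classify an address as Internal or External relative to the firewall."""
    return "Internal" if ipaddress.ip_address(addr) in INTERNAL else "External"

def port_matches(spec, port):
    """Port column: '*' (any), an exact port, or a bound such as '>1024'."""
    if spec == "*":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec

# (action, src, src port, dest, dest port, flag, comment): the slide's rules, in order
RULES = [
    ("allow", "Internal", "*", "External", 25,      None,  "outgoing SMTP"),
    ("allow", "*",        25,  "*",        "*",     "ACK", "SMTP ACK from outside"),
    ("allow", "Internal", "*", "External", "*",     None,  "all outgoing connections"),
    ("allow", "External", "*", "Internal", "*",     "ACK", "ACK for outgoing connections"),
    ("allow", "*",        "*", "*",        ">1024", None,  "non-standard servers (dangerous)"),
]
DEFAULT = ("block", "default: deny everything")

def filter_packet(src, sport, dst, dport, ack):
    """First-match evaluation: the first rule whose columns all match decides."""
    for action, rsrc, rsport, rdst, rdport, flag, comment in RULES:
        if rsrc != "*" and rsrc != side(src):
            continue
        if rdst != "*" and rdst != side(dst):
            continue
        if not (port_matches(rsport, sport) and port_matches(rdport, dport)):
            continue
        if flag == "ACK" and not ack:
            continue
        return action, comment
    return DEFAULT
```

An inbound packet from external port 25 to an internal port above 1024 without the ACK bit, i.e. a new connection attempt, is passed by the ">1024" rule although no rule was meant to admit it.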
Session Filtering
[Figure: as in the packet-filter figure, but the Router/Firewall also implements the Transport and Applications layers and keeps Dynamic State Tables.]
Dynamic State Tables:
• Screen ALL attempts, protect all applications
• Extract & maintain ‘state’ information
• Make an intelligent security / traffic decision
Controlling Telnet traffic via firewall
[Figure: an internal Telnet client (port 1234) connects to an external Telnet server (port 23). The client opens the TCP connection and tells the server its port number (“PORT 1234”); the ACK bit is not set in this packet. The server sends an acknowledgement (“ACK”).]
Rule: Allow Telnet from 172.168.10.11 to any external server (port 23), and the reverse ACK traffic.

access-list 100 permit tcp host 172.168.10.11 gt 1023 any eq 23
! Allows packets to (External) Telnet servers
access-list 101 permit tcp any eq 23 host 172.168.10.11 established
! Allows packets (back) from (External) Telnet Server. It verifies that the ACK bit is set
interface Ethernet 0
access-list 100 out ! Apply 1st rule to outgoing traffic
access-list 101 in ! Apply 2nd rule to incoming traffic
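The `established` check above admits any packet from port 23 to the client that carries the ACK bit, whether or not the client ever opened a connection. The session-filtering approach from the previous slide keeps a dynamic state table instead. Added example, not code from the slides: a toy state table beside the stateless ACK check, with constructed external addresses.

```python
INTERNAL_HOST = "172.168.10.11"   # the slide's internal Telnet client

class SessionFilter:
    """Keeps a dynamic state table keyed by the connection 4-tuple."""
    def __init__(self):
        self.table = {}   # (int_ip, int_port, ext_ip, ext_port) -> state

    def outbound(self, src, sport, dst, dport, syn=False, fin=False):
        """Internal -> external: an outgoing SYN opens a table entry."""
        key = (src, sport, dst, dport)
        if syn:
            self.table[key] = "SYN_SENT"
        elif fin and key in self.table:
            self.table[key] = "CLOSING"
        return "permit"

    def inbound(self, src, sport, dst, dport, ack=False):
        """External -> internal: permit only packets of a known session."""
        key = (dst, dport, src, sport)
        state = self.table.get(key)
        if state is None or not ack:
            return "deny"
        if state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        return "permit"

def stateless_established(src, sport, dst, dport, ack=False):
    """The access-list 101 check: any ACK packet from port 23 to the host."""
    return "permit" if (sport == 23 and dst == INTERNAL_HOST and ack) else "deny"

def compare(fw, src, sport, dst, dport, ack):
    """Decision of each filter on the same inbound packet."""
    return {"stateless": stateless_established(src, sport, dst, dport, ack),
            "stateful": fw.inbound(src, sport, dst, dport, ack)}
```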
Router Rule Format

access-list <rule number> <permit|deny> <protocol>
    <SOURCE: host IP address | any | IP address and mask> [<gt|eq port number>]
    <DEST: host IP address | any | IP address and mask> [<gt|eq port number>]
FTP “active mode” scenario
[Figure: an external FTP client (command port 5150, data port 5151) and an internal FTP server (command port 21, data port 20).]
Client opens the command channel and tells the server its second port number (“PORT 5151”). Server acks (“OK”). Server opens the data channel to the client’s second port. Client acknowledges (TCP ACK).
Example FTP – Packet Filter

access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 21
access-list 100 permit tcp any gt 1023 host 172.168.10.12 eq 20
! Allows packets from any (External) client to the (Internal) FTP control and data ports
access-list 101 permit tcp host 172.168.10.12 eq 21 any gt 1023
access-list 101 permit tcp host 172.168.10.12 eq 20 any gt 1023
! Allows the (Internal) FTP server to send packets back to any (External) IP address with TCP ports > 1023
interface Ethernet 0
access-list 100 in ! Apply the first rule to incoming traffic
access-list 101 out ! Apply the second rule to outgoing traffic
FTP “passive mode” scenario
[Figure: an FTP client (command port 5150, data port 5151) and an internal FTP server (command port 21, data port 20, passive data port 3267).]
Client opens the command channel and requests passive mode (“PASV”). Server tells the client its port number (“OK 3267”). Client opens the data channel to the server’s second port (3267). Server acknowledges (TCP ACK).
Packet Filtering Firewalls
• Advantages:
– Simplicity
– Transparency to users
– High speed
• Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of authentication
Packet Filtering Firewall: Attacks
• IP address spoofing
• Fragmentation Attacks
Anti Spoofing Policy: do not allow outgoing traffic with a false sender address
[Figure: an Internet Service Provider router with interfaces E1, E2, E3 and E4, connected to the customer networks 130.207.5.0, 130.207.3.0 and 130.207.4.0.]
Allowed outgoing traffic:
• E1: only from 130.207.4.0/24
• E2: only from 130.207.3.0/24
• E3: only from 130.207.5.0/24
ISP: allow outgoing data only with legal addresses
Fragmentation
Basic Fragmentation Attack
[Figure: an external Telnet client (port 1234) and an internal Telnet server (port 23). The firewall allows OUT only packets with the SYN bit set and IN only data packets with the ACK bit set; after the opening SYN packet (no ACK), all following packets have the ACK bit set.]
The client sends two fragments, FRAG1 and FRAG2, each with the ACK bit set. The server re-assembles them: the fragments overlap, and the full datagram has the SYN bit set!
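The filter in the figure decides on the first fragment alone, so it never sees the flags the server reconstructs. Added example, not code from the slides: the first-fragment check beside a filter that requires a full TCP header in fragment 1 and rejects overlapping or gapped fragments before deciding; fragments are constructed dicts with offsets in bytes (multiples of 8, as in IP).

```python
TCP_HEADER_LEN = 20         # minimum TCP header; the flags byte is byte 13
SYN, ACK = 0x02, 0x10

def make_tcp_header(flags):
    """Constructed minimal TCP header (ports/seq zero) with the given flags."""
    hdr = bytearray(TCP_HEADER_LEN)
    hdr[12] = 0x50          # data offset = 5 words
    hdr[13] = flags
    return bytes(hdr)

def flags_of(tcp_bytes):
    return tcp_bytes[13]

def first_fragment_filter(frags):
    """Stateless check on fragment 1 only: permit if ACK set and SYN clear."""
    head = frags[0]["payload"]
    if len(head) <= 13:     # flags not in this fragment: nothing to match on
        return "permit"
    fl = flags_of(head)
    return "permit" if (fl & ACK) and not (fl & SYN) else "deny"

def reassemble(frags):
    """Join fragments in order; reject any overlap or gap."""
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < len(buf):
            raise ValueError("overlapping fragment")
        if f["offset"] > len(buf):
            raise ValueError("gap between fragments")
        buf += f["payload"]
    return bytes(buf)

def reassembling_filter(frags):
    """Require a full TCP header in fragment 1, then check the reassembled flags."""
    if len(frags[0]["payload"]) < TCP_HEADER_LEN:
        return "deny"       # tiny first fragment
    try:
        fl = flags_of(reassemble(frags))
    except ValueError:
        return "deny"       # overlap or gap: drop rather than guess
    return "permit" if (fl & ACK) and not (fl & SYN) else "deny"

# Constructed sample matching the slide: FRAG1 is a clean ACK header, FRAG2
# claims offset 8 and rewrites bytes 8..19 with SYN set in the flags byte.
OVERLAPPING = [
    {"offset": 0, "payload": make_tcp_header(ACK)},
    {"offset": 8, "payload": make_tcp_header(SYN)[8:]},
]
```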
General Fragmentation Attack
• Instead of fragmenting the TCP header:
– Fragment the data portion of the packet, or ICMP
– Attack applications in clients
• Clients – not all do bounds checking
– Oversized reassembled packets on the client may be too large and cause a buffer overflow
• Remedy: Application Level Firewall
Application Level (Proxy) Gateway
• Acts as a relay of application-level traffic via a single TCP connection
• Knows the application protocol
– Rules are tailored to expected and unexpected behavior of application traffic
• Can stop / deny according to its rules
Advantages / Disadvantages?
Application Level Gateway
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)