Upload
arron-todd
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
Karlstad University
Firewall
Ge Zhang
Karlstad University
A typical network topology
• Threats example– Back door– Port scanning– …
Karlstad University
Karlstad University
What is Firewall?A single checking point that reacts traffic to and from a
network (pass, discard, block, log)• Design goals
– All traffic from inside to outside and vice versa must pass through the firewall
Internet
Karlstad University
Services by a firewall
• Service control • Direction control • User Control (internal network)• Behavior control (the firewall needs to know the
application protocol)• Logging flow information• Hidden internal topology
Karlstad University
Capabilities and limitations
• Capabilities– Prevent unauthorized traffics– Monitoring security-related events– The platform for Network address translator (NAT) – The platform for IPSec tunnel mode (VPN)
• Limitations– Attacks the bypass the firewall (over other channels)– Internal threats (internal employees cooperate with external
attackers)– Transferring virus-infected programs
Karlstad University
The working flow of a Firewall
if {condition_1} then {action_1}
else if{condition_2} then {action_2}
else if{condition_3} then {action_3}
else if{condition_4} then {action_4}
…
else if{condition_n} then {action_n}
How to define the conditions?
Karlstad University
Layered TCP/IP model
Karlstad University
Types of firewalls
• Packet-Filtering router• Application-level gateway• Circuit-level gateway
Karlstad University
Packet-Filtering router (1)
External network
Internal network
Security perimeter
IP headers
TCP/UDP headers
• Packet-Filtering Firewall– Applies a set of rules– Decides forwarding or discarding the packet– Only examine the header, do not “see inside” a packet
Karlstad University
Packet-Filtering router (2)source destination protocol dest. port action
Ane_home Ane_work any any Allow
any SIP proxy Tcp, udp 5060, 5061 Allow
any Mail server Tcp, udp 25 Allow
any Web server tcp 80, 8080 Allow
any any any any Deny
source destination protocol dest. port action
mal1 any any any Deny
mal2 any any any Deny
mal1 any any any Deny
mal3 any any any Deny
any any any any Allow
Karlstad University
Requirements on rule set design
• Consistency: The rules are ordered correctly• Completeness: every packet satisfies at least one
rule in the firewall• Compactness: firewall has no redundant rules
Karlstad University
An example
Interface source destination protocol dest. port action
0 any Web server tcp 80 Allow
0 any Web server any any Deny
0 malicious any any any Deny
1 host any any any Allow
1 any any any any Allow
Internet
Host
Web Server0 1
Malicious
Consistencyerror
Compactnesserror
0 Not malicious host any any ???? Completenesserror
Karlstad University
Improvement
Interface source destination protocol dest. port action
0 malicious any any any Deny
0 any Web server tcp 80 Allow
0 any Web server any any Deny
0 any any any any Allow
1 any any any any Allow
Internet
Host
Web Server0 1
Malicious
Karlstad University
Efficiency of rule setsource destination protocol dest. port action
192.163.0.1 any tcp 80, 8080 Deny
192.163.0.2 any tcp 80, 8080 Deny
192.163.0.3 any tcp 80, 8080 Deny
10.1.1.2 any tcp 80, 8080 Allow
10.1.1.3 any tcp 80, 8080 Allow
source destination protocol dest. port action
192.163.0.* any tcp 80,8080 Deny
10.1.1.* any tcp 80,8080 Allow
Karlstad University
Stateful PF• For TCP connections
– Server ports are mostly fixed (<1024)– Client ports are dynamically used ( from 1024 to 65535)
• Stateful: tightens up the rules for TCP traffic by creating a directory of outbound TCP connections
src Src port des Des port state
192.168.1.100 1030 210.9.88.29 80 established
192.168.1.102 3331 216.32.1.122 25 established
Karlstad University
Pro and cons in PF
• Pro: – Simple, high efficient – Transparent to users
• Con:– Does not work with application-specific vulnerabilities– Limited log information– No user authentication– Difficulty to configure rulesets
Karlstad University
Attacks on a PF
• IP address spoofing: (use spoofed IP address which can be trusted)
• Fragment attacks– Tiny fragment– Overlapping fragment
Karlstad University
IP fragment
• A firewall only inspects the first fragmented one.
IP h. TCP/UDP h. data
IP h. IP h. IP h.
IP h. TCP/UDP h. data
Sender
recipient
intermediaries
Karlstad University
Tiny fragment attack
IP h. TCP/UDP h. data
IP h. IP h. IP h.
IP h. TCP/UDP h. data
Sender
recipient
intermediaries
Not enough information
Karlstad University
Overlapping fragment
IP h. TCP/UDP h. data
IP h. IP h. IP h.
IP h. TCP/UDP h. data
Sender
recipient
intermediaries
Offset 20 Offset 16
Rewrite the overlapped part
Offset 0
Offset 16
Karlstad University
Application-level Gateway (mainly for inbound requests)
HTTP
SIP Inside hostOutside host
FTP
Outside host
• Have more checking parameters (user names, message format, client software version, etc)
• Only deal with allowable applications• More useful log information• Con: high processing overhead
Karlstad University
Circuit level gateway (mainly for outbound requests)
• Based on connections instead of packets• Similar to stateful PF• Perform authentication• Implementations: Socks server
Inside hostOutside host
out
out
out
in
in
in
Karlstad University
Bastion Host
• A secure version of its operating system• A platform for an application-level gateway or
circuit-level gateway• Only support allowed applications• Only support a subset of the standard applications• Needs additional authentication
Karlstad University
Demilitarized Zone (DMZ)
• Demilitarized zone is a subnet that contains and exposes an organization's public services to an external network
• DNS, web server, VoIP server
• Internal network, work stations
Karlstad University
Setup Firewalls in a network
• Screened host firewall (single-homes bastion)
External network
PF
Bastion host
Information server (web, DNS...)
Work station
Work stationWork station
Karlstad University
• Sceened host firewall (dual-homed bastion host)
External network
PF
Bastion host
Information server (web, DNS...)
Work station
Work stationWork station
Karlstad University
• Screened subnet firewall
External network
PF
Bastion host
Information server (web, DNS...)
PF
Internal network
Karlstad University
Practical experiences on firewall itself
• Stealth rule: drop any packet from outside to the firewall
• Insecure firewall management: drop packets to the firewall over insecure protocols (telnet, ftp, x11)
• Limited management machines: firewalls should be managed from a small number of machines
Karlstad University
High-throughput firewall (1)
• Application Specific Integrated Circuit (ASIC)• e.g., netscreen 100 (100Mbps firewall)
Karlstad University
High-throughput firewall (2)
• Load balance
Firewall 1
Internal router
Firewall 2
Firewall n
External router...
Karlstad University
Key points• Types of firewall • Pros and cons of the three types• Ruleset of PF (consistency, completeness, compactness,
efficiency)• Stateful PF• Attack on PF• Bastion host• DMZ• Setup firewalls in a network