Segurança Redes e Dados

Transcript:

Segurança Redes e Dados
FIREWALLS
2012/2013
Pedro Brandão, Manuel Eduardo Correia

Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown. Some slides from Mark Stamp, Information Security: Principles and Practice, 2nd edition (Wiley 2011).

Firewalls - pbrandao 1

Firewalls
(figure: Internet - Firewall - Internal network)
- The firewall must determine what to let in to the internal network and/or what to let out
- Access control for the network

Firewall as Secretary
- A firewall is like a secretary
- To meet with an executive, first contact the secretary
- The secretary decides if the meeting is important
- So, the secretary filters out many requests
- You want to meet the chair of the CS department? The secretary does some filtering
- You want to meet the PotPT? The secretary does lots of filtering

Firewalls and Intrusion Prevention Systems
- Effective means of protecting LANs
- Internet connectivity is essential for organizations and individuals, but creates a threat
- Could secure workstations and servers
- Also use a firewall as perimeter defence: a single choke point to impose security

Firewall Capabilities & Limits
(figure: Inside / Outside)
Capabilities:
- Defines a single choke point
- Provides a location for monitoring security events
- Convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
Limitations:
- Cannot protect against attacks bypassing the firewall
- May not protect fully against internal threats
- Improperly secured wireless LAN
- Laptop, PDA, portable storage device infected outside then used inside

Types of Firewalls

Packet Filtering Firewall
- Applies rules to packets in/out of the firewall, based on information in the packet header: src/dest IP address & port, IP protocol, interface
- Typically a list of rules matching on fields; if a rule matches, it says whether to forward or discard the packet
- Two default policies:
  - discard - prohibit unless expressly permitted: more conservative, controlled, visible to users
  - forward - permit unless expressly prohibited: easier to manage/use but less secure

Packet Filter
- Operates at the network layer
- Can filter based on: source IP address, destination IP address, source port, destination port, flag bits (SYN, ACK, etc.), egress or ingress

What's in a Packet: IPv4 packet
Ver (4) | IHL (4) | DSCP (6) | ECN (2) | Total Length (16)
Identification (16) | Flags (4) | Frag Offset (12)
TTL (8) | Protocol (8) | Header Checksum (16)
Source Address (32)
Destination Address (32)
Options | Padding
IHL - Internet Header Length; DSCP - Differentiated Services Code Point (Type of Service); ECN - Explicit Congestion Notification

Packet Filter Configured via Access Control Lists (ACLs)
Action | Source IP | Dest IP | Source Port | Dest Port | Protocol | Flag Bits
Allow  | Inside    | Outside | Any         | 80        | HTTP     | Any
Allow  | Outside   | Inside  | 80          | > 1023    | HTTP     | ACK
Deny   | All       | All     | All         | All       | All      | All
Q: Intention? A: Restrict traffic to Web browsing

Packet Filter Rules (figure)

Packet Filter Weaknesses
- Cannot prevent attacks on application bugs
- Limited logging functionality
- Does not support advanced user authentication
- Vulnerable to attacks on TCP/IP protocol bugs
- Improper configuration can lead to breaches
- Attacks: IP address spoofing, source route attacks, tiny fragment attacks

TCP ACK Scan
- Attacker scans for open ports through the firewall
- Port scanning is the first step in many attacks
- Attacker sends a packet with the ACK bit set, without a prior 3-way handshake; this violates the TCP/IP protocol
- The ACK packet passes through a packet filter firewall, since it appears to be part of an ongoing connection
- RST is sent by the recipient of such a packet

TCP ACK Scan (figure: Trudy sends ACK to dest ports 1207, 1208, 1209 through the packet filter into the internal network; RST comes back for port 1209)
- Attacker knows port 1209 is open through the firewall
- A stateful packet filter can prevent this, since the scans are not part of established connections

Stateful Packet Filter
- Reviews packet header information but also keeps information on TCP connections
- Typically a low, known port number for the server and a high, dynamically assigned client port number
- A simple packet filter must allow all return packets to high port numbers back in
- A stateful inspection packet firewall tightens the rules for TCP traffic using a directory of TCP connections
- Only allows incoming traffic to high-numbered ports for packets matching an entry in this directory
- May also track TCP sequence numbers as well

Stateful Packet Filter
- Advantages? Can do everything a packet filter can do, plus keep track of ongoing connections (so it prevents the TCP ACK scan)
- Disadvantages? Cannot see application data; slower than packet filtering
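The following Python model is an added example (not code from the slides) that applies the three-row ACL above to constructed packets, first as a plain packet filter and then with the directory of TCP connections the stateful slide describes, so the different verdicts on the same unsolicited ACK become visible. The Packet fields, the "inside"/"outside" labels and the port numbers are assumptions chosen to match the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields the ACL looks at; 'inside'/'outside' are the firewall sides (constructed)."""
    src_side: str
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK flag set


def rule_allow_web(p: Packet) -> bool:
    """ACL row 1: Allow Inside -> Outside, any source port, dest port 80, any flags."""
    return p.src_side == "inside" and p.dst_port == 80


def rule_allow_reply(p: Packet) -> bool:
    """ACL row 2: Allow Outside -> Inside, source port 80, dest port > 1023, ACK set."""
    return (p.src_side == "outside" and p.src_port == 80
            and p.dst_port > 1023 and p.ack)


def stateless_decision(p: Packet) -> str:
    """Plain packet filter: header fields only; ACL row 3 (Deny All) is the default."""
    if rule_allow_web(p) or rule_allow_reply(p):
        return "forward"
    return "discard"


class StatefulFilter:
    """Same ACL plus a directory of TCP connections opened from the inside."""

    def __init__(self) -> None:
        self.directory = set()   # entries are (client port, server port)

    def decide(self, p: Packet) -> str:
        if rule_allow_web(p):
            self.directory.add((p.src_port, p.dst_port))   # remember the outbound connection
            return "forward"
        # An inbound 'reply' is forwarded only if its high port has a directory entry.
        if rule_allow_reply(p) and (p.dst_port, p.src_port) in self.directory:
            return "forward"
        return "discard"


def ack_scan_outcome() -> dict:
    """Constructed scenario from the slides: the probe and the genuine reply are
    byte-for-byte the same packet; only the connection state tells them apart."""
    probe = Packet("outside", src_port=80, dst_port=1209, ack=True)
    request = Packet("inside", src_port=1209, dst_port=80)
    reply = Packet("outside", src_port=80, dst_port=1209, ack=True)
    stateful = StatefulFilter()
    return {
        "stateless_probe": stateless_decision(probe),   # forwarded: looks like a reply
        "stateful_probe": stateful.decide(probe),       # discarded: no directory entry yet
        "stateful_request": stateful.decide(request),   # forwarded and recorded
        "stateful_reply": stateful.decide(reply),       # forwarded: matches the entry
    }
```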

Application-Level Gateway
- Acts as a relay of application-level traffic
- The user contacts the gateway with the remote host name and authenticates
- The gateway contacts the application on the remote host and relays TCP segments between server and user
- Must have proxy code for each application; may restrict the application features supported
- More secure than packet filters, but with higher overheads

Application Proxy
- Advantages? Complete view of connections and application data; filters bad data at the application layer (viruses, Word macros)
- Disadvantages? Speed

Circuit-Level Gateway
- Sets up two TCP connections, to an inside user and to an outside host
- Relays TCP segments from one connection to the other without examining contents, hence independent of application logic
- Just determines whether the relay is permitted
- Typically used when inside users are trusted
- May use an application-level gateway inbound and a circuit-level gateway outbound, hence lower overheads

SOCKS Circuit-Level Gateway
- SOCKS v5 is defined in RFC 1928 to allow TCP/UDP applications to use a firewall
- Components: SOCKS server on the firewall; SOCKS client library on all internal hosts; SOCKS-ified client applications
- The client app contacts the SOCKS server, authenticates, and sends a relay request
- The server evaluates the request and establishes the relay connection
- UDP is handled with a parallel TCP control channel

Deep Packet Inspection
- Many buzzwords are used for firewalls; one example: deep packet inspection
- What could this mean? Look into packets, but don't really process the packets
- Effect like an application proxy, but faster

Deep Packet Inspection
- Uses information up to the application layer, including app data
- Can differentiate based on all information: prioritize, reroute, shape, drop, etc.
- Used by ISPs to: detect/mitigate security attacks (DoS, buffer overflows, viruses, etc.); throttle unwanted P2P (touches net neutrality)
- Hardware implemented; needs to run at line speed

Firewall Topologies

Firewalls and Defense in Depth
- Typical network security architecture (figure: Internet - Packet Filter - DMZ with Web server, FTP server, DNS server - Application Proxy - Intranet with additional defense)

Firewall Basing
- Several options for locating the firewall: bastion host; individual host-based firewall; personal firewall

Bastion Hosts
- Critical strongpoint in the network
- Hosts application/circuit-level gateways
- Common characteristics:
  - Runs a secure O/S, only essential services
  - May require user authentication to access the proxy or host
  - Each proxy can restrict the features and hosts accessed
  - Each proxy is small, simple, checked for security
  - Each proxy is independent, non-privileged
  - Limited disk use, hence read-only code

Host-Based Firewalls
- Used to secure an individual host
- Available in, or as an add-on for, many O/S
- Filter packet flows; often used on servers
- Advantages: tailored filter rules for specific host needs; protection from both internal and external attacks; additional layer of protection to the organization's firewall

Personal Firewall
- Controls traffic flow to/from a PC/workstation, for both home and corporate use
- May be a software module on the PC or in a home cable/DSL router/gateway
- Typically much less complex
- Primary role is to deny unauthorized access
- May also monitor outgoing traffic to detect/block worm/malware activity

Firewall Locations (figure)

Virtual Private Networks (figure)

Distributed Firewalls (figure)

Firewall Topologies
- Host-resident firewall
- Screening router
- Single bastion inline
- Single bastion T
- Double bastion inline
- Double bastion T
- Distributed firewall configuration

Firewall Topologies (figures): single bastion inline; single bastion T; double bastion inline; double bastion T

IPS - Intrusion Prevention Systems

Intrusion Prevention Systems (IPS)
- Addition to security products
- Inline network/host-based IDS that can block traffic
- Functional addition to a firewall that adds IDS capabilities
- Can block traffic like a firewall, using IDS algorithms
- May be network or host based

Host-Based IPS
- Identifies attacks using both:
  - Signature techniques: malicious application packets
  - Anomaly detection techniques: behavior patterns that indicate malware
- Can be tailored to the specific platform, e.g. general purpose, web/database server specific
- Can also sandbox applets to monitor behavior
- May give desktop file, registry, I/O protection

Network-Based IPS
- Inline NIDS that can discard packets or terminate TCP connections
- Uses signature and anomaly detection
- May provide flow data protection, monitoring full application flow content
- Can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
- cf. SNORT inline: can drop/modify packets

Unified Threat Management Products (figure)

Tools

Firewalk
- Tool to scan for open ports through a firewall
- The attacker knows the IP address of the firewall and the IP address of one system inside the firewall
- Sets the TTL to 1 more than the number of hops to the firewall, and sets the destination port to N
- If the firewall allows data on port N through, a time exceeded error message comes back; otherwise, no response

Firewalk and Proxy Firewall (figure: Trudy - Router - Router - Packet filter - Router; dest ports 12343, 12344, 12345 with TTL=4; Time exceeded)
- This will not work through an application proxy (why?)
- The proxy creates a new packet, destroying the old TTL

iptables: path of an IP packet through Netfilter (figure)
- PREROUTING: Mangle, NAT (Dst)
- ROUTE
- FORWARD: Mangle, Filter, Security
- POSTROUTING: Mangle, NAT (Src)
- INPUT: Mangle, Filter, Security -> Local Process
- OUTPUT: Mangle, NAT (Dst), Filter, Security -> ROUTE -> POSTROUTING

Tables contain chains
- Filter: INPUT, FORWARD, OUTPUT
- Nat: PREROUTING, OUTPUT, POSTROUTING
- Mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables (cont.)
- Add rules to tables, specifying the chains therein. When a packet matches a rule, its target is applied
- Targets vary according to the table. Examples:
  - Filter table: DROP, ACCEPT
  - NAT table: DNAT, SNAT, MASQUERADE, REDIRECT
- New chains may be created by the user and set as targets of rules

iptables (cont.) Example:
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
(-t nat selects the table, POSTROUTING is the chain, SNAT is the target)
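To make the table/chain/target relationship concrete, the following Python model is an added example (not the slides' or the Netfilter project's code): a filter INPUT chain that jumps into a user-defined chain, and a nat POSTROUTING chain carrying the slide's SNAT rule. Packets are plain dicts constructed here; the chain and target names are iptables' own, while the "web_in" chain and the packet field names are assumptions.

```python
# Terminal targets named on the slides (filter and nat tables); any other
# target name is treated as a user-defined chain to jump into.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "SNAT", "DNAT", "MASQUERADE", "REDIRECT"}
SNAT_TO = "1.2.3.4"   # address from the slide's example rule


class Table:
    """One iptables table: built-in chains with a default policy, plus user chains."""

    def __init__(self, policies):
        self.policies = dict(policies)                 # built-in chain -> ACCEPT/DROP
        self.chains = {name: [] for name in policies}  # chain -> list of (match, target)

    def new_chain(self, name):                         # like: iptables -t <table> -N <name>
        self.chains[name] = []

    def append(self, chain, match, target):            # like: iptables -t <table> -A <chain> ... -j <target>
        self.chains[chain].append((match, target))

    def traverse(self, chain, pkt):
        """First matching rule decides; an exhausted user chain falls back to its caller."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue
            if target == "RETURN":
                break
            if target in TERMINAL_TARGETS:
                return target
            verdict = self.traverse(target, pkt)       # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return self.policies.get(chain)                # None for a user chain: caller keeps walking


def build_tables():
    """Constructed rule set (hypothetical 'web_in' chain) plus the slide's SNAT rule:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4"""
    filt = Table({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    filt.new_chain("web_in")
    filt.append("INPUT", lambda p: p["proto"] == "tcp", "web_in")
    filt.append("web_in", lambda p: p["dport"] == 80, "ACCEPT")
    nat = Table({"PREROUTING": "ACCEPT", "OUTPUT": "ACCEPT", "POSTROUTING": "ACCEPT"})
    nat.append("POSTROUTING", lambda p: p["out_if"] == "eth0", "SNAT")
    return filt, nat


def input_verdict(pkt):
    """filter/INPUT verdict for a packet addressed to a local process."""
    filt, _ = build_tables()
    return filt.traverse("INPUT", pkt)


def postroute(pkt):
    """nat/POSTROUTING: rewrite the source address when the SNAT rule matches."""
    _, nat = build_tables()
    if nat.traverse("POSTROUTING", pkt) == "SNAT":
        return {**pkt, "src": SNAT_TO}
    return pkt
```

Real Netfilter consults the nat table only for the first packet of a connection and applies the result to the rest via connection tracking; this model applies the rule to every packet it is handed.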

Lab network (figure): Internet; Lab srd 192.168.201.0/24; student network (Rede alunos) 192.168.0.0/24; Grupo A 172.16.GA.0/24 with hosts 172.16.GA.1, 172.16.GA.11, 172.16.GA.12, 172.16.GA.13, 172.16.GA.14; Grupo X 172.16.GX.0/24

Summary
- Introduced the need for and purpose of firewalls
- Types of firewalls: packet filter, stateful inspection, application and circuit gateways
- Firewall hosting, locations, topologies
- Intrusion prevention systems