ECE-6612  http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland  [email protected]  404 894-5177  fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Chapter 10a - Firewalls
3/10/2013

Computer System Evolution (slide 2)

Central Data Processing System:
  - with directly attached peripherals (card reader, magnetic tapes, line printer).
Local Area Networks:
  - connect PCs (in "terminal emulation" mode), remote terminals (next building) and mini-computers.
Premises Network:
  - connects LANs and LAN-attached devices to each other.
Enterprise-wide Network:
  - leased data lines (T1, DS-3) connect various offices.
Internet Connectivity:
  - initially for email, now for Web access, ecommerce, music and video downloads, social networking, tele-commuting, Web and video conferencing, distance learning, ... .
Makes the world accessible, but now the world also has access to you.

Connectivity Provided by the Georgia Backbone Network (slide 3)

[Network diagram. Outside users (Schools, Libraries, Kiosks, Citizens, Contractors, City & County Governments) reach the State WWW Gateway and the State Internet Gateway through firewalls. Behind them sit the Agency Gateway & Web Server, Other Agencies, an Agency Server and a Non-Agency State Server; an Agency Virtual Private Network (private virtual connection) links the LANs at Agency Offices across Georgia.]

Agency Firewall -- Protects Agency Subnets from Unwanted Connections (slide 4)

[Diagram: Subnet 1 and Subnet 2 sit behind a gateway, which connects across the WAN to a second gateway.]

Firewalls (and many routers) can reject:
  • Packets with certain source and destination addresses
  • Packets with certain high-level protocols (UDP, Telnet)
Proxy Servers - for specific applications
  • Email messages assembled and inspected, then passed to the internal email server machine.
Prevent Cyber Loafing - using the Internet for fun and personal business (not very effective).

Where a Router-Firewall Acts (slide 5)

[Protocol-stack diagram: a Browser and a Web Server, each with Application Layer (HTTP; port 80 on one end, port 31337 on the other), Transport Layer (TCP, UDP; segment number), Network Layer (IP; addresses 130.207.22.5 and 24.88.15.22) and Ethernet or Token Ring data-link and physical layers. Between them a Router-Firewall carries Network, Data Link and Physical layers for both Ethernet and Token Ring.]
Router-Firewall can drop packets based on source or destination IP address and/or port.

Transport- or Application-Layer Gateway (slide 6)

[Protocol-stack diagram: two end-host processes (Application Layer: HTTP, FTP, TELNET, SMTP; Transport Layer: TCP, UDP; Network Layer: IP; Ethernet or Token Ring data-link and physical layers) connected through a middle box labelled "Transport or App.-Layer Gateway, or Proxy", which terminates connections with its own Transport and Network layers and has both Ethernet and Token Ring link layers.]

Policy and Firewall Setting (slide 7)

  Policy                                                        | Firewall Setting
  No outside Web access.                                        | Drop all outgoing packets to any IP, Port 80.
  Outside connections to Public Web Server only.                | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
  Prevent Web-Radios from eating up the available bandwidth.    | Drop all incoming UDP packets - except DNS and Router Broadcasts.
  Prevent your network from being used for a Smurf DoS attack.  | Drop all ICMP packets going to a "broadcast" address (130.207.255.255 or 130.207.0.0).
  Prevent your network from being tracerouted or Ping scanned.  | Drop all incoming ICMP, UDP, or TCP echo-request packets; drop all packets with TTL < 5.

Firewall Attacks and Firewall Defenses (slide 8)

  Firewall Attack                 | Firewall Defense
  IP Internal-Address Spoofing    | Drop all incoming packets with a local source address.
  Source Routing (External Spoof) | Drop all IP packets with the Source-Routing option.
  Tiny Fragment Attacks           | Drop all incoming packet fragments with small size.
  2nd-Fragment Probes             | Assemble IP fragments (hard work), or at least *.
  SYN-ACK Probes                  | Be "Stateful" - keep track of TCP outgoing SYN packets (start of all TCP connections).
  Internal Outbound Hacking       | Drop all outgoing packets which do not have an "internal" source IP address.

* Fragments after the first one have no transport header (no way to tell if it is TCP, UDP, ICMP, ..., or determine port numbers). The firewall must at least keep a temporary list of approved IP ID-Numbers based on the first-fragment decision.

Firewalls Inside the Network (slide 9)

A Network Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments.

Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall.

Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with "filter" capabilities). Protect the Finance Department from the Engineering Department. [Problem: the internal network runs at a much higher bit rate, so firewalls are more expensive.]

Solution 2 - implement host-based firewalls to limit access except on certain TCP/UDP ports from specific hosts or subnets. Must be centrally managed to be economical.

Solution 3 - use an Intrusion Detection System that divides the network into zones and reports unauthorized cross-zone connections.
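The slide-7 policies and slide-8 defenses expressed as one ordered, first-match rule set, as an added example (not the lecture's own code). The campus prefix 130.207.0.0/16, the public Web server 130.207.244.203 and the broadcast addresses come from the slides; packets are constructed dicts, and treating "router broadcasts" as RIP on UDP port 520 is an assumption.

```python
from ipaddress import ip_address, ip_network

SITE = ip_network("130.207.0.0/16")          # the slides' campus prefix
PUBLIC_WEB = ip_address("130.207.244.203")   # only host allowed to receive outside SYNs
BROADCAST = {ip_address("130.207.255.255"), ip_address("130.207.0.0")}
DNS, RIP = 53, 520                            # RIP on UDP 520 stands in for "router broadcasts" (assumption)
ICMP_ECHO_REQUEST = 8

def filter_packet(pkt):
    """Apply the slide-7 policies and slide-8 defenses to one packet dict.
    Rules are checked top to bottom, first match wins; returns (verdict, reason)."""
    inbound = pkt["direction"] == "in"
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    proto, flags = pkt["proto"], pkt.get("flags", set())
    # Slide 8: spoofing defenses first, since a forged source invalidates every later check.
    if pkt.get("src_route"):
        return "DROP", "source-routing option set"
    if inbound and src in SITE:
        return "DROP", "incoming packet claims an internal source address"
    if not inbound and src not in SITE:
        return "DROP", "outgoing packet without an internal source address"
    # Slide 8: a fragment too small to carry a transport header cannot be inspected.
    if inbound and pkt.get("fragment") and pkt.get("frag_len", 0) < 64:
        return "DROP", "tiny fragment"
    # Slide 7: traceroute and ping-scan defenses.
    if inbound and pkt["ttl"] < 5:
        return "DROP", "TTL < 5"
    if inbound and proto == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        return "DROP", "incoming echo-request"
    # Slide 7: Smurf amplification defense (either direction).
    if proto == "icmp" and dst in BROADCAST:
        return "DROP", "ICMP to broadcast address"
    # Slide 7: no outside Web access; outside connections only to the public Web server.
    if not inbound and proto == "tcp" and pkt["dport"] == 80:
        return "DROP", "outgoing Web access"
    if inbound and proto == "tcp" and flags == {"SYN"} and (dst != PUBLIC_WEB or pkt["dport"] != 80):
        return "DROP", "incoming SYN to a non-public server"
    # Slide 7: incoming UDP only for DNS and router broadcasts (Web radios use other ports).
    if inbound and proto == "udp" and pkt["dport"] not in (DNS, RIP):
        return "DROP", "incoming UDP that is not DNS or a router broadcast"
    return "ACCEPT", "no rule matched"

def packet(direction, src, dst, proto, dport=0, flags=(), ttl=64, **extra):
    """Build a constructed packet dict (sample input, not captured traffic)."""
    return dict(direction=direction, src=src, dst=dst, proto=proto, dport=dport,
                flags=set(flags), ttl=ttl, **extra)

if __name__ == "__main__":
    print(filter_packet(packet("out", "130.207.22.5", "24.88.15.22", "tcp", 80, ["SYN"])))
    print(filter_packet(packet("in", "24.88.15.22", "130.207.244.203", "tcp", 80, ["SYN"])))
```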
Stateful Firewall (slide 10)

  Local PC (ip1)  <->  External Host (ip2)
  TCP SYN (ip1 -> ip2)                                 establishes "state" (ip1, ip2, tcp, 33489, 80)
  TCP SYN-ACK or RESET or related ICMP (ip2 -> ip1)    matches the established "state" (ip1, ip2, tcp, 33489, 80)
  TCP ACKs (either direction)                          match the established "state" (ip1, ip2, tcp, 33489, 80)
  TCP or UDP or ICMP                                   not part of an established "state"

iptables (slide 11)

    # iptables -L -n
    Chain INPUT (policy DROP)
    target     prot opt source              destination
    ACCEPT     tcp  --  143.218.132.0/25    0.0.0.0/0
    ACCEPT     tcp  --  130.207.225.0/24    0.0.0.0/0
    ACCEPT     all  --  79.76.0.0/16        0.0.0.0/0
    ACCEPT     tcp  --  130.207.152.119     0.0.0.0/0
    ACCEPT     tcp  --  143.215.151.0/24    0.0.0.0/0
    ACCEPT     udp  --  64.192.0.0/10       0.0.0.0/0
    ACCEPT     tcp  --  69.59.0.0/16        0.0.0.0/0
    ACCEPT     tcp  --  24.0.0.0/8          0.0.0.0/0
    DROP       all  --  0.0.0.0/0           0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source              destination
    DROP       all  --  anywhere            anywhere

    Chain OUTPUT (policy DROP)
    target     prot opt source              destination
    ACCEPT     icmp --  anywhere            10.0.0.0/24
    ACCEPT     icmp --  anywhere            anywhere            state RELATED,ESTABLISHED

Five of the six tcp ACCEPT rules in the INPUT chain also carry the match "tcp dpt:22".

A "-n" option speeds up iptables because it stops reverse lookups. Also beneficial for "route", "netstat", ... .

Uncomplicated Firewall (UFW) for Ubuntu (LINUX) (slide 12)

    $ ufw status numbered
    Status: active
         To                         Action      From
         --                         ------      ----
    [ 1] 8822/tcp                   ALLOW IN    130.207.150.144
    [ 2] Anywhere                   ALLOW IN    143.215.138.0/25
    [ 3] 8822/tcp                   ALLOW IN    130.207.225.103
    [ 4] 8822/tcp                   ALLOW IN    78.88.0.0/16
    [ 5] 8822/tcp                   ALLOW IN    80.55.0.0/16
    [ 6] Anywhere                   DENY IN     Anywhere
    $ ufw insert 1 allow proto tcp from 130.207.0.0/16 to any port 8822
    Rule Inserted
    $ ufw activate        (changes iptables configuration)

NAT - Network Address Translation (slide 13)

Local Web client accessing an external Web server. LAN hosts behind the Router 24.88.48.47 with NAT: 192.168.0.10 (Web Server, port 80), 192.168.0.20 (Web Client), 192.168.0.30 (FTP Server, port 21), 192.168.0.40. External Web Server 130.27.8.35.
  1. Web Client sends:      To 130.27.8.35:80 from 192.168.0.20:x
  2. Router rewrites to:    To 130.27.8.35:80 from 24.88.48.47:y
  3. Web Server replies:    To 24.88.48.47:y from 130.27.8.35:80
  4. Router rewrites to:    To 192.168.0.20:x from 130.27.8.35:80
x & y are high-number ephemeral client ports. Simple NATs use x=y.

External FTP client accessing a local FTP server (slide 14)

Router Forwarding Table: Port 80 -> .10, Port 21 -> .30. External FTP Client 130.27.8.35.
  1. FTP Client sends:      To 24.88.48.47:21 from 130.27.8.35:x
  2. Router forwards as:    To 192.168.0.30:21 from 130.27.8.35:y
  3. FTP Server replies:    To 130.27.8.35:y from 192.168.0.20:21
  4. Router rewrites to:    To 130.27.8.35:x from 24.88.48.47:21

Home Routers (slide 16)

Home Routers allow incoming connections based on server port.
New Home Routers also allow port translation (e.g., 2222 -> 22).

Combined Firewalls and IDS (slide 17)

(see also: IBM Proventia - www.iss.net)

Protocol Anomaly Detection (slide 18)

WatchGuard Transparent Application-layer proxies examine entire connection data streams, identifying protocol anomalies and discarding harmful or questionable information. In addition, WatchGuard firewalls perform:
  * Packet Handling - prevents packets from entering the network until they are reassembled and examined.
  * Packet Reassembly - reassembles packet fragments to prevent fragment-overlap attacks such as Teardrop and other Layer 3 protocol-anomaly-based attacks.

Signature Element Analysis
Rather than using signatures that precisely identify specific attacks, WatchGuard systems look at what any attack of a certain type (e.g., e-mail) must do to succeed (e.g., auto-execute an attachment). With rule sets, you can choose to allow or deny traffic, or even deny all traffic from a source for a specific period. In addition to rigorous rule sets, the firewall processes policy-based configurations, and management subsystems perform state and content analysis. These processes protect against entire known and unknown attack classes, and can narrow the vulnerability window without making you wait for updated attack-specific signatures.
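A stateful NAPT router that ties slides 10, 13, 14 and 16 together, as an added example (not the lecture's own code): an outbound packet creates state and is rewritten to the router's address, a reply is admitted only if it matches that state, and the forwarding table admits server ports, including a translated one (2222 -> 22). Addresses are the slides' (router 24.88.48.47, LAN 192.168.0.0/24, outside host 130.27.8.35); the packet tuples are constructed, and the ephemeral-port counter and the simple-mode behaviour are assumptions.

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Stateful NAPT: outbound traffic creates state; inbound traffic is rewritten only
    when it matches that state or a forwarded server port; everything else is dropped."""

    def __init__(self, public_ip, lan, forwards, simple=False):
        self.public_ip = public_ip
        self.lan = ip_network(lan)
        self.forwards = forwards      # external port -> (internal host, internal port), slides 14/16
        self.simple = simple          # "simple NATs use x=y": keep the client's port (may collide)
        self.state = {}               # (lan_ip, lan_port, rem_ip, rem_port) -> public port y
        self.reverse = {}             # (y, rem_ip, rem_port) -> (lan_ip, lan_port)
        self.next_port = 40000        # assumed ephemeral range for y when not in simple mode

    def outbound(self, src, sport, dst, dport):
        """LAN -> Internet (slide 13 steps 1-2): returns the rewritten (src, sport, dst, dport),
        or None when the packet lacks an internal source address (slide 8 defense)."""
        if ip_address(src) not in self.lan:
            return None
        key = (src, sport, dst, dport)
        if key not in self.state:                       # first packet: create the state entry
            y = sport if self.simple else self.next_port
            self.next_port += 1
            self.state[key] = y
            self.reverse[(y, dst, dport)] = (src, sport)
        return (self.public_ip, self.state[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> LAN (slide 13 steps 3-4, slide 14 steps 1-2): returns the rewritten
        tuple, or None for packets that are neither a reply to existing state nor a forwarded port."""
        if dst != self.public_ip:
            return None
        hit = self.reverse.get((dport, src, sport))     # reply to an outbound connection (slide 10)
        if hit is None and dport in self.forwards:
            # Forwarded server port: record state so the server's reply (slide 14 step 3)
            # leaves with the router's address and the advertised port, not a fresh y.
            hit = self.forwards[dport]
            self.state[(hit[0], hit[1], src, sport)] = dport
            self.reverse[(dport, src, sport)] = hit
        if hit is None:
            return None                                 # unsolicited: not part of any state
        return (src, sport, hit[0], hit[1])

if __name__ == "__main__":
    r = NatRouter("24.88.48.47", "192.168.0.0/24",
                  {80: ("192.168.0.10", 80), 21: ("192.168.0.30", 21), 2222: ("192.168.0.10", 22)})
    print(r.outbound("192.168.0.20", 33489, "130.27.8.35", 80))   # slide 13 step 2
    print(r.inbound("130.27.8.35", 80, "24.88.48.47", 40000))     # slide 13 step 4
    print(r.inbound("130.27.8.35", 51000, "24.88.48.47", 2222))   # slide 16: 2222 -> .10:22
    print(r.inbound("130.27.8.35", 51001, "24.88.48.47", 8080))   # unsolicited: None
```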
Behavior-Based Analysis
Although behavior-based intrusion detection is a relatively new technology, WatchGuard has mechanisms in place within the firewall to identify known attack behaviors, such as:
  * Port scans and probes
  * Spoofing
  * SYN flood attacks
  * DoS and DDoS attacks
  * The misuse of IP options such as source routing
(from www.watchguard.com)

Flow-Based Monitoring (slide 19)

Network Operations
  * Resolve network performance issues in minutes
  * Provides enterprise network visibility down to user level
  * Troubleshoots network incidents at 1/3 the time of point solutions
  * Analyzes NetFlow / sFlow to facilitate capacity planning and traffic engineering

Network Security
  * Detects attacks that bypass signature-based, perimeter defenses
  * Leverages flow data, including packet capture, to reduce security risks by 90%
  * Enforces policies and assures compliance with agent-free user identity tracking
  * Delivers scalable, robust security and risk management
(from www.lancope.com; also see http://users.ece.gatech.edu/~copeland/jac/lancope/index.html)