An Introduction to Internet Firewalls
Dr. Rocky K. C. Chang
12 April 2007
1. Components of a firewall: Packet filtering
- A firewall today uses a combination of packet filtering and proxy services.
- Screening router: It performs packet filtering based on the source and destination addresses, types of packets, TCP/UDP ports, etc. For example,
  - it blocks all incoming connections except for incoming SMTP connections, or
  - it blocks all connections to and from certain systems you distrust.
- The principle of default deny stance is usually employed for packet filtering: That which is not expressly permitted is prohibited.
Rocky K. C. Chang
1.1 Components of a firewall: Proxies
- With an intermediate proxy, a TCP connection is broken into two and the proxy is responsible for splicing them.
- A UDP association, similarly, consists of two separate UDP associations.

[Figure: one TCP connection split into two TCP connections, one on each side of the proxy]
1.1 Components of a firewall: Proxies
- Transport-level proxies: Proxies that do not understand particular application protocols, e.g., SOCKS.
  - For example, a SOCKS proxy only allows users inside the firewall to open TCP connections, and refuses to accept connection requests from outside.
- Application-level proxies: Proxies that understand particular application protocols, e.g., telnet, ftp, http proxies.
  - For example, an FTP proxy may refuse to let users export files, or may allow users to import files only from certain sites.
- The proxies are usually run on a bastion host, which is a highly secured system.
1.2 Stateful inspection by Checkpoint
- Unlike application proxies, stateful inspection does not break a TCP connection or a UDP association.
- Unlike transport-level proxies, stateful inspection understands application protocols.
- Stateful inspection, however, is not a proxy technology: it intercepts packets at the network layer and then the INSPECT engine takes over.
  - The engine extracts "state-related information" required for the security decision from all application layers.
  - It maintains this information in dynamic state tables for evaluating subsequent connection attempts.
  - For example, establishing an FTP back connection.
2. Screened host firewall architecture
- This architecture consists of a separate bastion host and a screening router.
- For the incoming connectivity, the packet filter is set up in such a way that the bastion host is the only system on the internal network that hosts outside can communicate with.
- For the outgoing connectivity,
  - the packet filter permits the bastion host to open allowable connections to the outside world.
  - For other internal hosts, the packet filter may allow them to open connections to outside for certain services or disallow all connections from internal hosts (forcing them to use proxy services via the bastion host).
- The zone of risk is restricted to the screening router and the bastion host.
2. Screened host firewall architecture
[Figure: a screening filter (router) in front of the internal network, which contains the bastion host and the other hosts]
3. Screened subnet firewall architecture
- This architecture adds an extra layer of security to the screened host architecture by adding a perimeter network.
  - A perimeter network, sometimes called a DeMilitarized Zone (DMZ), lies between an external network and a protected network.
  - By isolating the bastion host on a perimeter network, the impact of a break-in on the bastion host is significantly reduced.
- A simple design is to have a single perimeter network with two screening routers (exterior and interior).
  - It is also possible to create a layered series of perimeter nets. Less trusted and more vulnerable services are placed on the outer perimeter nets.
3. Screened subnet firewall architecture
- The interior router does most of the packet filtering.
  - It allows selected services outbound from the internal net to the Internet.
  - The services between the bastion host and internal hosts may also be limited to services that are actually needed, e.g., SMTP and DNS, and limited to certain hosts, e.g., SMTP mail servers.
- The exterior router may block any incoming packets that have forged source addresses.
- Other variations:
  - Use different bastion hosts for different services.
  - Merge the interior router and the exterior router.
3. Screened subnet firewall architecture
[Figure: exterior router, perimeter network holding the bastion host, interior router, internal network with its hosts]
4. Packet filtering
- A screening router parses the headers of incoming packets and then applies rules from a simple rule base to determine whether to route or drop the packet.
  - The filtering rules are generally expressed as a table of conditions and actions that are applied in a certain order until a decision is reached.
- For example, consider a network that employs a policy to allow all incoming packets destined to its mail server 172.16.6.1, except for those from a malicious IP address 200.10.1.1.
A packet filtering example
[Figure: Internet -- interface 0 -- Firewall -- interface 1 -- Internal network]

Rule  Intf  Source Addr.  Dest. Addr.  Dest Port  Prot.  Action
A     0     Any           172.16.6.1   25         TCP    Permit
B     0     200.10.1.1    Any          Any        Any    Deny
C     1     Any           Any          Any        Any    Permit
D     Any   Any           Any          Any        Any    Permit

- Rule A: Permit all incoming SMTP packets destined to the mail server.
- Rule B: Deny incoming packets from the malicious IP address.
- Rule C: Permit any outgoing packets.
- Rule D: Permit any incoming or outgoing packets.
A consistency problem
- Rules A and B are in conflict:
  - A malicious packet matches both rules A and B, but the two rules have different decisions.
  - In other words, the decision for a malicious packet is rule-order dependent.
- A rule cannot be understood by its literal meaning.
  - Rule B should be "discard all non-SMTP packets originated from 200.10.1.1."
- Swap rules A and B.
A completeness problem
- The set of rules should ensure that all possible packets are considered, i.e., matched to at least one rule.
- Rule D says that non-SMTP packets from all, except the known malicious IP, are allowed to reach the mail server.
- Two new rules are added after rule A.

Rule  Intf  Source Addr.  Dest. Addr.  Dest Port  Prot.  Action
A     0     Any           172.16.6.1   25         TCP    Permit
A'    0     Any           172.16.6.1   25         Any    Deny
A''   0     Any           172.16.6.1   Any        TCP    Deny
B     0     200.10.1.1    Any          Any        Any    Deny
A compactness problem
- A rule in a firewall is redundant iff removing the rule does not change the firewall's function.
  - That is, it does not change the decision of the firewall for every packet.
- A firewall is compact iff it does not have redundant rules.
- Rule C is redundant:
  - Rules C and D have the same decision if a packet does not match rules A and B.
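The three properties above can be checked mechanically. The following is an added example (not code from the slides or from Gouda and Liu): a first-match evaluator for the SMTP rule base, with exhaustive checks for the order dependence of rules A and B, for completeness, and for the redundancy of rule C.

```python
# Added example, not from the slides: first-match evaluation of the SMTP
# rule base, with exhaustive checks for the consistency (order dependence
# of rules A and B), completeness and compactness (redundancy of rule C)
# problems discussed on the preceding slides.
from itertools import product

ANY = "Any"
# (name, intf, src addr, dest addr, dest port, prot, action), as in the table
RULES = [
    ("A", 0, ANY, "172.16.6.1", 25, "TCP", "Permit"),
    ("B", 0, "200.10.1.1", ANY, ANY, ANY, "Deny"),
    ("C", 1, ANY, ANY, ANY, ANY, "Permit"),
    ("D", ANY, ANY, ANY, ANY, ANY, "Permit"),
]

def matches(rule, pkt):
    # A field matches when the rule says Any or the two values are equal.
    return all(r == ANY or r == p for r, p in zip(rule[1:6], pkt))

def decide(rules, pkt):
    # First matching rule wins; None means no rule matched at all.
    for rule in rules:
        if matches(rule, pkt):
            return rule[0], rule[6]
    return None

def action(rules, pkt):
    d = decide(rules, pkt)
    return d[1] if d else None

# Each field takes either a value named in some rule or "other"; enumerating
# these classes covers every packet the rule base can distinguish, so the
# checks below are exhaustive rather than sampled.
CLASSES = list(product([0, 1], ["200.10.1.1", "other"], ["172.16.6.1", "other"],
                       [25, "other"], ["TCP", "other"]))

def unmatched(rules):
    # Completeness: packet classes that fall off the end of the rule base.
    return [p for p in CLASSES if decide(rules, p) is None]

def order_dependent(rules, r1, r2):
    # Consistency: packet classes whose decision changes when r1 and r2 swap.
    swapped = list(rules)
    i, j = [k for k, r in enumerate(rules) if r[0] in (r1, r2)]
    swapped[i], swapped[j] = swapped[j], swapped[i]
    return [p for p in CLASSES if action(rules, p) != action(swapped, p)]

def redundant(rules, name):
    # Compactness: a rule is redundant iff removing it changes no decision.
    without = [r for r in rules if r[0] != name]
    return all(action(rules, p) == action(without, p) for p in CLASSES)
```

`order_dependent(RULES, "A", "B")` returns exactly the SMTP packet from 200.10.1.1 to the mail server, and `redundant(RULES, "C")` is true while removing D leaves packet classes unmatched.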
4.3 Dynamic packet filtering
- Compared with TCP, it is much more difficult to filter UDP packets.
  - There is no state information to rely on for keeping track of the connection's status.
- However, some firewalls modify filtering rules on the fly.
  - The firewalls remember outgoing UDP packets that they have seen, and then allow only the corresponding response packets back in through the filtering mechanism.
  - Those rules modified on the fly are time-limited; they time out after a few seconds or minutes.
4.3 Dynamic packet filtering
[Figure: a client inside the firewall sends a UDP packet (Src IP 140.22.10.1, Src port UDP 1640, Dest IP 150.16.5.9, Dest port UDP 7) to a server outside the firewall; the firewall remembers the source and destination IP addresses and ports. The reply (Src IP 150.16.5.9, Src port UDP 7, Dest IP 140.22.10.1, Dest port UDP 1640) is let in. A packet from the same server with Dest port UDP 1700 matches no remembered entry, so the firewall drops the packet.]
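The state table behind the figure, as an added example (not code from the slides): a UDP filter that remembers outgoing datagrams, admits only matching replies, and expires entries. The 30-second timeout and the clock values are assumed.

```python
# Added example, not from the slides: a dynamic packet filter for UDP as
# described above. It remembers the addresses and ports of outgoing
# datagrams, admits only the matching replies, and times entries out.
# The 30-second timeout and the clock values are assumed.

class DynamicUdpFilter:
    def __init__(self, timeout=30.0):
        self.timeout = timeout
        # (src ip, src port, dst ip, dst port) of an outgoing datagram -> expiry
        self.state = {}

    def _expire(self, now):
        # Rules created on the fly are time-limited: drop expired entries.
        self.state = {k: t for k, t in self.state.items() if t > now}

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # Outgoing UDP is allowed and its 4-tuple is remembered.
        self._expire(now)
        self.state[(src_ip, src_port, dst_ip, dst_port)] = now + self.timeout
        return "pass"

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # An incoming datagram passes only if it reverses a remembered tuple.
        self._expire(now)
        key = (dst_ip, dst_port, src_ip, src_port)
        if key not in self.state:
            return "drop"
        self.state[key] = now + self.timeout  # refresh the timer on a reply
        return "pass"

def replay_figure():
    # The exchange from the figure above: request, valid reply, reply to the
    # wrong port, and a late reply after the entry has timed out.
    fw = DynamicUdpFilter(timeout=30.0)
    return [
        fw.outbound("140.22.10.1", 1640, "150.16.5.9", 7, now=0.0),
        fw.inbound("150.16.5.9", 7, "140.22.10.1", 1640, now=1.0),
        fw.inbound("150.16.5.9", 7, "140.22.10.1", 1700, now=1.5),
        fw.inbound("150.16.5.9", 7, "140.22.10.1", 1640, now=60.0),
    ]
```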
5. SOCKS: A generic proxy
- SOCKS is a session/transport layer proxy, providing a generic mechanism for IP to traverse a firewall.
  - SOCKS provides relay services for UDP and TCP traffic with network and port translation.
  - SOCKS usually allows only TCP connections and UDP packet transmissions initiated from inside.
  - SOCKS provides a single platform integrating other security mechanisms, e.g., user-level authentication (from user password to IPSec), encryption methods, key management systems, etc.
- A TCP/UDP data connection is initiated by a SOCKS server to the remote server on behalf of the actual client.
5.1 Socksified clients
- A client needs to be "socksified" in order to use the proxy service.
  - Socksification of a client creates a thin SOCKS layer between the application and transport layers.
  - A proxy client resides in that layer to communicate with a proxy server.
- There are two ways to socksify a client:
  - The first one requires compiling and relinking the applications.
  - The second is to perform dynamic library linking.
- A socksified client intercepts a socket call and, if the local policy allows it, redirects the call to the proxy server.
5.2 SOCKS' transport model
- The SOCKS protocol exchange between a server and a client consists of two phases: proxy establishment and data relay.
  - In the first phase, user authentication and other option negotiation are performed in the control channel.
  - In the second phase, the data packets are relayed between the SOCKS client and SOCKS server.
- SOCKS supports both TCP and UDP data transmissions.
  - SOCKS uses an in-band transport model for TCP data.
  - SOCKS uses an out-of-band transport model for UDP data.
5.2 SOCKS' transport model
[Figure: Local Application Client -> local socket -> SOCKS Client -> SOCKS Server internal socket (port 1080) -> TCP relay or UDP relay -> external relay socket -> remote socket -> Remote Application Server. For TCP, one SOCKS TCP connection carries both control and data relay (in-band); for UDP, the SOCKS TCP connection carries control only and the UDP data connection, encapsulated in SOCKS, runs separately (out-of-band).]
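The two phases and the two transport models above, as an added example (not code from the slides): the control-channel request, a server-side policy check for the "initiated from inside" rule, and the header that wraps each relayed UDP datagram. The wire formats are those of RFC 1928 (SOCKS Protocol Version 5), which the slides do not cite; the internal network passed to the policy check is an assumption.

```python
# Added example, not from the slides: SOCKS5 control request, policy check
# and UDP encapsulation, using the message formats of RFC 1928.
import ipaddress
import struct

VER, ATYP_IPV4 = 5, 1
CONNECT, BIND, UDP_ASSOCIATE = 1, 2, 3            # request commands
REP_OK, REP_NOT_ALLOWED = 0, 2                    # reply codes

def request(cmd, dst_ip, dst_port):
    # Phase 1, control channel: VER CMD RSV ATYP DST.ADDR DST.PORT (IPv4 only)
    return struct.pack("!BBBB4sH", VER, cmd, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port)

def parse_request(data):
    # Returns (cmd, dst_ip, dst_port); a request that is not a well-formed
    # SOCKS5 IPv4 request is rejected rather than guessed at.
    if len(data) != 10 or data[0] != VER or data[2] != 0 or data[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 IPv4 request")
    ip = str(ipaddress.IPv4Address(data[4:8]))
    return data[1], ip, struct.unpack("!H", data[8:])[0]

def server_decision(client_ip, data, internal_net):
    # Policy from the slides: relay only TCP connections and UDP associations
    # initiated from inside. BIND (an incoming connection) is refused.
    # internal_net is an assumed parameter of this example.
    cmd, _dst_ip, _dst_port = parse_request(data)
    if cmd not in (CONNECT, UDP_ASSOCIATE):
        return REP_NOT_ALLOWED
    if ipaddress.IPv4Address(client_ip) not in ipaddress.IPv4Network(internal_net):
        return REP_NOT_ALLOWED
    return REP_OK

def udp_encapsulate(dst_ip, dst_port, payload):
    # Phase 2, out-of-band UDP relay: RSV(2) FRAG ATYP DST.ADDR DST.PORT DATA
    return struct.pack("!HBB4sH", 0, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port) + payload

def udp_decapsulate(datagram):
    # Inverse of udp_encapsulate; fragmentation (FRAG != 0) is not handled here.
    if len(datagram) < 10 or datagram[:2] != b"\x00\x00" or datagram[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 UDP header")
    if datagram[2] != 0:
        raise ValueError("fragmented datagram not supported in this example")
    ip = str(ipaddress.IPv4Address(datagram[4:8]))
    return ip, struct.unpack("!H", datagram[8:10])[0], datagram[10:]
```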
Acknowledgements
- The slides on the firewalls are based on
  E. Zwicky, S. Cooper, and D. Chapman, Building Internet Firewalls, Second Edition, O'Reilly & Associates, Inc., 2000.
- The SMTP filtering example is based on
  M. Gouda and A. Liu, "Firewall design: Consistency, Completeness, and Compactness," Proc. IEEE ICDCS, 2004.