Chapter 20: Firewalls
Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides.
Fall 2004 CS 395: Computer Security

Outline
• Firewall Design Principles
  – Firewall Characteristics
  – Types of Firewalls
  – Firewall Configurations
• Trusted Systems
  – Data Access Control
  – The Concept of Trusted Systems
  – Trojan Horse Defense

Firewalls
• Effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet
• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features for all workstations and servers are not established

Why?
• Systems provide many services by default
  – Many workstations provide remote access to files and configuration databases (for ease of management and file sharing)
  – Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn’t
    • E.g. missing bounds check in input parsers
  – Also, users sometimes forget to close temporary holes
    • E.g. leaving the file system remotely mountable for file sharing

Why?
• Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don’t
• Which services?
  – Finger
  – telnet: requires authentication, but the password is sent in the clear
  – rlogin: similar to telnet, but uses IP address based authentication (Bad!)
  – ftp: Tricky because there are two connections, the control channel from the sender and the data connection from the receiver (passive ftp has both originated by the sender)
  – X Windows
  – ICMP

Firewall Design Principles
• The firewall is inserted between the premises network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the premises network from Internet-based attacks
  – Provide a single choke point

Firewall Characteristics
• Design goals:
  – All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
  – Only authorized traffic (defined by the local security policy) will be allowed to pass
  – The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

Firewall Characteristics
• Four general techniques:
• Service control
  – Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
  – Determines the direction in which particular service requests are allowed to flow
• User control
  – Controls access to a service according to which user is attempting to access it
• Behavior control
  – Controls how particular services are used (e.g. filter e-mail)

Firewall Limitations
• Cannot protect against attacks that bypass the firewall
  – E.g. an internal modem pool
• Firewall does not protect against internal threats
• Firewall cannot protect against transfer of virus-infected programs
  – Too many different apps and operating systems are supported to make it practical to scan all incoming files for viruses

Types of Firewalls
• Three common types of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host)

Types of Firewalls
• Packet-filtering Router
[Figure: packet-filtering router]

Types of Firewalls
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)

Types of Firewalls
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication
    • Who really sent the packet?

Firewalls – Packet Filters
[Figure: packet filters]

Firewalls – Packet Filters
• Can be clever:
  – Allow connections initiated from the inside network to the outside, but not connections initiated from outside.
    • Traffic flows both ways, but if the firewall only allows incoming packets with ACK set in the TCP header, this manages the issue.
    • Problem: some apps require the outside node to initiate a connection with the inside node (e.g. ftp, X Windows), even if the original request was initiated by the inside node.
    • Solution (sort of): allow packets from outside if they are connecting to a high port number.

Stateful Packet Filter
• Changes filtering rules dynamically (by remembering what has happened in the recent past)
• Example: A connection is initiated from inside node s to outside IP address d. For a short time, allow incoming connections from d to the appropriate ports (i.e. the ftp port).
• In practice, much more caution
  – The stateful filter notices the incoming port requested by s and only allows connections from d to that port. Requires parsing ftp control packets

Types of Firewalls
• Possible attacks and appropriate countermeasures
  – IP address spoofing
    • Discard packets with an inside source address if they arrive on the external interface
  – Source routing attacks
    • Discard all source-routed packets
  – Tiny fragment attacks
    • Intruder uses the IP fragmentation option to create extremely small IP packets that force TCP header information into separate packet fragments
    • Discard all packets where the protocol type is TCP and the IP fragment offset is small

Types of Firewalls
• Application-level Gateway
[Figure: application-level gateway]

Types of Firewalls
• Application-level Gateway
  – Also called a proxy server
  – Acts as a relay of application-level traffic
  – Can act as a router, but is typically placed between two packet-filtering firewalls (for a total of three boxes)
    • The two firewalls are routers that refuse to forward anything from the global net that is not addressed to the gateway, and anything to the global net that is not from the gateway.
  – Sometimes called a bastion host (we use the term differently)

Types of Firewalls
• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (gateway as splice point)

Types of Firewalls
• Circuit-level Gateway
[Figure: circuit-level gateway]

Types of Firewalls
• Circuit-level Gateway
  – Stand-alone system, or
  – Specialized function performed by an Application-level Gateway
  – Sets up two TCP connections
  – The gateway typically relays TCP segments from one connection to the other without examining the contents
  – The security function consists of determining which connections will be allowed
  – Typical use is a situation in which the system administrator trusts the internal users
  – An example is the SOCKS package

Types of Firewalls
• Bastion Host
  – A system identified by the firewall administrator as a critical strong point in the network’s security
  – The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations

Firewall Configurations
• Screened host firewall system (single-homed bastion host)
[Figure: screened host firewall, single-homed bastion host]

Firewall Configurations
• Screened host firewall, single-homed bastion configuration
• The firewall consists of two systems:
  – A packet-filtering router
  – A bastion host
• Configuration for the packet-filtering router:
  – Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
• Greater security than single-system configurations because:
  – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
  – An intruder must generally penetrate two separate systems
• This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

Firewall Configurations
• Screened host firewall system (dual-homed bastion host)
[Figure: screened host firewall, dual-homed bastion host]

Firewall Configurations
• Screened host firewall, dual-homed bastion configuration
  – If the packet-filtering router is completely compromised, you’re still OK
  – Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Firewall Configurations
• Screened-subnet firewall system
[Figure: screened-subnet firewall]

Firewall Configurations
• Screened subnet firewall configuration
  – Most secure configuration of the three
  – Two packet-filtering routers are used
  – Creation of an isolated sub-network
• Advantages:
  – Three levels of defense to thwart intruders
  – The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
  – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
    • Reduces the “chewyness” of the inside

Why Firewalls Don’t Work
• Assume all bad guys are on the outside, and everyone inside can be trusted.
• Firewalls can be defeated if malicious code can be injected into the corporate network
  – E.g. trick someone into launching an executable from an email message or into downloading something from the net.
• Often make it difficult for legitimate users to get their work done.
  – Misconfiguration, failure to recognize a new app
• If the firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic
  – E.g. file transfer by sending it through email. If the size of emails is limited, then the user breaks them into chunks, etc.
  – Firewall-friendly traffic (e.g. using http for other purposes)
    • Defeats the sysadmin’s effort to control traffic
    • Less efficient than not using http

Trusted Systems
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Data Access Control
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
• General models of access control:
  – Access matrix
  – Access control list
  – Capability list

Data Access Control
• Access Matrix
[Figure: access matrix]
• Access Matrix: Basic elements of the model
  – Subject: An entity capable of accessing objects; the concept of subject equates with that of process
  – Object: Anything to which access is controlled (e.g. files, programs)
  – Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)

Data Access Control
• Access Control List: Decomposition of the matrix by columns
[Figure: access control lists]
  – An access control list lists users and their permitted access rights
  – The list may contain a default or public entry

Data Access Control
• Capability list: Decomposition of the matrix by rows
[Figure: capability lists]
  – A capability ticket specifies authorized objects and operations for a user
  – Each user has a number of tickets

The Concept of Trusted Systems
• Trusted Systems
  – Protection of data and resources on the basis of levels of security (e.g. military)
  – Users can be granted clearances to access certain categories of data
• Multilevel security
  – Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
  – No read up: A subject can only read an object of less or equal security level (Simple Security Property)
  – No write down: A subject can only write into an object of greater or equal security level (*-Property)

The Concept of Trusted Systems
• Reference Monitor Concept: Multilevel security for a data processing system
[Figure: reference monitor]

The Concept of Trusted Systems
• Reference Monitor
  – Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
  – The monitor has access to a file (security kernel database)
  – The monitor enforces the security rules (no read up, no write down)
• Properties of the Reference Monitor
  – Complete mediation: Security rules are enforced on every access
  – Isolation: The reference monitor and database are protected from unauthorized modification
  – Verifiability: The reference monitor’s correctness must be provable (mathematically)
• A system that can provide such verifications (properties) is referred to as a trusted system

Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
[Figure: Trojan horse attack and defense]

Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O’Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997
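The packet-filter rules from the packet-filter and stateful-filter slides (inbound TCP only with ACK set, the stateful exception for FTP data connections learned by parsing the control channel, and the anti-spoofing, source-routing and tiny-fragment countermeasures), as an added example that is not part of the original slides; the inside address prefix, the fragment-offset threshold and all packet fields are constructed for illustration:

```python
from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."   # constructed: addresses with this prefix are "inside"
TINY_FRAG = 2            # constructed: a TCP fragment at offset 1 (8-byte units) cannot hold a full TCP header

@dataclass
class Packet:
    iface: str                  # "ext" or "int": interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False           # TCP ACK flag: set on every segment after the initial SYN
    frag_offset: int = 0        # IP fragment offset; nonzero means a non-first fragment
    source_routed: bool = False
    payload: str = ""

@dataclass
class StatefulFilter:
    # (outside_ip, inside_ip, inside_port) triples learned from FTP PORT commands
    expected: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if p.source_routed:
            return "drop: source routed"
        if p.iface == "ext" and p.src.startswith(INSIDE_NET):
            return "drop: inside address on external interface"
        if p.proto == "tcp" and 0 < p.frag_offset < TINY_FRAG:
            return "drop: tiny fragment"
        if p.iface == "int":
            self._learn_ftp_port(p)       # inside may initiate; remember active-mode FTP data ports
            return "forward"
        if p.proto == "tcp" and p.ack:
            return "forward"              # reply traffic of a connection opened from inside
        if (p.src, p.dst, p.dport) in self.expected:
            self.expected.discard((p.src, p.dst, p.dport))   # one-shot permit
            return "forward"
        return "drop: connection attempt from outside"

    def _learn_ftp_port(self, p: Packet) -> None:
        # Parse "PORT h1,h2,h3,h4,p1,p2" sent by the inside client on the control channel (port 21).
        if p.dport != 21 or not p.payload.startswith("PORT "):
            return
        try:
            nums = [int(x) for x in p.payload[5:].strip().split(",")]
        except ValueError:
            return
        if len(nums) == 6:
            ip = ".".join(map(str, nums[:4]))
            port = nums[4] * 256 + nums[5]
            self.expected.add((p.dst, ip, port))
```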
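The access-matrix decompositions (ACLs by column, capability tickets by row, with a default/public entry) and the reference monitor's no-read-up / no-write-down rules from the trusted-systems slides, as an added example that is not part of the original slides; the subjects, objects, rights and security levels are constructed:

```python
# Constructed security-kernel database: an access matrix (subject -> object -> rights)
# plus a clearance for each subject and a classification for each object.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read", "write"}},
    "bob":   {"payroll.db": {"read"}, "memo.txt": {"read", "write"}},
    "*":     {"bulletin": {"read"}},          # "*" is the default/public entry
}
SUBJECT_LEVEL = {"alice": "secret", "bob": "confidential"}
OBJECT_LEVEL = {"payroll.db": "secret", "memo.txt": "confidential", "bulletin": "unclassified"}

def access_control_lists(matrix):
    """Decompose by columns: object -> {subject: rights}."""
    acls = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subj] = set(rights)
    return acls

def capability_lists(matrix):
    """Decompose by rows: subject -> set of (object, right) tickets."""
    return {subj: {(obj, r) for obj, rights in row.items() for r in rights}
            for subj, row in matrix.items()}

def reference_monitor(subject, obj, right):
    """Complete mediation: every access is decided here, by the matrix and the multilevel rules."""
    acl = access_control_lists(MATRIX).get(obj, {})
    allowed = acl.get(subject, set()) | acl.get("*", set())   # explicit entry or public entry
    if right not in allowed:
        return False, "denied by ACL"
    s, o = LEVELS[SUBJECT_LEVEL[subject]], LEVELS[OBJECT_LEVEL[obj]]
    if right == "read" and s < o:
        return False, "no read up (simple security property)"
    if right == "write" and s > o:
        return False, "no write down (*-property)"
    return True, "granted"
```

The ACL alone would let bob read payroll.db and alice write memo.txt; the mandatory rules deny both, which is the point of layering the reference monitor over the discretionary matrix.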