* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Completeness
Survey
Document related concepts
Server Message Block wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Wireless security wikipedia , lookup
Computer network wikipedia , lookup
Parallel port wikipedia , lookup
Network tap wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Airborne Networking wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Deep packet inspection wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Zero-configuration networking wikipedia , lookup
TCP congestion control wikipedia , lookup
Internet protocol suite wikipedia , lookup
Transcript
Firewall Ge Zhang Karlstad University A typical network topology • Threats example – Back door – Port scanning –… Karlstad University Karlstad University What is Firewall? A single checking point that reacts traffic to and from a network (pass, discard, block, log) • Design goals – All traffic from inside to outside and vice versa must pass through the firewall Internet Karlstad University Services by a firewall • • • • Service control Direction control User Control (internal network) Behavior control (the firewall needs to know the application protocol) • Logging flow information • Hidden internal topology Karlstad University Capabilities and limitations • Capabilities – – – – Prevent unauthorized traffics Monitoring security-related events The platform for Network address translator (NAT) The platform for IPSec tunnel mode (VPN) • Limitations – Attacks the bypass the firewall (over other channels) – Internal threats (internal employees cooperate with external attackers) – Transferring virus-infected programs Karlstad University The working flow of a Firewall if {condition_1} then {action_1} else if{condition_2} then {action_2} else if{condition_3} then {action_3} else if{condition_4} then {action_4} … else if{condition_n} then {action_n} How to define the conditions? Karlstad University Layered TCP/IP model Karlstad University Types of firewalls • Packet-Filtering router • Application-level gateway • Circuit-level gateway Karlstad University Packet-Filtering router (1) Security perimeter External network Internal network TCP/UDP headers IP headers • Packet-Filtering Firewall – Applies a set of rules – Decides forwarding or discarding the packet – Only examine the header, do not “see inside” a packet Karlstad University Packet-Filtering router (2) source destination protocol dest. port action Ane_home Ane_work any any Allow any SIP proxy Tcp, udp 5060, 5061 Allow any Mail server Tcp, udp 25 Allow any Web server tcp 80, 8080 Allow any any any any Deny source destination protocol dest. port action mal1 any any any Deny mal2 any any any Deny mal1 any any any Deny mal3 any any any Deny any any any any Allow Karlstad University Requirements on rule set design • Consistency: The rules are ordered correctly • Completeness: every packet satisfies at least one rule in the firewall • Compactness: firewall has no redundant rules Karlstad University An example Internet 0 Web Server 1 Malicious Host Interface source destination protocol dest. port action 0 any Web server tcp 80 Allow 0 any Web server any any Deny 0 malicious any any any Deny 1 host any any any Allow 1 any any any any Allow 0 Not malicious Karlstad University host any any ???? Consistency error Compactness error Completeness error Improvement Internet 0 1 Malicious Web Server Host Interface source destination protocol dest. port action 0 malicious any any any Deny 0 any Web server tcp 80 Allow 0 any Web server any any Deny 0 any any any any Allow 1 any any any any Allow Karlstad University Efficiency of rule set source destination protocol dest. port action 192.163.0.1 any tcp 80, 8080 Deny 192.163.0.2 any tcp 80, 8080 Deny 192.163.0.3 any tcp 80, 8080 Deny 10.1.1.2 any tcp 80, 8080 Allow 10.1.1.3 any tcp 80, 8080 Allow source destination protocol dest. port action 192.163.0.* any tcp 80,8080 Deny 10.1.1.* any tcp 80,8080 Allow Karlstad University Stateful PF • For TCP connections – Server ports are mostly fixed (<1024) – Client ports are dynamically used ( from 1024 to 65535) • Stateful: tightens up the rules for TCP traffic by creating a directory of outbound TCP connections src Src port des Des port state 192.168.1.100 1030 210.9.88.29 80 established 192.168.1.102 3331 216.32.1.122 25 established Karlstad University Pro and cons in PF • Pro: – Simple, high efficient – Transparent to users • Con: – – – – Karlstad University Does not work with application-specific vulnerabilities Limited log information No user authentication Difficulty to configure rulesets Attacks on a PF • IP address spoofing: (use spoofed IP address which can be trusted) • Fragment attacks – Tiny fragment – Overlapping fragment Karlstad University IP fragment • A firewall only inspects the first fragmented one. Sender intermediaries IP h. recipient Karlstad University IP h. TCP/UDP h. data IP h. IP h. TCP/UDP h. IP h. data Tiny fragment attack Sender IP h. TCP/UDP h. data Not enough information intermediaries IP h. recipient Karlstad University IP h. IP h. IP h. TCP/UDP h. data Overlapping fragment Sender IP h. Offset 0 intermediaries TCP/UDP h. Offset 20 IP h. data Offset 16 IP h. IP h. Offset 16 recipient IP h. TCP/UDP h. Rewrite the overlapped part Karlstad University data Application-level Gateway (mainly for inbound requests) Outside host SIP HTTP Inside host FTP Outside host • Have more checking parameters (user names, message format, client software version, etc) • Only deal with allowable applications • More useful log information • Con: high processing overhead Karlstad University Circuit level gateway (mainly for outbound requests) • • • • Based on connections instead of packets Similar to stateful PF Perform authentication Implementations: Socks server out in out in out Outside host Karlstad University in Inside host Bastion Host • A secure version of its operating system • A platform for an application-level gateway or circuit-level gateway • Only support allowed applications • Only support a subset of the standard applications • Needs additional authentication Karlstad University Demilitarized Zone (DMZ) • Demilitarized zone is a subnet that contains and exposes an organization's public services to an external network • DNS, web server, VoIP server • Internal network, work stations Karlstad University Setup Firewalls in a network • Screened host firewall (single-homes bastion) Bastion host Work station External network PF Work stationWork station Information server (web, DNS...) Karlstad University • Sceened host firewall (dual-homed bastion host) Bastion host Work station External network PF Work stationWork station Information server (web, DNS...) Karlstad University • Screened subnet firewall Bastion host External network Internal network PF Information server (web, DNS...) Karlstad University PF Practical experiences on firewall itself • Stealth rule: drop any packet from outside to the firewall • Insecure firewall management: drop packets to the firewall over insecure protocols (telnet, ftp, x11) • Limited management machines: firewalls should be managed from a small number of machines Karlstad University High-throughput firewall (1) • Application Specific Integrated Circuit (ASIC) • e.g., netscreen 100 (100Mbps firewall) Karlstad University High-throughput firewall (2) • Load balance Firewall 1 Firewall 2 Internal router ... Firewall n Karlstad University External router Key points • Types of firewall • Pros and cons of the three types • Ruleset of PF (consistency, completeness, compactness, efficiency) • Stateful PF • Attack on PF • Bastion host • DMZ • Setup firewalls in a network Karlstad University