Proxy Servers, Firewalls, NAT

Firewalls, etc.
(Some of the slides in this file were adapted from Oppliger’s online slides at
http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)
Chapter 3
• Intro
• Various firewall technologies:
  – Static Packet Filtering
  – Dynamic Packet Filtering (or Stateful inspection)
  – Circuit-level gateways
  – Application-level gateways (aka. Proxy servers)
• Firewall configurations
• NAT
• Browser configurations
Web Security
2
Firewalls
• A firewall, in the real world, is built between buildings to prevent a fire started in one building from spreading to another
• A digital firewall serves a similar purpose, by preventing security breaches that occur in one zone from spreading to another zone
• In a way, firewalls can be considered as delimiters that together define the perimeter of a network
• A firewall prevents unwanted and/or unauthorized traffic from entering into or getting out of a given network (the ‘protected’ network)
• Also called ‘secure Internet gateways’ or ‘security gateways’
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ filtering router
• An internetwork router that selectively prevents the
passage of data packets according to a security policy.
  • A filtering router may be used as a firewall or part of a firewall.
  • A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy.
  • The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port
RFC2828 Internet Security Glossary (by R. Shirey, May 2000)
$ bastion host
• A strongly protected computer that is in a network
protected by a firewall (or is part of a firewall) and is the
only host (or one of only a few hosts) in the network
that can be directly accessed from networks on the
other side of the firewall.
  • Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall.
  • Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively.
  • However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.
Firewalls
• According to RFC2828 Internet Security Glossary (by R. Shirey, May 2000):
$ firewall
  - An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
  - A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.
Firewalls
  - A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers.
  - The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.
Firewalls
- a more precise definition
• According to Cheswick & Bellovin (1994)
• A firewall system is a collection of components placed between two networks that collectively have the following 3 properties:
  1. All traffic (inside out, or outside in) must pass through the firewall.
  2. Only authorized traffic (as defined by the local security policy) is allowed to pass. → firewall policy
  3. The firewall itself is immune to penetration.
Firewalls
- additional, stronger features
• A firewall is able to:
  1. enforce strong authentication for users who wish to establish inbound or outbound connections
  2. associate data streams that are allowed to pass through the firewall with previously authenticated and authorized users
• Use of application gateways is needed to support these higher-level features.
Compare Various Firewall Technologies

Types                 | Subtypes                         | OSI layers
----------------------|----------------------------------|--------------------------------------------
Packet filters        | Static; Dynamic                  | Network layer (or Internet layer in TCP/IP)
Application gateways  | Circuit-level; Application-level | Transport layer or higher
Static Packet Filtering
• Aka ‘screening routers’
• Stateless, meaning that each IP packet must be examined in isolation from what has happened in the past (and what may happen in the future), forcing the filter to make a decision to permit or deny each packet individually based on the packet-filtering rules
  → no concept of session
  → leads to problems when more than one connection is created in a protocol such as FTP
Dynamic Packet Filtering
• Aka stateful inspection
• A dynamic packet filter maintains state information about past IP packets to make more intelligent decisions about the legitimacy of present and future IP packets
• State information is stored in an internal database
• Subsequent packets belonging to the same association can pass quickly through the stateful inspection device
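To make the difference between the two packet-filtering slides concrete, here is an added example (not code from the slides) that runs the same three constructed packets through a stateless filter and a stateful one. The protected network 192.168.4.0/24, the web-only rule set and the TEST-NET addresses are assumptions; the stateful filter's "internal database" is simply a set of sessions opened from the inside.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example (not from the slides): the protected network is
# 192.168.4.0/24; outside addresses come from the TEST-NET documentation ranges.
INSIDE = ipaddress.ip_network("192.168.4.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


# Static (stateless) filter: every packet is judged on its own header fields.
# To let replies to outbound web requests back in, the classic stateless rule
# permits inbound packets from port 80 that carry the ACK flag. The filter has
# no way to know whether such a packet belongs to a session an inside host
# actually opened: that is the "no concept of session" point on the slide.
def static_filter(pkt: Packet) -> bool:
    if is_inside(pkt.src) and pkt.dport == 80:
        return True                       # outbound web request
    if is_inside(pkt.dst) and pkt.sport == 80 and pkt.ack:
        return True                       # looks like a reply, judged by flag only
    return False


# Dynamic (stateful) filter: the internal database is a table of sessions that
# inside hosts opened; an inbound packet passes only if it matches one of them.
class StatefulFilter:
    def __init__(self):
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True                   # new outbound session, record it
        if is_inside(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False


def demo():
    """Run the same three packets through both filters; returns the verdicts."""
    request = Packet("192.168.4.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.168.4.10", 40000, syn=True, ack=True)
    # Unsolicited inbound packet from port 80 with ACK set, aimed at an inside
    # host that opened nothing: no session exists for it.
    stray = Packet("203.0.113.9", 80, "192.168.4.20", 22, ack=True)
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in (request, reply, stray)],
        "stateful": [stateful.decide(p) for p in (request, reply, stray)],
    }


if __name__ == "__main__":
    print(demo())   # {'static': [True, True, True], 'stateful': [True, True, False]}
```

The stateless filter admits the stray packet because its header alone is indistinguishable from a reply; the stateful filter drops it because no inside host opened a session to that source. A real stateful device would also age entries out of the table and follow the TCP teardown, which is left out here.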
Circuit-level Gateways
• A proxy server for TCP or UDP (at the transport layer)
• Goal: To allow a TCP/IP application to traverse (i.e., securely use) a firewall
• Located and running on a firewall
• Relays TCP connections
• It does not interfere with the data stream → making it different from an application-level gateway
• Example: SOCKS (RFC1928 SOCKS Protocol Version 5. By M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, L. Jones. March 1996)
SOCKS
• The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library. → ‘socksified’ clients
• Procedure for TCP-based clients
  – When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080.
  – If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request.
  – The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.
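The three-step procedure above, as an added example that is not code from the slides or from any SOCKS implementation: both sides' messages are encoded and decoded the way RFC1928 lays them out (method negotiation, then the relay request and reply). The relay policy ALLOWED_DST_PORTS and the bound address 192.168.4.1:1080 in the reply are assumptions; the server decides and answers but does not actually open the destination connection.

```python
import socket
import struct

# RFC1928 field values used below
SOCKS_VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02

# Hypothetical relay policy for the SOCKS server (constructed for this example):
# CONNECT is permitted only towards these destination ports.
ALLOWED_DST_PORTS = {80, 443}


# ---------------- client side (what a "socksified" client sends) -------------
def client_greeting(methods) -> bytes:
    """VER | NMETHODS | METHODS: the client offers its authentication methods."""
    return bytes([SOCKS_VER, len(methods), *methods])


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (port in network byte order)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                        # not a dotted quad: send a domain name
        raw = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---------------- server side (SOCKS server on the firewall) ------------------
def server_select_method(greeting: bytes) -> bytes:
    """VER | METHOD: pick one offered method, or 0xFF if none is acceptable."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER:
        return bytes([SOCKS_VER, METHOD_NONE_ACCEPTABLE])
    n = greeting[1]
    offered = set(greeting[2:2 + n])
    chosen = METHOD_NOAUTH if METHOD_NOAUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])


def parse_request(req: bytes):
    """Return (cmd, host, port) from a client request; raise on malformed input."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[2] != 0x00:
        raise ValueError("malformed SOCKS request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return cmd, host, port


def server_evaluate(req: bytes, bnd_addr="192.168.4.1", bnd_port=1080) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT: grant or deny the relay request.
    Only the policy decision and the reply encoding are shown; the destination
    connection itself is not opened here."""
    cmd, host, port = parse_request(req)
    allowed = cmd == CMD_CONNECT and port in ALLOWED_DST_PORTS
    rep = REP_SUCCEEDED if allowed else REP_NOT_ALLOWED
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bnd_addr) + struct.pack("!H", bnd_port))


def exchange(host: str, port: int) -> int:
    """Run the negotiation from the slide end to end; return the REP code."""
    selection = server_select_method(client_greeting([METHOD_NOAUTH, METHOD_USERPASS]))
    if selection[1] == METHOD_NONE_ACCEPTABLE:
        raise RuntimeError("no acceptable authentication method")
    # With method 0x00 (no authentication) there is no authentication
    # sub-negotiation, so the client proceeds straight to the relay request.
    reply = server_evaluate(client_connect_request(host, port))
    return reply[1]
```

Method 0x02 in the greeting is the username/password method of RFC1929; a server that selected it would run that sub-negotiation before accepting the relay request. Note that the server's policy is applied to the request fields only: once the relay is granted, a circuit-level gateway passes the data stream through without inspecting it, which is exactly the distinction from an application-level gateway drawn on the previous slide.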
Application-level Gateways
• A proxy server that allows a specific application protocol to traverse a firewall.
• A scenario: The packet filter of a firewall blocks all inbound Telnet and FTP sessions, unless the sessions are terminated by a bastion host.
  – Multiple application gateways may be running on the bastion host → a proxy server for FTP, a proxy server for Telnet, …
  – A user who wishes to connect inbound to an intranet server must have his Telnet or FTP client connect to the application gateway
Application-level Gateways
• To properly authenticate the user, an application gateway must have access to authentication and authorization information, either locally or remotely:
  – User-level authentication info may be stored locally on the firewall
  – User-level authentication info may be stored in a centralized authentication server (e.g., RADIUS, TACACS+)
Trade-offs of Firewalls
• Advantages:
  1. Provides basic access control services for an intranet
  2. Provides a centralized filtering/gateway function
  3. (To some degree) Relieves individual hosts of the responsibility of having a filter or firewall themselves
  4. Centralized management of filtering rules
• Limitations: next
Trade-offs of Firewalls
• Limitations:
  1. Cannot protect sites and corporate intranets against insider attacks → internal / intranet firewalls
  2. Can be circumvented by tunneling unauthorized application protocols in authorized ones
  3. Little protection against attacks embedded in the data field of a packet (e.g., virus-infected programs or data files, malicious Java applets, malicious ActiveX controls, …)
  4. May foster a false sense of security → lax security within the firewall perimeter
Dual-Homed Firewalls
• A dual-homed host is a host with two network interfaces, each of which is connected to a different network.
• A dual-homed firewall is a dual-homed host on which IP routing and forwarding are disabled.
  – IP packets can no longer be routed or forwarded between the two networks.
  – Data can only be transferred from one network to the other if there is an application gateway running on the firewall to do that.
  – See diagram next.
[Diagram: dual-homed firewall, with the outer screening router on the Internet side and the inner screening router on the intranet side]
Dual-Homed Firewalls
• The outer screening router makes sure that
  – All incoming packets have the bastion host as the destination address.
  – All outgoing packets have the bastion host as the source address.
• The inner screening router makes sure that
  – All incoming packets have the bastion host as the source address.
  – All outgoing packets have the bastion host as the destination address.
• Packet filtering rules need to be configured.
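The four address rules on this slide, written out as filter functions for each screening router. This is an added example, not configuration from the slides; the two bastion interface addresses (203.0.113.1 facing the outer router, 192.168.4.1 facing the inner router) and the sample hosts are constructed, and the check covers only the address fields the slide names, not ports or protocols.

```python
from dataclasses import dataclass

# Constructed addresses (not from the slides): the dual-homed bastion host has
# one interface on each side, so each screening router checks the address of
# the bastion interface that faces it.
BASTION_OUTER = "203.0.113.1"   # interface facing the outer screening router
BASTION_INNER = "192.168.4.1"   # interface facing the inner screening router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" = heading towards the intranet, "out" = towards the Internet


def outer_router_permits(p: Packet) -> bool:
    """Outer screening router: incoming packets must be addressed to the
    bastion, outgoing packets must come from the bastion."""
    if p.direction == "in":
        return p.dst == BASTION_OUTER
    return p.src == BASTION_OUTER


def inner_router_permits(p: Packet) -> bool:
    """Inner screening router: incoming packets must come from the bastion,
    outgoing packets must be addressed to the bastion."""
    if p.direction == "in":
        return p.src == BASTION_INNER
    return p.dst == BASTION_INNER


def demo():
    """Constructed traffic cases, each judged by the router that sees it."""
    return {
        # Internet client talking to the proxy on the bastion: passes the outer router
        "client_to_bastion": outer_router_permits(Packet("198.51.100.7", BASTION_OUTER, "in")),
        # Internet client addressing an intranet host directly: dropped by the outer router
        "client_to_intranet": outer_router_permits(Packet("198.51.100.7", "192.168.4.20", "in")),
        # proxy on the bastion relaying to an intranet server: passes the inner router
        "bastion_to_server": inner_router_permits(Packet(BASTION_INNER, "192.168.4.20", "in")),
        # intranet host sending straight out, bypassing the proxy: dropped by the inner router
        "host_direct_out": inner_router_permits(Packet("192.168.4.20", "198.51.100.7", "out")),
        # intranet host answering the proxy on the bastion: passes the inner router
        "host_to_bastion": inner_router_permits(Packet("192.168.4.20", BASTION_INNER, "out")),
        # reply from the bastion's outer interface to the Internet: passes the outer router
        "bastion_to_client": outer_router_permits(Packet(BASTION_OUTER, "198.51.100.7", "out")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {'permit' if verdict else 'drop'}")
```

Because routing and forwarding are disabled on the bastion, the only way a packet crosses from one side to the other is for an application gateway on the bastion to accept it on one interface and originate a new connection on the other, which is why both routers can be this strict about addresses.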
Screened Subnet Firewalls
• Two separate screening routers: outer, inner (see diagram next)
• DMZ: the subnet in between the two screening routers
• The bastion host is part of the DMZ.
• A packet must pass both screening routers before it reaches the intranet.
• When configured properly (e.g., using NAT), only the bastion host and other servers in the DMZ can be seen from the Internet.
[Diagram: screened subnet firewall, with the DMZ between the outer screening router and the inner screening router]
NAT and Security
• Network Address Translation (NAT) is useful:
  – Hide internal private IP addresses
  – Conserve routable IP addresses on the Internet
• RFC1918 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996.
• Reserved IP addresses for private networks in RFC 1918 addressing scheme:
  – The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
An Example
- a firewall supporting NAT
Also a router ?
[Diagram; labels recovered: client C, IP address 67.64.10.3, port number c; firewall F = 192.168.4.1, port number f; server S = 67.64.10.1 → 192.168.4.1, port number 21]
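An added example covering the RFC1918 slide and the NAT firewall example above (not code from the slides): a check against the three private blocks as quoted, and a small port-translating NAT that rewrites outbound packets to one public address and only rewrites inbound packets for which a mapping exists. The public address 198.51.100.1, the inside host 192.168.4.10, the port range starting at 20000 and the outside server 203.0.113.5 are constructed values.

```python
import ipaddress

# The three RFC1918 blocks quoted on the slide.
RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the three private blocks. This is deliberately
    narrower than ipaddress's is_private, which also covers loopback,
    link-local and other special-purpose ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RFC1918_BLOCKS)


class Napt:
    """Port-translating NAT with a single public address (constructed example).
    Outbound packets get their private source rewritten to (public_ip, port);
    inbound packets are rewritten back only if a mapping exists."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside ip, inside port) -> public port
        self.inbound = {}    # public port -> (inside ip, inside port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->Internet packet; returns (src, sport, dst, dport)."""
        if not is_rfc1918(src_ip):
            raise ValueError("source is not a private address")
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an Internet->inside packet, or return None (dropped) when no
        inside host has a mapping for it. Nothing about the payload is examined."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        in_ip, in_port = self.inbound[dst_port]
        return (src_ip, src_port, in_ip, in_port)


def demo():
    """Constructed traffic: inside host 192.168.4.10 fetches a web page from
    203.0.113.5 through a NAT whose public address is 198.51.100.1."""
    nat = Napt("198.51.100.1")
    out = nat.translate_outbound("192.168.4.10", 40000, "203.0.113.5", 80)
    back = nat.translate_inbound("203.0.113.5", 80, "198.51.100.1", 20000)
    stray = nat.translate_inbound("203.0.113.9", 4444, "198.51.100.1", 22)
    return {"outbound": out, "reply": back, "unsolicited": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

The outside server only ever sees 198.51.100.1, which is the "hide internal addresses" benefit; the unsolicited packet is dropped simply because no entry exists for it, not because anything was inspected. That is the whole of the protection NAT offers, which is the point of the later slide asking whether NAT is sufficient for security.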
Other Examples
- the DCSL network
• Network diagram for the UHCL Distributed Computer
Security Lab (D140, D158)
– http://www.dcsl-uhcl.net/public/experiments.html
Advantages of using NAT
• The obvious advantage of using private address space for the Internet at large is to conserve the globally unique address space by not using it where global uniqueness is not required.
• Enterprises themselves also enjoy a number of benefits from their usage of private address space: They gain a lot of flexibility in network design by having more address space at their disposal than they could obtain from the globally unique pool. This enables operationally and administratively convenient addressing schemes as well as easier growth paths.
Drawbacks of using NAT
• Renumbering of IP addresses may be needed in some cases:
  1. Once one commits to using a private address, one is committing to renumber part or all of an enterprise, should one decide to provide IP connectivity between that part (or all of the enterprise) and the Internet.
  2. Another drawback to the use of private address space is that it may require renumbering when merging several private internets into a single private internet.
Is NAT sufficient for network security?
• No. It’s mainly a convenience measure.
  1. It cannot replace the functionalities of a firewall: NAT does not track packet sequence numbers, TCP handshake, and UDP progress-based timers, etc.
  2. It cannot replace an intrusion detection system: NAT does not concern itself with protecting the hosts from malicious data being sent on the NAT connections.
  3. It cannot replace an access control mechanism.