Download Firewalls

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Airborne Networking wikipedia , lookup

Internet protocol suite wikipedia , lookup

Network tap wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Computer security wikipedia , lookup

Lag wikipedia , lookup

Deep packet inspection wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Wireless security wikipedia , lookup

Parallel port wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript
Living Behind Administrative
Firewalls at Stanford:
A Survival Guide
August 5, 2005
2-4 pm, Turing Auditorium
Sunia Yang
[email protected]
Networking Systems
1
Topics
• Security by protocol stack
– What's a firewall?
– What's a vpn?
– How secure are we?
• Stanford's deployment of firewalls and vpns
– How to get behind a firewall
– How to add/change/delete rules
• Troubleshooting
• Requesting rules - exercise (50 min)
2
Firewalls at Stanford
• Everyone, especially sys admins and
application folks, behind a firewall has to
learn more about networking
• Networking folks have to learn more about
systems and applications
• More process required- audit/authorization
trail
3
Living with Firewalls- Mantras
• "Know Thy Network Traffic"
– If you don't know it now, you're going to learn
it the hard way
• "Know Thy Servers"
– ditto
4
Security by Protocol Stack
• Firewalls and VPNs are just part of a total
security approach
– Firewall would not have caught bugbear-b virus
– Perimeter firewall or user vpn client would not
have prevented Windows RPC, Agobot, Sasser
5
Physical Layer Security
• "If you can touch it, you can hack it"
– Lock up servers, network closets
• Wireless- major physical security risk
– firewall defeated if wireless behind firewall
– allowing unencrypted wireless session through
firewall defeats data security
6
Data layer
• Switches as security device
– isolates conversations- sniffer protection
• may misbehave and "leak"
– block by hardware address
• not possible in all switches
– hardcode hw address to port- tedious,
unscalable
7
Network/Transport Layers
• Filter traffic by IP addresses and ports
– Router ACLs (may be leaky)
– Firewalls (hardware, software)
– Host IP filters
• Require secure (not clear text) protocols or vpn
– data encrypted (ssl, ssh)
– encrypted data could still be virus or worm
8
Perimeter vs Server vs Dept
"Firewalls"
• Perimeter- at SUNet boundaries
– Protect entire network at boundary
• SUNet uses Routers and Packetshapers
– SUNet leaves most ports open, only blocking
particularly vulnerable ports (Windows, backdoors)
– Guard mostly against worms/viruses/script kiddies
– Does not guard against internal hacked machines
• Server- protect essential data/services
– Block all unused ports
• Departmental- at the network boundary
– still working out what we can support
9
Application Layer
• Very critical layer for security- starts in the design
–
–
–
–
–
–
good architecture- 3 tier (separate web, app, db)
no group accounts
good passwords
secure transports- no cleartext data or passwords
critical data only on secured hosts (workstations!!!)
separate production and development (data, too!)
• Good sys admins
– patch, antivirus-software
– turnoff unused services
• Monitoring– how to detect compromise
10
User/Political Layer
• The most important security layer
• Political
– Policy and mandate
– Funding
– Enforcement
• User
–
–
–
–
# 1 risk- disgruntled employees
data on workstations
bad passwords
usage - laptops, wireless, patching, AV
11
How secure are we and why do
we care?
• Computer security is among top financial
risks to Stanford
– loss of data and reputation
– cost of cleaning hacked machines
– legal liability- Hipaa (medical), Ferpa (student)
• Audit reports are grim
– many security issues at application layer
12
What is a firewall?
• Network/transport layer
• Passes traffic based on these basic criteria:
–
–
–
–
source IP
destination IP
destination port
session status- initiation, timeout
• Generally, default is block everything
13
Why firewalls/vpns?
• Physical and data layer security is critical
– mostly implemented already (except wireless)
• Too many badly architected apps on market
– many assume perimeter and server firewalls
• Often best return of security for given staff,
time and money
14
Firewall Issues
• No security on opened ports
• Manageable rule set vs. many exceptions
• Hard to secure port-hopping apps- VPN
instead
• Session timeout limits
• Hosts are unprotected from hacked hosts
behind firewall ( want personal firewall!!)
15
What is a vpn?
• Network/transport layer
• Establish session between two devices
– vpn client and vpn server/concentrator
– two firewalls
• Encrypt traffic- secure cleartext traffic
• Another layer of
authentication/authorization
16
VPN Pros
• With limited staff time and money, may get
some application layer security
• Sometimes can be used to enforce patch
level of client operating systems
17
VPN Cons
• May break IP dependent services
• Inconvenient- processing overhead
• Most vpn clients incompatible with each
other
• Incomplete security- allows encrypted path
for hacker
• Cost of vpn client support
18
VPN - Split Tunnel
• only traffic to specific servers is encrypted
• pros- performance
– less encryption overhead
– less traffic to central VPN concentrator
• cons- security
– if client host is hacked, hacker can control VPN
session
• no split tunnel allowed for admin apps
19
Stanford Public Vpn
Allows split tunnel
Two main uses:
-access Windows svrs from outside
-get Stanford IP for authorization
VPN Client
google.com
su-vpn
Windows svr
Library Resources
SUNet
20
Stanford Admin Vpn
No split tunnel allowed
Mainly to access firewalled servers
VPN Client
google
www.stanford.edu
server
firewall
firewall
vpnap
21
General Steps For Firewall Design
•
•
•
•
•
Design topology
Firewall Rules
Enforce rules
Monitor, document, audit (not in this class)
Troubleshooting
22
Firewall Process at Stanford
•
•
•
•
•
•
•
•
•
Process tries to make things easier but auditable
Contact firewall team (firewall-team@lists ASAP
Fill out form + application layout
Meet and design topology
Order hardware, cables
Move behind firewall
Rule requests and approval
VPN access
SLA and charges
• https://www.stanford.edu/group/networking/fwmaps/service_site/
23
New Firewall Form
• form gives list of the process and required
information
• application diagram
– hosts and required ports
– transport between hosts
– where's the data?
• what trying to protect- hosts, data, service
24
Application Architecture Diagram -
Citrix Users
Odd Users
drastically simplified
Stanford user- anywhere
Stanford user- anywhere
Developers- vpn client
Web1
Web2
Production Web
Service- Port 443
Production Web
Service- Port 443
Development Web
Service- Port 88
Odd1
Odd Application
Port 8572
App1
App2
Production App ServicePort 4572
Production App ServicePort 4572
Development App ServicePort 4573
DB1
Production DatabasePort 1521
Training
Database- Port 1550
Development
Database- Port 1560
DB2
Citrix App
Citrix1
Every Arrow Point is
Another Rule!
25
Meeting and Design
• meet with someone from firewall team and
information security
• review form, application diagram,
transports, data
• propose initial firewall topology and
schedule install
26
Laying out Firewall Topology
• Group servers by
– Sensitivity and type of data
– Security level (don't put petty cash in the safe)
– Production vs development
• Especially as projects are out-sourced, don't want our data
somewhere else in the world
– Separate web from app/db layers
• Sharing switches
– Generally, databases or servers actually holding data
should be on separate switch (no VLANs)
27
Basic Firewall Topology
FW = firewall
SW = switch
S = server
Firewall can only filter between zones by IP address and port
Applications often use a well-known port
Zone 1
FW1
Zone 2
Ex. Web Servers
Zone 3
Ex. App Servers
Zone 4
Ex. Database Servers
SW1
vlan 20
S1
S2
vlan 30
S3
S4
S5
SW2
S6
S7
S8
S9
28
Routing vs Transparent FWs
• Routing FWs
– extra security because of layer 3 separation
– standard for server firewalls
• Transparent FWs
– standard for departmental firewalls
– acts like a switch
29
Ordering
• firewalls- currently using Juniper/Netscreen
• switches
• cabling if in machine room
– fwteam assigns switch ports for servers
– sysadmin requests cabling from machine room
infrastructure support through HelpSU
30
Server Moves
• usually firewall is in routing mode
• fw team notifies project owner that firewall
ready
• sys admin moves server behind firewall by
unplugging old cable and putting in new
cable. Sys admin also takes care of any
needed NetDB changes if renumbering
server
31
Rule Request Form
• Ideally request initial rules before move
• Template rules = set of commonly requested rules
–
–
–
–
–
backup
windows administration
solaris administration
linux administration
database administration
• Rule request form
– https://tools.stanford.edu/cgi-bin/firewall-request
– reminder of required fields
– archived for audit purposes
• Requesters/approvers designated by app owner
32
Firewall Rules- Part 1
Rule requires the following pieces:
Action: Permit, Deny
Source IPs: Client, VPN Client, Admin
Destination IPs: Servers
Destination Port: 80(web), 25(smtp), etc.
Port Type: tcp, udp
33
Firewall Rules- Part 2
Examples:
Allow 10.0.1.5 to 171.64.7.77 on udp port 53 (DNS)
Allow 10.0.1.0/24 to 10.0.2.10 on tcp port 25 (SMTP)
Deny 10.0.1.0/24 to any on tcp port 25 (SMTP)
Sources: servers, clients, vpn clients, hackers
(remember the last one when you are writing rules!!!!)
34
Types of Rules - Part 1
• Basic host functions - in template
– DNS, NTP, ping
• Remote host admin- mostly in template
Monitoring – snmp, email, icmp
Remote session - ssh, citrix
Authentication - sident, kerberos, MS auth
Maintenance - upgrades, virus, rebuilds, backup,
file transfer
Central systems –Microsoft domains/AD, afs, nfs
35
Types of Rules - Part 2
• Application specific
Client: Web services, front end ports
Server to server: db sharing, file transfer, app to db
• Development
Environments- training, development, etc
Server to server: db sharing, file transfer, app to db
Application build
Developer access- in-house, remote
36
VPN access
• traffic from sysadmin or application folks to
servers should be over secure transports or over
vpn (unencrypted SQL, etc)
• authorization set by workgroups
• app owner sets membership with Workgroup
Manager (http://workgroup.stanford.edu)
• currently, delegated vpn approver must send email
to firewall-team to activate vpn account
37
Troubleshooting
• A can't reach B which is behind firewall
– Try ping first (allowed by default at Stanford on FWs)
• If fails, check IP addr, physical connection
– Try telnet to desired port
• If okay, then not a firewall issue- probably app layer
– Message like "Connected to B"
• If fails, depends on message:
– "Connection closed by foreign host" or "Connection refused"
means B rejects A
– Hangs with message "Trying B", finally getting message like
"Unable to connect to remote host: timed out" means that port is
not reachable- possibly firewall
– Run "netstat" on B to see if ports are open
– Ask us to log- see if traffic is coming thru or blocked
38
Common Problems
• ~80% requests to check firewall show that
firewall is not the problem
• ~10% of time, previously unknown traffic
("know thy app") has no appropriate rule
• Typos, miscommunication
• Extra filtering on host itself
• Host IP changes, thus breaking rule
39
Exercise Goals
•
•
•
•
understand firewall terms
understand how to construct a rule
understand the types of rules
understand how topology affects rule
requests
40
Application Architecture Diagram -
Citrix Users
Odd Users
drastically simplified
16
Stanford user- anywhere
Stanford user- anywhere
4
13
Web1
1
2
Developers- vpn client
14
15
Web2
Production Web
Service- Port 443
Production Web
Service- Port 443
17
Development Web
Service- Port 88
Odd1
8
Odd Application
Port 8572
9
5
18
19
App1
App2
Production App ServicePort 4572
Production App ServicePort 4572
3
DB1
6
20
10
Production DatabasePort 1521
7
Development App ServicePort 4573
Training
Database- Port 1550
Development
Database- Port 1560
DB2
11
12
Citrix App
Citrix1
Every Arrow Point is
Another Rule!
41
System Administration & Development Diagram ( greatly simplified )
Sys Admins
Sys Admins
Mail Server
200.0.1.5
Bastion
21
terminal svcs
32
ssh- port
22
ssh- port
22
22
23
24
smtp- port
25
Web1
Web2
App2
App1
DB1
Windows PDCs200.0.0.20
200.0.0.30
smtp- port
25
25
33
26
DNSsvrs
Timesvrs
200.0.2.9
DB2
windows ports- 135,
137, 138, 139, 445
Odd1
Citrix1
UnixServers
pingICMP
29
27
Anyhost
28
afs
mounts
afs svrs
200.0.5.0/24
pingICMP
pingICMP
31
MonitoringServer
200.0.3.11
35
30
pingICMP
Anyhost
pingICMP
Switch1
Switch2
Every Arrow Point is
Another Rule!
Windows
Servers
telnet/ssh
37
Fw Admins
Switch3
Network
Devices
42
Network Topology
Wireless
User
VPN Clients
Hacker
SUNet
200.0.2.9
DNS/NTP
200.0.5.0/24
afs/nfs svrs
200.0.1.5
Hacker
Wired User
10.0.100.6410.0.100.126
SysAdmin
Developer
User
Internet
Monitoring
Developer
SysAdmin
200.0.3.11
Router
10.0.0.1/24
Mail Svrs
PDCs
200.0.0.20
200.0.0.30
10.0.0.2/24
Firewall
10.0.1.1/24
10.0.3.1/24
Zone =App
DB1
10.0.1.3/24
Switch1
Switch2
DB2
10.0.1.4/24
Bastion Host
10.0.4.2/24
10.0.2.1/24
Zone=DB
10.0.1.2/24
10.0.4.1/24
App1
10.0.2.3/24
Zone =Web
10.0.2.2/24
App2
10.0.2.4/24
Switch3
Web1
10.0.3.3/24
10.0.3.2/24
Web2
Citrix1
Odd1
10.0.3.4/24
10.0.3.5/24
10.0.3.6/24
43