Firewalls
Mark Clements

    Last Week ...

       Three main families of cryptographic primitive
       Symmetric ciphers, asymmetric (public-key) ciphers and hash functions
       Combined with one another to build protocols
       Allow Bob and Alice to communicate without
        Eve learning what they say




2                                         ENS
    This week ...

     Firewalls in general
     Stateful vs. Stateless Firewalls
     Application Proxies
     Firewall Architectures


    Protecting the Network Perimeter

    Possible reasons for attacking a network:

         Extortion
         Fraud
         Espionage
         Sabotage
         Simple curiosity
    What is a Firewall?

       A firewall acts as a control barrier between a
        trusted and an un-trusted computer network
        –   For example between a company network and the
            Internet
       It decides, for each packet (or connection), whether to
        allow it to pass or to drop it, according to a policy
       It can be a dedicated system (host or appliance), or a
        filtering function of an ordinary router


    Policy and Connections

    [Diagram: Untrusted Network <-> Firewall <-> Trusted Network]
                 Firewall
                 -enforces a security policy
                 -allows only connections matching security settings



    Example Policy

       For example, a firewall might be configured to
        pass all HTTP (www) traffic to TCP port 80, but
        to block any TELNET connections to TCP port 23

        –   TELNET is known to have security weaknesses,
            such as sending the username and password in plain text
        –   you therefore do not wish to allow external clients to TELNET
            onto your servers and clients




    Policy in action

    [Diagram: Untrusted Network <-> Firewall <-> Trusted Network]
                  Telnet (to TCP port 23): Blocked
                  HTTP (to TCP port 80): Passed


     IP Datagram Overview

     [Figure: IP datagram header layout, not preserved in this extraction. Source: http://dimitar.me/]
     Firewall Components

        There are two principal firewall components
         –   Packet filtering routers
         –   Application proxies
        These work at different layers of the network
         stack
        We shall now consider each of these in more
         detail


     Packet Filtering Routers
        Packet filtering routers decide whether to pass an IP
         datagram by viewing data in both the network and
         transport layer headers
        In particular, packet filtering routers can consider the
         following information:
         –   Source and destination IP address (or subnet)
         –   Source and destination TCP or UDP port number
         –   Direction of datagram flow
         –   State of connection (new or established)

         –   So in summary, packet filtering routers operate at the
             network (IP) and transport (TCP/UDP) layers of the stack
     OSI Layers for firewalling

     [Diagram: a Packet Filtering Router sits between the Untrusted Network and
      the Trusted Network. It inspects the Transport (TCP/UDP) Layer and the
      Network (IP) Layer; the Link Layer and Physical Layer are present on each
      side but are not inspected.]
     Packet Filtering Routers

        Packet filtering routers can operate in one of
         two ways:
         –   Stateless packet filtering
         –   Stateful packet filtering
        Checking each packet on its own against an access
         control list (ACL) is an example of stateless filtering
        Stateful packet filtering tracks the TCP three-way
         handshake and only passes packets that belong to a
         connection it has seen being set up
         Stateless Firewalls
        Stateless packet filtering routers make
         forwarding decisions based on the contents of
         the network (IP) layer header and the transport
         (TCP/UDP) layer header
        Their forwarding decisions are therefore based
         only on the fields of the packet in hand:
          –   The source and destination IP address (or subnet)
          –   The direction of datagram travel
          –   The source and destination TCP or UDP port number
          –   Transport layer header fields such as the TCP SYN and ACK flags

     Stateful Packet Filtering Routers
        Stateful packet filtering routers also make
         forwarding decisions based on the contents of
         the Network (IP) layer datagram header and the
         Transport (TCP/UDP) layer segment header
        In addition they maintain a connection state
         table
         –   Holds the current state of a given connection,
         –   No need to rely solely on the SYN and ACK flag
             values for each packet to learn this information (the
             flag values can be spoofed)

         Stateful Firewall Decisions
        Forwarding decisions are therefore based on:
          – The source and destination IP address (or
            subnet)
          – The direction of datagram travel
          – The source and destination TCP or UDP port
            number
          – Whether the datagram belongs to a new or an
            established connection, as recorded in the state
            table (which is built by following the SYN and ACK
            flags of the TCP handshake, rather than trusting the
            flags of each packet in isolation)
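The contrast drawn in the last few slides (the example policy that passes TCP port 80 and blocks port 23, the stateless ACL that trusts the ACK flag, and the stateful filter that follows the handshake), as an added example in Python. This is not code from the slides: the trusted network 10.0.0.0/8, all addresses and ports, and the rule set are assumptions made for the demonstration, and the packets are constructed inline.

```python
"""Added example (not from the slides): a stateless ACL next to a stateful
TCP filter, run over constructed packets.  All addresses, ports and the
rule set are assumptions made for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYN, RST, ACK = 0x02, 0x04, 0x10                 # TCP flag bits
INSIDE = ip_network("10.0.0.0/8")               # assumed trusted network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    direction: str   # "in": untrusted -> trusted, "out": trusted -> untrusted


def acl_stateless(pkt: Packet) -> bool:
    """Stateless rules: first match wins, default deny.  The last rule is
    the classic 'established' trick: pass inbound segments with ACK set on
    the assumption they are replies to an outbound connection.  Nothing
    checks that such a connection exists, so the flag can be spoofed."""
    if pkt.direction == "in" and pkt.dport == 80:              # HTTP to the web server
        return True
    if pkt.direction == "in" and pkt.dport == 23:              # Telnet from outside
        return False
    if pkt.direction == "out" and ip_address(pkt.src) in INSIDE:
        return True                                            # inside hosts may initiate
    if pkt.direction == "in" and pkt.flags & ACK and not pkt.flags & SYN:
        return True                                            # "established" reply
    return False


class StatefulFilter:
    """Follows the three-way handshake and keeps a state table; a packet
    is passed only if it opens a permitted connection or matches one
    already in the table."""

    def __init__(self) -> None:
        self.table = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # (inside_ip, inside_port, outside_ip, outside_port): the same key
        # for both directions of one connection
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _policy_allows_new(pkt: Packet) -> bool:
        if pkt.direction == "in":
            return pkt.dport == 80                   # only the web service from outside
        return ip_address(pkt.src) in INSIDE         # inside hosts may open anything

    def check(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        syn, ack = bool(pkt.flags & SYN), bool(pkt.flags & ACK)
        entry = self.table.get(key)
        if entry is None:
            # Only a bare SYN can create state, and only if policy permits it.
            # A lone ACK with no matching entry is dropped whatever its flags say.
            if syn and not ack and self._policy_allows_new(pkt):
                self.table[key] = {"state": "SYN_SENT", "initiator": pkt.direction}
                return True
            return False
        if pkt.flags & RST:                          # reset tears the entry down
            del self.table[key]
            return True
        state, initiator = entry["state"], entry["initiator"]
        if state == "SYN_SENT" and syn and ack and pkt.direction != initiator:
            entry["state"] = "SYN_RECV"              # responder answered
            return True
        if state == "SYN_RECV" and ack and not syn and pkt.direction == initiator:
            entry["state"] = "ESTABLISHED"           # handshake complete
            return True
        if state == "ESTABLISHED":
            return True                              # data, FIN etc. of a known connection
        return False                                 # out-of-order handshake packet


def filter_demo() -> dict:
    """Constructed traffic: one legitimate outbound connection, a spoofed
    ACK-only probe, and inbound Telnet and HTTP connection attempts."""
    sf = StatefulFilter()
    syn_out = Packet("10.0.0.2", "203.0.113.9", 40000, 443, SYN, "out")
    synack_in = Packet("203.0.113.9", "10.0.0.2", 443, 40000, SYN | ACK, "in")
    ack_out = Packet("10.0.0.2", "203.0.113.9", 40000, 443, ACK, "out")
    spoofed = Packet("198.51.100.7", "10.0.0.2", 31337, 40000, ACK, "in")
    telnet = Packet("198.51.100.7", "10.0.0.5", 55555, 23, SYN, "in")
    http = Packet("198.51.100.7", "10.0.0.5", 55556, 80, SYN, "in")
    return {
        "handshake": [sf.check(p) for p in (syn_out, synack_in, ack_out)],
        "spoofed_ack_stateless": acl_stateless(spoofed),
        "spoofed_ack_stateful": sf.check(spoofed),
        "telnet": (acl_stateless(telnet), sf.check(telnet)),
        "http": (acl_stateless(http), sf.check(http)),
    }


if __name__ == "__main__":
    for name, verdict in filter_demo().items():
        print(f"{name:>22}: {verdict}")
```

The spoofed probe is the point of the exercise: it carries ACK and no SYN, so the stateless "established" rule lets it through to an inside host, while the stateful filter finds no entry for the 4-tuple and drops it. A production stateful filter (Netfilter's conntrack, for instance) additionally ages entries out, tracks FIN teardown and checks sequence numbers, none of which this simulation attempts.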

     Performance vs. Cost

        90% of the firewalls today are stateful
        Stateful packet filtering routers are more
         reliable than stateless packet filtering routers
        Provide a greater level of protection than
         stateless packet filtering routers
        However, for similar cost, stateful packet
         filtering routers are generally slower than
         stateless packet filtering routers
     Packet Filtering Routers
     Performance Summary

     [Chart not preserved in this extraction]
     Application Proxies

        10% of firewalls are application proxies
        Application proxies operate at the application layer:
         they terminate the client's connection, inspect the
         application data, and make their own connection to the
         server, rather than looking only at the network and
         transport layer headers
        This makes them slower
        It also makes them protocol-specific

     Application Proxy and OSI

     [Diagram: an Application Proxy sits between the Untrusted Network and the
      Trusted Network. It operates at the Application Layer and has its own full
      Transport (TCP/UDP), Network (IP), Link and Physical layers on each side,
      i.e. one connection from the untrusted side ends at the proxy and a separate
      one is made towards the trusted side.]
     Proxies and Decisions

        Application proxies can see and manipulate all
         data which the full application can see
        A separate application proxy is required for
         each application’s traffic
         –   i.e. HTTP, SMTP, FTP, etc
         –   There are a number of other types of proxies. However, in
             firewall terminology, it is not unusual to refer to application
             proxies simply as proxies




     Application Proxy Examples

        HTTP proxy: Java applets and ActiveX
         components which are coming in from TCP
         port 80 can be dropped, while plain HTML files
         and graphics files coming in from the same
         port can be passed
        SMTP proxy: An executable file attached to an
         e-mail can be scanned for known viruses
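The HTTP proxy example above, as an added example in Python (not code from the slides): a proxy that has the whole response in hand can parse the Content-Type header and the HTML body, drop applets and ActiveX objects, and pass plain pages and images, all of which arrive from the same TCP port 80 and look identical to a packet filter. The allow and block lists, the tag pattern and the four sample responses are constructed for the demonstration.

```python
"""Added example (not from the slides): the decision an HTTP application
proxy can make once it sees the whole response, which a packet filter
looking only at 'TCP port 80' cannot.  Content-type lists and sample
responses are constructed for the demonstration."""
import re

BLOCKED_TYPES = {"application/x-java-applet", "application/java-archive",
                 "application/x-oleobject"}            # applets and ActiveX
ALLOWED_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg", "image/gif"}
ACTIVE_TAG = re.compile(rb"<\s*(applet|object|embed)\b", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP response into status line, header dict and body.
    Header names are lower-cased.  A real proxy would also undo chunked
    transfer encoding and compression before inspecting the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def proxy_decision(raw: bytes) -> tuple:
    """Return ("pass", reason) or ("drop", reason) for one response."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return ("drop", f"blocked content type {ctype}")
    if ctype not in ALLOWED_TYPES:
        return ("drop", f"content type {ctype!r} not on the allow list")  # default deny
    if ctype == "text/html" and ACTIVE_TAG.search(body):
        return ("drop", "HTML page embeds an applet/object/embed element")
    return ("pass", ctype)


# Constructed responses; to a packet filter all four are just "from port 80"
HTML_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
           b"<html><body><h1>Hello</h1><img src=\"logo.png\"></body></html>")
HTML_APPLET = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body><APPLET code=\"Game.class\" width=100></APPLET></body></html>")
JAR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/java-archive\r\n\r\n"
       b"PK\x03\x04 (zip data)")
PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
       b"\x89PNG\r\n\x1a\n (image data)")


def proxy_demo() -> dict:
    return {name: proxy_decision(raw) for name, raw in
            [("html", HTML_OK), ("applet", HTML_APPLET), ("jar", JAR), ("png", PNG)]}


if __name__ == "__main__":
    for name, (verdict, reason) in proxy_demo().items():
        print(f"{name:>7}: {verdict:4} ({reason})")
```

Two design points carry over to real proxies: the content-type check is default deny (an unknown type is dropped, not passed), and the body is inspected as well as the header, because a server can label an applet page as ordinary HTML. Browsers also sniff content, so a hardened proxy would normalise the Content-Type it forwards rather than trust the one it received.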


     Application Proxy Performance

        Application proxies are more reliable in detecting
         malicious content than packet filtering routers
        They are generally considered to provide a much
         greater level of protection than packet filtering
         routers
        However, proxies require considerably more
         memory and processor cycles than any of the types
         of packet filtering routers outlined

     Firewall Performance Summary

     [Chart: processing cost (processor cycles and memory) plotted against
      security. Both rise from stateless packet filtering, through stateful
      packet filtering, to proxying.]
     Network Address Translation

        Network address translation (NAT) is a technique
         which allows a router to rewrite the IP addresses (and
         ports) of datagrams as they pass through (RFC 1631,
         since replaced by RFC 3022)
        Hostile datagrams cannot be routed to a target system
         whose address is unknown to the attacker, or is
         reserved for private use and not routable on the
         Internet (RFC 1918), e.g.:
         –   10.0.0.0/8
         –   172.16.0.0/12
         –   192.168.0.0/16
        Only traffic for which the NAT holds a mapping (or a
         static rule) reaches an inside host, so NAT hides the
         inside addressing, but it is not a substitute for a
         filtering policy


     NAT Example

     [Diagram: the Internet reaches the Firewall on its outside address
      155.198.5.83; the firewall's inside address is 10.0.0.1 on the Company
      Network, which holds clients 10.0.0.2, 10.0.0.3 and 10.0.0.4.]
     -Static NAT
     -Dynamic NAT
        -PAT (Port Address Translation)
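The PAT case from the diagram, as an added example in Python (not code from the slides): the firewall keeps a translation table so that several 10.0.0.x clients share the one public address 155.198.5.83, replies are mapped back to the right client, and inbound packets with no mapping are dropped. The public and client addresses are the slide's; the server address 203.0.113.9, the attacker address 198.51.100.7, the port numbers and the mapping policy are assumptions.

```python
"""Added example (not from the slides): a port address translation (PAT)
table of the kind the firewall in the diagram would keep.  The public
address 155.198.5.83 and the 10.0.0.x clients are the slide's; the server
and attacker addresses, ports and the mapping policy are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """Many inside hosts share one public address; each outbound flow gets
    its own public port.  Inbound packets are translated back only when
    they match an existing mapping (address- and port-dependent, the
    strictest NAT behaviour); anything else is dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Pkt) -> Pkt:
        """Rewrite the source address/port of an inside -> Internet packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                      # new flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Translate an Internet -> inside packet, or None if it must be dropped."""
        if pkt.dst != self.public_ip:
            return None                       # RFC 1918 destinations are unreachable
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                       # unsolicited: no mapping, dropped
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def nat_demo() -> dict:
    pat = PAT("155.198.5.83")
    # Two clients happen to pick the same source port for the same web server
    c2 = pat.outbound(Pkt("10.0.0.2", 50000, "203.0.113.9", 80))
    c3 = pat.outbound(Pkt("10.0.0.3", 50000, "203.0.113.9", 80))
    reply2 = pat.inbound(Pkt("203.0.113.9", 80, "155.198.5.83", c2.sport))
    reply3 = pat.inbound(Pkt("203.0.113.9", 80, "155.198.5.83", c3.sport))
    probe = pat.inbound(Pkt("198.51.100.7", 31337, "155.198.5.83", 23))   # unsolicited Telnet
    direct = pat.inbound(Pkt("198.51.100.7", 31337, "10.0.0.2", 23))      # private target
    return {"c2": c2, "c3": c3, "reply2": reply2, "reply3": reply3,
            "probe": probe, "direct": direct}


if __name__ == "__main__":
    for name, pkt in nat_demo().items():
        print(f"{name:>7}: {pkt}")
```

The table is keyed on the remote address and port as well as the public port, so a packet from a different host to an allocated public port is not delivered inside. Looser NAT behaviours (endpoint-independent mapping, as used to let peer-to-peer traffic through) would accept it, which is one reason the filtering policy, not the NAT, has to be the control.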
     Firewall Architectures
        Most real firewalls make use of a number of
         components connected together, to form an overall
         firewall solution
        It is possible to build a wide range of firewall
         architectures, with each having a range of applications
        Some examples are:
         –   The Classic architecture
         –   The Belt and Braces architecture
         –   The Chapman architecture



     Firewall Architectures - Classic

     [Diagram: Internet -> Packet Filtering Router -> DMZ -> Application Proxy
      -> Company Network. The DMZ holds the WWW Server, the FTP Server and a
      DNS Server; a second DNS Server is drawn beside the packet filtering
      router.]
     Classic Architecture

        The packet filtering router drops datagrams from the
         Internet that are not addressed to a DMZ host or to
         the proxy
        Externally visible services (www, FTP, etc) are easily
         reachable from the Internet
        Datagrams travelling to the company network must pass
         through the application proxy, for maximum security
        If any of the DMZ hosts are compromised, they can be
         rebuilt or re-configured quickly
         –   no adverse effect on the company network, as long as
             the proxy itself holds

     Belt and Braces Architecture

     [Diagram: Internet -> Packet Filtering Router -> DMZ (holding the
      Application Proxy) -> second Packet Filtering Router -> Company Network.]
     Belt and Braces Security
        The additional packet filtering router provides
         an additional level of security
        If the proxy is compromised, the company
         network is still protected




     Chapman Architecture

     [Diagram: Internet -> Packet Filtering Router -> middle network holding
      the WWW Server, the FTP Server and the Application Proxy -> second
      Packet Filtering Router -> Company Network.]
     Chapman Architecture
        Outgoing traffic can by-pass the proxy (the two
         packet filtering routers can forward it directly)
        Allows external access to services not
         supported by the proxy
        NAT not possible
        If the external router is compromised, the internal
         router is exposed to attack directly



     Firewall Security
        Remember that firewalls themselves are
         vulnerable to attack, so the following
         precautions should be taken:
         –   Remove Telnet access to firewall components
             altogether, and SSH access too unless it is confined
             to a dedicated management network
         –   Operate firewall components from the console
             wherever possible
         –   Remove all unnecessary software and services from
             firewall components
         –   Remove all unnecessary user accounts from firewall
             components
     What Firewall Cannot Do
        A firewall cannot protect against poor server,
         client or network configuration
        A firewall cannot configure itself, or prevent the
         firewall administrator from configuring it badly
        A firewall should be considered as part of a
         network security solution, not as the network
         security solution


     Conclusion

        Firewalls filter the traffic entering (and leaving) a
         network according to a defined policy
        Packet filters may be stateless or stateful
        Application proxies give better protection but are slower
        The components can be combined into several architectures
        NAT hides inside addresses, but is not a filtering policy

     Professional Qualifications in Information Security

        There are a number of professional certifications in
         the field of information security
        Some of the most commonly recognized are those
         offered by:
         –   The International Information Systems Security Certification
             Consortium, generally known as (ISC)2
         –   ISACA, the Information Systems Audit and Control
             Association
         –   The SANS Institute
         –   (the original slides close with screen shots of these
             organisations' web sites)




				