CSCE 522 - PowerPoint PPT Presentation

1 / 44

About This Presentation

Title:

CSCE 522

Description:

Brick wall placed between apartments to prevent the spread of fire from one ... Complexity - feature bloat. Some services do not work well with firewalls ... – PowerPoint PPT presentation

Number of Views:24

Avg rating:3.0/5.0

Slides: 45

Provided by: engi79

Category:

more less

Transcript and Presenter's Notes

Title: CSCE 522

1

CSCE 522
Firewalls

2
Readings

Pfleeger 7.4

3
Traffic Control Firewall

Brick wall placed between apartments to prevent
the spread of fire from one apartment to the next
Single, narrow checkpoint placed between two or
more networks where security and audit can be
imposed on traffic which passes through it

4
Firewall
Private Network
security wall between private (protected) network
and outside word
Firewall
External Network
5
Firewall Objectives

Keep intruders, malicious code and unwanted
traffic or information out
Keep proprietary and sensitive information in

Proprietary data
External attacks
6
Without firewalls, nodes

Are exposed to insecure services
Are exposed to probes and attacks from outside
Can be defenseless against new attacks
Network security totally relies on host security
and all hosts must communicate to achieve high
level of security almost impossible

7
Network Address Translation (NAT)
Organization uses private IP addresses on its
network ? increase address space Send packet to
Internet convert private IP address to globally
assigned IP address Receive packer from Internet
globally assigned IP addresses converted to
private IP addresses Firewalls may Establish
connections on behalf of the client Support NAT
8
Common firewall features

Routing information about the private network
can't be observed from outside
traceroute and ping -o can't see' internal hosts
Users wishing to log on to an internal host must
first log onto a firewall machine (or else start
behind' the firewall).

9
Trade-Off between accessibility and Security
Service Access Policy
Accessibility
Security
10
Firewall Advantages

Protection for vulnerable services
Controlled access to site systems
Concentrated security
Enhanced Privacy
Logging and statistics on network use, misuse
Policy enforcement

11
Protection For Vulnerable Services

Filtering inherently insecure services gt fewer
risks. For example,
NFS services
SNMP
TFTP
NetBIOS

12
Controlled Access

A site could prevent outside access to its hosts
except for special cases (e.g., mail server).
Do not give access to a host that does not
require access
Some hosts can be reached from outside, some can
not.
Some hosts can reach outside, some can not.

13
Concentrated Security

Firewall less expensive than securing all hosts
All or most modified software and additional
security software on firewall only (no need to
distribute on many hosts)
Other network security (e.g., Kerberos) involves
modification at each host system.

14
Enhanced Privacy

Even innocuous information may contain clues that
can be used by attackers
E.g., finger
information about the last login time, when
e-mail was read, etc.
Infer how often the system is used, active
users, whether system can be attacked without
drawing attention
SNMP picture of your network anyone?

15
Logging and Statistics on Network Use, Misuse

If all access to and from the Internet passes
through the firewall, the firewall can
theoretically log accesses and provide statistics
about system usage
Alarm can be added to indicate suspicious
activity, probes and attacks double duty as IDS
on smaller networks

16
Policy enforcement

Means for implementing and enforcing a network
access policy
Access control for users and services
Cant replace a good education/awareness program,
however
Knowledgeable users could tunnel traffic to
bypass policy enforcement on a firewall

17
Firewall Disadvantages

Restricted access to desirable services
Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered attacks
policy/situation dependent
Large learning curve

18
Restricted Access to Desirable Services

May block services that users want
E.g., telnet, ftp, X windows, NFS, etc.
Need well-balanced security policy
Similar problems would occur with host access
control
Network topology may not fit the firewall design
E.g., using insecure services across major
gateways
Need to investigate other solutions (e.g.,
Kerberos)

19
Back Doors

Firewalls DO NOT protect against back doors into
the site
e.g., if unrestricted modem access is still
permitted into a site the attacker could jump
around the firewall
Legacy network topology in large networks

20
Little Protection from Insider Attacks

Generally does not provide protection from
insider threats
Sneaker Net - insider may copy data onto tape or
print it and take it out of the facility

21
Data-Driven Attacks

Viruses
users downloading virus-infected personal
computer programs
Executable Content
Java applets
ActiveX Controls
JavaScript, VBScript
End to End Encryption
Tunneling/Encapsulation

22
Other Issues

Throughput potential bottleneck (all connections
must pass through firewall)
Single point of failure concentrates security in
one spot gt compromised firewall is disaster
Complexity - feature bloat
Some services do not work well with firewalls
Lack of standard performance measurements or
techniques

23
Firewall Components

Firewall Administrator
Firewall policy
Packet filters
transparent
does not change traffic, only passes it
Proxies
Active
Intercepts traffic and acts as an intermediary

24
Firewall Administrator

Knowledge of underpinnings of network protocols
(ex. TCP/IP, ICMP)
Knowledge of workings of applications that run
over the lower level protocols
Knowledge of interaction between firewall
implementation and traffic
Vendor specific knowledge

25
Firewall Policy

High-level policy service access policy
Low-level policy firewall design policy

Firewall policy should be flexible!
26
Service Access Policy

Part of the Network Security Policy
Defines
TCP/IP protocols
Services that are allowed or denied
Service usage
Exception handling

27
Service Access Policy

Goal Keep outsiders out
Must be realistic and reflect required security
level
Full security v.s. full accessibility

28
Firewall Design Policy

Refinement of service access policy for specific
firewall configuration
Defines
How the firewall achieves the service access
policy
Unique to a firewall configuration
Difficult!

29
Firewall Design Policy

Approaches
Open system Permit any service unless
explicitly denied (maximal accessibility)
Closed system Deny any service unless
explicitly permitted (maximal security)

30
Simple Packet Filters

Applies a set of rules to each incoming IP packet
to decide whether it should be forwarded or
discarded.
Header information is used for filtering ( e.g,
Protocol number, source and destination IP,
source and destination port numbers, etc.)
Stateless each IP packet is examined isolated
from what has happened in the past.
Often implemented by a router (screening router).

31
Simple Packet Filter
Private Network
Placing a simple router (or similar hardware)
between internal network and outside Allow/proh
ibit packets from certain services
Packet-level rules
Packet Filter
Outside
32
Simple Packet Filters

Advantages
Does not change the traffic flow or
characteristics passes it through or doesnt
Simple
Cheap
Flexible filtering is based on current rules

33
Simple Packet Filters

Disadvantages
Direct communication between multiple hosts and
internal network
Unsophisticated (protects against simple attacks)
Calibrating rule set may be tricky
Limited auditing
Single point of failure

34
Stateful Packet Filters

Called Stateful Inspection or Dynamic Packet
Filtering
Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to
make better decisions about current and future
packets
Check out
Stateful Inspection Technology at
http//www.sofaware.com/html/Stateful_Inspection.p
df
Firewall Security Requirements at
http//www.sofaware.com/html/tech_stateful.shtm

35
Proxy Firewalls
View
Reality
Private Network
Private Network
Proxy Server
Outside
Outside
36
Proxy Firewalls

Application Gateways
Works at the application layer ? must understand
and implement application protocol
Called Application-level gateway or proxy server
Circuit-Level Gateway
Works at the transport layer
E.g., SOCKS

37
Application Gateways

Interconnects one network to another for a
specific application
Understands and implements application protocol
Good for higher-level restrictions

Server
Client
Application Gateway
38
Application Gateways

Advantages by permitting application traffic
directly to internal hosts
Information hiding names of internal systems are
not known to outside systems
Can limit capabilities within an application
Robust authentication and logging application
traffic can be pre-authenticated before reaching
host and can be logged
Cost effective third-party software and hardware
for authentication and logging only on gateway
Less-complex filtering rules for packet filtering
routers need to check only destination
Most secure

39
Application Gateways

Disadvantages
Keeping up with new applications
Need to know all aspects of protocols
May need to modify application client/protocols

40
Circuit-Level Gateways

Is basically a generic proxy server for TCP
Works like an application-level gateway, but at a
lower level
SOCKS most widely know circuit-level gateway

41
Circuit-Level Gateways

Advantages
Dont need a separate proxy server for each
application
Provides an option for applications for which
proxy servers dont yet exist
Simpler to implement than application specific
proxy servers
Most Open-Source packages can be easily extended
to use SOCKS

42
Circuit-Level Gateways

Disadvantages
No knowledge of higher level protocols cant
scan for active content or disallowed commands
Can only handle TCP connections new extensions
proposed for UDP
Proprietary packages, TCP/IP stacks must be
modified by vendor to use circuit-level gateways

43
Checkpoint Firewall