UNIT 2: Firewalls Content : Firewalls in general basic operation and architecture Main border firewalls using stateful inspection Screening firewalls.


3 UNIT 2: Firewalls

4 Content:
- Firewalls in general: basic operation and architecture
- Main border firewalls using stateful inspection
- Screening firewalls using static packet inspection
- Application proxy firewalls
- Network address translation (NAT)
- Antivirus filtering
- Demilitarized zones (DMZs) + IDS/IPS

5 Security Technology (Measures or Tools)
Firewalls
- A system or group of systems that enforces a network access control policy
- Filters data packets going in and out of the intended target
- Strength relies on configuration
- Governs the flow of data into and out of a Local Area Network
- Separates a private network (LAN) from the public IP Net
- Will defend against the following attacks: Denial of Service (DoS) attacks; unauthorized access; port scanning and probing
Intrusion Detection Systems
- Complement firewalls by detecting whether internal assets are being hacked or exploited
- Network-based intrusion detection: monitors real-time network traffic for malicious activity; similar to a network sniffer; sends alarms for network traffic that matches certain attack patterns or signatures
- Host-based intrusion detection: monitors computer or server files for anomalies; sends alarms for network traffic that matches a predetermined attack signature
- Will defend against the following attacks: Denial of Service (DoS) attacks; website defacements; malicious code and Trojans

6 Security Technology (Measures or Tools)
Virus Protection
- Software should be installed on all network servers as well as computers
- Shall include the latest versions, as well as signature files (detected viruses)
- Should screen all software coming into your computer or network system (files, attachments, programs, etc.)
- Will defend against the following attacks: viruses and worms; malicious code and Trojans
Authentication and Authorization
- Authentication comes in three forms: what you have, know, or are
  - Have: smartcard, token
  - Know: password or PIN
  - Are: fingerprint, retina scan
- Two-factor authentication is the strongest: two out of the three listed means (e.g. an ATM card)
- Password (most common): should be at least 8 mixed characters and numbers; should be changed at least every 90 days; should have a timeout after 3 attempts
- Authorization: what an individual has access to once authenticated
- Will defend against the following attacks: unauthorized access

7 Security Technology (Measures or Tools)
Encryption
- Protects data in transit or stored on disk
- The act of enciphering and deciphering data through the use of shared software keys; data cannot be accessed without the appropriate software keys
- Common uses of encryption include the following technologies:
  - Virtual Private Networking (VPN): used to secure data transfer across the IP Net
  - Secure Sockets Layer (SSL): used to secure client-to-server web-based transactions
  - S/MIME: used to secure e-mail transactions
  - Wired Equivalent Privacy (WEP) protocol: used to secure wireless transactions
- Will defend against the following attacks: data sniffing and spoofing; wireless attacks

8 Security Technology (Measures or Tools)
Assessment and Auditing
- Assessment (risk and vulnerability): the process by which an organization identifies what needs to be done to achieve sufficient security; involves identifying and analyzing threats, vulnerabilities, attacks, and corrective actions; a key driver in the information security process; should be conducted by a third party; includes manual and automated (vulnerability scanner) methods
- Auditing: compares the state of a network or system against a set of standards or a policy
- Will defend against the following attacks: identifies weaknesses and vulnerabilities that address all of the mentioned attacks
Data and Information Backups
- A must-have for disaster recovery and business continuity
- Should include daily and periodic (weekly) backups
- Should be stored off-site, at least 20 miles away from the geographic location, with 24x7 access
- Should be kept for at least 30 days while rotating the stockpile
- Will defend against the following attacks: used to respond to and replace information that is compromised by any of the mentioned attacks

9 The Unprotected Network What could possibly be wrong with this setup? A hackers' paradise and an administrator's nightmare!

10 What Can We Do? Fortunately, firewalls can give us very good protection against attacks from the IP Net. The only problem is that there are numerous firewall strategies. In order to choose the right strategy, we need to know a bit more about the underlying communication protocol, TCP/IP.

11 Intranets An intranet is a network that employs the same types of services, applications, and protocols present in an IP Net implementation, without involving external connectivity. Intranets are typically implemented behind firewall environments.

12 Intranets

13 Extranets An extranet is usually a business-to-business intranet. It gives controlled access to remote users via some form of authentication and encryption, such as that provided by a VPN. Extranets employ TCP/IP protocols, along with the same standard applications and services.

14 Type of Firewalls Firewalls fall into four broad categories:
1. Packet filters
2. Circuit level
3. Application level
4. Stateful multilayer

15 1. Packet Filtering

16 A Simple Packet Filter Firewall This must be really secure...?

17 Packet Filter

18 Two Packet Filters Is a Must

19 2. Circuit level Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate.

20 Circuit Level

21 3. Application Level Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. A gateway that is configured to be a web proxy will not allow any FTP, Gopher, Telnet or other traffic through.

22 Application Level

23 Proxy Firewall

24 4. Stateful Multilayer Stateful multilayer inspection firewalls combine aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer.

25 Stateful Multilayer

26 A Stateful Firewall Can Do That A stateful firewall is an advanced packet filter that keeps track of the state of the network connections going through it. Whenever a packet arrives at the stateful firewall, it checks whether the packet matches an ongoing connection. If a match is found, the packet can pass through.

27 Masquerading Firewall

28 Stateful Inspection Takes Us Further A stateful inspection firewall is not limited to the network TCP/IP protocols. For known applications it looks at the application protocol as well. This enables the firewall to detect when a communication link does something out of the ordinary. It also enables the firewall to filter out certain parts of the data transmitted: for the HTTP protocol it may filter out JavaScript, and for the SMTP protocol it may filter out certain types of attachments.

29 General Performance

30-32 Well-Known Port Numbers

Port Number | Primary Protocol | Application
20 | TCP | FTP data traffic
21 | TCP | FTP supervisory connection; passwords sent in the clear
23 | TCP | Telnet; passwords sent in the clear
25 | TCP | Simple Mail Transfer Protocol (SMTP)
53 | TCP | Domain Name System (DNS)
69 | UDP | Trivial File Transfer Protocol (TFTP); no login necessary
80 | TCP | Hypertext Transfer Protocol (HTTP)
110 | TCP | Post Office Protocol (POP)
 | TCP | NetBIOS service for peer-to-peer file sharing in older versions of Windows
143 | TCP | Internet Message Access Protocol (IMAP) for downloading to client
161 | UDP | Simple Network Management Protocol (SNMP)
443 | TCP | HTTP over SSL/TLS

33 Firewalls [Diagram: log file, hardened server, IDS, hardened client PC, network management console, internal corporate network, IP Net, firewall. A legitimate packet from a legitimate host is allowed through the firewall; an attacker is also present on the IP Net.]

34 Firewall [Diagram: the same components. An attack packet from the attacker is denied by the firewall, and the denied attack packet is recorded in the log file.]

35 Firewall Architecture (Single Site) [Diagram: IP Net, screening router firewall, main border firewall, internal firewall and host firewalls; subnets with a marketing client and an accounting server; public webserver, SMTP application proxy server, HTTP application proxy server and external DNS server.]

36 Defense in Depth with Firewalls [Diagram, from the IP Net inward: screening border router with packet filter firewall software; main firewall (stateful inspection firewall); application firewall (HTTP, etc.); client with host firewall software; site.]

37-41 Basic Firewall Operation [Diagram series: 1. IP Net (not trusted), with an attacker and a legitimate user, and the internal corporate network (trusted). 2. IP Net border firewall. 3. Attack packet. 4. Dropped packet (ingress/from) recorded in the log file. 5. Legitimate packet passed (ingress/from). 6. Attack packet that got through the firewall reaches a hardened client PC or hardened server. 7. Egress (to): packets leaving for the IP Net are likewise passed or dropped.]

42-43 Border Firewall [Diagram: the same elements. An attack packet that got through the border firewall meets a hardened client PC or hardened server; hardened hosts provide defense in depth.]

44 Packet Filter Rulebase

Source Address | Source Port | Destination Address | Destination Port | Action | Description
 | Any | | > 1023 | Allow | Rule to allow return TCP connections to internal subnet
 | Any | | | Deny | Prevent the firewall system itself from directly connecting to anything
Any | Any | | | Deny | Prevent external users from directly accessing the firewall system
 | Any | | | Allow | Internal users can access external servers
Any | Any | | SMTP (25) | Allow | Allow external users to send in e-mail
Any | Any | | HTTP (80) | Allow | Allow external users to access WWW server
Any | | | | Deny | "Catch-All" rule: everything not previously allowed is explicitly denied
(Address cells that did not survive in the source are left blank.)

Any type of access from the inside to the outside is allowed. No access originating from the outside to the inside is allowed except for SMTP and HTTP. The SMTP and HTTP servers are positioned “behind” the firewall.

45 A network of IP address , with the “0” indicating that the network has addresses that range from to . The firewall would normally accept a packet, examine its source and destination addresses and ports, and determine what protocol is in use. The firewall starts at the top of the rulebase and works down through the rules; whenever it finds a rule that permits or denies the packet, it takes the appropriate action:
- Accept: the firewall passes the packet through as requested, subject to whatever logging capabilities may or may not be in place.
- Deny: the firewall drops the packet without passing it through. Once the packet is dropped, an error message is returned to the source system. The “Deny” action may or may not generate log entries, depending on the firewall’s rulebase configuration.
- Discard: the firewall not only drops the packet but also does not return an error message to the source system. This action implements the “black hole” methodology, in which a firewall does not reveal its presence to an outsider. The “Discard” action may or may not generate log entries.

46
1. The first rule permits return packets from external systems to return to the internal systems, thus completing the connection; it is assumed that if a connection to an external system was permitted, then the return packets from the external system should be permitted as well.
2. The second rule prohibits the firewall from forwarding any packets with a source address from the firewall; such a packet would indicate that an attacker is spoofing the firewall’s address, hoping that the firewall would pass it to an internal destination, which might then accept the packet since it would appear to have come from the trusted firewall.
3. The third rule simply blocks external packets from directly accessing the firewall.
4. The fourth rule allows internal systems to connect to external systems, using any external addresses and any protocol.
5. Rules 5 and 6 allow external packets past the firewall if they contain SMTP data or HTTP data (e-mail and web, respectively).
6. The final rule blocks any other packets from the outside.


48 Opening Connections in Stateful Inspection Firewalls Default behavior: permit connections initiated by an internal host (egress); deny connections initiated by an external host (ingress). The default behavior can be changed with access control lists (ACLs) for ingress and egress. [Diagram: a connection attempt from the internal side toward the IP Net is automatically accepted; a connection attempt from the IP Net toward the router is automatically denied.]

49 Permitting Incoming Connections in a Stateful Inspection Firewall The default behavior can be modified by access control lists (ACLs). An ingress ACL permits some externally-initiated connections to be opened; an egress ACL prohibits some internally-initiated connections from being opened. Decisions are made on the basis of IP address, TCP or UDP port number, and/or IP protocol. ACLs are sets of if-then rules applied in order.

50 Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL)
1. If TCP destination port = 80, Allow Connection [Pass all HTTP traffic to any webserver. (Port 80 = HTTP)]
2. If TCP destination port = 25 AND destination IP address = , Allow Connection [Pass all SMTP traffic to a specific host (the mail server). Port 25 = SMTP] Safer than Rule 1

51 Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL)
3. If TCP destination port = 500 AND destination IP address = , Allow Connection [Pass all Internet Key Exchange (IKE) traffic to the firm’s IPsec gateway, ]
4. If protocol = 51 AND destination IP address = , Allow Connection [Pass all encrypted ESP traffic to the firm’s IPsec gateway. Protocol 51 is IPsec ESP (Encapsulating Security Payload)] Rule based on IP protocol value.

52 Permitting Incoming Connections in a Stateful Inspection Firewall (Ingress ACL)
5. Deny ALL [Deny all other externally-initiated connections] (Use the default behavior of stateful inspection firewalls for all other connection-opening attempts)

53 Stateful Firewall Default Operation [Diagram: an internal host and an external host on either side of the firewall. Internally initiated communication is allowed; externally initiated communication is stopped.]

54 Main Border Firewall Stateful Inspection Stateful Firewall Operation: if a connection is accepted, record the two IP addresses and port numbers in the state table as OK (open), and accept future packets between these hosts and ports with no further inspection. This stops most IP Net-level attacks but does not address application-level attacks.

55-56 Main Border Firewall Stateful Inspection I [Diagram: 1. The internal client PC sends a TCP SYN segment (From :62600, To :80) toward the external webserver. 2. The stateful firewall establishes the connection: outgoing connections are allowed by default, and the permitted outgoing connection is placed in the connection table (Type TCP; internal IP and port 62600; external IP and port 80; Status OK). 3. The TCP SYN segment is passed on to the webserver. 4. The webserver returns a TCP SYN/ACK segment (From :80, To :62600). 5. The firewall checks the connection table, finds the connection OK, and passes the packet.]

57 Main Border Firewall Stateful Inspection I Stateful Firewall Operation: for UDP, the firewall also records the two IP addresses and port numbers in the state table. [Connection table with rows of Type TCP and UDP: internal IP, internal port, external IP, external port, Status OK.]

58 Main Border Firewall Stateful Inspection II [Diagram: 1. An attacker spoofing the external webserver sends a spoofed TCP SYN/ACK segment (From :80, To :64640) toward the internal client PC. 2. The stateful firewall checks the connection table: no connection matches, so the packet is dropped.]
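As an added example (not code from the deck), the connection-table behaviour of slides 54 through 58 and the ingress ACL of slides 50 through 52 modelled in Python; the internal range 198.51.100.0/24 and the mail server and IPsec gateway inside it are constructed addresses, standing in for the values elided on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed addresses for this example (RFC 5737 documentation ranges).
INTERNAL_NET = "198.51.100.0/24"   # the firm's internal network
MAIL_SERVER = "198.51.100.25"      # the specific host named in ingress rule 2
IPSEC_GATEWAY = "198.51.100.1"     # the firm's IPsec gateway named in ingress rule 4


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"   # "tcp", "udp" or "esp" (the latter matched on the IP protocol field)
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(INTERNAL_NET)


def ingress_acl_allows(seg: Segment) -> bool:
    """Exceptions to the default 'deny externally initiated' behaviour,
    applied in order as if-then rules; anything else falls to DENY ALL."""
    if seg.proto == "tcp" and seg.dst_port == 80:            # rule 1: HTTP to any webserver
        return True
    if seg.proto == "tcp" and seg.dst_port == 25 and seg.dst_ip == MAIL_SERVER:
        return True                                           # rule 2: SMTP to one host only
    if seg.proto == "esp" and seg.dst_ip == IPSEC_GATEWAY:    # rule 4: matched on IP protocol
        return True
    return False                                              # rule 5: DENY ALL


class StatefulFirewall:
    def __init__(self) -> None:
        # Connection table: (type, internal IP, internal port, external IP,
        # external port) -> "OK".  One entry per approved connection.
        self.table: Dict[Tuple[str, str, int, str, int], str] = {}
        self.log: List[str] = []

    @staticmethod
    def key(seg: Segment, outbound: bool) -> Tuple[str, str, int, str, int]:
        if outbound:
            return (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.proto, seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def handle(self, seg: Segment) -> str:
        outbound = is_internal(seg.src_ip)
        k = self.key(seg, outbound)
        if k in self.table:
            return "PASS"        # part of an approved connection: no further inspection
        # Only a connection-opening packet may create a table entry.  For TCP that is
        # a bare SYN; UDP and ESP have no handshake, so their first packet opens.
        opening = seg.proto != "tcp" or (seg.syn and not seg.ack)
        if not opening:
            self.log.append(f"DROP no-match {seg}")   # e.g. a spoofed SYN/ACK
            return "DROP"
        if outbound or ingress_acl_allows(seg):
            self.table[k] = "OK"
            return "PASS"
        self.log.append(f"DROP ingress-denied {seg}")
        return "DROP"


def walkthrough() -> List[str]:
    """Replays the deck's scenarios; returns the firewall's decisions in order."""
    fw = StatefulFirewall()
    client, web, attacker = "198.51.100.50", "192.0.2.80", "203.0.113.9"
    return [
        fw.handle(Segment(client, 62600, web, 80, syn=True)),              # PASS: entry made
        fw.handle(Segment(web, 80, client, 62600, syn=True, ack=True)),    # PASS: table match
        fw.handle(Segment(web, 80, client, 64640, syn=True, ack=True)),    # DROP: spoofed SYN/ACK
        fw.handle(Segment(attacker, 40000, MAIL_SERVER, 25, syn=True)),    # PASS: ingress rule 2
        fw.handle(Segment(attacker, 40001, client, 25, syn=True)),         # DROP: rule 5
        fw.handle(Segment(attacker, 40002, client, 80, syn=True)),         # PASS: rule 1, any host
        fw.handle(Segment(client, 53000, "192.0.2.53", 53, proto="udp")),  # PASS: UDP recorded
        fw.handle(Segment("192.0.2.53", 53, client, 53000, proto="udp")),  # PASS: UDP reply matches
    ]
```

The sixth decision shows why slide 50 calls rule 2 safer than rule 1: rule 1 opens port 80 on every internal host, rule 2 opens port 25 on one.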

59 Stateful Inspection Firewall in Perspective Simplicity and Therefore Low Cost Connection opening decisions are somewhat complex But most packets are part of approved ongoing connections Filtering ongoing packets is extremely simple Therefore, stateful inspection is fast and inexpensive

60 Stateful Inspection Firewall in Perspective Low Cost Safety Stops nearly all IP Net-level attacks (Application-level filtering still needed) Dominance for Main Border Firewalls Nearly all use stateful inspection

61 Stateful Inspection Firewall in Perspective Beyond Stateful Inspection Most main border firewalls also use other inspection methods Denial-of-service filtering Limited application content filtering Etc.


63 Firewall Architecture (Single Site) [Diagram: IP Net; 1. screening router, last rule = permit all; subnets with a marketing client and an accounting server; public webserver, SMTP relay proxy, HTTP proxy server and external DNS server.]

64 Static Packet Inspection on Screening Router Firewalls Screening firewall routers add filtering to the border router to stop scanning probes: TCP/IP packets are examined at the IP level, which contains the IP addresses and port numbers. They filter out many high-frequency, low-complexity attacks, and for ingress filtering they reduce the load on the main border firewall.

65 Static Packet Inspection on Screening Router Firewalls High Cost for Sufficient Performance Must add inspection software for the router (expensive) Usually must upgrade router processing speed and memory (expensive)

66 Static Packet Inspection on Screening Router Firewalls Good Location for Egress Filtering Stops all replies to probe packets Including those from the border router itself

67 Static Packet Filter Firewall [Diagram: packets arriving from the IP Net to the corporate network carry an IP header, a TCP or UDP header and an application message, or an IP header and an ICMP message. Only the IP, TCP, UDP and ICMP headers are examined; each packet is permitted (passed) or denied (dropped), and decisions are recorded in the log file.]

68 Static Packet Filter Firewall [Same diagram.] Arriving packets are examined one at a time, in isolation; this misses many attacks.

69 Static Packet Inspection on Screening Router Firewalls Use static packet filtering. This requires complex access control lists (ACLs), because an ACL statement is needed for each rule.

70 Screening Firewall Router Ingress (out to in) ACL
1. If source IP address = 10.*.*.*, DENY [private IP address range]
2. If source IP address = *.* to *.*, DENY [private IP address range]
3. If source IP address = *.*, DENY [private IP address range]
4. If source IP address = *.*, DENY [internal IP address range]
5. If source IP address = , DENY [black-holed IP address of attacker]

71 Screening Firewall Router Ingress ACL
6. If TCP SYN=1 AND FIN=1, DENY [crafted attack packet that makes no sense, asking both to open a connection and to close a connection]
7. If destination IP address = AND TCP destination port = 80 OR 443, PASS [connection to a public webserver via HTTP and HTTP over SSL/TLS]
8. If TCP destination port = 80 OR 443, DENY [prevent communication to other internal webservers]
Note: Rule 7 MUST come before Rule 8

72 Screening Firewall Router Ingress ACL
9. If TCP destination port = 20, DENY [FTP data connection]
10. If TCP destination port = 21, DENY [FTP supervisory control connection]
11. If TCP destination port = 23, DENY [Telnet data connection]
12. If TCP destination port = 135 through 139, DENY [File/Print Sharing for Windows clients]

73 Screening Firewall Router Ingress ACL
13. If TCP destination port = 513, DENY [Unix rlogin without password]
14. If TCP destination port = 514, DENY [Unix rsh: launch shell without login]
15. If TCP destination port = 22, DENY [SSH for secure login, but Version 1 was not secure]
16. If UDP destination port = 69, DENY [Trivial File Transfer Protocol; no login necessary]

74 Screening Firewall Router Ingress ACL
17. If ICMP Type = 0, PASS [allow incoming echo reply messages]
18. If ICMP, DENY [drop all other incoming ICMP packets]
19. PASS ALL [pass all other packets; it is the job of the main border firewall to stop attacks not found by the screening firewall router]

75 Screening Firewall Router Egress (in to out) ACL
1. If source IP address NOT = *.*, DENY [not in internal IP address range, so must be spoofed]
2. If ICMP Type = 8, PASS [allow outgoing echo messages, that is, pings]
3. If ICMP, DENY [drop all other outgoing ICMP messages]
Again, order is important.

76 Screening Firewall Router Egress ACL
4. If TCP RST=1, DENY [do not allow outgoing resets; used in host scanning]
5. If TCP source port = 1234, DENY [port of a currently-widespread Trojan horse]
6. PASS ALL [screening firewalls have PASS ALL as their last rule]
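An added example, not part of the deck, that evaluates ordered first-match ACLs the way the packet filter rulebase (slides 44 to 46) and the screening router ACLs above describe; the internal range, the public webserver and the black-holed attacker address are constructed values standing in for the ones elided on the slides, and ordering_demo shows what happens when rules 7 and 8 are swapped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed addresses for this example (RFC 5737 documentation ranges).
INTERNAL = "198.51.100.0/24"      # the firm's own address range (ingress rule 4, egress rule 1)
WEBSERVER = "198.51.100.80"       # the public webserver named in ingress rule 7
BLACKHOLED = "203.0.113.66"       # a black-holed attacker address (ingress rule 5)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "PASS" or "DENY"
    note: str
    match: Callable[[Packet], bool]


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def tcp_to(pkt: Packet, *ports: int) -> bool:
    return pkt.proto == "tcp" and pkt.dport in ports

def deny_tcp(number: int, port: int, note: str) -> Rule:
    return Rule(number, "DENY", note, lambda p: tcp_to(p, port))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Static packet filtering: each packet is judged alone, top to bottom,
    and the first matching rule decides.  Returns (action, rule number)."""
    for rule in acl:
        if rule.match(pkt):
            return rule.action, rule.number
    raise ValueError("ACL must end in a catch-all rule")


INGRESS_ACL: List[Rule] = [
    Rule(1, "DENY", "private range", lambda p: in_net(p.src, "10.0.0.0/8")),
    Rule(2, "DENY", "private range", lambda p: in_net(p.src, "172.16.0.0/12")),
    Rule(3, "DENY", "private range", lambda p: in_net(p.src, "192.168.0.0/16")),
    Rule(4, "DENY", "internal range seen outside: spoofed", lambda p: in_net(p.src, INTERNAL)),
    Rule(5, "DENY", "black-holed attacker", lambda p: p.src == BLACKHOLED),
    Rule(6, "DENY", "SYN and FIN both set: crafted packet",
         lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags),
    Rule(7, "PASS", "HTTP/HTTPS to the public webserver",
         lambda p: p.dst == WEBSERVER and tcp_to(p, 80, 443)),
    Rule(8, "DENY", "HTTP/HTTPS to any other internal host", lambda p: tcp_to(p, 80, 443)),
    deny_tcp(9, 20, "FTP data"), deny_tcp(10, 21, "FTP control"), deny_tcp(11, 23, "Telnet"),
    Rule(12, "DENY", "Windows file/print sharing",
         lambda p: p.proto == "tcp" and 135 <= p.dport <= 139),
    deny_tcp(13, 513, "rlogin"), deny_tcp(14, 514, "rsh"), deny_tcp(15, 22, "SSH"),
    Rule(16, "DENY", "TFTP", lambda p: p.proto == "udp" and p.dport == 69),
    Rule(17, "PASS", "incoming echo reply", lambda p: p.proto == "icmp" and p.icmp_type == 0),
    Rule(18, "DENY", "all other incoming ICMP", lambda p: p.proto == "icmp"),
    Rule(19, "PASS", "PASS ALL: the main border firewall inspects the rest", lambda p: True),
]

EGRESS_ACL: List[Rule] = [
    Rule(1, "DENY", "source not internal: spoofed", lambda p: not in_net(p.src, INTERNAL)),
    Rule(2, "PASS", "outgoing echo request (ping)", lambda p: p.proto == "icmp" and p.icmp_type == 8),
    Rule(3, "DENY", "all other outgoing ICMP", lambda p: p.proto == "icmp"),
    Rule(4, "DENY", "outgoing TCP reset (answers host scans)",
         lambda p: p.proto == "tcp" and "RST" in p.flags),
    Rule(5, "DENY", "Trojan horse source port", lambda p: p.proto == "tcp" and p.sport == 1234),
    Rule(6, "PASS", "PASS ALL", lambda p: True),
]


def swap_rules(acl: List[Rule], a: int, b: int) -> List[Rule]:
    """Same rules with rules numbered a and b exchanged; used to show why order matters."""
    idx = {r.number: i for i, r in enumerate(acl)}
    out = list(acl)
    out[idx[a]], out[idx[b]] = acl[idx[b]], acl[idx[a]]
    return out


def ordering_demo() -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """HTTPS to the public webserver: correct order, then with rules 7 and 8 swapped."""
    pkt = Packet("192.0.2.10", WEBSERVER, "tcp", 40000, 443, frozenset({"SYN"}))
    return evaluate(INGRESS_ACL, pkt), evaluate(swap_rules(INGRESS_ACL, 7, 8), pkt)
```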


78 NAT and PAT Because the firewall keeps track of all live connections through it, it is able to perform both NAT and PAT, or any combination of the two. NAT: Network Address Translation. PAT: Port Address Translation. A firewall performing NAT or PAT is often referred to as a masquerading firewall.

79 Network Address Translation (NAT)
- Here, we look at several filtering methods that firewalls use to make pass/deny decisions about arriving packets.
- There is one IP Net-level method used in several types of firewalls that does not actually filter packets but that effectively provides a great deal of protection.
- This is network address translation (NAT).
- It is used in firewalls that use different types of examination methods as a second type of protection.

80 Network Address Translation (NAT) The problem: sniffers on the IP Net can read packets to and from organizations. This reveals the IP addresses and port numbers of hosts and provides considerable information about potential victims without the risks of sending probing attacks. Solution: hide the IP addresses and port numbers of internal hosts.

81 Network Address Translation (NAT) [Diagram: 1. The internal client sends a packet (From , Port ) toward the server host on the IP Net. 2. The NAT firewall records the internal IP address and port against an external stand-in IP address and port in its translation table, and forwards the packet with the stand-in values as its source (From , Port ). 3. The reply comes back addressed to the stand-in values (To , Port 61000) and is translated back to the real internal address and port (To , Port ).]

82 Network Address Translation (NAT) [Diagram: 3. and 4. The reply (To , Port ) passes a sniffer on the IP Net, which sees only the stand-in values; the NAT firewall looks up its translation table (internal IP address and port; external IP address and port) and delivers the packet to the real client.]

83 Comments on NAT
- Sniffers on the IP Net cannot learn internal IP addresses and port numbers; they only learn the translated address and port number
- By itself, this provides a great deal of protection against attacks: external attackers cannot create a connection to an internal computer

84 Comments on NAT Sniffers and NAT
- Sniffers can read the stand-in IP addresses and port numbers
- They can send back packets to these stand-in values, and NAT will deliver them to the real host

85 Comments on NAT NAT/PAT
- NAT does more than network (IP) address translation; it also does port number translation
- It should be called NAT/PAT, but NAT is the common term

86 Comments on NAT Problems with Certain Protocols
- Virtual private networks
- VoIP, etc.

87 Comments on NAT Box: Using NAT for Address Multiplication
- A firm may only be given a limited number of public IP addresses
- It must use these in packets sent to the IP Net
- It may use private IP addresses internally

88 Comments on NAT Using NAT for Address Multiplication
- For each public IP address, there can be a separate connection for each possible port: Address , Port = 2000; Address , Port = 2001; etc.
- Each connection can be linked to a different internal IP address
- There can be thousands of internal IP addresses for each public IP address
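An added example (not the deck's code) of the NAT/PAT translation table from slides 81 to 88, with constructed private and public addresses; it also carries through the caveat on slide 84 that anything sent to a live stand-in port is delivered to the real host.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]               # (IP address, port)
PacketHdr = Tuple[str, int, str, int]    # (src IP, src port, dst IP, dst port)


class NatFirewall:
    """Masquerading firewall: rewrites internal (IP, port) pairs to the single
    public address and a stand-in port, and undoes the rewrite on replies."""

    def __init__(self, public_ip: str, first_port: int = 61000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.internal_to_external: Dict[Endpoint, int] = {}   # the translation table
        self.external_to_internal: Dict[int, Endpoint] = {}

    def outbound(self, pkt: PacketHdr) -> PacketHdr:
        """Steps 1 to 2 on slide 81: a packet from an internal host leaves with the
        public IP and a stand-in port as its source."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.internal_to_external:
            self.internal_to_external[key] = self.next_port
            self.external_to_internal[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.internal_to_external[key], dst_ip, dst_port)

    def inbound(self, pkt: PacketHdr) -> Optional[PacketHdr]:
        """Steps 3 to 4: a packet to a stand-in port is delivered to the real host.
        A packet to a port with no table entry has no internal target and is
        dropped, which is why outsiders cannot open a connection inward."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip or dst_port not in self.external_to_internal:
            return None
        real_ip, real_port = self.external_to_internal[dst_port]
        return (src_ip, src_port, real_ip, real_port)


def sniffer_view(pkt: PacketHdr) -> Endpoint:
    """What a sniffer on the IP Net learns about the sender of a packet."""
    return (pkt[0], pkt[1])


def address_multiplication_demo() -> tuple:
    """Two internal hosts using the same private port share one public address
    and are told apart by stand-in port alone (all addresses constructed)."""
    nat = NatFirewall(public_ip="203.0.113.1")
    web = ("192.0.2.80", 80)
    out_a = nat.outbound(("192.168.1.10", 2000, *web))     # leaves as 203.0.113.1:61000
    out_b = nat.outbound(("192.168.1.11", 2000, *web))     # leaves as 203.0.113.1:61001
    reply_a = nat.inbound((*web, "203.0.113.1", 61000))    # delivered to 192.168.1.10:2000
    reply_b = nat.inbound((*web, "203.0.113.1", 61001))    # delivered to 192.168.1.11:2000
    # Slide 84's caveat: a host that saw the stand-in values can reach the real host.
    from_sniffer = nat.inbound(("198.51.100.9", 4444, "203.0.113.1", 61000))
    # No table entry for this stand-in port: nothing inside is mapped to it, so dropped.
    unsolicited = nat.inbound(("198.51.100.9", 4444, "203.0.113.1", 61002))
    return out_a, out_b, reply_a, reply_b, from_sniffer, unsolicited
```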


90 Application Proxy Firewalls

91 Application Proxy Firewall [Diagram: client PC (browser), application proxy firewall (HTTP proxy), webserver (webserver application). 1. HTTP request from the client. 2. Filtering: blocked URLs, POST commands, etc. 3. The examined HTTP request goes on to the webserver from the proxy's own address.]

92 Application Proxy Firewall Operation [Diagram: 4. HTTP response from the webserver to the proxy. 5. Filtering on hostname, URL, MIME type, etc. 6. The examined HTTP response is delivered to the client PC.]

93 Application Proxy Firewall Client-Server Relaying. Relay operation: the proxy acts as a server to the client and as a client to the server. Full protocol support. Slow processing per packet.

94 Application Proxy Firewall HTTP Content Filtering: command filtering (POST); host or URL filtering; MIME and file extension filtering; HTML script filtering.

95 Application Proxy Firewall Core Protections: IP address hiding (a sniffer will only see the application proxy firewall's IP address); packet header destruction; stopping protocol spoofing with protocol enforcement. Problem with HTTP tunneling.

96 Core Protections Due to Application Proxy Firewall Relay Operation [Diagram: a packet from the internal host reaches the application proxy firewall; the packet that continues to the webserver is from the firewall's own address, so a sniffer on the IP Net never sees the internal host's address.]

97 Core Protections Due to Application Proxy Firewall Relay Operation [Diagram: the arriving packet from the attacker (original IP header, original TCP header, application message (HTTP)) has its headers removed at the application proxy firewall; the new packet to the webserver carries a new IP header and a new TCP header around the application message, so nothing crafted in the original headers reaches the webserver.]

98 Core Protections Due to Application Proxy Firewall Relay Operation [Diagram: 1. A Trojan horse on the internal client PC transmits on port 80 to get through the IP Net-level firewall. 2. The protocol is not HTTP, so the application proxy firewall stops the transmission before it reaches the attacker.]

99 Application Proxy Firewall Operation [Diagram: application proxy firewall with an FTP proxy and an SMTP (e-mail) proxy between the client PC and the webserver. FTP: outbound filtering on Put. SMTP: inbound and outbound filtering on obsolete commands and content.] A separate proxy program is needed for each application filtered on the firewall.
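As an added example, not from the deck, a Python model of the relay and filtering steps on slides 91 to 99: protocol enforcement on port 80 (slide 98), POST and host filtering (slide 94), MIME filtering on responses (slide 92), and the proxy's own address replacing the client's (slide 96). The proxy address, block list, MIME allow list and sample messages are all constructed for the example.

```python
import re
from typing import Dict, FrozenSet, Tuple

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")

# Constructed policy for the example.
BLOCKED_HOSTS: FrozenSet[str] = frozenset({"malware.example"})
ALLOWED_MIME: FrozenSet[str] = frozenset({"text/html", "text/plain", "image/png"})
PROXY_IP = "203.0.113.1"   # the only source address the outside ever sees


def inspect_request(message: bytes, allow_post: bool = False) -> Tuple[str, str]:
    """Decide whether a reassembled client request may be relayed.
    Returns ("PASS" | "BLOCK", reason)."""
    head, sep, _body = message.partition(b"\r\n\r\n")
    if not sep:
        return "BLOCK", "incomplete HTTP message"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        # Protocol enforcement: bytes sent to port 80 that are not HTTP go no further.
        return "BLOCK", "protocol enforcement: not an HTTP request"
    method, target = m.group(1).decode(), m.group(2).decode()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return "BLOCK", "malformed header line"
        headers[name.strip().lower().decode()] = value.strip().decode("latin-1")
    host = headers.get("host", "")
    if host in BLOCKED_HOSTS:
        return "BLOCK", f"host filtering: {host}"
    if method == "POST" and not allow_post:
        return "BLOCK", "command filtering: POST not permitted"
    return "PASS", f"{method} {target} via {host}"


def inspect_response(message: bytes) -> Tuple[str, str]:
    """MIME filtering on the server's reply before it reaches the client."""
    head, sep, _body = message.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return "BLOCK", "protocol enforcement: not an HTTP response"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            mime = value.strip().split(b";")[0].decode("latin-1").lower()
            return ("PASS", mime) if mime in ALLOWED_MIME else ("BLOCK", f"MIME filtering: {mime}")
    return "BLOCK", "MIME filtering: no Content-Type"


def relay(client_ip: str, message: bytes) -> Tuple[str, str, bytes]:
    """Relay operation: the proxy terminates the client's connection and opens its
    own to the server, so the forwarded packet carries the proxy's address and
    fresh headers, never the client's.  Returns (source IP the server sees,
    decision, message forwarded)."""
    decision, _reason = inspect_request(message)
    return PROXY_IP, decision, (message if decision == "PASS" else b"")


# Constructed sample messages.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_REQUEST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
BLOCKED_REQUEST = b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"
TROJAN_ON_80 = b"\x00\x01PING 4\r\n\r\n"   # not HTTP, yet addressed to port 80 (slide 98)
EXE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\nMZ..."
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"
```

A Trojan that speaks well-formed HTTP on port 80 passes protocol enforcement; that is the HTTP tunneling problem named on slide 95, which this check alone does not solve.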

100 Application Proxy Firewalls Multiple Proxies Each application to be filtered needs a separate proxy program Small firms usually use a single application proxy firewall with multiple application proxies Large firms usually use a single application proxy firewall per proxy

101 Application Proxy Firewalls Other Application Proxies FTP (prohibit Put, limit file sizes, etc.) SMTP (Prohibit obsolete commands, delete attachments, limit attachment size, MIME type) Web Services (work in progress)

102 Proxy Firewall Advantages We can safely allow any kind of network traffic from the inside to the outside, as long as we use a proxy to do it. To the outside it seems that only the firewall exists. It is impossible to send any network packets directly to the internal hosts or vice versa.

103 Proxy Firewall Disadvantages For every network service we wish to use, we must install a proxy designed exactly for that service on the firewall. Furthermore, for every network service we wish to use, we must use a client that is able to use a proxy. What can we do if no proxy exists for a given service?

104 Proxy Firewall In general, proxy firewalls are considered very secure. Unfortunately, they are not very flexible. Ideally we wish to be able to use any client software.

105 Circuit Firewalls Non application-specific application proxy firewalls Create connections at the application layer Provide IP address hiding and header destruction, but not protocol enforcement Do not provide content filtering Do provide authentication SOCKS V5 is the dominant standard for circuit firewalls

106 Circuit Firewall [Diagram: generic type of application firewall. 1. An external client authenticates to the circuit firewall (SOCKS v5). 2. Transmission. 3. Passed transmission to the webserver: no filtering. 4. Reply. 5. Passed reply: no filtering.]


108 Antivirus Filtering

109 Normally, Firewalls Do Not Do Antivirus Filtering Pass packets needing antivirus filtering to an antivirus server

110 Checkpoint’s FireWall-1 and Antivirus Filtering [Diagram: 1. An arriving packet from the external server reaches the FireWall-1 firewall. 2. Statefully filtered packet. 3. DoS protection and optional authentications. 4. The Content Vectoring Protocol hands the packet to a third-party application inspection firewall. 5. The statefully filtered packet, plus application inspection, reaches the internal client.]

111 Antivirus Filtering Examine Application Messages for Many Forms of Malware Not just viruses Worms, Trojan horses, spyware, adware

112 Antivirus Filtering Detection is Based on Signatures Strings of characters found within specific malware files Create a new signature for each piece of malware, add it to signatures database Antivirus filter vendors worry about signatures so complex that signature- based detection will be too slow to be useful

113 Antivirus Filtering Updating Antivirus Programs All antivirus programs have an updating feature To get new signatures and program upgrades Without updates, programs cannot handle new threats Users may turn off updating or update too rarely Users may let subscriptions lapse; program remains, but get no new updates

114 Antivirus Filtering Where to Filter? On individual user PCs The traditional approach to antivirus filtering But users often fail to update May even turn off the antivirus program because it is inconvenient

115 Antivirus Filtering Where to Filter? On the server Filters mail before the user gets it Systems administrators are likely to maintain the filtering

116 Antivirus Filtering: where to filter? At outsourcing companies, which filter mail before it gets to the firm. Outsourcers have expertise, and this reduces corporate labor costs.

117 Antivirus Filtering: where to filter? Defense in depth: filter in two of these locations, or in all three.

118 Antivirus Filtering: spam (unsolicited commercial e-mail) can also be filtered on individual PCs, on e-mail servers, or at outsourcing firms. Spam filtering is not as precise as antivirus filtering: there are too many false negatives (failing to label spam messages as spam) and too many false positives (labeling good messages as spam). False positives are very dangerous, because legitimate mail is lost.

119 Host Firewalls

120 Site firewall architecture (figure): Internet; x subnet with a Marketing client and an Accounting server, each protected by its own host firewall (5. server host firewall); 6. DMZ containing the public webserver, SMTP relay proxy, HTTP proxy server and external DNS server.

121 Host Firewalls: firewalls on clients and servers give defense in depth.

122 Host Firewalls: client PC firewalls. Third-party PC firewalls are common. Windows XP introduced the Internet Connection Firewall (ICF), a stateful inspection firewall that was not turned on by default and did no egress filtering; it could open selected ports for ingress filtering.

123 Host Firewalls: client PC firewalls. Windows XP Service Pack 2 (late 2004) introduced the Windows Firewall, an upgrade to ICF that is turned on by default and can open selected ports for ingress filtering, but still does no egress filtering.

124 Host Firewalls: why no egress filtering on PC firewalls? Ingress filtering requires little or no user intervention, whereas egress filtering requires users to decide which programs may communicate over the Internet, a difficult task. The cost is that ingress-only filtering does not stop spyware or other outbound attack communication from a compromised PC.

125 Host Firewalls: server firewalls. Network-level firewalls are precise because a server needs only a few specific ports opened. Application-specific firewalls have filtering rules linked to specific protocols (SQL, HTTP, etc.), and sometimes to specific application programs (Microsoft's IIS, etc.).

126 Home firewall (figure): the Internet service provider supplies an always-on connection over coaxial cable to a broadband modem, which connects by UTP cord to the home PC running a PC firewall. Windows XP has an internal firewall, originally called the Internet Connection Firewall and disabled by default; after Service Pack 2 it is called the Windows Firewall and is enabled by default.

127 SOHO firewall router (figure): Internet service provider, broadband modem (DSL or cable), SOHO router (router, DHCP server, NAT firewall and limited application firewall), Ethernet switch, user PC over UTP. Many access routers combine the router and Ethernet switch in a single box.

128 Many firewalls, particularly those based on stateful inspection technology, have maintained successful defenses against network-level assaults. As a result, a growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. This shift in attack methodology requires that firewalls provide not only access control and network-level attack protection, but also understand application behavior, so that they can protect against application-level attacks. The application layer attracts numerous attacks for several reasons. First, it is the layer that contains the attacker's ultimate goal: actual user data. Second, the application layer supports many protocols (HTTP, CIFS, VoIP, SNMP, SMTP, SQL, FTP, DNS, etc.), so it houses numerous potential attack methods. Third, detecting and defending against attacks at the application layer is more difficult than at lower layers, because more vulnerabilities arise in this layer.

129 Comments, stateful inspection vs. application layer filtering: application layer filtering is considered the more secure method. Why? With stateful inspection you look only at the envelope's information to decide whether to accept the letter. With application level filtering you open the envelope and inspect the letter itself.

130 Comments, stateful inspection vs. application layer filtering: 1) Stateful inspection firewalls cannot defend internal systems against application-specific attacks such as buffer overflows or code exploits. They rely on the software running on the internal systems to protect against these attacks, and customers often do not secure internal systems and applications because the firewall gives them a false sense of security. 2) Application layer filtering firewalls offer a more secure method of handling traffic without exposing internal machines to application-specific attacks: by verifying incoming data against an application level filter, they can intercept these attacks before they reach internal systems.

131 Comments, stateful inspection vs. application layer filtering: 3) Stateful inspection firewalls may not detect 'destructive' data inserted within a session that appears safe. Because they do not inspect each packet for application information, a remote user can establish a session through a stateful inspection firewall on a valid port and then embed potentially harmful data within seemingly safe packets. Since the application data is never examined, the stateful inspection firewall cannot tell whether the incoming packets are harmful or not.

132 Comments, stateful inspection vs. application layer filtering: 4) Stateful inspection firewalls do not provide the same level of logging as application level filters. Because they do not intercept the application data, they are limited in what they can log; application level filters allow much more detailed logging.
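To make points 1) to 4) concrete, here is an added simulation in Python (it is not code from the presentation): a stateful inspection filter that decides on headers plus a connection table, and an application-layer filter that reuses the same connection tracking but parses the HTTP request line before passing a packet. The policy, the size limit, the permitted methods, the sample packets and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Stateful inspection vs. application-layer filtering, as a simulation.

Added example, not code from the original slides. The policy, the filters
and the sample packets are constructed for the demonstration; addresses
are from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"                 # constructed public web server
ALLOWED_INBOUND = {(WEB_SERVER, 80)}      # the only service open from outside
MAX_REQUEST_LINE = 512                    # constructed application-layer limit
PERMITTED_METHODS = (b"GET", b"HEAD")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

    def tuple4(self):
        return (self.src, self.sport, self.dst, self.dport)

    def describe(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


def stateful_filter(packets):
    """Header-only decisions backed by a connection table.

    Returns (decision, log line) per packet. Once a connection is admitted,
    every later packet on it is passed without the payload being examined,
    and the log can record nothing beyond addresses and ports.
    """
    table = set()
    rows = []
    for p in packets:
        if p.syn and not p.ack:                       # attempt to open a connection
            if (p.dst, p.dport) in ALLOWED_INBOUND:
                table.add(p.tuple4())
                decision = "PASS"
            else:
                decision = "DROP"
        elif p.tuple4() in table:
            decision = "PASS"                         # part of an admitted connection
        else:
            decision = "DROP"                         # no matching state: unsolicited
        rows.append((decision, f"{decision} {p.describe()}"))
    return rows


def check_http_request(payload):
    """Parse the request line and apply the application-layer checks."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "DROP", "payload is not an HTTP request"
    method = parts[0].decode("ascii", "replace")
    if parts[0] not in PERMITTED_METHODS:
        return "DROP", f"method {method} not permitted"
    if len(request_line) > MAX_REQUEST_LINE:
        return "DROP", f"{method} request line of {len(request_line)} bytes exceeds {MAX_REQUEST_LINE}"
    path = parts[1].decode("ascii", "replace")
    return "PASS", f"{method} {path}"


def application_filter(packets):
    """Same connection tracking, but HTTP payloads are parsed before passing."""
    rows = []
    for (state_decision, _), p in zip(stateful_filter(packets), packets):
        if state_decision == "DROP" or not p.payload or p.dport != 80:
            decision, detail = state_decision, "no application data inspected"
        else:
            decision, detail = check_http_request(p.payload)
        rows.append((decision, f"{decision} {p.describe()} [{detail}]"))
    return rows


# Constructed sample stream from one outside client.
CLIENT = "203.0.113.7"
SAMPLE_PACKETS = [
    Packet(CLIENT, WEB_SERVER, 40001, 80, syn=True),
    Packet(CLIENT, WEB_SERVER, 40001, 80, ack=True,
           payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Same admitted connection, but a request line far beyond what a legitimate
    # client sends: the shape of a buffer-overflow attempt against the server.
    Packet(CLIENT, WEB_SERVER, 40001, 80, ack=True,
           payload=b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"),
    # Same connection again, carrying bytes that are not HTTP at all.
    Packet(CLIENT, WEB_SERVER, 40001, 80, ack=True, payload=b"\x90\x90\xcc\x01\x02"),
    # Unsolicited connection attempt to a port that is not published.
    Packet(CLIENT, WEB_SERVER, 40002, 3306, syn=True),
]


def decisions(rows):
    return [d for d, _ in rows]


if __name__ == "__main__":
    for name, fn in (("stateful", stateful_filter), ("application", application_filter)):
        print(f"--- {name} ---")
        for _, line in fn(SAMPLE_PACKETS):
            print(line)
```

The oversized request line and the non-HTTP bytes both arrive on a connection the stateful filter has already admitted, so it passes them and its log shows only addresses and ports; the application-layer filter drops both and logs the method, path and reason, which is the logging difference in point 4). The unsolicited connection to port 3306 is dropped by both, since that is the part stateful inspection does well.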

133 Application layer filtering firewall: the traditional argument for stateful inspection technology has been that it achieves similar levels of security to other firewall technologies with greater throughput. This is faulty on two points: 1) Application level filtering has always been seen as the more secure alternative; for the reasons above, stateful inspection does not give a similar level of security and is the less secure alternative. 2) With current operating system and hardware advances, the idea that application level filtering is slower than stateful inspection is no longer valid. A stateful inspection firewall achieves near line speed on 10 Mbps or 100 Mbps networks and does not exceed those speeds, so in practice a company's Internet link is the throughput bottleneck.

134 Content: firewalls in general, basic operation and architecture; main border firewalls using stateful inspection; screening firewalls using static packet inspection; application proxy firewalls; network address translation (NAT); antivirus filtering; demilitarized zones (DMZs) + IDS/IPS.

135 The Demilitarized Zone (DMZ)

136 Site firewall architecture with DMZ (figure, as on slide 120): Internet; x subnet with a Marketing client and an Accounting server (5. server host firewall); 6. DMZ containing the public webserver, SMTP relay proxy, HTTP proxy server and external DNS server.

137 The Demilitarized Zone (DMZ): a subnet for servers and application proxy firewalls that are accessible from the Internet. Hosts in the DMZ must be especially hardened because they will be attacked by hackers; hardened hosts in the DMZ are called bastion hosts.

138 The DMZ uses a tri-homed main firewall: 3 NICs, each attached to a different subnet. One subnet connects to the border router, one is the DMZ (accessible to the outside world), and one is the internal network. Access from the internal subnet to the Internet is strongly controlled, and access from the DMZ into the internal network is also strongly controlled.

139 Hosts in the DMZ: public servers (public webservers, FTP servers, etc.), application proxy firewalls, and an external DNS server that only knows host names for hosts in the DMZ.

140 DMZ

141 A DMZ environment can also be created out of a network connecting two firewalls. The boundary router filters packets to protect the servers; the first firewall provides access control, and protection against the servers should they be hacked.
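The zone policy of a tri-homed main firewall can be written out as a first-match rule list with a default deny. The following Python evaluator is an added example (not from the presentation) with constructed subnets, bastion hosts and rules, using RFC 5737 and RFC 1918 addresses. It shows the property the DMZ slides call for: a compromised bastion host cannot open connections into the internal network, and internal clients reach the Internet only through the DMZ proxies.

```python
"""Zone policy of a tri-homed main firewall (Internet, DMZ, internal).

Added example, not code from the original slides: the subnets, the DMZ
hosts and the rules are constructed, with addresses from the RFC 5737
documentation range and RFC 1918.
"""
import ipaddress

# Constructed zones. Anything outside the two known networks is "internet".
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed DMZ bastion hosts and one internal server.
PUBLIC_WEB = "192.0.2.10"
SMTP_RELAY = "192.0.2.25"
EXT_DNS = "192.0.2.53"
HTTP_PROXY = "192.0.2.80"
INTERNAL_MAIL = "10.1.1.25"

ANY = None


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"


# First-match rule list: (src zone, src host, dst zone, dst host, proto, dport, action).
# Anything not matched falls through to the default deny in evaluate().
RULES = [
    # The outside world may reach only the published services on specific bastion hosts.
    ("internet", ANY, "dmz", PUBLIC_WEB, "tcp", 80, "allow"),
    ("internet", ANY, "dmz", PUBLIC_WEB, "tcp", 443, "allow"),
    ("internet", ANY, "dmz", SMTP_RELAY, "tcp", 25, "allow"),
    ("internet", ANY, "dmz", EXT_DNS, "udp", 53, "allow"),
    # The only DMZ-initiated path inward: the relay delivering mail to the internal mail server.
    ("dmz", SMTP_RELAY, "internal", INTERNAL_MAIL, "tcp", 25, "allow"),
    # Internal clients do not talk to the Internet directly; they use the DMZ proxies.
    ("internal", ANY, "dmz", HTTP_PROXY, "tcp", 3128, "allow"),
    ("internal", ANY, "dmz", SMTP_RELAY, "tcp", 25, "allow"),
    # Each bastion host may open outbound connections only for its own service.
    ("dmz", HTTP_PROXY, "internet", ANY, "tcp", 80, "allow"),
    ("dmz", HTTP_PROXY, "internet", ANY, "tcp", 443, "allow"),
    ("dmz", SMTP_RELAY, "internet", ANY, "tcp", 25, "allow"),
    ("dmz", EXT_DNS, "internet", ANY, "udp", 53, "allow"),
]


def evaluate(src, dst, proto, dport):
    """Return (action, index of the matching rule); index is None for the default deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for i, (rsz, rsh, rdz, rdh, rproto, rport, action) in enumerate(RULES):
        if (rsz == sz and (rsh is ANY or rsh == src)
                and rdz == dz and (rdh is ANY or rdh == dst)
                and rproto == proto and rport == dport):
            return action, i
    return "deny", None


if __name__ == "__main__":
    checks = [
        ("203.0.113.9", PUBLIC_WEB, "tcp", 80),      # public web service: allowed
        ("203.0.113.9", PUBLIC_WEB, "tcp", 22),      # unpublished port: denied
        (PUBLIC_WEB, "10.1.1.5", "tcp", 445),        # compromised bastion host going inward: denied
        (SMTP_RELAY, INTERNAL_MAIL, "tcp", 25),      # relay delivering mail: allowed
        ("10.1.1.5", "203.0.113.9", "tcp", 80),      # direct browsing from inside: denied
        ("10.1.1.5", HTTP_PROXY, "tcp", 3128),       # browsing via the proxy: allowed
    ]
    for src, dst, proto, dport in checks:
        print(f"{zone_of(src):8s} {src:12s} -> {zone_of(dst):8s} {dst:12s} {proto}/{dport}: {evaluate(src, dst, proto, dport)}")
```

Because there is no rule from the DMZ zone to the internal zone except the relay's delivery path, an attacker who owns the public webserver gets nothing but denies when probing inward, and the outbound rules per bastion host keep a compromised DNS server from being used as a general-purpose relay to the Internet.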

142 Intrusion Detection Systems (IDSs)

143 Intrusion Detection System (IDS) (figure): 1. A suspicious packet arrives from a possible attacker on the Internet; 2. The suspicious packet is passed on to the hardened server on the corporate network; 3. The IDS logs the suspicious packet to its log file; 4. An alarm is sent to the security administrator.

144 IDS and IPS placement (figure): Internet, border router, IPS in-line in the packet stream, IDS off to the side receiving a copy of the traffic, internal network. IDSs are slow and cannot be in-line with the packet stream, so they can only raise an alert about an attack packet. IPSs use ASICs for speed and can be in-line with the packet stream, and therefore can stop attacks by dropping the attack packet.

145-146 Firewalls, IDSs, and IPSs compared (table):

                              Firewalls   IDSs                 IPSs
  Drops packets?              Yes         No                   Yes
  Logs packets?               Yes         Yes                  Yes
  Sophistication in filtering Medium      High                 High
  Creates alarms?             No          Yes                  Sometimes
  Precision                   High        Low without tuning   Low without tuning

147 Event correlation in an integrated log file:
1. 8:45:05.03 Packet from to (network IDS log entry)
2. 8:45:05.45 Host Failed login attempt for account Lee (host log entry)
3. 8:45:06.03 Packet from to (network IDS log entry)

148 (continued)
4. 8:45:12.30 Packet from to (network IDS log entry)
5. 8:45: Host Failed login attempt for account Lee (host log entry)
6. 8:45:13.27 Packet from to (network IDS log entry)

149 (continued)
7. 8:45:30.45 Packet from to (network IDS log entry)
8. 8:45:30.59 Host Successful login for account Lee (host log entry)
9. 8:45:31.11 Packet from to (network IDS log entry)

150 (continued)
10. 9:05:12.25 Packet from to TFTP request (network IDS log entry)
11. (no corresponding host log entry)
12. 9:05: Series of packets from to TFTP response (network IDS)
13. (no more host log entries)

151 (continued)
14. 9:10:48.52 Packet from to TCP SYN=1, Dest. Port 25 (network IDS)
15. 9:10:48.54 Packet from to TCP RST=1, Src. Port 25 (network IDS)
16. 9:10:48.58 Packet from to TCP SYN=1, Dest. Port 25 (network IDS)
17. 9:10:49.07 Packet from to TCP RST=1, Src. Port 25 (network IDS)
18. Several hundred packets like 14-17, each increasing the target IP address by 1

152 (continued)
19. 9:14:18.52 Packet from to TCP SYN=1, Dest. Port 25 (network IDS)
20. 9:14:27.58 Packet from to TCP SYN=1, ACK=1, Src. Port 25 (NIDS)
21. 9:14:28.07 Packet from to TCP ACK=1, Dest. Port 25 (network IDS)
22. 9: Packet from to SMTP (network IDS) (this would really be several packets back and forth)
23. 9:15:48.18 Packet from to SMTP (network IDS) (this would really be several packets back and forth)
24. Several thousand packets similar to 22 and 23
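The sequence in entries 1 to 24 is the kind of pattern an integrated log makes visible only when host and network records are correlated. The following Python correlator is an added example (not from the presentation) over a constructed integrated log of the same shape: repeated failed logins followed by a success, an outbound TFTP transfer from the same host, then a sweep of port 25 across consecutive addresses. The log format, the addresses (RFC 5737 ranges) and the thresholds are all constructed for the example.

```python
"""Event correlation over an integrated IDS log, as an added example.

This is not code from the original slides: the log lines below are
constructed (addresses from the RFC 5737 documentation ranges), and the
three correlation rules are illustrative, not a vendor's rule set.
"""
import re
from collections import defaultdict

# Constructed integrated log: NIDS packet records and host login records, time-ordered.
LOG = """\
08:45:05.03 NIDS 203.0.113.5 -> 192.0.2.15 tcp/22
08:45:05.45 HOST 192.0.2.15 login FAILED account=lee
08:45:12.30 NIDS 203.0.113.5 -> 192.0.2.15 tcp/22
08:45:12.71 HOST 192.0.2.15 login FAILED account=lee
08:45:30.45 NIDS 203.0.113.5 -> 192.0.2.15 tcp/22
08:45:30.59 HOST 192.0.2.15 login OK account=lee
09:05:12.25 NIDS 192.0.2.15 -> 203.0.113.5 udp/69
09:10:48.52 NIDS 192.0.2.15 -> 192.0.2.1 tcp/25 SYN
09:10:48.58 NIDS 192.0.2.15 -> 192.0.2.2 tcp/25 SYN
09:10:48.64 NIDS 192.0.2.15 -> 192.0.2.3 tcp/25 SYN
09:10:48.70 NIDS 192.0.2.15 -> 192.0.2.4 tcp/25 SYN
09:10:48.76 NIDS 192.0.2.15 -> 192.0.2.5 tcp/25 SYN
09:10:48.82 NIDS 192.0.2.15 -> 192.0.2.6 tcp/25 SYN
09:10:48.88 NIDS 192.0.2.15 -> 192.0.2.7 tcp/25 SYN
09:10:48.94 NIDS 192.0.2.15 -> 192.0.2.8 tcp/25 SYN
09:10:49.00 NIDS 192.0.2.15 -> 192.0.2.9 tcp/25 SYN
09:10:49.06 NIDS 192.0.2.15 -> 192.0.2.10 tcp/25 SYN
"""

NIDS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d\d) NIDS (\S+) -> (\S+) (tcp|udp)/(\d+)(?: (\w+))?$")
HOST_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d\d) HOST (\S+) login (FAILED|OK) account=(\S+)$")


def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(log):
    """Turn both record types into dicts sharing a 't' field (seconds since midnight)."""
    events = []
    for line in log.splitlines():
        m = NIDS_RE.match(line)
        if m:
            h, mi, s, src, dst, proto, dport, flag = m.groups()
            events.append({"kind": "nids", "t": _seconds(h, mi, s), "src": src, "dst": dst,
                           "proto": proto, "dport": int(dport), "flag": flag})
            continue
        m = HOST_RE.match(line)
        if m:
            h, mi, s, host, result, account = m.groups()
            events.append({"kind": "host", "t": _seconds(h, mi, s), "host": host,
                           "result": result, "account": account})
    return events


def _attacker_for(events, idx, max_gap=2.0):
    """Walk back from a host entry to the nearest NIDS packet aimed at that host."""
    host, t = events[idx]["host"], events[idx]["t"]
    for ev in reversed(events[:idx]):
        if ev["kind"] == "nids" and ev["dst"] == host and t - ev["t"] <= max_gap:
            return ev["src"]
    return "unknown"


def correlate(log, min_failures=2, scan_hosts=8, scan_window=60.0):
    events = parse(log)
    findings = []
    compromised = {}   # host -> time of the suspicious successful login

    # Rule 1: repeated failures then a success for the same host and account. The host
    # log has no source address; it comes from the NIDS record just before the entry.
    failures = defaultdict(int)
    for i, ev in enumerate(events):
        if ev["kind"] != "host":
            continue
        key = (ev["host"], ev["account"])
        if ev["result"] == "FAILED":
            failures[key] += 1
        else:
            if failures[key] >= min_failures:
                src = _attacker_for(events, i)
                compromised[ev["host"]] = ev["t"]
                findings.append(f"password guessing: {failures[key]} failures then success "
                                f"for {ev['account']}@{ev['host']} from {src}")
            failures[key] = 0

    # Rule 2: a host flagged by rule 1 later starts an outbound TFTP transfer (tool download).
    for ev in events:
        if (ev["kind"] == "nids" and ev["src"] in compromised and ev["proto"] == "udp"
                and ev["dport"] == 69 and ev["t"] > compromised[ev["src"]]):
            findings.append(f"tool download: outbound tftp from {ev['src']} to {ev['dst']}")

    # Rule 3: horizontal scan, one source and one port against many destinations in a short window.
    by_flow = defaultdict(list)
    for ev in events:
        if ev["kind"] == "nids":
            by_flow[(ev["src"], ev["proto"], ev["dport"])].append(ev)
    for (src, proto, dport), evs in by_flow.items():
        dsts = {e["dst"] for e in evs}
        span = evs[-1]["t"] - evs[0]["t"]
        if len(dsts) >= scan_hosts and span <= scan_window:
            findings.append(f"horizontal scan: {src} probed {len(dsts)} hosts on {proto}/{dport} in {span:.2f}s")
    return findings


if __name__ == "__main__":
    for finding in correlate(LOG):
        print(finding)
```

Rule 1 is where the integrated file earns its keep: the host log says who logged in, but only the NIDS record a fraction of a second earlier gives the attacker's address. The thresholds (two failures, eight hosts, sixty seconds) are parameters to tune; the comparison table above notes that IDS precision is low without such tuning.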

153 Distributed IDS (figure): host IDS (HIDS) agents, a switch-based network IDS (NIDS) on the site's internal network, a stand-alone NIDS inside the main border firewall and another outside it, all transferring their log files, in batch mode or in real time, to a central log file manager.

154 Functional components of IDSs (the basis for classifying the major types of IDSs): Information sources: the different sources of event information used to determine whether an intrusion has taken place; they can be drawn from different levels of the system, with network, host and application monitoring. Analysis: the part of the IDS that organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place; the most common approaches are misuse detection and anomaly detection. Response: the set of actions the system takes once it detects intrusions, typically grouped into active measures (some automated intervention by the system) and passive measures (reporting IDS findings to humans, who take action based on those reports).

155 IDS architecture: how the functional components of the IDS are arranged with respect to each other. The primary architectural components are the host, the system on which the IDS software runs, and the target, the system that the IDS is monitoring for problems.

156 IDS Centralized Control Strategy :

157 IDS Partially Distributed Control Strategy :

158 IDS Fully Distributed Control Strategy :

159 Timing: the elapsed time between the events that are monitored and the analysis of those events. Interval-based (batch mode): the information flow from monitoring points to analysis engines is not continuous; information is handled much as in "store and forward" communication schemes. Many early host-based IDSs used this scheme, as they relied on OS audit trails, which were generated as files. Interval-based IDSs are precluded from performing active responses. Real-time (continuous): real-time IDSs operate on continuous information feeds from their information sources. This is the predominant timing scheme for network-based IDSs, which gather information from network traffic streams. "Real-time" is used here as in process control: detection yields results quickly enough to allow the IDS to take action.

160 Information sources: the most common way to classify IDSs is by information source. Some IDSs analyze network packets, captured from network backbones or LAN segments (such as the DMZ), to find attackers; others analyze information sources generated by the OS or application software for signs of intrusion.

161 NIDS and HIDS (figure, as on slide 153): host IDS (HIDS) agents, a switch-based NIDS on the site's internal network, stand-alone NIDSs inside and outside the main border firewall, and log file transfer to the log file manager in batch mode or real time.

163 Application-based IDSs: a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources are the application's transaction log files. The ability to interface with the application directly, with significant domain- or application-specific knowledge built into the analysis engine, lets application-based IDSs detect suspicious behavior due to authorized users exceeding their authorization, because such problems appear in the interaction between the user, the data and the application.

164 Deploying Network-Based IDSs

165 Strengths of intrusion detection systems: monitoring and analysis of system events and user behaviors; testing the security states of system configurations; baselining the security state of a system, then tracking any changes to that baseline; recognizing patterns of system events that correspond to known attacks; recognizing patterns of activity that statistically vary from normal activity.

166 Typical IDS output: almost all IDSs output a small summary line about each detected attack: time/date, sensor IP address, vendor-specific attack name, standard attack name (if one exists), source and destination IP addresses, source and destination port numbers, and the network protocol used by the attack.

167 Handling attacks: further information an IDS may provide about a detected attack: a text description of the attack, the attack severity level, the type of loss experienced as a result of the attack, the type of vulnerability the attack exploits, a list of software types and version numbers that are vulnerable to the attack, patch/cover information so that computers can resist the attack, and references to public advisories about the attack or the vulnerability it exploits.

168 Types of computer attacks detected by IDSs: three types are most commonly reported by IDSs: 1. system scanning, 2. denial of service (DoS), 3. system penetration. These attacks can be launched locally, on the attacked machine, or remotely, using a network to reach the target. An IDS operator must understand the differences between these types of attacks, as each requires a different set of responses.

169 Conclusion: it is clear that some form of security for private networks connected to the Internet is essential. A firewall is an important and necessary part of that security, but cannot be expected to perform all the required security functions.

171 Many thanks

