Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014.

Similar presentations

Presentation on theme: "Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014."— Presentation transcript:

1 Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014

2 Firewalls: Stateless packet filter 2

3 Intranet 3 Firewall Perimeter defence: Divide the world into the good/safe inside (intranet) and bad/dangerous outside (Internet) Prevent anything bad from entering the inside Block communication that is evil, risky or just unnecessary Internet

4 4 IPv4 and TCP headers Which field should a firewall use for filtering? (TCP flags: CWR ECE URG ACK PSH RST SYN)

5 5 Stateless packet filter Allow or block IP packets based on their IP header fields and TCP/UDP port numbers Fields with static locations in most IP packets: protocol (TCP/UDP/ICMP), source and destination IP address, source and destination port, TCP flags, ICMP type and code Packet filter is defined as a rule table Linear list of rules Each rule consist of conditions and an action For each packet, the first matching rule is found Two possible actions: allow (=accept, permit, bypass) or block (=drop, deny, discard), maybe also allow and log or block and log

6 6 Packet filter example (1) Example rule table: inbound email to our SMTP server ProtocolSrc IPSrc portDst IPDst portActionComment TCP4.5.6.7* this spammer TCP** SMTP TCP1.2.3.1025**AllowSMTP responses *****BlockDefault rule Note: The examples in this lecture are an abstraction and don’t directly correspond to the way real firewalls are configured

7 7 Packet filter example (2) Allow web access from our subnet… not quite right! ProtocolSrc IPSrc portDst IPDst portActionComment TCP1.2.3.0/24**80AllowOutbound HTTP requests TCP*801.2.3.0/24*AllowHTTP responses *****BlockDefault rule Slightly more restrictive but not perfect: ProtocolSrc IPSrc portDst IPDst portActionComment TCP1.2.3.0/24≥1024*80AllowOutbound HTTP requests TCP*801.2.3.0/24≥1024AllowHTTP responses *****BlockDefault rule

8 8 Packet filter example (3) Allow only outbound connections: ProtocolSrc IPSrc portDst IPDst portFlagsActionComment TCP1.2.3.0/24**80AllowOutbound HTTP requests TCP*801.2.3.0/24*ACKAllowHTTP responses *****BlockDefault rule All TCP packets, except the first SYN packet, have ACK flag set  stateless way to prevent inbound connections

9 9 Packet filter example (3) University lab network (address, netmask HTTP/Mail/DNS server ProtocolSrc IPSrc portDst IPDst portFlagsActionComment UDP***53AllowDNS queries in and out UDP*53**AllowDNS responses TCP5.4.3.2* zone transfer TCP** SMTP TCP** HTTP TCP1.2.3.121***BlockBob’s test machine TCP***BlockBob’s test machine TCP** SSH TCP1.2.3.0/24***AllowAll outbound TCP TCP***ACKAllowAll TCP responses *****BlockDefault rule Is this correct? Could we limit inbound DNS queries to the server?

10 10 Router as packet filter Firewall rule table is similar to a routing table, with the option of dropping some packets Most routers can be used as a packet filter Choice of filters may affect router throughput Intranet 10 Internet interface1interface2

11 11 Ingress and egress filtering Filter packets with topologically incorrect (probably spoofed) source IP addresses Ingress filtering by local network: At the gateway router of a local network, drop inbound packets with source addresses that belong to the local network Egress filtering by local network: At the gateway router of a local network, drop outbound packets with non-local source addresses Ingress filtering by ISP: At the gateway router towards a customer, drop packets from the customer if the source address does not belong to the customer Egress filtering by ISP (less common): At the gateway router towards a customer, drop packets to the customer if the source address belongs to the customer

12 12 Anti-spoofing filter example Filter based on input interface (only part of the policy shown): 12 Intranet 12 Internet interface1interface2 Input interfaceProtocolSrc IPPortDst IPPortFlagsActionComment 2****BlockIngress filter 2****BlockRouter address 1****BlockRouter address 1****AllowEgress filter 1*****BlockDefault rule (If1) ……

13 Dynamic packet filter

14 14 Dynamic firewall Stateful packet inspection (SPI): change filtering rules based on previously seen packets Outbound TCP or UDP packet creates a pinhole for inbound packets of the same connection Unlike stateless packet filter, can support UDP connections TCP pinhole closed with connection, UDP after eg. 30 min May also allow inbound ICMP messages that match outbound traffic Support for special protocols: FTP: firewall may sniff PORT command in FTP to open port for the inbound connections X Windows: user workstation is the X server

15 15 Typical network topology Services accessible from the Internet are isolated to a demilitarized zone (DMZ), i.e. in a separate subnetwork 15 Internet interface1interface2 Intranet Public server (web, email, DNS) interface3 Note: This topology is becoming less common as the servers move to the cloud.

16 16 InputProtSrc IPPortDst IPPortOtherActionComment 2****BlockAnti-spoofing 3****BlockAnti-spoofing 2****BlockAnti-spoofing 1****BlockAnti-spoofing ** {,,} ***BlockAnti-spoofing (router addr) 2TCP** to server (HTTP) 2TCP** to server (HTTPS) 2TCP** to server (SMTP) 2UDP** query in and out 3UDP1.2.4.10**53AllowDNS query in and out 1TCP1.2.3.0/24** Allow, create state Server access from intranet 3TCP1.2.4.10**StateAllowResponses 1UDP1.2.3.0/24≥10241.2.4.1053 Allow, create state DNS query 3UDP1.2.4.10531.2.3.0/24≥1024StateAllowDNS response 1***BlockUnnecessary traffic with DMZ 3***BlockUnnecessary traffic with DMZ 1**** Allow, create state Outbound to Internet 2*****StateAllowResponses from Internet 1TCP1.2.3.0/24* {,,} 80 Allow, create state Router management -TCP {,,} 801.2.3.0/24*StateAllowRouter management ******BlockDefault rule

17 17 Bastion host Inbound user connections are often allowed only to a hardened bastion host Bastion can be located in the DMZ or outside the firewall or be two- homed itself 17 Internet Intranet Public server (web, email, DNS) interface2 interface1 interface2 FW router AFW router B interface1 Bastion host Older two-firewall configuration for the DMZ – nowadays rarely used because routers/ firewalls are expensive

18 Gateway Router / NAT 18 NAT IPv4 addresses are in short supply Network address translation (NAT) is a mechanisms for sharing one IPv4 address between multiple hosts Hosts behind NAT can only act as TCP or UDP clients Internet Internal IP addressesInternet addresses src= src port = 3344... src= src port = 4567...

19 19 NAT IPv4 addresses are in short supply Network address translation (NAT) is a mechanisms for sharing one IPv4 address between multiple hosts Hosts behind NAT can only act as TCP or UDP clients Gateway Router / NAT Internet Internal IP addressesInternet addresses dest= dest port = 3344... dest= dest port = 4567...

20 20 NAT as a firewall NAT maps internal pairs to external pairs and back NAT creates the mapping after seeing an outbound packet → a node on the intranet must initiate the connection→ NAT acts as a dynamic firewall NAT reference types (not real NATs): Full cone NAT: NAT doesn’t remember peer addresses Port-restricted cone NAT: NAT remembers peer IP address and port and filters inbound packets Symmetric NAT: different external port (and even address) depending the peer address and port Port-restricted and symmetric NATs provide some firewall- like security Real NATs combine some of the above and stateful firewall functions; there are hundreds of different NAT implementations that differ from each other

21 21 iptables Firewall implementation for Unix/Linux Complex policies can be defined as multiple chains of rules: Action can be a reference to another chain Provides modularity (“subroutines”) for firewall policies Examples:

22 Transport and application- layer firewalls

23 23 Circuit-level proxy Transport-layer proxy as a firewall When an intranet client needs to connect to a server outside, it connects to the proxy instead Proxy terminates TCP and UDP connections. Creates a second connection to the server on the Internet Proxy is simpler than a host, easier to harden against attacks Proxy can filter and normalizes connections SOCKS management protocol between client and firewall Client requests new connections from firewall Authentication and authorization of client requests, e.g. Kerberos with GSSAPI Error messages to client SOCKS is supported by most web browsers

24 24 Application-level firewall Application-level firewall filters application data E.g. email gateway, intercepting web proxy Need to implement the entire application protocol Telephone call blocking and barring vs. wiretapping Encrypted data cannot be filtered → what to do? Are the latest applications and features supported?

25 Firewall issues 25

26 26 Why filter outbound connections Security: Prevent people from accessing untrusted services or dangerous web content Prevent compromised machines from spreading viruses to the Internet, phishing etc. Cost: Businesses and other organizations are charged by megabyte → block access to P2P, VoIP Productivity: How do employees spend their time? Liability: Does free Internet access by employees or visitors expose the company to legal risks?

27 27 Firewall traversal Network admins prefer to block traffic by default → new applications and protocols will not work New applications will not become popular if an administrative decision is needed at each site → application developers (and users) do their best to circumvent firewalls Web services over port 80, everything over port 443 Skype, Bittorrent etc. Question: Should all new network applications be standardized and get a port number from IANA, so that they can be filtered by the firewall? Big debate in the 90s, now everything uses port 80

28 28 Debugging firewall rules Firewall rules are difficult to configure Order of rules matters → fragile configurations Configuration language and its exact semantics and expressiveness vary between implementations Stateless packet filters have limited expressive power Performance depends on hardware Router may become slower when filtering is enabled, or when specific filters are deployed. What is processed in hardware? Redundancy may be a clue to errors, but not always: Rule is shadowed if another rule above it prevents it from ever being triggered. Is this intentional? Overlapping rules match some of the same packets. Do they specify the same action or different ones? In a network with multiple firewalls, do you want to block packets only in one firewall?

29 29 Firewall limitations May prevent people from doing their work Try to convince a network admin to open a port for your server! Network admins are often reluctant to change firewall policies in case something breaks Makes network diagnostics harder Firewall configuration errors are common Only coarse-grained filtering for efficient routing and administration Perimeter defence is ineffective in large networks There are always some compromised nodes inside Potential unfiltered ingress routes that circumvent firewalls: Historical threat: dial-up modem connections in and out Unauthorized wireless access points Laptops move in and out of the intranet, “bring your own device” culture Laptops have both cellular data and intranet connections Apps installed from the web may be Trojan horses Security of home gateways and other network devices is questionable Most applications now use TCP port 80 or 443, or use other clever tricks to traverse firewalls

30 30 Related reading William Stallings. Network security essentials: applications and standards, 3rd ed.: chapter 11 William Stallings. Cryptography and Network Security, 4th ed.: chapter 20 Kaufmann, Perlman, Speciner. Network security, 2nd ed.: chapter 23 Ross Anderson. Security Engineering, 2nd ed.: chapter 21.4.2 Dieter Gollmann. Computer Security, 2nd ed.: chapter 13.6

31 31 Exercises Why cannot ingress filtering ever stop all IP spoofing attacks? Do you find any mistakes or shortcomings in the firewall policy examples of this lecture? Can they be improved? Find out what kind of firewall capabilities your home gateway router/NAT has. Find the firewall configuration of a small network. Try to understand each line of the policy. Have compromises on security been made to achieve better performance, to make management easier, or because of limitations in the firewall platform? Extend the firewall policy example to support a bastion host (it its own network segment). Stateless firewall typically allows all inbound TCP packets with the ACK flag set. On a 1 GB/s network, how difficult is it for external attackers to spoof some TCP packets (e.g. RST) that match the sequence numbers of an intranet TCP connection? Translate the examples in these slides to policies for iptables or a commercial firewall product.

Download ppt "Network Security: Firewalls Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014."

Similar presentations

Ads by Google