Presentation is loading. Please wait.

Presentation is loading. Please wait.

Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems.

Similar presentations


Presentation on theme: "Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems."— Presentation transcript:

1 Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems

2 Chapter Objectives Objectives: The student should be able to: Describe the different types of firewalls: Circuit, Application Proxy, Packet, Stateful, Personal including how they differ in an example attack that each can fend off. Describe 3 firewall vulnerabilities Draw configurations for network types: double inline, T, multihomed, distributed, load balanced. Describe what a firewall policy is, give an example policy, and indicate how a policy may be used Describe each of the following: border router, static and dynamic NAT and PAT.

3 Security: Defense in Depth Border Router Perimeter firewall Internal firewall Intrusion Detection System Policies & Procedures & Audits Authentication Access Controls

4 Firewall Required Functions Required Functions: Serve as an entry point into a network Screens all packets entering the network Service control Direction control User control Behavior control (access only part of Web service) Log and alarm events Perform Network Address Translation functions (optional) Perform Virtual Private Network functions (optional) Support no other functions (that can be compromised)

5 Firewall Locations

6 Screening Router Firewall A External DNS IDS Web Server E-CommerceVPN Server Firewall B IDS Protected Internal Network IDS Database/File Servers Internet Network Defense Configuration: Double Inline Firewalls

7 Router Firewall B External DNS IDS Web Server E-Commerce VPN Server Firewall A Protected Internal Network IDS Database/File Servers Internet Network Defense Configuration: Load Balanced Firewalls Screening Router

8 Router External DNS IPS Web Server E-Commerce VPN Server Firewall Protected Internal Network Zone IPS Database/File Servers Internet Network Defense Configuration: Single T or Multihomed (Separate Zones) Demilitarized Zone Screening Router

9 Firewall A External DNS IDS Web Server E-CommerceVPN Server Firewall B IDS Protected Internal Network IDS Database/File Servers Internet Network Defense Configuration: Distributed Firewall Firewal l

10 Bastion Hosts critical strongpoint in network hosts application/circuit-level gateways common characteristics: runs secure O/S, only essential services may require user auth to access proxy or host each proxy can restrict services & hosts accessed each proxy small, simple, checked for security each proxy is independent, non-privileged proxy disk use is boot only; hence read-only code

11 Firewall Topologies host-resident firewall screening router single bastion inline: One firewall single bastion T: with 3 zones double bastion inline: Serial firewalls double bastion T: with 3 zones distributed firewall configuration: double with host firewalls

12 Router Firewall Vendor A External DNS IPS Web Server E-CommerceVPN Server Firewall Vendor B IDS Protected Internal Network IPS Database/File Servers Internet Network Defenses – with Logs Security Mgmt Syslog

13 Types of Firewalls

14 Firewall Configurations AA terminal firewall host Router Packet Filtering: Packet header is inspected Single packet attacks caught Very little overhead in firewall: very quick High volume filter AA terminal firewall host A Stateful Inspection State retained in firewall memory Most multi-packet attacks caught More fields in packet header inspected Little overhead in firewall: quick

15 Packet Filtering Firewall applies rules to packets in/out of firewall based on information in packet header src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted forward - permit unless expressly prohibited

16 Packet Filter Problems In heavy load may forward all packets without logging Cannot catch application-level errors ICMP can have invalid contents FTP, RPC use ports > 1023, dynamically allocated Cannot recognized spoofed IP or port addresses Do not support advanced user authentication Tiny fragments can hide attacks Improper configuration can lead to breaches Routers can do packet filtering, most firewalls do more

17 Stateful Inspection Firewall reviews packet header information but also keeps info on TCP connections typically have low, “known” port no for server and high, dynamically assigned client port no simple packet filter must allow all return high port numbered packets back in stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections only allow incoming traffic to high-numbered ports for packets matching an entry in this directory may also track TCP seq numbers as well

18 Packet Filter Rules

19 Stateful Packet Filters Tracks TCP/UDP connection status Can configure outbound-only connections Packets are allowed in if connection is established Records source/destination IP and port addresses, protocol (TCP/UDP), timer expiration TCP: Also supports TCP state, Sequence numbers UDP: Supports expiration timer, pseudo state May prevent fragmentation attacks Advantage: Supports higher loads than Circuit-Level Firewalls at same memory/processor speed levels Problems ICMP: Messages may come from intermediate node, not destination. Must accept/reject all ICMP messages of type N DOS Attack: Establish connections to fill table Applications change ports or use multiple ports: e.g., ftp Application attacks not detected since application protocols not scanned Some routers support Stateful packet filtering; nearly all firewalls do

20 Stateful Firewall Connection State Table Source Address Source PortDestination Address Destination Port Connection State Established Established Established Established

21 Firewall Configurations AB terminal firewall host Circuit-Level Firewall: Packet session terminated and recreated via a Proxy Server All multi-packet attacks caught Packet header completely inspected High overhead in firewall: slow AB terminal firewall host A Application-Proxy Firewall Packet session terminated and recreated via a Proxy Server Packet header completely inspected Most or all of application inspected Highest overhead: slow & low volume AB B

22 Firewall & Router Protection Levels IP Header TCP Header Application Header & Data … Pr ot Src Addr Dest Addr ……Src Port Dest Port IP Header TCP Header Application Header & Data … ProtSrc Addr Dest Addr ……Src Port Dest Port Fl ag Seq No IP Header TCP Header Application Header & Data … ProtSrc Addr Dest Addr ……Src Port Dest Port Fl ag Seq No IP Header TCP Header Application Header & Data … ProtSrc Addr Dest Addr ……Src Port Dest Port Fl ag Seq No Appl Hdr Appl Hdr Appl Data Application Proxy Firewall Guard Firewall – Sophisticated Application Proxy Firewall – IDS/IPS Packet Filter Stateful Packet Filter – Circuit Level Filter – Proxy Server Fields shown are monitored by these types of Firewalls

23 Circuit-Level Firewalls or Proxy Server Establishes a TCP connection with remote end before passing information through. Creates two sessions: one with sender & one with receiver Does not filter based on packet contents (other than state) Also known as Pass-Through Proxy or Generic Proxy Advantages: If firewall failure, no packets are forwarded through firewall Catches fragmentation errors Problems: Does not detect invalid application data Moves security issues from service to firewall: e.g., DOS attacks Less able to handle high loads since each connection becomes two Requires much greater memory and processor at application level (Web page is > 1 connection) Slower interfaces can result in poor performance for streaming applications

24 Application Proxy Firewall Examines packets and their contents at the Application Layer Can cause delay due to additional processing May strip info on internal servers, server version on outgoing messages (e.g., ) May allow only certain types of sessions through: FTP: May permit receives, no sends. Or sends of specific files only. Encrypts between all of company’s offices HTTP: May filter PUT commands, URL names. Can cache replies. Authentication: Perform extra authentication for external access (via dialup or internet)

25 Application-Level Gateway acts as a relay of application-level traffic user contacts gateway with remote host name authenticates themselves gateway contacts application on remote host and relays TCP segments between server and user must have proxy code for each application may restrict application features supported more secure than packet filters but have higher overheads

26 SOCKS Circuit-Level Gateway SOCKS v5 defined as RFC1928 to allow TCP/UDP client-server applications to use firewall components: SOCKS server on firewall SOCKS client library on all internal hosts SOCKS-ified client applications client app contacts SOCKS server, authenticates, sends relay request server evaluates & establishes relay connection UDP handled with parallel TCP control channel

27 Distributed Firewalls

28 Host-Based Firewalls often used on servers used to secure individual host available in/add-on for many O/S filter packet flows advantages: taylored filter rules for specific host needs protection from both internal / external attacks additional layer of protection to org firewall

29 Personal Firewall controls traffic flow to/from PC/workstation for both home or corporate use may be software module on PC or in home cable/DSL router/gateway typically much less complex primary role to deny unauthorized access may also monitor outgoing traffic to detect/block worm/malware activity

30 Virtual Private Networks

31 Network Address Translation NATNAT x Dynamic NAT: Single external IP address may translate into many IP addresses. NATNAT x y Hide NAT or PAT: IP/Port translates to IP/Port Static NAT: External IP address translates into Internal IP address. NATNAT x External Organization IP: /24 Internal Addresses: /8

32 Network Address Translation Static NAT: One external IP address translates into one fixed internal IP address Dynamic NAT: Internal IP addresses are assigned an external IP address on a FCFS basis. Port Address Translation (PAT) or Hide NAT: Translates one incoming IP address/port into an internal IP address/port. Multiple internal IP addresses can map to one external IP address

33 Firewall Capabilities & Limits capabilities: defines a single choke point provides a location for monitoring security events convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs limitations: cannot protect against attacks bypassing firewall may not protect fully against internal threats improperly secure wireless LAN laptop, PDA, portable storage device infected outside then used inside

34 Firewall Vulnerabilities Firewalls can be bypassed via other means (e.g., modem, CDs) Data transmitted to the outside may be vulnerable Firewalls may lie: in heavy loads attack packets may get through without logging. Extra software on the firewall device increase vulnerability Firewalls are vulnerable if installed above a general- purpose OS Firewalls do not prevent malicious acts within the network Layers of defense are safer than a single firewall Auditing: Scan weekly or at every change Retain a baseline of perimeter device configurations

35 Designing Firewalls/Routers Before creating a firewall configuration, create firewall policies. Firewall policy: An Access Control List (ACL) item in English Policies can be reviewed, turned into ACLs, and tested Example Policy: IP addresses with internal source addresses shall not be allowed into the internal network from the outside. Often ports > 1000 cannot be closed due to applications like FTP Other policies may deal with failover protection, detecting malicious code, …

36 Configuring Firewalls/Routers Put specific rules first, then general rules When a rule matches, no further testing is done. Minimize tests & speed processing by placing common rules first

37 Auditing Firewalls If there is no security policy, speak with mgmt about their expectations of the firewall After configuring the firewall, test the firewall by launching an attack Use a sniffer to determine which attack packets get through Other required operations include: Log Monitoring and Notification User Mgmt and Password policy Patch Update and Backup Change Control Secure build for firewall platforms

38 Audit Testing Scan all TCP and UDP ports 0-65,535 on the firewall Ping devices to see if Echo Requests pass Scan using ‘TCP Connect Scan’ (Full SYN-ACK) Do a slow SYN scan (with 15 second delay) to se if port scans are detected (by IDS) Scan with FINs, ACKs, and fragmented ACKs, Xmas Tree scans (URG, PUSH, FIN flags) to see how all perform Scan the subnet using UDP ports to look for open applications Check routing capability, including NAT Test other blocked source IP addresses: Spoofed, private, loopback, undefined Test other protocols: ICMP, IP fragmentation, all policies, all directions. Verify logging occurs for illegal probes Always get signed-off permission first!!!

39 Intrusion Prevention Systems (IPS) enhanced security product which inline net/host-based IDS that can block traffic functional addition to firewall that adds IDS capabilities can block traffic like a firewall alternatively send commands to firewall uses IDS algorithms may be network or host based

40 Host-Based IPS addresses: modification of system resources privilege-escalation exploits buffer overflow exploits access to contact list directory traversal identifies attacks using: sandbox applets to monitor behavior signature techniques anomaly detection techniques can be tailored to the specific platform e.g. general purpose, web/database may protect file access, system registry, I/O, system calls

41 Network-Based IPS inline NIDS that can discard packets or terminate TCP connections can provide flow data protection reassembling whole packets monitoring full application flow content can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly cf. SNORT inline can drop/modify packets

42 Unified Threat Management Products

43 Summary Firewall filters packets Types of networks double inline, T or multihomed, distributed, load balanced, screening router Types of firewalls packet filter, stateful inspection, application and circuit gateways Other capabilities Virtual Private Network (VPN), Network Address Translation (NAT) Advanced configurations: IPS, Unified Threat Management


Download ppt "Second Edition by William Stallings and Lawrie Brown Lecture slides by Susan Lincke & Lawrie Brown Chapter 9 – Firewalls and Intrusion Prevention Systems."

Similar presentations


Ads by Google