Guide to Network Defense and Countermeasures, Second Edition
Chapter 10: Firewall Topology
Objectives
Explain the goal of securing the network perimeter
Describe factors in choosing a bastion host
Explain how to supplement a firewall with a proxy server
Set up Network Address Translation (NAT)
Decide when to use user, session, or client authentication
Securing Network Perimeters
The goal is to provide adequate access without jeopardizing confidential or mission-critical areas
You need:
  –Firewalls, IDSs, a bastion host, Network Address Translation (NAT), and proxy servers
  –Combined with authentication mechanisms
Bastion host
  –Provides Web, FTP, or other services running on a specially secured server
Choosing a Bastion Host
Security software does not operate on its own
  –You install it on a computer
Bastion host
  –A computer that sits on the network perimeter
  –Has been specially protected through OS patches, authentication, and encryption
General Requirements
Steps in creating a bastion host:
  –Select sufficient memory and processor speed
  –Choose and install the OS and any patches or updates
  –Determine where the bastion host will fit in the network configuration
  –Install the services you want to provide
  –Remove services and accounts that aren't needed
  –Back up the system and all data on it
  –Run a security audit
  –Connect the machine to the network
Selecting the Bastion Host Machine
Select familiar hardware and software
Ideal situation
  –One bastion host for each service you want to provide
  –Can be prohibitively expensive
Operating system
  –Pick a version that is stable and secure
  –Check the OS vendor's Web site for patches and updates
Selecting the Bastion Host Machine (continued)
Memory and processor speed
  –Memory is always important when operating a server
  –A bastion host might provide only a single service
    –Does not need gigabytes of RAM
  –Match processing power to server load
    –You might have to add a processor
Location on the network
  –Typically located outside the internal network
    –Combined with packet-filtering devices
  –Multiple bastion hosts are set up in the DMZ
Hardening the Bastion Host
Selecting services to provide
  –Close unnecessary ports
  –Disable unnecessary user accounts and services
    –Reduces the chances of being attacked
  –Disable routing or IP forwarding services
  –Do not remove dependency services
    –The system needs them to function correctly
Hardening the Bastion Host (continued)
Using honeypots
  –Honeypot
    –Computer placed on the network perimeter
    –Attracts attackers away from critical servers
    –Appears real
  –Network security experts are divided about honeypots
  –Laws on the use of honeypots are confusing at best
  –Another goal of a honeypot is logging
    –Logs are used to learn about attackers' techniques
Hardening the Bastion Host (continued)
Disabling user accounts
  –Default accounts are created during OS installation
  –Disable all user accounts on the bastion host
    –Users should not be able to connect to it
  –Rename the Administrator account
  –Passwords: at least 6-8 alphanumeric characters
Handling Backups and Auditing
Essential steps in hardening a computer
  –Backups
  –Detailed recordkeeping
  –Auditing
Copy log files to other computers in your network
  –Check these files for viruses
Audit all failed and successful attempts to log on to the bastion host
  –And any attempts to access or change files
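A small host-audit script, added here as an example (it is not from the textbook), that turns the hardening checklist above into checks a security audit can run: listening ports compared with the services the host is meant to provide, accounts that still have a login shell, and whether IP forwarding is switched on. The allowed-port set and the sample /proc/net/tcp and /etc/passwd contents are constructed; on a live Linux bastion host you would pass in the real file contents.

```python
# Constructed policy: this bastion host should offer only HTTP and HTTPS
ALLOWED_PORTS = {80, 443}
NON_LOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

def listening_ports(proc_net_tcp: str) -> set:
    """Parse /proc/net/tcp text: state 0A is LISTEN, port is hex after ':'."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def login_capable_accounts(passwd_text: str) -> list:
    """Accounts in /etc/passwd that still have an interactive shell."""
    return [p[0] for p in (row.split(":") for row in passwd_text.splitlines())
            if len(p) == 7 and p[6] not in NON_LOGIN_SHELLS]

def ip_forwarding_enabled(sysctl_value: str) -> bool:
    """Contents of /proc/sys/net/ipv4/ip_forward: '1' means the host routes."""
    return sysctl_value.strip() == "1"

def audit(proc_net_tcp: str, passwd_text: str, ip_forward_value: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    extra = listening_ports(proc_net_tcp) - ALLOWED_PORTS
    if extra:
        findings.append(f"unexpected listening ports: {sorted(extra)}")
    accounts = login_capable_accounts(passwd_text)
    if accounts:
        findings.append(f"accounts with login shells: {accounts}")
    if ip_forwarding_enabled(ip_forward_value):
        findings.append("IP forwarding is enabled")
    return findings

# Constructed sample inputs: ports 80 and 22 listening, port 53 merely connected
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 10 0
   2: 0100007F:0035 0100007F:C1A2 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0 10 0
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:1000:1000::/home/webadmin:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TCP, SAMPLE_PASSWD, "1"):
        print("FINDING:", finding)
```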
Working with Proxy Servers
Proxy server
  –Software product
  –Forwards packets to and from the network being protected
  –Caches Web pages to speed up network performance
Goals of Proxy Servers
Original goal
  –Speed up network communications
  –Information is retrieved from the proxy cache instead of the Internet
    –If the information has not changed at all
Other goals
  –Provide security at the application layer
  –Shield hosts on the internal network
  –Control which Web sites users are allowed to visit
How Proxy Servers Work
Proxy server goal
  –Prevent a direct connection between an external computer and an internal computer
Proxy servers work at the application layer
  –Opens the packet and examines the data
  –Decides to which application it should forward the packet
  –Reconstructs the packet and forwards it
    –Replaces the original header with a new header
    –Containing the proxy's own IP address
How Proxy Servers Work (continued)
The proxy server receives traffic before it goes to the Internet
Client programs are configured to connect to the proxy server instead of the Internet
  –Web browser
  –Other applications
Choosing a Proxy Server
Different proxy servers perform different functions
Freeware proxy servers
  –Often described as content filters
  –Do not have features for business applications
  –Example: Squid
Commercial proxy servers
  –Offer Web page caching, source and destination IP address translation, content filtering, and NAT
  –Example: Microsoft ISA Server
Choosing a Proxy Server (continued)
Proxy servers that can include firewall functions
  –Having an all-in-one program simplifies life
  –Disadvantage
    –Single point of failure
  –Try to use several software and hardware products to protect your network
Filtering Content
Proxy servers can open packets and examine data
Proxy servers can filter out content
  –That would otherwise appear in a user's Web browser
  –Can block Web sites with content your users should not be viewing
  –Can also drop executable programs
    –Java applets
    –ActiveX controls
Using Network Address Translation (NAT)
Network Address Translation (NAT)
  –Go-between
  –Receives requests at its own IP address and forwards them to the correct IP address
A NAT-enabled device is the only one that needs a public IP address
An essential function that many firewalls or routers perform
  –Shields the IP addresses of internal hosts
NAT modes
  –Hide-mode and static mapping
Hide-Mode Mapping
Process of having multiple IP addresses behind one public IP address
Dynamic Host Configuration Protocol (DHCP)
  –Enables IP addresses to be assigned dynamically among hosts on a network
Disadvantages
  –Cannot hide all clients behind a single IP address
  –Does not work with some types of VPNs
  –Cannot provide more than one service with a single IP address
Static Mapping
Internal IP addresses are mapped to external, routable IP addresses
  –On a one-to-one basis
Internal IP addresses are still hidden
  –Computers appear to have public addresses
All addresses are static
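A translation-table model of the two NAT modes from the last two slides, added here as an example (not the textbook's code). It shows why hide mode can put many hosts behind one public address yet cannot expose a service on that address (unsolicited inbound traffic has no table entry), while static mapping delivers inbound traffic to its one mapped host. All IP addresses and the starting port are constructed.

```python
import itertools

class HideModeNat:
    """Hide-mode (many-to-one) NAT: every internal host shares one public IP,
    and each outbound flow is told apart by a distinct public source port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}   # (internal ip, internal port) -> public port
        self.inbound = {}    # public port -> (internal ip, internal port)

    def translate_out(self, src_ip: str, src_port: int):
        """Rewrite an outgoing packet's source; create a table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._next_port)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int):
        """Only replies to an existing flow can be delivered; unsolicited inbound
        traffic (for example, to a service on port 80) has no entry and is dropped."""
        return self.inbound.get(dst_port)

class StaticNat:
    """Static mapping: fixed one-to-one internal <-> public address pairs, so a
    public address always leads to one internal host and can expose its services."""

    def __init__(self, internal_to_public: dict):
        self.out = dict(internal_to_public)
        self.in_ = {pub: priv for priv, pub in internal_to_public.items()}

    def translate_out(self, src_ip: str, src_port: int):
        return self.out[src_ip], src_port        # the port is left unchanged

    def translate_in(self, dst_ip: str, dst_port: int):
        internal = self.in_.get(dst_ip)
        return None if internal is None else (internal, dst_port)

if __name__ == "__main__":
    hide = HideModeNat("203.0.113.5")            # constructed addresses
    print(hide.translate_out("192.168.1.10", 1024), hide.translate_out("192.168.1.11", 1024))
    print(hide.translate_in(80))                 # None: dropped, no flow matches
    static = StaticNat({"192.168.1.20": "203.0.113.20"})
    print(static.translate_in("203.0.113.20", 80))
```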
Authenticating Users
Authentication
  –Identifies users authorized to access the network
  –Plays an important role in firewall and other security configurations
Depends on the exchange of information
  –Password
  –Key
  –Checksum
  –Smart card
Step 1: Deciding What to Authenticate
User authentication
  –Identifies a person authorized to access the network
  –Users submit credentials and log on to the network
  –Can be automatic and based on key exchange
  –Define a user and assign it to a group
    –Set access rules for that group
  –Other restrictions
    –IP addresses
    –Time-based restrictions
Step 1: Deciding What to Authenticate (continued)
Client authentication
  –Grants access to network resources based on
    –Source IP address
    –Computer MAC address
    –Computer name
  –Identification can be automatic or manual
    –Manual requires extra effort but offers more security
  –Knowing a username and password is not enough
    –The user must log on from an authorized IP address
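A rule evaluator, added here as an example (not from the textbook), that combines the user authentication of the earlier slide with the client authentication of this one: a user belongs to a group, the group carries an access rule with permitted source networks and a time window, and a correct password from an unauthorized address or outside the window is still denied. The user record, group rule, addresses and clock values are constructed.

```python
import hashlib
import hmac
import os
from datetime import time
from ipaddress import ip_address, ip_network

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user database: username -> (salt, password hash, group)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT), "finance")}

# Constructed access rules per group: permitted source networks and hours
GROUP_RULES = {
    "finance": {"networks": [ip_network("10.20.0.0/24")],
                "hours": (time(8, 0), time(18, 0))},
}

def user_authenticated(username: str, password: str) -> bool:
    """User authentication: submitted credentials checked against the database."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored_hash, _group = record
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def client_authorized(username: str, source_ip: str, clock: str) -> bool:
    """Client authentication: the request must also come from an address in the
    group's networks, inside its time window. clock is 'HH:MM' (24-hour)."""
    rule = GROUP_RULES.get(USERS[username][2])
    if rule is None:
        return False
    addr = ip_address(source_ip)
    start, end = rule["hours"]
    in_network = any(addr in net for net in rule["networks"])
    return in_network and start <= time.fromisoformat(clock) <= end

def firewall_decision(username: str, password: str, source_ip: str, clock: str) -> str:
    """Both checks must pass: a correct password from the wrong place is denied."""
    if not user_authenticated(username, password):
        return "deny: bad credentials"
    if not client_authorized(username, source_ip, clock):
        return "deny: unauthorized address or time"
    return "allow"

if __name__ == "__main__":
    print(firewall_decision("alice", "correct horse battery", "10.20.0.7", "09:30"))
    print(firewall_decision("alice", "correct horse battery", "198.51.100.4", "09:30"))
```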
Step 1: Deciding What to Authenticate (continued)
Session authentication
  –Authorizes a user or computer on a per-connection basis
  –Uses special authentication software on the client
    –Exchanges information with the firewall
  –Gives the user more flexibility than user or client authentication
Step 2: Deciding How to Authenticate
Password security
  –User name and password are compared against a database of approved users
  –Simplest and most straightforward authentication
  –Password systems
    –OS password
    –Firewall password
    –S/Key password
    –SecurID
Step 2: Deciding How to Authenticate (continued)
Smart cards and tokens
  –Two-factor authentication
    –Combines objects the user possesses with passwords
  –Most common objects used in authentication
    –Smart cards
    –Tokens
  –Smart cards
    –Similar to ATM cards
  –Tokens
    –Objects that enable users to authenticate themselves
    –Examples: smart cards, handhelds, key fobs
Step 2: Deciding How to Authenticate (continued)
Exchanging public and private keys
  –A password is a code used to authenticate yourself
  –Computers can also authenticate each other
    –By exchanging codes
    –The code can be long and complicated
    –Called keys
  –Keys
    –Blocks of encrypted code generated by algorithms
  –Public key cryptography
    –Authenticates by exchanging public and private keys
Step 2: Deciding How to Authenticate (continued)
Digital signatures
  –The message recipient can authenticate the sender's identity
  –One-way hash function
    –Called a message digest
    –Fixed-length code
    –Results from processing a message through a mathematical function
  –One-way hash function characteristics
    –The value is unique for the hashed data
    –The data cannot be deduced from the hash
Step 2: Deciding How to Authenticate (continued)
Digital signatures
  –Signing software creates a hash of the message
    –And encrypts it using your private key
  –Validation process
    –Recipient uses the signer's public key to decrypt the hash
    –Computes the hash value of the received message
      –Using the same hashing algorithm as the sender
    –Compares the hash values
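The signing and validation steps of the last two slides carried through in working code, added here as an example (not the textbook's own): a SHA-224 message digest is raised to the private exponent of a textbook RSA key, and the recipient reverses that with the public exponent and compares the result with a fresh digest of the received message. The key pair is constructed from two Mersenne primes and is far too small for real use; the sample message is constructed as well.

```python
import hashlib
import hmac

# Constructed textbook-RSA key pair from two Mersenne primes. Far too small for
# real use; the sizes only keep the sign/verify flow readable.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                              # public modulus (234 bits)
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
DIGEST_BYTES = 28                      # SHA-224 output, which fits below N

def message_digest(message: bytes) -> bytes:
    """One-way hash: fixed-length value from which the message cannot be recovered."""
    return hashlib.sha224(message).digest()

def sign(message: bytes, private_exp: int = D) -> int:
    """Signer hashes the message and 'encrypts' the digest with the private key."""
    m = int.from_bytes(message_digest(message), "big")
    return pow(m, private_exp, N)

def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Recipient 'decrypts' the signature with the public key, hashes the received
    message with the same algorithm, and compares the two digests."""
    recovered = pow(signature, public_exp, N)
    if recovered >= 1 << (8 * DIGEST_BYTES):
        return False                   # cannot be a SHA-224 digest: bad signature
    recovered_digest = recovered.to_bytes(DIGEST_BYTES, "big")
    return hmac.compare_digest(recovered_digest, message_digest(message))

if __name__ == "__main__":
    msg = b"Transfer approved by finance"      # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                    # True
    print(verify(msg + b"!", sig))             # False: message altered in transit
    print(verify(msg, sig ^ 1))                # False: signature altered
```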
Step 3: Putting It All Together
S-HTTP
  –Secure Hypertext Transfer Protocol (S-HTTP)
    –Encrypts communication between a Web server and a Web browser
  –Using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
    –SSL encrypts the data portion of a packet, not the header
      –A firewall can still filter and route it
    –SSL does not provide user authentication
Step 3: Putting It All Together (continued)
IPSec/IKE
  –IPSec encrypts communications at the network layer of the OSI model
  –Widely used
  –NAT can interfere with IPSec
  –Internet Key Exchange (IKE)
    –Allows the exchange of public and private keys
  –Internet Security Association and Key Management Protocol (ISAKMP)
    –Enables two computers to agree on security settings
Step 3: Putting It All Together (continued)
Dial-in authentication: RADIUS and TACACS+
  –Terminal Access Controller Access Control System (TACACS+)
    –Called "Tac-plus"
    –Authentication protocol developed by Cisco Systems
    –Uses MD5 to produce an encrypted digest version of transmitted data
Step 3: Putting It All Together (continued)
Dial-in authentication: RADIUS and TACACS+
  –Remote Authentication Dial-In User Service (RADIUS)
    –Provides less security than TACACS+
    –More widely supported
    –Transmits authentication packets unencrypted across the network
      –Vulnerable to packet sniffing
Summary
Modern networks require a variety of services
Firewalls cannot secure a network alone
Bastion host
  –Computer on the network perimeter
  –Specially protected through OS patches, authentication, and encryption
Proxy server
  –Forwards packets to and from the network
  –Caches Web pages to speed up network performance
Summary (continued)
Network Address Translation (NAT)
  –Conceals the IP addresses of computers on the internal network from external locations
Authentication types
  –Client authentication
  –User authentication
  –Session authentication
Encryption schemes
  –Secure Sockets Layer (SSL)
  –Internet Protocol Security (IPSec)