
Chapter 20: Firewalls
Special thanks to our friends at The Blekinge Institute of Technology, Sweden, for providing the basis for these slides.
Fall 2004 CS 395: Computer Security

Outline
• Firewall Design Principles
  – Firewall Characteristics
  – Types of Firewalls
  – Firewall Configurations
• Trusted Systems
  – Data Access Control
  – The Concept of Trusted Systems
  – Trojan Horse Defense

Firewalls
• An effective means of protecting a local system or network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet
• Information systems undergo a steady evolution (from small LANs to Internet connectivity)
• Strong security features are not established on every workstation and server

Why?
• Systems provide many services by default
  – Many workstations provide remote access to files and configuration databases (for ease of management and file sharing)
  – Even if configured only for specific users, they can sometimes be tricked into providing services they shouldn't
    • e.g. a missing bounds check in an input parser
  – Also, users sometimes forget to close temporary holes
    • e.g. leaving a file system remotely mountable for file sharing

Why?
• Firewalls enforce policies that centrally manage access to services in ways that workstations should, but don't
• Which services?
  – finger
  – telnet: requires authentication, but the password is sent in the clear
  – rlogin: similar to telnet, but uses IP-address-based authentication (bad: a source address proves nothing about who sent the packet)
  – ftp: tricky because it uses two connections. The client opens the control connection, but in active mode the server opens the data connection back to the client (passive ftp has the client originate both)
  – X Windows
  – ICMP

Firewall Design Principles
• The firewall is inserted between the premises network and the Internet
• Aims:
  – Establish a controlled link
  – Protect the premises network from Internet-based attacks
  – Provide a single choke point

Firewall Characteristics
• Design goals:
  – All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall)
  – Only authorized traffic (as defined by the local security policy) will be allowed to pass
  – The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

Firewall Characteristics
• Four general techniques:
• Service control
  – Determines the types of Internet services that can be accessed, inbound or outbound
• Direction control
  – Determines the direction in which particular service requests are allowed to flow

Firewall Characteristics
• User control
  – Controls access to a service according to which user is attempting to access it
• Behavior control
  – Controls how particular services are used (e.g. filtering e-mail)

Firewall Limitations
• Cannot protect against attacks that bypass the firewall
  – e.g. an internal modem pool
• Does not protect against internal threats
• Cannot protect against the transfer of virus-infected programs
  – Too many different applications and operating systems are supported to make it practical to scan all incoming files for viruses

Types of Firewalls
• Three common types of firewalls:
  – Packet-filtering routers
  – Application-level gateways
  – Circuit-level gateways
  – (Bastion host)

Types of Firewalls
• Packet-filtering Router (figure)

Types of Firewalls
• Packet-filtering Router
  – Applies a set of rules to each incoming IP packet and then forwards or discards the packet
  – Filters packets going in both directions
  – The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  – Two default policies (discard or forward)

Types of Firewalls
• Advantages:
  – Simplicity
  – Transparency to users
  – High speed
• Disadvantages:
  – Difficulty of setting up packet filter rules
  – Lack of authentication
    • Who really sent the packet?

Firewalls – Packet Filters (figure)

Firewalls – Packet Filters
• Can be clever:
  – Allow connections initiated from the inside network to the outside, but not connections initiated from outside.
    • Traffic flows both ways, but a TCP connection request is the one segment with SYN set and ACK clear. If the firewall only admits incoming TCP packets with ACK set, outside hosts cannot open connections while replies to inside-initiated connections still get through.
  – Problem: some apps require an outside node to initiate a connection to an inside node (e.g. ftp, X Windows), even if the original request was initiated by the inside node.
  – Solution (sort of): allow packets from outside if they are connecting to a high port number. (Weak: any inside service listening on a high port is then reachable, and the filter still cannot tell a genuine reply from an attacker's packet that merely has ACK set.)

Stateful Packet Filter
• Changes filtering rules dynamically (by remembering what has happened in the recent past)
• Example: a connection is initiated from inside node s to outside IP address d. For a short time, allow incoming connections from d to the appropriate ports (e.g. the ftp data port).
• In practice, much more caution:
  – The stateful filter notices the port that s announced on the ftp control channel and only allows a connection from d to that port. This requires parsing the ftp control packets.
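The stateful filter described on this slide, as an added example (not code from the original slides): it remembers connections the inside initiates, admits only their return traffic, and for ftp parses the client's PORT command so that the server's active-mode data connection is admitted only to the announced port, from the server's address, once, and only for a short time. The addresses, port numbers, timeouts and the packet tuple are assumptions made for the example.

```python
import re
from typing import Dict, NamedTuple, Tuple


class Pkt(NamedTuple):
    direction: str        # "out": inside -> Internet, "in": Internet -> inside
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""
    t: float = 0.0        # arrival time in seconds on a simulated clock


# "PORT h1,h2,h3,h4,p1,p2" announces client address h1.h2.h3.h4 and port p1*256+p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)

ConnKey = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)


class StatefulFilter:
    def __init__(self, pinhole_ttl: float = 30.0, idle_ttl: float = 300.0):
        self.conns: Dict[ConnKey, float] = {}      # inside-initiated connections -> last seen
        self.pinholes: Dict[ConnKey, float] = {}   # expected inbound data connections -> expiry
        self.pinhole_ttl = pinhole_ttl
        self.idle_ttl = idle_ttl

    def _expire(self, now: float) -> None:
        self.conns = {k: v for k, v in self.conns.items() if now - v <= self.idle_ttl}
        self.pinholes = {k: v for k, v in self.pinholes.items() if v > now}

    def _learn_ftp_port(self, p: Pkt) -> None:
        """Parse the control channel (outbound s -> d:21) for a PORT command."""
        m = PORT_RE.search(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only open a hole back to the client itself, never to a third party or a privileged port
        if addr != p.src or port < 1024:
            return
        # Active-mode ftp: server d connects from port 20 to the announced client port
        self.pinholes[(p.src, port, p.dst, 20)] = p.t + self.pinhole_ttl

    def handle(self, p: Pkt) -> str:
        self._expire(p.t)
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.conns[key] = p.t          # inside node s opens a connection to d
            elif key in self.conns:
                self.conns[key] = p.t
            else:
                return "discard"               # outbound segment of no known connection
            if p.dport == 21:
                self._learn_ftp_port(p)
            return "forward"
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns and p.ack:
            self.conns[key] = p.t              # return traffic of a known connection
            return "forward"
        if key in self.pinholes and p.syn:
            del self.pinholes[key]             # one-shot: the hole closes once used
            self.conns[key] = p.t              # track the data connection like any other
            return "forward"
        return "discard"


def scenario() -> Dict[str, str]:
    """Constructed packet trace: an active-mode ftp session plus some probes."""
    fw = StatefulFilter()
    s, d, x = "10.0.0.7", "198.51.100.9", "203.0.113.5"   # inside client, ftp server, bystander
    steps = [
        ("ctl-syn",      Pkt("out", s, d, 40001, 21, syn=True, t=0.0)),
        ("ctl-synack",   Pkt("in",  d, s, 21, 40001, syn=True, ack=True, t=0.1)),
        ("port-cmd",     Pkt("out", s, d, 40001, 21, ack=True, payload=b"PORT 10,0,0,7,156,64\r\n", t=1.0)),
        ("data-syn",     Pkt("in",  d, s, 20, 40000, syn=True, t=1.5)),          # 156*256+64 = 40000
        ("data-synack",  Pkt("out", s, d, 40000, 20, syn=True, ack=True, t=1.6)),
        ("data-segment", Pkt("in",  d, s, 20, 40000, ack=True, payload=b"file bytes", t=2.0)),
        ("wrong-port",   Pkt("in",  d, s, 20, 40002, syn=True, t=2.5)),          # d tries another port
        ("third-party",  Pkt("in",  x, s, 20, 40000, syn=True, t=2.6)),          # not the server we talked to
        ("unsolicited",  Pkt("in",  d, s, 4444, 22, syn=True, t=3.0)),           # d scanning ssh
        ("port-cmd-2",   Pkt("out", s, d, 40001, 21, ack=True, payload=b"PORT 10,0,0,7,156,69\r\n", t=10.0)),
        ("late-syn",     Pkt("in",  d, s, 20, 40005, syn=True, t=50.0)),         # pinhole expired at t=40
    ]
    return {name: fw.handle(p) for name, p in steps}
```

The pinhole is keyed on all four addresses and ports, consumed on first use and expired on a short timer, which is the "much more caution" the slide mentions; a filter that merely opened port 20 from d for a while would also admit the `wrong-port` probe.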

Types of Firewalls
• Possible attacks and appropriate countermeasures
  – IP address spoofing
    • Discard packets with an inside source address that arrive on the external interface
  – Source routing attacks
    • Discard all source-routed packets

Types of Firewalls
• Possible attacks and appropriate countermeasures
  – Tiny fragment attacks
    • The intruder uses IP fragmentation to create extremely small IP packets that force the TCP header information into separate packet fragments, so the filter never sees the port numbers and flags together
    • Discard all packets where the protocol type is TCP and the IP fragment offset is small (in practice: a first fragment too short to hold the TCP header fields the filter needs, or a fragment at offset 1 that could overwrite them)
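A stateless packet filter covering the slides above, as an added example (not code from the original slides): an ordered rule table with a default policy, the ACK-bit trick for inside-initiated connections, and the three countermeasures (inside source address on the external interface, source-routed packets, tiny fragments) applied before the table. The network prefix, addresses, interface names and rule table are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INSIDE = ip_network("10.0.0.0/8")   # assumed premises network behind the router


@dataclass
class Packet:
    iface: str                    # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False             # TCP ACK flag
    frag_offset: int = 0          # IP fragment offset in 8-byte units; 0 for the first/only fragment
    payload_len: int = 20         # bytes following the IP header in this fragment
    source_routed: bool = False   # loose/strict source route option present


@dataclass
class Rule:
    action: str                   # "forward" or "discard"
    iface: str = "*"
    proto: str = "*"
    src: str = "*"                # CIDR prefix or "*"
    dst: str = "*"
    dports: Tuple[int, int] = (0, 65535)
    require_ack: Optional[bool] = None   # None: don't care

    def matches(self, p: Packet) -> bool:
        if self.iface not in ("*", p.iface) or self.proto not in ("*", p.proto):
            return False
        if self.src != "*" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "*" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.require_ack is not None and p.ack != self.require_ack:
            return False
        return True


def sanity_checks(p: Packet) -> Optional[str]:
    """The countermeasures from the slides, applied before the rule table."""
    if p.iface == "ext" and ip_address(p.src) in INSIDE:
        return "spoofed-source"          # inside address arriving from the Internet
    if p.source_routed:
        return "source-routed"           # never honour sender-chosen paths
    if p.proto == "tcp":
        if p.frag_offset == 0 and p.payload_len < 16:
            return "tiny-fragment"       # first fragment too short to carry ports and flags
        if p.frag_offset == 1:
            return "tiny-fragment"       # would overwrite the flags of the first fragment
    return None


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> Tuple[str, str]:
    """First matching rule wins; otherwise the default policy applies."""
    reason = sanity_checks(p)
    if reason is not None:
        return "discard", reason
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return default, "default"


RULES = [
    Rule("forward", iface="int", src="10.0.0.0/8"),                                   # 0: inside may go out
    Rule("forward", iface="ext", proto="tcp", dst="10.0.0.25/32", dports=(25, 25)),   # 1: public mail server
    Rule("forward", iface="ext", proto="tcp", dst="10.0.0.0/8", require_ack=True),    # 2: replies only (ACK set)
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed packets exercising each path through the filter."""
    out, srv, atk = "198.51.100.9", "10.0.0.25", "203.0.113.5"
    cases = {
        "outbound-syn":  Packet("int", "10.0.0.7", out, "tcp", 40001, 80),
        "reply-synack":  Packet("ext", out, "10.0.0.7", "tcp", 80, 40001, ack=True),
        "inbound-syn":   Packet("ext", out, "10.0.0.7", "tcp", 55555, 22),
        "inbound-smtp":  Packet("ext", atk, srv, "tcp", 55555, 25),
        "ack-probe":     Packet("ext", atk, "10.0.0.7", "tcp", 55555, 6000, ack=True),
        "spoofed":       Packet("ext", "10.0.0.1", "10.0.0.7", "tcp", 1, 22, ack=True),
        "source-routed": Packet("ext", atk, srv, "tcp", 1, 25, source_routed=True),
        "tiny-fragment": Packet("ext", atk, "10.0.0.7", "tcp", payload_len=8),
    }
    return {name: filter_packet(RULES, p) for name, p in cases.items()}
```

The `ack-probe` case is the weakness the slides point at: a stateless filter admits any packet with ACK set to an inside host, because it cannot know whether a connection exists. That is the "who really sent the packet?" problem, and the reason for the stateful filter.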

Types of Firewalls
• Application-level Gateway (figure)

Types of Firewalls
• Application-level Gateway
  – Also called a proxy server
  – Acts as a relay of application-level traffic
  – Can act as a router, but is typically placed between two packet-filtering firewalls (for a total of three boxes)
    • The two firewalls are routers that refuse to forward anything from the global net that is not addressed to the gateway, and anything to the global net that is not from the gateway
  – Sometimes called a bastion host (we use the term differently)

Types of Firewalls
• Advantages:
  – Higher security than packet filters
  – Only need to scrutinize a few allowable applications
  – Easy to log and audit all incoming traffic
• Disadvantages:
  – Additional processing overhead on each connection (the gateway is a splice point)

Types of Firewalls
• Circuit-level Gateway (figure)

Types of Firewalls
• Circuit-level Gateway
  – Stand-alone system, or
  – Specialized function performed by an application-level gateway
  – Sets up two TCP connections
  – The gateway typically relays TCP segments from one connection to the other without examining the contents

Types of Firewalls
• Circuit-level Gateway
  – The security function consists of determining which connections will be allowed
  – Typical use is a situation in which the system administrator trusts the internal users
  – An example is the SOCKS package

Types of Firewalls
• Bastion Host
  – A system identified by the firewall administrator as a critical strong point in the network's security
  – The bastion host serves as a platform for an application-level or circuit-level gateway

Firewall Configurations
• In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
• Three common configurations

Firewall Configurations
• Screened host firewall system (single-homed bastion host) (figure)

Firewall Configurations
• Screened host firewall, single-homed bastion configuration
• The firewall consists of two systems:
  – A packet-filtering router
  – A bastion host

Firewall Configurations
• Configuration for the packet-filtering router:
  – Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions

Firewall Configurations
• Greater security than single-system configurations because:
  – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining the security policy)
  – An intruder must generally penetrate two separate systems

Firewall Configurations
• This configuration also affords flexibility in providing direct Internet access (e.g. to a public information server such as a Web server)

Firewall Configurations
• Screened host firewall system (dual-homed bastion host) (figure)

Firewall Configurations
• Screened host firewall, dual-homed bastion configuration
  – The bastion host has two network interfaces, so even if the packet-filtering router is completely compromised, traffic cannot be routed around the bastion host
  – Traffic between the Internet and other hosts on the private network has to flow through the bastion host

Firewall Configurations
• Screened-subnet firewall system (figure)

Firewall Configurations
• Screened subnet firewall configuration
  – Most secure configuration of the three
  – Two packet-filtering routers are used
  – Creates an isolated sub-network

Firewall Configurations
• Advantages:
  – Three levels of defense to thwart intruders
  – The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)

Firewall Configurations
• Advantages:
  – The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
  – Reduces the "chewiness" of the inside (a perimeter alone gives a crunchy shell around a soft centre: once past the router, everything inside is reachable)

Why Firewalls Don't Work
• They assume all bad guys are on the outside, and everyone inside can be trusted.
• Firewalls can be defeated if malicious code can be injected into the corporate network
  – e.g. trick someone into launching an executable from an email message or into downloading something from the net.
• They often make it difficult for legitimate users to get their work done.
  – Misconfiguration, failure to recognize a new application

Why Firewalls Don't Work
• If the firewall allows anything through, people figure out how to do what they need by disguising their traffic as allowed traffic
  – e.g. file transfer by sending the file through email. If the size of emails is limited, the user breaks the file into chunks, etc.
  – Firewall-friendly traffic (e.g. using http for other purposes)
    • Defeats the sysadmin's effort to control traffic
    • Less efficient than not using http

Trusted Systems
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Data Access Control
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile

Data Access Control
• General models of access control:
  – Access matrix
  – Access control list
  – Capability list

Data Access Control
• Access Matrix (figure)

Data Access Control
• Access Matrix: basic elements of the model
  – Subject: an entity capable of accessing objects; the concept of subject equates with that of process
  – Object: anything to which access is controlled (e.g. files, programs)
  – Access right: the way in which an object is accessed by a subject (e.g. read, write, execute)

Data Access Control
• Access Control List: decomposition of the matrix by columns

Data Access Control
• Access Control List
  – For each object, an access control list names the users and their permitted access rights
  – The list may contain a default or public entry

Data Access Control
• Capability list: decomposition of the matrix by rows

Data Access Control
• Capability list
  – A capability ticket specifies authorized objects and operations for a user
  – Each user has a number of tickets
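The three models on the preceding slides, as an added example (not code from the original slides): a small access matrix, its decomposition by columns into ACLs (with a default/public entry) and by rows into capability lists, the authorization check under each, and one consequence of the choice, namely which kind of revocation is cheap. The subjects, objects and rights are constructed sample data.

```python
from typing import Dict, FrozenSet

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]

# Access matrix: rows are subjects, columns are objects (constructed sample data).
MATRIX: Matrix = {
    "alice": {"payroll.db": frozenset({"read", "write"}), "report.txt": frozenset({"read"})},
    "bob":   {"report.txt": frozenset({"read", "write"}), "backup.sh": frozenset({"execute"})},
    "carol": {},
}
# Default/public entries that an ACL may carry; "*" stands for any subject.
PUBLIC: Dict[str, Rights] = {"report.txt": frozenset({"read"})}


def acls(matrix: Matrix, public: Dict[str, Rights] = PUBLIC) -> Dict[str, Dict[str, Rights]]:
    """Decompose by columns: one list per object, naming subjects and their rights."""
    acl: Dict[str, Dict[str, Rights]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl.setdefault(obj, {})[subject] = rights
    for obj, rights in public.items():
        acl.setdefault(obj, {})["*"] = rights
    return acl


def capability_lists(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Decompose by rows: one list of tickets (object -> rights) per subject."""
    return {subject: dict(row) for subject, row in matrix.items()}


def matrix_from_acl(acl: Dict[str, Dict[str, Rights]]) -> Matrix:
    """Rebuild the matrix from the ACLs; public entries belong to no particular subject."""
    matrix: Matrix = {}
    for obj, entries in acl.items():
        for subject, rights in entries.items():
            if subject != "*":
                matrix.setdefault(subject, {})[obj] = rights
    return matrix


def allowed_by_acl(acl, subject: str, obj: str, right: str) -> bool:
    """ACL check: look up the object, then the subject (or the public entry)."""
    entries = acl.get(obj, {})
    return right in entries.get(subject, frozenset()) or right in entries.get("*", frozenset())


def allowed_by_capability(caps, subject: str, obj: str, right: str) -> bool:
    """Capability check: the subject must hold a ticket for the object carrying the right."""
    return right in caps.get(subject, {}).get(obj, frozenset())


def demo() -> Dict[str, bool]:
    acl, caps = acls(MATRIX), capability_lists(MATRIX)
    r = {
        "alice-write-payroll":   allowed_by_acl(acl, "alice", "payroll.db", "write"),          # True
        "carol-read-report":     allowed_by_acl(acl, "carol", "report.txt", "read"),           # True, via the public entry
        "carol-write-report":    allowed_by_acl(acl, "carol", "report.txt", "write"),          # False
        "bob-execute-backup":    allowed_by_capability(caps, "bob", "backup.sh", "execute"),   # True
        "carol-read-report-cap": allowed_by_capability(caps, "carol", "report.txt", "read"),   # False: carol holds no ticket
    }
    # Revocation is cheap along the axis you decomposed on:
    acl["report.txt"] = {}   # ACL: clear one column, and everyone loses report.txt at once
    caps["bob"] = {}         # capabilities: clear one row, and bob loses everything at once
    r["alice-read-report-after-revoke"] = allowed_by_acl(acl, "alice", "report.txt", "read")            # False
    r["bob-execute-backup-after-revoke"] = allowed_by_capability(caps, "bob", "backup.sh", "execute")  # False
    return r
```

The `carol-read-report` pair shows that the two decompositions are only equivalent when the matrix has no default entry: a public ACL entry has no counterpart unless a ticket is issued to every subject. Revoking one object's access is a single ACL edit, while revoking one subject's access is a single capability-list edit; the other direction requires a scan in each model.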

The Concept of Trusted Systems
• Trusted Systems
  – Protection of data and resources on the basis of levels of security (e.g. military)
  – Users can be granted clearances to access certain categories of data

The Concept of Trusted Systems
• Multilevel security
  – Definition of multiple categories or levels of data
• A multilevel secure system must enforce:
  – No read up: a subject can only read an object of lower or equal security level (Simple Security Property)
  – No write down: a subject can only write into an object of greater or equal security level (*-Property)

The Concept of Trusted Systems
• Reference Monitor Concept: multilevel security for a data processing system

The Concept of Trusted Systems (figure)

The Concept of Trusted Systems
• Reference Monitor
  – Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
  – The monitor has access to a file (the security kernel database)
  – The monitor enforces the security rules (no read up, no write down)

The Concept of Trusted Systems
• Properties of the Reference Monitor
  – Complete mediation: security rules are enforced on every access
  – Isolation: the reference monitor and database are protected from unauthorized modification
  – Verifiability: the reference monitor's correctness must be provable (mathematically)

The Concept of Trusted Systems
• A system that can provide such verifications (properties) is referred to as a trusted system

Trojan Horse Defense
• Secure, trusted operating systems are one way to secure against Trojan horse attacks
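A reference monitor for the multilevel-security slides above and for the Trojan horse defense just mentioned, as an added example (not code from the original slides): labels form a lattice of level plus category set, `mediate()` is the single path by which a subject reaches an object (complete mediation) and enforces no read up and no write down, the label database is copied on construction so callers cannot relabel through it (isolation), and `verify()` checks the two rules exhaustively against the policy written out independently (a small-scale stand-in for verifiability). The levels, categories and the sample subjects and objects are assumptions made for the example; the Trojan horse is modelled as a process running with alice's clearance that tries to copy secret data into a file bob can read.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of the categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


class ReferenceMonitor:
    """Every access request passes through mediate(); nothing else touches objects."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self._db_subjects = dict(subjects)   # security kernel database: private copies, so a
        self._db_objects = dict(objects)     # caller cannot relabel by editing its own dicts
        self.audit: List[Tuple[str, str, str, bool]] = []

    def mediate(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self._db_subjects[subject], self._db_objects[obj]
        if mode == "read":
            ok = s.dominates(o)      # simple security property: no read up
        elif mode == "write":
            ok = o.dominates(s)      # *-property: no write down
        elif mode == "read-write":
            ok = s == o              # both at once: the labels must be equal
        else:
            ok = False               # unknown mode: fail closed
        self.audit.append((subject, obj, mode, ok))
        return ok


def verify(rm: ReferenceMonitor) -> bool:
    """Exhaustive check of mediate() against the two rules, restated without Label.dominates."""
    for s, sl in rm._db_subjects.items():
        for o, ol in rm._db_objects.items():
            read_ok = LEVELS[sl.level] >= LEVELS[ol.level] and sl.categories >= ol.categories
            write_ok = LEVELS[ol.level] >= LEVELS[sl.level] and ol.categories >= sl.categories
            if rm.mediate(s, o, "read") != read_ok or rm.mediate(s, o, "write") != write_ok:
                return False
    return True


def demo() -> Dict[str, bool]:
    subjects = {
        "alice":  Label("secret", frozenset({"nuclear"})),
        "bob":    Label("confidential"),
        "trojan": Label("secret", frozenset({"nuclear"})),   # Trojan horse running with alice's clearance
    }
    objects = {
        "warplan.doc":    Label("secret", frozenset({"nuclear"})),
        "budget.xls":     Label("secret"),                    # secret, but no category
        "drop.txt":       Label("confidential"),              # a file bob can read
        "newsletter.txt": Label("unclassified"),
    }
    rm = ReferenceMonitor(subjects, objects)
    return {
        "alice-read-warplan":     rm.mediate("alice", "warplan.doc", "read"),        # True
        "bob-read-warplan":       rm.mediate("bob", "warplan.doc", "read"),          # False: no read up
        "alice-read-budget":      rm.mediate("alice", "budget.xls", "read"),         # True: her categories are a superset
        "bob-write-warplan":      rm.mediate("bob", "warplan.doc", "write"),         # True: writing up is permitted
        "trojan-read-warplan":    rm.mediate("trojan", "warplan.doc", "read"),       # True: it inherits alice's clearance
        "trojan-write-drop":      rm.mediate("trojan", "drop.txt", "write"),         # False: no write down, so no leak to bob
        "alice-write-newsletter": rm.mediate("alice", "newsletter.txt", "write"),    # False
        "alice-rw-warplan":       rm.mediate("alice", "warplan.doc", "read-write"),  # True
        "verified":               verify(rm),                                        # True
    }
```

The Trojan horse cannot be stopped from reading what alice may read, since it runs as her process; what the *-property removes is its ability to write that data anywhere a lower-cleared subject could read it, which is the defense the slide refers to. The blind write-up (`bob-write-warplan`) is allowed by the rules as stated; systems that also care about integrity add further checks.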

Trojan Horse Defense (figures)

Recommended Reading
• Chapman, D., and Zwicky, E. Building Internet Firewalls. O'Reilly, 1995
• Cheswick, W., and Bellovin, S. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 2000
• Gasser, M. Building a Secure Computer System. Van Nostrand Reinhold, 1988
• Pfleeger, C. Security in Computing. Prentice Hall, 1997