Week 9 Lecture Note
Transcription
Protection Mechanisms: Firewalls (Part 2)

Introduction (cont.)

Categories of Firewalls

1) processing mode
   1.1) MAC layer firewalls
   1.2) packet filtering firewalls
   1.3) application gateways
   1.4) circuit gateways
   1.5) hybrids
2) development era (generation)
   2.1) – 2.5) 1st, 2nd, 3rd, 4th, 5th generation
3) structure
   3.1) commercial-grade firewall appliances
   3.2) commercial-grade firewall systems
   3.3) small-office/home-office (SOHO) firewall appliances
   3.4) residential-grade firewall software
4) architecture
   4.1) packet filtering routers
   4.2) dual-homed host firewalls
   4.3) screened host firewalls
   4.4) screened subnet firewalls

Firewalls by Structure

3.1) Commercial-Grade Firewall Appliance [Hardware]
   - stand-alone, self-contained combination of hardware and software (~ $1,000 – $10,000)
   - often a general-purpose computer with a customized OS that can be modified only through a direct physical connection and strong authentication
   - less exposed to the bugs and other flaws of common general-purpose OSes, because the hardened custom OS carries a much smaller attack surface; the appliance's own OS and firmware still receive security fixes and must be patched like any other device
   - can handle more data with faster throughput
   - generally more expensive than software counterparts
   - examples: Cisco's hardware firewalls, e.g. IOS routers with the Cisco IOS Firewall feature set (note that the ASA appliances below run Cisco's separate ASA operating system rather than IOS)

   Cisco's product description of the ASA 5510 (quoted from the vendor):
   "The Cisco ASA 5510 Adaptive Security Appliance delivers a wealth of advanced security and networking services for small-to-medium businesses and enterprise remote/branch offices in an easy-to-deploy, cost-effective appliance. These services can be easily managed and monitored by the integrated, Web-based management application, Cisco Adaptive Security Device Manager, thus reducing the overall deployment and operations costs associated with providing this high level of security.
   The Cisco ASA 5510 Adaptive Security Appliance provides high performance firewall and VPN services, three integrated 10/100 Fast Ethernet interfaces, and optional high-performance intrusion prevention and anti-x services via a Security Services Module, making it an excellent choice for businesses requiring a cost-effective, extensible, DMZ-enabled security solution. As business needs grow, the Cisco ASA 5510 Adaptive Security Appliance can also scale to higher interface density and integrate into switched network environments through VLAN support by installing a Security Plus upgrade license. Furthermore, this upgrade license maximizes business continuity by enabling Active/Standby high availability services and expands VPN capacity by supporting a greater number of concurrent VPN connections for mobile users, remote sites, and business partners."
   suggested retail prices quoted on the slide: $5,304.10 and $3,978.07

3.2) Commercial-Grade Firewall Systems [Software]
   - consist of application firewall software that runs on a general-purpose computer (~ $1,000 – $5,000)
   - aka Enterprise Firewalls; designed for large, complex networks
   - features: ability to manage multiple firewalls centrally; sophisticated monitoring and reporting; load balancing and failover, ...
   - example: Novell's BorderManager
     see: http://www.novell.com/documentation/nbm39/pdfdoc/installation/installation.pdf

3.3) Small Office / Home Office [SOHO] or Residential-Grade Firewall Appliance
   - aimed at protecting small businesses and residences with an always-on DSL or cable modem connection to the Internet (~ $100)
   - SOHO firewall properties: stateful packet filtering; port filtering and simple intrusion detection; screened subnetting, ...
   - in recent years SOHO firewalls also combine the features of a wireless access point (WAP) and NAT
   - with NAT, internal computers are 'not visible' (not directly addressable) from the public network, hence less exposed to unsolicited inbound connections; NAT by itself does nothing about traffic that internal hosts initiate, so it complements rather than replaces filtering rules
   - examples: SMC Barricade residential broadband router; Sonicwall SOHO firewall
3.4) Residential-Grade Firewall Software
   - software installed directly on the user's system (free or ~ $100)
   - aka Personal Firewalls; intended to protect a single computer
   - features: lightweight in terms of protection; most guard only against IP threats; some do not handle outbound blocking, ...
   - examples: ZoneAlarm Pro (freeware version available); Norton Personal Firewall; Sygate Personal Firewall Pro (freeware version available); Microsoft Windows Firewall, integral to Windows XP, Vista and Windows 7
     http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm

Example: Firewall advantages and disadvantages (comparison table on the slide)

Firewalls by Architecture

Firewall Architectures
   - each of the four classes of firewalls (MAC-layer, packet filtering firewall, application gateway, circuit gateway) can be used and combined in a number of ways
   - the ultimate decision on which and how many firewalls to deploy depends on: network uses; network objectives; available budget (for initial purchase, maintenance, upgrades)

4.1) Packet Filtering (Screening) Firewall / Router
   - rejects packets that the organization does not want to let 'in'
   - a simple way to lower the risk from high-volume, low-complexity attacks
   - drawbacks: a complex ACL can degrade (slow down) network performance; single point of failure – if the router fails or is misconfigured, there is no further protection
   - appropriate uses: the network being protected already has a high level of host security; the number of protocols and their rules/uses is straightforward; you require maximum performance

4.2) Dual-Homed Host Firewall (Application Gateway)
   - a host firewall (not a router!) with two NICs is placed between the internal and the external network
   - all traffic must physically go through the host firewall; IP forwarding between its two interfaces is disabled, so nothing crosses unless the host's own proxy services relay it
   - the host firewall filters data based on higher-layer content (not just the IP header)
   - drawbacks: dual-homed hosts are NOT high-performance devices, since they have more work to do per connection; a dual-homed host is a 'regular' computer with all of its vulnerabilities; a dual-homed host is the system's single point of failure
   - appropriate uses: traffic to the Internet is low-volume and not business-critical; no service is being provided to Internet-based users

4.3) Screened Host Firewall
   - combines a packet filtering router and a separate application gateway
   - the router prescreens packets to minimize network traffic
   - the gateway, aka bastion host, performs proxy services for one or more application protocols (e.g. FTP, HTTP)
   - the gateway is the only host on the internal network that hosts from the Internet can communicate with
   - strengths: to compromise the internal network, an attacker must compromise both the screening router and the bastion host; overall, router + proxy protect the network more fully than a router or a dual-homed host alone
   - caveat: the bastion host sits on the internal network itself, so a break-in on it lands the attacker directly inside (this is what the perimeter network in 4.4 addresses)
   - appropriate uses: few connections are coming from the Internet; the network being protected has a relatively high level of host security
4.4) Screened Subnet Architecture
   - adds an extra layer of security to the screened host architecture by adding a perimeter network that better isolates the bastion host
   - the bastion host is 'the most likely to be attacked' machine on the network
   - by setting up a perimeter network, the ultimate impact of a break-in on the bastion host is significantly reduced: it is no longer an instant 'jackpot'; it gives an intruder some access, but not all
   - to break into the internal network an attacker would have to get past both routers

   If you have $$$$, it is OK to use multiple bastion hosts
   - e.g. one host handles services important to your own users (SMTP, DNS), another host handles services that you provide to the Internet (HTTP, FTP); this way the performance seen by your own users is not dragged down by the activities of outside users

   If you do not have $$$$, it is OK to merge the bastion host and the exterior router
   - this configuration exposes the bastion host more, but it does not open significant new vulnerabilities to the internal network

   If you do not have $$$$, it is dangerous to merge the bastion host and the interior router
   - with this configuration, if the bastion host is broken into, there is nothing left in the way of security between the bastion host and the internal network
   - one of the main purposes of the perimeter network is to prevent the bastion host from being able to snoop on internal traffic; with this configuration all of your internal traffic is visible to it

   In multi-LAN networks, multiple interior routers should be used with caution
   - in case of a misconfiguration on one of the interior routers (which happens frequently), strictly internal traffic may end up flowing across the perimeter network, where it can be snooped on if somebody has managed to break into the bastion host
   - possible solution: a backbone architecture (the internal LANs attach to an internal backbone, and a single interior router joins that backbone to the perimeter network)

   In complex networks, it is OK to use multiple exterior routers; they may be needed if:
   a) for redundancy purposes, you have multiple connections to the Internet
   b) you have a connection to the Internet plus other connections to other sites
   - compromise of an exterior router in case a) is not critical – the attacker still cannot see internal traffic
   - case b) is possibly dangerous if the other connections are to sites that require/assume privacy of information, because traffic to those sites crosses the perimeter network, where a compromised exterior router or bastion host can observe it

Slide question: an HTTP Server and an HTTP Proxy separated by a firewall (diagram: HTTP Proxy | firewall | HTTP Server). Is this architecture optimal with regard to QoS?

4.4) Screened Subnet Firewall with DMZ
   - provides an extra layer of security by creating a new network segment, the DeMilitarized Zone (DMZ), that holds the 'public servers'
   - the DMZ is isolated from the rest of the internal network
   - components: exterior and interior filtering routers; bastion host
   - the bastion host acts as proxy for the DMZ's servers and is protected by the interior and exterior filtering routers
   - interior router: protects the internal network from the perimeter network and the Internet; allows only specific DMZ hosts (DNS, SMTP, HTTP server) to communicate with hosts on the internal network
   - exterior router: protects the perimeter and the internal network from the Internet; blocks incoming and outgoing IP packets with forged (spoofed) source addresses, i.e. an incoming packet that claims an internal source address, or an outgoing packet whose source address is not one of ours
   - if someone successfully breaks into the bastion host, the internal network is still (reasonably) protected by the interior router; the attacker will be able to snoop only on the DMZ's local hosts and traffic

Example: Multiple DMZ / Firewall Configurations
   - server farm 1, Web Server 1: stores public data that requires no (major) protection or is not likely to be a 'target'
   - server farm 2, Web Server 2: stores public data that requires protection
   - server farm 3, Web Server 3: stores private data that requires a high level of protection

How Many Firewalls and Where?
   - a simple home network might be sufficiently protected with a single stateful packet filter
   - a small network with proprietary information can use a proxy server + packet filter to prevent external users from 'seeing' internal data and the internal network
   - large companies with public Web servers and proprietary data may have to build a DMZ with packet filters on either side

Firewall Rules

Configuring Firewall Rules – as much art as science
   - each rule must be carefully crafted, debugged, tested and placed into the Access Control List (ACL) in the proper order
   - rules that can be evaluated quickly and regulate broad access should be placed first, since the filter stops at the first matching rule
   - when security rules conflict with performance, it is usually the security rule that gets removed or redesigned, so the resulting loss of protection should be recognized explicitly rather than silently accepted
   - most firewalls operate on the principle of explicitly permitted rules: "that which is not explicitly permitted is prohibited" (default deny)
'Best Practices' for Firewalls and Firewall Rules
   - firewall devices should not be accessible for management and configuration from the public network, nor from the internal network at large; only authorized firewall administrators should be able to access the device, using encryption and strong authentication
   - SMTP data should be allowed through the firewall, but routed to a well-configured SMTP gateway that filters mail traffic securely
   - all ICMP data from the outside should be denied (caveat: a blanket ICMP block also drops the 'fragmentation needed / packet too big' errors on which path MTU discovery depends, so in practice those error types are still permitted through)
   - Telnet access to all internal servers from the public network should be blocked (especially to the DNS server)
   - if internal users need to come into the organization's network from outside the firewall, a Virtual Private Network (VPN) is preferred
   - when Web services are offered outside the firewall, the use of proxy servers (in or outside the DMZ) should be considered
     proxy server – application-level software that checks and forwards packets to and from the Web server, and caches Web pages to speed up network performance

Example: Firewall rules
Assume a network with one external and one internal firewall.
   NetIP: 10.10.10.0
   internal servers: 10.10.10.1, 10.10.10.2, 10.10.10.3
   internal hosts behind the internal firewall (on a switch): 192.168.2.1, 192.168.2.2, 192.168.2.3; one of them is the firewall administrator's workstation
   Internet – (external firewall) – 10.10.10.0 servers – (internal firewall) – switch – 192.168.2.x hosts

   NAT addressing:
     INT address    EXT address
     192.168.2.1    10.10.10.7
     192.168.2.2    10.10.10.8
     192.168.2.3    10.10.10.9
     192.168.2.x    10.10.10.10   (all remaining internal hosts share this translated address)

   (The slides' per-rule tables, which list source, destination, port and firewall interface I1/I2 for each rule, survive only as a column of interface labels and are not reproduced; the rule descriptions follow.)

Rule 1: Responses to internal requests are allowed.
   External (inbound) firewall: client programs use high-numbered (> 1023) source ports, so replies from outside are addressed to those ports.
   Internal firewall: use state tables to track connections and prevent dangerous packets from entering the upper port range; an inbound packet is admitted only if it matches a connection an inside host opened.

Rule 2: The firewall device is never accessible directly from the public or the internal network, and it should never be allowed to access other devices directly.
   External firewall: deny all traffic whose source or destination is the firewall's own address. Similar rules should be designed for the internal firewall as well.

Rule 3: All traffic from the trusted network is allowed out. (External and internal firewall.)

Rule 4: All traffic intended for the SMTP server is allowed into the DMZ. (External and internal firewall.)

Rule 5: All outside ICMP data (ping, traceroute) is denied, while inside ICMP is allowed. (Internal and external firewall.)

Rule 6: All outside Telnet access to all internal servers is blocked. (Internal and external firewall.)

Rule 7: The proxy server and the Web server are in the DMZ. Internal hosts are allowed to access the Web server directly; external hosts are directed to the proxy server, which repackages each HTTP request into a new packet and retransmits it to the Web server. (Internal and external firewall.)

Rule 8: The cleanup rule! If a request for a service is not explicitly allowed by policy, that request is denied. (External and internal firewall; always the last rule in the ACL.)
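The ordered-ACL behaviour described above (first match wins, broad cheap rules first, cleanup rule last), the state-table handling behind Rule 1, and the exterior router's anti-spoofing check from the DMZ section can be seen together in one small simulation. The following is an added example written for this note, not code from the lecture or from any firewall product: a first-match, default-deny filter for the external firewall of the example network, run over constructed packets. The 10.10.10.0 network and the translated host address 10.10.10.7 come from the lecture's NAT table; the firewall's own address (10.10.10.254), the DMZ roles assigned to 10.10.10.2 (SMTP gateway) and 10.10.10.3 (HTTP proxy), and the packet representation are assumptions made for the example.

```python
"""Added example: first-match, default-deny packet filter with a state table,
encoding Rules 1-8 for the external firewall of the lecture's example network.
Not the lecture's code; addresses below marked 'assumed' are invented here."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")  # lecture: NetIP 10.10.10.0
FIREWALL_IP = "10.10.10.254"   # assumed: the external firewall's own address
SMTP_SERVER = "10.10.10.2"     # assumed: DMZ SMTP gateway (Rule 4)
PROXY_SERVER = "10.10.10.3"    # assumed: DMZ HTTP proxy (Rule 7)


@dataclass(frozen=True)
class Packet:
    """A packet as the filter sees it; direction is 'in' (from the Internet)
    or 'out' (from the trusted network)."""
    direction: str
    src: str
    dst: str
    proto: str          # 'tcp', 'udp' or 'icmp'
    sport: int = 0
    dport: int = 0


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


class ExternalFirewall:
    def __init__(self):
        # 5-tuples of flows the trusted side opened.  Inbound replies must match
        # the reversed tuple (Rule 1); no high port is ever opened wholesale.
        self.state = set()

    def rules(self):
        # Order matters: evaluation stops at the first match, so the cheap,
        # broad rules come first and the cleanup rule (Rule 8) is always last.
        return [
            ("R1 reply to internal request", "allow",
             lambda p: p.direction == "in"
             and (p.dst, p.dport, p.src, p.sport, p.proto) in self.state),
            ("R2 firewall itself", "deny",
             lambda p: FIREWALL_IP in (p.src, p.dst)),
            # Exterior-router anti-spoofing: an inbound packet must not claim an
            # internal source, and an outbound packet must carry one.
            ("anti-spoof", "deny",
             lambda p: (p.direction == "in") == is_internal(p.src)),
            ("R3 trusted network out", "allow",
             lambda p: p.direction == "out"),
            ("R4 SMTP to DMZ gateway", "allow",
             lambda p: p.proto == "tcp" and p.dst == SMTP_SERVER and p.dport == 25),
            ("R5 outside ICMP", "deny",
             lambda p: p.proto == "icmp"),
            ("R6 outside telnet", "deny",
             lambda p: p.proto == "tcp" and p.dport == 23),
            ("R7 HTTP to proxy only", "allow",
             lambda p: p.proto == "tcp" and p.dst == PROXY_SERVER and p.dport == 80),
            ("R8 cleanup", "deny", lambda p: True),
        ]

    def filter(self, p: Packet):
        """Return (action, name of the first matching rule); record outbound
        TCP/UDP flows in the state table so their replies pass under Rule 1."""
        for name, action, match in self.rules():
            if match(p):
                if action == "allow" and p.direction == "out" and p.proto != "icmp":
                    self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return action, name
        raise AssertionError("unreachable: the cleanup rule matches everything")


def demo():
    """Constructed traffic (203.0.113.5 and 198.51.100.9 are documentation
    addresses standing in for Internet hosts); returns the list of decisions."""
    fw = ExternalFirewall()
    packets = [
        Packet("out", "10.10.10.7", "203.0.113.5", "tcp", 40000, 80),      # browse out
        Packet("in", "203.0.113.5", "10.10.10.7", "tcp", 80, 40000),       # its reply
        Packet("in", "198.51.100.9", "10.10.10.7", "tcp", 40001, 40000),   # unsolicited, same port
        Packet("in", "198.51.100.9", SMTP_SERVER, "tcp", 40002, 25),       # mail to DMZ gateway
        Packet("in", "198.51.100.9", "10.10.10.1", "icmp"),                # ping from outside
        Packet("in", "198.51.100.9", "10.10.10.1", "tcp", 40003, 23),      # telnet from outside
        Packet("in", "198.51.100.9", PROXY_SERVER, "tcp", 40004, 80),      # web via proxy
        Packet("in", "198.51.100.9", "10.10.10.1", "tcp", 40005, 80),      # web server direct
        Packet("in", "10.10.10.1", SMTP_SERVER, "tcp", 40006, 25),         # forged inside source
        Packet("out", "10.10.10.7", FIREWALL_IP, "tcp", 40007, 22),        # admin from inside
        Packet("out", "10.10.10.7", "203.0.113.5", "icmp"),                # ping from inside
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for action, rule in demo():
        print(f"{action:5}  {rule}")
```

Two things the run makes visible that the rule list alone does not: the unsolicited inbound packet to port 40000 is dropped by the cleanup rule even though an identical-looking reply was admitted a moment earlier, because only the state table distinguishes them; and the forged packet to the SMTP gateway is stopped by the anti-spoofing check before Rule 4 ever gets a chance to allow it, which is why that check must sit above the permissive rules in the ACL.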