Application Firewalls
Application Firewalls
Moving Up the Stack
Advantages
Disadvantages
Example: Protecting Email
Email Threats
Inbound Email
Different Sublayers
Outbound Email
Combining Firewall Types
Firewalling Email
Enforcement
Outbound Email
The DNS
Application Proxies
Circuit Gateways
Personal and Distributed Firewalls
The Problems with Firewalls
Midterm
Moving Up the Stack
■ Why move up the stack?
■ Apart from the limitations of packet filters discussed last time, firewalls are inherently incapable of protecting against attacks on a higher layer
■ IP packet filters (plus port numbers...) can’t protect against bogus TCP data
■ A TCP-layer firewall can’t protect against bugs in SMTP
■ SMTP proxies can’t protect against problems in the email itself, etc.
Advantages
■ Protection can be tuned to the individual application
■ More context can be available
■ You only pay the performance price for that application, not others
Disadvantages
■ Application-layer firewalls don’t protect against attacks at lower layers!
■ They require a separate program per application
■ These programs can be quite complex
■ They may be very intrusive for user applications, user behavior, etc.
Example: Protecting Email
■ Do we protect inbound or outbound email? Some of the code is common; some is quite different
■ Do we work at the SMTP level (RFC 2821) or the mail content level (RFC 2822)?
■ What about MIME?
■ (What about S/MIME- or PGP-protected mail?)
■ What are the threats?
Email Threats
■ The usual: defend against protocol implementation bugs
■ Virus-scanning
■ Anti-spam?
■ Javascript? Web bugs in HTML email?
■ Violations of organizational email policy?
■ Signature-checking?
Inbound Email
■ Email is easy to intercept: MX records in the DNS route inbound email to an arbitrary machine
■ Possible to use “*” to handle entire domain
■ Example: DNS records exist for att.com and *.att.com
■ Net result: all email for that domain is sent to a front end machine
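The MX routing on this slide, as an added example that is not part of the original slides: a simplified lookup showing which host receives mail when records exist for att.com and *.att.com. The host names mailfe and www and the addresses are constructed. It also shows that a name with records of its own is not covered by the wildcard, so DNS alone does not guarantee the path.

```python
# Constructed zone data: owner name -> {record type: value}.
# mailfe, www and the 192.0.2.x addresses are illustrative assumptions.
ZONE = {
    "att.com":        {"MX": "mailfe.att.com"},
    "*.att.com":      {"MX": "mailfe.att.com"},
    "mailfe.att.com": {"A": "192.0.2.10"},
    "www.att.com":    {"A": "192.0.2.80"},   # exists, but has no MX of its own
}

def lookup(name, rtype, zone=ZONE):
    """Return the value for name/rtype, applying DNS wildcard synthesis.

    Simplified: empty non-terminals are not modelled.
    """
    name = name.lower().rstrip(".")
    if name in zone:                  # the name exists: wildcards never apply
        return zone[name].get(rtype)
    labels = name.split(".")
    # Walk up to the closest enclosing name and try its "*" child.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in zone:
            return zone["*." + parent].get(rtype)
        if parent in zone:            # closest encloser has no wildcard
            return None
    return None

def mail_target(domain, zone=ZONE):
    """Host a sending mailer would contact for mail addressed to @domain."""
    mx = lookup(domain, "MX", zone)
    if mx:
        return mx
    # No MX record: senders fall back to the domain's own address record.
    return domain if lookup(domain, "A", zone) else None

if __name__ == "__main__":
    for d in ("att.com", "research.att.com", "a.b.att.com", "www.att.com"):
        print(d, "->", mail_target(d))
```

Mail for www.att.com goes to www itself rather than to the front end, because the wildcard is only used for names that do not otherwise exist in the zone.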
Different Sublayers
■ Note that there are multiple layers of protection possible here
■ The receiving machine can run a hardened SMTP, providing protection at that layer
■ Once the email is received, it can be scanned at the content layer for any threats
■ The firewall function can consist of either or both
Outbound Email
■ No help from the protocol definition here
■ But — most mailers have the ability to forward some or all email to a relay host
■ Declare by administrative fiat that this must be done
■ Enforce this with a packet filter...
Combining Firewall Types
■ Use an application firewall to handle inbound and outbound email
■ Use a packet filter to enforce the rules
Firewalling Email
[Figure: diagram with the labels Packet Filter, Outside, DMZ, Inside, SMTP Receiver, Anti-Spam/Anti-Virus]
Enforcement
■ Email can’t flow any other way
■ The only SMTP server the outside can talk to is the SMTP receiver
■ It forwards the email to the anti-virus/anti-spam filter, via some arbitrary protocol
■ That machine speaks SMTP to some inside mail gateway
■ Note the other benefit: if the SMTP receiver is compromised, it can’t speak directly to the inside
Outbound Email
■ Again, we use a packet filter to block direct outbound connections to port 25
■ The only machine that can speak to external SMTP receivers is the dedicated outbound email gateway
■ That gateway can either live on the inside or on the DMZ
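The packet-filter rules from the Enforcement and Outbound Email slides, as an added example that is not part of the original slides: a default-deny rule set plus a check that each property the slides state actually holds. All addresses are constructed, and the example assumes the scanner sits in the DMZ beside the SMTP receiver and the outbound gateway lives on the inside.

```python
import ipaddress

# Constructed addressing plan (documentation and private ranges); the slides
# give no addresses. The receiver-to-scanner hop stays inside the DMZ here,
# so it never crosses the filter and needs no rule.
HOSTS = {
    "smtp_receiver": "192.0.2.25",  # only SMTP server the outside may reach
    "scanner": "192.0.2.26",        # anti-virus/anti-spam machine
    "inside_gw": "10.0.0.25",       # inside mail gateway
    "outbound_gw": "10.0.0.26",     # dedicated outbound email gateway
}
ZONES = {"inside": ipaddress.ip_network("10.0.0.0/8"),
         "dmz": ipaddress.ip_network("192.0.2.0/24")}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "outside")

# (source, destination, destination port); anything not listed is dropped.
ALLOW = [
    ("outside", "smtp_receiver", 25),   # inbound mail enters here only
    ("scanner", "inside_gw", 25),       # scanned mail continues inward
    ("outbound_gw", "outside", 25),     # sole path for outbound SMTP
]

def matches(selector, ip):
    """A selector is a host name from HOSTS or a zone name."""
    return HOSTS.get(selector) == ip or selector == zone_of(ip)

def decide(src, dst, port):
    """Default-deny verdict for one connection crossing the packet filter."""
    ok = any(matches(s, src) and matches(d, dst) and p == port
             for s, d, p in ALLOW)
    return "allow" if ok else "deny"

def failed_checks():
    """Return the slide properties that the rule set does not enforce."""
    ext, pc = "198.51.100.7", "10.1.2.3"  # constructed outside host, inside PC
    rcv, gw = HOSTS["smtp_receiver"], HOSTS["inside_gw"]
    expected = {
        "outside reaches SMTP receiver": (ext, rcv, "allow"),
        "outside cannot reach inside gateway": (ext, gw, "deny"),
        "receiver cannot speak to inside": (rcv, gw, "deny"),
        "inside PC cannot send direct": (pc, ext, "deny"),
        "outbound gateway can send": (HOSTS["outbound_gw"], ext, "allow"),
    }
    return [name for name, (s, d, want) in expected.items()
            if decide(s, d, 25) != want]
```

Widening any rule, for example changing the second entry's source to "dmz", makes failed_checks() report that the receiver can now speak to the inside.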