CSC 474 Information Systems Security
Topic 4.1 Firewalls
Dr. Peng Ning, Computer Science
Mar 30, 2015
Outline
• What are firewalls?
• Types
  – Filtering
    • Packet filtering
    • Session filtering
  – Proxy
    • Circuit level
    • Application level
• Brief introduction to Linux firewall
What is a firewall?
• Device that provides secure connectivity between networks (internal/external; varying levels of trust)
• Used to implement and enforce a security policy for communication between networks
[Figure: the firewall sits between the trusted networks (intranet, trusted users) and the untrusted networks and servers (Internet, untrusted users); publicly accessible servers and networks are placed in a DMZ behind the router]
Firewalls Can …
• Restrict incoming and outgoing traffic by IP address, ports, etc.
• Block invalid packets
• It’s also convenient …
  – Give insight into the traffic mix via logging
  – Network Address Translation
  – Encryption
Firewalls Cannot Protect…
• Traffic that does not cross it
  – Routing around the firewall
  – Internal traffic
• Anything, when misconfigured
Access Control
[Figure: the Internet, a DMZ net holding the web server pool, and the corporate network, separated by the firewall; alerts are raised at the firewall]
Security Requirement
• Control access to network information and resources
• Protect the network from attacks
Filtering
• Typically route packets
• Packets checked then passed
• May have different policies for inbound and outbound packets
• Some firewalls need to understand the application protocols
• May perform
  – Fragmentation/reassembly
  – Sequence number checking
Filtering (Cont’d)
• Packet filtering
  – Access Control Lists
• Session filtering
  – Dynamic Packet Filtering
  – Stateful Inspection
  – Smart Packet Filtering
  – Context Based Access Control
Packet Filtering
• Decisions made on a per-packet basis
• No state information saved
• If dynamic protocols are in use (e.g., FTP, whose data connection uses a negotiated port), entire ranges of ports must be left open for the protocol to work
• Example configuration
  – Deny access to the well-known ports (below 1024) and allow access to all the others
Packet Filtering (Cont’d)
[Figure: the two end hosts run the full OSI stack (Application down to Physical); the packet-filtering router between them implements only the Physical, Data Link and Network layers, so each decision is made from packet headers alone, without session context]
Session Filtering
• Packet decision made in the context of a connection
• If packet is a new connection, check against security policy
• If packet is part of an existing connection, match it up in the state table & update table
• Example configuration
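The two filtering styles side by side, as an added example that is not part of the lecture slides: a stateless ACL and a session filter with a state table are run over the same three packets. The 10.0.0.0/8 inside network, the policy "inside hosts may open TCP/80 connections outward, nothing else", and the addresses and ports are assumptions made for the illustration.

```python
"""Stateless packet filter vs. stateful session filter (constructed example).

Scenario: hosts in 10.0.0.0/8 sit behind the firewall; the policy is
"inside hosts may open TCP/80 connections outward, nothing else".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

    def opens_connection(self) -> bool:
        # A bare SYN opens a TCP connection; for UDP the first datagram does.
        return self.proto != "tcp" or self.flags == frozenset({"SYN"})


@dataclass
class Rule:
    """One access-control-list entry; every field must match (ranges inclusive)."""
    action: str                          # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sports: tuple = (0, 65535)
    dports: tuple = (0, 65535)
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1])


def acl_verdict(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Packet filter: each packet is judged on its own headers, no memory of others.
# It cannot tell a reply from a fresh inbound connection, so the return path
# (source port 80 -> any internal ephemeral port) has to be opened wholesale.
STATELESS_ACL = [
    Rule("accept", src="10.0.0.0/8", dports=(80, 80)),                        # outbound web
    Rule("accept", dst="10.0.0.0/8", sports=(80, 80), dports=(1024, 65535)),  # "replies"
]


def stateless_filter(p: Packet) -> str:
    return acl_verdict(STATELESS_ACL, p)


# Session filter: the policy is consulted only when a packet opens a connection;
# every later packet must match an entry in the state table, in either direction.
STATEFUL_POLICY = [
    Rule("accept", src="10.0.0.0/8", dports=(80, 80)),   # no return-path rule needed
]


class SessionFilter:
    def __init__(self, policy):
        self.policy = policy
        self.state = {}   # initiator 5-tuple -> "NEW" | "ESTABLISHED"

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.state or rev in self.state:        # part of a known session
            key = fwd if fwd in self.state else rev
            if key == rev:
                self.state[key] = "ESTABLISHED"           # the responder answered
            if p.flags & {"FIN", "RST"}:
                self.state.pop(key, None)                 # session is ending
            return "accept"
        if not p.opens_connection():                      # mid-stream packet, no session
            return "drop"
        if acl_verdict(self.policy, p) == "accept":       # new connection: ask the policy
            self.state[fwd] = "NEW"
            return "accept"
        return "drop"


def demo():
    """Three packets: a client SYN out, the server's SYN/ACK back, an attacker's probe."""
    syn = Packet("10.0.0.5", "203.0.113.10", 40000, 80, flags=frozenset({"SYN"}))
    syn_ack = Packet("203.0.113.10", "10.0.0.5", 80, 40000, flags=frozenset({"SYN", "ACK"}))
    # Unsolicited: an outside host forges source port 80 to reach a service on 10.0.0.5:40000.
    probe = Packet("198.51.100.7", "10.0.0.5", 80, 40000, flags=frozenset({"SYN"}))
    sf = SessionFilter(STATEFUL_POLICY)
    return {
        "stateless": [stateless_filter(p) for p in (syn, syn_ack, probe)],
        "stateful": [sf.verdict(p) for p in (syn, syn_ack, probe)],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts the attacker's probe because its return-path rule cannot distinguish a reply from a new inbound connection, while the session filter drops the same packet for lack of a state-table entry. Checking the TCP ACK bit in the stateless ACL would stop a SYN probe but not a forged ACK scan, and does nothing for UDP.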
Session Filtering (Cont’d)
[Figure: a session-filtering firewall between two full-stack end hosts; it keeps dynamic state tables and inspects from the Network layer up to the Application layer]
• Screens ALL attempts, protects all applications
• Extracts & maintains ‘state’ information
• Makes an intelligent security / traffic decision
Proxy Firewalls
• Relay for connections
• Client <-> Proxy <-> Server
• Two flavors
  – Application level
  – Circuit level
Application Gateways
• Understands specific applications
  – Limited proxies available
  – Proxy ‘impersonates’ both sides of the connection
• Resource intensive
  – One process per connection
• HTTP proxies may cache web pages
Application Gateways
• More appropriate to TCP
• Must write a new proxy application to support new protocols
  – Not trivial!
Application Gateways
• Clients configured for proxy communication
• Transparent Proxies
Application Gateway (Cont’d)
[Figure: an application-layer gateway/proxy between two full-stack end hosts; the gateway implements the full stack itself and runs a separate proxy per protocol (Telnet, HTTP, FTP) at the Application layer]
Circuit-Level Gateways
• Supports more services than an application-level gateway
  – Less control over data
• Hard to handle protocols like FTP
  – Passive FTP is usually okay
• Clients must be aware they are using a circuit-level proxy
SOCKS
• Circuit-level gateway
• Supports TCP
• SOCKS v5 also supports UDP; earlier versions did not
• See http://www.socks.nec.com
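The SOCKS5 exchange between a client and a circuit-level gateway, as an added example that is not from the lecture or the SOCKS reference site: method negotiation and the CONNECT request/reply use the message layout of RFC 1928, and the gateway applies its policy to the destination address and port only. The allowed ports, the blocked destination ranges, and the bind address 198.51.100.1 are assumptions made for the illustration.

```python
"""SOCKS5 method negotiation and CONNECT handling at a circuit-level gateway.

Constructed example using the RFC 1928 message layout. The gateway decides on
the destination address and port only; it never looks at what flows through
the circuit afterwards.
"""
import socket
import struct
from ipaddress import ip_address, ip_network

VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
REP_OK, REP_GENERAL, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07

# Gateway policy (assumed for the example): only web ports, and never back into
# private or loopback space, so the proxy cannot be used to reach the inside.
ALLOWED_PORTS = {80, 443}
BLOCKED_DESTS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def negotiate(greeting: bytes) -> bytes:
    """Client sends VER NMETHODS METHODS...; server answers VER METHOD."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def build_request(cmd: int, host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    try:
        ip = ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:                              # not an IP literal: send the name
        raw = host.encode("ascii")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, cmd, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_request(data: bytes):
    """Gateway side: returns (cmd, atyp, address as text, port)."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    if len(data) != end + 2:
        raise ValueError("bad request length")
    return cmd, atyp, addr, struct.unpack("!H", data[end:end + 2])[0]


def build_reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT; failures carry a zero bind address."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_addr)
            + struct.pack("!H", bind_port))


def gateway_decide(request: bytes, bind_addr: str = "198.51.100.1",
                   bind_port: int = 1080) -> bytes:
    """Apply the circuit-level policy to one request and produce the SOCKS5 reply."""
    try:
        cmd, atyp, addr, port = parse_request(request)
    except ValueError:
        return build_reply(REP_GENERAL)
    if cmd != CMD_CONNECT:                          # BIND / UDP ASSOCIATE not offered here
        return build_reply(REP_CMD_UNSUPPORTED)
    if port not in ALLOWED_PORTS:
        return build_reply(REP_RULESET)
    # A real gateway resolves domain names first and checks the resulting IP as well.
    if atyp != ATYP_DOMAIN and any(ip_address(addr) in net for net in BLOCKED_DESTS):
        return build_reply(REP_RULESET)
    # Here the gateway would connect to (addr, port) and splice the two sockets;
    # from this point on it relays bytes blindly: that is the "circuit".
    return build_reply(REP_OK, bind_addr, bind_port)


if __name__ == "__main__":
    print(negotiate(bytes([VER, 1, METHOD_NO_AUTH])).hex())
    for host, port in (("203.0.113.10", 443), ("192.168.1.10", 80), ("203.0.113.10", 25)):
        print(host, port, hex(gateway_decide(build_request(CMD_CONNECT, host, port))[1]))
```

A denied request is answered with REP 0x02 ("connection not allowed by ruleset"), which is all the client learns. Note that the policy only ever sees the destination tuple: once the circuit is up, the gateway has no view of the application data, which is the "less control over data" trade-off of the comparison that follows.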
Comparison

Firewall type    Security  Performance  Service support
Packet Filter    3         1            No dynamic protocols without holes
Session Filter   2         2            Dependent on vendor for dynamic support
Circuit GW       2         3
App. GW          1         4            Typically < 20

Lower is better for security & performance (1 = most secure / fastest).
Comparison (Cont’d)

Firewall type    Modify client applications?
Packet Filter    No
Session Filter   No
Circuit GW       Typically yes: client applications must be SOCKS-ified
App. GW          Unless transparent, the client application must be proxy-aware & configured
Comparison (Cont’d)

Firewall type    ICMP          Fragmentation
Packet Filter    Yes           No
Session Filter   Yes           Maybe
Circuit GW       (SOCKS v5)    Yes
App. GW          No            Yes
Linux Firewall: iptables
• History
  – ipfw
  – ipfwadm
  – ipchains
  – iptables
• Based on the netfilter framework
The Netfilter Framework
• A framework for packet mangling
[Figure: the kernel protocol stack with netfilter hooks; kernel modules register on the hooks, and user-space tools configure them]
The Netfilter Framework (Cont’d)
• Current protocols
  – IPv4, IPv6, and DECnet
• Five hooks for IPv4
  – [1]: Pre-routing hook
  – [2]: Local-in hook
  – [3]: Forward hook
  – [4]: Local-out hook
  – [5]: Post-routing hook

A packet traversing the netfilter system:

   --->[1]--->[ROUTE]--->[3]--->[5]--->
                 |            ^
                 |            |
                 |         [ROUTE]
                 v            |
                [2]          [4]
                 |            ^
                 |            |
                 v            |
            (local processes)
Packet Filtering
A packet traversing the netfilter system:

   --->[1]--->[ROUTE]--->[3]--->[5]--->
                 |            ^
                 |            |
                 |         [ROUTE]
                 v            |
                [2]          [4]
                 |            ^
                 |            |
                 v            |
            (local processes)

Packet filtering only uses three of these hooks: [2] local-in, [3] forward and [4] local-out (the INPUT, FORWARD and OUTPUT chains of iptables). Which of the three a packet meets is decided by routing: packets addressed to the host itself go through [2], packets passing through it go through [3], and packets generated locally go through [4].
IP Tables
• A packet selection system
  – Direct descendant of ipchains
• Used for
  – Packet filtering
  – Network Address Translation (NAT)
    • Masquerading, port forwarding, transparent proxying
  – Packet mangling
    • Actual changing of packet information
User Space Tool: iptables
• iptables
  – Command to configure and communicate with the kernel modules
• iptables for packet filtering
  – Three chains
• INPUT
• OUTPUT
• FORWARD
Iptables for Packet Filtering
• You need three things to configure a firewall rule
  – Which chain?
  – What packet pattern?
  – What action to apply?
• Example: drop all packets from 200.200.200.1
  – iptables -A INPUT -s 200.200.200.1 -j DROP
• Use “man iptables” on Linux to get more information.
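An added example, not from the lecture: a model of the netfilter hook traversal together with the three filter chains, driven by rules written in a subset of real iptables syntax, so that the effect of the rule above can be checked against packets that do and do not visit the INPUT chain. The host address 192.0.2.1, its role as a forwarding box, and the sample packets are assumptions made for the illustration.

```python
"""Netfilter hook traversal and a mini iptables filter table (constructed example).

Models a Linux box with its own address 192.0.2.1 that also forwards packets
between its interfaces. Rules are given in a subset of iptables(8) syntax:
  iptables -P CHAIN TARGET
  iptables -A CHAIN [-s NET] [-d NET] [-p PROTO] [--dport PORT] -j TARGET
"""
import shlex
from ipaddress import ip_address, ip_network

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING = (
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")
LOCAL_ADDRS = {"192.0.2.1", "127.0.0.1"}     # addresses owned by this host (assumed)


def hook_path(pkt: dict) -> list:
    """Hooks a packet passes, in order, following the routing decision."""
    if pkt.get("local_out"):                     # generated by a process on this host
        return [OUTPUT, POSTROUTING]             # [ROUTE] -> [4] local-out -> [5]
    if pkt["dst"] in LOCAL_ADDRS:                # [1] -> [ROUTE] -> [2] local-in
        return [PREROUTING, INPUT]
    return [PREROUTING, FORWARD, POSTROUTING]    # [1] -> [ROUTE] -> [3] -> [5]


class FilterTable:
    """The 'filter' table: rules only on the INPUT, FORWARD and OUTPUT chains."""
    OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}

    def __init__(self):
        self.policy = {INPUT: "ACCEPT", FORWARD: "ACCEPT", OUTPUT: "ACCEPT"}
        self.rules = {INPUT: [], FORWARD: [], OUTPUT: []}

    def run(self, cmdline: str) -> None:
        """Load one rule or policy from an iptables command line."""
        argv = shlex.split(cmdline)
        if argv[:2] == ["iptables", "-P"]:
            self.policy[argv[2]] = argv[3]
            return
        if argv[:2] != ["iptables", "-A"] or argv[2] not in self.rules:
            raise ValueError("unsupported command: " + cmdline)
        rule = {self.OPTS[opt]: val for opt, val in zip(argv[3::2], argv[4::2])}
        if "target" not in rule:
            raise ValueError("rule needs -j TARGET")
        self.rules[argv[2]].append(rule)

    @staticmethod
    def _matches(rule: dict, pkt: dict) -> bool:
        if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"], strict=False):
            return False
        if "dst" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst"], strict=False):
            return False
        if "proto" in rule and pkt.get("proto") != rule["proto"]:
            return False
        if "dport" in rule and pkt.get("dport") != int(rule["dport"]):
            return False
        return True

    def verdict(self, pkt: dict):
        """Walk the packet's hooks; the first matching rule (or chain policy) decides."""
        for hook in hook_path(pkt):
            if hook not in self.rules:               # PREROUTING/POSTROUTING: no filtering
                continue
            for rule in self.rules[hook]:
                if self._matches(rule, pkt):
                    return rule["target"], hook
            if self.policy[hook] != "ACCEPT":
                return self.policy[hook], hook
        return "ACCEPT", None


def demo():
    fw = FilterTable()
    fw.run("iptables -A INPUT -s 200.200.200.1 -j DROP")      # the lecture's rule
    fw.run("iptables -P FORWARD DROP")                          # default-deny transit
    fw.run("iptables -A FORWARD -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT")
    pkts = {
        "to_firewall": {"src": "200.200.200.1", "dst": "192.0.2.1", "proto": "tcp", "dport": 22},
        "through":     {"src": "200.200.200.1", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},
        "web_out":     {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
        "own":         {"src": "192.0.2.1", "dst": "200.200.200.1", "proto": "tcp",
                        "dport": 443, "local_out": True},
    }
    return {name: fw.verdict(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (target, hook) in demo().items():
        print(f"{name:12s} -> {target} at {hook}")
```

The lecture's rule drops traffic from 200.200.200.1 only on INPUT, that is, for packets addressed to the firewall host itself. A packet from the same source that is forwarded to 10.0.0.5 never visits INPUT; it is decided by the FORWARD chain, here by its DROP policy. To protect the hosts behind the box, the rule has to be placed on FORWARD.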