Firewalls
Original slides prepared by Theo Benson

Transcript
Page 1: Firewalls

Original slides prepared by Theo Benson

Page 9: Unix Firewalls

• FreeBSD: ipfw
• Linux: ipfw → ipchains → iptables
• MacOS X: ipfw

ipfw example rules:

# SSH
# Allow ssh from unc.edu hosts
/sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup
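To show how a stateless packet filter evaluates a rule list like the one above, here is a small Python model (an added example, not code from the slides or from ipfw itself). It parses the slide's three rules, applies them first-match-wins the way ipfw does, and treats `setup` as "SYN set, ACK clear". The `Packet` and `Rule` types, the sample packets and the default-deny catch-all are assumptions of this example; real ipfw's default depends on how the kernel was built.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source address
    sport: int          # source port
    dst: str            # destination address
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None: any destination port
    setup: bool                  # True: match only packets that start a TCP connection


ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax the slide uses:
       '... add <action> <proto> from <src> to <dst> [dport] [setup]'."""
    toks = line.split()
    i = toks.index("add") + 1
    action, proto = toks[i], toks[i + 1]
    if toks[i + 2] != "from" or toks[i + 4] != "to":
        raise ValueError(f"unsupported rule: {line}")
    src = ANY if toks[i + 3] == "any" else ipaddress.ip_network(toks[i + 3])
    dst = ANY if toks[i + 5] == "any" else ipaddress.ip_network(toks[i + 5])
    rest = toks[i + 6:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(action, proto, src, dst, dport, "setup" in rest)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; 'setup' means SYN set and ACK clear."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw. A packet matching no rule gets the
       catch-all decision, assumed to be deny in this example."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The three rules from the slide, verbatim.
SLIDE_RULES = [parse_rule(line) for line in """
/sbin/ipfw -f add allow tcp from 152.2.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.19.0.0/16 to any 22 setup
/sbin/ipfw -f add allow tcp from 152.23.0.0/16 to any 22 setup
""".splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed packets: an SSH SYN from inside 152.2.0.0/16 and one from elsewhere.
    print(decide(SLIDE_RULES, Packet("tcp", "152.2.10.5", 40000, "203.0.113.7", 22, syn=True)))
    print(decide(SLIDE_RULES, Packet("tcp", "198.51.100.9", 40000, "203.0.113.7", 22, syn=True)))
```

Note what the `setup` rules do not cover: only the connection-opening SYN matches, so the data packets that follow would need a separate rule (ipfw has an `established` keyword for packets with ACK or RST set) or a stateful filter that remembers the connection, which is the subject of the Stateful Firewalls slide.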

Page 12: Stateful Firewalls

• A bit more complicated
• Keep track of transport layer connections (e.g., TCP, UDP) that may comprise multiple packets
• Often allow only connections initiated from behind the firewall

Page 13: How are they deployed?

“circle of trust” (inside) / The Internet, AKA “Everything evil” (outside)

The firewall is the gatekeeper

Only one way in or out of the circle

Page 14: Similar to streaming a Video …

Browser ↔ Network (Loading YouTube)

HTTP Requests: Get image.png
HTTP Requests: Get video.avi

Page 22: Allowing Outbound Connections Only

“circle of trust” / The Internet, AKA “Everything evil” / SYN

• Why would someone from the outside want to start a connection?
  – They would if you were running a web server, an email server, a gaming server … pretty much any ‘server’ service.
  – Firewall configuration may allow “punching holes” to specific addresses/ports
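The Stateful Firewalls slide (Page 12) and the outbound-only policy above (Page 22) can be shown together in one small model. The Python below is an added example, not code from the slides: it keeps a connection table, records flows that start from behind the firewall (a TCP SYN or any UDP datagram), admits inbound packets only when they belong to such a flow, and lets the administrator "punch holes" for specific inside address/port pairs. The inside network, the `Packet` type and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed topology: the protected network is the "circle of trust".
INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


# Flows are always stored oriented as (proto, inside ip, inside port, outside ip, outside port).
Flow = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, pinholes=()):
        self.flows: Set[Flow] = set()       # connections the firewall has seen start
        self.pinholes = set(pinholes)       # (proto, inside ip, port) deliberately exposed

    def process(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet crossing the firewall."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in INSIDE and dst not in INSIDE:
            flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "udp" or (pkt.syn and not pkt.ack):
                self.flows.add(flow)        # new connection initiated from behind the firewall
                return "allow"
            # Later packets of a TCP connection must belong to a flow we know about.
            return "allow" if flow in self.flows else "deny"
        if dst in INSIDE and src not in INSIDE:
            flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if flow in self.flows:
                return "allow"              # reply to a connection we saw start
            if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                self.flows.add(flow)        # a "punched hole" for a server service
                return "allow"
            return "deny"                   # unsolicited inbound connection
        return "deny"                       # traffic that does not cross the boundary


if __name__ == "__main__":
    # Constructed scenario: one exposed web server, one client browsing out.
    fw = StatefulFirewall(pinholes={("tcp", "192.168.1.10", 80)})
    print(fw.process(Packet("tcp", "192.168.1.100", 32532, "203.0.113.7", 443, syn=True)))
    print(fw.process(Packet("tcp", "203.0.113.7", 443, "192.168.1.100", 32532, syn=True, ack=True)))
    print(fw.process(Packet("tcp", "198.51.100.9", 5555, "192.168.1.100", 22, syn=True)))
```

A production firewall would also expire idle entries, track TCP state transitions (FIN/RST) and bound the table size; the point here is only that the decision for an inbound packet depends on what the firewall has already seen, not on the packet alone.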

Page 24: Traversing Firewalls

• Two hosts behind separate firewalls may try to fool their firewalls by simultaneously establishing outbound connections.

• An external server may help coordinate which source ports and sequence numbers to use (e.g., the STUN protocol).

Page 25: Network Address Translation (NAT)

• For outbound packets, the translator replaces the (typically private) source address with its own public address, and rewrites the source port.
• The translator remembers the mapping.
• For inbound packets, the reverse translation is performed.

Inside host 192.168.1.100, translator public address 128.2.205.42:
Src: 192.168.1.100:32532 → Src: 128.2.205.42:45323

Page 26: NAT versus Firewall

• A network address translator is not intrinsically a firewall, but
  – Often the two are combined in one device
  – Traffic cannot be sent directly to private addresses used behind a NAT from the public Internet
  – A NAT may block incoming connections by necessity because it does not know which private address to forward the traffic to
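The translation on Page 25 and the "blocks by necessity" point on Page 26 follow directly from a mapping table, which the added Python example below makes concrete (it is illustration code, not from the slides or any real NAT implementation). It uses the slide's addresses and ports: the inside host 192.168.1.100:32532 is rewritten to the public address 128.2.205.42 with port 45323, a reply to that port is translated back, and an inbound packet with no mapping is dropped because there is no private address to forward it to. The per-flow port allocation, the inside network and the sample destination addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed inside network sitting behind the translator.
PRIVATE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PortTranslator:
    """Per-flow NAT: each (inside address:port, destination address:port) pair
       gets its own public port. The first port is chosen to match the slide."""

    def __init__(self, public_ip: str, first_port: int = 45323):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port, dst ip, dst port) -> public port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source address and port; remember the mapping."""
        if ipaddress.ip_address(pkt.src) not in PRIVATE:
            raise ValueError("outbound packet must come from an inside host")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation. With no mapping the packet is dropped (None):
           the translator does not know which private address it belongs to."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != self.public_ip or key not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[key]
        return replace(pkt, dst=inside_ip, dport=inside_port)


if __name__ == "__main__":
    nat = PortTranslator("128.2.205.42")
    out = nat.outbound(Packet("tcp", "192.168.1.100", 32532, "203.0.113.7", 80))
    print(f"outbound rewritten to {out.src}:{out.sport}")
    back = nat.inbound(Packet("tcp", "203.0.113.7", 80, "128.2.205.42", 45323))
    print(f"reply delivered to {back.dst}:{back.dport}")
    print(nat.inbound(Packet("tcp", "198.51.100.3", 4444, "128.2.205.42", 22)))  # None: dropped
```

The drop in `inbound` is the whole of the NAT's "firewall" effect: it is a side effect of an incomplete mapping table, not a policy decision, which is why the slide stresses that a NAT is not intrinsically a firewall.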

Page 28: What Happens When you Connect to a Website?

Browser ↔ Network (Loading SoundCloud)

HTTP Requests: Get image.png
HTTP Requests: Get sound.mp3

What happens if the virus/worm is hidden in an email? A picture? Or if the security exploit is in an HTML page?

Page 29: Deep Packet Inspection

• Examine the payload (data) portion of the packet as well as the headers

IP Header | TCP/UDP Header | Payload

Page 30: Application Level Firewall

• Why are they needed?
• Attackers are tricky
  – When exploiting security vulnerabilities
  – Attacks span multiple packets
• Need a system to scan across multiple packets for Virus/Worm/Vulnerability exploits

Page 32: Application Level Firewalls

• Similar to Packet-filters except:
  – Supports regular expressions
  – Searches across different packets for a match
  – Reconstructs objects (images, pictures) from packets and scans the objects

HTTP Requests: Get image.png

Apply reg-ex to the object:

Page 34: Why doesn’t everyone use App level firewalls?

• Object re-assembly requires a lot of memory
• Regular-expressions require a lot of CPU
• App level firewalls are a lot more expensive
  – And also much slower
  – So you need more -- a lot more.
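The Application Level Firewalls slides and the cost note above can be demonstrated with a short Python example (added here, not from the slides): an object is split into TCP segments so that a signature straddles a segment boundary, the segments arrive out of order, and a per-packet scan misses the signature while a scan over the reassembled object finds it. The signature regex, the "image" bytes and the sequence numbers are all constructed for this example; `buffered_bytes` shows how much the proxy had to hold before it could decide, which is the memory cost Page 34 refers to.

```python
import re
from typing import List, Tuple

# Constructed signature: a made-up marker standing in for a real malware pattern.
SIGNATURES = [re.compile(rb"CONSTRUCTED-TEST-MARKER-\d{3}")]

# Constructed "image" object with the marker buried in filler bytes.
OBJECT = b"\x89PNG\r\n\x1a\n" + b"A" * 40 + b"CONSTRUCTED-TEST-MARKER-123" + b"B" * 40
ISN = 1000   # initial sequence number of the constructed TCP stream

Segment = Tuple[int, bytes]   # (sequence number, payload)


def segment(data: bytes, isn: int, cut_points: List[int]) -> List[Segment]:
    """Split an object into TCP segments at the given byte offsets."""
    bounds = [0] + cut_points + [len(data)]
    return [(isn + a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


# Cut the stream so the marker is split across two segments, then deliver the
# segments out of order, as the network may.
_cut = OBJECT.index(b"-MARKER")
_ordered = segment(OBJECT, ISN, [20, _cut, _cut + 12])
SEGMENTS = [_ordered[2], _ordered[0], _ordered[3], _ordered[1]]


def scan_per_packet(segments: List[Segment]) -> List[bytes]:
    """Packet-filter style: each payload is inspected on its own."""
    return [sig.pattern for _, payload in segments for sig in SIGNATURES if sig.search(payload)]


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Order segments by sequence number and rebuild the contiguous byte stream.
       Retransmitted or overlapping bytes are trimmed; a gap stops reassembly,
       since bytes beyond a hole cannot be inspected safely."""
    buf = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            break                       # missing data before this segment
        payload = payload[expected - seq:]   # drop bytes already seen
        buf += payload
        expected += len(payload)
    return bytes(buf)


def scan_object(segments: List[Segment], isn: int) -> List[bytes]:
    """Application-level style: reassemble the object, then match across it."""
    body = reassemble(segments, isn)
    return [sig.pattern for sig in SIGNATURES if sig.search(body)]


def buffered_bytes(segments: List[Segment]) -> int:
    """Memory the proxy holds before it can decide (the cost on Page 34)."""
    return sum(len(payload) for _, payload in segments)


if __name__ == "__main__":
    print("per-packet hits:", scan_per_packet(SEGMENTS))
    print("reassembled hits:", scan_object(SEGMENTS, ISN))
    print("bytes buffered:", buffered_bytes(SEGMENTS))
```

The out-of-order delivery and the duplicate-segment handling matter in practice: an inspector that only concatenated segments in arrival order would see a different byte stream than the receiving host does, and the regular expression would be applied to the wrong object.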

Page 35: How do you Attack the Firewall?

• Most Common: Denial-of-Service attacks
  – Figure out a bug in the Firewall code
  – Code causes it to handle a packet incorrectly
  – Send a lot of ‘bug’ packets and no one can use the firewall