speaking frankly the internet is not a very safe place operational...
TRANSCRIPT
1
CS242 Computer Networks Department of Computer Science Wellesley College
Operational Security Firewalls and Intrusion Detection
Firewalls 25-2
Speaking Frankly The Internet is not a very safe place
o From our network administrator’s point of view, the world divides into two camps:
o Us - good; able to access local resources and
o Them - suspicious; access must be carefully scrutinized and perhaps restricted.
Firewalls*
*A firewall isolates an organizations internal network from larger Internet, allowing some packets to pass, blocking others.
Firewalls 25-3
Administered Network
Public Internet
firewall trusted “good guys” untrusted “bad guys”
A sense of false security ... o In theory, only
authorized traffic, as defined by local security policy, is allowed to pass.
o Of course the firewall itself is a device connected to the network. It had better be carefully designed and installed or else we are only fooling ourselves.
Firewalls 25-4
2
Firewalls come in three flavors o Traditional packet filters
exam each datagram in isolation at the point of entry/exit.
o Stateful filters track TCP connections, and use this knowledge to make filtering decisions.
o Application gateways are application-specific servers through which all application data must pass.
Firewalls 25-5
Traditional (stateless) packet filters o The internal network is connected to Internet via router
firewall which filters packet-by-packet.
o Filtering decisions typically based on: IP source or destination address; Protocol type in IP datagram field; TCP or UDP source and destination port; TCP flag bits (SYN, ACK, etc.); ICMP message type.
Firewalls 25-6
Firewalls 25-7
Policy decisions Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for institution’s public Web server only.
Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth.
Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack.
Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255).
Prevent your network from being tracerouted
Drop all outgoing ICMP TTL expired traffic
We could get tricky o And base our policy on a
combination of addresses and port numbers.
o For example, our router could filter all Telnet datagrams (port 23) except those going to and coming from a list of specific IP address.
o This allows Telnet connections to and from hosts on the allowed list.
o However, ...
Firewalls 25-8
3
Filtering TCP handshakes
Firewalls 25-9
o Filtering can be based on whether or not the TCP ACK bit is set.
o This lets internal clients connect to external servers, but ...
o ... prevents external clients from connecting to internal servers.
Access control list for router interface*
Firewalls 25-10
action source
address dest
address protocol
source port
dest port
flag bit
allow 222.22/16 outside of 222.22/16
TCP > 1023 80 any
allow
outside of 222.22/16
222.22/16
TCP 80 > 1023 ACK
allow 222.22/16 outside of 222.22/16
UDP > 1023 53 ---
allow
outside of 222.22/16
222.22/16
UDP 53 > 1023 ----
deny all all all all all all
*Table of rules, applied top to bottom to incoming packets: (action, condition) pairs.
Problems with stateless filters o Although restrictive, the access control list in the previous
table allows packets arriving from the outside with ACK=1 and source port 80, even when no TCP connection has been established.
o Such packets could be used by attackers in attempts to
crashed internal systems with malformed packets, carry out denial-of-service attacks, or map the internal network.
Firewalls 25-11
action source address
dest address protocol
source port
dest port
flag bit
allow
outside of 222.22/16
222.22/16 TCP 80 > 1023 ACK
Stateful packet filters o Stateful filters track all ongoing TCP connections in a
connection table. o The firewall observes the beginning of a new connection
(SYN, SYNACK, and ACK); and it can observe the end of the connection with it sees a FIN packet.*
Firewalls 25-12
*The firewall can (conservatively) assume that the connection is over when it hasn’t seen any activity for say 60 seconds.
source addr dest addr sourceport dest port 222.22.1.7 37.96.87.123 12699 80
222.22.93.2 199.1.205.23 37654 80 222.22.65.143 203.77.240.43 48712 80
4
Augmented access control list for stateful filter
Firewalls 25-13
*ACL augmented to indicate need to check connection state table before admitting packet
action source
address dest
address proto source port
dest port
flag bit
check conxion
allow 222.22/16 outside of 222.22/16 TCP > 1023 80
any
allow
outside of 222.22/16
222.22/16 TCP 80 > 1023 ACK x
allow 222.22/16 outside of 222.22/16 UDP > 1023 53 ---
allow
outside of 222.22/16
222.22/16 UDP 53 > 1023 ----
x
deny all all all all all all
So far, so good, but suppose now that ...
Firewalls 25-14
o ... Wellesley wants to provide Telnet services to a restricted set of internal users, as opposed to IP addresses) ...
o ... and suppose Wellesley wants such privileged users to authenticate themselves first before being allowed to create a Telnet session to the outside world.
*Such tasks are beyond stateful filters. The identity of internal users is an application-layer data and is not included in the IP/TCP/UDP headers.
Application gateway
Firewalls 25-15
o An application gateway is an application-specific server through which all application data must pass.
o It looks beyond IP/TCP/UDP headers to make policy decisions based on application data.
o We design a firewall that allows only a restricted set of internal users to Telnet outside and prevents all external clients from Telneting inside.
host-to-gateway telnet session
gateway-to-remote host telnet session
application gateway
router and filter
To do this, we must ...
Firewalls 25-16
1. Require all Telnet users to Telnet through the application gateway.
2. For authorized users, gateway sets up Telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
application gateway
host-to-gateway telnet session
router and filter
gateway-to-remote host telnet session
5
Intrusion detection systems
Firewalls 25-17
o Packet filtering: operates on TCP/IP headers only; no correlation check among sessions.
o To detect many attacks, we need a deep packet inspection, e.g., check character strings in packet against database of known virus strings.
o Additionally we may wish to examine correlation among multiple packets to detect: port scanning; network mapping; DoS attack.
Multiple IDS sensors
Firewalls 25-18
Web server FTP
server
DNS server
Internet
demilitarized zone
Firewall
IDS sensors
Internal network
Application gateway
Course grain classification o Signature-based IDS
maintains an database of attack signatures, sniffs every packet, comparing contents with tis database.*
o Anomaly-based IDS creates a traffic profile in normal operation, then looks for statistically unusual packet streams.**
Handshake pitfalls 18-19
*Most common, but completely blind to new attacks. Subject to false positives. **Can potentially detect new attacks, but often difficult to distinguish between normal traffic and statistically unusual traffic.