CSE 543 - Computer Security
Lecture 20 - Firewalls
November 8, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
Midterm
• Grades (high is 83)
  • 77-94 -- A (4)
  • 71-75 -- B+/A- (7)
  • 64-69 -- B+/B (13)
  • 56-61 -- B/B- (7)
  • 54-55 -- C+ (2)
  • <50 -- D/F (2)
• Impact
  • 20% of grade
  • Project and final to go -- more than 50% of grade
Some Questions
• First 14: general basic concepts, or lookup in slides or papers
  • Generally good
  • All were answered correctly by multiple people (Windows and TOCTTOU in Janus)
• Questions 15-18
  • Generally good
  • 17: weak capability
  • 18: IDs in messages
  • Constructions: where points were lost
Questions 19-21
• Capability and crypto
  • E(K, obj+rights), HMAC(K, obj+rights)
  • E(K+, obj+rights), S(K-, obj+rights)
• DH and info flow
  • DH was better
  • Info flow -- not so prepared
• Multics
  • Better than the other two
  • Main problem: ring of user shell vs. ring of passwd
Network Security …
• This is a poorly understood engineering discipline.
• The following looks at the application of tools …
Network security: the high bits
• The network is …
  • … a collection of interconnected computers
  • … with resources that must be protected
  • … from unwanted inspection or modification
  • … while maintaining adequate quality of service.
• Another way of seeing network security is
  • Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources are maintained.
• Q: How do we do this?
The network …
[Diagram: the Internet on one side of the perimeter/edge device, the LAN with its servers and hosts/desktops behind it, and remote hosts/servers outside.]
The big picture ….
• Internet Protocol (IP)
  • Really refers to a whole collection of protocols making up the vast majority of the Internet
• Routing
  • How these packets move from place to place
• Network management
  • Administrators have to maintain the services and infrastructure supporting everyone's daily activities
Network security: the tools …
• Filtering
  • Firewalls
• Communication security and services
  • DNSSEC, IPsec, SSH, ...
• Isolation
  • VPNs, VLANs
• Detection and mitigation
  • Intrusion detection
  • DDoS tools
Filtering: the threats
• Adversary 1: some external network entity attempting to gain access to internal resources
• Adversary 2: some internal, but malicious, entity (or software) trying to expose sensitive data
• Adversary 3: some internal or external entity that is preventing access to internal resources (DoS)
Filtering: Firewalls
• Filtering traffic based on policy
  • Policy determines what is acceptable traffic
• Access control over traffic
  • Accept or deny
• May perform other duties
  • Logging (forensics, SLA)
  • Flagging (intrusion detection)
  • QoS (differentiated services)
[Diagram: protocol stack (Application / Network / Link) showing the layers at which a firewall can inspect and filter.]
Firewall Policy
• Specifies what traffic is (not) allowed
• Maps attributes to addresses and ports
• Example: HTTP should be allowed outbound to any external host, but inbound only to the web server
xListing
• Blacklisting: specifying connectivity that is explicitly disallowed
  • E.g., prevent connections from badguys.com
• Whitelisting: specifying connectivity that is explicitly allowed
  • E.g., allow connections from goodguys.com
• These are useful for IP filtering, spam mitigation, …
• Q: What access control policies do these represent?
Stateful, Proxy, and Transparent
• A single packet contains insufficient data to make an access control decision
• State allows historical context to be considered
  • Firewall collects data over time
  • E.g., a TCP packet is part of an established session
• Firewalls can affect network traffic
  • Transparent: appears as a single router (network layer)
  • Proxy: receives, interprets, and reinitiates communication (application layer)
  • Transparent is good for speed (routers); proxies are good for complex state (applications)
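The point of the two slides above, worked as an added example that is not code from the lecture: the policy from the Firewall Policy slide ("HTTP outbound to anyone, inbound only to the web server") is evaluated first by a stateless filter that sees one packet at a time, then by a stateful filter that keeps a connection table. The LAN (192.0.2.0/24), web server (192.0.2.10) and external hosts are constructed RFC 5737 test addresses, and `is_syn` mirrors the semantics of the iptables `--syn` option; nothing here touches a real kernel firewall.

```python
"""Stateless vs. stateful filtering of the slide's example policy.

Added example; not code from the lecture. Addresses are constructed
RFC 5737 test addresses: 192.0.2.0/24 is the LAN, 192.0.2.10 the web server.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")        # assumed internal network
WEB_SERVER = ip_address("192.0.2.10")   # assumed web server
ACCEPT, DROP = "ACCEPT", "DROP"


def is_syn(flags):
    """iptables --syn semantics: SYN set and ACK, RST, FIN clear."""
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def in_lan(addr):
    return ip_address(addr) in LAN


def stateless_decision(pkt):
    """Decide on one packet in isolation (first match wins, default DROP).

    pkt fields: src, dst, proto, sport, dport, flags (set of TCP flag names).
    """
    if pkt["proto"] != "tcp":
        return DROP
    # Rule 1: LAN hosts may open HTTP connections to anywhere.
    if in_lan(pkt["src"]) and pkt["dport"] == 80 and is_syn(pkt["flags"]):
        return ACCEPT
    # Rule 2: anyone may open HTTP connections to the web server.
    if ip_address(pkt["dst"]) == WEB_SERVER and pkt["dport"] == 80 and is_syn(pkt["flags"]):
        return ACCEPT
    # Rule 3: let replies to outbound HTTP back in. Without state, the only
    # evidence that a packet is a reply is "source port 80 and not a bare SYN"
    # (the classic "! --syn" rule), and the sender chooses both of those.
    if in_lan(pkt["dst"]) and pkt["sport"] == 80 and not is_syn(pkt["flags"]):
        return ACCEPT
    return DROP


class StatefulFilter:
    """Connection tracking: a packet is accepted as part of a session only if
    the filter saw that session opened under a rule that permits it."""

    def __init__(self):
        self.sessions = set()   # (src, dst, sport, dport) of permitted opens

    def decision(self, pkt):
        if pkt["proto"] != "tcp":
            return DROP
        flow = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        reverse = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if flow in self.sessions or reverse in self.sessions:
            return ACCEPT                 # like -m state --state ESTABLISHED
        if not is_syn(pkt["flags"]):
            return DROP                   # mid-stream packet of an unknown session
        # NEW connections: the two policy rules from the slide.
        if (in_lan(pkt["src"]) and pkt["dport"] == 80) or \
           (ip_address(pkt["dst"]) == WEB_SERVER and pkt["dport"] == 80):
            self.sessions.add(flow)
            return ACCEPT
        return DROP


def run_scenario():
    """Three constructed packets: a LAN client's SYN to an external web
    server, the server's SYN/ACK reply, and a forged ACK from source port 80
    aimed at SSH on an internal host that opened nothing."""
    client_syn = dict(src="192.0.2.50", dst="203.0.113.7", proto="tcp",
                      sport=40000, dport=80, flags={"SYN"})
    server_synack = dict(src="203.0.113.7", dst="192.0.2.50", proto="tcp",
                         sport=80, dport=40000, flags={"SYN", "ACK"})
    forged_ack = dict(src="198.51.100.9", dst="192.0.2.77", proto="tcp",
                      sport=80, dport=22, flags={"ACK"})
    packets = (client_syn, server_synack, forged_ack)
    stateful = StatefulFilter()
    return {"stateless": [stateless_decision(p) for p in packets],
            "stateful": [stateful.decision(p) for p in packets]}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s} {verdicts}")
```

The forged packet is why the slide says a single packet is insufficient: the stateless "replies from port 80" rule has to trust the source port and the ACK flag, both chosen by the sender, so it lets an ACK from port 80 reach any internal host and port. The stateful filter admits only packets of a session it saw opened under a permitting rule, so the same packet is dropped.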
DMZ (De-militarized Zone)
[Diagram: the Internet, a DMZ LAN holding the public servers, and the internal LAN, separated by firewalls.]
Practical Issues and Limitations
• Network layer firewalls are dominant
  • DMZs allow multi-tiered firewalling
  • Tools are widely available and mature
  • Personal firewalls gaining popularity
• Issues
  • Network perimeters not quite as clear as before
    • E.g., telecommuters, VPNs, wireless, …
  • Every access point must be protected
    • E.g., this is why war-dialing is effective
  • Hard to debug, maintain consistency and correctness
  • Often seen by non-security personnel as an impediment
    • E.g., "Just open port X so I can use my wonder widget …"
  • SOAP -- why is this protocol an issue? (Hint: it carries arbitrary RPC over HTTP, so a port-based rule that allows port 80 allows all of it.)
Wool's Firewall Study
• What is the purpose of this study?
Interesting tid-bits from the Wool study
• 12 error classes
  • No default policy, automatic broad tools
  • NetBIOS (the very use of the Windows protocol deemed an error)
  • Portmapper protocols
  • Use of "any" wildcards
  • Lack of egress rules
• Interesting questions:
  • Is the violation of Wool's errors really a problem?
  • "DNS attack" comment?
  • Why do you think more expensive firewalls had a higher occurrence of errors?
• Take away: configurations are bad
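A rule-set lint for the error classes listed on the slide, as an added example that is not from the lecture or from Wool's paper. The rule format (direction, src, dst, proto, dport, action) and both sample rule sets are constructed, the addresses are RFC 5737 test addresses, and the NetBIOS/SMB and portmapper port groupings are the conventional ones rather than Wool's exact definitions.

```python
"""Lint a perimeter rule set for several of the error classes named on the
Wool study slide: missing default deny, lack of egress rules, "any"
wildcards, inbound NetBIOS/SMB, and inbound portmapper.

Added example; not code from the lecture or from Wool's paper. The rule
format is an assumed simplified one and the rule sets are constructed.
"""
ANY = "any"
NETBIOS_PORTS = {135, 136, 137, 138, 139, 445}   # NetBIOS/SMB plus MS-RPC endpoint mapper
PORTMAPPER_PORTS = {111}                          # sunrpc portmapper


def lint(rules, default_policy):
    """rules: ordered list of rule dicts; default_policy: {"in": ..., "out": ...}.

    Returns (error-class, location) pairs; location is a rule index, the
    direction whose default policy is at fault, or None for set-wide errors.
    """
    findings = []
    for direction in ("in", "out"):
        if default_policy.get(direction) != "DROP":
            findings.append(("no-default-deny", direction))
    if not any(r["direction"] == "out" for r in rules):
        findings.append(("no-egress-rules", None))
    for i, r in enumerate(rules):
        if r["action"] != "ACCEPT":
            continue                      # only permissive rules widen exposure
        if r["src"] == ANY and r["dst"] == ANY and r["dport"] == ANY:
            findings.append(("any-any-any", i))
        if r["direction"] == "in":
            if r["dport"] == ANY:
                findings.append(("inbound-any-service", i))
            elif r["dport"] in NETBIOS_PORTS:
                findings.append(("netbios-inbound", i))
            elif r["dport"] in PORTMAPPER_PORTS:
                findings.append(("portmapper-inbound", i))
    return findings


# Constructed rule set: the slide's HTTP policy plus the kind of additions
# that accumulate from "just open port X" requests.
SLOPPY_RULES = [
    {"direction": "in", "src": ANY, "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "action": "ACCEPT"},
    {"direction": "in", "src": ANY, "dst": "192.0.2.20", "proto": "tcp", "dport": 139, "action": "ACCEPT"},
    {"direction": "in", "src": "198.51.100.0/24", "dst": ANY, "proto": ANY, "dport": ANY, "action": "ACCEPT"},
]
SLOPPY_POLICY = {"in": "DROP", "out": "ACCEPT"}   # nothing restricts outbound traffic

# The same HTTP policy written with a deny default and explicit egress.
HARDENED_RULES = [
    {"direction": "in", "src": ANY, "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "action": "ACCEPT"},
    {"direction": "out", "src": "192.0.2.0/24", "dst": ANY, "proto": "tcp", "dport": 80, "action": "ACCEPT"},
]
HARDENED_POLICY = {"in": "DROP", "out": "DROP"}


if __name__ == "__main__":
    for finding in lint(SLOPPY_RULES, SLOPPY_POLICY):
        print("sloppy:  ", finding)
    print("hardened:", lint(HARDENED_RULES, HARDENED_POLICY))
```

On the sloppy set the lint reports the permissive outbound default, the absence of any egress rule, the inbound NetBIOS rule, and the admin-subnet rule that allows every service. The hardened set passes every check, which is the slide's take-away in reverse: the same policy intent can be written without any of these errors. A real egress policy would of course also have to permit DNS and whatever else the LAN legitimately uses.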
Practical Firewall Implementations
• Primary task is to filter packets
  – But systems and requirements are complex
• Consider
  – All the protocols and services
  – Stateless vs. stateful firewalls
  – Network functions: NAT, forwarding, etc.
• Practical implementation: Linux iptables
  – http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
  – http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch-iptables.html
CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger
Netfilter hooks
• Series of hooks in the Linux network protocol stack
• At each Netfilter hook
  – An iptables rule set is evaluated
• Hook placements
[Diagram: PREROUTING, then the routing decision; forwarded packets pass through FORWARD and POSTROUTING, locally delivered packets go to INPUT, and locally generated packets enter at OUTPUT and then POSTROUTING.]
iptables Concepts
• Table
  – A group of chains for one purpose: filter (the default), nat, mangle
• Chain
  – List of rules associated with the chain identifier
  – E.g., hook name (INPUT, OUTPUT, FORWARD, ...)
• Match
  – When all of a rule's fields match the packet (protocol-specific)
• Target
  – Operation to execute on a packet given a match (e.g., ACCEPT, DROP, or jump to a user-defined chain)
iptables Commands
• iptables [-t <table_name>] <cmd> <chain> <plist>
• Commands
  – Append a rule to the end of a chain (-A), or insert it at a specific position (-I)
  – Delete a specific rule in a chain (-D), by rule number or by repeating its specification
  – Flush a chain (-F)
  – List a chain (-L)
  – Create a new user-specified chain (-N)
  – Replace a rule (-R)
Test it out (as root)
• PING on localhost
  – ping -c 1 127.0.0.1
• Add an iptables rule to block it
  – iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
• Try ping again: the request is dropped on INPUT, so no reply arrives
• Delete the rule (any one of these)
  – iptables -D INPUT 1
  – iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
  – iptables -F INPUT
Testing
• Use loopback to test the rules locally on your machine
  – IP address 127.0.0.1
• ICMP
  – submit ping requests to 127.0.0.1 as above
• TCP
  – submit requests to 127.0.0.1 at a specific port
  – server
    • nc -l -p 3750
    • listen on port 3750 (traditional netcat syntax; OpenBSD netcat takes nc -l 3750)
  – client
    • nc -p 3000 localhost 3750
    • send from port 3000 to localhost at port 3750
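The loopback experiment from the preceding slides, emulated as an added example that is not code from the lecture or from the netfilter project: a small parser for the iptables command syntax shown on the Commands slide, the chain operations the test uses (-A, -I, -D by number and by specification, -R, -F, -L, -N), and a first-match evaluator with a per-chain default policy. Only the options that appear on the slides (-s, -d, -p, --dport, -j) are supported, only the filter table is modelled, and the packets are constructed; nothing here changes the kernel's rules.

```python
"""Emulation of the iptables chain operations used in the loopback test.

Added example; not code from the lecture or the netfilter project. Supports
only the options on the slides (-s, -d, -p, --dport, -j) and the filter table.
"""
import shlex

FILTER = {"INPUT": [], "FORWARD": [], "OUTPUT": []}   # chain -> ordered rules
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}


def parse_rule(tokens):
    """Turn the match/target options of an iptables command into a rule dict."""
    rule = {"src": None, "dst": None, "proto": None, "dport": None, "target": None}
    it = iter(tokens)
    for tok in it:
        if tok == "-s":
            rule["src"] = next(it)
        elif tok == "-d":
            rule["dst"] = next(it)
        elif tok == "-p":
            rule["proto"] = next(it).lower()
        elif tok == "--dport":
            rule["dport"] = int(next(it))
        elif tok == "-j":
            rule["target"] = next(it)
        else:
            raise ValueError(f"unsupported option {tok}")
    if rule["target"] is None:
        raise ValueError("rule needs a target (-j)")
    return rule


def iptables(cmdline, chains=FILTER):
    """Apply one command line such as 'iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP'.

    Returns the chain's rules for -L, None otherwise. The chain argument is
    required (real iptables lets -F and -L default to every chain).
    """
    argv = shlex.split(cmdline)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    if argv[:1] == ["-t"]:
        if argv[1] != "filter":
            raise ValueError("only the filter table is emulated")
        argv = argv[2:]
    cmd, chain, rest = argv[0], argv[1], argv[2:]
    if cmd == "-N":
        chains[chain] = []                         # new user-defined chain
    elif cmd == "-A":
        chains[chain].append(parse_rule(rest))
    elif cmd == "-I":
        pos = 1                                    # -I defaults to the head
        if rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        chains[chain].insert(pos - 1, parse_rule(rest))
    elif cmd == "-R":
        chains[chain][int(rest[0]) - 1] = parse_rule(rest[1:])
    elif cmd == "-D":
        if len(rest) == 1 and rest[0].isdigit():
            del chains[chain][int(rest[0]) - 1]    # rule numbers are 1-based
        else:
            chains[chain].remove(parse_rule(rest)) # first rule equal to the spec
    elif cmd == "-F":
        chains[chain].clear()
    elif cmd == "-L":
        return list(chains[chain])
    else:
        raise ValueError(f"unsupported command {cmd}")
    return None


def verdict(chain, pkt, chains=FILTER, policy=POLICY):
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chains[chain]:
        if all(rule[k] is None or rule[k] == pkt.get(k) for k in ("src", "dst", "proto", "dport")):
            return rule["target"]
    return policy[chain]


def loopback_ping_test():
    """The slide's experiment: ping passes, the DROP rule blocks it, and each
    of the three deletion forms restores it. Returns the verdict sequence."""
    ping = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "icmp"}   # constructed echo request
    chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    out = [verdict("INPUT", ping, chains)]
    iptables("iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP", chains)
    out.append(verdict("INPUT", ping, chains))
    iptables("iptables -D INPUT 1", chains)                              # by rule number
    out.append(verdict("INPUT", ping, chains))
    iptables("iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP", chains)
    iptables("iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP", chains)  # by specification
    out.append(verdict("INPUT", ping, chains))
    iptables("iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP", chains)
    iptables("iptables -F INPUT", chains)                                # flush the chain
    out.append(verdict("INPUT", ping, chains))
    return out


def loopback_tcp_test():
    """The nc experiment: a --dport rule blocks traffic to the listener's port
    but says nothing about the client's port. Returns [to_listener, reply]."""
    chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    iptables("iptables -A INPUT -p tcp --dport 3750 -j DROP", chains)
    to_listener = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "tcp", "sport": 3000, "dport": 3750}
    reply = {"src": "127.0.0.1", "dst": "127.0.0.1", "proto": "tcp", "sport": 3750, "dport": 3000}
    return [verdict("INPUT", to_listener, chains), verdict("INPUT", reply, chains)]


if __name__ == "__main__":
    print("ping:", loopback_ping_test())
    print("nc:  ", loopback_tcp_test())
```

Two details worth carrying over to the real tool: `-D INPUT 1` is 1-based and deletes whatever currently sits first, so after other edits it may not be the rule you added, whereas repeating the specification deletes exactly that rule; and a `--dport 3750` rule on INPUT only affects packets headed for the listener, not the listener's replies, which are evaluated by their own destination port.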
iptables Rule Parameters
• Destination/source (-d, -s)
  – IP address range and netmask
• Protocol of the packet (-p)
  – ICMP, TCP, etc.
• Fragmented only (-f)
• Incoming/outgoing interface (-i, -o)
• Target on rule match (-j)
Per Protocol Options
• Specialized matching options for rules
  – Specific to the protocol
• TCP
  – Source/destination ports (--sport, --dport)
  – SYN (--syn: SYN set with ACK, RST and FIN clear, i.e. a connection-opening packet; equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)
  – TCP flags (--tcp-flags <mask> <set>)