Firewalls Network Security: Firewalls, • “A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks” - NCSA Firewall Functional Summary Computer Security • Usually, a computer that keeps the bad March 7, 2005 guys out Lecture 14 Lecture 14 Page 1 Page 2 CS 239, Winter 2005 CS 239, Winter 2005 Typical Use of a Firewall What Is a Firewall, Really? • Typically a machine that sits between a LAN/WAN and the Internet ??? ??? The • Running special software Firewall • That somehow regulates network Internet traffic between the LAN/WAN and the Local Network Internet Lecture 14 Lecture 14 Page 3 Page 4 CS 239, Winter 2005 CS 239, Winter 2005 Weaknesses of Perimeter Firewalls and Perimeter Defense Defense Models • Firewalls implement a form of security • Breaching the perimeter compromises all called perimeter defense security • Protect the inside of something by • Windows passwords are a form of perimeter defending the outside strongly defense – The firewall machine is often called a – If you get past the password, you can do bastion host anything • Control the entry and exit points • Perimeter defense is part of the solution, not • If nothing bad can get in, I’m safe, right? the entire solution Lecture 14 Lecture 14 Page 5 Page 6 CS 239, Winter 2005 CS 239, Winter 2005 1
Defense in Depth Weaknesses of Perimeter Defense • An old principle in warfare • Don’t rely on a single defensive mechanism or defense at a single point • Combine different defenses • Defeating one defense doesn’t defeat your entire plan Lecture 14 Lecture 14 Page 7 Page 8 CS 239, Winter 2005 CS 239, Winter 2005 So What Should Happen? Or, Better Lecture 14 Lecture 14 Page 9 Page 10 CS 239, Winter 2005 CS 239, Winter 2005 Or, Even Better So Are Firewalls Any Use? • Definitely! • They aren’t the full solution, but they are absolutely part of it • Anyone who cares about security needs to run a decent firewall • They just have to do other stuff, too Lecture 14 Lecture 14 Page 11 Page 12 CS 239, Winter 2005 CS 239, Winter 2005 2
Types of Firewalls Filtering Gateways • Filtering gateways • Based on packet routing information – AKA screening routers • Look at information in the incoming • Circuit gateways packets’ headers – Also a kind of screening router • Based on that information, either let • Application level gateways the packet through or reject it – AKA proxy gateways • Hybrid (complex) gateways Lecture 14 Lecture 14 Page 13 Page 14 CS 239, Winter 2005 CS 239, Winter 2005 Example Use of A Fundamental Problem Filtering Gateways • Today’s IP packet headers aren’t • Allow particular external machines to authenticated telnet into specific internal machines –And are pretty easy to forge –Denying telnet to other machines • If your filtering firewall trusts packet • Or allow full access to some external headers, it offers little protection machines • Situation may be improved by IPsec • And none to others –But hasn’t been yet Lecture 14 Lecture 14 Page 15 Page 16 CS 239, Winter 2005 CS 239, Winter 2005 One Exception to This Problem Filtering Based on Ports • Most incoming traffic is destined for a • Checking internal addresses particular machine and port • Safety procedures inside the security – Which can be derived from the IP and perimeter may limit some services to TCP headers LAN members • Only let through packets to select machines • The firewall can check that incoming at specific ports packets don’t claim to be internal to • Makes it impossible to externally exploit the LAN flaws in little-used ports – If you configure the firewall right . . . Lecture 14 Lecture 14 Page 17 Page 18 CS 239, Winter 2005 CS 239, Winter 2005 3
Pros and Cons of Circuit Gateways Filtering Gateways + Fast • Another kind of filtering firewall + Cheap • Used when internal machines request + Flexible service from machines outside the + Transparent firewall – Limited capabilities • Makes it look like the request came – Dependent on header authentication from the firewall – Generally poor logging –Concealing internal system details – May rely on router security Lecture 14 Lecture 14 Page 19 Page 20 CS 239, Winter 2005 CS 239, Winter 2005 How Application Level Application Level Gateways Gateways Work • The firewall serves as a general • Also known as proxy gateways and stateful framework firewalls • Firewalls that understand the application- • Various proxies are plugged into the level details of network traffic framework – To some degree • Incoming packets are examined • Traffic is accepted or rejected based on the –And handled by the appropriate probable results of accepting it proxy Lecture 14 Lecture 14 Page 21 Page 22 CS 239, Winter 2005 CS 239, Winter 2005 Firewall Proxies An Example Proxy • Programs capable of understanding • A proxy to audit email particular kinds of traffic • What might such a proxy do? –E.g., FTP, HTTP, videoconferencing – Only allow email from particular users • Proxies are specialized through – Or refuse email from known spam sites • A good proxy must have deep understanding of the network – Or filter out email with unsafe inclusions application (like executables) Lecture 14 Lecture 14 Page 23 Page 24 CS 239, Winter 2005 CS 239, Winter 2005 4
Pros and Cons of Application What Are the Limits of Proxies? Level Gateways • Proxies can only test for threats they + Highly flexible understand + Good logging • Either they must permit a very limited + Content-based filtering set of operations + Potentially transparent • Or they must have deep understanding – Slower of the program they protect – More complex and expensive –If too deep, they may share the flaw – A good proxy is hard to find Lecture 14 Lecture 14 Page 25 Page 26 CS 239, Winter 2005 CS 239, Winter 2005 Hybrid Gateways More Firewall Topics • A combination of two or more other • Statefulness types • Transparency –Typically filtering gateways and • Handling authentication proxy gateways • Handling encryption • Are they better? • Looking for viruses –If in parallel, no –If in series, maybe Lecture 14 Lecture 14 Page 27 Page 28 CS 239, Winter 2005 CS 239, Winter 2005 Stateful Firewalls Firewalls and Transparency • Much network traffic is connection- • Ideally, the firewall should be invisible oriented –Except when it vetoes access –E.g., telnet and videoconferencing • Users inside should be able to • Proper handling of that traffic requires communicate outside without knowing the firewall to maintain state about the firewall • But handling information about • External users should be able to invoke connections is more complex internal services transparently Lecture 14 Lecture 14 Page 29 Page 30 CS 239, Winter 2005 CS 239, Winter 2005 5
Firewalls and Authentication Firewalls and Encryption • Firewalls provide no confidentiality • Many systems want to allow specific sites – For data they pass back and forth or users special privileges • Unless the data is encrypted • Firewalls can only support that to the extent • But if the data is encrypted, the firewall that strong authentication is available can’t examine it – At the granularity required • So typically the firewall must be able to • For general use, may not be possible decrypt – In current systems – Or only work on unencrypted parts of packets Lecture 14 Lecture 14 Page 31 Page 32 CS 239, Winter 2005 CS 239, Winter 2005 Firewalls and Link Encryption Firewalls and Viruses • Inter-firewall encryption is essentially link • Firewalls are an excellent place to check for level encryption viruses – With all inherent problems • Virus detection software can be run on incoming executables – Except (presumably) that only trusted machines encrypt and decrypt • Requires that firewall knows when executables come in • More encryption can be applied at the application level • And must be reasonably fast – Limiting the firewall’s options • Again, might be issues with encryption Lecture 14 Lecture 14 Page 33 Page 34 CS 239, Winter 2005 CS 239, Winter 2005 Firewall Configuration and Firewall Location Administration • Clearly, between you and the bad guys • Again, the firewall is the point of • But you may have some very different types attack for intruders of machines/functionalities • Thus, it must be extraordinarily secure • Sometimes makes sense to divide your network into segments • How do you achieve that level of – Most typically, less secure public security? network and more secure internal network – Using separate firewalls Lecture 14 Lecture 14 Page 35 Page 36 CS 239, Winter 2005 CS 239, Winter 2005 6
Recommend
More recommend