U of I CS 498 - Firewall Technology

This preview shows page 1-2-3-18-19-36-37-38 out of 38 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 38 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Firewall Technology
Cyber Security, Spring 2008 (1/24/2008)

Outline
- Basics of firewalling
- Architectures
- Network Address Translation
- Logging
- Advanced topics: identity in firewalls, multiple security levels, firewall futures

Reading Material
- Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin and Rubin (new second edition)
- Network Security Principles and Practices, Saadat Malik (Cisco oriented)
- PIX 7.0 Configuration Guide: http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a0080450278.html
- PIX 7.0 Command Reference: http://www.cisco.com/en/US/products/ps6120/products_command_reference_book09186a00805fbad6.html
- "Firewall and Internet Security: the Second Hundred Internet Years", a firewall overview article from 1999: http://www.cisco.com/warp/public/759/ipj_2-2/ipj_2-2_fis1.html

Presentation Bias
- Talking from my experience, colored by Cisco firewalls: Centri, PIX, IOS FW, Firewall Service Module
- The enterprise firewall producers chase each other, so similar issues arise in Netscreen/Juniper and Checkpoint
- Personal firewalls address a subset of the issues that enterprise firewalls do

Firewall Goal
- Insert after-the-fact security by wrapping or interposing a filter on network traffic
[Figure: Inside | firewall | Outside]

Security Domains
[Figure: nested domains: Internet, Partner Network, Corporate Network, Control Network]

Several Firewall Styles
- Differ primarily on what layers of the network stack they consider:
  - Packet filter
  - Application proxy
  - Stateful packet filter

Application Proxy
- Firewall software runs in application space on the firewall
- The traffic source must be aware of the proxy and add an additional header
- Leverages basic network stack functionality to sanitize application-level traffic:
  - Block Java or ActiveX
  - Filter out bad URLs
  - Ensure well-formed
    protocols, or block suspect aspects of a protocol
- Not used much anymore

Packet Filter
- Operates at Layer 3, in a router or hardware firewall
- Has access to the Layer 3 header and the Layer 4 header
- Can block traffic based on source and destination address, ports and protocol
- Does not reconstruct the Layer 4 payload, so cannot do reliable analysis of Layer 4 or higher content

Stateful Packet Filters
- Evolved as packet filters aimed for proxy functionality
- In addition to Layer 3 reassembly, can reconstruct Layer 4 traffic
- Some application-layer analysis exists, e.g. for HTTP, FTP, H.323
  - Called Context-Based Access Control (CBAC) on IOS
  - Configured by the fixup command on PIX
- Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
- Reconstruction and analysis can be expensive
- Must be configured on specified traffic streams: at a minimum the user must tell the firewall what kind of traffic to expect on a port (e.g. port 80 is just a clue that the incoming traffic will be HTTP)
- Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly

Traffic Reconstruction (FTP example)
[Figure: host X inside, host Y outside; X opens an FTP control connection to Y]
- X to Y: "GET /etc/passwd" (on the wire, a PORT command followed by RETR)
- The GET command causes the firewall to dynamically open the data channel, which is initiated from Y back to X
- The firewall might also have a filter for files to block, like /etc/passwd

Access Control Lists (ACLs)
- Used to define traffic streams; bind ACLs to an interface and an action
- An Access Control Entry (ACE) contains:
  - Source address
  - Destination address
  - Protocol (e.g. IP, TCP, UDP, ICMP, GRE)
  - Source port
  - Destination port
- ACL runtime lookup: linear; N-dimensional tree lookup (PIX Turbo ACL); object groups; hardware classification assists

Activating Proxy Control
- A given firewall type has a fixed set of application proxies
- Configurations range on the granularity at which you can activate the proxies:
  - Activate for all traffic with a particular destination port
  - Activate for traffic matching a particular ACL
- Some proxies might be activated by default
- Activating a proxy will dynamically open holes for related protocol channels

Address Translation
- Traditional NAT: RFC 3022 is the reference RFC
- Maps a real address to an alias address:
  - Real address: associated with the physical device, generally an unroutable (private) address
  - Alias address: generally routable, associated with the translation device
- Originally motivated by limited access to publicly routable IP addresses
- Later folks said this also added security, by hiding the structure of the internal network and obscuring access to internal machines
- Adds complexity to firewall technology: the device must dig around in the data stream to rewrite references to IP addresses and ports, which limits how quickly new protocols can be firewalled

NAT Example
- Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1
- Static map from inside to DMZ: 192.168.1.5 to 128.274.1.5
[Figure: inside 192.168.1.0/24 | enforcing device | DMZ 10.10.10.0/24 | outside (Internet)]

Address Hiding (NAPT)
- Many-to-few dynamic mapping: packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime
- Port remapping makes this sharing more scalable: two real addresses can be rewritten to the same alias address, with the source port rewritten to differentiate the streams
- Traffic must be initiated from the real side

NAT Example (hiding)
- Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1
[Figure: inside packet Src 192.168.1.1, Dst microsoft.com -> enforcing device -> outside packet Src 128.274.1.1, Dst microsoft.com; DMZ 10.10.10.0/24 attached to the enforcing device]

Static Mapping
- One-to-one fixed mapping: one real address is mapped to one alias address at configuration time
- Traffic can be initiated from either side
- Used to statically map out a small set of servers from a network that is otherwise hidden
- Static port remapping
  is also available

NAT Example (static)
- Static map from inside to DMZ: 192.168.1.5 to 128.274.1.5
[Figure: inside packet Src 192.168.1.5, Dst 10.10.10.1 -> enforcing device -> DMZ 10.10.10.0/24 packet Src 128.274.1.5, Dst 10.10.10.1; outside (Internet)]

Proxy ARP
- Routers and firewalls produce ARP replies for addresses behind them (http://www.cisco.com/en/US/tech/tk648/tk361/techn)
- Goal: to help with routing
- If misconfigured, can bring down the network
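The stateful packet filter, FTP traffic reconstruction, ACL and proxy-activation slides above describe one mechanism from three angles: a linear first-match ACL admits new connections, a connection table lets replies flow without consulting the ACL again, and an application inspection engine (CBAC / fixup) parses the control channel to open a one-shot hole for the negotiated data channel and to filter file names. The following Python is an added example written for this page, not code from the lecture or from any Cisco product; StatefulFirewall, ACE, Packet, the blocked-file list and the RFC 5737 documentation addresses 192.0.2.10 (client X) and 198.51.100.5 (server Y) are all the example's own assumptions. It also adds one check the slides do not mention: the PORT command must name the client's own address, which is what defeats the classic FTP bounce attack.

```python
"""Toy stateful packet filter with an FTP inspection engine.

Added example for this page; not code from the lecture or from PIX/IOS.
Addresses are RFC 5737 documentation ranges chosen for the demo."""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""    # application data carried in this segment, if any


@dataclass(frozen=True)
class ACE:
    """One access-control entry; dport=None means 'any destination port'."""
    action: str             # "permit" or "deny"
    proto: str              # "ip" (any), "tcp", "udp", ...
    src: str                # CIDR prefix
    dst: str                # CIDR prefix
    dport: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


class StatefulFirewall:
    def __init__(self, acl: list, blocked_files=("/etc/passwd",)):
        self.acl = acl
        self.conns = set()          # 5-tuples of connections the ACL (or a pinhole) admitted
        self.pinholes = set()       # (src, dst, dport, proto) holes opened by inspection
        self.blocked_files = set(blocked_files)

    def acl_lookup(self, pkt: Packet) -> str:
        """Linear first-match evaluation with the implicit deny at the end of the ACL."""
        for ace in self.acl:
            if ace_matches(ace, pkt):
                return ace.action
        return "deny"

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        hole = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
        if fwd in self.conns or rev in self.conns:
            pass                                    # established: both directions flow
        elif hole in self.pinholes:
            self.pinholes.discard(hole)             # one-shot hole for the negotiated channel
            self.conns.add(fwd)
        elif self.acl_lookup(pkt) == "permit":
            self.conns.add(fwd)
        else:
            return "deny"
        # Inspection only runs on traffic the admin declared as FTP (port 21 here);
        # the port number is just the clue, the engine still has to parse the bytes.
        if pkt.proto == "tcp" and pkt.dport == 21 and pkt.payload:
            return self._ftp_inspect(pkt)
        return "permit"

    def _ftp_inspect(self, pkt: Packet) -> str:
        cmd = pkt.payload.decode("ascii", "replace").strip()
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", cmd)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
            if addr != pkt.src:                     # FTP bounce: PORT must name the client
                return "deny"
            # Active mode: the server (pkt.dst) will connect back to the client addr:port.
            self.pinholes.add((pkt.dst, addr, port, "tcp"))
            return "permit"
        m = re.fullmatch(r"RETR (.+)", cmd)
        if m and m.group(1).strip() in self.blocked_files:
            return "deny"                           # file-name filter on the control channel
        return "permit"


def demo() -> list:
    """Replay the slide's X->Y FTP scenario; returns the verdict for each packet."""
    inside, outside = "192.0.2.10", "198.51.100.5"  # X and Y, documentation addresses
    fw = StatefulFirewall([
        ACE("permit", "tcp", "192.0.2.0/24", "0.0.0.0/0", 21),   # inside may open FTP control
        ACE("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),             # explicit catch-all deny
    ])
    steps = [
        Packet(inside, outside, "tcp", 40000, 21),                              # control SYN
        Packet(inside, outside, "tcp", 40000, 21, b"PORT 192,0,2,10,4,1\r\n"),  # client port 1025
        Packet(outside, inside, "tcp", 20, 1025),   # Y initiates the data channel back to X
        Packet(outside, inside, "tcp", 20, 1026),   # no pinhole for this port
        Packet(inside, outside, "tcp", 40000, 21, b"RETR /etc/passwd\r\n"),
        Packet(inside, outside, "tcp", 40000, 21, b"RETR /pub/README\r\n"),
        Packet(outside, inside, "tcp", 22, 40001),  # unsolicited inbound, no state
    ]
    return [fw.process(p) for p in steps]
```

The toy parses one FTP command per segment and never reassembles the TCP stream, which is exactly the gap the "degree of reconstruction varies per platform" bullet warns about: an engine that inspects segment by segment can be bypassed by splitting "PORT" across two segments, so a production fixup must reassemble (and normalize) before it parses. Note also that the pinhole is consumed on first use; leaving it open would turn every FTP session into a standing inbound hole.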
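The Address Translation, Address Hiding (NAPT) and Static Mapping slides above fix three rules that are easy to state and easy to get wrong in a firewall policy: NAPT may only be created by traffic from the real side, port remapping is what lets two real hosts share one alias address, and a static one-to-one entry can be initiated from either side. The following Python is an added example written for this page, not code from the lecture or from any vendor; NatDevice, Packet and the addresses are the example's own assumptions. It uses RFC 5737 documentation ranges (192.0.2.0/24 for the hidden inside network, 203.0.113.1 for the alias pool, 203.0.113.5 for the static alias, 198.51.100.9 for an outside host) rather than the slides' 128.274.1.x, because an octet of 274 is not a valid IPv4 address as printed.

```python
"""Toy RFC 3022-style translator: NAPT (many-to-few) plus static one-to-one.

Added example for this page; not from the lecture or any firewall product.
Addresses are RFC 5737 documentation ranges chosen for the demo."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatDevice:
    def __init__(self, inside_net: str, alias_pool: list, first_port: int = 1024):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.alias_pool = alias_pool        # small pool of routable alias addresses
        self.next_port = first_port         # next port handed out when remapping is needed
        self.static = {}                    # real -> alias, fixed at configuration time
        self.dyn = {}                       # (real, port, proto) -> (alias, port), runtime
        self.rev = {}                       # (alias, port, proto) -> (real, port), runtime

    def add_static(self, real: str, alias: str) -> None:
        self.static[real] = alias

    def _allocate(self, sport: int, proto: str):
        # Prefer keeping the real source port on some alias address; when every
        # alias already uses that port, rewrite the port to tell the streams apart.
        for alias in self.alias_pool:
            if (alias, sport, proto) not in self.rev:
                return alias, sport
        while (self.alias_pool[0], self.next_port, proto) in self.rev:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return self.alias_pool[0], port

    def outbound(self, pkt: Packet) -> Packet:
        """Real side -> alias side. Static hosts keep their port; others get NAPT."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                                  # not a hidden address, e.g. DMZ
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.dyn:                         # state is created only here,
            alias, port = self._allocate(pkt.sport, pkt.proto)   # i.e. from the real side
            self.dyn[key] = (alias, port)
            self.rev[(alias, port, pkt.proto)] = (pkt.src, pkt.sport)
        alias, port = self.dyn[key]
        return replace(pkt, src=alias, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Alias side -> real side. None means the packet is dropped."""
        for real, alias in self.static.items():
            if pkt.dst == alias:
                return replace(pkt, dst=real)           # static: outside may initiate
        key = (pkt.dst, pkt.dport, pkt.proto)
        if key in self.rev:
            real, port = self.rev[key]
            return replace(pkt, dst=real, dport=port)   # reply to a real-initiated flow
        return None                                     # no state: the inside host stays hidden


def demo() -> list:
    """Replay the slides' hiding and static-map cases; returns (src, sport, dst, dport) or None."""
    nat = NatDevice("192.0.2.0/24", ["203.0.113.1"])
    nat.add_static("192.0.2.5", "203.0.113.5")
    web = "198.51.100.9"
    out = []
    a = nat.outbound(Packet("192.0.2.1", 40000, web, 80))
    b = nat.outbound(Packet("192.0.2.2", 40000, web, 80))      # same source port: remapped
    out += [a, b]
    out.append(nat.inbound(Packet(web, 80, a.src, a.sport)))    # reply to host .1
    out.append(nat.inbound(Packet(web, 80, b.src, b.sport)))    # reply to host .2
    out.append(nat.inbound(Packet(web, 12345, "203.0.113.1", 22)))  # unsolicited: dropped
    out.append(nat.inbound(Packet(web, 5555, "203.0.113.5", 22)))   # static: outside initiates
    out.append(nat.outbound(Packet("192.0.2.5", 22, web, 5555)))    # static host keeps its port
    return [None if p is None else (p.src, p.sport, p.dst, p.dport) for p in out]
```

The table only rewrites headers; the "adds complexity" bullet is about everything this toy leaves out. A PORT command from 192.0.2.1 still carries 192,0,2,1 in its payload after translation, so the translator has to reach into the FTP control stream and rewrite the address and port there too, with the matching pinhole keyed on the alias, which is why NAT for a new protocol waits on an inspection engine for that protocol.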