CORNELL CS 5190 - Lecture 7: Firewalls and NATs


CS519: Computer Networks
Lecture 7: Apr 14, 2004
Firewalls and NATs

Network security topics
- I'm going to limit "network security" to three topic areas:
  - Network access issues (user or host authentication, and VPNs)
  - Site protection issues (firewalls and VPNs)
  - Flow encryption issues (including key distribution)
    - IPsec at network layer
    - TLS or SSL or SSH at transport layer
- I'm excluding application-level security, like S/MIME or secure email, as well as Kerberos

Site with no firewall
[Figure: ISP Router -- Link (T1 etc.) -- Site Router -- Site Network]

Site with firewall
[Figure: ISP Router -- Site Router -- Firewall -- Site Network]

Site with firewall
[Figure: ISP Router -- Firewall -- Site Router. (Nothing is this simple!)]

DMZ ("De-Militarized Zone")
[Figure: ISP Router -- Firewall/NAT -- DMZ]
DMZ: Network outside of the site security perimeter, used to deploy firewall(s) and publicly available services (Web, FTP, DNS, etc.)

Various DMZ deployments are possible
[Figure: ISP Router, Site Routers and Firewall/NAT boxes in several alternative placements]

History: Firewalls were rogue components
- Firewall/DMZ architecture never part of the "official" Internet Architecture
  - Purely a commercial creation
  - Distrusted by IAB (Internet Architecture Board)
- "Crunchy on the outside, soft on the inside"
  - "All security should be end-to-end", etc.

Firewall model held up well until recently
- Email viruses and laptops now cause havoc
  - Firewalls scan incoming email, but laptops bypass firewalls
- Nowadays sites are proactive about what can attach to the internal network
  - Newly attached hosts are scanned for latest virus software and profiles
  - More and more, internal switches have firewall functionality, monitor all traffic!

Firewalls not just protection from outside attackers
- Bandwidth control
  - Block (or choke) high volume, non-critical applications
  - Kazaa
- Employee network usage control
  - Block games, pornography, non-business uses
- Privacy
  - Don't let outside see what you have, how big you are, etc.
  - Similar to making corporate phone directory proprietary

Firewall functions
- Dropping packets
  - According to 5-tuple and direction of packet (incoming or outgoing)
    - Recall: 5-tuple = src/dst address, src/dst port, protocol
  - According to "conversation"
    - Multiple related flows, like FTP, SIP
  - According to higher-layer info (i.e. URL, email attachments)
- Steering packets/messages
  - To other filters, like spam filter, virus checker, HTTP filter, etc.
- Logging flows and statistics

Simple firewall policy configuration

  Source       Dest         App   Action
  any-inside   dmz-mail     SMTP  allow
  any-inside   any-outside  SMTP  drop
  any-inside   any-outside  HTTP  allow
  any-outside  any-inside   any   drop
  any-inside   any-outside  FTP   allow
  any-inside   any-outside  any   drop

Conversations
- FTP consists of two flows, control flow and data flow
- Firewall must be smart enough to read control flow, identify subsequent data flow
- True for SIP as well

Stateful and stateless firewalls
- Original firewalls were stateless
  - Maintain static filter list, but no per-flow state
  - For TCP, only look at SYN
    - Means that non-SYN TCP packets are allowed even if they should be blocked!
  - No concept of conversation
- Modern firewalls are typically stateful
  - Maintains dynamic list of all allowed flows
  - Better capability, harder to scale

Routing-based or callout-based steering (1/2)
- Callout-based:
  - User-customized functions may be called at specific checkpoints
    - i.e. after each individual email in an email stream
    - after each HTTP GET
  - These callouts can operate on the firewall box, or send messages to another box
    - i.e. after each mail message, local callout looks for attachments, and if found sends mail to a virus checker

Routing-based or callout-based steering (2/2)
- Routing-based
  - Packets matching policy rule sent to another box
  - Destination address may be modified to that of the box
    - if box is not promiscuous

Firewall arms race
- Firewalls make it hard to introduce new applications
  - Because firewall rules tend to err on the side of prevention
- As a result, many new apps are built over HTTP
  - Or at least can fall back on HTTP if better performing protocols are blocked
  - Firewalls respond by looking deeper into HTTP/HTML, but this is hard

Case study: Windows Media
- Can run in four modes (from most to least efficient):
  1. IP multicast
  2. UDP
  3. TCP
  4. HTTP
- Windows Media client will attempt to connect in the above order
- TCP firewall "holes" are simple to configure
  - TCP port 1755
  - Admin can specify which UDP ports
- Also allows a proxy in the DMZ

Windows Media client network configuration
[Figure: screenshot of the Windows Media client network configuration dialog]

Ethereal trace: First MMS stream
[Binary MMS packet dump; the readable strings in the capture are:]
  NSPlayer/7.1.0.3055; {D4C55213-364F-4CF6-A7F6-90F4DFBA98F8}; Host: wm.sony.global.speedera.net
  4.1.0.3923
  \\128.84.99.231\UDP\23663
  FunnelOfThe
  wm.sony.global/PearlJam/saveyoufullvid_100.wmv
  ...

Ethereal trace: Second MMS stream
[Binary MMS packet dump; the readable strings in the capture are:]
  NSPlayer/7.1.0.3055; {D4C55213-364F-4CF6-A7F6-90F4DFBA98F8}; Host: wm.sony.global.speedera.net
  4.1.0.3923
  \\128.84.99.231\TCP\23673
  FunnelOfThe
  wm.sony.global/PearlJam/saveyouf
(The first stream asks for a UDP data channel; the second falls back to TCP, matching the connection order listed on the Windows Media slide.)
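The policy-table, "Conversations" and "Stateful and stateless firewalls" slides above can be tied together in a small model. The following is an added example written for these notes, not code from the lecture: it evaluates the slide's rule table top-down with first-match semantics (an assumption; the slide gives no evaluation order), shows why a SYN-only stateless filter passes stray non-SYN segments, and shows a stateful firewall reading the FTP control flow (active-mode PORT command, with the server connecting from port 20) to admit the data flow that the static table alone would drop. The zone prefixes, port-to-app mapping, addresses and packets are constructed for the example.

```python
"""Toy first-match packet filter modelling the lecture's policy table,
the stateless (SYN-only) weakness, and FTP conversation tracking."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed zone definitions: the slide names zones but gives no prefixes.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),       # assumed site network
    "dmz-mail": ipaddress.ip_network("192.0.2.25/32"),  # assumed DMZ mail relay
}
APP_PORTS = {"FTP": 21, "HTTP": 80, "SMTP": 25}  # assumed App -> TCP server port

# Policy table from the slide, evaluated top-down, first match wins (assumed).
RULES = [
    ("any-inside",  "dmz-mail",    "SMTP", "allow"),
    ("any-inside",  "any-outside", "SMTP", "drop"),
    ("any-inside",  "any-outside", "HTTP", "allow"),
    ("any-outside", "any-inside",  "any",  "drop"),
    ("any-inside",  "any-outside", "FTP",  "allow"),
    ("any-inside",  "any-outside", "any",  "drop"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP SYN, i.e. a new connection attempt
    payload: bytes = b""  # application data, inspected on FTP control flows


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def zone_matches(zone, spec):
    if spec == "any-inside":
        return zone == "inside"
    if spec == "any-outside":
        return zone != "inside"
    return zone == spec


def app_matches(pkt, app):
    return app == "any" or (pkt.proto == "tcp" and pkt.dport == APP_PORTS[app])


def lookup(pkt):
    """Static rule lookup on the 5-tuple and direction; default deny."""
    for src_spec, dst_spec, app, action in RULES:
        if (zone_matches(zone_of(pkt.src), src_spec)
                and zone_matches(zone_of(pkt.dst), dst_spec)
                and app_matches(pkt, app)):
            return action
    return "drop"


def stateless_filter(pkt):
    """Original-style firewall: only TCP SYNs are checked against the table,
    so every non-SYN segment is waved through (the weakness the slide notes)."""
    if pkt.proto == "tcp" and not pkt.syn:
        return "allow"
    return lookup(pkt)


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    """Keeps a dynamic list of allowed flows and learns the FTP data flow
    from the control flow (active mode: server connects from port 20)."""

    def __init__(self):
        self.flows = set()     # 5-tuples admitted by the policy
        self.pinholes = set()  # data flows announced on an FTP control channel

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            self._inspect(pkt)          # part of a known conversation
            return "allow"
        if key in self.pinholes:        # the expected FTP data connection
            self.pinholes.discard(key)
            self.flows.add(key)
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"               # no flow state: stray segment, unlike stateless case
        action = lookup(pkt)
        if action == "allow":
            self.flows.add(key)
        return action

    def _inspect(self, pkt):
        # Read "PORT h1,h2,h3,h4,p1,p2" on the control flow and open the matching
        # inbound data flow, which rule 4 of the static table would otherwise drop.
        if pkt.proto == "tcp" and pkt.dport == APP_PORTS["FTP"]:
            m = PORT_RE.search(pkt.payload)
            if m:
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.pinholes.add((pkt.dst, 20, host, port, "tcp"))


def demo():
    """Constructed traffic: inside client 10.1.2.3 does active FTP to outside
    server 203.0.113.7; an outside host then sends a stray non-SYN segment."""
    client, server = "10.1.2.3", "203.0.113.7"
    fw = StatefulFirewall()
    control_syn = Packet(client, 40000, server, 21, "tcp", syn=True)
    port_cmd = Packet(client, 40000, server, 21, "tcp", payload=b"PORT 10,1,2,3,160,1\r\n")
    data_syn = Packet(server, 20, client, 160 * 256 + 1, "tcp", syn=True)
    stray = Packet("198.51.100.9", 4444, client, 445, "tcp")  # SYN flag not set
    return {
        "control": fw.filter(control_syn),               # allow: FTP rule
        "port_cmd": fw.filter(port_cmd),                 # allow: known flow, pinhole learned
        "data_stateful": fw.filter(data_syn),            # allow: via pinhole
        "data_stateless": stateless_filter(data_syn),    # drop: inbound, no conversation
        "stray_stateless": stateless_filter(stray),      # allow: SYN-only check
        "stray_stateful": fw.filter(stray),              # drop: no flow state
    }
```

Running `demo()` returns the six verdicts listed in the comments. The two contrasts worth noticing are `data_stateless` versus `data_stateful` (without reading the control flow, the inbound FTP data connection hits the "any-outside to any-inside: drop" rule) and `stray_stateless` versus `stray_stateful` (the SYN-only filter admits a segment that no flow ever established).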

