U of I CS 498 - Firewall Technology

This preview shows page 1-2-16-17-18-34-35 out of 35 pages.
Slides in the deck: Firewall Technology, Outline, Reading Material, Presentation Bias, Firewall Goal, Security Domains, Several Firewall Styles, Application Proxy, Packet Filter, Stateful Packet Filters, Traffic reconstruction, Access Control Lists (ACLs), Activating Proxy control, Address Translation, NAT example, Address Hiding (NAPT), NAT example, Static Mapping, NAT example, Logging, FW Runtime Characteristics, Point for other filtering, Multi-legged Firewalls, Classic Three Legged FW, Complications from Multiple Interfaces, Five Legged FW, Identity Aware Firewall, AAA Scenario, Firewall Blades, Transparent Firewalls, Firewall Virtualization, Is the Firewall Dead?, One Alternative, Another alternative, The Future

Firewall Technology
Cyber Security, Spring 2006
2/22/2006 CyberSecurity Spring 2006

Outline
• Basics of firewalling
– Architectures
– Network Address Translation
– Logging
• Advanced Topics
– Identity in firewalls
– Multiple security levels
• Firewall Futures

Reading Material
• “Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin, and Rubin.
– New second edition
• “Network Security Principles and Practices”, Saadat Malik
– Cisco oriented
• PIX 6.3 Configuration Guide http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html
• PIX 6.3 Command Reference http://cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html
• “Firewall and Internet Security, the Second Hundred (Internet) Years” http://www.cisco.com/warp/public/759/ipj_2-2/ipj_2-2_fis1.html
– A firewall overview article from 1999

Presentation Bias
• Talking from my experience
– Colored by Cisco firewalls: Centri, PIX, IOS FW, Firewall Service Module
• The enterprise firewall producers chase each other, so similar issues arise in Netscreen (Juniper) and Checkpoint
• Personal firewalls address a subset of the issues that enterprise firewalls do

Firewall Goal
• Insert after-the-fact security by wrapping or interposing a filter on network traffic

Security Domains
(figure: security domains: Internet, Corporate Network, Control Network, Partner Network)

Several Firewall Styles
• Differ primarily on what layers of the network stack they consider
– Packet Filter
– Application Proxy
– Stateful Packet Filter

Application Proxy
• Firewall software runs in application space on the firewall
• The traffic source must be aware of the proxy and add an additional header
• Leverage basic network stack functionality to sanitize application-level traffic
– Block Java or ActiveX
– Filter out “bad” URLs
– Ensure well-formed protocols or block suspect aspects of a protocol
• Not used much anymore

Packet Filter
• Operates at Layer 3 in a router or HW firewall
• Has access to the Layer 3 header and Layer 4 header
• Can block traffic based on source and destination address, ports, and protocol
• Does not reconstruct the Layer 4 payload, so cannot do reliable analysis of Layer 4 or higher content

Stateful Packet Filters
• Evolved as packet filters aimed for proxy functionality
• In addition to Layer 3 reassembly, it can reconstruct Layer 4 traffic
• Some application-layer analysis exists, e.g., for HTTP, FTP, H.323
– Called context-based access control (CBAC) on IOS
– Configured by the fixup command on PIX
• Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
• Reconstruction and analysis can be expensive
– Must be configured on specified traffic streams
– At a minimum the user must tell the firewall what kind of traffic to expect on a port, e.g., port 80 is just a clue that the incoming traffic will be HTTP
– Degree of reconstruction varies per platform, e.g., IOS does not do IP reassembly

Traffic reconstruction
(figure only; no text survived the preview)

Access Control Lists (ACLs)
• Used to define traffic streams
– Bind ACLs to an interface and an action
• An Access Control Entry (ACE) contains
– Source address
– Destination address
– Protocol, e.g., IP, TCP, UDP, ICMP, GRE
– Source port
– Destination port
• ACL runtime lookup
– Linear
– N-dimensional tree lookup (PIX Turbo ACL)
– Object groups
– HW classification assists

Activating Proxy control
• A given firewall type has a fixed set of application proxies
• Configurations range in the granularity at which you can activate the proxies
– Activate for all traffic with a particular destination port
– Activate for traffic matching a particular ACL
– Some proxies might be activated by default
• Activating a proxy will dynamically open holes for related protocol channels

Address Translation
• Traditional NAT: RFC 3022 (the reference RFC)
• Map a real address to an alias address
– Real address associated with the physical device, generally an unroutable address
– Alias address generally a routable address associated with the translation device
• Originally motivated by limited access to publicly routable IP addresses
– Folks didn’t want to pay for addresses and/or hassle with getting official addresses
• Later folks said this also added security
– By hiding the structure of the internal network
– By obscuring access to internal machines
• Adds complexity to firewall technology
– Must dig around in the data stream to rewrite references to IP addresses and ports
– Limits how quickly new protocols can be firewalled

NAT example
• Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1
• Static map from inside to DMZ: 192.168.1.5 to 128.274.1.5
(figure: firewall with inside, DMZ and outside interfaces)

Address Hiding (NAPT)
• Many-to-few dynamic mapping
– Packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime
• Port remapping makes this sharing more scalable
– Two real addresses can be rewritten to the same alias address
– Rewrite the source port to differentiate the streams
• Traffic must be initiated from the real side

NAT example
• Hide from inside to outside: 192.168.1.0/24 behind 128.274.1.1
(figure: firewall with inside, DMZ and outside interfaces; a packet Src=192.168.1.1 Dst=microsoft.com on the inside leaves the outside interface as Src=128.274.1.1 Dst=microsoft.com)

Static Mapping
• One-to-one fixed mapping
–
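The ACL slide and the NAPT slides, as one added example that is not part of the lecture: a toy inside-interface pipeline that does the linear first-match ACE lookup with an implicit deny, then many-to-few NAPT with source-port remapping, and that drops inbound packets for which no translation state exists, so only flows initiated from the real side get back in. The inside network 192.168.1.0/24 is the slides'; the alias 198.51.100.1 and the web server 203.0.113.10 are constructed stand-ins (the slides' 128.274.1.1 is not a valid dotted quad, and microsoft.com is replaced by an address), and the packet dict and field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ACE:
    """One Access Control Entry: action plus the fields the slides list."""
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches any protocol, otherwise "tcp", "udp", ...
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    dport: int = 0  # 0 == any destination port

    def matches(self, pkt):
        def in_net(cidr, addr):
            return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (self.proto in ("ip", pkt["proto"]) and in_net(self.src, pkt["src"])
                and in_net(self.dst, pkt["dst"]) and self.dport in (0, pkt["dport"]))

def acl_lookup(acl, pkt):
    """Linear runtime lookup: first matching ACE wins; implicit deny if none matches."""
    return next((ace.action for ace in acl if ace.matches(pkt)), "deny")

class NAPT:
    """Many-to-few hiding: each inside flow gets the one alias address and a unique alias port."""
    def __init__(self, alias_ip, first_port=1024):
        self.alias_ip, self.next_port, self.table = alias_ip, first_port, {}

    def outbound(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = next((p for p, f in self.table.items() if f == flow), None)
        if port is None:  # new flow: allocate the next free alias port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = flow
        return dict(pkt, src=self.alias_ip, sport=port)

    def inbound(self, pkt):
        # Traffic must be initiated from the real side: no state, or a different
        # peer than the inside host talked to, means there is no mapping -> drop.
        flow = self.table.get(pkt["dport"])
        if flow is None or (pkt["src"], pkt["sport"]) != (flow[2], flow[3]):
            return None
        return dict(pkt, dst=flow[0], dport=flow[1])

def inside_interface(acl, nat, pkt):
    """Inside-interface pipeline: the ACL bound to the interface decides, then NAPT rewrites."""
    return nat.outbound(pkt) if acl_lookup(acl, pkt) == "permit" else None

# Constructed sample config: inside net from the slides; alias and web server addresses made up
INSIDE_ACL = [ACE("permit", "tcp", "192.168.1.0/24", "any", 80), ACE("deny", "ip", "any", "any")]
WEB = {"proto": "tcp", "src": "192.168.1.1", "sport": 40000, "dst": "203.0.113.10", "dport": 80}
```

Running `inside_interface(INSIDE_ACL, NAPT("198.51.100.1"), WEB)` yields the packet with source 198.51.100.1:1024; a second inside host to the same server shares the alias address but gets port 1025.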