Slide 1: CS155 – Firewalls
Simon Cooper <[email protected]>
22 May 2003

Slide 2: Why Firewalls?
- Need for the exchange of information: education, business, recreation, social and political
- Need to do something useful with your computer
- Drawbacks: unsolicited attention and bugs

Slide 3: Why Firewalls?
- There are a lot of people on the Internet
- Millions of people together -> bad things happen
- True for cities; it is true for the Internet
- With the Internet...
  - Everyone is in your backyard!
  - You can be scoped out at any time from anywhere
  - The community discourages neighborhood-watch-like activities (a hot potato!)

Slide 4: Bugs, Bugs, Bugs
- All programs contain bugs
- Larger programs contain more bugs!
- Network protocols contain:
  - Design weaknesses (SSH CRC)
  - Implementation flaws (SSL, NTP, FTP, SMTP...)
- Careful (defensive) programming & protocol design is hard

Slide 5: What is a Firewall?
- Literally? Prevents fire from spreading!
- The Castle & Moat Analogy
  - Restricts access from the outside
  - Prevents attackers from getting too close
  - Restricts people from leaving <- Important!!

Slide 6: What is a Firewall?
- Logically: a separator, a restrictor and an analyzer
- Rarely a single physical object!
- Practically: any place where internal and external data can meet

Slide 7: Where do you put a Firewall?
- Between insecure systems & the Internet
- To separate test or lab networks
- For networks with more sensitive data:
  - Financial records
  - Student grades
  - Secret projects
- Partner or joint venture networks

Slide 8: Firewall Design & Architecture Issues
- Least privilege
- Defense in depth (very important)
- Choke point
- Weakest links
- Fail-safe stance
- Universal participation
- Diversity of defense
- Simplicity

Slide 9: Firewall Architectures
- Using a Screening Router to do Packet Filtering

Slide 10: Packet Filtering: IPv4 Packet Header

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

http://www.faqs.org/rfcs/rfc760.html

Slide 11: Packet Filtering: UDP Packets

     0      7 8     15 16    23 24    31
    +--------+--------+--------+--------+
    |     Source      |   Destination   |
    |      Port       |      Port       |
    +--------+--------+--------+--------+
    |                 |                 |
    |     Length      |    Checksum     |
    +--------+--------+--------+--------+
    |
    |          data octets ...
    +---------------- ...

    User Datagram Header Format

http://www.faqs.org/rfcs/rfc768.html

Slide 12: Packet Filtering: TCP packet structure

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|E|R|S|F|                               |
    | Offset| Reserved  |R|C|O|S|Y|I|            Window             |
    |       |           |G|K|L|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    TCP Header Format

http://www.faqs.org/rfcs/rfc761.html

Slide 13: Packet Filtering: IPv6 Packet Header

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version| Prio. |                   Flow Label                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Payload Length        |  Next Header  |   Hop Limit   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    +                                                               +
    |                                                               |
    +                         Source Address                        +
    |                                                               |
    +                                                               +
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    +                                                               +
    |                                                               |
    +                      Destination Address                      +
    |                                                               |
    +                                                               +
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

http://www.faqs.org/rfcs/rfc1883.html

Slide 14: Packet Filtering: Summary
- IP Source Address
- IP Destination Address
- Protocol/Next Header (TCP, UDP, ICMP, etc.)
- TCP or UDP source & destination ports
- TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
- ICMP message type
- Packet size
- Fragmentation

Slide 15: Router Knowledge
- Interface a packet arrives on
- Interface a packet will go out
- Is the packet in response to another one?
- How many packets have been seen recently?
- Is the packet a duplicate?
- Is the packet an IP fragment?

Slide 16: Filtering Example: Inbound SMTP

Slide 17: Filtering Example: Outbound SMTP

Slide 18: Stateful or Dynamic Packet Filtering

Slide 19: Network Address Translation (NAT)
- Port & Address Translation (PAT)

Slide 20: Normal Fragmentation

Slide 21: Abnormal Fragmentation

Slide 22: Firewall Architectures
- Screened Host Architecture

Slide 23: Bastion Host
- A secured system (it will interact with / accept data from the Internet)
- Disable all non-required services; keep it simple
- Install/modify the services you want
- Run a security audit to establish a baseline
- Connect the system to the network <- important
- Be prepared for the system to be compromised

Slide 24: Firewall Architectures
- Screened Subnet
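An added example, not from the slides: a screening-router policy for the inbound SMTP case, written in Python. It pulls the fields of the Packet Filtering summary (addresses, protocol, ports, TCP flags, fragmentation) out of raw IPv4/TCP bytes, permits external high-port clients to reach the internal mail server on port 25, permits the server's replies only when ACK is set, and drops non-first fragments (whose ports it cannot see) in line with the fail-safe stance. The 10.0.0.0/8 internal network, the addresses and the packets are constructed assumptions for this example.

```python
import struct
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal network (constructed for this example)
TCP, SMTP, ACK, SYN = 6, 25, 0x10, 0x02

def parse_ipv4_tcp(pkt):
    """Extract the header fields a screening router filters on from raw bytes."""
    ver_ihl, _tos, total, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    p = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
         "size": total, "frag_offset": flags_frag & 0x1FFF,
         "more_fragments": bool(flags_frag & 0x2000),
         "sport": None, "dport": None, "tcp_flags": None}
    # Only the first fragment (offset 0) carries the TCP header with ports and flags.
    if proto == TCP and p["frag_offset"] == 0 and len(pkt) >= ihl + 14:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        p["sport"], p["dport"], p["tcp_flags"] = sport, dport, off_flags & 0x3F
    return p

def direction(p):
    inside = (p["src"] in INTERNAL, p["dst"] in INTERNAL)
    return {(False, True): "in", (True, False): "out"}.get(inside, "other")

def inbound_smtp_decision(pkt):
    """Screening-router rules for inbound SMTP to an internal mail server; first match wins."""
    p = parse_ipv4_tcp(pkt)
    if p["frag_offset"] != 0:        # ports are invisible in later fragments: fail safe, drop
        return "deny: non-first fragment"
    if p["proto"] != TCP:
        return "deny: not TCP"
    if p["sport"] is None:           # truncated TCP header: fail safe, drop
        return "deny: truncated TCP header"
    d = direction(p)
    if d == "in" and p["dport"] == SMTP and p["sport"] > 1023:
        return "permit: external client to mail server"
    # Replies must carry ACK: a SYN-only packet from source port 25 would be a new
    # connection opened from inside, which this rule refuses.
    if d == "out" and p["sport"] == SMTP and p["dport"] > 1023 and p["tcp_flags"] & ACK:
        return "permit: mail server reply (ACK set)"
    return "deny: default"

def build_packet(src, dst, sport, dport, flags, frag_offset=0):
    """Constructed IPv4+TCP sample packet for testing (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_offset, 64, TCP, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp
```

A stateful filter (slide 18) would replace the ACK-bit heuristic in the reply rule with a lookup of the connection the packet belongs to.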