Rutgers University CS 417 - Firewalls and VPNs

CS 417: Distributed Systems 12/3/2012 © 2011 Paul Krzyzanowski

Distributed Systems
22. Firewalls & VPNs
Paul Krzyzanowski

inetd
Most UNIX systems ran a large number of TCP services as dæmons
– e.g., rlogin, rsh, telnet, ftp, finger, talk, …
Later, one process, inetd, was created to listen on a set of ports and spawn the service on demand
– passes the accepted socket to the service as its standard in/standard out file descriptors
– servers don't run unless they are in use

TCP wrappers (tcpd)
• Wrapper program that inetd runs in place of the real server: tcpd checks the client, logs the request, then execs the service
• Restrict access to TCP services
– Allow only specified machines to use authorized services
– Monitor and log requests
• Specify rules in two files: /etc/hosts.allow and /etc/hosts.deny
– access decision, in this order:
• grant access if service:client matches an entry in /etc/hosts.allow
• deny access if service:client matches an entry in /etc/hosts.deny
• otherwise allow access (the default is open, so a hosts.deny without a catch-all entry leaves every unlisted service reachable)
• support for booby traps (honeypots)

Defending the network

Firewalls
Isolate a trusted domain of machines from the rest of the untrusted world
– move all machines into a private network
– disconnect all other systems
– untrusted users not allowed
Not acceptable: we want to be connected
Solution: protect the junction between a trusted internal network of computers and an external network with a firewall

Firewall
• First line of defense
– Protect the WAN-LAN boundary
• Also: protect communications within internal LANs
– Ensure that employees do not access LANs/services that they are not allowed to

Firewalls
Two major approaches to building firewalls:
– packet filtering
– proxies

Packet filtering
• Selective routing of packets
– Between internal and external hosts
• By routers, kernel modules, or firewall software
• Allow or block certain types of packets
Screening router
– determines the route and decides whether the packet should be routed at all

Packet filtering: screening router
Filter by
– IP source address, IP destination address
– TCP/UDP source port, TCP/UDP destination port
– Protocol (TCP, UDP, ICMP, …)
– ICMP message type
– interface the packet arrives on
– destination interface
Allow or block packets based on any/all of these fields
– Block any connections from certain systems
– Disallow access to "dangerous services"
[figure: IP packet, showing the header fields used for filtering and the data]

Packet filtering: stateless inspection
– filter maintains no state
– each packet is examined on its own

Packet filtering: stateful inspection
– keep track of TCP connections (SYN, SYN/ACK packets: has a TCP connection been established?)
– e.g., drop rogue packets that belong to no established connection
– "related" ports: allow data ports to be opened for FTP sessions
– Port triggering (an outbound connection on one port triggers access on another port to be redirected to the originating system)
• Generally used with NAT (Network Address Translation)
– Limit the rate of SYN packets
• mitigate SYN flood attacks
– Other application-specific filtering
• Drop connections based on pattern matching
• Rewrite port numbers in the data stream

Packet filtering: limits
Screening router
– allows/denies access to a service
– cannot protect operations within a service

Packet filtering: rules
Rules are evaluated in order: the first matching rule decides the packet's fate, and a packet that does not match a rule passes to the next rule. The last rule is the default.

Rule                                                            | Action | Meaning
Src addr=42.15.0.0/16, dest port=*                              | Reject | Reject everything from 42.15.*.*
Src addr=192.168.1.0/24, dest port=25                           | Accept | Accept email (port 25) requests from 192.168.1.*
Src addr=192.168.1.0/24, dest port=*                            | Reject | Reject all other requests from 192.168.1.*
Src addr=128.6.0.0/16, Dest addr=192.168.2.3, dest port=22      | Accept | Accept ssh (port 22) requests from 128.6.*.* to 192.168.2.3
Dest addr=192.168.2.2, dest port=80                             | Accept | Accept web (port 80) requests to a server at 192.168.2.2
*                                                               | Reject | Reject everything else

Note that order matters: a web request from 192.168.1.* is rejected by the third rule before the web rule is ever reached.

Proxy services
• Application or server programs that run on the firewall host
– dual-homed host
– bastion host
• Take requests for services and forward them to the actual services
• Provide replacement connections and act as gateway services
• Application-level gateway: stateful inspection and protocol validation

Proxy services
Proxies are effective in environments where direct communication between internal and external hosts is restricted
– dual-homed machines and packet filtering

Proxy example
Checkpoint Software Technologies' firewall mail proxy:
– mail address translation: rewrite From:
– redirect To:
– drop mail from a given address
– strip certain MIME attachments
– strip Received: information on outbound mail
– drop mail above a given size
– perform anti-virus checks on attachments
Does not allow outsiders a direct connection to a local mailer

Dual-homed host architecture
• Built around a dual-homed host computer (one interface on the Internet, one on the internal network)
• Disable the ability to route between the two networks
– packets from the Internet are not routed directly to the internal network
– services provided by proxy
– users log into the dual-homed host to access the Internet
– user accounts on the dual-homed host present security problems
[figure: Internet – dual-homed host – internal network with internal machines]

Screened host architecture
• Provides services from a host (the bastion host) attached to the internal network
• Security provided by packet filtering on the screening router
– only certain operations allowed (e.g. deliver email)
– outside connections can only go to the bastion host
• allow internal hosts to originate connections over the Internet
• if the bastion host is compromised…
[figure: Internet – screening router – internal network with internal machines and bastion host]

Screened subnet architecture
Add an extra level of isolation for the internal network
– Place any externally visible machines on a separate perimeter network (DMZ)
[figure: Internet – exterior router – DMZ network (bastion hosts, externally-visible services) – interior router – internal network (internal machines)]

Screened subnet architecture
Exterior router (access router)
– protects the DMZ and the internal network from the Internet
– generally allows anything outbound … that you need
– blocks incoming packets from the Internet that carry forged source addresses
– allows incoming traffic only for bastion hosts/services
Interior router (choke router)
– protects the internal network from the Internet and from the DMZ
– does most of the packet filtering for the firewall
– allows selected outbound services from the internal network
– limits the services permitted between the bastion host and the internal network
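The TCP-wrappers decision order above (hosts.allow, then hosts.deny, then allow) is easy to get wrong in practice because the last step is fail-open. The following is an added example, not code from the lecture or from the tcpd distribution: it models the decision for a (service, client) pair using constructed hosts.allow/hosts.deny contents and a subset of tcpd's client-pattern syntax (ALL, exact host or address, leading-dot domain suffix, trailing-dot address prefix, net/mask). All hostnames, addresses and service names are made up for the illustration.

```python
"""Added example (not from the slides or tcpd): the TCP-wrappers access decision.

Models how tcpd consults /etc/hosts.allow and /etc/hosts.deny.  The two file
bodies below are constructed for illustration, and the pattern matcher covers
only a subset of the real tcpd syntax (no EXCEPT, KNOWN, PARANOID, or options).
"""
import ipaddress

# Constructed sample files (assumptions, not real system configuration).
HOSTS_ALLOW = """
# service : client list
sshd: 192.168.1.0/255.255.255.0, .corp.example
in.ftpd: 128.6.
"""

HOSTS_DENY = """
in.fingerd: ALL
"""

# The deny-by-default hosts.deny every tcpd deployment should end with.
HOSTS_DENY_STRICT = "ALL: ALL\n"


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns), ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, host, addr):
    """tcpd-style client pattern match (subset of the real syntax)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".corp.example": domain-name suffix
        return host.endswith(pattern)
    if pattern.endswith("."):            # "128.6.": dotted address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                   # "net/mask": address within a network
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern in (host, addr)       # exact host name or address


def daemon_matches(pattern, service):
    return pattern == "ALL" or pattern == service


def matches(rules, service, host, addr):
    """True if any rule names both this service and this client."""
    return any(any(daemon_matches(d, service) for d in ds)
               and any(client_matches(c, host, addr) for c in cs)
               for ds, cs in rules)


def tcpd_allows(service, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The decision order from the slide: hosts.allow, then hosts.deny, then allow."""
    if matches(parse_rules(allow_text), service, host, addr):
        return True
    if matches(parse_rules(deny_text), service, host, addr):
        return False
    return True   # fail-open default: a pair listed in neither file is granted access


if __name__ == "__main__":
    # An unlisted service from an unlisted host slips through the sample hosts.deny ...
    print(tcpd_allows("in.telnetd", "bob.example", "10.0.0.5"))
    # ... but not once hosts.deny ends with "ALL: ALL".
    print(tcpd_allows("in.telnetd", "bob.example", "10.0.0.5", deny_text=HOSTS_DENY_STRICT))
```

With the sample files, sshd from 192.168.1.7 and ftp from 128.6.x.x are allowed by hosts.allow and finger is denied everywhere, but telnet or ssh from an arbitrary host is also allowed, because nothing mentions it and the default is open. Swapping in the strict hosts.deny turns the policy into "only what hosts.allow lists", which is the configuration a practitioner actually wants.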

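The packet-filtering rule table and the stateless/stateful distinction above can be made concrete with a small filter. The following is an added example, not code from the lecture: it evaluates the slide's rule table first-match, then layers connection tracking on top so that a TCP packet is accepted only if it opened (with a SYN that the rules permit) or belongs to a tracked connection. The addresses are the slide's; the packets fed in are constructed, and the flag handling is a simplified model of the TCP handshake (no sequence-number checking, no half-close).

```python
"""Added example (not from the slides): first-match packet filtering with the
lecture's rule table, plus stateful inspection that tracks TCP connections."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class Rule:
    action: str                        # "accept" or "reject"
    src: Optional[str] = None          # CIDR, or None for "any"
    dst: Optional[str] = None
    dport: Optional[int] = None        # None for "any port"

    def matches(self, p):
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# The slide's rule table, in evaluation order; the last entry is the default.
RULES = [
    Rule("reject", src="42.15.0.0/16"),
    Rule("accept", src="192.168.1.0/24", dport=25),
    Rule("reject", src="192.168.1.0/24"),
    Rule("accept", src="128.6.0.0/16", dst="192.168.2.3/32", dport=22),
    Rule("accept", dst="192.168.2.2/32", dport=80),
    Rule("reject"),
]


def stateless_filter(p, rules=RULES):
    """Stateless inspection: each packet is judged on its own; first match wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "reject"


class StatefulFilter:
    """Stateful inspection: only a SYN that passes the rules may open a connection;
    every later TCP packet is accepted only if it belongs to a tracked connection."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = {}      # connection key -> "SYN_SENT" or "ESTABLISHED"

    @staticmethod
    def key(p):
        # Both directions of one connection map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p):
        if p.proto != "tcp":
            return stateless_filter(p, self.rules)
        k = self.key(p)
        state = self.conns.get(k)
        if p.flags == {"SYN"}:
            # New connection attempt: this is where the rule table applies.
            verdict = stateless_filter(p, self.rules)
            if verdict == "accept":
                self.conns[k] = "SYN_SENT"
            return verdict
        if state is None:
            return "reject"             # rogue packet: no connection was established
        if p.flags == {"SYN", "ACK"} and state == "SYN_SENT":
            self.conns[k] = "ESTABLISHED"   # the reply direction needs no rule of its own
            return "accept"
        if "RST" in p.flags or "FIN" in p.flags:
            self.conns.pop(k, None)     # connection torn down; forget it
            return "accept"
        return "accept" if state == "ESTABLISHED" else "reject"
```

Two things the stateless table alone cannot do show up immediately. The SYN/ACK from 192.168.2.3:22 back to the 128.6.x.x client matches no accept rule and would be rejected by the table, yet the stateful filter lets it through because the SYN was tracked. Conversely a bare ACK from 128.6.9.9 to 192.168.2.3:22 satisfies the ssh rule and passes the stateless filter, but the stateful filter rejects it because no handshake ever took place.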

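The division of labour between the exterior (access) router and the interior (choke) router in the screened subnet architecture is easiest to see as two ordered rule lists. The following is an added example, not code from the lecture: each router is a first-match list of (description, predicate, action) keyed on the interface a packet arrives on, and constructed packets check the anti-spoofing rule, the "only bastion services from the Internet" rule, and the limit on what a (possibly compromised) bastion may do toward the inside. The networks, interface names, bastion address, internal mail server and the set of bastion services are all assumptions for the illustration; replies are not modelled, so a real deployment would add connection tracking on top.

```python
"""Added example (not from the slides): exterior and interior router policies
of a screened-subnet firewall as first-match rule lists."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the illustration (documentation/private ranges).
DMZ = ipaddress.ip_network("203.0.113.0/24")       # perimeter network
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # internal network
BASTION = ipaddress.ip_address("203.0.113.10")     # bastion host in the DMZ
INTERNAL_MAIL = "192.168.5.25"                     # internal mail server
BASTION_SERVICES = {25, 80}                        # services the bastion exposes


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "inet", "dmz" or "int"
    src: str
    dst: str
    dport: int = 0


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


# Exterior (access) router: interfaces "inet" and "dmz".
EXTERIOR = [
    # Anti-spoofing: a packet from the Internet must not claim one of our own addresses.
    ("drop forged DMZ/internal source arriving from the Internet",
     lambda p: p.iface == "inet" and (in_net(p.src, DMZ) or in_net(p.src, INTERNAL)),
     "reject"),
    # Outbound traffic from the DMZ side (DMZ hosts and forwarded internal traffic).
    ("allow anything outbound", lambda p: p.iface == "dmz", "accept"),
    # Inbound from the Internet only to the bastion's published services.
    ("Internet may reach only bastion services",
     lambda p: p.iface == "inet" and ipaddress.ip_address(p.dst) == BASTION
     and p.dport in BASTION_SERVICES,
     "accept"),
    ("default", lambda p: True, "reject"),
]

# Interior (choke) router: interfaces "dmz" and "int".
INTERIOR = [
    ("internal hosts may originate outbound connections", lambda p: p.iface == "int", "accept"),
    # The only thing the DMZ may do toward the inside: the bastion delivering mail.
    ("bastion may deliver mail to the internal mail server",
     lambda p: p.iface == "dmz" and ipaddress.ip_address(p.src) == BASTION
     and p.dst == INTERNAL_MAIL and p.dport == 25,
     "accept"),
    ("default", lambda p: True, "reject"),
]


def decide(rules, p):
    """First-match evaluation; returns (action, description of the deciding rule)."""
    for desc, pred, action in rules:
        if pred(p):
            return action, desc
    return "reject", "no rule"


def internet_to_internal(src, dst, dport):
    """A packet from the Internet aimed past the DMZ must pass both routers."""
    first, _ = decide(EXTERIOR, Packet("inet", src, dst, dport))
    if first != "accept":
        return "reject"
    second, _ = decide(INTERIOR, Packet("dmz", src, dst, dport))
    return second


if __name__ == "__main__":
    for p in (Packet("inet", "192.168.1.4", "203.0.113.10", 25),   # spoofed internal source
              Packet("inet", "198.51.100.7", "203.0.113.10", 25),  # mail to the bastion
              Packet("inet", "198.51.100.7", "203.0.113.10", 22)): # ssh to the bastion
        print(p, decide(EXTERIOR, p))
```

The defence in depth is visible in the last function: a packet from the Internet addressed to the internal mail server is stopped by the exterior router (it is not the bastion), and even a packet the exterior router forwards is stopped by the interior router unless it is the bastion delivering mail. An attacker who takes over the bastion gets port 25 to one internal host and nothing else.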