HI1023 - Nätverkssäkerhet (Network Security), basic course
KTH STH
Outline of Lecture 2
- Firewall characteristics
- NAT (Network Address Translation)
- Port forwarding
- Types of firewalls
- Firewall configuration
- Trusted systems
Micael Lundvall
Firewall Characteristics
All traffic between the inside and the outside must pass through the firewall. Only authorized traffic, as defined by the local security policy, is allowed to pass. The firewall itself must be immune to penetration, which is why it runs on a hardened platform (see the bastion host later in the lecture).
[Figure: a firewall placed between the internal network and the Internet]
[Figure: example network: Internet; router with external address ip_ext 194.1.1.1/32; DMZ hosts websrv and dmz-proz; internal hosts int-sql, int-proc and int-mail]
Static NAT
Static NAT: an unregistered (private) IP address is mapped to a registered (public) IP address on a one-to-one basis. The mapping is fixed, so it is particularly useful when a device on the inside needs to be reachable from outside the network.
[Figure: static NAT: inside host 10.0.0.1 mapped one-to-one to the registered address 132.168.27.32 towards the Internet]
Dynamic NAT
Dynamic NAT: an unregistered IP address is mapped to a registered IP address taken from a pool of registered IP addresses. The mapping is created when the inside host starts sending and exists only while it is in use, so an inside host cannot be reached from outside until it has first sent something, and no host can be translated once the pool is exhausted.
[Figure: dynamic NAT: inside hosts 10.0.0.1, 10.0.0.13, 10.0.0.14 and 10.0.0.15 translated to the registered address 132.168.27.32 towards the Internet]
Overlapping
Overlapping: the IP addresses used on the internal network are registered IP addresses that are in use on another network. The NAT device must then translate in both directions, so that inside hosts can still reach the outside network that legitimately owns those addresses.
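The NAT mechanisms above, worked through as an added example that is not part of the lecture slides. It implements static NAT, dynamic NAT from a pool, and (from the lecture outline, which has no slide of its own) port forwarding, with a translation table that is consulted in both directions. The public addresses 132.168.27.33-35, the pool, the forwarding entry and every packet are constructed for the demonstration; a packet is a tuple (src_ip, src_port, dst_ip, dst_port).

```python
# Added example (not part of the lecture): a small NAT table implementing
# static NAT, dynamic (pooled) NAT and port forwarding.  The registered
# addresses 132.168.27.33-35, the pool and every packet below are constructed.
# A packet is a tuple (src_ip, src_port, dst_ip, dst_port).


class NatTable:
    def __init__(self, public_ip, static=None, pool=(), forwards=None):
        self.public_ip = public_ip               # the router's own registered address
        self.static = dict(static or {})         # inside ip -> registered ip, fixed 1:1
        self.static_rev = {o: i for i, o in self.static.items()}
        self.free = list(pool)                   # registered addresses not in use
        self.dynamic = {}                        # inside ip -> registered ip, on demand
        self.dynamic_rev = {}
        self.forwards = dict(forwards or {})     # public port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Translate a packet leaving the inside network, or return None if it
        cannot be translated (dynamic pool exhausted)."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if src_ip in self.static:
            return (self.static[src_ip], src_port, dst_ip, dst_port)
        if src_ip not in self.dynamic:
            if not self.free:
                return None                      # no registered address left
            pub = self.free.pop(0)
            self.dynamic[src_ip] = pub
            self.dynamic_rev[pub] = src_ip
        return (self.dynamic[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet, or return None if no
        mapping exists (the inside host is not reachable)."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip in self.static_rev:            # static: reachable at any time
            return (src_ip, src_port, self.static_rev[dst_ip], dst_port)
        if dst_ip in self.dynamic_rev:           # dynamic: only while the mapping lives
            return (src_ip, src_port, self.dynamic_rev[dst_ip], dst_port)
        if dst_ip == self.public_ip and dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[dst_port]   # port forwarding
            return (src_ip, src_port, inside_ip, inside_port)
        return None

    def release(self, inside_ip):
        """Drop a dynamic mapping (idle timeout) and return its address to the pool."""
        pub = self.dynamic.pop(inside_ip, None)
        if pub is not None:
            del self.dynamic_rev[pub]
            self.free.append(pub)


def demo():
    nat = NatTable("132.168.27.32",
                   static={"10.0.0.1": "132.168.27.33"},
                   pool=["132.168.27.34", "132.168.27.35"],
                   forwards={443: ("10.0.0.20", 8443)})
    r = {}
    r["static_out"] = nat.outbound(("10.0.0.1", 40000, "198.51.100.7", 80))
    # static mapping: an outside host may open a connection to 10.0.0.1 at any time
    r["static_in"] = nat.inbound(("198.51.100.7", 5555, "132.168.27.33", 25))
    r["dyn13"] = nat.outbound(("10.0.0.13", 40001, "198.51.100.7", 80))
    r["dyn14"] = nat.outbound(("10.0.0.14", 40002, "198.51.100.7", 80))
    r["dyn15"] = nat.outbound(("10.0.0.15", 40003, "198.51.100.7", 80))   # pool exhausted
    r["reply13"] = nat.inbound(("198.51.100.7", 80, "132.168.27.34", 40001))
    nat.release("10.0.0.13")                       # mapping times out
    r["after_release"] = nat.inbound(("198.51.100.7", 80, "132.168.27.34", 40001))
    r["dyn15_retry"] = nat.outbound(("10.0.0.15", 40003, "198.51.100.7", 80))
    r["forward"] = nat.inbound(("198.51.100.7", 6000, "132.168.27.32", 443))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The two inbound cases show the practical difference: the static mapping for 10.0.0.1 answers an unsolicited connection to port 25, while the dynamic mapping for 10.0.0.13 only exists between its first outbound packet and the release, after which the same reply is dropped and the freed address is handed to the next host.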
Type of firewalls
- Packet filter (PF), also referred to as static or stateless packet filter
- Stateful inspection, also referred to as dynamic packet filter
- Circuit-level gateway (CLG)
- Application-level gateway (ALG)
The two gateway types are proxy firewalls and are also referred to as proxy servers.
Packet Filter
A packet filter works on the network-layer packet, which encapsulates the headers of the layers above it (IP header, TCP header, application data), and decides on each packet from those header fields alone. No information is kept about packets that have been checked previously.
[Figure: IP header (source and destination address) | TCP header (source and destination port) | application data; the IP-layer and TCP-layer fields are what the filter matches on]
Filtering rules
The rules are kept in a filter table or list, the Access Control List (ACL). Rules are processed top-down: as soon as a rule matches, the action associated with that rule is performed and processing stops.
Action  Source   Src port  Dst      Dst port  Flags
Allow   Our net  >1023     *        80        *
Allow   *        80        Our net  >1023     ACK
Deny    *        *         *        *         *
The first rule lets hosts on our net open HTTP connections to anywhere; the second lets the replies back in, relying on the ACK flag; the last rule is the default deny for everything else.
TCP connection
TCP can distinguish a packet that is about to open a connection from a packet that is part of an existing connection: the opening segment has SYN set and ACK clear, while every later segment has ACK set. A stateless filter uses this flag to let replies in without letting outsiders open connections.
[Figure: opening a connection: client port >1023 → server port 80; existing connection: client port >1023 ↔ server port 80]
Fragmentation
Sometimes IP packets arrive fragmented: the original packet may have been too large for a link on the path. Fragmented packets are a problem for stateless filtering, because not all fragments contain the TCP header; only the first fragment (offset 0) does, and the rest carry just an IP header and data.
[Figure: 1. Packet sent as IP | TCP | data. On the way it is split into the fragments IP1 | TCP | data and IP2 | data; only the first fragment carries the TCP header. 3. Packet received and reassembled at the destination IP.]
UDP
UDP headers do not hold enough information for effective stateless filtering. There are no flags, so an incoming datagram may be either a new request or the response to a previous outgoing datagram, and the filter cannot tell which.
[Figure: DNS over UDP: client port >1023 → server port 53, reply from port 53 → client port >1023; a new inbound datagram from port 53 to a port >1023 looks exactly like the reply]
Stateful Inspection
Src port  Dst addr       Dst port  Connection
1054      210.9.88.23    80        Established
1055      216.32.42.12   80        Established
1056      173.32.42.89   25        Established
Entries are created for TCP connections or UDP streams whose opening packet passes the rules in the ACL. Later packets belonging to these sessions are permitted without a further ACL check, and packets that belong to no known session and do not open one are dropped.
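The filtering-rules ACL and the state table above, worked through as an added example that is not part of the lecture slides. The same three-rule ACL is first evaluated by a stateless filter, then by a stateful filter that only consults the ACL for connection-opening packets and keeps a state table for the rest. "Our net" is assumed to be 10.0.0.0/8; the packets, including a forged probe from source port 80 with ACK set, are constructed.

```python
# Added example (not part of the lecture): the three-rule ACL from the
# filtering-rules slide, evaluated by a stateless packet filter and then by a
# stateful filter with a state table.  "Our net" is assumed to be 10.0.0.0/8;
# the packets are constructed.
import ipaddress

OUR_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed value of "Our net"

# (action, source, src port, destination, dst port, flags); top-down, first match wins
ACL = [
    ("allow", "our net", ">1023", "*", 80, "*"),
    ("allow", "*", 80, "our net", ">1023", "ACK"),
    ("deny", "*", "*", "*", "*", "*"),
]


def _addr_match(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in OUR_NET


def _port_match(pattern, port):
    if pattern == "*":
        return True
    if pattern == ">1023":
        return port > 1023
    return port == pattern


def _flags_match(pattern, flags):
    return pattern == "*" or pattern in flags


def acl_decision(pkt):
    """Stateless filter: match the packet's header fields against the ACL."""
    for action, src, sport, dst, dport, flags in ACL:
        if (_addr_match(src, pkt["src"]) and _port_match(sport, pkt["sport"])
                and _addr_match(dst, pkt["dst"]) and _port_match(dport, pkt["dport"])
                and _flags_match(flags, pkt["flags"])):
            return action
    return "deny"                                # implicit default if no rule matched


class StatefulFilter:
    """Stateful inspection: only connection-opening packets consult the ACL; a
    passing one creates a state-table entry that admits the rest of the session."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> "established"

    def decide(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.table or reverse in self.table:
            return "allow"                       # known session, no ACL check
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            action = acl_decision(pkt)           # a new connection: apply the ACL
            if action == "allow":
                self.table[key] = "established"
            return action
        return "deny"                            # mid-connection packet with no state


def demo():
    client_syn = dict(src="10.0.0.5", sport=1054, dst="210.9.88.23", dport=80, flags={"SYN"})
    server_synack = dict(src="210.9.88.23", sport=80, dst="10.0.0.5", dport=1054, flags={"SYN", "ACK"})
    # an outsider forges source port 80 and sets ACK to reach an inside service on a high port
    ack_probe = dict(src="198.51.100.9", sport=80, dst="10.0.0.5", dport=8080, flags={"ACK"})
    packets = (client_syn, server_synack, ack_probe)
    stateless = [acl_decision(p) for p in packets]
    sf = StatefulFilter()
    stateful = [sf.decide(p) for p in packets]
    return stateless, stateful, sf.table


if __name__ == "__main__":
    stateless, stateful, table = demo()
    print("stateless:", stateless)   # the forged ACK probe slips through rule 2
    print("stateful: ", stateful)    # no state entry, so the probe is dropped
    print("state table:", table)
```

The third packet is the point of the comparison: rule 2 of the stateless ACL admits any packet that claims source port 80 and carries ACK, whatever host it comes from and whichever high port it targets, which is exactly what an ACK scan or a forged reply exploits. The stateful filter never reaches the ACL for that packet, because there is no state entry for the session it pretends to belong to.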
Fragmentation
Fragments are reassembled for inspection, so the filter can apply its rules to the complete packet. Unexpected fragments (ones that never complete a packet, or that do not fit the packet being reassembled) can be detected and dropped by the filter.
[Figure: 1. A denial-of-service attack floods the network with fragments (Fragment 1, Fragment 2, ..., Fragment n); the router does no filtering on fragments. 2. The stateful filter inspects the fragments and attempts to reassemble them into a packet; if reassembly fails, the fragments are denied and never reach the internal network.]
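The two fragmentation slides, worked through as an added example that is not part of the lecture. It shows why a stateless port rule only applies to the first fragment, and how a reassembling filter holds fragments until a packet is complete, denies sets that never complete (orphan fragments on timeout, a flood of fragments that exceed a limit) and denies overlapping fragments that disagree. The fragment model (ident, offset, more-fragments flag, data), the 4-byte port header and all packets are constructed for the demonstration.

```python
# Added example (not part of the lecture): fragments versus a stateless port
# rule, and a reassembling (stateful) filter.  A fragment is modelled as
# (ident, offset, more_fragments, data); the first 4 bytes of the full payload
# are the TCP source and destination ports.  Everything here is constructed.
import struct


def fragment(ident, payload, mtu):
    """Split payload into fragments of at most mtu bytes.  Only the first
    fragment (offset 0) carries the transport header."""
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        frags.append((ident, off, off + mtu < len(payload), chunk))
    return frags


def stateless_decision(frag, blocked_port):
    """A stateless filter can apply a port rule only to the first fragment."""
    ident, off, more, chunk = frag
    if off == 0:
        if len(chunk) < 4:
            return "deny"                 # tiny first fragment without the full ports
        sport, dport = struct.unpack("!HH", chunk[:4])
        return "deny" if dport == blocked_port else "allow"
    return "allow"                        # no TCP header here: nothing to match on


class Reassembler:
    """Stateful filter: hold fragments until the packet is complete, then decide
    on the whole packet.  Sets that cannot be completed are denied."""

    def __init__(self, blocked_port, max_fragments=64):
        self.blocked_port = blocked_port
        self.max_fragments = max_fragments
        self.pending = {}                 # ident -> {"chunks": {offset: data}, "total": n}

    def receive(self, frag):
        ident, off, more, chunk = frag
        entry = self.pending.setdefault(ident, {"chunks": {}, "total": None})
        if entry["chunks"].get(off, chunk) != chunk:
            del self.pending[ident]
            return "deny"                 # overlapping fragment with different data
        entry["chunks"][off] = chunk
        if not more:
            entry["total"] = off + len(chunk)
        if len(entry["chunks"]) > self.max_fragments:
            del self.pending[ident]
            return "deny"                 # fragment flood: give up on this packet
        return self._try_complete(ident, entry)

    def expire(self, ident):
        """Called on timeout: a packet that never completed is denied."""
        return "deny" if self.pending.pop(ident, None) is not None else "unknown"

    def _try_complete(self, ident, entry):
        if entry["total"] is None:
            return "hold"                 # last fragment not seen yet
        data = b""
        for off in sorted(entry["chunks"]):
            if off != len(data):
                return "hold"             # gap: a middle fragment is still missing
            data += entry["chunks"][off]
        if len(data) != entry["total"]:
            return "hold"
        del self.pending[ident]
        sport, dport = struct.unpack("!HH", data[:4])
        return "deny" if dport == self.blocked_port else "allow"


def demo():
    # a 16-byte packet to TCP port 23, fragmented into two 8-byte pieces
    payload = struct.pack("!HH", 40000, 23) + b"x" * 12
    frags = fragment(7, payload, 8)
    r = {}
    r["stateless"] = [stateless_decision(f, 23) for f in frags]
    r["stateless_evasion"] = [stateless_decision(f, 23) for f in frags[1:]]   # first fragment withheld
    full = Reassembler(23)
    r["reassembled"] = [full.receive(f) for f in frags]
    orphan = Reassembler(23)
    r["orphan"] = [orphan.receive(frags[1]), orphan.expire(7)]
    flood = Reassembler(23, max_fragments=3)
    r["flood"] = [flood.receive((9, i * 8, True, b"y" * 8)) for i in range(4)]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The stateless filter denies the first fragment (it sees destination port 23) but must pass the second, so a sender who simply never delivers a first fragment, or delivers it by another path, gets its data past the port rule. The reassembler holds every fragment until the whole packet is present and then applies the port rule to the real header; the orphan and flood cases show the denial on timeout and on the fragment limit.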
Firewall Builder (screenshot)
Juniper firewall (screenshot)
Circuit-Level Gateway
Hides the internal network by providing the communication endpoint for both clients and servers: the client talks to the gateway and the gateway talks to the server, so no packet crosses the firewall end to end. Normally added as a service on a well-known port number, and all connections through the firewall must be relayed through this port.
Operation of a CLG
2. The CLG connects to the destination host if the policy allows it.
3. Data is copied between the two connections.
[Figure: client 10.1.1.4 → CLG → server 123.1.2.3]
CLG Connections
Information about each connection is stored in the circuit-level gateway. Each client connection gets its own unique port number on the gateway's outgoing connection, so the gateway can distinguish the connections of all clients and return data to the right one.
Connection A: client 10.1.1.4 → CLG 10.1.1.1 port 1080
Connection B: CLG 130.1.2.1 port 4711 → server 123.1.2.3 port 80
CLG Connections
- Can be used for both incoming and outgoing connections.
- Requires special client configuration: the client must know to talk to the gateway instead of the destination.
- Can use any port number.
- SOCKS is the standard implementation of a circuit-level gateway.
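The operation of a CLG and its connection table, as an added example that is not part of the lecture: a minimal circuit-level gateway on loopback. The client connects to the gateway, names the destination in a first line (a simplified stand-in for the SOCKS request, not the SOCKS protocol itself), the gateway checks its policy, opens its own connection to the destination and from then on only copies bytes between the two connections. Its table records, per client, the gateway port used toward the server, as in Connection A and Connection B above. The policy set and the echo server that stands in for the real destination are assumptions.

```python
# Added example (not part of the lecture): a minimal circuit-level gateway on
# loopback. The policy set, the CONNECT line (a stand-in for the SOCKS request)
# and the echo server standing in for the real destination are assumptions.
import socket
import threading


def read_line(sock):
    buf = b""
    while not buf.endswith(b"\n") and (b := sock.recv(1)):   # byte-wise: swallow nothing extra
        buf += b
    return buf


def pump(src, dst):
    # copy bytes src -> dst until src closes, then half-close dst
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class CircuitGateway:
    def __init__(self, allowed):
        self.allowed = set(allowed)   # permitted (host, port) destinations
        self.connections = {}         # client (ip, port) -> (gw ip, gw port, host, port)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # the gateway's "well-known" port
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            client, caddr = self.sock.accept()
            threading.Thread(target=self._handle, args=(client, caddr), daemon=True).start()

    @staticmethod
    def _refuse(client, msg):
        client.sendall(msg)
        client.close()

    def _handle(self, client, caddr):
        # 1. the client names the destination: b"CONNECT host:port\n"
        try:
            host, port = read_line(client).decode().split()[1].rsplit(":", 1)
            port = int(port)
        except (ValueError, IndexError, UnicodeDecodeError):
            return self._refuse(client, b"ERR bad request\n")
        # 2. policy check before anything is connected on the client's behalf
        if (host, port) not in self.allowed:
            return self._refuse(client, b"ERR denied by policy\n")
        server = socket.create_connection((host, port))
        gw_ip, gw_port = server.getsockname()   # a fresh gateway port per client connection
        self.connections[caddr] = (gw_ip, gw_port, host, port)
        client.sendall(b"OK\n")
        # 3. relay both ways; the gateway never interprets the application data
        threading.Thread(target=pump, args=(client, server), daemon=True).start()
        pump(server, client)


def echo_server():
    # stand-in destination; records which peer it believes it is talking to
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    seen = {}

    def serve():
        conn, seen["peer"] = s.accept()
        pump(conn, conn)   # echo until the gateway half-closes, then half-close back
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1], seen


def demo():
    srv_port, seen = echo_server()
    gw = CircuitGateway(allowed={("127.0.0.1", srv_port)})
    a = socket.create_connection(("127.0.0.1", gw.port))   # client A: permitted destination
    a.sendall(f"CONNECT 127.0.0.1:{srv_port}\n".encode())
    status_a = read_line(a)
    a.sendall(b"hello through the circuit\n")
    echoed = read_line(a)
    entry = gw.connections[a.getsockname()]   # Connection B for this client
    a.close()
    b = socket.create_connection(("127.0.0.1", gw.port))   # client B: destination outside policy
    b.sendall(f"CONNECT 127.0.0.1:{srv_port + 1}\n".encode())
    status_b = read_line(b)
    b.close()
    return dict(status_a=status_a, echoed=echoed, status_b=status_b, srv_port=srv_port,
                server_saw=seen["peer"], table_entry=entry)
```

The server never sees the client's address: the peer it records is the gateway's own address and the per-connection port stored in the table entry, which is how the internal network stays hidden. The denied request is refused before any outbound connection is made, so the policy decision happens at the gateway and not at the destination.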
Application-Level Gateway
Acts as a relay of application-level traffic between clients and servers for specific applications. A separate ALG is required for each protocol. It does not provide the service itself: it acts as the client towards the real server.
Operation of an ALG
1. The client connects to the ALG and specifies the destination host.
2. The ALG acts as the client and makes a connection to the server, depending on its policy.
3. Data can be processed before being passed between the two connections.
[Figure: client 10.1.1.4 → ALG (inside address 10.1.1.1, outside address 130.1.2.1; transport layer; network layer with IP routing disabled, so nothing passes except through the application relay) → server 123.1.2.3]
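The request-handling step of an HTTP application-level gateway, as an added example that is not part of the lecture. Unlike the circuit-level relay it parses the application protocol: it reads the client's request, applies a policy at the HTTP level (method and destination host), rewrites the request into the one it will itself send as a client to the real server, and otherwise answers the client itself. The allowed hosts and methods and the three sample requests are assumptions.

```python
# Added example (not part of the lecture): the request-processing step of an
# HTTP application-level gateway.  Allowed hosts, allowed methods and the
# sample requests are assumptions.

ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_METHODS = {b"GET", b"HEAD"}
# headers that concern the hop between client and gateway, not the server
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer", "transfer-encoding",
              "upgrade", "proxy-connection", "proxy-authorization"}


class AlgError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


def parse_request(raw):
    """Split an HTTP/1.x request into (method, target, headers, body);
    header names are lower-cased, values kept as bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise AlgError(400, "incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise AlgError(400, "malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise AlgError(400, "malformed header")
        headers.append((name.strip().decode("ascii", "replace").lower(), value.strip()))
    return parts[0], parts[1], headers, body


def gateway_request(raw):
    """Return the request the ALG sends to the server on the client's behalf,
    or raise AlgError with the status the ALG answers to the client."""
    method, target, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise AlgError(405, "method not allowed by policy")
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        raise AlgError(400, "exactly one Host header required")
    host = hosts[0].decode("ascii", "replace")
    if host not in ALLOWED_HOSTS:
        raise AlgError(403, "destination not allowed by policy")
    if target.startswith(b"http://"):                  # proxy-style absolute target
        authority, _, path = target[7:].partition(b"/")
        if authority.decode("ascii", "replace") != host:
            raise AlgError(400, "target host does not match Host header")
        target = b"/" + path                           # origin-form for the server
    if body:
        raise AlgError(400, "body not allowed with GET/HEAD")
    out = [(n, v) for n, v in headers if n not in HOP_BY_HOP]
    out += [("via", b"1.1 alg"), ("connection", b"close")]   # the gateway is the client now
    return (method + b" " + target + b" HTTP/1.1\r\n"
            + b"".join(n.encode() + b": " + v + b"\r\n" for n, v in out) + b"\r\n")


def handle(raw):
    """(request for the server, None) or (None, response for the client)."""
    try:
        return gateway_request(raw), None
    except AlgError as e:
        return None, f"HTTP/1.1 {e.status} {e.reason}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode()


def demo():
    ok = (b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Proxy-Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n")
    post = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 3\r\n\r\nabc"
    other = b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n"
    return [handle(r) for r in (ok, post, other)]


if __name__ == "__main__":
    for to_server, to_client in demo():
        print(to_server or to_client)
```

This is what "data can be processed before being passed" means in practice: the forwarded request is rebuilt by the gateway (absolute target reduced to origin form, hop-by-hop headers dropped, a Via header added), and a request that the policy rejects never produces a connection to the server at all; the client gets an HTTP error generated by the gateway. Because the ALG host has routing disabled, this relay is the only path an HTTP request can take.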
Bastion Host
A system identified by the firewall administrator as a critical strongpoint in the network's security. Typically a platform with a hardened OS running an ALG or CLG.
Screened host firewall
From the Internet: only IP packets destined for the bastion host are allowed in. From the internal network: only packets from the bastion host are allowed out. Direct Internet access to the information server (IS) may be allowed.
[Figure: Internet → packet filter (first line of defence) → information server and bastion host → private network]
Screened subnet firewall
Both the Internet and the private network have access to the hosts on the screened subnet. The private network is hidden from the Internet. Traffic straight across the screened subnet, from the Internet to the private network or the other way, is blocked in both directions.
[Figure: Internet → packet filter (first line of defence) → screened subnet with information server and bastion host → packet filter → private network]
Trusted Systems
Defence against intruders and malicious programs:
- Data access control
- User access control
- Permissions for operations and file access
- All access rights are kept in an access matrix
- Critical operations are logged
Summary
To get a secure system you need to design a combination of different components: defence in depth. There is no standard solution that fits every company; the choice is a price/performance trade-off.