Firewall

Upload: tobias-wiggins

Post on 25-Dec-2015



References

• Computer Networking: A Top Down Approach ,Chapters 1 and 8, 4th edition. Jim Kurose, Keith Ross, Addison-Wesley, July 2007.

• Information Security: Internet Security and Digital Forensic Science (資訊安全 – 網際網路安全與數位鑑識科學). 王旭正, 高大宇 and ICCL (Information Cryptology and Construction Laboratory). 博碩文化 (DrMaster Press).


Outline

• Network Attacks

• Introduction of Firewall

• Firewall Products

Part 1: Network Attacks

Network Security (1/2)

• Attacks on Internet infrastructure
  – Infecting/attacking hosts by malware: spyware, worms, unauthorized access (data stealing, user accounts)
  – Denial of Service
    • Deny access to resources (servers, link bandwidth)
    • Distributed Denial of Service (DDoS)

Network Security (2/2)

• Internet not originally designed with (much) security in mind
  – Original vision: “a group of mutually trusting users attached to a transparent network”
  – Internet protocol designers playing “catch-up”
  – Security considerations in all layers!

• System bugs and holes

• Social engineering

Malware (1/2)

• Spyware
  – Infection by downloading web page with spyware
  – Records keystrokes, web sites visited; uploads info to collection site

• Virus
  – Infection by receiving object (e.g., e-mail attachment), actively executing it
  – Self-replicating: propagates itself to other hosts, users

• Worm
  – Infection by passively receiving object that gets itself executed
  – Self-replicating

Malware (2/2)

• Trojan horse
  – BirdSpy: made in Taiwan
  – Restore OS
  – Used for DDoS

Denial of Service (DoS)

• Attackers make resources (e.g., servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic.
  – Weak attack
  – Bandwidth overload
  – Connection overload

[Figure: attacker floods the target, e.g., with UDP packets or TCP requests]

Some Types of DoS

• Smurf attack
  – Ex: ping broadcasts (destination is 210.5.255.255)

• Mail bomb
  – SPAM

• Window system attack

• SYN flooding

• Buffer overflow
  – ping of death

Create A TCP Connection

[Figure: three-way handshake between client and server]
  Client → Server: SYN=1, Seq=2000
  Server → Client: SYN=1, ACK=1, Seq=4000, ACK#=2001, window size
  Client → Server: ACK=1, Seq=2001, ACK#=4001, data

Step 1: client host sends TCP SYN segment to server
  – specifies initial seq #
  – no data

Step 2: server host receives SYN, replies with SYNACK segment
  – server allocates buffers
  – specifies server initial seq. #

Step 3: client receives SYN/ACK, replies with ACK segment, which may contain data

Distributed DoS (DDoS)

• Attackers make resources (e.g., servers, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic.

1. select target
2. break into hosts around the network (see malware)
3. send packets toward target from compromised hosts

[Figure: compromised hosts flooding the target]

Packet Sniffing

• Promiscuous network interface reads & records all packets passing by
  – Accepts all traffic on broadcast media
  – Wireshark (Ethereal) is a packet-sniffer!
  – Sniff, modify, delete your packets

[Figure: C sniffs the packet “src:B dest:A payload” sent from Bob to Alice on shared media]

IP Spoofing

• Send packet with false source address

• Requires end-point authentication

[Figure: C sends A a packet “src:B dest:A payload” forged to look as if it came from B]

Masquerade as you (1/2)

• Record-and-playback
  – Sniff sensitive information (e.g., password), and use it later.

[Figure: C records the packet “src:B dest:A user: B; password: foo” sent from B to A]

Masquerade as you (2/2)

• Password holder is that user from the system’s point of view

• Man-in-the-middle attack

[Figure: later, C replays “src:B dest:A user: B; password: foo” to A, posing as B]

How to Provide Security?

• More throughout this course

• Cryptographic techniques: obvious uses and not so obvious uses

• Firewall

Part 2: Introduction of Firewall

Firewalls

[Figure: administered network – firewall – public Internet]

• To isolate organization’s internal network from Internet, allowing some packets to pass, blocking others.

Comparison of Firewall & Router

• Router: all packets are forwarded through the IP layer.

• Firewall: does not forward any packets; packets sent to the firewall are only processed inside the firewall.

Goals of Firewalls

• Prevent denial of service attacks
  – SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections

• Prevent illegal modification/access of internal data.
  – E.g., attacker replaces Central Intelligence Agency’s homepage with something else

• Allow only authorized access to inside network (set of authenticated users/hosts)

Types of Firewalls

• Three types of firewalls:
  – Stateless packet filters
  – Stateful packet filters
  – Application gateways

Stateless Packet Filtering

• Router filters packet-by-packet; decision to forward/drop packet based on
  – Source IP address, destination IP address
  – TCP/UDP source and destination port numbers
  – ICMP message type
  – TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

[Figure: router firewall between the internal network and the Internet]

Stateless Packet Filtering Policy

• Example 1: Block incoming and outgoing datagrams with protocol number=17 and with either source or destination port=23.
  – All incoming, outgoing UDP flows and telnet connections are blocked.

• Example 2: Block inbound TCP segments with ACK=0.
  – Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Policy & Firewall Setting

Policy: No outside Web access.
Firewall setting: Drop all outgoing packets to any IP address, port 80.

Policy: No incoming TCP connections, except those for institution’s public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.

Policy: Prevent your network from being used for a smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a “broadcast” address (e.g., 130.207.255.255).

Policy: Prevent your network from being tracerouted.
Firewall setting: Drop all outgoing ICMP TTL expired traffic.

Access Control Lists

• Table of rules, applied to all packets

action  source address         dest address           protocol  source port  dest port  flag bit
allow   222.22/16              outside of 222.22/16   TCP       > 1023       80         any
allow   outside of 222.22/16   222.22/16              TCP       80           > 1023     ACK
allow   222.22/16              outside of 222.22/16   UDP       > 1023       53         ---
allow   outside of 222.22/16   222.22/16              UDP       53           > 1023     ---
deny    all                    all                    all       all          all        all

Question of Stateless Packet Filtering

• Heavy handed tool

• Admits packets that “make no sense,” e.g., destination port = 80, ACK bit set, even though no TCP connection established.

action  source address         dest address   protocol  source port  dest port  flag bit
allow   outside of 222.22/16   222.22/16      TCP       80           > 1023     ACK

Example of such a packet: Source IP: 150.23.23.155, Destination IP: 222.22.0.2, Source port: 80, Destination port: 12543

Stateful Packet Filtering

• Track status of every TCP connection
  – Track connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets “make sense”
  – Timeout inactive connections at firewall: no longer admit packets
  – ACL augmented to indicate need to check connection state table before admitting packet

Example packet checked against the state table: Source IP: 150.23.23.155, Destination IP: 222.22.0.2, Source port: 80, Destination port: 12543

Cisco Router Example

• Block all packets from the host with IP 211.21.160.12 from entering network 168.95.35.0/24.

R2(config)#access-list 21 deny host 211.21.160.12
R2(config)#access-list 21 permit any
R2(config)#interface serial 1
R2(config-if)#ip access-group 21 in

[Figure: R1 (e0, 10.5.3.0/24) – S0/S1 – R2 (e0) – 168.95.35.0/22; host 211.21.160.12/24 on the far side]

any = 0.0.0.0 255.255.255.255

The implicit “deny ip any any” at the end of the list is hidden and not shown. “host” denotes a specific host, so no wildcard mask is needed.

ACL for Stateful Packet Filtering

action  source address         dest address           proto  source port  dest port  flag bit  check connection
allow   222.22/16              outside of 222.22/16   TCP    > 1023       80         any
allow   outside of 222.22/16   222.22/16              TCP    80           > 1023     ACK       x
allow   222.22/16              outside of 222.22/16   UDP    > 1023       53         ---
allow   outside of 222.22/16   222.22/16              UDP    53           > 1023     ---       x
deny    all                    all                    all    all          all        all
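The two ACL tables above, worked as an added example (this is not code from the slides or from the Kurose & Ross textbook): the same five rules first as a stateless filter, then wrapped in a connection table so that the rows marked “check connection” admit only replies to flows an inside host opened. The packet dict layout, the `flags` set and the two sample packets are constructed for the demo.

```python
# Added example: the slides' 222.22/16 ACL as a stateless filter, then as a
# stateful filter with a connection table. Packets are constructed dicts.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("222.22.0.0/16")   # the slides' "222.22/16"

def inside(ip):
    return ip_address(ip) in INSIDE

def stateless_allow(pkt):
    """The five ACL rows, applied packet by packet; first match wins."""
    s, d, p = pkt["src"], pkt["dst"], pkt["proto"]
    sp, dp, fl = pkt["sport"], pkt["dport"], pkt.get("flags", set())
    if p == "TCP" and inside(s) and not inside(d) and sp > 1023 and dp == 80:
        return True   # row 1: outbound web request, any flag bits
    if p == "TCP" and not inside(s) and inside(d) and sp == 80 and dp > 1023 and "ACK" in fl:
        return True   # row 2: inbound web reply, ACK bit must be set
    if p == "UDP" and inside(s) and not inside(d) and sp > 1023 and dp == 53:
        return True   # row 3: outbound DNS query
    if p == "UDP" and not inside(s) and inside(d) and sp == 53 and dp > 1023:
        return True   # row 4: inbound DNS reply
    return False      # row 5: deny everything else

class StatefulFilter:
    """Same ACL, but rows 2 and 4 ("check connection") need a state-table entry."""
    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port, proto)

    def allow(self, pkt):
        if not stateless_allow(pkt):
            return False
        fl = pkt.get("flags", set())
        if inside(pkt["src"]):
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            if pkt["proto"] == "UDP" or "SYN" in fl:
                self.table.add(key)   # setup: an inside host opened this flow
            ok = True
        else:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
            ok = key in self.table    # admit only replies to flows in the table
        if ok and "FIN" in fl:
            self.table.discard(key)   # teardown: stop admitting the flow
        return ok
# Constructed samples: the slide's "makes no sense" packet, and the outbound SYN
# that would have to precede it before a stateful filter accepts it.
NONSENSE_PKT = {"src": "150.23.23.155", "dst": "222.22.0.2", "proto": "TCP",
                "sport": 80, "dport": 12543, "flags": {"ACK"}}
OUTBOUND_SYN = {"src": "222.22.0.2", "dst": "150.23.23.155", "proto": "TCP",
                "sport": 12543, "dport": 80, "flags": {"SYN"}}
```

The stateless filter accepts `NONSENSE_PKT` on row 2 alone; the stateful filter rejects it until `OUTBOUND_SYN` has been seen, and stops admitting the flow again once a FIN passes.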

Application Gateways

• Filters packets on application data as well as on IP/TCP/UDP fields.

[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway behind the router and filter]

Application Gateways Example

• Allow selected internal users to telnet outside.
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to destination host. Gateway relays data between the 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.

Comparison

• Stateless/stateful filters
  – Operate on TCP/IP headers only
  – No correlation check among sessions

• Application gateways
  – Inspect the application data
  – Intrusion detection system (IDS)
    • Detect and alert if something is wrong
  – Intrusion prevention system (IPS)
    • Detect, alert and filter out

Intrusion Detection Systems (IDS)

• Deep packet inspection: look at packet contents
  – E.g., check character strings in packet against database of known virus, attack strings

• Examine correlation among multiple packets
  – Port scanning
  – Network mapping
  – DoS attack

Multiple IDSs

[Figure: Internet – firewall – demilitarized zone (Web server, FTP server, DNS server) – application gateway – internal network, with IDS sensors at several points]

• Different types of checking at different locations

Limitations of Firewalls (1/2)

• IP spoofing: router can’t know if data “really” comes from claimed source

• If multiple apps need special treatment, each has its own app gateway.

• Client software must know how to contact gateway.
  – e.g., must set IP address of proxy in Web browser

Limitations of Firewalls (2/2)

• Filters often use all-or-nothing policy for UDP.

• Tradeoff: degree of communication with outside world vs. level of security

• Many highly protected sites still suffer from attacks.

Part 3: Firewall Products


Products

• General firewall

• IDS, IPS

• Mail firewall

• Web Application Firewall (WAF)


Mail Firewall

• Anti-virus

• Anti-spam

Web Site Attack

Vulnerability / Cause and attack method / Impact

1. Parameter tampering
   Cause: the programmer passes values through hidden fields without checking them, so an attacker can modify the field values and submit forged data.
   Impact: the attacker can submit forged data and alter the site’s transaction behaviour.

2. Cross-site scripting (A1)
   Cause: the web application displays user-supplied input on the site without filtering it.
   Impact: lets a malicious attacker inject malicious JavaScript into the site, affecting other innocent visitors.

3. SQL injection (A2)
   Cause: the web application does not filter special characters, so an attacker can control the back-end database.
   Impact: database contents can be stolen; in serious cases the attacker gains control of the database host.

4. Directory traversal
   Cause: the web application does not filter special characters, so an attacker can enter special escape strings to browse files.
   Impact: files on the Web host can be read; in serious cases this leads to control of the system.

5. Command injection (A2)
   Cause: the web application does not filter special characters, so an attacker can enter specific characters followed by a command and have the server execute it.
   Impact: commands can be run on the Web host; in serious cases this leads to control of the system.

6. Directory listing
   Cause: the server is misconfigured, so an attacker can list every file under the web site’s directory.
   Impact: confidential files in the directory may be exposed.

Normal Connection

[Figure: over the Internet, the client submits ID=A123456789, Passwd=1234 and the server builds the query]

SELECT * FROM member WHERE UID = 'A123456789' AND Passwd='1234'

SQL Injection Attack

[Figure: over the Internet, the client submits ID=Admin' --, Passwd=1234 and the server builds the query]

SELECT * FROM member WHERE UID = 'Admin' --' AND Passwd= '1234'   ## the Passwd check is bypassed
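The normal and injected logins above, as an added example (not code from the slides): the same `member` query run against an in-memory SQLite table, once built by string concatenation as the slide shows and once with bound parameters. The table rows are constructed sample data.

```python
# Added example: the slides' member table and login query, built first by
# string concatenation (as the slide shows) and then with bound parameters.
import sqlite3

def make_db():
    """In-memory member table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (UID TEXT, Passwd TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)",
                   [("A123456789", "1234"), ("Admin", "not-1234")])
    return db

def login_vulnerable(db, uid, passwd):
    """The query exactly as the slide builds it: user input pasted into the SQL text."""
    sql = f"SELECT * FROM member WHERE UID = '{uid}' AND Passwd = '{passwd}'"
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, uid, passwd):
    """Same query, but the driver binds the values; they are never parsed as SQL."""
    sql = "SELECT * FROM member WHERE UID = ? AND Passwd = ?"
    return db.execute(sql, (uid, passwd)).fetchone() is not None

def demo():
    """Run the slide's normal login and its injected login against both versions."""
    db = make_db()
    normal, injected = ("A123456789", "1234"), ("Admin' --", "1234")
    return {
        "normal_vulnerable": login_vulnerable(db, *normal),
        "normal_parameterized": login_parameterized(db, *normal),
        "injected_vulnerable": login_vulnerable(db, *injected),
        "injected_parameterized": login_parameterized(db, *injected),
    }
```

In the concatenated version the `--` turns the rest of the statement into a comment, so the Admin row is returned without the password ever being compared; the parameterized query treats `Admin' --` as a literal user name and finds no row.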

Cross Site Scripting (XSS)

• Server does not check the page parameters.

• Server does not check the uploaded data (ex: YouTube).

• Web page is attached with bad script.
  – Ex: JavaScript, VBScript

XSS Case 1: stealing cookies

[Comic: a web site has an XSS flaw; the hacker’s computer on one side, the victim on the other]
1. Victim: happily surfing the web.
2. Hacker: finds the XSS flaw and posts a malicious article.
3. Hacker: waits patiently… a fish takes the bait.
4. Victim: logs in and views the malicious article.
5. The cookie values are bounced back to the hacker.
6. Hacker: uses the stolen identity to do bad things.
7. Victim: “Sob… I didn’t do anything!!”

XSS Case 2: drive-by malware (掛馬)

[Comic: portal site A has an XSS flaw; the hacker’s computer and server on one side, the victim on the other]
1. Victim: happily surfing the web.
2. Hacker: finds the XSS flaw and sends an e-mail containing a malicious link.
3. Victim: receives the malicious mail… takes a nap first.
4. Victim: carefully confirms the domain is site A and clicks with confidence.
5. Malware is downloaded from the hacker’s server.
6. Victim: “Hit again! Even the lottery isn’t this reliable…”
7. Hacker: “You are my zombie, you are my baby.” The hacker obtains remote control.

Web Application Firewall (1/2)

• Reverse proxy acts as an intermediary between a client browser and Web server.

[Figure: Client – WAF (transparent proxy; HTTP monitor/analysis; accept/block) – Web AP Server, shown across the Application, Transport, Internet and Network Interface layers]

Web Application Firewall (2/2)

• Provides positive/negative dual-mode inspection
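One way to implement the dual-mode inspection the slide names, as an added example (not code from the slides or from any WAF product): a negative model of attack signatures drawn from the web attack table (SQL injection comment, script injection, directory traversal) and a positive model that allowlists the login form’s parameters. The parameter formats are an assumption derived from the slide’s sample request (ID=A123456789, Passwd=1234), and the signature list is a constructed, deliberately small one.

```python
# Added example: a minimal WAF check in the two modes the slide names. The
# positive model (expected parameter formats) is an assumption derived from the
# slide's sample login (ID=A123456789, Passwd=1234); the negative signatures
# cover the SQL injection, XSS and directory traversal rows of the attack table.
import re
from urllib.parse import parse_qs

# Positive mode: allowlist of parameters and the exact shape each must have.
POSITIVE_MODEL = {
    "ID": re.compile(r"[A-Z][0-9]{9}"),
    "Passwd": re.compile(r"[0-9A-Za-z]{4,32}"),
}

# Negative mode: blocklist of known-bad patterns (constructed, deliberately small).
NEGATIVE_SIGNATURES = [
    ("sqli_comment", re.compile(r"'\s*(--|#)|;\s*--")),
    ("xss_script", re.compile(r"<\s*script", re.IGNORECASE)),
    ("path_traversal", re.compile(r"\.\./")),
]

def inspect_request(query_string):
    """Return (decision, reason) for the query string of one form submission."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            # negative mode first: any signature hit is blocked and named
            for sig_name, pattern in NEGATIVE_SIGNATURES:
                if pattern.search(value):
                    return ("block", f"{sig_name} in {name}")
            # positive mode: unknown parameters or malformed values are blocked
            # even when no signature matched (a novel or obfuscated payload)
            rule = POSITIVE_MODEL.get(name)
            if rule is None:
                return ("block", f"unexpected parameter {name}")
            if not rule.fullmatch(value):
                return ("block", f"{name} does not match expected format")
    return ("accept", "all parameters match the positive model")
```

The point of running both modes: the slide’s `Admin' --` login is caught by a signature, while a variant that no signature knows is still blocked because it does not look like a valid ID.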

Summary

• Can a firewall, IDS and IPS completely shield your network from any attack?

• Obviously not, because attackers keep finding new attack methods.

• So, as MIS staff, should you still deploy a firewall?

• Obviously yes, because administrators must do their utmost to defend against outside threats; the shield (firewall) and the work log (log) are both necessary.