F2 - Brandvägg 2 (Lecture 2, Firewalls 2)

Upload: bajsenkel

Post on 06-Apr-2018


  • 8/2/2019 F2 - Brandvägg 2

    1/22


    KTH STH

    L2, Firewalls

    HI1023 - Nätverkssäkerhet, gk (Network Security, basic course)

    KTH STH, Slide 2, Micael Lundvall

    Outline of Lecture 2

    Firewall Characteristics

    NAT (Network Address Translation)

    Port Forwarding

    Types of firewalls

    Firewall Configuration

    Trusted systems


    Slide 3

    Firewall Characteristics

    All traffic between inside and outside must pass through the firewall.

    Only authorized traffic, as defined by the local security policy, will be allowed to pass.

    The firewall itself is immune to penetration.

    (Figure: the firewall sits between the trusted private network and the untrusted public network.)

    Slide 4

    Four general techniques

    Service control

    Type of Internet service that can be accessed

    Direction control

    Direction of service request that may pass

    User control

    User access to specified service

    Behavior control

    Controls how particular services are used


    Slide 5

    Firewall example, DMZ

    (Figure: DMZ example. Router 194.1.1.1 towards the Internet, ip_ext 194.1.1.1/32, ip_dmz 194.1.1.3 on dmznet 194.1.1.0/24, ip_int 192.168.123.1 on intnet 192.168.123.0/24, an ISDN link, and the hosts int-sql, int-proc, int-mail, websrv and dmz-proz.)

    Slide 6

    NAT (Network Address Translation)

    NAT is used by a device that sits between an internal network and the rest of the world.

    NAT solves the IPv4 shortage of IP addresses (only 2^32 exist).

    NAT has many forms and can work in several ways.



    Slide 7

    Static NAT

    Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis.

    Particularly useful when a device needs to be accessible from outside the network.


    Slide 8

    Port Forwarding, Static NAT

    Port Forwarding allows the router/firewall to publish one or more internal IP addresses on the external interface.

    (Figure: a router with external address 132.168.27.32 and internal address 10.0.0.1 in front of the hosts 10.0.0.11 to 10.0.0.15; the mapping 132.168.27.32:80 to 10.0.0.11:80 publishes the internal web server on the Internet.)


    Slide 9

    Dynamic NAT

    Dynamic NAT - Maps an unregistered IP address to a registered IP address taken from a group of registered IP addresses.


    Slide 10

    Overloading, PAT (Port Address Translation)

    Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.



    Slide 11

    Port-mapped NAT (NAPT, PAT, ...)

    Can be implemented in most routers.

    Hides private net from public net.

    All outgoing traffic appears to come from one single address, the router's external address.

    (Figure: NAT router with external address 132.168.27.32 and internal address 10.0.0.1 between the Internet and the hosts 10.0.0.11 to 10.0.0.15.)

    Slide 12

    Port-mapped NAT (NAPT, PAT, ...)

    NAT works with blocks of port numbers.

    Every internal PC gets a NAT port number when connecting to an external address.

    Private address  Private port  External address  External port  NAT port  Used protocol
    10.0.0.5         2123          128.10.19.20      80             14003     TCP
    10.0.0.1         1862          128.10.19.20      80             14010     TCP
    10.0.2.1         2660          207.200.75.200    21             14012     TCP
    10.0.0.3         1274          128.210.1.5       53             14007     UDP
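The translation table above as working code: an added example, not part of the lecture slides, that keeps one NAT port per internal flow behind the router's external address 132.168.27.32 (the port block starting at 14000 and the packet layout are constructed for the example).

```python
from dataclasses import dataclass

EXTERNAL_IP = "132.168.27.32"   # router's external address from slide 11
NAT_PORT_BASE = 14000           # constructed: first port of the NAT port block


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP" or "UDP"


class Napt:
    """Port-mapped NAT: one external address, one NAT port per internal flow."""

    def __init__(self):
        self.forward = {}   # (priv addr, priv port, ext addr, ext port, proto) -> NAT port
        self.reverse = {}   # (NAT port, ext addr, ext port, proto) -> (priv addr, priv port)
        self.next_port = NAT_PORT_BASE

    def outbound(self, pkt):
        """Rewrite a packet leaving the private net; allocate a NAT port on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        nat_port = self.forward.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.forward[key] = nat_port
            self.reverse[(nat_port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(EXTERNAL_IP, nat_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Rewrite a packet arriving from outside; None means no mapping, so it is dropped."""
        entry = self.reverse.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if entry is None or pkt.dst != EXTERNAL_IP:
            return None
        priv_addr, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_addr, priv_port, pkt.proto)

    def rows(self):
        """The translation table in the column order of slide 12."""
        return [(k[0], k[1], k[2], k[3], v, k[4]) for k, v in self.forward.items()]
```

Because only replies that match an existing entry are rewritten, an unsolicited packet from the Internet has nowhere to go, which is what "hides the private net from the public net" means in practice.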


    Slide 13

    Overlapping

    Overlapping - The IP addresses used on an internal network are registered IP addresses already in use on another network.


    Slide 14

    Types of firewalls

    Packet filter (PF)

    Also referred to as Static/Stateless Packet Filter

    Stateful Inspection

    Also referred to as Dynamic Packet Filter

    Circuit-Level Gateway (CLG)

    Also referred to as proxy server

    Application-Layer Gateway (ALG)


    Slide 15

    Packet Filtering Firewall

    A set of rules in an ACL allows or denies packets based on source and destination.

    A packet is filtered only on the information in its headers.

    The payload is NOT examined.

    (Figure: packet filtering in the router/firewall between the LAN and the Internet.)

    Slide 16

    Packet Filter

    A packet at the Network Layer encapsulates the headers of the layers above.

    No information is held about packets that have been checked previously.

    (Figure: IP header with source and destination address, TCP header with source and destination, then application data; IP layer and TCP layer.)


    Slide 17

    Filtering rules

    Rules are contained in a filter table or list

    Access Control List (ACL)

    Rules are processed top-down.

    As soon as a rule matches, the action associated with this rule is performed and processing terminates.

    Action  Source   Src port  Dst      Dst port  Flags
    Allow   Our net  >1023     *        80        *
    Allow   *        80        Our net  >1023     ACK
    Deny    *        *         *        *         *

    Slide 18

    Analysis of Stateless Filtering

    Works well when all the information needed to open a connection is held within the individual packets.

    E.g. to allow outgoing connections to any Web server, you must:

    allow outgoing requests to establish a connection;

    allow all subsequent packets that are part of this connection.


    Slide 19

    TCP connection

    TCP can distinguish a packet that is about to open a connection from a packet that is part of an existing connection.

    (Figure: a connection is opened from a port > 1023 to port 80; packets of the existing connection flow between port 80 and the port > 1023.)

    Slide 20

    Fragmentation

    Sometimes IP packets arrive fragmented.

    The original packet may have been too large for a link.

    Fragmented packets are a problem for stateless filtering.

    Not all fragments contain the TCP header.
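The slide-17 rule table evaluated top-down with first match, together with the fragment problem of slide 20: an added example that is not part of the slides. "Our net" is taken to be 192.168.123.0/24 from the DMZ slide; a packet whose fragment carries no TCP header has its ports and flags set to None.

```python
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.168.123.0/24")   # "Our net", assumed from the DMZ slide

# (action, source, src port, destination, dst port, flags), the slide-17 table
ACL = [
    ("Allow", "Our net", ">1023", "*", 80, "*"),
    ("Allow", "*", 80, "Our net", ">1023", "ACK"),
    ("Deny", "*", "*", "*", "*", "*"),
]


def addr_match(pattern, addr):
    if pattern == "*":
        return True
    if pattern == "Our net":
        return ip_address(addr) in OUR_NET
    return pattern == addr


def port_match(pattern, port):
    if pattern == "*":
        return True
    if port is None:                  # non-first fragment: no TCP header, no port known
        return False
    if isinstance(pattern, str) and pattern.startswith(">"):
        return port > int(pattern[1:])
    return pattern == port


def flags_match(pattern, flags):
    if pattern == "*":
        return True
    return flags is not None and pattern in flags


def filter_packet(pkt, acl=ACL):
    """pkt: dict with src, sport, dst, dport, flags (a set or None).
    Returns (action, index of the matching rule); rules are processed top-down."""
    for i, (action, src, sport, dst, dport, flags) in enumerate(acl):
        if (addr_match(src, pkt["src"]) and port_match(sport, pkt["sport"])
                and addr_match(dst, pkt["dst"]) and port_match(dport, pkt["dport"])
                and flags_match(flags, pkt["flags"])):
            return action, i          # first match wins, processing stops here
    return "Deny", None               # nothing matched: implicit deny
```

A fragment without a transport header can only ever match the final catch-all rule, so a stateless filter either drops every such fragment or lets them through blind; that is why the stateful filter on later slides reassembles before inspecting.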


    Slide 21

    Fragmentation

    (Figure, at the network layer: 1. Packet sent as IP + TCP + data. 2. Packet is fragmented at a router into IP1 + TCP + data and IP2 + data. 3. Packet received and reassembled at the destination.)

    Slide 22

    UDP

    UDP headers do not hold enough information for effective stateless filtering.

    An incoming packet may be either a request or a response to a previous outgoing packet.

    (Figure: client and server exchanging UDP packets between a port > 1023 and port 53; a packet from port 53 to a new port > 1023 looks the same whether it is a reply or a new request.)


    Slide 23

    Stateful Packet Filter

    Can allow or deny packets based on:

    information in the current packet;

    information in previously transmitted packets.

    Remembers state information about the communication from previous packets.

    Slide 24

    Stateful Packet Filter

    Maintains a table of active TCP sessions and UDP "pseudo" sessions.

    Each entry records the session's:

    source and destination IP address

    source and destination port numbers

    the current TCP sequence number


    Slide 25

    Connection State Table

    Src Addr      Src Port  Dst Addr      Dst Port  Connection
    192.168.1.10  1054      210.9.88.23   80        Established
    192.168.1.11  1055      216.32.42.12  80        Established
    192.168.1.12  1056      173.32.42.89  25        Established

    Entries are created for TCP connections or UDP streams that pass the rules in the ACL.

    Packets associated with these sessions are permitted to pass without an ACL check.

    Slide 26

    Stateful Packet Filter

    (Figure: resolution of a DNS query between a client and a DNS server.)

    1. Resolve a DNS query.

    2. Packet to UDP port 53 on the DNS server.

    3. The stateful filter checks the packet going out and creates a rule allowing replies within a limited time.

    4. DNS reply allowed.


    Slide 27

    Fragmentation

    Fragments reassembled for inspection

    Unexpected fragments can be detected and dropped by the filter.

    (Figure: fragments 1 to n heading for the internal network; no filtering on fragments at the router. 1. A denial-of-service attack floods the network with fragments. 2. The filter inspects and attempts to reassemble the fragments into a packet; if that fails, the fragment is denied.)

    Slide 28

    Firewall Builder



    Slide 29

    Juniper firewall

    Slide 30

    Stateful Inspection Packet Filter

    SPF with Inspection Modules.

    Checks whether the session that was opened really carries the protocol corresponding to the port used.

    If not, the session is terminated.

    E.g. the HTTP inspection module checks whether the first line of a TCP request on port 80 starts with the characters PUT, POST or GET.
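The stateful filter of slides 23 to 26 and the inspection module of slide 30 in one piece of code: an added example, not from the slides. Entries are created only for sessions the policy allows, return packets are matched against the reversed 5-tuple, UDP pseudo sessions expire after a constructed time window, and a port-80 session whose first line is not HTTP is terminated. The clock is injectable so the timeout can be exercised.

```python
import time

UDP_REPLY_WINDOW = 5.0   # seconds a UDP "pseudo session" accepts replies (constructed)


class StatefulFilter:
    def __init__(self, allow_outbound, now=time.monotonic):
        self.allow_outbound = allow_outbound  # ACL policy: (dst, dport, proto) -> bool
        self.sessions = {}   # (src, sport, dst, dport, proto) -> expiry time, None for TCP
        self.now = now       # clock, injectable so the timeout can be tested

    @staticmethod
    def _key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])

    def outbound(self, p):
        """Packets of a known session pass on the state table alone; new ones hit the ACL."""
        key = self._key(p)
        if key in self.sessions:
            return "Allow"
        if not self.allow_outbound(p["dst"], p["dport"], p["proto"]):
            return "Deny"
        # TCP entries live until the session is closed; UDP entries expire (slide 26)
        self.sessions[key] = None if p["proto"] == "TCP" else self.now() + UDP_REPLY_WINDOW
        return "Allow"

    def inbound(self, p):
        """Accept only replies that match an entry, i.e. the reversed 5-tuple."""
        key = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        if key not in self.sessions:
            return "Deny"                     # unsolicited: no session opened from inside
        expiry = self.sessions[key]
        if expiry is not None and self.now() > expiry:
            del self.sessions[key]
            return "Deny"                     # UDP reply outside the allowed time window
        return "Allow"

    def inspect_http(self, p, payload):
        """Slide 30 inspection module: a port-80 session must look like HTTP or it is terminated."""
        first_line = payload.split(b"\r\n", 1)[0]
        if p["dport"] == 80 and not first_line.startswith((b"GET ", b"POST ", b"PUT ")):
            self.sessions.pop(self._key(p), None)
            return "Terminated"
        return "OK"
```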


    Slide 31

    Circuit-Level Gateway

    Hides the internal network by providing a communication endpoint for clients and servers.

    Normally added as a service on a well-known port number.

    All connections through the firewall must be relayed through this port.

    Slide 32

    Operation of a CLG

    (Figure: client 10.1.1.4 and destination host 123.1.2.3; the CLG has the addresses 10.1.1.1 and 130.1.2.1, routing is disabled at the network layer, and the relay happens at the transport layer.)

    1. The client connects to the CLG and specifies the destination host.

    2. The CLG connects to the destination host if allowed by the policy.

    3. Data is copied between the two connections.


    Slide 33

    CLG Connections

    Information about the connections is stored within the circuit-level gateway.

    Each client connection gets a unique port number.

    Can distinguish the connections of all clients.

    (Figure: Connection A is client 10.1.1.4 to CLG 10.1.1.1 port 1080; Connection B is CLG 130.1.2.1 port 4711 to 123.1.2.3 port 80.)

    Slide 34

    CLG Connections

    Can be used for both incoming and outgoing connections.

    Requires special client configuration.

    Can use any port number.

    SOCKS is the standard implementation for a circuit-level gateway.
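Step 1 and 2 of slide 32 in the SOCKS4 wire format, since slide 34 names SOCKS as the standard CLG implementation: an added example, not from the slides. The gateway parses the client's CONNECT request (version 4, command 1, destination port and IPv4 address, user id, NUL), applies a constructed policy, and returns the SOCKS4 reply (90 granted, 91 rejected); the policy and the addresses are assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED, REPLY_REJECTED = 90, 91


def parse_socks4_connect(data):
    """Return (dest_ip, dest_port, userid) or None if the request is malformed."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        return None
    (port,) = struct.unpack("!H", data[2:4])
    ip = str(ip_address(data[4:8]))
    end = data.find(b"\x00", 8)            # user id is NUL-terminated
    if end == -1:
        return None
    return ip, port, data[8:end].decode("ascii", "replace")


def policy_allows(dest_ip, dest_port):
    """Constructed policy: relay only web ports, never back into the private net."""
    private = ip_network("10.0.0.0/8")
    return dest_port in (80, 443) and ip_address(dest_ip) not in private


def handle_request(data):
    """Decide whether the CLG opens connection B; returns (reply bytes, target or None)."""
    req = parse_socks4_connect(data)
    if req is None:
        return struct.pack("!BBH4s", 0, REPLY_REJECTED, 0, b"\x00" * 4), None
    ip, port, _userid = req
    granted = policy_allows(ip, port)
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    reply = struct.pack("!BBH4s", 0, code, port, ip_address(ip).packed)
    return reply, ((ip, port) if granted else None)


def build_connect(dest_ip, dest_port, userid=b"user"):
    """Client side: the request sent to the CLG (helper for testing)."""
    head = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dest_port, ip_address(dest_ip).packed)
    return head + userid + b"\x00"
```

Only after a granted reply would the gateway open connection B from its outside address and start copying data between the two sockets (step 3 of slide 32).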


    Slide 35

    Application-Level Gateway

    Acts as a relay of application-level traffic between clients and servers for specific applications.

    Requires a separate ALG for each protocol.

    Does not provide the service itself.

    It acts as the client to the real server.

    Slide 36

    ALG content filtering

    Can check or filter protocol content.

    Can filter HTML tags to block JavaScript, Java or ActiveX.

    Checks for viruses.

    Checks for illegal content and usage.

    Could affect performance.

    Provides integration with content and URL-filtering software.


    Slide 37

    Operation of an ALG

    (Figure: client 10.1.1.4 and destination host 123.1.2.3; the ALG has the addresses 10.1.1.1 and 130.1.2.1, routing is disabled at the network layer, and the ALG works above the transport layer.)

    1. The client connects to the ALG and specifies the destination host.

    2. The ALG acts as the client to make a connection to the server, depending on its policy.

    3. Data can be processed before being passed between the two connections.

    Slide 38

    Bastion Host

    A system identified by the firewall administrator as a critical strongpoint in the network's security.

    Typically a platform with a hardened OS running an ALG or CLG.


    Slide 39

    Screened host firewall system (single homed)

    From the Internet: only IP packets destined for the bastion host are allowed in.

    From the internal network: only packets from the bastion host are allowed out.

    Direct Internet access to the information server (IS) may be allowed.

    (Figure: Internet, packet filter as the first line of defence, then bastion host and information server on the private network.)

    Slide 40

    Screened host firewall system (dual homed)

    From the Internet: only IP packets destined for the bastion host are allowed in.

    From the internal network: only packets from the bastion host are allowed out.

    Direct Internet access to the information server (IS) may be allowed.

    (Figure: Internet, packet filter as the first line of defence, then the dual-homed bastion host in front of the information server and the private network.)


    Slide 41

    Screened subnet firewall system (three levels of defense)

    Both the Internet and the private network have access to hosts on the screened subnet.

    The private network is hidden from the Internet.

    Traffic across the screened network is blocked in both directions.

    (Figure: Internet, outer packet filter as the first line of defence, screened subnet with bastion host and information server, inner packet filter, private network.)

    Slide 42

    Trusted Systems

    Defence against intruders and malicious programs.

    Data access control

    User access control: permissions for operations and file access.

    All access data is saved in an access matrix.

    Critical operations are logged


    Slide 43

    Access Control Structure

    Elements of access matrix

    Subject:

    Users, groups, applications

    Object:

    Files, programs, segments of memory

    Access rights:

    Read, write, execute

    Slide 44

    Summary

    To get a secure system you need to design a combination of different components.

    Defence in depth.

    There is no standard solution for every company.

    Price/Performance