Application Firewalls (smb/classes/f06/l16.pdf)

Application Firewalls (1 / 44)

Outline:
Application Firewalls
    Moving Up the Stack
    Advantages
    Disadvantages
    Example: Protecting Email
    Email Threats
    Inbound Email
    Different Sublayers
    Outbound Email
    Combining Firewall Types
    Firewalling Email
    Enforcement
    Outbound Email
The DNS
Application Proxies
Circuit Gateways
Personal and Distributed Firewalls
The Problems with Firewalls
Midterm

Moving Up the Stack (2 / 44)
■ Why move up the stack?
■ Apart from the limitations of packet filters discussed last time, firewalls are inherently incapable of protecting against attacks on a higher layer
■ IP packet filters (plus port numbers...) can’t protect against bogus TCP data
■ A TCP-layer firewall can’t protect against bugs in SMTP
■ SMTP proxies can’t protect against problems in the email itself, etc.

Advantages (3 / 44)
■ Protection can be tuned to the individual application
■ More context can be available
■ You only pay the performance price for that application, not others

Disadvantages (4 / 44)
■ Application-layer firewalls don’t protect against attacks at lower layers!
■ They require a separate program per application
■ These programs can be quite complex
■ They may be very intrusive for user applications, user behavior, etc.

Example: Protecting Email (5 / 44)
■ Do we protect inbound or outbound email? Some of the code is common; some is quite different
■ Do we work at the SMTP level (RFC 2821) or the mail content level (RFC 2822)?
■ What about MIME?
■ (What about S/MIME- or PGP-protected mail?)
■ What are the threats?

Email Threats (6 / 44)
■ The usual: defend against protocol implementation bugs
■ Virus-scanning
■ Anti-spam?
■ Javascript? Web bugs in HTML email?
■ Violations of organizational email policy?
■ Signature-checking?

Inbound Email (7 / 44)
■ Email is easy to intercept: MX records in the DNS route inbound email to an arbitrary machine
■ Possible to use “*” to handle entire domain
■ Example: DNS records exist for att.com and *.att.com
■ Net result: all email for that domain is sent to a front end machine

Different Sublayers (8 / 44)
■ Note that there are multiple layers of protection possible here
■ The receiving machine can run a hardened SMTP, providing protection at that layer
■ Once the email is received, it can be scanned at the content layer for any threats
■ The firewall function can consist of either or both

Outbound Email (9 / 44)
■ No help from the protocol definition here
■ But — most mailers have the ability to forward some or all email to a relay host
■ Declare by administrative fiat that this must be done
■ Enforce this with a packet filter...

Combining Firewall Types (10 / 44)
■ Use an application firewall to handle inbound and outbound email
■ Use a packet filter to enforce the rules

Firewalling Email (11 / 44)
[Figure: network diagram with the labels Outside, Packet Filter, DMZ, Inside, SMTP Receiver, Anti-Spam/Anti-Virus]

Enforcement (12 / 44)
■ Email can’t flow any other way
■ The only SMTP server the outside can talk to is the SMTP receiver
■ It forwards the email to the anti-virus/anti-spam filter, via some arbitrary protocol
■ That machine speaks SMTP to some inside mail gateway
■ Note the other benefit: if the SMTP receiver is compromised, it can’t speak directly to the inside

Outbound Email (13 / 44)
■ Again, we use a packet filter to block direct outbound connections to port 25
■ The only machine that can speak to external SMTP receivers is the dedicated outbound email gateway
■ That gateway can either live on the inside or on the DMZ
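The enforcement rules from the Combining Firewall Types, Enforcement and Outbound Email slides, worked through as an added example that is not part of the lecture: a first-match packet-filter rule set for the email DMZ, evaluated against constructed connection attempts. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the inside, 203.0.113.7 as an outside host), the host roles and the handoff port 10025 are assumptions made for the example.

```python
import ipaddress

# Constructed addressing for this example (assumptions, not from the lecture):
# the DMZ is 192.0.2.0/24, the inside is 10.0.0.0/8, everything else is outside.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
INSIDE = ipaddress.ip_network("10.0.0.0/8")
SMTP_RECEIVER = ipaddress.ip_network("192.0.2.25/32")   # hardened SMTP receiver in the DMZ
AV_FILTER = ipaddress.ip_network("192.0.2.26/32")       # anti-virus / anti-spam machine in the DMZ
OUTBOUND_GW = ipaddress.ip_network("192.0.2.27/32")     # outbound gateway, placed on the DMZ here
INSIDE_MAIL_GW = ipaddress.ip_network("10.1.1.25/32")   # inside mail gateway
SMTP = 25
HANDOFF = 10025  # assumed port for the "arbitrary protocol" between receiver and filter

# Packet-filter rules as (action, source, destination, destination port or None = any).
# First match wins, so the specific allows come before the blanket SMTP deny.
RULES = [
    ("allow", ANY, SMTP_RECEIVER, SMTP),            # the outside may deliver only to the receiver
    ("allow", SMTP_RECEIVER, AV_FILTER, HANDOFF),   # receiver hands mail to the scanner
    ("allow", AV_FILTER, INSIDE_MAIL_GW, SMTP),     # scanner speaks SMTP to the inside gateway
    ("allow", INSIDE, OUTBOUND_GW, SMTP),           # inside hosts relay through the outbound gateway
    ("allow", OUTBOUND_GW, ANY, SMTP),              # only the gateway talks to external receivers
    ("deny", ANY, ANY, SMTP),                       # no other SMTP, in either direction
    ("deny", DMZ, INSIDE, None),                    # a compromised DMZ host cannot reach the inside
    ("allow", INSIDE, ANY, None),                   # other inside-initiated traffic (simplification)
    ("deny", ANY, ANY, None),                       # default deny
]


def decide(src, dst, dport):
    """Return (action, rule_index) for a TCP connection attempt src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net, port) in enumerate(RULES):
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action, i
    raise AssertionError("unreachable: the last rule matches everything")


def audit(flows):
    """Evaluate a list of (label, src, dst, dport) flows; return {label: action}."""
    return {label: decide(src, dst, dport)[0] for label, src, dst, dport in flows}


# Constructed sample flows, including what a compromised receiver would try.
SAMPLE_FLOWS = [
    ("outside -> receiver:25", "203.0.113.7", "192.0.2.25", SMTP),
    ("outside -> inside gateway:25", "203.0.113.7", "10.1.1.25", SMTP),
    ("receiver -> filter handoff", "192.0.2.25", "192.0.2.26", HANDOFF),
    ("compromised receiver -> inside:25", "192.0.2.25", "10.1.1.25", SMTP),
    ("filter -> inside gateway:25", "192.0.2.26", "10.1.1.25", SMTP),
    ("inside host -> outside:25 directly", "10.2.3.4", "203.0.113.7", SMTP),
    ("inside host -> outbound gateway:25", "10.2.3.4", "192.0.2.27", SMTP),
    ("outbound gateway -> outside:25", "192.0.2.27", "203.0.113.7", SMTP),
]

if __name__ == "__main__":
    for label, action in audit(SAMPLE_FLOWS).items():
        print(f"{action:5}  {label}")
```

Rule order carries the policy: the specific allows for the receiver, the scanner and the outbound gateway sit above a blanket deny for port 25, and the DMZ-to-inside deny sits above the inside-initiated allow, so a compromised receiver has no path to the inside even on the handoff port.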

The DNS (14 / 44)

DNS Issues (15 / 44)
■ UDP (discussed previously)
■ Internal versus external view
■ DNS cache corruption
■ Optimizing DNSSEC checks

UDP Issues (16 / 44)
■ Remember the DNS server location discussed last time
■ In fact, what we did there was use an application-level relay to work around packet filter restrictions
■ We’re lucky — since the DNS protocol includes provision for recursion, it requires no application changes for this to work

Internal Versus External View (17 / 44)
■ Should outsiders be able to see the names of all internal machines?
■ What about secretproject.foobar.com?
■ Solution: use two DNS servers, one for internal requests and one for external requests
■ Put one on each side of the firewall
■ Issue: which machine does the NS record for foobar.com point to, the inside or the outside server?
■ Can be trickier than it seems — must make sure that internal machines don’t see NS records that will make them try to go outside directly

Cache Contamination Attacks (18 / 44)
■ DNS servers cache results from queries
■ Responses can contain “additional information” — data that may be helpful but isn’t part of the answer
■ Send bogus DNS records as additional information; confuse a later querier

DNS Filtering (19 / 44)
■ All internal DNS queries go to a DNS switch
■ If it’s an internal query, forward the query to the internal server or pass back internal NS record
■ If it’s an external query, forward the query to outside, but:
◆ Scrub the result to remove any references to inside machines
◆ Scrub the result to remove any references to any NS records; this prevents attempts to go outside directly
■ Use a packet filter to block direct DNS communication
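A small model of the DNS switch from the Internal Versus External View, Cache Contamination Attacks and DNS Filtering slides, added here as an example (not the lecture’s code): queries under foobar.com go to the internal server, everything else goes outside, and outside answers are scrubbed of NS records and of any inside name or address. It also drops authority and additional records that fall outside a simplified bailiwick (the last two labels of the query name), which is the cache-contamination defense generalized a little beyond what the slides spell out. Records are plain (name, type, rdata) tuples; the inside address range 10.0.0.0/8 and the outside response are constructed for the example.

```python
import ipaddress

# Constructed configuration: foobar.com / secretproject.foobar.com are the lecture's
# example names; the inside address range is an assumption for this example.
INTERNAL_ZONE = "foobar.com."
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NAME_RDATA = {"NS", "CNAME", "MX", "PTR"}   # record types whose data is a domain name


def under(name, zone):
    """True if name is zone itself or lies below it (names carry a trailing dot)."""
    return name == zone or name.endswith("." + zone)


def is_inside_address(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INSIDE_NETS)


def references_inside(rr):
    """Does this (name, type, rdata) record leak an inside name or address?"""
    name, rtype, rdata = rr
    return (under(name, INTERNAL_ZONE)
            or (rtype in NAME_RDATA and under(rdata, INTERNAL_ZONE))
            or (rtype == "A" and is_inside_address(rdata)))


def route(qname):
    """The switch's first decision: inside server or outside resolver."""
    return "internal" if under(qname, INTERNAL_ZONE) else "external"


def bailiwick(qname):
    """Simplified bailiwick: the last two labels of the query name."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def scrub_external_response(qname, response):
    """Drop NS records, inside references and out-of-bailiwick extra data."""
    zone = bailiwick(qname)
    scrubbed = {}
    for section, records in response.items():
        kept = []
        for rr in records:
            name, rtype, _ = rr
            if rtype == "NS":
                continue                     # clients must not learn where to go directly
            if references_inside(rr):
                continue                     # nothing about inside machines goes back
            if section != "answer" and not under(name, zone):
                continue                     # unsolicited "additional information"
            kept.append(rr)
        scrubbed[section] = kept
    return scrubbed


def dns_switch(qname, outside_lookup):
    """Route one query; outside answers are scrubbed before they reach the client."""
    if route(qname) == "internal":
        return "internal-server", None       # handed to the inside server (not simulated)
    return "outside", scrub_external_response(qname, outside_lookup(qname))


def fake_outside_lookup(qname):
    """Constructed outside response carrying two records a scrubber must remove."""
    return {
        "answer": [(qname, "A", "198.51.100.34")],
        "authority": [("example.com.", "NS", "ns1.example.com.")],
        "additional": [
            ("ns1.example.com.", "A", "198.51.100.1"),
            ("www.bank.example.", "A", "198.51.100.66"),      # out of bailiwick
            ("secretproject.foobar.com.", "A", "10.3.3.3"),   # inside reference
        ],
    }


if __name__ == "__main__":
    print(dns_switch("secretproject.foobar.com.", fake_outside_lookup))
    print(dns_switch("www.example.com.", fake_outside_lookup))
```

The NS scrub is deliberately unconditional for outside answers: with the packet filter blocking direct DNS, an internal client that learned an outside NS record could only try to go around the switch and fail, so nothing is lost by removing it.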

Application Proxies (20 / 44)

Small Application Gateways (21 / 44)
■ Some protocols don’t need full-fledged handling at the application level
■ That said, a packet filter isn’t adequate
■ Solution: examine some of the traffic via an application-specific proxy; react accordingly

FTP Proxy (22 / 44)
■ Remember the problem with the PORT command?
■ Scan the FTP control channel
■ If a PORT command is spotted, tell the firewall to open that port temporarily for an incoming connection
■ (Can do similar things with RPC — define filters based on RPC applications, rather than port numbers)

Attacks Via FTP Proxy (23 / 44)
■ Downloaded Java applets can call back to the originating host
■ A malicious applet can open an FTP channel, and send a PORT command listing a vulnerable port on a nominally-protected host
■ The firewall will let that connection through
■ Solution: make the firewall smarter about what host and port numbers can appear in PORT commands...
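The PORT check the FTP Proxy and Attacks Via FTP Proxy slides call for, as an added example rather than lecture code: the proxy parses each PORT command seen on the control channel and opens a temporary pinhole only when the named host is the control-channel client itself and the port is an ephemeral one. The reserved-port list, the sample control-channel lines and the client address 10.1.2.3 are constructed for the example.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" per RFC 959: four address octets, then the port as p1*256 + p2.
PORT_RE = re.compile(r"^PORT ((?:\d{1,3},){5}\d{1,3})\s*$", re.IGNORECASE)

# Ports above 1023 that still belong to well-known services on this site (assumed list).
RESERVED_HIGH_PORTS = {2049} | set(range(6000, 6064))


def parse_port(line):
    """Return (host, port) for a syntactically valid PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(v > 255 for v in fields):
        return None
    host = ipaddress.ip_address(".".join(str(v) for v in fields[:4]))
    return host, fields[4] * 256 + fields[5]


def pinhole_for(line, client_addr):
    """Decide whether the proxy may open a temporary inbound hole for this PORT command.

    Returns ((host, port), "ok") for an acceptable command, or (None, reason) otherwise.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None, "malformed PORT command"
    host, port = parsed
    if host != ipaddress.ip_address(client_addr):
        return None, "PORT names a host other than the control-channel client"
    if port < 1024 or port in RESERVED_HIGH_PORTS:
        return None, "PORT names a service port rather than an ephemeral one"
    return (str(host), port), "ok"


def scan_control_channel(lines, client_addr):
    """Walk the client side of a control channel; return (command, hole, reason) per PORT."""
    return [(line.strip(), *pinhole_for(line, client_addr))
            for line in lines if line.upper().startswith("PORT ")]


# Constructed control-channel excerpt from a client at 10.1.2.3.
SAMPLE_CONTROL = [
    "USER anonymous\r\n",
    "PASS guest@\r\n",
    "PORT 10,1,2,3,4,5\r\n",        # legitimate: client's own host, ephemeral port 1029
    "PORT 10,1,2,99,0,23\r\n",      # another host on the protected network
    "PORT 10,1,2,3,23,112\r\n",     # client's own host, but port 6000 (X11)
    "PORT 10,1,2,3,300,1\r\n",      # octet out of range
    "RETR file.txt\r\n",
]

if __name__ == "__main__":
    for cmd, hole, reason in scan_control_channel(SAMPLE_CONTROL, "10.1.2.3"):
        print(f"{cmd:26} -> {hole} ({reason})")
```

Tying the host to the control-channel peer is what defeats the applet scenario: an applet can only ever run on the client that downloaded it, so a PORT command naming any other protected host has no legitimate origin, and the port check keeps it from exposing a service on the client itself.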

Web Proxies (24 / 44)
■ Again, built-in protocol support
■ Provide performance advantage: caching
■ Can enforce site-specific filtering rules

Circuit Gateways (25 / 44)

Circuit Gateways (26 / 44)
■ Circuit gateways operate at (more or less) the TCP layer
■ No application-specific semantics
■ Avoid complexities of packet filters
■ Allow controlled inband connections, i.e., for FTP
■ Handle UDP
■ Most common one: SOCKS. Supported by many common applications, such as Firefox and GAIM.

Application Modifications (27 / 44)
■ Application must be changed to speak the circuit gateway protocol instead of TCP or UDP
■ Easy for open source
■ Socket-compatible circuit gateway libraries have been written for SOCKS — link against those instead of the standard C library to convert the application

Adding Authentication (28 / 44)
■ Because of the circuit (rather than packet) orientation, it’s feasible to add authentication
■ Purpose: extrusion control
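The circuit-gateway exchange with authentication from the Circuit Gateways and Adding Authentication slides, as an added example not taken from the lecture: the server side of a SOCKS5 session (RFC 1928 method selection, RFC 1929 username/password subnegotiation, then a CONNECT request), where the authenticated user name rather than the source address decides whether the requested destination is permitted. The user database, the per-user policy and the client messages are constructed; the gateway here does not actually open the outbound connection.

```python
import hmac
import struct

# Constructed user database and per-user extrusion policy (assumptions for the example).
USERS = {"alice": b"correct horse", "bob": b"battery staple"}
POLICY = {"alice": {("203.0.113.10", 443), ("partner.example", 443)}, "bob": set()}

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # RFC 1928 method codes
CMD_CONNECT = 0x01
REP_OK, REP_FAIL, REP_RULESET = 0x00, 0x01, 0x02      # RFC 1928 reply codes


def select_method(greeting):
    """Client: VER NMETHODS METHODS...  Server: VER METHOD. Only password auth is acceptable."""
    if len(greeting) < 2 or greeting[0] != 5:
        return bytes([5, NO_ACCEPTABLE])
    methods = greeting[2:2 + greeting[1]]
    return bytes([5, USERPASS if USERPASS in methods else NO_ACCEPTABLE])


def authenticate(msg):
    """RFC 1929 subnegotiation: VER ULEN UNAME PLEN PASSWD -> (VER STATUS, username or None)."""
    try:
        if msg[0] != 1:
            raise ValueError
        ulen = msg[1]
        uname = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        passwd = msg[3 + ulen:3 + ulen + plen]
        if len(passwd) != plen:
            raise ValueError
    except (IndexError, ValueError, UnicodeDecodeError):
        return bytes([1, 1]), None
    ok = uname in USERS and hmac.compare_digest(USERS[uname], passwd)
    return bytes([1, 0 if ok else 1]), (uname if ok else None)


def parse_request(req):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port) or None if malformed."""
    if len(req) < 4 or req[0] != 5 or req[2] != 0:
        return None
    cmd, atyp = req[1], req[3]
    if atyp == 1 and len(req) >= 10:                      # IPv4 address
        host, off = ".".join(str(b) for b in req[4:8]), 8
    elif atyp == 3 and len(req) >= 5 + req[4] + 2:        # domain name
        host, off = req[5:5 + req[4]].decode(), 5 + req[4]
    else:
        return None
    return cmd, host, struct.unpack("!H", req[off:off + 2])[0]


def reply(code):
    """VER REP RSV ATYP BND.ADDR BND.PORT; the bound address is zeroed in this model."""
    return bytes([5, code, 0, 1]) + bytes(4) + bytes(2)


def handle_request(req, user):
    """Extrusion control: CONNECT succeeds only for destinations this user may reach."""
    parsed = parse_request(req)
    if parsed is None:
        return reply(REP_FAIL)
    cmd, host, port = parsed
    if cmd != CMD_CONNECT or (host, port) not in POLICY.get(user, set()):
        return reply(REP_RULESET)
    return reply(REP_OK)


def session(greeting, auth_msg, request):
    """Run the three client messages through the gateway; return the server's replies."""
    m = select_method(greeting)
    if m[1] != USERPASS:
        return m, None, None
    a, user = authenticate(auth_msg)
    if user is None:
        return m, a, None
    return m, a, handle_request(request, user)


# Constructed client messages: alice asking to CONNECT to 203.0.113.10:443.
GREETING = bytes([5, 2, NO_AUTH, USERPASS])
ALICE_AUTH = bytes([1, 5]) + b"alice" + bytes([13]) + b"correct horse"
CONNECT_443 = bytes([5, CMD_CONNECT, 0, 1, 203, 0, 113, 10]) + struct.pack("!H", 443)

if __name__ == "__main__":
    for msg in session(GREETING, ALICE_AUTH, CONNECT_443):
        print(msg.hex() if msg else msg)
```

Because the gateway sees a whole circuit rather than individual packets, the identity established once at the start of the session can govern every later decision on it, which is exactly what a packet filter cannot offer.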

Personal and Distributed Firewalls (29 / 44)

Rationale (30 / 44)
■ Conventional firewalls rely on topological assumptions — these are questionable today
■ Instead, install protection on the end system
■ Let it protect itself

Personal Firewalls (31 / 44)
■ Add-on to the main protocol stack
■ The “inside” is the host itself; everything else is the “outside”
■ Most act like packet filters
■ Rule set can be set by individual or by administrator

Saying “No”, Saying “Yes” (32 / 44)
■ It’s easy to reject protocols you don’t like with a personal firewall
■ The hard part is saying “yes” safely
■ There’s no topology — all that you have is the sender’s IP address
■ Spoofing IP addresses isn’t that hard, especially for UDP

Application-Linked Firewalls (33 / 44)
■ Most personal firewalls act on port numbers
■ At least one such firewall is tied to applications — individual programs are or are not allowed to talk, locally or globally
■ Pros: don’t worry about cryptic port numbers; handle auxiliary ports just fine
■ Cons: application names can be just as cryptic; service applications operate on behalf of some other application

Distributed Firewalls (34 / 44)
■ In some sense similar to personal firewalls, though with central policy control
■ Use IPsec to distinguish “inside” from “outside”
■ Insiders have inside-issued certificates; outsiders don’t
■ Only trust other machines with the proper certificate
■ No reliance on topology; insider laptops are protected when traveling; outsider laptops aren’t a threat when they visit

The Problems with Firewalls (35 / 44)

Problems (36 / 44)
■ Corrupt insiders
■ Connectivity
■ Laptops
■ Evasion

Corrupt Insiders (37 / 44)
■ Firewalls assume that everyone on the inside is good
■ Obviously, that’s not true
■ Beyond that, active content and subverted machines mean there are bad actors on the inside

Connectivity (38 / 44)
■ Firewalls rely on topology
■ If there are too many connections, some will bypass the firewall
■ Sometimes, that’s even necessary; it isn’t possible to effectively firewall all external partners
■ A large company may have hundreds or even thousands of external links, most of which are unknown to the official networking people

Laptops (39 / 44)
■ Laptops, more or less by definition, travel
■ When they’re outside the firewall, what protects them?
■ At one conference, I spotted at least a dozen other attendee machines that were infected with the Code Red virus
■ (Code Red only infected web servers. Why were laptops running web servers?)

Evasion (40 / 44)
■ Firewalls and firewall administrators got too good
■ Some applications weren’t able to run
■ Vendors started building things that ran over HTTP
■ HTTP usually gets through firewalls and even web proxies...

Midterm (41 / 44)

Conditions (42 / 44)
■ Open book, open notes
■ No computers or calculators
■ 75 minutes

Format (43 / 44)
■ Approximately 8 questions
■ I’m not asking you to write programs
■ Three types of questions
◆ Explanations of certain concepts, above the pure memorization level
◆ Carrying out tasks based on things discussed in class
◆ Design questions (i.e., ones intended to make you think)

Material (44 / 44)
■ Everything through today’s lecture
■ If it’s in my slides or I said it in class, you’re responsible for it
■ There will be some material based more on the readings
■ You’re responsible for the assigned readings at about the level of class coverage.