Pattern Recognition and Applications Lab – FIREWALLS · 2020. 4. 27.
Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
FIREWALLS
Spring Semester 2019/2020
Giorgio Giacinto
http://pralab.diee.unica.it
Firewall – Perimeter defence
A firewall is either a device or a set of devices intended to ensure control of the traffic flowing across different networks.
(Figure: INTERNET – Firewall – internal network)
Firewall – Definition
• Single point of access
• Keeps attackers away from defenses
Functionalities
• A firewall analyses network traffic and checks whether it complies with the organisation's policies
– Policies are defined from the organization's information security risk assessment
– They should be developed from a broad specification of which traffic types the organization needs to support
– Then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology
An example
• HTTP traffic is allowed for all the machines connected to the network
• Access to the following domains is forbidden
– Youtube.com, Facebook.com, Twitter.com
• IMAP/POP/SMTP traffic is allowed only to machines on the 172.16.20/24 subnet
Firewall Capabilities And Limits
Capabilities
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec
Limitations
• Cannot protect against attacks that bypass the firewall
• May not protect fully against internal threats
• An improperly secured wireless LAN can be accessed from outside the organization
• A laptop, PDA, or portable storage device may be infected outside the corporate network and then used internally
Functionalities
(Figure: INTERNET – Firewall – Filtered traffic / Not filtered traffic)
Functionalities
• Firewalls act as "brokers" that
– manage and control the network traffic
– protect resources behind the firewall
• This allows firewalls to record events and activities
– log files may turn out to be useful for forensic purposes
• Firewalls also allow managing authentication
– this further increases both protection and logging capabilities
Firewall Filter Characteristics
• IP address and protocol values
– This type of filtering is used by packet filter and stateful inspection firewalls
– Typically used to limit access to specific services
• Application protocol
– This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
• User identity
– Typically for inside users who identify themselves using some form of secure authentication technology
• Network activity
– Controls access based on considerations such as the time of request, rate of requests, or other activity patterns
TCP/IP Stack & Firewall Layers
Firewalls can operate on different layers of the TCP/IP stack:
• Application
• Transport
• Network (Internet)
• Link
If access must be restricted to certain users or resources, filtering has to be done at the Application Layer.
If access must be disciplined on a per-IP basis, the firewall must work at the Internet Layer.
If access must be limited to certain applications, filtering has to be done at the Transport Layer.
Types of Firewalls
Firewall – Taxonomy
• Personal Firewalls
– Packet Filter Firewalls
– Stateful Firewalls
• Network Firewalls
– Packet Filter Firewalls
– Stateful Firewalls
– Application Level Firewalls
– NAT Firewalls
Network Firewalls
• Packet Filter Firewalls
• Stateful Firewalls
• Application Level Firewalls
• NAT Firewalls
Firewall Appliances
Feature Summary (Palo Alto PA-7080)
• Firewall throughput – 600/700 Gbps
• New sessions per second – 4.56 M
• Maximum number of sessions (no inspection) – 320 M
• Threat prevention throughput – 270/330 Gbps
• IPSec VPN throughput – 280 Gbps
Source: https://www.paloaltonetworks.com/network-security/next-generation-firewall/pa-7000-series
Gartner Magic Quadrant
(Figure)
Packet Filter Firewalls
Stateless Packet Filter
• It is one of the simplest firewalling mechanisms
– Often integrated in the router
• Filtering at layer 3 (Network) and/or 4 (Transport)
– A typical implementation is a router with Access Control Lists (ACL)
• Filtering criteria
– Source IP address
– Destination IP address
– Protocol (ICMP, TCP, UDP, …)
– Protocol-specific information
• ICMP Echo, ICMP Reply, ICMP Error
• TCP/UDP ports
• etc.
• Two default policies
– Discard – prohibit unless expressly permitted (more conservative)
– Forward – permit unless expressly prohibited (easier to manage but less secure)
Stateless Packet Filter
(Figure – Source: Network Warrior, Gary A. Donahue, O'Reilly)
Stateless Packet Filter – decision flow
1. Does an ACL exist in that direction? NO → Allow the packet. YES → go to step 2.
2. Is there a policy rule for that kind of packet? NO → Discard the packet. YES → go to step 3.
3. What is the action defined by the policy rule? Allow → Allow the packet. Deny → Discard the packet.
Stateless Packet Filter – Clarifications
• It is worth remembering that:
– Once the FW receives a packet, it inspects the ACL to check whether a rule matches the packet
– For efficiency, more specific rules must be at the top of the list
access-list In deny udp any host 192.168.1.101
– The order of the rules is important. One rule can make the following ones useless.
access-list In deny udp any host 192.168.1.101
access-list In allow udp any host 192.168.1.101 eq 53
The second rule is never activated, since the previous one is always matched first.
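The first-match semantics and the shadowed-rule problem from the two slides above, as an added example written for this page (not code from the slides or from any router vendor). It models an ACL as an ordered list of rules, evaluates a packet with either default policy (discard or forward), and flags rules that can never fire because an earlier rule already covers everything they match. The packets and the 10.0.0.5 source address are constructed sample data; the two rules are the ones on the slide, with "allow" written as "permit".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "any" or a protocol name
    src: str = "any"             # "any", a host address or a CIDR prefix
    dst: str = "any"
    dport: Optional[int] = None  # None matches every destination port


def _addr_match(spec: str, addr: str) -> bool:
    # "any" matches everything; a bare host address is treated as a /32
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First match wins. If no rule matches, the default policy decides:
    default="deny" is the slide's 'discard' policy, default="permit" its 'forward' policy."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


def _covers(broad: str, narrow: str) -> bool:
    # True if address spec `broad` matches every address that `narrow` matches
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already matches
    everything they would match (a sufficient, field-by-field check)."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


# The two rules from the slide, in the order shown there (the broad deny first)
SLIDE_ACL = [
    Rule("deny", "udp", "any", "192.168.1.101"),
    Rule("permit", "udp", "any", "192.168.1.101", dport=53),
]
# The same rules with the more specific one on top, as the slide recommends
FIXED_ACL = list(reversed(SLIDE_ACL))

# Constructed sample packets
DNS_QUERY = Packet("udp", "10.0.0.5", "192.168.1.101", 53)
NTP_PACKET = Packet("udp", "10.0.0.5", "192.168.1.101", 123)
WEB_REQUEST = Packet("tcp", "10.0.0.5", "192.168.1.200", 80)

if __name__ == "__main__":
    print(evaluate(SLIDE_ACL, DNS_QUERY))              # ('deny', 0): the first rule swallows DNS
    print(shadowed_rules(SLIDE_ACL))                   # [1]: the permit rule can never fire
    print(evaluate(FIXED_ACL, DNS_QUERY))              # ('permit', 0)
    print(evaluate(FIXED_ACL, NTP_PACKET))             # ('deny', 1)
    print(evaluate(FIXED_ACL, WEB_REQUEST, "deny"))    # ('deny', None): discard default policy
    print(evaluate(FIXED_ACL, WEB_REQUEST, "permit"))  # ('permit', None): forward default policy
```

Running `shadowed_rules` over a rule set before deploying it is a cheap way to catch the ordering mistake the slide warns about; the check is deliberately conservative and only reports a rule when a single earlier rule covers all of its fields.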
Stateless Packet Filter
• Pros
– Fast
– High flexibility in the definition of the policy rules
• Cons
– Can't stop application layer attacks (malicious FTP commands, malware)
– No user authentication
– Limited logging capabilities
– Vulnerable to TCP/IP weaknesses (e.g. IP spoofing, SYN flood, DoS)
– It might be difficult to configure
About Transport Port Status (Nmap Results)
• open
– The port is open and accepts TCP connections and UDP packets
• closed
– A port which can be reached and behind which there is no listening application
• filtered
– It is not possible to determine whether the port is open, because packet filtering prevents the probes from reaching the port
• Other Nmap results
– open|filtered / unfiltered / closed|filtered
Stateful Packet Filter
• Processes packets at the Network and Transport Layers as in the case of the Stateless Packet Filter, but it also traces the Transport Layer connections
– Packets are thus analysed in the context of the connection
• e.g., by keeping track of sequence numbers
– Connectionless protocols such as UDP are inspected as well. Here the Packet Filter checks that the exchange of messages is coherent with the protocol logic.
Stateful Packet Filter – An example
1. Host A begins a connection with Host B
2. Host B replies to the A request
3. Host A finalises the connection. A is ready to send data.
4. Host A sends Host B data.
5. Host B acknowledges it has received data.
How can I prevent Host B initiating a connection?
Stateful Packet Filter
• Pros
– Higher awareness of the Layer 4 traffic → higher security
• Cons
– Can't stop application layer attacks (malicious FTP commands, malicious HTTP requests, malware)
– No user authentication
– Connection management requires CPU & RAM resources
Packet Filter Evasion
• Packet filters can be evaded by leveraging the IP fragmentation mechanism
– Hackers can play with the offset values
• Several variants of the attack do exist: http://www.ouah.org/fragma.html
– e.g., Tiny Fragment Attack
• http://tools.ietf.org/html/rfc3128
Packet Filter Evasion
(Figure)
Review problems
Firewall rules
The following table shows a sample packet filter firewall ruleset for an imaginary network with IP addresses ranging from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.
Firewall rules – SMTP
SMTP (Simple Mail Transfer Protocol) transfers mail between hosts over TCP. The server listens on TCP port 25 for incoming connection requests. The user is on a TCP port number above 1023. Suppose you wish to build a packet filter rule set allowing inbound and outbound SMTP traffic:
Describe the effect of each rule.
Firewall rules – SMTP
If the server IP address is 172.16.1.1, which of the following packets will be allowed and which will be denied?
Firewall rules – SMTP
Someone from the outside world (10.1.2.3) attempts to open a connection from port 5150 on a remote host to the Web proxy server on port 8080 in order to carry out an attack.
Will the attack succeed?
Application Level Gateways
Application Level Gateway (aka Proxy)
• Combines packet layer functionalities with the capability of inspecting the activities at the application level
• Requires user authentication before any activity
• It can be used for different services:
– Email
– Web
– FTP
– DNS
– Telnet
Application Level Gateway (aka Proxy)
(Figure)
Application Level Gateway (aka Proxy)
• Authentication mechanisms
– Username and password
– Token HW/SW
– Biometrics
• Authentication somehow prevents spoofing attacks
– Different authentication mechanisms can be foreseen according to the users' privileges
• 2 different types of proxy mechanisms
– Connection oriented (circuit level proxy)
– Cut-through
Connection Oriented Proxies
1. A client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server) requested by the client
5. The proxy manages two connections
– The connection between the client and the proxy
– The connection between the proxy and the server behind the proxy
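The five steps above as a runnable toy, added for this page and not taken from the slides or from any real proxy product. A tiny line-based protocol is assumed ("AUTH user password", then "CONNECT service"); the user table, the authorization table and the echo backend are constructed for the demo. The point to observe is that the backend only ever sees a connection after steps 2 and 3 have succeeded, and that the proxy, not the client, owns the second connection.

```python
import hmac
import socket
import threading

# Constructed credential and authorization tables (assumptions for this example)
USERS = {"alice": "s3cret"}        # username -> password (plain text only in this toy)
AUTHORIZED = {"alice": {"echo"}}   # username -> services the user may reach through the proxy


def _handle_client(conn: socket.socket, backends: dict, log: list) -> None:
    """One proxied session: steps 2-5 of the slide (step 1 is the client's own connect)."""
    with conn:
        rfile = conn.makefile("rb")
        # Step 2: authenticate the client on the first line "AUTH <user> <password>"
        parts = rfile.readline().decode(errors="replace").split()
        if (len(parts) != 3 or parts[0] != "AUTH"
                or not hmac.compare_digest(USERS.get(parts[1], "").encode(), parts[2].encode())):
            log.append("auth-failed")
            conn.sendall(b"DENIED auth\n")
            return
        user = parts[1]
        # Step 3: check the client's authorization for the requested service
        parts = rfile.readline().decode(errors="replace").split()
        if len(parts) != 2 or parts[0] != "CONNECT" or parts[1] not in AUTHORIZED.get(user, set()):
            log.append(f"{user}:authz-failed")
            conn.sendall(b"DENIED authz\n")
            return
        service = parts[1]
        # Step 4: open the second connection, from the proxy to the backend server
        with socket.create_connection(backends[service]) as backend:
            log.append(f"{user}:connected:{service}")
            conn.sendall(b"OK\n")
            # Step 5: the proxy holds both connections and relays between them
            # (one request/response pair here; a real proxy pumps both directions until close)
            backend.sendall(rfile.readline())
            conn.sendall(backend.recv(4096))


def _serve(handler) -> tuple:
    """Bind a listener on an ephemeral localhost port and hand every connection to handler."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handler, args=(client,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def _echo_backend(conn: socket.socket) -> None:
    # The protected server: it never sees clients the proxy rejected
    with conn:
        conn.sendall(b"echo:" + conn.recv(4096))


def client_request(proxy_addr: tuple, user: str, password: str, service: str, payload: bytes) -> str:
    """Step 1: a client connects to the proxy, then authenticates and asks for a service."""
    with socket.create_connection(proxy_addr) as s:
        rfile = s.makefile("rb")
        s.sendall(f"AUTH {user} {password}\nCONNECT {service}\n".encode())
        status = rfile.readline().decode().strip()
        if status != "OK":
            return status
        s.sendall(payload + b"\n")
        return rfile.readline().decode().strip()


def run_demo() -> tuple:
    """Start backend and proxy, run three sessions, return (results, proxy log)."""
    log: list = []
    backends = {"echo": _serve(_echo_backend)}
    proxy_addr = _serve(lambda conn: _handle_client(conn, backends, log))
    results = {
        "authorized": client_request(proxy_addr, "alice", "s3cret", "echo", b"hello"),
        "bad_password": client_request(proxy_addr, "alice", "wrong", "echo", b"hello"),
        "not_authorized": client_request(proxy_addr, "alice", "s3cret", "files", b"hello"),
    }
    return results, log


if __name__ == "__main__":
    print(run_demo())
```

The proxy log is what gives the "very high logging capabilities" of the later slide: every session is attributed to an authenticated user and a named service, which a stateless filter cannot record.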
Application Level Gateway (aka Proxy)
• Pros
– Very high logging capabilities
– Very high filtering capability
• Granular permissions can be defined
• Cons
– Very high overhead
• Slow
– Ad-hoc firewall and client
Cut-through Proxy
1. The client makes a connection with the proxy
2. The proxy authenticates the client
3. The proxy checks authorisations for the client
4. The proxy opens a second connection toward the resource (e.g. a server), which is then merged with the previous one
5. The proxy acts as an intermediary, managing one single connection
Cut-through Proxy
• Pros
– Higher throughput with respect to a Connection Proxy
– Higher flexibility (possibility to handle a higher number of applications)
• Cons
– Smaller logging capabilities (with respect to a Connection Proxy)
– Filtering only on layers 3 and 4
Web Application Firewalls (WAF)
(Figure: stack layers Web application / Web server / OS / Network; attack classes: Web application vulnerability attacks, DoS (service interruption) attacks, Network vulnerability attacks; protection devices: Firewall, IDS/IPS, WAF)
Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are not effective against Web Application Attacks
Attacking Web Services
Normal traffic (legitimate request):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=3
Attacking Web Services (WAF Protection)
Attack (malicious request):
http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id=-2%20union%20select%20concat%28username,0x3a,password%29%20from[…]
WAFs are commonly based on rules / signatures that detect the presence of specific attack patterns in HTTP requests
e.g.: IF 'union%20select*' in param-input STOP request
Easily evaded in several ways, e.g. by replacing a "%20" with a comment ("/**/")
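The slide's signature rule and its evasion, as an added example written for this page (not code from the slides or from any WAF product). The naive matcher implements the rule exactly as written, on the raw request; the second matcher first normalises each parameter value (percent-decoding until stable, replacing SQL comments by whitespace, collapsing whitespace) and only then applies the pattern, so the "/**/" variant from the slide is caught. It goes one step beyond the slide by also checking a double-percent-encoded variant, which the repeated decoding handles. The two URLs are the ones on the slides (the attack cut at "from"); the other inputs are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Pattern the slide's rule is looking for, applied after normalisation
SIGNATURE = re.compile(r"\bunion\s+select\b")


def naive_match(url: str) -> bool:
    """The rule exactly as the slide writes it: look for 'union%20select' in the raw request."""
    return "union%20select" in url.lower()


def normalize(value: str) -> str:
    """Canonicalise one parameter value before matching: percent-decode until stable
    (so %2520 becomes a space too), replace SQL comments by a space (MySQL treats
    /**/ as whitespace), collapse whitespace runs, lower-case."""
    previous = None
    while previous != value:
        previous, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def normalized_match(url: str) -> bool:
    """Apply the signature to every query parameter after normalisation."""
    query = urlsplit(url).query
    for pair in query.split("&"):
        _name, _sep, raw_value = pair.partition("=")
        if SIGNATURE.search(normalize(raw_value)):
            return True
    return False


def classify(url: str) -> dict:
    return {"naive": naive_match(url), "normalized": normalized_match(url)}


BASE = "http://www.vulnerableserver.com/components/com_hbssearch/longDesc.php?h_id=1&id="
LEGIT = BASE + "3"                                                                  # the slide's normal request
ATTACK = BASE + "-2%20union%20select%20concat%28username,0x3a,password%29%20from"   # the slide's attack, cut at 'from'
COMMENT_VARIANT = ATTACK.replace("%20", "/**/")                                     # the evasion the slide describes
DOUBLE_ENCODED = ATTACK.replace("%20", "%2520")                                     # constructed extra variant

if __name__ == "__main__":
    for label, url in [("legit", LEGIT), ("attack", ATTACK),
                       ("comment variant", COMMENT_VARIANT), ("double encoded", DOUBLE_ENCODED)]:
        print(f"{label:16} {classify(url)}")
```

Normalisation narrows the gap the slide describes but does not close it: any transformation the backend applies that the WAF does not replicate (a different comment syntax, a different decoder) is a new evasion, which is the point of the next slide.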
WAF (and rule-based systems) Limitations
• Easy-to-evade signatures / rules
– changing even a single character may evade detection
– several rules are required to detect attack variants
• Explosion of the number of signatures
– for computational reasons, only the most common rules are used
– rare attack patterns (even if known) may evade detection!
• False alarms tend to increase with the number of signatures
• Signatures cannot intrinsically detect
– attacks which exploit vulnerabilities in custom applications
– advanced attacks like phishing, user impersonation, information leakage
– 0-day / never-before-seen attacks (e.g., advanced injection)
WAF and rule-based systems (such as Layer 3-4 protection devices) are thus ineffective at dealing with the increasing sophistication and variability of attacks
Other types of firewalls
Personal Firewall
• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• Typically much less complex than server-based or stand-alone firewalls
– e.g., a software module on a personal computer
– can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity
Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server
Advantages
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection
DMZ and VPN
Firewall Configuration
DMZ – Demilitarized Zone
• A DMZ is a physical or logical subnetwork between the internal network (TRUSTED) and the external network (UNTRUSTED)
– It usually hosts public company services
DMZ – Demilitarized Zone
• A DMZ allows protecting the private network through two layers of firewalling
– the front-end firewall is directly exposed to the network
• Servers (e.g. Mail, Web) are located just behind this firewall
– the back-end firewall stands behind the front-end firewall and in front of the internal network
• Rules
– The private network can initiate connections toward the DMZ and the Internet, and doesn't accept any kind of incoming connection
– Hosts on the DMZ accept connections from both the private network and the Internet, but cannot initiate any kind of connection
• A router connecting the three different zones can perform both tasks.
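The stateful tracking of the "Stateful Packet Filter – An example" slide (the five-step exchange and the question of how to stop Host B from initiating a connection) and the zone rules of the DMZ slide above, combined into one added example written for this page (not code from the slides). A connection entry is created only by a SYN whose (source zone, destination zone) pair the DMZ policy allows to initiate; every later segment is accepted only if it belongs to a tracked connection and fits its state. The addressing (10.0.0.0/8 as the private network, 192.0.2.0/24 as the DMZ, everything else as the Internet), the hosts A and B and the segments are constructed; the FIN/RST handling is simplified to forgetting the connection on the first such segment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed addressing for the three zones of the slide's DMZ design (an assumption of this
# example): anything outside the two listed prefixes is treated as the Internet.
ZONES = {"10.0.0.0/8": "private", "192.0.2.0/24": "dmz"}

# Who may *initiate* a connection toward whom, as the slide states: the private network toward
# the DMZ and the Internet, the Internet toward the DMZ; the DMZ never initiates; nobody
# initiates toward the private network.
ALLOWED_INITIATIONS = {("private", "dmz"), ("private", "internet"), ("internet", "dmz")}


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK, "F" FIN, "R" RST


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for prefix, name in ZONES.items():
        if ip in ip_network(prefix):
            return name
    return "internet"


class StatefulFilter:
    """Tracks TCP connections by the 4-tuple (initiator address, port, responder address, port)."""

    def __init__(self) -> None:
        self.connections: Dict[Tuple[str, int, str, int], str] = {}

    def _lookup(self, seg: Segment):
        forward = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        if forward in self.connections:
            return forward, "initiator"
        if reverse in self.connections:
            return reverse, "responder"
        return None, None

    def process(self, seg: Segment) -> Tuple[str, str]:
        """Return ("allow" | "drop", reason) for one segment and update the state table."""
        key, sender = self._lookup(seg)
        if key is None:
            # Unknown connection: only a SYN permitted by the zone policy may create state
            if seg.flags != "S":
                return "drop", "no matching connection"
            pair = (zone_of(seg.src), zone_of(seg.dst))
            if pair not in ALLOWED_INITIATIONS:
                return "drop", f"{pair[0]} may not initiate connections to {pair[1]}"
            self.connections[(seg.src, seg.sport, seg.dst, seg.dport)] = "SYN_SENT"
            return "allow", "new connection"
        state = self.connections[key]
        if "R" in seg.flags or "F" in seg.flags:
            del self.connections[key]  # simplification: forget on the first FIN/RST
            return "allow", "connection closed"
        if state == "SYN_SENT" and sender == "responder" and seg.flags == "SA":
            self.connections[key] = "SYN_RECEIVED"
            return "allow", "handshake step 2"
        if state == "SYN_RECEIVED" and sender == "initiator" and seg.flags == "A":
            self.connections[key] = "ESTABLISHED"
            return "allow", "handshake step 3"
        if state == "ESTABLISHED" and "S" not in seg.flags:
            return "allow", "established connection"
        if state == "SYN_SENT" and sender == "initiator" and seg.flags == "S":
            return "allow", "retransmitted SYN"
        return "drop", f"flags {seg.flags} not valid in state {state}"


A, B = "10.0.0.5", "203.0.113.7"  # constructed: A is an internal host, B is on the Internet


def run_scenario() -> Dict[str, str]:
    """The five steps of the slide, then segments the policy must reject or accept."""
    fw = StatefulFilter()
    steps = [
        ("1 A->B SYN", Segment(A, 40000, B, 80, "S")),
        ("2 B->A SYN/ACK", Segment(B, 80, A, 40000, "SA")),
        ("3 A->B ACK", Segment(A, 40000, B, 80, "A")),
        ("4 A->B data", Segment(A, 40000, B, 80, "PA")),
        ("5 B->A ACK", Segment(B, 80, A, 40000, "A")),
        ("B initiates toward A", Segment(B, 51000, A, 443, "S")),
        ("unsolicited ACK toward A", Segment("198.51.100.9", 4444, A, 22, "A")),
        ("Internet -> DMZ web server", Segment(B, 52000, "192.0.2.10", 80, "S")),
        ("DMZ host initiates outward", Segment("192.0.2.10", 53000, B, 80, "S")),
    ]
    return {label: fw.process(seg)[0] for label, seg in steps}


if __name__ == "__main__":
    for label, action in run_scenario().items():
        print(f"{label:28} {action}")
```

Host B's replies are accepted only because A's SYN created the entry first; B's own SYN finds no entry and is judged by the zone policy, which is exactly the answer to the question on the example slide. A stateless filter would have to accept the unsolicited ACK as well, since it cannot tell a reply from a fresh segment.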
Virtual Private Network (VPN)
• A VPN is a virtual network through which it is possible to establish a secure communication channel over an "insecure" medium (the Internet) without the need for a dedicated link
• VPN management mechanisms ensure security
– Confidentiality
– Integrity
– Authenticity
Remote Access VPN
(Figure: remote client – Firewall (VPN Concentrator) – Company network)
Site-to-Site VPN
(Figure)
VPN – Advantages
• Cheap
– Possibility to build large overlaid networks without the need for a dedicated infrastructure
• Security
– Authentication and cryptography ensure the security of the data
• Scalability
– Adding branches to the VPN doesn't require costly infrastructures
Network Segmentation and the cloud
• Network segmentation is becoming a complex task
– Virtualisation
– Cloud applications, services, storage
• The physical deployment of a network barely represents the actual data flow
• A deep logical map of all the enterprise activities is needed in order to define the routing and firewalling policies
• The firewall itself is not required to be a physical appliance, as it can be deployed as a virtual application
OT Networks
Operational Technology Networks
• The network connecting all Industrial Control Systems (ICS) devices
– PLCs
– SCADA
– DCS
• In the past, OT used proprietary protocols, and no connection with the external world was available
• Currently, the IT-OT convergence allows ICS to share data and to realise remote control.
• Network segmentation through firewalls is mandatory to avoid exposing those devices (ISA99 – IEC 62443)
Purdue model (ISA99)
(Figure)