Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication 800-10




Page 1

Security and Firewalls

Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls

John P. Wack and Lisa J. Carnahan

NIST Special Publication 800-10

Page 2

What

• A firewall is a barrier that prevents something bad from passing and doing harm

• Network firewalls are systems through which all traffic going into or out of a protected network environment must pass
  – The gateway becomes the guardian, protecting the network by selectively forbidding access

Page 3

Why

• TCP/IP services were not all designed with security in mind
  – a determined attacker takes advantage of security risks inherent in some service implementations

• Networks and computing resources, including the data stored, are increasingly critical to an organization’s survival

Page 4

What, more

• Firewall
  – systems
  – routers
  – policy
  – central connection

• Restrict
  – access to or from selected systems
  – block certain TCP/IP services

Page 5

Authentication

• Weak authentication
  – password files are accessible
    • password attacks are sophisticated
    • finding one vulnerable password gives access to the system
  – Granularity of authentication
    • user level or host level
    • a trusted user may come from a host accessible to many untrusted users.

Page 6

Monitoring

• Unencrypted passwords cross networks when using telnet or ftp

• Monitoring traffic on a LAN is easy

• Information displayed may be critical

Page 7

Spoofing

• Source routing of IP packets allows an intruder to masquerade as a trusted site

• Many services determine access rights based on the IP address, assuming that traffic from a trusted domain is safe

• Mail is easily spoofed and allows an intruder to gain access to the mail privileges of a legitimate user.

• More can be said, but we probably all know that the networks are vulnerable to attack.

Page 8

Structure

[Diagram: a barrier placed between "The Internet" and "Our network to be protected"]

Page 9

Firewall Services

• Protection from vulnerable services

• Controlled access to specific systems

• Concentrated security

• Enhanced privacy

• Logging and statistics on network use, misuse

• Policy enforcement

Page 10

Service restriction

• Refuse to respond to source-routed packets

• Restrict NFS and NIS service access
  – Constrain them to a local network where the services are needed
  – Disallow remote access

Page 11

Site access restriction

• A policy matter
  – What internal sites should be accessible from outside?
  – Base: no access unless there is a reason for it

Page 12

Concentrated security

• Only one place needs to be configured and maintained for control of access to the systems.
  – Reduces the burden of configuring many systems
  – Increases the likelihood of well-maintained access control

Page 13

Privacy

• Blocking some service access
  – finger on Unix systems
    • in addition to information about the user that might be better restricted to internal use, it gives information on when the user last logged in.
    • usage patterns can be useful to intruders
  – DNS
    • knowledge about the configuration of network internals can be useful in attacks.

Page 14

Logging

• If all access to network resources goes through one site, comprehensive logging of activity becomes feasible.

• What might look unimportant when the logs of one host are examined may be serious when aggregated with information about access to other hosts on the same network.
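As an added illustration of this aggregation point (constructed example, not from the slides or from the NIST publication): a handful of invented gateway log lines, first counted host by host, where each target sees a single unremarkable denied attempt, and then grouped by source, where one address is seen touching many internal hosts.

```python
from collections import defaultdict

# Constructed gateway log: every attempt from outside passes the one firewall,
# so this single file sees what each internal host would only see a slice of.
# Format: <time> <src ip> -> <dst host>:<dst port> <result>
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> host-a:23 denied
10:00:02 198.51.100.7 -> host-b:23 denied
10:00:02 203.0.113.5 -> mail:25 permitted
10:00:03 198.51.100.7 -> host-c:23 denied
10:00:04 198.51.100.7 -> host-d:25 denied
10:00:05 203.0.113.5 -> mail:25 permitted
10:00:06 198.51.100.7 -> host-e:119 denied
"""


def parse(line: str):
    """Split one log line into (time, src, dst_host, dst_port, result)."""
    time, src, _, target, result = line.split()
    host, port = target.rsplit(":", 1)
    return time, src, host, int(port), result


def per_host_view(log_text: str):
    """What each destination host sees on its own: the number of events aimed at it."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, _, host, _, _ = parse(line)
        counts[host] += 1
    return dict(counts)


def hosts_touched_per_source(log_text: str):
    """The aggregated view: the distinct internal hosts each source contacted."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        _, src, host, _, _ = parse(line)
        touched[src].add(host)
    return {src: sorted(hosts) for src, hosts in touched.items()}


def sweeping_sources(log_text: str, threshold: int = 3):
    """Sources that touched at least `threshold` distinct hosts (invisible host by host)."""
    return sorted(src for src, hosts in hosts_touched_per_source(log_text).items()
                  if len(hosts) >= threshold)
```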

Page 15

Policy

• A reasonable policy
  – allows access that is needed and useful
  – denies access that serves no good use and might be dangerous

• A firewall is a way to enforce a good policy

Page 16

Issues, problems with Firewalls

• Restricted access adds a burden to legitimate users

• A firewall provides no protection from attacks that originate behind the firewall

• A false sense of security may lead to carelessness

Page 17

Firewall components

• network policy
  – what restrictions
  – how enforced

• advanced authentication mechanisms
  – one-time passwords, biometrics, smartcards, etc.

• packet filtering
  – source, destination IP address or port

• application gateways
  – proxy service

Page 18

Packet filtering

• Flexibility in what you allow

• Perhaps allow http or smtp access to specific internal hosts, but no access to others

• Example:

Type  Src addr      Dst addr    Src port  Dst port  Action
Tcp   *             123.4.5.6   >1023     23        permit
Tcp   *             123.4.5.7   >1023     25        permit
Tcp   *             123.4.5.8   >1023     25        permit
Tcp   129.6.48.254  123.4.5.9   >1023     119       permit
Udp   *             123.4.*.*   >1023     123       permit
*     *             *           *         *         deny

(port 23 = telnet; 25 = smtp; 119 = nntp; 123 = NTP)
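As an added example (not code from the slides or from the NIST publication), the rule table above turned into a first-match packet filter in Python: the types, addresses, ports and actions are the slide's; the matching helpers and the sample packets are constructed here. The source-port column is only a sanity check, since a stateless filter has no way to confirm that the remote side really used an ephemeral port.

```python
# Rule table from the slide, in order. The filter walks the table top to bottom
# and the first matching row decides; the final wildcard row is the default deny.
RULES = [
    # (type, src addr,        dst addr,     src port, dst port, action)
    ("tcp", "*",            "123.4.5.6",  ">1023",  "23",  "permit"),  # telnet to one host
    ("tcp", "*",            "123.4.5.7",  ">1023",  "25",  "permit"),  # smtp
    ("tcp", "*",            "123.4.5.8",  ">1023",  "25",  "permit"),  # smtp
    ("tcp", "129.6.48.254", "123.4.5.9",  ">1023",  "119", "permit"),  # nntp from one peer
    ("udp", "*",            "123.4.*.*",  ">1023",  "123", "permit"),  # NTP to the whole net
    ("*",   "*",            "*",          "*",      "*",   "deny"),
]


def addr_matches(pattern: str, addr: str) -> bool:
    """Dotted-quad match; '*' stands for the whole address or for a single octet."""
    if pattern == "*":
        return True
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def port_matches(pattern: str, port: int) -> bool:
    """Match '*', an exact port number, or a '>N' lower bound as written in the table."""
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def decide(proto: str, src: str, dst: str, sport: int, dport: int):
    """Return (action, index of the matching rule) for a single packet header."""
    for i, (r_proto, r_src, r_dst, r_sport, r_dport, action) in enumerate(RULES):
        if ((r_proto == "*" or r_proto == proto.lower())
                and addr_matches(r_src, src) and addr_matches(r_dst, dst)
                and port_matches(r_sport, sport) and port_matches(r_dport, dport)):
            return action, i
    return "deny", None  # only reached if the catch-all row is removed


if __name__ == "__main__":
    # Constructed packets: telnet to the permitted host, smtp to that same host
    # (denied: only port 23 is open there), and NTP to an address outside 123.4.*.*.
    for pkt in [("tcp", "198.51.100.9", "123.4.5.6", 40001, 23),
                ("tcp", "198.51.100.9", "123.4.5.6", 40001, 25),
                ("udp", "198.51.100.9", "123.5.0.1", 40001, 123)]:
        print(pkt, "->", decide(*pkt))
```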

Page 19

What to restrict

• tftp, port 69, trivial FTP, used for booting diskless workstations, terminal servers and routers, can also be used to read any file on the system if set up incorrectly

• X Windows, OpenWindows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes

• RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and read and write to files

• rlogin, rsh, and rexec, ports 513, 514, and 512, services that if improperly configured can permit unauthorized access to accounts and commands.

(Quoted from the reference source)

Page 20

More restrictions

• TELNET, port 23, often restricted to only certain systems,

• FTP, ports 20 and 21, like TELNET, often restricted to only certain systems,

• SMTP, port 25, often restricted to a central e-mail server,

• RIP, port 520, routing information protocol, can be spoofed to redirect packet routing,

• DNS, port 53, domain name service zone transfers, contains names of hosts and information about hosts that could be helpful to attackers, could be spoofed,

• UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured can be used for unauthorized access,

• NNTP, port 119, Network News Transfer Protocol, for accessing and reading network news, and

• gopher, http, ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.

Page 21

Examples

• Firewalls come in several types
  – Packet filtering
    • simplest, common, block addresses and/or protocols
  – Dual homed
    • proxy for all services that are needed
  – Screened host
    • more flexible, less secure
  – Screened subnet
    • no need for dual homed host

Page 22

Dual homed host

[Diagram: Internet, Info server, Application Gateway (dual homed host), protected network]

Complete block to IP traffic between the protected network and the Internet

Service only available by proxy servers on the Application Gateway

IP filtering

Host-based application must accept all requests for specific services and pass them on or not.

Mail, telnet, ftp, http, etc.

Page 23

Screened host

[Diagram: Internet, IP filtering router, Info server, Application Gateway, protected network]

Application traffic from Internet to App Gateway ok; all other incoming traffic rejected; application from App Gateway to Internet ok; all other traffic from the network to the Internet rejected

Page 24

Screened subnet

[Diagram: Internet, Info server, E-mail server, Application Gateway, protected network; two numbered components (1) and (2) bracket the screened subnet]

Similar in function to a dual homed host

Page 25

Firewall summary

• The goal: impose a barrier between the protected network and the potential intruder

• The problem: provide protection without undue restriction on services to legitimate users.

• Most important: have a policy

• Options available for how to implement the policy