Executive Director and Endowed Chair CS 5323 Firewalls Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 16 ravi.utsa@gmail.com www.profsandhu.com © Ravi Sandhu World-Leading Research with Real-World Impact!
TCP/IP Basics World-Leading Research with Real-World Impact! © Ravi Sandhu World-Leading Research with Real-World Impact!
OSI Reference Model END USER A END USER B Application Layer higher level protocols Presentation Layer End user functions Presentation Layer higher level protocols Session Layer Session Layer Transport Layer Transport Layer lower level protocols or network services Network Layer Network Layer Network functions lower level protocols or network services Data Link Layer Data Link Layer Physical Layer Physical Layer PHYSICAL MEDIUM © Ravi Sandhu World-Leading Research with Real-World Impact! 3
OSI Reference Model END USER A END USER B INTERMEDIATE NETWORK NODE higher level protocols higher level protocols lower level protocols or network services lower level protocols or network services INTERMEDIATE NETWORK NODE SOURCE NODE DESTINATION NODE © Ravi Sandhu World-Leading Research with Real-World Impact! 4
TELNET FTP SMTP HTTP etc TCP UDP TCP/IP Protocol Stack: Basic Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE 802.3 802.11 Token-Ring ATM PPP etc © Ravi Sandhu World-Leading Research with Real-World Impact! 5
TCP/IP Protocol Stack: Basic Protocols IP (Internet Protocol) connectionless routing of packets UDP (User Datagram Protocol) unreliable datagram protocol TCP (Transmission Control Protocol) connection-oriented, reliable, transport protocol Application layer protocols TELNET (network virtual terminal) FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) HTTP (Hyper Text Transfer Protocol) …… © Ravi Sandhu World-Leading Research with Real-World Impact! 6
Internet Hourglass Model TCP/IP TCP RFC 793 Sept. 1981 IPv4 RFC 791 Sept. 1981 © Ravi Sandhu World-Leading Research with Real-World Impact!
TELNET FTP SMTP HTTP etc TCP UDP TCP/IP Protocol Stack: Infrastructure Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE 802.3 802.11 Token-Ring ATM PPP etc DNS DHCP RIP BGP ICMP ARP RARP © Ravi Sandhu World-Leading Research with Real-World Impact! 8
TCP/IP Protocol Stack: Infrastructure Protocols DNS: Domain Name Service DHCP: Dynamic Host Configuration Protocol OSPF: Open Shortest Path First BGP: Border Gateway Protocol ICMP: Internet Control Message Protocol ARP: Address Resolution Protocol RARP: Reverse Address Resolution Protocol © Ravi Sandhu World-Leading Research with Real-World Impact! 9
TELNET FTP SMTP HTTP etc TCP UDP TCP/IP Protocol Stack: Security Protocols layer 5-7 4 3 2 TELNET FTP SMTP HTTP etc TCP UDP IP IEEE 802.3 802.11 Token-Ring ATM PPP etc DNS DHCP SSL RIP BGP ICMP IPSEC ARP RARP © Ravi Sandhu World-Leading Research with Real-World Impact! 10
Internet Security Protocols IPsec, 1998 SSL,1994 Largely failed Half successful Dozens of other security protocols Some successes Many failures © Ravi Sandhu World-Leading Research with Real-World Impact!
IP v4 Packet header data carries a layer 4 protocol TCP, UDP or a layer 3 protocol ICMP, IPSEC, IP or a layer 2 protocol IEEE 802.3 © Ravi Sandhu World-Leading Research with Real-World Impact! 12
TCP Inside IP IP HEADER TCP HEADER © Ravi Sandhu World-Leading Research with Real-World Impact! 13
IP Header Format version: 4bit, currently v4 header length: 4 bit, length in 32 bit words TOS (type of service): unused total length: 16 bits, length in bytes identification, flags, fragment offset: total 16 bits used for packet fragmentation and reassembly TTL (time to live): 8 bits, used as hop count Protocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP, IEEE 802.3 header checksum: 16 bit checksum source address: 32 bit IP address destination address: 32 bit IP address © Ravi Sandhu World-Leading Research with Real-World Impact! 14
IP Header Format options source routing enables route of a packet and its response to be explicitly controlled route recording timestamping security labels © Ravi Sandhu World-Leading Research with Real-World Impact! 15
TCP Header Format source port number source IP address + source port number is a socket: uniquely identifies sender destination port number destination IP address + destination port number is a socket : uniquely identifies receiver SYN and ACK flags sequence number acknowledgement number © Ravi Sandhu World-Leading Research with Real-World Impact! 16
TCP/IP Vulnerabilities © Ravi Sandhu World-Leading Research with Real-World Impact!
TCP 3 Way Handshake SYN(X) SYN(Y), ACK(X) ACK(Y) initiator responder © Ravi Sandhu World-Leading Research with Real-World Impact! 18
TCP SYN Flooding Attack TCP 3 way handshake send SYN packet with random IP source address return SYN-ACK packet is lost half-open connection stays for some time-out period Denial of service attack Basis for IP spoofing attack © Ravi Sandhu World-Leading Research with Real-World Impact! 19
IP Spoofing Send SYN packet with spoofed source IP address SYN-flood real source so it drops SYN-ACK packet guess sequence number and send ACK packet to target target will continue to accept packets and response packets will be dropped © Ravi Sandhu World-Leading Research with Real-World Impact! 20
TCP Session Hijacking Send RST packet with spoofed source IP address and appropriate sequence number to one end SYN-flood that end send ACK packets to target at other end © Ravi Sandhu World-Leading Research with Real-World Impact! 21
Fundamental Vulnerability IP packet carries no authentication of source address IP spoofing is possible Firewalls do not solve this problem Requires cryptographic solutions © Ravi Sandhu World-Leading Research with Real-World Impact! 22
IP Spoofing Story ALLOW GOOD GUYS IN KEEP BAD GUYS OUT IP Spoofing predicted in Bell Labs report ≈ 1985 Unencrypted Telnet with passwords in clear 1st Generation firewalls deployed ≈ 1992 IP Spoofing attacks proliferate in the wild ≈ 1993 Virtual Private Networks emerge ≈ late 1990’s Vulnerability shifts to the client PC Network Admission Control ≈ 2000’s Persists as a Distributed Denial of Service mechanism Most of these fixes have not changed or extended IPv4 © Ravi Sandhu World-Leading Research with Real-World Impact! 23
Firewalls © Ravi Sandhu World-Leading Research with Real-World Impact!
What is a Firewall? external Internet internal network FIRE- WALL © Ravi Sandhu World-Leading Research with Real-World Impact! 25
What is a Firewall? all traffic between external and internal networks must go through the firewall easier said than done firewall has opportunity to ensure that only suitable traffic goes back and forth © Ravi Sandhu World-Leading Research with Real-World Impact! 26
Benefits secure and carefully administer firewall machines to allow controlled interaction with external Internet internal machines can be administered with varying degrees of care does work © Ravi Sandhu World-Leading Research with Real-World Impact! 27
Basic Limitations connections which bypass firewall services through the firewall introduce vulnerabilities insiders can exercise internal vulnerabilities performance may suffer single point of failure © Ravi Sandhu World-Leading Research with Real-World Impact! 28
Ultimate Firewall external Internet internal network Air Gap © Ravi Sandhu World-Leading Research with Real-World Impact! 29
Types of Firewalls Packet filtering firewalls IP layer Application gateway firewalls Application layer © Ravi Sandhu World-Leading Research with Real-World Impact! 30
Packet Filtering Firewalls IP packets are filtered based on source IP address + source port number destination IP address + destination port number protocol field: TCP or UDP TCP protocol flag: SYN or ACK TCP/UDP: protocol field © Ravi Sandhu World-Leading Research with Real-World Impact! 31
Filtering Routers internal external network Internet packet filtering mail gateway © Ravi Sandhu World-Leading Research with Real-World Impact! 32
Packet Filtering Firewalls drop packets based on filtering rules static (stateless) filtering no context is kept dynamic (stateful) filtering keeps context © Ravi Sandhu World-Leading Research with Real-World Impact! 33
Packet Filtering Firewalls Should never allow packet with source address of internal machine to enter from external internet Cannot trust source address to allow selective access from outside © Ravi Sandhu World-Leading Research with Real-World Impact! 34
Packet Filtering Firewalls packet filtering is effective for coarse-grained controls not so effective for fine-grained control can do: allow outgoing ftp from a particular internal host cannot do: allow outgoing ftp from a particular internal user © Ravi Sandhu World-Leading Research with Real-World Impact! 35
Filtering Routers internal network 1 external Internet internal packet filtering router external Internet internal network 2 mail gateway (internal network 3) © Ravi Sandhu World-Leading Research with Real-World Impact! 36
Filtering Host external Internet internal network router internal network packet filtering firewall host one can use a packet filtering firewall even if connection to Internet is via an external service provider © Ravi Sandhu World-Leading Research with Real-World Impact! 37
Application Gateway Firewalls external Internet external router internal network application gateway firewall host © Ravi Sandhu World-Leading Research with Real-World Impact! 38
Application Proxies have to be implemented for each service may not be safe (depending on service) typically used for outgoing http requests from internal users © Ravi Sandhu World-Leading Research with Real-World Impact! 39
Demilitarized Zone (DMZ) Outgoing web proxy Filtering Router Filtering Router I n t r a e I n t e r Outgoing & incoming email server Webserver Static content Webserver Dynamic User-dependent content © Ravi Sandhu World-Leading Research with Real-World Impact! 40