email or call for office visit, or call Kathy Cheek, 404 894-5696 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Centergy 5177 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 10a - Firewalls
Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area Networks: - connects PC’s (in “terminal emulation” mode), remote terminals (next building) and mini-computers. Premises Network: - connects LANs and LAN-attached devices to each other. Enterprise-wide Network: - leased data lines (T1, DS-3) connect various offices. Internet Connectivity: - initially for email, now for Web access, e-commerce, ... . Makes the world accessible, but now the world also has access to you. 2
Connectivity Provided by the Georgia Backbone Network • Citizens • Schools WWW • Contractors • Libraries • City & County • Kiosks Governments Firewalls State WWW Gateway State Internet Agency Gateway & Other Agencies Web Server Agency Virtual Private Network Private Virtual Connection Agency Server LANs at Agency Offices across Georgia Non-Agency State Server 3
Agency Firewall - Protects Agency Subnets from Unwanted Connections from Unwanted Connections Subnet 1 Subnet 2 Gate- WAN Gate- way way Firewalls (and many routers) can reject: • Packets with certain source and destination addresses • Packets with certain high-level protocols (UDP, Telnet) Proxy Servers - for specific applications • Email messages assembled and inspected, then passed to internal email server machine. Prevent Cyber Loafing - Exploring the Internet for fun. 4
Router-Firewall can drop packets based on source or destination, Web Server Browser Application Application Router-Firewall can drop packets based on source or destination, ip address and/or port Layer Layer (HTTP) (HTTP) Port 80 Port 31337 Transport Transport Layer Layer (TCP,UDP) (TCP,UDP) Segment No. Segment No. Network Network Layer (IP) Layer (IP) IP Address 130.207.22.5 Network Network IP Address 24.88.15.22 Layer Layer Token Ring E'net Data Token Ring E'net Data Link Layer Link Layer Data-Link Layer Data Link Layer Ethernet Token Ring E'net Phys. Token Ring Phys. Layer Phys. Layer Layer Phys. Layer 5
Transport or App.-Layer Process Process Application Application Layer (HTTP, Gateway, or Proxy Layer FTP, TELNET, (HTTP(HTTP, SMTP) FTP, TELNET, SMTP) Transport Transport Transport Transport Layer Layer Layer Layer (TCP, UDP) (TCP, UDP) (TCP, UDP) (TCP,UDP) Network Network Network Network Layer (IP) Layer (IP) Layer (IP) Layer (IP) E'net Data TR Data Link Link E'net Data TR Data Layer Link Layer Layer Link Layer E'net Phys. E'net Phys. TR Phys. TR Phys. Layer Layer Layer Layer 6
Policy No outside Web access. Outside connections to Public Web Server Only. Prevent Web-Radios from eating up the available bandwidth. Prevent your network from being used for a Smuft DoS attack. Prevent your network from being tracerouted or Ping scanned. Firewall Setting Drop all outgoing packets to any IP, Port 80 Drop all incoming TCP SYN packets to any IP except 130:207:244.203, port 80 Drop all incoming UDP packets - except DNS and Router Broadcasts. Drop all ICMP packets going to a “broadcast” address (130.207.255.255 or 130.207.0.0). Drop all incoming ICMP, UDP, or TCP echo-request packets, drop all packets with TTL < 5. 7
Firewall Attacks IP Internal-Address Spoofing Source Routing (External Spoof) Tiny Fragment Attacks 2nd-Fragment Probes SYN-ACK Probes Internal Hacking Firewall Defense Drop all incoming packets with local address. Drop all IP packets with Source-Routing Option. Drop all incoming packet fragments with small size. Assemble IP fragments (hard work), or at least *. Be “Stateful” -keep track of TCP outgoing SYN packets (start of all TCP connections) (hard work). Drop all outgoing packets which do not have an "internal" source IP address. * Fragments after the first one have no transport header (no way to tell if it is TCP, UDP, ICMP, ... , or determine port numbers. Firewall must at least keep a temporary list of approved IP ID-Numbers based on the first fragment decision. 8
A Firewall is a single point that a Network Administrator can control, even if individual computers are managed by workers or departments. ------- Over half of corporate computer misfeasance is caused by employees who are already behind the main firewall. Solution 1 - isolate subnets with firewalls (usually routers or Ethernet switches with “filter” capabilities). Protect Finance department from Engineering department [Problem: Internal network is much higher bit rate, firewalls more expensive]. Solution 2 - implement /etc/hosts.allow, “IP Chains”, or “IP Tables” (PC “Personal Firewalls”) to limit access except from individual computers on certain ports for specific hosts and subnets. 9
"inetd" and "xinetd" hosts.allow #cat /etc/hosts.deny ALL:ALL #cat /etc/hosts.allow in.telnetd: 199.77.146 24.88.154.17 in.ftpd: 199.77.146.19 199.77.146.102 UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any). Above, telnet connection is available to all on the 199.77.146.0 subnet, and a single off-subnet host, 24.88.154.17 FTP service is available to only to two local hosts, .19 and .102. The format for each line is “daemon:host-list” 10
* replaced by IP Tables ("iptables”) IP Chains* The kernel starts with three lists of rules; these lists are called firewall chains or just chains. The three chains are called input, output and forward. When a packet comes in (say, through the Ethernet card) the kernel uses the input chain to decide its fate. If it survives that step, then the kernel decides where to send the packet next (this is called routing). If it is destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain. A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to reject or deny the packet. http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html#ss4.2 * replaced by IP Tables ("iptables”) 11
IPchains - Linux Firewall and Router utility program ---------------------------------------------------------------- | ACCEPT/ "lo" (local) interface | v REDIRECT _______ | C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ --> h a |input | e {Routing } |Chain | |output |ACCEPT e n |Chain | m {Decision} |_______| --->|Chain | c i |______| a ~~~~~~~~ | | ->|_______| k t | s | | | | | s y | q | v | | | u | v e v DENY/ | | v m | DENY/ r Local Process REJECT | | DENY/ | v REJECT a | | | REJECT | DENY d --------------------- | v e ----------------------------- DENY not “lo” interface ipchains -A good-if -i ! eth1 -j DENY ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT ipchains -A good-if -j icmp-acc IPchains - Linux Firewall and Router utility program 12
IP Tables and Netfilter Whereas ipchains and ipfwadm combine packet filtering and NAT (particularly three specific kinds of NAT, called masquerading, port forwarding and redirection), netfilter makes it possible to separate packet operations into three parts: packet filtering, connection tracking, and Network Address Translation. Each part connects to the netfilter hooks at different points to access packets. The connection tracking and NAT subsystems are more general and more powerful than the stunted versions within ipchains and ipfwadm. This split allowed iptables, in turn, to use the information which the connection tracking layer had determined about a packet: this information was previously tied to NAT. This makes "iptables" superior to "ipchains" because it has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on the source, destination or data content of the packet. A firewall using iptables this way is said to be a stateful firewall versus ipchains, which can only create a stateless firewall (except in very limited cases). It can be said that ipchains is not aware of the full context from which a data packet arises, whereas iptables is, and therefore iptables can make better decisions on the fate of packets and connections. Excerpt from http://en.wikipedia.org/wiki/Ip_tables 13
Stateful Firewall Local PC ip1 External Host ip2 14 TCP SYN establishes “state” (ip1,ip2,tcp, 33489,80) TCP SYN-ACK or RESET or relatedICMP established “state” (ip1,ip2,tcp, 33489,80) TCP ACK’s established “state” (ip1,ip2,tcp, 33489,80) TCP or UDP or ICMP Not part of an established “state” 14
# iptables -L Chain INPUT (policy DROP) target prot opt source destination DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN ACCEPT udp -- anywhere anywhere udp spt:domain ACCEPT tcp -- localhost anywhere tcp spt:smtp ACCEPT tcp -- anywhere anywhere tcp spt:smtp state ESTABL ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT icmp -- 1.185.lancope.com anywhere DROP all -- 0.0.0.0/8 anywhere DROP all -- anywhere 127.0.0.0/8 DROP icmp -- anywhere anywhere state NEW DROP all -- anywhere anywhere Chain FORWARD (policy DROP) Chain OUTPUT (policy DROP) ACCEPT icmp -- anywhere 10.0.0.0/24 ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED Warning- the “-l” listing does not indicate the restriction on network port (lo, eth0, eth1, ...). For example, the first line may appear to accept all tcp packets, but not show this applies only to tcp packets from the “lo” port. 15
Router Setup with Network Address Translation (NAT) Addresses 10.x.y.z and 192.168.x.y reserved for private networks. 16
17
18