Implementing a Distributed Firewall

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

Guide to Network Defense and Countermeasures Second Edition

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

Firewalls and Intrusion Detection Systems

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Data Security in Local Networks using Distributed Firewalls

Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

An Analysis of Firewalls

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

A Brief Taxonomy of Firewalls

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Intranet, Extranet, Firewall. Intranet and Extranet.

FIREWALL Mạng máy tính nâng cao-V1.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter.

Chapter 6: Packet Filtering

Chapter 13 – Network Security

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

FIREWALLS Prepared By: Hilal TORGAY Uğurcan SOYLU.

P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.

Windows 7 Firewall.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Network Firewall Technologies By: David W Chadwick Implementing a Distributed Firewall By: Sotiris Ioannidis Angelos D. Keromytis Steve M. Bellovin Jonathan.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

Module 10: How Middleboxes Impact Performance

5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:

Firewalls2 By using a firewall: We can disable a service by throwing out packets whose source or destination port is the port number for that service.

Module 10: Windows Firewall and Caching Fundamentals.

Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow.

Deny-by-Default Distributed Security Policy Enforcement in MANETs Joint work with Mansoor AlicherryAngelos D. Keromytis Columbia University Angelos Stavrou.

1 An Introduction to Internet Firewalls Dr. Rocky K. C. Chang 12 April 2007.

Data Security in Local Network Using Distributed Firewall Presented By- Rahul N.Bais Guide Prof. Vinod Nayyar H.O.D Prof.Anup Gade.

K. Salah1 Security Protocols in the Internet IPSec.

IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

FIREWALLS An Important Component in Computer Systems Security By: Bao Ming Soh.

25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.

Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos

Filtering/Firewalls CSE 581, Winter Anand Patwardhan

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

* Essential Network Security Book Slides.

Firewalls Routers, Switches, Hubs VPNs

POOJA Programmer, CSE Department

Firewalls Jiang Long Spring 2002.

دیواره ی آتش.

Data Security in Local Networks using Distributed Firewalls

Presentation transcript:

Implementing a Distributed Firewall Sotiris Ioannidis Angelos D. Keromytis Steve M. Bellovin Jonathan M. Smith Presented By Jim Michaud Paper based off of paper by Nov. 1999 Steve Bellovin

Outline Intro to Security and Firewalls Problems with Current Firewalls Distributed Firewall Concept Distributed Firewall Implementation Conclusions

*Dieter Gollman, Computer Security, p 9 Intro to Security Computer/Network Security - The prevention and detection of unauthorized actions by users of computer systems* But what does “unauthorized” mean? It depends on the system’s “security policy” Define “system” Define Security *Dieter Gollman, Computer Security, p 9

Security Policy A “security policy” defines the security rules of a system. Without a defined security policy, there is no way to know what access is allowed or disallowed An example policy: (simple) Allow all connections to the web server Deny all other access

Firewalls In most systems today, the firewall is the machine that implements the “security policy” for a system A firewall is typically placed at the edge of a system and acts as a filter for unauthorized traffic Filters tend to be simple: source and destination addresses, source and destination ports, or protocol (tcp, udp, icmp)

Firewall Example Here we have 4 competing companies. They have installed firewalls to protect their secrets from their competitors. Only Web server access is allowed from external hosts

Firewall Drawbacks Firewalls can become a bottleneck Certain protocols (FTP, Real-Audio) are difficult for firewalls to process Assumes inside users are “trusted” Multiple entry points make firewalls hard to manage Users can circumvent access methods, by adding a modem (etc) without administrator’s consent. End-to-end encryption Idea is to not have firewall read entire application header to figure out

Distributed Firewall Concept Security policy is defined centrally Enforcement of policy is done by network endpoint(s)

Standard Firewall Example Not worried about DMZ’s for now, since it creates bottleneck

Standard Firewall Example Connection to web server

Standard Firewall Example Connection to intranet Would need a separate firewall to protect against this.

Distributed Firewall Example

Distributed Firewall Example to web server

Distributed Firewall Example to intranet

Distributed Firewall Implementation Language to express policies and resolving requests (KeyNote system) Mechanisms to distribute security policies (web server) Mechanism that applies security policy to incoming packet (Policy daemon and kernel updates)

KeyNote A language to describe security policies (RFC 2704) Fields in an “assertion”: KeyNote Version – Must be first field, if present Authorizer – Mandatory field, identifies the issuer of the assertion Comment Conditions – The conditions under which the Authorizer trusts the Licensee Licensees – Identifies the authorized, should be public key, but can be IP address Local-Constants – Similar to environment variable Signature – Must be last, if present All field names are case-insensitive Blank lines not permitted within an assertion

KeyNote Policies and Credentials Policies and Credentials have same basic syntax Policies are “local” Credentials are “delegated” and MUST be signed

KeyNote Example 1 Licensee is public key of a machine, but doesn’t have to be Blank line ends Signature is a hash of everything up to the newline before the signature field Could have entire file of these

KeyNote Example 2 KeyNote-Version: 2 Authorizer: “rsa-hex:1023abcd” Licensee: “IP:158.130.6.141” Conditions: (@remote_port < 1024 && @local_port == 22 ) -> “true”; Signature: “rsa-sha1-hex:bee11984” IP can be used as identifier, This trusts validity of IP address Note that this credential delegates to an IP address,

Distributed Firewall Implementation Not a complete solution, only a prototype Done on OpenBSD Filters done in kernel space Focused on TCP connections only connect and accept calls When a connect is issued, a “policy context” is created Policy contect is a container for

User Space This design was not chosen because of the difficulty in “forcing” an application to use the modified library For example, “telnetd”, “ftpd”

Policy Context Policy context contains all the information that the Policy Daemon will need to decide whether to allow or disallow a packet No limit to the kind of data that can be associated with the context For a connect, context will include ID of user that initiated the connection, the destination address and destination port. For an accept, context will include similar data to connect, except that the source address and source port are also included

Implementation Design

Policy Daemon User level process that makes all the decisions based on policies Initial policies are read from a file Current implementation allows changes to policies but changes only affect “new” connections A host that does not run this daemon is not part of the “distributed firewall” Uses /dev/policy device Daemon receives request by reading the kernel device The daemon processes the request using the keyNote library and a decision the accept or deny is reached The daemon then writes the reply back to the kernel

Policy Device /dev/policy – pseudo device driver Communication path between the Policy Daemon and the “modified” kernel Supports standard operations: open, close, read, write, ioctl Independent of type of application If /dev/policy has not been opened, then no connection filtering is done

Example of Connection to a Distributed Firewall local host security policy: KeyNote-Version: 2 Authorizer: “POLICY” Licensees: ADMINISTRATIVE_KEY Assumes an IPSEC SA between hosts

Example of Connection to a Distributed Firewall Credential provided to local host during IKE exchange KeyNote-Version: 2 Authorizer: ADMINISTRATIVE_KEY Licensees: USER_KEY Conditions: (app_domain == "IPsec policy" && encryption_algorithm == "3DES" && local_address == "158.130.006.141") -> "true"; (app_domain == "Distributed Firewall" && @local_port == 23 && encrypted == "yes" && authenticated == "yes") -> "true"; Signature: ...

Example of Connection to a Distributed Firewall

Conclusions Distributed firewalls allows the network security policy to remain the control of the system administrators Insiders may no longer be unconditionally treated as “trusted” Does not completely eliminate the need for traditional firewalls More research is needed in this area to determine robustness, efficiency, and scalability DoS attacks are mitigated easier at the network ingress point Intrusion detection are more effective when complete traffic information is available Protect endhosts that do not support distributed firewalls. Failsafe

Future Work High quality administration tools NEED to exist for distributed firewalls to be accepted Allow per-packet scanning as opposed to per-connection scanning Policy updating and revocation Credential discovery Need to add a way to walk through the list of connection and re-apply the policy Use ioctl call Users need a way to discover what they might need to supply the system in order to connect (see a problem with this)

Questions