Firewalls and Info Services


Firewalls and Info Services
Prevent unauthorized access between nets
Most of the protection is based upon examination of the IP packets
There is always a tradeoff between security and ease of use
[Diagram: the firewall sits between the outside and the inside to PROTECT the inside]

Primary Types of Firewalls
[Diagram: Dual-Homed Gateway: Internet – bastion host – Inner Network]
[Diagram: Screened Host Gateway: Internet – router – screened host – Inner Network]

Dual-Homed Gateway
Any data wanting to pass through to/from the bastion host should be required to pass through a PROXY agent.
Proxy software can be configured to use encryption.
Clients may need to be replaced with proxy clients
[Diagram: Internet – bastion host (ftp proxy) – Inner Network; an ftp request passes through the ftp proxy, a telnet request with no agent is blocked (X)]

Screened Host Gateway
Only data allowed through is data for the screened host
Router can allow holes to certain hosts on inner net.
Router uses IP addresses and port numbers to control the flow of data
[Diagram: Internet – router – screened host – Inner Network; traffic for the screened host passes through the router, traffic for other inner nodes is not allowed (X)]

Some Risks
Once you allow holes in the router, the nodes to which you allow “extra” access increase your ZONE OF RISK.
Those machines need to be as secure as your screened/bastion host, or they represent your weak link.
The larger the program, the more susceptible it is to errors and security leaks.
–Browsers are good examples of large programs

Two Other Types of Firewalls
[Diagram: Screening Router: Internet, router, bastion host, Inner Network]
[Diagram: Router-only Gateway: Internet – router – Inner Network]

Planning Steps
Know the details of how client-server connections are made
Determine physical location of equipment
Decide who gets access in either direction
–Screening router is on basis of IP/port not user
Determine a strategy for logging activity
–What to write
–How to monitor
–Under what conditions do you take specific actions
Must develop a failure plan if firewall breaks
Develop a thorough testing procedure

Software for Firewall Support: CERN WEB server
Proxy mode to handle requests for internal clients
Handles http AND OTHER PROTOCOLS
–browser clients usually handle other protocols, NOT SERVERS
Requires the client to be configurable to use proxy mode. Not sure how common this is in the client (p.504 of text)
setenv http_proxy “
setenv ftp_proxy “
What if the client doesn’t go through the WEB server?
–bastion serves as a router of sorts and doesn’t let any other data through
–router will deny passage if not through the screened host
Has caching features so only one copy needed for entire inner net

Software for Firewall Support: SOCKS
Freeware running on bastion host
Presumably configures the bastion to do filtering of data passing through
SOCKS is a proxy server dealing with TCP streams, not client dependent
The specific client must be written to be SOCKsified
SOCKsified versions are available for PCs and unix environments
Check it out at ftp.nec.com

Software for Firewall Support: Firewall Toolkit
tn-gw, ftp-gw, plug-gw (socket to socket)
Does NOT require a special client
Client must RUN the program differently
instead of:
telnet remotehost
you must:
tn-gw
tn-gw> connect remotehost
OTHER FEATURES
–“netacl” can be used with inetd.conf to check server requests against an access list first
–A scaled down ftp to allow anonymous ftp to the bastion and to proxy other requests
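The two slides above describe a SOCKS proxy on the bastion host and the toolkit's netacl access-list check. The following is an added example, not code from the presentation or from the SOCKS or firewall toolkit distributions: it models both sides of a SOCKS4 CONNECT exchange (the byte layout, VN=4/CD=1 request and VN=0 reply with code 90 granted or 91 rejected, is the SOCKS4 protocol as published by NEC) and has the proxy decide each request against a netacl-style access list. The access-list format, the function names and all addresses are this example's own assumptions.

```python
"""SOCKS4 CONNECT exchange with an access-list check on the proxy (constructed example).

The SOCKSified client builds the request; the proxy daemon on the bastion host
parses it, checks the requested destination against an access list, and answers
granted or rejected. Default is deny, as a proxy on a firewall should default.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0          # SOCKS4 replies carry VN = 0
REPLY_GRANTED = 90
REPLY_REJECTED = 91


@dataclass
class ConnectRequest:
    dst_ip: str
    dst_port: int
    user_id: str


def build_connect_request(dst_ip: str, dst_port: int, user_id: str) -> bytes:
    """Client side: VN, CD, DSTPORT (2 bytes, network order), DSTIP (4 bytes), USERID, NUL."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    return struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port) + packed_ip + user_id.encode("ascii") + b"\x00"


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Proxy side: decode a request, rejecting anything that is not a well-formed SOCKS4 CONNECT."""
    if len(data) < 9 or data[-1] != 0:
        raise ValueError("truncated or unterminated request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError(f"unsupported version/command {vn}/{cd}")
    ip = str(ipaddress.IPv4Address(data[4:8]))
    user = data[8:-1].decode("ascii", errors="strict")
    return ConnectRequest(ip, port, user)


def build_reply(code: int, dst_ip: str, dst_port: int) -> bytes:
    return struct.pack("!BBH", REPLY_VERSION, code, dst_port) + ipaddress.IPv4Address(dst_ip).packed


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    vn, code, port = struct.unpack("!BBH", data[:4])
    if vn != REPLY_VERSION or len(data) != 8:
        raise ValueError("malformed SOCKS4 reply")
    return code, str(ipaddress.IPv4Address(data[4:8])), port


# Access list in the spirit of netacl (format is this example's own): (network, port or None, decision),
# first match wins, unmatched requests are denied.
ACCESS_LIST = [
    (ipaddress.ip_network("10.0.0.0/8"), None, "deny"),     # never proxy back into the inner net
    (ipaddress.ip_network("0.0.0.0/0"), 80, "permit"),      # outbound http
    (ipaddress.ip_network("0.0.0.0/0"), 21, "permit"),      # outbound ftp command channel
]


def access_decision(req: ConnectRequest, acl=ACCESS_LIST) -> str:
    addr = ipaddress.IPv4Address(req.dst_ip)
    for net, port, decision in acl:
        if addr in net and (port is None or port == req.dst_port):
            return decision
    return "deny"


def proxy_handle(raw_request: bytes) -> bytes:
    """What the bastion's SOCKS daemon sends back for one incoming request."""
    try:
        req = parse_connect_request(raw_request)
    except ValueError:
        return build_reply(REPLY_REJECTED, "0.0.0.0", 0)
    code = REPLY_GRANTED if access_decision(req) == "permit" else REPLY_REJECTED
    return build_reply(code, req.dst_ip, req.dst_port)


def socks_connect(dst_ip: str, dst_port: int, user_id: str) -> int:
    """Full round trip, client -> proxy -> client; returns the reply code the client sees."""
    raw = build_connect_request(dst_ip, dst_port, user_id)
    code, _ip, _port = parse_reply(proxy_handle(raw))
    return code


if __name__ == "__main__":
    print(socks_connect("192.0.2.10", 80, "alice"))    # 90: permitted by the access list
    print(socks_connect("10.1.2.3", 23, "alice"))      # 91: denied, destination is on the inner net
```

The point the slides make is visible in `proxy_handle`: the client never talks to the destination itself, so the proxy is the one place where policy is applied, and a malformed or unexpected request gets a rejection rather than a connection.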

Where does the server go? WWW
Dual homed gateway
–Outside the firewall
»may be difficult to connect at service entry
»sacrificial lamb
–On bastion host
»software is available
»if server cracked, the whole inner net is vulnerable
–Behind the firewall
»internal access is easy / external access is difficult
»needs a socksified browser
–One inside and one outside
»inside company confidential
»outside for public info

Where does the server go? WWW
Screened host
–Outside firewall (as before)
–On screened host segment
»router only sends outside requests to a SPECIFIC port on the server
–On the Screened Host itself
»It controls too much access in and out
With a screened subnet (Preferred)
–On the screened subnet
»SECOND ROUTER ONLY ALLOWS ACCESS FROM THE server/port TO THE INSIDE
»if server cracked, can’t get inside

Where does the server go? FTP
Connections are initiated from both directions
[Diagram: time sequence between CLIENT and SERVER across the NET: client connects to port 21 (command channel); client sends get “file”; server connects from port 20 (data channel)]

Where does the server go? FTP
Dual Homed Gateway
–Possible to have your service provider handle it
»the ftp clients would require the provider agent to proxy ftp
–Suggest putting it on the bastion host
»ftp to chroot()ed area of the disk
»run daemon as a non-privileged user
Screened host
–Preferred to be inside... preferred with screened subnet
–run ftp server in proxy mode
–if possible, run clients in proxy (PASV) mode so the client creates both ends of the connection
–router allows IN->OUT not OUT->IN, no inward server connections
–router allows incoming on 21 and outgoing on 20
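The screened host slides say the router decides on IP addresses and port numbers, and the FTP slides say why that is awkward: the server opens the data channel back towards the client. The following added example (not code from the presentation or any router vendor) models a stateless screening router of this example's own design, encodes the FTP rule set given above (incoming on 21 and outgoing from 20 for the screened host, IN->OUT allowed, no other OUT->IN connection starts), and runs both FTP connection patterns through it. The inner network 10.0.0.0/8, the screened host 10.0.0.2 and the Internet addresses are assumptions.

```python
"""Stateless screening-router rules checked against FTP's two connection patterns (constructed example).

A stateless filter cannot remember who started a connection, so it approximates
direction the way early routers did: a TCP packet that opens a connection (SYN
without ACK) is treated differently from every later packet of the same connection.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INNER = ipaddress.ip_network("10.0.0.0/8")            # assumed inner network
SCREENED_HOST = ipaddress.ip_network("10.0.0.2/32")   # assumed screened host running the ftp server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    opening: bool   # True for the SYN that starts a TCP connection, False for every later packet


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: str                   # "in": Internet -> inner net, "out": inner net -> Internet
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None      # None matches any port
    dport: Optional[int] = None
    opening: Optional[bool] = None   # None matches both connection starts and later packets


def direction_of(pkt: Packet) -> Optional[str]:
    src_in = ipaddress.ip_address(pkt.src) in INNER
    dst_in = ipaddress.ip_address(pkt.dst) in INNER
    if dst_in and not src_in:
        return "in"
    if src_in and not dst_in:
        return "out"
    return None   # not a cross-router packet (or an impossible address pair); never matched


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == direction_of(pkt)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and rule.opening in (None, pkt.opening))


def filter_packet(pkt: Packet, rules) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The policy from the FTP slide.
RULES = [
    Rule("permit", "in", dst=SCREENED_HOST, dport=21, opening=True),   # outside clients reach the ftp server
    Rule("permit", "out", src=SCREENED_HOST, sport=20, opening=True),  # server's data channel back out
    Rule("deny", "in", opening=True),                                  # every other inward connection start
    Rule("permit", "out"),                                             # inside may initiate anything
    Rule("permit", "in", opening=False),                               # replies to inside-initiated traffic
]


def active_ftp(client: str, server: str) -> list:
    """Classic FTP: client opens the command channel, server opens the data channel from port 20."""
    return [Packet(client, 5000, server, 21, True), Packet(server, 21, client, 5000, False),
            Packet(server, 20, client, 5001, True), Packet(client, 5001, server, 20, False)]


def passive_ftp(client: str, server: str) -> list:
    """PASV FTP: the client creates both ends; the data channel goes to a high port the server announces."""
    return [Packet(client, 5000, server, 21, True), Packet(server, 21, client, 5000, False),
            Packet(client, 5001, server, 40000, True), Packet(server, 40000, client, 5001, False)]


def session_passes(packets, rules=RULES) -> bool:
    """True only if the router lets every packet of the session through."""
    return all(filter_packet(p, rules) == "permit" for p in packets)


if __name__ == "__main__":
    print("inside client, active FTP:", session_passes(active_ftp("10.0.0.5", "203.0.113.7")))      # False
    print("inside client, PASV FTP:  ", session_passes(passive_ftp("10.0.0.5", "203.0.113.7")))     # True
    print("outside client -> screened ftp server, active:", session_passes(active_ftp("203.0.113.9", "10.0.0.2")))  # True
```

Running it shows the trade-off the slide leaves implicit: with these rules an inside client must use PASV (its active-mode data channel is an inward connection start and is dropped), while an outside client of the screened host must use active mode (its PASV data channel would be an inward connection to a port other than 21). Note also that the "opening" rule only tells the router how a packet claims to start a connection; it is not connection tracking.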

Safeguards for internal servers
Strip inner network privileges
–hosts.equiv and .rhosts
Internal machines should NOT trust server
Strip the server of networking clients
–telnet, ftp, rlogin, rsh, etc.
NFS & NIS should be disabled
Kernel should not route IP packets
Disable all services in inetd.conf which do not support the service
USED IN CONJUNCTION WITH SCREENED SUBNET, THESE DO THE BEST JOB
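The checks on this slide are mechanical enough to script. The following is an added example, not from the presentation: it parses an inetd.conf-style text and reports enabled services outside an allow-list, flags trust files and network client binaries in a list of paths, and flags a kernel that forwards packets. The function names, the ALWAYS_DISABLE set and the sample inetd.conf are this example's own; the ip_forward check assumes a Linux-style /proc/sys/net/ipv4/ip_forward value.

```python
"""Audit an internal server against the safeguards on the slide (constructed example).

Inputs are passed in (text, a path list, a sysctl value) so the checks run offline;
on a real host they would come from /etc/inetd.conf, os.walk() and /proc.
"""
import os
from typing import Iterable

# Network clients an intruder on the server would use to hop to other inner machines.
CLIENT_BINARIES = {"telnet", "ftp", "rlogin", "rsh", "rcp"}
# Trust files that let hosts be reached without a password.
TRUST_FILES = {"hosts.equiv", ".rhosts"}
# Services that should never be on regardless of the allow-list (example's own choice).
ALWAYS_DISABLE = {"shell", "login", "exec", "tftp", "finger"}


def enabled_inetd_services(inetd_conf: str) -> list:
    """Service names of every uncommented inetd.conf entry.

    Entry format: service socket_type protocol wait/nowait user server args..."""
    services = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # blank or commented out: the service is off
        fields = line.split()
        if len(fields) < 6:
            continue          # malformed entry; report nothing rather than guess
        services.append(fields[0])
    return services


def audit_inetd(inetd_conf: str, service_allow: Iterable[str]) -> list:
    allowed = set(service_allow)
    return [f"inetd: disable '{svc}'" for svc in enabled_inetd_services(inetd_conf)
            if svc not in allowed or svc in ALWAYS_DISABLE]


def audit_files(paths: Iterable[str]) -> list:
    findings = []
    for path in paths:
        name = os.path.basename(path)
        if name in TRUST_FILES:
            findings.append(f"trust file present: {path}")
        if name in CLIENT_BINARIES and os.path.dirname(path).endswith("bin"):
            findings.append(f"network client present: {path}")
    return findings


def audit_forwarding(ip_forward: str) -> list:
    # Linux exposes the setting in /proc/sys/net/ipv4/ip_forward; "1" means the kernel routes packets.
    return ["kernel routes IP packets (ip_forward=1)"] if ip_forward.strip() == "1" else []


def audit_host(inetd_conf: str, paths: Iterable[str], ip_forward: str, service_allow: Iterable[str]) -> list:
    return audit_inetd(inetd_conf, service_allow) + audit_files(paths) + audit_forwarding(ip_forward)


# Constructed sample: an inner WWW server that still has ftp, telnet and shell enabled.
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user    server           args
http       stream  tcp    nowait  www     /usr/sbin/httpd  httpd
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet     stream  tcp    nowait  root    /usr/sbin/tcpd   in.telnetd
shell      stream  tcp    nowait  root    /usr/sbin/tcpd   in.rshd
#finger    stream  tcp    nowait  nobody  /usr/sbin/tcpd   in.fingerd
"""
SAMPLE_PATHS = ["/etc/hosts.equiv", "/home/www/.rhosts", "/usr/bin/telnet", "/usr/bin/vi", "/etc/inetd.conf"]
SAMPLE_IP_FORWARD = "1\n"

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_INETD_CONF, SAMPLE_PATHS, SAMPLE_IP_FORWARD, service_allow={"http"}):
        print(finding)
```

The allow-list is the slide's "disable all services which do not support the service" in code form: the server's purpose decides what stays on, and everything else is a finding.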

Other things to do for Protection
Leave traps for attackers
–If hackers gain access to your server, they will try to access other machines by clients like telnet, rsh, etc.
–Change the client to look like it has errors and use it to mail the sys admin that a problem exists
»error messages and delays to occupy the attacker
Periodically run software to verify the integrity of your system.
–Store files with encryption signatures
–Files which are public relations (or more) for your business should be protected.
–This way you verify no one has misrepresented you
Run servers in a chroot()ed area
–Should do this anyway
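The integrity check the slide asks for ("store files with encryption signatures" and verify periodically) is shown below as an added example, not code from the presentation. It records a SHA-256 digest per file, seals the whole baseline with an HMAC so that an intruder who can rewrite files cannot also quietly rewrite the baseline, and on each run reports modified, missing and new files. The function names, the key and the sample web pages are constructed for this example.

```python
"""File-integrity baseline with a keyed seal (constructed example).

Verification checks the seal first: a baseline that fails it is untrustworthy,
so the run reports that rather than comparing against possibly forged digests.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

Baseline = Dict[str, str]


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def seal(baseline: Baseline, key: bytes) -> str:
    """HMAC over a canonical encoding of the baseline; the key lives off the monitored host."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_baseline(files: Dict[str, bytes], key: bytes) -> Tuple[Baseline, str]:
    baseline = {path: digest(data) for path, data in sorted(files.items())}
    return baseline, seal(baseline, key)


def verify(files: Dict[str, bytes], baseline: Baseline, baseline_seal: str, key: bytes) -> dict:
    if not hmac.compare_digest(seal(baseline, key), baseline_seal):
        return {"baseline_tampered": True, "modified": [], "missing": [], "new": []}
    current = {path: digest(data) for path, data in files.items()}
    return {
        "baseline_tampered": False,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


# Constructed sample: a server's public pages, then the same tree after one page was
# altered, one removed and an unexpected file added.
KEY = b"example-only-key-kept-on-the-admin-workstation"
ORIGINAL = {
    "/www/index.html": b"<h1>Welcome to Example Corp</h1>",
    "/www/products.html": b"<p>Our product line</p>",
    "/www/contact.html": b"<p>info@example.com</p>",
}
ALTERED = {
    "/www/index.html": b"<h1>Welcome to Example Corp (under new management)</h1>",
    "/www/contact.html": b"<p>info@example.com</p>",
    "/www/extra.html": b"<p>unexpected page</p>",
}

if __name__ == "__main__":
    baseline, baseline_seal = build_baseline(ORIGINAL, KEY)
    print(verify(ORIGINAL, baseline, baseline_seal, KEY))   # nothing reported
    print(verify(ALTERED, baseline, baseline_seal, KEY))    # one modified, one missing, one new
```

For real files, read each path's bytes into the dictionary before calling `build_baseline`; the seal is what makes the baseline worth storing on the server at all, since an unsealed digest list can be regenerated by whoever changed the files.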

Helping clients access through the firewall: TELNET
Always on port 23
Screened host
–an access list in the router can typically be configured to allow outgoing on port 23
Dual Homed
–use a proxy
–use socks
–use firewall toolkit

Helping clients access through the firewall: ARCHIE
Interesting because it uses UDP not TCP
–The routers look at acceptable connections by looking at the CONNECT sequence
–UDP does not do connections, so there is no connection setup to judge the data acceptable by (don’t know who started it)
So how do you know whether your archie server is ok?
Special solution: only a limited number (about 20) of Archie servers exist on the net. Set router to accept from any of them
DH Gateway: use a proxy
–must also proxy ftp since archie uses ftp

Helping clients access through the firewall: Web clients
Web clients must access lots of types of servers
Easiest solution is to use the CERN web server and let it proxy for you
Otherwise must provide individual proxies
Routers allowing messages from inside to out solve the problem for most... not for ftp.

PCs
Screened hosts can use holes in router...
Some ftps support PASV mode so that it can be used with a screened host
For Dual Homed Gateway, use SOCKS
SOCKS is available for pc software
DLLs are (being made) available for a SOCKsified version of winsock.dll