Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of WashingtonComputing & Communications Firewalls for Open Networks Terry Gray Director, Networks & Distributed Computing University of Washington.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "University of WashingtonComputing & Communications Firewalls for Open Networks Terry Gray Director, Networks & Distributed Computing University of Washington."— Presentation transcript:

1 University of WashingtonComputing & Communications Firewalls for Open Networks Terry Gray Director, Networks & Distributed Computing University of Washington 08 May 2002

2 University of WashingtonComputing & Communications Conventional Security Wisdom Popular Myth: “The network” caused the problem, so “the network” should solve it: –Border firewalls and border VPNs will save us! Unpopular Reality: In a large, diverse enterprise such as UW, security is not achieved by either one.

3 University of WashingtonComputing & Communications Gray’s Network Security Axioms Network security is maximized… when we assume there is no such thing. Firewalls are such a good idea… every host should have one. Seriously. Remote access is fraught with peril… just like local access.

4 University of WashingtonComputing & Communications Perimeter Protection Paradox Firewall value is proportional to number of systems protected. Firewall effectiveness is inversely proportional to number of systems protected. –Probability of compromised systems existing inside –Lowest-common-denominator blocking policy

5 University of WashingtonComputing & Communications Credo Open networks* Closed servers Protected sessions *With one exception: DDOS attacks require network-level blocking

6 University of WashingtonComputing & Communications “Inverted Networks” New trend in big companies (e.g. DuPont) Ditch the border firewall Assume LANs are “dirty” Use VPNs from each workstation to servers Hey, an open network, with closed servers and E2E encryption! Why didn’t we think of that? :)

7 University of WashingtonComputing & Communications Heroic (but futile) Endeavors Getting anyone to focus on policies first Getting any consensus on border blocking Patching old end-systems Pretending that clients are only clients Securing access to older network gear

8 University of WashingtonComputing & Communications Properties of ALL Firewalls  Inserted between UN-trusted (outside) and trusted (inside) nets  "All" traffic between inside and outside flows through them  The more restrictive the rules, the more protection offered  If rules are too restrictive, users may bypass them  Increase complexity, complicate debugging  No protection between hosts on trusted (inside) network  Little protection from attacks against permitted services  Your vulnerability is proportional to both the number of hostile hosts able to connect and the number of vulnerable servers to connect to.  Firewalls improve security primarily by reducing the number of hosts able to connect. You still need to reduce the number of vulnerable servers by applying patches

9 University of WashingtonComputing & Communications Where do firewalls make sense? Pervasively: (But of course we have a firewall…:) –For blocking spoofed source addresses Small perimeter/edge: –Cluster firewalls, e.g. server sanctuaries, labs –OS-based and Personal firewalls Large perimeter/border: –Maybe to block an immediate attack? –Maybe if there is widespread consensus to block certain ports? (Aye, and there’s the rub…) –And then again, maybe not...

10 University of WashingtonComputing & Communications Good Uses for a Firewall  Reducing exposure of vulnerable services on hosts you can't patch because they are:  Certified by the FDA for only one particular revision of software;  Old and no longer supported by the vendor;  Devices with code in ROM, such as a printer or terminal server;  Embedded in a device with a service contract where the service technician routinely wipes out any custom configuration  Protecting a new computer or service while you bring it up (even if you don't intend it to be firewalled in production).  Preventing the spread of worms and exploitation of back-doors.  As insurance against misconfigured hosts (defense in depth).  Explicitly blocking specific troublesome traffic.  Meeting due-diligence security requirements.  Limiting access to network-attached printers and devices.

11 University of WashingtonComputing & Communications Fundamental Firewall Truths... Bad guys aren’t always "outside" the moat One person’s security perimeter is another’s broken network Organization boundaries and filtering requirements constantly change Perimeter defenses always have holes

12 University of WashingtonComputing & Communications The Dark Side of Border Firewalls It’s not just that they don’t solve the problem very well; large-perimeter firewalls have serious unintended consequences Operational consequences –Force artificial mapping between biz and net perimeters –Catch 22: more port blocking -> more port 80 tunneling –Cost more than you think to manage; MTTR goes up –May inhibit legitimate activities –May be a performance bottleneck Organizational consequences –Give a false sense of security –Encourage backdoors –Separate policy configuration from best policy makers –Increase tensions between security, network, and sys admins

13 University of WashingtonComputing & Communications Mitnick’s Perspective "It's naive to assume that just installing a firewall is going to protect you from all potential security threats. That assumption creates a false sense of security, and having a false sense of security is worse than having no security at all." Kevin Mitnick eWeek 28 Sep 00

14 University of WashingtonComputing & Communications Do You Feel Lucky? QUESTION: If a restrictive border firewall surrounds your --and 50,000 other-- computers, should you feel safe? ANSWER: Only if you regularly win the lottery!

15 University of WashingtonComputing & Communications Distributed Firewall Management Given the credo of: –Open networks –Closed servers –Protected sessions What about all the desktops? –Organizations that can tolerate a restrictive border firewall usually centrally manage desktops –Thus, they can also centrally configure policy- based packet filters on each desktop and don’t need to suffer the problems of border firewalls –Centrally managing desktop firewalls possible even if desktops generally unmanaged

16 University of WashingtonComputing & Communications UW’s Logical Firewall A response to pressure for dept’l firewalls in our communication closets Plugs into any network port Departmentally managed Opt-in deployment Doesn’t interfere with network management Uses Network Address Translation (NAT) Intended for servers; can be used for clients Web-based rules generator Gibraltar Linux foundation

17 University of WashingtonComputing & Communications UW Logical Firewall - How it Works  Ethernet allows two completely separate subnets to share a single wire.  As per RFC 1918, our campus routers block all 10.x.y.z traffic.  LFW clients are given 10.x.y.z unroutable network addresses.  By changing just the first octet to 10, address allocation becomes trivial.  Firewalled hosts can talk directly only to each other or their LFW.  LFW does Network Address Translation (NAT) for every packet in/out. Note that the LFW is not physically between the outside network and protected hosts but all traffic between the outside network and protected hosts must go through it.

18 University of WashingtonComputing & Communications LFW Traffic Flow

19 University of WashingtonComputing & Communications LFW Advantages No re-wiring necessary Opt-in (easy to add/remove clients) Firewalls (plural) can live anywhere on the subnet Can have different administrators or policies, etc. Does not interfere with managing network infrastructure Software is available for free Requires only a PC with floppy, NIC and CDROM (no hard drive, keyboard, mouse, monitor) Use your favorite linux or use "Gibraltar" (boots & runs from CDROM) Web-based firewall rule-generator supports hand-crafting rules too Stateful firewall rules (more expressive and simpler to write) Remotely and securely manageable (via SSH login) Supports IPSEC tunneling between subnets

20 University of WashingtonComputing & Communications LFW Disadvantages Potentially more vulnerable from hacked un-firewalled box on subnet A hacked box might be able to sniff traffic from the 10.x.y.z net A skillful intruder might be able to configure a 10.x.y.z virtual interface But this added threat is only from hosts on your own subnet You're always more vulnerable to arp-spoofing, IP spoofing and hijacking attacks from your subnet anyway. Traffic through firewall (off subnet) travels your switch twice --unless you use a second NIC and rewire (which _is_ supported) With a full-duplex switched network connection, this may not reduce throughput significantly Clients must be re-configured with a new IP address A few protocols don't NAT well (or at all) Public and private IP addrs on one wire makes DHCP difficult

21 University of WashingtonComputing & Communications LFW - Setup Overview Download the "Gibraltar" CDROM image and burn it onto a CDROM Boot the Gibraltar CDROM Copy "uw-setup" script to a floppy, run it on Gibraltar, answer questions Visit LFW "Rule Generator" webpage to specify firewall rules and clients SSH into Gibraltar, copy/paste output of "Rule Generator" into Gibraltar Save configuration to floppy Once you have the CDROM, the remaining steps take under 5 minutes More detail at the LFW homepage: http://staff.washington.edu/corey/fw/ http://staff.washington.edu/corey/fw/

22 University of WashingtonComputing & Communications LFW Results Largest installation: Appled Physics Lab –5 LFWs on 5 subnets –219 protected clients –IPSEC tunnels between them Publication Svcs: LFW protects hi-end printers FTP performance: 7.1MB/s vs. 8.6MB/s without Local policy-making a big win: minimizes admin distance between policy definition and policy enforcement.

23 University of WashingtonComputing & Communications Is it enough? Hard to find anyone who believes all end- systems can be properly managed/secured Server sanctuaries, centrally-managed personal firewalls, logical-firewalls… are they enough? Do we need a dual-policy network? What about DDOS attacks?

24 University of WashingtonComputing & Communications Resources http://staff.washington.edu/gray/papers/credo.html http://staff.washington.edu/corey/fw/ http://staff.washington.edu/dittrich http://www.sans.org/ Thanks to Corey Satten for several of the LFW slides used in this presentation.

Download ppt "University of WashingtonComputing & Communications Firewalls for Open Networks Terry Gray Director, Networks & Distributed Computing University of Washington."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
VLANs Virtual LANs CIS 278.

VLANs Virtual LANs CIS 278.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalls & VPNs Terry Gray UW Computing & Communications 13 September 2000.

Firewalls & VPNs Terry Gray UW Computing & Communications 13 September 2000.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.

Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Network Insecurity: challenging conventional wisdom Terry Gray UW Computing & Communications 10 October 2000.

Network Insecurity: challenging conventional wisdom Terry Gray UW Computing & Communications 10 October 2000.
University of WashingtonComputing & Communications Open Network Security or “closed network” insecurity? Terry Gray Director, Networks & Distributed Computing.

University of WashingtonComputing & Communications Open Network Security or “closed network” insecurity? Terry Gray Director, Networks & Distributed Computing.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Similar presentations

Ads by Google