home | articles | links | fun | about
Up to: CS432 Information Security

VPN and Firewalls - 11/21/02

Perimeter defense

Divide inside from outside
Put security barriers at boundary

Dividing inside from outside

Easy case: use network topology

                       |
        A              |
          \            |
     B -[ LAN ] - [Router] -- { Internet }
          /            |
        C              |
               Boundary: single point

Hard cases: multiple branches or mobile employees.

old way: dedicated wires
modern way: virtual private network

Example VPN

                              encrypted tunnel through inet             
        A                /============   
          \             /             \
     B -[ LAN ]-[Router] -{  Inet  }   [router] - [LAN]
          /                   ========/
        C                    /
                             
                        employee

One way to do this: SSH between routers (bytestream). Run PPP on top (routes packets over bytestreams). Used in modern bytestrem dialups.

        [ PPP  ]     [ Proprietary  ]
        [ over ]     [    VPN       ]
        [ SSH  ]     [  Product     ]

Can snip insecure links to internet, and have only one point of entry to inet.

Firewalls

Put at boundary between inside and outsidee. Can see and filter all incoming/outgoing packets.

Purposes

keep outsiders from snooping around on network (see topology... # of fileservers... their verions... patched?)
shield internal machines from directed attack
centralize enforcement of security policy (easier to control 1 firewall than 100 PCs)
keep insiders from doing stupid things

Can buy many firewall products
Can use built-in firewall support (Linux, Windows)

$1000-$2000 is only 1-2 weeks of an employee's time... it is worth it to have a PC be a firewall, for added security.

Does router have its own IP addr? I guess... to advertise network

Simple firewall case

Assume: small group of client PC's, no server.

Policy: allow outgoing TCP connections, disallow incoming connections and all other traffic. Streaming media uses incoming TCP SYN... but this is OK policy.

Implementation

block all incoming packets, except TCP
block all incomping TCP SYN packets
allow everything else through

Administration

disallow connections to firewall itself (except SSH from inside)
careful about who gets accounts, physical security, etc.

Network Address Translation (NAT)

        A              
          \            
     B -[ LAN ] - [Firewall] -- { Internet }
          /            
        C

If just router, machines have IP addresses; this is information for adversary. May get through firewall.

So far, each machine has own IP addr.

NAT: inside machines don't have real IP addresses (only firewall has real IP addresses). All traffic goes through one IP.

Advantages:

cheaper (many places pay by the IP)
leak less info to outside (size and nature of inside PCs)
outside can't try to connect (no address to connect to)

Use fictitious addresses: range of IP addr declaed "not valid" on open net

routers know these are invalid, and don't route; 192.168.x.x, 10.x.x.x. 192.168 came about by accident... a popular textbook used addr in example code, maybe people used this code and tried to connect. Addr declared invalid.
use fictitious addr internally

Example: address C (both IP and port) is fictitious

        [client C] -----------> [Firewall F]---------------> [Server S]
            ^    (1) [From: C]    /       \  (2) [From: F]      |
            |        [To:   S]   /         \     [To:   S]      |
            |                   /           \                   |                          
            |                  /             ====================
            ==================/                       (3) [From: S]
               (4) [From: S]                              [To:   F]
                   [To:   C]

                               inside | outside
                               ----------------
                                    C | F (IP and Port)
                                      |

Number of ports limits number of connections (16-bit) per IP. 32k, so should not be problem.

Adversary: coudl try to find out F... send data to that (but needs to know sequence number). Send fake packets.

Running Servers

Approaches

Servers inside, make exception in blocking rules
Servers outside
- pro: if server broken into, can deface etc., doesn't break network. Hire web-hosting company.
double-walled setup

Diagram

                            [Server]
                A              |
                B -[LAN]-[F2]-----[F1]--{Inet}
                C              ^
                               |_____ DMZ (demilitarized zone)

Different rules of insider/outsider

first firewall (F1): allows incoming port 80
second firewall (F2): allows no incoming connections

email: have dropbox... then siphone process (runs inside, makes connection out, grabs email, pulls it inside). Send email by connecting to mail server.

Remaining issues

DNS

put DNS on the firewall
inside machines treat firewall as DNS proxy
firewall does regular DNS lookups (don't have to open hole in FW for DNS)

FTP

FTP normally makes reverse connections (client requests data, server makes reverse connection to client. Firewall would block this. Modern protocols don't have reverse connection).
Soltuion: use "passive mode" (added after... most good FTPs (client/server) use passive mode)

Streaming media and other challenging protocols (UDP packets)

make exceptions in blocking rules. Be flexible, but not too large a hole.
setup a proxy on the firewall (juggle connection back and forth)
tunnel over http
- benefit: every firewall allowsl http
- may be inefficient (streaming media needs high bitrate)

FWs... harder to prevent stupid actions, lots of programs allow http tunneling.

FW violates network modularity (looks at IP packet, then type... "oh, it's a streaming media packet" ... then apply policy)

Performance: make the common case fast.



Kalid at kazad@princeton.edu