Perimeter defense
- Divide inside from outside
- Put security barriers at boundary
Easy case: use network topology
   A \              |
   B - [ LAN ] - [Router] -- { Internet }
   C /              |
                    ^ boundary
Boundary: single point
Hard cases: multiple branches or mobile employees.
- old way: dedicated wires
- modern way: virtual private network
Example VPN: encrypted tunnel through inet
   A \                      /===================\
   B - [ LAN ] - [Router] - { Inet } - [router] - [LAN]
   C /                      \===================/
                            (remote end: branch or employee)
One way to do this: SSH between routers (bytestream). Run PPP on top (routes packets over bytestreams). Used in modern bytestream dialups.
   [ PPP over SSH ]     [ Proprietary VPN product ]
Can snip insecure links to internet, and have only one point of entry to inet.
Firewall: put at boundary between inside and outside. Can see and filter all incoming/outgoing packets.
Purposes
- keep outsiders from snooping around on network (see topology... # of fileservers... their versions... patched?)
- shield internal machines from directed attack
- centralize enforcement of security policy (easier to control 1 firewall than 100 PCs)
- keep insiders from doing stupid things
Can buy many firewall products
Can use built-in firewall support (Linux, Windows)
$1000-$2000 is only 1-2 weeks of an employee's time... it is worth it to have a PC be a firewall, for added security.
Does router have its own IP addr? I guess... to advertise network
Assume: small group of client PC's, no server.
Policy: allow outgoing TCP connections, disallow incoming connections and all other traffic. Streaming media uses incoming TCP SYN... but this is OK policy.
Implementation
- block all incoming packets, except TCP
- block all incoming TCP SYN packets
- allow everything else through
Administration
- disallow connections to firewall itself (except SSH from inside)
- careful about who gets accounts, physical security, etc.
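Added example (not from the notes): a minimal stateless packet filter implementing the Implementation rules above plus the Administration rule that only SSH from inside may reach the firewall itself. Addresses, the FIREWALL_IP value and the sample packets are constructed.

```python
from dataclasses import dataclass

FIREWALL_IP = "203.0.113.1"   # assumed public address of the firewall (constructed)
SSH_PORT = 22

@dataclass(frozen=True)
class Packet:
    iface: str         # "inside" or "outside": which side the packet arrived on
    proto: str         # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set

def filter_packet(pkt: Packet) -> str:
    """Return 'allow' or 'drop' for one packet under the notes' policy."""
    # Administration rule: nothing may connect to the firewall itself,
    # except SSH coming from the inside.
    if pkt.dst == FIREWALL_IP:
        if pkt.iface == "inside" and pkt.proto == "tcp" and pkt.dport == SSH_PORT:
            return "allow"
        return "drop"
    if pkt.iface == "outside":
        # Block all incoming packets except TCP.
        if pkt.proto != "tcp":
            return "drop"
        # Block incoming connection attempts: a bare SYN opens a new connection.
        # SYN+ACK is the reply to a connection we opened, so it passes.
        if pkt.syn and not pkt.ack:
            return "drop"
    # Everything else, including all outgoing traffic, goes through.
    return "allow"

def run_policy(packets):
    return [filter_packet(p) for p in packets]

# Constructed sample traffic (192.168.x.x inside, documentation ranges outside).
SAMPLE = [
    Packet("inside", "tcp", "192.168.1.10", "198.51.100.7", 80, syn=True),               # outgoing connect
    Packet("outside", "tcp", "198.51.100.7", "192.168.1.10", 40000, syn=True, ack=True), # its reply
    Packet("outside", "tcp", "198.51.100.9", "192.168.1.10", 22, syn=True),              # inbound attempt
    Packet("outside", "udp", "198.51.100.9", "192.168.1.10", 53),                        # inbound UDP
    Packet("inside", "tcp", "192.168.1.10", FIREWALL_IP, 22, syn=True),                  # admin SSH
    Packet("outside", "tcp", "198.51.100.9", FIREWALL_IP, 22, syn=True),                 # SSH from outside
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_policy(SAMPLE)):
        print(f"{p.iface:7} {p.proto:4} {p.src} -> {p.dst}:{p.dport}  {verdict}")
```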
   A \
   B - [ LAN ] - [Firewall] -- { Internet }
   C /
If just router, machines have IP addresses; this is information for adversary. May get through firewall.
So far, each machine has own IP addr.
NAT: inside machines don't have real IP addresses (only firewall has real IP addresses). All traffic goes through one IP.
Advantages:
- cheaper (many places pay by the IP)
- leak less info to outside (size and nature of inside PCs)
- outside can't try to connect (no address to connect to)
Use fictitious addresses: range of IP addr declared "not valid" on open net
- routers know these are invalid, and don't route; 192.168.x.x, 10.x.x.x. 192.168 came about by accident... a popular textbook used addr in example code, maybe people used this code and tried to connect. Addr declared invalid.
- use fictitious addr internally
Example: address C (both IP and port) is fictitious
   [client C] --(1) From: C, To: S--> [Firewall F] --(2) From: F, To: S--> [Server S]
   [client C] <--(4) From: S, To: C-- [Firewall F] <--(3) From: S, To: F-- [Server S]
Firewall's translation table:
   inside          | outside
   ----------------+----------------
   C (IP and port) | F (IP and port)
Number of ports limits number of connections (16-bit) per IP. 32k, so should not be problem.
Adversary: could try to find out F... send data to that (but needs to know sequence number). Send fake packets.
Approaches
- Servers inside, make exception in blocking rules
- Servers outside
- pro: if server broken into, can deface etc., doesn't break network. Hire web-hosting company.
- double-walled setup
Diagram
                  [Server]
   A \               |
   B - [LAN] - [F2] ----- [F1] -- {Inet}
   C /               ^
                     |_____ DMZ (demilitarized zone): segment between F2 and F1
Different rules of insider/outsider
- first firewall (F1): allows incoming port 80
- second firewall (F2): allows no incoming connections
Email: have a drop box outside... then a siphon process (runs inside, makes connection out, grabs email, pulls it inside). Send email by connecting out to the mail server.
DNS
- put DNS on the firewall
- inside machines treat firewall as DNS proxy
- firewall does regular DNS lookups (don't have to open hole in FW for DNS)
FTP
- FTP normally makes reverse connections (client requests data, server makes reverse connection to client. Firewall would block this. Modern protocols don't have reverse connection).
- Solution: use "passive mode" (added later... most good FTPs (client/server) use passive mode)
Streaming media and other challenging protocols (UDP packets)
- make exceptions in blocking rules. Be flexible, but not too large a hole.
- setup a proxy on the firewall (juggle connection back and forth)
- tunnel over http
- benefit: every firewall allows http
- may be inefficient (streaming media needs high bitrate)
FWs: harder to prevent stupid actions by insiders, since lots of programs allow http tunneling.
FW violates network modularity (looks at IP packet, then type... "oh, it's a streaming media packet" ... then apply policy)
Performance: make the common case fast.