Beruflich Dokumente
Kultur Dokumente
Chapter 6
1.
Legitimate hosts send innocent packets.
Attackers send attack packets.
2.
Ingress packets come into a site.
Egress packets go out from a site.
2
Copyright Pearson Prentice-Hall 2010
1
8/18/2010
3
Copyright Pearson Prentice-Hall 2010
4
Copyright Pearson Prentice-Hall 2010
2
8/18/2010
The Problem
◦ If a firewall cannot filter all of the traffic passing
through it, it drops packets it cannot process
◦ This is secure because it prevents attack packets
from getting through
◦ But it creates a self-inflicted denial-of-service
attack by dropping legitimate traffic
5
Copyright Pearson Prentice-Hall 2010
Firewall Capacity
◦ Firewalls must have the capacity to handle the
incoming traffic volume
◦ Some can handle normal traffic but cannot handle
traffic during heavy attacks!
◦ They must be able to handle incoming traffic at
wire speed—the maximum speed of data coming
into each port
6
Copyright Pearson Prentice-Hall 2010
3
8/18/2010
2. Complexity of filtering
Complexity
Performance
of Filtering:
Requirements
Number of
Filtering
Rules,
Complexity
If a firewall cannot inspect packets
Of rules, etc.
fast enough, it will drop unchecked
packets rather than pass them
4
8/18/2010
9
Copyright Pearson Prentice-Hall 2010
10
Copyright Pearson Prentice-Hall 2010
5
8/18/2010
11
12
Copyright Pearson Prentice-Hall 2010
6
8/18/2010
Deny
(Drop) IP-H ICMP-H ICMP Message
Deny
(Drop) IP-H ICMP-H ICMP Message
7
8/18/2010
15
Copyright Pearson Prentice-Hall 2010
16
Copyright Pearson Prentice-Hall 2010
8
8/18/2010
17
Copyright Pearson Prentice-Hall 2010
Market Status
◦ No longer used as the main filtering mechanism for
border firewalls
◦ May be used as a secondary filtering mechanism on
main border firewalls
18
Copyright Pearson Prentice-Hall 2010
9
8/18/2010
Market Status
◦ Also may be implemented in border routers, which
lie between the Internet and the firewall
Stops simple, high-volume attacks to reduce the
load on the main border firewall
19
Copyright Pearson Prentice-Hall 2010
20
10
8/18/2010
21
Copyright Pearson Prentice-Hall 2010
22
Copyright Pearson Prentice-Hall 2010
11
8/18/2010
23
Copyright Pearson Prentice-Hall 2010
Default Behavior
Router Internet
12
8/18/2010
25
Copyright Pearson Prentice-Hall 2010
26
Copyright Pearson Prentice-Hall 2010
13
8/18/2010
Stateful Firewall
1.
2.
Spoofed
Check Attacker
Internal TCP SYN/ACK Segment
Connection Table: Spoofing
Client PC From: 10.5.3.4.:80
No Connection External
60.55.33.12 To: 60.55.33.12:64640
Match: Drop Webserver
10.5.3.4
Connection Table
14
8/18/2010
2.
To Establish
1. Connection 3.
TCP SYN Segment TCP SYN Segment
From: 60.55.33.12:62600 From: 60.55.33.12:62600
To: 123.80.5.34:21 To: 123.80.5.34:21
Internal
Client PC External
Stateful Firewall
60.55.33.12 FTP Server
123.80.5.34
State Table
Internal Internal External External
Type Status
IP Port IP Port
Step 2 TCP 60.55.33.12 62600 123.80.5.34 21 OK
15
8/18/2010
6. 4.
TCP SYN/ACK Segment Stateful TCP SYN/ACK Segment External
Internal From: 123.80.5.34:21 Firewall From: 123.80.5.34:21 FTP
Client PC To: 60.55.33.12:62600 5. To: 60.55.33.12:62600 Server
60.55.33.12 Use Ports 20 To Allow, Use Ports 20 123.80.5.34
and 55336 for Establish and 55336 for
Data Transfers Second Data Transfers
Connection
*In many cases, both TCP and UDP can be used by an application. In
such cases, the same port number is used for both. Typically,
however, the use of either TCP or UDP will be predominant.
32
Copyright Pearson Prentice-Hall 2010
16
8/18/2010
33
Copyright Pearson Prentice-Hall 2010
17
8/18/2010
35
Copyright Pearson Prentice-Hall 2010
18
8/18/2010
19
8/18/2010
DENY ALL
DENY ALL
◦ Last rule
◦ Drops any packets not specifically permitted
by earlier rules
20
8/18/2010
Low Cost
◦ Most packets are not part of packet-opening
attempts
◦ These can be handled very simply and therefore
inexpensively
◦ Connection-opening attempt packets are more
expensive process but are rare
41
Copyright Pearson Prentice-Hall 2010
Safety
◦ Attacks other than application-level attacks usually
fail to get through SPI firewalls
◦ In addition, SPI firewalls can use other forms of
filtering when needed
42
Copyright Pearson Prentice-Hall 2010
21
8/18/2010
Dominance
◦ The combination of high safety and low cost makes
SPI firewalls extremely popular
◦ Nearly all main border firewalls today use stateful
packet inspection
43
Copyright Pearson Prentice-Hall 2010
44
22
8/18/2010
45
Copyright Pearson Prentice-Hall 2010
23
8/18/2010
47
48
Copyright Pearson Prentice-Hall 2010
24
8/18/2010
49
Copyright Pearson Prentice-Hall 2010
50
Copyright Pearson Prentice-Hall 2010
25
8/18/2010
51
Copyright Pearson Prentice-Hall 2010
52
26
8/18/2010
Perspective
◦ Growing processing power made stateful packet
inspection possible
◦ Now, growing processing power is making a new
firewall filtering method attractive
◦ Intrusion prevention systems (IPSs)
53
Copyright Pearson Prentice-Hall 2010
54
Copyright Pearson Prentice-Hall 2010
27
8/18/2010
55
Copyright Pearson Prentice-Hall 2010
56
Copyright Pearson Prentice-Hall 2010
28
8/18/2010
57
Copyright Pearson Prentice-Hall 2010
29
8/18/2010
Possible Actions
◦ Drop packets
Risky for suspicious traffic even with high
confidence
◦ Bandwidth limitation for certain types of traffic
Limit to a certain percentage of all traffic
Less risky than dropping packets
Useful when confidence is lower
59
Copyright Pearson Prentice-Hall 2010
60
30
8/18/2010
61
Copyright Pearson Prentice-Hall 2010
62
Copyright Pearson Prentice-Hall 2010
31
8/18/2010
63
Introduction
◦ Attack on availability
◦ Act of vandalism
32
8/18/2010
i. SYN flooding
33
8/18/2010
Echo
Attacker 4.
2.
1.34.150.37 Echo
Router with
Replies
Broadcasting
1. Enabled
Single ICMP Echo Message
Source IP: 60.168.47.47
(Victim) Destination IP:
Broadcast 3.
Broadcast
Victim Echo
60.168.47.47 Message
Attack
Command
Zombie
Attack Packet
Attack
Command
Handler Zombie
34
8/18/2010
Perspective
◦ Done by most main border firewalls
◦ DOS attacks are easy to detect but difficult to stop
because their traffic looks like legitimate packets
70
Copyright Pearson Prentice-Hall 2010
35
8/18/2010
SYN
SYN/
TCP Half-
Half-Opening ACK
Attacks
No ACK
◦ Attacks SYN
Attacker sends a TCP SYN
segment to a port
The application program sends back a SYN/ACK
segment and sets aside resources
The attacker never sends back an ACK, so the
victim keeps the resources reserved
The victim soon runs out of resources and crashes
or can no longer serve legitimate traffic
71
Copyright Pearson Prentice-Hall 2010
SYN
SYN/
TCP Half-
Half- ACK
Opening Attacks
No ACK
◦ Defenses
Firewall intercepts the SYN from an external host
Firewall sends back an SYN/ACK without passing
the segment on to the target host
Only if the firewall receives a timely ACK does it
send the original SYN the destination host
72
Copyright Pearson Prentice-Hall 2010
36
8/18/2010
Rate Limiting
◦ Set a limit on all traffic to a server—
both legitimate and DoS packets
◦ Keeps the entire network from being overloaded
◦ Not perfect—does not protect the target server or
allow legitimate traffic
73
Copyright Pearson Prentice-Hall 2010
74
Copyright Pearson Prentice-Hall 2010
37
8/18/2010
75
76
Copyright Pearson Prentice-Hall 2010
38
8/18/2010
78
Copyright Pearson Prentice-Hall 2010
39
8/18/2010
79
Copyright Pearson Prentice-Hall 2010
80
40
8/18/2010
81
Copyright Pearson Prentice-Hall 2010
82
Copyright Pearson Prentice-Hall 2010
41
8/18/2010
Implementation
◦ Firewall hardening
Firewall appliances are hardened at the factory
Vendors sell software plus a server with a pre-
hardened operating system
Firewall software on a general-purpose computer
requires the most on-site hardening
83
Copyright Pearson Prentice-Hall 2010
Implementation
◦ Central firewall management systems (Figure 6-24)
Creates a policy database
Changes policies into ACL rules Firewall
Administrator
Sends ACL rules out to
individual firewalls Policy Policy
Server
ACL Rule
ACL Rule
84
Copyright Pearson Prentice-Hall 2010
42
8/18/2010
85
Copyright Pearson Prentice-Hall 2010
Implementation
◦ Vulnerability testing after configuration
There will be problems
Tests, like firewall configuration, should be based
on policies
86
Copyright Pearson Prentice-Hall 2010
43
8/18/2010
Implementation
◦ Change authorization and management
Limit the number of people who can make change
requests
Limit the number of authorizers even more
Require requesters and authorizers to be different
people
Implement the rule in the most restrictive way
possible —
To pass the least number of packets
87
Copyright Pearson Prentice-Hall 2010
Implementation
◦ Change authorization and management
Document all changes carefully
Do vulnerability testing after every change
The change should work
All previous behaviors should still work (regression
testing)
88
Copyright Pearson Prentice-Hall 2010
44
8/18/2010
Implementation
◦ Reading the firewall logs
Should be done daily
or more frequently
The most labor-intensive part of firewall
management
Strategy is to find unusual traffic patterns
Top ten source IP addresses whose packets were dropped
Number of DNS failures today versus in an average day
90
45
8/18/2010
91
Copyright Pearson Prentice-Hall 2010
92
Copyright Pearson Prentice-Hall 2010
46
8/18/2010
93
Copyright Pearson Prentice-Hall 2010
Anomaly Detection
◦ Detects an unusual pattern indicating a possible
attack
◦ This is difficult, so there are many false positives
◦ Shrinking time needed to define signatures
◦ Anomaly detection is necessary in today’s firewalls
94
Copyright Pearson Prentice-Hall 2010
47
8/18/2010
95
48