CS 772
Fall 2009
Introduction
Any device, software, or arrangement that
limits network access.
Categories:
Packet filtering (Network level)
Circuit gateways
Application gateways
Dynamic packet filter (packet filter + circuit-level gateway)
Packet Filters

action  src     port  dest    port
block   SPIGOT  *     *       *
allow   OURGW   *     *       *
allow   *       *     OURGW   25
block   *       *     *       *
Example
Intended policies:
Topology (figure on the slide): Outside world, Router, Gateway, DMZ, Inside Net 1, Inside Net 2, Inside Net 3
Example (cont.)
Rule set for the external interface at the router (that is, filtering packets coming in from the outside world):

Action  Src      Port  Dest     Port  Flags  Comment
Block   {NET 1}  *     *        *            Block forgeries
Block   {NET 2}  *     *        *            Block forgeries
Block   {NET 3}  *     *        *            Block forgeries
Allow   *        *     GW       25           Legal calls
Allow   *        *     {NET 2}  *     ACK    Replies to our calls
Allow   *        *     {NET 3}  *     ACK    Replies to our calls
Example (cont.)
Rule set on the router's interface to NET 1:

Action  Src  Port  Dest
Allow   GW   *     {partners}
Allow   GW   *     {NET 2}
Allow   GW   *     {NET 3}
Block   GW   *     {NET 2}
Block   GW   *     {NET 3}
Allow   GW   *     *

(Destination port and flags for these rules are not shown on the slide.)
Sample Configurations
Packet-filtering Performance
Total degradation due to filtering depends on the
number of rules applied at any point.
It is better to have one rule specifying a network
than several rules enumerating the different
hosts on that network.
Things can also be sped up by ordering the rules so
that the most common types of traffic are
processed first, provided the reordering does not
change which rule a packet matches first.
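The two points above (one rule per network, most common traffic first) and the external-interface rule set from the earlier slide, as an added example that is not code from the lecture. The slide only names NET 1, NET 2, NET 3 and GW, so the address blocks, the default-deny rule at the end of the list, and the traffic sample are all assumptions made here. The example also shows the check a practitioner wants before reordering: a naive "replies first" ordering is cheaper but lets a forged reply from a spoofed inside address past the anti-forgery rules.

```python
"""First-match evaluator for the router's external-interface rule set.

Added example; not code from the lecture.  The slide only names NET 1,
NET 2, NET 3 and GW, so the address blocks below are assumed, as is the
default-deny decision for packets matching nothing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing for the slide's symbolic names (GW sits on the DMZ).
NETS = {
    "NET 1": ipaddress.ip_network("10.1.0.0/16"),
    "NET 2": ipaddress.ip_network("10.2.0.0/16"),
    "NET 3": ipaddress.ip_network("10.3.0.0/16"),
    "GW":    ipaddress.ip_network("10.0.0.25/32"),
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    src: Optional[str] = None    # key into NETS; None means "*"
    sport: Optional[int] = None  # None means "*"
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None  # "ACK": packet must carry the TCP ACK bit
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False


def _host_in(host: str, name: Optional[str]) -> bool:
    """One rule names a whole network, so every host in it is covered."""
    return name is None or ipaddress.ip_address(host) in NETS[name]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_host_in(pkt.src, rule.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _host_in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.flags != "ACK" or pkt.ack))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (decision, number of rules examined).  First match wins;
    a packet matching nothing is blocked (assumed default deny)."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, n
    return "block", len(rules)


# The slide's rule set for the router's external interface, in slide order.
EXTERNAL_RULES = [
    Rule("block", src="NET 1", comment="block forgeries"),
    Rule("block", src="NET 2", comment="block forgeries"),
    Rule("block", src="NET 3", comment="block forgeries"),
    Rule("allow", dst="GW", dport=25, comment="legal calls"),
    Rule("allow", dst="NET 2", flags="ACK", comment="replies to our calls"),
    Rule("allow", dst="NET 3", flags="ACK", comment="replies to our calls"),
]

# "Most common traffic first": inbound replies dominate, so move the two
# ACK rules to the front.  Cheaper, but it changes first-match results.
REPLIES_FIRST = EXTERNAL_RULES[4:] + EXTERNAL_RULES[:4]


def rules_examined(rules: List[Rule], packets: List[Packet]) -> int:
    """Total rule comparisons spent on a traffic sample (the cost measure)."""
    return sum(evaluate(rules, p)[1] for p in packets)


def same_decisions(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    """True if both orderings decide every packet in the sample identically."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


# Constructed traffic sample: three inbound replies to connections we opened.
REPLY_SAMPLE = [
    Packet("192.0.2.4", 80, "10.2.0.9", 5555, ack=True),
    Packet("192.0.2.5", 443, "10.3.0.7", 5556, ack=True),
    Packet("192.0.2.6", 80, "10.2.0.11", 5557, ack=True),
]

# A forged "reply" arriving from outside with a NET 2 source address: the
# slide's order blocks it at rule 2, the reordered list lets it through.
FORGED_REPLY = Packet("10.2.0.5", 80, "10.2.0.9", 5555, ack=True)

if __name__ == "__main__":
    print(evaluate(EXTERNAL_RULES, FORGED_REPLY), evaluate(REPLIES_FIRST, FORGED_REPLY))
    print(rules_examined(EXTERNAL_RULES, REPLY_SAMPLE), rules_examined(REPLIES_FIRST, REPLY_SAMPLE))
```

`same_decisions` is only as good as the packet sample it is run over; in practice a reordering is safe only when the moved rules do not overlap with any rule they jump ahead of, which is exactly what the anti-forgery rules and the ACK rules violate here.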
Application-level Filtering
Deal with the details of the particular service
they are checking; special-purpose code is needed
for each application.
Easy to log and control all incoming and
outgoing traffic, e.g., checking mail messages for
specific (inappropriate or confidential) words,
checking Web queries for conformance with
organizational policies, or stripping dangerous
attachments.
E-mail is generally passed through an
application-level filter.
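A mail filter of the kind described above, as an added example (not code from the lecture): it parses one message the way an SMTP application gateway would, flags policy words in the body, strips attachments that are executables, and rebuilds the message from only the approved parts. The banned-word list, the extension list and the sample message are all constructed for the example. Note the check a packet filter cannot make: an attachment is judged by its content (the "MZ" signature of a DOS/PE executable) as well as by its filename, so a renamed `.exe` is still caught.

```python
"""Application-level mail filter: added example, not code from the lecture.

Parses one RFC 822 message the way an SMTP application gateway would,
flags policy words in the body, and strips attachments that are
executables.  The banned-word and extension lists are assumed policy
inputs; the sample message is constructed here.
"""
import email
import os
from email import policy
from email.message import EmailMessage

BANNED_WORDS = ("confidential", "internal only")          # assumed policy
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}


def is_executable(filename: str, data: bytes) -> bool:
    """Judge by the last extension AND by content: a renamed .exe still
    starts with the DOS/PE 'MZ' signature, so the label alone is not enough."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in DANGEROUS_EXT or data[:2] == b"MZ"


def filter_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    flagged = [w for w in BANNED_WORDS if w in body.lower()]

    # Rebuild the message from scratch: only parts we approve go back out.
    clean = EmailMessage()
    for hdr in ("From", "To", "Subject"):
        if msg[hdr] is not None:
            clean[hdr] = str(msg[hdr])
    clean.set_content(body)

    stripped, kept = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            stripped.append(name)
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(data, maintype=maintype, subtype=subtype,
                             filename=name)
        kept.append(name)
    return {"flagged_words": flagged, "stripped": stripped,
            "kept": kept, "message": clean.as_bytes()}


def build_sample() -> bytes:
    """Constructed test message: one policy word and three attachments."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Q3 numbers"
    m.set_content("Please keep this confidential until Friday.\n")
    m.add_attachment(b"quarterly notes\n", maintype="text",
                     subtype="plain", filename="notes.txt")
    pe_header = b"MZ\x90\x00" + b"\x00" * 28          # DOS/PE stub signature
    m.add_attachment(pe_header, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(pe_header, maintype="image",
                     subtype="png", filename="photo.png")   # renamed executable
    return m.as_bytes()


def count_attachments(raw: bytes) -> int:
    parsed = email.message_from_bytes(raw, policy=policy.default)
    return sum(1 for _ in parsed.iter_attachments())


if __name__ == "__main__":
    result = filter_message(build_sample())
    print(result["flagged_words"], result["stripped"], result["kept"])
```

This is the "special code for each application" cost in miniature: the filter has to understand MIME structure, transfer encodings and file signatures, none of which a packet filter sees, and a new container format (an archive, for instance) needs its own handling before the check above applies to what is inside it.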
Circuit-level Gateways
Work at the TCP level: TCP connections are
relayed through a computer that essentially acts
as a wire.
A client wishing to connect to a server connects
to the relay host and supplies the needed information
(the destination). The relay opens its own connection
to the server, so the client's name and IP address
are not available to the server.
IP packets then flow from the server to the relay host,
are filtered, and are passed on to the client (like NAT).
Circuit relays are generally used to create
specific connections between isolated networks.
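The relay described above, as an added example that is not code from the lecture: the gateway accepts a client TCP connection, applies its policy (here an allow-list of client addresses, an assumption made for the example), opens a second, independent TCP connection to the server and copies bytes in both directions. The server is a stand-in that first reports which peer address it sees and then echoes, which makes the "client's IP is not available to the server" point observable. Everything runs on 127.0.0.1 with ephemeral ports; no real network or destination-selection protocol (SOCKS and the like) is involved.

```python
"""Minimal circuit-level gateway on loopback: added example, not the
lecture's code.  The allow-list policy and the echoing stand-in server
are constructed for the example.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src signals EOF, then pass the EOF on."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def start_server() -> int:
    """Stand-in for the protected server; returns its port."""
    ls = _listen()

    def talk(conn, peer):
        conn.sendall(f"peer={peer[0]}:{peer[1]}\n".encode())
        _pump(conn, conn)            # echo until the peer closes its side
        conn.close()

    def accept_loop():
        while True:
            conn, peer = ls.accept()
            threading.Thread(target=talk, args=(conn, peer), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def start_relay(server_host: str, server_port: int, allowed_clients: set) -> int:
    """Circuit relay; returns the port clients connect to."""
    ls = _listen()

    def handle(client):
        # Second, independent TCP connection: the server sees the relay's
        # address and port, never the client's.
        server = socket.create_connection((server_host, server_port))
        threading.Thread(target=_pump, args=(client, server), daemon=True).start()
        _pump(server, client)        # server -> client direction
        client.close()
        server.close()

    def accept_loop():
        while True:
            client, peer = ls.accept()
            if peer[0] not in allowed_clients:   # policy check at circuit setup
                client.close()
                continue
            threading.Thread(target=handle, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]


def through_relay(relay_port: int, payload: bytes):
    """Client side.  Returns (own source port, address the server reported
    seeing or None if the relay refused us, echoed bytes)."""
    c = socket.create_connection(("127.0.0.1", relay_port))
    own_port = c.getsockname()[1]
    data = b""
    try:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            data += chunk
    except OSError:
        pass
    finally:
        c.close()
    if not data.startswith(b"peer="):
        return own_port, None, b""
    first, _, echoed = data.partition(b"\n")
    return own_port, first[5:].decode(), echoed


if __name__ == "__main__":
    relay = start_relay("127.0.0.1", start_server(), {"127.0.0.1"})
    print(through_relay(relay, b"hello through the wire"))
```

The relay only ever looks at connection endpoints, never at the bytes it copies, which is what makes it a "wire" and also why it cannot do what the application-level filter does.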
Distributed Firewalls
Rather than have a separate box on the
edge of the network reject all inbound
packets to port 80, this rule is enforced by
every host.
Firewall Problems
(i) Inadvertent problems
Example: suppose a company has a policy of
dropping all e-mail at the gateway, to avoid
exposure to mail-borne viruses. If port 80 is left
open, Web mail services (e.g., Gmail, Hotmail)
introduce a new avenue for malicious code to
get in, via e-mail-over-Web tunnels.
Example: administrator errors are the most common
cause of trivial firewall problems, and a large set of
complex rules invites them.
Firewall Problems
(ii) Intentional subversions
Deliberate subversion: insiders who want more
functionality than the policy allows, and malicious parties.
Firewalls often allow traffic for port 80 to
pass. Inbound HTTP traffic should be allowed
only to a Web server, and should not reach other
internal machines; the Web server should be on
a DMZ network.
httptunnel is a publicly available tool for
transporting IP packets over HTTP, so an open
port 80 can carry arbitrary traffic.
Handling of IP Fragments
Firewalking
http://www.packetfactory.net/firewalk/firewalk-final.html
http://vesaria.com/Firewall/Testing/eye_of_hacker.php
A technique that uses ICMP echo requests, ICMP responses and DNS queries to
get information about systems beyond a firewall.
Firewalk is an active reconnaissance network security tool that attempts to
determine which layer-4 protocols (and ports) a given IP forwarding device will pass.
Firewalk works by sending TCP or UDP packets with an IP TTL one greater
than the hop count of the targeted gateway. If the gateway allows the traffic, it
forwards the packets to the next hop, where they expire and elicit an
ICMP_TIME_EXCEEDED message. If the gateway does not allow the traffic,
it will most likely drop the packets on the floor and no response is seen.
To get the IP TTL that results in packets expiring one hop beyond the gateway,
the hop count is ramped up in the same manner that traceroute works. Once the
gateway's hop count is known (at that point the scan is said to be "bound")
the scan proper can begin.
It is significant that the ultimate destination host does not have to be
reached. It only needs to be somewhere downstream, on the other side of the
gateway from the scanning host.
A silent probe is only evidence of filtering if the hop beyond the gateway
would otherwise have answered: a next hop that suppresses or rate-limits
ICMP_TIME_EXCEEDED makes "blocked" and "no reply" indistinguishable.
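The two Firewalk phases, as an added example that simulates them rather than sending packets (this is not Firewalk's own code). The path from the scanner is modelled as a list of router addresses with the gateway at a fixed hop; the gateway forwards only the (protocol, port) pairs in its ACL, and `probe()` plays the role of the network by returning the address that would send ICMP_TIME_EXCEEDED. Addresses, ACL and hop counts are all constructed for the example; the "metric" destination is deliberately two hops past the gateway to show that it is never reached.

```python
"""Simulation of Firewalk's ramping and scanning phases: added example,
not the tool's code.  probe() stands in for the network; nothing is sent.
All addresses, the ACL and the hop counts are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1"]  # hops 1..5
GATEWAY = "10.0.2.1"                            # hop 3: the filtering device
ACL = {("tcp", 25), ("tcp", 80), ("udp", 53)}   # what the gateway forwards
HOPS_TO_DEST = len(PATH) + 1                    # the metric host sits past hop 5

SENT: List[Tuple[int, str, int]] = []           # every (ttl, proto, port) "sent"


def probe(ttl: int, proto: str, port: int) -> Optional[str]:
    """Who answers with ICMP_TIME_EXCEEDED: the address of the hop where the
    TTL expires, or None if the gateway silently drops the packet."""
    SENT.append((ttl, proto, port))
    gw_hop = PATH.index(GATEWAY) + 1
    if ttl <= gw_hop:
        return PATH[ttl - 1]            # expires at or before the gateway
    if (proto, port) not in ACL:
        return None                     # filtered: dropped on the floor
    if ttl >= HOPS_TO_DEST:
        return "destination"            # would actually reach the host
    return PATH[ttl - 1]                # forwarded, expires one hop later


def ramp(gateway: str, max_ttl: int = 30) -> int:
    """Phase 1: raise the TTL as traceroute does until TIME_EXCEEDED comes
    back from the gateway itself; the scan is then 'bound' to that hop."""
    for ttl in range(1, max_ttl + 1):
        if probe(ttl, "tcp", 80) == gateway:
            return ttl
    raise RuntimeError("gateway never answered; cannot bind the scan")


def scan(gw_hop: int, proto: str, ports: List[int]) -> Dict[int, str]:
    """Phase 2: every probe carries TTL = gw_hop + 1.  TIME_EXCEEDED from the
    next hop proves the gateway passed it (open); silence means filtered."""
    result = {}
    for port in ports:
        result[port] = "open" if probe(gw_hop + 1, proto, port) else "filtered"
    return result


def firewalk(proto: str, ports: List[int]) -> Dict[int, str]:
    SENT.clear()
    return scan(ramp(GATEWAY), proto, ports)


def max_ttl_used() -> int:
    """Largest TTL any probe carried; stays below HOPS_TO_DEST."""
    return max(ttl for ttl, _, _ in SENT)


if __name__ == "__main__":
    print(firewalk("tcp", [22, 25, 80, 443]))
    print("max TTL", max_ttl_used(), "hops to destination", HOPS_TO_DEST)
```

The ramping phase here relies on the gateway itself answering an expired probe; against a gateway that does not emit ICMP_TIME_EXCEEDED the bound has to be inferred from the last hop that did answer, and a real run also needs a timeout to turn "no reply yet" into "filtered".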