Monday, December 29, 2014

What are Firewalls & Proxy Servers?

Firewalls and Proxy Servers:

Using the Internet, we can connect to any other computer, no matter how far apart the two are located on the network. But this facility is often a nightmare for network support staff, who are left with the very difficult job of protecting corporate networks from a variety of attacks. At a broad level, there are two kinds of attacks:

1.    Most corporations have large amounts of valuable and confidential data in their networks. Leaking this critical information to competitors can be a great setback.
2.    Apart from the danger of insider information leaking out, there is a great danger of outside elements (such as viruses and worms) entering a corporate network to create havoc.

As a result of these dangers, we must have mechanisms which ensure that inside information remains inside, and which also prevent outside attackers from entering a corporate network. This is where a firewall is needed. A firewall acts like a guard, which protects a corporate network by standing between the network and the outside world.

All traffic between the network and the Internet, in either direction, must pass through the firewall. The firewall decides whether the traffic can be allowed to flow, or whether it must be stopped from proceeding further. Technically, therefore, a firewall is a specialized version of a router. Apart from the basic routing functions and rules, a router can be configured to perform the firewall functionality with the help of additional software.

The characteristics of a good firewall can be described as follows:

1.    All traffic from inside to outside, and vice versa, must pass through the firewall. To achieve this, all other access to the local network must first be physically blocked, and access only via the firewall should be permitted.
2.    Only the traffic authorized as per the local security policy should be allowed to pass through.
3.    The firewall itself must be strong enough to render attacks on it useless.


The word 'firewall' comes from an arrangement in automobiles which protects the passengers from the engine components. Firewalls in computers work on a similar concept. A firewall is defined as 'the collection of components that are placed between the local (protected) private network or workstation and the Internet (unprotected), which is the external public network'.

Firewalls come in various categories, configurations, sets of devices and products which run on the hosts in the network. They work like logical security guards which keep an eye on the outgoing and incoming traffic.

Demilitarized Zone (DMZ) networks:

The concept of a Demilitarized Zone (DMZ) network is quite popular in firewall architectures. Firewalls can be arranged to form a DMZ. A DMZ is required only if an organization has servers that it needs to make available to the outside world (e.g. Web servers or FTP servers). For this, a firewall has at least three network interfaces. One interface connects to the internal private network, the second connects to the external public network (i.e. the Internet), and the third connects to the public servers (which form the DMZ network).

Limitations of the Firewall:

The main limitations of a firewall can be listed as follows:

  1. Insider's intrusion: A firewall system is designed to thwart outside attacks. Therefore, if an inside user attacks the internal network in some way, the firewall cannot prevent such an attack.

  2. Direct Internet traffic: A firewall must be configured very carefully. It is effective only if it is the only entry point of an organization's network. If, instead, the firewall is just one of several entry-exit points, a user can bypass the firewall and exchange information with the Internet via the other entry-exit points. This can open up the possibility of attacks on the internal network through those points. The firewall cannot, obviously, be expected to take care of such situations.

  3. Virus attacks: A firewall cannot protect the internal network from virus threats. This is because a firewall cannot be expected to scan every incoming file or packet for possible virus content. Therefore, a separate virus detection and removal mechanism is required for preventing virus attacks. Alternatively, some vendors bundle their firewall products with anti-virus software, to enable both features out of the box.



4.1 Kinds of Firewalls:

In general, firewalls have been classified according to the work carried out by them.

They have two basic types:
(1)  Packet Filtering and
(2)  Application Level.

Two more types have also resulted from these two primary types. They are:
(3)  Circuit level gateways and
(4)  Stateful Multi-layer inspection (Dynamic).

Each type is discussed below in detail.

4.2 Packet Filters:

This is the basic level of firewall. As the name suggests, this firewall checks each and every IP packet individually, whether coming into or going out of the private network.

According to the selected policies (called rule-sets or Access Control Lists, ACLs) it determines whether to accept a packet or reject it. This is the first line of defense against intruders, and it is not totally foolproof. It has to be combined with other techniques as well, to strengthen the security.


Advantages of packet filters:
1.    Simple and straightforward mechanism.
2.    Operation is totally transparent to the users.
3.    Faster in operation.

Disadvantages of packet filters:

1.    The rule-sets for a packet filter may be very complex to specify as well as to test.
2.    In order to allow certain access, some exceptions to the rules need to be added. This adds further to the complexity.
3.    Some packet filters do not filter on the source TCP/UDP port at all, which may increase the flaws in the filtering system.
4.    They do not possess any auditing capabilities, and auditing is considered to be of major importance in security.
5.    Not all applications on the Internet may be fully supported by packet filtering firewalls.
6.    This type of firewall does not attempt to hide the private network topology from the outside network, and hence the topology gets exposed.
7.    Using packet filters may be complex, as a graphical interface is not available in most cases.
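To make disadvantage 3 concrete, here is an added example (not code from the original post) of a minimal stateless packet filter: rules are matched first-match-wins with a default deny, and two rule sets are compared. Both let internal clients reach web servers and let replies back in to high-numbered client ports; the "loose" set ignores the reply's source port, so an unsolicited inbound packet to any high port is admitted, while the "tight" set also requires source port 80. The `Packet`/`Rule` names, the 192.0.2.0/24 internal network and the 203.0.113.10 outside host are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example of a stateless packet filter; not code from the page.
# A packet is reduced to the header fields such a filter inspects.

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> private network, "out" = the reverse
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in", "out" or "*" (any)
    proto: str                     # "tcp", "udp" or "*"
    src: str = "0.0.0.0/0"         # source network in CIDR notation
    sport: Optional[range] = None  # None = any source port
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("*", p.direction):
            return False
        if self.proto not in ("*", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Rules are checked in order; the first match decides. Default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


INTERNAL = "192.0.2.0/24"   # constructed private network (RFC 5737 range)
HTTP = range(80, 81)
HIGH = range(1024, 65536)   # ephemeral client ports

# Rule set 1: lets clients browse the web and lets replies back in to any high
# port, but never looks at the reply's source port (disadvantage 3 above).
LOOSE = [
    Rule("allow", "out", "tcp", src=INTERNAL, dport=HTTP),
    Rule("allow", "in", "tcp", dst=INTERNAL, dport=HIGH),
]

# Rule set 2: the inbound rule additionally requires source port 80, so only
# packets that at least look like web-server replies are admitted.
TIGHT = [
    Rule("allow", "out", "tcp", src=INTERNAL, dport=HTTP),
    Rule("allow", "in", "tcp", sport=HTTP, dst=INTERNAL, dport=HIGH),
]

# Constructed traffic: a genuine reply, an unsolicited inbound packet, an
# outbound web request and an outbound Telnet attempt that no rule permits.
REPLY = Packet("in", "tcp", "203.0.113.10", 80, "192.0.2.25", 40001)
UNSOLICITED = Packet("in", "tcp", "203.0.113.10", 5555, "192.0.2.25", 8080)
OUT_WEB = Packet("out", "tcp", "192.0.2.25", 40001, "203.0.113.10", 80)
OUT_TELNET = Packet("out", "tcp", "192.0.2.25", 40002, "203.0.113.10", 23)


def decisions(rules: List[Rule]) -> dict:
    """Verdict of one rule set for each constructed packet."""
    return {
        "reply": evaluate(rules, REPLY),
        "unsolicited": evaluate(rules, UNSOLICITED),
        "out_web": evaluate(rules, OUT_WEB),
        "out_telnet": evaluate(rules, OUT_TELNET),
    }


if __name__ == "__main__":
    print("loose:", decisions(LOOSE))
    print("tight:", decisions(TIGHT))
```

Even the tight set only checks that the packet claims to come from port 80; a stateless filter has no way to know whether anyone inside actually asked for that reply, which is the gap the stateful inspection type described later closes.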


4.3 Application level filtering:

An application gateway is also called a proxy server. This is because it acts like a proxy, i.e. a deputy or substitute, and decides about the flow of application-level traffic.

An application gateway typically works as follows:

1.    An internal user contacts the application gateway using a TCP/IP application, such as HTTP or TELNET.
2.    The application gateway asks the user for the remote host with which the user wants to set up a connection for actual communication (i.e. its domain name or IP address). The application gateway also asks for the user id and the password required to access the services of the application gateway.
3.    The user provides the information to the application gateway.
4.    The application gateway now accesses the remote host on behalf of the user, and passes the packets of the user to the remote host.

Application gateways are generally more secure than packet filters, because rather than examining every packet against a number of rules, we simply check whether a user is allowed to work with a TCP/IP application or not.

The disadvantage is the overhead in terms of connections. There are actually two sets of connections now: one between the end user and the application gateway, and another between the application gateway and the remote host. The application gateway has to manage these two sets of connections, and the traffic going between them. This also means that the internal host doing the communicating is under the illusion that it is connected directly to the remote host.

Application-level firewalls work at the topmost layer in the network, i.e. the Application layer. Hence, they can monitor the flow of information in great detail. They do not need to check each and every packet, but rather check an application as a whole and determine whether it should be allowed access to a network, both inbound as well as outbound. Hence, they are more secure than packet filters.

These are also called application-level gateways, as they sit between the local network and the Internet. They require the policies to be set up using specific software and hence are NOT transparent to the end users.

Another variation is the proxy server. These are hosts which make/receive requests to/from the Internet on behalf of the local clients. They provide a single point of entry for Internet traffic into the local network.
The proxy server works with two faces: one towards the local network (with an internal IP address) and another towards the Internet (using an external IP address), similar to a coin with two sides. Local network clients refer to it using its local IP address, whereas anyone from the Internet uses its external IP address for communication.

The services which are proxied include FTP, DNS, TELNET, HTTP, SMTP and so on. Thus, the application gateway lets the clients believe that they are getting a direct connection to the Internet; in fact the traffic is always routed through the proxy server.

Examples of application-level firewalls include Zone Labs' ZoneAlarm and ZoneAlarm Pro, IBM Firewall, McAfee Firewall, Norton Firewall, the Linux-based Mitel Networks SME server, the Squid proxy server, WinGate, WinProxy and many more, with various facilities and configurations.

Advantages of Application level firewalls:

1.    Check traffic in greater detail than packet filters.
2.    No need to check each and every packet; the application is checked as a whole.
3.    Provide more security than packet filters.
4.    Available as software with a graphical interface, hence specifying and changing the rule-sets is easier.
5.    Ability to hide the structure, topology and other sensitive information of the private network from external parties.
6.    Capability of complete auditing/logging of events, which is an important aspect of security.
7.    Easier to install, set up and operate from the users' point of view (also sometimes called personal firewalls).

Disadvantages of Application level firewalls:

1.    Operation may be slower, since the traffic has to be checked in more detail.
2.    The software products used may be costly to procure.
3.    In some cases, setup may be difficult and require administrative help.
4.    They are not transparent to the end users, and may have to be set up specifically on the client nodes.


4.4 Circuit level Gateways:

Another variation of firewall is called the Circuit Level Gateway. These run at the Transport layer of the TCP/IP model (or the Session layer in the case of the OSI model). They check specific sessions or services for filtering. They neither check individual packets nor entire applications for filtering purposes. They are sometimes called relays, since they relay the sessions/services (also called circuits) for the users. Normally they relay services such as Telnet or FTP for the users. But in the process, they tend to break the standard client-server model.

Thus, for every request/response, two connections have to be set up: one from the client machine to the firewall, and the second from the firewall to the external server, and similarly in the reverse direction. But they provide the facility to control these services. It is hence possible to enable/disable these services through the circuit gateway.

A circuit gateway performs some additional functions compared to those performed by an application gateway. A circuit gateway, in fact, creates a new connection between itself and the remote host. The user is not aware of this, and thinks that there is a direct connection between itself and the remote host. Also, the circuit gateway changes the source IP address in the packets from the end user's IP address to its own. This way the IP addresses of the internal network are hidden from the outside world.

The SOCKS server is an example of a real-life implementation of a circuit gateway. It is a client-server application: the SOCKS client runs on the internal host, and the SOCKS server runs on the firewall.
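The four application-gateway steps above and the circuit gateway's "new connection between itself and the remote host" both come down to the same mechanism: the gateway authenticates the user, then opens a second connection and relays between the two. The following added example (not code from the original post, and not a SOCKS implementation) runs that exchange on localhost with three constructed parties: a client, a gateway that checks a constructed user id/password and then connects onward on the client's behalf, and a "remote host" that records which address it saw connecting. The `CREDENTIALS` account and the line-oriented protocol are assumptions made for the illustration.

```python
import hmac
import socket
import threading

# Constructed demonstration of an application/circuit gateway; not code from
# the page. Everything runs on 127.0.0.1: the "remote host" is a local echo
# service and the "gateway" is a relay that authenticates the user first.

CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed demo account


def _listener():
    """Bind a TCP listener to an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def start_remote_host(info):
    """The 'remote host': records the peer address it sees and echoes one line."""
    srv = _listener()
    addr = srv.getsockname()

    def serve():
        conn, peer = srv.accept()
        srv.close()
        with conn:
            info["seen_by_remote"] = peer   # who the remote host thinks it is talking to
            conn.sendall(conn.makefile("rb").readline())

    threading.Thread(target=serve, daemon=True).start()
    return addr


def start_gateway(remote_addr, info):
    """The gateway (steps 2 to 4 above): reads user id and password, checks
    them, then connects to the remote host itself and relays the user's line."""
    srv = _listener()
    addr = srv.getsockname()

    def serve():
        client, client_addr = srv.accept()
        srv.close()
        with client:
            lines = client.makefile("rb")
            user = lines.readline().rstrip(b"\n").decode()
            password = lines.readline().rstrip(b"\n").decode()
            if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
                client.sendall(b"DENIED\n")      # no second connection is ever opened
                return
            client.sendall(b"OK\n")
            message = lines.readline()
            # Second connection, gateway -> remote host. The remote host only
            # ever sees the gateway's own address, never the client's.
            with socket.create_connection(remote_addr, timeout=5) as upstream:
                info["client_addr"] = client_addr
                info["gateway_addr"] = upstream.getsockname()
                upstream.sendall(message)
                client.sendall(upstream.makefile("rb").readline())

    threading.Thread(target=serve, daemon=True).start()
    return addr


def use_gateway(gateway_addr, user, password, message):
    """Steps 1 and 3: contact the gateway, hand over credentials and the request."""
    with socket.create_connection(gateway_addr, timeout=5) as s:
        s.sendall(f"{user}\n{password}\n{message}\n".encode())
        lines = s.makefile("rb")
        status = lines.readline().rstrip(b"\n").decode()
        reply = lines.readline().rstrip(b"\n").decode() if status == "OK" else None
    return status, reply


def demo(user="alice", password="correct horse battery staple"):
    """Run one client request through the gateway; returns what each side saw."""
    info = {}
    remote = start_remote_host(info)
    gateway = start_gateway(remote, info)
    status, reply = use_gateway(gateway, user, password, "hello via gateway")
    return status, reply, info


if __name__ == "__main__":
    print(demo())
    print(demo(password="wrong"))
```

After a successful run `info["seen_by_remote"]` equals the gateway's own socket address and differs from the client's, which is exactly the address hiding described for the circuit gateway; with a wrong password the gateway answers `DENIED` and never opens the onward connection.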

Advantages of Circuit level gateways:

1.    More secure than packet filters, since they work at a higher level.
2.    Do not check individual packets, inbound or outbound.
3.    Can hide the internal network structure from external entities.
4.    Flexibility to enable or disable sessions or services is available.
5.    Less expensive compared to application-level products.
6.    Operation is transparent to the end users.

Disadvantages of Circuit level gateways:

1.    Less secure compared to application-level gateways.
2.    Break the client-server model.
3.    Require two dedicated connections to be set up for each service/response.




4.5 Dynamic (Stateful Multi-layer Inspection) Firewalls:

The last category of firewall is the Dynamic, also known as the Stateful Multi-layer Inspection, type. As the name suggests, it checks the traffic at multiple layers, viz. the Application, Transport as well as Internet layers. Hence, it combines all the advantages of the first three categories of firewalls. These are the most recent type of firewalls in use. They check the individual packets at the Internet layer, check for valid sessions at the Transport layer, and evaluate the application at the topmost layer.

Another difference between this type and the earlier ones is its awareness of state and its dynamic nature. This means the firewall can modify itself, adapt to changes in the situation, and change its rules dynamically. This facility is not available in any of the earlier types, which are therefore known as stateless; it makes the dynamic firewall more efficient. For this purpose the firewall needs to maintain some historical information about all the transactions, in a form called state tables. These state tables are updated as and when new events are generated. They are used by the firewall to modify or update the rule-sets in different situations.

Examples of this type of firewall include Check Point's FireWall-1, Sun's SunScreen, etc.

Advantages of Dynamic Firewalls:

1.    Scans the traffic at three different layers in great detail.
2.    Provides much more security than the first three types of firewalls.
3.    Facility to adapt to changes in the state of the network.
4.    More flexible in its operation due to its dynamic nature.
5.    Combines most of the advantages of the first three types of firewalls.

Disadvantages of Dynamic Firewalls:

1.    Operation is much slower and may reduce overall performance.
2.    Special applications need to be procured, and these can be expensive.
3.    Setup or implementation may be more difficult.
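The state table described above is the part that a packet filter lacks. The following added example (not code from the original post) keeps a minimal state table keyed by the connection's addresses and ports: an outbound TCP SYN (or outbound UDP datagram) from an inside host creates an entry, an inbound packet is accepted only if it matches an existing entry, and entries expire after an idle timeout. The `StatefulFirewall` class, the timestamps and the 192.0.2.25 / 203.0.113.10 addresses are constructed for the illustration; real products also track TCP flags and teardown, which is omitted here.

```python
from dataclasses import dataclass

# Constructed example of stateful inspection; not code from the page.

@dataclass(frozen=True)
class Pkt:
    direction: str     # "out" = private network -> Internet, "in" = the reverse
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: set on a connection request
    ack: bool = False  # TCP ACK flag


class StatefulFirewall:
    """Policy: inside hosts may open connections outward; an inbound packet is
    accepted only if the state table already holds the connection it belongs
    to. Entries are created by outbound TCP SYNs (or outbound UDP datagrams)
    and dropped after `idle_timeout` seconds without traffic."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        # state table: (proto, inside_ip, inside_port, outside_ip, outside_port) -> last_seen
        self.table = {}

    @staticmethod
    def _key(p):
        """Normalise both directions of a flow to one table key."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def handle(self, p, now):
        """Return 'allow' or 'deny' for packet p arriving at time `now` (seconds)."""
        self._expire(now)
        key = self._key(p)
        if key in self.table:            # belongs to a known connection
            self.table[key] = now
            return "allow"
        if p.direction == "out" and (p.proto == "udp" or (p.syn and not p.ack)):
            self.table[key] = now        # inside host starts a new flow
            return "allow"
        return "deny"                    # unsolicited inbound, or stray outbound segment


def demo():
    """Replay a constructed sequence of packets and return the verdicts."""
    fw = StatefulFirewall(idle_timeout=60)
    inside, outside = "192.0.2.25", "203.0.113.10"   # constructed addresses
    events = [
        (0,   Pkt("out", "tcp", inside, 40001, outside, 80, syn=True)),           # client opens connection
        (1,   Pkt("in",  "tcp", outside, 80, inside, 40001, syn=True, ack=True)),  # server's SYN-ACK: known flow
        (2,   Pkt("in",  "tcp", outside, 5555, inside, 8080)),                     # unsolicited inbound
        (3,   Pkt("in",  "tcp", outside, 80, inside, 40002, syn=True, ack=True)),  # "reply" to a port never opened
        (100, Pkt("in",  "tcp", outside, 80, inside, 40001, ack=True)),            # late packet: entry expired
    ]
    return [fw.handle(p, now) for now, p in events]


if __name__ == "__main__":
    print(demo())
```

The third and fourth packets are the ones a stateless filter with an "allow inbound to high ports" rule would have let through; here both are refused because no inside host ever started those flows.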



4.6 Distributed Firewalls:

Distributed firewalls provide multiple checkpoints (the firewall exists in multiple forms), are less prone to attacks, can prevent inside attacks, give a more secure implementation, allow servers outside the perimeter, offer more flexibility in operation, and allow different security levels.

Distributed firewalls are host-resident security solutions which protect the enterprise network's critical end points against intrusion. As the name suggests, the firewall implementation is distributed over multiple points, rather than providing a single point of entry into your network as in the case of traditional firewalls. With distributed firewalls, one can provide separate levels of security to the Web servers, mail servers, application servers or individual nodes in the setup.

These are meant to provide higher security to corporate networks. They can also prevent malicious inside attacks within the network, as they treat all traffic as unfriendly whether it originates from the Internet or from your local network. This is an important advantage, since most attacks are initiated from inside the network. These firewalls also guard the individual machines the same way as the perimeter firewall guards the entire network.

These are like personal firewalls, but with additional features including centralized management, logging and fine access-control granularity. These are the prime features considered for implementation of firewalls in larger enterprises. They protect remote employees, the precious servers of the enterprise, the internal network as well as the individual terminals. Presently, security-conscious organizations of various types are deploying distributed firewalls, which offer unlimited scalability while keeping the same performance. In some cases, perimeter firewalls need not be installed at all when distributed firewalls are deployed.

Some key differences between traditional firewall implementations and distributed firewall implementations are as stated below.

Traditional Firewalls | Distributed Firewalls
Provide a single entry point into the network | Provide multiple checkpoints (exist in multiple forms)
More prone to attacks | Less prone to attacks
Cannot prevent inside attacks | Possible to prevent inside attacks
Less secure implementation | More secure implementation
Servers have to be inside the perimeter | Servers can be outside the perimeter
Less flexibility of operation | More flexibility in operation
Provide the same level of security | Different security levels possible

Firewall Configuration:

1.    Screened Host firewall, Single homed Bastion configuration:

A firewall setup consists of two parts:
   i.    A packet filtering router, and
   ii.   An application gateway.

Their purposes are as follows:

a.    The packet filter ensures that the incoming traffic (i.e. from the Internet to the corporate network) is allowed only if it is destined for the application gateway, by examining the destination address field of every incoming IP packet. Similarly, it also ensures that the outgoing traffic (i.e. from the corporate network to the Internet) is allowed only if it originates from the application gateway, by examining the source address field of every outgoing IP packet.

b.    The application gateway performs authentication and proxy functions. This configuration increases the security of the network by performing checks at both the packet and application levels. It also gives network administrators more flexibility to define better security policies.

However, one big disadvantage here is that the internal users are connected to the application gateway as well as to the packet filter. Therefore, if the packet filter is somehow successfully attacked and its security compromised, the whole internal network is exposed to the attacker.

2.    Screened Host Firewall, Dual Homed Bastion configuration:

This configuration is an improvement over the previous one. Here, direct connections between the internal hosts and the packet filter are avoided. Instead, the packet filter connects only to the application gateway, which, in turn, has a separate connection to the internal hosts. Therefore, now even if the packet filter is successfully attacked, only the application gateway is visible to the attacker. The internal hosts are protected.


3.    Screened subnet firewall:

This configuration offers the highest security among the possible firewall configurations. It is an improvement over the previous scheme. Here, two packet filters are used: one between the Internet and the application gateway, and another between the application gateway and the internal network. Now there are three levels of security for an attacker to break through. This makes it difficult, because the attacker learns nothing about the internal network unless he breaks into both packet filters and the single application gateway standing between them.
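The difference between the three configurations is which components an attacker can see once a given component has fallen. The following added example (not code from the original post) models each configuration as a small graph of who can talk to whom, and answers two questions from the text: what becomes visible after the outermost packet filter is compromised, and how many components stand between the Internet and the internal hosts. The component names and the graphs are constructed from the descriptions above and are an abstraction, not a network model.

```python
from collections import deque

# Constructed reachability model of the three configurations; not code from
# the page. Each graph records which component can talk to which. An attacker
# starts at "internet" and can only move past a component after compromising it.

SINGLE_HOMED = {
    "internet": ["packet_filter"],
    "packet_filter": ["gateway", "internal_hosts"],  # internal hosts sit behind the filter directly
    "gateway": ["internal_hosts"],
    "internal_hosts": [],
}
DUAL_HOMED = {
    "internet": ["packet_filter"],
    "packet_filter": ["gateway"],                    # the filter now reaches only the gateway
    "gateway": ["internal_hosts"],
    "internal_hosts": [],
}
SCREENED_SUBNET = {
    "internet": ["outer_filter"],
    "outer_filter": ["gateway"],
    "gateway": ["inner_filter"],
    "inner_filter": ["internal_hosts"],
    "internal_hosts": [],
}


def visible_to_attacker(graph, compromised):
    """Components an attacker on the Internet can reach, given the set of
    components already under the attacker's control. Uncompromised components
    are reachable themselves but do not forward the attacker any further."""
    seen, queue = set(), deque(["internet"])
    while queue:
        node = queue.popleft()
        if node == "internet" or node in compromised:
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def layers_to_break(graph, target="internal_hosts"):
    """Minimum number of components that must be compromised in sequence
    before the target can even be reached (shortest path, minus the target)."""
    dist = {"internet": 0}
    queue = deque(["internet"])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist[target] - 1


def demo():
    """For each configuration: what is visible once the outer filter falls,
    and how many layers an attacker must get through to reach the inside."""
    return {
        "single_homed": (sorted(visible_to_attacker(SINGLE_HOMED, {"packet_filter"})),
                         layers_to_break(SINGLE_HOMED)),
        "dual_homed": (sorted(visible_to_attacker(DUAL_HOMED, {"packet_filter"})),
                       layers_to_break(DUAL_HOMED)),
        "screened_subnet": (sorted(visible_to_attacker(SCREENED_SUBNET, {"outer_filter"})),
                            layers_to_break(SCREENED_SUBNET)),
    }


if __name__ == "__main__":
    for name, (visible, layers) in demo().items():
        print(f"{name}: visible after outer filter falls = {visible}, layers = {layers}")
```

With the single-homed bastion the internal hosts are exposed as soon as the packet filter is lost (one layer); the dual-homed bastion exposes only the gateway (two layers); the screened subnet needs both filters and the gateway to fall (three layers), matching the "three levels of security" in the text.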

4.7 What Firewalls cannot do:

As seen above, firewalls provide a good amount of security to a private network. But there are certain aspects which are not covered or protected by any general form of firewall. These are listed as the things firewalls cannot do.

They include the following:

  1. Firewalls in general cannot prevent internal attacks at all.
  2. They do not prevent viruses from entering the local network.
  3. They do not differentiate between users on a single side, i.e. either the Internet side or the local side. This means one Internet user can spoof another, or one local user can spoof another. They only try to differentiate between local and external members.
  4. They do not protect any connection that is not going through them or that in some way bypasses them.
  5. They can be bypassed by users in order to avail of services that are normally blocked, in which case they fail to provide any security to those connections, e.g. using modems or RAS to connect to the Internet directly.
  6. They cannot prevent any new kind of threat or attack for which the firewall has not been configured.
  7. They fail to provide enough security if not properly configured or not updated continuously.





4.8 Filtering Services & Reasonable services to filter:

The most popular services are:
1.    Name service (DNS and NIS – Network Information Service)
2.    Password / key service
3.    Authentication / proxy service
4.    Electronic mail (SMTP – Simple Mail Transfer Protocol)
5.    Electronic mail (POP3, IMAP – Post Office Protocol, Internet Mail Access Protocol)
6.    WWW (World Wide Web)
7.    File transfer (FTP)
8.    NFS (Network File Service (or System))
9.    TCP (Transmission Control Protocol)
10.  NTP (Network Time Protocol)
11.  ssh
12.  Telnet

Since these are the most frequently used services, they are the most obvious points of attack. Also, a successful attack on one of these services can produce a disaster out of all proportion to the innocence of the basic service.
 
1 Name Servers (DNS and NIS (+))
 
What is DNS? Domain Name System
What is NIS? Network Information Service
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | DNS | Allow | Filter | Block internal info
2. | DNS | Allow | | DMZ

What is a DMZ? De-militarised zone
 
The Internet uses the Domain Name System (DNS) to perform address resolution for host and network names. The Network Information Service (NIS) and NIS+ are not used on the global Internet, but are subject to the same risks as a DNS server. Name-to-address resolution is critical to the secure operation of any network. An attacker who can successfully control or impersonate a DNS server can re-route traffic to subvert security protections. For example, routine traffic can be diverted to a compromised system to be monitored, or users can be tricked into providing authentication secrets. An organization should create well-known, protected sites to act as secondary name servers, and protect its DNS masters from denial-of-service attacks using filtering routers.
 
Traditionally, DNS has had no security capabilities. In particular, the information returned from a query could not be checked for modification or verified that it had come from the name server in question. Work has been done to incorporate digital signatures into the protocol which, when deployed, will allow the integrity of the information to be cryptographically verified (see RFC 2065).
 
2 Password / Key Servers (NIS (+) and KDC)
 
What is NIS(+)?  Network Information Service
What is KDC? Key Distribution Center. 
 
Password and key servers generally protect their vital information (i.e., the passwords and keys) with encryption algorithms. However, even a one-way encrypted password can be determined by a dictionary attack (wherein common words are encrypted to see if they match the stored encryption). It is therefore necessary to ensure that these servers are not accessible by hosts which do not plan to use them for the service, and even those hosts should only be able to access that service (i.e., general services, such as Telnet and FTP, should not be allowed for anyone other than administrators).
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
2. | Telnet | Allow | Allow | Only for the administrator
2. | FTP | Allow | Allow | Only for the administrator

3 Authentication / Proxy Servers (SOCKS)
 
 
A proxy server provides a number of security enhancements. It allows sites to concentrate services through a specific host to allow monitoring, hiding of internal structure, etc. This tunneling of services creates an attractive target for a potential intruder. The type of protection required for a proxy server depends greatly on the proxy protocol in use and the services being proxied. The general rule of limiting access only to those hosts which need the services, and limiting access by those hosts to only those services, is a good starting point.
 
4 Electronic Mail
 
Electronic mail (email) systems have long been a source of intruder break-ins, because email protocols are among the oldest and most widely deployed services. Also, by its very nature, an email server requires access to the outside world; most email servers accept input from any source. An email server generally consists of two parts: a receiving/sending agent and a processing agent. Since email is delivered to all users, and is usually private, the processing agent typically requires system (root) privileges to deliver the mail. Most email implementations perform both portions of the service, which means the receiving agent also has system privileges. This opens several security holes, which this document will not describe. There are some implementations available which allow a separation of the two agents. Such implementations are generally considered more secure, but still require careful installation to avoid creating a security problem.
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | SMTP | Allow | Filter |

5 World Wide Web (WWW)
 
The Web is growing in popularity exponentially because of its ease of use and the powerful ability to concentrate information services. Most WWW servers accept some type of direction and action from the persons accessing their services. The most common example is taking a request from a remote user and passing the provided information to a program running on the server to process the request. Some of these programs are not written with security in mind and can create security holes. If a Web server is available to the Internet community, it is especially important that confidential information not be co-located on the same host as that server. In fact, it is recommended that the server have a dedicated host, which is not "trusted" by other internal hosts.
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | Web | Allow | Block | Put Web server in DMZ

An alternative rule set, if you require insiders to use an internal web proxy, is to permit only it to talk directly to the world. In this case, the rule looks like:
 
S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | Web | Filter | Block | Put Web server in DMZ

Many sites may want to co-locate FTP service with their WWW service. But this should only occur for anon-ftp servers that only provide information (ftp-get). Anon-ftp puts, in combination with WWW, might be dangerous (e.g., they could result in modifications to the information your site is publishing to the web) and in themselves make the security considerations for each service different.
 
6 File Transfer (FTP, TFTP)
 
FTP and TFTP both allow users to receive and send electronic files in a point-to-point manner. However, FTP requires authentication while TFTP requires none. For this reason, TFTP should be avoided as much as possible.
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | FTP | Passive | Block | Put FTP server in DMZ

Improperly configured FTP servers can allow intruders to copy, replace and delete files at will, anywhere on a host, so it is very important to configure this service correctly. Access to encrypted passwords and proprietary data, and the introduction of Trojan horses, are just a few of the potential security holes that can occur when the service is configured incorrectly. FTP servers should reside on their own host. Some sites choose to co-locate FTP with a Web server, since the two protocols share common security considerations. However, the practice isn't recommended, especially when the FTP service allows the deposit of files (see the section on WWW above). Services offered internally to your site should not be co-located with services offered externally. Each should have its own host.
 
TFTP does not support the same range of functions as FTP, and has no security whatsoever. This service should only be considered for internal use, and then it should be configured in a restricted way so that the server only has access to a set of predetermined files (instead of every world-readable file on the system). Probably the most common usage of TFTP is for downloading router configuration files to a router. TFTP should reside on its own host, and should not be installed on hosts supporting external FTP or Web access.
 
Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | TFTP | Block | Block | TFTP has no security whatsoever

8 NFS
 
The Network File Service allows hosts to share common disks. NFS is frequently used by diskless hosts that depend on a disk server for all of their storage needs. Unfortunately, NFS has no built-in security. It is therefore necessary that the NFS server be accessible only by those hosts which are using it for service.
 
This is achieved by specifying which hosts the file system is being exported to and in what manner (e.g., read-only, read-write, etc.). File systems should not be exported to any hosts outside the local network, since this will require that the NFS service be accessible externally. Ideally, external access to the NFS service should be stopped by a firewall.

Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1. | NFS | Block | Block | NFS has no built-in security

9 TCP

Because insiders are trusted, is it okay to allow outgoing TCP connections? Not completely. Although the insiders might be trusted, it is not always certain that the code they are running is behaving properly.

Applets running on users' machines are considered insiders.

There are ways that bad things can originate from the inside. Assume that the mail filter is weeding out viruses and worms. That only works if users obtain their mail via POP3 or IMAP.

If mail is read through a Web-based server, such as Hotmail or Hushmail, there is little to prevent the poor user from infection via these vectors. Once hit, the inside machine may generate problematic outgoing TCP connections. (Imagine a dual-mode worm: When it can, it spreads by direct attacks on vulnerable systems, but it also e-mails copies of itself to users behind firewalls. Your imagination won’t be stretched very far; these worms exist.)

Incoming TCP connections should not be allowed. If there is a strong need for access to an internal machine from the outside, this should be handled via a dedicated proxy, often from a machine on the DMZ.

If possible, use cryptographically enhanced services such as ssh. It is also best to limit the set of machines that can be reached and, if possible, the set of machines that can initiate access. The filtering rule for TCP can be summarized as follows:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1.     | TCP      | Allow          | Block            | Generally trust insiders

10 NTP (Network Time Protocol)

There are now cheap, extremely accurate time devices available based on the Global Positioning System and other radio sources. If these are not used, there are time sources on the Internet. You should limit access to selected, trusted external servers.

If you have a close relationship with the outside time server, you may want to use NTP’s built-in authentication mechanisms. It is also common to run an external NTP server of your own and use the firewall to restrict insiders' access to that server alone.


Inbound and outbound queries can be summarised as:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1.     | NTP      | Passive        | Block            | Put FTP server in DMZ

11 ssh

One of the principles of computer security is to trust as little as possible. Ssh is one of the things we trust. As with Mail, it is thus crucial to keep up with bugs and patches. Ssh has indeed had some serious security problems in the past. Ssh is reasonable to allow through the firewall because it implements cryptographic authentication and encryption, and is the best way we know of to allow access through a firewall.

Depending on your internal trust policies, you may want to terminate incoming ssh connections at the firewall. Here you can do strong, centralized authentication. It's also attractive to pretend that doing so prevents people or malicious programs from creating back doors, but it's just that: a pretense. If you permit outbound TCP, it's easy to create back doors, and ssh's port forwarding just lets Bad Guys do it a bit more easily, from the command line. The rule for ssh is as follows:

S. No. | Protocol | Outbound Query | Inbound response | Comment
1.     | ssh      | allow          | allow            | Stay current on patches

4.9 Digging for Worms:

E-mail isn't the only way that viruses and worms spread, but it's one of the most common. If your user population runs susceptible software (i.e., Windows), you really need to filter incoming e-mail. If you want to be a good citizen of the Net, you'll filter outgoing e-mail, too.

One approach, of course, is to screen each piece of incoming mail on each desktop. That's a good idea, even if you adopt other measures as well; defense in depth generally pays off. But desktops are often behind in their updates, and getting new pattern files to them now can be difficult.

Fortunately, it's not hard to install a centralized filter for malware. Use MX records to ensure that all inbound e-mail goes to a central place. Make sure that you include a wildcard MX record, too, for both your inside and your outside DNS:


example.com.               IN MX         10 mail-gw.example.com
*.example.com.             IN MX         10 mail-gw.example.com

It's a good idea to use a different brand of virus scanner for your gateway than for your desktops; all virus scanners are subject to false negatives. Many good ones are out there, both commercial and open source. If you can, obtain your central scanner from a vendor who delivers new patterns rapidly during times of plague and helminthiasis [Reynolds, 1989].

In some cases, you may want to add your own patterns. There are some "legal" worms (spam, actually), legal only because the users consented to their spread by not decrypting the legalese in the license. Antivirus companies have been hesitant to block them, given that they are, technically, legal, but you're under no obligation to allow them inside your organization.

          Outgoing e-mail should be scanned, too. There's no convenient analog to MX records; if you can't rely on your users to configure their mailers correctly, you can "encourage" them by blocking outbound connections to TCP port 25. That will also help guard against worms that do their own SMTP. If you run a DNS proxy of some sort, you can configure it to make your outbound mail gateway the MX server for the entire Internet:

 IN MX          10 mail-gw.example.co
Just make sure that you filter out any more-specific inbound records.
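The wildcard record matters because of how DNS wildcard matching works: a wildcard applies only to names that do not exist in the zone, and a name that exists without its own MX record makes mailers fall back to its address record, bypassing the gateway entirely. The lookup routine below, added here as an illustration (it is not code from the page or from any DNS software), applies those matching rules to a small constructed zone and audits which names would deliver mail anywhere other than mail-gw.example.com. The zone contents (addresses in 192.0.2.0/24 and the hosts www, legacy and sales) are constructed for the example.

```python
"""Wildcard-MX lookup and audit.  Added example, not code from the page.

Matching follows the DNS rules: an exact owner name wins, and a wildcard
"*.suffix" applies only when the queried name does not exist and "suffix"
is its closest existing ancestor.  A name that exists but has no MX gets
no MX at all (mailers then fall back to its A record).
"""
GATEWAY = "mail-gw.example.com"

# Constructed zone: owner name -> {record type: value}
ZONE = {
    "example.com":         {"MX": GATEWAY, "A": "192.0.2.1"},
    "*.example.com":       {"MX": GATEWAY},
    "mail-gw.example.com": {"A": "192.0.2.25"},
    # Has records but no MX: the wildcard does NOT apply to an existing name.
    "www.example.com":     {"A": "192.0.2.80"},
    # A more-specific MX record that routes mail around the gateway.
    "legacy.example.com":  {"A": "192.0.2.9", "MX": "legacy.example.com"},
}


def mx_target(zone, name):
    """Return the MX target for name, or None when no MX applies."""
    name = name.rstrip(".").lower()
    if name in zone:                         # existing names never match a wildcard
        return zone[name].get("MX")
    labels = name.split(".")
    for i in range(1, len(labels)):          # walk up to the closest existing ancestor
        ancestor = ".".join(labels[i:])
        if ancestor in zone:
            return zone.get("*." + ancestor, {}).get("MX")
    return None


def delivery_host(zone, name):
    """Where a mailer would actually connect: the MX target, else the name itself."""
    return mx_target(zone, name) or name.rstrip(".").lower()


def audit_bypasses(zone, gateway=GATEWAY):
    """List zone names for which mail would not pass through the gateway."""
    names = [n for n in zone if not n.startswith("*.")]
    return sorted(n for n in names if delivery_host(zone, n) != gateway)


if __name__ == "__main__":
    for q in ["example.com", "sales.example.com", "a.b.example.com",
              "www.example.com", "legacy.example.com"]:
        print(f"{q:22} -> {delivery_host(ZONE, q)}")
    print("bypass the gateway:", audit_bypasses(ZONE))
```

Running the audit against a real zone export is the practical check for the "more-specific records" warning above: every name it lists is one whose mail never reaches the central scanner.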

Some antivirus software annoys as much as it protects. A number of packages, if they detect a virus in a piece of incoming e-mail, will send an alert to the sender and all other recipients of that piece of e-mail. It seems civic-minded enough, but isn't as big a help as it appears. For one thing, many worms use forged sender addresses; notifying the putative sender does no good whatsoever. Moreover, notifying other recipients has bad scaling properties when one of the addressees is a mass mailing list.

A more dangerous form of annoyance is the trailer that reads something like this:

This piece of e-mail has been scanned, X-rayed, and screened for excessive nitrogenous compounds by ASCI/phage 2.71827, and is warranted to be free of viruses, worms, arthropods, and cyclotrimethylenetrinitramine. It is safe for consumption by humans and computers.

A trailer like that is about equivalent to naming a file "This is not a virus.exe", and teaches users bad habits.


4.10 Packet Filtering:

Packet filtering can also be incorporated in routers. Many routers have this capability, in which the rulesets can be hard-coded into them. Thus, apart from normal routing decisions, a router can also be made capable of performing packet filtering. Another implementation of packet filters is kernel based, in which the kernel is configured to carry out packet filtering. In the case of the Linux operating system, command line tools such as ipchains (now replaced with iptables) can also be used to define, modify or apply the specific rulesets for packet filters.

Conceptually, a packet filter can be considered as a router that performs three main actions:

  1. Receive each packet as it arrives.
  2. Pass the packet through a set of rules, based on the contents of the IP and transport header fields of the packet. If there is a match with one of the rules, decide whether to accept or discard the packet based on that rule.
  3. If there is no match with any rule, take the default action. The default can be to discard all packets, or to accept all packets. The former policy is more conservative, whereas the latter is more open. Usually, the implementation of a firewall begins with the default of discarding all packets.

Packet filters are very fast in their operating speed. However, the two disadvantages of a packet filter are the difficulty of setting up packet filter rules correctly, and the lack of support for authentication.

Attackers can try and break the security of a packet filter by using the following techniques:

1. IP address spoofing: An intruder outside the corporate network can attempt to send a packet towards the internal corporate network with the source IP address set equal to one of the IP addresses of the internal users.

2. Source routing attacks: An attacker can specify the route that a packet should take as it moves along the Internet. The attacker hopes that by specifying this option, the packet filter can be fooled into bypassing its normal checks.

3. Tiny fragment attacks: IP packets pass through a variety of physical networks, such as Ethernet, Token Ring, etc. All these networks have a predefined maximum frame size. Many times, the size of the IP packet is greater than this maximum size allowed by the underlying network. In such cases, the IP packet needs to be fragmented, so that it can be accommodated inside the physical frame and carried further. The attacker hopes that the packet filter can be fooled so that, after fragmentation, it checks only the first fragment and does not check the remaining fragments. This attack can be foiled by discarding all packets where the (upper layer) protocol type is TCP and the packet is fragmented.

Packet filtering is a simple and straightforward mechanism. It works at the Internet layer of the TCP/IP model. Usually, a packet is checked for the following information for filtering:

  1. Source IP address,
  2. Destination IP address,
  3. Source TCP/UDP port,
  4. Destination TCP/UDP port.

Hence, using these, a security decision may amount to blocking certain addresses or websites that are not trustworthy.
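To make the three actions and the four header fields above concrete, here is a small stateless packet filter written for this page (an added example, not code from the original text or from any firewall product). It matches on the four fields listed plus the direction the packet arrived from, applies the first matching rule, falls back to a default-discard policy, and performs three checks that counter the attacks listed in this section: inbound packets claiming an internal source address are dropped (IP spoofing), packets carrying a source-route option are dropped, and fragmented TCP is dropped (tiny fragments). The ruleset encodes the per-protocol tables from the earlier sections (block NFS, allow outbound TCP but not inbound, allow ssh both ways) together with the outbound-port-25 block from 4.9. The internal range 10.0.0.0/8, the mail gateway address 10.0.0.25, the sample hosts and the assumption that NFS sits on port 2049 are constructed for the example.

```python
"""Stateless packet filter in the style described in this section.

Added example, not code from the original page.  The internal range
10.0.0.0/8, the mail-gateway address 10.0.0.25 and the use of port 2049
for NFS are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed: the corporate network
MAIL_GW = "10.0.0.25"                     # constructed: the central mail gateway


@dataclass
class Packet:
    direction: str                  # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    fragment: bool = False          # True for any fragment of a larger IP datagram
    source_routed: bool = False     # True if an IP source-route option is present


@dataclass
class Rule:
    action: str                     # "accept" or "discard"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    def __init__(self, rules, default="discard"):
        self.rules = list(rules)
        self.default = default      # "discard" is the conservative default

    def sanity_checks(self, p: Packet) -> Optional[str]:
        """Checks run before the ruleset; they counter the three attacks listed above."""
        # IP address spoofing: a packet arriving from outside must not claim an inside source.
        if p.direction == "in" and ip_address(p.src) in INTERNAL_NET:
            return "discard (spoofed internal source address)"
        # Source routing: the sender may not choose the route through our network.
        if p.source_routed:
            return "discard (source-routed packet)"
        # Tiny fragments: discard every fragment whose upper-layer protocol is TCP.
        if p.proto == "tcp" and p.fragment:
            return "discard (fragmented TCP)"
        return None

    def decide(self, p: Packet) -> str:
        verdict = self.sanity_checks(p)
        if verdict is not None:
            return verdict
        for rule in self.rules:     # first match wins, so rule order matters
            if rule.matches(p):
                return f"{rule.action} ({rule.comment})"
        return f"{self.default} (default policy)"


# Ruleset built from the per-protocol tables above and the outbound SMTP block of 4.9.
RULES = [
    Rule("discard", proto="tcp", dport=2049, comment="NFS has no built-in security"),
    Rule("discard", proto="udp", dport=2049, comment="NFS has no built-in security"),
    Rule("accept", "in", proto="tcp", dport=22, comment="ssh allowed in; stay current on patches"),
    Rule("accept", "out", src=MAIL_GW, proto="tcp", dport=25, comment="only the gateway may send mail"),
    Rule("discard", "out", proto="tcp", dport=25, comment="route outbound mail via the gateway"),
    Rule("accept", "out", proto="tcp", comment="outbound TCP: generally trust insiders"),
    Rule("discard", "in", proto="tcp", comment="no inbound TCP connections"),
]
FIREWALL = PacketFilter(RULES, default="discard")

if __name__ == "__main__":
    # Constructed sample packets: 198.51.100.7 is an outside host, 10.1.2.3 an inside one.
    samples = [
        Packet("in", "198.51.100.7", "10.1.2.3", "tcp", 40000, 22),
        Packet("in", "198.51.100.7", "10.1.2.3", "tcp", 40000, 80),
        Packet("out", "10.1.2.3", "198.51.100.7", "tcp", 50000, 443),
        Packet("out", "10.1.2.3", "198.51.100.7", "tcp", 50000, 25),
        Packet("in", "10.9.9.9", "10.1.2.3", "tcp", 40000, 22),
        Packet("in", "198.51.100.7", "10.1.2.3", "tcp", 40000, 22, fragment=True),
        Packet("in", "198.51.100.7", "10.1.2.3", "udp", 5353, 5353),
    ]
    for pkt in samples:
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {FIREWALL.decide(pkt)}")
```

Note the ordering: the inbound ssh rule must sit before the "no inbound TCP" rule and the gateway's SMTP exception before the port-25 block, otherwise the earlier, broader rule swallows the packet. Getting such orderings right is exactly the "difficulty of setting up packet filter rules correctly" mentioned above.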




4.11 Specific Attacks: Packet Sniffing vs. Packet Spoofing

On the Internet, computers exchange messages with each other in the form of small groups of data called packets. A packet, like a postal envelope, contains the actual data to be sent and the addressing information. Attackers target these packets as they travel from the source computer to the destination computer over the Internet.

These attacks take two main forms:
(a) Packet Sniffing (also called as snooping)
(b) Packet Spoofing.

Since the protocol used in this communication is called the Internet Protocol (IP), other names for these two attacks are (a) IP sniffing and (b) IP spoofing. The meaning remains the same.

(a) Packet Sniffing:
Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but instead can simply observe (i.e. sniff) packets as they pass by. Clearly, to prevent an attacker from sniffing packets, the information that is passing needs to be protected in some way.

This can be done at two levels:

i.   The data that is travelling can be encrypted.
ii.  The transmission link itself can be encrypted.

(b) Packet Spoofing:
In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver, i.e. the party who receives the packets containing a false source address, would inadvertently send replies back to the forged address (called the spoofed address) and not to the attacker.

This can lead to three possible cases:
i.   The attacker can intercept the reply: if the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
ii.  The attacker need not see the reply: if the attacker's intention was a Denial of Service (DoS) attack, the attacker need not bother about the reply.
iii. The attacker does not want the reply: the attacker could simply be angry with the host, so it may put that host's address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and get confused.


DNS Spoofing:
With DNS (Domain Name System), people can identify websites with human-readable names such as www.yahoo.com, while computers can continue to treat them as IP addresses (such as 120.9.32.23). For this, a special server computer called a DNS server maintains the mappings between domain names and the corresponding IP addresses. The DNS server could be located anywhere. Usually, it is with the Internet Service Provider (ISP) of the users. With this background, the DNS spoofing attack works as follows:

i.   Suppose that there is a user A whose site domain name is www.A.com and whose IP address is 100.10.10.10. So, the entry in all the DNS servers is maintained as: www.A.com 100.10.10.10
ii.  The attacker B manages to hack and replace the IP address of A with his own, i.e. 100.20.20.20, in the DNS server maintained by the ISP of user C. Therefore, the DNS server maintained by the ISP of C has the following entry: www.A.com 100.20.20.20
iii. When C wants to communicate with A's site, the Web browser queries the DNS server maintained by the ISP for A's IP address, providing it the domain name. C gets the replaced address (i.e. B's IP address), which is 100.20.20.20.
iv.  Now, C starts communicating with B, believing that he is communicating with A.

A protocol called DNSSEC (Secure DNS) is being used to overcome such attacks.
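The four steps above can be traced with a small simulation, added here as an illustration (not code from the page). It models the cache of the ISP's DNS server as a dictionary, lets B overwrite A's entry exactly as in step ii, and then shows the difference that DNSSEC-style validation makes: a resolver that checks each answer against a signature produced with the zone owner's key rejects B's forged entry instead of handing it to C. An HMAC under a constructed key stands in for the public-key signatures (RRSIG/DNSKEY records) real DNSSEC uses; the names and addresses are the page's own.

```python
"""DNS spoofing scenario with and without record validation.

Added example, not code from the page.  An HMAC over (name, address)
with a constructed zone key stands in for DNSSEC's public-key RRSIG
check; the resolver logic is otherwise the same: a record is believed
only if the zone owner's signature over it verifies.
"""
import hashlib
import hmac

ZONE_KEY_OF_A = b"constructed-signing-key-of-zone-A"   # held by A's zone, never by B


def sign_record(name, addr, key):
    """Zone owner's signature over one name -> address mapping."""
    return hmac.new(key, f"{name} A {addr}".encode(), hashlib.sha256).hexdigest()


class Resolver:
    """The DNS server at C's ISP: a cache of name -> (address, signature)."""

    def __init__(self, validating):
        self.validating = validating      # True = behave like a DNSSEC-validating resolver
        self.cache = {}

    def store(self, name, addr, sig=None):
        """Whoever can write to the cache (the ISP, or attacker B in step ii)."""
        self.cache[name] = (addr, sig)

    def resolve(self, name, trusted_key=ZONE_KEY_OF_A):
        addr, sig = self.cache[name]
        if self.validating:
            expected = sign_record(name, addr, trusted_key)
            if sig is None or not hmac.compare_digest(sig, expected):
                raise ValueError(f"bogus record for {name}: signature does not verify")
        return addr


def run_scenario(validating):
    """Steps i-iv from the text; returns the address C ends up talking to, or 'rejected'."""
    resolver = Resolver(validating)
    # i.  A's site is published, signed with A's zone key.
    resolver.store("www.A.com", "100.10.10.10",
                   sign_record("www.A.com", "100.10.10.10", ZONE_KEY_OF_A))
    # ii. B replaces the address with its own.  B cannot produce A's signature,
    #     so the best it can do is sign with a key of its own (or none at all).
    forged_sig = sign_record("www.A.com", "100.20.20.20", b"constructed-key-of-B")
    resolver.store("www.A.com", "100.20.20.20", forged_sig)
    # iii/iv. C's browser asks the resolver and connects to whatever comes back.
    try:
        return resolver.resolve("www.A.com")
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("non-validating resolver: C connects to", run_scenario(validating=False))
    print("validating resolver:     C connects to", run_scenario(validating=True))
```

The point the simulation makes is that the forged entry survives because the non-validating resolver trusts whatever is in its cache; validation ties each answer to the zone owner rather than to whoever last wrote the cache entry.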



4.12 Implementing Policies (Default Allow, Default Deny) on Proxy:

As far as allowing or disallowing services is concerned, there are mainly two approaches. The first is the Allow All (Default Allow) approach and the second is the Deny All (Default Deny) approach. The first one is more open, while the latter is more conservative. In the Default Allow approach, everything is 'open' by default; rules are then added for whatever you wish to block from users. In the Default Deny approach, everything is 'blocked' by default, and rules are added as and when required to open up the services/information that is needed or considered trustworthy.

On application level gateways or proxy servers, especially Linux based ones, there exist the configuration files hosts.allow and hosts.deny, through which such policies can be configured. The addresses listed in the hosts.allow file will be allowed, and similarly the addresses in the hosts.deny file will be denied.
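Here is an evaluator for the hosts.allow / hosts.deny convention mentioned above, added as an illustration (it is not the page's code, nor the real TCP Wrappers library). It implements the lookup order that library documents: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. That order is why a Default Deny policy is written as `ALL: ALL` in hosts.deny plus explicit entries in hosts.allow, while Default Allow is simply an empty hosts.deny. The two configurations, the daemon names and the 10.0.0.0 addresses are constructed; only the ALL, net/mask, trailing-dot prefix and exact-address client patterns are supported.

```python
"""Evaluate hosts.allow / hosts.deny rules for the two policy styles above.

Added example, not the page's code and not TCP Wrappers itself.  Supports a
subset of the client patterns: ALL, net/mask, a trailing-dot prefix such as
"10.0.1." and exact addresses.  Configurations are constructed.
"""
import ipaddress


def parse_access_file(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        parts = line.split(":")
        if len(parts) < 2:                           # blank or malformed line
            continue
        daemons, clients = parts[0], parts[1]        # a third field (shell command) is ignored
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, host):
    if pattern == "ALL":
        return True
    if "/" in pattern:                               # net/mask form: 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(host) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                        # leading-octet prefix: 10.0.1.
        return host.startswith(pattern)
    return pattern == host


def rule_matches(rule, daemon, host):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, host) for c in clients))


def access_granted(allow_text, deny_text, daemon, host):
    """TCP Wrappers order: allow file first, then deny file, then permit."""
    if any(rule_matches(r, daemon, host) for r in parse_access_file(allow_text)):
        return True
    if any(rule_matches(r, daemon, host) for r in parse_access_file(deny_text)):
        return False
    return True


# Default Deny: everything blocked, then the needed services opened one by one.
DENY_ALL = "ALL: ALL\n"
ALLOW_SOME = """
sshd:  10.0.0.0/255.255.255.0, 10.0.1.      # admin subnet and one branch prefix
squid: 10.0.0.0/255.0.0.0                   # the proxy serves the whole inside
"""

# Default Allow: nothing is blocked until a rule is added to hosts.deny.
DENY_NOTHING = ""
ALLOW_NOTHING = ""

if __name__ == "__main__":
    for daemon, host in [("sshd", "10.0.0.5"), ("sshd", "10.0.1.9"), ("sshd", "198.51.100.7"),
                         ("ftpd", "10.0.0.5"), ("squid", "10.200.0.1")]:
        print(f"{daemon:6}{host:15} default-deny: {access_granted(ALLOW_SOME, DENY_ALL, daemon, host)!s:6}"
              f" default-allow: {access_granted(ALLOW_NOTHING, DENY_NOTHING, daemon, host)}")
```

Under the Default Deny configuration an unlisted service such as ftpd is refused to everyone, including inside hosts, until a line for it is added to hosts.allow; under Default Allow the same request succeeds because nothing in hosts.deny matches it.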




4.13 Write short notes on DMZ:

Some servers are difficult to trust because of the size and the complexity of the code they run. Web servers are a classic example.

Do you place your external Web server inside the firewall, or outside?

[Figure: cloud callout labelled "The Internet"]
If you place it inside, then a compromise creates a launch point for further attacks on inside machines.

If you place it outside, then you make it even easier to attack.

The common approach to this is to create a demilitarized zone (DMZ) between two firewalls.

It is important to carefully control administrative access to services on the DMZ. Most likely, this should only come from the internal network, and preferably over a cryptographically protected connection, such as ssh.

A DMZ is an example of our general philosophy of defense in depth. That is, multiple layers of security provide a better shield. If an attacker penetrates past the first firewall, he or she gains access to the DMZ, but not necessarily to the internal network.

Without the DMZ, the first successful penetration could result in a more serious compromise.

You should not fully trust machines that reside in the DMZ; that's the reason we put them there. Important Web servers may need access to, say, a vital internal database, but ensure that the database server assumes that queries may come from an untrusted source. Otherwise, an attacker may be able to steal the crown jewels via the compromised Web server.

We'll stress this point again and again: Nothing is completely secure, but some situations need more care (and more defenses) than do others.

The concept of a Demilitarized Zone (DMZ) network is quite popular in firewall architectures. Firewalls can be arranged to form a DMZ. A DMZ is required only if an organization has servers that it needs to make available to the outside world (e.g. Web servers or FTP servers). For this, a firewall has at least three network interfaces. One interface connects to the internal private network; the second connects to the external public network (i.e. the Internet); and the third connects to the public servers (which form the DMZ network). The idea is illustrated in Figure:


The chief advantage of such a scheme is that access to any service on the DMZ can be restricted. For instance, if the Web server is the only required service, we can limit the traffic in/out of the DMZ network to the HTTP and HTTPS protocols (i.e. ports 80 and 443, respectively). All other traffic can be filtered. More significantly, the internal private network is in no way directly connected to the DMZ. So, even if an attacker somehow manages to hack into the DMZ, the internal private network is safe and out of the attacker's reach.
