CSE543 Computer Security: Lecture 20 - Firewalls, Study notes of Computer Science

Part of the lecture notes for the computer security course (CSE543) at Penn State University, Fall 2007. The lecture covers firewalls, their role in network security, and different types of firewalls (stateful, proxy, and transparent). The notes also cover filtering policies, DMZs, practical issues and limitations, and the Linux Netfilter/iptables interface.

Typology: Study notes (pre-2010). Uploaded on 09/24/2009 by koofers-user-b0i.

Partial preview of the text:

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 20 - Firewalls
November 8, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07

Midterm
• Grades (high is 83)
  – 77-94 -- A (4)
  – 71-75 -- B+/A- (7)
  – 64-69 -- B+/B (13)
  – 56-61 -- B/B- (7)
  – 54-55 -- C+ (2)
  – <50 -- D/F (2)
• Impact
  – 20% of grade
  – Project and final to go -- more than 50% of grade

Network Security …
• This is a poorly understood engineering discipline.
• The following looks at the application of tools …

Network security: the high bits
• The network is …
  – … a collection of interconnected computers
  – … with resources that must be protected
  – … from unwanted inspection or modification
  – … while maintaining adequate quality of service.
• Another way of seeing network security is
  – Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources is maintained.
• Q: How do we do this?

The network …
[Diagram: Internet -- edge -- LAN (perimeter) containing hosts/desktops and a server; remote hosts/servers on the Internet side]

Filtering: the threats
• Adversary 1: some external network entity attempting to gain access to internal resources
• Adversary 2: some internal, but malicious, entity (or software) trying to expose sensitive data
• Adversary 3: some internal or external entity that is preventing access to an internal resource (DoS)

Filtering: Firewalls
• Filtering traffic based on policy
  – Policy determines what is acceptable traffic
  – Access control over traffic: accept or deny
• May perform other duties
  – Logging (forensics, SLA)
  – Flagging (intrusion detection)
  – QoS (differentiated services)
[Figure: filtering can be applied at the application, network, or link layer]

Firewall Policy
• Specifies what traffic is (not) allowed
• Maps packet attributes (source and destination address, protocol, port, interface) to accept/deny decisions
• Example: HTTP should be allowed to any external host, but inbound only to the web server

DMZ (De-militarized Zone)
[Diagram: Internet -- DMZ (public-facing servers) -- LAN]
• Zone between LAN and Internet (public facing)

Practical Issues and Limitations
• Network layer firewalls are dominant
• DMZs allow multi-tiered fire-walling
• Tools are widely available and mature
• Personal firewalls gaining popularity
• Issues
  – Network perimeters not quite as clear as before
    • E.g., telecommuters, VPNs, wireless, …
  – Every access point must be protected
    • E.g., this is why war-dialing is effective
  – Hard to debug, maintain consistency and correctness
  – Often seen by non-security personnel as an impediment
    • E.g., "Just open port X so I can use my wonder widget …"
  – SOAP - why is this protocol an issue? (It carries remote procedure calls inside HTTP, so a port-based filter that allows port 80 passes it unexamined.)

Wool's Firewall Study
• What is the purpose of this study?

The iptables slides that follow are reused from CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger.

Netfilter hooks
• Series of hooks in the Linux network protocol stack
• At each Netfilter hook
  – An iptables rule set (chain) is evaluated
• Hook placements
  – Incoming packets: PREROUTING -> routing decision -> INPUT (addressed to this host) or FORWARD (addressed elsewhere) -> POSTROUTING
  – Locally generated packets: OUTPUT -> routing decision -> POSTROUTING

iptables Concepts
• Table – a set of chains serving one purpose (filter, the default, holds the firewall rules; nat and mangle are the others)
• Chain – list of rules associated with the chain identifier
  – E.g., the hook name (INPUT, FORWARD, OUTPUT) or a user-defined name
• Match – when all of a rule's fields match the packet (protocol-specific)
• Target – operation to execute on a packet given a match (ACCEPT, DROP, LOG, jump to a user-defined chain, …)

iptables Commands
• iptables [-t <table_name>] <cmd> <chain> <plist>
• Commands
  – Append a rule to the end of a chain (-A) or insert it at a specific position (-I)
  – Delete a specific rule in a chain (-D)
  – Flush a chain (-F)
  – List a chain (-L)
  – Create a new user-specified chain (-N)
  – Replace a rule (-R)

iptables Rule Parameters
• Destination/Source (-d/-s)
  – IP address range and netmask
• Protocol of packet (-p)
  – ICMP, TCP, etc.
• Fragmented only (-f)
• Incoming/outgoing interface (-i/-o)
• Target on rule match (-j)

Per Protocol Options
• Specialized matching options for rules
  – Specific to protocol
• TCP
  – Source/destination ports (--sport/--dport)
  – SYN (--syn)
  – TCP flags (--tcp-flags)

Examples
• iptables -A INPUT -s 200.200.200.2 -j ACCEPT
• iptables -A INPUT -s 200.200.200.1 -j DROP
• iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP
• iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP
• iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP
• A chain is evaluated in order and the first matching rule decides, so with the second rule in place the third and fourth never fire; the last rule still matters because it applies to every other source.
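The first-match behaviour of the five example rules above, as an added example that is not part of the lecture slides: a small POSIX shell evaluator walks the rules in append order the way an iptables chain does, and a second function reports rules that can never fire because an earlier rule already matches everything they would. The rule encoding (src, proto, dport, iface, target, with "*" as wildcard) and the chain policy of ACCEPT are assumptions of this script; telnet is tcp/23.

```shell
#!/bin/sh
# Added example, not from the lecture slides: a first-match evaluator that
# walks a rule list the way an iptables chain does, loaded with the five INPUT
# rules from the slide (in the order `iptables -A INPUT ...` appends them).
# Rule fields: src proto dport iface target, "*" meaning "any". telnet = tcp/23.
RULES='200.200.200.2 * * * ACCEPT
200.200.200.1 * * * DROP
200.200.200.1 tcp * * DROP
200.200.200.1 tcp 23 * DROP
* tcp 23 ppp0 DROP'
POLICY=ACCEPT   # chain policy: applied when no rule matches (iptables' default)

# field_matches RULE_FIELD PACKET_FIELD: true if the rule field is a wildcard
# or equals the packet field. The same test says whether an earlier rule's
# field covers everything a later rule's field would match.
field_matches() { [ "$1" = "*" ] || [ "$1" = "$2" ]; }

# evaluate SRC PROTO DPORT IFACE: prints "TARGET rule N" for the first matching
# rule, or "POLICY default" when the chain runs out of rules.
evaluate() {
  n=0
  while read -r rsrc rproto rdport riface target; do
    n=$((n + 1))
    if field_matches "$rsrc" "$1" && field_matches "$rproto" "$2" \
       && field_matches "$rdport" "$3" && field_matches "$riface" "$4"; then
      echo "$target rule $n"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo "$POLICY default"
}

# shadowed_rules: prints "rule N shadowed by rule M" for each rule that can
# never fire because an earlier rule already matches every packet it would.
# Shadowed rules are one of the configuration errors a firewall audit looks
# for: dead weight at best, a sign of a misunderstood policy at worst.
shadowed_rules() {
  n=0
  while read -r src proto dport iface target; do
    n=$((n + 1))
    m=0
    while read -r esrc eproto edport eiface etarget; do
      m=$((m + 1))
      [ "$m" -lt "$n" ] || break
      if field_matches "$esrc" "$src" && field_matches "$eproto" "$proto" \
         && field_matches "$edport" "$dport" && field_matches "$eiface" "$iface"; then
        echo "rule $n shadowed by rule $m"
        break
      fi
    done <<INNER
$RULES
INNER
  done <<OUTER
$RULES
OUTER
}

# Demo: telnet from 200.200.200.1 is decided by rule 2, not by rule 4.
evaluate 200.200.200.1 tcp 23 ppp0    # DROP rule 2
evaluate 200.200.200.2 tcp 23 ppp0    # ACCEPT rule 1
evaluate 10.0.0.5 tcp 23 ppp0         # DROP rule 5
evaluate 10.0.0.5 tcp 80 eth0         # ACCEPT default
shadowed_rules                        # rule 3 and rule 4, both shadowed by rule 2
```

Note that the shadow check only detects rules hidden by a single earlier rule; a rule covered by the union of several earlier rules would need a full reachability analysis, which is the kind of thing a firewall audit tool does.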
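The Firewall Policy example above ("HTTP allowed to any external host, inbound only to the web server") written out as an iptables rule set for a firewall forwarding between the Internet and a DMZ, as an added example that is not part of the lecture slides. The web server address (192.0.2.10, a documentation-range address), the external interface name (eth0) and the use of the FORWARD chain with conntrack state matching are assumptions of this script; with no argument it only prints the rules, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the lecture slides: the slide's policy "HTTP allowed
# to any external host, but inbound only to the web server" as an iptables
# rule set for a firewall that forwards between the Internet and a DMZ/LAN.
# The address, interface name and chain layout are assumptions for illustration.
WEB_SERVER=${WEB_SERVER:-192.0.2.10}   # assumed DMZ web server (documentation range)
EXT_IF=${EXT_IF:-eth0}                  # assumed Internet-facing interface
IPT="echo iptables"                     # print by default; "load" below installs

apply_policy() {
  # Clean slate and default deny on INPUT and FORWARD (OUTPUT is left at
  # ACCEPT so the firewall's own administration traffic keeps working).
  $IPT -F INPUT
  $IPT -F FORWARD
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  # Loopback, and stateful acceptance of replies to connections that were
  # already allowed. Without this, the return half of the outbound HTTP
  # connections below would be dropped by the FORWARD policy.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Inbound HTTP: new connections arriving on the external interface are
  # accepted only when addressed to the web server.
  $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
       -m conntrack --ctstate NEW -j ACCEPT
  # Outbound HTTP: new connections leaving on the external interface, to any host.
  $IPT -A FORWARD -o "$EXT_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  # Everything else falls through to the DROP policy; log it first (rate
  # limited so a flood cannot turn the log itself into a denial of service).
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Usage: sh firewall.sh        -> print the rules in installation order
#        sudo sh firewall.sh load -> install them
case "${1:-print}" in
  print) apply_policy ;;
  load)  IPT=iptables; apply_policy ;;
esac
```

The ordering matters as much as the rules: the ESTABLISHED,RELATED rule sits before the NEW rules so reply traffic is accepted cheaply, and the LOG rule sits last so it only sees what the policy is about to drop.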