Title: Firewalls
1 Firewalls
- PROTECTING YOUR COMPUTER NETWORK
By Ford Levy
2 What we will cover
- Who Needs a Firewall
- Network Basics
- Firewall Basics
- Establishing Rules
- Firewall Solutions
- Sources for more information
3 Does Security Matter?
Would you care if someone could
- Crash your computer every 5 minutes?
- Erase or change your client data
- Steal proprietary information
- Reconfigure your Server
- Transfer your company's bank balance via EFTPS to ENRON's payroll account.
4 Does Your Business Need
- Theft or disclosure of internal data
- Unauthorized access to internal hosts
- Interception or alteration of data
- Vandalism denial of service
- Wasted employee time
- Access to Martha Stewart's Broker
5 Does Security Matter at Your Company?
Do You Have
- Computers
- A Network
- Access to the Internet
- Shared Files and Peripherals
- Files you do not want to lose
- Programs you do not want tampered with
- Artwork to Ship to New Hampshire
6 Is it an Issue on Your System?
Some systems and/or protocols are designed with security in mind from the beginning -- maybe even as their primary design goal. But for most? The story's the same:
- Protocol design? (Nah, that's an application problem)
- Application design? (We plan to add that in the future...)
- Application deployment? (Let's get it running first)
- System administration? (I'm putting out fires every day!)
The Focus is on System Operation, not Security
7 System Vulnerabilities
- Almost all vulnerabilities come from bugs in the implementation of, or misconfigurations of, the OS and/or apps
- Rarely, a problem with a protocol itself
- Vulnerabilities can lead to
  - Unauthorized access: attacker gains control of the victim's machine (attacker can log in, read files, and/or make changes to the system)
  - Denial of Service against host (attacker can crash the computer, disable services, etc.)
  - Denial of Service against network (attack can disrupt routing, flood the network, etc.)
8 System Vulnerabilities
- MS WINDOWS: A MAJOR CULPRIT (NT, XP, 2000, MILLENNIUM)
What About Linux?
9 Security incidents reported to CERT
(Chart; source: CERT/CC)
10 Who is the enemy?
- The Troubled Genius
  - Has a deep understanding of systems
  - Capable of finding obscure vulnerabilities in OSs, apps, and protocols, and exploiting them
  - Extremely skilled at evading countermeasures
  - Can dynamically adapt to new environments
- The Idiot
  - Little or no true understanding of systems
  - Blindly downloads and runs code written by T.G.
  - Can usually be stopped by calling his mother
Who do you think causes more damage?
11 The IDIOT!!!
- The idiots collectively cause more damage because there are a vast number of them
- Every security incident analyzed at NIH was the work of an idiot
- Every time smart hackers find a new security hole, they make it public -- they have a "publish or perish" ethic
- Each time, hordes of idiots pounce on it and break into every system they can find
- Purchases used shredders from Arthur Andersen on eBay
12 What a Firewall Can't Protect You From
- Inside Attack
- Social Engineering
- Viruses and Trojan Horses
- Poorly Trained firewall administrators
- Most of the shows on the Fox News Channel
13 NETWORKS AND PROTOCOLS
14 TCP/IP: MAKING THE INTERNET HAPPEN
- Transmission Control Protocol/Internet Protocol
- A Suite of Protocols or Rules for Communicating (a language)
- Defines Standards for Communicating on the Internet
- Four Layers
  - Network Interface Layer
  - Internet Layer
  - Transport Layer
  - Application Layer
15 PACKET FENCES
- Internet communication uses packets
- Data is broken up into small packets
- Prevents a single user from capturing bandwidth and bogging down the Internet
- IP labels each packet with a unique Internet destination address
- TCP assigns a sequence number to each so the destination can reconstruct the data
16 Connecting to the Internet
- Dial-up modem (slow but no permanent connection)
- ISDN (faster with no permanent connection)
- DSL (fast with permanent connection)
- Cable Modem (fast but bandwidth limits; permanent connection)
- T1/T3 (very fast with permanent connection)
- Wireless (comparable to DSL; may be permanent)
17 Connecting to the Internet
Network Router
Transfers network packets between two different
networks
18 FIREWALL BASICS
19 Securing your system: the quick, easy way
It's easy to run a secure computer system. You
just have to disconnect all dial-up (and DSL)
connections and permit only direct-wired
terminals, put the machine and its terminals in a
shielded room, fire all employees and post a
guard at the door.
F.T. Grampp and R.H. Morris
20 The never-ending game
- 1. New bugs are found, exploits are published
- 2. Hordes of idiots cause damage using those exploits
- 3. Vendors are pressured to come out with fixes
- 4. Users install the fixes (sometimes? rarely?)
- 5. Go to step 1.
The big questions are:
1. How can we protect a large site? (The site is only as strong as its most poorly administered machine.)
2. How can we pro-actively protect against attacks that we have never seen before, to avoid Step 2 damage?
21 Okay, so where's the fire?
22 Firewalls (not as good as a guard, but...)
- Routers: easy to say "allow everything but..."
- Firewalls: easy to say "allow nothing but..."
- This helps because we turn off access to everything, then evaluate which services are mission-critical and have well-understood risks
- Note: the only difference between a router and a firewall is the design philosophy: do we prioritize security, or connectivity/performance?
23 A Firewall Separates an Internal Network from the Internet
(Diagram: Internet -> Firewall -> Internal Network)
24 Typical firewall setup
(Diagram: Evil Internet, DMZ, internal network)
Diagram courtesy of CheckPoint Software Tech, www.checkpoint.com
25 Inter-department firewall setup
(Diagram: Department A, DMZ?, Department B)
26 Okay, So what is it?
- A firewall is a system of components of hardware, software or both designed to control access between our network and an external network or the Internet
- A firewall system can be a router, a personal computer, a host, or multi-host
- What the investors of WorldCom want to throw Bernard Ebbers through
27 Really, What Is It!
- Logically, a firewall is a separator, a restrictor, an analyzer
- Physically, the implementation of a firewall varies from site to site
- The best implementations occur during network design, not after
28 How About Common Features
- Block incoming network traffic based on source or destination (most common)
- Block outgoing network traffic based on source or destination
- Block network traffic based on content (screening)
- Make internal resources available
- Allow connections to internal network (VPNs)
- Report on network traffic and firewall activities
29 Why Do We Need It?
- A firewall is a line of Internet defense
- a. Protection
  - A firewall has the ability to filter insecure services, which reduces risks to the sites on the Internet
  - Will pass only selected protocols
30 Say What?
- b. Controlling Access
  - Can block all ways to get into a system without knowing an account name and password
  - Reduce the number of accounts accessed from the outside
  - Keep the attackers out of the network
31 Firewall Uses
- c. Monitoring and logging
  - Logging what happens at the firewall is important
  - Can help us analyze a possible security breach later
  - Gives feedback on the performance and actual filtering done by the firewall
32 One Size Does Not Fit All
- Personal firewall
- Departmental or small organization firewall
- Enterprise firewall
33 How Does It Work?
- Packet filtering
  - Packet filtering systems route packets between internal and external hosts, but they do it selectively.
  - Usually, this router checks the information in every packet's header:
    - source IP address
    - destination IP address
    - IP protocol ID
    - TCP or UDP port number
    - ICMP message type
  - It is the only protecting system: if its security fails, the internal network is exposed.
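As an added illustration (not from the slides), here is a stateless packet filter that decides on exactly the header fields listed above and nothing else, with the "allow nothing but..." default; the 192.0.2.0/24 internal network and the three rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Header:
    """The only fields a packet filter looks at (constructed for the example)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # any source network
    dst: str = "0.0.0.0/0"          # any destination network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, h: Header) -> bool:
        if ipaddress.ip_address(h.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(h.dst) not in ipaddress.ip_network(self.dst):
            return False
        for want, got in ((self.proto, h.proto), (self.dport, h.dport),
                          (self.icmp_type, h.icmp_type)):
            if want is not None and want != got:
                return False
        return True


# Constructed rule set; 192.0.2.0/24 plays the internal network.
# First matching rule wins; anything unmatched falls through to deny.
RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # public web server
    Rule("allow", src="192.0.2.0/24", proto="tcp", dport=25),   # inside may send mail out
    Rule("allow", proto="icmp", icmp_type=8),                   # echo request only
]


def filter_packet(h: Header, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet, using header fields alone."""
    for rule in rules:
        if rule.matches(h):
            return rule.action
    return "deny"   # default-deny: the firewall design philosophy
```

Because the filter never looks past the header, anything sent to the web server on port 80 is allowed whatever the payload is; that is the gap the next slide's proxy services close.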
34 How Does It Work?
- Proxy services (or application proxy)
  - It is a software solution
  - These programs take users' requests for Internet services and forward them to the actual services
- Proxy services (PS) vs. Packet filtering (PF)
  - A PF inspects only the packet header; a PS scans the entire data in the packet
  - A PF passes an allowed packet that travels from the internal network; a PS regenerates an allowed packet that is sent from the firewall to the server on the Internet
35 How Does It Work?
- Network Address Translation (NAT)
  - The outside world sees only one or more outside IP addresses of the firewall. The internal network uses different IP addresses.
  - These programs take users' requests for Internet services and forward them to the actual services
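An added example (not from the slides) of the translation table behind NAT: every outbound flow is rewritten to the firewall's single public address and a port of its own, and only replies to a flow an inside host opened are mapped back. Addresses are constructed from the RFC documentation ranges; a real NAT also keys on the remote endpoint and expires idle entries, which this table omits.

```python
from itertools import count
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]   # (IP address, port)


class Nat:
    """Port-overloading NAT table (constructed example; not from the slides)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip            # the one address the outside sees
        self._ports = count(first_port)       # next free public port
        self.outbound: Dict[Flow, int] = {}   # (inside ip, port) -> public port
        self.inbound: Dict[int, Flow] = {}    # public port -> (inside ip, port)

    def translate_out(self, src: Flow, dst: Flow) -> Tuple[Flow, Flow]:
        """Rewrite the source of a packet leaving the internal network."""
        if src not in self.outbound:          # new flow: allocate a public port
            port = next(self._ports)
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src]), dst

    def translate_in(self, src: Flow, dst: Flow) -> Optional[Tuple[Flow, Flow]]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None (drop) unless an inside host opened a matching flow, which
        is why hosts behind NAT are not directly reachable from outside.
        """
        if dst[0] != self.public_ip:
            return None
        inside = self.inbound.get(dst[1])
        if inside is None:
            return None
        return src, inside
```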
36 Establishing Rules
- Creating an Internet Acceptable Use Policy
- Creating a Security Policy
- Using the Policy to Configure your Firewall
  - Allow-all
  - Deny-all
  - Combination of both
37 Strategies, Policies and Rules
Internet Use and Security Policy: Internet Acceptable Use
- Define all available services
- Determine who can access the Internet
- Define ownership of resources
- Establish the responsibility of employees
- Define all unauthorized use of the Internet
- Define what e-mail purposes are expressly disallowed
- Define disallowed protocols for Internet use
- Define disallowed web content
- Define disallowed file-type downloads
- Define disallowed web addresses and actions
38 Strategies, Policies and Rules
Internet Use and Security Policy: Security
- Establish a project team to develop the security policy
- Identify what resources require protection
- Identify what potential risks exist for each resource
- Decide the probability of risks coming to fruition
- Create mitigation plans that address each risk
39 Sample Policy in Use
- Deny network traffic on all IP ports
- Except, allow network traffic on port 80 (HTTP)
- Except, from all HTTP traffic, deny HTTP video content
- Except, allow HTTP video content for members of the Education Center
- Except, deny members of the Education Center from downloading HTTP video content at night and on weekends.
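The sample policy above encoded as a rule chain, as an added example that is not part of the slides: each "except" narrows the rule before it, so evaluated in the order written the last matching rule wins, and a first-match firewall needs the same list reversed. The Request fields, the "education" group name and the reading of "night and weekends" as outside 08:00-18:00 Monday to Friday are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Request:
    """One access request (constructed fields, not from the slides)."""
    port: int
    content: str = "text"                    # "text" or "video"
    group: str = "staff"                     # "education" = Education Center member
    when: datetime = datetime(2002, 6, 10, 10, 0)   # a Monday at 10:00


WEEKEND = datetime(2002, 6, 8, 10, 0)        # a Saturday (constructed sample)
NIGHT = datetime(2002, 6, 10, 22, 0)         # Monday 22:00 (constructed sample)


def off_hours(r: Request) -> bool:
    """'Night and weekends', assumed to mean outside 08:00-18:00 Mon-Fri."""
    return r.when.weekday() >= 5 or not 8 <= r.when.hour < 18


# Each "except" narrows the rule before it, so the LAST matching rule wins.
POLICY: List[Tuple[str, Callable[[Request], bool]]] = [
    ("deny",  lambda r: True),                                    # all IP ports
    ("allow", lambda r: r.port == 80),                            # except HTTP
    ("deny",  lambda r: r.port == 80 and r.content == "video"),   # except video
    ("allow", lambda r: r.port == 80 and r.content == "video"
                        and r.group == "education"),              # except Education Center
    ("deny",  lambda r: r.port == 80 and r.content == "video"
                        and r.group == "education" and off_hours(r)),
]


def decide(r: Request, policy=POLICY) -> str:
    """Evaluate the policy as written: later, narrower exceptions override."""
    verdict = "deny"
    for action, cond in policy:
        if cond(r):
            verdict = action
    return verdict


def decide_first_match(r: Request, policy=POLICY) -> str:
    """Most firewalls stop at the first hit, so the same list is walked
    most-specific-first (reversed) to give identical verdicts."""
    for action, cond in reversed(policy):
        if cond(r):
            return action
    return "deny"
```

Loading the exceptions into a first-match firewall in the order the slide lists them would make the initial "deny all" swallow every request, so ordering is the first thing to check when a policy is translated into rules.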
40 FIREWALL SOLUTIONS
41 Solutions Disguised as Software
- Windows as a firewall
- A Personal Firewall
- Enterprise Firewalls
42 Windows as a Firewall
43 BUT
- No stateful packet filters
- No application proxies
- No monitoring or logging
- No firewall mindset
44 Dangers of Older Windows OS
Win 95, 98 and ME
- File and Printer sharing
  - Easy to misuse for remote administration
  - Should disable the sharing component for the dial-up adapter (unbinding)
- PPTP Client
  - All Windows OS products support VPN
  - Requires closer monitoring of those computers
  - PPTP replaced by L2TP on Windows 2000 and XP
45 The Latest Windows Networking System
Windows 2000
- Better packet filtering capabilities
  - TCP/IP Filtering in the Network Control Panel Console
  - Input filters and output filters per network interface
  - Input filters and output filters per remote access policy
  - Block and permit filters in an IPSec policy
- More flexible NAT implementation
  - Simplified version from Windows 98SE
  - More configurable version that can be installed in the Routing and Remote Access console
46 The Latest Windows Networking System
Windows 2000
- Support for L2TP VPN Protocol
- Considered more secure than PPTP
- Support for IPSec encrypted traffic
47 Personal Firewalls
- ZoneAlarm
  - Free for single computer
  - Provides three security levels
  - Two network zones (local and internet)
  - Trusted Application list created via Program Alerts
  - Lock option to block internet activity after specified period of inactivity
  - Works on any Windows OS from 95 on up
- BlackICE
  - 40 for single user
  - Intrusion detection over outgoing-traffic blockage
  - Four predefined protection levels (paranoid, nervous, cautious and trusting)
  - Two packet filtering levels (IDS and Firewall)
  - Intrusion alert can vary from icon indication to information collection to complete blockage
  - Also any Windows OS from 95 up
48 Solutions Disguised as Hardware
Firewall Appliances
49 What's a Firewall Appliance?
- No moving parts, no hard drive, no boot-up and no crashing (hopefully)
- Can be placed between the network and the Internet or within a network structure (departmentalized)
- Replaces software firewalls (with exceptions)
- Turn-key approach
50 What's Available
At the Enterprise Level
TOP MODELS INCLUDE:
- Lucent's VPN Gateway V2.0
- Radguard Inc's clPro-HQ
- Sonic Systems Inc's SonicWALL PRO
- WatchGuard Technologies Inc's WatchGuard LiveSecurity System
51 What's Available
At the Home Office/Small Office Level
TOP MODELS INCLUDE:
- Sonic Systems Inc's SonicWALL Soho2
- WatchGuard Technologies Inc's WatchGuard SOHO/tc
52 Summary
- Firewalls are not a complete security solution. Certain threats (such as malicious insiders, completely new threats, or new viruses) are outside the control of the firewall. You need to figure out other ways to protect against these threats. But firewalls offer excellent protection against network threats.
- Firewalls only work within a complete system of security where policies have been defined and implemented throughout the enterprise, regardless of size.
53 More Information
Sites to Visit
- The SANS Institute
- CERT/CC
- Microsoft Security
- ICSA Labs
- InfoSysSec Security Patrol
- SecurityFocus.com
- Firewallguide.com