Title: Ch12: Electronic Mail Security
1 Firewalls
2 Outline
- Firewall design principles
- Firewall characteristics
- Types of firewalls
- Firewall configurations
- Trusted systems
- Data access control
- The concept of trusted systems
- Trojan horse defense
3 Firewalls
- An effective means of protecting a local system or a network of systems from network-based security threats while still affording access to the outside world via WANs or the Internet
4 Firewall Design Principles
- Evolution of information systems
  - Centralized system
    - A central mainframe with directly connected terminals
  - LAN
    - Interconnecting PCs, servers, terminals and a mainframe
  - Premises network
    - Consisting of LANs
  - Enterprise-wide network
    - Consisting of distributed premises networks interconnected by a private WAN
  - Internet connectivity
    - Consisting of various premises networks all hooked into the Internet
5 Firewall Design Principles
- Internet firewalls
  - Internet connectivity is no longer optional for most organizations
  - Strong security features on every workstation and server are not established (not practical)
  - The firewall is inserted between the premises network and the Internet to establish a controlled link
- Aims of a firewall
  - Protecting the premises network from Internet-based attacks
  - Providing a single choke point (where security and audit can be imposed)
6 Firewall Characteristics
- Design goals
  - All traffic from inside to outside, and vice versa, must pass through the firewall (physically blocking all access to the local network except via the firewall)
  - Only authorized traffic (as defined by the local security policy) will be allowed to pass
  - The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
7 Firewall Characteristics
- General techniques
  - Service control
    - Determines the types of Internet services that can be accessed, inbound or outbound (filtering on IP address and service port, e.g. Web or e-mail service)
  - Direction control
    - Determines the direction in which particular service requests are allowed to flow through the firewall
  - User control
    - Controls access to a service according to which user is attempting to access it (both local users and external users)
  - Behavior control
    - Controls how particular services are used (e.g. filtering e-mail to eliminate spam)
8 Firewall Characteristics
- Firewall capabilities
  - Defines a single choke point (security capabilities are consolidated on a single system)
  - Provides a location for monitoring security-related events (auditing, alarming)
  - Provides a convenient platform for some Internet functions (e.g. address translation, logging Internet usage)
  - Can serve as the platform for IPsec (used to implement VPNs)
- Firewall limitations
  - Cannot protect against attacks that bypass it (e.g. dial-up access)
  - Does not protect against internal threats (e.g. a disgruntled employee)
  - Cannot protect against the transfer of virus-infected programs or files (because so many operating systems and applications are supported inside, it is impractical to scan all incoming files, e-mails, etc.)
9 Types of Firewalls
- Three common types of firewalls
  - Packet-filtering routers
  - Application-level gateways
  - Circuit-level gateways
- Bastion host (the hardened platform on which an application-level or circuit-level gateway runs)
10 Packet-Filtering Router
- Filtering by rules
  - Applies a set of rules to each IP packet and then forwards or discards the packet (in both directions)
  - The packet filter is typically set up as a list of rules based on matches to fields in the IP or transport (TCP or UDP) header
  - If a match to a rule is found, the rule is invoked
  - If no match is found, a default policy is taken
- Default policies
  - Discard: discard if not expressly permitted (trade-off: lower ease of use, higher security; every new service must be explicitly enabled)
  - Forward: forward if not expressly prohibited (trade-off: higher ease of use, lower security; the administrator must anticipate and block each threat)
11 Packet-Filtering Router
- Example A: Inbound mail is allowed, but only to a gateway host. However, mail from host SPIGOT is blocked.
- Example B: Explicit statement of the default policy (a block-everything rule, which every rule set implicitly ends with).
- Example C: Any inside host can send mail to the outside. The problem with this rule is that the use of port 25 for SMTP receipt is only a default: an outside machine could bind some other application to port 25, and as the rule is written an attacker could reach internal machines by sending packets with a TCP source port of 25.
12 Packet-Filtering Router
- Example D: This rule set achieves the intended result that was not achieved in C by taking advantage of a feature of TCP connections: every segment of an established connection carries the ACK flag, and only the first SYN does not. Inbound packets from port 25 are therefore accepted only when ACK is set, so an outsider cannot open a new connection from that port.
- Example E: This rule set is one approach to handling FTP-like services that use two connections (a control connection and a data connection). The third rule allows packets destined for a high-numbered port (i.e. a non-server port) on an internal machine.
13 Packet-Filtering Router
- Advantages
  - Simplicity
  - Transparency to users
  - High speed
- Disadvantages
  - Difficulty of dealing with applications at the packet-filtering level
  - Difficulty of setting up packet filter rules correctly
  - Lack of authentication
14 Packet-Filtering Router
- Possible attacks vs. countermeasures
  - IP address spoofing
    - The attacker replaces the source address of packets with the address of a trusted internal host
    - Countermeasure: discard packets with an inside source address if the packet arrives on an external interface
  - Source routing attacks
    - The source station specifies the route that a packet should take as it crosses the Internet (in the hope that this will bypass security measures)
    - Countermeasure: discard all packets that use the source route option
  - Tiny fragment attacks
    - The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate fragment (in the hope that only the first fragment is examined and the remaining ones are passed through)
    - Countermeasure: discard all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1
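The rule-set examples and the two header-level countermeasures above can be exercised with a small stateless filter. This is an added example, not code from the slides: it models rule sets A, C and D in source/destination form (first matching rule wins, then the default policy), and the addresses are constructed (172.29.16.0/24 stands for "our" network as in the ipfwadm appendix, OUR_GW and SPIGOT are illustrative hosts, and 203.0.113.0/24 is the RFC 5737 documentation range).

```python
"""Toy stateless packet filter in the style of the slides' rule-set examples.

Added example, not part of the original slides. All packets here are TCP,
so the tiny-fragment check does not need a protocol field.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

OUR_NET = ip_network("172.29.16.0/24")   # constructed "inside" network
OUR_GW = "172.29.16.25"                  # constructed mail gateway of Example A
SPIGOT = "203.0.113.66"                  # constructed untrusted outside host of Example A


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False          # TCP ACK flag: clear only on the first SYN of a connection
    frag_offset: int = 0       # IP fragment offset (8-byte units)
    iface: str = "ext"         # "ext" = arrived on the Internet side, "int" = from inside


@dataclass
class Rule:
    action: str                # "allow" or "block"
    src: str = "*"             # "*", "OUR" (any inside host) or a literal address
    sport: str = "*"           # "*", a port number, or ">1024"
    dst: str = "*"
    dport: str = "*"
    ack: Optional[bool] = None  # None = don't care, True = ACK must be set
    comment: str = ""


def _host_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "OUR":
        return ip_address(addr) in OUR_NET
    return pattern == addr


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def decide(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Return 'allow' or 'block' for pkt; `default` applies when no rule matches."""
    # Countermeasures from the "possible attacks" slide, checked before the rule list.
    if pkt.iface == "ext" and ip_address(pkt.src) in OUR_NET:
        return "block"         # IP spoofing: inside source address on the external interface
    if pkt.frag_offset == 1:
        return "block"         # tiny fragment: offset 1 means the TCP header was split off
    for r in rules:            # first match wins
        if (_host_match(r.src, pkt.src) and _port_match(r.sport, pkt.sport)
                and _host_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)
                and (r.ack is None or r.ack == pkt.ack)):
            return r.action
    return default             # "discard if not expressly permitted"


# Example A: inbound mail only to the gateway host, and nothing at all from SPIGOT.
RULESET_A = [
    Rule("block", src=SPIGOT, comment="we don't trust these people"),
    Rule("allow", dst=OUR_GW, dport="25", comment="connection to our SMTP port"),
]

# Example C in source/destination form: inside hosts may reach "their" port 25 and
# anything from port 25 may come back. The second rule is the hole: an outsider who
# sends from source port 25 matches it even when opening a brand-new connection.
RULESET_C = [
    Rule("allow", src="OUR", dport="25", comment="our packets to their SMTP port"),
    Rule("allow", sport="25", dst="OUR", comment="replies from their SMTP port"),
]

# Example D: the reply rule additionally requires ACK, which a connection-opening
# SYN does not carry, so port 25 can no longer be used to call in.
RULESET_D = [
    Rule("allow", src="OUR", dport="25", comment="our packets to their SMTP port"),
    Rule("allow", sport="25", ack=True, comment="their replies"),
]

# Constructed traffic: an outbound mail connection, its reply, an inbound connection
# attempt that abuses source port 25, a spoofed packet and a tiny fragment.
OUTBOUND_SYN = Packet("172.29.16.10", 40000, "203.0.113.5", 25, ack=False, iface="int")
REPLY_ACK = Packet("203.0.113.5", 25, "172.29.16.10", 40000, ack=True, iface="ext")
CALL_IN_FROM_25 = Packet("203.0.113.99", 25, "172.29.16.10", 4444, ack=False, iface="ext")
SPOOFED = Packet("172.29.16.50", 25, "172.29.16.10", 4444, ack=True, iface="ext")
TINY_FRAG = Packet("203.0.113.5", 25, "172.29.16.10", 40000, ack=True, frag_offset=1)

if __name__ == "__main__":
    for name, rules in (("C", RULESET_C), ("D", RULESET_D)):
        for pkt in (OUTBOUND_SYN, REPLY_ACK, CALL_IN_FROM_25, SPOOFED, TINY_FRAG):
            print(name, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", decide(rules, pkt))
```

Running it shows the point of Example D: rule set C lets CALL_IN_FROM_25 through, rule set D blocks it while still passing the legitimate reply, and the spoofed and tiny-fragment packets are dropped before any rule is consulted.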
15 Application-Level Gateway
- Also called a proxy server
- Acts as a relay of application-level traffic
- If the gateway does not implement the proxy code for a specific application, the service is not supported
- The gateway can be configured to support only specific features of an application
- Authentication: the user is asked for the name of the remote host, a valid user ID and authentication information
16 Application-Level Gateway
- Advantages
  - More secure than packet filters
  - Only needs to scrutinize a few allowable applications (rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level)
  - Easy to log and audit all incoming traffic at the application level
- Disadvantages
  - Additional processing overhead on each connection (as the splice point, the gateway must examine and forward all traffic in both directions)
17 Circuit-Level Gateway
- Types of circuit-level gateway
  - A stand-alone system
  - A specialized function performed by an application-level gateway
- Security function
  - The gateway sets up two TCP connections (inside host to gateway, gateway to outside host) and relays TCP segments between them without examining the contents
  - The gateway determines which connections will be allowed
18 Circuit-Level Gateway
- Use of a circuit-level gateway
  - A situation in which the system administrator trusts the internal users
  - The gateway can be configured to support
    - Application-level or proxy service on inbound connections (incurs the overhead of examining incoming application data for forbidden functions)
    - Circuit-level functions for outbound connections (does not incur that overhead on outgoing data)
19 Circuit-Level Gateway
- Example implementation: the SOCKS package
  - Defined in RFC 1928 (SOCKS version 5)
- SOCKS components
  - The SOCKS server (runs on a UNIX-based firewall)
  - The SOCKS client library (runs on internal hosts)
  - SOCKS-ified versions of several clients (such as FTP and TELNET)
- SOCKS procedure
  - The client opens a TCP connection to the SOCKS port (TCP 1080) on the SOCKS server
  - The client performs authentication with the negotiated method
  - The client sends a relay request
  - After evaluating the request, the SOCKS server either establishes the connection or denies it
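The four-step procedure above is the RFC 1928 message exchange. The following added example (not code from the slides or from any SOCKS implementation) builds both sides' messages byte for byte and runs the exchange in memory; the server's allowed-port policy, the bound address it reports and the destinations used are constructed.

```python
"""SOCKS5 (RFC 1928) negotiation, request and reply, both sides, in memory.

Added example. Only CONNECT with IPv4 or domain-name addresses is handled;
the outbound policy and bound address are constructed for the demonstration.
"""
import struct
from ipaddress import IPv4Address

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # method codes
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08


# --- steps 1 and 2: the client connects to port 1080 and negotiates a method ---
def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS: the methods the client is willing to use."""
    return bytes([VER, len(methods), *methods])


def server_select_method(greeting: bytes, accepted=(USERPASS, NO_AUTH)) -> bytes:
    """VER | METHOD: first server-accepted method the client offered, else 0xFF."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = set(greeting[2:2 + greeting[1]])
    for m in accepted:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])   # client must close the connection


# --- step 3: the relay request ---
def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. A hostname is sent as ATYP=3 so
    the proxy, not the internal client, performs the DNS lookup."""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req: bytes):
    ver, cmd, rsv, atyp = req[:4]
    if ver != VER or rsv != 0x00:
        raise ValueError("malformed SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, end = str(IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        return cmd, None, None               # IPv6 not handled in this example
    (port,) = struct.unpack("!H", req[end:end + 2])
    return cmd, host, port


# --- step 4: the server evaluates the request and replies ---
ALLOWED_PORTS = {25, 80, 443}                # constructed outbound policy
BOUND = ("172.29.16.1", 40001)               # constructed BND.ADDR / BND.PORT


def server_reply(rep: int, bind=("0.0.0.0", 0)) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + IPv4Address(bind[0]).packed
            + struct.pack("!H", bind[1]))


def server_evaluate(req: bytes) -> bytes:
    cmd, host, port = parse_request(req)
    if host is None:
        return server_reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return server_reply(REP_CMD_UNSUPPORTED)
    if port not in ALLOWED_PORTS:
        return server_reply(REP_NOT_ALLOWED)     # "connection not allowed by ruleset"
    return server_reply(REP_SUCCEEDED, BOUND)    # relay established; data may now flow


def reply_code(reply: bytes) -> int:
    if reply[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def socks_session(host: str, port: int) -> int:
    """Run the whole procedure in memory and return the REP code the client sees."""
    chosen = server_select_method(client_greeting((NO_AUTH,)))
    if chosen[1] == NO_ACCEPTABLE:
        raise RuntimeError("no acceptable authentication method")
    return reply_code(server_evaluate(client_connect_request(host, port)))


if __name__ == "__main__":
    print(client_connect_request("203.0.113.5", 25).hex())
    print("SMTP:", socks_session("203.0.113.5", 25), "telnet:", socks_session("203.0.113.5", 23))
```

The policy decision lives entirely in `server_evaluate`: the gateway never looks at the relayed data, only at who is asking to connect where, which is exactly the circuit-level trust model the preceding slides describe.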
20 Bastion Host
- A system identified by the firewall administrator as a critical strong point in the network's security
- It serves as a platform for an application-level or circuit-level gateway
21 Bastion Host
- Common characteristics
  - A trusted system with a secure OS
  - Only the services considered essential are installed
  - Additional authentication is required to access the proxy services
  - Each proxy is configured to support only a subset of the standard application's command set
  - Each proxy is configured to allow access only to specific hosts
  - Each proxy maintains detailed audit information
  - Each proxy module is a very small software package specifically designed for network security
  - Each proxy is independent of the other proxies
  - A proxy generally performs no disk access other than to read its initial configuration file
  - Each proxy runs as a nonprivileged user in a private and secured directory
22 Firewall Configurations
- In addition to the simple configuration of a single system (a single packet-filtering router or a single gateway), more complex configurations are possible
- Three common configurations
  - Screened host firewall with single-homed bastion
  - Screened host firewall with dual-homed bastion
  - Screened subnet firewall
23 Screened Host Firewall, Single-Homed Bastion
- Consists of two systems
  - A packet-filtering router
    - Configured so that only packets from and to the bastion host are allowed to pass through
  - A bastion host
    - Performs authentication and proxy functions
24 Screened Host Firewall, Single-Homed Bastion
- Advantages
  - Greater security than single-system configurations
    - This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
    - An intruder must generally penetrate two separate systems
  - Flexibility in providing direct Internet access
    - For a public information server (such as a Web server), the router can be configured to allow direct traffic from the Internet
- Disadvantages
  - If the router is completely compromised, traffic could flow directly through the router between the Internet and the private network, bypassing the bastion host
25 Screened Host Firewall, Dual-Homed Bastion
- Physically prevents the security breach of the previous configuration
  - The bastion host has one interface on each side, so traffic between the Internet and other hosts on the private network has to flow through it
- The advantages of the previous configuration are present here as well
26 Screened Subnet Firewall
- The most secure configuration of the three
- Two packet-filtering routers are used, creating an isolated subnet between them
- Advantages
  - Three levels of defense to thwart intruders
  - The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
  - The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
27 Trusted Systems
- One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
28 Data Access Control
- Access control by the OS
  - Through the user access control procedure (log-on), a user is identified to the system
  - Associated with each user there can be a profile that specifies permissible operations and file accesses
  - The operating system can enforce rules based on the user profile (and may grant a user permission to access a file or use an application with no further security checks)
- Access control by the DBMS
  - The previous scheme is not sufficient for a system whose database holds sensitive data
  - The DBMS must control access to specific records or even portions of records in the database
29 Data Access Control
- Access control models
  - Access matrix
  - Access control list
  - Capability list (capability tickets)
30 Access Matrix
- A general model of access control
- Basic elements
  - Subject: an entity capable of accessing objects (generally a process representing a user or application that gains access to an object)
  - Object: anything to which access is controlled (e.g. files, portions of files, programs and segments of memory)
  - Access right: the way in which an object is accessed by a subject (e.g. read, write and execute)
31 Access Control List
- Decomposition of the access matrix by columns (one list per object)
- An access control list lists users (processes) and their permitted access rights
- The list may contain a default or public entry that defines the default set of rights for users not explicitly listed
32 Capability List
- Decomposition of the access matrix by rows (one list per user)
- A capability list (ticket) specifies the authorized objects and operations for a user (process)
- Each user has a number of tickets and may be authorized to loan or give them to others
- Management of tickets
  - Tickets may be dispersed around the system, which is a serious security problem
  - The ticket must be unforgeable
  - One solution: the OS holds all tickets in a region of memory inaccessible to users
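The two decompositions of the access matrix, and the unforgeability requirement on tickets, can be made concrete in a few lines. This is an added example, not code from the slides: the subjects, objects and rights are constructed, and the MAC-tagged ticket is one standard way to make a ticket that users may hold and pass around unforgeable; the slides' own answer is to keep tickets in OS-only memory.

```python
"""Access matrix -> ACLs (by column) and capability lists (by row), plus tamper-
evident capability tickets. Added example with constructed data."""
import hashlib
import hmac
import json
import secrets

# Constructed access matrix: (subject, object) -> set of rights.
# The "*" row is the ACL's default/public entry, not a real subject.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write"},
    ("bob", "backup.sh"): {"execute"},
    ("*", "report.txt"): {"read"},
}


def to_acls(matrix):
    """Column decomposition: object -> {subject: rights}."""
    acls = {}
    for (subj, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_capability_lists(matrix):
    """Row decomposition: subject -> {object: rights}."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        if subj != "*":
            caps.setdefault(subj, {})[obj] = set(rights)
    return caps


def acl_permits(acls, subj, obj, right) -> bool:
    """Look the subject up in the object's ACL; fall back to the public entry."""
    entry = acls.get(obj, {})
    return right in entry.get(subj, entry.get("*", set()))


# --- capability tickets ---
# Assumed: the key lives only inside the OS. A ticket a user can read (and hand to
# others) carries a MAC, so editing its rights field is detected on presentation.
_TICKET_KEY = secrets.token_bytes(32)


def issue_ticket(subj, obj, rights) -> bytes:
    body = json.dumps({"subject": subj, "object": obj, "rights": sorted(rights)},
                      sort_keys=True).encode()
    tag = hmac.new(_TICKET_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag          # the tag is hex, so the last "." is the separator


def ticket_permits(ticket: bytes, obj, right) -> bool:
    body, sep, tag = ticket.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(_TICKET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False                  # forged or tampered ticket
    fields = json.loads(body)
    return fields["object"] == obj and right in fields["rights"]


def forge_attempt(ticket: bytes, extra_right: str) -> bytes:
    """What a user who edits their own ticket produces (constructed attack)."""
    body, _, tag = ticket.rpartition(b".")
    fields = json.loads(body)
    fields["rights"] = sorted(set(fields["rights"]) | {extra_right})
    return json.dumps(fields, sort_keys=True).encode() + b"." + tag


ACLS = to_acls(MATRIX)
CAPS = to_capability_lists(MATRIX)

if __name__ == "__main__":
    t = issue_ticket("alice", "report.txt", CAPS["alice"]["report.txt"])
    print("genuine ticket, write:", ticket_permits(t, "report.txt", "write"))
    print("forged ticket, write:", ticket_permits(forge_attempt(t, "write"), "report.txt", "write"))
```

The same matrix answers the same questions either way; the difference is where the lookup happens (at the object for ACLs, with the subject for capabilities), which is why capabilities need protection against forgery and ACLs do not.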
33 The Concept of Trusted Systems
- Multilevel security
  - Definition of multiple categories or levels of data
  - Commonly found in the military (information categories: unclassified, confidential, secret, top secret)
  - A subject at a high level may not convey information to a subject at a lower or noncomparable level unless that flow accurately reflects the will of an authorized user
- Two rules of multilevel security
  - No read up: a subject can only read an object of lesser or equal security level (simple security property)
  - No write down: a subject can only write into an object of greater or equal security level (*-property, read "star property")
34 The Concept of Trusted Systems
- Reference monitor concept
  [Figure: reference monitor mediating subject-to-object access; multilevel security for a data processing system]
35 The Concept of Trusted Systems
- Reference monitor
  - The controlling element in the hardware and OS of a computer that regulates the access of subjects to objects on the basis of security parameters
  - Accesses the security kernel database
  - Enforces the security rules (no read up, no write down)
- Security kernel database
  - A file that lists
    - Security clearance: the access privileges of each subject
    - Classification level: the protection attributes of each object
- Audit file
  - Stores important security events, such as
    - Detected security violations
    - Authorized changes to the security kernel database
36 The Concept of Trusted Systems
- Reference monitor properties
  - Complete mediation: the security rules are enforced on every access
    - Every access to data in memory, on disk and on tape must be mediated
    - A pure software implementation carries too high a performance penalty (hence hardware support)
  - Isolation: the reference monitor and its database are protected from unauthorized modification
    - It must not be possible for an attacker to change the logic of the reference monitor or the contents of the security kernel database
  - Verifiability: the reference monitor's correctness must be provable
    - It must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation
37 The Concept of Trusted Systems
- Trusted system
  - A system that can provide such verification
- The Commercial Product Evaluation Program
  - The Computer Security Center (within the NSA) evaluates commercially available products as meeting the security requirements
  - The center classifies evaluated products according to the range of security features provided
  - The evaluations are needed for DoD procurements but are published and freely available
  - The evaluations can serve as guidance to customers for the purchase of commercial equipment
38 Trojan Horse Defense
[Figure: Trojan horse attack on a system with ordinary file permissions; RW marks read/write access to the files]
39 Trojan Horse Defense
- Secure, trusted operating systems
  - One way to secure against Trojan horse attacks
[Figure: the same scenario under a secure operating system; RW marks read/write access to the files]
- Security level assignment
  - Bob and Bob's data file: Sensitive (higher)
  - Alice and Alice's data file: Public (lower)
- When the Trojan horse program (running with Bob's identity and level) attempts to store the string in the back-pocket file
  - The *-property (no write down rule) is violated
  - The attempt is disallowed by the reference monitor
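The two multilevel-security rules, the reference monitor with its kernel database and audit file, and the Trojan horse scenario above fit in one small model. This is an added example, not code from the slides: the level names, file names and the ordinary permission bits on the back-pocket file are constructed, and the monitor is a plain Python class rather than a kernel component.

```python
"""Reference monitor enforcing no-read-up / no-write-down, applied to the
Bob / Alice Trojan horse scenario. Added example with constructed data."""

LEVELS = {"public": 0, "sensitive": 1}     # constructed linear ordering (lower < higher)


class ReferenceMonitor:
    """Every read and write passes through here (complete mediation). It consults
    its security kernel database (clearances, classifications) and records every
    decision in an audit file."""

    def __init__(self):
        self.clearance = {}        # subject -> level
        self.classification = {}   # object -> level
        self.audit = []            # (operation, subject, object, allowed)

    def add_subject(self, subj, level):
        self.clearance[subj] = LEVELS[level]

    def add_object(self, obj, level):
        self.classification[obj] = LEVELS[level]

    def _record(self, op, subj, obj, allowed):
        self.audit.append((op, subj, obj, allowed))
        return allowed

    def read(self, subj, obj) -> bool:
        # simple security property (no read up): level(subject) >= level(object)
        return self._record("read", subj, obj, self.clearance[subj] >= self.classification[obj])

    def write(self, subj, obj) -> bool:
        # *-property (no write down): level(subject) <= level(object)
        return self._record("write", subj, obj, self.clearance[subj] <= self.classification[obj])


# Ordinary permission bits alone, as in the first figure: Alice made her
# back-pocket file readable and writable by everyone.
PERMS = {
    "bob_data": {"bob": {"read", "write"}},
    "back_pocket": {"alice": {"read", "write"}, "*": {"read", "write"}},
}


def perms_permit(obj, subj, right) -> bool:
    p = PERMS[obj]
    return right in p.get(subj, set()) or right in p.get("*", set())


def trojan_horse_scenario():
    """Bob runs a program Alice wrote. It executes with Bob's identity and level,
    reads Bob's file and tries to copy the string into Alice's back-pocket file."""
    rm = ReferenceMonitor()
    rm.add_subject("bob", "sensitive")
    rm.add_subject("alice", "public")
    rm.add_object("bob_data", "sensitive")
    rm.add_object("back_pocket", "public")

    runs_as = "bob"
    outcome = {
        # with permission bits alone the leak works: Bob may read his file and
        # anyone may write the back-pocket file
        "perms_read": perms_permit("bob_data", runs_as, "read"),
        "perms_write": perms_permit("back_pocket", runs_as, "write"),
        # under the reference monitor the read is fine but the write is a write down
        "mls_read": rm.read(runs_as, "bob_data"),
        "mls_write": rm.write(runs_as, "back_pocket"),
        # Alice can read her own public file but cannot read up into Bob's
        "alice_reads_back_pocket": rm.read("alice", "back_pocket"),
        "alice_reads_bob_data": rm.read("alice", "bob_data"),
    }
    outcome["denials_audited"] = [e for e in rm.audit if not e[3]]
    return outcome


if __name__ == "__main__":
    for k, v in trojan_horse_scenario().items():
        print(f"{k}: {v}")
```

The decisive line is `mls_write`: the Trojan horse's own identity is irrelevant, because it inherits Bob's level and the *-property forbids any sensitive-level process from writing a public-level object, whatever the permission bits say.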
40 Appendix A1 Firewall Products
[Table of firewall products; legend: PS = Proxy Service, FW = Firewall]
41 Appendix A2 LINUX Firewall
- Original IP firewall (2.0 kernels) configuration with the ipfwadm utility
- Categories
  - -I  Input rule
  - -O  Output rule
  - -F  Forwarding rule
- Commands
  - -a policy  Append a new rule
  - -i policy  Insert a new rule
  - -d policy  Delete an existing rule
  - -p policy  Set the default policy
  - -l  List all existing rules
  - -f  Flush all existing rules
- Policies
  - accept  Allows matching datagrams to be received, forwarded, or transmitted
  - deny  Blocks matching datagrams from being received, forwarded, or transmitted
  - reject  Blocks matching datagrams from being received, forwarded, or transmitted, and sends an ICMP error message back
- Parameters
  - -P protocol  Can be tcp, udp, icmp, or all (e.g. -P tcp)
  - -S address/mask [port ...]  Source IP address (and optional ports) that this rule will match (e.g. -S 172.29.16.1/24 ftp ftp-data)
  - -D address/mask [port ...]  Destination IP address (and optional ports) that this rule will match (e.g. -D 172.29.16.1/24 smtp)
  - -V address  Address of the network interface on which the packet is received (-I) or is being sent (-O) (e.g. -V 172.29.16.1)
  - -W name  Name of the network interface (e.g. -W ppp0)
- Options
  - -b  Bidirectional mode (the rule matches in both directions)
  - -o  Enables logging of matching datagrams to the kernel log
  - -y  Matches TCP connection-request datagrams (SYN set, ACK clear)
  - -k  Matches TCP acknowledgement datagrams (ACK set)
42 Appendix A2 LINUX Firewall
- Example (the configuration script on the following slides implements this policy by listing ftp and ftp-data in TCPOUT but not in TCPIN)
  - We want our internal network users to be able to log into FTP servers on the Internet to read and write files. But we don't want people on the Internet to be able to log into our FTP servers.
  - We know that FTP uses two TCP ports
    - Port 20: ftp-data
    - Port 21: ftp
43 Appendix A2 LINUX Firewall
- Firewall configuration script (slides 43 and 44, reassembled in running order; the extraction had dropped the `#`, `=` and `$` characters, and the two ICMP rules referred to the UDP port lists instead of ICMPIN/ICMPOUT, which is corrected here)

```bash
#!/bin/bash
##########################################################################
# IPFWADM VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipfwadm utility. Use ipfwadm-wrapper for 2.2 kernels.
IPFWADM=ipfwadm

# The path to the ipfwadm executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################

# Flush the Incoming table rules
$IPFWADM -I -f

# We want to deny incoming access by default.
$IPFWADM -I -p deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPFWADM -I -a deny -S $OURNET -W $ANYDEV

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95% of all valid TCP packets.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing tcp connection requests on allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# (The slide text had $UDPIN here; $ICMPIN is what the ICMPIN setting above is for.)
$IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $ICMPIN

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# (Likewise $UDPOUT on the slide; corrected to $ICMPOUT.)
$IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $ICMPOUT

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default rule and are dropped.
# They will be logged if you've configured the LOGGING variable above.
if [ "$LOGGING" ]
then
  # Log barred TCP
  $IPFWADM -I -a reject -P tcp -o
  # Log barred UDP
  $IPFWADM -I -a reject -P udp -o
  # Log barred ICMP
  $IPFWADM -I -a reject -P icmp -o
fi
#
# end.
```
45 Appendix B TCSEC
- TCSEC (Trusted Computer System Evaluation Criteria)
  - Published 1985 by the DoD
  - The "Orange Book" (DoD 5200.28-STD)
  - Defines 7 levels of security
    - D, C1, C2, B1, B2, B3, A1
  - Basis of
    - ITSEC (Information Technology Security Evaluation Criteria), EU
    - CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), Canada
    - CC (Common Criteria)
      - ISO standard (ISO/IEC 15408)
      - Based on TCSEC, ITSEC and CTCPEC
- TNI (Trusted Network Interpretation of TCSEC)
  - Published 1987
  - The "Red Book" (parts 1 and 2)