Distributed Systems - Paul Krzyzanowski

Distributed Systems
28. Firewalls and Virtual Private Networks
Paul Krzyzanowski
Rutgers University
Fall 2015
November 23, 2015
© 2013-2015 Paul Krzyzanowski
1
Firewalls
Network Security Goals
• Confidentiality: sensitive data & systems not accessible
• Integrity: data not modified during transmission
• Availability: systems should remain accessible
[Figure: the Internet connected through a gateway router to the internal subnet. Dragon artwork by Jim Nelson. © 2012 Paizo Publishing, LLC. Used with permission.]
Firewall
• Separate your local network from the Internet
– Protect the border between trusted internal networks and the
untrusted Internet
• Approaches
– Packet filters
– Application proxies
– Intrusion detection / intrusion protection systems
Screening router
• Border router (gateway router)
– Router between the internal network(s) and external network(s)
– Any traffic between internal & external networks passes through the
border router
Instead of just routing the packet, decide whether to route it
• Screening router = Packet filter
Allow or deny packets based on:
– Incoming interface, outgoing interface
– Source IP address, destination IP address
– Source TCP/UDP port, destination TCP/UDP port, ICMP command
– Protocol (e.g., TCP, UDP, ICMP, IGMP, RSVP, etc.)
Filter chaining
• An IP packet entering a router is matched against a set of
rules (chain)
• Each rule contains criteria and an action
– Criteria: packet screening rule
– Actions
• Accept – pass the packet and stop processing additional rules
• Drop – discard the packet and stop processing additional rules
• Reject – discard the packet and send an error to the sender (ICMP Destination Unreachable)
• Continue – continue evaluating rules
Network Ingress Filtering
Basic firewalling principle
Never have a direct inbound connection from the originating host
from the Internet to an internal host
• Determine which services you want to expose to the Internet
– e.g., HTTP & HTTPS: TCP ports 80 and 443
• Create a list of services and allow only those inbound ports and
protocols to the machines hosting the services.
• "Default deny model" – by default, "deny all"
– Anything not specifically permitted is dropped
– May want to log denies to identify who is attempting access
Network Ingress Filtering
• Disallow IP source address spoofing
– Restrict forged traffic (RFC 2827)
• At the ISP
– Filter upstream traffic - prohibit an attacker from sending traffic from forged
IP addresses
– Attacker must use a valid, reachable source address
• Disallow incoming/outgoing traffic from private, non-routable IP
addresses
• Helps with DDoS attacks such as SYN flooding from lots of invalid
addresses
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 deny ip 224.0.0.0 0.0.0.255 any log
....
access-list 199 permit ip any any
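The chain semantics of the previous slides and this default-deny ingress policy, as an added example that is not part of the original slides: a first-match evaluator with the four actions (Accept, Drop, Reject, Continue), anti-spoofing rules for private source prefixes in the spirit of the access list above, and logging of denies. The interface name, the addresses and the port set are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed example (not from the slides): first-match chain with Accept/Drop/Reject/Continue and a logging default-deny tail.
ACCEPT, DROP, REJECT, CONTINUE = "ACCEPT", "DROP", "REJECT", "CONTINUE"

@dataclass
class Packet:
    iface_in: str
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass
class Rule:
    action: str
    iface_in: Optional[str] = None
    src: Optional[str] = None     # CIDR prefix the source address must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.iface_in is None or self.iface_in == p.iface_in)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(chain: List[Rule], p: Packet, log: List[str]) -> str:
    """Walk the chain: Accept/Drop/Reject end evaluation, Continue only logs and moves on."""
    for r in chain:
        if not r.matches(p):
            continue
        if r.log:
            log.append(f"{r.action} {p.proto} {p.src}->{p.dst}:{p.dport} on {p.iface_in}")
        if r.action != CONTINUE:
            return r.action
    log.append(f"DEFAULT-DENY {p.proto} {p.src}->{p.dst}:{p.dport} on {p.iface_in}")
    return DROP                   # anything not specifically permitted is dropped

# Ingress chain for the border router's Internet-facing interface ("eth0" and the port set are assumed).
INGRESS = [
    Rule(DROP, iface_in="eth0", src="192.168.0.0/16", log=True),       # RFC 2827-style anti-spoofing:
    Rule(DROP, iface_in="eth0", src="10.0.0.0/8", log=True),           # private source addresses never
    Rule(DROP, iface_in="eth0", src="172.16.0.0/12", log=True),        # arrive legitimately from the Internet
    Rule(CONTINUE, iface_in="eth0", proto="tcp", dport=22, log=True),  # record SSH attempts, keep evaluating
    Rule(ACCEPT, iface_in="eth0", proto="tcp", dport=80),              # only the exposed services
    Rule(ACCEPT, iface_in="eth0", proto="tcp", dport=443),
    Rule(REJECT, iface_in="eth0", proto="tcp", dport=113),             # ident: ICMP error instead of a silent drop
]
```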
Network Egress Filtering
• Usually we don’t worry about outbound traffic.
– Communication from a higher security network (internal) to a lower
security network (Internet) is fine
• Why might we want to restrict it?
– Consider: if a web server is compromised & all outbound traffic is
allowed, it can connect to an external server and download more
malicious code
... or launch a DoS attack on the internal network
– Also, log which servers are trying to access external addresses
Stateful Inspection
• Retain state information about a stream of related packets
• Examples
– TCP connection tracking
• Disallow TCP data packets unless a connection is set up
– ICMP echo-reply
• Allow ICMP echo-reply only if a corresponding echo request was sent.
– Related traffic
• Identify & allow traffic that is related to a connection
• Example: related ports in FTP
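An added example (not from the slides) of the TCP connection-tracking and ICMP echo-reply rules above: a small stateful filter that passes TCP segments only on a tracked three-way handshake and passes an echo-reply only if the matching echo-request was seen leaving the network. The direction names, the flag-string encoding and the sample addresses are assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed example, not from the slides: a minimal connection tracker enforcing the two
# stateful rules above: TCP data only on a tracked handshake, and ICMP echo-reply only in
# answer to an echo request that actually left the network.
class StatefulFilter:
    def __init__(self) -> None:
        # Tracked TCP connections keyed by (inside_ip, inside_port, outside_ip, outside_port)
        self.tcp: Dict[Tuple[str, int, str, int], str] = {}
        # Outstanding echo requests keyed by (inside_ip, outside_ip, icmp_id, seq)
        self.pings: Set[Tuple[str, str, int, int]] = set()

    def tcp_packet(self, direction: str, src: str, sport: int, dst: str, dport: int, flags: str) -> bool:
        """direction is "out" (internal -> Internet) or "in". Returns True if the packet passes."""
        key = (src, sport, dst, dport) if direction == "out" else (dst, dport, src, sport)
        state = self.tcp.get(key)
        if direction == "out" and "S" in flags and "A" not in flags:
            self.tcp[key] = "SYN_SENT"            # internal host opens a connection
            return True
        if direction == "in" and state == "SYN_SENT" and "S" in flags and "A" in flags:
            self.tcp[key] = "ESTABLISHED"         # server answered; data may now flow both ways
            return True
        if state == "ESTABLISHED":
            if "R" in flags:
                del self.tcp[key]                 # reset: forget the connection (FIN handling and timeouts omitted)
            return True
        return False   # unsolicited inbound SYN, data for an unknown connection, etc.

    def icmp_packet(self, direction: str, src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bool:
        if direction == "out" and icmp_type == 8:          # echo request leaving the network
            self.pings.add((src, dst, ident, seq))
            return True
        if direction == "in" and icmp_type == 0:           # echo reply arriving
            key = (dst, src, ident, seq)
            if key in self.pings:
                self.pings.discard(key)                    # one reply per request; a replay is dropped
                return True
        return False
```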
Network Design: DMZ
[Figure: a security appliance (screening router) with three interfaces: the Internet, the DMZ subnet and the internal subnet.]
Network Design: DMZ
[Figure: the same security appliance (screening router); an Internet client's traffic is shown reaching the DMZ subnet but not the internal subnet.]
Clients from the Internet:
• Can access allowed services in the DMZ
• Cannot access internal hosts
The router:
• Blocks impersonated packets
Network Design: DMZ
[Figure: the same security appliance; internal-subnet clients are shown reaching both the Internet and the DMZ subnet.]
Clients in the internal subnet:
• Can access the Internet
• Can access allowed services in the DMZ
• May access extra services in the DMZ
Network Design: DMZ
[Figure: the same security appliance; access from DMZ machines to the Internet and to the internal subnet is both marked as restricted.]
Clients in the DMZ:
• Can access Internet services only to the extent required
• Can access internal services only to the extent required
Goal:
Limit possible damage if DMZ machines are compromised
Application-Layer Filtering
• Deep packet inspection
– Look beyond layer 3 & 4 headers
– Need to know something about application protocols & formats
• Example
– URL filtering
• Normal source/destination host/port filtering +
URL pattern/keywords, rewrite/truncate rules, protocol content filters
• Detect ActiveX and Java applets; configure specific applets as trusted
• Filter others from the HTML code
IDS/IPS
• Intrusion Detection/Prevention Systems
– Identify threats and attacks
• Types of IDS
– Protocol-based
– Signature-based
– Anomaly-based
Protocol-Based IDS
• Reject packets that do not follow a prescribed protocol
• Permit return traffic as a function of incoming traffic
• Define traffic of interest (filter), filter on traffic-specific
protocol/patterns
• Examples
– DNS inspection: prevent spoofing DNS replies: make sure they
match IDs of DNS requests
– SMTP inspection: restrict SMTP command set (and command
count, arguments, addresses)
– FTP inspection: restrict FTP command set (and file sizes and file
names)
Signature-based IDS
• Search not for protocol violations but for known exploits of programming flaws
• Match patterns of known “bad” behavior
– Viruses
– Malformed URLs
– Buffer overflow code
Anomaly-based IDS
• Search for statistical deviations from normal behavior
– Measure baseline behavior first
• Examples:
– Port scanning
– Imbalance in protocol distribution
– Imbalance in service access
Application proxies
• Proxy servers
– Intermediaries between clients and servers
– Stateful inspection and protocol validation
[Figure: External client → Proxy server → Real server]
• Dual-homed host
• Bastion host
Virtual Private Networks
Private networks
Connect multiple geographically-separated private subnetworks together
[Figure: internal subnet 192.168.1.0/24 – gateway router – private network line – gateway router – internal subnet 192.168.2.0/24]
What's a tunnel?
Tunnel = Packet encapsulation
[Figure: internal subnet 192.168.1.0/24 – gateway router (68.36.210.57) – Internet – gateway router (128.6.4.2) – internal subnet 192.168.2.0/24]
Original datagram on the private subnet:
From: 192.168.1.11
To: 192.168.2.22
Data: [--------]
Treat an entire IP datagram as payload on the public network:
From: 68.36.210.57
To: 128.6.4.2
Data: [ From: 192.168.1.11 | To: 192.168.2.22 | Data: [--------] ]
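The encapsulation in the figure, as an added example that is not part of the original slides: the inner datagram 192.168.1.11 → 192.168.2.22 is wrapped in an outer datagram 68.36.210.57 → 128.6.4.2 with real IPv4 headers, and the far gateway unwraps it after checking the header. IP-in-IP (protocol 4) is assumed as the encapsulation, since the slide names none.

```python
import socket
import struct

# Constructed example, not from the slides: the two datagrams in the figure above built with
# real IPv4 headers. IP-in-IP (protocol 4, RFC 2003) is assumed as the encapsulation the two
# gateways agree on; the gateway addresses are the ones shown in the figure.
IPPROTO_IPIP = 4

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in the header checksum
    return hdr + payload

def parse(dgram: bytes):
    """Return (src, dst, proto, payload); reject a header whose checksum does not verify."""
    ihl = (dgram[0] & 0x0F) * 4
    if checksum(dgram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(dgram[12:16]), socket.inet_ntoa(dgram[16:20]), dgram[9], dgram[ihl:])

def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Near gateway: the whole inner datagram becomes the payload of a public-network datagram."""
    return ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, my_addr: str) -> bytes:
    """Far gateway: strip the outer header and hand the original datagram to its subnet."""
    src, dst, proto, payload = parse(outer)
    if dst != my_addr or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel datagram addressed to this gateway")
    return payload

if __name__ == "__main__":
    inner = ipv4("192.168.1.11", "192.168.2.22", 17, b"[--------]")   # UDP (17) carried inside
    outer = encapsulate(inner, "68.36.210.57", "128.6.4.2")
    print(parse(outer)[:3], decapsulate(outer, "128.6.4.2") == inner)
```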
Tunnel mode vs. transport mode
• Tunnel mode
– Communication between gateways
– Or a host-to-gateway
– Entire datagram is encapsulated
• Transport mode
– Communication between hosts
– IP header is not modified
IPsec
• Internet Protocol Security
• End-to-end solution at the IP layer
• Two protocols:
– IPsec Authentication Header Protocol (AH)
– IPsec Encapsulating Security Payload (ESP)
IPsec Authentication Header (AH)
• Ensures the integrity & authenticity of IP packets
– Digital signature for the contents of the entire IP packet
– Over unchangeable IP datagram fields (e.g., not TTL or fragmentation)
[Figure: packet layouts. Transport mode: IP | AH | TCP/UDP | Application. Tunnel mode: New IP | AH | IP | TCP/UDP | Application, where IP | TCP/UDP | Application is the original IP packet.]
• Protects against
– Tampering
– Forging addresses
– Replay attacks (signed sequence number in AH)
• Directly on top of IP (protocol 51) - not UDP or TCP
IPsec Encapsulating Security Payload (ESP)
• Encrypts entire payload
– Optional authentication of payload + IP header (everything AH does)
[Figure: packet layouts. Transport mode: IP | ESP header | TCP/UDP | Application | ESP trailer | ESP auth. Tunnel mode: New IP | ESP header | IP | TCP/UDP | Application | ESP trailer | ESP auth. In both layouts the span after the ESP header through the ESP trailer is encrypted, and the span from the ESP header through the ESP trailer is authenticated.]
• Directly on top of IP (protocol 51) - not UDP or TCP
TLS/SSL
• Designed to operate at the transport layer
– Application-to-application VPN
– Public key authentication & key exchange; symmetric encryption
– Provides applications with a socket interface
• SSL VPN
– Can create host-host, host-to-network, or network-network connections
• SSL-based VPNs (e.g., OpenVPN)
– Authentication: pre-shared keys, certificates
– Transport: UDP or TCP
– Multiplex communication stream onto a single TCP or UDP port
– Transport-layer, so works through proxy servers and NAT environments
The End