Firewalls
Posted by : Unknown
Monday, April 22, 2013
INTRODUCTION
Today the Internet is the buzzword of the Information Technology field. The number of Internet-connected systems is growing exponentially, and so securing these interconnected systems is becoming a hard task. Firewalls are a highly effective way of protecting a site from attack. A firewall is a component, or a combination of components (hardware or software), that protects an internal network from an external network such as the Internet. Basically, a firewall keeps intruders out while allowing legitimate communication through. The presence of a firewall at a site greatly reduces the odds that an outside attacker will penetrate the internal network.
FIREWALL:
Basically, a firewall is a protective device, hardware, software or a combination of the two, used to protect:
DATA: the information we keep on the computers.
RESOURCES: the computers themselves.
Packet filtering and proxy services are the two major techniques used in building firewalls. Packet filtering enforces rules (framed according to the security policy of the internal network) on the packets that arrive at a router; during filtering it uses header information from the different layers of the network architecture. Proxy services are special server or application programs that run on a firewall host. They accept users' requests for Internet services and forward them, or refuse them, according to the security policy. Proxy services sit more or less transparently between the users and the Internet, and they can also provide caching.
MOTIVATION:
What a firewall protects:
A firewall is basically a protective device, so the first thing to decide when building one is what we are trying to protect. When we connect to the Internet we put three things at risk:
* Data: the information we keep on the computers
* Resources: the computers themselves
* Reputation: the reputation of the company or organization
Data:
Data has three separate characteristics that need to be protected:
Secrecy: data that we do not want other people to know.
Integrity: data that we do not want other people to change.
Availability: data that we must be able to use whenever we need it. An attacker who can neither read nor alter the data can still make it unusable.
Resources:
The hardware and software resources of the organization. An intruder who gets in can use its machines, disk space and bandwidth for his own purposes.
Reputation:
An intruder may appear on the Internet under another person's identity, and anything he does then appears to come from the person who owns that identity. Most of the time the consequences are simply that other sites, or law enforcement agencies, start calling that person to ask why he is trying to break into their systems.
Types of Attacks:
Intrusion: With an intrusion, the attacker is actually able to use other people's computers. Most attackers want to use other computers as if they were legitimate users.
Denial of Service: A denial of service attack is one that is aimed entirely at preventing others from using their own computers.
Information Theft: Some types of attack allow an attacker to get at data without ever having to directly use the victim's computers.
Approaches to protecting against these kinds of attacks:
People choose from a variety of security models or approaches, ranging from no security at all, through what is called "security through obscurity" and host security, to network security.
No Security:
The simplest possible approach is to put no effort at all into security and run with whatever minimal security the vendor provides.
Security through Obscurity:
With this model, a system is presumed to be secure simply because nobody knows about it: its existence, its contents, its security measures or anything else. This does not hold up in practice, since attackers routinely scan address ranges for systems they have never heard of.
Host Security:
With this model, the security of each host machine is enforced separately, and every effort is made to avoid or alleviate the security problems that might affect that particular host. It does not scale well, because every host must be configured and maintained individually.
Network Security:
With a network security model, the concentration is on controlling network access to the various hosts and the services they offer, rather than on securing them one by one. Network security approaches include building firewalls to protect internal systems and networks, using strong authentication, and using encryption to protect particularly sensitive data as it transits the network.
LITERATURE SURVEY:
VOCABULARY:
Firewall: A component or set of components that restricts access between a protected network and th
Host: A computer system attached to a network.
Bastion Host: A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of the internal network.
Router: The basic device that connects IP networks.
Dual-homed Host: A general-purpose computer system that has at least two network interfaces (or "homes").
Packet Filtering: The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another.
Perimeter Network: A network added between a protected network and an external network in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone.
Proxy Server: A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to the real servers and relay the answers back to the clients.
Interface: Between each pair of adjacent layers, the interface defines the primitive operations and services the lower layer offers to the upper layer.
FIREWALL COMPONENTS
There are basically two firewall components that are used to build a firewall: packet filtering and proxy services.
PACKET FILTERING:
Packet filtering systems route packets between internal and external hosts, but they do it selectively. Using the information in "filtering tables", they allow or block certain types of packets in a way that reflects the site's own security policy. A router that does packet filtering is known as a "screening router".
A screening router performs access control by examining the headers of each packet it is asked to forward. The Internet is based on the TCP/IP architecture, which has four layers: the Application layer, the Transport (host-to-host) layer, the Internet layer and the Network Access layer. A packet carries one header for each of the three lower layers:
1. The Transport layer: TCP or UDP. ICMP messages are carried directly over IP rather than inside TCP or UDP, but packet filters treat ICMP alongside them as a third protocol to match on.
2. The Internet layer: IP.
3. The Network Access layer: Ethernet, Fiber Distributed Data Interface (FDDI) and so on.
The screening router uses information from the first two of these, the transport and Internet headers. The main fields it examines are:
IP source address
IP destination address
Protocol (whether the packet is TCP, UDP or ICMP)
TCP or UDP source port
TCP or UDP destination port
For TCP it can also look at the ACK flag: a packet with ACK clear is the first packet of a new connection, while every later packet in the connection has ACK set, so a rule that requires ACK permits replies without permitting new connections.
In addition, the router knows things about the packet that are not reflected in its headers:
The interface the packet arrived on.
The interface the packet will go out on.
FILTERING TABLE

Rule | Direction | Source address        | Destination address   | SP | DP          | ACK set | Action
-----|-----------|-----------------------|-----------------------|----|-------------|---------|-------
A    | Inbound   | Trusted external host | Internal              | !  | 80 (HTTP)   | Yes     | Permit
B    | Outbound  | Internal              | Trusted external host | !  | 25 (SMTP)   | !       | Permit
C    | Inbound   | Trouble host          | Internal              | !  | 23 (Telnet) | !       | Deny
Z    | !         | !                     | !                     | !  | !           | !       | Deny

! = any value allowed, SP = source port, DP = destination port. Port 23 is Telnet (FTP control is port 21). Rule Z is the catch-all at the end of the table: any packet not matched by rules A to C is denied, so the router fails closed.
Tricks and Tips for Packet Filtering:
1. Packet filtering rules should be edited off-line and then loaded onto the router, rather than changed live on it.
2. The rule set should be reloaded from scratch each time, so that the running configuration never contains leftovers from earlier edits.
3. IP addresses should always be used in rules, never host names. A name has to be resolved through DNS, and a forged or poisoned DNS answer would change what the rule matches.
4. The rules must be applied to each packet in the order given in the table, and the first matching rule decides. The order of the rules is therefore very important: a specific deny placed after a broad permit never takes effect.
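The filtering table and the four tips above, as an added example that is not part of the original page: a small Python simulation of a screening router. Rules are tried in table order, the first match wins, and rule Z is the catch-all deny. The addresses (10.0.0.0/8 for the internal network, 203.0.113.10 for the trusted external host, 198.51.100.7 for the trouble host), the sample packets and the helper names are all assumptions; the page names no addresses. Rule C's port 23 is read as Telnet. The `order_matters` function shows tip 4 directly: the same Telnet packet is denied or permitted depending only on where the deny rule sits.

```python
"""Screening-router simulation: apply a packet-filtering table in order,
first match wins, with an explicit catch-all deny rule at the end."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # the "!" wildcard of the page's filtering table


@dataclass(frozen=True)
class Packet:
    direction: str        # "inbound" (arrived on the external interface) or "outbound"
    src: str              # IP source address
    dst: str              # IP destination address
    sport: Optional[int]  # TCP/UDP source port (None for ICMP)
    dport: Optional[int]  # TCP/UDP destination port
    ack: bool = False     # TCP ACK flag; False on a connection-opening SYN


@dataclass(frozen=True)
class Rule:
    name: str
    direction: Optional[str]
    src: Optional[str]    # CIDR prefix or ANY; an address, never a host name
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    ack: Optional[bool]
    action: str           # "permit" or "deny"

    def __post_init__(self):
        # Tip 3: ip_network() rejects a host name such as "mail.example.com",
        # so a rule written with a name fails when the table is loaded.
        for prefix in (self.src, self.dst):
            if prefix is not ANY:
                ip_network(prefix, strict=False)

    def matches(self, pkt: Packet) -> bool:
        """Every non-wildcard column must agree with the packet's header."""
        if self.direction is not ANY and self.direction != pkt.direction:
            return False
        if self.src is not ANY and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not ANY and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not ANY and self.sport != pkt.sport:
            return False
        if self.dport is not ANY and self.dport != pkt.dport:
            return False
        if self.ack is not ANY and self.ack != pkt.ack:
            return False
        return True


class ScreeningRouter:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.log: List[Tuple[str, str, Packet]] = []  # (rule, action, packet) per decision

    def filter(self, pkt: Packet) -> str:
        # Tip 4: rules are tried in table order and the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                self.log.append((rule.name, rule.action, pkt))
                return rule.action
        self.log.append(("default", self.default, pkt))
        return self.default


# Assumed addresses (RFC 5737 documentation ranges); the page names none.
INTERNAL = "10.0.0.0/8"
TRUSTED_EXTERNAL = "203.0.113.10/32"
TROUBLE_HOST = "198.51.100.7/32"

# The page's filtering table: rules A, B, C and the catch-all Z.
TABLE = [
    Rule("A", "inbound", TRUSTED_EXTERNAL, INTERNAL, ANY, 80, True, "permit"),
    Rule("B", "outbound", INTERNAL, TRUSTED_EXTERNAL, ANY, 25, ANY, "permit"),
    Rule("C", "inbound", TROUBLE_HOST, INTERNAL, ANY, 23, ANY, "deny"),
    Rule("Z", ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]


def decide(pkt: Packet, rules: List[Rule] = TABLE) -> str:
    return ScreeningRouter(rules).filter(pkt)


def order_matters() -> Tuple[str, str]:
    """Same packet, same rules, different order: with a broad inbound permit
    placed before rule C, the trouble host's Telnet packet gets through."""
    telnet = Packet("inbound", "198.51.100.7", "10.1.2.3", 40000, 23)
    permit_all_in = Rule("P", "inbound", ANY, INTERNAL, ANY, ANY, ANY, "permit")
    deny_first = [TABLE[2], permit_all_in, TABLE[3]]
    permit_first = [permit_all_in, TABLE[2], TABLE[3]]
    return decide(telnet, deny_first), decide(telnet, permit_first)


if __name__ == "__main__":
    # Constructed sample traffic, one packet per interesting case.
    samples = [
        Packet("inbound", "203.0.113.10", "10.1.2.3", 51515, 80, ack=True),  # A: permit
        Packet("inbound", "203.0.113.10", "10.1.2.3", 51515, 80),            # SYN, no ACK: Z
        Packet("outbound", "10.1.2.3", "203.0.113.10", 51516, 25),           # B: permit
        Packet("inbound", "198.51.100.7", "10.1.2.3", 40000, 23),            # C: deny
        Packet("inbound", "192.0.2.9", "10.1.2.3", 53, 53),                  # nothing else: Z
    ]
    router = ScreeningRouter(TABLE)
    for p in samples:
        router.filter(p)
    for name, action, p in router.log:
        print(f"rule {name:7s} {action:6s} {p.direction:8s} {p.src} -> {p.dst}:{p.dport}")
    print("order_matters:", order_matters())
```

The second sample packet is the case the ACK column exists for: it is addressed to port 80 from the trusted host, but with ACK clear it is a new connection attempt and falls through to rule Z. A real router would also match on the protocol field and the arrival interface listed earlier; those columns are omitted here because the page's table does not carry them.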
Advantages of Packet Filtering:
1. One screening router can help protect an entire network.
2. Packet filtering requires no knowledge or cooperation from users; it is invisible to them.
3. Packet filtering is widely available in many routers.
Disadvantages of Packet Filtering:
1. Current filtering tools are not perfect: rules are hard to write correctly and hard to test.
2. Some protocols are not well suited to packet filtering, for example those that negotiate dynamically assigned ports.
3. Some policies cannot readily be enforced by normal packet filtering routers, for example restrictions that depend on the user rather than the address, or on the content of a request.
PROXY SERVICES:
Proxy services are specialized application or server programs that run on a firewall host: either a dual-homed host with one interface on the internal network and one on the external network, or some other bastion host that has access to the Internet and is reachable from the internal machines. These programs accept the users' requests for Internet services (such as HTTP, FTP and Telnet) and forward them, as appropriate according to the site's security policy, to the actual services. The proxy servers provide replacement connections and act as gateways to the services. For this reason, proxies are sometimes known as application-level gateways.
Proxy services sit, more or less transparently, between a user on the inside (on the internal network) and a service on the outside (on the Internet). Instead of talking to each other directly, each talks to the proxy. Proxies handle all the communication between users and Internet services behind the scenes.
A proxy service requires two components:
A proxy server, and
A proxy client.
In this situation, the proxy server runs on the dual-homed host. A proxy client is a special version of a normal client program (a Telnet client, an HTTP client such as a browser, or an FTP client) that talks to the proxy server rather than to the "real" server on the Internet. The proxy server evaluates requests from the proxy client and decides which to approve and which to deny. If a request is approved, the proxy server contacts the real server on behalf of the client (thus the term "proxy") and proceeds to relay requests from the proxy client to the real server and responses from the real server to the proxy client.
The proxy server does not always just forward users' requests on to the real Internet services. Because it makes a decision about every request it processes, it can control what users do. Depending on the site's security policy, requests may be allowed or refused. For example, an FTP proxy might refuse to let users export files, or might allow users to import files only from certain sites. Similarly, an HTTP proxy may validate a user's request for an object before fetching it from the server. More sophisticated proxy services may grant different capabilities to different hosts, rather than enforcing the same restrictions on all of them, and they can also cache responses.
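The policy decisions described above, as an added example that is not part of the original page: the decision step of an application-level gateway in Python. It parses what the proxy client asked for (an HTTP request line with an absolute URL, or an FTP control command), looks up the capabilities granted to the requesting internal host, decides, and writes an application-level log line. The FTP proxy refuses exports and allows imports only from listed servers, as the text describes; an internal host with no entry gets an empty policy and is refused everything. The host address 10.1.2.3, the server names, the command sets and the class names are assumptions, not anything from the page.

```python
"""Application-level gateway policy: the decision step of a proxy server.
The proxy parses the client's request, looks up the capabilities granted to
that internal host, decides, and logs the decision."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    client: str      # internal host the proxy client connected from
    protocol: str    # "http" or "ftp"
    operation: str   # HTTP method or FTP command, upper case
    target: str      # real server on the Internet
    argument: str    # URL path or FTP command argument


def parse_http_request_line(client: str, line: str) -> Request:
    """A proxy client sends an absolute URL: GET http://host/path HTTP/1.1."""
    method, url, _version = line.split()
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("proxy requests need an absolute http:// URL")
    return Request(client, "http", method.upper(), parts.hostname, parts.path or "/")


def parse_ftp_command(client: str, target: str, line: str) -> Request:
    """One FTP control-channel command, already addressed to a chosen server."""
    verb, _, arg = line.strip().partition(" ")
    return Request(client, "ftp", verb.upper(), target, arg)


FTP_EXPORT = {"STOR", "STOU", "APPE"}   # a file leaves the site
FTP_IMPORT = {"RETR"}                   # a file enters the site
FTP_CONTROL = {"USER", "PASS", "CWD", "PWD", "LIST", "NLST", "TYPE", "PASV", "PORT", "QUIT"}


@dataclass
class HostPolicy:
    """Capabilities granted to one internal host; an empty policy permits nothing."""
    http_methods: Set[str] = field(default_factory=set)
    ftp_import_from: Set[str] = field(default_factory=set)  # server names, or "*" for any
    ftp_export: bool = False


class ProxyPolicy:
    def __init__(self, per_host: Dict[str, HostPolicy], default: Optional[HostPolicy] = None):
        self.per_host = per_host
        self.default = default or HostPolicy()   # unknown hosts get nothing
        self.log: List[str] = []

    def decide(self, req: Request) -> str:
        policy = self.per_host.get(req.client, self.default)
        if req.protocol == "http":
            allowed = req.operation in policy.http_methods
        elif req.protocol == "ftp":
            if req.operation in FTP_EXPORT:
                allowed = policy.ftp_export
            elif req.operation in FTP_IMPORT:
                allowed = "*" in policy.ftp_import_from or req.target in policy.ftp_import_from
            else:
                allowed = req.operation in FTP_CONTROL   # anything unknown is refused
        else:
            allowed = False
        verdict = "permit" if allowed else "deny"
        # Application-level log line: who asked for what, from where, and the outcome.
        self.log.append(f"{req.client} {req.protocol} {req.operation} "
                        f"{req.target} {req.argument} {verdict.upper()}")
        return verdict


if __name__ == "__main__":
    # Constructed policy and requests; the page names no hosts or servers.
    policy = ProxyPolicy({
        "10.1.2.3": HostPolicy(http_methods={"GET", "HEAD"}, ftp_import_from={"ftp.example.org"}),
    })
    for req in [
        parse_http_request_line("10.1.2.3", "GET http://www.example.com/index.html HTTP/1.1"),
        parse_http_request_line("10.1.2.3", "POST http://www.example.com/upload HTTP/1.1"),
        parse_ftp_command("10.1.2.3", "ftp.example.org", "RETR tools.tar"),
        parse_ftp_command("10.1.2.3", "ftp.other.net", "RETR tools.tar"),
        parse_ftp_command("10.1.2.3", "ftp.example.org", "STOR payroll.csv"),
        parse_http_request_line("10.9.9.9", "GET http://www.example.com/ HTTP/1.1"),
    ]:
        policy.decide(req)
    print("\n".join(policy.log))
```

The relay itself (opening the connection to the real server and copying bytes both ways) is deliberately left out; the point is that every request passes through `decide` first, and that the log records the operation and the target, which a packet filter working only from addresses and ports could not tell you.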
Advantages of Proxying:
1. Proxy services let users access Internet services "directly": all the work needed to establish the connections is transparent to the user.
2. Proxy services provide logging at the application level. The log records which user requested which object from which server, and this information can help in detecting attacks.
3. The proxy server runs on a purpose-configured host, which can also be used to run an authentication server and other services.
Disadvantages of Proxying:
1. Proxy services lag behind non-proxied services, because of the overhead of caching and of implementing the security policy.
2. Proxy services may require a different server for each service. If we want to add a new service, the proxy must support it; otherwise we cannot add it.
3. Proxy services usually require modifications to clients, to procedures, or to both.
4. Proxy services are not workable for some services. A service like 'talk', which has complicated and messy interactions, may not be easy to proxy.
5. Proxy services do not protect against all protocol weaknesses; a proxy that forwards a request cannot fix a flaw in the protocol itself.
FIREWALL ARCHITECTURE
RECOMMENDED SETUP FOR A FIREWALL:
The setup of a firewall largely depends on the physical and logical layout of your network. Broadly speaking, there are two types of firewall setup:
Dual-homed
De-Militarized Zone (DMZ)
DUAL-HOMED FIREWALL SETUP:
In a dual-homed setup, one firewall stands between the trusted and untrusted networks. It has two interfaces, an internal one for the trusted network and an external one for the untrusted network. These interfaces can be network cards in the same machine or ports on a router. All packets that have to travel between the two networks must go through the firewall. So a packet coming from the untrusted network first lands at the external interface; the firewall then compares it against the predefined access rules and, if access is allowed, routes the packet to the private network through the internal interface. The machine on which the firewall is set up is called a bastion host. In this setup the bastion host presents a single point of attack: anyone who compromises it can access your private network, so the bastion host must have a robust security policy.
De-Militarized Zone (DMZ):
The DMZ setup is used when you have a private network which must be shielded from the Internet, but at the same time you want to provide some services, such as Web access or e-mail, to the public over the Internet. In such a case the web, mail and news servers must be protected by strict access-control rules, so the public servers reside in an area called the demilitarized zone. This area is surrounded by two firewalls (as shown in the figure). The first firewall, F1, applies lenient access-control rules so that people across the Internet can reach the public servers. The second firewall, F2, applies strict access-control rules. If by chance anyone exploits a hole in firewall F1 and gains privileged access to the machines hosting the public services, that person will still be held back by the strong rules enforced by firewall F2.
How is a hardware firewall different from a software one:
A software firewall requires a machine, perhaps a PC, to run on. This machine needs an OS and will typically have two network interfaces, so configuring the firewall also means configuring the OS and the two interfaces. An important point here is that if the OS, or any other service running on the machine, has bugs, it may be an open invitation to a hacker. So it becomes important to patch the OS against any vulnerability and to stop all the services that are not required.
On the other hand, a hardware firewall does not require a separate machine to run on. It is a small box that can simply be plugged into your network and is ready for customized configuration. It still runs software of its own, so its firmware needs the same patching discipline.
CONCLUSION:
The simulation model of a screening router that we implemented has been successfully tested for all possible cases.
The screening router is good enough for enforcing the network security policy. But firewalls cannot protect against malicious insiders, against completely new threats, or against viruses carried inside traffic the policy permits.
There is no firewall architecture that can be said to be 'perfect'. Each design has its own advantages and limitations, and the selection of a particular design depends on the level of security needed, on cost considerations, and on the particular site's requirements.