[IT-Security-2] Firewalls
Firewalls
Notes from RWTH Aachen University course
"IT Security 2", winter semester 2019/20
Professor: Ulrike Michaela Meyer
What is a firewall and what does it do
- Definition:
  - Access control between an internal and an external network
  - Traffic can be accepted or denied
- Services:
  - IP filtering
  - Advanced services:
    - Network Address Translation
    - Distinguishing time-critical packets (so they can be prioritized)
    - Content inspection
Security Policies
- Rules
  - A packet's header is checked against the rules
  - A packet matches a rule if the values in its header fields are a subset of the values the rule specifies
Match Policy
- First-match
  - The first rule in the list that matches the packet is applied
  - The default rule is usually placed at the end of the list
- Best-match
  - The most specific matching rule is applied
  - The whole list has to be scanned
- Last-match
  - The last rule in the list that matches the packet is applied
Modeling
- P: the set of all packets
- R: the set of rules
- A(R): the packets accepted by R
- D(R): the packets denied by R
- U(R): the packets that match no rule in R
- R is comprehensive if every packet matches at least one rule, i.e. U(R) is empty
Shadowing/ half shadowing/ optimizing firewalls
- Shadowing (first-match policies)
  - An earlier rule matches a broader set of packets
  - A later rule that matches a narrower subset of them is completely covered and is never applied
- Half shadowing (first-match policies)
  - A later rule is only partially covered by earlier rules, so it is not ignored entirely
  - Only the system administrator knows whether this behaviour is intended
- Optimization
  - Too many rules degrade performance
  - Reorder the rules / delete unnecessary rules (such as fully shadowed ones)
  - Must not change which packets are accepted or denied (A(R) and D(R) stay the same)
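To make the match policies and the shadowing definitions concrete, here is an added Python example (it is not from the lecture or these notes). It treats every rule field as a set of values, applies first-, best- and last-match to the same packet, and reports fully and half-shadowed rules in a first-match list. The ruleset, the packet and the specificity ranking used for best-match are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One filter rule; every field is a set of allowed values (CIDR, protocol, port range)."""
    src: str                 # source prefix, CIDR notation
    dst: str                 # destination prefix, CIDR notation
    proto: Optional[str]     # "tcp" / "udp" / "icmp", or None for any protocol
    dport: Tuple[int, int]   # inclusive destination-port range
    action: str              # "accept" or "deny"

    def matches(self, pkt: dict) -> bool:
        # A header matches when each of its values lies inside the rule's value set.
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

    def specificity(self):
        # Assumed ranking for best-match: longer prefixes, a fixed protocol and a
        # narrower port range count as "more specific".
        return (ipaddress.ip_network(self.src).prefixlen + ipaddress.ip_network(self.dst).prefixlen,
                self.proto is not None,
                -(self.dport[1] - self.dport[0]))


def first_match(rules, pkt):
    for idx, r in enumerate(rules):
        if r.matches(pkt):
            return r.action, idx
    return "unmatched", None          # packet is in U(R): no rule applies


def last_match(rules, pkt):
    hits = [(r.action, i) for i, r in enumerate(rules) if r.matches(pkt)]
    return hits[-1] if hits else ("unmatched", None)


def best_match(rules, pkt):
    hits = [i for i, r in enumerate(rules) if r.matches(pkt)]   # must scan the whole list
    if not hits:
        return "unmatched", None
    idx = max(hits, key=lambda i: rules[i].specificity())
    return rules[idx].action, idx


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` also matches `broad` (field-wise subset)."""
    return (ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(broad.src))
            and ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(broad.dst))
            and (broad.proto is None or broad.proto == narrow.proto)
            and broad.dport[0] <= narrow.dport[0] and narrow.dport[1] <= broad.dport[1])


def _overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet matches both rules."""
    return (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
            and (a.proto is None or b.proto is None or a.proto == b.proto)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def analyse_shadowing(rules):
    """Return (later_index, earlier_index, kind) findings for a first-match rule list."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier, later):
                findings.append((j, i, "shadowed"))        # the later rule can never fire
                break
            if (_overlaps(earlier, later) and not _covers(later, earlier)
                    and earlier.action != later.action):
                # Partial overlap with a conflicting action: part of the later rule is
                # overridden. An earlier rule that is a strict subset of a later one is the
                # usual "exception before general rule" pattern and is not reported.
                findings.append((j, i, "half-shadowed"))
    return findings


# Constructed sample ruleset (not from the lecture). Index 4 is the default-deny rule.
RULES = [
    Rule("10.0.0.0/8", "0.0.0.0/0", None, ANY_PORT, "deny"),              # 0
    Rule("10.1.2.0/24", "192.168.1.10/32", "tcp", (80, 80), "accept"),    # 1: fully shadowed by 0
    Rule("0.0.0.0/0", "192.168.1.10/32", "tcp", (1, 1024), "accept"),     # 2
    Rule("172.16.0.0/12", "192.168.1.0/24", "tcp", (22, 22), "deny"),     # 3: half-shadowed by 2
    Rule("0.0.0.0/0", "0.0.0.0/0", None, ANY_PORT, "deny"),               # 4: default deny
]

# Constructed packet: SSH from 172.16.5.5 to the web server 192.168.1.10.
PKT = {"src": "172.16.5.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print("first-match:", first_match(RULES, PKT))    # ('accept', 2)
    print("best-match: ", best_match(RULES, PKT))     # ('deny', 3)
    print("last-match: ", last_match(RULES, PKT))     # ('deny', 4)
    for j, i, kind in analyse_shadowing(RULES):
        print(f"rule {j} is {kind} by rule {i}")
```

The same packet gets three different verdicts under the three policies, which is why a ruleset can only be judged together with the match policy it is evaluated under. Rule 1 is a candidate for the optimization step (deleting it cannot change A(R) or D(R)); rule 3 is the half-shadowing case where only the administrator can say whether rule 2 was meant to win for 192.168.1.10.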
Default Accept or Deny
- A matter of debate
- The administrator defines rules for one of the two; the other is the default
- Defining what is accepted, with a default deny, is most common
Firewall Types
- Packet filters
  - Work on the network/transport layer
  - Similar to a router
  - Check
    - IP addresses
    - Ports
    - Transport protocol type
  - Inspect only the packet header, not its content
  - Attacks
    - IP address spoofing
      - The attacker sends packets from outside with a forged internal source IP address
      - Prevention: drop ingress packets that carry an internal source address
    - Tiny fragment attack
      - Split the IP packet so that the TCP header is not contained in the first fragment
      - If the filter accepts the first fragment, the remaining fragments pass by default (they carry no transport header that could be checked)
      - Prevention: require the first fragment to have a minimum size that includes the full TCP header
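The two countermeasures above, as an added Python example (not code from the lecture or these notes): a stateless filter that drops ingress packets claiming an internal source address and first fragments too short to hold a TCP header, then applies a port check. The internal range, the permitted ports and the sample headers are constructed for illustration.

```python
import ipaddress

# Assumed internal address range and the minimum length of a TCP header (no options).
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
MIN_TCP_HEADER = 20

# Constructed policy: only these destination TCP ports may be reached from outside.
ALLOWED_TCP_PORTS = {80, 443}


def filter_stateless(pkt: dict):
    """Stateless packet-filter decision for one IP packet header.

    pkt fields: iface ("ext" or "int"), src, dst, proto, frag_offset (in 8-byte units),
    payload_len (bytes of IP payload in this fragment), dport (None if not parsable).
    Returns ("accept", None) or ("drop", reason).
    """
    src = ipaddress.ip_address(pkt["src"])

    # Anti-spoofing: a packet arriving on the external interface can never legitimately
    # carry an internal source address, so such ingress packets are dropped.
    if pkt["iface"] == "ext" and src in INTERNAL:
        return "drop", "internal source address on external interface (spoofing)"

    if pkt["proto"] != "tcp":
        return "drop", "protocol not permitted"

    if pkt["frag_offset"] == 0:
        # First fragment (or unfragmented packet): it must be large enough to hold the
        # complete TCP header, otherwise the port/flag check below could be bypassed
        # by pushing those fields into a later fragment.
        if pkt["payload_len"] < MIN_TCP_HEADER:
            return "drop", "tiny first fragment: TCP header incomplete"
        if pkt["dport"] not in ALLOWED_TCP_PORTS:
            return "drop", f"destination port {pkt['dport']} not permitted"
        return "accept", None

    # Non-first fragment: it carries no transport header, so a stateless filter cannot
    # check ports here. It is passed; if the first fragment was dropped the receiving
    # host cannot reassemble the datagram, which is what makes the minimum-size rule work.
    return "accept", None


# Constructed sample headers (not captured traffic).
SAMPLES = {
    "web":     {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.10", "proto": "tcp",
                "frag_offset": 0, "payload_len": 40, "dport": 443},
    "telnet":  {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.10", "proto": "tcp",
                "frag_offset": 0, "payload_len": 40, "dport": 23},
    "spoofed": {"iface": "ext", "src": "192.168.1.5", "dst": "192.168.1.10", "proto": "tcp",
                "frag_offset": 0, "payload_len": 40, "dport": 443},
    # Only 8 bytes of TCP header: ports are present but the flags are in the next fragment.
    "tiny":    {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.10", "proto": "tcp",
                "frag_offset": 0, "payload_len": 8, "dport": 443},
    "tail":    {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.10", "proto": "tcp",
                "frag_offset": 3, "payload_len": 32, "dport": None},
}


def decide_all():
    """Verdict per sample, keyed by sample name."""
    return {name: filter_stateless(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:8s} -> {filter_stateless(p)}")
```

The "tail" sample shows the limitation the notes point out: a non-first fragment is accepted on its own because nothing in it can be checked. The filter is safe only because the matching first fragment was either checked completely or dropped.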
  - Why is this not enough?
    - A packet filter does not know the state of each connection
- Stateful packet filters
  - Additionally maintain state
  - Allow connection tracking
  - Allow associating packets with connections
    - Associated return packets are allowed through
    - Dynamic rules are set up for them
    - Timers usually decide whether a connection is considered closed
  - Incoming traffic is allowed when it answers a request made by an internal user
  - Example: FTP
    - Two connections:
      - The control connection, initiated by the user
      - The data connection, initiated by the server
    - Incoming data is only allowed for connections that an internal user initiated; the server's data connection is accepted because it is associated with the user's control connection
  - Forms of state
    - New: the first packet of a new connection
    - Established: packets of this connection have been seen in both directions
    - Related: a connection associated with an established connection
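An added Python example (not from the lecture or these notes) of the connection tracking described above: a table of 5-tuples with NEW, ESTABLISHED and RELATED states, a dynamic rule for the active-FTP data connection, and an idle timer that removes entries. The internal range, the timeout and the packet sequence are constructed; the FTP PORT command is abstracted as a field on the control packet rather than parsed from its payload.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
IDLE_TIMEOUT = 60                                 # assumed: seconds before an idle entry is dropped


class StatefulFilter:
    """Connection-tracking filter: outbound connections from the internal network are
    allowed and recorded; inbound packets pass only if they belong to a tracked
    connection (ESTABLISHED) or were announced by one (RELATED)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}       # 5-tuple (src, sport, dst, dport, proto) -> {"state", "last"}
        self.expected = {}    # (client_ip, client_port) -> server_ip: dynamic rule from FTP PORT

    def _expire(self, now):
        # Timer-based cleanup: a connection is considered closed after idle_timeout.
        for key in [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]:
            del self.table[key]

    def handle(self, pkt, now):
        """Return (verdict, state) for a packet seen at time `now` (seconds)."""
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])

        if key in self.table:                     # same direction as the tracked connection
            self.table[key]["last"] = now
            return "accept", self.table[key]["state"]

        if rev in self.table:                     # return packet: now seen in both directions
            entry = self.table[rev]
            entry["last"] = now
            entry["state"] = "ESTABLISHED"
            return "accept", "ESTABLISHED"

        if ipaddress.ip_address(pkt["src"]) in INTERNAL:
            # First packet of a connection initiated from inside: allow and start tracking.
            self.table[key] = {"state": "NEW", "last": now}
            if pkt["proto"] == "tcp" and pkt["dport"] == 21 and "ftp_port" in pkt:
                # Active FTP: the client's PORT command (abstracted here as pkt["ftp_port"];
                # a real filter parses it from the control-channel payload) announces where
                # the server will connect back. Install a dynamic rule for that connection.
                self.expected[(pkt["src"], pkt["ftp_port"])] = pkt["dst"]
            return "accept", "NEW"

        # Inbound first packet: allowed only if it matches a dynamic RELATED rule
        # installed by a connection an internal user initiated, and comes from that server.
        server = self.expected.get((pkt["dst"], pkt["dport"]))
        if server == pkt["src"]:
            del self.expected[(pkt["dst"], pkt["dport"])]
            self.table[key] = {"state": "RELATED", "last": now}
            return "accept", "RELATED"
        return "drop", None


def _pkt(src, sport, dst, dport, proto="tcp", **extra):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, **extra}


def run_scenario():
    """Constructed packet sequence (not captured traffic); returns the verdicts in order."""
    fw = StatefulFilter(idle_timeout=60)
    return [
        fw.handle(_pkt("203.0.113.7", 4444, "10.1.1.5", 80), now=0),                  # unsolicited inbound
        fw.handle(_pkt("10.1.1.5", 50000, "203.0.113.7", 80), now=1),                 # client opens HTTP
        fw.handle(_pkt("203.0.113.7", 80, "10.1.1.5", 50000), now=2),                 # reply comes back
        fw.handle(_pkt("10.1.1.5", 50001, "198.51.100.9", 21, ftp_port=50002), now=3),  # FTP control + PORT
        fw.handle(_pkt("192.0.2.66", 20, "10.1.1.5", 50002), now=4),                  # wrong host hits the data port
        fw.handle(_pkt("198.51.100.9", 20, "10.1.1.5", 50002), now=5),                # server's data connection
        fw.handle(_pkt("203.0.113.7", 80, "10.1.1.5", 50000), now=200),               # HTTP entry has timed out
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last packet is a legitimate-looking reply that is dropped only because the timer has already removed the entry; this is the trade-off the notes mention between closing state promptly and breaking long-idle connections.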
- Application Layer Firewalls
  - Filter traffic on the network/transport/application layer
  - Usually implemented as a proxy
    - To reach the outside, the proxy makes the outbound connection on the client's behalf
  - Inspect packet content
  - Application layer firewalls, intrusion prevention systems and intrusion detection systems are usually combined in one device
  - Check for patterns/signatures, spam, intrusion attempts
  - Provide differentiated services (e.g. for multimedia)
  - Only works when the content is not encrypted
Classification
- Where/what to protect
  - Host firewall: protects a single machine
  - Network firewall: protects a whole network
    - Usually enforces one security policy for all hosts behind it
- Placement of a web server
  - Outside the firewall
    - Not protected
  - Inside the firewall
    - Hard to reach from outside
  - Solution: Demilitarized Zone (DMZ)
    - Use an internal and an external firewall; the zone in between is the DMZ, where the web server is placed
    - The internal firewall can be stricter than the external one
    - Traffic is checked in both directions
Handling important administrative protocols
- Routing protocols
  - Decide which devices may receive routing information
- Internet Control Message Protocol (ICMP)
  - Error messages / echo requests
  - Attackers can use ping to discover hosts
  - Ping is usually not allowed through the firewall
- Network Time Protocol (NTP)
  - Time synchronization
- Dynamic Host Configuration Protocol (DHCP)
  - Egress is usually not allowed through the firewall
Network Address Translation (NAT)
- Firewalls usually include NAT
- Inside the firewall a private address range is used; towards the outside a single public IP address is used
- Connections of different internal hosts are told apart by mapping them to different ports on the public address, for both outgoing and incoming traffic
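The port-based mapping in the notes, as an added Python example (not from the lecture or these notes): two internal hosts that happen to use the same source port towards the same server receive distinct public-side ports, returning packets are mapped back through the table, and inbound packets with no mapping are dropped. The public address, the port pool and the traffic are constructed.

```python
class Napt:
    """Port-based NAT (NAPT): many internal addresses share one public address; each
    connection is told apart by the public-side port the translator assigns to it."""

    def __init__(self, public_ip, port_pool=range(40000, 40010)):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)   # assumed small pool so exhaustion is visible
        self.out_map = {}   # (int_ip, int_port, ext_ip, ext_port, proto) -> public port
        self.in_map = {}    # (public_port, ext_ip, ext_port, proto) -> (int_ip, int_port)

    def outbound(self, pkt):
        """Translate an internal->external packet; allocates a mapping on first use."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        pub_port = self.out_map.get(key)
        if pub_port is None:
            if not self.free_ports:
                raise RuntimeError("NAT port pool exhausted")
            pub_port = self.free_ports.pop(0)
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt["dst"], pkt["dport"], pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt):
        """Translate an external->public packet back to the internal host, or return None
        when no mapping exists: unsolicited inbound traffic has nowhere to go and is dropped."""
        target = self.in_map.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        if target is None:
            return None
        int_ip, int_port = target
        return {**pkt, "dst": int_ip, "dport": int_port}


def _pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def demo():
    """Constructed traffic: two internal hosts use the same source port to the same server."""
    nat = Napt("198.51.100.1")
    a = nat.outbound(_pkt("10.0.0.11", 5000, "203.0.113.80", 443))
    b = nat.outbound(_pkt("10.0.0.12", 5000, "203.0.113.80", 443))
    reply_b = nat.inbound(_pkt("203.0.113.80", 443, "198.51.100.1", b["sport"]))
    stray = nat.inbound(_pkt("203.0.113.80", 443, "198.51.100.1", 40005))
    return a, b, reply_b, stray


if __name__ == "__main__":
    a, b, reply_b, stray = demo()
    print("host A seen as", a["src"], a["sport"])      # 198.51.100.1 40000
    print("host B seen as", b["src"], b["sport"])      # 198.51.100.1 40001
    print("reply to B goes to", reply_b["dst"], reply_b["dport"])   # 10.0.0.12 5000
    print("unmapped inbound:", stray)                  # None
```

The mapping table is itself per-connection state, which is one reason NAT and stateful filtering usually live in the same device; the `None` result for the stray packet is the implicit deny that NAT gives unsolicited inbound traffic.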
Load Balancing and Firewall Arrays
- An array of firewalls, usually with two load balancers (one on each side)
- All firewalls are identical
- The load balancer hands each packet to the least loaded firewall
- Where to keep the state?
  - In the load balancer: its workload increases
  - In the firewalls: the state is replicated n times and the firewalls need to communicate with each other
- Disadvantages:
  - Hard to predict which firewall will finish its work first
  - State is hard to maintain
- Advantages:
  - Scalable
  - Robust (if one firewall fails, the others keep working)
  - Easy rule updates
Problems
- Still cannot prevent buffer overflows, DoS or insider attacks
- For encrypted data (IPsec) it is hard to decide whether it may pass
- Applications tunnelled over HTTP
  - HTTP is usually let through, even by an application proxy, so such applications pass along with it
Readings
- Stallings and Brown: Computer Security, 2015
  - Chapter 9 on Firewalls and Intrusion Prevention Systems
- John R. Vacca (editor): Computer and Information Security, 2009
  - Chapter 21: Firewalls
- Bishop: Introduction to Computer Security, 2004
  - Chapter 23
More detailed reading
- J. R. Vacca and S. R. Ellis: Firewalls Jumpstart for Network and Systems Administrators, 2005
  - Complete book on firewalls
Classical reading
- Bellovin and Cheswick: Network Firewalls, 1994